HashiCorp Vault
Detailed information on the HashiCorp Vault secret store component
Create the Vault component
To set up the HashiCorp Vault secret store, create a component of type `secretstores.hashicorp.vault`. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: vault
  namespace: default
spec:
  type: secretstores.hashicorp.vault
  version: v1
  metadata:
  - name: vaultAddr
    value: [vault_address] # Optional. Default: "https://127.0.0.1:8200"
  - name: caCert # Optional. Set this, caPath or caPem, not more than one
    value: "[ca_cert]"
  - name: caPath # Optional. Set this, caCert or caPem, not more than one
    value: "[path_to_ca_cert_file]"
  - name: caPem # Optional. Set this, caCert or caPath, not more than one
    value: "[encoded_ca_cert_pem]"
  - name: skipVerify # Optional. Default: false
    value: "[skip_tls_verification]"
  - name: tlsServerName # Optional.
    value: "[tls_config_server_name]"
  - name: vaultTokenMountPath # Required. Path to token file.
    value: "[path_to_file_containing_token]"
  - name: vaultKVPrefix # Optional. Default: "dapr"
    value: "[vault_prefix]"
```
Warning
The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.
Spec metadata fields
Field | Required | Details | Example |
---|---|---|---|
vaultAddr | N | The address of the Vault server. Defaults to "https://127.0.0.1:8200". Use an https address: the token is sent in the X-Vault-Token header on every request. | "https://127.0.0.1:8200" |
caCert | N | Certificate authority: the encoded CA certificates to use. Set only one of caCert, caPath and caPem. | "cacerts" |
caPath | N | Certificate authority: the path to a CA certificate file. Set only one of caCert, caPath and caPem. | "path/to/cacert/file" |
caPem | N | Certificate authority: the encoded CA certificate PEM to use. Set only one of caCert, caPath and caPem. | "encodedpem" |
skipVerify | N | Skip TLS verification of the Vault server certificate. Defaults to "false". Leave it false outside local testing: with "true" an on-path attacker can present any certificate and capture the token. | "true", "false" |
tlsServerName | N | Server name used for the TLS handshake (SNI) when it differs from the host in vaultAddr | "tls-server" |
vaultTokenMountPath | Y | Path to the file containing the Vault token | "path/to/file" |
vaultKVPrefix | N | The prefix under which secrets are looked up in Vault. Defaults to "dapr" | "dapr", "myprefix" |
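The following is an added example, not Dapr or Vault project code: a small Python checker that flattens a component's `spec.metadata` list, flags the settings a reviewer would reject (missing `vaultTokenMountPath`, more than one of `caCert`/`caPath`/`caPem`, `skipVerify` enabled, a plaintext `vaultAddr`) and builds the read request the sidecar would send for one secret. The secret names, hosts, paths and token are constructed. It assumes the store reads a KV v2 engine mounted at `secret`, so a secret lives at `/v1/secret/data/<vaultKVPrefix>/<name>`; this page documents only the prefix default, not the mount, so treat that path as an assumption.

```python
"""Checks for a Dapr secretstores.hashicorp.vault component spec.

Added example for this page; not Dapr or Vault project code.
ASSUMPTION: secrets are read from a KV v2 engine mounted at "secret", so the
path is /v1/secret/data/<vaultKVPrefix>/<secret>.
"""
import tempfile
from typing import Dict, List, Tuple

DEFAULT_VAULT_ADDR = "https://127.0.0.1:8200"  # documented default
DEFAULT_KV_PREFIX = "dapr"                     # documented default
CA_FIELDS = ("caCert", "caPath", "caPem")      # documented as mutually exclusive


def metadata_to_dict(component: dict) -> Dict[str, str]:
    """Flatten spec.metadata (a list of {name, value}) into a name -> value map."""
    return {m["name"]: str(m.get("value", "")) for m in component["spec"]["metadata"]}


def check_component(component: dict) -> List[str]:
    """Return the problems found; an empty list means the spec passes."""
    problems: List[str] = []
    if component.get("spec", {}).get("type") != "secretstores.hashicorp.vault":
        problems.append("spec.type must be secretstores.hashicorp.vault")
    md = metadata_to_dict(component)
    if not md.get("vaultTokenMountPath"):
        problems.append("vaultTokenMountPath is required")
    ca_set = [f for f in CA_FIELDS if md.get(f)]
    if len(ca_set) > 1:
        problems.append("set only one of caCert/caPath/caPem, got " + ", ".join(ca_set))
    if md.get("skipVerify", "false").strip().lower() == "true":
        problems.append("skipVerify=true disables TLS verification; the Vault token "
                        "sent in X-Vault-Token can be read by an on-path attacker")
    if md.get("vaultAddr", DEFAULT_VAULT_ADDR).startswith("http://"):
        problems.append("vaultAddr is plaintext http; the token would be sent in the clear")
    return problems


def read_token(path: str) -> str:
    """Read the token from the mounted file; a trailing newline is not part of it."""
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def secret_request(md: Dict[str, str], secret_name: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for reading one secret (assumed KV v2 layout, see docstring)."""
    addr = (md.get("vaultAddr") or DEFAULT_VAULT_ADDR).rstrip("/")
    prefix = md.get("vaultKVPrefix") or DEFAULT_KV_PREFIX
    url = f"{addr}/v1/secret/data/{prefix}/{secret_name}"
    return url, {"X-Vault-Token": read_token(md["vaultTokenMountPath"])}


def write_token_file(token: str) -> str:
    """Write a constructed token to a temp file, standing in for the mounted path."""
    f = tempfile.NamedTemporaryFile("w", delete=False, suffix=".token")
    f.write(token + "\n")
    f.close()
    return f.name


def make_component(metadata: Dict[str, str]) -> dict:
    """Build a component dict in the shape of the YAML above from a flat map."""
    return {
        "apiVersion": "dapr.io/v1alpha1",
        "kind": "Component",
        "metadata": {"name": "vault", "namespace": "default"},
        "spec": {
            "type": "secretstores.hashicorp.vault",
            "version": "v1",
            "metadata": [{"name": k, "value": v} for k, v in metadata.items()],
        },
    }


# Constructed specs: the weak one sets two CA options, skipVerify and a plaintext
# address; the hardened one pins a single CA and keeps verification on.
TOKEN_PATH = write_token_file("hvs.constructed-example-token")
WEAK = make_component({
    "vaultAddr": "http://vault.example:8200",
    "caCert": "/etc/vault/ca.crt",
    "caPath": "/etc/vault/ca",
    "skipVerify": "true",
    "vaultTokenMountPath": TOKEN_PATH,
})
HARDENED = make_component({
    "vaultAddr": "https://vault.example:8200",
    "caPath": "/etc/vault/ca",
    "tlsServerName": "vault.example",
    "vaultTokenMountPath": TOKEN_PATH,
    "vaultKVPrefix": "myapp",
})

if __name__ == "__main__":
    for name, comp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_component(comp) or "OK")
    print(secret_request(metadata_to_dict(HARDENED), "db-password"))
```

Run it before `kubectl apply` on a component you have loaded as a dict: the weak spec produces three findings, the hardened one none, and the request line shows which Vault path the configured prefix resolves to, which is what the token's policy must grant read on.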
Set up a HashiCorp Vault instance
Set up HashiCorp Vault by following the Vault documentation: https://www.vaultproject.io/docs/install/index.html.
For Kubernetes, you can use the Helm chart: https://github.com/hashicorp/vault-helm.
Related links
- Secrets building block
- How-To: Retrieve a secret
- How-To: Reference secrets in Dapr components
- Secrets API reference
Last modified May 26, 2021: Update to point to 1.2 (#1518) (c690379)