From 20f204531f02a1149dcc4c06d20add1c1afac522 Mon Sep 17 00:00:00 2001 From: Josh van Leeuwen Date: Fri, 5 Sep 2025 19:56:55 -0300 Subject: [PATCH 01/17] [1.16] Add docs on DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK env var (#4832) * [1.16] Add docs on DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK env var Fixes https://github.com/dapr/docs/issues/4784 Signed-off-by: joshvanl * Apply suggestions from code review Co-authored-by: Mark Fussell Signed-off-by: Josh van Leeuwen * Adds DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK to environment reference Signed-off-by: joshvanl * Moved non-root execution section for Kubernetes Moved the section on running Dapr services as non-root in Kubernetes, including environment variable configuration. Signed-off-by: Mark Fussell --------- Signed-off-by: joshvanl Signed-off-by: Josh van Leeuwen Signed-off-by: Mark Fussell Co-authored-by: Mark Fussell Signed-off-by: Kobbi Gal --- daprdocs/content/en/concepts/security-concept.md | 6 ++++++ .../hosting/kubernetes/kubernetes-production.md | 12 +++++++++++- daprdocs/content/en/reference/environment/_index.md | 3 ++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/concepts/security-concept.md b/daprdocs/content/en/concepts/security-concept.md index 0266a75d2f0..fa284cde420 100644 --- a/daprdocs/content/en/concepts/security-concept.md +++ b/daprdocs/content/en/concepts/security-concept.md 
@@ -153,6 +153,12 @@ With Dapr OAuth 2.0 middleware, you can enable OAuth authorization on Dapr endpo You can adopt common network security technologies, such as network security groups (NSGs), demilitarized zones (DMZs), and firewalls, to provide layers of protection over your networked resources. For example, unless configured to talk to an external binding target, Dapr sidecars don’t open connections to the internet and most binding implementations only use outbound connections. You can design your firewall rules to allow outbound connections only through designated ports. +## Run as non-root in Kubernetes +When running in Kubernetes, Dapr services ensure each process is running as non-root. This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. +```bash +DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" +``` + # Security policies Dapr has an extensive set of security policies you can apply to your applications. You can scope what they are able to do, either through a policy setting in the sidecar configuration, or with the component specification. diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index 40c4c8d02c8..c4f4b88e2a0 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md 
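Review bot: The new "Run as non-root in Kubernetes" section explains how to switch the UID/GID check off but not what is given up, while the environment-reference row added later in this same patch does say it ("This is not recommended for production environments"); carry that caveat into this section so the reader sees it next to the setting, and state plainly that with the variable set Dapr no longer guarantees its processes are not root. Wording on the added lines: "checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected" reads better as "checking that the UID and GID of the process are `65532` and exiting with a fatal error if they are not". The `bash` block shows a bare shell assignment, which is ambiguous in a Kubernetes context; say where the variable is set (the environment of the Dapr control plane containers and of the sidecar), and "Dapr services" could be stated as "control plane and sidecar" to match the reference-table row.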
@@ -343,10 +343,20 @@ By default, the Dapr sidecar injector injects a sidecar without any `seccompProf Refer to [the Arguments and Annotations overview]({{% ref "arguments-annotations-overview.md" %}}) to set the appropriate `seccompProfile` on the sidecar container. -## Best Practices +## Run as non-root +When running in Kubernetes, Dapr services ensure each process is running as non-root. +This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. +If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. + +```bash +DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" +``` + +## Best Practices Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes. + {{< youtube id=_U9wJqq-H1g >}} ## Related links diff --git a/daprdocs/content/en/reference/environment/_index.md b/daprdocs/content/en/reference/environment/_index.md index ad26f9dcbc2..c2bd8f5e337 100644 --- a/daprdocs/content/en/reference/environment/_index.md +++ b/daprdocs/content/en/reference/environment/_index.md 
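Review bot: The "Run as non-root" section is a verbatim copy of the one added to security-concept.md in this same patch; duplicated prose drifts, so keep the full explanation in one place (this operations page is the natural home) and have the concept page link to it. The same two points apply here: add the "not recommended for production" caveat that the reference table carries, and name the components that perform the check. The split of the first sentence onto three lines is fine for Hugo, but the three lines should then read as one paragraph, which they do only if no blank line separates them.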
@@ -29,4 +29,5 @@ The following table lists the environment variables used by the Dapr runtime, CL | DAPR_COMPONENTS_SOCKETS_EXTENSION | .NET and Java pluggable component SDKs | A per-SDK configuration that indicates the default file extension applied to socket files created by the SDKs. Not a Dapr-enforced behavior. | | DAPR_PLACEMENT_METADATA_ENABLED | Dapr placement | Enable an endpoint for the Placement service that exposes placement table information on actor usage. Set to `true` to enable in self-hosted mode. [Learn more about the Placement API]({{% ref placement_api.md %}}) | | DAPR_HOST_IP | Dapr sidecar | The host's chosen IP address. If not specified, will loop over the network interfaces and select the first non-loopback address it finds.| -| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. | \ No newline at end of file +| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. | +| DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK | Dapr control plane & sidecar | Disable the check that ensures the Dapr containers are not running as root on Kubernetes linux. This is not recommended for production environments. Set to `true` to disable the check. | From 5e822742cdd8b170b9f47bc54551ea7a23545d06 Mon Sep 17 00:00:00 2001 From: Joni Collinge Date: Sat, 6 Sep 2025 00:26:19 +0100 Subject: [PATCH 02/17] Update actor state store docs to include strong consistency requirement (#4766) * Update actor state store docs to include strong consistency requirement Signed-off-by: Jonathan Collinge * Move consistency to independent sentence Signed-off-by: Jonathan Collinge --------- Signed-off-by: Jonathan Collinge Co-authored-by: Mark Fussell Co-authored-by: Marc Duiker 
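Review bot: In the new `DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK` row, "Kubernetes linux" should be "Kubernetes on Linux", and the description should state the expected values (UID and GID `65532`) so the reference table is self-contained. This row is also the only place in the patch that says the setting is not recommended for production; the two narrative sections should say the same. The `DAPR_HEALTH_TIMEOUT` line is rewritten only to add the missing trailing newline, which is fine, but make sure the new last line of the table ends with a newline so the next addition does not produce the same diff noise.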
Signed-off-by: Kobbi Gal --- .../state-management/state-management-overview.md | 2 +- daprdocs/content/en/reference/api/state_api.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/state-management/state-management-overview.md b/daprdocs/content/en/developing-applications/building-blocks/state-management/state-management-overview.md index db03f548921..fc62523e354 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/state-management/state-management-overview.md +++ b/daprdocs/content/en/developing-applications/building-blocks/state-management/state-management-overview.md 
@@ -95,7 +95,7 @@ You can group write, update, and delete operations into a request, which are the ### Actor state -Transactional state stores can be used to store actor state. To specify which state store to use for actors, specify value of property `actorStateStore` as `true` in the state store component's metadata section. Actors state is stored with a specific scheme in transactional state stores, allowing for consistent querying. Only a single state store component can be used as the state store for all actors. Read the [state API reference]({{% ref state_api.md %}}) and the [actors API reference]({{% ref actors_api.md %}}) to learn more about state stores for actors. +Transactional state stores can be used to store actor state. To specify which state store to use for actors, specify value of property `actorStateStore` as `true` in the state store component's metadata section. Actors state is stored with a specific scheme in transactional state stores, allowing for consistent querying. Only a single state store component can be used as the state store for all actors. If your state store is backed by a distributed database, you must make sure that it provides strong consistency. Read the [state API reference]({{% ref state_api.md %}}) and the [actors API reference]({{% ref actors_api.md %}}) to learn more about state stores for actors. #### Time to Live (TTL) on actor state You should always set the TTL metadata field (`ttlInSeconds`), or the equivalent API call in your chosen SDK when saving actor state to ensure that state eventually removed. Read [actors overview]({{% ref actors-overview.md %}}) for more information. diff --git a/daprdocs/content/en/reference/api/state_api.md b/daprdocs/content/en/reference/api/state_api.md index 53654cf38a9..328ffec80fd 100644 --- a/daprdocs/content/en/reference/api/state_api.md +++ b/daprdocs/content/en/reference/api/state_api.md 
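Review bot: The added sentence "If your state store is backed by a distributed database, you must make sure that it provides strong consistency." states the rule but neither the consequence of ignoring it nor how to satisfy it; add one sentence on what goes wrong with an eventually consistent store, and link to where the consistency setting is configured for the supported stores, since the existing state-API and actors-API links do not cover that. Grammar on the rewritten line: "specify value of property `actorStateStore` as `true`" should be "set the `actorStateStore` property to `true`", and "Actors state is stored" should be "Actor state is stored".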
@@ -544,7 +544,7 @@ curl -X POST http://localhost:3500/v1.0/state/starwars/transaction \ ## Configuring state store for actors -Actors don't support multiple state stores and require a transactional state store to be used with Dapr. [View which services currently implement the transactional state store interface]({{% ref "supported-state-stores.md" %}}). +Actors don't support multiple state stores and require a transactional state store to be used with Dapr. [View which services currently implement the transactional state store interface]({{% ref "supported-state-stores.md" %}}). If your state store is backed by a distributed database, you must make sure that it provides strong consistency. Specify which state store to be used for actors with a `true` value for the property `actorStateStore` in the metadata section of the `statestore.yaml` component file. For example, the following components yaml will configure Redis to be used as the state store for Actors. From fdbbcb1d694b03c80c0a8876e83460cd7638245d Mon Sep 17 00:00:00 2001 From: Joni Collinge Date: Sat, 6 Sep 2025 00:35:37 +0100 Subject: [PATCH 03/17] Add docs for Azure Federated Identity via Dapr Sentry OIDC (#4650) * Add initial docs for Azure federated identity credential Signed-off-by: Jonathan Collinge * Add audiences to access control struct docs Signed-off-by: Jonathan Collinge * Update helm values Signed-off-by: Jonathan Collinge * Remove jwt audiences from configuration Signed-off-by: Jonathan Collinge * Add warning Signed-off-by: Jonathan Collinge * Update args and annotation Signed-off-by: Jonathan Collinge * Fix localized URLs Signed-off-by: Jonathan Collinge * Add comment to increase init timeout Signed-off-by: Jonathan Collinge * Update daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md 
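Review bot: The same consistency sentence is added here word for word, which is acceptable for a reference page, but it is inserted between the transactional-store link and the `actorStateStore` instructions and interrupts that flow; move it to the end of the paragraph. Since both pages now carry identical text, decide which one is canonical and have the other link to it. Nit in the unchanged context line: "the following components yaml" should read "the following component YAML".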
Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md Signed-off-by: Mark Fussell --------- Signed-off-by: Jonathan Collinge Signed-off-by: Mark Fussell Co-authored-by: Mark Fussell Co-authored-by: Marc Duiker Signed-off-by: Kobbi Gal --- .../authenticating-azure.md | 101 +++++++++++++++++- 1 file changed, 99 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md b/daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md index 324ef9e9a77..0a6f1ba8632 100644 --- a/daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md +++ b/daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md 
@@ -26,8 +26,7 @@ If you are just getting started, it is recommended to use workload identity fede ## Managed identities and workload identity federation -When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level. - +With Managed Identities (MI), your application can authenticate with Microsoft Entra ID and obtain an access token to make requests to Azure services. When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level. You can also setup Microsoft Entra ID to federate trust to your Dapr application identity directly by using a [Federated Identity Credential](https://learn.microsoft.com/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0). This allows you to configure access to your Microsoft resources even when not running on Microsoft infrastructure. To see how to configure Dapr to use a federated identity, see the section on [Authenticating with a Federated Identity Credential](#authenticating-with-a-federated-identity-credential). This is done through [system or user assigned managed identities]({{< ref howto-mi.md >}}), or [workload identity federation]({{< ref howto-wif.md >}}). Once using managed identities, your code doesn't have to deal with credentials, which: 
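Review bot: The blank line between the managed-identity paragraph and the new federated-credential sentences was removed, so the added text now forms one paragraph that ends immediately before "This is done through [system or user assigned managed identities]..., or [workload identity federation]", and that sentence now reads as if it referred to the Federated Identity Credential rather than to managed identities. Restore the blank line and either move the federated-credential sentences after the "This is done through ..." sentence or open them with "Alternatively,". Minor: "setup Microsoft Entra ID" should be "set up Microsoft Entra ID".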
@@ -115,6 +114,104 @@ When running on Kubernetes, you can also use references to Kubernetes secrets fo When running on Azure Kubernetes Service (AKS), you can authenticate components using Workload Identity. Refer to the Azure AKS documentation on [enabling Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) for your Kubernetes resources. +#### Authenticating with a Federated Identity Credential + +You can use a [Federated Identity Credential](https://learn.microsoft.com/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) in Microsoft Entra ID to federate trust directly to your Dapr installation regardless of where it is running. This allows you to easily configure access rules against your Dapr application's [SPIFFE](https://spiffe.io/) ID consistently across different clouds. + +In order to federate trust, you must be running Dapr Sentry with JWT issuing and OIDC discovery enabled. These can be configured using the following Dapr Sentry helm values: + +```yaml +jwt: + # Enable JWT token issuance by Sentry + enabled: true + # Issuer value for JWT tokens + issuer: "" + +oidc: + enabled: true + server: + # Port for the OIDC HTTP server + port: 9080 + tls: + # Enable TLS for the OIDC HTTP server + enabled: true + # TLS certificate file for the OIDC HTTP server + certFile: "" + # TLS certificate file for the OIDC HTTP server + keyFile: "" +``` + +{{% alert title="Warning" color="warning" %}} +The `issuer` value must match exactly the value you provide when creating the Federated Identity Credential in Microsoft Entra ID. +{{% /alert %}} + +Providing these settings exposes the following endpoints on your Dapr Sentry installation on the provided OIDC HTTP port: +``` +/.well-known/openid-configuration +/jwks.json +``` + +You also need to provide the Dapr runtime configuration to request a JWT token with the Azure audience `api://AzureADTokenExchange`. 
+When running in standalone mode, this can be provided using the flag `--sentry-request-jwt-audiences=api://AzureADTokenExchange`. +When running in Kubernetes, this can be provided by decorating the application Kubernetes manifest with the annotations `"dapr.io/sentry-request-jwt-audiences": "api://AzureADTokenExchange"`. +This ensures Sentry service issues a JWT token with the correct audience, which is required for Microsoft Entra ID to validate the token. + +In order for Microsoft Entra ID to be able to access the OIDC endpoints, you must expose them on a public address. You must ensure that the domain that you are serving these endpoints via is the same as the issuer you provided when configuration Dapr Sentry. + +You can now create your federated credential in Microsoft Entra ID. + +```shell +cat > creds.json <", + "subject": spiffe://public/ns//", + "audiences": ["api://AzureADTokenExchange"], + "description": "Credential for Dapr App ID" +} +EOF + +export APP_ID=$(az ad app create --display-name my-dapr-app --enable-access-token-issuance --enable-id-token-issuance | jq .id) +az ad sp create --id $APP_ID +az ad app federated-credential create --id $APP_ID --parameters ./creds.json +``` + +Now that you have a federated credential for your Microsoft Entra ID Application Registration, you can assign the desired roles to it's service principal. + +An example of assigning "Storage Blob Data Owner" role is below. 
+```shell +az role assignment create --assignee-object-id $APP_ID --assignee-principal-type ServicePrincipal --role "Storage Blob Data Owner" --scope "/subscriptions/$SUBSCRIPTION/resourceGroups/$GROUP/providers/Microsoft.Storage/storageAccounts/$ACCOUNT_NAME" +``` + +To configure a Dapr Component to access an Azure resource using the federated credentail, you first need to fetch your `clientId` and `tenantId`: +```shell +CLIENT_ID=$(az ad app show --id $APP_ID --query appId --output tsv) +TENANT_ID=$(az account show --query tenantId --output tsv) +``` + +Then you can create your Azure Dapr Component and simply provide these value: +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: azureblob +spec: + type: state.azure.blobstorage + version: v2 + initTimeout: 10s # Increase the init timeout to allow enough time for Azure to perform the token exchange + metadata: + - name: clientId + value: $CLIENT_ID + - name: tenantId + value: $TENANT_ID + - name: accountName + value: $ACCOUNT_NAME + - name: containerName + value: $CONTAINER_NAME +``` + +The Dapr runtime uses these details to authenticate with Microsoft Entra ID, using the Dapr Sentry issued JWT token to exchange for an access token to access the Azure resource. + #### Authenticating using Azure CLI credentials (development-only) > **Important:** This authentication method is recommended for **development only**. From 6bcb576a33e0c37b86fae48956d0b8ef91bfe49d Mon Sep 17 00:00:00 2001 From: Mike Nguyen Date: Sat, 6 Sep 2025 00:41:48 +0100 Subject: [PATCH 04/17] docs: longhaul dashboard page (#4838) * docs: longhaul dashboard page closes #4780 Signed-off-by: Mike Nguyen * docs:fix typo Co-authored-by: Marc Duiker Signed-off-by: Mike Nguyen * Update daprdocs/content/en/operations/observability/_index.md Signed-off-by: Mark Fussell --------- Signed-off-by: Mike Nguyen Signed-off-by: Mark Fussell Co-authored-by: Marc Duiker Co-authored-by: Mark Fussell 
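Review bot: The role assignment is given the wrong identifier: `export APP_ID=$(az ad app create ... | jq .id)` captures the application object's `id`, and `jq .id` without `-r` keeps the surrounding double quotes, so `az ad sp create --id $APP_ID` receives a quoted string; then `az role assignment create --assignee-object-id $APP_ID --assignee-principal-type ServicePrincipal` is handed the application object ID where the service principal's object ID is required. Use `jq -r`, capture the `id` returned by `az ad sp create`, and pass that to the role assignment. The `creds.json` heredoc as shown is not valid: the `<<EOF` after `cat > creds.json` is missing, no `issuer` field is present, and `"subject": spiffe://public/ns//",` lacks its opening quote and has empty namespace and app-ID placeholders; use visible placeholders such as `<NAMESPACE>` and `<APP_ID>`. In the Helm values the comment on `keyFile` repeats "TLS certificate file" and should say "TLS private key file". The component YAML uses `$CLIENT_ID` and `$TENANT_ID` literally, which Kubernetes does not expand; say the values must be substituted before applying. On the exposure requirement, the text tells readers to publish the OIDC endpoints on a public address; state that only `/.well-known/openid-configuration` and `/jwks.json` need to be reachable, that `oidc.server.tls.enabled: true` should stay on, and that the `issuer` value (shown empty in the snippet) must match the address those endpoints are served from, as the prose already requires. Typos: "credentail", "it's service principal", "when configuration Dapr Sentry", "provide these value".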
Signed-off-by: Kobbi Gal --- .../en/operations/observability/_index.md | 6 +++ .../perf-longhaul.md | 49 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 daprdocs/content/en/operations/performance-and-scalability/perf-longhaul.md diff --git a/daprdocs/content/en/operations/observability/_index.md b/daprdocs/content/en/operations/observability/_index.md index 6b7171767bf..faa2365177e 100644 --- a/daprdocs/content/en/operations/observability/_index.md +++ b/daprdocs/content/en/operations/observability/_index.md @@ -16,3 +16,9 @@ description: See and measure the message calls to components and between network - Review the [Observability API reference documentation]({{% ref health_api.md %}}). - Read the [general overview of the observability concept]({{% ref observability-concept %}}) in Dapr. {{% /alert %}} + +{{% alert title="Dapr Observability in Action!" color="primary" %}} +Dapr has a public Grafana dashboard demonstrating observability in action on the longhaul testing environment. + - [Dapr Public Grafana Dashboard](https://dapr.grafana.net/public-dashboards/86d748b233804e74a16d8243b4b64e18) + - Read more about: [Longhaul performance and stability]({{% ref perf-longhaul.md %}}) + {{% /alert %}} \ No newline at end of file diff --git a/daprdocs/content/en/operations/performance-and-scalability/perf-longhaul.md b/daprdocs/content/en/operations/performance-and-scalability/perf-longhaul.md new file mode 100644 index 00000000000..130506df4a8 --- /dev/null +++ b/daprdocs/content/en/operations/performance-and-scalability/perf-longhaul.md 
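Review bot: In the new observability alert the closing `{{% /alert %}}` is indented by one space relative to its opener and the file still ends without a newline ("\ No newline at end of file"); align the shortcode and add the trailing newline. "Read more about: [Longhaul performance and stability]" reads better as "Read more about [longhaul performance and stability]".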
@@ -0,0 +1,49 @@ +--- +type: docs +title: "Longhaul performance and stability" +linkTitle: "Longhaul performance and stability" +weight: 10000 +description: "" +--- + +This article provides longhaul performance and stability benchmarks for Dapr on Kubernetes. + +The longhaul tests are designed to run for a period of a week, validating the stability of Dapr and its components, while measuring resource utilization and performance over time. + +## Public Dashboard + +You can access the live longhaul test results on the public Grafana dashboard. This dashboard is updated in near real-time, showing the latest results from the longhaul tests. + +[Dapr Longhaul Dashboard](https://dapr.grafana.net/public-dashboards/86d748b233804e74a16d8243b4b64e18). + +## System overview + +The longhaul environment is run on a 3 node managed Azure Kubernetes Service (AKS) cluster, using standard D2s_v5 nodes running 2 cores and 8GB of RAM, with network acceleration. + +## Test Applications + +- Feed generator +- Hashtag Actor +- Hashtag counter +- Message Analyzer +- Pubsub Workflow +- Streaming Pubsub Publisher / Producer +- Streaming Pubsub Subscriber / Consumer +- Snapshot App +- Validation Worker App +- Scheduler Jobs App +- Workflow Gen App +- Scheduler Actor Reminders - Client +- Scheduler Actor Reminders - Server +- Scheduler Workflow App + +## Redeployments + +The longhaul test environment is redeployed every 7 days (Fridays at 08:00 UTC). + +## Test Infrastructure + +The test infrastructure is sourced from this [GitHub repository](https://github.com/dapr/test-infra). + +It is a mixture of Bicep IaC templates and Helm charts to deploy the test applications and Dapr. + From 9454bc31320dfd4b7bb912517c4438992da0dd61 Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Sat, 6 Sep 2025 02:53:53 +0200 Subject: [PATCH 05/17] [1.16] Support subsecond precision jobs and reminders (#4851) * docs: Support subsecond precision jobs and reminders 
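Review bot: The front matter of the new perf-longhaul.md has `description: ""`, which leaves the page without a summary in section listings; fill it in. "a 3 node managed Azure Kubernetes Service (AKS) cluster, using standard D2s_v5 nodes running 2 cores and 8GB of RAM" should read "a 3-node managed Azure Kubernetes Service (AKS) cluster of Standard_D2s_v5 nodes (2 vCPUs, 8 GB RAM)". The "Test Applications" list gives names only; one line per application saying which building block it exercises, or a link to its directory in the test-infra repository, would make the dashboard panels interpretable. The dashboard link duplicates the one in the observability index, which is fine, but keep the anchor text consistent ("Dapr Longhaul Dashboard" here versus "Dapr Public Grafana Dashboard" there). The file also ends with a trailing blank line.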
Signed-off-by: Javier Aliaga * Update daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md Co-authored-by: Josh van Leeuwen Signed-off-by: Javier Aliaga * Update daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/building-blocks/actors/actors-timers-reminders.md Signed-off-by: Mark Fussell * Update daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md Signed-off-by: Mark Fussell --------- Signed-off-by: Javier Aliaga Signed-off-by: Mark Fussell Co-authored-by: Josh van Leeuwen Co-authored-by: Mark Fussell Signed-off-by: Kobbi Gal --- .../building-blocks/actors/actors-timers-reminders.md | 3 ++- .../building-blocks/jobs/jobs-features-concepts.md | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/actors/actors-timers-reminders.md b/daprdocs/content/en/developing-applications/building-blocks/actors/actors-timers-reminders.md index bf828b42836..736547e91d6 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/actors/actors-timers-reminders.md +++ b/daprdocs/content/en/developing-applications/building-blocks/actors/actors-timers-reminders.md @@ -29,9 +29,10 @@ Supported formats: If `period` is omitted, the callback will be invoked only once. Supported formats: -- time.Duration format, e.g. `2h30m` +- time.Duration format (Sub-second precision is supported when using duration values), e.g. `2h30m`, `500ms` - [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations) format, e.g. `PT2H30M`, `R5/PT1M30S` +Note: Actual trigger resolution may vary by runtime and environment. --- `ttl` is an optional parameter that sets time at which or time interval after which the timer/reminder will be expired and deleted. If `ttl` is omitted, no restrictions are applied. 
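Review bot: The parenthetical "(Sub-second precision is supported when using duration values)" is capitalised mid-sentence and separates the format name from its examples; suggest "- time.Duration format, e.g. `2h30m`, `500ms` (sub-second precision is supported for duration values)". The added "Note: Actual trigger resolution may vary by runtime and environment." sits between the list and the `---` separator although it applies only to the duration bullet; attach it to that bullet, and say explicitly whether ISO 8601 values remain at whole-second resolution. The jobs page edited in this same patch says cron schedules are seconds-level only; the two pages should make the same statement about precision.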
diff --git a/daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md b/daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md index 18510be116f..fbeb0f50a0a 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md +++ b/daprdocs/content/en/developing-applications/building-blocks/jobs/jobs-features-concepts.md @@ -10,8 +10,7 @@ Now that you've learned about the [jobs building block]({{% ref jobs-overview %} into the features and concepts included with Dapr Jobs and the various SDKs. Dapr Jobs: - Provides a robust and scalable API for scheduling operations to be triggered in the future. - Exposes several capabilities which are common across all supported languages. - - +- Supports sub-second precision when using duration values (for example `500ms`). Actual trigger resolution may vary by runtime; Cron-based schedules are at the seconds level only. ## Job identity From 7dec5ee103acb1e7db0963321fe50d7ef52cc2e2 Mon Sep 17 00:00:00 2001 From: Josh van Leeuwen Date: Fri, 5 Sep 2025 22:02:02 -0300 Subject: [PATCH 06/17] [1.16] Adds docs for EKS IRSA (#4845) * [1.16] Adds docs for EKS IRSA Fixes https://github.com/dapr/docs/issues/4779 Signed-off-by: joshvanl * Adds ref to AWS auth page Signed-off-by: joshvanl --------- Signed-off-by: joshvanl Co-authored-by: Mark Fussell Signed-off-by: Kobbi Gal --- .../hosting/kubernetes/cluster/setup-eks.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md b/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md index 6cff6e58031..b70929ce35e 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md 
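Review bot: In the new bullet, "Actual trigger resolution may vary by runtime" is too vague for an API guarantee; say what the API promises (the schedule accepts sub-second duration values) and what it does not (firing within that precision), and if possible what bounds the resolution. "Cron-based schedules are at the seconds level only" should use lower-case "cron" and clarify that it means the cron expression's smallest unit is seconds, so readers do not read it as standard minute-resolution cron.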
@@ -113,6 +113,29 @@ You should see the following response: ✅ Success! Dapr has been installed to namespace dapr-system. To verify, run `dapr status -k' in your terminal. To get started, go here: https://docs.dapr.io/getting-started ``` +## IAM Roles for Service Accounts (IRSA) + +You can attach custom annotations to the ServiceAccounts created by the `dapr_rbac` Helm subchart—useful for enabling IAM Roles for Service Accounts (IRSA) on AWS EKS. +This enables fine-grained, secure access control for Dapr components using EKS’s IRSA mechanism. +Update your Dapr Helm values files to include the following necessary annotations for the ServiceAccounts. + +See [here]({{% ref authenticating-aws.md %}}) for more information on AWS authentication. + +```yaml +serviceAccount: + operator: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam:::role/operator-role + injector: + annotations: {} + placement: + annotations: {} + scheduler: + annotations: {} + sentry: + annotations: {} +```` + ## Troubleshooting ### Access permissions From b064b215787aa7c50786c77d613bf27be49f6550 Mon Sep 17 00:00:00 2001 From: Josh van Leeuwen Date: Fri, 5 Sep 2025 23:31:55 -0300 Subject: [PATCH 07/17] [1.16] Adds WorkflowsClusteredDeployment (#4831) * [1.16] Adds WorkflowsClusteredDeployment Adds WorkflowsClusteredDeployment feature gate docs. Signed-off-by: joshvanl * Adds second about the executor actor type Signed-off-by: joshvanl * Apply suggestions from code review Co-authored-by: Mark Fussell Signed-off-by: Josh van Leeuwen --------- Signed-off-by: joshvanl Signed-off-by: Josh van Leeuwen Co-authored-by: Mark Fussell Signed-off-by: Kobbi Gal --- .../building-blocks/workflow/workflow-architecture.md | 10 ++++++++++ .../en/operations/support/support-preview-features.md | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) 
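Review bot: The YAML block is opened with three backticks but closed with four (the line reads `+```` `), which leaves the fence unclosed in Hugo; fix the closing fence. The example ARN `arn:aws:iam:::role/operator-role` has an empty account ID field; use a visible placeholder such as `arn:aws:iam::<ACCOUNT_ID>:role/operator-role`. The text says this enables "access control for Dapr components", but the annotations go on the control-plane ServiceAccounts created by the `dapr_rbac` subchart (operator, injector, placement, scheduler, sentry) and the example annotates only the operator; components execute in the daprd sidecar inside the application pod, which runs under the application's ServiceAccount, so clarify which Dapr service actually needs the AWS role here and, for component access, direct readers to annotate the application's ServiceAccount instead. "the following necessary annotations" also overstates it, since only one of the five accounts carries an annotation in the example.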
diff --git a/daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-architecture.md b/daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-architecture.md index 214ec6d2680..2fdd37d1cf8 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-architecture.md +++ b/daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-architecture.md @@ -253,6 +253,16 @@ An example of scheduling a workflow with a start time of "now" in the Go SDK is client.ScheduleNewWorkflow(ctx, "MyCoolWorkflow", workflow.WithStartTime(time.Now())) ``` +## Workflows cluster deployment when using Dapr Shared with workflow + +{{% alert title="Note" color="primary" %}} +The following feature is only available when the [Workflows Clustered Deployment preview feature is enabled]({{% ref "preview-features.md" %}}). +{{% /alert %}} + +When using [Dapr Shared]({{% ref "kubernetes-dapr-shared" %}}), it can be the case that there are multiple daprd sidecars running behind a single load balancer or service. +As such, the instance to which a worker receiving work, may not be the same instance that receives the work result. +Dapr creates a third actor type to handle this scenario: `dapr.internal.{namespace}.{appID}.executor` to handle routing of the worker results back to the correct workflow actor to ensure correct operation. + ## Next steps {{< button text="Author workflows >>" page="howto-author-workflow.md" >}} diff --git a/daprdocs/content/en/operations/support/support-preview-features.md b/daprdocs/content/en/operations/support/support-preview-features.md index 73139b9cd41..1c4734ed998 100644 --- a/daprdocs/content/en/operations/support/support-preview-features.md +++ b/daprdocs/content/en/operations/support/support-preview-features.md 
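Review bot: The alert links `{{% ref "preview-features.md" %}}` while the preview-features page edited in this same patch is `support-preview-features.md`; verify that the ref resolves or the site build will fail. The sentence "As such, the instance to which a worker receiving work, may not be the same instance that receives the work result." is ungrammatical; suggest "As a result, the daprd instance that dispatched work to a worker may not be the instance that receives the result." "a third actor type" presupposes the reader knows the first two; name them or say "an additional actor type". The heading "Workflows cluster deployment when using Dapr Shared with workflow" repeats itself; "Workflows clustered deployment with Dapr Shared" matches the feature-gate name.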
@@ -21,4 +21,5 @@ For CLI there is no explicit opt-in, just the version that this was first made a | **Actor State TTL** | Allow actors to save records to state stores with Time To Live (TTL) set to automatically clean up old data. In its current implementation, actor state with TTL may not be reflected correctly by clients, read [Actor State Transactions]({{% ref actors_api.md %}}) for more information. | `ActorStateTTL` | [Actor State Transactions]({{% ref actors_api.md %}}) | v1.11 | | **Component Hot Reloading** | Allows for Dapr-loaded components to be "hot reloaded". A component spec is reloaded when it is created/updated/deleted in Kubernetes or on file when running in self-hosted mode. Ignores changes to actor state stores and workflow backends. | `HotReload`| [Hot Reloading]({{% ref components-concept.md %}}) | v1.13 | | **Subscription Hot Reloading** | Allows for declarative subscriptions to be "hot reloaded". A subscription is reloaded either when it is created/updated/deleted in Kubernetes, or on file in self-hosted mode. In-flight messages are unaffected when reloading. | `HotReload`| [Hot Reloading]({{% ref "subscription-methods.md#declarative-subscriptions" %}}) | v1.14 | -| **Scheduler Actor Reminders** | Scheduler actor reminders are actor reminders stored in the Scheduler control plane service, as opposed to the Placement control plane service actor reminder system. The `SchedulerReminders` preview feature defaults to `true`, but you can disable Scheduler actor reminders by setting it to `false`. | `SchedulerReminders`| [Scheduler actor reminders]({{% ref "scheduler.md#actor-reminders" %}}) | v1.14 | \ No newline at end of file +| **Scheduler Actor Reminders** | Scheduler actor reminders are actor reminders stored in the Scheduler control plane service, as opposed to the Placement control plane service actor reminder system. 
The `SchedulerReminders` preview feature defaults to `true`, but you can disable Scheduler actor reminders by setting it to `false`. | `SchedulerReminders`| [Scheduler actor reminders]({{% ref "scheduler.md#actor-reminders" %}}) | v1.14 | +| **Workflows Clustered Deployment** | Enable Workflows to function when workflow clients communicate to multiple daprds of the same appID who are behind a loadbalancer. Only relevant when using [Dapr shared]({{% ref "kubernetes-dapr-shared" %}}) | `WorkflowsClusteredDeployment`| [Dapr Shared]({{% ref "kubernetes-dapr-shared" %}}) | v1.16 | From e9ce44d591f55d6bc2cf6a003d5800a60bd17c72 Mon Sep 17 00:00:00 2001 From: Marc Duiker Date: Tue, 16 Sep 2025 16:45:28 +0200 Subject: [PATCH 08/17] Setup 1.17 (#4866) Signed-off-by: Marc Duiker Signed-off-by: Kobbi Gal --- .../{website-v1-16.yml => website-v1-17.yml} | 6 +++--- hugo.yaml | 16 +++++++++------- 2 files changed, 12 insertions(+), 10 deletions(-) rename .github/workflows/{website-v1-16.yml => website-v1-17.yml} (97%) diff --git a/.github/workflows/website-v1-16.yml b/.github/workflows/website-v1-17.yml similarity index 97% rename from .github/workflows/website-v1-16.yml rename to .github/workflows/website-v1-17.yml index 3748ff58c11..568f47f1eb0 100644 --- a/.github/workflows/website-v1-16.yml +++ b/.github/workflows/website-v1-17.yml @@ -1,14 +1,14 @@ -name: Azure Static Web App v1.16 +name: Azure Static Web App v1.17 on: workflow_dispatch: push: branches: - - v1.16 + - v1.17 pull_request: types: [opened, synchronize, reopened, closed] branches: - - v1.16 + - v1.17 jobs: build_and_deploy_job: diff --git a/hugo.yaml b/hugo.yaml index a6e206f75ee..34953ae0732 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -1,4 +1,4 @@ -baseURL: https://v1-16.docs.dapr.io +baseURL: https://v1-17.docs.dapr.io title: Dapr Docs # Output directory for generated site 
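Review bot: In the new "Workflows Clustered Deployment" row, "multiple daprds of the same appID who are behind a loadbalancer" should read "multiple daprd instances with the same app ID behind a load balancer", and the description lacks its terminating period. The "Scheduler Actor Reminders" row is rewritten only to add the trailing newline, which is acceptable, but check that the file now ends with a newline so the next row addition does not produce the same diff again.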
@@ -120,7 +120,7 @@ params: # Menu title if your navbar has a versions selector to access old versions of your site. # This menu appears only if you have at least one [params.versions] set. - version_menu: v1.16 (preview) + version_menu: v1.17 (preview) # Flag used in the "version-banner" partial to decide whether to display a # banner on every page indicating that this is an archived version of the docs. @@ -130,7 +130,7 @@ params: # The version number for the version of the docs represented in this doc set. # Used in the "version-banner" partial to display a version number for the # current doc set. - version: v1.16 + version: v1.17 # A link to latest version of the docs. Used in the "version-banner" partial to # point people to the main doc site. @@ -147,13 +147,15 @@ params: # Uncomment this if your GitHub repo does not have "main" as the default branch, # or specify a new value if you want to reference another branch in your GitHub links - github_branch: v1.16 + github_branch: v1.17 versions: - - version: v1.16 (preview) + - version: v1.17 (preview) url: "#" - - version: v1.15 (latest) - url: "https://docs.dapr.io" + - version: v1.16 (latest) + url: https://docs.dapr.io + - version: v1.15 + url: https://v1-15.docs.dapr.io - version: v1.14 url: https://v1-14.docs.dapr.io - version: v1.13 From fb2127f84ad3b2355830f17d3cd01b58be20a592 Mon Sep 17 00:00:00 2001 From: Albert Callarisa Date: Wed, 22 Oct 2025 12:35:54 +0200 Subject: [PATCH 09/17] Docs for OAuth2 Private Key JWT Ref: https://github.com/dapr/components-contrib/pull/4057 Signed-off-by: Albert Callarisa Signed-off-by: Kobbi Gal --- .../supported-bindings/kafka.md | 12 +- .../supported-pubsub/setup-apache-kafka.md | 125 ++++++++++++++---- 2 files changed, 105 insertions(+), 32 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/kafka.md b/daprdocs/content/en/reference/components-reference/supported-bindings/kafka.md index acd98b337c7..1067fa72c4e 100644 
--- a/daprdocs/content/en/reference/components-reference/supported-bindings/kafka.md +++ b/daprdocs/content/en/reference/components-reference/supported-bindings/kafka.md 
@@ -78,16 +78,20 @@ spec: | `consumeRetryEnabled` | N | Input/Output | Enable consume retry by setting to `"true"`. Default to `false` in Kafka binding component. | `"true"`, `"false"` | | `publishTopic` | Y | Output | The topic to publish to. | `"mytopic"` | | `authRequired` | N | *Deprecated* | Enable [SASL](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) authentication with the Kafka brokers. | `"true"`, `"false"` | -| `authType` | Y | Input/Output | Configure or disable authentication. Supported values: `none`, `password`, `mtls`, or `oidc` | `"password"`, `"none"` | +| `authType` | Y | Input/Output | Configure or disable authentication. Supported values: `none`, `password`, `mtls`, `oidc` or `oidc_private_key_jwt` | `"password"`, `"none"` | | `saslUsername` | N | Input/Output | The SASL username used for authentication. Only required if `authRequired` is set to `"true"`. | `"adminuser"` | | `saslPassword` | N | Input/Output | The SASL password used for authentication. Can be `secretKeyRef` to use a [secret reference]({{% ref component-secrets.md %}}). Only required if `authRequired` is set to `"true"`. | `""`, `"KeFg23!"` | | `saslMechanism` | N | Input/Output | The SASL authentication mechanism you'd like to use. Only required if `authtype` is set to `"password"`. If not provided, defaults to `PLAINTEXT`, which could cause a break for some services, like Amazon Managed Service for Kafka. | `"SHA-512", "SHA-256", "PLAINTEXT"` | | `initialOffset` | N | Input | The initial offset to use if no offset was previously committed. Should be "newest" or "oldest". Defaults to "newest". | `"oldest"` | | `maxMessageBytes` | N | Input/Output | The maximum size in bytes allowed for a single Kafka message. Defaults to 1024. | `"2048"` | -| `oidcTokenEndpoint` | N | Input/Output | Full URL to an OAuth2 identity provider access token endpoint. 
Required when `authType` is set to `oidc` | "https://identity.example.com/v1/token" | -| `oidcClientID` | N | Input/Output | The OAuth2 client ID that has been provisioned in the identity provider. Required when `authType` is set to `oidc` | `"dapr-kafka"` | +| `oidcTokenEndpoint` | N | Input/Output | Full URL to an OAuth2 identity provider access token endpoint. Required when `authType` is set to `oidc` or `oidc_private_key_jwt` | "https://identity.example.com/v1/token" | +| `oidcClientID` | N | Input/Output | The OAuth2 client ID that has been provisioned in the identity provider. Required when `authType` is set to `oidc` or `oidc_private_key_jwt` | `"dapr-kafka"` | | `oidcClientSecret` | N | Input/Output | The OAuth2 client secret that has been provisioned in the identity provider: Required when `authType` is set to `oidc` | `"KeFg23!"` | -| `oidcScopes` | N | Input/Output | Comma-delimited list of OAuth2/OIDC scopes to request with the access token. Recommended when `authType` is set to `oidc`. Defaults to `"openid"` | `"openid,kafka-prod"` | +| `oidcScopes` | N | Input/Output | Comma-delimited list of OAuth2/OIDC scopes to request with the access token. Recommended when `authType` is set to `oidc` or `oidc_private_key_jwt`. Defaults to `"openid"` | `"openid,kafka-prod"` | +| `oidcClientAssertionCert` | N | Input/Output | The OAuth2 client assertion certificate used for authentication. Required when `authType` is set to `oidc_private_key_jwt`. Can be `secretKeyRef` to use a secret reference | `"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"` | +| `oidcClientAssertionKey` | N | Input/Output | The OAuth2 client assertion key used for authentication. Required when `authType` is set to `oidc_private_key_jwt`. Can be `secretKeyRef` to use a secret reference | `"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"` | +| `oidcResource` | N | Input/Output | The OAuth2 resource to request with the access token. 
Recommended when `authType` is set to `oidc_private_key_jwt`. | `"api://kafka"` | +| `oidcAudience` | N | Input/Output | The OAuth2 audience to request with the access token. Recommended when `authType` is set to `oidc_private_key_jwt`. | `"http:///realms/local"` | | `version` | N | Input/Output | Kafka cluster version. Defaults to 2.0.0. Please note that this needs to be mandatorily set to `1.0.0` for EventHubs with Kafka. | `"1.0.0"` | | `direction` | N | Input/Output | The direction of the binding. | `"input"`, `"output"`, `"input, output"` | | `oidcExtensions` | N | Input/Output | String containing a JSON-encoded dictionary of OAuth2/OIDC extensions to request with the access token | `{"cluster":"kafka","poolid":"kafkapool"}` | diff --git a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-apache-kafka.md b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-apache-kafka.md index 8e4e95d74ea..d4d59c8e034 100644 --- a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-apache-kafka.md +++ b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-apache-kafka.md @@ -75,7 +75,7 @@ spec: value: "true" - name: escapeHeaders # Optional. value: false - + ``` > For details on using `secretKeyRef`, see the guide on [how to reference secrets in components]({{% ref component-secrets.md %}}). 
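Review bot: the `oidcAudience` example in the bindings table, `"http:///realms/local"`, has an empty host (three slashes) and will be copied as-is; use an obviously fake but well-formed value such as `"https://identity.example.com/realms/local"`, matching the `oidcTokenEndpoint` example in the same table. For `oidcClientAssertionKey`, the description only says it "Can be `secretKeyRef`", yet this is the private key that signs the client assertion; state that it should be supplied through a secret reference rather than inline, which is what the YAML example later in this PR does. It is also worth saying which key encodings are accepted (the example shows a PKCS#1 `BEGIN RSA PRIVATE KEY` block; say whether PKCS#8 or EC keys are supported) and what `oidcClientAssertionCert` is used for, since readers will ask why a certificate is needed when the assertion is signed with the key.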
@@ -89,7 +89,7 @@ spec: | consumerID | N | Consumer ID (consumer tag) organizes one or more consumers into a group. Consumers with the same consumer ID work as one virtual consumer; for example, a message is processed only once by one of the consumers in the group. If the `consumerID` is not provided, the Dapr runtime set it to the Dapr application ID (`appID`) value. If a value for `consumerGroup` is provided, any value for `consumerID` is ignored - a combination of the consumer group and a random unique identifier will be set for the `consumerID` instead. | Can be set to string value (such as `"channel1"` in the example above) or string format value (such as `"{podName}"`, etc.). [See all of template tags you can use in your component metadata.]({{% ref "component-schema.md#templated-metadata-values" %}}) | clientID | N | A user-provided string sent with every request to the Kafka brokers for logging, debugging, and auditing purposes. Defaults to `"namespace.appID"` for Kubernetes mode or `"appID"` for Self-Hosted mode. | `"my-namespace.my-dapr-app"`, `"my-dapr-app"` | authRequired | N | *Deprecated* Enable [SASL](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) authentication with the Kafka brokers. | `"true"`, `"false"` -| authType | Y | Configure or disable authentication. Supported values: `none`, `password`, `mtls`, `oidc` or `awsiam` | `"password"`, `"none"` +| authType | Y | Configure or disable authentication. Supported values: `none`, `password`, `mtls`, `oidc`, `oidc_private_key_jwt` or `awsiam` | `"password"`, `"none"` | saslUsername | N | The SASL username used for authentication. Only required if `authType` is set to `"password"`. | `"adminuser"` | saslPassword | N | The SASL password used for authentication. Can be `secretKeyRef` to use a [secret reference]({{% ref component-secrets.md %}}). Only required if `authType is set to `"password"`. 
| `""`, `"KeFg23!"` | saslMechanism | N | The SASL Authentication Mechanism you wish to use. Only required if `authType` is set to `"password"`. Defaults to `PLAINTEXT` | `"SHA-512", "SHA-256", "PLAINTEXT"` 
@@ -103,10 +103,14 @@ spec: | clientKey | N | Client key, required for `authType` `mtls` Can be `secretKeyRef` to use a secret reference | `"-----BEGIN RSA PRIVATE KEY-----\n\n-----END RSA PRIVATE KEY-----"` | skipVerify | N | Skip TLS verification, this is not recommended for use in production. Defaults to `"false"` | `"true"`, `"false"` | | disableTls | N | Disable TLS for transport security. To disable, you're not required to set value to `"true"`. This is not recommended for use in production. Defaults to `"false"`. | `"true"`, `"false"` | -| oidcTokenEndpoint | N | Full URL to an OAuth2 identity provider access token endpoint. Required when `authType` is set to `oidc` | "https://identity.example.com/v1/token" | -| oidcClientID | N | The OAuth2 client ID that has been provisioned in the identity provider. Required when `authType` is set to `oidc` | `dapr-kafka` | +| oidcTokenEndpoint | N | Full URL to an OAuth2 identity provider access token endpoint. Required when `authType` is set to `oidc` or `oidc_private_key_jwt` | "https://identity.example.com/v1/token" | +| oidcClientID | N | The OAuth2 client ID that has been provisioned in the identity provider. Required when `authType` is set to `oidc` or `oidc_private_key_jwt` | `dapr-kafka` | | oidcClientSecret | N | The OAuth2 client secret that has been provisioned in the identity provider: Required when `authType` is set to `oidc` | `"KeFg23!"` | -| oidcScopes | N | Comma-delimited list of OAuth2/OIDC scopes to request with the access token. Recommended when `authType` is set to `oidc`. Defaults to `"openid"` | `"openid,kafka-prod"` | +| oidcScopes | N | Comma-delimited list of OAuth2/OIDC scopes to request with the access token. Recommended when `authType` is set to `oidc` or `oidc_private_key_jwt`. Defaults to `"openid"` | `"openid,kafka-prod"` | +| oidcClientAssertionCert | N | The OAuth2 client assertion certificate used for authentication. Required when `authType` is set to `oidc_private_key_jwt`. 
Can be `secretKeyRef` to use a secret reference | `"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"` | +| oidcClientAssertionKey | N | The OAuth2 client assertion key used for authentication. Required when `authType` is set to `oidc_private_key_jwt`. Can be `secretKeyRef` to use a secret reference | `"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"` | +| oidcResource | N | The OAuth2 resource to request with the access token. Recommended when `authType` is set to `oidc_private_key_jwt`. | `"api://kafka"` | +| oidcAudience | N | The OAuth2 audience to request with the access token. Recommended when `authType` is set to `oidc_private_key_jwt`. | `"http:///realms/local"` | | oidcExtensions | N | String containing a JSON-encoded dictionary of OAuth2/OIDC extensions to request with the access token | `{"cluster":"kafka","poolid":"kafkapool"}` | | awsRegion | N | This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use 'region' instead. The AWS region where the Kafka cluster is deployed to. Required when `authType` is set to `awsiam` | `us-west-1` | | awsAccessKey | N | This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use 'accessKey' instead. AWS access key associated with an IAM account. | `"accessKey"` 
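Review bot: the same issues as in the bindings table apply to this pub/sub table hunk: the `oidcAudience` example `"http:///realms/local"` has an empty host, and `oidcClientAssertionKey` should direct readers to `secretKeyRef` rather than merely permit it. In addition, `oidcResource` and `oidcAudience` are marked "Recommended" for `oidc_private_key_jwt` without saying what each value is sent as in the token request or how the broker uses it; one clause per row would let operators decide whether and how to set them.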
@@ -140,12 +144,13 @@ The metadata `version` must be set to `1.0.0` when using Azure EventHubs with Ka Kafka supports a variety of authentication schemes and Dapr supports several: SASL password, mTLS, OIDC/OAuth2. With the added authentication methods, the `authRequired` field has been deprecated from the v1.6 release and instead the `authType` field should be used. If `authRequired` is set to `true`, Dapr will attempt to configure `authType` correctly -based on the value of `saslPassword`. The valid values for `authType` are: +based on the value of `saslPassword`. The valid values for `authType` are: - `none` - `password` - `certificate` - `mtls` -- `oidc` +- `oidc` +- `oidc_private_key_jwt` - `awsiam` {{% alert title="Note" color="primary" %}} 
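Review bot: the valid-values list for `authType` now includes `oidc_private_key_jwt` but still lists `certificate`, which does not appear in the "Supported values" cell of either metadata table in this PR (`none`, `password`, `mtls`, `oidc`, `oidc_private_key_jwt`, `awsiam`); either drop it from the list or add it to the tables so the two places agree. The lead sentence of this paragraph ("Kafka supports a variety of authentication schemes and Dapr supports several: SASL password, mTLS, OIDC/OAuth2") should also name the new private key JWT option and AWS IAM, since both are in the list that follows it.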
@@ -335,6 +340,70 @@ spec: value: 0.10.2.0 ``` +#### OAuth2 Private Key JWT + +Setting `authType` to `oidc_private_key_jwt` enables SASL authentication via the **OAUTHBEARER** mechanism. This supports specifying a private key JWT from an external OAuth2 or [OIDC](https://en.wikipedia.org/wiki/OpenID) identity provider. Currently, only the **client_credentials** grant is supported. + +Configure `oidcTokenEndpoint` to the full URL for the identity provider access token endpoint. + +Set `oidcClientID` to the client ID, `oidcClientAssertionCert` to the client assertion certificate and `oidcClientAssertionKey` to the client assertion key provisioned in the identity provider. + +If `caCert` is specified in the component configuration, the certificate is appended to the system CA trust for verifying the identity provider certificate. Similarly, if `skipVerify` is specified in the component configuration, verification will also be skipped when accessing the identity provider. + +By default, the only scope requested for the token is `openid`; it is **highly** recommended that additional scopes be specified via `oidcScopes` in a comma-separated list and validated by the Kafka broker. If additional scopes are not used to narrow the validity of the access token, +a compromised Kafka broker could replay the token to access other services as the Dapr clientID. + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: kafka-pubsub +spec: + type: pubsub.kafka + version: v1 + metadata: + - name: brokers # Required. Kafka broker connection setting + value: "dapr-kafka.myapp.svc.cluster.local:9092" + - name: consumerGroup # Optional. Used for input bindings. + value: "group1" + - name: clientID # Optional. Used as client tracing ID by Kafka brokers. + value: "my-dapr-app-id" + - name: authType # Required. + value: "oidc_private_key_jwt" + - name: oidcTokenEndpoint # Required if authType is `oidc_private_key_jwt`. 
+ value: "https://identity.example.com/v1/token" + - name: oidcClientID # Required if authType is `oidc_private_key_jwt`. + value: "dapr-myapp" + - name: oidcClientAssertionCert # Required if authType is `oidc_private_key_jwt`. + secretKeyRef: + name: kafka-tls + key: oidcClientAssertionCert + - name: oidcClientAssertionKey # Required if authType is `oidc_private_key_jwt`. + secretKeyRef: + name: kafka-tls + key: oidcClientAssertionKey + - name: oidcScopes # Recommended if authType is `oidc_private_key_jwt`. + value: "openid,kafka-dev" + - name: oidcResource # Optional. + value: "api://kafka" + - name: oidcAudience # Optional. + value: "http:///realms/local" + - name: caCert # Optional. + secretKeyRef: + name: kafka-tls + key: caCert + - name: maxMessageBytes # Optional. + value: 1024 + - name: consumeRetryInterval # Optional. + value: 200ms + - name: heartbeatInterval # Optional. + value: 5s + - name: sessionTimeout # Optional. + value: 15s + - name: version # Optional. + value: 0.10.2.0 +``` + #### AWS IAM Authenticating with AWS IAM is supported with MSK. Setting `authType` to `awsiam` uses AWS SDK to generate auth tokens to authenticate. 
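Review bot: the first paragraph of the new section should say what `oidc_private_key_jwt` changes relative to `oidc`: the client authenticates to the token endpoint with a JWT assertion it signs with `oidcClientAssertionKey` instead of presenting `oidcClientSecret`, so no shared client secret is held on the Dapr side; "This supports specifying a private key JWT from an external ... identity provider" does not convey that. Two consistency points in the YAML example: `oidcResource` and `oidcAudience` are commented `# Optional.` while the tables in this PR call them "Recommended", and `oidcAudience` again uses `"http:///realms/local"` with an empty host. The replay caveat (a compromised broker replaying the token as the Dapr clientID) carried over from the `oidc` section is the right one to keep; an audience-restricted token narrows that exposure further, which argues for documenting `oidcAudience` as recommended rather than optional.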
@@ -418,9 +487,9 @@ auth: ## Consuming from multiple topics -When consuming from multiple topics using a single pub/sub component, there is no guarantee about how the consumers in your consumer group are balanced across the topic partitions. +When consuming from multiple topics using a single pub/sub component, there is no guarantee about how the consumers in your consumer group are balanced across the topic partitions. -For instance, let's say you are subscribing to two topics with 10 partitions per topic and you have 20 replicas of your service consuming from the two topics. There is no guarantee that 10 will be assigned to the first topic and 10 to the second topic. Instead, the partitions could be divided unequally, with more than 10 assigned to the first topic and the rest assigned to the second topic. +For instance, let's say you are subscribing to two topics with 10 partitions per topic and you have 20 replicas of your service consuming from the two topics. There is no guarantee that 10 will be assigned to the first topic and 10 to the second topic. Instead, the partitions could be divided unequally, with more than 10 assigned to the first topic and the rest assigned to the second topic. This can result in idle consumers listening to the first topic and over-extended consumers on the second topic, or vice versa. This same behavior can be observed when using auto-scalers such as HPA or KEDA. @@ -475,7 +544,7 @@ Apache Kafka supports the following bulk metadata options: When invoking the Kafka pub/sub, its possible to provide an optional partition key by using the `metadata` query param in the request url. -The param name can either be `partitionKey` or `__key` +The param name can either be `partitionKey` or `__key` Example: 
@@ -552,7 +621,7 @@ app.include_router(router) ## Receiving message headers with special characters -The consumer application may be required to receive message headers that include special characters, which may cause HTTP protocol validation errors. +The consumer application may be required to receive message headers that include special characters, which may cause HTTP protocol validation errors. HTTP header values must follow specifications, making some characters not allowed. [Learn more about the protocols](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2). In this case, you can enable `escapeHeaders` configuration setting, which uses URL escaping to encode header values on the consumer side. 
@@ -593,13 +662,13 @@ Currently, only message value serialization/deserialization is supported. Since Please note that `rawPayload=true` should NOT be set for consumers, as the message value will be wrapped into a CloudEvent and base64-encoded. Leaving `rawPayload` as default (i.e. `false`) will send the Avro-decoded message to the application as a JSON payload. -When setting the `useAvroJson` component metadata to `true`, the inbound/outbound Avro binary is converted into/from Avro JSON encoding. -This can be preferable when accurate type mapping is desirable. -The default is standard JSON which is typically easier to bind to a native type in an application. +When setting the `useAvroJson` component metadata to `true`, the inbound/outbound Avro binary is converted into/from Avro JSON encoding. +This can be preferable when accurate type mapping is desirable. +The default is standard JSON which is typically easier to bind to a native type in an application. {{% /alert %}} When configuring the Kafka pub/sub component metadata, you must define: -- The schema registry URL +- The schema registry URL - The API key/secret, if applicable Schema subjects are automatically derived from topic names, using the standard naming convention. For example, for a topic named `my-topic`, the schema subject will be `my-topic-value`. 
@@ -679,16 +748,16 @@ app.include_router(router) ``` {{% /tab %}} -{{< /tabpane >}} +{{< /tabpane >}} ### Avoiding downstream side effects when publishing messages requiring custom metadata -Dapr allows customizing the publishing behavior by setting custom publish metadata. +Dapr allows customizing the publishing behavior by setting custom publish metadata. For instance, to publish in avro format, it is required to set the `valueSchemaType=Avro` metadata. However, by default these metadata items get converted to Kafka headers and published along with the message. This default behavior is very helpful for instance to forward tracing headers across a chain of publishers/consumers. -In certain scenario, however, it has unwanted side effects. +In certain scenario, however, it has unwanted side effects. Let's assume you consume an Avro message using Dapr with the headers above.If this message cannot be consumed successfully and configured to be sent to a dead letter topic, `valueSchemaType=Avro` will be automatically carried forward when publishing to the dead letter topic, requiring the set up of a schema associated with this topic. In many scenarios, it is preferable to publish dead letter messages in JSON only, as complying to a determined schema is not possible. To avoid this behavior, the kafka-pubsub component can be configured to exclude certain metadata keys from being converted to/from headers. 
@@ -709,24 +778,24 @@ metadata: ``` ### Overriding default consumer group rebalancing -In Kafka, rebalancing strategies determine how partitions are assigned to consumers within a consumer group. The default strategy is "range", but "roundrobin" and "sticky" are also available. +In Kafka, rebalancing strategies determine how partitions are assigned to consumers within a consumer group. The default strategy is "range", but "roundrobin" and "sticky" are also available. - `Range`: -Partitions are assigned to consumers based on their lexicographical order. -If you have three partitions (0, 1, 2) and two consumers (A, B), consumer A might get partitions 0 and 1, while consumer B gets partition 2. +Partitions are assigned to consumers based on their lexicographical order. +If you have three partitions (0, 1, 2) and two consumers (A, B), consumer A might get partitions 0 and 1, while consumer B gets partition 2. - `RoundRobin`: -Partitions are assigned to consumers in a round-robin fashion. -With the same example above, consumer A might get partitions 0 and 2, while consumer B gets partition 1. +Partitions are assigned to consumers in a round-robin fashion. +With the same example above, consumer A might get partitions 0 and 2, while consumer B gets partition 1. - `Sticky`: -This strategy aims to preserve previous assignments as much as possible while still maintaining a balanced distribution. -If a consumer leaves or joins the group, only the affected partitions are reassigned, minimizing disruption. +This strategy aims to preserve previous assignments as much as possible while still maintaining a balanced distribution. +If a consumer leaves or joins the group, only the affected partitions are reassigned, minimizing disruption. #### Choosing a Strategy: - `Range`: -Simple to understand and implement, but can lead to uneven distribution if partition sizes vary significantly. 
+Simple to understand and implement, but can lead to uneven distribution if partition sizes vary significantly. - `RoundRobin`: -Provides a good balance in many cases, but might not be optimal if message keys are unevenly distributed. +Provides a good balance in many cases, but might not be optimal if message keys are unevenly distributed. - `Sticky`: -Generally preferred for its ability to minimize disruption during rebalances, especially when dealing with a large number of partitions or frequent consumer group changes. +Generally preferred for its ability to minimize disruption during rebalances, especially when dealing with a large number of partitions or frequent consumer group changes. ## Create a Kafka instance From cd4cad714adde256c496b8677e575ebf530ad22a Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Thu, 30 Oct 2025 14:41:39 -0400 Subject: [PATCH 10/17] Add Akeyless Secret Store Documentation Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 224 ++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md new file mode 100644 index 00000000000..3415649f690 --- /dev/null +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md 
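Review bot: the hunks in setup-apache-kafka.md from `@@ -418,9` through `@@ -709,24` only strip trailing whitespace from context lines (consuming from multiple topics, partition key, special-character headers, Avro, tabpane, custom metadata, rebalancing); they are unrelated to the private key JWT feature and enlarge the diff. Consider moving them to a separate cleanup commit, or, if they stay, fix the visible typo in the custom-metadata paragraph while there: "with the headers above.If this message" is missing a space after the period.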
@@ -0,0 +1,224 @@ +--- +type: docs +title: "Akeyless" +linkTitle: "Akeyless" +description: Information about the Akeyless secret store component configuration. +--- + +## Create the Akeyless component + +To setup Akeyless secret store create a component of type `secretstores.akeyless`. See [this guide]({{% ref "setup-secret-store.md#apply-the-configuration" %}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{% ref component-secrets.md %}}) to retrieve and use the secret with Dapr components. + + +## Component Format + +```yaml +schemaVersion: v1 +type: secretstores +name: akeyless +version: v1 +status: beta +title: "Akeyless Secret Store" +urls: + - title: Reference + url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/akeyless/ +authenticationProfiles: + - title: API Key + description: Authenticate using an API key. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: accessKey + required: true + description: The Akeyless API key. + example: "ABCD1233...=" + type: string + sensitive: true + - title: JWT + description: Authenticate using a JSON Web Token. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: jwt + required: true + description: The JSON Web Token. + example: "eyJ..." + type: string + sensitive: true + - title: AWS IAM + description: Authenticate using AWS IAM. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - title: Kubernetes + description: Authenticate using Kubernetes. + metadata: + - name: accessId + required: true + description: The Akeyless Access ID. + example: "p-123456780wm" + type: string + - name: k8sAuthConfigName + required: true + description: The name of the k8s auth config. 
+ example: "k8s-auth-config" + type: string + - name: k8sGatewayUrl + required: true + description: The gateway URL that where the k8s auth config is located. + example: "http://gw.akeyless.svc.cluster.local:8000" + type: string + - name: k8sServiceAccountToken + required: true + description: The service account token. + example: "eyJ..." + type: string + sensitive: true +metadata: + - name: gatewayUrl + required: false + description: | + The URL to the Akeyless Gateway API. Default is https://api.akeyless.io. + default: "https://api.akeyless.io" + example: "https://your.akeyless.gw" + type: string +``` + +## Spec metadata fields + +| Field | Required | Details | Example | +|--------------------|:--------:|-------------------------------------------------------------------------|---------------------| +| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | +| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890` | +| `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | +| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `eyJ...` | +| `k8sAuthConfigName` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method | `my-k8s-auth-conf` | +| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | +| `k8sServiceAccountToken` | N | Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. 
If not filled in, will read from k8s token in container filesystem | `ej...` | + + +## Authentication Methods + +We currently support the following authentication methods: + +### [API Key](https://docs.akeyless.io/docs/api-key) + + + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." + - name: accessKey + value: "ABCD1233...=" +``` + +### [AWS IAM](https://docs.akeyless.io/docs/aws-iam) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." +``` + +### [OAuth2.0/JWT](https://docs.akeyless.io/docs/oauth20jwt) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "https://api.akeyless.io" + - name: accessId + value: "p-123..." + - name: jwt + value: "eyJ..." +``` + +### [Kubernetes](https://docs.akeyless.io/docs/kubernetes-auth) + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: + - name: gatewayUrl + value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2" + - name: accessID + value: "p-123..." + - name: k8sAuthConfigName + value: "my-k8s-auth-config" + - name: k8sGatewayUrl + value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2" + - name: k8sServiceAccountToken + value: "eyJ..." +``` + +{{% alert title="Warning" color="warning" %}} +The above examples use secrets as plain strings. 
It is recommended to use a local secret store such as [Kubernetes secret store]({{% ref kubernetes-secret-store.md %}}) or a [local file]({{% ref file-secret-store.md %}}) to bootstrap secure key storage. +{{% /alert %}} + + +## Retrieve secrets + +You can retrieve secrets from Akeyless using the Dapr secrets API: + +```bash +curl http://localhost:3500/v1.0/secrets/akeyless/my-secret +``` + +This returns the secret value stored in Akeyless with the name `my-secret`. + +## Setup Akeyless instance + +To get started with Akeyless: + +1. Sign up for an Akeyless account at [https://www.akeyless.io](https://www.akeyless.io) +2. Create an Access ID and configure your preferred authentication method. +3. Set up your secrets in the Akeyless. +4. Configure the Dapr component using one of the authentication methods above. + +For more detailed setup instructions, refer to the [Akeyless documentation](https://docs.akeyless.io/). + +## Related links + +- [Secrets building block]({{% ref secrets %}}) +- [How-To: Retrieve a secret]({{% ref "howto-secrets.md" %}}) +- [How-To: Reference secrets in Dapr components]({{% ref component-secrets.md %}}) +- [Secrets API reference]({{% ref secrets_api.md %}}) \ No newline at end of file From 2dc06c1e1162290069184c07652b26c99337af43 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Tue, 11 Nov 2025 13:18:26 -0500 Subject: [PATCH 11/17] added metadata params path,secrets_type to bulk Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 145 ++++++++++-------- 1 file changed, 80 insertions(+), 65 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 3415649f690..5f8a8a6805b 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md 
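Review bot: the spec metadata table references a field that does not exist: `k8sGatewayUrl` says it defaults to the value of `akeylessGWApiURL`, but the only gateway field defined on this page is `gatewayUrl`. In the same table the Access ID field is spelled `accessID` while three of the four YAML examples use `accessId` (the Kubernetes example uses `accessID`); pick one spelling and use it in the table, the schema block and all four examples. The "Component Format" block is the component metadata bundle (`schemaVersion`, `authenticationProfiles`) rather than a `dapr.io/v1alpha1` Component manifest, so readers who try to apply it will fail; show the manifest there and keep the bundle, if at all, for reference. The Kubernetes example also sends `k8sServiceAccountToken`, a bearer credential, to a plain `http://` gateway URL; either use an https endpoint in the example or state when plaintext inside the cluster is acceptable. Smaller items: `jwt` and `k8sServiceAccountToken` are described as a "base64-encoded string of the JWT" although the examples (`eyJ...`) are JWTs as-is, the `k8sServiceAccountToken` example column reads `ej...` instead of `eyJ...`, "Set up your secrets in the Akeyless." has a stray "the", and the file lacks a trailing newline.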
@@ -13,6 +13,7 @@ To setup Akeyless secret store create a component of type `secretstores.akeyless ## Component Format ```yaml +# yaml-language-server: $schema=../../component-metadata-schema.json schemaVersion: v1 type: secretstores name: akeyless @@ -22,67 +23,6 @@ title: "Akeyless Secret Store" urls: - title: Reference url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/akeyless/ -authenticationProfiles: - - title: API Key - description: Authenticate using an API key. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: accessKey - required: true - description: The Akeyless API key. - example: "ABCD1233...=" - type: string - sensitive: true - - title: JWT - description: Authenticate using a JSON Web Token. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: jwt - required: true - description: The JSON Web Token. - example: "eyJ..." - type: string - sensitive: true - - title: AWS IAM - description: Authenticate using AWS IAM. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - title: Kubernetes - description: Authenticate using Kubernetes. - metadata: - - name: accessId - required: true - description: The Akeyless Access ID. - example: "p-123456780wm" - type: string - - name: k8sAuthConfigName - required: true - description: The name of the k8s auth config. - example: "k8s-auth-config" - type: string - - name: k8sGatewayUrl - required: true - description: The gateway URL that where the k8s auth config is located. - example: "http://gw.akeyless.svc.cluster.local:8000" - type: string - - name: k8sServiceAccountToken - required: true - description: The service account token. - example: "eyJ..." - type: string - sensitive: true metadata: - name: gatewayUrl required: false 
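Review bot: Removing the whole `authenticationProfiles` block in the second hunk also removes the only place that said which fields belong to which method and which are `sensitive: true` per profile; once every auth field is flattened under `metadata`, a reader can no longer tell that `accessKey`, `jwt` and the `k8s*` fields are mutually exclusive. If the metadata schema no longer supports profiles, put the method-to-field mapping in the `accessId` description or in the prose table, and keep `sensitive: true` on `accessKey`, `jwt` and `k8sServiceAccountToken` in the flattened entries.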
@@ -91,6 +31,46 @@ metadata: default: "https://api.akeyless.io" example: "https://your.akeyless.gw" type: string + - name: accessId + required: true + description: | + The Akeyless Access ID. Currently supported authentication methods are: API keys (`access_key`, default), JWT (`jwt`) and AWS IAM (`aws_iam`). + example: "p-123456780wm" + type: string + - name: jwt + required: false + description: | + If using the JWT authentication method, specify it here. + example: "eyJ..." + type: string + sensitive: true + - name: accessKey + required: false + description: | + If using the API key (access_key) authentication method, specify it here. + example: "ABCD1233...=" + type: string + sensitive: true + - name: k8sAuthConfigName + required: false + description: | + If using the k8s auth method, specify the name of the k8s auth config. + example: "k8s-auth-config" + type: string + - name: k8sGatewayUrl + required: false + description: | + The gateway URL that where the k8s auth config is located. + example: "http://gw.akeyless.svc.cluster.local:8000" + type: string + - name: k8sServiceAccountToken + required: false + description: | + If using the k8s auth method, specify the service account token. If not specified, + we will try to read it from the default service account token file. + example: "eyJ..." + type: string + sensitive: true ``` ## Spec metadata fields @@ -112,8 +92,6 @@ We currently support the following authentication methods: ### [API Key](https://docs.akeyless.io/docs/api-key) - - ```yaml apiVersion: dapr.io/v1alpha1 kind: Component 
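Review bot: The `accessId` description in this hunk lists "API keys (`access_key`, default), JWT (`jwt`) and AWS IAM (`aws_iam`)" as the supported methods, yet the same hunk adds `k8sAuthConfigName`, `k8sGatewayUrl` and `k8sServiceAccountToken` for Kubernetes auth; add `k8s` to that list. "The gateway URL that where the k8s auth config is located." should read "The gateway URL where the k8s auth config is located." The `k8sServiceAccountToken` fallback ("we will try to read it from the default service account token file") should name the file it reads, for example whether it is the standard projected path `/var/run/secrets/kubernetes.io/serviceaccount/token`, so operators know which mount must exist in the sidecar.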
@@ -197,13 +175,50 @@ The above examples use secrets as plain strings. It is recommended to use a loca ## Retrieve secrets -You can retrieve secrets from Akeyless using the Dapr secrets API: +Once configured, you can retrieve secrets using the Dapr secrets API: ```bash +# Get a single secret curl http://localhost:3500/v1.0/secrets/akeyless/my-secret + +# Get all secrets (static, dynamic, rotated) from root (/) path +curl http://localhost:3500/v1.0/secrets/akeyless/bulk + +# Get all secrets static secrets +curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static + +# Get all static and dynamic secrets from a specific path (/my/org) +curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org ``` -This returns the secret value stored in Akeyless with the name `my-secret`. +Or using the Dapr SDK. The example below retrieves all static secrets from path `/path/to/department`: + +```go +log.Println("Starting test application") + client, err := dapr.NewClient() + if err != nil { + log.Printf("Error creating Dapr client: %v\n", err) + panic(err) + } + log.Println("Dapr client created successfully") + const daprSecretStore = "akeyless" + + defer client.Close() + ctx := context.Background() + akeylessBulkMetadata := map[string]string{ + "path": "/path/to/department", + "secrets_type": "static", + } + secrets, err := client.GetBulkSecret(ctx, daprSecretStore, akeylessBulkMetadata) + if err != nil { + log.Printf("Error fetching secrets: %v\n", err) + panic(err) + } + log.Printf("Found %d secrets: ", len(secrets)) + for secretName, secretValue := range secrets { + log.Printf("Secret: %s, Value: %s", secretName, secretValue) + } +``` ## Setup Akeyless instance From 17ce5097fb420e1f23e39f08e558b93a84ed3067 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Tue, 11 Nov 2025 13:25:09 -0500 Subject: [PATCH 12/17] added note about failing retrieval of secret when using bulk api 
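Review bot: The last `curl` line in this hunk, `curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org`, does not work as written: the unquoted `&` backgrounds `curl` with only the `secrets_type` parameter and the shell treats `metadata.path=/my/org` as a separate command, so the `path` filter is never sent. Wrap the URL in single quotes. In the Go sample, `log.Printf("Secret: %s, Value: %s", secretName, secretValue)` writes every secret value to the log; since readers copy reference samples into real services, print only the names (or the count). The sample also lacks `package main`, imports and `func main()`, its first line is unindented relative to the rest, and `log.Printf("Found %d secrets: ", ...)` ends with a dangling ": ". Typo in the comment: "Get all secrets static secrets".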
Signed-off-by: Kobbi Gal --- .../components-reference/supported-secret-stores/akeyless.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 5f8a8a6805b..2b58e099f67 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md @@ -220,6 +220,10 @@ log.Println("Starting test application") } ``` +{{% alert title="Failing Retrieval in Bulk" color="info" %}} +When retrieving secrets using the bulk API, all successfully-retrieved secrets will be returned and failed ones will be logged in the component log. +{{% /alert %}} + ## Setup Akeyless instance To get started with Akeyless: From 7b9277f0d7689fc160172e57746ebb1ad36b3891 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Thu, 4 Dec 2025 14:40:12 -0500 Subject: [PATCH 13/17] review fixes Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 85 ++++++------------- 1 file changed, 24 insertions(+), 61 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 2b58e099f67..26795c0cfbe 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md 
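Review bot: The new alert says failed secrets "will be logged in the component log" but not at which level, nor that the HTTP or SDK caller gets a successful response with a partial result and no list of skipped names. State the log level and spell out that a name missing from the bulk response can mean either "does not exist" or "failed to fetch", so callers that need completeness must check for the names they expect. Also, "successfully-retrieved" needs no hyphen.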
@@ -13,82 +13,44 @@ To setup Akeyless secret store create a component of type `secretstores.akeyless ## Component Format ```yaml -# yaml-language-server: $schema=../../component-metadata-schema.json -schemaVersion: v1 -type: secretstores -name: akeyless -version: v1 -status: beta -title: "Akeyless Secret Store" -urls: - - title: Reference - url: https://docs.dapr.io/reference/components-reference/supported-secret-stores/akeyless/ +apiVersion: dapr.io/v1alpha1 +kind: Component metadata: + name: akeyless +spec: + type: secretstores.akeyless + version: v1 + metadata: - name: gatewayUrl - required: false - description: | - The URL to the Akeyless Gateway API. Default is https://api.akeyless.io. - default: "https://api.akeyless.io" - example: "https://your.akeyless.gw" - type: string + value: "http://gw.akeyless.svc.cluster.local/api/v2" - name: accessId - required: true - description: | - The Akeyless Access ID. Currently supported authentication methods are: API keys (`access_key`, default), JWT (`jwt`) and AWS IAM (`aws_iam`). - example: "p-123456780wm" - type: string - - name: jwt - required: false - description: | - If using the JWT authentication method, specify it here. - example: "eyJ..." - type: string - sensitive: true + value: "p-abcdefg1234am" - name: accessKey - required: false - description: | - If using the API key (access_key) authentication method, specify it here. - example: "ABCD1233...=" - type: string - sensitive: true + value: "abcd/1234=" + - name: jwt + value: "ZXlKa..." - name: k8sAuthConfigName - required: false - description: | - If using the k8s auth method, specify the name of the k8s auth config. - example: "k8s-auth-config" - type: string - - name: k8sGatewayUrl - required: false - description: | - The gateway URL that where the k8s auth config is located. 
- example: "http://gw.akeyless.svc.cluster.local:8000" - type: string + value: aks-cluster-1-auth-conf - name: k8sServiceAccountToken - required: false - description: | - If using the k8s auth method, specify the service account token. If not specified, - we will try to read it from the default service account token file. - example: "eyJ..." - type: string - sensitive: true + value: "Z1234ch/sasw1..." ``` ## Spec metadata fields | Field | Required | Details | Example | |--------------------|:--------:|-------------------------------------------------------------------------|---------------------| -| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | -| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890` | +| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw.akeyless.svc.cluster.local:8000/api/v2` | +| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890am` | | `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | -| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `eyJ...` | +| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `base64 -i "eyJ..."` | | `k8sAuthConfigName` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method | `my-k8s-auth-conf` | -| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw-release.akeyless.svc.cluster.local:8000/api/v2` | -| `k8sServiceAccountToken` | N | Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. 
If not filled in, will read from k8s token in container filesystem | `ej...` | +| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw.akeyless.svc.cluster.local:8000` | +| `k8sServiceAccountToken` | N | Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will read from k8s token in container filesystem | ``base64 -i "eyJ..."`` | ## Authentication Methods -We currently support the following authentication methods: +The following authentication methods are supported: ### [API Key](https://docs.akeyless.io/docs/api-key) @@ -142,7 +104,7 @@ spec: - name: accessId value: "p-123..." - name: jwt - value: "eyJ..." + value: "base64 encoded JWT" ``` ### [Kubernetes](https://docs.akeyless.io/docs/kubernetes-auth) @@ -191,6 +153,7 @@ curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=stat curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org ``` +### Language Tab: Golang Or using the Dapr SDK. The example below retrieves all static secrets from path `/path/to/department`: ```go @@ -221,7 +184,7 @@ log.Println("Starting test application") ``` {{% alert title="Failing Retrieval in Bulk" color="info" %}} -When retrieving secrets using the bulk API, all successfully-retrieved secrets will be returned and failed ones will be logged in the component log. +When retrieving secrets using the bulk API, all successfully-retrieved secrets are returned and failed ones are logged in the component log. {{% /alert %}} ## Setup Akeyless instance 
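Review bot: The rewritten Component Format block in the first hunk sets `accessKey`, `jwt`, `k8sAuthConfigName` and `k8sServiceAccountToken` in one component, which no real deployment does; either comment each line with the method it belongs to or show only `gatewayUrl` and `accessId` here and leave per-method fields to the Authentication Methods section. In the table, the `jwt` and `k8sServiceAccountToken` example cells now read `base64 -i "eyJ..."`, a shell command rather than a value (and `-i` means different things to macOS `base64` and GNU coreutils); show the encoded string and describe the encoding step in prose. The `k8sGatewayUrl` row still says it defaults to `akeylessGWApiURL`, a field that does not exist in this table (the field is `gatewayUrl`), and the YAML uses `accessId` while the table uses `accessID`.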
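Review bot: `value: "base64 encoded JWT"` in the OAuth2.0/JWT example (second hunk) is a descriptive placeholder that will be pasted literally; the other examples use a truncated realistic value such as `"eyJ..."` or `"ZXlKa..."` (the latter is what this same patch uses for `jwt` in the Component Format block). Use the truncated encoded form and put the "base64-encode the JWT" instruction in the sentence above the block.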
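Review bot: `### Language Tab: Golang` (third hunk) is a markdown heading, not a tab; elsewhere in these docs language variants are rendered with the `{{< tabpane text=true >}}` / `{{% tab "..." %}}` shortcodes (see the CloudEvents page in this same series). Either wrap the Go sample in a `tabpane` with a `{{% tab "Go" %}}`, or drop the heading and keep the plain sentence "Or using the Dapr SDK."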
@@ -236,7 +199,7 @@ To get started with Akeyless: For more detailed setup instructions, refer to the [Akeyless documentation](https://docs.akeyless.io/). ## Related links - +- [Akeyless Sign Up](https://console.akeyless.io/registration) - [Secrets building block]({{% ref secrets %}}) - [How-To: Retrieve a secret]({{% ref "howto-secrets.md" %}}) - [How-To: Reference secrets in Dapr components]({{% ref component-secrets.md %}}) From 13aedc66294e6a8e87ab5cd6471ad2eec4c614eb Mon Sep 17 00:00:00 2001 From: Marc Duiker Date: Wed, 19 Nov 2025 17:00:15 +0100 Subject: [PATCH 14/17] Update deployment token (#4928) * Setup 1.17 Signed-off-by: Marc Duiker * Update deployment token, remove obsolete field Signed-off-by: Marc Duiker * Add skip_deploy_on_missing_secrets option This field is required when people create a PR based on a branch in their fork and the secret is not available. Signed-off-by: Marc Duiker --------- Signed-off-by: Marc Duiker Signed-off-by: Kobbi Gal --- .github/workflows/website-v1-17.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/website-v1-17.yml b/.github/workflows/website-v1-17.yml index 568f47f1eb0..013e842f698 100644 --- a/.github/workflows/website-v1-17.yml +++ b/.github/workflows/website-v1-17.yml @@ -47,9 +47,9 @@ jobs: HUGO_ENV: production HUGO_VERSION: "0.147.9" with: - azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_16 }} - repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_17 }} skip_deploy_on_missing_secrets: true + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) action: "upload" ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig 
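Review bot: `skip_deploy_on_missing_secrets: true` is the right choice for fork PRs where `AZURE_STATIC_WEB_APPS_V1_17` is not available, but it also turns a misnamed or expired secret on the main branch into a silent no-op deploy instead of a failed run; add a comment on that line saying it exists for fork PRs, and consider a follow-up step that fails when the event is not a fork PR and the token is empty. The commit message says "remove obsolete field", but this hunk only reorders `repo_token`; nothing is removed.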
@@ -66,6 +66,7 @@ jobs: id: closepullrequest uses: Azure/static-web-apps-deploy@v1 with: - azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_16 }} + azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_17 }} skip_deploy_on_missing_secrets: true + app_location: "/daprdocs/public" # App source code path action: "close" From e9f394f9f25e90486e75f639df3e6289577fdfec Mon Sep 17 00:00:00 2001 From: Adam shamis Date: Thu, 4 Dec 2025 03:14:08 +0200 Subject: [PATCH 15/17] Added binary cloudevent examples and explanation (#4942) * Added binary cloudevent examples and explanation Signed-off-by: adam shamis * tabpane line was missing Signed-off-by: adam shamis * topic was mispronounced Signed-off-by: adam shamis --------- Signed-off-by: adam shamis Signed-off-by: Kobbi Gal --- .../pubsub/pubsub-cloudevents.md | 42 +++++++++++++++++++ .../content/en/reference/api/pubsub_api.md | 22 ++++++++++ 2 files changed, 64 insertions(+) diff --git a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-cloudevents.md b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-cloudevents.md index b152d4541b9..cf4dd6b800c 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-cloudevents.md +++ b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-cloudevents.md
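Review bot: `app_location: "/daprdocs/public"` is unused in the `closepullrequest` job it is added to, since that job runs `action: "close"` to tear down the staging environment and never builds; if it was added to silence a warning, say so in the comment, otherwise drop it. The comment `# App source code path` is also wrong for `/daprdocs/public`, which is the Hugo output directory rather than source.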
@@ -239,6 +239,48 @@ Invoke-RestMethod -Method Post -ContentType 'application/cloudevents+json' -Body {{< /tabpane >}} +### Publish binary CloudEvents + +In binary mode, the transport payload only contains the event body, while +CloudEvent attributes are supplied via transport metadata that begins with the +`ce_` prefix (HTTP headers, Kafka headers, NATS headers, and so on). This is +useful when you already produce binary mode events or you want to send arbitrary +binary data without wrapping it in an additional JSON envelope. + +To publish a binary CloudEvent to Dapr (via HTTP/gRPC publish APIs or directly +into a broker that Dapr reads from): + +1. Set the transport’s native content-type metadata (for example the HTTP + `Content-Type` header or a Kafka `content-type` message header) to the MIME + type that represents binary data, which is `application/octet-stream`. + +2. Add the required CloudEvent attributes (`ce_specversion`, `ce_type`, + `ce_source`, `ce_id`) as transport metadata. Optional attributes such as + `ce_subject`, `ce_time`, or `ce_traceparent` are also honored. + +3. Send the payload bytes in the message body. + +{{< tabpane text=true >}} + +{{% tab "HTTP API (Bash)" %}} + +Publish a Binary CloudEvent to orders topic: + +```bash +curl -X POST http://localhost:3500/v1.0/publish/order-pub-sub/orders \ + -H "Content-Type: application/octet-stream" \ + -H "ce_specversion: 1.0" \ + -H "ce_type: com.example.order.created" \ + -H "ce_source: urn:example:/checkout" \ + -H "ce_id: 2a8bbf52-1222-4c2c-85f0-8a8875c7bc10" \ + -H "ce_subject: orders/100" \ + --data-binary $'\x01\x02\x03\x04' +``` + +{{% /tab %}} + +{{< /tabpane >}} + ## Event deduplication When using cloud events created by Dapr, the envelope contains an `id` field which can be used by the app to perform message deduplication. Dapr does not handle deduplication automatically. Dapr supports using message brokers that natively enable message deduplication. 
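Review bot: Step 2 and the bash sample use `ce_` (underscore) header names for HTTP, but the CloudEvents HTTP protocol binding that "binary mode" refers to defines the header prefix as `ce-` (hyphen); `ce_` is the Kafka binding's form. Either document that Dapr accepts `ce_` on HTTP as a deliberate deviation, or use `ce-specversion`, `ce-type`, `ce-source` and `ce-id` in the HTTP example. The preceding tabpane offers an `Invoke-RestMethod` variant, while this one has only `HTTP API (Bash)` and the `$'\x01\x02\x03\x04'` quoting is bash-specific; add a PowerShell tab or a note that the sample needs bash.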
diff --git a/daprdocs/content/en/reference/api/pubsub_api.md b/daprdocs/content/en/reference/api/pubsub_api.md index d2cc67ab03e..f09b549c851 100644 --- a/daprdocs/content/en/reference/api/pubsub_api.md +++ b/daprdocs/content/en/reference/api/pubsub_api.md @@ -300,6 +300,28 @@ HTTP Status | Description 404 | error is logged and all messages are dropped other | warning is logged and all messages to be retried +#### CloudEvents binary mode + +Supports publishing CloudEvents that use the binary mode defined by +the CloudEvents HTTP binding. In this mode, the HTTP body only contains the +payload bytes, and CloudEvent attributes are passed as headers with the `ce_` +prefix. Provide the required headers (`ce_specversion`, `ce_type`, `ce_source`, +`ce_id`) along with any optional ones (for example `ce_subject` or `ce_time`). +Dapr copies the HTTP `Content-Type` header into the CloudEvent's +`datacontenttype` attribute and forwards the resulting event to subscribers. + +Example sending four raw bytes: + +```bash +curl -X POST http://localhost:3500/v1.0/publish/pubsubName/deathStarStatus \ + -H "Content-Type: application/octet-stream" \ + -H "ce_specversion: 1.0" \ + -H "ce_type: com.example.deathstar.status.changed" \ + -H "ce_source: urn:example:/deathstar" \ + -H "ce_id: 3a58b9b8-24d2-4f62-84f4-6177c2fe0633" \ + --data-binary $'\x01\x02\x03\x04' +``` + ## Message envelope Dapr pub/sub adheres to [version 1.0 of CloudEvents](https://github.com/cloudevents/spec/blob/v1.0/spec.md). From 0a2a572b4067a5f7866725912d0f9bedf7486d83 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Wed, 10 Dec 2025 10:32:44 -0500 Subject: [PATCH 16/17] add gw tls conf Signed-off-by: Kobbi Gal --- .../supported-secret-stores/akeyless.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
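Review bot: The paragraph says Dapr "forwards the resulting event to subscribers" but not in what shape: with `Content-Type: application/octet-stream` the body is not JSON, so subscribers need to know whether the bytes arrive base64-encoded in a `data_base64` member (the CloudEvents JSON format's representation of binary data) or as a raw body. State that here, since it decides how a subscriber decodes the four bytes in the example. The `ce_` header prefix in this example should also match whatever the pubsub-cloudevents page settles on (`ce-` per the CloudEvents HTTP binding).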
diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 26795c0cfbe..711eb52d88c 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md @@ -23,6 +23,8 @@ spec: metadata: - name: gatewayUrl value: "http://gw.akeyless.svc.cluster.local/api/v2" + - name: gatewayTLSCA + value: "LS0tLS1CRUdJTi..." - name: accessId value: "p-abcdefg1234am" - name: accessKey 
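Review bot: `gatewayTLSCA` breaks the camelCase of the neighbouring keys (`gatewayUrl`, `accessId`, `k8sAuthConfigName`); `gatewayTlsCa` would match. The `gatewayUrl` directly above it is still `http://gw.akeyless.svc.cluster.local/api/v2`: a CA bundle only matters for an `https://` URL, so as written the example never uses the certificate it configures. Switch the example URL to `https://` wherever the CA field is shown.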
@@ -39,12 +41,13 @@ spec: | Field | Required | Details | Example | |--------------------|:--------:|-------------------------------------------------------------------------|---------------------| -| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw.akeyless.svc.cluster.local:8000/api/v2` | -| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890am` | -| `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | -| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `base64 -i "eyJ..."` | -| `k8sAuthConfigName` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method | `my-k8s-auth-conf` | -| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw.akeyless.svc.cluster.local:8000` | +| `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw.akeyless.svc.cluster.local:8000/api/v2` | +| `gatewayTLSCA` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. | `LS0tLS1CRUdJTi...` | +| `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890am` | +| `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | +| `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `base64 -i "eyJ..."` | +| `k8sAuthConfigName`| N | Fill in when using Kubernetes Authentication (`k8s`) authentication method | `my-k8s-auth-conf` | +| `k8sGatewayUrl` | N | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. 
| `http://gw.akeyless.svc.cluster.local:8000` | | `k8sServiceAccountToken` | N | Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will read from k8s token in container filesystem | ``base64 -i "eyJ..."`` | @@ -125,7 +128,7 @@ spec: - name: k8sAuthConfigName value: "my-k8s-auth-config" - name: k8sGatewayUrl - value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2" + value: "http://release-gw.akeyless.svc.cluster.local:8000" - name: k8sServiceAccountToken value: "eyJ..." ``` From 055ff6d5e2fb7ba218ae301ac8adc78f4a530107 Mon Sep 17 00:00:00 2001 From: Kobbi Gal Date: Wed, 10 Dec 2025 13:49:16 -0500 Subject: [PATCH 17/17] updating gw tls field, added 30s timeout for tls client Signed-off-by: Kobbi Gal --- .../components-reference/supported-secret-stores/akeyless.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md index 711eb52d88c..0b5d0eb5572 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md @@ -23,7 +23,7 @@ spec: metadata: - name: gatewayUrl value: "http://gw.akeyless.svc.cluster.local/api/v2" - - name: gatewayTLSCA + - name: gatewayTlsCa value: "LS0tLS1CRUdJTi..." - name: accessId value: "p-abcdefg1234am" 
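Review bot: The new `gatewayTLSCA` row uses `No` in the Required column while every other row uses `N` or `Y`. Its description, "The `base64`-encoded PEM certificate of the Akeyless Gateway", is ambiguous next to a field named `CA`: say whether it is the CA certificate that signed the gateway's serving certificate (what a self-signed or private-CA deployment needs) or the gateway's own leaf certificate, and whether it replaces or extends the system trust store. The `gatewayUrl` example in the same table is still `http://...`, which bypasses TLS altogether; use `https://` now that a CA option exists.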
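Review bot: In the Kubernetes example hunk, `k8sGatewayUrl` drops `/api/v2` while `gatewayUrl` keeps it, yet the table says `k8sGatewayUrl` defaults to the `gatewayUrl` value; if the two fields take different formats (host and port versus full API base), say so in the `k8sGatewayUrl` row, otherwise the documented default would produce a wrong URL.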
@@ -42,7 +42,7 @@ spec: | Field | Required | Details | Example | |--------------------|:--------:|-------------------------------------------------------------------------|---------------------| | `gatewayUrl` | N | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io. | `http://gw.akeyless.svc.cluster.local:8000/api/v2` | -| `gatewayTLSCA` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. | `LS0tLS1CRUdJTi...` | +| `gatewayTlsCa` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. The Akeyless client will be set to a 30 second timeout. | `LS0tLS1CRUdJTi...` | | `accessID` | Y | The Akeyless Access ID of the authentication method | `p-1234567890am` | | `accessKey` | N | Fill in when using an API Key (`access_key`) authentication method. | `ABCD1233...=` | | `jwt` | N | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method | `base64 -i "eyJ..."` |
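Review bot: "The Akeyless client will be set to a 30 second timeout." sits only in the `gatewayTlsCa` row, so it reads as if the timeout applies only when a custom CA is configured; if it is unconditional, move it to the `gatewayUrl` row or the prose above the table, and say whether it is configurable. `No` in the Required column should be `N` to match the other rows.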