Add Akeyless Secret Store Documentation

.github/workflows/website-v1-17.yml

@@ -47,9 +47,9 @@ jobs:
           HUGO_ENV: production
           HUGO_VERSION: "0.147.9"
         with:
-          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_16 }}
-          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
+          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_17 }}
           skip_deploy_on_missing_secrets: true
+          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
           action: "upload"
           ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
           # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
@@ -66,6 +66,7 @@ jobs:
         id: closepullrequest
         uses: Azure/static-web-apps-deploy@v1
         with:
-          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_16 }}
+          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_V1_17 }}
           skip_deploy_on_missing_secrets: true
+          app_location: "/daprdocs/public" # App source code path
           action: "close"

daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-cloudevents.md

@@ -239,6 +239,48 @@ Invoke-RestMethod -Method Post -ContentType 'application/cloudevents+json' -Body
 
 {{< /tabpane >}}
 
+### Publish binary CloudEvents
+
+In binary mode, the transport payload only contains the event body, while
+CloudEvent attributes are supplied via transport metadata that begins with the
+`ce_` prefix (HTTP headers, Kafka headers, NATS headers, and so on). This is
+useful when you already produce binary mode events or you want to send arbitrary
+binary data without wrapping it in an additional JSON envelope.
+
+To publish a binary CloudEvent to Dapr (via HTTP/gRPC publish APIs or directly
+into a broker that Dapr reads from):
+
+1. Set the transport’s native content-type metadata (for example the HTTP
+   `Content-Type` header or a Kafka `content-type` message header) to the MIME
+   type that represents binary data, which is `application/octet-stream`.
+
+2. Add the required CloudEvent attributes (`ce_specversion`, `ce_type`,
+   `ce_source`, `ce_id`) as transport metadata. Optional attributes such as
+   `ce_subject`, `ce_time`, or `ce_traceparent` are also honored.
+
+3. Send the payload bytes in the message body.
+
+{{< tabpane text=true >}}
+
+{{% tab "HTTP API (Bash)" %}}
+
+Publish a Binary CloudEvent to orders topic:
+
+```bash
+curl -X POST http://localhost:3500/v1.0/publish/order-pub-sub/orders \
+  -H "Content-Type: application/octet-stream" \
+  -H "ce_specversion: 1.0" \
+  -H "ce_type: com.example.order.created" \
+  -H "ce_source: urn:example:/checkout" \
+  -H "ce_id: 2a8bbf52-1222-4c2c-85f0-8a8875c7bc10" \
+  -H "ce_subject: orders/100" \
+  --data-binary $'\x01\x02\x03\x04'
+```
+
+{{% /tab %}}
+
+{{< /tabpane >}}
+
 ## Event deduplication
 
 When using cloud events created by Dapr, the envelope contains an `id` field which can be used by the app to perform message deduplication. Dapr does not handle deduplication automatically. Dapr supports using message brokers that natively enable message deduplication.

daprdocs/content/en/reference/api/pubsub_api.md

@@ -300,6 +300,28 @@ HTTP Status | Description
 404 | error is logged and all messages are dropped
 other | warning is logged and all messages to be retried
 
+#### CloudEvents binary mode
+
+Supports publishing CloudEvents that use the binary mode defined by
+the CloudEvents HTTP binding. In this mode, the HTTP body only contains the
+payload bytes, and CloudEvent attributes are passed as headers with the `ce_`
+prefix. Provide the required headers (`ce_specversion`, `ce_type`, `ce_source`,
+`ce_id`) along with any optional ones (for example `ce_subject` or `ce_time`).
+Dapr copies the HTTP `Content-Type` header into the CloudEvent's
+`datacontenttype` attribute and forwards the resulting event to subscribers.
+
+Example sending four raw bytes:
+
+```bash
+curl -X POST http://localhost:3500/v1.0/publish/pubsubName/deathStarStatus \
+  -H "Content-Type: application/octet-stream" \
+  -H "ce_specversion: 1.0" \
+  -H "ce_type: com.example.deathstar.status.changed" \
+  -H "ce_source: urn:example:/deathstar" \
+  -H "ce_id: 3a58b9b8-24d2-4f62-84f4-6177c2fe0633" \
+  --data-binary $'\x01\x02\x03\x04'
+```
+
 ## Message envelope
 
 Dapr pub/sub adheres to [version 1.0 of CloudEvents](https://github.com/cloudevents/spec/blob/v1.0/spec.md).

daprdocs/content/en/reference/components-reference/supported-secret-stores/akeyless.md

@@ -0,0 +1,206 @@
+---
+type: docs
+title: "Akeyless"
+linkTitle: "Akeyless"
+description: Information about the Akeyless secret store component configuration.
+---
+
+## Create the Akeyless component
+
+To setup Akeyless secret store create a component of type `secretstores.akeyless`. See [this guide]({{% ref "setup-secret-store.md#apply-the-configuration" %}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{% ref component-secrets.md %}}) to retrieve and use the secret with Dapr components.
+
+
+## Component Format
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: akeyless
+spec:
+  type: secretstores.akeyless
+  version: v1
+  metadata:
+  - name: gatewayUrl
+    value: "http://gw.akeyless.svc.cluster.local/api/v2"
+  - name: accessId
+    value: "p-abcdefg1234am"
+  - name: accessKey
+    value: "abcd/1234="
+  - name: jwt
+    value: "ZXlKa..."
+  - name: k8sAuthConfigName
+    value: aks-cluster-1-auth-conf
+  - name: k8sServiceAccountToken
+    value: "Z1234ch/sasw1..."
+```
+
+## Spec metadata fields
+
+| Field              | Required | Details                                                                 | Example             |
+|--------------------|:--------:|-------------------------------------------------------------------------|---------------------|
+| `gatewayUrl`   | N        | The Akeyless Gateway API URL. Defaults to https://api.akeyless.io.                                           | `http://gw.akeyless.svc.cluster.local:8000/api/v2` |
+| `accessID`           | Y        | The Akeyless Access ID of the authentication method                    | `p-1234567890am`    |
+| `accessKey`          | N        | Fill in when using an API Key (`access_key`) authentication method.              | `ABCD1233...=`    |
+| `jwt`                | N        | Fill in a `base64`-encoded string of the JWT when using OAuth2.0/JWT (`jwt`) authentication method                | `base64 -i "eyJ..."`          |
+| `k8sAuthConfigName`  | N        | Fill in when using Kubernetes Authentication (`k8s`) authentication method     | `my-k8s-auth-conf`                |
+| `k8sGatewayUrl`      | N        | Fill in when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will default to value set for `akeylessGWApiURL`. | `http://gw.akeyless.svc.cluster.local:8000` |
+| `k8sServiceAccountToken`  | N        |  Fill in a `base64`-encoded string of the JWT when using Kubernetes Authentication (`k8s`) authentication method. If not filled in, will read from k8s token in container filesystem | ``base64 -i "eyJ..."`` |
+
+
+## Authentication Methods
+
+The following authentication methods are supported:
+
+### [API Key](https://docs.akeyless.io/docs/api-key)
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: akeyless
+spec:
+  type: secretstores.akeyless
+  version: v1
+  metadata:
+  - name: gatewayUrl
+    value: "https://api.akeyless.io"
+  - name: accessId
+    value: "p-123..."
+  - name: accessKey
+    value: "ABCD1233...="
+```
+
+### [AWS IAM](https://docs.akeyless.io/docs/aws-iam)
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: akeyless
+spec:
+  type: secretstores.akeyless
+  version: v1
+  metadata:
+  - name: gatewayUrl
+    value: "https://api.akeyless.io"
+  - name: accessId
+    value: "p-123..."
+```
+
+### [OAuth2.0/JWT](https://docs.akeyless.io/docs/oauth20jwt)
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: akeyless
+spec:
+  type: secretstores.akeyless
+  version: v1
+  metadata:
+  - name: gatewayUrl
+    value: "https://api.akeyless.io"
+  - name: accessId
+    value: "p-123..."
+  - name: jwt
+    value: "base64 encoded JWT"
+```
+
+### [Kubernetes](https://docs.akeyless.io/docs/kubernetes-auth)
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: akeyless
+spec:
+  type: secretstores.akeyless
+  version: v1
+  metadata:
+  - name: gatewayUrl
+    value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2"
+  - name: accessID
+    value: "p-123..."
+  - name: k8sAuthConfigName
+    value: "my-k8s-auth-config"
+  - name: k8sGatewayUrl
+    value: "http://release-gw.akeyless.svc.cluster.local:8000/api/v2"
+  - name: k8sServiceAccountToken
+    value: "eyJ..."
+```
+
+{{% alert title="Warning" color="warning" %}}
+The above examples use secrets as plain strings. It is recommended to use a local secret store such as [Kubernetes secret store]({{% ref kubernetes-secret-store.md %}}) or a [local file]({{% ref file-secret-store.md %}}) to bootstrap secure key storage.
+{{% /alert %}}
+
+
+## Retrieve secrets
+
+Once configured, you can retrieve secrets using the Dapr secrets API:
+
+```bash
+# Get a single secret
+curl http://localhost:3500/v1.0/secrets/akeyless/my-secret
+
+# Get all secrets (static, dynamic, rotated) from root (/) path
+curl http://localhost:3500/v1.0/secrets/akeyless/bulk
+
+# Get all secrets static secrets
+curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static
+
+# Get all static and dynamic secrets from a specific path (/my/org)
+curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org
+```
+
+### Language Tab: Golang
+Or using the Dapr SDK. The example below retrieves all static secrets from path `/path/to/department`:
+
+```go
+log.Println("Starting test application")
+	client, err := dapr.NewClient()
+	if err != nil {
+		log.Printf("Error creating Dapr client: %v\n", err)
+		panic(err)
+	}
+	log.Println("Dapr client created successfully")
+	const daprSecretStore = "akeyless"
+
+	defer client.Close()
+	ctx := context.Background()
+	akeylessBulkMetadata := map[string]string{
+		"path":         "/path/to/department",
+		"secrets_type": "static",
+	}
+	secrets, err := client.GetBulkSecret(ctx, daprSecretStore, akeylessBulkMetadata)
+	if err != nil {
+		log.Printf("Error fetching secrets: %v\n", err)
+		panic(err)
+	}
+	log.Printf("Found %d secrets: ", len(secrets))
+	for secretName, secretValue := range secrets {
+		log.Printf("Secret: %s, Value: %s", secretName, secretValue)
+	}
+```
+
+{{% alert title="Failing Retrieval in Bulk" color="info" %}}
+When retrieving secrets using the bulk API, all successfully-retrieved secrets are returned and failed ones are logged in the component log.
+{{% /alert %}}
+
+## Setup Akeyless instance
+
+To get started with Akeyless:
+
+1. Sign up for an Akeyless account at [https://www.akeyless.io](https://www.akeyless.io)
+2. Create an Access ID and configure your preferred authentication method.
+3. Set up your secrets in the Akeyless.
+4. Configure the Dapr component using one of the authentication methods above.
+
+For more detailed setup instructions, refer to the [Akeyless documentation](https://docs.akeyless.io/).
+
+## Related links
+- [Akeyless Sign Up](https://console.akeyless.io/registration)
+- [Secrets building block]({{% ref secrets %}})
+- [How-To: Retrieve a secret]({{% ref "howto-secrets.md" %}})
+- [How-To: Reference secrets in Dapr components]({{% ref component-secrets.md %}})
+- [Secrets API reference]({{% ref secrets_api.md %}})