Merge pull request dapr#4420 from hhunter-ms/upmerge_11-05
Upmerge 11/05
hhunter-ms authored Nov 5, 2024
2 parents 1632f50 + 48cbac2 commit 07b6aa8
Showing 35 changed files with 107 additions and 41 deletions.
2 changes: 1 addition & 1 deletion daprdocs/content/en/contributing/contributing-overview.md
Expand Up @@ -18,7 +18,7 @@ See the [Dapr community repository](https://github.com/dapr/community) for more

1. **Docs**: This [repository](https://github.com/dapr/docs) contains the documentation for Dapr. You can contribute by updating existing documentation, fixing errors, or adding new content to improve user experience and clarity. Please see the specific guidelines for [docs contributions]({{< ref contributing-docs >}}).

2. **Quickstarts**: The Quickstarts [repository](https://github.com/dapr/quickstarts) provides simple, step-by-step guides to help users get started with Dapr quickly. Contributions in this repository involve creating new quickstarts, improving existing ones, or ensuring they stay up-to-date with the latest features.
2. **Quickstarts**: The Quickstarts [repository](https://github.com/dapr/quickstarts) provides simple, step-by-step guides to help users get started with Dapr quickly. [Contributions in this repository](https://github.com/dapr/quickstarts/blob/master/CONTRIBUTING.md) involve creating new quickstarts, improving existing ones, or ensuring they stay up-to-date with the latest features.

3. **Runtime**: The Dapr runtime [repository](https://github.com/dapr/dapr) houses the core runtime components. Here, you can contribute by fixing bugs, optimizing performance, implementing new features, or enhancing existing ones.

2 changes: 1 addition & 1 deletion daprdocs/content/en/contributing/daprbot.md
Expand Up @@ -2,7 +2,7 @@
type: docs
title: "Dapr bot reference"
linkTitle: "Dapr bot"
weight: 15
weight: 70
description: "List of Dapr bot capabilities."
---

Expand Up @@ -41,15 +41,18 @@ Style and tone conventions should be followed throughout all Dapr documentation

## Diagrams and images

Diagrams and images are invaluable visual aids for documentation pages. Diagrams are kept in a [Dapr Diagrams Deck](https://github.com/dapr/docs/tree/v1.11/daprdocs/static/presentations), which includes guidance on style and icons.
Diagrams and images are invaluable visual aids for documentation pages. Use the diagram style and icons in the [Dapr Diagrams template deck](https://github.com/dapr/docs/tree/v1.14/daprdocs/static/presentations).

As you create diagrams for your documentation:
The process for creating diagrams for your documentation:

- Save them as high-res PNG files into the [images folder](https://github.com/dapr/docs/tree/v1.11/daprdocs/static/images).
- Name your PNG files using the convention of a concept or building block so that they are grouped.
1. Download the [Dapr Diagrams template deck](https://github.com/dapr/docs/tree/v1.14/daprdocs/static/presentations) to use the icons and colors.
1. Add a new slide and create your diagram.
1. Screen capture the diagram as high-res PNG file and save in the [images folder](https://github.com/dapr/docs/tree/v1.14/daprdocs/static/images).
1. Name your PNG files using the convention of a concept or building block so that they are grouped.
- For example: `service-invocation-overview.png`.
- For more information on calling out images using shortcode, see the [Images guidance](#images) section below.
- Add the diagram to the correct section in the `Dapr-Diagrams.pptx` deck so that they can be amended and updated during routine refresh.
1. Add the diagram to the appropriate section in your documentation using the HTML `<image>` tag.
1. In your PR, comment the diagram slide (not the screen capture) so it can be reviewed and added to the diagram deck by maintainers.

## Contributing a new docs page

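Review bot: the last-but-one step tells contributors to add the diagram "using the HTML `<image>` tag", but there is no such HTML element; the element is `<img>`, which is what the docs already use (this same PR touches a page with `<img src="/images/building-block-state-management-example.png" width=1000 alt="...">`). Suggest `using the HTML `<img>` tag` and keeping a pointer to the images/shortcode guidance that the removed bullet linked (`#images`), otherwise new contributors lose the alt-text and sizing conventions. Separately, the links now hardcode the `v1.14` branch where they used to hardcode `v1.11`, so they will go stale again at the next release; a branch-independent link to the template deck and images folder would avoid repeating this edit every version.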
Expand Up @@ -37,17 +37,16 @@ metadata:
spec:
topic: orders
routes:
default: /checkout
default: /orders
pubsubname: pubsub
scopes:
- orderprocessing
- checkout
```
Here the subscription called `order`:
- Uses the pub/sub component called `pubsub` to subscribes to the topic called `orders`.
- Sets the `route` field to send all topic messages to the `/checkout` endpoint in the app.
- Sets `scopes` field to scope this subscription for access only by apps with IDs `orderprocessing` and `checkout`.
- Sets the `route` field to send all topic messages to the `/orders` endpoint in the app.
- Sets `scopes` field to scope this subscription for access only by apps with ID `orderprocessing`.

When running Dapr, set the YAML component file path to point Dapr to the component.

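Review bot: the YAML and the bullets now agree (route `/orders`, a single scope `orderprocessing`), which removes the earlier mismatch where the prose promised access for a `checkout` app that the YAML did not grant. Two grammar slips in the surrounding context lines could go in the same pass: "to subscribes to the topic" should be "to subscribe to the topic", and "Sets `scopes` field" should be "Sets the `scopes` field". Since readers come to this block to restrict which apps may subscribe, it would also help to state what the behaviour is when `scopes` is omitted.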
Expand Down Expand Up @@ -113,7 +112,7 @@ In your application code, subscribe to the topic specified in the Dapr pub/sub c

```csharp
//Subscribe to a topic
[HttpPost("checkout")]
[HttpPost("orders")]
public void getCheckout([FromBody] int orderId)
{
Console.WriteLine("Subscriber received : " + orderId);
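Review bot: the route is now `orders`, but the action is still named `getCheckout` here and in the Java tab, and the Python handler is still `def checkout`; the names are harmless but now read as leftovers of the old `/checkout` route. Consider renaming the handlers (for example `getOrders` / `orders`) across all the language tabs in the same sweep so the samples stay consistent with the route they serve.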
Expand All @@ -128,7 +127,7 @@ public void getCheckout([FromBody] int orderId)
import io.dapr.client.domain.CloudEvent;
//Subscribe to a topic
@PostMapping(path = "/checkout")
@PostMapping(path = "/orders")
public Mono<Void> getCheckout(@RequestBody(required = false) CloudEvent<String> cloudEvent) {
return Mono.fromRunnable(() -> {
try {
Expand All @@ -146,7 +145,7 @@ public Mono<Void> getCheckout(@RequestBody(required = false) CloudEvent<String>
from cloudevents.sdk.event import v1
#Subscribe to a topic
@app.route('/checkout', methods=['POST'])
@app.route('/orders', methods=['POST'])
def checkout(event: v1.Event) -> None:
data = json.loads(event.Data())
logging.info('Subscriber received: ' + str(data))
Expand All @@ -163,7 +162,7 @@ const app = express()
app.use(bodyParser.json({ type: 'application/*+json' }));
// listen to the declarative route
app.post('/checkout', (req, res) => {
app.post('/orders', (req, res) => {
console.log(req.body);
res.sendStatus(200);
});
Expand All @@ -178,7 +177,7 @@ app.post('/checkout', (req, res) => {
var sub = &common.Subscription{
PubsubName: "pubsub",
Topic: "orders",
Route: "/checkout",
Route: "/orders",
}
func eventHandler(ctx context.Context, e *common.TopicEvent) (retry bool, err error) {
Expand All @@ -191,7 +190,7 @@ func eventHandler(ctx context.Context, e *common.TopicEvent) (retry bool, err er

{{< /tabs >}}

The `/checkout` endpoint matches the `route` defined in the subscriptions and this is where Dapr sends all topic messages to.
The `/orders` endpoint matches the `route` defined in the subscriptions and this is where Dapr sends all topic messages to.

### Streaming subscriptions

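Review bot: the sentence "this is where Dapr sends all topic messages to" has a dangling "to", and "subscriptions" should be singular since only one subscription is defined above. Suggest: "The `/orders` endpoint matches the `route` defined in the subscription, and this is where Dapr delivers all messages for the topic."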
Expand Down Expand Up @@ -325,7 +324,7 @@ In the example below, you define the values found in the [declarative YAML subsc

```csharp
[Topic("pubsub", "orders")]
[HttpPost("/checkout")]
[HttpPost("/orders")]
public async Task<ActionResult<Order>>Checkout(Order order, [FromServices] DaprClient daprClient)
{
// Logic
Expand All @@ -337,7 +336,7 @@ or

```csharp
// Dapr subscription in [Topic] routes orders topic to this route
app.MapPost("/checkout", [Topic("pubsub", "orders")] (Order order) => {
app.MapPost("/orders", [Topic("pubsub", "orders")] (Order order) => {
Console.WriteLine("Subscriber received : " + order);
return Results.Ok(order);
});
Expand All @@ -359,7 +358,7 @@ app.UseEndpoints(endpoints =>
```java
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
@Topic(name = "checkout", pubsubName = "pubsub")
@Topic(name = "orders", pubsubName = "pubsub")
@PostMapping(path = "/orders")
public Mono<Void> handleMessage(@RequestBody(required = false) CloudEvent<String> cloudEvent) {
return Mono.fromRunnable(() -> {
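Review bot: good catch. With `@Topic(name = "checkout", pubsubName = "pubsub")` the Java sample subscribed to a topic that does not match the `orders` topic the section says these programmatic examples mirror, so it would have received nothing while the route `/orders` looked correct. After this change all the language tabs subscribe to `orders`.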
Expand All @@ -370,6 +369,7 @@ public Mono<Void> handleMessage(@RequestBody(required = false) CloudEvent<String
throw new RuntimeException(e);
}
});
}
```

{{% /codetab %}}
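Review bot: the added `}` closes `handleMessage`, which was previously left unbalanced: the `});` closed the `Mono.fromRunnable` lambda but not the method. Since the enclosing class is not shown, a quick compile of the snippet inside a minimal controller would confirm the braces now balance.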
Expand All @@ -382,7 +382,7 @@ def subscribe():
subscriptions = [
{
'pubsubname': 'pubsub',
'topic': 'checkout',
'topic': 'orders',
'routes': {
'rules': [
{
Expand Down Expand Up @@ -418,7 +418,7 @@ app.get('/dapr/subscribe', (req, res) => {
res.json([
{
pubsubname: "pubsub",
topic: "checkout",
topic: "orders",
routes: {
rules: [
{
Expand Down Expand Up @@ -480,7 +480,7 @@ func configureSubscribeHandler(w http.ResponseWriter, _ *http.Request) {
t := []subscription{
{
PubsubName: "pubsub",
Topic: "checkout",
Topic: "orders",
Routes: routes{
Rules: []rule{
{
Expand Up @@ -10,8 +10,6 @@ State management is one of the most common needs of any new, legacy, monolith, o

In this guide, you'll learn the basics of using the key/value state API to allow an application to save, get, and delete state.

## Example

The code example below _loosely_ describes an application that processes orders with an order processing service which has a Dapr sidecar. The order processing service uses Dapr to store state in a Redis state store.

<img src="/images/building-block-state-management-example.png" width=1000 alt="Diagram showing state management of example service">
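Review bot: removing the `## Example` heading also removes the `#example` anchor on this page; grep the docs for links that target it before merging, since a `{{< ref >}}` with a fragment to this heading would now point at nothing. If the heading was dropped for consistency with the other building-block how-to pages, that is fine, but it should be a deliberate choice.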
Expand Down Expand Up @@ -554,7 +552,7 @@ namespace EventService
string DAPR_STORE_NAME = "statestore";
//Using Dapr SDK to retrieve multiple states
using var client = new DaprClientBuilder().Build();
IReadOnlyList<BulkStateItem> mulitpleStateResult = await client.GetBulkStateAsync(DAPR_STORE_NAME, new List<string> { "order_1", "order_2" }, parallelism: 1);
IReadOnlyList<BulkStateItem> multipleStateResult = await client.GetBulkStateAsync(DAPR_STORE_NAME, new List<string> { "order_1", "order_2" }, parallelism: 1);
}
}
}
Expand Up @@ -135,7 +135,7 @@ Because workflow retry policies are configured in code, the exact developer expe
| --- | --- |
| **Maximum number of attempts** | The maximum number of times to execute the activity or child workflow. |
| **First retry interval** | The amount of time to wait before the first retry. |
| **Backoff coefficient** | The amount of time to wait before each subsequent retry. |
| **Backoff coefficient** | The coefficient used to determine the rate of increase of back-off. For example a coefficient of 2 doubles the wait of each subsequent retry. |
| **Maximum retry interval** | The maximum amount of time to wait before each subsequent retry. |
| **Retry timeout** | The overall timeout for retries, regardless of any configured max number of attempts. |

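Review bot: the new wording for **Backoff coefficient** is correct (the old text described a duration, which is wrong for a multiplier). Two small additions would make the row self-explanatory: say that the wait for retry n is the first retry interval multiplied by the coefficient n-1 times, so a coefficient of 1 gives a constant interval, and say that the growth is capped by the **Maximum retry interval** in the next row.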
Expand Up @@ -10,6 +10,10 @@ description: Get started with the Dapr Workflow building block
Dapr Workflow is currently in beta. [See known limitations for {{% dapr-latest-version cli="true" %}}]({{< ref "workflow-overview.md#limitations" >}}).
{{% /alert %}}

{{% alert title="Note" color="primary" %}}
Redis is currently used as the state store component for Workflows in the Quickstarts. However, Redis does not support transaction rollbacks and should not be used in production as an actor state store.
{{% /alert %}}

Let's take a look at the Dapr [Workflow building block]({{< ref workflow-overview.md >}}). In this Quickstart, you'll create a simple console application to demonstrate Dapr's workflow programming model and the workflow management APIs.

In this guide, you'll:
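Review bot: the new note warns readers off Redis for production but does not tell them what to use instead; add a link to the state-store component list that marks which stores support actors and transactions, otherwise the reader is left with a prohibition and no path forward. The note also jumps from "state store component for Workflows" to "actor state store" without saying that Workflow state is persisted through the actor subsystem; one clause connecting the two would explain why an actor-store requirement applies to Workflows.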
Expand Down Expand Up @@ -1356,4 +1360,4 @@ Join the discussion in our [discord channel](https://discord.com/channels/778680
- Walk through a more in-depth [.NET SDK example workflow](https://github.com/dapr/dotnet-sdk/tree/master/examples/Workflow)
- Learn more about [Workflow as a Dapr building block]({{< ref workflow-overview >}})
{{< button text="Explore Dapr tutorials >>" page="getting-started/tutorials/_index.md" >}}
{{< button text="Explore Dapr tutorials >>" page="getting-started/tutorials/_index.md" >}}
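Review bot: this hunk only adds the missing trailing newline after the button shortcode (the two lines are identical); no content change.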
32 changes: 32 additions & 0 deletions daprdocs/content/en/operations/configuration/secret-scope.md
Expand Up @@ -4,10 +4,15 @@ title: "How-To: Limit the secrets that can be read from secret stores"
linkTitle: "Limit secret store access"
weight: 3000
description: "Define secret scopes by augmenting the existing configuration resource with restrictive permissions."
description: "Define secret scopes by augmenting the existing configuration resource with restrictive permissions."
---

In addition to [scoping which applications can access a given component]({{< ref "component-scopes.md">}}), you can also scop a named secret store component to one or more secrets for an application. By defining `allowedSecrets` and/or `deniedSecrets` lists, you restrict applications to access only specific secrets.
In addition to [scoping which applications can access a given component]({{< ref "component-scopes.md">}}), you can also scop a named secret store component to one or more secrets for an application. By defining `allowedSecrets` and/or `deniedSecrets` lists, you restrict applications to access only specific secrets.

For more information about configuring a Configuration resource:
- [Configuration overview]({{< ref configuration-overview.md >}})
- [Configuration schema]({{< ref configuration-schema.md >}})
For more information about configuring a Configuration resource:
- [Configuration overview]({{< ref configuration-overview.md >}})
- [Configuration schema]({{< ref configuration-schema.md >}})
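Review bot: this hunk duplicates existing lines instead of replacing them: the `description:` front-matter key now appears twice, and the intro paragraph and the "For more information about configuring a Configuration resource" list are each present twice. With the file summary reporting 32 additions and 0 deletions, it looks like the upmerge resolved a conflict by keeping both sides. Hugo will take the last `description:` value, but the doubled body text will render. The duplicated sentence also carries the pre-existing typo "scop a named secret store", which should be "scope a named secret store". Keep one copy of each and fix the typo in it.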
Expand Down Expand Up @@ -55,8 +60,10 @@ The `allowedSecrets` and `deniedSecrets` list values take priority over the `def

### Scenario 1: Deny access to all secrets for a secret store

In a Kubernetes cluster, the native Kubernetes secret store is added to your Dapr application by default. In some scenarios, it may be necessary to deny access to Dapr secrets for a given application. To add this configuration:
In a Kubernetes cluster, the native Kubernetes secret store is added to your Dapr application by default. In some scenarios, it may be necessary to deny access to Dapr secrets for a given application. To add this configuration:

1. Define the following `appconfig.yaml`.
1. Define the following `appconfig.yaml`.

```yaml
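Review bot: same duplication here: the Scenario 1 intro paragraph and the "Define the following `appconfig.yaml`" step each appear twice. Drop one copy of each so the numbered list does not restart mid-scenario.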
Expand All @@ -70,7 +77,25 @@ In a Kubernetes cluster, the native Kubernetes secret store is added to your Dap
- storeName: kubernetes
defaultAccess: deny
```
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: appconfig
spec:
secrets:
scopes:
- storeName: kubernetes
defaultAccess: deny
```

1. Apply it to the Kubernetes cluster using the following command:

```bash
kubectl apply -f appconfig.yaml`.
```
For applications that you need to deny access to the Kubernetes secret store, follow [the Kubernetes instructions]({{< ref kubernetes-overview >}}), adding the following annotation to the application pod.
1. Apply it to the Kubernetes cluster using the following command:
```bash
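Review bot: the `appconfig.yaml` block is now present twice, the "Apply it to the Kubernetes cluster using the following command" step is repeated, and the first copy of the command carries a stray backtick: `kubectl apply -f appconfig.yaml`.` should be `kubectl apply -f appconfig.yaml`. Keep a single YAML block and a single apply step, and make sure the kept copies are indented consistently under their list items, since the annotation paragraph that follows ("For applications that you need to deny access to...") now sits between two copies of the same step.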
Expand All @@ -85,6 +110,7 @@ dapr.io/config: appconfig
With this defined, the application no longer has access to Kubernetes secret store.
### Scenario 2: Allow access to only certain secrets in a secret store
### Scenario 2: Allow access to only certain secrets in a secret store
To allow a Dapr application to have access to only certain secrets, define the following `config.yaml`:
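Review bot: the "### Scenario 2: Allow access to only certain secrets in a secret store" heading is duplicated. A doubled heading also yields two anchors (Hugo suffixes the second), so any in-page or cross-page link to the scenario becomes ambiguous. Remove one copy.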
Expand All @@ -102,6 +128,7 @@ spec:
allowedSecrets: ["secret1", "secret2"]
```

This example defines configuration for secret store named `vault`. The default access to the secret store is `deny`. Meanwhile, some secrets are accessible by the application based on the `allowedSecrets` list. Follow [the Sidecar configuration instructions]({{< ref "configuration-overview.md#sidecar-configuration" >}}) to apply configuration to the sidecar.
This example defines configuration for secret store named `vault`. The default access to the secret store is `deny`. Meanwhile, some secrets are accessible by the application based on the `allowedSecrets` list. Follow [the Sidecar configuration instructions]({{< ref "configuration-overview.md#sidecar-configuration" >}}) to apply configuration to the sidecar.

### Scenario 3: Deny access to certain sensitive secrets in a secret store
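Review bot: the paragraph explaining the `vault` configuration ("This example defines configuration for secret store named `vault`...") is duplicated; remove one copy. While there, "configuration for secret store named" reads better as "configuration for the secret store named".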
Expand All @@ -126,3 +153,8 @@ This configuration explicitly denies access to `secret1` and `secret2` from the
## Next steps

{{< button text="Service invocation access control" page="invoke-allowlist" >}}
This configuration explicitly denies access to `secret1` and `secret2` from the secret store named `vault,` while allowing access to all other secrets. Follow [the Sidecar configuration instructions]({{< ref "configuration-overview.md#sidecar-configuration" >}}) to apply configuration to the sidecar.

## Next steps

{{< button text="Service invocation access control" page="invoke-allowlist" >}}
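Review bot: the closing paragraph for Scenario 3, the "## Next steps" heading and the button shortcode are all duplicated at the end of the file, so the rendered page will show two "Next steps" sections. Both copies also put the comma inside the code span: `vault,` should be `vault`, followed by the comma. Before merging, diff the merged `secret-scope.md` against the branch being upmerged to confirm the intended result for this file, since every one of its 32 added lines repeats content that was already there.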