Kubernetes secrets

Detailed information on the Kubernetes secret store component

Default Kubernetes secret store component

When Dapr is deployed to a Kubernetes cluster, a secret store named kubernetes is provisioned automatically. This pre-provisioned store lets you use the native Kubernetes secret store without authoring, deploying, or maintaining a component configuration file. It is useful for developers who simply want to access secrets stored natively in a Kubernetes cluster.

A custom component definition file for a Kubernetes secret store can still be configured (see below for details). With a custom definition the store name is not fixed and can be customized, which decouples how your code references the secret store from the hosting platform and keeps your code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid kubeconfig file.

Create a custom Kubernetes secret store component

To set up a Kubernetes secret store, create a component of type secretstores.kubernetes. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycustomsecretstore
spec:
  type: secretstores.kubernetes
  version: v1
  metadata: []

Spec metadata fields

| Field | Required | Details | Example |
|---|---|---|---|
| defaultNamespace | N | Default namespace to retrieve secrets from. If unset, the namespace must be specified in each request metadata or via environment variable NAMESPACE | "default-ns" |
| kubeconfigPath | N | The path to the kubeconfig file. If not specified, the store uses the default in-cluster config value | "/path/to/kubeconfig" |

Optional per-request metadata properties

The following optional query parameters can be provided to the Kubernetes secret store component:

| Query Parameter | Description |
|---|---|
| metadata.namespace | The namespace of the secret. If not specified, the namespace of the pod is used. |
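
The following is an added example, not code from the Dapr project: it models how the namespace for a request is chosen from the fields above and builds the sidecar URL that carries metadata.namespace. Assumptions: the sidecar listens on HTTP port 3500 and serves secrets at /v1.0/secrets/<store>/<name>, the precedence order in resolve_namespace, and the allowlist guard, which is a hypothetical client-side check to keep callers from requesting secrets in arbitrary namespaces.

```python
import os
import re
from urllib.parse import quote, urlencode

DAPR_HTTP_PORT = 3500  # assumption: the sidecar's default HTTP port
# Kubernetes namespace names are DNS-1123 labels (max 63 characters).
_NS_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def resolve_namespace(request_ns=None, default_namespace=None, env=None):
    """Pick the namespace from the sources the fields above describe: the
    per-request metadata.namespace, else the component's defaultNamespace,
    else the NAMESPACE environment variable. The order is an assumption."""
    env = os.environ if env is None else env
    for candidate in (request_ns, default_namespace, env.get("NAMESPACE")):
        if candidate:
            return candidate
    raise ValueError("no namespace in request, component or NAMESPACE")


def secret_url(store, name, namespace=None, allowed_namespaces=()):
    """Build the sidecar URL for one secret, refusing namespaces that are
    malformed or outside the caller's allowlist (hypothetical guard)."""
    path = f"/v1.0/secrets/{quote(store, safe='')}/{quote(name, safe='')}"
    url = f"http://localhost:{DAPR_HTTP_PORT}{path}"
    if namespace is None:
        return url  # no query parameter: the store picks the namespace
    if not _NS_RE.fullmatch(namespace):
        raise ValueError(f"invalid namespace name: {namespace!r}")
    if namespace not in allowed_namespaces:
        raise PermissionError(f"namespace not allowed: {namespace}")
    return url + "?" + urlencode({"metadata.namespace": namespace})


if __name__ == "__main__":
    # Constructed sample values: "db-secret" and "production" are illustrative.
    print(secret_url("mycustomsecretstore", "db-secret",
                     "production", allowed_namespaces={"production"}))
```

Passing the namespace through an allowlist matters most when the value originates from request input, since the store will read from whatever namespace its Kubernetes permissions allow.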

Last modified December 12, 2024: Update setup-aws-snssqs.md (#4437) (c13e6d9)