Add secrets example

examples/docker-compose.common.yml

@@ -0,0 +1,5 @@
+version: "3"
+services:
+  placement:
+    image: daprio/dapr:1.0.1
+    command: ["./placement","-port","50006"]

examples/images/Caddyfile

@@ -0,0 +1,9 @@
+:80
+
+root * /app
+uri replace /assets/ /services/ui/src/assets/
+file_server * {
+    hide .git
+}
+php_fastcgi localhost:9000
+encode gzip

examples/images/caddy.Dockerfile

@@ -0,0 +1,6 @@
+FROM caddy AS base
+ARG SERVICE
+COPY services/$SERVICE /app/services/$SERVICE
+COPY index.php /app/index.php
+COPY global-config.php /app/global-config.php
+COPY images/Caddyfile /etc/caddy/Caddyfile

examples/images/opcache.ini

@@ -0,0 +1,157 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; If enabled, compilation warnings (including notices and deprecations) will
+; be recorded and replayed each time a file is included. Otherwise, compilation
+; warnings will only be emitted when the file is first cached.
+opcache.record_warnings=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x  blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=100
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Facilitates multiple OPcache instances per user (for Windows only). All PHP
+; processes with the same cache ID and user share an OPcache instance.
+;opcache.cache_id=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+opcache.file_cache=/var/www/tmp/.opcache
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+opcache.file_update_protection=0
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
+
+opcache.jit_buffer_size=256M
+
+opcache.jit=tracing

examples/images/service.Dockerfile

@@ -0,0 +1,39 @@
+FROM php:8.0-fpm AS base
+ENV VERSION=1
+COPY --from=mlocati/php-extension-installer /usr/bin/install-php-extensions /usr/local/bin/
+RUN apt-get update && apt-get install -y wget git unzip && apt-get clean && rm -rf /var/cache/apt/lists
+RUN install-php-extensions curl intl zip sodium opcache xdebug @composer && mkdir -p /app && \
+    cd $(php -d 'display_errors=stderr' -r 'echo ini_get("extension_dir");') && \
+    mkdir -p /php-disabled && mv xdebug.so /php-disabled && mv $PHP_INI_DIR/conf.d/docker-php-ext-xdebug.ini /php-disabled
+WORKDIR /app
+
+FROM base AS vendor
+COPY composer.json composer.json
+COPY composer.lock composer.lock
+RUN composer install --no-dev -o -n
+
+FROM base AS config
+ARG SERVICE
+ENV SERVICE=$SERVICE
+COPY services/$SERVICE services/$SERVICE
+COPY --from=vendor /app/vendor vendor
+COPY index.php index.php
+COPY global-config.php global-config.php
+
+FROM config AS production
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+ENV PHP_CLI_SERVER_WORKERS=100
+COPY images/opcache.ini /tmp/opcache.ini
+COPY images/fpm.conf /usr/local/etc/php-fpm.d/www.conf
+RUN cat /tmp/opcache.ini >> $PHP_INI_DIR/php.ini
+
+FROM production AS development
+ARG SERVICE
+COPY images/xdebug.ini /tmp/xdebug.ini
+ENV DBGP_IDEKEY=$SERVICE
+RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini" && \
+    cd $(php -d 'display_errors=stderr' -r 'echo ini_get("extension_dir");') && \
+    mv /php-disabled/xdebug.so . && mv /php-disabled/docker-php-ext-xdebug.ini $PHP_INI_DIR/conf.d/docker-php-ext-xdebug.ini
+RUN cat /tmp/xdebug.ini >> $PHP_INI_DIR/php.ini
+COPY images/opcache.ini /tmp/opcache.ini
+RUN cat /tmp/opcache.ini >> $PHP_INI_DIR/php.ini

examples/images/xdebug.ini

@@ -0,0 +1,7 @@
+[xdebug]
+;xdebug.discover_client_host = true
+xdebug.mode = develop,debug
+xdebug.log = /tmp/xdebug.log
+xdebug.log_level = 0
+xdebug.client_host = host.docker.internal
+xdebug.start_with_request = true

examples/secrets/.dockerignore

@@ -0,0 +1 @@
+vendor/

examples/secrets/.env

@@ -0,0 +1 @@
+DOCKER_USER=withinboredom

examples/secrets/.gitignore

@@ -0,0 +1,2 @@
+images/
+vendor/

examples/secrets/Makefile

@@ -0,0 +1,50 @@
+SHELL := /bin/bash
+
+include .env
+export $(shell sed 's/=.*//' .env)
+
+.PHONY: deps
+deps: images/fpm.conf images/opcache.ini images/xdebug.ini images/Caddyfile docker-compose.yml
+	DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 docker-compose build
+
+.PHONY: start
+start:
+	DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 docker-compose -f docker-compose.yml -f ../docker-compose.common.yml up -d
+
+.PHONY: push
+push: deps
+	docker-compose push
+
+.PHONY: deploy
+deploy:
+	kubectl apply -f deployments/simple-secret.yml
+	kubectl apply -f deployments/some-secrets.yml
+	envsubst < deployments/secret-service.yml | kubectl apply -f -
+	envsubst < deployments/client-service.yml | kubectl apply -f -
+
+.PHONY: deploy-delete
+deploy-delete:
+	kubectl delete -f deployments/simple-secret.yml
+	kubectl delete -f deployments/some-secrets.yml
+	envsubst < deployments/secret-service.yml | kubectl delete -f -
+	envsubst < deployments/client-service.yml | kubectl delete -f -
+
+images/fpm.conf: ../images/fpm.conf
+	mkdir -p images
+	cp ../images/fpm.conf images/fpm.conf
+	touch images/fpm.conf
+
+images/opcache.ini: ../images/opcache.ini
+	mkdir -p images
+	cp ../images/opcache.ini images/opcache.ini
+	touch images/opcache.ini
+
+images/xdebug.ini: ../images/xdebug.ini
+	mkdir -p images
+	cp ../images/xdebug.ini images/xdebug.ini
+	touch images/xdebug.ini
+
+images/Caddyfile: ../images/Caddyfile
+	mkdir -p images
+	cp ../images/Caddyfile images/Caddyfile
+	touch images/Caddyfile

examples/secrets/components/file-secrets.yml

@@ -0,0 +1,13 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: file-secrets
+  namespace: secret-example
+spec:
+  type: secretstores.local.file
+  version: v1
+  metadata:
+    - name: secretsFile
+      value: /components/secrets.json
+    - name: nestedSeparator
+      value: "."

examples/secrets/components/secrets.json

@@ -0,0 +1,7 @@
+{
+  "some-secret": {
+    "nested": "got the nested secret!",
+    "other": "some other secret"
+  },
+  "simple-secret": "got the simple secret!"
+}

examples/secrets/composer.json

@@ -0,0 +1,8 @@
+{
+  "name": "dapr/secret-example",
+  "license": "MIT",
+  "description": "A basic example demonstrating secret access",
+  "require": {
+    "dapr/php-sdk": "^1.0"
+  }
+}