Managing Secrets in Catalyst

When you create a Catalyst resource such as a Component, HTTPEndpoint, or Configuration, sensitive metadata values (connection passwords, API keys, access tokens, etc.) can be managed in two ways.

Transparent secret management (default)

If you provide sensitive values as plaintext, Catalyst identifies them via the Dapr component metadata schema (fields marked as sensitive — passwords, tokens, access keys, certificates) and transparently extracts them into a Catalyst-managed secret store. The resource spec is rewritten to reference the stored value via secretKeyRef before it is persisted — so plaintext values are never stored in the control plane database. No additional configuration is needed:

diagrid component create my-pubsub --type pubsub.redis \
  --metadata redisHost=https://endpoint \
  --metadata redisPassword=pwd

Here redisPassword is automatically extracted into a secret; only redisHost remains as plaintext metadata.

Bring your own secret store

If you prefer to resolve secrets from your own secret store, create a Dapr secret store component and reference it from other resources via auth.secretStore + secretKeyRef. In this mode, Catalyst does not perform any transparent extraction — your resources are applied to the dataplane exactly as declared.

Supported secret store types are documented in the Components Reference.

Create one by applying a Component resource with the Diagrid CLI:

apiVersion: cra.diagrid.io/v1beta1
kind: Component
metadata:
  name: my-vault
spec:
  type: secretstores.hashicorp.vault
  version: v1
  metadata:
    - name: vaultAddr
      value: "https://vault.example.com:8200"
    - name: vaultToken
      value: "<token>"

Save the manifest as my-vault.yaml and apply it:

diagrid apply -f my-vault.yaml

Once registered, reference it from another resource:

auth:
  secretStore: my-vault
spec:
  metadata:
    - name: apiKey
      secretKeyRef:
        name: <secret-name-in-the-store>
        key: <key-within-the-secret>

Your applications can also look up secrets from these stores at runtime via the Dapr Secrets API.
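The following Python block is an added illustration of the two behaviours described above (transparent extraction in the default mode, and "applied exactly as declared" when auth.secretStore is set); it is not Catalyst's own implementation. The SENSITIVE_FIELDS table stands in for the Dapr component metadata schema, the secret naming scheme ("<resource>-secrets", one key per field) is an assumption, and the warning list for plaintext sensitive fields in bring-your-own mode is a review check added here rather than something the page says the platform does.

```python
"""Model of the two secret-handling modes described on this page.

Added example, not Catalyst's own code. The sensitive-field table, the
secret naming scheme and the warning check are assumptions made here.
"""
import copy

# Constructed stand-in for the Dapr component metadata schema: the metadata
# fields marked sensitive for each component type (real schemas list more).
SENSITIVE_FIELDS = {
    "pubsub.redis": {"redisPassword"},
    "secretstores.hashicorp.vault": {"vaultToken"},
    "state.postgresql": {"connectionString"},
}


def sensitive_fields_for(component_type):
    """Return the set of metadata field names marked sensitive for a type."""
    return SENSITIVE_FIELDS.get(component_type, set())


def uses_own_secret_store(resource):
    """True when the resource opts out of transparent extraction."""
    return bool(resource.get("auth", {}).get("secretStore"))


def prepare_for_persistence(resource):
    """Rewrite a resource the way the page describes before it is stored.

    Returns (rewritten_resource, extracted_secrets, warnings).
    - Default mode: every sensitive plaintext `value` is moved into
      `extracted_secrets` and replaced in the spec by a `secretKeyRef`, so
      no plaintext secret remains in what gets persisted.
    - Bring-your-own mode (auth.secretStore set): the spec is returned
      exactly as declared; sensitive fields still carrying a plaintext
      value are listed in `warnings`, since they reach the dataplane as-is.
    The input resource is never mutated.
    """
    out = copy.deepcopy(resource)
    name = out["metadata"]["name"]
    spec = out["spec"]
    sensitive = sensitive_fields_for(spec.get("type", ""))
    secrets = {}
    warnings = []

    for entry in spec.get("metadata", []):
        field = entry.get("name")
        if field not in sensitive or "value" not in entry:
            continue  # not sensitive, or already a secretKeyRef
        if uses_own_secret_store(out):
            warnings.append(
                f"{name}: sensitive field '{field}' is plaintext and will be "
                "applied to the dataplane as declared"
            )
            continue
        # Assumed naming scheme: one secret per resource, one key per field.
        secret_name = f"{name}-secrets"
        secrets.setdefault(secret_name, {})[field] = entry.pop("value")
        entry["secretKeyRef"] = {"name": secret_name, "key": field}

    return out, secrets, warnings


if __name__ == "__main__":
    # The page's own example: redisPassword is extracted, redisHost stays.
    demo = {
        "apiVersion": "cra.diagrid.io/v1beta1",
        "kind": "Component",
        "metadata": {"name": "my-pubsub"},
        "spec": {
            "type": "pubsub.redis",
            "version": "v1",
            "metadata": [
                {"name": "redisHost", "value": "https://endpoint"},
                {"name": "redisPassword", "value": "pwd"},
            ],
        },
    }
    rewritten, extracted, warns = prepare_for_persistence(demo)
    print(rewritten["spec"]["metadata"])
    print(sorted(extracted))  # secret names only; values are not printed
    print(warns)
```

Run it as a script to see the rewritten spec for the my-pubsub component from the first section; the secret values themselves are deliberately not printed. The same function, given a resource with auth.secretStore set, returns it unchanged and reports any sensitive field that was still supplied as plaintext, which is the check worth running before applying resources in bring-your-own mode.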