Addressing review comments
Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>
pravinpushkar committed Apr 6, 2022
1 parent f822b81 commit 72af4c7
Showing 10 changed files with 115 additions and 0 deletions.
19 changes: 19 additions & 0 deletions daprdocs/content/en/operations/security/mtls.md
@@ -199,6 +199,17 @@ kubectl rollout restart statefulsets/dapr-placement-server -n <DAPR_NAMESPACE>

4. Restart your Dapr applications to pick up the latest trust bundle.

{{% alert title="Recommended CLI command to rotate certificates with new ones" color="success" %}}
The below CLI command can be used to renew root and issuer certificates of your Kubernetes cluster. It also gives an option to provide validity for the new certificates in number of days.

The 2nd variant of this command provides `--private-key` flag to support use of `private root key` of your existing deployed certificate.
This command generate new certificates signed by same private key. In this case the `Dapr Sentry service` would be able to pick the new certificate without restarting it.
{{% /alert %}}

```bash
dapr mtls renew-certificate -k --valid-unitl <days> --restart
dapr mtls renew-certificate -k --private-key <private_key_file_path> --valid-until <days>
```
{{% alert title="Potential application downtime with mTLS enabled." color="warning" %}}
Restarts of deployments using service to service invocation using mTLS will fail until the callee service has also been restarted (thereby loading the new Dapr Trust Bundle). Additionally, the placement service will not be able to assign new actors (while existing actors remain unaffected) until applications have been restarted to load the new Dapr Trust Bundle.
{{% /alert %}}
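Review bot: the first command in the `bash` block misspells the flag as `--valid-unitl`; the second line spells it `--valid-until`, so the first should read `dapr mtls renew-certificate -k --valid-until <days> --restart`. In the alert text, "This command generate new certificates" should be "This command generates new certificates", and "The 2nd variant" reads better as "The second variant". It would also help to say explicitly why only the first command carries `--restart`: the text states that Sentry picks up certificates signed by the same private key without a restart, but the link between that statement and the flag is left for the reader to infer.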
@@ -246,6 +257,14 @@ Once Sentry has been completely restarted run:
kubectl rollout restart deploy/dapr-operator -n <DAPR_NAMESPACE>
kubectl rollout restart statefulsets/dapr-placement-server -n <DAPR_NAMESPACE>
```
{{% alert title="Recommended CLI command to achieve above steps" color="success" %}}
To update the provided certificates in Kubernetes cluster, the belowl CLI command can be used.
**Note - It does not support `valid-until` flag to specify validity.**
{{% /alert %}}

```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart
```

Next, you must restart all Dapr-enabled pods.
The recommended way to do this is to perform a rollout restart of your deployment:
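Review bot: "belowl" in the alert text is a typo for "below", and "in Kubernetes cluster" should be "in the Kubernetes cluster". The note "It does not support `valid-until` flag" should name the flag as `--valid-until` to match the earlier section, and it would be worth stating what validity the renewed certificates do get in this mode (presumably whatever is embedded in the provided certificate files) so readers are not left guessing.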
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-components.md
@@ -45,4 +45,15 @@ dapr components -k -n mycomponent

# List Dapr components in all namespaces in Kubernetes mode
dapr components -k --all-namespaces
```

### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
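Review bot: this "Warning messages" section is pasted verbatim into nine CLI reference pages in this commit; a Hugo shortcode or partial would keep the wording and the 30-day threshold from drifting between pages when either changes. Also, "mtls root certificate" should be "mTLS root certificate" to match the casing used elsewhere in the docs.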
10 changes: 10 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-configurations.md
@@ -45,4 +45,14 @@ dapr configurations -k -n appconfig

# List Dapr configurations in all namespaces in Kubernetes mode
dapr configurations -k --all-namespaces
```
### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
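Review bot: a blank line is missing between the closing ``` fence and `### Warning messages`; the other pages in this commit separate them, so this one should match for consistency.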
10 changes: 10 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-dashboard.md
@@ -49,3 +49,13 @@ dapr dashboard -k -p 9999 --address 0.0.0.0
# Port forward to dashboard service running in Kubernetes on a specified port
dapr dashboard -k -p 9999
```
### Warning messages - Kubernetes Mode
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
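Review bot: the heading here is `### Warning messages - Kubernetes Mode` while most of the other pages in this commit use `### Warning messages`; pick one form (the body text already says the check applies to the Kubernetes cluster) so the section is named consistently across the CLI reference. A blank line between the closing fence and the heading would also match the other pages.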
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-list.md
@@ -48,4 +48,15 @@ dapr list -k --namespace default

# List Dapr instances in all namespaces in Kubernetes mode
dapr list -k --all-namespaces
```

### Warning messages - Kubernetes Mode
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
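Review bot: same heading inconsistency as in dapr-dashboard.md: `### Warning messages - Kubernetes Mode` here versus `### Warning messages` in the other pages; choose one form.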
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-logs.md
@@ -35,3 +35,14 @@ dapr logs [flags]
# Get logs of sample app from target pod in custom namespace
dapr logs -k --app-id sample --pod-name target --namespace custom
```

### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-mtls/_index.md
@@ -48,4 +48,15 @@ You can learn more about each sub command from the links below.
```bash
# Check if mTLS is enabled on the Kubernetes cluster
dapr mtls -k
```

### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-mtls/dapr-mtls-export.md
@@ -33,3 +33,14 @@ dapr mtls export [flags]
# Check expiry of Kubernetes certs
dapr mtls export -o ./certs
```

### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
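Review bot: the unchanged context comment `# Check expiry of Kubernetes certs` above `dapr mtls export -o ./certs` describes an export, not an expiry check; since this hunk adds the expiry warning directly below it, fixing that comment here (for example `# Export Kubernetes certs to ./certs`) would avoid confusing the two.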
11 changes: 11 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-status.md
@@ -32,3 +32,14 @@ dapr status -k
# Get status of Dapr services from Kubernetes
dapr status -k
```

### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
10 changes: 10 additions & 0 deletions daprdocs/content/en/reference/cli/dapr-upgrade.md
@@ -46,6 +46,16 @@ dapr upgrade -k --runtime-version 1.2
# Upgrade or downgrade to a specified version of Dapr runtime in Kubernetes with value set
dapr upgrade -k --runtime-version 1.2 --set global.logAsJson=true
```
### Warning messages
This command can issue warning messages.

#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:

```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

### Related links

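Review bot: a blank line is missing between the closing fence and `### Warning messages`, unlike most of the other pages in this commit. Since `dapr upgrade -k` is the command most likely to be run as routine maintenance, it would also help to say whether the upgrade renews the root certificate itself or whether `dapr mtls renew-certificate` is still required after seeing this warning.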
