From bf745d2f6caee828efeb0e29c0e236cd57b5625a Mon Sep 17 00:00:00 2001 From: Bernd Verst <4535280+berndverst@users.noreply.github.com> Date: Fri, 1 Apr 2022 19:32:49 -0700 Subject: [PATCH 1/2] Provide monitoring instructions for Dapr root certificate Signed-off-by: Bernd Verst <4535280+berndverst@users.noreply.github.com> --- .../content/en/operations/security/mtls.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/daprdocs/content/en/operations/security/mtls.md b/daprdocs/content/en/operations/security/mtls.md index e6ecfaba8..2ce2bbb43 100644 --- a/daprdocs/content/en/operations/security/mtls.md +++ b/daprdocs/content/en/operations/security/mtls.md 
@@ -256,6 +256,50 @@ kubectl rollout restart deploy/myapp You will experience potential downtime due to mismatching certificates until all deployments have successfully been restarted (and hence loaded the new Dapr certificates). +### Set up monitoring for Dapr control plane mTLS certificate expiration + +Beginning 30 days prior to mTLS root ceritificate expiration the Dapr sentry service will hourly emit warning level logs indicating that the root certificate is about to expire. + +As an operational best practice for running Dapr in production we recommend configuring monitoring for these particular sentry service logs so that you are aware of the upcoming certificate expiration. + +```bash +"Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours" +``` + +Once the certificate has expired you will see the following message: + +```bash +"Dapr root certificate expiration warning: certificate has expired." +``` + +In Kubernetes you can view the sentry service logs like so: + +```bash +kubectl logs deployment/dapr-sentry -n dapr-system +``` + +The log output will appear like the following:" + +```bash +{"instance":"dapr-sentry-68cbf79bb9-gdqdv","level":"warning","msg":"Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours","scope":"dapr.sentry","time":"2022-04-01T23:43:35.931825236Z","type":"log","ver":"1.6.0"} +``` + +As an additional tool to alert you to the upcoming certificate expiration beginning with release 1.7.0 the CLI now prints the certificate expiration status whenever you interact with a Kubernetes-based deployment. 
+ +Example: +```bash +dapr status -k + + NAME NAMESPACE HEALTHY STATUS REPLICAS VERSION AGE CREATED + dapr-sentry dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45 + dapr-dashboard dapr-system True Running 1 0.9.0 17d 2022-03-15 09:29.45 + dapr-sidecar-injector dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45 + dapr-operator dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45 + dapr-placement-server dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45 +⚠ Dapr root certificate of your Kubernetes cluster expires in 2 days. Expiry date: Mon, 04 Apr 2022 15:01:03 UTC. + Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions. +``` + ### Kubernetes video demo Watch this video to show how to update mTLS certificates on Kubernetes From b4e11cae0784adc94a7a851df585f8f296bdee44 Mon Sep 17 00:00:00 2001 From: Bernd Verst <4535280+berndverst@users.noreply.github.com> Date: Sun, 3 Apr 2022 13:14:13 -0700 Subject: [PATCH 2/2] Update daprdocs/content/en/operations/security/mtls.md Co-authored-by: Mukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com> Signed-off-by: Bernd Verst <4535280+berndverst@users.noreply.github.com> --- daprdocs/content/en/operations/security/mtls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/security/mtls.md b/daprdocs/content/en/operations/security/mtls.md index 2ce2bbb43..5e9503c39 100644 --- a/daprdocs/content/en/operations/security/mtls.md +++ b/daprdocs/content/en/operations/security/mtls.md 
@@ -258,7 +258,7 @@ You will experience potential downtime due to mismatching certificates until all ### Set up monitoring for Dapr control plane mTLS certificate expiration -Beginning 30 days prior to mTLS root ceritificate expiration the Dapr sentry service will hourly emit warning level logs indicating that the root certificate is about to expire. +Beginning 30 days prior to mTLS root certificate expiration the Dapr sentry service will emit hourly warning level logs indicating that the root certificate is about to expire. As an operational best practice for running Dapr in production we recommend configuring monitoring for these particular sentry service logs so that you are aware of the upcoming certificate expiration.
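Review bot: In the first hunk, the line `The log output will appear like the following:"` carries a stray trailing double quote that will render in the published page; drop it. The three fences holding log messages (the two bare `"Dapr root certificate expiration warning: ..."` strings and the JSON line) are tagged `bash` although none of them is a shell command; tag the JSON line `json` and the bare messages `text` so readers do not mistake them for commands. Because the stated purpose of the section is to have operators alert on these logs, it would help to say which fields of the sample line to match on, namely `"level":"warning"`, `"scope":"dapr.sentry"` and the `Dapr root certificate expiration warning:` prefix of `msg`, since the remaining-time suffix changes with every hourly emission and a full-text match would miss it. The sentence `beginning with release 1.7.0 the CLI now prints the certificate expiration status whenever you interact with a Kubernetes-based deployment` needs a comma after `expiration` and reads better as `Beginning with release 1.7.0, the Dapr CLI also prints ...`; the `ceritificate` typo in the opening sentence is addressed by the second patch.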
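Review bot: The rewritten sentence in this hunk still runs its two clauses together; add a comma after `expiration` and hyphenate the compound modifier, i.e. `Beginning 30 days prior to mTLS root certificate expiration, the Dapr sentry service will emit hourly warning-level logs indicating that the root certificate is about to expire.` Since the hunk already describes the 30-day window and hourly cadence, consider adding one clause that the first such warning, not a low remaining-time value, is the intended alert trigger, so operators configure their rules accordingly.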