Merge pull request #2322 from berndverst/v1.7

Provide monitoring instructions for Dapr root certificate expiration
greenie-msft 2022-04-05 18:53:33 -07:00 committed by GitHub
commit 67d65a75b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 0 deletions

@ -256,6 +256,50 @@ kubectl rollout restart deploy/myapp
You will experience potential downtime due to mismatching certificates until all deployments have successfully been restarted (and hence loaded the new Dapr certificates). You will experience potential downtime due to mismatching certificates until all deployments have successfully been restarted (and hence loaded the new Dapr certificates).
### Set up monitoring for Dapr control plane mTLS certificate expiration
Beginning 30 days prior to mTLS root certificate expiration the Dapr sentry service will emit hourly warning level logs indicating that the root certificate is about to expire.
As an operational best practice for running Dapr in production we recommend configuring monitoring for these particular sentry service logs so that you are aware of the upcoming certificate expiration.
```bash
"Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours"
```
Once the certificate has expired you will see the following message:
```bash
"Dapr root certificate expiration warning: certificate has expired."
```
In Kubernetes you can view the sentry service logs like so:
```bash
kubectl logs deployment/dapr-sentry -n dapr-system
```
The log output will appear like the following:"
```bash
{"instance":"dapr-sentry-68cbf79bb9-gdqdv","level":"warning","msg":"Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours","scope":"dapr.sentry","time":"2022-04-01T23:43:35.931825236Z","type":"log","ver":"1.6.0"}
```
As an additional tool to alert you to the upcoming certificate expiration beginning with release 1.7.0 the CLI now prints the certificate expiration status whenever you interact with a Kubernetes-based deployment.
Example:
```bash
dapr status -k
NAME NAMESPACE HEALTHY STATUS REPLICAS VERSION AGE CREATED
dapr-sentry dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45
dapr-dashboard dapr-system True Running 1 0.9.0 17d 2022-03-15 09:29.45
dapr-sidecar-injector dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45
dapr-operator dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45
dapr-placement-server dapr-system True Running 1 1.7.0 17d 2022-03-15 09:29.45
⚠ Dapr root certificate of your Kubernetes cluster expires in 2 days. Expiry date: Mon, 04 Apr 2022 15:01:03 UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
### Kubernetes video demo ### Kubernetes video demo
Watch this video to show how to update mTLS certificates on Kubernetes Watch this video to show how to update mTLS certificates on Kubernetes
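Review bot: The recommendation to configure monitoring "for these particular sentry service logs", in the second paragraph under the new heading, does not say what to match on. The remaining-time part of the message changes with every hourly emission, so name the stable parts instead: the fixed prefix "Dapr root certificate expiration warning" together with "level":"warning" and "scope":"dapr.sentry" from the JSON sample. The line "The log output will appear like the following:"" ends with a stray double quote that will render in the docs. The two message samples and the JSON log line are fenced as bash although they are log output; a plain or json fence fits better, and the surrounding quotes on the two message samples can go since the JSON sample already shows the text inside "msg". The JSON sample carries "ver":"1.6.0" while the CLI paragraph is scoped to release 1.7.0, so either state which release first emits the sentry warnings or align the sample version.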