Merge pull request #2293 from pravinpushkar/feature/renew_cert

Adding documentation for certificate renewal
greenie-msft 2022-04-06 14:39:34 -07:00 committed by GitHub
commit 792b68d11b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 212 additions and 13 deletions

@ -158,8 +158,35 @@ helm install \
dapr \
dapr/dapr
```
### Root and issuer certificate upgrade using CLI (Recommended)
The CLI commands below can be used to renew root and issuer certificates in your Kubernetes cluster.
### Updating root or issuer certs
#### Generate brand new certificates
1. The command below generates brand new root and issuer certificates, signed by a newly generated private root key.
> **Note: The `Dapr sentry service` followed by rest of the control plane services must be restarted for them to be able to read the new certificates. This can be done by supplying `--restart` flag to the command.**
```bash
dapr mtls renew-certificate -k --valid-unitl <days> --restart
```
2. The command below generates brand new root and issuer certificates, signed by provided private root key.
> **Note: If your existing deployed certificates are signed by this same private root key, the `Dapr Sentry service` can then read these new certificates without restarting.**
```bash
dapr mtls renew-certificate -k --private-key <private_key_file_path> --valid-until <days>
```
#### Renew certificates by using provided custom certificates
To update the provided certificates in the Kubernetes cluster, the CLI command below can be used.
> **Note - It does not support `valid-until` flag to specify validity for new certificates.**
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart
```
### Updating root or issuer certs using Kubectl
If the Root or Issuer certs are about to expire, you can update them and restart the required system services.
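Review bot: the first CLI example, `dapr mtls renew-certificate -k --valid-unitl <days> --restart`, misspells the flag; it must be `--valid-until <days>`, as in the second example and the renew-certificate reference table, or readers will paste a command that the CLI rejects. The two notes also spell the service as `Dapr sentry service` and `Dapr Sentry service`; pick one. Since the restart requirement applies whenever the root key changes, consider stating it once above both commands and saying explicitly that sidecars must also be restarted afterwards, as the kubectl section below already does.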
@ -256,6 +283,11 @@ kubectl rollout restart deploy/myapp
You will experience potential downtime due to mismatching certificates until all deployments have successfully been restarted (and hence loaded the new Dapr certificates).
### Kubernetes video demo
Watch this video to show how to update mTLS certificates on Kubernetes
<iframe width="1280" height="720" src="https://www.youtube.com/embed/_U9wJqq-H1g" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
### Set up monitoring for Dapr control plane mTLS certificate expiration
Beginning 30 days prior to mTLS root certificate expiration the Dapr sentry service will emit hourly warning level logs indicating that the root certificate is about to expire.
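Review bot: the lead-in `Watch this video to show how to update mTLS certificates on Kubernetes` reads awkwardly; suggest `Watch this video for a demo of updating mTLS certificates on Kubernetes.` The same `Kubernetes video demo` section appears again in the hunk at `-300,11 +332,6` further down this file, so confirm that only one copy survives the merge.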
@ -300,11 +332,6 @@ dapr status -k
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
### Kubernetes video demo
Watch this video to show how to update mTLS certificates on Kubernetes
<iframe width="1280" height="720" src="https://www.youtube.com/embed/_U9wJqq-H1g" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Self hosted
### Running the control plane Sentry service
@ -450,6 +477,8 @@ By default, system services will look for the credentials in `/var/run/dapr/cred
*Note: If you signed the cert root with a different private key, restart the Dapr instances.*
## Community call video on certificate rotation
Watch this video on how to perform certificate rotation if your certicates are expiring.
Watch this [video](https://www.youtube.com/watch?v=Hkcx9kBDrAc&feature=youtu.be&t=1400) on how to perform certificate rotation if your certicates are expiring.
<iframe width="1280" height="720" src="https://www.youtube.com/watch?v=Hkcx9kBDrAc" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<div class="embed-responsive embed-responsive-16by9">
<iframe width="560" height="315" src="https://www.youtube.com/embed/Hkcx9kBDrAc?start=1400"></iframe>
</div>
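Review bot: `certicates` is misspelled in both versions of the community-call sentence; it should be `certificates`. The iframe whose `src` is `https://www.youtube.com/watch?v=Hkcx9kBDrAc` will not render, because YouTube only serves embeds from `/embed/` URLs; the `embed-responsive` block with `https://www.youtube.com/embed/Hkcx9kBDrAc?start=1400` is the correct form and also honours the 1400-second offset from the link, so keep that one and drop the `watch?v=` iframe.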

@ -45,4 +45,15 @@ dapr components -k -n mycomponent
# List Dapr components in all namespaces in Kubernetes mode
dapr components -k --all-namespaces
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
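Review bot: this `Warning messages` block is pasted verbatim into eight command reference pages in this PR; since the site already uses Hugo shortcodes (`{{< ref >}}`), a shared partial or shortcode would keep the wording, the 30-day threshold and the message text in sync when any of them changes. In the sentence, `mtls root certificate` should be `mTLS root certificate` to match the capitalisation used elsewhere in the docs, and a `{{< ref >}}` link to the `dapr mtls renew-certificate` page would save readers the detour to docs.dapr.io that the message itself suggests.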

@ -45,4 +45,14 @@ dapr configurations -k -n appconfig
# List Dapr configurations in all namespaces in Kubernetes mode
dapr configurations -k --all-namespaces
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

@ -49,3 +49,13 @@ dapr dashboard -k -p 9999 --address 0.0.0.0
# Port forward to dashboard service running in Kubernetes on a specified port
dapr dashboard -k -p 9999
```
### Warning messages - Kubernetes Mode
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
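Review bot: the heading is `Warning messages - Kubernetes Mode` here and on the `dapr list` page, but plain `Warning messages` on the other command pages that receive the same block; the body is identical everywhere, so use one heading across all of them.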

@ -48,4 +48,15 @@ dapr list -k --namespace default
# List Dapr instances in all namespaces in Kubernetes mode
dapr list -k --all-namespaces
```
### Warning messages - Kubernetes Mode
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

@ -35,3 +35,14 @@ dapr logs [flags]
# Get logs of sample app from target pod in custom namespace
dapr logs -k --app-id sample --pod-name target --namespace custom
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

@ -30,8 +30,9 @@ dapr mtls [command]
### Available Commands
```txt
expiry Checks the expiry of the root certificate
export Export the root CA, issuer cert and key from Kubernetes to local files
expiry Checks the expiry of the root Certificate Authority (CA) certificate
export Export the root Certificate Authority (CA), issuer cert and issuer key to local files
renew-certificate Rotates the existing root Certificate Authority (CA), issuer cert and issuer key
```
### Command Reference
@ -40,10 +41,22 @@ You can learn more about each sub command from the links below.
- [`dapr mtls expiry`]({{< ref dapr-mtls-expiry.md >}})
- [`dapr mtls export`]({{< ref dapr-mtls-export.md >}})
- [`dapr mtls renew-certificate`]({{< ref dapr-mtls-renew-certificate.md >}})
### Examples
```bash
# Check if mTLS is enabled
# Check if mTLS is enabled on the Kubernetes cluster
dapr mtls -k
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

@ -8,7 +8,7 @@ weight: 2000
### Description
Checks the expiry of the root certificate
Checks the expiry of the root Certificate Authority (CA) certificate
### Supported platforms

@ -8,7 +8,7 @@ weight: 1000
### Description
Export the root CA, issuer cert and key from Kubernetes to local files
Export the root Certificate Authority (CA), issuer cert and issuer key to local files
### Supported platforms
@ -33,3 +33,14 @@ dapr mtls export [flags]
# Check expiry of Kubernetes certs
dapr mtls export -o ./certs
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
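Review bot: the example comment `# Check expiry of Kubernetes certs` sits above `dapr mtls export -o ./certs`, which exports the certificates rather than checking expiry; it is unchanged context, but since this hunk already edits the page, change it to `# Export Kubernetes certs to ./certs` so the example does not contradict the `expiry` subcommand described in the same reference.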

@ -0,0 +1,72 @@
---
type: docs
title: "mtls renew certificate CLI command reference"
linkTitle: "mtls renew certificate"
description: "Detailed information on the mtls renew certificate CLI command"
weight: 3000
---
### Description
This command can be used to renew expiring Dapr certificates. For example the Dapr Sentry service can generate default root and issuer certificates used by applications. For more information see [secure Dapr to Dapr communication]({{< ref "#secure-dapr-to-dapr-communication" >}})
### Supported platforms
- [Kubernetes]({{< ref kubernetes >}})
### Usage
```bash
dapr mtls renew-certificate [flags]
```
### Flags
| Name | Environment Variable | Default | Description |
| -------------- | -------------------- | ----------------- | ------------------------------------------- |
| `--help`, `-h` | | | help for renew-certificate
| `--kubernetes`, `-k` | | `false` | supprted platform| |
| `--valid-until` | | 365 days | Validity for newly created certificates |
| `--restart` | | false | Restarts Dapr control plane services (Sentry service, Operator service and Placement server) |
| `--timeout` | | 300 sec | The timeout for the certificate renewal process |
| `--ca-root-certificate` | | | File path to user provided PEM root certificate|
| `--issuer-public-certificate` | | | File path to user provided PEM issuer certificate|
| `--issuer-private-key` | | | File path to user provided PEM issue private key|
| `--private-key` | | | User provided root.key file which is used to generate root certificate|
### Examples
#### Renew certificates by generating brand new certificates
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days. The certificates are not applied to the Dapr control plane.
```bash
dapr mtls renew-certificate -k
```
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days and restarts the Dapr control plane services.
```bash
dapr mtls renew-certificate -k --restart
```
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time.
```bash
dapr mtls renew-certificate -k --valid-until <no of days>
```
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time and restarts the Dapr control place services.
```bash
dapr mtls renew-certificate -k --valid-until <no of days> --restart
```
#### Renew certificate by using user provided certificates
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths and restarts the Dapr control plane services
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem> --restart
```
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths.
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem>
```
#### Renew certificates by generating brand new certificates using the provided root private key
Uses existing private root.key to generate new root and issuer certificates for the Kubernetes cluster with a given validity time for created certs.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
```
Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key
```
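Review bot: the flags table in this new page is malformed and will not render: the `--help` row is missing its closing `|`, and the `--kubernetes` row has the typo `supprted platform` plus an extra empty cell; suggest `| `--kubernetes`, `-k` | | `false` | Run on Kubernetes (the only supported platform) |`. Other fixes in the same file: `PEM issue private key` should read `PEM issuer private key`; `control place services` should read `control plane services`; `{{< ref "#secure-dapr-to-dapr-communication" >}}` points at an anchor on this page, which has no such section, so reference the page that actually contains it. The first example states `The certificates are not applied to the Dapr control plane`, while the operations page in this PR says the new certificates are written and Sentry must be restarted to read them; reword to `The control plane services are not restarted, so Sentry keeps using the old certificates until it is restarted`. The `--valid-until` default is listed as `365 days` although the flag takes a bare number (`<no of days>`); list `365` and put the unit in the description. Finally, the placeholders are `ca.pem` and `issuer.pem` here but `ca.crt` and `issuer.crt` on the operations page; align them.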

@ -32,3 +32,14 @@ dapr status -k
# Get status of Dapr services from Kubernetes
dapr status -k
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```

@ -46,6 +46,16 @@ dapr upgrade -k --runtime-version 1.2
# Upgrade or downgrade to a specified version of Dapr runtime in Kubernetes with value set
dapr upgrade -k --runtime-version 1.2 --set global.logAsJson=true
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
### Related links