Merge branch 'v1.7' into resiliency_docs

greenie-msft 2022-04-06 14:52:03 -07:00 committed by GitHub
commit 863911243f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 235 additions and 22 deletions


@ -158,8 +158,35 @@ helm install \
dapr \
dapr/dapr
```
### Root and issuer certificate upgrade using CLI (Recommended)
The CLI commands below can be used to renew root and issuer certificates in your Kubernetes cluster.
### Updating root or issuer certs
#### Generate brand new certificates
1. The command below generates brand new root and issuer certificates, signed by a newly generated private root key.
> **Note: The `Dapr sentry service` followed by rest of the control plane services must be restarted for them to be able to read the new certificates. This can be done by supplying `--restart` flag to the command.**
```bash
dapr mtls renew-certificate -k --valid-unitl <days> --restart
```
2. The command below generates brand new root and issuer certificates, signed by provided private root key.
> **Note: If your existing deployed certificates are signed by this same private root key, the `Dapr Sentry service` can then read these new certificates without restarting.**
```bash
dapr mtls renew-certificate -k --private-key <private_key_file_path> --valid-until <days>
```
#### Renew certificates by using provided custom certificates
To update the provided certificates in the Kubernetes cluster, the CLI command below can be used.
> **Note - It does not support `valid-until` flag to specify validity for new certificates.**
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart
```
### Updating root or issuer certs using Kubectl
If the Root or Issuer certs are about to expire, you can update them and restart the required system services.
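Review bot: `--valid-unitl` in the first example (`dapr mtls renew-certificate -k --valid-unitl <days> --restart`) is a typo for `--valid-until`; the second example spells it correctly, so anyone copying the first will get a flag-parsing error. The two headings `### Root and issuer certificate upgrade using CLI (Recommended)` and `### Updating root or issuer certs` sit back to back at the same level with only one sentence between them; the second should be demoted or merged into the first. Service naming alternates between `Dapr sentry service` and `Dapr Sentry service` across the two notes; pick one. The note "It does not support `valid-until` flag" would be clearer as "This command does not support the `--valid-until` flag, since the provided certificates already carry their own validity period."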
@ -256,6 +283,11 @@ kubectl rollout restart deploy/myapp
You will experience potential downtime due to mismatching certificates until all deployments have successfully been restarted (and hence loaded the new Dapr certificates).
### Kubernetes video demo
Watch this video to show how to update mTLS certificates on Kubernetes
<iframe width="1280" height="720" src="https://www.youtube.com/embed/_U9wJqq-H1g" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
### Set up monitoring for Dapr control plane mTLS certificate expiration
Beginning 30 days prior to mTLS root certificate expiration the Dapr sentry service will emit hourly warning level logs indicating that the root certificate is about to expire.
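Review bot: "Watch this video to show how to update mTLS certificates on Kubernetes" reads awkwardly and has no terminating period; suggest "Watch this video to see how to update mTLS certificates on Kubernetes." The same demo section also exists further down in this file, so confirm only one copy survives after the merge.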
@ -300,11 +332,6 @@ dapr status -k
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
### Kubernetes video demo
Watch this video to show how to update mTLS certificates on Kubernetes
<iframe width="1280" height="720" src="https://www.youtube.com/embed/_U9wJqq-H1g" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Self hosted
### Running the control plane Sentry service
@ -450,6 +477,8 @@ By default, system services will look for the credentials in `/var/run/dapr/cred
*Note: If you signed the cert root with a different private key, restart the Dapr instances.*
## Community call video on certificate rotation
Watch this video on how to perform certificate rotation if your certicates are expiring.
Watch this [video](https://www.youtube.com/watch?v=Hkcx9kBDrAc&feature=youtu.be&t=1400) on how to perform certificate rotation if your certicates are expiring.
<iframe width="1280" height="720" src="https://www.youtube.com/watch?v=Hkcx9kBDrAc" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<div class="embed-responsive embed-responsive-16by9">
<iframe width="560" height="315" src="https://www.youtube.com/embed/Hkcx9kBDrAc?start=1400"></iframe>
</div>
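Review bot: The first iframe's `src` is `https://www.youtube.com/watch?v=Hkcx9kBDrAc`, the watch-page URL, which YouTube does not render inside a frame; only the `/embed/Hkcx9kBDrAc?start=1400` form in the second iframe works, so drop the first iframe rather than keeping both. "certicates" in both variants of the sentence is a typo for "certificates". For consistency with the other embeds in this file, the iframe inside the `embed-responsive` wrapper should also carry a `title` attribute.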


@ -45,4 +45,15 @@ dapr components -k -n mycomponent
# List Dapr components in all namespaces in Kubernetes mode
dapr components -k --all-namespaces
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
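Review bot: "mtls" in "If the mtls root certificate" should be "mTLS", matching the rest of the docs, and the sentence needs a comma after "30 days". This identical warning block is pasted into every CLI reference page in this change, so the wording and the 30-day threshold will drift over time; a shared Hugo partial or shortcode included from each page would keep them in sync.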


@ -45,4 +45,14 @@ dapr configurations -k -n appconfig
# List Dapr configurations in all namespaces in Kubernetes mode
dapr configurations -k --all-namespaces
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```


@ -49,3 +49,13 @@ dapr dashboard -k -p 9999 --address 0.0.0.0
# Port forward to dashboard service running in Kubernetes on a specified port
dapr dashboard -k -p 9999
```
### Warning messages - Kubernetes Mode
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
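Review bot: The heading `### Warning messages - Kubernetes Mode` differs from `### Warning messages` used for the same block on the components, configurations and logs pages; since the warning is only ever emitted in Kubernetes mode (`-k`) on every page, use one heading text everywhere.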


@ -48,4 +48,15 @@ dapr list -k --namespace default
# List Dapr instances in all namespaces in Kubernetes mode
dapr list -k --all-namespaces
```
### Warning messages - Kubernetes Mode
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```


@ -35,3 +35,14 @@ dapr logs [flags]
# Get logs of sample app from target pod in custom namespace
dapr logs -k --app-id sample --pod-name target --namespace custom
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```


@ -30,8 +30,9 @@ dapr mtls [command]
### Available Commands
```txt
expiry Checks the expiry of the root certificate
export Export the root CA, issuer cert and key from Kubernetes to local files
expiry Checks the expiry of the root Certificate Authority (CA) certificate
export Export the root Certificate Authority (CA), issuer cert and issuer key to local files
renew-certificate Rotates the existing root Certificate Authority (CA), issuer cert and issuer key
```
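Review bot: The `renew-certificate` description "Rotates the existing root Certificate Authority (CA), issuer cert and issuer key" should say that the subcommand is Kubernetes-only, as the new reference page states under Supported platforms; the `expiry` and `export` entries give no such hint either, so a reader of this list cannot tell which subcommands work self-hosted.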
### Command Reference
@ -40,10 +41,22 @@ You can learn more about each sub command from the links below.
- [`dapr mtls expiry`]({{< ref dapr-mtls-expiry.md >}})
- [`dapr mtls export`]({{< ref dapr-mtls-export.md >}})
- [`dapr mtls renew-certificate`]({{< ref dapr-mtls-renew-certificate.md >}})
### Examples
```bash
# Check if mTLS is enabled
# Check if mTLS is enabled on the Kubernetes cluster
dapr mtls -k
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
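Review bot: The examples block only shows `dapr mtls -k`; since this page is the entry point for the new `renew-certificate` subcommand linked just above, add a `dapr mtls renew-certificate -k` example (or a pointer to the renew-certificate page) so the rotation path is discoverable from here.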


@ -8,7 +8,7 @@ weight: 2000
### Description
Checks the expiry of the root certificate
Checks the expiry of the root Certificate Authority (CA) certificate
### Supported platforms


@ -8,7 +8,7 @@ weight: 1000
### Description
Export the root CA, issuer cert and key from Kubernetes to local files
Export the root Certificate Authority (CA), issuer cert and issuer key to local files
### Supported platforms
@ -33,3 +33,14 @@ dapr mtls export [flags]
# Check expiry of Kubernetes certs
dapr mtls export -o ./certs
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
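Review bot: The context comment `# Check expiry of Kubernetes certs` above `dapr mtls export -o ./certs` describes the wrong command; while touching this block, change it to something like `# Export root CA, issuer cert and issuer key to ./certs`. Because the export includes the issuer private key, the page should also note that the output directory must be protected (file permissions, not committed to source control).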


@ -0,0 +1,72 @@
---
type: docs
title: "mtls renew certificate CLI command reference"
linkTitle: "mtls renew certificate"
description: "Detailed information on the mtls renew certificate CLI command"
weight: 3000
---
### Description
This command can be used to renew expiring Dapr certificates. For example the Dapr Sentry service can generate default root and issuer certificates used by applications. For more information see [secure Dapr to Dapr communication]({{< ref "#secure-dapr-to-dapr-communication" >}})
### Supported platforms
- [Kubernetes]({{< ref kubernetes >}})
### Usage
```bash
dapr mtls renew-certificate [flags]
```
### Flags
| Name | Environment Variable | Default | Description |
| -------------- | -------------------- | ----------------- | ------------------------------------------- |
| `--help`, `-h` | | | help for renew-certificate
| `--kubernetes`, `-k` | | `false` | supprted platform| |
| `--valid-until` | | 365 days | Validity for newly created certificates |
| `--restart` | | false | Restarts Dapr control plane services (Sentry service, Operator service and Placement server) |
| `--timeout` | | 300 sec | The timeout for the certificate renewal process |
| `--ca-root-certificate` | | | File path to user provided PEM root certificate|
| `--issuer-public-certificate` | | | File path to user provided PEM issuer certificate|
| `--issuer-private-key` | | | File path to user provided PEM issue private key|
| `--private-key` | | | User provided root.key file which is used to generate root certificate|
### Examples
#### Renew certificates by generating brand new certificates
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days. The certificates are not applied to the Dapr control plane.
```bash
dapr mtls renew-certificate -k
```
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days and restarts the Dapr control plane services.
```bash
dapr mtls renew-certificate -k --restart
```
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time.
```bash
dapr mtls renew-certificate -k --valid-until <no of days>
```
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time and restarts the Dapr control place services.
```bash
dapr mtls renew-certificate -k --valid-until <no of days> --restart
```
#### Renew certificate by using user provided certificates
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths and restarts the Dapr control plane services
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem> --restart
```
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths.
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem>
```
#### Renew certificates by generating brand new certificates using the provided root private key
Uses existing private root.key to generate new root and issuer certificates for the Kubernetes cluster with a given validity time for created certs.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
```
Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key
```
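Review bot: The flags table is malformed: the `--help` row lacks its closing `|`, and the `--kubernetes` row has an extra empty cell plus a typo (`supprted platform| |`), so the columns will not line up when rendered; suggest `| \`--kubernetes\`, \`-k\` | | \`false\` | Run the command against the Kubernetes cluster (the only supported platform) |`. Further: "PEM issue private key" should be "PEM issuer private key"; "control place services" should be "control plane services"; `{{< ref "#secure-dapr-to-dapr-communication" >}}` is an anchor-only reference but no such heading exists on this page, so it needs the target page name; "The certificates are not applied to the Dapr control plane" contradicts the operations page, which says the new certificates are stored and the control plane only needs a restart to read them, so reword to "The control plane services are not restarted and keep using the old certificates until they are"; and the placeholder names (`ca.pem`, `issuer.pem` here versus `ca.crt`, `issuer.crt` on the operations page) should be consistent.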


@ -32,3 +32,14 @@ dapr status -k
# Get status of Dapr services from Kubernetes
dapr status -k
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```


@ -46,6 +46,16 @@ dapr upgrade -k --runtime-version 1.2
# Upgrade or downgrade to a specified version of Dapr runtime in Kubernetes with value set
dapr upgrade -k --runtime-version 1.2 --set global.logAsJson=true
```
### Warning messages
This command can issue warning messages.
#### Root certificate renewal warning
If the mtls root certificate deployed to the Kubernetes cluster expires in under 30 days the following warning message is displayed:
```
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
```
### Related links


@ -48,9 +48,14 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| connectionString | Y | Output | The [EventHubs connection string](https://docs.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature). Note that this is the EventHub itself and not the EventHubs namespace. Make sure to use the child EventHub shared access policy connection string | `"Endpoint=sb://****"` |
| consumerGroup | Y | Output | The name of an [EventHubs Consumer Group](https://docs.microsoft.com/azure/event-hubs/event-hubs-features#consumer-groups) to listen on | `"group1"` |
| storageAccountName | Y | Output | The name of the account of the Azure Storage account to persist checkpoints data on | `"accountName"` |
| storageAccountKey | Y | Output | The account key for the Azure Storage account to persist checkpoints data on | `"accountKey"` |
| storageContainerName | Y | Output | The name of the container in the Azure Storage account to persist checkpoints data on | `"contianerName"` |
| storageAccountKey | Y* | Output | The account key for the Azure Storage account to persist checkpoints data on. ***Not required if using AAD authentication.** | `"accountKey"` |
| storageContainerName | Y | Output | The name of the container in the Azure Storage account to persist checkpoints data on | `"containerName"` |
| partitionID | N | Output | ID of the partition to send and receive events | `0` |
| eventHub | N | Output | The name of the EventHubs hub. **Required if using AAD authentication.** | `eventHubsNamespace-hubName` |
| eventHubNamespace | N | Output | The name of the EventHubs namespace. **Required if using AAD authentication.** | `eventHubsNamespace` |
### Azure Active Directory (AAD) authentication
The Azure Event Hubs pubsub component supports authentication using all Azure Active Directory mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of AAD authentication mechanism, see the [docs for authenticating to Azure]({{< ref authenticating-azure.md >}}).
## Binding support
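Review bot: The `storageAccountKey` cell uses `***Not required if using AAD authentication.**`, three asterisks opening and two closing, which renders with a stray `*`; and the new `Y*` marker is never explained on the page. Suggest `Y*` in the Required column, `*Not required if using AAD authentication.` in the Details cell, and one line under the table defining `*`. The `eventHub` example `eventHubsNamespace-hubName` looks like a namespace/hub compound rather than a hub name; a plain example such as `myhub` would avoid suggesting that format.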


@ -54,10 +54,10 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| Field | Required | Details | Example |
|--------------------|:--------:|---------|---------|
| connectionString | Y | Connection-string for the Event Hub or the Event Hub namespace. Mutally exclusive with `eventHubNamespace` field. Not to be used when [Azure Authentication]({{< ref "authenticating-azure.md" >}}) is used | `"Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={EventHub}"` or `"Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key}"`
| eventHubNamespace | Y | The Event Hub Namespace name. Mutally exclusive with `connectionString` field. To be used when [Azure Authentication]({{< ref "authenticating-azure.md" >}}) is used | `"namespace"`
| connectionString | Y* | Connection-string for the Event Hub or the Event Hub namespace. *Mutally exclusive with `eventHubNamespace` field. *Not to be used when [Azure Authentication]({{< ref "authenticating-azure.md" >}}) is used | `"Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={EventHub}"` or `"Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key}"`
| eventHubNamespace | N* | The Event Hub Namespace name. *Mutally exclusive with `connectionString` field. *To be used when [Azure Authentication]({{< ref "authenticating-azure.md" >}}) is used | `"namespace"`
| storageAccountName | Y | Storage account name to use for the EventProcessorHost |`"myeventhubstorage"`
| storageAccountKey | Y | Storage account key to use for the EventProcessorHost. Can be `secretKeyRef` to use a secret reference | `"112233445566778899"`
| storageAccountKey | Y* | Storage account key to use for the EventProcessorHost. Can be `secretKeyRef` to use a secret reference. *Omit if using [Azure Authentication]({{< ref "authenticating-azure.md" >}}) and AAD authentication to the storage account is preferred. | `"112233445566778899"`
| storageContainerName | Y | Storage container name for the storage account name. | `"myeventhubstoragecontainer"`
| enableEntityManagement | N | Boolean value to allow management of EventHub namespace. Default: `false` | `"true", "false"`
| resourceGroupName | N | Name of the resource group the event hub namespace is a part of. Needed when entity management is enabled | `"test-rg"`
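Review bot: "Mutally exclusive" is misspelled in both rewritten rows ("Mutually"). The `Y*`/`N*` markers are inconsistent: `connectionString` and `eventHubNamespace` are mutually exclusive alternatives, so marking one `Y*` and the other `N*` suggests `eventHubNamespace` is optional under Azure Authentication when in fact exactly one of the two must be set; mark both `Y*` and explain the asterisk under the table. The inline `*Mutally exclusive ... *Not to be used` asterisks inside the cell may also render as emphasis, so a single footnote is safer.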


@ -244,11 +244,20 @@ Consider the example from ["How-To: Query state"]({{< ref "howto-state-query-api
{{< tabs "Self-Hosted" "Kubernetes" "Azure" "AWS" "GCP" "Redis Enterprise Cloud" "Alibaba Cloud" >}}
{{% codetab %}}
If you are using a self-hosted deployment of Dapr v1.7 and up, a Redis instance with the required modules is automatically created as a Docker container when you run `dapr init`.
If you are using a self-hosted deployment of Dapr, a Redis instance without the JSON module is automatically created as a Docker container when you run `dapr init`.
Alternatively, you can create an instance of Redis by running the following command:
```bash
docker run -p 6379:6379 --name redis --rm redis
```
The Redis container that gets created on dapr init or via the above command, cannot be used with state store query API alone. You can run redislabs/rejson docker image on a different port(than the already installed Redis is using) to work with they query API.
> Note: `redislabs/rejson` has support only for amd64 architecture.
Use following command to create an instance of redis compatiable with query API.
```bash
docker run -p 6379:6379 --name redis --rm redislabs/rejson:2.0.6
docker run -p 9445:9445 --name rejson --rm redislabs/rejson:2.0.6
```
{{% /codetab %}}
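Review bot: `docker run -p 9445:9445 --name rejson --rm redislabs/rejson:2.0.6` maps host port 9445 to container port 9445, but the `redislabs/rejson` image is a Redis build listening on the default 6379 inside the container, so this mapping exposes nothing; it should be `-p 9445:6379` unless the image is started with a custom port. Also: "they query API" should be "the query API", "port(than" needs a space, "compatiable" should be "compatible", and "Use following command" should be "Use the following command". The sentence "cannot be used with state store query API alone" would read better as "cannot be used with the state store query API, because it lacks the JSON module".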
@ -305,7 +314,7 @@ Memory Store does not support modules and cannot be used with query.
{{< /tabs >}}
Next is to start a Dapr application. Refer to this [component configuration file](../../../../developing-applications/building-blocks/state-management/query-api-examples/components/redis/redis.yml), which contains query indexing schemas.
Next is to start a Dapr application. Refer to this [component configuration file](../../../../developing-applications/building-blocks/state-management/query-api-examples/components/redis/redis.yml), which contains query indexing schemas. Make sure to modify the `redisHost` to reflect the local forwarding port which `redislabs/rejson` uses.
```bash
dapr run --app-id demo --dapr-http-port 3500 --components-path query-api-examples/components/redis
```
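Review bot: "Make sure to modify the `redisHost` to reflect the local forwarding port which `redislabs/rejson` uses" should state the value, e.g. `redisHost: localhost:9445`, to match the `docker run -p 9445:...` command above, so readers do not have to cross-reference and guess which port is meant.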

@ -1 +1 @@
Subproject commit d3df194bad3826069b7c9cda5178196e92dacad1
Subproject commit bb6db2ec6b6925f85fad9bf7a144ada7a767086f