Addressing review comments

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>
This commit is contained in:
Pravin Pushkar 2022-03-28 17:22:56 +05:30
parent 2a66de5e21
commit f822b8193f
5 changed files with 24 additions and 23 deletions

View File

@ -450,6 +450,8 @@ By default, system services will look for the credentials in `/var/run/dapr/cred
*Note: If you signed the cert root with a different private key, restart the Dapr instances.*
## Community call video on certificate rotation
Watch this video on how to perform certificate rotation if your certicates are expiring.
Watch this [video](https://www.youtube.com/watch?v=Hkcx9kBDrAc&feature=youtu.be&t=1400) on how to perform certificate rotation if your certicates are expiring.
<iframe width="1280" height="720" src="https://www.youtube.com/watch?v=Hkcx9kBDrAc" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<div class="embed-responsive embed-responsive-16by9">
<iframe width="560" height="315" src="https://www.youtube.com/embed/Hkcx9kBDrAc?start=1400"></iframe>
</div>
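Review bot: the replacement sentence still carries the typo "certicates" (should be "certificates"), so the rewrite of this line leaves the misspelling in place. The new `<iframe>` also drops the `title="YouTube video player"` and `allowfullscreen` attributes that the removed one had; the `title` is the accessible name for the frame and is worth keeping, and `allowfullscreen` should be restored. Moving the `src` from the `watch` URL to `/embed/Hkcx9kBDrAc?start=1400` is the right change, since the embed form is what belongs in an iframe and the `?start=1400` matches the `t=1400` in the link above it.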

View File

@ -30,9 +30,9 @@ dapr mtls [command]
### Available Commands
```txt
expiry Checks the expiry of the root certificate
export Export the root CA, issuer cert and key from Kubernetes to local files
renew-certificate Rotates root CA, issuer cert and issuer key in Kubernetes secret used by Sentry service
expiry Checks the expiry of the root Certificate Authority (CA) certificate
export Export the root Certificate Authority (CA), issuer cert and issuer key to local files
renew-certificate Rotates the existing root Certificate Authority (CA), issuer cert and issuer key
```
### Command Reference
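Review bot: the new `renew-certificate` line drops the one detail in the old text that tells a user what this command touches, namely that the certificates live in the Kubernetes secret read by the Sentry service; consider keeping it, for example "Rotates the existing root Certificate Authority (CA), issuer cert and issuer key in the Kubernetes secret used by the Sentry service". The `expiry` and `export` lines match the per-command description pages changed elsewhere in this commit, which is good.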
@ -46,6 +46,6 @@ You can learn more about each sub command from the links below.
### Examples
```bash
# Check if mTLS is enabled
# Check if mTLS is enabled on the Kubernetes cluster
dapr mtls -k
```

View File

@ -8,7 +8,7 @@ weight: 2000
### Description
Checks the expiry of the root certificate
Checks the expiry of the root Certificate Authority (CA) certificate
### Supported platforms

View File

@ -8,7 +8,7 @@ weight: 1000
### Description
Export the root CA, issuer cert and key from Kubernetes to local files
Export the root Certificate Authority (CA), issuer cert and issuer key to local files
### Supported platforms

View File

@ -7,8 +7,7 @@ weight: 3000
---
### Description
This command can be used to renew expiring Dapr certificates in Kubernetes cluster.
It renews root CA certificate, issuer certificate and issuer key.
This command can be used to renew expiring Dapr certificates. For example the Dapr Sentry service can generate default root and issuer certificates used by applications. For more information see [secure Dapr to Dapr communication]({{< ref "#secure-dapr-to-dapr-communication" >}})
### Supported platforms
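Review bot: the shortcode `{{< ref "#secure-dapr-to-dapr-communication" >}}` carries only a fragment, which Hugo resolves against the current page; unless this reference page itself has a heading with that anchor, the ref should name the page that does, e.g. `{{< ref "<page>.md#secure-dapr-to-dapr-communication" >}}` with the real file name substituted. The new sentence is also missing its closing period, and removing "It renews root CA certificate, issuer certificate and issuer key." loses the only line that states what is rotated; the replacement only says that Sentry can generate default certificates, so consider keeping that sentence alongside the new text.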
@ -29,45 +28,45 @@ dapr mtls renew-certificate [flags]
| `--valid-until` | | 365 days | Validity for newly created certificates |
| `--restart` | | false | Restarts Dapr control plane services (Sentry service, Operator service and Placement server) |
| `--timeout` | | 300 sec | The timeout for the certificate renewal process |
| `--ca-root-certificate` | | | User provided root certificate pem file path|
| `--issuer-public-certificate` | | | User provided issuer certificate pem file path|
| `--issuer-private-key` | | | User provided issue private key file path|
| `--ca-root-certificate` | | | File path to user provided PEM root certificate|
| `--issuer-public-certificate` | | | File path to user provided PEM issuer certificate|
| `--issuer-private-key` | | | File path to user provided PEM issue private key|
| `--private-key` | | | User provided root.key file which is used to generate root certificate|
### Examples
#### Renew certificates by generating fresh new certificates
Generates new root and issuer certificates for Dapr kubernetes cluster with a default validity of 365 days.
#### Renew certificates by generating brand new certificates
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days. The certificates are not applied to the Dapr control plane.
```bash
dapr mtls renew-certificate -k
```
Generates new root and issuer certificates for kubernetes cluster with a default validity of 365 days and restart the control plane services.
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days and restarts the Dapr control plane services.
```bash
dapr mtls renew-certificate -k --restart
```
Generates new root and issuer certificates for kubernetes cluster with a given validity.
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time.
```bash
dapr mtls renew-certificate -k --valid-until <no of days>
```
Generates new root and issuer certificates for kubernetes cluster with a given validity and restart the control place services.
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time and restarts the Dapr control place services.
```bash
dapr mtls renew-certificate -k --valid-until <no of days> --restart
```
#### Renew certificate by using user provided certificates
Rotates certificate of your kubernetes cluster with provided ca.pem, issuer.pem and issuer.key file path and restart the control plane services
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths and restarts the Dapr control plane services
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem> --restart
```
Rotates certificate of your kubernetes cluster with provided ca.pem, issuer.pem and issuer.key file path.
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths.
```bash
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem>
```
#### Renew certificates by generating fresh certificates using provided root private key
Uses existing private root.key to generate new root and issuer certificates for kubernetes cluster with a given validity for created certs.
#### Renew certificates by generating brand new certificates using the provided root private key
Uses existing private root.key to generate new root and issuer certificates for the Kubernetes cluster with a given validity time for created certs.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
```
Uses existing private root.key to generate new root and issuer certificates for kubernetes cluster with a default validity of 365 days for created certs.
Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster.
```bash
dapr mtls renew-certificate -k --private-key myprivatekey.key
```
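Review bot: two typos survive the rewrite in this hunk: the `--issuer-private-key` row now reads "File path to user provided PEM issue private key" (should be "issuer"), and the `--valid-until <no of days> --restart` example still says "control place services" (should be "control plane"). The added sentence "The certificates are not applied to the Dapr control plane." under the first example is ambiguous on its own; since the only difference from the next example is `--restart`, state explicitly what happens to the running control plane services when `--restart` is omitted and that a restart is needed for them to pick up the new certificates. Minor: the `--private-key` row keeps the old "User provided root.key file ..." wording while the three rows above it were changed to the "File path to user provided PEM ..." style, the first "user provided certificates" example lacks a closing period, and the last example lost the "default validity of 365 days" note that its neighbour keeps.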