Siri Varma Vegiraju

Enabling mTLS with Dapr Sidecar communication

Dapr mTLS Setup and Configuration Summary

Overview

Dapr supports in-transit encryption between Dapr instances using the Sentry service, which acts as a central Certificate Authority (CA). You can either bring your own certificates or let Dapr automatically create self-signed certificates.

Key Features:

  • Automatic self-signed certificate generation (valid for 1 year)
  • Support for custom certificates
  • Certificate rotation capabilities
  • Monitoring and alerting for certificate expiration

Configuration Structure

Control Plane Configuration

mTLS is configured through a Dapr Configuration resource:

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: daprsystem
  namespace: default
spec:
  mtls:
    enabled: true
    workloadCertTTL: "24h"
    allowedClockSkew: "15m"

Kubernetes Deployment

Default Setup

  • mTLS enabled by default when deploying Dapr to Kubernetes
  • Certificates persisted to Kubernetes secrets in the Dapr system namespace
  • Sentry service installed via Helm or Dapr CLI

Configuration Management

View current configuration:

kubectl get configurations/daprsystem --namespace <DAPR_NAMESPACE> -o yaml

Edit configuration:

kubectl edit configurations/daprsystem --namespace <DAPR_NAMESPACE>

Restart control plane after changes:

kubectl rollout restart deploy/dapr-sentry -n <DAPR_NAMESPACE>
kubectl rollout restart deploy/dapr-operator -n <DAPR_NAMESPACE>
kubectl rollout restart statefulsets/dapr-placement-server -n <DAPR_NAMESPACE>

Disabling mTLS

Via Helm:

kubectl create ns dapr-system
helm install \
  --set global.mtls.enabled=false \
  --namespace dapr-system \
  dapr \
  dapr/dapr

Via CLI:

dapr init --kubernetes --enable-mtls=false

Bring Your Own Certificates

Generate certificates using OpenSSL:

  1. Create configuration files (root.conf and issuer.conf)
  2. Generate root certificate and key:

openssl ecparam -genkey -name prime256v1 | openssl ec -out root.key
openssl req -new -nodes -sha256 -key root.key -out root.csr -config root.conf -extensions v3_req
openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key -outform PEM -out root.pem -extfile root.conf -extensions v3_req

  3. Generate issuer certificate and key:

openssl ecparam -genkey -name prime256v1 | openssl ec -out issuer.key
openssl req -new -sha256 -key issuer.key -out issuer.csr -config issuer.conf -extensions v3_req
openssl x509 -req -in issuer.csr -CA root.pem -CAkey root.key -CAcreateserial -outform PEM -out issuer.pem -days 365 -sha256 -extfile issuer.conf -extensions v3_req

Install with custom certificates:

kubectl create ns dapr-system
helm install \
  --set-file dapr_sentry.tls.issuer.certPEM=issuer.pem \
  --set-file dapr_sentry.tls.issuer.keyPEM=issuer.key \
  --set-file dapr_sentry.tls.root.certPEM=root.pem \
  --namespace dapr-system \
  dapr \
  dapr/dapr
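
Before installing a bring-your-own chain, it is worth checking what Sentry and the sidecars will rely on: that the issuer is signed by the root, that it is a CA allowed to sign certificates, and that neither cert is already inside the 30-day warning window. The script below is an added example, not code from the Dapr docs or project; it assumes the openssl CLI, and the file names and the constructed sample chain are illustrative.

```shell
#!/bin/sh
# Pre-flight check for a bring-your-own Sentry chain before `helm install`.
# Added example, not Dapr's code. Assumes the openssl CLI is installed.
set -eu

# check_sentry_chain ROOT_PEM ISSUER_PEM [MIN_DAYS]: one line per finding,
# returns 0 only if every check passes.
check_sentry_chain() {
  root=$1; issuer=$2; min_days=${3:-30}; rc=0
  # The root becomes DAPR_TRUST_ANCHORS, so the issuer must chain to it.
  if openssl verify -CAfile "$root" "$issuer" >/dev/null 2>&1; then
    echo "ok   issuer chains to root"
  else echo "FAIL issuer is not signed by the supplied root"; rc=1; fi
  # Sentry signs workload certs with the issuer key, so the issuer cert
  # must carry basicConstraints CA:TRUE and keyUsage keyCertSign.
  text=$(openssl x509 -in "$issuer" -noout -text)
  case $text in *"CA:TRUE"*) echo "ok   issuer is a CA";;
    *) echo "FAIL issuer lacks basicConstraints CA:TRUE"; rc=1;; esac
  case $text in *"Certificate Sign"*) echo "ok   issuer has keyCertSign";;
    *) echo "FAIL issuer lacks keyUsage keyCertSign"; rc=1;; esac
  # Neither cert should expire inside Sentry's 30-day warning window.
  for f in "$root" "$issuer"; do
    if openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null
    then echo "ok   $f valid for more than $min_days days"
    else echo "FAIL $f expires within $min_days days"; rc=1; fi
  done
  return $rc
}

# make_sample_chain DIR: constructed root + issuer (both CA:TRUE with
# keyCertSign), built like the OpenSSL steps above, for a stand-alone run.
make_sample_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign\n' > "$dir/ca.ext"
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj /CN=sample-root -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/issuer.key"
  openssl req -new -key "$dir/issuer.key" -subj /CN=cluster.local -out "$dir/issuer.csr"
  openssl x509 -req -in "$dir/issuer.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/ca.ext" -out "$dir/issuer.pem" 2>/dev/null
}

# Usage: ./check_chain.sh root.pem issuer.pem  (exit status 0 means safe to install)
if [ "$#" -ge 2 ]; then check_sentry_chain "$@"; fi
```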

Certificate Renewal

CLI-based renewal (Recommended):

Generate new certificates:

# Brand new certificates with new root key
dapr mtls renew-certificate -k --valid-until <days> --restart

# New certificates with existing root key (no downtime)
dapr mtls renew-certificate -k --private-key <private_key_file_path> --valid-until <days>

# Using custom certificates
dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart

Manual certificate rotation:

# Update certificates via Helm
helm upgrade \
  --set-file dapr_sentry.tls.issuer.certPEM=issuer.pem \
  --set-file dapr_sentry.tls.issuer.keyPEM=issuer.key \
  --set-file dapr_sentry.tls.root.certPEM=root.pem \
  --namespace dapr-system \
  dapr \
  dapr/dapr

Avoiding Downtime

  • Critical: Always sign new certificates with the same private root key
  • If a different root key is used, restart the Sentry service and all control plane components
  • Restart application deployments: kubectl rollout restart deploy/myapp

Self-Hosted Deployment

Setup Requirements

  • mTLS disabled by default in self-hosted mode
  • Manual configuration required

Running Sentry Service

# Create certificate directory
mkdir -p $HOME/.dapr/certs

# Run Sentry service
./sentry --issuer-credentials $HOME/.dapr/certs --trust-domain cluster.local

Dapr Instance Configuration

Configuration file:

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: daprsystem
  namespace: default
spec:
  mtls:
    enabled: true

Environment variables (Linux/Mac):

export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt`
export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt`
export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key`
export NAMESPACE=default

Environment variables (Windows):

$env:DAPR_TRUST_ANCHORS=$(Get-Content -raw $env:USERPROFILE\.dapr\certs\ca.crt)
$env:DAPR_CERT_CHAIN=$(Get-Content -raw $env:USERPROFILE\.dapr\certs\issuer.crt)
$env:DAPR_CERT_KEY=$(Get-Content -raw $env:USERPROFILE\.dapr\certs\issuer.key)
$env:NAMESPACE="default"

Run Dapr with mTLS:

# Using Dapr CLI
dapr run --app-id myapp --config ./config.yaml node myapp.js

# Using daprd directly
daprd --app-id myapp --enable-mtls --sentry-address localhost:50001 --config=./config.yaml

Custom Certificates (Self-Hosted)

Using step tool:

# Create root certificate
step certificate create cluster.local ca.crt ca.key --profile root-ca --no-password --insecure

# Create issuer certificate
step certificate create cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure

# Launch Sentry with custom certificates
./sentry --issuer-credentials $HOME/.dapr/certs --trust-domain cluster.local

Monitoring and Alerting

Certificate Expiration Monitoring

  • Warning logs: Emitted 30 days before certificate expiration
  • Log format: Hourly warnings in Sentry service logs
  • CLI status: Shows certificate expiration when running dapr status -k

Example warning log:

{
  "instance": "dapr-sentry-68cbf79bb9-gdqdv",
  "level": "warning",
  "msg": "Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours",
  "scope": "dapr.sentry",
  "time": "2022-04-01T23:43:35.931825236Z",
  "type": "log",
  "ver": "1.6.0"
}

View Sentry logs:

kubectl logs --selector=app=dapr-sentry --namespace <DAPR_NAMESPACE>
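
To turn the hourly warning above into an actual alert, the following script parses Sentry log lines in the format shown and flags the smallest remaining lifetime below a threshold. It is an added example, not Dapr's code; it assumes the output of the `kubectl logs` command above is piped in, and the sample lines embedded in it are constructed.

```shell
#!/bin/sh
# Expiry alert over Dapr Sentry JSON log lines. Added example, not Dapr's code.
# Converts "expires in N days and M hours" into hours and alerts under a
# threshold, e.g. from a cron job:
#   kubectl logs --selector=app=dapr-sentry -n <DAPR_NAMESPACE> | ./sentry_expiry.sh
set -eu

# hours_left LINE: prints the remaining hours parsed from an expiry-warning
# line; returns 1 (prints nothing) for any other log line.
hours_left() {
  case $1 in *"certificate expiration warning"*) ;; *) return 1;; esac
  rest=${1##*expires in }   # e.g. 2 days and 15 hours","scope":...
  d=$(printf '%s\n' "$rest" | sed -n 's/^\([0-9][0-9]*\) day.*/\1/p')
  h=$(printf '%s\n' "$rest" | sed -n 's/^\(.*and \)\{0,1\}\([0-9][0-9]*\) hour.*/\2/p')
  echo $(( ${d:-0} * 24 + ${h:-0} ))
}

# scan_logs THRESHOLD_HOURS: reads log lines on stdin and reports the smallest
# remaining time seen; returns 2 if it is under the threshold, 1 if no
# warning was present (nothing to alert on yet), 0 otherwise.
scan_logs() {
  threshold=$1; min=""
  while IFS= read -r line; do
    if h=$(hours_left "$line"); then
      if [ -z "$min" ] || [ "$h" -lt "$min" ]; then min=$h; fi
    fi
  done
  [ -n "$min" ] || { echo "no expiry warning in input"; return 1; }
  echo "certificate expires in ${min}h (threshold ${threshold}h)"
  [ "$min" -ge "$threshold" ] || return 2
}

# Constructed sample lines in the format shown above (not real cluster output).
SAMPLE_LOGS='{"instance":"dapr-sentry-68cbf79bb9-gdqdv","level":"info","msg":"sentry certificate authority is running","scope":"dapr.sentry","type":"log","ver":"1.6.0"}
{"instance":"dapr-sentry-68cbf79bb9-gdqdv","level":"warning","msg":"Dapr root certificate expiration warning: certificate expires in 29 days and 3 hours","scope":"dapr.sentry","type":"log","ver":"1.6.0"}
{"instance":"dapr-sentry-68cbf79bb9-gdqdv","level":"warning","msg":"Dapr root certificate expiration warning: certificate expires in 2 days and 15 hours","scope":"dapr.sentry","type":"log","ver":"1.6.0"}'

# Stand-alone demo: alert when fewer than 7 days (168h) remain.
if printf '%s\n' "$SAMPLE_LOGS" | scan_logs 168; then
  echo "OK: certificate lifetime above threshold"
else
  echo "ALERT: renew the certificates now (rc=$?)"
fi
```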

Advanced Features

Token Validators

JWKS Validator Configuration:

kind: Configuration
apiVersion: dapr.io/v1alpha1
metadata:
  name: sentryconfig
spec:
  mtls:
    enabled: true
    tokenValidators:
      - name: jwks
        options:
          minRefreshInterval: 2m
          requestTimeout: 1m
          source: "https://localhost:1234/"
          caCertificate: "<optional ca certificate bundle string>"

Static JWKS Configuration:

kind: Configuration
apiVersion: dapr.io/v1alpha1
metadata:
  name: sentryconfig
spec:
  mtls:
    enabled: true
    tokenValidators:
      - name: jwks
        options:
          minRefreshInterval: 2m
          requestTimeout: 1m
          source: |
            {"keys":[ "12345.." ]}

Best Practices

Certificate Management

  • Always use the same private root key when rotating certificates to avoid downtime
  • Monitor certificate expiration 30 days in advance
  • Set up automated alerts for certificate expiration warnings
  • Test certificate rotation in non-production environments first

Production Considerations

  • Configure monitoring for Sentry service logs
  • Implement automated certificate renewal where possible
  • Plan maintenance windows for certificate rotation if downtime is unavoidable
  • Document certificate rotation procedures for your team

Security

  • Protect private keys with appropriate file permissions
  • Choose certificate validity periods that balance rotation overhead against exposure (neither too short nor too long)
  • Rotate certificates regularly as part of security hygiene
  • Audit certificate usage and access patterns

Reference: https://docs.dapr.io/operations/security/mtls/
