I am trying to enable mTLS for securing sidecar-to-sidecar communication, but I am not sure how to set the environment variables DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN, DAPR_CERT_KEY to ca.crt, issuer.crt, issuer.key.
I am self-hosting the service using docker-compose. Below is my docker compose file.
docker-compose.yml:
version: "3.4"
services:
  # Omitted for brevity
  camera-service:
    container_name: camera-service
    build:
      context: ./src
      dockerfile: Services/CameraService/CameraService.Api/Dockerfile
    ports:
      - "5103:80"
      - "50002:50001"
      - "9092:9090"
    networks:
      - custom_network
    extra_hosts:
      - "host.docker.internal:host-gateway"
  camera-dapr:
    image: "daprio/daprd:latest"
    container_name: camera-dapr
    environment:
      - DAPR_TRUST_ANCHORS="$(cat /certs/ca.crt)"
      - DAPR_CERT_CHAIN="$(cat /certs/issuer.crt)"
      - DAPR_CERT_KEY="$(cat /certs/issuer.key)"
      - NAMESPACE=as
    command: ["./daprd",
      "-app-id", "camera-service",
      "-app-port", "80",
      "-log-level", "debug",
      "-enable-api-logging",
      "-enable-mtls",
      "-sentry-address", "dapr-sentry:50005",
      "-components-path", "/components",
      "-config", "/config/asDemoM-config.yaml",
    ]
    volumes:
      - "./dapr/components/:/components"
      - "./dapr/config/:/config"
      - "./.dapr/certs/:/certs"
    depends_on:
      - camera-service
    network_mode: "service:camera-service"
  dapr-sentry:
    image: "daprio/sentry"
    container_name: dapr-sentry
    command: [
      "./sentry",
      "-config", "/config/asDemoM-config.yaml",
      "-issuer-credentials", "/certs",
      "-port", "50005",
      "-trust-domain", "localhost",
      "-log-level", "debug",
    ]
    volumes:
      - "./.dapr/certs/:/certs"
      - "./dapr/config/:/config"
    ports:
      - "50005:50005"
      - "9999:8080"
    networks:
      - custom_network
networks:
  custom_network:
    external: true
    name: as-microservices-docker-network
This throws the following error in the sidecar "camera-dapr": level=fatal msg="failed to decode trust anchors: no certificates found" app_id=camera-service instance=4a69a119fdf7 scope=dapr.runtime type=log ver=1.12.0
While setting the environment in service camera-dapr, the cat command doesn't execute, and the value is set as-is. So I tried setting the value directly, like this:
- DAPR_TRUST_ANCHORS=-----BEGIN CERTIFICATE-----\n MIIBaTCCAQ+gAwIBAgIRAMkRAtH7QjjyjHY+zKX68MswCgYIKoZIzj0EAwIwFDES\n MBAGA1UEChMJbG9jYWxob3N0MB4XDTIzMTAyMzA5NDM0M1oXDTI0MTAyMjA5NTg0\n M1owFDESMBAGA1UEChMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n QgAEQeb4bTRx0t6N0daP3OX0atj0eVZkHGpPJp/zVN0vrDwm36wKD0qgERkk0iJD\n AtNqHPBMX/hTd5PUoOWzJw+9Z6NCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB\n /wQFMAMBAf8wHQYDVR0OBBYEFAbHS+mRS2P+kww2ykKplmLV/W0YMAoGCCqGSM49\n BAMCA0gAMEUCIQCbvRiBgPCwZKimxOvXcEx1MNl7xZNb4/iKzEmDr0JmkgIgAbPM\n Wonoc7xuWqu6F78b8AHuHWX4VzgmE3hBymU7q8g=\n -----END CERTIFICATE-----
But this also throws the same error.
I am referring to the official Dapr docs, though they don't include a complete sample for self-hosting with Docker. https://docs.dapr.io/operations/security/mtls/#self-hosted
I would be grateful if someone could share a reference to a working sample project or point out what I am doing wrong.
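Compose never runs `$(cat ...)` inside an `environment:` entry, so the literal string reaches daprd and it finds no PEM block. The linked docs export the three variables from the PEM files in the shell that starts the sidecar; the script below does that for a Compose setup and refuses to export anything that is not a PEM certificate or private key. It is an added example, not part of the question or of Dapr's own tooling, and it assumes the `./.dapr/certs/{ca.crt,issuer.crt,issuer.key}` layout from the compose file above.

```shell
# Added example: load the Dapr sidecar mTLS credentials from PEM files
# into the environment variables daprd reads, so Compose can pass them
# through instead of the literal "$(cat ...)" text.
# Assumed layout: ./.dapr/certs/ca.crt, issuer.crt, issuer.key

# pem_check FILE MARKER: succeed only if FILE is readable and contains a
# "-----BEGIN MARKER-----" ... "-----END MARKER-----" block.
pem_check() {
  f="$1"; m="$2"
  [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  grep -q -- "-----BEGIN ${m}-----" "$f" && grep -q -- "-----END ${m}-----" "$f" \
    || { echo "no PEM ${m} block in $f" >&2; return 1; }
}

# load_dapr_certs DIR: export DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN and
# DAPR_CERT_KEY from DIR/ca.crt, DIR/issuer.crt and DIR/issuer.key.
# Returns 1 (and exports nothing) if any file is missing or not PEM.
load_dapr_certs() {
  d="${1:-./.dapr/certs}"
  pem_check "$d/ca.crt" CERTIFICATE || return 1
  pem_check "$d/issuer.crt" CERTIFICATE || return 1
  # Accept PKCS#8 ("PRIVATE KEY") as well as "EC PRIVATE KEY" encodings.
  [ -r "$d/issuer.key" ] && grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$d/issuer.key" \
    || { echo "no private key block in $d/issuer.key" >&2; return 1; }
  DAPR_TRUST_ANCHORS=$(cat "$d/ca.crt")
  DAPR_CERT_CHAIN=$(cat "$d/issuer.crt")
  DAPR_CERT_KEY=$(cat "$d/issuer.key")
  export DAPR_TRUST_ANCHORS DAPR_CERT_CHAIN DAPR_CERT_KEY
}

# Usage from the directory holding docker-compose.yml (assumed layout):
#   load_dapr_certs ./.dapr/certs && docker compose up -d
```

With the variables exported this way, list them without values in the sidecar's `environment:` section (`- DAPR_TRUST_ANCHORS`, `- DAPR_CERT_CHAIN`, `- DAPR_CERT_KEY`) so Compose copies the multi-line PEM from the shell environment into the container.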