mTLS with dapr not working in self-hosted with docker


I am trying to enable mTLS for securing sidecar-to-sidecar communication, but I am not sure how to set the environment variables DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN and DAPR_CERT_KEY from ca.crt, issuer.crt and issuer.key.

I am self-hosting the service using docker-compose. Below is my docker-compose file.

docker-compose.yml:

version: "3.4"

services:

# Omitted for brevity

  camera-service:
    container_name: camera-service
    build:
      context: ./src
      dockerfile: Services/CameraService/CameraService.Api/Dockerfile
    ports:
      - "5103:80"
      - "50002:50001"
      - "9092:9090"
    networks:
      - custom_network
    extra_hosts:
      - "host.docker.internal:host-gateway"

  camera-dapr:
    image: "daprio/daprd:latest"
    container_name: camera-dapr
    environment:
      - DAPR_TRUST_ANCHORS="$(cat /certs/ca.crt)"
      - DAPR_CERT_CHAIN="$(cat /certs/issuer.crt)"
      - DAPR_CERT_KEY="$(cat /certs/issuer.key)"
      - NAMESPACE=as
    command: ["./daprd",
      "-app-id", "camera-service",
      "-app-port", "80",
      "-log-level", "debug",
      "-enable-api-logging",
      "-enable-mtls",
      "-sentry-address", "dapr-sentry:50005",
      "-components-path", "/components",
      "-config", "/config/asDemoM-config.yaml",
      ]
    volumes:
      - "./dapr/components/:/components"
      - "./dapr/config/:/config"
      - "./.dapr/certs/:/certs"
    depends_on:
      - camera-service
    network_mode: "service:camera-service"

  dapr-sentry:
    image: "daprio/sentry"
    container_name: dapr-sentry
    command: [
      "./sentry",
      "-config", "/config/asDemoM-config.yaml",
      "-issuer-credentials", "/certs",
      "-port", "50005",
      "-trust-domain", "localhost",
      "-log-level", "debug",
    ]
    volumes:
      - "./.dapr/certs/:/certs"
      - "./dapr/config/:/config"
    ports:
      - "50005:50005"
      - "9999:8080"
    networks:
      - custom_network

networks:
  custom_network:
    external: true
    name: as-microservices-docker-network

This throws the following error in the sidecar "camera-dapr": level=fatal msg="failed to decode trust anchors: no certificates found" app_id=camera-service instance=4a69a119fdf7 scope=dapr.runtime type=log ver=1.12.0

When the environment is set in the camera-dapr service, the cat command doesn't execute and the value is set as-is. So I tried setting the value directly like this:

- DAPR_TRUST_ANCHORS=-----BEGIN CERTIFICATE-----\n MIIBaTCCAQ+gAwIBAgIRAMkRAtH7QjjyjHY+zKX68MswCgYIKoZIzj0EAwIwFDES\n MBAGA1UEChMJbG9jYWxob3N0MB4XDTIzMTAyMzA5NDM0M1oXDTI0MTAyMjA5NTg0\n M1owFDESMBAGA1UEChMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n QgAEQeb4bTRx0t6N0daP3OX0atj0eVZkHGpPJp/zVN0vrDwm36wKD0qgERkk0iJD\n AtNqHPBMX/hTd5PUoOWzJw+9Z6NCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB\n /wQFMAMBAf8wHQYDVR0OBBYEFAbHS+mRS2P+kww2ykKplmLV/W0YMAoGCCqGSM49\n BAMCA0gAMEUCIQCbvRiBgPCwZKimxOvXcEx1MNl7xZNb4/iKzEmDr0JmkgIgAbPM\n Wonoc7xuWqu6F78b8AHuHWX4VzgmE3hBymU7q8g=\n -----END CERTIFICATE-----

But this also throws the same error.

I am referring to the official Dapr docs, though they don't include a complete sample for self-hosting with Docker: https://docs.dapr.io/operations/security/mtls/#self-hosted

I would be grateful if someone could share a reference to a working sample project or point out what I am doing wrong.


There are 0 answers
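An added example, not from the question or from the Dapr project: docker-compose passes the $(cat ...) string through literally, and a plain YAML scalar keeps \n as two characters, so this POSIX shell script reads the PEM files on the host instead, checks that each one holds a real PEM block with real line breaks, and exports the three variables so the compose file can list them by name (environment: - DAPR_TRUST_ANCHORS, etc.) and inherit the values. The certificate directory ./.dapr/certs is taken from the compose file above; the accepted key labels (EC PRIVATE KEY or PRIVATE KEY) are an assumption about how the sentry-issued key is written.

```shell
#!/bin/sh
# Added example: load Dapr mTLS material from files into the environment
# variables daprd reads, validating the PEM framing first.

CERT_DIR="${CERT_DIR:-./.dapr/certs}"   # assumed; matches the compose volume

# pem_has_block FILE LABEL
# Succeed only if FILE contains a "-----BEGIN LABEL-----" line and a
# "-----END LABEL-----" line, each on a line of its own (-x). A file that
# carries the literal characters \n instead of newlines fails this check,
# which is exactly the case "failed to decode trust anchors" reports.
pem_has_block() {
  file="$1"; label="$2"
  [ -r "$file" ] || return 1
  grep -q -x -- "-----BEGIN ${label}-----" "$file" || return 1
  grep -q -x -- "-----END ${label}-----" "$file" || return 1
  return 0
}

# load_dapr_certs DIR
# Validate ca.crt, issuer.crt and issuer.key under DIR, then export
# DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN and DAPR_CERT_KEY with their contents.
load_dapr_certs() {
  dir="$1"
  pem_has_block "$dir/ca.crt" "CERTIFICATE" \
    || { echo "ca.crt: no CERTIFICATE block" >&2; return 1; }
  pem_has_block "$dir/issuer.crt" "CERTIFICATE" \
    || { echo "issuer.crt: no CERTIFICATE block" >&2; return 1; }
  # Assumption: the issuer key is either an EC or a PKCS#8 PEM block.
  pem_has_block "$dir/issuer.key" "EC PRIVATE KEY" \
    || pem_has_block "$dir/issuer.key" "PRIVATE KEY" \
    || { echo "issuer.key: no PRIVATE KEY block" >&2; return 1; }
  DAPR_TRUST_ANCHORS="$(cat "$dir/ca.crt")";  export DAPR_TRUST_ANCHORS
  DAPR_CERT_CHAIN="$(cat "$dir/issuer.crt")"; export DAPR_CERT_CHAIN
  DAPR_CERT_KEY="$(cat "$dir/issuer.key")";   export DAPR_CERT_KEY
  return 0
}

# Usage (from the host, before starting the stack):
#   . ./load-dapr-certs.sh && load_dapr_certs "$CERT_DIR" && docker compose up
```

In the compose file the three entries under environment: are then written without a value (for example "- DAPR_TRUST_ANCHORS") so Compose copies them from the host shell.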