
I am trying to enable mTLS for securing sidecar-to-sidecar communication, but I am not sure how to set the environment variables DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN and DAPR_CERT_KEY from ca.crt, issuer.crt and issuer.key.

I am self-hosting the service using docker-compose. Below is my docker compose file.

docker-compose.yml:

version: "3.4"

services:

# Omitted for brevity

  camera-service:
    container_name: camera-service
    build:
      context: ./src
      dockerfile: Services/CameraService/CameraService.Api/Dockerfile
    ports:
      - "5103:80"
      - "50002:50001"
      - "9092:9090"
    networks:
      - custom_network
    extra_hosts:
      - "host.docker.internal:host-gateway"

  camera-dapr:
    image: "daprio/daprd:latest"
    container_name: camera-dapr
    environment:
      - DAPR_TRUST_ANCHORS="$(cat /certs/ca.crt)"
      - DAPR_CERT_CHAIN="$(cat /certs/issuer.crt)"
      - DAPR_CERT_KEY="$(cat /certs/issuer.key)"
      - NAMESPACE=as
    command: ["./daprd",
      "-app-id", "camera-service",
      "-app-port", "80",
      "-log-level", "debug",
      "-enable-api-logging",
      "-enable-mtls",
      "-sentry-address", "dapr-sentry:50005",
      "-components-path", "/components",
      "-config", "/config/asDemoM-config.yaml",
      ]
    volumes:
      - "./dapr/components/:/components"
      - "./dapr/config/:/config"
      - "./.dapr/certs/:/certs"
    depends_on:
      - camera-service
    network_mode: "service:camera-service"

  dapr-sentry:
    image: "daprio/sentry"
    container_name: dapr-sentry
    command: [
      "./sentry",
      "-config", "/config/asDemoM-config.yaml",
      "-issuer-credentials", "/certs",
      "-port", "50005",
      "-trust-domain", "localhost",
      "-log-level", "debug",
    ]
    volumes:
      - "./.dapr/certs/:/certs"
      - "./dapr/config/:/config"
    ports:
      - "50005:50005"
      - "9999:8080"
    networks:
      - custom_network

networks:
  custom_network:
    external: true
    name: as-microservices-docker-network

This throws the following error in the sidecar "camera-dapr": level=fatal msg="failed to decode trust anchors: no certificates found" app_id=camera-service instance=4a69a119fdf7 scope=dapr.runtime type=log ver=1.12.0

While setting the environment in service camera-dapr, the cat command doesn't execute and it sets the value as it is. So I tried setting the value directly like this:

- DAPR_TRUST_ANCHORS=-----BEGIN CERTIFICATE-----\n MIIBaTCCAQ+gAwIBAgIRAMkRAtH7QjjyjHY+zKX68MswCgYIKoZIzj0EAwIwFDES\n MBAGA1UEChMJbG9jYWxob3N0MB4XDTIzMTAyMzA5NDM0M1oXDTI0MTAyMjA5NTg0\n M1owFDESMBAGA1UEChMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n QgAEQeb4bTRx0t6N0daP3OX0atj0eVZkHGpPJp/zVN0vrDwm36wKD0qgERkk0iJD\n AtNqHPBMX/hTd5PUoOWzJw+9Z6NCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB\n /wQFMAMBAf8wHQYDVR0OBBYEFAbHS+mRS2P+kww2ykKplmLV/W0YMAoGCCqGSM49\n BAMCA0gAMEUCIQCbvRiBgPCwZKimxOvXcEx1MNl7xZNb4/iKzEmDr0JmkgIgAbPM\n Wonoc7xuWqu6F78b8AHuHWX4VzgmE3hBymU7q8g=\n -----END CERTIFICATE-----

But this also throws the same error.

I am referring to the official Dapr docs, though they don't include a complete sample for self-hosting with Docker: https://docs.dapr.io/operations/security/mtls/#self-hosted

I would be grateful if someone could share a reference to a working sample project or point out what I am doing wrong.

  • No, but I have asked the same in Dapr's discord channel (discord.com/channels/778680217417809931/780544855579295754). @Edmond Commented Dec 8, 2023 at 9:06
  • I found out the issue, you cannot set the environment variables like you have done. After you create the docker containers, investigate inside the container at the "Inspect" section (click on the container and it should be next to the Logs). You can create a .env file where you define the variable and have a script that reads the certificate file and writes to the .env variable DAPR_TRUST_ANCHORS. The result should be: DAPR_TRUST_ANCHORS="..." In the docker compose you can set the variable like this: environment: - DAPR_TRUST_ANCHORS=${DAPR_TRUST_ANCHORS} Commented Dec 8, 2023 at 9:14
  • DAPR_TRUST_ANCHORS can also be passed in docker-compose using - | like below: - |(linebreak) DAPR_TRUST_ANCHORS=-----BEGIN CERTIFICATE-----(linebreak) certificateValue(linebreak) -----END CERTIFICATE----- But I think hardcoding DAPR_TRUST_ANCHORS in docker-compose is insecure. So maybe using .env as you suggested is the way to go. Thanks. @Edmond Commented Dec 11, 2023 at 6:10
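The .env approach from the comments, written out as an added example script (not code from the question or from Dapr): it reads the three files Sentry issues (ca.crt, issuer.crt, issuer.key), refuses files that are not PEM blocks (an empty or wrong file is what produces "no certificates found"), and writes one quoted .env line per variable. It assumes Compose expands `\n` inside a double-quoted .env value, and that docker-compose.yml then passes the values through as `- DAPR_TRUST_ANCHORS=${DAPR_TRUST_ANCHORS}` (and likewise for the other two).

```shell
#!/bin/sh
# Added example: build a .env file carrying Dapr mTLS certificates for
# docker-compose. Usage (not executed here): write_env ./.dapr/certs ./.env
# Assumption: Compose's .env parser turns "\n" inside double quotes into a
# real newline, which is what daprd needs to decode the PEM blocks.
set -eu

# A PEM file must contain a BEGIN and an END marker line; anything else
# (empty file, JSON, a path pasted by mistake) is rejected before it
# reaches the sidecar.
check_pem() {  # check_pem FILE
  grep -q '^-----BEGIN ' "$1" && grep -q '^-----END ' "$1"
}

# Print VAR="<pem>" on one line, with each newline in the file replaced by
# the two characters backslash and n.
pem_to_env_line() {  # pem_to_env_line VAR FILE
  var=$1; file=$2
  check_pem "$file" || { echo "error: $file is not a PEM block" >&2; return 1; }
  # awk emits a literal "\n" before every line except the first.
  printf '%s="%s"\n' "$var" \
    "$(awk 'NR>1{printf "\\n"} {printf "%s", $0}' "$file")"
}

# Write all three Dapr variables into OUT_FILE from the certs in CERT_DIR.
write_env() {  # write_env CERT_DIR OUT_FILE
  dir=$1; out=$2
  {
    pem_to_env_line DAPR_TRUST_ANCHORS "$dir/ca.crt"
    pem_to_env_line DAPR_CERT_CHAIN    "$dir/issuer.crt"
    pem_to_env_line DAPR_CERT_KEY      "$dir/issuer.key"
  } > "$out"
  # The issuer private key is now in this file: owner-only permissions,
  # and it belongs in .gitignore next to the certs directory.
  chmod 600 "$out"
}
```

Check the result with `docker compose config` before starting the stack: the rendered environment for camera-dapr should show the PEM text with real line breaks, not a literal `$(cat ...)` string.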
