mTLS with dapr not working in self-hosted with docker

Asked by: Arjun Khunt  Asked: 10/25/2023  Updated: 10/25/2023  Views: 43

Q:

I am trying to use mTLS to secure sidecar-to-sidecar communication, but I am not sure how to set the environment variables DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN and DAPR_CERT_KEY from ca.crt, issuer.crt and issuer.key.

I am self-hosting the services with docker-compose. Below is my docker compose file.

docker-compose.yml:

version: "3.4"

services:

# Omitted for brevity

  camera-service:
    container_name: camera-service
    build:
      context: ./src
      dockerfile: Services/CameraService/CameraService.Api/Dockerfile
    ports:
      - "5103:80"
      - "50002:50001"
      - "9092:9090"
    networks:
      - custom_network
    extra_hosts:
      - "host.docker.internal:host-gateway"

  camera-dapr:
    image: "daprio/daprd:latest"
    container_name: camera-dapr
    environment:      
      - DAPR_TRUST_ANCHORS="$(cat /certs/ca.crt)"
      - DAPR_CERT_CHAIN="$(cat /certs/issuer.crt)"
      - DAPR_CERT_KEY="$(cat /certs/issuer.key)"
      - NAMESPACE=as
    command: ["./daprd",
      "-app-id", "camera-service",
      "-app-port", "80",
      "-log-level", "debug",
      "-enable-api-logging",
      "-enable-mtls",
      "-sentry-address", "dapr-sentry:50005",
      "-components-path", "/components",
      "-config", "/config/asDemoM-config.yaml",
      ]
    volumes:
      - "./dapr/components/:/components"
      - "./dapr/config/:/config"
      - "./.dapr/certs/:/certs"
    depends_on:
      - camera-service
    network_mode: "service:camera-service"

  dapr-sentry:
    image: "daprio/sentry"
    container_name: dapr-sentry
    command: [
      "./sentry",
      "-config", "/config/asDemoM-config.yaml",
      "-issuer-credentials", "/certs",
      "-port", "50005",
      "-trust-domain", "localhost",
      "-log-level", "debug",
    ]
    volumes:
      - "./.dapr/certs/:/certs"
      - "./dapr/config/:/config"
    ports:
      - "50005:50005"
      - "9999:8080"
    networks:
      - custom_network

networks:
  custom_network:
    external: true
    name: as-microservices-docker-network

This raises the following error in the "camera-dapr" sidecar: level=fatal msg="failed to decode trust anchors: certificate not found" app_id=camera-service instance=4a69a119fdf7 scope=dapr.runtime type=log ver=1.12.0

When the environment is set in the camera-dapr service, the cat command is not executed; the value is set literally. So I tried setting the value directly, like this:

- DAPR_TRUST_ANCHORS=-----BEGIN CERTIFICATE-----\n MIIBaTCCAQ+gAwIBAgIRAMkRAtH7QjjyjHY+zKX68MswCgYIKoZIzj0EAwIwFDES\n MBAGA1UEChMJbG9jYWxob3N0MB4XDTIzMTAyMzA5NDM0M1oXDTI0MTAyMjA5NTg0\n M1owFDESMBAGA1UEChMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n QgAEQeb4bTRx0t6N0daP3OX0atj0eVZkHGpPJp/zVN0vrDwm36wKD0qgERkk0iJD\n AtNqHPBMX/hTd5PUoOWzJw+9Z6NCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB\n /wQFMAMBAf8wHQYDVR0OBBYEFAbHS+mRS2P+kww2ykKplmLV/W0YMAoGCCqGSM49\n BAMCA0gAMEUCIQCbvRiBgPCwZKimxOvXcEx1MNl7xZNb4/iKzEmDr0JmkgIgAbPM\n Wonoc7xuWqu6F78b8AHuHWX4VzgmE3hBymU7q8g=\n -----END CERTIFICATE-----

But this raises the same error.

I was following the official dapr documentation, although it does not include a complete example for self-hosting with docker: https://docs.dapr.io/operations/security/mtls/#self-hosted

I would appreciate it if anyone could share a reference to a working example project or point out what I am doing wrong.

security docker-compose sentry mtls dapr

Comments


A: No answers yet
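As an added example (not from the question or the Dapr project): docker compose never evaluates the `$(cat ...)` in an `environment:` list, so the variable receives that literal string, which is why daprd cannot find a certificate in it. The documented self-hosted approach is to export the file contents in the shell before starting the stack; the POSIX sh script below validates the three PEM files first and then exports them. The directory layout (`<dir>/ca.crt`, `issuer.crt`, `issuer.key`) and the constructed placeholder files are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the Dapr project. Exports the
# three variables daprd reads from Sentry's issuer files, after checking
# that each file really is PEM, so a broken setup fails here instead of
# in the sidecar's startup log. Assumed layout: DIR/ca.crt, DIR/issuer.crt,
# DIR/issuer.key.

# Return 0 when FILE is readable and contains a PEM block of TYPE
# (e.g. CERTIFICATE), i.e. both its BEGIN and END markers.
pem_has_block() {
  file="$1"; type="$2"
  [ -r "$file" ] || return 1
  grep -q -e "-----BEGIN $type-----" "$file" || return 1
  grep -q -e "-----END $type-----" "$file"
}

# Validate the three files and export DAPR_TRUST_ANCHORS, DAPR_CERT_CHAIN,
# DAPR_CERT_KEY and NAMESPACE. Exports nothing and returns 1 on any defect.
load_dapr_certs() {
  dir="$1"
  pem_has_block "$dir/ca.crt" CERTIFICATE || { echo "ca.crt: not a PEM certificate" >&2; return 1; }
  pem_has_block "$dir/issuer.crt" CERTIFICATE || { echo "issuer.crt: not a PEM certificate" >&2; return 1; }
  # Sentry issues EC keys; accept the traditional or the PKCS#8 header.
  if ! pem_has_block "$dir/issuer.key" "EC PRIVATE KEY" &&
     ! pem_has_block "$dir/issuer.key" "PRIVATE KEY"; then
    echo "issuer.key: not a PEM private key" >&2; return 1
  fi
  # $(cat ...) drops the trailing newline; PEM decoding does not need it.
  DAPR_TRUST_ANCHORS=$(cat "$dir/ca.crt");  export DAPR_TRUST_ANCHORS
  DAPR_CERT_CHAIN=$(cat "$dir/issuer.crt"); export DAPR_CERT_CHAIN
  DAPR_CERT_KEY=$(cat "$dir/issuer.key");   export DAPR_CERT_KEY
  NAMESPACE="${NAMESPACE:-default}";         export NAMESPACE
}

# Write constructed placeholder PEM files (not real credentials) into DIR
# so the loader can be exercised without running Sentry.
write_constructed_certs() {
  dir="$1"; mkdir -p "$dir"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$dir/ca.crt"
  cp "$dir/ca.crt" "$dir/issuer.crt"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END EC PRIVATE KEY-----' > "$dir/issuer.key"
}
```

Source the script, run `load_dapr_certs ./.dapr/certs && docker compose up`, and in the compose file list the variables without a value (`- DAPR_TRUST_ANCHORS`, `- DAPR_CERT_CHAIN`, `- DAPR_CERT_KEY`, `- NAMESPACE`) so compose takes them from the exporting shell instead of a literal string.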