How-To: Install certificates in the Dapr sidecar

Configure the Dapr sidecar container to trust certificates

The Dapr sidecar can be configured to trust certificates for communicating with external services. This is useful in scenarios where a self-signed certificate needs to be trusted, such as:

  • Using an HTTP binding
  • Configuring an outbound proxy for the sidecar

Both certificate authority (CA) certificates and leaf certificates are supported.

You can make the following configurations when the sidecar is running as a container.

  1. Configure certificates to be available to the sidecar container using volume mounts.
  2. Point the environment variable SSL_CERT_DIR in the sidecar container to the directory containing the certificates.

Note: For Windows containers, make sure the container is running with administrator privileges so it can install the certificates.

The following example uses Docker Compose to install certificates (present locally in the ./certificates directory) in the sidecar container:

  1. version: '3'
  2. services:
  3. dapr-sidecar:
  4. image: "daprio/daprd:edge" # dapr version must be at least v1.8
  5. command: [
  6. "./daprd",
  7. "-app-id", "myapp",
  8. "-app-port", "3000",
  9. ]
  10. volumes:
  11. - "./components/:/components"
  12. - "./certificates:/certificates" # (STEP 1) Mount the certificates folder to the sidecar container
  13. environment:
  14. - "SSL_CERT_DIR=/certificates" # (STEP 2) Set the environment variable to the path of the certificates folder
  15. # Uncomment the line below for Windows containers
  16. # user: ContainerAdministrator

Note: When the sidecar is not running inside a container, certificates must be directly installed on the host operating system.

On Kubernetes:

  1. Configure certificates to be available to the sidecar container using a volume mount.
  2. Point the environment variable SSL_CERT_DIR in the sidecar container to the directory containing the certificates.

The following example YAML shows a deployment that:

  • Attaches a pod volume to the sidecar
  • Sets SSL_CERT_DIR to install the certificates
  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. name: myapp
  5. namespace: default
  6. labels:
  7. app: myapp
  8. spec:
  9. replicas: 1
  10. selector:
  11. matchLabels:
  12. app: myapp
  13. template:
  14. metadata:
  15. labels:
  16. app: myapp
  17. annotations:
  18. dapr.io/enabled: "true"
  19. dapr.io/app-id: "myapp"
  20. dapr.io/app-port: "8000"
  21. dapr.io/volume-mounts: "certificates-vol:/tmp/certificates" # (STEP 1) Mount the certificates folder to the sidecar container
  22. dapr.io/env: "SSL_CERT_DIR=/tmp/certificates" # (STEP 2) Set the environment variable to the path of the certificates folder
  23. spec:
  24. volumes:
  25. - name: certificates-vol
  26. hostPath:
  27. path: /certificates
  28. #...

Note: When using Windows containers, the sidecar container is started with admin privileges, which is required to install the certificates. This does not apply to Linux containers.

After following these steps, all the certificates in the directory pointed by SSL_CERT_DIR are installed.

Demo

Watch the demo on using installing SSL certificates and securely using the HTTP binding in community call 64:

Next steps

Enable preview features

Last modified October 11, 2024: Fixed typo (#4389) (fe17926)