Overview of Dapr configuration options

Information on Dapr configuration and how to set options for your application

Sidecar configuration

Setup sidecar configuration

Self-hosted sidecar

In self hosted mode the Dapr configuration is a configuration file, for example config.yaml. By default the Dapr sidecar looks in the default Dapr folder for the runtime configuration eg: $HOME/.dapr/config.yaml in Linux/MacOS and %USERPROFILE%\.dapr\config.yaml in Windows.

A Dapr sidecar can also apply a configuration by using a --config flag to the file path with dapr run CLI command.

Kubernetes sidecar

In Kubernetes mode the Dapr configuration is a Configuration CRD, that is applied to the cluster. For example:

  1. kubectl apply -f myappconfig.yaml

You can use the Dapr CLI to list the Configuration CRDs

  1. dapr configurations -k

A Dapr sidecar can apply a specific configuration by using a dapr.io/config annotation. For example:

  1. annotations:
  2. dapr.io/enabled: "true"
  3. dapr.io/app-id: "nodeapp"
  4. dapr.io/app-port: "3000"
  5. dapr.io/config: "myappconfig"

Note: There are more Kubernetes annotations available to configure the Dapr sidecar on activation by sidecar Injector system service.

Sidecar configuration settings

The following configuration settings can be applied to Dapr application sidecars:

Tracing

Tracing configuration turns on tracing for an application.

The tracing section under the Configuration spec contains the following properties:

  1. tracing:
  2. samplingRate: "1"
  3. otel:
  4. endpointAddress: "https://..."
  5. zipkin:
  6. endpointAddress: "http://zipkin.default.svc.cluster.local:9411/api/v2/spans"

The following table lists the properties for tracing:

PropertyTypeDescription
samplingRatestringSet sampling rate for tracing to be enabled or disabled.
stdoutboolTrue write more verbose information to the traces
otel.endpointAddressstringSet the Open Telemetry (OTEL) server address to send traces to
otel.isSecureboolIs the connection to the endpoint address encryped
otel.protocolstringSet to http or grpc protocol
zipkin.endpointAddressstringSet the Zipkin server address to send traces to

samplingRate is used to enable or disable the tracing. To disable the sampling rate , set samplingRate : "0" in the configuration. The valid range of samplingRate is between 0 and 1 inclusive. The sampling rate determines whether a trace span should be sampled or not based on value. samplingRate : "1" samples all traces. By default, the sampling rate is (0.0001) or 1 in 10,000 traces.

See Observability distributed tracing for more information

Metrics

The metrics section can be used to enable or disable metrics for an application.

The metrics section under the Configuration spec contains the following properties:

  1. metrics:
  2. enabled: true

The following table lists the properties for metrics:

PropertyTypeDescription
enabledbooleanWhether metrics should to be enabled.

See metrics documentation for more information

Middleware

Middleware configuration set named HTTP pipeline middleware handlers The httpPipeline and the appHttpPipeline section under the Configuration spec contains the following properties:

  1. httpPipeline: # for incoming http calls
  2. handlers:
  3. - name: oauth2
  4. type: middleware.http.oauth2
  5. - name: uppercase
  6. type: middleware.http.uppercase
  7. appHttpPipeline: # for outgoing http calls
  8. handlers:
  9. - name: oauth2
  10. type: middleware.http.oauth2
  11. - name: uppercase
  12. type: middleware.http.uppercase

The following table lists the properties for HTTP handlers:

PropertyTypeDescription
namestringName of the middleware component
typestringType of middleware component

See Middleware pipelines for more information

Scope secret store access

See the Scoping secrets guide for information and examples on how to scope secrets to an application.

Access Control allow lists for building block APIs

See the selectively enable Dapr APIs on the Dapr sidecar guide for information and examples on how to set ACLs on the building block APIs lists.

Access Control allow lists for service invocation API

See the Allow lists for service invocation guide for information and examples on how to set allow lists with ACLs which using service invocation API.

Disallow usage of certain component types

Using the components.deny property in the Configuration spec you can specify a denylist of component types that cannot be initialized.

For example, the configuration below disallows the initialization of components of type bindings.smtp and secretstores.local.file:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4. name: myappconfig
  5. spec:
  6. components:
  7. deny:
  8. - bindings.smtp
  9. - secretstores.local.file

You can optionally specify a version to disallow by adding it at the end of the component name. For example, state.in-memory/v1 disables initializing components of type state.in-memory and version v1, but does not disable a (hypothetical) v2 version of the component.

Note: One special note applies to the component type secretstores.kubernetes. When you add that component to the denylist, Dapr forbids the creation of additional components of type secretstores.kubernetes. However, it does not disable the built-in Kubernetes secret store, which is created by Dapr automatically and is used to store secrets specified in Components specs. If you want to disable the built-in Kubernetes secret store, you need to use the dapr.io/disable-builtin-k8s-secret-store annotation.

Turning on preview features

See the preview features guide for information and examples on how to opt-in to preview features for a release. Preview feature enable new capabilities to be added that still need more time until they become generally available (GA) in the runtime.

Example sidecar configuration

The following yaml shows an example configuration file that can be applied to an applications’ Dapr sidecar.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4. name: myappconfig
  5. namespace: default
  6. spec:
  7. tracing:
  8. samplingRate: "1"
  9. stdout: true
  10. otel:
  11. endpointAddress: "localhost:4317"
  12. isSecure: false
  13. protocol: "grpc"
  14. httpPipeline:
  15. handlers:
  16. - name: oauth2
  17. type: middleware.http.oauth2
  18. secrets:
  19. scopes:
  20. - storeName: localstore
  21. defaultAccess: allow
  22. deniedSecrets: ["redis-password"]
  23. components:
  24. deny:
  25. - bindings.smtp
  26. - secretstores.local.file
  27. accessControl:
  28. defaultAction: deny
  29. trustDomain: "public"
  30. policies:
  31. - appId: app1
  32. defaultAction: deny
  33. trustDomain: 'public'
  34. namespace: "default"
  35. operations:
  36. - name: /op1
  37. httpVerb: ['POST', 'GET']
  38. action: deny
  39. - name: /op2/*
  40. httpVerb: ["*"]
  41. action: allow

Control-plane configuration

There is a single configuration file called daprsystem installed with the Dapr control plane system services that applies global settings. This is only set up when Dapr is deployed to Kubernetes.

Control-plane configuration settings

A Dapr control plane configuration can configure the following settings:

PropertyTypeDescription
enabledboolSet mtls to be enabled or disabled
allowedClockSkewstringThe extra time to give for certificate expiry based on possible clock skew on a machine. Default is 15 minutes.
workloadCertTTLstringTime a certificate is valid for. Default is 24 hours

See the Mutual TLS HowTo and security concepts for more information.

Example control plane configuration

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4. name: default
  5. namespace: default
  6. spec:
  7. mtls:
  8. enabled: true
  9. allowedClockSkew: 15m
  10. workloadCertTTL: 24h

Last modified October 11, 2022: Update to observability docs for OTEL (#2876) (4d860db7)