Problem
In self-hosted mode, dapr init does not start the Sentry service. Users who
want mTLS and any feature that depends on it currently have to install or
build Sentry separately, generate or supply certs, set
DAPR_TRUST_ANCHORS / DAPR_CERT_CHAIN / DAPR_CERT_KEY env vars, and run
./sentry themselves before they can use the feature. See Setup & configure
mTLS certificates (self-hosted)
for the current manual steps.
This is friction for any feature that builds on the sidecar SPIFFE identity,
including:
Proposal
Add a first-class option to dapr init that brings up a local Sentry as
part of the standard self-hosted setup. Sketch:
dapr init --enable-mtls # opt-in flag
What it should do:
- Generate (or accept user-supplied) root/issuer certs into the standard
$HOME/.dapr/certs/ location.
- Start the Sentry service alongside the other Dapr self-hosted services
(Docker container or native binary, matching the rest of dapr init's
model).
- Write a default Dapr configuration with
spec.mtls.enabled: true so
dapr run picks it up without extra flags.
- Wire the trust-anchor / cert-chain / cert-key env vars so existing
sidecar launches work out of the box.
- Surface a clear status line ("Sentry running, mTLS enabled, trust domain
cluster.local") in dapr status / dapr init output.
Acceptance criteria
Out of scope
- Bring-your-own-CA flow (already supported via existing cert flags; this
issue is about the zero-config default).
- Kubernetes (
dapr init -k already installs Sentry).
Problem
In self-hosted mode,
dapr initdoes not start the Sentry service. Users whowant mTLS and any feature that depends on it currently have to install or
build Sentry separately, generate or supply certs, set
DAPR_TRUST_ANCHORS/DAPR_CERT_CHAIN/DAPR_CERT_KEYenv vars, and run./sentrythemselves before they can use the feature. See Setup & configuremTLS certificates (self-hosted)
for the current manual steps.
This is friction for any feature that builds on the sidecar SPIFFE identity,
including:
dapr/docs#5082)
else gated on workload identity in self-hosted mode
Proposal
Add a first-class option to
dapr initthat brings up a local Sentry aspart of the standard self-hosted setup. Sketch:
dapr init --enable-mtls # opt-in flag
What it should do:
$HOME/.dapr/certs/location.(Docker container or native binary, matching the rest of
dapr init'smodel).
spec.mtls.enabled: truesodapr runpicks it up without extra flags.sidecar launches work out of the box.
cluster.local") in
dapr status/dapr initoutput.Acceptance criteria
dapr init --enable-mtls(or equivalent flag) provisions certs, startsSentry, and produces a working mTLS-enabled self-hosted environment in
one command.
dapr runagainst that environment gets a valid SPIFFE SVID withoutadditional env-var plumbing from the user.
dapr uninstallcleans up Sentry alongside the other services.prerequisites, workflow access policy prerequisites.
Out of scope
issue is about the zero-config default).
dapr init -kalready installs Sentry).