From da332b69dede0ceb7733e071d5bffbefb165a996 Mon Sep 17 00:00:00 2001 From: vinayada1 <28875764+vinayada1@users.noreply.github.com> Date: Wed, 9 Dec 2020 14:35:26 -0800 Subject: [PATCH 1/7] update steps to run hello-world with ACL in selfhosted mode --- .../configuration/invoke-allowlist.md | 35 +++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index 773d6229f23..f89eed0b7fc 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md 
@@ -14,7 +14,7 @@ An access control policy is specified in configuration and be applied to Dapr si **TrustDomain** - A "trust domain" is a logical group to manage trust relationships. Every application is assigned a trust domain which can be specified in the access control list policy spec. If no policy spec is defined or an empty trust domain is specified, then a default value "public" is used. This trust domain is used to generate the identity of the application in the TLS cert. -**App Identity** - Dapr generates a [SPIFFE](https://spiffe.io/) id for all applications which is attached in the TLS cert. The SPIFFE id is of the format: `**spiffe://\/ns/\/\**`. For matching policies, the trust domain, namespace and app ID values of the calling app are extracted from the SPIFFE id in the TLS cert of the calling app. These values are matched against the trust domain, namespace and app ID values specified in the policy spec. If all three of these match, then more specific policies are further matched. +**App Identity** - Dapr requests the sentry service to generate a [SPIFFE](https://spiffe.io/) id for all applications and this id is attached in the TLS cert. The SPIFFE id is of the format: `**spiffe://\/ns/\/\**`. For matching policies, the trust domain, namespace and app ID values of the calling app are extracted from the SPIFFE id in the TLS cert of the calling app. These values are matched against the trust domain, namespace and app ID values specified in the policy spec. If all three of these match, then more specific policies are further matched. ## Configuration properties 
@@ -190,7 +190,8 @@ spec: ``` ## Hello world example -This scenario shows how to apply access control to the [hello world](https://github.com/dapr/quickstarts/blob/master/hello-world/README.md) or [hello kubernetes](https://github.com/dapr/quickstarts/blob/master/hello-world/README.md) samples where a python app invokes a node.js app. You can create and apply these configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) article. +### Kubernetes Mode +This scenario shows how to apply access control to the [hello kubernetes](https://github.com/dapr/quickstarts/blob/master/hello-world/README.md) samples where a python app invokes a node.js app. You can create and apply these configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) article. The nodeappconfig example below shows how to deny access to the `neworder` method from the `pythonapp`, where the python app is in the `myDomain` trust domain and `default` namespace. The nodeapp is in the `public` trust domain. 
@@ -261,3 +262,33 @@ spec: - name: python image: dapriosamples/hello-k8s-python:edge ``` + +### Self-hosted Mode + This feature relies on the sentry service to generate the TLS certificates with the SPIFFE id to work correctly. Therefore, to run this sample in self-hosted mode, we need to use the steps below to setup the sentry service and enable mTLS. Note, the ACL policies are the same as defined in nodeappconfig.yaml and pythonappconfig.yaml defined above: + 1. Follow steps to [run the sentry service in self-hosted mode](../security/mtls.md). + 2. Set environment variables and run daprd for node app with mTLS enabled and point to the local sentry service using the commands: + ``` +export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` +export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` +export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` +export NAMESPACE=default + +daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level debug --app-port 3000 --enable-mtls --sentry-address localhost:50001 --config nodeappconfig.yaml + ``` + 3. Run the node app in a separate window: + ``` + node app.js + ``` + 4. Set environment variables and run daprd for python app with mTLS enabled and point to the local sentry service using the commands: + ``` +export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` +export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` +export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` +export NAMESPACE=default + + daprd --app-id pythonapp --dapr-grpc-port 50003 --metrics-port 9092 --log-level debug --enable-mtls --sentry-address localhost:50001 --config pythonappconfig.yaml + ``` +5. Run the python app in a separate window: +``` +python app.py +``` From 143f0302b3e61af633bfedf58c23860f79551460 Mon Sep 17 00:00:00 2001 
From: vinayada1 <28875764+vinayada1@users.noreply.github.com> Date: Wed, 9 Dec 2020 15:13:15 -0800 Subject: [PATCH 2/7] fix review comments --- .../content/en/operations/configuration/invoke-allowlist.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index f89eed0b7fc..8250bf57335 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md @@ -191,7 +191,7 @@ spec: ## Hello world example ### Kubernetes Mode -This scenario shows how to apply access control to the [hello kubernetes](https://github.com/dapr/quickstarts/blob/master/hello-world/README.md) samples where a python app invokes a node.js app. You can create and apply these configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) article. +This scenario shows how to apply access control to the [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-kubernetes/README.md) samples where a python app invokes a node.js app. You can create and apply these configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) article. The nodeappconfig example below shows how to deny access to the `neworder` method from the `pythonapp`, where the python app is in the `myDomain` trust domain and `default` namespace. The nodeapp is in the `public` trust domain. 
@@ -264,7 +264,7 @@ spec: ``` ### Self-hosted Mode - This feature relies on the sentry service to generate the TLS certificates with the SPIFFE id to work correctly. Therefore, to run this sample in self-hosted mode, we need to use the steps below to setup the sentry service and enable mTLS. Note, the ACL policies are the same as defined in nodeappconfig.yaml and pythonappconfig.yaml defined above: + This feature relies on the sentry service to generate the TLS certificates with the SPIFFE id to work correctly. Therefore, to run this [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-world/README.md) in self-hosted mode, we need to use the steps below to setup the sentry service and enable mTLS. Note, the ACL policies are the same as defined in nodeappconfig.yaml and pythonappconfig.yaml defined above: 1. Follow steps to [run the sentry service in self-hosted mode](../security/mtls.md). 2. Set environment variables and run daprd for node app with mTLS enabled and point to the local sentry service using the commands: ``` From d5f6acf07a88bb3d8756fa36ea35b36eb48cfe1b Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Wed, 9 Dec 2020 22:04:47 -0800 Subject: [PATCH 3/7] Update invoke-allowlist.md --- .../configuration/invoke-allowlist.md | 111 ++++++++++++------ 1 file changed, 76 insertions(+), 35 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index 8250bf57335..1745980e271 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md 
@@ -189,11 +189,11 @@ spec: namespace: "ns2" ``` -## Hello world example -### Kubernetes Mode -This scenario shows how to apply access control to the [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-kubernetes/README.md) samples where a python app invokes a node.js app. You can create and apply these configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) article. +## Hello world examples +These examples show how to apply access control to the [hello world](https://github.com/dapr/quickstarts#quickstarts) quickstart samples where a python app invokes a node.js app. +Access control lists rely on the Dapr [Sentry service]({{< ref "security-concept.md" >}}) to generate the TLS certificates with a SPIFFE id for authentication, which means the Sentry service either has to be running locally or deployed to your hosting enviroment such as a Kubernetes cluster. -The nodeappconfig example below shows how to deny access to the `neworder` method from the `pythonapp`, where the python app is in the `myDomain` trust domain and `default` namespace. The nodeapp is in the `public` trust domain. +The nodeappconfig example below shows how to **deny** access to the `neworder` method from the `pythonapp`, where the python app is in the `myDomain` trust domain and `default` namespace. The nodeapp is in the `public` trust domain. **nodeappconfig.yaml** 
@@ -234,7 +234,78 @@ spec: trustDomain: "myDomain" ``` -For example, this is how the pythonapp is deployed to Kubernetes in the default namespace with this configuration file. +### Self-hosted mode +This example uses the [hello world](https://github.com/dapr/quickstarts/tree/master/hello-world/README.md) quickstart. + +The following steps run the Sentry service locally with mTLS enabled, set up necessary environment variables to access certificates, and then launch both the node app and python app each referencing the Sentry service to apply the ACLs. + + 1. Follow these steps to run the [Sentry service in self-hosted mode]({{< ref "mtls.md" >}}) with mTLS enabled. + 2. In a command prompt, set these environment variables +{{< tabs Linux Windows>}} + +{{% codetab %}} +```bash +export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` +export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` +export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` +export NAMESPACE=default + ``` +{{% /codetab %}} + +{{% codetab %}} +```powershell +set DAPR_TRUST_ANCHORS=`` +set DAPR_CERT_CHAIN=`` +set DAPR_CERT_KEY=`` +set NAMESPACE=default +``` +{{% /codetab %}} + +3. Run daprd to launch a Dapr sidecar for the node.js app with mTLS enabled, referencing the local Sentry service. +``` +daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level debug --app-port 3000 --enable-mtls --sentry-address localhost:50001 --config nodeappconfig.yaml + ``` +4. Run the node app in a separate command prompt. + ``` + node app.js +``` +5. In another command prompt, set these environment variables. 
+{{< tabs Linux Windows>}} + +{{% codetab %}} +```bash +export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` +export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` +export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` +export NAMESPACE=default + ``` +{{% /codetab %}} + +{{% codetab %}} +```powershell +set DAPR_TRUST_ANCHORS=`` +set DAPR_CERT_CHAIN=`` +set DAPR_CERT_KEY=`` +set NAMESPACE=default +``` +{{% /codetab %}} +6. Run daprd to launch a Dapr sidecar for the python app with mTLS enabled, referencing the local Sentry service. + ``` + daprd --app-id pythonapp --dapr-grpc-port 50003 --metrics-port 9092 --log-level debug --enable-mtls --sentry-address localhost:50001 --config pythonappconfig.yaml + ``` +7. Run the python app in a separate command prompt. +``` +python app.py +``` +8. You should see the calls to the node app fail in the python app command prompt based due to the **deny** operation action in the nodeappconfig file. Change this to action to **allow** and re-run the apps and you should then see this call succeed. + +### Kubernetes mode +This example uses the [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-kubernetes/README.md) quickstart. + +You can create and apply the above configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) to the Kubernetes deployments. + +For example, below is how the pythonapp is deployed to Kubernetes in the default namespace with this pythonappconfig configuration file. +Do the same for the nodeapp deployment and then look at the logs for the pythonapp to see the calls fail due to the **deny** operation action set in the nodeappconfig file. Change this to action to **allow** and re-deploy the apps and you should then see this call succeed. ```yaml apiVersion: apps/v1 
@@ -262,33 +333,3 @@ spec: - name: python image: dapriosamples/hello-k8s-python:edge ``` - -### Self-hosted Mode - This feature relies on the sentry service to generate the TLS certificates with the SPIFFE id to work correctly. Therefore, to run this [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-world/README.md) in self-hosted mode, we need to use the steps below to setup the sentry service and enable mTLS. Note, the ACL policies are the same as defined in nodeappconfig.yaml and pythonappconfig.yaml defined above: - 1. Follow steps to [run the sentry service in self-hosted mode](../security/mtls.md). - 2. Set environment variables and run daprd for node app with mTLS enabled and point to the local sentry service using the commands: - ``` -export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` -export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` -export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` -export NAMESPACE=default - -daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level debug --app-port 3000 --enable-mtls --sentry-address localhost:50001 --config nodeappconfig.yaml - ``` - 3. Run the node app in a separate window: - ``` - node app.js - ``` - 4. Set environment variables and run daprd for python app with mTLS enabled and point to the local sentry service using the commands: - ``` -export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` -export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` -export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` -export NAMESPACE=default - - daprd --app-id pythonapp --dapr-grpc-port 50003 --metrics-port 9092 --log-level debug --enable-mtls --sentry-address localhost:50001 --config pythonappconfig.yaml - ``` -5. Run the python app in a separate window: -``` -python app.py -``` From 67856ad8de7c80f0d03ac0bb27454802b605d79e Mon Sep 17 00:00:00 2001 
From: Mark Fussell Date: Wed, 9 Dec 2020 22:15:56 -0800 Subject: [PATCH 4/7] Update invoke-allowlist.md --- .../content/en/operations/configuration/invoke-allowlist.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index 1745980e271..a3f8f0bf960 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md @@ -241,7 +241,7 @@ The following steps run the Sentry service locally with mTLS enabled, set up nec 1. Follow these steps to run the [Sentry service in self-hosted mode]({{< ref "mtls.md" >}}) with mTLS enabled. 2. In a command prompt, set these environment variables -{{< tabs Linux Windows>}} +{{< tabs Linux/MacOS Windows>}} {{% codetab %}} ```bash @@ -270,7 +270,7 @@ daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level d node app.js ``` 5. In another command prompt, set these environment variables. -{{< tabs Linux Windows>}} +{{< tabs Linux/MacOS Windows>}} {{% codetab %}} ```bash From 907ced7b9c19cb1b0ac2f4d641e3116a43658b7f Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Thu, 10 Dec 2020 09:10:40 -0800 Subject: [PATCH 5/7] Fix codetab formatting issues on rendered website --- .../configuration/invoke-allowlist.md | 133 ++++++++++-------- 1 file changed, 76 insertions(+), 57 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index a3f8f0bf960..8f4233ba01c 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md 
@@ -239,67 +239,86 @@ This example uses the [hello world](https://github.com/dapr/quickstarts/tree/mas The following steps run the Sentry service locally with mTLS enabled, set up necessary environment variables to access certificates, and then launch both the node app and python app each referencing the Sentry service to apply the ACLs. - 1. Follow these steps to run the [Sentry service in self-hosted mode]({{< ref "mtls.md" >}}) with mTLS enabled. - 2. In a command prompt, set these environment variables -{{< tabs Linux/MacOS Windows>}} - -{{% codetab %}} -```bash -export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` -export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` -export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` -export NAMESPACE=default - ``` -{{% /codetab %}} - -{{% codetab %}} -```powershell -set DAPR_TRUST_ANCHORS=`` -set DAPR_CERT_CHAIN=`` -set DAPR_CERT_KEY=`` -set NAMESPACE=default -``` -{{% /codetab %}} + 1. Follow these steps to run the [Sentry service in self-hosted mode]({{< ref "mtls.md" >}}) with mTLS enabled + + 2. In a command prompt, set these environment variables: + + {{< tabs "Linux/MacOS" Windows >}} + + {{% codetab %}} + ```bash + export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` + export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` + export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` + export NAMESPACE=default + ``` + + {{% /codetab %}} + + {{% codetab %}} + ```powershell + set DAPR_TRUST_ANCHORS=`` + set DAPR_CERT_CHAIN=`` + set DAPR_CERT_KEY=`` + set NAMESPACE=default + ``` + + {{% /codetab %}} + + {{< /tabs >}} -3. Run daprd to launch a Dapr sidecar for the node.js app with mTLS enabled, referencing the local Sentry service. -``` -daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level debug --app-port 3000 --enable-mtls --sentry-address localhost:50001 --config nodeappconfig.yaml - ``` -4. Run the node app in a separate command prompt. - ``` - node app.js -``` -5. 
In another command prompt, set these environment variables. -{{< tabs Linux/MacOS Windows>}} - -{{% codetab %}} -```bash -export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` -export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` -export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` -export NAMESPACE=default - ``` -{{% /codetab %}} - -{{% codetab %}} -```powershell -set DAPR_TRUST_ANCHORS=`` -set DAPR_CERT_CHAIN=`` -set DAPR_CERT_KEY=`` -set NAMESPACE=default -``` -{{% /codetab %}} -6. Run daprd to launch a Dapr sidecar for the python app with mTLS enabled, referencing the local Sentry service. - ``` - daprd --app-id pythonapp --dapr-grpc-port 50003 --metrics-port 9092 --log-level debug --enable-mtls --sentry-address localhost:50001 --config pythonappconfig.yaml - ``` -7. Run the python app in a separate command prompt. -``` -python app.py -``` +3. Run daprd to launch a Dapr sidecar for the node.js app with mTLS enabled, referencing the local Sentry service: + + ```bash + daprd --app-id nodeapp --dapr-grpc-port 50002 -dapr-http-port 3501 --log-level debug --app-port 3000 --enable-mtls --sentry-address localhost:50001 --config nodeappconfig.yaml + ``` + +4. Run the node app in a separate command prompt: + + ```bash + node app.js + ``` + +5. In another command prompt, set these environment variables: + + {{< tabs "Linux/MacOS" Windows >}} + + {{% codetab %}} + ```bash + export DAPR_TRUST_ANCHORS=`cat $HOME/.dapr/certs/ca.crt` + export DAPR_CERT_CHAIN=`cat $HOME/.dapr/certs/issuer.crt` + export DAPR_CERT_KEY=`cat $HOME/.dapr/certs/issuer.key` + export NAMESPACE=default + ``` + {{% /codetab %}} + + {{% codetab %}} + ```powershell + set DAPR_TRUST_ANCHORS=`` + set DAPR_CERT_CHAIN=`` + set DAPR_CERT_KEY=`` + set NAMESPACE=default + ``` + {{% /codetab %}} + + {{< /tabs >}} + +6. 
Run daprd to launch a Dapr sidecar for the python app with mTLS enabled, referencing the local Sentry service: + + ```bash + daprd --app-id pythonapp --dapr-grpc-port 50003 --metrics-port 9092 --log-level debug --enable-mtls --sentry-address localhost:50001 --config pythonappconfig.yaml + ``` + +7. Run the python app in a separate command prompt: + + ```bash + python app.py + ``` + 8. You should see the calls to the node app fail in the python app command prompt based due to the **deny** operation action in the nodeappconfig file. Change this to action to **allow** and re-run the apps and you should then see this call succeed. ### Kubernetes mode + This example uses the [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-kubernetes/README.md) quickstart. You can create and apply the above configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) to the Kubernetes deployments. From 89e83dd2349e243be2d43930fa74c6a7b4266bc9 Mon Sep 17 00:00:00 2001 From: vinayada1 <28875764+vinayada1@users.noreply.github.com> Date: Fri, 11 Dec 2020 15:32:07 -0800 Subject: [PATCH 6/7] add ps commands --- .../configuration/invoke-allowlist.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index 8f4233ba01c..a622fed2e3d 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md 
@@ -254,14 +254,14 @@ The following steps run the Sentry service locally with mTLS enabled, set up nec ``` {{% /codetab %}} - - {{% codetab %}} - ```powershell - set DAPR_TRUST_ANCHORS=`` - set DAPR_CERT_CHAIN=`` - set DAPR_CERT_KEY=`` - set NAMESPACE=default - ``` + + {{% codetab %}} + ```powershell + $env:DAPR_TRUST_ANCHORS=$(Get-Content $env:USERPROFILE\.dapr\certs\ca.crt) + $env:DAPR_CERT_CHAIN=$(Get-Content $env:USERPROFILE\.dapr\certs\issuer.crt) + $env:DAPR_CERT_KEY=$(Get-Content $env:USERPROFILE\.dapr\certs\issuer.key) + $env:NAMESPACE="default" + ``` {{% /codetab %}} @@ -294,10 +294,10 @@ The following steps run the Sentry service locally with mTLS enabled, set up nec {{% codetab %}} ```powershell - set DAPR_TRUST_ANCHORS=`` - set DAPR_CERT_CHAIN=`` - set DAPR_CERT_KEY=`` - set NAMESPACE=default + $env:DAPR_TRUST_ANCHORS=$(Get-Content $env:USERPROFILE\.dapr\certs\ca.crt) + $env:DAPR_CERT_CHAIN=$(Get-Content $env:USERPROFILE\.dapr\certs\issuer.crt) + $env:DAPR_CERT_KEY=$(Get-Content $env:USERPROFILE\.dapr\certs\issuer.key) + $env:NAMESPACE="default" ``` {{% /codetab %}} From 0f84df301ee31269854e2782ce40c5c64956b5e0 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 11 Dec 2020 16:52:42 -0800 Subject: [PATCH 7/7] Update invoke-allowlist.md --- .../content/en/operations/configuration/invoke-allowlist.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/operations/configuration/invoke-allowlist.md b/daprdocs/content/en/operations/configuration/invoke-allowlist.md index a622fed2e3d..4c2fdfae556 100644 --- a/daprdocs/content/en/operations/configuration/invoke-allowlist.md +++ b/daprdocs/content/en/operations/configuration/invoke-allowlist.md 
@@ -315,16 +315,15 @@ The following steps run the Sentry service locally with mTLS enabled, set up nec python app.py ``` -8. You should see the calls to the node app fail in the python app command prompt based due to the **deny** operation action in the nodeappconfig file. Change this to action to **allow** and re-run the apps and you should then see this call succeed. +8. You should see the calls to the node app fail in the python app command prompt based due to the **deny** operation action in the nodeappconfig file. Change this action to **allow** and re-run the apps and you should then see this call succeed. ### Kubernetes mode - This example uses the [hello kubernetes](https://github.com/dapr/quickstarts/tree/master/hello-kubernetes/README.md) quickstart. You can create and apply the above configuration files `nodeappconfig.yaml` and `pythonappconfig.yaml` as described in the [configuration]({{< ref "configuration-concept.md" >}}) to the Kubernetes deployments. For example, below is how the pythonapp is deployed to Kubernetes in the default namespace with this pythonappconfig configuration file. -Do the same for the nodeapp deployment and then look at the logs for the pythonapp to see the calls fail due to the **deny** operation action set in the nodeappconfig file. Change this to action to **allow** and re-deploy the apps and you should then see this call succeed. +Do the same for the nodeapp deployment and then look at the logs for the pythonapp to see the calls fail due to the **deny** operation action set in the nodeappconfig file. Change this action to **allow** and re-deploy the apps and you should then see this call succeed. ```yaml apiVersion: apps/v1
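Review bot: In PATCH 1/7, hunk `@@ -190,7 +190,8 @@`, the new "Kubernetes Mode" paragraph labels its link "hello kubernetes" but the URL still ends in `hello-world/README.md`, so a reader following it lands on the self-hosted quickstart. Point the link at the hello-kubernetes README in this same hunk rather than leaving it for a follow-up commit.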
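Review bot: In PATCH 1/7, hunk `@@ -261,3 +262,33 @@`, steps 2 and 4 load the issuer private key into the shell environment with `export DAPR_CERT_KEY=` followed by a `cat` of `issuer.key`, and the text does not say this is a local test setup. Every process started from that shell inherits the key, so add a sentence saying these variables are for running the sample locally, and suggest unsetting them or closing the shell once the sidecars are stopped.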
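Review bot: In PATCH 2/7, hunk `@@ -264,7 +264,7 @@`, the added link in the "Self-hosted Mode" paragraph has the label "hello kubernetes" but targets `hello-world/README.md`. The URL is the right one for self-hosted mode, so the label is what needs changing, to "hello world". The sentence also reads "to run this hello kubernetes in self-hosted mode" with no noun after the link; add "quickstart" or "sample".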
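Review bot: In PATCH 3/7, hunk `@@ -189,11 +189,11 @@`, "hosting enviroment" in the new Sentry service sentence is misspelled; it should be "hosting environment". The same sentence would read better split in two, ending the first after "for authentication".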
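Review bot: In PATCH 3/7, hunk `@@ -234,7 +234,78 @@`, the Windows tab in steps 2 and 5 cannot be used as written: the block is fenced as `powershell` but uses the cmd-style `set` command, and each certificate variable is assigned an empty pair of backticks instead of the certificate contents. Either supply working PowerShell that reads the three files under the user's `.dapr\certs` directory or drop the Windows tab until it is ready. Both `{{< tabs ... >}}` shortcodes in this hunk are also never closed with `{{< /tabs >}}` before the next list item begins.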
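Review bot: In PATCH 5/7, hunk `@@ -239,67 +239,86 @@`, step 3 carries over `-dapr-http-port 3501` with a single leading dash while every other flag on the same `daprd` line uses two (`--dapr-grpc-port`, `--app-port`, `--enable-mtls`). Since this commit is already reformatting the command blocks, change it to `--dapr-http-port 3501` so the line is consistent and copy-paste safe.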
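Review bot: In PATCH 6/7, both hunks, `Get-Content` is called without `-Raw`, so PowerShell returns one string per line and the assignment to `$env:DAPR_TRUST_ANCHORS`, `$env:DAPR_CERT_CHAIN` and `$env:DAPR_CERT_KEY` joins those lines with spaces. The PEM line breaks that the bash tab preserves are lost on Windows. Use `Get-Content -Raw` for the three certificate files, and quote the path in case `$env:USERPROFILE` contains a space.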
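Review bot: In PATCH 7/7, hunk `@@ -315,16 +315,15 @@`, step 8 still reads "fail in the python app command prompt based due to the **deny** operation action" after the wording fix; "based" is a leftover word and should be removed. The step would also be easier to verify if it stated what the failure looks like in the python app output, since the reader is being asked to confirm that the ACL took effect.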