docs: Sentry Ed25519 workload identity keys #5181
Open
nelson-parente wants to merge 2 commits into
Sentry switched workload X.509 certificate key generation from ECDSA P-256 to Ed25519 in Dapr 1.18 (dapr/dapr#9598).

Changes:
- concepts/security-concept.md: add 'Workload identity key algorithm' subsection under 'Secure Dapr to Dapr communication'. Covers what changed (default: Ed25519 for workload/CA certs, RSA for injector/operator webhook serving certs, RSA-2048 for JWT/OIDC unchanged), why (smaller keys/sigs, faster ops, cleaner curve design), mixed-version rolling-upgrade compatibility, FIPS callout (Ed25519 is not FIPS-140 approved; BYO-CA path is the workaround), and downgrade floor alert (1.17.7). Also updates the stale 'ECDSA private key' sentence in the same section.
- operations/security/mtls.md: add 'Workload identity key algorithm' section at the top pointing to the concept page. Adds a BYO-CA note explaining that the supplied issuer key algorithm is what Sentry uses. Updates the stale 'ECDSA PEM encoded' in the self-hosted BYO-certs prose. Adds an inline note on the Kubernetes openssl example clarifying that RSA keys are also accepted (relevant for FIPS environments).

Related: dapr/dapr#9873 (injector/operator RSA webhook certs — tracked separately as gap R5).

Targets v1.18.

Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>
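The description above makes two claims worth seeing in code: with BYO-CA the workload key follows whatever algorithm the supplied issuer key has, and an Ed25519 workload certificate is a problem in a FIPS environment while an RSA or ECDSA P-256 one is not. The following Go program is an added example written for this page; it is not Sentry's code or any part of the PR. It builds a self-signed CA for a chosen algorithm, issues a short-lived leaf whose key mirrors the CA's algorithm, verifies the chain, and classifies the leaf for FIPS. The function names (`newKey`, `mint`, `roundTrip`), the CA subject and the SPIFFE-style URI SAN are constructed for illustration; Dapr's real trust domain and path layout may differ.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newKey generates an issuer or workload key: Ed25519 (Sentry's 1.18 default),
// ECDSA P-256 (the pre-1.18 default) or RSA-2048 (what a FIPS deployment supplies via BYO-CA).
func newKey(alg x509.PublicKeyAlgorithm) (crypto.Signer, error) {
	switch alg {
	case x509.Ed25519:
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	case x509.ECDSA:
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case x509.RSA:
		return rsa.GenerateKey(rand.Reader, 2048)
	}
	return nil, fmt.Errorf("unsupported key algorithm %v", alg)
}

// mint signs tmpl with signer under parent and parses the resulting DER.
func mint(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSignedCA builds a root certificate for the supplied issuer key.
func selfSignedCA(key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mint(tmpl, tmpl, key.Public(), key)
}

// issueWorkloadCert mints a short-lived leaf whose key uses the same algorithm as the
// issuer certificate's key: the BYO-CA behaviour the PR describes, re-implemented as an illustration.
func issueWorkloadCert(ca *x509.Certificate, caKey crypto.Signer, id *url.URL) (*x509.Certificate, crypto.Signer, error) {
	leafKey, err := newKey(ca.PublicKeyAlgorithm)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{id}, // SPIFFE ID carried as a URI SAN
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf, err := mint(tmpl, ca, leafKey.Public(), caKey)
	return leaf, leafKey, err
}

// fipsAcceptable rejects Ed25519 leaves, which the PR notes are not FIPS 140 approved.
func fipsAcceptable(c *x509.Certificate) bool { return c.PublicKeyAlgorithm == x509.RSA || c.PublicKeyAlgorithm == x509.ECDSA }

// roundTrip builds a CA of the given algorithm, issues a workload cert from it,
// verifies the chain and reports the leaf key algorithm plus its FIPS status.
func roundTrip(alg x509.PublicKeyAlgorithm) (x509.PublicKeyAlgorithm, bool, error) {
	caKey, err := newKey(alg)
	if err != nil {
		return 0, false, err
	}
	ca, err := selfSignedCA(caKey)
	if err != nil {
		return 0, false, err
	}
	id := &url.URL{Scheme: "spiffe", Host: "public", Path: "/ns/default/myapp"} // constructed ID
	leaf, _, err := issueWorkloadCert(ca, caKey, id)
	if err != nil {
		return 0, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return leaf.PublicKeyAlgorithm, fipsAcceptable(leaf), err
}

func main() {
	for _, alg := range []x509.PublicKeyAlgorithm{x509.Ed25519, x509.ECDSA, x509.RSA} {
		got, fips, err := roundTrip(alg)
		fmt.Printf("issuer=%v leaf=%v fips_ok=%v err=%v\n", alg, got, fips, err)
	}
}
```

Running it prints one line per issuer algorithm; the leaf algorithm always equals the issuer algorithm, and only the Ed25519 run reports `fips_ok=false`. The same check (`PublicKeyAlgorithm` of the parsed leaf) is what an operator would apply to a real sidecar certificate to confirm which key type Sentry issued after an upgrade or after supplying their own issuer key.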
Summary

Files touched
- daprdocs/content/en/concepts/security-concept.md
- daprdocs/content/en/operations/security/mtls.md

Test plan
- hugo serve locally.
- {{% ref "security-concept.md#workload-identity-key-algorithm" %}} anchor link resolves.
- {{% ref "mtls#bringing-your-own-certificates" %}} link resolves.
- htmltest or equivalent passes.

Related
Targets v1.18. Draft pending review.