[v1.16] docs: Sentry Ed25519 workload identity keys#5188
Merged
Conversation
* sentry: document Ed25519 default workload identity keys

Sentry switched workload X.509 certificate key generation from ECDSA P-256 to Ed25519 in Dapr 1.18 (dapr/dapr#9598).

Changes:

- concepts/security-concept.md: add 'Workload identity key algorithm' subsection under 'Secure Dapr to Dapr communication'. Covers what changed (default: Ed25519 for workload/CA certs, RSA for injector/operator webhook serving certs, RSA-2048 for JWT/OIDC unchanged), why (smaller keys/sigs, faster ops, cleaner curve design), mixed-version rolling-upgrade compatibility, FIPS callout (Ed25519 is not FIPS-140 approved; BYO-CA path is the workaround), and downgrade floor alert (1.17.7). Also updates stale 'ECDSA private key' sentence in the same section.
- operations/security/mtls.md: add 'Workload identity key algorithm' section at the top pointing to the concept page. Adds BYO-CA note explaining that supplied issuer key algorithm is what Sentry uses. Updates stale 'ECDSA PEM encoded' in self-hosted BYO-certs prose. Adds inline note on the Kubernetes openssl example clarifying that RSA keys are also accepted (relevant for FIPS environments).

Related: dapr/dapr#9873 (injector/operator RSA webhook certs — tracked separately as gap R5).

Targets v1.18.

Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>

* sentry: tighten Ed25519 workload identity docs (review pass)

Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>

---------

Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>
Co-authored-by: Mark Fussell <markfussell@gmail.com>
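As an added example (not code from this PR or from the Dapr project), a small Go check that reports which public-key algorithm each certificate in a PEM bundle uses, so an operator can confirm what Sentry is issuing after a 1.18 rollout or a rollback to the 1.17.7 floor. The names keyAlgorithms and demoBundle are mine, and the certificates in demoBundle are constructed throwaway test data, not Dapr-issued ones.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyAlgorithms names the public-key algorithm of each certificate in a PEM bundle (e.g. a trust bundle), in order.
func keyAlgorithms(bundle []byte) ([]string, error) {
	var out []string
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		name := cert.PublicKeyAlgorithm.String() // "Ed25519", "ECDSA", "RSA"
		switch pub := cert.PublicKey.(type) {
		case *ecdsa.PublicKey:
			name += " " + pub.Curve.Params().Name // pre-1.18 default: "ECDSA P-256"
		case *rsa.PublicKey:
			name += fmt.Sprintf("-%d", pub.N.BitLen()) // BYO-CA / FIPS path, e.g. "RSA-2048"
		}
		out = append(out, name)
	}
	return out, nil
}

func demoBundle() (bundle []byte) { // constructed test bundle: one throwaway self-signed cert per algorithm
	_, edKey, _ := ed25519.GenerateKey(rand.Reader)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, key := range []crypto.Signer{edKey, ecKey, rsaKey} {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return
}
```

Run keyAlgorithms over the PEM that Sentry hands out (or the issuer bundle you supply for BYO-CA) to see "Ed25519", "ECDSA P-256" or "RSA-2048" per certificate.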
Azure Static Web Apps: Your stage site is ready! Visit it here: https://salmon-mud-01247fe1e-5188.westus2.7.azurestaticapps.net
JoshVanL approved these changes May 25, 2026
Backport of #5181 to the v1.16 docs branch.
Even though Ed25519 workload keys are a Dapr 1.18 change, the docs are duplicated on v1.16 so users reading the v1.16 site see the same upgrade/downgrade guidance — specifically the 1.17.7 floor needed to read Ed25519 trust bundles after a 1.18 rollout/rollback.
Files touched

- daprdocs/content/en/concepts/security-concept.md
- daprdocs/content/en/operations/security/mtls.md

Cherry-picked cleanly from bfc7a27 (the v1.18 squash-merge of #5181) — same 2 files, +43/-2.

Test plan

- {{% ref "security-concept.md#workload-identity-key-algorithm" %}} resolves on v1.16.
- {{% ref "mtls#bringing-your-own-certificates" %}} resolves.

Related