Dapr 1.11.5
Important: Users who rely on gRPC-to-gRPC service invocation (legacy, non proxy-based) are encouraged to upgrade to Dapr 1.11.5 before upgrading existing deployments to 1.12.x, to prevent temporary issues during a rollout of Dapr 1.12.x.
This update contains the following security fixes:
- Security: prevent Sentry and Injector from applying the
daprsystem
Configuration from a non control plane namespace.
Additionally, this patch release contains bug fixes:
- Fixed gRPC-to-gRPC service invocation when the
ServiceInvocationStreaming
feature is enabled. - Fixed invoke remote stream from closing stream before EOF
- Fixed failures downgrading from 1.12.x to 1.11.x
- Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
Security: Sentry and Injector only apply daprsystem
Configuration from the control plane namespace
Problem
Sentry and Injector will apply the daprsystem
configuration from a non-control plane namespace if the namespace name is alphabetically higher than the control plane namespace name.
Impact
Accidentally or maliciously, a Kubernetes user can write a Configuration in a non-control plane namespace that will be applied by Sentry and Injector.
This can re-write the Sentry CA, disable mTLS, or otherwise bring down the entire Dapr cluster.
Root cause
Sentry and Injector currently list Configurations, before matching on the list for the daprsystem
Configuration, without filtering for namespaces.
Solution
Update Sentry and Injector to only get the daprsystem
Configuration from the namespace where the Dapr control plane is installed, instead of listing all Configurations.
Fixed gRPC-to-gRPC service invocation when the ServiceInvocationStreaming
feature is enabled.
Problem
When the ServiceInvocationStreaming
preview flag is enabled, the type_url
property is removed when performing service invocation. This can cause failures when performing the gRPC-to-gRPC service invocation (legacy, non proxy-based).
Impact
Aside from the immediate impact on users who have the ServiceInvocationStreaming
feature flag enabled, this issue can also impact users who rely on the (legacy, non proxy-based) gRPC-to-gRPC service invocation capabilities of Dapr, and who are in the process of upgrading to Dapr 1.12.x.
In fact, a Dapr 1.12.x sidecar would always attempt to communicate with Dapr 1.11.x using the streaming APIs, so using Dapr 1.12.x to invoke Dapr 1.11.x would cause the issue to appear even if ServiceInvocationStreaming
is not enabled in Dapr 1.11.x
Root cause
An issue was detected in the internal implementation of service invocation when streaming was enabled.
Solution
We fixed the issue in Dapr 1.12.0 and 1.11.5.
Fixed invoke remote stream from closing stream before EOF
Problem
When performing service invocation using resiliency, the service invocation can end with an EOF error rather than successfully returning the result.
Impact
When ServiceInvocationStreaming
is enabled, service invocation is unusable when using resiliency.
Root cause
A bug in the code meant that the gRPC stream was closed before the EOF was sent to the client.
Solution
Fix the code so that the EOF is sent before the stream is closed.
Fixed failures downgrading from 1.12.x to 1.11.x
Problem
When downgrading from 1.12.x to 1.11.x, the Dapr sidecar injector will fail to inject the sidecar into pods, failing with validating certificates against the Certification Authority.
Impact
Users who downgrade the Dapr installation from 1.12.x to 1.11.x will result in their Dapr cluster being in broken state.
Root cause
1.12 made a change that the Injector's serving certificate is now signed by the Dapr CA (Certification Authority), rather than a separate CA managed through Helm.
The 1.11 Helm chart will always use an existing CA in the Webhook Configuration if it exists, meaning the serving certificate and CA will mismatch on a downgrade.
Solution
The 1.11 Helm chart will correctly update the webhook Configuration to use the Dapr CA when downgrading from 1.12 to 1.11.
Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
Problem
With Resiliency enabled, in case of HTTP service invocation, if one application sends error status codes (HTTP codes <200 or >=400), Dapr returns a response with a generic 500 error, instead of the actual response error code.
Impact
Applications will receive the wrong status code in case of HTTP service invocation returning a failure error code with Resiliency enabled.
Root cause
A bug was discovered in how errors were handled when Resiliency was enabled, causing all errors from the application to be "swallowed" by Dapr.
Solution
Resiliency code now returns the correct status code to the application.