Dapr
v1.16.15Orchestration & ManagementDapr 1.16.15 fixes a sentry crash that blocks all mTLS identity issuance when the issuer key is Ed25519 or RSA — directly relevant to anyone who downgraded from 1.18 or rotated their issuer key type.
breakingUpgrade to 1.16.15 if you downgraded from 1.18 or rotated your issuer key
If your 1.16 control plane has an Ed25519 or RSA issuer key in the dapr-trust-bundle secret — which happens automatically after a 1.18 downgrade — dapr-sentry crash-loops and no new mTLS certificates are issued. Existing sidecars with unexpired certs keep working, but any pod restart or cert expiry will cause identity failures. Upgrade to 1.16.15 immediately. If you cannot upgrade right now, the only workaround is to replace the issuer key in dapr-trust-bundle with an ECDSA P-256 key.
Key changes (5)
- dapr-sentry crashes on startup with 'unsupported key type' when the trust bundle contains an Ed25519 or RSA issuer key
- Root cause: dapr/kit's EncodePrivateKey only matched *ecdsa.PrivateKey and *ed25519.PrivateKey (pointer form), missing the value-type Ed25519 and RSA entirely
- Fix: dapr/kit v0.16.3 now handles ed25519.PrivateKey (value), *rsa.PrivateKey, and *ecdsa.PrivateKey via PKCS#8 round-trip
- Affects 1.16 clusters downgraded from 1.18, or any 1.16 deployment where the issuer key was manually rotated to Ed25519 or RSA
- While sentry is crash-looping, sidecars with valid unexpired certs keep running, but any fresh start or cert rotation fails