Dapr 1.18 is a large release centered on workflow security and durability (tamper detection, access policies, history propagation, concurrency limits), with Jobs API and HotReload graduating to GA and several breaking changes requiring pre-upgrade review.
securityEnable WorkflowAccessPolicy in shared or multi-tenant clusters
Before 1.18, any caller in the same trust domain could schedule, terminate, or query any other app's workflows. The new WorkflowAccessPolicy CRD lets you lock this down per-operation with glob-pattern rules. The default is still open (no policy = all calls allowed), so existing deployments are unaffected — but teams running shared clusters should define policies now. Also: redis common components previously skipped TLS cert verification unconditionally; this is fixed in 1.18, so verify your Redis TLS config is correct before upgrading.
breakingDo not roll back from 1.18 directly to 1.17.6 or earlier
Sentry 1.18 writes an Ed25519-keyed CA into the dapr-trust-bundle secret. Any Sentry version before 1.17.7 cannot parse this and will crash-loop, blocking all new certificate issuance. Before upgrading, confirm your rollback target is 1.17.7+. If you need to go below 1.17.7, downgrade to 1.17.7 first, stabilize, then continue. Also audit any code that relied on silent workflow ID reuse — it now gets a hard conflict error.
breakingHop-by-hop headers stripped on service invocation — check your apps
Standard HTTP hop-by-hop headers (Connection, Keep-Alive, Transfer-Encoding, etc.) are now stripped during service invocation per RFC 7230. Any app relying on these headers passing through will silently break. Audit service invocation call sites and move to non-hop-by-hop equivalents before upgrading.
enhancementEnable workflow history signing for audit-sensitive workloads
Workflow history signing is opt-in and disabled by default. It requires mTLS to be active. Before turning it on cluster-wide, let any in-flight unsigned workflows complete or purge them — enabling signing on a workflow that started unsigned is a hard verification error with no catch-up path. Once enabled, a tampered workflow is terminated and flagged with DAPR_WORKFLOW_HISTORY_TAMPERED, leaving the original state intact for forensic review. Good candidate for compliance-sensitive or multi-tenant workflow deployments.
主な変更 (7)
- Sentry now generates Ed25519 workload identity keys — rollback floor is 1.17.7; rolling back to 1.17.6 or earlier crashes Sentry
- WorkflowAccessPolicy CRD added for per-operation allow-list access control between apps; default is open (no policy = all allowed)
- Workflow history signing added (opt-in, one-way) for tamper detection via chained SPIFFE-signed event batches
- HotReload is now GA and on by default — Components, Subscriptions, Configurations, Resiliencies, and more reload without sidecar restart
- Jobs API graduates to stable; alpha RPCs deprecated but still functional — migrate app code to ScheduleJob/GetJob/DeleteJob
- Workflow ID reuse semantics changed: creating a workflow with an existing active instance ID now returns a conflict error instead of silently overwriting
- Java SDK minimum version bumped to Java 17; Spring Boot baseline moves to 3.5