AgentSkillsCN

Dapr Validator

对 Dapr 组件配置、Sidecar 注解以及 mTLS 设置进行验证。当您:(1) 创建 Dapr 组件清单;(2) 为部署添加 Dapr 注解;(3) 配置发布/订阅、状态存储或绑定服务;(4) 在部署启用 Dapr 的应用之前;(5) 生成新的 Dapr 组件时,均可使用此技能。它能够验证密钥管理(secretKeyRef)、作用域、mTLS、Sidecar 资源限制,以及命名空间配置。

SKILL.md
--- frontmatter
name: Dapr Validator
description: Validate Dapr component configs, sidecar annotations, and mTLS settings. Use when: (1) Creating Dapr Component manifests, (2) Adding Dapr annotations to deployments, (3) Configuring pub/sub, state stores, or bindings, (4) Before deploying Dapr-enabled applications, (5) Generating new Dapr components. Validates secrets management (secretKeyRef), scopes, mTLS, sidecar resource limits, and namespace configuration.

Overview

This skill validates Dapr configurations for security, correctness, and best practices. It ensures all Dapr components and sidecar annotations follow standards before deployment.

Quick Start

Validate Existing Components

bash
# Validate a Dapr component file
python scripts/validate_component.py <component-file.yaml>

# Validate deployment Dapr annotations
python scripts/validate_deployment.py <deployment-file.yaml>

Generate New Components

bash
# Generate from templates
python scripts/generate_component.py --type statestore-postgres --name mystore --namespace todo-app

# Available templates in assets/:
# - statestore-postgres, statestore-redis
# - pubsub-kafka, pubsub-redis
# - configuration (mTLS)

Validation Rule Codes

CodeCategoryDescription
DAPR-001ComponentMissing namespace
DAPR-002ComponentUsing 'default' namespace
DAPR-003SecurityInline credentials (not using secretKeyRef)
DAPR-004ComponentMissing or empty scopes
DAPR-005ConfigurationmTLS not enabled
DAPR-006DeploymentMissing dapr.io/app-id annotation
DAPR-007DeploymentMissing sidecar resource limits
DAPR-008ComponentInvalid component type
DAPR-009Deploymentapp-id doesn't match component scopes
DAPR-010DeploymentMissing dapr.io/app-port annotation

Component Structure

Every Dapr component MUST have:

yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <lowercase-hyphenated>
  namespace: <explicit-namespace>    # Never "default"
spec:
  type: <component-type>
  version: v1
  metadata:
    - name: <key>
      secretKeyRef:                  # For sensitive values
        name: <secret-name>
        key: <secret-key>
scopes:                              # REQUIRED
  - <app-id-1>

Validation Rules

Secrets Management

yaml
# ✅ CORRECT
metadata:
  - name: connectionString
    secretKeyRef:
      name: postgres-secrets
      key: connection-string

# ❌ WRONG - Never inline secrets
metadata:
  - name: connectionString
    value: "postgresql://user:password@host/db"

Scopes (Required)

yaml
# ✅ CORRECT - Scoped to specific apps
scopes:
  - todo-backend
  - todo-mcp-server

# ❌ WRONG - Empty or missing scopes

mTLS Configuration

yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: dapr-config
spec:
  mtls:
    enabled: true    # MANDATORY

Deployment Annotations

Every Dapr-enabled deployment MUST have:

yaml
annotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "<unique-app-id>"
  dapr.io/app-port: "<container-port>"
  dapr.io/app-protocol: "http"
  dapr.io/sidecar-cpu-request: "100m"
  dapr.io/sidecar-memory-request: "128Mi"
  dapr.io/sidecar-cpu-limit: "300m"
  dapr.io/sidecar-memory-limit: "256Mi"

Component Examples

PostgreSQL State Store

yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
  namespace: todo
spec:
  type: state.postgresql
  version: v1
  metadata:
    - name: connectionString
      secretKeyRef:
        name: postgres-secrets
        key: connection-string
scopes:
  - todo-backend

Kafka Pub/Sub

yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: pubsub
  namespace: todo
spec:
  type: pubsub.kafka
  version: v1
  metadata:
    - name: brokers
      value: "kafka:9092"
    - name: authType
      value: "password"
    - name: saslUsername
      secretKeyRef:
        name: kafka-secrets
        key: username
    - name: saslPassword
      secretKeyRef:
        name: kafka-secrets
        key: password
scopes:
  - todo-backend

Validation Output

code
## Dapr Validation Report

### Component: statestore
✅ Structure valid
✅ Namespace explicit
✅ Secrets use secretKeyRef
✅ Scopes defined
❌ ERROR: Empty scopes

### Deployment: todo-backend
✅ Dapr enabled
✅ App-id matches scopes
⚠️ WARNING: No sidecar limits

### Status: PASSED / BLOCKED

Common Mistakes

MistakeFix
Inline secretsUse secretKeyRef
Missing scopesAdd explicit app-ids
Wrong app-idMatch annotation to scopes
No sidecar limitsAdd resource annotations
Missing namespaceUse explicit namespace

Checklist

code
Components:
[ ] apiVersion: dapr.io/v1alpha1
[ ] Explicit namespace
[ ] secretKeyRef for credentials
[ ] Scopes defined

Deployments:
[ ] dapr.io/enabled: "true"
[ ] dapr.io/app-id set
[ ] dapr.io/app-port correct
[ ] Sidecar resource limits

Configuration:
[ ] mTLS enabled

CLI Commands

bash
dapr status -k
dapr components -k -n todo
kubectl describe component statestore -n todo