initial commit, all code provided by @lburgazzoli

This commit is contained in:
salaboy 2023-07-31 16:10:53 +01:00
parent d7f38a7c5f
commit 597891f44a
96 changed files with 4845 additions and 0 deletions

BIN
.github/.DS_Store vendored Normal file


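--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: daily
+time: "19:30"
+timezone: Europe/Paris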
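Review bot: Only the `github-actions` ecosystem is monitored, so the base image pinned in the Dockerfile (`quay.io/operator-framework/helm-operator:v1.28.1`) gets no update alerts, and neither do the tool versions the Makefile downloads with curl. A second entry `- package-ecosystem: "docker"` with `directory: "/"` and the same `schedule` covers the Dockerfile; the Makefile downloads have no Dependabot ecosystem and need to be tracked by hand. Indentation cannot be checked from the rendered view, so only the content is reviewed here.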

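--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,45 @@
+name: build
+on:
+#pull_request:
+# branches:
+# - main
+push:
+tags:
+- "v*"
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+cancel-in-progress: true
+env:
+IMAGE_VERSION: ${{ github.ref_name}}
+IMAGE_TAG_BASE: "quay.io/lburgazzoli/dapr-operator"
+jobs:
+build:
+runs-on: ubuntu-latest
+steps:
+- name: check-out
+uses: actions/checkout@v3
+- name: Login to Quay.io
+uses: docker/login-action@v2
+with:
+registry: quay.io
+username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+- name: Build Operator Container Image
+run: |
+export VERSION="${IMAGE_VERSION#v}"
+make bundle docker-build docker-push
+- name: Build Operator Bundle
+run: |
+export VERSION="${IMAGE_VERSION#v}"
+make bundle bundle-build bundle-push
+- name: Build Operator Catalog
+run: |
+export VERSION="${IMAGE_VERSION#v}"
+make catalog-build catalog-push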
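Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although the steps only read the checkout and push to Quay with their own secrets; add a top-level `permissions:` with `contents: read`. The actions are referenced by mutable tags (`actions/checkout@v3`, `docker/login-action@v2`), so a retargeted tag changes what runs with access to the registry credentials; pin each to a full commit SHA with the version in a trailing comment, which Dependabot (configured for `github-actions` in this commit) still updates. Minor: `IMAGE_VERSION: ${{ github.ref_name}}` lacks the space before the closing braces that every other expression has, and `make bundle` is run in both the first and the second build step.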

158
.gitignore vendored Normal file

@ -0,0 +1,158 @@
# If you prefer the allow list template instead of the deny list, see community template:
# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
#
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
# Test binary, built with `go test -c`
*.test
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# Dependency directories (remove the comment below to include it)
# vendor/
# Go workspace file
go.work
bin/
# Released Packages
*.tar.gz
# Release Notes
/release-notes.md
# IDEs
.idea
*.iml
.project
.metadata
.gopath
# envrc
.envrc
# eclipse / vscode
.settings
.classpath
.factorypath
# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
### Emacs ###
# -*- mode: gitignore; -*-
*~
\#*\#
/.emacs.desktop
/.emacs.desktop.lock
*.elc
auto-save-list
tramp
.\#*
# Org-mode
.org-id-locations
*_archive
# flymake-mode
*_flymake.*
# eshell files
/eshell/history
/eshell/lastdir
# elpa packages
/elpa/
# reftex files
*.rel
# AUCTeX auto folder
/auto/
# cask packages
.cask/
dist/
# Flycheck
flycheck_*.el
# server auth directory
/server/
# projectiles files
.projectile
projectile-bookmarks.eld
# directory configuration
.dir-locals.el
# saveplace
places
# url cache
url/cache/
# cedet
ede-projects.el
# smex
smex-items
# company-statistics
company-statistics-cache.el
# anaconda-mode
anaconda-mode/
### Go ###
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
# Test binary, build with 'go test -c'
*.test
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
### Vim ###
# swap
.sw[a-p]
.*.sw[a-p]
# session
Session.vim
# temporary
.netrwhist
# auto-generated tag files
tags
### VisualStudioCode ###
.vscode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
# Unix line endings for the Maven wrapper script
mvnw text eol=lf
.history
# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
### config kustomize ###
config/**/*.gen.tmpl
config/**/*.gen.yaml
config/**/*.gen.json
*-installer*
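Review bot: `.DS_Store` is not ignored, and this same commit adds `.github/.DS_Store` as a binary file; add `.DS_Store` next to the IDE entries and remove the committed file from the tree. The `### Go ###` block near the end repeats the binary patterns already listed at the top of the file (`*.exe`, `*.exe~`, `*.dll`, `*.so`, `*.dylib`, `*.test`, `*.out`), which is harmless but can be dropped, and `mvnw text eol=lf` is a `.gitattributes` rule, not an ignore pattern.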

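--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+# Build the manager binary
+FROM quay.io/operator-framework/helm-operator:v1.28.1
+ENV HOME=/opt/helm
+COPY watches.yaml ${HOME}/watches.yaml
+COPY helm-charts ${HOME}/helm-charts
+WORKDIR ${HOME}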
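Review bot: The base image is pinned by tag only; `helm-operator:v1.28.1` can be retagged upstream, so for a reproducible build pin the digest too, e.g. `FROM quay.io/operator-framework/helm-operator:v1.28.1@sha256:<digest-placeholder>`. This version also has to stay in step with the operator-sdk and helm-operator binaries the Makefile downloads (v1.28.1) and with the `operator-sdk-v1.29.0` builder label in bundle.Dockerfile, which already disagrees; a single variable in the Makefile passed as a build arg would keep them aligned. The header comment `# Build the manager binary` is left over from the Go scaffold and does not describe this image.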

264
Makefile Normal file

@ -0,0 +1,264 @@
# VERSION defines the project version for the bundle.
# Update this value when you upgrade the version of your project.
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= 0.0.22
MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
LOCAL_BIN_PATH := ${PROJECT_PATH}/bin
# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can:
# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
ifneq ($(origin CHANNELS), undefined)
BUNDLE_CHANNELS := --channels=$(CHANNELS)
endif
# DEFAULT_CHANNEL defines the default channel used in the bundle.
# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable")
# To re-generate a bundle for any other default channel without changing the default setup, you can:
# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)
# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")
ifneq ($(origin DEFAULT_CHANNEL), undefined)
BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
endif
BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images.
# This variable is used to construct full image tags for bundle and catalog images.
#
# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
# dapr.io/dapr-operator-bundle:$VERSION and dapr.io/dapr-operator-catalog:$VERSION.
IMAGE_TAG_BASE ?= quay.io/lburgazzoli/dapr-operator
# BUNDLE_IMG defines the image:tag used for the bundle.
# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
# You can enable this value if you would like to use SHA Based Digests
# To enable set flag to true
USE_IMAGE_DIGESTS ?= false
ifeq ($(USE_IMAGE_DIGESTS), true)
BUNDLE_GEN_FLAGS += --use-image-digests
endif
# Image URL to use all building/pushing image targets
IMG ?= $(IMAGE_TAG_BASE):v$(VERSION)
# dapr helm chart related info
HELM_CHART_REPO ?= https://dapr.github.io/helm-charts
HELM_CHART ?= dapr
HELM_CHART_VERSION ?= 1.11.0
HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz
.PHONY: all
all: docker-build
##@ General
# The help target prints out all targets with their descriptions organized
# beneath their categories. The categories are represented by '##@' and the
# target descriptions by '##'. The awk commands is responsible for reading the
# entire set of makefiles included in this invocation, looking for lines of the
# file as xyz: ## something, and then pretty-format the target and help. Then,
# if there's a line with ##@ something, that gets pretty-printed as a category.
# More info on the usage of ANSI control characters for terminal formatting:
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
# More info on the awk command:
# http://linuxcommand.org/lc3_adv_awk.php
.PHONY: help
help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
.PHONY: init
init: operator-sdk
$(OPERATOR_SDK) init \
--plugins helm \
--domain dapr.io \
--group dapr \
--version v1alpha1 \
--kind Dapr \
--helm-chart-repo $(HELM_CHART_REPO) \
--helm-chart $(HELM_CHART) \
--helm-chart-version $(HELM_CHART_VERSION)
.PHONY: update
update:
rm -rf $(PROJECT_PATH)/helm-charts/dapr
mkdir -p $(PROJECT_PATH)/helm-charts/dapr
curl --location --silent $(HELM_CHART_URL) \
| tar xzf - \
--directory $(PROJECT_PATH)/helm-charts/dapr \
--strip-components=1
##@ Build
.PHONY: run
run: helm-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
$(HELM_OPERATOR) run
.PHONY: docker-build
docker-build: ## Build docker image with the manager.
docker build -t ${IMG} .
.PHONY: docker-push
docker-push: ## Push docker image with the manager.
docker push ${IMG}
##@ Deployment
.PHONY: install
install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
$(KUSTOMIZE) build config/crd | kubectl apply -f -
.PHONY: uninstall
uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
$(KUSTOMIZE) build config/crd | kubectl delete -f -
.PHONY: deploy
deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
$(KUSTOMIZE) build config/default | kubectl apply -f -
.PHONY: undeploy
undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
$(KUSTOMIZE) build config/default | kubectl delete -f -
OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
.PHONY: kustomize
KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize: ## Download kustomize locally if necessary.
ifeq (,$(wildcard $(KUSTOMIZE)))
ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCH).tar.gz | \
tar xzf - -C bin/ ;\
}
else
KUSTOMIZE = $(shell which kustomize)
endif
endif
.PHONY: operator-sdk
OPERATOR_SDK = $(shell pwd)/bin/operator-sdk
operator-sdk: ## Download operator-sdk locally if necessary, preferring the $(pwd)/bin path over global if both exist.
ifeq (,$(wildcard $(OPERATOR_SDK)))
ifeq (,$(shell which operator-sdk 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPERATOR_SDK)) ;\
curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/operator-sdk_$(OS)_$(ARCH) ;\
chmod +x $(OPERATOR_SDK) ;\
}
else
OPERATOR_SDK = $(shell which operator-sdk)
endif
endif
.PHONY: helm-operator
HELM_OPERATOR = $(shell pwd)/bin/helm-operator
helm-operator: ## Download helm-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist.
ifeq (,$(wildcard $(HELM_OPERATOR)))
ifeq (,$(shell which helm-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM_OPERATOR)) ;\
curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/helm-operator_$(OS)_$(ARCH) ;\
chmod +x $(HELM_OPERATOR) ;\
}
else
HELM_OPERATOR = $(shell which helm-operator)
endif
endif
.PHONY: bundle
bundle: operator-sdk kustomize ## Generate bundle manifests and metadata, then validate generated files.
$(OPERATOR_SDK) generate kustomize manifests -q
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
$(OPERATOR_SDK) bundle validate ./bundle
.PHONY: bundle-build
bundle-build: ## Build the bundle image.
docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
.PHONY: bundle-push
bundle-push: ## Push the bundle image.
$(MAKE) docker-push IMG=$(BUNDLE_IMG)
.PHONY: opm
OPM = $(shell pwd)/bin/opm
opm: ## Download opm locally if necessary.
ifeq (,$(wildcard $(OPM)))
ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.27.1/$(OS)-$(ARCH)-opm ;\
chmod +x $(OPM) ;\
}
else
OPM = $(shell which opm)
endif
endif
# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
# These images MUST exist in a registry and be pull-able.
BUNDLE_IMGS ?= $(BUNDLE_IMG)
# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
#CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)
CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:latest
# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
ifneq ($(origin CATALOG_BASE_IMG), undefined)
FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)
endif
# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'.
# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see:
# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator
.PHONY: catalog-build
catalog-build: opm ## Build a catalog image.
$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
# Push the catalog image.
.PHONY: catalog-push
catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: openshift/deploy/catalog
openshift/deploy/catalog: ## Deploy catalog.
kubectl apply -f config/samples/catalog.yaml
.PHONY: openshift/deploy/subscritpion
openshift/deploy/subscritpion: ## Deploy subscritpion.
kubectl apply -f config/samples/subscription.yaml
.PHONY: openshift/deploy/dapr
openshift/deploy/dapr: ## Deploy sample.
kubectl apply -f config/samples/sample.yaml
.PHONY: openshift/undeploy
openshift/undeploy: ## Deploy sample.
kubectl delete --ignore-not-found=true -f config/samples/sample.yaml
kubectl delete --ignore-not-found=true -f config/samples/subscription.yaml
kubectl delete --ignore-not-found=true -f config/samples/catalog.yaml
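Review bot: The `kustomize`, `operator-sdk`, `helm-operator` and `opm` targets fetch executables with `curl -sSL` and `chmod +x` them without `--fail` and without any checksum check, so an HTTP error body or a tampered download ends up as an executable in `bin/` that the `bundle` target then runs; use `curl -sSLf` as a minimum and, where the release publishes checksums, verify the download against them before `chmod +x`. The `update` target has the same shape for the Helm chart tarball. Unrelated: the help text of `openshift/undeploy` reads `## Deploy sample.` but the recipe deletes resources, and `subscritpion` in the two target names is a typo that the README repeats, so both would need renaming together.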

20
PROJECT Normal file

@ -0,0 +1,20 @@
# Code generated by tool. DO NOT EDIT.
# This file is used to track the info used to scaffold your project
# and allow the plugins properly work.
# More info: https://book.kubebuilder.io/reference/project-config.html
domain: dapr.io
layout:
- helm.sdk.operatorframework.io/v1
plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
projectName: dapr-operator
resources:
- api:
crdVersion: v1
namespaced: true
domain: dapr.io
group: dapr
kind: Dapr
version: v1alpha1
version: "3"

39
README.md Normal file

@ -0,0 +1,39 @@
# dapr-operator
## setup
```shell
# install the catalog
make openshift/deploy/catalog
```
## installation via cli
```shell
# waith for the catalog to be installed,
# then install the subsription
make openshift/deploy/subscritpion
# wait thil the subscription is ready,
# then deploy a dapr instance
make openshift/deploy/dapr
```
- Cleanup:
```shell
# cleanup
make openshift/undeploy:
```
## installation via UI
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/9fc376a0-aec1-4bae-861f-361ccd9952aa)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/97fc8672-1f0c-4c1b-bd39-59f3c72287f2)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/faab9ee5-23b5-469d-8fd5-7d1f8aee34d7)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/19168795-817f-420f-95e5-b3523e2c4b2b)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/d76d9e55-86a1-4d22-857c-28550660d3fd)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/0379f506-1a52-4cad-ace7-c14c241af76f)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/c14a3022-cdc3-4469-b668-5afeb8cbfb8f)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/c26fec46-182e-4eee-8f23-208379ac9afe)
![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/ada9f1bb-6055-44f4-bac8-a5a83dc50689)

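--- a/bundle.Dockerfile
+++ b/bundle.Dockerfile
@@ -0,0 +1,20 @@
+FROM scratch
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=dapr-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.29.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/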


@ -0,0 +1,44 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: daprs.dapr.dapr.io
spec:
group: dapr.dapr.io
names:
kind: Dapr
listKind: DaprList
plural: daprs
singular: dapr
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Dapr is the Schema for the daprs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Dapr
type: object
x-kubernetes-preserve-unknown-fields: true
status:
description: Status defines the observed state of Dapr
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,6 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/dapr.dapr.io_daprs.yaml
#+kubebuilder:scaffold:crdkustomizeresource


@ -0,0 +1,30 @@
# Adds namespace to all resources.
namespace: dapr-operator-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: dapr-operator-
# Labels to add to all resources and selectors.
#labels:
#- includeSelectors: true
# pairs:
# someName: someValue
resources:
- ../crd
- ../rbac
- ../manager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
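Review bot: `patchesStrategicMerge` is deprecated in kustomize v5 in favour of `patches:`; the Makefile pins kustomize v4.5.7 so `make deploy` works today, but `kubectl apply -k` uses kubectl's bundled kustomize and may already warn or, in newer releases, reject it. Writing it as `patches:` / `- path: manager_auth_proxy_patch.yaml` is accepted by v4.5.7 as well, so the change is safe to make now.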


@ -0,0 +1,57 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--leader-election-id=dapr-operator"
- "--zap-devel"
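Review bot: `--zap-devel` switches the manager to zap development mode (debug level, console encoder, stack traces from warn level up) in the manifest that `make deploy` and the bundle ship, so production logs will be verbose and unstructured; drop it here and in config/manager/manager.yaml, where the same flag is added, or keep it in a local overlay only. The `kube-rbac-proxy` image from `gcr.io/kubebuilder` has since been deprecated by the kubebuilder project in favour of controller-runtime's built-in metrics authentication, so this sidecar will need another source or a replacement before that image is removed — confirm against current kubebuilder guidance. The sidecar's `securityContext` and resource limits are fine as scaffolded.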


@ -0,0 +1,10 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager


@ -0,0 +1,8 @@
resources:
- manager.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: quay.io/lburgazzoli/dapr-operator
newTag: v0.0.22


@ -0,0 +1,99 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: namespace
app.kubernetes.io/instance: system
app.kubernetes.io/component: manager
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
app.kubernetes.io/name: deployment
app.kubernetes.io/instance: controller-manager
app.kubernetes.io/component: manager
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
# TODO(user): Uncomment the following code to configure the nodeAffinity expression
# according to the platforms which are supported by your solution.
# It is considered best practice to support multiple architectures. You can
# build your manager image using the makefile target docker-buildx.
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch
# operator: In
# values:
# - amd64
# - arm64
# - ppc64le
# - s390x
# - key: kubernetes.io/os
# operator: In
# values:
# - linux
securityContext:
runAsNonRoot: true
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- args:
- --leader-elect
- --leader-election-id=dapr-operator
- --zap-devel
image: controller:latest
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# TODO(user): Configure the resources accordingly based on the project requirements.
# More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
cpu: 10m
memory: 64Mi
serviceAccountName: controller-manager
terminationGracePeriodSeconds: 10
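Review bot: The manager container sets `resources.requests` only, while the kube-rbac-proxy sidecar in the auth-proxy patch carries both `requests` and `limits`; without a memory limit a helm-operator rendering large charts can grow unbounded on the node, so add `limits:` with a `memory` value sized from a test deployment. The scaffold's `seccompProfile: type: RuntimeDefault` is left commented out although the README and config/samples target OpenShift (`openshift-marketplace`), where the scaffold comment itself says it is supported from 4.11 — likely safe to enable, confirm against the supported platform range. Whether `readOnlyRootFilesystem: true` is viable depends on where helm-operator writes at runtime; not determinable from these files.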



@ -0,0 +1,7 @@
# These resources constitute the fully configured set of manifests
# used to generate the 'manifests/' directory in a bundle.
resources:
- bases/dapr-operator.clusterserviceversion.yaml
- ../default
- ../samples
- ../scorecard


@ -0,0 +1,2 @@
resources:
- monitor.yaml


@ -0,0 +1,26 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: servicemonitor
app.kubernetes.io/instance: controller-manager-metrics-monitor
app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: controller-manager-metrics-monitor
namespace: system
spec:
endpoints:
- path: /metrics
port: https
scheme: https
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
tlsConfig:
insecureSkipVerify: true
selector:
matchLabels:
control-plane: controller-manager
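Review bot: `tlsConfig.insecureSkipVerify: true` makes Prometheus accept any certificate on the metrics port, so the service-account bearer token from `bearerTokenFile` is sent to whatever answers on 8443 in that namespace. kube-rbac-proxy serves a self-signed certificate unless one is supplied; to close this, mount a certificate (for example from cert-manager) and pass it with `--tls-cert-file` and `--tls-private-key-file` in the auth-proxy patch, then replace `insecureSkipVerify` here with `ca` and `serverName`. The `../prometheus` resource is commented out in config/default/kustomization.yaml, so this ServiceMonitor is not applied by default yet.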


@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: metrics-reader
rules:
- nonResourceURLs:
- "/metrics"
verbs:
- get


@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: proxy-role
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/instance: proxy-rolebinding
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system


@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: service
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager


@ -0,0 +1,31 @@
# permissions for end users to edit daprs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: dapr-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: dapr-editor-role
rules:
- apiGroups:
- dapr.dapr.io
resources:
- daprs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- dapr.dapr.io
resources:
- daprs/status
verbs:
- get


@ -0,0 +1,27 @@
# permissions for end users to view daprs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: dapr-viewer-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: dapr-viewer-role
rules:
- apiGroups:
- dapr.dapr.io
resources:
- daprs
verbs:
- get
- list
- watch
- apiGroups:
- dapr.dapr.io
resources:
- daprs/status
verbs:
- get


@ -0,0 +1,18 @@
resources:
# All RBAC will be applied under this service account in
# the deployment namespace. You may comment out this resource
# if your manager will use a service account that exists at
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
# subjects if changing service account names.
- service_account.yaml
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml


@ -0,0 +1,44 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/name: role
app.kubernetes.io/instance: leader-election-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: rolebinding
app.kubernetes.io/instance: leader-election-rolebinding
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system

113
config/rbac/role.yaml Normal file

@ -0,0 +1,113 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: manager-role
rules:
##
## Base operator rules
##
# We need to get namespaces so the operator can read namespaces to ensure they exist
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
# We need to manage Helm release secrets
- apiGroups:
- ""
resources:
- secrets
verbs:
- "*"
# We need to create events on CRs about things happening during reconciliation
- apiGroups:
- ""
resources:
- events
verbs:
- create
# We need to install dapr's CRDs
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- "*"
##
## Rules for dapr.dapr.io/v1alpha1, Kind: Dapr
##
- apiGroups:
- dapr.dapr.io
resources:
- daprs
- daprs/status
- daprs/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- verbs:
- "*"
apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "clusterrolebindings"
- "clusterroles"
- verbs:
- "*"
apiGroups:
- "admissionregistration.k8s.io"
resources:
- "mutatingwebhookconfigurations"
- verbs:
- "*"
apiGroups:
- ""
resources:
- "secrets"
- "serviceaccounts"
- "services"
- verbs:
- "*"
apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "rolebindings"
- "roles"
- verbs:
- "*"
apiGroups:
- "apps"
resources:
- "deployments"
- "statefulsets"
- apiGroups:
- dapr.io
resources:
- components
- components/status
- components/finalizers
- configurations
- configurations/status
- configurations/finalizers
- resiliencies
- resiliencies/status
- resiliencies/finalizers
- subscriptions
- subscriptions/status
- subscriptions/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
#+kubebuilder:scaffold:rules
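Review bot: `manager-role` is a ClusterRole granting `"*"` on cluster-wide `secrets`, `customresourcedefinitions`, `clusterroles`, `clusterrolebindings`, `roles`, `rolebindings` and `mutatingwebhookconfigurations`; `*` on roles and bindings includes the `escalate` and `bind` verbs, so the operator's ServiceAccount can grant itself any permission and is effectively cluster-admin, and `*` on secrets lets it read every Secret in the cluster. The Dapr chart does need to create these objects, but the verbs can be enumerated (`create`, `get`, `list`, `watch`, `update`, `patch`, `delete`) with `escalate`/`bind` left out, and rules for the chart's own resources could be narrowed to `resourceNames` where the chart uses fixed names. The `secrets` rule also appears twice (under "Base operator rules" and again alongside `serviceaccounts`/`services`) and should be merged; the generated rule for the Dapr CRs is fine as is.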


@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/instance: manager-rolebinding
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system


@ -0,0 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: serviceaccount
app.kubernetes.io/instance: controller-manager-sa
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: dapr-operator
app.kubernetes.io/part-of: dapr-operator
app.kubernetes.io/managed-by: kustomize
name: controller-manager
namespace: system


@ -0,0 +1,13 @@
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: dapr-catalog
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/lburgazzoli/dapr-operator-catalog:latest
displayName: Dapr Catalog
publisher: dapr.io
updateStrategy:
registryPoll:
interval: 10m
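Review bot: `image: quay.io/lburgazzoli/dapr-operator-catalog:latest` together with `registryPoll.interval: 10m` makes the cluster re-pull a mutable tag from a personal registry account every ten minutes and treat whatever it finds as the catalog of record, so the trust root for every operator upgrade is one individual's account credentials. Pin the catalog to an immutable reference, e.g. `image: quay.io/<ORG>/dapr-operator-catalog@sha256:<DIGEST>` (placeholder) or at least the versioned tag the release workflow pushes, and note in a comment above `image:` that `latest` is only meant for local development.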


@ -0,0 +1,5 @@
## Append samples of your project ##
resources:
- catalog.yaml
- subscription.yaml
- sample.yaml


@ -0,0 +1,51 @@
apiVersion: dapr.dapr.io/v1alpha1
kind: Dapr
metadata:
name: dapr-sample
spec:
global:
registry: docker.io/daprio
tag: "1.11.0"
dnsSuffix: ".cluster.local"
logAsJson: false
imagePullPolicy: IfNotPresent
imagePullSecrets: ""
nodeSelector: {}
tolerations: []
rbac:
namespaced: false
ha:
enabled: false
replicaCount: 3
disruption:
minimumAvailable: ""
maximumUnavailable: "25%"
prometheus:
enabled: true
port: 9090
mtls:
enabled: true
workloadCertTTL: 24h
allowedClockSkew: 15m
actors:
enabled: true
daprControlPlaneOs: linux
labels: {}
k8sLabels:
app.kubernetes.io/name: "{{ .Release.Name }}"
app.kubernetes.io/version: "{{ .Values.global.tag }}"
app.kubernetes.io/part-of: "dapr"
app.kubernetes.io/managed-by: "helm"
app.kubernetes.io/component: "{{ .Values.component }}" # Should be set in each subchart
issuerFilenames: {}
## the issuerFilenames dictionary, if setup, have to contain 3 keys: ca,cert,key
# issuerFilenames:
# ca: "ca.crt"
# cert: "tls.crt"
# key: "tls.key"
argoRolloutServiceReconciler:
enabled: false
operator:
watchdogCanPatchPodLabels: false
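Review bot: `app.kubernetes.io/name: "{{ .Release.Name }}"` and the other three `k8sLabels` entries, together with the `# Should be set in each subchart` comment, are the chart's internal `values.yaml` defaults copied into a user-facing sample; they only resolve if the operator hands `spec` to Helm unchanged and the chart pipes them through `tpl` (as the `configuration.yaml` template in this commit does), otherwise they land as literal label values that the API server rejects. Either drop `k8sLabels` from the sample (the chart defaults apply anyway, per the README's `global.k8sLabels` row) or replace the subchart-oriented comment with one that states these are Helm template expressions evaluated by the chart, e.g. `# Helm template expressions; evaluated by the chart via tpl, do not pre-render`.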


@ -0,0 +1,12 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: dapr-operator
namespace: openshift-operators
spec:
channel: alpha
installPlanApproval: Automatic
name: dapr-operator
source: dapr-catalog
sourceNamespace: openshift-marketplace
startingCSV: dapr-operator.v1.11.0-2
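Review bot: `installPlanApproval: Automatic` on `channel: alpha` means every bundle that lands in `dapr-catalog` is installed unattended, and the installed operator then runs with the cluster-wide `manager-role` permissions; for any cluster that is not a throwaway dev environment this should be `installPlanApproval: Manual` so an operator upgrade is reviewed before it is applied. `startingCSV: dapr-operator.v1.11.0-2` pins only the first install, not later upgrades from the channel — a comment next to it saying so would prevent the common misreading that the version is frozen.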


@ -0,0 +1,7 @@
apiVersion: scorecard.operatorframework.io/v1alpha3
kind: Configuration
metadata:
name: config
stages:
- parallel: true
tests: []


@ -0,0 +1,16 @@
resources:
- bases/config.yaml
patchesJson6902:
- path: patches/basic.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
- path: patches/olm.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
#+kubebuilder:scaffold:patchesJson6902


@ -0,0 +1,10 @@
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: basic
test: basic-check-spec-test


@ -0,0 +1,50 @@
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: olm
test: olm-bundle-validation-test
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: olm
test: olm-crds-have-validation-test
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-crds-have-resources
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: olm
test: olm-crds-have-resources-test
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: olm
test: olm-spec-descriptors-test
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.28.1
labels:
suite: olm
test: olm-status-descriptors-test

39
hack/generate-catalog.sh Executable file

@ -0,0 +1,39 @@
#!/bin/sh +x
operator_dir="$1"
operator_bundle="$2"
operator_version="$3"
catalog_image="$4"
echo $operator_dir
echo $operator_bundle
echo $operator_version
echo $catalog_image
tmp_dir=$(mktemp -d -t ci-XXXXXXXXXX)
mkdir -p ${tmp_dir}/dapr
${operator_dir}/bin/opm generate dockerfile ${tmp_dir}/dapr
${operator_dir}/bin/opm init dapr-helm-operator \
--default-channel=preview \
--icon=${operator_dir}/hack/operator-icon.svg \
--output yaml \
> ${tmp_dir}/dapr/operator.yaml
${operator_dir}/bin/opm render ${operator_bundle} \
--output=yaml \
> ${tmp_dir}/dapr/operator.yaml
cat << EOF >> ${tmp_dir}/dapr/operator.yaml
---
schema: olm.channel
package: dapr-help-operator
name: preview
entries:
- name: dapr-helm-operator.${operator_version}
EOF
#opm validate ${tmp_dir}
#docker build -f ${tmp_dir}/dapr.Dockerfile -t ${catalog_image} ${tmp_dir}
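Review bot: `${operator_dir}/bin/opm render ${operator_bundle} ... > ${tmp_dir}/dapr/operator.yaml` truncates the file that the preceding `opm init ... > ${tmp_dir}/dapr/operator.yaml` just wrote, so the `olm.package` blob never reaches the catalog; the second redirect must be `>>`. The channel appended by the heredoc names `package: dapr-help-operator` while `opm init` and the entry use `dapr-helm-operator`, so the catalog would fail validation once the commented `#opm validate` line is enabled. The script also runs without `set -eu`, with a non-standard `#!/bin/sh +x` shebang, and with every path unquoted (`echo $operator_dir`, `mkdir -p ${tmp_dir}/dapr`, ...), so a missing argument or a path containing spaces fails silently partway through; the rewrite below adds an argument check, quoting and the two fixes above.
```shell
#!/bin/sh
set -eu

if [ "$#" -ne 4 ]; then
  echo "usage: $0 <operator_dir> <operator_bundle> <operator_version> <catalog_image>" >&2
  exit 1
fi

# … unchanged: positional assignments and echo lines …

tmp_dir="$(mktemp -d -t ci-XXXXXXXXXX)"
mkdir -p "${tmp_dir}/dapr"

"${operator_dir}/bin/opm" generate dockerfile "${tmp_dir}/dapr"

"${operator_dir}/bin/opm" init dapr-helm-operator \
  --default-channel=preview \
  --icon="${operator_dir}/hack/operator-icon.svg" \
  --output yaml \
  > "${tmp_dir}/dapr/operator.yaml"

# append: the package blob written above must be kept
"${operator_dir}/bin/opm" render "${operator_bundle}" \
  --output=yaml \
  >> "${tmp_dir}/dapr/operator.yaml"

cat << EOF >> "${tmp_dir}/dapr/operator.yaml"
---
schema: olm.channel
package: dapr-helm-operator
name: preview
entries:
  - name: dapr-helm-operator.${operator_version}
EOF

# … unchanged: commented-out validate/build lines …
```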

15
hack/operator-icon.svg Normal file

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="367px" height="270px" viewBox="0 0 367 270" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 51.3 (57544) - http://www.bohemiancoding.com/sketch -->
<title>Artboard</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="Artboard" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<path d="M89.7917119,193.508761 L62.9000392,193.508761 L62.9000392,185.06412 C60.3311064,188.28895 57.7348835,190.639215 55.1112926,192.114985 C50.5200084,194.683918 45.3002339,195.968365 39.4518124,195.968365 C29.9959534,195.968365 21.5787254,192.716254 14.1998759,186.211935 C5.39991464,178.450478 1,168.174901 1,155.384895 C1,142.376257 5.50922929,131.991365 14.5278231,124.229909 C21.6880401,118.053538 29.9139674,114.9654 39.205852,114.9654 C44.6170083,114.9654 49.7001395,116.113203 54.4553981,118.408845 C57.1883053,119.720641 60.0031576,121.879605 62.9000392,124.885803 L62.9000392,70.3645766 L89.7917119,70.3645766 L89.7917119,193.508761 Z M63.7199073,155.466882 C63.7199073,150.656965 62.0255302,146.57133 58.6367253,143.209855 C55.2479203,139.848379 51.148621,138.167666 46.3387042,138.167666 C40.9822061,138.167666 36.5822914,140.189987 33.1388283,144.23469 C30.3512629,147.514178 28.9575012,151.258205 28.9575012,155.466882 C28.9575012,159.675559 30.3512629,163.419586 33.1388283,166.699075 C36.5276333,170.743777 40.9275479,172.766098 46.3387042,172.766098 C51.2032791,172.766098 55.3162428,171.09905 58.6777187,167.764903 C62.0391946,164.430756 63.7199073,160.331457 63.7199073,155.466882 Z M190.65006,193.508761 L163.758387,193.508761 L163.758387,185.06412 C161.189454,188.28895 158.593231,190.639215 155.969641,192.114985 C151.378356,194.683918 146.158582,195.968365 140.31016,195.968365 C130.854301,195.968365 122.437073,192.716254 115.058224,186.211935 C106.258263,178.450478 101.858348,168.174901 101.858348,155.384895 C101.858348,142.376257 106.367577,131.991365 115.386171,124.229909 C122.546388,118.053538 130.772315,114.9654 140.0642,114.9654 C145.475356,114.9654 150.558487,116.113203 155.313746,118.408845 C158.046653,119.720641 160.861506,121.879605 163.758387,124.885803 L163.758387,117.425004 L190.65006,117.425004 L190.65006,193.508761 Z M164.578255,155.466882 C164.578255,150.656965 162.883878,146.57133 159.495073,143.209855 C156.106268,139.848379 
152.006969,138.167666 147.197052,138.167666 C141.840554,138.167666 137.440639,140.189987 133.997176,144.23469 C131.209611,147.514178 129.815849,151.258205 129.815849,155.466882 C129.815849,159.675559 131.209611,163.419586 133.997176,166.699075 C137.385981,170.743777 141.785896,172.766098 147.197052,172.766098 C152.061627,172.766098 156.174591,171.09905 159.536067,167.764903 C162.897543,164.430756 164.578255,160.331457 164.578255,155.466882 Z M294.54192,155.548869 C294.54192,168.557507 290.03269,178.942399 281.014097,186.703856 C273.85388,192.880226 265.627952,195.968365 256.336068,195.968365 C250.924911,195.968365 245.84178,194.820561 241.086522,192.524919 C238.353614,191.213123 235.538762,189.054159 232.64188,186.047961 L232.64188,231.550639 L205.750208,231.550639 L205.750208,117.425004 L232.64188,117.425004 L232.64188,125.869645 C235.046839,122.699473 237.643062,120.349208 240.430627,118.81878 C245.021911,116.249847 250.241686,114.9654 256.090107,114.9654 C265.545966,114.9654 273.963194,118.21751 281.342044,124.72183 C290.142005,132.483286 294.54192,142.758863 294.54192,155.548869 Z M266.584418,155.466882 C266.584418,151.148889 265.217985,147.404862 262.485078,144.23469 C259.041615,140.189987 254.614372,138.167666 249.203215,138.167666 C244.338641,138.167666 240.225677,139.834714 236.864201,143.168861 C233.502725,146.503008 231.822012,150.602307 231.822012,155.466882 C231.822012,160.276799 233.516389,164.362434 236.905194,167.72391 C240.293999,171.085386 244.393299,172.766098 249.203215,172.766098 C254.614372,172.766098 259.014286,170.743777 262.403091,166.699075 C265.190657,163.419586 266.584418,159.675559 266.584418,155.466882 Z M363.671373,142.267006 C359.899961,140.463288 356.073949,139.561442 352.19322,139.561442 C343.338601,139.561442 337.599582,143.168825 334.975991,150.3837 C333.992144,153.007291 333.500228,156.532689 333.500228,160.959998 L333.500228,193.508761 L306.608556,193.508761 L306.608556,117.425004 L333.500228,117.425004 L333.500228,129.886998 
C336.342452,125.459689 339.403262,122.262235 342.682751,120.294542 C347.11006,117.670951 352.357164,116.359175 358.424218,116.359175 C359.845329,116.359175 361.594364,116.441161 363.671373,116.605136 L363.671373,142.267006 Z" id="dapr" fill="#0D2192"></path>
<polygon id="tie" fill="#0D2192" fill-rule="nonzero" points="205.538409 194.062172 232.614551 194.062172 234.946621 257.633831 219.07648 268.75443 203.206339 257.633831"></polygon>
<rect id="Rectangle-4" fill="#0D2192" fill-rule="nonzero" x="144.829497" y="2.27908829" width="102.722643" height="72.2941444" rx="2"></rect>
<rect id="Rectangle-4" fill="#FFFFFF" fill-rule="nonzero" opacity="0.0799999982" x="144.829497" y="2.27908829" width="37.9976369" height="72.2941444"></rect>
<rect id="Rectangle-3" fill="#0D2192" fill-rule="nonzero" x="112.390768" y="69.9090944" width="166.248488" height="17.3513412" rx="3.72016"></rect>
<rect id="Rectangle-4" fill="#FFFFFF" fill-rule="nonzero" opacity="0.0799999982" x="112.390768" y="69.9090944" width="51.4375478" height="21.3554969"></rect>
</g>
</svg>



@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
packages/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: 1.11.0
description: A Helm chart for Dapr on Kubernetes
name: dapr
version: 1.11.0

258
helm-charts/dapr/README.md Normal file

@ -0,0 +1,258 @@
# Introduction
This chart deploys the Dapr control plane system services on a Kubernetes cluster using the Helm package manager.
## Chart Details
This chart installs Dapr via "child-charts":
* Dapr Component and Configuration Kubernetes CRDs
* Dapr Operator
* Dapr Sidecar injector
* Dapr Sentry
* Dapr Placement
## Prerequisites
* Kubernetes cluster with RBAC (Role-Based Access Control) enabled is required
* Helm 3.4.0 or newer
## Resources Required
The chart deploys pods that consume minimum resources as specified in the resources configuration parameter.
## Install the Chart
Ensure Helm is initialized in your Kubernetes cluster.
For more details on initializing Helm, [read the Helm docs](https://helm.sh/docs/)
1. Add dapr.github.io as an helm repo
```
helm repo add dapr https://dapr.github.io/helm-charts/
helm repo update
```
2. Install the Dapr chart on your cluster in the dapr-system namespace:
```
helm install dapr dapr/dapr --namespace dapr-system --wait
```
## Verify installation
Once the chart is installed, verify the Dapr control plane system service pods are running in the `dapr-system` namespace:
```
kubectl get pods --namespace dapr-system
```
## Uninstall the Chart
To uninstall/delete the `dapr` release:
```
helm uninstall dapr -n dapr-system
```
## Upgrade the charts
Follow the upgrade HowTo instructions in [Upgrading Dapr with Helm](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#upgrading-dapr-with-helm).
## Resource configuration
By default, all deployments are configured with blank `resources` attributes, which means that pods will consume as much cpu and memory as they want. This is probably fine for a local development or a non-production setup, but for production you should configure them. Consult Dapr docs and [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for guidance on setting these values.
For example, in order to configure the `memory.requests` setting for the `dapr-operator` deployment, configure a values.yml file with the following:
```yaml
dapr_operator:
resources:
requests:
memory: 200Mi
```
## Configuration
The Helm chart has the follow configuration options that can be supplied:
### Global options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
| `global.registry` | Docker image registry | `docker.io/daprio` |
| `global.tag` | Docker image version tag | latest release |
| `global.logAsJson` | Json log format for control plane services | `false` |
| `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` |
| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry | `""` |
| `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` |
| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode | `3` |
| `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` |
| `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. | `25%` |
| `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` |
| `global.prometheus.port` | Prometheus scrape http endpoint port | `9090` |
| `global.mtls.enabled` | Mutual TLS enablement | `true` |
| `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` |
| `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` |
| `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` |
| `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` |
| `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` |
| `global.nodeSelector` | Pods will be scheduled onto a node node whose labels match the nodeSelector | `{}` |
| `global.tolerations` | Pods will be allowed to schedule onto a node whose taints match the tolerations | `{}` |
| `global.labels` | Custom pod labels | `{}` |
| `global.k8sLabels` | Custom metadata labels | `{}` |
| `global.issuerFilenames.ca` | Custom name of the file containing the root CA certificate inside the container | `ca.crt` |
| `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` |
| `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
| `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` |
| `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` |
### Dapr Operator options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
| `dapr_operator.replicaCount` | Number of replicas | `1` |
| `dapr_operator.logLevel` | Log level | `info` |
| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` |
| `dapr_operator.maxPodRestartsPerMinute` | Maximum number of pods in an invalid state that can be restarted per minute | `20` |
| `dapr_operator.image.name` | Docker image name (`global.registry/dapr_operator.image.name`) | `dapr` |
| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_operator.serviceReconciler.enabled`| If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.<br>Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` |
### Dapr Placement options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` |
| `dapr_placement.logLevel` | Service Log level | `info` |
| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` |
| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when `global.ha.enabled` is true | `false` |
| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when `global.ha.enabled` is true | `/var/run/dapr/raft-log` |
| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when `global.ha.enabled` is true | `C:\\raft-log` |
| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` |
| `dapr_placement.volumeclaims.storageClassName` | storage class name | |
| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` |
| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` |
### Dapr RBAC options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
| `dapr_rbac.secretReader.enabled` | Deploys a default secret reader Role and RoleBinding | `true` |
| `dapr_rbac.secretReader.namespace` | Namespace for the default secret reader | `default` |
### Dapr Sentry options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
| `dapr_sentry.replicaCount` | Number of replicas | `1` |
| `dapr_sentry.logLevel` | Log level | `info` |
| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` |
| `dapr_sentry.tls.issuer.certPEM` | Issuer Certificate cert | `""` |
| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` |
| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` |
| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
| `dapr_sentry.trustDomain` | Trust domain (logical group to manage app trust relationship) for access control list | `cluster.local` |
| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` |
### Dapr Sidecar Injector options:
| Parameter | Description | Default |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` |
| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` |
| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` |
| `dapr_sidecar_injector.logLevel` | Log level | `info` |
| `dapr_sidecar_injector.image.name` | Docker image name for Dapr runtime sidecar to inject into an application (`global.registry/dapr_sidecar_injector.image.name`) | `daprd`|
| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`|
| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` |
| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` |
| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_sidecar_injector.kubeClusterDomain` | Domain for this kubernetes cluster. If not set, will auto-detect the cluster domain through the `/etc/resolv.conf` file `search domains` content. | `cluster.local` |
| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` |
| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` |
| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` |
## Example of highly available configuration of the control plane
This command creates three replicas of each control plane pod for an HA deployment (with the exception of the Placement pod) in the dapr-system namespace:
```
helm install dapr dapr/dapr --namespace dapr-system --set global.ha.enabled=true --wait
```
## Example of installing edge version of Dapr
This command deploys the latest `edge` version of Dapr to `dapr-system` namespace. This is useful if you want to deploy the latest version of Dapr to test a feature or some capability in your Kubernetes cluster.
```
helm install dapr dapr/dapr --namespace dapr-system --set-string global.tag=edge --wait
```
## Example of installing dapr on Minikube
Configure a values file with these options:
```yaml
dapr_dashboard:
runAsNonRoot: false
logLevel: DEBUG
serviceType: NodePort # Allows retrieving the dashboard url by running the command "minikube service list"
dapr_placement:
runAsNonRoot: false
logLevel: DEBUG
dapr_operator:
runAsNonRoot: false
logLevel: DEBUG
dapr_sentry:
runAsNonRoot: false
logLevel: DEBUG
dapr_sidecar_injector:
runAsNonRoot: false
logLevel: DEBUG
global:
logAsJson: true
```
Install dapr:
```bash
helm install dapr dapr/dapr --namespace dapr-system --values values.yml --wait
```
## Example of debugging dapr
Rebuild dapr binaries and docker images:
```bash
make release GOOS=linux GOARCH=amd64 DEBUG=1
export DAPR_TAG=dev
export DAPR_REGISTRY=<your docker.io id>
docker login
make docker-push DEBUG=1
```
Take dapr_operator as an example, configure the corresponding `debug.enabled` option in a value file:
```yaml
global:
registry: docker.io/<your docker.io id>
tag: "dev-linux-amd64"
dapr_operator:
debug:
enabled: true
```
Step into dapr project, and install dapr:
```bash
helm install dapr charts/dapr --namespace dapr-system --values values.yml --wait
```
Find the target dapr-operator pod:
```bash
kubectl get pods -n dapr-system -o wide
```
Port forward the debugging port so that it's visible to your IDE:
```bash
kubectl port-forward dapr-operator-5c99475ffc-m9z9f 40000:40000 -n dapr-system
```
## Example of using nodeSelector option
```
helm install dapr dapr/dapr --namespace dapr-system --set global.nodeSelector.myLabel=myValue --wait
```


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr configuration
name: dapr_config
version: 1.11.0


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dapr_config.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dapr_config.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dapr_config.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,15 @@
{{- if .Values.dapr_config_chart_included }}
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: {{ .Values.dapr_default_system_config_name }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
mtls:
enabled: {{ .Values.global.mtls.enabled }}
workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }}
allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }}
{{- end }}


@ -0,0 +1,4 @@
# This value is essential in determining whether to build this chart or not based on the usecase. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
dapr_config_chart_included: true
dapr_default_system_config_name: "daprsystem"
component: config


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes Operator
name: dapr_operator
version: 1.11.0


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dapr_operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dapr_operator.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dapr_operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,247 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-cert"}}
{{- $existingCA := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-ca"}}
{{- $ca := genCA "dapr-webhook-ca" 3650 }}
{{- $cn := printf "dapr-webhook" }}
{{- $altName1 := printf "dapr-webhook.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-webhook.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-webhook.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-webhook.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-cert
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-ca
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingCA }}caBundle: {{ index $existingCA.data "caBundle" }}
{{ else }}caBundle: {{ b64enc $ca.Cert }}
{{ end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-operator
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if eq .Values.global.ha.enabled true }}
replicas: {{ .Values.global.ha.replicaCount }}
{{- else }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
app: dapr-operator
template:
metadata:
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
spec:
containers:
- name: dapr-operator
livenessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- if contains "/" .Values.image.name }}
image: "{{ .Values.image.name }}"
{{- else }}
image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 6500
{{- if eq .Values.global.prometheus.enabled true }}
- name: metrics
containerPort: {{ .Values.global.prometheus.port }}
protocol: TCP
{{- end }}
{{- if eq .Values.debug.enabled true }}
- name: debug
containerPort: {{ .Values.debug.port }}
protocol: TCP
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
readOnly: true
- name: webhook-creds
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
mountPath: "C:\\Windows\\TEMP\\k8s-webhook-server\\serving-certs"
{{- else }}
mountPath: /tmp/k8s-webhook-server/serving-certs
{{- end }}
readOnly: true
command:
{{- if eq .Values.debug.enabled false }}
- "/operator"
{{- else }}
- "/dlv"
{{- end }}
args:
{{- if eq .Values.debug.enabled true }}
- "--listen=:{{ .Values.debug.port }}"
- "--accept-multiclient"
- "--headless=true"
- "--log"
- "--api-version=2"
- "exec"
- "/operator"
- "--"
{{- end }}
- "--watch-interval"
- "{{ .Values.watchInterval }}"
- "--max-pod-restarts-per-minute"
- "{{ .Values.maxPodRestartsPerMinute }}"
- "--log-level"
- "{{ .Values.logLevel }}"
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--metrics-port"
- "{{ .Values.global.prometheus.port }}"
{{- else }}
- "--enable-metrics=false"
{{- end }}
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
{{- if .Values.watchNamespace }}
- "--watch-namespace"
- "{{ .Values.watchNamespace }}"
{{- end }}
{{- if not .Values.serviceReconciler.enabled }}
- "--disable-service-reconciler"
{{- end }}
{{- if .Values.global.argoRolloutServiceReconciler.enabled }}
- "--enable-argo-rollout-service-reconciler"
{{- end }}
{{- if .Values.global.operator.watchdogCanPatchPodLabels }}
- "--watchdog-can-patch-pod-labels"
{{- end }}
serviceAccountName: dapr-operator
volumes:
- name: credentials
secret:
secretName: dapr-trust-bundle
- name: webhook-creds
secret:
secretName: dapr-webhook-cert
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- {{ .Values.global.daprControlPlaneOs }}
{{- if .Values.global.daprControlPlaneArch }}
- key: kubernetes.io/arch
operator: In
values:
- {{ .Values.global.daprControlPlaneArch }}
{{- end }}
{{- if .Values.global.ha.enabled }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dapr-operator
topologyKey: topology.kubernetes.io/zone
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
{{ toYaml .Values.global.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.global.tolerations }}
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
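Review bot: The container `securityContext` rendered under `{{- if eq .Values.global.daprControlPlaneOs "linux" }}` sets only `runAsNonRoot`; it does not set `allowPrivilegeEscalation: false`, drop the default capability set, or request a seccomp profile, so the operator runs with the kubelet's default Linux capabilities although it only serves the webhook and watches resources. The debug-mode `SYS_PTRACE` can stay as an explicit `add` next to a `drop: [ALL]`; `readOnlyRootFilesystem: true` looks viable too since the only cert directory is mounted `readOnly: true`, but that needs confirming against the binary before adding it. Separately, `dapr-webhook-cert` and `dapr-webhook-ca` are looked up independently at the top of the template, so if only one of the two Secrets exists at upgrade time the serving certificate and `caBundle` come from different CAs and webhook TLS verification fails; deriving both from one lookup, or regenerating the pair whenever either is missing, avoids that state. The generated CA and leaf are both valid for 3650 days with no rotation path, which deserves a comment above the `genCA` line.
```yaml
          {{- if eq .Values.global.daprControlPlaneOs "linux" }}
          securityContext:
            runAsNonRoot: {{ .Values.runAsNonRoot }}
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
              {{- if eq .Values.debug.enabled true }}
              add:
                - SYS_PTRACE
              {{- end }}
          {{- end }}
          # … unchanged: env, ports, resources, volumeMounts, command, args …
```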


@ -0,0 +1,31 @@
{{- if eq .Values.global.ha.enabled true }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: dapr-operator-disruption-budget
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if .Values.global.ha.disruption.minimumAvailable }}
minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }}
{{- end }}
{{- if .Values.global.ha.disruption.maximumUnavailable }}
maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }}
{{- end }}
selector:
matchLabels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}


@ -0,0 +1,31 @@
kind: Service
apiVersion: v1
metadata:
name: dapr-api
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
selector:
app: dapr-operator
ports:
- protocol: TCP
port: {{ .Values.ports.port }}
targetPort: {{ .Values.ports.targetPort }}
---
apiVersion: v1
kind: Service
metadata:
name: dapr-webhook
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
ports:
- port: 443
targetPort: 19443
protocol: TCP
selector:
app: dapr-operator


@ -0,0 +1,41 @@
replicaCount: 1
logLevel: info
watchInterval: "0"
watchNamespace: ""
maxPodRestartsPerMinute: 20
component: operator
# Override this to use a custom operator service image.
# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
image:
name: "operator"
nameOverride: ""
fullnameOverride: ""
runAsNonRoot: true
serviceReconciler:
enabled: true
ports:
protocol: TCP
port: 80
targetPort: 6500
resources: {}
livenessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
readinessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
debug:
enabled: false
port: 40000
initialDelaySeconds: 30000


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes placement
name: dapr_placement
version: 1.11.0


@ -0,0 +1,39 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dapr_placement.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dapr_placement.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dapr_placement.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create initial cluster peer list.
*/}}
{{- define "dapr_placement.initialcluster" -}}
{{- print "dapr-placement-server-0=dapr-placement-server-0.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort ",dapr-placement-server-1=dapr-placement-server-1.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort ",dapr-placement-server-2=dapr-placement-server-2.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort -}}
{{- end -}}


@ -0,0 +1,31 @@
{{- if and (eq .Values.global.ha.enabled true) (eq .Values.global.actors.enabled true) }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: dapr-placement-server-disruption-budget
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if .Values.global.ha.disruption.minimumAvailable }}
minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }}
{{- end }}
{{- if .Values.global.ha.disruption.maximumUnavailable }}
maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }}
{{- end }}
selector:
matchLabels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}


@ -0,0 +1,23 @@
{{- if eq .Values.global.actors.enabled true }}
kind: Service
apiVersion: v1
metadata:
name: dapr-placement-server
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
selector:
app: dapr-placement-server
# placement must be able to resolve pod address to join initial cluster peers
# before POD is ready
publishNotReadyAddresses: true
ports:
- name: api
port: {{ .Values.ports.apiPort }}
- name: raft-node
port: {{ .Values.ports.raftRPCPort }}
clusterIP: None
{{- end }}


@ -0,0 +1,232 @@
{{- if eq .Values.global.actors.enabled true }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dapr-placement-server
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if eq .Values.global.ha.enabled true }}
replicas: 3
{{- else }}
replicas: 1
{{- end }}
serviceName: dapr-placement-server
podManagementPolicy: Parallel
selector:
matchLabels:
app: dapr-placement-server
template:
metadata:
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
spec:
containers:
- name: dapr-placement-server
livenessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- if contains "/" .Values.image.name }}
image: "{{ .Values.image.name }}"
{{- else }}
image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
readOnly: true
{{- if eq .Values.global.ha.enabled true }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
- name: raft-log
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
mountPath: {{ .Values.cluster.logStoreWinPath }}
{{- else }}
mountPath: {{ .Values.cluster.logStorePath }}
{{- end }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.ports.apiPort }}
name: api
- containerPort: {{ .Values.ports.raftRPCPort }}
name: raft-node
{{- if eq .Values.global.prometheus.enabled true }}
- name: metrics
containerPort: {{ .Values.global.prometheus.port }}
protocol: TCP
{{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/placement"
{{- else }}
- "/dlv"
{{- end }}
args:
{{- if eq .Values.debug.enabled true }}
- "--listen=:{{ .Values.debug.port }}"
- "--accept-multiclient"
- "--headless=true"
- "--log"
- "--api-version=2"
- "exec"
- "/placement"
- "--"
{{- end }}
{{- if eq .Values.global.ha.enabled true }}
- "--id"
- "$(PLACEMENT_ID)"
- "--initial-cluster"
- {{ template "dapr_placement.initialcluster" . }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
- "--raft-logstore-path"
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
- "{{ .Values.cluster.logStoreWinPath }}\\cluster-v2-$(PLACEMENT_ID)"
{{- else }}
- "{{ .Values.cluster.logStorePath }}/cluster-v2-$(PLACEMENT_ID)"
{{- end }}
{{- end }}
{{- end }}
- "--log-level"
- {{ .Values.logLevel }}
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--replicationFactor"
- "{{ .Values.replicationFactor }}"
- "--metrics-port"
- "{{ .Values.global.prometheus.port }}"
{{- else }}
- "--enable-metrics=false"
{{- end }}
- "--tls-enabled"
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
{{- if eq .Values.cluster.forceInMemoryLog true }}
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- else }}
runAsUser: 0
{{- end }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
{{- end }}
env:
- name: PLACEMENT_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
serviceAccountName: dapr-placement
volumes:
- name: credentials
secret:
secretName: dapr-trust-bundle
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- {{ .Values.global.daprControlPlaneOs }}
{{- if .Values.global.daprControlPlaneArch }}
- key: kubernetes.io/arch
operator: In
values:
- {{ .Values.global.daprControlPlaneArch }}
{{- end }}
{{- if .Values.global.ha.enabled }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dapr-placement-server
topologyKey: topology.kubernetes.io/zone
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
{{ toYaml .Values.global.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.global.tolerations }}
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
{{- if eq .Values.global.ha.enabled true }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
volumeClaimTemplates:
- metadata:
name: raft-log
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.volumeclaims.storageSize }}
{{- if .Values.volumeclaims.storageClassName }}
storageClassName: {{ .Values.volumeclaims.storageClassName }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
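Review bot: With the shipped default `cluster.forceInMemoryLog: false`, the Linux `securityContext` branch renders `runAsUser: 0`, so the placement server runs as root solely to be able to write the `raft-log` volume; a pod-level `securityContext` with `fsGroup` set to the image's non-root group (value to be confirmed against the image) makes the PVC group-writable and lets both branches keep `runAsNonRoot: {{ .Values.runAsNonRoot }}`. As in the operator Deployment, `allowPrivilegeEscalation: false`, `capabilities: drop: [ALL]` and a `seccompProfile` are absent. In `args`, `- {{ .Values.logLevel }}` is the only unquoted argument, while the operator template writes `"{{ .Values.logLevel }}"`; quoting it the same way keeps the two charts consistent. On Windows, `mountPath: {{ .Values.cluster.logStoreWinPath }}` is emitted as a plain scalar while the `--raft-logstore-path` argument wraps the same value in double quotes, so the two render the value's backslashes differently; `mountPath: "{{ .Values.cluster.logStoreWinPath }}"` matches the argument.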


@ -0,0 +1,44 @@
logLevel: info
component: placement
# Override this to use a custom placement service image.
# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
image:
name: "placement"
nameOverride: ""
fullnameOverride: ""
ports:
protocol: TCP
apiPort: 50005
raftRPCPort: 8201
cluster:
forceInMemoryLog: false
logStorePath: /var/run/dapr/raft-log
logStoreWinPath: C:\\raft-log
volumeclaims:
storageSize: 1Gi
storageClassName:
replicationFactor: 100
livenessProbe:
initialDelaySeconds: 10
periodSeconds: 3
failureThreshold: 5
readinessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
debug:
enabled: false
port: 40000
initialDelaySeconds: 30000
runAsNonRoot: true
resources: {}
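Review bot: `storageClassName:` is a bare empty value, which YAML reads as `null`; the StatefulSet template only tests it for truthiness so this works, but an explicit `storageClassName: ""` with a comment such as `# empty means the cluster default StorageClass` avoids the yamllint `empty-values` hit and states the intent. `logStoreWinPath: C:\\raft-log` is a plain scalar, so the value really holds two backslashes, and it only renders as a single-backslash path where the template emits it inside a double-quoted YAML scalar; a comment like `# two backslashes are intentional: the template emits this inside a double-quoted scalar` would stop a well-meaning cleanup from breaking the Windows path.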


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes RBAC components
name: dapr_rbac
version: 1.11.0


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dapr_rbac.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dapr_rbac.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dapr_rbac.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,79 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations", "components"]
verbs: [ "get", "list"]
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-injector
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dapr-injector
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["dapr-trust-bundle"]
{{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["dapr.io"]
resources: ["configurations", "components"]
verbs: [ "get", "list"]
{{- end }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-injector
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dapr-injector


@ -0,0 +1,140 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-operator
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
---
{{- if not .Values.global.rbac.namespaced }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator-admin
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/finalizers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["statefulsets", "statefulsets/finalizers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
{{- if .Values.global.operator.watchdogCanPatchPodLabels }}
verbs: ["get", "list", "delete", "watch", "patch"]
{{- else }}
verbs: ["get", "list", "delete", "watch"]
{{- end }}
- apiGroups: [""]
resources: ["services","services/finalizers"]
verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["dapr.io"]
resources: ["components", "configurations", "subscriptions", "resiliencies", "httpendpoints"]
verbs: [ "get", "list", "watch"]
{{- end }}
{{- if .Values.global.argoRolloutServiceReconciler.enabled }}
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["get", "list", "watch"]
{{- end }}
---
{{- if not .Values.global.rbac.namespaced }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator-admin
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-operator
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dapr-operator-admin
{{- end }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "update", "create"]
resourceNames: ["operator.dapr.io", "webhooks.dapr.io"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "update", "create"]
resourceNames: ["operator.dapr.io", "webhooks.dapr.io"]
# We cannot use resourceNames for create because Kubernetes doesn't nessarily
# know resource names at authorization time.
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps", "events"]
verbs: ["create"]
{{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/finalizers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["statefulsets", "statefulsets/finalizers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "delete"]
- apiGroups: [""]
resources: ["services","services/finalizers"]
verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["dapr.io"]
resources: ["components", "configurations", "subscriptions", "resiliencies", "httpendpoints"]
verbs: [ "get", "list", "watch"]
{{- end }}
{{- if .Values.global.argoRolloutServiceReconciler.enabled }}
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["get", "list", "watch"]
{{- end }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-operator
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dapr-operator
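Review bot: In the first document, the `{{- if .Values.global.argoRolloutServiceReconciler.enabled }}` rule for `argoproj.io` `rollouts` sits after the `{{- end }}` of the `{{- if not .Values.global.rbac.namespaced }}` block, so with `rbac.namespaced: true` and the Argo reconciler enabled the ClusterRole header is suppressed but the bare `- apiGroups: ["argoproj.io"]` item is still emitted between two `---` separators, producing a document that is a sequence rather than an object and fails to apply. Moving that rule inside the `not namespaced` block fixes it; the `Role` document below already carries its own copy under `{{- if eq .Values.global.rbac.namespaced true }}`. Separately, in cluster-wide mode the `dapr-operator-admin` ClusterRole grants `secrets` `get`, `list`, `watch` in every namespace; a comment above that rule stating why cluster-wide Secret read is required (rather than `resourceNames` or a per-namespace Role) would let reviewers judge the grant.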


@ -0,0 +1,50 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-placement
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
---
{{- if eq .Values.global.rbac.namespaced true }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-placement
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["configmaps", "events"]
verbs: ["get"]
---
{{- if eq .Values.global.rbac.namespaced true }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-placement
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-placement
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if eq .Values.global.rbac.namespaced true }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: dapr-placement


@ -0,0 +1,33 @@
{{- if .Values.secretReader.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader
namespace: {{ .Values.secretReader.namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-secret-reader
namespace: {{ .Values.secretReader.namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: Role
name: secret-reader
apiGroup: rbac.authorization.k8s.io
{{- end }}
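Review bot: With the values shipped in this commit (`secretReader.enabled: true`, `secretReader.namespace: default`), this Role grants `get` on every Secret in the `default` namespace to the `default` ServiceAccount, which every pod in that namespace without an explicit `serviceAccountName` uses, and the binding is applied on a plain install. Defaulting `secretReader.enabled` to `false`, or at least documenting the grant above the `{{- if .Values.secretReader.enabled }}` guard, e.g. `# Grants the namespace's default ServiceAccount read access to ALL Secrets in .Values.secretReader.namespace; enable only where the Kubernetes secret store is used.`, makes the exposure visible to whoever installs the chart. The `RoleBinding` subject also omits `namespace:`, relying on it defaulting to the binding's namespace; writing `namespace: {{ .Values.secretReader.namespace }}` explicitly matches the other bindings in this commit.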


@ -0,0 +1,79 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations"]
verbs: ["list"]
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-sentry
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dapr-sentry
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "update", "delete"]
resourceNames: ["dapr-trust-bundle"]
{{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["dapr.io"]
resources: ["configurations"]
verbs: ["list"]
{{- end }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
subjects:
- kind: ServiceAccount
name: dapr-sentry
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dapr-sentry


@ -0,0 +1,4 @@
secretReader:
enabled: true
namespace: default
component: rbac


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Sentry
name: dapr_sentry
version: 1.11.0


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dapr_sentry.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dapr_sentry.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dapr_sentry.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,207 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-trust-bundle"}}
---
apiVersion: v1
kind: Secret
metadata:
name: dapr-trust-bundle
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if .Values.tls.issuer.certPEM }}issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
{{ else if $existingSecret }}issuer.crt: {{ index $existingSecret.data "issuer.crt" }}
{{ end }}
{{ if .Values.tls.issuer.keyPEM }}issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
{{ else if $existingSecret }}issuer.key: {{ index $existingSecret.data "issuer.key" }}
{{end}}
{{ if .Values.tls.root.certPEM }}ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
{{ else if $existingSecret }}ca.crt: {{ index $existingSecret.data "ca.crt" }}
{{end}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sentry
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if eq .Values.global.ha.enabled true }}
replicas: {{ .Values.global.ha.replicaCount }}
{{- else }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
app: dapr-sentry
template:
metadata:
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
spec:
containers:
- name: dapr-sentry
livenessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: 8080
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- if contains "/" .Values.image.name }}
image: "{{ .Values.image.name }}"
{{- else }}
image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 50001
{{- if eq .Values.global.prometheus.enabled true }}
- name: metrics
containerPort: {{ .Values.global.prometheus.port }}
protocol: TCP
{{- end }}
{{- if eq .Values.debug.enabled true }}
- name: debug
containerPort: {{ .Values.debug.port }}
protocol: TCP
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
readOnly: true
command:
{{- if eq .Values.debug.enabled false }}
- "/sentry"
{{- else }}
- "/dlv"
{{- end }}
args:
{{- if eq .Values.debug.enabled true }}
- "--listen=:{{ .Values.debug.port }}"
- "--accept-multiclient"
- "--headless=true"
- "--log"
- "--api-version=2"
- "exec"
- "/sentry"
- "--"
{{- end }}
- "--log-level"
- {{ .Values.logLevel }}
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--metrics-port"
- "{{ .Values.global.prometheus.port }}"
{{- else }}
- "--enable-metrics=false"
{{- end }}
- "--trust-domain"
- {{ .Values.tls.trustDomain }}
{{- if .Values.tokenAudience }}
- "--token-audience"
- {{ .Values.tokenAudience }}
{{- end }}
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
serviceAccountName: dapr-sentry
volumes:
- name: credentials
secret:
secretName: dapr-trust-bundle
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- {{ .Values.global.daprControlPlaneOs }}
{{- if .Values.global.daprControlPlaneArch }}
- key: kubernetes.io/arch
operator: In
values:
- {{ .Values.global.daprControlPlaneArch }}
{{- end }}
{{- if .Values.global.ha.enabled }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dapr-sentry
topologyKey: topology.kubernetes.io/zone
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
{{ toYaml .Values.global.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.global.tolerations }}
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
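Review bot: The sentry container's securityContext (the `daprControlPlaneOs "linux"` branch just below `imagePullPolicy`) sets only `runAsNonRoot`, yet this is the pod that mounts `dapr-trust-bundle` — the Secret this same template fills with `issuer.key` — so it should also drop all capabilities, forbid privilege escalation and opt into the runtime default seccomp profile, which is what a Pod Security Standards "restricted" namespace would demand anyway. `readOnlyRootFilesystem: true` looks safe since the only volume mount is read-only, but confirm sentry writes nothing to local disk before adding it. The debug branch (`/dlv --listen=:<port> --accept-multiclient --headless=true`) exposes an unauthenticated delve server to anything that can reach the pod; it is off by default, but a comment on `debug.enabled` should say it must never be enabled outside a disposable cluster.
```yaml
        {{- if eq .Values.global.daprControlPlaneOs "linux" }}
        securityContext:
          runAsNonRoot: {{ .Values.runAsNonRoot }}
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
            {{- if eq .Values.debug.enabled true }}
            add:
              - SYS_PTRACE
            {{- end }}
        {{- end }}
        # … unchanged: env, ports, resources, volumeMounts, command/args …
```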


@ -0,0 +1,31 @@
{{- if eq .Values.global.ha.enabled true }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: dapr-sentry-budget
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if .Values.global.ha.disruption.minimumAvailable }}
minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }}
{{- end }}
{{- if .Values.global.ha.disruption.maximumUnavailable }}
maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }}
{{- end }}
selector:
matchLabels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}


@ -0,0 +1,15 @@
kind: Service
apiVersion: v1
metadata:
name: dapr-sentry
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
selector:
app: dapr-sentry
ports:
- protocol: TCP
port: {{ .Values.ports.port }}
targetPort: {{ .Values.ports.targetPort }}


@ -0,0 +1,44 @@
replicaCount: 1
logLevel: info
component: sentry
# Override this to use a custom sentry service image.
# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
image:
name: "sentry"
nameOverride: ""
fullnameOverride: ""
tokenAudience: ""
ports:
protocol: TCP
port: 80
targetPort: 50001
tls:
issuer:
certPEM: ""
keyPEM: ""
root:
certPEM: ""
trustDomain: cluster.local
livenessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
readinessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
debug:
enabled: false
port: 40000
initialDelaySeconds: 30000
runAsNonRoot: true
resources: {}
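Review bot: `tls.issuer.keyPEM` and `tls.root.certPEM` are undocumented, and a key supplied this way ends up base64-encoded in the rendered Secret but also in the Helm release record (`helm get values`) and in whatever values file or CI pipeline carried it. The deployment template already falls back to an existing `dapr-trust-bundle` Secret via `lookup` when these are empty, so the safer workflow is to create that Secret out of band and leave these blank; that deserves a comment here, e.g. `# Leave empty and pre-create the dapr-trust-bundle Secret instead; values set here are persisted in the Helm release record.` A similar warning belongs on `debug.enabled`, which switches the container entrypoint to a headless delve listener.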


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for the Dapr sidecar injector
name: dapr_sidecar_injector
version: 1.11.0


@ -0,0 +1,234 @@
{{- if eq .Values.enabled true }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sidecar-injector
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if eq .Values.global.ha.enabled true }}
replicas: {{ .Values.global.ha.replicaCount }}
{{- else }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
app: dapr-sidecar-injector
template:
metadata:
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
spec:
{{- if .Values.hostNetwork }}
hostNetwork: true
{{- end }}
serviceAccountName: dapr-injector
containers:
- name: dapr-sidecar-injector
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.healthzPort }}
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: {{ .Values.healthzPort }}
{{- if eq .Values.debug.enabled false }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
{{- else }}
initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }}
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- if contains "/" .Values.injectorImage.name }}
image: "{{ .Values.injectorImage.name }}"
{{- else }}
image: "{{ .Values.global.registry }}/{{ .Values.injectorImage.name }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
{{- if eq .Values.runAsNonRoot true }}
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- else }}
runAsUser: 1000
{{- end }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
{{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/injector"
{{- else }}
- "/dlv"
{{- end }}
args:
{{- if eq .Values.debug.enabled true }}
- "--listen=:{{ .Values.debug.port }}"
- "--accept-multiclient"
- "--headless=true"
- "--log"
- "--api-version=2"
- "exec"
- "/injector"
- "--"
{{- end }}
- "--log-level"
- {{ .Values.logLevel }}
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--metrics-port"
- "{{ .Values.global.prometheus.port }}"
{{- else }}
- "--enable-metrics=false"
{{- end }}
- "--healthz-port"
- "{{ .Values.healthzPort }}"
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-secret-key"
- "{{ .ca }}"
- "--issuer-certificate-secret-key"
- "{{ .cert }}"
- "--issuer-key-secret-key"
- "{{ .key }}"
{{- end }}
env:
- name: TLS_CERT_FILE
value: /dapr/cert/tls.crt
- name: TLS_KEY_FILE
value: /dapr/cert/tls.key
{{- if .Values.kubeClusterDomain }}
- name: KUBE_CLUSTER_DOMAIN
value: "{{ .Values.kubeClusterDomain }}"
{{- end }}
- name: SIDECAR_IMAGE
{{- if contains "/" .Values.image.name }}
value: "{{ .Values.image.name }}"
{{- else }}
value: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}"
{{- end }}
- name: SIDECAR_IMAGE_PULL_POLICY
value: "{{ .Values.sidecarImagePullPolicy }}"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.ignoreEntrypointTolerations }}
- name: IGNORE_ENTRYPOINT_TOLERATIONS
value: "{{ .Values.ignoreEntrypointTolerations }}"
{{- end }}
{{- if not .Values.global.actors.enabled }}
- name: SKIP_PLACEMENT
value: "true"
{{- end }}
- name: SIDECAR_RUN_AS_NON_ROOT
value: "{{ .Values.sidecarRunAsNonRoot }}"
- name: SIDECAR_DROP_ALL_CAPABILITIES
value: "{{ .Values.sidecarDropALLCapabilities }}"
- name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM
value: "{{ .Values.sidecarReadOnlyRootFilesystem }}"
{{- if .Values.allowedServiceAccounts }}
- name: ALLOWED_SERVICE_ACCOUNTS
value: "{{ .Values.allowedServiceAccounts }}"
{{- end }}
{{- if .Values.allowedServiceAccounts }}
- name: ALLOWED_SERVICE_ACCOUNTS
value: "{{ .Values.allowedServiceAccounts }}"
{{- end }}
{{- if .Values.allowedServiceAccountsPrefixNames }}
- name: ALLOWED_SERVICE_ACCOUNTS_PREFIX_NAMES
value: "{{ .Values.allowedServiceAccountsPrefixNames }}"
{{- end }}
ports:
- name: https
containerPort: 4000
protocol: TCP
{{- if eq .Values.global.prometheus.enabled true }}
- name: metrics
containerPort: {{ .Values.global.prometheus.port }}
protocol: TCP
{{- end }}
{{- if eq .Values.debug.enabled true }}
- name: debug
containerPort: {{ .Values.debug.port }}
protocol: TCP
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: cert
mountPath: /dapr/cert
readOnly: true
volumes:
- name: cert
secret:
secretName: dapr-sidecar-injector-cert
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- {{ .Values.global.daprControlPlaneOs }}
{{- if .Values.global.daprControlPlaneArch }}
- key: kubernetes.io/arch
operator: In
values:
- {{ .Values.global.daprControlPlaneArch }}
{{- end }}
{{- if .Values.global.ha.enabled }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dapr-sidecar-injector
topologyKey: topology.kubernetes.io/zone
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
{{ toYaml .Values.global.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.global.tolerations }}
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
{{- end }}
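Review bot: The `ALLOWED_SERVICE_ACCOUNTS` env entry is emitted twice (two identical `{{- if .Values.allowedServiceAccounts }}` blocks back to back); Kubernetes resolves duplicate env names last-wins so it is harmless today, but this is the allow-list for which service accounts may receive a sidecar and should be defined exactly once — delete the second block. The container securityContext carries the same gap as the sentry deployment (no `allowPrivilegeEscalation: false`, no `capabilities.drop: [ALL]`, no seccomp profile) and the injector additionally serves the admission webhook's TLS key from `/dapr/cert`, so it is worth hardening identically. The `runAsNonRoot` branch also reads oddly: `runAsUser: 1000` is pinned only when `runAsNonRoot` is false, which is the permissive branch; if that is deliberate (e.g. to avoid clashing with a platform-assigned UID) a comment should say so.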


@ -0,0 +1,33 @@
{{- if eq .Values.enabled true }}
{{- if eq .Values.global.ha.enabled true }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: dapr-sidecar-injector-disruption-budget
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if .Values.global.ha.disruption.minimumAvailable }}
minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }}
{{- end }}
{{- if .Values.global.ha.disruption.maximumUnavailable }}
maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }}
{{- end }}
selector:
matchLabels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,19 @@
{{- if eq .Values.enabled true }}
apiVersion: v1
kind: Service
metadata:
name: dapr-sidecar-injector
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
type: ClusterIP
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
selector:
app: dapr-sidecar-injector
{{- end }}


@ -0,0 +1,59 @@
{{- if eq .Values.enabled true }}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-sidecar-injector-cert"}}
{{- $existingWebHookConfig := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace "dapr-sidecar-injector"}}
{{- $ca := genCA "dapr-sidecar-injector-ca" 3650 }}
{{- $cn := printf "dapr-sidecar-injector" }}
{{- $altName1 := printf "dapr-sidecar-injector.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-sidecar-injector.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-sidecar-injector.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-sidecar-injector.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-sidecar-injector-cert
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: dapr-sidecar-injector
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
webhooks:
- name: sidecar-injector.dapr.io
reinvocationPolicy: IfNeeded
clientConfig:
service:
namespace: {{ .Release.Namespace }}
name: dapr-sidecar-injector
path: "/mutate"
caBundle: {{ if $existingWebHookConfig }}{{ (index $existingWebHookConfig.webhooks 0).clientConfig.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
rules:
- apiGroups:
- ""
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
failurePolicy: {{ .Values.webhookFailurePolicy}}
sideEffects: None
admissionReviewVersions: ["v1", "v1beta1"]
{{- end }}
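Review bot: The webhook's `caBundle` and the serving certificate are recovered from two independent `lookup` calls, so whenever one object survives without the other — a deleted MutatingWebhookConfiguration, a restored namespace, or any `helm template`/dry-run/GitOps render where `lookup` returns nothing — a fresh `genCA`/`genSignedCert` pair is produced and the bundle the API server trusts no longer validates the cert the injector presents. Because the default `webhookFailurePolicy` is `Ignore`, that TLS failure is silent: pods are admitted without a sidecar rather than rejected. Consider storing `ca.crt` in `dapr-sidecar-injector-cert` alongside `tls.crt` so both the Secret and the webhook derive from one source, and document that rendering without cluster access rotates the CA every time. There is also no `namespaceSelector`; the webhook fires on every pod CREATE cluster-wide, including `kube-system` and the injector's own namespace, which is the classic deadlock once the policy is switched to `Fail`, so an exclusion selector should accompany that change.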


@ -0,0 +1,46 @@
enabled: true
replicaCount: 1
logLevel: info
component: sidecar-injector
# Override this to use a custom sidecar image.
# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
image:
name: "daprd"
# Override this to use a custom injector service image.
# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.injectorImage.name }}:{{ .Values.global.tag }}
injectorImage:
name: "injector"
nameOverride: ""
fullnameOverride: ""
webhookFailurePolicy: Ignore
sidecarImagePullPolicy: IfNotPresent
runAsNonRoot: true
sidecarRunAsNonRoot: true
sidecarReadOnlyRootFilesystem: true
sidecarDropALLCapabilities: false
allowedServiceAccounts: ""
allowedServiceAccountsPrefixNames: ""
resources: {}
kubeClusterDomain: cluster.local
ignoreEntrypointTolerations: "[{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"alibabacloud.com/eci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"azure.com/aci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"aws\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"huawei.com/cci\\\"}]"
hostNetwork: false
healthzPort: 8080
livenessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
readinessProbe:
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 5
debug:
enabled: false
port: 40000
initialDelaySeconds: 30000
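Review bot: `webhookFailurePolicy: Ignore` means that whenever the injector is unavailable or its TLS is broken, the API server admits pods without a sidecar, so any workload relying on Dapr for mTLS or access-control silently runs unprotected; that trade-off should be stated next to the key, e.g. `# Ignore: pods are created without a sidecar if the injector is down. Use Fail in production (with a namespaceSelector excluding kube-system).` Likewise `sidecarDropALLCapabilities: false` leaves every injected daprd with the runtime's default capability set and is the less-safe default of the three sidecar hardening switches; a one-line comment explaining why it is off (compatibility, presumably) would help operators decide. The `hostNetwork` switch also deserves a warning, since it exposes the webhook and metrics ports on the node's interfaces.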


@ -0,0 +1,92 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: components.dapr.io
labels:
app.kubernetes.io/part-of: "dapr"
spec:
group: dapr.io
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Component describes an Dapr component type
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
description: Auth represents authentication details for the component
properties:
secretStore:
type: string
required:
- secretStore
type: object
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
scopes:
items:
type: string
type: array
spec:
description: ComponentSpec is the spec for a component
properties:
initTimeout:
type: string
ignoreErrors:
type: boolean
metadata:
items:
description: MetadataItem is a name/value pair for a metadata
properties:
name:
type: string
secretKeyRef:
description: SecretKeyRef is a reference to a secret holding
the value for the metadata item. Name is the secret name,
and key is the field in the secret.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
value:
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
type:
type: string
version:
type: string
required:
- metadata
- type
- version
type: object
type: object
served: true
storage: true
names:
kind: Component
plural: components
singular: component
categories:
- all
- dapr
scope: Namespaced


@ -0,0 +1,403 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.2
creationTimestamp: null
name: configurations.dapr.io
labels:
app.kubernetes.io/part-of: "dapr"
spec:
group: dapr.io
names:
kind: Configuration
listKind: ConfigurationList
plural: configurations
singular: configuration
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Configuration describes an Dapr configuration setting.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConfigurationSpec is the spec for an configuration.
properties:
accessControl:
description: AccessControlSpec is the spec object in ConfigurationSpec.
properties:
defaultAction:
type: string
policies:
items:
description: AppPolicySpec defines the policy data structure
for each app.
properties:
appId:
type: string
defaultAction:
type: string
namespace:
type: string
operations:
items:
description: AppOperationAction defines the data structure
for each app operation.
properties:
action:
type: string
httpVerb:
items:
type: string
type: array
name:
type: string
required:
- action
- name
type: object
type: array
trustDomain:
type: string
required:
- appId
type: object
type: array
trustDomain:
type: string
type: object
api:
description: APISpec describes the configuration for Dapr APIs.
properties:
allowed:
description: List of allowed APIs. Can be used in conjunction with denied.
items:
description: APIAccessRule describes an access rule for allowing or denying a Dapr API.
properties:
name:
type: string
protocol:
type: string
version:
type: string
required:
- name
- version
type: object
type: array
denied:
description: List of denied APIs. Can be used in conjunction with allowed.
items:
description: APIAccessRule describes an access rule for allowing or denying a Dapr API.
properties:
name:
type: string
protocol:
type: string
version:
type: string
required:
- name
- version
type: object
type: array
type: object
appHttpPipeline:
description: PipelineSpec defines the middleware pipeline.
properties:
handlers:
items:
description: HandlerSpec defines a request handlers.
properties:
name:
type: string
selector:
description: SelectorSpec selects target services to which
the handler is to be applied.
properties:
fields:
items:
description: SelectorField defines a selector fields.
properties:
field:
type: string
value:
type: string
required:
- field
- value
type: object
type: array
required:
- fields
type: object
type:
type: string
required:
- name
- type
type: object
type: array
required:
- handlers
type: object
components:
description: ComponentsSpec describes the configuration for Dapr components
properties:
deny:
description: Denylist of component types that cannot be instantiated
items:
type: string
type: array
type: object
features:
items:
description: FeatureSpec defines the features that are enabled/disabled.
properties:
enabled:
type: boolean
name:
type: string
required:
- enabled
- name
type: object
type: array
httpPipeline:
description: PipelineSpec defines the middleware pipeline.
properties:
handlers:
items:
description: HandlerSpec defines a request handlers.
properties:
name:
type: string
selector:
description: SelectorSpec selects target services to which
the handler is to be applied.
properties:
fields:
items:
description: SelectorField defines a selector fields.
properties:
field:
type: string
value:
type: string
required:
- field
- value
type: object
type: array
required:
- fields
type: object
type:
type: string
required:
- name
- type
type: object
type: array
required:
- handlers
type: object
logging:
description: LoggingSpec defines the configuration for logging.
properties:
apiLogging:
description: Configure API logging.
properties:
enabled:
description: Default value for enabling API logging. Sidecars can always override this by setting `--enable-api-logging` to true or false explicitly. The default value is false.
type: boolean
obfuscateURLs:
description: 'When enabled, obfuscates the values of URLs in HTTP API logs, logging the route name rather than the full path being invoked, which could contain PII. Default: false. This option has no effect if API logging is disabled.'
type: boolean
omitHealthChecks:
description: 'If true, health checks are not reported in API logs. Default: false. This option has no effect if API logging is disabled.'
type: boolean
type: object
type: object
metric:
default:
enabled: true
description: MetricSpec defines metrics configuration.
properties:
enabled:
type: boolean
rules:
items:
description: MetricsRule defines configuration options for a
metric.
properties:
labels:
items:
description: MetricsLabel defines an object that allows
to set regex expressions for a label.
properties:
name:
type: string
regex:
additionalProperties:
type: string
type: object
required:
- name
- regex
type: object
type: array
name:
type: string
required:
- labels
- name
type: object
type: array
required:
- enabled
type: object
metrics:
default:
enabled: true
description: MetricSpec defines metrics configuration.
properties:
enabled:
type: boolean
rules:
items:
description: MetricsRule defines configuration options for a
metric.
properties:
labels:
items:
description: MetricsLabel defines an object that allows
to set regex expressions for a label.
properties:
name:
type: string
regex:
additionalProperties:
type: string
type: object
required:
- name
- regex
type: object
type: array
name:
type: string
required:
- labels
- name
type: object
type: array
required:
- enabled
type: object
mtls:
description: MTLSSpec defines mTLS configuration.
properties:
allowedClockSkew:
type: string
enabled:
type: boolean
workloadCertTTL:
type: string
required:
- enabled
type: object
nameResolution:
description: NameResolutionSpec is the spec for name resolution configuration.
properties:
component:
type: string
configuration:
description: DynamicValue is a dynamic value struct for the component.metadata
pair value.
type: object
x-kubernetes-preserve-unknown-fields: true
version:
type: string
required:
- component
- configuration
- version
type: object
secrets:
description: SecretsSpec is the spec for secrets configuration.
properties:
scopes:
items:
description: SecretsScope defines the scope for secrets.
properties:
allowedSecrets:
items:
type: string
type: array
defaultAccess:
type: string
deniedSecrets:
items:
type: string
type: array
storeName:
type: string
required:
- storeName
type: object
type: array
required:
- scopes
type: object
tracing:
description: TracingSpec defines distributed tracing configuration.
properties:
otel:
description: OtelSpec defines Otel exporter configurations.
properties:
endpointAddress:
type: string
isSecure:
type: boolean
protocol:
type: string
required:
- endpointAddress
- isSecure
- protocol
type: object
samplingRate:
type: string
stdout:
type: boolean
zipkin:
description: ZipkinSpec defines Zipkin trace configurations.
properties:
endpointAddress:
type: string
required:
- endpointAddress
type: object
required:
- samplingRate
type: object
type: object
type: object
served: true
storage: true


@ -0,0 +1,82 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: httpendpoints.dapr.io
labels:
app.kubernetes.io/part-of: "dapr"
spec:
group: dapr.io
names:
kind: HTTPEndpoint
listKind: HTTPEndpointList
plural: httpendpoints
singular: httpendpoint
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external service invocation. This endpoint can be external to Dapr, or external to the environment.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
description: Auth represents authentication details for the component.
properties:
secretStore:
type: string
required:
- secretStore
type: object
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
scopes:
items:
type: string
type: array
spec:
description: HTTPEndpointSpec describes an access specification for allowing external service invocations.
properties:
baseUrl:
type: string
headers:
items:
description: Header is the name/value pair for a header specification.
properties:
name:
type: string
secretKeyRef:
description: SecretKeyRef is a reference to a secret holding the value for the metadata item. Name is the secret name, and key is the field in the secret.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
value:
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
required:
- baseUrl
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,135 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: resiliencies.dapr.io
labels:
app.kubernetes.io/part-of: "dapr"
spec:
group: dapr.io
names:
kind: Resiliency
listKind: ResiliencyList
plural: resiliencies
singular: resiliency
categories:
- dapr
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
scopes:
items:
type: string
type: array
spec:
properties:
policies:
properties:
circuitBreakers:
additionalProperties:
properties:
interval:
type: string
maxRequests:
type: integer
timeout:
type: string
trip:
type: string
type: object
type: object
retries:
additionalProperties:
properties:
duration:
type: string
maxInterval:
type: string
maxRetries:
type: integer
policy:
type: string
type: object
type: object
timeouts:
additionalProperties:
type: string
type: object
type: object
targets:
properties:
actors:
additionalProperties:
properties:
circuitBreaker:
type: string
circuitBreakerCacheSize:
type: integer
circuitBreakerScope:
type: string
retry:
type: string
timeout:
type: string
type: object
type: object
apps:
additionalProperties:
properties:
circuitBreaker:
type: string
circuitBreakerCacheSize:
type: integer
retry:
type: string
timeout:
type: string
type: object
type: object
components:
additionalProperties:
properties:
inbound:
properties:
circuitBreaker:
type: string
retry:
type: string
timeout:
type: string
type: object
outbound:
properties:
circuitBreaker:
type: string
retry:
type: string
timeout:
type: string
type: object
type: object
type: object
type: object
required:
- policies
- targets
type: object
type: object
served: true
storage: true
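Review bot: The `spec` node of the Resiliency `openAPIV3Schema` carries no `description`, while the HTTPEndpoint and Subscription schemas in the same commit describe theirs, so `kubectl explain resiliencies.spec` shows an empty entry for the one object users hand-write most. A one-liner such as `description: Resiliency policies (timeouts, retries, circuit breakers) and the apps, actors and components they are applied to.` under `spec` closes the gap; the same applies to `policies` and `targets`. `categories` lists only `dapr`, whereas the Subscription CRD lists `all` and `dapr`; if keeping resiliencies out of `kubectl get all` is deliberate, a comment on the list saying so would stop the next person from "fixing" it.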


@ -0,0 +1,174 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: subscriptions.dapr.io
labels:
app.kubernetes.io/part-of: "dapr"
spec:
group: dapr.io
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: replaceme # Patched by post-install webhook
name: dapr-webhook
path: /convert
#caBundle: Patched by post-install webhook
conversionReviewVersions:
- v1
- v2alpha1
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Subscription describes an pub/sub event subscription.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
scopes:
items:
type: string
type: array
spec:
description: SubscriptionSpec is the spec for an event subscription.
properties:
pubsubname:
type: string
route:
type: string
topic:
type: string
deadLetterTopic:
type: string
bulkSubscribe:
description: Represents bulk subscribe properies
properties:
enabled:
type: boolean
maxMessagesCount:
type: integer
maxAwaitDurationMs:
type: integer
required:
- enabled
type: object
metadata:
additionalProperties:
type: string
type: object
required:
- pubsubname
- route
- topic
type: object
type: object
served: true
storage: false
- name: v2alpha1
schema:
openAPIV3Schema:
description: Subscription describes an pub/sub event subscription.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
scopes:
items:
type: string
type: array
spec:
description: SubscriptionSpec is the spec for an event subscription.
properties:
metadata:
additionalProperties:
type: string
description: The optional metadata to provide the subscription.
type: object
pubsubname:
description: The PubSub component name.
type: string
routes:
description: The Routes configuration for this topic.
properties:
default:
type: string
rules:
description: The list of rules for this topic.
items:
description: Rule is used to specify the condition for sending
a message to a specific path.
properties:
match:
description: The optional CEL expression used to match the
event. If the match is not specified, then the route is
considered the default. The rules are tested in the order
specified, so they should be define from most-to-least
specific. The default route should appear last in the
list.
type: string
path:
description: The path for events that match this rule.
type: string
required:
- match
- path
type: object
type: array
type: object
topic:
description: The topic name to subscribe to.
type: string
deadLetterTopic:
description: The optional dead letter queue for this topic to send events to.
type: string
bulkSubscribe:
description: Represents bulk subscribe properies
properties:
enabled:
type: boolean
maxMessagesCount:
type: integer
maxAwaitDurationMs:
type: integer
required:
- enabled
type: object
required:
- pubsubname
- routes
- topic
type: object
type: object
served: true
storage: true
names:
kind: Subscription
listKind: SubscriptionList
plural: subscriptions
singular: subscription
categories:
- all
- dapr
scope: Namespaced
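Review bot: The conversion webhook `clientConfig` ships with `namespace: replaceme` and no `caBundle`, delegating both to a post-install hook that is not part of this file; until that patch lands the API server cannot reach or verify `dapr-webhook`, so any read or write of a Subscription that needs conversion between `v1alpha1` and the stored `v2alpha1` fails, and if the chart is rendered without hooks (`helm template`, or an installer that skips them) it stays that way. The comment could name the hook so an operator can confirm it ran, e.g. `namespace: replaceme # Patched by the post-install webhook hook; conversion fails until namespace and caBundle are set`. `conversionReviewVersions` lists `v2alpha1`, which looks like a Subscription API version rather than a ConversionReview version; the API server skips versions it does not recognise, so `v1` alone carries the conversion, but the intent is worth confirming. The two `bulkSubscribe` descriptions read `properies`, and both `openAPIV3Schema` descriptions read `an pub/sub`.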


@ -0,0 +1,9 @@
Thank you for installing Dapr: High-performance, lightweight serverless runtime for cloud and edge
Your release is named {{ .Release.Name }}.
To get started with Dapr, we recommend using our quickstarts:
https://github.com/dapr/quickstarts
For more information on running Dapr, visit:
https://dapr.io


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "k8s_operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "k8s_operator.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "k8s_operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
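Review bot: `k8s_operator.name` and `k8s_operator.fullname` read `.Values.nameOverride` and `.Values.fullnameOverride`, but neither key appears in the values.yaml added by this commit; if the two files belong to the same chart, declaring `nameOverride: ""` and `fullnameOverride: ""` there documents the knobs (the helpers already tolerate their absence through `default` and the truthiness check, so this is documentation rather than a fix). The leading `{{/* vim: set filetype=mustache: */}}` line is editor metadata; a header comment naming the chart these helpers serve and the resource-name limit they enforce would serve the next reader better, since the 63-character rationale is currently stated only on `fullname`.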


@ -0,0 +1,46 @@
global:
registry: docker.io/daprio
tag: '1.11.0'
dnsSuffix: ".cluster.local"
logAsJson: false
imagePullPolicy: IfNotPresent
imagePullSecrets: ""
nodeSelector: {}
tolerations: []
rbac:
namespaced: false
ha:
enabled: false
replicaCount: 3
disruption:
minimumAvailable: ""
maximumUnavailable: "25%"
prometheus:
enabled: true
port: 9090
mtls:
enabled: true
workloadCertTTL: 24h
allowedClockSkew: 15m
actors:
enabled: true
daprControlPlaneOs: linux
labels: {}
k8sLabels:
app.kubernetes.io/name: "{{ .Release.Name }}"
app.kubernetes.io/version: "{{ .Values.global.tag }}"
app.kubernetes.io/part-of: "dapr"
app.kubernetes.io/managed-by: "helm"
app.kubernetes.io/component: "{{ .Values.component }}" # Should be set in each subchart
issuerFilenames: {}
## the issuerFilenames dictionary, if setup, have to contain 3 keys: ca,cert,key
# issuerFilenames:
# ca: "ca.crt"
# cert: "tls.crt"
# key: "tls.key"
argoRolloutServiceReconciler:
enabled: false
operator:
watchdogCanPatchPodLabels: false
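Review bot: `global.registry` and `global.tag` select the control-plane images by mutable tag, and `imagePullPolicy: IfNotPresent` lets a node's cached copy win over the registry, so which bits run is decided by whichever node pulled first rather than by this file. If the consuming templates support a digest override, documenting it next to `tag` gives users a way to pin; otherwise a comment such as `tag: '1.11.0'  # mutable tag; with IfNotPresent a re-pushed tag is not re-pulled on nodes that already hold it` records the trade-off. `imagePullSecrets: ""` is an empty string where the Kubernetes field is a list; if the templates accept both forms, a comment saying so prevents users from handing it the wrong shape. `rbac.namespaced: false` and `mtls.enabled: true` are the two defaults with the widest blast radius and are undocumented; one line each on what flipping them changes would help reviewers of downstream overrides.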

12
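--- a/watches.yaml
+++ b/watches.yaml
@@ -0,0 +1,12 @@
+# Use the 'create api' subcommand to add watches to this file.
+- group: dapr.dapr.io
+  version: v1alpha1
+  kind: Dapr
+  chart: helm-charts/dapr
+  overrideValues:
+    dapr_operator:runAsNonRoot: "true"
+    dapr_placement.runAsNonRoot: "true"
+    dapr_sentry.runAsNonRoot: "true"
+    dapr_dashboard.runAsNonRoot: "true"
+#+kubebuilder:scaffold:watch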
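Review bot: The first `overrideValues` entry reads `dapr_operator:runAsNonRoot` with a colon where its three siblings use a dot; helm-operator passes these keys as Helm value paths (as `--set` would), so this one sets a top-level key literally named `dapr_operator:runAsNonRoot` and leaves `dapr_operator.runAsNonRoot` at the chart default, making the operator pod the one control-plane component the non-root enforcement is not applied to. Change it to `dapr_operator.runAsNonRoot: "true"`. A short comment above the map stating that these overrides are forced and cannot be undone from the `Dapr` CR's `spec.values` would also tell users why a conflicting value in the CR has no effect.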