From 597891f44a0902b8b5f11e725761ec098ad987aa Mon Sep 17 00:00:00 2001 
From: salaboy Date: Mon, 31 Jul 2023 16:10:53 +0100 Subject: [PATCH] initial commit, all code provided by @lburgazzoli --- .github/.DS_Store | Bin 0 -> 6148 bytes .github/dependabot.yml | 8 + .github/workflows/build.yaml | 45 ++ .gitignore | 158 +++++++ Dockerfile | 7 + Makefile | 264 ++++++++++++ PROJECT | 20 + README.md | 39 ++ bundle.Dockerfile | 20 + config/crd/bases/dapr.dapr.io_daprs.yaml | 44 ++ config/crd/kustomization.yaml | 6 + config/default/kustomization.yaml | 30 ++ config/default/manager_auth_proxy_patch.yaml | 57 +++ config/default/manager_config_patch.yaml | 10 + config/manager/kustomization.yaml | 8 + config/manager/manager.yaml | 99 +++++ .../dapr-operator.clusterserviceversion.yaml | 41 ++ config/manifests/kustomization.yaml | 7 + config/prometheus/kustomization.yaml | 2 + config/prometheus/monitor.yaml | 26 ++ .../rbac/auth_proxy_client_clusterrole.yaml | 16 + config/rbac/auth_proxy_role.yaml | 24 ++ config/rbac/auth_proxy_role_binding.yaml | 19 + config/rbac/auth_proxy_service.yaml | 21 + config/rbac/dapr_editor_role.yaml | 31 ++ config/rbac/dapr_viewer_role.yaml | 27 ++ config/rbac/kustomization.yaml | 18 + config/rbac/leader_election_role.yaml | 44 ++ config/rbac/leader_election_role_binding.yaml | 19 + config/rbac/role.yaml | 113 +++++ config/rbac/role_binding.yaml | 19 + config/rbac/service_account.yaml | 12 + config/samples/catalog.yaml | 13 + config/samples/kustomization.yaml | 5 + config/samples/sample.yaml | 51 +++ config/samples/subscription.yaml | 12 + config/scorecard/bases/config.yaml | 7 + config/scorecard/kustomization.yaml | 16 + config/scorecard/patches/basic.config.yaml | 10 + config/scorecard/patches/olm.config.yaml | 50 +++ hack/generate-catalog.sh | 39 ++ hack/operator-icon.svg | 15 + helm-charts/dapr/.helmignore | 24 ++ helm-charts/dapr/Chart.yaml | 5 + helm-charts/dapr/README.md | 258 +++++++++++ .../dapr/charts/dapr_config/.helmignore | 22 + .../dapr/charts/dapr_config/Chart.yaml | 5 + 
.../charts/dapr_config/templates/_helpers.tpl | 32 ++ .../templates/dapr_default_config.yaml | 15 + .../dapr/charts/dapr_config/values.yaml | 4 + .../dapr/charts/dapr_operator/.helmignore | 22 + .../dapr/charts/dapr_operator/Chart.yaml | 5 + .../dapr_operator/templates/_helpers.tpl | 32 ++ .../templates/dapr_operator_deployment.yaml | 247 +++++++++++ .../dapr_operator_poddisruptionbudget.yaml | 31 ++ .../templates/dapr_operator_service.yaml | 31 ++ .../dapr/charts/dapr_operator/values.yaml | 41 ++ .../dapr/charts/dapr_placement/.helmignore | 22 + .../dapr/charts/dapr_placement/Chart.yaml | 5 + .../dapr_placement/templates/_helpers.tpl | 39 ++ .../dapr_placement_poddisruptionbudget.yaml | 31 ++ .../templates/dapr_placement_service.yaml | 23 + .../templates/dapr_placement_statefulset.yaml | 232 ++++++++++ .../dapr/charts/dapr_placement/values.yaml | 44 ++ helm-charts/dapr/charts/dapr_rbac/.helmignore | 22 + helm-charts/dapr/charts/dapr_rbac/Chart.yaml | 5 + .../charts/dapr_rbac/templates/_helpers.tpl | 32 ++ .../charts/dapr_rbac/templates/injector.yaml | 79 ++++ .../charts/dapr_rbac/templates/operator.yaml | 140 ++++++ .../charts/dapr_rbac/templates/placement.yaml | 50 +++ .../dapr_rbac/templates/secret-reader.yaml | 33 ++ .../charts/dapr_rbac/templates/sentry.yaml | 79 ++++ helm-charts/dapr/charts/dapr_rbac/values.yaml | 4 + .../dapr/charts/dapr_sentry/.helmignore | 22 + .../dapr/charts/dapr_sentry/Chart.yaml | 5 + .../charts/dapr_sentry/templates/_helpers.tpl | 32 ++ .../templates/dapr_sentry_deployment.yaml | 207 +++++++++ .../dapr_sentry_poddisruptionbudget.yaml | 31 ++ .../templates/dapr_sentry_service.yaml | 15 + .../dapr/charts/dapr_sentry/values.yaml | 44 ++ .../charts/dapr_sidecar_injector/.helmignore | 22 + .../charts/dapr_sidecar_injector/Chart.yaml | 5 + .../dapr_sidecar_injector_deployment.yaml | 234 ++++++++++ ..._sidecar_injector_poddisruptionbudget.yaml | 33 ++ .../dapr_sidecar_injector_service.yaml | 19 + .../dapr_sidecar_injector_webhook_config.yaml 
| 59 +++ .../charts/dapr_sidecar_injector/values.yaml | 46 ++ helm-charts/dapr/crds/components.yaml | 92 ++++ helm-charts/dapr/crds/configuration.yaml | 403 ++++++++++++++++++ helm-charts/dapr/crds/httpendpoints.yaml | 82 ++++ helm-charts/dapr/crds/resiliency.yaml | 135 ++++++ helm-charts/dapr/crds/subscription.yaml | 174 ++++++++ helm-charts/dapr/templates/NOTES.txt | 9 + helm-charts/dapr/templates/_helpers.tpl | 32 ++ helm-charts/dapr/values.yaml | 46 ++ watches.yaml | 12 + 96 files changed, 4845 insertions(+) create mode 100644 .github/.DS_Store create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/build.yaml create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 Makefile create mode 100644 PROJECT create mode 100644 README.md create mode 100644 bundle.Dockerfile create mode 100644 config/crd/bases/dapr.dapr.io_daprs.yaml create mode 100644 config/crd/kustomization.yaml create mode 100644 config/default/kustomization.yaml create mode 100644 config/default/manager_auth_proxy_patch.yaml create mode 100644 config/default/manager_config_patch.yaml create mode 100644 config/manager/kustomization.yaml create mode 100644 config/manager/manager.yaml create mode 100644 config/manifests/bases/dapr-operator.clusterserviceversion.yaml create mode 100644 config/manifests/kustomization.yaml create mode 100644 config/prometheus/kustomization.yaml create mode 100644 config/prometheus/monitor.yaml create mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 config/rbac/auth_proxy_role.yaml create mode 100644 config/rbac/auth_proxy_role_binding.yaml create mode 100644 config/rbac/auth_proxy_service.yaml create mode 100644 config/rbac/dapr_editor_role.yaml create mode 100644 config/rbac/dapr_viewer_role.yaml create mode 100644 config/rbac/kustomization.yaml create mode 100644 config/rbac/leader_election_role.yaml create mode 100644 config/rbac/leader_election_role_binding.yaml create mode 100644 
config/rbac/role.yaml create mode 100644 config/rbac/role_binding.yaml create mode 100644 config/rbac/service_account.yaml create mode 100644 config/samples/catalog.yaml create mode 100644 config/samples/kustomization.yaml create mode 100644 config/samples/sample.yaml create mode 100644 config/samples/subscription.yaml create mode 100644 config/scorecard/bases/config.yaml create mode 100644 config/scorecard/kustomization.yaml create mode 100644 config/scorecard/patches/basic.config.yaml create mode 100644 config/scorecard/patches/olm.config.yaml create mode 100755 hack/generate-catalog.sh create mode 100644 hack/operator-icon.svg create mode 100644 helm-charts/dapr/.helmignore create mode 100644 helm-charts/dapr/Chart.yaml create mode 100644 helm-charts/dapr/README.md create mode 100644 helm-charts/dapr/charts/dapr_config/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_config/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_config/templates/_helpers.tpl create mode 100644 helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml create mode 100644 helm-charts/dapr/charts/dapr_config/values.yaml create mode 100644 helm-charts/dapr/charts/dapr_operator/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_operator/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_operator/templates/_helpers.tpl create mode 100644 helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml create mode 100644 helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml create mode 100644 helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml create mode 100644 helm-charts/dapr/charts/dapr_operator/values.yaml create mode 100644 helm-charts/dapr/charts/dapr_placement/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_placement/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_placement/templates/_helpers.tpl create mode 100644 
helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml create mode 100644 helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml create mode 100644 helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml create mode 100644 helm-charts/dapr/charts/dapr_placement/values.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_rbac/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/_helpers.tpl create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/secret-reader.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml create mode 100644 helm-charts/dapr/charts/dapr_rbac/values.yaml create mode 100644 helm-charts/dapr/charts/dapr_sentry/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_sentry/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_sentry/templates/_helpers.tpl create mode 100644 helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml create mode 100644 helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml create mode 100644 helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml create mode 100644 helm-charts/dapr/charts/dapr_sentry/values.yaml create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/.helmignore create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml create mode 100644 
helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml create mode 100644 helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml create mode 100644 helm-charts/dapr/crds/components.yaml create mode 100644 helm-charts/dapr/crds/configuration.yaml create mode 100644 helm-charts/dapr/crds/httpendpoints.yaml create mode 100644 helm-charts/dapr/crds/resiliency.yaml create mode 100644 helm-charts/dapr/crds/subscription.yaml create mode 100644 helm-charts/dapr/templates/NOTES.txt create mode 100644 helm-charts/dapr/templates/_helpers.tpl create mode 100644 helm-charts/dapr/values.yaml create mode 100644 watches.yaml
diff --git a/.github/.DS_Store b/.github/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..36b372c72cba58418798b30534145e40b446efdb
GIT binary patch literal 6148 zcmeHKJ5EC}5S)b+K{P2TeTCe>ioyxF0D>q@p7bOlMEfevm7_8HDTp3)NfXUV>#^56 zwmik#w*YMOxmyD(086?fzI~XR@4L_Jt|CUH^Nc+PjQGNFcbsMa9dPag86!S$_|1PG z-o|n8ZJ8910#ZN7!Kn+ zdI@6l0I?TNiHy)Jsl=pOwHTIk##`m}!YMK7uxdW6Zno-BENN(xAUn^M3Q+n4QzPpaBFdz{zWMt`My&WY~Ec~Ce+IVMIq=EBSI dQzT_x^Evl>;glG3#)D4O&w%S9lLFUP;0L2O71{s* literal 0 HcmV?d00001
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2122481
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "19:30"
+ timezone: Europe/Paris
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..e1d25ac
--- /dev/null
+++ b/.github/workflows/build.yaml
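Review bot: The Dependabot configuration covers only the `github-actions` ecosystem, so the base image pinned in `Dockerfile` (`quay.io/operator-framework/helm-operator:v1.28.1`) and the `kube-rbac-proxy` image referenced from `config/default/manager_auth_proxy_patch.yaml` will never receive update PRs; add a second entry, `- package-ecosystem: "docker"` with `directory: "/"` and the same `schedule`, so container pins are tracked too. The tool versions hard-coded in the Makefile's `curl` downloads (kustomize, operator-sdk, helm-operator, opm) are not covered by any Dependabot ecosystem and need a documented manual bump process.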
@@ -0,0 +1,45 @@
+name: build
+
+on:
+ #pull_request:
+ # branches:
+ # - main
+ push:
+ tags:
+ - "v*"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+ cancel-in-progress: true
+
+env:
+ IMAGE_VERSION: ${{ github.ref_name}}
+ IMAGE_TAG_BASE: "quay.io/lburgazzoli/dapr-operator"
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: check-out
+ uses: actions/checkout@v3
+ - name: Login to Quay.io
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+ password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+ - name: Build Operator Container Image
+ run: |
+ export VERSION="${IMAGE_VERSION#v}"
+
+ make bundle docker-build docker-push
+ - name: Build Operator Bundle
+ run: |
+ export VERSION="${IMAGE_VERSION#v}"
+
+ make bundle bundle-build bundle-push
+ - name: Build Operator Catalog
+ run: |
+ export VERSION="${IMAGE_VERSION#v}"
+
+ make catalog-build catalog-push
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8a4db02
--- /dev/null
+++ b/.gitignore
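Review bot: The workflow pins its actions by mutable major tags (`actions/checkout@v3`, `docker/login-action@v2`) and declares no `permissions:` block, so a job that handles registry credentials runs third-party action code that can change under the tag, with the repository's default `GITHUB_TOKEN` scope. Pin each action to a full commit SHA, `uses: actions/checkout@<commit-sha-placeholder>  # v3`, and add a top-level `permissions:` with `contents: read` so the token is least-privilege. The `concurrency.group` expression references `github.event.pull_request.number` although the `pull_request` trigger is commented out; on `push` it falls through to `github.sha`, so it is harmless but misleading. `make bundle` is also run twice, in both the container-image and bundle steps, on the same runner workspace; the second invocation looks redundant.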
@@ -0,0 +1,158 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+bin/
+
+# Released Packages
+*.tar.gz
+
+# Release Notes
+/release-notes.md
+
+# IDEs
+.idea
+*.iml
+.project
+.metadata
+.gopath
+
+# envrc
+.envrc
+
+# eclipse / vscode
+.settings
+.classpath
+.factorypath
+
+# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+projectile-bookmarks.eld
+
+# directory configuration
+.dir-locals.el
+
+# saveplace
+places
+
+# url cache
+url/cache/
+
+# cedet
+ede-projects.el
+
+# smex
+smex-items
+
+# company-statistics
+company-statistics-cache.el
+
+# anaconda-mode
+anaconda-mode/
+
+### Go ###
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with 'go test -c'
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+### Vim ###
+# swap
+.sw[a-p]
+.*.sw[a-p]
+# session
+Session.vim
+# temporary
+.netrwhist
+# auto-generated tag files
+tags
+
+### VisualStudioCode ###
+.vscode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+# Unix line endings for the Maven wrapper script
+mvnw text eol=lf
+.history
+
+# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+
+### config kustomize ###
+config/**/*.gen.tmpl
+config/**/*.gen.yaml
+config/**/*.gen.json
+
+*-installer*
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7fa8ba9
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+# Build the manager binary
+FROM quay.io/operator-framework/helm-operator:v1.28.1
+
+ENV HOME=/opt/helm
+COPY watches.yaml ${HOME}/watches.yaml
+COPY helm-charts ${HOME}/helm-charts
+WORKDIR ${HOME}
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..89ab56e
--- /dev/null
+++ b/Makefile
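Review bot: The ignore list has no `.DS_Store` entry, and the same commit adds a binary `.github/.DS_Store` (macOS Finder metadata) to the repository; add `.DS_Store` to this file and drop the committed artifact with `git rm --cached .github/.DS_Store`. The line `mvnw text eol=lf` is a `.gitattributes` directive, not an ignore pattern; as written it ignores only a path literally named `mvnw text eol=lf`, so it should move to `.gitattributes` or be removed. The `*.exe`, `*.exe~`, `*.dll`, `*.so`, `*.dylib`, `*.test` and `*.out` patterns appear twice (top of file and again under `### Go ###`); one copy can go.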
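Review bot: `FROM quay.io/operator-framework/helm-operator:v1.28.1` pins the base image by tag only; tags are mutable, so the operator image can change content between builds without any change in this repository and its provenance cannot be tied to a specific upstream build. Pin by digest as well, `FROM quay.io/operator-framework/helm-operator:v1.28.1@sha256:<digest-placeholder>`, and let a Dependabot `docker` entry bump it. The `# Build the manager binary` comment is left over from a Go scaffold; this image only copies `watches.yaml` and the charts, so `# helm-operator base image with the vendored dapr chart and watches.yaml` describes it better.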
@@ -0,0 +1,264 @@ +# VERSION defines the project version for the bundle. +# Update this value when you upgrade the version of your project. +# To re-generate a bundle for another specific version without changing the standard setup, you can: +# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) +# - use environment variables to overwrite this value (e.g export VERSION=0.0.2) +VERSION ?= 0.0.22 + +MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) +PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH))) +LOCAL_BIN_PATH := ${PROJECT_PATH}/bin + +# CHANNELS define the bundle channels used in the bundle. +# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") +# To re-generate a bundle for other specific channels without changing the standard setup, you can: +# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) +# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") +ifneq ($(origin CHANNELS), undefined) +BUNDLE_CHANNELS := --channels=$(CHANNELS) +endif + +# DEFAULT_CHANNEL defines the default channel used in the bundle. +# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable") +# To re-generate a bundle for any other default channel without changing the default setup, you can: +# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable) +# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable") +ifneq ($(origin DEFAULT_CHANNEL), undefined) +BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) +endif +BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) + +# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. +# This variable is used to construct full image tags for bundle and catalog images. 
+# +# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both +# dapr.io/dapr-operator-bundle:$VERSION and dapr.io/dapr-operator-catalog:$VERSION. +IMAGE_TAG_BASE ?= quay.io/lburgazzoli/dapr-operator + +# BUNDLE_IMG defines the image:tag used for the bundle. +# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) +BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) + +# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command +BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) + +# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests +# You can enable this value if you would like to use SHA Based Digests +# To enable set flag to true +USE_IMAGE_DIGESTS ?= false +ifeq ($(USE_IMAGE_DIGESTS), true) + BUNDLE_GEN_FLAGS += --use-image-digests +endif + +# Image URL to use all building/pushing image targets +IMG ?= $(IMAGE_TAG_BASE):v$(VERSION) + +# dapr helm chart related info +HELM_CHART_REPO ?= https://dapr.github.io/helm-charts +HELM_CHART ?= dapr +HELM_CHART_VERSION ?= 1.11.0 +HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz + +.PHONY: all +all: docker-build + +##@ General + +# The help target prints out all targets with their descriptions organized +# beneath their categories. The categories are represented by '##@' and the +# target descriptions by '##'. The awk commands is responsible for reading the +# entire set of makefiles included in this invocation, looking for lines of the +# file as xyz: ## something, and then pretty-format the target and help. Then, +# if there's a line with ##@ something, that gets pretty-printed as a category. 
+# More info on the usage of ANSI control characters for terminal formatting: +# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info on the awk command: +# http://linuxcommand.org/lc3_adv_awk.php + +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +.PHONY: init +init: operator-sdk + $(OPERATOR_SDK) init \ + --plugins helm \ + --domain dapr.io \ + --group dapr \ + --version v1alpha1 \ + --kind Dapr \ + --helm-chart-repo $(HELM_CHART_REPO) \ + --helm-chart $(HELM_CHART) \ + --helm-chart-version $(HELM_CHART_VERSION) + + +.PHONY: update +update: + rm -rf $(PROJECT_PATH)/helm-charts/dapr + mkdir -p $(PROJECT_PATH)/helm-charts/dapr + + curl --location --silent $(HELM_CHART_URL) \ + | tar xzf - \ + --directory $(PROJECT_PATH)/helm-charts/dapr \ + --strip-components=1 + +##@ Build + +.PHONY: run +run: helm-operator ## Run against the configured Kubernetes cluster in ~/.kube/config + $(HELM_OPERATOR) run + +.PHONY: docker-build +docker-build: ## Build docker image with the manager. + docker build -t ${IMG} . + +.PHONY: docker-push +docker-push: ## Push docker image with the manager. + docker push ${IMG} + +##@ Deployment + +.PHONY: install +install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. + $(KUSTOMIZE) build config/crd | kubectl apply -f - + +.PHONY: uninstall +uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. + $(KUSTOMIZE) build config/crd | kubectl delete -f - + +.PHONY: deploy +deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
+ cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/default | kubectl apply -f - + +.PHONY: undeploy +undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. + $(KUSTOMIZE) build config/default | kubectl delete -f - + +OS := $(shell uname -s | tr '[:upper:]' '[:lower:]') +ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') + +.PHONY: kustomize +KUSTOMIZE = $(shell pwd)/bin/kustomize +kustomize: ## Download kustomize locally if necessary. +ifeq (,$(wildcard $(KUSTOMIZE))) +ifeq (,$(shell which kustomize 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(KUSTOMIZE)) ;\ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCH).tar.gz | \ + tar xzf - -C bin/ ;\ + } +else +KUSTOMIZE = $(shell which kustomize) +endif +endif + +.PHONY: operator-sdk +OPERATOR_SDK = $(shell pwd)/bin/operator-sdk +operator-sdk: ## Download operator-sdk locally if necessary, preferring the $(pwd)/bin path over global if both exist. +ifeq (,$(wildcard $(OPERATOR_SDK))) +ifeq (,$(shell which operator-sdk 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(OPERATOR_SDK)) ;\ + curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/operator-sdk_$(OS)_$(ARCH) ;\ + chmod +x $(OPERATOR_SDK) ;\ + } +else +OPERATOR_SDK = $(shell which operator-sdk) +endif +endif + +.PHONY: helm-operator +HELM_OPERATOR = $(shell pwd)/bin/helm-operator +helm-operator: ## Download helm-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. 
+ifeq (,$(wildcard $(HELM_OPERATOR))) +ifeq (,$(shell which helm-operator 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(HELM_OPERATOR)) ;\ + curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/helm-operator_$(OS)_$(ARCH) ;\ + chmod +x $(HELM_OPERATOR) ;\ + } +else +HELM_OPERATOR = $(shell which helm-operator) +endif +endif + +.PHONY: bundle +bundle: operator-sdk kustomize ## Generate bundle manifests and metadata, then validate generated files. + $(OPERATOR_SDK) generate kustomize manifests -q + cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) + $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) + $(OPERATOR_SDK) bundle validate ./bundle + +.PHONY: bundle-build +bundle-build: ## Build the bundle image. + docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . + +.PHONY: bundle-push +bundle-push: ## Push the bundle image. + $(MAKE) docker-push IMG=$(BUNDLE_IMG) + +.PHONY: opm +OPM = $(shell pwd)/bin/opm +opm: ## Download opm locally if necessary. +ifeq (,$(wildcard $(OPM))) +ifeq (,$(shell which opm 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(OPM)) ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.27.1/$(OS)-$(ARCH)-opm ;\ + chmod +x $(OPM) ;\ + } +else +OPM = $(shell which opm) +endif +endif + +# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0). +# These images MUST exist in a registry and be pull-able. +BUNDLE_IMGS ?= $(BUNDLE_IMG) + +# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0). +#CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION) +CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:latest + +# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image. 
+ifneq ($(origin CATALOG_BASE_IMG), undefined) +FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG) +endif + +# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'. +# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see: +# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator +.PHONY: catalog-build +catalog-build: opm ## Build a catalog image. + $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) + +# Push the catalog image. +.PHONY: catalog-push +catalog-push: ## Push a catalog image. + $(MAKE) docker-push IMG=$(CATALOG_IMG) + + + +.PHONY: openshift/deploy/catalog +openshift/deploy/catalog: ## Deploy catalog. + kubectl apply -f config/samples/catalog.yaml + +.PHONY: openshift/deploy/subscritpion +openshift/deploy/subscritpion: ## Deploy subscritpion. + kubectl apply -f config/samples/subscription.yaml + +.PHONY: openshift/deploy/dapr +openshift/deploy/dapr: ## Deploy sample. + kubectl apply -f config/samples/sample.yaml + +.PHONY: openshift/undeploy +openshift/undeploy: ## Deploy sample. + kubectl delete --ignore-not-found=true -f config/samples/sample.yaml + kubectl delete --ignore-not-found=true -f config/samples/subscription.yaml + kubectl delete --ignore-not-found=true -f config/samples/catalog.yaml + diff --git a/PROJECT b/PROJECT new file mode 100644 index 0000000..0bdb0ef --- /dev/null +++ b/PROJECT 
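Review bot: The `kustomize`, `operator-sdk`, `helm-operator` and `opm` targets fetch release binaries with `curl` and execute them without any integrity check, and `update` unpacks a chart tarball from the `master` branch of dapr/helm-charts straight into the tree; a replaced release asset or a modified tarball would flow into the bundle and the operator image unnoticed. Each download should be followed by a checksum comparison against a value recorded in the repository, for example `echo "<expected-sha256-placeholder>  $(OPERATOR_SDK)" | sha256sum -c -` before the `chmod +x`, and `HELM_CHART_URL` should point at a release tag rather than `master`. Minor: the target name `openshift/deploy/subscritpion` is misspelled (the README copies the typo into its commands), and the `openshift/undeploy` help text reads `## Deploy sample.` where `## Undeploy sample.` is meant.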
@@ -0,0 +1,20 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
+domain: dapr.io
+layout:
+- helm.sdk.operatorframework.io/v1
+plugins:
+ manifests.sdk.operatorframework.io/v2: {}
+ scorecard.sdk.operatorframework.io/v2: {}
+projectName: dapr-operator
+resources:
+- api:
+ crdVersion: v1
+ namespaced: true
+ domain: dapr.io
+ group: dapr
+ kind: Dapr
+ version: v1alpha1
+version: "3"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..94ffb02
--- /dev/null
+++ b/README.md
@@ -0,0 +1,39 @@
+# dapr-operator
+
+## setup
+
+```shell
+# install the catalog
+make openshift/deploy/catalog
+```
+
+## installation via cli
+
+```shell
+# waith for the catalog to be installed,
+# then install the subsription
+make openshift/deploy/subscritpion
+
+# wait thil the subscription is ready,
+# then deploy a dapr instance
+make openshift/deploy/dapr
+```
+
+- Cleanup:
+```shell
+# cleanup
+make openshift/undeploy:
+```
+
+## installation via UI
+
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/9fc376a0-aec1-4bae-861f-361ccd9952aa)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/97fc8672-1f0c-4c1b-bd39-59f3c72287f2)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/faab9ee5-23b5-469d-8fd5-7d1f8aee34d7)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/19168795-817f-420f-95e5-b3523e2c4b2b)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/d76d9e55-86a1-4d22-857c-28550660d3fd)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/0379f506-1a52-4cad-ace7-c14c241af76f)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/c14a3022-cdc3-4469-b668-5afeb8cbfb8f)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/c26fec46-182e-4eee-8f23-208379ac9afe)
+![image](https://github.com/lburgazzoli/dapr-operator/assets/1868933/ada9f1bb-6055-44f4-bac8-a5a83dc50689)
+
diff --git a/bundle.Dockerfile b/bundle.Dockerfile
new file mode 100644
index 0000000..c051f5d
--- /dev/null
+++ b/bundle.Dockerfile
@@ -0,0 +1,20 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=dapr-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.29.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/
diff --git a/config/crd/bases/dapr.dapr.io_daprs.yaml b/config/crd/bases/dapr.dapr.io_daprs.yaml
new file mode 100644
index 0000000..a27583f
--- /dev/null
+++ b/config/crd/bases/dapr.dapr.io_daprs.yaml
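Review bot: The label `operators.operatorframework.io.metrics.builder=operator-sdk-v1.29.0` records that this file was generated with operator-sdk 1.29.0, while the Makefile in the same commit downloads operator-sdk v1.28.1 when no global binary is present; the next `make bundle` on a clean machine will presumably rewrite this label and produce a diff that is not a real change. Regenerate the bundle with the pinned SDK, or bump the Makefile pin to the version actually used, so the committed output and the build tooling agree.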
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: daprs.dapr.dapr.io
+spec:
+ group: dapr.dapr.io
+ names:
+ kind: Dapr
+ listKind: DaprList
+ plural: daprs
+ singular: dapr
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Dapr is the Schema for the daprs API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Dapr
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ description: Status defines the observed state of Dapr
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
new file mode 100644
index 0000000..a444e2c
--- /dev/null
+++ b/config/crd/kustomization.yaml
@@ -0,0 +1,6 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/dapr.dapr.io_daprs.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
new file mode 100644
index 0000000..73051a3
--- /dev/null
+++ b/config/default/kustomization.yaml
@@ -0,0 +1,30 @@
+# Adds namespace to all resources.
+namespace: dapr-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: dapr-operator-
+
+# Labels to add to all resources and selectors.
+#labels:
+#- includeSelectors: true
+# pairs:
+# someName: someValue
+
+resources:
+- ../crd
+- ../rbac
+- ../manager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
new file mode 100644
index 0000000..dfe296b
--- /dev/null
+++ b/config/default/manager_auth_proxy_patch.yaml
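Review bot: `patchesStrategicMerge` lists only `manager_auth_proxy_patch.yaml`, while the same commit adds `config/default/manager_config_patch.yaml`, which is referenced nowhere; that patch only names the `manager` container and changes nothing, so either delete the file or add `- manager_config_patch.yaml` here if it is meant as the place for future manager settings. This overlay also omits the `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header that `config/manager/kustomization.yaml` carries; kustomize tolerates the omission, but adding the two lines keeps the overlays consistent and self-describing.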
@@ -0,0 +1,57 @@ +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=0" + ports: + - containerPort: 8443 + protocol: TCP + name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" + - "--leader-election-id=dapr-operator" + - "--zap-devel" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml new file mode 100644 index 0000000..f6f5891 --- /dev/null +++ b/config/default/manager_config_patch.yaml @@ -0,0 +1,10 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml new file mode 100644 index 0000000..13b6807 --- /dev/null +++ b/config/manager/kustomization.yaml 
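Review bot: The `manager` container args at the end of the patch enable `--zap-devel` in the default overlay, which switches controller-runtime's zap logger to its development configuration (debug level, console encoding, stack traces on warnings); drop it here and keep it for a development overlay. The sidecar is pinned by tag only (`gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1`); since it is the authentication boundary for /metrics, pin it by digest so the image cannot change underneath the tag. `--upstream=http://127.0.0.1:8080/` does match the manager's `--metrics-bind-address=127.0.0.1:8080`, so the unauthenticated metrics port stays loopback-only, which is correct.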
@@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: quay.io/lburgazzoli/dapr-operator + newTag: v0.0.22 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml new file mode 100644 index 0000000..d63f85a --- /dev/null +++ b/config/manager/manager.yaml 
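Review bot: The default image override `newName: quay.io/lburgazzoli/dapr-operator` points the generated Deployment at a personal registry account, so anyone applying config/default runs whatever that account publishes under `v0.0.22`; move it to a project-owned repository and consider adding a `digest:` entry next to `newTag` so the deployed bytes are pinned. The `apiVersion`/`kind` header sits between `resources` and `images`; placing it first matches convention and makes the file type obvious at a glance.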
@@ -0,0 +1,99 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. 
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault + containers: + - args: + - --leader-elect + - --leader-election-id=dapr-operator + - --zap-devel + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: 10m + memory: 64Mi + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/config/manifests/bases/dapr-operator.clusterserviceversion.yaml b/config/manifests/bases/dapr-operator.clusterserviceversion.yaml new file mode 100644 index 0000000..1a4fc17 --- /dev/null +++ b/config/manifests/bases/dapr-operator.clusterserviceversion.yaml 
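Review bot: The pod `securityContext` only sets `runAsNonRoot: true`; the `seccompProfile: type: RuntimeDefault` block stays commented out and neither container sets `readOnlyRootFilesystem`, so the deployment does not meet the restricted Pod Security Standard its own comment links to. Unless Kubernetes < 1.19 or OpenShift < 4.11 must be supported, uncomment `seccompProfile:` / `type: RuntimeDefault` and add `readOnlyRootFilesystem: true` beside `allowPrivilegeEscalation: false` (the Helm operator may need a writable temp dir, so verify with an emptyDir mount). The `manager` container has `requests` but no `limits`, whereas the kube-rbac-proxy sidecar in config/default/manager_auth_proxy_patch.yaml has both; add limits so a runaway reconcile cannot starve the node. The scaffold `TODO(user)` comments should be resolved or removed before this overlay is published.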
@@ -0,0 +1,41 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: '[]' + capabilities: Basic Install + name: dapr-operator.v0.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: {} + description: dapr + displayName: Dapr Helm Operator + icon: + - base64data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iMzY3cHgiIGhlaWdodD0iMjcwcHgiIHZpZXdCb3g9IjAgMCAzNjcgMjcwIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPCEtLSBHZW5lcmF0b3I6IFNrZXRjaCA1MS4zICg1NzU0NCkgLSBodHRwOi8vd3d3LmJvaGVtaWFuY29kaW5nLmNvbS9za2V0Y2ggLS0+CiAgICA8dGl0bGU+QXJ0Ym9hcmQ8L3RpdGxlPgogICAgPGRlc2M+Q3JlYXRlZCB3aXRoIFNrZXRjaC48L2Rlc2M+CiAgICA8ZGVmcz48L2RlZnM+CiAgICA8ZyBpZD0iQXJ0Ym9hcmQiIHN0cm9rZT0ibm9uZSIgc3Ryb2tlLXdpZHRoPSIxIiBmaWxsPSJub25lIiBmaWxsLXJ1bGU9ImV2ZW5vZGQiPgogICAgICAgIDxwYXRoIGQ9Ik04OS43OTE3MTE5LDE5My41MDg3NjEgTDYyLjkwMDAzOTIsMTkzLjUwODc2MSBMNjIuOTAwMDM5MiwxODUuMDY0MTIgQzYwLjMzMTEwNjQsMTg4LjI4ODk1IDU3LjczNDg4MzUsMTkwLjYzOTIxNSA1NS4xMTEyOTI2LDE5Mi4xMTQ5ODUgQzUwLjUyMDAwODQsMTk0LjY4MzkxOCA0NS4zMDAyMzM5LDE5NS45NjgzNjUgMzkuNDUxODEyNCwxOTUuOTY4MzY1IEMyOS45OTU5NTM0LDE5NS45NjgzNjUgMjEuNTc4NzI1NCwxOTIuNzE2MjU0IDE0LjE5OTg3NTksMTg2LjIxMTkzNSBDNS4zOTk5MTQ2NCwxNzguNDUwNDc4IDEsMTY4LjE3NDkwMSAxLDE1NS4zODQ4OTUgQzEsMTQyLjM3NjI1NyA1LjUwOTIyOTI5LDEzMS45OTEzNjUgMTQuNTI3ODIzMSwxMjQuMjI5OTA5IEMyMS42ODgwNDAxLDExOC4wNTM1MzggMjkuOTEzOTY3NCwxMTQuOTY1NCAzOS4yMDU4NTIsMTE0Ljk2NTQgQzQ0LjYxNzAwODMsMTE0Ljk2NTQgNDkuNzAwMTM5NSwxMTYuMTEzMjAzIDU0LjQ1NTM5ODEsMTE4LjQwODg0NSBDNTcuMTg4MzA1MywxMTkuNzIwNjQxIDYwLjAwMzE1NzYsMTIxLjg3OTYwNSA2Mi45MDAwMzkyLDEyNC44ODU4MDMgTDYyLjkwMDAzOTIsNzAuMzY0NTc2NiBMODkuNzkxNzExOSw3MC4zNjQ1NzY2IEw4OS43OTE3MTE5LDE5My41MDg3NjEgWiBNNjMuNzE5OTA3MywxNTUuNDY2ODgyIEM2My43MTk5MDczLDE1MC42NTY5NjUgNjIuMDI1NTMwMiwxNDYuNTcxMzMgNTguNjM2NzI1MywxNDMuMjA5ODU1IEM1NS4yNDc5MjAzLDEzOS44NDgzNzkgNTEuMTQ4NjIxLDEzOC4xNjc
2NjYgNDYuMzM4NzA0MiwxMzguMTY3NjY2IEM0MC45ODIyMDYxLDEzOC4xNjc2NjYgMzYuNTgyMjkxNCwxNDAuMTg5OTg3IDMzLjEzODgyODMsMTQ0LjIzNDY5IEMzMC4zNTEyNjI5LDE0Ny41MTQxNzggMjguOTU3NTAxMiwxNTEuMjU4MjA1IDI4Ljk1NzUwMTIsMTU1LjQ2Njg4MiBDMjguOTU3NTAxMiwxNTkuNjc1NTU5IDMwLjM1MTI2MjksMTYzLjQxOTU4NiAzMy4xMzg4MjgzLDE2Ni42OTkwNzUgQzM2LjUyNzYzMzMsMTcwLjc0Mzc3NyA0MC45Mjc1NDc5LDE3Mi43NjYwOTggNDYuMzM4NzA0MiwxNzIuNzY2MDk4IEM1MS4yMDMyNzkxLDE3Mi43NjYwOTggNTUuMzE2MjQyOCwxNzEuMDk5MDUgNTguNjc3NzE4NywxNjcuNzY0OTAzIEM2Mi4wMzkxOTQ2LDE2NC40MzA3NTYgNjMuNzE5OTA3MywxNjAuMzMxNDU3IDYzLjcxOTkwNzMsMTU1LjQ2Njg4MiBaIE0xOTAuNjUwMDYsMTkzLjUwODc2MSBMMTYzLjc1ODM4NywxOTMuNTA4NzYxIEwxNjMuNzU4Mzg3LDE4NS4wNjQxMiBDMTYxLjE4OTQ1NCwxODguMjg4OTUgMTU4LjU5MzIzMSwxOTAuNjM5MjE1IDE1NS45Njk2NDEsMTkyLjExNDk4NSBDMTUxLjM3ODM1NiwxOTQuNjgzOTE4IDE0Ni4xNTg1ODIsMTk1Ljk2ODM2NSAxNDAuMzEwMTYsMTk1Ljk2ODM2NSBDMTMwLjg1NDMwMSwxOTUuOTY4MzY1IDEyMi40MzcwNzMsMTkyLjcxNjI1NCAxMTUuMDU4MjI0LDE4Ni4yMTE5MzUgQzEwNi4yNTgyNjMsMTc4LjQ1MDQ3OCAxMDEuODU4MzQ4LDE2OC4xNzQ5MDEgMTAxLjg1ODM0OCwxNTUuMzg0ODk1IEMxMDEuODU4MzQ4LDE0Mi4zNzYyNTcgMTA2LjM2NzU3NywxMzEuOTkxMzY1IDExNS4zODYxNzEsMTI0LjIyOTkwOSBDMTIyLjU0NjM4OCwxMTguMDUzNTM4IDEzMC43NzIzMTUsMTE0Ljk2NTQgMTQwLjA2NDIsMTE0Ljk2NTQgQzE0NS40NzUzNTYsMTE0Ljk2NTQgMTUwLjU1ODQ4NywxMTYuMTEzMjAzIDE1NS4zMTM3NDYsMTE4LjQwODg0NSBDMTU4LjA0NjY1MywxMTkuNzIwNjQxIDE2MC44NjE1MDYsMTIxLjg3OTYwNSAxNjMuNzU4Mzg3LDEyNC44ODU4MDMgTDE2My43NTgzODcsMTE3LjQyNTAwNCBMMTkwLjY1MDA2LDExNy40MjUwMDQgTDE5MC42NTAwNiwxOTMuNTA4NzYxIFogTTE2NC41NzgyNTUsMTU1LjQ2Njg4MiBDMTY0LjU3ODI1NSwxNTAuNjU2OTY1IDE2Mi44ODM4NzgsMTQ2LjU3MTMzIDE1OS40OTUwNzMsMTQzLjIwOTg1NSBDMTU2LjEwNjI2OCwxMzkuODQ4Mzc5IDE1Mi4wMDY5NjksMTM4LjE2NzY2NiAxNDcuMTk3MDUyLDEzOC4xNjc2NjYgQzE0MS44NDA1NTQsMTM4LjE2NzY2NiAxMzcuNDQwNjM5LDE0MC4xODk5ODcgMTMzLjk5NzE3NiwxNDQuMjM0NjkgQzEzMS4yMDk2MTEsMTQ3LjUxNDE3OCAxMjkuODE1ODQ5LDE1MS4yNTgyMDUgMTI5LjgxNTg0OSwxNTUuNDY2ODgyIEMxMjkuODE1ODQ5LDE1OS42NzU1NTkgMTMxLjIwOTYxMSwxNjMuNDE5NTg2IDEzMy45OTcxNzYsMTY2LjY5OTA3NSBDMTM3LjM4NTk4MSwxNzAuNzQzNzc3IDE0MS43ODU4OTYsMTcyLjc2NjA5OCAxNDcuMTk3MDU
yLDE3Mi43NjYwOTggQzE1Mi4wNjE2MjcsMTcyLjc2NjA5OCAxNTYuMTc0NTkxLDE3MS4wOTkwNSAxNTkuNTM2MDY3LDE2Ny43NjQ5MDMgQzE2Mi44OTc1NDMsMTY0LjQzMDc1NiAxNjQuNTc4MjU1LDE2MC4zMzE0NTcgMTY0LjU3ODI1NSwxNTUuNDY2ODgyIFogTTI5NC41NDE5MiwxNTUuNTQ4ODY5IEMyOTQuNTQxOTIsMTY4LjU1NzUwNyAyOTAuMDMyNjksMTc4Ljk0MjM5OSAyODEuMDE0MDk3LDE4Ni43MDM4NTYgQzI3My44NTM4OCwxOTIuODgwMjI2IDI2NS42Mjc5NTIsMTk1Ljk2ODM2NSAyNTYuMzM2MDY4LDE5NS45NjgzNjUgQzI1MC45MjQ5MTEsMTk1Ljk2ODM2NSAyNDUuODQxNzgsMTk0LjgyMDU2MSAyNDEuMDg2NTIyLDE5Mi41MjQ5MTkgQzIzOC4zNTM2MTQsMTkxLjIxMzEyMyAyMzUuNTM4NzYyLDE4OS4wNTQxNTkgMjMyLjY0MTg4LDE4Ni4wNDc5NjEgTDIzMi42NDE4OCwyMzEuNTUwNjM5IEwyMDUuNzUwMjA4LDIzMS41NTA2MzkgTDIwNS43NTAyMDgsMTE3LjQyNTAwNCBMMjMyLjY0MTg4LDExNy40MjUwMDQgTDIzMi42NDE4OCwxMjUuODY5NjQ1IEMyMzUuMDQ2ODM5LDEyMi42OTk0NzMgMjM3LjY0MzA2MiwxMjAuMzQ5MjA4IDI0MC40MzA2MjcsMTE4LjgxODc4IEMyNDUuMDIxOTExLDExNi4yNDk4NDcgMjUwLjI0MTY4NiwxMTQuOTY1NCAyNTYuMDkwMTA3LDExNC45NjU0IEMyNjUuNTQ1OTY2LDExNC45NjU0IDI3My45NjMxOTQsMTE4LjIxNzUxIDI4MS4zNDIwNDQsMTI0LjcyMTgzIEMyOTAuMTQyMDA1LDEzMi40ODMyODYgMjk0LjU0MTkyLDE0Mi43NTg4NjMgMjk0LjU0MTkyLDE1NS41NDg4NjkgWiBNMjY2LjU4NDQxOCwxNTUuNDY2ODgyIEMyNjYuNTg0NDE4LDE1MS4xNDg4ODkgMjY1LjIxNzk4NSwxNDcuNDA0ODYyIDI2Mi40ODUwNzgsMTQ0LjIzNDY5IEMyNTkuMDQxNjE1LDE0MC4xODk5ODcgMjU0LjYxNDM3MiwxMzguMTY3NjY2IDI0OS4yMDMyMTUsMTM4LjE2NzY2NiBDMjQ0LjMzODY0MSwxMzguMTY3NjY2IDI0MC4yMjU2NzcsMTM5LjgzNDcxNCAyMzYuODY0MjAxLDE0My4xNjg4NjEgQzIzMy41MDI3MjUsMTQ2LjUwMzAwOCAyMzEuODIyMDEyLDE1MC42MDIzMDcgMjMxLjgyMjAxMiwxNTUuNDY2ODgyIEMyMzEuODIyMDEyLDE2MC4yNzY3OTkgMjMzLjUxNjM4OSwxNjQuMzYyNDM0IDIzNi45MDUxOTQsMTY3LjcyMzkxIEMyNDAuMjkzOTk5LDE3MS4wODUzODYgMjQ0LjM5MzI5OSwxNzIuNzY2MDk4IDI0OS4yMDMyMTUsMTcyLjc2NjA5OCBDMjU0LjYxNDM3MiwxNzIuNzY2MDk4IDI1OS4wMTQyODYsMTcwLjc0Mzc3NyAyNjIuNDAzMDkxLDE2Ni42OTkwNzUgQzI2NS4xOTA2NTcsMTYzLjQxOTU4NiAyNjYuNTg0NDE4LDE1OS42NzU1NTkgMjY2LjU4NDQxOCwxNTUuNDY2ODgyIFogTTM2My42NzEzNzMsMTQyLjI2NzAwNiBDMzU5Ljg5OTk2MSwxNDAuNDYzMjg4IDM1Ni4wNzM5NDksMTM5LjU2MTQ0MiAzNTIuMTkzMjIsMTM5LjU2MTQ0MiBDMzQzLjMzODYwMSwxMzkuNTYxNDQyIDMzNy41OTk1ODIsMTQzLjE2ODgyNSAzMzQ
uOTc1OTkxLDE1MC4zODM3IEMzMzMuOTkyMTQ0LDE1My4wMDcyOTEgMzMzLjUwMDIyOCwxNTYuNTMyNjg5IDMzMy41MDAyMjgsMTYwLjk1OTk5OCBMMzMzLjUwMDIyOCwxOTMuNTA4NzYxIEwzMDYuNjA4NTU2LDE5My41MDg3NjEgTDMwNi42MDg1NTYsMTE3LjQyNTAwNCBMMzMzLjUwMDIyOCwxMTcuNDI1MDA0IEwzMzMuNTAwMjI4LDEyOS44ODY5OTggQzMzNi4zNDI0NTIsMTI1LjQ1OTY4OSAzMzkuNDAzMjYyLDEyMi4yNjIyMzUgMzQyLjY4Mjc1MSwxMjAuMjk0NTQyIEMzNDcuMTEwMDYsMTE3LjY3MDk1MSAzNTIuMzU3MTY0LDExNi4zNTkxNzUgMzU4LjQyNDIxOCwxMTYuMzU5MTc1IEMzNTkuODQ1MzI5LDExNi4zNTkxNzUgMzYxLjU5NDM2NCwxMTYuNDQxMTYxIDM2My42NzEzNzMsMTE2LjYwNTEzNiBMMzYzLjY3MTM3MywxNDIuMjY3MDA2IFoiIGlkPSJkYXByIiBmaWxsPSIjMEQyMTkyIj48L3BhdGg+CiAgICAgICAgPHBvbHlnb24gaWQ9InRpZSIgZmlsbD0iIzBEMjE5MiIgZmlsbC1ydWxlPSJub256ZXJvIiBwb2ludHM9IjIwNS41Mzg0MDkgMTk0LjA2MjE3MiAyMzIuNjE0NTUxIDE5NC4wNjIxNzIgMjM0Ljk0NjYyMSAyNTcuNjMzODMxIDIxOS4wNzY0OCAyNjguNzU0NDMgMjAzLjIwNjMzOSAyNTcuNjMzODMxIj48L3BvbHlnb24+CiAgICAgICAgPHJlY3QgaWQ9IlJlY3RhbmdsZS00IiBmaWxsPSIjMEQyMTkyIiBmaWxsLXJ1bGU9Im5vbnplcm8iIHg9IjE0NC44Mjk0OTciIHk9IjIuMjc5MDg4MjkiIHdpZHRoPSIxMDIuNzIyNjQzIiBoZWlnaHQ9IjcyLjI5NDE0NDQiIHJ4PSIyIj48L3JlY3Q+CiAgICAgICAgPHJlY3QgaWQ9IlJlY3RhbmdsZS00IiBmaWxsPSIjRkZGRkZGIiBmaWxsLXJ1bGU9Im5vbnplcm8iIG9wYWNpdHk9IjAuMDc5OTk5OTk4MiIgeD0iMTQ0LjgyOTQ5NyIgeT0iMi4yNzkwODgyOSIgd2lkdGg9IjM3Ljk5NzYzNjkiIGhlaWdodD0iNzIuMjk0MTQ0NCI+PC9yZWN0PgogICAgICAgIDxyZWN0IGlkPSJSZWN0YW5nbGUtMyIgZmlsbD0iIzBEMjE5MiIgZmlsbC1ydWxlPSJub256ZXJvIiB4PSIxMTIuMzkwNzY4IiB5PSI2OS45MDkwOTQ0IiB3aWR0aD0iMTY2LjI0ODQ4OCIgaGVpZ2h0PSIxNy4zNTEzNDEyIiByeD0iMy43MjAxNiI+PC9yZWN0PgogICAgICAgIDxyZWN0IGlkPSJSZWN0YW5nbGUtNCIgZmlsbD0iI0ZGRkZGRiIgZmlsbC1ydWxlPSJub256ZXJvIiBvcGFjaXR5PSIwLjA3OTk5OTk5ODIiIHg9IjExMi4zOTA3NjgiIHk9IjY5LjkwOTA5NDQiIHdpZHRoPSI1MS40Mzc1NDc4IiBoZWlnaHQ9IjIxLjM1NTQ5NjkiPjwvcmVjdD4KICAgIDwvZz4KPC9zdmc+ + mediatype: image/svg+xml + install: + spec: + deployments: null + strategy: "" + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: 
AllNamespaces + keywords: + - dapr + links: + - name: Dapr Operator + url: https://dapr-operator.domain + maintainers: + - email: lburgazzoli@gmail.com + name: luca + maturity: alpha + provider: + name: dapr.io + version: 0.0.0 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml new file mode 100644 index 0000000..565b08d --- /dev/null +++ b/config/manifests/kustomization.yaml @@ -0,0 +1,7 @@ +# These resources constitute the fully configured set of manifests +# used to generate the 'manifests/' directory in a bundle. +resources: +- bases/dapr-operator.clusterserviceversion.yaml +- ../default +- ../samples +- ../scorecard diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml new file mode 100644 index 0000000..ed13716 --- /dev/null +++ b/config/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml new file mode 100644 index 0000000..da1cd35 --- /dev/null +++ b/config/prometheus/monitor.yaml @@ -0,0 +1,26 @@ + +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: servicemonitor + app.kubernetes.io/instance: controller-manager-metrics-monitor + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: https + scheme: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + tlsConfig: + insecureSkipVerify: true + selector: + matchLabels: + control-plane: controller-manager diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 0000000..32b5fd8 --- /dev/null 
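Review bot: `links[0].url: https://dapr-operator.domain` and `maintainers[0].email: lburgazzoli@gmail.com` are placeholder and personal values that would ship in the published bundle; replace the URL with the project's repository or docs URL and the maintainer with a project contact. `customresourcedefinitions: {}` and `deployments: null` are normally filled by `operator-sdk generate bundle`, so they are acceptable in the base, but `alm-examples: '[]'` only gets a Dapr example if the samples directory supplies one; config/samples/kustomization.yaml currently mixes sample.yaml with OLM CatalogSource/Subscription objects, so check what the generated annotation contains.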
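Review bot: `tlsConfig.insecureSkipVerify: true` on the /metrics endpoint disables certificate verification while the scrape sends the Prometheus service-account token from `bearerTokenFile`, so the token is handed to whatever answers on the `https` port without the scraper proving it reached kube-rbac-proxy. Prefer issuing the proxy a certificate (for example through cert-manager) and setting `tlsConfig.ca` plus `tlsConfig.serverName` instead of skipping verification; if the self-signed default must stay for now, a comment such as `# TODO: replace insecureSkipVerify with a CA once the proxy cert is managed` records the gap.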
+++ b/config/rbac/auth_proxy_client_clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml new file mode 100644 index 0000000..b6b8a53 --- /dev/null +++ b/config/rbac/auth_proxy_role.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 0000000..e9083a1 --- /dev/null +++ b/config/rbac/auth_proxy_role_binding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml new file mode 100644 index 0000000..4bbe1bf --- /dev/null +++ b/config/rbac/auth_proxy_service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: service + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/config/rbac/dapr_editor_role.yaml b/config/rbac/dapr_editor_role.yaml new file mode 100644 index 0000000..719a7fe --- /dev/null +++ b/config/rbac/dapr_editor_role.yaml 
@@ -0,0 +1,31 @@ +# permissions for end users to edit daprs. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: dapr-editor-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: dapr-editor-role +rules: +- apiGroups: + - dapr.dapr.io + resources: + - daprs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - dapr.dapr.io + resources: + - daprs/status + verbs: + - get diff --git a/config/rbac/dapr_viewer_role.yaml b/config/rbac/dapr_viewer_role.yaml new file mode 100644 index 0000000..f26cc6f --- /dev/null +++ b/config/rbac/dapr_viewer_role.yaml @@ -0,0 +1,27 @@ +# permissions for end users to view daprs. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: dapr-viewer-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: dapr-viewer-role +rules: +- apiGroups: + - dapr.dapr.io + resources: + - daprs + verbs: + - get + - list + - watch +- apiGroups: + - dapr.dapr.io + resources: + - daprs/status + verbs: + - get diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml new file mode 100644 index 0000000..731832a --- /dev/null +++ b/config/rbac/kustomization.yaml 
@@ -0,0 +1,18 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml new file mode 100644 index 0000000..e97496e --- /dev/null +++ b/config/rbac/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..10226ea --- /dev/null +++ b/config/rbac/leader_election_role_binding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml new file mode 100644 index 0000000..09b38c7 --- /dev/null +++ b/config/rbac/role.yaml 
@@ -0,0 +1,113 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + ## + ## Base operator rules + ## + # We need to get namespaces so the operator can read namespaces to ensure they exist + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + # We need to manage Helm release secrets + - apiGroups: + - "" + resources: + - secrets + verbs: + - "*" + # We need to create events on CRs about things happening during reconciliation + - apiGroups: + - "" + resources: + - events + verbs: + - create + # We need to install dapr's CRDs + - apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - "*" + + ## + ## Rules for dapr.dapr.io/v1alpha1, Kind: Dapr + ## + - apiGroups: + - dapr.dapr.io + resources: + - daprs + - daprs/status + - daprs/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - verbs: + - "*" + apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "clusterrolebindings" + - "clusterroles" + - verbs: + - "*" + apiGroups: + - "admissionregistration.k8s.io" + resources: + - "mutatingwebhookconfigurations" + - verbs: + - "*" + apiGroups: + - "" + resources: + - "secrets" + - "serviceaccounts" + - "services" + - verbs: + - "*" + apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "rolebindings" + - "roles" + - verbs: + - "*" + apiGroups: + - "apps" + resources: + - "deployments" + - "statefulsets" + - apiGroups: + - dapr.io + resources: + - components + - components/status + - components/finalizers + - configurations + - configurations/status + - configurations/finalizers + - resiliencies + - resiliencies/status + - resiliencies/finalizers + - subscriptions + - subscriptions/status + - subscriptions/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +#+kubebuilder:scaffold:rules 
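Review bot: Several rules in `manager-role` use `verbs: "*"` on `clusterroles`, `clusterrolebindings`, `roles`, `rolebindings`, `mutatingwebhookconfigurations` and cluster-wide `secrets`; `*` includes `bind` and `escalate`, so the controller-manager service account can grant itself or any other subject cluster-admin, and because this is a ClusterRole the secrets rule reads every Secret in every namespace. If the Dapr chart genuinely needs these objects, spell the verbs out (`create`, `get`, `list`, `watch`, `update`, `patch`, `delete`) so `bind`/`escalate` are not granted by accident, and consider serving the Helm release secrets from a namespaced Role when the release namespace is fixed. The core-group `secrets` rule with `"*"` appears twice (the "Helm release secrets" rule and the later combined rule), which is redundant. Rule layout is inconsistent (quoted versus unquoted group names, `verbs` first in some rules and last in others); one style would make the grants easier to audit.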
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml new file mode 100644 index 0000000..9102b7b --- /dev/null +++ b/config/rbac/role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml new file mode 100644 index 0000000..e4429e5 --- /dev/null +++ b/config/rbac/service_account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: dapr-operator + app.kubernetes.io/part-of: dapr-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system diff --git a/config/samples/catalog.yaml b/config/samples/catalog.yaml new file mode 100644 index 0000000..a2db366 --- /dev/null +++ b/config/samples/catalog.yaml @@ -0,0 +1,13 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: CatalogSource +metadata: + name: dapr-catalog + namespace: openshift-marketplace +spec: + sourceType: grpc + image: quay.io/lburgazzoli/dapr-operator-catalog:latest + displayName: Dapr Catalog + publisher: dapr.io + updateStrategy: + registryPoll: + interval: 10m diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml new file mode 100644 index 0000000..8e592be --- /dev/null +++ b/config/samples/kustomization.yaml 
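Review bot: `image: quay.io/lburgazzoli/dapr-operator-catalog:latest` combined with `registryPoll.interval: 10m` makes the cluster re-pull a mutable tag from a personal registry every ten minutes, and config/samples/subscription.yaml pairs it with `installPlanApproval: Automatic`, so any bundle pushed to that account is installed unattended with the cluster-wide permissions in config/rbac/role.yaml. For anything beyond a throwaway dev cluster pin the catalog to an immutable tag or digest and use `installPlanApproval: Manual`. The subscription's `startingCSV: dapr-operator.v1.11.0-2` matches no version visible in this commit (the CSV base is 0.0.0 and the manager image tag is v0.0.22), so confirm that CSV exists in the catalog. The `openshift-marketplace` / `openshift-operators` namespaces also tie both samples to OpenShift; a comment such as `# OpenShift-only sample; adjust namespaces for upstream OLM` would save the next user a failed apply.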
@@ -0,0 +1,5 @@ +## Append samples of your project ## +resources: + - catalog.yaml + - subscription.yaml + - sample.yaml diff --git a/config/samples/sample.yaml b/config/samples/sample.yaml new file mode 100644 index 0000000..36e37e9 --- /dev/null +++ b/config/samples/sample.yaml @@ -0,0 +1,51 @@ +apiVersion: dapr.dapr.io/v1alpha1 +kind: Dapr +metadata: + name: dapr-sample +spec: + global: + registry: docker.io/daprio + tag: "1.11.0" + dnsSuffix: ".cluster.local" + logAsJson: false + imagePullPolicy: IfNotPresent + imagePullSecrets: "" + nodeSelector: {} + tolerations: [] + rbac: + namespaced: false + ha: + enabled: false + replicaCount: 3 + disruption: + minimumAvailable: "" + maximumUnavailable: "25%" + prometheus: + enabled: true + port: 9090 + mtls: + enabled: true + workloadCertTTL: 24h + allowedClockSkew: 15m + actors: + enabled: true + daprControlPlaneOs: linux + labels: {} + k8sLabels: + app.kubernetes.io/name: "{{ .Release.Name }}" + app.kubernetes.io/version: "{{ .Values.global.tag }}" + app.kubernetes.io/part-of: "dapr" + app.kubernetes.io/managed-by: "helm" + app.kubernetes.io/component: "{{ .Values.component }}" # Should be set in each subchart + + issuerFilenames: {} + ## the issuerFilenames dictionary, if setup, have to contain 3 keys: ca,cert,key + # issuerFilenames: + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + argoRolloutServiceReconciler: + enabled: false + + operator: + watchdogCanPatchPodLabels: false diff --git a/config/samples/subscription.yaml b/config/samples/subscription.yaml new file mode 100644 index 0000000..8c80e01 --- /dev/null +++ b/config/samples/subscription.yaml @@ -0,0 +1,12 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: dapr-operator + namespace: openshift-operators +spec: + channel: alpha + installPlanApproval: Automatic + name: dapr-operator + source: dapr-catalog + sourceNamespace: openshift-marketplace + startingCSV: dapr-operator.v1.11.0-2 
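Review bot: This samples list mixes a Dapr CR (sample.yaml) with OLM installation objects (catalog.yaml, subscription.yaml), and config/manifests/kustomization.yaml feeds `../samples` into the bundle manifests, so the CatalogSource and Subscription may end up in the generated bundle where they do not belong; keep only CRs of this operator here and move the OLM objects to a directory such as hack/ or config/olm/. The sequence items are indented (`  - catalog.yaml`) while every other kustomization in the commit uses flush `- ` items; pick one style for the repository.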
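Review bot: The `k8sLabels` block in `spec` contains Helm template expressions (`"{{ .Release.Name }}"`, `"{{ .Values.component }}"`) and the values-file comment `# Should be set in each subchart`, which suggests it was copied verbatim from the chart's values.yaml; whether those strings are expanded depends on the chart rendering them through `tpl`, so confirm the labels on a deployed cluster and otherwise drop the block from the sample. The sample also enables `prometheus`, `mtls` and `actors` while leaving `ha.enabled: false` and `rbac.namespaced: false`; a one-line comment on which of these are deliberate sample choices versus chart defaults, e.g. `# mirrors the chart defaults; override only what you need`, would help users who copy it.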
diff --git a/config/scorecard/bases/config.yaml b/config/scorecard/bases/config.yaml new file mode 100644 index 0000000..c770478 --- /dev/null +++ b/config/scorecard/bases/config.yaml @@ -0,0 +1,7 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: [] diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml new file mode 100644 index 0000000..50cd2d0 --- /dev/null +++ b/config/scorecard/kustomization.yaml @@ -0,0 +1,16 @@ +resources: +- bases/config.yaml +patchesJson6902: +- path: patches/basic.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +- path: patches/olm.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +#+kubebuilder:scaffold:patchesJson6902 diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml new file mode 100644 index 0000000..c8455f1 --- /dev/null +++ b/config/scorecard/patches/basic.config.yaml @@ -0,0 +1,10 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: basic + test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml new file mode 100644 index 0000000..8680989 --- /dev/null +++ b/config/scorecard/patches/olm.config.yaml 
@@ -0,0 +1,50 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-bundle-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-resources-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-spec-descriptors-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-status-descriptors-test diff --git a/hack/generate-catalog.sh b/hack/generate-catalog.sh new file mode 100755 index 0000000..0161687 --- /dev/null +++ b/hack/generate-catalog.sh 
@@ -0,0 +1,39 @@ +#!/bin/sh +x + +operator_dir="$1" +operator_bundle="$2" +operator_version="$3" +catalog_image="$4" + +echo $operator_dir +echo $operator_bundle +echo $operator_version +echo $catalog_image + +tmp_dir=$(mktemp -d -t ci-XXXXXXXXXX) +mkdir -p ${tmp_dir}/dapr + +${operator_dir}/bin/opm generate dockerfile ${tmp_dir}/dapr + +${operator_dir}/bin/opm init dapr-helm-operator \ + --default-channel=preview \ + --icon=${operator_dir}/hack/operator-icon.svg \ + --output yaml \ + > ${tmp_dir}/dapr/operator.yaml + +${operator_dir}/bin/opm render ${operator_bundle} \ + --output=yaml \ + > ${tmp_dir}/dapr/operator.yaml + +cat << EOF >> ${tmp_dir}/dapr/operator.yaml +--- +schema: olm.channel +package: dapr-help-operator +name: preview +entries: + - name: dapr-helm-operator.${operator_version} +EOF + +#opm validate ${tmp_dir} + +#docker build -f ${tmp_dir}/dapr.Dockerfile -t ${catalog_image} ${tmp_dir} \ No newline at end of file diff --git a/hack/operator-icon.svg b/hack/operator-icon.svg new file mode 100644 index 0000000..716c3e4 --- /dev/null +++ b/hack/operator-icon.svg @@ -0,0 +1,15 @@ + + + + Artboard + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/helm-charts/dapr/.helmignore b/helm-charts/dapr/.helmignore new file mode 100644 index 0000000..6974e85 --- /dev/null +++ b/helm-charts/dapr/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +packages/ diff --git a/helm-charts/dapr/Chart.yaml b/helm-charts/dapr/Chart.yaml new file mode 100644 index 0000000..37bb47a --- /dev/null +++ b/helm-charts/dapr/Chart.yaml 
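Review bot: The `opm render ${operator_bundle}` call writes with `>` to the same `${tmp_dir}/dapr/operator.yaml` that `opm init` just produced, so the package header is discarded and only the rendered bundle plus the appended channel remain; it should be `>> ${tmp_dir}/dapr/operator.yaml`. The heredoc channel says `package: dapr-help-operator` while `opm init` and the channel entry use `dapr-helm-operator`, so the channel would not attach to the package; fix the typo. `#!/bin/sh +x` only turns tracing off, which is already the default, and the four positional arguments are echoed but never checked, so use `#!/bin/sh` with `set -eu` (and quote expansions like `"${tmp_dir}"`) so a missing argument or a failing `opm` call aborts instead of leaving a half-built catalog. With `opm validate` and `docker build` both commented out the script currently produces no catalog image; either restore them or document that the caller runs those steps.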
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: 1.11.0
+description: A Helm chart for Dapr on Kubernetes
+name: dapr
+version: 1.11.0
diff --git a/helm-charts/dapr/README.md b/helm-charts/dapr/README.md
new file mode 100644
index 0000000..70e21d6
--- /dev/null
+++ b/helm-charts/dapr/README.md
@@ -0,0 +1,258 @@ +# Introduction + +This chart deploys the Dapr control plane system services on a Kubernetes cluster using the Helm package manager. + +## Chart Details + +This chart installs Dapr via "child-charts": + +* Dapr Component and Configuration Kubernetes CRDs +* Dapr Operator +* Dapr Sidecar injector +* Dapr Sentry +* Dapr Placement + +## Prerequisites + +* Kubernetes cluster with RBAC (Role-Based Access Control) enabled is required +* Helm 3.4.0 or newer + +## Resources Required +The chart deploys pods that consume minimum resources as specified in the resources configuration parameter. + +## Install the Chart + +Ensure Helm is initialized in your Kubernetes cluster. + +For more details on initializing Helm, [read the Helm docs](https://helm.sh/docs/) + +1. Add dapr.github.io as an helm repo + ``` + helm repo add dapr https://dapr.github.io/helm-charts/ + helm repo update + ``` + +2. Install the Dapr chart on your cluster in the dapr-system namespace: + ``` + helm install dapr dapr/dapr --namespace dapr-system --wait + ``` + +## Verify installation + +Once the chart is installed, verify the Dapr control plane system service pods are running in the `dapr-system` namespace: +``` +kubectl get pods --namespace dapr-system +``` + +## Uninstall the Chart + +To uninstall/delete the `dapr` release: +``` +helm uninstall dapr -n dapr-system +``` + +## Upgrade the charts + +Follow the upgrade HowTo instructions in [Upgrading Dapr with Helm](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#upgrading-dapr-with-helm). + + +## Resource configuration +By default, all deployments are configured with blank `resources` attributes, which means that pods will consume as much cpu and memory as they want. This is probably fine for a local development or a non-production setup, but for production you should configure them. 
Consult Dapr docs and [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for guidance on setting these values. + +For example, in order to configure the `memory.requests` setting for the `dapr-operator` deployment, configure a values.yml file with the following: +```yaml +dapr_operator: + resources: + requests: + memory: 200Mi +``` + +## Configuration + +The Helm chart has the follow configuration options that can be supplied: + +### Global options: +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| +| `global.registry` | Docker image registry | `docker.io/daprio` | +| `global.tag` | Docker image version tag | latest release | +| `global.logAsJson` | Json log format for control plane services | `false` | +| `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` | +| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry | `""` | +| `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` | +| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode | `3` | +| `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` | +| `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. 
| `25%` | +| `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` | +| `global.prometheus.port` | Prometheus scrape http endpoint port | `9090` | +| `global.mtls.enabled` | Mutual TLS enablement | `true` | +| `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` | +| `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` | +| `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` | +| `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` | +| `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` | +| `global.nodeSelector` | Pods will be scheduled onto a node node whose labels match the nodeSelector | `{}` | +| `global.tolerations` | Pods will be allowed to schedule onto a node whose taints match the tolerations | `{}` | +| `global.labels` | Custom pod labels | `{}` | +| `global.k8sLabels` | Custom metadata labels | `{}` | +| `global.issuerFilenames.ca` | Custom name of the file containing the root CA certificate inside the container | `ca.crt` | +| `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` | +| `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` | +| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. 
| `true` | +| `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` | +| `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` | + +### Dapr Operator options: +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| +| `dapr_operator.replicaCount` | Number of replicas | `1` | +| `dapr_operator.logLevel` | Log level | `info` | +| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` | +| `dapr_operator.maxPodRestartsPerMinute` | Maximum number of pods in an invalid state that can be restarted per minute | `20` | +| `dapr_operator.image.name` | Docker image name (`global.registry/dapr_operator.image.name`) | `dapr` | +| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` | +| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | +| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` | +| `dapr_operator.serviceReconciler.enabled`| If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.
Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` | +| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` | + +### Dapr Placement options: +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| +| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` | +| `dapr_placement.logLevel` | Service Log level | `info` | +| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` | +| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when `global.ha.enabled` is true | `false` | +| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when `global.ha.enabled` is true | `/var/run/dapr/raft-log` | +| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when `global.ha.enabled` is true | `C:\\raft-log` | +| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` | +| `dapr_placement.volumeclaims.storageClassName` | storage class name | | +| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` | +| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. 
Defaults to empty | `{}` | +| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` | + +### Dapr RBAC options: +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| +| `dapr_rbac.secretReader.enabled` | Deploys a default secret reader Role and RoleBinding | `true` | +| `dapr_rbac.secretReader.namespace` | Namespace for the default secret reader | `default` | + +### Dapr Sentry options: +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| +| `dapr_sentry.replicaCount` | Number of replicas | `1` | +| `dapr_sentry.logLevel` | Log level | `info` | +| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` | +| `dapr_sentry.tls.issuer.certPEM` | Issuer Certificate cert | `""` | +| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` | +| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` | +| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` | +| `dapr_sentry.trustDomain` | Trust domain (logical group to manage app trust relationship) for access control list | `cluster.local` | +| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` | +| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. 
Defaults to empty | `{}` | +| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` | + +### Dapr Sidecar Injector options: +| Parameter | Description | Default | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| +| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` | +| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` | +| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` | +| `dapr_sidecar_injector.logLevel` | Log level | `info` | +| `dapr_sidecar_injector.image.name` | Docker image name for Dapr runtime sidecar to inject into an application (`global.registry/dapr_sidecar_injector.image.name`) | `daprd`| +| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`| +| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` | +| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` | +| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. 
You may have to set this to `false` when running Minikube | `true` | +| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` | +| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` | +| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` | +| `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` | +| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | +| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` | +| `dapr_sidecar_injector.kubeClusterDomain` | Domain for this kubernetes cluster. If not set, will auto-detect the cluster domain through the `/etc/resolv.conf` file `search domains` content. | `cluster.local` | +| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. 
| `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` | +| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` | +| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` | + +## Example of highly available configuration of the control plane + +This command creates three replicas of each control plane pod for an HA deployment (with the exception of the Placement pod) in the dapr-system namespace: + +``` +helm install dapr dapr/dapr --namespace dapr-system --set global.ha.enabled=true --wait +``` + +## Example of installing edge version of Dapr + +This command deploys the latest `edge` version of Dapr to `dapr-system` namespace. This is useful if you want to deploy the latest version of Dapr to test a feature or some capability in your Kubernetes cluster. 
+ +``` +helm install dapr dapr/dapr --namespace dapr-system --set-string global.tag=edge --wait +``` + +## Example of installing dapr on Minikube +Configure a values file with these options: +```yaml +dapr_dashboard: + runAsNonRoot: false + logLevel: DEBUG + serviceType: NodePort # Allows retrieving the dashboard url by running the command "minikube service list" +dapr_placement: + runAsNonRoot: false + logLevel: DEBUG +dapr_operator: + runAsNonRoot: false + logLevel: DEBUG +dapr_sentry: + runAsNonRoot: false + logLevel: DEBUG +dapr_sidecar_injector: + runAsNonRoot: false + logLevel: DEBUG +global: + logAsJson: true +``` + +Install dapr: +```bash +helm install dapr dapr/dapr --namespace dapr-system --values values.yml --wait +``` + +## Example of debugging dapr +Rebuild dapr binaries and docker images: +```bash +make release GOOS=linux GOARCH=amd64 DEBUG=1 +export DAPR_TAG=dev +export DAPR_REGISTRY= +docker login +make docker-push DEBUG=1 +``` +Take dapr_operator as an example, configure the corresponding `debug.enabled` option in a value file: +```yaml +global: + registry: docker.io/ + tag: "dev-linux-amd64" +dapr_operator: + debug: + enabled: true +``` + +Step into dapr project, and install dapr: +```bash +helm install dapr charts/dapr --namespace dapr-system --values values.yml --wait +``` + +Find the target dapr-operator pod: +```bash +kubectl get pods -n dapr-system -o wide +``` + +Port forward the debugging port so that it's visible to your IDE: +```bash +kubectl port-forward dapr-operator-5c99475ffc-m9z9f 40000:40000 -n dapr-system +``` +## Example of using nodeSelector option +``` +helm install dapr dapr/dapr --namespace dapr-system --set global.nodeSelector.myLabel=myValue --wait +``` diff --git a/helm-charts/dapr/charts/dapr_config/.helmignore b/helm-charts/dapr/charts/dapr_config/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_config/.helmignore 
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/dapr/charts/dapr_config/Chart.yaml b/helm-charts/dapr/charts/dapr_config/Chart.yaml new file mode 100644 index 0000000..a7b0263 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_config/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Dapr configuration +name: dapr_config +version: 1.11.0 diff --git a/helm-charts/dapr/charts/dapr_config/templates/_helpers.tpl b/helm-charts/dapr/charts/dapr_config/templates/_helpers.tpl new file mode 100644 index 0000000..9762ee7 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_config/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dapr_config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dapr_config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dapr_config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml b/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml new file mode 100644 index 0000000..1458475 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml @@ -0,0 +1,15 @@ +{{- if .Values.dapr_config_chart_included }} +apiVersion: dapr.io/v1alpha1 +kind: Configuration +metadata: + name: {{ .Values.dapr_default_system_config_name }} + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: + mtls: + enabled: {{ .Values.global.mtls.enabled }} + workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }} + allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }} +{{- end }} 
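Review bot: In the `labels:` block of `dapr_default_config.yaml` the value is emitted as `{{ tpl $value $ }}` unquoted, so a label value that looks like a boolean or number (`true`, `1`, `1.0`) is typed by the YAML parser and the API server rejects the object because label values must be strings; a value containing `: ` or ` #` would break the document outright. Emit `{{ $key }}: {{ tpl $value $ | quote }}` instead. The same unquoted pattern is repeated in the operator templates later in this commit and wants the same treatment there.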
diff --git a/helm-charts/dapr/charts/dapr_config/values.yaml b/helm-charts/dapr/charts/dapr_config/values.yaml new file mode 100644 index 0000000..0bc86c2 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_config/values.yaml @@ -0,0 +1,4 @@ +# This value is essential in determining whether to build this chart or not based on the usecase. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value. +dapr_config_chart_included: true +dapr_default_system_config_name: "daprsystem" +component: config diff --git a/helm-charts/dapr/charts/dapr_operator/.helmignore b/helm-charts/dapr/charts/dapr_operator/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/dapr/charts/dapr_operator/Chart.yaml b/helm-charts/dapr/charts/dapr_operator/Chart.yaml new file mode 100644 index 0000000..9f6b69f --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Dapr Kubernetes Operator +name: dapr_operator +version: 1.11.0 diff --git a/helm-charts/dapr/charts/dapr_operator/templates/_helpers.tpl b/helm-charts/dapr/charts/dapr_operator/templates/_helpers.tpl new file mode 100644 index 0000000..599f395 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dapr_operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dapr_operator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dapr_operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml new file mode 100644 index 0000000..6307031 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml 
@@ -0,0 +1,247 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-cert"}} +{{- $existingCA := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-ca"}} +{{- $ca := genCA "dapr-webhook-ca" 3650 }} +{{- $cn := printf "dapr-webhook" }} +{{- $altName1 := printf "dapr-webhook.%s" .Release.Namespace }} +{{- $altName2 := printf "dapr-webhook.%s.svc" .Release.Namespace }} +{{- $altName3 := printf "dapr-webhook.%s.svc.cluster" .Release.Namespace }} +{{- $altName4 := printf "dapr-webhook.%s.svc.cluster.local" .Release.Namespace }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: dapr-webhook-cert + labels: + app: dapr-operator + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +data: + {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }} + {{ else }}tls.crt: {{ b64enc $cert.Cert }} + {{ end }} + + {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }} + {{ else }}tls.key: {{ b64enc $cert.Key }} + {{ end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: dapr-webhook-ca + labels: + app: dapr-operator + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +data: + {{ if $existingCA }}caBundle: {{ index $existingCA.data "caBundle" }} + {{ else }}caBundle: {{ b64enc $ca.Cert }} + {{ end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dapr-operator + labels: + app: dapr-operator + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if eq .Values.global.ha.enabled true }} + replicas: {{ .Values.global.ha.replicaCount }} +{{- else }} + replicas: {{ .Values.replicaCount }} +{{- end }} + selector: + matchLabels: + app: dapr-operator + template: + metadata: + labels: + app: dapr-operator + {{- range $key, $value := 
.Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + annotations: + prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + prometheus.io/path: "/" +{{- end }} + spec: + containers: + - name: dapr-operator + livenessProbe: + httpGet: + path: /healthz + port: 8080 +{{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} +{{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} +{{- end }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: 8080 +{{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} +{{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} +{{- end }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- if contains "/" .Values.image.name }} + image: "{{ .Values.image.name }}" +{{- else }} + image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if eq .Values.global.daprControlPlaneOs "linux" }} + securityContext: + runAsNonRoot: {{ .Values.runAsNonRoot }} +{{- if eq .Values.debug.enabled true }} + capabilities: + add: + - SYS_PTRACE +{{- end }} +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 6500 +{{- if eq .Values.global.prometheus.enabled true }} + - name: metrics + containerPort: {{ .Values.global.prometheus.port }} + protocol: TCP +{{- end }} +{{- if eq .Values.debug.enabled true }} + - name: 
debug + containerPort: {{ .Values.debug.port }} + protocol: TCP +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + - name: credentials + mountPath: /var/run/dapr/credentials + readOnly: true + - name: webhook-creds + {{- if eq .Values.global.daprControlPlaneOs "windows" }} + mountPath: "C:\\Windows\\TEMP\\k8s-webhook-server\\serving-certs" + {{- else }} + mountPath: /tmp/k8s-webhook-server/serving-certs + {{- end }} + readOnly: true + command: +{{- if eq .Values.debug.enabled false }} + - "/operator" +{{- else }} + - "/dlv" +{{- end }} + args: +{{- if eq .Values.debug.enabled true }} + - "--listen=:{{ .Values.debug.port }}" + - "--accept-multiclient" + - "--headless=true" + - "--log" + - "--api-version=2" + - "exec" + - "/operator" + - "--" +{{- end }} + - "--watch-interval" + - "{{ .Values.watchInterval }}" + - "--max-pod-restarts-per-minute" + - "{{ .Values.maxPodRestartsPerMinute }}" + - "--log-level" + - "{{ .Values.logLevel }}" +{{- if eq .Values.global.logAsJson true }} + - "--log-as-json" +{{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + - "--enable-metrics" + - "--metrics-port" + - "{{ .Values.global.prometheus.port }}" +{{- else }} + - "--enable-metrics=false" +{{- end }} +{{- with .Values.global.issuerFilenames }} + - "--issuer-ca-filename" + - "{{ .ca }}" + - "--issuer-certificate-filename" + - "{{ .cert }}" + - "--issuer-key-filename" + - "{{ .key }}" +{{- end }} +{{- if .Values.watchNamespace }} + - "--watch-namespace" + - "{{ .Values.watchNamespace }}" +{{- end }} +{{- if not .Values.serviceReconciler.enabled }} + - "--disable-service-reconciler" +{{- end }} +{{- if .Values.global.argoRolloutServiceReconciler.enabled }} + - "--enable-argo-rollout-service-reconciler" +{{- end }} +{{- if .Values.global.operator.watchdogCanPatchPodLabels }} + - "--watchdog-can-patch-pod-labels" +{{- end }} + serviceAccountName: dapr-operator + volumes: + - name: credentials + secret: + secretName: dapr-trust-bundle + - 
name: webhook-creds + secret: + secretName: dapr-webhook-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - {{ .Values.global.daprControlPlaneOs }} +{{- if .Values.global.daprControlPlaneArch }} + - key: kubernetes.io/arch + operator: In + values: + - {{ .Values.global.daprControlPlaneArch }} +{{- end }} +{{- if .Values.global.ha.enabled }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - dapr-operator + topologyKey: topology.kubernetes.io/zone +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.imagePullSecrets }} +{{- end }} +{{- if .Values.global.nodeSelector }} + nodeSelector: +{{ toYaml .Values.global.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.global.tolerations }} + tolerations: +{{ toYaml .Values.global.tolerations | indent 8 }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml new file mode 100644 index 0000000..5ca533e --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml 
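Review bot: The webhook serving certificate is minted with SANs that hard-code `.svc.cluster.local` (`$altName4`, and the odd `.svc.cluster` in `$altName3`), while the chart's README advertises `global.dnsSuffix` for clusters with another domain; on such a cluster the API server's TLS verification of `dapr-webhook.<ns>.svc.<suffix>` fails, and whether that surfaces as a rejected request or a silently skipped webhook depends on a failurePolicy defined outside this hunk. The serving cert and the CA are persisted through two independent `lookup`s, so deleting one secret — or rendering with `helm template`, where `lookup` returns nothing — regenerates only that half and `caBundle` no longer matches `tls.crt`; they should be generated and reused as a unit, and the reused cert is never checked for expiry. The container `securityContext` sets only `runAsNonRoot`; all mounts here are `readOnly: true`, so `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and (assuming the operator writes nothing outside its mounts — confirm) `readOnlyRootFilesystem: true` can be added while keeping the debug-only `SYS_PTRACE` add. The debug branch also starts a headless, unauthenticated delve listener (`--headless=true --accept-multiclient`) on `debug.port`, which deserves a comment marking it dev-cluster-only.
```yaml
{{- $altName4 := printf "dapr-webhook.%s.svc%s" .Release.Namespace .Values.global.dnsSuffix }}
# … unchanged: secrets, deployment metadata, probes, image …
        securityContext:
          runAsNonRoot: {{ .Values.runAsNonRoot }}
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
{{- if eq .Values.debug.enabled true }}
            # debug only: ptrace for delve; never enable in production
            add:
              - SYS_PTRACE
{{- end }}
```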
@@ -0,0 +1,31 @@ +{{- if eq .Values.global.ha.enabled true }} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: dapr-operator-disruption-budget + labels: + app: dapr-operator + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if .Values.global.ha.disruption.minimumAvailable }} + minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }} +{{- end }} +{{- if .Values.global.ha.disruption.maximumUnavailable }} + maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }} +{{- end }} + selector: + matchLabels: + app: dapr-operator + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml new file mode 100644 index 0000000..fb994a6 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml @@ -0,0 +1,31 @@ +kind: Service +apiVersion: v1 +metadata: + name: dapr-api + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: + selector: + app: dapr-operator + ports: + - protocol: TCP + port: {{ .Values.ports.port }} + targetPort: {{ .Values.ports.targetPort }} +--- +apiVersion: v1 +kind: Service +metadata: + name: dapr-webhook + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: + ports: + - port: 443 + targetPort: 19443 + protocol: TCP + selector: + app: dapr-operator \ No newline at end of file 
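Review bot: The `spec` block emits `minAvailable` and `maxUnavailable` from two independent `if` guards, so a values file that sets both `global.ha.disruption.minimumAvailable` and `global.ha.disruption.maximumUnavailable` renders a PodDisruptionBudget carrying both fields, which the API server rejects as mutually exclusive. Turning the second guard into `{{- else if .Values.global.ha.disruption.maximumUnavailable }}` (or calling `fail` when both are set) makes the precedence explicit instead of failing at apply time. The placement PDB hunk further down (`dapr_placement_poddisruptionbudget.yaml`) has the same two guards and needs the same change.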
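Review bot: Both Services hardcode `protocol: TCP` although the sub-chart's values.yaml in the next hunk defines `ports.protocol: TCP`, so that value is dead configuration; either render it on the `dapr-api` port with `protocol: {{ .Values.ports.protocol }}` or drop the key from values. The `dapr-webhook` Service also fixes `port: 443` and `targetPort: 19443` inline while `dapr-api` reads its ports from values, so a second values entry (for example `ports.webhookTargetPort`, a constructed name) would keep the two Services consistent and let the webhook port be found in one place. The file is committed without a trailing newline.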
diff --git a/helm-charts/dapr/charts/dapr_operator/values.yaml b/helm-charts/dapr/charts/dapr_operator/values.yaml new file mode 100644 index 0000000..21a19ac --- /dev/null +++ b/helm-charts/dapr/charts/dapr_operator/values.yaml @@ -0,0 +1,41 @@ +replicaCount: 1 +logLevel: info +watchInterval: "0" +watchNamespace: "" +maxPodRestartsPerMinute: 20 +component: operator + +# Override this to use a custom operator service image. +# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag. +# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }} +image: + name: "operator" + +nameOverride: "" +fullnameOverride: "" + +runAsNonRoot: true + +serviceReconciler: + enabled: true + +ports: + protocol: TCP + port: 80 + targetPort: 6500 + +resources: {} + +livenessProbe: + initialDelaySeconds: 3 + periodSeconds: 3 + failureThreshold: 5 +readinessProbe: + initialDelaySeconds: 3 + periodSeconds: 3 + failureThreshold: 5 + +debug: + enabled: false + port: 40000 + initialDelaySeconds: 30000 diff --git a/helm-charts/dapr/charts/dapr_placement/.helmignore b/helm-charts/dapr/charts/dapr_placement/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_placement/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/dapr/charts/dapr_placement/Chart.yaml b/helm-charts/dapr/charts/dapr_placement/Chart.yaml new file mode 100644 index 0000000..de9c2af --- /dev/null +++ b/helm-charts/dapr/charts/dapr_placement/Chart.yaml 
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Dapr Kubernetes placement
+name: dapr_placement
+version: 1.11.0
diff --git a/helm-charts/dapr/charts/dapr_placement/templates/_helpers.tpl b/helm-charts/dapr/charts/dapr_placement/templates/_helpers.tpl
new file mode 100644
index 0000000..3956a23
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_placement/templates/_helpers.tpl
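Review bot: `apiVersion: v1` in Chart.yaml is the legacy Helm 2 chart schema; Helm 3 still loads it, but `apiVersion: v2` is the current format and is what allows `dependencies:` and `type:` to live in Chart.yaml, so a newly created chart would normally start at `apiVersion: v2` unless the parent chart deliberately pins v1 for compatibility. The `dapr_rbac` and `dapr_sentry` Chart.yaml hunks later in this patch use the same `apiVersion: v1` and should follow whatever is decided here.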
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dapr_placement.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dapr_placement.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dapr_placement.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create initial cluster peer list. +*/}} +{{- define "dapr_placement.initialcluster" -}} +{{- print "dapr-placement-server-0=dapr-placement-server-0.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort ",dapr-placement-server-1=dapr-placement-server-1.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort ",dapr-placement-server-2=dapr-placement-server-2.dapr-placement-server." .Release.Namespace ".svc" .Values.global.dnsSuffix ":" .Values.ports.raftRPCPort -}} +{{- end -}} diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml new file mode 100644 index 0000000..b26d4f1 --- /dev/null 
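Review bot: `dapr_placement.initialcluster` hardcodes exactly three peers (`dapr-placement-server-0` through `-2`), which has to stay in step with the `replicas: 3` the statefulset template emits when `global.ha.enabled` is true, and nothing in the chart ties the two together. A comment above the define, `{{/* Raft peer list for HA mode; the three entries must match the HA replica count in dapr_placement_statefulset.yaml */}}`, records the coupling, and generating the entries with `range` over `untilStep 0 3 1` from one shared constant would remove it. The single very long `print` line is also hard to review; a `range` with `printf` per peer makes the naming pattern visible.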
+++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml @@ -0,0 +1,31 @@ +{{- if and (eq .Values.global.ha.enabled true) (eq .Values.global.actors.enabled true) }} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: dapr-placement-server-disruption-budget + labels: + app: dapr-placement-server + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if .Values.global.ha.disruption.minimumAvailable }} + minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }} +{{- end }} +{{- if .Values.global.ha.disruption.maximumUnavailable }} + maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }} +{{- end }} + selector: + matchLabels: + app: dapr-placement-server + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml new file mode 100644 index 0000000..7b7e443 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml 
@@ -0,0 +1,23 @@ +{{- if eq .Values.global.actors.enabled true }} +kind: Service +apiVersion: v1 +metadata: + name: dapr-placement-server + labels: + app: dapr-placement-server + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: + selector: + app: dapr-placement-server + # placement must be able to resolve pod address to join initial cluster peers + # before POD is ready + publishNotReadyAddresses: true + ports: + - name: api + port: {{ .Values.ports.apiPort }} + - name: raft-node + port: {{ .Values.ports.raftRPCPort }} + clusterIP: None +{{- end }} \ No newline at end of file diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml new file mode 100644 index 0000000..6fa87ea --- /dev/null +++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml 
@@ -0,0 +1,232 @@ +{{- if eq .Values.global.actors.enabled true }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: dapr-placement-server + labels: + app: dapr-placement-server + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if eq .Values.global.ha.enabled true }} + replicas: 3 +{{- else }} + replicas: 1 +{{- end }} + serviceName: dapr-placement-server + podManagementPolicy: Parallel + selector: + matchLabels: + app: dapr-placement-server + template: + metadata: + labels: + app: dapr-placement-server + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + annotations: + prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + prometheus.io/path: "/" +{{- end }} + spec: + containers: + - name: dapr-placement-server + livenessProbe: + httpGet: + path: /healthz + port: 8080 +{{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} +{{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} +{{- end }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: 8080 +{{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} +{{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} +{{- end }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- if contains "/" .Values.image.name }} + image: "{{ .Values.image.name }}" +{{- else }} + image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag 
}}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + - name: credentials + mountPath: /var/run/dapr/credentials + readOnly: true +{{- if eq .Values.global.ha.enabled true }} + {{- if eq .Values.cluster.forceInMemoryLog false }} + - name: raft-log + {{- if eq .Values.global.daprControlPlaneOs "windows" }} + mountPath: {{ .Values.cluster.logStoreWinPath }} + {{- else }} + mountPath: {{ .Values.cluster.logStorePath }} + {{- end }} + {{- end }} +{{- end }} + ports: + - containerPort: {{ .Values.ports.apiPort }} + name: api + - containerPort: {{ .Values.ports.raftRPCPort }} + name: raft-node +{{- if eq .Values.global.prometheus.enabled true }} + - name: metrics + containerPort: {{ .Values.global.prometheus.port }} + protocol: TCP +{{- end }} + command: +{{- if eq .Values.debug.enabled false }} + - "/placement" +{{- else }} + - "/dlv" +{{- end }} + args: +{{- if eq .Values.debug.enabled true }} + - "--listen=:{{ .Values.debug.port }}" + - "--accept-multiclient" + - "--headless=true" + - "--log" + - "--api-version=2" + - "exec" + - "/placement" + - "--" +{{- end }} +{{- if eq .Values.global.ha.enabled true }} + - "--id" + - "$(PLACEMENT_ID)" + - "--initial-cluster" + - {{ template "dapr_placement.initialcluster" . 
}} + {{- if eq .Values.cluster.forceInMemoryLog false }} + - "--raft-logstore-path" + {{- if eq .Values.global.daprControlPlaneOs "windows" }} + - "{{ .Values.cluster.logStoreWinPath }}\\cluster-v2-$(PLACEMENT_ID)" + {{- else }} + - "{{ .Values.cluster.logStorePath }}/cluster-v2-$(PLACEMENT_ID)" + {{- end }} + {{- end }} +{{- end }} + - "--log-level" + - {{ .Values.logLevel }} +{{- if eq .Values.global.logAsJson true }} + - "--log-as-json" +{{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + - "--enable-metrics" + - "--replicationFactor" + - "{{ .Values.replicationFactor }}" + - "--metrics-port" + - "{{ .Values.global.prometheus.port }}" +{{- else }} + - "--enable-metrics=false" +{{- end }} + - "--tls-enabled" +{{- with .Values.global.issuerFilenames }} + - "--issuer-ca-filename" + - "{{ .ca }}" + - "--issuer-certificate-filename" + - "{{ .cert }}" + - "--issuer-key-filename" + - "{{ .key }}" +{{- end }} +{{- if eq .Values.global.daprControlPlaneOs "linux" }} + securityContext: +{{- if eq .Values.cluster.forceInMemoryLog true }} + runAsNonRoot: {{ .Values.runAsNonRoot }} +{{- else }} + runAsUser: 0 +{{- end }} +{{- if eq .Values.debug.enabled true }} + capabilities: + add: + - SYS_PTRACE +{{- end }} +{{- end }} + env: + - name: PLACEMENT_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + serviceAccountName: dapr-placement + volumes: + - name: credentials + secret: + secretName: dapr-trust-bundle + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - {{ .Values.global.daprControlPlaneOs }} +{{- if .Values.global.daprControlPlaneArch }} + - key: kubernetes.io/arch + operator: In + values: + - {{ .Values.global.daprControlPlaneArch }} +{{- end }} +{{- if .Values.global.ha.enabled }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + 
- weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - dapr-placement-server + topologyKey: topology.kubernetes.io/zone +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.imagePullSecrets }} +{{- end }} +{{- if .Values.global.nodeSelector }} + nodeSelector: +{{ toYaml .Values.global.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.global.tolerations }} + tolerations: +{{ toYaml .Values.global.tolerations | indent 8 }} +{{- end }} +{{- if eq .Values.global.ha.enabled true }} + {{- if eq .Values.cluster.forceInMemoryLog false }} + volumeClaimTemplates: + - metadata: + name: raft-log + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.volumeclaims.storageSize }} + {{- if .Values.volumeclaims.storageClassName }} + storageClassName: {{ .Values.volumeclaims.storageClassName }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_placement/values.yaml b/helm-charts/dapr/charts/dapr_placement/values.yaml new file mode 100644 index 0000000..f057da4 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_placement/values.yaml 
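Review bot: The `--replicationFactor` / `"{{ .Values.replicationFactor }}"` pair is placed inside `{{- if eq .Values.global.prometheus.enabled true }}`, so the configured replication factor is only passed when metrics are enabled and silently falls back to the binary's default otherwise; those two lines belong outside the prometheus block, next to `--log-level`. Separately, the `securityContext` emits `runAsUser: 0` whenever `cluster.forceInMemoryLog` is false (the values default), even though the `raft-log` volume it exists for is only mounted when `global.ha.enabled` is true, so a non-HA placement server runs as root without needing it; gating the root branch on `and .Values.global.ha.enabled (eq .Values.cluster.forceInMemoryLog false)`, or using a pod-level `fsGroup` instead of root, keeps `runAsNonRoot: {{ .Values.runAsNonRoot }}` as the default. As a point of style, `- {{ .Values.logLevel }}` is the only unquoted argument in the list; quoting it like its neighbours avoids implicit typing surprises.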
@@ -0,0 +1,44 @@ +logLevel: info +component: placement + +# Override this to use a custom placement service image. +# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag. +# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }} +image: + name: "placement" + +nameOverride: "" +fullnameOverride: "" + +ports: + protocol: TCP + apiPort: 50005 + raftRPCPort: 8201 + +cluster: + forceInMemoryLog: false + logStorePath: /var/run/dapr/raft-log + logStoreWinPath: C:\\raft-log + +volumeclaims: + storageSize: 1Gi + storageClassName: + +replicationFactor: 100 + +livenessProbe: + initialDelaySeconds: 10 + periodSeconds: 3 + failureThreshold: 5 +readinessProbe: + initialDelaySeconds: 3 + periodSeconds: 3 + failureThreshold: 5 + +debug: + enabled: false + port: 40000 + initialDelaySeconds: 30000 + +runAsNonRoot: true +resources: {} diff --git a/helm-charts/dapr/charts/dapr_rbac/.helmignore b/helm-charts/dapr/charts/dapr_rbac/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/dapr/charts/dapr_rbac/Chart.yaml b/helm-charts/dapr/charts/dapr_rbac/Chart.yaml new file mode 100644 index 0000000..a75ca1d --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Dapr Kubernetes RBAC components +name: dapr_rbac +version: 1.11.0 
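Review bot: `logStoreWinPath: C:\\raft-log` is a plain scalar, so the two backslashes are kept literally; the statefulset template then renders it once unquoted (`mountPath: {{ .Values.cluster.logStoreWinPath }}`, giving `C:\\raft-log`) and once inside a double-quoted argument (`"{{ .Values.cluster.logStoreWinPath }}\\cluster-v2-$(PLACEMENT_ID)"`, where the YAML parser collapses the escapes to `C:\raft-log\cluster-v2-...`), so the mount path and the log-store argument may not name the same directory on Windows. Writing the value as `logStoreWinPath: 'C:\raft-log'` and quoting the `mountPath` in the template removes the ambiguity; please confirm with a Windows render. `storageClassName:` with no value parses as null, which the `{{- if .Values.volumeclaims.storageClassName }}` guard tolerates, but `storageClassName: ""` states the intent explicitly.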
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/_helpers.tpl b/helm-charts/dapr/charts/dapr_rbac/templates/_helpers.tpl new file mode 100644 index 0000000..d4c3e67 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dapr_rbac.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dapr_rbac.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dapr_rbac.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml new file mode 100644 index 0000000..5dd79f6 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml 
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dapr-injector + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-injector + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "list"] +{{- if not .Values.global.rbac.namespaced }} + - apiGroups: ["dapr.io"] + resources: ["configurations", "components"] + verbs: [ "get", "list"] +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-injector + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-injector + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dapr-injector +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-injector + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: ["dapr-trust-bundle"] +{{- if eq .Values.global.rbac.namespaced true }} + - apiGroups: ["dapr.io"] + resources: ["configurations", "components"] + verbs: [ "get", "list"] +{{- end }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-injector + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-injector + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dapr-injector 
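Review bot: The flow sequence `verbs: [ "get", "list"]` on the `dapr.io` rules has a space after `[` but none before `]`, unlike every other `verbs:` list in the file; normalising to `verbs: ["get", "list"]` keeps the file consistent and satisfies yamllint's bracket spacing rule. The same spacing appears on the `dapr.io` rules in `operator.yaml` later in this patch.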
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml
new file mode 100644
index 0000000..9a6efff
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml
@@ -0,0 +1,140 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dapr-operator + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +--- +{{- if not .Values.global.rbac.namespaced }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-operator-admin + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "patch"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["statefulsets", "statefulsets/finalizers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] +{{- if .Values.global.operator.watchdogCanPatchPodLabels }} + verbs: ["get", "list", "delete", "watch", "patch"] +{{- else }} + verbs: ["get", "list", "delete", "watch"] +{{- end }} + - apiGroups: [""] + resources: ["services","services/finalizers"] + verbs: ["get", "list", "watch", "update", "create"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["dapr.io"] + resources: ["components", "configurations", "subscriptions", "resiliencies", "httpendpoints"] + verbs: [ "get", "list", "watch"] +{{- end }} +{{- if .Values.global.argoRolloutServiceReconciler.enabled }} + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["get", "list", "watch"] +{{- end }} +--- +{{- if not .Values.global.rbac.namespaced }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-operator-admin + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-operator + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: dapr-operator-admin +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-operator + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "update", "create"] + resourceNames: ["operator.dapr.io", "webhooks.dapr.io"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "update", "create"] + resourceNames: ["operator.dapr.io", "webhooks.dapr.io"] +# We cannot use resourceNames for create because Kubernetes doesn't nessarily +# know resource names at authorization time. + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + - apiGroups: [""] + resources: ["configmaps", "events"] + verbs: ["create"] +{{- if eq .Values.global.rbac.namespaced true }} + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "patch"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["statefulsets", "statefulsets/finalizers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "delete"] + - apiGroups: [""] + resources: ["services","services/finalizers"] + verbs: ["get", "list", "watch", "update", "create"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["dapr.io"] + resources: ["components", "configurations", "subscriptions", "resiliencies", "httpendpoints"] + verbs: [ "get", "list", "watch"] +{{- end }} +{{- if .Values.global.argoRolloutServiceReconciler.enabled }} + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["get", "list", "watch"] +{{- end }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-operator + labels: + 
{{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-operator + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dapr-operator diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml new file mode 100644 index 0000000..fa42e83 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml @@ -0,0 +1,50 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dapr-placement + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +--- +{{- if eq .Values.global.rbac.namespaced true }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-placement + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["configmaps", "events"] + verbs: ["get"] +--- +{{- if eq .Values.global.rbac.namespaced true }} +kind: RoleBinding +{{- else }} +kind: ClusterRoleBinding +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-placement + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-placement + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io +{{- if eq .Values.global.rbac.namespaced true }} + kind: Role +{{- else }} + kind: ClusterRole +{{- end }} + name: dapr-placement diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/secret-reader.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/secret-reader.yaml new file mode 100644 index 0000000..b742870 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/templates/secret-reader.yaml 
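Review bot: In the `dapr-operator-admin` ClusterRole the `{{- end }}` that closes `{{- if not .Values.global.rbac.namespaced }}` comes before the `argoproj.io` rule, so with `rbac.namespaced: true` and `argoRolloutServiceReconciler.enabled: true` that document renders as a bare `- apiGroups: ["argoproj.io"]` sequence with no `kind`, which the API server rejects; moving that `{{- end }}` to after the argo block's own `{{- end }}` keeps the rule inside the ClusterRole only. The namespaced `dapr-operator` Role also grants pods only `["get", "list", "delete"]`, while the ClusterRole grants `watch` and, when `global.operator.watchdogCanPatchPodLabels` is set, `patch`; the `--watchdog-can-patch-pod-labels` flag the operator Deployment passes would be denied in namespaced mode, so the Role should mirror the ClusterRole's conditional verbs. The comment above the `create` rules has a typo: "nessarily" should read "necessarily".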
@@ -0,0 +1,33 @@ +{{- if .Values.secretReader.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secret-reader + namespace: {{ .Values.secretReader.namespace }} + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-secret-reader + namespace: {{ .Values.secretReader.namespace }} + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: default +roleRef: + kind: Role + name: secret-reader + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml new file mode 100644 index 0000000..2a41d0c --- /dev/null +++ b/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml 
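Review bot: With the sub-chart defaults in the following values.yaml hunk (`secretReader.enabled: true`, `secretReader.namespace: default`) this Role and RoleBinding give the `default` ServiceAccount read access to every Secret in the `default` namespace, a much broader grant than the rest of the chart's RBAC, which pins `resourceNames: ["dapr-trust-bundle"]`. Since nothing else in the chart depends on it, the grant should be documented next to the values, e.g. `# Grants the 'default' ServiceAccount in secretReader.namespace get on all Secrets there; set enabled: false unless sidecars need to read Kubernetes secrets through that account.`, and an opt-in default of `false` is worth considering. The RoleBinding subject omits `namespace:`, which is valid for a RoleBinding (it defaults to the binding's namespace) but stating it explicitly would match the other bindings in this chart.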
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dapr-sentry + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-sentry + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +{{- if not .Values.global.rbac.namespaced }} + - apiGroups: ["dapr.io"] + resources: ["configurations"] + verbs: ["list"] +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-sentry + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-sentry + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dapr-sentry +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-sentry + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update", "delete"] + resourceNames: ["dapr-trust-bundle"] +{{- if eq .Values.global.rbac.namespaced true }} + - apiGroups: ["dapr.io"] + resources: ["configurations"] + verbs: ["list"] +{{- end }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-sentry + labels: + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +subjects: +- kind: ServiceAccount + name: dapr-sentry + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dapr-sentry 
diff --git a/helm-charts/dapr/charts/dapr_rbac/values.yaml b/helm-charts/dapr/charts/dapr_rbac/values.yaml
new file mode 100644
index 0000000..fe7a0dd
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_rbac/values.yaml
@@ -0,0 +1,4 @@
+secretReader:
+ enabled: true
+ namespace: default
+component: rbac
diff --git a/helm-charts/dapr/charts/dapr_sentry/.helmignore b/helm-charts/dapr/charts/dapr_sentry/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sentry/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm-charts/dapr/charts/dapr_sentry/Chart.yaml b/helm-charts/dapr/charts/dapr_sentry/Chart.yaml
new file mode 100644
index 0000000..a5698ce
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sentry/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Dapr Sentry
+name: dapr_sentry
+version: 1.11.0
diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/_helpers.tpl b/helm-charts/dapr/charts/dapr_sentry/templates/_helpers.tpl
new file mode 100644
index 0000000..4c119ec
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sentry/templates/_helpers.tpl
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dapr_sentry.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dapr_sentry.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dapr_sentry.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml new file mode 100644 index 0000000..7cbf444 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml 
@@ -0,0 +1,207 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-trust-bundle"}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: dapr-trust-bundle + labels: + app: dapr-sentry + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +data: + {{ if .Values.tls.issuer.certPEM }}issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }} + {{ else if $existingSecret }}issuer.crt: {{ index $existingSecret.data "issuer.crt" }} + {{ end }} + {{ if .Values.tls.issuer.keyPEM }}issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }} + {{ else if $existingSecret }}issuer.key: {{ index $existingSecret.data "issuer.key" }} + {{end}} + {{ if .Values.tls.root.certPEM }}ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }} + {{ else if $existingSecret }}ca.crt: {{ index $existingSecret.data "ca.crt" }} + {{end}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dapr-sentry + labels: + app: dapr-sentry + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if eq .Values.global.ha.enabled true }} + replicas: {{ .Values.global.ha.replicaCount }} +{{- else }} + replicas: {{ .Values.replicaCount }} +{{- end }} + selector: + matchLabels: + app: dapr-sentry + template: + metadata: + labels: + app: dapr-sentry + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . 
| nindent 8 }} + {{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + annotations: + prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + prometheus.io/path: "/" +{{- end }} + spec: + containers: + - name: dapr-sentry + livenessProbe: + httpGet: + path: /healthz + port: 8080 + {{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + {{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} + {{- end }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: 8080 + {{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + {{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} + {{- end }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- if contains "/" .Values.image.name }} + image: "{{ .Values.image.name }}" +{{- else }} + image: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if eq .Values.global.daprControlPlaneOs "linux" }} + securityContext: + runAsNonRoot: {{ .Values.runAsNonRoot }} + {{- if eq .Values.debug.enabled true }} + capabilities: + add: + - SYS_PTRACE + {{- end }} +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 50001 +{{- if eq .Values.global.prometheus.enabled true }} + - name: metrics + containerPort: {{ .Values.global.prometheus.port }} + protocol: TCP +{{- end }} +{{- if eq .Values.debug.enabled true }} + - name: debug + containerPort: {{ .Values.debug.port }} + protocol: TCP +{{- end }} + resources: +{{ toYaml .Values.resources | 
indent 10 }} + volumeMounts: + - name: credentials + mountPath: /var/run/dapr/credentials + readOnly: true + command: +{{- if eq .Values.debug.enabled false }} + - "/sentry" +{{- else }} + - "/dlv" +{{- end }} + args: +{{- if eq .Values.debug.enabled true }} + - "--listen=:{{ .Values.debug.port }}" + - "--accept-multiclient" + - "--headless=true" + - "--log" + - "--api-version=2" + - "exec" + - "/sentry" + - "--" +{{- end }} + - "--log-level" + - {{ .Values.logLevel }} +{{- if eq .Values.global.logAsJson true }} + - "--log-as-json" +{{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + - "--enable-metrics" + - "--metrics-port" + - "{{ .Values.global.prometheus.port }}" +{{- else }} + - "--enable-metrics=false" +{{- end }} + - "--trust-domain" + - {{ .Values.tls.trustDomain }} +{{- if .Values.tokenAudience }} + - "--token-audience" + - {{ .Values.tokenAudience }} +{{- end }} +{{- with .Values.global.issuerFilenames }} + - "--issuer-ca-filename" + - "{{ .ca }}" + - "--issuer-certificate-filename" + - "{{ .cert }}" + - "--issuer-key-filename" + - "{{ .key }}" +{{- end }} + serviceAccountName: dapr-sentry + volumes: + - name: credentials + secret: + secretName: dapr-trust-bundle + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - {{ .Values.global.daprControlPlaneOs }} +{{- if .Values.global.daprControlPlaneArch }} + - key: kubernetes.io/arch + operator: In + values: + - {{ .Values.global.daprControlPlaneArch }} +{{- end }} +{{- if .Values.global.ha.enabled }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - dapr-sentry + topologyKey: topology.kubernetes.io/zone +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.imagePullSecrets }} +{{- end }} +{{- if 
.Values.global.nodeSelector }} + nodeSelector: +{{ toYaml .Values.global.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.global.tolerations }} + tolerations: +{{ toYaml .Values.global.tolerations | indent 8 }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml new file mode 100644 index 0000000..817ddad --- /dev/null +++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml @@ -0,0 +1,31 @@ +{{- if eq .Values.global.ha.enabled true }} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: dapr-sentry-budget + labels: + app: dapr-sentry + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if .Values.global.ha.disruption.minimumAvailable }} + minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }} +{{- end }} +{{- if .Values.global.ha.disruption.maximumUnavailable }} + maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }} +{{- end }} + selector: + matchLabels: + app: dapr-sentry + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml new file mode 100644 index 0000000..3f81a0c --- /dev/null +++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml 
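Review bot: The sentry container's securityContext (inside the `daprControlPlaneOs "linux"` branch) only sets `runAsNonRoot` and, under `debug.enabled`, adds `SYS_PTRACE`; it never sets `allowPrivilegeEscalation: false` nor drops the default capability set, so the pod that mounts the `dapr-trust-bundle` Secret (including `issuer.key`) at `/var/run/dapr/credentials` runs with more privilege than it uses. Dropping `ALL` and re-adding `SYS_PTRACE` only in the debug branch keeps the debug path intact; `readOnlyRootFilesystem: true` would be a further step if sentry does not write to its filesystem, which the chart does not let me confirm. The dapr_sidecar_injector deployment in this commit has the same gap in its securityContext. Whitespace in this hunk is collapsed, so the indentation below is reconstructed.
```yaml
        securityContext:
          runAsNonRoot: {{ .Values.runAsNonRoot }}
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            {{- if eq .Values.debug.enabled true }}
            add:
              - SYS_PTRACE
            {{- end }}
# … unchanged: env, ports, resources, volumeMounts, command/args …
```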
@@ -0,0 +1,15 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: dapr-sentry
+ labels:
+ {{- range $key, $value := .Values.global.k8sLabels }}
+ {{ $key }}: {{ tpl $value $ }}
+ {{- end }}
+spec:
+ selector:
+ app: dapr-sentry
+ ports:
+ - protocol: TCP
+ port: {{ .Values.ports.port }}
+ targetPort: {{ .Values.ports.targetPort }}
\ No newline at end of file
diff --git a/helm-charts/dapr/charts/dapr_sentry/values.yaml b/helm-charts/dapr/charts/dapr_sentry/values.yaml
new file mode 100644
index 0000000..f0fbc69
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sentry/values.yaml
@@ -0,0 +1,44 @@
+replicaCount: 1
+logLevel: info
+component: sentry
+
+# Override this to use a custom sentry service image.
+# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
+# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
+image:
+ name: "sentry"
+
+nameOverride: ""
+fullnameOverride: ""
+
+tokenAudience: ""
+
+ports:
+ protocol: TCP
+ port: 80
+ targetPort: 50001
+
+tls:
+ issuer:
+ certPEM: ""
+ keyPEM: ""
+ root:
+ certPEM: ""
+ trustDomain: cluster.local
+
+livenessProbe:
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ failureThreshold: 5
+readinessProbe:
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ failureThreshold: 5
+
+debug:
+ enabled: false
+ port: 40000
+ initialDelaySeconds: 30000
+
+runAsNonRoot: true
+resources: {}
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/.helmignore b/helm-charts/dapr/charts/dapr_sidecar_injector/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/.helmignore
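Review bot: In the sentry values.yaml, `tls.issuer.keyPEM` and the two `certPEM` fields carry no comment explaining how they are consumed, and supplying a private key through values means Helm keeps it in the release record in addition to the `dapr-trust-bundle` Secret that the deployment template builds from it. That template already falls back to an existing `dapr-trust-bundle` Secret via `lookup`, so a comment above `tls:` such as `# Leave certPEM/keyPEM empty and pre-create the dapr-trust-bundle Secret to keep the issuer key out of Helm release values` would point operators to the path that does not persist key material in values. It would also help to note next to `trustDomain` that the value is passed unquoted to `--trust-domain` in the deployment template.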
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml
new file mode 100644
index 0000000..36693d5
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Dapr sidecar injector
+name: dapr_sidecar_injector
+version: 1.11.0
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
new file mode 100644
index 0000000..dda4051
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -0,0 +1,234 @@ +{{- if eq .Values.enabled true }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dapr-sidecar-injector + labels: + app: dapr-sidecar-injector + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +spec: +{{- if eq .Values.global.ha.enabled true }} + replicas: {{ .Values.global.ha.replicaCount }} +{{- else }} + replicas: {{ .Values.replicaCount }} +{{- end }} + selector: + matchLabels: + app: dapr-sidecar-injector + template: + metadata: + labels: + app: dapr-sidecar-injector + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} + {{- with .Values.global.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + annotations: + prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + prometheus.io/path: "/" +{{- end }} + spec: + {{- if .Values.hostNetwork }} + hostNetwork: true + {{- end }} + serviceAccountName: dapr-injector + containers: + - name: dapr-sidecar-injector + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.healthzPort }} + {{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + {{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} + {{- end }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.healthzPort }} + {{- if eq .Values.debug.enabled false }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + {{- else }} + initialDelaySeconds: {{ .Values.debug.initialDelaySeconds }} + {{- end }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- if contains "/" .Values.injectorImage.name }} + 
image: "{{ .Values.injectorImage.name }}" +{{- else }} + image: "{{ .Values.global.registry }}/{{ .Values.injectorImage.name }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- if eq .Values.global.daprControlPlaneOs "linux" }} + securityContext: + {{- if eq .Values.runAsNonRoot true }} + runAsNonRoot: {{ .Values.runAsNonRoot }} + {{- else }} + runAsUser: 1000 + {{- end }} + {{- if eq .Values.debug.enabled true }} + capabilities: + add: + - SYS_PTRACE + {{- end }} +{{- end }} + command: +{{- if eq .Values.debug.enabled false }} + - "/injector" +{{- else }} + - "/dlv" +{{- end }} + args: +{{- if eq .Values.debug.enabled true }} + - "--listen=:{{ .Values.debug.port }}" + - "--accept-multiclient" + - "--headless=true" + - "--log" + - "--api-version=2" + - "exec" + - "/injector" + - "--" +{{- end }} + - "--log-level" + - {{ .Values.logLevel }} +{{- if eq .Values.global.logAsJson true }} + - "--log-as-json" +{{- end }} +{{- if eq .Values.global.prometheus.enabled true }} + - "--enable-metrics" + - "--metrics-port" + - "{{ .Values.global.prometheus.port }}" +{{- else }} + - "--enable-metrics=false" +{{- end }} + - "--healthz-port" + - "{{ .Values.healthzPort }}" +{{- with .Values.global.issuerFilenames }} + - "--issuer-ca-secret-key" + - "{{ .ca }}" + - "--issuer-certificate-secret-key" + - "{{ .cert }}" + - "--issuer-key-secret-key" + - "{{ .key }}" +{{- end }} + env: + - name: TLS_CERT_FILE + value: /dapr/cert/tls.crt + - name: TLS_KEY_FILE + value: /dapr/cert/tls.key +{{- if .Values.kubeClusterDomain }} + - name: KUBE_CLUSTER_DOMAIN + value: "{{ .Values.kubeClusterDomain }}" +{{- end }} + - name: SIDECAR_IMAGE +{{- if contains "/" .Values.image.name }} + value: "{{ .Values.image.name }}" +{{- else }} + value: "{{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}" +{{- end }} + - name: SIDECAR_IMAGE_PULL_POLICY + value: "{{ .Values.sidecarImagePullPolicy }}" + - name: NAMESPACE + valueFrom: + 
fieldRef: + fieldPath: metadata.namespace +{{- if .Values.ignoreEntrypointTolerations }} + - name: IGNORE_ENTRYPOINT_TOLERATIONS + value: "{{ .Values.ignoreEntrypointTolerations }}" +{{- end }} +{{- if not .Values.global.actors.enabled }} + - name: SKIP_PLACEMENT + value: "true" +{{- end }} + - name: SIDECAR_RUN_AS_NON_ROOT + value: "{{ .Values.sidecarRunAsNonRoot }}" + - name: SIDECAR_DROP_ALL_CAPABILITIES + value: "{{ .Values.sidecarDropALLCapabilities }}" + - name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM + value: "{{ .Values.sidecarReadOnlyRootFilesystem }}" +{{- if .Values.allowedServiceAccounts }} + - name: ALLOWED_SERVICE_ACCOUNTS + value: "{{ .Values.allowedServiceAccounts }}" +{{- end }} +{{- if .Values.allowedServiceAccounts }} + - name: ALLOWED_SERVICE_ACCOUNTS + value: "{{ .Values.allowedServiceAccounts }}" +{{- end }} +{{- if .Values.allowedServiceAccountsPrefixNames }} + - name: ALLOWED_SERVICE_ACCOUNTS_PREFIX_NAMES + value: "{{ .Values.allowedServiceAccountsPrefixNames }}" +{{- end }} + ports: + - name: https + containerPort: 4000 + protocol: TCP +{{- if eq .Values.global.prometheus.enabled true }} + - name: metrics + containerPort: {{ .Values.global.prometheus.port }} + protocol: TCP +{{- end }} +{{- if eq .Values.debug.enabled true }} + - name: debug + containerPort: {{ .Values.debug.port }} + protocol: TCP +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + - name: cert + mountPath: /dapr/cert + readOnly: true + volumes: + - name: cert + secret: + secretName: dapr-sidecar-injector-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - {{ .Values.global.daprControlPlaneOs }} +{{- if .Values.global.daprControlPlaneArch }} + - key: kubernetes.io/arch + operator: In + values: + - {{ .Values.global.daprControlPlaneArch }} +{{- end }} +{{- if .Values.global.ha.enabled }} + podAntiAffinity: + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - dapr-sidecar-injector + topologyKey: topology.kubernetes.io/zone +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.imagePullSecrets }} +{{- end }} +{{- if .Values.global.nodeSelector }} + nodeSelector: +{{ toYaml .Values.global.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.global.tolerations }} + tolerations: +{{ toYaml .Values.global.tolerations | indent 8 }} +{{- end }} +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml new file mode 100644 index 0000000..4b6f8ee --- /dev/null +++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml 
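Review bot: The `ALLOWED_SERVICE_ACCOUNTS` env entry is rendered twice: the `{{- if .Values.allowedServiceAccounts }}` block appears back-to-back in the container's env list, so the rendered pod spec carries a duplicate env var name; the second copy should be removed. Separately, the securityContext fallback `{{- else }} runAsUser: 1000 {{- end }}` means that setting `runAsNonRoot: false` still yields a non-root UID rather than lifting the constraint, which may be intended but deserves a comment such as `# runAsNonRoot=false still pins the injector to UID 1000 rather than root`. As noted on the sentry deployment, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are also absent here.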
@@ -0,0 +1,33 @@
+{{- if eq .Values.enabled true }}
+{{- if eq .Values.global.ha.enabled true }}
+{{- if .Capabilities.APIVersions.Has "policy/v1" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ name: dapr-sidecar-injector-disruption-budget
+ labels:
+ app: dapr-sidecar-injector
+ {{- range $key, $value := .Values.global.k8sLabels }}
+ {{ $key }}: {{ tpl $value $ }}
+ {{- end }}
+spec:
+{{- if .Values.global.ha.disruption.minimumAvailable }}
+ minAvailable: {{ .Values.global.ha.disruption.minimumAvailable }}
+{{- end }}
+{{- if .Values.global.ha.disruption.maximumUnavailable }}
+ maxUnavailable: {{ .Values.global.ha.disruption.maximumUnavailable }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: dapr-sidecar-injector
+ {{- range $key, $value := .Values.global.k8sLabels }}
+ {{ $key }}: {{ tpl $value $ }}
+ {{- end }}
+ {{- with .Values.global.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml
new file mode 100644
index 0000000..837c3a1
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml
@@ -0,0 +1,19 @@
+{{- if eq .Values.enabled true }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: dapr-sidecar-injector
+ labels:
+ {{- range $key, $value := .Values.global.k8sLabels }}
+ {{ $key }}: {{ tpl $value $ }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app: dapr-sidecar-injector
+{{- end }}
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml
new file mode 100644
index 0000000..8253020
--- /dev/null
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml
@@ -0,0 +1,59 @@ +{{- if eq .Values.enabled true }} +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-sidecar-injector-cert"}} +{{- $existingWebHookConfig := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace "dapr-sidecar-injector"}} +{{- $ca := genCA "dapr-sidecar-injector-ca" 3650 }} +{{- $cn := printf "dapr-sidecar-injector" }} +{{- $altName1 := printf "dapr-sidecar-injector.%s" .Release.Namespace }} +{{- $altName2 := printf "dapr-sidecar-injector.%s.svc" .Release.Namespace }} +{{- $altName3 := printf "dapr-sidecar-injector.%s.svc.cluster" .Release.Namespace }} +{{- $altName4 := printf "dapr-sidecar-injector.%s.svc.cluster.local" .Release.Namespace }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: dapr-sidecar-injector-cert + labels: + app: dapr-sidecar-injector + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +data: + {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }} + {{ else }}tls.crt: {{ b64enc $cert.Cert }} + {{ end }} + + {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }} + {{ else }}tls.key: {{ b64enc $cert.Key }} + {{ end }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: dapr-sidecar-injector + labels: + app: dapr-sidecar-injector + {{- range $key, $value := .Values.global.k8sLabels }} + {{ $key }}: {{ tpl $value $ }} + {{- end }} +webhooks: +- name: sidecar-injector.dapr.io + reinvocationPolicy: IfNeeded + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: dapr-sidecar-injector + path: "/mutate" + caBundle: {{ if $existingWebHookConfig }}{{ (index $existingWebHookConfig.webhooks 0).clientConfig.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods 
+ operations: + - CREATE + failurePolicy: {{ .Values.webhookFailurePolicy}} + sideEffects: None + admissionReviewVersions: ["v1", "v1beta1"] +{{- end }} diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml new file mode 100644 index 0000000..67fbaf4 --- /dev/null +++ b/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml 
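Review bot: The serving certificate and the webhook `caBundle` are reused independently of each other: `tls.crt`/`tls.key` come from `$existingSecret` whenever the `dapr-sidecar-injector-cert` Secret exists, while `caBundle` comes from `$existingWebHookConfig` whenever the MutatingWebhookConfiguration exists, and a freshly generated `$ca`/`$cert` pair is used in each `else`. If only one of the two objects is present at upgrade time (for example the webhook configuration was deleted but the Secret kept), the API server is handed a caBundle that did not sign the certificate the injector serves, every admission call fails TLS verification, and with the default `webhookFailurePolicy: Ignore` from values.yaml pods are then admitted without a sidecar and without any error. Tie both sites to one condition, e.g. `{{- $reuse := and $existingSecret $existingWebHookConfig }}` and `{{ if $reuse }}` in place of the two separate checks, so that either both artefacts are reused or both are regenerated. A comment above the `genCA` line should also state that `lookup` returns nothing under `helm template` and dry-run, so those workflows regenerate the 3650-day CA on every render.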
@@ -0,0 +1,46 @@
+enabled: true
+replicaCount: 1
+logLevel: info
+component: sidecar-injector
+
+# Override this to use a custom sidecar image.
+# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
+# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.image.name }}:{{ .Values.global.tag }}
+image:
+ name: "daprd"
+
+# Override this to use a custom injector service image.
+# If the image name contains a "/", it is assumed to be a full docker image name, including the registry url and tag.
+# Otherwise, the helm chart will use {{ .Values.global.registry }}/{{ .Values.injectorImage.name }}:{{ .Values.global.tag }}
+injectorImage:
+ name: "injector"
+
+nameOverride: ""
+fullnameOverride: ""
+webhookFailurePolicy: Ignore
+sidecarImagePullPolicy: IfNotPresent
+runAsNonRoot: true
+sidecarRunAsNonRoot: true
+sidecarReadOnlyRootFilesystem: true
+sidecarDropALLCapabilities: false
+allowedServiceAccounts: ""
+allowedServiceAccountsPrefixNames: ""
+resources: {}
+kubeClusterDomain: cluster.local
+ignoreEntrypointTolerations: "[{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"alibabacloud.com/eci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"azure.com/aci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"aws\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"huawei.com/cci\\\"}]"
+hostNetwork: false
+healthzPort: 8080
+
+livenessProbe:
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ failureThreshold: 5
+readinessProbe:
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ failureThreshold: 5
+
+debug:
+ enabled: false
+ port: 40000
+ initialDelaySeconds: 30000
diff --git a/helm-charts/dapr/crds/components.yaml b/helm-charts/dapr/crds/components.yaml
new file mode 100644
index 0000000..e959dbb
--- /dev/null
+++ b/helm-charts/dapr/crds/components.yaml
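Review bot: `ignoreEntrypointTolerations` is a JSON list with triple-escaped quotes and no comment saying why; the deployment template re-quotes it as `value: "{{ .Values.ignoreEntrypointTolerations }}"`, so the extra escaping level is what survives that second double-quoted context, and a line such as `# JSON list; quotes are double-escaped because the deployment template wraps the value in double quotes again` would stop the next editor from "fixing" it. `sidecarDropALLCapabilities: false` and `webhookFailurePolicy: Ignore` are the two security-relevant defaults in this file and neither is explained; a one-line comment on each (that injected sidecars keep the runtime's default capability set unless this is set, and that `Ignore` lets pods be created without a sidecar when the injector cannot be reached) would make the trade-off visible to operators. `hostNetwork: false` likewise deserves a note that enabling it gives the injector pod the node's network namespace.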
@@ -0,0 +1,92 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: components.dapr.io + labels: + app.kubernetes.io/part-of: "dapr" +spec: + group: dapr.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Component describes an Dapr component type + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + auth: + description: Auth represents authentication details for the component + properties: + secretStore: + type: string + required: + - secretStore + type: object + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + scopes: + items: + type: string + type: array + spec: + description: ComponentSpec is the spec for a component + properties: + initTimeout: + type: string + ignoreErrors: + type: boolean + metadata: + items: + description: MetadataItem is a name/value pair for a metadata + properties: + name: + type: string + secretKeyRef: + description: SecretKeyRef is a reference to a secret holding + the value for the metadata item. Name is the secret name, + and key is the field in the secret. 
+ properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + value: + x-kubernetes-preserve-unknown-fields: true + required: + - name + type: object + type: array + type: + type: string + version: + type: string + required: + - metadata + - type + - version + type: object + type: object + served: true + storage: true + names: + kind: Component + plural: components + singular: component + categories: + - all + - dapr + scope: Namespaced diff --git a/helm-charts/dapr/crds/configuration.yaml b/helm-charts/dapr/crds/configuration.yaml new file mode 100644 index 0000000..e37c4af --- /dev/null +++ b/helm-charts/dapr/crds/configuration.yaml 
@@ -0,0 +1,403 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: configurations.dapr.io + labels: + app.kubernetes.io/part-of: "dapr" +spec: + group: dapr.io + names: + kind: Configuration + listKind: ConfigurationList + plural: configurations + singular: configuration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Configuration describes an Dapr configuration setting. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigurationSpec is the spec for an configuration. + properties: + accessControl: + description: AccessControlSpec is the spec object in ConfigurationSpec. + properties: + defaultAction: + type: string + policies: + items: + description: AppPolicySpec defines the policy data structure + for each app. + properties: + appId: + type: string + defaultAction: + type: string + namespace: + type: string + operations: + items: + description: AppOperationAction defines the data structure + for each app operation. 
+ properties: + action: + type: string + httpVerb: + items: + type: string + type: array + name: + type: string + required: + - action + - name + type: object + type: array + trustDomain: + type: string + required: + - appId + type: object + type: array + trustDomain: + type: string + type: object + api: + description: APISpec describes the configuration for Dapr APIs. + properties: + allowed: + description: List of allowed APIs. Can be used in conjunction with denied. + items: + description: APIAccessRule describes an access rule for allowing or denying a Dapr API. + properties: + name: + type: string + protocol: + type: string + version: + type: string + required: + - name + - version + type: object + type: array + denied: + description: List of denied APIs. Can be used in conjunction with allowed. + items: + description: APIAccessRule describes an access rule for allowing or denying a Dapr API. + properties: + name: + type: string + protocol: + type: string + version: + type: string + required: + - name + - version + type: object + type: array + type: object + appHttpPipeline: + description: PipelineSpec defines the middleware pipeline. + properties: + handlers: + items: + description: HandlerSpec defines a request handlers. + properties: + name: + type: string + selector: + description: SelectorSpec selects target services to which + the handler is to be applied. + properties: + fields: + items: + description: SelectorField defines a selector fields. 
+ properties: + field: + type: string + value: + type: string + required: + - field + - value + type: object + type: array + required: + - fields + type: object + type: + type: string + required: + - name + - type + type: object + type: array + required: + - handlers + type: object + components: + description: ComponentsSpec describes the configuration for Dapr components + properties: + deny: + description: Denylist of component types that cannot be instantiated + items: + type: string + type: array + type: object + features: + items: + description: FeatureSpec defines the features that are enabled/disabled. + properties: + enabled: + type: boolean + name: + type: string + required: + - enabled + - name + type: object + type: array + httpPipeline: + description: PipelineSpec defines the middleware pipeline. + properties: + handlers: + items: + description: HandlerSpec defines a request handlers. + properties: + name: + type: string + selector: + description: SelectorSpec selects target services to which + the handler is to be applied. + properties: + fields: + items: + description: SelectorField defines a selector fields. + properties: + field: + type: string + value: + type: string + required: + - field + - value + type: object + type: array + required: + - fields + type: object + type: + type: string + required: + - name + - type + type: object + type: array + required: + - handlers + type: object + logging: + description: LoggingSpec defines the configuration for logging. + properties: + apiLogging: + description: Configure API logging. + properties: + enabled: + description: Default value for enabling API logging. Sidecars can always override this by setting `--enable-api-logging` to true or false explicitly. The default value is false. + type: boolean + obfuscateURLs: + description: 'When enabled, obfuscates the values of URLs in HTTP API logs, logging the route name rather than the full path being invoked, which could contain PII. Default: false. 
This option has no effect if API logging is disabled.' + type: boolean + omitHealthChecks: + description: 'If true, health checks are not reported in API logs. Default: false. This option has no effect if API logging is disabled.' + type: boolean + type: object + type: object + metric: + default: + enabled: true + description: MetricSpec defines metrics configuration. + properties: + enabled: + type: boolean + rules: + items: + description: MetricsRule defines configuration options for a + metric. + properties: + labels: + items: + description: MetricsLabel defines an object that allows + to set regex expressions for a label. + properties: + name: + type: string + regex: + additionalProperties: + type: string + type: object + required: + - name + - regex + type: object + type: array + name: + type: string + required: + - labels + - name + type: object + type: array + required: + - enabled + type: object + metrics: + default: + enabled: true + description: MetricSpec defines metrics configuration. + properties: + enabled: + type: boolean + rules: + items: + description: MetricsRule defines configuration options for a + metric. + properties: + labels: + items: + description: MetricsLabel defines an object that allows + to set regex expressions for a label. + properties: + name: + type: string + regex: + additionalProperties: + type: string + type: object + required: + - name + - regex + type: object + type: array + name: + type: string + required: + - labels + - name + type: object + type: array + required: + - enabled + type: object + mtls: + description: MTLSSpec defines mTLS configuration. + properties: + allowedClockSkew: + type: string + enabled: + type: boolean + workloadCertTTL: + type: string + required: + - enabled + type: object + nameResolution: + description: NameResolutionSpec is the spec for name resolution configuration. 
+ properties: + component: + type: string + configuration: + description: DynamicValue is a dynamic value struct for the component.metadata + pair value. + type: object + x-kubernetes-preserve-unknown-fields: true + version: + type: string + required: + - component + - configuration + - version + type: object + secrets: + description: SecretsSpec is the spec for secrets configuration. + properties: + scopes: + items: + description: SecretsScope defines the scope for secrets. + properties: + allowedSecrets: + items: + type: string + type: array + defaultAccess: + type: string + deniedSecrets: + items: + type: string + type: array + storeName: + type: string + required: + - storeName + type: object + type: array + required: + - scopes + type: object + tracing: + description: TracingSpec defines distributed tracing configuration. + properties: + otel: + description: OtelSpec defines Otel exporter configurations. + properties: + endpointAddress: + type: string + isSecure: + type: boolean + protocol: + type: string + required: + - endpointAddress + - isSecure + - protocol + type: object + samplingRate: + type: string + stdout: + type: boolean + zipkin: + description: ZipkinSpec defines Zipkin trace configurations. + properties: + endpointAddress: + type: string + required: + - endpointAddress + type: object + required: + - samplingRate + type: object + type: object + type: object + served: true + storage: true diff --git a/helm-charts/dapr/crds/httpendpoints.yaml b/helm-charts/dapr/crds/httpendpoints.yaml new file mode 100644 index 0000000..2266759 --- /dev/null +++ b/helm-charts/dapr/crds/httpendpoints.yaml 
@@ -0,0 +1,82 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httpendpoints.dapr.io + labels: + app.kubernetes.io/part-of: "dapr" +spec: + group: dapr.io + names: + kind: HTTPEndpoint + listKind: HTTPEndpointList + plural: httpendpoints + singular: httpendpoint + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external service invocation. This endpoint can be external to Dapr, or external to the environment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + auth: + description: Auth represents authentication details for the component. + properties: + secretStore: + type: string + required: + - secretStore + type: object + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + scopes: + items: + type: string + type: array + spec: + description: HTTPEndpointSpec describes an access specification for allowing external service invocations. + properties: + baseUrl: + type: string + headers: + items: + description: Header is the name/value pair for a header specification. + properties: + name: + type: string + secretKeyRef: + description: SecretKeyRef is a reference to a secret holding the value for the metadata item. Name is the secret name, and key is the field in the secret. 
+ properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + value: + x-kubernetes-preserve-unknown-fields: true + required: + - name + type: object + type: array + required: + - baseUrl + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/helm-charts/dapr/crds/resiliency.yaml b/helm-charts/dapr/crds/resiliency.yaml new file mode 100644 index 0000000..ecc7a03 --- /dev/null +++ b/helm-charts/dapr/crds/resiliency.yaml 
@@ -0,0 +1,135 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: resiliencies.dapr.io + labels: + app.kubernetes.io/part-of: "dapr" +spec: + group: dapr.io + names: + kind: Resiliency + listKind: ResiliencyList + plural: resiliencies + singular: resiliency + categories: + - dapr + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + scopes: + items: + type: string + type: array + spec: + properties: + policies: + properties: + circuitBreakers: + additionalProperties: + properties: + interval: + type: string + maxRequests: + type: integer + timeout: + type: string + trip: + type: string + type: object + type: object + retries: + additionalProperties: + properties: + duration: + type: string + maxInterval: + type: string + maxRetries: + type: integer + policy: + type: string + type: object + type: object + timeouts: + additionalProperties: + type: string + type: object + type: object + targets: + properties: + actors: + additionalProperties: + properties: + circuitBreaker: + type: string + circuitBreakerCacheSize: + type: integer + circuitBreakerScope: + type: string + retry: + type: string + timeout: + type: string + type: object + type: object + apps: + additionalProperties: + properties: + circuitBreaker: + type: string + circuitBreakerCacheSize: + type: integer + retry: + type: string + timeout: + type: string + type: object + type: object + components: + additionalProperties: + properties: + inbound: + properties: + circuitBreaker: + type: string + retry: + type: string + timeout: + type: string + type: object + outbound: + properties: + circuitBreaker: + type: string + retry: + type: string + timeout: + type: string + type: object + type: object + type: object + type: object + required: + - policies + - targets + type: object + type: object + served: true + storage: true + diff --git a/helm-charts/dapr/crds/subscription.yaml b/helm-charts/dapr/crds/subscription.yaml new file mode 100644 index 0000000..cdf42c6 --- /dev/null +++ b/helm-charts/dapr/crds/subscription.yaml 
@@ -0,0 +1,174 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: subscriptions.dapr.io + labels: + app.kubernetes.io/part-of: "dapr" +spec: + group: dapr.io + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: replaceme # Patched by post-install webhook + name: dapr-webhook + path: /convert + #caBundle: Patched by post-install webhook + conversionReviewVersions: + - v1 + - v2alpha1 + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Subscription describes an pub/sub event subscription. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + scopes: + items: + type: string + type: array + spec: + description: SubscriptionSpec is the spec for an event subscription. 
+ properties: + pubsubname: + type: string + route: + type: string + topic: + type: string + deadLetterTopic: + type: string + bulkSubscribe: + description: Represents bulk subscribe properies + properties: + enabled: + type: boolean + maxMessagesCount: + type: integer + maxAwaitDurationMs: + type: integer + required: + - enabled + type: object + metadata: + additionalProperties: + type: string + type: object + required: + - pubsubname + - route + - topic + type: object + type: object + served: true + storage: false + - name: v2alpha1 + schema: + openAPIV3Schema: + description: Subscription describes an pub/sub event subscription. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + scopes: + items: + type: string + type: array + spec: + description: SubscriptionSpec is the spec for an event subscription. + properties: + metadata: + additionalProperties: + type: string + description: The optional metadata to provide the subscription. + type: object + pubsubname: + description: The PubSub component name. + type: string + routes: + description: The Routes configuration for this topic. + properties: + default: + type: string + rules: + description: The list of rules for this topic. + items: + description: Rule is used to specify the condition for sending + a message to a specific path. 
+ properties: + match: + description: The optional CEL expression used to match the + event. If the match is not specified, then the route is + considered the default. The rules are tested in the order + specified, so they should be define from most-to-least + specific. The default route should appear last in the + list. + type: string + path: + description: The path for events that match this rule. + type: string + required: + - match + - path + type: object + type: array + type: object + topic: + description: The topic name to subscribe to. + type: string + deadLetterTopic: + description: The optional dead letter queue for this topic to send events to. + type: string + bulkSubscribe: + description: Represents bulk subscribe properies + properties: + enabled: + type: boolean + maxMessagesCount: + type: integer + maxAwaitDurationMs: + type: integer + required: + - enabled + type: object + required: + - pubsubname + - routes + - topic + type: object + type: object + served: true + storage: true + names: + kind: Subscription + listKind: SubscriptionList + plural: subscriptions + singular: subscription + categories: + - all + - dapr + scope: Namespaced diff --git a/helm-charts/dapr/templates/NOTES.txt b/helm-charts/dapr/templates/NOTES.txt new file mode 100644 index 0000000..b28e23b --- /dev/null +++ b/helm-charts/dapr/templates/NOTES.txt @@ -0,0 +1,9 @@ +Thank you for installing Dapr: High-performance, lightweight serverless runtime for cloud and edge + +Your release is named {{ .Release.Name }}. + +To get started with Dapr, we recommend using our quickstarts: +https://github.com/dapr/quickstarts + +For more information on running Dapr, visit: +https://dapr.io diff --git a/helm-charts/dapr/templates/_helpers.tpl b/helm-charts/dapr/templates/_helpers.tpl new file mode 100644 index 0000000..93e6b50 --- /dev/null +++ b/helm-charts/dapr/templates/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s_operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8s_operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8s_operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/helm-charts/dapr/values.yaml b/helm-charts/dapr/values.yaml
new file mode 100644
index 0000000..fe98485
--- /dev/null
+++ b/helm-charts/dapr/values.yaml
@@ -0,0 +1,46 @@
+global:
+ registry: docker.io/daprio
+ tag: '1.11.0'
+ dnsSuffix: ".cluster.local"
+ logAsJson: false
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets: ""
+ nodeSelector: {}
+ tolerations: []
+ rbac:
+ namespaced: false
+ ha:
+ enabled: false
+ replicaCount: 3
+ disruption:
+ minimumAvailable: ""
+ maximumUnavailable: "25%"
+ prometheus:
+ enabled: true
+ port: 9090
+ mtls:
+ enabled: true
+ workloadCertTTL: 24h
+ allowedClockSkew: 15m
+ actors:
+ enabled: true
+ daprControlPlaneOs: linux
+ labels: {}
+ k8sLabels:
+ app.kubernetes.io/name: "{{ .Release.Name }}"
+ app.kubernetes.io/version: "{{ .Values.global.tag }}"
+ app.kubernetes.io/part-of: "dapr"
+ app.kubernetes.io/managed-by: "helm"
+ app.kubernetes.io/component: "{{ .Values.component }}" # Should be set in each subchart
+
+ issuerFilenames: {}
+ ## the issuerFilenames dictionary, if setup, have to contain 3 keys: ca,cert,key
+ # issuerFilenames:
+ # ca: "ca.crt"
+ # cert: "tls.crt"
+ # key: "tls.key"
+ argoRolloutServiceReconciler:
+ enabled: false
+
+ operator:
+ watchdogCanPatchPodLabels: false
diff --git a/watches.yaml b/watches.yaml
new file mode 100644
index 0000000..a799d8d
--- /dev/null
+++ b/watches.yaml
@@ -0,0 +1,12 @@
+# Use the 'create api' subcommand to add watches to this file.
+- group: dapr.dapr.io
+ version: v1alpha1
+ kind: Dapr
+ chart: helm-charts/dapr
+ overrideValues:
+ dapr_operator:runAsNonRoot: "true"
+ dapr_placement.runAsNonRoot: "true"
+ dapr_sentry.runAsNonRoot: "true"
+ dapr_dashboard.runAsNonRoot: "true"
+
+#+kubebuilder:scaffold:watch
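Review bot: The first `overrideValues` entry in watches.yaml, `dapr_operator:runAsNonRoot: "true"`, uses a colon where its three siblings use a dot (`dapr_placement.runAsNonRoot`, `dapr_sentry.runAsNonRoot`, `dapr_dashboard.runAsNonRoot`). As far as I recall, helm-operator resolves override keys as dot-separated value paths (the same notation as `helm --set`), so this entry would most likely become a literal top-level value named `dapr_operator:runAsNonRoot` rather than setting `runAsNonRoot` inside the `dapr_operator` subchart, leaving the operator pod without the non-root enforcement the other three components receive. The one-line fix is `dapr_operator.runAsNonRoot: "true"`. Since the subchart values are not part of this diff, a render of the chart with these four overrides would confirm which of them actually reach a pod securityContext.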