diff --git a/Makefile b/Makefile
index 9c5a542..9a33891 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ LOCALBIN := $(PROJECT_PATH)/bin
HELM_CHART_REPO ?= https://dapr.github.io/helm-charts
HELM_CHART ?= dapr
-HELM_CHART_VERSION ?= 1.11.3
+HELM_CHART_VERSION ?= 1.12.0
HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz
## Tool Versions
diff --git a/config/crd/dapr/components.yaml b/config/crd/dapr/components.yaml
index e959dbb..c6c23a2 100644
--- a/config/crd/dapr/components.yaml
+++ b/config/crd/dapr/components.yaml
@@ -12,7 +12,7 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: Component describes an Dapr component type
+ description: Component describes an Dapr component type.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@@ -20,7 +20,7 @@ spec:
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
- description: Auth represents authentication details for the component
+ description: Auth represents authentication details for the component.
properties:
secretStore:
type: string
@@ -39,32 +39,38 @@ spec:
type: string
type: array
spec:
- description: ComponentSpec is the spec for a component
+ description: ComponentSpec is the spec for a component.
properties:
- initTimeout:
- type: string
ignoreErrors:
type: boolean
+ initTimeout:
+ type: string
metadata:
items:
- description: MetadataItem is a name/value pair for a metadata
+ description: NameValuePair is a name/value pair.
properties:
+ envRef:
+ description: EnvRef is the name of an environmental variable
+ to read the value from.
+ type: string
name:
+ description: Name of the property.
type: string
secretKeyRef:
- description: SecretKeyRef is a reference to a secret holding
- the value for the metadata item. Name is the secret name,
- and key is the field in the secret.
+ description: SecretKeyRef is the reference of a value in a secret
+ store component.
properties:
key:
+ description: Field in the secret.
type: string
name:
+ description: Secret name.
type: string
required:
- - key
- name
type: object
value:
+ description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
required:
- name
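Review bot: The `required` list under `secretKeyRef` now names only `name`, so a metadata item can point at a secret without saying which key to read, and neither the new `description: Secret name.` nor `Field in the secret.` says what the runtime does then; if `key` is meant to default to the secret's name (I believe upstream Dapr does this, but nothing in this hunk shows it), state it, e.g. `description: Field in the secret. Defaults to the secret name when omitted.`. The item now has three value sources — `value` (plaintext), `envRef` and `secretKeyRef` — with no `oneOf`, so the schema admits an item that sets all of them and precedence is left entirely to the runtime; a sentence on `NameValuePair` saying which wins would prevent silent misconfiguration. The same `required` relaxation and the same three-source shape appear in the `headers` items of config/crd/dapr/httpendpoints.yaml. Since this file is generated by controller-gen, the descriptions belong on the Go type fields so they survive regeneration; the `metadata.items` schema continues past the end of the hunk.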
diff --git a/config/crd/dapr/configuration.yaml b/config/crd/dapr/configuration.yaml
index e37c4af..4668827 100644
--- a/config/crd/dapr/configuration.yaml
+++ b/config/crd/dapr/configuration.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.9.2
+ controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
name: configurations.dapr.io
labels:
@@ -224,13 +224,20 @@ spec:
description: Configure API logging.
properties:
enabled:
- description: Default value for enabling API logging. Sidecars can always override this by setting `--enable-api-logging` to true or false explicitly. The default value is false.
+ description: Default value for enabling API logging. Sidecars
+ can always override this by setting `--enable-api-logging`
+ to true or false explicitly. The default value is false.
type: boolean
obfuscateURLs:
- description: 'When enabled, obfuscates the values of URLs in HTTP API logs, logging the route name rather than the full path being invoked, which could contain PII. Default: false. This option has no effect if API logging is disabled.'
+ description: 'When enabled, obfuscates the values of URLs
+ in HTTP API logs, logging the route name rather than the
+ full path being invoked, which could contain PII. Default:
+ false. This option has no effect if API logging is disabled.'
type: boolean
omitHealthChecks:
- description: 'If true, health checks are not reported in API logs. Default: false. This option has no effect if API logging is disabled.'
+ description: 'If true, health checks are not reported in API
+ logs. Default: false. This option has no effect if API logging
+ is disabled.'
type: boolean
type: object
type: object
@@ -315,8 +322,34 @@ spec:
properties:
allowedClockSkew:
type: string
+ controlPlaneTrustDomain:
+ type: string
enabled:
type: boolean
+ sentryAddress:
+ type: string
+ tokenValidators:
+ description: Additional token validators to use. When Dapr is
+ running in Kubernetes mode, this is in addition to the built-in
+ "kubernetes" validator. In self-hosted mode, enabling a custom
+ validator will disable the built-in "insecure" validator.
+ items:
+ description: ValidatorSpec contains additional token validators
+ to use.
+ properties:
+ name:
+ description: Name of the validator
+ enum:
+ - jwks
+ type: string
+ options:
+ description: Options for the validator, if any
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - name
+ type: object
+ type: array
workloadCertTTL:
type: string
required:
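Review bot: `tokenValidators[].options` is a free-form object (`x-kubernetes-preserve-unknown-fields: true`) described only as `Options for the validator, if any`, so nothing at admission time checks the keys the `jwks` validator reads and a mistyped option is only discovered when Sentry starts validating tokens. With the enum admitting only `jwks`, the description could at least point at where the supported keys are defined, e.g. `description: Options for the validator, if any. For the jwks validator see the Dapr documentation for the supported keys.` — I have not verified the option names from this diff, so I do not propose them here. `sentryAddress` and `controlPlaneTrustDomain` are plain strings with no `pattern`; since this is the address sidecars fetch workload certificates from, a malformed value is again only caught at runtime. These fields are generated from the Go types by controller-gen v0.11.3, so any marker or doc comment belongs in the source types rather than in this file.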
@@ -397,6 +430,12 @@ spec:
required:
- samplingRate
type: object
+ wasm:
+ description: WasmSpec describes the security profile for all Dapr Wasm components.
+ properties:
+ strictSandbox:
+ type: boolean
+ type: object
type: object
type: object
served: true
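Review bot: `wasm.strictSandbox` carries no `description` and no `default`, although its parent `WasmSpec` is described as the security profile for all Dapr Wasm components, so a reader of `kubectl explain` cannot tell which profile an omitted value selects. Propose a field description along the lines of `description: Enables the strict sandbox profile for Wasm components. When omitted the runtime default applies.` — whether that runtime default is the permissive profile is not visible in this diff, so confirm before stating it. The file is generated by controller-gen, so add the doc comment on the Go field. The enclosing `spec` schema continues before and after the hunk.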
diff --git a/config/crd/dapr/httpendpoints.yaml b/config/crd/dapr/httpendpoints.yaml
index 2266759..82c3446 100644
--- a/config/crd/dapr/httpendpoints.yaml
+++ b/config/crd/dapr/httpendpoints.yaml
@@ -18,10 +18,14 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external service invocation. This endpoint can be external to Dapr, or external to the environment.
+ description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external
+ service invocation. This endpoint can be external to Dapr, or external to
+ the environment.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
description: Auth represents authentication details for the component.
@@ -32,7 +36,9 @@ spec:
- secretStore
type: object
kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -41,28 +47,113 @@ spec:
type: string
type: array
spec:
- description: HTTPEndpointSpec describes an access specification for allowing external service invocations.
+ description: HTTPEndpointSpec describes an access specification for allowing
+ external service invocations.
properties:
baseUrl:
type: string
+ clientTLS:
+ description: TLS describes how to build client or server TLS configurations.
+ properties:
+ certificate:
+ description: TLSDocument describes and in-line or pointer to a
+ document to build a TLS configuration.
+ properties:
+ secretKeyRef:
+ description: SecretKeyRef is the reference of a value in a
+ secret store component.
+ properties:
+ key:
+ description: Field in the secret.
+ type: string
+ name:
+ description: Secret name.
+ type: string
+ required:
+ - name
+ type: object
+ value:
+ description: Value of the property, in plaintext.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ privateKey:
+ description: TLSDocument describes and in-line or pointer to a
+ document to build a TLS configuration.
+ properties:
+ secretKeyRef:
+ description: SecretKeyRef is the reference of a value in a
+ secret store component.
+ properties:
+ key:
+ description: Field in the secret.
+ type: string
+ name:
+ description: Secret name.
+ type: string
+ required:
+ - name
+ type: object
+ value:
+ description: Value of the property, in plaintext.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ renegotiation:
+ default: Never
+ description: Renegotiation sets the underlying tls negotiation
+ strategy for an http channel.
+ enum:
+ - Never
+ - OnceAsClient
+ - FreelyAsClient
+ type: string
+ rootCA:
+ description: TLSDocument describes and in-line or pointer to a
+ document to build a TLS configuration.
+ properties:
+ secretKeyRef:
+ description: SecretKeyRef is the reference of a value in a
+ secret store component.
+ properties:
+ key:
+ description: Field in the secret.
+ type: string
+ name:
+ description: Secret name.
+ type: string
+ required:
+ - name
+ type: object
+ value:
+ description: Value of the property, in plaintext.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
headers:
items:
- description: Header is the name/value pair for a header specification.
+ description: NameValuePair is a name/value pair.
properties:
+ envRef:
+ description: EnvRef is the name of an environmental variable
+ to read the value from.
+ type: string
name:
+ description: Name of the property.
type: string
secretKeyRef:
- description: SecretKeyRef is a reference to a secret holding the value for the metadata item. Name is the secret name, and key is the field in the secret.
+ description: SecretKeyRef is the reference of a value in a secret
+ store component.
properties:
key:
+ description: Field in the secret.
type: string
name:
+ description: Secret name.
type: string
required:
- - key
- name
type: object
value:
+ description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
required:
- name
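Review bot: `clientTLS.privateKey.value` accepts the key material inline ("Value of the property, in plaintext") with no guidance, so an HTTPEndpoint can carry a private key in an object readable by anyone with `get` on httpendpoints in that namespace, whereas `secretKeyRef` keeps it in a Secret; the description could steer users, e.g. `description: Value of the property, in plaintext. For privateKey prefer secretKeyRef so the key lives in a Secret.`. The `renegotiation` description does not say that `FreelyAsClient` allows the server to request renegotiation repeatedly and that renegotiation does not exist in TLS 1.3 (the enum presumably maps onto Go's tls.RenegotiationSupport values), which is what justifies keeping `Never` as the default — worth one sentence in the description. The three `TLSDocument` descriptions read "describes and in-line or pointer", presumably "an in-line", and because `secretKeyRef` and `value` have no `oneOf` the schema admits both being set, leaving precedence to the runtime. The `headers` items share the `required` relaxation already noted on components.yaml, and the `spec` schema continues past the end of the hunk.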
diff --git a/config/crd/dapr/subscription.yaml b/config/crd/dapr/subscription.yaml
index cdf42c6..afd2322 100644
--- a/config/crd/dapr/subscription.yaml
+++ b/config/crd/dapr/subscription.yaml
@@ -54,9 +54,9 @@ spec:
deadLetterTopic:
type: string
bulkSubscribe:
- description: Represents bulk subscribe properies
+ description: Represents bulk subscribe properties
properties:
- enabled:
+ enabled:
type: boolean
maxMessagesCount:
type: integer
@@ -144,9 +144,9 @@ spec:
description: The optional dead letter queue for this topic to send events to.
type: string
bulkSubscribe:
- description: Represents bulk subscribe properies
+ description: Represents bulk subscribe properties
properties:
- enabled:
+ enabled:
type: boolean
maxMessagesCount:
type: integer
diff --git a/helm-charts/dapr/Chart.yaml b/helm-charts/dapr/Chart.yaml
index f6320e9..faf0f0d 100644
--- a/helm-charts/dapr/Chart.yaml
+++ b/helm-charts/dapr/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
-appVersion: 1.11.3
+appVersion: 1.12.0
description: A Helm chart for Dapr on Kubernetes
name: dapr
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/README.md b/helm-charts/dapr/README.md
index 70e21d6..4a2010d 100644
--- a/helm-charts/dapr/README.md
+++ b/helm-charts/dapr/README.md
@@ -78,9 +78,9 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.tag` | Docker image version tag | latest release |
| `global.logAsJson` | Json log format for control plane services | `false` |
| `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` |
-| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry | `""` |
+| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry. Its value can be: a string with single imagePullSecret, an array of `{name: pullSecret}` maps (Kubernetes-style), or an array of strings | `[]` |
| `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` |
-| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode | `3` |
+| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode
Note that in HA mode, Dapr Placement has 3 replicas and that cannot be configured. | `3` |
| `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` |
| `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. | `25%` |
| `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` |
@@ -88,6 +88,17 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.mtls.enabled` | Mutual TLS enablement | `true` |
| `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` |
| `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` |
+| `global.mtls.controlPlaneTrustDomain ` | Trust domain for control plane | `cluster.local` |
+| `global.mtls.sentryAddress` | Sentry address for control plane | `dapr-sentry.{{ .ReleaseNamespace }}.svc:443` |
+| `global.mtls.mountSentryToken` | Gates whether the sentry bound service account token volume is mounted to control plane pods | `true` |
+| `global.extraVolumes.sentry` | Array of extra volumes to make available to sentry pods | `[]` |
+| `global.extraVolumes.placement` | Array of extra volumes to make available to placement pods | `[]` |
+| `global.extraVolumes.operator` | Array of extra volumes to make available to operator pods | `[]` |
+| `global.extraVolumes.injector` | Array of extra volumes to make available to sidecar injector pods | `[]` |
+| `global.extraVolumeMounts.sentry` | Array of extra volume mounts to make available to sentry pod containers | `[]` |
+| `global.extraVolumeMounts.placement` | Array of extra volume mounts to make available to placement pod containers | `[]` |
+| `global.extraVolumeMounts.operator` | Array of extra volume mounts to make available to operator pod containers | `[]` |
+| `global.extraVolumeMounts.injector` | Array of extra volume mounts to make available to sidecar injector pod containers | `[]` |
| `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` |
| `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` |
| `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` |
@@ -98,38 +109,43 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.issuerFilenames.ca` | Custom name of the file containing the root CA certificate inside the container | `ca.crt` |
| `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` |
| `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
-| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
+| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
+| `global.seccompProfile` | SeccompProfile for Dapr control plane services | `""` |
| `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` |
| `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` |
### Dapr Operator options:
-| Parameter | Description | Default |
-|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
-| `dapr_operator.replicaCount` | Number of replicas | `1` |
-| `dapr_operator.logLevel` | Log level | `info` |
-| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` |
-| `dapr_operator.maxPodRestartsPerMinute` | Maximum number of pods in an invalid state that can be restarted per minute | `20` |
-| `dapr_operator.image.name` | Docker image name (`global.registry/dapr_operator.image.name`) | `dapr` |
-| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
-| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
-| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` |
-| `dapr_operator.serviceReconciler.enabled`| If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.
Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
-| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` |
+| Parameter | Description | Default |
+|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
+| `dapr_operator.replicaCount` | Number of replicas | `1` |
+| `dapr_operator.logLevel` | Log level | `info` |
+| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` |
+| `dapr_operator.maxPodRestartsPerMinute` | Maximum number of pods in an invalid state that can be restarted per minute | `20` |
+| `dapr_operator.image.name` | Docker image name (`global.registry/dapr_operator.image.name`) | `dapr` |
+| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
+| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
+| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| `dapr_operator.serviceReconciler.enabled` | If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.
Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
+| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` |
+| `dapr_operator.deploymentAnnotations` | Custom annotations for Dapr Operator Deployment | `{}` |
### Dapr Placement options:
-| Parameter | Description | Default |
-|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
-| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` |
-| `dapr_placement.logLevel` | Service Log level | `info` |
-| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` |
-| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when `global.ha.enabled` is true | `false` |
-| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when `global.ha.enabled` is true | `/var/run/dapr/raft-log` |
-| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when `global.ha.enabled` is true | `C:\\raft-log` |
-| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` |
-| `dapr_placement.volumeclaims.storageClassName` | storage class name | |
-| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` |
-| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
-| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| Parameter | Description | Default |
+|------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
+| `dapr_placement.ha` | If set to true, deploys the Placement service with 3 nodes regardless of the value of `global.ha.enabled` | `false` |
+| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` |
+| `dapr_placement.logLevel` | Service Log level | `info` |
+| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` |
+| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when HA is true | `false` |
+| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when HA is true | `/var/run/dapr/raft-log` |
+| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when HA is true | `C:\\raft-log` |
+| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` |
+| `dapr_placement.volumeclaims.storageClassName` | storage class name | |
+| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` |
+| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
+| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| `dapr_placement.metadataEnabled` | Boolean value for enabling placement tables metadata HTTP API | `false` |
+| `dapr_placement.statefulsetAnnotations` | Custom annotations for Dapr Placement Statefulset | `{}` |
### Dapr RBAC options:
| Parameter | Description | Default |
@@ -138,42 +154,43 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_rbac.secretReader.namespace` | Namespace for the default secret reader | `default` |
### Dapr Sentry options:
-| Parameter | Description | Default |
-|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
-| `dapr_sentry.replicaCount` | Number of replicas | `1` |
-| `dapr_sentry.logLevel` | Log level | `info` |
-| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` |
-| `dapr_sentry.tls.issuer.certPEM` | Issuer Certificate cert | `""` |
-| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` |
-| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` |
-| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
-| `dapr_sentry.trustDomain` | Trust domain (logical group to manage app trust relationship) for access control list | `cluster.local` |
-| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
-| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
-| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| Parameter | Description | Default |
+|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
+| `dapr_sentry.replicaCount` | Number of replicas | `1` |
+| `dapr_sentry.logLevel` | Log level | `info` |
+| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` |
+| `dapr_sentry.tls.issuer.certPEM` | Issuer Certificate cert | `""` |
+| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` |
+| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` |
+| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
+| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
+| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
+| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| `dapr_sentry.deploymentAnnotations` | Custom annotations for Dapr Sentry Deployment | `{}` |
### Dapr Sidecar Injector options:
-| Parameter | Description | Default |
-|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
-| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` |
-| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` |
-| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` |
-| `dapr_sidecar_injector.logLevel` | Log level | `info` |
-| `dapr_sidecar_injector.image.name` | Docker image name for Dapr runtime sidecar to inject into an application (`global.registry/dapr_sidecar_injector.image.name`) | `daprd`|
-| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`|
-| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` |
-| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
-| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
-| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
-| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
-| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
+| Parameter | Description | Default |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
+| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` |
+| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` |
+| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` |
+| `dapr_sidecar_injector.logLevel` | Log level | `info` |
+| `dapr_sidecar_injector.image.name` | Docker image name for Dapr runtime sidecar to inject into an application (`global.registry/dapr_sidecar_injector.image.name`) | `daprd`|
+| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`|
+| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` |
+| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
+| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
+| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
+| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
+| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` |
-| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
-| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
-| `dapr_sidecar_injector.kubeClusterDomain` | Domain for this kubernetes cluster. If not set, will auto-detect the cluster domain through the `/etc/resolv.conf` file `search domains` content. | `cluster.local` |
-| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` |
-| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` |
-| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` |
+| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
+| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
+| `dapr_sidecar_injector.kubeClusterDomain` | Domain for this kubernetes cluster. If not set, will auto-detect the cluster domain through the `/etc/resolv.conf` file `search domains` content. | `cluster.local` |
+| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` |
+| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` |
+| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` |
+| `dapr_sidecar.deploymentAnnotations` | Custom annotations for Dapr sidecar Deployment | `{}` |
## Example of highly available configuration of the control plane
diff --git a/helm-charts/dapr/charts/dapr_config/Chart.yaml b/helm-charts/dapr/charts/dapr_config/Chart.yaml
index 795540b..091ce4b 100644
--- a/helm-charts/dapr/charts/dapr_config/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_config/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr configuration
name: dapr_config
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml b/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml
index 1458475..d2adef6 100644
--- a/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml
+++ b/helm-charts/dapr/charts/dapr_config/templates/dapr_default_config.yaml
@@ -3,6 +3,7 @@ apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: {{ .Values.dapr_default_system_config_name }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -12,4 +13,6 @@ spec:
enabled: {{ .Values.global.mtls.enabled }}
workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }}
allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }}
+ controlPlaneTrustDomain: {{ .Values.global.mtls.controlPlaneTrustDomain }}
+ sentryAddress: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- end }}
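Review bot: The `sentryAddress` fallback on the new line hard-codes the `.svc.cluster.local` suffix, so a cluster with a custom DNS domain gets an unresolvable default unless `global.mtls.sentryAddress` is set explicitly. The injector chart already carries a `kubeClusterDomain` value for exactly this case, so a global value (or a shared named template) would let this default follow it. Both new values are also rendered unquoted, so an empty `controlPlaneTrustDomain` renders as YAML null rather than a string; `controlPlaneTrustDomain: {{ .Values.global.mtls.controlPlaneTrustDomain | quote }}` avoids that.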
diff --git a/helm-charts/dapr/charts/dapr_config/values.yaml b/helm-charts/dapr/charts/dapr_config/values.yaml
index 0bc86c2..2173cfc 100644
--- a/helm-charts/dapr/charts/dapr_config/values.yaml
+++ b/helm-charts/dapr/charts/dapr_config/values.yaml
@@ -1,4 +1,4 @@
-# This value is essential in determining whether to build this chart or not based on the usecase. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
+# This value is essential in determining whether to build this chart or not based on the use case. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
dapr_config_chart_included: true
dapr_default_system_config_name: "daprsystem"
component: config
diff --git a/helm-charts/dapr/charts/dapr_operator/Chart.yaml b/helm-charts/dapr/charts/dapr_operator/Chart.yaml
index 2fe563e..ce2f47e 100644
--- a/helm-charts/dapr/charts/dapr_operator/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_operator/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes Operator
name: dapr_operator
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
index 6307031..81c7434 100644
--- a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
+++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
@@ -1,48 +1,8 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-cert"}}
-{{- $existingCA := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-ca"}}
-{{- $ca := genCA "dapr-webhook-ca" 3650 }}
-{{- $cn := printf "dapr-webhook" }}
-{{- $altName1 := printf "dapr-webhook.%s" .Release.Namespace }}
-{{- $altName2 := printf "dapr-webhook.%s.svc" .Release.Namespace }}
-{{- $altName3 := printf "dapr-webhook.%s.svc.cluster" .Release.Namespace }}
-{{- $altName4 := printf "dapr-webhook.%s.svc.cluster.local" .Release.Namespace }}
-{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: dapr-webhook-cert
- labels:
- app: dapr-operator
- {{- range $key, $value := .Values.global.k8sLabels }}
- {{ $key }}: {{ tpl $value $ }}
- {{- end }}
-data:
- {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
- {{ else }}tls.crt: {{ b64enc $cert.Cert }}
- {{ end }}
-
- {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
- {{ else }}tls.key: {{ b64enc $cert.Key }}
- {{ end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: dapr-webhook-ca
- labels:
- app: dapr-operator
- {{- range $key, $value := .Values.global.k8sLabels }}
- {{ $key }}: {{ tpl $value $ }}
- {{- end }}
-data:
- {{ if $existingCA }}caBundle: {{ index $existingCA.data "caBundle" }}
- {{ else }}caBundle: {{ b64enc $ca.Cert }}
- {{ end }}
----
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-operator
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
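Review bot: With the Helm-generated `dapr-webhook-cert`/`dapr-webhook-ca` Secrets gone from the release, `helm upgrade` deletes them from the cluster, so the operator's webhook (served on the `dapr-webhook` Service) must now obtain its serving certificate elsewhere and something must keep the matching webhook configuration's `caBundle` in step with the new trust root; neither piece is visible in this hunk. A template comment pointing at where the certificate now comes from would save the next reader the search. The `global.issuerFilenames` value is also no longer consumed by this Deployment, which belongs in the upgrade notes.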
@@ -67,11 +27,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
-{{- if eq .Values.global.prometheus.enabled true }}
annotations:
+ dapr.io/control-plane: operator
+{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
+{{- end }}
+{{- if .Values.deploymentAnnotations }}
+{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
containers:
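Review bot: `toYaml .Values.deploymentAnnotations | indent 4` looks one level shallower than the rest of this annotations block: the sibling labels block in the same pod-template metadata uses `nindent 8`, and the prometheus annotations just above presumably sit at that depth too. Leading whitespace is not preserved in this diff, so please check the rendered template with `deploymentAnnotations` set; if the keys land under `metadata` instead of `annotations`, `indent 8` is the fix. The same construct is repeated for `statefulsetAnnotations` in the placement template and `deploymentAnnotations` in the sentry and injector templates.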
@@ -107,11 +71,18 @@ spec:
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
runAsNonRoot: {{ .Values.runAsNonRoot }}
-{{- if eq .Values.debug.enabled true }}
+ {{- if eq .Values.debug.enabled true }}
capabilities:
- add:
- - SYS_PTRACE
-{{- end }}
+ add: ["SYS_PTRACE"]
+ {{- else }}
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ {{- if .Values.global.seccompProfile }}
+ seccompProfile:
+ type: {{ .Values.global.seccompProfile }}
+ {{- end }}
{{- end }}
env:
- name: NAMESPACE
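Review bot: The hardened branch drops all capabilities and makes the root filesystem read-only, but neither branch sets `allowPrivilegeEscalation: false`, which the restricted Pod Security Standard requires alongside `capabilities.drop: [ALL]`. It does not interact with the debug toggle, so it can sit unconditionally next to `runAsNonRoot`: `allowPrivilegeEscalation: false`. The placement, sentry and injector templates in this change have the same shape and would take the same line.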
@@ -133,16 +104,22 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- - name: credentials
- mountPath: /var/run/dapr/credentials
- readOnly: true
- - name: webhook-creds
- {{- if eq .Values.global.daprControlPlaneOs "windows" }}
- mountPath: "C:\\Windows\\TEMP\\k8s-webhook-server\\serving-certs"
- {{- else }}
- mountPath: /tmp/k8s-webhook-server/serving-certs
- {{- end }}
- readOnly: true
+ - name: dapr-trust-bundle
+ mountPath: /var/run/secrets/dapr.io/tls
+ readOnly: true
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ mountPath: /var/run/secrets/dapr.io/sentrytoken
+ readOnly: true
+ {{- end }}
+ {{- if eq .Values.debug.enabled false }}
+ # This is not needed in debug mode because the root FS is writable
+ - name: dapr-operator-tmp
+ mountPath: /tmp
+ {{- end }}
+ {{- with .Values.global.extraVolumeMounts.operator }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/operator"
@@ -166,6 +143,8 @@ spec:
- "{{ .Values.maxPodRestartsPerMinute }}"
- "--log-level"
- "{{ .Values.logLevel }}"
+ - "--trust-anchors-file"
+ - "/var/run/secrets/dapr.io/tls/ca.crt"
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
@@ -176,14 +155,6 @@ spec:
{{- else }}
- "--enable-metrics=false"
{{- end }}
-{{- with .Values.global.issuerFilenames }}
- - "--issuer-ca-filename"
- - "{{ .ca }}"
- - "--issuer-certificate-filename"
- - "{{ .cert }}"
- - "--issuer-key-filename"
- - "{{ .key }}"
-{{- end }}
{{- if .Values.watchNamespace }}
- "--watch-namespace"
- "{{ .Values.watchNamespace }}"
@@ -199,12 +170,25 @@ spec:
{{- end }}
serviceAccountName: dapr-operator
volumes:
- - name: credentials
- secret:
- secretName: dapr-trust-bundle
- - name: webhook-creds
- secret:
- secretName: dapr-webhook-cert
+ - name: dapr-operator-tmp
+ emptyDir:
+ sizeLimit: 2Mi
+ medium: Memory
+ - name: dapr-trust-bundle
+ configMap:
+ name: dapr-trust-bundle
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 600
+ audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+ {{- end }}
+ {{- with .Values.global.extraVolumes.operator }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
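Review bot: The trust anchors the operator validates sentry against now come from the `dapr-trust-bundle` ConfigMap rather than a Secret, which puts the control-plane trust root in an object that any principal with ConfigMap write in the release namespace can replace. That is a reasonable choice since the CA certificate is public, but it should be stated in the values documentation or a template comment so RBAC reviews treat ConfigMap write in this namespace as sensitive. The 600-second projected token is refreshed in place by the kubelet, so the operator must re-read `/var/run/secrets/dapr.io/sentrytoken/token` per sentry request rather than caching it at startup; that is binary behaviour not visible here, so worth confirming.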
@@ -235,7 +219,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- - name: {{ .Values.global.imagePullSecrets }}
+ {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml
index 5ca533e..7069fae 100644
--- a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml
+++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_poddisruptionbudget.yaml
@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-operator-disruption-budget
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
diff --git a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml
index fb994a6..10ffaa8 100644
--- a/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml
+++ b/helm-charts/dapr/charts/dapr_operator/templates/dapr_operator_service.yaml
@@ -2,6 +2,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-api
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -18,6 +19,7 @@ apiVersion: v1
kind: Service
metadata:
name: dapr-webhook
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_operator/values.yaml b/helm-charts/dapr/charts/dapr_operator/values.yaml
index 21a19ac..6f81c33 100644
--- a/helm-charts/dapr/charts/dapr_operator/values.yaml
+++ b/helm-charts/dapr/charts/dapr_operator/values.yaml
@@ -14,6 +14,8 @@ image:
nameOverride: ""
fullnameOverride: ""
+deploymentAnnotations: {}
+
runAsNonRoot: true
serviceReconciler:
diff --git a/helm-charts/dapr/charts/dapr_placement/Chart.yaml b/helm-charts/dapr/charts/dapr_placement/Chart.yaml
index 6b7c187..e13389b 100644
--- a/helm-charts/dapr/charts/dapr_placement/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_placement/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes placement
name: dapr_placement
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml
index b26d4f1..1ecd7f5 100644
--- a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml
+++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml
@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-placement-server-disruption-budget
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml
index 7b7e443..42f2554 100644
--- a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml
+++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml
@@ -3,6 +3,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-placement-server
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
diff --git a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
index 6fa87ea..e805dbf 100644
--- a/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
+++ b/helm-charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
@@ -3,13 +3,14 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dapr-placement-server
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
-{{- if eq .Values.global.ha.enabled true }}
+{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
replicas: 3
{{- else }}
replicas: 1
@@ -29,11 +30,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
-{{- if eq .Values.global.prometheus.enabled true }}
annotations:
+ dapr.io/control-plane: placement
+{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
+{{- end }}
+{{- if .Values.statefulsetAnnotations }}
+{{ toYaml .Values.statefulsetAnnotations | indent 4}}
{{- end }}
spec:
containers:
@@ -69,10 +74,17 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- - name: credentials
- mountPath: /var/run/dapr/credentials
+ - name: dapr-trust-bundle
+ mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
-{{- if eq .Values.global.ha.enabled true }}
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ mountPath: /var/run/secrets/dapr.io/sentrytoken
+ {{- end }}
+ {{- with .Values.global.extraVolumeMounts.placement }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
- name: raft-log
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
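Review bot: The `dapr-identity-token` mount added in this hunk has no `readOnly: true`, unlike the `dapr-trust-bundle` mount just above it and the identical token mounts in the operator and injector templates in this change. A projected service-account token volume never needs to be writable, so add `readOnly: true` under `mountPath: /var/run/secrets/dapr.io/sentrytoken` for consistency and least privilege.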
@@ -109,7 +121,7 @@ spec:
- "/placement"
- "--"
{{- end }}
-{{- if eq .Values.global.ha.enabled true }}
+{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
- "--id"
- "$(PLACEMENT_ID)"
- "--initial-cluster"
@@ -128,6 +140,9 @@ spec:
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
+{{- if eq .Values.metadataEnabled true }}
+ - "--metadata-enabled"
+{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--replicationFactor"
@@ -138,14 +153,10 @@ spec:
- "--enable-metrics=false"
{{- end }}
- "--tls-enabled"
-{{- with .Values.global.issuerFilenames }}
- - "--issuer-ca-filename"
- - "{{ .ca }}"
- - "--issuer-certificate-filename"
- - "{{ .cert }}"
- - "--issuer-key-filename"
- - "{{ .key }}"
-{{- end }}
+ - "--trust-domain={{ .Values.global.mtls.controlPlaneTrustDomain }}"
+ - "--trust-anchors-file=/var/run/secrets/dapr.io/tls/ca.crt"
+ - "--sentry-address={{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}"
+ - "--mode=kubernetes"
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
{{- if eq .Values.cluster.forceInMemoryLog true }}
@@ -153,11 +164,18 @@ spec:
{{- else }}
runAsUser: 0
{{- end }}
-{{- if eq .Values.debug.enabled true }}
+ {{- if eq .Values.debug.enabled true }}
capabilities:
- add:
- - SYS_PTRACE
-{{- end }}
+ add: ["SYS_PTRACE"]
+ {{- else }}
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ {{- if .Values.global.seccompProfile }}
+ seccompProfile:
+ type: {{ .Values.global.seccompProfile }}
+ {{- end }}
{{- end }}
env:
- name: PLACEMENT_ID
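Review bot: In the persistent raft-log configuration the context just above this hunk keeps `runAsUser: 0`, so the new `drop: [ALL]` and read-only root filesystem harden a container that still runs as root and writes its volume as root. If root is only needed for volume ownership, a non-root `runAsUser` together with a pod-level `fsGroup` on the StatefulSet would remove that exception; the reason for `runAsUser: 0` is outside the hunk, so please confirm. Either way `allowPrivilegeEscalation: false` is missing from both branches and is safe to add next to the capabilities settings.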
@@ -170,9 +188,21 @@ spec:
fieldPath: metadata.namespace
serviceAccountName: dapr-placement
volumes:
- - name: credentials
- secret:
- secretName: dapr-trust-bundle
+ - name: dapr-trust-bundle
+ configMap:
+ name: dapr-trust-bundle
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 600
+ audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+ {{- end }}
+ {{- with .Values.global.extraVolumes.placement }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -203,7 +233,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- - name: {{ .Values.global.imagePullSecrets }}
+ {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
@@ -213,7 +243,7 @@ spec:
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
-{{- if eq .Values.global.ha.enabled true }}
+{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
volumeClaimTemplates:
- metadata:
diff --git a/helm-charts/dapr/charts/dapr_placement/values.yaml b/helm-charts/dapr/charts/dapr_placement/values.yaml
index f057da4..06ee8e2 100644
--- a/helm-charts/dapr/charts/dapr_placement/values.yaml
+++ b/helm-charts/dapr/charts/dapr_placement/values.yaml
@@ -10,11 +10,15 @@ image:
nameOverride: ""
fullnameOverride: ""
+statefulsetAnnotations: {}
+
ports:
protocol: TCP
apiPort: 50005
raftRPCPort: 8201
+ha: false
+
cluster:
forceInMemoryLog: false
logStorePath: /var/run/dapr/raft-log
@@ -26,6 +30,8 @@ volumeclaims:
replicationFactor: 100
+metadataEnabled: false
+
livenessProbe:
initialDelaySeconds: 10
periodSeconds: 3
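Review bot: `metadataEnabled: false` is added without a comment, while the flag it drives (`--metadata-enabled` in the placement StatefulSet) turns on an additional endpoint on the placement service. A one-line comment would stop operators flipping it on without knowing what it exposes, e.g. `# Passes --metadata-enabled to placement, exposing its metadata endpoint; leave disabled unless you need it.` What the endpoint serves is not visible in this change, so word the comment to match the binary's documentation.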
diff --git a/helm-charts/dapr/charts/dapr_rbac/Chart.yaml b/helm-charts/dapr/charts/dapr_rbac/Chart.yaml
index 5e17ce2..d1766f0 100644
--- a/helm-charts/dapr/charts/dapr_rbac/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_rbac/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes RBAC components
name: dapr_rbac
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml
index 5dd79f6..ffb1845 100644
--- a/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml
+++ b/helm-charts/dapr/charts/dapr_rbac/templates/injector.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-injector
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -19,6 +20,10 @@ rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["patch"]
+ resourceNames: ["dapr-sidecar-injector"]
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations", "components"]
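Review bot: The new `patch` rule on `mutatingwebhookconfigurations` is correctly pinned to `dapr-sidecar-injector`, but `patch` cannot be limited to the `caBundle` field, so the injector's service account can also rewrite the webhook's `rules`, `namespaceSelector` and `failurePolicy`. That is a modest widening because the injector already mutates every pod the webhook matches, but a comment next to the rule stating that it exists to publish the sentry-issued CA bundle would stop a later change broadening it to `update` or dropping the `resourceNames` pin. Whether the injector also needs `get` on the object to build the patch is not visible here.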
@@ -46,6 +51,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml
index 130d325..4ef416b 100644
--- a/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml
+++ b/helm-charts/dapr/charts/dapr_rbac/templates/operator.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-operator
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -84,6 +85,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -150,6 +152,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml
index 94be694..588fa69 100644
--- a/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml
+++ b/helm-charts/dapr/charts/dapr_rbac/templates/placement.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-placement
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml b/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml
index e19c098..b21f303 100644
--- a/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml
+++ b/helm-charts/dapr/charts/dapr_rbac/templates/sentry.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-sentry
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -22,7 +23,10 @@ rules:
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations"]
- verbs: ["list"]
+ verbs: ["list", "get", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list", "get", "watch"]
{{- end }}
---
kind: ClusterRoleBinding
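Review bot: The cluster-scoped `pods` `list/get/watch` added to the sentry ClusterRole lets sentry read every pod spec in the cluster, including env vars and annotations that sometimes carry secrets, so it deserves a comment explaining why it is needed (presumably to bind certificate requests to the requesting pod's identity; that logic is not visible here). Because it sits in the `not .Values.global.rbac.namespaced` branch, the namespaced mode should be checked to grant the equivalent Role-scoped read, or sentry will behave differently between the two modes.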
@@ -46,6 +50,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -53,7 +58,11 @@ metadata:
rules:
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get", "update"]
+ verbs: ["get", "update","delete"]
+ resourceNames: ["dapr-trust-bundle"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "update", "watch", "list"]
resourceNames: ["dapr-trust-bundle"]
{{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["dapr.io"]
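Review bot: The Role now grants `delete` on the `dapr-trust-bundle` Secret but no `create`, so once sentry deletes it nothing in this RBAC lets sentry put it back; if the intent is that sentry recreates the bundle after deleting it, the rule needs `create` (which cannot be name-pinned), and if deletion is only for a one-off migration the verb should be dropped again afterwards and documented as such. Either way the reason belongs in a comment on the rule. Minor: `["get", "update","delete"]` is missing the space the neighbouring verb lists use.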
@@ -65,6 +74,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_sentry/Chart.yaml b/helm-charts/dapr/charts/dapr_sentry/Chart.yaml
index bf93891..7f0243d 100644
--- a/helm-charts/dapr/charts/dapr_sentry/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_sentry/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Sentry
name: dapr_sentry
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
index 7cbf444..322f9d8 100644
--- a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
+++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
@@ -1,7 +1,22 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-trust-bundle"}}
----
apiVersion: v1
kind: Secret
+metadata:
+ name: dapr-trust-bundle
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: dapr-sentry
+ {{- range $key, $value := .Values.global.k8sLabels }}
+ {{ $key }}: {{ tpl $value $ }}
+ {{- end }}
+{{ if and .Values.tls.issuer.certPEM (and .Values.tls.issuer.keyPEM .Values.tls.root.certPEM) }}
+data:
+ issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
+ issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
+ ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
+{{ end }}
+---
+apiVersion: v1
+kind: ConfigMap
metadata:
name: dapr-trust-bundle
labels:
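Review bot: A `helm upgrade` that does not pass `tls.issuer.*`/`tls.root.certPEM` now renders this Secret with no `data`, because the `lookup` of the existing bundle was dropped, and Helm's three-way merge can strip the keys the previous release's manifest carried, discarding the sentry-generated issuer key and CA. If sentry regenerates a fresh CA on start that is a forced trust-root rotation that breaks every running sidecar until restarted; if it does not, mTLS fails outright. Restoring the `lookup` fallback, or annotating the Secret with `helm.sh/resource-policy: keep` and documenting the upgrade step, would avoid that. Separately, the ConfigMap `metadata` below lacks the `namespace: {{ .Release.Namespace }}` line that every other resource in this change gained.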
@@ -9,21 +24,16 @@ metadata:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
+{{ if .Values.tls.root.certPEM }}
data:
- {{ if .Values.tls.issuer.certPEM }}issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
- {{ else if $existingSecret }}issuer.crt: {{ index $existingSecret.data "issuer.crt" }}
- {{ end }}
- {{ if .Values.tls.issuer.keyPEM }}issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
- {{ else if $existingSecret }}issuer.key: {{ index $existingSecret.data "issuer.key" }}
- {{end}}
- {{ if .Values.tls.root.certPEM }}ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
- {{ else if $existingSecret }}ca.crt: {{ index $existingSecret.data "ca.crt" }}
- {{end}}
+ ca.crt: {{- .Values.tls.root.certPEM | toYaml | indent 1}}
+{{end}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sentry
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
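Review bot: The ConfigMap publishes `ca.crt` whenever `tls.root.certPEM` is set, but the Secret above it is only populated when issuer cert, issuer key and root cert are all given, so supplying only the root certificate yields a trust bundle that advertises a CA sentry has no issuer for; the two conditions should match, or the template should `fail` when the three values are partially set. The `ca.crt: {{- ... | toYaml | indent 1}}` construction relies on the `{{-` trim and `indent 1` cancelling each other to reproduce the space after the colon, which is hard to read and breaks if either is touched; `ca.crt: |-` followed by `{{ .Values.tls.root.certPEM | indent 4 }}` says the same thing plainly.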
@@ -48,11 +58,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
-{{- if eq .Values.global.prometheus.enabled true }}
annotations:
+ dapr.io/control-plane: sentry
+{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
+{{- end }}
+{{- if .Values.deploymentAnnotations }}
+{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
containers:
@@ -90,8 +104,15 @@ spec:
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }}
capabilities:
- add:
- - SYS_PTRACE
+ add: ["SYS_PTRACE"]
+ {{- else }}
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ {{- if .Values.global.seccompProfile }}
+ seccompProfile:
+ type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
env:
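Review bot: With `debug.enabled` the sentry container trades the read-only root filesystem and `drop: [ALL]` for `SYS_PTRACE`, and sentry is the one control-plane component that mounts the issuer private key from `dapr-trust-bundle`. That trade-off is expected for a debug toggle, but `debug.enabled` in the sentry values carries no warning; a comment such as `# Debug mode relaxes container hardening (adds SYS_PTRACE, writable root FS); never enable on a production sentry` would make it explicit. `allowPrivilegeEscalation: false` could also be set unconditionally here since it does not interfere with ptrace.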
@@ -115,8 +136,11 @@ spec:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
- mountPath: /var/run/dapr/credentials
+ mountPath: /var/run/secrets/dapr.io/credentials
readOnly: true
+ {{- with .Values.global.extraVolumeMounts.sentry }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/sentry"
@@ -147,7 +171,7 @@ spec:
- "--enable-metrics=false"
{{- end }}
- "--trust-domain"
- - {{ .Values.tls.trustDomain }}
+ - {{ .Values.global.mtls.controlPlaneTrustDomain }}
{{- if .Values.tokenAudience }}
- "--token-audience"
- {{ .Values.tokenAudience }}
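Review bot: The trust domain now comes from `global.mtls.controlPlaneTrustDomain`, so an existing `tls.trustDomain` override in a user's values is silently ignored and sentry will issue certificates under a different SPIFFE trust domain than before the upgrade. A guard such as `{{- if .Values.tls.trustDomain }}{{ fail "tls.trustDomain is replaced by global.mtls.controlPlaneTrustDomain" }}{{- end }}`, or at least a note in the values file and upgrade docs, would catch that. The argument is also rendered as an unquoted scalar, so an empty value produces a null list element; `- {{ .Values.global.mtls.controlPlaneTrustDomain | quote }}` keeps it a string.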
@@ -165,6 +189,9 @@ spec:
- name: credentials
secret:
secretName: dapr-trust-bundle
+ {{- with .Values.global.extraVolumes.sentry }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -195,7 +222,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- - name: {{ .Values.global.imagePullSecrets }}
+ {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml
index 817ddad..c80fe5d 100644
--- a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml
+++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_poddisruptionbudget.yaml
@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-sentry-budget
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
diff --git a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml
index 3f81a0c..559a3bf 100644
--- a/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml
+++ b/helm-charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml
@@ -2,6 +2,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-sentry
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@@ -11,5 +12,14 @@ spec:
app: dapr-sentry
ports:
- protocol: TCP
- port: {{ .Values.ports.port }}
- targetPort: {{ .Values.ports.targetPort }}
\ No newline at end of file
+ port: {{ .Values.ports.port }}
+ targetPort: {{ .Values.ports.targetPort }}
+ name: grpc
+# Added for backwards compatibility where previous clients will attempt to
+# connect on port 80.
+{{ if (ne (int .Values.ports.port) 80) }}
+ - protocol: TCP
+ port: 80
+ targetPort: {{ .Values.ports.targetPort }}
+ name: legacy
+{{ end }}
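Review bot: The unconditional `legacy` port 80 keeps an old-client path open with no way to turn it off once all sidecars talk to 443, so a value such as `ports.legacyPortEnabled` (default true for now) would let operators close it after migration and let a later release flip the default. Both entries forward to the same TLS `targetPort`, so this is not a plaintext exposure, which the comment could state: `# Both ports serve the same mTLS listener; 80 exists only for pre-1.12 clients.` Minor: the bare `{{ if ... }}` / `{{ end }}` leave blank lines in the rendered Service; `{{- if ... }}` and `{{- end }}` match the rest of the chart.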
diff --git a/helm-charts/dapr/charts/dapr_sentry/values.yaml b/helm-charts/dapr/charts/dapr_sentry/values.yaml
index f0fbc69..265d5ce 100644
--- a/helm-charts/dapr/charts/dapr_sentry/values.yaml
+++ b/helm-charts/dapr/charts/dapr_sentry/values.yaml
@@ -13,9 +13,11 @@ fullnameOverride: ""
tokenAudience: ""
+deploymentAnnotations: {}
+
ports:
protocol: TCP
- port: 80
+ port: 443
targetPort: 50001
tls:
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml
index af0cbac..d19a1ee 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for the Dapr sidecar injector
name: dapr_sidecar_injector
-version: 1.11.3
+version: 1.12.0
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
index dda4051..1c8ca57 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sidecar-injector
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
@@ -27,11 +28,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
-{{- if eq .Values.global.prometheus.enabled true }}
annotations:
+ dapr.io/control-plane: injector
+{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
+{{- end }}
+{{- if .Values.deploymentAnnotations }}
+{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
{{- if .Values.hostNetwork }}
@@ -77,8 +82,15 @@ spec:
{{- end }}
{{- if eq .Values.debug.enabled true }}
capabilities:
- add:
- - SYS_PTRACE
+ add: ["SYS_PTRACE"]
+ {{- else }}
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ {{- if .Values.global.seccompProfile }}
+ seccompProfile:
+ type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
command:
@@ -112,19 +124,13 @@ spec:
{{- end }}
- "--healthz-port"
- "{{ .Values.healthzPort }}"
-{{- with .Values.global.issuerFilenames }}
- - "--issuer-ca-secret-key"
- - "{{ .ca }}"
- - "--issuer-certificate-secret-key"
- - "{{ .cert }}"
- - "--issuer-key-secret-key"
- - "{{ .key }}"
-{{- end }}
env:
- - name: TLS_CERT_FILE
- value: /dapr/cert/tls.crt
- - name: TLS_KEY_FILE
- value: /dapr/cert/tls.key
+ - name: DAPR_TRUST_ANCHORS_FILE
+ value: /var/run/secrets/dapr.io/tls/ca.crt
+ - name: DAPR_CONTROL_PLANE_TRUST_DOMAIN
+ value: {{ .Values.global.mtls.controlPlaneTrustDomain }}
+ - name: DAPR_SENTRY_ADDRESS
+ value: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- if .Values.kubeClusterDomain }}
- name: KUBE_CLUSTER_DOMAIN
value: "{{ .Values.kubeClusterDomain }}"
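Review bot: `DAPR_SENTRY_ADDRESS` falls back to a hard-coded `.svc.cluster.local` suffix while the very next lines pass `kubeClusterDomain` to the injector, so on a cluster with a custom DNS domain the injector is handed a sentry address it cannot resolve unless `global.mtls.sentryAddress` is set; deriving the default from it, `dapr-sentry.{{ .Release.Namespace }}.svc.{{ .Values.kubeClusterDomain | default "cluster.local" }}:443`, keeps the two consistent. `DAPR_CONTROL_PLANE_TRUST_DOMAIN` and `DAPR_SENTRY_ADDRESS` are also unquoted, unlike `KUBE_CLUSTER_DOMAIN` right below; an empty trust domain renders `value:` as null, which the API server rejects for `env[].value`. Quoting both as `value: "{{ ... }}"` matches the existing line.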
@@ -184,13 +190,33 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- - name: cert
- mountPath: /dapr/cert
+ - name: dapr-trust-bundle
+ mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ mountPath: /var/run/secrets/dapr.io/sentrytoken
+ readOnly: true
+ {{- end }}
+ {{- with .Values.global.extraVolumeMounts.injector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
- - name: cert
- secret:
- secretName: dapr-sidecar-injector-cert
+ - name: dapr-trust-bundle
+ configMap:
+ name: dapr-trust-bundle
+ {{- if .Values.global.mtls.mountSentryVolume }}
+ - name: dapr-identity-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 600
+ audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+ {{- end }}
+ {{- with .Values.global.extraVolumes.injector }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
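Review bot: `expirationSeconds: 600` on L1482 carries no explanation; 600 seconds is the lowest TTL the API server accepts for a projected service account token and the kubelet refreshes the file before it expires, so a comment above L1482 such as `# 600s is the minimum TTL Kubernetes allows for projected tokens; the kubelet rotates it automatically` stops the next reader from lowering it or treating it as a hard session limit. The `dapr-trust-bundle` volume on L1473–L1475 references a ConfigMap created elsewhere (not in this diff) without `optional`, so the pod stays Pending until it exists; that is a sensible fail-closed default, but it deserves a one-line comment because the Secret it replaces (L1470–L1472) used to be generated by this chart itself. The enclosing pod spec starts and ends outside this hunk.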
@@ -221,7 +247,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- - name: {{ .Values.global.imagePullSecrets }}
+ {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml
index 4b6f8ee..9ae8ad8 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml
@@ -8,6 +8,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-sidecar-injector-disruption-budget
+ namespace: {{ .Release.Namespace }}
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml
index 837c3a1..b31018f 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_service.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: dapr-sidecar-injector
+ namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml
index 8253020..67e123b 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_webhook_config.yaml
@@ -1,31 +1,4 @@
{{- if eq .Values.enabled true }}
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-sidecar-injector-cert"}}
-{{- $existingWebHookConfig := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace "dapr-sidecar-injector"}}
-{{- $ca := genCA "dapr-sidecar-injector-ca" 3650 }}
-{{- $cn := printf "dapr-sidecar-injector" }}
-{{- $altName1 := printf "dapr-sidecar-injector.%s" .Release.Namespace }}
-{{- $altName2 := printf "dapr-sidecar-injector.%s.svc" .Release.Namespace }}
-{{- $altName3 := printf "dapr-sidecar-injector.%s.svc.cluster" .Release.Namespace }}
-{{- $altName4 := printf "dapr-sidecar-injector.%s.svc.cluster.local" .Release.Namespace }}
-{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: dapr-sidecar-injector-cert
- labels:
- app: dapr-sidecar-injector
- {{- range $key, $value := .Values.global.k8sLabels }}
- {{ $key }}: {{ tpl $value $ }}
- {{- end }}
-data:
- {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
- {{ else }}tls.crt: {{ b64enc $cert.Cert }}
- {{ end }}
-
- {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
- {{ else }}tls.key: {{ b64enc $cert.Key }}
- {{ end }}
----
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
@@ -43,7 +16,6 @@ webhooks:
namespace: {{ .Release.Namespace }}
name: dapr-sidecar-injector
path: "/mutate"
- caBundle: {{ if $existingWebHookConfig }}{{ (index $existingWebHookConfig.webhooks 0).clientConfig.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
rules:
- apiGroups:
- ""
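Review bot: After the removal of `caBundle` on L1564, nothing in this diff populates `clientConfig.caBundle`, so the API server will verify the injector's serving certificate against its own trust roots unless the injector (or another controller) patches the bundle in at runtime; with `webhookFailurePolicy: Ignore` as the default (L1578), a verification failure does not surface as an error but as pods silently receiving no sidecar. Please add a comment above `clientConfig` stating who sets `caBundle` and when, e.g. `# caBundle is populated at runtime by <component> from the Sentry trust anchors; it is intentionally not templated here`, with the actual mechanism filled in, and confirm the injector's RBAC allows it to patch `mutatingwebhookconfigurations`. The `webhooks` list continues outside this hunk.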
diff --git a/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml b/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml
index 67fbaf4..8ffb2e0 100644
--- a/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml
+++ b/helm-charts/dapr/charts/dapr_sidecar_injector/values.yaml
@@ -15,6 +15,7 @@ image:
injectorImage:
name: "injector"
+deploymentAnnotations: {}
nameOverride: ""
fullnameOverride: ""
webhookFailurePolicy: Ignore
diff --git a/helm-charts/dapr/templates/_helpers.tpl b/helm-charts/dapr/templates/_helpers.tpl
index 93e6b50..2f4043f 100644
--- a/helm-charts/dapr/templates/_helpers.tpl
+++ b/helm-charts/dapr/templates/_helpers.tpl
@@ -30,3 +30,20 @@ Create chart name and version as used by the chart label.
{{- define "k8s_operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
+
+{{/*
+Formats imagePullSecrets. Input is dict( "imagePullSecrets" .{specific imagePullSecrets}).
+*/}}
+{{- define "dapr.imagePullSecrets" -}}
+{{- if eq (typeOf .imagePullSecrets) "string" }}
+- name: {{ .imagePullSecrets }}
+{{- else }}
+{{- range .imagePullSecrets }}
+{{- if eq (typeOf .) "map[string]interface {}" }}
+- {{ toYaml (dict "name" .name) | trim }}
+{{- else }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
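Review bot: The type dispatch on L1592 and L1596 compares `typeOf` output against Go type strings (`"string"`, `"map[string]interface {}"`), which is brittle: it relies on the exact formatting of the reflected type and silently falls through to `- name: {{ . }}` for any other map type, rendering the map itself as the name. Sprig's `kindIs` exists for this, `{{- if kindIs "string" .imagePullSecrets }}` and `{{- if kindIs "map" . }}`, and is stable across value sources. A map entry without a `name` key appears to render `name: null`; `{{ required "imagePullSecrets entries need a name" .name }}` would fail at render time instead, and the comment on L1589 should mention that the helper is meant to be piped through `nindent`.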
diff --git a/helm-charts/dapr/values.yaml b/helm-charts/dapr/values.yaml
index 41919e4..0a9e040 100644
--- a/helm-charts/dapr/values.yaml
+++ b/helm-charts/dapr/values.yaml
@@ -1,10 +1,26 @@
global:
registry: docker.io/daprio
- tag: '1.11.3'
+ tag: '1.12.0'
dnsSuffix: ".cluster.local"
logAsJson: false
imagePullPolicy: IfNotPresent
+
+ # To help compatibility with other charts which use global.imagePullSecrets.
+ # Allow either a string with single imagepullsecret or an array of {name: pullSecret} maps (k8s-style) or an array of strings (more common helm-style).
+ # global:
+ # imagePullSecrets: "pullSecret"
+ # or
+ # global:
+ # imagePullSecrets:
+ # - name: pullSecret1
+ # - name: pullSecret2
+ # or
+ # global:
+ # imagePullSecrets:
+ # - pullSecret1
+ # - pullSecret2
imagePullSecrets: ""
+
nodeSelector: {}
tolerations: []
rbac:
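Review bot: The comment on L1618 runs well past 120 columns; splitting it into one line per accepted form (`# - a single secret name as a string`, `# - a list of {name: ...} maps (Kubernetes style)`, `# - a list of plain strings (common Helm style)`) reads better and stays within yamllint's default line length. The three examples on L1619–L1630 already illustrate each form, so the split comment can stay short.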
@@ -22,10 +38,30 @@ global:
enabled: true
workloadCertTTL: 24h
allowedClockSkew: 15m
+ controlPlaneTrustDomain: "cluster.local"
+ # If set to true, a bound service account token will be mounted and used to
+ # authenticate to Sentry.
+ mountSentryVolume: true
+ # Used to override `dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443`
+ #sentryAddress:
+ # extraVolumes and extraVolumeMounts are used to mount additional volumes to
+ # the Dapr control plane pods. Useful for using alternative authentication
+ # credentials to sentry.
+ extraVolumes: {}
+ # sentry:
+ # placement:
+ # operator:
+ # injector:
+ extraVolumeMounts: {}
+ # sentry:
+ # placement:
+ # operator:
+ # injector:
actors:
enabled: true
daprControlPlaneOs: linux
labels: {}
+ seccompProfile: ""
k8sLabels:
app.kubernetes.io/name: "{{ .Release.Name }}"
app.kubernetes.io/version: "{{ .Values.global.tag }}"
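Review bot: `seccompProfile: ""` on L1663 is undocumented, and the template that consumes it only emits the `type` field, so `Localhost` cannot work without a `localhostProfile`; a comment such as `# Seccomp profile type applied to control-plane pods: "RuntimeDefault" or "Unconfined" ("" leaves it unset)` belongs above it. `controlPlaneTrustDomain` on L1640 likewise needs a line explaining what it is used for (it appears in the projected-token audience on L1483 and is exported as `DAPR_CONTROL_PLANE_TRUST_DOMAIN`) and that it presumably has to match Sentry's configured trust domain. `#sentryAddress:` on L1645 is missing the space after `#` that every other comment in the file has. The `mtls` block starts before this hunk.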