update dapr helm chart from v1.11.3 to v1.12.0

Luca Burgazzoli 2023-10-13 08:53:46 +02:00
parent 1b91c10b27
commit 6527c7f183
No known key found for this signature in database
GPG Key ID: 238C46A40510C1A9
38 changed files with 559 additions and 262 deletions


@ -22,7 +22,7 @@ LOCALBIN := $(PROJECT_PATH)/bin
HELM_CHART_REPO ?= https://dapr.github.io/helm-charts HELM_CHART_REPO ?= https://dapr.github.io/helm-charts
HELM_CHART ?= dapr HELM_CHART ?= dapr
HELM_CHART_VERSION ?= 1.11.3 HELM_CHART_VERSION ?= 1.12.0
HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz
## Tool Versions ## Tool Versions


@ -12,7 +12,7 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: Component describes an Dapr component type description: Component describes an Dapr component type.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -20,7 +20,7 @@ spec:
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
auth: auth:
description: Auth represents authentication details for the component description: Auth represents authentication details for the component.
properties: properties:
secretStore: secretStore:
type: string type: string
@ -39,32 +39,38 @@ spec:
type: string type: string
type: array type: array
spec: spec:
description: ComponentSpec is the spec for a component description: ComponentSpec is the spec for a component.
properties: properties:
initTimeout:
type: string
ignoreErrors: ignoreErrors:
type: boolean type: boolean
initTimeout:
type: string
metadata: metadata:
items: items:
description: MetadataItem is a name/value pair for a metadata description: NameValuePair is a name/value pair.
properties: properties:
envRef:
description: EnvRef is the name of an environmental variable
to read the value from.
type: string
name: name:
description: Name of the property.
type: string type: string
secretKeyRef: secretKeyRef:
description: SecretKeyRef is a reference to a secret holding description: SecretKeyRef is the reference of a value in a secret
the value for the metadata item. Name is the secret name, store component.
and key is the field in the secret.
properties: properties:
key: key:
description: Field in the secret.
type: string type: string
name: name:
description: Secret name.
type: string type: string
required: required:
- key
- name - name
type: object type: object
value: value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
required: required:
- name - name


@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.9.2 controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null creationTimestamp: null
name: configurations.dapr.io name: configurations.dapr.io
labels: labels:
@ -224,13 +224,20 @@ spec:
description: Configure API logging. description: Configure API logging.
properties: properties:
enabled: enabled:
description: Default value for enabling API logging. Sidecars can always override this by setting `--enable-api-logging` to true or false explicitly. The default value is false. description: Default value for enabling API logging. Sidecars
can always override this by setting `--enable-api-logging`
to true or false explicitly. The default value is false.
type: boolean type: boolean
obfuscateURLs: obfuscateURLs:
description: 'When enabled, obfuscates the values of URLs in HTTP API logs, logging the route name rather than the full path being invoked, which could contain PII. Default: false. This option has no effect if API logging is disabled.' description: 'When enabled, obfuscates the values of URLs
in HTTP API logs, logging the route name rather than the
full path being invoked, which could contain PII. Default:
false. This option has no effect if API logging is disabled.'
type: boolean type: boolean
omitHealthChecks: omitHealthChecks:
description: 'If true, health checks are not reported in API logs. Default: false. This option has no effect if API logging is disabled.' description: 'If true, health checks are not reported in API
logs. Default: false. This option has no effect if API logging
is disabled.'
type: boolean type: boolean
type: object type: object
type: object type: object
@ -315,8 +322,34 @@ spec:
properties: properties:
allowedClockSkew: allowedClockSkew:
type: string type: string
controlPlaneTrustDomain:
type: string
enabled: enabled:
type: boolean type: boolean
sentryAddress:
type: string
tokenValidators:
description: Additional token validators to use. When Dapr is
running in Kubernetes mode, this is in addition to the built-in
"kubernetes" validator. In self-hosted mode, enabling a custom
validator will disable the built-in "insecure" validator.
items:
description: ValidatorSpec contains additional token validators
to use.
properties:
name:
description: Name of the validator
enum:
- jwks
type: string
options:
description: Options for the validator, if any
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
workloadCertTTL: workloadCertTTL:
type: string type: string
required: required:
@ -397,6 +430,12 @@ spec:
required: required:
- samplingRate - samplingRate
type: object type: object
wasm:
description: WasmSpec describes the security profile for all Dapr Wasm components.
properties:
strictSandbox:
type: boolean
type: object
type: object type: object
type: object type: object
served: true served: true


@ -18,10 +18,14 @@ spec:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external service invocation. This endpoint can be external to Dapr, or external to the environment. description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external
service invocation. This endpoint can be external to Dapr, or external to
the environment.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
auth: auth:
description: Auth represents authentication details for the component. description: Auth represents authentication details for the component.
@ -32,7 +36,9 @@ spec:
- secretStore - secretStore
type: object type: object
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
@ -41,28 +47,113 @@ spec:
type: string type: string
type: array type: array
spec: spec:
description: HTTPEndpointSpec describes an access specification for allowing external service invocations. description: HTTPEndpointSpec describes an access specification for allowing
external service invocations.
properties: properties:
baseUrl: baseUrl:
type: string type: string
headers: clientTLS:
items: description: TLS describes how to build client or server TLS configurations.
description: Header is the name/value pair for a header specification. properties:
certificate:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties: properties:
name:
type: string
secretKeyRef: secretKeyRef:
description: SecretKeyRef is a reference to a secret holding the value for the metadata item. Name is the secret name, and key is the field in the secret. description: SecretKeyRef is the reference of a value in a
secret store component.
properties: properties:
key: key:
description: Field in the secret.
type: string type: string
name: name:
description: Secret name.
type: string type: string
required: required:
- key
- name - name
type: object type: object
value: value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
privateKey:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties:
secretKeyRef:
description: SecretKeyRef is the reference of a value in a
secret store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
renegotiation:
default: Never
description: Renegotiation sets the underlying tls negotiation
strategy for an http channel.
enum:
- Never
- OnceAsClient
- FreelyAsClient
type: string
rootCA:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties:
secretKeyRef:
description: SecretKeyRef is the reference of a value in a
secret store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
headers:
items:
description: NameValuePair is a name/value pair.
properties:
envRef:
description: EnvRef is the name of an environmental variable
to read the value from.
type: string
name:
description: Name of the property.
type: string
secretKeyRef:
description: SecretKeyRef is the reference of a value in a secret
store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
required: required:
- name - name


@ -54,7 +54,7 @@ spec:
deadLetterTopic: deadLetterTopic:
type: string type: string
bulkSubscribe: bulkSubscribe:
description: Represents bulk subscribe properies description: Represents bulk subscribe properties
properties: properties:
enabled: enabled:
type: boolean type: boolean
@ -144,7 +144,7 @@ spec:
description: The optional dead letter queue for this topic to send events to. description: The optional dead letter queue for this topic to send events to.
type: string type: string
bulkSubscribe: bulkSubscribe:
description: Represents bulk subscribe properies description: Represents bulk subscribe properties
properties: properties:
enabled: enabled:
type: boolean type: boolean


@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
appVersion: 1.11.3 appVersion: 1.12.0
description: A Helm chart for Dapr on Kubernetes description: A Helm chart for Dapr on Kubernetes
name: dapr name: dapr
version: 1.11.3 version: 1.12.0


@ -78,9 +78,9 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.tag` | Docker image version tag | latest release | | `global.tag` | Docker image version tag | latest release |
| `global.logAsJson` | Json log format for control plane services | `false` | | `global.logAsJson` | Json log format for control plane services | `false` |
| `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` | | `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` |
| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry | `""` | | `global.imagePullSecrets` | Control plane service images pull secrets for docker registry. Its value can be: a string with single imagePullSecret, an array of `{name: pullSecret}` maps (Kubernetes-style), or an array of strings | `[]` |
| `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` | | `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` |
| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode | `3` | | `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode<br>Note that in HA mode, Dapr Placement has 3 replicas and that cannot be configured. | `3` |
| `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` | | `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` |
| `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. | `25%` | | `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. | `25%` |
| `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` | | `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` |
@ -88,6 +88,17 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.mtls.enabled` | Mutual TLS enablement | `true` | | `global.mtls.enabled` | Mutual TLS enablement | `true` |
| `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` | | `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` |
| `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` | | `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` |
| `global.mtls.controlPlaneTrustDomain ` | Trust domain for control plane | `cluster.local` |
| `global.mtls.sentryAddress` | Sentry address for control plane | `dapr-sentry.{{ .ReleaseNamespace }}.svc:443` |
| `global.mtls.mountSentryToken` | Gates whether the sentry bound service account token volume is mounted to control plane pods | `true` |
| `global.extraVolumes.sentry` | Array of extra volumes to make available to sentry pods | `[]` |
| `global.extraVolumes.placement` | Array of extra volumes to make available to placement pods | `[]` |
| `global.extraVolumes.operator` | Array of extra volumes to make available to operator pods | `[]` |
| `global.extraVolumes.injector` | Array of extra volumes to make available to sidecar injector pods | `[]` |
| `global.extraVolumeMounts.sentry` | Array of extra volume mounts to make available to sentry pod containers | `[]` |
| `global.extraVolumeMounts.placement` | Array of extra volume mounts to make available to placement pod containers | `[]` |
| `global.extraVolumeMounts.operator` | Array of extra volume mounts to make available to operator pod containers | `[]` |
| `global.extraVolumeMounts.injector` | Array of extra volume mounts to make available to sidecar injector pod containers | `[]` |
| `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` | | `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` |
| `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` | | `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` |
| `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` | | `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` |
@ -99,12 +110,13 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` | | `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` |
| `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` | | `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` | | `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
| `global.seccompProfile` | SeccompProfile for Dapr control plane services | `""` |
| `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` | | `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` |
| `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` | | `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` |
### Dapr Operator options: ### Dapr Operator options:
| Parameter | Description | Default | | Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| |-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| `dapr_operator.replicaCount` | Number of replicas | `1` | | `dapr_operator.replicaCount` | Number of replicas | `1` |
| `dapr_operator.logLevel` | Log level | `info` | | `dapr_operator.logLevel` | Log level | `info` |
| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` | | `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` |
@ -113,23 +125,27 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` | | `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | | `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` | | `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_operator.serviceReconciler.enabled`| If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.<br>Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` | | `dapr_operator.serviceReconciler.enabled` | If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.<br>Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` | | `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` |
| `dapr_operator.deploymentAnnotations` | Custom annotations for Dapr Operator Deployment | `{}` |
### Dapr Placement options: ### Dapr Placement options:
| Parameter | Description | Default | | Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| |------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_placement.ha` | If set to true, deploys the Placement service with 3 nodes regardless of the value of `global.ha.enabled` | `false` |
| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` | | `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` |
| `dapr_placement.logLevel` | Service Log level | `info` | | `dapr_placement.logLevel` | Service Log level | `info` |
| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` | | `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` |
| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when `global.ha.enabled` is true | `false` | | `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when HA is true | `false` |
| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when `global.ha.enabled` is true | `/var/run/dapr/raft-log` | | `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when HA is true | `/var/run/dapr/raft-log` |
| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when `global.ha.enabled` is true | `C:\\raft-log` | | `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when HA is true | `C:\\raft-log` |
| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` | | `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` |
| `dapr_placement.volumeclaims.storageClassName` | storage class name | | | `dapr_placement.volumeclaims.storageClassName` | storage class name | |
| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` | | `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` |
| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | | `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` | | `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_placement.metadataEnabled` | Boolean value for enabling placement tables metadata HTTP API | `false` |
| `dapr_placement.statefulsetAnnotations` | Custom annotations for Dapr Placement Statefulset | `{}` |
### Dapr RBAC options: ### Dapr RBAC options:
| Parameter | Description | Default | | Parameter | Description | Default |
@ -139,7 +155,7 @@ The Helm chart has the follow configuration options that can be supplied:
### Dapr Sentry options: ### Dapr Sentry options:
| Parameter | Description | Default | | Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------| |-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_sentry.replicaCount` | Number of replicas | `1` | | `dapr_sentry.replicaCount` | Number of replicas | `1` |
| `dapr_sentry.logLevel` | Log level | `info` | | `dapr_sentry.logLevel` | Log level | `info` |
| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` | | `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` |
@ -147,14 +163,14 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` | | `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` |
| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` | | `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` |
| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` | | `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
| `dapr_sentry.trustDomain` | Trust domain (logical group to manage app trust relationship) for access control list | `cluster.local` |
| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` | | `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | | `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` | | `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_sentry.deploymentAnnotations` | Custom annotations for Dapr Sentry Deployment | `{}` |
### Dapr Sidecar Injector options: ### Dapr Sidecar Injector options:
| Parameter | Description | Default | | Parameter | Description | Default |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| |-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` | | `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` |
| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` | | `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` |
| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` | | `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` |
@ -174,6 +190,7 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` | | `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` |
| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` | | `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` |
| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` | | `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` |
| `dapr_sidecar.deploymentAnnotations` | Custom annotations for Dapr sidecar Deployment | `{}` |
## Example of highly available configuration of the control plane ## Example of highly available configuration of the control plane


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Dapr configuration description: A Helm chart for Dapr configuration
name: dapr_config name: dapr_config
version: 1.11.3 version: 1.12.0


@ -3,6 +3,7 @@ apiVersion: dapr.io/v1alpha1
kind: Configuration kind: Configuration
metadata: metadata:
name: {{ .Values.dapr_default_system_config_name }} name: {{ .Values.dapr_default_system_config_name }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -12,4 +13,6 @@ spec:
enabled: {{ .Values.global.mtls.enabled }} enabled: {{ .Values.global.mtls.enabled }}
workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }} workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }}
allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }} allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }}
controlPlaneTrustDomain: {{ .Values.global.mtls.controlPlaneTrustDomain }}
sentryAddress: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- end }} {{- end }}
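Review bot: The `sentryAddress` fallback is written out inline here (`{{ if .Values.global.mtls.sentryAddress }}…{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}`), and the same expression appears again in the placement `--sentry-address` argument and the injector `DAPR_SENTRY_ADDRESS` variable in this commit. The chart already uses a shared named template for `dapr.imagePullSecrets`, so one helper for the sentry address would keep the three copies from drifting apart; a mismatch would leave some components requesting certificates from a different endpoint than the one recorded in this Configuration. The default also hard-codes `.svc.cluster.local`, so clusters with another DNS domain have to set `global.mtls.sentryAddress` explicitly, which is worth a comment next to the value. The `{{- end }}` that closes this section belongs to a conditional opened outside the hunk.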


@ -1,4 +1,4 @@
# This value is essential in determining whether to build this chart or not based on the usecase. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value. # This value is essential in determining whether to build this chart or not based on the use case. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
dapr_config_chart_included: true dapr_config_chart_included: true
dapr_default_system_config_name: "daprsystem" dapr_default_system_config_name: "daprsystem"
component: config component: config


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes Operator description: A Helm chart for Dapr Kubernetes Operator
name: dapr_operator name: dapr_operator
version: 1.11.3 version: 1.12.0


@ -1,48 +1,8 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-cert"}}
{{- $existingCA := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-ca"}}
{{- $ca := genCA "dapr-webhook-ca" 3650 }}
{{- $cn := printf "dapr-webhook" }}
{{- $altName1 := printf "dapr-webhook.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-webhook.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-webhook.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-webhook.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-cert
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-ca
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingCA }}caBundle: {{ index $existingCA.data "caBundle" }}
{{ else }}caBundle: {{ b64enc $ca.Cert }}
{{ end }}
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: dapr-operator name: dapr-operator
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-operator app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
@ -67,11 +27,15 @@ spec:
{{- with .Values.global.labels }} {{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations: annotations:
dapr.io/control-plane: operator
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}" prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/" prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }} {{- end }}
spec: spec:
containers: containers:
@ -107,11 +71,18 @@ spec:
{{- if eq .Values.global.daprControlPlaneOs "linux" }} {{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext: securityContext:
runAsNonRoot: {{ .Values.runAsNonRoot }} runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }} {{- if eq .Values.debug.enabled true }}
capabilities: capabilities:
add: add: ["SYS_PTRACE"]
- SYS_PTRACE {{- else }}
{{- end }} readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }} {{- end }}
env: env:
- name: NAMESPACE - name: NAMESPACE
@ -133,16 +104,22 @@ spec:
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
volumeMounts: volumeMounts:
- name: credentials - name: dapr-trust-bundle
mountPath: /var/run/dapr/credentials mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
readOnly: true readOnly: true
- name: webhook-creds
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
mountPath: "C:\\Windows\\TEMP\\k8s-webhook-server\\serving-certs"
{{- else }}
mountPath: /tmp/k8s-webhook-server/serving-certs
{{- end }} {{- end }}
readOnly: true {{- if eq .Values.debug.enabled false }}
# This is not needed in debug mode because the root FS is writable
- name: dapr-operator-tmp
mountPath: /tmp
{{- end }}
{{- with .Values.global.extraVolumeMounts.operator }}
{{- toYaml . | nindent 8 }}
{{- end }}
command: command:
{{- if eq .Values.debug.enabled false }} {{- if eq .Values.debug.enabled false }}
- "/operator" - "/operator"
@ -166,6 +143,8 @@ spec:
- "{{ .Values.maxPodRestartsPerMinute }}" - "{{ .Values.maxPodRestartsPerMinute }}"
- "--log-level" - "--log-level"
- "{{ .Values.logLevel }}" - "{{ .Values.logLevel }}"
- "--trust-anchors-file"
- "/var/run/secrets/dapr.io/tls/ca.crt"
{{- if eq .Values.global.logAsJson true }} {{- if eq .Values.global.logAsJson true }}
- "--log-as-json" - "--log-as-json"
{{- end }} {{- end }}
@ -176,14 +155,6 @@ spec:
{{- else }} {{- else }}
- "--enable-metrics=false" - "--enable-metrics=false"
{{- end }} {{- end }}
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
{{- if .Values.watchNamespace }} {{- if .Values.watchNamespace }}
- "--watch-namespace" - "--watch-namespace"
- "{{ .Values.watchNamespace }}" - "{{ .Values.watchNamespace }}"
@ -199,12 +170,25 @@ spec:
{{- end }} {{- end }}
serviceAccountName: dapr-operator serviceAccountName: dapr-operator
volumes: volumes:
- name: credentials - name: dapr-operator-tmp
secret: emptyDir:
secretName: dapr-trust-bundle sizeLimit: 2Mi
- name: webhook-creds medium: Memory
secret: - name: dapr-trust-bundle
secretName: dapr-webhook-cert configMap:
name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.operator }}
{{- toYaml . | nindent 8 }}
{{- end }}
affinity: affinity:
nodeAffinity: nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -235,7 +219,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.global.imagePullSecrets }} {{- if .Values.global.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }} {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.global.nodeSelector }} {{- if .Values.global.nodeSelector }}
nodeSelector: nodeSelector:
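Review bot: The non-debug branch of the container `securityContext` sets `readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]` but leaves `allowPrivilegeEscalation` unset, and Kubernetes defaults that to allowed. Adding `allowPrivilegeEscalation: false` next to `readOnlyRootFilesystem: true` closes the setuid path and is one of the fields the restricted Pod Security Standard checks. The seccomp profile is likewise only rendered when `global.seccompProfile` is set, so whether a default such as `RuntimeDefault` applies depends on values not shown here. The same block is added to the placement, sentry and sidecar-injector templates later in this commit, so the change applies to all four.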


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: dapr-operator-disruption-budget name: dapr-operator-disruption-budget
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-operator app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}


@ -2,6 +2,7 @@ kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: dapr-api name: dapr-api
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -18,6 +19,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: dapr-webhook name: dapr-webhook
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}


@ -14,6 +14,8 @@ image:
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
deploymentAnnotations: {}
runAsNonRoot: true runAsNonRoot: true
serviceReconciler: serviceReconciler:


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes placement description: A Helm chart for Dapr Kubernetes placement
name: dapr_placement name: dapr_placement
version: 1.11.3 version: 1.12.0


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: dapr-placement-server-disruption-budget name: dapr-placement-server-disruption-budget
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-placement-server app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}


@ -3,6 +3,7 @@ kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: dapr-placement-server name: dapr-placement-server
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-placement-server app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}


@ -3,13 +3,14 @@ apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: dapr-placement-server name: dapr-placement-server
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-placement-server app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
{{- end }} {{- end }}
spec: spec:
{{- if eq .Values.global.ha.enabled true }} {{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
replicas: 3 replicas: 3
{{- else }} {{- else }}
replicas: 1 replicas: 1
@ -29,11 +30,15 @@ spec:
{{- with .Values.global.labels }} {{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations: annotations:
dapr.io/control-plane: placement
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}" prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/" prometheus.io/path: "/"
{{- end }}
{{- if .Values.statefulsetAnnotations }}
{{ toYaml .Values.statefulsetAnnotations | indent 4}}
{{- end }} {{- end }}
spec: spec:
containers: containers:
@ -69,10 +74,17 @@ spec:
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
volumeMounts: volumeMounts:
- name: credentials - name: dapr-trust-bundle
mountPath: /var/run/dapr/credentials mountPath: /var/run/secrets/dapr.io/tls
readOnly: true readOnly: true
{{- if eq .Values.global.ha.enabled true }} {{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
{{- end }}
{{- with .Values.global.extraVolumeMounts.placement }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }} {{- if eq .Values.cluster.forceInMemoryLog false }}
- name: raft-log - name: raft-log
{{- if eq .Values.global.daprControlPlaneOs "windows" }} {{- if eq .Values.global.daprControlPlaneOs "windows" }}
@ -109,7 +121,7 @@ spec:
- "/placement" - "/placement"
- "--" - "--"
{{- end }} {{- end }}
{{- if eq .Values.global.ha.enabled true }} {{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
- "--id" - "--id"
- "$(PLACEMENT_ID)" - "$(PLACEMENT_ID)"
- "--initial-cluster" - "--initial-cluster"
@ -128,6 +140,9 @@ spec:
{{- if eq .Values.global.logAsJson true }} {{- if eq .Values.global.logAsJson true }}
- "--log-as-json" - "--log-as-json"
{{- end }} {{- end }}
{{- if eq .Values.metadataEnabled true }}
- "--metadata-enabled"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }} {{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics" - "--enable-metrics"
- "--replicationFactor" - "--replicationFactor"
@ -138,14 +153,10 @@ spec:
- "--enable-metrics=false" - "--enable-metrics=false"
{{- end }} {{- end }}
- "--tls-enabled" - "--tls-enabled"
{{- with .Values.global.issuerFilenames }} - "--trust-domain={{ .Values.global.mtls.controlPlaneTrustDomain }}"
- "--issuer-ca-filename" - "--trust-anchors-file=/var/run/secrets/dapr.io/tls/ca.crt"
- "{{ .ca }}" - "--sentry-address={{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}"
- "--issuer-certificate-filename" - "--mode=kubernetes"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
{{- if eq .Values.global.daprControlPlaneOs "linux" }} {{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext: securityContext:
{{- if eq .Values.cluster.forceInMemoryLog true }} {{- if eq .Values.cluster.forceInMemoryLog true }}
@ -153,11 +164,18 @@ spec:
{{- else }} {{- else }}
runAsUser: 0 runAsUser: 0
{{- end }} {{- end }}
{{- if eq .Values.debug.enabled true }} {{- if eq .Values.debug.enabled true }}
capabilities: capabilities:
add: add: ["SYS_PTRACE"]
- SYS_PTRACE {{- else }}
{{- end }} readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }} {{- end }}
env: env:
- name: PLACEMENT_ID - name: PLACEMENT_ID
@ -170,9 +188,21 @@ spec:
fieldPath: metadata.namespace fieldPath: metadata.namespace
serviceAccountName: dapr-placement serviceAccountName: dapr-placement
volumes: volumes:
- name: credentials - name: dapr-trust-bundle
secret: configMap:
secretName: dapr-trust-bundle name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.placement }}
{{- toYaml . | nindent 6 }}
{{- end }}
affinity: affinity:
nodeAffinity: nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -203,7 +233,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.global.imagePullSecrets }} {{- if .Values.global.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }} {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.global.nodeSelector }} {{- if .Values.global.nodeSelector }}
nodeSelector: nodeSelector:
@ -213,7 +243,7 @@ spec:
tolerations: tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }} {{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }} {{- end }}
{{- if eq .Values.global.ha.enabled true }} {{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }} {{- if eq .Values.cluster.forceInMemoryLog false }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
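Review bot: The custom annotations are rendered with `{{ toYaml .Values.statefulsetAnnotations | indent 4}}`, while the sibling `labels` block in the same pod-template metadata uses `nindent 8`. Indentation is lost in this rendering, but if `annotations:` sits at the same level as `labels:`, keys indented by 4 would fall outside the `annotations` map and the manifest would fail to parse or validate as soon as `statefulsetAnnotations` is non-empty. `{{- toYaml .Values.statefulsetAnnotations | nindent 8 }}` would match the labels block. The operator, sentry and sidecar-injector templates use the same `indent 4` for `deploymentAnnotations`.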


@ -10,11 +10,15 @@ image:
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
statefulsetAnnotations: {}
ports: ports:
protocol: TCP protocol: TCP
apiPort: 50005 apiPort: 50005
raftRPCPort: 8201 raftRPCPort: 8201
ha: false
cluster: cluster:
forceInMemoryLog: false forceInMemoryLog: false
logStorePath: /var/run/dapr/raft-log logStorePath: /var/run/dapr/raft-log
@ -26,6 +30,8 @@ volumeclaims:
replicationFactor: 100 replicationFactor: 100
metadataEnabled: false
livenessProbe: livenessProbe:
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 3 periodSeconds: 3


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes RBAC components description: A Helm chart for Dapr Kubernetes RBAC components
name: dapr_rbac name: dapr_rbac
version: 1.11.3 version: 1.12.0


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: dapr-injector name: dapr-injector
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -19,6 +20,10 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["serviceaccounts"] resources: ["serviceaccounts"]
verbs: ["get", "list"] verbs: ["get", "list"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["patch"]
resourceNames: ["dapr-sidecar-injector"]
{{- if not .Values.global.rbac.namespaced }} {{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"] - apiGroups: ["dapr.io"]
resources: ["configurations", "components"] resources: ["configurations", "components"]
@ -46,6 +51,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: dapr-injector name: dapr-injector
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
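Review bot: The new `patch` rule on `mutatingwebhookconfigurations` has no comment saying why the injector needs write access to an admission webhook object, which is the most sensitive permission visible in this role. It is pinned by `resourceNames` to `dapr-sidecar-injector`, so the rule silently stops working if the webhook configuration, which is rendered outside this hunk, is ever renamed. A comment above the rule such as `# injector updates its own webhook configuration (presumably the CA bundle); keep resourceNames equal to that object's metadata.name` would make the coupling explicit for the next change.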


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: dapr-operator name: dapr-operator
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -84,6 +85,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: dapr-operator name: dapr-operator
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -150,6 +152,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: dapr-operator name: dapr-operator
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: dapr-placement name: dapr-placement
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: dapr-sentry name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -22,7 +23,10 @@ rules:
{{- if not .Values.global.rbac.namespaced }} {{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"] - apiGroups: ["dapr.io"]
resources: ["configurations"] resources: ["configurations"]
verbs: ["list"] verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch"]
{{- end }} {{- end }}
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -46,6 +50,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: dapr-sentry name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -53,7 +58,11 @@ metadata:
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "update"] verbs: ["get", "update","delete"]
resourceNames: ["dapr-trust-bundle"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "update", "watch", "list"]
resourceNames: ["dapr-trust-bundle"] resourceNames: ["dapr-trust-bundle"]
{{- if eq .Values.global.rbac.namespaced true }} {{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["dapr.io"] - apiGroups: ["dapr.io"]
@ -65,6 +74,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: dapr-sentry name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
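Review bot: The new `configmaps` rule grants `watch` and `list` together with `resourceNames: ["dapr-trust-bundle"]`, and Kubernetes only authorizes name-restricted list and watch requests when the client sends a matching `metadata.name` field selector. Whether sentry issues its list/watch that way is not visible here; if it does not, those two verbs are denied at runtime while `get` and `update` keep working. A comment on the rule, e.g. `# list/watch are name-scoped: clients must use fieldSelector metadata.name=dapr-trust-bundle`, would record the constraint. In the same section the ClusterRole now gives sentry `list`, `get` and `watch` on all pods when `global.rbac.namespaced` is false, which deserves a one-line reason as well.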


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Dapr Sentry description: A Helm chart for Dapr Sentry
name: dapr_sentry name: dapr_sentry
version: 1.11.3 version: 1.12.0


@ -1,7 +1,22 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-trust-bundle"}}
---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata:
name: dapr-trust-bundle
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{ if and .Values.tls.issuer.certPEM (and .Values.tls.issuer.keyPEM .Values.tls.root.certPEM) }}
data:
issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata: metadata:
name: dapr-trust-bundle name: dapr-trust-bundle
labels: labels:
@ -9,21 +24,16 @@ metadata:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
{{- end }} {{- end }}
{{ if .Values.tls.root.certPEM }}
data: data:
{{ if .Values.tls.issuer.certPEM }}issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }} ca.crt: {{- .Values.tls.root.certPEM | toYaml | indent 1}}
{{ else if $existingSecret }}issuer.crt: {{ index $existingSecret.data "issuer.crt" }} {{end}}
{{ end }}
{{ if .Values.tls.issuer.keyPEM }}issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
{{ else if $existingSecret }}issuer.key: {{ index $existingSecret.data "issuer.key" }}
{{end}}
{{ if .Values.tls.root.certPEM }}ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
{{ else if $existingSecret }}ca.crt: {{ index $existingSecret.data "ca.crt" }}
{{end}}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: dapr-sentry name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-sentry app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
@ -48,11 +58,15 @@ spec:
{{- with .Values.global.labels }} {{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations: annotations:
dapr.io/control-plane: sentry
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}" prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/" prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }} {{- end }}
spec: spec:
containers: containers:
@ -90,8 +104,15 @@ spec:
runAsNonRoot: {{ .Values.runAsNonRoot }} runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }} {{- if eq .Values.debug.enabled true }}
capabilities: capabilities:
add: add: ["SYS_PTRACE"]
- SYS_PTRACE {{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }} {{- end }}
{{- end }} {{- end }}
env: env:
@ -115,8 +136,11 @@ spec:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
volumeMounts: volumeMounts:
- name: credentials - name: credentials
mountPath: /var/run/dapr/credentials mountPath: /var/run/secrets/dapr.io/credentials
readOnly: true readOnly: true
{{- with .Values.global.extraVolumeMounts.sentry }}
{{- toYaml . | nindent 10 }}
{{- end }}
command: command:
{{- if eq .Values.debug.enabled false }} {{- if eq .Values.debug.enabled false }}
- "/sentry" - "/sentry"
@ -147,7 +171,7 @@ spec:
- "--enable-metrics=false" - "--enable-metrics=false"
{{- end }} {{- end }}
- "--trust-domain" - "--trust-domain"
- {{ .Values.tls.trustDomain }} - {{ .Values.global.mtls.controlPlaneTrustDomain }}
{{- if .Values.tokenAudience }} {{- if .Values.tokenAudience }}
- "--token-audience" - "--token-audience"
- {{ .Values.tokenAudience }} - {{ .Values.tokenAudience }}
@ -165,6 +189,9 @@ spec:
- name: credentials - name: credentials
secret: secret:
secretName: dapr-trust-bundle secretName: dapr-trust-bundle
{{- with .Values.global.extraVolumes.sentry }}
{{- toYaml . | nindent 8 }}
{{- end }}
affinity: affinity:
nodeAffinity: nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -195,7 +222,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.global.imagePullSecrets }} {{- if .Values.global.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }} {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.global.nodeSelector }} {{- if .Values.global.nodeSelector }}
nodeSelector: nodeSelector:
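Review bot: The `dapr-trust-bundle` Secret now renders `data` only when `tls.issuer.certPEM`, `tls.issuer.keyPEM` and `tls.root.certPEM` are all set, and the `lookup` fallback that copied the existing secret's keys is gone, so an upgrade without those values renders the Secret with no data at all. If the previous release manifest carried the keys, Helm's merge may remove them from the live Secret and sentry would then presumably mint a new root, invalidating certificates already issued; the upgrade path should be confirmed or the requirement to pass the PEM values documented. Supplying only one or two of the three values is also dropped silently; a `fail` with a clear message would be safer than ignoring a partial set. The new ConfigMap below it has no `namespace: {{ .Release.Namespace }}` line, unlike the Secret above it.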


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: dapr-sentry-budget name: dapr-sentry-budget
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-sentry app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}


@ -2,6 +2,7 @@ kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: dapr-sentry name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}
@ -13,3 +14,12 @@ spec:
- protocol: TCP - protocol: TCP
port: {{ .Values.ports.port }} port: {{ .Values.ports.port }}
targetPort: {{ .Values.ports.targetPort }} targetPort: {{ .Values.ports.targetPort }}
name: grpc
# Added for backwards compatibility where previous clients will attempt to
# connect on port 80.
{{ if (ne (int .Values.ports.port) 80) }}
- protocol: TCP
port: 80
targetPort: {{ .Values.ports.targetPort }}
name: legacy
{{ end }}
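Review bot: The legacy entry keeps port 80 published on the sentry Service whenever `ports.port` is not 80, and there is no value to switch it off once every client has moved to the new port. Both entries forward to the same `targetPort`, so this is extra surface rather than a different protocol, but operators who restrict traffic by port cannot drop it without editing the template. A boolean value guarding the `{{ if (ne (int .Values.ports.port) 80) }}` block, plus a line in the comment saying when the legacy port is expected to be removed, would cover that.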


@ -13,9 +13,11 @@ fullnameOverride: ""
tokenAudience: "" tokenAudience: ""
deploymentAnnotations: {}
ports: ports:
protocol: TCP protocol: TCP
port: 80 port: 443
targetPort: 50001 targetPort: 50001
tls: tls:


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for the Dapr sidecar injector description: A Helm chart for the Dapr sidecar injector
name: dapr_sidecar_injector name: dapr_sidecar_injector
version: 1.11.3 version: 1.12.0


@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: dapr-sidecar-injector name: dapr-sidecar-injector
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-sidecar-injector app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
@ -27,11 +28,15 @@ spec:
{{- with .Values.global.labels }} {{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations: annotations:
dapr.io/control-plane: injector
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}" prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}" prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/" prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.hostNetwork }} {{- if .Values.hostNetwork }}
@ -77,8 +82,15 @@ spec:
{{- end }} {{- end }}
{{- if eq .Values.debug.enabled true }} {{- if eq .Values.debug.enabled true }}
capabilities: capabilities:
add: add: ["SYS_PTRACE"]
- SYS_PTRACE {{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }} {{- end }}
{{- end }} {{- end }}
command: command:
@ -112,19 +124,13 @@ spec:
{{- end }} {{- end }}
- "--healthz-port" - "--healthz-port"
- "{{ .Values.healthzPort }}" - "{{ .Values.healthzPort }}"
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-secret-key"
- "{{ .ca }}"
- "--issuer-certificate-secret-key"
- "{{ .cert }}"
- "--issuer-key-secret-key"
- "{{ .key }}"
{{- end }}
env: env:
- name: TLS_CERT_FILE - name: DAPR_TRUST_ANCHORS_FILE
value: /dapr/cert/tls.crt value: /var/run/secrets/dapr.io/tls/ca.crt
- name: TLS_KEY_FILE - name: DAPR_CONTROL_PLANE_TRUST_DOMAIN
value: /dapr/cert/tls.key value: {{ .Values.global.mtls.controlPlaneTrustDomain }}
- name: DAPR_SENTRY_ADDRESS
value: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- if .Values.kubeClusterDomain }} {{- if .Values.kubeClusterDomain }}
- name: KUBE_CLUSTER_DOMAIN - name: KUBE_CLUSTER_DOMAIN
value: "{{ .Values.kubeClusterDomain }}" value: "{{ .Values.kubeClusterDomain }}"
@ -184,13 +190,33 @@ spec:
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
volumeMounts: volumeMounts:
- name: cert - name: dapr-trust-bundle
mountPath: /dapr/cert mountPath: /var/run/secrets/dapr.io/tls
readOnly: true readOnly: true
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
readOnly: true
{{- end }}
{{- with .Values.global.extraVolumeMounts.injector }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumes: volumes:
- name: cert - name: dapr-trust-bundle
secret: configMap:
secretName: dapr-sidecar-injector-cert name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.injector }}
{{- toYaml . | nindent 6 }}
{{- end }}
affinity: affinity:
nodeAffinity: nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -221,7 +247,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.global.imagePullSecrets }} {{- if .Values.global.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }} {{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.global.nodeSelector }} {{- if .Values.global.nodeSelector }}
nodeSelector: nodeSelector:


@ -8,6 +8,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: dapr-sidecar-injector-disruption-budget name: dapr-sidecar-injector-disruption-budget
namespace: {{ .Release.Namespace }}
labels: labels:
app: dapr-sidecar-injector app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}


@ -3,6 +3,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: dapr-sidecar-injector name: dapr-sidecar-injector
namespace: {{ .Release.Namespace }}
labels: labels:
{{- range $key, $value := .Values.global.k8sLabels }} {{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }} {{ $key }}: {{ tpl $value $ }}


@ -1,31 +1,4 @@
{{- if eq .Values.enabled true }} {{- if eq .Values.enabled true }}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-sidecar-injector-cert"}}
{{- $existingWebHookConfig := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace "dapr-sidecar-injector"}}
{{- $ca := genCA "dapr-sidecar-injector-ca" 3650 }}
{{- $cn := printf "dapr-sidecar-injector" }}
{{- $altName1 := printf "dapr-sidecar-injector.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-sidecar-injector.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-sidecar-injector.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-sidecar-injector.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-sidecar-injector-cert
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
@ -43,7 +16,6 @@ webhooks:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: dapr-sidecar-injector name: dapr-sidecar-injector
path: "/mutate" path: "/mutate"
caBundle: {{ if $existingWebHookConfig }}{{ (index $existingWebHookConfig.webhooks 0).clientConfig.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""


@ -15,6 +15,7 @@ image:
injectorImage: injectorImage:
name: "injector" name: "injector"
deploymentAnnotations: {}
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
webhookFailurePolicy: Ignore webhookFailurePolicy: Ignore


@ -30,3 +30,20 @@ Create chart name and version as used by the chart label.
{{- define "k8s_operator.chart" -}} {{- define "k8s_operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Formats imagePullSecrets. Input is dict( "imagePullSecrets" .{specific imagePullSecrets}).
*/}}
{{- define "dapr.imagePullSecrets" -}}
{{- if eq (typeOf .imagePullSecrets) "string" }}
- name: {{ .imagePullSecrets }}
{{- else }}
{{- range .imagePullSecrets }}
{{- if eq (typeOf .) "map[string]interface {}" }}
- {{ toYaml (dict "name" .name) | trim }}
{{- else }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
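Review bot: The two scalar branches of the new `dapr.imagePullSecrets` helper write the secret name unquoted, while the map branch goes through `toYaml`, so the three accepted input shapes do not render the same way. A pull-secret name that looks like a number or a boolean comes out as a non-string in the string and list-of-strings forms, and the resulting manifest would be rejected or mis-typed. Piping both through `quote` closes the gap: `- name: {{ .imagePullSecrets | quote }}` and `- name: {{ . | quote }}`. Separately, a map entry without a `name` key appears to render as `name: null`; wrapping `.name` in `required` would fail the render with a clear message instead of producing a pod spec with an empty pull-secret reference.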


@ -1,10 +1,26 @@
global: global:
registry: docker.io/daprio registry: docker.io/daprio
tag: '1.11.3' tag: '1.12.0'
dnsSuffix: ".cluster.local" dnsSuffix: ".cluster.local"
logAsJson: false logAsJson: false
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
# To help compatibility with other charts which use global.imagePullSecrets.
# Allow either a string with single imagepullsecret or an array of {name: pullSecret} maps (k8s-style) or an array of strings (more common helm-style).
# global:
# imagePullSecrets: "pullSecret"
# or
# global:
# imagePullSecrets:
# - name: pullSecret1
# - name: pullSecret2
# or
# global:
# imagePullSecrets:
# - pullSecret1
# - pullSecret2
imagePullSecrets: "" imagePullSecrets: ""
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
rbac: rbac:
@ -22,10 +38,30 @@ global:
enabled: true enabled: true
workloadCertTTL: 24h workloadCertTTL: 24h
allowedClockSkew: 15m allowedClockSkew: 15m
controlPlaneTrustDomain: "cluster.local"
# If set to true, a bound service account token will be mounted and used to
# authenticate to Sentry.
mountSentryVolume: true
# Used to override `dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443`
#sentryAddress:
# extraVolumes and extraVolumeMounts are used to mount additional volumes to
# the Dapr control plane pods. Useful for using alternative authentication
# credentials to sentry.
extraVolumes: {}
# sentry:
# placement:
# operator:
# injector:
extraVolumeMounts: {}
# sentry:
# placement:
# operator:
# injector:
actors: actors:
enabled: true enabled: true
daprControlPlaneOs: linux daprControlPlaneOs: linux
labels: {} labels: {}
seccompProfile: ""
k8sLabels: k8sLabels:
app.kubernetes.io/name: "{{ .Release.Name }}" app.kubernetes.io/name: "{{ .Release.Name }}"
app.kubernetes.io/version: "{{ .Values.global.tag }}" app.kubernetes.io/version: "{{ .Values.global.tag }}"