update dapr helm chart from v1.11.3 to v1.12.0

This commit is contained in:
Luca Burgazzoli 2023-10-13 08:53:46 +02:00
parent 1b91c10b27
commit 6527c7f183
No known key found for this signature in database
GPG Key ID: 238C46A40510C1A9
38 changed files with 559 additions and 262 deletions


@ -22,7 +22,7 @@ LOCALBIN := $(PROJECT_PATH)/bin
HELM_CHART_REPO ?= https://dapr.github.io/helm-charts
HELM_CHART ?= dapr
HELM_CHART_VERSION ?= 1.11.3
HELM_CHART_VERSION ?= 1.12.0
HELM_CHART_URL ?= https://raw.githubusercontent.com/dapr/helm-charts/master/dapr-$(HELM_CHART_VERSION).tgz
## Tool Versions


@ -12,7 +12,7 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Component describes an Dapr component type
description: Component describes an Dapr component type.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -20,7 +20,7 @@ spec:
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
description: Auth represents authentication details for the component
description: Auth represents authentication details for the component.
properties:
secretStore:
type: string
@ -39,32 +39,38 @@ spec:
type: string
type: array
spec:
description: ComponentSpec is the spec for a component
description: ComponentSpec is the spec for a component.
properties:
initTimeout:
type: string
ignoreErrors:
type: boolean
initTimeout:
type: string
metadata:
items:
description: MetadataItem is a name/value pair for a metadata
description: NameValuePair is a name/value pair.
properties:
envRef:
description: EnvRef is the name of an environmental variable
to read the value from.
type: string
name:
description: Name of the property.
type: string
secretKeyRef:
description: SecretKeyRef is a reference to a secret holding
the value for the metadata item. Name is the secret name,
and key is the field in the secret.
description: SecretKeyRef is the reference of a value in a secret
store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- key
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
required:
- name


@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.2
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
name: configurations.dapr.io
labels:
@ -224,13 +224,20 @@ spec:
description: Configure API logging.
properties:
enabled:
description: Default value for enabling API logging. Sidecars can always override this by setting `--enable-api-logging` to true or false explicitly. The default value is false.
description: Default value for enabling API logging. Sidecars
can always override this by setting `--enable-api-logging`
to true or false explicitly. The default value is false.
type: boolean
obfuscateURLs:
description: 'When enabled, obfuscates the values of URLs in HTTP API logs, logging the route name rather than the full path being invoked, which could contain PII. Default: false. This option has no effect if API logging is disabled.'
description: 'When enabled, obfuscates the values of URLs
in HTTP API logs, logging the route name rather than the
full path being invoked, which could contain PII. Default:
false. This option has no effect if API logging is disabled.'
type: boolean
omitHealthChecks:
description: 'If true, health checks are not reported in API logs. Default: false. This option has no effect if API logging is disabled.'
description: 'If true, health checks are not reported in API
logs. Default: false. This option has no effect if API logging
is disabled.'
type: boolean
type: object
type: object
@ -315,8 +322,34 @@ spec:
properties:
allowedClockSkew:
type: string
controlPlaneTrustDomain:
type: string
enabled:
type: boolean
sentryAddress:
type: string
tokenValidators:
description: Additional token validators to use. When Dapr is
running in Kubernetes mode, this is in addition to the built-in
"kubernetes" validator. In self-hosted mode, enabling a custom
validator will disable the built-in "insecure" validator.
items:
description: ValidatorSpec contains additional token validators
to use.
properties:
name:
description: Name of the validator
enum:
- jwks
type: string
options:
description: Options for the validator, if any
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
workloadCertTTL:
type: string
required:
@ -397,6 +430,12 @@ spec:
required:
- samplingRate
type: object
wasm:
description: WasmSpec describes the security profile for all Dapr Wasm components.
properties:
strictSandbox:
type: boolean
type: object
type: object
type: object
served: true


@ -18,10 +18,14 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external service invocation. This endpoint can be external to Dapr, or external to the environment.
description: HTTPEndpoint describes a Dapr HTTPEndpoint type for external
service invocation. This endpoint can be external to Dapr, or external to
the environment.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
auth:
description: Auth represents authentication details for the component.
@ -32,7 +36,9 @@ spec:
- secretStore
type: object
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@ -41,28 +47,113 @@ spec:
type: string
type: array
spec:
description: HTTPEndpointSpec describes an access specification for allowing external service invocations.
description: HTTPEndpointSpec describes an access specification for allowing
external service invocations.
properties:
baseUrl:
type: string
headers:
items:
description: Header is the name/value pair for a header specification.
clientTLS:
description: TLS describes how to build client or server TLS configurations.
properties:
certificate:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties:
name:
type: string
secretKeyRef:
description: SecretKeyRef is a reference to a secret holding the value for the metadata item. Name is the secret name, and key is the field in the secret.
description: SecretKeyRef is the reference of a value in a
secret store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- key
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
privateKey:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties:
secretKeyRef:
description: SecretKeyRef is the reference of a value in a
secret store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
renegotiation:
default: Never
description: Renegotiation sets the underlying tls negotiation
strategy for an http channel.
enum:
- Never
- OnceAsClient
- FreelyAsClient
type: string
rootCA:
description: TLSDocument describes and in-line or pointer to a
document to build a TLS configuration.
properties:
secretKeyRef:
description: SecretKeyRef is the reference of a value in a
secret store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
headers:
items:
description: NameValuePair is a name/value pair.
properties:
envRef:
description: EnvRef is the name of an environmental variable
to read the value from.
type: string
name:
description: Name of the property.
type: string
secretKeyRef:
description: SecretKeyRef is the reference of a value in a secret
store component.
properties:
key:
description: Field in the secret.
type: string
name:
description: Secret name.
type: string
required:
- name
type: object
value:
description: Value of the property, in plaintext.
x-kubernetes-preserve-unknown-fields: true
required:
- name
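Review bot: The three TLSDocument blocks under the new `clientTLS` property are not consistent with each other: `certificate.secretKeyRef` lists both `key` and `name` under `required`, while `privateKey.secretKeyRef` and `rootCA.secretKeyRef` require only `name`, and only `certificate` carries an extra `name` property alongside `secretKeyRef`/`value`. Because this file is generated by controller-gen, the discrepancy is presumably in the upstream Go types and should be confirmed there rather than hand-edited in the vendored copy. Note also that `privateKey.value` accepts the key material inline (its description reads "Value of the property, in plaintext"), so it is readable by anyone with read access to HTTPEndpoint objects; `secretKeyRef` is the option to steer users toward in the project's docs. The `openAPIV3Schema` mapping continues past the end of this hunk.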


@ -54,7 +54,7 @@ spec:
deadLetterTopic:
type: string
bulkSubscribe:
description: Represents bulk subscribe properies
description: Represents bulk subscribe properties
properties:
enabled:
type: boolean
@ -144,7 +144,7 @@ spec:
description: The optional dead letter queue for this topic to send events to.
type: string
bulkSubscribe:
description: Represents bulk subscribe properies
description: Represents bulk subscribe properties
properties:
enabled:
type: boolean


@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 1.11.3
appVersion: 1.12.0
description: A Helm chart for Dapr on Kubernetes
name: dapr
version: 1.11.3
version: 1.12.0


@ -78,9 +78,9 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.tag` | Docker image version tag | latest release |
| `global.logAsJson` | Json log format for control plane services | `false` |
| `global.imagePullPolicy` | Global Control plane service imagePullPolicy | `IfNotPresent` |
| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry | `""` |
| `global.imagePullSecrets` | Control plane service images pull secrets for docker registry. Its value can be: a string with single imagePullSecret, an array of `{name: pullSecret}` maps (Kubernetes-style), or an array of strings | `[]` |
| `global.ha.enabled` | Highly Availability mode enabled for control plane | `false` |
| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode | `3` |
| `global.ha.replicaCount` | Number of replicas of control plane services in Highly Availability mode<br>Note that in HA mode, Dapr Placement has 3 replicas and that cannot be configured. | `3` |
| `global.ha.disruption.minimumAvailable` | Minimum amount of available instances for control plane. This can either be effective count or %. | `` |
| `global.ha.disruption.maximumUnavailable` | Maximum amount of instances that are allowed to be unavailable for control plane. This can either be effective count or %. | `25%` |
| `global.prometheus.enabled` | Prometheus metrics enablement for control plane services | `true` |
@ -88,6 +88,17 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.mtls.enabled` | Mutual TLS enablement | `true` |
| `global.mtls.workloadCertTTL` | TTL for workload cert | `24h` |
| `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` |
| `global.mtls.controlPlaneTrustDomain ` | Trust domain for control plane | `cluster.local` |
| `global.mtls.sentryAddress` | Sentry address for control plane | `dapr-sentry.{{ .ReleaseNamespace }}.svc:443` |
| `global.mtls.mountSentryToken` | Gates whether the sentry bound service account token volume is mounted to control plane pods | `true` |
| `global.extraVolumes.sentry` | Array of extra volumes to make available to sentry pods | `[]` |
| `global.extraVolumes.placement` | Array of extra volumes to make available to placement pods | `[]` |
| `global.extraVolumes.operator` | Array of extra volumes to make available to operator pods | `[]` |
| `global.extraVolumes.injector` | Array of extra volumes to make available to sidecar injector pods | `[]` |
| `global.extraVolumeMounts.sentry` | Array of extra volume mounts to make available to sentry pod containers | `[]` |
| `global.extraVolumeMounts.placement` | Array of extra volume mounts to make available to placement pod containers | `[]` |
| `global.extraVolumeMounts.operator` | Array of extra volume mounts to make available to operator pod containers | `[]` |
| `global.extraVolumeMounts.injector` | Array of extra volume mounts to make available to sidecar injector pod containers | `[]` |
| `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` |
| `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` |
| `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` |
@ -99,12 +110,13 @@ The Helm chart has the follow configuration options that can be supplied:
| `global.issuerFilenames.cert` | Custom name of the file containing the leaf certificate inside the container | `issuer.crt` |
| `global.issuerFilenames.key` | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
| `global.actors.enabled` | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
| `global.seccompProfile` | SeccompProfile for Dapr control plane services | `""` |
| `global.rbac.namespaced` | Removes cluster wide permissions where applicable | `false` |
| `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts | `false` |
### Dapr Operator options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| `dapr_operator.replicaCount` | Number of replicas | `1` |
| `dapr_operator.logLevel` | Log level | `info` |
| `dapr_operator.watchInterval` | Interval for polling pods' state (e.g. `2m`). Set to `0` to disable, or `once` to only run once when the operator starts | `0` |
@ -113,23 +125,27 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_operator.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_operator.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_operator.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_operator.serviceReconciler.enabled`| If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.<br>Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
| `dapr_operator.serviceReconciler.enabled` | If false, disables the reconciler that creates Services for Dapr-enabled Deployments and StatefulSets.<br>Note: disabling this reconciler could prevent Dapr service invocation from working. | `true` |
| `dapr_operator.watchNamespace` | The namespace to watch for annotated Dapr resources in | `""` |
| `dapr_operator.deploymentAnnotations` | Custom annotations for Dapr Operator Deployment | `{}` |
### Dapr Placement options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
|------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_placement.ha` | If set to true, deploys the Placement service with 3 nodes regardless of the value of `global.ha.enabled` | `false` |
| `dapr_placement.replicationFactor` | Number of consistent hashing virtual node | `100` |
| `dapr_placement.logLevel` | Service Log level | `info` |
| `dapr_placement.image.name` | Service docker image name (`global.registry/dapr_placement.image.name`) | `dapr` |
| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when `global.ha.enabled` is true | `false` |
| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when `global.ha.enabled` is true | `/var/run/dapr/raft-log` |
| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when `global.ha.enabled` is true | `C:\\raft-log` |
| `dapr_placement.cluster.forceInMemoryLog` | Use in-memory log store and disable volume attach when HA is true | `false` |
| `dapr_placement.cluster.logStorePath` | Mount path for persistent volume for log store in unix-like system when HA is true | `/var/run/dapr/raft-log` |
| `dapr_placement.cluster.logStoreWinPath` | Mount path for persistent volume for log store in windows when HA is true | `C:\\raft-log` |
| `dapr_placement.volumeclaims.storageSize` | Attached volume size | `1Gi` |
| `dapr_placement.volumeclaims.storageClassName` | storage class name | |
| `dapr_placement.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. Does not apply unless `forceInMemoryLog` is set to `true`. You may have to set this to `false` when running in Minikube | `false` |
| `dapr_placement.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_placement.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_placement.metadataEnabled` | Boolean value for enabling placement tables metadata HTTP API | `false` |
| `dapr_placement.statefulsetAnnotations` | Custom annotations for Dapr Placement Statefulset | `{}` |
### Dapr RBAC options:
| Parameter | Description | Default |
@ -139,7 +155,7 @@ The Helm chart has the follow configuration options that can be supplied:
### Dapr Sentry options:
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------|-------------------------|
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_sentry.replicaCount` | Number of replicas | `1` |
| `dapr_sentry.logLevel` | Log level | `info` |
| `dapr_sentry.image.name` | Docker image name (`global.registry/dapr_sentry.image.name`) | `dapr` |
@ -147,14 +163,14 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sentry.tls.issuer.keyPEM` | Issuer Private Key cert | `""` |
| `dapr_sentry.tls.root.certPEM` | Root Certificate cert | `""` |
| `dapr_sentry.tokenAudience` | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
| `dapr_sentry.trustDomain` | Trust domain (logical group to manage app trust relationship) for access control list | `cluster.local` |
| `dapr_sentry.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sentry.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sentry.debug.enabled` | Boolean value for enabling debug mode | `{}` |
| `dapr_sentry.deploymentAnnotations` | Custom annotations for Dapr Sentry Deployment | `{}` |
### Dapr Sidecar Injector options:
| Parameter | Description | Default |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| `dapr_sidecar_injector.enabled` | Enable the sidecar injector | `true` |
| `dapr_sidecar_injector.sidecarImagePullPolicy` | Dapr sidecar image pull policy | `IfNotPresent` |
| `dapr_sidecar_injector.replicaCount` | Number of replicas | `1` |
@ -174,6 +190,7 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sidecar_injector.ignoreEntrypointTolerations` | JSON array of Kubernetes tolerations. If pod contains any of these tolerations, it will ignore the Docker image ENTRYPOINT for Dapr sidecar. | `[{\"effect\":\"NoSchedule\",\"key\":\"alibabacloud.com/eci\"},{\"effect\":\"NoSchedule\",\"key\":\"azure.com/aci\"},{\"effect\":\"NoSchedule\",\"key\":\"aws\"},{\"effect\":\"NoSchedule\",\"key\":\"huawei.com/cci\"}]` |
| `dapr_sidecar_injector.hostNetwork` | Enable hostNetwork mode. This is helpful when working with overlay networks such as Calico CNI and admission webhooks fail | `false` |
| `dapr_sidecar_injector.healthzPort` | The port used for health checks. Helpful in combination with hostNetwork to avoid port collisions | `8080` |
| `dapr_sidecar.deploymentAnnotations` | Custom annotations for Dapr sidecar Deployment | `{}` |
## Example of highly available configuration of the control plane


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr configuration
name: dapr_config
version: 1.11.3
version: 1.12.0


@ -3,6 +3,7 @@ apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: {{ .Values.dapr_default_system_config_name }}
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -12,4 +13,6 @@ spec:
enabled: {{ .Values.global.mtls.enabled }}
workloadCertTTL: {{ .Values.global.mtls.workloadCertTTL }}
allowedClockSkew: {{ .Values.global.mtls.allowedClockSkew }}
controlPlaneTrustDomain: {{ .Values.global.mtls.controlPlaneTrustDomain }}
sentryAddress: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- end }}
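Review bot: The `sentryAddress` fallback on the last added line hardcodes `dapr-sentry.<namespace>.svc.cluster.local:443`, while the README updated in this same commit documents the default as `dapr-sentry.{{ .ReleaseNamespace }}.svc:443` and the chart exposes `global.dnsSuffix` (documented default `.cluster.local`); template and docs disagree, and a cluster with a non-default DNS suffix gets an address sentry is not reachable at unless `global.mtls.sentryAddress` is set explicitly. If `global.dnsSuffix` is meant to apply here, the fallback could read `dapr-sentry.{{ .Release.Namespace }}.svc{{ .Values.global.dnsSuffix }}:443` — confirm against how the other templates in the chart use that value. Both `controlPlaneTrustDomain` and `sentryAddress` are emitted as unquoted templated scalars; wrapping them in `"{{ ... }}"` keeps an empty override from rendering as null.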


@ -1,4 +1,4 @@
# This value is essential in determining whether to build this chart or not based on the usecase. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
# This value is essential in determining whether to build this chart or not based on the use case. For example this chart should not be included while generating manifest file for dapr which is achieved by overriding this value.
dapr_config_chart_included: true
dapr_default_system_config_name: "daprsystem"
component: config


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes Operator
name: dapr_operator
version: 1.11.3
version: 1.12.0


@ -1,48 +1,8 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-cert"}}
{{- $existingCA := lookup "v1" "Secret" .Release.Namespace "dapr-webhook-ca"}}
{{- $ca := genCA "dapr-webhook-ca" 3650 }}
{{- $cn := printf "dapr-webhook" }}
{{- $altName1 := printf "dapr-webhook.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-webhook.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-webhook.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-webhook.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-cert
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: v1
kind: Secret
metadata:
name: dapr-webhook-ca
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingCA }}caBundle: {{ index $existingCA.data "caBundle" }}
{{ else }}caBundle: {{ b64enc $ca.Cert }}
{{ end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-operator
namespace: {{ .Release.Namespace }}
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}
@ -67,11 +27,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
dapr.io/control-plane: operator
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
containers:
@ -107,11 +71,18 @@ spec:
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
add: ["SYS_PTRACE"]
{{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
env:
- name: NAMESPACE
@ -133,16 +104,22 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
- name: dapr-trust-bundle
mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
readOnly: true
- name: webhook-creds
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
mountPath: "C:\\Windows\\TEMP\\k8s-webhook-server\\serving-certs"
{{- else }}
mountPath: /tmp/k8s-webhook-server/serving-certs
{{- end }}
readOnly: true
{{- if eq .Values.debug.enabled false }}
# This is not needed in debug mode because the root FS is writable
- name: dapr-operator-tmp
mountPath: /tmp
{{- end }}
{{- with .Values.global.extraVolumeMounts.operator }}
{{- toYaml . | nindent 8 }}
{{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/operator"
@ -166,6 +143,8 @@ spec:
- "{{ .Values.maxPodRestartsPerMinute }}"
- "--log-level"
- "{{ .Values.logLevel }}"
- "--trust-anchors-file"
- "/var/run/secrets/dapr.io/tls/ca.crt"
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
@ -176,14 +155,6 @@ spec:
{{- else }}
- "--enable-metrics=false"
{{- end }}
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
{{- if .Values.watchNamespace }}
- "--watch-namespace"
- "{{ .Values.watchNamespace }}"
@ -199,12 +170,25 @@ spec:
{{- end }}
serviceAccountName: dapr-operator
volumes:
- name: credentials
secret:
secretName: dapr-trust-bundle
- name: webhook-creds
secret:
secretName: dapr-webhook-cert
- name: dapr-operator-tmp
emptyDir:
sizeLimit: 2Mi
medium: Memory
- name: dapr-trust-bundle
configMap:
name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.operator }}
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -235,7 +219,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
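Review bot: The new `dapr-identity-token` volume and its mount are gated on `.Values.global.mtls.mountSentryVolume` (volumeMounts and volumes hunks here, and again in the placement StatefulSet), while the README added in this commit documents the key as `global.mtls.mountSentryToken`. If the chart's values.yaml (not in this chunk) defines only the README name, the condition is always false, the projected service-account token is never mounted, and the operator has nothing to present to sentry; please confirm which key values.yaml defines and align the other. The placement StatefulSet mounts the same token without `readOnly: true`, unlike the operator mount here, and `readOnly: true` is the safer setting for a credential volume. The dropped `genCA`/`lookup` generation of the `dapr-webhook-cert` and `dapr-webhook-ca` Secrets presumably means the operator now provisions the webhook certificate itself; worth confirming that Secrets left behind by a 1.11.3 install need no cleanup on upgrade.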


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-operator-disruption-budget
namespace: {{ .Release.Namespace }}
labels:
app: dapr-operator
{{- range $key, $value := .Values.global.k8sLabels }}


@ -2,6 +2,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-api
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -18,6 +19,7 @@ apiVersion: v1
kind: Service
metadata:
name: dapr-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}


@ -14,6 +14,8 @@ image:
nameOverride: ""
fullnameOverride: ""
deploymentAnnotations: {}
runAsNonRoot: true
serviceReconciler:


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes placement
name: dapr_placement
version: 1.11.3
version: 1.12.0


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-placement-server-disruption-budget
namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}


@ -3,6 +3,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-placement-server
namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}


@ -3,13 +3,14 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dapr-placement-server
namespace: {{ .Release.Namespace }}
labels:
app: dapr-placement-server
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
spec:
{{- if eq .Values.global.ha.enabled true }}
{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
replicas: 3
{{- else }}
replicas: 1
@ -29,11 +30,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
dapr.io/control-plane: placement
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
{{- if .Values.statefulsetAnnotations }}
{{ toYaml .Values.statefulsetAnnotations | indent 4}}
{{- end }}
spec:
containers:
@ -69,10 +74,17 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
- name: dapr-trust-bundle
mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
{{- if eq .Values.global.ha.enabled true }}
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
{{- end }}
{{- with .Values.global.extraVolumeMounts.placement }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
- name: raft-log
{{- if eq .Values.global.daprControlPlaneOs "windows" }}
@ -109,7 +121,7 @@ spec:
- "/placement"
- "--"
{{- end }}
{{- if eq .Values.global.ha.enabled true }}
{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
- "--id"
- "$(PLACEMENT_ID)"
- "--initial-cluster"
@ -128,6 +140,9 @@ spec:
{{- if eq .Values.global.logAsJson true }}
- "--log-as-json"
{{- end }}
{{- if eq .Values.metadataEnabled true }}
- "--metadata-enabled"
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
- "--enable-metrics"
- "--replicationFactor"
@ -138,14 +153,10 @@ spec:
- "--enable-metrics=false"
{{- end }}
- "--tls-enabled"
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-filename"
- "{{ .ca }}"
- "--issuer-certificate-filename"
- "{{ .cert }}"
- "--issuer-key-filename"
- "{{ .key }}"
{{- end }}
- "--trust-domain={{ .Values.global.mtls.controlPlaneTrustDomain }}"
- "--trust-anchors-file=/var/run/secrets/dapr.io/tls/ca.crt"
- "--sentry-address={{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}"
- "--mode=kubernetes"
{{- if eq .Values.global.daprControlPlaneOs "linux" }}
securityContext:
{{- if eq .Values.cluster.forceInMemoryLog true }}
@ -153,11 +164,18 @@ spec:
{{- else }}
runAsUser: 0
{{- end }}
{{- if eq .Values.debug.enabled true }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
{{- end }}
add: ["SYS_PTRACE"]
{{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
env:
- name: PLACEMENT_ID
@ -170,9 +188,21 @@ spec:
fieldPath: metadata.namespace
serviceAccountName: dapr-placement
volumes:
- name: credentials
secret:
secretName: dapr-trust-bundle
- name: dapr-trust-bundle
configMap:
name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.placement }}
{{- toYaml . | nindent 6 }}
{{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -203,7 +233,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
@ -213,7 +243,7 @@ spec:
tolerations:
{{ toYaml .Values.global.tolerations | indent 8 }}
{{- end }}
{{- if eq .Values.global.ha.enabled true }}
{{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
{{- if eq .Values.cluster.forceInMemoryLog false }}
volumeClaimTemplates:
- metadata:
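Review bot: The new `dapr-identity-token` volume mount in the placement container (the block under `{{- if .Values.global.mtls.mountSentryVolume }}` in the volumeMounts hunk) is missing `readOnly: true`, while the sibling `dapr-trust-bundle` mount right above it and the same identity-token mount in the sidecar-injector Deployment in this commit both set it; a projected service-account token has no reason to be writable from the container, so add `readOnly: true` after `mountPath: /var/run/secrets/dapr.io/sentrytoken`. Separately, the new `--sentry-address` default hard-codes `.svc.cluster.local` although values.yaml in this commit defines `global.dnsSuffix`; the injector Deployment's `DAPR_SENTRY_ADDRESS` repeats the same hard-coding, so either derive the default from `.Values.global.dnsSuffix` in both places or add a comment stating why the suffix is fixed here.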


@ -10,11 +10,15 @@ image:
nameOverride: ""
fullnameOverride: ""
statefulsetAnnotations: {}
ports:
protocol: TCP
apiPort: 50005
raftRPCPort: 8201
ha: false
cluster:
forceInMemoryLog: false
logStorePath: /var/run/dapr/raft-log
@ -26,6 +30,8 @@ volumeclaims:
replicationFactor: 100
metadataEnabled: false
livenessProbe:
initialDelaySeconds: 10
periodSeconds: 3
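Review bot: The new `ha` and `metadataEnabled` keys are added without any comment saying what they switch on, which matters because the StatefulSet template in this commit now treats `ha: true` as equivalent to `global.ha.enabled` (3 replicas, `--id`/`--initial-cluster` args, and the raft-log volume unless `cluster.forceInMemoryLog` is true). Suggest `# Run placement in HA mode (3 replicas, raft log volume) even when global.ha.enabled is false.` above `ha: false`, and `# Passes --metadata-enabled to the placement container.` above `metadataEnabled: false`.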


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Kubernetes RBAC components
name: dapr_rbac
version: 1.11.3
version: 1.12.0


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-injector
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -19,6 +20,10 @@ rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["patch"]
resourceNames: ["dapr-sidecar-injector"]
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations", "components"]
@ -46,6 +51,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-injector
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
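Review bot: The new rule granting `patch` on `mutatingwebhookconfigurations` carries no comment explaining why the injector needs write access to its own admission webhook, and the webhook template in this commit no longer renders a `caBundle` (the Helm-side genCA/genSignedCert block is deleted), so presumably the injector now writes the caBundle itself at runtime. Scoping the verb to `resourceNames: ["dapr-sidecar-injector"]` is the right least-privilege shape, but the coupling is invisible to anyone reading only the RBAC file; a comment such as `# The injector manages its own serving cert and patches the caBundle of this webhook at startup; keep this scoped to patch + resourceNames.` would document it. It is also worth noting in the chart docs that until that patch lands the webhook has no caBundle, and with the default `webhookFailurePolicy: Ignore` admission would presumably proceed without sidecar injection during that window.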


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-operator
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -84,6 +85,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -150,6 +152,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-operator
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-placement
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}


@ -2,6 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -22,7 +23,10 @@ rules:
{{- if not .Values.global.rbac.namespaced }}
- apiGroups: ["dapr.io"]
resources: ["configurations"]
verbs: ["list"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch"]
{{- end }}
---
kind: ClusterRoleBinding
@ -46,6 +50,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -53,7 +58,11 @@ metadata:
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "update"]
verbs: ["get", "update","delete"]
resourceNames: ["dapr-trust-bundle"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "update", "watch", "list"]
resourceNames: ["dapr-trust-bundle"]
{{- if eq .Values.global.rbac.namespaced true }}
- apiGroups: ["dapr.io"]
@ -65,6 +74,7 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
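Review bot: The new Role rule on `configmaps` combines `resourceNames: ["dapr-trust-bundle"]` with `list` and `watch`; Kubernetes RBAC only authorises a resourceName-restricted list/watch when the client sends a `metadata.name` field selector matching that name, so unless sentry's informer does that the list/watch will be denied at the API server — worth confirming against the sentry code, or recording the constraint in a comment next to the rule. The widened ClusterRole rules (`list`/`get`/`watch` on all `configurations` and on all `pods` cluster-wide) also arrive without a comment on what sentry reads from pods; a one-line comment stating the purpose would help anyone reviewing future RBAC changes to this file. Minor style: `verbs: ["get", "update","delete"]` is missing the space after the comma that every other verb list in this file uses.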


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Dapr Sentry
name: dapr_sentry
version: 1.11.3
version: 1.12.0


@ -1,7 +1,22 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-trust-bundle"}}
---
apiVersion: v1
kind: Secret
metadata:
name: dapr-trust-bundle
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{ if and .Values.tls.issuer.certPEM (and .Values.tls.issuer.keyPEM .Values.tls.root.certPEM) }}
data:
issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: dapr-trust-bundle
labels:
@ -9,21 +24,16 @@ metadata:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
{{ if .Values.tls.root.certPEM }}
data:
{{ if .Values.tls.issuer.certPEM }}issuer.crt: {{ b64enc .Values.tls.issuer.certPEM | trim }}
{{ else if $existingSecret }}issuer.crt: {{ index $existingSecret.data "issuer.crt" }}
{{ end }}
{{ if .Values.tls.issuer.keyPEM }}issuer.key: {{ b64enc .Values.tls.issuer.keyPEM | trim }}
{{ else if $existingSecret }}issuer.key: {{ index $existingSecret.data "issuer.key" }}
{{end}}
{{ if .Values.tls.root.certPEM }}ca.crt: {{ b64enc .Values.tls.root.certPEM | trim }}
{{ else if $existingSecret }}ca.crt: {{ index $existingSecret.data "ca.crt" }}
{{end}}
ca.crt: {{- .Values.tls.root.certPEM | toYaml | indent 1}}
{{end}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}
@ -48,11 +58,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
dapr.io/control-plane: sentry
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
containers:
@ -90,8 +104,15 @@ spec:
runAsNonRoot: {{ .Values.runAsNonRoot }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
add: ["SYS_PTRACE"]
{{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
env:
@ -115,8 +136,11 @@ spec:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: credentials
mountPath: /var/run/dapr/credentials
mountPath: /var/run/secrets/dapr.io/credentials
readOnly: true
{{- with .Values.global.extraVolumeMounts.sentry }}
{{- toYaml . | nindent 10 }}
{{- end }}
command:
{{- if eq .Values.debug.enabled false }}
- "/sentry"
@ -147,7 +171,7 @@ spec:
- "--enable-metrics=false"
{{- end }}
- "--trust-domain"
- {{ .Values.tls.trustDomain }}
- {{ .Values.global.mtls.controlPlaneTrustDomain }}
{{- if .Values.tokenAudience }}
- "--token-audience"
- {{ .Values.tokenAudience }}
@ -165,6 +189,9 @@ spec:
- name: credentials
secret:
secretName: dapr-trust-bundle
{{- with .Values.global.extraVolumes.sentry }}
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -195,7 +222,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
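Review bot: The rewritten `dapr-trust-bundle` Secret only renders `data:` when all three PEM values are supplied, and the previous `lookup`-based carry-over of an existing secret is gone, so on `helm upgrade` of a release whose Secret held sentry-generated `issuer.crt`/`issuer.key` the new manifest contains no `data` keys; Helm's three-way merge would then drop those keys from the live Secret unless sentry regenerates them (the new `delete` verb on this secret in the sentry Role suggests it does, but that is inferred, not visible here). Either way the template should state the ownership: a comment like `# Sentry owns the contents of this Secret at runtime; the chart only seeds it when tls.issuer.* and tls.root.certPEM are provided.` above the `{{ if and ... }}` line would make it explicit. Storing `ca.crt` in the ConfigMap as plain PEM rather than base64 is the correct distinction from the Secret.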


@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-sentry-budget
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sentry
{{- range $key, $value := .Values.global.k8sLabels }}


@ -2,6 +2,7 @@ kind: Service
apiVersion: v1
metadata:
name: dapr-sentry
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
@ -13,3 +14,12 @@ spec:
- protocol: TCP
port: {{ .Values.ports.port }}
targetPort: {{ .Values.ports.targetPort }}
name: grpc
# Added for backwards compatibility where previous clients will attempt to
# connect on port 80.
{{ if (ne (int .Values.ports.port) 80) }}
- protocol: TCP
port: 80
targetPort: {{ .Values.ports.targetPort }}
name: legacy
{{ end }}
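Review bot: The new legacy-port block uses `{{ if ... }}`/`{{ end }}` without whitespace trimming, unlike the `{{- if`/`{{- end }}` form used throughout the rest of these templates, so the rendered Service carries stray blank lines around the port entry; `{{- if (ne (int .Values.ports.port) 80) }}` and `{{- end }}` keep the output consistent. The comment explaining the port-80 fallback is useful; consider also naming the version after which the `legacy` port can be removed so the compatibility shim does not linger indefinitely.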


@ -13,9 +13,11 @@ fullnameOverride: ""
tokenAudience: ""
deploymentAnnotations: {}
ports:
protocol: TCP
port: 80
port: 443
targetPort: 50001
tls:
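Review bot: The default `ports.port` changes from 80 to 443 with no comment, and nothing in values.yaml tells a reader that the Service template in this commit still exposes port 80 under the name `legacy` whenever `port` is not 80. A comment above `port: 443` such as `# Default changed from 80 to 443; when port != 80 the Service also publishes port 80 as "legacy" for older clients.` keeps the values file self-explanatory for operators who pin ports.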


@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0"
description: A Helm chart for the Dapr sidecar injector
name: dapr_sidecar_injector
version: 1.11.3
version: 1.12.0


@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: dapr-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
@ -27,11 +28,15 @@ spec:
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if eq .Values.global.prometheus.enabled true }}
annotations:
dapr.io/control-plane: injector
{{- if eq .Values.global.prometheus.enabled true }}
prometheus.io/scrape: "{{ .Values.global.prometheus.enabled }}"
prometheus.io/port: "{{ .Values.global.prometheus.port }}"
prometheus.io/path: "/"
{{- end }}
{{- if .Values.deploymentAnnotations }}
{{ toYaml .Values.deploymentAnnotations | indent 4}}
{{- end }}
spec:
{{- if .Values.hostNetwork }}
@ -77,8 +82,15 @@ spec:
{{- end }}
{{- if eq .Values.debug.enabled true }}
capabilities:
add:
- SYS_PTRACE
add: ["SYS_PTRACE"]
{{- else }}
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.global.seccompProfile }}
seccompProfile:
type: {{ .Values.global.seccompProfile }}
{{- end }}
{{- end }}
command:
@ -112,19 +124,13 @@ spec:
{{- end }}
- "--healthz-port"
- "{{ .Values.healthzPort }}"
{{- with .Values.global.issuerFilenames }}
- "--issuer-ca-secret-key"
- "{{ .ca }}"
- "--issuer-certificate-secret-key"
- "{{ .cert }}"
- "--issuer-key-secret-key"
- "{{ .key }}"
{{- end }}
env:
- name: TLS_CERT_FILE
value: /dapr/cert/tls.crt
- name: TLS_KEY_FILE
value: /dapr/cert/tls.key
- name: DAPR_TRUST_ANCHORS_FILE
value: /var/run/secrets/dapr.io/tls/ca.crt
- name: DAPR_CONTROL_PLANE_TRUST_DOMAIN
value: {{ .Values.global.mtls.controlPlaneTrustDomain }}
- name: DAPR_SENTRY_ADDRESS
value: {{ if .Values.global.mtls.sentryAddress }}{{ .Values.global.mtls.sentryAddress }}{{ else }}dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443{{ end }}
{{- if .Values.kubeClusterDomain }}
- name: KUBE_CLUSTER_DOMAIN
value: "{{ .Values.kubeClusterDomain }}"
@ -184,13 +190,33 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
- name: cert
mountPath: /dapr/cert
- name: dapr-trust-bundle
mountPath: /var/run/secrets/dapr.io/tls
readOnly: true
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
mountPath: /var/run/secrets/dapr.io/sentrytoken
readOnly: true
{{- end }}
{{- with .Values.global.extraVolumeMounts.injector }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
secretName: dapr-sidecar-injector-cert
- name: dapr-trust-bundle
configMap:
name: dapr-trust-bundle
{{- if .Values.global.mtls.mountSentryVolume }}
- name: dapr-identity-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
{{- end }}
{{- with .Values.global.extraVolumes.injector }}
{{- toYaml . | nindent 6 }}
{{- end }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -221,7 +247,7 @@ spec:
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecrets }}
{{- include "dapr.imagePullSecrets" (dict "imagePullSecrets" .Values.global.imagePullSecrets) | nindent 8 }}
{{- end }}
{{- if .Values.global.nodeSelector }}
nodeSelector:
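Review bot: The new env entries `DAPR_CONTROL_PLANE_TRUST_DOMAIN` and `DAPR_SENTRY_ADDRESS` emit their values as unquoted plain scalars, whereas `KUBE_CLUSTER_DOMAIN` a few lines below quotes its templated value; an env `value` must be a string, and an unquoted template expansion is fragile (an empty expansion becomes null, and a value containing ` #` or `: ` breaks the parse). Use `value: "{{ .Values.global.mtls.controlPlaneTrustDomain }}"` and wrap the sentry-address `{{ if ... }}{{ end }}` expression in double quotes the same way. The projected `dapr-identity-token` mount correctly sets `readOnly: true` and a 600-second token lifetime, which is the right shape for a short-lived bound token.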


@ -8,6 +8,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: dapr-sidecar-injector-disruption-budget
namespace: {{ .Release.Namespace }}
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}


@ -3,6 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: dapr-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}


@ -1,31 +1,4 @@
{{- if eq .Values.enabled true }}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "dapr-sidecar-injector-cert"}}
{{- $existingWebHookConfig := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace "dapr-sidecar-injector"}}
{{- $ca := genCA "dapr-sidecar-injector-ca" 3650 }}
{{- $cn := printf "dapr-sidecar-injector" }}
{{- $altName1 := printf "dapr-sidecar-injector.%s" .Release.Namespace }}
{{- $altName2 := printf "dapr-sidecar-injector.%s.svc" .Release.Namespace }}
{{- $altName3 := printf "dapr-sidecar-injector.%s.svc.cluster" .Release.Namespace }}
{{- $altName4 := printf "dapr-sidecar-injector.%s.svc.cluster.local" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: dapr-sidecar-injector-cert
labels:
app: dapr-sidecar-injector
{{- range $key, $value := .Values.global.k8sLabels }}
{{ $key }}: {{ tpl $value $ }}
{{- end }}
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}
{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
@ -43,7 +16,6 @@ webhooks:
namespace: {{ .Release.Namespace }}
name: dapr-sidecar-injector
path: "/mutate"
caBundle: {{ if $existingWebHookConfig }}{{ (index $existingWebHookConfig.webhooks 0).clientConfig.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
rules:
- apiGroups:
- ""


@ -15,6 +15,7 @@ image:
injectorImage:
name: "injector"
deploymentAnnotations: {}
nameOverride: ""
fullnameOverride: ""
webhookFailurePolicy: Ignore


@ -30,3 +30,20 @@ Create chart name and version as used by the chart label.
{{- define "k8s_operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Formats imagePullSecrets. Input is dict( "imagePullSecrets" .{specific imagePullSecrets}).
*/}}
{{- define "dapr.imagePullSecrets" -}}
{{- if eq (typeOf .imagePullSecrets) "string" }}
- name: {{ .imagePullSecrets }}
{{- else }}
{{- range .imagePullSecrets }}
{{- if eq (typeOf .) "map[string]interface {}" }}
- {{ toYaml (dict "name" .name) | trim }}
{{- else }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
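Review bot: The doc comment on `dapr.imagePullSecrets` says only that the input is a dict, but the body accepts three shapes (a bare string, a list of strings, a list of `{name: ...}` maps) and emits list items at column 0 that depend on the caller's `nindent`; a reader has to reverse-engineer that from the `typeOf` checks. Expand the comment to something like `Renders imagePullSecrets as list items. Accepts a string, a list of strings, or a list of {name: ...} maps; the caller must pipe the output through nindent at the target depth.`. The `typeOf` comparison against the literal `map[string]interface {}` is Go-runtime-specific, and any map whose type string differs silently falls through to the `- name: {{ . }}` branch and renders the whole map as the name; a one-line comment on that branch would save the next maintainer a surprise.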


@ -1,10 +1,26 @@
global:
registry: docker.io/daprio
tag: '1.11.3'
tag: '1.12.0'
dnsSuffix: ".cluster.local"
logAsJson: false
imagePullPolicy: IfNotPresent
# To help compatibility with other charts which use global.imagePullSecrets.
# Allow either a string with single imagepullsecret or an array of {name: pullSecret} maps (k8s-style) or an array of strings (more common helm-style).
# global:
# imagePullSecrets: "pullSecret"
# or
# global:
# imagePullSecrets:
# - name: pullSecret1
# - name: pullSecret2
# or
# global:
# imagePullSecrets:
# - pullSecret1
# - pullSecret2
imagePullSecrets: ""
nodeSelector: {}
tolerations: []
rbac:
@ -22,10 +38,30 @@ global:
enabled: true
workloadCertTTL: 24h
allowedClockSkew: 15m
controlPlaneTrustDomain: "cluster.local"
# If set to true, a bound service account token will be mounted and used to
# authenticate to Sentry.
mountSentryVolume: true
# Used to override `dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443`
#sentryAddress:
# extraVolumes and extraVolumeMounts are used to mount additional volumes to
# the Dapr control plane pods. Useful for using alternative authentication
# credentials to sentry.
extraVolumes: {}
# sentry:
# placement:
# operator:
# injector:
extraVolumeMounts: {}
# sentry:
# placement:
# operator:
# injector:
actors:
enabled: true
daprControlPlaneOs: linux
labels: {}
seccompProfile: ""
k8sLabels:
app.kubernetes.io/name: "{{ .Release.Name }}"
app.kubernetes.io/version: "{{ .Values.global.tag }}"
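Review bot: `seccompProfile: ""` is added with no comment, although the templates in this commit render it as `securityContext.seccompProfile.type` on the control-plane containers whenever it is non-empty; a comment naming the accepted Kubernetes values, e.g. `# Seccomp profile type for control-plane containers: RuntimeDefault is the usual choice (Localhost would also need a localhostProfile the template does not render); "" leaves it unset.`, would help operators turn it on. Minor style: `#sentryAddress:` lacks the space after `#` that the surrounding comments use, and the example sub-keys under `extraVolumes`/`extraVolumeMounts` would read better indented beneath the key they illustrate.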