Injector: add DAPR_HOST_IP env var to daprd #7511

Merged (1 commit) on Feb 8, 2024
9 changes: 5 additions & 4 deletions charts/dapr/README.md
@@ -194,10 +194,11 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`|
| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` |
| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
| `dapr_sidecar_injector.enableK8sDownwardAPIs` | When set to true, uses the Kubernetes downward projection APIs to inject certain environmental variables (such as pod IP) into the daprd container. (default: `false`) | `true` |
| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` |
| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
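Review bot: the new `dapr_sidecar_injector.enableK8sDownwardAPIs` row contradicts itself and the chart: its description says "(default: `false`)", the default column says `true`, and `charts/dapr/charts/dapr_sidecar_injector/values.yaml` in this same PR sets `enableK8sDownwardAPIs: false`. Make the default column `false` and drop the parenthetical, since the table already has a default column. The hunk re-emits the neighbouring rows anyway, so two pre-existing errors could be fixed here for free: both `sidecarRunAsNonRoot` rows say the sidecar gets `runAsRoot: true`, which is not a Kubernetes securityContext field and reads as the opposite of what the option does (`runAsNonRoot: true`), and `sidecarDropALLCapabilities` has "valus" for "value". It would also help readers judge the effect of enabling the toggle if the row said what it actually adds: a `status.podIP` downward-API reference in the daprd container's env, nothing else.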
@@ -150,6 +150,8 @@ spec:
# Configuration for injected sidecars
- name: SIDECAR_RUN_AS_NON_ROOT
value: {{ .Values.sidecarRunAsNonRoot | toString | toYaml }}
- name: ENABLE_K8S_DOWNWARD_APIS
value: {{ .Values.enableK8sDownwardAPIs | toString | toYaml }}
- name: SIDECAR_DROP_ALL_CAPABILITIES
value: {{ .Values.sidecarDropALLCapabilities | toString | toYaml }}
- name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM
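Review bot: `ENABLE_K8S_DOWNWARD_APIS` is emitted into the injector Deployment here, and `SidecarConfig` gains an `EnableK8sDownwardAPIs` field in `pkg/injector/patcher/sidecar.go`, but none of the files shown in this diff maps the environment variable onto that field. If an existing config loader picks it up by convention, say so in the PR description; otherwise the Helm toggle is inert and `DAPR_HOST_IP` is never injected, which is exactly the gap a unit test on `getSidecarContainer` with the flag set would catch.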
1 change: 1 addition & 0 deletions charts/dapr/charts/dapr_sidecar_injector/values.yaml
@@ -29,6 +29,7 @@ runAsNonRoot: true
sidecarRunAsNonRoot: true
sidecarReadOnlyRootFilesystem: true
sidecarDropALLCapabilities: false
enableK8sDownwardAPIs: false
allowedServiceAccounts: ""
allowedServiceAccountsPrefixNames: ""
resources: {}
1 change: 1 addition & 0 deletions pkg/injector/consts/consts.go
@@ -37,6 +37,7 @@ const (
UserContainerAppProtocolName = "APP_PROTOCOL" // Name of the variable exposed to the app containing the app protocol.
UserContainerDaprHTTPPortName = "DAPR_HTTP_PORT" // Name of the variable exposed to the app containing the Dapr HTTP port.
UserContainerDaprGRPCPortName = "DAPR_GRPC_PORT" // Name of the variable exposed to the app containing the Dapr gRPC port.
DaprContainerHostIP = "DAPR_HOST_IP" // Name of the variable injected in the daprd container containing the pod's IP
TokenVolumeKubernetesMountPath = "/var/run/secrets/dapr.io/sentrytoken" /* #nosec */ // Mount path for the Kubernetes service account volume with the sentry token.
TokenVolumeName = "dapr-identity-token" /* #nosec */ // Name of the volume with the service account token for daprd.
ComponentsUDSVolumeName = "dapr-components-unix-domain-socket" // Name of the Unix domain socket volume for components.
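Review bot: the name `DAPR_HOST_IP` says node address, but the comment and the patcher in `sidecar_container.go` fill it from `status.podIP`; in the downward API the node address is `status.hostIP`, so the name invites a later "fix" of the fieldPath to the wrong field, and the two values only coincide for `hostNetwork: true` pods. Prefer `DAPR_POD_IP` (and `DaprContainerPodIP`), or, if daprd already expects `DAPR_HOST_IP`, extend the comment to state explicitly that the value is the pod IP and must not be switched to `status.hostIP`. The `DaprContainer` prefix is a useful contrast to the `UserContainer*` constants above it, which name variables exposed to the app container; keep that distinction whatever the final name is.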
25 changes: 13 additions & 12 deletions pkg/injector/patcher/sidecar.go
@@ -45,6 +45,7 @@ type SidecarConfig struct {
OperatorAddress string
SentryAddress string
RunAsNonRoot bool
EnableK8sDownwardAPIs bool
ReadOnlyRootFilesystem bool
SidecarDropALLCapabilities bool
DisableTokenVolume bool
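Review bot: `EnableK8sDownwardAPIs` sits in the injector-wide block of `SidecarConfig` (next to `RunAsNonRoot`, `ReadOnlyRootFilesystem`, `SidecarDropALLCapabilities`) rather than in the annotation-tagged block, so it is a cluster-scoped switch the operator sets via Helm and no workload can flip it with a `dapr.io/...` annotation. That is the right scope for something that changes the rendered sidecar spec, but the README row should say so; it currently reads like a per-sidecar option. A short doc comment on the field would also help, since none of the flags in this block carry one.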
@@ -62,25 +63,25 @@ type SidecarConfig struct {
Enabled bool `annotation:"dapr.io/enabled"`
AppPort int32 `annotation:"dapr.io/app-port"`
Config string `annotation:"dapr.io/config"`
AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"`
AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"`
AppSSL bool `annotation:"dapr.io/app-ssl"` // TODO: Deprecated in Dapr 1.11; remove in a future Dapr version
AppID string `annotation:"dapr.io/app-id"`
EnableProfiling bool `annotation:"dapr.io/enable-profiling"`
LogLevel string `annotation:"dapr.io/log-level" default:"info"`
LogLevel string `annotation:"dapr.io/log-level" default:"info"`
APITokenSecret string `annotation:"dapr.io/api-token-secret"`
AppTokenSecret string `annotation:"dapr.io/app-token-secret"`
LogAsJSON bool `annotation:"dapr.io/log-as-json"`
AppMaxConcurrency *int `annotation:"dapr.io/app-max-concurrency"`
EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"`
SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"`
EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"`
SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"`
EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"`
SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"`
EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"`
SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"`
Env string `annotation:"dapr.io/env"`
SidecarCPURequest string `annotation:"dapr.io/sidecar-cpu-request"`
SidecarCPULimit string `annotation:"dapr.io/sidecar-cpu-limit"`
SidecarMemoryRequest string `annotation:"dapr.io/sidecar-memory-request"`
SidecarMemoryLimit string `annotation:"dapr.io/sidecar-memory-limit"`
SidecarListenAddresses string `annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"`
SidecarListenAddresses string `annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"`
SidecarLivenessProbeDelaySeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-delay-seconds" default:"3"`
SidecarLivenessProbeTimeoutSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-timeout-seconds" default:"3"`
SidecarLivenessProbePeriodSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-period-seconds" default:"6"`
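Review bot: every line in this hunk (`AppProtocol`, `LogLevel`, `EnableMetrics` through `SidecarDebugPort`, `SidecarListenAddresses`) and in the next one (`GracefulShutdownSeconds`, `AppHealthCheckPath` through `AppHealthThreshold`) differs only in whitespace inside the struct-tag column; no annotation key, default or type changes, and the hunk header's `25`/`25` line counts confirm it. Since the PR adds no field to this annotated block, the realignment is unrelated churn: either drop it, or put it in its own formatting commit so `git blame` on the annotation defaults is not attributed to a feature PR.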
@@ -93,18 +94,18 @@ type SidecarConfig struct {
SidecarSeccompProfileType string `annotation:"dapr.io/sidecar-seccomp-profile-type"`
HTTPMaxRequestSize *int `annotation:"dapr.io/http-max-request-size"`
HTTPReadBufferSize *int `annotation:"dapr.io/http-read-buffer-size"`
GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"`
GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"`
BlockShutdownDuration *string `annotation:"dapr.io/block-shutdown-duration"`
EnableAPILogging *bool `annotation:"dapr.io/enable-api-logging"`
UnixDomainSocketPath string `annotation:"dapr.io/unix-domain-socket-path"`
VolumeMounts string `annotation:"dapr.io/volume-mounts"`
VolumeMountsRW string `annotation:"dapr.io/volume-mounts-rw"`
DisableBuiltinK8sSecretStore bool `annotation:"dapr.io/disable-builtin-k8s-secret-store"`
EnableAppHealthCheck bool `annotation:"dapr.io/enable-app-health-check"`
AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
PlacementAddress string `annotation:"dapr.io/placement-host-address"`
PluggableComponents string `annotation:"dapr.io/pluggable-components"`
PluggableComponentsSocketsFolder string `annotation:"dapr.io/pluggable-components-sockets-folder"`
69 changes: 41 additions & 28 deletions pkg/injector/patcher/sidecar_container.go
@@ -219,41 +219,54 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core

// Create the container object
probeHTTPHandler := getProbeHTTPHandler(c.SidecarPublicPort, injectorConsts.APIVersionV1, injectorConsts.SidecarHealthzPath)
env := []corev1.EnvVar{
{
Name: "NAMESPACE",
Value: c.Namespace,
},
{
Name: securityConsts.TrustAnchorsEnvVar,
Value: string(c.CurrentTrustAnchors),
},
{
Name: "POD_NAME",
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "metadata.name",
},
},
},
// TODO: @joshvanl: In v1.14, these two env vars should be moved to flags.
{
Name: securityConsts.ControlPlaneNamespaceEnvVar,
Value: c.ControlPlaneNamespace,
},
{
Name: securityConsts.ControlPlaneTrustDomainEnvVar,
Value: c.ControlPlaneTrustDomain,
},
}
if c.EnableK8sDownwardAPIs {
env = append(env,
corev1.EnvVar{
Name: injectorConsts.DaprContainerHostIP,
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "status.podIP",
},
},
},
)
}
container := &corev1.Container{
Name: injectorConsts.SidecarContainerName,
Image: c.SidecarImage,
ImagePullPolicy: c.ImagePullPolicy,
SecurityContext: securityContext,
Ports: ports,
Args: append(cmd, args...),
Env: []corev1.EnvVar{
{
Name: "NAMESPACE",
Value: c.Namespace,
},
{
Name: "POD_NAME",
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "metadata.name",
},
},
},
{
Name: securityConsts.TrustAnchorsEnvVar,
Value: string(c.CurrentTrustAnchors),
},
// TODO: @joshvanl: In v1.14, this two env vars should be moved to flags.
{
Name: securityConsts.ControlPlaneNamespaceEnvVar,
Value: c.ControlPlaneNamespace,
},
{
Name: securityConsts.ControlPlaneTrustDomainEnvVar,
Value: c.ControlPlaneTrustDomain,
},
},
VolumeMounts: opts.VolumeMounts,
Env: env,
VolumeMounts: opts.VolumeMounts,
ReadinessProbe: &corev1.Probe{
ProbeHandler: probeHTTPHandler,
InitialDelaySeconds: c.SidecarReadinessProbeDelaySeconds,
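Review bot: two things to check in the refactor. First, the base env list is reordered (`TrustAnchorsEnvVar` now precedes `POD_NAME`); daprd will not notice, but any test or golden fixture that compares the container's `Env` slice positionally will, and no test file appears in this diff. A case with `EnableK8sDownwardAPIs: true` asserting the `status.podIP` `fieldRef` is present, and one with `false` asserting it is absent, would cover both the ordering and the feature. Second, `SidecarConfig` also carries a workload-controlled `Env` annotation (`dapr.io/env`, in sidecar.go); confirm how a pod-supplied `DAPR_HOST_IP` interacts with the entry appended here when the flag is on, because Kubernetes lets a later duplicate `env` entry take effect, and the sidecar should not be fed a workload-chosen address under a name that looks kubelet-provided. The mechanism itself is sound: a `fieldRef` is resolved by the kubelet at container start, needs no RBAC and no API round-trip from the sidecar, and because the append is gated on the flag the rendered spec is unchanged for existing users. The TODO wording fix ("this two" to "these two") is welcome.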