Adds mtls.mountSentryVolume, extraVolumes, extraVolumeMounts He…

…lm Chart options (dapr#6895)

* Adds `mountSentryToken` helm chart option to disable mounting sentry
token

Signed-off-by: joshvanl <me@joshvanl.dev>

* Adds toggle to injector sentry token. Don't patch if not exist for pod

Signed-off-by: joshvanl <me@joshvanl.dev>

* Adds `global.extraVolumes` and `global.extraVolumeMounts` helm chart options

Signed-off-by: joshvanl <me@joshvanl.dev>

* Adds comment to extra volumes about them being used for sentry
authentication

Signed-off-by: joshvanl <me@joshvanl.dev>

* Separates extra volumes and volume mounts into separate components

Signed-off-by: joshvanl <me@joshvanl.dev>

* Fix injector volume indentation

Signed-off-by: joshvanl <me@joshvanl.dev>

* Updates helm chart README.md

Signed-off-by: joshvanl <me@joshvanl.dev>

---------

Signed-off-by: joshvanl <me@joshvanl.dev>
Co-authored-by: Mukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>

charts/dapr/README.md

@@ -90,6 +90,15 @@ The Helm chart has the follow configuration options that can be supplied:
 | `global.mtls.allowedClockSkew`            | Allowed clock skew for workload cert rotation                           | `15m`                   |
 | `global.mtls.controlPlaneTrustDomain `    | Trust domain for control plane                                          | `cluster.local`         |
 | `global.mtls.sentryAddress`               | Sentry address for control plane                                        | `dapr-sentry.{{ .ReleaseNamespace  }}.svc:443` |
+| `global.mtls.mountSentryToken`            | Gates whether the sentry bound service account token volume is mounted to control plane pods | `true` |
+| `global.extraVolumes.sentry`              | Array of extra volumes to make available to sentry pods                 | `[]`                    |
+| `global.extraVolumes.placement`           | Array of extra volumes to make available to placement pods              | `[]`                    |
+| `global.extraVolumes.operator`            | Array of extra volumes to make available to operator pods               | `[]`                    |
+| `global.extraVolumes.injector`            | Array of extra volumes to make available to sidecar injector pods       | `[]`                    |
+| `global.extraVolumeMounts.sentry`         | Array of extra volume mounts to make available to sentry pod containers           | `[]`          |
+| `global.extraVolumeMounts.placement`      | Array of extra volume mounts to make available to placement pod containers        | `[]`          |
+| `global.extraVolumeMounts.operator`       | Array of extra volume mounts to make available to operator pod containers         | `[]`          |
+| `global.extraVolumeMounts.injector`       | Array of extra volume mounts to make available to sidecar injector pod containers | `[]`          |
 | `global.dnsSuffix`                        | Kuberentes DNS suffix                                                   | `.cluster.local`        |
 | `global.daprControlPlaneOs`               | Operating System for Dapr control plane                                 | `linux`                 |
 | `global.daprControlPlaneArch`             | CPU Architecture for Dapr control plane                                 | `amd64`                 |

charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml

@@ -106,9 +106,14 @@ spec:
         - name: dapr-trust-bundle
           mountPath: /var/run/secrets/dapr.io/tls
           readOnly: true
+      {{- if .Values.global.mtls.mountSentryVolume }}
         - name: dapr-identity-token
           mountPath: /var/run/secrets/dapr.io/sentrytoken
           readOnly: true
+      {{- end }}
+      {{- with .Values.global.extraVolumeMounts.operator }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
         command:
 {{- if eq .Values.debug.enabled false }}
         - "/operator"
@@ -162,13 +167,18 @@ spec:
         - name: dapr-trust-bundle
           configMap:
             name: dapr-trust-bundle
+    {{- if .Values.global.mtls.mountSentryVolume }}
         - name: dapr-identity-token
           projected:
             sources:
             - serviceAccountToken:
                 path: token
                 expirationSeconds: 600
                 audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+    {{- end }}
+      {{- with .Values.global.extraVolumes.operator }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:

charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml

@@ -77,8 +77,13 @@ spec:
           - name: dapr-trust-bundle
             mountPath: /var/run/secrets/dapr.io/tls
             readOnly: true
+        {{- if .Values.global.mtls.mountSentryVolume }}
           - name: dapr-identity-token
             mountPath: /var/run/secrets/dapr.io/sentrytoken
+        {{- end }}
+        {{- with .Values.global.extraVolumeMounts.placement }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
 {{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
   {{- if eq .Values.cluster.forceInMemoryLog false }}
           - name: raft-log
@@ -184,13 +189,18 @@ spec:
       - name: dapr-trust-bundle
         configMap:
           name: dapr-trust-bundle
+    {{- if .Values.global.mtls.mountSentryVolume }}
       - name: dapr-identity-token
         projected:
           sources:
           - serviceAccountToken:
               path: token
               expirationSeconds: 600
               audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+    {{- end }}
+    {{- with .Values.global.extraVolumes.placement }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:

charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml

@@ -137,6 +137,9 @@ spec:
           - name: credentials
             mountPath: /var/run/secrets/dapr.io/credentials
             readOnly: true
+        {{- with .Values.global.extraVolumeMounts.sentry }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
 {{- if eq .Values.debug.enabled false }}
         - "/sentry"
@@ -185,6 +188,9 @@ spec:
         - name: credentials
           secret:
             secretName: dapr-trust-bundle
+      {{- with .Values.global.extraVolumes.sentry }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:

charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml

@@ -192,20 +192,30 @@ spec:
         - name: dapr-trust-bundle
           mountPath: /var/run/secrets/dapr.io/tls
           readOnly: true
+      {{- if .Values.global.mtls.mountSentryVolume }}
         - name: dapr-identity-token
           mountPath: /var/run/secrets/dapr.io/sentrytoken
           readOnly: true
+      {{- end }}
+      {{- with .Values.global.extraVolumeMounts.injector }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
       - name: dapr-trust-bundle
         configMap:
           name: dapr-trust-bundle
+    {{- if .Values.global.mtls.mountSentryVolume }}
       - name: dapr-identity-token
         projected:
           sources:
           - serviceAccountToken:
               path: token
               expirationSeconds: 600
               audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+    {{- end }}
+      {{- with .Values.global.extraVolumes.injector }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:

charts/dapr/values.yaml

@@ -39,8 +39,24 @@ global:
     workloadCertTTL: 24h
     allowedClockSkew: 15m
     controlPlaneTrustDomain: "cluster.local"
+    # If set to true, a bound service account token will be mounted and used to
+    # authenticate to Sentry.
+    mountSentryVolume: true
     # Used to override `dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443`
     #sentryAddress:
+  # extraVolumes and extraVolumeMounts are used to mount additional volumes to
+  # the Dapr control plane pods. Useful for using alternative authentication
+  # credentials to sentry.
+  extraVolumes: {}
+  #  sentry:
+  #  placement:
+  #  operator:
+  #  injector:
+  extraVolumeMounts: {}
+  #  sentry:
+  #  placement:
+  #  operator:
+  #  injector:
   actors:
     enabled: true
   daprControlPlaneOs: linux

pkg/injector/service/pod_patch.go

@@ -26,6 +26,7 @@ import (
 	scheme "github.com/dapr/dapr/pkg/client/clientset/versioned"
 	injectorConsts "github.com/dapr/dapr/pkg/injector/consts"
 	"github.com/dapr/dapr/pkg/injector/patcher"
+	"github.com/dapr/dapr/pkg/security/token"
 )
 
 const (
@@ -78,6 +79,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sidecar.CurrentTrustAnchors = trustAnchors
 	sidecar.CertChain = string(daprdCert)
 	sidecar.CertKey = string(daprdPrivateKey)
+	sidecar.DisableTokenVolume = !token.HasKubernetesToken()
 
 	// Set the placement address unless it's skipped
 	// Even if the placement is skipped, however,the placement address will still be included if explicitly set in the annotations

pkg/security/token/token.go

@@ -72,3 +72,15 @@ func GetSentryToken(allowKubernetes bool) (token string, validator sentryv1pb.Si
 
 	return "", sentryv1pb.SignCertificateRequest_UNKNOWN, nil
 }
+
+// HasKubernetesToken returns true if a Kubernetes token exists.
+func HasKubernetesToken() bool {
+	_, err := os.Stat(kubeTknPath)
+	if err != nil {
+		_, err = os.Stat(legacyKubeTknPath)
+		if err != nil {
+			return false
+		}
+	}
+	return true
+}