diff --git a/charts/dapr/README.md b/charts/dapr/README.md
index ce6e598d121..4a2010db393 100644
--- a/charts/dapr/README.md
+++ b/charts/dapr/README.md
@@ -90,6 +90,15 @@ The Helm chart has the follow configuration options that can be supplied:
 | `global.mtls.allowedClockSkew` | Allowed clock skew for workload cert rotation | `15m` |
 | `global.mtls.controlPlaneTrustDomain ` | Trust domain for control plane | `cluster.local` |
 | `global.mtls.sentryAddress` | Sentry address for control plane | `dapr-sentry.{{ .ReleaseNamespace }}.svc:443` |
+| `global.mtls.mountSentryToken` | Gates whether the sentry bound service account token volume is mounted to control plane pods | `true` |
+| `global.extraVolumes.sentry` | Array of extra volumes to make available to sentry pods | `[]` |
+| `global.extraVolumes.placement` | Array of extra volumes to make available to placement pods | `[]` |
+| `global.extraVolumes.operator` | Array of extra volumes to make available to operator pods | `[]` |
+| `global.extraVolumes.injector` | Array of extra volumes to make available to sidecar injector pods | `[]` |
+| `global.extraVolumeMounts.sentry` | Array of extra volume mounts to make available to sentry pod containers | `[]` |
+| `global.extraVolumeMounts.placement` | Array of extra volume mounts to make available to placement pod containers | `[]` |
+| `global.extraVolumeMounts.operator` | Array of extra volume mounts to make available to operator pod containers | `[]` |
+| `global.extraVolumeMounts.injector` | Array of extra volume mounts to make available to sidecar injector pod containers | `[]` |
 | `global.dnsSuffix` | Kuberentes DNS suffix | `.cluster.local` |
 | `global.daprControlPlaneOs` | Operating System for Dapr control plane | `linux` |
 | `global.daprControlPlaneArch` | CPU Architecture for Dapr control plane | `amd64` |
diff --git a/charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml b/charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
index 2f06e3e9902..35ca543206d 100644
--- a/charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
+++ b/charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml
@@ -106,9 +106,14 @@ spec:
 - name: dapr-trust-bundle
 mountPath: /var/run/secrets/dapr.io/tls
 readOnly: true
+ {{- if .Values.global.mtls.mountSentryVolume }}
 - name: dapr-identity-token
 mountPath: /var/run/secrets/dapr.io/sentrytoken
 readOnly: true
+ {{- end }}
+ {{- with .Values.global.extraVolumeMounts.operator }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 command:
 {{- if eq .Values.debug.enabled false }}
 - "/operator"
@@ -162,6 +167,7 @@ spec:
 - name: dapr-trust-bundle
 configMap:
 name: dapr-trust-bundle
+ {{- if .Values.global.mtls.mountSentryVolume }}
 - name: dapr-identity-token
 projected:
 sources:
@@ -169,6 +175,10 @@ spec:
 path: token
 expirationSeconds: 600
 audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+ {{- end }}
+ {{- with .Values.global.extraVolumes.operator }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml b/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
index 55d6c634204..87fb99040fc 100644
--- a/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
+++ b/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
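Review bot: None of the new value paths (`global.mtls.mountSentryVolume`, `global.extraVolumes.*`, `global.extraVolumeMounts.*`) is exercised by a rendered-template test, and the `nindent` widths chosen for the spliced user YAML differ per template (8/8 here, 10/6 in the placement statefulset, 10/8 in the sentry deployment, 8/6 in the sidecar injector); indentation is not recoverable from this view, so a width that does not match the enclosing list would only surface as an invalid manifest at install time. A `helm template` check that sets `mountSentryVolume: false` plus one entry under each of the eight extra keys and asserts the rendered `volumes`/`volumeMounts` lists is the cheap guard, and it covers the placement, sentry and injector hunks as well. Separately, with `mountSentryVolume: false` and nothing under `extraVolumes.operator`, the operator pod is rendered with no credential for Sentry at all; a `required`/`fail` on that combination, or at minimum a values comment stating it, would make the failure mode explicit rather than a runtime authentication error.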
@@ -77,8 +77,13 @@ spec:
 - name: dapr-trust-bundle
 mountPath: /var/run/secrets/dapr.io/tls
 readOnly: true
+ {{- if .Values.global.mtls.mountSentryVolume }}
 - name: dapr-identity-token
 mountPath: /var/run/secrets/dapr.io/sentrytoken
+ {{- end }}
+ {{- with .Values.global.extraVolumeMounts.placement }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- if or (eq .Values.global.ha.enabled true) (eq .Values.ha true) }}
 {{- if eq .Values.cluster.forceInMemoryLog false }}
 - name: raft-log
@@ -184,6 +189,7 @@ spec:
 - name: dapr-trust-bundle
 configMap:
 name: dapr-trust-bundle
+ {{- if .Values.global.mtls.mountSentryVolume }}
 - name: dapr-identity-token
 projected:
 sources:
@@ -191,6 +197,10 @@ spec:
 path: token
 expirationSeconds: 600
 audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry"
+ {{- end }}
+ {{- with .Values.global.extraVolumes.placement }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml b/charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
index 6ab201a624e..435ebdbeddf 100644
--- a/charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
+++ b/charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml
@@ -137,6 +137,9 @@ spec:
 - name: credentials
 mountPath: /var/run/secrets/dapr.io/credentials
 readOnly: true
+ {{- with .Values.global.extraVolumeMounts.sentry }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 command:
 {{- if eq .Values.debug.enabled false }}
 - "/sentry"
@@ -185,6 +188,9 @@ spec:
 - name: credentials
 secret:
 secretName: dapr-trust-bundle
+ {{- with .Values.global.extraVolumes.sentry }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
index 158d3ecf803..ee63bbc1e99 100644
--- a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
+++ b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
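Review bot: The `dapr-identity-token` mount that the new `{{- if .Values.global.mtls.mountSentryVolume }}` block wraps in the first placement hunk has no `readOnly: true`, while the same mount in the operator and sidecar injector templates (and the trust-bundle mount two lines above) does; adding `readOnly: true` after the `mountPath: /var/run/secrets/dapr.io/sentrytoken` line keeps the projected token read-only in the placement container as well. The mount itself is pre-existing context rather than part of this change, but since the block is being restructured here it is the natural place to align it with its siblings.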
diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml index 158d3ecf803..ee63bbc1e99 100644 --- a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml +++ b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml @@ -192,13 +192,19 @@ spec: - name: dapr-trust-bundle mountPath: /var/run/secrets/dapr.io/tls readOnly: true + {{- if .Values.global.mtls.mountSentryVolume }} - name: dapr-identity-token mountPath: /var/run/secrets/dapr.io/sentrytoken readOnly: true + {{- end }} + {{- with .Values.global.extraVolumeMounts.injector }} + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: dapr-trust-bundle configMap: name: dapr-trust-bundle + {{- if .Values.global.mtls.mountSentryVolume }} - name: dapr-identity-token projected: sources: @@ -206,6 +212,10 @@ spec: path: token expirationSeconds: 600 audience: "spiffe://{{ .Values.global.mtls.controlPlaneTrustDomain }}/ns/{{ .Release.Namespace }}/dapr-sentry" + {{- end }} + {{- with .Values.global.extraVolumes.injector }} + {{- toYaml . | nindent 6 }} + {{- end }} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/charts/dapr/values.yaml b/charts/dapr/values.yaml index 88f09311bcc..829f88cc9d1 100644 --- a/charts/dapr/values.yaml +++ b/charts/dapr/values.yaml 
@@ -39,8 +39,24 @@ global:
 workloadCertTTL: 24h
 allowedClockSkew: 15m
 controlPlaneTrustDomain: "cluster.local"
+ # If set to true, a bound service account token will be mounted and used to
+ # authenticate to Sentry.
+ mountSentryVolume: true
 # Used to override `dapr-sentry.{{ .Release.Namespace }}.svc.cluster.local:443`
 #sentryAddress:
+ # extraVolumes and extraVolumeMounts are used to mount additional volumes to
+ # the Dapr control plane pods. Useful for using alternative authentication
+ # credentials to sentry.
+ extraVolumes: {}
+ # sentry:
+ # placement:
+ # operator:
+ # injector:
+ extraVolumeMounts: {}
+ # sentry:
+ # placement:
+ # operator:
+ # injector:
 actors:
 enabled: true
 daprControlPlaneOs: linux
diff --git a/pkg/injector/service/pod_patch.go b/pkg/injector/service/pod_patch.go
index 74d9552b410..d8fa6264713 100644
--- a/pkg/injector/service/pod_patch.go
+++ b/pkg/injector/service/pod_patch.go
@@ -26,6 +26,7 @@ import (
 scheme "github.com/dapr/dapr/pkg/client/clientset/versioned"
 injectorConsts "github.com/dapr/dapr/pkg/injector/consts"
 "github.com/dapr/dapr/pkg/injector/patcher"
+ "github.com/dapr/dapr/pkg/security/token"
 )
 
 const (
@@ -78,6 +79,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 sidecar.CurrentTrustAnchors = trustAnchors
 sidecar.CertChain = string(daprdCert)
 sidecar.CertKey = string(daprdPrivateKey)
+ sidecar.DisableTokenVolume = !token.HasKubernetesToken()
 
 // Set the placement address unless it's skipped
 // Even if the placement is skipped, however,the placement address will still be included if explicitly set in the annotations
diff --git a/pkg/security/token/token.go b/pkg/security/token/token.go
index 7c10128d244..a979b7cca91 100644
--- a/pkg/security/token/token.go
+++ b/pkg/security/token/token.go
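Review bot: The key documented in the README hunk is `global.mtls.mountSentryToken`, but the value declared here and read by all four templates is `global.mtls.mountSentryVolume`; a user who follows the README sets a key nothing reads, and the token stays mounted with no warning. Align the README row to `mountSentryVolume` (or rename the value), and extend the comment on the switch along the lines of `# If false, a credential for Sentry must be supplied via extraVolumes/extraVolumeMounts; otherwise the control plane pods cannot authenticate.` so the consequence is stated next to the setting. The README also lists `[]` as the per-component default while `extraVolumes` and `extraVolumeMounts` are declared as `{}` here; the templates use `with`, so both render identically, but the documentation should match the declaration.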
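Review bot: `sidecar.DisableTokenVolume = !token.HasKubernetesToken()` performs up to two `os.Stat` calls on every admission review, and the answer describes the injector's own pod filesystem, which does not change between requests; evaluating it once at injector start-up and storing it on `i` (for example `i.disableTokenVolume`) removes the per-request syscalls. Because `HasKubernetesToken` (added in the token.go hunk) maps any stat error to false, a transient or permission error in the injector pod would silently omit the token volume from every sidecar patched during that window; logging the reason once when the flag is false would make that diagnosable. `getPodPatchOperations` begins and ends outside this hunk.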
@@ -72,3 +72,15 @@ func GetSentryToken(allowKubernetes bool) (token string, validator sentryv1pb.Si
 
 return "", sentryv1pb.SignCertificateRequest_UNKNOWN, nil
 }
+
+// HasKubernetesToken returns true if a Kubernetes token exists.
+func HasKubernetesToken() bool {
+ _, err := os.Stat(kubeTknPath)
+ if err != nil {
+ _, err = os.Stat(legacyKubeTknPath)
+ if err != nil {
+ return false
+ }
+ }
+ return true
+}
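Review bot: `HasKubernetesToken` accepts any successful `os.Stat` as proof of a token, so a directory at `kubeTknPath` (an empty projected-volume mount point) satisfies it, and it folds every failure, not just `fs.ErrNotExist`, into false, so callers cannot distinguish "not mounted" from "not readable". Requiring a regular file and iterating both candidate paths keeps the boolean contract while tightening what counts as present; the doc comment should also name the two paths consulted, e.g. `// HasKubernetesToken reports whether a Kubernetes service account token file is present at kubeTknPath or legacyKubeTknPath.`
```go
// HasKubernetesToken reports whether a Kubernetes service account token file
// is present at kubeTknPath or, failing that, legacyKubeTknPath.
func HasKubernetesToken() bool {
	for _, p := range []string{kubeTknPath, legacyKubeTknPath} {
		// Only a regular file counts: an empty mount point (a directory) is
		// not a token, and any stat error is treated as "no token".
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() {
			return true
		}
	}
	return false
}
```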