Commit
Injector: add option to add DAPR_HOST_IP env var to daprd (dapr#7511)
The `DAPR_HOST_IP` env var is used in various places in Dapr for a sidecar to know its own IP address, for example for service invocation or actor invocation.

When using the Dapr injector to add the daprd container, we can use the downstream APIs to add the `DAPR_HOST_IP` env var based on data from the controller.

This option can be enabled by setting the Helm option `dapr_sidecar_injector.enableK8sDownwardAPIs=true`.

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
ItalyPaleAle authored Feb 8, 2024
1 parent b103e4e commit 3b4de9d
Showing 9 changed files with 83 additions and 80 deletions.
9 changes: 5 additions & 4 deletions charts/dapr/README.md
Original file line number Diff line number Diff line change
@@ -194,10 +194,11 @@ The Helm chart has the follow configuration options that can be supplied:
| `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`|
| `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` |
| `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
| `dapr_sidecar_injector.enableK8sDownwardAPIs` | When set to true, uses the Kubernetes downward projection APIs to inject certain environmental variables (such as pod IP) into the daprd container. (default: `false`) | `true` |
| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |
| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` |
| `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` |
| `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
| `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
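Review bot: the new `dapr_sidecar_injector.enableK8sDownwardAPIs` row is internally inconsistent: its description ends with `(default: \`false\`)` and values.yaml in this commit sets `enableK8sDownwardAPIs: false`, yet the default column reads `true`. Change the last cell to `false` and drop the parenthetical, since the table already has a default column. Two pre-existing problems in the same block are worth fixing while it is being touched: `valus` in the `sidecarDropALLCapabilities` row is a typo for `value`, and the `sidecarRunAsNonRoot` row says the injected sidecars get `runAsRoot: true`, which reads as the opposite of the option name and presumably should be `runAsNonRoot: true`.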
@@ -150,6 +150,8 @@ spec:
# Configuration for injected sidecars
- name: SIDECAR_RUN_AS_NON_ROOT
value: {{ .Values.sidecarRunAsNonRoot | toString | toYaml }}
- name: ENABLE_K8S_DOWNWARD_APIS
value: {{ .Values.enableK8sDownwardAPIs | toString | toYaml }}
- name: SIDECAR_DROP_ALL_CAPABILITIES
value: {{ .Values.sidecarDropALLCapabilities | toString | toYaml }}
- name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM
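Review bot: `ENABLE_K8S_DOWNWARD_APIS` follows the same `toString | toYaml` rendering as `SIDECAR_RUN_AS_NON_ROOT`, so the container sees the quoted string `"false"` or `"true"` rather than a bare boolean. The injector-side code that parses this variable into `SidecarConfig.EnableK8sDownwardAPIs` is not among the hunks shown here; confirm it goes through the same string-to-bool path as the neighbouring `SIDECAR_*` settings so an unparsable value fails loudly instead of silently leaving the feature off.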
1 change: 1 addition & 0 deletions charts/dapr/charts/dapr_sidecar_injector/values.yaml
@@ -29,6 +29,7 @@ runAsNonRoot: true
sidecarRunAsNonRoot: true
sidecarReadOnlyRootFilesystem: true
sidecarDropALLCapabilities: false
enableK8sDownwardAPIs: false
allowedServiceAccounts: ""
allowedServiceAccountsPrefixNames: ""
resources: {}
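Review bot: defaulting `enableK8sDownwardAPIs` to `false` keeps existing installs unchanged, which is the right choice for an opt-in feature, but values.yaml has no comment explaining what the key does. A one-line comment above it (that it projects the pod IP from the downward API into `DAPR_HOST_IP` in the daprd container) would spare operators a trip to the README, which is currently the only place the option is described.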
1 change: 1 addition & 0 deletions pkg/injector/consts/consts.go
@@ -37,6 +37,7 @@ const (
UserContainerAppProtocolName = "APP_PROTOCOL" // Name of the variable exposed to the app containing the app protocol.
UserContainerDaprHTTPPortName = "DAPR_HTTP_PORT" // Name of the variable exposed to the app containing the Dapr HTTP port.
UserContainerDaprGRPCPortName = "DAPR_GRPC_PORT" // Name of the variable exposed to the app containing the Dapr gRPC port.
DaprContainerHostIP = "DAPR_HOST_IP" // Name of the variable injected in the daprd container containing the pod's IP
TokenVolumeKubernetesMountPath = "/var/run/secrets/dapr.io/sentrytoken" /* #nosec */ // Mount path for the Kubernetes service account volume with the sentry token.
TokenVolumeName = "dapr-identity-token" /* #nosec */ // Name of the volume with the service account token for daprd.
ComponentsUDSVolumeName = "dapr-components-unix-domain-socket" // Name of the Unix domain socket volume for components.
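Review bot: the trailing comment on `DaprContainerHostIP` is the only one in this block without a terminating period; match the surrounding lines. The `DaprContainer` prefix is a useful distinction from the `UserContainer*` names above it (which describe variables exposed to the application container), so it is worth keeping that naming split for any further sidecar-only variables.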
25 changes: 13 additions & 12 deletions pkg/injector/patcher/sidecar.go
@@ -45,6 +45,7 @@ type SidecarConfig struct {
OperatorAddress string
SentryAddress string
RunAsNonRoot bool
EnableK8sDownwardAPIs bool
ReadOnlyRootFilesystem bool
SidecarDropALLCapabilities bool
DisableTokenVolume bool
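Review bot: `EnableK8sDownwardAPIs` is added without a doc comment. The neighbouring fields are equally bare, so this is consistent, but since this flag changes what pod metadata the sidecar is handed (`status.podIP`), a short comment tying it to the `ENABLE_K8S_DOWNWARD_APIS` injector setting would help whoever next reads this struct.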
Expand All @@ -62,25 +63,25 @@ type SidecarConfig struct {
Enabled bool `annotation:"dapr.io/enabled"`
AppPort int32 `annotation:"dapr.io/app-port"`
Config string `annotation:"dapr.io/config"`
AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"`
AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"`
AppSSL bool `annotation:"dapr.io/app-ssl"` // TODO: Deprecated in Dapr 1.11; remove in a future Dapr version
AppID string `annotation:"dapr.io/app-id"`
EnableProfiling bool `annotation:"dapr.io/enable-profiling"`
LogLevel string `annotation:"dapr.io/log-level" default:"info"`
LogLevel string `annotation:"dapr.io/log-level" default:"info"`
APITokenSecret string `annotation:"dapr.io/api-token-secret"`
AppTokenSecret string `annotation:"dapr.io/app-token-secret"`
LogAsJSON bool `annotation:"dapr.io/log-as-json"`
AppMaxConcurrency *int `annotation:"dapr.io/app-max-concurrency"`
EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"`
SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"`
EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"`
SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"`
EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"`
SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"`
EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"`
SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"`
Env string `annotation:"dapr.io/env"`
SidecarCPURequest string `annotation:"dapr.io/sidecar-cpu-request"`
SidecarCPULimit string `annotation:"dapr.io/sidecar-cpu-limit"`
SidecarMemoryRequest string `annotation:"dapr.io/sidecar-memory-request"`
SidecarMemoryLimit string `annotation:"dapr.io/sidecar-memory-limit"`
SidecarListenAddresses string `annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"`
SidecarListenAddresses string `annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"`
SidecarLivenessProbeDelaySeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-delay-seconds" default:"3"`
SidecarLivenessProbeTimeoutSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-timeout-seconds" default:"3"`
SidecarLivenessProbePeriodSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-period-seconds" default:"6"`
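Review bot: every changed line in this hunk (`AppProtocol`, `LogLevel`, the `EnableMetrics` to `SidecarDebugPort` group, `SidecarListenAddresses`) is a whitespace-only realignment of the struct tags; no annotation name or default changes. Such gofmt churn is easier to review in its own commit, and reviewers should diff this file with whitespace ignored to confirm nothing else moved.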
Expand All @@ -93,18 +94,18 @@ type SidecarConfig struct {
SidecarSeccompProfileType string `annotation:"dapr.io/sidecar-seccomp-profile-type"`
HTTPMaxRequestSize *int `annotation:"dapr.io/http-max-request-size"`
HTTPReadBufferSize *int `annotation:"dapr.io/http-read-buffer-size"`
GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"`
GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"`
BlockShutdownDuration *string `annotation:"dapr.io/block-shutdown-duration"`
EnableAPILogging *bool `annotation:"dapr.io/enable-api-logging"`
UnixDomainSocketPath string `annotation:"dapr.io/unix-domain-socket-path"`
VolumeMounts string `annotation:"dapr.io/volume-mounts"`
VolumeMountsRW string `annotation:"dapr.io/volume-mounts-rw"`
DisableBuiltinK8sSecretStore bool `annotation:"dapr.io/disable-builtin-k8s-secret-store"`
EnableAppHealthCheck bool `annotation:"dapr.io/enable-app-health-check"`
AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
PlacementAddress string `annotation:"dapr.io/placement-host-address"`
PluggableComponents string `annotation:"dapr.io/pluggable-components"`
PluggableComponentsSocketsFolder string `annotation:"dapr.io/pluggable-components-sockets-folder"`
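Review bot: same as the previous hunk: `GracefulShutdownSeconds` and the four `AppHealth*` lines are realigned only, with the `default:` values (`-1`, `/healthz`, `5`, `500`, `3`) unchanged. Nothing to act on beyond the suggestion to keep formatting-only churn out of a functional commit.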
69 changes: 41 additions & 28 deletions pkg/injector/patcher/sidecar_container.go
@@ -219,41 +219,54 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core

// Create the container object
probeHTTPHandler := getProbeHTTPHandler(c.SidecarPublicPort, injectorConsts.APIVersionV1, injectorConsts.SidecarHealthzPath)
env := []corev1.EnvVar{
{
Name: "NAMESPACE",
Value: c.Namespace,
},
{
Name: securityConsts.TrustAnchorsEnvVar,
Value: string(c.CurrentTrustAnchors),
},
{
Name: "POD_NAME",
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "metadata.name",
},
},
},
// TODO: @joshvanl: In v1.14, these two env vars should be moved to flags.
{
Name: securityConsts.ControlPlaneNamespaceEnvVar,
Value: c.ControlPlaneNamespace,
},
{
Name: securityConsts.ControlPlaneTrustDomainEnvVar,
Value: c.ControlPlaneTrustDomain,
},
}
if c.EnableK8sDownwardAPIs {
env = append(env,
corev1.EnvVar{
Name: injectorConsts.DaprContainerHostIP,
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "status.podIP",
},
},
},
)
}
container := &corev1.Container{
Name: injectorConsts.SidecarContainerName,
Image: c.SidecarImage,
ImagePullPolicy: c.ImagePullPolicy,
SecurityContext: securityContext,
Ports: ports,
Args: append(cmd, args...),
Env: []corev1.EnvVar{
{
Name: "NAMESPACE",
Value: c.Namespace,
},
{
Name: "POD_NAME",
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "metadata.name",
},
},
},
{
Name: securityConsts.TrustAnchorsEnvVar,
Value: string(c.CurrentTrustAnchors),
},
// TODO: @joshvanl: In v1.14, this two env vars should be moved to flags.
{
Name: securityConsts.ControlPlaneNamespaceEnvVar,
Value: c.ControlPlaneNamespace,
},
{
Name: securityConsts.ControlPlaneTrustDomainEnvVar,
Value: c.ControlPlaneTrustDomain,
},
},
VolumeMounts: opts.VolumeMounts,
Env: env,
VolumeMounts: opts.VolumeMounts,
ReadinessProbe: &corev1.Probe{
ProbeHandler: probeHTTPHandler,
InitialDelaySeconds: c.SidecarReadinessProbeDelaySeconds,
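Review bot: two things to check before merging. First, the `env` slice is built before the `dapr.io/env` annotation (the `Env` field in sidecar.go) is merged in, and that merge is not visible in this hunk; if an operator also sets `DAPR_HOST_IP` through the annotation, the container ends up with two entries of the same name and which one daprd sees depends on merge order, so a unit test that sets both and asserts on the final `Env` would pin the behaviour. Second, the rewrite reorders the existing variables (`securityConsts.TrustAnchorsEnvVar` now precedes `POD_NAME`); that is functionally harmless but changes the rendered container spec, which will show up in any golden-file or snapshot tests of the injected pod. The downward-API projection itself is fine: `status.podIP` is read-only pod metadata resolved by the kubelet at container start, and gating it behind `c.EnableK8sDownwardAPIs` keeps the default pod spec unchanged. Nice catch fixing "this two env vars" to "these two" in the TODO.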

0 comments on commit 3b4de9d