Allow disabling Placement and Actors in Helm chart (dapr#6237)

Fixes dapr#6173 Signed-off-by: ItalyPaleAle <[email protected]> Co-authored-by: Mukundan Sundararajan <[email protected]> Co-authored-by: Artur Souza <[email protected]>
TheLandGame · Apr 20, 2023 · 94c6229 · 94c6229
1 parent ffdb394
commit 94c6229
Show file tree

Hide file tree

Showing 10 changed files with 168 additions and 1 deletion.
diff --git a/charts/dapr/README.md b/charts/dapr/README.md
@@ -98,6 +98,7 @@ The Helm chart has the follow configuration options that can be supplied:
 | `global.issuerFilenames.ca`               | Custom name of the file containing the root CA certificate inside the container    | `ca.crt`     |
 | `global.issuerFilenames.cert`             | Custom name of the file containing the leaf certificate inside the container       | `issuer.crt` |
 | `global.issuerFilenames.key`              | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
+| `global.actors.enabled`                   | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true`                  |
 | `global.rbac.namespaced`                  | Removes cluster wide permissions where applicable  | `false` |
 | `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts         | `false` |
 

diff --git a/charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml b/charts/dapr/charts/dapr_placement/templates/dapr_placement_poddisruptionbudget.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.global.ha.enabled true }}
+{{- if and (eq .Values.global.ha.enabled true) (eq .Values.global.actors.enabled true) }}
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}

diff --git a/charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml b/charts/dapr/charts/dapr_placement/templates/dapr_placement_service.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.global.actors.enabled true }}
 kind: Service
 apiVersion: v1
 metadata:
@@ -19,3 +20,4 @@ spec:
   - name: raft-node
     port: {{ .Values.ports.raftRPCPort }}
   clusterIP: None
+{{- end }}
diff --git a/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml b/charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.global.actors.enabled true }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -228,3 +229,4 @@ spec:
     {{- end }}
   {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -144,6 +144,10 @@ spec:
 {{- if .Values.ignoreEntrypointTolerations }}
         - name: IGNORE_ENTRYPOINT_TOLERATIONS
           value: "{{ .Values.ignoreEntrypointTolerations }}"
+{{- end }}
+{{- if not .Values.global.actors.enabled }}
+        - name: SKIP_PLACEMENT
+          value: "true"
 {{- end }}
         - name: SIDECAR_RUN_AS_NON_ROOT
           value: "{{ .Values.sidecarRunAsNonRoot }}"

diff --git a/charts/dapr/values.yaml b/charts/dapr/values.yaml
@@ -22,6 +22,8 @@ global:
     enabled: true
     workloadCertTTL: 24h
     allowedClockSkew: 15m
+  actors:
+    enabled: true
   daprControlPlaneOs: linux
   labels: {}
   k8sLabels:

diff --git a/pkg/injector/config.go b/pkg/injector/config.go
@@ -33,6 +33,7 @@ type Config struct {
 	AllowedServiceAccounts            string `envconfig:"ALLOWED_SERVICE_ACCOUNTS"`
 	AllowedServiceAccountsPrefixNames string `envconfig:"ALLOWED_SERVICE_ACCOUNTS_PREFIX_NAMES"`
 	IgnoreEntrypointTolerations       string `envconfig:"IGNORE_ENTRYPOINT_TOLERATIONS"`
+	SkipPlacement                     string `envconfig:"SKIP_PLACEMENT"`
 	RunAsNonRoot                      string `envconfig:"SIDECAR_RUN_AS_NON_ROOT"`
 	ReadOnlyRootFilesystem            string `envconfig:"SIDECAR_READ_ONLY_ROOT_FILESYSTEM"`
 	SidecarDropALLCapabilities        string `envconfig:"SIDECAR_DROP_ALL_CAPABILITIES"`
@@ -112,6 +113,11 @@ func (c *Config) GetDropCapabilities() bool {
 	return utils.IsTruthy(c.SidecarDropALLCapabilities)
 }
 
+func (c *Config) GetSkipPlacement() bool {
+	// Default is false if empty
+	return utils.IsTruthy(c.SkipPlacement)
+}
+
 func (c *Config) parseTolerationsJSON() {
 	if c.IgnoreEntrypointTolerations == "" {
 		return

diff --git a/pkg/injector/pod_patch.go b/pkg/injector/pod_patch.go
@@ -116,6 +116,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *v1.AdmissionRe
 		TrustAnchors:                 trustAnchors,
 		VolumeMounts:                 volumeMounts,
 		ComponentsSocketsVolumeMount: componentsSocketVolumeMount,
+		SkipPlacement:                i.config.GetSkipPlacement(),
 		RunAsNonRoot:                 i.config.GetRunAsNonRoot(),
 		ReadOnlyRootFilesystem:       i.config.GetReadOnlyRootFilesystem(),
 		SidecarDropALLCapabilities:   i.config.GetDropCapabilities(),

diff --git a/pkg/injector/sidecar/container.go b/pkg/injector/sidecar/container.go
@@ -51,6 +51,7 @@ type ContainerConfig struct {
 	TrustAnchors                 string
 	VolumeMounts                 []corev1.VolumeMount
 	ComponentsSocketsVolumeMount *corev1.VolumeMount
+	SkipPlacement                bool
 	RunAsNonRoot                 bool
 	ReadOnlyRootFilesystem       bool
 	SidecarDropALLCapabilities   bool
@@ -97,8 +98,11 @@ func GetSidecarContainer(cfg ContainerConfig) (*corev1.Container, error) {
 		log.Warn(err)
 	}
 
+	// We still include PlacementServiceAddress if explicitly set as annotation
 	if cfg.Annotations.Exist(annotations.KeyPlacementHostAddresses) {
 		cfg.PlacementServiceAddress = cfg.Annotations.GetString(annotations.KeyPlacementHostAddresses)
+	} else if cfg.SkipPlacement {
+		cfg.PlacementServiceAddress = ""
 	}
 
 	ports := []corev1.ContainerPort{

diff --git a/pkg/injector/sidecar/container_test.go b/pkg/injector/sidecar/container_test.go
@@ -338,6 +338,151 @@ func TestGetSidecarContainer(t *testing.T) {
 		assert.Equal(t, corev1.PullAlways, container.ImagePullPolicy)
 	})
 
+	t.Run("get sidecar container with SkipPlacement=true", func(t *testing.T) {
+		an := map[string]string{}
+		an[annotations.KeyConfig] = defaultTestConfig
+		an[annotations.KeyAppPort] = "5000"
+		an[annotations.KeyLogAsJSON] = "true"
+		an[annotations.KeyAPITokenSecret] = defaultAPITokenSecret
+		an[annotations.KeyAppTokenSecret] = defaultAppTokenSecret
+		an[annotations.KeyEnableDebug] = "true"
+
+		container, _ := GetSidecarContainer(ContainerConfig{
+			AppID:                   "app_id",
+			Annotations:             an,
+			DaprSidecarImage:        "daprio/dapr",
+			ImagePullPolicy:         "Always",
+			Namespace:               "dapr-system",
+			ControlPlaneAddress:     "controlplane:9000",
+			PlacementServiceAddress: "placement:50000",
+			SentryAddress:           "sentry:50000",
+			MTLSEnabled:             true,
+			Identity:                "pod_identity",
+			SkipPlacement:           true,
+		})
+
+		expectedArgs := []string{
+			"/dlv",
+			"--listen=:40000",
+			"--accept-multiclient",
+			"--headless=true",
+			"--log",
+			"--api-version=2",
+			"exec",
+			"/daprd",
+			"--",
+			"--mode", "kubernetes",
+			"--dapr-http-port", "3500",
+			"--dapr-grpc-port", "50001",
+			"--dapr-internal-grpc-port", "50002",
+			"--dapr-listen-addresses", "[::1],127.0.0.1",
+			"--dapr-public-port", "3501",
+			"--app-port", "5000",
+			"--app-id", "app_id",
+			"--control-plane-address", "controlplane:9000",
+			"--app-protocol", "http",
+			"--placement-host-address", "",
+			"--config", defaultTestConfig,
+			"--log-level", "info",
+			"--app-max-concurrency", "-1",
+			"--sentry-address", "sentry:50000",
+			"--enable-metrics=true",
+			"--metrics-port", "9090",
+			"--dapr-http-max-request-size", "-1",
+			"--dapr-http-read-buffer-size", "-1",
+			"--dapr-graceful-shutdown-seconds", "-1",
+			"--disable-builtin-k8s-secret-store=false",
+			"--log-as-json",
+			"--enable-mtls",
+		}
+
+		// Command should be empty, image's entrypoint to be used.
+		assert.Equal(t, 0, len(container.Command))
+		// NAMESPACE
+		assert.Equal(t, "dapr-system", container.Env[0].Value)
+		// DAPR_API_TOKEN
+		assert.Equal(t, defaultAPITokenSecret, container.Env[6].ValueFrom.SecretKeyRef.Name)
+		// DAPR_APP_TOKEN
+		assert.Equal(t, defaultAppTokenSecret, container.Env[7].ValueFrom.SecretKeyRef.Name)
+		// default image
+		assert.Equal(t, "daprio/dapr", container.Image)
+		assert.EqualValues(t, expectedArgs, container.Args)
+		assert.Equal(t, corev1.PullAlways, container.ImagePullPolicy)
+	})
+
+	t.Run("get sidecar container with SkipPlacement=true and explicit placement address annotation", func(t *testing.T) {
+		an := map[string]string{}
+		an[annotations.KeyConfig] = defaultTestConfig
+		an[annotations.KeyAppPort] = "5000"
+		an[annotations.KeyLogAsJSON] = "true"
+		an[annotations.KeyAPITokenSecret] = defaultAPITokenSecret
+		an[annotations.KeyAppTokenSecret] = defaultAppTokenSecret
+		an[annotations.KeyEnableDebug] = "true"
+		an[annotations.KeyPlacementHostAddresses] = "some-host:50000"
+
+		container, _ := GetSidecarContainer(ContainerConfig{
+			AppID:                   "app_id",
+			Annotations:             an,
+			DaprSidecarImage:        "daprio/dapr",
+			ImagePullPolicy:         "Always",
+			Namespace:               "dapr-system",
+			ControlPlaneAddress:     "controlplane:9000",
+			PlacementServiceAddress: "placement:50000",
+			SentryAddress:           "sentry:50000",
+			MTLSEnabled:             true,
+			Identity:                "pod_identity",
+			SkipPlacement:           true,
+		})
+
+		expectedArgs := []string{
+			"/dlv",
+			"--listen=:40000",
+			"--accept-multiclient",
+			"--headless=true",
+			"--log",
+			"--api-version=2",
+			"exec",
+			"/daprd",
+			"--",
+			"--mode", "kubernetes",
+			"--dapr-http-port", "3500",
+			"--dapr-grpc-port", "50001",
+			"--dapr-internal-grpc-port", "50002",
+			"--dapr-listen-addresses", "[::1],127.0.0.1",
+			"--dapr-public-port", "3501",
+			"--app-port", "5000",
+			"--app-id", "app_id",
+			"--control-plane-address", "controlplane:9000",
+			"--app-protocol", "http",
+			"--placement-host-address", "some-host:50000",
+			"--config", defaultTestConfig,
+			"--log-level", "info",
+			"--app-max-concurrency", "-1",
+			"--sentry-address", "sentry:50000",
+			"--enable-metrics=true",
+			"--metrics-port", "9090",
+			"--dapr-http-max-request-size", "-1",
+			"--dapr-http-read-buffer-size", "-1",
+			"--dapr-graceful-shutdown-seconds", "-1",
+			"--disable-builtin-k8s-secret-store=false",
+			"--log-as-json",
+			"--enable-mtls",
+		}
+
+		// Command should be empty, image's entrypoint to be used.
+		assert.Equal(t, 0, len(container.Command))
+		// NAMESPACE
+		assert.Equal(t, "dapr-system", container.Env[0].Value)
+		// DAPR_API_TOKEN
+		assert.Equal(t, defaultAPITokenSecret, container.Env[6].ValueFrom.SecretKeyRef.Name)
+		// DAPR_APP_TOKEN
+		assert.Equal(t, defaultAppTokenSecret, container.Env[7].ValueFrom.SecretKeyRef.Name)
+		// default image
+		assert.Equal(t, "daprio/dapr", container.Image)
+		assert.EqualValues(t, expectedArgs, container.Args)
+		assert.Equal(t, corev1.PullAlways, container.ImagePullPolicy)
+	})
+
 	t.Run("get sidecar container override listen address", func(t *testing.T) {
 		an := map[string]string{}
 		an[annotations.KeyConfig] = defaultTestConfig