Fixes in control plane services CLI flags (#6925)

- Removed flags that are deprecated and have no effect
- Remove `tokenAudience` flag from Helm chart since it's now unused
- Fixed description of some flags
- Use constants for default trust anchors file path

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com>
Co-authored-by: Mukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>

charts/dapr/README.md

@@ -167,7 +167,6 @@ The Helm chart has the follow configuration options that can be supplied:
 | `dapr_sentry.tls.issuer.certPEM`    | Issuer Certificate cert                                                                                                                                 | `""`                    |
 | `dapr_sentry.tls.issuer.keyPEM`     | Issuer Private Key cert                                                                                                                                 | `""`                    |
 | `dapr_sentry.tls.root.certPEM`      | Root Certificate cert                                                                                                                                   | `""`                    |
-| `dapr_sentry.tokenAudience`         | Expected audience for tokens; multiple values can be separated by a comma. Defaults to the audience expected by the Kubernetes control plane if not set | `""` |
 | `dapr_sentry.runAsNonRoot`          | Boolean value for `securityContext.runAsNonRoot`. You may have to set this to `false` when running in Minikube                                          | `true` |
 | `dapr_sentry.resources`             | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty       | `{}` |
 | `dapr_sentry.debug.enabled`         | Boolean value for enabling debug mode                                                                                                                   | `{}` |

charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml

@@ -172,10 +172,6 @@ spec:
 {{- end }}
         - "--trust-domain"
         - {{ .Values.global.mtls.controlPlaneTrustDomain }}
-{{- if .Values.tokenAudience }}
-        - "--token-audience"
-        - {{ .Values.tokenAudience }}
-{{- end }}
 {{- with .Values.global.issuerFilenames }}
         - "--issuer-ca-filename"
         - "{{ .ca }}"

charts/dapr/charts/dapr_sentry/values.yaml

@@ -11,8 +11,6 @@ image:
 nameOverride: ""
 fullnameOverride: ""
 
-tokenAudience: ""
-
 deploymentAnnotations: {}
 
 service:

cmd/operator/options/options.go

@@ -21,6 +21,7 @@ import (
 	"k8s.io/klog"
 
 	"github.com/dapr/dapr/pkg/metrics"
+	securityConsts "github.com/dapr/dapr/pkg/security/consts"
 	"github.com/dapr/kit/logger"
 )
 
@@ -72,12 +73,7 @@ func New() *Options {
 	flag.BoolVar(&opts.EnableArgoRolloutServiceReconciler, "enable-argo-rollout-service-reconciler", false, "Enable the service reconciler for Dapr-enabled Argo Rollouts")
 	flag.BoolVar(&opts.WatchdogCanPatchPodLabels, "watchdog-can-patch-pod-labels", false, "Allow watchdog to patch pod labels to set pods with sidecar present")
 
-	flag.StringVar(&opts.TrustAnchorsFile, "trust-anchors-file", "/var/run/secrets/dapr.io/tls/ca.crt", "Path to trust anchors file")
-
-	depCCP := flag.String("certchain", "", "DEPRECATED")
-	depRCF := flag.String("issuer-ca-filename", "", "DEPRECATED")
-	depICF := flag.String("issuer-certificate-filename", "", "DEPRECATED")
-	depIKF := flag.String("issuer-key-filename", "", "DEPRECATED")
+	flag.StringVar(&opts.TrustAnchorsFile, "trust-anchors-file", securityConsts.ControlPlaneDefaultTrustAnchorsPath, "Filepath to the trust anchors for the Dapr control plane")
 
 	opts.Logger = logger.DefaultOptions()
 	opts.Logger.AttachCmdFlags(flag.StringVar, flag.BoolVar)
@@ -87,10 +83,6 @@ func New() *Options {
 
 	flag.Parse()
 
-	if len(*depRCF) > 0 || len(*depICF) > 0 || len(*depIKF) > 0 || len(*depCCP) > 0 {
-		log.Warn("--certchain, --issuer-ca-filename, --issuer-certificate-filename and --issuer-key-filename are deprecated and will be removed in v1.14")
-	}
-
 	wilc := strings.ToLower(opts.watchdogIntervalStr)
 	switch wilc {
 	case "0", "false", "f", "no", "off":

cmd/placement/options/options.go

@@ -23,6 +23,7 @@ import (
 	"github.com/dapr/dapr/pkg/modes"
 	"github.com/dapr/dapr/pkg/placement/raft"
 	"github.com/dapr/dapr/pkg/security"
+	securityConsts "github.com/dapr/dapr/pkg/security/consts"
 	"github.com/dapr/kit/logger"
 	"github.com/dapr/kit/utils"
 )
@@ -62,8 +63,6 @@ type Options struct {
 	Metrics *metrics.Options
 }
 
-var log = logger.NewLogger("dapr.placement.options")
-
 func New() *Options {
 	// Default options
 	var opts Options
@@ -79,15 +78,10 @@ func New() *Options {
 	flag.IntVar(&opts.ReplicationFactor, "replicationFactor", defaultReplicationFactor, "sets the replication factor for actor distribution on vnodes")
 
 	flag.StringVar(&opts.TrustDomain, "trust-domain", "localhost", "Trust domain for the Dapr control plane")
-	flag.StringVar(&opts.TrustAnchorsFile, "trust-anchors-file", "/var/run/secrets/dapr.io/tls/ca.crt", "Filepath to the trust anchors for the Dapr control plane")
-	flag.StringVar(&opts.SentryAddress, "sentry-address", fmt.Sprintf("dapr-sentry.%s.svc:443", security.CurrentNamespace()), "Filepath to the trust anchors for the Dapr control plane")
+	flag.StringVar(&opts.TrustAnchorsFile, "trust-anchors-file", securityConsts.ControlPlaneDefaultTrustAnchorsPath, "Filepath to the trust anchors for the Dapr control plane")
+	flag.StringVar(&opts.SentryAddress, "sentry-address", fmt.Sprintf("dapr-sentry.%s.svc:443", security.CurrentNamespace()), "Address of the Sentry service")
 	flag.StringVar(&opts.Mode, "mode", string(modes.StandaloneMode), "Runtime mode for Placement")
 
-	depCC := flag.String("certchain", "", "DEPRECATED")
-	depRCF := flag.String("issuer-ca-filename", "", "DEPRECATED")
-	depICF := flag.String("issuer-certificate-filename", "", "DEPRECATED")
-	depIKF := flag.String("issuer-key-filename", "", "DEPRECATED")
-
 	opts.Logger = logger.DefaultOptions()
 	opts.Logger.AttachCmdFlags(flag.StringVar, flag.BoolVar)
 
@@ -99,10 +93,6 @@ func New() *Options {
 
 	flag.Parse()
 
-	if len(*depRCF) > 0 || len(*depICF) > 0 || len(*depIKF) > 0 || len(*depCC) > 0 {
-		log.Warn("--certchain, --issuer-ca-filename, --issuer-certificate-filename and --issuer-key-filename are deprecated and will be removed in v1.14.")
-	}
-
 	opts.RaftPeers = parsePeersFromFlag(opts.RaftPeerString)
 	if opts.RaftLogStorePath != "" {
 		opts.RaftInMemEnabled = false

cmd/sentry/main.go

@@ -48,10 +48,6 @@ func main() {
 
 	metricsExporter := metrics.NewExporterWithOptions(log, metrics.DefaultMetricNamespace, opts.Metrics)
 
-	if len(opts.TokenAudience) > 0 {
-		log.Warn("--token-audience is deprecated and will be removed in Dapr v1.14")
-	}
-
 	if err := utils.SetEnvVariables(map[string]string{
 		utils.KubeConfigVar: opts.Kubeconfig,
 	}); err != nil {

cmd/sentry/options/options.go

@@ -38,7 +38,6 @@ type Options struct {
 	HealthzPort           int
 	IssuerCredentialsPath string
 	TrustDomain           string
-	TokenAudience         string
 	Kubeconfig            string
 	Logger                logger.Options
 	Metrics               *metrics.Options
@@ -57,7 +56,6 @@ func New() *Options {
 	flag.StringVar(&opts.IssuerCertFilename, "issuer-certificate-filename", config.DefaultIssuerCertFilename, "Issuer certificate filename")
 	flag.StringVar(&opts.IssuerKeyFilename, "issuer-key-filename", config.DefaultIssuerKeyFilename, "Issuer private key filename")
 	flag.StringVar(&opts.TrustDomain, "trust-domain", "localhost", "The CA trust domain")
-	flag.StringVar(&opts.TokenAudience, "token-audience", "", "DEPRECATED, flag has no effect.")
 	flag.IntVar(&opts.Port, "port", config.DefaultPort, "The port for the sentry server to listen on")
 	flag.IntVar(&opts.HealthzPort, "healthz-port", 8080, "The port for the healthz server to listen on")
 

pkg/security/consts/consts.go

@@ -57,4 +57,7 @@ const (
 	// ControlPlaneAddressEnvVar is the daprd environment variable for
 	// configuring the control plane trust domain.
 	ControlPlaneTrustDomainEnvVar = "DAPR_CONTROLPLANE_TRUST_DOMAIN"
+
+	// ControlPlaneDefaultTrustAnchorsPath is the default path where the trust anchors are placed for control plane services.
+	ControlPlaneDefaultTrustAnchorsPath = "/var/run/secrets/dapr.io/tls/ca.crt"
 )