Release date: 2024-09-13
Version: v1.14.3

Dapr 1.14.3 has a known upgrade issue: upgrading from v1.14.0 through v1.14.2 can fail because of restrictions on which StatefulSet fields may be updated, and users are advised to upgrade directly to v1.14.4 or later rather than applying a manual fix. This release mainly fixes the following issues: 1. The AWS Secrets Manager and Parameter Store components failed to initialise under fine-grained IAM policies; the redundant permission check has been removed. 2. The Scheduler's embedded ETCD database ran out of memory; the default storage has been increased to 16Gi and the purging of deleted data has been tuned. 3. The HTTP job trigger request body was wrongly base64-encoded; data is now sent as a standard JSON string. 4. The HTTP Job API request body now accepts JSON strings directly, making the API easier to use. 5. New securityContext options (runAsUser/runAsGroup) for the sidecar injector, to satisfy security policy requirements.

Release notes (original)

Dapr 1.14.3

⚠️ When upgrading from Dapr versions v1.14.0, v1.14.1, or v1.14.2 to v1.14.3, the upgrade fails with the following error:

Error: UPGRADE FAILED: cannot patch "dapr-scheduler-server" with kind StatefulSet: StatefulSet.apps "dapr-scheduler-server" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'ordinals', 'template', 'updateStrategy', 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are forbidden

The workaround is to delete the Scheduler StatefulSet before re-running the upgrade with the new storage size, but we recommend skipping this version and upgrading to v1.14.4 or later instead.


This update includes the following bug fixes:

Fix AWS Secrets Manager and Parameter Store components when working with more granular IAM permissions

Problem

When using AWS Secrets Manager and Parameter Store, daprd would fail on initialisation if the IAM policy only allowed access to certain secrets.

Impact

Dapr would not be able to start if the IAM policy only allowed access to certain secrets.

Root cause

On initialisation, daprd would try to verify access to the AWS Secrets Manager and Parameter Store services by reading a dummy secret, which would fail if the IAM policy in place only allowed access to certain secrets.

Solution

The additional check was removed.

Fix Scheduler embedded ETCD database running out of memory

Problem

Creating a reasonable number of Jobs or Actor Reminders (also through workflows) with the Scheduler would cause the Scheduler's embedded ETCD database to run out of memory.

Impact

The Jobs, Actor Reminders, and Workflow APIs would become unavailable.

Root cause

The default storage size of the embedded ETCD database was too small, and the purging of deleted data was not aggressive enough.

Solution

The default storage size of the embedded ETCD database was increased from 2Gi to 16Gi, and deleted data is now purged more frequently. More options are now exposed on the Scheduler to tune these values further.

Fix the Job HTTP Trigger Request body base64 encoding values

Problem

When handling a Job trigger in an HTTP application, the value content of the request body could be base64 encoded, causing application serialization errors.

Impact

The Job trigger would not be processed by the application correctly.

Root cause

The Job trigger was erroneously encoding the request body value content when sending the request to the application.

Solution

daprd now sends the request body value content as a standard JSON string.

Change the HTTP Job API request body data field to accept JSON strings

Problem

The HTTP Job API request body data field previously accepted fully qualified protobuf messages.

Impact

The HTTP API was less approachable for users who wanted to test and develop against it, often using tools such as curl or Postman.

Root cause

The HTTP Job API used the same request schema as the gRPC API.

Solution

The HTTP Job API now accepts JSON strings for the request body data field.
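The two Job API changes above (the trigger body no longer being base64 encoded, and the `data` field of the HTTP Job API accepting plain JSON) are illustrated together by the following added example. It is not Dapr's code and not part of the release notes: the HTTP path `/v1.0-alpha1/jobs/{name}` and the exact body shape are assumptions, and the job payload and request bodies are constructed. The trigger parser accepts both the post-fix JSON string and the pre-fix base64 form, and reports which one it saw so an application can tell when an older sidecar is still delivering triggers.

```python
import base64
import json
from typing import Any

# Assumed path of the daprd HTTP Job API (not stated in the release notes).
JOBS_PATH = "/v1.0-alpha1/jobs/{name}"

# Constructed sample job payload used throughout this example.
JOB_PAYLOAD = {"orderId": "A-17", "amount": 42}


def build_schedule_request(name: str, payload: dict, due_time: str) -> tuple[str, str]:
    """Return (path, body) for scheduling a job over the HTTP Job API.

    Since 1.14.3 the `data` field accepts plain JSON, so the payload is placed
    in the body directly instead of being wrapped in a protobuf message
    (body shape assumed for this example).
    """
    body = {"data": payload, "dueTime": due_time}
    return JOBS_PATH.format(name=name), json.dumps(body)


def parse_trigger_body(raw: bytes) -> tuple[Any, bool]:
    """Decode the body of a job trigger delivered to the application.

    Returns (payload, was_base64). daprd 1.14.3 and later send the job data as a
    standard JSON string; earlier 1.14.x builds could send the value base64
    encoded, either as a JSON-quoted string or as bare base64 text. Both forms
    are accepted so the handler keeps working across the fix, and the flag lets
    the application log that an older sidecar is still delivering triggers.
    Caveat: a legitimate string payload that happens to be valid base64 of
    valid JSON is indistinguishable from the pre-fix form.
    """
    text = raw.decode("utf-8")
    try:
        decoded = json.loads(text)
    except json.JSONDecodeError:
        decoded = text  # not JSON at all: possibly bare base64
    if isinstance(decoded, str):
        try:
            inner = base64.b64decode(decoded, validate=True)
            return json.loads(inner), True
        except (ValueError, json.JSONDecodeError):
            return decoded, False  # an ordinary string payload
    return decoded, False


# Constructed request bodies: what a post-fix and a pre-fix sidecar would deliver.
POST_FIX_BODY = json.dumps(JOB_PAYLOAD).encode()
PRE_FIX_BODY = json.dumps(base64.b64encode(POST_FIX_BODY).decode()).encode()
PRE_FIX_BARE_BODY = base64.b64encode(POST_FIX_BODY)

if __name__ == "__main__":
    print(build_schedule_request("order-A-17", JOB_PAYLOAD, "30s"))
    for body in (POST_FIX_BODY, PRE_FIX_BODY, PRE_FIX_BARE_BODY):
        print(parse_trigger_body(body))
```

The `was_base64` flag is worth surfacing in application logs during a rolling upgrade: once no trigger reports it any more, every sidecar in the cluster is on 1.14.3 or later and the fallback branch can be removed.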

Add securityContext/runAsGroup and securityContext/runAsUser as sidecar injector options

Problem

The daprd sidecar was missing the securityContext/runAsGroup and/or securityContext/runAsUser settings.

Impact

The daprd sidecar was not passing security checks by some policy enforcement solutions and could not run.

Root cause

There was no way to set the securityContext/runAsGroup and/or securityContext/runAsUser settings.

Solution

Added the dapr_sidecar_injector.sidecarRunAsUser and dapr_sidecar_injector.sidecarRunAsGroup Helm chart settings.
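As an added example (not Dapr's code and not from the release notes), the following check mirrors what a policy enforcement solution does when it rejects a pod whose containers resolve to no runAsUser/runAsGroup, following the Kubernetes rule that a container's securityContext overrides the pod-level one. The pod spec is constructed, and `apply_injector_values` only simulates the effect of the new `sidecarRunAsUser` / `sidecarRunAsGroup` Helm values on the daprd container; the real injector builds the container spec itself.

```python
import copy

# Constructed pod spec with a daprd sidecar that carries no runAsUser/runAsGroup,
# the shape that failed policy checks before these Helm values existed.
POD_WITHOUT_IDS = {
    "metadata": {"name": "orders-7c9d", "annotations": {"dapr.io/enabled": "true"}},
    "spec": {
        "containers": [
            {
                "name": "orders",
                "image": "example/orders:1.0",
                "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True},
            },
            {
                "name": "daprd",
                "image": "daprio/daprd:1.14.2",
                "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
            },
        ]
    },
}

# Constructed variant: identities set once at pod level, inherited by every container.
POD_WITH_POD_LEVEL_IDS = copy.deepcopy(POD_WITHOUT_IDS)
POD_WITH_POD_LEVEL_IDS["spec"]["securityContext"] = {"runAsUser": 65532, "runAsGroup": 65532}

REQUIRED = ("runAsUser", "runAsGroup")


def missing_identity_settings(pod: dict) -> dict[str, list[str]]:
    """Return {container name: [missing keys]} for containers that resolve to no
    runAsUser/runAsGroup. A container-level securityContext wins; otherwise the
    pod-level securityContext applies; if neither sets the key it is reported."""
    pod_ctx = pod["spec"].get("securityContext", {})
    report: dict[str, list[str]] = {}
    for container in pod["spec"]["containers"]:
        ctx = container.get("securityContext", {})
        missing = [key for key in REQUIRED if key not in ctx and key not in pod_ctx]
        if missing:
            report[container["name"]] = missing
    return report


def apply_injector_values(pod: dict, run_as_user: int, run_as_group: int) -> dict:
    """Simulate dapr_sidecar_injector.sidecarRunAsUser / sidecarRunAsGroup:
    set the ids on the daprd container only (assumed behaviour for this example).
    The input pod is left untouched; a patched copy is returned."""
    patched = copy.deepcopy(pod)
    for container in patched["spec"]["containers"]:
        if container["name"] == "daprd":
            ctx = container.setdefault("securityContext", {})
            ctx["runAsUser"] = run_as_user
            ctx["runAsGroup"] = run_as_group
    return patched


if __name__ == "__main__":
    print("before:", missing_identity_settings(POD_WITHOUT_IDS))
    print("after: ", missing_identity_settings(apply_injector_values(POD_WITHOUT_IDS, 65532, 65532)))
    print("pod-level:", missing_identity_settings(POD_WITH_POD_LEVEL_IDS))
```

Running the check against pods in a namespace before enabling an admission policy shows which workloads would be blocked, and the daprd container is the one that needs the injector-level values rather than a per-application patch.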

Download links