Installation guide
Prerequisites
- Kubernetes cluster where you have Administrator access.
- Helm 3.x or later.
- Cluster outbound network access to Diagrid's artifact repository (See Access details).
- A D3E access token (provided by Diagrid).
- Dynatrace installation (only required for Option 3: Dynatrace integration).
Open source version compatibility
D3E maintains full compatibility with Dapr open source, providing additional enterprise features on top of the existing APIs and SDKs. Only two versions of Dapr are supported at a time: the current stable version and the previous minor version, including select patch versions. This creates a rolling window of supported releases that moves forward, and it is your operational responsibility to stay up to date with these supported versions. If you run an older version of Dapr, you may have to perform intermediate upgrades to reach a supported version.
The table below lists the currently supported and deprecated versions of D3E, corresponding to the associated Dapr open source versions.
D3E version | ARM64 features | AMD64 features | Operating system | Notes |
---|---|---|---|---|
1.13.6 | Multi-tenant control plane, namespace isolation and reduced permission set. | Multi-tenant control plane, namespace isolation, reduced permission set and Dynatrace integration. | Linux | |
1.14.4 | Multi-tenant control plane, namespace isolation and reduced permission set. | Multi-tenant control plane, namespace isolation, reduced permission set and Dynatrace integration. | Linux | |
1.14.5 | Multi-tenant control plane, namespace isolation and reduced permission set. | Multi-tenant control plane, namespace isolation, reduced permission set and Dynatrace integration. | Linux | |
1.14.6* | Multi-tenant control plane, namespace isolation and reduced permission set. | Multi-tenant control plane, namespace isolation, reduced permission set and Dynatrace integration. | Linux | *Backport Oracle state store features |
1.15.5 | Multi-tenant control plane, namespace isolation and reduced permission set. | Multi-tenant control plane, namespace isolation, reduced permission set and Dynatrace integration. | Linux | |
Installation setup
- Ensure any existing Dapr installations are removed from your cluster. Run the following commands to delete the resources.
helm uninstall dapr -n dapr-system
kubectl delete pvc -n dapr-system --all
kubectl delete crds subscriptions.dapr.io resiliencies.dapr.io configurations.dapr.io components.dapr.io httpendpoints.dapr.io
- Set your D3E token in your terminal. Note: this is a custom access token that is provided to you by the Diagrid team.
token=<TOKEN-PROVIDED-BY-DIAGRID>
- Choose your installation path and continue with one of the following options to install D3E:
- Option 1: D3E with single namespace isolation
- Option 2: D3E with multi-namespace isolation & multi-tenancy
- Option 3: D3E with Dynatrace
- Option 4: D3E without CRDs and ClusterRoles
Option 1: D3E with single namespace isolation
In this configuration of D3E, the Dapr control plane is scoped to a single namespace and only applications deployed within that namespace can be injected with Dapr sidecars.
Helm values:
The D3E Helm chart supports all Helm chart values available from the open source Dapr Helm chart repository along with the values listed below. If you require additional configuration for your Dapr deployment, be sure to add these values to your Helm install command or use a custom values file.
Helm value | Description | Default value | D3E options |
---|---|---|---|
global.rbac.namespaced | Enable namespace isolation | false | true, false |
Example installation command:
The following command will install D3E version 1.15.5 into the dapr-system namespace, and only allow applications in dapr-system to be injected with Dapr sidecars.
helm install \
--create-namespace \
-n dapr-system dapr \
--set global.rbac.namespaced=true \
--set diagrid.token=${token} \
--set global.tag=1.15.5 \
oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr --version 1.15.5
Option 1: Single namespace isolation
Option 2: D3E with multi-namespace isolation & multi-tenancy
In this configuration of D3E, the Dapr control plane is scoped to a list of namespaces and only applications deployed in those namespaces can be injected with Dapr sidecars. Use the global.rbac.namespaces Helm value to specify the list of namespaces that Dapr should be able to target for injection.
Helm values:
The D3E Helm chart supports all Helm chart values available from the open source Dapr Helm chart repository along with the values listed below. If you require additional configuration for your Dapr deployment, be sure to add these values to your Helm install command or use a custom values file.
Helm value | Description | Default value | D3E options |
---|---|---|---|
global.rbac.namespaced | Enable namespace isolation | false | true, false |
global.rbac.namespaces | List of namespaces Dapr can inject sidecars into | [] | ["namespace-1", "namespace-2", ...] |
Example installation command:
The following command will install D3E version 1.15.5 into the dapr-system namespace, and only allow applications in the namespace crud-app to be injected with Dapr sidecars.
helm install \
--create-namespace \
-n dapr-system \
--set global.rbac.namespaced=true \
--set-json 'global.rbac.namespaces=["crud-app"]' \
--set diagrid.token=${token} \
--set global.tag=1.15.5 \
dapr oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr --version 1.15.5
Option 2: Multi-namespace isolation
Multi-tenancy support:
To configure multi-tenancy, execute the D3E Helm installation command again, modifying the Dapr namespace value (-n) and the global.rbac.namespaces value with new namespaces. This allows multiple Dapr installations within the same cluster, each within its own isolated namespace.
For example, run the Helm command to end up with the following cluster configuration:
- D3E deployed in the dapr-system namespace with the attributes global.rbac.namespaced=true and global.rbac.namespaces=["crud-app"]
- D3E deployed in the dapr-secondary namespace with the attributes global.rbac.namespaced=true and global.rbac.namespaces=["order-app"]
Option 2: Multi-tenancy & namespace isolation
Option 3: D3E with Dynatrace
In this configuration of D3E, the Dapr sidecar uses container images that are compatible with Dynatrace. Use the global.tag Helm value to add the suffix -dynatrace to the version of D3E you are installing. Note: this option can also be combined with the Helm values provided with D3E Options 1 or 2.
Helm values:
The D3E Helm chart supports all Helm chart values available from the open source Dapr Helm chart repository along with the values listed below. If you require additional configuration for your Dapr deployment, be sure to add these values to your Helm install command or use a custom values file.
Helm value | Description | Default value | D3E options |
---|---|---|---|
global.tag | Container image tag | latest release | -dynatrace |
Example installation command:
The following command will install D3E version 1.15.5 with Dynatrace integration into the dapr-system namespace, and only allow applications in the namespace crud-app to be injected with Dapr sidecars.
helm install \
--create-namespace \
-n dapr-system \
--set global.rbac.namespaced=true \
--set-json 'global.rbac.namespaces=["crud-app"]' \
--set diagrid.token=${token} \
--set global.tag=1.15.5-dynatrace \
dapr oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr --version 1.15.5
Option 3: Dynatrace integration & namespace isolation
Option 4: D3E without CRDs and ClusterRoles using the Diagrid Dapr Injector Helm chart
This configuration of D3E (Diagrid Dapr Distribution for Enterprises) is a CRD-free installation mode that eliminates the need for both Dapr ClusterRoles and CustomResourceDefinitions (CRDs). Dapr is deployed in standalone mode without the Dapr control plane sidecar injector service, which removes the requirement for the Sidecar Injector ClusterRole (detailed in Kubernetes resource requirements). The Dapr control plane operator service is also not deployed, so no CRDs are needed, and with the operator service in standalone mode the system:auth-delegator ClusterRoleBinding requirement is removed as well.
Instead of relying on the standard Sidecar Injector and CRDs, this approach utilizes the Diagrid Dapr Injector Helm library chart (https://github.com/diagridio/diagrid-dapr-injector-helm-sample/tree/main) to inject the Dapr sidecar directly into application manifests and to facilitate the loading of Dapr resources.
This option requires the fewest cluster permissions because it avoids both CRDs and the standard Sidecar Injector, but it involves significant operational overhead. You need to configure your Dapr application manifests to contain the sidecars and manage Dapr resources directly within your application's Helm charts. Unless there is a strict requirement that no Dapr ClusterRoles and no Dapr CRDs be deployed in your Kubernetes environment, this method is strongly discouraged.
Helm values:
The D3E Helm chart supports all Helm chart values available from the open source Dapr Helm chart repository along with the values listed below. If you require additional configuration for your Dapr deployment, be sure to add these values to your Helm install command or use a custom values file.
This option can be combined with Helm values in D3E Options 1, 2 or 3 to provide namespace isolation, multi-tenancy or Dynatrace integration in your D3E deployment.
Helm value | Description | Default value | D3E options |
---|---|---|---|
dapr_sidecar_injector.enabled | Deployment of the standard sidecar injector control plane service | true | true, false |
global.rbac.injector.enabled | Deployment of the injector ClusterRole | true | true, false |
global.rbac.namespaced | Enables namespace-scoped RBAC for Dapr components | false | true, false |
global.rbac.sentry.createServiceAccount | Create a service account for the Dapr Sentry component | true | true, false |
global.rbac.createTokenReviewerRole | Create a token reviewer role | false | true, false |
global.rbac.createTokenReviewerRoleBinding | Create a token reviewer role binding | true | true, false |
global.rbac.crds.enabled | Enable CRDs RBAC | true | true, false |
global.rbac.operator.enabled | Enable the operator RBAC | true | true, false |
Example installation command:
The following command will install D3E version 1.15.5 into the dapr-system namespace, without the sidecar injector control plane service and operator, and only allow applications in the dapr-system namespace to be injected with sidecars.
helm install \
--skip-crds \
-n <namespace> \
--set global.tag=1.15.5 \
--set global.actors.enabled=false \
--set global.scheduler.enabled=false \
--set global.rbac.injector.enabled=false \
--set global.rbac.createTokenReviewerRole=false \
--set global.rbac.createTokenReviewerRoleBinding=false \
--set global.rbac.crds.enabled=false \
--set global.rbac.operator.enabled=false \
--set global.rbac.namespaced=true \
--set global.rbac.sentry.createServiceAccount=true \
--set-json 'global.rbac.namespaces=["<namespace_A>","<namespace_B>"]' \
--set dapr_operator.enabled=false \
--set dapr_sidecar_injector.enabled=false \
--set dapr_placement.mode=standalone \
--set dapr_scheduler.mode=standalone \
--set dapr_sentry.mode=standalone \
--set dapr_sentry.injectDaprSystemConfig=true \
--set dapr_config.dapr_config_chart_included=false \
--set diagrid.token="YOUR_TOKEN" \
dapr oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr --version 1.15.5
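To confirm that an Option 4 install really left no Dapr CRDs and no ClusterRoleBindings behind, the following added example (not part of the D3E documentation or chart) audits the cluster-scoped footprint. It assumes any ClusterRoleBinding with a subject in the Dapr namespace is worth reviewing; the sample rows and binding names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the cluster-scoped footprint left by a D3E install.
# The parsing functions read kubectl output on stdin so they can be tested offline.

# stdin: output of `kubectl get crds -o name`; prints CRDs in the dapr.io API group.
dapr_crds() {
  awk -F/ '$2 ~ /\.dapr\.io$/ { print $2 }'
}

# $1: namespace; stdin: rows "BINDING ROLE SUBJECT_NAMESPACES" (comma-separated).
# Prints "binding -> role" for every ClusterRoleBinding with a subject in $1.
bindings_for_namespace() {
  awk -v ns="$1" '{
    n = split($3, a, ",")
    for (i = 1; i <= n; i++) if (a[i] == ns) { print $1 " -> " $2; break }
  }'
}

# $1: CRD list, $2: binding list; succeeds only when both are empty.
footprint_is_clean() {
  [ -z "$1" ] && [ -z "$2" ]
}

# Constructed sample data (binding names are hypothetical, not D3E resource names).
SAMPLE_CRDS='customresourcedefinition.apiextensions.k8s.io/components.dapr.io
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io'
SAMPLE_CRBS='example-tokenreview  system:auth-delegator  dapr-system
cluster-admin  cluster-admin  <none>
example-multi  view  kube-system,dapr-secondary'

# Live mode: ./audit.sh --live <dapr-namespace>
if [ "${1:-}" = "--live" ]; then
  ns="${2:?usage: $0 --live <dapr-namespace>}"
  crds=$(kubectl get crds -o name | dapr_crds)
  crbs=$(kubectl get clusterrolebindings --no-headers \
    -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,NS:.subjects[*].namespace' |
    bindings_for_namespace "$ns")
  if footprint_is_clean "$crds" "$crbs"; then
    echo "OK: no dapr.io CRDs and no ClusterRoleBindings for $ns"
  else
    printf 'CRDs:\n%s\nClusterRoleBindings:\n%s\n' "$crds" "$crbs"
    exit 1
  fi
fi
```

Run it with --live and the namespace passed to -n in the install command; a non-zero exit lists what remains so it can be reviewed against the RBAC values set above.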
Running your Dapr workloads with the Diagrid Dapr Injector:
After installing D3E on your cluster, you need to configure your applications to contain the Dapr sidecars at deployment time by adding the Diagrid Dapr Injector Helm library chart as a dependency to your applications.
The step-by-step instructions to configure this are detailed in the GitHub repository linked above, starting at Step 1: Add the Dependency. This configuration must be done for all Dapr-enabled applications; otherwise the sidecar will not be injected and Dapr operations will fail.
It is recommended to test out the behaviour using the deploy-sample sample application located in the repository to ensure that you understand the implications before proceeding with configuring your applications.
Option 4: Without ClusterRoles using the Diagrid Dapr Injector Helm chart & single namespace isolation