Adds listen-address CLI flags for all services servers. (dapr#7675)

* Adds `listen-address` CLI flags for all services servers.

Address corresponding `--listen-address` CLI flags for all services
servers. This sets the listening address for these TCP servers.

This is added to allow users to both bind the address to localhost to
prevent access to a particular server on the network, as well as for
integration testing as it is more correct to bind to localhost and
prevents triggering MacOS firewall popups.

Signed-off-by: joshvanl <[email protected]>

* Report localhost to nameresolver when internal grpc listen address is
localhost

Signed-off-by: joshvanl <[email protected]>

* Use localhost host for placement report when internal gRPC address is
localhost

Signed-off-by: joshvanl <[email protected]>

* Change default listen-address from `0.0.0.0` to empty string to allow
for default ipv6 support and keep backwards compat.

Signed-off-by: joshvanl <[email protected]>

---------

Signed-off-by: joshvanl <[email protected]>
Co-authored-by: Dapr Bot <[email protected]>

cmd/daprd/app/app.go

@@ -136,44 +136,46 @@ func Run() {
 			}
 
 			rt, rerr := runtime.FromConfig(ctx, &runtime.Config{
-				AppID:                        opts.AppID,
-				ActorsService:                opts.ActorsService,
-				RemindersService:             opts.RemindersService,
-				AllowedOrigins:               opts.AllowedOrigins,
-				ResourcesPath:                opts.ResourcesPath,
-				ControlPlaneAddress:          opts.ControlPlaneAddress,
-				AppProtocol:                  opts.AppProtocol,
-				Mode:                         opts.Mode,
-				DaprHTTPPort:                 opts.DaprHTTPPort,
-				DaprInternalGRPCPort:         opts.DaprInternalGRPCPort,
-				DaprAPIGRPCPort:              opts.DaprAPIGRPCPort,
-				DaprAPIListenAddresses:       opts.DaprAPIListenAddresses,
-				DaprPublicPort:               opts.DaprPublicPort,
-				ApplicationPort:              opts.AppPort,
-				ProfilePort:                  opts.ProfilePort,
-				EnableProfiling:              opts.EnableProfiling,
-				AppMaxConcurrency:            opts.AppMaxConcurrency,
-				EnableMTLS:                   opts.EnableMTLS,
-				SentryAddress:                opts.SentryAddress,
-				MaxRequestSize:               opts.MaxRequestSize,
-				ReadBufferSize:               opts.ReadBufferSize,
-				UnixDomainSocket:             opts.UnixDomainSocket,
-				DaprGracefulShutdownSeconds:  opts.DaprGracefulShutdownSeconds,
-				DaprBlockShutdownDuration:    opts.DaprBlockShutdownDuration,
-				DisableBuiltinK8sSecretStore: opts.DisableBuiltinK8sSecretStore,
-				EnableAppHealthCheck:         opts.EnableAppHealthCheck,
-				AppHealthCheckPath:           opts.AppHealthCheckPath,
-				AppHealthProbeInterval:       opts.AppHealthProbeInterval,
-				AppHealthProbeTimeout:        opts.AppHealthProbeTimeout,
-				AppHealthThreshold:           opts.AppHealthThreshold,
-				AppChannelAddress:            opts.AppChannelAddress,
-				EnableAPILogging:             opts.EnableAPILogging,
-				Config:                       opts.Config,
-				Metrics:                      opts.Metrics,
-				AppSSL:                       opts.AppSSL,
-				ComponentsPath:               opts.ComponentsPath,
-				Registry:                     reg,
-				Security:                     sec,
+				AppID:                         opts.AppID,
+				ActorsService:                 opts.ActorsService,
+				RemindersService:              opts.RemindersService,
+				AllowedOrigins:                opts.AllowedOrigins,
+				ResourcesPath:                 opts.ResourcesPath,
+				ControlPlaneAddress:           opts.ControlPlaneAddress,
+				AppProtocol:                   opts.AppProtocol,
+				Mode:                          opts.Mode,
+				DaprHTTPPort:                  opts.DaprHTTPPort,
+				DaprInternalGRPCPort:          opts.DaprInternalGRPCPort,
+				DaprInternalGRPCListenAddress: opts.DaprInternalGRPCListenAddress,
+				DaprAPIGRPCPort:               opts.DaprAPIGRPCPort,
+				DaprAPIListenAddresses:        opts.DaprAPIListenAddresses,
+				DaprPublicPort:                opts.DaprPublicPort,
+				DaprPublicListenAddress:       opts.DaprPublicListenAddress,
+				ApplicationPort:               opts.AppPort,
+				ProfilePort:                   opts.ProfilePort,
+				EnableProfiling:               opts.EnableProfiling,
+				AppMaxConcurrency:             opts.AppMaxConcurrency,
+				EnableMTLS:                    opts.EnableMTLS,
+				SentryAddress:                 opts.SentryAddress,
+				MaxRequestSize:                opts.MaxRequestSize,
+				ReadBufferSize:                opts.ReadBufferSize,
+				UnixDomainSocket:              opts.UnixDomainSocket,
+				DaprGracefulShutdownSeconds:   opts.DaprGracefulShutdownSeconds,
+				DaprBlockShutdownDuration:     opts.DaprBlockShutdownDuration,
+				DisableBuiltinK8sSecretStore:  opts.DisableBuiltinK8sSecretStore,
+				EnableAppHealthCheck:          opts.EnableAppHealthCheck,
+				AppHealthCheckPath:            opts.AppHealthCheckPath,
+				AppHealthProbeInterval:        opts.AppHealthProbeInterval,
+				AppHealthProbeTimeout:         opts.AppHealthProbeTimeout,
+				AppHealthThreshold:            opts.AppHealthThreshold,
+				AppChannelAddress:             opts.AppChannelAddress,
+				EnableAPILogging:              opts.EnableAPILogging,
+				Config:                        opts.Config,
+				Metrics:                       opts.Metrics,
+				AppSSL:                        opts.AppSSL,
+				ComponentsPath:                opts.ComponentsPath,
+				Registry:                      reg,
+				Security:                      sec,
 			})
 			if rerr != nil {
 				return rerr

cmd/daprd/options/options.go

@@ -35,49 +35,51 @@ import (
 )
 
 type Options struct {
-	AppID                        string
-	ComponentsPath               string
-	ControlPlaneAddress          string
-	ControlPlaneTrustDomain      string
-	ControlPlaneNamespace        string
-	SentryAddress                string
-	TrustAnchors                 []byte
-	AllowedOrigins               string
-	EnableProfiling              bool
-	AppMaxConcurrency            int
-	EnableMTLS                   bool
-	AppSSL                       bool
-	MaxRequestSize               int // In bytes
-	ResourcesPath                []string
-	AppProtocol                  string
-	EnableAPILogging             *bool
-	RuntimeVersion               bool
-	BuildInfo                    bool
-	WaitCommand                  bool
-	DaprHTTPPort                 string
-	DaprAPIGRPCPort              string
-	ProfilePort                  string
-	DaprInternalGRPCPort         string
-	DaprPublicPort               string
-	AppPort                      string
-	DaprGracefulShutdownSeconds  int
-	DaprBlockShutdownDuration    *time.Duration
-	ActorsService                string
-	RemindersService             string
-	DaprAPIListenAddresses       string
-	AppHealthProbeInterval       int
-	AppHealthProbeTimeout        int
-	AppHealthThreshold           int
-	EnableAppHealthCheck         bool
-	Mode                         string
-	Config                       []string
-	UnixDomainSocket             string
-	ReadBufferSize               int // In bytes
-	DisableBuiltinK8sSecretStore bool
-	AppHealthCheckPath           string
-	AppChannelAddress            string
-	Logger                       logger.Options
-	Metrics                      *metrics.Options
+	AppID                         string
+	ComponentsPath                string
+	ControlPlaneAddress           string
+	ControlPlaneTrustDomain       string
+	ControlPlaneNamespace         string
+	SentryAddress                 string
+	TrustAnchors                  []byte
+	AllowedOrigins                string
+	EnableProfiling               bool
+	AppMaxConcurrency             int
+	EnableMTLS                    bool
+	AppSSL                        bool
+	MaxRequestSize                int // In bytes
+	ResourcesPath                 []string
+	AppProtocol                   string
+	EnableAPILogging              *bool
+	RuntimeVersion                bool
+	BuildInfo                     bool
+	WaitCommand                   bool
+	DaprHTTPPort                  string
+	DaprAPIGRPCPort               string
+	ProfilePort                   string
+	DaprInternalGRPCPort          string
+	DaprInternalGRPCListenAddress string
+	DaprPublicPort                string
+	DaprPublicListenAddress       string
+	AppPort                       string
+	DaprGracefulShutdownSeconds   int
+	DaprBlockShutdownDuration     *time.Duration
+	ActorsService                 string
+	RemindersService              string
+	DaprAPIListenAddresses        string
+	AppHealthProbeInterval        int
+	AppHealthProbeTimeout         int
+	AppHealthThreshold            int
+	EnableAppHealthCheck          bool
+	Mode                          string
+	Config                        []string
+	UnixDomainSocket              string
+	ReadBufferSize                int // In bytes
+	DisableBuiltinK8sSecretStore  bool
+	AppHealthCheckPath            string
+	AppChannelAddress             string
+	Logger                        logger.Options
+	Metrics                       *metrics.Options
 }
 
 func New(origArgs []string) (*Options, error) {
@@ -117,8 +119,10 @@ func New(origArgs []string) (*Options, error) {
 	fs.StringVar(&opts.DaprHTTPPort, "dapr-http-port", strconv.Itoa(runtime.DefaultDaprHTTPPort), "HTTP port for Dapr API to listen on")
 	fs.StringVar(&opts.DaprAPIListenAddresses, "dapr-listen-addresses", runtime.DefaultAPIListenAddress, "One or more addresses for the Dapr API to listen on, CSV limited")
 	fs.StringVar(&opts.DaprPublicPort, "dapr-public-port", "", "Public port for Dapr Health and Metadata to listen on")
+	fs.StringVar(&opts.DaprPublicListenAddress, "dapr-public-listen-address", "", "Public listen address for Dapr Health and Metadata")
 	fs.StringVar(&opts.DaprAPIGRPCPort, "dapr-grpc-port", strconv.Itoa(runtime.DefaultDaprAPIGRPCPort), "gRPC port for the Dapr API to listen on")
 	fs.StringVar(&opts.DaprInternalGRPCPort, "dapr-internal-grpc-port", "", "gRPC port for the Dapr Internal API to listen on")
+	fs.StringVar(&opts.DaprInternalGRPCListenAddress, "dapr-internal-grpc-listen-address", "", "gRPC listen address for the Dapr Internal API")
 	fs.StringVar(&opts.AppPort, "app-port", "", "The port the application is listening on")
 	fs.StringVar(&opts.ProfilePort, "profile-port", strconv.Itoa(runtime.DefaultProfilePort), "The port for the profile server")
 	fs.StringVar(&opts.AppProtocol, "app-protocol", string(protocol.HTTPProtocol), "Protocol for the application: grpc, grpcs, http, https, h2c")

cmd/injector/app/app.go

@@ -102,6 +102,7 @@ func Run() {
 
 	inj, err := service.NewInjector(service.Options{
 		Port:                    opts.Port,
+		ListenAddress:           opts.ListenAddress,
 		AuthUIDs:                uids,
 		Config:                  cfg,
 		DaprClient:              daprClient,
@@ -143,7 +144,7 @@ func Run() {
 			return nil
 		},
 		func(ctx context.Context) error {
-			healhtzErr := healthzServer.Run(ctx, opts.HealthzPort)
+			healhtzErr := healthzServer.Run(ctx, opts.HealthzListenAddress, opts.HealthzPort)
 			if healhtzErr != nil {
 				return fmt.Errorf("failed to start healthz server: %w", healhtzErr)
 			}

cmd/injector/options/options.go

@@ -24,11 +24,13 @@ import (
 )
 
 type Options struct {
-	HealthzPort int
-	Kubeconfig  string
-	Port        int
-	Logger      logger.Options
-	Metrics     *metrics.Options
+	HealthzPort          int
+	HealthzListenAddress string
+	Kubeconfig           string
+	Port                 int
+	ListenAddress        string
+	Logger               logger.Options
+	Metrics              *metrics.Options
 }
 
 func New(origArgs []string) *Options {
@@ -54,7 +56,9 @@ func New(origArgs []string) *Options {
 	fs.SortFlags = true
 
 	fs.IntVar(&opts.HealthzPort, "healthz-port", 8080, "The port used for health checks")
+	fs.StringVar(&opts.HealthzListenAddress, "healthz-listen-address", "", "The listening address for the healthz server")
 	fs.IntVar(&opts.Port, "port", 4000, "The port used for the injector service")
+	fs.StringVar(&opts.ListenAddress, "listen-address", "", "The listen address for the injector service")
 
 	if home := homedir.HomeDir(); home != "" {
 		fs.StringVar(&opts.Kubeconfig, "kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")

cmd/operator/app/app.go

@@ -56,8 +56,11 @@ func Run() {
 		WatchdogInterval:                    opts.WatchdogInterval,
 		WatchdogCanPatchPodLabels:           opts.WatchdogCanPatchPodLabels,
 		APIPort:                             opts.APIPort,
+		APIListenAddress:                    opts.APIListenAddress,
 		HealthzPort:                         opts.HealthzPort,
+		HealthzListenAddress:                opts.HealthzListenAddress,
 		WebhookServerPort:                   opts.WebhookServerPort,
+		WebhookServerListenAddress:          opts.WebhookServerListenAddress,
 	})
 	if err != nil {
 		log.Fatalf("error creating operator: %v", err)

cmd/operator/options/options.go

@@ -53,8 +53,11 @@ type Options struct {
 	Logger                             logger.Options
 	Metrics                            *metrics.Options
 	APIPort                            int
+	APIListenAddress                   string
 	HealthzPort                        int
+	HealthzListenAddress               string
 	WebhookServerPort                  int
+	WebhookServerListenAddress         string
 }
 
 func New() *Options {
@@ -79,8 +82,11 @@ func New() *Options {
 	flag.StringVar(&opts.TrustAnchorsFile, "trust-anchors-file", securityConsts.ControlPlaneDefaultTrustAnchorsPath, "Filepath to the trust anchors for the Dapr control plane")
 
 	flag.IntVar(&opts.APIPort, "port", 6500, "The port for the operator API server to listen on")
+	flag.StringVar(&opts.APIListenAddress, "listen-address", "", "The listening address for the operator API server")
 	flag.IntVar(&opts.HealthzPort, "healthz-port", 8080, "The port for the healthz server to listen on")
+	flag.StringVar(&opts.HealthzListenAddress, "healthz-listen-address", "", "The listening address for the healthz server")
 	flag.IntVar(&opts.WebhookServerPort, "webhook-server-port", 19443, "The port for the webhook server to listen on")
+	flag.StringVar(&opts.WebhookServerListenAddress, "webhook-server-listen-address", "", "The listening address for the webhook server")
 
 	opts.Logger = logger.DefaultOptions()
 	opts.Logger.AttachCmdFlags(flag.StringVar, flag.BoolVar)

cmd/placement/app/app.go

@@ -116,13 +116,13 @@ func Run() {
 				RouterOptions: metadataOptions,
 			})
 			healthzServer.Ready()
-			if healthzErr := healthzServer.Run(ctx, opts.HealthzPort); healthzErr != nil {
+			if healthzErr := healthzServer.Run(ctx, opts.HealthzListenAddress, opts.HealthzPort); healthzErr != nil {
 				return fmt.Errorf("failed to start healthz server: %w", healthzErr)
 			}
 			return nil
 		},
 		func(ctx context.Context) error {
-			return apiServer.Run(ctx, strconv.Itoa(opts.PlacementPort))
+			return apiServer.Run(ctx, opts.PlacementListenAddress, strconv.Itoa(opts.PlacementPort))
 		},
 	).Run(ctx)
 	if err != nil {

cmd/placement/options/options.go

@@ -47,11 +47,13 @@ type Options struct {
 	RaftLogStorePath string
 
 	// Placement server configurations
-	PlacementPort   int
-	HealthzPort     int
-	MetadataEnabled bool
-	MaxAPILevel     int
-	MinAPILevel     int
+	PlacementPort          int
+	PlacementListenAddress string
+	HealthzPort            int
+	HealthzListenAddress   string
+	MetadataEnabled        bool
+	MaxAPILevel            int
+	MinAPILevel            int
 
 	TLSEnabled       bool
 	TrustDomain      string
@@ -96,7 +98,9 @@ func New(origArgs []string) *Options {
 	fs.BoolVar(&opts.RaftInMemEnabled, "inmem-store-enabled", true, "Enable in-memory log and snapshot store unless --raft-logstore-path is set")
 	fs.StringVar(&opts.RaftLogStorePath, "raft-logstore-path", "", "raft log store path.")
 	fs.IntVar(&opts.PlacementPort, "port", defaultPlacementPort, "sets the gRPC port for the placement service")
+	fs.StringVar(&opts.PlacementListenAddress, "listen-address", "", "The listening address for the placement service")
 	fs.IntVar(&opts.HealthzPort, "healthz-port", defaultHealthzPort, "sets the HTTP port for the healthz server")
+	fs.StringVar(&opts.HealthzListenAddress, "healthz-listen-address", "", "The listening address for the healthz server")
 	fs.BoolVar(&opts.TLSEnabled, "tls-enabled", false, "Should TLS be enabled for the placement gRPC server")
 	fs.BoolVar(&opts.MetadataEnabled, "metadata-enabled", opts.MetadataEnabled, "Expose the placement tables on the healthz server")
 	fs.IntVar(&opts.MaxAPILevel, "max-api-level", 10, "If set to >= 0, causes the reported 'api-level' in the cluster to never exceed this value")

cmd/sentry/app/app.go

@@ -73,6 +73,7 @@ func Run() {
 	cfg.RootCertPath = rootCertPath
 	cfg.TrustDomain = opts.TrustDomain
 	cfg.Port = opts.Port
+	cfg.ListenAddress = opts.ListenAddress
 
 	var (
 		watchDir    = filepath.Dir(cfg.IssuerCertPath)
@@ -146,7 +147,7 @@ func Run() {
 	err = mngr.Add(func(ctx context.Context) error {
 		healthzServer := health.NewServer(health.Options{Log: log})
 		healthzServer.Ready()
-		runErr := healthzServer.Run(ctx, opts.HealthzPort)
+		runErr := healthzServer.Run(ctx, opts.HealthzListenAddress, opts.HealthzPort)
 		if runErr != nil {
 			return fmt.Errorf("failed to start healthz server: %s", runErr)
 		}

cmd/sentry/options/options.go

@@ -35,7 +35,9 @@ const (
 type Options struct {
 	ConfigName            string
 	Port                  int
+	ListenAddress         string
 	HealthzPort           int
+	HealthzListenAddress  string
 	IssuerCredentialsPath string
 	TrustDomain           string
 	Kubeconfig            string
@@ -76,7 +78,9 @@ func New(origArgs []string) *Options {
 	fs.StringVar(&opts.IssuerKeyFilename, "issuer-key-filename", config.DefaultIssuerKeyFilename, "Issuer private key filename")
 	fs.StringVar(&opts.TrustDomain, "trust-domain", "localhost", "The CA trust domain")
 	fs.IntVar(&opts.Port, "port", config.DefaultPort, "The port for the sentry server to listen on")
+	fs.StringVar(&opts.ListenAddress, "listen-address", "", "The listen address for the sentry server")
 	fs.IntVar(&opts.HealthzPort, "healthz-port", 8080, "The port for the healthz server to listen on")
+	fs.StringVar(&opts.HealthzListenAddress, "healthz-listen-address", "", "The listening address for the healthz server")
 
 	if home := homedir.HomeDir(); home != "" {
 		fs.StringVar(&opts.Kubeconfig, "kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")

pkg/api/http/config.go

@@ -20,6 +20,7 @@ type ServerConfig struct {
 	Port                    int
 	APIListenAddresses      []string
 	PublicPort              *int
+	PublicListenAddress     string
 	ProfilePort             int
 	AllowedOrigins          string
 	EnableProfiling         bool

pkg/api/http/server.go

@@ -174,7 +174,7 @@ func (s *server) StartNonBlocking() error {
 		s.setupRoutes(publicR, s.api.PublicEndpoints())
 
 		healthServer := &http.Server{
-			Addr:              fmt.Sprintf(":%d", *s.config.PublicPort),
+			Addr:              fmt.Sprintf("%s:%d", s.config.PublicListenAddress, *s.config.PublicPort),
 			Handler:           publicR,
 			ReadHeaderTimeout: 10 * time.Second,
 			MaxHeaderBytes:    s.config.ReadBufferSize,

pkg/health/server.go

@@ -28,7 +28,7 @@ import (
 
 // Server is the interface for the healthz server.
 type Server interface {
-	Run(context.Context, int) error
+	Run(context.Context, string, int) error
 	Ready()
 }
 
@@ -107,10 +107,10 @@ func (s *server) Ready() {
 }
 
 // Run starts a net/http server with a healthz endpoint.
-func (s *server) Run(ctx context.Context, port int) error {
+func (s *server) Run(ctx context.Context, listenAddress string, port int) error {
 	//nolint:gosec
 	srv := &http.Server{
-		Addr:        fmt.Sprintf(":%d", port),
+		Addr:        fmt.Sprintf("%s:%d", listenAddress, port),
 		Handler:     s.router,
 		BaseContext: func(_ net.Listener) context.Context { return ctx },
 	}