[Master] Respect disabling placement with global.actors.enabled (dapr#8589)

* allow globally disabling placement connection

Signed-off-by: Cassandra Coyle <[email protected]>

* add test

Signed-off-by: Cassandra Coyle <[email protected]>

* cherrypick

Signed-off-by: Cassandra Coyle <[email protected]>

---------

Signed-off-by: Cassandra Coyle <[email protected]>
Co-authored-by: Dapr Bot <[email protected]>

Author: cicoyle

docs/release_notes/v1.15.4.md

@@ -3,8 +3,12 @@
 This update includes bug fixes:
 
 - [Fix degradation of Workflow runtime performance over time](#fix-degradation-of-workflow-runtime-performance-over-time)
-- [Allow Service Account for MetalBear mirrord operator in sidecar injector](#allow-service-account-for-metalbear-mirrord-operator-in-sidecar-injector)
+- [Fix remote Actor invocation 500 retry](#fix-remote-actor-invocation-500-retry)
+- [Fix Global Actors Enabled Configuration](#fix-global-actors-enabled-configuration)
 - [Prevent panic of reminder operations on slow Actor Startup](#prevent-panic-of-reminder-operations-on-slow-actor-startup)
+- [Remove client-side rate limiter from Sentry](#remove-client-side-rate-limiter-from-sentry)
+- [Allow Service Account for MetalBear mirrord operator in sidecar injector](#allow-service-account-for-metalbear-mirrord-operator-in-sidecar-injector)
+- [Fix Scheduler Client connection pruning](#fix-scheduler-client-connection-pruning)
 
 ## Fix degradation of Workflow runtime performance over time
 
@@ -26,23 +30,48 @@ This caused Jobs to fail, and enter failure policy retry loops.
 
 Refactor the Scheduler connection pool logic to properly prune stale connections to prevent job execution occurring on stale connections and causing failure policy loops.
 
-## Allow Service Account for MetalBear mirrord operator in sidecar injector
+## Fix remote Actor invocation 500 retry
 
 ### Problem
 
-Mirrord Operator is not on the allow list of Service Accounts for the dapr sidecar injector.
+An actor invocation across hosts which result in a 500 HTTP header response code would result in the request being retried 5 times.
 
 ### Impact
 
-Running mirrord in `copy_target` mode would cause the pod to initalise with without the dapr container.
+Services which return a 500 HTTP header response code would result in requests under normal operation to return slowly, and request the service on the same request multiple times.
 
 ### Root cause
 
-Mirrord Operator is not on the allow list of Service Accounts for the dapr sidecar injector.
+The Actor engine considered a 500 HTTP header response code to be a retriable error, rather than a successful request which returned a non-200 status code.
 
 ### Solution
 
-Add the Mirrord Operator into the allow list of Service Accounts for the dapr sidecar injector.
+Remove the 500 HTTP header response code from the list of retriable errors.
+
+### Problem
+
+## Fix Global Actors Enabled Configuration
+
+### Problem
+
+When `global.actors.enabled` was set to `false` via Helm or the environment variable `ACTORS_ENABLED=false`, the Dapr sidecar would still attempt to connect to the placement service, causing readiness probe failures and repeatedly logged errors about failing to connect to placement.
+Fixes this [issue](https://github.com/dapr/dapr/issues/8551).
+
+### Impact
+
+Dapr sidecars would fail their readiness probes and log errors like:
+```
+Failed to connect to placement dns:///dapr-placement-server.dapr-system.svc.cluster.local:50005: failed to create placement client: rpc error: code = Unavailable desc = last resolver error: produced zero addresses
+```
+
+### Root cause
+
+The sidecar injector was not properly respecting the global actors enabled configuration when setting up the placement service connection.
+
+### Solution
+
+The sidecar injector now properly respects the `global.actors.enabled` helm configuration and `ACTORS_ENABLED` environment variable. When set to `false`, it will not attempt to connect to the placement service, allowing the sidecar to start successfully without actor functionality.
+
 
 ## Prevent panic of reminder operations on slow Actor Startup
 
@@ -61,3 +90,57 @@ The Dapr runtime would attempt to use the reminder service before it was initial
 ### Solution
 
 Correctly return an errors that the actor runtime was not ready in time for the reminder operation.
+
+## Remove client-side rate limiter from Sentry
+
+### Problem
+
+A cold start of many Dapr deployments would take a long time, and even cause some crash loops.
+
+### Impact
+
+A large Dapr deployment would take a non-linear more amount of time that a smaller one to completely roll out.
+
+### Root cause
+
+The Sentry Kubernetes client was configured with a rate limiter which would be exhausted when services all new Dapr deployment at once, cause many client to wait significantly.
+
+### Solution
+
+Remove the client-side rate limiting from the Sentry Kubernetes client.
+
+## Allow Service Account for MetalBear mirrord operator in sidecar injector
+
+### Problem
+
+Mirrord Operator is not on the allow list of Service Accounts for the dapr sidecar injector.
+
+### Impact
+
+Running mirrord in `copy_target` mode would cause the pod to initalise without the dapr container.
+
+### Root cause
+
+Mirrord Operator is not on the allow list of Service Accounts for the dapr sidecar injector.
+
+### Solution
+
+Add the Mirrord Operator into the allow list of Service Accounts for the dapr sidecar injector.
+
+## Fix Scheduler Client connection pruning
+
+### Problem
+
+Daprd would attempt to connect to stale Scheduler addresses.
+
+### Impact
+
+Network resource usage and error reporting from service mesh sidecars.
+
+### Root cause
+
+Daprd would not close Scheduler gRPC connections to hosts which no longer exist.
+
+### Solution
+
+Daprd now closes connections to Scheduler hosts when they are no longer in the list of active hosts.

pkg/injector/service/config_test.go

@@ -26,12 +26,27 @@ import (
 )
 
 func TestGetInjectorConfig(t *testing.T) {
+	t.Setenv("NAMESPACE", "test-namespace")
+	t.Setenv("SIDECAR_IMAGE", "daprd-test-image")
+
+	t.Run("respect globally disabling placement", func(t *testing.T) {
+		t.Setenv("ACTORS_ENABLED", "false")
+		cfg, err := GetConfig()
+		require.NoError(t, err)
+		assert.False(t, cfg.parsedActorsEnabled)
+		assert.Equal(t, "false", cfg.ActorsEnabled)
+	})
+	t.Run("default placement is enabled", func(t *testing.T) {
+		cfg, err := GetConfig()
+		require.NoError(t, err)
+		assert.Empty(t, cfg.ActorsEnabled)
+		assert.True(t, cfg.parsedActorsEnabled)
+	})
+
 	t.Run("with kube cluster domain env", func(t *testing.T) {
 		t.Setenv("TLS_CERT_FILE", "test-cert-file")
 		t.Setenv("TLS_KEY_FILE", "test-key-file")
-		t.Setenv("SIDECAR_IMAGE", "daprd-test-image")
 		t.Setenv("SIDECAR_IMAGE_PULL_POLICY", "Always")
-		t.Setenv("NAMESPACE", "test-namespace")
 		t.Setenv("KUBE_CLUSTER_DOMAIN", "cluster.local")
 		t.Setenv("ALLOWED_SERVICE_ACCOUNTS", "test1:test-service-account1,test2:test-service-account2")
 		t.Setenv("ALLOWED_SERVICE_ACCOUNTS_PREFIX_NAMES", "namespace:test-service-account1,namespace2*:test-service-account2")
@@ -49,9 +64,7 @@ func TestGetInjectorConfig(t *testing.T) {
 	t.Run("not set kube cluster domain env", func(t *testing.T) {
 		t.Setenv("TLS_CERT_FILE", "test-cert-file")
 		t.Setenv("TLS_KEY_FILE", "test-key-file")
-		t.Setenv("SIDECAR_IMAGE", "daprd-test-image")
 		t.Setenv("SIDECAR_IMAGE_PULL_POLICY", "IfNotPresent")
-		t.Setenv("NAMESPACE", "test-namespace")
 		t.Setenv("KUBE_CLUSTER_DOMAIN", "")
 
 		cfg, err := GetConfig()
@@ -65,8 +78,6 @@ func TestGetInjectorConfig(t *testing.T) {
 	t.Run("sidecar run options not set", func(t *testing.T) {
 		t.Setenv("TLS_CERT_FILE", "test-cert-file")
 		t.Setenv("TLS_KEY_FILE", "test-key-file")
-		t.Setenv("SIDECAR_IMAGE", "daprd-test-image")
-		t.Setenv("NAMESPACE", "test-namespace")
 
 		// Default values are true
 		t.Setenv("SIDECAR_RUN_AS_NON_ROOT", "")

pkg/injector/service/pod_patch.go

@@ -80,10 +80,13 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sidecar.CurrentTrustAnchors = trustAnchors
 	sidecar.DisableTokenVolume = !token.HasKubernetesToken()
 
-	// Set addresses for actor services
+	// Set addresses for actor services only if it's not explicitly globally disabled
 	// Even if actors are disabled, however, the placement-host-address flag will still be included if explicitly set in the annotation dapr.io/placement-host-address
 	// So, if the annotation is already set, we accept that and also use placement for actors services
-	if sidecar.PlacementAddress == "" {
+	if !i.config.GetActorsEnabled() {
+		sidecar.ActorsService = ""
+		sidecar.PlacementAddress = ""
+	} else if sidecar.PlacementAddress == "" {
 		// Set configuration for the actors service
 		actorsSvcName, actorsSvc := i.config.GetActorsService()
 		actorsSvcAddr := actorsSvc.Address(i.config.Namespace, i.config.KubeClusterDomain)