github.com/replicatedcom/ship@v0.50.0/integration/init/istio-1.0.3/expected/.ship/upstream/templates/sidecar-injector-configmap.yaml (about) 1 {{- if not .Values.global.omitSidecarInjectorConfigMap }} 2 apiVersion: v1 3 kind: ConfigMap 4 metadata: 5 name: istio-sidecar-injector 6 namespace: {{ .Release.Namespace }} 7 labels: 8 app: {{ template "istio.name" . }} 9 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 10 release: {{ .Release.Name }} 11 heritage: {{ .Release.Service }} 12 istio: sidecar-injector 13 data: 14 config: |- 15 policy: {{ .Values.global.proxy.autoInject }} 16 template: |- 17 initContainers: 18 - name: istio-init 19 {{- if contains "/" .Values.global.proxy_init.image }} 20 image: "{{ .Values.global.proxy_init.image }}" 21 {{- else }} 22 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 23 {{- end }} 24 args: 25 - "-p" 26 - {{ "[[ .MeshConfig.ProxyListenPort ]]" }} 27 - "-u" 28 - 1337 29 - "-m" 30 - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }} 31 - "-i" 32 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }} 33 - "-x" 34 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }} 35 - "-b" 36 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }} 37 - "-d" 38 - {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }} 39 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 40 securityContext: 41 capabilities: 42 add: 43 - NET_ADMIN 44 privileged: true 45 restartPolicy: Always 46 {{- if .Values.global.proxy.enableCoreDump }} 47 - args: 48 - -c 49 - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited 50 command: 51 - /bin/sh 52 image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }} 53 imagePullPolicy: IfNotPresent 54 name: enable-core-dump 55 resources: {} 56 securityContext: 57 privileged: true 58 {{ end }} 59 containers: 60 - name: istio-proxy 61 {{- if contains "/" .Values.global.proxy.image }} 62 image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }} 63 {{- else }} 64 image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }} 65 {{- end }} 66 {{ if ne .Values.global.proxy.stats.prometheusPort 0. }} 67 ports: 68 - containerPort: {{ .Values.global.proxy.stats.prometheusPort }} 69 protocol: TCP 70 name: http-envoy-prom 71 {{ end }} 72 args: 73 - proxy 74 - sidecar 75 - --configPath 76 - {{ "[[ .ProxyConfig.ConfigPath ]]" }} 77 - --binaryPath 78 - {{ "[[ .ProxyConfig.BinaryPath ]]" }} 79 - --serviceCluster 80 {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} 81 - {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }} 82 {{ "[[ else -]]" }} 83 - "istio-proxy" 84 {{ "[[ end -]]" }} 85 - --drainDuration 86 - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} 87 - --parentShutdownDuration 88 - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} 89 - --discoveryAddress 90 - {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }} 91 - --discoveryRefreshDelay 92 - {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }} 93 - --zipkinAddress 94 - {{ "[[ .ProxyConfig.ZipkinAddress ]]" }} 95 - --connectTimeout 96 - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }} 97 {{- if .Values.global.proxy.envoyStatsd.enabled }} 98 - --statsdUdpAddress 99 - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} 100 {{- end }} 101 - --proxyAdminPort 102 - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} 103 {{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }} 104 - --concurrency 105 - {{ "[[ .ProxyConfig.Concurrency ]]" }} 106 {{ "[[ end -]]" }} 107 - --controlPlaneAuthPolicy 108 - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }} 109 {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} 110 - --statusPort 111 - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} 112 - --applicationPorts 113 - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }} 114 {{ "[[- end ]]" }} 115 env: 116 - name: POD_NAME 117 valueFrom: 118 fieldRef: 119 fieldPath: metadata.name 120 - name: POD_NAMESPACE 121 valueFrom: 122 fieldRef: 123 fieldPath: metadata.namespace 124 - name: INSTANCE_IP 125 valueFrom: 126 fieldRef: 127 fieldPath: status.podIP 128 - name: ISTIO_META_POD_NAME 129 valueFrom: 130 fieldRef: 131 fieldPath: metadata.name 132 - name: ISTIO_META_INTERCEPTION_MODE 133 value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} 134 {{ "[[ if .ObjectMeta.Annotations ]]" }} 135 - name: ISTIO_METAJSON_ANNOTATIONS 136 value: | 137 {{ "[[ toJson .ObjectMeta.Annotations ]]" }} 138 {{ "[[ end ]]" }} 139 {{ "[[ range $k,$v := .ObjectMeta.Labels ]]" }} 140 - name: ISTIO_META_{{ "[[ $k ]]" }} 141 value: "{{ "[[ $v ]]" }}" 142 {{ "[[ end ]]" }} 143 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 144 {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} 145 readinessProbe: 146 httpGet: 147 path: /healthz/ready 148 port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} 149 initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }} 150 periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }} 151 failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }} 152 {{ "[[ end -]]" -}} 153 securityContext: 154 {{ if .Values.global.proxy.privileged }} 155 privileged: true 156 {{ end -}} 157 {{- if ne .Values.global.proxy.enableCoreDump true }} 158 readOnlyRootFilesystem: true 159 {{- end }} 160 {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }} 161 capabilities: 162 add: 163 - NET_ADMIN 164 runAsGroup: 1337 165 {{ "[[ else -]]" }} 166 runAsUser: 1337 167 {{ "[[ end -]]" }} 168 restartPolicy: Always 169 resources: 170 {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }} 171 requests: 172 cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }} 173 memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }} 174 {{ "[[ else -]]" }} 175 {{- if .Values.global.proxy.resources }} 176 {{ toYaml .Values.global.proxy.resources | indent 10 }} 177 {{- end }} 178 {{ "[[ end -]]" }} 179 volumeMounts: 180 - mountPath: /etc/istio/proxy 181 name: istio-envoy 182 - mountPath: /etc/certs/ 183 name: istio-certs 184 readOnly: true 185 volumes: 186 - emptyDir: 187 medium: Memory 188 name: istio-envoy 189 - name: istio-certs 190 secret: 191 optional: true 192 {{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }} 193 secretName: istio.default 194 {{ "[[ else -]]" }} 195 secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} 196 {{ "[[ end -]]" }} 197 {{- end }}