github.com/replicatedcom/ship@v0.50.0/integration/init/istio/expected/.ship/upstream/templates/sidecar-injector-configmap.yaml (about) 1 {{- if not .Values.global.omitSidecarInjectorConfigMap }} 2 apiVersion: v1 3 kind: ConfigMap 4 metadata: 5 name: istio-sidecar-injector 6 namespace: {{ .Release.Namespace }} 7 labels: 8 app: {{ template "istio.name" . }} 9 chart: {{ template "istio.chart" . }} 10 heritage: {{ .Release.Service }} 11 release: {{ .Release.Name }} 12 istio: sidecar-injector 13 data: 14 config: |- 15 policy: {{ .Values.global.proxy.autoInject }} 16 template: |- 17 initContainers: 18 - name: istio-init 19 {{- if contains "/" .Values.global.proxy_init.image }} 20 image: "{{ .Values.global.proxy_init.image }}" 21 {{- else }} 22 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 23 {{- end }} 24 args: 25 - "-p" 26 - {{ "[[ .MeshConfig.ProxyListenPort ]]" }} 27 - "-u" 28 - 1337 29 - "-m" 30 - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }} 31 - "-i" 32 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }} 33 - "-x" 34 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }} 35 - "-b" 36 - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }} 37 - "-d" 38 - {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }} 39 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 40 resources: 41 requests: 42 cpu: 10m 43 memory: 10Mi 44 limits: 45 cpu: 10m 46 memory: 10Mi 47 securityContext: 48 capabilities: 49 add: 50 - NET_ADMIN 51 {{ if .Values.global.proxy.privileged }} 52 privileged: true 53 {{ end -}} 54 restartPolicy: Always 55 {{ if eq .Values.global.proxy.enableCoreDump true }} 56 - name: enable-core-dump 57 args: 58 - -c 59 - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited 60 command: 61 - /bin/sh 62 {{- if contains "/" .Values.global.proxy_init.image }} 63 image: "{{ .Values.global.proxy_init.image }}" 64 {{- else }} 65 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 66 {{- end }} 67 imagePullPolicy: IfNotPresent 68 resources: {} 69 securityContext: 70 privileged: true 71 {{ end }} 72 containers: 73 - name: istio-proxy 74 {{- if contains "/" .Values.global.proxy.image }} 75 image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }} 76 {{- else }} 77 image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }} 78 {{- end }} 79 {{ if ne .Values.global.proxy.stats.prometheusPort 0. }} 80 ports: 81 - containerPort: {{ .Values.global.proxy.stats.prometheusPort }} 82 protocol: TCP 83 name: http-envoy-prom 84 {{ end }} 85 args: 86 - proxy 87 - sidecar 88 {{- if .Values.global.proxy.proxyDomain }} 89 - --domain 90 - {{ .Values.global.proxy.proxyDomain }} 91 {{- end }} 92 - --configPath 93 - {{ "[[ .ProxyConfig.ConfigPath ]]" }} 94 - --binaryPath 95 - {{ "[[ .ProxyConfig.BinaryPath ]]" }} 96 - --serviceCluster 97 {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} 98 - {{ "[[ index .ObjectMeta.Labels \"app\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }} 99 {{ "[[ else -]]" }} 100 - {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }} 101 {{ "[[ end -]]" }} 102 - --drainDuration 103 - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} 104 - --parentShutdownDuration 105 - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} 106 - --discoveryAddress 107 - {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }} 108 {{- if eq .Values.global.proxy.tracer "lightstep" }} 109 - --lightstepAddress 110 - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }} 111 - --lightstepAccessToken 112 - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }} 113 - --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }} 114 - --lightstepCacertPath 115 - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} 116 {{- else if eq .Values.global.proxy.tracer "zipkin" }} 117 - --zipkinAddress 118 - {{ "[[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }} 119 {{- end }} 120 - --connectTimeout 121 - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }} 122 {{- if .Values.global.proxy.envoyStatsd.enabled }} 123 - --statsdUdpAddress 124 - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} 125 {{- end }} 126 - --proxyAdminPort 127 - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} 128 {{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }} 129 - --concurrency 130 - {{ "[[ .ProxyConfig.Concurrency ]]" }} 131 {{ "[[ end -]]" }} 132 - --controlPlaneAuthPolicy 133 - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }} 134 {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} 135 - --statusPort 136 - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} 137 - --applicationPorts 138 - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }} 139 {{ "[[- end ]]" }} 140 env: 141 - name: POD_NAME 142 valueFrom: 143 fieldRef: 144 fieldPath: metadata.name 145 - name: POD_NAMESPACE 146 valueFrom: 147 fieldRef: 148 fieldPath: metadata.namespace 149 - name: INSTANCE_IP 150 valueFrom: 151 fieldRef: 152 fieldPath: status.podIP 153 - name: ISTIO_META_POD_NAME 154 valueFrom: 155 fieldRef: 156 fieldPath: metadata.name 157 - name: ISTIO_META_INTERCEPTION_MODE 158 value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} 159 {{ "[[ if .ObjectMeta.Annotations ]]" }} 160 - name: ISTIO_METAJSON_ANNOTATIONS 161 value: | 162 {{ "[[ toJSON .ObjectMeta.Annotations ]]" }} 163 {{ "[[ end ]]" }} 164 {{ "[[ range $k,$v := .ObjectMeta.Labels ]]" }} 165 - name: ISTIO_META_{{ "[[ $k ]]" }} 166 value: "{{ "[[ $v ]]" }}" 167 {{ "[[ end ]]" }} 168 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 169 {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} 170 readinessProbe: 171 httpGet: 172 path: /healthz/ready 173 port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} 174 initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }} 175 periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }} 176 failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }} 177 {{ "[[ end -]]" -}} 178 securityContext: 179 {{ if .Values.global.proxy.privileged }} 180 privileged: true 181 {{ end -}} 182 {{- if ne .Values.global.proxy.enableCoreDump true }} 183 readOnlyRootFilesystem: true 184 {{- end }} 185 {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }} 186 capabilities: 187 add: 188 - NET_ADMIN 189 runAsGroup: 1337 190 {{ "[[ else -]]" }} 191 runAsUser: 1337 192 {{ "[[- end ]]" }} 193 resources: 194 {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }} 195 requests: 196 cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }} 197 memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }} 198 {{ "[[ else -]]" }} 199 {{- if .Values.global.proxy.resources }} 200 {{ toYaml .Values.global.proxy.resources | indent 10 }} 201 {{- end }} 202 {{ "[[ end -]]" }} 203 volumeMounts: 204 - mountPath: /etc/istio/proxy 205 name: istio-envoy 206 - mountPath: /etc/certs/ 207 name: istio-certs 208 readOnly: true 209 {{ if .Values.global.sdsEnabled }} 210 - mountPath: /var/run/sds 211 name: sds-uds-path 212 {{- end }} 213 {{ if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 214 - mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} 215 name: lightstep-certs 216 readOnly: true 217 {{- end }} 218 volumes: 219 {{ if .Values.global.sdsEnabled }} 220 - name: sds-uds-path 221 hostPath: 222 path: /var/run/sds 223 {{- end }} 224 {{ if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 225 - name: lightstep-certs 226 secret: 227 optional: true 228 secretName: lightstep.cacert 229 {{- end }} 230 - emptyDir: 231 medium: Memory 232 name: istio-envoy 233 - name: istio-certs 234 secret: 235 optional: true 236 {{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }} 237 secretName: istio.default 238 {{ "[[ else -]]" }} 239 secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} 240 {{ "[[ end -]]" }} 241 {{- end }} 242 {{- if .Values.global.podDNSConfig }} 243 {{ toYaml .Values.global.podDNSConfig | indent 8 }} 244 {{- end }}