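# Chart template: manifests/charts/gateway/templates/deployment.yaml
# (istio.io/istio@v0.0.0-20240520182934-d79c90f27776)
#
# Renders the gateway workload. The kind comes from .Values.kind and defaults
# to Deployment. The proxy container image is the literal placeholder "auto",
# so the pod only becomes runnable after the injection webhook has mutated it.
apiVersion: apps/v1
kind: {{ .Values.kind | default "Deployment" }}
metadata:
  name: {{ include "gateway.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "gateway.labels" . | nindent 4}}
  annotations:
    {{- .Values.annotations | toYaml | nindent 4 }}
spec:
  # replicas is only pinned when autoscaling is disabled and a count is set;
  # otherwise the field is omitted from the rendered manifest.
  {{- if not .Values.autoscaling.enabled }}
  {{- with .Values.replicaCount }}
  replicas: {{ . }}
  {{- end }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        # Requests injection for this pod; the "auto" image below depends on it.
        sidecar.istio.io/inject: "true"
        {{- with .Values.revision }}
        istio.io/rev: {{ . | quote }}
        {{- end }}
        {{- include "gateway.podLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
      # Pod-level security context. A non-empty .Values.securityContext is
      # rendered verbatim and REPLACES the default below (no merge), so an
      # override that still needs the proxy to bind ports below 1024 as a
      # non-root user must restate the sysctl itself.
      securityContext:
      {{- if .Values.securityContext }}
        {{- toYaml .Values.securityContext | nindent 8 }}
      {{- else }}
        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      {{- end }}
      {{- with .Values.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: istio-proxy
          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
          image: auto
          {{- with .Values.imagePullPolicy }}
          imagePullPolicy: {{ . | quote }}
          {{- end }}
          # Container-level security context. As with the pod-level block, a
          # non-empty .Values.containerSecurityContext REPLACES the hardened
          # default wholesale: dropped capabilities, no privilege escalation,
          # read-only root filesystem and non-root execution are all lost
          # unless the override restates them.
          securityContext:
          {{- if .Values.containerSecurityContext }}
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          {{- else }}
            capabilities:
              drop:
              - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            # UID/GID are not pinned on OpenShift (presumably left to the
            # platform to assign); runAsNonRoot below still applies there.
            {{- if not (eq .Values.platform "openshift") }}
            runAsUser: 1337
            runAsGroup: 1337
            {{- end }}
            runAsNonRoot: true
          {{- end }}
          # Entries from .Values.env are rendered as literal values and are
          # readable by anyone who can read this workload object; keep
          # credentials out of them. Names and values go through "quote" so
          # that YAML cannot retype or split them.
          env:
          {{- with .Values.networkGateway }}
          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
            value: {{ . | quote }}
          {{- end }}
          {{- range $key, $val := .Values.env }}
          - name: {{ $key | quote }}
            value: {{ $val | quote }}
          {{- end }}
          ports:
          - containerPort: 15090
            protocol: TCP
            name: http-envoy-prom
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- with .Values.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
      {{- with .Values.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}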