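{{- /*
Deployment for the Istio ingress gateway: a single istio-proxy container
started in "router" mode (no application container).

This template renders only when the gateway has no injectionTemplate; with an
injection template the pod is assembled by the sidecar injector instead and
this file emits nothing.

Security-relevant behaviour visible below:
  - runAsRoot=false (the default) pins UID/GID 1337, runAsNonRoot, dropped
    capabilities, no privilege escalation and a read-only root filesystem.
    runAsRoot=true removes ALL of those settings, not just the UID.
  - global.proxy.enableCoreDump adds a privileged, root init container that
    writes the kernel.core_pattern sysctl (a node-wide kernel setting).
  - Identity is obtained from a projected, audience-bound service-account
    token (12h lifetime); global.mountMtlsCerts additionally mounts a
    long-lived key/cert Secret for the legacy certificate path.
  - Operator-supplied env values and proxyMetadata are rendered with `quote`
    so quotes/backslashes in a value cannot break or alter the manifest.
*/}}
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
  # Only pin replicas when no HPA owns the count; otherwise every upgrade
  # would fight the autoscaler.
  replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
  selector:
    matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
{{- end }}
        service.istio.io/canonical-name: {{ $gateway.name }}
        service.istio.io/canonical-revision: {{ index $gateway.labels "app.kubernetes.io/version" | default (index $gateway.labels "version") | default .Values.revision | default "latest" | quote }}
        istio.io/rev: {{ .Values.revision | default "default" | quote }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        # The gateway IS the proxy; keep the injector from adding a second one.
        sidecar.istio.io/inject: "false"
      annotations:
        istio.io/rev: {{ .Values.revision | default "default" | quote }}
{{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
{{- end }}
        sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
    spec:
{{- if not $gateway.runAsRoot }}
      # Pod-level hardening. On OpenShift the UID/GID is assigned by the SCC,
      # so only runAsNonRoot is pinned there.
      securityContext:
{{- if not (eq .Values.global.platform "openshift") }}
        runAsUser: 1337
        runAsGroup: 1337
{{- end }}
        runAsNonRoot: true
{{- end }}
      serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.proxy.enableCoreDump }}
      # Debug aid only: a privileged root container that changes a node-wide
      # kernel sysctl. Leave enableCoreDump off in production clusters.
      initContainers:
        - name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
          command:
            - /bin/sh
          args:
            - -c
            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
{{- end }}
      containers:
        - name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
          ports:
{{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
            # Envoy's own (unmerged) Prometheus endpoint.
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
            - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
            - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
            - --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
            - --log_as_json
{{- end }}
{{- if .Values.global.sts.servicePort }}
            - --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
          # Container-level hardening. None of this is emitted when
          # runAsRoot=true, so that switch is a full downgrade, not just a UID change.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
{{- end }}
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          env:
            - name: PILOT_CERT_PROVIDER
              value: {{ .Values.global.pilotCertProvider | quote }}
            - name: CA_ADDR
{{- if .Values.global.caAddress }}
              value: {{ .Values.global.caAddress | quote }}
{{- else }}
              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: ISTIO_CPU_LIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_WORKLOAD_NAME
              value: {{ $gateway.name }}
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }}
            - name: ISTIO_META_MESH_ID
              value: "{{ $.Values.global.meshID }}"
{{- else if .Values.meshConfig.trustDomain }}
            - name: ISTIO_META_MESH_ID
              value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if .Values.meshConfig.trustDomain }}
            - name: TRUST_DOMAIN
              value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if not $gateway.runAsRoot }}
            - name: ISTIO_META_UNPRIVILEGED_POD
              value: "true"
{{- end }}
            # Operator-controlled values: `quote` escapes embedded quotes and
            # backslashes so a value can neither break the manifest nor be
            # reinterpreted as a YAML escape sequence.
{{- range $key, $val := $gateway.env }}
            - name: {{ $key }}
              value: {{ $val | quote }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
            - name: {{ $key }}
              value: {{ $value | quote }}
{{- end }}
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
            - name: ISTIO_META_NETWORK
              value: "{{ .Values.global.network }}"
{{- end }}
            - name: ISTIO_META_CLUSTER_ID
              value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
            - name: ISTIO_META_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            - name: credential-socket
              mountPath: /var/run/secrets/credential-uds
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            - name: istio-envoy
              mountPath: /etc/istio/proxy
            - name: config-volume
              mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
{{- end }}
            - name: istio-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
{{- if .Values.global.mountMtlsCerts }}
            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
{{- end }}
            - mountPath: /var/lib/istio/data
              name: istio-data
            - name: podinfo
              mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
            - name: {{ .name }}
              mountPath: {{ .mountPath | quote }}
              readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
            - name: {{ .name }}
              mountPath: {{ .mountPath | quote }}
              readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
      volumes:
        - emptyDir: {}
          name: workload-socket
        - emptyDir: {}
          name: credential-socket
        - emptyDir: {}
          name: workload-certs
{{- if eq .Values.global.pilotCertProvider "istiod" }}
        - name: istiod-ca-cert
          configMap:
            name: istio-ca-root-cert
{{- end }}
        # Exposes the pod's own labels/annotations to the proxy.
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "annotations"
                fieldRef:
                  fieldPath: metadata.annotations
        - name: istio-envoy
          emptyDir: {}
        - name: istio-data
          emptyDir: {}
        # Audience-bound service-account token with a 12h lifetime, refreshed
        # by the kubelet; the audience must match what istiod/the CA expects.
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  path: istio-token
                  expirationSeconds: 43200
                  audience: {{ .Values.global.sds.token.aud | quote }}
{{- if .Values.global.mountMtlsCerts }}
        # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
        # The Secret name follows the pod's own service account
        # ({{ $gateway.name }}-service-account) so a renamed gateway never
        # mounts another gateway's identity.
        - name: istio-certs
          secret:
            secretName: istio.{{ $gateway.name }}-service-account
            optional: true
{{- end }}
        - name: config-volume
          configMap:
            name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
            optional: true
        # optional: true means a mistyped secretName/configMapName yields an
        # empty mount rather than a failed pod; verify names when TLS
        # material is expected at the mountPath.
{{- range $gateway.secretVolumes }}
        - name: {{ .name }}
          secret:
            secretName: {{ .secretName | quote }}
            optional: true
{{- end }}
{{- range $gateway.configVolumes }}
        - name: {{ .name }}
          configMap:
            name: {{ .configMapName | quote }}
            optional: true
{{- end }}
      affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
      tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}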