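{{- /* Injection template for the Envoy-less "gRPC agent" sidecar: an istio-proxy container that runs
     pilot-agent only (DISABLE_ENVOY=true), plus the env vars and volume mounts every application
     container needs so that its gRPC xDS client can reach the agent over the shared volumes. */}}
{{- /* "resources": body of the istio-proxy container's `resources:` field. Per-pod annotations
     (sidecar.istio.io/proxyCPU, proxyMemory, proxyCPULimit, proxyMemoryLimit) take precedence and
     only the keys that are set are emitted; otherwise .Values.global.proxy.resources is used. */}}
{{- define "resources" }}
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
      requests:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
        {{ end }}
    {{- end }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
      limits:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
        {{ end }}
    {{- end }}
  {{- else }}
    {{- if .Values.global.proxy.resources }}
      {{- /* NOTE(review): the template's own leading whitespace supplies the first line's indent and
           `indent 6` the rest; this relies on an `indent` that skips the first line — confirm
           against the injector's function map. */}}
      {{ toYaml .Values.global.proxy.resources | indent 6 }}
    {{- end }}
  {{- end }}
{{- end }}
{{- /* Names of every container except istio-proxy; used for the kubectl default-container
     annotations below and exported to the agent as ISTIO_META_APP_CONTAINERS. */}}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
  labels:
    {{/* security.istio.io/tlsMode: istio must be set by the user if gRPC is using the mTLS initialization code. We can't set it automatically. */}}
    {{- /* Canonical name/revision: first matching label wins, falling back to the owner's name and "latest". */}}
    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
  annotations: {
    istio.io/rev: {{ .Revision | default "default" | quote }},
    {{- if ge (len $containers) 1 }}
    {{- /* Point kubectl at the first application container unless the pod already chose one. */}}
    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
    {{- end }}
    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
    {{- end }}
    {{- end }}
    {{- /* There is no Envoy in this pod, so application HTTP probes are never rewritten. */}}
    sidecar.istio.io/rewriteAppHTTPProbers: "false",
  }
spec:
  containers:
  - name: istio-proxy
  {{- /* A proxyImage annotation/value is used verbatim only when it looks like a full image path
       (contains "/"); otherwise the injector-computed .ProxyImage is used. */}}
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
  {{- else }}
    image: "{{ .ProxyImage }}"
  {{- end }}
    ports:
    - containerPort: 15020
      protocol: TCP
      name: mesh-metrics
    args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
  {{- if .Values.global.sts.servicePort }}
    - --stsPort={{ .Values.global.sts.servicePort }}
  {{- end }}
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
    {{- /* postStart blocks the container from being considered started until the agent reports ready on 15020. */}}
    lifecycle:
      postStart:
        exec:
          command:
          - pilot-agent
          - wait
          - --url=http://localhost:15020/healthz/ready
    env:
    - name: ISTIO_META_GENERATOR
      value: grpc
    {{- /* Workload certs are written to istio-data, which is also mounted into every application
         container below (/var/lib/istio/data) so the gRPC xDS client can load them. */}}
    - name: OUTPUT_CERTS
      value: /var/lib/istio/data
    {{- if eq .InboundTrafficPolicyMode "localhost" }}
    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
      value: "true"
    {{- end }}
    - name: PILOT_CERT_PROVIDER
      value: {{ .Values.global.pilotCertProvider }}
    {{- /* CA address: explicit override, else the istiod service of this revision on 15012. */}}
    - name: CA_ADDR
    {{- if .Values.global.caAddress }}
      value: {{ .Values.global.caAddress }}
    {{- else }}
      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
    {{- end }}
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: PROXY_CONFIG
      value: |
             {{ protoToJSON .ProxyConfig }}
    {{- /* JSON array of every declared container port; $first handles the separating commas.
         Keep template comments out of the block scalar below — they would become content. */}}
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
        {{- $first := true }}
        {{- range $index1, $c := .Spec.Containers }}
          {{- range $index2, $p := $c.Ports }}
            {{- if (structToJSON $p) }}
            {{if not $first}},{{end}}{{ structToJSON $p }}
            {{- $first = false }}
            {{- end }}
          {{- end}}
        {{- end}}
        ]
    - name: ISTIO_META_APP_CONTAINERS
      value: "{{ $containers | join "," }}"
    - name: ISTIO_META_CLUSTER_ID
      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
    - name: ISTIO_META_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    {{- if .Values.global.network }}
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
    {{ end }}
    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
    {{- end}}
    {{- /* Mesh ID: explicit meshID, else the trust domain. */}}
    {{- if .Values.global.meshID }}
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.meshID }}"
    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: ISTIO_META_MESH_ID
      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
    {{- end }}
    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: TRUST_DOMAIN
      value: "{{ . }}"
    {{- end }}
    {{- /* Every ProxyConfig.proxyMetadata entry becomes an environment variable of the agent. */}}
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    # grpc uses xds:/// to resolve – no need to resolve VIP
    - name: ISTIO_META_DNS_CAPTURE
      value: "false"
    - name: DISABLE_ENVOY
      value: "true"
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
    {{- /* The readiness probe is omitted when the status port annotation/value is `0`. The `end`
         sits directly after the probe so that `resources` and `volumeMounts` are rendered
         unconditionally; previously they were inside this `if` and vanished with the probe. */}}
    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
    readinessProbe:
      httpGet:
        path: /healthz/ready
        port: 15020
      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
      timeoutSeconds: 3
      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
    {{- end }}
    resources:
      {{ template "resources" . }}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    {{- /* Workload credentials: the GKE CSI mount is read-only; the emptyDir variant is writable
         because the agent itself populates it. */}}
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate
      mountPath: /var/run/secrets/workload-spiffe-credentials
      readOnly: true
    {{- else }}
    - name: workload-certs
      mountPath: /var/run/secrets/workload-spiffe-credentials
    {{- end }}
    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    # UDS channel between istioagent and gRPC client for XDS/SDS
    - mountPath: /etc/istio/proxy
      name: istio-xds
    {{- /* Projected service-account token the agent presents to istiod/CA. */}}
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- if .Values.global.mountMtlsCerts }}
    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
    - mountPath: /etc/certs/
      name: istio-certs
      readOnly: true
    {{- end }}
    - name: istio-podinfo
      mountPath: /etc/istio/pod
    {{- /* Extra mounts supplied by the pod's own sidecar.istio.io/userVolumeMount annotation (JSON, spliced as YAML). */}}
    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
    {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
    - name: "{{ $index }}"
      {{ toYaml $value | indent 6 }}
    {{ end }}
    {{- end }}
  {{- /* For each application container: gRPC xDS bootstrap env plus the shared istio-data / istio-xds
       volumes and workload credentials. Only name/env/volumeMounts are emitted — presumably merged into
       the container's existing spec by the injector; verify against the caller. */}}
  {{- range $index, $container := .Spec.Containers }}
  {{ if not (eq $container.Name "istio-proxy") }}
  - name: {{ $container.Name }}
    env:
      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
        value: "true"
      - name: "GRPC_XDS_BOOTSTRAP"
        value: "/etc/istio/proxy/grpc-bootstrap.json"
    volumeMounts:
      - mountPath: /var/lib/istio/data
        name: istio-data
      # UDS channel between istioagent and gRPC client for XDS/SDS
      - mountPath: /etc/istio/proxy
        name: istio-xds
      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
      - name: gke-workload-certificate
        mountPath: /var/run/secrets/workload-spiffe-credentials
        readOnly: true
      {{- else }}
      - name: workload-certs
        mountPath: /var/run/secrets/workload-spiffe-credentials
      {{- end }}
  {{- end }}
  {{- end }}
  volumes:
  - emptyDir:
    name: workload-socket
  {{- /* Workload credential source: the GKE workload-certificate CSI driver, else an emptyDir the agent fills. */}}
  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
  - name: gke-workload-certificate
    csi:
      driver: workloadcertificates.security.cloud.google.com
  {{- else }}
  - emptyDir:
    name: workload-certs
  {{- end }}
  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
  - name: custom-bootstrap-volume
    configMap:
      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
  {{- end }}
  # XDS/SDS channel between istioagent and the gRPC client (bootstrap file + UDS), kept in memory
  - emptyDir:
      medium: Memory
    name: istio-xds
  - name: istio-data
    emptyDir: {}
  {{- /* Pod labels/annotations exposed to the agent via the downward API. */}}
  - name: istio-podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
  {{- /* Projected service-account token, bound to the configured audience and valid 12h (43200s). */}}
  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if .Values.global.mountMtlsCerts }}
  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
  {{- /* Legacy per-service-account secret "istio.<serviceAccount>"; optional so the pod still starts without it. */}}
  - name: istio-certs
    secret:
      optional: true
      {{ if eq .Spec.ServiceAccountName "" }}
      secretName: istio.default
      {{ else -}}
      secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
      {{ end -}}
  {{- end }}
  {{- /* Extra volumes supplied by the pod's own sidecar.istio.io/userVolume annotation (JSON, spliced as YAML). */}}
  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
  {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
  - name: "{{ $index }}"
    {{ toYaml $value | indent 4 }}
  {{ end }}
  {{ end }}
  {{- if .Values.global.imagePullSecrets }}
  imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  {{- end }}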