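# Rendered once per Gateway API `Gateway` that Istio manages. Three documents
# are emitted: the proxy's ServiceAccount, the proxy Deployment and the Service
# fronting it. The Deployment and Service carry an ownerReference to the
# Gateway so they are garbage-collected with it (the ServiceAccount too on
# Kubernetes >= 1.28). Templated scalars that may look like a number, boolean
# or null to the YAML parser are quoted so they stay strings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{.ServiceAccount | quote}}
  namespace: {{.Namespace | quote}}
  annotations:
    # Controller-internal annotations are stripped before the user's
    # infrastructure annotations are copied onto the generated object.
    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
  labels:
    {{- toJsonMap
      .InfrastructureLabels
      (strdict
        "gateway.networking.k8s.io/gateway-name" .Name
        "istio.io/gateway-name" .Name
      ) | nindent 4 }}
  {{- if ge .KubeVersion 128 }}
  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: "{{.Name}}"
    uid: "{{.UID}}"
  {{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{.DeploymentName | quote}}
  namespace: {{.Namespace | quote}}
  annotations:
    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
  labels:
    {{- toJsonMap
      .InfrastructureLabels
      (strdict
        "gateway.networking.k8s.io/gateway-name" .Name
        "istio.io/gateway-name" .Name
      ) | nindent 4 }}
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    # Quoted: a Gateway may legitimately be named e.g. "123" or "on", which
    # an unquoted scalar would parse as a number or boolean.
    name: "{{.Name}}"
    uid: "{{.UID}}"
spec:
  selector:
    matchLabels:
      "{{.GatewayNameLabel}}": "{{.Name}}"
  template:
    metadata:
      annotations:
        {{- toJsonMap
          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
          (strdict "istio.io/rev" (.Revision | default "default"))
          (strdict
            "prometheus.io/path" "/stats/prometheus"
            "prometheus.io/port" "15020"
            "prometheus.io/scrape" "true"
          ) | nindent 8 }}
      labels:
        {{- toJsonMap
          (strdict
            "sidecar.istio.io/inject" "false"
            "service.istio.io/canonical-name" .DeploymentName
            "service.istio.io/canonical-revision" "latest"
          )
          .InfrastructureLabels
          (strdict
            "gateway.networking.k8s.io/gateway-name" .Name
            "istio.io/gateway-name" .Name
          ) | nindent 8 }}
    spec:
      securityContext:
        sysctls:
        # Lets the unprivileged proxy (all capabilities are dropped below)
        # bind listener ports below 1024 without NET_BIND_SERVICE.
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      serviceAccountName: {{.ServiceAccount | quote}}
      containers:
      - name: istio-proxy
      # A proxyImage annotation (or global.proxy.image) that already contains a
      # registry path is used verbatim; otherwise the controller-computed
      # .ProxyImage is used.
      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
      {{- else }}
        image: "{{ .ProxyImage }}"
      {{- end }}
        {{- if .Values.global.proxy.resources }}
        resources:
          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
        {{- end }}
        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
        # The proxy runs as a non-root, non-privileged user with no
        # capabilities and a read-only root filesystem; every writable path it
        # needs is provided by the emptyDir volumes declared below.
        securityContext:
          capabilities:
            drop:
            - ALL
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: {{ .ProxyUID | default "1337" }}
          runAsGroup: {{ .ProxyGID | default "1337" }}
          runAsNonRoot: true
        ports:
        # status-port is the target of the startup/readiness probes below.
        - containerPort: 15021
          name: status-port
          protocol: TCP
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        - --proxyLogLevel
        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
        - --proxyComponentLogLevel
        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
        - --log_output_level
        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
        {{- if .Values.global.sts.servicePort }}
        - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
        {{- if .Values.global.logAsJson }}
        - --log_as_json
        {{- end }}
        {{- if .Values.global.proxy.lifecycle }}
        lifecycle:
          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
        {{- end }}
        env:
        # Env values are quoted: `value` must be a string, and an unset Helm
        # value would otherwise render as null.
        - name: PILOT_CERT_PROVIDER
          value: {{ .Values.global.pilotCertProvider | quote }}
        - name: CA_ADDR
        {{- if .Values.global.caAddress }}
          value: {{ .Values.global.caAddress | quote }}
        {{- else }}
          value: "istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012"
        {{- end }}
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: ISTIO_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: PROXY_CONFIG
          # Literal block scalar; protoToJSON is expected to emit a single
          # JSON line, which the block keeps verbatim.
          value: |
            {{ protoToJSON .ProxyConfig }}
        - name: ISTIO_META_POD_PORTS
          value: "[]"
        - name: ISTIO_META_APP_CONTAINERS
          value: ""
        - name: GOMEMLIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.memory
        - name: GOMAXPROCS
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: ISTIO_META_CLUSTER_ID
          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
        - name: ISTIO_META_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: ISTIO_META_INTERCEPTION_MODE
          value: "{{ .ProxyConfig.InterceptionMode.String }}"
        {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
        - name: ISTIO_META_NETWORK
          value: {{.|quote}}
        {{- end }}
        - name: ISTIO_META_WORKLOAD_NAME
          value: {{.DeploymentName|quote}}
        - name: ISTIO_META_OWNER
          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
        {{- if .Values.global.meshID }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.meshID }}"
        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
        - name: ISTIO_META_MESH_ID
          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
        {{- end }}
        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
        - name: TRUST_DOMAIN
          value: "{{ . }}"
        {{- end }}
        # User-supplied proxyMetadata is free-form; `quote` escapes embedded
        # quotes and backslashes so a value cannot break the manifest.
        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
        - name: {{ $key | quote }}
          value: {{ $value | quote }}
        {{- end }}
        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
          value: {{.|quote}}
        {{- end }}
        startupProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 4
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 0
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: workload-socket
          mountPath: /var/run/secrets/workload-spiffe-uds
        - name: credential-socket
          mountPath: /var/run/secrets/credential-uds
        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
        - name: gke-workload-certificate
          mountPath: /var/run/secrets/workload-spiffe-credentials
          readOnly: true
        {{- else }}
        - name: workload-certs
          mountPath: /var/run/secrets/workload-spiffe-credentials
        {{- end }}
        {{- if eq .Values.global.pilotCertProvider "istiod" }}
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        {{- end }}
        - mountPath: /var/lib/istio/data
          name: istio-data
        # SDS channel between istioagent and Envoy
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        - name: istio-podinfo
          mountPath: /etc/istio/pod
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
      - name: gke-workload-certificate
        csi:
          driver: workloadcertificates.security.cloud.google.com
      {{- else}}
      - emptyDir: {}
        name: workload-certs
      {{- end }}
      # SDS channel between istioagent and Envoy; kept in memory rather than
      # on node disk.
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-data
        emptyDir: {}
      - name: istio-podinfo
        downwardAPI:
          items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations
      # Bound service account token with a 12h (43200s) lifetime, scoped to
      # the configured audience; mounted at /var/run/secrets/tokens above.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud | quote }}
      {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
      {{- end }}
      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
      {{- end }}
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
  labels:
    {{- toJsonMap
      .InfrastructureLabels
      (strdict
        "gateway.networking.k8s.io/gateway-name" .Name
        "istio.io/gateway-name" .Name
      ) | nindent 4 }}
  name: {{.DeploymentName | quote}}
  namespace: {{.Namespace | quote}}
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: "{{.Name}}"
    uid: "{{.UID}}"
spec:
  ports:
  {{- range $key, $val := .Ports }}
  - name: {{ $val.Name | quote }}
    port: {{ $val.Port }}
    protocol: TCP
    appProtocol: {{ $val.AppProtocol }}
  {{- end }}
  selector:
    "{{.GatewayNameLabel}}": "{{.Name}}"
  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
  {{- end }}
  type: {{ .ServiceType | quote }}
---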