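{{- /*
istiod (Pilot) Deployment.
Chart path: manifests/charts/istio-control/istio-discovery/templates/deployment.yaml

The Deployment name and its ServiceAccount are suffixed with .Values.revision
whenever a revision is set, and the pod selector switches from the legacy
`istio: pilot` label to `app`/`istio.io/rev`, so multiple revisions can be
installed into the same namespace without selecting each other's pods.
*/ -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: istiod
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "Pilot"
    istio: pilot
    release: {{ .Release.Name }}
    {{- /* User-supplied label values are always double-quoted so they render as strings. */}}
    {{- range $key, $val := .Values.pilot.deploymentLabels }}
    {{ $key }}: "{{ $val }}"
    {{- end }}
spec:
  {{- /* replicas is only rendered when autoscaling is disabled and a replicaCount is given. */}}
  {{- if not .Values.pilot.autoscaleEnabled }}
  {{- if .Values.pilot.replicaCount }}
  replicas: {{ .Values.pilot.replicaCount }}
  {{- end }}
  {{- end }}
  strategy:
    rollingUpdate:
      maxSurge: {{ .Values.pilot.rollingMaxSurge }}
      maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
  selector:
    matchLabels:
      {{- if ne .Values.revision "" }}
      app: istiod
      istio.io/rev: {{ .Values.revision | default "default" | quote }}
      {{- else }}
      istio: pilot
      {{- end }}
  template:
    metadata:
      labels:
        app: istiod
        istio.io/rev: {{ .Values.revision | default "default" | quote }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        {{- /* The control plane opts itself out of sidecar injection (label and annotation). */}}
        sidecar.istio.io/inject: "false"
        operator.istio.io/component: "Pilot"
        {{- if ne .Values.revision "" }}
        istio: istiod
        {{- else }}
        istio: pilot
        {{- end }}
        {{- range $key, $val := .Values.pilot.podLabels }}
        {{ $key }}: "{{ $val }}"
        {{- end }}
        istio.io/dataplane-mode: none
      annotations:
        {{- /* Metrics scrape target matches the --monitoringAddr port passed to the container below. */}}
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15014"
        prometheus.io/scrape: "true"
        {{- end }}
        sidecar.istio.io/inject: "false"
        {{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
        {{- end }}
    spec:
      {{- if .Values.pilot.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
      {{- end }}
      {{- with .Values.pilot.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      tolerations:
        - key: cni.istio.io/not-ready
          operator: "Exists"
        {{- with .Values.pilot.tolerations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.pilot.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
      {{- end }}
      containers:
        - name: discovery
          {{- /* A pilot.image containing "/" is taken as a full reference; otherwise hub/image:tag[-variant] is assembled. */}}
          {{- if contains "/" .Values.pilot.image }}
          image: "{{ .Values.pilot.image }}"
          {{- else }}
          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
          {{- end }}
          {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          {{- end }}
          args:
          - "discovery"
          - --monitoringAddr=:15014
          {{- if .Values.global.logging.level }}
          - --log_output_level={{ .Values.global.logging.level }}
          {{- end}}
          {{- if .Values.global.logAsJson }}
          - --log_as_json
          {{- end }}
          - --domain
          - {{ .Values.global.proxy.clusterDomain }}
          {{- if .Values.pilot.taint.namespace }}
          - --cniNamespace={{ .Values.pilot.taint.namespace }}
          {{- end }}
          - --keepaliveMaxServerConnectionAge
          - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
          {{- if .Values.pilot.extraContainerArgs }}
          {{- with .Values.pilot.extraContainerArgs }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- end }}
          ports:
          - containerPort: 8080
            protocol: TCP
          - containerPort: 15010
            protocol: TCP
          - containerPort: 15017
            protocol: TCP
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 3
            timeoutSeconds: 5
          env:
          - name: REVISION
            value: "{{ .Values.revision | default `default` }}"
          - name: PILOT_CERT_PROVIDER
            {{- /* Quoted: env values must be strings, and an unquoted provider name could otherwise be retyped by the YAML parser. */}}
            value: {{ .Values.global.pilotCertProvider | quote }}
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.serviceAccountName
          - name: KUBECONFIG
            {{- /* Points into the optional istio-kubeconfig Secret, mounted read-only at /var/run/secrets/remote below. */}}
            value: /var/run/secrets/remote/config
          {{- if .Values.pilot.env }}
          {{- range $key, $val := .Values.pilot.env }}
          - name: {{ $key }}
            value: "{{ $val }}"
          {{- end }}
          {{- end }}
          {{- if .Values.pilot.traceSampling }}
          - name: PILOT_TRACE_SAMPLING
            value: "{{ .Values.pilot.traceSampling }}"
          {{- end }}
          - name: PILOT_ENABLE_ANALYSIS
            value: "{{ .Values.global.istiod.enableAnalysis }}"
          - name: CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          {{- /* Go runtime limits are derived from the container's own resource limits. */}}
          - name: GOMEMLIMIT
            valueFrom:
              resourceFieldRef:
                resource: limits.memory
          - name: GOMAXPROCS
            valueFrom:
              resourceFieldRef:
                resource: limits.cpu
          - name: PLATFORM
            value: "{{ .Values.global.platform }}"
          resources:
          {{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
          {{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
          {{- end }}
          securityContext:
            {{- /* Hardened baseline: no privilege escalation, read-only root filesystem, non-root, all capabilities dropped. */}}
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
              - ALL
            {{- /* No seccompProfile is rendered unless pilot.seccompProfile is set in values. */}}
            {{- if .Values.pilot.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
            {{- end }}
          volumeMounts:
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true
          {{- /* local-certs is the only mount without readOnly; it is an in-memory emptyDir (see volumes). */}}
          - name: local-certs
            mountPath: /var/run/secrets/istio-dns
          - name: cacerts
            mountPath: /etc/cacerts
            readOnly: true
          - name: istio-kubeconfig
            mountPath: /var/run/secrets/remote
            readOnly: true
          {{- if .Values.pilot.jwksResolverExtraRootCA }}
          - name: extracacerts
            mountPath: /cacerts
          {{- end }}
          - name: istio-csr-dns-cert
            mountPath: /var/run/secrets/istiod/tls
            readOnly: true
          - name: istio-csr-ca-configmap
            mountPath: /var/run/secrets/istiod/ca
            readOnly: true
          {{- with .Values.pilot.volumeMounts }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
      volumes:
      # Technically not needed on this pod - but it helps debugging/testing SDS
      # Should be removed after everything works.
      - emptyDir:
          medium: Memory
        name: local-certs
      {{- /* Bound ServiceAccount token: audience-scoped to sds.token.aud and limited to 43200s (12h). Quoted so the audience always renders as a string. */}}
      - name: istio-token
        projected:
          sources:
            - serviceAccountToken:
                audience: {{ .Values.global.sds.token.aud | quote }}
                expirationSeconds: 43200
                path: istio-token
      # Optional: user-generated root
      - name: cacerts
        secret:
          secretName: cacerts
          optional: true
      - name: istio-kubeconfig
        secret:
          secretName: istio-kubeconfig
          optional: true
      # Optional: istio-csr dns pilot certs
      - name: istio-csr-dns-cert
        secret:
          secretName: istiod-tls
          optional: true
      - name: istio-csr-ca-configmap
        configMap:
          name: istio-ca-root-cert
          defaultMode: 420
          optional: true
      {{- if .Values.pilot.jwksResolverExtraRootCA }}
      - name: extracacerts
        configMap:
          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      {{- end }}
      {{- with .Values.pilot.volumes }}
      {{- toYaml . | nindent 6}}
      {{- end }}

---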