# Injection template for Istio gateway pods: renders the istio-proxy container,
# its environment and the volumes it needs. `$containers` collects the names of
# every container other than istio-proxy; it feeds the kubectl default-container
# annotations and ISTIO_META_APP_CONTAINERS below.
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
  labels:
    # Canonical identity falls back through the standard app labels to the owner's name.
    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
  annotations: {
    istio.io/rev: {{ .Revision | default "default" | quote }},
    {{- if eq (len $containers) 1 }}
    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
    {{ end }}
  }
spec:
  securityContext:
    # Pod-level sysctl: treats every port as unprivileged so the proxy, which runs
    # as the non-root UID/GID set below, can listen on ports below 1024.
    sysctls:
    - name: net.ipv4.ip_unprivileged_port_start
      value: "0"
  containers:
  - name: istio-proxy
  # When the configured image contains a "/", the pod's own
  # `sidecar.istio.io/proxyImage` annotation may override it; otherwise the
  # resolved .ProxyImage is used. NOTE(review): the override is chosen by the pod
  # author, so pin it by admission policy where proxy images must be controlled.
  {{- if contains "/" .Values.global.proxy.image }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
  {{- else }}
    image: "{{ .ProxyImage }}"
  {{- end }}
    ports:
    # Envoy Prometheus stats endpoint.
    - containerPort: 15090
      protocol: TCP
      name: http-envoy-prom
    args:
    - proxy
    - router
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    # Log levels can be raised per pod through annotations; defaults come from values.
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
  {{- if .Values.global.sts.servicePort }}
    - --stsPort={{ .Values.global.sts.servicePort }}
  {{- end }}
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
  {{- if .Values.global.proxy.lifecycle }}
    lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
  {{- end }}
    # Non-root proxy; 1337 is used unless the injector resolved another UID/GID.
    securityContext:
      runAsUser: {{ .ProxyUID | default "1337" }}
      runAsGroup: {{ .ProxyGID | default "1337" }}
    env:
    - name: PILOT_CERT_PROVIDER
      value: {{ .Values.global.pilotCertProvider }}
    - name: CA_ADDR
    # Explicit CA address when configured; otherwise the in-cluster istiod service
    # (revision-suffixed when a revision is set) on port 15012.
    {{- if .Values.global.caAddress }}
      value: {{ .Values.global.caAddress }}
    {{- else }}
      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
    {{- end }}
    # Pod identity fields the agent reads from the downward API.
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: ISTIO_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    # Full ProxyConfig serialized as JSON for the agent.
    - name: PROXY_CONFIG
      value: |
             {{ protoToJSON .ProxyConfig }}
    # JSON array of every declared container port across all containers;
    # `$first` handles comma placement between entries.
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
        {{- $first := true }}
        {{- range $index1, $c := .Spec.Containers }}
          {{- range $index2, $p := $c.Ports }}
            {{- if (structToJSON $p) }}
            {{if not $first}},{{end}}{{ structToJSON $p }}
            {{- $first = false }}
            {{- end }}
          {{- end}}
        {{- end}}
        ]
    # Go runtime limits derived from the container's resource limits.
    - name: GOMEMLIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.memory
    - name: GOMAXPROCS
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    {{- if .CompliancePolicy }}
    - name: COMPLIANCE_POLICY
      value: "{{ .CompliancePolicy }}"
    {{- end }}
    - name: ISTIO_META_APP_CONTAINERS
      value: "{{ $containers | join "," }}"
    - name: ISTIO_META_CLUSTER_ID
      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
    - name: ISTIO_META_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: ISTIO_META_INTERCEPTION_MODE
      value: "{{ .ProxyConfig.InterceptionMode.String }}"
    {{- if .Values.global.network }}
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
    {{ end }}
    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
    {{- end}}
    # Mesh ID: explicit meshID if set, else the trust domain.
    {{- if .Values.global.meshID }}
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.meshID }}"
    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: ISTIO_META_MESH_ID
      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
    {{- end }}
    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: TRUST_DOMAIN
      value: "{{ . }}"
    {{- end }}
    # Arbitrary proxyMetadata entries from ProxyConfig become env vars verbatim.
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
    # Agent readiness endpoint on 15021.
    readinessProbe:
      httpGet:
        path: /healthz/ready
        port: 15021
      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
      timeoutSeconds: 3
      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    - name: credential-socket
      mountPath: /var/run/secrets/credential-uds
    # Workload certificates: CSI-provided (read-only) on GKE, otherwise an emptyDir the agent populates.
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate
      mountPath: /var/run/secrets/workload-spiffe-credentials
      readOnly: true
    {{- else }}
    - name: workload-certs
      mountPath: /var/run/secrets/workload-spiffe-credentials
    {{- end }}
    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    # SDS channel between istioagent and Envoy
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- if .Values.global.mountMtlsCerts }}
    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
    - mountPath: /etc/certs/
      name: istio-certs
      readOnly: true
    {{- end }}
    - name: istio-podinfo
      mountPath: /etc/istio/pod
  volumes:
  - emptyDir: {}
    name: workload-socket
  - emptyDir: {}
    name: credential-socket
  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
  - name: gke-workload-certificate
    csi:
      driver: workloadcertificates.security.cloud.google.com
  {{- else}}
  - emptyDir: {}
    name: workload-certs
  {{- end }}
  # SDS channel between istioagent and Envoy
  # Memory-backed so the material exchanged here is not written to node disk.
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - name: istio-data
    emptyDir: {}
  # The pod's own labels and annotations, exposed to the agent under /etc/istio/pod.
  - name: istio-podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
  # Projected service-account token bound to the configured audience and
  # limited to 43200s (12h).
  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if .Values.global.mountMtlsCerts }}
  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
  # The secret is optional so the pod still starts without it; its name is
  # derived from the pod's service account.
  - name: istio-certs
    secret:
      optional: true
      {{ if eq .Spec.ServiceAccountName "" }}
      secretName: istio.default
      {{ else -}}
      secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
      {{ end -}}
  {{- end }}
  {{- if .Values.global.imagePullSecrets }}
  imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  {{- end }}