{{- /* manifests/charts/istiod-remote/files/injection-template.yaml
Sidecar injection template. The injector renders this once per pod that opts in, with
.ObjectMeta = the pod being injected (its labels and annotations come from whoever
created the pod), .Values = the chart configuration, .ProxyConfig = the proxy
configuration in effect for this pod, .MeshConfig = mesh config, and .ProxyImage /
.ProxyUID / .ProxyGID / .Revision supplied by the injector. The rendered YAML is applied
to the pod by the injector (outside this file).

Security review notes (details inline below):
 - Several pod annotations are honoured verbatim and change what runs with which
   privileges: sidecar.istio.io/proxyImage (image used for the init container, the
   core-dump container and the proxy), sidecar.istio.io/userVolume and
   sidecar.istio.io/userVolumeMount (arbitrary volumes mounted into the proxy),
   sidecar.istio.io/enableCoreDump (adds a privileged root init container),
   sidecar.istio.io/bootstrapOverride (ConfigMap used as Envoy bootstrap) and the
   traffic.sidecar.istio.io/* capture ranges. None of them is validated here.
 - NOTE(review): this template cannot enforce anything by itself; bound the above with
   validating admission (Pod Security Admission or a policy engine) and an image
   registry allow-list, which as far as I know still see the pod after this mutation.
   Confirm for the cluster in question.
 - Whitespace trimming on the action delimiters is load-bearing for the YAML
   indentation; do not reflow lines without re-rendering a pod and diffing the result.
*/}}
{{- define "resources" }}
{{- /* Resource block for the injected containers. If ANY of the four
sidecar.istio.io/proxy{CPU,Memory,CPULimit,MemoryLimit} pod annotations is set, only
the annotated values are emitted and the chart-wide global.proxy.resources are ignored
entirely (the else branch is not reached). Annotation values are interpolated into
double quotes without further validation. */}}
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
      requests:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
        {{ end }}
    {{- end }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
      limits:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
        {{ end }}
    {{- end }}
  {{- else }}
    {{- if .Values.global.proxy.resources }}
      {{ toYaml .Values.global.proxy.resources | indent 6 }}
    {{- end }}
  {{- end }}
{{- end }}
{{- /* ENABLE_NATIVE_SIDECARS is read with env, i.e. from the injector's own process
environment, not from the pod. When "true" the proxy is emitted under initContainers
with restartPolicy: Always instead of under containers (see below). */}}
{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
{{- /* Names of the application containers (every container except istio-proxy), in
spec order. Used for the kubectl default-container annotations and exported to the
proxy as ISTIO_META_APP_CONTAINERS. */}}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
  labels:
    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
    {{- end }}
    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }}
    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
  {{- /* Flow-style mapping: every entry, including conditional ones, must end with a
  comma. Existing kubectl.kubernetes.io/default-* annotations on the pod are kept;
  otherwise the first application container is recorded. */}}
  annotations: {
    istio.io/rev: {{ .Revision | default "default" | quote }},
    {{- if ge (len $containers) 1 }}
    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
    {{- end }}
    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
    {{- end }}
    {{- end }}
    {{- /* CNI mode: the effective traffic-capture parameters are echoed back onto
    the pod as annotations (the same annotation-or-chart-default resolution the
    istio-iptables args use below). The istio-validation init container emitted in
    this mode runs with --run-validation --skip-rule-apply, i.e. it only checks the
    redirection; the rules themselves are programmed outside this template. For
    multus or non-chained CNI the istio-cni network is appended to the pod's
    k8s.v1.cni.cncf.io/networks annotation. */}}
    {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }}
    {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}}
    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
    {{- end }}
    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
    {{- end }}
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
    {{- end }}
    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
    {{- end }}
  }
spec:
  {{- /* holdApplicationUntilProxyStarts (ProxyConfig or chart default) is turned into
  a postStart "pilot-agent wait" hook on the proxy container (lifecycle below). It is
  deliberately disabled under native sidecars, where the proxy is an init container. */}}
  {{- $holdProxy := and
      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
      (not $nativeSidecar) }}
  initContainers:
  {{- /* Traffic-redirection init container. Skipped entirely when the effective
  interception mode (annotation, else ProxyConfig) is NONE. */}}
  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
  {{- /* istio-validation (CNI: validate only) vs istio-init (no CNI: programs iptables,
  needs root + NET_ADMIN/NET_RAW, see its securityContext).
  NOTE(review): the image comes from the sidecar.istio.io/proxyImage pod annotation
  whenever that value contains a "/", so in the non-CNI path the pod author chooses
  the image that runs as root with NET_ADMIN/NET_RAW. Pair this with a registry
  allow-list in admission if pod authors are not fully trusted. */}}
  {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
  - name: istio-validation
  {{ else -}}
  - name: istio-init
  {{ end -}}
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
  {{- else }}
    image: "{{ .ProxyImage }}"
  {{- end }}
  {{- /* istio-iptables flags mirror the traffic.sidecar.istio.io/* annotations above.
  -p / -z are the proxy's outbound and inbound listener ports (15001 / 15006 unless
  MeshConfig overrides them), -u is the same UID the proxy container runs as (runAsUser
  below), and -d always carries 15090 (http-envoy-prom, exposed on the proxy) and
  15021 (the readiness probe port) in addition to the configured exclusions. */}}
    args:
    - istio-iptables
    - "-p"
    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
    - "-z"
    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
    - "-u"
    - {{ .ProxyUID | default "1337" | quote }}
    - "-m"
    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
    - "-i"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
    - "-x"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
    - "-b"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
    - "-d"
  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
  {{- else }}
    - "15090,15021"
  {{- end }}
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
    - "-q"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
    {{ end -}}
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
    - "-o"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
    {{ end -}}
    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
    - "-k"
    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
    {{ end -}}
    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
    - "-c"
    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
    {{ end -}}
    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
    {{ if .Values.global.logAsJson -}}
    - "--log_as_json"
    {{ end -}}
    {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
    - "--run-validation"
    - "--skip-rule-apply"
    {{ end -}}
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
  {{- if .ProxyConfig.ProxyMetadata }}
    env:
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
  {{- /* Without CNI the init container has to program iptables itself: root, writable
  rootfs, NET_ADMIN + NET_RAW added on top of drop ALL. privileged and
  allowPrivilegeEscalation follow global.proxy.privileged in both paths. With CNI it
  only validates, so it runs as the proxy UID/GID, non-root, read-only, no added
  capabilities. */}}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
  {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
  {{- end }}
        drop:
        - ALL
  {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  {{- else }}
      readOnlyRootFilesystem: true
      runAsGroup: {{ .ProxyGID | default "1337" }}
      runAsUser: {{ .ProxyUID | default "1337" }}
      runAsNonRoot: true
  {{- end }}
  {{ end -}}
  {{- /* Debug-only: enabled by the sidecar.istio.io/enableCoreDump pod annotation or
  global.proxy.enableCoreDump. Runs fully privileged as root with SYS_ADMIN and
  executes "sysctl -w kernel.core_pattern=..." pointing into the proxy's istio-data
  volume. It also switches the proxy container's readOnlyRootFilesystem off (see the
  proxy securityContext below).
  NOTE(review): kernel.core_pattern is, to my knowledge, a node-wide kernel setting
  rather than a per-container one, so enabling this on one pod would change the core
  pattern for every process on that node -- confirm, and keep this annotation blocked
  by admission policy in shared clusters. */}}
  {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
  - name: enable-core-dump
    args:
    - -c
    - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
    command:
      - /bin/sh
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
  {{- else }}
    image: "{{ .ProxyImage }}"
  {{- end }}
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - SYS_ADMIN
        drop:
        - ALL
      privileged: true
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  {{ end }}
  {{ if not $nativeSidecar }}
  containers:
  {{ end }}
  {{- /* The sidecar proxy. Under native sidecars this entry stays in the
  initContainers list (the "containers:" key above is not emitted) and gets
  restartPolicy: Always. The image is again overridable through the
  sidecar.istio.io/proxyImage annotation when it contains a "/". */}}
  - name: istio-proxy
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
  {{- else }}
    image: "{{ .ProxyImage }}"
  {{- end }}
    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
    {{- /* 15090 is the only declared container port (Envoy Prometheus endpoint); it
    is also on the istio-iptables -d exclusion list above, so it is reached directly
    rather than through the inbound listener. */}}
    ports:
    - containerPort: 15090
      protocol: TCP
      name: http-envoy-prom
    args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
  {{- if .Values.global.sts.servicePort }}
    - --stsPort={{ .Values.global.sts.servicePort }}
  {{- end }}
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
  {{- if .Values.global.proxy.outlierLogPath }}
    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
  {{- end}}
  {{- if .Values.global.proxy.lifecycle }}
    lifecycle:
      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
  {{- else if $holdProxy }}
    lifecycle:
      postStart:
        exec:
          command:
          - pilot-agent
          - wait
  {{- else if $nativeSidecar }}
    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
    lifecycle:
      preStop:
        exec:
          command:
          - pilot-agent
          - request
          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
          - POST
          - drain
  {{- end }}
  {{- /* Agent environment. CA_ADDR defaults to the in-cluster istiod (revision
  suffixed) on 15012 unless global.caAddress is set. PROXY_CONFIG carries the whole
  ProxyConfig as JSON; its proxyMetadata entries are additionally exported one by one
  at the end of this list. GOMEMLIMIT / GOMAXPROCS / ISTIO_CPU_LIMIT are taken from the
  container's own resource limits via the downward API. */}}
    env:
    {{- if eq .InboundTrafficPolicyMode "localhost" }}
    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
      value: "true"
    {{- end }}
    - name: PILOT_CERT_PROVIDER
      value: {{ .Values.global.pilotCertProvider }}
    - name: CA_ADDR
    {{- if .Values.global.caAddress }}
      value: {{ .Values.global.caAddress }}
    {{- else }}
      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
    {{- end }}
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: ISTIO_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    - name: PROXY_CONFIG
      value: |
        {{ protoToJSON .ProxyConfig }}
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
        {{- $first := true }}
        {{- range $index1, $c := .Spec.Containers }}
          {{- range $index2, $p := $c.Ports }}
            {{- if (structToJSON $p) }}
            {{if not $first}},{{end}}{{ structToJSON $p }}
            {{- $first = false }}
            {{- end }}
          {{- end}}
        {{- end}}
        ]
    - name: ISTIO_META_APP_CONTAINERS
      value: "{{ $containers | join "," }}"
    - name: GOMEMLIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.memory
    - name: GOMAXPROCS
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    {{- if .CompliancePolicy }}
    - name: COMPLIANCE_POLICY
      value: "{{ .CompliancePolicy }}"
    {{- end }}
    - name: ISTIO_META_CLUSTER_ID
      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
    - name: ISTIO_META_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: ISTIO_META_INTERCEPTION_MODE
      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
    {{- if .Values.global.network }}
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
    {{ end }}
    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
    {{- end}}
    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
    - name: ISTIO_BOOTSTRAP_OVERRIDE
      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
    {{- end }}
    {{- if .Values.global.meshID }}
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.meshID }}"
    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: ISTIO_META_MESH_ID
      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
    {{- end }}
    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: TRUST_DOMAIN
      value: "{{ . }}"
    {{- end }}
    {{- /* Arbitrary name/value pairs: the apm.datadoghq.com/env pod annotation (JSON
    object, only when the datadog tracer is selected) and every ProxyConfig.proxyMetadata
    entry are emitted as env vars of the proxy.
    NOTE(review): unlike the labels at the top of this file these are written as
    value: "..." around the raw string instead of piping through quote, so a value
    containing a double quote, backslash or newline is not escaped and would yield
    malformed YAML; the key is emitted completely unquoted. Switching both to the
    quote function would be the consistent form (not changed here). */}}
    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    {{- end }}
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
    {{- /* Probes against the agent's status port; both are omitted when the
    effective status.sidecar.istio.io/port is 0. Note the probes are hard-coded to
    15021 even though the annotation can move the status port -- they agree only for
    the default. */}}
    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
    {{ if .Values.global.proxy.startupProbe.enabled }}
    startupProbe:
      httpGet:
        path: /healthz/ready
        port: 15021
      initialDelaySeconds: 0
      periodSeconds: 1
      timeoutSeconds: 3
      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
    {{ end }}
    readinessProbe:
      httpGet:
        path: /healthz/ready
        port: 15021
      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
      timeoutSeconds: 3
      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
    {{ end -}}
    {{- /* Proxy privileges, from most to least privileged:
     - IPTABLES_TRACE_LOGGING=true in ProxyConfig.proxyMetadata: privileged root
       container with NET_ADMIN and allowPrivilegeEscalation.
     - TPROXY interception or capNetBindService=true (annotation or chart default):
       runs as root (runAsNonRoot: false) with NET_ADMIN and/or NET_BIND_SERVICE added.
     - Default: UID/GID 1337 (or the injector-supplied ProxyUID/ProxyGID), non-root,
       all capabilities dropped; privileged and allowPrivilegeEscalation follow
       global.proxy.privileged.
    readOnlyRootFilesystem is false whenever core dumps are enabled, in every path.
    NOTE(review): ProxyConfig is, as far as I know, also overridable per pod through the
    proxy.istio.io/config annotation, which would put the first two escalations within
    reach of the pod author -- confirm, and rely on Pod Security Admission to reject
    the resulting privileged/root container where that is not acceptable. */ -}}
    securityContext:
      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - NET_ADMIN
        drop:
        - ALL
      privileged: true
      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
      runAsGroup: {{ .ProxyGID | default "1337" }}
      runAsNonRoot: false
      runAsUser: 0
      {{- else }}
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      capabilities:
        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
        add:
        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
        - NET_ADMIN
        {{- end }}
        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
        - NET_BIND_SERVICE
        {{- end }}
        {{- end }}
        drop:
        - ALL
      privileged: {{ .Values.global.proxy.privileged }}
      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
      runAsGroup: {{ .ProxyGID | default "1337" }}
      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
      runAsNonRoot: false
      runAsUser: 0
      {{- else -}}
      runAsNonRoot: true
      runAsUser: {{ .ProxyUID | default "1337" }}
      {{- end }}
      {{- end }}
    resources:
  {{ template "resources" . }}
  {{- /* Mounts that carry identity material into the proxy: the workload-spiffe-uds
  and credential-uds sockets, workload-spiffe-credentials (GKE CSI driver, read-only,
  or an emptyDir), the CA root (istiod-ca-cert ConfigMap or kube-root-ca.crt depending
  on global.pilotCertProvider), the projected istio-token and, when
  global.mountMtlsCerts is on, the legacy istio.<serviceaccount> secret at /etc/certs/.
  istio-envoy (memory-backed) is the SDS channel between agent and Envoy; istio-podinfo
  exposes the pod's own labels and annotations via the downward API. */}}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    - name: credential-socket
      mountPath: /var/run/secrets/credential-uds
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate
      mountPath: /var/run/secrets/workload-spiffe-credentials
      readOnly: true
    {{- else }}
    - name: workload-certs
      mountPath: /var/run/secrets/workload-spiffe-credentials
    {{- end }}
    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
    - mountPath: /var/run/secrets/istio/kubernetes
      name: kube-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
    - mountPath: /etc/istio/custom-bootstrap
      name: custom-bootstrap-volume
    {{- end }}
    # SDS channel between istioagent and Envoy
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- if .Values.global.mountMtlsCerts }}
    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
    - mountPath: /etc/certs/
      name: istio-certs
      readOnly: true
    {{- end }}
    - name: istio-podinfo
      mountPath: /etc/istio/pod
    {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
      name: lightstep-certs
      readOnly: true
    {{- end }}
    {{- /* NOTE(review): sidecar.istio.io/userVolumeMount (and sidecar.istio.io/userVolume
    under volumes below) are JSON objects taken from the pod annotations and emitted
    with toYaml without any schema or path check, so any volume type the cluster
    accepts -- hostPath included -- can be mounted at any path inside the proxy
    container, next to its identity material. The pod author can presumably already
    declare volumes on the pod, so this is not new privilege by itself, but policy that
    inspects volumes must evaluate the pod after injection to see these. */}}
    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
    {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
    - name: "{{ $index }}"
      {{ toYaml $value | indent 6 }}
    {{ end }}
    {{- end }}
  {{- /* Volume definitions backing the mounts above. custom-bootstrap-volume points at
  whatever ConfigMap name the sidecar.istio.io/bootstrapOverride annotation carries. */}}
  volumes:
  - emptyDir:
    name: workload-socket
  - emptyDir:
    name: credential-socket
  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
  - name: gke-workload-certificate
    csi:
      driver: workloadcertificates.security.cloud.google.com
  {{- else }}
  - emptyDir:
    name: workload-certs
  {{- end }}
  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
  - name: custom-bootstrap-volume
    configMap:
      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
  {{- end }}
  # SDS channel between istioagent and Envoy
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - name: istio-data
    emptyDir: {}
  - name: istio-podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
  {{- /* Projected, audience-bound service-account token (audience from
  global.sds.token.aud, 12 h lifetime, rotated by the kubelet); presumably what the
  agent presents to the CA at CA_ADDR -- that exchange happens outside this file. */}}
  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
  - name: kube-ca-cert
    configMap:
      name: kube-root-ca.crt
  {{- end }}
  {{- /* Legacy file-based certificates: secret istio.<serviceAccountName> (istio.default
  when the pod has no service account), marked optional so a missing secret does not
  block pod start. Only emitted when global.mountMtlsCerts is set. */}}
  {{- if .Values.global.mountMtlsCerts }}
  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
  - name: istio-certs
    secret:
      optional: true
      {{ if eq .Spec.ServiceAccountName "" }}
      secretName: istio.default
      {{ else -}}
      secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
      {{ end -}}
  {{- end }}
  {{- /* Pod-author-supplied volumes from the sidecar.istio.io/userVolume annotation,
  emitted verbatim (see the userVolumeMount note above). */}}
  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
  {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
  - name: "{{ $index }}"
    {{ toYaml $value | indent 4 }}
  {{ end }}
  {{ end }}
  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
  - name: lightstep-certs
    secret:
      optional: true
      secretName: lightstep.cacert
  {{- end }}
  {{- if .Values.global.imagePullSecrets }}
  imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  {{- end }}