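# Helm template: the ztunnel node agent, one pod per Linux node.
#
# Rendering notes (fixes relative to the previous revision of this template):
#   - Every operator-supplied scalar that ends up in an env var is passed through
#     `quote`, so a value containing `: `, ` #`, a leading special character, or a
#     boolean/number-looking string (`NO`, `1.10`) can neither break the rendered
#     manifest nor be retyped by the YAML parser.
#   - Map/list substitutions use `nindent`, which is independent of the column the
#     directive sits on; the previous `indent` form only rendered correctly when the
#     directive was flush-left.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ztunnel
  namespace: {{ .Release.Namespace }}
  labels:
    {{- .Values.labels | toYaml | nindent 4 }}
  annotations:
    {{- .Values.annotations | toYaml | nindent 4 }}
spec:
  updateStrategy:
    rollingUpdate:
      # Bring the replacement pod up before the old one is removed so a node is
      # never left without a ztunnel during a rollout.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: ztunnel
  template:
    metadata:
      labels:
        # Keep ztunnel itself out of both the sidecar injector and ambient
        # capture (dataplane-mode: none); presumably this is what stops the
        # CNI from redirecting ztunnel's own traffic back into ztunnel.
        sidecar.istio.io/inject: "false"
        istio.io/dataplane-mode: none
        app: ztunnel
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      annotations:
        sidecar.istio.io/inject: "false"
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      nodeSelector:
        kubernetes.io/os: linux
        {{- with .Values.nodeSelector }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | trim | nindent 8 }}
      {{- end }}
      serviceAccountName: ztunnel
      # Schedule onto every node, including tainted and control-plane nodes: a
      # node without a ztunnel has no ambient data plane.
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        operator: Exists
      containers:
      - name: istio-proxy
        {{- if contains "/" .Values.image }}
        # A fully qualified reference: use it verbatim (hub/tag/variant are ignored).
        image: "{{ .Values.image }}"
        {{- else }}
        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{ with .Values.variant }}-{{ . }}{{ end }}"
        {{- end }}
        ports:
        # Metrics only. The readiness endpoint below lives on 15021, which is
        # intentionally not advertised here (containerPort entries are informational).
        - containerPort: 15020
          name: ztunnel-stats
          protocol: TCP
        resources:
          {{- with .Values.resources }}
          {{- toYaml . | trim | nindent 10 }}
          {{- end }}
        {{- with .Values.imagePullPolicy }}
        imagePullPolicy: {{ . }}
        {{- end }}
        # Security posture: this container runs as root with SYS_ADMIN and has a
        # hostPath mount, so anyone who can exec into it (or compromise it) has
        # node-level access; treat the ztunnel namespace as part of the node's
        # trust boundary. The compensating controls are the dropped capability
        # set, no privilege escalation, no `privileged`, and a read-only root fs.
        # NOTE(review): no seccompProfile is set; whether RuntimeDefault is
        # compatible with setns/TPROXY here is not established by this file.
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          capabilities:
            drop:
            - ALL
            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
            - NET_ADMIN # Required for TPROXY and setsockopt
            - SYS_ADMIN # Required for `setns` - doing things in other netns
            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          # Root is required for the capabilities above to be effective on the
          # host network namespaces ztunnel enters; runAsNonRoot must be false.
          runAsNonRoot: false
          runAsUser: 0
          {{- with .Values.seLinuxOptions }}
          seLinuxOptions:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
        readinessProbe:
          httpGet:
            port: 15021
            path: /healthz/ready
        args:
        - proxy
        - ztunnel
        env:
        # Where workload certificates are requested from. Defaults to the
        # revisioned istiod service unless the operator overrides caAddress.
        - name: CA_ADDRESS
          {{- if .Values.caAddress }}
          value: {{ .Values.caAddress | quote }}
          {{- else }}
          value: "istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012"
          {{- end }}
        - name: XDS_ADDRESS
          value: "istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012"
        - name: RUST_LOG
          value: {{ .Values.logLevel | quote }}
        - name: ISTIO_META_CLUSTER_ID
          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" | quote }}
        - name: INPOD_ENABLED
          value: "true"
        - name: ISTIO_META_DNS_PROXY_ADDR
          value: "127.0.0.1:15053"
        # Pod identity, taken from the downward API rather than from values so
        # it cannot be spoofed through chart configuration.
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        # Operator-supplied extras. Both maps are rendered as env vars of this
        # root-capable container, so values.yaml is a privileged input.
        {{- with .Values.meshConfig.defaultConfig.proxyMetadata }}
        {{- range $key, $value := . }}
        - name: {{ $key }}
          value: {{ $value | quote }}
        {{- end }}
        {{- end }}
        {{- with .Values.env }}
        {{- range $key, $val := . }}
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        - mountPath: /var/run/ztunnel
          name: cni-ztunnel-sock-dir
        - mountPath: /tmp
          name: tmp
        {{- with .Values.volumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      # Node-critical: exempt from eviction under node pressure.
      priorityClassName: system-node-critical
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
      volumes:
      # Bound service-account token: audience-scoped to istio-ca and rotated by
      # the kubelet, so it is not a general-purpose kube-apiserver credential.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: istio-ca
      # Trust anchor for the istiod connection (presumably). Write access to this
      # ConfigMap in the release namespace is effectively control of that trust root.
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
      # Node-local directory shared with the CNI agent. hostPath is node-scoped:
      # anything else on the node that can reach this path can reach the socket.
      - name: cni-ztunnel-sock-dir
        hostPath:
          path: /var/run/ztunnel
          type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet.
      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
      - name: tmp
        emptyDir: {}
      {{- with .Values.volumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}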