# Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/operator/cmd/mesh/testdata/manifest-generate/output/ingressgateway_k8s_settings.golden.yaml
#
# Golden (expected-output) fixture per its path. It holds four documents:
# the Deployments istio-ingressgateway and istio-ingressgateway-custom, and
# one LoadBalancer Service for each.
# NOTE(review): presumably produced by the manifest-generate test and compared
# against fresh output, so changes belong in the generator input rather than
# in this file - confirm against the test harness.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  # NOTE(review): the istio-ingressgateway-custom Deployment below uses the
  # same matchLabels and both pod templates carry these labels, so the two
  # selectors overlap. Kubernetes documentation advises against overlapping
  # controller selectors.
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      # Annotation values are quoted so they stay strings.
      annotations:
        istio.io/rev: default
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        # The gateway pod opts out of sidecar injection (also set as a label).
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: ingressgateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        # canonical-name is the only pod label that differs from the -custom
        # Deployment's template.
        service.istio.io/canonical-name: istio-ingressgateway
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution: null
          requiredDuringSchedulingIgnoredDuringExecution: null
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        env:
        # presumably pairs with the projected istio-token volume below
        # (audience istio-ca) - confirm
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        # The next entries pass pod and node facts in through the downward API.
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: ISTIO_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: ISTIO_META_WORKLOAD_NAME
          value: istio-ingressgateway
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: TRUST_DOMAIN
          value: cluster.local
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: ISTIO_META_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # Test-registry image on the mutable :latest tag. That is expected in
        # a fixture; a real deployment should pin a release tag or an image
        # digest.
        image: gcr.io/istio-testing/proxyv2:latest
        name: istio-proxy
        ports:
        - containerPort: 15021
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        # Container hardening: no privilege escalation, every capability
        # dropped, not privileged, read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        # Only the token and the two ingressgateway cert mounts are marked
        # readOnly; the other mounts carry no readOnly flag.
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      # Pod-level context: runs as non-root UID/GID 1337.
      securityContext:
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
        # Present only on this Deployment; the -custom Deployment has no
        # sysctls entry. Sets the pod's local (ephemeral) port range to
        # 80-65535.
        # NOTE(review): presumably the Kubernetes setting this fixture
        # exercises - confirm against the test input.
        sysctls:
        - name: net.ipv4.ip_local_port_range
          value: 80 65535
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      - emptyDir: {}
        name: workload-certs
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      # Projected service-account token bound to audience istio-ca with a
      # requested lifetime of 43200 s (12 h).
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          name: istio
          optional: true
        name: config-volume
      # optional: true lets the pod start when these Secrets do not exist.
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs

---


# Second gateway Deployment. Compared with istio-ingressgateway it differs in
# its name, canonical-name label, ISTIO_META_WORKLOAD_NAME, ISTIO_META_OWNER
# and service account, and it has no pod-level sysctls.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-custom
  namespace: istio-system
spec:
  # NOTE(review): identical matchLabels to the istio-ingressgateway
  # Deployment, so the two selectors overlap.
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        istio.io/rev: default
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: ingressgateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        service.istio.io/canonical-name: istio-ingressgateway-custom
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution: null
          requiredDuringSchedulingIgnoredDuringExecution: null
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        env:
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: ISTIO_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: ISTIO_META_WORKLOAD_NAME
          value: istio-ingressgateway-custom
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway-custom
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: TRUST_DOMAIN
          value: cluster.local
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: ISTIO_META_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # Test-registry image on the mutable :latest tag; pin a release tag
        # or digest outside of fixtures.
        image: gcr.io/istio-testing/proxyv2:latest
        name: istio-proxy
        ports:
        - containerPort: 15021
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        # Same container hardening as the first Deployment.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      # Runs as non-root UID/GID 1337; no sysctls on this Deployment.
      securityContext:
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: istio-ingressgateway-custom-service-account
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      - emptyDir: {}
        name: workload-certs
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      # Projected service-account token: audience istio-ca, 43200 s (12 h).
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          name: istio
          optional: true
        name: config-volume
      # Same Secret names as the first Deployment; both are optional.
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs

---


# LoadBalancer Service for the first gateway.
apiVersion: v1
kind: Service
metadata:
  annotations:
    manifest-generate: testserviceAnnotation
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  # Local keeps traffic on the receiving node's endpoints and preserves the
  # client source IP.
  externalTrafficPolicy: Local
  # NOTE(review): status-port 15021 (the readiness endpoint the probe uses)
  # is published on the load balancer next to 80 and 443. If only health
  # checkers need it, limit who can reach it, for example with
  # loadBalancerSourceRanges or a cloud firewall rule.
  ports:
  - name: status-port
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  # NOTE(review): both Deployments' pod templates carry these two labels, so
  # this selector matches pods of istio-ingressgateway-custom as well.
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: LoadBalancer

---


# LoadBalancer Service for the -custom gateway. Its spec is identical to the
# Service above; only the name and the annotations differ.
apiVersion: v1
kind: Service
metadata:
  # Explicit null: this Service carries no annotations.
  annotations: null
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-custom
  namespace: istio-system
spec:
  externalTrafficPolicy: Local
  # NOTE(review): status-port 15021 is exposed on the load balancer here too.
  ports:
  - name: status-port
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  # NOTE(review): same selector as the istio-ingressgateway Service, so it
  # matches the pods of both Deployments rather than only the -custom ones.
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: LoadBalancer

---