# Expected (golden) output of `manifest generate` for the default Pilot
# profile, consumed by the operator manifest-generate tests.
# NOTE(review): the `#` lines in this file are reviewer commentary only. If
# the test compares this file textually rather than as parsed objects, they
# must be stripped before the golden is regenerated.

# Identity of the control plane. Both istiod ClusterRoles below are bound to
# this one ServiceAccount, so their permissions are cumulative and anyone who
# can exec into / compromise the istiod pod holds all of them.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod
  namespace: istio-system

---
# "Reader" role bound below to istio-reader-service-account (that SA is not
# defined in this manifest; presumably created by the base component).
# Despite the name it is not strictly read-only: see the serviceexports rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-clusterrole-istio-system
rules:
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - nodes
  - replicationcontrollers
  - namespaces
  # NOTE(review): get/list/watch on core `secrets` with no namespace or
  # resourceNames scoping is read access to every Secret in the cluster, not
  # just Istio's. Confirm this reader identity actually needs it in a
  # single-cluster install.
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - gateways
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
# The only write permission in the reader role: create/delete of
# ServiceExports cluster-wide (multi-cluster service discovery).
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceexports
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceimports
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
# TokenReview / SubjectAccessReview creation lets the holder ask the API
# server to validate bearer tokens and authorize subjects on its behalf.
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

---
# Main istiod role (bound to the istiod ServiceAccount below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-clusterrole-istio-system
rules:
# NOTE(review): update/patch here is not limited by resourceNames, so istiod
# can rewrite *any* MutatingWebhookConfiguration in the cluster, not only the
# sidecar injector's (presumably needed to keep its caBundle current). A
# compromised istiod could therefore redirect admission for every pod.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
  - patch
# Same cluster-wide write scope for validating webhooks (update only, no patch).
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - telemetry.istio.io
  - extensions.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
# Full write access to WorkloadEntry and its status subresource cluster-wide.
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - services
  - namespaces
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
# Wildcard verbs on the ingresses/status subresource. Harmless in practice
# (status only), but broader than the explicit update/patch used elsewhere in
# this role.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - '*'
# NOTE(review): create/update on `configmaps` with no namespace scoping means
# istiod can create and modify ConfigMaps in every namespace. The sidecar
# template later in this file mounts an `istio-ca-root-cert` ConfigMap from
# the workload namespace, which is presumably what this rule exists for.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
# TokenReview / SubjectAccessReview: istiod has the API server validate the
# bearer tokens workloads present to it (presumably the CA / XDS path on
# port 15012, which the sidecar template below points CA_ADDR at).
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - '*'
  verbs:
  - update
  - patch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  verbs:
  - create
  - update
  - patch
  - delete
# NOTE(review): cluster-wide read of every Secret (no resourceNames). Istio
# presumably uses this to serve gateway TLS credentials over SDS, but it also
# means the istiod identity can read any application Secret in the cluster.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceexports
  verbs:
  - get
  - watch
  - list
  - create
  - delete
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceimports
  verbs:
  - get
  - watch
  - list

---
# Gateway-deployment controller role, also bound to the istiod ServiceAccount.
# NOTE(review): create/update/patch on `deployments` and `serviceaccounts` in
# every namespace is enough to create a Deployment that runs with any existing
# ServiceAccount's token — a well-known privilege-escalation path. Together
# with the role above, the istiod SA should be treated as
# cluster-admin-equivalent in threat models.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-gateway-controller-istio-system
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete

---
# Binds the reader role to istio-reader-service-account (not created here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-clusterrole-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-clusterrole-istio-system
subjects:
- kind: ServiceAccount
  name: istio-reader-service-account
  namespace: istio-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-clusterrole-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-clusterrole-istio-system
subjects:
- kind: ServiceAccount
  name: istiod
  namespace: istio-system

---
# Second binding to the same istiod ServiceAccount; permissions add up.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-gateway-controller-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-gateway-controller-istio-system
subjects:
- kind: ServiceAccount
  name: istiod
  namespace: istio-system

---
# Validation webhook for Istio CRs of the `default` revision.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: istiod
    istio: istiod
    istio.io/rev: default
    release: istio
  name: istio-validator-istio-system
webhooks:
# v1beta1 is listed only as a fallback for API servers that cannot speak v1.
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod
      namespace: istio-system
      path: /validate
  # NOTE(review): `Ignore` is fail-open — while istiod is unreachable, invalid
  # (or deliberately malformed) Istio resources are admitted unchecked. Istio
  # presumably switches this to `Fail` once istiod reports ready; that is not
  # visible in this manifest, so confirm it in the running cluster.
  failurePolicy: Ignore
  name: rev.validation.istio.io
  # Only objects labelled `istio.io/rev: default` are sent here; unlabelled
  # resources are not validated by this webhook (a separate default-revision
  # validator, if installed, would cover them).
  objectSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: In
      values:
      - default
  rules:
  - apiGroups:
    - security.istio.io
    - networking.istio.io
    - telemetry.istio.io
    - extensions.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  sideEffects: None

---
# Mesh-wide configuration read by istiod and by every injected proxy.
apiVersion: v1
data:
  mesh: |-
    defaultConfig:
      # 15012 is the same host:port the sidecar template below uses for CA_ADDR.
      discoveryAddress: istiod.istio-system.svc:15012
      tracing:
        zipkin:
          # Trace export target; no TLS settings are configured here.
          address: zipkin.istio-system:9411
    defaultProviders:
      metrics:
      - prometheus
    enablePrometheusMerge: true
    # NOTE(review): the root namespace is istio-control although every
    # resource in this manifest lives in istio-system. Per Istio's mesh-config
    # semantics, policies are only mesh-wide when placed in the root
    # namespace, so mesh-wide PeerAuthentication/AuthorizationPolicy defaults
    # must be applied to istio-control for this install — confirm intended.
    rootNamespace: istio-control
    # SPIFFE trust domain embedded in every workload identity.
    trustDomain: cluster.local
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
labels: 459 install.operator.istio.io/owning-resource: unknown 460 istio.io/rev: default 461 operator.istio.io/component: Pilot 462 release: istio 463 name: istio 464 namespace: istio-system 465 466 --- 467 apiVersion: v1 468 data: 469 config: |- 470 # defaultTemplates defines the default template to use for pods that do not explicitly specify a template 471 defaultTemplates: [sidecar] 472 policy: enabled 473 alwaysInjectSelector: 474 [] 475 neverInjectSelector: 476 [] 477 injectedAnnotations: 478 template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" 479 templates: 480 sidecar: | 481 {{- define "resources" }} 482 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 483 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 484 requests: 485 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 486 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 487 {{ end }} 488 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 489 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 490 {{ end }} 491 {{- end }} 492 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 493 limits: 494 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 495 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 496 {{ end }} 497 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 498 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 499 {{ end }} 500 {{- end }} 501 {{- else }} 502 {{- if 
.Values.global.proxy.resources }} 503 {{ toYaml .Values.global.proxy.resources | indent 6 }} 504 {{- end }} 505 {{- end }} 506 {{- end }} 507 {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} 508 {{- $containers := list }} 509 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 510 metadata: 511 labels: 512 security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} 513 {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} 514 networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 515 {{- end }} 516 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 517 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 518 annotations: { 519 istio.io/rev: {{ .Revision | default "default" | quote }}, 520 {{- if ge (len $containers) 1 }} 521 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 522 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 523 {{- end }} 524 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 525 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 526 {{- end }} 527 {{- end }} 528 {{- if .Values.istio_cni.enabled }} 529 {{- if not .Values.istio_cni.chained }} 530 k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) 
`default/istio-cni` }}', 531 {{- end }} 532 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 533 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} 534 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} 535 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} 536 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", 537 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} 538 traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", 539 {{- end }} 540 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 541 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", 542 {{- end }} 543 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} 544 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` 
}}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} 545 {{- end }} 546 } 547 spec: 548 {{- $holdProxy := and 549 (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) 550 (not $nativeSidecar) }} 551 initContainers: 552 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 553 {{ if .Values.istio_cni.enabled -}} 554 - name: istio-validation 555 {{ else -}} 556 - name: istio-init 557 {{ end -}} 558 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 559 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 560 {{- else }} 561 image: "{{ .ProxyImage }}" 562 {{- end }} 563 args: 564 - istio-iptables 565 - "-p" 566 - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} 567 - "-z" 568 - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} 569 - "-u" 570 - {{ .ProxyUID | default "1337" | quote }} 571 - "-m" 572 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 573 - "-i" 574 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 575 - "-x" 576 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 577 - "-b" 578 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" 579 - "-d" 580 {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} 581 - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta 
`traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 582 {{- else }} 583 - "15090,15021" 584 {{- end }} 585 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} 586 - "-q" 587 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" 588 {{ end -}} 589 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 590 - "-o" 591 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 592 {{ end -}} 593 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 594 - "-k" 595 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 596 {{ end -}} 597 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} 598 - "-c" 599 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" 600 {{ end -}} 601 - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" 602 {{ if .Values.global.logAsJson -}} 603 - "--log_as_json" 604 {{ end -}} 605 {{ if .Values.istio_cni.enabled -}} 606 - "--run-validation" 607 - "--skip-rule-apply" 608 {{ end -}} 609 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 610 {{- if .ProxyConfig.ProxyMetadata }} 611 env: 612 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 613 - name: {{ $key }} 614 value: "{{ $value }}" 615 {{- end }} 616 {{- end }} 617 resources: 618 {{ template "resources" . 
}} 619 securityContext: 620 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 621 privileged: {{ .Values.global.proxy.privileged }} 622 capabilities: 623 {{- if not .Values.istio_cni.enabled }} 624 add: 625 - NET_ADMIN 626 - NET_RAW 627 {{- end }} 628 drop: 629 - ALL 630 {{- if not .Values.istio_cni.enabled }} 631 readOnlyRootFilesystem: false 632 runAsGroup: 0 633 runAsNonRoot: false 634 runAsUser: 0 635 {{- else }} 636 readOnlyRootFilesystem: true 637 runAsGroup: {{ .ProxyGID | default "1337" }} 638 runAsUser: {{ .ProxyUID | default "1337" }} 639 runAsNonRoot: true 640 {{- end }} 641 {{ end -}} 642 {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 643 - name: enable-core-dump 644 args: 645 - -c 646 - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited 647 command: 648 - /bin/sh 649 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 650 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 651 {{- else }} 652 image: "{{ .ProxyImage }}" 653 {{- end }} 654 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 655 resources: 656 {{ template "resources" . 
}} 657 securityContext: 658 allowPrivilegeEscalation: true 659 capabilities: 660 add: 661 - SYS_ADMIN 662 drop: 663 - ALL 664 privileged: true 665 readOnlyRootFilesystem: false 666 runAsGroup: 0 667 runAsNonRoot: false 668 runAsUser: 0 669 {{ end }} 670 {{ if not $nativeSidecar }} 671 containers: 672 {{ end }} 673 - name: istio-proxy 674 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 675 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 676 {{- else }} 677 image: "{{ .ProxyImage }}" 678 {{- end }} 679 {{ if $nativeSidecar }}restartPolicy: Always{{end}} 680 ports: 681 - containerPort: 15090 682 protocol: TCP 683 name: http-envoy-prom 684 args: 685 - proxy 686 - sidecar 687 - --domain 688 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 689 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 690 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 691 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 692 {{- if .Values.global.sts.servicePort }} 693 - --stsPort={{ .Values.global.sts.servicePort }} 694 {{- end }} 695 {{- if .Values.global.logAsJson }} 696 - --log_as_json 697 {{- end }} 698 {{- if .Values.global.proxy.lifecycle }} 699 lifecycle: 700 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 701 {{- else if $holdProxy }} 702 lifecycle: 703 postStart: 704 exec: 705 command: 706 - pilot-agent 707 - wait 708 {{- else if $nativeSidecar }} 709 {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} 710 lifecycle: 711 preStop: 712 exec: 713 command: 714 - pilot-agent 715 - request 716 - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} 717 - POST 718 - drain 719 {{- end }} 720 env: 721 {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} 722 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 723 value: "true" 724 {{- end }} 725 - name: JWT_POLICY 726 value: {{ .Values.global.jwtPolicy }} 727 - name: PILOT_CERT_PROVIDER 728 value: {{ .Values.global.pilotCertProvider }} 729 - name: CA_ADDR 730 {{- if .Values.global.caAddress }} 731 value: {{ .Values.global.caAddress }} 732 {{- else }} 733 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 734 {{- end }} 735 - name: POD_NAME 736 valueFrom: 737 fieldRef: 738 fieldPath: metadata.name 739 - name: POD_NAMESPACE 740 valueFrom: 741 fieldRef: 742 fieldPath: metadata.namespace 743 - name: INSTANCE_IP 744 valueFrom: 745 fieldRef: 746 fieldPath: status.podIP 747 - name: SERVICE_ACCOUNT 748 valueFrom: 749 fieldRef: 750 fieldPath: spec.serviceAccountName 751 - name: HOST_IP 752 valueFrom: 753 fieldRef: 754 fieldPath: status.hostIP 755 - name: ISTIO_CPU_LIMIT 756 valueFrom: 757 resourceFieldRef: 758 resource: limits.cpu 759 - name: PROXY_CONFIG 760 value: | 761 {{ protoToJSON .ProxyConfig }} 762 - name: ISTIO_META_POD_PORTS 763 value: |- 764 [ 765 {{- $first := true }} 766 {{- range $index1, $c := .Spec.Containers }} 767 {{- range $index2, $p := $c.Ports }} 768 {{- if (structToJSON $p) }} 769 {{if not $first}},{{end}}{{ structToJSON $p }} 770 {{- $first = false }} 771 {{- end }} 772 {{- end}} 773 {{- end}} 774 ] 775 - name: ISTIO_META_APP_CONTAINERS 776 value: "{{ $containers | join "," }}" 777 - name: GOMEMLIMIT 778 valueFrom: 779 resourceFieldRef: 780 resource: limits.memory 781 - name: GOMAXPROCS 782 valueFrom: 783 resourceFieldRef: 784 resource: limits.cpu 785 - name: 
ISTIO_META_CLUSTER_ID 786 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 787 - name: ISTIO_META_NODE_NAME 788 valueFrom: 789 fieldRef: 790 fieldPath: spec.nodeName 791 - name: ISTIO_META_INTERCEPTION_MODE 792 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 793 {{- if .Values.global.network }} 794 - name: ISTIO_META_NETWORK 795 value: "{{ .Values.global.network }}" 796 {{- end }} 797 {{- if .DeploymentMeta.Name }} 798 - name: ISTIO_META_WORKLOAD_NAME 799 value: "{{ .DeploymentMeta.Name }}" 800 {{ end }} 801 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 802 - name: ISTIO_META_OWNER 803 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 804 {{- end}} 805 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 806 - name: ISTIO_BOOTSTRAP_OVERRIDE 807 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 808 {{- end }} 809 {{- if .Values.global.meshID }} 810 - name: ISTIO_META_MESH_ID 811 value: "{{ .Values.global.meshID }}" 812 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 813 - name: ISTIO_META_MESH_ID 814 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 815 {{- end }} 816 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 817 - name: TRUST_DOMAIN 818 value: "{{ . 
}}" 819 {{- end }} 820 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 821 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 822 - name: {{ $key }} 823 value: "{{ $value }}" 824 {{- end }} 825 {{- end }} 826 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 827 - name: {{ $key }} 828 value: "{{ $value }}" 829 {{- end }} 830 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 831 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 832 {{ if .Values.global.proxy.startupProbe.enabled }} 833 startupProbe: 834 httpGet: 835 path: /healthz/ready 836 port: 15021 837 initialDelaySeconds: 0 838 periodSeconds: 1 839 timeoutSeconds: 3 840 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} 841 {{ end }} 842 readinessProbe: 843 httpGet: 844 path: /healthz/ready 845 port: 15021 846 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 847 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 848 timeoutSeconds: 3 849 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 850 {{ end -}} 851 securityContext: 852 {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} 853 allowPrivilegeEscalation: true 854 capabilities: 855 add: 856 - NET_ADMIN 857 drop: 858 - ALL 859 privileged: true 860 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 861 runAsGroup: {{ .ProxyGID | default "1337" }} 862 runAsNonRoot: false 863 runAsUser: 0 864 {{- else }} 865 allowPrivilegeEscalation: {{ 
.Values.global.proxy.privileged }} 866 capabilities: 867 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 868 add: 869 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 870 - NET_ADMIN 871 {{- end }} 872 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 873 - NET_BIND_SERVICE 874 {{- end }} 875 {{- end }} 876 drop: 877 - ALL 878 privileged: {{ .Values.global.proxy.privileged }} 879 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 880 runAsGroup: {{ .ProxyGID | default "1337" }} 881 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 882 runAsNonRoot: false 883 runAsUser: 0 884 {{- else -}} 885 runAsNonRoot: true 886 runAsUser: {{ .ProxyUID | default "1337" }} 887 {{- end }} 888 {{- end }} 889 resources: 890 {{ template "resources" . 
}} 891 volumeMounts: 892 - name: workload-socket 893 mountPath: /var/run/secrets/workload-spiffe-uds 894 - name: credential-socket 895 mountPath: /var/run/secrets/credential-uds 896 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 897 - name: gke-workload-certificate 898 mountPath: /var/run/secrets/workload-spiffe-credentials 899 readOnly: true 900 {{- else }} 901 - name: workload-certs 902 mountPath: /var/run/secrets/workload-spiffe-credentials 903 {{- end }} 904 {{- if eq .Values.global.pilotCertProvider "istiod" }} 905 - mountPath: /var/run/secrets/istio 906 name: istiod-ca-cert 907 {{- end }} 908 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 909 - mountPath: /var/run/secrets/istio/kubernetes 910 name: kube-ca-cert 911 {{- end }} 912 - mountPath: /var/lib/istio/data 913 name: istio-data 914 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 915 - mountPath: /etc/istio/custom-bootstrap 916 name: custom-bootstrap-volume 917 {{- end }} 918 # SDS channel between istioagent and Envoy 919 - mountPath: /etc/istio/proxy 920 name: istio-envoy 921 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 922 - mountPath: /var/run/secrets/tokens 923 name: istio-token 924 {{- end }} 925 {{- if .Values.global.mountMtlsCerts }} 926 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
927 - mountPath: /etc/certs/ 928 name: istio-certs 929 readOnly: true 930 {{- end }} 931 - name: istio-podinfo 932 mountPath: /etc/istio/pod 933 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 934 - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} 935 name: lightstep-certs 936 readOnly: true 937 {{- end }} 938 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 939 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 940 - name: "{{ $index }}" 941 {{ toYaml $value | indent 6 }} 942 {{ end }} 943 {{- end }} 944 volumes: 945 - emptyDir: 946 name: workload-socket 947 - emptyDir: 948 name: credential-socket 949 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 950 - name: gke-workload-certificate 951 csi: 952 driver: workloadcertificates.security.cloud.google.com 953 {{- else }} 954 - emptyDir: 955 name: workload-certs 956 {{- end }} 957 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 958 - name: custom-bootstrap-volume 959 configMap: 960 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 961 {{- end }} 962 # SDS channel between istioagent and Envoy 963 - emptyDir: 964 medium: Memory 965 name: istio-envoy 966 - name: istio-data 967 emptyDir: {} 968 - name: istio-podinfo 969 downwardAPI: 970 items: 971 - path: "labels" 972 fieldRef: 973 fieldPath: metadata.labels 974 - path: "annotations" 975 fieldRef: 976 fieldPath: metadata.annotations 977 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 978 - name: istio-token 979 projected: 980 sources: 981 - serviceAccountToken: 982 path: istio-token 983 expirationSeconds: 43200 984 audience: {{ .Values.global.sds.token.aud }} 985 {{- end }} 986 {{- if eq .Values.global.pilotCertProvider "istiod" }} 987 - name: istiod-ca-cert 988 configMap: 989 name: istio-ca-root-cert 990 {{- end }} 991 {{- if eq 
.Values.global.pilotCertProvider "kubernetes" }} 992 - name: kube-ca-cert 993 configMap: 994 name: kube-root-ca.crt 995 {{- end }} 996 {{- if .Values.global.mountMtlsCerts }} 997 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 998 - name: istio-certs 999 secret: 1000 optional: true 1001 {{ if eq .Spec.ServiceAccountName "" }} 1002 secretName: istio.default 1003 {{ else -}} 1004 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1005 {{ end -}} 1006 {{- end }} 1007 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 1008 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 1009 - name: "{{ $index }}" 1010 {{ toYaml $value | indent 4 }} 1011 {{ end }} 1012 {{ end }} 1013 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 1014 - name: lightstep-certs 1015 secret: 1016 optional: true 1017 secretName: lightstep.cacert 1018 {{- end }} 1019 {{- if .Values.global.imagePullSecrets }} 1020 imagePullSecrets: 1021 {{- range .Values.global.imagePullSecrets }} 1022 - name: {{ . 
}} 1023 {{- end }} 1024 {{- end }} 1025 gateway: | 1026 {{- $containers := list }} 1027 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 1028 metadata: 1029 labels: 1030 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 1031 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 1032 annotations: { 1033 istio.io/rev: {{ .Revision | default "default" | quote }}, 1034 {{- if eq (len $containers) 1 }} 1035 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 1036 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 1037 {{ end }} 1038 } 1039 spec: 1040 containers: 1041 - name: istio-proxy 1042 {{- if contains "/" .Values.global.proxy.image }} 1043 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1044 {{- else }} 1045 image: "{{ .ProxyImage }}" 1046 {{- end }} 1047 ports: 1048 - containerPort: 15090 1049 protocol: TCP 1050 name: http-envoy-prom 1051 args: 1052 - proxy 1053 - router 1054 - --domain 1055 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1056 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 1057 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 1058 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 1059 {{- if .Values.global.sts.servicePort }} 1060 - --stsPort={{ 
.Values.global.sts.servicePort }} 1061 {{- end }} 1062 {{- if .Values.global.logAsJson }} 1063 - --log_as_json 1064 {{- end }} 1065 {{- if .Values.global.proxy.lifecycle }} 1066 lifecycle: 1067 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 1068 {{- end }} 1069 securityContext: 1070 runAsUser: {{ .ProxyUID | default "1337" }} 1071 runAsGroup: {{ .ProxyGID | default "1337" }} 1072 env: 1073 - name: JWT_POLICY 1074 value: {{ .Values.global.jwtPolicy }} 1075 - name: PILOT_CERT_PROVIDER 1076 value: {{ .Values.global.pilotCertProvider }} 1077 - name: CA_ADDR 1078 {{- if .Values.global.caAddress }} 1079 value: {{ .Values.global.caAddress }} 1080 {{- else }} 1081 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1082 {{- end }} 1083 - name: POD_NAME 1084 valueFrom: 1085 fieldRef: 1086 fieldPath: metadata.name 1087 - name: POD_NAMESPACE 1088 valueFrom: 1089 fieldRef: 1090 fieldPath: metadata.namespace 1091 - name: INSTANCE_IP 1092 valueFrom: 1093 fieldRef: 1094 fieldPath: status.podIP 1095 - name: SERVICE_ACCOUNT 1096 valueFrom: 1097 fieldRef: 1098 fieldPath: spec.serviceAccountName 1099 - name: HOST_IP 1100 valueFrom: 1101 fieldRef: 1102 fieldPath: status.hostIP 1103 - name: ISTIO_CPU_LIMIT 1104 valueFrom: 1105 resourceFieldRef: 1106 resource: limits.cpu 1107 - name: PROXY_CONFIG 1108 value: | 1109 {{ protoToJSON .ProxyConfig }} 1110 - name: ISTIO_META_POD_PORTS 1111 value: |- 1112 [ 1113 {{- $first := true }} 1114 {{- range $index1, $c := .Spec.Containers }} 1115 {{- range $index2, $p := $c.Ports }} 1116 {{- if (structToJSON $p) }} 1117 {{if not $first}},{{end}}{{ structToJSON $p }} 1118 {{- $first = false }} 1119 {{- end }} 1120 {{- end}} 1121 {{- end}} 1122 ] 1123 - name: GOMEMLIMIT 1124 valueFrom: 1125 resourceFieldRef: 1126 resource: limits.memory 1127 - name: GOMAXPROCS 1128 valueFrom: 1129 resourceFieldRef: 1130 resource: limits.cpu 1131 - name: ISTIO_META_APP_CONTAINERS 1132 
value: "{{ $containers | join "," }}" 1133 - name: ISTIO_META_CLUSTER_ID 1134 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1135 - name: ISTIO_META_NODE_NAME 1136 valueFrom: 1137 fieldRef: 1138 fieldPath: spec.nodeName 1139 - name: ISTIO_META_INTERCEPTION_MODE 1140 value: "{{ .ProxyConfig.InterceptionMode.String }}" 1141 {{- if .Values.global.network }} 1142 - name: ISTIO_META_NETWORK 1143 value: "{{ .Values.global.network }}" 1144 {{- end }} 1145 {{- if .DeploymentMeta.Name }} 1146 - name: ISTIO_META_WORKLOAD_NAME 1147 value: "{{ .DeploymentMeta.Name }}" 1148 {{ end }} 1149 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 1150 - name: ISTIO_META_OWNER 1151 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 1152 {{- end}} 1153 {{- if .Values.global.meshID }} 1154 - name: ISTIO_META_MESH_ID 1155 value: "{{ .Values.global.meshID }}" 1156 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1157 - name: ISTIO_META_MESH_ID 1158 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1159 {{- end }} 1160 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1161 - name: TRUST_DOMAIN 1162 value: "{{ . 
}}" 1163 {{- end }} 1164 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1165 - name: {{ $key }} 1166 value: "{{ $value }}" 1167 {{- end }} 1168 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1169 readinessProbe: 1170 httpGet: 1171 path: /healthz/ready 1172 port: 15021 1173 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} 1174 periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} 1175 timeoutSeconds: 3 1176 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} 1177 volumeMounts: 1178 - name: workload-socket 1179 mountPath: /var/run/secrets/workload-spiffe-uds 1180 - name: credential-socket 1181 mountPath: /var/run/secrets/credential-uds 1182 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1183 - name: gke-workload-certificate 1184 mountPath: /var/run/secrets/workload-spiffe-credentials 1185 readOnly: true 1186 {{- else }} 1187 - name: workload-certs 1188 mountPath: /var/run/secrets/workload-spiffe-credentials 1189 {{- end }} 1190 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1191 - mountPath: /var/run/secrets/istio 1192 name: istiod-ca-cert 1193 {{- end }} 1194 - mountPath: /var/lib/istio/data 1195 name: istio-data 1196 # SDS channel between istioagent and Envoy 1197 - mountPath: /etc/istio/proxy 1198 name: istio-envoy 1199 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1200 - mountPath: /var/run/secrets/tokens 1201 name: istio-token 1202 {{- end }} 1203 {{- if .Values.global.mountMtlsCerts }} 1204 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
1205 - mountPath: /etc/certs/ 1206 name: istio-certs 1207 readOnly: true 1208 {{- end }} 1209 - name: istio-podinfo 1210 mountPath: /etc/istio/pod 1211 volumes: 1212 - emptyDir: {} 1213 name: workload-socket 1214 - emptyDir: {} 1215 name: credential-socket 1216 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1217 - name: gke-workload-certificate 1218 csi: 1219 driver: workloadcertificates.security.cloud.google.com 1220 {{- else}} 1221 - emptyDir: {} 1222 name: workload-certs 1223 {{- end }} 1224 # SDS channel between istioagent and Envoy 1225 - emptyDir: 1226 medium: Memory 1227 name: istio-envoy 1228 - name: istio-data 1229 emptyDir: {} 1230 - name: istio-podinfo 1231 downwardAPI: 1232 items: 1233 - path: "labels" 1234 fieldRef: 1235 fieldPath: metadata.labels 1236 - path: "annotations" 1237 fieldRef: 1238 fieldPath: metadata.annotations 1239 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1240 - name: istio-token 1241 projected: 1242 sources: 1243 - serviceAccountToken: 1244 path: istio-token 1245 expirationSeconds: 43200 1246 audience: {{ .Values.global.sds.token.aud }} 1247 {{- end }} 1248 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1249 - name: istiod-ca-cert 1250 configMap: 1251 name: istio-ca-root-cert 1252 {{- end }} 1253 {{- if .Values.global.mountMtlsCerts }} 1254 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 1255 - name: istio-certs 1256 secret: 1257 optional: true 1258 {{ if eq .Spec.ServiceAccountName "" }} 1259 secretName: istio.default 1260 {{ else -}} 1261 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1262 {{ end -}} 1263 {{- end }} 1264 {{- if .Values.global.imagePullSecrets }} 1265 imagePullSecrets: 1266 {{- range .Values.global.imagePullSecrets }} 1267 - name: {{ . 
}} 1268 {{- end }} 1269 {{- end }} 1270 grpc-simple: | 1271 metadata: 1272 annotations: 1273 sidecar.istio.io/rewriteAppHTTPProbers: "false" 1274 spec: 1275 initContainers: 1276 - name: grpc-bootstrap-init 1277 image: busybox:1.28 1278 volumeMounts: 1279 - mountPath: /var/lib/grpc/data/ 1280 name: grpc-io-proxyless-bootstrap 1281 env: 1282 - name: INSTANCE_IP 1283 valueFrom: 1284 fieldRef: 1285 fieldPath: status.podIP 1286 - name: POD_NAME 1287 valueFrom: 1288 fieldRef: 1289 fieldPath: metadata.name 1290 - name: POD_NAMESPACE 1291 valueFrom: 1292 fieldRef: 1293 fieldPath: metadata.namespace 1294 - name: ISTIO_NAMESPACE 1295 value: | 1296 {{ .Values.global.istioNamespace }} 1297 command: 1298 - sh 1299 - "-c" 1300 - |- 1301 NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" 1302 SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" 1303 echo ' 1304 { 1305 "xds_servers": [ 1306 { 1307 "server_uri": "'${SERVER_URI}'", 1308 "channel_creds": [{"type": "insecure"}], 1309 "server_features" : ["xds_v3"] 1310 } 1311 ], 1312 "node": { 1313 "id": "'${NODE_ID}'", 1314 "metadata": { 1315 "GENERATOR": "grpc" 1316 } 1317 } 1318 }' > /var/lib/grpc/data/bootstrap.json 1319 containers: 1320 {{- range $index, $container := .Spec.Containers }} 1321 - name: {{ $container.Name }} 1322 env: 1323 - name: GRPC_XDS_BOOTSTRAP 1324 value: /var/lib/grpc/data/bootstrap.json 1325 - name: GRPC_GO_LOG_VERBOSITY_LEVEL 1326 value: "99" 1327 - name: GRPC_GO_LOG_SEVERITY_LEVEL 1328 value: info 1329 volumeMounts: 1330 - mountPath: /var/lib/grpc/data/ 1331 name: grpc-io-proxyless-bootstrap 1332 {{- end }} 1333 volumes: 1334 - name: grpc-io-proxyless-bootstrap 1335 emptyDir: {} 1336 grpc-agent: | 1337 {{- define "resources" }} 1338 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) }} 1339 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 1340 requests: 1341 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 1342 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 1343 {{ end }} 1344 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 1345 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 1346 {{ end }} 1347 {{- end }} 1348 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 1349 limits: 1350 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 1351 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 1352 {{ end }} 1353 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 1354 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 1355 {{ end }} 1356 {{- end }} 1357 {{- else }} 1358 {{- if .Values.global.proxy.resources }} 1359 {{ toYaml .Values.global.proxy.resources | indent 6 }} 1360 {{- end }} 1361 {{- end }} 1362 {{- end }} 1363 {{- $containers := list }} 1364 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 1365 metadata: 1366 labels: 1367 {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} 1368 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 1369 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 1370 annotations: { 1371 istio.io/rev: {{ .Revision | default "default" }}, 1372 {{- if ge (len $containers) 1 }} 1373 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 1374 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 1375 {{- end }} 1376 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 1377 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 1378 {{- end }} 1379 {{- end }} 1380 sidecar.istio.io/rewriteAppHTTPProbers: "false", 1381 } 1382 spec: 1383 containers: 1384 - name: istio-proxy 1385 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1386 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1387 {{- else }} 1388 image: "{{ .ProxyImage }}" 1389 {{- end }} 1390 ports: 1391 - containerPort: 15020 1392 protocol: TCP 1393 name: mesh-metrics 1394 args: 1395 - proxy 1396 - sidecar 1397 - --domain 1398 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1399 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 1400 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 1401 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 1402 {{- if 
.Values.global.sts.servicePort }} 1403 - --stsPort={{ .Values.global.sts.servicePort }} 1404 {{- end }} 1405 {{- if .Values.global.logAsJson }} 1406 - --log_as_json 1407 {{- end }} 1408 lifecycle: 1409 postStart: 1410 exec: 1411 command: 1412 - pilot-agent 1413 - wait 1414 - --url=http://localhost:15020/healthz/ready 1415 env: 1416 - name: ISTIO_META_GENERATOR 1417 value: grpc 1418 - name: OUTPUT_CERTS 1419 value: /var/lib/istio/data 1420 {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} 1421 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 1422 value: "true" 1423 {{- end }} 1424 - name: JWT_POLICY 1425 value: {{ .Values.global.jwtPolicy }} 1426 - name: PILOT_CERT_PROVIDER 1427 value: {{ .Values.global.pilotCertProvider }} 1428 - name: CA_ADDR 1429 {{- if .Values.global.caAddress }} 1430 value: {{ .Values.global.caAddress }} 1431 {{- else }} 1432 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1433 {{- end }} 1434 - name: POD_NAME 1435 valueFrom: 1436 fieldRef: 1437 fieldPath: metadata.name 1438 - name: POD_NAMESPACE 1439 valueFrom: 1440 fieldRef: 1441 fieldPath: metadata.namespace 1442 - name: INSTANCE_IP 1443 valueFrom: 1444 fieldRef: 1445 fieldPath: status.podIP 1446 - name: SERVICE_ACCOUNT 1447 valueFrom: 1448 fieldRef: 1449 fieldPath: spec.serviceAccountName 1450 - name: HOST_IP 1451 valueFrom: 1452 fieldRef: 1453 fieldPath: status.hostIP 1454 - name: PROXY_CONFIG 1455 value: | 1456 {{ protoToJSON .ProxyConfig }} 1457 - name: ISTIO_META_POD_PORTS 1458 value: |- 1459 [ 1460 {{- $first := true }} 1461 {{- range $index1, $c := .Spec.Containers }} 1462 {{- range $index2, $p := $c.Ports }} 1463 {{- if (structToJSON $p) }} 1464 {{if not $first}},{{end}}{{ structToJSON $p }} 1465 {{- $first = false }} 1466 {{- end }} 1467 {{- end}} 1468 {{- end}} 1469 ] 1470 - name: ISTIO_META_APP_CONTAINERS 1471 value: "{{ $containers | join "," }}" 1472 - name: 
ISTIO_META_CLUSTER_ID 1473 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1474 - name: ISTIO_META_NODE_NAME 1475 valueFrom: 1476 fieldRef: 1477 fieldPath: spec.nodeName 1478 {{- if .Values.global.network }} 1479 - name: ISTIO_META_NETWORK 1480 value: "{{ .Values.global.network }}" 1481 {{- end }} 1482 {{- if .DeploymentMeta.Name }} 1483 - name: ISTIO_META_WORKLOAD_NAME 1484 value: "{{ .DeploymentMeta.Name }}" 1485 {{ end }} 1486 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 1487 - name: ISTIO_META_OWNER 1488 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 1489 {{- end}} 1490 {{- if .Values.global.meshID }} 1491 - name: ISTIO_META_MESH_ID 1492 value: "{{ .Values.global.meshID }}" 1493 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1494 - name: ISTIO_META_MESH_ID 1495 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1496 {{- end }} 1497 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1498 - name: TRUST_DOMAIN 1499 value: "{{ . 
}}" 1500 {{- end }} 1501 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1502 - name: {{ $key }} 1503 value: "{{ $value }}" 1504 {{- end }} 1505 # grpc uses xds:/// to resolve – no need to resolve VIP 1506 - name: ISTIO_META_DNS_CAPTURE 1507 value: "false" 1508 - name: DISABLE_ENVOY 1509 value: "true" 1510 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1511 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 1512 readinessProbe: 1513 httpGet: 1514 path: /healthz/ready 1515 port: 15020 1516 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 1517 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 1518 timeoutSeconds: 3 1519 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 1520 resources: 1521 {{ template "resources" . 
}} 1522 volumeMounts: 1523 - name: workload-socket 1524 mountPath: /var/run/secrets/workload-spiffe-uds 1525 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1526 - name: gke-workload-certificate 1527 mountPath: /var/run/secrets/workload-spiffe-credentials 1528 readOnly: true 1529 {{- else }} 1530 - name: workload-certs 1531 mountPath: /var/run/secrets/workload-spiffe-credentials 1532 {{- end }} 1533 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1534 - mountPath: /var/run/secrets/istio 1535 name: istiod-ca-cert 1536 {{- end }} 1537 - mountPath: /var/lib/istio/data 1538 name: istio-data 1539 # UDS channel between istioagent and gRPC client for XDS/SDS 1540 - mountPath: /etc/istio/proxy 1541 name: istio-xds 1542 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1543 - mountPath: /var/run/secrets/tokens 1544 name: istio-token 1545 {{- end }} 1546 {{- if .Values.global.mountMtlsCerts }} 1547 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
1548 - mountPath: /etc/certs/ 1549 name: istio-certs 1550 readOnly: true 1551 {{- end }} 1552 - name: istio-podinfo 1553 mountPath: /etc/istio/pod 1554 {{- end }} 1555 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 1556 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 1557 - name: "{{ $index }}" 1558 {{ toYaml $value | indent 6 }} 1559 {{ end }} 1560 {{- end }} 1561 {{- range $index, $container := .Spec.Containers }} 1562 {{ if not (eq $container.Name "istio-proxy") }} 1563 - name: {{ $container.Name }} 1564 env: 1565 - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" 1566 value: "true" 1567 - name: "GRPC_XDS_BOOTSTRAP" 1568 value: "/etc/istio/proxy/grpc-bootstrap.json" 1569 volumeMounts: 1570 - mountPath: /var/lib/istio/data 1571 name: istio-data 1572 # UDS channel between istioagent and gRPC client for XDS/SDS 1573 - mountPath: /etc/istio/proxy 1574 name: istio-xds 1575 {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} 1576 - name: gke-workload-certificate 1577 mountPath: /var/run/secrets/workload-spiffe-credentials 1578 readOnly: true 1579 {{- else }} 1580 - name: workload-certs 1581 mountPath: /var/run/secrets/workload-spiffe-credentials 1582 {{- end }} 1583 {{- end }} 1584 {{- end }} 1585 volumes: 1586 - emptyDir: 1587 name: workload-socket 1588 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1589 - name: gke-workload-certificate 1590 csi: 1591 driver: workloadcertificates.security.cloud.google.com 1592 {{- else }} 1593 - emptyDir: 1594 name: workload-certs 1595 {{- end }} 1596 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 1597 - name: custom-bootstrap-volume 1598 configMap: 1599 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 1600 {{- end }} 1601 # SDS channel between istioagent and Envoy 1602 - emptyDir: 1603 medium: Memory 1604 name: istio-xds 1605 - name: istio-data 1606 emptyDir: {} 1607 - 
name: istio-podinfo 1608 downwardAPI: 1609 items: 1610 - path: "labels" 1611 fieldRef: 1612 fieldPath: metadata.labels 1613 - path: "annotations" 1614 fieldRef: 1615 fieldPath: metadata.annotations 1616 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1617 - name: istio-token 1618 projected: 1619 sources: 1620 - serviceAccountToken: 1621 path: istio-token 1622 expirationSeconds: 43200 1623 audience: {{ .Values.global.sds.token.aud }} 1624 {{- end }} 1625 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1626 - name: istiod-ca-cert 1627 configMap: 1628 name: istio-ca-root-cert 1629 {{- end }} 1630 {{- if .Values.global.mountMtlsCerts }} 1631 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 1632 - name: istio-certs 1633 secret: 1634 optional: true 1635 {{ if eq .Spec.ServiceAccountName "" }} 1636 secretName: istio.default 1637 {{ else -}} 1638 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1639 {{ end -}} 1640 {{- end }} 1641 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 1642 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 1643 - name: "{{ $index }}" 1644 {{ toYaml $value | indent 4 }} 1645 {{ end }} 1646 {{ end }} 1647 {{- if .Values.global.imagePullSecrets }} 1648 imagePullSecrets: 1649 {{- range .Values.global.imagePullSecrets }} 1650 - name: {{ . 
}} 1651 {{- end }} 1652 {{- end }} 1653 waypoint: | 1654 apiVersion: v1 1655 kind: ServiceAccount 1656 metadata: 1657 name: {{.ServiceAccount | quote}} 1658 namespace: {{.Namespace | quote}} 1659 annotations: 1660 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1661 labels: 1662 {{- toJsonMap 1663 .InfrastructureLabels 1664 (strdict 1665 "gateway.networking.k8s.io/gateway-name" .Name 1666 "istio.io/gateway-name" .Name 1667 ) | nindent 4 }} 1668 --- 1669 apiVersion: apps/v1 1670 kind: Deployment 1671 metadata: 1672 name: {{.DeploymentName | quote}} 1673 namespace: {{.Namespace | quote}} 1674 annotations: 1675 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1676 labels: 1677 {{- toJsonMap 1678 .InfrastructureLabels 1679 (strdict 1680 "gateway.networking.k8s.io/gateway-name" .Name 1681 "istio.io/gateway-name" .Name 1682 "gateway.istio.io/managed" "istio.io-mesh-controller" 1683 ) | nindent 4 }} 1684 ownerReferences: 1685 - apiVersion: gateway.networking.k8s.io/v1beta1 1686 kind: Gateway 1687 name: "{{.Name}}" 1688 uid: "{{.UID}}" 1689 spec: 1690 selector: 1691 matchLabels: 1692 "{{.GatewayNameLabel}}": "{{.Name}}" 1693 template: 1694 metadata: 1695 annotations: 1696 {{- toJsonMap 1697 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1698 (strdict "istio.io/rev" (.Revision | default "default")) 1699 (strdict 1700 "ambient.istio.io/redirection" "disabled" 1701 "prometheus.io/path" "/stats/prometheus" 1702 "prometheus.io/port" "15020" 1703 "prometheus.io/scrape" "true" 1704 ) | nindent 8 }} 
1705 labels: 1706 {{- toJsonMap 1707 (strdict 1708 "sidecar.istio.io/inject" "false" 1709 "service.istio.io/canonical-name" .DeploymentName 1710 "service.istio.io/canonical-revision" "latest" 1711 ) 1712 .InfrastructureLabels 1713 (strdict 1714 "gateway.networking.k8s.io/gateway-name" .Name 1715 "istio.io/gateway-name" .Name 1716 "gateway.istio.io/managed" "istio.io-mesh-controller" 1717 ) | nindent 8}} 1718 spec: 1719 terminationGracePeriodSeconds: 2 1720 serviceAccountName: {{.ServiceAccount | quote}} 1721 containers: 1722 - name: istio-proxy 1723 ports: 1724 - containerPort: 15021 1725 name: status-port 1726 protocol: TCP 1727 - containerPort: 15090 1728 protocol: TCP 1729 name: http-envoy-prom 1730 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1731 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1732 {{- else }} 1733 image: "{{ .ProxyImage }}" 1734 {{- end }} 1735 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1736 args: 1737 - proxy 1738 - waypoint 1739 - --domain 1740 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1741 - --serviceCluster 1742 - {{.ServiceAccount}}.$(POD_NAMESPACE) 1743 - --proxyLogLevel 1744 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 1745 - --proxyComponentLogLevel 1746 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 1747 - --log_output_level 1748 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} 1749 {{- if .Values.global.logAsJson }} 1750 - --log_as_json 1751 {{- end }} 1752 env: 1753 - name: ISTIO_META_SERVICE_ACCOUNT 1754 valueFrom: 1755 fieldRef: 1756 fieldPath: spec.serviceAccountName 1757 - name: ISTIO_META_NODE_NAME 1758 valueFrom: 1759 fieldRef: 1760 fieldPath: spec.nodeName 1761 - name: JWT_POLICY 1762 value: {{ 
.Values.global.jwtPolicy }} 1763 - name: PILOT_CERT_PROVIDER 1764 value: {{ .Values.global.pilotCertProvider }} 1765 - name: CA_ADDR 1766 {{- if .Values.global.caAddress }} 1767 value: {{ .Values.global.caAddress }} 1768 {{- else }} 1769 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1770 {{- end }} 1771 - name: POD_NAME 1772 valueFrom: 1773 fieldRef: 1774 fieldPath: metadata.name 1775 - name: POD_NAMESPACE 1776 valueFrom: 1777 fieldRef: 1778 fieldPath: metadata.namespace 1779 - name: INSTANCE_IP 1780 valueFrom: 1781 fieldRef: 1782 fieldPath: status.podIP 1783 - name: SERVICE_ACCOUNT 1784 valueFrom: 1785 fieldRef: 1786 fieldPath: spec.serviceAccountName 1787 - name: HOST_IP 1788 valueFrom: 1789 fieldRef: 1790 fieldPath: status.hostIP 1791 - name: ISTIO_CPU_LIMIT 1792 valueFrom: 1793 resourceFieldRef: 1794 resource: limits.cpu 1795 - name: PROXY_CONFIG 1796 value: | 1797 {{ protoToJSON .ProxyConfig }} 1798 {{- if .ProxyConfig.ProxyMetadata }} 1799 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1800 - name: {{ $key }} 1801 value: "{{ $value }}" 1802 {{- end }} 1803 {{- end }} 1804 - name: GOMEMLIMIT 1805 valueFrom: 1806 resourceFieldRef: 1807 resource: limits.memory 1808 - name: GOMAXPROCS 1809 valueFrom: 1810 resourceFieldRef: 1811 resource: limits.cpu 1812 - name: ISTIO_META_CLUSTER_ID 1813 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1814 {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} 1815 {{- if $network }} 1816 - name: ISTIO_META_NETWORK 1817 value: "{{ $network }}" 1818 {{- end }} 1819 - name: ISTIO_META_INTERCEPTION_MODE 1820 value: REDIRECT 1821 - name: ISTIO_META_WORKLOAD_NAME 1822 value: {{.DeploymentName}} 1823 - name: ISTIO_META_OWNER 1824 value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} 1825 {{- if 
.Values.global.meshID }} 1826 - name: ISTIO_META_MESH_ID 1827 value: "{{ .Values.global.meshID }}" 1828 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1829 - name: ISTIO_META_MESH_ID 1830 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1831 {{- end }} 1832 resources: 1833 limits: 1834 cpu: "2" 1835 memory: 1Gi 1836 requests: 1837 cpu: 100m 1838 memory: 128Mi 1839 startupProbe: 1840 failureThreshold: 30 1841 httpGet: 1842 path: /healthz/ready 1843 port: 15021 1844 scheme: HTTP 1845 initialDelaySeconds: 1 1846 periodSeconds: 1 1847 successThreshold: 1 1848 timeoutSeconds: 1 1849 readinessProbe: 1850 failureThreshold: 4 1851 httpGet: 1852 path: /healthz/ready 1853 port: 15021 1854 scheme: HTTP 1855 initialDelaySeconds: 0 1856 periodSeconds: 15 1857 successThreshold: 1 1858 timeoutSeconds: 1 1859 securityContext: 1860 privileged: false 1861 runAsGroup: 1337 1862 runAsUser: 0 1863 capabilities: 1864 drop: 1865 - ALL 1866 volumeMounts: 1867 - name: workload-socket 1868 mountPath: /var/run/secrets/workload-spiffe-uds 1869 - mountPath: /var/run/secrets/istio 1870 name: istiod-ca-cert 1871 - mountPath: /var/lib/istio/data 1872 name: istio-data 1873 - mountPath: /etc/istio/proxy 1874 name: istio-envoy 1875 - mountPath: /var/run/secrets/tokens 1876 name: istio-token 1877 - mountPath: /etc/istio/pod 1878 name: istio-podinfo 1879 volumes: 1880 - emptyDir: {} 1881 name: workload-socket 1882 - emptyDir: 1883 medium: Memory 1884 name: istio-envoy 1885 - emptyDir: 1886 medium: Memory 1887 name: go-proxy-envoy 1888 - emptyDir: {} 1889 name: istio-data 1890 - emptyDir: {} 1891 name: go-proxy-data 1892 - downwardAPI: 1893 items: 1894 - fieldRef: 1895 fieldPath: metadata.labels 1896 path: labels 1897 - fieldRef: 1898 fieldPath: metadata.annotations 1899 path: annotations 1900 name: istio-podinfo 1901 - name: istio-token 1902 projected: 1903 sources: 1904 - serviceAccountToken: 1905 audience: istio-ca 1906 
expirationSeconds: 43200 1907 path: istio-token 1908 - configMap: 1909 name: istio-ca-root-cert 1910 name: istiod-ca-cert 1911 {{- if .Values.global.imagePullSecrets }} 1912 imagePullSecrets: 1913 {{- range .Values.global.imagePullSecrets }} 1914 - name: {{ . }} 1915 {{- end }} 1916 {{- end }} 1917 --- 1918 apiVersion: v1 1919 kind: Service 1920 metadata: 1921 annotations: 1922 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1923 labels: 1924 {{- toJsonMap 1925 .InfrastructureLabels 1926 (strdict 1927 "gateway.networking.k8s.io/gateway-name" .Name 1928 "istio.io/gateway-name" .Name 1929 ) | nindent 4 }} 1930 name: {{.DeploymentName | quote}} 1931 namespace: {{.Namespace | quote}} 1932 ownerReferences: 1933 - apiVersion: gateway.networking.k8s.io/v1beta1 1934 kind: Gateway 1935 name: "{{.Name}}" 1936 uid: "{{.UID}}" 1937 spec: 1938 ports: 1939 {{- range $key, $val := .Ports }} 1940 - name: {{ $val.Name | quote }} 1941 port: {{ $val.Port }} 1942 protocol: TCP 1943 appProtocol: {{ $val.AppProtocol }} 1944 {{- end }} 1945 selector: 1946 "{{.GatewayNameLabel}}": "{{.Name}}" 1947 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 1948 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 1949 {{- end }} 1950 type: {{ .ServiceType | quote }} 1951 --- 1952 kube-gateway: | 1953 apiVersion: v1 1954 kind: ServiceAccount 1955 metadata: 1956 name: {{.ServiceAccount | quote}} 1957 namespace: {{.Namespace | quote}} 1958 annotations: 1959 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1960 labels: 1961 {{- toJsonMap 1962 .InfrastructureLabels 1963 (strdict 1964 "gateway.networking.k8s.io/gateway-name" .Name 1965 
"istio.io/gateway-name" .Name 1966 ) | nindent 4 }} 1967 --- 1968 apiVersion: apps/v1 1969 kind: Deployment 1970 metadata: 1971 name: {{.DeploymentName | quote}} 1972 namespace: {{.Namespace | quote}} 1973 annotations: 1974 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1975 labels: 1976 {{- toJsonMap 1977 .InfrastructureLabels 1978 (strdict 1979 "gateway.networking.k8s.io/gateway-name" .Name 1980 "istio.io/gateway-name" .Name 1981 ) | nindent 4 }} 1982 ownerReferences: 1983 - apiVersion: gateway.networking.k8s.io/v1beta1 1984 kind: Gateway 1985 name: {{.Name}} 1986 uid: "{{.UID}}" 1987 spec: 1988 selector: 1989 matchLabels: 1990 "{{.GatewayNameLabel}}": {{.Name}} 1991 template: 1992 metadata: 1993 annotations: 1994 {{- toJsonMap 1995 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1996 (strdict "istio.io/rev" (.Revision | default "default")) 1997 (strdict 1998 "prometheus.io/path" "/stats/prometheus" 1999 "prometheus.io/port" "15020" 2000 "prometheus.io/scrape" "true" 2001 ) | nindent 8 }} 2002 labels: 2003 {{- toJsonMap 2004 (strdict 2005 "sidecar.istio.io/inject" "false" 2006 "service.istio.io/canonical-name" .DeploymentName 2007 "service.istio.io/canonical-revision" "latest" 2008 ) 2009 .InfrastructureLabels 2010 (strdict 2011 "gateway.networking.k8s.io/gateway-name" .Name 2012 "istio.io/gateway-name" .Name 2013 ) | nindent 8 }} 2014 spec: 2015 {{- if .KubeVersion122 }} 2016 {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. 
*/}} 2017 securityContext: 2018 sysctls: 2019 - name: net.ipv4.ip_unprivileged_port_start 2020 value: "0" 2021 {{- end }} 2022 serviceAccountName: {{.ServiceAccount | quote}} 2023 containers: 2024 - name: istio-proxy 2025 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 2026 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 2027 {{- else }} 2028 image: "{{ .ProxyImage }}" 2029 {{- end }} 2030 {{- if .Values.global.proxy.resources }} 2031 resources: 2032 {{- toYaml .Values.global.proxy.resources | nindent 10 }} 2033 {{- end }} 2034 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 2035 securityContext: 2036 {{- if .KubeVersion122 }} 2037 # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 2038 capabilities: 2039 drop: 2040 - ALL 2041 allowPrivilegeEscalation: false 2042 privileged: false 2043 readOnlyRootFilesystem: true 2044 runAsUser: {{ .ProxyUID | default "1337" }} 2045 runAsGroup: {{ .ProxyGID | default "1337" }} 2046 runAsNonRoot: true 2047 {{- else }} 2048 capabilities: 2049 drop: 2050 - ALL 2051 add: 2052 - NET_BIND_SERVICE 2053 runAsUser: 0 2054 runAsGroup: 1337 2055 runAsNonRoot: false 2056 allowPrivilegeEscalation: true 2057 readOnlyRootFilesystem: true 2058 {{- end }} 2059 ports: 2060 - containerPort: 15021 2061 name: status-port 2062 protocol: TCP 2063 - containerPort: 15090 2064 protocol: TCP 2065 name: http-envoy-prom 2066 args: 2067 - proxy 2068 - router 2069 - --domain 2070 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 2071 - --proxyLogLevel 2072 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 2073 - --proxyComponentLogLevel 2074 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 2075 - --log_output_level 2076 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` 
.Values.global.logging.level | quote}} 2077 {{- if .Values.global.sts.servicePort }} 2078 - --stsPort={{ .Values.global.sts.servicePort }} 2079 {{- end }} 2080 {{- if .Values.global.logAsJson }} 2081 - --log_as_json 2082 {{- end }} 2083 {{- if .Values.global.proxy.lifecycle }} 2084 lifecycle: 2085 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 2086 {{- end }} 2087 env: 2088 - name: JWT_POLICY 2089 value: {{ .Values.global.jwtPolicy }} 2090 - name: PILOT_CERT_PROVIDER 2091 value: {{ .Values.global.pilotCertProvider }} 2092 - name: CA_ADDR 2093 {{- if .Values.global.caAddress }} 2094 value: {{ .Values.global.caAddress }} 2095 {{- else }} 2096 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 2097 {{- end }} 2098 - name: POD_NAME 2099 valueFrom: 2100 fieldRef: 2101 fieldPath: metadata.name 2102 - name: POD_NAMESPACE 2103 valueFrom: 2104 fieldRef: 2105 fieldPath: metadata.namespace 2106 - name: INSTANCE_IP 2107 valueFrom: 2108 fieldRef: 2109 fieldPath: status.podIP 2110 - name: SERVICE_ACCOUNT 2111 valueFrom: 2112 fieldRef: 2113 fieldPath: spec.serviceAccountName 2114 - name: HOST_IP 2115 valueFrom: 2116 fieldRef: 2117 fieldPath: status.hostIP 2118 - name: ISTIO_CPU_LIMIT 2119 valueFrom: 2120 resourceFieldRef: 2121 resource: limits.cpu 2122 - name: PROXY_CONFIG 2123 value: | 2124 {{ protoToJSON .ProxyConfig }} 2125 - name: ISTIO_META_POD_PORTS 2126 value: "[]" 2127 - name: ISTIO_META_APP_CONTAINERS 2128 value: "" 2129 - name: GOMEMLIMIT 2130 valueFrom: 2131 resourceFieldRef: 2132 resource: limits.memory 2133 - name: GOMAXPROCS 2134 valueFrom: 2135 resourceFieldRef: 2136 resource: limits.cpu 2137 - name: ISTIO_META_CLUSTER_ID 2138 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" 2139 - name: ISTIO_META_NODE_NAME 2140 valueFrom: 2141 fieldRef: 2142 fieldPath: spec.nodeName 2143 - name: ISTIO_META_INTERCEPTION_MODE 2144 value: "{{ 
.ProxyConfig.InterceptionMode.String }}" 2145 {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} 2146 - name: ISTIO_META_NETWORK 2147 value: {{.|quote}} 2148 {{- end }} 2149 - name: ISTIO_META_WORKLOAD_NAME 2150 value: {{.DeploymentName|quote}} 2151 - name: ISTIO_META_OWNER 2152 value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" 2153 {{- if .Values.global.meshID }} 2154 - name: ISTIO_META_MESH_ID 2155 value: "{{ .Values.global.meshID }}" 2156 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 2157 - name: ISTIO_META_MESH_ID 2158 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 2159 {{- end }} 2160 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 2161 - name: TRUST_DOMAIN 2162 value: "{{ . }}" 2163 {{- end }} 2164 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 2165 - name: {{ $key }} 2166 value: "{{ $value }}" 2167 {{- end }} 2168 {{- with (index .InfrastructureLabels "topology.istio.io/network") }} 2169 - name: ISTIO_META_REQUESTED_NETWORK_VIEW 2170 value: {{.|quote}} 2171 {{- end }} 2172 startupProbe: 2173 failureThreshold: 30 2174 httpGet: 2175 path: /healthz/ready 2176 port: 15021 2177 scheme: HTTP 2178 initialDelaySeconds: 1 2179 periodSeconds: 1 2180 successThreshold: 1 2181 timeoutSeconds: 1 2182 readinessProbe: 2183 failureThreshold: 4 2184 httpGet: 2185 path: /healthz/ready 2186 port: 15021 2187 scheme: HTTP 2188 initialDelaySeconds: 0 2189 periodSeconds: 15 2190 successThreshold: 1 2191 timeoutSeconds: 1 2192 volumeMounts: 2193 - name: workload-socket 2194 mountPath: /var/run/secrets/workload-spiffe-uds 2195 - name: credential-socket 2196 mountPath: /var/run/secrets/credential-uds 2197 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 2198 - name: gke-workload-certificate 2199 mountPath: /var/run/secrets/workload-spiffe-credentials 2200 
readOnly: true 2201 {{- else }} 2202 - name: workload-certs 2203 mountPath: /var/run/secrets/workload-spiffe-credentials 2204 {{- end }} 2205 {{- if eq .Values.global.pilotCertProvider "istiod" }} 2206 - mountPath: /var/run/secrets/istio 2207 name: istiod-ca-cert 2208 {{- end }} 2209 - mountPath: /var/lib/istio/data 2210 name: istio-data 2211 # SDS channel between istioagent and Envoy 2212 - mountPath: /etc/istio/proxy 2213 name: istio-envoy 2214 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 2215 - mountPath: /var/run/secrets/tokens 2216 name: istio-token 2217 {{- end }} 2218 - name: istio-podinfo 2219 mountPath: /etc/istio/pod 2220 volumes: 2221 - emptyDir: {} 2222 name: workload-socket 2223 - emptyDir: {} 2224 name: credential-socket 2225 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 2226 - name: gke-workload-certificate 2227 csi: 2228 driver: workloadcertificates.security.cloud.google.com 2229 {{- else}} 2230 - emptyDir: {} 2231 name: workload-certs 2232 {{- end }} 2233 # SDS channel between istioagent and Envoy 2234 - emptyDir: 2235 medium: Memory 2236 name: istio-envoy 2237 - name: istio-data 2238 emptyDir: {} 2239 - name: istio-podinfo 2240 downwardAPI: 2241 items: 2242 - path: "labels" 2243 fieldRef: 2244 fieldPath: metadata.labels 2245 - path: "annotations" 2246 fieldRef: 2247 fieldPath: metadata.annotations 2248 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 2249 - name: istio-token 2250 projected: 2251 sources: 2252 - serviceAccountToken: 2253 path: istio-token 2254 expirationSeconds: 43200 2255 audience: {{ .Values.global.sds.token.aud }} 2256 {{- end }} 2257 {{- if eq .Values.global.pilotCertProvider "istiod" }} 2258 - name: istiod-ca-cert 2259 configMap: 2260 name: istio-ca-root-cert 2261 {{- end }} 2262 {{- if .Values.global.imagePullSecrets }} 2263 imagePullSecrets: 2264 {{- range .Values.global.imagePullSecrets }} 2265 - name: {{ . 
}} 2266 {{- end }} 2267 {{- end }} 2268 --- 2269 apiVersion: v1 2270 kind: Service 2271 metadata: 2272 annotations: 2273 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 2274 labels: 2275 {{- toJsonMap 2276 .InfrastructureLabels 2277 (strdict 2278 "gateway.networking.k8s.io/gateway-name" .Name 2279 "istio.io/gateway-name" .Name 2280 ) | nindent 4 }} 2281 name: {{.DeploymentName | quote}} 2282 namespace: {{.Namespace | quote}} 2283 ownerReferences: 2284 - apiVersion: gateway.networking.k8s.io/v1beta1 2285 kind: Gateway 2286 name: {{.Name}} 2287 uid: {{.UID}} 2288 spec: 2289 ports: 2290 {{- range $key, $val := .Ports }} 2291 - name: {{ $val.Name | quote }} 2292 port: {{ $val.Port }} 2293 protocol: TCP 2294 appProtocol: {{ $val.AppProtocol }} 2295 {{- end }} 2296 selector: 2297 "{{.GatewayNameLabel}}": {{.Name}} 2298 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 2299 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 2300 {{- end }} 2301 type: {{ .ServiceType | quote }} 2302 --- 2303 values: |- 2304 { 2305 "global": { 2306 "autoscalingv2API": true, 2307 "caAddress": "", 2308 "caName": "", 2309 "certSigners": [], 2310 "configCluster": false, 2311 "configValidation": true, 2312 "defaultPodDisruptionBudget": { 2313 "enabled": true 2314 }, 2315 "defaultResources": { 2316 "requests": { 2317 "cpu": "10m" 2318 } 2319 }, 2320 "enabled": false, 2321 "externalIstiod": false, 2322 "hub": "docker.io/istio", 2323 "imagePullPolicy": "", 2324 "imagePullSecrets": [], 2325 "istioNamespace": "istio-system", 2326 "istiod": { 2327 "enableAnalysis": false 2328 }, 2329 "jwtPolicy": "third-party-jwt", 2330 "logAsJson": false, 2331 "logging": { 2332 "level": "default:info" 2333 }, 2334 "meshID": "", 2335 "meshNetworks": {}, 2336 "mountMtlsCerts": false, 2337 "multiCluster": { 2338 "clusterName": 
"", 2339 "enabled": false 2340 }, 2341 "namespace": "istio-system", 2342 "network": "", 2343 "omitSidecarInjectorConfigMap": false, 2344 "oneNamespace": false, 2345 "operatorManageWebhooks": false, 2346 "pilotCertProvider": "istiod", 2347 "priorityClassName": "", 2348 "proxy": { 2349 "autoInject": "enabled", 2350 "clusterDomain": "cluster.local", 2351 "componentLogLevel": "misc:error", 2352 "enableCoreDump": false, 2353 "excludeIPRanges": "", 2354 "excludeInboundPorts": "", 2355 "excludeOutboundPorts": "", 2356 "image": "proxyv2", 2357 "includeIPRanges": "*", 2358 "includeInboundPorts": "*", 2359 "includeOutboundPorts": "", 2360 "logLevel": "warning", 2361 "privileged": false, 2362 "readinessFailureThreshold": 4, 2363 "readinessInitialDelaySeconds": 0, 2364 "readinessPeriodSeconds": 15, 2365 "resources": { 2366 "limits": { 2367 "cpu": "2000m", 2368 "memory": "1024Mi" 2369 }, 2370 "requests": { 2371 "cpu": "100m", 2372 "memory": "128Mi" 2373 } 2374 }, 2375 "startupProbe": { 2376 "enabled": true, 2377 "failureThreshold": 600 2378 }, 2379 "statusPort": 15020, 2380 "tracer": "zipkin" 2381 }, 2382 "proxy_init": { 2383 "image": "proxyv2" 2384 }, 2385 "remotePilotAddress": "", 2386 "sds": { 2387 "token": { 2388 "aud": "istio-ca" 2389 } 2390 }, 2391 "sts": { 2392 "servicePort": 0 2393 }, 2394 "tag": "1.1.4", 2395 "variant": "" 2396 }, 2397 "istio_cni": { 2398 "chained": true, 2399 "enabled": false 2400 }, 2401 "revision": "", 2402 "sidecarInjectorWebhook": { 2403 "alwaysInjectSelector": [], 2404 "defaultTemplates": [], 2405 "enableNamespacesByDefault": false, 2406 "injectedAnnotations": {}, 2407 "neverInjectSelector": [], 2408 "reinvocationPolicy": "Never", 2409 "rewriteAppHTTPProbe": true, 2410 "templates": {} 2411 } 2412 } 2413 kind: ConfigMap 2414 metadata: 2415 labels: 2416 install.operator.istio.io/owning-resource: unknown 2417 istio.io/rev: default 2418 operator.istio.io/component: Pilot 2419 release: istio 2420 name: istio-sidecar-injector 2421 namespace: 
istio-system 2422 2423 --- 2424 apiVersion: admissionregistration.k8s.io/v1 2425 kind: MutatingWebhookConfiguration 2426 metadata: 2427 labels: 2428 app: sidecar-injector 2429 install.operator.istio.io/owning-resource: unknown 2430 istio.io/rev: default 2431 operator.istio.io/component: Pilot 2432 release: istio 2433 name: istio-sidecar-injector 2434 webhooks: 2435 - admissionReviewVersions: 2436 - v1beta1 2437 - v1 2438 clientConfig: 2439 service: 2440 name: istiod 2441 namespace: istio-system 2442 path: /inject 2443 port: 443 2444 failurePolicy: Fail 2445 name: rev.namespace.sidecar-injector.istio.io 2446 namespaceSelector: 2447 matchExpressions: 2448 - key: istio.io/rev 2449 operator: In 2450 values: 2451 - default 2452 - key: istio-injection 2453 operator: DoesNotExist 2454 objectSelector: 2455 matchExpressions: 2456 - key: sidecar.istio.io/inject 2457 operator: NotIn 2458 values: 2459 - "false" 2460 reinvocationPolicy: Never 2461 rules: 2462 - apiGroups: 2463 - "" 2464 apiVersions: 2465 - v1 2466 operations: 2467 - CREATE 2468 resources: 2469 - pods 2470 sideEffects: None 2471 - admissionReviewVersions: 2472 - v1beta1 2473 - v1 2474 clientConfig: 2475 service: 2476 name: istiod 2477 namespace: istio-system 2478 path: /inject 2479 port: 443 2480 failurePolicy: Fail 2481 name: rev.object.sidecar-injector.istio.io 2482 namespaceSelector: 2483 matchExpressions: 2484 - key: istio.io/rev 2485 operator: DoesNotExist 2486 - key: istio-injection 2487 operator: DoesNotExist 2488 objectSelector: 2489 matchExpressions: 2490 - key: sidecar.istio.io/inject 2491 operator: NotIn 2492 values: 2493 - "false" 2494 - key: istio.io/rev 2495 operator: In 2496 values: 2497 - default 2498 reinvocationPolicy: Never 2499 rules: 2500 - apiGroups: 2501 - "" 2502 apiVersions: 2503 - v1 2504 operations: 2505 - CREATE 2506 resources: 2507 - pods 2508 sideEffects: None 2509 - admissionReviewVersions: 2510 - v1beta1 2511 - v1 2512 clientConfig: 2513 service: 2514 name: istiod 2515 namespace: 
istio-system 2516 path: /inject 2517 port: 443 2518 failurePolicy: Fail 2519 name: namespace.sidecar-injector.istio.io 2520 namespaceSelector: 2521 matchExpressions: 2522 - key: istio-injection 2523 operator: In 2524 values: 2525 - enabled 2526 objectSelector: 2527 matchExpressions: 2528 - key: sidecar.istio.io/inject 2529 operator: NotIn 2530 values: 2531 - "false" 2532 reinvocationPolicy: Never 2533 rules: 2534 - apiGroups: 2535 - "" 2536 apiVersions: 2537 - v1 2538 operations: 2539 - CREATE 2540 resources: 2541 - pods 2542 sideEffects: None 2543 - admissionReviewVersions: 2544 - v1beta1 2545 - v1 2546 clientConfig: 2547 service: 2548 name: istiod 2549 namespace: istio-system 2550 path: /inject 2551 port: 443 2552 failurePolicy: Fail 2553 name: object.sidecar-injector.istio.io 2554 namespaceSelector: 2555 matchExpressions: 2556 - key: istio-injection 2557 operator: DoesNotExist 2558 - key: istio.io/rev 2559 operator: DoesNotExist 2560 objectSelector: 2561 matchExpressions: 2562 - key: sidecar.istio.io/inject 2563 operator: In 2564 values: 2565 - "true" 2566 - key: istio.io/rev 2567 operator: DoesNotExist 2568 reinvocationPolicy: Never 2569 rules: 2570 - apiGroups: 2571 - "" 2572 apiVersions: 2573 - v1 2574 operations: 2575 - CREATE 2576 resources: 2577 - pods 2578 sideEffects: None 2579 2580 --- 2581 apiVersion: apps/v1 2582 kind: Deployment 2583 metadata: 2584 labels: 2585 app: istiod 2586 install.operator.istio.io/owning-resource: unknown 2587 istio: pilot 2588 istio.io/rev: default 2589 operator.istio.io/component: Pilot 2590 release: istio 2591 name: istiod 2592 namespace: istio-system 2593 spec: 2594 selector: 2595 matchLabels: 2596 istio: pilot 2597 strategy: 2598 rollingUpdate: 2599 maxSurge: 100% 2600 maxUnavailable: 25% 2601 template: 2602 metadata: 2603 annotations: 2604 ambient.istio.io/redirection: disabled 2605 prometheus.io/port: "15014" 2606 prometheus.io/scrape: "true" 2607 sidecar.istio.io/inject: "false" 2608 labels: 2609 app: istiod 2610 
install.operator.istio.io/owning-resource: unknown 2611 istio: pilot 2612 istio.io/rev: default 2613 operator.istio.io/component: Pilot 2614 sidecar.istio.io/inject: "false" 2615 spec: 2616 containers: 2617 - args: 2618 - discovery 2619 - --monitoringAddr=:15014 2620 - --log_output_level=default:info 2621 - --domain 2622 - cluster.local 2623 - --keepaliveMaxServerConnectionAge 2624 - 30m 2625 env: 2626 - name: REVISION 2627 value: default 2628 - name: JWT_POLICY 2629 value: third-party-jwt 2630 - name: PILOT_CERT_PROVIDER 2631 value: istiod 2632 - name: POD_NAME 2633 valueFrom: 2634 fieldRef: 2635 apiVersion: v1 2636 fieldPath: metadata.name 2637 - name: POD_NAMESPACE 2638 valueFrom: 2639 fieldRef: 2640 apiVersion: v1 2641 fieldPath: metadata.namespace 2642 - name: SERVICE_ACCOUNT 2643 valueFrom: 2644 fieldRef: 2645 apiVersion: v1 2646 fieldPath: spec.serviceAccountName 2647 - name: KUBECONFIG 2648 value: /var/run/secrets/remote/config 2649 - name: PILOT_TRACE_SAMPLING 2650 value: "1" 2651 - name: PILOT_ENABLE_ANALYSIS 2652 value: "false" 2653 - name: CLUSTER_ID 2654 value: Kubernetes 2655 - name: GOMEMLIMIT 2656 valueFrom: 2657 resourceFieldRef: 2658 resource: limits.memory 2659 - name: GOMAXPROCS 2660 valueFrom: 2661 resourceFieldRef: 2662 resource: limits.cpu 2663 - name: PLATFORM 2664 value: "" 2665 image: docker.io/istio/pilot:1.1.4 2666 name: discovery 2667 ports: 2668 - containerPort: 8080 2669 protocol: TCP 2670 - containerPort: 15010 2671 protocol: TCP 2672 - containerPort: 15017 2673 protocol: TCP 2674 readinessProbe: 2675 httpGet: 2676 path: /ready 2677 port: 8080 2678 initialDelaySeconds: 1 2679 periodSeconds: 3 2680 timeoutSeconds: 5 2681 resources: 2682 requests: 2683 cpu: 500m 2684 memory: 2048Mi 2685 securityContext: 2686 allowPrivilegeEscalation: false 2687 capabilities: 2688 drop: 2689 - ALL 2690 readOnlyRootFilesystem: true 2691 runAsNonRoot: true 2692 volumeMounts: 2693 - mountPath: /var/run/secrets/tokens 2694 name: istio-token 2695 readOnly: 
true 2696 - mountPath: /var/run/secrets/istio-dns 2697 name: local-certs 2698 - mountPath: /etc/cacerts 2699 name: cacerts 2700 readOnly: true 2701 - mountPath: /var/run/secrets/remote 2702 name: istio-kubeconfig 2703 readOnly: true 2704 - mountPath: /var/run/secrets/istiod/tls 2705 name: istio-csr-dns-cert 2706 readOnly: true 2707 - mountPath: /var/run/secrets/istiod/ca 2708 name: istio-csr-ca-configmap 2709 readOnly: true 2710 serviceAccountName: istiod 2711 volumes: 2712 - emptyDir: 2713 medium: Memory 2714 name: local-certs 2715 - name: istio-token 2716 projected: 2717 sources: 2718 - serviceAccountToken: 2719 audience: istio-ca 2720 expirationSeconds: 43200 2721 path: istio-token 2722 - name: cacerts 2723 secret: 2724 optional: true 2725 secretName: cacerts 2726 - name: istio-kubeconfig 2727 secret: 2728 optional: true 2729 secretName: istio-kubeconfig 2730 - name: istio-csr-dns-cert 2731 secret: 2732 optional: true 2733 secretName: istiod-tls 2734 - configMap: 2735 defaultMode: 420 2736 name: istio-ca-root-cert 2737 optional: true 2738 name: istio-csr-ca-configmap 2739 2740 --- 2741 apiVersion: policy/v1 2742 kind: PodDisruptionBudget 2743 metadata: 2744 labels: 2745 app: istiod 2746 install.operator.istio.io/owning-resource: unknown 2747 istio: pilot 2748 istio.io/rev: default 2749 operator.istio.io/component: Pilot 2750 release: istio 2751 name: istiod 2752 namespace: istio-system 2753 spec: 2754 minAvailable: 1 2755 selector: 2756 matchLabels: 2757 app: istiod 2758 istio: pilot 2759 2760 --- 2761 apiVersion: rbac.authorization.k8s.io/v1 2762 kind: Role 2763 metadata: 2764 labels: 2765 app: istiod 2766 release: istio 2767 name: istiod 2768 namespace: istio-system 2769 rules: 2770 - apiGroups: 2771 - networking.istio.io 2772 resources: 2773 - gateways 2774 verbs: 2775 - create 2776 - apiGroups: 2777 - "" 2778 resources: 2779 - secrets 2780 verbs: 2781 - create 2782 - get 2783 - watch 2784 - list 2785 - update 2786 - delete 2787 - apiGroups: 2788 - "" 2789 
resources: 2790 - configmaps 2791 verbs: 2792 - delete 2793 - apiGroups: 2794 - coordination.k8s.io 2795 resources: 2796 - leases 2797 verbs: 2798 - get 2799 - update 2800 - patch 2801 - create 2802 2803 --- 2804 apiVersion: rbac.authorization.k8s.io/v1 2805 kind: RoleBinding 2806 metadata: 2807 labels: 2808 app: istiod 2809 release: istio 2810 name: istiod 2811 namespace: istio-system 2812 roleRef: 2813 apiGroup: rbac.authorization.k8s.io 2814 kind: Role 2815 name: istiod 2816 subjects: 2817 - kind: ServiceAccount 2818 name: istiod 2819 namespace: istio-system 2820 2821 --- 2822 apiVersion: autoscaling/v2 2823 kind: HorizontalPodAutoscaler 2824 metadata: 2825 labels: 2826 app: istiod 2827 install.operator.istio.io/owning-resource: unknown 2828 istio.io/rev: default 2829 operator.istio.io/component: Pilot 2830 release: istio 2831 name: istiod 2832 namespace: istio-system 2833 spec: 2834 maxReplicas: 5 2835 metrics: 2836 - resource: 2837 name: cpu 2838 target: 2839 averageUtilization: 80 2840 type: Utilization 2841 type: Resource 2842 minReplicas: 1 2843 scaleTargetRef: 2844 apiVersion: apps/v1 2845 kind: Deployment 2846 name: istiod 2847 2848 --- 2849 apiVersion: v1 2850 kind: Service 2851 metadata: 2852 labels: 2853 app: istiod 2854 install.operator.istio.io/owning-resource: unknown 2855 istio: pilot 2856 istio.io/rev: default 2857 operator.istio.io/component: Pilot 2858 release: istio 2859 name: istiod 2860 namespace: istio-system 2861 spec: 2862 ports: 2863 - name: grpc-xds 2864 port: 15010 2865 protocol: TCP 2866 - name: https-dns 2867 port: 15012 2868 protocol: TCP 2869 - name: https-webhook 2870 port: 443 2871 protocol: TCP 2872 targetPort: 15017 2873 - name: http-monitoring 2874 port: 15014 2875 protocol: TCP 2876 selector: 2877 app: istiod 2878 istio: pilot 2879 2880 ---