istio.io/istio@v0.0.0-20240520182934-d79c90f27776/operator/cmd/mesh/testdata/manifest-generate/output/sidecar_template.golden.yaml (about) 1 apiVersion: v1 2 data: 3 config: |- 4 # defaultTemplates defines the default template to use for pods that do not explicitly specify a template 5 defaultTemplates: 6 - sidecar 7 - credential-volume 8 policy: enabled 9 alwaysInjectSelector: 10 [] 11 neverInjectSelector: 12 [] 13 injectedAnnotations: 14 template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" 15 templates: 16 sidecar: | 17 {{- define "resources" }} 18 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 19 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 20 requests: 21 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 22 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 23 {{ end }} 24 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 25 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 26 {{ end }} 27 {{- end }} 28 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 29 limits: 30 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 31 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 32 {{ end }} 33 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 34 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 35 {{ end }} 36 {{- end }} 37 {{- else }} 38 {{- if .Values.global.proxy.resources }} 39 {{ toYaml .Values.global.proxy.resources | indent 6 }} 40 {{- end }} 41 {{- end }} 42 {{- end }} 43 {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} 44 {{- $containers := list }} 45 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 46 metadata: 47 labels: 48 security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} 49 {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} 50 networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 51 {{- end }} 52 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 53 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 54 annotations: { 55 istio.io/rev: {{ .Revision | default "default" | quote }}, 56 {{- if ge (len $containers) 1 }} 57 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 58 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 59 {{- end }} 60 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 61 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 62 {{- end }} 63 {{- end }} 64 {{- if .Values.istio_cni.enabled }} 65 {{- if not .Values.istio_cni.chained }} 66 k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', 67 {{- end }} 68 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 69 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} 70 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} 71 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} 72 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", 73 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} 74 traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", 75 {{- end }} 76 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 77 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", 78 {{- end }} 79 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} 80 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} 81 {{- end }} 82 } 83 spec: 84 {{- $holdProxy := and 85 (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) 86 (not $nativeSidecar) }} 87 initContainers: 88 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 89 {{ if .Values.istio_cni.enabled -}} 90 - name: istio-validation 91 {{ else -}} 92 - name: istio-init 93 {{ end -}} 94 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 95 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 96 {{- else }} 97 image: "{{ .ProxyImage }}" 98 {{- end }} 99 args: 100 - istio-iptables 101 - "-p" 102 - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} 103 - "-z" 104 - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} 105 - "-u" 106 - {{ .ProxyUID | default "1337" | quote }} 107 - "-m" 108 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 109 - "-i" 110 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 111 - "-x" 112 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 113 - "-b" 114 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" 115 - "-d" 116 {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} 117 - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 118 {{- else }} 119 - "15090,15021" 120 {{- end }} 121 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} 122 - "-q" 123 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" 124 {{ end -}} 125 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 126 - "-o" 127 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 128 {{ end -}} 129 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 130 - "-k" 131 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 132 {{ end -}} 133 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} 134 - "-c" 135 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" 136 {{ end -}} 137 - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" 138 {{ if .Values.global.logAsJson -}} 139 - "--log_as_json" 140 {{ end -}} 141 {{ if .Values.istio_cni.enabled -}} 142 - "--run-validation" 143 - "--skip-rule-apply" 144 {{ end -}} 145 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 146 {{- if .ProxyConfig.ProxyMetadata }} 147 env: 148 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 149 - name: {{ $key }} 150 value: "{{ $value }}" 151 {{- end }} 152 {{- end }} 153 resources: 154 {{ template "resources" . }} 155 securityContext: 156 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 157 privileged: {{ .Values.global.proxy.privileged }} 158 capabilities: 159 {{- if not .Values.istio_cni.enabled }} 160 add: 161 - NET_ADMIN 162 - NET_RAW 163 {{- end }} 164 drop: 165 - ALL 166 {{- if not .Values.istio_cni.enabled }} 167 readOnlyRootFilesystem: false 168 runAsGroup: 0 169 runAsNonRoot: false 170 runAsUser: 0 171 {{- else }} 172 readOnlyRootFilesystem: true 173 runAsGroup: {{ .ProxyGID | default "1337" }} 174 runAsUser: {{ .ProxyUID | default "1337" }} 175 runAsNonRoot: true 176 {{- end }} 177 {{ end -}} 178 {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 179 - name: enable-core-dump 180 args: 181 - -c 182 - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited 183 command: 184 - /bin/sh 185 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 186 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 187 {{- else }} 188 image: "{{ .ProxyImage }}" 189 {{- end }} 190 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 191 resources: 192 {{ template "resources" . }} 193 securityContext: 194 allowPrivilegeEscalation: true 195 capabilities: 196 add: 197 - SYS_ADMIN 198 drop: 199 - ALL 200 privileged: true 201 readOnlyRootFilesystem: false 202 runAsGroup: 0 203 runAsNonRoot: false 204 runAsUser: 0 205 {{ end }} 206 {{ if not $nativeSidecar }} 207 containers: 208 {{ end }} 209 - name: istio-proxy 210 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 211 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 212 {{- else }} 213 image: "{{ .ProxyImage }}" 214 {{- end }} 215 {{ if $nativeSidecar }}restartPolicy: Always{{end}} 216 ports: 217 - containerPort: 15090 218 protocol: TCP 219 name: http-envoy-prom 220 args: 221 - proxy 222 - sidecar 223 - --domain 224 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 225 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 226 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 227 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 228 {{- if .Values.global.sts.servicePort }} 229 - --stsPort={{ .Values.global.sts.servicePort }} 230 {{- end }} 231 {{- if .Values.global.logAsJson }} 232 - --log_as_json 233 {{- end }} 234 {{- if .Values.global.proxy.lifecycle }} 235 lifecycle: 236 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 237 {{- else if $holdProxy }} 238 lifecycle: 239 postStart: 240 exec: 241 command: 242 - pilot-agent 243 - wait 244 {{- else if $nativeSidecar }} 245 {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} 246 lifecycle: 247 preStop: 248 exec: 249 command: 250 - pilot-agent 251 - request 252 - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} 253 - POST 254 - drain 255 {{- end }} 256 env: 257 {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} 258 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 259 value: "true" 260 {{- end }} 261 - name: JWT_POLICY 262 value: {{ .Values.global.jwtPolicy }} 263 - name: PILOT_CERT_PROVIDER 264 value: {{ .Values.global.pilotCertProvider }} 265 - name: CA_ADDR 266 {{- if .Values.global.caAddress }} 267 value: {{ .Values.global.caAddress }} 268 {{- else }} 269 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 270 {{- end }} 271 - name: POD_NAME 272 valueFrom: 273 fieldRef: 274 fieldPath: metadata.name 275 - name: POD_NAMESPACE 276 valueFrom: 277 fieldRef: 278 fieldPath: metadata.namespace 279 - name: INSTANCE_IP 280 valueFrom: 281 fieldRef: 282 fieldPath: status.podIP 283 - name: SERVICE_ACCOUNT 284 valueFrom: 285 fieldRef: 286 fieldPath: spec.serviceAccountName 287 - name: HOST_IP 288 valueFrom: 289 fieldRef: 290 fieldPath: status.hostIP 291 - name: ISTIO_CPU_LIMIT 292 valueFrom: 293 resourceFieldRef: 294 resource: limits.cpu 295 - name: PROXY_CONFIG 296 value: | 297 {{ protoToJSON .ProxyConfig }} 298 - name: ISTIO_META_POD_PORTS 299 value: |- 300 [ 301 {{- $first := true }} 302 {{- range $index1, $c := .Spec.Containers }} 303 {{- range $index2, $p := $c.Ports }} 304 {{- if (structToJSON $p) }} 305 {{if not $first}},{{end}}{{ structToJSON $p }} 306 {{- $first = false }} 307 {{- end }} 308 {{- end}} 309 {{- end}} 310 ] 311 - name: ISTIO_META_APP_CONTAINERS 312 value: "{{ $containers | join "," }}" 313 - name: GOMEMLIMIT 314 valueFrom: 315 resourceFieldRef: 316 resource: limits.memory 317 - name: GOMAXPROCS 318 valueFrom: 319 resourceFieldRef: 320 resource: limits.cpu 321 - name: ISTIO_META_CLUSTER_ID 322 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 323 - name: ISTIO_META_NODE_NAME 324 valueFrom: 325 fieldRef: 326 fieldPath: spec.nodeName 327 - name: ISTIO_META_INTERCEPTION_MODE 328 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 329 {{- if .Values.global.network }} 330 - name: ISTIO_META_NETWORK 331 value: "{{ .Values.global.network }}" 332 {{- end }} 333 {{- if .DeploymentMeta.Name }} 334 - name: ISTIO_META_WORKLOAD_NAME 335 value: "{{ .DeploymentMeta.Name }}" 336 {{ end }} 337 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 338 - name: ISTIO_META_OWNER 339 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 340 {{- end}} 341 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 342 - name: ISTIO_BOOTSTRAP_OVERRIDE 343 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 344 {{- end }} 345 {{- if .Values.global.meshID }} 346 - name: ISTIO_META_MESH_ID 347 value: "{{ .Values.global.meshID }}" 348 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 349 - name: ISTIO_META_MESH_ID 350 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 351 {{- end }} 352 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 353 - name: TRUST_DOMAIN 354 value: "{{ . }}" 355 {{- end }} 356 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 357 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 358 - name: {{ $key }} 359 value: "{{ $value }}" 360 {{- end }} 361 {{- end }} 362 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 363 - name: {{ $key }} 364 value: "{{ $value }}" 365 {{- end }} 366 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 367 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 368 {{ if .Values.global.proxy.startupProbe.enabled }} 369 startupProbe: 370 httpGet: 371 path: /healthz/ready 372 port: 15021 373 initialDelaySeconds: 0 374 periodSeconds: 1 375 timeoutSeconds: 3 376 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} 377 {{ end }} 378 readinessProbe: 379 httpGet: 380 path: /healthz/ready 381 port: 15021 382 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 383 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 384 timeoutSeconds: 3 385 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 386 {{ end -}} 387 securityContext: 388 {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} 389 allowPrivilegeEscalation: true 390 capabilities: 391 add: 392 - NET_ADMIN 393 drop: 394 - ALL 395 privileged: true 396 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 397 runAsGroup: {{ .ProxyGID | default "1337" }} 398 runAsNonRoot: false 399 runAsUser: 0 400 {{- else }} 401 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 402 capabilities: 403 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 404 add: 405 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 406 - NET_ADMIN 407 {{- end }} 408 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 409 - NET_BIND_SERVICE 410 {{- end }} 411 {{- end }} 412 drop: 413 - ALL 414 privileged: {{ .Values.global.proxy.privileged }} 415 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 416 runAsGroup: {{ .ProxyGID | default "1337" }} 417 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 418 runAsNonRoot: false 419 runAsUser: 0 420 {{- else -}} 421 runAsNonRoot: true 422 runAsUser: {{ .ProxyUID | default "1337" }} 423 {{- end }} 424 {{- end }} 425 resources: 426 {{ template "resources" . }} 427 volumeMounts: 428 - name: workload-socket 429 mountPath: /var/run/secrets/workload-spiffe-uds 430 - name: credential-socket 431 mountPath: /var/run/secrets/credential-uds 432 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 433 - name: gke-workload-certificate 434 mountPath: /var/run/secrets/workload-spiffe-credentials 435 readOnly: true 436 {{- else }} 437 - name: workload-certs 438 mountPath: /var/run/secrets/workload-spiffe-credentials 439 {{- end }} 440 {{- if eq .Values.global.pilotCertProvider "istiod" }} 441 - mountPath: /var/run/secrets/istio 442 name: istiod-ca-cert 443 {{- end }} 444 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 445 - mountPath: /var/run/secrets/istio/kubernetes 446 name: kube-ca-cert 447 {{- end }} 448 - mountPath: /var/lib/istio/data 449 name: istio-data 450 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 451 - mountPath: /etc/istio/custom-bootstrap 452 name: custom-bootstrap-volume 453 {{- end }} 454 # SDS channel between istioagent and Envoy 455 - mountPath: /etc/istio/proxy 456 name: istio-envoy 457 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 458 - mountPath: /var/run/secrets/tokens 459 name: istio-token 460 {{- end }} 461 {{- if .Values.global.mountMtlsCerts }} 462 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 463 - mountPath: /etc/certs/ 464 name: istio-certs 465 readOnly: true 466 {{- end }} 467 - name: istio-podinfo 468 mountPath: /etc/istio/pod 469 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 470 - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} 471 name: lightstep-certs 472 readOnly: true 473 {{- end }} 474 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 475 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 476 - name: "{{ $index }}" 477 {{ toYaml $value | indent 6 }} 478 {{ end }} 479 {{- end }} 480 volumes: 481 - emptyDir: 482 name: workload-socket 483 - emptyDir: 484 name: credential-socket 485 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 486 - name: gke-workload-certificate 487 csi: 488 driver: workloadcertificates.security.cloud.google.com 489 {{- else }} 490 - emptyDir: 491 name: workload-certs 492 {{- end }} 493 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 494 - name: custom-bootstrap-volume 495 configMap: 496 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 497 {{- end }} 498 # SDS channel between istioagent and Envoy 499 - emptyDir: 500 medium: Memory 501 name: istio-envoy 502 - name: istio-data 503 emptyDir: {} 504 - name: istio-podinfo 505 downwardAPI: 506 items: 507 - path: "labels" 508 fieldRef: 509 fieldPath: metadata.labels 510 - path: "annotations" 511 fieldRef: 512 fieldPath: metadata.annotations 513 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 514 - name: istio-token 515 projected: 516 sources: 517 - serviceAccountToken: 518 path: istio-token 519 expirationSeconds: 43200 520 audience: {{ .Values.global.sds.token.aud }} 521 {{- end }} 522 {{- if eq .Values.global.pilotCertProvider "istiod" }} 523 - name: istiod-ca-cert 524 configMap: 525 name: istio-ca-root-cert 526 {{- end }} 527 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 528 - name: kube-ca-cert 529 configMap: 530 name: kube-root-ca.crt 531 {{- end }} 532 {{- if .Values.global.mountMtlsCerts }} 533 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 534 - name: istio-certs 535 secret: 536 optional: true 537 {{ if eq .Spec.ServiceAccountName "" }} 538 secretName: istio.default 539 {{ else -}} 540 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 541 {{ end -}} 542 {{- end }} 543 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 544 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 545 - name: "{{ $index }}" 546 {{ toYaml $value | indent 4 }} 547 {{ end }} 548 {{ end }} 549 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 550 - name: lightstep-certs 551 secret: 552 optional: true 553 secretName: lightstep.cacert 554 {{- end }} 555 {{- if .Values.global.imagePullSecrets }} 556 imagePullSecrets: 557 {{- range .Values.global.imagePullSecrets }} 558 - name: {{ . }} 559 {{- end }} 560 {{- end }} 561 gateway: | 562 {{- $containers := list }} 563 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 564 metadata: 565 labels: 566 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 567 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 568 annotations: { 569 istio.io/rev: {{ .Revision | default "default" | quote }}, 570 {{- if eq (len $containers) 1 }} 571 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 572 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 573 {{ end }} 574 } 575 spec: 576 containers: 577 - name: istio-proxy 578 {{- if contains "/" .Values.global.proxy.image }} 579 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 580 {{- else }} 581 image: "{{ .ProxyImage }}" 582 {{- end }} 583 ports: 584 - containerPort: 15090 585 protocol: TCP 586 name: http-envoy-prom 587 args: 588 - proxy 589 - router 590 - --domain 591 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 592 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 593 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 594 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 595 {{- if .Values.global.sts.servicePort }} 596 - --stsPort={{ .Values.global.sts.servicePort }} 597 {{- end }} 598 {{- if .Values.global.logAsJson }} 599 - --log_as_json 600 {{- end }} 601 {{- if .Values.global.proxy.lifecycle }} 602 lifecycle: 603 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 604 {{- end }} 605 securityContext: 606 runAsUser: {{ .ProxyUID | default "1337" }} 607 runAsGroup: {{ .ProxyGID | default "1337" }} 608 env: 609 - name: JWT_POLICY 610 value: {{ .Values.global.jwtPolicy }} 611 - name: PILOT_CERT_PROVIDER 612 value: {{ .Values.global.pilotCertProvider }} 613 - name: CA_ADDR 614 {{- if .Values.global.caAddress }} 615 value: {{ .Values.global.caAddress }} 616 {{- else }} 617 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 618 {{- end }} 619 - name: POD_NAME 620 valueFrom: 621 fieldRef: 622 fieldPath: metadata.name 623 - name: POD_NAMESPACE 624 valueFrom: 625 fieldRef: 626 fieldPath: metadata.namespace 627 - name: INSTANCE_IP 628 valueFrom: 629 fieldRef: 630 fieldPath: status.podIP 631 - name: SERVICE_ACCOUNT 632 valueFrom: 633 fieldRef: 634 fieldPath: spec.serviceAccountName 635 - name: HOST_IP 636 valueFrom: 637 fieldRef: 638 fieldPath: status.hostIP 639 - name: ISTIO_CPU_LIMIT 640 valueFrom: 641 resourceFieldRef: 642 resource: limits.cpu 643 - name: PROXY_CONFIG 644 value: | 645 {{ protoToJSON .ProxyConfig }} 646 - name: ISTIO_META_POD_PORTS 647 value: |- 648 [ 649 {{- $first := true }} 650 {{- range $index1, $c := .Spec.Containers }} 651 {{- range $index2, $p := $c.Ports }} 652 {{- if (structToJSON $p) }} 653 {{if not $first}},{{end}}{{ structToJSON $p }} 654 {{- $first = false }} 655 {{- end }} 656 {{- end}} 657 {{- end}} 658 ] 659 - name: GOMEMLIMIT 660 valueFrom: 661 resourceFieldRef: 662 resource: limits.memory 663 - name: GOMAXPROCS 664 valueFrom: 665 resourceFieldRef: 666 resource: limits.cpu 667 - name: ISTIO_META_APP_CONTAINERS 668 value: "{{ $containers | join "," }}" 669 - name: ISTIO_META_CLUSTER_ID 670 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 671 - name: ISTIO_META_NODE_NAME 672 valueFrom: 673 fieldRef: 674 fieldPath: spec.nodeName 675 - name: ISTIO_META_INTERCEPTION_MODE 676 value: "{{ .ProxyConfig.InterceptionMode.String }}" 677 {{- if .Values.global.network }} 678 - name: ISTIO_META_NETWORK 679 value: "{{ .Values.global.network }}" 680 {{- end }} 681 {{- if .DeploymentMeta.Name }} 682 - name: ISTIO_META_WORKLOAD_NAME 683 value: "{{ .DeploymentMeta.Name }}" 684 {{ end }} 685 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 686 - name: ISTIO_META_OWNER 687 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 688 {{- end}} 689 {{- if .Values.global.meshID }} 690 - name: ISTIO_META_MESH_ID 691 value: "{{ .Values.global.meshID }}" 692 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 693 - name: ISTIO_META_MESH_ID 694 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 695 {{- end }} 696 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 697 - name: TRUST_DOMAIN 698 value: "{{ . }}" 699 {{- end }} 700 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 701 - name: {{ $key }} 702 value: "{{ $value }}" 703 {{- end }} 704 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 705 readinessProbe: 706 httpGet: 707 path: /healthz/ready 708 port: 15021 709 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} 710 periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} 711 timeoutSeconds: 3 712 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} 713 volumeMounts: 714 - name: workload-socket 715 mountPath: /var/run/secrets/workload-spiffe-uds 716 - name: credential-socket 717 mountPath: /var/run/secrets/credential-uds 718 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 719 - name: gke-workload-certificate 720 mountPath: /var/run/secrets/workload-spiffe-credentials 721 readOnly: true 722 {{- else }} 723 - name: workload-certs 724 mountPath: /var/run/secrets/workload-spiffe-credentials 725 {{- end }} 726 {{- if eq .Values.global.pilotCertProvider "istiod" }} 727 - mountPath: /var/run/secrets/istio 728 name: istiod-ca-cert 729 {{- end }} 730 - mountPath: /var/lib/istio/data 731 name: istio-data 732 # SDS channel between istioagent and Envoy 733 - mountPath: /etc/istio/proxy 734 name: istio-envoy 735 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 736 - mountPath: /var/run/secrets/tokens 737 name: istio-token 738 {{- end }} 739 {{- if .Values.global.mountMtlsCerts }} 740 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 741 - mountPath: /etc/certs/ 742 name: istio-certs 743 readOnly: true 744 {{- end }} 745 - name: istio-podinfo 746 mountPath: /etc/istio/pod 747 volumes: 748 - emptyDir: {} 749 name: workload-socket 750 - emptyDir: {} 751 name: credential-socket 752 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 753 - name: gke-workload-certificate 754 csi: 755 driver: workloadcertificates.security.cloud.google.com 756 {{- else}} 757 - emptyDir: {} 758 name: workload-certs 759 {{- end }} 760 # SDS channel between istioagent and Envoy 761 - emptyDir: 762 medium: Memory 763 name: istio-envoy 764 - name: istio-data 765 emptyDir: {} 766 - name: istio-podinfo 767 downwardAPI: 768 items: 769 - path: "labels" 770 fieldRef: 771 fieldPath: metadata.labels 772 - path: "annotations" 773 fieldRef: 774 fieldPath: metadata.annotations 775 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 776 - name: istio-token 777 projected: 778 sources: 779 - serviceAccountToken: 780 path: istio-token 781 expirationSeconds: 43200 782 audience: {{ .Values.global.sds.token.aud }} 783 {{- end }} 784 {{- if eq .Values.global.pilotCertProvider "istiod" }} 785 - name: istiod-ca-cert 786 configMap: 787 name: istio-ca-root-cert 788 {{- end }} 789 {{- if .Values.global.mountMtlsCerts }} 790 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 791 - name: istio-certs 792 secret: 793 optional: true 794 {{ if eq .Spec.ServiceAccountName "" }} 795 secretName: istio.default 796 {{ else -}} 797 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 798 {{ end -}} 799 {{- end }} 800 {{- if .Values.global.imagePullSecrets }} 801 imagePullSecrets: 802 {{- range .Values.global.imagePullSecrets }} 803 - name: {{ . }} 804 {{- end }} 805 {{- end }} 806 grpc-simple: | 807 metadata: 808 annotations: 809 sidecar.istio.io/rewriteAppHTTPProbers: "false" 810 spec: 811 initContainers: 812 - name: grpc-bootstrap-init 813 image: busybox:1.28 814 volumeMounts: 815 - mountPath: /var/lib/grpc/data/ 816 name: grpc-io-proxyless-bootstrap 817 env: 818 - name: INSTANCE_IP 819 valueFrom: 820 fieldRef: 821 fieldPath: status.podIP 822 - name: POD_NAME 823 valueFrom: 824 fieldRef: 825 fieldPath: metadata.name 826 - name: POD_NAMESPACE 827 valueFrom: 828 fieldRef: 829 fieldPath: metadata.namespace 830 - name: ISTIO_NAMESPACE 831 value: | 832 {{ .Values.global.istioNamespace }} 833 command: 834 - sh 835 - "-c" 836 - |- 837 NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" 838 SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" 839 echo ' 840 { 841 "xds_servers": [ 842 { 843 "server_uri": "'${SERVER_URI}'", 844 "channel_creds": [{"type": "insecure"}], 845 "server_features" : ["xds_v3"] 846 } 847 ], 848 "node": { 849 "id": "'${NODE_ID}'", 850 "metadata": { 851 "GENERATOR": "grpc" 852 } 853 } 854 }' > /var/lib/grpc/data/bootstrap.json 855 containers: 856 {{- range $index, $container := .Spec.Containers }} 857 - name: {{ $container.Name }} 858 env: 859 - name: GRPC_XDS_BOOTSTRAP 860 value: /var/lib/grpc/data/bootstrap.json 861 - name: GRPC_GO_LOG_VERBOSITY_LEVEL 862 value: "99" 863 - name: GRPC_GO_LOG_SEVERITY_LEVEL 864 value: info 865 volumeMounts: 866 - mountPath: /var/lib/grpc/data/ 867 name: grpc-io-proxyless-bootstrap 868 {{- end }} 869 volumes: 870 - name: grpc-io-proxyless-bootstrap 871 emptyDir: {} 872 grpc-agent: | 873 {{- define "resources" }} 874 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 875 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 876 requests: 877 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 878 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 879 {{ end }} 880 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 881 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 882 {{ end }} 883 {{- end }} 884 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 885 limits: 886 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 887 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 888 {{ end }} 889 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 890 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 891 {{ end }} 892 {{- end }} 893 {{- else }} 894 {{- if .Values.global.proxy.resources }} 895 {{ toYaml .Values.global.proxy.resources | indent 6 }} 896 {{- end }} 897 {{- end }} 898 {{- end }} 899 {{- $containers := list }} 900 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 901 metadata: 902 labels: 903 {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} 904 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 905 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 906 annotations: { 907 istio.io/rev: {{ .Revision | default "default" }}, 908 {{- if ge (len $containers) 1 }} 909 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 910 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 911 {{- end }} 912 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 913 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 914 {{- end }} 915 {{- end }} 916 sidecar.istio.io/rewriteAppHTTPProbers: "false", 917 } 918 spec: 919 containers: 920 - name: istio-proxy 921 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 922 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 923 {{- else }} 924 image: "{{ .ProxyImage }}" 925 {{- end }} 926 ports: 927 - containerPort: 15020 928 protocol: TCP 929 name: mesh-metrics 930 args: 931 - proxy 932 - sidecar 933 - --domain 934 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 935 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 936 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 937 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 938 {{- if .Values.global.sts.servicePort }} 939 - --stsPort={{ .Values.global.sts.servicePort }} 940 {{- end }} 941 {{- if .Values.global.logAsJson }} 942 - --log_as_json 943 {{- end }} 944 lifecycle: 945 postStart: 946 exec: 947 command: 948 - pilot-agent 949 - wait 950 - --url=http://localhost:15020/healthz/ready 951 env: 952 - name: ISTIO_META_GENERATOR 953 value: grpc 954 - name: OUTPUT_CERTS 955 value: /var/lib/istio/data 956 {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} 957 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 958 value: "true" 959 {{- end }} 960 - name: JWT_POLICY 961 value: {{ .Values.global.jwtPolicy }} 962 - name: PILOT_CERT_PROVIDER 963 value: {{ .Values.global.pilotCertProvider }} 964 - name: CA_ADDR 965 {{- if .Values.global.caAddress }} 966 value: {{ .Values.global.caAddress }} 967 {{- else }} 968 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 969 {{- end }} 970 - name: POD_NAME 971 valueFrom: 972 fieldRef: 973 fieldPath: metadata.name 974 - name: POD_NAMESPACE 975 valueFrom: 976 fieldRef: 977 fieldPath: metadata.namespace 978 - name: INSTANCE_IP 979 valueFrom: 980 fieldRef: 981 fieldPath: status.podIP 982 - name: SERVICE_ACCOUNT 983 valueFrom: 984 fieldRef: 985 fieldPath: spec.serviceAccountName 986 - name: HOST_IP 987 valueFrom: 988 fieldRef: 989 fieldPath: status.hostIP 990 - name: PROXY_CONFIG 991 value: | 992 {{ protoToJSON .ProxyConfig }} 993 - name: ISTIO_META_POD_PORTS 994 value: |- 995 [ 996 {{- $first := true }} 997 {{- range $index1, $c := .Spec.Containers }} 998 {{- range $index2, $p := $c.Ports }} 999 {{- if (structToJSON $p) }} 1000 {{if not $first}},{{end}}{{ structToJSON $p }} 1001 {{- $first = false }} 1002 {{- end }} 1003 {{- end}} 1004 {{- end}} 1005 ] 1006 - name: ISTIO_META_APP_CONTAINERS 1007 value: "{{ $containers | join "," }}" 1008 - name: ISTIO_META_CLUSTER_ID 1009 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1010 - name: ISTIO_META_NODE_NAME 1011 valueFrom: 1012 fieldRef: 1013 fieldPath: spec.nodeName 1014 {{- if .Values.global.network }} 1015 - name: ISTIO_META_NETWORK 1016 value: "{{ .Values.global.network }}" 1017 {{- end }} 1018 {{- if .DeploymentMeta.Name }} 1019 - name: ISTIO_META_WORKLOAD_NAME 1020 value: "{{ .DeploymentMeta.Name }}" 1021 {{ end }} 1022 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 1023 - name: ISTIO_META_OWNER 1024 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 1025 {{- end}} 1026 {{- if .Values.global.meshID }} 1027 - name: ISTIO_META_MESH_ID 1028 value: "{{ .Values.global.meshID }}" 1029 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1030 - name: ISTIO_META_MESH_ID 1031 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1032 {{- end }} 1033 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1034 - name: TRUST_DOMAIN 1035 value: "{{ . }}" 1036 {{- end }} 1037 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1038 - name: {{ $key }} 1039 value: "{{ $value }}" 1040 {{- end }} 1041 # grpc uses xds:/// to resolve – no need to resolve VIP 1042 - name: ISTIO_META_DNS_CAPTURE 1043 value: "false" 1044 - name: DISABLE_ENVOY 1045 value: "true" 1046 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1047 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 1048 readinessProbe: 1049 httpGet: 1050 path: /healthz/ready 1051 port: 15020 1052 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 1053 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 1054 timeoutSeconds: 3 1055 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 1056 resources: 1057 {{ template "resources" . }} 1058 volumeMounts: 1059 - name: workload-socket 1060 mountPath: /var/run/secrets/workload-spiffe-uds 1061 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1062 - name: gke-workload-certificate 1063 mountPath: /var/run/secrets/workload-spiffe-credentials 1064 readOnly: true 1065 {{- else }} 1066 - name: workload-certs 1067 mountPath: /var/run/secrets/workload-spiffe-credentials 1068 {{- end }} 1069 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1070 - mountPath: /var/run/secrets/istio 1071 name: istiod-ca-cert 1072 {{- end }} 1073 - mountPath: /var/lib/istio/data 1074 name: istio-data 1075 # UDS channel between istioagent and gRPC client for XDS/SDS 1076 - mountPath: /etc/istio/proxy 1077 name: istio-xds 1078 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1079 - mountPath: /var/run/secrets/tokens 1080 name: istio-token 1081 {{- end }} 1082 {{- if .Values.global.mountMtlsCerts }} 1083 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 1084 - mountPath: /etc/certs/ 1085 name: istio-certs 1086 readOnly: true 1087 {{- end }} 1088 - name: istio-podinfo 1089 mountPath: /etc/istio/pod 1090 {{- end }} 1091 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 1092 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 1093 - name: "{{ $index }}" 1094 {{ toYaml $value | indent 6 }} 1095 {{ end }} 1096 {{- end }} 1097 {{- range $index, $container := .Spec.Containers }} 1098 {{ if not (eq $container.Name "istio-proxy") }} 1099 - name: {{ $container.Name }} 1100 env: 1101 - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" 1102 value: "true" 1103 - name: "GRPC_XDS_BOOTSTRAP" 1104 value: "/etc/istio/proxy/grpc-bootstrap.json" 1105 volumeMounts: 1106 - mountPath: /var/lib/istio/data 1107 name: istio-data 1108 # UDS channel between istioagent and gRPC client for XDS/SDS 1109 - mountPath: /etc/istio/proxy 1110 name: istio-xds 1111 {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} 1112 - name: gke-workload-certificate 1113 mountPath: /var/run/secrets/workload-spiffe-credentials 1114 readOnly: true 1115 {{- else }} 1116 - name: workload-certs 1117 mountPath: /var/run/secrets/workload-spiffe-credentials 1118 {{- end }} 1119 {{- end }} 1120 {{- end }} 1121 volumes: 1122 - emptyDir: 1123 name: workload-socket 1124 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1125 - name: gke-workload-certificate 1126 csi: 1127 driver: workloadcertificates.security.cloud.google.com 1128 {{- else }} 1129 - emptyDir: 1130 name: workload-certs 1131 {{- end }} 1132 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 1133 - name: custom-bootstrap-volume 1134 configMap: 1135 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 1136 {{- end }} 1137 # SDS channel between istioagent and Envoy 1138 - emptyDir: 1139 medium: Memory 1140 name: istio-xds 1141 - name: istio-data 1142 emptyDir: {} 1143 - name: istio-podinfo 1144 downwardAPI: 1145 items: 1146 - path: "labels" 1147 fieldRef: 1148 fieldPath: metadata.labels 1149 - path: "annotations" 1150 fieldRef: 1151 fieldPath: metadata.annotations 1152 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1153 - name: istio-token 1154 projected: 1155 sources: 1156 - serviceAccountToken: 1157 path: istio-token 1158 expirationSeconds: 43200 1159 audience: {{ .Values.global.sds.token.aud }} 1160 {{- end }} 1161 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1162 - name: istiod-ca-cert 1163 configMap: 1164 name: istio-ca-root-cert 1165 {{- end }} 1166 {{- if .Values.global.mountMtlsCerts }} 1167 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 1168 - name: istio-certs 1169 secret: 1170 optional: true 1171 {{ if eq .Spec.ServiceAccountName "" }} 1172 secretName: istio.default 1173 {{ else -}} 1174 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1175 {{ end -}} 1176 {{- end }} 1177 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 1178 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 1179 - name: "{{ $index }}" 1180 {{ toYaml $value | indent 4 }} 1181 {{ end }} 1182 {{ end }} 1183 {{- if .Values.global.imagePullSecrets }} 1184 imagePullSecrets: 1185 {{- range .Values.global.imagePullSecrets }} 1186 - name: {{ . }} 1187 {{- end }} 1188 {{- end }} 1189 waypoint: | 1190 apiVersion: v1 1191 kind: ServiceAccount 1192 metadata: 1193 name: {{.ServiceAccount | quote}} 1194 namespace: {{.Namespace | quote}} 1195 annotations: 1196 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1197 labels: 1198 {{- toJsonMap 1199 .InfrastructureLabels 1200 (strdict 1201 "gateway.networking.k8s.io/gateway-name" .Name 1202 "istio.io/gateway-name" .Name 1203 ) | nindent 4 }} 1204 --- 1205 apiVersion: apps/v1 1206 kind: Deployment 1207 metadata: 1208 name: {{.DeploymentName | quote}} 1209 namespace: {{.Namespace | quote}} 1210 annotations: 1211 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1212 labels: 1213 {{- toJsonMap 1214 .InfrastructureLabels 1215 (strdict 1216 "gateway.networking.k8s.io/gateway-name" .Name 1217 "istio.io/gateway-name" .Name 1218 "gateway.istio.io/managed" "istio.io-mesh-controller" 1219 ) | nindent 4 }} 1220 ownerReferences: 1221 - apiVersion: gateway.networking.k8s.io/v1beta1 1222 kind: Gateway 1223 name: "{{.Name}}" 1224 uid: "{{.UID}}" 1225 spec: 1226 selector: 1227 matchLabels: 1228 "{{.GatewayNameLabel}}": "{{.Name}}" 1229 template: 1230 metadata: 1231 annotations: 1232 {{- toJsonMap 1233 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1234 (strdict "istio.io/rev" (.Revision | default "default")) 1235 (strdict 1236 "ambient.istio.io/redirection" "disabled" 1237 "prometheus.io/path" "/stats/prometheus" 1238 "prometheus.io/port" "15020" 1239 "prometheus.io/scrape" "true" 1240 ) | nindent 8 }} 1241 labels: 1242 {{- toJsonMap 1243 (strdict 1244 "sidecar.istio.io/inject" "false" 1245 "service.istio.io/canonical-name" .DeploymentName 1246 "service.istio.io/canonical-revision" "latest" 1247 ) 1248 .InfrastructureLabels 1249 (strdict 1250 "gateway.networking.k8s.io/gateway-name" .Name 1251 "istio.io/gateway-name" .Name 1252 "gateway.istio.io/managed" "istio.io-mesh-controller" 1253 ) | nindent 8}} 1254 spec: 1255 terminationGracePeriodSeconds: 2 1256 serviceAccountName: {{.ServiceAccount | quote}} 1257 containers: 1258 - name: istio-proxy 1259 ports: 1260 - containerPort: 15021 1261 name: status-port 1262 protocol: TCP 1263 - containerPort: 15090 1264 protocol: TCP 1265 name: http-envoy-prom 1266 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1267 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1268 {{- else }} 1269 image: "{{ .ProxyImage }}" 1270 {{- end }} 1271 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1272 args: 1273 - proxy 1274 - waypoint 1275 - --domain 1276 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1277 - --serviceCluster 1278 - {{.ServiceAccount}}.$(POD_NAMESPACE) 1279 - --proxyLogLevel 1280 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 1281 - --proxyComponentLogLevel 1282 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 1283 - --log_output_level 1284 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} 1285 {{- if .Values.global.logAsJson }} 1286 - --log_as_json 1287 {{- end }} 1288 env: 1289 - name: ISTIO_META_SERVICE_ACCOUNT 1290 valueFrom: 1291 fieldRef: 1292 fieldPath: spec.serviceAccountName 1293 - name: ISTIO_META_NODE_NAME 1294 valueFrom: 1295 fieldRef: 1296 fieldPath: spec.nodeName 1297 - name: JWT_POLICY 1298 value: {{ .Values.global.jwtPolicy }} 1299 - name: PILOT_CERT_PROVIDER 1300 value: {{ .Values.global.pilotCertProvider }} 1301 - name: CA_ADDR 1302 {{- if .Values.global.caAddress }} 1303 value: {{ .Values.global.caAddress }} 1304 {{- else }} 1305 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1306 {{- end }} 1307 - name: POD_NAME 1308 valueFrom: 1309 fieldRef: 1310 fieldPath: metadata.name 1311 - name: POD_NAMESPACE 1312 valueFrom: 1313 fieldRef: 1314 fieldPath: metadata.namespace 1315 - name: INSTANCE_IP 1316 valueFrom: 1317 fieldRef: 1318 fieldPath: status.podIP 1319 - name: SERVICE_ACCOUNT 1320 valueFrom: 1321 fieldRef: 1322 fieldPath: spec.serviceAccountName 1323 - name: HOST_IP 1324 valueFrom: 1325 fieldRef: 1326 fieldPath: status.hostIP 1327 - name: ISTIO_CPU_LIMIT 1328 valueFrom: 1329 resourceFieldRef: 1330 resource: limits.cpu 1331 - name: PROXY_CONFIG 1332 value: | 1333 {{ protoToJSON .ProxyConfig }} 1334 {{- if .ProxyConfig.ProxyMetadata }} 1335 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1336 - name: {{ $key }} 1337 value: "{{ $value }}" 1338 {{- end }} 1339 {{- end }} 1340 - name: GOMEMLIMIT 1341 valueFrom: 1342 resourceFieldRef: 1343 resource: limits.memory 1344 - name: GOMAXPROCS 1345 valueFrom: 1346 resourceFieldRef: 1347 resource: limits.cpu 1348 - name: ISTIO_META_CLUSTER_ID 1349 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1350 {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} 1351 {{- if $network }} 1352 - name: ISTIO_META_NETWORK 1353 value: "{{ $network }}" 1354 {{- end }} 1355 - name: ISTIO_META_INTERCEPTION_MODE 1356 value: REDIRECT 1357 - name: ISTIO_META_WORKLOAD_NAME 1358 value: {{.DeploymentName}} 1359 - name: ISTIO_META_OWNER 1360 value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} 1361 {{- if .Values.global.meshID }} 1362 - name: ISTIO_META_MESH_ID 1363 value: "{{ .Values.global.meshID }}" 1364 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1365 - name: ISTIO_META_MESH_ID 1366 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1367 {{- end }} 1368 resources: 1369 limits: 1370 cpu: "2" 1371 memory: 1Gi 1372 requests: 1373 cpu: 100m 1374 memory: 128Mi 1375 startupProbe: 1376 failureThreshold: 30 1377 httpGet: 1378 path: /healthz/ready 1379 port: 15021 1380 scheme: HTTP 1381 initialDelaySeconds: 1 1382 periodSeconds: 1 1383 successThreshold: 1 1384 timeoutSeconds: 1 1385 readinessProbe: 1386 failureThreshold: 4 1387 httpGet: 1388 path: /healthz/ready 1389 port: 15021 1390 scheme: HTTP 1391 initialDelaySeconds: 0 1392 periodSeconds: 15 1393 successThreshold: 1 1394 timeoutSeconds: 1 1395 securityContext: 1396 privileged: false 1397 runAsGroup: 1337 1398 runAsUser: 0 1399 capabilities: 1400 drop: 1401 - ALL 1402 volumeMounts: 1403 - name: workload-socket 1404 mountPath: /var/run/secrets/workload-spiffe-uds 1405 - mountPath: /var/run/secrets/istio 1406 name: istiod-ca-cert 1407 - mountPath: /var/lib/istio/data 1408 name: istio-data 1409 - mountPath: /etc/istio/proxy 1410 name: istio-envoy 1411 - mountPath: /var/run/secrets/tokens 1412 name: istio-token 1413 - mountPath: /etc/istio/pod 1414 name: istio-podinfo 1415 volumes: 1416 - emptyDir: {} 1417 name: workload-socket 1418 - emptyDir: 1419 medium: Memory 1420 name: istio-envoy 1421 - emptyDir: 1422 medium: Memory 1423 name: go-proxy-envoy 1424 - emptyDir: {} 1425 name: istio-data 1426 - emptyDir: {} 1427 name: go-proxy-data 1428 - downwardAPI: 1429 items: 1430 - fieldRef: 1431 fieldPath: metadata.labels 1432 path: labels 1433 - fieldRef: 1434 fieldPath: metadata.annotations 1435 path: annotations 1436 name: istio-podinfo 1437 - name: istio-token 1438 projected: 1439 sources: 1440 - serviceAccountToken: 1441 audience: istio-ca 1442 expirationSeconds: 43200 1443 path: istio-token 1444 - configMap: 1445 name: istio-ca-root-cert 1446 name: istiod-ca-cert 1447 {{- if .Values.global.imagePullSecrets }} 1448 imagePullSecrets: 1449 {{- range .Values.global.imagePullSecrets }} 1450 - name: {{ . }} 1451 {{- end }} 1452 {{- end }} 1453 --- 1454 apiVersion: v1 1455 kind: Service 1456 metadata: 1457 annotations: 1458 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1459 labels: 1460 {{- toJsonMap 1461 .InfrastructureLabels 1462 (strdict 1463 "gateway.networking.k8s.io/gateway-name" .Name 1464 "istio.io/gateway-name" .Name 1465 ) | nindent 4 }} 1466 name: {{.DeploymentName | quote}} 1467 namespace: {{.Namespace | quote}} 1468 ownerReferences: 1469 - apiVersion: gateway.networking.k8s.io/v1beta1 1470 kind: Gateway 1471 name: "{{.Name}}" 1472 uid: "{{.UID}}" 1473 spec: 1474 ports: 1475 {{- range $key, $val := .Ports }} 1476 - name: {{ $val.Name | quote }} 1477 port: {{ $val.Port }} 1478 protocol: TCP 1479 appProtocol: {{ $val.AppProtocol }} 1480 {{- end }} 1481 selector: 1482 "{{.GatewayNameLabel}}": "{{.Name}}" 1483 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 1484 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 1485 {{- end }} 1486 type: {{ .ServiceType | quote }} 1487 --- 1488 kube-gateway: | 1489 apiVersion: v1 1490 kind: ServiceAccount 1491 metadata: 1492 name: {{.ServiceAccount | quote}} 1493 namespace: {{.Namespace | quote}} 1494 annotations: 1495 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1496 labels: 1497 {{- toJsonMap 1498 .InfrastructureLabels 1499 (strdict 1500 "gateway.networking.k8s.io/gateway-name" .Name 1501 "istio.io/gateway-name" .Name 1502 ) | nindent 4 }} 1503 --- 1504 apiVersion: apps/v1 1505 kind: Deployment 1506 metadata: 1507 name: {{.DeploymentName | quote}} 1508 namespace: {{.Namespace | quote}} 1509 annotations: 1510 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1511 labels: 1512 {{- toJsonMap 1513 .InfrastructureLabels 1514 (strdict 1515 "gateway.networking.k8s.io/gateway-name" .Name 1516 "istio.io/gateway-name" .Name 1517 ) | nindent 4 }} 1518 ownerReferences: 1519 - apiVersion: gateway.networking.k8s.io/v1beta1 1520 kind: Gateway 1521 name: {{.Name}} 1522 uid: "{{.UID}}" 1523 spec: 1524 selector: 1525 matchLabels: 1526 "{{.GatewayNameLabel}}": {{.Name}} 1527 template: 1528 metadata: 1529 annotations: 1530 {{- toJsonMap 1531 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1532 (strdict "istio.io/rev" (.Revision | default "default")) 1533 (strdict 1534 "prometheus.io/path" "/stats/prometheus" 1535 "prometheus.io/port" "15020" 1536 "prometheus.io/scrape" "true" 1537 ) | nindent 8 }} 1538 labels: 1539 {{- toJsonMap 1540 (strdict 1541 "sidecar.istio.io/inject" "false" 1542 "service.istio.io/canonical-name" .DeploymentName 1543 "service.istio.io/canonical-revision" "latest" 1544 ) 1545 .InfrastructureLabels 1546 (strdict 1547 "gateway.networking.k8s.io/gateway-name" .Name 1548 "istio.io/gateway-name" .Name 1549 ) | nindent 8 }} 1550 spec: 1551 {{- if .KubeVersion122 }} 1552 {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} 1553 securityContext: 1554 sysctls: 1555 - name: net.ipv4.ip_unprivileged_port_start 1556 value: "0" 1557 {{- end }} 1558 serviceAccountName: {{.ServiceAccount | quote}} 1559 containers: 1560 - name: istio-proxy 1561 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1562 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1563 {{- else }} 1564 image: "{{ .ProxyImage }}" 1565 {{- end }} 1566 {{- if .Values.global.proxy.resources }} 1567 resources: 1568 {{- toYaml .Values.global.proxy.resources | nindent 10 }} 1569 {{- end }} 1570 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1571 securityContext: 1572 {{- if .KubeVersion122 }} 1573 # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 1574 capabilities: 1575 drop: 1576 - ALL 1577 allowPrivilegeEscalation: false 1578 privileged: false 1579 readOnlyRootFilesystem: true 1580 runAsUser: {{ .ProxyUID | default "1337" }} 1581 runAsGroup: {{ .ProxyGID | default "1337" }} 1582 runAsNonRoot: true 1583 {{- else }} 1584 capabilities: 1585 drop: 1586 - ALL 1587 add: 1588 - NET_BIND_SERVICE 1589 runAsUser: 0 1590 runAsGroup: 1337 1591 runAsNonRoot: false 1592 allowPrivilegeEscalation: true 1593 readOnlyRootFilesystem: true 1594 {{- end }} 1595 ports: 1596 - containerPort: 15021 1597 name: status-port 1598 protocol: TCP 1599 - containerPort: 15090 1600 protocol: TCP 1601 name: http-envoy-prom 1602 args: 1603 - proxy 1604 - router 1605 - --domain 1606 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1607 - --proxyLogLevel 1608 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 1609 - --proxyComponentLogLevel 1610 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 1611 - --log_output_level 1612 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} 1613 {{- if .Values.global.sts.servicePort }} 1614 - --stsPort={{ .Values.global.sts.servicePort }} 1615 {{- end }} 1616 {{- if .Values.global.logAsJson }} 1617 - --log_as_json 1618 {{- end }} 1619 {{- if .Values.global.proxy.lifecycle }} 1620 lifecycle: 1621 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 1622 {{- end }} 1623 env: 1624 - name: JWT_POLICY 1625 value: {{ .Values.global.jwtPolicy }} 1626 - name: PILOT_CERT_PROVIDER 1627 value: {{ .Values.global.pilotCertProvider }} 1628 - name: CA_ADDR 1629 {{- if .Values.global.caAddress }} 1630 value: {{ .Values.global.caAddress }} 1631 {{- else }} 1632 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1633 {{- end }} 1634 - name: POD_NAME 1635 valueFrom: 1636 fieldRef: 1637 fieldPath: metadata.name 1638 - name: POD_NAMESPACE 1639 valueFrom: 1640 fieldRef: 1641 fieldPath: metadata.namespace 1642 - name: INSTANCE_IP 1643 valueFrom: 1644 fieldRef: 1645 fieldPath: status.podIP 1646 - name: SERVICE_ACCOUNT 1647 valueFrom: 1648 fieldRef: 1649 fieldPath: spec.serviceAccountName 1650 - name: HOST_IP 1651 valueFrom: 1652 fieldRef: 1653 fieldPath: status.hostIP 1654 - name: ISTIO_CPU_LIMIT 1655 valueFrom: 1656 resourceFieldRef: 1657 resource: limits.cpu 1658 - name: PROXY_CONFIG 1659 value: | 1660 {{ protoToJSON .ProxyConfig }} 1661 - name: ISTIO_META_POD_PORTS 1662 value: "[]" 1663 - name: ISTIO_META_APP_CONTAINERS 1664 value: "" 1665 - name: GOMEMLIMIT 1666 valueFrom: 1667 resourceFieldRef: 1668 resource: limits.memory 1669 - name: GOMAXPROCS 1670 valueFrom: 1671 resourceFieldRef: 1672 resource: limits.cpu 1673 - name: ISTIO_META_CLUSTER_ID 1674 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" 1675 - name: ISTIO_META_NODE_NAME 1676 valueFrom: 1677 fieldRef: 1678 fieldPath: spec.nodeName 1679 - name: ISTIO_META_INTERCEPTION_MODE 1680 value: "{{ .ProxyConfig.InterceptionMode.String }}" 1681 {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} 1682 - name: ISTIO_META_NETWORK 1683 value: {{.|quote}} 1684 {{- end }} 1685 - name: ISTIO_META_WORKLOAD_NAME 1686 value: {{.DeploymentName|quote}} 1687 - name: ISTIO_META_OWNER 1688 value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" 1689 {{- if .Values.global.meshID }} 1690 - name: ISTIO_META_MESH_ID 1691 value: "{{ .Values.global.meshID }}" 1692 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1693 - name: ISTIO_META_MESH_ID 1694 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1695 {{- end }} 1696 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1697 - name: TRUST_DOMAIN 1698 value: "{{ . }}" 1699 {{- end }} 1700 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1701 - name: {{ $key }} 1702 value: "{{ $value }}" 1703 {{- end }} 1704 {{- with (index .InfrastructureLabels "topology.istio.io/network") }} 1705 - name: ISTIO_META_REQUESTED_NETWORK_VIEW 1706 value: {{.|quote}} 1707 {{- end }} 1708 startupProbe: 1709 failureThreshold: 30 1710 httpGet: 1711 path: /healthz/ready 1712 port: 15021 1713 scheme: HTTP 1714 initialDelaySeconds: 1 1715 periodSeconds: 1 1716 successThreshold: 1 1717 timeoutSeconds: 1 1718 readinessProbe: 1719 failureThreshold: 4 1720 httpGet: 1721 path: /healthz/ready 1722 port: 15021 1723 scheme: HTTP 1724 initialDelaySeconds: 0 1725 periodSeconds: 15 1726 successThreshold: 1 1727 timeoutSeconds: 1 1728 volumeMounts: 1729 - name: workload-socket 1730 mountPath: /var/run/secrets/workload-spiffe-uds 1731 - name: credential-socket 1732 mountPath: /var/run/secrets/credential-uds 1733 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1734 - name: gke-workload-certificate 1735 mountPath: /var/run/secrets/workload-spiffe-credentials 1736 readOnly: true 1737 {{- else }} 1738 - name: workload-certs 1739 mountPath: /var/run/secrets/workload-spiffe-credentials 1740 {{- end }} 1741 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1742 - mountPath: /var/run/secrets/istio 1743 name: istiod-ca-cert 1744 {{- end }} 1745 - mountPath: /var/lib/istio/data 1746 name: istio-data 1747 # SDS channel between istioagent and Envoy 1748 - mountPath: /etc/istio/proxy 1749 name: istio-envoy 1750 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1751 - mountPath: /var/run/secrets/tokens 1752 name: istio-token 1753 {{- end }} 1754 - name: istio-podinfo 1755 mountPath: /etc/istio/pod 1756 volumes: 1757 - emptyDir: {} 1758 name: workload-socket 1759 - emptyDir: {} 1760 name: credential-socket 1761 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1762 - name: gke-workload-certificate 1763 csi: 1764 driver: workloadcertificates.security.cloud.google.com 1765 {{- else}} 1766 - emptyDir: {} 1767 name: workload-certs 1768 {{- end }} 1769 # SDS channel between istioagent and Envoy 1770 - emptyDir: 1771 medium: Memory 1772 name: istio-envoy 1773 - name: istio-data 1774 emptyDir: {} 1775 - name: istio-podinfo 1776 downwardAPI: 1777 items: 1778 - path: "labels" 1779 fieldRef: 1780 fieldPath: metadata.labels 1781 - path: "annotations" 1782 fieldRef: 1783 fieldPath: metadata.annotations 1784 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 1785 - name: istio-token 1786 projected: 1787 sources: 1788 - serviceAccountToken: 1789 path: istio-token 1790 expirationSeconds: 43200 1791 audience: {{ .Values.global.sds.token.aud }} 1792 {{- end }} 1793 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1794 - name: istiod-ca-cert 1795 configMap: 1796 name: istio-ca-root-cert 1797 {{- end }} 1798 {{- if .Values.global.imagePullSecrets }} 1799 imagePullSecrets: 1800 {{- range .Values.global.imagePullSecrets }} 1801 - name: {{ . }} 1802 {{- end }} 1803 {{- end }} 1804 --- 1805 apiVersion: v1 1806 kind: Service 1807 metadata: 1808 annotations: 1809 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1810 labels: 1811 {{- toJsonMap 1812 .InfrastructureLabels 1813 (strdict 1814 "gateway.networking.k8s.io/gateway-name" .Name 1815 "istio.io/gateway-name" .Name 1816 ) | nindent 4 }} 1817 name: {{.DeploymentName | quote}} 1818 namespace: {{.Namespace | quote}} 1819 ownerReferences: 1820 - apiVersion: gateway.networking.k8s.io/v1beta1 1821 kind: Gateway 1822 name: {{.Name}} 1823 uid: {{.UID}} 1824 spec: 1825 ports: 1826 {{- range $key, $val := .Ports }} 1827 - name: {{ $val.Name | quote }} 1828 port: {{ $val.Port }} 1829 protocol: TCP 1830 appProtocol: {{ $val.AppProtocol }} 1831 {{- end }} 1832 selector: 1833 "{{.GatewayNameLabel}}": {{.Name}} 1834 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 1835 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 1836 {{- end }} 1837 type: {{ .ServiceType | quote }} 1838 --- 1839 credential-volume: | 1840 spec: 1841 volumes: 1842 - name: application-credentials 1843 secret: 1844 secretName: secret 1845 containers: 1846 - name: istio-proxy 1847 volumeMounts: 1848 - name: application-credentials 1849 mountPath: /etc/istio/application-credentials 1850 readOnly: true 1851 values: |- 1852 { 1853 "global": { 1854 "autoscalingv2API": true, 1855 "caAddress": "", 1856 "caName": "", 1857 "certSigners": [], 1858 "configCluster": false, 1859 "configValidation": true, 1860 "defaultPodDisruptionBudget": { 1861 "enabled": true 1862 }, 1863 "defaultResources": { 1864 "requests": { 1865 "cpu": "10m" 1866 } 1867 }, 1868 "enabled": true, 1869 "externalIstiod": false, 1870 "hub": "gcr.io/istio-testing", 1871 "imagePullPolicy": "", 1872 "imagePullSecrets": [], 1873 "istioNamespace": "istio-system", 1874 "istiod": { 1875 "enableAnalysis": false 1876 }, 1877 "jwtPolicy": "third-party-jwt", 1878 "logAsJson": false, 1879 "logging": { 1880 "level": "default:info" 1881 }, 1882 "meshID": "", 1883 "meshNetworks": {}, 1884 "mountMtlsCerts": false, 1885 "multiCluster": { 1886 "clusterName": "", 1887 "enabled": false 1888 }, 1889 "namespace": "istio-system", 1890 "network": "", 1891 "omitSidecarInjectorConfigMap": false, 1892 "oneNamespace": false, 1893 "operatorManageWebhooks": false, 1894 "pilotCertProvider": "istiod", 1895 "priorityClassName": "", 1896 "proxy": { 1897 "autoInject": "enabled", 1898 "clusterDomain": "cluster.local", 1899 "componentLogLevel": "misc:error", 1900 "enableCoreDump": false, 1901 "excludeIPRanges": "", 1902 "excludeInboundPorts": "", 1903 "excludeOutboundPorts": "", 1904 "image": "proxyv2", 1905 "includeIPRanges": "*", 1906 "includeInboundPorts": "*", 1907 "includeOutboundPorts": "", 1908 "logLevel": "warning", 1909 "privileged": false, 1910 "readinessFailureThreshold": 4, 1911 "readinessInitialDelaySeconds": 0, 1912 "readinessPeriodSeconds": 15, 1913 "resources": { 1914 "limits": { 1915 "cpu": "2000m", 1916 "memory": "1024Mi" 1917 }, 1918 "requests": { 1919 "cpu": "100m", 1920 "memory": "128Mi" 1921 } 1922 }, 1923 "startupProbe": { 1924 "enabled": true, 1925 "failureThreshold": 600 1926 }, 1927 "statusPort": 15020, 1928 "tracer": "zipkin" 1929 }, 1930 "proxy_init": { 1931 "image": "proxyv2" 1932 }, 1933 "remotePilotAddress": "", 1934 "sds": { 1935 "token": { 1936 "aud": "istio-ca" 1937 } 1938 }, 1939 "sts": { 1940 "servicePort": 0 1941 }, 1942 "tag": "latest", 1943 "variant": "" 1944 }, 1945 "istio_cni": { 1946 "chained": true, 1947 "enabled": false 1948 }, 1949 "revision": "", 1950 "sidecarInjectorWebhook": { 1951 "alwaysInjectSelector": [], 1952 "defaultTemplates": [ 1953 "sidecar", 1954 "credential-volume" 1955 ], 1956 "enableNamespacesByDefault": false, 1957 "injectedAnnotations": {}, 1958 "neverInjectSelector": [], 1959 "reinvocationPolicy": "Never", 1960 "rewriteAppHTTPProbe": true, 1961 "templates": { 1962 "credential-volume": "spec:\n volumes:\n - name: application-credentials\n secret:\n secretName: secret\n containers:\n - name: istio-proxy\n volumeMounts:\n - name: application-credentials\n mountPath: /etc/istio/application-credentials\n readOnly: true\n" 1963 } 1964 } 1965 } 1966 kind: ConfigMap 1967 metadata: 1968 labels: 1969 install.operator.istio.io/owning-resource: unknown 1970 istio.io/rev: default 1971 operator.istio.io/component: Pilot 1972 release: istio 1973 name: istio-sidecar-injector 1974 namespace: istio-system 1975 1976 ---