istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml (about) 1 # defaultTemplates defines the default template to use for pods that do not explicitly specify a template 2 defaultTemplates: [sidecar] 3 policy: enabled 4 alwaysInjectSelector: 5 [] 6 neverInjectSelector: 7 [] 8 injectedAnnotations: 9 template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" 10 templates: 11 sidecar: | 12 {{- define "resources" }} 13 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 14 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 15 requests: 16 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 17 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 18 {{ end }} 19 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 20 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 21 {{ end }} 22 {{- end }} 23 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 24 limits: 25 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 26 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 27 {{ end }} 28 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 29 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 30 {{ end }} 31 {{- end }} 32 {{- else }} 33 {{- if .Values.global.proxy.resources }} 34 {{ toYaml .Values.global.proxy.resources | indent 6 }} 35 {{- end }} 36 {{- end }} 37 {{- end }} 38 {{ $nativeSidecar := (eq (env 
"ENABLE_NATIVE_SIDECARS" "false") "true") }} 39 {{- $containers := list }} 40 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 41 metadata: 42 labels: 43 security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} 44 {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} 45 networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 46 {{- end }} 47 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} 48 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 49 annotations: { 50 istio.io/rev: {{ .Revision | default "default" | quote }}, 51 {{- if ge (len $containers) 1 }} 52 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 53 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 54 {{- end }} 55 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 56 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 57 {{- end }} 58 {{- end }} 59 {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} 60 {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} 61 k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', 62 {{- end }} 63 
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 64 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} 65 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} 66 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} 67 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", 68 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} 69 traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", 70 {{- end }} 71 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 72 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", 73 {{- end }} 74 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} 75 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} 76 {{- end }} 77 } 78 spec: 79 
{{- $holdProxy := and 80 (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) 81 (not $nativeSidecar) }} 82 initContainers: 83 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 84 {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} 85 - name: istio-validation 86 {{ else -}} 87 - name: istio-init 88 {{ end -}} 89 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 90 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 91 {{- else }} 92 image: "{{ .ProxyImage }}" 93 {{- end }} 94 args: 95 - istio-iptables 96 - "-p" 97 - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} 98 - "-z" 99 - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} 100 - "-u" 101 - {{ .ProxyUID | default "1337" | quote }} 102 - "-m" 103 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 104 - "-i" 105 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 106 - "-x" 107 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 108 - "-b" 109 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" 110 - "-d" 111 {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} 112 - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 113 {{- else }} 114 - 
"15090,15021" 115 {{- end }} 116 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} 117 - "-q" 118 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" 119 {{ end -}} 120 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 121 - "-o" 122 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 123 {{ end -}} 124 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 125 - "-k" 126 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 127 {{ end -}} 128 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} 129 - "-c" 130 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" 131 {{ end -}} 132 - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" 133 {{ if .Values.global.logAsJson -}} 134 - "--log_as_json" 135 {{ end -}} 136 {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} 137 - "--run-validation" 138 - "--skip-rule-apply" 139 {{ end -}} 140 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 141 {{- if .ProxyConfig.ProxyMetadata }} 142 env: 143 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 144 - name: {{ $key }} 145 value: "{{ $value }}" 146 {{- end }} 147 {{- end }} 148 resources: 149 {{ template "resources" . 
}} 150 securityContext: 151 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 152 privileged: {{ .Values.global.proxy.privileged }} 153 capabilities: 154 {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} 155 add: 156 - NET_ADMIN 157 - NET_RAW 158 {{- end }} 159 drop: 160 - ALL 161 {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} 162 readOnlyRootFilesystem: false 163 runAsGroup: 0 164 runAsNonRoot: false 165 runAsUser: 0 166 {{- else }} 167 readOnlyRootFilesystem: true 168 runAsGroup: {{ .ProxyGID | default "1337" }} 169 runAsUser: {{ .ProxyUID | default "1337" }} 170 runAsNonRoot: true 171 {{- end }} 172 {{ end -}} 173 {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 174 - name: enable-core-dump 175 args: 176 - -c 177 - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited 178 command: 179 - /bin/sh 180 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 181 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 182 {{- else }} 183 image: "{{ .ProxyImage }}" 184 {{- end }} 185 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 186 resources: 187 {{ template "resources" . 
}} 188 securityContext: 189 allowPrivilegeEscalation: true 190 capabilities: 191 add: 192 - SYS_ADMIN 193 drop: 194 - ALL 195 privileged: true 196 readOnlyRootFilesystem: false 197 runAsGroup: 0 198 runAsNonRoot: false 199 runAsUser: 0 200 {{ end }} 201 {{ if not $nativeSidecar }} 202 containers: 203 {{ end }} 204 - name: istio-proxy 205 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 206 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 207 {{- else }} 208 image: "{{ .ProxyImage }}" 209 {{- end }} 210 {{ if $nativeSidecar }}restartPolicy: Always{{end}} 211 ports: 212 - containerPort: 15090 213 protocol: TCP 214 name: http-envoy-prom 215 args: 216 - proxy 217 - sidecar 218 - --domain 219 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 220 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 221 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 222 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 223 {{- if .Values.global.sts.servicePort }} 224 - --stsPort={{ .Values.global.sts.servicePort }} 225 {{- end }} 226 {{- if .Values.global.logAsJson }} 227 - --log_as_json 228 {{- end }} 229 {{- if .Values.global.proxy.outlierLogPath }} 230 - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} 231 {{- end}} 232 {{- if .Values.global.proxy.lifecycle }} 233 lifecycle: 234 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 235 {{- else if $holdProxy }} 236 lifecycle: 237 postStart: 238 exec: 239 command: 240 - pilot-agent 241 - wait 242 {{- else if $nativeSidecar }} 243 {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} 244 lifecycle: 245 preStop: 246 exec: 247 command: 248 - pilot-agent 249 - request 250 - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} 251 - POST 252 - drain 253 {{- end }} 254 env: 255 {{- if eq .InboundTrafficPolicyMode "localhost" }} 256 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 257 value: "true" 258 {{- end }} 259 - name: PILOT_CERT_PROVIDER 260 value: {{ .Values.global.pilotCertProvider }} 261 - name: CA_ADDR 262 {{- if .Values.global.caAddress }} 263 value: {{ .Values.global.caAddress }} 264 {{- else }} 265 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 266 {{- end }} 267 - name: POD_NAME 268 valueFrom: 269 fieldRef: 270 fieldPath: metadata.name 271 - name: POD_NAMESPACE 272 valueFrom: 273 fieldRef: 274 fieldPath: metadata.namespace 275 - name: INSTANCE_IP 276 valueFrom: 277 fieldRef: 278 fieldPath: status.podIP 279 - name: SERVICE_ACCOUNT 280 valueFrom: 281 fieldRef: 282 fieldPath: spec.serviceAccountName 283 - name: HOST_IP 284 valueFrom: 285 fieldRef: 286 fieldPath: status.hostIP 287 - name: ISTIO_CPU_LIMIT 288 valueFrom: 289 resourceFieldRef: 290 resource: limits.cpu 291 - name: PROXY_CONFIG 292 value: | 293 {{ protoToJSON .ProxyConfig }} 294 - name: ISTIO_META_POD_PORTS 295 value: |- 296 [ 297 {{- $first := true }} 298 {{- range $index1, $c := .Spec.Containers }} 299 {{- range $index2, $p := $c.Ports }} 300 {{- if (structToJSON $p) }} 301 {{if not $first}},{{end}}{{ structToJSON $p }} 302 {{- $first = false }} 303 {{- end }} 304 {{- end}} 305 {{- end}} 306 ] 307 - name: ISTIO_META_APP_CONTAINERS 308 value: "{{ $containers | join "," }}" 309 - name: GOMEMLIMIT 310 valueFrom: 311 resourceFieldRef: 312 resource: limits.memory 313 - name: GOMAXPROCS 314 valueFrom: 315 resourceFieldRef: 316 resource: limits.cpu 317 {{- if .CompliancePolicy }} 318 - name: COMPLIANCE_POLICY 319 value: "{{ .CompliancePolicy 
}}" 320 {{- end }} 321 - name: ISTIO_META_CLUSTER_ID 322 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 323 - name: ISTIO_META_NODE_NAME 324 valueFrom: 325 fieldRef: 326 fieldPath: spec.nodeName 327 - name: ISTIO_META_INTERCEPTION_MODE 328 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 329 {{- if .Values.global.network }} 330 - name: ISTIO_META_NETWORK 331 value: "{{ .Values.global.network }}" 332 {{- end }} 333 {{- if .DeploymentMeta.Name }} 334 - name: ISTIO_META_WORKLOAD_NAME 335 value: "{{ .DeploymentMeta.Name }}" 336 {{ end }} 337 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 338 - name: ISTIO_META_OWNER 339 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 340 {{- end}} 341 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 342 - name: ISTIO_BOOTSTRAP_OVERRIDE 343 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 344 {{- end }} 345 {{- if .Values.global.meshID }} 346 - name: ISTIO_META_MESH_ID 347 value: "{{ .Values.global.meshID }}" 348 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 349 - name: ISTIO_META_MESH_ID 350 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 351 {{- end }} 352 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 353 - name: TRUST_DOMAIN 354 value: "{{ . 
}}" 355 {{- end }} 356 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 357 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 358 - name: {{ $key }} 359 value: "{{ $value }}" 360 {{- end }} 361 {{- end }} 362 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 363 - name: {{ $key }} 364 value: "{{ $value }}" 365 {{- end }} 366 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 367 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 368 {{ if .Values.global.proxy.startupProbe.enabled }} 369 startupProbe: 370 httpGet: 371 path: /healthz/ready 372 port: 15021 373 initialDelaySeconds: 0 374 periodSeconds: 1 375 timeoutSeconds: 3 376 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} 377 {{ end }} 378 readinessProbe: 379 httpGet: 380 path: /healthz/ready 381 port: 15021 382 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 383 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 384 timeoutSeconds: 3 385 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 386 {{ end -}} 387 securityContext: 388 {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} 389 allowPrivilegeEscalation: true 390 capabilities: 391 add: 392 - NET_ADMIN 393 drop: 394 - ALL 395 privileged: true 396 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 397 runAsGroup: {{ .ProxyGID | default "1337" }} 398 runAsNonRoot: false 399 runAsUser: 0 400 {{- else }} 401 allowPrivilegeEscalation: {{ 
.Values.global.proxy.privileged }} 402 capabilities: 403 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 404 add: 405 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 406 - NET_ADMIN 407 {{- end }} 408 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 409 - NET_BIND_SERVICE 410 {{- end }} 411 {{- end }} 412 drop: 413 - ALL 414 privileged: {{ .Values.global.proxy.privileged }} 415 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 416 runAsGroup: {{ .ProxyGID | default "1337" }} 417 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 418 runAsNonRoot: false 419 runAsUser: 0 420 {{- else -}} 421 runAsNonRoot: true 422 runAsUser: {{ .ProxyUID | default "1337" }} 423 {{- end }} 424 {{- end }} 425 resources: 426 {{ template "resources" . 
}} 427 volumeMounts: 428 - name: workload-socket 429 mountPath: /var/run/secrets/workload-spiffe-uds 430 - name: credential-socket 431 mountPath: /var/run/secrets/credential-uds 432 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 433 - name: gke-workload-certificate 434 mountPath: /var/run/secrets/workload-spiffe-credentials 435 readOnly: true 436 {{- else }} 437 - name: workload-certs 438 mountPath: /var/run/secrets/workload-spiffe-credentials 439 {{- end }} 440 {{- if eq .Values.global.pilotCertProvider "istiod" }} 441 - mountPath: /var/run/secrets/istio 442 name: istiod-ca-cert 443 {{- end }} 444 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 445 - mountPath: /var/run/secrets/istio/kubernetes 446 name: kube-ca-cert 447 {{- end }} 448 - mountPath: /var/lib/istio/data 449 name: istio-data 450 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 451 - mountPath: /etc/istio/custom-bootstrap 452 name: custom-bootstrap-volume 453 {{- end }} 454 # SDS channel between istioagent and Envoy 455 - mountPath: /etc/istio/proxy 456 name: istio-envoy 457 - mountPath: /var/run/secrets/tokens 458 name: istio-token 459 {{- if .Values.global.mountMtlsCerts }} 460 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
461 - mountPath: /etc/certs/ 462 name: istio-certs 463 readOnly: true 464 {{- end }} 465 - name: istio-podinfo 466 mountPath: /etc/istio/pod 467 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 468 - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} 469 name: lightstep-certs 470 readOnly: true 471 {{- end }} 472 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 473 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 474 - name: "{{ $index }}" 475 {{ toYaml $value | indent 6 }} 476 {{ end }} 477 {{- end }} 478 volumes: 479 - emptyDir: 480 name: workload-socket 481 - emptyDir: 482 name: credential-socket 483 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 484 - name: gke-workload-certificate 485 csi: 486 driver: workloadcertificates.security.cloud.google.com 487 {{- else }} 488 - emptyDir: 489 name: workload-certs 490 {{- end }} 491 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 492 - name: custom-bootstrap-volume 493 configMap: 494 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 495 {{- end }} 496 # SDS channel between istioagent and Envoy 497 - emptyDir: 498 medium: Memory 499 name: istio-envoy 500 - name: istio-data 501 emptyDir: {} 502 - name: istio-podinfo 503 downwardAPI: 504 items: 505 - path: "labels" 506 fieldRef: 507 fieldPath: metadata.labels 508 - path: "annotations" 509 fieldRef: 510 fieldPath: metadata.annotations 511 - name: istio-token 512 projected: 513 sources: 514 - serviceAccountToken: 515 path: istio-token 516 expirationSeconds: 43200 517 audience: {{ .Values.global.sds.token.aud }} 518 {{- if eq .Values.global.pilotCertProvider "istiod" }} 519 - name: istiod-ca-cert 520 configMap: 521 name: istio-ca-root-cert 522 {{- end }} 523 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 524 - name: kube-ca-cert 525 
configMap: 526 name: kube-root-ca.crt 527 {{- end }} 528 {{- if .Values.global.mountMtlsCerts }} 529 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 530 - name: istio-certs 531 secret: 532 optional: true 533 {{ if eq .Spec.ServiceAccountName "" }} 534 secretName: istio.default 535 {{ else -}} 536 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 537 {{ end -}} 538 {{- end }} 539 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 540 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 541 - name: "{{ $index }}" 542 {{ toYaml $value | indent 4 }} 543 {{ end }} 544 {{ end }} 545 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 546 - name: lightstep-certs 547 secret: 548 optional: true 549 secretName: lightstep.cacert 550 {{- end }} 551 {{- if .Values.global.imagePullSecrets }} 552 imagePullSecrets: 553 {{- range .Values.global.imagePullSecrets }} 554 - name: {{ . 
}} 555 {{- end }} 556 {{- end }} 557 gateway: | 558 {{- $containers := list }} 559 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 560 metadata: 561 labels: 562 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 563 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 564 annotations: { 565 istio.io/rev: {{ .Revision | default "default" | quote }}, 566 {{- if eq (len $containers) 1 }} 567 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 568 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 569 {{ end }} 570 } 571 spec: 572 securityContext: 573 sysctls: 574 - name: net.ipv4.ip_unprivileged_port_start 575 value: "0" 576 containers: 577 - name: istio-proxy 578 {{- if contains "/" .Values.global.proxy.image }} 579 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 580 {{- else }} 581 image: "{{ .ProxyImage }}" 582 {{- end }} 583 ports: 584 - containerPort: 15090 585 protocol: TCP 586 name: http-envoy-prom 587 args: 588 - proxy 589 - router 590 - --domain 591 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 592 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 593 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 594 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 595 {{- if 
.Values.global.sts.servicePort }} 596 - --stsPort={{ .Values.global.sts.servicePort }} 597 {{- end }} 598 {{- if .Values.global.logAsJson }} 599 - --log_as_json 600 {{- end }} 601 {{- if .Values.global.proxy.lifecycle }} 602 lifecycle: 603 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 604 {{- end }} 605 securityContext: 606 runAsUser: {{ .ProxyUID | default "1337" }} 607 runAsGroup: {{ .ProxyGID | default "1337" }} 608 env: 609 - name: PILOT_CERT_PROVIDER 610 value: {{ .Values.global.pilotCertProvider }} 611 - name: CA_ADDR 612 {{- if .Values.global.caAddress }} 613 value: {{ .Values.global.caAddress }} 614 {{- else }} 615 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 616 {{- end }} 617 - name: POD_NAME 618 valueFrom: 619 fieldRef: 620 fieldPath: metadata.name 621 - name: POD_NAMESPACE 622 valueFrom: 623 fieldRef: 624 fieldPath: metadata.namespace 625 - name: INSTANCE_IP 626 valueFrom: 627 fieldRef: 628 fieldPath: status.podIP 629 - name: SERVICE_ACCOUNT 630 valueFrom: 631 fieldRef: 632 fieldPath: spec.serviceAccountName 633 - name: HOST_IP 634 valueFrom: 635 fieldRef: 636 fieldPath: status.hostIP 637 - name: ISTIO_CPU_LIMIT 638 valueFrom: 639 resourceFieldRef: 640 resource: limits.cpu 641 - name: PROXY_CONFIG 642 value: | 643 {{ protoToJSON .ProxyConfig }} 644 - name: ISTIO_META_POD_PORTS 645 value: |- 646 [ 647 {{- $first := true }} 648 {{- range $index1, $c := .Spec.Containers }} 649 {{- range $index2, $p := $c.Ports }} 650 {{- if (structToJSON $p) }} 651 {{if not $first}},{{end}}{{ structToJSON $p }} 652 {{- $first = false }} 653 {{- end }} 654 {{- end}} 655 {{- end}} 656 ] 657 - name: GOMEMLIMIT 658 valueFrom: 659 resourceFieldRef: 660 resource: limits.memory 661 - name: GOMAXPROCS 662 valueFrom: 663 resourceFieldRef: 664 resource: limits.cpu 665 {{- if .CompliancePolicy }} 666 - name: COMPLIANCE_POLICY 667 value: "{{ .CompliancePolicy }}" 668 {{- end }} 669 - name: 
ISTIO_META_APP_CONTAINERS 670 value: "{{ $containers | join "," }}" 671 - name: ISTIO_META_CLUSTER_ID 672 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 673 - name: ISTIO_META_NODE_NAME 674 valueFrom: 675 fieldRef: 676 fieldPath: spec.nodeName 677 - name: ISTIO_META_INTERCEPTION_MODE 678 value: "{{ .ProxyConfig.InterceptionMode.String }}" 679 {{- if .Values.global.network }} 680 - name: ISTIO_META_NETWORK 681 value: "{{ .Values.global.network }}" 682 {{- end }} 683 {{- if .DeploymentMeta.Name }} 684 - name: ISTIO_META_WORKLOAD_NAME 685 value: "{{ .DeploymentMeta.Name }}" 686 {{ end }} 687 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 688 - name: ISTIO_META_OWNER 689 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 690 {{- end}} 691 {{- if .Values.global.meshID }} 692 - name: ISTIO_META_MESH_ID 693 value: "{{ .Values.global.meshID }}" 694 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 695 - name: ISTIO_META_MESH_ID 696 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 697 {{- end }} 698 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 699 - name: TRUST_DOMAIN 700 value: "{{ . 
}}" 701 {{- end }} 702 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 703 - name: {{ $key }} 704 value: "{{ $value }}" 705 {{- end }} 706 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 707 readinessProbe: 708 httpGet: 709 path: /healthz/ready 710 port: 15021 711 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} 712 periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} 713 timeoutSeconds: 3 714 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} 715 volumeMounts: 716 - name: workload-socket 717 mountPath: /var/run/secrets/workload-spiffe-uds 718 - name: credential-socket 719 mountPath: /var/run/secrets/credential-uds 720 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 721 - name: gke-workload-certificate 722 mountPath: /var/run/secrets/workload-spiffe-credentials 723 readOnly: true 724 {{- else }} 725 - name: workload-certs 726 mountPath: /var/run/secrets/workload-spiffe-credentials 727 {{- end }} 728 {{- if eq .Values.global.pilotCertProvider "istiod" }} 729 - mountPath: /var/run/secrets/istio 730 name: istiod-ca-cert 731 {{- end }} 732 - mountPath: /var/lib/istio/data 733 name: istio-data 734 # SDS channel between istioagent and Envoy 735 - mountPath: /etc/istio/proxy 736 name: istio-envoy 737 - mountPath: /var/run/secrets/tokens 738 name: istio-token 739 {{- if .Values.global.mountMtlsCerts }} 740 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
741 - mountPath: /etc/certs/ 742 name: istio-certs 743 readOnly: true 744 {{- end }} 745 - name: istio-podinfo 746 mountPath: /etc/istio/pod 747 volumes: 748 - emptyDir: {} 749 name: workload-socket 750 - emptyDir: {} 751 name: credential-socket 752 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 753 - name: gke-workload-certificate 754 csi: 755 driver: workloadcertificates.security.cloud.google.com 756 {{- else}} 757 - emptyDir: {} 758 name: workload-certs 759 {{- end }} 760 # SDS channel between istioagent and Envoy 761 - emptyDir: 762 medium: Memory 763 name: istio-envoy 764 - name: istio-data 765 emptyDir: {} 766 - name: istio-podinfo 767 downwardAPI: 768 items: 769 - path: "labels" 770 fieldRef: 771 fieldPath: metadata.labels 772 - path: "annotations" 773 fieldRef: 774 fieldPath: metadata.annotations 775 - name: istio-token 776 projected: 777 sources: 778 - serviceAccountToken: 779 path: istio-token 780 expirationSeconds: 43200 781 audience: {{ .Values.global.sds.token.aud }} 782 {{- if eq .Values.global.pilotCertProvider "istiod" }} 783 - name: istiod-ca-cert 784 configMap: 785 name: istio-ca-root-cert 786 {{- end }} 787 {{- if .Values.global.mountMtlsCerts }} 788 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 789 - name: istio-certs 790 secret: 791 optional: true 792 {{ if eq .Spec.ServiceAccountName "" }} 793 secretName: istio.default 794 {{ else -}} 795 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 796 {{ end -}} 797 {{- end }} 798 {{- if .Values.global.imagePullSecrets }} 799 imagePullSecrets: 800 {{- range .Values.global.imagePullSecrets }} 801 - name: {{ . 
}}
    {{- end }}
    {{- end }}
  grpc-simple: |
    metadata:
      annotations:
        # No istio-proxy container is injected by this template, so app probes are left untouched.
        sidecar.istio.io/rewriteAppHTTPProbers: "false"
    spec:
      initContainers:
      # Writes the gRPC xDS bootstrap file that every app container below reads via GRPC_XDS_BOOTSTRAP.
      - name: grpc-bootstrap-init
        # NOTE(review): image is referenced by a mutable tag rather than a digest — confirm that is acceptable here.
        image: busybox:1.28
        volumeMounts:
        - mountPath: /var/lib/grpc/data/
          name: grpc-io-proxyless-bootstrap
        env:
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): a literal block scalar ("|") keeps its trailing newline, so this value presumably ends in "\n",
        # and that newline is interpolated into SERVER_URI below — confirm the rendered bootstrap.json is what is intended.
        - name: ISTIO_NAMESPACE
          value: |
            {{ .Values.global.istioNamespace }}
        # NOTE(review): the bootstrap written below uses channel_creds of type "insecure", i.e. an unauthenticated,
        # unencrypted xDS channel to istiod: the client cannot verify the server and the pushed config is readable
        # on the wire. Treat this template as a test/demo setup rather than a production trust boundary.
        command:
        - sh
        - "-c"
        - |-
          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
          echo '
          {
            "xds_servers": [
              {
                "server_uri": "'${SERVER_URI}'",
                "channel_creds": [{"type": "insecure"}],
                "server_features" : ["xds_v3"]
              }
            ],
            "node": {
              "id": "'${NODE_ID}'",
              "metadata": {
                "GENERATOR": "grpc"
              }
            }
          }' > /var/lib/grpc/data/bootstrap.json
      containers:
      {{- range $index, $container := .Spec.Containers }}
      - name: {{ $container.Name }}
        env:
        - name: GRPC_XDS_BOOTSTRAP
          value: /var/lib/grpc/data/bootstrap.json
        # Verbosity 99 is a very high gRPC-Go debug level; xDS details are likely to end up in application logs.
        - name: GRPC_GO_LOG_VERBOSITY_LEVEL
          value: "99"
        - name: GRPC_GO_LOG_SEVERITY_LEVEL
          value: info
        volumeMounts:
        - mountPath: /var/lib/grpc/data/
          name: grpc-io-proxyless-bootstrap
      {{- end }}
      volumes:
      - name: grpc-io-proxyless-bootstrap
        emptyDir: {}
  grpc-agent: |
    {{- define "resources" }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
    {{- if or (isset .ObjectMeta.Annotations
`sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 874 requests: 875 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 876 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 877 {{ end }} 878 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 879 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 880 {{ end }} 881 {{- end }} 882 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 883 limits: 884 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 885 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 886 {{ end }} 887 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 888 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 889 {{ end }} 890 {{- end }} 891 {{- else }} 892 {{- if .Values.global.proxy.resources }} 893 {{ toYaml .Values.global.proxy.resources | indent 6 }} 894 {{- end }} 895 {{- end }} 896 {{- end }} 897 {{- $containers := list }} 898 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 899 metadata: 900 labels: 901 {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} 902 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 903 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 904 annotations: { 905 istio.io/rev: {{ .Revision | default "default" | quote }}, 906 {{- if ge (len $containers) 1 }} 907 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 908 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 909 {{- end }} 910 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 911 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 912 {{- end }} 913 {{- end }} 914 sidecar.istio.io/rewriteAppHTTPProbers: "false", 915 } 916 spec: 917 containers: 918 - name: istio-proxy 919 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 920 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 921 {{- else }} 922 image: "{{ .ProxyImage }}" 923 {{- end }} 924 ports: 925 - containerPort: 15020 926 protocol: TCP 927 name: mesh-metrics 928 args: 929 - proxy 930 - sidecar 931 - --domain 932 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 933 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 934 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 935 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 936 {{- if .Values.global.sts.servicePort }} 937 - 
--stsPort={{ .Values.global.sts.servicePort }} 938 {{- end }} 939 {{- if .Values.global.logAsJson }} 940 - --log_as_json 941 {{- end }} 942 lifecycle: 943 postStart: 944 exec: 945 command: 946 - pilot-agent 947 - wait 948 - --url=http://localhost:15020/healthz/ready 949 env: 950 - name: ISTIO_META_GENERATOR 951 value: grpc 952 - name: OUTPUT_CERTS 953 value: /var/lib/istio/data 954 {{- if eq .InboundTrafficPolicyMode "localhost" }} 955 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 956 value: "true" 957 {{- end }} 958 - name: PILOT_CERT_PROVIDER 959 value: {{ .Values.global.pilotCertProvider }} 960 - name: CA_ADDR 961 {{- if .Values.global.caAddress }} 962 value: {{ .Values.global.caAddress }} 963 {{- else }} 964 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 965 {{- end }} 966 - name: POD_NAME 967 valueFrom: 968 fieldRef: 969 fieldPath: metadata.name 970 - name: POD_NAMESPACE 971 valueFrom: 972 fieldRef: 973 fieldPath: metadata.namespace 974 - name: INSTANCE_IP 975 valueFrom: 976 fieldRef: 977 fieldPath: status.podIP 978 - name: SERVICE_ACCOUNT 979 valueFrom: 980 fieldRef: 981 fieldPath: spec.serviceAccountName 982 - name: HOST_IP 983 valueFrom: 984 fieldRef: 985 fieldPath: status.hostIP 986 - name: PROXY_CONFIG 987 value: | 988 {{ protoToJSON .ProxyConfig }} 989 - name: ISTIO_META_POD_PORTS 990 value: |- 991 [ 992 {{- $first := true }} 993 {{- range $index1, $c := .Spec.Containers }} 994 {{- range $index2, $p := $c.Ports }} 995 {{- if (structToJSON $p) }} 996 {{if not $first}},{{end}}{{ structToJSON $p }} 997 {{- $first = false }} 998 {{- end }} 999 {{- end}} 1000 {{- end}} 1001 ] 1002 - name: ISTIO_META_APP_CONTAINERS 1003 value: "{{ $containers | join "," }}" 1004 - name: ISTIO_META_CLUSTER_ID 1005 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 1006 - name: ISTIO_META_NODE_NAME 1007 valueFrom: 1008 fieldRef: 1009 fieldPath: spec.nodeName 
1010 {{- if .Values.global.network }} 1011 - name: ISTIO_META_NETWORK 1012 value: "{{ .Values.global.network }}" 1013 {{- end }} 1014 {{- if .DeploymentMeta.Name }} 1015 - name: ISTIO_META_WORKLOAD_NAME 1016 value: "{{ .DeploymentMeta.Name }}" 1017 {{ end }} 1018 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 1019 - name: ISTIO_META_OWNER 1020 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 1021 {{- end}} 1022 {{- if .Values.global.meshID }} 1023 - name: ISTIO_META_MESH_ID 1024 value: "{{ .Values.global.meshID }}" 1025 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1026 - name: ISTIO_META_MESH_ID 1027 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1028 {{- end }} 1029 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1030 - name: TRUST_DOMAIN 1031 value: "{{ . 
}}" 1032 {{- end }} 1033 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1034 - name: {{ $key }} 1035 value: "{{ $value }}" 1036 {{- end }} 1037 # grpc uses xds:/// to resolve – no need to resolve VIP 1038 - name: ISTIO_META_DNS_CAPTURE 1039 value: "false" 1040 - name: DISABLE_ENVOY 1041 value: "true" 1042 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1043 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 1044 readinessProbe: 1045 httpGet: 1046 path: /healthz/ready 1047 port: 15020 1048 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 1049 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 1050 timeoutSeconds: 3 1051 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 1052 resources: 1053 {{ template "resources" . 
}} 1054 volumeMounts: 1055 - name: workload-socket 1056 mountPath: /var/run/secrets/workload-spiffe-uds 1057 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1058 - name: gke-workload-certificate 1059 mountPath: /var/run/secrets/workload-spiffe-credentials 1060 readOnly: true 1061 {{- else }} 1062 - name: workload-certs 1063 mountPath: /var/run/secrets/workload-spiffe-credentials 1064 {{- end }} 1065 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1066 - mountPath: /var/run/secrets/istio 1067 name: istiod-ca-cert 1068 {{- end }} 1069 - mountPath: /var/lib/istio/data 1070 name: istio-data 1071 # UDS channel between istioagent and gRPC client for XDS/SDS 1072 - mountPath: /etc/istio/proxy 1073 name: istio-xds 1074 - mountPath: /var/run/secrets/tokens 1075 name: istio-token 1076 {{- if .Values.global.mountMtlsCerts }} 1077 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 1078 - mountPath: /etc/certs/ 1079 name: istio-certs 1080 readOnly: true 1081 {{- end }} 1082 - name: istio-podinfo 1083 mountPath: /etc/istio/pod 1084 {{- end }} 1085 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 1086 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 1087 - name: "{{ $index }}" 1088 {{ toYaml $value | indent 6 }} 1089 {{ end }} 1090 {{- end }} 1091 {{- range $index, $container := .Spec.Containers }} 1092 {{ if not (eq $container.Name "istio-proxy") }} 1093 - name: {{ $container.Name }} 1094 env: 1095 - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" 1096 value: "true" 1097 - name: "GRPC_XDS_BOOTSTRAP" 1098 value: "/etc/istio/proxy/grpc-bootstrap.json" 1099 volumeMounts: 1100 - mountPath: /var/lib/istio/data 1101 name: istio-data 1102 # UDS channel between istioagent and gRPC client for XDS/SDS 1103 - mountPath: /etc/istio/proxy 1104 name: istio-xds 1105 {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} 1106 - name: 
gke-workload-certificate
          mountPath: /var/run/secrets/workload-spiffe-credentials
          readOnly: true
        {{- else }}
        - name: workload-certs
          mountPath: /var/run/secrets/workload-spiffe-credentials
        {{- end }}
      {{- end }}
      {{- end }}
      volumes:
      # NOTE(review): "emptyDir:" with no value renders as null here, whereas the other templates use "emptyDir: {}" —
      # confirm the API server treats it as an empty emptyDir.
      - emptyDir:
        name: workload-socket
      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
      - name: gke-workload-certificate
        csi:
          driver: workloadcertificates.security.cloud.google.com
      {{- else }}
      - emptyDir:
        name: workload-certs
      {{- end }}
      {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
      # The ConfigMap name comes from the pod's own sidecar.istio.io/bootstrapOverride annotation,
      # i.e. it is chosen by the workload author rather than by mesh-wide Values.
      - name: custom-bootstrap-volume
        configMap:
          name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
      {{- end }}
      # UDS channel between istioagent and the gRPC client for XDS/SDS (this template runs no Envoy: DISABLE_ENVOY is set above).
      - emptyDir:
          medium: Memory
        name: istio-xds
      - name: istio-data
        emptyDir: {}
      # Pod labels and annotations exposed to the agent through the downward API.
      - name: istio-podinfo
        downwardAPI:
          items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations
      # Projected service-account token with a 12h lifetime, scoped to the configured SDS audience.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
      {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
      {{- end }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
1160 - name: istio-certs 1161 secret: 1162 optional: true 1163 {{ if eq .Spec.ServiceAccountName "" }} 1164 secretName: istio.default 1165 {{ else -}} 1166 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1167 {{ end -}} 1168 {{- end }} 1169 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 1170 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 1171 - name: "{{ $index }}" 1172 {{ toYaml $value | indent 4 }} 1173 {{ end }} 1174 {{ end }} 1175 {{- if .Values.global.imagePullSecrets }} 1176 imagePullSecrets: 1177 {{- range .Values.global.imagePullSecrets }} 1178 - name: {{ . }} 1179 {{- end }} 1180 {{- end }} 1181 waypoint: | 1182 apiVersion: v1 1183 kind: ServiceAccount 1184 metadata: 1185 name: {{.ServiceAccount | quote}} 1186 namespace: {{.Namespace | quote}} 1187 annotations: 1188 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1189 labels: 1190 {{- toJsonMap 1191 .InfrastructureLabels 1192 (strdict 1193 "gateway.networking.k8s.io/gateway-name" .Name 1194 "istio.io/gateway-name" .Name 1195 ) | nindent 4 }} 1196 {{- if ge .KubeVersion 128 }} 1197 # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 1198 ownerReferences: 1199 - apiVersion: gateway.networking.k8s.io/v1beta1 1200 kind: Gateway 1201 name: "{{.Name}}" 1202 uid: "{{.UID}}" 1203 {{- end }} 1204 --- 1205 apiVersion: apps/v1 1206 kind: Deployment 1207 metadata: 1208 name: {{.DeploymentName | quote}} 1209 namespace: {{.Namespace | quote}} 1210 annotations: 1211 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1212 labels: 1213 {{- toJsonMap 1214 .InfrastructureLabels 1215 
(strdict 1216 "gateway.networking.k8s.io/gateway-name" .Name 1217 "istio.io/gateway-name" .Name 1218 "gateway.istio.io/managed" "istio.io-mesh-controller" 1219 ) | nindent 4 }} 1220 ownerReferences: 1221 - apiVersion: gateway.networking.k8s.io/v1beta1 1222 kind: Gateway 1223 name: "{{.Name}}" 1224 uid: "{{.UID}}" 1225 spec: 1226 selector: 1227 matchLabels: 1228 "{{.GatewayNameLabel}}": "{{.Name}}" 1229 template: 1230 metadata: 1231 annotations: 1232 {{- toJsonMap 1233 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1234 (strdict "istio.io/rev" (.Revision | default "default")) 1235 (strdict 1236 "prometheus.io/path" "/stats/prometheus" 1237 "prometheus.io/port" "15020" 1238 "prometheus.io/scrape" "true" 1239 ) | nindent 8 }} 1240 labels: 1241 {{- toJsonMap 1242 (strdict 1243 "sidecar.istio.io/inject" "false" 1244 "istio.io/dataplane-mode" "none" 1245 "service.istio.io/canonical-name" .DeploymentName 1246 "service.istio.io/canonical-revision" "latest" 1247 ) 1248 .InfrastructureLabels 1249 (strdict 1250 "gateway.networking.k8s.io/gateway-name" .Name 1251 "istio.io/gateway-name" .Name 1252 "gateway.istio.io/managed" "istio.io-mesh-controller" 1253 ) | nindent 8}} 1254 spec: 1255 terminationGracePeriodSeconds: 2 1256 serviceAccountName: {{.ServiceAccount | quote}} 1257 containers: 1258 - name: istio-proxy 1259 ports: 1260 - containerPort: 15021 1261 name: status-port 1262 protocol: TCP 1263 - containerPort: 15090 1264 protocol: TCP 1265 name: http-envoy-prom 1266 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1267 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1268 {{- else }} 1269 image: "{{ .ProxyImage }}" 1270 {{- end }} 1271 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1272 args: 1273 - proxy 
1274 - waypoint 1275 - --domain 1276 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1277 - --serviceCluster 1278 - {{.ServiceAccount}}.$(POD_NAMESPACE) 1279 - --proxyLogLevel 1280 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 1281 - --proxyComponentLogLevel 1282 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 1283 - --log_output_level 1284 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} 1285 {{- if .Values.global.logAsJson }} 1286 - --log_as_json 1287 {{- end }} 1288 env: 1289 - name: ISTIO_META_SERVICE_ACCOUNT 1290 valueFrom: 1291 fieldRef: 1292 fieldPath: spec.serviceAccountName 1293 - name: ISTIO_META_NODE_NAME 1294 valueFrom: 1295 fieldRef: 1296 fieldPath: spec.nodeName 1297 - name: PILOT_CERT_PROVIDER 1298 value: {{ .Values.global.pilotCertProvider }} 1299 - name: CA_ADDR 1300 {{- if .Values.global.caAddress }} 1301 value: {{ .Values.global.caAddress }} 1302 {{- else }} 1303 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 1304 {{- end }} 1305 - name: POD_NAME 1306 valueFrom: 1307 fieldRef: 1308 fieldPath: metadata.name 1309 - name: POD_NAMESPACE 1310 valueFrom: 1311 fieldRef: 1312 fieldPath: metadata.namespace 1313 - name: INSTANCE_IP 1314 valueFrom: 1315 fieldRef: 1316 fieldPath: status.podIP 1317 - name: SERVICE_ACCOUNT 1318 valueFrom: 1319 fieldRef: 1320 fieldPath: spec.serviceAccountName 1321 - name: HOST_IP 1322 valueFrom: 1323 fieldRef: 1324 fieldPath: status.hostIP 1325 - name: ISTIO_CPU_LIMIT 1326 valueFrom: 1327 resourceFieldRef: 1328 resource: limits.cpu 1329 - name: PROXY_CONFIG 1330 value: | 1331 {{ protoToJSON .ProxyConfig }} 1332 {{- if .ProxyConfig.ProxyMetadata }} 1333 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1334 - name: {{ $key }} 1335 value: "{{ $value }}" 1336 
{{- end }}
            {{- end }}
            # Go runtime limits derived from the container's own resource limits.
            - name: GOMEMLIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
            - name: ISTIO_META_CLUSTER_ID
              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
            {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
            {{- if $network }}
            - name: ISTIO_META_NETWORK
              value: "{{ $network }}"
            {{- end }}
            - name: ISTIO_META_INTERCEPTION_MODE
              value: REDIRECT
            # NOTE(review): unquoted here, whereas kube-gateway uses {{.DeploymentName|quote}}; a name that YAML reads
            # as a non-string (e.g. all digits) would render an invalid env value — confirm.
            - name: ISTIO_META_WORKLOAD_NAME
              value: {{.DeploymentName}}
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
            {{- if .Values.global.meshID }}
            - name: ISTIO_META_MESH_ID
              value: "{{ .Values.global.meshID }}"
            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
            - name: ISTIO_META_MESH_ID
              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
            {{- end }}
            # Fixed resources; unlike kube-gateway these are not taken from .Values.global.proxy.resources.
            resources:
              limits:
                cpu: "2"
                memory: 1Gi
              requests:
                cpu: 100m
                memory: 128Mi
            startupProbe:
              failureThreshold: 30
              httpGet:
                path: /healthz/ready
                port: 15021
                scheme: HTTP
              initialDelaySeconds: 1
              periodSeconds: 1
              successThreshold: 1
              timeoutSeconds: 1
            readinessProbe:
              failureThreshold: 4
              httpGet:
                path: /healthz/ready
                port: 15021
                scheme: HTTP
              initialDelaySeconds: 0
              periodSeconds: 15
              successThreshold: 1
              timeoutSeconds: 1
            # NOTE(review): the waypoint proxy runs as root (runAsUser: 0) with every capability dropped and
            # privileged: false. Unlike the kube-gateway template later in this file it sets neither
            # allowPrivilegeEscalation: false, readOnlyRootFilesystem: true nor runAsNonRoot — confirm this is
            # intentional rather than an omission.
            securityContext:
              privileged: false
              runAsGroup: 1337
              runAsUser: 0
              capabilities:
                drop:
                - ALL
            volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            # Mounted unconditionally here; the sidecar/kube-gateway templates gate this on pilotCertProvider == istiod.
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
            - mountPath: /var/lib/istio/data
              name: istio-data
            - mountPath: /etc/istio/proxy
              name: istio-envoy
            - mountPath: /var/run/secrets/tokens
              name: istio-token
            - mountPath: /etc/istio/pod
              name: istio-podinfo
          volumes:
          - emptyDir: {}
            name: workload-socket
          - emptyDir:
              medium: Memory
            name: istio-envoy
          # NOTE(review): go-proxy-envoy and go-proxy-data are declared but nothing in the container's volumeMounts
          # above uses them — confirm they are still needed.
          - emptyDir:
              medium: Memory
            name: go-proxy-envoy
          - emptyDir: {}
            name: istio-data
          - emptyDir: {}
            name: go-proxy-data
          - downwardAPI:
              items:
              - fieldRef:
                  fieldPath: metadata.labels
                path: labels
              - fieldRef:
                  fieldPath: metadata.annotations
                path: annotations
            name: istio-podinfo
          # NOTE(review): audience is hard-coded to istio-ca here, while the other templates use
          # .Values.global.sds.token.aud — confirm the hard-coded value is intended.
          - name: istio-token
            projected:
              sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
          - configMap:
              name: istio-ca-root-cert
            name: istiod-ca-cert
          {{- if .Values.global.imagePullSecrets }}
          imagePullSecrets:
          {{- range .Values.global.imagePullSecrets }}
          - name: {{ .
}} 1449 {{- end }} 1450 {{- end }} 1451 --- 1452 apiVersion: v1 1453 kind: Service 1454 metadata: 1455 annotations: 1456 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1457 labels: 1458 {{- toJsonMap 1459 .InfrastructureLabels 1460 (strdict 1461 "gateway.networking.k8s.io/gateway-name" .Name 1462 "istio.io/gateway-name" .Name 1463 ) | nindent 4 }} 1464 name: {{.DeploymentName | quote}} 1465 namespace: {{.Namespace | quote}} 1466 ownerReferences: 1467 - apiVersion: gateway.networking.k8s.io/v1beta1 1468 kind: Gateway 1469 name: "{{.Name}}" 1470 uid: "{{.UID}}" 1471 spec: 1472 ports: 1473 {{- range $key, $val := .Ports }} 1474 - name: {{ $val.Name | quote }} 1475 port: {{ $val.Port }} 1476 protocol: TCP 1477 appProtocol: {{ $val.AppProtocol }} 1478 {{- end }} 1479 selector: 1480 "{{.GatewayNameLabel}}": "{{.Name}}" 1481 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 1482 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 1483 {{- end }} 1484 type: {{ .ServiceType | quote }} 1485 --- 1486 kube-gateway: | 1487 apiVersion: v1 1488 kind: ServiceAccount 1489 metadata: 1490 name: {{.ServiceAccount | quote}} 1491 namespace: {{.Namespace | quote}} 1492 annotations: 1493 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1494 labels: 1495 {{- toJsonMap 1496 .InfrastructureLabels 1497 (strdict 1498 "gateway.networking.k8s.io/gateway-name" .Name 1499 "istio.io/gateway-name" .Name 1500 ) | nindent 4 }} 1501 {{- if ge .KubeVersion 128 }} 1502 # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 1503 ownerReferences: 1504 - apiVersion: gateway.networking.k8s.io/v1beta1 1505 kind: Gateway 1506 name: 
"{{.Name}}" 1507 uid: "{{.UID}}" 1508 {{- end }} 1509 --- 1510 apiVersion: apps/v1 1511 kind: Deployment 1512 metadata: 1513 name: {{.DeploymentName | quote}} 1514 namespace: {{.Namespace | quote}} 1515 annotations: 1516 {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 1517 labels: 1518 {{- toJsonMap 1519 .InfrastructureLabels 1520 (strdict 1521 "gateway.networking.k8s.io/gateway-name" .Name 1522 "istio.io/gateway-name" .Name 1523 ) | nindent 4 }} 1524 ownerReferences: 1525 - apiVersion: gateway.networking.k8s.io/v1beta1 1526 kind: Gateway 1527 name: {{.Name}} 1528 uid: "{{.UID}}" 1529 spec: 1530 selector: 1531 matchLabels: 1532 "{{.GatewayNameLabel}}": {{.Name}} 1533 template: 1534 metadata: 1535 annotations: 1536 {{- toJsonMap 1537 (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") 1538 (strdict "istio.io/rev" (.Revision | default "default")) 1539 (strdict 1540 "prometheus.io/path" "/stats/prometheus" 1541 "prometheus.io/port" "15020" 1542 "prometheus.io/scrape" "true" 1543 ) | nindent 8 }} 1544 labels: 1545 {{- toJsonMap 1546 (strdict 1547 "sidecar.istio.io/inject" "false" 1548 "service.istio.io/canonical-name" .DeploymentName 1549 "service.istio.io/canonical-revision" "latest" 1550 ) 1551 .InfrastructureLabels 1552 (strdict 1553 "gateway.networking.k8s.io/gateway-name" .Name 1554 "istio.io/gateway-name" .Name 1555 ) | nindent 8 }} 1556 spec: 1557 securityContext: 1558 sysctls: 1559 - name: net.ipv4.ip_unprivileged_port_start 1560 value: "0" 1561 serviceAccountName: {{.ServiceAccount | quote}} 1562 containers: 1563 - name: istio-proxy 1564 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1565 image: 
"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1566 {{- else }} 1567 image: "{{ .ProxyImage }}" 1568 {{- end }} 1569 {{- if .Values.global.proxy.resources }} 1570 resources: 1571 {{- toYaml .Values.global.proxy.resources | nindent 10 }} 1572 {{- end }} 1573 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 1574 securityContext: 1575 capabilities: 1576 drop: 1577 - ALL 1578 allowPrivilegeEscalation: false 1579 privileged: false 1580 readOnlyRootFilesystem: true 1581 runAsUser: {{ .ProxyUID | default "1337" }} 1582 runAsGroup: {{ .ProxyGID | default "1337" }} 1583 runAsNonRoot: true 1584 ports: 1585 - containerPort: 15021 1586 name: status-port 1587 protocol: TCP 1588 - containerPort: 15090 1589 protocol: TCP 1590 name: http-envoy-prom 1591 args: 1592 - proxy 1593 - router 1594 - --domain 1595 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1596 - --proxyLogLevel 1597 - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} 1598 - --proxyComponentLogLevel 1599 - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} 1600 - --log_output_level 1601 - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} 1602 {{- if .Values.global.sts.servicePort }} 1603 - --stsPort={{ .Values.global.sts.servicePort }} 1604 {{- end }} 1605 {{- if .Values.global.logAsJson }} 1606 - --log_as_json 1607 {{- end }} 1608 {{- if .Values.global.proxy.lifecycle }} 1609 lifecycle: 1610 {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} 1611 {{- end }} 1612 env: 1613 - name: PILOT_CERT_PROVIDER 1614 value: {{ .Values.global.pilotCertProvider }} 1615 - name: CA_ADDR 1616 {{- if .Values.global.caAddress }} 1617 value: {{ .Values.global.caAddress }} 1618 {{- else }} 1619 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ 
.Values.global.istioNamespace }}.svc:15012 1620 {{- end }} 1621 - name: POD_NAME 1622 valueFrom: 1623 fieldRef: 1624 fieldPath: metadata.name 1625 - name: POD_NAMESPACE 1626 valueFrom: 1627 fieldRef: 1628 fieldPath: metadata.namespace 1629 - name: INSTANCE_IP 1630 valueFrom: 1631 fieldRef: 1632 fieldPath: status.podIP 1633 - name: SERVICE_ACCOUNT 1634 valueFrom: 1635 fieldRef: 1636 fieldPath: spec.serviceAccountName 1637 - name: HOST_IP 1638 valueFrom: 1639 fieldRef: 1640 fieldPath: status.hostIP 1641 - name: ISTIO_CPU_LIMIT 1642 valueFrom: 1643 resourceFieldRef: 1644 resource: limits.cpu 1645 - name: PROXY_CONFIG 1646 value: | 1647 {{ protoToJSON .ProxyConfig }} 1648 - name: ISTIO_META_POD_PORTS 1649 value: "[]" 1650 - name: ISTIO_META_APP_CONTAINERS 1651 value: "" 1652 - name: GOMEMLIMIT 1653 valueFrom: 1654 resourceFieldRef: 1655 resource: limits.memory 1656 - name: GOMAXPROCS 1657 valueFrom: 1658 resourceFieldRef: 1659 resource: limits.cpu 1660 - name: ISTIO_META_CLUSTER_ID 1661 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" 1662 - name: ISTIO_META_NODE_NAME 1663 valueFrom: 1664 fieldRef: 1665 fieldPath: spec.nodeName 1666 - name: ISTIO_META_INTERCEPTION_MODE 1667 value: "{{ .ProxyConfig.InterceptionMode.String }}" 1668 {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} 1669 - name: ISTIO_META_NETWORK 1670 value: {{.|quote}} 1671 {{- end }} 1672 - name: ISTIO_META_WORKLOAD_NAME 1673 value: {{.DeploymentName|quote}} 1674 - name: ISTIO_META_OWNER 1675 value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" 1676 {{- if .Values.global.meshID }} 1677 - name: ISTIO_META_MESH_ID 1678 value: "{{ .Values.global.meshID }}" 1679 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1680 - name: ISTIO_META_MESH_ID 1681 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 1682 {{- end }} 
1683 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 1684 - name: TRUST_DOMAIN 1685 value: "{{ . }}" 1686 {{- end }} 1687 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 1688 - name: {{ $key }} 1689 value: "{{ $value }}" 1690 {{- end }} 1691 {{- with (index .InfrastructureLabels "topology.istio.io/network") }} 1692 - name: ISTIO_META_REQUESTED_NETWORK_VIEW 1693 value: {{.|quote}} 1694 {{- end }} 1695 startupProbe: 1696 failureThreshold: 30 1697 httpGet: 1698 path: /healthz/ready 1699 port: 15021 1700 scheme: HTTP 1701 initialDelaySeconds: 1 1702 periodSeconds: 1 1703 successThreshold: 1 1704 timeoutSeconds: 1 1705 readinessProbe: 1706 failureThreshold: 4 1707 httpGet: 1708 path: /healthz/ready 1709 port: 15021 1710 scheme: HTTP 1711 initialDelaySeconds: 0 1712 periodSeconds: 15 1713 successThreshold: 1 1714 timeoutSeconds: 1 1715 volumeMounts: 1716 - name: workload-socket 1717 mountPath: /var/run/secrets/workload-spiffe-uds 1718 - name: credential-socket 1719 mountPath: /var/run/secrets/credential-uds 1720 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1721 - name: gke-workload-certificate 1722 mountPath: /var/run/secrets/workload-spiffe-credentials 1723 readOnly: true 1724 {{- else }} 1725 - name: workload-certs 1726 mountPath: /var/run/secrets/workload-spiffe-credentials 1727 {{- end }} 1728 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1729 - mountPath: /var/run/secrets/istio 1730 name: istiod-ca-cert 1731 {{- end }} 1732 - mountPath: /var/lib/istio/data 1733 name: istio-data 1734 # SDS channel between istioagent and Envoy 1735 - mountPath: /etc/istio/proxy 1736 name: istio-envoy 1737 - mountPath: /var/run/secrets/tokens 1738 name: istio-token 1739 - name: istio-podinfo 1740 mountPath: /etc/istio/pod 1741 volumes: 1742 - emptyDir: {} 1743 name: workload-socket 1744 - emptyDir: {} 1745 name: credential-socket 1746 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 1747 - name: 
gke-workload-certificate 1748 csi: 1749 driver: workloadcertificates.security.cloud.google.com 1750 {{- else}} 1751 - emptyDir: {} 1752 name: workload-certs 1753 {{- end }} 1754 # SDS channel between istioagent and Envoy 1755 - emptyDir: 1756 medium: Memory 1757 name: istio-envoy 1758 - name: istio-data 1759 emptyDir: {} 1760 - name: istio-podinfo 1761 downwardAPI: 1762 items: 1763 - path: "labels" 1764 fieldRef: 1765 fieldPath: metadata.labels 1766 - path: "annotations" 1767 fieldRef: 1768 fieldPath: metadata.annotations 1769 - name: istio-token 1770 projected: 1771 sources: 1772 - serviceAccountToken: 1773 path: istio-token 1774 expirationSeconds: 43200 1775 audience: {{ .Values.global.sds.token.aud }} 1776 {{- if eq .Values.global.pilotCertProvider "istiod" }} 1777 - name: istiod-ca-cert 1778 configMap: 1779 name: istio-ca-root-cert 1780 {{- end }} 1781 {{- if .Values.global.imagePullSecrets }} 1782 imagePullSecrets: 1783 {{- range .Values.global.imagePullSecrets }} 1784 - name: {{ . 
}}
    {{- end }}
    {{- end }}
    ---
    # Service in front of the gateway Deployment: the selector below targets
    # pods carrying the gateway-name label, and the port list is generated
    # from .Ports.
    apiVersion: v1
    kind: Service
    metadata:
      # InfrastructureAnnotations are copied through except for the four keys
      # omitted here (last-applied-configuration and the gateway.istio.io
      # name-override / service-account / controller-version annotations).
      # NOTE(review): presumably these originate from the Gateway object and
      # may therefore be user-supplied — confirm before relying on them downstream.
      annotations:
        {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
      # InfrastructureLabels merged with the two gateway-name labels
      # (which key wins on a collision depends on toJsonMap — not visible here).
      labels:
        {{- toJsonMap
          .InfrastructureLabels
          (strdict
            "gateway.networking.k8s.io/gateway-name" .Name
            "istio.io/gateway-name" .Name
          ) | nindent 4 }}
      name: {{.DeploymentName | quote}}
      namespace: {{.Namespace | quote}}
      # Owner reference back to the Gateway this Service was generated for.
      # NOTE(review): .Name and .UID are rendered unquoted here and in the
      # selector; this relies on them being valid Kubernetes object names/UIDs
      # that need no YAML quoting — confirm.
      ownerReferences:
      - apiVersion: gateway.networking.k8s.io/v1beta1
        kind: Gateway
        name: {{.Name}}
        uid: {{.UID}}
    spec:
      # One entry per .Ports item. protocol is always TCP; the per-port
      # application protocol is carried in appProtocol.
      ports:
      {{- range $key, $val := .Ports }}
      - name: {{ $val.Name | quote }}
        port: {{ $val.Port }}
        protocol: TCP
        appProtocol: {{ $val.AppProtocol }}
      {{- end }}
      selector:
        "{{.GatewayNameLabel}}": {{.Name}}
      # loadBalancerIP is set only for LoadBalancer services that request at
      # least one address, and only the first entry of .Spec.Addresses is used.
      {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
      loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
      {{- end }}
      type: {{ .ServiceType | quote }}
    ---
