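{{- /*
Renders one apps/v1 Deployment per subset that stands in for a VM workload in the
echo test framework: sidecar injection is disabled, kube-dns is bypassed, and the
istio-proxy container starts the agent and Envoy itself from bootstrap material
mounted from a ConfigMap and a Secret, then runs the echo server.
NOTE(review): iterations are emitted back to back without a `---` separator;
confirm the caller renders one subset at a time or splits the documents itself.
*/ -}}
{{- $subsets := .Subsets }}
{{- $cluster := .Cluster }}
{{- range $i, $subset := $subsets }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ $.Service }}-{{ $subset.Version }}
spec:
  replicas: 1
  selector:
    matchLabels:
      # Quoted so a numeric-looking version (e.g. 1.10) stays a string; label values must be strings.
      istio.io/test-vm: "{{ $.Service }}"
      istio.io/test-vm-version: "{{ $subset.Version }}"
  template:
    metadata:
      annotations:
        # Sidecar is inside the pod to simulate VMs - do not inject
        sidecar.istio.io/inject: "false"
      labels:
        # Label should not be selected. We will create a workload entry instead
        istio.io/test-vm: "{{ $.Service }}"
        istio.io/test-vm-version: "{{ $subset.Version }}"
        # HBONE enabled proxy lives inside the VM. Don't use CNI to redirect.
        istio.io/dataplane-mode: none
    spec:
      # Disable kube-dns, to mirror a VM outside the cluster: policy None and an
      # explicit resolver that cannot answer for in-cluster service names (8.8.8.8
      # is a public resolver). ndots is set to 1 so that the application will
      # first try to resolve the hostname (a, a.ns, etc.) as is before attempting
      # to add the search namespaces.
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - "8.8.8.8"
        options:
          - name: "ndots"
            value: "1"
{{- if $.VM.IstioHost }}
      # Override the istiod host to force traffic through east-west gateway.
      # Quoted: an IPv6 literal or an odd hostname must not be re-typed by the YAML parser.
      hostAliases:
        - ip: "{{ $.VM.IstioIP }}"
          hostnames:
            - "{{ $.VM.IstioHost }}"
{{- end }}
      # Disable service account mount, to mirror VM. The workload token is
      # instead mounted from the {{ $.Service }}-istio-token Secret (see volumes).
      automountServiceAccountToken: false
{{- if $.ImagePullSecretName }}
      imagePullSecrets:
        - name: {{ $.ImagePullSecretName }}
{{- end }}
      containers:
        - name: istio-proxy
          image: {{ $.ImageHub }}/{{ $.VM.Image }}:{{ $.ImageTag }}
          imagePullPolicy: {{ $.ImagePullPolicy }}
          securityContext:
            # Test-only privilege set; not a production profile.
            # NET_ADMIN is presumably needed for the in-pod traffic redirection the
            # VM-style proxy performs — confirm against the image's istio-start.sh.
            capabilities:
              add:
                - NET_ADMIN
                - SYS_RESOURCE  # Required for core dumps
            # istio-proxy user; the startup script relies on the test image
            # granting this user sudo for the root-owned setup steps below.
            runAsUser: 1338
            runAsGroup: 1338
          command:
            - bash
            - -c
            - |-
              # Sudo and ulimits is problematic. There must be a better way to do this, but for now we can hack it
              # See https://superuser.com/questions/1733614/how-to-configure-core-dumps-ulimit-c-from-within-sudo-within-docker
              function override_core_limits() {
                # Poll until Envoy runs under the istio-proxy user, then raise its core limit.
                while ! pgrep -u istio-proxy envoy; do
                  echo "Envoy isn't running yet, trying again..."
                  sleep .1
                done
                # NOTE(review): assumes exactly one envoy process; prlimit -p takes a single PID — confirm.
                pid="$(pgrep -u istio-proxy envoy)"
                sudo prlimit -p "${pid}" --core=unlimited
              }
              # To support image builders which cannot do RUN, do the run commands at startup.
              # This exploits the fact the images remove the installer once its installed.
              # This is a horrible idea for production images, but these are just for tests.
              [[ -f /tmp/istio-sidecar.rpm ]] && sudo rpm -vi /tmp/istio-sidecar.rpm && sudo rm /tmp/istio-sidecar.rpm
              [[ -f /tmp/istio-sidecar.deb ]] && sudo dpkg -i /tmp/istio-sidecar.deb && sudo rm /tmp/istio-sidecar.deb

              # Read root cert from and place signed certs here (can't mount directly or the dir would be unwritable)
              sudo mkdir -p /var/run/secrets/istio

              # hack: remove certs that are bundled in the image (-f: an absent file is not an error)
              sudo rm -f /var/run/secrets/istio/cert-chain.pem
              sudo rm -f /var/run/secrets/istio/key.pem
              sudo chown -R istio-proxy /var/run/secrets

              # Change coredump directory to the correct user. Note this is a volume so we persist between crashes
              sudo chown -R istio-proxy:istio-proxy /var/lib/istio/data

              # place mounted bootstrap files (token is mounted directly to the correct location)
              sudo cp /var/run/secrets/istio/bootstrap/root-cert.pem /var/run/secrets/istio/root-cert.pem
              sudo cp /var/run/secrets/istio/bootstrap/*.env /var/lib/istio/envoy/
              sudo cp /var/run/secrets/istio/bootstrap/mesh.yaml /etc/istio/config/mesh

              # don't overwrite /etc/hosts since it's managed by kubeproxy
              #sudo sh -c 'cat /var/run/secrets/istio/bootstrap/hosts >> /etc/hosts'

              # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts
              # matches the value generated by istioctl
              echo "checking istio host"
              SYSTEM_HOST=$(grep istiod /etc/hosts)
              ISTIOCTL_HOST=$(grep istiod /var/run/secrets/istio/bootstrap/hosts)
              if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then
                echo "istiod host in /etc/hosts does not match value generated by istioctl"
                echo "/etc/hosts: $SYSTEM_HOST"
                echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST"
                exit 1
              fi
              echo "istiod host ok"

              # read certs from correct directory
              sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'
              sudo sh -c 'echo OUTPUT_CERTS=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'

              # This looks weird but Kubernetes escapes $$ to $; we want double dollar sign for current PID
              pid="$$$$"

              # Run the pilot agent and Envoy
              # TODO: run with systemctl?
              # Setup a script to start istio but exit the container if it exits. This more closely mirrors Pods.
              # This is not strictly needed, but it makes our CI properly report crashes (including core dumps)
              # The heredoc body is dedented by the YAML block scalar, so EOF lands at column 0 as required.
              cat <<'EOF'>/tmp/start.sh
              #!/bin/bash
              /usr/local/bin/istio-start.sh
              kill "$1"
              EOF
              chmod +x /tmp/start.sh

              # Verbose rbac/jwt logging is for test diagnosis only; keep it out of non-test profiles.
              export ISTIO_AGENT_FLAGS="--concurrency 2 --proxyLogLevel warning,misc:error,rbac:debug,jwt:debug"
              sudo -E /tmp/start.sh "$pid" &
              override_core_limits&
              # Echo server: one --grpc/--tcp/--port flag per ContainerPort, plus per-port options.
              /usr/local/bin/server --cluster "{{ $cluster }}" --version "{{ $subset.Version }}" \
{{- range $i, $p := $.ContainerPorts }}
{{- if eq .Protocol "GRPC" }}
              --grpc \
{{- else if eq .Protocol "TCP" }}
              --tcp \
{{- else }}
              --port \
{{- end }}
              "{{ $p.Port }}" \
{{- if $p.ServerFirst }}
              --server-first={{ $p.Port }} \
{{- end }}
{{- if $p.TLS }}
              --tls={{ $p.Port }} \
{{- end }}
{{- if $p.InstanceIP }}
              --bind-ip={{ $p.Port }} \
{{- end }}
{{- if $p.LocalhostIP }}
              --bind-localhost={{ $p.Port }} \
{{- end }}
{{- end }}
              --crt=/var/lib/istio/cert.crt \
              --key=/var/lib/istio/cert.key
          env:
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: ISTIO_ENVOY_ENABLE_CORE_DUMP
              value: "true"
          volumeMounts:
            - mountPath: /var/lib/istio/data
              name: istio-data
            - mountPath: /var/run/secrets/tokens
              name: {{ $.Service }}-istio-token
            - mountPath: /var/run/secrets/istio/bootstrap
              name: istio-vm-bootstrap
{{- range $name, $value := $subset.Annotations }}
{{- if eq $name "sidecar.istio.io/bootstrapOverride" }}
            # Custom bootstrap ConfigMap named by the annotation value (volume defined below).
            - mountPath: /etc/istio-custom-bootstrap
              name: custom-bootstrap-volume
{{- end }}
{{- end }}
{{- if $.IncludeExtAuthz }}
        - name: ext-authz
          image: {{ $.ImageHub }}/ext-authz:{{ $.ImageTag }}
          imagePullPolicy: {{ $.ImagePullPolicy }}
          ports:
            - containerPort: 8000
            - containerPort: 9000
{{- end }}
      volumes:
        - emptyDir: {}
          name: istio-data
        - secret:
            secretName: {{ $.Service }}-istio-token
          name: {{ $.Service }}-istio-token
        - configMap:
            name: {{ $.Service }}-{{ $subset.Version }}-vm-bootstrap
          name: istio-vm-bootstrap
{{- range $name, $value := $subset.Annotations }}
{{- if eq $name "sidecar.istio.io/bootstrapOverride" }}
        - name: custom-bootstrap-volume
          configMap:
            name: {{ $value }}
{{- end }}
{{- end }}
{{- end}}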