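# samples/security/spire/istio-spire-config.yaml
#
# IstioOperator configuration that wires SPIRE-issued workload identities
# into the mesh:
#   * the sidecar injector template `spire` mounts the SPIFFE CSI workload
#     socket (read-only) into istio-proxy and adds the matching CSI volume;
#   * the istio-ingressgateway Deployment is overlaid with the same volume
#     and mount, plus an init container that blocks until the SPIRE agent
#     socket exists, so the proxy never starts without its identity source.
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    # Trust domain of the SPIFFE IDs the mesh will accept.
    # NOTE(review): this must match the trust domain the SPIRE server
    # issues SVIDs for — confirm against the SPIRE server configuration.
    trustDomain: example.org
  values:
    global:
      # This is used to customize the sidecar template
      sidecarInjectorWebhook:
        templates:
          # The template body is a string that the injector parses as a
          # pod-spec overlay; it is kept as a block scalar (|) on purpose.
          spire: |
            spec:
              containers:
                - name: istio-proxy
                  volumeMounts:
                    - name: workload-socket
                      mountPath: /run/secrets/workload-spiffe-uds
                      # The proxy only reads the socket; never mount it writable.
                      readOnly: true
              volumes:
                - name: workload-socket
                  csi:
                    driver: "csi.spiffe.io"
                    readOnly: true
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        label:
          istio: ingressgateway
        k8s:
          overlays:
            - apiVersion: apps/v1
              kind: Deployment
              name: istio-ingressgateway
              patches:
                # Same CSI socket volume as the sidecar template, added to
                # the gateway Deployment (selected by name inside the list).
                - path: spec.template.spec.volumes.[name:workload-socket]
                  value:
                    name: workload-socket
                    csi:
                      driver: "csi.spiffe.io"
                      readOnly: true
                - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
                  value:
                    name: workload-socket
                    mountPath: "/run/secrets/workload-spiffe-uds"
                    readOnly: true
                # NOTE(review): this path carries a whole list value, so it
                # presumably sets initContainers rather than appending to an
                # existing list — confirm if the gateway gains other init
                # containers.
                - path: spec.template.spec.initContainers
                  value:
                    - name: wait-for-spire-socket
                      # Sample pins by mutable tag only; for anything beyond a
                      # demo, pin the image by digest (image@sha256:<DIGEST>)
                      # so the init container cannot change underneath you.
                      image: busybox:1.28
                      volumeMounts:
                        - name: workload-socket
                          mountPath: /run/secrets/workload-spiffe-uds
                          readOnly: true
                      env:
                        - name: CHECK_FILE
                          value: /run/secrets/workload-spiffe-uds/socket
                      # Poll until the SPIRE agent socket appears. Written in
                      # POSIX sh ([ ] and $(...) instead of the bash-only
                      # [[ ]] and backticks) so it does not depend on the
                      # busybox build enabling bash compatibility; expansions
                      # are quoted so a path with spaces cannot split.
                      # There is deliberately no timeout: the pod stays in
                      # Init until the socket exists, which is the visible
                      # signal that the SPIRE agent is not running on the node.
                      command:
                        - sh
                        - "-c"
                        - |-
                          echo "$(date -Iseconds)" Waiting for: "${CHECK_FILE}"
                          while [ ! -e "${CHECK_FILE}" ] ; do
                            echo "$(date -Iseconds)" File does not exist: "${CHECK_FILE}"
                            sleep 15
                          done
                          ls -l "${CHECK_FILE}"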