1--- 2# Source: istio-discovery/templates/poddisruptionbudget.yaml 3apiVersion: policy/v1beta1 4kind: PodDisruptionBudget 5metadata: 6 name: istiod 7 namespace: istio-system 8 labels: 9 app: istiod 10 istio.io/rev: default 11 release: istio 12 istio: pilot 13spec: 14 minAvailable: 1 15 selector: 16 matchLabels: 17 app: istiod 18 istio: pilot 19--- 20# Source: istio-discovery/templates/configmap.yaml 21apiVersion: v1 22kind: ConfigMap 23metadata: 24 name: istio 25 namespace: istio-system 26 labels: 27 istio.io/rev: default 28 release: istio 29data: 30 31 # Configuration file for the mesh networks to be used by the Split Horizon EDS. 32 meshNetworks: |- 33 networks: {} 34 35 mesh: |- 36 accessLogEncoding: TEXT 37 accessLogFile: "" 38 accessLogFormat: "" 39 defaultConfig: 40 concurrency: 2 41 configPath: ./etc/istio/proxy 42 connectTimeout: 10s 43 controlPlaneAuthPolicy: NONE 44 discoveryAddress: istiod.istio-system.svc:15012 45 drainDuration: 45s 46 parentShutdownDuration: 1m0s 47 proxyAdminPort: 15000 48 proxyMetadata: 49 DNS_AGENT: "" 50 serviceCluster: istio-proxy 51 tracing: 52 tlsSettings: 53 caCertificates: null 54 clientCertificate: null 55 mode: DISABLE 56 privateKey: null 57 sni: null 58 subjectAltNames: [] 59 zipkin: 60 address: zipkin.istio-system:9411 61 disableMixerHttpReports: true 62 disablePolicyChecks: true 63 enableAutoMtls: true 64 enableEnvoyAccessLogService: false 65 enablePrometheusMerge: false 66 enableTracing: true 67 ingressClass: istio 68 ingressControllerMode: STRICT 69 ingressService: istio-ingressgateway 70 localityLbSetting: 71 enabled: true 72 outboundTrafficPolicy: 73 mode: ALLOW_ANY 74 protocolDetectionTimeout: 100ms 75 reportBatchMaxEntries: 100 76 reportBatchMaxTime: 1s 77 sdsUdsPath: unix:/etc/istio/proxy/SDS 78 trustDomain: cluster.local 79 trustDomainAliases: null 80--- 81# Source: istio-discovery/templates/istiod-injector-configmap.yaml 82apiVersion: v1 83kind: ConfigMap 84metadata: 85 name: istio-sidecar-injector 86 namespace: istio-system 87 labels: 88 istio.io/rev: default 89 release: istio 90data: 91 92 values: |- 93 { 94 "global": { 95 "arch": { 96 "amd64": 2, 97 "ppc64le": 2, 98 "s390x": 2 99 }, 100 "caAddress": "", 101 "centralIstiod": false, 102 "certificates": [], 103 "configRootNamespace": "istio-system", 104 "configValidation": true, 105 "controlPlaneSecurityEnabled": true, 106 "createRemoteSvcEndpoints": false, 107 "defaultConfigVisibilitySettings": [], 108 "defaultNodeSelector": {}, 109 "defaultPodDisruptionBudget": { 110 "enabled": true 111 }, 112 "defaultResources": { 113 "requests": { 114 "cpu": "10m" 115 } 116 }, 117 "defaultTolerations": [], 118 "disablePolicyChecks": true, 119 "enableHelmTest": false, 120 "enableTracing": true, 121 "hub": "gcr.io/istio-testing", 122 "imagePullPolicy": "", 123 "imagePullSecrets": [], 124 "istioNamespace": "istio-system", 125 "istiod": { 126 "enableAnalysis": false, 127 "enabled": true 128 }, 129 "jwtPolicy": "third-party-jwt", 130 "localityLbSetting": { 131 "enabled": true 132 }, 133 "logAsJson": false, 134 "logging": { 135 "level": "default:info" 136 }, 137 "meshExpansion": { 138 "enabled": false, 139 "useILB": false 140 }, 141 "meshID": "", 142 "meshNetworks": {}, 143 "mountMtlsCerts": false, 144 "mtls": { 145 "auto": true, 146 "enabled": false 147 }, 148 "multiCluster": { 149 "clusterName": "", 150 "enabled": false 151 }, 152 "network": "", 153 "omitSidecarInjectorConfigMap": false, 154 "oneNamespace": false, 155 "operatorManageWebhooks": false, 156 "outboundTrafficPolicy": { 157 "mode": "ALLOW_ANY" 158 }, 159 "pilotCertProvider": "istiod", 160 "policyCheckFailOpen": false, 161 "policyNamespace": "istio-system", 162 "priorityClassName": "", 163 "prometheusNamespace": "istio-system", 164 "proxy": { 165 "accessLogEncoding": "TEXT", 166 "accessLogFile": "", 167 "accessLogFormat": "", 168 "autoInject": "enabled", 169 "clusterDomain": "cluster.local", 170 "componentLogLevel": "misc:error", 171 "concurrency": 2, 172 "enableCoreDump": false, 173 "envoyAccessLogService": { 174 "enabled": false, 175 "host": null, 176 "port": null, 177 "tcpKeepalive": { 178 "interval": "10s", 179 "probes": 3, 180 "time": "10s" 181 }, 182 "tlsSettings": { 183 "caCertificates": null, 184 "clientCertificate": null, 185 "mode": "DISABLE", 186 "privateKey": null, 187 "sni": null, 188 "subjectAltNames": [] 189 } 190 }, 191 "envoyMetricsService": { 192 "enabled": false, 193 "host": null, 194 "port": null, 195 "tcpKeepalive": { 196 "interval": "10s", 197 "probes": 3, 198 "time": "10s" 199 }, 200 "tlsSettings": { 201 "caCertificates": null, 202 "clientCertificate": null, 203 "mode": "DISABLE", 204 "privateKey": null, 205 "sni": null, 206 "subjectAltNames": [] 207 } 208 }, 209 "envoyStatsd": { 210 "enabled": false, 211 "host": null, 212 "port": null 213 }, 214 "excludeIPRanges": "", 215 "excludeInboundPorts": "", 216 "excludeOutboundPorts": "", 217 "image": "proxyv2", 218 "includeIPRanges": "*", 219 "logLevel": "warning", 220 "privileged": false, 221 "protocolDetectionTimeout": "100ms", 222 "readinessFailureThreshold": 30, 223 "readinessInitialDelaySeconds": 1, 224 "readinessPeriodSeconds": 2, 225 "resources": { 226 "limits": { 227 "cpu": "2000m", 228 "memory": "1024Mi" 229 }, 230 "requests": { 231 "cpu": "100m", 232 "memory": "128Mi" 233 } 234 }, 235 "statusPort": 15020, 236 "tracer": "zipkin" 237 }, 238 "proxy_init": { 239 "image": "proxyv2", 240 "resources": { 241 "limits": { 242 "cpu": "100m", 243 "memory": "50Mi" 244 }, 245 "requests": { 246 "cpu": "10m", 247 "memory": "10Mi" 248 } 249 } 250 }, 251 "remotePilotAddress": "", 252 "remotePolicyAddress": "", 253 "remoteTelemetryAddress": "", 254 "sds": { 255 "enabled": false, 256 "token": { 257 "aud": "istio-ca" 258 }, 259 "udsPath": "" 260 }, 261 "sts": { 262 "servicePort": 0 263 }, 264 "tag": "latest", 265 "telemetryNamespace": "istio-system", 266 "tracer": { 267 "datadog": { 268 "address": "$(HOST_IP):8126" 269 }, 270 "lightstep": { 271 "accessToken": "", 272 "address": "" 273 }, 274 "stackdriver": { 275 "debug": false, 276 "maxNumberOfAnnotations": 200, 277 "maxNumberOfAttributes": 200, 278 "maxNumberOfMessageEvents": 200 279 }, 280 "zipkin": { 281 "address": "" 282 } 283 }, 284 "trustDomain": "cluster.local", 285 "trustDomainAliases": [], 286 "useMCP": false 287 }, 288 "revision": "", 289 "sidecarInjectorWebhook": { 290 "alwaysInjectSelector": [], 291 "enableNamespacesByDefault": false, 292 "injectLabel": "istio-injection", 293 "injectedAnnotations": {}, 294 "neverInjectSelector": [], 295 "objectSelector": { 296 "autoInject": true, 297 "enabled": false 298 } 299 } 300 } 301 302 # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching 303 # and istiod webhook functionality. 304 # 305 # New fields should not use Values - it is a 'primary' config object, users should be able 306 # to fine tune it or use it with kube-inject. 307 config: |- 308 policy: enabled 309 alwaysInjectSelector: 310 [] 311 neverInjectSelector: 312 [] 313 injectedAnnotations: 314 315 template: | 316 rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} 317 initContainers: 318 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 319 {{ if .Values.istio_cni.enabled -}} 320 - name: istio-validation 321 {{ else -}} 322 - name: istio-init 323 {{ end -}} 324 {{- if contains "/" .Values.global.proxy_init.image }} 325 image: "{{ .Values.global.proxy_init.image }}" 326 {{- else }} 327 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 328 {{- end }} 329 args: 330 - istio-iptables 331 - "-p" 332 - 15001 333 - "-z" 334 - "15006" 335 - "-u" 336 - 1337 337 - "-m" 338 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 339 - "-i" 340 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 341 - "-x" 342 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 343 - "-b" 344 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" 345 - "-d" 346 {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} 347 - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 348 {{- else }} 349 - "15090,15021" 350 {{- end }} 351 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 352 - "-o" 353 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 354 {{ end -}} 355 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 356 - "-k" 357 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 358 {{ end -}} 359 {{ if .Values.istio_cni.enabled -}} 360 - "--run-validation" 361 - "--skip-rule-apply" 362 {{ end -}} 363 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 364 {{- if .Values.global.proxy_init.resources }} 365 env: 366 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 367 - name: {{ $key }} 368 value: "{{ $value }}" 369 {{- end }} 370 resources: 371 {{ toYaml .Values.global.proxy_init.resources | indent 4 }} 372 {{- else }} 373 resources: {} 374 {{- end }} 375 securityContext: 376 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 377 privileged: {{ .Values.global.proxy.privileged }} 378 capabilities: 379 {{- if not .Values.istio_cni.enabled }} 380 add: 381 - NET_ADMIN 382 - NET_RAW 383 {{- end }} 384 drop: 385 - ALL 386 {{- if not .Values.istio_cni.enabled }} 387 readOnlyRootFilesystem: false 388 runAsGroup: 0 389 runAsNonRoot: false 390 runAsUser: 0 391 {{- else }} 392 readOnlyRootFilesystem: true 393 runAsGroup: 1337 394 runAsUser: 1337 395 runAsNonRoot: true 396 {{- end }} 397 restartPolicy: Always 398 {{ end -}} 399 {{- if eq .Values.global.proxy.enableCoreDump true }} 400 - name: enable-core-dump 401 args: 402 - -c 403 - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited 404 command: 405 - /bin/sh 406 {{- if contains "/" .Values.global.proxy_init.image }} 407 image: "{{ .Values.global.proxy_init.image }}" 408 {{- else }} 409 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 410 {{- end }} 411 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 412 resources: {} 413 securityContext: 414 allowPrivilegeEscalation: true 415 capabilities: 416 add: 417 - SYS_ADMIN 418 drop: 419 - ALL 420 privileged: true 421 readOnlyRootFilesystem: false 422 runAsGroup: 0 423 runAsNonRoot: false 424 runAsUser: 0 425 {{ end }} 426 containers: 427 - name: istio-proxy 428 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 429 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 430 {{- else }} 431 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" 432 {{- end }} 433 ports: 434 - containerPort: 15090 435 protocol: TCP 436 name: http-envoy-prom 437 args: 438 - proxy 439 - sidecar 440 - --domain 441 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 442 - --serviceCluster 443 {{ if ne "" (index .ObjectMeta.Labels "app") -}} 444 - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" 445 {{ else -}} 446 - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" 447 {{ end -}} 448 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} 449 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} 450 {{- if .Values.global.sts.servicePort }} 451 - --stsPort={{ .Values.global.sts.servicePort }} 452 {{- end }} 453 {{- if .Values.global.trustDomain }} 454 - --trust-domain={{ .Values.global.trustDomain }} 455 {{- end }} 456 {{- if .Values.global.logAsJson }} 457 - --log_as_json 458 {{- end }} 459 {{- if gt .ProxyConfig.Concurrency 0 }} 460 - --concurrency 461 - "{{ .ProxyConfig.Concurrency }}" 462 {{- end -}} 463 {{- if .Values.global.proxy.lifecycle }} 464 lifecycle: 465 {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} 466 {{- end }} 467 env: 468 - name: JWT_POLICY 469 value: {{ .Values.global.jwtPolicy }} 470 - name: PILOT_CERT_PROVIDER 471 value: {{ .Values.global.pilotCertProvider }} 472 # Temp, pending PR to make it default or based on the istiodAddr env 473 - name: CA_ADDR 474 {{- if .Values.global.caAddress }} 475 value: {{ .Values.global.caAddress }} 476 {{- else }} 477 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 478 {{- end }} 479 - name: POD_NAME 480 valueFrom: 481 fieldRef: 482 fieldPath: metadata.name 483 - name: POD_NAMESPACE 484 valueFrom: 485 fieldRef: 486 fieldPath: metadata.namespace 487 - name: INSTANCE_IP 488 valueFrom: 489 fieldRef: 490 fieldPath: status.podIP 491 - name: SERVICE_ACCOUNT 492 valueFrom: 493 fieldRef: 494 fieldPath: spec.serviceAccountName 495 - name: HOST_IP 496 valueFrom: 497 fieldRef: 498 fieldPath: status.hostIP 499 - name: CANONICAL_SERVICE 500 valueFrom: 501 fieldRef: 502 fieldPath: metadata.labels['service.istio.io/canonical-name'] 503 - name: CANONICAL_REVISION 504 valueFrom: 505 fieldRef: 506 fieldPath: metadata.labels['service.istio.io/canonical-revision'] 507 - name: PROXY_CONFIG 508 value: | 509 {{ protoToJSON .ProxyConfig }} 510 - name: ISTIO_META_POD_PORTS 511 value: |- 512 [ 513 {{- $first := true }} 514 {{- range $index1, $c := .Spec.Containers }} 515 {{- range $index2, $p := $c.Ports }} 516 {{- if (structToJSON $p) }} 517 {{if not $first}},{{end}}{{ structToJSON $p }} 518 {{- $first = false }} 519 {{- end }} 520 {{- end}} 521 {{- end}} 522 ] 523 - name: ISTIO_META_APP_CONTAINERS 524 value: |- 525 [ 526 {{- range $index, $container := .Spec.Containers }} 527 {{- if ne $index 0}},{{- end}} 528 {{ $container.Name }} 529 {{- end}} 530 ] 531 - name: ISTIO_META_CLUSTER_ID 532 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 533 - name: ISTIO_META_INTERCEPTION_MODE 534 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 535 {{- if .Values.global.network }} 536 - name: ISTIO_META_NETWORK 537 value: "{{ .Values.global.network }}" 538 {{- end }} 539 {{ if .ObjectMeta.Annotations }} 540 - name: ISTIO_METAJSON_ANNOTATIONS 541 value: | 542 {{ toJSON .ObjectMeta.Annotations }} 543 {{ end }} 544 {{- if .DeploymentMeta.Name }} 545 - name: ISTIO_META_WORKLOAD_NAME 546 value: {{ .DeploymentMeta.Name }} 547 {{ end }} 548 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 549 - name: ISTIO_META_OWNER 550 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 551 {{- end}} 552 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 553 - name: ISTIO_BOOTSTRAP_OVERRIDE 554 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 555 {{- end }} 556 {{- if .Values.global.meshID }} 557 - name: ISTIO_META_MESH_ID 558 value: "{{ .Values.global.meshID }}" 559 {{- else if .Values.global.trustDomain }} 560 - name: ISTIO_META_MESH_ID 561 value: "{{ .Values.global.trustDomain }}" 562 {{- end }} 563 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 564 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 565 - name: {{ $key }} 566 value: "{{ $value }}" 567 {{- end }} 568 {{- end }} 569 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 570 - name: {{ $key }} 571 value: "{{ $value }}" 572 {{- end }} 573 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 574 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 575 readinessProbe: 576 httpGet: 577 path: /healthz/ready 578 port: 15021 579 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 580 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 581 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 582 {{ end -}} 583 securityContext: 584 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 585 capabilities: 586 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 587 add: 588 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 589 - NET_ADMIN 590 {{- end }} 591 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 592 - NET_BIND_SERVICE 593 {{- end }} 594 {{- end }} 595 drop: 596 - ALL 597 privileged: {{ .Values.global.proxy.privileged }} 598 readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} 599 runAsGroup: 1337 600 fsGroup: 1337 601 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 602 runAsNonRoot: false 603 runAsUser: 0 604 {{- else -}} 605 runAsNonRoot: true 606 runAsUser: 1337 607 {{- end }} 608 resources: 609 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 610 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 611 requests: 612 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 613 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 614 {{ end }} 615 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 616 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 617 {{ end }} 618 {{- end }} 619 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 620 limits: 621 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 622 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 623 {{ end }} 624 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 625 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 626 {{ end }} 627 {{- end }} 628 {{- else }} 629 {{- if .Values.global.proxy.resources }} 630 {{ toYaml .Values.global.proxy.resources | indent 4 }} 631 {{- end }} 632 {{- end }} 633 volumeMounts: 634 {{- if eq .Values.global.pilotCertProvider "istiod" }} 635 - mountPath: /var/run/secrets/istio 636 name: istiod-ca-cert 637 {{- end }} 638 - mountPath: /var/lib/istio/data 639 name: istio-data 640 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 641 - mountPath: /etc/istio/custom-bootstrap 642 name: custom-bootstrap-volume 643 {{- end }} 644 # SDS channel between istioagent and Envoy 645 - mountPath: /etc/istio/proxy 646 name: istio-envoy 647 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 648 - mountPath: /var/run/secrets/tokens 649 name: istio-token 650 {{- end }} 651 {{- if .Values.global.mountMtlsCerts }} 652 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 653 - mountPath: /etc/certs/ 654 name: istio-certs 655 readOnly: true 656 {{- end }} 657 - name: istio-podinfo 658 mountPath: /etc/istio/pod 659 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 660 - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} 661 name: lightstep-certs 662 readOnly: true 663 {{- end }} 664 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 665 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 666 - name: "{{ $index }}" 667 {{ toYaml $value | indent 4 }} 668 {{ end }} 669 {{- end }} 670 volumes: 671 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 672 - name: custom-bootstrap-volume 673 configMap: 674 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 675 {{- end }} 676 # SDS channel between istioagent and Envoy 677 - emptyDir: 678 medium: Memory 679 name: istio-envoy 680 - name: istio-data 681 emptyDir: {} 682 - name: istio-podinfo 683 downwardAPI: 684 items: 685 - path: "labels" 686 fieldRef: 687 fieldPath: metadata.labels 688 - path: "annotations" 689 fieldRef: 690 fieldPath: metadata.annotations 691 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 692 - name: istio-token 693 projected: 694 sources: 695 - serviceAccountToken: 696 path: istio-token 697 expirationSeconds: 43200 698 audience: {{ .Values.global.sds.token.aud }} 699 {{- end }} 700 {{- if eq .Values.global.pilotCertProvider "istiod" }} 701 - name: istiod-ca-cert 702 configMap: 703 name: istio-ca-root-cert 704 {{- end }} 705 {{- if .Values.global.mountMtlsCerts }} 706 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 707 - name: istio-certs 708 secret: 709 optional: true 710 {{ if eq .Spec.ServiceAccountName "" }} 711 secretName: istio.default 712 {{ else -}} 713 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 714 {{ end -}} 715 {{- end }} 716 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 717 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 718 - name: "{{ $index }}" 719 {{ toYaml $value | indent 2 }} 720 {{ end }} 721 {{ end }} 722 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 723 - name: lightstep-certs 724 secret: 725 optional: true 726 secretName: lightstep.cacert 727 {{- end }} 728 {{- if .Values.global.podDNSSearchNamespaces }} 729 dnsConfig: 730 searches: 731 {{- range .Values.global.podDNSSearchNamespaces }} 732 - {{ render . }} 733 {{- end }} 734 {{- end }} 735 podRedirectAnnot: 736 {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} 737 {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} 738 k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" 739 {{- else }} 740 k8s.v1.cni.cncf.io/networks: "istio-cni" 741 {{- end }} 742 {{- end }} 743 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 744 traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 745 traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 746 traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" 747 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 748 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 749 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 750 {{- end }} 751 traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 752 {{- if .Values.global.imagePullSecrets }} 753 imagePullSecrets: 754 {{- range .Values.global.imagePullSecrets }} 755 - name: {{ . }} 756 {{- end }} 757 {{- end }} 758--- 759# Source: istio-discovery/templates/service.yaml 760apiVersion: v1 761kind: Service 762metadata: 763 name: istiod 764 namespace: istio-system 765 labels: 766 istio.io/rev: default 767 app: istiod 768 istio: pilot 769 release: istio 770spec: 771 ports: 772 - port: 15010 773 name: grpc-xds # plaintext 774 - port: 15012 775 name: https-dns # mTLS with k8s-signed cert 776 - port: 443 777 name: https-webhook # validation and injection 778 targetPort: 15017 779 - port: 15014 780 name: http-monitoring # prometheus stats 781 - name: dns-tls 782 port: 853 783 targetPort: 15053 784 protocol: TCP 785 selector: 786 app: istiod 787 # Label used by the 'default' service. For versioned deployments we match with app and version. 788 # This avoids default deployment picking the canary 789 istio: pilot 790--- 791# Source: istio-discovery/templates/deployment.yaml 792apiVersion: apps/v1 793kind: Deployment 794metadata: 795 name: istiod 796 namespace: istio-system 797 labels: 798 app: istiod 799 istio.io/rev: default 800 istio: pilot 801 release: istio 802spec: 803 strategy: 804 rollingUpdate: 805 maxSurge: 100% 806 maxUnavailable: 25% 807 selector: 808 matchLabels: 809 istio: pilot 810 template: 811 metadata: 812 labels: 813 app: istiod 814 istio.io/rev: default 815 istio: pilot 816 annotations: 817 sidecar.istio.io/inject: "false" 818 spec: 819 serviceAccountName: istiod-service-account 820 securityContext: 821 fsGroup: 1337 822 containers: 823 - name: discovery 824 image: "gcr.io/istio-testing/pilot:latest" 825 args: 826 - "discovery" 827 - --monitoringAddr=:15014 828 - --log_output_level=default:info 829 - --domain 830 - cluster.local 831 - --trust-domain=cluster.local 832 - --keepaliveMaxServerConnectionAge 833 - "30m" 834 ports: 835 - containerPort: 8080 836 - containerPort: 15010 837 - containerPort: 15017 838 - containerPort: 15053 839 readinessProbe: 840 httpGet: 841 path: /ready 842 port: 8080 843 initialDelaySeconds: 5 844 periodSeconds: 5 845 timeoutSeconds: 5 846 env: 847 - name: REVISION 848 value: "default" 849 - name: JWT_POLICY 850 value: third-party-jwt 851 - name: PILOT_CERT_PROVIDER 852 value: istiod 853 - name: POD_NAME 854 valueFrom: 855 fieldRef: 856 apiVersion: v1 857 fieldPath: metadata.name 858 - name: POD_NAMESPACE 859 valueFrom: 860 fieldRef: 861 apiVersion: v1 862 fieldPath: metadata.namespace 863 - name: SERVICE_ACCOUNT 864 valueFrom: 865 fieldRef: 866 apiVersion: v1 867 fieldPath: spec.serviceAccountName 868 - name: PILOT_TRACE_SAMPLING 869 value: "1" 870 - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND 871 value: "true" 872 - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND 873 value: "true" 874 - name: INJECTION_WEBHOOK_CONFIG_NAME 875 value: istio-sidecar-injector 876 - name: ISTIOD_ADDR 877 value: istiod.istio-system.svc:15012 878 - name: PILOT_ENABLE_ANALYSIS 879 value: "false" 880 - name: CLUSTER_ID 881 value: "Kubernetes" 882 - name: CENTRAL_ISTIOD 883 value: "false" 884 resources: 885 requests: 886 cpu: 500m 887 memory: 2048Mi 888 securityContext: 889 runAsUser: 1337 890 runAsGroup: 1337 891 runAsNonRoot: true 892 capabilities: 893 drop: 894 - ALL 895 volumeMounts: 896 - name: config-volume 897 mountPath: /etc/istio/config 898 - name: istio-token 899 mountPath: /var/run/secrets/tokens 900 readOnly: true 901 - name: local-certs 902 mountPath: /var/run/secrets/istio-dns 903 - name: cacerts 904 mountPath: /etc/cacerts 905 readOnly: true 906 - name: inject 907 mountPath: /var/lib/istio/inject 908 readOnly: true 909 volumes: 910 # Technically not needed on this pod - but it helps debugging/testing SDS 911 # Should be removed after everything works. 912 - emptyDir: 913 medium: Memory 914 name: local-certs 915 - name: istio-token 916 projected: 917 sources: 918 - serviceAccountToken: 919 audience: istio-ca 920 expirationSeconds: 43200 921 path: istio-token 922 # Optional: user-generated root 923 - name: cacerts 924 secret: 925 secretName: cacerts 926 optional: true 927 # Optional - image should have 928 - name: inject 929 configMap: 930 name: istio-sidecar-injector 931 optional: true 932 - name: config-volume 933 configMap: 934 name: istio 935--- 936# Source: istio-discovery/templates/autoscale.yaml 937apiVersion: autoscaling/v2beta1 938kind: HorizontalPodAutoscaler 939metadata: 940 name: istiod 941 namespace: istio-system 942 labels: 943 app: istiod 944 release: istio 945 istio.io/rev: default 946spec: 947 maxReplicas: 5 948 minReplicas: 1 949 scaleTargetRef: 950 apiVersion: apps/v1 951 kind: Deployment 952 name: istiod 953 metrics: 954 - type: Resource 955 resource: 956 name: cpu 957 targetAverageUtilization: 80 958--- 959# Source: istio-discovery/templates/telemetryv2_1.4.yaml 960apiVersion: networking.istio.io/v1alpha3 961kind: EnvoyFilter 962metadata: 963 name: metadata-exchange-1.4 964 namespace: istio-system 965 labels: 966 istio.io/rev: default 967spec: 968 configPatches: 969 - applyTo: HTTP_FILTER 970 match: 971 context: ANY # inbound, outbound, and gateway 972 proxy: 973 proxyVersion: '^1\.4.*' 974 listener: 975 filterChain: 976 filter: 977 name: "envoy.http_connection_manager" 978 patch: 979 operation: INSERT_BEFORE 980 value: 981 name: envoy.filters.http.wasm 982 config: 983 config: 984 configuration: envoy.wasm.metadata_exchange 985 vm_config: 986 runtime: envoy.wasm.runtime.null 987 code: 988 inline_string: envoy.wasm.metadata_exchange 989--- 990# Source: istio-discovery/templates/telemetryv2_1.4.yaml 991apiVersion: networking.istio.io/v1alpha3 992kind: EnvoyFilter 993metadata: 994 name: stats-filter-1.4 995 namespace: istio-system 996 labels: 997 istio.io/rev: default 998spec: 999 configPatches: 1000 - applyTo: HTTP_FILTER 1001 match: 1002 context: SIDECAR_OUTBOUND 1003 proxy: 1004 proxyVersion: '^1\.4.*' 1005 listener: 1006 filterChain: 1007 filter: 1008 name: "envoy.http_connection_manager" 1009 subFilter: 1010 name: "envoy.router" 1011 patch: 1012 operation: INSERT_BEFORE 1013 value: 1014 name: envoy.filters.http.wasm 1015 config: 1016 config: 1017 root_id: stats_outbound 1018 configuration: | 1019 { 1020 "debug": "false", 1021 "stat_prefix": "istio", 1022 } 1023 vm_config: 1024 vm_id: stats_outbound 1025 runtime: envoy.wasm.runtime.null 1026 code: 1027 inline_string: envoy.wasm.stats 1028 - applyTo: HTTP_FILTER 1029 match: 1030 context: SIDECAR_INBOUND 1031 proxy: 1032 proxyVersion: '^1\.4.*' 1033 listener: 1034 filterChain: 1035 filter: 1036 name: "envoy.http_connection_manager" 1037 subFilter: 1038 name: "envoy.router" 1039 patch: 1040 operation: INSERT_BEFORE 1041 value: 1042 name: envoy.filters.http.wasm 1043 config: 1044 config: 1045 root_id: stats_inbound 1046 configuration: | 1047 { 1048 "debug": "false", 1049 "stat_prefix": "istio", 1050 } 1051 vm_config: 1052 vm_id: stats_inbound 1053 runtime: envoy.wasm.runtime.null 1054 code: 1055 inline_string: envoy.wasm.stats 1056 - applyTo: HTTP_FILTER 1057 match: 1058 context: GATEWAY 1059 proxy: 1060 proxyVersion: '^1\.4.*' 1061 listener: 1062 filterChain: 1063 filter: 1064 name: "envoy.http_connection_manager" 1065 subFilter: 1066 name: "envoy.router" 1067 patch: 1068 operation: INSERT_BEFORE 1069 value: 1070 name: envoy.filters.http.wasm 1071 config: 1072 config: 1073 root_id: stats_outbound 1074 configuration: | 1075 { 1076 "debug": "false", 1077 "stat_prefix": "istio", 1078 "disable_host_header_fallback": true, 1079 } 1080 vm_config: 1081 vm_id: stats_outbound 1082 runtime: envoy.wasm.runtime.null 1083 code: 1084 inline_string: envoy.wasm.stats 1085--- 1086# Source: istio-discovery/templates/telemetryv2_1.5.yaml 1087apiVersion: networking.istio.io/v1alpha3 1088kind: EnvoyFilter 1089metadata: 1090 name: metadata-exchange-1.5 1091 namespace: istio-system 1092 labels: 1093 istio.io/rev: default 1094spec: 1095 configPatches: 1096 - applyTo: HTTP_FILTER 1097 match: 1098 context: ANY # inbound, outbound, and gateway 1099 proxy: 1100 proxyVersion: '^1\.5.*' 1101 listener: 1102 filterChain: 1103 filter: 1104 name: "envoy.http_connection_manager" 1105 patch: 1106 operation: INSERT_BEFORE 1107 value: 1108 name: envoy.filters.http.wasm 1109 typed_config: 1110 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1111 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1112 value: 1113 config: 1114 configuration: envoy.wasm.metadata_exchange 1115 vm_config: 1116 runtime: envoy.wasm.runtime.null 1117 code: 1118 local: 1119 inline_string: envoy.wasm.metadata_exchange 1120--- 1121# Source: istio-discovery/templates/telemetryv2_1.5.yaml 1122apiVersion: networking.istio.io/v1alpha3 1123kind: EnvoyFilter 1124metadata: 1125 name: tcp-metadata-exchange-1.5 1126 namespace: istio-system 1127 labels: 1128 istio.io/rev: default 1129spec: 1130 configPatches: 1131 - applyTo: NETWORK_FILTER 1132 match: 1133 context: SIDECAR_INBOUND 1134 proxy: 1135 proxyVersion: '^1\.5.*' 1136 listener: {} 1137 patch: 1138 operation: INSERT_BEFORE 1139 value: 1140 name: envoy.filters.network.metadata_exchange 1141 config: 1142 protocol: istio-peer-exchange 1143 - applyTo: CLUSTER 1144 match: 1145 context: SIDECAR_OUTBOUND 1146 proxy: 1147 proxyVersion: '^1\.5.*' 1148 cluster: {} 1149 patch: 1150 operation: MERGE 1151 value: 1152 filters: 1153 - name: envoy.filters.network.upstream.metadata_exchange 1154 typed_config: 1155 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1156 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1157 value: 1158 protocol: istio-peer-exchange 1159 - applyTo: CLUSTER 1160 match: 1161 context: GATEWAY 1162 proxy: 1163 proxyVersion: '^1\.5.*' 1164 cluster: {} 1165 patch: 1166 operation: MERGE 1167 value: 1168 filters: 1169 - name: envoy.filters.network.upstream.metadata_exchange 1170 typed_config: 1171 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1172 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1173 value: 1174 protocol: istio-peer-exchange 1175--- 1176# Source: istio-discovery/templates/telemetryv2_1.5.yaml 1177apiVersion: networking.istio.io/v1alpha3 1178kind: EnvoyFilter 1179metadata: 1180 name: stats-filter-1.5 1181 namespace: istio-system 1182 labels: 1183 istio.io/rev: default 1184spec: 1185 configPatches: 1186 - applyTo: HTTP_FILTER 1187 match: 1188 context: SIDECAR_OUTBOUND 1189 proxy: 1190 proxyVersion: '^1\.5.*' 1191 listener: 1192 filterChain: 1193 filter: 1194 name: "envoy.http_connection_manager" 1195 subFilter: 1196 name: "envoy.router" 1197 patch: 1198 operation: INSERT_BEFORE 1199 value: 1200 name: envoy.filters.http.wasm 1201 typed_config: 1202 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1203 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1204 value: 1205 config: 1206 root_id: stats_outbound 1207 configuration: | 1208 { 1209 "debug": "false", 1210 "stat_prefix": "istio", 1211 } 1212 vm_config: 1213 vm_id: stats_outbound 1214 runtime: envoy.wasm.runtime.null 1215 code: 1216 local: 1217 inline_string: envoy.wasm.stats 1218 - applyTo: HTTP_FILTER 1219 match: 1220 context: SIDECAR_INBOUND 1221 proxy: 1222 proxyVersion: '^1\.5.*' 1223 listener: 1224 filterChain: 1225 filter: 1226 name: "envoy.http_connection_manager" 1227 subFilter: 1228 name: "envoy.router" 1229 patch: 1230 operation: INSERT_BEFORE 1231 value: 1232 name: envoy.filters.http.wasm 1233 typed_config: 1234 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1235 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1236 value: 1237 config: 1238 root_id: stats_inbound 1239 configuration: | 1240 { 1241 "debug": "false", 1242 "stat_prefix": "istio", 1243 } 1244 vm_config: 1245 vm_id: stats_inbound 1246 runtime: envoy.wasm.runtime.null 1247 code: 1248 local: 1249 inline_string: envoy.wasm.stats 1250 - applyTo: HTTP_FILTER 1251 match: 1252 context: GATEWAY 1253 proxy: 1254 proxyVersion: '^1\.5.*' 1255 listener: 1256 filterChain: 1257 filter: 1258 name: "envoy.http_connection_manager" 1259 subFilter: 1260 name: "envoy.router" 1261 patch: 1262 operation: INSERT_BEFORE 1263 value: 1264 name: envoy.filters.http.wasm 1265 typed_config: 1266 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1267 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1268 value: 1269 config: 1270 root_id: stats_outbound 1271 configuration: | 1272 { 1273 "debug": "false", 1274 "stat_prefix": "istio", 1275 "disable_host_header_fallback": true, 1276 } 1277 vm_config: 1278 vm_id: stats_outbound 1279 runtime: envoy.wasm.runtime.null 1280 code: 1281 local: 1282 inline_string: envoy.wasm.stats 1283--- 1284# Source: istio-discovery/templates/telemetryv2_1.5.yaml 1285apiVersion: networking.istio.io/v1alpha3 1286kind: EnvoyFilter 1287metadata: 1288 name: tcp-stats-filter-1.5 1289 namespace: istio-system 1290 labels: 1291 istio.io/rev: default 1292spec: 1293 configPatches: 1294 - applyTo: NETWORK_FILTER 1295 match: 1296 context: SIDECAR_INBOUND 1297 proxy: 1298 proxyVersion: '^1\.5.*' 1299 listener: 1300 filterChain: 1301 filter: 1302 name: "envoy.tcp_proxy" 1303 patch: 1304 operation: INSERT_BEFORE 1305 value: 1306 name: envoy.filters.network.wasm 1307 typed_config: 1308 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1309 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1310 value: 1311 config: 1312 root_id: stats_inbound 1313 configuration: | 1314 { 1315 "debug": "false", 1316 "stat_prefix": "istio", 1317 } 1318 vm_config: 1319 vm_id: tcp_stats_inbound 1320 runtime: envoy.wasm.runtime.null 1321 code: 1322 local: 1323 inline_string: "envoy.wasm.stats" 1324 - applyTo: NETWORK_FILTER 1325 match: 1326 context: SIDECAR_OUTBOUND 1327 proxy: 1328 proxyVersion: '^1\.5.*' 1329 listener: 1330 filterChain: 1331 filter: 1332 name: "envoy.tcp_proxy" 1333 patch: 1334 operation: INSERT_BEFORE 1335 value: 1336 name: envoy.filters.network.wasm 1337 typed_config: 1338 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1339 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1340 value: 1341 config: 1342 root_id: stats_outbound 1343 configuration: | 1344 { 1345 "debug": "false", 1346 "stat_prefix": "istio", 1347 } 1348 vm_config: 1349 vm_id: tcp_stats_outbound 1350 runtime: envoy.wasm.runtime.null 1351 code: 1352 local: 1353 inline_string: "envoy.wasm.stats" 1354 - applyTo: NETWORK_FILTER 1355 match: 1356 context: GATEWAY 1357 proxy: 1358 proxyVersion: '^1\.5.*' 1359 listener: 1360 filterChain: 1361 filter: 1362 name: "envoy.tcp_proxy" 1363 patch: 1364 operation: INSERT_BEFORE 1365 value: 1366 name: envoy.filters.network.wasm 1367 typed_config: 1368 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1369 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1370 value: 1371 config: 1372 root_id: stats_outbound 1373 configuration: | 1374 { 1375 "debug": "false", 1376 "stat_prefix": "istio", 1377 } 1378 vm_config: 1379 vm_id: tcp_stats_outbound 1380 runtime: envoy.wasm.runtime.null 1381 code: 1382 local: 1383 inline_string: "envoy.wasm.stats" 1384--- 1385# Source: istio-discovery/templates/telemetryv2_1.6.yaml 1386apiVersion: networking.istio.io/v1alpha3 1387kind: EnvoyFilter 1388metadata: 1389 name: metadata-exchange-1.6 1390 namespace: istio-system 1391 labels: 1392 istio.io/rev: default 1393spec: 1394 configPatches: 1395 - applyTo: HTTP_FILTER 1396 match: 1397 context: ANY # inbound, outbound, and gateway 1398 proxy: 1399 proxyVersion: '^1\.6.*' 1400 listener: 1401 filterChain: 1402 filter: 1403 name: "envoy.http_connection_manager" 1404 patch: 1405 operation: INSERT_BEFORE 1406 value: 1407 name: istio.metadata_exchange 1408 typed_config: 1409 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1410 type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm 1411 value: 1412 config: 1413 configuration: | 1414 {} 1415 vm_config: 1416 runtime: envoy.wasm.runtime.null 1417 code: 1418 local: 1419 inline_string: envoy.wasm.metadata_exchange 1420--- 1421# Source: istio-discovery/templates/telemetryv2_1.6.yaml 1422apiVersion: networking.istio.io/v1alpha3 1423kind: EnvoyFilter 1424metadata: 1425 name: tcp-metadata-exchange-1.6 1426 namespace: istio-system 1427 labels: 1428 istio.io/rev: default 1429spec: 1430 configPatches: 1431 - applyTo: NETWORK_FILTER 1432 match: 1433 context: SIDECAR_INBOUND 1434 proxy: 1435 proxyVersion: '^1\.6.*' 1436 listener: {} 1437 patch: 1438 operation: INSERT_BEFORE 1439 value: 1440 name: istio.metadata_exchange 1441 typed_config: 1442 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1443 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1444 value: 1445 protocol: istio-peer-exchange 1446 - applyTo: CLUSTER 1447 match: 1448 context: SIDECAR_OUTBOUND 1449 proxy: 1450 proxyVersion: '^1\.6.*' 1451 cluster: {} 1452 patch: 1453 operation: MERGE 1454 value: 1455 filters: 1456 - name: istio.metadata_exchange 1457 typed_config: 1458 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1459 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1460 value: 1461 protocol: istio-peer-exchange 1462 - applyTo: CLUSTER 1463 match: 1464 context: GATEWAY 1465 proxy: 1466 proxyVersion: '^1\.6.*' 1467 cluster: {} 1468 patch: 1469 operation: MERGE 1470 value: 1471 filters: 1472 - name: istio.metadata_exchange 1473 typed_config: 1474 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1475 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1476 value: 1477 protocol: istio-peer-exchange 1478--- 1479# Source: istio-discovery/templates/telemetryv2_1.6.yaml 1480apiVersion: networking.istio.io/v1alpha3 1481kind: EnvoyFilter 1482metadata: 1483 name: stats-filter-1.6 1484 namespace: istio-system 1485 labels: 1486 istio.io/rev: default 1487spec: 1488 configPatches: 1489 - applyTo: HTTP_FILTER 1490 match: 1491 context: SIDECAR_OUTBOUND 1492 proxy: 1493 proxyVersion: '^1\.6.*' 1494 listener: 1495 filterChain: 1496 filter: 1497 name: "envoy.http_connection_manager" 1498 subFilter: 1499 name: "envoy.router" 1500 patch: 1501 operation: INSERT_BEFORE 1502 value: 1503 name: istio.stats 1504 typed_config: 1505 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1506 type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm 1507 value: 1508 config: 1509 root_id: stats_outbound 1510 configuration: | 1511 { 1512 "debug": "false", 1513 "stat_prefix": "istio" 1514 } 1515 vm_config: 1516 vm_id: stats_outbound 1517 runtime: envoy.wasm.runtime.null 1518 code: 1519 local: 1520 inline_string: envoy.wasm.stats 1521 - applyTo: HTTP_FILTER 1522 match: 1523 context: SIDECAR_INBOUND 1524 proxy: 1525 proxyVersion: '^1\.6.*' 1526 listener: 1527 filterChain: 1528 filter: 1529 name: "envoy.http_connection_manager" 1530 subFilter: 1531 name: "envoy.router" 1532 patch: 1533 operation: INSERT_BEFORE 1534 value: 1535 name: istio.stats 1536 typed_config: 1537 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1538 type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm 1539 value: 1540 config: 1541 root_id: stats_inbound 1542 configuration: | 1543 { 1544 "debug": "false", 1545 "stat_prefix": "istio" 1546 } 1547 vm_config: 1548 vm_id: stats_inbound 1549 runtime: envoy.wasm.runtime.null 1550 code: 1551 local: 1552 inline_string: envoy.wasm.stats 1553 - applyTo: HTTP_FILTER 1554 match: 1555 context: GATEWAY 1556 proxy: 1557 proxyVersion: '^1\.6.*' 1558 listener: 1559 filterChain: 1560 filter: 1561 name: "envoy.http_connection_manager" 1562 subFilter: 1563 name: "envoy.router" 1564 patch: 1565 operation: INSERT_BEFORE 1566 value: 1567 name: istio.stats 1568 typed_config: 1569 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1570 type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm 1571 value: 1572 config: 1573 root_id: stats_outbound 1574 configuration: | 1575 { 1576 "debug": "false", 1577 "stat_prefix": "istio", 1578 "disable_host_header_fallback": true 1579 } 1580 vm_config: 1581 vm_id: stats_outbound 1582 runtime: envoy.wasm.runtime.null 1583 code: 1584 local: 1585 inline_string: envoy.wasm.stats 1586--- 1587# Source: istio-discovery/templates/telemetryv2_1.6.yaml 1588apiVersion: networking.istio.io/v1alpha3 1589kind: EnvoyFilter 1590metadata: 1591 name: tcp-stats-filter-1.6 1592 namespace: istio-system 1593 labels: 1594 istio.io/rev: default 1595spec: 1596 configPatches: 1597 - applyTo: NETWORK_FILTER 1598 match: 1599 context: SIDECAR_INBOUND 1600 proxy: 1601 proxyVersion: '^1\.6.*' 1602 listener: 1603 filterChain: 1604 filter: 1605 name: "envoy.tcp_proxy" 1606 patch: 1607 operation: INSERT_BEFORE 1608 value: 1609 name: istio.stats 1610 typed_config: 1611 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1612 type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm 1613 value: 1614 config: 1615 root_id: stats_inbound 1616 configuration: | 1617 { 1618 "debug": "false", 1619 "stat_prefix": "istio" 1620 } 1621 vm_config: 1622 vm_id: tcp_stats_inbound 1623 runtime: envoy.wasm.runtime.null 1624 code: 1625 local: 1626 inline_string: "envoy.wasm.stats" 1627 - applyTo: NETWORK_FILTER 1628 match: 1629 context: SIDECAR_OUTBOUND 1630 proxy: 1631 proxyVersion: '^1\.6.*' 1632 listener: 1633 filterChain: 1634 filter: 1635 name: "envoy.tcp_proxy" 1636 patch: 1637 operation: INSERT_BEFORE 1638 value: 1639 name: istio.stats 1640 typed_config: 1641 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1642 type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm 1643 value: 1644 config: 1645 root_id: stats_outbound 1646 configuration: | 1647 { 1648 "debug": "false", 1649 "stat_prefix": "istio" 1650 } 1651 vm_config: 1652 vm_id: tcp_stats_outbound 1653 runtime: envoy.wasm.runtime.null 1654 code: 1655 local: 1656 inline_string: "envoy.wasm.stats" 1657 - applyTo: NETWORK_FILTER 1658 match: 1659 context: GATEWAY 1660 proxy: 1661 proxyVersion: '^1\.6.*' 1662 listener: 1663 filterChain: 1664 filter: 1665 name: "envoy.tcp_proxy" 1666 patch: 1667 operation: INSERT_BEFORE 1668 value: 1669 name: istio.stats 1670 typed_config: 1671 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1672 type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm 1673 value: 1674 config: 1675 root_id: stats_outbound 1676 configuration: | 1677 { 1678 "debug": "false", 1679 "stat_prefix": "istio" 1680 } 1681 vm_config: 1682 vm_id: tcp_stats_outbound 1683 runtime: envoy.wasm.runtime.null 1684 code: 1685 local: 1686 inline_string: "envoy.wasm.stats" 1687--- 1688# Source: istio-discovery/templates/mutatingwebhook.yaml 1689# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) 1690apiVersion: admissionregistration.k8s.io/v1beta1 1691kind: MutatingWebhookConfiguration 1692metadata: 1693 name: istio-sidecar-injector 1694 1695 labels: 1696 istio.io/rev: default 1697 app: sidecar-injector 1698 release: istio 1699webhooks: 1700 - name: sidecar-injector.istio.io 1701 clientConfig: 1702 service: 1703 name: istiod 1704 namespace: istio-system 1705 path: "/inject" 1706 caBundle: "" 1707 sideEffects: None 1708 rules: 1709 - operations: [ "CREATE" ] 1710 apiGroups: [""] 1711 apiVersions: ["v1"] 1712 resources: ["pods"] 1713 failurePolicy: Fail 1714 namespaceSelector: 1715 matchLabels: 1716 istio-injection: enabled 1717