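---
# Source: istio-discovery/templates/poddisruptionbudget.yaml
# NOTE(review): this file is the rendered output of the istio-discovery Helm
# chart (each document carries its "# Source:" template path). Change the
# chart templates or values rather than this rendered copy. The rendered-page
# gutter numbers that had been fused into the text have been dropped here.

# NOTE(review): policy/v1beta1 is the pre-1.21 PodDisruptionBudget API; newer
# clusters serve policy/v1. Keep v1beta1 only while older clusters are targeted.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istiod
  namespace: istio-system
  labels:
    app: istiod
    istio.io/rev: default
    release: istio-base
    istio: pilot
spec:
  # At least one istiod pod must survive any voluntary disruption (drain, eviction).
  minAvailable: 1
  selector:
    matchLabels:
      app: istiod
      istio: pilot
---

---
# Source: istio-discovery/templates/configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    istio.io/rev: default
    release: istio-base
data:

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
    networks: {}

  # Mesh-wide proxy defaults. discoveryAddress points proxies at port 15012 of the
  # istiod Service below (the mTLS xDS port); 15010 is the plaintext alternative.
  # NOTE(review): trustDomainAliases is an explicit null rather than an empty
  # list; presumably the consumer treats both the same — confirm before relying on it.
  mesh: |-
    accessLogEncoding: TEXT
    accessLogFile: ""
    accessLogFormat: ""
    defaultConfig:
      concurrency: 2
      configPath: /etc/istio/proxy
      connectTimeout: 10s
      controlPlaneAuthPolicy: NONE
      discoveryAddress: istiod.istio-system.svc:15012
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      proxyAdminPort: 15000
      proxyMetadata:
        DNS_AGENT: ""
      serviceCluster: istio-proxy
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    disableMixerHttpReports: true
    disablePolicyChecks: true
    enableAutoMtls: true
    enableEnvoyAccessLogService: false
    enablePrometheusMerge: false
    enableTracing: true
    ingressClass: istio
    ingressControllerMode: STRICT
    ingressService: istio-ingressgateway
    localityLbSetting:
      enabled: true
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    protocolDetectionTimeout: 100ms
    reportBatchMaxEntries: 100
    reportBatchMaxTime: 1s
    sdsUdsPath: unix:/etc/istio/proxy/SDS
    trustDomain: cluster.local
    trustDomainAliases: null

---

---
# Source: istio-discovery/templates/istiod-injector-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    istio.io/rev: default
    release: istio-base
data:

  # Snapshot of the chart values used when rendering the injection template below
  # (also consumed by kube-inject). NOTE(review): hub gcr.io/istio-testing with
  # tag "latest" is an unpinned test image; pin a release tag or digest before
  # using this rendering outside a test cluster.
  values: |-
    {
      "global": {
        "arch": {
          "amd64": 2,
          "ppc64le": 2,
          "s390x": 2
        },
        "caAddress": "",
        "certificates": [],
        "configRootNamespace": "istio-system",
        "configValidation": true,
        "controlPlaneSecurityEnabled": true,
        "createRemoteSvcEndpoints": false,
        "defaultConfigVisibilitySettings": [],
        "defaultNodeSelector": {},
        "defaultPodDisruptionBudget": {
          "enabled": true
        },
        "defaultResources": {
          "requests": {
            "cpu": "10m"
          }
        },
        "defaultTolerations": [],
        "disablePolicyChecks": true,
        "enableHelmTest": false,
        "enableTracing": true,
        "hub": "gcr.io/istio-testing",
        "imagePullPolicy": "",
        "imagePullSecrets": [],
        "istioNamespace": "istio-system",
        "istiod": {
          "enableAnalysis": false,
          "enabled": true
        },
        "jwtPolicy": "third-party-jwt",
        "localityLbSetting": {
          "enabled": true
        },
        "logAsJson": false,
        "logging": {
          "level": "default:info"
        },
        "meshExpansion": {
          "enabled": false,
          "useILB": false
        },
        "meshID": "",
        "meshNetworks": {},
        "mountMtlsCerts": false,
        "mtls": {
          "auto": true,
          "enabled": false
        },
        "multiCluster": {
          "clusterName": "",
          "enabled": false
        },
        "network": "",
        "omitSidecarInjectorConfigMap": false,
        "oneNamespace": false,
        "operatorManageWebhooks": false,
        "outboundTrafficPolicy": {
          "mode": "ALLOW_ANY"
        },
        "pilotCertProvider": "istiod",
        "policyCheckFailOpen": false,
        "policyNamespace": "istio-system",
        "priorityClassName": "",
        "prometheusNamespace": "istio-system",
        "proxy": {
          "accessLogEncoding": "TEXT",
          "accessLogFile": "",
          "accessLogFormat": "",
          "autoInject": "enabled",
          "clusterDomain": "cluster.local",
          "componentLogLevel": "misc:error",
          "concurrency": 2,
          "enableCoreDump": false,
          "envoyAccessLogService": {
            "enabled": false,
            "host": null,
            "port": null,
            "tcpKeepalive": {
              "interval": "10s",
              "probes": 3,
              "time": "10s"
            },
            "tlsSettings": {
              "caCertificates": null,
              "clientCertificate": null,
              "mode": "DISABLE",
              "privateKey": null,
              "sni": null,
              "subjectAltNames": []
            }
          },
          "envoyMetricsService": {
            "enabled": false,
            "host": null,
            "port": null,
            "tcpKeepalive": {
              "interval": "10s",
              "probes": 3,
              "time": "10s"
            },
            "tlsSettings": {
              "caCertificates": null,
              "clientCertificate": null,
              "mode": "DISABLE",
              "privateKey": null,
              "sni": null,
              "subjectAltNames": []
            }
          },
          "envoyStatsd": {
            "enabled": false,
            "host": null,
            "port": null
          },
          "excludeIPRanges": "",
          "excludeInboundPorts": "",
          "excludeOutboundPorts": "",
          "image": "proxyv2",
          "includeIPRanges": "*",
          "logLevel": "warning",
          "privileged": false,
          "protocolDetectionTimeout": "100ms",
          "readinessFailureThreshold": 30,
          "readinessInitialDelaySeconds": 1,
          "readinessPeriodSeconds": 2,
          "resources": {
            "limits": {
              "cpu": "2000m",
              "memory": "1024Mi"
            },
            "requests": {
              "cpu": "100m",
              "memory": "128Mi"
            }
          },
          "statusPort": 15020,
          "tracer": "zipkin"
        },
        "proxy_init": {
          "image": "proxyv2",
          "resources": {
            "limits": {
              "cpu": "100m",
              "memory": "50Mi"
            },
            "requests": {
              "cpu": "10m",
              "memory": "10Mi"
            }
          }
        },
        "remotePilotAddress": "",
        "remotePolicyAddress": "",
        "remoteTelemetryAddress": "",
        "sds": {
          "enabled": false,
          "token": {
            "aud": "istio-ca"
          },
          "udsPath": ""
        },
        "sts": {
          "servicePort": 0
        },
        "tag": "latest",
        "telemetryNamespace": "istio-system",
        "tracer": {
          "datadog": {
            "address": "$(HOST_IP):8126"
          },
          "lightstep": {
            "accessToken": "",
            "address": ""
          },
          "stackdriver": {
            "debug": false,
            "maxNumberOfAnnotations": 200,
            "maxNumberOfAttributes": 200,
            "maxNumberOfMessageEvents": 200
          },
          "zipkin": {
            "address": ""
          }
        },
        "trustDomain": "cluster.local",
        "trustDomainAliases": [],
        "useMCP": false
      },
      "revision": "",
      "sidecarInjectorWebhook": {
        "alwaysInjectSelector": [],
        "enableNamespacesByDefault": false,
        "injectLabel": "istio-injection",
        "injectedAnnotations": {},
        "neverInjectSelector": [],
        "objectSelector": {
          "autoInject": true,
          "enabled": false
        }
      }
    }

  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
  # and istiod webhook functionality.
  #
  # New fields should not use Values - it is a 'primary' config object, users should be able
  # to fine tune it or use it with kube-inject.
  #
  # NOTE(review): injectedAnnotations is left as a bare (null) value here because no
  # annotations were configured; the injector presumably treats null as an empty map — confirm.
  config: |-
    policy: enabled
    alwaysInjectSelector:
      []
    neverInjectSelector:
      []
    injectedAnnotations:

    template: |
      rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
      initContainers:
      {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
      {{ if .Values.istio_cni.enabled -}}
      - name: istio-validation
      {{ else -}}
      - name: istio-init
      {{ end -}}
      {{- if contains "/" .Values.global.proxy_init.image }}
        image: "{{ .Values.global.proxy_init.image }}"
      {{- else }}
        image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
      {{- end }}
        args:
        - istio-iptables
        - "-p"
        - 15001
        - "-z"
        - "15006"
        - "-u"
        - 1337
        - "-m"
        - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
        - "-i"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
        - "-x"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
        - "-b"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
        - "-d"
        - "15090,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
        {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
        - "-o"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
        {{ end -}}
        {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
        - "-k"
        - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
        {{ end -}}
        {{ if .Values.istio_cni.enabled -}}
        - "--run-validation"
        - "--skip-rule-apply"
        {{ end -}}
        imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
      {{- if .Values.global.proxy_init.resources }}
        env:
        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
        - name: {{ $key }}
          value: "{{ $value }}"
        {{- end }}
        resources:
      {{ toYaml .Values.global.proxy_init.resources | indent 4 }}
      {{- else }}
        resources: {}
      {{- end }}
        # Without the CNI plugin this init container programs iptables itself, which is
        # why it runs as root with NET_ADMIN/NET_RAW. With the CNI plugin it only
        # validates the redirect (--run-validation --skip-rule-apply) and runs as 1337.
        securityContext:
          allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
          privileged: {{ .Values.global.proxy.privileged }}
          capabilities:
        {{- if not .Values.istio_cni.enabled }}
            add:
            - NET_ADMIN
            - NET_RAW
        {{- end }}
            drop:
            - ALL
        {{- if not .Values.istio_cni.enabled }}
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        {{- else }}
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsUser: 1337
          runAsNonRoot: true
        {{- end }}
        restartPolicy: Always
      {{ end -}}
      {{- if eq .Values.global.proxy.enableCoreDump true }}
      # Only rendered when proxy.enableCoreDump is true: a privileged SYS_ADMIN init
      # container that changes the node's kernel.core_pattern sysctl. Keep this off
      # outside of debugging; it also turns off readOnlyRootFilesystem on istio-proxy.
      - name: enable-core-dump
        args:
        - -c
        - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
        command:
          - /bin/sh
      {{- if contains "/" .Values.global.proxy_init.image }}
        image: "{{ .Values.global.proxy_init.image }}"
      {{- else }}
        image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
      {{- end }}
        imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
        resources: {}
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_ADMIN
            drop:
            - ALL
          privileged: true
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      {{ end }}
      containers:
      - name: istio-proxy
      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
      {{- else }}
        image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
      {{- end }}
        ports:
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        - --serviceCluster
        {{ if ne "" (index .ObjectMeta.Labels "app") -}}
        - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
        {{ else -}}
        - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
        {{ end -}}
        - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
        - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
      {{- if .Values.global.sts.servicePort }}
        - --stsPort={{ .Values.global.sts.servicePort }}
      {{- end }}
      {{- if .Values.global.trustDomain }}
        - --trust-domain={{ .Values.global.trustDomain }}
      {{- end }}
      {{- if .Values.global.logAsJson }}
        - --log_as_json
      {{- end }}
      {{- if .Values.global.proxy.lifecycle }}
        lifecycle:
      {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
      {{- end }}
        env:
        - name: JWT_POLICY
          value: {{ .Values.global.jwtPolicy }}
        - name: PILOT_CERT_PROVIDER
          value: {{ .Values.global.pilotCertProvider }}
        # Temp, pending PR to make it default or based on the istiodAddr env
        - name: CA_ADDR
        {{- if .Values.global.caAddress }}
          value: {{ .Values.global.caAddress }}
        {{- else }}
          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
        {{- end }}
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: MESH_CONFIG
          value: |
            {{ protoToJSON .MeshConfig }}
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
            {{- $first := true }}
            {{- range $index1, $c := .Spec.Containers }}
             {{- range $index2, $p := $c.Ports }}
              {{- if (structToJSON $p) }}
              {{if not $first}},{{end}}{{ structToJSON $p }}
              {{- $first = false }}
              {{- end }}
             {{- end}}
            {{- end}}
            ]
        - name: ISTIO_META_APP_CONTAINERS
          value: |-
            [
              {{- range $index, $container := .Spec.Containers }}
               {{- if ne $index 0}},{{- end}}
               {{ $container.Name }}
              {{- end}}
            ]
        - name: ISTIO_META_CLUSTER_ID
          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
        - name: ISTIO_META_INTERCEPTION_MODE
          value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
        {{- if .Values.global.network }}
        - name: ISTIO_META_NETWORK
          value: "{{ .Values.global.network }}"
        {{- end }}
        {{ if .ObjectMeta.Annotations }}
        - name: ISTIO_METAJSON_ANNOTATIONS
          value: |
            {{ toJSON .ObjectMeta.Annotations }}
        {{ end }}
        {{- if .DeploymentMeta.Name }}
        - name: ISTIO_META_WORKLOAD_NAME
          value: {{ .DeploymentMeta.Name }}
        {{ end }}
        {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
        {{- end}}
        {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
        - name: ISTIO_BOOTSTRAP_OVERRIDE
          value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
        {{- end }}
        {{- if .Values.global.meshID }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.meshID }}"
        {{- else if .Values.global.trustDomain }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.trustDomain }}"
        {{- end }}
        {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
        {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
        - name: {{ $key }}
          value: "{{ $value }}"
        {{- end }}
        {{- end }}
        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
        - name: {{ $key }}
          value: "{{ $value }}"
        {{- end }}
        imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
        {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 15090
          initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
          periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
          failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
        {{ end -}}
        # The sidecar runs as uid 1337 with all capabilities dropped unless the pod
        # asks for TPROXY interception (NET_ADMIN, root) or capNetBindService
        # (NET_BIND_SERVICE, root) via annotation; both come from the pod's own metadata.
        securityContext:
          allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
          capabilities:
            {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
            add:
            {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
            - NET_ADMIN
            {{- end }}
            {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
            - NET_BIND_SERVICE
            {{- end }}
            {{- end }}
            drop:
            - ALL
          privileged: {{ .Values.global.proxy.privileged }}
          readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
          runAsGroup: 1337
          fsGroup: 1337
          {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
          runAsNonRoot: false
          runAsUser: 0
          {{- else -}}
          runAsNonRoot: true
          runAsUser: 1337
          {{- end }}
        resources:
      {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
        {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
          requests:
            {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
            cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
            {{ end }}
            {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
            memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
            {{ end }}
        {{- end }}
        {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
          limits:
            {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
            cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
            {{ end }}
            {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
            memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
            {{ end }}
        {{- end }}
      {{- else }}
        {{- if .Values.global.proxy.resources }}
      {{ toYaml .Values.global.proxy.resources | indent 4 }}
        {{- end }}
      {{- end }}
        volumeMounts:
        {{- if eq .Values.global.pilotCertProvider "istiod" }}
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        {{- end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
        - mountPath: /etc/istio/custom-bootstrap
          name: custom-bootstrap-volume
        {{- end }}
        # SDS channel between istioagent and Envoy
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        {{- end }}
        {{- if .Values.global.mountMtlsCerts }}
        # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        {{- end }}
        - name: istio-podinfo
          mountPath: /etc/istio/pod
        {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
        - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
          name: lightstep-certs
          readOnly: true
        {{- end }}
        # NOTE(review): userVolumeMount (and userVolume below) are taken from the pod's
        # own annotations and rendered verbatim with toYaml; nothing here restricts what
        # they may contain, so admission policy on the resulting pod is the only control.
        {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
        {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
        - name: "{{ $index }}"
      {{ toYaml $value | indent 4 }}
        {{ end }}
        {{- end }}
      volumes:
      {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
      - name: custom-bootstrap-volume
        configMap:
          name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
      {{- end }}
      # SDS channel between istioagent and Envoy
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-podinfo
        downwardAPI:
          items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations
      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
      # Audience-bound, short-lived service-account token the agent presents to the CA.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
      {{- end }}
      {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
      {{- end }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
      - name: istio-certs
        secret:
          optional: true
          {{ if eq .Spec.ServiceAccountName "" }}
          secretName: istio.default
          {{ else -}}
          secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
          {{ end -}}
      {{- end }}
      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
      {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
      - name: "{{ $index }}"
      {{ toYaml $value | indent 2 }}
      {{ end }}
      {{ end }}
      {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
      - name: lightstep-certs
        secret:
          optional: true
          secretName: lightstep.cacert
      {{- end }}
      {{- if .Values.global.podDNSSearchNamespaces }}
      dnsConfig:
        searches:
          {{- range .Values.global.podDNSSearchNamespaces }}
          - {{ render . }}
          {{- end }}
      {{- end }}
      podRedirectAnnot:
      {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
        {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }}
        k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni"
        {{- else }}
        k8s.v1.cni.cncf.io/networks: "istio-cni"
        {{- end }}
      {{- end }}
        sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
        traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
        traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
        traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
        {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
        traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
        {{- end }}
        traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . }}
        {{- end }}
      {{- end }}
---
# Source: istio-discovery/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: default
    app: istiod
    istio: pilot
    release: istio-base
spec:
  ports:
  # NOTE(review): 15010 serves xDS without TLS; proxies rendered from this chart use
  # 15012 (mTLS). Keep 15010 reachable only from inside the cluster (NetworkPolicy)
  # if it must stay exposed at all.
  - port: 15010
    name: grpc-xds # plaintext
  - port: 15012
    name: https-dns # mTLS with k8s-signed cert
  - port: 443
    name: https-webhook # validation and injection
    targetPort: 15017
  - port: 15014
    name: http-monitoring # prometheus stats
  - name: dns
    port: 53
    targetPort: 15053
    protocol: UDP
  - name: dns-tls
    port: 853
    targetPort: 15053
    protocol: TCP
  selector:
    app: istiod
    # Label used by the 'default' service. For versioned deployments we match with app and version.
    # This avoids default deployment picking the canary
    istio: pilot
---

---
# Source: istio-discovery/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod
  namespace: istio-system
  labels:
    app: istiod
    istio.io/rev: default
    istio: pilot
    release: istio-base
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: istiod
        istio.io/rev: default
        istio: pilot
      annotations:
        # The control plane itself never gets a sidecar.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-pilot-service-account
      securityContext:
        fsGroup: 1337
      containers:
      - name: discovery
        # NOTE(review): unpinned "latest" tag from the istio-testing registry; pin a
        # release tag or digest for anything other than a test cluster.
        image: "gcr.io/istio-testing/pilot:latest"
        args:
        - "discovery"
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        - --trust-domain=cluster.local
        - --keepaliveMaxServerConnectionAge
        - "30m"
        ports:
        - containerPort: 8080
        - containerPort: 15010
        - containerPort: 15017
        - containerPort: 15053
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
          timeoutSeconds: 5
        env:
        - name: REVISION
          value: "default"
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        - name: PILOT_TRACE_SAMPLING
          value: "1"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
          value: "true"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
          value: "true"
        - name: INJECTION_WEBHOOK_CONFIG_NAME
          value: istio-sidecar-injector
        - name: ISTIOD_ADDR
          value: istiod.istio-system.svc:15012
        - name: PILOT_ENABLE_ANALYSIS
          value: "false"
        - name: CLUSTER_ID
          value: "Kubernetes"
        # NOTE(review): requests only, no limits; istiod memory grows with mesh size,
        # so set limits per environment if the namespace has no LimitRange.
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
        securityContext:
          runAsUser: 1337
          runAsGroup: 1337
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: config-volume
          mountPath: /etc/istio/config
        - name: istio-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
        - name: local-certs
          mountPath: /var/run/secrets/istio-dns
        - name: cacerts
          mountPath: /etc/cacerts
          readOnly: true
        - name: inject
          mountPath: /var/lib/istio/inject
          readOnly: true
      volumes:
      # Technically not needed on this pod - but it helps debugging/testing SDS
      # Should be removed after everything works.
      - emptyDir:
          medium: Memory
        name: local-certs
      # Audience-bound (istio-ca) service-account token, rotated by the kubelet; 43200s = 12h.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      # Optional: user-generated root
      - name: cacerts
        secret:
          secretName: cacerts
          optional: true
      # Optional - image should have
      - name: inject
        configMap:
          name: istio-sidecar-injector
          optional: true
      - name: config-volume
        configMap:
          name: istio
---

---
# Source: istio-discovery/templates/autoscale.yaml

# NOTE(review): autoscaling/v2beta1 is an older HPA API; newer clusters serve
# autoscaling/v2 (targetAverageUtilization becomes target.averageUtilization there).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istiod
  namespace: istio-system
  labels:
    app: istiod
    release: istio-base
    istio.io/rev: default
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istiod
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: 80
---
---
# Source: istio-discovery/templates/telemetryv2_1.4.yaml

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: metadata-exchange-1.4
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: ANY # inbound, outbound, and gateway
      proxy:
        proxyVersion: '^1\.4.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        config:
          config:
            configuration: envoy.wasm.metadata_exchange
            vm_config:
              runtime: envoy.wasm.runtime.null
              code:
                inline_string: envoy.wasm.metadata_exchange
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: stats-filter-1.4
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      proxy:
        proxyVersion: '^1\.4.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        config:
          config:
            root_id: stats_outbound
            # NOTE(review): the configuration JSON below (and the same block in every
            # stats patch in this file) ends with a trailing comma, which strict JSON
            # rejects; presumably the stats plugin's parser tolerates it — confirm before
            # changing the parser or the config.
            configuration: |
              {
                "debug": "false",
                "stat_prefix": "istio",
              }
            vm_config:
              vm_id: stats_outbound
              runtime: envoy.wasm.runtime.null
              code:
                inline_string: envoy.wasm.stats
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '^1\.4.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        config:
          config:
            root_id: stats_inbound
            configuration: |
              {
                "debug": "false",
                "stat_prefix": "istio",
              }
            vm_config:
              vm_id: stats_inbound
              runtime: envoy.wasm.runtime.null
              code:
                inline_string: envoy.wasm.stats
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      proxy:
        proxyVersion: '^1\.4.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        config:
          config:
            root_id: stats_outbound
            configuration: |
              {
                "debug": "false",
                "stat_prefix": "istio",
                "disable_host_header_fallback": true,
              }
            vm_config:
              vm_id: stats_outbound
              runtime: envoy.wasm.runtime.null
              code:
                inline_string: envoy.wasm.stats
---

---
# Source: istio-discovery/templates/telemetryv2_1.5.yaml

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: metadata-exchange-1.5
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: ANY # inbound, outbound, and gateway
      proxy:
        proxyVersion: '^1\.5.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm
          value:
            config:
              configuration: envoy.wasm.metadata_exchange
              vm_config:
                runtime: envoy.wasm.runtime.null
                code:
                  local:
                    inline_string: envoy.wasm.metadata_exchange
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tcp-metadata-exchange-1.5
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '^1\.5.*'
      listener: {}
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.metadata_exchange
        config:
          protocol: istio-peer-exchange
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
      proxy:
        proxyVersion: '^1\.5.*'
      cluster: {}
    patch:
      operation: MERGE
      value:
        filters:
        - name: envoy.filters.network.upstream.metadata_exchange
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
            value:
              protocol: istio-peer-exchange
  - applyTo: CLUSTER
    match:
      context: GATEWAY
      proxy:
        proxyVersion: '^1\.5.*'
      cluster: {}
    patch:
      operation: MERGE
      value:
        filters:
        - name: envoy.filters.network.upstream.metadata_exchange
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
            value:
              protocol: istio-peer-exchange
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: stats-filter-1.5
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      proxy:
        proxyVersion: '^1\.5.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm
          value:
            config:
              root_id: stats_outbound
              configuration: |
                {
                  "debug": "false",
                  "stat_prefix": "istio",
                }
              vm_config:
                vm_id: stats_outbound
                runtime: envoy.wasm.runtime.null
                code:
                  local:
                    inline_string: envoy.wasm.stats
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '^1\.5.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm
          value:
            config:
              root_id: stats_inbound
              configuration: |
                {
                  "debug": "false",
                  "stat_prefix": "istio",
                }
              vm_config:
                vm_id: stats_inbound
                runtime: envoy.wasm.runtime.null
                code:
                  local:
                    inline_string: envoy.wasm.stats
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      proxy:
        proxyVersion: '^1\.5.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm
          value:
            config:
              root_id: stats_outbound
              configuration: |
                {
                  "debug": "false",
                  "stat_prefix": "istio",
                  "disable_host_header_fallback": true,
                }
              vm_config:
                vm_id: stats_outbound
                runtime: envoy.wasm.runtime.null
                code:
                  local:
                    inline_string: envoy.wasm.stats
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tcp-stats-filter-1.5
  namespace: istio-system
  labels:
    istio.io/rev: default
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '^1\.5.*'
      # NOTE(review): this document is cut off at this point in the source excerpt;
      # the remainder of the match and the patch are not reproduced here.
      listener: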
1291 filterChain: 1292 filter: 1293 name: "envoy.tcp_proxy" 1294 patch: 1295 operation: INSERT_BEFORE 1296 value: 1297 name: envoy.filters.network.wasm 1298 typed_config: 1299 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1300 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1301 value: 1302 config: 1303 root_id: stats_inbound 1304 configuration: | 1305 { 1306 "debug": "false", 1307 "stat_prefix": "istio", 1308 } 1309 vm_config: 1310 vm_id: stats_inbound 1311 runtime: envoy.wasm.runtime.null 1312 code: 1313 local: 1314 inline_string: "envoy.wasm.stats" 1315 - applyTo: NETWORK_FILTER 1316 match: 1317 context: SIDECAR_OUTBOUND 1318 proxy: 1319 proxyVersion: '^1\.5.*' 1320 listener: 1321 filterChain: 1322 filter: 1323 name: "envoy.tcp_proxy" 1324 patch: 1325 operation: INSERT_BEFORE 1326 value: 1327 name: envoy.filters.network.wasm 1328 typed_config: 1329 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1330 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1331 value: 1332 config: 1333 root_id: stats_outbound 1334 configuration: | 1335 { 1336 "debug": "false", 1337 "stat_prefix": "istio", 1338 } 1339 vm_config: 1340 vm_id: stats_outbound 1341 runtime: envoy.wasm.runtime.null 1342 code: 1343 local: 1344 inline_string: "envoy.wasm.stats" 1345 - applyTo: NETWORK_FILTER 1346 match: 1347 context: GATEWAY 1348 proxy: 1349 proxyVersion: '^1\.5.*' 1350 listener: 1351 filterChain: 1352 filter: 1353 name: "envoy.tcp_proxy" 1354 patch: 1355 operation: INSERT_BEFORE 1356 value: 1357 name: envoy.filters.network.wasm 1358 typed_config: 1359 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1360 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1361 value: 1362 config: 1363 root_id: stats_outbound 1364 configuration: | 1365 { 1366 "debug": "false", 1367 "stat_prefix": "istio", 1368 } 1369 vm_config: 1370 vm_id: stats_outbound 1371 runtime: envoy.wasm.runtime.null 1372 code: 1373 local: 1374 
inline_string: "envoy.wasm.stats" 1375--- 1376 1377--- 1378# Source: istio-discovery/templates/telemetryv2_1.6.yaml 1379 1380apiVersion: networking.istio.io/v1alpha3 1381kind: EnvoyFilter 1382metadata: 1383 name: metadata-exchange-1.6 1384 namespace: istio-system 1385 labels: 1386 istio.io/rev: default 1387spec: 1388 configPatches: 1389 - applyTo: HTTP_FILTER 1390 match: 1391 context: ANY # inbound, outbound, and gateway 1392 proxy: 1393 proxyVersion: '^1\.6.*' 1394 listener: 1395 filterChain: 1396 filter: 1397 name: "envoy.http_connection_manager" 1398 patch: 1399 operation: INSERT_BEFORE 1400 value: 1401 name: istio.metadata_exchange 1402 typed_config: 1403 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1404 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1405 value: 1406 config: 1407 configuration: envoy.wasm.metadata_exchange 1408 vm_config: 1409 runtime: envoy.wasm.runtime.null 1410 code: 1411 local: 1412 inline_string: envoy.wasm.metadata_exchange 1413--- 1414apiVersion: networking.istio.io/v1alpha3 1415kind: EnvoyFilter 1416metadata: 1417 name: tcp-metadata-exchange-1.6 1418 namespace: istio-system 1419 labels: 1420 istio.io/rev: default 1421spec: 1422 configPatches: 1423 - applyTo: NETWORK_FILTER 1424 match: 1425 context: SIDECAR_INBOUND 1426 proxy: 1427 proxyVersion: '^1\.6.*' 1428 listener: {} 1429 patch: 1430 operation: INSERT_BEFORE 1431 value: 1432 name: istio.metadata_exchange 1433 typed_config: 1434 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1435 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1436 value: 1437 protocol: istio-peer-exchange 1438 - applyTo: CLUSTER 1439 match: 1440 context: SIDECAR_OUTBOUND 1441 proxy: 1442 proxyVersion: '^1\.6.*' 1443 cluster: {} 1444 patch: 1445 operation: MERGE 1446 value: 1447 filters: 1448 - name: istio.metadata_exchange 1449 typed_config: 1450 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1451 type_url: 
type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1452 value: 1453 protocol: istio-peer-exchange 1454 - applyTo: CLUSTER 1455 match: 1456 context: GATEWAY 1457 proxy: 1458 proxyVersion: '^1\.6.*' 1459 cluster: {} 1460 patch: 1461 operation: MERGE 1462 value: 1463 filters: 1464 - name: istio.metadata_exchange 1465 typed_config: 1466 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1467 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 1468 value: 1469 protocol: istio-peer-exchange 1470--- 1471apiVersion: networking.istio.io/v1alpha3 1472kind: EnvoyFilter 1473metadata: 1474 name: stats-filter-1.6 1475 namespace: istio-system 1476 labels: 1477 istio.io/rev: default 1478spec: 1479 configPatches: 1480 - applyTo: HTTP_FILTER 1481 match: 1482 context: SIDECAR_OUTBOUND 1483 proxy: 1484 proxyVersion: '^1\.6.*' 1485 listener: 1486 filterChain: 1487 filter: 1488 name: "envoy.http_connection_manager" 1489 subFilter: 1490 name: "envoy.router" 1491 patch: 1492 operation: INSERT_BEFORE 1493 value: 1494 name: istio.stats 1495 typed_config: 1496 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1497 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1498 value: 1499 config: 1500 root_id: stats_outbound 1501 configuration: | 1502 { 1503 "debug": "false", 1504 "stat_prefix": "istio", 1505 } 1506 vm_config: 1507 vm_id: stats_outbound 1508 runtime: envoy.wasm.runtime.null 1509 code: 1510 local: 1511 inline_string: envoy.wasm.stats 1512 - applyTo: HTTP_FILTER 1513 match: 1514 context: SIDECAR_INBOUND 1515 proxy: 1516 proxyVersion: '^1\.6.*' 1517 listener: 1518 filterChain: 1519 filter: 1520 name: "envoy.http_connection_manager" 1521 subFilter: 1522 name: "envoy.router" 1523 patch: 1524 operation: INSERT_BEFORE 1525 value: 1526 name: istio.stats 1527 typed_config: 1528 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1529 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1530 value: 1531 
config: 1532 root_id: stats_inbound 1533 configuration: | 1534 { 1535 "debug": "false", 1536 "stat_prefix": "istio", 1537 } 1538 vm_config: 1539 vm_id: stats_inbound 1540 runtime: envoy.wasm.runtime.null 1541 code: 1542 local: 1543 inline_string: envoy.wasm.stats 1544 - applyTo: HTTP_FILTER 1545 match: 1546 context: GATEWAY 1547 proxy: 1548 proxyVersion: '^1\.6.*' 1549 listener: 1550 filterChain: 1551 filter: 1552 name: "envoy.http_connection_manager" 1553 subFilter: 1554 name: "envoy.router" 1555 patch: 1556 operation: INSERT_BEFORE 1557 value: 1558 name: istio.stats 1559 typed_config: 1560 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1561 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 1562 value: 1563 config: 1564 root_id: stats_outbound 1565 configuration: | 1566 { 1567 "debug": "false", 1568 "stat_prefix": "istio", 1569 "disable_host_header_fallback": true, 1570 } 1571 vm_config: 1572 vm_id: stats_outbound 1573 runtime: envoy.wasm.runtime.null 1574 code: 1575 local: 1576 inline_string: envoy.wasm.stats 1577--- 1578apiVersion: networking.istio.io/v1alpha3 1579kind: EnvoyFilter 1580metadata: 1581 name: tcp-stats-filter-1.6 1582 namespace: istio-system 1583 labels: 1584 istio.io/rev: default 1585spec: 1586 configPatches: 1587 - applyTo: NETWORK_FILTER 1588 match: 1589 context: SIDECAR_INBOUND 1590 proxy: 1591 proxyVersion: '^1\.6.*' 1592 listener: 1593 filterChain: 1594 filter: 1595 name: "envoy.tcp_proxy" 1596 patch: 1597 operation: INSERT_BEFORE 1598 value: 1599 name: istio.stats 1600 typed_config: 1601 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1602 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1603 value: 1604 config: 1605 root_id: stats_inbound 1606 configuration: | 1607 { 1608 "debug": "false", 1609 "stat_prefix": "istio", 1610 } 1611 vm_config: 1612 vm_id: stats_inbound 1613 runtime: envoy.wasm.runtime.null 1614 code: 1615 local: 1616 inline_string: "envoy.wasm.stats" 1617 - applyTo: 
NETWORK_FILTER 1618 match: 1619 context: SIDECAR_OUTBOUND 1620 proxy: 1621 proxyVersion: '^1\.6.*' 1622 listener: 1623 filterChain: 1624 filter: 1625 name: "envoy.tcp_proxy" 1626 patch: 1627 operation: INSERT_BEFORE 1628 value: 1629 name: istio.stats 1630 typed_config: 1631 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1632 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1633 value: 1634 config: 1635 root_id: stats_outbound 1636 configuration: | 1637 { 1638 "debug": "false", 1639 "stat_prefix": "istio", 1640 } 1641 vm_config: 1642 vm_id: stats_outbound 1643 runtime: envoy.wasm.runtime.null 1644 code: 1645 local: 1646 inline_string: "envoy.wasm.stats" 1647 - applyTo: NETWORK_FILTER 1648 match: 1649 context: GATEWAY 1650 proxy: 1651 proxyVersion: '^1\.6.*' 1652 listener: 1653 filterChain: 1654 filter: 1655 name: "envoy.tcp_proxy" 1656 patch: 1657 operation: INSERT_BEFORE 1658 value: 1659 name: istio.stats 1660 typed_config: 1661 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 1662 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 1663 value: 1664 config: 1665 root_id: stats_outbound 1666 configuration: | 1667 { 1668 "debug": "false", 1669 "stat_prefix": "istio", 1670 } 1671 vm_config: 1672 vm_id: stats_outbound 1673 runtime: envoy.wasm.runtime.null 1674 code: 1675 local: 1676 inline_string: "envoy.wasm.stats" 1677--- 1678 1679--- 1680# Source: istio-discovery/templates/mutatingwebhook.yaml 1681# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) 1682apiVersion: admissionregistration.k8s.io/v1beta1 1683kind: MutatingWebhookConfiguration 1684metadata: 1685 name: istio-sidecar-injector 1686 1687 labels: 1688 istio.io/rev: default 1689 app: sidecar-injector 1690 release: istio-base 1691webhooks: 1692 - name: sidecar-injector.istio.io 1693 clientConfig: 1694 service: 1695 name: istiod 1696 namespace: istio-system 1697 path: "/inject" 1698 caBundle: "" 1699 rules: 1700 
- operations: [ "CREATE" ] 1701 apiGroups: [""] 1702 apiVersions: ["v1"] 1703 resources: ["pods"] 1704 failurePolicy: Fail 1705 namespaceSelector: 1706 matchLabels: 1707 istio-injection: enabled 1708 1709--- 1710# Source: istio-discovery/templates/configmap-jwks.yaml 1711 1712 1713