# Istio sidecar injection template, rendered per pod by the injector.
# Go-template inputs: .Values.* are mesh-wide defaults; .ObjectMeta, .Spec,
# .TypeMeta and .DeploymentMeta describe the workload being injected;
# .ProxyConfig is the proxy configuration. The `annotation .ObjectMeta KEY DEFAULT`
# helper appears to yield the pod's annotation when set and DEFAULT otherwise
# (ISTIO_META_INTERCEPTION_MODE below spells the same fallback out with `or`),
# so most settings here can be overridden per pod through annotations.
template: |
  # Injector-level flag rather than a pod field; defaults to false.
  rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
  initContainers:
  # Traffic-redirect init container; skipped entirely when the interception
  # mode resolves to NONE.
  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
  # With istio_cni enabled the container only validates the redirect rules
  # (--run-validation / --skip-rule-apply below) and runs as non-root without
  # NET_ADMIN/NET_RAW; without CNI, istio-init applies the rules itself and
  # runs as root with NET_ADMIN and NET_RAW (see its securityContext).
  {{ if .Values.istio_cni.enabled -}}
  - name: istio-validation
  {{ else -}}
  - name: istio-init
  {{ end -}}
  {{- if contains "/" .Values.global.proxy_init.image }}
    image: "{{ .Values.global.proxy_init.image }}"
  {{- else }}
    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
  {{- end }}
    # istio-iptables arguments: -p/-z are the outbound/inbound redirect ports
    # (15001/15006), -u the proxy's own UID (1337, the sidecar's runAsUser
    # below), -m the interception mode, -i/-x/-b the include/exclude outbound
    # IP ranges and the include inbound ports, -d the inbound ports kept out of
    # redirection: the Envoy prometheus port (15090) and the status port
    # (15021, used by the readinessProbe) plus any configured
    # excludeInboundPorts. Each can be overridden per pod by the matching
    # traffic.sidecar.istio.io/* annotation.
    # NOTE(review): 15001 and 1337 are unquoted while "15006" is quoted; args
    # are strings in the container spec, so this relies on the consumer
    # coercing the numbers — quoting all three consistently would be safer.
    args:
    - istio-iptables
    - "-p"
    - 15001
    - "-z"
    - "15006"
    - "-u"
    - 1337
    - "-m"
    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
    - "-i"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
    - "-x"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
    - "-b"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
    - "-d"
  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
  {{- else }}
    - "15090,15021"
  {{- end }}
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
    - "-o"
    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
    {{ end -}}
    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
    - "-k"
    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
    {{ end -}}
    {{ if .Values.istio_cni.enabled -}}
    - "--run-validation"
    - "--skip-rule-apply"
    {{ end -}}
    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
  {{- if .Values.global.proxy_init.resources }}
    # NOTE(review): the ProxyMetadata env entries are emitted only inside this
    # proxy_init.resources branch, so with no resources configured the init
    # container gets no env at all — confirm that coupling is intended.
    env:
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    resources:
  {{ toYaml .Values.global.proxy_init.resources | indent 4 }}
  {{- else }}
    resources: {}
  {{- end }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
  {{- if not .Values.istio_cni.enabled }}
        # Needed to apply the iptables rules (istio-init path only).
        add:
        - NET_ADMIN
        - NET_RAW
  {{- end }}
        drop:
        - ALL
  {{- if not .Values.istio_cni.enabled }}
      # Rule application: root with a writable root filesystem.
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  {{- else }}
      # Validation only: non-root on a read-only root filesystem.
      readOnlyRootFilesystem: true
      runAsGroup: 1337
      runAsUser: 1337
      runAsNonRoot: true
  {{- end }}
    # NOTE(review): restartPolicy is set on the init container entry itself;
    # only decoders that know the sidecar-container field keep it, others drop
    # it silently — confirm this is intended rather than a leftover.
    restartPolicy: Always
  {{ end -}}
  {{- if eq .Values.global.proxy.enableCoreDump true }}
  # Opt-in (global.proxy.enableCoreDump) privileged, root, SYS_ADMIN container
  # that sets kernel.core_pattern and lifts the core-size ulimit.
  # kernel.core_pattern is a node-wide kernel setting, not namespaced per pod,
  # so this changes where core files land for every process on the node.
  - name: enable-core-dump
    args:
    - -c
    - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
    command:
    - /bin/sh
  {{- if contains "/" .Values.global.proxy_init.image }}
    image: "{{ .Values.global.proxy_init.image }}"
  {{- else }}
    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
  {{- end }}
    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - SYS_ADMIN
        drop:
        - ALL
      privileged: true
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  {{ end }}
  containers:
  - name: istio-proxy
  # sidecar.istio.io/proxyImage lets a pod override the proxy image.
  # NOTE(review): the override is honoured only when it contains a "/" (taken
  # as a full image reference); a bare image name in the annotation is dropped
  # and hub/global.proxy.image:tag is used instead.
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
  {{- else }}
    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
  {{- end }}
    ports:
    # Envoy prometheus endpoint; 15090 is also kept out of inbound redirection
    # by the -d argument above.
    - containerPort: 15090
      protocol: TCP
      name: http-envoy-prom
    args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    # --serviceCluster is "<app label>.<namespace>", falling back to the owning
    # workload's name and namespace when the app label is missing.
    - --serviceCluster
    {{ if ne "" (index .ObjectMeta.Labels "app") -}}
    - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
    {{ else -}}
    - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
    {{ end -}}
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
  {{- if .Values.global.sts.servicePort }}
    - --stsPort={{ .Values.global.sts.servicePort }}
  {{- end }}
  {{- if .Values.global.trustDomain }}
    - --trust-domain={{ .Values.global.trustDomain }}
  {{- end }}
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
  {{- if gt .ProxyConfig.Concurrency 0 }}
    - --concurrency
    - "{{ .ProxyConfig.Concurrency }}"
  {{- end -}}
  {{- if .Values.global.proxy.lifecycle }}
    lifecycle:
  {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
  {{- end }}
    env:
    # JWT_POLICY selects the token volume below (third-party-jwt mounts the
    # projected istio-token); PILOT_CERT_PROVIDER=istiod mounts the
    # istiod-ca-cert ConfigMap.
    - name: JWT_POLICY
      value: {{ .Values.global.jwtPolicy }}
    - name: PILOT_CERT_PROVIDER
      value: {{ .Values.global.pilotCertProvider }}
    # Temp, pending PR to make it default or based on the istiodAddr env
    # Defaults to the (revision-suffixed) istiod service in istioNamespace on
    # port 15012.
    - name: CA_ADDR
    {{- if .Values.global.caAddress }}
      value: {{ .Values.global.caAddress }}
    {{- else }}
      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
    {{- end }}
    # Pod identity and placement from the downward API.
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: CANONICAL_SERVICE
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-name']
    - name: CANONICAL_REVISION
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-revision']
    # Full ProxyConfig serialised as JSON.
    - name: PROXY_CONFIG
      value: |
        {{ protoToJSON .ProxyConfig }}
    # JSON array of every declared containerPort across the pod's containers;
    # $first tracks the comma separator. The entries live inside a block
    # scalar, so no YAML comments may be placed between "[" and "]".
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
        {{- $first := true }}
        {{- range $index1, $c := .Spec.Containers }}
        {{- range $index2, $p := $c.Ports }}
        {{- if (structToJSON $p) }}
        {{if not $first}},{{end}}{{ structToJSON $p }}
        {{- $first = false }}
        {{- end }}
        {{- end}}
        {{- end}}
        ]
    # Comma-separated list of the pod's container names (rendered one per
    # line, unquoted, inside the brackets).
    - name: ISTIO_META_APP_CONTAINERS
      value: |-
        [
        {{- range $index, $container := .Spec.Containers }}
        {{- if ne $index 0}},{{- end}}
        {{ $container.Name }}
        {{- end}}
        ]
    - name: ISTIO_META_CLUSTER_ID
      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
    - name: ISTIO_META_INTERCEPTION_MODE
      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
  {{- if .Values.global.network }}
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
  {{- end }}
    # Every pod annotation is serialised into the proxy's environment; anything
    # placed in annotations is therefore readable from inside the sidecar.
    {{ if .ObjectMeta.Annotations }}
    - name: ISTIO_METAJSON_ANNOTATIONS
      value: |
        {{ toJSON .ObjectMeta.Annotations }}
    {{ end }}
  {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: {{ .DeploymentMeta.Name }}
    {{ end }}
  {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
    # Owner reference in kubernetes://apis/<apiVersion>/namespaces/<ns>/<kind>s/<name> form.
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
  {{- end}}
  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
    # Custom Envoy bootstrap, mounted from the ConfigMap named by the
    # annotation (see custom-bootstrap-volume below).
    - name: ISTIO_BOOTSTRAP_OVERRIDE
      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
  {{- end }}
  {{- if .Values.global.meshID }}
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.meshID }}"
  {{- else if .Values.global.trustDomain }}
    # Mesh ID falls back to the trust domain when meshID is not set.
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.trustDomain }}"
  {{- end }}
  {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
    # Datadog tracer: the apm.datadoghq.com/env annotation is a JSON object
    # whose keys/values become extra env vars on the proxy.
  {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
    - name: {{ $key }}
      value: "{{ $value }}"
  {{- end }}
  {{- end }}
  {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
  {{- end }}
    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
    # Readiness probe against the agent's status port (15021); omitted entirely
    # when the status port resolves to 0. Delay/period/threshold can be set per
    # pod via the readiness.status.sidecar.istio.io/* annotations.
    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
    readinessProbe:
      httpGet:
        path: /healthz/ready
        port: 15021
      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
    {{ end -}}
    # The sidecar runs as UID/GID 1337 with every capability dropped. TPROXY
    # interception adds NET_ADMIN and capNetBindService adds NET_BIND_SERVICE;
    # either of those also switches the container to run as root.
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      capabilities:
        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
        add:
        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
        - NET_ADMIN
        {{- end }}
        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
        - NET_BIND_SERVICE
        {{- end }}
        {{- end }}
        drop:
        - ALL
      privileged: {{ .Values.global.proxy.privileged }}
      # Root filesystem is writable only while core dumps are enabled.
      readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
      runAsGroup: 1337
      # NOTE(review): fsGroup is a pod-level securityContext field, not a
      # container-level one, so here it is most likely dropped by the decoder
      # (or rejected by a strict one) — confirm and move it to the pod spec or
      # remove it.
      fsGroup: 1337
      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
      runAsNonRoot: false
      runAsUser: 0
      {{- else -}}
      runAsNonRoot: true
      runAsUser: 1337
      {{- end }}
    # Per-pod resource annotations (sidecar.istio.io/proxyCPU, proxyMemory,
    # proxyCPULimit, proxyMemoryLimit) take precedence over
    # global.proxy.resources; the two are not merged.
    resources:
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
      requests:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
        {{ end }}
  {{- end }}
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
      limits:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
        {{ end }}
  {{- end }}
  {{- else }}
  {{- if .Values.global.proxy.resources }}
  {{ toYaml .Values.global.proxy.resources | indent 4 }}
  {{- end }}
  {{- end }}
    volumeMounts:
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
    # Root CA distributed by istiod via the istio-ca-root-cert ConfigMap.
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
  {{- end }}
    # Writable scratch space; also where enable-core-dump points core files.
    - mountPath: /var/lib/istio/data
      name: istio-data
    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
    - mountPath: /etc/istio/custom-bootstrap
      name: custom-bootstrap-volume
    {{- end }}
    # SDS channel between istioagent and Envoy
    - mountPath: /etc/istio/proxy
      name: istio-envoy
  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
    # Projected service-account token (see the istio-token volume).
    - mountPath: /var/run/secrets/tokens
      name: istio-token
  {{- end }}
  {{- if .Values.global.mountMtlsCerts }}
    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
    - mountPath: /etc/certs/
      name: istio-certs
      readOnly: true
  {{- end }}
    # Pod labels and annotations as files (downward API).
    - name: istio-podinfo
      mountPath: /etc/istio/pod
  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
      name: lightstep-certs
      readOnly: true
  {{- end }}
  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
    # Extra mounts declared by the pod author as a JSON object in the
    # sidecar.istio.io/userVolumeMount annotation (name -> mount fields);
    # copied verbatim, so they are constrained only by admission policy.
    {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
    - name: "{{ $index }}"
  {{ toYaml $value | indent 4 }}
    {{ end }}
  {{- end }}
  volumes:
  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
  # ConfigMap holding the custom bootstrap; its name comes straight from the
  # annotation.
  - name: custom-bootstrap-volume
    configMap:
      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
  {{- end }}
  # SDS channel between istioagent and Envoy
  # Memory-backed emptyDir, so the agent/Envoy socket never touches node disk.
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - name: istio-data
    emptyDir: {}
  # Downward API: pod labels and annotations exposed as files under
  # /etc/istio/pod.
  - name: istio-podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
  # Audience-scoped projected service-account token, valid for 43200s (12h);
  # the audience comes from global.sds.token.aud.
  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
  {{- end }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if .Values.global.mountMtlsCerts }}
  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
  # Secret istio.<serviceAccountName> (istio.default when no SA is set); marked
  # optional so the pod still starts when the secret does not exist.
  - name: istio-certs
    secret:
      optional: true
      {{ if eq .Spec.ServiceAccountName "" }}
      secretName: istio.default
      {{ else -}}
      secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
      {{ end -}}
  {{- end }}
  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
  # Extra volumes declared by the pod author as a JSON object in the
  # sidecar.istio.io/userVolume annotation (name -> volume fields); copied
  # verbatim, so the allowed volume types are whatever admission policy permits.
  {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
  - name: "{{ $index }}"
  {{ toYaml $value | indent 2 }}
  {{ end }}
  {{ end }}
  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
  - name: lightstep-certs
    secret:
      optional: true
      secretName: lightstep.cacert
  {{- end }}
  {{- if .Values.global.podDNSSearchNamespaces }}
  dnsConfig:
    searches:
    {{- range .Values.global.podDNSSearchNamespaces }}
    - {{ render . }}
    {{- end }}
  {{- end }}
  # Effective redirect settings, presumably written back onto the pod as
  # annotations so the values actually applied are recorded on the object.
  podRedirectAnnot:
  {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
    # Unchained CNI: request the istio-cni network, appending to any networks
    # the pod already asks for.
    {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }}
    k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni"
    {{- else }}
    k8s.v1.cni.cncf.io/networks: "istio-cni"
    {{- end }}
  {{- end }}
    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
    traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
    # Note the default here is the declared container ports, whereas the -b
    # argument above defaults to `*`.
    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
    # NOTE(review): this guard compares global.proxy.excludeOutboundPorts to ""
    # directly, whereas the -o argument above wraps it in valueOrDefault first;
    # if the value can be unset the two can diverge — confirm, or align them.
    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
    {{- end }}
    # NOTE(review): emitted unconditionally (empty when the annotation is
    # absent), unlike the -k argument above, which is guarded with isset.
    traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
  {{- if .Values.global.imagePullSecrets }}
  imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  {{- end }}