# Excerpt of the istio-sidecar-injector configuration. The number at the start of
# each line is the original file's line number; gaps mean lines are not shown here.
# The directive below switches off four yamllint rules for the file.
1 # yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length
# Object name, namespace and an `istio` label value. The enclosing keys
# (kind, metadata, labels) are on lines not shown in this excerpt.
5 name: istio-sidecar-injector
6 namespace: istio-system
12 istio: sidecar-injector
# Injector option, left disabled here.
17 rewriteAppHTTPProbe: false
# Init-image section. It is rendered only when the effective interception mode
# (pod annotation `sidecar.istio.io/interceptionMode`, else the mesh ProxyConfig
# value) is not "NONE". The matching `[[ end ]]` is not shown in this excerpt.
19 [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
# NOTE(review): the image is referenced by tag, not by digest. With the
# IfNotPresent pull policy further down, a node reuses whatever it already has
# cached under this tag. Pin as repo@sha256:<digest> if image provenance matters.
21 image: "iecedge/proxy_init-arm64:1.2.3"
# List items that follow the image line (presumably its args; the `args:` key and
# the flag names preceding each value are on lines not shown).
# Proxy listen port from the mesh config, then the interception mode.
24 - [[ .MeshConfig.ProxyListenPort ]]
28 - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
# Outbound IP ranges to include (default "*") and to exclude (default ""), each
# overridable by a pod annotation.
# NOTE(review): these ranges come from the pod's own annotations, so whoever
# writes the pod spec decides what is captured. Do not treat sidecar capture as
# an egress control; enforce egress with something the workload cannot edit.
30 - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]"
32 - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]"
# Inbound ports to include: annotation value, else a list computed from the
# pod's containers by the includeInboundPorts helper.
34 - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
# Inbound ports to exclude: combines the status port (default 15020) with the
# excludeInboundPorts annotation (default "") via the excludeInboundPort helper.
36 - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]"
# Extra item emitted only when the kubevirtInterfaces annotation is present.
37 [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
39 - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
# A locally cached image is used when present; see the tag-pinning note above.
41 imagePullPolicy: IfNotPresent
# Proxy image: the pod annotation `sidecar.istio.io/proxyImage` if set, else the
# tagged default.
# NOTE(review): the annotation is pod-controlled, so the pod author selects the
# image that runs as the sidecar. If that is not intended, restrict allowed
# registries/images with an admission policy. The default is a tag, not a digest.
# NOTE(review): the rendered value is unquoted, so the YAML parser sees the
# annotation text as-is.
59 image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "iecedge/proxyv2-arm64:1.2.3" ]]
61 - containerPort: 15090
# The remaining list items look like the proxy's command-line arguments; most of
# the flag names are on lines not shown in this excerpt.
# Uses the POD_NAMESPACE environment variable expansion.
68 - $(POD_NAMESPACE).svc.cluster.local
# Config and binary paths from the mesh ProxyConfig.
70 - [[ .ProxyConfig.ConfigPath ]]
72 - [[ .ProxyConfig.BinaryPath ]]
# When the pod has a non-empty `app` label the value is "<app>.<pod namespace>".
# The next item (deployment name/namespace with defaults "istio-proxy" and
# "default") is presumably the else branch; the `[[ else ]]` line is not shown.
74 [[ if ne "" (index .ObjectMeta.Labels "app") -]]
75 - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE)
77 - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]]
# Drain and parent-shutdown durations, formatted from the mesh ProxyConfig.
80 - [[ formatDuration .ProxyConfig.DrainDuration ]]
81 - --parentShutdownDuration
82 - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
# Discovery address: pod annotation if set, else the mesh ProxyConfig value.
# NOTE(review): a pod annotation can point the proxy at a different discovery
# address. Confirm this override is acceptable for workloads in this mesh.
84 - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]
# Zipkin tracing address, connect timeout and proxy admin port from ProxyConfig.
86 - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]
88 - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
90 - [[ .ProxyConfig.ProxyAdminPort ]]
# Concurrency is passed only when the configured value is greater than 0.
91 [[ if gt .ProxyConfig.Concurrency 0 -]]
93 - [[ .ProxyConfig.Concurrency ]]
# Control-plane auth policy: pod annotation if set, else the ProxyConfig value.
# NOTE(review): the pod chooses the policy used toward the control plane through
# this annotation. Verify that the control plane enforces the intended policy
# itself and does not rely on this flag. Accepted values are not visible here.
95 - --controlPlaneAuthPolicy
96 - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]
# Status port (default 15020) and application ports are emitted only when the
# status port is not "0". Application ports default to a list computed from the
# pod's containers by the applicationPorts helper.
97 [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
99 - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
101 - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]"
# Environment entries. The fieldPath lines read pod fields (name, namespace, pod
# IP); the keys wrapping them and some `- name:` lines are not shown here.
107 fieldPath: metadata.name
108 - name: POD_NAMESPACE
111 fieldPath: metadata.namespace
115 fieldPath: status.podIP
117 - name: ISTIO_META_POD_NAME
120 fieldPath: metadata.name
121 - name: ISTIO_META_CONFIG_NAMESPACE
124 fieldPath: metadata.namespace
# Interception mode: the pod annotation if present, else the ProxyConfig value.
# NOTE(review): the rendered value is unquoted, so the YAML parser sees the
# annotation text as-is. Quoting it, as the cpu/memory values in this template
# are quoted, would keep it a plain string.
125 - name: ISTIO_META_INTERCEPTION_MODE
126 value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
# When the pod has annotations, all of them are serialised to JSON under
# ISTIO_METAJSON_ANNOTATIONS. Labels get the same treatment under
# ISTIO_METAJSON_LABELS. The `value:` keys and `[[ end ]]` lines are not shown.
# NOTE(review): every annotation is copied into the container environment, so
# anything sensitive stored in pod annotations becomes readable there too.
127 [[ if .ObjectMeta.Annotations ]]
128 - name: ISTIO_METAJSON_ANNOTATIONS
130 [[ toJSON .ObjectMeta.Annotations ]]
132 [[ if .ObjectMeta.Labels ]]
133 - name: ISTIO_METAJSON_LABELS
135 [[ toJSON .ObjectMeta.Labels ]]
# Set only when the pod carries the bootstrapOverride annotation. The variable
# holds a fixed path under /etc/istio/custom-bootstrap.
# NOTE(review): this annotation lets the pod author substitute the proxy's
# bootstrap file. Review who is allowed to set it.
137 [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
138 - name: ISTIO_BOOTSTRAP_OVERRIDE
139 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
# A locally cached image is used when present.
141 imagePullPolicy: IfNotPresent
# Probe settings, rendered only when the status port is not "0". Going by the
# annotation names this is presumably the readiness probe; its enclosing keys
# are not shown. Port defaults to 15020. The delay, period and failure threshold
# default to 1, 2 and 30 and are each overridable by a pod annotation.
142 [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
146 port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
147 initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]]
148 periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]]
149 failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]]
# The probe conditional closes on the same line that opens securityContext.
# The root filesystem is mounted read-only.
150 [[ end -]]securityContext:
151 readOnlyRootFilesystem: true
# Branch taken when the effective interception mode is "TPROXY". Its body
# (original lines 153-161) is not shown in this excerpt.
# NOTE(review): check which capabilities and user/group settings that branch and
# its alternative grant, since they determine the sidecar's privileges.
152 [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]]
# cpu and memory values are taken from the proxyCPU / proxyMemory annotations
# when those are set, and are rendered as quoted strings. What is used when
# neither annotation is present is not visible here.
162 [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
164 [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]
165 cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]"
167 [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
168 memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]"
# Mount entries (the `volumeMounts:` key is not shown).
# The custom bootstrap volume is mounted only when the bootstrapOverride
# annotation is present on the pod.
180 [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
181 - mountPath: /etc/istio/custom-bootstrap
182 name: custom-bootstrap-volume
# Proxy config directory and certificate directory; the volume names and any
# readOnly flags are on lines not shown.
184 - mountPath: /etc/istio/proxy
186 - mountPath: /etc/certs/
# The userVolumeMount annotation is parsed as JSON. Each key becomes a mount
# name and each value is rendered into the mount entry with toYaml.
# NOTE(review): the template places no limit on these entries, as far as this
# excerpt shows. Any restriction on what the sidecar may mount has to come from
# admission or pod-security policy applied to the final pod.
189 [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]
190 [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]
191 - name: "[[ $index ]]"
192 [[ toYaml $value | indent 4 ]]
# Mount of the dikastes socket directory. It appears before the dikastes image
# line; which container's mount list it belongs to is not visible here.
195 - mountPath: /var/run/dikastes
# Additional container running the Calico dikastes image.
# NOTE(review): the image is referenced by tag, not by digest. Pin as
# repo@sha256:<digest> if provenance matters. This container's securityContext,
# if it has one, is not shown in this excerpt and should be confirmed.
198 image: calico/dikastes:v3.3.6
# Runs `/dikastes server`. The `-l` value is a Unix socket under
# /var/run/dikastes and the `-d` value is a socket under /var/run/felix.
199 args: ["/dikastes", "server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"]
# Two probe delays of 3 seconds (presumably liveness and readiness; the probe
# keys are on lines not shown).
205 initialDelaySeconds: 3
212 initialDelaySeconds: 3
# Mounts for the two socket directories used in the args above.
215 - mountPath: /var/run/dikastes
217 - mountPath: /var/run/felix
# Volume definitions (the `volumes:` key is not shown).
# custom-bootstrap-volume exists only when the bootstrapOverride annotation is
# set. The annotation's value (default empty) names the source object, whose
# type is on a line not shown in this excerpt.
220 [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
221 - name: custom-bootstrap-volume
223 name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]
# Secret name: "istio.default" when the pod has no service account name, else
# "istio.<serviceAccountName>". The `[[ else ]]` line is not shown.
231 [[ if eq .Spec.ServiceAccountName "" -]]
232 secretName: istio.default
234 secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
# The userVolume annotation is parsed as JSON. Each key becomes a volume name
# and each value is rendered as the volume definition with toYaml.
# NOTE(review): the volume type is not constrained by this template, as far as
# this excerpt shows. Limits on volume sources (for example host paths) must be
# enforced by admission or pod-security policy on the resulting pod.
236 [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]
237 [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]
238 - name: "[[ $index ]]"
239 [[ toYaml $value | indent 2 ]]
# Socket volume for dikastes, followed by a volume using the `nodeagent/uds`
# driver. The intervening lines (volume kinds and the second name) are not shown.
242 - name: dikastes-sock
247 driver: nodeagent/uds