Enable Istio on IEC type2
# yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length
#
# src/foundation/service_mesh/Istio/istio-inject-configmap-1.1.7.yaml
#
# Sidecar-injector configuration for Istio on IEC (arm64 images). The `config`
# value below is itself YAML consumed by the istio-sidecar-injector webhook:
# `policy` sets the default injection behaviour and `template` is a Go template
# (delimited with `[[ ]]`, not `{{ }}`) rendered per pod to produce the
# injected initContainers, containers and volumes. Everything inside the block
# scalar is data: keep its indentation and the `-]]` / `[[-` whitespace
# trimming exactly as written, since both end up in the rendered pod spec.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Tiller  # presumably captured from a Helm 2 chart render — confirm
    release: istio
    istio: sidecar-injector
data:
  # Security-relevant points in the template, for anyone reviewing changes:
  # - istio-init is granted NET_ADMIN and runs as uid 0 (runAsUser: 0,
  #   runAsNonRoot: false). istio-proxy runs as uid 1337 with a read-only root
  #   filesystem, except in TPROXY interception mode where it gets NET_ADMIN
  #   and runAsGroup 1337 instead of runAsUser.
  # - The proxy image, a bootstrap override, and extra volumes/volumeMounts are
  #   all read from pod annotations (sidecar.istio.io/proxyImage,
  #   bootstrapOverride, userVolume, userVolumeMount; the last two are rendered
  #   with toYaml straight from the annotation JSON). Whoever can set those
  #   annotations on a workload therefore controls what runs beside it; gate
  #   that with RBAC and admission policy rather than trusting the annotation.
  # - Images are pinned by tag (1.2.3 for the iecedge images,
  #   calico/dikastes:v3.3.6), not by digest. Note the 1.2.3 tags versus the
  #   1.1.7 in this file's name — confirm which Istio release this template is
  #   meant to track.
  # - istio-certs is mounted from secret istio.<serviceAccountName>
  #   (istio.default when the pod has no service account) and is marked
  #   optional: true, so a missing cert secret does not stop the pod.
  # - The dikastes sidecar and the felix-sync flexVolume (driver nodeagent/uds)
  #   are IEC additions over the upstream Istio template, presumably for Calico
  #   application-layer policy — confirm against the IEC design documents.
  config: |-
    policy: enabled
    template: |-
      rewriteAppHTTPProbe: false
      initContainers:
      [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
      - name: istio-init
        image: "iecedge/proxy_init-arm64:1.2.3"
        args:
        - "-p"
        - [[ .MeshConfig.ProxyListenPort ]]
        - "-u"
        - 1337
        - "-m"
        - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
        - "-i"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges`  "*"  ]]"
        - "-x"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges`  ""  ]]"
        - "-b"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
        - "-d"
        - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port`  15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts`  "" ) ]]"
        [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
        - "-k"
        - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
        [[ end -]]
        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 10m
            memory: 10Mi
          limits:
            cpu: 100m
            memory: 50Mi
        securityContext:
          runAsUser: 0
          runAsNonRoot: false
          capabilities:
            add:
            - NET_ADMIN
        restartPolicy: Always
      [[ end -]]
      containers:
      - name: istio-proxy
        image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage`  "iecedge/proxyv2-arm64:1.2.3"  ]]
        ports:
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --configPath
        - [[ .ProxyConfig.ConfigPath ]]
        - --binaryPath
        - [[ .ProxyConfig.BinaryPath ]]
        - --serviceCluster
        [[ if ne "" (index .ObjectMeta.Labels "app") -]]
        - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE)
        [[ else -]]
        - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]]
        [[ end -]]
        - --drainDuration
        - [[ formatDuration .ProxyConfig.DrainDuration ]]
        - --parentShutdownDuration
        - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
        - --discoveryAddress
        - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]
        - --zipkinAddress
        - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]
        - --connectTimeout
        - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
        - --proxyAdminPort
        - [[ .ProxyConfig.ProxyAdminPort ]]
        [[ if gt .ProxyConfig.Concurrency 0 -]]
        - --concurrency
        - [[ .ProxyConfig.Concurrency ]]
        [[ end -]]
        - --controlPlaneAuthPolicy
        - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]
      [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port`  15020 ) "0") ]]
        - --statusPort
        - [[ annotation .ObjectMeta `status.sidecar.istio.io/port`  15020  ]]
        - --applicationPorts
        - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]"
      [[- end ]]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP

        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: ISTIO_META_INTERCEPTION_MODE
          value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
        [[ if .ObjectMeta.Annotations ]]
        - name: ISTIO_METAJSON_ANNOTATIONS
          value: |
                 [[ toJSON .ObjectMeta.Annotations ]]
        [[ end ]]
        [[ if .ObjectMeta.Labels ]]
        - name: ISTIO_METAJSON_LABELS
          value: |
                 [[ toJSON .ObjectMeta.Labels ]]
        [[ end ]]
        [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
        - name: ISTIO_BOOTSTRAP_OVERRIDE
          value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
        [[- end ]]
        imagePullPolicy: IfNotPresent
        [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port`  15020 ) "0") ]]
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port`  15020  ]]
          initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds`  1  ]]
          periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds`  2  ]]
          failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold`  30  ]]
        [[ end -]]securityContext:
          readOnlyRootFilesystem: true
          [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]]
          capabilities:
            add:
            - NET_ADMIN
          runAsGroup: 1337
          [[ else -]]

          runAsUser: 1337
          [[- end ]]
        resources:
          [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
          requests:
            [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]
            cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]"
            [[ end ]]
            [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
            memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]"
            [[ end ]]
        [[ else -]]
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi

        [[ end -]]
        volumeMounts:
        [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
        - mountPath: /etc/istio/custom-bootstrap
          name: custom-bootstrap-volume
        [[- end ]]
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
          [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]
          [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]
        - name: "[[ $index ]]"
          [[ toYaml $value | indent 4 ]]
          [[ end ]]
          [[- end ]]
        - mountPath: /var/run/dikastes
          name: dikastes-sock
      - name: dikastes
        image: calico/dikastes:v3.3.6
        args: ["/dikastes", "server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"]
        livenessProbe:
          exec:
            command:
            - /healthz
            - liveness
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          exec:
            command:
            - /healthz
            - readiness
          initialDelaySeconds: 3
          periodSeconds: 3
        volumeMounts:
        - mountPath: /var/run/dikastes
          name: dikastes-sock
        - mountPath: /var/run/felix
          name: felix-sync
      volumes:
      [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
      - name: custom-bootstrap-volume
        configMap:
          name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]
      [[- end ]]
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          [[ if eq .Spec.ServiceAccountName "" -]]
          secretName: istio.default
          [[ else -]]
          secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
          [[ end -]]
        [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]
        [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]
      - name: "[[ $index ]]"
        [[ toYaml $value | indent 2 ]]
        [[ end ]]
        [[ end ]]
      - name: dikastes-sock
        emptyDir:
          medium: Memory
      - name: felix-sync
        flexVolume:
          driver: nodeagent/uds