# yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Tiller
    release: istio
    istio: sidecar-injector
# `config` is the injector's own configuration; `template` inside it is the
# Go template (delimited with `[[ ]]` so it survives Helm's `{{ }}` pass) that
# is rendered into the injected pod spec. Everything under `config: |-` is
# block-scalar data, so no YAML comments are placed inside it.
#
# Privilege notes, as written in the template below: the istio-init container
# runs as uid 0 with NET_ADMIN (needed for its iptables redirect); istio-proxy
# runs as uid 1337 (or gid 1337 plus NET_ADMIN in TPROXY mode) with a
# read-only root filesystem; the dikastes container declares no securityContext
# or resource limits of its own.
#
# The `sidecar.istio.io/userVolume` / `userVolumeMount` annotations are parsed
# with fromJSON and spliced verbatim into the pod spec, so whoever can set pod
# annotations in a namespace can shape the injected volumes and mounts.
data:
  config: |-
    policy: enabled
    template: |-
      rewriteAppHTTPProbe: false
      initContainers:
      [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
      - name: istio-init
        image: "iecedge/proxy_init-arm64:1.2.3"
        args:
        - "-p"
        - [[ .MeshConfig.ProxyListenPort ]]
        - "-u"
        - 1337
        - "-m"
        - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
        - "-i"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]"
        - "-x"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]"
        - "-b"
        - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
        - "-d"
        - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]"
        [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
        - "-k"
        - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
        [[ end -]]
        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 10m
            memory: 10Mi
          limits:
            cpu: 100m
            memory: 50Mi
        securityContext:
          runAsUser: 0
          runAsNonRoot: false
          capabilities:
            add:
            - NET_ADMIN
        restartPolicy: Always
      [[ end -]]
      containers:
      - name: istio-proxy
        image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "iecedge/proxyv2-arm64:1.2.3" ]]
        ports:
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --configPath
        - [[ .ProxyConfig.ConfigPath ]]
        - --binaryPath
        - [[ .ProxyConfig.BinaryPath ]]
        - --serviceCluster
        [[ if ne "" (index .ObjectMeta.Labels "app") -]]
        - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE)
        [[ else -]]
        - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]]
        [[ end -]]
        - --drainDuration
        - [[ formatDuration .ProxyConfig.DrainDuration ]]
        - --parentShutdownDuration
        - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
        - --discoveryAddress
        - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]
        - --zipkinAddress
        - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]
        - --connectTimeout
        - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
        - --proxyAdminPort
        - [[ .ProxyConfig.ProxyAdminPort ]]
        [[ if gt .ProxyConfig.Concurrency 0 -]]
        - --concurrency
        - [[ .ProxyConfig.Concurrency ]]
        [[ end -]]
        - --controlPlaneAuthPolicy
        - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]
        [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
        - --statusPort
        - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
        - --applicationPorts
        - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]"
        [[- end ]]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: ISTIO_META_INTERCEPTION_MODE
          value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
        [[ if .ObjectMeta.Annotations ]]
        - name: ISTIO_METAJSON_ANNOTATIONS
          value: |
                 [[ toJSON .ObjectMeta.Annotations ]]
        [[ end ]]
        [[ if .ObjectMeta.Labels ]]
        - name: ISTIO_METAJSON_LABELS
          value: |
                 [[ toJSON .ObjectMeta.Labels ]]
        [[ end ]]
        [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
        - name: ISTIO_BOOTSTRAP_OVERRIDE
          value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
        [[- end ]]
        imagePullPolicy: IfNotPresent
        [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
          initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]]
          periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]]
          failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]]
        [[ end -]]securityContext:
          readOnlyRootFilesystem: true
          [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]]
          capabilities:
            add:
            - NET_ADMIN
          runAsGroup: 1337
          [[ else -]]
          runAsUser: 1337
          [[- end ]]
        resources:
          [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
          requests:
            [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]
            cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]"
            [[ end ]]
            [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
            memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]"
            [[ end ]]
          [[ else -]]
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
          [[ end -]]
        volumeMounts:
        [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
        - mountPath: /etc/istio/custom-bootstrap
          name: custom-bootstrap-volume
        [[- end ]]
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]
        [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]
        - name: "[[ $index ]]"
          [[ toYaml $value | indent 4 ]]
        [[ end ]]
        [[- end ]]
        - mountPath: /var/run/dikastes
          name: dikastes-sock
      - name: dikastes
        image: calico/dikastes:v3.3.6
        args:
        - "/dikastes"
        - "server"
        - "-l"
        - "/var/run/dikastes/dikastes.sock"
        - "-d"
        - "/var/run/felix/nodeagent/socket"
        livenessProbe:
          exec:
            command:
            - /healthz
            - liveness
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          exec:
            command:
            - /healthz
            - readiness
          initialDelaySeconds: 3
          periodSeconds: 3
        volumeMounts:
        - mountPath: /var/run/dikastes
          name: dikastes-sock
        - mountPath: /var/run/felix
          name: felix-sync
      volumes:
      [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
      - name: custom-bootstrap-volume
        configMap:
          name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]
      [[- end ]]
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          [[ if eq .Spec.ServiceAccountName "" -]]
          secretName: istio.default
          [[ else -]]
          secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
          [[ end -]]
      [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]
      [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]
      - name: "[[ $index ]]"
        [[ toYaml $value | indent 2 ]]
      [[ end ]]
      [[ end ]]
      - name: dikastes-sock
        emptyDir:
          medium: Memory
      - name: felix-sync
        flexVolume:
          driver: nodeagent/uds