# ConfigMap named istio-sidecar-injector: `values` (JSON) supplies the
# `.Values.*` lookups used by the injection template stored under `config`.
| apiVersion: v1 |
| kind: ConfigMap |
| metadata: |
| name: istio-sidecar-injector |
| namespace: istio-system |
| labels: |
| istio.io/rev: default |
| release: istio |
| data: |
| |
# `values` is a JSON document inside a block scalar, so it cannot carry
# comments; review notes for the settings it contains are collected here.
# - "jwtPolicy": "first-party-jwt": the template mounts the projected
#   `istio-token` (audience + expirationSeconds) only for "third-party-jwt",
#   so with this value that bounded token is not used.
# - "proxy.enableCoreDump": false keeps the privileged `enable-core-dump`
#   init container out of injected pods; "proxy.privileged": false is what
#   the template copies into `privileged`/`allowPrivilegeEscalation`.
# - "hub"/"tag" ("docker.io/istio", "1.6.3") select images by tag, not by
#   digest; "imagePullPolicy": "" falls back to `Always` in the template.
# - "tracer.lightstep.accessToken" is empty here; if it is ever set, the
#   token sits in this ConfigMap in clear text.
| values: |- |
| { |
| "global": { |
| "arch": { |
| "amd64": 2, |
| "ppc64le": 2, |
| "s390x": 2 |
| }, |
| "configNamespace": "istio-system", |
| "configValidation": true, |
| "controlPlaneSecurityEnabled": true, |
| "defaultNodeSelector": {}, |
| "defaultPodDisruptionBudget": { |
| "enabled": true |
| }, |
| "defaultResources": { |
| "requests": { |
| "cpu": "10m" |
| } |
| }, |
| "enableHelmTest": false, |
| "enabled": true, |
| "hub": "docker.io/istio", |
| "imagePullPolicy": "", |
| "imagePullSecrets": [], |
| "istioNamespace": "istio-system", |
| "istiod": { |
| "enableAnalysis": false, |
| "enabled": true |
| }, |
| "jwtPolicy": "first-party-jwt", |
| "logAsJson": false, |
| "logging": { |
| "level": "default:info" |
| }, |
| "meshExpansion": { |
| "enabled": false, |
| "useILB": false |
| }, |
| "meshNetworks": {}, |
| "mountMtlsCerts": false, |
| "multiCluster": { |
| "clusterName": "", |
| "enabled": false |
| }, |
| "namespace": "istio-system", |
| "network": "", |
| "omitSidecarInjectorConfigMap": false, |
| "oneNamespace": false, |
| "operatorManageWebhooks": false, |
| "pilotCertProvider": "istiod", |
| "policyNamespace": "istio-system", |
| "priorityClassName": "", |
| "prometheusNamespace": "istio-system", |
| "proxy": { |
| "autoInject": "enabled", |
| "clusterDomain": "cluster.local", |
| "componentLogLevel": "misc:error", |
| "enableCoreDump": false, |
| "envoyStatsd": { |
| "enabled": false |
| }, |
| "excludeIPRanges": "", |
| "excludeInboundPorts": "", |
| "excludeOutboundPorts": "", |
| "image": "proxyv2", |
| "includeIPRanges": "*", |
| "logLevel": "warning", |
| "privileged": false, |
| "readinessFailureThreshold": 30, |
| "readinessInitialDelaySeconds": 1, |
| "readinessPeriodSeconds": 2, |
| "resources": { |
| "limits": { |
| "cpu": "2000m", |
| "memory": "1024Mi" |
| }, |
| "requests": { |
| "cpu": "100m", |
| "memory": "128Mi" |
| } |
| }, |
| "statusPort": 15020, |
| "tracer": "zipkin" |
| }, |
| "proxy_init": { |
| "image": "proxyv2", |
| "resources": { |
| "limits": { |
| "cpu": "100m", |
| "memory": "50Mi" |
| }, |
| "requests": { |
| "cpu": "10m", |
| "memory": "10Mi" |
| } |
| } |
| }, |
| "sds": { |
| "token": { |
| "aud": "istio-ca" |
| } |
| }, |
| "securityNamespace": "istio-system", |
| "sts": { |
| "servicePort": 0 |
| }, |
| "tag": "1.6.3", |
| "telemetryNamespace": "istio-system", |
| "tracer": { |
| "datadog": { |
| "address": "$(HOST_IP):8126" |
| }, |
| "lightstep": { |
| "accessToken": "", |
| "address": "" |
| }, |
| "stackdriver": { |
| "debug": false, |
| "maxNumberOfAnnotations": 200, |
| "maxNumberOfAttributes": 200, |
| "maxNumberOfMessageEvents": 200 |
| }, |
| "zipkin": { |
| "address": "" |
| } |
| }, |
| "trustDomain": "cluster.local", |
| "useMCP": false |
| }, |
| "istio_cni": { |
| "enabled": false |
| }, |
| "revision": "", |
| "sidecarInjectorWebhook": { |
| "alwaysInjectSelector": [], |
| "enableNamespacesByDefault": false, |
| "enabled": false, |
| "injectLabel": "istio-injection", |
| "injectedAnnotations": {}, |
| "namespace": "istio-system", |
| "neverInjectSelector": [], |
| "objectSelector": { |
| "autoInject": true, |
| "enabled": false |
| }, |
| "rewriteAppHTTPProbe": false |
| } |
| } |
| |
| # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching |
| # and istiod webhook functionality. |
| # |
| # New fields should not use Values - it is a 'primary' config object, users should be able |
| # to fine tune it or use it with kube-inject. |
| config: |- |
# Injection policy plus the pod template. Both selector lists and
# injectedAnnotations are empty here.
# NOTE(review): `policy: enabled` presumably means pods are injected unless
# they opt out - confirm against the injector documentation.
| policy: enabled |
| alwaysInjectSelector: |
| [] |
| neverInjectSelector: |
| [] |
| injectedAnnotations: |
| |
# Go template rendered for each pod. `.ObjectMeta.Annotations` and
# `.ObjectMeta.Labels` come from the pod being injected, so every
# `annotation ...` / `index .ObjectMeta.Annotations ...` lookup below is
# input chosen by whoever can create the workload, not by the mesh operator.
| template: | |
| rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} |
# Init container that programs traffic redirection by running
# `istio-iptables`; the whole entry is skipped when the interception mode
# (pod annotation, else ProxyConfig) is `NONE`. With istio_cni enabled it is
# named `istio-validation` and gets `--run-validation --skip-rule-apply`.
| initContainers: |
| {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} |
| {{ if .Values.istio_cni.enabled -}} |
| - name: istio-validation |
| {{ else -}} |
| - name: istio-init |
| {{ end -}} |
| {{- if contains "/" .Values.global.proxy_init.image }} |
| image: "{{ .Values.global.proxy_init.image }}" |
| {{- else }} |
| image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" |
| {{- end }} |
# Security: the values for -m/-i/-x/-b/-d/-o/-k are read from pod annotations
# first and fall back to .Values, so the workload author decides which
# traffic is redirected to the sidecar. Traffic excluded here presumably
# never reaches the proxy; restrict these annotations with admission policy
# if mesh policy must apply to all traffic of a workload.
| args: |
| - istio-iptables |
| - "-p" |
| - 15001 |
| - "-z" |
| - "15006" |
| - "-u" |
| - 1337 |
| - "-m" |
| - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" |
| - "-i" |
| - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" |
| - "-x" |
| - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" |
| - "-b" |
| - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" |
| - "-d" |
| - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" |
| {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} |
| - "-o" |
| - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" |
| {{ end -}} |
| {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} |
| - "-k" |
| - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" |
| {{ end -}} |
| {{ if .Values.istio_cni.enabled -}} |
| - "--run-validation" |
| - "--skip-rule-apply" |
| {{ end -}} |
| imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" |
# NOTE(review): `env:` sits inside the proxy_init.resources branch, so the
# ProxyMetadata variables are only passed when resources are configured.
| {{- if .Values.global.proxy_init.resources }} |
| env: |
| {{- range $key, $value := .ProxyConfig.ProxyMetadata }} |
| - name: {{ $key }} |
| value: "{{ $value }}" |
| {{- end }} |
| resources: |
| {{ toYaml .Values.global.proxy_init.resources | indent 4 }} |
| {{- else }} |
| resources: {} |
| {{- end }} |
# Security: `privileged`/`allowPrivilegeEscalation` copy
# .Values.global.proxy.privileged. Without istio_cni the container runs as
# root (uid/gid 0) with a writable root filesystem and NET_ADMIN + NET_RAW
# added next to `drop: ALL`; with istio_cni it runs as 1337, non-root, with a
# read-only root filesystem and no added capabilities.
| securityContext: |
| allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} |
| privileged: {{ .Values.global.proxy.privileged }} |
| capabilities: |
| {{- if not .Values.istio_cni.enabled }} |
| add: |
| - NET_ADMIN |
| - NET_RAW |
| {{- end }} |
| drop: |
| - ALL |
| {{- if not .Values.istio_cni.enabled }} |
| readOnlyRootFilesystem: false |
| runAsGroup: 0 |
| runAsNonRoot: false |
| runAsUser: 0 |
| {{- else }} |
| readOnlyRootFilesystem: true |
| runAsGroup: 1337 |
| runAsUser: 1337 |
| runAsNonRoot: true |
| {{- end }} |
| restartPolicy: Always |
| {{ end -}} |
| {{- if eq .Values.global.proxy.enableCoreDump true }} |
# Security: rendered only when global.proxy.enableCoreDump is true. This init
# container is `privileged: true`, runs as root with SYS_ADMIN, and rewrites
# `kernel.core_pattern` through sysctl before raising the core size limit.
# NOTE(review): core_pattern is presumably not a per-container setting, so
# this would change where processes on the whole node write core files -
# confirm, and keep the flag off outside debugging sessions.
| - name: enable-core-dump |
| args: |
| - -c |
| - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited |
| command: |
| - /bin/sh |
| {{- if contains "/" .Values.global.proxy_init.image }} |
| image: "{{ .Values.global.proxy_init.image }}" |
| {{- else }} |
| image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" |
| {{- end }} |
| imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" |
| resources: {} |
| securityContext: |
| allowPrivilegeEscalation: true |
| capabilities: |
| add: |
| - SYS_ADMIN |
| drop: |
| - ALL |
| privileged: true |
| readOnlyRootFilesystem: false |
| runAsGroup: 0 |
| runAsNonRoot: false |
| runAsUser: 0 |
| {{ end }} |
# Sidecar container `istio-proxy`: image selection, the Prometheus stats
# port and the `proxy sidecar` command line.
| containers: |
| - name: istio-proxy |
# Security: a `sidecar.istio.io/proxyImage` annotation containing "/" replaces
# the sidecar image with any reference the workload author chooses; a value
# without "/" is ignored and hub/image:tag from .Values is used. Constrain
# this annotation (admission policy, allowed registries) if the proxy image
# has to be one the operator trusts.
| {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} |
| image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" |
| {{- else }} |
| image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" |
| {{- end }} |
| ports: |
| - containerPort: 15090 |
| protocol: TCP |
| name: http-envoy-prom |
# --serviceCluster is built from the pod's `app` label, else from the
# deployment name/namespace; both log levels can be overridden per pod via
# annotations and are emitted unquoted.
| args: |
| - proxy |
| - sidecar |
| - --domain |
| - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} |
| - --serviceCluster |
| {{ if ne "" (index .ObjectMeta.Labels "app") -}} |
| - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" |
| {{ else -}} |
| - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" |
| {{ end -}} |
| - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} |
| - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} |
| {{- if .Values.global.sts.servicePort }} |
| - --stsPort={{ .Values.global.sts.servicePort }} |
| {{- end }} |
| {{- if .Values.global.trustDomain }} |
| - --trust-domain={{ .Values.global.trustDomain }} |
| {{- end }} |
| {{- if .Values.global.logAsJson }} |
| - --log_as_json |
| {{- end }} |
| {{- if gt .ProxyConfig.Concurrency 0 }} |
| - --concurrency |
| - "{{ .ProxyConfig.Concurrency }}" |
| {{- end -}} |
| {{- if .Values.global.proxy.lifecycle }} |
| lifecycle: |
| {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} |
| {{- end }} |
# NOTE(review): this hard-coded `lifecycle:` is emitted unconditionally, so
# setting .Values.global.proxy.lifecycle would render two `lifecycle:` keys
# in the same container mapping (duplicate keys are invalid YAML and parsers
# differ on which one wins). The `values` JSON in this ConfigMap does not set
# proxy.lifecycle, so only this preStop hook is rendered today.
# The hook delays proxy shutdown until `netstat -plunt` lists no TCP entries
# other than envoy's; it needs /bin/sh, netstat and xargs in the proxy image.
| lifecycle: |
| preStop: |
| exec: |
| command: |
| - "/bin/sh" |
| - "-c" |
| - "while [ $(netstat -plunt | grep tcp | grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done" |
# Environment of the proxy. Values come from three trust levels: operator
# settings (.Values / .ProxyConfig), the Kubernetes downward API, and pod
# annotations/labels supplied by the workload author.
# NOTE(review): several templated values below (JWT_POLICY,
# PILOT_CERT_PROVIDER, CA_ADDR, ISTIO_META_WORKLOAD_NAME, ISTIO_META_OWNER)
# are emitted unquoted, so an empty or boolean-looking value would not stay a
# string - quoting them would be safer.
| env: |
| - name: JWT_POLICY |
| value: {{ .Values.global.jwtPolicy }} |
| - name: PILOT_CERT_PROVIDER |
| value: {{ .Values.global.pilotCertProvider }} |
| # Temp, pending PR to make it default or based on the istiodAddr env |
| - name: CA_ADDR |
| {{- if .Values.global.caAddress }} |
| value: {{ .Values.global.caAddress }} |
| {{- else }} |
| value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 |
| {{- end }} |
| - name: POD_NAME |
| valueFrom: |
| fieldRef: |
| fieldPath: metadata.name |
| - name: POD_NAMESPACE |
| valueFrom: |
| fieldRef: |
| fieldPath: metadata.namespace |
| - name: INSTANCE_IP |
| valueFrom: |
| fieldRef: |
| fieldPath: status.podIP |
| - name: SERVICE_ACCOUNT |
| valueFrom: |
| fieldRef: |
| fieldPath: spec.serviceAccountName |
| - name: HOST_IP |
| valueFrom: |
| fieldRef: |
| fieldPath: status.hostIP |
| - name: CANONICAL_SERVICE |
| valueFrom: |
| fieldRef: |
| fieldPath: metadata.labels['service.istio.io/canonical-name'] |
| - name: CANONICAL_REVISION |
| valueFrom: |
| fieldRef: |
| fieldPath: metadata.labels['service.istio.io/canonical-revision'] |
| - name: PROXY_CONFIG |
| value: | |
| {{ protoToJSON .ProxyConfig }} |
| - name: ISTIO_META_POD_PORTS |
| value: |- |
| [ |
| {{- $first := true }} |
| {{- range $index1, $c := .Spec.Containers }} |
| {{- range $index2, $p := $c.Ports }} |
| {{- if (structToJSON $p) }} |
| {{if not $first}},{{end}}{{ structToJSON $p }} |
| {{- $first = false }} |
| {{- end }} |
| {{- end}} |
| {{- end}} |
| ] |
| - name: ISTIO_META_APP_CONTAINERS |
| value: |- |
| [ |
| {{- range $index, $container := .Spec.Containers }} |
| {{- if ne $index 0}},{{- end}} |
| {{ $container.Name }} |
| {{- end}} |
| ] |
| - name: ISTIO_META_CLUSTER_ID |
| value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" |
| - name: ISTIO_META_INTERCEPTION_MODE |
| value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" |
| {{- if .Values.global.network }} |
| - name: ISTIO_META_NETWORK |
| value: "{{ .Values.global.network }}" |
| {{- end }} |
# All pod annotations are serialized to JSON into ISTIO_METAJSON_ANNOTATIONS,
# so anything stored in an annotation is readable from the proxy environment.
| {{ if .ObjectMeta.Annotations }} |
| - name: ISTIO_METAJSON_ANNOTATIONS |
| value: | |
| {{ toJSON .ObjectMeta.Annotations }} |
| {{ end }} |
| {{- if .DeploymentMeta.Name }} |
| - name: ISTIO_META_WORKLOAD_NAME |
| value: {{ .DeploymentMeta.Name }} |
| {{ end }} |
| {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} |
| - name: ISTIO_META_OWNER |
| value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} |
| {{- end}} |
| {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} |
| - name: ISTIO_BOOTSTRAP_OVERRIDE |
| value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" |
| {{- end }} |
| {{- if .Values.global.meshID }} |
| - name: ISTIO_META_MESH_ID |
| value: "{{ .Values.global.meshID }}" |
| {{- else if .Values.global.trustDomain }} |
| - name: ISTIO_META_MESH_ID |
| value: "{{ .Values.global.trustDomain }}" |
| {{- end }} |
# Security: with the datadog tracer, the `apm.datadoghq.com/env` annotation
# is parsed as JSON and every key/value pair becomes an environment variable
# of the proxy (names unquoted). The workload author controls both names and
# values, and entries later in this list come after the fixed ones above.
| {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} |
| {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} |
| - name: {{ $key }} |
| value: "{{ $value }}" |
| {{- end }} |
| {{- end }} |
| {{- range $key, $value := .ProxyConfig.ProxyMetadata }} |
| - name: {{ $key }} |
| value: "{{ $value }}" |
| {{- end }} |
# Pull policy falls back to `Always` when .Values.global.imagePullPolicy is
# empty. The readiness probe is omitted when the status port (annotation
# `status.sidecar.istio.io/port`, else .Values) is `0`; the probe itself
# targets the fixed port 15021 and its three timings can be overridden per
# pod through `readiness.status.sidecar.istio.io/*` annotations.
| imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" |
| {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} |
| readinessProbe: |
| httpGet: |
| path: /healthz/ready |
| port: 15021 |
| initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} |
| periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} |
| failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} |
| {{ end -}} |
| securityContext: |
# Security: two per-pod settings raise the privilege level of the sidecar.
# Interception mode `TPROXY` (annotation `sidecar.istio.io/interceptionMode`,
# else ProxyConfig) adds NET_ADMIN, and `sidecar.istio.io/capNetBindService`
# equal to `true` (annotation, else .Values) adds NET_BIND_SERVICE; either
# one also switches the container to runAsUser 0 / runAsNonRoot false.
# Otherwise it runs as 1337, non-root, with all capabilities dropped.
# `privileged`/`allowPrivilegeEscalation` copy .Values.global.proxy.privileged
# and readOnlyRootFilesystem is the negation of global.proxy.enableCoreDump.
# NOTE(review): `fsGroup` is normally a pod-level securityContext field -
# confirm it has any effect at container level.
| allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} |
| capabilities: |
| {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} |
| add: |
| {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} |
| - NET_ADMIN |
| {{- end }} |
| {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} |
| - NET_BIND_SERVICE |
| {{- end }} |
| {{- end }} |
| drop: |
| - ALL |
| privileged: {{ .Values.global.proxy.privileged }} |
| readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} |
| runAsGroup: 1337 |
| fsGroup: 1337 |
| {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} |
| runAsNonRoot: false |
| runAsUser: 0 |
| {{- else -}} |
| runAsNonRoot: true |
| runAsUser: 1337 |
| {{- end }} |
# Sidecar resources. If any of the `sidecar.istio.io/proxyCPU`, `proxyMemory`,
# `proxyCPULimit` or `proxyMemoryLimit` annotations is present, only the
# annotated fields are emitted and .Values.global.proxy.resources is not
# applied at all - e.g. a pod that sets just proxyCPU gets no limits.
# Use LimitRange/quota if sidecar limits must hold regardless of annotations.
| resources: |
| {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} |
| {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} |
| requests: |
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} |
| cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" |
| {{ end }} |
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} |
| memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" |
| {{ end }} |
| {{- end }} |
| {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} |
| limits: |
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} |
| cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" |
| {{ end }} |
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} |
| memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" |
| {{ end }} |
| {{- end }} |
| {{- else }} |
| {{- if .Values.global.proxy.resources }} |
| {{ toYaml .Values.global.proxy.resources | indent 4 }} |
| {{- end }} |
| {{- end }} |
# Mounts of the sidecar. `istiod-ca-cert` is mounted when pilotCertProvider
# is "istiod", `istio-token` only when jwtPolicy is "third-party-jwt", and
# `istio-certs` only when mountMtlsCerts is set.
| volumeMounts: |
| {{- if eq .Values.global.pilotCertProvider "istiod" }} |
| - mountPath: /var/run/secrets/istio |
| name: istiod-ca-cert |
| {{- end }} |
| - mountPath: /var/lib/istio/data |
| name: istio-data |
# Security: a `sidecar.istio.io/bootstrapOverride` annotation mounts a
# ConfigMap named by the workload author here; the env section then points
# ISTIO_BOOTSTRAP_OVERRIDE at custom_bootstrap.json inside it.
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} |
| - mountPath: /etc/istio/custom-bootstrap |
| name: custom-bootstrap-volume |
| {{- end }} |
| # SDS channel between istioagent and Envoy |
| - mountPath: /etc/istio/proxy |
| name: istio-envoy |
| {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} |
| - mountPath: /var/run/secrets/tokens |
| name: istio-token |
| {{- end }} |
| {{- if .Values.global.mountMtlsCerts }} |
| # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. |
| - mountPath: /etc/certs/ |
| name: istio-certs |
| readOnly: true |
| {{- end }} |
| - name: istio-podinfo |
| mountPath: /etc/istio/pod |
| {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} |
| - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} |
| name: lightstep-certs |
| readOnly: true |
| {{- end }} |
# Security: `sidecar.istio.io/userVolumeMount` is parsed as JSON and each
# entry is written out with toYaml as a mount of the sidecar; the template
# itself does not restrict mount paths or options.
| {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} |
| {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} |
| - name: "{{ $index }}" |
| {{ toYaml $value | indent 4 }} |
| {{ end }} |
| {{- end }} |
# Pod volumes backing the sidecar mounts: in-memory `istio-envoy`, scratch
# `istio-data`, downward-API `istio-podinfo`, plus conditional token, CA
# certificate, mTLS secret, user-defined and lightstep volumes.
| volumes: |
| {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} |
| - name: custom-bootstrap-volume |
| configMap: |
| name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} |
| {{- end }} |
| # SDS channel between istioagent and Envoy |
| - emptyDir: |
| medium: Memory |
| name: istio-envoy |
| - name: istio-data |
| emptyDir: {} |
| - name: istio-podinfo |
| downwardAPI: |
| items: |
| - path: "labels" |
| fieldRef: |
| fieldPath: metadata.labels |
| - path: "annotations" |
| fieldRef: |
| fieldPath: metadata.annotations |
# Projected service-account token used with "third-party-jwt": bound to the
# audience in .Values.global.sds.token.aud and limited to 43200 seconds.
| {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} |
| - name: istio-token |
| projected: |
| sources: |
| - serviceAccountToken: |
| path: istio-token |
| expirationSeconds: 43200 |
| audience: {{ .Values.global.sds.token.aud }} |
| {{- end }} |
| {{- if eq .Values.global.pilotCertProvider "istiod" }} |
| - name: istiod-ca-cert |
| configMap: |
| name: istio-ca-root-cert |
| {{- end }} |
| {{- if .Values.global.mountMtlsCerts }} |
| # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. |
| - name: istio-certs |
| secret: |
| optional: true |
| {{ if eq .Spec.ServiceAccountName "" }} |
| secretName: istio.default |
| {{ else -}} |
| secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} |
| {{ end -}} |
| {{- end }} |
# Security: `sidecar.istio.io/userVolume` is parsed as JSON and each entry is
# written out with toYaml as a pod volume. Nothing in this template limits
# the volume type, so which volumes a workload author can attach this way
# depends on the cluster's other admission controls - confirm they cover it.
| {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} |
| {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} |
| - name: "{{ $index }}" |
| {{ toYaml $value | indent 2 }} |
| {{ end }} |
| {{ end }} |
| {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} |
| - name: lightstep-certs |
| secret: |
| optional: true |
| secretName: lightstep.cacert |
| {{- end }} |
# Optional DNS search list: emitted only when
# .Values.global.podDNSSearchNamespaces is set, one `render`-ed entry per item.
| {{- if .Values.global.podDNSSearchNamespaces }} |
| dnsConfig: |
| searches: |
| {{- range .Values.global.podDNSSearchNamespaces }} |
| - {{ render . }} |
| {{- end }} |
| {{- end }} |
# Annotations recording the effective redirection settings for the pod
# (NOTE(review): presumably written back onto the pod for istio-cni - confirm).
# The `networks` entry is only added when istio_cni is enabled and not
# chained; every other value is the pod's own annotation or the .Values default.
# NOTE(review): the excludeOutboundPorts test here compares .Values directly
# with "", while the init-container args wrap it in valueOrDefault, and
# kubevirtInterfaces is emitted even when the annotation is absent.
| podRedirectAnnot: |
| {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} |
| {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} |
| k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" |
| {{- else }} |
| k8s.v1.cni.cncf.io/networks: "istio-cni" |
| {{- end }} |
| {{- end }} |
| sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" |
| traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" |
| traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" |
| traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" |
| traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" |
| {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} |
| traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" |
| {{- end }} |
| traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" |
# Pull secrets for the injected images: one entry per name in
# .Values.global.imagePullSecrets (an empty list in this ConfigMap's values).
# NOTE(review): names are emitted unquoted; presumably the referenced secrets
# have to exist in each workload namespace - confirm.
| {{- if .Values.global.imagePullSecrets }} |
| imagePullSecrets: |
| {{- range .Values.global.imagePullSecrets }} |
| - name: {{ . }} |
| {{- end }} |
| {{- end }} |