data: config: |- policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] template: | rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} {{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{- if not .Values.istio_cni.enabled }} - name: istio-init {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} command: - istio-iptables - "-p" - 15001 - "-z" - "15006" - "-u" - 1337 - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .Values.global.proxy_init.resources }} resources: {{ toYaml .Values.global.proxy_init.resources | indent 4 }} {{- else }} resources: {} {{- end }} securityContext: runAsUser: 0 runAsNonRoot: false capabilities: add: - NET_ADMIN {{- if .Values.global.proxy.privileged }} privileged: true {{- end }} restartPolicy: Always {{- end }} {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: runAsUser: 0 runAsNonRoot: false privileged: true {{ end }} {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --configPath - "/etc/istio/proxy" - --binaryPath - "/usr/local/bin/envoy" - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --drainDuration - "{{ formatDuration .ProxyConfig.DrainDuration }}" - --parentShutdownDuration - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" - --discoveryAddress - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" {{- if eq .Values.global.proxy.tracer "lightstep" }} - --lightstepAddress - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" - --lightstepAccessToken - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} - --lightstepCacertPath - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" {{- else if eq .Values.global.proxy.tracer "zipkin" }} - --zipkinAddress - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" {{- else if eq .Values.global.proxy.tracer "datadog" }} - --datadogAgentAddress - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" {{- end }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - --connectTimeout - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" {{- if .Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - "{{ .ProxyConfig.StatsdUdpAddress }}" {{- end }} {{- if .Values.global.proxy.envoyMetricsService.enabled }} - --envoyMetricsServiceAddress - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" {{- end }} {{- if .Values.global.proxy.envoyAccessLogService.enabled }} - --envoyAccessLogServiceAddress - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" {{- end }} - --proxyAdminPort - "{{ .ProxyConfig.ProxyAdminPort }}" {{ if gt .ProxyConfig.Concurrency 0 -}} - --concurrency - "{{ .ProxyConfig.Concurrency }}" {{ end -}} {{- if .Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy - MUTUAL_TLS {{- else }} - --controlPlaneAuthPolicy - NONE {{- end }} - --dnsRefreshRate - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} - --statusPort - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" - --applicationPorts - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" {{- end }} {{- if .Values.global.trustDomain }} - --trust-domain={{ .Values.global.trustDomain }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json {{- end }} env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP {{- if eq .Values.global.proxy.tracer "datadog" }} {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- end }} - name: ISTIO_META_POD_PORTS value: |- [ {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }} {{- end}} {{- end}} ] - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: ISTIO_META_CONFIG_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: SDS_ENABLED value: "{{ .Values.global.sds.enabled }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - name: ISTIO_META_INCLUDE_INBOUND_PORTS value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{ if .ObjectMeta.Labels }} - name: ISTIO_METAJSON_LABELS value: | {{ toJSON .ObjectMeta.Labels }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: {{ .DeploymentMeta.Name }} {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.sds.customTokenDirectory }} - name: ISTIO_META_SDS_TOKEN_PATH value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if .Values.global.trustDomain }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.trustDomain }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if .Values.global.proxy.privileged }} privileged: true {{- end }} {{- if ne .Values.global.proxy.enableCoreDump true }} readOnlyRootFilesystem: true {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} capabilities: add: - NET_ADMIN runAsGroup: 1337 {{ else -}} {{ if .Values.global.sds.enabled }} runAsGroup: 1337 {{- end }} runAsUser: 1337 {{- end }} resources: {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end}} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{ else -}} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 4 }} {{- end }} {{ end -}} volumeMounts: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} - mountPath: /etc/istio/proxy name: istio-envoy {{- if .Values.global.sds.enabled }} - mountPath: /var/run/sds name: sds-uds-path readOnly: true - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.sds.customTokenDirectory }} - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" name: custom-sds-token readOnly: true {{- end }} {{- else }} - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{- end }} - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes image: calico/dikastes:v3.26.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false livenessProbe: exec: command: - /healthz - liveness initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: exec: command: - /healthz - readiness initialDelaySeconds: 3 periodSeconds: 3 volumeMounts: - mountPath: /var/run/dikastes name: dikastes-sock - mountPath: /var/run/felix name: felix-sync volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} - emptyDir: medium: Memory name: istio-envoy {{- if .Values.global.sds.enabled }} - name: sds-uds-path hostPath: path: /var/run/sds - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if .Values.global.sds.customTokenDirectory }} - name: custom-sds-token secret: secretName: sdstokensecret {{- end }} {{- else }} - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 2 }} {{ end }} {{ end }} {{- end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} - name: dikastes-sock emptyDir: medium: Memory - name: felix-sync csi: driver: "csi.tigera.io" {{- if .Values.global.podDNSSearchNamespaces }} dnsConfig: searches: {{- range .Values.global.podDNSSearchNamespaces }} - {{ render . }} {{- end }} {{- end }} injectedAnnotations: