--- apiVersion: v1 items: - apiVersion: v1 data: root-cert.pem: | -----BEGIN CERTIFICATE----- MIIC/TCCAeWgAwIBAgIRAK7d8Xa4fxH7hn37uavThJcwDQYJKoZIhvcNAQELBQAw GDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDAeFw0yNjA0MTcwNzU5NTRaFw0zNjA0 MTQwNzU5NTRaMBgxFjAUBgNVBAoTDWNsdXN0ZXIubG9jYWwwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQDLa3t3glD9op57cjWA8bW7MQsTmuJqsSrN0SF6 ep9T/1LHMMpgCrK4WqW8mQqqpkEEXA61AkVE21emViVDWbXb3DmQdXguiB+pjlqX p0IZvVQecAhfzvI6CRR2QEcI2tLcIW0c/6c0EJkr0jZC9f9E9UKmoJdln8hMFF7D pbF7JIV20RjPd+cGX4sII+mg0WnYWFI9QoyOwjFXKkCW1wKeLgW0lkYANjWIN0GV rBEzCjoMFh9BA/uUQh4O+z4zStbqrzJwJBe69Lr4tkfVT6crFH44CJjdI26+h2f9 nsQE32dpCB3Ry/33/eJP7E9c8CkerER2TngYYjyuxSPg210FAgMBAAGjQjBAMA4G A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRZnPLF5DaL 6wgmpdERkU8QpYBqqjANBgkqhkiG9w0BAQsFAAOCAQEAqR/1AmYVqn1JbNiAGBM3 ckPnZH3/9GA61vBDc2PGmXu5/WAOCiEEn6+SrNBMfCP13xNHrsIkVOa8uMoC4sS2 fOBE6DVj1DugCibqtLyWWQI0AAuphDDA0huhaSHD/a9tWUT1Ov8alH34KAvlYAfD A1iLSsSLne/BNwAmGNWmPZ2t0d32jVvqjif526gH/O8dsnC+ENBNnQkJm3qSOi/w UbkaVtMw8YHkXhBZ37w/Fft7lYS7pRHSklG4r5SoXj7BERR56EhSrTsPTmqpCZMv 9TLAaqvccjBpodIFqPo0fL5zeNTlbzwavCNymqDuHYdGzJcCc+hJSz3BYSGvqL7v kA== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-04-17T07:59:57Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:root-cert.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-04-17T07:59:57Z" name: istio-ca-root-cert namespace: openshift-ingress resourceVersion: "15070" uid: 455cdd4e-7a72-4482-9f3d-e01425c07ecd - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-55ff986f96-hwfxc","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-04-17T08:02:03Z","renewTime":"2026-04-17T08:22:34Z","leaderTransitions":1}' creationTimestamp: "2026-04-17T07:59:54Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-04-17T08:22:34Z" name: istio-gateway-status-leader namespace: openshift-ingress resourceVersion: "37347" uid: 02b49aec-9093-403d-af34-5c7804bb8524 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-55ff986f96-hwfxc","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-04-17T08:02:02Z","renewTime":"2026-04-17T08:22:34Z","leaderTransitions":1}' creationTimestamp: "2026-04-17T07:59:54Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-04-17T08:22:34Z" name: istio-ip-autoallocate namespace: openshift-ingress resourceVersion: "37343" uid: 9375a117-a001-4f56-901b-6f15563a473f - apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod-openshift-gateway.openshift-ingress.svc:15012 proxyHeaders: envoyDebugHeaders: disabled: true metadataExchangeHeaders: mode: IN_MESH server: disabled: true defaultProviders: metrics: - prometheus enablePrometheusMerge: true ingressControllerMode: "OFF" rootNamespace: openshift-ingress trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-17T07:59:50Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:mesh: {} f:meshNetworks: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"950bdc7e-cfff-47b4-ad26-6f0d1c768095"}: {} manager: sail-operator operation: Update time: "2026-04-17T07:59:50Z" name: istio-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 950bdc7e-cfff-47b4-ad26-6f0d1c768095 resourceVersion: "14586" uid: 7d915b2c-0b7e-45e4-9d9d-cc2730b3db5c - apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} {{- if .Values.pilot.cni.enabled }} {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := and (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) (not $nativeSidecar) }} {{- $noInitContainer := and (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) (not $nativeSidecar) }} {{ if $noInitContainer }} initContainers: [] {{ else -}} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} args: - istio-iptables - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - "-c" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" {{ end -}} - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{ template "resources" . }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} runAsNonRoot: true {{- end }} {{ end -}} {{ end -}} {{ if not $nativeSidecar }} containers: {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- else if $nativeSidecar }} {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} lifecycle: preStop: exec: command: - pilot-agent - request - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - POST - drain {{- end }} env: {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ . }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: 0 periodSeconds: 1 timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} allowPrivilegeEscalation: true capabilities: add: - NET_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 {{- else -}} runAsNonRoot: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} {{- end }} {{- end }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: name: workload-socket - emptyDir: name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: istio.io/rev: {{ .Revision | default "default" | quote }} {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" {{- end }} {{- end }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 4 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} securityContext: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} grpc-simple: | metadata: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" spec: initContainers: - name: grpc-bootstrap-init image: busybox:1.28 volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap env: - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_NAMESPACE value: | {{ .Values.global.istioNamespace }} command: - sh - "-c" - |- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" echo ' { "xds_servers": [ { "server_uri": "'${SERVER_URI}'", "channel_creds": [{"type": "insecure"}], "server_features" : ["xds_v3"] } ], "node": { "id": "'${NODE_ID}'", "metadata": { "GENERATOR": "grpc" } } }' > /var/lib/grpc/data/bootstrap.json containers: {{- range $index, $container := .Spec.Containers }} - name: {{ $container.Name }} env: - name: GRPC_XDS_BOOTSTRAP value: /var/lib/grpc/data/bootstrap.json - name: GRPC_GO_LOG_VERBOSITY_LEVEL value: "99" - name: GRPC_GO_LOG_SEVERITY_LEVEL value: info volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap {{- end }} volumes: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15020 protocol: TCP name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} lifecycle: postStart: exec: command: - pilot-agent - wait - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" value: "true" - name: "GRPC_XDS_BOOTSTRAP" value: "/etc/istio/proxy/grpc-bootstrap.json" volumeMounts: - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- end }} {{- end }} volumes: - emptyDir: name: workload-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": "{{.Name}}" template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} affinity: {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.nodeSelector }} nodeSelector: {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.tolerations }} tolerations: {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy - waypoint - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - {{.ServiceAccount}}.$(POD_NAMESPACE) - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} env: - name: ISTIO_META_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} {{- if .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} {{- if $network }} - name: ISTIO_META_NETWORK value: "{{ $network }}" {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName}} - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if .Values.global.waypoint.resources }} resources: {{- toYaml .Values.global.waypoint.resources | nindent 10 }} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo volumes: - emptyDir: {} name: workload-socket - emptyDir: medium: Memory name: istio-envoy - emptyDir: medium: Memory name: go-proxy-envoy - emptyDir: {} name: istio-data - emptyDir: {} name: go-proxy-data - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (strdict "networking.istio.io/traffic-distribution" "PreferClose") (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version" ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": "{{.Name}}" {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} kube-gateway: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": {{.Name}} template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 8 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} - name: ISTIO_META_OWNER value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: {{.|quote}} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: {{.UID}} spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": {{.Name}} {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} values: |- { "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.26.2", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "pilot": { "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} } } kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-17T07:59:50Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:config: {} f:values: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"950bdc7e-cfff-47b4-ad26-6f0d1c768095"}: {} manager: sail-operator operation: Update time: "2026-04-17T08:01:51Z" name: istio-sidecar-injector-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 950bdc7e-cfff-47b4-ad26-6f0d1c768095 resourceVersion: "19243" uid: 956033f1-49b4-4848-b8ec-03f583f62f09 - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDPDCCAiSgAwIBAgIICAPL386ZP0gwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDQxNzA3NDUyN1oX DTM2MDQxNDA3NDUyN1owJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdXTxXBbyVrp a+OvLF5WfC1cxgDSR+PN4sdyJJ430iQBNBG3fygmpfYXeuEF7gbsWTGW+WyOo5W1 watoZvFt8Qu/CCxdc7IeLvvBlOPqttqofggh92P8p/WsKuvL+cZ3EwsT+e91Xw0+ ZESelSWoin81jC+QpltJo1klUznzLFxdpVvH5XxMqMNEg1TnYCg5zlTSyKri34og hoGIwcOMmNJ6byCKAi5zlpKEq5NpLozXVDJ3f/8bIKG3MbNijwIMxY4zzr7c5S2O E4RhQgwZl0DnFf25qdcIvgkbPjpL3LMuKVXISQdgokW2gweukgQh7gY3h+39pnbb Js0kVoJNJwIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zBJBgNVHQ4EQgRAsCdJ5Ej/WlN3uHAW216nCcwUIyySipgwenU9kEWroJZ6KaFL 6tlHm4Tf2eaHlrdjMWzjn6nnpn5qOWJqhA685jANBgkqhkiG9w0BAQsFAAOCAQEA UzQAGXDzrNVjZ4ZaGYWj6TpZBwhQ9P/+Chd++mDA9lQgSh2hPGyctqs+x/6KkIyH CRsVatWZOb4X/sSsgRP5LqRHR1BKD0Z6GGYgHWksmzhZgC2AvZPmMLq7HxneuNYc lBII5wRcPdl0Hg8SjRxeYXE6ar3OYMSJOMMUuVma76mZ6An6cWH3iJhgNoQgkhAo blQc5MvPq+t/YCJjT7JG7gmHATvALDxVAC3GbgN5XD+JrM1G3qDN0PzO9Znvhb0Q ru3araQ54gEDd6uhaSvqTwDFTbFLgATAEzAm8CescJxAeSJgFWb3sdzgQFSG/MEy lmbGzct5fdL7ItkUGJSKsQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIIXe0ZHBESqSAwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDQxNzA3NDYwMVoX DTI3MDQxNzA3NDYwMVowMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AM04JI0AJMACvNu2epBcixWoha3ujNMoXAAYX6U8AboeDbtPxgxRsbEwyaJrHNL6 5gJ3P89MmsKVLl2tK78sYhUfSRU6QOc59+Pjari9Y56HROZv/mUIRr3HK72UOVP/ NZvFLj3Dj507CAu8He9QBc7VF0aCnxuGrRMOFQmI43rP11dnSH338xmSz0TgG37B FZmMZEvVPbAhk4HghePfZQYO6F0/bIWPM0XAt7887QHB+awUaoz6HPar1WUfYTte hFr3IK0M8EJuqMprPS3/EVBRgutiHrBeX1YC/UBBIrNa6qX04iQm/GCtyz1+RaiZ BSXgHTJvBo5wN2/B6tk+0RECAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV HQ4EQgRA1CUnTMP9oo4HhshUSr9pVkTab1+UOBR3TqJ8Kbyzksy1IV2p19c78PzU iC5QqnK9wTXyAFpXudEUo1Hg5MabfzBLBgNVHSMERDBCgECwJ0nkSP9aU3e4cBbb XqcJzBQjLJKKmDB6dT2QRauglnopoUvq2UebhN/Z5oeWt2MxbOOfqeemfmo5YmqE DrzmMEsGA1UdEQREMEKCQCouYXBwcy5iMmQwYzY2Yi00MTdjLTRlYzYtYjE2OS02 MWQzYWZiMWYyZmQucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD ggEBAEUuv/RuDhOjZ819G+HbFRgn9xPqOh1o/28vHQrlSpJUAbjXui86pi3WfsCT dKIx88fhKTbpmo9tBm+ThC/ZoB2dDYmA99hoO//4ohOsMhWsMsj8O6OxSss0Fc5O HacjjWNja8rxENCgen6YtghEiqnxq4XmrLbikn1+XBLbPben3d08IGeAPCOPN62d CxiKVSgy0gEN6vMThnY06xkTgv3MkyUZRbRwMB4MaIcNwkkxZstBUseajI6m8WUG rHdUhbBAAtxJMn9Av8lyyXQhJN8/w30Vh4UXZQVmv5KA32UhGazSlIH+xjwzK3uj pD010zTnGkEmUpel3nLTwMLI4sE= -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-04-17T07:47:45Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-04-17T07:48:30Z" name: kube-root-ca.crt namespace: openshift-ingress resourceVersion: "3671" uid: 3748c8c4-eae7-4d70-8479-58c31ffae3d4 - apiVersion: v1 data: cabundle.crt: |- -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeUK9R/jekrcwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3NjQxMjQ0MzAe Fw0yNjA0MTcwNzU0MDJaFw0yODA2MTUwNzU0MDNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY0MTI0NDMwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwxHa8kevV4PQRkvMCcgWcDI/zF2JJb1AQ LOzr4hhOmxmh9nUVoAG0jRU0IsujhfHnb6+lPCx8fPbGB3nSPl/2QjLgpnSaLnvh 65sJKZh5LLPsEb1I+rnsVYeDI5x7D1QDwV/H+mUyFplQ33b8kNbqXrg8XMYzxCyo U5glth8EycJe95VJUPEc6maCbIV+RYQURUCU/08CeAXsETFycA5yYmyM/BPM/rk4 GooNoG3JRQogdjsAl3srzYhW0EIO05mO2B9kW8RKWqZiQhZHYQgrMCzpMA+JB0Tb HlZRzaQP8huTTHq1r3AiLlrVyKItk3LjUZ9Zv0Mjfwi49EvS5pg1AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeygyM ItGDKu33vE0dauYZ9xrmQjAfBgNVHSMEGDAWgBQeygyMItGDKu33vE0dauYZ9xrm QjANBgkqhkiG9w0BAQsFAAOCAQEAYO5Fkl/ESNEVtJ5/P9CkYtkQXjyl8QgYUDX+ mk6787b8ULKA11GjeQu2XoPQQa0NRj2ZabyVqUFvCrJlzNeukF7NLys+CDTA9fkb 8Ve+b5iuTpvf8vc213jDBiiw++hTvYkx+2aBXRtlrTKoyg6iVkXMRPfWl5IV+gWe zYb6g6lFoxiU/AoiyEF6HebHuY6uFPx0xrhVF7043jJEEZaQ9nLO7StVVm7kGuMk l+OQjmf+U/Iva2yn4epFImk5cui3M1wFoQyxYdLMAuaW0iHYMmVwFdsmlm3Gq9FO Z5xeoGGaMm8YjE9ZVkA8QSqNWyPBs06EbD6FhGCUeuZ+BA48xQ== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-04-17T08:03:16Z" labels: opendatahub.io/managed: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cabundle.crt: {} f:metadata: f:labels: .: {} f:opendatahub.io/managed: {} manager: manager operation: Update time: "2026-04-17T08:03:16Z" name: odh-kserve-custom-ca-bundle namespace: openshift-ingress resourceVersion: "20602" uid: f6efe10c-2505-4b23-bf40-e9d64f1ae304 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeUK9R/jekrcwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3NjQxMjQ0MzAe Fw0yNjA0MTcwNzU0MDJaFw0yODA2MTUwNzU0MDNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY0MTI0NDMwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwxHa8kevV4PQRkvMCcgWcDI/zF2JJb1AQ LOzr4hhOmxmh9nUVoAG0jRU0IsujhfHnb6+lPCx8fPbGB3nSPl/2QjLgpnSaLnvh 65sJKZh5LLPsEb1I+rnsVYeDI5x7D1QDwV/H+mUyFplQ33b8kNbqXrg8XMYzxCyo U5glth8EycJe95VJUPEc6maCbIV+RYQURUCU/08CeAXsETFycA5yYmyM/BPM/rk4 GooNoG3JRQogdjsAl3srzYhW0EIO05mO2B9kW8RKWqZiQhZHYQgrMCzpMA+JB0Tb HlZRzaQP8huTTHq1r3AiLlrVyKItk3LjUZ9Zv0Mjfwi49EvS5pg1AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeygyM ItGDKu33vE0dauYZ9xrmQjAfBgNVHSMEGDAWgBQeygyMItGDKu33vE0dauYZ9xrm QjANBgkqhkiG9w0BAQsFAAOCAQEAYO5Fkl/ESNEVtJ5/P9CkYtkQXjyl8QgYUDX+ mk6787b8ULKA11GjeQu2XoPQQa0NRj2ZabyVqUFvCrJlzNeukF7NLys+CDTA9fkb 8Ve+b5iuTpvf8vc213jDBiiw++hTvYkx+2aBXRtlrTKoyg6iVkXMRPfWl5IV+gWe zYb6g6lFoxiU/AoiyEF6HebHuY6uFPx0xrhVF7043jJEEZaQ9nLO7StVVm7kGuMk l+OQjmf+U/Iva2yn4epFImk5cui3M1wFoQyxYdLMAuaW0iHYMmVwFdsmlm3Gq9FO Z5xeoGGaMm8YjE9ZVkA8QSqNWyPBs06EbD6FhGCUeuZ+BA48xQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-04-17T07:47:45Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-04-17T07:47:45Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-04-17T07:54:12Z" name: openshift-service-ca.crt namespace: openshift-ingress resourceVersion: "8229" uid: 48d96284-3601-4926-890e-2be180267c88 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeUK9R/jekrcwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3NjQxMjQ0MzAe Fw0yNjA0MTcwNzU0MDJaFw0yODA2MTUwNzU0MDNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY0MTI0NDMwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwxHa8kevV4PQRkvMCcgWcDI/zF2JJb1AQ LOzr4hhOmxmh9nUVoAG0jRU0IsujhfHnb6+lPCx8fPbGB3nSPl/2QjLgpnSaLnvh 65sJKZh5LLPsEb1I+rnsVYeDI5x7D1QDwV/H+mUyFplQ33b8kNbqXrg8XMYzxCyo U5glth8EycJe95VJUPEc6maCbIV+RYQURUCU/08CeAXsETFycA5yYmyM/BPM/rk4 GooNoG3JRQogdjsAl3srzYhW0EIO05mO2B9kW8RKWqZiQhZHYQgrMCzpMA+JB0Tb HlZRzaQP8huTTHq1r3AiLlrVyKItk3LjUZ9Zv0Mjfwi49EvS5pg1AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeygyM ItGDKu33vE0dauYZ9xrmQjAfBgNVHSMEGDAWgBQeygyMItGDKu33vE0dauYZ9xrm QjANBgkqhkiG9w0BAQsFAAOCAQEAYO5Fkl/ESNEVtJ5/P9CkYtkQXjyl8QgYUDX+ mk6787b8ULKA11GjeQu2XoPQQa0NRj2ZabyVqUFvCrJlzNeukF7NLys+CDTA9fkb 8Ve+b5iuTpvf8vc213jDBiiw++hTvYkx+2aBXRtlrTKoyg6iVkXMRPfWl5IV+gWe zYb6g6lFoxiU/AoiyEF6HebHuY6uFPx0xrhVF7043jJEEZaQ9nLO7StVVm7kGuMk l+OQjmf+U/Iva2yn4epFImk5cui3M1wFoQyxYdLMAuaW0iHYMmVwFdsmlm3Gq9FO Z5xeoGGaMm8YjE9ZVkA8QSqNWyPBs06EbD6FhGCUeuZ+BA48xQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: description: ConfigMap providing service CA bundle. openshift.io/description: Configmap is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates openshift.io/owning-component: service-ca service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-04-17T07:47:53Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:description: {} f:service.beta.openshift.io/inject-cabundle: {} manager: ingress-operator operation: Update time: "2026-04-17T07:47:53Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service-ca.crt: {} f:metadata: f:annotations: f:openshift.io/description: {} f:openshift.io/owning-component: {} manager: service-ca-operator operation: Update time: "2026-04-17T07:54:12Z" name: service-ca-bundle namespace: openshift-ingress resourceVersion: "7832" uid: becc0890-b8a3-4a9d-addc-b34c67b2019e - apiVersion: v1 data: merged-values: |- { "affinity": {}, "autoscaleBehavior": {}, "autoscaleEnabled": true, "autoscaleMax": 5, "autoscaleMin": 1, "base": { "enableIstioConfigCRDs": true }, "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "configMap": true, "cpu": { "targetAverageUtilization": 80 }, "defaultRevision": "", "deploymentLabels": {}, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "envVarFrom": [], "experimental": { "stableValidationPolicy": false }, "extraContainerArgs": [], "gatewayClasses": {}, "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.26.2", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "hub": "", "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "initContainers": [], "ipFamilies": [], "ipFamilyPolicy": "", "istiodRemote": { "enabled": false, "injectionCABundle": "", "injectionPath": "/inject", "injectionURL": "" }, "jwksResolverExtraRootCA": "", "keepaliveMaxServerConnectionAge": "30m", "memory": {}, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "enablePrometheusMerge": true, "ingressControllerMode": "OFF" }, "nodeSelector": {}, "ownerName": "", "pilot": { "cni": { "enabled": false, "provider": "multus" }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" }, "podLabels": {}, "replicaCount": 1, "resources": { "requests": { "cpu": "500m", "memory": "2048Mi" } }, "revision": "openshift-gateway", "revisionTags": [], "rollingMaxSurge": "100%", "rollingMaxUnavailable": "25%", "seLinuxOptions": { "type": "spc_t" }, "seccompProfile": {}, "serviceAccountAnnotations": {}, "serviceAnnotations": {}, "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} }, "sidecarInjectorWebhookAnnotations": {}, "tag": "", "taint": { "enabled": false, "namespace": "" }, "telemetry": { "enabled": true, "v2": { "enabled": true, "prometheus": { "enabled": true }, "stackdriver": { "enabled": false } } }, "tolerations": [], "topologySpreadConstraints": [], "traceSampling": 1, "trustedZtunnelName": "", "trustedZtunnelNamespace": "kube-system", "variant": "", "volumeMounts": [], "volumes": [] } original-values: |- { "defaultRevision": "", "global": { "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "istioNamespace": "openshift-ingress", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "proxy_init": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" } }, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "ingressControllerMode": "OFF" }, "pilot": { "cni": { "enabled": false }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "enableNamespacesByDefault": false } } kind: ConfigMap metadata: annotations: kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-17T07:59:50Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:merged-values: {} f:original-values: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"950bdc7e-cfff-47b4-ad26-6f0d1c768095"}: {} manager: sail-operator operation: Update time: "2026-04-17T08:01:51Z" name: values-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 950bdc7e-cfff-47b4-ad26-6f0d1c768095 resourceVersion: "19242" uid: a5e0892f-4fde-465e-9868-dd701d983b98 kind: ConfigMapList metadata: resourceVersion: "37401"