--- apiVersion: v1 items: - apiVersion: v1 data: root-cert.pem: | -----BEGIN CERTIFICATE----- MIIC/DCCAeSgAwIBAgIQTxIVeoOmDPGEP2hzf6F9sTANBgkqhkiG9w0BAQsFADAY MRYwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMB4XDTI2MDQyMjE4NTQyNVoXDTM2MDQx OTE4NTQyNVowGDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKtqzszHLWkLpWr0nEwlmR7cRHr5RHXS8pXCIh76 Y/rM+kKNLlNCKl2oQQp4HS8sJ3vF5T3Zo4Z+rCQHmm1Kv14BhKM2Ul/joDzbz7Kw mFghoYdgsdopSUvB2N2WsZmGU/hHF99CTUMxV3Jzk1TxN/xl2vtRfajjIoGGqXSs BJ+Xv7Xjbtw6QwRiLVjk7+mCEvwnyvYmGxE+ikZDuU5BHEUugeVRN+eY13DCtUs0 bzoyGk1jjOJ8PWVr/eJATHztWaJWymqJiUkjAlsrwcGK9zPmOM2l3RgPh37gbAc7 qnlsC65rERRiOmqFfxEFQ7jRZ+gBCjdQpMilja+Uf5p35jMCAwEAAaNCMEAwDgYD VR0PAQH/BAQDAgIEMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGEKNDAPYqNN HuJqVHKPxkCSHD15MA0GCSqGSIb3DQEBCwUAA4IBAQCQ8vBXxks1OQNisIrrxZy7 Pf477521LpFZA8xqcSFl8LUMVvhLQQj1x/0p7H7hYSMKfrY4bxM+Uy5WxdNuFFrZ Sr7SFcWnchMaI5eXKmIO5wuoAlpLW5F+MB0fzcd1GLyYFrrAlvo18nWvA4c661Z/ e9mT4ClLGcez4WT7OBcpu0+3kdAlCBkyb7xwYQX24U62uitKypz+O7ojJOpwRF3l qGvHSRM7IQ70kieLSG7ICn7pxj8pEiiTGohJra4W+Dw1eNtPMSf0SVkN6YkevwD9 JvoKyGJ+FuqtJRcfv8kWpXSk1u3ZkzCNh8upP5uS/CPwVN769s+/LQZ1Ju6qaaNg -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-04-22T18:54:28Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:root-cert.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-04-22T18:54:28Z" name: istio-ca-root-cert namespace: openshift-ingress resourceVersion: "15255" uid: 87d236ea-e1c9-4d39-8b28-0ca6ec3b56a2 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-55ff986f96-m6qfm","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-04-22T18:56:39Z","renewTime":"2026-04-22T19:15:10Z","leaderTransitions":1}' creationTimestamp: "2026-04-22T18:54:25Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-04-22T19:15:10Z" name: istio-gateway-status-leader namespace: openshift-ingress resourceVersion: "37283" uid: d7cfc8c8-7c4c-4670-af5c-621c00f54261 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-55ff986f96-m6qfm","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-04-22T18:56:36Z","renewTime":"2026-04-22T19:15:07Z","leaderTransitions":1}' creationTimestamp: "2026-04-22T18:54:25Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-04-22T19:15:07Z" name: istio-ip-autoallocate namespace: openshift-ingress resourceVersion: "37256" uid: 6034759d-884f-451e-bfac-3e04521efaa0 - apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod-openshift-gateway.openshift-ingress.svc:15012 proxyHeaders: envoyDebugHeaders: disabled: true metadataExchangeHeaders: mode: IN_MESH server: disabled: true defaultProviders: metrics: - prometheus enablePrometheusMerge: true ingressControllerMode: "OFF" rootNamespace: openshift-ingress trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-22T18:54:21Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:mesh: {} f:meshNetworks: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"95c53eaa-53ac-4df8-b396-28a240fbadde"}: {} manager: sail-operator operation: Update time: "2026-04-22T18:54:21Z" name: istio-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 95c53eaa-53ac-4df8-b396-28a240fbadde resourceVersion: "15055" uid: b1eda715-80f8-4ca9-abc8-38291ba608fe - apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} {{- if .Values.pilot.cni.enabled }} {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := and (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) (not $nativeSidecar) }} {{- $noInitContainer := and (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) (not $nativeSidecar) }} {{ if $noInitContainer }} initContainers: [] {{ else -}} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} args: - istio-iptables - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - "-c" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" {{ end -}} - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{ template "resources" . }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} runAsNonRoot: true {{- end }} {{ end -}} {{ end -}} {{ if not $nativeSidecar }} containers: {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- else if $nativeSidecar }} {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} lifecycle: preStop: exec: command: - pilot-agent - request - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - POST - drain {{- end }} env: {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ . }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: 0 periodSeconds: 1 timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} allowPrivilegeEscalation: true capabilities: add: - NET_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 {{- else -}} runAsNonRoot: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} {{- end }} {{- end }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: name: workload-socket - emptyDir: name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: istio.io/rev: {{ .Revision | default "default" | quote }} {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" {{- end }} {{- end }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 4 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} securityContext: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} grpc-simple: | metadata: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" spec: initContainers: - name: grpc-bootstrap-init image: busybox:1.28 volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap env: - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_NAMESPACE value: | {{ .Values.global.istioNamespace }} command: - sh - "-c" - |- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" echo ' { "xds_servers": [ { "server_uri": "'${SERVER_URI}'", "channel_creds": [{"type": "insecure"}], "server_features" : ["xds_v3"] } ], "node": { "id": "'${NODE_ID}'", "metadata": { "GENERATOR": "grpc" } } }' > /var/lib/grpc/data/bootstrap.json containers: {{- range $index, $container := .Spec.Containers }} - name: {{ $container.Name }} env: - name: GRPC_XDS_BOOTSTRAP value: /var/lib/grpc/data/bootstrap.json - name: GRPC_GO_LOG_VERBOSITY_LEVEL value: "99" - name: GRPC_GO_LOG_SEVERITY_LEVEL value: info volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap {{- end }} volumes: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15020 protocol: TCP name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} lifecycle: postStart: exec: command: - pilot-agent - wait - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" value: "true" - name: "GRPC_XDS_BOOTSTRAP" value: "/etc/istio/proxy/grpc-bootstrap.json" volumeMounts: - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- end }} {{- end }} volumes: - emptyDir: name: workload-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": "{{.Name}}" template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} affinity: {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.nodeSelector }} nodeSelector: {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.tolerations }} tolerations: {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy - waypoint - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - {{.ServiceAccount}}.$(POD_NAMESPACE) - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} env: - name: ISTIO_META_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} {{- if .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} {{- if $network }} - name: ISTIO_META_NETWORK value: "{{ $network }}" {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName}} - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if .Values.global.waypoint.resources }} resources: {{- toYaml .Values.global.waypoint.resources | nindent 10 }} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo volumes: - emptyDir: {} name: workload-socket - emptyDir: medium: Memory name: istio-envoy - emptyDir: medium: Memory name: go-proxy-envoy - emptyDir: {} name: istio-data - emptyDir: {} name: go-proxy-data - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (strdict "networking.istio.io/traffic-distribution" "PreferClose") (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version" ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": "{{.Name}}" {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} kube-gateway: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": {{.Name}} template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 8 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} - name: ISTIO_META_OWNER value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: {{.|quote}} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:root-cert path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: {{.UID}} spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": {{.Name}} {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} values: |- { "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.26.2", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "pilot": { "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} } } kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-22T18:54:21Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:config: {} f:values: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"95c53eaa-53ac-4df8-b396-28a240fbadde"}: {} manager: sail-operator operation: Update time: "2026-04-22T18:56:24Z" name: istio-sidecar-injector-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 95c53eaa-53ac-4df8-b396-28a240fbadde resourceVersion: "20193" uid: 344a1f22-50b3-4ee0-b136-ba9fad9719b7 - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDPDCCAiSgAwIBAgIIIz8YltnkVoswDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDQyMjE4NDAyOVoX DTM2MDQxOTE4NDAyOVowJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1wPqtonGM54e HlDSzqb5nl8Cjn/+kpBn7wT9yBdO9Hl7W5cCXh26Y7ipc1VTVTTQDa3nZBK2jz2y DhtnKPDkFxk7J3FnlWqW0Cy4dxHe9m+ky1me5xGUFnY3Iq3qLE/MZQYvlMb5fLZp dEqiGB8OXimyGCGLNxoJ+Dhpvs905M4QyS8Vifj5EHPvfjCQ3v4qczoel1vBLp5l C1YOjZPQ0cLI2QLIflR2kdqRiqFOWjsJsEOUS3X63urJiPPx+2wHt7SfhFpaljQq ekr4RLbxMcJIjJBubNLA/dfuabiCCsO5eqUHuNVqN9LD8ZUI6tXrCyDZ9v2JmXY0 8F4LnMG/6wIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zBJBgNVHQ4EQgRAMk2q7DAJDfnbMCk/W/tN4iVWtgYOm+yWjRCkkhi6ll/hf27c sR+f06RzofGTj/RYFtaCmAt1XHKx6j/ANQU4njANBgkqhkiG9w0BAQsFAAOCAQEA aCHpetTIsbPVgqwNl+faUI4aN/NdFhhKrCrioD5hTIWmrnfmWyx9WoTc5T4A0Vk1 NN+PM/yNKK8wxMxSHERiXa+FJ02RndoY+0/hbFzL0ytg+KWUyp+rmBrCY7vL5njW bjkG+v1vja04OfUkim3vd0RXMN0Q7wWuVKuNJ3kbAsON/iYOO5FGv1ObYon6EUuU 4TzhNlczA9cnuqVWCX+MDi2PQA+QryYi/8kOaRjM9TujUgpD4m8/oy3N/XqK1tRf wEJqC4L/YUEwDFCqgL9eKUXo2+Tb0+1NlNWX6m+ZG1OrHPlrI54+SGZnwqNyaqSm woazYthSsevNZBl2ucRwGA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIIP1KE5CF0xGowDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDQyMjE4NDA1N1oX DTI3MDQyMjE4NDA1N1owMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AK7iuevejsxKi2yWuPyFjCJjRA4SVSeav8xdyRVnb0N5JttLmGzr/dYusGvmKQeq uhysiM+j1GfxlnPBLgv0TU6RPM8LPzbqcNoQr8yvuUeaEUEwU34ZchBY+WNUIEcE oVGwMIEcYgygPlIiSjd7quCwGQiadcc9jw1Z1D8JEV5QHoUwCISEk51auc7xY995 aWIAR9TrH5l7jl3nEINIOzKPBx8/JU7LAu5IcoOENT3I11RVVVPWIZ1pjbxw4Jaz Y24sPLVthO9QXv9cMdUYSijLwrvjt0FufV0OnxS6JDt2OR/bEuNoRjTUjdgZ5tdn Z98Lgr24qU0ay9jNRo7Qt2MCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV HQ4EQgRAnFr1OGmZIXyQC86y3EHd6XTGcEzvBlu767r30pEIiHWnDa28sY2RuS3J 9MlWP+Hsn6HHprzluJ2IEmviQ5G8JTBLBgNVHSMERDBCgEAyTarsMAkN+dswKT9b +03iJVa2Bg6b7JaNEKSSGLqWX+F/btyxH5/TpHOh8ZOP9FgW1oKYC3VccrHqP8A1 BTieMEsGA1UdEQREMEKCQCouYXBwcy42ZmMzNzczOC0yMzY3LTQxYjMtOTc5MS1k YmE3OTY3MzQyMWEucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD ggEBAHX7UwhKuInLDbgTECMWs1Xig6uuFaFlvS0fd/juhkIx9GEb6B+kIwW8YOqF K0VIAU9XufbueVkFVUXSAUGLEpuHF5d5XjpbJxgfmZj7ZPSQEl5yNsRJ93qau78+ R8/l4TKE+0mjjHfzD1XXzvoJijfdnXKuZwAXbrjKnhR1ZgO0ZJQOZ1agpbLcQGl9 a/Be3JaRZMtND0SVnbqSouDHAX5z4lDHUNsXmSkR4BtigvFIgdvo6fIISh44F5n1 JojlnhbmOH1kRZOdD2/CX6/5aOs+TQIhRss7Dknsvw6sNgOfJOkLrO/zu235e3T4 pmgMyf2/exYclPwohkseGdix4TI= -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-04-22T18:42:29Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-04-22T18:43:24Z" name: kube-root-ca.crt namespace: openshift-ingress resourceVersion: "4379" uid: a34f8eb5-e6e4-439b-bfc6-7cdecca76d7c - apiVersion: v1 data: cabundle.crt: |- -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIPR8d5TBc7RQwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3Njg4MzczODAe Fw0yNjA0MjIxODQ4NTdaFw0yODA2MjAxODQ4NThaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY4ODM3MzgwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4fnpYNjyLUlDkVaIfgjOpW2CyMO3Qzq4l U31XzCcWfK6xCqFeqH4nmBRB+ORzYqjcryozXCyMlBz6EG8uXo0y1SRy+Hdxp04G ft2GDYPDp2y/rAH9Ap4YcHtSZRiQpT76UKceHqTJAcGjAf+LoDcgePU99ZC51kq1 qgT59IBP+mC544pYxPWMV3sGA1z8sohh+b4X1hj/IUR/fnqTHwpYzs2TYieGypl7 tVs/Dbqjnkunv9MGVlsX0tC1y3kGlHsmWPB7TNlWlWHV1g9r1mFJG6+jW5VGze3S QXbZKSzBIgY5bKQQ+cJc/oQmwiNJzifnv07KTG1oRfA14waukBZrAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRm8v2p lN2S03EV4QvQ+wpOkR5KUTAfBgNVHSMEGDAWgBRm8v2plN2S03EV4QvQ+wpOkR5K UTANBgkqhkiG9w0BAQsFAAOCAQEADKqbka4yIiLr+I1UZQk8HuGfBgt8Mihtk+eM CPC+JQerTXaEGfPhpKPUZdjdnw9SyKB0t8kkWEDwoWIxuSTLofi5IcPE1kjgBvo6 fc3XKxmQYbnUTBzYyiKvsStDe2LFEPAdX1x0XKoH7ppwc4fjbjdwf0y/N3NCKe9E V880/LnBR3M0dSKIcuIldNC9epEZQZFIevzU7Z5J81PPlWbI4OmSvGyHAGDUd7sb yev0qxAkMmhE9GdYIjGS/RFOy7yGgAY+Rd4jUZkakoreHORJxWRlrcM/RhfofI1J D/bzZrDgv2mtOFp5Y4ga5yGptIu/OkfFGf/95kfdU8XximXG4Q== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-04-22T18:57:47Z" labels: opendatahub.io/managed: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cabundle.crt: {} f:metadata: f:labels: .: {} f:opendatahub.io/managed: {} manager: manager operation: Update time: "2026-04-22T18:57:47Z" name: odh-kserve-custom-ca-bundle namespace: openshift-ingress resourceVersion: "21497" uid: 1acb839b-d869-4416-85f0-e0d508103291 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIPR8d5TBc7RQwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3Njg4MzczODAe Fw0yNjA0MjIxODQ4NTdaFw0yODA2MjAxODQ4NThaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY4ODM3MzgwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4fnpYNjyLUlDkVaIfgjOpW2CyMO3Qzq4l U31XzCcWfK6xCqFeqH4nmBRB+ORzYqjcryozXCyMlBz6EG8uXo0y1SRy+Hdxp04G ft2GDYPDp2y/rAH9Ap4YcHtSZRiQpT76UKceHqTJAcGjAf+LoDcgePU99ZC51kq1 qgT59IBP+mC544pYxPWMV3sGA1z8sohh+b4X1hj/IUR/fnqTHwpYzs2TYieGypl7 tVs/Dbqjnkunv9MGVlsX0tC1y3kGlHsmWPB7TNlWlWHV1g9r1mFJG6+jW5VGze3S QXbZKSzBIgY5bKQQ+cJc/oQmwiNJzifnv07KTG1oRfA14waukBZrAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRm8v2p lN2S03EV4QvQ+wpOkR5KUTAfBgNVHSMEGDAWgBRm8v2plN2S03EV4QvQ+wpOkR5K UTANBgkqhkiG9w0BAQsFAAOCAQEADKqbka4yIiLr+I1UZQk8HuGfBgt8Mihtk+eM CPC+JQerTXaEGfPhpKPUZdjdnw9SyKB0t8kkWEDwoWIxuSTLofi5IcPE1kjgBvo6 fc3XKxmQYbnUTBzYyiKvsStDe2LFEPAdX1x0XKoH7ppwc4fjbjdwf0y/N3NCKe9E V880/LnBR3M0dSKIcuIldNC9epEZQZFIevzU7Z5J81PPlWbI4OmSvGyHAGDUd7sb yev0qxAkMmhE9GdYIjGS/RFOy7yGgAY+Rd4jUZkakoreHORJxWRlrcM/RhfofI1J D/bzZrDgv2mtOFp5Y4ga5yGptIu/OkfFGf/95kfdU8XximXG4Q== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-04-22T18:42:29Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-04-22T18:42:29Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-04-22T18:49:06Z" name: openshift-service-ca.crt namespace: openshift-ingress resourceVersion: "8292" uid: bbe4a1be-4c9d-4630-83d2-543d88369874 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIPR8d5TBc7RQwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3Njg4MzczODAe Fw0yNjA0MjIxODQ4NTdaFw0yODA2MjAxODQ4NThaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzY4ODM3MzgwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4fnpYNjyLUlDkVaIfgjOpW2CyMO3Qzq4l U31XzCcWfK6xCqFeqH4nmBRB+ORzYqjcryozXCyMlBz6EG8uXo0y1SRy+Hdxp04G ft2GDYPDp2y/rAH9Ap4YcHtSZRiQpT76UKceHqTJAcGjAf+LoDcgePU99ZC51kq1 qgT59IBP+mC544pYxPWMV3sGA1z8sohh+b4X1hj/IUR/fnqTHwpYzs2TYieGypl7 tVs/Dbqjnkunv9MGVlsX0tC1y3kGlHsmWPB7TNlWlWHV1g9r1mFJG6+jW5VGze3S QXbZKSzBIgY5bKQQ+cJc/oQmwiNJzifnv07KTG1oRfA14waukBZrAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRm8v2p lN2S03EV4QvQ+wpOkR5KUTAfBgNVHSMEGDAWgBRm8v2plN2S03EV4QvQ+wpOkR5K UTANBgkqhkiG9w0BAQsFAAOCAQEADKqbka4yIiLr+I1UZQk8HuGfBgt8Mihtk+eM CPC+JQerTXaEGfPhpKPUZdjdnw9SyKB0t8kkWEDwoWIxuSTLofi5IcPE1kjgBvo6 fc3XKxmQYbnUTBzYyiKvsStDe2LFEPAdX1x0XKoH7ppwc4fjbjdwf0y/N3NCKe9E V880/LnBR3M0dSKIcuIldNC9epEZQZFIevzU7Z5J81PPlWbI4OmSvGyHAGDUd7sb yev0qxAkMmhE9GdYIjGS/RFOy7yGgAY+Rd4jUZkakoreHORJxWRlrcM/RhfofI1J D/bzZrDgv2mtOFp5Y4ga5yGptIu/OkfFGf/95kfdU8XximXG4Q== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: description: ConfigMap providing service CA bundle. openshift.io/description: Configmap is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates openshift.io/owning-component: service-ca service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-04-22T18:42:34Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:description: {} f:service.beta.openshift.io/inject-cabundle: {} manager: ingress-operator operation: Update time: "2026-04-22T18:42:34Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service-ca.crt: {} f:metadata: f:annotations: f:openshift.io/description: {} f:openshift.io/owning-component: {} manager: service-ca-operator operation: Update time: "2026-04-22T18:49:06Z" name: service-ca-bundle namespace: openshift-ingress resourceVersion: "7945" uid: f8e33769-b740-4dbf-97e7-69be0bb8f816 - apiVersion: v1 data: merged-values: |- { "affinity": {}, "autoscaleBehavior": {}, "autoscaleEnabled": true, "autoscaleMax": 5, "autoscaleMin": 1, "base": { "enableIstioConfigCRDs": true }, "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "configMap": true, "cpu": { "targetAverageUtilization": 80 }, "defaultRevision": "", "deploymentLabels": {}, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "envVarFrom": [], "experimental": { "stableValidationPolicy": false }, "extraContainerArgs": [], "gatewayClasses": {}, "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.26.2", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "hub": "", "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "initContainers": [], "ipFamilies": [], "ipFamilyPolicy": "", "istiodRemote": { "enabled": false, "injectionCABundle": "", "injectionPath": "/inject", "injectionURL": "" }, "jwksResolverExtraRootCA": "", "keepaliveMaxServerConnectionAge": "30m", "memory": {}, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "enablePrometheusMerge": true, "ingressControllerMode": "OFF" }, "nodeSelector": {}, "ownerName": "", "pilot": { "cni": { "enabled": false, "provider": "multus" }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" }, "podLabels": {}, "replicaCount": 1, "resources": { "requests": { "cpu": "500m", "memory": "2048Mi" } }, "revision": "openshift-gateway", "revisionTags": [], "rollingMaxSurge": "100%", "rollingMaxUnavailable": "25%", "seLinuxOptions": { "type": "spc_t" }, "seccompProfile": {}, "serviceAccountAnnotations": {}, "serviceAnnotations": {}, "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} }, "sidecarInjectorWebhookAnnotations": {}, "tag": "", "taint": { "enabled": false, "namespace": "" }, "telemetry": { "enabled": true, "v2": { "enabled": true, "prometheus": { "enabled": true }, "stackdriver": { "enabled": false } } }, "tolerations": [], "topologySpreadConstraints": [], "traceSampling": 1, "trustedZtunnelName": "", "trustedZtunnelNamespace": "kube-system", "variant": "", "volumeMounts": [], "volumes": [] } original-values: |- { "defaultRevision": "", "global": { "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "istioNamespace": "openshift-ingress", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" }, "proxy_init": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe" } }, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "ingressControllerMode": "OFF" }, "pilot": { "cni": { "enabled": false }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "enableNamespacesByDefault": false } } kind: ConfigMap metadata: annotations: kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-22T18:54:21Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:merged-values: {} f:original-values: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"95c53eaa-53ac-4df8-b396-28a240fbadde"}: {} manager: sail-operator operation: Update time: "2026-04-22T18:56:24Z" name: values-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 95c53eaa-53ac-4df8-b396-28a240fbadde resourceVersion: "20190" uid: 6efc8fd3-cf7b-4917-bf0c-b0c2a89c4894 kind: ConfigMapList metadata: resourceVersion: "37351"