--- apiVersion: v1 items: - apiVersion: v1 data: service: | metadata: annotations: service.beta.openshift.io/serving-cert-secret-name: "data-science-gateway-service-tls" spec: type: ClusterIP kind: ConfigMap metadata: annotations: platform.opendatahub.io/instance.generation: "2" platform.opendatahub.io/instance.name: default-gateway platform.opendatahub.io/instance.uid: cfe15d11-addd-4196-b8d1-37e51b2ed568 platform.opendatahub.io/type: Open Data Hub platform.opendatahub.io/version: 3.5.0-ea.1 creationTimestamp: "2026-06-10T23:06:48Z" labels: platform.opendatahub.io/part-of: gatewayconfig managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service: {} f:metadata: f:annotations: f:platform.opendatahub.io/instance.generation: {} f:platform.opendatahub.io/instance.name: {} f:platform.opendatahub.io/instance.uid: {} f:platform.opendatahub.io/type: {} f:platform.opendatahub.io/version: {} f:labels: f:platform.opendatahub.io/part-of: {} f:ownerReferences: k:{"uid":"cfe15d11-addd-4196-b8d1-37e51b2ed568"}: {} manager: gatewayconfig operation: Apply time: "2026-06-10T23:07:24Z" name: data-science-gateway-config namespace: openshift-ingress ownerReferences: - apiVersion: services.platform.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: GatewayConfig name: default-gateway uid: cfe15d11-addd-4196-b8d1-37e51b2ed568 resourceVersion: "17281" uid: 9a029b32-a072-4b6f-a7ef-8bb0cb1b42a3 - apiVersion: v1 data: service: | metadata: annotations: # OpenShift service-ca-operator auto-provisions a TLS certificate into this Secret. # The Secret name here MUST match the certificateRefs in the Gateway listener. service.beta.openshift.io/serving-cert-secret-name: "maas-gw-service-tls" spec: # ClusterIP avoids provisioning an external LoadBalancer; the OpenShift Route # handles external ingress instead. type: ClusterIP kind: ConfigMap metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"service":"metadata:\n annotations:\n # OpenShift service-ca-operator auto-provisions a TLS certificate into this Secret.\n # The Secret name here MUST match the certificateRefs in the Gateway listener.\n service.beta.openshift.io/serving-cert-secret-name: \"maas-gw-service-tls\"\nspec:\n # ClusterIP avoids provisioning an external LoadBalancer; the OpenShift Route\n # handles external ingress instead.\n type: ClusterIP\n"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"gw-options","namespace":"openshift-ingress"}} creationTimestamp: "2026-06-10T23:09:08Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service: {} f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} manager: kubectl-client-side-apply operation: Update time: "2026-06-10T23:09:08Z" name: gw-options namespace: openshift-ingress resourceVersion: "21938" uid: 0cd4d5af-ee43-48cf-bc43-0cec00b2ab0c - apiVersion: v1 data: ca-crl.pem: "" kind: ConfigMap metadata: creationTimestamp: "2026-06-10T23:07:24Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-crl.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-10T23:07:24Z" name: istio-ca-crl namespace: openshift-ingress resourceVersion: "17235" uid: e25c4f73-e374-4aed-bcfd-cfecbee80f99 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-75c67f8887-68gjk","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-06-10T23:07:23Z","renewTime":"2026-06-10T23:39:26Z","leaderTransitions":0}' creationTimestamp: "2026-06-10T23:07:23Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-06-10T23:39:26Z" name: istio-ip-autoallocate namespace: openshift-ingress resourceVersion: "51669" uid: f83623bf-9db9-45a1-bb64-14ba84cd9497 - apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod-openshift-gateway.openshift-ingress.svc:15012 proxyHeaders: envoyDebugHeaders: disabled: true metadataExchangeHeaders: mode: IN_MESH server: disabled: true defaultProviders: metrics: - prometheus enablePrometheusMerge: true ingressControllerMode: "OFF" rootNamespace: openshift-ingress trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-10T23:07:19Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:mesh: {} f:meshNetworks: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"6831dc79-4b78-40b5-8c08-eb96e8161e6e"}: {} manager: sail-operator operation: Update time: "2026-06-10T23:07:19Z" name: istio-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 6831dc79-4b78-40b5-8c08-eb96e8161e6e resourceVersion: "16715" uid: 99db3d62-b059-4930-b34f-efcdca42e273 - apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} {{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} {{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} {{- if .Values.pilot.cni.enabled }} {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := and (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) (not $nativeSidecar) }} {{- $noInitContainer := and (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) (not $nativeSidecar) }} {{ if $noInitContainer }} initContainers: [] {{ else -}} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} args: - istio-iptables - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - "-c" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" {{ end -}} - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} {{ if .Values.global.nativeNftables -}} - "--native-nftables" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{ template "resources" . }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} runAsNonRoot: true {{- end }} {{ end -}} {{ end -}} {{ if not $nativeSidecar }} containers: {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- else if $nativeSidecar }} {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} lifecycle: preStop: exec: command: - pilot-agent - request - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - POST - drain {{- end }} env: {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ . }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: 0 periodSeconds: 1 timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} allowPrivilegeEscalation: true capabilities: add: - NET_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or $tproxy $capNetBindService -}} add: {{ if $tproxy -}} - NET_ADMIN {{- end }} {{ if $capNetBindService -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true {{ if or $tproxy $capNetBindService -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 {{- else -}} runAsNonRoot: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} {{- end }} {{- end }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/run/secrets/istio/crl name: istio-ca-crl {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: name: workload-socket - emptyDir: name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} - name: istio-ca-crl configMap: name: istio-ca-crl optional: true {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: istio.io/rev: {{ .Revision | default "default" | quote }} {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" {{- end }} {{- end }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 4 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} securityContext: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} grpc-simple: | metadata: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" spec: initContainers: - name: grpc-bootstrap-init image: busybox:1.28 volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap env: - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_NAMESPACE value: | {{ .Values.global.istioNamespace }} command: - sh - "-c" - |- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" echo ' { "xds_servers": [ { "server_uri": "'${SERVER_URI}'", "channel_creds": [{"type": "insecure"}], "server_features" : ["xds_v3"] } ], "node": { "id": "'${NODE_ID}'", "metadata": { "GENERATOR": "grpc" } } }' > /var/lib/grpc/data/bootstrap.json containers: {{- range $index, $container := .Spec.Containers }} - name: {{ $container.Name }} env: - name: GRPC_XDS_BOOTSTRAP value: /var/lib/grpc/data/bootstrap.json - name: GRPC_GO_LOG_VERBOSITY_LEVEL value: "99" - name: GRPC_GO_LOG_SEVERITY_LEVEL value: info volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap {{- end }} volumes: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15020 protocol: TCP name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} lifecycle: postStart: exec: command: - pilot-agent - wait - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" value: "true" - name: "GRPC_XDS_BOOTSTRAP" value: "/etc/istio/proxy/grpc-bootstrap.json" volumeMounts: - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- end }} {{- end }} volumes: - emptyDir: name: workload-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": "{{.Name}}" template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} affinity: {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.nodeSelector }} nodeSelector: {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.tolerations }} tolerations: {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy - waypoint - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - {{.ServiceAccount}}.$(POD_NAMESPACE) - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} env: - name: ISTIO_META_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} {{- if .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} {{- if $network }} - name: ISTIO_META_NETWORK value: "{{ $network }}" {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName}} - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if .Values.global.waypoint.resources }} resources: {{- toYaml .Values.global.waypoint.resources | nindent 10 }} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo volumes: - emptyDir: {} name: workload-socket - emptyDir: medium: Memory name: istio-envoy - emptyDir: medium: Memory name: go-proxy-envoy - emptyDir: {} name: istio-data - emptyDir: {} name: go-proxy-data - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (strdict "networking.istio.io/traffic-distribution" "PreferClose") (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version" ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": "{{.Name}}" {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} kube-gateway: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": {{.Name}} template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 8 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} - name: ISTIO_META_OWNER value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: {{.|quote}} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: {{.UID}} spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": {{.Name}} {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} values: |- { "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "pilot": { "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} } } kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-10T23:07:19Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:config: {} f:values: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"6831dc79-4b78-40b5-8c08-eb96e8161e6e"}: {} manager: sail-operator operation: Update time: "2026-06-10T23:07:19Z" name: istio-sidecar-injector-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 6831dc79-4b78-40b5-8c08-eb96e8161e6e resourceVersion: "16717" uid: 9501dd0b-b164-41bc-a2b8-9cb28bb60eae - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDPDCCAiSgAwIBAgIIVnkaPAlfDm4wDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYxMDIyNTAxN1oX DTM2MDYwNzIyNTAxN1owJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+RR7C5qVARmv Q1la5fKrEx5IIecI48e8RdU6L676hcLBfi0qeQNJ0o58xXQDcIw6MZY9cuXYgxxA KIIzsBjHpj4/JQ7NaR+jWadAb3HCX8Fu1h3AYnt3GpMMkGVxxeAsYksp7UNjxlan oUdP+wtCfcX366pYcUs9BOs1aoWBvwAss5BVa+/re6fSt0xT5oe1b+6OhwoVZ8x0 yctbkQwoQuiIuBtoBdXQveBHFGyxb3m9oI9G8LEPEe5iIG3/M3HOM5MqhGmnzljV L0c69AZNik/rFmQwvnC4alwI+r2UzCvv7e2tp+q191qoSgBRpHKifixH5DHfrbCQ GNi7DRI8LwIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zBJBgNVHQ4EQgRAhtxQbErFM/AMJkIJV0AvN/SnMUIyY2ioCC540uy++KxyFHGU E7d+cf3JOQz9O5MRu4yvnzARpV/TQeNYE/bYpTANBgkqhkiG9w0BAQsFAAOCAQEA Q/QKUrfkVZX/kFEk2Dbg0PytB/yT2r7awWoguUE7bznT5JluDDxs6d+olB49P/I7 F14fazBcwOhXc8sfUOG+3Z9IzonHX8NQO4x55JONlX/4xM0L8miiXySmB8kEFwW0 G/Bbkqalt4iX+jqPMi6k8OdLcY+rRhCCH3MGxpnJLIKNNoo6RLTXefMYitYGSe4D 7j5VElfjE4p0VJmlUB3+FQh9NLjVGPWSATYxT2VBI6XzcetqghNAMK7G15BcKMbs 1bNGDNkf8gSXn88iLzqbMPuykqaDtfH5F1b7oCMp0PzXSsbKzxiq2nf5CzKliLCU toNPH5+boiVx/YkqgNnOpA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIICzqyLvxdpR8wDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYxMDIyNTA0NFoX DTI3MDYxMDIyNTA0NFowMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJsFQO9GYRpVClWtLFDCSzj0qbauwI431KGxL0XipUAyyeA3/To7xnECqwUlmsfp HNMD8+dqvj+n+52YVtHJB0JlSGPkgpzVASRiCFrQCnxkwdUJFnOQgX69v+zJ5l0I xJ0Pf3uk8xRXUbId0PnPNih3VRgjwFAhcU7GRuHBJNvFpnpVzjHOFjdWEKogroSh Froqfqmsh9ZWTAhv1c4RuQzXz6a2D2n7j7/VnOwb+E4XZoNNJkO0oDlUDFxQBvxH /nUWHGkYhgtmeifkf+D/vOAII2SmT5LSYuFuhj7+OxqqtlxxCDRPYbIdszZrxDko sJsb1SUD6aeixfS2NVWcZrUCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV HQ4EQgRA5RTEWHcHEbC9h0Bv+wgS2YodxocSwv9NtPK4+ojSV6R+1i7Wx2FP+j7O 31cjiHdTm5XFm98bs1VQkAm+VD9HtzBLBgNVHSMERDBCgECG3FBsSsUz8AwmQglX QC839KcxQjJjaKgILnjS7L74rHIUcZQTt35x/ck5DP07kxG7jK+fMBGlX9NB41gT 9tilMEsGA1UdEQREMEKCQCouYXBwcy5iZjdjNjAxNS1iOGIyLTRjMTgtOTE3ZC1i YzJiZTAzODZiODAucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD ggEBAFmpQgDQrY74IcJveYLIecPVCaekPcwR5lVtRehSEbeOWhPxMnWzZmJJmVK1 BUGgZuYdQnCZBRPd9t5R6G+0iDtcXupR5WcTdge/1RLGS9MVIdC4BCzNWHh/lwi1 51wzE1LPA/HmbnilmzmflIOONTa8A4g4/2eMfD+juqzJyQAmPf/aFzLua+YLufDa TLpjYf1nsDXSaysYe4Gia1Iu2Vwhnn1WdnlEiN+ArQQxUgC5qv/bIcWJMVF56RJV f4Znd7QKTgforgpHMeeOuk+hGIFJVIvEQtBmE6EAzB9cbVwkS7ufxLhIu0J24CVL owDz4Y+RhAUsdp0avVUOUuyzRcw= -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-06-10T22:52:07Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-06-10T22:52:39Z" name: kube-root-ca.crt namespace: openshift-ingress resourceVersion: "2957" uid: 5d6590fa-9fc8-4bba-86c5-559f42b0603f - apiVersion: v1 data: cabundle.crt: |- -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIILROEBxCNkhgwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTEzMjU2NTAe Fw0yNjA2MTAyMzAyNDRaFw0yODA4MDgyMzAyNDVaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODExMzI1NjUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBol+Pv2kS3vVH3qFO8HgoDmj+VHz6joHA h/Z0e/YKUWD9gy5Hl4Fgdb9kY41izNutMg3uJ3dzT1u+YR5HC4ui6tH3E59efkVI KzbiMf7dVqiKSxi05bVFR7OewymlvAGX9+bBGCvm50Sm1smLr+wsg7FoP22PqxpD bfwZ32HyHsabwnHmg8SVQ73oqUBr2EO8ATwwkJpDsihssuHgdNDe4LzHRVDy8DFO QmJ82JDE6/8lf8iWCQm3EIjyKVMx+E4QDyjNBtyf08gCmEUM5FUNyeEsOlbZHcem GJ+lohhsccsjdet+2JBs2wwWD/eS3I30hKkmiismtwXZgVcDlpi/AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQUExwK NtZ0EXU42DzHKJKxePLk1zAfBgNVHSMEGDAWgBQUExwKNtZ0EXU42DzHKJKxePLk 1zANBgkqhkiG9w0BAQsFAAOCAQEAj4NZi8Me71C9gKTzPwMgUSlgdr63DI1Ue6ay XHloLnuzQ1AX9bvUPSKyY3seD8pRDnhi+Z9Lpl/1rvGUhBffL4tZQjLQxuXs03M5 Lj4veD48ASSHysW63JxnHqYJDwjNs9T/M5gyjld+gidodFP48riuXpBqGV6TF7O2 BfotM3hQ4MB5uNUJ+sicF5y7RcJATBm1cs/pXQ3I5ugNXWp9G3p7G61FHKtzSRLp naDSBUaW8WFSJY+fp8tTZx+TEjbuNEm1lFzVUmW1vNInwUeXnNvThsWx86XR92Iv ogMdwwpnxxned6a9ElQJ2ApYGMZFqiOOhB4kKyHGV/7DVdtmeQ== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-10T23:06:54Z" labels: opendatahub.io/managed: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cabundle.crt: {} f:metadata: f:labels: .: {} f:opendatahub.io/managed: {} manager: manager operation: Update time: "2026-06-10T23:06:54Z" name: odh-kserve-custom-ca-bundle namespace: openshift-ingress resourceVersion: "15672" uid: 73c7fc22-27b7-4ae6-88a2-50c474a5122e - apiVersion: v1 data: root-cert.pem: | -----BEGIN CERTIFICATE----- MIIC/DCCAeSgAwIBAgIQFthXTOjjtvnqhE90LtXfwDANBgkqhkiG9w0BAQsFADAY MRYwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMB4XDTI2MDYxMDIzMDcyM1oXDTM2MDYw NzIzMDcyM1owGDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKtNjZZ0popo6Ksd2WydXI8zcX6NT7P0hcfICI03 DmNSjJmqJsqKSauzcelaPMGOur6u4n4JEQry6untdI6fuaVMBXRQWzAB1GjHYQtb Jx2JsJeBt6qZDVakYv6AcyxbopaOSvwKLk+h86qrVewwQbYudVuv+KOr872gJNb9 rLI8UUMxs88U1XISwFT6olHScCut8p8ZPPMu/HaBTTtxmPlJ1Qcz7VigQmTYUNCR suAlEsa5qleRdqdS/IbqQiJHV2rpC7zzGksU40Uw/evfZCaEwf28vTqHgP2H/9GT 6mDf3+2xyBlBUh3Kc08onVdiJhPCxybXxjEbNA9sssGPAvECAwEAAaNCMEAwDgYD VR0PAQH/BAQDAgIEMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPMZShdnALHr 6RkCUoSqCxT9ic2EMA0GCSqGSIb3DQEBCwUAA4IBAQAxakMMSOdAgsX3AIyWaKIX stiySMhpehyUvizJr7TU8Sp07EM5Nyr/xGD3RC1xdCoIj0KG0RrGzMhkxVnh2P2F JlSnHniyKCizxqdLbEflvqAPkGMFVQCUdKktp1QPepcIMrJ40ulMa9xp+ny1BM/u CVHlmRACZHNF0B5txEMP2m5KntM/dhLyW6AT4RDiYPfy0KqTcAbOPQtOdmE4qSKI IgrrOggds7fmhklBbB7cRdxaRGjQXq/3fZcrn2mJHj0GO2OtEOwY76t3q2ax+Ll5 9yyscTbVaCpJ76AVXZN5FMB03RS1K9ZmgdTUsItMY3Vc8ou7EGDQetCPrQKhkEVf -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-10T23:07:24Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:root-cert.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-10T23:07:24Z" name: openshift-gw-ca-root-cert namespace: openshift-ingress resourceVersion: "17234" uid: 5d971bf5-1893-4a01-8fb8-cc457a0c4151 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIILROEBxCNkhgwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTEzMjU2NTAe Fw0yNjA2MTAyMzAyNDRaFw0yODA4MDgyMzAyNDVaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODExMzI1NjUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBol+Pv2kS3vVH3qFO8HgoDmj+VHz6joHA h/Z0e/YKUWD9gy5Hl4Fgdb9kY41izNutMg3uJ3dzT1u+YR5HC4ui6tH3E59efkVI KzbiMf7dVqiKSxi05bVFR7OewymlvAGX9+bBGCvm50Sm1smLr+wsg7FoP22PqxpD bfwZ32HyHsabwnHmg8SVQ73oqUBr2EO8ATwwkJpDsihssuHgdNDe4LzHRVDy8DFO QmJ82JDE6/8lf8iWCQm3EIjyKVMx+E4QDyjNBtyf08gCmEUM5FUNyeEsOlbZHcem GJ+lohhsccsjdet+2JBs2wwWD/eS3I30hKkmiismtwXZgVcDlpi/AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQUExwK NtZ0EXU42DzHKJKxePLk1zAfBgNVHSMEGDAWgBQUExwKNtZ0EXU42DzHKJKxePLk 1zANBgkqhkiG9w0BAQsFAAOCAQEAj4NZi8Me71C9gKTzPwMgUSlgdr63DI1Ue6ay XHloLnuzQ1AX9bvUPSKyY3seD8pRDnhi+Z9Lpl/1rvGUhBffL4tZQjLQxuXs03M5 Lj4veD48ASSHysW63JxnHqYJDwjNs9T/M5gyjld+gidodFP48riuXpBqGV6TF7O2 BfotM3hQ4MB5uNUJ+sicF5y7RcJATBm1cs/pXQ3I5ugNXWp9G3p7G61FHKtzSRLp naDSBUaW8WFSJY+fp8tTZx+TEjbuNEm1lFzVUmW1vNInwUeXnNvThsWx86XR92Iv ogMdwwpnxxned6a9ElQJ2ApYGMZFqiOOhB4kKyHGV/7DVdtmeQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-10T22:52:07Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-06-10T22:52:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-06-10T23:02:56Z" name: openshift-service-ca.crt namespace: openshift-ingress resourceVersion: "9125" uid: e675e7f1-1b45-423c-b44a-667ad082f96e - apiVersion: v1 data: api-translation-plugin: api-translation:api-translation apikey-injection-plugin: apikey-injection:apikey-injection model-provider-resolver-plugin: model-provider-resolver:model-provider-resolver model-to-header-plugin: body-field-to-header:model-extractor:{"fieldName":"model","headerName":"X-Gateway-Model-Name"} kind: ConfigMap metadata: creationTimestamp: "2026-06-10T23:11:09Z" labels: app.kubernetes.io/component: api app.kubernetes.io/name: maas-api app.kubernetes.io/part-of: models-as-a-service app.opendatahub.io/modelsasservice: "true" maas.opendatahub.io/tenant-name: default-tenant maas.opendatahub.io/tenant-namespace: models-as-a-service managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:api-translation-plugin: {} f:apikey-injection-plugin: {} f:model-provider-resolver-plugin: {} f:model-to-header-plugin: {} f:metadata: f:labels: f:app.kubernetes.io/component: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.opendatahub.io/modelsasservice: {} f:maas.opendatahub.io/tenant-name: {} f:maas.opendatahub.io/tenant-namespace: {} f:ownerReferences: k:{"uid":"64f96b3a-6964-4e85-9471-a9505b136781"}: {} manager: maas-controller operation: Apply time: "2026-06-10T23:11:09Z" name: payload-processing-plugins namespace: openshift-ingress ownerReferences: - apiVersion: maas.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: Config name: default uid: 64f96b3a-6964-4e85-9471-a9505b136781 resourceVersion: "24323" uid: ecd54089-0a2e-4686-a92c-33e065254c56 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIILROEBxCNkhgwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTEzMjU2NTAe Fw0yNjA2MTAyMzAyNDRaFw0yODA4MDgyMzAyNDVaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODExMzI1NjUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBol+Pv2kS3vVH3qFO8HgoDmj+VHz6joHA h/Z0e/YKUWD9gy5Hl4Fgdb9kY41izNutMg3uJ3dzT1u+YR5HC4ui6tH3E59efkVI KzbiMf7dVqiKSxi05bVFR7OewymlvAGX9+bBGCvm50Sm1smLr+wsg7FoP22PqxpD bfwZ32HyHsabwnHmg8SVQ73oqUBr2EO8ATwwkJpDsihssuHgdNDe4LzHRVDy8DFO QmJ82JDE6/8lf8iWCQm3EIjyKVMx+E4QDyjNBtyf08gCmEUM5FUNyeEsOlbZHcem GJ+lohhsccsjdet+2JBs2wwWD/eS3I30hKkmiismtwXZgVcDlpi/AgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQUExwK NtZ0EXU42DzHKJKxePLk1zAfBgNVHSMEGDAWgBQUExwKNtZ0EXU42DzHKJKxePLk 1zANBgkqhkiG9w0BAQsFAAOCAQEAj4NZi8Me71C9gKTzPwMgUSlgdr63DI1Ue6ay XHloLnuzQ1AX9bvUPSKyY3seD8pRDnhi+Z9Lpl/1rvGUhBffL4tZQjLQxuXs03M5 Lj4veD48ASSHysW63JxnHqYJDwjNs9T/M5gyjld+gidodFP48riuXpBqGV6TF7O2 BfotM3hQ4MB5uNUJ+sicF5y7RcJATBm1cs/pXQ3I5ugNXWp9G3p7G61FHKtzSRLp naDSBUaW8WFSJY+fp8tTZx+TEjbuNEm1lFzVUmW1vNInwUeXnNvThsWx86XR92Iv ogMdwwpnxxned6a9ElQJ2ApYGMZFqiOOhB4kKyHGV/7DVdtmeQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: description: ConfigMap providing service CA bundle. openshift.io/description: Configmap is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates openshift.io/owning-component: service-ca service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-10T22:52:11Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:description: {} f:service.beta.openshift.io/inject-cabundle: {} manager: ingress-operator operation: Update time: "2026-06-10T22:52:11Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service-ca.crt: {} f:metadata: f:annotations: f:openshift.io/description: {} f:openshift.io/owning-component: {} manager: service-ca-operator operation: Update time: "2026-06-10T23:02:56Z" name: service-ca-bundle namespace: openshift-ingress resourceVersion: "8889" uid: baac81da-3403-41af-8518-3d9879c9ac00 - apiVersion: v1 data: merged-values: |- { "affinity": {}, "autoscaleBehavior": {}, "autoscaleEnabled": true, "autoscaleMax": 5, "autoscaleMin": 1, "base": { "enableIstioConfigCRDs": true }, "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "configMap": true, "cpu": { "targetAverageUtilization": 80 }, "defaultRevision": "", "deploymentAnnotations": {}, "deploymentLabels": {}, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "envVarFrom": [], "experimental": { "stableValidationPolicy": false }, "extraContainerArgs": [], "gatewayClasses": {}, "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "hub": "", "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "initContainers": [], "ipFamilies": [], "ipFamilyPolicy": "", "istiodRemote": { "enabled": false, "enabledLocalInjectorIstiod": false, "injectionCABundle": "", "injectionPath": "/inject", "injectionURL": "" }, "jwksResolverExtraRootCA": "", "keepaliveMaxServerConnectionAge": "30m", "memory": {}, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "enablePrometheusMerge": true, "ingressControllerMode": "OFF" }, "nodeSelector": {}, "ownerName": "", "pdb": { "minAvailable": 1, "unhealthyPodEvictionPolicy": "" }, "pilot": { "cni": { "enabled": false, "provider": "multus" }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" }, "podLabels": {}, "replicaCount": 1, "resources": { "requests": { "cpu": "500m", "memory": "2048Mi" } }, "revision": "openshift-gateway", "revisionTags": [], "rollingMaxSurge": "100%", "rollingMaxUnavailable": "25%", "seLinuxOptions": { "type": "spc_t" }, "seccompProfile": {}, "serviceAccountAnnotations": {}, "serviceAnnotations": {}, "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} }, "sidecarInjectorWebhookAnnotations": {}, "tag": "", "taint": { "enabled": false, "namespace": "" }, "telemetry": { "enabled": true, "v2": { "enabled": true, "prometheus": { "enabled": true }, "stackdriver": { "enabled": false } } }, "tolerations": [], "topologySpreadConstraints": [], "traceSampling": 1, "trustedZtunnelName": "", "trustedZtunnelNamespace": "kube-system", "variant": "", "volumeMounts": [], "volumes": [] } original-values: |- { "defaultRevision": "", "global": { "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "istioNamespace": "openshift-ingress", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "proxy_init": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "trustBundleName": "openshift-gw-ca-root-cert" }, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "ingressControllerMode": "OFF" }, "pilot": { "cni": { "enabled": false }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "enableNamespacesByDefault": false } } kind: ConfigMap metadata: annotations: kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-10T23:07:19Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:merged-values: {} f:original-values: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"6831dc79-4b78-40b5-8c08-eb96e8161e6e"}: {} manager: sail-operator operation: Update time: "2026-06-10T23:07:19Z" name: values-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 6831dc79-4b78-40b5-8c08-eb96e8161e6e resourceVersion: "16716" uid: 1b980a27-f0ae-4c4c-a7ae-26564d92481d kind: ConfigMapList metadata: resourceVersion: "51783"