--- apiVersion: v1 items: - apiVersion: v1 data: service: | metadata: annotations: service.beta.openshift.io/serving-cert-secret-name: "data-science-gateway-service-tls" spec: type: ClusterIP kind: ConfigMap metadata: annotations: platform.opendatahub.io/instance.generation: "2" platform.opendatahub.io/instance.name: default-gateway platform.opendatahub.io/instance.uid: e94de65a-ae02-4c8f-837d-92728ba6fef4 platform.opendatahub.io/type: Open Data Hub platform.opendatahub.io/version: 3.5.0-ea.1 creationTimestamp: "2026-06-09T15:13:14Z" labels: platform.opendatahub.io/part-of: gatewayconfig managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service: {} f:metadata: f:annotations: f:platform.opendatahub.io/instance.generation: {} f:platform.opendatahub.io/instance.name: {} f:platform.opendatahub.io/instance.uid: {} f:platform.opendatahub.io/type: {} f:platform.opendatahub.io/version: {} f:labels: f:platform.opendatahub.io/part-of: {} f:ownerReferences: k:{"uid":"e94de65a-ae02-4c8f-837d-92728ba6fef4"}: {} manager: gatewayconfig operation: Apply time: "2026-06-09T15:13:46Z" name: data-science-gateway-config namespace: openshift-ingress ownerReferences: - apiVersion: services.platform.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: GatewayConfig name: default-gateway uid: e94de65a-ae02-4c8f-837d-92728ba6fef4 resourceVersion: "17215" uid: e5e8eeac-c923-478c-a593-476584af46e7 - apiVersion: v1 data: ca-crl.pem: "" kind: ConfigMap metadata: creationTimestamp: "2026-06-09T15:13:45Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-crl.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-09T15:13:45Z" name: istio-ca-crl namespace: openshift-ingress resourceVersion: "17181" uid: 82bbccf9-fd8a-4f42-a034-93eaba82de45 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-75c67f8887-c8qhx","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-06-09T15:13:45Z","renewTime":"2026-06-09T15:22:38Z","leaderTransitions":0}' creationTimestamp: "2026-06-09T15:13:45Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-06-09T15:22:38Z" name: istio-ip-autoallocate namespace: openshift-ingress resourceVersion: "29203" uid: 94683e04-da6b-4f12-a435-697655268ea7 - apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod-openshift-gateway.openshift-ingress.svc:15012 proxyHeaders: envoyDebugHeaders: disabled: true metadataExchangeHeaders: mode: IN_MESH server: disabled: true defaultProviders: metrics: - prometheus enablePrometheusMerge: true ingressControllerMode: "OFF" rootNamespace: openshift-ingress trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-09T15:13:41Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:mesh: {} f:meshNetworks: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"58de0e7f-7250-4892-8c3d-6a901edbcff1"}: {} manager: sail-operator operation: Update time: "2026-06-09T15:13:41Z" name: istio-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 58de0e7f-7250-4892-8c3d-6a901edbcff1 resourceVersion: "17020" uid: 40b72a1c-4657-4e04-9da4-94cca795505d - apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} {{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} {{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} {{- if .Values.pilot.cni.enabled }} {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := and (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) (not $nativeSidecar) }} {{- $noInitContainer := and (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) (not $nativeSidecar) }} {{ if $noInitContainer }} initContainers: [] {{ else -}} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} args: - istio-iptables - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - "-c" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" {{ end -}} - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} {{ if .Values.global.nativeNftables -}} - "--native-nftables" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{ template "resources" . }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} runAsNonRoot: true {{- end }} {{ end -}} {{ end -}} {{ if not $nativeSidecar }} containers: {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- else if $nativeSidecar }} {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} lifecycle: preStop: exec: command: - pilot-agent - request - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - POST - drain {{- end }} env: {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ . }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: 0 periodSeconds: 1 timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} allowPrivilegeEscalation: true capabilities: add: - NET_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or $tproxy $capNetBindService -}} add: {{ if $tproxy -}} - NET_ADMIN {{- end }} {{ if $capNetBindService -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true {{ if or $tproxy $capNetBindService -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 {{- else -}} runAsNonRoot: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} {{- end }} {{- end }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/run/secrets/istio/crl name: istio-ca-crl {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: name: workload-socket - emptyDir: name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} - name: istio-ca-crl configMap: name: istio-ca-crl optional: true {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: istio.io/rev: {{ .Revision | default "default" | quote }} {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" {{- end }} {{- end }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 4 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} securityContext: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} grpc-simple: | metadata: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" spec: initContainers: - name: grpc-bootstrap-init image: busybox:1.28 volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap env: - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_NAMESPACE value: | {{ .Values.global.istioNamespace }} command: - sh - "-c" - |- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" echo ' { "xds_servers": [ { "server_uri": "'${SERVER_URI}'", "channel_creds": [{"type": "insecure"}], "server_features" : ["xds_v3"] } ], "node": { "id": "'${NODE_ID}'", "metadata": { "GENERATOR": "grpc" } } }' > /var/lib/grpc/data/bootstrap.json containers: {{- range $index, $container := .Spec.Containers }} - name: {{ $container.Name }} env: - name: GRPC_XDS_BOOTSTRAP value: /var/lib/grpc/data/bootstrap.json - name: GRPC_GO_LOG_VERBOSITY_LEVEL value: "99" - name: GRPC_GO_LOG_SEVERITY_LEVEL value: info volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap {{- end }} volumes: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15020 protocol: TCP name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} lifecycle: postStart: exec: command: - pilot-agent - wait - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" value: "true" - name: "GRPC_XDS_BOOTSTRAP" value: "/etc/istio/proxy/grpc-bootstrap.json" volumeMounts: - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- end }} {{- end }} volumes: - emptyDir: name: workload-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": "{{.Name}}" template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} affinity: {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.nodeSelector }} nodeSelector: {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.tolerations }} tolerations: {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy - waypoint - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - {{.ServiceAccount}}.$(POD_NAMESPACE) - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} env: - name: ISTIO_META_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} {{- if .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} {{- if $network }} - name: ISTIO_META_NETWORK value: "{{ $network }}" {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName}} - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if .Values.global.waypoint.resources }} resources: {{- toYaml .Values.global.waypoint.resources | nindent 10 }} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo volumes: - emptyDir: {} name: workload-socket - emptyDir: medium: Memory name: istio-envoy - emptyDir: medium: Memory name: go-proxy-envoy - emptyDir: {} name: istio-data - emptyDir: {} name: go-proxy-data - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (strdict "networking.istio.io/traffic-distribution" "PreferClose") (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version" ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": "{{.Name}}" {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} kube-gateway: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": {{.Name}} template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 8 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} - name: ISTIO_META_OWNER value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: {{.|quote}} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: {{.UID}} spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": {{.Name}} {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} values: |- { "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "pilot": { "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} } } kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-09T15:13:41Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:config: {} f:values: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"58de0e7f-7250-4892-8c3d-6a901edbcff1"}: {} manager: sail-operator operation: Update time: "2026-06-09T15:13:41Z" name: istio-sidecar-injector-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 58de0e7f-7250-4892-8c3d-6a901edbcff1 resourceVersion: "17024" uid: a9d738a7-b4ae-42e0-aeb4-83a495405d62 - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDPDCCAiSgAwIBAgIIVz3DdozVAHswDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYwOTE0NTMwNFoX DTM2MDYwNjE0NTMwNFowJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtgKil8KPOziQ FkOsKt9iMFJV2ikBGhAnAD2xDq4Mo4Rcr1jcVnF+s3xESMRfm1S6PGBZtwdHeW/J zE3fX5kKkrAaJGBZ6HcWd8mnfoY7b7ayHsw33iAa2YUX2CczBAM672XlDkX9X/0X JxHW31fveIvKNDsRXRdqeX1X6JnyU1WMngbC2Uh3tbbugrhuGlkxD/TAxBtD3rmA yJncXA/q3yRdBaQCF8udRdDN05Rc95Oz44dP26M5Fl6BnNVrr2YFzpDI9+VHtEvW KlzaoqluY5L3uSc0R/xQ5KBmoqbOUEaMRcJQ58w81LD1NOIALLyeDDJ+D2n7vmvo sObqykYErwIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zBJBgNVHQ4EQgRALsW7Tyg3pvnMF7It+NrPgTnBPrnV2IXPny5OxfiK5ak2z239 z0fVugfQNNauY09RMkhtN4+v5rz4bftqeQM6mTANBgkqhkiG9w0BAQsFAAOCAQEA ffNUyGbtGvdz9pe017dLPJ87hkdYXxPFbZtschzFRopl+6C8Jws14Ji+64Dajcy/ a9P7nZQuCkck9OQbJ6kgJHwS3gyMAyX+tHdoW0HxgozEgqecEyY7DtJ8Gqk1Q8MP ZrCvrZ/lWBWS12M6YgOkvlWBMN4J3DkjI3BWavAFoTWX8sIJ7ExXMyq+85lChn2I jyvpBUUhTwV7N5KdhvRNbjo+yJSmR8JBAt287sSaPCoitsiF3TjhgQWIjuIuMi/A a90rMZF72//c4f5TK1ll8KMGm/WoKnA7hZQv7FeZr1k+Rv+57368zZDydnrgvOBK jiMynG1FAB3W3kCWpxWUWQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIIPNhQsvhC+/QwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYwOTE0NTM0OFoX DTI3MDYwOTE0NTM0OFowMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ALzDFKWZHjvTWnRZ+T/jeTXuAWycP7fv2mFn7yCyL5IpzM6vMdFhdxdo2VNkhLsg NIGMQE/ZYWroZESXbsKaV9tp+U90abhciyDo/AMde0H1lVQIlPgFqKWoIf3v1V7j WoNS0k26wSjRDQJ2QbIy7DF4v1rrVag3EroljDvkOMWeVWlk49X8kZ7nmIts7L1Z eCZzTdXSWGqEdXhX/S5GD5WAZEeLcXlttEJKAY91eSIk5zr4Z6JBRXUbZby/hYon WfNKkksb7SMTHOUPxk6wZq7M9WAO3z6VU7Ef5EGe+EZcjc66DOFtPKM/8Y64otWw OnBz1AqZjmd4ipPhLiiuSvUCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV HQ4EQgRAaCD8Z4OIbcHx+wWR03l3Ru5yS4IRD2lfHk82Jwg2PSzZ0S13CvhHR4mI NyoSqiZrXUPSthWTuWWYnytvRz+9oDBLBgNVHSMERDBCgEAuxbtPKDem+cwXsi34 2s+BOcE+udXYhc+fLk7F+IrlqTbPbf3PR9W6B9A01q5jT1EySG03j6/mvPht+2p5 AzqZMEsGA1UdEQREMEKCQCouYXBwcy4xNjA5OWRjNy00ODY3LTQ0NmQtYTIyMi1m ZjVhZmE5N2I5ZGMucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD ggEBACgO1BeR58gkLhcbFjPdhlKax7fgNfxRzCYzf1dUv6aeePHPHax5tug5TWBJ s6tMIjMdEUKm2REVqAd9AV+0VTC8CENLzFfXJaxpz+vD/er+dPY/eYONIU7NvgBW P6wrV7Ilp3rf0mwC4aSl2z+Hz9zC4igSUtXdMtQS+aeq7d1t/Ol5p4UWyxbOrGTX 2hsmdNuhbeWKSAdvntXf9zwTjRivO7LkCvwzungll7b6ohw9hbMaACqetQY6JdO+ ylleXgjwUxJLrvKjTXdDpmwmwhAyCzWcD2W7+cKaaowp5b9AcjJfrKEtdd3UNh6J KLfhF3TdzDwWKVUs5ns5z0paMeE= -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-06-09T14:55:30Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-06-09T14:56:14Z" name: kube-root-ca.crt namespace: openshift-ingress resourceVersion: "3824" uid: e6aebc07-8e3b-4c83-b53d-e458f96591e1 - apiVersion: v1 data: cabundle.crt: |- -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeGcwcxZNkq0wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTAxNzU3OTAe Fw0yNjA2MDkxNTA2MTlaFw0yODA4MDcxNTA2MjBaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODEwMTc1NzkwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDziTq/YnU0Ao2Rjp8SRDz/KF4v6ScO2fQE jxyiUgyoKvRYVH1o+/JpeO0KthKl9ClhrWTWfgfAjjzijxBHSlVdjLW3cnAqRq+Y JFsrPy0nCHS/7F7pA7j09ywQ92y9WbiL/2FKJ5WeePp3/hJxS4VpQZTFTNUPR6J6 3PjIRWwkrPJMb5oOXHhodLxZ221ZuIgTEh/7U11fmtDz67DH8l98tDA375xpd7lZ r00zr48z5P8DrQdyjygoEDoG2Y/cNj5MBCQ0moXvJf7V7JRpJzwL5aWuOppg69Vn kAlp1onE0JiGyQYp07YyrPHZnTCMMr6iolx/ODhTmcTcGxO+g0HJAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ5yhfg l0si8LoRwoezl1Eje2e8CTAfBgNVHSMEGDAWgBQ5yhfgl0si8LoRwoezl1Eje2e8 CTANBgkqhkiG9w0BAQsFAAOCAQEAdzGgc+HkMB6cjl+KcCcMmjuEVlW6O+ol6Dp3 hxSRjS0QoGYvinbjbPI8h9EeMp18R4vjWb1U+Aq7t4M3vk05pw2TjjRskBR5SWJJ P1FAIWx4kmzD3FIQQPv59sf7PP/Q16wMcW+6EaSfJ9ZudER9x34bkuUKxUoJmHku wJJp/5UVHVw4A13LpZFCBlS5P/VWDR7PCrq3EcXZVhfA9VpDpFhpk7PnuTBU1OeR y+QIw1UY867AWs2r2R4HbLQYmyrtgQ9TxnqbMhG15a0v3LA+hE6POfgsPuz2bnA4 nh5dqH10ZpTwJFopPnQTfRuNBQWn6QzfNyMDJYpNzvk8Dsj7tQ== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-09T15:13:12Z" labels: opendatahub.io/managed: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cabundle.crt: {} f:metadata: f:labels: .: {} f:opendatahub.io/managed: {} manager: manager operation: Update time: "2026-06-09T15:13:12Z" name: odh-kserve-custom-ca-bundle namespace: openshift-ingress resourceVersion: "15811" uid: fa4fb18c-5c3b-4dc9-aedd-4ca7db62aa07 - apiVersion: v1 data: root-cert.pem: | -----BEGIN CERTIFICATE----- MIIC/DCCAeSgAwIBAgIQGRjrJQE6KhfBKBU+2GmJzTANBgkqhkiG9w0BAQsFADAY MRYwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMB4XDTI2MDYwOTE1MTM0NVoXDTM2MDYw NjE1MTM0NVowGDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAK598+EpZvCeImfNQwi4zPCsZ4/cIDjq61/aHo9D 7kJlry4HwaKb4VT00LAbvpr9hgn3ImVtOnepCpDM87q5asZHlvp40BvvJvyDGu7W I3eAZShbcGDe2+6QmxFsNIbLoD+HSsf7L+f2+eKbRCGg6ojWr4rPUIk+nkR+BMvy kIS1c53mVq34oii2+5ChIW7692wIh0CaBRYXkf7DKf1uyAimJsx+FsyLXwct8oW1 MpUwUW3xbkea5Urdciyjzkb91U/KW9l2RawHdmD4MKkKSi/5AocKaT1tkhUCut85 17W+pAvys3CqUcckmgthkXdgAWFajBf2++bUGSbZzMNE2m8CAwEAAaNCMEAwDgYD VR0PAQH/BAQDAgIEMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFK6draOw4IMx rw7qncOudGO9oNCTMA0GCSqGSIb3DQEBCwUAA4IBAQCmrxkzPMvEyJ4PDmXZaFd4 rIz+6ZgJhs9VpDT9tAZsYJZCPgWK0d6mp6rsVcuC2RXXoUqQArQCGMC10WkE7xqM lAZqhLx2dEwIRy/e2cSbWzhBL6CSa3Jr6Y19ZeF+le9FqAloQ35+ybT/JYkdy/+P z/tgUKk5ZxhTgVOkVsRweNnWMgYvwgPQLpjhyL87DzDkB1VhCrZ9VZT/v74Sy33D 5T82GCVu3KiTLY9I4S2+81+MSciRb+5BqQlNO0BB498I5HmluoArCtl8Bsmer1Z+ KJK7R8za324LIG26eNqoWyasds9l1A+vGIa99tMaMvE6JAiGqV2m+58i6o4cBM5+ -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-09T15:13:45Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:root-cert.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-09T15:13:45Z" name: openshift-gw-ca-root-cert namespace: openshift-ingress resourceVersion: "17179" uid: e35e3fe3-c5c4-47df-b362-d62d04bdb7a6 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeGcwcxZNkq0wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTAxNzU3OTAe Fw0yNjA2MDkxNTA2MTlaFw0yODA4MDcxNTA2MjBaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODEwMTc1NzkwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDziTq/YnU0Ao2Rjp8SRDz/KF4v6ScO2fQE jxyiUgyoKvRYVH1o+/JpeO0KthKl9ClhrWTWfgfAjjzijxBHSlVdjLW3cnAqRq+Y JFsrPy0nCHS/7F7pA7j09ywQ92y9WbiL/2FKJ5WeePp3/hJxS4VpQZTFTNUPR6J6 3PjIRWwkrPJMb5oOXHhodLxZ221ZuIgTEh/7U11fmtDz67DH8l98tDA375xpd7lZ r00zr48z5P8DrQdyjygoEDoG2Y/cNj5MBCQ0moXvJf7V7JRpJzwL5aWuOppg69Vn kAlp1onE0JiGyQYp07YyrPHZnTCMMr6iolx/ODhTmcTcGxO+g0HJAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ5yhfg l0si8LoRwoezl1Eje2e8CTAfBgNVHSMEGDAWgBQ5yhfgl0si8LoRwoezl1Eje2e8 CTANBgkqhkiG9w0BAQsFAAOCAQEAdzGgc+HkMB6cjl+KcCcMmjuEVlW6O+ol6Dp3 hxSRjS0QoGYvinbjbPI8h9EeMp18R4vjWb1U+Aq7t4M3vk05pw2TjjRskBR5SWJJ P1FAIWx4kmzD3FIQQPv59sf7PP/Q16wMcW+6EaSfJ9ZudER9x34bkuUKxUoJmHku wJJp/5UVHVw4A13LpZFCBlS5P/VWDR7PCrq3EcXZVhfA9VpDpFhpk7PnuTBU1OeR y+QIw1UY867AWs2r2R4HbLQYmyrtgQ9TxnqbMhG15a0v3LA+hE6POfgsPuz2bnA4 nh5dqH10ZpTwJFopPnQTfRuNBQWn6QzfNyMDJYpNzvk8Dsj7tQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-09T14:55:30Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-06-09T14:55:30Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-06-09T15:06:30Z" name: openshift-service-ca.crt namespace: openshift-ingress resourceVersion: "9223" uid: 4bb10ed0-9ef3-4ec3-9c81-81c19fc941a5 - apiVersion: v1 data: api-translation-plugin: api-translation:api-translation apikey-injection-plugin: apikey-injection:apikey-injection model-provider-resolver-plugin: model-provider-resolver:model-provider-resolver model-to-header-plugin: body-field-to-header:model-extractor:{"fieldName":"model","headerName":"X-Gateway-Model-Name"} kind: ConfigMap metadata: creationTimestamp: "2026-06-09T15:18:07Z" labels: app.kubernetes.io/component: api app.kubernetes.io/name: maas-api app.kubernetes.io/part-of: models-as-a-service app.opendatahub.io/modelsasservice: "true" maas.opendatahub.io/tenant-name: default-tenant maas.opendatahub.io/tenant-namespace: models-as-a-service managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:api-translation-plugin: {} f:apikey-injection-plugin: {} f:model-provider-resolver-plugin: {} f:model-to-header-plugin: {} f:metadata: f:labels: f:app.kubernetes.io/component: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.opendatahub.io/modelsasservice: {} f:maas.opendatahub.io/tenant-name: {} f:maas.opendatahub.io/tenant-namespace: {} f:ownerReferences: k:{"uid":"76d108df-76c9-4e2a-9e73-1b44d7c58de9"}: {} manager: maas-controller operation: Apply time: "2026-06-09T15:18:07Z" name: payload-processing-plugins namespace: openshift-ingress ownerReferences: - apiVersion: maas.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: Config name: default uid: 76d108df-76c9-4e2a-9e73-1b44d7c58de9 resourceVersion: "25038" uid: eb805348-1a7c-446c-a674-af6469d295ca - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIeGcwcxZNkq0wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MTAxNzU3OTAe Fw0yNjA2MDkxNTA2MTlaFw0yODA4MDcxNTA2MjBaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODEwMTc1NzkwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDziTq/YnU0Ao2Rjp8SRDz/KF4v6ScO2fQE jxyiUgyoKvRYVH1o+/JpeO0KthKl9ClhrWTWfgfAjjzijxBHSlVdjLW3cnAqRq+Y JFsrPy0nCHS/7F7pA7j09ywQ92y9WbiL/2FKJ5WeePp3/hJxS4VpQZTFTNUPR6J6 3PjIRWwkrPJMb5oOXHhodLxZ221ZuIgTEh/7U11fmtDz67DH8l98tDA375xpd7lZ r00zr48z5P8DrQdyjygoEDoG2Y/cNj5MBCQ0moXvJf7V7JRpJzwL5aWuOppg69Vn kAlp1onE0JiGyQYp07YyrPHZnTCMMr6iolx/ODhTmcTcGxO+g0HJAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ5yhfg l0si8LoRwoezl1Eje2e8CTAfBgNVHSMEGDAWgBQ5yhfgl0si8LoRwoezl1Eje2e8 CTANBgkqhkiG9w0BAQsFAAOCAQEAdzGgc+HkMB6cjl+KcCcMmjuEVlW6O+ol6Dp3 hxSRjS0QoGYvinbjbPI8h9EeMp18R4vjWb1U+Aq7t4M3vk05pw2TjjRskBR5SWJJ P1FAIWx4kmzD3FIQQPv59sf7PP/Q16wMcW+6EaSfJ9ZudER9x34bkuUKxUoJmHku wJJp/5UVHVw4A13LpZFCBlS5P/VWDR7PCrq3EcXZVhfA9VpDpFhpk7PnuTBU1OeR y+QIw1UY867AWs2r2R4HbLQYmyrtgQ9TxnqbMhG15a0v3LA+hE6POfgsPuz2bnA4 nh5dqH10ZpTwJFopPnQTfRuNBQWn6QzfNyMDJYpNzvk8Dsj7tQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: description: ConfigMap providing service CA bundle. openshift.io/description: Configmap is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates openshift.io/owning-component: service-ca service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-09T14:55:34Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:description: {} f:service.beta.openshift.io/inject-cabundle: {} manager: ingress-operator operation: Update time: "2026-06-09T14:55:34Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service-ca.crt: {} f:metadata: f:annotations: f:openshift.io/description: {} f:openshift.io/owning-component: {} manager: service-ca-operator operation: Update time: "2026-06-09T15:06:30Z" name: service-ca-bundle namespace: openshift-ingress resourceVersion: "8944" uid: a32bdf68-1f4d-4bc3-a4ed-c59e378a7e67 - apiVersion: v1 data: merged-values: |- { "affinity": {}, "autoscaleBehavior": {}, "autoscaleEnabled": true, "autoscaleMax": 5, "autoscaleMin": 1, "base": { "enableIstioConfigCRDs": true }, "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "configMap": true, "cpu": { "targetAverageUtilization": 80 }, "defaultRevision": "", "deploymentAnnotations": {}, "deploymentLabels": {}, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "envVarFrom": [], "experimental": { "stableValidationPolicy": false }, "extraContainerArgs": [], "gatewayClasses": {}, "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "hub": "", "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "initContainers": [], "ipFamilies": [], "ipFamilyPolicy": "", "istiodRemote": { "enabled": false, "enabledLocalInjectorIstiod": false, "injectionCABundle": "", "injectionPath": "/inject", "injectionURL": "" }, "jwksResolverExtraRootCA": "", "keepaliveMaxServerConnectionAge": "30m", "memory": {}, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "enablePrometheusMerge": true, "ingressControllerMode": "OFF" }, "nodeSelector": {}, "ownerName": "", "pdb": { "minAvailable": 1, "unhealthyPodEvictionPolicy": "" }, "pilot": { "cni": { "enabled": false, "provider": "multus" }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" }, "podLabels": {}, "replicaCount": 1, "resources": { "requests": { "cpu": "500m", "memory": "2048Mi" } }, "revision": "openshift-gateway", "revisionTags": [], "rollingMaxSurge": "100%", "rollingMaxUnavailable": "25%", "seLinuxOptions": { "type": "spc_t" }, "seccompProfile": {}, "serviceAccountAnnotations": {}, "serviceAnnotations": {}, "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} }, "sidecarInjectorWebhookAnnotations": {}, "tag": "", "taint": { "enabled": false, "namespace": "" }, "telemetry": { "enabled": true, "v2": { "enabled": true, "prometheus": { "enabled": true }, "stackdriver": { "enabled": false } } }, "tolerations": [], "topologySpreadConstraints": [], "traceSampling": 1, "trustedZtunnelName": "", "trustedZtunnelNamespace": "kube-system", "variant": "", "volumeMounts": [], "volumes": [] } original-values: |- { "defaultRevision": "", "global": { "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "istioNamespace": "openshift-ingress", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "proxy_init": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "trustBundleName": "openshift-gw-ca-root-cert" }, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "ingressControllerMode": "OFF" }, "pilot": { "cni": { "enabled": false }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "enableNamespacesByDefault": false } } kind: ConfigMap metadata: annotations: kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-09T15:13:41Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:merged-values: {} f:original-values: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"58de0e7f-7250-4892-8c3d-6a901edbcff1"}: {} manager: sail-operator operation: Update time: "2026-06-09T15:13:41Z" name: values-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 58de0e7f-7250-4892-8c3d-6a901edbcff1 resourceVersion: "17021" uid: ec1859d1-9d62-4afb-9e4b-7850ea039bef kind: ConfigMapList metadata: resourceVersion: "29302"