--- apiVersion: v1 items: - apiVersion: v1 data: service: | metadata: annotations: service.beta.openshift.io/serving-cert-secret-name: "data-science-gateway-service-tls" spec: type: ClusterIP kind: ConfigMap metadata: annotations: platform.opendatahub.io/instance.generation: "2" platform.opendatahub.io/instance.name: default-gateway platform.opendatahub.io/instance.uid: 1a1c21f9-2e10-4c0d-8fba-0bf6e5b13f07 platform.opendatahub.io/type: Open Data Hub platform.opendatahub.io/version: 3.5.0-ea.1 creationTimestamp: "2026-06-08T18:25:27Z" labels: platform.opendatahub.io/part-of: gatewayconfig managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service: {} f:metadata: f:annotations: f:platform.opendatahub.io/instance.generation: {} f:platform.opendatahub.io/instance.name: {} f:platform.opendatahub.io/instance.uid: {} f:platform.opendatahub.io/type: {} f:platform.opendatahub.io/version: {} f:labels: f:platform.opendatahub.io/part-of: {} f:ownerReferences: k:{"uid":"1a1c21f9-2e10-4c0d-8fba-0bf6e5b13f07"}: {} manager: gatewayconfig operation: Apply time: "2026-06-08T18:26:00Z" name: data-science-gateway-config namespace: openshift-ingress ownerReferences: - apiVersion: services.platform.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: GatewayConfig name: default-gateway uid: 1a1c21f9-2e10-4c0d-8fba-0bf6e5b13f07 resourceVersion: "17408" uid: dfe89fcf-d14c-41b5-9e49-ac1512444361 - apiVersion: v1 data: ca-crl.pem: "" kind: ConfigMap metadata: creationTimestamp: "2026-06-08T18:26:00Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-crl.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-08T18:26:00Z" name: istio-ca-crl namespace: openshift-ingress resourceVersion: "17363" uid: efdf2f85-32b2-44ca-8853-64659150d1f0 - apiVersion: v1 kind: ConfigMap metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istiod-openshift-gateway-75c67f8887-mn7vf","holderKey":"openshift-gateway","leaseDurationSeconds":30,"acquireTime":"2026-06-08T18:25:59Z","renewTime":"2026-06-08T18:56:25Z","leaderTransitions":0}' creationTimestamp: "2026-06-08T18:25:59Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:control-plane.alpha.kubernetes.io/leader: {} manager: pilot-discovery operation: Update time: "2026-06-08T18:56:25Z" name: istio-ip-autoallocate namespace: openshift-ingress resourceVersion: "50401" uid: 1fe49616-265c-4645-8c04-8ca2cd826611 - apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod-openshift-gateway.openshift-ingress.svc:15012 proxyHeaders: envoyDebugHeaders: disabled: true metadataExchangeHeaders: mode: IN_MESH server: disabled: true defaultProviders: metrics: - prometheus enablePrometheusMerge: true ingressControllerMode: "OFF" rootNamespace: openshift-ingress trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-08T18:25:55Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:mesh: {} f:meshNetworks: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"1b20b7fd-8ee7-4635-b916-5a91df392ad2"}: {} manager: sail-operator operation: Update time: "2026-06-08T18:25:55Z" name: istio-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 1b20b7fd-8ee7-4635-b916-5a91df392ad2 resourceVersion: "17212" uid: 55d49e0c-d7ce-4cdb-91ea-8256f9285be6 - apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} {{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} {{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} {{- if .Values.pilot.cni.enabled }} {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := and (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) (not $nativeSidecar) }} {{- $noInitContainer := and (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) (not $nativeSidecar) }} {{ if $noInitContainer }} initContainers: [] {{ else -}} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} args: - istio-iptables - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - "-c" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" {{ end -}} - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} {{ if .Values.global.nativeNftables -}} - "--native-nftables" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{ template "resources" . }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} runAsNonRoot: true {{- end }} {{ end -}} {{ end -}} {{ if not $nativeSidecar }} containers: {{ end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{ if $nativeSidecar }}restartPolicy: Always{{end}} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- else if $nativeSidecar }} {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} lifecycle: preStop: exec: command: - pilot-agent - request - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - POST - drain {{- end }} env: {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ . }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: 0 periodSeconds: 1 timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} allowPrivilegeEscalation: true capabilities: add: - NET_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or $tproxy $capNetBindService -}} add: {{ if $tproxy -}} - NET_ADMIN {{- end }} {{ if $capNetBindService -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true {{ if or $tproxy $capNetBindService -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 {{- else -}} runAsNonRoot: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} {{- end }} {{- end }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/run/secrets/istio/crl name: istio-ca-crl {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: name: workload-socket - emptyDir: name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} - name: istio-ca-crl configMap: name: istio-ca-crl optional: true {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: istio.io/rev: {{ .Revision | default "default" | quote }} {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" {{- end }} {{- end }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 4 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} securityContext: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu {{- if .CompliancePolicy }} - name: COMPLIANCE_POLICY value: "{{ .CompliancePolicy }}" {{- end }} - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} grpc-simple: | metadata: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" spec: initContainers: - name: grpc-bootstrap-init image: busybox:1.28 volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap env: - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_NAMESPACE value: | {{ .Values.global.istioNamespace }} command: - sh - "-c" - |- NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" echo ' { "xds_servers": [ { "server_uri": "'${SERVER_URI}'", "channel_creds": [{"type": "insecure"}], "server_features" : ["xds_v3"] } ], "node": { "id": "'${NODE_ID}'", "metadata": { "GENERATOR": "grpc" } } }' > /var/lib/grpc/data/bootstrap.json containers: {{- range $index, $container := .Spec.Containers }} - name: {{ $container.Name }} env: - name: GRPC_XDS_BOOTSTRAP value: /var/lib/grpc/data/bootstrap.json - name: GRPC_GO_LOG_VERBOSITY_LEVEL value: "99" - name: GRPC_GO_LOG_SEVERITY_LEVEL value: info volumeMounts: - mountPath: /var/lib/grpc/data/ name: grpc-io-proxyless-bootstrap {{- end }} volumes: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | {{- define "resources" }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{- end }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} ports: - containerPort: 15020 protocol: TCP name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} lifecycle: postStart: exec: command: - pilot-agent - wait - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} resources: {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - mountPath: /var/run/secrets/tokens name: istio-token {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" value: "true" - name: "GRPC_XDS_BOOTSTRAP" value: "/etc/istio/proxy/grpc-bootstrap.json" volumeMounts: - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- end }} {{- end }} volumes: - emptyDir: name: workload-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else }} - emptyDir: name: workload-certs {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} waypoint: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": "{{.Name}}" template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" .ControllerLabel ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} affinity: {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.nodeSelector }} nodeSelector: {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.global.waypoint.tolerations }} tolerations: {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy - waypoint - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - {{.ServiceAccount}}.$(POD_NAMESPACE) - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.outlierLogPath }} - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} {{- end}} env: - name: ISTIO_META_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} {{- if .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} {{- if $network }} - name: ISTIO_META_NETWORK value: "{{ $network }}" {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName}} - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if .Values.global.waypoint.resources }} resources: {{- toYaml .Values.global.waypoint.resources | nindent 10 }} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo volumes: - emptyDir: {} name: workload-socket - emptyDir: medium: Memory name: istio-envoy - emptyDir: medium: Memory name: go-proxy-envoy - emptyDir: {} name: istio-data - emptyDir: {} name: go-proxy-data - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: istiod-ca-cert {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (strdict "networking.istio.io/traffic-distribution" "PreferClose") (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version" ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": "{{.Name}}" {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} kube-gateway: | apiVersion: v1 kind: ServiceAccount metadata: name: {{.ServiceAccount | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: "{{.Name}}" uid: "{{.UID}}" {{- end }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: "{{.GatewayNameLabel}}": {{.Name}} template: metadata: annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" ) | nindent 8 }} labels: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: {{- if .Values.gateways.securityContext }} {{- toYaml .Values.gateways.securityContext | nindent 8 }} {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- if .Values.gateways.seccompProfile }} seccompProfile: {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --proxyLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - --proxyComponentLogLevel - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - --log_output_level - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: "[]" - name: ISTIO_META_APP_CONTAINERS value: "" - name: GOMEMLIMIT valueFrom: resourceFieldRef: resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - name: ISTIO_META_NETWORK value: {{.|quote}} {{- end }} - name: ISTIO_META_WORKLOAD_NAME value: {{.DeploymentName|quote}} - name: ISTIO_META_OWNER value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: {{.|quote}} {{- end }} startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: credential-socket mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials readOnly: true {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - name: istio-podinfo mountPath: /etc/istio/pod volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: driver: workloadcertificates.security.cloud.google.com {{- else}} - emptyDir: {} name: workload-certs {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} projected: sources: - clusterTrustBundle: name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: v1 kind: Service metadata: annotations: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: {{.UID}} spec: ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} port: {{ $val.Port }} protocol: TCP appProtocol: {{ $val.AppProtocol }} {{- end }} selector: "{{.GatewayNameLabel}}": {{.Name}} {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} {{- end }} type: {{ .ServiceType | quote }} --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: {{.DeploymentName | quote}} maxReplicas: 1 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} annotations: {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: {{.Name}} uid: "{{.UID}}" spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: {{.Name|quote}} values: |- { "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "pilot": { "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} } } kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-08T18:25:55Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:config: {} f:values: {} f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"1b20b7fd-8ee7-4635-b916-5a91df392ad2"}: {} manager: sail-operator operation: Update time: "2026-06-08T18:25:55Z" name: istio-sidecar-injector-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 1b20b7fd-8ee7-4635-b916-5a91df392ad2 resourceVersion: "17214" uid: 9c1474d6-c25d-4614-ade8-bba5d0d1848a - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDPDCCAiSgAwIBAgIIUpTQSLpN8LIwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYwODE4MDYwNFoX DTM2MDYwNTE4MDYwNFowJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4G3YEQlXUcyL t3Tc6S3z5YDOCOuG6W/a3Uc62B/UQXQSXlBjm5y04A/SJ4UOaImYy6j9AnoIsrr8 U4cKaGOkBr4RR+8SkU6n1Y376wC32ZZ10E/ZCiSIdBIzsifd8I6AO48iVUx/hX+o HQEQOz+u18pAyoi/WvbA8wQemsQi3TADn+5O+nDKM0UxJWNoJaCVP+9KUZQicVxQ XftPvMnHvNUx9NpMoSQVd3AqexBZ8s9P+F1u6wTCWnzI9M18bhYrolTE3qM1IErw zWfbQksToIrp0EgNPvo9yBBwUxmkB+O6j/Wt2xR7xRfx1Ttcihj4QaoGg9Fnh9TJ Hka8qzrV4QIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zBJBgNVHQ4EQgRAU11wfOheIp05YH5HmSbnvV4Nrmn4zwuufvz05/b3TYpNusle cV80u8ALQDSglsPZ+KMHLQvgarCcvPClSd0GgjANBgkqhkiG9w0BAQsFAAOCAQEA TWaM0ThRp6IBTny5pqXvTARwiuaWEP58hdqVXdNYkwHXUL0sM4xcQK8qmBJYDFQO 4KAWMP/nanzOd2IEzSOUKaVxXpzz48bdRQ/NgZEcW/CpqKIzEj2xlU/fUpz72O5t Z4YivOB+Mlf1DvC7uONyt4OicRXkdLt+ksV2fyP/aVa3PT3DcauU17kS5YoHA8Ve wvpPlHtnBz5oJezhr1a4LoXMGIzIi7+CuYWvHbE+cLKVHBraUNffPJQn9x1ykbmk zFVRJ4j0+tMtRd6j6/wHOkxnaCIMx7FlO4E3sTwLXOBLqiXxdB6dXurgQgXpLTtN 03aCKfaHQlamYaOfohKSwA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIIXrVKuusUIF0wDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDYwODE4MDY0MFoX DTI3MDYwODE4MDY0MFowMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ALwUojFWDiIZAKqlMGsb+9/anfVsb20RNdQwHRYYc70j78c3MqVdiD50y4zlqqME eEPKW9SNCm9fncEi3S7i2o0rd1harZytvdGb96o6UjVjquQM5NezraNGZSOPGZWc vKzAjqOHxBvDVeV1lkbl1U8sZHKTCExHNVcuO6jOji+8p9T16aXakqVyy457eXqc QxHz1syq0xEIo4NtDcqDiOi9wRb+vgZKQBHn+Fux0qebj0zqbwuRW0qWCDM5avIi adVqYA4fscd2rI7mch4k1cZl9UK4a5FJQRz+u3SA5YGqnprx/YA3Made8qj2Qyu0 68YPGjOCyK8iHRkgYFNxS8sCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV HQ4EQgRAzmIupZ2QgRJDFDJguoozaToQ/jpWqiceYAA4SJQopcZ0fnTHHsyq+swh vw+wJH6R4MyRnrZDk6ybAFY4y3N1RTBLBgNVHSMERDBCgEBTXXB86F4inTlgfkeZ Jue9Xg2uafjPC65+/PTn9vdNik26yV5xXzS7wAtANKCWw9n4owctC+BqsJy88KVJ 3QaCMEsGA1UdEQREMEKCQCouYXBwcy44NDUwNDQxNC1jNjFhLTQ4MjEtYWM5NC01 NzM2MjNhYWMzNTMucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD ggEBALEzScp1Blsv8henHbPwkurf4ZT/whdIbdCdb9AoxYZ3RN3yY+8IREIkRf3w 9x3CPEmsPuXj76TTLDJhoLZXYzGijngF9gZwF2DMdkO14knUEdbNdyJWp8dHsmY1 Ds/04Y4G7dOKtzJGKlsyP30S1desS5TFPXAtxL0ab33p/v1UnqL6IyCwMxbtcbJE 68jpz1Iq/CqHiSz3VjmLX/hw6LlVQGkQU7M3GFYxIqKeEzEvof2N8GgCJye6v2Le d4ULN95VYbIHK5cFiU2HPL4P1TU7PVg++bX8KkyfbAdlH3ZP9598VM44GdtF8sxj ix1KqnS7i+FM5TGThhB1FORtaJs= -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-06-08T18:08:17Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-06-08T18:09:28Z" name: kube-root-ca.crt namespace: openshift-ingress resourceVersion: "4380" uid: 84540d73-9f04-4255-b0df-4347ae261ae2 - apiVersion: v1 data: cabundle.crt: |- -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIYxfROLaxorswDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MDk0Mjc3MjAe Fw0yNjA2MDgxODE5MzJaFw0yODA4MDYxODE5MzNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODA5NDI3NzIwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0m3ZwimGKbU/RP9MRtrlPCXZ5SEY5P3PR QLAr1+l6W0lgeocSzvvG9KWDd2yb5AOJPlAoZJWzbGtbr/ZfZX7XLzYQauyGKGyl UQaoFkN97kVyYkDYyzMFxysVyrEoEGgCka4Syl6C4dQx03YxzrNyHAn6C7Fa8p1H y/lG94TMYpINN2tHgGrhrOu78P4VSfe2sr0uyXIkRHXE7j50IdNYx6TATvtu7CHy y1upPaqfkI2udG3gOQs8OdowpZdV/wpQuExTLO+Rwa5blcgaptZ4iAqgJ3FWEo9m PJWFWyYda0Q2lk3JZUjzVlpHqYUc6DJJLDTzJeUx2Xy1ubFhlHjpAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRbS0z4 LIGH8sboEC8LUj7E90AiJDAfBgNVHSMEGDAWgBRbS0z4LIGH8sboEC8LUj7E90Ai JDANBgkqhkiG9w0BAQsFAAOCAQEAbgXlF56GyYQ/BRHFg1AdDbAtB+DlZsfbIi7o k3aRN0l28AK2UQzs6eMNUbnW/JPkCCa6R3dkHEs7KX8PlAFEjQtkeLySteVfL1O9 Rvgt8OHH3zkO0sCRAcqBemXcBakrbS1azqe/A9oW0+tIJfgKqcJthtK/ZRkvHvaH lQ48Fy4oFEbmXBKq9E0Ogk7u2H8qURQP6lRjEelKfCRRdG5YrRBgkLddA2maNf8Y ZGilKm5KyVJs2maBC4ZSs2NZGqFLZxFboaVTIjSLKnkNqtI1ZCMr7D2b6VoFGT4U gc2K/9z2BfRIOyrmSDwnDcV9biTIQMIgQ56dvmXE3X+bt3i5SQ== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-08T18:25:35Z" labels: opendatahub.io/managed: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cabundle.crt: {} f:metadata: f:labels: .: {} f:opendatahub.io/managed: {} manager: manager operation: Update time: "2026-06-08T18:25:35Z" name: odh-kserve-custom-ca-bundle namespace: openshift-ingress resourceVersion: "16234" uid: 6c60d827-c0b2-4b62-bbb4-fab95776ad85 - apiVersion: v1 data: root-cert.pem: | -----BEGIN CERTIFICATE----- MIIC/TCCAeWgAwIBAgIRAPzP8eEQuvQDz75ELAewV9gwDQYJKoZIhvcNAQELBQAw GDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDAeFw0yNjA2MDgxODI1NTlaFw0zNjA2 MDUxODI1NTlaMBgxFjAUBgNVBAoTDWNsdXN0ZXIubG9jYWwwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCz0YQIpLcYQ2VZsGAUF3e1wf3O71nMAV0PIbwY teDJOZloPsObGpNsU/zYN9Hz8NQ1I/QEhv8D2uc4AU9C2kICdDlBhfS4zva1gblO v2rXMLfZhEHfnFyvZJyc1iLXqsy2Bpalv46OIhchKVManiLcbZWCvFZ+P64Bo9Xe qpMG01bx1zmxBSsqDjhJLkNHvv+Tqn+YWC9boWrOOVdHyDgkf4ksqk9dtyzeETiI S7qj4HGebV2/1/KXnx11L2UQb8l1QLC7AnH4h8Sgn5bCJiaDZdbdDXnBxjLT5EQQ 2lko0U0DFjFkhZglId/SMhm+tDfAaM3oZhxdryvsbIX4hWX7AgMBAAGjQjBAMA4G A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQqVgabtAFE 1XpOFzesh0ZNrGmcnjANBgkqhkiG9w0BAQsFAAOCAQEAS1FYECxzskD/Z8Lp3L7I gOyYp8yYV3Hwcojyh3sijnuvjJn9/VylYhUktfZEuQs5cQT2P9y4QbHmnFrpJMUs CzZ+YiiIws05bjMTbkqVymsOSq8CrdQSi17YdzETxRgI1jgFaPhebSuWBQqzjA82 yOBTb07ZV4aRoZwnAmSkuW7XPJROwoan8qiPCmQnZ5lRk39QzgEdrkwbNHCvR8mQ k0S5T5T/0c3LlFMr5eHa3RBcQTs0tmpaGleHD7+tS0di2lM2UOvzRpzxyyRSgRcy 8Gl8qtldKdGeP0sAv0ndJkZ1Y5af4GkXU1lwRg3bpF0MUtkIKR2qd/bhFLx7F4kY Qw== -----END CERTIFICATE----- kind: ConfigMap metadata: creationTimestamp: "2026-06-08T18:26:00Z" labels: istio.io/config: "true" openshift.io/mesh: "true" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:root-cert.pem: {} f:metadata: f:labels: .: {} f:istio.io/config: {} f:openshift.io/mesh: {} manager: pilot-discovery operation: Update time: "2026-06-08T18:26:00Z" name: openshift-gw-ca-root-cert namespace: openshift-ingress resourceVersion: "17359" uid: 4e2dc310-92c4-4922-bfb6-105cac5e7c9c - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIYxfROLaxorswDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MDk0Mjc3MjAe Fw0yNjA2MDgxODE5MzJaFw0yODA4MDYxODE5MzNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODA5NDI3NzIwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0m3ZwimGKbU/RP9MRtrlPCXZ5SEY5P3PR QLAr1+l6W0lgeocSzvvG9KWDd2yb5AOJPlAoZJWzbGtbr/ZfZX7XLzYQauyGKGyl UQaoFkN97kVyYkDYyzMFxysVyrEoEGgCka4Syl6C4dQx03YxzrNyHAn6C7Fa8p1H y/lG94TMYpINN2tHgGrhrOu78P4VSfe2sr0uyXIkRHXE7j50IdNYx6TATvtu7CHy y1upPaqfkI2udG3gOQs8OdowpZdV/wpQuExTLO+Rwa5blcgaptZ4iAqgJ3FWEo9m PJWFWyYda0Q2lk3JZUjzVlpHqYUc6DJJLDTzJeUx2Xy1ubFhlHjpAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRbS0z4 LIGH8sboEC8LUj7E90AiJDAfBgNVHSMEGDAWgBRbS0z4LIGH8sboEC8LUj7E90Ai JDANBgkqhkiG9w0BAQsFAAOCAQEAbgXlF56GyYQ/BRHFg1AdDbAtB+DlZsfbIi7o k3aRN0l28AK2UQzs6eMNUbnW/JPkCCa6R3dkHEs7KX8PlAFEjQtkeLySteVfL1O9 Rvgt8OHH3zkO0sCRAcqBemXcBakrbS1azqe/A9oW0+tIJfgKqcJthtK/ZRkvHvaH lQ48Fy4oFEbmXBKq9E0Ogk7u2H8qURQP6lRjEelKfCRRdG5YrRBgkLddA2maNf8Y ZGilKm5KyVJs2maBC4ZSs2NZGqFLZxFboaVTIjSLKnkNqtI1ZCMr7D2b6VoFGT4U gc2K/9z2BfRIOyrmSDwnDcV9biTIQMIgQ56dvmXE3X+bt3i5SQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-08T18:08:17Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-06-08T18:08:17Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-06-08T18:19:42Z" name: openshift-service-ca.crt namespace: openshift-ingress resourceVersion: "9502" uid: 0accc995-dfd9-47b9-a662-b88776056dd5 - apiVersion: v1 data: api-translation-plugin: api-translation:api-translation apikey-injection-plugin: apikey-injection:apikey-injection model-provider-resolver-plugin: model-provider-resolver:model-provider-resolver model-to-header-plugin: body-field-to-header:model-extractor:{"fieldName":"model","headerName":"X-Gateway-Model-Name"} kind: ConfigMap metadata: creationTimestamp: "2026-06-08T18:30:20Z" labels: app.kubernetes.io/component: api app.kubernetes.io/name: maas-api app.kubernetes.io/part-of: models-as-a-service app.opendatahub.io/modelsasservice: "true" maas.opendatahub.io/tenant-name: default-tenant maas.opendatahub.io/tenant-namespace: models-as-a-service managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:api-translation-plugin: {} f:apikey-injection-plugin: {} f:model-provider-resolver-plugin: {} f:model-to-header-plugin: {} f:metadata: f:labels: f:app.kubernetes.io/component: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.opendatahub.io/modelsasservice: {} f:maas.opendatahub.io/tenant-name: {} f:maas.opendatahub.io/tenant-namespace: {} f:ownerReferences: k:{"uid":"b37a9183-7beb-4260-a715-c7a0d069b5d5"}: {} manager: maas-controller operation: Apply time: "2026-06-08T18:30:20Z" name: payload-processing-plugins namespace: openshift-ingress ownerReferences: - apiVersion: maas.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: Config name: default uid: b37a9183-7beb-4260-a715-c7a0d069b5d5 resourceVersion: "25316" uid: f8b24191-ce4f-44b7-95bd-88d9b86004f2 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIYxfROLaxorswDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc4MDk0Mjc3MjAe Fw0yNjA2MDgxODE5MzJaFw0yODA4MDYxODE5MzNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3ODA5NDI3NzIwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0m3ZwimGKbU/RP9MRtrlPCXZ5SEY5P3PR QLAr1+l6W0lgeocSzvvG9KWDd2yb5AOJPlAoZJWzbGtbr/ZfZX7XLzYQauyGKGyl UQaoFkN97kVyYkDYyzMFxysVyrEoEGgCka4Syl6C4dQx03YxzrNyHAn6C7Fa8p1H y/lG94TMYpINN2tHgGrhrOu78P4VSfe2sr0uyXIkRHXE7j50IdNYx6TATvtu7CHy y1upPaqfkI2udG3gOQs8OdowpZdV/wpQuExTLO+Rwa5blcgaptZ4iAqgJ3FWEo9m PJWFWyYda0Q2lk3JZUjzVlpHqYUc6DJJLDTzJeUx2Xy1ubFhlHjpAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRbS0z4 LIGH8sboEC8LUj7E90AiJDAfBgNVHSMEGDAWgBRbS0z4LIGH8sboEC8LUj7E90Ai JDANBgkqhkiG9w0BAQsFAAOCAQEAbgXlF56GyYQ/BRHFg1AdDbAtB+DlZsfbIi7o k3aRN0l28AK2UQzs6eMNUbnW/JPkCCa6R3dkHEs7KX8PlAFEjQtkeLySteVfL1O9 Rvgt8OHH3zkO0sCRAcqBemXcBakrbS1azqe/A9oW0+tIJfgKqcJthtK/ZRkvHvaH lQ48Fy4oFEbmXBKq9E0Ogk7u2H8qURQP6lRjEelKfCRRdG5YrRBgkLddA2maNf8Y ZGilKm5KyVJs2maBC4ZSs2NZGqFLZxFboaVTIjSLKnkNqtI1ZCMr7D2b6VoFGT4U gc2K/9z2BfRIOyrmSDwnDcV9biTIQMIgQ56dvmXE3X+bt3i5SQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: description: ConfigMap providing service CA bundle. openshift.io/description: Configmap is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates openshift.io/owning-component: service-ca service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-06-08T18:08:27Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:description: {} f:service.beta.openshift.io/inject-cabundle: {} manager: ingress-operator operation: Update time: "2026-06-08T18:08:27Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:service-ca.crt: {} f:metadata: f:annotations: f:openshift.io/description: {} f:openshift.io/owning-component: {} manager: service-ca-operator operation: Update time: "2026-06-08T18:19:42Z" name: service-ca-bundle namespace: openshift-ingress resourceVersion: "9037" uid: deeb2b16-d063-4690-a094-c25a5cac9812 - apiVersion: v1 data: merged-values: |- { "affinity": {}, "autoscaleBehavior": {}, "autoscaleEnabled": true, "autoscaleMax": 5, "autoscaleMin": 1, "base": { "enableIstioConfigCRDs": true }, "cni": { "chained": false, "cniBinDir": "/var/lib/cni/bin", "cniConfDir": "/etc/cni/multus/net.d", "cniConfFileName": "istio-cni.conf", "enabled": false, "provider": "multus" }, "configMap": true, "cpu": { "targetAverageUtilization": 80 }, "defaultRevision": "", "deploymentAnnotations": {}, "deploymentLabels": {}, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "envVarFrom": [], "experimental": { "stableValidationPolicy": false }, "extraContainerArgs": [], "gatewayClasses": {}, "gateways": { "seccompProfile": {}, "securityContext": {} }, "global": { "caAddress": "", "caName": "", "certSigners": [], "configCluster": false, "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "defaultResources": { "requests": { "cpu": "10m" } }, "externalIstiod": false, "hub": "gcr.io/istio-release", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "openshift-ingress", "istiod": { "enableAnalysis": false }, "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "" }, "nativeNftables": false, "network": "", "networkPolicy": { "enabled": false }, "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371", "includeIPRanges": "*", "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "startupProbe": { "enabled": true, "failureThreshold": 600 }, "statusPort": 15020, "tracer": "none" }, "proxy_init": { "forceApplyIptables": false, "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.27.3", "trustBundleName": "openshift-gw-ca-root-cert", "variant": "", "waypoint": { "affinity": {}, "nodeSelector": {}, "resources": { "limits": { "cpu": "2", "memory": "1Gi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "tolerations": [], "topologySpreadConstraints": [] } }, "hub": "", "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "initContainers": [], "ipFamilies": [], "ipFamilyPolicy": "", "istiodRemote": { "enabled": false, "enabledLocalInjectorIstiod": false, "injectionCABundle": "", "injectionPath": "/inject", "injectionURL": "" }, "jwksResolverExtraRootCA": "", "keepaliveMaxServerConnectionAge": "30m", "memory": {}, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "enablePrometheusMerge": true, "ingressControllerMode": "OFF" }, "nodeSelector": {}, "ownerName": "", "pdb": { "minAvailable": 1, "unhealthyPodEvictionPolicy": "" }, "pilot": { "cni": { "enabled": false, "provider": "multus" }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" }, "podLabels": {}, "replicaCount": 1, "resources": { "requests": { "cpu": "500m", "memory": "2048Mi" } }, "revision": "openshift-gateway", "revisionTags": [], "rollingMaxSurge": "100%", "rollingMaxUnavailable": "25%", "seLinuxOptions": { "type": "spc_t" }, "seccompProfile": {}, "serviceAccountAnnotations": {}, "serviceAnnotations": {}, "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "reinvocationPolicy": "Never", "rewriteAppHTTPProbe": true, "templates": {} }, "sidecarInjectorWebhookAnnotations": {}, "tag": "", "taint": { "enabled": false, "namespace": "" }, "telemetry": { "enabled": true, "v2": { "enabled": true, "prometheus": { "enabled": true }, "stackdriver": { "enabled": false } } }, "tolerations": [], "topologySpreadConstraints": [], "traceSampling": 1, "trustedZtunnelName": "", "trustedZtunnelNamespace": "kube-system", "variant": "", "volumeMounts": [], "volumes": [] } original-values: |- { "defaultRevision": "", "global": { "configValidation": true, "defaultPodDisruptionBudget": { "enabled": false }, "istioNamespace": "openshift-ingress", "platform": "openshift", "priorityClassName": "system-cluster-critical", "proxy": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "proxy_init": { "image": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371" }, "trustBundleName": "openshift-gw-ca-root-cert" }, "meshConfig": { "accessLogFile": "/dev/stdout", "defaultConfig": { "proxyHeaders": { "envoyDebugHeaders": { "disabled": true }, "metadataExchangeHeaders": { "mode": "IN_MESH" }, "server": { "disabled": true } } }, "ingressControllerMode": "OFF" }, "pilot": { "cni": { "enabled": false }, "enabled": true, "env": { "ENABLE_GATEWAY_API_INFERENCE_EXTENSION": "true", "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", "PILOT_ENABLE_GATEWAY_API": "true", "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", "PILOT_ENABLE_GATEWAY_API_STATUS": "true", "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false" }, "image": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0", "podAnnotations": { "target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}" } }, "revision": "openshift-gateway", "sidecarInjectorWebhook": { "enableNamespacesByDefault": false } } kind: ConfigMap metadata: annotations: kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-06-08T18:25:55Z" labels: app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:merged-values: {} f:original-values: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"1b20b7fd-8ee7-4635-b916-5a91df392ad2"}: {} manager: sail-operator operation: Update time: "2026-06-08T18:25:55Z" name: values-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: 1b20b7fd-8ee7-4635-b916-5a91df392ad2 resourceVersion: "17213" uid: 9b2b9a1a-5787-492b-a112-f6ff80bb2587 kind: ConfigMapList metadata: resourceVersion: "50482"