1
{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
2
{{- if eq $gateway.injectionTemplate "" }}
6
name: {{ $gateway.name }}
7
namespace: {{ .Release.Namespace }}
9
{{ $gateway.labels | toYaml | indent 4 }}
10
release: {{ .Release.Name }}
11
istio.io/rev: {{ .Values.revision | default "default" }}
12
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
13
operator.istio.io/component: "EgressGateways"
15
{{- if not $gateway.autoscaleEnabled }}
16
{{- if $gateway.replicaCount }}
17
replicas: {{ $gateway.replicaCount }}
22
{{ $gateway.labels | toYaml | indent 6 }}
25
maxSurge: {{ $gateway.rollingMaxSurge }}
26
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
30
{{ $gateway.labels | toYaml | indent 8 }}
31
{{- if eq .Release.Namespace "istio-system"}}
36
service.istio.io/canonical-name: {{ $gateway.name }}
37
service.istio.io/canonical-revision: {{ index $gateway.labels "app.kubernetes.io/version" | default (index $gateway.labels "version") | default .Values.revision | default "latest" }}
38
istio.io/rev: {{ .Values.revision | default "default" }}
39
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
40
operator.istio.io/component: "EgressGateways"
41
sidecar.istio.io/inject: "false"
43
istio.io/rev: {{ .Values.revision | default "default" }}
44
{{- if .Values.meshConfig.enablePrometheusMerge }}
45
prometheus.io/port: "15020"
46
prometheus.io/scrape: "true"
47
prometheus.io/path: "/stats/prometheus"
49
sidecar.istio.io/inject: "false"
50
{{- if $gateway.podAnnotations }}
51
{{ toYaml $gateway.podAnnotations | indent 8 }}
54
{{- if not $gateway.runAsRoot }}
56
{{- if not (eq .Values.global.platform "openshift") }}
62
serviceAccountName: {{ $gateway.name }}-service-account
63
{{- if .Values.global.priorityClassName }}
64
priorityClassName: "{{ .Values.global.priorityClassName }}"
66
{{- if .Values.global.proxy.enableCoreDump }}
68
- name: enable-core-dump
69
{{- if contains "/" .Values.global.proxy.image }}
70
image: "{{ .Values.global.proxy.image }}"
72
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
74
{{- if .Values.global.imagePullPolicy }}
75
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
81
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
90
{{- if contains "/" .Values.global.proxy.image }}
91
image: "{{ .Values.global.proxy.image }}"
93
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
95
{{- if .Values.global.imagePullPolicy }}
96
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
99
{{- range $key, $val := $gateway.ports }}
100
- containerPort: {{ $val.targetPort | default $val.port }}
101
protocol: {{ $val.protocol | default "TCP" }}
103
- containerPort: 15090
105
name: http-envoy-prom
110
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
111
{{- if .Values.global.proxy.logLevel }}
112
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
114
{{- if .Values.global.proxy.componentLogLevel }}
115
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
117
{{- if .Values.global.logging.level }}
118
- --log_output_level={{ .Values.global.logging.level }}
120
{{- if .Values.global.logAsJson }}
123
{{- if .Values.global.sts.servicePort }}
124
- --stsPort={{ .Values.global.sts.servicePort }}
126
{{- if not $gateway.runAsRoot }}
128
allowPrivilegeEscalation: false
133
readOnlyRootFilesystem: true
141
initialDelaySeconds: 1
146
{{- if $gateway.resources }}
147
{{ toYaml $gateway.resources | indent 12 }}
149
{{ toYaml .Values.global.defaultResources | indent 12 }}
152
- name: PILOT_CERT_PROVIDER
153
value: {{ .Values.global.pilotCertProvider }}
155
{{- if .Values.global.caAddress }}
156
value: {{ .Values.global.caAddress }}
158
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
164
fieldPath: spec.nodeName
169
fieldPath: metadata.name
170
- name: POD_NAMESPACE
174
fieldPath: metadata.namespace
179
fieldPath: status.podIP
184
fieldPath: status.hostIP
185
- name: ISTIO_CPU_LIMIT
189
- name: SERVICE_ACCOUNT
192
fieldPath: spec.serviceAccountName
193
- name: ISTIO_META_WORKLOAD_NAME
194
value: {{ $gateway.name }}
195
- name: ISTIO_META_OWNER
196
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
197
{{- if $.Values.global.meshID }}
198
- name: ISTIO_META_MESH_ID
199
value: "{{ $.Values.global.meshID }}"
200
{{- else if .Values.meshConfig.trustDomain }}
201
- name: ISTIO_META_MESH_ID
202
value: "{{ .Values.meshConfig.trustDomain }}"
204
{{- if .Values.meshConfig.trustDomain }}
206
value: "{{ .Values.meshConfig.trustDomain }}"
208
{{- if not $gateway.runAsRoot }}
209
- name: ISTIO_META_UNPRIVILEGED_POD
212
{{- range $key, $val := $gateway.env }}
216
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
218
value: "{{ $value }}"
220
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
221
{{- if and (not $network_set) .Values.global.network }}
222
- name: ISTIO_META_NETWORK
223
value: "{{ .Values.global.network }}"
225
- name: ISTIO_META_CLUSTER_ID
226
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
227
- name: ISTIO_META_NODE_NAME
230
fieldPath: spec.nodeName
232
- name: workload-socket
233
mountPath: /var/run/secrets/workload-spiffe-uds
234
- name: credential-socket
235
mountPath: /var/run/secrets/credential-uds
236
- name: workload-certs
237
mountPath: /var/run/secrets/workload-spiffe-credentials
239
mountPath: /etc/istio/proxy
240
- name: config-volume
241
mountPath: /etc/istio/config
242
{{- if eq .Values.global.pilotCertProvider "istiod" }}
243
- mountPath: /var/run/secrets/istio
247
mountPath: /var/run/secrets/tokens
249
{{- if .Values.global.mountMtlsCerts }}
250
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
252
mountPath: /etc/certs
255
- mountPath: /var/lib/istio/data
258
mountPath: /etc/istio/pod
259
{{- range $gateway.secretVolumes }}
261
mountPath: {{ .mountPath | quote }}
264
{{- range $gateway.configVolumes }}
267
mountPath: {{ .mountPath | quote }}
271
{{- if $gateway.additionalContainers }}
272
{{ toYaml $gateway.additionalContainers | indent 8 }}
276
name: workload-socket
278
name: credential-socket
281
{{- if eq .Values.global.pilotCertProvider "istiod" }}
282
- name: istiod-ca-cert
284
name: istio-ca-root-cert
291
fieldPath: metadata.labels
292
- path: "annotations"
294
fieldPath: metadata.annotations
302
- serviceAccountToken:
304
expirationSeconds: 43200
305
audience: {{ .Values.global.sds.token.aud }}
306
{{- if .Values.global.mountMtlsCerts }}
307
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
310
secretName: istio.istio-egressgateway-service-account
313
- name: config-volume
315
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
317
{{- range $gateway.secretVolumes }}
320
secretName: {{ .secretName | quote }}
323
{{- range $gateway.configVolumes }}
326
name: {{ .configMapName | quote }}
330
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
331
{{- include "podAntiAffinity" $gateway | indent 6 }}
332
{{- if $gateway.tolerations }}
334
{{ toYaml $gateway.tolerations | indent 6 }}
335
{{- else if .Values.global.defaultTolerations }}
337
{{ toYaml .Values.global.defaultTolerations | indent 6 }}