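{{- /*
Deployment for the Istio egress gateway. Rendered only when the gateway has no
injection template configured (injectionTemplate is the empty string).

Security notes for reviewers:
  - Everything gated on `$gateway.runAsRoot` is a single switch: setting it to
    true removes the pod-level non-root context AND the container-level
    hardening (capabilities drop, no privilege escalation, read-only rootfs)
    and also drops the ISTIO_META_UNPRIVILEGED_POD env var.
  - `global.proxy.enableCoreDump` adds a privileged, root init container that
    rewrites kernel.core_pattern; that sysctl is not namespaced per container.
  - `additionalContainers`, `secretVolumes` and `configVolumes` are spliced in
    verbatim from values and are not subject to the hardening above.
*/ -}}
{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "EgressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
  # replicas is only pinned when autoscaling is disabled.
  replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
  selector:
    matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
{{- end }}
        service.istio.io/canonical-name: {{ $gateway.name }}
        service.istio.io/canonical-revision: {{ index $gateway.labels "app.kubernetes.io/version" | default (index $gateway.labels "version") | default .Values.revision | default "latest" }}
        istio.io/rev: {{ .Values.revision | default "default" }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "EgressGateways"
        # The proxy is this pod's main container; never inject a second one.
        sidecar.istio.io/inject: "false"
      annotations:
        istio.io/rev: {{ .Values.revision | default "default" }}
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
    spec:
{{- if not $gateway.runAsRoot }}
      # Pod-level non-root context. On OpenShift the UID/GID are left unset
      # (presumably so the SCC can assign them); runAsNonRoot is still enforced.
      securityContext:
{{- if not (eq .Values.global.platform "openshift") }}
        runAsUser: 1337
        runAsGroup: 1337
{{- end }}
        runAsNonRoot: true
{{- end }}
      serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.proxy.enableCoreDump }}
      # Core-dump support: a privileged root init container that changes
      # kernel.core_pattern. That sysctl is not namespaced per container, so
      # enabling this affects every process on the node that dumps core.
      # `ulimit -c unlimited` only applies to this init shell; it does not carry
      # over to the istio-proxy container's process tree.
      initContainers:
        - name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
          command:
            - /bin/sh
          args:
            - -c
            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
{{- end }}
      containers:
        - name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        {{- if .Values.global.proxy.logLevel }}
          - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
        {{- end}}
        {{- if .Values.global.proxy.componentLogLevel }}
          - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
        {{- end}}
        {{- if .Values.global.logging.level }}
          - --log_output_level={{ .Values.global.logging.level }}
        {{- end}}
        {{- if .Values.global.logAsJson }}
          - --log_as_json
        {{- end }}
        {{- if .Values.global.sts.servicePort }}
          - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
        {{- if not $gateway.runAsRoot }}
          # Container hardening. This whole stanza disappears when runAsRoot is set.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          env:
          - name: PILOT_CERT_PROVIDER
            value: {{ .Values.global.pilotCertProvider }}
          - name: CA_ADDR
          {{- if .Values.global.caAddress }}
            value: {{ .Values.global.caAddress }}
          {{- else }}
            value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
          {{- end }}
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: ISTIO_CPU_LIMIT
            valueFrom:
              resourceFieldRef:
                resource: limits.cpu
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_WORKLOAD_NAME
            value: {{ $gateway.name }}
          - name: ISTIO_META_OWNER
            value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
          {{- if $.Values.global.meshID }}
          - name: ISTIO_META_MESH_ID
            value: "{{ $.Values.global.meshID }}"
          {{- else if .Values.meshConfig.trustDomain }}
          - name: ISTIO_META_MESH_ID
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if .Values.meshConfig.trustDomain }}
          - name: TRUST_DOMAIN
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          # Operator-supplied env vars. `quote` escapes embedded double quotes and
          # control characters so a value cannot break out of the YAML scalar;
          # plain values render exactly as the previous double-quoted form did.
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: {{ $val | quote }}
          {{- end }}
          {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
          - name: {{ $key }}
            value: {{ $value | quote }}
          {{- end }}
          {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
          {{- if and (not $network_set) .Values.global.network }}
          - name: ISTIO_META_NETWORK
            value: "{{ .Values.global.network }}"
          {{- end }}
          - name: ISTIO_META_CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          - name: ISTIO_META_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          volumeMounts:
          - name: workload-socket
            mountPath: /var/run/secrets/workload-spiffe-uds
          - name: credential-socket
            mountPath: /var/run/secrets/credential-uds
          - name: workload-certs
            mountPath: /var/run/secrets/workload-spiffe-credentials
          - name: istio-envoy
            mountPath: /etc/istio/proxy
          - name: config-volume
            mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
          - mountPath: /var/run/secrets/istio
            name: istiod-ca-cert
{{- end }}
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true
          {{- if .Values.global.mountMtlsCerts }}
          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          {{- end }}
          - mountPath: /var/lib/istio/data
            name: istio-data
          - name: podinfo
            mountPath: /etc/istio/pod
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
        # additionalContainers are rendered verbatim from values; they do not get
        # the istio-proxy securityContext above and must carry their own.
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      - emptyDir: {}
        name: workload-certs
{{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
{{- end }}
      # Exposes the pod's own labels and annotations to the proxy under /etc/istio/pod.
      - name: podinfo
        downwardAPI:
          items:
            - path: "labels"
              fieldRef:
                fieldPath: metadata.labels
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
      - name: istio-envoy
        emptyDir: {}
      - name: istio-data
        emptyDir: {}
      # Projected service-account token: 12h expiry, bound to the audience in
      # global.sds.token.aud, so it is not usable as a general API token.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
      # The secret name follows the serviceAccountName above (istio.<sa-name>) so a
      # renamed gateway still finds its certs; the previous hard-coded
      # istio.istio-egressgateway-service-account only matched the default name.
      - name: istio-certs
        secret:
          secretName: istio.{{ $gateway.name }}-service-account
          optional: true
      {{- end }}
      - name: config-volume
        configMap:
          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
          optional: true
      # Extra secrets/configmaps are optional: if one is missing the pod still
      # starts with an empty mount, so a gateway can come up without the TLS
      # material it was expected to serve. Check the pod when credentials seem absent.
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
      tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}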