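# Deployment for the istiod ("discovery") control-plane pod in dubbo-system.
# The manifest is written with its mapping/sequence nesting explicit; a
# flattened copy collapses metadata/spec/securityContext into duplicate
# top-level keys and is not a usable Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod
  namespace: dubbo-system
  labels:
    app: istiod
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "Pilot"
    istio: pilot
    release: istio
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  # The selector keys on `istio: pilot` only; any pod in the namespace that
  # carries this label is treated as part of the Deployment.
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: istiod
        istio.io/rev: default
        install.operator.istio.io/owning-resource: unknown
        # Quoted so the value stays a string; the control plane itself is
        # excluded from sidecar injection (set as label and annotation).
        sidecar.istio.io/inject: "false"
        operator.istio.io/component: "Pilot"
        istio: pilot
      annotations:
        # Scrape port matches --monitoringAddr=:15014 below.
        prometheus.io/port: "15014"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istiod
      securityContext:
        # Mounted volumes are group-owned by 1337, the same GID the
        # container runs as (runAsGroup below).
        fsGroup: 1337
      containers:
        - name: discovery
          # NOTE(review): `latest` is a mutable tag. Pin a release tag or an
          # image digest so rollouts are reproducible and the running image
          # can be tied to a scanned/signed artifact.
          image: "apache/dubbo-pilot:latest"
          args:
            - "discovery"
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            - --keepaliveMaxServerConnectionAge
            - "30m"
          # NOTE(review): ISTIOD_ADDR below uses port 15012, which is not
          # declared here. containerPort entries are informational, so this
          # does not block traffic, but the list should reflect what the
          # process listens on. In upstream Istio 15010 is the plaintext
          # discovery port - confirm for this image and restrict access with
          # a NetworkPolicy if it is not needed.
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 15010
              protocol: TCP
            - containerPort: 15017
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 3
            timeoutSeconds: 5
          env:
            - name: REVISION
              value: "default"
            # Pairs with the projected `istio-token` volume below (audience
            # istio-ca) rather than the default service-account token.
            - name: JWT_POLICY
              value: third-party-jwt
            - name: PILOT_CERT_PROVIDER
              value: istiod
            # Downward-API values: pod name, namespace and service account.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.serviceAccountName
            # Path inside the `istio-kubeconfig` secret mount. The secret is
            # optional; when present it presumably holds credentials for
            # another cluster - treat it as sensitive and scope its RBAC.
            - name: KUBECONFIG
              value: /var/run/secrets/remote/config
            - name: PILOT_TRACE_SAMPLING
              value: "1"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "true"
            - name: ISTIOD_ADDR
              value: istiod.dubbo-system.svc:15012
            - name: PILOT_ENABLE_ANALYSIS
              value: "false"
            - name: CLUSTER_ID
              value: "Kubernetes"
          # NOTE(review): only requests are set. Without limits the pod is
          # Burstable and its memory use is unbounded, including the
          # memory-backed `local-certs` emptyDir. Consider adding limits.
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          # Non-root UID/GID, no privilege escalation, read-only root
          # filesystem, all capabilities dropped.
          # NOTE(review): no seccompProfile is set; consider
          # `seccompProfile: {type: RuntimeDefault}` if the cluster does not
          # already default it.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: istio-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
            # The only mount not marked readOnly; with a read-only root
            # filesystem this is the container's writable path.
            - name: local-certs
              mountPath: /var/run/secrets/istio-dns
            - name: cacerts
              mountPath: /etc/cacerts
              readOnly: true
            - name: istio-kubeconfig
              mountPath: /var/run/secrets/remote
              readOnly: true
      volumes:
        # Technically not needed on this pod - but it helps debugging/testing SDS
        # Should be removed after everything works.
        # NOTE(review): memory-backed and without sizeLimit; consider adding
        # one so writes here cannot grow without bound.
        - emptyDir:
            medium: Memory
          name: local-certs
        # Audience-bound service-account token, valid for 43200 s (12 h).
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
        # Optional: user-generated root
        # NOTE(review): holds CA material when present; restrict who can
        # read or write the `cacerts` secret in this namespace.
        - name: cacerts
          secret:
            secretName: cacerts
            optional: true
        - name: istio-kubeconfig
          secret:
            secretName: istio-kubeconfig
            optional: true
---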