| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| name: istiod |
| namespace: dubbo-system |
| labels: |
| app: istiod |
| istio.io/rev: default |
| install.operator.istio.io/owning-resource: unknown |
| operator.istio.io/component: "Pilot" |
| istio: pilot |
| release: istio |
| spec: |
| strategy: |
| rollingUpdate: |
| maxSurge: 100% |
| maxUnavailable: 25% |
| selector: |
| matchLabels: |
| istio: pilot |
| template: |
| metadata: |
| labels: |
| app: istiod |
| istio.io/rev: default |
| install.operator.istio.io/owning-resource: unknown |
| sidecar.istio.io/inject: "false" |
| operator.istio.io/component: "Pilot" |
| istio: pilot |
| annotations: |
| prometheus.io/port: "15014" |
| prometheus.io/scrape: "true" |
| sidecar.istio.io/inject: "false" |
| spec: |
| serviceAccountName: istiod |
| securityContext: |
| fsGroup: 1337 |
| containers: |
| - name: discovery |
| image: "apache/dubbo-pilot:latest" |
| args: |
| - "discovery" |
| - --monitoringAddr=:15014 |
| - --log_output_level=default:info |
| - --domain |
| - cluster.local |
| - --keepaliveMaxServerConnectionAge |
| - "30m" |
| ports: |
| - containerPort: 8080 |
| protocol: TCP |
| - containerPort: 15010 |
| protocol: TCP |
| - containerPort: 15017 |
| protocol: TCP |
| readinessProbe: |
| httpGet: |
| path: /ready |
| port: 8080 |
| initialDelaySeconds: 1 |
| periodSeconds: 3 |
| timeoutSeconds: 5 |
| env: |
| - name: REVISION |
| value: "default" |
| - name: JWT_POLICY |
| value: third-party-jwt |
| - name: PILOT_CERT_PROVIDER |
| value: istiod |
| - name: POD_NAME |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.name |
| - name: POD_NAMESPACE |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.namespace |
| - name: SERVICE_ACCOUNT |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: spec.serviceAccountName |
| - name: KUBECONFIG |
| value: /var/run/secrets/remote/config |
| - name: PILOT_TRACE_SAMPLING |
| value: "1" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND |
| value: "true" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND |
| value: "true" |
| - name: ISTIOD_ADDR |
| value: istiod.dubbo-system.svc:15012 |
| - name: PILOT_ENABLE_ANALYSIS |
| value: "false" |
| - name: CLUSTER_ID |
| value: "Kubernetes" |
| resources: |
| requests: |
| cpu: 500m |
| memory: 2048Mi |
| securityContext: |
| allowPrivilegeEscalation: false |
| readOnlyRootFilesystem: true |
| runAsUser: 1337 |
| runAsGroup: 1337 |
| runAsNonRoot: true |
| capabilities: |
| drop: |
| - ALL |
| volumeMounts: |
| - name: istio-token |
| mountPath: /var/run/secrets/tokens |
| readOnly: true |
| - name: local-certs |
| mountPath: /var/run/secrets/istio-dns |
| - name: cacerts |
| mountPath: /etc/cacerts |
| readOnly: true |
| - name: istio-kubeconfig |
| mountPath: /var/run/secrets/remote |
| readOnly: true |
| volumes: |
| # Technically not needed on this pod - but it helps debugging/testing SDS |
| # Should be removed after everything works. |
| - emptyDir: |
| medium: Memory |
| name: local-certs |
| - name: istio-token |
| projected: |
| sources: |
| - serviceAccountToken: |
| audience: istio-ca |
| expirationSeconds: 43200 |
| path: istio-token |
| # Optional: user-generated root |
| - name: cacerts |
| secret: |
| secretName: cacerts |
| optional: true |
| - name: istio-kubeconfig |
| secret: |
| secretName: istio-kubeconfig |
| optional: true |
| --- |