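# Deployment of the Istio ingress gateway proxy in the dubbo-system namespace.
# NOTE(review): the listing had lost its indentation and was wrapped in table
# pipes; the nesting below is reconstructed from the apps/v1 Deployment schema.
# Keys and values are unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: dubbo-system
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  # These two labels select the gateway pods; Gateway resources that target
  # `istio: ingressgateway` bind to the same pods.
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        istio: ingressgateway
        heritage: Tiller
        release: istio
        chart: gateways
        service.istio.io/canonical-name: istio-ingressgateway
        service.istio.io/canonical-revision: latest
        istio.io/rev: default
        install.operator.istio.io/owning-resource: unknown
        operator.istio.io/component: "IngressGateways"
        # The proxy is this pod's main container, so sidecar injection is
        # switched off (label here, annotation below).
        sidecar.istio.io/inject: "false"
      annotations:
        # Metrics are scraped from port 15020, which is not among the declared
        # containerPorts below.
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        sidecar.istio.io/inject: "false"
    spec:
      # Pod-level identity: every container runs as non-root UID/GID 1337 and
      # volumes are group-owned by 1337 (fsGroup).
      # NOTE(review): no seccompProfile is set at pod or container level;
      # consider `seccompProfile.type: RuntimeDefault` once the proxy has been
      # verified under it.
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          # NOTE(review): mutable `latest` tag from a testing registry path.
          # With `latest` and no imagePullPolicy, Kubernetes pulls on every pod
          # start, so the running binary can change without a manifest change.
          # Pin a released image by digest (image@sha256:<DIGEST_PLACEHOLDER>)
          # before using this outside a test cluster.
          image: "gcr.io/istio-testing/mynewproxy:latest"
          # Listeners use unprivileged ports (8080/8443), which is consistent
          # with dropping every capability below (no NET_BIND_SERVICE needed).
          ports:
            - containerPort: 15021
              protocol: TCP
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8443
              protocol: TCP
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --proxyLogLevel=warning
            - --proxyComponentLogLevel=misc:error
            - --log_output_level=default:info
          # Container hardening: no privilege escalation, no capabilities, not
          # privileged, read-only root filesystem. Writable paths are limited
          # to the emptyDir volumes mounted below.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          env:
            # third-party-jwt: the proxy authenticates to the CA with the
            # projected, audience-bound token from the istio-token volume
            # rather than the default service-account token.
            - name: JWT_POLICY
              value: third-party-jwt
            - name: PILOT_CERT_PROVIDER
              value: istiod
            # Certificate signing requests go to istiod in dubbo-system on
            # port 15012.
            - name: CA_ADDR
              value: istiod.dubbo-system.svc:15012
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/dubbo-system/deployments/istio-ingressgateway
            - name: ISTIO_META_MESH_ID
              value: "cluster.local"
            # NOTE(review): `cluster.local` is the default trust domain; if
            # several clusters share a root of trust, confirm this value is
            # what authorization policies are meant to match.
            - name: TRUST_DOMAIN
              value: "cluster.local"
            - name: ISTIO_META_UNPRIVILEGED_POD
              value: "true"
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
          volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            - name: istio-envoy
              mountPath: /etc/istio/proxy
            - name: config-volume
              mountPath: /etc/istio/config
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
            # Token and gateway certificate material are mounted read-only.
            - name: istio-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
            - mountPath: /var/lib/istio/data
              name: istio-data
            - name: podinfo
              mountPath: /etc/istio/pod
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        - emptyDir: {}
          name: workload-socket
        - emptyDir: {}
          name: workload-certs
        # presumably the root certificate used to verify istiod; confirm
        # against the istio-ca-root-cert ConfigMap.
        - name: istiod-ca-cert
          configMap:
            name: istio-ca-root-cert
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "annotations"
                fieldRef:
                  fieldPath: metadata.annotations
        - name: istio-envoy
          emptyDir: {}
        - name: istio-data
          emptyDir: {}
        # Projected service-account token bound to the `istio-ca` audience and
        # valid for 43200 s (12 h), which limits where a leaked token can be
        # replayed and for how long.
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  path: istio-token
                  expirationSeconds: 43200
                  audience: istio-ca
        - name: config-volume
          configMap:
            name: istio
            optional: true
        # Both Secrets are optional, so the pod starts even when they are
        # absent. A missing certificate therefore shows up as a listener or
        # handshake problem at runtime, not as a failed rollout.
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
---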