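# Helm template: Deployment for the control-plane "discovery" container (istiod),
# optionally suffixed with .Values.revision so several revisions can coexist.
# Indentation has been restored to a consistent 2-space layout and every templated
# scalar that Kubernetes requires to be a string is now quoted, so an empty or
# boolean-looking value (e.g. a revision named "no") cannot be retyped by the parser.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: istiod
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "Pilot"
    istio: pilot
    release: {{ .Release.Name }}
    # User-supplied labels; values are quoted so label values always render as strings.
    {{- range $key, $val := .Values.pilot.deploymentLabels }}
    {{ $key }}: "{{ $val }}"
    {{- end }}
spec:
  # replicas is only pinned when autoscaling is off; with an HPA the field is left
  # unset so the autoscaler owns it.
  {{- if not .Values.pilot.autoscaleEnabled }}
  {{- if .Values.pilot.replicaCount }}
  replicas: {{ .Values.pilot.replicaCount }}
  {{- end }}
  {{- end }}
  strategy:
    rollingUpdate:
      maxSurge: {{ .Values.pilot.rollingMaxSurge }}
      maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
  selector:
    matchLabels:
      # A revisioned install selects on app + revision; the default install keeps the
      # legacy "istio: pilot" selector. Selectors are immutable, so keep this stable.
      {{- if ne .Values.revision "" }}
      app: istiod
      istio.io/rev: {{ .Values.revision | default "default" }}
      {{- else }}
      istio: pilot
      {{- end }}
  template:
    metadata:
      labels:
        app: istiod
        istio.io/rev: {{ .Values.revision | default "default" }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        # The control plane must never get a sidecar injected into itself.
        sidecar.istio.io/inject: "false"
        operator.istio.io/component: "Pilot"
        {{- if ne .Values.revision "" }}
        istio: istiod
        {{- else }}
        istio: pilot
        {{- end }}
        {{- range $key, $val := .Values.pilot.podLabels }}
        {{ $key }}: "{{ $val }}"
        {{- end }}
      annotations:
        # Scrape target for the control-plane monitoring port (see --monitoringAddr).
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15014"
        prometheus.io/scrape: "true"
        {{- end }}
        sidecar.istio.io/inject: "false"
        {{- with .Values.pilot.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      # Scheduling constraints are all rendered with nindent so they do not depend on
      # the template line being at column 0.
      {{- with .Values.pilot.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.pilot.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.pilot.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # Dedicated service account, revision-suffixed like the Deployment name.
      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
      {{- end }}
      securityContext:
        # Mounted volumes are group-owned by the same GID the container runs as.
        fsGroup: 1337
      containers:
        - name: discovery
          # A value containing "/" is treated as a fully qualified image reference;
          # otherwise the reference is assembled from hub/image:tag with global fallbacks.
          {{- if contains "/" .Values.pilot.image }}
          image: "{{ .Values.pilot.image }}"
          {{- else }}
          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "dubbo-pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
          {{- end }}
          {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
          {{- end }}
          args:
            - "discovery"
            # Monitoring/metrics endpoint; matches the prometheus.io/port annotation.
            - --monitoringAddr=:15014
            {{- if .Values.global.logging.level }}
            - --log_output_level={{ .Values.global.logging.level }}
            {{- end }}
            {{- if .Values.global.logAsJson }}
            - --log_as_json
            {{- end }}
            - --domain
            - "{{ .Values.global.proxy.clusterDomain }}"
            # Restrict discovery to the release namespace when oneNamespace is set.
            {{- if .Values.global.oneNamespace }}
            - "-a"
            - "{{ .Release.Namespace }}"
            {{- end }}
            {{- if .Values.pilot.plugins }}
            - --plugins={{ .Values.pilot.plugins }}
            {{- end }}
            - --keepaliveMaxServerConnectionAge
            - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
          ports:
            # 8080: HTTP debug/readiness; 15010: plaintext xDS; 15017: webhook/HTTPS.
            - containerPort: 8080
              protocol: TCP
            - containerPort: 15010
              protocol: TCP
            - containerPort: 15017
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 3
            timeoutSeconds: 5
          env:
            - name: REVISION
              value: "{{ .Values.revision | default `default` }}"
            # Controls whether the projected (third-party) service-account token is
            # mounted below; must match the volume/volumeMount conditions.
            - name: JWT_POLICY
              value: "{{ .Values.global.jwtPolicy }}"
            - name: PILOT_CERT_PROVIDER
              value: "{{ .Values.global.pilotCertProvider }}"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.serviceAccountName
            # Points at the optional istio-kubeconfig secret mounted read-only below.
            - name: KUBECONFIG
              value: /var/run/secrets/remote/config
            # Arbitrary extra environment from values; always rendered as strings.
            {{- if .Values.pilot.env }}
            {{- range $key, $val := .Values.pilot.env }}
            - name: {{ $key }}
              value: "{{ $val }}"
            {{- end }}
            {{- end }}
            {{- if .Values.pilot.traceSampling }}
            - name: PILOT_TRACE_SAMPLING
              value: "{{ .Values.pilot.traceSampling }}"
            {{- end }}
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
            # In-cluster address of this control plane (secure xDS port 15012).
            - name: ISTIOD_ADDR
              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
            - name: PILOT_ENABLE_ANALYSIS
              value: "{{ .Values.global.istiod.enableAnalysis }}"
            - name: CLUSTER_ID
              value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          resources:
            {{- if .Values.pilot.resources }}
            {{- toYaml .Values.pilot.resources | nindent 12 }}
            {{- else }}
            {{- toYaml .Values.global.defaultResources | nindent 12 }}
            {{- end }}
          # Hardened container: non-root fixed UID/GID, no privilege escalation,
          # immutable root filesystem and no Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
            - name: istio-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
            {{- end }}
            # The only writable mount; required because the root filesystem is read-only.
            - name: local-certs
              mountPath: /var/run/secrets/istio-dns
            - name: cacerts
              mountPath: /etc/cacerts
              readOnly: true
            - name: istio-kubeconfig
              mountPath: /var/run/secrets/remote
              readOnly: true
            {{- if .Values.pilot.jwksResolverExtraRootCA }}
            # Extra JWKS root CAs are configuration, not state: mount them read-only
            # like the other trust material.
            - name: extracacerts
              mountPath: /cacerts
              readOnly: true
            {{- end }}
      volumes:
        # Technically not needed on this pod - but it helps debugging/testing SDS
        # Should be removed after everything works.
        - emptyDir:
            medium: Memory
          name: local-certs
        {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
        # Audience-bound, short-lived service-account token (12h) instead of the
        # legacy unbounded token.
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: "{{ .Values.global.sds.token.aud }}"
                  expirationSeconds: 43200
                  path: istio-token
        {{- end }}
        # Optional: user-generated root
        - name: cacerts
          secret:
            secretName: cacerts
            optional: true
        # Optional kubeconfig for a remote cluster; absent secret yields an empty mount.
        - name: istio-kubeconfig
          secret:
            secretName: istio-kubeconfig
            optional: true
        {{- if .Values.pilot.jwksResolverExtraRootCA }}
        - name: extracacerts
          configMap:
            name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
        {{- end }}
---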