{{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: {{- range $index, $container := .Spec.Containers }} {{ if not (eq $container.Name "istio-proxy") }} - name: {{ $container.Name }} env: - name: DUBBO_XDS_ENABLE value: "true" - name: ISTIO_META_GENERATOR value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - name: JWT_POLICY value: {{ $.Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ $.Values.global.pilotCertProvider }} - name: CA_ADDR {{- if $.Values.global.caAddress }} value: {{ $.Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq $.Values.revision "") }}-{{ $.Values.revision }}{{- end }}.{{ $.Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PROXY_CONFIG value: | {{ protoToJSON $.ProxyConfig }} - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault $.Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index $.ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) $.ProxyConfig.InterceptionMode.String }}" {{- if $.Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ $.Values.global.network }}" {{- end }} {{- if $.DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ $.DeploymentMeta.Name }}" {{ end }} {{- if and $.TypeMeta.APIVersion $.DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ $.TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault $.DeploymentMeta.Namespace `default` }}/{{ toLower $.TypeMeta.Kind}}s/{{ $.DeploymentMeta.Name }} {{- end}} {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" {{- else if (valueOrDefault $.MeshConfig.TrustDomain $.Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault $.MeshConfig.TrustDomain $.Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault $.MeshConfig.TrustDomain $.Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := $.ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} # grpc uses xds:/// to resolve – no need to resolve VIP - name: ISTIO_META_DNS_CAPTURE value: "false" - name: DISABLE_ENVOY value: "true" volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials {{- if eq $.Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds {{- if eq $.Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if isset $.ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index $.ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: workload-certs # UDS channel between istioagent and gRPC client for XDS/SDS - emptyDir: medium: Memory name: istio-xds - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations {{- if eq $.Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ $.Values.global.sds.token.aud }} {{- end }} {{- if eq $.Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if isset $.ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index $.ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- end }} {{- end }}