Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ambient upstream: upstream XDS codegen and some misc #43422

Merged
merged 4 commits into from Feb 17, 2023
Merged

ambient upstream: upstream XDS codegen and some misc #43422

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3c161a3
ambient upstream: upstream XDS codegen and some misc
howardjohn Feb 17, 2023
a4962cd
fix config
howardjohn Feb 17, 2023
5894f12
Address comments
howardjohn Feb 17, 2023
266a1ee
lint
howardjohn Feb 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
212 changes: 212 additions & 0 deletions manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml
View file
Open in desktop
Expand Up @@ -1339,6 +1339,218 @@ data:
securityContext:
fsGroup: 1337
{{- end }}
waypoint: |
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{.ServiceAccount | quote}}
namespace: {{.Namespace | quote}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
annotations:
{{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account") | nindent 4 }}
labels:
{{- toJsonMap .Labels | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
name: "{{.Name}}"
uid: "{{.UID}}"
spec:
selector:
matchLabels:
istio.io/gateway-name: "{{.Name}}"
template:
metadata:
annotations:
{{- toJsonMap
(omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account")
(strdict
"ambient.istio.io/redirection" "disabled"
"prometheus.io/path" "/stats/prometheus"
"prometheus.io/port" "15020"
"prometheus.io/scrape" "true"
) | nindent 8 }}
labels:
{{- toJsonMap
(strdict
"sidecar.istio.io/inject" "false"
"service.istio.io/canonical-name" .DeploymentName
"service.istio.io/canonical-revision" "latest"
)
.Labels
(strdict
"istio.io/gateway-name" .Name
"gateway.istio.io/managed" "istio.io-mesh-controller"
) | nindent 8}}
spec:
terminationGracePeriodSeconds: 2
serviceAccountName: {{.ServiceAccount | quote}}
containers:
- args:
- proxy
- waypoint
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
- {{.ServiceAccount}}.$(POD_NAMESPACE)
- --proxyLogLevel
- {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
- --proxyComponentLogLevel
- {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
- --log_output_level
- {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --concurrency
- "2"
env:
- name: ISTIO_META_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_WORKLOAD_NAME
value: {{.DeploymentName}}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
image: {{.ProxyImage}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
name: istio-proxy
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
startupProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 1
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 4
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 1
securityContext:
privileged: true
runAsGroup: 1337
runAsUser: 0
capabilities:
add:
- NET_ADMIN
- NET_RAW
volumeMounts:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- emptyDir:
medium: Memory
name: go-proxy-envoy
- emptyDir: {}
name: istio-data
- emptyDir: {}
name: go-proxy-data
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.labels
path: labels
- fieldRef:
fieldPath: metadata.annotations
path: annotations
name: istio-podinfo
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
- configMap:
name: istio-ca-root-cert
name: istiod-ca-cert
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
kube-gateway: |
apiVersion: v1
kind: ServiceAccount
Expand Down
4 changes: 4 additions & 0 deletions manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
View file
Open in desktop
Expand Up @@ -60,6 +60,10 @@ data:
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
waypoint: |
{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
kube-gateway: |
{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
Expand Down
4 changes: 4 additions & 0 deletions manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
View file
Open in desktop
Expand Up @@ -60,6 +60,10 @@ data:
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
waypoint: |
{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
kube-gateway: |
{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
Expand Down
Binary file modified operator/cmd/mesh/testdata/manifest-generate/data-snapshot.tar.gz
View file
Open in desktop
Binary file not shown.