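# Istio "cluster-local" gateway (proxyv2 1.9.6) in istio-system: an ingress
# gateway that is only reachable from inside the cluster (the Service below is
# type: ClusterIP). Six documents: ServiceAccount, Deployment,
# PodDisruptionBudget, Role, RoleBinding, Service.
#
# Security-relevant points, detailed inline:
#   * the Role grants get/list/watch on EVERY Secret in istio-system;
#   * the proxy image is pinned by mutable tag only, not by digest;
#   * the pod runs unprivileged (uid/gid 1337, all capabilities dropped,
#     read-only root filesystem, no privilege escalation).
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-local-gateway-service-account
  namespace: istio-system
  labels:
    app: cluster-local-gateway
    istio: cluster-local-gateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio: cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  # No `replicas` is set, so the Deployment defaults to a single pod. Combined
  # with the PodDisruptionBudget's minAvailable: 1 below, that one pod can never
  # be voluntarily evicted (e.g. by `kubectl drain`). Run >= 2 replicas or relax
  # the PDB if node maintenance must not be blocked.
  selector:
    matchLabels:
      app: cluster-local-gateway
      istio: cluster-local-gateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Scrape the agent's merged-metrics endpoint on the status port.
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        # The gateway pod IS the proxy; never inject a second sidecar into it.
        sidecar.istio.io/inject: "false"
      labels:
        app: cluster-local-gateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: cluster-local-gateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        service.istio.io/canonical-name: cluster-local-gateway
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      affinity:
        nodeAffinity:
          # Soft preference for each of the three supported architectures (all
          # weight 2, i.e. no architecture is actually preferred over another).
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          # Hard requirement: only schedule on architectures the image is built for.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
      containers:
        - args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --proxyLogLevel=warning
            - --proxyComponentLogLevel=misc:error
            - --log_output_level=default:info
            - --serviceCluster
            - cluster-local-gateway
          env:
            # The agent authenticates to istiod's CA (CA_ADDR, port 15012) with
            # the projected, audience-bound (istio-ca) service account token
            # mounted at /var/run/secrets/tokens, not with the default SA token.
            - name: JWT_POLICY
              value: third-party-jwt
            - name: PILOT_CERT_PROVIDER
              value: istiod
            - name: CA_ADDR
              value: istiod.istio-system.svc:15012
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: CANONICAL_SERVICE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['service.istio.io/canonical-name']
            - name: CANONICAL_REVISION
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['service.istio.io/canonical-revision']
            - name: ISTIO_META_WORKLOAD_NAME
              value: cluster-local-gateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
            # Tells the agent it has no privileges (matches the securityContext
            # below): Envoy must bind only unprivileged ports (8080 here).
            - name: ISTIO_META_UNPRIVILEGED_POD
              value: "true"
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
            - name: ISTIO_META_CLUSTER_ID
              value: Kubernetes
          # Tag-only pin. A mutable tag can be re-pointed at the registry; for a
          # supply-chain-safe deployment pin the digest you verified
          # (image: docker.io/istio/proxyv2@sha256:<digest>) instead. Istio 1.9
          # is also an out-of-support release line upstream.
          image: docker.io/istio/proxyv2:1.9.6
          name: istio-proxy
          ports:
            - containerPort: 15020
              protocol: TCP
            - containerPort: 8080
              protocol: TCP
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          readinessProbe:
            failureThreshold: 30
            httpGet:
              # Agent health port (15021); note it is not in `ports` above nor
              # exposed by the Service, which is fine for a ClusterIP gateway.
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          # Container hardening: no capabilities, no setuid escalation, no
          # writable root fs (writable state lives in the emptyDir volumes).
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /etc/istio/proxy
              name: istio-envoy
            - mountPath: /etc/istio/config
              name: config-volume
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
            - mountPath: /var/run/secrets/tokens
              name: istio-token
              readOnly: true
            - mountPath: /var/lib/istio/data
              name: istio-data
            - mountPath: /etc/istio/pod
              name: podinfo
            # Legacy file-mounted TLS material. Both Secrets are optional and
            # share their names with the default istio-ingressgateway; if they
            # exist, this cluster-local gateway receives the same key material.
            - mountPath: /etc/istio/ingressgateway-certs
              name: ingressgateway-certs
              readOnly: true
            - mountPath: /etc/istio/ingressgateway-ca-certs
              name: ingressgateway-ca-certs
              readOnly: true
      # Pod-level identity: the conventional Istio proxy uid/gid 1337, non-root.
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: cluster-local-gateway-service-account
      volumes:
        # Root CA bundle used to verify istiod; public material only.
        - configMap:
            name: istio-ca-root-cert
          name: istiod-ca-cert
        - downwardAPI:
            items:
              - fieldRef:
                  fieldPath: metadata.labels
                path: labels
              - fieldRef:
                  fieldPath: metadata.annotations
                path: annotations
              - path: cpu-limit
                resourceFieldRef:
                  containerName: istio-proxy
                  divisor: 1m
                  resource: limits.cpu
              - path: cpu-request
                resourceFieldRef:
                  containerName: istio-proxy
                  divisor: 1m
                  resource: requests.cpu
          name: podinfo
        - emptyDir: {}
          name: istio-envoy
        - emptyDir: {}
          name: istio-data
        # Audience-bound, short-lived (12h) token: only istiod's CA will accept
        # it, so a leaked copy cannot be replayed against the Kubernetes API.
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
        - configMap:
            name: istio
            optional: true
          name: config-volume
        - name: ingressgateway-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-certs
        - name: ingressgateway-ca-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-ca-certs
---
# policy/v1beta1 PodDisruptionBudget was removed in Kubernetes 1.25; the GA
# policy/v1 API exists from 1.21. Kept at v1beta1 here because Istio 1.9 targets
# older clusters, but switch to policy/v1 before moving to 1.25+.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: cluster-local-gateway
  namespace: istio-system
  labels:
    app: cluster-local-gateway
    istio: cluster-local-gateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  # See the Deployment: with the default single replica this blocks drains.
  minAvailable: 1
  selector:
    matchLabels:
      app: cluster-local-gateway
      istio: cluster-local-gateway
---
# Least-privilege caveat: this Role lets the gateway's service account read and
# watch ALL Secrets in istio-system, not just its own TLS Secrets. A compromise
# of the gateway pod therefore exposes every Secret in the namespace (other
# gateways' TLS keys and, depending on the CA setup, control-plane CA material).
# `resourceNames` cannot be used to narrow it because `list`/`watch` on named
# resources is not supported by RBAC; restrict by moving gateway TLS Secrets to
# a dedicated namespace if this breadth is unacceptable.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cluster-local-gateway-sds
  namespace: istio-system
  labels:
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-local-gateway-sds
  namespace: istio-system
  labels:
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-local-gateway-sds
subjects:
  - kind: ServiceAccount
    name: cluster-local-gateway-service-account
    # Explicit: a ServiceAccount subject without a namespace is resolved against
    # the binding's own namespace, so this is the same subject, stated plainly.
    namespace: istio-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio: cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  ports:
    # 15020 is the agent's status/merged-metrics port (the readiness probe
    # above uses 15021, which is deliberately not exposed here).
    - name: status-port
      port: 15020
      protocol: TCP
      targetPort: 15020
    # Plain HTTP/2 on an unprivileged container port (see ISTIO_META_UNPRIVILEGED_POD).
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: cluster-local-gateway
    istio: cluster-local-gateway
  # ClusterIP only: this gateway is never reachable from outside the cluster.
  type: ClusterIP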