controlplane.yaml

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
  namespace: {{ .Release.Namespace }}
spec:
  profile: {{ .Values.profile }}
  hub: {{ .Values.hub }}
  tag: {{ .Values.tag }}

  components:
    pilot:
      k8s:
{{- if and .Values.istiod.hpaSpec.maxReplicas .Values.istiod.hpaSpec.minReplicas }}
        hpaSpec:
          maxReplicas: {{ .Values.istiod.hpaSpec.maxReplicas }}
          minReplicas: {{ .Values.istiod.hpaSpec.minReplicas }}
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istiod
          metrics:
            {{- toYaml .Values.istiod.hpaSpec.metrics | nindent 12 }}
{{- end }}
        replicaCount: {{ .Values.istiod.replicaCount }}
        resources:
          {{- toYaml .Values.istiod.resources | nindent 10 }}
        strategy:
          {{- toYaml .Values.istiod.strategy | nindent 10 }}
        serviceAnnotations:
          {{- .Values.istiod.serviceAnnotations | default (dict) | toYaml | nindent 10 }}
        podAnnotations:
          {{- .Values.istiod.podAnnotations | default (dict) | toYaml | nindent 10 }}
        nodeSelector:
          {{- .Values.istiod.nodeSelector | default (dict) | toYaml | nindent 10 }}
        affinity:
          {{- .Values.istiod.affinity | default (dict) | toYaml | nindent 10 }}
        tolerations:
          {{- .Values.istiod.tolerations | default (list) | toYaml | nindent 10 }}
    {{- if .Values.openshift }}
    {{- with .Values.cni }}
    cni:
      enabled: true
      namespace: kube-system
      k8s:
        podAnnotations:
          {{- .podAnnotations | default (dict) | toYaml | nindent 10 }}
        nodeSelector:
          {{- .nodeSelector | default (dict) | toYaml | nindent 10 }}
        tolerations:
          {{- .tolerations | default (list) | toYaml | nindent 10 }}
        affinity:
          {{- .affinity | default (dict) | toYaml | nindent 10 }}
    {{- end }}
    {{- end }}
    ingressGateways:
      - name: istio-ingressgateway
        namespace: {{ .Release.Namespace }}
        enabled: true
        label:
          {{- toYaml .Values.ingressGateway.labels | default (dict) | nindent 10 }}
        k8s:
          service:
            type: {{ .Values.ingressGateway.type }}
            ports:
              {{- range $k, $v := .Values.ingressGateway.ports }}
              {{- /* Input validation */}}
              {{- if not $v.name }}
                {{- fail "missing field 'name' in ports object" }}
              {{- else if not $v.port }}
                {{- fail "missing field 'port' in ports object" }}
              {{- else if eq $.Values.ingressGateway.type "NodePort" }}
                {{- if not $v.nodePort }}
                  {{- fail "'nodePort' must be defined when type is NodePort" }}
                {{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
                  {{- fail "nodePort value outside of acceptable range (30000-32767)" }}
                {{- end }}
              {{- end }}
              {{- /* Actual port object rendering */}}
              -
                {{- range $pk, $pv := $v }}
                {{ $pk }}: {{ $pv }}
                {{- end }}
              {{- end }}
          hpaSpec:
            minReplicas: {{ .Values.ingressGateway.minReplicas }}
            maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
            metrics:
              {{- toYaml .Values.ingressGateway.scaleMetrics | nindent 12 }}
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-ingressgateway
          strategy:
            rollingUpdate:
              maxSurge: 100%
              maxUnavailable: 25%
          resources:
            {{- toYaml .Values.ingressGateway.resources | indent 12 }}
          serviceAnnotations:
            {{- .Values.ingressGateway.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
          podAnnotations:
            {{- .Values.ingressGateway.podAnnotations | default (dict) | toYaml | nindent 12 }}
          nodeSelector:
            {{- .Values.ingressGateway.nodeSelector | default (dict) | toYaml | nindent 12 }}
          affinity:
            {{- .Values.ingressGateway.affinity | default (dict) | toYaml | nindent 12 }}
          tolerations:
            {{- .Values.ingressGateway.tolerations | default (list) | toYaml | nindent 12 }}
      {{- range $i := .Values.extraIngressGateways }}
      - name: {{ $i.name }}
        namespace: {{ $.Release.Namespace }}
        enabled: true
        label:
          {{- toYaml $i.labels | default (dict) | nindent 10 }}
        k8s:
          service:
            type: {{ $i.type }}
            ports:
              {{- range $k, $v := $i.ports }}
              {{- /* Input validation */}}
              {{- if not $v.name }}
                {{- fail "missing field 'name' in ports object" }}
              {{- else if not $v.port }}
                {{- fail "missing field 'port' in ports object" }}
              {{- else if eq $i.type "NodePort" }}
                {{- if not $v.nodePort }}
                  {{- fail "'nodePort' must be defined when type is NodePort" }}
                {{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
                  {{- fail "nodePort value outside of acceptable range (30000-32767)" }}
                {{- end }}
              {{- end }}
              {{- /* Actual port object rendering */}}
              -
                {{- range $pk, $pv := $v }}
                {{ $pk }}: {{ $pv }}
                {{- end }}
              {{- end }}
          {{- if $i.k8s.hpaSpec }}
          hpaSpec:
            minReplicas: {{ $i.k8s.hpaSpec.minReplicas }}
            maxReplicas: {{ $i.k8s.hpaSpec.maxReplicas }}
            metrics:
              {{ if $i.k8s.hpaSpec.metrics }}
              {{- toYaml $i.k8s.hpaSpec.metrics | indent 12 }}
              {{ else }}
              {{- /* default metrics, backwards compatible */}}
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 60
            {{- end }}
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: {{ $i.name }}
          {{- end }}
          strategy:
            rollingUpdate:
              maxSurge: 100%
              maxUnavailable: 25%
          resources:
            {{- toYaml .k8s.resources | nindent 12 }}
          serviceAnnotations:
            {{- .k8s.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
          podAnnotations:
            {{- .k8s.podAnnotations | default (dict) | toYaml | nindent 12 }}
          nodeSelector:
            {{- .k8s.nodeSelector | default (dict) | toYaml | nindent 12 }}
          affinity:
            {{- .k8s.affinity | default (dict) | toYaml | nindent 12 }}
          tolerations:
            {{- .k8s.tolerations | default (list) | toYaml | nindent 12 }}
  {{- end }}

  meshConfig:
    accessLogFile: /dev/stdout
    enableTracing: {{ .Values.tracing.enabled }}
    defaultConfig:
      tracing:
        sampling: {{ .Values.tracing.sampling }}
      zipkinAddress: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
    {{- if .Values.meshConfig }}
    {{- toYaml .Values.meshConfig | nindent 4 }}
    {{- end }}

  values:
    {{- if .Values.openshift }}
    cni:
      repair:
        enabled: false
      image: {{ .Values.cni.image.name }}
      hub: {{ .Values.cni.image.hub }}
      tag: {{ .Values.cni.image.tag }}
      cniBinDir: {{ .Values.cni.binDir | default "/var/lib/cni/bin" }}
      cniConfDir: {{ .Values.cni.confDir | default "/etc/cni/multus/net.d" }}
      chained: false
      cniConfFileName: {{ .Values.cni.confFileName | default "istio-cni.conf" }}
      excludeNamespaces:
       - istio-system
       - kube-system
      logLevel: {{ .Values.cni.logLevel | default "info" }}
    {{- end }}
    global:
      {{- if .Values.imagePullPolicy }}
      imagePullPolicy: {{ .Values.imagePullPolicy }}
      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.tracing.enabled }}
      tracer:
        zipkin:
          address: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
      {{ end }}
      {{- if .Values.values.global }}
      {{- toYaml .Values.values.global | nindent 6 }}
      {{- end }}
    sidecarInjectorWebhook:
      rewriteAppHTTPProbe: true
      {{- if .Values.openshift }}
      injectedAnnotations:
        k8s.v1.cni.cncf.io/networks: istio-cni
      {{- end }}

      neverInjectSelector:
        - matchExpressions:
            - key: app.kubernetes.io/component
              operator: In
              values: [fluentd-configcheck]