# This configmap stores the sidecar proxy info and arguments needed apiVersion: v1 kind: ConfigMap metadata: name: cpx-istio-sidecar-injector namespace: {{.Release.Namespace}} labels: app: cpx-sidecar-injector chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} istio: sidecar-injector data: config: |- policy: enabled # If user does *NOT* want to inject sidecar on some pods based on label, # then mention such labels in 'neverInjectSelector' entry. # Note: This is valid only when istio's sidecar-injector image is running. neverInjectSelector: - matchExpressions: - {key: citrix.com/no.sidecar, operator: Exists} # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod. template: |- containers: - name: istio-adaptor image: {{ tpl .Values.xDSAdaptor.image . }} imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: APPLICATION_NAME valueFrom: fieldRef: fieldPath: metadata.labels['app'] - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName {{- if .Values.certProvider.caAddr }} - name: CA_ADDR value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - name: TRUST_DOMAIN value: {{ .Values.certProvider.trustDomain }} #cluster.local - name: CLUSTER_ID value: {{ .Values.certProvider.clusterId }} #Kubernetes - name: CERT_TTL_IN_HOURS value: {{ .Values.certProvider.certTTLinHours }} - name: JWT_POLICY value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens {{- end }} - name: NS_USER value: nsroot - name: NS_PASSWORD value: nsroot {{- if eq .Values.coe.coeTracing true }} - name: COE_TRACING value: "TRUE" {{- end }} - name: ENABLE_LABELS_FEATURE value: {{ .Values.cpxProxy.enableLabelsFeature | quote }} {{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }} - name: DEFAULT_SSL_LISTENER_ON_443 value: "TRUE" {{- end }} - name: LOGLEVEL value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} {{- if eq .Values.xDSAdaptor.jsonLog true }} - name: JSONLOG value: "TRUE" {{- end }} args: - -ads-server {{- if eq .Values.xDSAdaptor.secureConnect true }} - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 {{- else }} - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 {{- end }} - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}} - -ads-server-SAN - {{ .Values.istioPilot.SAN }} - -istio-proxy-type - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }} - -citrix-adc - "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}" - -citrix-adc-password - "/var/deviceinfo/random_id" {{- if .Values.ADMSettings.ADMIP }} - -citrix-adm - {{ .Values.ADMSettings.ADMIP }} {{- end }} {{- if .Values.cpxProxy.cpxLicenseAggregator }} - -citrix-license-server - {{ .Values.cpxProxy.cpxLicenseAggregator }} {{- else if .Values.ADMSettings.licenseServerIP }} - -citrix-license-server - {{ .Values.ADMSettings.licenseServerIP }} {{- end }} {{- if .Values.coe.coeURL }} - -coe - {{ .Values.coe.coeURL }} {{- end }} volumeMounts: - mountPath: /var/deviceinfo name: cpx-pwd {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} - mountPath: /etc/nslogin name: nslogin readOnly: true - name: certs mountPath: /etc/certs - name: istiod-ca-cert mountPath: /etc/rootcert/ - name: podinfo mountPath: /etc/podinfo securityContext: readOnlyRootFilesystem: true runAsGroup: 32024 runAsUser: 32024 # UID of xds-adaptor container's user runAsNonRoot: true - name: cpx-proxy image: {{ tpl .Values.cpxProxy.image . }} imagePullPolicy: IfNotPresent securityContext: privileged: true env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- if .Values.cpxProxy.cpxLicenseAggregator }} - name: "CLA" value: "{{ .Values.cpxProxy.cpxLicenseAggregator }}" {{- else if .Values.ADMSettings.licenseServerIP }} - name: "LS_IP" value: {{ .Values.ADMSettings.licenseServerIP }} - name: "LS_PORT" value: {{ .Values.ADMSettings.licenseServerPort }} {{- end}} - name: "EULA" value: "{{ .Values.cpxProxy.EULA }}" - name: "CPX_SIDECAR_MODE" value: {{ .Values.cpxProxy.cpxSidecarMode | quote }} - name: "CPX_DISABLE_PROBE" value: "{{ .Values.cpxProxy.cpxDisableProbe }}" - name: "MGMT_HTTP_PORT" value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} - name: "MGMT_HTTPS_PORT" value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} - name: "KUBERNETES_TASK_ID" value: "" - name: "NS_CPX_LITE" value: 1 {{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - name: "NS_ENABLE_NEWNSLOG" value: 1 {{- end }} {{- if .Values.ADMSettings.ADMIP }} - name: "NS_MGMT_SERVER" value: {{ .Values.ADMSettings.ADMIP | quote }} - name: "NS_HTTP_PORT" value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} - name: "NS_HTTPS_PORT" value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} - name: "ANALYTICS_SERVER" value: {{ .Values.ADMSettings.ADMIP | quote }} - name: "ANALYTICS_SERVER_PORT" value: {{.Values.ADMSettings.analyticsServerPort | quote }} {{- end }} - name: "LOGSTREAM_COLLECTOR_IP" value: {{ .Values.ADMSettings.ADMIP | default "" | quote }} {{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxProxy.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - name: "BANDWIDTH" #Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator value: {{ .Values.ADMSettings.bandWidth | quote }} - name: "EDITION" value: {{ .Values.ADMSettings.licenseEdition | quote }} {{- end }} {{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - name: NS_MGMT_USER valueFrom: secretKeyRef: name: admlogin key: username - name: NS_MGMT_PASS valueFrom: secretKeyRef: name: admlogin key: password {{- end }} volumeMounts: - mountPath: /cpx/conf/ name: cpx-conf - mountPath: /var/deviceinfo name: cpx-pwd - mountPath: /cpx/crash/ name: cpx-crash volumes: - name: cpx-conf emptyDir: {} - name: cpx-pwd emptyDir: {} - name: cpx-crash emptyDir: {} - name: nslogin secret: optional: true secretName: nslogin - name: certs emptyDir: {} {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token {{- end }} - name: istiod-ca-cert configMap: defaultMode: 0777 name: istio-ca-root-cert - name: podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations values: |- { "global": { "jwtPolicy": "third-party-jwt", }, "adcSelector": { "adc": "citrix", } } ---