
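# This configmap stores the sidecar proxy info and arguments needed.
#
# `data.config` is consumed by the Istio sidecar injector (see the
# `istio: sidecar-injector` label): `policy`, `neverInjectSelector` and the
# pod `template` that gets injected. `data.values` is the injector's values
# document. Helm renders this whole file as text first; the injector then
# parses the block scalars as YAML/JSON. Every env `value` and every `args`
# entry must therefore render as a YAML *string* (quoted) -- a bare number
# such as `value: 1` becomes a YAML int, which is not a valid EnvVar.value
# and risks the injected pod being rejected.
#
# NOTE(review): `data.values` pins global.jwtPolicy to "third-party-jwt"
# while the template derives the policy from the `jwtValue` helper; confirm
# the two cannot disagree.
#
# The JWT policy is used twice in the template (volumeMounts and volumes);
# compute it once here so both sites read the same value.
{{- $jwtpolicy := include "jwtValue" . }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: cpx-istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: cpx-sidecar-injector
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    istio: sidecar-injector
data:
  config: |-
    policy: enabled
    # If user does *NOT* want to inject sidecar on some pods based on label,
    # then mention such labels in 'neverInjectSelector' entry.
    # Note: This is valid only when istio's sidecar-injector image is running.
    # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be
    # injected for that pod.
    neverInjectSelector:
      - matchExpressions:
          - key: citrix.com/no.sidecar
            operator: Exists
    template: |-
      containers:
        # xDS adaptor: connects to the ADS server (-ads-server) and to the CPX
        # management endpoint (-citrix-adc). Runs as a non-root user with a
        # read-only root filesystem.
        - name: istio-adaptor
          image: {{ tpl .Values.xDSAdaptor.image . }}
          imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: APPLICATION_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['app']
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.serviceAccountName
            {{- if .Values.certProvider.caAddr }}
            # Workload certificate settings, only emitted when a CA address is
            # configured. All values are quoted so they render as strings.
            - name: CA_ADDR
              value: "{{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort }}"  # e.g. istiod.istio-system.svc:15012
            - name: TRUST_DOMAIN
              value: {{ .Values.certProvider.trustDomain | quote }}  # e.g. cluster.local
            - name: CLUSTER_ID
              value: {{ .Values.certProvider.clusterId | quote }}  # e.g. Kubernetes
            - name: CERT_TTL_IN_HOURS
              # Quoted: an unquoted number would render as a YAML int.
              value: {{ .Values.certProvider.certTTLinHours | quote }}
            - name: JWT_POLICY
              value: {{ $jwtpolicy | quote }}  # third-party-jwt if Kubernetes cluster supports third-party tokens
            {{- end }}
            # Credentials the adaptor presents to the CPX management API.
            # NOTE(review): "nsroot" is the CPX factory default. The adaptor is
            # also given "-citrix-adc-password /var/deviceinfo/random_id" on
            # the cpx-pwd volume shared with the cpx-proxy container -- confirm
            # the default password is only used for bootstrap and is replaced
            # by the random one afterwards.
            - name: NS_USER
              value: nsroot
            - name: NS_PASSWORD
              value: nsroot
            {{- if eq .Values.coe.coeTracing true }}
            - name: COE_TRACING
              value: "TRUE"
            {{- end }}
            - name: ENABLE_LABELS_FEATURE
              value: {{ .Values.cpxProxy.enableLabelsFeature | quote }}
            {{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
            - name: DEFAULT_SSL_LISTENER_ON_443
              value: "TRUE"
            {{- end }}
            - name: LOGLEVEL
              value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
            {{- if eq .Values.xDSAdaptor.jsonLog true }}
            - name: JSONLOG
              value: "TRUE"
            {{- end }}
          args:
            - -ads-server
            {{- if eq .Values.xDSAdaptor.secureConnect true }}
            - "{{ .Values.istioPilot.name }}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }}"  # e.g. istiod.istio-system.svc:15012
            {{- else }}
            - "{{ .Values.istioPilot.name }}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }}"  # e.g. istiod.istio-system.svc:15010
            {{- end }}
            - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }}
            - -ads-server-SAN
            - {{ .Values.istioPilot.SAN | quote }}
            - -istio-proxy-type
            - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }}
            - -citrix-adc
            - "{{ .Values.cpxProxy.netscalerUrl }}:{{ .Values.cpxProxy.mgmtHttpPort | toString }}"
            # Password file on the cpx-pwd emptyDir shared with cpx-proxy.
            - -citrix-adc-password
            - "/var/deviceinfo/random_id"
            {{- if .Values.ADMSettings.ADMIP }}
            - -citrix-adm
            - {{ .Values.ADMSettings.ADMIP | quote }}
            {{- end }}
            {{- if .Values.cpxProxy.cpxLicenseAggregator }}
            - -citrix-license-server
            - {{ .Values.cpxProxy.cpxLicenseAggregator | quote }}
            {{- else if .Values.ADMSettings.licenseServerIP }}
            - -citrix-license-server
            - {{ .Values.ADMSettings.licenseServerIP | quote }}
            {{- end }}
            {{- if .Values.coe.coeURL }}
            - -coe
            - {{ .Values.coe.coeURL | quote }}
            {{- end }}
          volumeMounts:
            - name: cpx-pwd
              mountPath: /var/deviceinfo
            {{- if eq $jwtpolicy "third-party-jwt" }}
            - name: istio-token
              mountPath: /var/run/secrets/tokens
            {{- end }}
            - name: nslogin
              mountPath: /etc/nslogin
              readOnly: true
            - name: certs
              mountPath: /etc/certs
            - name: istiod-ca-cert
              mountPath: /etc/rootcert/
            - name: podinfo
              mountPath: /etc/podinfo
          securityContext:
            readOnlyRootFilesystem: true
            runAsGroup: 32024
            runAsUser: 32024  # UID of xds-adaptor container's user
            runAsNonRoot: true
        # Citrix ADC CPX proxy container.
        # NOTE(review): runs privileged, which gives the container host-level
        # access; confirm this is still required by the CPX image in use.
        - name: cpx-proxy
          image: {{ tpl .Values.cpxProxy.image . }}
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            {{- if .Values.cpxProxy.cpxLicenseAggregator }}
            - name: CLA
              value: "{{ .Values.cpxProxy.cpxLicenseAggregator }}"
            {{- else if .Values.ADMSettings.licenseServerIP }}
            - name: LS_IP
              value: {{ .Values.ADMSettings.licenseServerIP | quote }}
            - name: LS_PORT
              # Quoted: a bare port number would render as a YAML int.
              value: {{ .Values.ADMSettings.licenseServerPort | quote }}
            {{- end }}
            - name: EULA
              value: "{{ .Values.cpxProxy.EULA }}"
            - name: CPX_SIDECAR_MODE
              value: {{ .Values.cpxProxy.cpxSidecarMode | quote }}
            - name: CPX_DISABLE_PROBE
              value: "{{ .Values.cpxProxy.cpxDisableProbe }}"
            - name: MGMT_HTTP_PORT
              value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
            - name: MGMT_HTTPS_PORT
              value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
            - name: KUBERNETES_TASK_ID
              value: ""
            # Quoted: EnvVar.value must be a string; a bare 1 is a YAML int.
            - name: NS_CPX_LITE
              value: "1"
            {{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
            - name: NS_ENABLE_NEWNSLOG
              value: "1"
            {{- end }}
            {{- if .Values.ADMSettings.ADMIP }}
            - name: NS_MGMT_SERVER
              value: {{ .Values.ADMSettings.ADMIP | quote }}
            - name: NS_HTTP_PORT
              value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
            - name: NS_HTTPS_PORT
              value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
            - name: ANALYTICS_SERVER
              value: {{ .Values.ADMSettings.ADMIP | quote }}
            - name: ANALYTICS_SERVER_PORT
              value: {{ .Values.ADMSettings.analyticsServerPort | quote }}
            {{- end }}
            - name: LOGSTREAM_COLLECTOR_IP
              value: {{ .Values.ADMSettings.ADMIP | default "" | quote }}
            {{- if and (or .Values.ADMSettings.licenseServerIP .Values.cpxProxy.cpxLicenseAggregator) (eq .Values.ADMSettings.bandWidthLicense true) }}
            # BANDWIDTH must be set in order to provide a bandwidth license to
            # Citrix ADC CPX from ADM or the CPX License Aggregator.
            - name: BANDWIDTH
              value: {{ .Values.ADMSettings.bandWidth | quote }}
            - name: EDITION
              value: {{ .Values.ADMSettings.licenseEdition | quote }}
            {{- end }}
            {{- if or .Values.ADMSettings.ADMIP .Values.ADMSettings.licenseServerIP }}
            # ADM credentials are read from the admlogin secret, not from values.
            - name: NS_MGMT_USER
              valueFrom:
                secretKeyRef:
                  name: admlogin
                  key: username
            - name: NS_MGMT_PASS
              valueFrom:
                secretKeyRef:
                  name: admlogin
                  key: password
            {{- end }}
          volumeMounts:
            - name: cpx-conf
              mountPath: /cpx/conf/
            - name: cpx-pwd
              mountPath: /var/deviceinfo
            - name: cpx-crash
              mountPath: /cpx/crash/
      volumes:
        - name: cpx-conf
          emptyDir: {}
        - name: cpx-pwd
          emptyDir: {}
        - name: cpx-crash
          emptyDir: {}
        - name: nslogin
          secret:
            optional: true
            secretName: nslogin
        - name: certs
          emptyDir: {}
        {{- if eq $jwtpolicy "third-party-jwt" }}
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
        {{- end }}
        - name: istiod-ca-cert
          configMap:
            # The adaptor only reads the CA root cert; read-only mode is
            # sufficient (was 0777, which is needlessly permissive).
            defaultMode: 0444
            name: istio-ca-root-cert
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "annotations"
                fieldRef:
                  fieldPath: metadata.annotations
  # Injector values document. Kept as strict JSON (no trailing commas) so
  # it parses identically under a JSON or a YAML loader.
  values: |-
    {
      "global": {
        "jwtPolicy": "third-party-jwt"
      },
      "adcSelector": {
        "adc": "citrix"
      }
    }
---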