{{- $unprivilegedPortSupported := true }} {{- range $index, $node := (lookup "v1" "Node" "default" "").items }} {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }} {{- if $kernelVersion }} {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }} {{- if and $kernelVersion (semverCompare "<4.11.0" $kernelVersion) }} {{- $unprivilegedPortSupported = false }} {{- end }} {{- end }} {{- end -}} apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.gateway.annotations | toYaml | nindent 4 }} spec: {{- if not .Values.gateway.autoscaling.enabled }} {{- if not (or .Values.global.local .Values.global.kind) }} replicas: {{ .Values.gateway.replicas }} {{- else }} replicas: 1 {{- end }} {{- end }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} strategy: rollingUpdate: maxSurge: {{ .Values.gateway.rollingMaxSurge }} {{- if or .Values.global.local .Values.global.kind }} maxUnavailable: 100% {{- else }} maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }} {{- end }} template: metadata: annotations: {{- if .Values.global.enableHigressIstio }} "enableHigressIstio": "true" {{- end }} {{- if .Values.gateway.podAnnotations }} {{- toYaml .Values.gateway.podAnnotations | nindent 8 }} {{- end }} labels: sidecar.istio.io/inject: "false" {{- with .Values.gateway.revision }} istio.io/rev: {{ . }} {{- end }} {{- include "gateway.selectorLabels" . | nindent 8 }} spec: {{- with .Values.gateway.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "gateway.serviceAccountName" . }} securityContext: {{- if .Values.gateway.securityContext }} {{- toYaml .Values.gateway.securityContext | nindent 8 }} {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} containers: - name: higress-gateway image: "{{ .Values.hub }}/{{ .Values.gateway.image }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}" args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel=warning - --proxyComponentLogLevel=misc:error - --log_output_level=all:info - --serviceCluster=higress-gateway securityContext: {{- if .Values.gateway.containerSecurityContext }} {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsUser: 1337 runAsGroup: 1337 runAsNonRoot: true {{- else }} capabilities: drop: - ALL add: - NET_BIND_SERVICE runAsUser: 0 runAsGroup: 1337 runAsNonRoot: false allowPrivilegeEscalation: true readOnlyRootFilesystem: true {{- end }} env: - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: PROXY_XDS_VIA_AGENT value: "true" - name: ENABLE_INGRESS_GATEWAY_SDS value: "false" - name: JWT_POLICY value: {{ include "controller.jwtPolicy" . }} - name: ISTIO_META_HTTP10 value: "1" - name: ISTIO_META_CLUSTER_ID value: "{{ $.Values.clusterName | default `Kubernetes` }}" - name: INSTANCE_NAME value: "higress-gateway" {{- if include "skywalking.enabled" . }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: /etc/istio/custom-bootstrap/custom_bootstrap.json {{- end }} {{- with .Values.gateway.networkGateway }} - name: ISTIO_META_REQUESTED_NETWORK_VIEW value: "{{.}}" {{- end }} {{- range $key, $val := .Values.env }} - name: {{ $key }} value: {{ $val | quote }} {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom {{- if or .Values.global.local .Values.global.kind }} - containerPort: 80 hostPort: 80 name: http protocol: TCP - containerPort: 443 hostPort: 443 name: https protocol: TCP {{- end }} readinessProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 3 {{- if not (or .Values.global.local .Values.global.kind) }} resources: {{- toYaml .Values.gateway.resources | nindent 12 }} {{- end }} volumeMounts: {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true {{- end }} - name: config mountPath: /etc/istio/config - name: istio-ca-root-cert mountPath: /var/run/secrets/istio - name: istio-data mountPath: /var/lib/istio/data - name: podinfo mountPath: /etc/istio/pod - name: proxy-socket mountPath: /etc/istio/proxy {{- if include "skywalking.enabled" . }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} {{- if .Values.gateway.hostNetwork }} hostNetwork: {{ .Values.gateway.hostNetwork }} dnsPolicy: ClusterFirstWithHostNet {{- end }} {{- with .Values.gateway.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.gateway.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.gateway.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} volumes: {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token {{- end }} - name: istio-ca-root-cert configMap: {{- if .Values.global.enableHigressIstio }} name: istio-ca-root-cert {{- else }} name: higress-ca-root-cert {{- end }} - name: config configMap: name: higress-config {{- if include "skywalking.enabled" . }} - configMap: defaultMode: 420 name: higress-custom-bootstrap name: custom-bootstrap-volume {{- end }} - name: istio-data emptyDir: {} - name: proxy-socket emptyDir: {} - name: podinfo downwardAPI: defaultMode: 420 items: - fieldRef: apiVersion: v1 fieldPath: metadata.labels path: labels - fieldRef: apiVersion: v1 fieldPath: metadata.annotations path: annotations - path: cpu-request resourceFieldRef: containerName: higress-gateway divisor: 1m resource: requests.cpu - path: cpu-limit resourceFieldRef: containerName: higress-gateway divisor: 1m resource: limits.cpu