apiVersion: v1
data:
  config: |
    policy: enabled
    template: |-
      initContainers:
      - name: istio-init
        image: docker.io/istio/proxy_init:0.7.1
        args:
        - "-p"
        - {{ .MeshConfig.ProxyListenPort }}
        - "-u"
        - 1337
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        restartPolicy: Always
      containers:
      - name: istio-proxy
        image: docker.io/istio/proxy:0.7.1
        args:
        - proxy
        - sidecar
        - --configPath
        - {{ .ProxyConfig.ConfigPath }}
        - --binaryPath
        - {{ .ProxyConfig.BinaryPath }}
        - --serviceCluster
        {{ if ne "" (index .ObjectMeta.Labels "app") -}}
        - {{ index .ObjectMeta.Labels "app" }}
        {{ else -}}
        - "istio-proxy"
        {{ end -}}
        - --drainDuration
        - {{ formatDuration .ProxyConfig.DrainDuration }}
        - --parentShutdownDuration
        - {{ formatDuration .ProxyConfig.ParentShutdownDuration }}
        - --discoveryAddress
        - {{ .ProxyConfig.DiscoveryAddress }}
        - --discoveryRefreshDelay
        - {{ formatDuration .ProxyConfig.DiscoveryRefreshDelay }}
        - --zipkinAddress
        - {{ .ProxyConfig.ZipkinAddress }}
        - --connectTimeout
        - {{ formatDuration .ProxyConfig.ConnectTimeout }}
        - --statsdUdpAddress
        - {{ .ProxyConfig.StatsdUdpAddress }}
        - --proxyAdminPort
        - {{ .ProxyConfig.ProxyAdminPort }}
        - --controlPlaneAuthPolicy
        - {{ .ProxyConfig.ControlPlaneAuthPolicy }}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        imagePullPolicy: IfNotPresent
        securityContext:
            privileged: false
            readOnlyRootFilesystem: true
            runAsUser: 1337
        restartPolicy: Always
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
      imagePullSecrets:
        - name: parkhubprime-kuberbot-pull-secret
      volumes:
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          {{ if eq .Spec.ServiceAccountName "" -}}
          secretName: istio.default
          {{ else -}}
          secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
          {{ end -}}
kind: ConfigMap
metadata:
  name: istio-inject
  namespace: istio-system