
Optional Sidecar Annotations

How to customize your sidecar configuration with annotations.

Here are additional annotation values for the sidecar:

| Annotation | Description |
|---|---|
| `sidecar.speedscale.com/inject` | Add the sidecar to your deployment, job, stateful set or daemon set. |
| `sidecar.speedscale.com/insert-init-first` | Add Speedscale's init container as the first in the list on the target workload. |
| `sidecar.speedscale.com/capture-mode` | Sidecar capture mode. Supported values: `proxy` (default), `wasm` or `istio`. |
| `sidecar.speedscale.com/capture-node-traffic` | Route inbound traffic originating from the Kubernetes node the pod is running on through the proxy. By default inbound node traffic (e.g. readiness and liveness checks) is ignored. Boolean string `"true"` or `"false"` (default). Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. |
| `sidecar.speedscale.com/proxy-type` | Type of proxy the sidecar should operate as: `transparent` (default), `reverse` or `http`. Only valid if capture-mode is `proxy`, ignored otherwise. |
| `sidecar.speedscale.com/proxy-protocol` | Protocol for the outbound proxy. Only valid if proxy-type is `reverse` or `http`. Supported values: `http`, `tcp`, `tcp+http`, `tcp+socks`. |
| `sidecar.speedscale.com/proxy-host` | Host to forward traffic to. Only valid if capture-mode is `proxy`. |
| `sidecar.speedscale.com/proxy-port` | Port to forward traffic to. Only valid if capture-mode is `proxy`. |
| `sidecar.speedscale.com/proxy-in-port` | Sets the `PROXY_IN_PORT` environment variable. Only valid if capture-mode is `proxy`. |
| `sidecar.speedscale.com/proxy-out-port` | Sets the `PROXY_OUT_PORT` environment variable. Only valid if capture-mode is `proxy`. |
| `sidecar.speedscale.com/envoy-filter` | Name of the provisioned Envoy filter. Only valid if capture-mode is `wasm`. |
| `sidecar.speedscale.com/tls-out` | Set to `"true"` or `"false"` to configure TLS outbound interception. Defaults to `"true"`. |
| `sidecar.speedscale.com/tls-in-secret` | Kubernetes secret with the TLS key and certificate to use for inbound traffic; this certificate is presented to API clients. Enables TLS inbound interception (see details below). |
| `sidecar.speedscale.com/tls-in-private` | Filename of the TLS inbound private key inside the secret (default `tls.key`). |
| `sidecar.speedscale.com/tls-in-public` | Filename of the TLS inbound public cert inside the secret (default `tls.crt`). |
| `sidecar.speedscale.com/tls-mutual-secret` | Kubernetes secret with the TLS key and certificate to use for outbound mutual TLS traffic. |
| `sidecar.speedscale.com/tls-mutual-private` | Filename of the mutual TLS private key inside the secret (default `tls.key`). |
| `sidecar.speedscale.com/tls-mutual-public` | Filename of the mutual TLS public cert inside the secret (default `tls.crt`). |
| `sidecar.speedscale.com/ignore-src-ips` | Comma-separated source IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Example: `sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24"` |
| `sidecar.speedscale.com/ignore-src-hosts` | Comma-separated source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal"` |
| `sidecar.speedscale.com/ignore-dst-ips` | Comma-separated destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24"` |
| `sidecar.speedscale.com/ignore-dst-hosts` | Comma-separated destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal"` |
| `sidecar.speedscale.com/cpu-limit` | CPU limit for Speedscale's proxy sidecar. |
| `sidecar.speedscale.com/cpu-request` | CPU request for Speedscale's proxy sidecar. |
| `sidecar.speedscale.com/memory-limit` | Memory limit for Speedscale's proxy sidecar. |
| `sidecar.speedscale.com/memory-request` | Memory request for Speedscale's proxy sidecar. |

Capture Mode

Depending upon your environment you may want to customize the capture mode being used:

  • proxy is the default and should be used if there is no other sidecar in the pod.
  • wasm should be used if you already have an Istio sidecar; in that mode the capture is done by the Envoy filter named in sidecar.speedscale.com/envoy-filter rather than by a separate proxy.
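Many of the annotations above are silently ignored when combined with the wrong capture-mode or proxy-type, and a typo in an annotation key is not an error either. The following lint is an added example for this page, not Speedscale's own code: it encodes the validity rules the table states and reports anything that would be dropped. The sample annotation map is constructed, the Envoy filter and secret names in it are hypothetical, and two checks are assumptions rather than table facts (the 1-65535 port range, and that `tls-out` must not be `"false"` when a mutual TLS secret is configured, which is inferred from the examples further down this page).

```python
"""Consistency check for sidecar.speedscale.com annotations on a workload.

Added example, not Speedscale code. Encodes the rules from the annotation table
(allowed values; which annotations are ignored for a given capture-mode or
proxy-type). Assumptions, not table facts: the 1-65535 port range, and that
tls-out must not be "false" when tls-mutual-secret is set.
"""
import ipaddress

PREFIX = "sidecar.speedscale.com/"
# Every annotation the table documents; anything else under the prefix is a likely typo.
KNOWN = {
    "inject", "insert-init-first", "capture-mode", "capture-node-traffic", "proxy-type",
    "proxy-protocol", "proxy-host", "proxy-port", "proxy-in-port", "proxy-out-port",
    "envoy-filter", "tls-out", "tls-in-secret", "tls-in-private", "tls-in-public",
    "tls-mutual-secret", "tls-mutual-private", "tls-mutual-public", "ignore-src-ips",
    "ignore-src-hosts", "ignore-dst-ips", "ignore-dst-hosts",
    "cpu-limit", "cpu-request", "memory-limit", "memory-request",
}
ALLOWED = {  # enumerated values from the table
    "capture-mode": {"proxy", "wasm", "istio"},
    "proxy-type": {"transparent", "reverse", "http"},
    "proxy-protocol": {"http", "tcp", "tcp+http", "tcp+socks"},
    "capture-node-traffic": {"true", "false"},
    "tls-out": {"true", "false"},
}
PROXY_ONLY = {"proxy-type", "proxy-protocol", "proxy-host", "proxy-port",
              "proxy-in-port", "proxy-out-port"}          # "only valid if capture-mode is proxy"
TRANSPARENT_ONLY = {"capture-node-traffic", "ignore-src-ips", "ignore-src-hosts",
                    "ignore-dst-ips", "ignore-dst-hosts"}  # "... and proxy-type is transparent"


def _check_ipv4_list(key, value):
    out = []
    for item in (s.strip() for s in value.split(",")):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            out.append(f"{key}: {item!r} is not an IPv4 address or CIDR block")
            continue
        if net.version != 4:
            out.append(f"{key}: {item!r} is IPv6; only IPv4 is supported")
    return out


def lint_sidecar_annotations(annotations):
    """Return findings for a workload's metadata.annotations map (empty list = consistent)."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    findings = []
    if a.get("inject") != "true":
        findings.append('inject: not "true", so no sidecar is injected and the other annotations have no effect')
    for key in sorted(a):
        if key not in KNOWN:
            findings.append(f"{key}: unknown annotation (typo?)")
    for key, allowed in ALLOWED.items():
        if key in a and a[key] not in allowed:
            findings.append(f"{key}: {a[key]!r} is not one of {sorted(allowed)}")
    mode = a.get("capture-mode", "proxy")
    ptype = a.get("proxy-type", "transparent")
    for key in sorted(a):
        if mode != "proxy" and key in PROXY_ONLY | TRANSPARENT_ONLY:
            findings.append(f"{key}: ignored because capture-mode is {mode!r}")
        elif mode == "proxy" and ptype != "transparent" and key in TRANSPARENT_ONLY:
            findings.append(f"{key}: ignored because proxy-type is {ptype!r}")
        elif mode == "proxy" and key == "proxy-protocol" and ptype not in ("reverse", "http"):
            findings.append(f"proxy-protocol: ignored because proxy-type is {ptype!r}")
    if "envoy-filter" in a and mode != "wasm":
        findings.append(f"envoy-filter: ignored because capture-mode is {mode!r}")
    for key in {"proxy-port", "proxy-in-port", "proxy-out-port"} & a.keys():
        if not (a[key].isdigit() and 1 <= int(a[key]) <= 65535):  # assumption: TCP port range
            findings.append(f"{key}: {a[key]!r} is not a valid port")
    for key in ("ignore-src-ips", "ignore-dst-ips"):
        if key in a:
            findings.extend(_check_ipv4_list(key, a[key]))
    for key in ("ignore-src-hosts", "ignore-dst-hosts"):
        for host in (s.strip() for s in a.get(key, "").split(",") if s.strip()):
            if "*" in host:
                findings.append(f"{key}: wildcard {host!r} is not supported")
    for kind in ("tls-in", "tls-mutual"):
        for suffix in ("private", "public"):
            if f"{kind}-{suffix}" in a and f"{kind}-secret" not in a:
                findings.append(f"{kind}-{suffix}: set without {kind}-secret, so it does nothing")
    if "tls-mutual-secret" in a and a.get("tls-out", "true") == "false":  # assumption, see docstring
        findings.append('tls-mutual-secret: tls-out is "false", so outbound TLS is never unwrapped '
                        "and the client certificate cannot be presented")
    return findings


# Constructed workload annotations with several mistakes; the names are hypothetical.
EXAMPLE_ANNOTATIONS = {
    "sidecar.speedscale.com/inject": "true",
    "sidecar.speedscale.com/capture-mode": "wasm",
    "sidecar.speedscale.com/envoy-filter": "speedscale-wasm",         # hypothetical filter name
    "sidecar.speedscale.com/ignore-dst-hosts": "*.internal",          # ignored under wasm, and a wildcard
    "sidecar.speedscale.com/ignore-dst-ips": "10.0.0.0/8,fd00::/8",   # IPv6 entry is not supported
    "sidecar.speedscale.com/tls-in-private": "server.key",            # tls-in-secret is missing
    "sidecar.speedscale.com/tls-mutal-secret": "client-certs",        # typo: "mutal"
}

if __name__ == "__main__":
    for finding in lint_sidecar_annotations(EXAMPLE_ANNOTATIONS):
        print("finding:", finding)
```

Run it against the `metadata.annotations` map of each workload before applying it; the constructed sample produces six findings, including the misspelled `tls-mutal-secret` key that would otherwise leave mutual TLS unconfigured without any error.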

TLS Inbound Interception

The sidecar listens for incoming transactions and must present the correct certificate to the client. Because TLS is already configured on your service, the certificate and key you are using must be provided to the sidecar through a Kubernetes secret. These are the fields:

  • `tls-in-secret` (required) is the name of the Kubernetes secret
  • `tls-in-private` (optional) is the filename of the private key inside the secret (default: tls.key)
  • `tls-in-public` (optional) is the filename of the public cert inside the secret (default: tls.crt)

When your deployment is injected, the sidecar will have the extra environment variables TLS_IN_UNWRAP=true, TLS_IN_PUBLIC_KEY and TLS_IN_PRIVATE_KEY, and a volume mount to access the files from the provided secret. Note that this mounts your service's private key into the sidecar container as well as your own, so the secret should be scoped to the namespace and service account that need it.

```yaml
  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
    sidecar.speedscale.com/tls-in-secret: "my-tls-secret"
    sidecar.speedscale.com/tls-in-private: "tls.key"
    sidecar.speedscale.com/tls-in-public: "tls.crt"
```

TLS Outbound Interception

To unwrap outbound TLS calls there are two steps:

  • Configure the sidecar to enable outbound TLS interception
  • Configure your application to trust the new TLS certificates

When your deployment is injected, the sidecar will have an extra environment variable TLS_OUT_UNWRAP=true and a volume mount to access the files from the speedscale-certs secret. The operator automatically creates a secret named speedscale-certs in the namespace. Since tls-out already defaults to "true", all that is required is to add this annotation to your deployment (setting tls-out explicitly makes the intent visible in the manifest):

```yaml
  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
```

Once the application trusts these certificates, the sidecar can terminate and re-originate every outbound TLS connection the application makes. That is the purpose of interception, but it also means the speedscale-certs secret must be protected like any other private key, and the trust should be removed from the application when the sidecar is removed.

Mutual Authentication for Outbound Calls

If your backend system requires [Mutual Authentication](https://tools.ietf.org/html/rfc8120) (aka Mutual TLS or 2-Way TLS), the sidecar must be configured with an additional X.509 key pair. During the TLS handshake the backend system requests a client certificate; this is the certificate that goproxy will present. These are the fields:

  • `tls-mutual-secret` (required) is the name of the Kubernetes secret
  • `tls-mutual-private` (optional) is the filename of the private key inside the secret (default: tls.key)
  • `tls-mutual-public` (optional) is the filename of the public cert inside the secret (default: tls.crt)

When your deployment is injected, the sidecar will have the extra environment variables TLS_MUTUAL_PUBLIC_KEY and TLS_MUTUAL_PRIVATE_KEY and a volume mount to access the files from the provided secret. You must provide a Kubernetes secret that contains the TLS private key and public cert; the name of the secret and the filenames inside it are given to the operator through the annotations so it can inject them automatically. Because the sidecar only presents the client certificate while unwrapping outbound TLS, keep tls-out at "true" when using mutual TLS.

```yaml
  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
    sidecar.speedscale.com/tls-mutual-secret: "my-tls-secret"
    sidecar.speedscale.com/tls-mutual-private: "tls.key"
    sidecar.speedscale.com/tls-mutual-public: "tls.crt"
```
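Both the inbound and the mutual TLS sections rely on the same contract: the secret named in the annotation must contain the filenames the annotations point at (or the tls.key / tls.crt defaults), each holding PEM of the right kind. When that contract is broken the only symptom is a sidecar that cannot load its certificate, so it is worth checking before the workload is annotated. The following pre-flight check is an added example for this page, not Speedscale's own code. The Secret object it inspects is constructed and its PEM bodies are placeholders rather than real key material; the check that a private key is not passphrase-encrypted is an assumption about how the sidecar reads the file.

```python
"""Pre-flight check for the secrets named by tls-in-secret and tls-mutual-secret.

Added example, not Speedscale code. Confirms that the referenced Secret carries
the filenames the annotations point at (or the tls.key / tls.crt defaults) and
that each file is PEM of the expected kind. The sample Secret is constructed;
its PEM bodies are placeholders, not real key material.
"""
import base64
import re

PREFIX = "sidecar.speedscale.com/"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_labels(text):
    """BEGIN labels of every PEM block in a document, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_secret(annotations, secret, kind):
    """kind is 'in' (inbound server cert/key) or 'mutual' (outbound client cert/key).

    Returns a list of findings; an empty list means the secret matches the annotations.
    """
    secret_key = f"{PREFIX}tls-{kind}-secret"
    if secret_key not in annotations:
        return [f"tls-{kind}-secret is not set; nothing to check"]
    findings = []
    actual_name = secret.get("metadata", {}).get("name")
    if actual_name != annotations[secret_key]:
        findings.append(f"secret is named {actual_name!r}, annotation expects {annotations[secret_key]!r}")
    data = secret.get("data", {})
    wanted = {  # filename -> fragment every PEM label in that file must contain
        annotations.get(f"{PREFIX}tls-{kind}-private", "tls.key"): "PRIVATE KEY",
        annotations.get(f"{PREFIX}tls-{kind}-public", "tls.crt"): "CERTIFICATE",
    }
    for filename, expected in wanted.items():
        if filename not in data:
            findings.append(f"{filename}: not present in secret data (keys: {sorted(data)})")
            continue
        try:
            text = base64.b64decode(data[filename], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            findings.append(f"{filename}: data is not base64-encoded PEM")
            continue
        labels = pem_labels(text)
        if not labels:
            findings.append(f"{filename}: no PEM block found")
        elif not all(expected in label for label in labels):
            findings.append(f"{filename}: expected {expected}, found {labels}")
        elif expected == "PRIVATE KEY" and any("ENCRYPTED" in label for label in labels):
            # assumption: the sidecar reads the key file directly and has no passphrase to offer
            findings.append(f"{filename}: private key is passphrase-encrypted")
    return findings


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Placeholder PEM bodies (constructed, not real key material).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN EC PRIVATE KEY-----\nMHcCPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"

# Constructed Secret with two common mistakes: the key was stored as server.key rather
# than the default tls.key, and tls.crt holds the private key instead of the certificate.
EXAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "my-tls-secret"},
    "data": {"server.key": b64(FAKE_KEY), "tls.crt": b64(FAKE_KEY)},
}
EXAMPLE_ANNOTATIONS = {
    f"{PREFIX}inject": "true",
    f"{PREFIX}tls-in-secret": "my-tls-secret",  # tls-in-private left at its tls.key default
}

if __name__ == "__main__":
    for finding in check_tls_secret(EXAMPLE_ANNOTATIONS, EXAMPLE_SECRET, "in"):
        print("finding:", finding)
```

Feed it the output of `kubectl get secret <name> -o json` together with the workload's annotations; for mutual TLS call it with `kind="mutual"`. The constructed sample reports that `tls.key` is missing (the annotation should have said `tls-in-private: "server.key"`) and that `tls.crt` contains a private key rather than a certificate, both of which would otherwise surface only when the sidecar fails to start its TLS listener.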