Optional Sidecar Annotations
How to customize your sidecar configuration with annotations.
Here are additional annotation values for the sidecar:
Annotation | Description |
---|---|
sidecar.speedscale.com/inject | Add the sidecar to your Deployment, Job, StatefulSet or DaemonSet. |
sidecar.speedscale.com/insert-init-first | Add Speedscale's init container as the first in the list on the target workload. |
sidecar.speedscale.com/capture-mode | Sidecar capture mode. Supported values are `proxy` (default), `wasm` or `istio`. |
sidecar.speedscale.com/capture-node-traffic | Configure inbound traffic originating from the underlying Kubernetes node on which a pod is running to be routed through the proxy. The default behavior is to ignore inbound Kubernetes node traffic (e.g. readiness and liveness checks). Boolean string `"true"` or `"false"` (default). Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. |
sidecar.speedscale.com/proxy-type | Type of proxy the sidecar should operate as: `transparent` (default), `reverse`, or `http`. Only valid if capture-mode is `proxy`, ignored otherwise. |
sidecar.speedscale.com/proxy-protocol | Set the protocol for the outbound proxy. Only valid if proxy-type is `reverse` or `http`. Supported values: `http`, `tcp`, `tcp+http`, `tcp+socks`. |
sidecar.speedscale.com/proxy-host | Set the host where you want to forward traffic. Only valid if capture-mode is `proxy`. |
sidecar.speedscale.com/proxy-port | Set the port where you want to forward traffic. Only valid if capture-mode is `proxy`. |
sidecar.speedscale.com/proxy-in-port | Sets the `PROXY_IN_PORT` environment variable. Only valid if capture-mode is `proxy`. |
sidecar.speedscale.com/proxy-out-port | Sets the `PROXY_OUT_PORT` environment variable. Only valid if capture-mode is `proxy`. |
sidecar.speedscale.com/envoy-filter | Name of the provisioned Envoy filter. Only valid if capture-mode is `wasm`. |
sidecar.speedscale.com/tls-out | Set to `"true"` or `"false"` to configure TLS outbound interception. Defaults to `"true"`. |
sidecar.speedscale.com/tls-in-secret | Kubernetes secret with the TLS keys to use for inbound traffic; these keys will be exposed to API clients. Enables TLS inbound interception (see more details below). |
sidecar.speedscale.com/tls-in-private | Filename of the TLS inbound private key (default `tls.key`). |
sidecar.speedscale.com/tls-in-public | Filename of the TLS inbound public cert (default `tls.crt`). |
sidecar.speedscale.com/tls-mutual-secret | Kubernetes secret with the TLS keys to use for outbound Mutual TLS traffic. |
sidecar.speedscale.com/tls-mutual-private | Filename of the Mutual TLS private key (default `tls.key`). |
sidecar.speedscale.com/tls-mutual-public | Filename of the Mutual TLS public cert (default `tls.crt`). |
sidecar.speedscale.com/ignore-src-ips | Comma-separated string of source IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Example: `sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24"` |
sidecar.speedscale.com/ignore-src-hosts | Comma-separated string of source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal"` |
sidecar.speedscale.com/ignore-dst-ips | Comma-separated string of destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24"` |
sidecar.speedscale.com/ignore-dst-hosts | Comma-separated string of destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is `proxy` and proxy-type is `transparent`, ignored otherwise. Wildcards are not currently supported. Example: `sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal"` |
sidecar.speedscale.com/cpu-limit | Specifies the CPU limit for Speedscale's proxy sidecar. |
sidecar.speedscale.com/cpu-request | Specifies the CPU request for Speedscale's proxy sidecar. |
sidecar.speedscale.com/memory-limit | Specifies the memory limit for Speedscale's proxy sidecar. |
sidecar.speedscale.com/memory-request | Specifies the memory request for Speedscale's proxy sidecar. |
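Several rows in the table above only take effect under a specific capture-mode or proxy-type, and a mismatched combination is silently ignored rather than rejected, so a workload can look instrumented while the proxy is doing nothing. The following lint script is an added example, not Speedscale's own tooling: it encodes those table rules (supported values, boolean strings, keys ignored unless capture-mode is `proxy` or proxy-type is `transparent`, IPv4-only ignore lists, no wildcard hostnames) and reports every violation in a workload's pod-template annotations. The Deployment at the bottom is constructed sample input; the manifest shape it reads (`spec.template.metadata.annotations`) is standard Kubernetes.

```python
"""Lint Speedscale sidecar annotations before applying a workload (added example)."""
import ipaddress

PREFIX = "sidecar.speedscale.com/"
CAPTURE_MODES = {"proxy", "wasm", "istio"}
PROXY_TYPES = {"transparent", "reverse", "http"}
PROXY_PROTOCOLS = {"http", "tcp", "tcp+http", "tcp+socks"}
BOOLEAN_KEYS = {"tls-out", "capture-node-traffic"}  # documented as "true"/"false"
PORT_KEYS = {"proxy-port", "proxy-in-port", "proxy-out-port"}
# Keys the table marks as "only valid if proxy-type is transparent".
TRANSPARENT_ONLY = {"capture-node-traffic", "ignore-src-ips", "ignore-src-hosts",
                    "ignore-dst-ips", "ignore-dst-hosts"}
# Keys the table marks as "only valid if capture-mode is proxy" (proxy-protocol is
# implied, since it depends on proxy-type).
PROXY_ONLY = TRANSPARENT_ONLY | PORT_KEYS | {"proxy-type", "proxy-protocol", "proxy-host"}
KNOWN = PROXY_ONLY | {"inject", "insert-init-first", "capture-mode", "envoy-filter",
                      "tls-out", "tls-in-secret", "tls-in-private", "tls-in-public",
                      "tls-mutual-secret", "tls-mutual-private", "tls-mutual-public",
                      "cpu-limit", "cpu-request", "memory-limit", "memory-request"}


def _split(value):
    """Split a comma-separated annotation value, dropping blanks."""
    return [s.strip() for s in (value or "").split(",") if s.strip()]


def lint_annotations(annotations):
    """Return a list of problems; an empty list means the annotations are consistent."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    problems = []
    for key in sorted(a):
        if key not in KNOWN:
            problems.append(f"unknown annotation {PREFIX}{key}")
    for key in sorted(BOOLEAN_KEYS & a.keys()):
        if a[key] not in ("true", "false"):
            problems.append(f'{key} must be "true" or "false", got {a[key]!r}')
    mode = a.get("capture-mode", "proxy")
    if mode not in CAPTURE_MODES:
        problems.append(f"capture-mode {mode!r} is not one of {sorted(CAPTURE_MODES)}")
    if mode != "proxy":
        for key in sorted(PROXY_ONLY & a.keys()):
            problems.append(f"{key} is ignored unless capture-mode is proxy (got {mode!r})")
    else:
        ptype = a.get("proxy-type", "transparent")
        if ptype not in PROXY_TYPES:
            problems.append(f"proxy-type {ptype!r} is not one of {sorted(PROXY_TYPES)}")
        if ptype != "transparent":
            for key in sorted(TRANSPARENT_ONLY & a.keys()):
                problems.append(f"{key} is ignored unless proxy-type is transparent (got {ptype!r})")
        if "proxy-protocol" in a:
            if a["proxy-protocol"] not in PROXY_PROTOCOLS:
                problems.append(f"proxy-protocol {a['proxy-protocol']!r} is not one of {sorted(PROXY_PROTOCOLS)}")
            if ptype not in ("reverse", "http"):
                problems.append("proxy-protocol is only valid when proxy-type is reverse or http")
        for key in sorted(PORT_KEYS & a.keys()):
            if not (a[key].isdigit() and 1 <= int(a[key]) <= 65535):
                problems.append(f"{key} must be a port number 1-65535, got {a[key]!r}")
    if "envoy-filter" in a and mode != "wasm":
        problems.append("envoy-filter is ignored unless capture-mode is wasm")
    # Syntax of the ignore lists is checked regardless of mode: a bad entry is a bad entry.
    for key in ("ignore-src-ips", "ignore-dst-ips"):
        for item in _split(a.get(key)):
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                problems.append(f"{key}: {item!r} is not an IP address or CIDR block")
                continue
            if net.version != 4:
                problems.append(f"{key}: {item!r} is not IPv4 (only IPv4 addresses/CIDRs are supported)")
    for key in ("ignore-src-hosts", "ignore-dst-hosts"):
        for item in _split(a.get(key)):
            if "*" in item:
                problems.append(f"{key}: wildcard {item!r} is not supported")
    return problems


def lint_workload(manifest):
    """Lint the pod-template annotations of a Deployment/StatefulSet/DaemonSet/Job dict."""
    annotations = (manifest.get("spec", {}).get("template", {})
                   .get("metadata", {}).get("annotations", {}))
    return lint_annotations(annotations)


SAMPLE_DEPLOYMENT = {  # constructed sample input, not from the page
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {"template": {"metadata": {"annotations": {
        PREFIX + "inject": "true",
        PREFIX + "capture-mode": "proxy",
        PREFIX + "tls-out": "true",
        PREFIX + "ignore-src-ips": "10.10.0.40,10.200.10.0/24",
        PREFIX + "ignore-dst-hosts": "example.com,mysvc.internal",
    }}}},
}

if __name__ == "__main__":
    for line in lint_workload(SAMPLE_DEPLOYMENT) or ["annotations look consistent"]:
        print(line)
```

Run it against a manifest loaded with `yaml.safe_load` (or `kubectl get deploy NAME -o json`) before applying; an empty result means every annotation present will actually be honoured under the selected capture-mode and proxy-type.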
Capture Mode
Depending upon your environment you may want to customize the capture mode being used:
- `proxy` is the default and should be used if there is no other sidecar.
- `wasm` is what should be used if you have an Istio sidecar already.
TLS Inbound Interception
The sidecar listens for incoming transactions and must present the correct certificate to the client. Because you already have TLS configured, the certificate files you are using must be provided to the sidecar. These are the fields:
- `tls-in-secret` (required) is the name of the Kubernetes secret
- `tls-in-private` (optional) is the filename of the private key inside the secret (default: `tls.key`)
- `tls-in-public` (optional) is the filename of the public cert inside the secret (default: `tls.crt`)
When your deployment is injected, the sidecar will have the extra environment variables `TLS_IN_UNWRAP=true`, `TLS_IN_PUBLIC_KEY` and `TLS_IN_PRIVATE_KEY`, and a volume mount to access the files from the provided secret.
```yaml
annotations:
  sidecar.speedscale.com/inject: "true"
  sidecar.speedscale.com/tls-out: "true"
  sidecar.speedscale.com/tls-in-secret: "my-tls-secret"
  sidecar.speedscale.com/tls-in-private: "tls.key"
  sidecar.speedscale.com/tls-in-public: "tls.crt"
```
TLS Outbound Interception
To unwrap outbound TLS calls there are multiple steps required:
- Configure the sidecar to enable outbound TLS interception
- Configure your application to trust the new TLS Certificates
When your deployment is injected, the sidecar will have an extra environment variable `TLS_OUT_UNWRAP=true` and a volume mount to access the files from the `speedscale-certs` secret. The operator automatically creates a secret named `speedscale-certs` and puts it into the namespace. All that is required is to add these annotations to your deployment:
```yaml
annotations:
  sidecar.speedscale.com/inject: "true"
  sidecar.speedscale.com/tls-out: "true"
```
Mutual Authentication for Outbound Calls
If your backend system requires [Mutual Authentication](https://tools.ietf.org/html/rfc8120) (aka Mutual TLS or 2-Way TLS), the sidecar must be configured with an additional X.509 key pair. During the TLS handshake, the backend system will request a client certificate; this is the certificate that goproxy will present. These are the fields:
- `tls-mutual-secret` (required) is the name of the Kubernetes secret
- `tls-mutual-private` (optional) is the filename of the private key inside the secret (default: `tls.key`)
- `tls-mutual-public` (optional) is the filename of the public cert inside the secret (default: `tls.crt`)
When your deployment is injected, the sidecar will have the extra environment variables `TLS_MUTUAL_PUBLIC_KEY` and `TLS_MUTUAL_PRIVATE_KEY` and a volume mount to access the files from the provided secret. You must provide a Kubernetes secret that contains the TLS private key and public cert. The name of the secret and the names of the files are passed to the operator through these annotations so it can inject them automatically.
```yaml
annotations:
  sidecar.speedscale.com/inject: "true"
  sidecar.speedscale.com/tls-out: "true"
  sidecar.speedscale.com/tls-mutual-secret: "my-tls-secret"
  sidecar.speedscale.com/tls-mutual-private: "tls.key"
  sidecar.speedscale.com/tls-mutual-public: "tls.crt"
```
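Both the inbound-interception and the mutual-authentication sections above reference a user-supplied Secret by name and pick files out of it by the `*-private` / `*-public` annotations, so the usual failure is a secret that lives in another namespace, lacks the expected file, or has the key and cert swapped. The script below is an added example, not Speedscale's own tooling: it takes a workload's annotations plus the Secret objects of the namespace (dicts in the shape of `kubectl get secret -o json`) and checks, for each of `tls-in-secret` and `tls-mutual-secret`, that the secret exists in that namespace, that the named files are present (defaults `tls.key` and `tls.crt`), and that each decodes to PEM of the right kind. The PEM bodies and secret below are constructed placeholders, not real key material.

```python
"""Cross-check tls-in-* / tls-mutual-* annotations against Secrets (added example)."""
import base64

PREFIX = "sidecar.speedscale.com/"
# (secret-name annotation, private-key filename annotation, public-cert filename annotation)
TLS_SECRET_REFS = (
    ("tls-in-secret", "tls-in-private", "tls-in-public"),
    ("tls-mutual-secret", "tls-mutual-private", "tls-mutual-public"),
)


def _pem_kind(encoded):
    """Return the label of the first PEM block in a base64-encoded Secret value, or None."""
    text = base64.b64decode(encoded).decode("ascii", "replace").lstrip()
    first = text.splitlines()[0] if text else ""
    if first.startswith("-----BEGIN ") and first.endswith("-----"):
        return first[len("-----BEGIN "):-len("-----")]
    return None


def _kind_matches(kind, expected):
    """'PRIVATE KEY' also accepts 'RSA PRIVATE KEY' / 'EC PRIVATE KEY'; 'CERTIFICATE' is exact."""
    return kind is not None and (kind == expected or kind.endswith(" " + expected))


def check_tls_secrets(annotations, secrets, namespace):
    """Return a list of problems; an empty list means every referenced secret is usable."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    # Secrets are namespaced: only those in the workload's namespace can be mounted.
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s.get("metadata", {}).get("namespace") == namespace}
    problems = []
    for secret_key, private_key, public_key in TLS_SECRET_REFS:
        if secret_key not in a:
            # Filename annotations without the secret annotation do nothing.
            for key in (private_key, public_key):
                if key in a:
                    problems.append(f"{key} is set but {secret_key} is missing, so it has no effect")
            continue
        name = a[secret_key]
        secret = by_name.get(name)
        if secret is None:
            problems.append(f"{secret_key}: secret {name!r} not found in namespace {namespace!r}")
            continue
        data = secret.get("data") or {}
        wanted = ((a.get(private_key, "tls.key"), private_key, "PRIVATE KEY"),
                  (a.get(public_key, "tls.crt"), public_key, "CERTIFICATE"))
        for filename, key, expected in wanted:
            if filename not in data:
                problems.append(f"{secret_key}: secret {name!r} has no file {filename!r} (named by {key})")
                continue
            kind = _pem_kind(data[filename])
            if not _kind_matches(kind, expected):
                problems.append(f"{secret_key}: {name}/{filename} is not a PEM {expected} (got {kind!r})")
    return problems


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM bodies for the example; not real key material.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"

SAMPLE_SECRETS = [{  # constructed, in the shape of `kubectl get secret -o json`
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "my-tls-secret", "namespace": "shop"},
    "data": {"tls.key": _b64(FAKE_KEY), "tls.crt": _b64(FAKE_CERT)},
}]

SAMPLE_ANNOTATIONS = {  # the inbound-interception annotations from the section above
    PREFIX + "inject": "true",
    PREFIX + "tls-out": "true",
    PREFIX + "tls-in-secret": "my-tls-secret",
    PREFIX + "tls-in-private": "tls.key",
    PREFIX + "tls-in-public": "tls.crt",
}

if __name__ == "__main__":
    for line in check_tls_secrets(SAMPLE_ANNOTATIONS, SAMPLE_SECRETS, "shop") or ["TLS secrets look consistent"]:
        print(line)
```

The same check covers `tls-mutual-secret`, so one run verifies both the inbound server key pair and the client certificate goproxy will present. Bear in mind that the inbound key is served to API clients by the sidecar, so keep it in a secret scoped to that purpose rather than reusing a broader one.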