Kubernetes Annotations

Below are all the relevant Kubernetes annotations for Speedscale.

Sidecar Annotations

These annotations relate to the proxy sidecar that Speedscale attaches to your workload with operator v1.

| Annotation | Description |
| --- | --- |
| sidecar.speedscale.com/inject | Add the sidecar to your deployment, job, stateful set or daemon set. |
| sidecar.speedscale.com/insert-init-first | Add Speedscale's init container as the first in the list on the target workload. |
| sidecar.speedscale.com/capture-mode | Sidecar capture mode. Supported values are proxy (default), wasm or istio. |
| sidecar.speedscale.com/capture-node-traffic | Configure inbound traffic originating from the underlying Kubernetes node on which a pod is running to be routed through the proxy. The default behavior is to ignore inbound Kubernetes node traffic (e.g. readiness and liveness checks). Boolean string "true" or "false" (default). Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. |
| sidecar.speedscale.com/proxy-type | Type of proxy the sidecar should operate as: transparent (default), reverse, or http. Only valid if capture-mode is proxy, ignored otherwise. |
| sidecar.speedscale.com/proxy-protocol | Set the protocol for the outbound proxy. Only valid if proxy-type is reverse or http. Supported values: http, tcp, tcp+http, tcp+socks. |
| sidecar.speedscale.com/proxy-host | Set the host where you want to forward traffic. Only valid if capture-mode is proxy. |
| sidecar.speedscale.com/proxy-port | Set the port where you want to forward traffic. Only valid if capture-mode is proxy. |
| sidecar.speedscale.com/proxy-in-port | Sets the PROXY_IN_PORT environment variable. Only valid if capture-mode is proxy. |
| sidecar.speedscale.com/proxy-out-port | Sets the PROXY_OUT_PORT environment variable. Only valid if capture-mode is proxy. |
| sidecar.speedscale.com/envoy-filter | Name of the provisioned Envoy filter. Only valid if capture-mode is wasm. |
| sidecar.speedscale.com/tls-out | Set to "true" or "false" to configure TLS outbound interception. Defaults to "true". |
| sidecar.speedscale.com/tls-in-secret | Kubernetes secret with the TLS keys to use for inbound traffic; these keys will be exposed to API clients. Enables TLS inbound interception (see more details below). |
| sidecar.speedscale.com/tls-in-private | Filename of the TLS Inbound Private key (default tls.key). |
| sidecar.speedscale.com/tls-in-public | Filename of the TLS Inbound Public cert (default tls.crt). |
| sidecar.speedscale.com/tls-mutual-secret | Kubernetes secret with the TLS keys to use for outbound Mutual TLS traffic. |
| sidecar.speedscale.com/tls-mutual-private | Filename of the Mutual TLS Private Key (default tls.key). |
| sidecar.speedscale.com/tls-mutual-public | Filename of the Mutual TLS Public cert (default tls.crt). |
| sidecar.speedscale.com/ignore-src-ips | Comma-separated string of source IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Example: sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24" |
| sidecar.speedscale.com/ignore-src-hosts | Comma-separated string of source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal" |
| sidecar.speedscale.com/ignore-dst-ips | Comma-separated string of destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24" |
| sidecar.speedscale.com/ignore-dst-hosts | Comma-separated string of destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal" |
| sidecar.speedscale.com/cpu-limit | Specifies the CPU limit for Speedscale's proxy sidecar. |
| sidecar.speedscale.com/cpu-request | Specifies the CPU request for Speedscale's proxy sidecar. |
| sidecar.speedscale.com/memory-limit | Specifies the memory limit for Speedscale's proxy sidecar. |
| sidecar.speedscale.com/memory-request | Specifies the memory request for Speedscale's proxy sidecar. |
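
Several sidecar annotations are only valid in a particular capture mode or proxy type and are ignored otherwise, so a bypass list such as ignore-src-ips can stop applying without any error and the traffic it names is captured after all. The following linter is an added example, not Speedscale code: it checks a workload's annotations against the rules stated in the table above. The function name and the sample annotations are assumptions made for illustration.

```python
import ipaddress

PREFIX = "sidecar.speedscale.com/"
# Allowed values as documented in the table above.
ENUMS = {
    "capture-mode": {"proxy", "wasm", "istio"},
    "proxy-type": {"transparent", "reverse", "http"},
    "proxy-protocol": {"http", "tcp", "tcp+http", "tcp+socks"},
    "capture-node-traffic": {"true", "false"},
    "tls-out": {"true", "false"},
}
PROXY_ONLY = {"proxy-type", "proxy-host", "proxy-port", "proxy-in-port", "proxy-out-port"}
TRANSPARENT_ONLY = {"capture-node-traffic", "ignore-src-ips", "ignore-src-hosts",
                    "ignore-dst-ips", "ignore-dst-hosts"}

def lint_sidecar_annotations(annotations):
    """Return findings for sidecar annotations that are invalid or out of scope."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    mode = a.get("capture-mode", "proxy")        # documented default
    ptype = a.get("proxy-type", "transparent")   # documented default
    transparent = mode == "proxy" and ptype == "transparent"
    findings = []
    for key, value in sorted(a.items()):
        if key in ENUMS and value not in ENUMS[key]:
            findings.append(f"{key}: unsupported value {value!r}")
        if key in PROXY_ONLY and mode != "proxy":
            findings.append(f"{key}: only valid when capture-mode is proxy")
        if key in TRANSPARENT_ONLY and not transparent:
            findings.append(f"{key}: ignored unless capture-mode is proxy and proxy-type is transparent")
        if key == "proxy-protocol" and ptype not in ("reverse", "http"):
            findings.append(f"{key}: only valid when proxy-type is reverse or http")
        if key == "envoy-filter" and mode != "wasm":
            findings.append(f"{key}: only valid when capture-mode is wasm")
        if key in ("ignore-src-ips", "ignore-dst-ips"):
            for item in value.split(","):
                try:  # accepts a bare IPv4 address or an IPv4 CIDR block
                    ipaddress.IPv4Network(item.strip(), strict=False)
                except ValueError:
                    findings.append(f"{key}: {item.strip()!r} is not an IPv4 address or CIDR block")
        if key in ("ignore-src-hosts", "ignore-dst-hosts") and "*" in value:
            findings.append(f"{key}: wildcards are not supported")
    return findings

# Constructed sample: the bypass list is ignored because proxy-type is reverse.
SAMPLE = {PREFIX + "inject": "true", PREFIX + "proxy-type": "reverse",
          PREFIX + "ignore-src-ips": "10.10.0.40,10.200.10.0/24"}

if __name__ == "__main__":
    for finding in lint_sidecar_annotations(SAMPLE):
        print(finding)
```
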

Replay Annotations

These annotations control traffic replay for your workload with operator v1.

| Annotation | Description |
| --- | --- |
| replay.speedscale.com/env-id | Name of the TrafficReplay Custom Resource tied to a replay for this workload. |
| replay.speedscale.com/snapshot-id | ID of the Snapshot that is used to recreate traffic. |
| replay.speedscale.com/testconfig-id | ID of the test configuration used to recreate traffic (default: standard). |
| replay.speedscale.com/build-tag | Link a unique tag, build hash, etc. to the Speedscale report. That way you can connect the report results to the version of the code that was tested. |
| replay.speedscale.com/mode | Defines how a replay will test the system. Values are full-replay, responder-only, and generator-only (default: full-replay). full-replay will deploy generators to recreate observed requests, and responders to recreate observed responses. responder-only will create an infinitely running replay that responds to requests with observed responses. generator-only will recreate observed requests to the system under replay. |
| replay.speedscale.com/timeout | Specifies a timeout for a replay. Ignored when replay mode is responder-only. |
| replay.speedscale.com/secrets | Use this setting to provide a list of secrets for the replay system to load (e.g. JWT passwords). |
| replay.speedscale.com/cleanup | Cleans up provisioned resources after a traffic replay. Possible values: inventory, all, none (default: inventory). inventory will remove objects related to Speedscale's replay of traffic once finished, as well as reverting changes to the workload. all removes all replay objects, as well as the system under test. none will leave all resources on the system after a test run. |
| replay.speedscale.com/sut-url | Use this setting to override the URL the generator automatically determines (useful if you have customized your service definition). |
| replay.speedscale.com/collect-logs | Set to "true" to collect logs from the system under test (default: true). |
| replay.speedscale.com/responder-low-data | Set to "true" to force the responder into a high efficiency/low data output mode. This is ideal for high volume performance tests. |

Note: The operator will remove all listed replay annotations from the workload during admission review and move them into an associated TrafficReplay Custom Resource. This prevents side effects such as the operator observing and executing the same replay after it has finished. It also allows subsequent runs of the same replay by applying the same manifests, or incorporating the annotations into a GitOps workflow.

Common Annotations

These annotations are common across workloads and Speedscale's Custom Resources.

| Annotation | Description |
| --- | --- |
| operator.speedscale.com/ignore | The presence of this annotation on a workload instructs the operator to skip processing of the workload regardless of any other Speedscale annotations. Changes made to a workload manually AFTER this annotation was added won’t be reverted by the operator. |
| operator.speedscale.com/sut | The presence of this annotation on a workload indicates that this workload has a sidecar injected AND/OR replay running. (SUT stands for System Under Test.) |
| operator.speedscale.com/managed-by | This annotation on a workload or TrafficReplay CR defines a unique name of the operator instance which manages this resource (sourced from INSTANCE_ID var in the operator’s ConfigMap). This is to prevent race conditions in cases where multiple Speedscale operators are installed to different namespaces. |