Kubernetes Annotations
Below are all the relevant Kubernetes annotations for Speedscale.
Sidecar Annotations
These annotations relate to the proxy sidecar that Speedscale attaches to your workload with operator v1.
| Annotation | Description | Supported Values |
|---|---|---|
sidecar.speedscale.com/inject | Add the sidecar to your: deployment, job, stateful set or daemon set. | Boolean Default: "false" |
sidecar.speedscale.com/insert-init-first | Add Speedscale's init container as the first in the list on the target workload. | Boolean Default: "false" |
sidecar.speedscale.com/capture-mode | Sidecar capture mode. The only supported value is proxy (default) |
|
sidecar.speedscale.com/capture-node-traffic | Configure inbound traffic originating from underlying Kubernetes node on which a pod is running to be routed through the proxy. The default behavior is to ignore inbound Kubernetes node traffic (e.g. readiness and liveness checks). Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. | Boolean Default: "false" |
sidecar.speedscale.com/proxy-type | Type of proxy the sidecar should operate as. Only valid if capture-mode is proxy, ignored otherwise. |
|
sidecar.speedscale.com/proxy-protocol | Set the protocol for reverse, forward, or dual proxy types. Not valid if proxy-type is transparent. |
|
sidecar.speedscale.com/proxy-host | Set the host where you want to forward traffic. Only valid if capture-mode is proxy | String |
sidecar.speedscale.com/proxy-port | Set the port where you want to forward traffic. Only valid if capture-mode is proxy | String |
sidecar.speedscale.com/proxy-in-port | Sets the PROXY_IN_PORT environment variable. Only valid if capture-mode is proxy | String |
sidecar.speedscale.com/proxy-out-port | Sets the PROXY_OUT_PORT environment variable. Only valid if capture-mode is proxy | String |
sidecar.speedscale.com/tls-out | Enables or disables TLS outbound interception. |
|
sidecar.speedscale.com/tls-in-secret | Kubernetes secret with the TLS keys to use for inbound traffic, these keys will be exposed to API clients. Enables TLS inbound interception (see more details below). | String |
sidecar.speedscale.com/tls-in-private | Filename of the TLS Inbound Private key. | String Default: tls.key |
sidecar.speedscale.com/tls-in-public | Filename of the TLS Inbound Public cert. | String Default: tls.crt |
sidecar.speedscale.com/tls-mutual-secret | Kubernetes secret with the TLS keys to use for outbound Mutual TLS traffic. | String |
sidecar.speedscale.com/tls-mutual-private | Filename of the Mutual TLS Private Key. | String Default: tls.key |
sidecar.speedscale.com/tls-mutual-public | Filename of the Mutual TLS Public cert. | String Default: tls.crt |
sidecar.speedscale.com/ignore-src-ips | IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. | Comma separated string. Example: sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24" |
sidecar.speedscale.com/ignore-src-hosts | Source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. | Comma separated string. Example: sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal" |
sidecar.speedscale.com/ignore-dst-ips | Destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. | Comma separated string. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24" |
sidecar.speedscale.com/ignore-dst-hosts | Destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. | Comma separated string. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal" |
sidecar.speedscale.com/ignore-loopback | Ignore any traffic whose target is a loopback interface. This has the effect of discarding pod-local traffic. Only valid when proxy-type is transparent | Boolean Default: "false" |
sidecar.speedscale.com/track-loopback | Track and redirect outbound traffic depending on its destination interface. Normal external traffic will be redirected to PROXY_OUT_PORT but traffic directed at a loopback interface will be redirected to PROXY_IN_PORT. Enable this setting if you need to capture port forwarded traffi. Only valid when proxy-type is transparent | Boolean Default: "false" |
sidecar.speedscale.com/cpu-limit | CPU limit for Speedscales proxy sidecar | CPU resource units |
sidecar.speedscale.com/cpu-request | CPU request for Speedscales proxy sidecar | CPU resource units |
sidecar.speedscale.com/memory-limit | Memory limit for Speedscales proxy sidecar | Memory resource units |
sidecar.speedscale.com/memory-request | Memory request for Speedscales proxy sidecar | Memory resource units |
sidecar.speedscale.com/kube-api-support | Use this setting so your pod can see egress calls to the kube api server. | Boolean Default: "false" |
Replay Annotations
These annotations control traffic replay for your workload with operator v1.
| Annotation | Description | Supported Values |
|---|---|---|
replay.speedscale.com/env-id | Name of the TrafficReplay Custom Resource tied to a replay for this workload | Strings, automatically assigned |
replay.speedscale.com/snapshot-id | ID of the Snapshot that is used to recreate traffic. | UUIDs for Snapshots |
replay.speedscale.com/testconfig-id | ID of the test configuration used to recreate to traffic. | String of valid test configuration. Default: standard |
replay.speedscale.com/build-tag | Link a unique tag, build hash, etc. to the Speedscale report. That way you can connect the report results to the version of the code that was tested. | String |
replay.speedscale.com/mode | Defines how a replay will test the system. |
|
replay.speedscale.com/timeout | Specifies a timeout for a replay. Ignored when replay mode is responder-only | Duration |
replay.speedscale.com/secrets | Use this setting to provide a list of secrets for the replay system to load (ex: JWT passwords). | Comma separated list of strings |
replay.speedscale.com/cleanup | Cleans up provisioned resources after a traffic replay. |
|
replay.speedscale.com/sut-url | Use this setting to override the URL the generator automatically determines (useful if you have customized your service definition). | URL |
replay.speedscale.com/collect-logs | Collect logs from the system under test. | Boolean Default: "true" |
replay.speedscale.com/generator-low-data | Forces the generator into a high efficiency/low data output mode. This is ideal for high volume performance tests. | Boolean Default: "false" |
replay.speedscale.com/responder-low-data | Forces the responder into a high efficiency/low data output mode. This is ideal for high volume performance tests. | Boolean Default: "false" |
note
The operator will remove all listed replay annotations from the workload during admission review and move them into an associated TrafficReplay Custom Resource.
This prevents side effects such as the operator observing and executing the same replay after it has finished.
It also allows subsequent runs of the same replay by applying the same manifests, or incorporating the annotations into a GitOps workflow.
Common Annotations
These annotations are common across workloads and Speedscale's Custom Resources.
| Annotation | Description | Supported Values |
|---|---|---|
operator.speedscale.com/ignore | Instructs the operator to skip processing of this workload regardless of any other Speedscale annotations. Changes made to a workload manually AFTER this annotation was added won’t be reverted by the operator. | Boolean Default: false |
operator.speedscale.com/sut | Indicates that this workload has a sidecar injected AND/OR replay running. (SUT stands for System Under Test) | Boolean |
operator.speedscale.com/managed-by | Unique name of the operator instance which manages this workload or TrafficReplay CR. This is to prevent race conditions in cases where multiple Speedscale operators are installed to different namespaces. | String Sourced from INSTANCE_ID var in the operator’s ConfigMap |