Kubernetes Annotations
Below are all the relevant Kubernetes annotations for Speedscale.
Sidecar Annotations
These annotations relate to the proxy sidecar that Speedscale attaches to your workload with operator v1.
Annotation | Description |
---|---|
sidecar.speedscale.com/inject | Add the sidecar to your deployment, job, stateful set or daemon set. |
sidecar.speedscale.com/insert-init-first | Add Speedscale's init container as the first in the list on the target workload. |
sidecar.speedscale.com/capture-mode | Sidecar capture mode. Supported values are proxy (default), wasm or istio. |
sidecar.speedscale.com/capture-node-traffic | Route inbound traffic originating from the underlying Kubernetes node on which a pod is running through the proxy. The default behavior is to ignore inbound Kubernetes node traffic (e.g. readiness and liveness checks). Boolean string "true" or "false" (default). Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. |
sidecar.speedscale.com/proxy-type | Type of proxy the sidecar should operate as: transparent (default), reverse, or http. Only valid if capture-mode is proxy, ignored otherwise. |
sidecar.speedscale.com/proxy-protocol | Set the protocol for the outbound proxy. Only valid if proxy-type is reverse or http. Supported values: http, tcp, tcp+http, tcp+socks. |
sidecar.speedscale.com/proxy-host | Set the host where you want to forward traffic. Only valid if capture-mode is proxy. |
sidecar.speedscale.com/proxy-port | Set the port where you want to forward traffic. Only valid if capture-mode is proxy. |
sidecar.speedscale.com/proxy-in-port | Sets the PROXY_IN_PORT environment variable. Only valid if capture-mode is proxy. |
sidecar.speedscale.com/proxy-out-port | Sets the PROXY_OUT_PORT environment variable. Only valid if capture-mode is proxy. |
sidecar.speedscale.com/envoy-filter | Name of the provisioned Envoy filter. Only valid if capture-mode is wasm. |
sidecar.speedscale.com/tls-out | Set to "true" or "false" to configure TLS outbound interception. Defaults to "true". |
sidecar.speedscale.com/tls-in-secret | Kubernetes secret with the TLS keys to use for inbound traffic; these keys will be exposed to API clients. Enables TLS inbound interception (see more details below). |
sidecar.speedscale.com/tls-in-private | Filename of the TLS Inbound Private key (default tls.key). |
sidecar.speedscale.com/tls-in-public | Filename of the TLS Inbound Public cert (default tls.crt). |
sidecar.speedscale.com/tls-mutual-secret | Kubernetes secret with the TLS keys to use for outbound Mutual TLS traffic. |
sidecar.speedscale.com/tls-mutual-private | Filename of the Mutual TLS Private Key (default tls.key). |
sidecar.speedscale.com/tls-mutual-public | Filename of the Mutual TLS Public cert (default tls.crt). |
sidecar.speedscale.com/ignore-src-ips | Comma separated string of source IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Example: sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24" |
sidecar.speedscale.com/ignore-src-hosts | Comma separated string of source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal" |
sidecar.speedscale.com/ignore-dst-ips | Comma separated string of destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24" |
sidecar.speedscale.com/ignore-dst-hosts | Comma separated string of destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported. Example: sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal" |
sidecar.speedscale.com/cpu-limit | Specifies the CPU limit for Speedscale's proxy sidecar. |
sidecar.speedscale.com/cpu-request | Specifies the CPU request for Speedscale's proxy sidecar. |
sidecar.speedscale.com/memory-limit | Specifies the memory limit for Speedscale's proxy sidecar. |
sidecar.speedscale.com/memory-request | Specifies the memory request for Speedscale's proxy sidecar. |
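Several rows above are conditional: an annotation set under the wrong capture-mode or proxy-type is not valid, so an ignore-* exclusion can fail to apply and that traffic is still routed through the proxy. The Python check below is an added example, not Speedscale's own code; it lints one workload's annotations against the conditions and value lists in the table, and lint_sidecar_annotations and the sample input are hypothetical names and constructed data.

```python
import ipaddress

PREFIX = "sidecar.speedscale.com/"
CAPTURE_MODES = {"proxy", "wasm", "istio"}
PROXY_TYPES = {"transparent", "reverse", "http"}
PROXY_PROTOCOLS = {"http", "tcp", "tcp+http", "tcp+socks"}
# Conditions copied from the "Only valid if ..." notes in the table above.
NEEDS_PROXY = {"proxy-type", "proxy-host", "proxy-port", "proxy-in-port", "proxy-out-port"}
NEEDS_TRANSPARENT = {"capture-node-traffic", "ignore-src-ips", "ignore-src-hosts",
                     "ignore-dst-ips", "ignore-dst-hosts"}

def lint_sidecar_annotations(annotations):
    """Return sorted findings for one workload's annotation dict (hypothetical helper)."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    mode = a.get("capture-mode", "proxy")         # documented default
    ptype = a.get("proxy-type", "transparent")    # documented default
    out = []
    if mode not in CAPTURE_MODES:
        out.append(f"capture-mode: unsupported value {mode!r}")
    if ptype not in PROXY_TYPES:
        out.append(f"proxy-type: unsupported value {ptype!r}")
    for name in a:
        if name in NEEDS_PROXY and mode != "proxy":
            out.append(f"{name}: only valid when capture-mode is proxy")
        if name in NEEDS_TRANSPARENT and (mode, ptype) != ("proxy", "transparent"):
            out.append(f"{name}: only valid with capture-mode proxy and proxy-type transparent")
    if "envoy-filter" in a and mode != "wasm":
        out.append("envoy-filter: only valid when capture-mode is wasm")
    if "proxy-protocol" in a:
        if ptype not in ("reverse", "http"):
            out.append("proxy-protocol: only valid when proxy-type is reverse or http")
        if a["proxy-protocol"] not in PROXY_PROTOCOLS:
            out.append(f"proxy-protocol: unsupported value {a['proxy-protocol']!r}")
    for name in ("ignore-src-ips", "ignore-dst-ips"):
        for item in filter(None, (s.strip() for s in a.get(name, "").split(","))):
            try:
                ipaddress.IPv4Network(item, strict=False)  # accepts address or CIDR
            except ValueError:
                out.append(f"{name}: {item!r} is not an IPv4 address or CIDR block")
    for name in ("ignore-src-hosts", "ignore-dst-hosts"):
        if "*" in a.get(name, ""):
            out.append(f"{name}: wildcards are not supported")
    return sorted(out)

# Constructed sample: exclusions paired with a non-transparent proxy type.
SAMPLE = {PREFIX + "proxy-type": "reverse",
          PREFIX + "ignore-dst-ips": "10.10.0.40,10.200.10.0/24",
          PREFIX + "ignore-dst-hosts": "*.internal"}
```

Running lint_sidecar_annotations(SAMPLE) reports both exclusions as not valid under proxy-type reverse, plus the wildcard hostname.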
Replay Annotations
These annotations control traffic replay for your workload with operator v1.
Annotation | Description |
---|---|
replay.speedscale.com/env-id | Name of the TrafficReplay Custom Resource tied to a replay for this workload |
replay.speedscale.com/snapshot-id | ID of the Snapshot that is used to recreate traffic. |
replay.speedscale.com/testconfig-id | ID of the test configuration used to recreate traffic. (Default: standard) |
replay.speedscale.com/build-tag | Link a unique tag, build hash, etc. to the Speedscale report. That way you can connect the report results to the version of the code that was tested. |
replay.speedscale.com/mode | Defines how a replay will test the system. Values are full-replay, responder-only, and generator-only (default: full-replay). full-replay will deploy generators to recreate observed requests, and responders to recreate observed responses. responder-only will create an infinitely running replay that responds to requests with observed responses. generator-only will recreate observed requests to the system under replay. |
replay.speedscale.com/timeout | Specifies a timeout for a replay. Ignored when replay mode is responder-only |
replay.speedscale.com/secrets | Use this setting to provide a list of secrets for the replay system to load (ex: JWT passwords). |
replay.speedscale.com/cleanup | Cleans up provisioned resources after a traffic replay. Possible values: inventory, all, none (default: inventory). inventory will remove objects related to Speedscale's replay of traffic once finished, as well as reverting changes to the workload. all removes all replay objects, as well as the system under test. none will leave all resources on the system after a test run. |
replay.speedscale.com/sut-url | Use this setting to override the URL the generator automatically determines (useful if you have customized your service definition). |
replay.speedscale.com/collect-logs | Set to "true" to collect logs from the system under test (default: true). |
replay.speedscale.com/responder-low-data | Set to "true" to force the responder into a high efficiency/low data output mode. This is ideal for high volume performance tests. |
Note
The operator will remove all listed replay annotations from the workload during admission review and move them into an associated TrafficReplay Custom Resource.
This prevents side effects such as the operator observing and executing the same replay after it has finished.
It also allows subsequent runs of the same replay by applying the same manifests, or incorporating the annotations into a GitOps workflow.
Common Annotations
These annotations are common across workloads and Speedscale's Custom Resources.
Annotation | Description |
---|---|
operator.speedscale.com/ignore | The presence of this annotation on a workload instructs the operator to skip processing of the workload regardless of any other Speedscale annotations. Changes made to a workload manually AFTER this annotation was added won’t be reverted by the operator. |
operator.speedscale.com/sut | The presence of this annotation on a workload indicates that this workload has a sidecar injected AND/OR replay running. (SUT stands for System Under Test) |
operator.speedscale.com/managed-by | This annotation on a workload or TrafficReplay CR defines a unique name of the operator instance which manages this resource (sourced from INSTANCE_ID var in the operator’s ConfigMap). This is to prevent race conditions in cases where multiple Speedscale operators are installed to different namespaces. |