
Optional Sidecar Annotations

How to customize your sidecar configuration with annotations.

Here are additional annotation values for the sidecar:

Each entry below gives the annotation, its description, and its supported values.

sidecar.speedscale.com/inject
  Add the sidecar to your deployment, job, stateful set or daemon set.
  Boolean. Default: "false"

sidecar.speedscale.com/insert-init-first
  Add Speedscale's init container as the first in the list on the target workload.
  Boolean. Default: "false"

sidecar.speedscale.com/capture-mode
  Sidecar capture mode. The only supported value is proxy (default).
  • proxy
  • Default: proxy

sidecar.speedscale.com/capture-node-traffic
  Configure inbound traffic originating from the underlying Kubernetes node on which a pod is running to be routed through the proxy. The default behavior is to ignore inbound Kubernetes node traffic (e.g. readiness and liveness checks). Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise.
  Boolean. Default: "false"

sidecar.speedscale.com/proxy-type
  Type of proxy the sidecar should operate as. Only valid if capture-mode is proxy, ignored otherwise.
  • transparent
  • reverse
  • forward
  • dual
  • Default: transparent

sidecar.speedscale.com/proxy-protocol
  Set the protocol for reverse, forward, or dual proxy types. Not valid if proxy-type is transparent.
  • tcp (only applies to reverse/inbound)
  • http
  • socks
  • tcp:http
  • tcp:socks

sidecar.speedscale.com/proxy-host
  Set the host where you want to forward traffic. Only valid if capture-mode is proxy.
  String

sidecar.speedscale.com/proxy-port
  Set the port where you want to forward traffic. Only valid if capture-mode is proxy.
  String

sidecar.speedscale.com/proxy-in-port
  Sets the PROXY_IN_PORT environment variable. Only valid if capture-mode is proxy.
  String

sidecar.speedscale.com/proxy-out-port
  Sets the PROXY_OUT_PORT environment variable. Only valid if capture-mode is proxy.
  String

sidecar.speedscale.com/tls-out
  Enables or disables TLS outbound interception.
  • "true"
  • "false"
  • Default: "true"

sidecar.speedscale.com/tls-in-secret
  Kubernetes secret with the TLS keys to use for inbound traffic; these keys will be exposed to API clients. Enables TLS inbound interception (see more details below).
  String

sidecar.speedscale.com/tls-in-private
  Filename of the TLS inbound private key.
  String. Default: tls.key

sidecar.speedscale.com/tls-in-public
  Filename of the TLS inbound public cert.
  String. Default: tls.crt

sidecar.speedscale.com/tls-mutual-secret
  Kubernetes secret with the TLS keys to use for outbound mutual TLS traffic.
  String

sidecar.speedscale.com/tls-mutual-private
  Filename of the mutual TLS private key.
  String. Default: tls.key

sidecar.speedscale.com/tls-mutual-public
  Filename of the mutual TLS public cert.
  String. Default: tls.crt

sidecar.speedscale.com/ignore-src-ips
  IPv4 addresses or IPv4 CIDR blocks for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise.
  Comma separated string.
  Example: sidecar.speedscale.com/ignore-src-ips: "10.10.0.40,10.200.10.0/24"

sidecar.speedscale.com/ignore-src-hosts
  Source hostnames for inbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported.
  Comma separated string.
  Example: sidecar.speedscale.com/ignore-src-hosts: "example.com,mysvc.internal"

sidecar.speedscale.com/ignore-dst-ips
  Destination IPv4 addresses or IPv4 CIDR blocks for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported.
  Comma separated string.
  Example: sidecar.speedscale.com/ignore-dst-ips: "10.10.0.40,10.200.10.0/24"

sidecar.speedscale.com/ignore-dst-hosts
  Destination hostnames for outbound traffic that should not be routed through the proxy. Only valid if capture-mode is proxy and proxy-type is transparent, ignored otherwise. Wildcards are not currently supported.
  Comma separated string.
  Example: sidecar.speedscale.com/ignore-dst-hosts: "example.com,mysvc.internal"

sidecar.speedscale.com/ignore-loopback
  Ignore any traffic whose target is a loopback interface. This has the effect of discarding pod-local traffic. Only valid when proxy-type is transparent.
  Boolean. Default: "false"

sidecar.speedscale.com/track-loopback
  Track and redirect outbound traffic depending on its destination interface. Normal external traffic will be redirected to PROXY_OUT_PORT but traffic directed at a loopback interface will be redirected to PROXY_IN_PORT. Enable this setting if you need to capture port forwarded traffic. Only valid when proxy-type is transparent.
  Boolean. Default: "false"

sidecar.speedscale.com/cpu-limit
  CPU limit for Speedscale's proxy sidecar.
  CPU resource units

sidecar.speedscale.com/cpu-request
  CPU request for Speedscale's proxy sidecar.
  CPU resource units

sidecar.speedscale.com/memory-limit
  Memory limit for Speedscale's proxy sidecar.
  Memory resource units

sidecar.speedscale.com/memory-request
  Memory request for Speedscale's proxy sidecar.
  Memory resource units

sidecar.speedscale.com/kube-api-support
  Use this setting so your pod can see egress calls to the kube api server.
  Boolean. Default: "false"
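Several rules in this table are easy to violate in a manifest without noticing, because the table says such annotations are ignored rather than rejected: proxy-protocol is not valid for a transparent proxy, the ignore lists only take effect when proxy-type is transparent, ignore-*-ips accept only IPv4 addresses or CIDR blocks, hostname lists accept no wildcards, and booleans must be the quoted strings "true"/"false". The lint below is an added example, not part of Speedscale's documentation or code base; it encodes those rules from the table as a pre-deploy check over a pod template's annotations. The two annotation sets are constructed for illustration.

```python
import ipaddress

PREFIX = "sidecar.speedscale.com/"

BOOL_KEYS = {"inject", "insert-init-first", "capture-node-traffic", "tls-out",
             "ignore-loopback", "track-loopback", "kube-api-support"}
# Annotations the table marks "only valid if proxy-type is transparent".
TRANSPARENT_ONLY = {"capture-node-traffic", "ignore-src-ips", "ignore-src-hosts",
                    "ignore-dst-ips", "ignore-dst-hosts", "ignore-loopback", "track-loopback"}
PROXY_TYPES = {"transparent", "reverse", "forward", "dual"}
PROXY_PROTOCOLS = {"tcp", "http", "socks", "tcp:http", "tcp:socks"}
KNOWN = BOOL_KEYS | TRANSPARENT_ONLY | {
    "capture-mode", "proxy-type", "proxy-protocol", "proxy-host", "proxy-port",
    "proxy-in-port", "proxy-out-port", "tls-in-secret", "tls-in-private",
    "tls-in-public", "tls-mutual-secret", "tls-mutual-private", "tls-mutual-public",
    "cpu-limit", "cpu-request", "memory-limit", "memory-request"}


def split_list(value):
    """Split a comma separated annotation value into its non-empty items."""
    return [p.strip() for p in value.split(",") if p.strip()] if value else []


def lint(annotations):
    """Return a list of human-readable findings for a pod template's annotations.
    An empty list means every sidecar.speedscale.com/* annotation is well formed."""
    findings = []
    sc = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}

    # Annotation values are strings; an unquoted YAML `true` arrives as a bool and
    # is rejected by the API server, so flag it before anything else.
    for key in sorted(sc):
        if not isinstance(sc[key], str):
            findings.append(f"{key}: value must be a quoted string, got {sc[key]!r}")
            sc[key] = str(sc[key]).lower()
        if key not in KNOWN:
            findings.append(f"{key}: unknown annotation (check spelling)")
    for key in sorted(BOOL_KEYS & sc.keys()):
        if sc[key] not in ("true", "false"):
            findings.append(f'{key}: expected "true" or "false", got {sc[key]!r}')

    capture_mode = sc.get("capture-mode", "proxy")
    if capture_mode != "proxy":
        findings.append(f"capture-mode: only 'proxy' is supported, got {capture_mode!r}")
    proxy_type = sc.get("proxy-type", "transparent")
    if proxy_type not in PROXY_TYPES:
        findings.append(f"proxy-type: {proxy_type!r} is not one of {sorted(PROXY_TYPES)}")
    if "proxy-protocol" in sc:
        if proxy_type == "transparent":
            findings.append("proxy-protocol: not valid when proxy-type is transparent")
        elif sc["proxy-protocol"] not in PROXY_PROTOCOLS:
            findings.append(f"proxy-protocol: {sc['proxy-protocol']!r} is not a supported protocol")
    if proxy_type != "transparent":
        for key in sorted(TRANSPARENT_ONLY & sc.keys()):
            findings.append(f"{key}: ignored because proxy-type is {proxy_type!r}")

    # Ignore lists take IPv4 addresses or IPv4 CIDR blocks. Strict parsing also
    # catches a prefix with host bits set (10.200.10.5/24), which usually means a typo.
    for key in ("ignore-src-ips", "ignore-dst-ips"):
        for item in split_list(sc.get(key)):
            try:
                net = ipaddress.ip_network(item)
            except ValueError:
                findings.append(f"{key}: {item!r} is not an IPv4 address or CIDR block")
                continue
            if net.version != 4:
                findings.append(f"{key}: {item!r} is not IPv4")
    # Hostname lists: wildcards are documented as unsupported.
    for key in ("ignore-src-hosts", "ignore-dst-hosts"):
        for item in split_list(sc.get(key)):
            if "*" in item:
                findings.append(f"{key}: wildcard {item!r} is not supported")

    # Filename overrides only mean something when the secret they live in is named.
    for secret_key, file_keys in (("tls-in-secret", ("tls-in-private", "tls-in-public")),
                                  ("tls-mutual-secret", ("tls-mutual-private", "tls-mutual-public"))):
        if secret_key not in sc:
            for fk in file_keys:
                if fk in sc:
                    findings.append(f"{fk}: set without {secret_key}, which is required")
    return findings


# Constructed annotation sets (not from the page): a reverse proxy with several mistakes,
# then the same workload corrected.
BAD = {
    PREFIX + "inject": "true",
    PREFIX + "proxy-type": "reverse",
    PREFIX + "tls-out": "yes",                                 # not "true"/"false"
    PREFIX + "ignore-dst-hosts": "*.internal",                 # ignored for reverse, and a wildcard
    PREFIX + "ignore-src-ips": "10.200.10.5/24,2001:db8::1",   # host bits set, and IPv6
    PREFIX + "tls-in-private": "server.key",                   # no tls-in-secret
}
GOOD = {
    PREFIX + "inject": "true",
    PREFIX + "proxy-type": "reverse",
    PREFIX + "proxy-protocol": "tcp",
    PREFIX + "tls-out": "true",
    PREFIX + "tls-in-secret": "my-tls-secret",
    PREFIX + "tls-in-private": "server.key",
}

if __name__ == "__main__":
    for name, ann in (("BAD", BAD), ("GOOD", GOOD)):
        print(f"{name}: {len(lint(ann))} finding(s)")
        for finding in lint(ann):
            print("  -", finding)
```

Run it against the `metadata.annotations` of your pod template (for example after loading the manifest with a YAML parser); the findings for BAD show how a single reverse-proxy annotation silently disables a whole set of ignore rules that were written for transparent mode.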

TLS Inbound Interception

The sidecar will be listening for incoming transactions and must present the correct certificate to the client. Because you already have TLS configured, the cert files you are using must be provided to the sidecar. These are the fields:

  • tls-in-secret (required) is the name of the Kubernetes secret
  • tls-in-private (optional) is the filename of the private key inside the secret (default: tls.key)
  • tls-in-public (optional) is the filename of the public cert inside the secret (default: tls.crt)

When your deployment is injected, the sidecar will have the extra environment variables TLS_IN_UNWRAP=true, TLS_IN_PUBLIC_KEY and TLS_IN_PRIVATE_KEY, and a volume mount to access the files from the provided secret.

  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
    sidecar.speedscale.com/tls-in-secret: "my-tls-secret"
    sidecar.speedscale.com/tls-in-private: "tls.key"
    sidecar.speedscale.com/tls-in-public: "tls.crt"

TLS Outbound Interception

To unwrap outbound TLS calls there are multiple steps required:

  • Configure the sidecar to enable outbound TLS interception
  • Configure your application to trust the new TLS Certificates

When your deployment is injected, the sidecar will have an extra environment variable TLS_OUT_UNWRAP=true and a volume mount to access the files from the speedscale-certs secret. The operator will automatically create a secret named speedscale-certs and put it into the namespace. All that is required is to add these annotations to your deployment:

  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"

Mutual Authentication for Outbound Calls

If your backend system requires [Mutual Authentication](https://tools.ietf.org/html/rfc8120) (aka Mutual TLS or 2-Way TLS), the sidecar must be configured with an additional X.509 key pair. During the TLS handshake, the backend system will request a client certificate. This is the certificate that goproxy will present. These are the fields:

  • tls-mutual-secret (required) is the name of the Kubernetes secret
  • tls-mutual-private (optional) is the filename of the private key inside the secret (default: tls.key)
  • tls-mutual-public (optional) is the filename of the public cert inside the secret (default: tls.crt)

When your deployment is injected, the sidecar will have the extra environment variables TLS_MUTUAL_PUBLIC_KEY and TLS_MUTUAL_PRIVATE_KEY and a volume mount to access the files from the provided secret. You must provide a Kubernetes secret that holds the TLS private key and public cert. The name of the secret and the names of the files can be provided to the operator to inject automatically.

  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
    sidecar.speedscale.com/tls-mutual-secret: "my-tls-secret"
    sidecar.speedscale.com/tls-mutual-private: "tls.key"
    sidecar.speedscale.com/tls-mutual-public: "tls.crt"
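Both the TLS inbound section and this mutual TLS section depend on a secret that already exists in the namespace and contains entries with the filenames the annotations name (tls.key and tls.crt by default). The check below is an added example and not Speedscale's code: given a pod template's annotations and the Secret manifests present in the namespace, it confirms that each referenced secret exists and that the named entries really hold a PEM private key and a PEM certificate, a mismatch that would otherwise only surface at runtime. The secret manifests and PEM placeholders are constructed; the rule that mutual TLS needs tls-out enabled is an inference from the annotation example above, not a documented constraint, and is labelled as such in the code.

```python
import base64

PREFIX = "sidecar.speedscale.com/"
PRIVATE_KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
                       b"-----BEGIN EC PRIVATE KEY-----")
CERT_MARKER = b"-----BEGIN CERTIFICATE-----"

# group -> (secret annotation, private-key filename annotation, cert filename annotation)
TLS_GROUPS = {
    "inbound": ("tls-in-secret", "tls-in-private", "tls-in-public"),
    "mutual": ("tls-mutual-secret", "tls-mutual-private", "tls-mutual-public"),
}


def looks_like_private_key(pem: bytes) -> bool:
    return pem.lstrip().startswith(PRIVATE_KEY_MARKERS)


def looks_like_certificate(pem: bytes) -> bool:
    return pem.lstrip().startswith(CERT_MARKER)


def secret_files(secret):
    """Decode a Secret manifest's base64 `data` map into filename -> bytes."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def check_tls_secrets(annotations, secrets):
    """Check the secrets referenced by the TLS annotations against `secrets`
    (name -> Secret manifest, as listed from the pod's namespace).
    Returns a list of findings; an empty list means the sidecar can mount what it needs."""
    sc = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    findings = []
    for group, (secret_key, priv_key, pub_key) in TLS_GROUPS.items():
        name = sc.get(secret_key)
        if name is None:
            continue  # this interception mode is not enabled
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"{group}: secret {name!r} not found in the namespace")
            continue
        data = secret_files(secret)
        # Defaults come from the annotation table: tls.key and tls.crt.
        wanted = {"private key": sc.get(priv_key, "tls.key"),
                  "certificate": sc.get(pub_key, "tls.crt")}
        for what, fname in wanted.items():
            if fname not in data:
                findings.append(f"{group}: secret {name!r} has no entry {fname!r}")
            elif what == "private key" and not looks_like_private_key(data[fname]):
                findings.append(f"{group}: {name}/{fname} is not a PEM private key")
            elif what == "certificate" and not looks_like_certificate(data[fname]):
                findings.append(f"{group}: {name}/{fname} is not a PEM certificate")
    # Assumption, not a documented rule: the client certificate is presented by the
    # sidecar during the outbound handshake, so mutual TLS is only useful with tls-out.
    if "tls-mutual-secret" in sc and sc.get("tls-out", "true") != "true":
        findings.append('mutual: tls-mutual-secret is set but tls-out is "false"')
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM blocks (not real key material), standing in for what
# `kubectl create secret tls` stores under tls.key and tls.crt.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIPLACEHOLDER\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBPLACEHOLDER\n-----END CERTIFICATE-----\n"

SECRETS = {
    "my-tls-secret": {"type": "kubernetes.io/tls",
                      "data": {"tls.key": _b64(FAKE_KEY), "tls.crt": _b64(FAKE_CERT)}},
    # Constructed mistake: the two files were swapped when the secret was built with
    # --from-file, so the sidecar would load a certificate where it expects its key.
    "backend-client-cert": {"type": "Opaque",
                            "data": {"client.key": _b64(FAKE_CERT), "client.crt": _b64(FAKE_KEY)}},
}

ANNOTATIONS = {
    PREFIX + "inject": "true",
    PREFIX + "tls-out": "true",
    PREFIX + "tls-in-secret": "my-tls-secret",
    PREFIX + "tls-mutual-secret": "backend-client-cert",
    PREFIX + "tls-mutual-private": "client.key",
    PREFIX + "tls-mutual-public": "client.crt",
}

if __name__ == "__main__":
    for finding in check_tls_secrets(ANNOTATIONS, SECRETS):
        print("-", finding)
```

A secret created with `kubectl create secret tls` already uses the tls.key and tls.crt entry names, so the filename annotations can be omitted for it; a secret built with `--from-file` takes the local filenames as entry names, which is exactly when tls-in-private/tls-in-public or tls-mutual-private/tls-mutual-public must be set to match.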