You can add annotations to Kubernetes Pod objects to customize piggy's behavior.

piggysec.com/aws-secret-name
Specifies an AWS secret name, e.g. "/myapp/name".

piggysec.com/aws-region
Specifies an AWS Secrets Manager region, e.g. "ap-southeast-1".

piggysec.com/piggy-env-image
Overrides the piggy-env image location. If no value is specified, the piggy-env image location is taken from the piggy-webhooks settings in the Helm chart.

piggysec.com/piggy-env-image-pull-policy
Overrides the piggy-env image pull policy. If no value is specified, the piggy-env image pull policy is taken from the piggy-webhooks settings in the Helm chart.

piggysec.com/piggy-env-resource-cpu-request
Overrides the piggy-env init-container resource CPU request. Defaults to 50m.

piggysec.com/piggy-env-resource-memory-request
Overrides the piggy-env init-container resource memory request. Defaults to 64Mi.

piggysec.com/piggy-env-resource-cpu-limit
Overrides the piggy-env init-container resource CPU limit. Defaults to 200m.

piggysec.com/piggy-env-resource-memory-limit
Overrides the piggy-env init-container resource memory limit. Defaults to 64Mi.

piggysec.com/piggy-psp-allow-privilege-escalation
Allows the piggy-env init-container to run as root. Defaults to false.

piggysec.com/piggy-address
The endpoint of piggy-webhooks. This is required when running in proxy mode.

piggysec.com/piggy-ignore-no-env
Do not terminate the container if no variable is found in Secrets Manager. Defaults to false. Setting this value to false is recommended for most applications. The container will not start if an environment variable is missing.

piggysec.com/piggy-enforce-integrity
Enforces a command integrity check before secrets are injected. Defaults to true. Setting this value to true is recommended for most applications. Setting it to false allows piggy-env to run with different arguments.

piggysec.com/debug
Runs piggy-env in debug mode. Defaults to false.

piggysec.com/standalone
Runs piggy-env in standalone mode. Defaults to false. If this value is true, piggysec.com/piggy-address will not be used.

piggysec.com/piggy-enforce-service-account
Forces a check of the PIGGY_ALLOWED_SA env value in AWS Secrets Manager.

piggysec.com/piggy-default-secret-name-prefix
Sets the default prefix string for the secret name.

piggysec.com/piggy-default-secret-name-suffix
Sets the default suffix string for the secret name.

piggysec.com/piggy-dns-resolver
Sets the Golang DNS resolver, such as tcp or udp. See https://pkg.go.dev/net

piggysec.com/piggy-initial-delay
Sets a delay, in the form n[ns|us|ms|s|m|h], before piggy starts retrieving secrets. If you are using Istio Envoy, you may need to set this value to 2s. Envoy blocks all outgoing requests from piggy-env until Envoy is fully started. Adding this delay allows Envoy to become operational before piggy runs.

piggysec.com/piggy-number-of-retry
Sets the number of retries for retrieving secrets before giving up. Each retry waits for 500 milliseconds. You can use this to work around Pods with delayed initialization, such as those using Istio Envoy.

piggysec.com/image-pull-secret
The name of a container image pull secret. Piggy will try to read the container image by using secrets in the following order:
- pod.spec.imagePullSecrets
- piggysec.com/image-pull-secret annotation
- ServiceAccount permission from cloud

piggysec.com/image-pull-secret-namespace
The name of the container image pull secret namespace.

piggysec.com/image-skip-verify-registry
Skips registry verification when trying to read the image. Defaults to true.
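
The following Go sketch is an added example, not code from the piggy project. It reviews a Pod's annotations against the defaults and rules listed above. The helper name auditAnnotations is hypothetical, and the code assumes boolean annotations are written as true or false.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

const prefix = "piggysec.com/"

// auditAnnotations (hypothetical helper) returns findings for a Pod's piggy annotations.
func auditAnnotations(a map[string]string) []string {
	var out []string
	// Boolean annotations and the default value documented on this page.
	expect := []struct {
		key  string
		want bool
	}{
		{"piggy-enforce-integrity", true},
		{"piggy-ignore-no-env", false},
		{"piggy-psp-allow-privilege-escalation", false},
		{"debug", false},
	}
	for _, e := range expect {
		v, ok := a[prefix+e.key]
		b, err := strconv.ParseBool(v)
		switch {
		case !ok: // unset: the documented default applies
		case err != nil:
			out = append(out, e.key+": not a boolean: "+v)
		case b != e.want:
			out = append(out, fmt.Sprintf("%s: set to %t, documented default is %t", e.key, b, e.want))
		}
	}
	// The delay uses the n[ns|us|ms|s|m|h] form, which time.ParseDuration parses.
	if d, ok := a[prefix+"piggy-initial-delay"]; ok {
		if _, err := time.ParseDuration(d); err != nil {
			out = append(out, "piggy-initial-delay: invalid duration: "+d)
		}
	}
	// In standalone mode piggy-address is not used.
	if a[prefix+"standalone"] == "true" && a[prefix+"piggy-address"] != "" {
		out = append(out, "piggy-address: ignored because standalone is true")
	}
	return out
}

func main() {
	// Constructed sample annotations, not taken from a real workload.
	pod := map[string]string{prefix + "piggy-enforce-integrity": "false", prefix + "piggy-initial-delay": "2sec"}
	fmt.Println(auditAnnotations(pod))
}
```

A check like this can run in CI against rendered manifests, so that a Pod which turns off the integrity check or enables debug mode is noticed at review time.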