You can add annotations to kubernetes Pods objects to customize piggy behavior.
piggysec.com/aws-secret-namespecifies a AWS secret name e.g. "/myapp/name"piggysec.com/aws-regionspecifies a AWS secret manager region e.g. "ap-southeast-1"
piggysec.com/piggy-env-imageoverrides a piggy-env image location. If no value specifies, the piggy-env image location will be taken from piggy-webhooks settings on helm chartpiggysec.com/piggy-env-image-pull-policyoverrides a piggy-env image pull policy. If no value specifies, the piggy-env image pull policy will be taken from piggy-webhooks settings on helm chartpiggysec.com/piggy-env-resource-cpu-requestoverrides a piggy-env init-container resource CPU requests. Default to50mpiggysec.com/piggy-env-resource-memory-requestoverrides a piggy-env init-container resource memory requests. Default to64Mipiggysec.com/piggy-env-resource-cpu-limitoverrides a piggy-env init-container resource CPU limit. Default to200mpiggysec.com/piggy-env-resource-memory-limitoverrides a piggy-env init-container resource memory limit. Default to64Mipiggysec.com/piggy-psp-allow-privilege-escalationallow a piggy-env init-container to run as root. Default tofalsepiggysec.com/piggy-addressan endpoint of piggy-webhooks. This is required when it is running in proxy mode.piggysec.com/piggy-ignore-no-envdo not terminate the container if no variable found on secret manager. Default tofalse. Set this value tofalseis recommended in most application. The container will not start if environment variable is missing.piggysec.com/piggy-enforce-integrityenforce checking command integrity before inject secrets into. Default totrue. Set this value totrueis recommended in most application. Set tofalsewill allow piggy-env to run on different argumentspiggysec.com/debugallows to run piggy-env in debug mode. Default tofalse.piggysec.com/standaloneallows to run piggy-env in standalone mode. Default tofalse. If this value istrue, the piggysec.com/piggy-address will not be used.piggysec.com/piggy-enforce-service-accountForce to checkPIGGY_ALLOWED_SAenv value in AWS secret managerpiggysec.com/piggy-default-secret-name-prefixSet default prefix string for secret namepiggysec.com/piggy-default-secret-name-suffixSet default suffix string for secret namepiggysec.com/piggy-dns-resolverSet Golang DNS resolver such astcp,udp. See https://pkg.go.dev/netpiggysec.com/piggy-initial-delaySet delay in n[ns|us|ms|s|m|h] before start retrieving secrets. If you are using Istio Envoy, you may need to set this value to2s. The Envoy will block all outgoing requests from piggy-env until Envoy is fully started. Add this delay value to allow Envoy to operate before running piggy.piggysec.com/piggy-number-of-retrySet number of retry to retrieving secrets before given up. Each retry will wait for 500 milliseconds. You can use this to resolve delay initialize pods setting such as Istio Envoy.
piggysec.com/image-pull-secreta name of container image pull secret. The piggy will try to read the container image by using secret in the following order- pod.spec.imagePullSecrets
piggysec.com/image-pull-secretannotation- ServiceAccount permission from cloud
piggysec.com/image-pull-secret-namespacea name of container image pull secret namespace.piggysec.com/image-skip-verify-registryskip verify registry when trying to read the image. Default totrue