Sidecar sidecar
The Sidecar resource allows you to run associated processes for Containers.
Sidecar does not have its own network, a Sidecar resource shares the network
with the target container. For example, localhost in the sidecar is localhost
in the container.
Sidecar resources are not routable in the same way as container resources are. You can not map an ingress to a sidecar and a sidecar can not expose ports. Traffic which is destined for a process running in a sidecar must be sent to the target container.
Properties
- Name
target- Type
- (string: "")
- Required
- required
- Readonly
- Description
The id of a container to attach the sidecar to.
resource.container.mine.meta.id
- Name
image- Type
- (image: {})
- Required
- required
- Readonly
- Description
Image defines a Docker image to use when creating the container.
- Name
entrypoint- Type
- ([]string: [])
- Required
- Readonly
- Description
Entrypoint for the container, if not set, Jumppad starts the container using the entrypoint defined in the Docker image.
- Name
command- Type
- ([]string: [])
- Required
- Readonly
- Description
Command allows you to specify a command to execute when starting a container. Command is specified as an array of strings, each part of the command is a separate string.
For example, to start a container and follow logs at /dev/null the following command could be used.
command = [ "tail", "-f", "/dev/null" ]
- Name
environment- Type
- (map[string]string: map[]{})
- Required
- Readonly
- Description
Allows you to set environment variables in the container.
env { PATH = "/user/local/bin" }
- Name
volume- Type
- (volume: {})
- Required
- Readonly
- Description
A volume allows you to specify a local volume which is mounted to the container when it is created. This stanza can be specified multiple times.
volume { source = "./" destination = "/files" }
- Name
port- Type
- (port: {})
- Required
- Readonly
- Description
A port stanza allows you to expose container ports on the local network or host. This stanza can be specified multiple times.
port { local = 80 host = 8080 }
- Name
port_range- Type
- (port_range: {})
- Required
- Readonly
- Description
A port_range stanza allows you to expose a range of container ports on the local network or host. This stanza can be specified multiple times.
The following example would create 11 ports from 80 to 90 (inclusive) and expose them to the host machine.
port { range = "80-90" enable_host = true }
- Name
privileged- Type
- (bool: false)
- Required
- Readonly
- Description
Should the container run in Docker privileged mode?
- Name
max_restart_count- Type
- (int: 0)
- Required
- Readonly
- Description
The maximum number of times a container will be restarted when it exits with a status code other than 0
- Name
resources- Type
- (resources: {})
- Required
- Readonly
- Description
Define resource constraints for the container
- Name
health_check- Type
- (health_check: {})
- Required
- Readonly
- Description
Define a health check for the container, the resource will only be marked as successfully created when the health check passes.
health_check { timeout = "30s" http { address = "http://localhost:8500/v1/status/leader" success_codes = [200] } tcp { address = "http://localhost:8500/v1/status/leader" } exec { script = <<-EOF #!/bin/bash curl "http://localhost:9090" EOF } }
- Name
run_as- Type
- (run_as: {})
- Required
- Readonly
- Description
Allows the container to be run as a specific user or group.
run_as { user = "1000" group = "nicj" }
- Name
build- Type
- (build: {})
- Required
- Readonly
- Description
Build a container from the given file and context before running the container.
build { file = "./Dockerfile" context = "./src" }Images are cached in the local Docker engine using the following convention.
jumppad.dev/localcache/<resource_name>:latestOnce cached images are not rebuild with every
runto force the update of an image you can use the--force-updateflag withrun.jumppad up --force-update ./build
- Name
container_name- Type
- (string: "")
- Required
- Readonly
- readonly
- Description
Fully qualified resource name for the container, this value can be used to access the container from within the Docker network.
container_nameis also the name of the created Docker container.name.container.local.jmpd.in
image
Image defines a Docker image used when creating this container. An Image can be stored in a public or a private repository.
- Name
name- Type
- (string: "")
- Required
- required
- Readonly
- Description
Name of the image to use when creating the container, can either be the full canonical name or short name for Docker official images. e.g.
consul:v1.6.1ordocker.io/consul:v1.6.1.
- Name
username- Type
- (string: "")
- Required
- Readonly
- Description
Username to use when connecting to a private image repository
- Name
password- Type
- (string: "")
- Required
- Readonly
- Description
Password to use when connecting to a private image repository, for both username and password interpolated environment variables can be used in place of static values.
image { name = "myregistry.io/myimage:latest" username = env("REGISTRY_USERNAME") password = env("REGISTRY_PASSWORD") }
volume
A volume type allows the specification of an attached volume.
- Name
source- Type
- (string: "")
- Required
- required
- Readonly
- Description
The source volume to mount in the container, can be specified as a relative
./or absolute path/usr/local/bin. Relative paths are relative to the file declaring the container.
- Name
destination- Type
- (string: "")
- Required
- required
- Readonly
- Description
The destination in the container to mount the volume to, must be an absolute path.
- Name
type- Type
- (string: bind)
- Required
- Readonly
- Description
The type of the mount, can be one of the following values:
- bind: bind the source path to the destination path in the container
- volume: source is a Docker volume
- tmpfs: create a temporary filesystem
- Name
bind_propagation- Type
- (string: rprivate)
- Required
- Readonly
- Description
Configures bind propagation for Docker volume mounts, only applies to bind mounts, can be one of the following values:
- shared
- slave
- private
- rslave
- rprivate
For more information please see the Docker documentation https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation
- Name
bind_propagation_non_recursive- Type
- (boolean: false)
- Required
- Readonly
- Description
Configures recursiveness of the bind mount. By default Docker mounts with the equivalent of
mount --rbindmeaning that mounts below the the source directory are visible in the container. For instance runningdocker run --rm --mount type=bind,src=/,target=/host,readonly busyboxwill make/runof the host available as/host/runin the container -- and to make matters even worse it will be writable (since only the toplevel bind is set readonly, not the children). Ifbind_propagation_non_recursiveis set totruethen the container will only see an empty/host/run, meaning thetmpfswhich is typically mounted to/runon the host is not propagated into the container.
- Name
selinux_relabel- Type
- (string: "")
- Required
- Readonly
- Description
Configures Selinux relabeling for the container (usually specified as :z or :Z) and can be one of the following values:
- shared (Equivalent to :z)
- private (Equivalent to :Z)
health_check
A health_check stanza allows the definition of a health check which must pass before
the container is marked as successfully created. There are three different types
of healthcheck http, tcp, and exec, these are not mutually exclusive, it is
possible to define more than one health check.
Health checks are executed sequentially, if one health check fails, the following
checks are not executed. The execution order is http, tcp, `exec.
health_check {
timeout = "30s"
http {
address = "http://localhost:8500/v1/status/leader"
success_codes = [200]
}
http {
address = "http://localhost:8500/v1"
success_codes = [200]
}
tcp {
address = "localhost:8500"
}
exec {
script = <<-EOF
#!/bin/bash
curl "http://localhost:9090"
EOF
}
}
- Name
timeout- Type
- (duration: )
- Required
- required
- Readonly
- Description
The maximum duration to wait before marking the health check as failed. Expressed as a Go duration, e.g.
1s= 1 second,100ms= 100 milliseconds.
- Name
http- Type
- (http_health_check: {})
- Required
- Readonly
- Description
HTTP Health Check block defining the address to check and expected status codes.
Can be specified more than once.
- Name
tcp- Type
- (tpc_health_check: {})
- Required
- Readonly
- Description
TCP Health Check block defining the address to test.
Can be specified more than once.
- Name
exec- Type
- (exec_health_check: {})
- Required
- Readonly
- Description
Exec Health Check block defining either a command to run in the current container, or a script to execute.
Can be specified more than once.
http_health_check
A HTTP health check executes a HTTP GET request for the given address and evaluates
the response against the expected success_codes. If the reponse matches any of
the given codes the check passes.
http {
address = "http://localhost:8500/v1/status/leader"
method = "GET"
body = <<-EOF
{"test": "123"}
EOF
headers = {
"X-Auth-Token": ["abc123"]
}
success_codes = [200]
}
- Name
address- Type
- (string: "")
- Required
- required
- Readonly
- Description
The URL to check, health check expects a HTTP status code to be returned by the URL in order to pass the health check.
- Name
method- Type
- (string: GET)
- Required
- Readonly
- Description
HTTP method to use when executing the check
- Name
body- Type
- (string: "")
- Required
- Readonly
- Description
HTTP body to send with the request
- Name
body- Type
- (string: "")
- Required
- Readonly
- Description
HTTP body to send with the request
- Name
headers- Type
- (map[string][string]: map[]{})
- Required
- Readonly
- Description
HTTP headers to send with the check
- Name
success_codes- Type
- ([]number: 200)
- Required
- Readonly
- Description
HTTP status codes returned from the endpoint when called. If the returned status code matches any in the array then the health check will pass.
tcp_health_check
A TCP health check attempts to open a connection to the given address. If a connection can be opened then the check passes.
tcp {
address = "localhost:8500"
}
- Name
address- Type
- (string: "")
- Required
- required
- Readonly
- Description
The adress to check.
exec_health_check
Exec health checks allow you to execute a command or script in the current container.
If the command or script receives an exit code 0 the check passes.
- Name
command- Type
- ([]string: [])
- Required
- Readonly
- Description
A command to execute.
exec { command = ["pg_isready"] }
- Name
script- Type
- (string: "")
- Required
- Readonly
- Description
A script to execute in the target container, the script is coppied to the container into the
/tmpdirectory and is then executed.exec { script = <<-EOF #!/bin/bash FILE=/etc/resolv.conf if [ -f "$FILE" ]; then echo "$FILE exists." fi EOF }
resources
A resources type allows you to configure the maximum resources which can be consumed.
- Name
cpu- Type
- (int: )
- Required
- Readonly
- Description
Set the maximum CPU which can be consumed by the container in MHz, 1 CPU == 1000MHz.
- Name
cpu_pin- Type
- ([]int: [])
- Required
- Readonly
- Description
Pin the container CPU consumption to one or more logical CPUs. For example to pin the container to the core 1 and 4.
resources { cpi_pin = [1,4] }
- Name
memory- Type
- (string: "")
- Required
- Readonly
- Description
Maximum memory which a container can consume, specified in Megabytes.
- Name
gpu- Type
- (gpu: {})
- Required
- Readonly
- Description
GPU settings to pass through to container
gpu
GPU support allows you to pass through GPU devices to the container, this is useful for running GPU accelerated workloads.
For more information on GPU support in Docker see the official documentation.
- Name
driver- Type
- (string: "")
- Required
- Readonly
- Description
The GPU driver to use, i.e "nvidia", note: This has not been tested this with AMD or other GPUs.
- Name
device_ids- Type
- ([]string: [])
- Required
- Readonly
- Description
The GPUs to pass to the container, i.e "0", "1", "2".
resources {
gpu {
driver = "nvidia"
device_ids = ["0", "1"]
}
}
run_as
User and Group configuration to be used when running a container, by default Docker runs commands in the container as root id 0.
- Name
user- Type
- (string: "")
- Required
- Readonly
- Description
Linux user ID or user name to run the container as, this overrides the default user configured in the container image.
- Name
group- Type
- (string: "")
- Required
- Readonly
- Description
Linux group ID or group name to run the container as, this overrides the default group configured in the container image.
- Name
cluster- Type
- (string: "")
- Required
- required
- Readonly
- readonly
- Description
Text
code
- Name
cluster- Type
- (string: "")
- Required
- required
- Readonly
- readonly
- Description
Text
Meta Properties
In addition to the main properties, all resources have meta properties, such
as the id of the resource. To see the list of these properties please see the
Meta Properties section in the documentation /docs/resources/meta.
Examples
Container with Sidecar
resource "container" "consul" {
image {
name = "consul:${variable.consul_version}"
}
command = ["consul", "agent", "-config-file", "/config/config.hcl"]
volume {
source = "./"
destination = "/files"
}
volume {
source = resource.template.consul_config.destination
destination = "/config/config.hcl"
}
network {
id = resource.network.onprem.meta.id
ip_address = "10.6.0.200" // optional
aliases = ["myalias"]
}
environment = {
something = variable.something
foo = env("BAH")
file = file("./conf.txt")
abc = "123"
SHIPYARD_FOLDER = shipyard()
HOME_FOLDER = home()
}
port_range {
range = "8500-8502"
enable_host = true
}
}
resource "sidecar" "envoy" {
target = resource.container.consul.meta.id
image {
name = "envoyproxy/envoy:v${variable.envoy_version}"
}
command = ["tail", "-f", "/dev/null"]
volume {
source = data("config")
destination = "/config"
}
}