DevMesh
You can enable routing using DevMesh by opting each service into Signadot DevMesh injection. This is the preferred solution for users who do not have a service mesh and for those using Linkerd.
The DevMesh uses destination-side routing, where the routing decision happens at the destination service's pod. A DevMesh sidecar container on the destination service examines incoming requests and routes them to either the sandbox fork or the baseline service based on metadata in the request.
The DevMesh is a system of lightweight, purpose-built Go proxy sidecars that are built into the Signadot Operator and offer request routing functionality. A service is opted in by adding an annotation to each of its pods. If, for example, the pods are created by a Deployment, the annotation can be added to the Deployment's pod template as shown below.
apiVersion: apps/v1
kind: Deployment
metadata:
  ...
spec:
  template:
    metadata:
      annotations:
        sidecar.signadot.com/inject: "true"
In order to add the inject annotation to a particular deployment, you can run
the following kubectl command.
kubectl -n <namespace> patch deployment <deployment-name> -p '{
  "spec": {
    "template": {
      "metadata": {
        "annotations": {
          "sidecar.signadot.com/inject": "true"
        }
      }
    }
  }
}'
If Signadot is already installed in the cluster, the Pods will have a DevMesh sidecar container injected, which will perform routing based on metadata in each request.
Enabling Injection at the Namespace Level
Namespace-level DevMesh injection requires Signadot Operator v1.3.1 or later.
Instead of opting in pod by pod, you can enable DevMesh injection for every
workload in a namespace by setting the sidecar.signadot.com/inject label
to "true" on the Namespace itself.
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  labels:
    sidecar.signadot.com/inject: "true"
Or with kubectl:
kubectl label namespace my-app sidecar.signadot.com/inject=true
When a Pod is created in a labeled namespace, the DevMesh injector behaves as follows:
- If the Pod has the sidecar.signadot.com/inject annotation, the Pod-level value wins. Setting it to "false" lets you opt a specific workload out of injection in an otherwise opted-in namespace.
- If the Pod has no annotation, the namespace label determines whether the sidecar is injected.
Note that the value lives on the Namespace as a label (used by the injector during admission), while the per-Pod opt-in / opt-out lives on the Pod as an annotation.
When running Signadot Operator v0.13.2 or below, the sidecar annotation requires
specifying the protocol of the workload as one of http or gRPC.
sidecar.signadot.com/inject: "http"
sidecar.signadot.com/inject: "grpc"
If you are running v0.13.2 or below of the operator, the above annotations specifying the protocol must be used. See the v0.13.3 release notes for more details.
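The following added example (not Signadot's code) applies the namespace-label and Pod-annotation precedence described above to inventory exported with `kubectl get namespaces -o json` and `kubectl get deployments -A -o json`, so you can audit which workloads will carry the sidecar. The function names and sample data are constructed; it assumes a namespace is opted in only by the label value "true", and it flags annotation values other than "true" or "false" (such as the older "http" and "grpc") for review rather than guessing.

```python
import json

KEY = "sidecar.signadot.com/inject"

def decide(ns_labels, pod_annotations):
    """Return (decision, source): decision is inject/skip/review."""
    if KEY in pod_annotations:  # the Pod-level annotation wins
        value = pod_annotations[KEY]
        if value in ("true", "false"):
            return ("inject" if value == "true" else "skip"), "pod"
        # "http"/"grpc" (Operator v0.13.2 or below) or a typo: the outcome
        # depends on the operator version, so flag it instead of guessing.
        return "review", "pod"
    # Assumption: only the label value "true" opts a namespace in.
    if ns_labels.get(KEY) == "true":
        return "inject", "namespace"
    return "skip", "namespace"

def audit(namespaces_json, deployments_json):
    """Map 'namespace/name' -> (decision, source) from kubectl JSON lists."""
    labels = {ns["metadata"]["name"]: ns["metadata"].get("labels") or {}
              for ns in json.loads(namespaces_json)["items"]}
    report = {}
    for dep in json.loads(deployments_json)["items"]:
        meta = dep["metadata"]
        tmpl = dep["spec"]["template"].get("metadata") or {}
        report[f"{meta['namespace']}/{meta['name']}"] = decide(
            labels.get(meta["namespace"], {}), tmpl.get("annotations") or {})
    return report

def _dep(namespace, name, annotations=None):
    """Build a constructed Deployment object for the sample below."""
    tmpl_meta = {"annotations": annotations} if annotations else {}
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"template": {"metadata": tmpl_meta}}}

# Constructed sample data, shaped like `kubectl get ... -o json` output.
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "my-app", "labels": {KEY: "true"}}},
    {"metadata": {"name": "batch"}}]})
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    _dep("my-app", "frontend"),
    _dep("my-app", "payments", {KEY: "false"}),
    _dep("batch", "worker", {KEY: "true"}),
    _dep("batch", "reports"),
    _dep("batch", "legacy", {KEY: "http"})]})

if __name__ == "__main__":
    for name, result in sorted(audit(SAMPLE_NAMESPACES, SAMPLE_DEPLOYMENTS).items()):
        print(name, *result)
```

Workloads reported as "review" carry an annotation value whose effect depends on the operator version in the cluster.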