resource "docker_container" "{{.Node.DockerName}}-{{.Service.ID.TFString}}-sidecar" { name = "{{.Node.DockerName}}-{{.Service.ID.TFString}}-sidecar" network_mode = "container:${docker_container.{{.PodName}}.id}" image = docker_image.{{.ImageResource}}.image_id restart = "on-failure" {{- range $k, $v := .Labels }} labels { label = "{{ $k }}" value = "{{ $v }}" } {{- end }} volumes { volume_name = "{{.TLSVolumeName}}" container_path = "/consul/config/certs" read_only = true } {{ if .Service.EnableTransparentProxy }} capabilities { add = ["NET_ADMIN"] } entrypoint = [ "/bin/tproxy-startup.sh" ] {{ end }} env = [ "DP_CONSUL_ADDRESSES=server.{{.Node.Cluster}}-consulcluster.lan", {{ if .Node.IsV2 }} "DP_PROXY_ID={{.Service.Workload}}", {{ if .Enterprise }} "DP_PROXY_NAMESPACE={{.Service.ID.Namespace}}", "DP_PROXY_PARTITION={{.Service.ID.Partition}}", {{ end }} {{ else }} "DP_SERVICE_NODE_NAME={{.Node.PodName}}", "DP_PROXY_SERVICE_ID={{.Service.ID.Name}}-sidecar-proxy", {{ if .Enterprise }} "DP_SERVICE_NAMESPACE={{.Service.ID.Namespace}}", "DP_SERVICE_PARTITION={{.Service.ID.Partition}}", {{ end }} {{ end }} {{ if .Token }} "DP_CREDENTIAL_TYPE=static", "DP_CREDENTIAL_STATIC_TOKEN={{.Token}}", {{ end }} {{ if .Service.EnableTransparentProxy }} "REDIRECT_TRAFFIC_ARGS=-exclude-inbound-port=19000", {{ end }} // for demo purposes "DP_ENVOY_ADMIN_BIND_ADDRESS=0.0.0.0", "DP_ENVOY_ADMIN_BIND_PORT=19000", "DP_LOG_LEVEL=trace", "DP_CA_CERTS=/consul/config/certs/consul-agent-ca.pem", "DP_CONSUL_GRPC_PORT=8503", "DP_TLS_SERVER_NAME=server.{{.Node.Datacenter}}.consul", ] command = [ "/usr/local/bin/consul-dataplane", ] }