Sidecar

The sidecar resource creates a supplementary container that runs alongside a target container. Sidecars are commonly used for logging, monitoring, proxying, or other supporting services that complement the main application container.

Use Cases

As a lab author, you can use sidecars to enhance your lab environment without modifying main application containers:

Add Observability: Attach log collectors (e.g. Fluent Bit), metrics exporters (e.g. Prometheus node-exporter), or APM agents to demonstrate monitoring without changing your app
Simulate Production Patterns: Include service mesh proxies (e.g. Envoy), load balancers, or security scanners to show real-world architectures
Provide Development Tools: Add debugging containers, code hot-reload watchers, or development proxies to create better learning experiences

Sidecars let you create rich, multi-container lab environments that mirror production complexity while keeping your main application containers simple and focused.

HCL Syntax

Basic Syntax

1
resource "sidecar" "proxy" {
2
  target = resource.container.app
3

4
  image {
5
    name = "envoy:latest"
6
  }
7
}

Full Syntax

1
resource "sidecar" "monitoring" {
2
  target = resource.container.app
3

4
  image {
5
    name = "prometheus/node-exporter:latest"
6
    username = "registry_user"
7
    password = "registry_pass"
8
  }
9

10
  # Container configuration
11
  entrypoint = ["/bin/node_exporter"]
12
  command = ["--path.rootfs=/host"]
13
  privileged = false
14
  max_restart_count = 3
15

16
  # Environment variables
17
  environment = {
18
    NODE_ID = "worker-1"
19
    METRICS_PORT = "9100"
20
  }
21

22
  # Labels
23
  labels = {
24
    service = "monitoring"
25
    component = "exporter"
26
  }
27

28
  # Volume mounts
29
  volume {
30
    source = "/proc"
31
    destination = "/host/proc"
32
    type = "bind"
33
    read_only = true
34
  }
35

36
  volume {
37
    source = "/sys"
38
    destination = "/host/sys"
39
    type = "bind"
40
    read_only = true
41
  }
42

43
  # Resource constraints
44
  resources {
45
    cpu = 100      # 0.1 CPU
46
    memory = 128   # 128MB
47

48
    gpu {
49
      driver = "nvidia"
50
      device_ids = ["0"]
51
    }
52
  }
53

54
  # Health check
55
  health_check {
56
    timeout = "30s"
57

58
    http {
59
      address = "http://localhost:9100/metrics"
60
      success_codes = [200]
61
    }
62

63
    tcp {
64
      address = "localhost:9100"
65
    }
66

67
    exec {
68
      script = <<-EOF
69
        #!/bin/bash
70
        curl -f http://localhost:9100/metrics || exit 1
71
      EOF
72
    }
73
  }
74
}

Fields

Field	Required	Type	Description
`target`	✓	reference to `container`	Reference to the target container this sidecar runs alongside
`image`	✓	block	Container image configuration
`entrypoint`		list(string)	Override the container’s entrypoint
`command`		list(string)	Command arguments to pass to the container
`environment`		map(string)	Environment variables to set in the container
`labels`		map(string)	Labels to apply to the container
`privileged`		bool	Whether to run the container in privileged mode
`max_restart_count`		number	Maximum number of times to restart the container on failure
`volume`		block	Volume mounts (repeatable)
`resources`		block	Resource constraints
`health_check`		block	Health check configuration

Image Configuration

sidecar → image

Configures the Docker image to use for the sidecar container.

Field	Required	Type	Description
`name`	✓	string	Image name and tag (e.g., “nginx:latest”, “docker.io/library/redis:6”)
`username`		string	Username for private registry authentication
`password`		string	Password for private registry authentication

Volume Configuration

sidecar → volume

Configures volume mounts for the sidecar container. This block can be repeated to mount multiple volumes.

Field	Required	Type	Description
`source`	✓	string	Source path on the host (relative paths are relative to the HCL file)
`destination`	✓	string	Destination path inside the container (must be absolute)
`type`		string	Volume type: “bind”, “volume”, or “tmpfs”. Defaults to “bind”.
`read_only`		bool	Whether the volume should be read-only
`bind_propagation`		string	Bind propagation mode: “shared”, “private”, “slave”, “rslave”, “rprivate”
`bind_propagation_non_recursive`		bool	Whether to use non-recursive bind mounting
`selinux_relabel`		string	SELinux relabeling mode: “shared” or “private”

Resource Constraints

sidecar → resources

Configures CPU, memory, and GPU resource limits for the sidecar container.

Field	Type	Description
`cpu`	number	CPU limit in MHz (1000 = 1 CPU core)
`cpu_pin`	list(number)	Pin container to specific CPU cores
`memory`	number	Memory limit in megabytes
`gpu`	block	GPU resource allocation

GPU Configuration

sidecar → resources → gpu

Configures GPU resource allocation for the sidecar container.

Field	Required	Type	Description
`driver`	✓	string	GPU driver to use (e.g., “nvidia”)
`device_ids`	✓	list(string)	GPU device IDs to allocate

Health Monitoring

sidecar → health_check

Configures health checks to monitor sidecar status and availability.

Field	Required	Type	Description
`timeout`	✓	string	Maximum time to wait for health check (e.g., ”30s”, “2m”)
`http`		block	HTTP health check (repeatable)
`tcp`		block	TCP health check (repeatable)
`exec`		block	Execute command health check (repeatable)

HTTP Health Check

sidecar → health_check → http

Defines an HTTP-based health check that sends requests to specified endpoints.

Field	Required	Type	Description
`address`	✓	string	URL to check
`method`		string	HTTP method to use. Defaults to “GET”.
`body`		string	Request body to send
`headers`		map(list(string))	HTTP headers to send
`success_codes`		list(number)	HTTP status codes that indicate success. Defaults to [200].

TCP Health Check

sidecar → health_check → tcp

Defines a TCP-based health check that verifies network connectivity.

Field	Required	Type	Description
`address`	✓	string	Address to check (e.g., “localhost:8080”)

Exec Health Check

sidecar → health_check → exec

Defines a command-based health check that executes a script or command to determine sidecar health.

Field	Type	Description
`command`	list(string)	Command to execute
`script`	string	Script to execute
`exit_code`	number	Expected exit code for success. Defaults to 0.

Computed Attributes

The following attributes are set by the system after the sidecar is created:

Field	Type	Description
`meta.id`	string	Full resource ID (e.g., `resource.sidecar.proxy`)
`meta.type`	string	Resource type (`sidecar`)
`meta.name`	string	Resource name
`container_name`	string	Fully qualified domain name for accessing the sidecar

Validation Rules

Target requirement: Must reference a valid container resource
Volume source paths: Made absolute relative to the config file location
Health check timeout: Must be a valid Go duration string (e.g., ”30s”, “2m”)
CPU limits: Specified in MHz where 1000 = 1 CPU core
Memory limits: Specified in megabytes

Examples

Logging Sidecar Example

1
resource "container" "app" {
2
  image {
3
    name = "myapp:latest"
4
  }
5
}
6

7
resource "sidecar" "logs" {
8
  target = resource.container.app
9

10
  image {
11
    name = "fluent/fluent-bit:latest"
12
  }
13

14
  volume {
15
    source = "./fluent-bit.conf"
16
    destination = "/fluent-bit/etc/fluent-bit.conf"
17
    type = "bind"
18
    read_only = true
19
  }
20
}

Proxy Sidecar Example

1
resource "container" "backend" {
2
  image {
3
    name = "backend-service:latest"
4
  }
5
}
6

7
resource "sidecar" "proxy" {
8
  target = resource.container.backend
9

10
  image {
11
    name = "envoyproxy/envoy:v1.28.0"
12
  }
13

14
  command = [
15
    "envoy",
16
    "-c", "/etc/envoy/envoy.yaml",
17
    "--service-cluster", "backend",
18
    "--service-node", "backend-proxy"
19
  ]
20

21
  volume {
22
    source = "./envoy.yaml"
23
    destination = "/etc/envoy/envoy.yaml"
24
    type = "bind"
25
    read_only = true
26
  }
27

28
  health_check {
29
    timeout = "10s"
30

31
    http {
32
      address = "http://localhost:9901/ready"
33
      success_codes = [200]
34
    }
35
  }
36
}

Monitoring Sidecar with Resource Constraints

1
resource "container" "web" {
2
  image {
3
    name = "nginx:alpine"
4
  }
5
}
6

7
resource "sidecar" "metrics" {
8
  target = resource.container.web
9

10
  image {
11
    name = "nginx/nginx-prometheus-exporter:latest"
12
  }
13

14
  command = [
15
    "-nginx.scrape-uri=http://localhost:8080/metrics"
16
  ]
17

18
  resources {
19
    cpu = 50      # 0.05 CPU
20
    memory = 64   # 64MB
21
  }
22

23
  health_check {
24
    timeout = "5s"
25

26
    tcp {
27
      address = "localhost:9113"
28
    }
29
  }
30
}

Best Practices

Resource Limits: Set appropriate CPU and memory limits to prevent sidecars from consuming excessive resources
Health Checks: Configure health checks for critical sidecars to ensure they’re functioning properly
Volume Mounts: Use read-only mounts when the sidecar only needs to read configuration files
Image Tags: Always specify explicit image tags rather than using latest
Target Dependencies: Ensure the target container is properly configured before adding sidecars
Single Responsibility: Keep each sidecar focused on a single function (logging, monitoring, proxying)
Shared Volumes: Use shared volumes to facilitate communication between the main container and sidecar