operator leaksignal-operator (1.9.1) #5439

wants to merge 1 commit into
base: main
@@ -0,0 +1,94 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: cluster-leaksignal-istios.leaksignal.com
spec:
group: leaksignal.com
names:
kind: ClusterLeaksignalIstio
singular: cluster-leaksignal-istio
plural: cluster-leaksignal-istios
shortNames:
- cluster-leaksignal-istio
scope: Cluster
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
properties:
spec:
type: object
properties:
proxyVersion:
type: string
description: Version string for LeakSignal Proxy deployment.
proxyHash:
type: string
description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
apiKey:
type: string
description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
upstreamLocation:
type: string
description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
proxyPrefix:
type: string
description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
tls:
type: boolean
description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
upstreamPort:
type: integer
description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
caBundle:
type: string
description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
refreshPodsOnUpdate:
type: boolean
description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
Default is `true`."
refreshPodsOnStale:
type: boolean
description: "Detects pods that should have leaksignal deployed, but dont, and restarts them."
grpcMode:
type: string
enum: ["default", "envoy"]
description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
enableStreaming:
type: boolean
description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
native:
type: boolean
description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
and the native LeakSignal Proxy module is installed."
failOpen:
type: boolean
description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
nativeRepo:
type: string
description: Default is `leaksignal/istio-proxy`. If no tag is specified, it is inferred from the existing proxy image on each given pod.
proxyPullLocation:
type: string
description: Format `https?://domain(:port)?/`. Defaults to `https://leakproxy.s3.us-west-2.amazonaws.com/`.
nativeProxyMemoryLimit:
type: string
description: Alternative memory limit for Istio sidecars running native modules. Useful to mitigate a surge of memory usage when loading the proxy.
workloadSelector:
type: object
description: Pod selector for workloads.
properties:
labels:
type: object
description: Labels to match any pod before deploying LeakSignal.
additionalProperties:
type: string
enableClientInterception:
type: boolean
description: If true (default), then certificates are installed in pods for outbound TLS interception.
required: ["proxyVersion", "proxyHash", "apiKey"]
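Review bot: `proxyHash` is declared as a bare `type: string` with no `pattern` or length constraint, although its description makes it the integrity check for a binary the operator downloads from a user-supplied `proxyPullLocation`, possibly with `tls: false`; if it is a hex SHA-256 digest as the values in the CSV's alm-examples suggest, add `pattern: "^[0-9a-f]{64}$"` so an empty or truncated hash is rejected at admission instead of at download time, and give `upstreamPort` `minimum: 1` and `maximum: 65535` for the same reason. `apiKey` is a plain string in the spec of a cluster-scoped resource, so the credential is readable by anyone who can read the CR; the same applies to `apiKey` in the LeaksignalNetworkTap CRD below, and since the CSV already grants the operator access to `secrets`, a Secret-backed alternative (or at least a description noting the exposure) would be worth considering. Two description typos in this schema: "overriden" → "overridden" and "dont" → "don't".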
@@ -0,0 +1,66 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: leaksignal-network-taps.leaksignal.com
spec:
group: leaksignal.com
names:
kind: LeaksignalNetworkTap
singular: leaksignal-network-tap
plural: leaksignal-network-taps
shortNames:
- leaktap
scope: Cluster
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: Deploy LeakSignal LeakTap in all namespaces.
properties:
spec:
type: object
properties:
repo:
type: string
description: Image used for LeakTap. Default is `leaksignal/leaktap:latest`.
apiKey:
type: string
description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
upstreamLocation:
type: string
description: URL of upstream location to send metrics to. Default is `https://ingestion.app.leaksignal.com`.
podSelector:
type: object
description: Label filter for pods.
properties:
labels:
type: object
description: Labels to match any pod before deploying LeakSignal.
additionalProperties:
type: string
namespaceSelector:
type: object
description: Label filter for namespaces.
properties:
labels:
type: object
description: Labels to match any namespace before deploying LeakSignal.
additionalProperties:
type: string
nodeSelector:
type: object
description: Label filter for nodes.
properties:
labels:
type: object
description: Labels to match any node before deploying LeakSignal.
additionalProperties:
type: string
enableClientInterception:
type: boolean
description: If true (default), then certificates are installed in pods for outbound TLS interception.
required: ["apiKey"]
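Review bot: The `repo` description gives `leaksignal/leaktap:latest` as the default image, a mutable tag, while the operator's own image in the CSV is pinned by digest; a floating default means the tap image rolled out to every matching pod can change with no change to the CR, so either document a version-pinned default or constrain `repo` with a `pattern` that requires an explicit tag or digest. `enableClientInterception` defaults to true and, per its description, installs certificates into pods for outbound TLS interception, which alters those pods' trust stores; the description should say which certificate is installed and make clear that the default is opt-out rather than opt-in. The three selector objects (`podSelector`, `namespaceSelector`, `nodeSelector`) only accept `labels`; if the operator also honours match expressions that should be reflected here, otherwise a short note that only equality matching is supported would help users.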
@@ -0,0 +1,227 @@
---
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
name: leaksignal-operator.v1.9.1
annotations:
capabilities: Full Lifecycle
categories: Security
containerImage: docker.io/leaksignal/leaksignal-operator@sha256:762277b090810d1412e81ae4e9539896c98be28c88fc5f284361243eb8b84208
createdAt: '2024-01-31T00:00:00Z'
support: LeakSignal Inc. https://leaksignal.com
description: Secure your data in seconds with the LeakSignal Operator.
repository: https://github.com/leaksignal/leaksignal-operator
certified: 'false'
alm-examples: |
[
{
"apiVersion": "leaksignal.com/v1",
"kind": "LeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
},
{
"apiVersion": "leaksignal.com/v1",
"kind": "ClusterLeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
}
]
spec:
description: Secure your data in seconds with the LeakSignal Operator.
displayName: LeakSignal Operator
minKubeVersion: 1.23.0
keywords:
- leaksignal
- istio
- wasm
maintainers:
- email: [email protected]
name: Max Bruce
maturity: stable
provider:
name: LeakSignal
url: leaksignal.com
links:
- name: Documentation
url: https://www.leaksignal.com/docs/Operator/Getting%20Started
version: 1.9.1
relatedImages:
- name: operator
image: docker.io/leaksignal/leaksignal-operator@sha256:762277b090810d1412e81ae4e9539896c98be28c88fc5f284361243eb8b84208
icon:
- base64data: |-
iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADVklEQVRIiaVW34tVZRRda+1v7ji31PGUM1D+IBR9EJVBmTSTIC18ytfwwfwBik8K0kODov+AT6kQUYGiRfQ0Q
Y/lQ5BGEFFIoiApwUgMwmDjjHrv9uGcc+85595z7lU39+Ge73x8a+211/72YRRFs7OzklAeb4oE/3CfhqPpAOoAyPjtQ/fXTd8tGFzVbE7DARB8Sbzw6MnEkwZqtVrF0XFcIxz4B/gS2FGyZz0wD3j+NwagXq/3OJ
78S3LAQQed/El62wwsbtwa5KSDKQB/AXsDDJF3yQI1J08EtVRKqWDClAVwABjqAbDOYl5oJ5FinA1WxBD/lLVOf0TY8sHazOPHlQrRpP+l5YR57tW4+4DpR8+sOu6Ie8gZ4Zx0EMC/ryy+DEAdiuZBQK6VPlM2myS
PHZZzoAF7ZStEEADhSyMHfjatqHRqC2m3NK8WhhyYNo1ad34k4a8uiXfPmTZYHxjA+2bOtCRkI+gtswqAKAaYod5gF4Bl0kiHgGeCedAN8WPZsvLUMxmQH3alT34Twn3xqClr/EjcOxAWJEKXRhtgymQZmhulTTEv
8nbcZcLnnabsFSQFEMCvQMPby+fF34BdJIhLBKQH4LRXHFUecQZnjS12S0z3RAfuBYvtu0Z6rdrH5RmEOAOQQMLQgRECxFUka1PATPP5+CNx0aRl9CVOmR2RasSwNCm5dNq08BkLgLyLtDInQvL/vSCP24rc2U8nd
gAoVvmafDDHLxFk1AHqhvQRccWfS6WL0fC2NuNijJAbTSqKwz79ShIYGno2RuSE6YegxX0oRhK1nhMtG9KhZDzwprSl21wrAvQemSBESJtM3xaGonTCqto77oPSiMjDQe4eOcfoO5uOhrcpE/BmgLWfOk5wVA79bW
Ye5MpO4yx9fhLUskfZQKgC+KDLNGZreOy3jqEPFFbiy640VoNp2szkwO9Nm4GvGk3kOoPHTJPGlwu3VmkG5NcDwY1OuuTiLdMXZttLqvpOmu51aTx1cA8XjZv2B9sXtNs0ZqqrmyYAgHfN5pJBzbg8J0Pq4D5sWhn
kAUvvq1aRiCsDaaIvAjAqXlCHEYjfxTqJvhutC+tF0nHTf8p/I4FO/G0a7rMGnWHAduBTcooqfq0CDlwFo0ydSD4F3dgfyiYvCZYAAAAASUVORK5CYII=
mediatype: image/png
customresourcedefinitions:
owned:
- name: leaksignal-istios.leaksignal.com
version: v1
kind: LeaksignalIstio
description: Deploy LeakSignal Proxy in a specific namespace.
displayName: LeaksignalIstio
- name: cluster-leaksignal-istios.leaksignal.com
version: v1
kind: ClusterLeaksignalIstio
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
displayName: ClusterLeaksignalIstio
install:
strategy: deployment
spec:
permissions:
- serviceAccountName: leaksignal-operator
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- watch
- list
- create
- update
- patch
- delete

clusterPermissions:
- rules:
- apiGroups: [""]
resources:
- pods
verbs:
- list
- get
- delete
- patch
- update
- apiGroups: [""]
resources:
- namespaces
- services
verbs:
- list
- get
- apiGroups: ["apps"]
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
verbs:
- list
- get
- patch
- update
- create
- replace
- delete
- apiGroups:
- leaksignal.com
resources:
- cluster-leaksignal-istios
- leaksignal-istios
- leaksignal-network-taps
verbs:
- get
- watch
- list
- patch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
verbs:
- get
- watch
- list
- create
- update
- patch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- get
- watch
- list
- create
- update
- patch
- delete
resourceNames:
- z-leaksignal-operator
- apiGroups: ["argoproj.io"]
resources:
- rollouts
verbs:
- list
- get
- patch
- update
serviceAccountName: leaksignal-operator
deployments:
- name: leaksignal-operator
spec:
replicas: 1
selector:
matchLabels:
app: leaksignal-operator
template:
metadata:
labels:
app: leaksignal-operator
ls-native: excluded
spec:
priorityClassName: leaksignal-operator
containers:
- name: leaksignal-operator
image: docker.io/leaksignal/leaksignal-operator@sha256:8f7982a4c7a513a888ebd0e9ac1830e94c83ef17c2edbe98f8434fe9be059878
volumeMounts:
- name: proxy-store
mountPath: /proxy
ports:
- containerPort: 8443
name: webhook-tls
- containerPort: 2049
name: nfs-proxy
resources:
requests:
memory: 256Mi
cpu: 500m
limits:
memory: 1Gi
cpu: 1.0
serviceAccountName: leaksignal-operator
volumes:
- name: proxy-store
emptyDir: {}
installModes:
- supported: false
type: OwnNamespace
- supported: false
type: SingleNamespace
- supported: false
type: MultiNamespace
- supported: true
type: AllNamespaces
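Review bot: In the `admissionregistration.k8s.io` cluster rule, `create` is listed together with `resourceNames: [z-leaksignal-operator]`, but Kubernetes RBAC cannot restrict `create` by resource name (the object's name is not known at authorization time), so that verb is effectively not granted and the operator will be denied when it first creates its MutatingWebhookConfiguration; move `create` into its own rule without `resourceNames` and keep the name-scoped rule for the remaining verbs (note also that `list`/`watch` under `resourceNames` are only authorized for requests carrying a matching `metadata.name` field selector, worth confirming against the controller's informer). The digest in `containerImage` and `relatedImages` (`sha256:762277b0…`) differs from the one on the deployment container (`sha256:8f7982a4…`), so mirroring and digest-pinning tooling that reads `relatedImages` will pull an image other than the one that actually runs; both should reference the same digest for this release. The bundle adds the `leaksignal-network-taps.leaksignal.com` CRD and grants RBAC on it, but `customresourcedefinitions.owned` lists only `leaksignal-istios` and `cluster-leaksignal-istios`; OLM bundle validation expects every CRD shipped in the bundle to be declared as owned.
```yaml
# … unchanged: earlier clusterPermissions rules …
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - delete
  resourceNames:
  - z-leaksignal-operator
# … unchanged: argoproj.io rule, serviceAccountName, deployments, installModes …
```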