From 052ab184b172943a0e8c35b056b80f9a9419f3ee Mon Sep 17 00:00:00 2001
From: Protryon
Date: Tue, 17 Dec 2024 11:51:36 -0800
Subject: [PATCH] operator leaksignal-operator (1.9.1)
Signed-off-by: Protryon
---
.../manifests/leaksignal-cluster.crd.yaml | 94 ++++++++
.../manifests/leaksignal-network-tap.crd.yaml | 66 +++++
.../leaksignal.clusterserviceversion.yaml | 227 ++++++++++++++++++
.../1.9.1/manifests/leaksignal.crd.yaml | 97 ++++++++
.../1.9.1/manifests/priority-class.yaml | 9 +
.../1.9.1/manifests/service.yaml | 16 ++
.../1.9.1/metadata/annotations.yaml | 9 +
7 files changed, 518 insertions(+)
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/leaksignal-cluster.crd.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/leaksignal-network-tap.crd.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/leaksignal.clusterserviceversion.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/leaksignal.crd.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/priority-class.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/manifests/service.yaml
create mode 100644 operators/leaksignal-operator/1.9.1/metadata/annotations.yaml
diff --git a/operators/leaksignal-operator/1.9.1/manifests/leaksignal-cluster.crd.yaml b/operators/leaksignal-operator/1.9.1/manifests/leaksignal-cluster.crd.yaml
new file mode 100644
index 00000000000..da5b15d44f3
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/manifests/leaksignal-cluster.crd.yaml
@@ -0,0 +1,94 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: cluster-leaksignal-istios.leaksignal.com
+spec:
+ group: leaksignal.com
+ names:
+ kind: ClusterLeaksignalIstio
+ singular: cluster-leaksignal-istio
+ plural: cluster-leaksignal-istios
+ shortNames:
+ - cluster-leaksignal-istio
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
+ properties:
+ spec:
+ type: object
+ properties:
+ proxyVersion:
+ type: string
+ description: Version string for LeakSignal Proxy deployment.
+ proxyHash:
+ type: string
+ description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
+ apiKey:
+ type: string
+ description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
+ upstreamLocation:
+ type: string
+ description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
+ proxyPrefix:
+ type: string
+ description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
+ tls:
+ type: boolean
+ description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
+ upstreamPort:
+ type: integer
+ description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
+ caBundle:
+ type: string
+ description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
+ OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
+ refreshPodsOnUpdate:
+ type: boolean
+ description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
+ Default is `true`."
+ refreshPodsOnStale:
+ type: boolean
+ description: "Detects pods that should have leaksignal deployed, but dont, and restarts them."
+ grpcMode:
+ type: string
+ enum: ["default", "envoy"]
+ description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
+ enableStreaming:
+ type: boolean
+ description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
+ native:
+ type: boolean
+ description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
+ and the native LeakSignal Proxy module is installed."
+ failOpen:
+ type: boolean
+ description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
+ nativeRepo:
+ type: string
+ description: Default is `leaksignal/istio-proxy`. If no tag is specified, it is inferred from the existing proxy image on each given pod.
+ proxyPullLocation:
+ type: string
+ description: Format `https?://domain(:port)?/`. Defaults to `https://leakproxy.s3.us-west-2.amazonaws.com/`.
+ nativeProxyMemoryLimit:
+ type: string
+ description: Alternative memory limit for Istio sidecars running native modules. Useful to mitigate a surge of memory usage when loading the proxy.
+ workloadSelector:
+ type: object
+ description: Pod selector for workloads.
+ properties:
+ labels:
+ type: object
+ description: Labels to match any pod before deploying LeakSignal.
+ additionalProperties:
+ type: string
+ enableClientInterception:
+ type: boolean
+ description: If true (default), then certificates are installed in pods for outbound TLS interception.
+ required: ["proxyVersion", "proxyHash", "apiKey"]
diff --git a/operators/leaksignal-operator/1.9.1/manifests/leaksignal-network-tap.crd.yaml b/operators/leaksignal-operator/1.9.1/manifests/leaksignal-network-tap.crd.yaml
new file mode 100644
index 00000000000..6c86b2aded5
--- /dev/null
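Review bot: `apiKey` is a plain `string` in the spec of a cluster-scoped object, so the LeakSignal Command credential lands in etcd in the clear and is readable by anyone with `get` on ClusterLeaksignalIstio or by any tooling that dumps CRs; the CRD should accept a Secret reference as an alternative, e.g. `apiKeySecretRef: {type: object, properties: {name: {type: string}, key: {type: string}}}`, with the `apiKey` description noting the inline value is for testing only. The schema also validates nothing beyond types: `upstreamPort` should carry `minimum: 1` and `maximum: 65535`, and the three `required` strings `minLength: 1`, so an empty `proxyHash` is rejected at admission rather than when the bundle is fetched. Because `tls: false` together with a `proxyPullLocation` of the documented `https?://` form allows the proxy bundle to be pulled over plaintext, the `proxyHash` description should state whether the operator verifies the download against it before loading — this CRD cannot show that, and without such a check the hash is only a cache key. Lastly, `enableClientInterception` defaults to installing certificates into pods for outbound TLS interception; a default-on interception root deserves a description that names the CA being installed and where in the pod it is placed.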
+++ b/operators/leaksignal-operator/1.9.1/manifests/leaksignal-network-tap.crd.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: leaksignal-network-taps.leaksignal.com
+spec:
+ group: leaksignal.com
+ names:
+ kind: LeaksignalNetworkTap
+ singular: leaksignal-network-tap
+ plural: leaksignal-network-taps
+ shortNames:
+ - leaktap
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ description: Deploy LeakSignal LeakTap in all namespaces.
+ properties:
+ spec:
+ type: object
+ properties:
+ repo:
+ type: string
+ description: Image used for LeakTap. Default is `leaksignal/leaktap:latest`.
+ apiKey:
+ type: string
+ description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
+ upstreamLocation:
+ type: string
+ description: URL of upstream location to send metrics to. Default is `https://ingestion.app.leaksignal.com`.
+ podSelector:
+ type: object
+ description: Label filter for pods.
+ properties:
+ labels:
+ type: object
+ description: Labels to match any pod before deploying LeakSignal.
+ additionalProperties:
+ type: string
+ namespaceSelector:
+ type: object
+ description: Label filter for namespaces.
+ properties:
+ labels:
+ type: object
+ description: Labels to match any namespace before deploying LeakSignal.
+ additionalProperties:
+ type: string
+ nodeSelector:
+ type: object
+ description: Label filter for nodes.
+ properties:
+ labels:
+ type: object
+ description: Labels to match any node before deploying LeakSignal.
+ additionalProperties:
+ type: string
+ enableClientInterception:
+ type: boolean
+ description: If true (default), then certificates are installed in pods for outbound TLS interception.
+ required: ["apiKey"]
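Review bot: The default for `repo` is the mutable tag `leaksignal/leaktap:latest`, so what gets rolled out to every selected namespace changes silently whenever the tag is moved and cannot be reproduced or mirrored for disconnected installs; the default should be a digest-pinned reference and the description should say so, e.g. `description: Image used for LeakTap. Pin to a digest (`repo@sha256:...`) in production; default is `leaksignal/leaktap:latest`.` This matters more than usual because the resource is cluster-scoped and `enableClientInterception` defaults to installing certificates into pods, so an unpinned image is a high-impact supply-chain surface. `apiKey` is again a plain string stored in the CR rather than a Secret reference, and `upstreamLocation` is documented here as a full URL with scheme while the Istio CRDs in this bundle document the same field name as a bare hostname, which will trip users copying values between them; the two should either share a format or use different field names.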
diff --git a/operators/leaksignal-operator/1.9.1/manifests/leaksignal.clusterserviceversion.yaml b/operators/leaksignal-operator/1.9.1/manifests/leaksignal.clusterserviceversion.yaml
new file mode 100644
index 00000000000..22e1d0a3200
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/manifests/leaksignal.clusterserviceversion.yaml
@@ -0,0 +1,227 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+ name: leaksignal-operator.v1.9.1
+ annotations:
+ capabilities: Full Lifecycle
+ categories: Security
+ containerImage: docker.io/leaksignal/leaksignal-operator@sha256:762277b090810d1412e81ae4e9539896c98be28c88fc5f284361243eb8b84208
+ createdAt: '2024-01-31T00:00:00Z'
+ support: LeakSignal Inc. https://leaksignal.com
+ description: Secure your data in seconds with the LeakSignal Operator.
+ repository: https://github.com/leaksignal/leaksignal-operator
+ certified: 'false'
+ alm-examples: |
+ [
+ {
+ "apiVersion": "leaksignal.com/v1",
+ "kind": "LeaksignalIstio",
+ "metadata": {
+ "name": "leaksignal-istio"
+ },
+ "spec": {
+ "proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
+ "proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
+ "apiKey": "example"
+ }
+ },
+ {
+ "apiVersion": "leaksignal.com/v1",
+ "kind": "ClusterLeaksignalIstio",
+ "metadata": {
+ "name": "leaksignal-istio"
+ },
+ "spec": {
+ "proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
+ "proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
+ "apiKey": "example"
+ }
+ }
+ ]
+spec:
+ description: Secure your data in seconds with the LeakSignal Operator.
+ displayName: LeakSignal Operator + minKubeVersion: 1.23.0 + keywords: + - leaksignal + - istio + - wasm + maintainers: + - email: max@leaksignal.com + name: Max Bruce + maturity: stable + provider: + name: LeakSignal + url: leaksignal.com + links: + - name: Documentation + url: https://www.leaksignal.com/docs/Operator/Getting%20Started + version: 1.9.1 + relatedImages: + - name: operator + image: docker.io/leaksignal/leaksignal-operator@sha256:762277b090810d1412e81ae4e9539896c98be28c88fc5f284361243eb8b84208 + icon: + - base64data: |- + iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADVklEQVRIiaVW34tVZRRda+1v7ji31PGUM1D+IBR9EJVBmTSTIC18ytfwwfwBik8K0kODov+AT6kQUYGiRfQ0Q + Y/lQ5BGEFFIoiApwUgMwmDjjHrv9uGcc+85595z7lU39+Ge73x8a+211/72YRRFs7OzklAeb4oE/3CfhqPpAOoAyPjtQ/fXTd8tGFzVbE7DARB8Sbzw6MnEkwZqtVrF0XFcIxz4B/gS2FGyZz0wD3j+NwagXq/3OJ + 78S3LAQQed/El62wwsbtwa5KSDKQB/AXsDDJF3yQI1J08EtVRKqWDClAVwABjqAbDOYl5oJ5FinA1WxBD/lLVOf0TY8sHazOPHlQrRpP+l5YR57tW4+4DpR8+sOu6Ie8gZ4Zx0EMC/ryy+DEAdiuZBQK6VPlM2myS + PHZZzoAF7ZStEEADhSyMHfjatqHRqC2m3NK8WhhyYNo1ad34k4a8uiXfPmTZYHxjA+2bOtCRkI+gtswqAKAaYod5gF4Bl0kiHgGeCedAN8WPZsvLUMxmQH3alT34Twn3xqClr/EjcOxAWJEKXRhtgymQZmhulTTEv + 8nbcZcLnnabsFSQFEMCvQMPby+fF34BdJIhLBKQH4LRXHFUecQZnjS12S0z3RAfuBYvtu0Z6rdrH5RmEOAOQQMLQgRECxFUka1PATPP5+CNx0aRl9CVOmR2RasSwNCm5dNq08BkLgLyLtDInQvL/vSCP24rc2U8nd + gAoVvmafDDHLxFk1AHqhvQRccWfS6WL0fC2NuNijJAbTSqKwz79ShIYGno2RuSE6YegxX0oRhK1nhMtG9KhZDzwprSl21wrAvQemSBESJtM3xaGonTCqto77oPSiMjDQe4eOcfoO5uOhrcpE/BmgLWfOk5wVA79bW + Ye5MpO4yx9fhLUskfZQKgC+KDLNGZreOy3jqEPFFbiy640VoNp2szkwO9Nm4GvGk3kOoPHTJPGlwu3VmkG5NcDwY1OuuTiLdMXZttLqvpOmu51aTx1cA8XjZv2B9sXtNs0ZqqrmyYAgHfN5pJBzbg8J0Pq4D5sWhn + kAUvvq1aRiCsDaaIvAjAqXlCHEYjfxTqJvhutC+tF0nHTf8p/I4FO/G0a7rMGnWHAduBTcooqfq0CDlwFo0ydSD4F3dgfyiYvCZYAAAAASUVORK5CYII= + mediatype: image/png + customresourcedefinitions: + owned: + - name: leaksignal-istios.leaksignal.com + version: v1 + kind: LeaksignalIstio + description: Deploy LeakSignal Proxy in a 
specific namespace.
+ displayName: LeaksignalIstio
+ - name: cluster-leaksignal-istios.leaksignal.com
+ version: v1
+ kind: ClusterLeaksignalIstio
+ description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
+ displayName: ClusterLeaksignalIstio
+ install:
+ strategy: deployment
+ spec:
+ permissions:
+ - serviceAccountName: leaksignal-operator
+ rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+ - create
+ - update
+ - patch
+ - delete
+
+ clusterPermissions:
+ - rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - list
+ - get
+ - delete
+ - patch
+ - update
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - services
+ verbs:
+ - list
+ - get
+ - apiGroups: ["apps"]
+ resources:
+ - deployments
+ - replicasets
+ - statefulsets
+ - daemonsets
+ verbs:
+ - list
+ - get
+ - patch
+ - update
+ - create
+ - replace
+ - delete
+ - apiGroups:
+ - leaksignal.com
+ resources:
+ - cluster-leaksignal-istios
+ - leaksignal-istios
+ - leaksignal-network-taps
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - envoyfilters
+ verbs:
+ - get
+ - watch
+ - list
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - watch
+ - list
+ - create
+ - update
+ - patch
+ - delete
+ resourceNames:
+ - z-leaksignal-operator
+ - apiGroups: ["argoproj.io"]
+ resources:
+ - rollouts
+ verbs:
+ - list
+ - get
+ - patch
+ - update
+ serviceAccountName: leaksignal-operator
+ deployments:
+ - name: leaksignal-operator
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: leaksignal-operator
+ template:
+ metadata:
+ labels:
+ app: leaksignal-operator
+ ls-native: excluded
+ spec:
+ priorityClassName: leaksignal-operator
+ containers:
+ - name: leaksignal-operator
+ image: docker.io/leaksignal/leaksignal-operator@sha256:8f7982a4c7a513a888ebd0e9ac1830e94c83ef17c2edbe98f8434fe9be059878
+ volumeMounts:
+ - name: proxy-store
+ mountPath: /proxy
+ ports:
+ - containerPort: 8443
+ name: webhook-tls
+ - containerPort: 2049
+ name: nfs-proxy
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 500m
+ limits:
+ memory: 1Gi
+ cpu: 1.0
+ serviceAccountName: leaksignal-operator
+ volumes:
+ - name: proxy-store
+ emptyDir: {}
+ installModes:
+ - supported: false
+ type: OwnNamespace
+ - supported: false
+ type: SingleNamespace
+ - supported: false
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
diff --git a/operators/leaksignal-operator/1.9.1/manifests/leaksignal.crd.yaml b/operators/leaksignal-operator/1.9.1/manifests/leaksignal.crd.yaml
new file mode 100644
index 00000000000..9528dff8d30
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/manifests/leaksignal.crd.yaml
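Review bot: The operator's pod template runs `leaksignal-operator@sha256:8f7982a4…be059878`, but the `containerImage` annotation and the `relatedImages` entry in the same CSV both point at `sha256:762277b0…8b84208`. `relatedImages` is what mirroring tooling uses for disconnected installs and what catalog consumers treat as the shipped image, so as written the pod would pull a digest that was never mirrored and the published digest does not describe what actually runs; all three references should carry the same digest, presumably the one in the pod template, e.g. `image: docker.io/leaksignal/leaksignal-operator@sha256:8f7982a4c7a513a888ebd0e9ac1830e94c83ef17c2edbe98f8434fe9be059878` under `relatedImages`. The pod template also sets no `securityContext` for a workload that holds cluster-wide delete/patch on pods and every `apps` workload plus write access to a MutatingWebhookConfiguration; OpenShift's restricted SCC will supply non-root and dropped capabilities, but on plain Kubernetes with an `AllNamespaces` install these should be explicit (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, a seccomp profile). Finally, RBAC cannot restrict `create` by `resourceNames`, so the `create` verb in the `mutatingwebhookconfigurations` rule grants nothing; if the operator creates `z-leaksignal-operator` itself rather than expecting it pre-provisioned, it needs a separate rule granting `create` without `resourceNames`.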
@@ -0,0 +1,97 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: leaksignal-istios.leaksignal.com
+spec:
+ group: leaksignal.com
+ names:
+ kind: LeaksignalIstio
+ singular: leaksignal-istio
+ plural: leaksignal-istios
+ shortNames:
+ - leaksignal-istio
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ description: Deploy LeakSignal Proxy in a specific namespace.
+ properties:
+ spec:
+ type: object
+ properties:
+ proxyVersion:
+ type: string
+ description: Version string for LeakSignal Proxy deployment.
+ proxyHash:
+ type: string
+ description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
+ apiKey:
+ type: string
+ description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
+ upstreamLocation:
+ type: string
+ description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
+ proxyPrefix:
+ type: string
+ description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
+ tls:
+ type: boolean
+ description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
+ upstreamPort:
+ type: integer
+ description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
+ caBundle:
+ type: string
+ description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
+ OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
+ refreshPodsOnUpdate:
+ type: boolean
+ description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
+ Default is `true`."
+ refreshPodsOnStale:
+ type: boolean
+ description: "Detects pods that should have leaksignal deployed, but dont, and restarts them."
+ grpcMode:
+ type: string
+ enum: ["default", "envoy"]
+ description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
+ enableStreaming:
+ type: boolean
+ description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
+ native:
+ type: boolean
+ description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
+ and the native LeakSignal Proxy module is installed."
+ failOpen:
+ type: boolean
+ description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
+ istioName:
+ type: string
+ description: If set, use an alternate name for created EnvoyFilter objects, to allow multiple LeaksignalIstio objects in one namespace.
+ nativeRepo:
+ type: string
+ description: Default is `leaksignal/istio-proxy`. If no tag is specified, it is inferred from the existing proxy image on each given pod.
+ proxyPullLocation:
+ type: string
+ description: Format `https?://domain(:port)?/`. Defaults to being based on `upstreamLocation`, `upstreamPort`, `tls`, and `proxyPrefix`.
+ nativeProxyMemoryLimit:
+ type: string
+ description: Alternative memory limit for Istio sidecars running native modules. Useful to mitigate a surge of memory usage when loading the proxy.
+ workloadSelector:
+ type: object
+ description: Pod selector for workloads.
+ properties:
+ labels:
+ type: object
+ description: Labels to match any pod before deploying LeakSignal.
+ additionalProperties:
+ type: string
+ enableClientInterception:
+ type: boolean
+ description: If true (default), then certificates are installed in pods for outbound TLS interception.
+ required: ["proxyVersion", "proxyHash", "apiKey"]
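Review bot: `proxyPullLocation` is described here as defaulting to a value derived from `upstreamLocation`, `upstreamPort`, `tls` and `proxyPrefix`, while the identical field in the ClusterLeaksignalIstio CRD of this same bundle says it defaults to `https://leakproxy.s3.us-west-2.amazonaws.com/`; both cannot be right, and the difference is security-relevant because one default honours a user's `tls: false`/LeakAgent configuration and the other always fetches the proxy bundle from a public S3 bucket. Whichever description matches the operator's actual behaviour should be used verbatim in both CRDs, e.g. `description: Format `https?://domain(:port)?/`. Defaults to being based on `upstreamLocation`, `upstreamPort`, `tls`, and `proxyPrefix`.` in the cluster CRD if that is what the code does. The namespaced CRD shares the cluster CRD's other gaps: `apiKey` is a plain string persisted in the CR rather than a Secret reference, `upstreamPort` has no `minimum`/`maximum`, and the `required` strings have no `minLength: 1`, so an empty `proxyHash` passes admission.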
diff --git a/operators/leaksignal-operator/1.9.1/manifests/priority-class.yaml b/operators/leaksignal-operator/1.9.1/manifests/priority-class.yaml
new file mode 100644
index 00000000000..12de39d8e52
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/manifests/priority-class.yaml
@@ -0,0 +1,9 @@
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: leaksignal-operator
+ labels:
+ app: leaksignal-operator
+preemptionPolicy: PreemptLowerPriority
+value: 10000
+globalDefault: false
diff --git a/operators/leaksignal-operator/1.9.1/manifests/service.yaml b/operators/leaksignal-operator/1.9.1/manifests/service.yaml
new file mode 100644
index 00000000000..55536f60528
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/manifests/service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: leaksignal-operator
+ labels:
+ app: leaksignal-operator
+spec:
+ type: ClusterIP
+ selector:
+ app: leaksignal-operator
+ ports:
+ - protocol: TCP
+ port: 8443
+ targetPort: 8443
+ name: webhook-tls
diff --git a/operators/leaksignal-operator/1.9.1/metadata/annotations.yaml b/operators/leaksignal-operator/1.9.1/metadata/annotations.yaml
new file mode 100644
index 00000000000..61153cd1969
--- /dev/null
+++ b/operators/leaksignal-operator/1.9.1/metadata/annotations.yaml
@@ -0,0 +1,9 @@
+---
+annotations:
+ # Core bundle annotations.
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: leaksignal-operator
+ operators.operatorframework.io.bundle.channels.v1: stable
+ com.redhat.openshift.versions: v4.6-v4.14
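Review bot: `com.redhat.openshift.versions: v4.6-v4.14` conflicts with the CSV's `minKubeVersion: 1.23.0`: OpenShift 4.6 ships Kubernetes 1.19 and 4.10 is the first release on 1.23, so on 4.6 through 4.9 the catalog will advertise a bundle that OLM then refuses to install. The lower bound should match the CSV, `com.redhat.openshift.versions: v4.10-v4.14`, or `minKubeVersion` should be lowered if the operator genuinely runs on 1.19. The hard upper bound of v4.14 also hides this December 2024 bundle from 4.15 and 4.16 catalogs; if those releases are supported, the open-ended form `v4.10` is the usual way to express it.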