operator [N] [CI] leaksignal-operator (1.3.1)
Protryon authored Feb 1, 2024
1 parent 82757bd commit 6457272
Showing 5 changed files with 336 additions and 0 deletions.
@@ -0,0 +1,79 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: cluster-leaksignal-istios.leaksignal.com
spec:
group: leaksignal.com
names:
kind: ClusterLeaksignalIstio
singular: cluster-leaksignal-istio
plural: cluster-leaksignal-istios
shortNames:
- cluster-leaksignal-istio
scope: Cluster
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
properties:
spec:
type: object
properties:
proxyVersion:
type: string
description: Version string for LeakSignal Proxy deployment.
proxyHash:
type: string
description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
apiKey:
type: string
description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
upstreamLocation:
type: string
description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
proxyPrefix:
type: string
description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
tls:
type: boolean
description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
upstreamPort:
type: integer
description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
caBundle:
type: string
description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
refreshPodsOnUpdate:
type: boolean
description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
Default is `true`."
grpcMode:
type: string
enum: ["default", "envoy"]
description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
enableStreaming:
type: boolean
description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
native:
type: boolean
description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
and the native LeakSignal Proxy module is installed."
failOpen:
type: boolean
description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
workloadSelector:
type: object
description: Pod selector for workloads.
properties:
labels:
type: object
description: Labels to match any pod before deploying LeakSignal.
additionalProperties:
type: string
required: ["proxyVersion", "proxyHash", "apiKey"]
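Review bot: `apiKey` is declared as a plain `type: string` under `spec`, so the LeakSignal credential is stored in the ClusterLeaksignalIstio object itself, where any subject with `get` or `list` on `cluster-leaksignal-istios` can read it and where it ends up in etcd backups and exported manifests. The schema offers no way to reference a Secret instead. At minimum the description should say so, e.g. `description: API Key from the LeakSignal Command dashboard. Stored in plaintext in this resource; restrict read access with RBAC.`; a Secret-reference field alongside `apiKey` would be the longer-term fix. The same schema in operators/leaksignal-operator/1.3.1/manifests/leaksignal.crd.yaml has the same issue, with namespace-level readers as the audience.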
@@ -0,0 +1,164 @@
---
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
name: leaksignal-operator.v1.3.1
annotations:
capabilities: Full Lifecycle
categories: Security
containerImage: docker.io/leaksignal/leaksignal-operator@sha256:3031208c57b9fd8a367e3378b05896feae03e6c358a21259918796e9b0127ec1
createdAt: '2024-01-31T00:00:00Z'
support: LeakSignal Inc. https://leaksignal.com
description: Secure your data in seconds with the LeakSignal Operator.
repository: https://github.com/leaksignal/leaksignal-operator
certified: 'false'
alm-examples: |
[
{
"apiVersion": "leaksignal.com/v1",
"kind": "LeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
},
{
"apiVersion": "leaksignal.com/v1",
"kind": "ClusterLeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
}
]
spec:
description: Secure your data in seconds with the LeakSignal Operator.
displayName: LeakSignal Operator
minKubeVersion: 1.23.0
keywords:
- leaksignal
- istio
- wasm
maintainers:
- email: [email protected]
name: Max Bruce
maturity: stable
provider:
name: LeakSignal
url: leaksignal.com
links:
- name: Documentation
url: https://www.leaksignal.com/docs/Operator/Getting%20Started
version: 1.3.1
relatedImages:
- name: operator
image: docker.io/leaksignal/leaksignal-operator@sha256:3031208c57b9fd8a367e3378b05896feae03e6c358a21259918796e9b0127ec1
icon:
- base64data: |-
iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADVklEQVRIiaVW34tVZRRda+1v7ji31PGUM1D+IBR9EJVBmTSTIC18ytfwwfwBik8K0kODov+AT6kQUYGiRfQ0Q
Y/lQ5BGEFFIoiApwUgMwmDjjHrv9uGcc+85595z7lU39+Ge73x8a+211/72YRRFs7OzklAeb4oE/3CfhqPpAOoAyPjtQ/fXTd8tGFzVbE7DARB8Sbzw6MnEkwZqtVrF0XFcIxz4B/gS2FGyZz0wD3j+NwagXq/3OJ
78S3LAQQed/El62wwsbtwa5KSDKQB/AXsDDJF3yQI1J08EtVRKqWDClAVwABjqAbDOYl5oJ5FinA1WxBD/lLVOf0TY8sHazOPHlQrRpP+l5YR57tW4+4DpR8+sOu6Ie8gZ4Zx0EMC/ryy+DEAdiuZBQK6VPlM2myS
PHZZzoAF7ZStEEADhSyMHfjatqHRqC2m3NK8WhhyYNo1ad34k4a8uiXfPmTZYHxjA+2bOtCRkI+gtswqAKAaYod5gF4Bl0kiHgGeCedAN8WPZsvLUMxmQH3alT34Twn3xqClr/EjcOxAWJEKXRhtgymQZmhulTTEv
8nbcZcLnnabsFSQFEMCvQMPby+fF34BdJIhLBKQH4LRXHFUecQZnjS12S0z3RAfuBYvtu0Z6rdrH5RmEOAOQQMLQgRECxFUka1PATPP5+CNx0aRl9CVOmR2RasSwNCm5dNq08BkLgLyLtDInQvL/vSCP24rc2U8nd
gAoVvmafDDHLxFk1AHqhvQRccWfS6WL0fC2NuNijJAbTSqKwz79ShIYGno2RuSE6YegxX0oRhK1nhMtG9KhZDzwprSl21wrAvQemSBESJtM3xaGonTCqto77oPSiMjDQe4eOcfoO5uOhrcpE/BmgLWfOk5wVA79bW
Ye5MpO4yx9fhLUskfZQKgC+KDLNGZreOy3jqEPFFbiy640VoNp2szkwO9Nm4GvGk3kOoPHTJPGlwu3VmkG5NcDwY1OuuTiLdMXZttLqvpOmu51aTx1cA8XjZv2B9sXtNs0ZqqrmyYAgHfN5pJBzbg8J0Pq4D5sWhn
kAUvvq1aRiCsDaaIvAjAqXlCHEYjfxTqJvhutC+tF0nHTf8p/I4FO/G0a7rMGnWHAduBTcooqfq0CDlwFo0ydSD4F3dgfyiYvCZYAAAAASUVORK5CYII=
mediatype: image/png
customresourcedefinitions:
owned:
- name: leaksignal-istios.leaksignal.com
version: v1
kind: LeaksignalIstio
description: Deploy LeakSignal Proxy in a specific namespace.
displayName: LeaksignalIstio
- name: cluster-leaksignal-istios.leaksignal.com
version: v1
kind: ClusterLeaksignalIstio
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
displayName: ClusterLeaksignalIstio
install:
strategy: deployment
spec:
clusterPermissions:
- rules:
- apiGroups: [""]
resources:
- namespaces
- pods
verbs:
- list
- get
- delete
- apiGroups: ["apps"]
resources:
- deployments
- replicasets
- statefulsets
verbs:
- list
- get
- patch
- update
- apiGroups:
- leaksignal.com
resources:
- cluster-leaksignal-istios
- leaksignal-istios
verbs:
- get
- watch
- list
- patch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
verbs:
- get
- watch
- list
- create
- update
- patch
- delete
serviceAccountName: leaksignal-operator
deployments:
- name: leaksignal-operator
spec:
replicas: 1
selector:
matchLabels:
app: leaksignal-operator
template:
metadata:
labels:
app: leaksignal-operator
spec:
containers:
- name: leaksignal-operator
image: docker.io/leaksignal/leaksignal-operator@sha256:3031208c57b9fd8a367e3378b05896feae03e6c358a21259918796e9b0127ec1
resources:
requests:
memory: 256Mi
cpu: 500m
limits:
memory: 1Gi
cpu: 1.0
serviceAccountName: leaksignal-operator
installModes:
- supported: false
type: OwnNamespace
- supported: false
type: SingleNamespace
- supported: false
type: MultiNamespace
- supported: true
type: AllNamespaces
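Review bot: The first `clusterPermissions` rule lists `namespaces` and `pods` together under `list`, `get`, `delete`, which gives the operator's service account cluster-wide `delete` on namespaces as well as on pods. The CRD descriptions in this commit only mention redeploying pods (`refreshPodsOnUpdate`), so namespace deletion looks unintended, and a leaked operator token would carry that right with it. Splitting the rule so that `namespaces` keeps only `list` and `get` removes it without changing pod handling. The other three rules stay as they are.

```yaml
clusterPermissions:
  - rules:
      - apiGroups: [""]
        resources:
          - namespaces
        verbs:
          - list
          - get
      - apiGroups: [""]
        resources:
          - pods
        verbs:
          - list
          - get
          - delete
      # … unchanged: apps, leaksignal.com and networking.istio.io rules …
```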
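--- a/operators/leaksignal-operator/1.3.1/manifests/leaksignal.crd.yaml
+++ b/operators/leaksignal-operator/1.3.1/manifests/leaksignal.crd.yaml
@@ -0,0 +1,79 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+name: leaksignal-istios.leaksignal.com
+spec:
+group: leaksignal.com
+names:
+kind: LeaksignalIstio
+singular: leaksignal-istio
+plural: leaksignal-istios
+shortNames:
+- leaksignal-istio
+scope: Namespaced
+versions:
+- name: v1
+served: true
+storage: true
+schema:
+openAPIV3Schema:
+type: object
+description: Deploy LeakSignal Proxy in a specific namespace.
+properties:
+spec:
+type: object
+properties:
+proxyVersion:
+type: string
+description: Version string for LeakSignal Proxy deployment.
+proxyHash:
+type: string
+description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
+apiKey:
+type: string
+description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
+upstreamLocation:
+type: string
+description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
+proxyPrefix:
+type: string
+description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
+tls:
+type: boolean
+description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
+upstreamPort:
+type: integer
+description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
+caBundle:
+type: string
+description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
+OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
+refreshPodsOnUpdate:
+type: boolean
+description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
+Default is `true`."
+grpcMode:
+type: string
+enum: ["default", "envoy"]
+description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
+enableStreaming:
+type: boolean
+description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
+native:
+type: boolean
+description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
+and the native LeakSignal Proxy module is installed."
+failOpen:
+type: boolean
+description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
+workloadSelector:
+type: object
+description: Pod selector for workloads.
+properties:
+labels:
+type: object
+description: Labels to match any pod before deploying LeakSignal.
+additionalProperties:
+type: string
+required: ["proxyVersion", "proxyHash", "apiKey"]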
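Review bot: `proxyHash` accepts any string, yet by the descriptions in this schema it is the integrity check on the downloaded proxy bundle, and with `tls: false` the download is not protected by TLS, so it is the only one. A typo or an empty value is accepted by the API server, and how the operator treats it is not visible on this page. If the value is always a hex SHA-256 digest, as the 64-character values in the ClusterServiceVersion's `alm-examples` suggest, add `pattern: '^[0-9a-f]{64}$'` under `proxyHash` so malformed hashes are rejected at admission. The cluster-scoped CRD in this commit carries the same schema and would take the same constraint.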
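--- a/operators/leaksignal-operator/1.3.1/metadata/annotations.yaml
+++ b/operators/leaksignal-operator/1.3.1/metadata/annotations.yaml
@@ -0,0 +1,8 @@
+annotations:
+# Core bundle annotations.
+operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+operators.operatorframework.io.bundle.manifests.v1: manifests/
+operators.operatorframework.io.bundle.metadata.v1: metadata/
+operators.operatorframework.io.bundle.package.v1: leaksignal-operator
+operators.operatorframework.io.bundle.channels.v1: stable
+com.redhat.openshift.versions: v4.6-v4.14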
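Review bot: `com.redhat.openshift.versions: v4.6-v4.14` advertises the bundle to OpenShift releases that cannot meet the `minKubeVersion: 1.23.0` set in the ClusterServiceVersion, since OpenShift 4.6 through 4.9 ship Kubernetes 1.19 to 1.22. If 1.23 really is the floor, the range should start at the first release on that Kubernetes version, `com.redhat.openshift.versions: v4.10-v4.14`, so the catalog does not offer an install that OLM may then refuse. If the older releases are meant to be supported, `minKubeVersion` is the value to lower instead.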
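--- a/operators/leaksignal-operator/ci.yaml
+++ b/operators/leaksignal-operator/ci.yaml
@@ -0,0 +1,6 @@
+---
+# Use `replaces-mode` or `semver-mode`. Once you switch to `semver-mode`, there is no easy way back.
+updateGraph: semver-mode
+addReviewers: true
+reviewers:
+- protryon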
