operator leaksignal-operator (1.6.2)
Protryon authored Feb 14, 2024
1 parent cc60a81 commit 95e7b75
Showing 6 changed files with 448 additions and 0 deletions.
@@ -0,0 +1,91 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: cluster-leaksignal-istios.leaksignal.com
spec:
group: leaksignal.com
names:
kind: ClusterLeaksignalIstio
singular: cluster-leaksignal-istio
plural: cluster-leaksignal-istios
shortNames:
- cluster-leaksignal-istio
scope: Cluster
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
properties:
spec:
type: object
properties:
proxyVersion:
type: string
description: Version string for LeakSignal Proxy deployment.
proxyHash:
type: string
description: Hash of the downloaded bundle for LeakSignal Proxy. Will depend on your version and deployment mechanism (nginx, envoy, WASM).
apiKey:
type: string
description: API Key from the LeakSignal Command dashboard. Alternatively, the deployment name from LeakAgent.
upstreamLocation:
type: string
description: Hostname of upstream location to send metrics to. Default is `ingestion.app.leaksignal.com`.
proxyPrefix:
type: string
description: Prefix of binary to pull. Defaults to `s3/leakproxy`. For LeakAgent deployments, use `proxy`.
tls:
type: boolean
description: If `true` (default), TLS/HTTPS is used for telemetry upload and downloading LeakSignal Proxy. LeakAgent is usually `false`.
upstreamPort:
type: integer
description: Port of upstream ingestion. Defaults to 80/443 depending on `tls`. Recommended 8121 for LeakAgent.
caBundle:
type: string
description: "Location of CA bundle in istio-proxy. Default is `/etc/ssl/certs/ca-certificates.crt` which is suitable for Istio. \
OpenShift Service Mesh requires `/etc/ssl/certs/ca-bundle.crt`."
refreshPodsOnUpdate:
type: boolean
description: "For WASM mode, redeploys all pods with Istio sidecars affected by a LeakSignal Proxy upgrade. This provides more consistent behavior. \
Default is `true`."
refreshPodsOnStale:
type: boolean
description: "Detects pods that should have leaksignal deployed, but dont, and restarts them."
grpcMode:
type: string
enum: ["default", "envoy"]
description: Whether to use Google GRPC or Envoy GRPC for WASM deployments.
enableStreaming:
type: boolean
description: If `true` (default), then L4 streams are also scanned by LeakSignal Proxy.
native:
type: boolean
description: "If `true` (not default), istio-proxy containers are updated to a corresponding image with support for dynamic plugins, \
and the native LeakSignal Proxy module is installed."
failOpen:
type: boolean
description: If `true` (default), if LeakSignal Proxy has a failure, then all traffic is routed around it.
nativeRepo:
type: string
description: Default is `leaksignal/istio-proxy`. If no tag is specified, it is inferred from the existing proxy image on each given pod.
proxyPullLocation:
type: string
description: Format `https?://domain(:port)?/`. Defaults to `https://leakproxy.s3.us-west-2.amazonaws.com/`.
nativeProxyMemoryLimit:
type: string
description: Alternative memory limit for Istio sidecars running native modules. Useful to mitigate a surge of memory usage when loading the proxy.
workloadSelector:
type: object
description: Pod selector for workloads.
properties:
labels:
type: object
description: Labels to match any pod before deploying LeakSignal.
additionalProperties:
type: string
required: ["proxyVersion", "proxyHash", "apiKey"]
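Review bot: `apiKey` is a credential carried as a plain string in the CR spec, and the CR is cluster-scoped, so anyone who can read ClusterLeaksignalIstio objects obtains it (it is stored in etcd like any other CR field); consider accepting a Secret reference alongside it (for example an `apiKeySecretRef` object with `name` and `key` properties) and stating in the `apiKey` description that the inline value is visible to every reader of the resource. `required: ["proxyVersion", "proxyHash", "apiKey"]` only checks presence, so an empty string passes admission; `minLength: 1` under each of those three properties would reject it. `upstreamPort` is an unbounded integer — `minimum: 1` and `maximum: 65535` would reject values the description presupposes are invalid. The top-level description also spells "overriden" (the same wording recurs in the CSV's owned-CRD description) and `refreshPodsOnStale` has "dont"; "overridden" and "don't".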
@@ -0,0 +1,221 @@
---
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
name: leaksignal-operator.v1.6.2
annotations:
capabilities: Full Lifecycle
categories: Security
containerImage: docker.io/leaksignal/leaksignal-operator@sha256:e98c702ceb409ff4ac00b13407a593a80d706777d8f5db0134fa60d2d81522f1
createdAt: '2024-01-31T00:00:00Z'
support: LeakSignal Inc. https://leaksignal.com
description: Secure your data in seconds with the LeakSignal Operator.
repository: https://github.com/leaksignal/leaksignal-operator
certified: 'false'
alm-examples: |
[
{
"apiVersion": "leaksignal.com/v1",
"kind": "LeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
},
{
"apiVersion": "leaksignal.com/v1",
"kind": "ClusterLeaksignalIstio",
"metadata": {
"name": "leaksignal-istio"
},
"spec": {
"proxyHash": "fcecd3a3b099bebb432cf78e48c6f3f24a7d71b92e06b75ba5301877554960ff",
"proxyVersion": "2024_01_29_22_53_36_5a454f0_0.9.5",
"apiKey": "example"
}
}
]
spec:
description: Secure your data in seconds with the LeakSignal Operator.
displayName: LeakSignal Operator
minKubeVersion: 1.23.0
keywords:
- leaksignal
- istio
- wasm
maintainers:
- email: [email protected]
name: Max Bruce
maturity: stable
provider:
name: LeakSignal
url: leaksignal.com
links:
- name: Documentation
url: https://www.leaksignal.com/docs/Operator/Getting%20Started
version: 1.6.2
relatedImages:
- name: operator
image: docker.io/leaksignal/leaksignal-operator@sha256:e98c702ceb409ff4ac00b13407a593a80d706777d8f5db0134fa60d2d81522f1
icon:
- base64data: |-
iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADVklEQVRIiaVW34tVZRRda+1v7ji31PGUM1D+IBR9EJVBmTSTIC18ytfwwfwBik8K0kODov+AT6kQUYGiRfQ0Q
Y/lQ5BGEFFIoiApwUgMwmDjjHrv9uGcc+85595z7lU39+Ge73x8a+211/72YRRFs7OzklAeb4oE/3CfhqPpAOoAyPjtQ/fXTd8tGFzVbE7DARB8Sbzw6MnEkwZqtVrF0XFcIxz4B/gS2FGyZz0wD3j+NwagXq/3OJ
78S3LAQQed/El62wwsbtwa5KSDKQB/AXsDDJF3yQI1J08EtVRKqWDClAVwABjqAbDOYl5oJ5FinA1WxBD/lLVOf0TY8sHazOPHlQrRpP+l5YR57tW4+4DpR8+sOu6Ie8gZ4Zx0EMC/ryy+DEAdiuZBQK6VPlM2myS
PHZZzoAF7ZStEEADhSyMHfjatqHRqC2m3NK8WhhyYNo1ad34k4a8uiXfPmTZYHxjA+2bOtCRkI+gtswqAKAaYod5gF4Bl0kiHgGeCedAN8WPZsvLUMxmQH3alT34Twn3xqClr/EjcOxAWJEKXRhtgymQZmhulTTEv
8nbcZcLnnabsFSQFEMCvQMPby+fF34BdJIhLBKQH4LRXHFUecQZnjS12S0z3RAfuBYvtu0Z6rdrH5RmEOAOQQMLQgRECxFUka1PATPP5+CNx0aRl9CVOmR2RasSwNCm5dNq08BkLgLyLtDInQvL/vSCP24rc2U8nd
gAoVvmafDDHLxFk1AHqhvQRccWfS6WL0fC2NuNijJAbTSqKwz79ShIYGno2RuSE6YegxX0oRhK1nhMtG9KhZDzwprSl21wrAvQemSBESJtM3xaGonTCqto77oPSiMjDQe4eOcfoO5uOhrcpE/BmgLWfOk5wVA79bW
Ye5MpO4yx9fhLUskfZQKgC+KDLNGZreOy3jqEPFFbiy640VoNp2szkwO9Nm4GvGk3kOoPHTJPGlwu3VmkG5NcDwY1OuuTiLdMXZttLqvpOmu51aTx1cA8XjZv2B9sXtNs0ZqqrmyYAgHfN5pJBzbg8J0Pq4D5sWhn
kAUvvq1aRiCsDaaIvAjAqXlCHEYjfxTqJvhutC+tF0nHTf8p/I4FO/G0a7rMGnWHAduBTcooqfq0CDlwFo0ydSD4F3dgfyiYvCZYAAAAASUVORK5CYII=
mediatype: image/png
customresourcedefinitions:
owned:
- name: leaksignal-istios.leaksignal.com
version: v1
kind: LeaksignalIstio
description: Deploy LeakSignal Proxy in a specific namespace.
displayName: LeaksignalIstio
- name: cluster-leaksignal-istios.leaksignal.com
version: v1
kind: ClusterLeaksignalIstio
description: Deploy LeakSignal Proxy in all istio-enabled namespaces, can be overriden by local LeaksignalIstios.
displayName: ClusterLeaksignalIstio
install:
strategy: deployment
spec:
permissions:
- serviceAccountName: leaksignal-operator
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- watch
- list
- create
- update
- patch
- delete

clusterPermissions:
- rules:
- apiGroups: [""]
resources:
- pods
verbs:
- list
- get
- delete
- apiGroups: [""]
resources:
- namespaces
- services
verbs:
- list
- get
- apiGroups: ["apps"]
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
verbs:
- list
- get
- patch
- update
- apiGroups:
- leaksignal.com
resources:
- cluster-leaksignal-istios
- leaksignal-istios
verbs:
- get
- watch
- list
- patch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
verbs:
- get
- watch
- list
- create
- update
- patch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- get
- watch
- list
- create
- update
- patch
- delete
resourceNames:
- z-leaksignal-operator
- apiGroups: ["argoproj.io"]
resources:
- rollouts
verbs:
- list
- get
- patch
- update
serviceAccountName: leaksignal-operator
deployments:
- name: leaksignal-operator
spec:
replicas: 1
selector:
matchLabels:
app: leaksignal-operator
template:
metadata:
labels:
app: leaksignal-operator
ls-native: excluded
spec:
priorityClassName: leaksignal-operator
containers:
- name: leaksignal-operator
image: docker.io/leaksignal/leaksignal-operator@sha256:e98c702ceb409ff4ac00b13407a593a80d706777d8f5db0134fa60d2d81522f1
volumeMounts:
- name: proxy-store
mountPath: /proxy
ports:
- containerPort: 8443
name: webhook-tls
- containerPort: 2049
name: nfs-proxy
resources:
requests:
memory: 256Mi
cpu: 500m
limits:
memory: 1Gi
cpu: 1.0
serviceAccountName: leaksignal-operator
volumes:
- name: proxy-store
emptyDir: {}
installModes:
- supported: false
type: OwnNamespace
- supported: false
type: SingleNamespace
- supported: false
type: MultiNamespace
- supported: true
type: AllNamespaces
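Review bot: The `mutatingwebhookconfigurations` rule under `clusterPermissions` lists `create` together with `resourceNames: [z-leaksignal-operator]`, but Kubernetes RBAC does not match create requests against resourceNames (the object name is not known at authorization time), so this rule grants every listed verb except create; if the operator creates the webhook configuration itself, add a separate unrestricted rule `- apiGroups: ["admissionregistration.k8s.io"]` / `resources: ["mutatingwebhookconfigurations"]` / `verbs: ["create"]`, otherwise drop `create` so the manifest states what actually works. The operator container holds cluster-wide pod delete and deployment patch rights yet declares no `securityContext`; the snippet below adds the usual hardening, where `readOnlyRootFilesystem` assumes the image writes only under the `/proxy` emptyDir mount — confirm against the image before enabling it. `provider.url: leaksignal.com` has no scheme; OLM renders it as a link, so `https://leaksignal.com` is the safer form.
```yaml
      containers:
        - name: leaksignal-operator
          # … unchanged: image, volumeMounts, ports, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # only valid if the image writes solely under /proxy
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
```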