Istio & OSSM
The easiest way to deploy LeakSignal on Istio and OpenShift Service Mesh (OSSM) is via the LeakSignal Operator.
Deploying the Operator
LeakSignal Operator is available on OperatorHub, or as a Certified Operator on OpenShift OperatorHub.
You can also install the operator via a Helm Chart:
$ helm upgrade --install leaksignal-operator oci://registry-1.docker.io/leaksignal/leaksignal-operator \
    --version 0.11.2-helm \
    --namespace leaksignal-operator \
    --create-namespace
If updating from a previous version via Helm, make sure to manually update the CRDs:
$ kubectl apply \
    -f https://raw.githubusercontent.com/leaksignal/leaksignal-operator/v1.6.2/crds/leaksignal-crd.yaml \
    -f https://raw.githubusercontent.com/leaksignal/leaksignal-operator/v1.6.2/crds/leaksignal-cluster-crd.yaml
You can find the code, CRDs, and Helm Charts on GitHub and more documentation here.
Native vs WASM
For Istio & OSSM, there are two available deployment modes: Native & WASM.
- WASM provides a full sandbox for LeakSignal to run in, providing redundancy in case of failure.
- Native provides more performance for less resource usage and, in some environments, more reliable networking. Unlike WASM, it also supports live hot-reloading for new versions of the proxy. It is not fully supported on OSSM, though.
So which should I pick?
On OSSM, WASM is recommended. Native mode requires a custom Envoy proxy image that supports dynamically loaded Native proxy modules, which is not currently available for OSSM, and some OSSM features will not work with the LeakSignal-provided proxy image.
If you are concerned with deploying executable code into all of your Service Mesh Sidecars, WASM might also be the right choice for you, as it provides a fully sandboxed environment.
If you want to minimize resource usage, reduce latency, and get more reliable networking to Command, Native is a great choice.
Deploying the Proxy
With the Operator deployed, you can now deploy LeakSignal Proxy.
Single Namespace
To deploy in a single namespace, you can create a LeaksignalIstio:
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY
Single Namespace (Native)
If you want to deploy with Native mode, there will be a different proxyHash and a native: true flag:
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: e39c76c48fe7416372bc28775024dc688daf761161880a232f76d2a891b76ff5
  native: true
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY
Cluster-Wide
If you would like to deploy LeakSignal Proxy in all namespaces, you can create a ClusterLeaksignalIstio. Any namespaces that contain a LeaksignalIstio will not be affected.
apiVersion: leaksignal.com/v1
kind: ClusterLeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY
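Because the WASM and Native builds of the same proxyVersion carry different proxyHash values, a manifest can end up with native: true next to the WASM hash (or the reverse). The script below is an added example, not part of the LeakSignal documentation or operator: a pre-apply check that compares a LeaksignalIstio or ClusterLeaksignalIstio manifest against a reviewed pin table. The pin table reuses the version and hashes shown on this page; the names PINS, spec_field and check_manifest are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-apply gate for LeaksignalIstio / ClusterLeaksignalIstio manifests.
# Reviewed pins, one per line: <proxyVersion> <mode> <proxyHash>.
# These are the values shown on this page; update the table under code review per release.
PINS='2024_02_14_13_47_18_c5db81b_0.10.1 wasm a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
2024_02_14_13_47_18_c5db81b_0.10.1 native e39c76c48fe7416372bc28775024dc688daf761161880a232f76d2a891b76ff5'

# Print one scalar from the manifest's spec block ("  key: value"), skipping comment lines.
spec_field() {  # $1 = manifest path, $2 = key
  awk -v k="$2" '
    /^spec:/ { in_spec = 1; next }
    /^[^ #]/ { in_spec = 0 }          # any other top-level key ends the spec block
    in_spec && $1 == (k ":") { v = $2; gsub(/"/, "", v); print v; exit }
  ' "$1"
}

# Returns 0 if the manifest matches a pin, 1 on a pin violation, 2 if it is the wrong kind.
check_manifest() {  # $1 = manifest path
  local f=$1 ver hash native mode want rc=0
  if ! grep -Eq '^kind: (Cluster)?LeaksignalIstio$' "$f"; then
    echo "$f: not a LeaksignalIstio or ClusterLeaksignalIstio resource"; return 2
  fi
  ver=$(spec_field "$f" proxyVersion)
  hash=$(spec_field "$f" proxyHash)
  native=$(spec_field "$f" native)
  # The page's manifests omit "native" for WASM, so absence means WASM mode.
  [ "$native" = "true" ] && mode=native || mode=wasm
  if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "$f: proxyHash is not 64 lowercase hex characters"; rc=1
  fi
  want=$(printf '%s\n' "$PINS" | awk -v v="$ver" -v m="$mode" '$1 == v && $2 == m { print $3 }')
  if [ -z "$want" ]; then
    echo "$f: no reviewed pin for proxyVersion '$ver' in $mode mode"; rc=1
  elif [ "$want" != "$hash" ]; then
    echo "$f: proxyHash does not match the reviewed pin for $ver ($mode)"; rc=1
  fi
  return $rc
}
```

Run `check_manifest path/to/manifest.yaml` in CI before `kubectl apply`; a non-zero exit status means the manifest should not be applied as written.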