Getting Started
CRDs
There are two CRDs (custom resource definitions) owned by the LeakSignal Operator:
LeaksignalIstio
LeaksignalIstio CRs (custom resources) configure LeakSignal proxies to be added to the Istio sidecars in the same namespace as the LeaksignalIstio object.
EnvoyFilter objects are created and managed by the operator to faciliate this. Pods with sidecars are automatically restarted to allow for changes to propagate (WASM only).
Automatic pod refreshment can be disabled with the spec.refreshPodsOnUpdate
value.
ClusterLeaksignalIstio
ClusterLeaksignalIstio CRs create a default configuration for all Istio sidecars in all namespaces except for those containing a LeaksignalIstio CR.
They are cluster-scoped objects, and have the same format as LeaksignalIstio objects.
Examples
Push to Leaksignal Command
This configuration will push telemetry to the LeakSignal Dashboard.
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
name: leaksignal-istio
spec:
proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
apiKey: MY_API_KEY
Push to Entrprise Leaksignal Command On-Prem
This configuration will push telemetry to an on-prem deployment of LeakSignal Dashboard.
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
name: leaksignal-istio
spec:
proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
apiKey: MY_API_KEY
upstreamLocation: ingestion.leaksignal.mydomain.com
Or with OpenShift Service Mesh:
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
name: leaksignal-istio
spec:
proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
apiKey: MY_API_KEY
upstreamLocation: ingestion.leaksignal.mydomain.com
caBundle: /etc/ssl/certs/ca-bundle.crt
Push to local LeakAgent
This configuration will push telemetry to a same-cluster LeakAgent deployment.
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
name: leaksignal-istio
spec:
proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
apiKey: my_policy_name
upstreamLocation: leakagent.leakagent.svc.cluster.local
upstreamPort: 8121
tls: false
Push to remote LeakAgent
This configuration will push telemetry to a remote LeakAgent deployment behind an Ingress providing TLS termination.
apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
name: leaksignal-istio
spec:
proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
apiKey: my_policy_name
upstreamLocation: leakagent.mydomain.com
upstreamPort: 443