Istio & OSSM

The easiest way to deploy LeakSignal for Istio and OpenShift Service Mesh (OSSM) is via the LeakSignal Operator.

Deploying the Operator

LeakSignal Operator is available on OperatorHub, or as a Certified Operator on OpenShift OperatorHub.

You can also install the operator via a Helm Chart:

$ helm upgrade --install leaksignal-operator oci://registry-1.docker.io/leaksignal/leaksignal-operator \
    --version 1.6.2-helm \
    --namespace leaksignal-operator \
    --create-namespace

If updating from a previous version via Helm, make sure to manually update the CRDs:

$ kubectl apply \
    -f https://raw.githubusercontent.com/leaksignal/leaksignal-operator/v1.6.2/crds/leaksignal-crd.yaml \
    -f https://raw.githubusercontent.com/leaksignal/leaksignal-operator/v1.6.2/crds/leaksignal-cluster-crd.yaml

You can find the code, CRDs, and Helm Charts on GitHub and more documentation here.

Native vs WASM

For Istio & OSSM, there are two available deployment modes: Native & WASM.

  • WASM provides a full sandbox for LeakSignal to run in, providing redundancy in case of failure.
  • Native provides more performance for less resource usage and, in some environments, more reliable networking. Unlike WASM, it also supports live hot-reloading for new versions of the proxy. However, it is not fully supported on OSSM.

So which should I pick?

On OSSM, WASM is recommended. Native mode requires a custom Envoy proxy image that supports dynamically loaded Native proxy modules. Such an image is not currently available for OSSM, and some OSSM features will not work with the LeakSignal-provided proxy image.

If you are concerned with deploying executable code into all of your Service Mesh Sidecars, WASM might also be the right choice for you, as it provides a fully sandboxed environment.

If you want to minimize resource usage, improve latency, and get more reliable networking to Command, Native is a great choice.

Deploying the Proxy

With the Operator deployed, you can now deploy LeakSignal Proxy.

Single Namespace

To deploy in a single namespace, you can create a LeaksignalIstio:

apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY

Single Namespace (Native)

If you want to deploy with Native mode, use the Native proxyHash, which differs from the WASM one, and add the native: true flag:

apiVersion: leaksignal.com/v1
kind: LeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: e39c76c48fe7416372bc28775024dc688daf761161880a232f76d2a891b76ff5
  native: true
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY

Cluster-Wide

If you would like to deploy LeakSignal Proxy in all namespaces, you can create a ClusterLeaksignalIstio. Any namespaces that contain a LeaksignalIstio will not be affected.

apiVersion: leaksignal.com/v1
kind: ClusterLeaksignalIstio
metadata:
  name: leaksignal-istio
spec:
  # Version information is available at https://github.com/leaksignal/leaksignal/releases
  proxyVersion: 2024_02_14_13_47_18_c5db81b_0.10.1
  proxyHash: a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
  # from Command, or the Deployment name in LeakAgent
  apiKey: MY_API_KEY
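
A pre-apply check for the manifests above, added here as an example (not LeakSignal's own tooling): it pins each proxyVersion and mode to the proxyHash shown on this page, so a native: true manifest that still carries the WASM hash, an unreviewed hash, or the MY_API_KEY placeholder is rejected before kubectl apply. The function names and the pin-table layout are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: lint a LeaksignalIstio / ClusterLeaksignalIstio manifest before applying it.
# Usage (after sourcing this file):
#   check_manifest leaksignal-istio.yaml && kubectl apply -f leaksignal-istio.yaml

# Reviewed pins, one per line: "<proxyVersion> <mode> <proxyHash>".
# Values copied from this page; extend the table when you deliberately upgrade.
PINS='2024_02_14_13_47_18_c5db81b_0.10.1 wasm a3e851833223951f3460c4851d088ff1efc0a955cba7a68c7cafa0e596c474b2
2024_02_14_13_47_18_c5db81b_0.10.1 native e39c76c48fe7416372bc28775024dc688daf761161880a232f76d2a891b76ff5'

# field <file> <key>: print the first scalar value of "key: value".
# Indentation is ignored; comment lines never match because their first field is "#".
field() {
  awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# check_manifest <file>: print "ok" and return 0, or print the reason and return 1.
check_manifest() {
  local f=$1 kind version hash native key mode
  kind=$(field "$f" kind)
  version=$(field "$f" proxyVersion)
  hash=$(field "$f" proxyHash)
  native=$(field "$f" native)
  key=$(field "$f" apiKey)

  # The page's two modes: WASM is the default, Native is selected by native: true.
  mode=wasm
  if [ "$native" = "true" ]; then mode=native; fi

  case $kind in
    LeaksignalIstio|ClusterLeaksignalIstio) ;;
    *) echo "unexpected kind: ${kind:-<missing>}"; return 1 ;;
  esac

  # Exact-line match, so a hash pinned for one mode is never accepted for the other.
  if ! printf '%s\n' "$PINS" | grep -Fxq "$version $mode $hash"; then
    echo "proxyHash is not pinned for ${version:-<missing>} in $mode mode"; return 1
  fi

  if [ -z "$key" ] || [ "$key" = "MY_API_KEY" ]; then
    echo "apiKey is missing or still the placeholder"; return 1
  fi
  echo ok
}
```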