Add postgres docs
Yarden Refaeli committed Dec 17, 2023
1 parent 91b6516 commit 8792d4b
Showing 3 changed files with 6 additions and 3 deletions.
5 changes: 4 additions & 1 deletion docs/reference/configuration/intents-operator/README.mdx
Expand Up @@ -69,13 +69,16 @@ The intents operator can also be configured to process client intents *without*

The Otterize credentials operator automatically registers client pods with the credentials service — either a SPIRE server, or the Otterize Cloud-managed credentials service — and writes the trusted credentials generated by that service into Kubernetes secrets for use by those pods. The intents operator takes `ClientIntents` with `type: kafka` and creates Kafka ACLs that grant the requested access to the cryptographic identities (SVIDs) created by the credentials operator.


#### ACL creation and consumer groups
A Kafka client may specify a consumer group ID when consuming a topic. When it does so, it requires DESCRIBE and READ access to the consumer group resource.
To enable this, the intents operator creates an ACL enabling all consumers to read and describe all consumer groups.
The permission check performed by the AclAuthorizer for a consumer group also takes into account whether the consumer has the appropriate access to the topic
it is attempting to read, so the end result is that the topic ACLs determine actual access.

### PostgreSQL users & access
The intents operator automatically creates, and updates credentials in PostgreSQL databases according to the declared intents. It works together with the Otterize credentials operator to easily enable secure access to PostgreSQL from client pods, all in your Kubernetes cluster.

Try the [Just-in-time PostgreSQL users & access](https://docs.otterize.com/quickstart/access-control/postgresql) tutorial to learn more.

### Istio AuthorizationPolicy
The intents operator automatically creates, updates and deletes Istio authorization policies, automatically looks up service accounts for client pods and labels server pods, to reflect precisely the client-to-server calls declared in client intents files.
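Review bot: the new `### PostgreSQL users & access` paragraph has a stray comma in "automatically creates, and updates credentials", and, unlike the Istio section directly below it ("creates, updates and deletes"), it never says whether PostgreSQL credentials are revoked when a ClientIntents resource is deleted or a database intent is removed from it; from a least-privilege standpoint that is the one detail a reader of this section needs. Suggest "automatically creates, updates and removes credentials in PostgreSQL databases according to the declared intents" if that is the operator's behaviour, or an explicit statement that credentials persist otherwise. The section should also name the Helm value that gates the feature, since this same commit adds `operator.enableDatabaseCredentialsCreation` to the parameter tables but the prose does not reference it.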
Expand Up @@ -46,7 +46,7 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |

## Watcher parameters
| Key | Description | Default |
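Review bot: this row renames `operator.enableDatabaseReconciler` to `operator.enableDatabaseCredentialsCreation` and flips the default from `false` to `true`, so a feature that was opt-in and marked **experimental** is now on by default, and any existing values file that still sets the old key may silently have no effect. The other renamed keys in this table keep a row reading "(deprecated, use `allowExternalTraffic` instead)"; the same treatment is warranted here, e.g. keep `operator.enableDatabaseReconciler` with the description "(deprecated, use `enableDatabaseCredentialsCreation` instead)", and call out the default change in the release notes. The new description "Enables support for database intents" should also end with a period like "Resources override." and say what happens when the value is `false` (are database intents ignored or rejected?).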
2 changes: 1 addition & 1 deletion docs/reference/configuration/otterize-chart/README.mdx
Expand Up @@ -74,7 +74,7 @@ Further information about intents-operator parameters can be found [in the inten
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `intentsOperator.operator.resources` | Resources override. | |
| `intentsOperator.operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |


## SPIRE parameters
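Review bot: this is the same rename and `false` to `true` default flip under the `intentsOperator.` prefix, so the top-level chart inherits the behaviour change; whatever deprecation row and description wording is chosen for the intents-operator table (a "(deprecated, use `enableDatabaseCredentialsCreation` instead)" row for `intentsOperator.operator.enableDatabaseReconciler`, a note on what `false` does) should be mirrored here so the two tables do not drift. Minor: the description lacks the trailing period the surrounding rows use ("Resources override.").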