From 865e40415a9f61ce872c18e56b52a868f7c984b2 Mon Sep 17 00:00:00 2001
From: Ori Shoshan
Date: Wed, 3 Apr 2024 10:28:05 +0300
Subject: [PATCH 1/7] Fix docs
---
 .../intents-operator/helm-chart.mdx | 35 +++++++++---------
 .../configuration/otterize-chart/README.mdx | 37 ++++++++++---------
 2 files changed, 37 insertions(+), 35 deletions(-)
diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx
index db3fd8b0b..5fb25b563 100644
--- a/docs/reference/configuration/intents-operator/helm-chart.mdx
+++ b/docs/reference/configuration/intents-operator/helm-chart.mdx
@@ -30,23 +30,24 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
 | `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection) | `(none)` |
 ## Operator parameters
-| Key | Description | Default |
-|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
-| `operator.image.repository` | Intents Operator image repository. | `otterize` |
-| `operator.image.image` | Intents Operator image. | `intents-operator` |
-| `operator.image.tag` | Intents Operator image tag. | `latest` |
-| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
-| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
-| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
-| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
-| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
-| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
-| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
-| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
-| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected.
| `true` |
-| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
-| `operator.resources` | Resources override. | |
-| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
+| Key | Description | Default |
+|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
+| `operator.image.repository` | Intents Operator image repository. | `otterize` |
+| `operator.image.image` | Intents Operator image. | `intents-operator` |
+| `operator.image.tag` | Intents Operator image tag. | `latest` |
+| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
+| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
+| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
+| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
+| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
+| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
+| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
+| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
+| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected.
| `true` |
+| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
+| `operator.resources` | Resources override. | |
+| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
+| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
 ## Watcher parameters
 | Key | Description | Default |
diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx
index f10a36ab0..e76f57d86 100644
--- a/docs/reference/configuration/otterize-chart/README.mdx
+++ b/docs/reference/configuration/otterize-chart/README.mdx
@@ -57,24 +57,25 @@ These parameters are used by multiple charts, and must be kept the same for the
 All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the intents operator's Helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator).
-## Operator parameters
-| Key | Description | Default |
-|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
-| `intentsOperator.operator.image.repository` | Intents Operator image repository. | `otterize` |
-| `intentsOperator.operator.image.image` | Intents Operator image. | `intents-operator` |
-| `intentsOperator.operator.image.tag` | Intents Operator image tag. | `latest` |
-| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
-| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
-| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
-| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
-| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
-| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
-| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
-| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
-| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected.
| `true` |
-| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
-| `intentsOperator.operator.resources` | Resources override. | |
-| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
+### Intents operator parameters
+| Key | Description | Default |
+|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
+| `intentsOperator.operator.image.repository` | Intents Operator image repository. | `otterize` |
+| `intentsOperator.operator.image.image` | Intents Operator image. | `intents-operator` |
+| `intentsOperator.operator.image.tag` | Intents Operator image tag. | `latest` |
+| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
+| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
+| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
+| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
+| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
+| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
+| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
+| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
+| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected.
| `true` |
+| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
+| `intentsOperator.operator.resources` | Resources override. | |
+| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
+| `intentsOperator.watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
 ## SPIRE parameters
From 878b8966c1094db2fb7d8008431fa562a02b6c0e Mon Sep 17 00:00:00 2001
From: Nicolas Vermande
Date: Wed, 24 Apr 2024 13:46:22 +0100
Subject: [PATCH 2/7] fix netpol automation tutorial pre-requisites (#233)
---
 .../tutorials/k8s-network-policies.mdx | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/features/network-mapping-network-policies/tutorials/k8s-network-policies.mdx b/docs/features/network-mapping-network-policies/tutorials/k8s-network-policies.mdx
index c64833ee7..b8c9a5f2b 100644
--- a/docs/features/network-mapping-network-policies/tutorials/k8s-network-policies.mdx
+++ b/docs/features/network-mapping-network-policies/tutorials/k8s-network-policies.mdx
@@ -24,9 +24,7 @@ In this tutorial, we will:
 ## Prerequisites
 ### Install Otterize on your cluster
-To deploy Otterize, head over to [Otterize Cloud](https://app.otterize.com) and associate a Kubernetes cluster on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions.
-
-We will also need the [Otterize CLI](/overview/installation#install-the-otterize-cli).
+To deploy Otterize, head over to [Otterize Cloud](https://app.otterize.com) and create a Kubernetes integration on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions. *Make sure to enable enforcement mode for this tutorial*. If you already have a Kubernetes cluster connected, skip this step.
 ## Tutorial
From fb28959ff19ea10bb7af8e6ee1e135814495ce67 Mon Sep 17 00:00:00 2001
From: Nicolas Vermande
Date: Mon, 29 Apr 2024 08:41:38 +0100
Subject: [PATCH 3/7] Change font size and sidebar width (#231)
---
 src/css/custom.css | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/css/custom.css b/src/css/custom.css
index 4935b0550..9706b4009 100644
--- a/src/css/custom.css
+++ b/src/css/custom.css
@@ -18,7 +18,7 @@
 --ifm-color-primary-lighter: #377fad;
 --ifm-color-primary-lightest: #408fc2;
 --ifm-code-font-size: 85%;
- --ifm-font-size-base: 0.85rem;
+ --ifm-font-size-base: 1rem;
 --ifm-font-weight-base: 400;
 --ifm-h1-font-size: 2.5rem;
 --ifm-code-border-radius: 5px;
@@ -136,7 +136,7 @@ article {
 /* Allow for slightly longer sidebar items than the default width */
 :root {
- --doc-sidebar-width: 350px !important;
+ --doc-sidebar-width: 300px !important;
 }
 /* Auto-wrap text in code blocks
@@ -400,4 +400,4 @@ footer .container-fluid {
 .hideme {
 display: none !important;
-}
\ No newline at end of file
+}
From 8b068af88abb5968482dfbb799ea0e44c51a6892 Mon Sep 17 00:00:00 2001
From: Nicolas Vermande
Date: Tue, 30 Apr 2024 08:36:55 +0100
Subject: [PATCH 4/7] fix typo (#232)
---
 docs/features/aws-iam/tutorials/aws-iam-eks.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/features/aws-iam/tutorials/aws-iam-eks.mdx b/docs/features/aws-iam/tutorials/aws-iam-eks.mdx
index 7a468bb6f..e1488a1d4 100644
--- a/docs/features/aws-iam/tutorials/aws-iam-eks.mdx
+++ b/docs/features/aws-iam/tutorials/aws-iam-eks.mdx
@@ -48,7 +48,7 @@ aws eks update-kubeconfig --region us-west-2 --name otterize-iam-eks-tutorial
 ### 2. Deploy Otterize for AWS IAM
 To deploy Otterize, head over to [Otterize Cloud](https://app.otterize.com) and:
-1. Create a Kubernetes Integration on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions. *Make sure to enable enforcement mode for this tutorial.* If you already have a Kubernetes cluster connected, skip this step.
+1. Create a Kubernetes integration on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions. *Make sure to enable enforcement mode for this tutorial.* If you already have a Kubernetes cluster connected, skip this step.
 2. Create an AWS IAM integration on the [Integrations page](https://app.otterize.com/integrations).
From deeda4d1b922fde1fb025b2cf322ea9a0f9d77a8 Mon Sep 17 00:00:00 2001
From: Ori Shoshan
Date: Tue, 30 Apr 2024 19:19:25 +0300
Subject: [PATCH 5/7] Fix image, repository and tag docs
---
 docs/features/istio/reference.mdx | 18 +++++++-------
 docs/features/kafka/reference.mdx | 20 ++++++++--------
 .../credentials-operator/helm-chart.mdx | 12 +++++-----
 .../intents-operator/helm-chart.mdx | 6 ++---
 .../network-mapper/helm-chart.mdx | 24 +++++++++----------
 .../network-mapper/kafka-watcher.mdx | 20 ++++++++--------
 .../configuration/otterize-chart/README.mdx | 8 +++----
 7 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/docs/features/istio/reference.mdx b/docs/features/istio/reference.mdx
index edf4247bb..7df5d9741 100644
--- a/docs/features/istio/reference.mdx
+++ b/docs/features/istio/reference.mdx
@@ -25,14 +25,14 @@ spec:
 ### Helm Chart options
-| Key | Description | Default |
-|---------------------------------|-----------------------------------------|--------------------------------|
-| `istiowatcher.enable` | Enable Istio watcher deployment (beta). | `false` |
-| `istiowatcher.image.repository` | Istio watcher image repository. | `otterize` |
-| `istiowatcher.image.image` | Istio watcher image. | `network-mapper-istio-watcher` |
-| `istiowatcher.image.tag` | Istio watcher image tag. | `latest` |
-| `istiowatcher.pullPolicy` | Istio watcher pull policy. | `(none)` |
-| `istiowatcher.pullSecrets` | Istio watcher pull secrets. | `(none)` |
-| `istiowatcher.resources` | Resources override. | `(none)` |
+| Key | Description | Default |
+|----------------------------|-----------------------------------------|--------------------------------|
+| `istiowatcher.enable` | Enable Istio watcher deployment (beta). | `false` |
+| `istiowatcher.repository` | Istio watcher image repository. | `otterize` |
+| `istiowatcher.image` | Istio watcher image. | `network-mapper-istio-watcher` |
+| `istiowatcher.tag` | Istio watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `istiowatcher.pullPolicy` | Istio watcher pull policy. | `(none)` |
+| `istiowatcher.pullSecrets` | Istio watcher pull secrets. | `(none)` |
+| `istiowatcher.resources` | Resources override. | `(none)` |
 View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options
\ No newline at end of file
diff --git a/docs/features/kafka/reference.mdx b/docs/features/kafka/reference.mdx
index a2f704193..cadbf8bcf 100644
--- a/docs/features/kafka/reference.mdx
+++ b/docs/features/kafka/reference.mdx
@@ -46,15 +46,15 @@ spec:
 ### Helm Chart options
-| Key | Description | Default |
-|---------------------------------|-------------------------------------------------------------|--------------------------------|
-| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` |
-| `kafkawatcher.image.repository` | Kafka watcher image repository. | `otterize` |
-| `kafkawatcher.image.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
-| `kafkawatcher.image.tag` | Kafka watcher image tag. | `latest` |
-| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` |
-| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` |
-| `kafkawatcher.resources` | Resources override. | `(none)` |
-| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` |
+| Key | Description | Default |
+|-----------------------------|-------------------------------------------------------------|--------------------------------|
+| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` |
+| `kafkawatcher.repository` | Kafka watcher image repository. | `otterize` |
+| `kafkawatcher.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
+| `kafkawatcher.tag` | Kafka watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` |
+| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` |
+| `kafkawatcher.resources` | Resources override. | `(none)` |
+| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` |
 View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options
\ No newline at end of file
diff --git a/docs/reference/configuration/credentials-operator/helm-chart.mdx b/docs/reference/configuration/credentials-operator/helm-chart.mdx
index d9f7e0e60..ec1f09231 100644
--- a/docs/reference/configuration/credentials-operator/helm-chart.mdx
+++ b/docs/reference/configuration/credentials-operator/helm-chart.mdx
@@ -37,12 +37,12 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
 ## Operator parameters
-| Key | Description | Default |
-|-----------------------------|----------------------------|------------------------------|
-| `operator.image.repository` | Operator image repository. | `otterize` |
-| `operator.image.image` | Operator image. | `credentials-operator` |
-| `operator.image.tag` | Operator image tag. | `latest` |
-| `operator.pullPolicy` | Operator pull policy. | `(none)` |
+| Key | Description | Default |
+|-----------------------|----------------------------|------------------------|
+| `operator.repository` | Operator image repository. | `otterize` |
+| `operator.image` | Operator image. | `credentials-operator` |
+| `operator.tag` | Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `operator.pullPolicy` | Operator pull policy. | `(none)` |
 ## Cloud parameters
diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx
index 21f6bdb28..1e6faf410 100644
--- a/docs/reference/configuration/intents-operator/helm-chart.mdx
+++ b/docs/reference/configuration/intents-operator/helm-chart.mdx
@@ -32,9 +32,9 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
 ## Operator parameters
 | Key | Description | Default |
 |---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
-| `operator.image.repository` | Intents Operator image repository. | `otterize` |
-| `operator.image.image` | Intents Operator image. | `intents-operator` |
-| `operator.image.tag` | Intents Operator image tag. | `latest` |
+| `operator.repository` | Intents Operator image repository. | `otterize` |
+| `operator.image` | Intents Operator image. | `intents-operator` |
+| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
 | `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
 | `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
diff --git a/docs/reference/configuration/network-mapper/helm-chart.mdx b/docs/reference/configuration/network-mapper/helm-chart.mdx
index 3a9ac28a0..292237c5e 100644
--- a/docs/reference/configuration/network-mapper/helm-chart.mdx
+++ b/docs/reference/configuration/network-mapper/helm-chart.mdx
@@ -15,9 +15,9 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie
 ## Mapper parameters
 | Key | Description | Default |
 |--------------------------------|-------------------------------------------------------------------------------------------------|------------------|
-| `mapper.image.repository` | Mapper image repository. | `otterize` |
-| `mapper.image.image` | Mapper image. | `network-mapper` |
-| `mapper.image.tag` | Mapper image tag. | `latest` |
+| `mapper.repository` | Mapper image repository. | `otterize` |
+| `mapper.image` | Mapper image. | `network-mapper` |
+| `mapper.tag` | Mapper image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `mapper.pullPolicy` | Mapper pull policy. | `(none)` |
 | `mapper.resources` | Resources override. | `(none)` |
 | `mapper.uploadIntervalSeconds` | Interval for uploading data to cloud | `60` |
@@ -38,9 +38,9 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie
 ## Sniffer parameters
 | Key | Description | Default |
 |-----------------------------|---------------------------|--------------------------|
-| `sniffer.image.repository` | Sniffer image repository. | `otterize` |
-| `sniffer.image.image` | Sniffer image. | `network-mapper-sniffer` |
-| `sniffer.image.tag` | Sniffer image tag. | `latest` |
+| `sniffer.repository` | Sniffer image repository. | `otterize` |
+| `sniffer.image` | Sniffer image. | `network-mapper-sniffer` |
+| `sniffer.tag` | Sniffer image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `sniffer.pullPolicy` | Sniffer pull policy. | `(none)` |
 | `sniffer.resources` | Resources override. | `(none)` |
 | `sniffer.tolerations` | Tolerations override. | `(none)` |
@@ -51,9 +51,9 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie
 | Key | Description | Default |
 |---------------------------------|-------------------------------------------------------------|--------------------------------|
 | `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` |
-| `kafkawatcher.image.repository` | Kafka watcher image repository. | `otterize` |
-| `kafkawatcher.image.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
-| `kafkawatcher.image.tag` | Kafka watcher image tag. | `latest` |
+| `kafkawatcher.repository` | Kafka watcher image repository. | `otterize` |
+| `kafkawatcher.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
+| `kafkawatcher.tag` | Kafka watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` |
 | `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` |
 | `kafkawatcher.resources` | Resources override. | `(none)` |
@@ -63,9 +63,9 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie
 | Key | Description | Default |
 |---------------------------------|-----------------------------------------|--------------------------------|
 | `istiowatcher.enable` | Enable Istio watcher deployment (beta). | `false` |
-| `istiowatcher.image.repository` | Istio watcher image repository. | `otterize` |
-| `istiowatcher.image.image` | Istio watcher image. | `network-mapper-istio-watcher` |
-| `istiowatcher.image.tag` | Istio watcher image tag. | `latest` |
+| `istiowatcher.repository` | Istio watcher image repository. | `otterize` |
+| `istiowatcher.image` | Istio watcher image. | `network-mapper-istio-watcher` |
+| `istiowatcher.tag` | Istio watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `istiowatcher.pullPolicy` | Istio watcher pull policy. | `(none)` |
 | `istiowatcher.pullSecrets` | Istio watcher pull secrets. | `(none)` |
 | `istiowatcher.resources` | Resources override. | `(none)` |
diff --git a/docs/reference/configuration/network-mapper/kafka-watcher.mdx b/docs/reference/configuration/network-mapper/kafka-watcher.mdx
index 5161d9246..bdb29e25d 100644
--- a/docs/reference/configuration/network-mapper/kafka-watcher.mdx
+++ b/docs/reference/configuration/network-mapper/kafka-watcher.mdx
@@ -13,16 +13,16 @@ Make sure to include `--set kafkaServers={}` and provide a list of Kafka servers
 Servers in the list should be specified as `name.namespace`.
 ## Kafka watcher parameters
-| Key | Description | Default |
-|---------------------------------|-------------------------------------------------------------|--------------------------------|
-| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` |
-| `kafkawatcher.image.repository` | Kafka watcher image repository. | `otterize` |
-| `kafkawatcher.image.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
-| `kafkawatcher.image.tag` | Kafka watcher image tag. | `latest` |
-| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` |
-| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` |
-| `kafkawatcher.resources` | Resources override. | `(none)` |
-| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` |
+| Key | Description | Default |
+|-----------------------------|-------------------------------------------------------------|--------------------------------|
+| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` |
+| `kafkawatcher.repository` | Kafka watcher image repository. | `otterize` |
+| `kafkawatcher.image` | Kafka watcher image. | `network-mapper-kafka-watcher` |
+| `kafkawatcher.tag` | Kafka watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` |
+| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` |
+| `kafkawatcher.resources` | Resources override. | `(none)` |
+| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` |
 ## Enabling debug logs in Kafka servers
 The Kafka watcher periodically examines logs of Kafka servers provided by the user through configuration,
diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx
index f2b29335d..2854c9d60 100644
--- a/docs/reference/configuration/otterize-chart/README.mdx
+++ b/docs/reference/configuration/otterize-chart/README.mdx
@@ -57,12 +57,12 @@ These parameters are used by multiple charts, and must be kept the same for the
 All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the intents operator's Helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator).
-## Operator parameters
+## Intents Operator parameters
 | Key | Description | Default |
 |-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
-| `intentsOperator.operator.image.repository` | Intents Operator image repository. | `otterize` |
-| `intentsOperator.operator.image.image` | Intents Operator image. | `intents-operator` |
-| `intentsOperator.operator.image.tag` | Intents Operator image tag. | `latest` |
+| `intentsOperator.operator.repository` | Intents Operator image repository. | `otterize` |
+| `intentsOperator.operator.image` | Intents Operator image. | `intents-operator` |
+| `intentsOperator.operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
 | `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
 | `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
 | `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
From e40f354a7d53b0a4fc99e6293e4aac4d38a4fa13 Mon Sep 17 00:00:00 2001
From: Ori Shoshan
Date: Fri, 3 May 2024 10:20:06 +0300
Subject: [PATCH 6/7] Fix clientSecretKeyRef docs
---
.../credentials-operator/helm-chart.mdx | 30 +++++++++----------
.../intents-operator/helm-chart.mdx | 16 +++++-----
.../configuration/otterize-chart/README.mdx | 16 +++++-----
3 files changed, 30 insertions(+), 32 deletions(-)
diff --git a/docs/reference/configuration/credentials-operator/helm-chart.mdx b/docs/reference/configuration/credentials-operator/helm-chart.mdx
index ec1f09231..302941c75 100644
--- a/docs/reference/configuration/credentials-operator/helm-chart.mdx
+++ b/docs/reference/configuration/credentials-operator/helm-chart.mdx
@@ -37,25 +37,23 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
 ## Operator parameters
-| Key | Description | Default |
-|-----------------------|----------------------------|------------------------|
-| `operator.repository` | Operator image repository. | `otterize` |
-| `operator.image` | Operator image. | `credentials-operator` |
-| `operator.tag` | Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
-| `operator.pullPolicy` | Operator pull policy. | `(none)` |
+| Key | Description | Default |
+|-----------------------|----------------------------|----------------------------------------------------------------------|
+| `operator.repository` | Operator image repository. | `otterize` |
+| `operator.image` | Operator image. | `credentials-operator` |
+| `operator.tag` | Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `operator.pullPolicy` | Operator pull policy. | `(none)` |
 ## Cloud parameters
-| Key | Description | Default |
-|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
-| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
-| `global.aws.enabled` | Enable or disable AWS integration | `false` |
-| `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection) | `(none)` |
+| Key | Description | Default |
+|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
+| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
 ## SPIRE parameters
diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx
index 1e6faf410..61d4c578e 100644
--- a/docs/reference/configuration/intents-operator/helm-chart.mdx
+++ b/docs/reference/configuration/intents-operator/helm-chart.mdx
@@ -52,14 +52,14 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
 ## Cloud parameters
-| Key | Description | Default |
-|:-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------|
-| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
-| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
+| Key | Description | Default |
+|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
+| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
 ## Common parameters
 | Key | Description | Default |
diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx
index 2854c9d60..aeabec0dd 100644
--- a/docs/reference/configuration/otterize-chart/README.mdx
+++ b/docs/reference/configuration/otterize-chart/README.mdx
@@ -38,14 +38,14 @@ These parameters are used by multiple charts, and must be kept the same for the
 ## Cloud parameters
-| Key | Description | Default |
-|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
-| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
-| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
+| Key | Description | Default |
+|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretKey` | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | `(none)` |
+| `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` |
+| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
 ## AWS Integration parameters
 | Key | Description | Default |
From 442f647db4328993c3fd5465a5f218db053a9f2b Mon Sep 17 00:00:00 2001
From: Evyatar Meged
Date: Sun, 5 May 2024 13:15:47 +0300
Subject: [PATCH 7/7] Editing database tutorials to use new OSS enforcement (#234)
---
docs/features/postgresql/_category_.json | 1 -
docs/features/postgresql/index.mdx | 20 +++--
.../postgresql/tutorials/postgres-mapping.mdx | 18 +++-
.../postgresql/tutorials/postgres.mdx | 87 ++++++++-----------
docs/getting-started/README.mdx | 15 ++--
src/css/custom.css | 4 -
6 files changed, 72 insertions(+), 73 deletions(-)
diff --git a/docs/features/postgresql/_category_.json b/docs/features/postgresql/_category_.json
index 233ddc86c..94a4efd26 100644
--- a/docs/features/postgresql/_category_.json
+++ b/docs/features/postgresql/_category_.json
@@ -2,7 +2,6 @@
 "label": "PostgreSQL",
 "position": 5,
 "collapsed": true,
- "className": "hideme",
 "customProps": {
 "image": "/img/icons/postgresql-no-word-mark.svg"
 }
diff --git a/docs/features/postgresql/index.mdx b/docs/features/postgresql/index.mdx
index c368263d1..a485f148e 100644
--- a/docs/features/postgresql/index.mdx
+++ b/docs/features/postgresql/index.mdx
@@ -24,8 +24,6 @@ export const postgres_tutorials = [
 Otterize is able to create just-in-time username-and-password pairs for your service, providing them as a Kubernetes Secret that can be mounted to file or mapped to environment variables, as well as `GRANT`ing access to databases and tables, based on `ClientIntents` ([Intents-Based Access Control](/overview/intent-based-access-control)) declarations.
 In addition, Otterize can map the access to your PostgreSQL database, showing you which service is accessing which database, table and which operation it's performing. This can be used to automatically generate the `ClientIntents` declarations.
-Unlike other access controls in Otterize, PostgreSQL support is exclusively available when using Otterize Cloud.
-
 ### Tutorials
 To learn how to use the Intents Operator and Credentials Operator to enforce access using PostgreSQL GRANTs, or map access to your PostgreSQL database, try one of these quickstart tutorials.
@@ -38,8 +38,20 @@ To learn how to use the Intents Operator and Credentials Operator to enforce acc
 Otterize Cloud will create a unique PostgreSQL username-password combination for each service's use, exposed via a Kubernetes Secret. The service will use these credentials to connect to the database. `ClientIntents` will define the access required by that service. As the intents are applied, Otterize Cloud will keep the database's list of users and GRANTs up to date so that the service is able to access it.
-1. To get started, your cluster must have Otterize Cloud installed.
-2. You’ll need to [integrate](https://app.otterize.com/integrations) your database by providing a connection URL and admin-level credentials to manage permissions in your database.
+1. To get started, your cluster must have Otterize deployed.
+2. You'll need to create a `PostgreSQLServerConfig` in your cluster, providing a connection URL and admin-level credentials for Otterize to manage permissions in your database. Below is an example `PostgreSQLServerConfig` resource.
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: PostgreSQLServerConfig
+metadata:
+ name: postgres-tutorial-db # database instance name - should match the target in ClientIntents
+spec:
+ address: # Your Postgres address
+ credentials:
+ username: # Username Otterize will connect with & configure permissions as
+ password: # Password for above username
+```
+
 3. Each service can request a username-password Secret to be created, by annotating the Pod with `credentials-operator.otterize.com/user-password-secret-name`. Below is an example of that annotation and passing the generated credentials into a container with environmental variables.
 ```yaml
@@ -94,7 +104,7 @@ spec:
 service:
 name: server
 calls:
- - name: otterize-tutorial-postgres # Same name as our integration
+ - name: postgres-tutorial-db # Same name as our PostgresSQLServerConfig metadata.name
 type: database
 databaseResources:
 - databaseName: otterize-tutorial
diff --git a/docs/features/postgresql/tutorials/postgres-mapping.mdx b/docs/features/postgresql/tutorials/postgres-mapping.mdx
index 32202f76b..b80afc890 100644
--- a/docs/features/postgresql/tutorials/postgres-mapping.mdx
+++ b/docs/features/postgresql/tutorials/postgres-mapping.mdx
@@ -135,14 +135,26 @@ If your Cloud SQL instance is handling any requests, you may now open your
 [Pub/Sub topic's metrics](https://console.cloud.google.com/cloudpubsub/topic/list) page and observe how audit log records are being directed to it.
+### Apply a PostgreSQLServerConfig in your cluster
+To enable Otterize operators to access your database, apply a PostgreSQLServerConfig in your cluster:
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: PostgreSQLServerConfig
+metadata:
+ name: otterize-tutorial-cloudsql # database instance name - should match the target in ClientIntents
+spec:
+ address: # Your CloudSQL database address
+ credentials:
+ username: # Username Otterize will connect with & configure permissions as
+ password: # Password for above username
+```
+
 ### Create an Otterize database integration and configure visibility log collection
 To configure Otterize Cloud to subscribe and start consuming your Cloud SQL instance's audit logs, create an Otterize database integration and configure it with your GCP project and Pub/Sub topic:
 - Navigate to the [Integrations page](https://app.otterize.com/integrations) on Otterize Cloud and click the + Add Integration button to create a new integration
 - Choose the Database integration type
-- Name your integration otterize-tutorial-cloudsql (this name will be used later in this tutorial)
-- Follow the form to provide your database information & credentials
-- Click Test Connection to ensure that Otterize Cloud is able to access your database instance
+- Name your integration otterize-tutorial-cloudsql
 - Under Visibility settings, choose to collect visibility logs using a GCP Pub/Sub topic
 - Enter your GCP Project ID & Topic name
 - Click Test Visibility to ensure that Otterize Cloud is able to subscribe to your Pub/Sub topic
diff --git a/docs/features/postgresql/tutorials/postgres.mdx b/docs/features/postgresql/tutorials/postgres.mdx
index 7f63d9a63..a4a1e415c 100644
--- a/docs/features/postgresql/tutorials/postgres.mdx
+++ b/docs/features/postgresql/tutorials/postgres.mdx
@@ -33,8 +33,7 @@ The server needs appropriate permissions to access the database. You could use o
 In this tutorial, we will:
 * Deploy an example cluster
-* Make our database accessible to Otterize Cloud
-* Connect our cluster and database to Otterize Cloud
+* Deploy Otterize in our cluster and give it access to our database instance
 * Declare a ClientIntents resource for the server, specifying required access
 * See that the required access has been granted
@@ -53,12 +52,11 @@ Then start your Minikube cluster with Calico, in order to enforce network polici
 ```shell
 minikube start --cpus=4 --memory 4096 --disk-size 32g --cni=calico
 ```
-
+#### 2. Deploy Otterize
+To deploy Otterize, head over to [Otterize Cloud](https://app.otterize.com) and associate a Kubernetes cluster on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions. If you already have a Kubernetes cluster connected, skip this step.
-#### 2. ngrok
-We will be using it to create a proxy to connect our locally running database to Otterize Cloud, for the tutorial's purposes. Once you have a [ngrok account](https://dashboard.ngrok.com/signup), you’ll want to install it in your terminal using the instructions found here: [ngrok install](https://ngrok.com/download)
 # Tutorial
@@ -80,49 +78,33 @@ kubectl create namespace otterize-tutorial-postgres
 kubectl apply -n otterize-tutorial-postgres -f ${ABSOLUTE_URL}/code-examples/postgres/client-server-database.yaml
 ```
-### Make the database accessible to Otterize Cloud
-
-We need to allow Otterize Cloud to access the database server so Otterize Cloud can configure on-demand credentials for our server’s access. This tutorial will expose our database port to our local environment and then proxy it to Otterize Cloud using ngrok. We will need both of these processes up and running during the rest of this tutorial.
-
-In a new terminal window, run the following command to forward our database port from our cluster into your local environment:
-```shell
-kubectl port-forward svc/database 5432:5432 -n otterize-tutorial-postgres
+### Deploy a PostgresServerConfig to allow Otterize DB access
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: PostgreSQLServerConfig
+metadata:
+ name: postgres-tutorial-db
+spec:
+ address: database.otterize-tutorial-postgres.svc.cluster.local:5432
+ credentials:
+ username: otterize-tutorial
+ password: jeffdog523
 ```
+The above CRD tells Otterize how to access a database instance named `postgres-tutorial-db`, meaning that when intents
+are applied requesting access permissions to `postgres-tutorial-db`, Otterize operators will be able to configure
+them.
-
-Now that your database port is accessible to your local environment, we are using ngrok to make that available to Otterize Cloud. For production uses, this can be done through firewall configurations.
+In this tutorial, the `database` workload already comes with the predefined username & password, but for future uses a
+role will have to be created in the database to grant Otterize access as well as the ability to configure other users.
+:::caution
+The type PostgreSQLServerConfig should be considered as sensitive and require high cluster privileges to access.
+:::
-
-In a new terminal window, run:
+Let's apply the above `PostgreSQLServerConfig` so Otterize will know how to access our database instance.
 ```shell
-ngrok tcp 5432
+kubectl apply -f pgserverconf.yaml
 ```
-Once ngrok is running, make note of the *Forwarding* host and port. Will need this for our next step.
-
-### Integrate the database to Otterize Cloud
-
-To add the database, we head over to the [Integrations page](https://app.otterize.com/integrations)
-
-1. Click *Add Integration*
-2. Select Integration Type: *Database*
-3. Provide a name for the integration: *otterize-tutorial-postgres*
-4. Leave the database type set to *PostgreSQL*
-5. Copy your *Forwarding* host and port from ngrok in the *Address* Field. This will look something like `0.tcp.us-cal-1.ngrok.io:14192`. Be sure to remove the `tcp://` portion of the URL.
-6. *Username*: otterize-tutorial, *Password*: jeffdog523
-1. Note this is a superuser, which allows Otterize to create unique credentials for each service. For production, it is recommended to create a privileged user for Otterize’s exclusive use. This user should have the necessary permissions to GRANT access to any databases and tables you want it to manage.
-7. Hit *Test Connection*, and you should see an “OK” status.
-8. Hit the Add button to complete the integration
-
-### Integrate the cluster to Otterize Cloud
-Create a Kubernetes integration on the [Integrations page](https://app.otterize.com/integrations), and follow the instructions.
-
-In the second step, after providing an integration name and environment, choose:
-
-1. mTLS and Kafka Support: None
-2. Enforcement mode: Enabled.
-3. Copy and run the Helm upgrade command.
-4. You should see the Connection status change.
-
-
 ### View logs for the server
 After the client, server, and database are up and running, we can see that the server does not have the appropriate access to the database by inspecting the logs with the following command.
@@ -130,15 +112,16 @@ After the client, server, and database are up and running, we can see that the s
 kubectl logs -f -n otterize-tutorial-postgres deploy/server
 ```
-
- Example log:
- pq: password authentication failed for user "svc_9cigb2qemv_otterize_tutorial_postgres_server"
+Unable to perform INSERT operation
+

+Unable to perform SELECT operation
 ### Define your ClientIntents
-ClientIntents are Otterize’s way of defining access through unique relationships, which lead to perfectly scoped access. In this example, we provide our `server` service the ability to insert select records to allow it to access the database.
+ClientIntents are Otterize’s way of defining access through unique relationships, which lead to perfectly scoped access. In this example, we provide our `server` workload the ability to insert and select records to allow it to access the database.
 Below is our `intents.yaml` file. As you can see, it is scoped to our database named `otterize-tutorial` and our `public.example` table. We also have limited the access to just `SELECT` and `INSERT` operations. We could add more databases, tables, or operations if our service required more access.
@@ -153,7 +136,7 @@ spec:
 service:
 name: server
 calls:
- - name: otterize-tutorial-postgres # Same name as our integration
+ - name: postgres-tutorial-db # Same name as our PostgresSQLServerConfig metadata.name
 type: database
 databaseResources:
 - databaseName: otterize-tutorial
@@ -163,7 +146,7 @@ spec:
 - INSERT
 ```
-We can now apply our intents. Behind the scenes, Otterize Cloud runs `CREATE USER` and `GRANT` queries on the database, making our `SELECT` and `INSERT` errors disappear.
+We can now apply our intents. Behind the scenes,the Otterize credentials-operator created the user for our `server` workload while the intents-operator ran `GRANT` queries on the database, making our `SELECT` and `INSERT` errors disappear.
 ```shell
 kubectl apply -f intents.yaml
@@ -171,8 +154,9 @@ kubectl apply -f intents.yaml
 Example log:
- Successfully INSERTED into our table
- Successfully SELECTED, most recent value: 2024-01-22T18:48:43Z
+Successfully INSERTED into our table
+
+Successfully SELECTED, most recent value: 2024-04-30T13:20:46Z
 That’s it! If your service’s functionality changes, adding or removing access is as simple as updating your ClientIntents definitions. For fun, try altering the `operations` to just `SELECT` or `INSERT`.
@@ -180,7 +164,6 @@ That’s it! If your service’s functionality changes, adding or removing acces
 # Teardown
 To remove the deployed examples, run:
 ```shell
+kubectl delete clientintents.k8s.otterize.com -n otterize-tutorial-postgres client-intents-for-server && \
 kubectl delete namespace otterize-tutorial-postgres
-```
-
-End the ngrok and port forwarding processes by closing the terminal windows or Ctrl-C the processes.
\ No newline at end of file
+```
\ No newline at end of file
diff --git a/docs/getting-started/README.mdx b/docs/getting-started/README.mdx
index b551bfce6..edf2618c1 100644
--- a/docs/getting-started/README.mdx
+++ b/docs/getting-started/README.mdx
@@ -44,18 +44,17 @@ export const features = [
 icon: '/img/icons/kafka-no-word-mark.svg',
 url: '/features/kafka/'
 },
+ {
+ title: 'PostgreSQL',
+ icon: '/img/icons/postgresql-no-word-mark.svg',
+ url: '/features/postgresql/'
+ },
 {
 title: 'Istio',
 icon: '/img/icons/istio-no-word-mark.svg',
 url: '/features/istio/'
- }];
-
-[//]: # ({)
-[//]: # (title: 'PostgreSQL',)
-[//]: # ( icon: '/img/icons/postgresql-no-word-mark.svg',)
-[//]: # ( url: '/features/postgresql/')
-[//]: # ( },)
-
+ },
+];
 export const tutorials_access = [
 {
diff --git a/src/css/custom.css b/src/css/custom.css
index 9706b4009..2cad08536 100644
--- a/src/css/custom.css
+++ b/src/css/custom.css
@@ -397,7 +397,3 @@ footer .container-fluid {
 .dropdown > .navbar__link:after {
 display: none;
 }
-
-.hideme {
- display: none !important;
-}