Rename external access flags
NetanelBollag committed Oct 5, 2023
1 parent 7cadfc3 commit a9f6a32
Showing 2 changed files with 34 additions and 32 deletions.
33 changes: 17 additions & 16 deletions docs/reference/configuration/intents-operator/helm-chart.mdx
Expand Up @@ -29,22 +29,23 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor


## Operator parameters
| Key | Description | Default |
|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. <br/>When `defaultActive` is set, enforcement is enabled by default. <br/>When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new `ClientIntents` resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require `ClientIntents` resources &mdash; simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| Key | Description | Default |
|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. <br/>When `defaultActive` is set, enforcement is enabled by default. <br/>When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |

## Watcher parameters
| Key | Description | Default |
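
Review bot: The new `operator.allowExternalTraffic` row does not say how it interacts with the two flags it deprecates, which remain in the table with their own defaults (`true` and `false`). Add a sentence stating which setting wins when both old and new are present, and how the old boolean combinations map onto `ifBlockedByOtterize`, `off` and `always`, so that an upgrade does not silently widen or narrow the external-traffic network policies the operator creates. In the same row, the parenthetical "(this option is **experimental**)" follows `always` but can be read as covering the whole key; if it is meant to apply only to `always`, say so directly. Smaller points: "automatically create network policies" should read "automatically creates", "all such resource" should be "resources", the two deprecated rows dropped the backticks around `ClientIntents`, and "(deprecated, use `allowExternalTraffic` instead)" should match the "(**Deprecated**; use `mode` instead)" style already used on `operator.enableEnforcement`.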