From ad0a64629a60e64d3620965c0f59ade65fe40247 Mon Sep 17 00:00:00 2001 From: Evyatar Meged Date: Sun, 23 Jun 2024 10:27:51 +0300 Subject: [PATCH] Adding reference for new secret rotation interval entry in credentials operator (#245) --- .../credentials-operator/helm-chart.mdx | 21 +++-- .../intents-operator/helm-chart.mdx | 39 ++++---- .../network-mapper/helm-chart.mdx | 90 +++++++++---------- .../configuration/otterize-chart/README.mdx | 80 +++++++++-------- 4 files changed, 124 insertions(+), 106 deletions(-) diff --git a/docs/reference/configuration/credentials-operator/helm-chart.mdx b/docs/reference/configuration/credentials-operator/helm-chart.mdx index 302941c75..9580d27ac 100644 --- a/docs/reference/configuration/credentials-operator/helm-chart.mdx +++ b/docs/reference/configuration/credentials-operator/helm-chart.mdx 
@@ -37,12 +37,13 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## Operator parameters -| Key | Description | Default | -|-----------------------|----------------------------|----------------------------------------------------------------------| -| `operator.repository` | Operator image repository. | `otterize` | -| `operator.image` | Operator image. | `credentials-operator` | -| `operator.tag` | Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `operator.pullPolicy` | Operator pull policy. | `(none)` | +| Key | Description | Default | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| `operator.repository` | Operator image repository. | `otterize` | +| `operator.image` | Operator image. | `credentials-operator` | +| `operator.tag` | Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `operator.pullPolicy` | Operator pull policy. | `(none)` | +| `operator.extraEnvVars` | Extra environment variables to pass to the credentials operator pod. To set an environment variable: `"operator.extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"operator.extraEnvVars[0].value=someValue"` | ## Cloud parameters 
@@ -62,6 +63,7 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor |-----------------------|----------------------------------------------------------------------------------------------------------------|------------------------| | `spire.serverAddress` | Specify the SPIRE-server's address. You should use either this OR `global.spire.serverServiceName` (not both). | | | `spire.socketsPath` | SPIRE sockets path. The operator will expect to find agent.sock in the host-mounted folder | `"/run/spire/sockets"` | + ## Common parameters | Key | Description | Default | |------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| @@ -71,4 +73,9 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## AWS integration parameters | Key | Description | Default | |---------------|----------------------------------------------------------|----------| -| `aws.roleARN` | ARN of the AWS role the operator will use to access AWS. | `(none)` | \ No newline at end of file +| `aws.roleARN` | ARN of the AWS role the operator will use to access AWS. | `(none)` | + +## Credentials operator parameters +| Key | Description | Default | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------| +| `databaseSecretRotationInterval` | Interval in which secrets created by the credentials operator will be rotated. Valid time units are "ns", "ms", "s", "m", "h" | `8h` | \ No newline at end of file 
diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx index 61d4c578e..13554db7b 100644 --- a/docs/reference/configuration/intents-operator/helm-chart.mdx +++ b/docs/reference/configuration/intents-operator/helm-chart.mdx @@ -30,25 +30,26 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor | `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection) | `(none)` | ## Operator parameters -| Key | Description | Default | -|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------| -| `operator.repository` | Intents Operator image repository. | `otterize` | -| `operator.image` | Intents Operator image. | `intents-operator` | -| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | -| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | -| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | -| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | -| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | -| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | -| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. 
| `true` | -| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `operator.resources` | Resources override. | | -| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | -| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | -| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` | +| Key | Description | Default | +|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| `operator.repository` | Intents Operator image repository. | `otterize` | +| `operator.image` | Intents Operator image. | `intents-operator` | +| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `operator.pullPolicy` | Intents Operator image pull policy. 
| `(none)` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | +| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | +| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | +| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | +| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | +| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | +| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. 
| `true` | +| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `operator.resources` | Resources override. | | +| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | +| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` | +| `extraEnvVars` | Extra environment variables to pass to the intents operator pod. To set an environment variable: `"extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"extraEnvVars[0].value=someValue"` | ## Cloud parameters diff --git a/docs/reference/configuration/network-mapper/helm-chart.mdx b/docs/reference/configuration/network-mapper/helm-chart.mdx index 292237c5e..537c0a146 100644 --- a/docs/reference/configuration/network-mapper/helm-chart.mdx +++ b/docs/reference/configuration/network-mapper/helm-chart.mdx 
@@ -13,15 +13,15 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie # Parameters ## Mapper parameters -| Key | Description | Default | -|--------------------------------|-------------------------------------------------------------------------------------------------|------------------| -| `mapper.repository` | Mapper image repository. | `otterize` | -| `mapper.image` | Mapper image. | `network-mapper` | -| `mapper.tag` | Mapper image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `mapper.pullPolicy` | Mapper pull policy. | `(none)` | -| `mapper.resources` | Resources override. | `(none)` | -| `mapper.uploadIntervalSeconds` | Interval for uploading data to cloud | `60` | -| `mapper.extraEnvVars` | List of extra env vars for the mapper, formatted as in the Kubernetes PodSpec (name and value). | `(none)` | +| Key | Description | Default | +|--------------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| `mapper.repository` | Mapper image repository. | `otterize` | +| `mapper.image` | Mapper image. | `network-mapper` | +| `mapper.tag` | Mapper image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `mapper.pullPolicy` | Mapper pull policy. | `(none)` | +| `mapper.resources` | Resources override. | `(none)` | +| `mapper.uploadIntervalSeconds` | Interval for uploading data to cloud | `60` | +| `mapper.extraEnvVars` | List of extra env vars for the mapper, formatted as in the Kubernetes PodSpec (name and value). | `(none)` | ## Internet-facing traffic reporting | Key | Description | Default | 
@@ -36,39 +36,39 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie | `opentelemetry.metricName` | The name of the OpenTelemetry metric name exported for the Grafana Tempo-style metric. | `traces_service_graph_request_total` | ## Sniffer parameters -| Key | Description | Default | -|-----------------------------|---------------------------|--------------------------| -| `sniffer.repository` | Sniffer image repository. | `otterize` | -| `sniffer.image` | Sniffer image. | `network-mapper-sniffer` | -| `sniffer.tag` | Sniffer image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `sniffer.pullPolicy` | Sniffer pull policy. | `(none)` | -| `sniffer.resources` | Resources override. | `(none)` | -| `sniffer.tolerations` | Tolerations override. | `(none)` | -| `sniffer.priorityClassName` | Set priorityClassName. | `(none)` | +| Key | Description | Default | +|-----------------------------|---------------------------|----------------------------------------------------------------------| +| `sniffer.repository` | Sniffer image repository. | `otterize` | +| `sniffer.image` | Sniffer image. | `network-mapper-sniffer` | +| `sniffer.tag` | Sniffer image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `sniffer.pullPolicy` | Sniffer pull policy. | `(none)` | +| `sniffer.resources` | Resources override. | `(none)` | +| `sniffer.tolerations` | Tolerations override. | `(none)` | +| `sniffer.priorityClassName` | Set priorityClassName. | `(none)` | ## Kafka watcher parameters -| Key | Description | Default | -|---------------------------------|-------------------------------------------------------------|--------------------------------| -| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` | -| `kafkawatcher.repository` | Kafka watcher image repository. | `otterize` | -| `kafkawatcher.image` | Kafka watcher image. 
| `network-mapper-kafka-watcher` | -| `kafkawatcher.tag` | Kafka watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` | -| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` | -| `kafkawatcher.resources` | Resources override. | `(none)` | -| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` | +| Key | Description | Default | +|-----------------------------|-------------------------------------------------------------|----------------------------------------------------------------------| +| `kafkawatcher.enable` | Enable Kafka watcher deployment (beta). | `false` | +| `kafkawatcher.repository` | Kafka watcher image repository. | `otterize` | +| `kafkawatcher.image` | Kafka watcher image. | `network-mapper-kafka-watcher` | +| `kafkawatcher.tag` | Kafka watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `kafkawatcher.pullPolicy` | Kafka watcher pull policy. | `(none)` | +| `kafkawatcher.pullSecrets` | Kafka watcher pull secrets. | `(none)` | +| `kafkawatcher.resources` | Resources override. | `(none)` | +| `kafkawatcher.kafkaServers` | Kafka servers to watch, specified as `pod.namespace` items. | `(none)` | ## Istio watcher parameters -| Key | Description | Default | -|---------------------------------|-----------------------------------------|--------------------------------| -| `istiowatcher.enable` | Enable Istio watcher deployment (beta). | `false` | -| `istiowatcher.repository` | Istio watcher image repository. | `otterize` | -| `istiowatcher.image` | Istio watcher image. | `network-mapper-istio-watcher` | -| `istiowatcher.tag` | Istio watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `istiowatcher.pullPolicy` | Istio watcher pull policy. 
| `(none)` | -| `istiowatcher.pullSecrets` | Istio watcher pull secrets. | `(none)` | -| `istiowatcher.resources` | Resources override. | `(none)` | +| Key | Description | Default | +|----------------------------|-----------------------------------------|----------------------------------------------------------------------| +| `istiowatcher.enable` | Enable Istio watcher deployment (beta). | `false` | +| `istiowatcher.repository` | Istio watcher image repository. | `otterize` | +| `istiowatcher.image` | Istio watcher image. | `network-mapper-istio-watcher` | +| `istiowatcher.tag` | Istio watcher image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `istiowatcher.pullPolicy` | Istio watcher pull policy. | `(none)` | +| `istiowatcher.pullSecrets` | Istio watcher pull secrets. | `(none)` | +| `istiowatcher.resources` | Resources override. | `(none)` | ## Cloud parameters | Key | Description | Default | 
@@ -81,14 +81,14 @@ Checkout the network mapper [tutorial](/features/network-mapping-network-policie | `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` | ## Global parameters -| Key | Description | Default | -|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | | -| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | -| `global.commonAnnotations` | Annotations to add to all deployed objects | {} | -| `global.commonLabels` | Labels to add to all deployed objects | {} | -| `global.podAnnotations` | Annotations to add to all deployed pods | {} | -| `global.podLabels` | Labels to add to all deployed pods | {} | +| Key | Description | Default | +|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| +| `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. 
| | +| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | +| `global.commonAnnotations` | Annotations to add to all deployed objects | {} | +| `global.commonLabels` | Labels to add to all deployed objects | {} | +| `global.podAnnotations` | Annotations to add to all deployed pods | {} | +| `global.podLabels` | Labels to add to all deployed pods | {} | | `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` | diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx index aeabec0dd..1d6bedc1f 100644 --- a/docs/reference/configuration/otterize-chart/README.mdx +++ b/docs/reference/configuration/otterize-chart/README.mdx 
@@ -20,21 +20,21 @@ For example, it configures the credentials operator to work with the deployed SP ## Global parameters These parameters are used by multiple charts, and must be kept the same for the correct functioning of the separate components. -| Key | Description | Default | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------| -| `global.spiffe.CASubject` | The Subject that CA certificates should use (see below). | | -| `global.spiffe.CASubject.country` | SPIRE's CA certificates `Country` value. | `"US"` | -| `global.spiffe.CASubject.organization` | SPIRE's CA certificates `Organization` Value. | `"SPIRE"` | -| `global.spiffe.trustDomain` | The trust domain that SPIRE will use. | `"example.org"` | -| `global.certificateProvider` | What provider should be used to generate certificates/credentials - `"spire"`, `"otterize-cloud"` or `"cert-manager"` | `"spire"` | -| `global.spire.serverServiceName` | Name of the Kubernetes service that will be created for SPIRE-server. | | -| `global.allowGetAllResources` | If defined overrides `allowGetAllResources` in subcharts. Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. 
Resolving may not be able to complete if the owning resource is not one of those. | | -| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | -| `global.commonAnnotations` | Annotations to add to all deployed objects | {} | -| `global.commonLabels` | Labels to add to all deployed objects | {} | -| `global.podAnnotations` | Annotations to add to all deployed pods | {} | -| `global.podLabels` | Labels to add to all deployed pods | {} | -| `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` | +| Key | Description | Default | +|--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| +| `global.spiffe.CASubject` | The Subject that CA certificates should use (see below). | | +| `global.spiffe.CASubject.country` | SPIRE's CA certificates `Country` value. | `"US"` | +| `global.spiffe.CASubject.organization` | SPIRE's CA certificates `Organization` Value. | `"SPIRE"` | +| `global.spiffe.trustDomain` | The trust domain that SPIRE will use. 
| `"example.org"` | +| `global.certificateProvider` | What provider should be used to generate certificates/credentials - `"spire"`, `"otterize-cloud"` or `"cert-manager"` | `"spire"` | +| `global.spire.serverServiceName` | Name of the Kubernetes service that will be created for SPIRE-server. | | +| `global.allowGetAllResources` | If defined overrides `allowGetAllResources` in subcharts. Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those. | | +| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | +| `global.commonAnnotations` | Annotations to add to all deployed objects | {} | +| `global.commonLabels` | Labels to add to all deployed objects | {} | +| `global.podAnnotations` | Annotations to add to all deployed pods | {} | +| `global.podLabels` | Labels to add to all deployed pods | {} | +| `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` | ## Cloud parameters 
@@ -57,25 +57,25 @@ These parameters are used by multiple charts, and must be kept the same for the All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the intents operator's Helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator). -## Intents Operator parameters -| Key | Description | Default | -|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| -| `intentsOperator.operator.repository` | Intents Operator image repository. | `otterize` | -| `intentsOperator.operator.image` | Intents Operator image. | `intents-operator` | -| `intentsOperator.operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | -| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | -| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | -| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | -| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | -| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | -| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. 
| `true` | -| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `intentsOperator.operator.resources` | Resources override. | | -| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | -| `intentsOperator.enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | +| Key | Description | Default | +|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| `intentsOperator.operator.repository` | Intents Operator image repository. | `otterize` | +| `intentsOperator.operator.image` | Intents Operator image. | `intents-operator` | +| `intentsOperator.operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. 
| `(none)` | +| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | +| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | +| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | +| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | +| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | +| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | +| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. 
| `true` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `intentsOperator.operator.resources` | Resources override. | | +| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| `intentsOperator.enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | +| `intentsOperator.extraEnvVars` | Extra environment variables to pass to the intents operator pod. To set an environment variable: `"intentsOperator.extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"intentsOperator.extraEnvVars[0].value=someValue"` | ## SPIRE parameters 
@@ -86,9 +86,19 @@ Further information about `SPIRE` parameters can be found [in SPIRE's Helm chart All configurable parameters of the network mapper can be configured under the alias `networkMapper`. Further information about network mapper parameters can be found [in the network mapper's chart](https://github.com/otterize/helm-charts/tree/main/network-mapper). +| Key | Description | Default | +|-------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| `networkMapper.mapper.extraEnvVars` | Extra environment variables to pass to the network mapper pod. To set an environment variable: `"networkMapper.mapper.extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"networkMapper.mapper.extraEnvVars[0].value=someValue"` | + + ## Credentials operator parameters All configurable parameters of the credentials operator can be configured under the alias `credentialsOperator`. -Further information about network mapper parameters can be found [in the network mapper's chart](https://github.com/otterize/helm-charts/tree/main/credentials-operator). +Further information about network mapper parameters can be found [in the credentials operator's chart](https://github.com/otterize/helm-charts/tree/main/credentials-operator). + +| Key | Description | Default | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| `credentialsOperator.databaseSecretRotationInterval` | Interval in which secrets created by the credentials operator will be rotated. 
Valid time units are "ns", "ms", "s", "m", "h" | `8h` | +| `credentialsOperator.operator.extraEnvVars` | Extra environment variables to pass to the credentials operator pod. To set an environment variable: `"credentialsOperator.operator.extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"credentialsOperator.operator.extraEnvVars[0].value=someValue"` | ## Resource configuration | Component | Key | Default |
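Review bot: The corrected link now points at the credentials operator's chart, but the sentence still reads "Further information about network mapper parameters can be found ..."; change it to "credentials operator parameters" so the copy/paste error is fixed in the text as well as the URL. Two points on the new `credentialsOperator.databaseSecretRotationInterval` row: the description says "secrets created by the credentials operator will be rotated", which is broader than the key name (`database...`) suggests, so state which secrets the interval applies to (database credentials only, or also others) to avoid readers assuming it rotates TLS material too; and the description breaks across a line before "Valid time units are ...", which ends the table row in Markdown/MDX, so keep the cell on one line or use an explicit `<br/>` as the intents table's `mode` row would also need. Finally, consider documenting the accepted value format beyond the unit list (for example that `0` or an empty value disables rotation, if that is the behaviour), since an operator wanting to tighten or disable rotation has no way to tell from this row.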