diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx index db3fd8b0b..21f6bdb28 100644 --- a/docs/reference/configuration/intents-operator/helm-chart.mdx +++ b/docs/reference/configuration/intents-operator/helm-chart.mdx @@ -30,32 +30,26 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor | `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection) | `(none)` | ## Operator parameters -| Key | Description | Default | -|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| -| `operator.image.repository` | Intents Operator image repository. | `otterize` | -| `operator.image.image` | Intents Operator image. | `intents-operator` | -| `operator.image.tag` | Intents Operator image tag. | `latest` | -| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | -| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | -| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | -| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | -| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | -| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | -| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | -| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `operator.resources` | Resources override. | | -| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| Key | Description | Default | +|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------| +| `operator.image.repository` | Intents Operator image repository. | `otterize` | +| `operator.image.image` | Intents Operator image. | `intents-operator` | +| `operator.image.tag` | Intents Operator image tag. | `latest` | +| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | +| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | +| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | +| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | +| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | +| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | +| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | +| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `operator.resources` | Resources override. | | +| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | +| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` | -## Watcher parameters -| Key | Description | Default | -|:---------------------------|:---------------------------|:-------------------------------| -| `watcher.image.repository` | Watcher image repository. | `otterize` | -| `watcher.image.image` | Watcher image. | `intents-operator-pod-watcher` | -| `watcher.image.tag` | Watcher image tag. | `latest` | -| `watcher.pullPolicy` | Watcher image pull policy. | `(none)` | -| `watcher.resources` | Watcher Resources. | | ## Cloud parameters | Key | Description | Default | diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx index f10a36ab0..f2b29335d 100644 --- a/docs/reference/configuration/otterize-chart/README.mdx +++ b/docs/reference/configuration/otterize-chart/README.mdx @@ -58,23 +58,24 @@ All configurable parameters of intents-operator can be configured under the alia Further information about intents-operator parameters can be found [in the intents operator's Helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator). ## Operator parameters -| Key | Description | Default | -|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| -| `intentsOperator.operator.image.repository` | Intents Operator image repository. | `otterize` | -| `intentsOperator.operator.image.image` | Intents Operator image. | `intents-operator` | -| `intentsOperator.operator.image.tag` | Intents Operator image tag. | `latest` | -| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | -| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | -| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | -| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | -| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | -| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | -| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | -| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `intentsOperator.operator.resources` | Resources override. | | -| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| Key | Description | Default | +|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| +| `intentsOperator.operator.image.repository` | Intents Operator image repository. | `otterize` | +| `intentsOperator.operator.image.image` | Intents Operator image. | `intents-operator` | +| `intentsOperator.operator.image.tag` | Intents Operator image tag. | `latest` | +| `intentsOperator.operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | +| `intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` | +| `intentsOperator.operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` | +| `intentsOperator.operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` | +| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` | +| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` | +| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` | +| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `intentsOperator.operator.resources` | Resources override. | | +| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` | +| `intentsOperator.enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` | ## SPIRE parameters