Merge branch 'main' of ssh://github.com/otterize/docs into bglynn/egr…

…ess-access-control-tutorial

.github/workflows/test-build.yml

@@ -19,4 +19,4 @@ jobs:
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Test build website
-        run: yarn build
+        run: yarn validate

docs/_common/install-otterize-cli.md

@@ -13,15 +13,15 @@ brew install otterize/otterize/otterize-cli
 <TabItem value="Apple Silicon" label="Apple Silicon">
 
 ```bash
-curl -LJO https://get.otterize.com/otterize-cli/v1.0.4/otterize_macOS_arm64_notarized.zip
+curl -LJO https://get.otterize.com/otterize-cli/v1.0.5/otterize_macOS_arm64_notarized.zip
 tar xf otterize_macOS_arm64_notarized.zip
 sudo cp otterize /usr/local/bin  # optionally move to PATH
 ```
 </TabItem>
 <TabItem value="Intel 64-bit" label="Intel 64-bit">
 
 ```bash
-curl -LJO https://get.otterize.com/otterize-cli/v1.0.4/otterize_macOS_x86_64_notarized.zip
+curl -LJO https://get.otterize.com/otterize-cli/v1.0.5/otterize_macOS_x86_64_notarized.zip
 tar xf otterize_macOS_x86_64_notarized.zip
 sudo cp otterize /usr/local/bin  # optionally move to PATH
 ```
@@ -42,7 +42,7 @@ scoop install otterize-cli
 <TabItem value="64-bit" label="64-bit">
 
 ```PowerShell
-Invoke-WebRequest -Uri https://get.otterize.com/otterize-cli/v1.0.4/otterize_windows_x86_64.zip -OutFile otterize_Windows_x86_64.zip
+Invoke-WebRequest -Uri https://get.otterize.com/otterize-cli/v1.0.5/otterize_windows_x86_64.zip -OutFile otterize_Windows_x86_64.zip
 Expand-Archive otterize_Windows_x86_64.zip -DestinationPath .
 # optionally move to PATH
 ```
@@ -54,7 +54,7 @@ Expand-Archive otterize_Windows_x86_64.zip -DestinationPath .
 <TabItem value="64-bit" label="64-bit">
 
 ```bash
-wget https://get.otterize.com/otterize-cli/v1.0.4/otterize_linux_x86_64.tar.gz
+wget https://get.otterize.com/otterize-cli/v1.0.5/otterize_linux_x86_64.tar.gz
 tar xf otterize_linux_x86_64.tar.gz
 sudo cp otterize /usr/local/bin  # optionally move to PATH
 ```

docs/faq/README.mdx

@@ -36,7 +36,7 @@ the labels which Otterize configured Kubernetes to put on the pod serve as a kin
 IBAC is short for intent-based access control, which is **a new paradigm** for configuring service-to-service access
 control based on the client service declaring what server calls (or operations) it intends to make.
 
-For more information, see the [IBAC documentation page](/intent-based-access-control).
+For more information, see the [IBAC documentation page](/overview/intent-based-access-control).
 
 </details>
 
@@ -87,7 +87,7 @@ to integrate with your infrastructure, e.g. for integrating with Kafka outside o
 
 Sure, in fact we recommend that you roll out IBAC gradually, to grow your and your organization's confidence in this approach.
 Change, even when positive, is not always easy to manage. Tools such as the network mapper let you bootstrap intents files to make
-adoption by teams that own specific services much easier. Read the various tutorials for [network policies](/quickstart/access-control/k8s-network-policies), [Kafka](/quickstart/access-control/k8s-kafka-mtls), [network mapping](/quickstart/visualization/k8s-network-mapper).
+adoption by teams that own specific services much easier. Read the various tutorials for [network policies](/features/network-mapping-network-policies/tutorials/k8s-network-policies), [Kafka](/features/kafka/tutorials/k8s-kafka-mtls), [network mapping](/features/network-mapping-network-policies/tutorials/k8s-network-mapper).
 to see how to roll out IBAC gradually for various use cases.
 
 </details>
@@ -98,7 +98,7 @@ to see how to roll out IBAC gradually for various use cases.
 
 Otterize's approach is to configure and use your existing infrastructure as much as possible, rather than replacing existing components, and help you achieve zero-trust through effective use of authentication and authorization across heterogeneous infrastructures and tech stacks. The drivers for authentication and authorization are client intents: metadata that's used to configure enforcement points.
 
-In contrast, service meshes aim to solve a whole slew of problems and tasks related to microservices, such as request routing and load balancing, circuit breaking, retries, rate limiting, blue/green deployment, service discovery, observability and metrics, as well as authentication and authorization. Otterize does not aim to do all of these things &mdash; only authentication and authorization. And even there, it does not aim to replace enforcement points for authN/authZ &mdash; it just configures them based on client intents and any overriding rules. So if a service mesh is used to enforce access, Otterize would configure it based on client intents (and any override rules) &mdash; as we do with [our support for Istio](/quickstart/access-control/k8s-istio-authorization-policies).
+In contrast, service meshes aim to solve a whole slew of problems and tasks related to microservices, such as request routing and load balancing, circuit breaking, retries, rate limiting, blue/green deployment, service discovery, observability and metrics, as well as authentication and authorization. Otterize does not aim to do all of these things &mdash; only authentication and authorization. And even there, it does not aim to replace enforcement points for authN/authZ &mdash; it just configures them based on client intents and any overriding rules. So if a service mesh is used to enforce access, Otterize would configure it based on client intents (and any override rules) &mdash; as we do with [our support for Istio](/features/istio/tutorials/k8s-istio-authorization-policies).
 
 Unlike Otterize, service meshes generally aim to be the a one-stop-shop for all your needs, replacing many of the technologies you currently use. For many, this actually turns out to be friction, especially if you just want to apply authorization, and don't wish to change various technologies that are already working for you.
 

docs/features/azure-iam/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Azure IAM",
+  "position": 2,
+  "collapsed": true,
+  "customProps": {
+    "image": "/img/icons/azure.png"
+  }
+}

docs/features/azure-iam/index.mdx

@@ -0,0 +1,68 @@
+---
+sidebar_position: 1
+title: Azure IAM | Overview
+hide_table_of_contents: true
+hide_title: true
+---
+
+import DocsLinkCard from "@site/src/components/LinkCard";
+
+export const tutorials = [
+    {
+        title: 'Automate Azure IAM for AKS',
+        description: 'Create just-in-time Azure workload identities & role assignments that are kept in sync with your workloads',
+        url: '/features/azure-iam/tutorials/azure-iam-aks'
+    },
+];
+
+
+# Azure IAM
+
+:::info
+Azure IAM support is currently a part of our early access program.
+Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch!
+:::
+
+
+Otterize can create just-in-time Azure IAM workload identities & role assignments for your workloads running on AKS Kubernetes clusters, greatly simplifying the lifecycle of managing Azure IAM identities and roles.
+
+### Tutorials
+
+To learn how to use the Intents Operator and Credentials Operator to manage just-in-time Azure IAM access, check out the tutorial.
+<DocsLinkCard items={tutorials} colSize={"sm"}/>
+
+
+### How does Otterize work with Azure IAM?
+
+1. First, the AKS cluster must have [Otterize installed](/overview/installation), as well as the Otterize Azure integration configured.
+2. To have a workload identity created for a pod, label the pod with `credentials-operator.otterize.com/create-azure-workload-identity: "true"`
+3. The credentials operator will create an Azure workload identity and federated identity credential bound to the pod's ServiceAccount. The ServiceAccount will be annotated automatically.
+4. At this point, the pod is able to assume the identity, but it does not have the permissions to perform any actions.
+We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster.
+Below is an example of a ClientIntents file for accessing an Azure Storage Blobs bucket.
+View the [reference](/features/azure-iam/reference) to learn more about the Azure IAM ClientIntents syntax.
+5. Once the intent is applied, the intents operator will create a new role assignment, which will be attached to the workload identity with the appropriate access.
+6. Done!
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: client
+  namespace: otterize-tutorial-azure-iam
+spec:
+  service:
+    name: client
+  calls:
+    - name: "/providers/Microsoft.Storage/storageAccounts/otterizetutorialazureiam/blobServices/default/containers/test"
+      type: azure
+      azureRoles:
+        - "Storage Blob Data Contributor"
+```
+
+### Automatically generating ClientIntents for Azure IAM
+
+Figuring out which access you need for Azure can be a painful, trial and error process, and something you _must_ do if you're tightening production access.
+
+Otterize is getting ready to release support for using existing traffic to generate least-privilege Azure IAM policies. Keen to try this out as part of early access? Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch!
+

docs/features/azure-iam/reference.mdx

@@ -0,0 +1,43 @@
+---
+sidebar_position: 3
+title: Reference
+---
+
+### ClientIntents example (YAML)
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  # The name of the pod that will be granted access
+  name: client
+spec:
+  service:
+    name: client
+  calls:
+    # The Azure resource ID that references the resource(s) for the authorization. Subscription & resource group are automatically appended.
+    - name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer"
+      type: azure
+      # one or more Azure roles that will be provided to the specified resources
+      azureRoles:
+        - "Storage Blob Data Contributor"
+```
+
+### Annotations
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `credentials-operator.otterize.com/create-azure-workload-identity` | By setting to **true** the credential operator will create an Azure workload identity the associated pod | `false` |
+
+
+### Helm Chart options
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.azure.enabled`                                       | Enable or disable Azure integration                                                                                                                                                            | `false`  |
+| `azure.userAssignedIdentityID` | ID of the user assigned identity used by the operator to access Azure. | `(none)` |
+| `azure.subscriptionID`         | ID of the Azure subscription in which the AKS cluster is deployed.     | `(none)` |
+| `azure.resoureceGroup`         | Name of the Azure resource group in which the AKS cluster is deployed. | `(none)` |
+| `azure.aksClusterName`         | Name of the AKS cluster in which the operator is deployed.             | `(none)` |
+
+View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options

docs/features/azure-iam/tutorials/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Tutorials",
+  "position": 2,
+  "collapsed": false
+}