Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename external access flags #149

Merged
merged 2 commits into from
Nov 12, 2023
Merged

Rename external access flags #149

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
786c882
Rename external access flags
NetanelBollag Oct 5, 2023
e8ae43e
Improve writing
NetanelBollag Oct 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 17 additions & 16 deletions docs/reference/configuration/intents-operator/helm-chart.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,22 +29,23 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor


## Operator parameters
| Key | Description | Default |
|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. <br/>When `defaultActive` is set, enforcement is enabled by default. <br/>When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new `ClientIntents` resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require `ClientIntents` resources &mdash; simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| Key | Description | Default |
|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. <br/>When `defaultActive` is set, enforcement is enabled by default. <br/>When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |

## Watcher parameters
| Key | Description | Default |
Expand Down
Loading
Loading