Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added documentation for PostgreSQL support #183

Merged
merged 1 commit into from
Dec 17, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion docs/reference/configuration/intents-operator/README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -69,13 +69,16 @@ The intents operator can also be configured to process client intents *without*

The Otterize credentials operator automatically registers client pods with the credentials service — either a SPIRE server, or the Otterize Cloud-managed credentials service — and writes the trusted credentials generated by that service into Kubernetes secrets for use by those pods. The intents operator takes `ClientIntents` with `type: kafka` and creates Kafka ACLs that grant the requested access to the cryptographic identities (SVIDs) created by the credentials operator.


#### ACL creation and consumer groups
A Kafka client may specify a consumer group ID when consuming a topic. When it does so, it requires DESCRIBE and READ access to the consumer group resource.
To enable this, the intents operator creates an ACL enabling all consumers to read and describe all consumer groups.
The permission check performed by the AclAuthorizer for a consumer group also takes into account whether the consumer has the appropriate access to the topic
it is attempting to read, so the end result is that the topic ACLs determine actual access.

### PostgreSQL users & access
The intents operator automatically creates, and updates credentials in PostgreSQL databases according to the declared intents. It works together with the Otterize credentials operator to easily enable secure access to PostgreSQL from client pods, all in your Kubernetes cluster.

Try the [Just-in-time PostgreSQL users & access](https://docs.otterize.com/quickstart/access-control/postgresql) tutorial to learn more.

### Istio AuthorizationPolicy
The intents operator automatically creates, updates and deletes Istio authorization policies, automatically looks up service accounts for client pods and labels server pods, to reflect precisely the client-to-server calls declared in client intents files.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |

## Watcher parameters
| Key | Description | Default |
Expand Down
2 changes: 1 addition & 1 deletion docs/reference/configuration/otterize-chart/README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ Further information about intents-operator parameters can be found [in the inten
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `intentsOperator.operator.resources` | Resources override. | |
| `intentsOperator.operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| `intentsOperator.operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |


## SPIRE parameters
Expand Down
Loading