Doc restructuring

.gitignore

@@ -21,3 +21,4 @@ yarn-error.log*
 
 .idea
 package-lock.json
+.vercel

docs/features/README.mdx

@@ -0,0 +1,54 @@
+---
+sidebar_position: 1
+title: Features
+hide_title: true
+---
+
+
+import {
+    useCurrentSidebarCategory
+} from '@docusaurus/theme-common';
+
+
+
+export default function FeatureCards() {
+    const category = useCurrentSidebarCategory();
+    const features = category.items;
+    console.log(JSON.stringify(features));
+    return (
+        <div className="tw-m-8">
+            <h1 className="tw-text-2xl tw-font-medium">Features</h1>
+            <p className="tw-">
+                Otterize makes it easy to create and visualize authorization for your Kubernetes clusters across a
+                variety of
+                services. Explore each below.
+            </p>
+            <div role="list" className="tw-grid tw-gap-6 tw-grid-cols-3">
+                {features.map((feature) => (
+                    <div key={feature.label}
+                         className="tw-col-span-1 tw-flex tw-flex-col tw-divide-y tw-divide-gray-200 tw-rounded-lg tw-border tw-border-solid tw-border-primary-500 tw-bg-white tw-text-center tw-border-1 tw-border-primary-400 tw-border-solid hover:tw-border-primary-600 hover:tw-shadow-md">
+                            <a href={feature.href} className="hover:tw-no-underline hover:tw-font-extrabold">
+                                <div className="tw-flex tw-flex-1 tw-flex-col tw-p-8">
+                                    <div
+                                        className=" tw-flex tw-max-h-16 tw-h-16 tw-w-full text-center tw-justify-center ">
+                                        {feature.customProps && feature.customProps.image &&
+                                            <img className="justify-self-center tw-max-h-16"
+                                                 src={feature.customProps.image}
+                                                 alt=""/>
+                                        }
+                                    </div>
+                                    <h3 className="tw-mt-6 tw-text-lg tw-font-semibold tw-text-gray-black">{feature.label}</h3>
+                                </div>
+                            </a>
+                    </div>
+                ))}
+            </div>
+        </div>
+    )
+}
+
+
+
+
+
+

docs/features/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Features",
+  "position": 3,
+  "collapsed": false,
+  "customProps": {
+    "image": "/img/icons/aws.png"
+  }
+}

docs/features/aws-iam/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "AWS IAM",
+  "position": 2,
+  "collapsed": true,
+  "customProps": {
+    "image": "/img/icons/aws.png"
+  }
+}

docs/features/aws-iam/index.mdx

@@ -0,0 +1,46 @@
+---
+sidebar_position: 1
+title: AWS IAM | Overview
+hide_table_of_contents: true
+hide_title: true
+---
+
+# AWS IAM
+
+Otterize can provide least-privilege access from your EKS Kubernetes clusters to AWS Resources with [IBAC](/overview/intent-based-access-control/) support for AWS's IAM policies.
+
+### About
+
+In many workloads, EKS clusters must access external cloud resources such as databases, object storage, or additional services. Otterize provides unique credentials and policies for each pod for exactly the authorization they require.
+
+### How does it work
+
+To follow along with a full example, take a look at [Automate AWS IAM for EKS](/features/aws-iam/tutorials/aws-iam-eks)
+
+1. First, the EKS cluster must have [Otterize installed](/overview/installation).
+2. We must label the pod with `credentials-operator.otterize.com/create-aws-role: "true"`
+3. Once that is complete, Otterize’s credential operator will create a role and an `AssumeRolePolicy` bound to ServiceAccount.
+4. At this point, the role does not have the ability to perform any actions. We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. Below is an example of a ClientIntents file for accessing an S3 bucket. View the [reference](/features/aws-iam/reference) to learn more about the AWS IAM Client Intent syntax.
+5. Once the intent is applied, a new policy will be attached to the service’s role with the appropriate access.
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: server
+spec:
+  service:
+    name: server
+  calls:
+    - name: arn:aws:s3:::example-bucket-*/*
+      type: aws
+      awsActions:
+        - "s3:PutObject"
+        - "s3:GetObject"
+```
+
+### Coming soon
+
+Building least-privilege access can be difficult. Many actions have dependent actions, or services can require a lot of access to perform their functions. To help reduce this burden, Otterize will provide automated ClientIntents based on the actions your service actually requires by detecting the calls being made and converting them into the necessary YAML syntax.
+
+

docs/features/aws-iam/reference.mdx

@@ -0,0 +1,47 @@
+---
+sidebar_position: 3
+title: Reference
+---
+
+### ClientIntents example (YAML)
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: server
+spec:
+  service:
+    # The name of the pod that will be granted access
+    name: server
+  calls:
+      # The AWS ARN or ARN wildcard that references the resource(s) for the authorization
+    - name: arn:aws:s3:::example-bucket-*/*
+      type: aws
+      # one or more AWS Actions or Action wildcards that will be provided to the specified resources
+      awsActions:
+        - "s3:PutObject"
+        - "s3:GetObject"
+      # Multiple call definitions can be defined for a single service.
+	- name: arn:aws:s3:::read-only-bucket-*/*
+      type: aws
+      awsActions:
+        - "s3:GetObject"
+```
+
+### Annotations
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `credentials-operator.otterize.com/create-aws-role` | By setting to **true** the credential operator will create an unique AWS Role for the associated pod | `false` |
+
+
+### Helm Chart options
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.aws.enabled`                                       | Enable or disable AWS integration                                                                                                                                                            | `false`  |
+| `global.aws.eksClusterNameOverride`                        | EKS cluster name (overrides auto-detection)                                                                                                                                                  | `(none)` |
+| `aws.roleARN` | ARN of the AWS role the operator will use to access AWS. By defeault, Otterize will create a unique role for each service an annotate the service with the role's ARN. | `(none)` |
+
+View the [helm chart reference](/reference/configuration/otterize-chart) for all other options

docs/quickstart/visualization/_category_.json → docs/features/aws-iam/tutorials/_category_.json

@@ -1,5 +1,5 @@
 {
-  "label": "Visualization",
+  "label": "Tutorials",
   "position": 2,
   "collapsed": false
 }

docs/quickstart/access-control/aws-iam-eks.mdx → docs/features/aws-iam/tutorials/aws-iam-eks.mdx

@@ -21,7 +21,7 @@ In this tutorial, we will:
 ## Prerequisites
 Already have Otterize deployed with the IAM integration configured on your cluster? [Skip to the tutorial.](#tutorial)
 
-#### 1. Create an AWS EKS cluster
+### 1. Create an AWS EKS cluster
 Before you start, you'll need an AWS EKS cluster. Any cluster will do; there are no special requirements or setup.
 
 <details>
@@ -86,7 +86,7 @@ Don't forget to configure your kubeconfig for your cluster. If using the example
 aws eks update-kubeconfig --region us-west-2 --name otterize-iam-eks-tutorial
 ```
 
-#### 2. Deploy Otterize for AWS IAM
+### 2. Deploy Otterize for AWS IAM
 To deploy Otterize, head over to [Otterize Cloud](https://app.otterize.com) and:
 
 1. Create a Kubernetes cluster on the [Clusters page](https://app.otterize.com/clusters), and follow the instructions. *Make sure to enable enforcement mode for this tutorial.* If you already have a Kubernetes cluster connected, skip this step.
@@ -187,7 +187,7 @@ kubectl patch deployment -n otterize-tutorial-iam server --type='json' -p="[{\"o
 <summary>Expand to see the deployment YAML</summary>
 
 ```yaml
-{@include: ../../../static/code-examples/aws-iam-eks/client-and-server.yaml}
+{@include: ../../../../static/code-examples/aws-iam-eks/client-and-server.yaml}
 ```
 
 </details>
@@ -287,7 +287,7 @@ By annotating the pod, we've created an IAM role. We now need to specify what we
 
 We will specify the following ClientIntents, granting the PutObject permission to the `otterize-tutorial-bucket` S3 bucket.
 ```yaml
-{@include: ../../../static/code-examples/aws-iam-eks/clientintents.yaml}
+{@include: ../../../../static/code-examples/aws-iam-eks/clientintents.yaml}
 ```
 
 To apply these intents, run the following command:
@@ -324,7 +324,7 @@ aws s3 ls $BUCKET_NAME
 2023-11-17 20:42:55         19 testfile.3.txt
 ```
 
-## What's next?
+### What's next?
 
 Try out some of the other quick tutorials to learn about how to use ClientIntents to manage network policies, Istio policies, PostgreSQL access, and more. You can use a single ClientIntents resource to specify all the access required for a pod.
 

docs/features/istio/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Istio",
+  "position": 4,
+  "collapsed": true,
+  "customProps": {
+    "image": "/img/icons/istio-no-word-mark.svg"
+  }
+}

docs/features/istio/index.mdx

@@ -0,0 +1,99 @@
+---
+sidebar_position: 1
+title: Istio | Overview
+hide_title: true
+---
+
+import DocsLinkCard from "@site/src/components/LinkCard";
+
+export const istio_tutorials = [
+    {
+        title: 'Istio AuthorizationPolicy automation',
+        description: 'Generate AuthorizationPolicy docs from existing connections',
+        url: '/features/istio/examples/k8s-istio-authorization-policies'
+    },
+    {
+        title: 'Istio HTTP-level access mapping',
+        description: 'View the HTTP methods being used across services',
+        url: '/features/istio/examples/k8s-istio-water'
+    }
+];
+
+
+
+# Istio
+
+Otterize can map and secure access with Istio HTTP connections across your Kubernetes services.
+
+### About
+
+When enabling Istio support, Otterize's network mapping tool can determine which Kubernetes services are connected and which HTTP methods are being used. This graph of connections can then be leveraged to automate IBAC based access policies that result in Istio AuthorizationPolicy(s).
+
+### How does it work
+
+1. First, the cluster must have [Otterize installed](/overview/installation). With Istio support enabled by setting the following flag:
+
+```bash
+--set networkMapper.istiowatcher.enable=true
+```
+
+2. To monitor connections and HTTP methods, we need to enable connection telemetry data within Istio. This can be enabled with the following YAML:
+
+```yaml
+apiVersion: telemetry.istio.io/v1alpha1
+kind: Telemetry
+metadata:
+  name: mesh-default
+  namespace: istio-system
+spec:
+  # Configure access logging for Istio services
+  accessLogging:
+    # Define the access logging provider, in this case, Envoy
+    - providers:
+        - name: envoy
+  metrics:
+    # Configure metrics collection for Istio services using Prometheus
+    - providers:
+        - name: prometheus
+      # Customize metric tag overrides
+      overrides:
+        - tagOverrides:
+            # Map the "request_method" metric tag to "request.method" value
+            request_method:
+              value: request.method
+            # Map the "request_path" metric tag to "request.path" value
+            request_path:
+              value: request.path
+
+```
+
+Once installed, Otterize will query Envoy sidecars for known connections and building an in-memory map of the relationships. After the map is built your can then view those relationships.
+
+**To Manage Access**
+
+You simply need to define and apply your intent based access control ([IBAC](/overview/intent-based-access-control)) policies for your services.
+
+```yaml
+
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: client
+  namespace: otterize-tutorial-istio
+spec:
+  service:
+    name: client
+  calls:
+    - name: server-abc
+      type: http
+      HTTPResources:
+        - path: /client-path
+          methods: [ GET ]
+
+```
+
+### Tutorials
+
+For further details about mapping, or access automation, view the tutorials below:
+
+<DocsLinkCard items={istio_tutorials} colSize={"sm"}/>

docs/features/istio/reference.mdx

@@ -0,0 +1,38 @@
+---
+sidebar_position: 3
+title: Reference
+---
+
+### ClientIntents example (YAML)
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: client
+  namespace: otterize-tutorial-istio
+spec:
+  service:
+    name: client
+  calls:
+    - name: nginx
+      type: http
+      HTTPResources:
+        - path: /client-path
+          methods: [ GET ]
+```
+
+
+### Helm Chart options
+
+| Key                             | Description                             | Default                        |
+|---------------------------------|-----------------------------------------|--------------------------------|
+| `istiowatcher.enable`           | Enable Istio watcher deployment (beta). | `false`                        |
+| `istiowatcher.image.repository` | Istio watcher image repository.         | `otterize`                     |
+| `istiowatcher.image.image`      | Istio watcher image.                    | `network-mapper-istio-watcher` |
+| `istiowatcher.image.tag`        | Istio watcher image tag.                | `latest`                       |
+| `istiowatcher.pullPolicy`       | Istio watcher pull policy.              | `(none)`                       |
+| `istiowatcher.pullSecrets`      | Istio watcher pull secrets.             | `(none)`                       |
+| `istiowatcher.resources`        | Resources override.                     | `(none)`                       |
+
+View the [helm chart reference](/reference/configuration/otterize-chart) for all other options

docs/features/istio/tutorials/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Tutorials",
+  "position": 2,
+  "collapsed": false
+}