From 34d85046c26841fef171b2eccbc1d51d452c0a2f Mon Sep 17 00:00:00 2001 From: Uri Sarid Date: Sat, 29 Apr 2023 15:03:36 -0700 Subject: [PATCH 1/6] Documenting the telemetry capability of Otterize OSS. This does not yet include updating the configuration docs. --- docs/otterize-oss/README.mdx | 15 +++++- docs/otterize-oss/_category_.json | 4 ++ docs/otterize-oss/usage-telemetry.mdx | 48 +++++++++++++++++++ .../intents-operator/helm-chart.mdx | 12 ++--- 4 files changed, 71 insertions(+), 8 deletions(-) create mode 100644 docs/otterize-oss/_category_.json create mode 100644 docs/otterize-oss/usage-telemetry.mdx diff --git a/docs/otterize-oss/README.mdx b/docs/otterize-oss/README.mdx index 45f505ced..0166f1b91 100644 --- a/docs/otterize-oss/README.mdx +++ b/docs/otterize-oss/README.mdx @@ -7,7 +7,10 @@ Otterize OSS implements intent-based access control (IBAC) in a single Kubernete It is a fully standalone, free and open-source software implementation of IBAC built for cloud-native teams that use Kubernetes at the core of their infrastructure. -It consists of several components: +## Components + +Otterize OSS consists of several components, which work together to provide IBAC capabilities. + - The [Otterize intents operator](/reference/configuration/intents-operator) that translates ClientIntents resources to access controls using plugins, which currently include: - A network policies manager to control pod-to-pod access. 
@@ -17,9 +20,17 @@ to handle pod identities and manage certificates. - The [Otterize network mapper](/reference/configuration/network-mapper) that sniffs pod-to-pod traffic and builds a network map, which is useful on its own and may also be exported as client intents files for bootstrapping IBAC. +This list will grow over time, as more capabilities are added, in particular support for more access controls, credentials managers, and integrations with useful tooling. + The Otterize OSS code base and issues are managed [on GitHub](https://github.com/otterize). -To get started with Otterize OSS, see the tutorials for [network policies](/quick-tutorials/k8s-network-policies), [Kafka](/quick-tutorials/k8s-kafka-mtls), [network mapping](/quick-tutorials/k8s-network-mapper), and [mTLS](/quick-tutorials/k8s-mtls). +To get started with Otterize OSS, see the tutorials for [network policies](/quick-tutorials/k8s-network-policies), [Kafka](/quick-tutorials/k8s-kafka-mtls), [network mapping](/quick-tutorials/k8s-network-mapper), and [Istio service mesh](/quick-tutorials/k8s-istio-authorization-policies). + +## Usage metrics + +Components in Otterize OSS collect usage information — counts of events like `INTENTS_APPLIED`, `NETWORK_POLICY_CREATED`, `KAFKA_ACL_DELETED`, etc. — and can report those back to the Otterize team. This is entirely optional and does not affect the functionality of Otterize OSS, but it does help the team at Otterize understand what the community finds useful and hence how to improve it. (Of course, direct feedback through the [Otterize Community Slack](https://joinslack.otterize.com/) is very much appreciated too.) For more information, including what is sent and how to turn it off or on, see [the usage telemetry documentation](/otterize-oss/usage-telemetry). 
+ +## Roadmap The near-term roadmap for Otterize OSS currently includes: - [[Done](https://github.com/otterize/otterize-cli/releases/tag/v0.1.17)] Adding **network map visualization** capabilities to the Otterize CLI, so you can get network map images from the network mapper. diff --git a/docs/otterize-oss/_category_.json b/docs/otterize-oss/_category_.json new file mode 100644 index 000000000..4a4e6305a --- /dev/null +++ b/docs/otterize-oss/_category_.json @@ -0,0 +1,4 @@ +{ + "position": 7, + "collapsed": true +} \ No newline at end of file diff --git a/docs/otterize-oss/usage-telemetry.mdx b/docs/otterize-oss/usage-telemetry.mdx new file mode 100644 index 000000000..e44423451 --- /dev/null +++ b/docs/otterize-oss/usage-telemetry.mdx 
@@ -0,0 +1,48 @@ +--- +title: Usage telemetry +--- + +Operators in Otterize OSS report anonymous usage information back to the Otterize team, to help the team understand how the software is used in the community and what aspects users find useful. No personal or organizational identifying information is transmitted in these metrics: they only reflect patterns of usage. You may opt out at any time through a single configuration flag. + +## What information is collected? + +The information reported by Otterize OSS is defined in the [GraphQL schema of the telemetry source code](https://github.com/otterize/intents-operator/blob/main/src/shared/telemetries/telemetriesgql/schema.graphql); this is the GraphQL schema shared with the Otterize incoming telemetry GraphQL endpoint. Usage information is sent as events, each containing the event type, sometimes also a count, and some identifiers to allow correlating multiple events to understand usage. + +### Identifiers + +| Identifier | Value | +|:----------------------|:---------------------------------------------------------------------------------------------------------------------| +| `componentType` | Which Otterize OSS component sent the event: one of `INTENTS_OPERATOR`, `CREDENTIALS_OPERATOR`, `NETWORK_MAPPER` or `OTTERIZE_CLI`. | +| `version` | The version of the Otterize OSS component. | +| `componentInstanceId` | A randomly-generated UUID identifying the installed instance of the component, to allow correlating its events. | +| `contextId` | A hash (for anonymity) of an identifier of the context in which the component is installed. For example, for components running in a Kubernetes cluster, this is a hash of the UUID of the `kube-system` namespace in the cluster. | + +### Events + +| Event type | Meaning | +|:----------------------------------|:----------------------------------------------------------------------------------------------------------| +| `INTENTS_DELETED` | A count of how many intents were deleted. 
| +| `INTENTS_APPLIED` | A count of how many declared intents were applied. | +| `INTENTS_DISCOVERED` | A count of how many intents were discovered by the network mapper. | +| `KAFKA_SERVER_CONFIG_APPLIED` | A Kafka Server Config was applied (i.e. the intents operator will recognize it as a Kafka broker). | +| `KAFKA_SERVER_CONFIG_DELETED` | A Kafka Server Config was deleted. | +| `NETWORK_POLICY_CREATED` | A count of how many network policies were created by the intents operator. | +| `NETWORK_POLICY_DELETED` | A count of how many network policies were deleted by the intents operator. | +| `KAFKA_ACL_CREATED` | A count of how many Kafka ACLs were created by the intents operator. | +| `KAFKA_ACL_DELETED` | A count of how many Kafka ACLs were deleted by the intents operator. | +| `ISTIO_POLICY_CREATED` | A count of how many Istio authorization policies were created by the intents operator. | +| `ISTIO_POLICY_DELETED` | A count of how many Istio authorization policies were deleted by the intents operator. | +| `MAPPER_EXPORT` | The CLI command `otterize network-mapper export...` was invoked. | +| `STARTED` | The operator was started. | + +## Configuring whether to report usage information + +To configure whether to report usage information to the Otterize team, use the `telemetry` flag in the installation/configuration of Otterize OSS. By default, telemetry is enabled. + +To **disable** sending usage information: + - Via the Otterize OSS Helm chart: `--set global.telemetry.enable=false`. + - Via en environment variable: `OTTERIZE_TELEMETRY_ENABLED=false`. + - If running an operator directly: `telemetry-enabled=false`. + +If the `telemetry` flag is omitted or set to `true`, telemetry will be enabled: usage information will be reported. + diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx index 3b070f87e..cbeeea684 100644 
--- a/docs/reference/configuration/intents-operator/helm-chart.mdx +++ b/docs/reference/configuration/intents-operator/helm-chart.mdx 
@@ -18,17 +18,17 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## Global parameters | Key | Description | Default | -|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------| +|:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|---------| | `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | | ## Operator parameters | Key | Description | Default | -|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| +|:-------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| | `operator.image.repository` | intents operator image repository. | `otterize` | | `operator.image.image` | intents operator image. | `intents-operator` | | `operator.image.tag` | intents operator image tag. | `latest` | | `operator.pullPolicy` | intents operator image pull policy. | `(none)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. 
| `false` | | `operator.enableEnforcement` | If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | | `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | | `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | @@ -37,7 +37,7 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## Watcher parameters | Key | Description | Default | -|----------------------------|----------------------------|--------------------------------| +|:---------------------------|:---------------------------|:-------------------------------| | `watcher.image.repository` | Watcher image repository. | `otterize` | | `watcher.image.image` | Watcher image. | `intents-operator-pod-watcher` | | `watcher.image.tag` | Watcher image tag. | `latest` | @@ -46,7 +46,7 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## Cloud parameters | Key | Description | Default | -|-------------------------------------------------|-------------------------------------------------|----------| +|:------------------------------------------------|:------------------------------------------------|:---------| | `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | `(none)` | | `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | `(none)` | | `global.otterizeCloud.apiAddress` | Overrides Otterize Cloud default API address. | `(none)` | 
@@ -54,5 +54,5 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor ## Common parameters | Key | Description | Default | -|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------| | `allowGetAllResources` | Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those. | `true` | From c80120fd7edc72370d9e1a14cfab78e58b87f009 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Sun, 30 Apr 2023 17:03:13 +0300 Subject: [PATCH 2/6] enable -> enabled --- docs/otterize-oss/usage-telemetry.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/otterize-oss/usage-telemetry.mdx b/docs/otterize-oss/usage-telemetry.mdx index e44423451..5aa833575 100644 
--- a/docs/otterize-oss/usage-telemetry.mdx +++ b/docs/otterize-oss/usage-telemetry.mdx @@ -40,7 +40,7 @@ The information reported by Otterize OSS is defined in the [GraphQL schema of th To configure whether to report usage information to the Otterize team, use the `telemetry` flag in the installation/configuration of Otterize OSS. By default, telemetry is enabled. To **disable** sending usage information: - - Via the Otterize OSS Helm chart: `--set global.telemetry.enable=false`. + - Via the Otterize OSS Helm chart: `--set global.telemetry.enabled=false`. - Via en environment variable: `OTTERIZE_TELEMETRY_ENABLED=false`. - If running an operator directly: `telemetry-enabled=false`. From bc162471d9a1228a45840e3ca6583b7cffa171dd Mon Sep 17 00:00:00 2001 From: Uri Sarid Date: Tue, 2 May 2023 21:22:35 -0700 Subject: [PATCH 3/6] Updating the docs per the latest schema of telemetry metrics. --- docs/otterize-oss/usage-telemetry.mdx | 48 +++++++++++++++------------ 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/docs/otterize-oss/usage-telemetry.mdx b/docs/otterize-oss/usage-telemetry.mdx index 5aa833575..f5b2ba2a9 100644 --- a/docs/otterize-oss/usage-telemetry.mdx +++ b/docs/otterize-oss/usage-telemetry.mdx 
@@ -6,34 +6,40 @@ Operators in Otterize OSS report anonymous usage information back to the Otteriz ## What information is collected? -The information reported by Otterize OSS is defined in the [GraphQL schema of the telemetry source code](https://github.com/otterize/intents-operator/blob/main/src/shared/telemetries/telemetriesgql/schema.graphql); this is the GraphQL schema shared with the Otterize incoming telemetry GraphQL endpoint. Usage information is sent as events, each containing the event type, sometimes also a count, and some identifiers to allow correlating multiple events to understand usage. +The information reported by Otterize OSS is defined in the [GraphQL schema of the telemetry source code](https://github.com/otterize/intents-operator/blob/main/src/shared/telemetries/telemetriesgql/schema.graphql); this is the GraphQL schema shared with the Otterize incoming-telemetry GraphQL endpoint. Usage information is sent as events, each containing the event type, sometimes also a count, and some identifiers to allow correlating multiple events in order to understand usage. ### Identifiers -| Identifier | Value | -|:----------------------|:---------------------------------------------------------------------------------------------------------------------| -| `componentType` | Which Otterize OSS component sent the event: one of `INTENTS_OPERATOR`, `CREDENTIALS_OPERATOR`, `NETWORK_MAPPER` or `OTTERIZE_CLI`. | -| `version` | The version of the Otterize OSS component. | -| `componentInstanceId` | A randomly-generated UUID identifying the installed instance of the component, to allow correlating its events. | +| Identifier | Value | +|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------| +| `componentType` | Which Otterize OSS component sent the event: one of `INTENTS_OPERATOR`, `CREDENTIALS_OPERATOR`, `NETWORK_MAPPER` or `CLI`. 
| +| `componentInstanceId` | A randomly-generated UUID identifying the installed instance of the component, to allow correlating its events. | | `contextId` | A hash (for anonymity) of an identifier of the context in which the component is installed. For example, for components running in a Kubernetes cluster, this is a hash of the UUID of the `kube-system` namespace in the cluster. | +| `version` | The version of the Otterize OSS component. | +| `cloudClientId` | If connected to Otterize Cloud: the client id used to connect with Otterize Cloud, to allow correlating events with Cloud usage info. | ### Events -| Event type | Meaning | -|:----------------------------------|:----------------------------------------------------------------------------------------------------------| -| `INTENTS_DELETED` | A count of how many intents were deleted. | -| `INTENTS_APPLIED` | A count of how many declared intents were applied. | -| `INTENTS_DISCOVERED` | A count of how many intents were discovered by the network mapper. | -| `KAFKA_SERVER_CONFIG_APPLIED` | A Kafka Server Config was applied (i.e. the intents operator will recognize it as a Kafka broker). | -| `KAFKA_SERVER_CONFIG_DELETED` | A Kafka Server Config was deleted. | -| `NETWORK_POLICY_CREATED` | A count of how many network policies were created by the intents operator. | -| `NETWORK_POLICY_DELETED` | A count of how many network policies were deleted by the intents operator. | -| `KAFKA_ACL_CREATED` | A count of how many Kafka ACLs were created by the intents operator. | -| `KAFKA_ACL_DELETED` | A count of how many Kafka ACLs were deleted by the intents operator. | -| `ISTIO_POLICY_CREATED` | A count of how many Istio authorization policies were created by the intents operator. | -| `ISTIO_POLICY_DELETED` | A count of how many Istio authorization policies were deleted by the intents operator. | -| `MAPPER_EXPORT` | The CLI command `otterize network-mapper export...` was invoked. 
| -| `STARTED` | The operator was started. | +| Event type | Meaning | +|:----------------------------------|:-----------------------------------------------------------------------------------------------------| +| `INTENTS_DELETED` | How many intents were deleted. | +| `INTENTS_APPLIED` | How many declared intents were applied. | +| `INTENTS_DISCOVERED` | How many intents were discovered by the network mapper. | +| `INTENTS_DISCOVERED_SOCKET_SCAN` | How many intents were discovered by the network watcher ("sniffer") via scanning for open sockets. | +| `INTENTS_DISCOVERED_DNS` | How many intents were discovered by the network watcher ("sniffer") via reading DNS query responses. | +| `INTENTS_DISCOVERED_KAFKA` | How many intents were discovered by the Kafka watcher. | +| `INTENTS_DISCOVERED_ISTIO` | How many intents were discovered by the Istio watcher. | +| `MAPPER_EXPORT ` | How many intents from the network mapper were exported by the CLI: `otterize mapper export...`. | +| `MAPPER_VISUALIZE` | How many intents from the network mapper were visualized by the CLI: `otterize mapper visualize...`. | +| `KAFKA_SERVER_CONFIG_APPLIED` | A Kafka Server Config was applied (i.e. the intents operator will recognize it as a Kafka broker). | +| `KAFKA_SERVER_CONFIG_DELETED` | A Kafka Server Config was deleted. | +| `NETWORK_POLICY_CREATED` | How many network policies were created by the intents operator. | +| `NETWORK_POLICY_DELETED` | How many network policies were deleted by the intents operator. | +| `KAFKA_ACL_CREATED` | How many Kafka ACLs were created by the intents operator. | +| `KAFKA_ACL_DELETED` | How many Kafka ACLs were deleted by the intents operator. | +| `ISTIO_POLICY_CREATED` | How many Istio authorization policies were created by the intents operator. | +| `ISTIO_POLICY_DELETED` | How many Istio authorization policies were deleted by the intents operator. | +| `STARTED` | The operator was started. | ## Configuring whether to report usage information 
From 4e898987bb82c933c0fd4a109f4e8406409d3676 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Wed, 3 May 2023 15:19:34 +0300 Subject: [PATCH 4/6] pluralize --- docs/otterize-oss/usage-telemetry.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/otterize-oss/usage-telemetry.mdx b/docs/otterize-oss/usage-telemetry.mdx index f5b2ba2a9..0d8d552b3 100644 --- a/docs/otterize-oss/usage-telemetry.mdx +++ b/docs/otterize-oss/usage-telemetry.mdx 
@@ -33,12 +33,12 @@ The information reported by Otterize OSS is defined in the [GraphQL schema of th | `MAPPER_VISUALIZE` | How many intents from the network mapper were visualized by the CLI: `otterize mapper visualize...`. | | `KAFKA_SERVER_CONFIG_APPLIED` | A Kafka Server Config was applied (i.e. the intents operator will recognize it as a Kafka broker). | | `KAFKA_SERVER_CONFIG_DELETED` | A Kafka Server Config was deleted. | -| `NETWORK_POLICY_CREATED` | How many network policies were created by the intents operator. | -| `NETWORK_POLICY_DELETED` | How many network policies were deleted by the intents operator. | -| `KAFKA_ACL_CREATED` | How many Kafka ACLs were created by the intents operator. | -| `KAFKA_ACL_DELETED` | How many Kafka ACLs were deleted by the intents operator. | -| `ISTIO_POLICY_CREATED` | How many Istio authorization policies were created by the intents operator. | -| `ISTIO_POLICY_DELETED` | How many Istio authorization policies were deleted by the intents operator. | +| `NETWORK_POLICIES_CREATED` | How many network policies were created by the intents operator. | +| `NETWORK_POLICIES_DELETED` | How many network policies were deleted by the intents operator. | +| `KAFKA_ACLS_CREATED` | How many Kafka ACLs were created by the intents operator. | +| `KAFKA_ACLS_DELETED` | How many Kafka ACLs were deleted by the intents operator. | +| `ISTIO_POLICIES_CREATED` | How many Istio authorization policies were created by the intents operator. | +| `ISTIO_POLICIES_DELETED` | How many Istio authorization policies were deleted by the intents operator. | | `STARTED` | The operator was started. | ## Configuring whether to report usage information From 49bbce8da3f3fe2368a8be116da788561d5af6e5 Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Wed, 3 May 2023 18:56:47 +0300 Subject: [PATCH 5/6] Update usage-telemetry.mdx --- docs/otterize-oss/usage-telemetry.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/otterize-oss/usage-telemetry.mdx b/docs/otterize-oss/usage-telemetry.mdx index 0d8d552b3..657c50177 100644 --- a/docs/otterize-oss/usage-telemetry.mdx +++ b/docs/otterize-oss/usage-telemetry.mdx @@ -47,7 +47,7 @@ To configure whether to report usage information to the Otterize team, use the ` To **disable** sending usage information: - Via the Otterize OSS Helm chart: `--set global.telemetry.enabled=false`. - - Via en environment variable: `OTTERIZE_TELEMETRY_ENABLED=false`. + - Via an environment variable: `OTTERIZE_TELEMETRY_ENABLED=false`. - If running an operator directly: `telemetry-enabled=false`. If the `telemetry` flag is omitted or set to `true`, telemetry will be enabled: usage information will be reported. From ba208bd2a230f497918b3375e0cb830e8c5f0be2 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 4 May 2023 15:04:07 +0300 Subject: [PATCH 6/6] add helm chart values --- docs/reference/configuration/intents-operator/helm-chart.mdx | 2 ++ docs/reference/configuration/network-mapper/helm-chart.mdx | 2 ++ docs/reference/configuration/otterize-chart/README.mdx | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/reference/configuration/intents-operator/helm-chart.mdx b/docs/reference/configuration/intents-operator/helm-chart.mdx index cbeeea684..e1f16f5d8 100644 --- a/docs/reference/configuration/intents-operator/helm-chart.mdx +++ b/docs/reference/configuration/intents-operator/helm-chart.mdx 
@@ -20,6 +20,8 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor | Key | Description | Default | |:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|---------| | `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | | +| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | + ## Operator parameters | Key | Description | Default | diff --git a/docs/reference/configuration/network-mapper/helm-chart.mdx b/docs/reference/configuration/network-mapper/helm-chart.mdx index 2992b0bd4..4fd6d9f1c 100644 --- a/docs/reference/configuration/network-mapper/helm-chart.mdx +++ b/docs/reference/configuration/network-mapper/helm-chart.mdx @@ -67,6 +67,8 @@ Checkout the network mapper [tutorial](/quick-tutorials/k8s-network-mapper) to s | Key | Description | Default | |----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------| | `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | | +| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | + ## Common parameters | Key | Description | Default | diff --git a/docs/reference/configuration/otterize-chart/README.mdx b/docs/reference/configuration/otterize-chart/README.mdx index 4671c6967..4a22a26e1 100644 --- a/docs/reference/configuration/otterize-chart/README.mdx +++ b/docs/reference/configuration/otterize-chart/README.mdx 
@@ -25,9 +25,10 @@ These parameters are used by multiple charts, and must be kept the same for the | `global.spiffe.CASubject` | The Subject that CA certificates should use (see below). | | | `global.spiffe.CASubject.country` | SPIRE's CA certificates `Country` value. | `"US"` | | `global.spiffe.CASubject.organization` | SPIRE's CA certificates `Organization` Value. | `"SPIRE"` | -| `global.spiffe.trustDomain` | The trust domain that SPIRE will use. | `"example.org"` | +| `global.spiffe.trustDomain` | The trust domain that SPIRE will use. | `"example.org"` | | `global.spire.serverServiceName` | Name of the Kubernetes service that will be created for SPIRE-server. | | | `global.allowGetAllResources` | If defined overrides `allowGetAllResources` in subcharts. Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those. | | +| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled | `true` | ## Cloud parameters | Key | Description | Default |
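Review bot: In PATCH 1/6, docs/otterize-oss/README.mdx, the new "Usage metrics" paragraph calls reporting "entirely optional" and says components "can report" usage, while usage-telemetry.mdx in the same patch states "By default, telemetry is enabled". Say in the README that reporting is on by default and is opt-out, so a reader who stops at the README does not assume nothing is sent until they enable it. The same hunk also replaces the mTLS tutorial link with the Istio one, which is unrelated to telemetry; keep both links or move that change to its own commit.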
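Review bot: In PATCH 1/6, docs/otterize-oss/usage-telemetry.mdx, the Identifiers table describes `contextId` as "A hash (for anonymity)" of the `kube-system` namespace UUID without naming the hash or saying whether it is salted. A hash of a fixed UUID is still a stable per-cluster value that every component in the cluster reports, so it links all events from one cluster together; "pseudonymous" describes that more accurately than "anonymous". Name the hash function, state whether a salt is used, and state whether the raw UUID is ever transmitted, so the privacy claim in the opening paragraph can be checked against the linked schema.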
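Review bot: In PATCH 3/6, the new `cloudClientId` row in the Identifiers table conflicts with the page's opening paragraph, which this patch leaves as "No personal or organizational identifying information is transmitted". A client id "used to connect with Otterize Cloud" identifies the connected account by design, so the introduction needs a qualifier for Cloud-connected installs, and the page should say whether setting telemetry to disabled also stops this field from being sent. Two smaller points in the Events table: `MAPPER_EXPORT ` has a trailing space inside the backticks, and the CLI command changes from `otterize network-mapper export...` in 1/6 to `otterize mapper export...` here with no mention in the commit message; confirm which form the CLI accepts.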
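Review bot: In PATCH 4/6, the rename to plural event names is applied only to usage-telemetry.mdx (1 file changed), but docs/otterize-oss/README.mdx from 1/6 still cites `NETWORK_POLICY_CREATED` and `KAFKA_ACL_DELETED` in its "Usage metrics" paragraph. Update the README in this commit so both pages use `NETWORK_POLICIES_CREATED` and `KAFKA_ACLS_DELETED`; anyone searching the schema or captured traffic for the README's names will find nothing.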
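Review bot: In PATCH 5/6, the context lines around the typo fix still tell the reader to use "the `telemetry` flag", yet none of the three settings listed has that name: they are `global.telemetry.enabled`, `OTTERIZE_TELEMETRY_ENABLED` and `telemetry-enabled`. Reword the lead sentence and the closing "If the `telemetry` flag is omitted" sentence to refer to "the telemetry setting", and show `telemetry-enabled=false` exactly as it is typed (with any leading dashes if it is a command-line flag). Since the default is enabled, it would also help to state which component each setting applies to, so an operator who sets only one of them knows whether the others still report.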
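Review bot: In PATCH 6/6, `global.telemetry.enabled` is added to the intents-operator, network-mapper and otterize-chart pages only, while usage-telemetry.mdx lists `CREDENTIALS_OPERATOR` among the components that send events. If the credentials operator chart has its own reference page, add the same row there so the opt-out is documented for every reporting component. In the three added rows, "anonymous telemetries collection will be disabled" reads better as "anonymous usage telemetry is disabled" with a link to /otterize-oss/usage-telemetry. The extra blank `+` line after the row in the first two files and the whitespace-only rewrite of the `global.spiffe.trustDomain` row in the third can be dropped from the commit.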