
Reference

ClientIntents example (YAML)

```yaml
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  # The name of the pod that will be granted access
  name: client
spec:
  service:
    name: client
  calls:
    # The Azure resource ID that references the resource(s) for the authorization. Subscription & resource group are automatically appended.
    - name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer1"
      type: azure
      # one or more Azure roles that will be granted on the specified resources
      azureRoles:
        - "Storage Blob Data Contributor"
    - name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer2"
      type: azure
      # one or more Azure actions that can be performed on the specified resources (cannot be used with azureRoles)
      azureActions:
        - "Microsoft.Storage/storageAccounts/blobServices/containers/read"
      # one or more Azure data actions that can be performed on the specified resources (cannot be used with azureRoles)
      azureDataActions:
        - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    - name: "/providers/Microsoft.KeyVault/vaults/otterizetutorialazureiamkeyvault"
      type: azure
      # Optional - Grant Azure Key Vault data plane access by using a Key Vault access policy
      azureKeyVaultPolicy:
        certificatePermissions:
          - "all"
        keyPermissions:
          - "all"
        secretPermissions:
          - "all"
        storagePermissions:
          - "get"
          - "list"
```
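The example above states two rules worth checking before a manifest is applied: Azure calls need `type: azure`, and `azureRoles` cannot be combined with `azureActions` or `azureDataActions`. The following linter is an added example, not Otterize's code; it checks those rules over a constructed manifest and expands each relative resource name into the full scope by prepending a subscription ID and resource group (placeholder values, assumed here, since the page says the operator appends them automatically).

```python
# Added example (not Otterize's code): lint a ClientIntents manifest against the
# constraints this reference states, and expand the relative Azure resource names
# into full scopes. Subscription ID and resource group are placeholders (assumed).

EXCLUSIVE_WITH_ROLES = ("azureActions", "azureDataActions")
AZURE_FIELDS = ("azureRoles", "azureActions", "azureDataActions", "azureKeyVaultPolicy")

def expand_scope(name, subscription_id, resource_group):
    """Prefix a relative resource ID with subscription and resource group,
    as the reference says the operator does automatically."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}{name}"

def lint_intents(manifest):
    """Return the problems found; an empty list means the manifest passes."""
    problems = []
    if manifest.get("kind") != "ClientIntents":
        problems.append("kind must be ClientIntents")
    for call in manifest.get("spec", {}).get("calls", []):
        name = call.get("name", "<unnamed>")
        if any(k in call for k in AZURE_FIELDS) and call.get("type") != "azure":
            problems.append(f"{name}: Azure fields present but type is not 'azure'")
        if "azureRoles" in call and any(k in call for k in EXCLUSIVE_WITH_ROLES):
            problems.append(f"{name}: azureRoles cannot be combined with azureActions/azureDataActions")
        if not name.startswith("/providers/"):
            problems.append(f"{name}: name must be a relative resource ID starting with /providers/")
    return problems

# Constructed manifest mirroring the reference example; the second call deliberately
# mixes azureRoles with azureActions and omits type, so both checks fire.
MANIFEST = {
    "apiVersion": "k8s.otterize.com/v1alpha3",
    "kind": "ClientIntents",
    "metadata": {"name": "client"},
    "spec": {
        "service": {"name": "client"},
        "calls": [
            {"name": "/providers/Microsoft.Storage/storageAccounts/acct/blobServices/default/containers/c1",
             "type": "azure",
             "azureRoles": ["Storage Blob Data Contributor"]},
            {"name": "/providers/Microsoft.Storage/storageAccounts/acct/blobServices/default/containers/c2",
             "azureRoles": ["Storage Blob Data Contributor"],
             "azureActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"]},
        ],
    },
}

if __name__ == "__main__":
    for problem in lint_intents(MANIFEST):
        print("PROBLEM:", problem)
    for call in MANIFEST["spec"]["calls"]:
        print("SCOPE:", expand_scope(call["name"], "<subscription-id>", "<resource-group>"))
```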

Annotations

| Key | Description | Default |
|-----|-------------|---------|
| `credentials-operator.otterize.com/create-azure-workload-identity` | When set to `true`, the credentials operator will create an Azure workload identity for the associated pod. | `false` |

Helm Chart options

| Key | Description | Default |
|-----|-------------|---------|
| `global.azure.enabled` | Enable or disable Azure integration. | `false` |
| `azure.userAssignedIdentityID` | ID of the user-assigned identity used by the operator to access Azure. | (none) |
| `azure.subscriptionID` | ID of the Azure subscription in which the AKS cluster is deployed. | (none) |
| `azure.resourceGroup` | Name of the Azure resource group in which the AKS cluster is deployed. | (none) |
| `azure.aksClusterName` | Name of the AKS cluster in which the operator is deployed. | (none) |

View the Helm chart reference for all other options

Azure locks support

Note: Azure locks are not supported in the current version of Otterize. The Otterize operators will attempt to create, update and delete Azure managed identities, and Azure locks will prevent it. Please ensure you don't have Azure locks. Contact us through the Otterize Community Slack for more details.