Reference
ClientIntents example (YAML)
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
# The name of the pod that will be granted access
name: client
spec:
service:
name: client
calls:
# The Azure resource ID that references the resource(s) for the authorization. Subscription & resource group are automatically appended.
- name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer1"
type: azure
# one or more Azure roles that will be provided to the specified resources
azureRoles:
- "Storage Blob Data Contributor"
- name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer2"
# one or more Azure actions that can be performed on the specified resources (cannot be used with azureRoles)
azureActions:
- "Microsoft.Storage/storageAccounts/blobServices/containers/read"
# one or more Azure data actions that can be performed on the specified resources (cannot be used with azureRoles)
azureDataActions:
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
- name: "/providers/Microsoft.KeyVault/vaults/otterizetutorialazureiamkeyvault"
type: azure
# Optional - Grant Azure Key Vault data plane access by using Key Vault access policy
azureKeyVaultPolicy:
certificatePermissions:
- "all"
keyPermissions:
- "all"
secretPermissions:
- "all"
storagePermissions:
- "get"
- "list"
Annotations
Key | Description | Default |
---|---|---|
credentials-operator.otterize.com/create-azure-workload-identity | When set to true, the credential operator will create an Azure workload identity the associated pod | false |
Helm Chart options
Key | Description | Default |
---|---|---|
global.azure.enabled | Enable or disable Azure integration | false |
azure.userAssignedIdentityID | ID of the user assigned identity used by the operator to access Azure. | (none) |
azure.subscriptionID | ID of the Azure subscription in which the AKS cluster is deployed. | (none) |
azure.resoureceGroup | Name of the Azure resource group in which the AKS cluster is deployed. | (none) |
azure.aksClusterName | Name of the AKS cluster in which the operator is deployed. | (none) |
View the Helm chart reference for all other options
Azure locks support
note
Azure locks are not supported in the current version of Otterize. The Otterize operators will attempt to create, update and delete Azure managed identities, and Azure locks will prevent it. Please ensure you don't have Azure locks. Contact us through the Otterize Community Slack for more details.