Skip to main content

Helm chart

You can use the credentials operator's Helm chart to deploy the credentials operator on its own, and configure a SPIRE server for it to work with according to the parameters value. But it is recommended to deploy the operator as part of the Otterize OSS Helm chart, which comes with a SPIRE server and the intents operator, rather than managing it independently.

If you would like to deploy it on its own, add the Otterize Helm chart repository and configure the operator:

  helm repo add otterize
helm repo update
helm install otterize-credentials-operator otterize/credentials-operator -n otterize-system --create-namespace


Global parameters

global.certificateProviderWhat provider should be used to generate certificates - "spire", "otterize-cloud" or "cert-manager""spire"
global.spire.serverServiceNameIf deployed with SPIRE, this key specifies SPIRE-server's service name. You should use either this OR spire.serverAddress (not both).
global.allowGetAllResourcesIf defined overridesfalse
global.commonAnnotationsAnnotations to add to all deployed objects{}
global.commonLabelsLabels to add to all deployed objects{}
global.podAnnotationsAnnotations to add to all deployed pods{}
global.podLabelsLabels to add to all deployed pods{}
global.serviceNameOverrideAnnotationNameWhich annotation to use (in the service name resolution algorithm) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service

cert-manager parameters

certManager.issuerNameThe cert-manager Issuer (or ClusterIssuer if useClusterIssuer is set) to be used for certificate generation""
certManager.useClusterIssuerUse ClusterIssuer. If false, looks for a namespace-scoped Issuer.true
certManager.autoApproveMakes the credentials-operator auto-approve its CertificateRequests. Use when the cert-manager default auto-approver is disabled.false

Operator parameters

operator.repositoryOperator image repository.otterize
operator.imageOperator image.credentials-operator
operator.tagOperator image tag.(pinned to latest version as of this Helm chart version's publish)
operator.pullPolicyOperator pull policy.(none)
operator.extraEnvVarsExtra environment variables to pass to the credentials operator pod. To set an environment variable: "operator.extraEnvVars[0].name=MY_ENV_VAR", to set its value: "operator.extraEnvVars[0].value=someValue"

Cloud parameters

global.otterizeCloud.credentials.clientIdClient ID for connecting to Otterize Cloud.(none)
global.otterizeCloud.credentials.clientSecretClient secret for connecting to Otterize Cloud.(none)
global.otterizeCloud.credentials.clientSecretKeyRef.secretNameIf specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.(none)
global.otterizeCloud.credentials.clientSecretKeyRef.secretKeyIf specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.(none)
global.otterizeCloud.apiAddressOverrides Otterize Cloud default API address.(none)
global.otterizeCloud.apiExtraCAPEMSecretThe name of a secret containing a single CA.pem file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment.(none)

SPIRE parameters

spire.serverAddressSpecify the SPIRE-server's address. You should use either this OR global.spire.serverServiceName (not both).
spire.socketsPathSPIRE sockets path. The operator will expect to find agent.sock in the host-mounted folder"/run/spire/sockets"

Common parameters

allowGetAllResourcesGives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those.true
resourcesResources of the container{}

AWS integration parameters

aws.roleARNARN of the AWS role the operator will use to access AWS.(none)

Credentials operator parameters

databaseSecretRotationIntervalInterval in which secrets created by the credentials operator will be rotated. Valid time units are "ns", "ms", "s", "m", "h"8h