# Helm chart

You can use the intents operator's Helm chart to deploy the intents operator on its own and configure it to work with the Otterize credentials operator to acquire mTLS credentials. It is recommended, however, to deploy the operator as part of the Otterize OSS Helm chart, which ships with a SPIRE server and the credentials operator, rather than managing it independently.

If you would like to deploy it on its own, add the Otterize Helm chart repository and install the operator:
```shell
helm repo add otterize https://helm.otterize.com
helm repo update
helm install otterize-intents-operator otterize/intents-operator -n otterize-system --create-namespace
```
## Parameters

### Global parameters

| Key | Description | Default |
|---|---|---|
| `global.allowGetAllResources` | If defined, overrides `allowGetAllResources`. | |
| `global.telemetry.enabled` | If set to `false`, anonymous telemetry collection is disabled. | `true` |
| `global.commonAnnotations` | Annotations to add to all deployed objects. | `{}` |
| `global.commonLabels` | Labels to add to all deployed objects. | `{}` |
| `global.podAnnotations` | Annotations to add to all deployed pods. | `{}` |
| `global.podLabels` | Labels to add to all deployed pods. | `{}` |
| `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the service name resolution algorithm) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` |
| `global.aws.enabled` | Enable or disable AWS integration. | `false` |
| `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection). | (none) |
### Operator parameters

| Key | Description | Default |
|---|---|---|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | (none) |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to `true`, adds the pod annotations needed to integrate with the credentials operator, which then provides the TLS certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per service using a `ProtectedService` resource. | `defaultActive` |
| `operator.enableEnforcement` | (Deprecated; use `mode` instead.) If set to `false`, enforcement is disabled globally (both for network policies and Kafka ACLs). If `true`, you may use the other flags for more granular enforcement settings. | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to `ClientIntents`. | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (the last option is experimental). Specifies how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically creates network policies to allow internet traffic for services that would otherwise be blocked by Otterize network policies when a server is protected. Choosing `off` may require creating network policies manually to allow external traffic, while `always` automatically creates policies for all such resources that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (Deprecated; use `allowExternalTraffic` instead.) Automatically allow external traffic if a new `ClientIntents` resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating that external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (Deprecated; use `allowExternalTraffic` instead.) Experimental: if `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require `ClientIntents` resources; simply create network policies based on the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | Experimental: enables experimental support for database intents (coming soon!). | `false` |
### Watcher parameters

| Key | Description | Default |
|---|---|---|
| `watcher.image.repository` | Watcher image repository. | `otterize` |
| `watcher.image.image` | Watcher image. | `intents-operator-pod-watcher` |
| `watcher.image.tag` | Watcher image tag. | `latest` |
| `watcher.pullPolicy` | Watcher image pull policy. | (none) |
| `watcher.resources` | Watcher resources override. | |
### Cloud parameters

| Key | Description | Default |
|---|---|---|
| `global.otterizeCloud.credentials.clientId` | Client ID for connecting to Otterize Cloud. | (none) |
| `global.otterizeCloud.credentials.clientSecret` | Client secret for connecting to Otterize Cloud. | (none) |
| `global.otterizeCloud.credentials.secretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of `clientSecret`. | (none) |
| `global.otterizeCloud.credentials.secretKeyRef.secretKey` | If specified, the key for the client secret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of `clientSecret`. | (none) |
| `global.otterizeCloud.apiAddress` | Overrides the Otterize Cloud default API address. | (none) |
| `global.otterizeCloud.apiExtraCAPEMSecret` | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | (none) |
### Common parameters

| Key | Description | Default |
|---|---|---|
| `allowGetAllResources` | Grants `get`, `list` and `watch` permissions on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to Pods and to the built-in Kubernetes resources that deploy them: Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolution may fail if the owning resource is not one of those. | `true` |
### AWS integration parameters

| Key | Description | Default |
|---|---|---|
| `aws.roleARN` | ARN of the AWS role the operator will use to access AWS. | (none) |
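The following `values.yaml` is an added example, not a file shipped with the Otterize chart, that pulls together the operator, cloud, common and AWS parameters from the tables above into one standalone deployment. It starts the operator in shadow mode so that nothing is enforced until a `ProtectedService` opts a server in, keeps `allowGetAllResources` off so the operator's RBAC stays limited to the built-in workload kinds, and points the cloud client secret at a pre-created Kubernetes Secret instead of writing the secret into the values file. The Secret name `otterize-cloud-credentials`, its key `client-secret`, the client ID, the EKS cluster name and the role ARN are placeholders chosen for this example.

```yaml
# values.yaml for a standalone intents-operator install (added example, not from the Otterize project).
# Placeholders: the client ID, the Secret name/key, the EKS cluster name and the role ARN below.
global:
  telemetry:
    enabled: false                 # opt out of anonymous telemetry
  commonLabels:
    app.kubernetes.io/part-of: otterize
  otterizeCloud:
    credentials:
      clientId: "<otterize-cloud-client-id>"        # placeholder
      # Reference a Secret created out of band (e.g. from a secret manager) rather than
      # setting clientSecret here, so the values file can be committed without the secret.
      secretKeyRef:
        secretName: otterize-cloud-credentials      # placeholder name
        secretKey: client-secret                    # placeholder key
  aws:
    enabled: true
    eksClusterNameOverride: my-eks-cluster          # placeholder

aws:
  roleARN: arn:aws:iam::123456789012:role/otterize-intents-operator   # placeholder

# Keep the operator's ClusterRole narrow: only Pods and the built-in workload kinds
# (Deployments, StatefulSets, DaemonSets, ReplicaSets, Services) are readable.
# Set this to true only if pods are owned by custom resources that must be resolved.
allowGetAllResources: false

operator:
  # Shadow mode: no enforcement until a server is opted in with a ProtectedService.
  mode: defaultShadow
  # Let the credentials operator issue the operator's own TLS certificate.
  autoGenerateTLSUsingCredentialsOperator: true
  enableNetworkPolicyCreation: true
  enableKafkaACLCreation: false         # no Kafka in this cluster
  enableIstioPolicyCreation: false      # no Istio in this cluster
  # Only create allow-external policies where an Otterize policy would otherwise block
  # ingress traffic; "always" is experimental and "off" means hand-written policies.
  allowExternalTraffic: ifBlockedByOtterize
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi

watcher:
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
```

Create the referenced Secret first (for example with `kubectl create secret generic otterize-cloud-credentials -n otterize-system --from-literal=client-secret=...`), then install with `helm install otterize-intents-operator otterize/intents-operator -n otterize-system --create-namespace -f values.yaml`. Switching `operator.mode` to `defaultActive` later turns enforcement on for every server at once, so review the network policies the shadow run would have created before flipping it.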