Helm chart
You can use the credentials operator's Helm chart to deploy the credentials operator on its own, and configure a SPIRE server for it to work with according to the parameters value. But it is recommended to deploy the operator as part of the Otterize OSS Helm chart, which comes with a SPIRE server and the intents operator, rather than managing it independently.
If you would like to deploy it on its own, add the Otterize Helm chart repository and configure the operator:
helm repo add otterize https://helm.otterize.com
helm repo update
helm install otterize-credentials-operator otterize/credentials-operator -n otterize-system --create-namespace
Parameters
Global parameters
| Key | Description | Default |
|---|---|---|
global.certificateProvider | What provider should be used to generate certificates - "spire", "otterize-cloud" or "cert-manager" | "spire" |
global.spire.serverServiceName | If deployed with SPIRE, this key specifies SPIRE-server's service name. You should use either this OR spire.serverAddress (not both). | |
global.allowGetAllResources | If defined overrides | false |
global.commonAnnotations | Annotations to add to all deployed objects | {} |
global.commonLabels | Labels to add to all deployed objects | {} |
global.podAnnotations | Annotations to add to all deployed pods | {} |
global.podLabels | Labels to add to all deployed pods | {} |
global.serviceNameOverrideAnnotationName | Which annotation to use (in the service name resolution algorithm) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | intents.otterize.com/service-name |
cert-manager parameters
| Key | Description | Default |
|---|---|---|
certManager.issuerName | The cert-manager Issuer (or ClusterIssuer if useClusterIssuer is set) to be used for certificate generation | "" |
certManager.useClusterIssuer | Use ClusterIssuer. If false, looks for a namespace-scoped Issuer. | true |
certManager.autoApprove | Makes the credentials-operator auto-approve its CertificateRequests. Use when the cert-manager default auto-approver is disabled. | false |
Operator parameters
| Key | Description | Default |
|---|---|---|
operator.repository | Operator image repository. | otterize |
operator.image | Operator image. | credentials-operator |
operator.tag | Operator image tag. | (pinned to latest version as of this Helm chart version's publish) |
operator.pullPolicy | Operator pull policy. | (none) |
operator.extraEnvVars | Extra environment variables to pass to the credentials operator pod. To set an environment variable: "operator.extraEnvVars[0].name=MY_ENV_VAR", to set its value: "operator.extraEnvVars[0].value=someValue" |
Cloud parameters
| Key | Description | Default |
|---|---|---|
global.otterizeCloud.credentials.clientId | Client ID for connecting to Otterize Cloud. | (none) |
global.otterizeCloud.credentials.clientSecret | Client secret for connecting to Otterize Cloud. | (none) |
global.otterizeCloud.credentials.clientSecretKeyRef.secretName | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | (none) |
global.otterizeCloud.credentials.clientSecretKeyRef.secretKey | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | (none) |
global.otterizeCloud.apiAddress | Overrides Otterize Cloud default API address. | (none) |
global.otterizeCloud.apiExtraCAPEMSecret | The name of a secret containing a single CA.pem file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | (none) |
SPIRE parameters
| Key | Description | Default |
|---|---|---|
spire.serverAddress | Specify the SPIRE-server's address. You should use either this OR global.spire.serverServiceName (not both). | |
spire.socketsPath | SPIRE sockets path. The operator will expect to find agent.sock in the host-mounted folder | "/run/spire/sockets" |
Common parameters
| Key | Description | Default |
|---|---|---|
allowGetAllResources | Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those. | true |
resources | Resources of the container | {} |
AWS integration parameters
| Key | Description | Default |
|---|---|---|
aws.roleARN | ARN of the AWS role the operator will use to access AWS. | (none) |
Credentials operator parameters
| Key | Description | Default |
|---|---|---|
databaseSecretRotationInterval | Interval in which secrets created by the credentials operator will be rotated. Valid time units are "ns", "ms", "s", "m", "h" | 8h |
enableSecretRotation | Whether periodic secret rotation is enabled | false |