Skip to main content

Helm chart

You can use the intents operator's Helm chart to deploy the intents operator on its own, and configure it to work with the Otterize credentials operator to acquire mTLS credentials. But it is recommended to deploy the operator as part of the Otterize OSS Helm chart, which comes with a SPIRE server and the credentials operator, rather than managing it independently.

If you would like to deploy it on its own, add the Otterize Helm chart repository and configure the operator:

  helm repo add otterize https://helm.otterize.com
helm repo update
helm install otterize-intents-operator otterize/intents-operator -n otterize-system --create-namespace

Parameters

Global parameters

KeyDescriptionDefault
global.allowGetAllResourcesIf defined overrides allowGetAllResources.
global.telemetry.enabledIf set to false, anonymous telemetries collection will be disabled.true
global.commonAnnotationsAnnotations to add to all deployed objects.{}
global.commonLabelsLabels to add to all deployed objects.{}
global.podAnnotationsAnnotations to add to all deployed pods.{}
global.podLabelsLabels to add to all deployed pods.{}
global.serviceNameOverrideAnnotationNameWhich annotation to use (in the service name resolution algorithm) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name.intents.otterize.com/service-name
global.aws.enabledEnable or disable AWS integrationfalse
global.aws.eksClusterNameOverrideEKS cluster name (overrides auto-detection)(none)

Operator parameters

KeyDescriptionDefault
operator.repositoryIntents Operator image repository.otterize
operator.imageIntents Operator image.intents-operator
operator.tagIntents Operator image tag.(pinned to latest version as of this Helm chart version's publish)
operator.pullPolicyIntents Operator image pull policy.(none)
operator.pullSecretsIntents Operator image pull secrets.(none)
operator.autoGenerateTLSUsingCredentialsOperatorIf set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate.false
operator.modedefaultActive or defaultShadow.
When defaultActive is set, enforcement is enabled by default.
When defaultShadow is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource.
defaultActive
operator.enableEnforcement(Deprecated; use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings.true
operator.enableNetworkPolicyCreationWhether the operator should create ingress network policies according to ClientIntents.true
operator.enableEgressNetworkPolicyCreationWhether the operator should create egress network policies according to ClientIntents.false
operator.enableKafkaACLCreationWhether the operator should create Kafka ACL rules according to ClientIntents of type Kafka.true
operator.enableIstioPolicyCreationWhether the operator should create Istio authorization policies according to ClientIntents.true
operator.allowExternalTrafficifBlockedByOtterize, off or always. Specify how the operator handles external traffic for Ingress/Service resources: ifBlockedByOtterize automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing off may necessitate manual network policy creation to allow external traffic, while always automatically creates policies for all such resource that are visible to the operator.ifBlockedByOtterize
operator.ingressControllerConfigsRestricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys name, namespace and kind, such as ingress-nginx-controller, nginx and Deployment.(none)
operator.ingressControllerAWSALBExemptIf set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller.false
operator.externallyManagedPolicyWorkloadsWorkloads for which the intents-operator should not manage network policies. These are assumed to have externally managed network policies, which will allow any traffic to/from them.(none)
operator.resourcesResources override.
operator.enableDatabaseCredentialsCreationEnables support for database intentstrue
operator.hostNetworkUse hostNetwork instead of pod networkingfalse
operator.metricsPortSpecify metrics binding port
enforcedNamespacesWhen using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active.(nil)
watchedNamespacesList of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list.(nil) meaning watch all
extraEnvVarsExtra environment variables to pass to the intents operator pod. To set an environment variable: "extraEnvVars[0].name=MY_ENV_VAR", to set its value: "extraEnvVars[0].value=someValue"

Cloud parameters

KeyDescriptionDefault
global.otterizeCloud.credentials.clientIdClient ID for connecting to Otterize Cloud.(none)
global.otterizeCloud.credentials.clientSecretClient secret for connecting to Otterize Cloud.(none)
global.otterizeCloud.credentials.clientSecretKeyRef.secretNameIf specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.(none)
global.otterizeCloud.credentials.clientSecretKeyRef.secretKeyIf specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.(none)
global.otterizeCloud.apiAddressOverrides Otterize Cloud default API address.(none)
global.otterizeCloud.apiExtraCAPEMSecretThe name of a secret containing a single CA.pem file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment.(none)

Common parameters

KeyDescriptionDefault
allowGetAllResourcesGives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those.true

AWS integration parameters

KeyDescriptionDefault
aws.roleARNARN of the AWS role the operator will use to access AWS.(none)