operator.repository | Intents Operator image repository. | otterize |
operator.image | Intents Operator image. | intents-operator |
operator.tag | Intents Operator image tag. | (pinned to latest version as of this Helm chart version's publish) |
operator.pullPolicy | Intents Operator image pull policy. | (none) |
operator.pullSecrets | Intents Operator image pull secrets. | (none) |
operator.autoGenerateTLSUsingCredentialsOperator | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | false |
operator.mode | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | defaultActive |
operator.enableEnforcement | (Deprecated; use mode instead) If set to false, enforcement is disabled globally (for both network policies and Kafka ACLs). If true, you may use the other flags for more granular enforcement settings. | true |
operator.enableNetworkPolicyCreation | Whether the operator should create ingress network policies according to `ClientIntents`. | true |
operator.enableEgressNetworkPolicyCreation | Whether the operator should create egress network policies according to `ClientIntents`. | false |
operator.enableKafkaACLCreation | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka. | true |
operator.enableIstioPolicyCreation | Whether the operator should create Istio authorization policies according to `ClientIntents`. | true |
operator.allowExternalTraffic | `ifBlockedByOtterize`, `off` or `always`. Specifies how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically creates network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resources that are visible to the operator. | ifBlockedByOtterize |
operator.ingressControllerConfigs | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | (none) |
operator.ingressControllerAWSALBExempt | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | false |
operator.externallyManagedPolicyWorkloads | Workloads for which the intents-operator should not manage network policies. These are assumed to have externally managed network policies, which will allow any traffic to/from them. | (none) |
operator.resources | Resources override. | |
operator.enableDatabaseCredentialsCreation | Enables support for database intents. | true |
operator.hostNetwork | Use hostNetwork instead of pod networking. | false |
operator.metricsPort | Specify metrics binding port. | |
enforcedNamespaces | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | (nil) |
watchedNamespaces | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | (nil) meaning watch all |
extraEnvVars | Extra environment variables to pass to the intents operator pod. To set an environment variable: `extraEnvVars[0].name=MY_ENV_VAR`; to set its value: `extraEnvVars[0].value=someValue`. | |