Otterize OSS Helm chart
The Otterize OSS Helm chart is a chart that installs all Otterize components and supporting components together, and configures them to work with each other. For example, it configures the credentials operator to work with the deployed SPIRE server, and the intents operator to get mTLS credentials from the credentials operator.
Parameters
Deployment parameters
| Key | Description | Default |
|---|---|---|
global.deployment.spire | Whether or not to deploy SPIRE. Required for mTLS, if not using Otterize Cloud. | true |
global.deployment.credentialsOperator | Whether or not to deploy credentials-operator. Required to provision mTLS credentials, database username/password, and AWS IAM roles. | true |
global.deployment.intentsOperator | Whether or not to deploy intents-operator. | true |
global.deployment.networkMapper | Whether or not to deploy network-mapper. | true |
Global parameters
These parameters are used by multiple charts, and must be kept the same for the correct functioning of the separate components.
| Key | Description | Default |
|---|---|---|
global.spiffe.CASubject | The Subject that CA certificates should use (see below). | |
global.spiffe.CASubject.country | SPIRE's CA certificates Country value. | "US" |
global.spiffe.CASubject.organization | SPIRE's CA certificates Organization Value. | "SPIRE" |
global.spiffe.trustDomain | The trust domain that SPIRE will use. | "example.org" |
global.certificateProvider | What provider should be used to generate certificates/credentials - "spire", "otterize-cloud" or "cert-manager" | "spire" |
global.spire.serverServiceName | Name of the Kubernetes service that will be created for SPIRE-server. | |
global.allowGetAllResources | If defined overrides allowGetAllResources in subcharts. Gives get, list and watch permission to watch on all resources. This is used to resolve service names when pods have owners that are custom resources. When disabled, a limited set of permissions is used that only allows access to built-in Kubernetes resources that deploy Pods and Pods themselves - Deployments, StatefulSets, DaemonSets, ReplicaSets and Services. Resolving may not be able to complete if the owning resource is not one of those. | |
global.telemetry.enabled | If set to false, anonymous telemetries collection will be disabled | true |
global.commonAnnotations | Annotations to add to all deployed objects | {} |
global.commonLabels | Labels to add to all deployed objects | {} |
global.podAnnotations | Annotations to add to all deployed pods | {} |
global.podLabels | Labels to add to all deployed pods | {} |
global.serviceNameOverrideAnnotationName | Which annotation to use (in the service name resolution algorithm) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | intents.otterize.com/service-name |
Cloud parameters
| Key | Description | Default |
|---|---|---|
global.otterizeCloud.credentials.clientId | Client ID for connecting to Otterize Cloud. | (none) |
global.otterizeCloud.credentials.clientSecret | Client secret for connecting to Otterize Cloud. | (none) |
global.otterizeCloud.credentials.clientSecretKeyRef.secretName | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | (none) |
global.otterizeCloud.credentials.clientSecretKeyRef.secretKey | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret. | (none) |
global.otterizeCloud.apiAddress | Overrides Otterize Cloud default API address. | (none) |
global.otterizeCloud.apiExtraCAPEMSecret | The name of a secret containing a single CA.pem file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | (none) |
AWS Integration parameters
| Key | Description | Default |
|---|---|---|
global.aws.enabled | Enable or disable AWS integration | false |
global.aws.eksClusterNameOverride | EKS cluster name (overrides auto-detection) | (none) |
Intents operator parameters
All configurable parameters of intents-operator can be configured under the alias intentsOperator.
Further information about intents-operator parameters can be found in the intents operator's Helm chart.
| Key | Description | Default |
|---|---|---|
intentsOperator.operator.repository | Intents Operator image repository. | otterize |
intentsOperator.operator.image | Intents Operator image. | intents-operator |
intentsOperator.operator.tag | Intents Operator image tag. | (pinned to latest version as of this Helm chart version's publish) |
intentsOperator.operator.pullPolicy | Intents Operator image pull policy. | (none) |
intentsOperator.operator.autoGenerateTLSUsingCredentialsOperator | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | false |
intentsOperator.operator.mode | defaultActive or defaultShadow. When defaultActive is set, enforcement is enabled by default. When defaultShadow is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | defaultActive |
intentsOperator.operator.enableEnforcement | (Deprecated; use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | true |
intentsOperator.operator.enableNetworkPolicyCreation | Whether the operator should create ingress network policies according to ClientIntents. | true |
intentsOperator.operator.enableEgressNetworkPolicyCreation | Whether the operator should create egress network policies according to ClientIntents. | false |
intentsOperator.operator.enableKafkaACLCreation | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka. | true |
intentsOperator.operator.enableIstioPolicyCreation | Whether the operator should create Istio authorization policies according to ClientIntents. | true |
intentsOperator.operator.allowExternalTraffic | ifBlockedByOtterize, off or always. Specify how the operator handles external traffic for Ingress/Service resources: ifBlockedByOtterize automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing off may necessitate manual network policy creation to allow external traffic, while always automatically creates policies for all such resource that are visible to the operator. | ifBlockedByOtterize |
intentsOperator.operator.ingressControllerConfigs | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys name, namespace and kind, such as ingress-nginx-controller, nginx and Deployment. | (none) |
intentsOperator.operator.ingressControllerAWSALBExempt | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | false |
intentsOperator.operator.resources | Resources override. | |
intentsOperator.operator.enableDatabaseCredentialsCreation | Enables support for database intents | true |
intentsOperator.enforcedNamespaces | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | (nil) |
intentsOperator.operator.extraEnvVars | Extra environment variables to pass to the intents operator pod. To set an environment variable: "intentsOperator.operator.extraEnvVars[0].name=MY_ENV_VAR", to set its value: "intentsOperator.operator.extraEnvVars[0].value=someValue" |
SPIRE parameters
All configurable parameters of SPIRE can be configured under the alias spire.
Further information about SPIRE parameters can be found in SPIRE's Helm chart.
Network mapper parameters
All configurable parameters of the network mapper can be configured under the alias networkMapper.
Further information about network mapper parameters can be found in the network mapper's chart.
| Key | Description | Default |
|---|---|---|
networkMapper.mapper.extraEnvVars | Extra environment variables to pass to the network mapper pod. To set an environment variable: "networkMapper.mapper.extraEnvVars[0].name=MY_ENV_VAR", to set its value: "networkMapper.mapper.extraEnvVars[0].value=someValue" |
Credentials operator parameters
All configurable parameters of the credentials operator can be configured under the alias credentialsOperator.
Further information about network mapper parameters can be found in the credentials operator's chart.
| Key | Description | Default |
|---|---|---|
credentialsOperator.databaseSecretRotationInterval | Interval in which secrets created by the credentials operator will be rotated. Valid time units are "ns", "ms", "s", "m", "h" | 8h |
credentialsOperator.enableSecretRotation | Whether periodic secret rotation is enabled | false |
credentialsOperator.operator.extraEnvVars | Extra environment variables to pass to the credentials operator pod. To set an environment variable: "credentialsOperator.operator.extraEnvVars[0].name=MY_ENV_VAR", to set its value: "credentialsOperator.operator.extraEnvVars[0].value=someValue" |
Resource configuration
| Component | Key | Default |
|---|---|---|
| Intents operator | intentsOperator.operator.resources | (none) |
| Intents operator - watcher | intentsOperator.watcher.resources | (none) |
| SPIRE Server | spire.server.resources | (none) |
| SPIRE Agent | spire.agent.resources | (none) |
| credentials operator | credentialsOperator.resources | (none) |