Rename external traffic flags
NetanelBollag committed Oct 4, 2023
1 parent 26f4699 commit a255b37
Showing 6 changed files with 59 additions and 34 deletions.
33 changes: 17 additions & 16 deletions intents-operator/README.md
@@ -12,22 +12,23 @@
| `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](https://docs.otterize.com/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` |

## Operator parameters
| Key | Description | Default |
|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` |
| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |
| Key | Description | Default |
|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| `operator.image.repository` | Intents Operator image repository. | `otterize` |
| `operator.image.image` | Intents Operator image. | `intents-operator` |
| `operator.image.tag` | Intents Operator image tag. | `latest` |
| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` |
| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` |
| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` |
| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` |
| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` |
| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` |
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` |

## Watcher parameters
| Key | Description | Default |
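Review bot: the new `operator.allowExternalTraffic` row leaves it unclear which value is experimental and has grammar slips; per the helper in this same commit it is `always` (the replacement for `...DisableIntentsRequirement`) that inherits the experimental label, so attach the marker to that value and change "automatically create network policies" to "automatically creates network policies" and "all such resource" to "all such resources". The two deprecated rows still show defaults of `true` and `false`, yet the chart now aborts rendering whenever either key is set to any value at all and values.yaml leaves them unset, so their Default cells should read as unset and the description should say that setting them is a hard error; otherwise an operator with `autoCreateNetworkPoliciesForExternalTraffic: false` in their values will read this table and expect the old behaviour to still apply. It is also worth spelling out the exposure ordering: `off` adds no policies beyond the ClientIntents-derived ones, `ifBlockedByOtterize` adds allow-policies only where Otterize itself would otherwise block an Ingress/Service, and `always` adds them for every Ingress/Service the operator can see with no ClientIntents required.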
15 changes: 15 additions & 0 deletions intents-operator/templates/_helpers.tpl
@@ -34,3 +34,18 @@ false
{{- fail (printf "Valid values for `mode`: `defaultActive` and `defaultShadow`, but you specified `%s`" .Values.operator.mode) -}}
{{- end -}}
{{- end -}}

{{- define "otterize.operator.allowExternalTraffic" -}}
{{- if or (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTraffic) ) (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement) ) -}}
{{- fail "`autoCreateNetworkPoliciesForExternalTraffic` is deprecated, please use `allowExternalTraffic` instead. \nValid values for `allowExternalTraffic`: \n\t`off` \t\t\t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=false) \n\t`ifBlockedByOtterize` \t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=true) \n\t`always` \t\t(equivalent to `autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement`=true)" -}}
{{- end -}}
{{- if (eq "off" .Values.operator.allowExternalTraffic) -}}
off
{{- else if (eq "always" .Values.operator.allowExternalTraffic) -}}
always
{{- else if (eq "ifBlockedByOtterize" .Values.operator.allowExternalTraffic) -}}
if-blocked-by-otterize
{{- else -}}
{{- fail (printf "Valid values for `allowExternalTraffic`: `off`, `ifBlockedByOtterize` and `always`, but you specified `%s`" .Values.operator.allowExternalTraffic) -}}
{{- end -}}
{{- end -}}
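Review bot: the final `fail` in the new define formats the rejected value with `%s`, so a non-string value (for example a YAML boolean) is reported as `%!s(bool=false)` rather than the value the user wrote; use `%v` so the error stays readable. The mapping also translates only one of the three values, emitting `if-blocked-by-otterize` for `ifBlockedByOtterize` while passing `off` and `always` through unchanged; a one-line comment above the define stating that the output is the operator's flag vocabulary, not the Helm key vocabulary, would stop the next reader from treating the kebab-case literal as a typo. The deprecated-key check via `kindIs "invalid"` is the right fail-closed choice: any explicit value, including `false`, aborts the render instead of silently changing which network policies get created.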
7 changes: 1 addition & 6 deletions intents-operator/templates/intents-operator-deployment.yaml
@@ -56,12 +56,7 @@ spec:
{{- if eq false .Values.operator.enableKafkaACLCreation }}
- --enable-kafka-acl-creation=false
{{- end }}
{{- if eq false .Values.operator.autoCreateNetworkPoliciesForExternalTraffic }}
- --auto-create-network-policies-for-external-traffic=false
{{- end }}
{{- if eq true .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement }}
- --exp-auto-create-network-policies-for-external-traffic-disable-intents-requirement=true
{{- end }}
- --allow-external-traffic={{ template "otterize.operator.allowExternalTraffic" . }}
{{- range .Values.watchedNamespaces }}
- --watched-namespaces={{ . | quote }}
{{- end }}
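Review bot: `--allow-external-traffic=` is now emitted unconditionally, whereas the two flags it replaces were only added when set to a non-default value, so the chart now hard-requires an operator image that understands the new flag; anyone pinning `operator.image.tag` to a pre-rename image will get the operator failing on an unknown flag after a chart upgrade. State the minimum compatible image in the README row and bump the chart's appVersion in the same change (only four of the six changed files are shown here, so that may already be covered). On the positive side the default is preserved: the old defaults `autoCreateNetworkPoliciesForExternalTraffic=true` plus `...DisableIntentsRequirement=false` map to `ifBlockedByOtterize`, which is what the helper now emits when nothing is set.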
Expand Down
17 changes: 15 additions & 2 deletions intents-operator/values.yaml
@@ -15,8 +15,21 @@ operator:
# In either case, you can also use the other flags that control network policy creation, etc, to disable enforcement for a specific
enableNetworkPolicyCreation: true
enableKafkaACLCreation: true
autoCreateNetworkPoliciesForExternalTraffic: true
autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: false
# **Deprecated, use allowExternalTraffic instead**
autoCreateNetworkPoliciesForExternalTraffic: # deprecated, use allowExternalTraffic instead
# **Deprecated, use allowExternalTraffic instead**
autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: # deprecated, use allowExternalTraffic instead

# `allowExternalTraffic` controls whether the intents-operator will automatically create network policies for services
# that are accessible to external traffic.
# Possible values are:
# - `ifBlockedByOtterize` (default) - only create network policies for services that are protected by otterize
# - `off` - never create network policies for external traffic. If server is protected by
# otterize and meant to be accessible from outside the cluster, it may need a
# manually created network policy to allow external traffic
# - `always` - create network policies for every service that is accessible from outside the
# cluster, regardless of whether it is protected by otterize or not
allowExternalTraffic: ifBlockedByOtterize
enableIstioPolicyCreation: true
enableDatabaseReconciler: false

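Review bot: the comment recommends the literal `off`, but an unquoted `off` in a YAML 1.1 values file is decoded as the boolean `false`, so `allowExternalTraffic: off` never matches the string comparison in the helper and the render fails with a confusing error; document it as `allowExternalTraffic: "off"` (quoted) and consider quoting the other two for consistency. The `always` entry should carry the **experimental** label the README gives it and say plainly that it creates allow-policies for every externally reachable Ingress/Service with no ClientIntents required, since that is the value that widens exposure the most; `ifBlockedByOtterize` would be more precise as "only where an Otterize-created policy would otherwise block an Ingress/Service's external traffic" rather than "services that are protected by otterize". The two deprecated keys carry the deprecation notice twice (a comment line above and a trailing comment on the same line); keep one and add that any value set on them, including `false`, aborts rendering.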