Merge branch 'netanelb/rename-allow-external-policy-flags' into HEAD
NetanelBollag committed Nov 12, 2023
2 parents 35ccd9d + 9bca9b8 commit dacc9aa
Showing 8 changed files with 61 additions and 37 deletions.
2 changes: 1 addition & 1 deletion intents-operator/Chart.yaml
@@ -3,7 +3,7 @@ name: intents-operator
description: Otterize intents operator
type: application
version: 1.0.1
appVersion: v1.0.42
appVersion: v1.0.43
home: https://github.com/otterize/intents-operator
sources:
- https://github.com/otterize/intents-operator
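Review bot: `version: 1.0.1` is left unchanged while `appVersion` moves to v1.0.43, yet this commit changes the chart itself (a new define in `_helpers.tpl`, a renamed flag in the deployment template, new and deprecated keys in values.yaml). Helm consumers pin and diff on the chart version, so bump `version` together with `appVersion`; since previously valid values now make the chart fail to render, a minor bump rather than a patch bump is warranted.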
35 changes: 18 additions & 17 deletions intents-operator/README.md

Large diffs are not rendered by default.

@@ -4,7 +4,6 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.0
"helm.sh/resource-policy": keep
creationTimestamp: null
name: kafkaserverconfigs.k8s.otterize.com
spec:
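Review bot: the header `@@ -4,7 +4,6 @@` shows one line dropped from this CRD's metadata, and the only line here that is not standard controller-gen output is `"helm.sh/resource-policy": keep`. Without that annotation Helm deletes the `kafkaserverconfigs.k8s.otterize.com` CRD on `helm uninstall`, and Kubernetes then garbage-collects every KafkaServerConfig object in the cluster along with it. That has nothing to do with the flag rename in the commit message; either leave it out of this merge or state in the message that losing KafkaServerConfig resources on uninstall is intended.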
15 changes: 15 additions & 0 deletions intents-operator/templates/_helpers.tpl
@@ -34,3 +34,18 @@ false
{{- fail (printf "Valid values for `mode`: `defaultActive` and `defaultShadow`, but you specified `%s`" .Values.operator.mode) -}}
{{- end -}}
{{- end -}}

{{- define "otterize.operator.allowExternalTraffic" -}}
{{- if or (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTraffic) ) (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement) ) -}}
{{- fail "`autoCreateNetworkPoliciesForExternalTraffic` is deprecated, please use `allowExternalTraffic` instead. \nValid values for `allowExternalTraffic`: \n\t`off` \t\t\t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=false) \n\t`ifBlockedByOtterize` \t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=true) \n\t`always` \t\t(equivalent to `autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement`=true)" -}}
{{- end -}}
{{- if (eq "off" .Values.operator.allowExternalTraffic) -}}
off
{{- else if (eq "always" .Values.operator.allowExternalTraffic) -}}
always
{{- else if (eq "ifBlockedByOtterize" .Values.operator.allowExternalTraffic) -}}
if-blocked-by-otterize
{{- else -}}
{{- fail (printf "Valid values for `allowExternalTraffic`: `off`, `ifBlockedByOtterize` and `always`, but you specified `%s`" .Values.operator.allowExternalTraffic) -}}
{{- end -}}
{{- end -}}
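Review bot: the final `else` branch of the new define also catches an unset value. When `.Values.operator.allowExternalTraffic` is nil (a values file that sets it to `null`, or a parent chart that does not supply it), `eq` compares false in all three branches on current Helm builds and the message ends with `you specified %!s(<nil>)`. Either apply a default first, e.g. `{{- $v := .Values.operator.allowExternalTraffic | default "ifBlockedByOtterize" -}}`, or give nil its own message. Failing the render when either deprecated key is set at all, even to its old default, is the right call for a setting that decides whether network policies get created: silently ignoring it would leave users with different enforcement than they configured. The mapping from `ifBlockedByOtterize` to `if-blocked-by-otterize` deserves a comment in the define, since pod specs and operator logs show the kebab-case form while the README documents the camelCase one.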
7 changes: 1 addition & 6 deletions intents-operator/templates/intents-operator-deployment.yaml
@@ -56,12 +56,7 @@ spec:
{{- if eq false .Values.operator.enableKafkaACLCreation }}
- --enable-kafka-acl-creation=false
{{- end }}
{{- if eq false .Values.operator.autoCreateNetworkPoliciesForExternalTraffic }}
- --auto-create-network-policies-for-external-traffic=false
{{- end }}
{{- if eq true .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement }}
- --exp-auto-create-network-policies-for-external-traffic-disable-intents-requirement=true
{{- end }}
- --allow-external-traffic={{ template "otterize.operator.allowExternalTraffic" . }}
{{- range .Values.watchedNamespaces }}
- --watched-namespaces={{ . | quote }}
{{- end }}
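Review bot: the flag is now emitted unconditionally, which helps auditing: the external-traffic policy is visible in the rendered Deployment instead of depending on the binary's built-in default. It also hard-couples this chart to an operator image that accepts `--allow-external-traffic` and no longer expects `--exp-auto-create-network-policies-for-external-traffic-disable-intents-requirement`; anyone overriding the image tag to a release older than the v1.0.43 `appVersion` set in Chart.yaml gets a pod that exits on an unknown flag. Call that out in the release notes.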
17 changes: 15 additions & 2 deletions intents-operator/values.yaml
@@ -15,8 +15,21 @@ operator:
# In either case, you can also use the other flags that control network policy creation, etc, to disable enforcement for a specific
enableNetworkPolicyCreation: true
enableKafkaACLCreation: true
autoCreateNetworkPoliciesForExternalTraffic: true
autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: false
# **Deprecated, use allowExternalTraffic instead**
autoCreateNetworkPoliciesForExternalTraffic: # deprecated, use allowExternalTraffic instead
# **Deprecated, use allowExternalTraffic instead**
autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: # deprecated, use allowExternalTraffic instead

# `allowExternalTraffic` controls whether the intents-operator will automatically create network policies for services
# that are accessible to external traffic.
# Possible values are:
# - `ifBlockedByOtterize` (default) - only create network policies for services that are protected by otterize
# - `off` - never create network policies for external traffic. If server is protected by
# otterize and meant to be accessible from outside the cluster, it may need a
# manually created network policy to allow external traffic
# - `always` - create network policies for every service that is accessible from outside the
# cluster, regardless of whether it is protected by otterize or not
allowExternalTraffic: ifBlockedByOtterize
enableIstioPolicyCreation: true
enableDatabaseReconciler: false
enableEgressNetworkPolicyCreation: false
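Review bot: the two inline `# deprecated, use allowExternalTraffic instead` comments repeat the `# **Deprecated, use allowExternalTraffic instead**` line directly above each key; keep one form. The `always` description here omits the experimental caveat that the otterize-kubernetes README attaches to that value; since `always` creates allow policies for every externally reachable service whether or not Otterize protects it, the caveat belongs in the file operators actually edit. Also worth a comment: leaving the deprecated keys present with a null value is exactly what keeps the `kindIs "invalid"` check in `_helpers.tpl` from firing, so someone tidying them into `false` would break their install.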
19 changes: 10 additions & 9 deletions otterize-kubernetes/README.md
@@ -41,15 +41,16 @@ These parameters are used by multiple charts, and must be kept the same for the
All configurable parameters of intents-operator can be configured under the alias `intentsOperator`.
Further information about intents-operator parameters can be found [in the Intents Operator's helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator).

| Key | Description | Default |
|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` |
| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` |
| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` |
| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` |
| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` |
| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` |
| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |
| Key | Description | Default |
|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` |
| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` |
| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` |
| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` |
| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` |
| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` |
| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` |

## Telemetry

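Review bot: the new `autoCreateNetworkPoliciesForExternalTraffic` row still lists `true` as its default, but values.yaml in this same commit sets the key to null and the chart fails to render if it is given any value; the Default cell should say none (or the row should be dropped) and the description should warn that setting it is an error. In the `allowExternalTraffic` row, "automatically create network policies" should read "automatically creates network policies" and "all such resource" should be "all such resources". Unchanged but cheap to fix while here: the `operator.mode` row is missing the `intentsOperator.` prefix every other key in the table uses.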
2 changes: 1 addition & 1 deletion otterize-kubernetes/values.yaml
@@ -57,7 +57,7 @@ intentsOperator:
autoGenerateTLSUsingCredentialsOperator: true
enableNetworkPolicyCreation: true
enableKafkaACLCreation: true
autoCreateNetworkPoliciesForExternalTraffic: true
allowExternalTraffic: ifBlockedByOtterize
enableIstioPolicyCreation: true
watchedNamespaces: null # by default, watch all
