From 66293d5d32c1ae34de13d38dac180071597dbf60 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Wed, 4 Oct 2023 18:36:48 +0300 Subject: [PATCH 01/13] Add v1alpha3 version of intents with conversion webhook --- ...lientintents-customresourcedefinition.yaml | 357 ++++++++++++------ ...erverconfigs-customresourcedefinition.yaml | 1 - ...ctedservices-customresourcedefinition.yaml | 1 - 3 files changed, 244 insertions(+), 115 deletions(-) diff --git a/intents-operator/crds/clientintents-customresourcedefinition.yaml b/intents-operator/crds/clientintents-customresourcedefinition.yaml index 1f5f4256..b2d04741 100644 --- a/intents-operator/crds/clientintents-customresourcedefinition.yaml +++ b/intents-operator/crds/clientintents-customresourcedefinition.yaml @@ -1,13 +1,21 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 - "helm.sh/resource-policy": keep creationTimestamp: null name: clientintents.k8s.otterize.com spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: intents-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 group: k8s.otterize.com names: kind: ClientIntents 
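Review bot: The added `conversion.webhook.clientConfig` carries no `caBundle`, so unless something injects one after install the API server cannot verify the webhook's serving certificate and every conversion request fails; nothing in this hunk shows what provides it, so it should be documented. The `namespace: {{ .Release.Namespace }}` value sits in a file under `crds/`, a directory Helm installs verbatim without rendering, so the literal template text would be submitted to the API server, and any other YAML loader reads an unquoted `{{` as a flow mapping rather than a string. Suggest a comment above `clientConfig` such as `# caBundle is injected after install by <injector — TODO confirm>; Helm does not template crds/, so this namespace must match where the webhook Service is deployed`.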
@@ -16,126 +24,249 @@ spec: singular: clientintents scope: Namespaced versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClientIntents is the Schema for the intents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1alpha2 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IntentsSpec defines the desired state of ClientIntents - properties: - calls: - items: - properties: - databaseResources: - items: - properties: - operations: - items: - enum: - - ALL - - SELECT - - INSERT - - UPDATE - - DELETE + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE + type: string + type: array + table: + type: string + required: + - operations + - table + type: object + type: array + name: + type: string + resources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT + type: string + type: array + path: type: string - type: array - table: - type: string - required: - - operations - - table - type: object - type: array + required: + - methods + - path + type: object + type: array + topics: + items: + properties: + name: + type: string + operations: + items: + enum: + - all + - consume + - produce + - create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite + type: string + type: array + required: + - name + - operations + type: object + type: array + type: + enum: + - http + - kafka + - database + type: string + required: + - name + type: object + type: array + service: + properties: name: type: string - resources: - items: - properties: - methods: - items: - enum: - - GET - - POST - - PUT - - DELETE - - OPTIONS - - TRACE - - PATCH - - CONNECT + required: + - name + type: object + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + 
type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + HTTPResources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT + type: string + type: array + path: type: string - type: array - path: - type: string - required: - - methods - - path - type: object - type: array - topics: - items: - properties: - name: - type: string - operations: - items: - enum: - - all - - consume - - produce - - create - - alter - - delete - - describe - - ClusterAction - - DescribeConfigs - - AlterConfigs - - IdempotentWrite + required: + - methods + - path + type: object + type: array + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE + type: string + type: array + table: type: string - type: array - required: - - name - - operations - type: object - type: array - type: - enum: - - http - - kafka - - database + required: + - operations + - table + type: object + 
type: array + kafkaTopics: + items: + properties: + name: + type: string + operations: + items: + enum: + - all + - consume + - produce + - create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite + type: string + type: array + required: + - name + - operations + type: object + type: array + name: + type: string + type: + enum: + - http + - kafka + - database + type: string + required: + - name + type: object + type: array + service: + properties: + name: type: string required: - - name + - name type: object - type: array - service: - properties: - name: - type: string - required: - - name - type: object - required: - - calls - - service - type: object - status: - description: IntentsStatus defines the observed state of ClientIntents - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml index d7d5700d..970748fe 100644 --- a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml +++ b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml @@ -4,7 +4,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 - "helm.sh/resource-policy": keep creationTimestamp: null name: kafkaserverconfigs.k8s.otterize.com spec: diff --git a/intents-operator/crds/protectedservices-customresourcedefinition.yaml b/intents-operator/crds/protectedservices-customresourcedefinition.yaml index 85f3cb6d..668ed3ab 100644 --- a/intents-operator/crds/protectedservices-customresourcedefinition.yaml 
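Review bot: Flipping `storage` from v1alpha2 to v1alpha3 means every ClientIntents object already persisted as v1alpha2 must pass through the conversion webhook on each read, list and watch, so a webhook outage — including the operator's own restart, if the operator is what serves `/convert` — makes the existing intents unreadable to the controller that enforces them. The hunk also keeps v1alpha2 served, so the CRD's `status.storedVersions` retains both entries until a storage-version migration rewrites the old objects, and the API server will reject removing v1alpha2 from the CRD until that is done. A smaller point of style: the new `HTTPResources` key sits beside `databaseResources` and `kafkaTopics`, breaking the camelCase used by the rest of the schema; if the Go type's json tag is still open to change, `httpResources` would be consistent. Consider a comment beside the v1alpha3 `storage: true` line such as `# storage version; v1alpha2 objects are converted on every read via the conversion webhook, so it must stay reachable`.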
+++ b/intents-operator/crds/protectedservices-customresourcedefinition.yaml @@ -4,7 +4,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 - "helm.sh/resource-policy": keep creationTimestamp: null name: protectedservices.k8s.otterize.com spec: From 3b17b2ec6e73ba7521b1d3132357bf765bc50b92 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 5 Oct 2023 14:42:32 +0300 Subject: [PATCH 02/13] merge from main --- ...lientintents-customresourcedefinition.yaml | 452 +++++++++--------- .../intents-operator-manager-clusterrole.yaml | 20 - ...rize-validating-webhook-configuration.yaml | 30 +- 3 files changed, 246 insertions(+), 256 deletions(-) diff --git a/intents-operator/crds/clientintents-customresourcedefinition.yaml b/intents-operator/crds/clientintents-customresourcedefinition.yaml index b2d04741..8597df70 100644 --- a/intents-operator/crds/clientintents-customresourcedefinition.yaml +++ b/intents-operator/crds/clientintents-customresourcedefinition.yaml @@ -15,7 +15,7 @@ spec: namespace: {{ .Release.Namespace }} path: /convert conversionReviewVersions: - - v1 + - v1 group: k8s.otterize.com names: kind: ClientIntents 
@@ -24,249 +24,249 @@ spec: singular: clientintents scope: Namespaced versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClientIntents is the Schema for the intents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1alpha2 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IntentsSpec defines the desired state of ClientIntents - properties: - calls: - items: - properties: - databaseResources: - items: - properties: - operations: - items: - enum: - - ALL - - SELECT - - INSERT - - UPDATE - - DELETE - type: string - type: array - table: + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE type: string - required: - - operations - - table - type: object - type: array - name: - type: string - resources: - items: - properties: - methods: - items: - enum: - - GET - - POST - - PUT - - DELETE - - OPTIONS - - TRACE - - PATCH - - CONNECT - type: string - type: array - path: + type: array + table: + type: string + required: + - operations + - table + type: object + type: array + name: + type: string + resources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT type: string - required: - - methods - - path - type: object - type: array - topics: - items: - properties: - name: + type: array + path: + type: string + required: + - methods + - path + type: object + type: array + topics: + items: + properties: + name: + type: string + operations: + items: + enum: + - all + - consume + - produce + - create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite type: string - operations: - items: - enum: - - all - - consume - - produce - - create - - alter - - delete - - describe - - ClusterAction - - DescribeConfigs - - AlterConfigs - - IdempotentWrite - type: string - type: array - required: - - name - - 
operations - type: object - type: array - type: - enum: - - http - - kafka - - database - type: string - required: - - name - type: object - type: array - service: - properties: - name: + type: array + required: + - name + - operations + type: object + type: array + type: + enum: + - http + - kafka + - database type: string required: - - name + - name type: object - required: - - calls - - service - type: object - status: - description: IntentsStatus defines the observed state of ClientIntents - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - description: ClientIntents is the Schema for the intents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + type: array + service: + properties: + name: + type: string + required: + - name + type: object + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IntentsSpec defines the desired state of ClientIntents - properties: - calls: - items: - properties: - HTTPResources: - items: - properties: - methods: - items: - enum: - - GET - - POST - - PUT - - DELETE - - OPTIONS - - TRACE - - PATCH - - CONNECT - type: string - type: array - path: + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + HTTPResources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT type: string - required: - - methods - - path - type: object - type: array - databaseResources: - items: - properties: - operations: - items: - enum: - - ALL - - SELECT - - INSERT - - UPDATE - - DELETE - type: string - type: array - table: + type: array + path: + type: string + required: + - methods + - path + type: object + type: array + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE type: string - required: - - operations - - table - type: object - type: array - kafkaTopics: - items: - properties: - name: + type: array + table: + type: string + required: + - operations + - table + type: object + type: array + kafkaTopics: + items: + properties: + name: + type: string + operations: + items: + enum: + - all + - consume + - produce + - create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite type: string - operations: - items: - enum: - - all - - consume - - produce - - create - - alter - - delete - - describe - - ClusterAction - - DescribeConfigs - - AlterConfigs - - IdempotentWrite - type: string - type: array - required: - - name - - operations - type: object - type: 
array - name: - type: string - type: - enum: - - http - - kafka - - database - type: string - required: - - name - type: object - type: array - service: - properties: + type: array + required: + - name + - operations + type: object + type: array name: type: string + type: + enum: + - http + - kafka + - database + type: string required: - - name + - name type: object - required: - - calls - - service - type: object - status: - description: IntentsStatus defines the observed state of ClientIntents - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + service: + properties: + name: + type: string + required: + - name + type: object + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/intents-operator/templates/intents-operator-manager-clusterrole.yaml b/intents-operator/templates/intents-operator-manager-clusterrole.yaml index a9cc88a2..6d26276a 100644 --- a/intents-operator/templates/intents-operator-manager-clusterrole.yaml +++ b/intents-operator/templates/intents-operator-manager-clusterrole.yaml @@ -4,16 +4,6 @@ kind: ClusterRole metadata: creationTimestamp: null name: otterize-intents-operator-manager-role - labels: - {{- with .Values.global.commonLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} - annotations: - {{- with .Values.global.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} rules: - apiGroups: - "" @@ -192,13 +182,3 @@ rules: - patch - update - watch -{{ if or (and (eq .Values.global.allowGetAllResources nil) .Values.allowGetAllResources) .Values.global.allowGetAllResources}} -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -{{ end }} \ No newline at end of file 
diff --git a/intents-operator/templates/otterize-validating-webhook-configuration.yaml b/intents-operator/templates/otterize-validating-webhook-configuration.yaml index af007b78..36f0affd 100644 --- a/intents-operator/templates/otterize-validating-webhook-configuration.yaml +++ b/intents-operator/templates/otterize-validating-webhook-configuration.yaml @@ -1,18 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: intents-operator + app.kubernetes.io/instance: webhook-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: intents-operator + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager +--- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-validating-webhook-configuration - labels: - {{- with .Values.global.commonLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} - annotations: - {{- with .Values.global.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} webhooks: - admissionReviewVersions: - v1 From 5122869dd6bbaa7f66bef2f9457b4c247a8756e9 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 5 Oct 2023 18:24:29 +0300 Subject: [PATCH 03/13] fixup --- ...lientintents-customresourcedefinition.yaml | 1 + ...erverconfigs-customresourcedefinition.yaml | 1 + ...ctedservices-customresourcedefinition.yaml | 1 + ...rize-validating-webhook-configuration.yaml | 40 +++++++++---------- 4 files changed, 23 insertions(+), 20 deletions(-) diff --git a/intents-operator/crds/clientintents-customresourcedefinition.yaml b/intents-operator/crds/clientintents-customresourcedefinition.yaml index 8597df70..27d879f1 100644 
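Review bot: The Service added at the top of this file uses kustomize scaffold values — `namespace: system`, `name: webhook-service`, selector `control-plane: controller-manager` — while the CRD conversion config in this series points at `intents-operator-webhook-service` in the release namespace, so the two do not line up and the Service would be created in a namespace the chart does not manage. Files under `templates/` can use `{{ .Release.Namespace }}` and the chart's own deployment labels; if a Service is needed here it should use them, otherwise it belongs wherever the chart already defines the webhook Service (not visible in this hunk). The hunk also drops the `labels`/`annotations` blocks that propagate `global.commonLabels` and `global.commonAnnotations` onto the ValidatingWebhookConfiguration, which reads as a merge artefact rather than an intended change and is not restored elsewhere in the series.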
--- a/intents-operator/crds/clientintents-customresourcedefinition.yaml +++ b/intents-operator/crds/clientintents-customresourcedefinition.yaml @@ -3,6 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 + "helm.sh/resource-policy": keep creationTimestamp: null name: clientintents.k8s.otterize.com spec: diff --git a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml index 970748fe..d7d5700d 100644 --- a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml +++ b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml @@ -4,6 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 + "helm.sh/resource-policy": keep creationTimestamp: null name: kafkaserverconfigs.k8s.otterize.com spec: diff --git a/intents-operator/crds/protectedservices-customresourcedefinition.yaml b/intents-operator/crds/protectedservices-customresourcedefinition.yaml index 668ed3ab..85f3cb6d 100644 --- a/intents-operator/crds/protectedservices-customresourcedefinition.yaml +++ b/intents-operator/crds/protectedservices-customresourcedefinition.yaml @@ -4,6 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 + "helm.sh/resource-policy": keep creationTimestamp: null name: protectedservices.k8s.otterize.com spec: diff --git a/intents-operator/templates/otterize-validating-webhook-configuration.yaml b/intents-operator/templates/otterize-validating-webhook-configuration.yaml index 36f0affd..c488adda 100644 --- a/intents-operator/templates/otterize-validating-webhook-configuration.yaml +++ b/intents-operator/templates/otterize-validating-webhook-configuration.yaml 
@@ -1,23 +1,3 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: intents-operator - app.kubernetes.io/instance: webhook-service - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: intents-operator - name: webhook-service - namespace: system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - control-plane: controller-manager ---- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -44,6 +24,26 @@ webhooks: resources: - clientintents sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: intents-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-k8s-otterize-com-v1alpha3-clientintents + failurePolicy: Fail + name: clientintentsv1alpha3.kb.io + rules: + - apiGroups: + - k8s.otterize.com + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - clientintents + sideEffects: None - admissionReviewVersions: - v1 clientConfig: From 65c0e4e5889d6f7afa276d49b0365674df4dda47 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Sun, 8 Oct 2023 16:36:59 +0300 Subject: [PATCH 04/13] Add ensure clientIntentsCRD --- .../crds/clientintents-customresourcedefinition.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intents-operator/crds/clientintents-customresourcedefinition.yaml b/intents-operator/crds/clientintents-customresourcedefinition.yaml index 27d879f1..ee6a94b0 100644 --- a/intents-operator/crds/clientintents-customresourcedefinition.yaml +++ b/intents-operator/crds/clientintents-customresourcedefinition.yaml @@ -13,7 +13,7 @@ spec: clientConfig: service: name: intents-operator-webhook-service - namespace: {{ .Release.Namespace }} + namespace: otterize-system path: /convert conversionReviewVersions: - v1 From 82268e5007dccece75d968e0ea580119eb452ec5 Mon Sep 17 00:00:00 2001 
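Review bot: The new v1alpha3 webhook repeats the resource rule of the v1alpha2 entry that ends just above it, and neither sets `matchPolicy`; with the default `Equivalent` the API server sends every clientintents CREATE/UPDATE to both webhooks after converting the object to each entry's `apiVersions`, so each request is validated twice and a `Fail` from either side rejects it. If the handler behind `/validate-k8s-otterize-com-v1alpha3-clientintents` is only meant to see objects submitted as v1alpha3, add `matchPolicy: Exact` to both entries; if double validation is intended, a comment above the new entry saying so, e.g. `# with matchPolicy Equivalent (default) this also receives v1alpha2 submissions, converted`, would save the next reader the question. `failurePolicy: Fail` is the right choice for a policy resource, so that part stands.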
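Review bot: Hard-coding `namespace: otterize-system` ties the CRD to one install namespace: a release installed anywhere else gets a conversion webhook pointing at a Service that does not exist, and because v1alpha3 is the storage version that leaves existing ClientIntents unreadable rather than merely unconvertible. The replaced template expression could never have rendered in `crds/` (Helm does not process that directory), so the direction is right, but the constraint belongs next to the value, e.g. `# Helm does not template crds/; the operator is expected to rewrite this to its own namespace at startup — TODO confirm`, which the commit title ("ensure clientIntentsCRD") suggests is what happens.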
From: "omri.s" Date: Sun, 8 Oct 2023 18:21:57 +0300 Subject: [PATCH 05/13] Add patch permissions to intents clusterRole --- .../intents-operator-manager-clusterrole.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/intents-operator/templates/intents-operator-manager-clusterrole.yaml b/intents-operator/templates/intents-operator-manager-clusterrole.yaml index 6d26276a..d42d6469 100644 --- a/intents-operator/templates/intents-operator-manager-clusterrole.yaml +++ b/intents-operator/templates/intents-operator-manager-clusterrole.yaml @@ -4,6 +4,16 @@ kind: ClusterRole metadata: creationTimestamp: null name: otterize-intents-operator-manager-role + labels: + {{- with .Values.global.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} + annotations: + {{- with .Values.global.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} rules: - apiGroups: - "" @@ -67,6 +77,7 @@ rules: - customresourcedefinitions verbs: - create + - patch - get - list - update @@ -182,3 +193,13 @@ rules: - patch - update - watch +{{ if or (and (eq .Values.global.allowGetAllResources nil) .Values.allowGetAllResources) .Values.global.allowGetAllResources}} +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +{{ end }} \ No newline at end of file From 16f045a4f8264638896773e3529c2e4b767b8a20 Mon Sep 17 00:00:00 2001 From: Netanel Bollag Date: Mon, 2 Oct 2023 20:29:09 +0300 Subject: [PATCH 06/13] Rename external traffic flags --- intents-operator/README.md | 33 ++++++++++--------- intents-operator/templates/_helpers.tpl | 15 +++++++++ .../intents-operator-deployment.yaml | 7 +--- intents-operator/values.yaml | 17 ++++++++-- otterize-kubernetes/README.md | 19 ++++++----- otterize-kubernetes/values.yaml | 2 +- 6 files changed, 59 insertions(+), 34 deletions(-) 
diff --git a/intents-operator/README.md b/intents-operator/README.md
index 6e811815..c5f541f7 100644
--- a/intents-operator/README.md
+++ b/intents-operator/README.md
@@ -12,22 +12,23 @@ | `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](https://docs.otterize.com/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` | ## Operator parameters -| Key | Description | Default | -|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| -| `operator.image.repository` | Intents Operator image repository. | `otterize` | -| `operator.image.image` | Intents Operator image. | `intents-operator` | -| `operator.image.tag` | Intents Operator image tag. | `latest` | -| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | -| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | -| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | -| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | -| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | -| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `operator.resources` | Resources override. | | -| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` | +| Key | Description | Default | +|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| +| `operator.image.repository` | Intents Operator image repository. 
| `otterize` | +| `operator.image.image` | Intents Operator image. | `intents-operator` | +| `operator.image.tag` | Intents Operator image tag. | `latest` | +| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | +| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | +| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | +| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | +| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. 
| `ifBlockedByOtterize` | +| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | +| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `operator.resources` | Resources override. | | +| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` | ## Watcher parameters | Key | Description | Default | diff --git a/intents-operator/templates/_helpers.tpl b/intents-operator/templates/_helpers.tpl index 614024aa..461cab34 100644 --- a/intents-operator/templates/_helpers.tpl +++ b/intents-operator/templates/_helpers.tpl 
@@ -34,3 +34,18 @@ false {{- fail (printf "Valid values for `mode`: `defaultActive` and `defaultShadow`, but you specified `%s`" .Values.operator.mode) -}} {{- end -}} {{- end -}} + +{{- define "otterize.operator.allowExternalTraffic" -}} + {{- if or (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTraffic) ) (not (kindIs "invalid" .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement) ) -}} + {{- fail "`autoCreateNetworkPoliciesForExternalTraffic` is deprecated, please use `allowExternalTraffic` instead. \nValid values for `allowExternalTraffic`: \n\t`off` \t\t\t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=false) \n\t`ifBlockedByOtterize` \t(equivalent to `autoCreateNetworkPoliciesForExternalTraffic`=true) \n\t`always` \t\t(equivalent to `autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement`=true)" -}} + {{- end -}} + {{- if (eq "off" .Values.operator.allowExternalTraffic) -}} +off + {{- else if (eq "always" .Values.operator.allowExternalTraffic) -}} +always + {{- else if (eq "ifBlockedByOtterize" .Values.operator.allowExternalTraffic) -}} +if-blocked-by-otterize + {{- else -}} + {{- fail (printf "Valid values for `allowExternalTraffic`: `off`, `ifBlockedByOtterize` and `always`, but you specified `%s`" .Values.operator.allowExternalTraffic) -}} + {{- end -}} +{{- end -}} diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index 8c838d57..1ee97306 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml 
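Review bot: The `fail` message in the new `otterize.operator.allowExternalTraffic` helper names only `autoCreateNetworkPoliciesForExternalTraffic` as deprecated, but the `if or (...)` guard on the line above also fires when only `autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` is set, so a user who set just the second key is told about a key they never used. Mention both keys in the first line of the message; the per-value equivalence table that follows already covers them. Separately, a user who nulls `allowExternalTraffic` in their values reaches `eq "off" <nil>`, which depending on the Go version either errors with a type-comparison message or falls through to the final `fail` — a `kindIs "invalid" .Values.operator.allowExternalTraffic` check before the `eq` chain, failing with the same valid-values hint, would give one predictable error.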
@@ -56,12 +56,7 @@ spec: {{- if eq false .Values.operator.enableKafkaACLCreation }} - --enable-kafka-acl-creation=false {{- end }} - {{- if eq false .Values.operator.autoCreateNetworkPoliciesForExternalTraffic }} - - --auto-create-network-policies-for-external-traffic=false - {{- end }} - {{- if eq true .Values.operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement }} - - --exp-auto-create-network-policies-for-external-traffic-disable-intents-requirement=true - {{- end }} + - --allow-external-traffic={{ template "otterize.operator.allowExternalTraffic" . }} {{- range .Values.watchedNamespaces }} - --watched-namespaces={{ . | quote }} {{- end }} diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml index 031a24f3..47cc5d2b 100644 --- a/intents-operator/values.yaml +++ b/intents-operator/values.yaml 
@@ -15,8 +15,21 @@ operator: # In either case, you can also use the other flags that control network policy creation, etc, to disable enforcement for a specific enableNetworkPolicyCreation: true enableKafkaACLCreation: true - autoCreateNetworkPoliciesForExternalTraffic: true - autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: false + # **Deprecated, use allowExternalTraffic instead** + autoCreateNetworkPoliciesForExternalTraffic: # deprecated, use allowExternalTraffic instead + # **Deprecated, use allowExternalTraffic instead** + autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement: # deprecated, use allowExternalTraffic instead + + # `allowExternalTraffic` controls whether the intents-operator will automatically create network policies for services + # that are accessible to external traffic. + # Possible values are: + # - `ifBlockedByOtterize` (default) - only create network policies for services that are protected by otterize + # - `off` - never create network policies for external traffic. If server is protected by + # otterize and meant to be accessible from outside the cluster, it may need a + # manually created network policy to allow external traffic + # - `always` - create network policies for every service that is accessible from outside the + # cluster, regardless of whether it is protected by otterize or not + allowExternalTraffic: ifBlockedByOtterize enableIstioPolicyCreation: true enableDatabaseReconciler: false diff --git a/otterize-kubernetes/README.md b/otterize-kubernetes/README.md index cf52ac7e..3b58aedd 100644 --- a/otterize-kubernetes/README.md +++ b/otterize-kubernetes/README.md 
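Review bot: The two deprecated keys are left with bare empty values (`autoCreateNetworkPoliciesForExternalTraffic:`), which parse as null; that is exactly what the chart's `kindIs "invalid"` deprecation check needs, but a bare value reads as an accident and yamllint's empty-values rule flags it. Write it explicitly, `autoCreateNetworkPoliciesForExternalTraffic: null`, and say in the comment that setting any value at all makes the chart fail with a migration hint, so the reader knows the null is load-bearing. The comment above each deprecated key and the inline comment after it repeat the same sentence; keep one.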
@@ -41,15 +41,16 @@ These parameters are used by multiple charts, and must be kept the same for the All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the Intents Operator's helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator). -| Key | Description | Default | -|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------| -| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | -| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | -| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | -| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | -| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | +| Key | Description | Default | +|------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| +| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. 
| `defaultActive` | +| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | +| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | +| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | +| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | ## Telemetry diff --git a/otterize-kubernetes/values.yaml b/otterize-kubernetes/values.yaml index 8fd8e0cc..31961d99 100644 --- a/otterize-kubernetes/values.yaml +++ b/otterize-kubernetes/values.yaml 
@@ -52,7 +52,7 @@ intentsOperator: autoGenerateTLSUsingCredentialsOperator: true enableNetworkPolicyCreation: true enableKafkaACLCreation: true - autoCreateNetworkPoliciesForExternalTraffic: true + allowExternalTraffic: ifBlockedByOtterize enableIstioPolicyCreation: true watchedNamespaces: null # by default, watch all From c3535635464b39e7faff4e5a8953e2783db2b076 Mon Sep 17 00:00:00 2001 From: Netanel Bollag Date: Mon, 16 Oct 2023 19:25:45 +0200 Subject: [PATCH 07/13] Increment version --- intents-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intents-operator/Chart.yaml b/intents-operator/Chart.yaml index 9e2da343..2b96dc8f 100644 --- a/intents-operator/Chart.yaml +++ b/intents-operator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: intents-operator description: Otterize intents operator type: application -version: 1.0.0 +version: 1.0.1 appVersion: v1.0.40 home: https://github.com/otterize/intents-operator sources: From 782b16a0c3acecaa1c775c85b6822f1781e8d8e1 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Wed, 18 Oct 2023 15:51:45 +0300 Subject: [PATCH 08/13] fixup --- .../otterize-validating-webhook-configuration.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/intents-operator/templates/otterize-validating-webhook-configuration.yaml b/intents-operator/templates/otterize-validating-webhook-configuration.yaml index c488adda..613498ae 100644 --- a/intents-operator/templates/otterize-validating-webhook-configuration.yaml +++ b/intents-operator/templates/otterize-validating-webhook-configuration.yaml 
@@ -3,6 +3,16 @@ kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-validating-webhook-configuration + labels: + {{- with .Values.global.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} + annotations: + {{- with .Values.global.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} webhooks: - admissionReviewVersions: - v1 From e871c86c7c20e06187364d5bb67fcc8cd45ee341 Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Thu, 19 Oct 2023 15:12:16 +0200 Subject: [PATCH 09/13] Add conversion webhook to KSC and PS --- ...lientintents-customresourcedefinition.yaml | 460 +++++++++--------- ...erverconfigs-customresourcedefinition.yaml | 221 ++++++--- ...ctedservices-customresourcedefinition.yaml | 96 ++-- .../intents-operator-manager-clusterrole.yaml | 2 +- 4 files changed, 438 insertions(+), 341 deletions(-) diff --git a/intents-operator/crds/clientintents-customresourcedefinition.yaml b/intents-operator/crds/clientintents-customresourcedefinition.yaml index ee6a94b0..2259f978 100644 --- a/intents-operator/crds/clientintents-customresourcedefinition.yaml +++ b/intents-operator/crds/clientintents-customresourcedefinition.yaml @@ -16,7 +16,7 @@ spec: namespace: otterize-system path: /convert conversionReviewVersions: - - v1 + - v1 group: k8s.otterize.com names: kind: ClientIntents 
@@ -25,249 +25,241 @@ spec: singular: clientintents scope: Namespaced versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClientIntents is the Schema for the intents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IntentsSpec defines the desired state of ClientIntents - properties: - calls: - items: - properties: - databaseResources: - items: - properties: - operations: - items: - enum: - - ALL - - SELECT - - INSERT - - UPDATE - - DELETE + - name: v1alpha2 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE + type: string + type: array + table: type: string - type: array - table: - type: string - required: - - operations - - table - type: object - type: array - name: - type: string - resources: - items: - properties: - methods: - items: - enum: - - GET - - POST - - PUT - - DELETE - - OPTIONS - - TRACE - - PATCH - - CONNECT + required: + - operations + - table + type: object + type: array + name: + type: string + resources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT + type: string + type: array + path: type: string - type: array - path: - type: string - required: - - methods - - path - type: object - type: array - topics: - items: - properties: - name: - type: string - operations: - items: - enum: - - all - - consume - - produce - - create - - alter - - delete - - describe - - ClusterAction - - DescribeConfigs - - AlterConfigs - - IdempotentWrite + required: + - methods + - path + type: object + type: array + topics: + items: + properties: + name: type: string - type: array - required: - - name - - operations - type: object - type: array - type: - enum: - - http - - kafka - - database + operations: + items: + enum: + - all + - consume + - produce + - create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite + type: string + type: array + required: + - name + - operations + type: object + type: array + type: + enum: + - http + - kafka + - database + type: string + required: + - name + type: object + type: array + service: + 
properties: + name: type: string required: - - name + - name type: object - type: array - service: - properties: - name: - type: string - required: - - name - type: object - required: - - calls - - service - type: object - status: - description: IntentsStatus defines the observed state of ClientIntents - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - description: ClientIntents is the Schema for the intents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IntentsSpec defines the desired state of ClientIntents - properties: - calls: - items: - properties: - HTTPResources: - items: - properties: - methods: - items: - enum: - - GET - - POST - - PUT - - DELETE - - OPTIONS - - TRACE - - PATCH - - CONNECT + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + description: ClientIntents is the Schema for the intents API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IntentsSpec defines the desired state of ClientIntents + properties: + calls: + items: + properties: + HTTPResources: + items: + properties: + methods: + items: + enum: + - GET + - POST + - PUT + - DELETE + - OPTIONS + - TRACE + - PATCH + - CONNECT + type: string + type: array + path: type: string - type: array - path: - type: string - required: - - methods - - path - type: object - type: array - databaseResources: - items: - properties: - operations: - items: - enum: - - ALL - - SELECT - - INSERT - - UPDATE - - DELETE + required: + - methods + - path + type: object + type: array + databaseResources: + items: + properties: + operations: + items: + enum: + - ALL + - SELECT + - INSERT + - UPDATE + - DELETE + type: string + type: array + table: type: string - type: array - table: - type: string - required: - - operations - - table - type: object - type: array - kafkaTopics: - items: - properties: - name: - type: string - operations: - items: - enum: - - all - - consume - - produce - - create - - alter - - delete - - describe - - ClusterAction - - DescribeConfigs - - AlterConfigs - - IdempotentWrite + required: + - operations + - table + type: object + type: array + kafkaTopics: + items: + properties: + name: type: string - type: array - required: - - name - - operations - type: object - type: array + operations: + items: + enum: + - all + - consume + - produce + - 
create + - alter + - delete + - describe + - ClusterAction + - DescribeConfigs + - AlterConfigs + - IdempotentWrite + type: string + type: array + required: + - name + - operations + type: object + type: array + name: + type: string + type: + enum: + - http + - kafka + - database + type: string + required: + - name + type: object + type: array + service: + properties: name: type: string - type: - enum: - - http - - kafka - - database - type: string required: - - name + - name type: object - type: array - service: - properties: - name: - type: string - required: - - name - type: object - required: - - calls - - service - type: object - status: - description: IntentsStatus defines the observed state of ClientIntents - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - calls + - service + type: object + status: + description: IntentsStatus defines the observed state of ClientIntents + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml index d7d5700d..dd6df6fd 100644 --- a/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml +++ b/intents-operator/crds/kafkaserverconfigs-customresourcedefinition.yaml @@ -4,10 +4,19 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 - "helm.sh/resource-policy": keep creationTimestamp: null name: kafkaserverconfigs.k8s.otterize.com spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: intents-operator-webhook-service + namespace: otterize-system + path: /convert + conversionReviewVersions: + - v1 group: k8s.otterize.com names: kind: KafkaServerConfig 
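Review bot: In the new `v1alpha3` schema the call property `HTTPResources` is upper-camel while its siblings `databaseResources` and `kafkaTopics` are lower-camel, and because `v1alpha3` is the version with `storage: true` this spelling becomes the field name users write in every ClientIntents from now on. The CRD files carry a `controller-gen.kubebuilder.io/version` annotation, so this is presumably generated output and the fix belongs on the json tag of the Go type in the operator with the CRD regenerated, not an edit here. Worth settling before the version ships, since renaming a field in a served version later is a breaking API change.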
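Review bot: The added conversion webhook hard-codes `namespace: otterize-system` in a file under `crds/`, which Helm installs verbatim without templating, so a release installed into any other namespace gets a CRD whose conversion webhook points at a service that does not exist, and every read or write of KafkaServerConfig objects then fails at the API server. The same hard-coded namespace appears in the protectedservices hunk below and in the clientintents CRD context (`@@ -16,7`). If the operator rewrites `spec.conversion.webhook.clientConfig` at startup — the `patch` verb on `customresourcedefinitions` in the clusterrole hunk hints at that, but I cannot confirm it from here — a comment above `conversion:` saying so would stop the next reader from "fixing" it; otherwise the namespace has to come from the release. `caBundle` is also absent, so whatever injects it is a hard runtime dependency that deserves the same comment.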
@@ -16,81 +25,145 @@ spec: singular: kafkaserverconfig scope: Namespaced versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - description: KafkaServerConfig is the Schema for the kafkaserverconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KafkaServerConfigSpec defines the desired state of KafkaServerConfig - properties: - addr: - type: string - noAutoCreateIntentsForOperator: - description: If Intents for network policies are enabled, and there - are other Intents to this Kafka server, will automatically create - an Intent so that the Intents Operator can connect. Set to true - to disable. - type: boolean - service: - properties: - name: - type: string - required: - - name - type: object - tls: - properties: - certFile: - type: string - keyFile: - type: string - rootCAFile: - type: string - required: - - certFile - - keyFile - - rootCAFile - type: object - topics: - items: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: KafkaServerConfig is the Schema for the kafkaserverconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KafkaServerConfigSpec defines the desired state of KafkaServerConfig + properties: + addr: + type: string + noAutoCreateIntentsForOperator: + description: If Intents for network policies are enabled, and there are other Intents to this Kafka server, will automatically create an Intent so that the Intents Operator can connect. Set to true to disable. + type: boolean + service: properties: - clientIdentityRequired: - type: boolean - intentsRequired: - type: boolean - pattern: - enum: - - literal - - prefix + name: type: string - topic: + required: + - name + type: object + tls: + properties: + certFile: + type: string + keyFile: + type: string + rootCAFile: + type: string + required: + - certFile + - keyFile + - rootCAFile + type: object + topics: + items: + properties: + clientIdentityRequired: + type: boolean + intentsRequired: + type: boolean + pattern: + enum: + - literal + - prefix + type: string + topic: + type: string + required: + - clientIdentityRequired + - intentsRequired + - pattern + - topic + type: object + type: array + type: object + status: + description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + description: KafkaServerConfig is the Schema for the kafkaserverconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KafkaServerConfigSpec defines the desired state of KafkaServerConfig + properties: + addr: + type: string + noAutoCreateIntentsForOperator: + description: If Intents for network policies are enabled, and there are other Intents to this Kafka server, will automatically create an Intent so that the Intents Operator can connect. Set to true to disable. + type: boolean + service: + properties: + name: + type: string + required: + - name + type: object + tls: + properties: + certFile: + type: string + keyFile: + type: string + rootCAFile: type: string required: - - clientIdentityRequired - - intentsRequired - - pattern - - topic + - certFile + - keyFile + - rootCAFile type: object - type: array - type: object - status: - description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} + topics: + items: + properties: + clientIdentityRequired: + type: boolean + intentsRequired: + type: boolean + pattern: + enum: + - literal + - prefix + type: string + topic: + type: string + required: + - clientIdentityRequired + - intentsRequired + - pattern + - topic + type: object + type: array + type: object + status: + description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig + type: object + type: object + served: true + storage: true + 
subresources: + status: {} diff --git a/intents-operator/crds/protectedservices-customresourcedefinition.yaml b/intents-operator/crds/protectedservices-customresourcedefinition.yaml index 85f3cb6d..ec18ccc1 100644 --- a/intents-operator/crds/protectedservices-customresourcedefinition.yaml +++ b/intents-operator/crds/protectedservices-customresourcedefinition.yaml @@ -4,10 +4,19 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 - "helm.sh/resource-policy": keep creationTimestamp: null name: protectedservices.k8s.otterize.com spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: intents-operator-webhook-service + namespace: otterize-system + path: /convert + conversionReviewVersions: + - v1 group: k8s.otterize.com names: kind: ProtectedService 
@@ -16,34 +25,57 @@ spec: singular: protectedservice scope: Namespaced versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - description: ProtectedService is the Schema for the protectedservice API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProtectedServiceSpec defines the desired state of ProtectedService - properties: - name: - type: string - type: object - status: - description: ProtectedServiceStatus defines the observed state of ProtectedService - type: object - type: object - served: true - storage: true - subresources: - status: {} + - name: v1alpha2 + schema: + openAPIV3Schema: + description: ProtectedService is the Schema for the protectedservice API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProtectedServiceSpec defines the desired state of ProtectedService + properties: + name: + type: string + type: object + status: + description: ProtectedServiceStatus defines the observed state of ProtectedService + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + description: ProtectedService is the Schema for the protectedservice API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProtectedServiceSpec defines the desired state of ProtectedService + properties: + name: + type: string + type: object + status: + description: ProtectedServiceStatus defines the observed state of ProtectedService + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/intents-operator/templates/intents-operator-manager-clusterrole.yaml b/intents-operator/templates/intents-operator-manager-clusterrole.yaml index d42d6469..ed94f91b 100644 --- a/intents-operator/templates/intents-operator-manager-clusterrole.yaml +++ b/intents-operator/templates/intents-operator-manager-clusterrole.yaml 
@@ -77,9 +77,9 @@ rules: - customresourcedefinitions verbs: - create - - patch - get - list + - patch - update - watch - apiGroups: From 7ac93ead1bfaf57767795a70b24c17d1203dc8ac Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 19 Oct 2023 19:26:55 +0300 Subject: [PATCH 10/13] fixup --- ...ctedservices-customresourcedefinition.yaml | 1 + ...rize-validating-webhook-configuration.yaml | 30 ++++++++++++------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/intents-operator/crds/protectedservices-customresourcedefinition.yaml b/intents-operator/crds/protectedservices-customresourcedefinition.yaml index ec18ccc1..c0c89191 100644 --- a/intents-operator/crds/protectedservices-customresourcedefinition.yaml +++ b/intents-operator/crds/protectedservices-customresourcedefinition.yaml @@ -4,6 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 + "helm.sh/resource-policy": keep creationTimestamp: null name: protectedservices.k8s.otterize.com spec: diff --git a/intents-operator/templates/otterize-validating-webhook-configuration.yaml b/intents-operator/templates/otterize-validating-webhook-configuration.yaml index 613498ae..5a79a5e9 100644 --- a/intents-operator/templates/otterize-validating-webhook-configuration.yaml +++ b/intents-operator/templates/otterize-validating-webhook-configuration.yaml @@ -3,16 +3,6 @@ kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-validating-webhook-configuration - labels: - {{- with .Values.global.commonLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} - annotations: - {{- with .Values.global.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/version: {{ .Chart.Version }} webhooks: - admissionReviewVersions: - v1 
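Review bot: `"helm.sh/resource-policy": keep` (the added annotation line) makes `helm uninstall` leave this CRD and every ProtectedService object in the cluster, which is a reasonable default for data-bearing CRDs but should be stated, since the chart's other resources are removed. If the CRD's `spec.conversion` references a webhook Service from the operator's release (not visible in this hunk), the kept CRD then points at a Service that no longer exists: stored objects become unreadable and a later `kubectl delete crd` can hang on the instance-cleanup finalizer until conversion is reset to `None`. Suggested comment above the line: `# survives helm uninstall; remove by hand after resetting spec.conversion (if any) to None`. The neighbouring `controller-gen.kubebuilder.io/version` key is unquoted while this one is quoted; both are valid, but one convention per file reads better.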
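Review bot: After this hunk the ValidatingWebhookConfiguration's `metadata` has no `labels` or `annotations` at all, so it stops receiving `global.commonLabels` / `global.commonAnnotations` (the chart-wide values the removed template consumed) and can no longer be selected or inventoried alongside the rest of the release. If the trigger was the hard-coded `app.kubernetes.io/version: {{ .Chart.Version }}` line — an unquoted template value that a YAML parser reads as a float for a version like `1.1`, and a duplicate key whenever commonLabels already sets it — dropping that line alone and keeping the two `with` blocks preserves the common metadata. The rewritten metadata would look like the excerpt below; the other templates in this chart are not visible here, so confirm they still carry the same blocks before aligning this one with them.
```yaml
metadata:
  creationTimestamp: null
  name: otterize-validating-webhook-configuration
  labels:
    {{- with .Values.global.commonLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.global.commonAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
# … unchanged: webhooks list …
```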
@@ -74,3 +64,23 @@ webhooks: resources: - protectedservice sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-k8s-otterize-com-v1alpha3-protectedservice + failurePolicy: Fail + name: protectedservicev1alpha3.kb.io + rules: + - apiGroups: + - k8s.otterize.com + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - protectedservice + sideEffects: None From 0e867d44ce4ce9d611fca0a151d7aee5d5f01eab Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Sat, 21 Oct 2023 15:09:41 +0200 Subject: [PATCH 11/13] improve makefile --- .../intents-operator-manager-clusterrole.yaml | 11 ++++++++++ ...rize-validating-webhook-configuration.yaml | 20 +++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/intents-operator/templates/intents-operator-manager-clusterrole.yaml b/intents-operator/templates/intents-operator-manager-clusterrole.yaml index ed94f91b..f41dbfa2 100644 --- a/intents-operator/templates/intents-operator-manager-clusterrole.yaml +++ b/intents-operator/templates/intents-operator-manager-clusterrole.yaml @@ -82,6 +82,17 @@ rules: - patch - update - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch - apiGroups: - k8s.otterize.com resources: diff --git a/intents-operator/templates/otterize-validating-webhook-configuration.yaml b/intents-operator/templates/otterize-validating-webhook-configuration.yaml index 613498ae..d96409da 100644 --- a/intents-operator/templates/otterize-validating-webhook-configuration.yaml +++ b/intents-operator/templates/otterize-validating-webhook-configuration.yaml 
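Review bot: The same twenty-line `protectedservicev1alpha3.kb.io` entry is added again by the `@@ -74,3 +74,23 @@` hunk in PATCH 11/13, and both file headers start from the same blob `613498ae`, so applied as a series one of the two will not apply cleanly, and if both copies ever landed the configuration would carry two webhooks with one name, which the admissionregistration v1 API rejects as a duplicate — keep a single copy. `clientConfig.service` names `webhook-service` in namespace `system`, the kubebuilder scaffold defaults, inside a Helm template; with `failurePolicy: Fail` a reference to a Service that does not exist blocks every CREATE/UPDATE of `protectedservice` cluster-wide. If the operator rewrites `clientConfig` at startup, or the earlier entries in this file (outside the hunk) use the same placeholders deliberately, record that next to the entry, e.g. `# service/namespace are placeholders rewritten by the operator at startup — TODO confirm`. `matchPolicy` is unset and therefore `Equivalent`, so a request submitted as v1alpha2 is converted and sent to this v1alpha3 webhook as well as to the v1alpha2 one; harmless if both enforce the same invariants, but worth noting for anyone reading the admission audit trail.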
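Review bot: The new `apps` rule grants cluster-wide `get`/`list`/`watch` on daemonsets, deployments, replicasets and statefulsets, and neither the rule nor the commit message (`improve makefile`) records which reconciler needs it; read-only verbs are the right scope, but the next reviewer of this ClusterRole cannot tell whether the grant is still used. Add a comment above the rule naming the consumer, e.g. `# read-only workload access used by <component> — TODO: fill in`. If the surrounding rules carry such comments elsewhere in the file, match their wording.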
@@ -74,3 +74,23 @@ webhooks: resources: - protectedservice sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-k8s-otterize-com-v1alpha3-protectedservice + failurePolicy: Fail + name: protectedservicev1alpha3.kb.io + rules: + - apiGroups: + - k8s.otterize.com + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - protectedservice + sideEffects: None From a83160a045a5e203db4d93b3aa20194f5d6ba660 Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Sat, 21 Oct 2023 15:26:01 +0200 Subject: [PATCH 12/13] Update chart version --- intents-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intents-operator/Chart.yaml b/intents-operator/Chart.yaml index 9e2da343..2b96dc8f 100644 --- a/intents-operator/Chart.yaml +++ b/intents-operator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: intents-operator description: Otterize intents operator type: application -version: 1.0.0 +version: 1.0.1 appVersion: v1.0.40 home: https://github.com/otterize/intents-operator sources: From 9bca9b84007f3f1db596c087e15780d29778c863 Mon Sep 17 00:00:00 2001 From: Netanel Bollag Date: Sun, 22 Oct 2023 19:26:13 +0200 Subject: [PATCH 13/13] Improve writing --- intents-operator/README.md | 34 +++++++++++++++++----------------- otterize-kubernetes/README.md | 20 ++++++++++---------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/intents-operator/README.md b/intents-operator/README.md index c5f541f7..87c4bc8d 100644 --- a/intents-operator/README.md +++ b/intents-operator/README.md 
@@ -12,23 +12,23 @@ | `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](https://docs.otterize.com/reference/service-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` | ## Operator parameters -| Key | Description | Default | -|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| -| `operator.image.repository` | Intents Operator image repository. | `otterize` | -| `operator.image.image` | Intents Operator image. | `intents-operator` | -| `operator.image.tag` | Intents Operator image tag. | `latest` | -| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. 
| `defaultActive` | -| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | -| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | -| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | -| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | -| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | -| `operator.resources` | Resources override. 
| | -| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) | `false` | +| Key | Description | Default | +|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| +| `operator.image.repository` | Intents Operator image repository. | `otterize` | +| `operator.image.image` | Intents Operator image. | `intents-operator` | +| `operator.image.tag` | Intents Operator image tag. | `latest` | +| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | +| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | +| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | +| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | +| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | +| `operator.autoCreateNetworkPoliciesForExternalTrafficDisableIntentsRequirement` | (deprecated, use `allowExternalTraffic` instead) **experimental** - If `autoCreateNetworkPoliciesForExternalTraffic` is enabled, do not require ClientIntents resources - simply create network policies based off of the existence of an Ingress/Service resource. | `false` | +| `operator.resources` | Resources override. | | +| `operator.enableDatabaseReconciler` | **experimental** - Enables experimental support for database intents (coming soon!) 
| `false` | ## Watcher parameters | Key | Description | Default | diff --git a/otterize-kubernetes/README.md b/otterize-kubernetes/README.md index 3b58aedd..782d592d 100644 --- a/otterize-kubernetes/README.md +++ b/otterize-kubernetes/README.md 
@@ -41,16 +41,16 @@ These parameters are used by multiple charts, and must be kept the same for the All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the Intents Operator's helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator). -| Key | Description | Default | -|------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| -| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | -| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | -| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | -| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | -| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services blocked by Otterize when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. 
| `true` | +| Key | Description | Default | +|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------| +| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | +| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | +| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | +| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | +| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). 
Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `intentsOperator.operator.autoCreateNetworkPoliciesForExternalTraffic` | (deprecated, use `allowExternalTraffic` instead) Automatically allow external traffic, if a new ClientIntents resource would result in blocking external (internet) traffic and there is an Ingress/Service resource indicating external traffic is expected. | `true` | ## Telemetry