# Helm Values Reference
CloudTaser provides two Helm charts: the operator chart for standalone operator installation, and the unified cloudtaser chart that bundles the operator, wrapper configuration, and S3 proxy defaults into a single release.
## Operator Chart

- Chart: `cloudtaser-operator`
- Repository: `oci://europe-docker.pkg.dev/skipops/cloudtaser-helm`
### Installation

```bash
helm install cloudtaser-operator \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser-operator \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml
```
### Values

#### replicaCount

| Type | int |
|---|---|
| Default | 2 |
Number of operator pod replicas. Use at least 2 for high availability in production. The operator uses leader election, so only one replica is active at a time.
#### image

| Field | Type | Default |
|---|---|---|
| image.repository | string | europe-docker.pkg.dev/skipops/cloudtaser/operator |
| image.tag | string | Chart appVersion |
| image.pullPolicy | string | IfNotPresent |

The operator container image.

```yaml
image:
  repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
  tag: "v0.1.0"
  pullPolicy: IfNotPresent
```
#### initImage

| Field | Type | Default |
|---|---|---|
| initImage.repository | string | europe-docker.pkg.dev/skipops/cloudtaser/wrapper |
| initImage.tag | string | Chart appVersion |
The wrapper binary image used by the init container during sidecar injection. The init container copies the wrapper binary into a shared emptyDir volume.
#### resources

| Type | corev1.ResourceRequirements |
|---|---|
| Default | requests: cpu 50m, memory 128Mi; limits: cpu 500m, memory 256Mi |

Resource requests and limits for the operator pods.
#### webhook

| Field | Type | Default | Description |
|---|---|---|---|
| webhook.port | int | 9443 | Port the webhook server listens on |
| webhook.failurePolicy | string | Fail | Webhook failure policy (Fail or Ignore) |
| webhook.timeoutSeconds | int | 10 | Timeout for webhook requests |
> **Failure policy**
>
> The default `Fail` policy means that if the webhook is unreachable, pod creation is blocked. This is the safer choice for production: it prevents un-injected pods from running with secrets potentially exposed in etcd. Set `Ignore` only in development, or if you have a fallback mechanism.
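As an added example (not chart or CloudTaser project code), a small check that can run from CI or a scheduled job to catch the webhook drifting away from `Fail`; it assumes the MutatingWebhookConfiguration installed by the chart has `cloudtaser` in its name and reads the two-column `kubectl` output shown in the comments.

```shell
#!/bin/sh
# Added example, not CloudTaser project code. Reports admission webhooks that
# no longer use failurePolicy: Fail. Assumption: the webhook configuration the
# chart installs has "cloudtaser" in its name.
#
# Expected input, one line per configuration: "<name> <policy>[,<policy>...]".
# On a live cluster produce it with:
#   kubectl get mutatingwebhookconfigurations --no-headers \
#     -o custom-columns='NAME:.metadata.name,POLICY:.webhooks[*].failurePolicy'
# (kubectl joins the per-webhook values with commas; an unset policy prints
# as <none> and is reported too, since it cannot be confirmed as Fail).

check_webhook_policy() {
  # Prints "<name> <policy>" for every cloudtaser webhook whose policy is not
  # Fail; returns 1 if any was found, 0 otherwise.
  awk '
    tolower($1) ~ /cloudtaser/ {
      n = split($2, pols, ",")
      for (i = 1; i <= n; i++) {
        if (pols[i] != "Fail") { print $1, pols[i]; bad = 1 }
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample: one configuration as installed, one edited by hand to
# Ignore on one of its webhooks, and an unrelated webhook that must be ignored.
SAMPLE_WEBHOOKS='cloudtaser-operator-mutating-webhook Fail
cloudtaser-operator-mutating-webhook-dev Ignore,Fail
cert-manager-webhook Ignore'

# Runs the check over the constructed sample.
demo_webhook_check() {
  printf '%s\n' "$SAMPLE_WEBHOOKS" | check_webhook_policy
}

demo_webhook_check || echo "webhook failurePolicy drift detected"
```

The non-zero exit status makes the function usable directly as a pipeline gate.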
#### serviceAccount

| Field | Type | Default | Description |
|---|---|---|---|
| serviceAccount.create | bool | true | Create a service account for the operator |
| serviceAccount.name | string | "" | Override the service account name (defaults to release name) |
| serviceAccount.annotations | map | {} | Annotations to add to the service account |

```yaml
serviceAccount:
  create: true
  name: ""
  annotations:
    iam.gke.io/gcp-service-account: cloudtaser@myproject.iam.gserviceaccount.com
```
#### nodeSelector

| Type | map[string]string |
|---|---|
| Default | {} |

#### tolerations

| Type | []corev1.Toleration |
|---|---|
| Default | [] |

#### affinity

| Type | corev1.Affinity |
|---|---|
| Default | {} |

```yaml
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - cloudtaser-operator
          topologyKey: kubernetes.io/hostname
```
### Default Values Summary

| Value | Default |
|---|---|
| replicaCount | 2 |
| image.repository | europe-docker.pkg.dev/skipops/cloudtaser/operator |
| image.tag | Chart appVersion |
| image.pullPolicy | IfNotPresent |
| initImage.repository | europe-docker.pkg.dev/skipops/cloudtaser/wrapper |
| initImage.tag | Chart appVersion |
| resources.requests.cpu | 50m |
| resources.requests.memory | 128Mi |
| resources.limits.cpu | 500m |
| resources.limits.memory | 256Mi |
| webhook.port | 9443 |
| webhook.failurePolicy | Fail |
| webhook.timeoutSeconds | 10 |
| serviceAccount.create | true |
| nodeSelector | {} |
| tolerations | [] |
| affinity | {} |
## Unified CloudTaser Chart

- Chart: `cloudtaser`
- Repository: `oci://europe-docker.pkg.dev/skipops/cloudtaser-helm`

The unified chart bundles the operator, wrapper defaults, and S3 proxy configuration into a single Helm release. It uses subcharts and exposes grouped values under the `operator.*`, `wrapper.*`, and `s3proxy.*` prefixes.
### Installation

```bash
helm install cloudtaser \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml
```
### operator.*

All values from the operator chart are available under the `operator` prefix.

```yaml
operator:
  replicaCount: 2
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
    tag: "v0.1.0"
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "50m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
```
### wrapper.*

Default configuration for the wrapper sidecar injected into workloads. These values serve as cluster-wide defaults and can be overridden per workload via CloudTaserConfig CRs or annotations.

| Value | Type | Default | Description |
|---|---|---|---|
| wrapper.image.repository | string | europe-docker.pkg.dev/skipops/cloudtaser/wrapper | Wrapper container image |
| wrapper.image.tag | string | Chart appVersion | Wrapper image tag |
| wrapper.resources.requests.cpu | string | 10m | CPU request for injected wrapper |
| wrapper.resources.requests.memory | string | 32Mi | Memory request for injected wrapper |
| wrapper.resources.limits.cpu | string | 100m | CPU limit for injected wrapper |
| wrapper.resources.limits.memory | string | 64Mi | Memory limit for injected wrapper |
| wrapper.defaultRotation | string | none | Default rotation strategy |
| wrapper.healthAddr | string | :8081 | Health check listen address |
| wrapper.renewalInterval | string | 5m | Vault token renewal interval |
| wrapper.requireMlock | bool | true | Require mlock for memory protection |
| wrapper.requireMemfdSecret | bool | false | Require memfd_secret (kernel 5.14+) |

```yaml
wrapper:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/wrapper
    tag: "v0.2.0"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  healthAddr: ":8081"
  renewalInterval: "5m"
  requireMlock: true
  requireMemfdSecret: false
```
### s3proxy.*

Configuration for the S3 encryption proxy sidecar.

| Value | Type | Default | Description |
|---|---|---|---|
| s3proxy.image.repository | string | europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy | S3 proxy image |
| s3proxy.image.tag | string | Chart appVersion | S3 proxy image tag |
| s3proxy.resources.requests.cpu | string | 20m | CPU request |
| s3proxy.resources.requests.memory | string | 64Mi | Memory request |
| s3proxy.resources.limits.cpu | string | 200m | CPU limit |
| s3proxy.resources.limits.memory | string | 256Mi | Memory limit |
| s3proxy.listenAddr | string | :8099 | Proxy listen address |
| s3proxy.healthAddr | string | :8098 | Health check listen address |
| s3proxy.maxObjectSize | string | 5Gi | Maximum object size for encryption |
| s3proxy.defaultTransitMount | string | transit | Default Vault Transit mount path |

```yaml
s3proxy:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy
    tag: "v0.1.0"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  listenAddr: ":8099"
  healthAddr: ":8098"
  maxObjectSize: "5Gi"
  defaultTransitMount: "transit"
```
### Full Example (Unified Chart)

```yaml
operator:
  replicaCount: 2
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
    tag: "v0.1.0"
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "1000m"
      memory: "512Mi"
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - cloudtaser-operator
            topologyKey: kubernetes.io/hostname
wrapper:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/wrapper
    tag: "v0.2.0"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  requireMlock: true
  requireMemfdSecret: false
s3proxy:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy
    tag: "v0.1.0"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  maxObjectSize: "5Gi"
```
### Upgrading

```bash
helm upgrade cloudtaser \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser \
  --namespace cloudtaser-system \
  --values values.yaml
```
> **Wrapper image updates**
>
> Upgrading the Helm chart updates the operator and the default wrapper image tag. Existing pods continue to use their current wrapper version until they are restarted, because the wrapper is injected when a pod is created. To roll out the new wrapper version across all workloads, perform a rolling restart of your Deployments after the Helm upgrade.
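As an added example (not chart or CloudTaser project code), a script that lists the pods whose injected wrapper still runs an older image tag after the upgrade, so that only their owning Deployments need the rolling restart; it assumes, per the values reference above, that the wrapper image is pulled by an init container whose repository path contains `cloudtaser/wrapper`, and it reads the three-column `kubectl` output shown in the comments.

```shell
#!/bin/sh
# Added example, not CloudTaser project code. After a chart upgrade, lists the
# pods whose injected wrapper still runs a tag other than the one the chart
# now installs. Assumption: the wrapper image is pulled by an init container
# and its repository path contains "cloudtaser/wrapper".
#
# Expected input, one line per pod: "<namespace> <pod> <init container images>"
# with images comma-separated. On a live cluster produce it with:
#   kubectl get pods -A --no-headers -o custom-columns=\
#   'NS:.metadata.namespace,POD:.metadata.name,INIT:.spec.initContainers[*].image'

stale_wrapper_pods() {
  # $1: the wrapper tag the upgraded chart installs, e.g. v0.2.0.
  # Prints "<namespace> <pod> <running tag>" for each pod still on another tag.
  awk -v want="$1" '
    {
      n = split($3, imgs, ",")
      for (i = 1; i <= n; i++) {
        if (imgs[i] !~ /cloudtaser\/wrapper[:@]/) continue
        tag = imgs[i]
        if (index(tag, "@") > 0) sub(/^[^@]*@/, "", tag)  # digest-pinned image
        else sub(/^.*:/, "", tag)                          # text after the last colon
        if (tag != want) print $1, $2, tag
      }
    }
  '
}

# Constructed sample: two pods already on v0.2.0 or without a wrapper, two
# still running the previous v0.1.0 wrapper.
SAMPLE_PODS='payments api-7d9f8b6c4-x2kq9 europe-docker.pkg.dev/skipops/cloudtaser/wrapper:v0.1.0
payments api-7d9f8b6c4-m8z1t europe-docker.pkg.dev/skipops/cloudtaser/wrapper:v0.2.0,busybox:1.36
billing worker-6c8d7-pp41r <none>
billing ledger-5f6d9-q7wv2 europe-docker.pkg.dev/skipops/cloudtaser/wrapper:v0.1.0'

# Runs the check over the constructed sample for the upgraded tag v0.2.0.
demo_stale_pods() {
  printf '%s\n' "$SAMPLE_PODS" | stale_wrapper_pods v0.2.0
}

demo_stale_pods
# Each listed pod's owning Deployment can then be restarted with
#   kubectl -n <namespace> rollout restart deployment/<name>
```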