Helm Values Reference¶
Complete reference for Helm values maintained in the cloudtaser-helm and cloudtaser-port source repositories. The primary cloudtaser chart is published at https://charts.cloudtaser.io; the OpenBao chart described later on this page is source-only.
For the operator-specific and unified chart overview, see Helm Values. For the source-only OpenBao chart, see Source-only OpenBao Helm Values.
cloudtaser Chart (cloudtaser-helm)¶
Chart: cloudtaser
Source: cloudtaser-helm/charts/cloudtaser/values.yaml
This is the primary chart for deploying cloudtaser into a Kubernetes cluster. It includes the operator, wrapper image configuration, eBPF daemonset, S3 proxy defaults, DB proxy defaults, NetworkPolicy, and PodDisruptionBudget.
Image tag defaults
The current published chart (v1.0.264) bundles operator v0.13.153. The latest standalone operator release is v0.13.155 and is not automatically the chart default. Use helm show values cloudtaser/cloudtaser (after helm repo add cloudtaser https://charts.cloudtaser.io) to verify the published defaults.
Global¶
| Value | Type | Default | Description |
|---|---|---|---|
namespace |
string |
cloudtaser-system |
Namespace for all cloudtaser components |
imagePullSecrets |
list |
[] |
Image pull secrets for private registries |
operator.*¶
Operator deployment configuration.
| Value | Type | Default | Description |
|---|---|---|---|
operator.ha |
bool |
false |
Enable HA mode (multiple replicas with leader election) |
operator.replicaCount |
int |
1 |
Number of operator pod replicas. Use 2+ for HA |
operator.leaderElect |
bool |
false |
Enable leader election. Required when replicaCount > 1 |
operator.image.repository |
string |
europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator |
Operator container image repository |
operator.image.tag |
string |
v0.13.153 |
Operator image tag bundled by chart v1.0.264 |
operator.image.pullPolicy |
string |
IfNotPresent |
Image pull policy |
operator.resources.requests.cpu |
string |
50m |
CPU request for operator pods |
operator.resources.requests.memory |
string |
64Mi |
Memory request for operator pods |
operator.resources.limits.cpu |
string |
200m |
CPU limit for operator pods |
operator.resources.limits.memory |
string |
128Mi |
Memory limit for operator pods |
operator.secretstore.address |
string |
"" |
Default secret store address (OpenBao/HashiCorp Vault) for token renewal. Pods override this via annotations. Legacy alias: operator.vault.address. |
operator.webhook.port |
int |
9443 |
Port the webhook server listens on |
operator.webhook.failurePolicy |
string |
Fail |
Webhook failure policy: Fail blocks pod creation if webhook is unreachable, Ignore allows pods to start without injection |
operator.webhook.timeoutSeconds |
int |
10 |
Timeout for webhook admission requests |
failurePolicy: Fail
The default Fail policy prevents unprotected pods from running if the operator is unavailable. This is the safer choice for production. Set to Ignore only in development or with a fallback mechanism.
wrapper.*¶
Wrapper image used by the init container during wrapper injection.
| Value | Type | Default | Description |
|---|---|---|---|
wrapper.image.repository |
string |
europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper |
Wrapper binary image |
wrapper.image.tag |
string |
v0.2.168 |
Wrapper image tag |
s3proxy.*¶
S3 encryption proxy sidecar image configuration.
| Value | Type | Default | Description |
|---|---|---|---|
s3proxy.image.repository |
string |
europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy |
S3 proxy image |
s3proxy.image.tag |
string |
v0.2.39 |
S3 proxy image tag |
ebpf.*¶
eBPF runtime enforcement daemonset.
| Value | Type | Default | Description |
|---|---|---|---|
ebpf.enabled |
bool |
true |
Deploy the eBPF enforcement daemonset |
ebpf.image.repository |
string |
europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-ebpf |
eBPF agent image |
ebpf.image.tag |
string |
v0.13.121 |
eBPF agent image tag |
ebpf.image.pullPolicy |
string |
IfNotPresent |
Image pull policy |
ebpf.enforceMode |
bool |
true |
Enable enforcement (block syscalls). When false, the agent only logs events |
ebpf.logAll |
bool |
false |
Log all monitored syscalls, not just security violations. Generates high event volume |
ebpf.reactiveKill |
bool |
true |
SIGKILL processes that leak secrets when kprobe enforcement is unavailable. Active on kernels without CONFIG_BPF_KPROBE_OVERRIDE (e.g. RHEL 8, Ubuntu 20.04 generic, Amazon Linux 2). Synchronous blocking is the default on GKE COS, EKS AL2023, AKS Ubuntu 22.04. See Kernel Compatibility. |
ebpf.priorityClassName |
string |
"" |
Priority class for eBPF pods. Set to system-node-critical for production (requires GKE quota) |
ebpf.resources.requests.cpu |
string |
100m |
CPU request for eBPF agent pods |
ebpf.resources.requests.memory |
string |
128Mi |
Memory request for eBPF agent pods |
ebpf.resources.limits.cpu |
string |
500m |
CPU limit for eBPF agent pods |
ebpf.resources.limits.memory |
string |
512Mi |
Memory limit for eBPF agent pods |
Reactive kill
Reactive kill is the fallback mode for kernels without CONFIG_BPF_KPROBE_OVERRIDE. GKE Container-Optimized OS, EKS Amazon Linux 2023, and AKS Ubuntu 22.04+ all ship with kprobe override enabled and use synchronous blocking. The kernels that fall back to reactive kill include RHEL 8, Ubuntu 20.04 (generic kernel), and Amazon Linux 2 (default kernel). See Kernel Compatibility for the full per-distro matrix.
networkPolicy.*¶
Auto-generated NetworkPolicy for OpenBao egress.
| Value | Type | Default | Description |
|---|---|---|---|
networkPolicy.enabled |
bool |
false |
Create a NetworkPolicy allowing egress only to the OpenBao endpoint |
networkPolicy.vaultCIDR |
string |
"" |
CIDR for the OpenBao server. When empty, egress to OpenBao port is allowed to any destination |
networkPolicy.vaultPort |
int |
8200 |
OpenBao server port for egress rules |
pdb.*¶
PodDisruptionBudget configuration.
| Value | Type | Default | Description |
|---|---|---|---|
pdb.enabled |
bool |
false |
Create a PodDisruptionBudget for the operator |
pdb.operator.minAvailable |
int |
1 |
Minimum number of operator pods that must be available during disruptions |
Full Default Values¶
namespace: cloudtaser-system
imagePullSecrets: []
operator:
ha: false
replicaCount: 1
leaderElect: false
image:
repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
tag: "v0.13.153"
pullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
vaultAddress: ""
webhook:
port: 9443
failurePolicy: Fail
timeoutSeconds: 10
wrapper:
image:
repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
tag: "v0.2.168"
s3proxy:
image:
repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy
tag: "v0.2.39"
ebpf:
enabled: true
image:
repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-ebpf
tag: "v0.13.121"
pullPolicy: IfNotPresent
enforceMode: true
logAll: false
reactiveKill: true
priorityClassName: ""
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
networkPolicy:
enabled: false
vaultCIDR: ""
vaultPort: 8200
pdb:
enabled: false
operator:
minAvailable: 1
Source-only OpenBao Chart (cloudtaser-port repository)¶
Chart: cloudtaser-openbao
Source: cloudtaser-port/charts/cloudtaser-openbao/values.yaml
Deploys OpenBao in HA mode and bootstraps it for cloudtaser using cloudtaser-cli source install + cloudtaser-cli source configure. See the full source-only OpenBao Helm values for detailed documentation including bootstrap job details.
Not published in the CloudTaser Helm repository
This source chart is not available as cloudtaser/cloudtaser-port. Use cloudtaser-cli source install port for the supported port deployment flow, or check out the cloudtaser-port source repository before using this OpenBao bootstrap chart.
Global¶
| Value | Type | Default | Description |
|---|---|---|---|
namespace |
string |
cloudtaser-vault |
Namespace for the OpenBao deployment |
openbao.*¶
Passed through to the upstream OpenBao Helm chart.
| Value | Type | Default | Description |
|---|---|---|---|
openbao.server.ha.enabled |
bool |
true |
Enable HA mode |
openbao.server.ha.replicas |
int |
3 |
Number of HA replicas |
openbao.server.ha.raft.enabled |
bool |
true |
Use Raft for HA storage backend |
openbao.server.auditStorage.enabled |
bool |
true |
Enable persistent storage for audit logs |
openbao.server.auditStorage.size |
string |
10Gi |
Audit storage volume size |
openbao.server.dataStorage.enabled |
bool |
true |
Enable persistent storage for data |
openbao.server.dataStorage.size |
string |
10Gi |
Data storage volume size |
openbao.server.resources.requests.cpu |
string |
250m |
CPU request |
openbao.server.resources.requests.memory |
string |
256Mi |
Memory request |
openbao.server.resources.limits.cpu |
string |
1 |
CPU limit |
openbao.server.resources.limits.memory |
string |
512Mi |
Memory limit |
openbao.injector.enabled |
bool |
false |
Disable the OpenBao injector (cloudtaser uses its own webhook) |
OpenBao injector disabled
The OpenBao injector is explicitly disabled. cloudtaser uses its own mutating webhook via cloudtaser-operator. Running both injectors would cause conflicts.
bootstrap.*¶
Post-install bootstrap Job that runs cloudtaser-cli source install + cloudtaser-cli source configure.
| Value | Type | Default | Description |
|---|---|---|---|
bootstrap.enabled |
bool |
true |
Enable the bootstrap Job |
bootstrap.image.repository |
string |
europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-cli |
Bootstrap container image |
bootstrap.image.tag |
string |
latest |
Bootstrap image tag |
bootstrap.image.pullPolicy |
string |
IfNotPresent |
Image pull policy |
bootstrap.shamir.shares |
int |
5 |
Number of Shamir key shares generated during initialization |
bootstrap.shamir.threshold |
int |
3 |
Minimum shares required to unseal |
bootstrap.kv.path |
string |
secret |
KV v2 secret engine mount path |
bootstrap.auth.path |
string |
kubernetes |
Kubernetes auth method mount path |
bootstrap.policy.name |
string |
cloudtaser |
Policy name for cloudtaser read access |
bootstrap.policy.kvReadPaths |
list |
["secret/data/*", "secret/metadata/*"] |
KV paths the policy grants read access to |
bootstrap.role.name |
string |
cloudtaser |
Kubernetes auth role name |
bootstrap.role.boundServiceAccountNames |
string |
* |
Service accounts allowed to authenticate |
bootstrap.role.boundServiceAccountNamespaces |
string |
* |
Namespaces allowed to authenticate |
bootstrap.role.ttl |
string |
1h |
Token TTL for authenticated pods |
bootstrap.outputSecret.name |
string |
cloudtaser-openbao-init |
Kubernetes Secret name for unseal keys and root token |
Full Default Values¶
namespace: cloudtaser-vault
openbao:
server:
ha:
enabled: true
replicas: 3
raft:
enabled: true
auditStorage:
enabled: true
size: 10Gi
dataStorage:
enabled: true
size: 10Gi
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: "1"
memory: 512Mi
injector:
enabled: false
bootstrap:
enabled: true
image:
repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-cli
tag: "latest"
pullPolicy: IfNotPresent
shamir:
shares: 5
threshold: 3
kv:
path: "secret"
auth:
path: "kubernetes"
policy:
name: "cloudtaser"
kvReadPaths:
- "secret/data/*"
- "secret/metadata/*"
role:
name: "cloudtaser"
boundServiceAccountNames: "*"
boundServiceAccountNamespaces: "*"
ttl: "1h"
outputSecret:
name: "cloudtaser-openbao-init"
Common Configuration Patterns¶
Production HA with enforcement¶
operator:
ha: true
replicaCount: 3
leaderElect: true
vaultAddress: "https://vault.eu.example.com"
webhook:
failurePolicy: Fail
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
ebpf:
enabled: true
enforceMode: true
reactiveKill: true
priorityClassName: "system-node-critical"
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
networkPolicy:
enabled: true
vaultCIDR: "10.128.0.0/16"
vaultPort: 8200
pdb:
enabled: true
operator:
minAvailable: 1
Development / testing¶
operator:
ha: false
replicaCount: 1
leaderElect: false
webhook:
failurePolicy: Ignore
ebpf:
enabled: false
networkPolicy:
enabled: false
pdb:
enabled: false