Secret Store & Port Installation¶
The port is the CloudTaser Port component that runs alongside your EU-hosted OpenBao (or HashiCorp Vault) instance. It connects outbound to the beacon relay and proxies secret requests from your Kubernetes cluster to the secret store. Secrets travel through an mTLS tunnel -- the beacon relay sees only encrypted bytes.
What the port does
The port is the secret-store-side half of the beacon relay connection. It connects outbound to the beacon on TCP 443, authenticates the operator broker via mTLS, and forwards secret requests to the local OpenBao instance. No inbound ports are required on the secret store.
Prerequisites¶
| Requirement | Minimum | Recommended |
|---|---|---|
| Secret store | OpenBao 2.x (also compatible with HashiCorp Vault 1.15+) | OpenBao (no license concerns) |
| KV v2 secrets engine | Enabled | Enabled at secret/ path |
| TLS | Required | TLS with a trusted CA certificate |
| Beacon relay | Deployed and reachable on TCP 443 | See Beacon Relay Installation |
| cloudtaser CLI | v0.19.102 | Latest |
Jurisdiction matters
The secret store must run in an EU jurisdiction. Deploying outside the EU undermines the entire sovereignty model. Choose an EU data center, or an EU cloud region such as europe-west1 (Belgium), europe-west3 (Frankfurt), or europe-west4 (Netherlands).
Step 1: Deploy the secret store¶
If you already have an OpenBao or HashiCorp Vault instance running in the EU with KV v2 enabled, skip to Step 2.
Option A: Kubernetes (Helm)¶
Deploy OpenBao on Kubernetes using the CLI:
This installs OpenBao via Helm, initializes it, unseals it, and enables KV v2. Unseal keys are stored at ~/.cloudtaser/openbao-init.json.
For HA (3-node Raft cluster):
Preview before applying
Pass --dry-run to see the generated Helm values without deploying:
Option B: Docker Compose¶
Generate a Docker Compose project for single-host deployments:
Option C: Linux host (systemd)¶
Generate a systemd service for bare-metal or VM deployments:
Option D: Use HashiCorp Vault¶
If you run HashiCorp Vault, pass --backend vault:
cloudtaser-cli source install --type kubernetes \
--backend vault \
--image hashicorp/vault \
--tag 1.17
Step 2: Configure the secret store¶
After the secret store is running, configure the policies, roles, and Kubernetes auth method required for cloudtaser:
cloudtaser-cli source configure \
--openbao-addr https://vault.eu.example.com \
--token hvs.YOUR_ADMIN_TOKEN
This command:
- Enables audit logging
- Enables the KV v2 secrets engine (if not already enabled)
- Enables the Kubernetes auth backend
- Creates the
cloudtaserpolicy with read access to secret paths - Creates the
cloudtaserrole bound to the operator service account - Creates the operator-specific policy and role
Preview before applying
Pass --dry-run to see the configuration changes without applying them:
Step 3: Optional advanced pre-registration¶
The normal ctb1 simple-connect path uses cloudtaser-cli source install port --beacon-token-file on the secret-store side and cloudtaser-cli target install --beacon-token-file on the target side. In that flow, the port auto-registers the target fingerprint during the authenticated init exchange.
Use source register only for advanced or bulk pre-registration workflows where you want to approve fingerprints before the target cluster connects.
On the cluster side, get the cluster fingerprint:
On the secret-store side, pre-register the cluster:
cloudtaser-cli source register \
--fingerprint <cluster-fingerprint> \
--secretstore-address https://vault.eu.example.com \
--secretstore-token hvs.YOUR_ADMIN_TOKEN
This command:
- Generates mTLS certificates (CA, port cert, broker cert) -- all in memory
- Stores the certificates and configuration in the secret store
- Computes the info hash used to match port and broker through the beacon
- Creates a dedicated namespace in the secret store for the cluster at
cloudtaser/<fingerprint[:8]> - Registers the cluster fingerprint
Step 4: Start the port¶
The port runs alongside your secret store and connects outbound to the beacon. Deploy it using one of the following methods.
CLI-managed Kubernetes deployment (recommended)¶
cloudtaser-cli source install port \
--namespace cloudtaser-vault \
--secretstore-k8s-namespace cloudtaser-vault \
--beacon-token-file ./beacon.token
The public CloudTaser Helm repository does not publish a cloudtaser/cloudtaser-port chart. source install port is the supported Kubernetes flow: it configures the port from the ctb1 beacon token, verifies the port image, and deploys the Kubernetes workload.
Systemd service (bare-metal or VM secret stores)¶
For OpenBao installations running directly on a Linux host:
cloudtaser-port \
--vault-addr https://127.0.0.1:8200 \
--beacon-address beacon.example.com:443 \
--beacon-info-hash <generated-hash> \
--tls-cert /etc/cloudtaser/port/client.crt \
--tls-key /etc/cloudtaser/port/client.key \
--tls-ca /etc/cloudtaser/port/ca.crt
Or as a systemd unit:
[Unit]
Description=cloudtaser Port (Beacon Relay)
After=network-online.target openbao.service
Wants=network-online.target
[Service]
ExecStart=/usr/local/bin/cloudtaser-port \
--vault-addr https://127.0.0.1:8200 \
--beacon-address beacon.example.com:443 \
--beacon-info-hash <generated-hash> \
--tls-cert /etc/cloudtaser/port/client.crt \
--tls-key /etc/cloudtaser/port/client.key \
--tls-ca /etc/cloudtaser/port/ca.crt
Restart=always
RestartSec=5
User=openbao
[Install]
WantedBy=multi-user.target
In the normal ctb1 flow, source install port --beacon-token-file configures the port from the beacon token and auto-registration supplies per-cluster material during init. In advanced pre-registration flows, the info hash is output by cloudtaser-cli source register in Step 3.
Step 5: Verify¶
Confirm the port has connected to the beacon and the secret store is reachable:
cloudtaser-cli source status \
--secretstore-address https://vault.eu.example.com \
--secretstore-token hvs.YOUR_ADMIN_TOKEN
Check the port logs for a successful beacon connection:
If you see init peer closed connection cleanly in the port logs, the most likely cause is a beacon-salt or fingerprint mismatch. Verify the fingerprint exists in the secret store:
The fingerprint stored there must match the cluster fingerprint from cloudtaser-cli target fingerprint.
Next steps¶
The secret store and port are ready. Proceed to deploy the cloudtaser operator on your Kubernetes cluster:
- Operator Installation -- deploy the operator and eBPF agent via Helm
- Quick Start -- store a test secret, annotate a workload, and verify injection
Once the operator is installed, it connects to the beacon automatically and starts accepting secret requests through the relay.
Troubleshooting¶
| Symptom | Cause | Fix |
|---|---|---|
| Port cannot connect to beacon | Egress firewall blocking TCP 443 | Allow outbound TCP 443 to the beacon address |
init peer closed connection cleanly in port logs |
Fingerprint or beacon-salt mismatch | For normal ctb1 installs, re-run source install port and target install with the same beacon token. For advanced pre-registration, verify the pre-registered fingerprint matches target fingerprint |
| Port connects but secrets not fetching | Kubernetes auth not configured | Run source configure or verify the auth method in the secret store |
source install fails with init error |
Secret store already initialized | Skip to Step 2 (configure) if the secret store is already running |
permission denied from the secret store |
Admin token expired or insufficient policy | Provide a valid root or admin token with --secretstore-token |
For more details, see Troubleshooting.
Related¶
- Beacon Relay Installation -- deploy the beacon relay that connects the port to the cluster
- Operator Installation -- deploy the operator on the Kubernetes cluster
- Source-only OpenBao Helm Values -- reference for the OpenBao bootstrap chart maintained in the
cloudtaser-portsource repository; it is not published ascloudtaser/cloudtaser-port - Self-Bootstrap Protocol -- how the operator self-bootstraps through the beacon
- Beacon Relay Architecture -- trust model and security properties