Environment Variables Reference
This page is a centralized reference for every environment variable used by CloudTaser components. Each entry lists the variable name, which component reads it, the default value, and a description.
In Kubernetes, the operator's mutating webhook sets wrapper environment variables automatically based on pod annotations or a CloudTaserConfig CR. Manual configuration is only needed for systemd services, standalone testing, or non-Kubernetes environments.
Wrapper (cloudtaser-wrapper)
The wrapper runs as PID 1 in injected pods. It authenticates to Vault, fetches secrets, and fork+execs the original application.
Vault Connection
| Variable | Required | Default | Description |
|---|---|---|---|
| VAULT_ADDR | Yes | -- | OpenBao/Vault server address (e.g., https://vault.eu.example.com:8200). Must include scheme and port. |
| VAULT_TOKEN | Conditional | -- | Static Vault token. Required when VAULT_AUTH_METHOD=token. For Kubernetes deployments, the wrapper obtains a token automatically via Kubernetes auth. |
| VAULT_AUTH_METHOD | No | kubernetes | Auth method: kubernetes or token. Setting VAULT_TOKEN implicitly sets this to token. |
| VAULT_AUTH_ROLE | Conditional | -- | Vault Kubernetes auth role name. Required when VAULT_AUTH_METHOD=kubernetes. |
| VAULT_AUTH_MOUNT_PATH | No | kubernetes | Vault auth mount path (e.g., kubernetes mounts at auth/kubernetes). |
| VAULT_SKIP_VERIFY | No | false | Disable TLS certificate verification. Development only. |
Secret Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_SECRET_PATHS | Yes | -- | Comma-separated Vault KV v2 paths to fetch (e.g., secret/data/myapp/db,secret/data/myapp/api). Also accepts SECRET_PATHS for backward compatibility. |
| CLOUDTASER_ENV_MAP | Yes | -- | Vault field to env var mappings. Format: field1=VAR1,field2=VAR2;field3=VAR3. Semicolons separate groups, one per entry in CLOUDTASER_SECRET_PATHS in the same order. Commas separate individual mappings within a group. |
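As an added example (not the wrapper's own code), the following Go function parses CLOUDTASER_SECRET_PATHS and CLOUDTASER_ENV_MAP in the format described above and pairs group i with path i. The type and function names are assumptions; it additionally rejects two fields mapped to the same variable, a check the page does not describe.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mapping binds one field of a Vault KV v2 secret to the environment
// variable the wrapper exports to the child process.
type Mapping struct{ Field, EnvVar string }
// PathMappings is the mapping group for one entry of CLOUDTASER_SECRET_PATHS.
type PathMappings struct {
	Path     string
	Mappings []Mapping
}

var envNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
// ParseSecretConfig applies the documented format: paths are comma-separated,
// CLOUDTASER_ENV_MAP holds one semicolon-separated group per path (group i
// belongs to path i), and each group is a comma-separated list of field=VAR.
func ParseSecretConfig(secretPaths, envMap string) ([]PathMappings, error) {
	paths := strings.Split(strings.TrimSpace(secretPaths), ",")
	groups := strings.Split(strings.TrimSpace(envMap), ";")
	if len(paths) != len(groups) {
		return nil, fmt.Errorf("env map has %d groups for %d secret paths", len(groups), len(paths))
	}
	claimed := map[string]string{} // env var -> "path:field" that already owns it
	result := make([]PathMappings, len(paths))
	for i, group := range groups {
		path := strings.TrimSpace(paths[i])
		if path == "" || strings.TrimSpace(group) == "" {
			return nil, fmt.Errorf("empty path or mapping group at position %d", i)
		}
		result[i].Path = path
		for _, pair := range strings.Split(group, ",") {
			field, envVar, ok := strings.Cut(strings.TrimSpace(pair), "=")
			if !ok || field == "" || !envNameRe.MatchString(envVar) {
				return nil, fmt.Errorf("bad mapping %q for path %q", pair, path)
			}
			// Two fields writing one variable would silently overwrite a secret.
			if prev, dup := claimed[envVar]; dup {
				return nil, fmt.Errorf("%s mapped twice: %s and %s:%s", envVar, prev, path, field)
			}
			claimed[envVar] = path + ":" + field
			result[i].Mappings = append(result[i].Mappings, Mapping{field, envVar})
		}
	}
	return result, nil
}
```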
Process Wrapping
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_ORIGINAL_CMD | Yes | -- | The original application entrypoint (e.g., /usr/bin/node). Set automatically by the webhook from the container image's ENTRYPOINT/CMD. |
| CLOUDTASER_ORIGINAL_ARGS | No | -- | Arguments for the original command. Accepts a JSON array (["server.js","--port","8080"]) or whitespace-separated string. |
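An added Go example, not the wrapper's own code, of how CLOUDTASER_ORIGINAL_CMD and CLOUDTASER_ORIGINAL_ARGS could be turned into an argv under the two documented argument forms. The function names are assumptions; the point it illustrates is that only the JSON form can carry an argument containing whitespace, and that a malformed JSON array must not be silently re-split.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ParseOriginalArgs decodes CLOUDTASER_ORIGINAL_ARGS. A value starting with
// '[' must be a JSON array of strings (the form the webhook emits from the
// image CMD); anything else is split on whitespace. Only the JSON form can
// carry an argument that itself contains a space.
func ParseOriginalArgs(raw string) ([]string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, nil // unset: launch the command with no arguments
	}
	if strings.HasPrefix(raw, "[") {
		var args []string
		if err := json.Unmarshal([]byte(raw), &args); err != nil {
			// Never fall back to whitespace splitting here: a malformed array
			// would otherwise start the application with garbage arguments.
			return nil, fmt.Errorf("CLOUDTASER_ORIGINAL_ARGS is not a JSON string array: %w", err)
		}
		return args, nil
	}
	return strings.Fields(raw), nil
}

// BuildArgv assembles the argv the wrapper passes to exec: argv[0] is
// CLOUDTASER_ORIGINAL_CMD, followed by the parsed CLOUDTASER_ORIGINAL_ARGS.
func BuildArgv(originalCmd, rawArgs string) ([]string, error) {
	cmd := strings.TrimSpace(originalCmd)
	if cmd == "" {
		return nil, fmt.Errorf("CLOUDTASER_ORIGINAL_CMD is required")
	}
	args, err := ParseOriginalArgs(rawArgs)
	if err != nil {
		return nil, err
	}
	return append([]string{cmd}, args...), nil
}
```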
Rotation
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_ROTATION | No | restart | How the wrapper handles secret changes during lease renewal. Values: restart (terminate and re-launch child with new secrets), sighup (send SIGHUP to child), none (fetch once, no rotation). |
| RENEWAL_INTERVAL | No | 30s | How often the wrapper checks and renews Vault leases. Uses Go duration format (e.g., 30s, 5m, 1h). |
eBPF Integration
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_EBPF_AGENT_ADDR | No | -- | eBPF agent address. Accepts Unix socket (unix:///var/run/cloudtaser/agent.sock) or TCP (10.0.0.1:9443). Set automatically by the webhook when cloudtaser.io/ebpf: "true". |
| CLOUDTASER_EBPF_NODE_IP | No | -- | Node IP for deriving the eBPF agent gRPC address (`<node_ip>:9443`). Set automatically by the webhook via the downward API. Used as a fallback when CLOUDTASER_EBPF_AGENT_ADDR is not set. |
| CLOUDTASER_POD_UID | No | -- | Kubernetes pod UID for eBPF cgroup identification. Set automatically by the webhook via the downward API. |
Health Server
| Variable | Required | Default | Description |
|---|---|---|---|
| HEALTH_ADDR | No | :8199 | Listen address for the wrapper's health/unseal HTTP server. Endpoints: GET /healthz (liveness), GET /readyz (readiness), POST /v1/unseal (sealed mode token delivery). |
Memory Protection
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_REQUIRE_MLOCK | No | false | When true, the wrapper exits if mlock() fails. Without mlock, secrets may be swapped to disk. Requires CAP_IPC_LOCK (added automatically by the webhook). |
| CLOUDTASER_REQUIRE_MEMFD_SECRET | No | false | When true, the wrapper exits if memfd_secret() is unavailable. Without memfd_secret, root can read secrets via kernel modules. Requires Linux 5.14+. |
| Variable | Required | Default | Description |
|---|---|---|---|
| CLOUDTASER_BROKER_TLS_CERT | No | -- | Path to TLS certificate for the health/unseal server. When set with CLOUDTASER_BROKER_TLS_KEY, the server uses TLS instead of plain HTTP. |
| CLOUDTASER_BROKER_TLS_KEY | No | -- | Path to TLS private key for the health/unseal server. |
| CLOUDTASER_BROKER_TLS_CA | No | -- | Path to CA certificate for mutual TLS client verification on the /v1/unseal endpoint. |
eBPF Agent (cloudtaser-ebpf)
The eBPF agent runs as a DaemonSet on every node. It monitors and enforces kernel-level secret protection.
| Variable | Required | Default | Description |
|---|---|---|---|
| EBPF_OBJECT_PATH | No | /opt/cloudtaser/secret_monitor.o | Path to the compiled BPF object file. |
| ENFORCE_MODE | No | false | When true, the agent blocks secret exfiltration attempts (synchronous kprobe blocking or reactive SIGKILL). When false, the agent only logs events. |
| LOG_ALL | No | false | When true, logs all monitored syscall events, not just violations. Useful for debugging but generates high log volume. |
| REACTIVE_KILL | No | Same as ENFORCE_MODE | When true, SIGKILLs processes that attempt to exfiltrate secrets when synchronous kprobe enforcement is not available (requires kernel CONFIG_BPF_KPROBE_OVERRIDE). |
| GLOBAL_PRIVESC_DETECT | No | true | When true, detects kernel module loading and eBPF program loading from ALL PIDs, not just monitored ones. |
| GRPC_LISTEN_ADDR | No | 0.0.0.0:9443 | gRPC server address for receiving PID registrations from wrapper instances. |
| PLATFORM_ENDPOINT | No | -- | CloudTaser Platform gRPC/HTTP endpoint for sending audit events. |
| NODE_NAME | No | -- | Kubernetes node name (set via downward API). |
| HEALTH_LISTEN_ADDR | No | 0.0.0.0:9090 | HTTP health check server address. |
Secret Store Bootstrap (cloudtaser secretstore init)
These environment variables configure the cloudtaser secretstore init command. All can be overridden by CLI flags (flags take precedence).
| Variable | Required | Default | Description |
|---|---|---|---|
| OPENBAO_ADDR | Yes | -- | Secret store service URL (e.g., http://openbao.vault.svc:8200). |
| OPENBAO_NAMESPACE | Yes | -- | Kubernetes namespace where the secret store is deployed. |
| OPENBAO_RELEASE_NAME | Yes | -- | Helm release name, used for per-pod DNS resolution (e.g., openbao). |
| BOOTSTRAP_SHAMIR_SHARES | No | 5 | Number of Shamir secret shares for vault initialization. |
| BOOTSTRAP_SHAMIR_THRESHOLD | No | 3 | Minimum number of shares required to unseal. |
| BOOTSTRAP_KV_PATH | No | secret | KV v2 engine mount path. |
| BOOTSTRAP_AUTH_PATH | No | kubernetes | Kubernetes auth method mount path. |
| BOOTSTRAP_POLICY_NAME | No | cloudtaser | Vault policy name created during bootstrap. |
| BOOTSTRAP_ROLE_NAME | No | cloudtaser | Vault role name created during bootstrap. |
| BOOTSTRAP_OUTPUT_SECRET | No | cloudtaser-openbao-init | Kubernetes Secret name where init output (unseal keys + root token) is stored. |
| BOOTSTRAP_ROLE_BOUND_SA_NAMES | No | * | Service account names allowed to authenticate via the created role. |
| BOOTSTRAP_ROLE_BOUND_SA_NAMESPACES | No | * | Namespaces whose service accounts can authenticate via the created role. |
| BOOTSTRAP_ROLE_TTL | No | 1h | Token TTL for the created role. |
Operator (cloudtaser-operator)
The operator reads its configuration from Helm values, command-line flags, and the Kubernetes API (annotations and CRDs). It does not read environment variables directly for its own configuration. Instead, it sets wrapper environment variables on injected pods based on annotations and CloudTaserConfig CRs.
The environment variables the operator injects into pods are:
| Injected Variable | Source |
|---|---|
| CLOUDTASER_ORIGINAL_CMD | Resolved from pod spec command or container image ENTRYPOINT |
| CLOUDTASER_ORIGINAL_ARGS | Resolved from pod spec args or container image CMD (JSON array) |
| VAULT_ADDR | cloudtaser.io/vault-address annotation or CloudTaserConfig |
| VAULT_AUTH_METHOD | cloudtaser.io/vault-auth-method annotation (default: kubernetes) |
| VAULT_AUTH_ROLE | cloudtaser.io/vault-role annotation or CloudTaserConfig |
| VAULT_AUTH_MOUNT_PATH | cloudtaser.io/vault-auth-path annotation or CloudTaserConfig |
| CLOUDTASER_SECRET_PATHS | cloudtaser.io/secret-paths annotation or CloudTaserConfig |
| CLOUDTASER_ENV_MAP | cloudtaser.io/env-map annotation or CloudTaserConfig |
| CLOUDTASER_ROTATION | cloudtaser.io/rotation annotation (default: restart) |
| VAULT_SKIP_VERIFY | cloudtaser.io/vault-tls-skip-verify or cloudtaser.io/vault-skip-verify annotation |
| CLOUDTASER_EBPF_AGENT_ADDR | Set to unix:///var/run/cloudtaser/agent.sock when cloudtaser.io/ebpf: "true" |
| CLOUDTASER_POD_UID | Set from downward API metadata.uid when eBPF is enabled |
| CLOUDTASER_EBPF_NODE_IP | Set from downward API status.hostIP when eBPF is enabled |