Helm Values Reference

CloudTaser provides two Helm charts: the operator chart for standalone operator installation, and the unified cloudtaser chart that bundles the operator, wrapper configuration, and S3 proxy defaults into a single release.


Operator Chart

Chart: cloudtaser-operator
Repository: oci://europe-docker.pkg.dev/skipops/cloudtaser-helm

Installation

helm install cloudtaser-operator \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser-operator \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml

Values

replicaCount

Type int
Default 2

Number of operator pod replicas. Use at least 2 for high availability in production. The operator uses leader election, so only one replica is active at a time.

replicaCount: 2

image

Field             Type    Default
image.repository  string  europe-docker.pkg.dev/skipops/cloudtaser/operator
image.tag         string  Chart appVersion
image.pullPolicy  string  IfNotPresent

The operator container image.

image:
  repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
  tag: "v0.1.0"
  pullPolicy: IfNotPresent

initImage

Field                 Type    Default
initImage.repository  string  europe-docker.pkg.dev/skipops/cloudtaser/wrapper
initImage.tag         string  Chart appVersion

The wrapper binary image used by the init container during sidecar injection. The init container copies the wrapper binary into a shared emptyDir volume.

initImage:
  repository: europe-docker.pkg.dev/skipops/cloudtaser/wrapper
  tag: "v0.2.0"

resources

Type corev1.ResourceRequirements

Resource requests and limits for the operator pods.

resources:
  requests:
    cpu: "50m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "256Mi"

webhook

Field                   Type    Default  Description
webhook.port            int     9443     Port the webhook server listens on
webhook.failurePolicy   string  Fail     Webhook failure policy (Fail or Ignore)
webhook.timeoutSeconds  int     10       Timeout for webhook requests

webhook:
  port: 9443
  failurePolicy: Fail
  timeoutSeconds: 10

Failure policy

The default Fail policy means that if the webhook is unreachable, pod creation is blocked. This is the safer choice for production: it prevents un-injected pods from running, which could otherwise leave secrets exposed in etcd. Set the policy to Ignore only in development, or when you have a fallback mechanism.

serviceAccount

Field                       Type    Default  Description
serviceAccount.create       bool    true     Create a service account for the operator
serviceAccount.name         string  ""       Override the service account name (defaults to release name)
serviceAccount.annotations  map     {}       Annotations to add to the service account

serviceAccount:
  create: true
  name: ""
  annotations:
    iam.gke.io/gcp-service-account: [email protected]

nodeSelector

Type map[string]string
Default {}

nodeSelector:
  kubernetes.io/arch: amd64

tolerations

Type []corev1.Toleration
Default []

tolerations:
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"

affinity

Type corev1.Affinity
Default {}

affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - cloudtaser-operator
          topologyKey: kubernetes.io/hostname

Default Values Summary

Value                      Default
replicaCount               2
image.repository           europe-docker.pkg.dev/skipops/cloudtaser/operator
image.tag                  Chart appVersion
image.pullPolicy           IfNotPresent
initImage.repository       europe-docker.pkg.dev/skipops/cloudtaser/wrapper
initImage.tag              Chart appVersion
resources.requests.cpu     50m
resources.requests.memory  128Mi
resources.limits.cpu       500m
resources.limits.memory    256Mi
webhook.port               9443
webhook.failurePolicy      Fail
webhook.timeoutSeconds     10
serviceAccount.create      true
nodeSelector               {}
tolerations                []
affinity                   {}

Unified CloudTaser Chart

Chart: cloudtaser
Repository: oci://europe-docker.pkg.dev/skipops/cloudtaser-helm

The unified chart bundles the operator, wrapper defaults, and S3 proxy configuration into a single Helm release. It uses subcharts and exposes grouped values under operator.*, wrapper.*, and s3proxy.* prefixes.

Installation

helm install cloudtaser \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml

operator.*

All values from the operator chart are available under the operator prefix.

operator:
  replicaCount: 2
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
    tag: "v0.1.0"
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "50m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"

wrapper.*

Default configuration for the wrapper sidecar injected into workloads. These values serve as cluster-wide defaults and can be overridden per workload through CloudTaserConfig CRs or annotations.

Value                              Type    Default                                           Description
wrapper.image.repository           string  europe-docker.pkg.dev/skipops/cloudtaser/wrapper  Wrapper container image
wrapper.image.tag                  string  Chart appVersion                                  Wrapper image tag
wrapper.resources.requests.cpu     string  10m                                               CPU request for injected wrapper
wrapper.resources.requests.memory  string  32Mi                                              Memory request for injected wrapper
wrapper.resources.limits.cpu       string  100m                                              CPU limit for injected wrapper
wrapper.resources.limits.memory    string  64Mi                                              Memory limit for injected wrapper
wrapper.defaultRotation            string  none                                              Default rotation strategy
wrapper.healthAddr                 string  :8081                                             Health check listen address
wrapper.renewalInterval            string  5m                                                Vault token renewal interval
wrapper.requireMlock               bool    true                                              Require mlock for memory protection
wrapper.requireMemfdSecret         bool    false                                             Require memfd_secret (kernel 5.14+)

wrapper:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/wrapper
    tag: "v0.2.0"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  healthAddr: ":8081"
  renewalInterval: "5m"
  requireMlock: true
  requireMemfdSecret: false

s3proxy.*

Configuration for the S3 encryption proxy sidecar.

Value                              Type    Default                                            Description
s3proxy.image.repository           string  europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy  S3 proxy image
s3proxy.image.tag                  string  Chart appVersion                                   S3 proxy image tag
s3proxy.resources.requests.cpu     string  20m                                                CPU request
s3proxy.resources.requests.memory  string  64Mi                                               Memory request
s3proxy.resources.limits.cpu       string  200m                                               CPU limit
s3proxy.resources.limits.memory    string  256Mi                                              Memory limit
s3proxy.listenAddr                 string  :8099                                              Proxy listen address
s3proxy.healthAddr                 string  :8098                                              Health check listen address
s3proxy.maxObjectSize              string  5Gi                                                Maximum object size for encryption
s3proxy.defaultTransitMount        string  transit                                            Default Vault Transit mount path

s3proxy:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy
    tag: "v0.1.0"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  listenAddr: ":8099"
  healthAddr: ":8098"
  maxObjectSize: "5Gi"
  defaultTransitMount: "transit"

Full Example (Unified Chart)

values.yaml

operator:
  replicaCount: 2
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/operator
    tag: "v0.1.0"
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "1000m"
      memory: "512Mi"
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - cloudtaser-operator
            topologyKey: kubernetes.io/hostname

wrapper:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/wrapper
    tag: "v0.2.0"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  requireMlock: true
  requireMemfdSecret: false

s3proxy:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/s3-proxy
    tag: "v0.1.0"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  maxObjectSize: "5Gi"
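
A values file like the one above can be checked mechanically against the guidance on this page: two operator replicas for HA, webhook failurePolicy left at Fail, requireMlock left on, plus the 1 to 30 second range Kubernetes enforces on admission webhook timeouts. The linter below is an added example and not part of the CloudTaser project. It takes the parsed form of a values file (the dict that yaml.safe_load returns) and handles both layouts: the operator chart, where webhook and replicaCount sit at the top level, and the unified chart, where they nest under operator. The two sample value sets are constructed, and they are written as JSON only so the example runs with the standard library (a JSON file is also a valid Helm values file).

```python
"""Lint CloudTaser Helm values for the production settings this page recommends.

Added example, not part of the CloudTaser project. Works on the parsed form of a
values file (the dict yaml.safe_load returns) in either chart layout: operator
chart (webhook/replicaCount at top level) or unified chart (nested under
"operator"). The sample values below are constructed.
"""
import json
from typing import Any


def _get(values: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'operator.webhook.failurePolicy'."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_values(values: dict) -> list[str]:
    """Return one finding per setting weaker than the documented production default."""
    findings: list[str] = []
    # The unified chart nests the operator chart's values under the "operator" key.
    op = "operator." if "operator" in values else ""

    # Leader election keeps one replica active; a second one gives HA (chart default: 2).
    replicas = _get(values, f"{op}replicaCount", 2)
    if replicas < 2:
        findings.append(f"{op}replicaCount={replicas}: fewer than 2 replicas, no operator HA")

    # With Ignore, pods are admitted without the sidecar whenever the webhook is down.
    policy = _get(values, f"{op}webhook.failurePolicy", "Fail")
    if policy != "Fail":
        findings.append(f"{op}webhook.failurePolicy={policy}: un-injected pods can start")

    # Kubernetes accepts admission webhook timeouts of 1 to 30 seconds only.
    timeout = _get(values, f"{op}webhook.timeoutSeconds", 10)
    if not 1 <= timeout <= 30:
        findings.append(f"{op}webhook.timeoutSeconds={timeout}: must be between 1 and 30")

    # wrapper.* exists only in the unified chart; mlock keeps secret memory out of swap.
    if "wrapper" in values and _get(values, "wrapper.requireMlock", True) is False:
        findings.append("wrapper.requireMlock=false: wrapper memory may be swapped to disk")

    return findings


# Constructed samples in the unified-chart layout (JSON is also valid YAML for Helm).
DEV_VALUES = json.loads("""
{
  "operator": {"replicaCount": 1, "webhook": {"failurePolicy": "Ignore", "timeoutSeconds": 10}},
  "wrapper": {"requireMlock": false},
  "s3proxy": {"maxObjectSize": "5Gi"}
}
""")

PROD_VALUES = json.loads("""
{
  "operator": {"replicaCount": 2, "webhook": {"failurePolicy": "Fail", "timeoutSeconds": 10}},
  "wrapper": {"requireMlock": true, "requireMemfdSecret": false}
}
""")

if __name__ == "__main__":
    for name, vals in (("dev", DEV_VALUES), ("prod", PROD_VALUES)):
        problems = lint_values(vals)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

To check a real file, replace the constructed samples with the result of yaml.safe_load on values.yaml and pass it to lint_values; a non-empty list names the settings that depart from the production defaults documented above.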

Upgrading

helm upgrade cloudtaser \
  oci://europe-docker.pkg.dev/skipops/cloudtaser-helm/cloudtaser \
  --namespace cloudtaser-system \
  --values values.yaml

Wrapper image updates

Upgrading the Helm chart updates the operator and the default wrapper image tag. Existing pods will continue using their current wrapper version until they are restarted. To roll out the new wrapper version across all workloads, perform a rolling restart of your Deployments after the Helm upgrade.
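
One way to find the workloads that still need that restart, as an added example that is not part of the CloudTaser project: the script below reads the JSON that kubectl get pods --all-namespaces -o json prints, looks for containers (init containers included, since the chart's init container carries the wrapper binary) whose image comes from the wrapper repository documented on this page, and maps each affected pod back to its Deployment through the Kubernetes convention that a Deployment's ReplicaSet is named <deployment>-<pod-template-hash>. The pod list is constructed inline so the example runs offline; in a cluster you would feed it kubectl output instead.

```python
"""Find Deployments still running an old CloudTaser wrapper image after a chart upgrade.

Added example, not part of the CloudTaser project. Reads the JSON printed by
`kubectl get pods --all-namespaces -o json`, matches containers by the wrapper
image repository from the chart, and maps pods to Deployments through the
"<deployment>-<pod-template-hash>" ReplicaSet naming convention. The pod list
below is constructed so the script runs offline.
"""
import json

WRAPPER_REPO = "europe-docker.pkg.dev/skipops/cloudtaser/wrapper"


def split_image(image: str) -> tuple[str, str]:
    """Split an image reference into (repository, tag-or-digest)."""
    if "@" in image:                                  # digest-pinned: repo@sha256:...
        repo, digest = image.split("@", 1)
        return repo, digest
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:                         # no tag, or the ':' was a registry port
        return image, "latest"
    return repo, tag


def stale_deployments(pods_json: str, new_tag: str) -> set[tuple[str, str]]:
    """Return {(namespace, deployment)} for pods whose wrapper image tag is not new_tag."""
    stale: set[tuple[str, str]] = set()
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        # The chart's init container carries the wrapper binary, so check both lists.
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        tags = {split_image(c["image"])[1] for c in containers
                if split_image(c["image"])[0] == WRAPPER_REPO}
        if not tags or tags == {new_tag}:
            continue                                   # not injected, or already current
        owner = next((o["name"] for o in meta.get("ownerReferences", [])
                      if o["kind"] == "ReplicaSet"), None)
        template_hash = meta.get("labels", {}).get("pod-template-hash", "")
        if not owner or not template_hash or not owner.endswith("-" + template_hash):
            continue                                   # StatefulSet, Job, bare pod: skip
        stale.add((meta["namespace"], owner[: -(len(template_hash) + 1)]))
    return stale


def restart_commands(stale: set[tuple[str, str]]) -> list[str]:
    """One rolling-restart command per Deployment, in a stable order."""
    return [f"kubectl -n {ns} rollout restart deployment/{name}" for ns, name in sorted(stale)]


# Constructed sample shaped like `kubectl get pods -A -o json`, after upgrading to v0.2.0.
SAMPLE_PODS = json.dumps({"items": [
    {   # old wrapper init image: its Deployment needs a restart
        "metadata": {"namespace": "payments", "name": "api-7d9f8b6c4d-x2k9q",
                     "labels": {"pod-template-hash": "7d9f8b6c4d"},
                     "ownerReferences": [{"kind": "ReplicaSet", "name": "api-7d9f8b6c4d"}]},
        "spec": {"initContainers": [{"image": WRAPPER_REPO + ":v0.1.0"}],
                 "containers": [{"image": "registry.example.internal:5000/payments/api:1.4"}]},
    },
    {   # already on the new wrapper: nothing to do
        "metadata": {"namespace": "payments", "name": "worker-5f6d7c8b9a-abcde",
                     "labels": {"pod-template-hash": "5f6d7c8b9a"},
                     "ownerReferences": [{"kind": "ReplicaSet", "name": "worker-5f6d7c8b9a"}]},
        "spec": {"initContainers": [{"image": WRAPPER_REPO + ":v0.2.0"}],
                 "containers": [{"image": "registry.example.internal:5000/payments/worker:2.0"}]},
    },
    {   # never injected: ignored
        "metadata": {"namespace": "infra", "name": "dns-1234567890-zzzzz",
                     "labels": {"pod-template-hash": "1234567890"},
                     "ownerReferences": [{"kind": "ReplicaSet", "name": "dns-1234567890"}]},
        "spec": {"containers": [{"image": "registry.example.internal:5000/infra/dns:1.0"}]},
    },
]})

if __name__ == "__main__":
    for command in restart_commands(stale_deployments(SAMPLE_PODS, "v0.2.0")):
        print(command)
```

Pods owned by something other than a Deployment (StatefulSets, Jobs, bare pods) are skipped rather than guessed at, and a pod already on the new tag produces no command, so the output is the list of Deployments still to be restarted after the Helm upgrade.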