Skip to content

Helm Values Reference

cloudtaser provides two Helm charts: the operator chart for standalone operator installation, and the unified cloudtaser chart that bundles the operator, wrapper configuration, and S3 proxy defaults into a single release.

The Helm charts control how cloudtaser is deployed into your Kubernetes cluster. Key decisions include the number of operator replicas (for high availability), the webhook failure policy (which determines whether pods can start without cloudtaser protection), and resource allocation for each component. All configuration is declarative and version-controlled through standard Helm values files.

Operator Chart

Chart: cloudtaser Repository: https://charts.cloudtaser.io

Image registry paths

The europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/ image paths shown below are the default values from the Helm chart. You do not need to configure a separate registry -- these images are public and pulled automatically.

Installation

helm repo add cloudtaser https://charts.cloudtaser.io
helm repo update

helm install cloudtaser cloudtaser/cloudtaser \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml

Values

replicaCount
Type int
Default 2

Number of operator pod replicas. Use at least 2 for high availability in production. The operator uses leader election, so only one replica is active at a time.

replicaCount: 2

image

Field Type Default
image.repository string europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
image.tag string Chart appVersion
image.pullPolicy string IfNotPresent

The operator container image.

image:
  repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
  tag: "v0.6.9"
  pullPolicy: IfNotPresent

initImage

Field Type Default
initImage.repository string europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
initImage.tag string Chart appVersion

The wrapper binary image used by the init container during wrapper injection. The init container copies the wrapper binary into a shared emptyDir volume.

initImage:
  repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
  tag: "v0.1.6"

resources
Type corev1.ResourceRequirements

Resource requests and limits for the operator pods.

resources:
  requests:
    cpu: "50m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "256Mi"

webhook

Field Type Default Description
webhook.port int 9443 Port the webhook server listens on
webhook.failurePolicy string Fail Webhook failure policy (Fail or Ignore)
webhook.timeoutSeconds int 10 Timeout for webhook requests 
webhook:
  port: 9443
  failurePolicy: Fail
  timeoutSeconds: 10

Failure policy

The default Fail policy means that if the webhook is unreachable, pod creation is blocked. This is the safer choice for production -- it prevents un-injected pods from running with secrets potentially exposed in etcd. Set to Ignore only in development or if you have a fallback mechanism.

secretBackend
Type string
Default vault

Controls where the operator stores its own operational secrets (webhook TLS certificates, broker mTLS certificates, broker authentication tokens). With vault (the default), the operator authenticates to OpenBao using Kubernetes auth and stores secrets at secret/cloudtaser/system/*. With kubernetes, it falls back to Kubernetes Secrets.

secretBackend: vault

When to use inmemory

Use secretBackend: inmemory only for local development (kind, minikube), environments where OpenBao is not available at operator startup, or gradual migration from older installations. In production, use vault to keep operational secrets out of etcd. See Zero Kubernetes Secrets Architecture.

vault

Field Type Default Description
vault.address string "" OpenBao address for operator secret storage and workload injection
vault.authPath string kubernetes OpenBao Kubernetes auth method mount path
vault.role string cloudtaser-operator OpenBao role for operator authentication
vault.secretPrefix string secret/cloudtaser/system OpenBao path prefix for operator secrets
vault.tlsSkipVerify bool false Skip TLS verification for OpenBao (development only)
vault.caCert string "" PEM-encoded CA certificate for OpenBao TLS verification 
vault:
  address: "https://vault.eu.example.com"
  authPath: kubernetes
  role: cloudtaser-operator
  secretPrefix: secret/cloudtaser/system
  tlsSkipVerify: false
  caCert: ""

These values are used when secretBackend: vault. The vault.address is also used as the default OpenBao address for workload secret injection (overridable per-workload via annotations). Run cloudtaser-cli source install + cloudtaser-cli source configure to create the required OpenBao policy and Kubernetes auth role before deploying the operator with OpenBao backend.

serviceAccount

Field Type Default Description
serviceAccount.create bool true Create a service account for the operator
serviceAccount.name string "" Override the service account name (defaults to release name)
serviceAccount.annotations map {} Annotations to add to the service account 
serviceAccount:
  create: true
  name: ""
  annotations:
    iam.gke.io/gcp-service-account: [email protected]

nodeSelector
Type map[string]string
Default {} 
nodeSelector:
  kubernetes.io/arch: amd64

tolerations
Type []corev1.Toleration
Default [] 
tolerations:
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"

affinity
Type corev1.Affinity
Default {} 
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - cloudtaser-operator
          topologyKey: kubernetes.io/hostname

Default Values Summary

Value Default
replicaCount 2
image.repository europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
image.tag Chart appVersion
image.pullPolicy IfNotPresent
initImage.repository europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
initImage.tag Chart appVersion
secretBackend vault
vault.address ""
vault.authPath kubernetes
vault.role cloudtaser-operator
vault.secretPrefix secret/cloudtaser/system
vault.tlsSkipVerify false
vault.caCert ""
resources.requests.cpu 50m
resources.requests.memory 128Mi
resources.limits.cpu 500m
resources.limits.memory 256Mi
webhook.port 9443
webhook.failurePolicy Fail
webhook.timeoutSeconds 10
serviceAccount.create true
nodeSelector {}
tolerations []
affinity {}

Unified cloudtaser Chart

Chart: cloudtaser Repository: https://charts.cloudtaser.io

The unified chart bundles the operator, wrapper defaults, and S3 proxy configuration into a single Helm release. It uses subcharts and exposes grouped values under operator.*, wrapper.*, and s3proxy.* prefixes.

Installation

helm repo add cloudtaser https://charts.cloudtaser.io
helm repo update

helm install cloudtaser cloudtaser/cloudtaser \
  --namespace cloudtaser-system \
  --create-namespace \
  --values values.yaml

operator.*

All values from the operator chart are available under the operator prefix.

operator:
  replicaCount: 2
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
    tag: "v0.6.9"
  secretBackend: vault
  vault:
    address: "https://vault.eu.example.com"
    authPath: kubernetes
    role: cloudtaser-operator
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "50m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"

wrapper.*

Default configuration for the wrapper init container injected into workloads. These values serve as cluster-wide defaults and can be overridden per-workload via CloudTaserConfig CRs or annotations.

Value Type Default Description
wrapper.image.repository string europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper Wrapper container image
wrapper.image.tag string Chart appVersion Wrapper image tag
wrapper.resources.requests.cpu string 10m CPU request for injected wrapper
wrapper.resources.requests.memory string 32Mi Memory request for injected wrapper
wrapper.resources.limits.cpu string 100m CPU limit for injected wrapper
wrapper.resources.limits.memory string 64Mi Memory limit for injected wrapper
wrapper.defaultRotation string restart Default rotation strategy
wrapper.healthAddr string :8081 Health check listen address
wrapper.renewalInterval string 5m OpenBao token renewal interval
wrapper.requireMlock bool true Require mlock for memory protection
wrapper.requireMemfdSecret bool false Require memfd_secret (kernel 5.14+) 
wrapper:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
    tag: "v0.1.6"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  healthAddr: ":8081"
  renewalInterval: "5m"
  requireMlock: true
  requireMemfdSecret: false

s3proxy.*

Configuration for the S3 encryption proxy sidecar.

Value Type Default Description
s3proxy.image.repository string europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy S3 proxy image
s3proxy.image.tag string Chart appVersion S3 proxy image tag
s3proxy.resources.requests.cpu string 20m CPU request
s3proxy.resources.requests.memory string 64Mi Memory request
s3proxy.resources.limits.cpu string 200m CPU limit
s3proxy.resources.limits.memory string 256Mi Memory limit
s3proxy.listenAddr string :8099 Proxy listen address
s3proxy.healthAddr string :8098 Health check listen address
s3proxy.maxObjectSize string 5Gi Maximum object size for encryption
s3proxy.defaultTransitMount string transit Default OpenBao Transit mount path 
s3proxy:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy
    tag: "v0.2.13"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  listenAddr: ":8099"
  healthAddr: ":8098"
  maxObjectSize: "5Gi"
  defaultTransitMount: "transit"

Full Example (Unified Chart)

values.yaml
operator:
  replicaCount: 2
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
    tag: "v0.6.9"
  secretBackend: vault
  vault:
    address: "https://vault.eu.example.com"
    authPath: kubernetes
    role: cloudtaser-operator
    secretPrefix: secret/cloudtaser/system
  webhook:
    failurePolicy: Fail
    timeoutSeconds: 10
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "1000m"
      memory: "512Mi"
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - cloudtaser-operator
            topologyKey: kubernetes.io/hostname

wrapper:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
    tag: "v0.1.6"
  resources:
    requests:
      cpu: "10m"
      memory: "32Mi"
    limits:
      cpu: "100m"
      memory: "64Mi"
  defaultRotation: "none"
  requireMlock: true
  requireMemfdSecret: false

s3proxy:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy
    tag: "v0.2.13"
  resources:
    requests:
      cpu: "20m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "256Mi"
  maxObjectSize: "5Gi"

Upgrading

helm repo update

helm upgrade cloudtaser cloudtaser/cloudtaser \
  --namespace cloudtaser-system \
  --values values.yaml

Wrapper image updates

Upgrading the Helm chart updates the operator and the default wrapper image tag. Existing pods will continue using their current wrapper version until they are restarted. To roll out the new wrapper version across all workloads, perform a rolling restart of your Deployments after the Helm upgrade.