Helm Values Reference

Complete reference for all Helm values across CloudTaser charts. This page documents every value with its type, default, and description, sourced directly from the values.yaml files in cloudtaser-helm and cloudtaser-onprem.

For the operator-specific and unified chart overview, see Helm Values. For the on-prem OpenBao chart, see On-Prem Helm Values.


CloudTaser Chart (cloudtaser-helm)

Chart: cloudtaser
Source: cloudtaser-helm/charts/cloudtaser/values.yaml

This is the primary chart for deploying CloudTaser into a Kubernetes cluster. It includes the operator, wrapper image configuration, eBPF daemonset, S3 proxy defaults, NetworkPolicy, and PodDisruptionBudget.

Global

| Value | Type | Default | Description |
|---|---|---|---|
| namespace | string | cloudtaser-system | Namespace for all CloudTaser components |
| imagePullSecrets | list | [] | Image pull secrets for private registries |

operator.*

Operator deployment configuration.

| Value | Type | Default | Description |
|---|---|---|---|
| operator.ha | bool | false | Enable HA mode (multiple replicas with leader election) |
| operator.replicaCount | int | 1 | Number of operator pod replicas. Use 2+ for HA |
| operator.leaderElect | bool | false | Enable leader election. Required when replicaCount > 1 |
| operator.image.repository | string | europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator | Operator container image repository |
| operator.image.tag | string | v0.5.14-amd64 | Operator image tag |
| operator.image.pullPolicy | string | IfNotPresent | Image pull policy |
| operator.resources.requests.cpu | string | 50m | CPU request for operator pods |
| operator.resources.requests.memory | string | 64Mi | Memory request for operator pods |
| operator.resources.limits.cpu | string | 200m | CPU limit for operator pods |
| operator.resources.limits.memory | string | 128Mi | Memory limit for operator pods |
| operator.vaultAddress | string | "" | Default Vault/OpenBao address for token renewal. Pods override this via annotations |
| operator.webhook.port | int | 9443 | Port the webhook server listens on |
| operator.webhook.failurePolicy | string | Fail | Webhook failure policy: Fail blocks pod creation if the webhook is unreachable, Ignore allows pods to start without injection |
| operator.webhook.timeoutSeconds | int | 10 | Timeout for webhook admission requests |

failurePolicy: Fail

The default Fail policy prevents unprotected pods from running if the operator is unavailable. This is the safer choice for production. Set to Ignore only in development or with a fallback mechanism.

wrapper.*

Wrapper image used by the init container during sidecar injection.

| Value | Type | Default | Description |
|---|---|---|---|
| wrapper.image.repository | string | europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper | Wrapper binary image |
| wrapper.image.tag | string | v0.0.31-amd64 | Wrapper image tag |

s3proxy.*

S3 encryption proxy sidecar image configuration.

| Value | Type | Default | Description |
|---|---|---|---|
| s3proxy.image.repository | string | europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy | S3 proxy image |
| s3proxy.image.tag | string | v0.2.7-amd64 | S3 proxy image tag |

ebpf.*

eBPF runtime enforcement daemonset.

| Value | Type | Default | Description |
|---|---|---|---|
| ebpf.enabled | bool | true | Deploy the eBPF enforcement daemonset |
| ebpf.image.repository | string | europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-ebpf | eBPF agent image |
| ebpf.image.tag | string | v0.1.21-amd64 | eBPF agent image tag |
| ebpf.image.pullPolicy | string | IfNotPresent | Image pull policy |
| ebpf.enforceMode | bool | true | Enable enforcement (block syscalls). When false, the agent only logs events |
| ebpf.logAll | bool | false | Log all monitored syscalls, not just security violations. Generates high event volume |
| ebpf.reactiveKill | bool | true | SIGKILL processes that leak secrets when kprobe enforcement is unavailable. Active on kernels without CONFIG_BPF_KPROBE_OVERRIDE (all major cloud providers) |
| ebpf.priorityClassName | string | "" | Priority class for eBPF pods. Set to system-node-critical for production (requires GKE quota) |
| ebpf.resources.requests.cpu | string | 100m | CPU request for eBPF agent pods |
| ebpf.resources.requests.memory | string | 128Mi | Memory request for eBPF agent pods |
| ebpf.resources.limits.cpu | string | 500m | CPU limit for eBPF agent pods |
| ebpf.resources.limits.memory | string | 512Mi | Memory limit for eBPF agent pods |

Reactive kill

On all major cloud provider kernels (GKE, EKS, AKS), CONFIG_BPF_KPROBE_OVERRIDE is not enabled. The agent uses reactive kill (SIGKILL after detection) instead of synchronous blocking. The race window is microseconds: an attacker reading /proc/pid/environ is killed before they can exfiltrate data over the network.

networkPolicy.*

Auto-generated NetworkPolicy for vault egress.

| Value | Type | Default | Description |
|---|---|---|---|
| networkPolicy.enabled | bool | false | Create a NetworkPolicy allowing egress only to the vault endpoint |
| networkPolicy.vaultCIDR | string | "" | CIDR for the vault server. When empty, egress to the vault port is allowed to any destination |
| networkPolicy.vaultPort | int | 8200 | Vault server port for egress rules |

pdb.*

PodDisruptionBudget configuration.

| Value | Type | Default | Description |
|---|---|---|---|
| pdb.enabled | bool | false | Create a PodDisruptionBudget for the operator |
| pdb.operator.minAvailable | int | 1 | Minimum number of operator pods that must be available during disruptions |

Full Default Values

```yaml
namespace: cloudtaser-system

imagePullSecrets: []

operator:
  ha: false
  replicaCount: 1
  leaderElect: false
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-operator
    tag: "v0.5.14-amd64"
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi
  vaultAddress: ""
  webhook:
    port: 9443
    failurePolicy: Fail
    timeoutSeconds: 10

wrapper:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-wrapper
    tag: "v0.0.31-amd64"

s3proxy:
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-s3-proxy
    tag: "v0.2.7-amd64"

ebpf:
  enabled: true
  image:
    repository: europe-west4-docker.pkg.dev/skipopsmain/cloudtaser/cloudtaser-ebpf
    tag: "v0.1.21-amd64"
    pullPolicy: IfNotPresent
  enforceMode: true
  logAll: false
  reactiveKill: true
  priorityClassName: ""
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi

networkPolicy:
  enabled: false
  vaultCIDR: ""
  vaultPort: 8200

pdb:
  enabled: false
  operator:
    minAvailable: 1
```

On-Prem OpenBao Chart (cloudtaser-onprem)

Chart: cloudtaser-openbao
Source: cloudtaser-onprem/charts/cloudtaser-openbao/values.yaml

Deploys OpenBao in HA mode and bootstraps it for CloudTaser using cloudtaser-cli secretstore init. See the full On-Prem Helm Values for detailed documentation including bootstrap job details.

Global

| Value | Type | Default | Description |
|---|---|---|---|
| namespace | string | cloudtaser-vault | Namespace for the OpenBao deployment |

openbao.*

Passed through to the upstream OpenBao Helm chart.

| Value | Type | Default | Description |
|---|---|---|---|
| openbao.server.ha.enabled | bool | true | Enable HA mode |
| openbao.server.ha.replicas | int | 3 | Number of HA replicas |
| openbao.server.ha.raft.enabled | bool | true | Use Raft for the HA storage backend |
| openbao.server.auditStorage.enabled | bool | true | Enable persistent storage for audit logs |
| openbao.server.auditStorage.size | string | 10Gi | Audit storage volume size |
| openbao.server.dataStorage.enabled | bool | true | Enable persistent storage for data |
| openbao.server.dataStorage.size | string | 10Gi | Data storage volume size |
| openbao.server.resources.requests.cpu | string | 250m | CPU request |
| openbao.server.resources.requests.memory | string | 256Mi | Memory request |
| openbao.server.resources.limits.cpu | string | 1 | CPU limit |
| openbao.server.resources.limits.memory | string | 512Mi | Memory limit |
| openbao.injector.enabled | bool | false | Disable the OpenBao injector (CloudTaser uses its own webhook) |

OpenBao injector disabled

The OpenBao injector is explicitly disabled. CloudTaser uses its own mutating webhook via cloudtaser-operator. Running both injectors would cause conflicts.

bootstrap.*

Post-install bootstrap Job that runs cloudtaser-cli secretstore init.

| Value | Type | Default | Description |
|---|---|---|---|
| bootstrap.enabled | bool | true | Enable the bootstrap Job |
| bootstrap.image.repository | string | ghcr.io/cloudtaser/cloudtaser-cli | Bootstrap container image |
| bootstrap.image.tag | string | latest | Bootstrap image tag |
| bootstrap.image.pullPolicy | string | IfNotPresent | Image pull policy |
| bootstrap.shamir.shares | int | 5 | Number of Shamir key shares generated during initialization |
| bootstrap.shamir.threshold | int | 3 | Minimum shares required to unseal |
| bootstrap.kv.path | string | secret | KV v2 secret engine mount path |
| bootstrap.auth.path | string | kubernetes | Kubernetes auth method mount path |
| bootstrap.policy.name | string | cloudtaser | Policy name for CloudTaser read access |
| bootstrap.policy.kvReadPaths | list | ["secret/data/*", "secret/metadata/*"] | KV paths the policy grants read access to |
| bootstrap.role.name | string | cloudtaser | Kubernetes auth role name |
| bootstrap.role.boundServiceAccountNames | string | * | Service accounts allowed to authenticate |
| bootstrap.role.boundServiceAccountNamespaces | string | * | Namespaces allowed to authenticate |
| bootstrap.role.ttl | string | 1h | Token TTL for authenticated pods |
| bootstrap.outputSecret.name | string | cloudtaser-openbao-init | Kubernetes Secret name for unseal keys and root token |

Full Default Values

```yaml
namespace: cloudtaser-vault

openbao:
  server:
    ha:
      enabled: true
      replicas: 3
      raft:
        enabled: true
    auditStorage:
      enabled: true
      size: 10Gi
    dataStorage:
      enabled: true
      size: 10Gi
    resources:
      requests:
        cpu: 250m
        memory: 256Mi
      limits:
        cpu: "1"
        memory: 512Mi
  injector:
    enabled: false

bootstrap:
  enabled: true
  image:
    repository: ghcr.io/cloudtaser/cloudtaser-cli
    tag: "latest"
    pullPolicy: IfNotPresent
  shamir:
    shares: 5
    threshold: 3
  kv:
    path: "secret"
  auth:
    path: "kubernetes"
  policy:
    name: "cloudtaser"
    kvReadPaths:
      - "secret/data/*"
      - "secret/metadata/*"
  role:
    name: "cloudtaser"
    boundServiceAccountNames: "*"
    boundServiceAccountNamespaces: "*"
    ttl: "1h"
  outputSecret:
    name: "cloudtaser-openbao-init"
```

Common Configuration Patterns

Production HA with enforcement

values-production.yaml

```yaml
operator:
  ha: true
  replicaCount: 3
  leaderElect: true
  vaultAddress: "https://vault.eu.example.com"
  webhook:
    failurePolicy: Fail
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi

ebpf:
  enabled: true
  enforceMode: true
  reactiveKill: true
  priorityClassName: "system-node-critical"
  resources:
    requests:
      cpu: 200m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 1Gi

networkPolicy:
  enabled: true
  vaultCIDR: "10.128.0.0/16"
  vaultPort: 8200

pdb:
  enabled: true
  operator:
    minAvailable: 1
```

Development / testing

values-dev.yaml

```yaml
operator:
  ha: false
  replicaCount: 1
  leaderElect: false
  webhook:
    failurePolicy: Ignore

ebpf:
  enabled: false

networkPolicy:
  enabled: false

pdb:
  enabled: false
```

Restricted on-prem vault access

values-restricted-onprem.yaml

```yaml
bootstrap:
  shamir:
    shares: 7
    threshold: 4
  role:
    boundServiceAccountNames: "myapp-sa,worker-sa"
    boundServiceAccountNamespaces: "production,staging"
    ttl: "30m"
  policy:
    kvReadPaths:
      - "secret/data/myapp/*"
      - "secret/metadata/myapp/*"
```
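The three patterns above differ mainly in which of the weak settings this page warns about they leave in place (failurePolicy: Ignore, enforcement disabled, an empty vaultCIDR, wildcard bound service accounts, an unpinned bootstrap tag). The following lint is an added example, not code from cloudtaser-helm or cloudtaser-onprem; it takes a values file already parsed into a dict, applies the chart defaults documented on this page for any absent key, and reports the findings. The sample dicts are transcribed from values-dev.yaml and values-restricted-onprem.yaml above.

```python
"""Lint parsed CloudTaser Helm values for the weak settings this page calls out.
Added example for this page, not code from cloudtaser-helm or cloudtaser-onprem;
the sample dicts at the bottom are transcribed from the patterns above."""


def _get(values, path, default=None):
    """Resolve a dotted key path such as 'operator.webhook.failurePolicy'."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_values(values):
    """Return (key path, message) findings; absent keys take the chart defaults."""
    findings = []
    if _get(values, "operator.webhook.failurePolicy", "Fail") == "Ignore":
        findings.append(("operator.webhook.failurePolicy",
                         "Ignore lets pods start without injection when the webhook is down"))
    if _get(values, "operator.replicaCount", 1) > 1 and not _get(values, "operator.leaderElect", False):
        findings.append(("operator.leaderElect", "must be true when replicaCount > 1"))
    if not (_get(values, "ebpf.enabled", True) and _get(values, "ebpf.enforceMode", True)):
        findings.append(("ebpf", "runtime enforcement is off; syscalls are at most logged"))
    if _get(values, "networkPolicy.enabled", False) and not _get(values, "networkPolicy.vaultCIDR", ""):
        findings.append(("networkPolicy.vaultCIDR",
                         "empty CIDR allows egress on the vault port to any destination"))
    if "bootstrap" in values:  # keys specific to the cloudtaser-openbao chart
        for key in ("bootstrap.role.boundServiceAccountNames",
                    "bootstrap.role.boundServiceAccountNamespaces"):
            if _get(values, key, "*") == "*":
                findings.append((key, "wildcard; list only the accounts/namespaces that need secrets"))
        if _get(values, "bootstrap.shamir.threshold", 3) > _get(values, "bootstrap.shamir.shares", 5):
            findings.append(("bootstrap.shamir", "threshold exceeds shares; OpenBao could never be unsealed"))
        if _get(values, "bootstrap.image.tag", "latest") == "latest":
            findings.append(("bootstrap.image.tag", "unpinned tag; pin the bootstrap image to a version"))
    return findings


# Constructed inputs: the Development / testing and Restricted on-prem patterns above.
DEV_VALUES = {"operator": {"replicaCount": 1, "leaderElect": False, "webhook": {"failurePolicy": "Ignore"}},
              "ebpf": {"enabled": False}, "networkPolicy": {"enabled": False}}
RESTRICTED_ONPREM = {"bootstrap": {"shamir": {"shares": 7, "threshold": 4},
                                   "role": {"boundServiceAccountNames": "myapp-sa,worker-sa",
                                            "boundServiceAccountNamespaces": "production,staging"}}}

if __name__ == "__main__":
    for name, vals in (("values-dev.yaml", DEV_VALUES), ("values-restricted-onprem.yaml", RESTRICTED_ONPREM)):
        for key, msg in lint_values(vals):
            print(f"{name}: {key}: {msg}")
```

Run against the restricted on-prem pattern it still reports bootstrap.image.tag, because that file never overrides the chart's latest default; the production pattern and the unmodified cloudtaser chart defaults produce no findings.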