Quick Start — 6 steps to your first protected pod

From zero to a pod with secrets injected from an EU vault in under 10 minutes.

Prerequisites

  • Kubernetes cluster (1.28+) with kubectl configured
  • Helm 3
  • An OpenBao / HashiCorp Vault instance reachable from your machine

1 — Install the CLI

# Homebrew
brew tap cloudtaser/tap https://codeberg.org/cloudtaser/homebrew-tap
brew install cloudtaser/tap/cloudtaser

# Or download the Linux amd64 binary directly
curl -sL "https://releases.cloudtaser.io/cli/v0.18.28/cloudtaser-cli-linux-amd64" \
  -o /usr/local/bin/cloudtaser-cli && chmod +x /usr/local/bin/cloudtaser-cli

2 — Install the operator

helm repo add cloudtaser https://charts.cloudtaser.io
helm repo update
helm install cloudtaser cloudtaser/cloudtaser \
  --namespace cloudtaser-system --create-namespace

3 — Connect your cluster to the secret store

cloudtaser-cli target install

This registers the cluster fingerprint, establishes the beacon relay connection, and deploys the bridge. No direct network path between cluster and vault is needed — everything routes over TCP 443.

4 — Store a test secret

export BAO_ADDR=https://your-vault.eu.example.com
export BAO_TOKEN=hvs.YOUR_TOKEN
bao kv put secret/quickstart/db password="s3cret" username="app_user"

5 — Annotate a workload

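Add these annotations to any Deployment pod template. The secret-paths value carries the data/ segment that a KV v2 mount adds to the API path, which is why it differs from the path passed to bao kv put in step 4: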

annotations:
  cloudtaser.io/inject: "true"
  cloudtaser.io/secret-paths: "secret/data/quickstart/db"
  cloudtaser.io/env-map: "password=PGPASSWORD,username=PGUSER"

Apply it:

kubectl apply -f your-deployment.yaml

6 — Verify

# Pod is running with injected secrets
cloudtaser-cli target status

# Secret is NOT in /proc/1/environ (injected after exec, not at launch)
kubectl exec deploy/your-app -- cat /proc/1/environ | tr '\0' '\n' | grep PGPASSWORD
# → (no output — correct)
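
A stricter form of the step 6 check, as an added example that is not part of the CloudTaser documentation: it matches the variable name exactly (a plain grep PGPASSWORD would also match names such as PGPASSWORD_FILE) and never prints the value, so a failing check does not echo the secret to the terminal. The function names, the script name check-environ.sh and the temporary-file approach are assumptions of this example; only kubectl exec, /proc/1/environ and the variable names come from the page.

```shell
#!/bin/sh
# Added example, not CloudTaser code. Function names are this example's own.

# environ_has_var FILE NAME
# FILE is a NUL-separated dump of /proc/<pid>/environ.
# Returns 0 if NAME is set, 1 if absent, 2 on bad input. Never prints a value.
environ_has_var() {
  ev_file=$1
  ev_name=$2
  case $ev_name in
    '' | [0-9]* | *[!A-Za-z0-9_]*)
      echo "invalid variable name" >&2
      return 2 ;;
  esac
  [ -r "$ev_file" ] || { echo "cannot read $ev_file" >&2; return 2; }
  # Anchor on "NAME=" so OLD_PGPASSWORD or PGPASSWORD_FILE do not match.
  tr '\0' '\n' < "$ev_file" | grep -q "^${ev_name}="
}

# check_pod_environ TARGET NAME...
# Dumps PID 1's environ from the workload once (shell variables cannot hold
# NUL bytes, hence the mktemp file, created mode 0600) and checks each name.
# Returns 0 if none are present, 1 if any is, 2 on error.
check_pod_environ() {
  cp_target=$1
  shift
  cp_dump=$(mktemp) || return 2
  if ! kubectl exec "$cp_target" -- cat /proc/1/environ > "$cp_dump"; then
    rm -f "$cp_dump"
    return 2
  fi
  cp_result=0
  for cp_name in "$@"; do
    cp_rc=0
    environ_has_var "$cp_dump" "$cp_name" || cp_rc=$?
    case $cp_rc in
      0) echo "FAIL: $cp_name is in PID 1's initial environment"; cp_result=1 ;;
      1) echo "ok:   $cp_name not in /proc/1/environ" ;;
      *) rm -f "$cp_dump"; return 2 ;;
    esac
  done
  rm -f "$cp_dump"
  return "$cp_result"
}

# Usage (hypothetical script name): sh check-environ.sh deploy/your-app PGPASSWORD PGUSER
if [ "$#" -ge 2 ]; then
  check_pod_environ "$@"
fi
```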

For the full walkthrough including verification steps and compliance checks, see the complete quickstart.