# cloudtaser-helm-values.yaml
#
# The exact helm values applied at scenario step 2 of
# https://cloudtaser.io/demo-lab. Referenced from the step as:
#
#   helm install cloudtaser cloudtaser/cloudtaser \
#     --namespace cloudtaser-system --create-namespace \
#     -f https://cloudtaser.io/demo-lab/manifests/cloudtaser-helm-values.yaml
#
# Everything else in the chart stays at its default -- this file ONLY
# contains the demo-specific overrides. The chart README has the full
# value surface.
#
# Why the chosen overrides (broker.beacon.trustSystemRoots and ebpf.legacyCaps
# are explained inline next to their keys below):
#
#   operator.broker.beacon.enabled=true
#     Route all secret traffic through the cloudtaser-beacon relay
#     at beacon.cloudtaser.io:443 instead of expecting a direct network
#     path to the vault. This is the demo's architectural point: the
#     cluster has no path to the vault except via beacon -> bridge.
#
#   operator.broker.beacon.address=beacon.cloudtaser.io:443
#     Demo beacon endpoint. In production you'd point at your own
#     beacon deployment.
#
#   operator.fingerprint.enabled=true
#     Require cluster-fingerprint verification. Scenario step 4 writes
#     this cluster's fingerprint into the vault; step 5's wrapper fetch
#     is rejected without a matching entry. This is what makes the
#     demo honest about the register step -- without verification on,
#     register would be ceremony, not enforcement.
#
#   operator.readinessProbe.periodSeconds=3
#     Tighter readinessProbe for the demo (chart 1.0.85+ parameterized this).
#     Saves ~5s avg / 10s p99 between operator init complete and `kubectl
#     rollout status` reflecting Ready. Drives step 4 closer to its 90s budget.
#     Default in chart is 10s; demo overrides to 3s.
operator:
  broker:
    beacon:
      # Route secret traffic via the cloudtaser-beacon relay instead of
      # requiring a direct cluster -> vault network path (rationale in
      # the file header).
      enabled: true
      # Demo relay endpoint (host:port). In production, point this at
      # your own beacon deployment.
      address: beacon.cloudtaser.io:443
      # beacon.cloudtaser.io serves a Let's Encrypt (ISRG Root X1) cert
      # via the Cloudflare edge. Verification path: trust the OS public
      # CA pool — the chart wires this through to the operator's
      # --beacon-trust-system-roots flag (cloudtaser-operator#261, v0.9.2+).
      # This is the same posture used by values-production.yaml and
      # values-saas.yaml against the same public beacon.
      #
      # The previous demo overrides (insecureSkipVerify=true,
      # allowInsecure=true) downgraded TLS verification on the
      # operator->beacon hop and were a release-blocker
      # (cloudtaser-io-website#275). They are removed here; the chart
      # defaults (both false) take over — paired-flag guardrail
      # (cloudtaser-operator#216) keeps a stray override loud.
      #
      # NOTE(review): "OS public CA pool" presumably means the CA bundle
      # inside the operator container image, not the node's — confirm the
      # image keeps its ca-certificates current. Nothing in this file pins
      # the beacon certificate or issuing CA: verification is chain +
      # hostname against the public roots only, so a cert rotation on the
      # beacon side needs no change here.
      trustSystemRoots: true
  fingerprint:
    # Verification ON: the operator checks the cluster fingerprint
    # in vault source/clusters/ on every secret fetch. Step 4 of the
    # scenario IS the gate -- skip it and step 6's fetch fails.
    # Requires breathing room for the init-phase bridge handshake;
    # we bumped the CC node to n2d-standard-2 (8 GB) in
    # cloudtaser-terraform so this fits.
    #
    # NOTE(review): the file header says step 5's wrapper fetch is the
    # first fetch rejected without a fingerprint entry; the line above
    # says step 6. Reconcile the two before the scenario text is relied on.
    enabled: true
  # Tighter readinessProbe for the demo (chart 1.0.85+ parameterized this).
  # Saves ~5s avg / 10s p99 between operator init complete and `kubectl
  # rollout status` reflecting Ready. Drives step 4 closer to its 90s budget.
  # Default in chart is 10s; demo overrides to 3s.
  # Only periodSeconds is overridden; every other probe field stays at the
  # chart default, per the "overrides only" rule in the file header.
  readinessProbe:
    periodSeconds: 3
ebpf:
  # GKE Confidential Computing nodes (Ubuntu 6.8) set
  # kernel.perf_event_paranoid=4. This Ubuntu-specific hardened value
  # requires CAP_SYS_ADMIN for ALL perf_event_open(2) calls — even
  # CAP_PERFMON (the modern least-privilege chart default) is
  # insufficient. cilium/ebpf attaches tracepoints via perf_event_open
  # internally; without CAP_SYS_ADMIN every tracepoint attach returns
  # EACCES and the eBPF DaemonSet crash-loops.
  #
  # This override is correct and necessary for the demo cluster (a GKE
  # CC Ubuntu node). It is NOT a security bypass — CAP_SYS_ADMIN is
  # required by the node's own kernel hardening, not by a product gap.
  # For non-Ubuntu GKE nodes (COS, perf_event_paranoid=2) this override
  # is not needed and legacyCaps: false applies.
  #
  # Blast-radius caveat: CAP_SYS_ADMIN is far broader than CAP_PERFMON,
  # so a compromise of the eBPF DaemonSet container is effectively
  # node-level privilege. Keep this confined to the demo values; do not
  # carry it into values-production.yaml / values-saas.yaml unless those
  # nodes are also Ubuntu CC (perf_event_paranoid=4) — on COS the chart
  # default (legacyCaps: false, CAP_PERFMON) is sufficient.
  #
  # NOTE(review): confirm the chart applies legacyCaps only to the eBPF
  # DaemonSet's securityContext and not to the operator pod as well. If
  # the DaemonSet still crash-loops with EACCES after this override,
  # check kernel.perf_event_paranoid on the node before widening
  # privileges any further.
  #
  # See cloudtaser-ebpf#243 for root-cause analysis.
  legacyCaps: true
