# cloudtaser-helm-values.yaml
#
# The exact helm values applied at scenario step 2 of
# https://cloudtaser.io/demo-lab. Referenced from the step as:
#
#   helm install cloudtaser cloudtaser/cloudtaser \
#     --namespace cloudtaser-system --create-namespace \
#     -f https://cloudtaser.io/demo-lab/manifests/cloudtaser-helm-values.yaml
#
# Everything else in the chart stays at its default -- this file ONLY
# contains the demo-specific overrides. The chart README has the full
# value surface. Because `-f` fetches this file over HTTPS at install
# time, anything beyond the throwaway demo cluster should download it,
# review it, and pass the local copy instead of the URL.
#
# Why the chosen overrides:
#
#   operator.broker.beacon.enabled=true
#     Route all secret traffic through the cloudtaser-beacon relay
#     at beacon.cloudtaser.io:443 instead of expecting a direct network
#     path to the vault. This is the demo's architectural point: the
#     cluster has no path to the vault except via beacon -> bridge.
#
#   operator.broker.beacon.address=beacon.cloudtaser.io:443
#     Demo beacon endpoint. In production you'd point at your own
#     beacon deployment.
#
#   operator.fingerprint.enabled=true
#     Require cluster-fingerprint verification. Scenario step 4 writes
#     this cluster's fingerprint into the vault; step 5's wrapper fetch
#     is rejected without a matching entry. This is what makes the
#     demo honest about the register step -- without verification on,
#     register would be ceremony, not enforcement.
#
#   operator.broker.beacon.insecureSkipVerify=true
#   operator.broker.beacon.allowInsecure=true
#     Demo-only. Disables TLS verification of the beacon relay, i.e.
#     of the one channel every secret fetch goes through. The two keys
#     are a deliberate double opt-in (see the inline comment below).
#     Do not carry this pair into a production values file; set
#     beacon.caCert instead.
operator:
  broker:
    beacon:
      enabled: true
      address: beacon.cloudtaser.io:443
      # Cloudflare terminates beacon's TLS at the edge with a public
      # cert; the operator's init-phase needs either --beacon-ca to
      # pin the CA or --beacon-insecure-skip-verify to accept any.
      # For the demo we skip-verify (paired with the bridge doing the
      # same). Production sets beacon.caCert and drops this flag.
      #
      # SECURITY: with this set, the operator accepts ANY certificate
      # from whatever answers at `address`, and per the header every
      # secret fetch goes through this relay. Anyone who can redirect
      # or intercept the cluster's egress to beacon.cloudtaser.io:443
      # (DNS, an on-path proxy, a compromised egress gateway) can
      # impersonate beacon to the operator. The fingerprint check
      # below authenticates the cluster to the vault, not the relay
      # to the cluster, so it does not by itself close this gap
      # unless the wrapper is end-to-end protected to the vault --
      # confirm against the operator before relying on that. Never
      # copy this pair into a values file for a real cluster.
      #
      # NOTE(review): since the edge cert is issued by a public CA,
      # pointing beacon.caCert at that CA's root (instead of
      # skip-verify) may well work for the demo too, if the
      # init-phase accepts a CA bundle rather than only a pinned
      # leaf -- worth confirming, it would remove the insecure pair.
      insecureSkipVerify: true
      # Chart v1.0.51+ (cloudtaser-operator v0.6.32) guards
      # insecureSkipVerify behind a second explicit opt-in flag so
      # it can't be set accidentally. Pair required.
      # NOTE(review): on an older chart this key is just an unknown
      # value; Helm does not reject unknown keys unless the chart
      # ships a values.schema.json, so check the installed chart
      # version rather than assuming the guard is active.
      allowInsecure: true
  fingerprint:
    # Verification ON: the operator checks the cluster fingerprint
    # in vault source/clusters/ on every secret fetch. Step 4 of the
    # scenario IS the gate -- skip it and step 6's fetch fails.
    # (The header comment says the rejected fetch is step 5's; one
    # of the two is stale -- check against the demo page.)
    # Requires breathing room for the init-phase bridge handshake;
    # we bumped the CC node to n2d-standard-2 (8 GB) in
    # cloudtaser-terraform so this fits.
    enabled: true
