Helm Chart

The official Helm chart for installing Tetrapus on Kubernetes bundles the control plane, gateway, operator, the three CRDs, RBAC, and an optional SIEM forwarder sidecar. TLS material and Postgres are referenced via Secret refs — the chart never ships keys or stands up its own database.

Install

Bash
helm repo add tetrapus https://charts.tetrapus.io
helm repo update

helm install tetrapus tetrapus/tetrapus \
    --namespace tetrapus-system \
    --create-namespace \
    --version 1.0.0 \
    --values my-values.yaml

What gets installed

Mermaid
graph TD
  HELM["helm install"] --> CRDS["Org / TenantPlane /<br/>KeyMaterial CRDs"]
  HELM --> RBAC["ClusterRole +<br/>ServiceAccount"]
  HELM --> CP["Control Plane<br/>Deployment + Service"]
  HELM --> GW["Gateway<br/>Deployment + Service"]
  HELM --> OP["Operator<br/>Deployment"]
  HELM --> SECRET["Bootstrap Secret<br/>(JWT key + admin email)"]
  HELM -.->|ingress.enabled| ING["Ingress"]
  HELM -.->|siem.enabled| SIEM["SIEM Sidecar"]
  OP -->|reconciles| ORG["Org CR<br/>(per-tenant)"]
  ORG --> POD["Per-Org<br/>Deployment + Service + PVC"]

values.yaml reference

YAML
# Global image overrides applied to every component.
global:
  image:
    repository: tetrapus/server
    tag: "1.0.0"
    pullPolicy: IfNotPresent
  imagePullSecrets: []

# Control plane (single-instance today; HA-ready on the roadmap).
control_plane:
  enabled: true
  replicas: 1
  image: { repository: tetrapus/control, tag: "1.0.0" }
  service: { type: ClusterIP, port: 9100 }
  resources:
    requests: { cpu: "200m", memory: "256Mi" }
    limits:   { cpu: "1",    memory: "1Gi"   }

# Multi-region front-door.
gateway:
  enabled: true
  replicas: 2
  image: { repository: tetrapus/gateway, tag: "1.0.0" }
  service: { type: ClusterIP, port: 9200 }
  resources:
    requests: { cpu: "200m", memory: "256Mi" }
    limits:   { cpu: "2",    memory: "1Gi"   }

# Kubernetes operator: provisions per-Org pods.
operator:
  enabled: true
  image: { repository: tetrapus/operator, tag: "1.0.0" }
  resources:
    requests: { cpu: "100m", memory: "128Mi" }
    limits:   { cpu: "500m", memory: "512Mi" }
  watchNamespace: ""           # empty = cluster-wide
  defaults:
    storageClass: "standard"
    dataPlaneImage: "tetrapus/server:1.0.0"
    adminEmail: "admin@tetrapus.local"

# Postgres for the control plane. Either point at an external DB...
postgres:
  externalUrl: ""
  secretRef: { name: "", key: "url" }

# TLS material (Secret references). Chart never ships private keys.
tls:
  certSecretRef:
    name: "tetrapus-tls"
    certKey: "tls.crt"
    keyKey:  "tls.key"

# Ingress for the gateway.
ingress:
  enabled: false
  className: nginx
  host: api.tetrapus.example.com
  annotations: {}

# SIEM forwarder sidecar — emits the audit log to a SOC.
siem:
  enabled: false
  kind: syslog       # syslog | splunk | otlp
  endpoint: ""
  splunkToken: ""
  otlpHeaders: {}

# Bootstrap admin credentials baked into the control-plane secret.
bootstrap:
  adminEmail: "admin@tetrapus.local"
  jwtSigningKeySecretRef:
    name: "tetrapus-jwt"
    key:  "jwt.pem"

# Optional CMEK / customer-managed key reference (validated by operator).
cmek:
  enabled: false
  kmsUri: ""        # aws-kms: | gcp-kms: | azure-kv: | vault:

Toggles cheat sheet

Toggle           | Default | Effect
siem.enabled     | false   | Adds an audit-forwarder sidecar (syslog / Splunk HEC / OTLP).
ingress.enabled  | false   | Creates an Ingress in front of the gateway. Bring your own controller.
operator.enabled | true    | Disable to run the chart in "control-plane only" mode.
cmek.enabled     | false   | Routes JWT signing through a customer-managed KMS URI.

Common patches

Production HA

YAML
control_plane: { replicas: 3 }
gateway:       { replicas: 4 }
postgres:
  externalUrl: "postgres://tetrapus:****@pg.prod:5432/tetrapus_control"
  secretRef:   { name: "tetrapus-pg", key: "url" }
ingress:       { enabled: true, host: api.tetrapus.example.com }
siem:          { enabled: true, kind: splunk, endpoint: "https://siem:8088" }

Dev single-node

YAML
control_plane: { replicas: 1 }
gateway:       { replicas: 1 }
operator:      { watchNamespace: "tetrapus-dev" }
postgres:      { externalUrl: "postgres://postgres@postgres.dev:5432/tetrapus_control" }
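As an added check that is not part of the chart or the Tetrapus project, the small Python linter below reads a values dict and flags the settings from the reference above that weaken a deployment: a password embedded in postgres.externalUrl rather than supplied via postgres.secretRef, empty TLS or JWT Secret refs, an operator left cluster-wide, and a SIEM sidecar that is off or misconfigured. The PROD_HA sample (the Production HA patch merged with the default Secret refs) and its password are constructed; load a real file with yaml.safe_load and pass the result to lint_values.

```python
import re

KMS_SCHEMES = ("aws-kms:", "gcp-kms:", "azure-kv:", "vault:")
INLINE_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@]+:[^/@]+@", re.I)  # scheme://user:pass@host

def get(v, path, default=None):
    """Walk a dotted path through nested dicts, e.g. 'postgres.secretRef.name'."""
    for key in path.split("."):
        if not isinstance(v, dict) or key not in v:
            return default
        v = v[key]
    return v

def lint_values(v):
    """Return a list of findings for a values dict; an empty list means nothing was flagged."""
    f = []
    url = get(v, "postgres.externalUrl", "") or ""
    if INLINE_CREDS.match(url):
        f.append("postgres.externalUrl embeds a password; move it into postgres.secretRef")
    if not url and not get(v, "postgres.secretRef.name"):
        f.append("postgres: neither externalUrl nor secretRef.name is set")
    if not get(v, "tls.certSecretRef.name"):
        f.append("tls.certSecretRef.name is empty: gateway has no TLS material")
    if not get(v, "bootstrap.jwtSigningKeySecretRef.name"):
        f.append("bootstrap.jwtSigningKeySecretRef.name is empty: no JWT signing key")
    if get(v, "operator.watchNamespace", "") == "":  # empty = cluster-wide (chart default)
        f.append("operator.watchNamespace is empty: operator has cluster-wide scope")
    if not get(v, "siem.enabled"):
        f.append("siem.enabled is false: audit log is not forwarded to a SOC")
    else:
        kind = get(v, "siem.kind")
        if not get(v, "siem.endpoint"):
            f.append("siem.enabled is true but siem.endpoint is empty")
        if kind == "splunk" and not get(v, "siem.splunkToken"):
            f.append("siem.kind is splunk but siem.splunkToken is empty")
    if get(v, "cmek.enabled") and not str(get(v, "cmek.kmsUri", "")).startswith(KMS_SCHEMES):
        f.append("cmek.enabled is true but cmek.kmsUri has no aws-kms:/gcp-kms:/azure-kv:/vault: scheme")
    return f

# Constructed sample: the Production HA patch plus the default TLS/JWT Secret refs; password is made up.
PROD_HA = {
    "control_plane": {"replicas": 3}, "gateway": {"replicas": 4},
    "postgres": {"externalUrl": "postgres://tetrapus:example-password@pg.prod:5432/tetrapus_control",
                 "secretRef": {"name": "tetrapus-pg", "key": "url"}},
    "tls": {"certSecretRef": {"name": "tetrapus-tls"}},
    "bootstrap": {"jwtSigningKeySecretRef": {"name": "tetrapus-jwt"}},
    "siem": {"enabled": True, "kind": "splunk", "endpoint": "https://siem:8088", "splunkToken": ""},
}
```

Running lint_values(PROD_HA) reports the inline database password, the cluster-wide operator, and the missing Splunk token; fix those three and the sample passes cleanly.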

Questions?

Reach out for help with integration, deployment, or custom domain codecs.