Complete reference for configuring the gateway and coordinator. All values are set via Helm chart values, which generate Kubernetes ConfigMaps with the corresponding environment variables.

Gateway (Aegis Shield)

Core settings

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_LISTEN_ADDR | server.port | 0.0.0.0:8080 | Address and port the gateway listens on |
| TAKUMO_SHUTDOWN_TIMEOUT | server.shutdownTimeout | 30 | Graceful shutdown timeout in seconds |
| TAKUMO_AUTH_MODE | auth.mode | jwt | Authentication mode (jwt or none) |
| TAKUMO_AUTH_ISSUER | auth.issuer | https://cloud.takumo.io | Expected JWT issuer |
| TAKUMO_AUTH_AUDIENCE | auth.audience | aegis-gateway | Expected JWT audience |
| TAKUMO_AUTH_PUBLIC_KEY_PATH | secrets.jwt.key | - | Path to JWT public key (mounted at /etc/takumo/keys/) |
| TAKUMO_FAIL_MODE | aegis.failMode | fail_closed | Behavior when the coordinator is unreachable: fail_closed rejects requests, fail_open passes them through |
| TAKUMO_MAX_VAULT_ENTRIES | aegis.maxVaultEntries | 10000 | Maximum secrets held in the in-memory vault |
| TAKUMO_MAX_CONCURRENT_SESSIONS | aegis.maxConcurrentSessions | 5000 | Maximum concurrent active sessions |

Cloud and coordinator

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_CLOUD_ENABLED | cloud.enabled | true | Enable cloud connector (set false for air-gapped) |
| TAKUMO_CLOUD_URL | cloud.url | https://cloud.takumo.io | Cloud dashboard URL |
| TAKUMO_CONNECTOR_ENABLED | connector.grpcUrl | - | Auto-set to true when connector.grpcUrl is provided |
| TAKUMO_COORDINATOR_URL | connector.grpcUrl | - | Coordinator gRPC URL (e.g., gateway-coordinator.takumo.svc:9090) |
| TAKUMO_AUTH_EXCHANGE_ENABLED | connector.exchangeEnabled | false | Enable API key exchange via coordinator |
| TAKUMO_AUTH_EXCHANGE_URL | connector.exchangeUrl | - | Coordinator HTTP URL for token exchange |
| TAKUMO_JWKS_ENDPOINT | connector.jwksEndpoint | - | JWKS endpoint for key rotation |
| TAKUMO_JWKS_REFRESH_INTERVAL | connector.jwksRefreshInterval | 300 | JWKS refresh interval in seconds |

Rate limiting

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_RATE_LIMIT_ENABLED | rateLimit.enabled | true | Enable rate limiting |
| TAKUMO_RATE_LIMIT_ORG_RPM | rateLimit.orgRpm | 1000 | Organization-level requests per minute |
| TAKUMO_RATE_LIMIT_USER_RPM | rateLimit.userRpm | 60 | User-level requests per minute |
| TAKUMO_RATE_LIMIT_POD_ESTIMATE | rateLimit.fallbackPodEstimate | 5 | Assumed pod count when no shared state is available |

Logging

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_LOG_FORMAT | log.format | json | Log format (json or pretty) |
| RUST_LOG | log.level | info,takumo=debug | Rust log level directive |

Coordinator

Server

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_HTTP_PORT | server.httpPort | 8080 | HTTP API port |
| TAKUMO_GRPC_PORT | server.grpcPort | 9090 | gRPC port for gateway connections |
| TAKUMO_SHUTDOWN_TIMEOUT | server.shutdownTimeout | 30 | Graceful shutdown timeout in seconds |

Authentication

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_JWT_ISSUER | auth.issuer | https://cloud.takumo.io | JWT issuer claim |
| TAKUMO_JWT_AUDIENCE | auth.audience | aegis-shield | JWT audience claim |
| TAKUMO_JWT_TTL_SECS | auth.jwtTtlSecs | 300 | JWT token time-to-live in seconds |

Coordinator behavior

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| TAKUMO_POLICY_DEBOUNCE_MS | coordinator.policyDebouncMs | 500 | Debounce time in ms before pushing policy updates to gateways |
| TAKUMO_HEALTH_STALE_SECS | coordinator.healthStaleSecs | 120 | Seconds before a gateway is marked stale |
| TAKUMO_TELEMETRY_BATCH_SIZE | coordinator.telemetryBatchSize | 500 | Audit events per database write batch |
| TAKUMO_TELEMETRY_FLUSH_INTERVAL_MS | coordinator.telemetryFlushIntervalMs | 5000 | Maximum time between telemetry flushes in ms |
| TAKUMO_MAX_CONNECTIONS_PER_ORG | coordinator.maxConnectionsPerOrg | 100 | Maximum gateway connections per organization |

Secrets management

The Helm charts support three secrets providers, controlled by secrets.provider:

Sealed Secrets (secrets.provider: sealed)

Uses Bitnami Sealed Secrets for encrypting secrets in Git. Set encryptedData fields in your values file with the output of kubeseal.
secrets:
  provider: sealed
  database:
    enabled: true
    secretName: coordinator-database
    encryptedData: "AgBy3i4OJSWK+PiTySYZZA9rO..."
This is the default for SaaS and staging environments.

External Secrets (secrets.provider: external)

Uses the External Secrets Operator for pulling secrets from Vault, AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault.
secrets:
  provider: external
You manage the ExternalSecret resources separately.

Manual (secrets.provider: manual)

You create Kubernetes secrets directly. This is the default for on-prem deployments.
secrets:
  provider: manual
  database:
    enabled: true
    secretName: coordinator-database
    key: database-url
    directKey: database-url-direct
Create the secrets with kubectl create secret before installing the Helm chart.

Autoscaling

Both charts include HPA configuration with identical defaults:
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 25
          periodSeconds: 60
    scaleUp:
      stabilizationWindowSeconds: 30
      policies:
        - type: Percent
          value: 100
          periodSeconds: 30
        - type: Pods
          value: 4
          periodSeconds: 60
Scale-down is conservative (25% per minute, after a 5-minute stabilization window). Scale-up is aggressive (100% per 30 seconds or 4 pods per minute, whichever allows more replicas, after a 30-second stabilization window).
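To see what those policies mean in pod counts, the following added example (not part of the charts) replays the HPA controller's rate-limit arithmetic for the behavior block above: each policy measures its change against the replica count at the start of its own period, Percent rounds up on scale-up and truncates on scale-down, and the default selectPolicy (Max) takes the policy that permits the largest change. The 15-second sync period and the omission of the stabilization window are this example's simplifications.

```python
import math

# Policies and bounds copied from the chart's autoscaling block above.
SCALE_UP = [{"type": "Percent", "value": 100, "periodSeconds": 30},
            {"type": "Pods", "value": 4, "periodSeconds": 60}]
SCALE_DOWN = [{"type": "Percent", "value": 25, "periodSeconds": 60}]
MIN_REPLICAS, MAX_REPLICAS, SYNC_SECONDS = 2, 10, 15  # 15 s is the HPA's default sync period

def replicas_changed_since(events, now, period):
    """Net replica change from scale events strictly newer than now - period (the HPA's cutoff rule)."""
    return sum(delta for t, delta in events if t > now - period)

def rate_limit(current, policies, scaling_up, events, now):
    """Replica count the policies allow at this sync; selectPolicy Max (the default) picks the largest change."""
    proposals = []
    for p in policies:
        # Each policy is measured against the replica count at the start of its own period.
        period_start = current - replicas_changed_since(events, now, p["periodSeconds"])
        if p["type"] == "Pods":
            proposals.append(period_start + p["value"] if scaling_up else period_start - p["value"])
        else:  # Percent: rounded up when scaling up, truncated when scaling down, as the controller does
            factor = 1 + p["value"] / 100 if scaling_up else 1 - p["value"] / 100
            proposals.append(math.ceil(period_start * factor) if scaling_up else int(period_start * factor))
    return max(proposals) if scaling_up else min(proposals)

def simulate(current, desired, horizon=900):
    """Return [(seconds, replicas)] transitions while the metrics keep recommending `desired`.
    The stabilization window is not modelled here: it only delays the first step (up to 300 s on scale-down)."""
    scaling_up = desired > current
    policies = SCALE_UP if scaling_up else SCALE_DOWN
    events, steps = [], []
    for now in range(0, horizon + 1, SYNC_SECONDS):
        limit = rate_limit(current, policies, scaling_up, events, now)
        if scaling_up:
            target = min(desired, max(limit, current), MAX_REPLICAS)
        else:
            target = max(desired, min(limit, current), MIN_REPLICAS)
        if target != current:
            events.append((now, target - current))
            steps.append((now, target))
            current = target
        if current == desired:
            break
    return steps

if __name__ == "__main__":
    print("2 -> 10:", simulate(2, 10))   # two steps, 30 s apart
    print("10 -> 2:", simulate(10, 2))   # four steps, 60 s apart
```

With these defaults a gateway pool goes from the 2-replica minimum to the 10-replica maximum in 30 seconds (2 to 6, then 6 to 10), while shrinking from 10 back to 2 takes four one-minute steps (7, 5, 3, 2) on top of the 5-minute stabilization delay.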

Resource defaults

Both services use the same resource requests and limits:
resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 500m
    memory: 512Mi

Pod security

Both charts enforce a restrictive security context by default:
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  fsGroup: 65534
  seccompProfile:
    type: RuntimeDefault

containerSecurityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
Containers run as nobody (UID 65534) with a read-only root filesystem and all Linux capabilities dropped.
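The settings on this page that matter most for exposure are spread over several tables (auth.mode and aegis.failMode in the gateway core settings, the connector exchange pair, the coordinator's auth.jwtTtlSecs, and the security contexts above). The following added example, which is not part of the charts, checks a set of effective values (for instance as dumped by helm get values --all -o json) against the hardened defaults this page lists; the JSON inputs are constructed with deliberately weakened settings, and the 3600-second JWT TTL threshold is this example's choice rather than a chart default.

```python
import json

# Constructed sample values, not the project's charts; several settings are
# deliberately weakened so the checks below have something to report.
GATEWAY_VALUES = json.loads("""{
  "auth": {"mode": "none", "issuer": "https://cloud.takumo.io", "audience": "aegis-gateway"},
  "aegis": {"failMode": "fail_open"},
  "connector": {"grpcUrl": "gateway-coordinator.takumo.svc:9090", "exchangeEnabled": true},
  "podSecurityContext": {"runAsNonRoot": true, "runAsUser": 65534},
  "containerSecurityContext": {"readOnlyRootFilesystem": false, "allowPrivilegeEscalation": false,
                               "capabilities": {"drop": ["ALL"]}}}""")
COORDINATOR_VALUES = json.loads("""{
  "auth": {"issuer": "https://cloud.takumo.io", "audience": "aegis-shield", "jwtTtlSecs": 86400},
  "podSecurityContext": {"runAsNonRoot": true, "runAsUser": 65534},
  "containerSecurityContext": {"readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false,
                               "capabilities": {"drop": ["NET_RAW"]}}}""")

def get_value(values, dotted, default=None):
    """Resolve a dotted Helm key such as aegis.failMode; a missing key yields default."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def check_values(gateway, coordinator, max_jwt_ttl=3600):
    """Return findings for settings weaker than the chart defaults on this page.
    Keys absent from the input are treated as left at their chart default."""
    findings = []
    if get_value(gateway, "auth.mode", "jwt") != "jwt":
        findings.append("gateway auth.mode is not jwt: requests are accepted without a verified token")
    if get_value(gateway, "aegis.failMode", "fail_closed") != "fail_closed":
        findings.append("gateway aegis.failMode is not fail_closed: traffic passes while the coordinator is unreachable")
    if get_value(gateway, "connector.exchangeEnabled", False) and not get_value(gateway, "connector.exchangeUrl"):
        findings.append("gateway connector.exchangeEnabled is true but connector.exchangeUrl is unset")
    if get_value(coordinator, "auth.jwtTtlSecs", 300) > max_jwt_ttl:  # threshold chosen for this example
        findings.append(f"coordinator auth.jwtTtlSecs is above {max_jwt_ttl}s (chart default is 300)")
    for name, values in (("gateway", gateway), ("coordinator", coordinator)):
        ctx = "containerSecurityContext."
        if get_value(values, "podSecurityContext.runAsNonRoot", True) is not True:
            findings.append(f"{name} podSecurityContext.runAsNonRoot is not true")
        if get_value(values, ctx + "readOnlyRootFilesystem", True) is not True:
            findings.append(f"{name} {ctx}readOnlyRootFilesystem is not true")
        if get_value(values, ctx + "allowPrivilegeEscalation", False) is not False:
            findings.append(f"{name} {ctx}allowPrivilegeEscalation is not false")
        if "ALL" not in (get_value(values, ctx + "capabilities.drop", ["ALL"]) or []):
            findings.append(f"{name} {ctx}capabilities.drop does not include ALL")
    return findings
```

Running check_values(GATEWAY_VALUES, COORDINATOR_VALUES) on the constructed input reports six findings; an empty override set, which leaves every key at its chart default, reports none.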