A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
# HSMSecret Cross-Namespace Support

This directory contains sample HSMSecret manifests demonstrating cross-namespace functionality.

## ParentRef-Based Operator Association

When multiple HSM operator instances are deployed in a cluster, HSMSecrets use `parentRef` to specify which operator should handle them:

```yaml
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: my-secret
  namespace: production
spec:
  parentRef:
    name: controller-manager
    namespace: hsm-operator-system
  # ... rest of spec
```

## Behavior

- **With parentRef**: Only the operator with matching name and namespace will handle the HSMSecret
- **Without parentRef**: HSMSecret is ignored by all operators (explicit association required)

## Architecture

- **HSMSecrets**: Can be created in any namespace
- **Kubernetes Secrets**: Created in the same namespace as their HSMSecret
- **Operator Infrastructure**: HSMDevices, HSMPools, agents remain in the operator's namespace
- **RBAC**: ClusterRole provides cluster-wide permissions

## Helm Integration

When deploying via Helm, the `parentRef` is automatically added to HSMSecrets:

```yaml
# In Helm values.yaml
hsmsecret:
  enabled: true
  secrets:
    - name: "database-credentials"
      namespace: "production"
      secretName: "db-secrets"
      syncInterval: 300
      autoSync: true
    - name: "api-keys"
      namespace: "development"
      secretName: "third-party-keys"
      syncInterval: 60
```

This creates HSMSecrets with automatically generated `parentRef`:

```yaml
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  parentRef:
    name: my-release-hsm-secrets-operator-controller-manager
    namespace: my-operator-namespace
  secretName: db-secrets
  syncInterval: 300
  autoSync: true
```

**Benefits**:
- No manual parentRef configuration needed
- Automatic association with the deploying Helm release
- Multi-tenant support for multiple operator deployments
- Cross-namespace secret management with explicit operator ownership
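The association rule in the Behavior section is easy to get subtly wrong (matching on name alone, or treating a missing `parentRef` as "handle it"). The following is an added example, not code from this operator or its repository, that implements the rule as stated above in plain Go so it can be checked against sample manifests. The struct types, the `ShouldReconcile` and `Partition` helpers and the sample data are all constructed for this illustration; the real CRD types and controller-runtime wiring are not modelled.

```go
package main

import "fmt"

// ParentRef mirrors the spec.parentRef block shown in the manifests above.
type ParentRef struct {
	Name      string
	Namespace string
}

// HSMSecret is a minimal stand-in for the CRD (assumption: only the fields
// relevant to operator association are modelled).
type HSMSecret struct {
	Name      string
	Namespace string
	ParentRef *ParentRef // nil when spec.parentRef is omitted
}

// OperatorIdentity is the (name, namespace) pair an operator instance
// compares against spec.parentRef. Hypothetical helper type.
type OperatorIdentity struct {
	Name      string
	Namespace string
}

// ShouldReconcile implements the rule from the Behavior section:
// handle the HSMSecret only when parentRef is present AND both name and
// namespace match; an HSMSecret without parentRef is ignored by everyone.
func ShouldReconcile(op OperatorIdentity, s HSMSecret) bool {
	if s.ParentRef == nil {
		return false
	}
	return s.ParentRef.Name == op.Name && s.ParentRef.Namespace == op.Namespace
}

// Partition returns, per operator, the "namespace/name" keys of the
// HSMSecrets it would reconcile, plus the keys no operator claims
// (these silently never sync, which is what a cluster admin wants to spot).
func Partition(ops []OperatorIdentity, secrets []HSMSecret) (map[OperatorIdentity][]string, []string) {
	claimed := make(map[OperatorIdentity][]string)
	var orphaned []string
	for _, s := range secrets {
		key := s.Namespace + "/" + s.Name
		owned := false
		for _, op := range ops {
			if ShouldReconcile(op, s) {
				claimed[op] = append(claimed[op], key)
				owned = true
			}
		}
		if !owned {
			orphaned = append(orphaned, key)
		}
	}
	return claimed, orphaned
}

func main() {
	// Constructed sample data: two operator instances (the names from the
	// manifests above) and four HSMSecrets across namespaces.
	ops := []OperatorIdentity{
		{Name: "controller-manager", Namespace: "hsm-operator-system"},
		{Name: "my-release-hsm-secrets-operator-controller-manager", Namespace: "my-operator-namespace"},
	}
	secrets := []HSMSecret{
		{Name: "my-secret", Namespace: "production",
			ParentRef: &ParentRef{Name: "controller-manager", Namespace: "hsm-operator-system"}},
		{Name: "database-credentials", Namespace: "production",
			ParentRef: &ParentRef{Name: "my-release-hsm-secrets-operator-controller-manager", Namespace: "my-operator-namespace"}},
		// Right name, wrong namespace: claimed by nobody.
		{Name: "api-keys", Namespace: "development",
			ParentRef: &ParentRef{Name: "controller-manager", Namespace: "default"}},
		// No parentRef at all: ignored by all operators.
		{Name: "legacy", Namespace: "staging"},
	}
	claimed, orphaned := Partition(ops, secrets)
	for op, keys := range claimed {
		fmt.Printf("%s/%s handles %v\n", op.Namespace, op.Name, keys)
	}
	fmt.Printf("unclaimed (will never sync): %v\n", orphaned)
}
```

Running `Partition` over the manifests in a directory like this one before applying them is a cheap way to catch HSMSecrets that will never be reconciled, since the operator itself gives no error for an unmatched or missing `parentRef`.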