A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: database-credentials
  namespace: default
  labels:
    app: myapp
    type: database
    environment: production
  annotations:
    hsm.j5t.io/description: "PostgreSQL database credentials for production"
spec:
  # No explicit HSM path: the operator derives it from metadata.name
  # ("database-credentials").
  #
  # NOTE(review): the Secret keys consumed by the Deployment in this file
  # (database_name, username, password, database_url) are not declared here;
  # presumably they are the fields of the HSM-stored object — confirm against
  # the operator's documentation.

  # Which operator instance owns this resource. Only that instance should
  # reconcile it; a stale or mistyped reference would leave the Secret unmanaged.
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system

  # Keep the Kubernetes Secret in step with the HSM copy.
  autoSync: true

  # Poll period in seconds (300 s = 5 min). The HSM remains the source of
  # truth, but the materialised Secret is a plain Kubernetes Secret: anyone
  # with `get secrets` in this namespace can read it, so scope RBAC accordingly
  # and consider encryption at rest for etcd.
  syncInterval: 300

---
# Companion Deployment showing a workload wired to the HSM-backed Secret.
#
# NOTE(review): injecting the values as environment variables is the simplest
# wiring, but env vars are inherited by every child process and can surface in
# crash dumps or verbose logging; a Secret volume mount is the alternative when
# that matters. Kubernetes also does not refresh env vars of running containers,
# so a value re-synced from the HSM reaches pods only after a new rollout.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-database
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp-database
  template:
    metadata:
      labels:
        app: myapp-database
    spec:
      containers:
        - name: app
          # Mutable tag; pinning to a digest (image@sha256:<digest>) gives a
          # reproducible, auditable deploy.
          image: postgres:13
          env:
            # "database-credentials" is assumed to be the Secret created by the
            # HSMSecret of the same name — confirm with the operator's docs.
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: database_name
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: password
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: database_url
          ports:
            - containerPort: 5432
              name: postgres
70 name: postgres