A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
---
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: webapp-tls-cert
  namespace: default
  labels:
    app: webapp
    type: tls-certificate
  annotations:
    hsm.j5t.io/description: "TLS certificate and key for webapp.example.com"
spec:
  # No explicit HSM path: per the operator it is taken from metadata.name
  # (webapp-tls-cert).
  #
  # parentRef selects the operator instance that reconciles this HSMSecret.
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system

  # Name of the Secret the operator creates (optional; defaults to
  # metadata.name). The Ingress in this file references it by this name.
  secretName: webapp-tls

  # Keep the Secret in sync with the HSM without manual intervention.
  autoSync: true

  # Re-check the HSM for certificate updates on this interval.
  # NOTE(review): 3600 is read here as seconds (one hour); confirm the unit
  # against the HSMSecret CRD schema.
  syncInterval: 3600

  # Create a kubernetes.io/tls Secret. That Secret type expects tls.crt and
  # tls.key entries, so the HSM data at this path must supply both — verify
  # how the operator maps HSM entries to Secret keys.
  # NOTE(review): the key material leaves the HSM and lands in a regular
  # Secret in etcd; etcd encryption at rest and RBAC on this Secret decide
  # who can read it.
  secretType: kubernetes.io/tls

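---
# Example Ingress terminating TLS with the HSM-backed Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: default
  annotations:
    # Deliberately no cert-manager.io/cluster-issuer annotation: cert-manager's
    # ingress-shim would create a Certificate for webapp.example.com that
    # writes to the same secretName (webapp-tls) and overwrite the HSM-synced
    # certificate and key on every issuance/renewal. The HSMSecret is the
    # single writer of that Secret.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - webapp.example.com
      # Secret created by the HSMSecret (spec.secretName: webapp-tls)
      secretName: webapp-tls
  rules:
    - host: webapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp-service
                port:
                  number: 80
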
---
# ClusterIP Service in front of the webapp Pods; the Ingress backend in this
# file targets it on port 80.
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: default
spec:
  # NOTE(review): selects Pods labelled app=webapp; the workload carrying that
  # label (Deployment etc.) is not part of this example.
  selector:
    app: webapp
  ports:
    - name: http
      port: 80
      targetPort: 8080
  type: ClusterIP