A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
fixes

+8 -7
Dockerfile
··· 1 - # Stage 1: Go builder (also serves as dependency source) 1 + # Stage 1: Go builder 2 2 FROM golang:1.24-trixie AS builder 3 3 ARG TARGETOS 4 4 ARG TARGETARCH 5 5 6 - # Install both runtime and development packages in single stage 6 + # Install runtime and build dependencies 7 7 RUN apt-get update && apt-get install -y \ 8 8 opensc \ 9 9 pcscd \ ··· 42 42 # Build test utility for manual testing/debugging 43 43 RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -ldflags="-s -w" -o test cmd/test/main.go 44 44 45 - # No runtime dependency discovery needed - debian:trixie-slim has all required libs 46 - 47 45 # Stage 2: Debian Trixie Slim (minimal but functional for USB hardware interaction) 48 46 # Provides proper runtime environment for libudev USB device enumeration 49 - # Slightly larger than distroless (~140MB vs ~20MB) but required for CCID/USB reliability 50 47 FROM debian:trixie-slim 51 48 52 49 # Install only the essential runtime packages (minimal attack surface) 53 - # debian:trixie-slim already has libc, but we need USB/smartcard libraries 54 50 RUN apt-get update && apt-get install -y --no-install-recommends \ 55 51 opensc \ 56 52 pcscd \ ··· 64 60 COPY --from=builder /tmp/passwd /etc/passwd 65 61 COPY --from=builder /tmp/group /etc/group 66 62 63 + # Create runtime directories for pcscd with proper permissions 64 + # Agent mode requires root for USB device access (standard for HSM/smartcard ops) 65 + RUN mkdir -p /run/pcscd /var/lock/pcsc && \ 66 + chmod 755 /run/pcscd /var/lock/pcsc 67 + 67 68 # Copy application binary (manages pcscd lifecycle internally - no shell needed) 68 69 COPY --from=builder /workspace/hsm-operator /hsm-operator 69 70 ··· 75 76 USER 65532:65532 76 77 77 78 # Direct binary execution - pcscd lifecycle managed by Go code in agent mode 78 - ENTRYPOINT ["/hsm-operator"] 79 + ENTRYPOINT ["/hsm-operator"]
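Review bot: in the hunk that adds `RUN mkdir -p /run/pcscd /var/lock/pcsc && chmod 755 /run/pcscd /var/lock/pcsc`, the directories are created root-owned with mode 755 while the image still switches to `USER 65532:65532` a few lines later; unless the agent pod overrides runAsUser to 0 (as the new comment "Agent mode requires root for USB device access" implies), the non-root process cannot create the pcscd socket or lock files in those paths and the "pcscd lifecycle managed by Go code" will fail at startup. Either `chown 65532:65532` the directories in the same RUN step (if pcscd can run unprivileged here) or state explicitly in the comment that the agent DaemonSet must set a root securityContext, so the USER line is not read as the effective runtime identity.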
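Review bot: the hunk around lines 45-53 drops the comments explaining why `debian:trixie-slim` was chosen over distroless ("~140MB vs ~20MB but required for CCID/USB reliability") and that the extra packages are for USB/smartcard support rather than libc. The surviving comment only says "minimal but functional for USB hardware interaction", which no longer records the size trade-off; consider keeping a one-line note of that rationale so a later cleanup does not swap the base image back to distroless and break USB enumeration.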