A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
add helm chart

+2578 -2
+28
.cr.yaml
··· 1 + # Configuration for chart-releaser-action 2 + # See: https://github.com/helm/chart-releaser 3 + 4 + owner: evanjarrett 5 + git-repo: hsm-secrets-operator 6 + charts-dir: helm 7 + target-branch: main 8 + pages-branch: gh-pages 9 + pages-index-path: . 10 + release-name-template: "{{ .Name }}-{{ .Version }}" 11 + commit-username: "$GITHUB_ACTOR" 12 + commit-email: "$GITHUB_ACTOR@users.noreply.github.com" 13 + 14 + # Package configuration 15 + package-path: .cr-release-packages 16 + index-path: . 17 + pages-url: https://evanjarrett.github.io/hsm-secrets-operator/ 18 + 19 + # GitHub release configuration 20 + generate-release-notes: true 21 + make-release-latest: true 22 + 23 + # Skip existing releases 24 + skip-existing: true 25 + 26 + # Charts to exclude from release (if any) 27 + # exclude-charts: 28 + # - example-chart
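Review bot: `commit-username: "$GITHUB_ACTOR"` and `commit-email: "$GITHUB_ACTOR@users.noreply.github.com"` are read by chart-releaser from this YAML file, not through a shell, so the `$GITHUB_ACTOR` reference is unlikely to be expanded and may land as a literal string in the gh-pages commits; the workflow's "Configure Git" step already sets the git identity, so these two keys can be dropped. `owner: evanjarrett` and `git-repo: hsm-secrets-operator` are likewise hardcoded, which every fork will have to edit; the action can derive both from the repository context.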
+43
.github/workflows/chart-release.yml
··· 1 + name: Release Helm Charts 2 + 3 + on: 4 + push: 5 + branches: 6 + - main 7 + paths: 8 + - 'helm/**' 9 + 10 + permissions: 11 + contents: read 12 + pages: write 13 + id-token: write 14 + 15 + jobs: 16 + release: 17 + permissions: 18 + contents: write 19 + runs-on: ubuntu-latest 20 + steps: 21 + - name: Checkout 22 + uses: actions/checkout@v4 23 + with: 24 + fetch-depth: 0 25 + 26 + - name: Configure Git 27 + run: | 28 + git config user.name "$GITHUB_ACTOR" 29 + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 30 + 31 + - name: Install Helm 32 + uses: azure/setup-helm@v4 33 + with: 34 + version: '3.14.0' 35 + 36 + - name: Run chart-releaser 37 + uses: helm/chart-releaser-action@v1.6.0 38 + with: 39 + charts_dir: helm 40 + config: .cr.yaml 41 + env: 42 + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 43 +
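Review bot: the job-level `permissions: contents: write` replaces the workflow-level block, so the `pages: write` and `id-token: write` declared at the top are never granted to the `release` job and `contents: read` is overridden. Since chart-releaser commits to `gh-pages` and creates releases through `CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"`, `contents: write` is the only permission it needs; remove the unused `pages`/`id-token` grants so the token stays at least privilege. Because this token can write to the repository, pin `helm/chart-releaser-action@v1.6.0` and `azure/setup-helm@v4` to full commit SHAs rather than mutable tags.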
+36 -2
.github/workflows/lint.yml
··· 5 5 pull_request: 6 6 7 7 jobs: 8 - lint: 9 - name: Run on Ubuntu 8 + golint: 9 + name: Go Lint 10 10 runs-on: ubuntu-latest 11 11 steps: 12 12 - name: Clone the code ··· 21 21 uses: golangci/golangci-lint-action@v8 22 22 with: 23 23 version: v2.4.0 24 + 25 + helm-lint: 26 + name: Helm Lint 27 + runs-on: ubuntu-latest 28 + steps: 29 + - name: Checkout 30 + uses: actions/checkout@v4 31 + 32 + - name: Set up Helm 33 + uses: azure/setup-helm@v4 34 + with: 35 + version: '3.14.0' 36 + 37 + - name: Lint Helm chart 38 + run: | 39 + helm lint helm/hsm-secrets-operator 40 + 41 + - name: Template Helm chart 42 + run: | 43 + helm template test helm/hsm-secrets-operator > /tmp/rendered.yaml 44 + 45 + - name: Validate rendered templates 46 + run: | 47 + # Basic YAML validation for multiple documents 48 + python -c " 49 + import yaml 50 + with open('/tmp/rendered.yaml', 'r') as f: 51 + docs = yaml.safe_load_all(f) 52 + count = 0 53 + for doc in docs: 54 + if doc is not None: 55 + count += 1 56 + print(f'YAML validation passed - {count} documents found') 57 + "
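Review bot: renaming the job from `lint` / `Run on Ubuntu` to `golint` / `Go Lint` changes the status-check name, so any branch-protection rule that requires `Run on Ubuntu` must be updated or PRs will wait on a check that never reports. In the `helm-lint` job, `helm template test helm/hsm-secrets-operator` renders only default values (the `mock` client, ServiceMonitor and examples off), so the `pkcs11`, `metrics.serviceMonitor.enabled=true` and `examples.*.enabled=true` template branches are never exercised; add a second render with those `--set` flags. The `python -c` step only checks that `/tmp/rendered.yaml` parses as YAML and counts documents; it does not validate the manifests against Kubernetes schemas, so running a schema validator such as kubeconform on the same file would catch more.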
+158
helm/hsm-secrets-operator/.helm-docs/README.md.gotmpl
··· 1 + {{ template "chart.header" . }} 2 + {{ template "chart.description" . }} 3 + 4 + {{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} 5 + 6 + {{ template "chart.homepageLine" . }} 7 + 8 + {{ template "chart.maintainersSection" . }} 9 + 10 + {{ template "chart.sourcesSection" . }} 11 + 12 + {{ template "chart.requirementsSection" . }} 13 + 14 + ## Prerequisites 15 + 16 + - Kubernetes 1.20+ 17 + - Helm 3.0+ 18 + - (Optional) Prometheus Operator for metrics collection 19 + 20 + ## Installing the Chart 21 + 22 + To install the chart with the release name `{{ template "chart.name" . }}`: 23 + 24 + ```bash 25 + helm repo add hsm-secrets-operator https://evanjarrett.github.io/hsm-secrets-operator/ 26 + helm repo update 27 + helm install {{ template "chart.name" . }} hsm-secrets-operator/{{ template "chart.name" . }} 28 + ``` 29 + 30 + ## Uninstalling the Chart 31 + 32 + To uninstall/delete the `{{ template "chart.name" . }}` deployment: 33 + 34 + ```bash 35 + helm uninstall {{ template "chart.name" . }} 36 + ``` 37 + 38 + ## Configuration 39 + 40 + {{ template "chart.valuesSection" . }} 41 + 42 + ## Usage Examples 43 + 44 + ### Basic Installation 45 + 46 + ```bash 47 + # Install with default settings (mock HSM for testing) 48 + helm install {{ template "chart.name" . }} hsm-secrets-operator/{{ template "chart.name" . }} 49 + ``` 50 + 51 + ### Production Installation with PKCS#11 52 + 53 + ```bash 54 + # Create HSM PIN secret first 55 + kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin 56 + 57 + # Install with PKCS#11 configuration 58 + helm install {{ template "chart.name" . }} hsm-secrets-operator/{{ template "chart.name" . 
}} \ 59 + --set hsm.clientType=pkcs11 \ 60 + --set hsm.pkcs11.library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \ 61 + --set hsm.pkcs11.slotId=0 62 + ``` 63 + 64 + ### Installation with Examples 65 + 66 + ```bash 67 + # Install with example resources 68 + helm install {{ template "chart.name" . }} hsm-secrets-operator/{{ template "chart.name" . }} \ 69 + --set examples.hsmsecret.enabled=true \ 70 + --set examples.hsmdevice.enabled=true 71 + ``` 72 + 73 + ### Installation with Prometheus Monitoring 74 + 75 + ```bash 76 + # Install with ServiceMonitor for Prometheus 77 + helm install {{ template "chart.name" . }} hsm-secrets-operator/{{ template "chart.name" . }} \ 78 + --set metrics.serviceMonitor.enabled=true \ 79 + --set metrics.serviceMonitor.namespace=monitoring 80 + ``` 81 + 82 + ## Custom Resources 83 + 84 + After installation, you can create HSM secrets using the custom resources: 85 + 86 + ### HSMSecret Example 87 + 88 + ```yaml 89 + apiVersion: hsm.j5t.io/v1alpha1 90 + kind: HSMSecret 91 + metadata: 92 + name: database-credentials 93 + namespace: production 94 + spec: 95 + hsmPath: "secrets/production/database-credentials" 96 + secretName: "database-credentials" 97 + autoSync: true 98 + syncInterval: 300 99 + secretType: Opaque 100 + ``` 101 + 102 + ### HSMDevice Example 103 + 104 + ```yaml 105 + apiVersion: hsm.j5t.io/v1alpha1 106 + kind: HSMDevice 107 + metadata: 108 + name: pico-hsm-discovery 109 + namespace: {{ template "chart.name" . }}-system 110 + spec: 111 + deviceType: "pico-hsm" 112 + discovery: 113 + usb: 114 + enabled: true 115 + vendorId: "1234" 116 + productId: "5678" 117 + ``` 118 + 119 + ## Troubleshooting 120 + 121 + ### Check Operator Status 122 + 123 + ```bash 124 + kubectl get deployment {{ template "chart.name" . }}-controller-manager 125 + kubectl logs -f deployment/{{ template "chart.name" . 
}}-controller-manager 126 + ``` 127 + 128 + ### Check Custom Resources 129 + 130 + ```bash 131 + kubectl get hsmsecrets --all-namespaces 132 + kubectl get hsmdevices --all-namespaces 133 + kubectl describe hsmsecret <name> -n <namespace> 134 + ``` 135 + 136 + ### Check Device Discovery 137 + 138 + ```bash 139 + kubectl get daemonset {{ template "chart.name" . }}-discovery 140 + kubectl logs daemonset/{{ template "chart.name" . }}-discovery 141 + ``` 142 + 143 + ## Development 144 + 145 + To modify and test the chart: 146 + 147 + ```bash 148 + # Lint the chart 149 + helm lint ./helm/{{ template "chart.name" . }} 150 + 151 + # Test template rendering 152 + helm template {{ template "chart.name" . }} ./helm/{{ template "chart.name" . }} 153 + 154 + # Install with dry-run 155 + helm install {{ template "chart.name" . }} ./helm/{{ template "chart.name" . }} --dry-run --debug 156 + ``` 157 + 158 + {{ template "helm-docs.versionFooter" . }}
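Review bot: in the "Production Installation with PKCS#11" example, `kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin` puts the HSM PIN on the command line, where it is recorded in shell history and visible in the process list; prefer `--from-file=pin=<path>` reading a file with restrictive permissions, or have the docs note the exposure. The HSMDevice example uses `vendorId: "1234"` / `productId: "5678"`, while the CRD's own field descriptions cite `"20a0"` / `"4230"` for Pico HSM; either use the documented values or mark these as placeholders so nobody copies them into a real HSMDevice.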
+22
helm/hsm-secrets-operator/Chart.yaml
··· 1 + apiVersion: v2 2 + name: hsm-secrets-operator 3 + description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets 4 + type: application 5 + version: 0.1.0 6 + appVersion: "latest" 7 + icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg 8 + home: https://github.com/evanjarrett/hsm-secrets-operator 9 + sources: 10 + - https://github.com/evanjarrett/hsm-secrets-operator 11 + maintainers: 12 + - name: Evan Jarrett 13 + keywords: 14 + - kubernetes 15 + - operator 16 + - hsm 17 + - secrets 18 + - security 19 + - pkcs11 20 + - pico-hsm 21 + annotations: 22 + category: Security
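Review bot: `appVersion: "latest"` is the image-tag fallback (the README documents `image.tag` as defaulting to the chart appVersion), so a default install pulls a mutable `latest` image; upgrades then silently change code without a chart version bump, and a rollback cannot restore a known build. Set `appVersion` to a released operator version and bump it together with `version` (ct.yaml enables `check-version-increment`, so chart changes already require a version bump). `description` also says "Pico HSM binary data storage" while the repository description says "Hardware Security Module (HSM)" and the chart supports a generic `pkcs11` client; align the two.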
+228
helm/hsm-secrets-operator/README.md
··· 1 + # HSM Secrets Operator Helm Chart 2 + 3 + A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets, providing true secret portability through hardware-based storage. 4 + 5 + ## Prerequisites 6 + 7 + - Kubernetes 1.20+ 8 + - Helm 3.0+ 9 + - (Optional) Prometheus Operator for metrics collection 10 + 11 + ## Installing the Chart 12 + 13 + To install the chart with the release name `hsm-secrets-operator`: 14 + 15 + ```bash 16 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator 17 + ``` 18 + 19 + ## Uninstalling the Chart 20 + 21 + To uninstall/delete the `hsm-secrets-operator` deployment: 22 + 23 + ```bash 24 + helm uninstall hsm-secrets-operator 25 + ``` 26 + 27 + The command removes all the Kubernetes components associated with the chart and deletes the release. 28 + 29 + ## Configuration 30 + 31 + The following table lists the configurable parameters of the HSM Secrets Operator chart and their default values. 32 + 33 + ### Image Configuration 34 + 35 + | Parameter | Description | Default | 36 + |-----------|-------------|---------| 37 + | `image.repository` | Operator image repository | `hsm-secrets-operator` | 38 + | `image.pullPolicy` | Image pull policy | `IfNotPresent` | 39 + | `image.tag` | Image tag (defaults to chart appVersion) | `""` | 40 + | `imagePullSecrets` | Image pull secrets | `[]` | 41 + 42 + ### Controller Configuration 43 + 44 + | Parameter | Description | Default | 45 + |-----------|-------------|---------| 46 + | `controllerManager.replicas` | Number of controller replicas | `1` | 47 + | `controllerManager.resources.limits.cpu` | CPU limit | `500m` | 48 + | `controllerManager.resources.limits.memory` | Memory limit | `128Mi` | 49 + | `controllerManager.resources.requests.cpu` | CPU request | `10m` | 50 + | `controllerManager.resources.requests.memory` | Memory request | `64Mi` | 51 + 52 + ### HSM Configuration 53 + 54 + | Parameter | Description | Default | 55 + 
|-----------|-------------|---------| 56 + | `hsm.clientType` | HSM client type (`mock` or `pkcs11`) | `mock` | 57 + | `hsm.pkcs11.library` | PKCS#11 library path | `/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` | 58 + | `hsm.pkcs11.slotId` | HSM slot ID | `0` | 59 + | `hsm.pkcs11.pinSecret.name` | Secret name containing HSM PIN | `hsm-pin` | 60 + | `hsm.pkcs11.pinSecret.key` | Secret key containing HSM PIN | `pin` | 61 + 62 + ### Discovery Configuration 63 + 64 + | Parameter | Description | Default | 65 + |-----------|-------------|---------| 66 + | `discovery.enabled` | Enable device discovery DaemonSet | `true` | 67 + | `discovery.usb.enabled` | Enable USB device discovery | `true` | 68 + | `discovery.usb.deviceTypes` | List of HSM device types to discover | `["pico-hsm", "smartcard-hsm"]` | 69 + | `discovery.path.enabled` | Enable path-based discovery | `true` | 70 + | `discovery.path.patterns` | Device path patterns to scan | `["/dev/ttyUSB*", "/dev/hidraw*"]` | 71 + 72 + ### API Configuration 73 + 74 + | Parameter | Description | Default | 75 + |-----------|-------------|---------| 76 + | `api.enabled` | Enable REST API server | `true` | 77 + | `api.port` | API server port | `8080` | 78 + 79 + ### Metrics Configuration 80 + 81 + | Parameter | Description | Default | 82 + |-----------|-------------|---------| 83 + | `metrics.enabled` | Enable metrics collection | `true` | 84 + | `metrics.serviceMonitor.enabled` | Create ServiceMonitor for Prometheus | `false` | 85 + | `metrics.serviceMonitor.namespace` | ServiceMonitor namespace | `""` | 86 + | `metrics.serviceMonitor.labels` | ServiceMonitor labels | `{}` | 87 + 88 + ### RBAC Configuration 89 + 90 + | Parameter | Description | Default | 91 + |-----------|-------------|---------| 92 + | `serviceAccount.create` | Create service account | `true` | 93 + | `serviceAccount.annotations` | Service account annotations | `{}` | 94 + | `serviceAccount.name` | Service account name | `""` | 95 + | `rbac.create` | Create 
RBAC resources | `true` | 96 + 97 + ### Examples Configuration 98 + 99 + | Parameter | Description | Default | 100 + |-----------|-------------|---------| 101 + | `examples.hsmsecret.enabled` | Create example HSMSecret resources | `false` | 102 + | `examples.hsmdevice.enabled` | Create example HSMDevice resources | `false` | 103 + 104 + ### Other Configuration 105 + 106 + | Parameter | Description | Default | 107 + |-----------|-------------|---------| 108 + | `crds.install` | Install CRDs | `true` | 109 + | `crds.keep` | Keep CRDs on uninstall | `true` | 110 + | `config.defaultSyncInterval` | Default sync interval (seconds) | `300` | 111 + | `config.defaultSecretType` | Default Kubernetes secret type | `Opaque` | 112 + | `config.verboseLogging` | Enable verbose logging | `false` | 113 + 114 + ## Usage Examples 115 + 116 + ### Basic Installation 117 + 118 + ```bash 119 + # Install with default settings (mock HSM for testing) 120 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator 121 + ``` 122 + 123 + ### Production Installation with PKCS#11 124 + 125 + ```bash 126 + # Create HSM PIN secret first 127 + kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin 128 + 129 + # Install with PKCS#11 configuration 130 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator \ 131 + --set hsm.clientType=pkcs11 \ 132 + --set hsm.pkcs11.library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \ 133 + --set hsm.pkcs11.slotId=0 134 + ``` 135 + 136 + ### Installation with Examples 137 + 138 + ```bash 139 + # Install with example resources 140 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator \ 141 + --set examples.hsmsecret.enabled=true \ 142 + --set examples.hsmdevice.enabled=true 143 + ``` 144 + 145 + ### Installation with Prometheus Monitoring 146 + 147 + ```bash 148 + # Install with ServiceMonitor for Prometheus 149 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator \ 150 + --set metrics.serviceMonitor.enabled=true \ 151 + 
--set metrics.serviceMonitor.namespace=monitoring 152 + ``` 153 + 154 + ## Custom Resources 155 + 156 + After installation, you can create HSM secrets using the custom resources: 157 + 158 + ### HSMSecret Example 159 + 160 + ```yaml 161 + apiVersion: hsm.j5t.io/v1alpha1 162 + kind: HSMSecret 163 + metadata: 164 + name: database-credentials 165 + namespace: production 166 + spec: 167 + hsmPath: "secrets/production/database-credentials" 168 + secretName: "database-credentials" 169 + autoSync: true 170 + syncInterval: 300 171 + secretType: Opaque 172 + ``` 173 + 174 + ### HSMDevice Example 175 + 176 + ```yaml 177 + apiVersion: hsm.j5t.io/v1alpha1 178 + kind: HSMDevice 179 + metadata: 180 + name: pico-hsm-discovery 181 + namespace: hsm-secrets-operator-system 182 + spec: 183 + deviceType: "pico-hsm" 184 + discovery: 185 + usb: 186 + enabled: true 187 + vendorId: "1234" 188 + productId: "5678" 189 + ``` 190 + 191 + ## Troubleshooting 192 + 193 + ### Check Operator Status 194 + 195 + ```bash 196 + kubectl get deployment hsm-secrets-operator-controller-manager 197 + kubectl logs -f deployment/hsm-secrets-operator-controller-manager 198 + ``` 199 + 200 + ### Check Custom Resources 201 + 202 + ```bash 203 + kubectl get hsmsecrets --all-namespaces 204 + kubectl get hsmdevices --all-namespaces 205 + kubectl describe hsmsecret <name> -n <namespace> 206 + ``` 207 + 208 + ### Check Device Discovery 209 + 210 + ```bash 211 + kubectl get daemonset hsm-secrets-operator-discovery 212 + kubectl logs daemonset/hsm-secrets-operator-discovery 213 + ``` 214 + 215 + ## Development 216 + 217 + To modify and test the chart: 218 + 219 + ```bash 220 + # Lint the chart 221 + helm lint ./helm/hsm-secrets-operator 222 + 223 + # Test template rendering 224 + helm template hsm-secrets-operator ./helm/hsm-secrets-operator 225 + 226 + # Install with dry-run 227 + helm install hsm-secrets-operator ./helm/hsm-secrets-operator --dry-run --debug 228 + ```
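Review bot: this hand-written README duplicates `.helm-docs/README.md.gotmpl` almost verbatim, and its parameter tables are exactly what `{{ template "chart.valuesSection" . }}` generates from `values.yaml`; keep one source (generate README.md with helm-docs) or the two will drift, as the install commands already do (`./helm/hsm-secrets-operator` here versus the `hsm-secrets-operator/` repository in the template). The "Production Installation" example in this copy also passes the PIN as `--from-literal=pin=your-hsm-pin` on the command line, where shell history and the process list record it.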
+37
helm/hsm-secrets-operator/ct.yaml
··· 1 + # Chart testing configuration for chart-testing (ct) 2 + helm-extra-args: --timeout 600s 3 + check-version-increment: true 4 + validate-maintainers: false 5 + validate-chart-schema: true 6 + validate-yaml-schema: true 7 + 8 + # Test configuration 9 + test-groups: 10 + - name: default 11 + tests: 12 + - templates/tests/ 13 + 14 + # Additional Helm repositories for dependencies 15 + helm-repos: 16 + - name: bitnami 17 + url: https://charts.bitnami.com/bitnami 18 + 19 + # Chart directories (relative to repository root) 20 + chart-dirs: 21 + - helm 22 + 23 + # Target branches for change detection 24 + target-branch: main 25 + 26 + # Additional chart testing configuration 27 + excluded-charts: [] 28 + chart-yaml-schema: /etc/ct/chart_schema.yaml 29 + lint-conf: /etc/ct/lintconf.yaml 30 + helm-dependency-extra-args: [] 31 + 32 + # Kubernetes version matrix for testing 33 + upgrade-extra-args: [] 34 + namespace-labels: 35 + pod-security.kubernetes.io/enforce: restricted 36 + pod-security.kubernetes.io/audit: restricted 37 + pod-security.kubernetes.io/warn: restricted
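Review bot: `namespace-labels` enforce the `restricted` Pod Security Standard on the test namespace, yet the chart's defaults enable a discovery DaemonSet that scans `/dev/ttyUSB*` and `/dev/hidraw*`; host device access needs hostPath volumes or a privileged container, which `restricted` rejects, so `ct install` will fail unless discovery is disabled for the test or the DaemonSet is shown to fit the profile. Also verify `test-groups`, `helm-repos` and `upgrade-extra-args` against ct's documented configuration keys (ct's repository option is `chart-repos`, and unrecognised keys are not reported), and drop the `bitnami` repository since `Chart.yaml` declares no dependencies.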
+101
helm/hsm-secrets-operator/templates/NOTES.txt
··· 1 + 1. HSM Secrets Operator has been deployed successfully! 2 + 3 + Chart version: {{ .Chart.Version }} 4 + App version: {{ .Chart.AppVersion }} 5 + 6 + 2. The operator is running with the following configuration: 7 + 8 + {{- if eq .Values.hsm.clientType "mock" }} 9 + 🔧 HSM Client: Mock (for testing) 10 + {{- else if eq .Values.hsm.clientType "pkcs11" }} 11 + 🔐 HSM Client: PKCS#11 (production) 12 + 📚 PKCS#11 Library: {{ .Values.hsm.pkcs11.library }} 13 + 🎰 Slot ID: {{ .Values.hsm.pkcs11.slotId }} 14 + {{- end }} 15 + 16 + {{- if .Values.discovery.enabled }} 17 + 🔍 Device Discovery: Enabled (DaemonSet deployed) 18 + {{- if .Values.discovery.usb.enabled }} 19 + 📱 USB Discovery: {{ join ", " .Values.discovery.usb.deviceTypes }} 20 + {{- end }} 21 + {{- if .Values.discovery.path.enabled }} 22 + 📁 Path Discovery: {{ join ", " .Values.discovery.path.patterns }} 23 + {{- end }} 24 + {{- else }} 25 + 🔍 Device Discovery: Disabled 26 + {{- end }} 27 + 28 + 3. Check the operator status: 29 + 30 + kubectl get deployment {{ include "hsm-secrets-operator.controllerManagerName" . }} -n {{ .Release.Namespace }} 31 + kubectl logs -f deployment/{{ include "hsm-secrets-operator.controllerManagerName" . }} -n {{ .Release.Namespace }} 32 + 33 + 4. View Custom Resources: 34 + 35 + # List HSM Secrets 36 + kubectl get hsmsecrets --all-namespaces 37 + 38 + # List HSM Devices 39 + kubectl get hsmdevices --all-namespaces 40 + 41 + # Describe a specific HSM Secret (if any exist) 42 + kubectl describe hsmsecret <secret-name> -n <namespace> 43 + 44 + 5. 
Create your first HSM Secret: 45 + 46 + cat <<EOF | kubectl apply -f - 47 + apiVersion: hsm.j5t.io/v1alpha1 48 + kind: HSMSecret 49 + metadata: 50 + name: my-first-secret 51 + namespace: {{ .Release.Namespace }} 52 + spec: 53 + hsmPath: "secrets/{{ .Release.Namespace }}/my-first-secret" 54 + secretName: "my-first-secret" 55 + autoSync: true 56 + syncInterval: {{ .Values.config.defaultSyncInterval }} 57 + EOF 58 + 59 + {{- if .Values.api.enabled }} 60 + 61 + 6. API Server is available at: 62 + 63 + kubectl port-forward svc/{{ include "hsm-secrets-operator.fullname" . }}-api {{ .Values.api.port }}:{{ .Values.api.port }} -n {{ .Release.Namespace }} 64 + 65 + Then access: http://localhost:{{ .Values.api.port }} 66 + {{- end }} 67 + 68 + {{- if .Values.metrics.enabled }} 69 + 70 + 7. Metrics are available at: 71 + 72 + kubectl port-forward svc/{{ include "hsm-secrets-operator.metricsServiceName" . }} 8443:8443 -n {{ .Release.Namespace }} 73 + 74 + Then access: https://localhost:8443/metrics 75 + {{- end }} 76 + 77 + {{- if .Values.discovery.enabled }} 78 + 79 + 8. Device discovery is running. Check discovered devices: 80 + 81 + kubectl get hsmdevices --all-namespaces 82 + kubectl logs daemonset/{{ include "hsm-secrets-operator.fullname" . }}-discovery -n {{ .Release.Namespace }} 83 + {{- end }} 84 + 85 + {{- if .Values.examples.hsmsecret.enabled }} 86 + 87 + 9. Example HSMSecret resources have been created. Check them with: 88 + 89 + kubectl get hsmsecrets -n {{ .Release.Namespace }} 90 + {{- end }} 91 + 92 + {{- if .Values.examples.hsmdevice.enabled }} 93 + 94 + 10. Example HSMDevice resources have been created. Check them with: 95 + 96 + kubectl get hsmdevices -n {{ .Release.Namespace }} 97 + {{- end }} 98 + 99 + For more information, visit: https://github.com/evanjarrett/hsm-secrets-operator 100 + 101 + Happy secret managing! 🔐
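Review bot: the API service and discovery DaemonSet names are assembled inline as `{{ include "hsm-secrets-operator.fullname" . }}-api` and `...-discovery`, while the controller and metrics service names come from helpers (`controllerManagerName`, `metricsServiceName`); add matching helpers (for example `apiServiceName`, `discoveryName`) and use them both here and in the templates so the port-forward and log commands cannot drift from the real resource names. Steps 6 to 10 sit inside `{{- if }}` blocks, so a user with discovery or the API disabled sees gaps such as 5 followed by 8; unnumbered headings for the conditional sections would avoid that.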
+91
helm/hsm-secrets-operator/templates/_helpers.tpl
··· 1 + {{/* 2 + Expand the name of the chart. 3 + */}} 4 + {{- define "hsm-secrets-operator.name" -}} 5 + {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 + {{- end }} 7 + 8 + {{/* 9 + Create a default fully qualified app name. 10 + We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 + If release name contains chart name it will be used as a full name. 12 + */}} 13 + {{- define "hsm-secrets-operator.fullname" -}} 14 + {{- if .Values.fullnameOverride }} 15 + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 + {{- else }} 17 + {{- $name := default .Chart.Name .Values.nameOverride }} 18 + {{- if contains $name .Release.Name }} 19 + {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 + {{- else }} 21 + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 + {{- end }} 23 + {{- end }} 24 + {{- end }} 25 + 26 + {{/* 27 + Create chart name and version as used by the chart label. 28 + */}} 29 + {{- define "hsm-secrets-operator.chart" -}} 30 + {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 + {{- end }} 32 + 33 + {{/* 34 + Common labels 35 + */}} 36 + {{- define "hsm-secrets-operator.labels" -}} 37 + helm.sh/chart: {{ include "hsm-secrets-operator.chart" . }} 38 + {{ include "hsm-secrets-operator.selectorLabels" . }} 39 + {{- if .Chart.AppVersion }} 40 + app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 + {{- end }} 42 + app.kubernetes.io/managed-by: {{ .Release.Service }} 43 + {{- end }} 44 + 45 + {{/* 46 + Selector labels 47 + */}} 48 + {{- define "hsm-secrets-operator.selectorLabels" -}} 49 + app.kubernetes.io/name: {{ include "hsm-secrets-operator.name" . 
}} 50 + app.kubernetes.io/instance: {{ .Release.Name }} 51 + {{- end }} 52 + 53 + {{/* 54 + Create the name of the service account to use 55 + */}} 56 + {{- define "hsm-secrets-operator.serviceAccountName" -}} 57 + {{- if .Values.serviceAccount.create }} 58 + {{- default (include "hsm-secrets-operator.fullname" .) .Values.serviceAccount.name }} 59 + {{- else }} 60 + {{- default "default" .Values.serviceAccount.name }} 61 + {{- end }} 62 + {{- end }} 63 + 64 + {{/* 65 + Create the name of the controller manager 66 + */}} 67 + {{- define "hsm-secrets-operator.controllerManagerName" -}} 68 + {{- printf "%s-controller-manager" (include "hsm-secrets-operator.fullname" .) }} 69 + {{- end }} 70 + 71 + {{/* 72 + Create the name of the metrics service 73 + */}} 74 + {{- define "hsm-secrets-operator.metricsServiceName" -}} 75 + {{- printf "%s-metrics-service" (include "hsm-secrets-operator.fullname" .) }} 76 + {{- end }} 77 + 78 + {{/* 79 + Create the image reference 80 + */}} 81 + {{- define "hsm-secrets-operator.image" -}} 82 + {{- $tag := .Values.image.tag | default .Chart.AppVersion }} 83 + {{- printf "%s:%s" .Values.image.repository $tag }} 84 + {{- end }} 85 + 86 + {{/* 87 + Create system namespace name 88 + */}} 89 + {{- define "hsm-secrets-operator.systemNamespace" -}} 90 + {{- printf "%s-system" (include "hsm-secrets-operator.fullname" .) }} 91 + {{- end }}
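Review bot: `hsm-secrets-operator.image` falls back to `.Chart.AppVersion`, which `Chart.yaml` sets to `"latest"`, so a default install runs an unpinned image; fall back to a fixed version and consider an optional digest value so the reference can be made immutable (`repository@sha256:...`). `hsm-secrets-operator.systemNamespace` yields `<fullname>-system`, which equals the `hsm-secrets-operator-system` namespace used in the README's HSMDevice example only when the release name contains the chart name; either document that dependency or have the examples use `.Release.Namespace` as NOTES.txt does.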
+334
helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmdevices.yaml
··· 1 + {{- if .Values.crds.install }} 2 + --- 3 + apiVersion: apiextensions.k8s.io/v1 4 + kind: CustomResourceDefinition 5 + metadata: 6 + annotations: 7 + controller-gen.kubebuilder.io/version: v0.18.0 8 + {{- if not .Values.crds.keep }} 9 + "helm.sh/hook": pre-install,pre-upgrade 10 + "helm.sh/hook-delete-policy": before-hook-creation 11 + {{- end }} 12 + name: hsmdevices.hsm.j5t.io 13 + labels: 14 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 15 + spec: 16 + group: hsm.j5t.io 17 + names: 18 + kind: HSMDevice 19 + listKind: HSMDeviceList 20 + plural: hsmdevices 21 + shortNames: 22 + - hsmdev 23 + singular: hsmdevice 24 + scope: Namespaced 25 + versions: 26 + - additionalPrinterColumns: 27 + - jsonPath: .spec.deviceType 28 + name: Type 29 + type: string 30 + - jsonPath: .status.totalDevices 31 + name: Total 32 + type: integer 33 + - jsonPath: .status.availableDevices 34 + name: Available 35 + type: integer 36 + - jsonPath: .status.phase 37 + name: Phase 38 + type: string 39 + - jsonPath: .status.lastDiscoveryTime 40 + name: Last Discovery 41 + type: date 42 + - jsonPath: .metadata.creationTimestamp 43 + name: Age 44 + type: date 45 + name: v1alpha1 46 + schema: 47 + openAPIV3Schema: 48 + description: HSMDevice is the Schema for the hsmdevices API. 49 + properties: 50 + apiVersion: 51 + description: |- 52 + APIVersion defines the versioned schema of this representation of an object. 53 + Servers should convert recognized schemas to the latest internal value, and 54 + may reject unrecognized values. 55 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 56 + type: string 57 + kind: 58 + description: |- 59 + Kind is a string value representing the REST resource this object represents. 60 + Servers may infer this from the endpoint the client submits requests to. 61 + Cannot be updated. 62 + In CamelCase. 
63 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 64 + type: string 65 + metadata: 66 + type: object 67 + spec: 68 + description: HSMDeviceSpec defines the desired state of HSMDevice. 69 + properties: 70 + devicePath: 71 + description: DevicePath defines path-based device discovery criteria 72 + properties: 73 + path: 74 + description: Path is the device path pattern (e.g., "/dev/ttyUSB*", 75 + "/dev/sc-hsm*") 76 + type: string 77 + permissions: 78 + description: Permissions are the required permissions for device 79 + access 80 + type: string 81 + required: 82 + - path 83 + type: object 84 + deviceType: 85 + description: DeviceType specifies the type of HSM device 86 + type: string 87 + maxDevices: 88 + default: 10 89 + description: MaxDevices limits how many instances of this device can 90 + be discovered 91 + format: int32 92 + type: integer 93 + mirroring: 94 + description: Mirroring configures cross-node device mirroring for 95 + high availability 96 + properties: 97 + autoFailover: 98 + default: true 99 + description: AutoFailover enables automatic failover to healthy 100 + nodes 101 + type: boolean 102 + policy: 103 + default: None 104 + description: Policy specifies the mirroring strategy 105 + type: string 106 + primaryNode: 107 + description: PrimaryNode specifies the preferred primary node 108 + for write operations 109 + type: string 110 + syncInterval: 111 + default: 60 112 + description: SyncInterval defines how often to sync device data 113 + across nodes (in seconds) 114 + format: int32 115 + type: integer 116 + targetNodes: 117 + description: |- 118 + TargetNodes specifies nodes that should have mirrored access 119 + If empty, mirrors to all nodes with the device 120 + items: 121 + type: string 122 + type: array 123 + type: object 124 + nodeSelector: 125 + additionalProperties: 126 + type: string 127 + description: NodeSelector specifies which nodes should be scanned 128 + for this 
device 129 + type: object 130 + pkcs11LibraryPath: 131 + description: PKCS11LibraryPath is the path to the PKCS#11 library 132 + for this device 133 + type: string 134 + usb: 135 + description: USB defines USB-based device discovery criteria 136 + properties: 137 + productId: 138 + description: ProductID is the USB product ID (e.g., "4230" for 139 + Pico HSM) 140 + type: string 141 + serialNumber: 142 + description: SerialNumber optionally matches a specific device 143 + serial number 144 + type: string 145 + vendorId: 146 + description: VendorID is the USB vendor ID (e.g., "20a0" for Pico 147 + HSM) 148 + type: string 149 + required: 150 + - productId 151 + - vendorId 152 + type: object 153 + required: 154 + - deviceType 155 + type: object 156 + status: 157 + description: HSMDeviceStatus defines the observed state of HSMDevice. 158 + properties: 159 + availableDevices: 160 + description: AvailableDevices is the number of currently available 161 + devices 162 + format: int32 163 + type: integer 164 + conditions: 165 + description: Conditions represent the latest available observations 166 + of the device state 167 + items: 168 + description: Condition contains details for one aspect of the current 169 + state of this API Resource. 170 + properties: 171 + lastTransitionTime: 172 + description: |- 173 + lastTransitionTime is the last time the condition transitioned from one status to another. 174 + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 175 + format: date-time 176 + type: string 177 + message: 178 + description: |- 179 + message is a human readable message indicating details about the transition. 180 + This may be an empty string. 181 + maxLength: 32768 182 + type: string 183 + observedGeneration: 184 + description: |- 185 + observedGeneration represents the .metadata.generation that the condition was set based upon. 
186 + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 187 + with respect to the current state of the instance. 188 + format: int64 189 + minimum: 0 190 + type: integer 191 + reason: 192 + description: |- 193 + reason contains a programmatic identifier indicating the reason for the condition's last transition. 194 + Producers of specific condition types may define expected values and meanings for this field, 195 + and whether the values are considered a guaranteed API. 196 + The value should be a CamelCase string. 197 + This field may not be empty. 198 + maxLength: 1024 199 + minLength: 1 200 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 201 + type: string 202 + status: 203 + description: status of the condition, one of True, False, Unknown. 204 + enum: 205 + - "True" 206 + - "False" 207 + - Unknown 208 + type: string 209 + type: 210 + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
211 + maxLength: 316 212 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 213 + type: string 214 + required: 215 + - lastTransitionTime 216 + - message 217 + - reason 218 + - status 219 + - type 220 + type: object 221 + type: array 222 + discoveredDevices: 223 + description: DiscoveredDevices lists all discovered devices matching 224 + the spec 225 + items: 226 + description: DiscoveredDevice represents a discovered HSM device 227 + instance 228 + properties: 229 + available: 230 + description: Available indicates if the device is currently 231 + available for use 232 + type: boolean 233 + deviceInfo: 234 + additionalProperties: 235 + type: string 236 + description: DeviceInfo contains additional device information 237 + type: object 238 + devicePath: 239 + description: DevicePath is the system path to the discovered 240 + device 241 + type: string 242 + health: 243 + description: Health represents the health status of the device 244 + type: string 245 + lastSeen: 246 + description: LastSeen is the timestamp when the device was last 247 + detected 248 + format: date-time 249 + type: string 250 + lastSyncTime: 251 + description: LastSyncTime is when this device was last synchronized 252 + format: date-time 253 + type: string 254 + mirroredFrom: 255 + description: MirroredFrom indicates the primary device this 256 + is mirrored from 257 + type: string 258 + nodeName: 259 + description: NodeName is the name of the node where the device 260 + was discovered 261 + type: string 262 + resourceName: 263 + description: ResourceName is the Kubernetes resource name for 264 + this device 265 + type: string 266 + role: 267 + description: Role indicates the role of this device in a mirrored 268 + setup 269 + type: string 270 + serialNumber: 271 + description: SerialNumber is the serial number of the device 272 + (if available) 273 + type: string 274 + required: 275 + - available 276 + - devicePath 277 + - 
lastSeen 278 + - nodeName 279 + type: object 280 + type: array 281 + lastDiscoveryTime: 282 + description: LastDiscoveryTime is the timestamp of the last discovery 283 + scan 284 + format: date-time 285 + type: string 286 + mirroring: 287 + description: Mirroring represents the status of device mirroring 288 + properties: 289 + enabled: 290 + description: Enabled indicates if mirroring is currently active 291 + type: boolean 292 + failoverCount: 293 + description: FailoverCount tracks the number of failovers that 294 + have occurred 295 + format: int32 296 + type: integer 297 + lastSyncTime: 298 + description: LastSyncTime is when devices were last synchronized 299 + format: date-time 300 + type: string 301 + mirroredNodes: 302 + description: MirroredNodes lists nodes with mirrored access 303 + items: 304 + type: string 305 + type: array 306 + primaryNode: 307 + description: PrimaryNode is the current primary node 308 + type: string 309 + syncErrors: 310 + description: SyncErrors tracks synchronization errors 311 + items: 312 + type: string 313 + type: array 314 + required: 315 + - enabled 316 + - failoverCount 317 + type: object 318 + phase: 319 + description: Phase represents the current phase of device discovery 320 + type: string 321 + totalDevices: 322 + description: TotalDevices is the total number of discovered devices 323 + format: int32 324 + type: integer 325 + required: 326 + - availableDevices 327 + - totalDevices 328 + type: object 329 + type: object 330 + served: true 331 + storage: true 332 + subresources: 333 + status: {} 334 + {{- end }}
+226
helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmsecrets.yaml
··· 1 + {{- if .Values.crds.install }} 2 + --- 3 + apiVersion: apiextensions.k8s.io/v1 4 + kind: CustomResourceDefinition 5 + metadata: 6 + annotations: 7 + controller-gen.kubebuilder.io/version: v0.18.0 8 + {{- if not .Values.crds.keep }} 9 + "helm.sh/hook": pre-install,pre-upgrade 10 + "helm.sh/hook-delete-policy": before-hook-creation 11 + {{- end }} 12 + name: hsmsecrets.hsm.j5t.io 13 + labels: 14 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 15 + spec: 16 + group: hsm.j5t.io 17 + names: 18 + kind: HSMSecret 19 + listKind: HSMSecretList 20 + plural: hsmsecrets 21 + shortNames: 22 + - hsmsec 23 + singular: hsmsecret 24 + scope: Namespaced 25 + versions: 26 + - additionalPrinterColumns: 27 + - jsonPath: .spec.hsmPath 28 + name: HSM Path 29 + type: string 30 + - jsonPath: .spec.secretName 31 + name: Secret Name 32 + type: string 33 + - jsonPath: .status.syncStatus 34 + name: Sync Status 35 + type: string 36 + - jsonPath: .status.lastSyncTime 37 + name: Last Sync 38 + type: date 39 + - jsonPath: .metadata.creationTimestamp 40 + name: Age 41 + type: date 42 + name: v1alpha1 43 + schema: 44 + openAPIV3Schema: 45 + description: HSMSecret is the Schema for the hsmsecrets API. 46 + properties: 47 + apiVersion: 48 + description: |- 49 + APIVersion defines the versioned schema of this representation of an object. 50 + Servers should convert recognized schemas to the latest internal value, and 51 + may reject unrecognized values. 52 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 53 + type: string 54 + kind: 55 + description: |- 56 + Kind is a string value representing the REST resource this object represents. 57 + Servers may infer this from the endpoint the client submits requests to. 58 + Cannot be updated. 59 + In CamelCase. 
60 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 61 + type: string 62 + metadata: 63 + type: object 64 + spec: 65 + description: HSMSecretSpec defines the desired state of HSMSecret. 66 + properties: 67 + autoSync: 68 + default: true 69 + description: AutoSync enables bidirectional synchronization between 70 + HSM and Kubernetes Secret 71 + type: boolean 72 + hsmPath: 73 + description: |- 74 + HSMPath is the path on the Pico HSM where the secret data is stored 75 + Example: "secrets/appnamespace/appname-secret" 76 + type: string 77 + secretName: 78 + description: |- 79 + SecretName is the name of the Kubernetes Secret object to create/update 80 + Defaults to the HSMSecret name if not specified 81 + type: string 82 + secretType: 83 + default: Opaque 84 + description: SecretType specifies the type of Kubernetes Secret to 85 + create 86 + type: string 87 + syncInterval: 88 + default: 300 89 + description: |- 90 + SyncInterval defines how often to check for HSM changes (in seconds) 91 + Only applies when AutoSync is true 92 + format: int32 93 + type: integer 94 + required: 95 + - hsmPath 96 + type: object 97 + status: 98 + description: HSMSecretStatus defines the observed state of HSMSecret. 99 + properties: 100 + conditions: 101 + description: Conditions represent the latest available observations 102 + of the HSMSecret's current state 103 + items: 104 + description: Condition contains details for one aspect of the current 105 + state of this API Resource. 106 + properties: 107 + lastTransitionTime: 108 + description: |- 109 + lastTransitionTime is the last time the condition transitioned from one status to another. 110 + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
111 + format: date-time 112 + type: string 113 + message: 114 + description: |- 115 + message is a human readable message indicating details about the transition. 116 + This may be an empty string. 117 + maxLength: 32768 118 + type: string 119 + observedGeneration: 120 + description: |- 121 + observedGeneration represents the .metadata.generation that the condition was set based upon. 122 + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 123 + with respect to the current state of the instance. 124 + format: int64 125 + minimum: 0 126 + type: integer 127 + reason: 128 + description: |- 129 + reason contains a programmatic identifier indicating the reason for the condition's last transition. 130 + Producers of specific condition types may define expected values and meanings for this field, 131 + and whether the values are considered a guaranteed API. 132 + The value should be a CamelCase string. 133 + This field may not be empty. 134 + maxLength: 1024 135 + minLength: 1 136 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 137 + type: string 138 + status: 139 + description: status of the condition, one of True, False, Unknown. 140 + enum: 141 + - "True" 142 + - "False" 143 + - Unknown 144 + type: string 145 + type: 146 + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
147 + maxLength: 316 148 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 149 + type: string 150 + required: 151 + - lastTransitionTime 152 + - message 153 + - reason 154 + - status 155 + - type 156 + type: object 157 + type: array 158 + hsmChecksum: 159 + description: HSMChecksum is the SHA256 checksum of the HSM data 160 + type: string 161 + lastError: 162 + description: LastError contains the last error message if SyncStatus 163 + is Error 164 + type: string 165 + lastSyncTime: 166 + description: LastSyncTime is the timestamp of the last successful 167 + synchronization 168 + format: date-time 169 + type: string 170 + secretChecksum: 171 + description: SecretChecksum is the SHA256 checksum of the Kubernetes 172 + Secret data 173 + type: string 174 + secretRef: 175 + description: SecretRef references the created Kubernetes Secret 176 + properties: 177 + apiVersion: 178 + description: API version of the referent. 179 + type: string 180 + fieldPath: 181 + description: |- 182 + If referring to a piece of an object instead of an entire object, this string 183 + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 184 + For example, if the object reference is to a container within a pod, this would take on a value like: 185 + "spec.containers{name}" (where "name" refers to the name of the container that triggered 186 + the event) or if no container name is specified "spec.containers[2]" (container with 187 + index 2 in this pod). This syntax is chosen only to have some well-defined way of 188 + referencing a part of an object. 189 + type: string 190 + kind: 191 + description: |- 192 + Kind of the referent. 193 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 194 + type: string 195 + name: 196 + description: |- 197 + Name of the referent. 
198 + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 199 + type: string 200 + namespace: 201 + description: |- 202 + Namespace of the referent. 203 + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ 204 + type: string 205 + resourceVersion: 206 + description: |- 207 + Specific resourceVersion to which this reference is made, if any. 208 + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency 209 + type: string 210 + uid: 211 + description: |- 212 + UID of the referent. 213 + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids 214 + type: string 215 + type: object 216 + x-kubernetes-map-type: atomic 217 + syncStatus: 218 + description: SyncStatus indicates the current synchronization status 219 + type: string 220 + type: object 221 + type: object 222 + served: true 223 + storage: true 224 + subresources: 225 + status: {} 226 + {{- end }}
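Review bot: `spec.syncInterval` (lines 87-93, `default: 300`, `format: int32`) carries no `minimum`, and `spec.hsmPath` (lines 72-76) is required but has no `minLength`, so `syncInterval: 0`, a negative interval, or `hsmPath: ""` all pass admission and land in the reconciler. Since this file is controller-gen output, add `+kubebuilder:validation:Minimum=1` to SyncInterval and `+kubebuilder:validation:MinLength=1` to HSMPath on the Go types and regenerate, so the schema rejects them at the API server instead of relying on controller code.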
+117
helm/hsm-secrets-operator/templates/daemonset.yaml
··· 1 + {{- if .Values.discovery.enabled }} 2 + --- 3 + apiVersion: apps/v1 4 + kind: DaemonSet 5 + metadata: 6 + name: {{ include "hsm-secrets-operator.fullname" . }}-discovery 7 + namespace: {{ .Release.Namespace }} 8 + labels: 9 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 10 + app.kubernetes.io/component: discovery 11 + app.kubernetes.io/part-of: hsm-secrets-operator 12 + spec: 13 + selector: 14 + matchLabels: 15 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 6 }} 16 + app.kubernetes.io/component: discovery 17 + template: 18 + metadata: 19 + annotations: 20 + {{- with .Values.podAnnotations }} 21 + {{- toYaml . | nindent 8 }} 22 + {{- end }} 23 + labels: 24 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 8 }} 25 + app.kubernetes.io/component: discovery 26 + {{- with .Values.podLabels }} 27 + {{- toYaml . | nindent 8 }} 28 + {{- end }} 29 + spec: 30 + {{- with .Values.imagePullSecrets }} 31 + imagePullSecrets: 32 + {{- toYaml . | nindent 8 }} 33 + {{- end }} 34 + serviceAccountName: {{ include "hsm-secrets-operator.serviceAccountName" . }} 35 + securityContext: 36 + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} 37 + containers: 38 + - name: discovery 39 + image: {{ include "hsm-secrets-operator.image" . 
}} 40 + imagePullPolicy: {{ .Values.image.pullPolicy }} 41 + command: 42 + - /manager 43 + args: 44 + - --mode=discovery 45 + - --node-name=$(NODE_NAME) 46 + {{- if .Values.config.verboseLogging }} 47 + - --zap-log-level=debug 48 + {{- end }} 49 + env: 50 + - name: NODE_NAME 51 + valueFrom: 52 + fieldRef: 53 + fieldPath: spec.nodeName 54 + - name: USB_DISCOVERY_ENABLED 55 + value: {{ .Values.discovery.usb.enabled | quote }} 56 + - name: PATH_DISCOVERY_ENABLED 57 + value: {{ .Values.discovery.path.enabled | quote }} 58 + {{- if .Values.discovery.usb.enabled }} 59 + - name: USB_DEVICE_TYPES 60 + value: {{ join "," .Values.discovery.usb.deviceTypes | quote }} 61 + {{- end }} 62 + {{- if .Values.discovery.path.enabled }} 63 + - name: PATH_PATTERNS 64 + value: {{ join "," .Values.discovery.path.patterns | quote }} 65 + {{- end }} 66 + resources: 67 + {{- toYaml .Values.controllerManager.resources | nindent 12 }} 68 + securityContext: 69 + {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} 70 + volumeMounts: 71 + - name: dev 72 + mountPath: /dev 73 + readOnly: true 74 + - name: sys 75 + mountPath: /sys 76 + readOnly: true 77 + {{- if eq .Values.hsm.clientType "pkcs11" }} 78 + - name: pkcs11-lib 79 + mountPath: /usr/lib/x86_64-linux-gnu 80 + readOnly: true 81 + {{- end }} 82 + volumes: 83 + - name: dev 84 + hostPath: 85 + path: /dev 86 + type: Directory 87 + - name: sys 88 + hostPath: 89 + path: /sys 90 + type: Directory 91 + {{- if eq .Values.hsm.clientType "pkcs11" }} 92 + - name: pkcs11-lib 93 + hostPath: 94 + path: /usr/lib/x86_64-linux-gnu 95 + type: Directory 96 + {{- end }} 97 + hostNetwork: false 98 + hostPID: false 99 + hostIPC: false 100 + {{- with .Values.nodeSelector }} 101 + nodeSelector: 102 + {{- toYaml . | nindent 8 }} 103 + {{- end }} 104 + {{- with .Values.affinity }} 105 + affinity: 106 + {{- toYaml . | nindent 8 }} 107 + {{- end }} 108 + {{- with .Values.tolerations }} 109 + tolerations: 110 + {{- toYaml . 
| nindent 8 }} 111 + {{- end }} 112 + updateStrategy: 113 + type: RollingUpdate 114 + rollingUpdate: 115 + maxSurge: 0 116 + maxUnavailable: 1 117 + {{- end }}
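Review bot: the `pkcs11-lib` volume (lines 77-81 and 91-96) mounts the host's entire `/usr/lib/x86_64-linux-gnu` over the container directory of the same name, so the container's own libc and shared objects are replaced by whatever the node happens to have, and the chart is implicitly amd64-only. Mount just the configured module (`.Values.hsm.pkcs11.library`) into a dedicated path such as `/opt/pkcs11` with `type: File`, or ship the module in the image. Separately, the `/dev` and `/sys` hostPath volumes put this pod above the Pod Security `baseline` level, and the container reuses `controllerManager.securityContext` (all capabilities dropped) with `runAsNonRoot`, so reading `/dev/hidraw*` and `/dev/ttyUSB*` depends entirely on the node's device-node permissions; both constraints belong in values.yaml comments.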
+173
helm/hsm-secrets-operator/templates/deployment.yaml
··· 1 + apiVersion: apps/v1 2 + kind: Deployment 3 + metadata: 4 + name: {{ include "hsm-secrets-operator.controllerManagerName" . }} 5 + namespace: {{ .Release.Namespace }} 6 + labels: 7 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 8 + control-plane: controller-manager 9 + app.kubernetes.io/component: manager 10 + app.kubernetes.io/part-of: hsm-secrets-operator 11 + spec: 12 + replicas: {{ .Values.controllerManager.replicas }} 13 + selector: 14 + matchLabels: 15 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 6 }} 16 + control-plane: controller-manager 17 + template: 18 + metadata: 19 + annotations: 20 + kubectl.kubernetes.io/default-container: manager 21 + {{- with .Values.podAnnotations }} 22 + {{- toYaml . | nindent 8 }} 23 + {{- end }} 24 + labels: 25 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 8 }} 26 + control-plane: controller-manager 27 + {{- with .Values.podLabels }} 28 + {{- toYaml . | nindent 8 }} 29 + {{- end }} 30 + spec: 31 + {{- with .Values.imagePullSecrets }} 32 + imagePullSecrets: 33 + {{- toYaml . | nindent 8 }} 34 + {{- end }} 35 + serviceAccountName: {{ include "hsm-secrets-operator.serviceAccountName" . }} 36 + securityContext: 37 + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} 38 + containers: 39 + - name: manager 40 + image: {{ include "hsm-secrets-operator.image" . 
}} 41 + imagePullPolicy: {{ .Values.image.pullPolicy }} 42 + command: 43 + - /manager 44 + args: 45 + - --leader-elect={{ .Values.leaderElection.enabled }} 46 + {{- if .Values.config.verboseLogging }} 47 + - --zap-log-level=debug 48 + {{- end }} 49 + {{- if .Values.metrics.enabled }} 50 + - --metrics-bind-address=0.0.0.0:8080 51 + {{- else }} 52 + - --metrics-bind-address=0 53 + {{- end }} 54 + {{- if .Values.health.port }} 55 + - --health-probe-bind-address=:{{ .Values.health.port }} 56 + {{- end }} 57 + env: 58 + - name: HSM_CLIENT_TYPE 59 + value: {{ .Values.hsm.clientType | quote }} 60 + {{- if eq .Values.hsm.clientType "pkcs11" }} 61 + - name: PKCS11_LIBRARY 62 + value: {{ .Values.hsm.pkcs11.library | quote }} 63 + - name: PKCS11_SLOT_ID 64 + value: {{ .Values.hsm.pkcs11.slotId | quote }} 65 + {{- if .Values.hsm.pkcs11.pinSecret }} 66 + - name: PKCS11_PIN 67 + valueFrom: 68 + secretKeyRef: 69 + name: {{ .Values.hsm.pkcs11.pinSecret.name }} 70 + key: {{ .Values.hsm.pkcs11.pinSecret.key }} 71 + {{- end }} 72 + {{- end }} 73 + - name: DEFAULT_SYNC_INTERVAL 74 + value: {{ .Values.config.defaultSyncInterval | quote }} 75 + - name: DEFAULT_SECRET_TYPE 76 + value: {{ .Values.config.defaultSecretType | quote }} 77 + ports: 78 + {{- if .Values.metrics.enabled }} 79 + - name: metrics 80 + containerPort: 8080 81 + protocol: TCP 82 + {{- end }} 83 + {{- if .Values.health.port }} 84 + - name: health 85 + containerPort: {{ .Values.health.port }} 86 + protocol: TCP 87 + {{- end }} 88 + {{- if .Values.api.enabled }} 89 + - name: api 90 + containerPort: {{ .Values.api.port }} 91 + protocol: TCP 92 + {{- end }} 93 + {{- if .Values.webhook.enabled }} 94 + - name: webhook 95 + containerPort: {{ .Values.webhook.port }} 96 + protocol: TCP 97 + {{- end }} 98 + {{- if .Values.health.port }} 99 + livenessProbe: 100 + httpGet: 101 + path: /healthz 102 + port: {{ .Values.health.port }} 103 + initialDelaySeconds: 15 104 + periodSeconds: 20 105 + readinessProbe: 106 + httpGet: 107 + path: 
/readyz 108 + port: {{ .Values.health.port }} 109 + initialDelaySeconds: 5 110 + periodSeconds: 10 111 + {{- end }} 112 + resources: 113 + {{- toYaml .Values.controllerManager.resources | nindent 12 }} 114 + securityContext: 115 + {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} 116 + {{- if or (eq .Values.hsm.clientType "pkcs11") .Values.discovery.enabled }} 117 + volumeMounts: 118 + {{- if eq .Values.hsm.clientType "pkcs11" }} 119 + - name: pkcs11-lib 120 + mountPath: /usr/lib/x86_64-linux-gnu 121 + readOnly: true 122 + {{- end }} 123 + {{- if .Values.discovery.enabled }} 124 + - name: dev 125 + mountPath: /dev 126 + readOnly: true 127 + - name: sys 128 + mountPath: /sys 129 + readOnly: true 130 + {{- end }} 131 + {{- if .Values.webhook.enabled }} 132 + - name: webhook-certs 133 + mountPath: /tmp/k8s-webhook-server/serving-certs 134 + readOnly: true 135 + {{- end }} 136 + {{- end }} 137 + {{- if or (eq .Values.hsm.clientType "pkcs11") .Values.discovery.enabled .Values.webhook.enabled }} 138 + volumes: 139 + {{- if eq .Values.hsm.clientType "pkcs11" }} 140 + - name: pkcs11-lib 141 + hostPath: 142 + path: /usr/lib/x86_64-linux-gnu 143 + type: Directory 144 + {{- end }} 145 + {{- if .Values.discovery.enabled }} 146 + - name: dev 147 + hostPath: 148 + path: /dev 149 + type: Directory 150 + - name: sys 151 + hostPath: 152 + path: /sys 153 + type: Directory 154 + {{- end }} 155 + {{- if .Values.webhook.enabled }} 156 + - name: webhook-certs 157 + secret: 158 + secretName: {{ .Values.webhook.secret.name }} 159 + {{- end }} 160 + {{- end }} 161 + {{- with .Values.nodeSelector }} 162 + nodeSelector: 163 + {{- toYaml . | nindent 8 }} 164 + {{- end }} 165 + {{- with .Values.affinity }} 166 + affinity: 167 + {{- toYaml . | nindent 8 }} 168 + {{- end }} 169 + {{- with .Values.tolerations }} 170 + tolerations: 171 + {{- toYaml . | nindent 8 }} 172 + {{- end }} 173 + terminationGracePeriodSeconds: 10
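Review bot: the `volumeMounts` gate on line 116, `or (eq .Values.hsm.clientType "pkcs11") .Values.discovery.enabled`, omits `.Values.webhook.enabled`, while the `volumes` gate on line 137 includes it. With `webhook.enabled=true`, `discovery.enabled=false` and `clientType=mock`, the `webhook-certs` Secret volume is declared but never mounted, and the webhook server finds nothing at `/tmp/k8s-webhook-server/serving-certs`. Add `.Values.webhook.enabled` to the line 116 condition, or drop both outer gates and let the inner `if`s decide. Also, with default values `metrics` declares `containerPort: 8080` (line 80) and `api` declares `containerPort: {{ .Values.api.port }}` (line 90), which also defaults to 8080, so the manager container lists port 8080 twice; pick distinct defaults.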
+47
helm/hsm-secrets-operator/templates/examples.yaml
··· 1 + {{- if .Values.examples.hsmsecret.enabled }} 2 + {{- range .Values.examples.hsmsecret.samples }} 3 + --- 4 + apiVersion: hsm.j5t.io/v1alpha1 5 + kind: HSMSecret 6 + metadata: 7 + name: {{ .name }} 8 + namespace: {{ .namespace | default $.Release.Namespace }} 9 + labels: 10 + {{- include "hsm-secrets-operator.labels" $ | nindent 4 }} 11 + app.kubernetes.io/component: example 12 + spec: 13 + hsmPath: {{ .hsmPath }} 14 + {{- with .secretName }} 15 + secretName: {{ . }} 16 + {{- end }} 17 + {{- with .secretType }} 18 + secretType: {{ . }} 19 + {{- end }} 20 + {{- with .syncInterval }} 21 + syncInterval: {{ . }} 22 + {{- end }} 23 + autoSync: {{ .autoSync | default true }} 24 + {{- end }} 25 + {{- end }} 26 + 27 + {{- if .Values.examples.hsmdevice.enabled }} 28 + {{- range .Values.examples.hsmdevice.samples }} 29 + --- 30 + apiVersion: hsm.j5t.io/v1alpha1 31 + kind: HSMDevice 32 + metadata: 33 + name: {{ .name }} 34 + namespace: {{ .namespace | default $.Release.Namespace }} 35 + labels: 36 + {{- include "hsm-secrets-operator.labels" $ | nindent 4 }} 37 + app.kubernetes.io/component: example 38 + spec: 39 + {{- with .deviceType }} 40 + deviceType: {{ . }} 41 + {{- end }} 42 + {{- with .discovery }} 43 + discovery: 44 + {{- toYaml . | nindent 4 }} 45 + {{- end }} 46 + {{- end }} 47 + {{- end }}
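Review bot: `autoSync: {{ .autoSync | default true }}` (line 23) can never render `false`: Sprig's `default` treats `false` as an empty value, so a sample with `autoSync: false` is silently flipped to `true`. Emit the field only when it is set, `{{- if hasKey . "autoSync" }}autoSync: {{ .autoSync }}{{- end }}`, and let the CRD default apply otherwise. Also `hsmPath: {{ .hsmPath }}` (line 13) should be `{{ .hsmPath | quote }}` so that a value YAML would otherwise interpret as a non-string still renders as a string.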
+207
helm/hsm-secrets-operator/templates/rbac/role.yaml
··· 1 + {{- if .Values.rbac.create -}} 2 + --- 3 + apiVersion: rbac.authorization.k8s.io/v1 4 + kind: ClusterRole 5 + metadata: 6 + name: {{ include "hsm-secrets-operator.fullname" . }}-manager-role 7 + labels: 8 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 9 + rules: 10 + - apiGroups: 11 + - "" 12 + resources: 13 + - events 14 + verbs: 15 + - create 16 + - patch 17 + - apiGroups: 18 + - "" 19 + resources: 20 + - secrets 21 + verbs: 22 + - create 23 + - delete 24 + - get 25 + - list 26 + - patch 27 + - update 28 + - watch 29 + - apiGroups: 30 + - hsm.j5t.io 31 + resources: 32 + - hsmdevices 33 + verbs: 34 + - create 35 + - delete 36 + - get 37 + - list 38 + - patch 39 + - update 40 + - watch 41 + - apiGroups: 42 + - hsm.j5t.io 43 + resources: 44 + - hsmdevices/finalizers 45 + verbs: 46 + - update 47 + - apiGroups: 48 + - hsm.j5t.io 49 + resources: 50 + - hsmdevices/status 51 + verbs: 52 + - get 53 + - patch 54 + - update 55 + - apiGroups: 56 + - hsm.j5t.io 57 + resources: 58 + - hsmsecrets 59 + verbs: 60 + - create 61 + - delete 62 + - get 63 + - list 64 + - patch 65 + - update 66 + - watch 67 + - apiGroups: 68 + - hsm.j5t.io 69 + resources: 70 + - hsmsecrets/finalizers 71 + verbs: 72 + - update 73 + - apiGroups: 74 + - hsm.j5t.io 75 + resources: 76 + - hsmsecrets/status 77 + verbs: 78 + - get 79 + - patch 80 + - update 81 + 82 + --- 83 + apiVersion: rbac.authorization.k8s.io/v1 84 + kind: ClusterRoleBinding 85 + metadata: 86 + name: {{ include "hsm-secrets-operator.fullname" . }}-manager-rolebinding 87 + labels: 88 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 89 + roleRef: 90 + apiGroup: rbac.authorization.k8s.io 91 + kind: ClusterRole 92 + name: {{ include "hsm-secrets-operator.fullname" . }}-manager-role 93 + subjects: 94 + - kind: ServiceAccount 95 + name: {{ include "hsm-secrets-operator.serviceAccountName" . 
}} 96 + namespace: {{ .Release.Namespace }} 97 + 98 + --- 99 + apiVersion: rbac.authorization.k8s.io/v1 100 + kind: Role 101 + metadata: 102 + name: {{ include "hsm-secrets-operator.fullname" . }}-leader-election-role 103 + namespace: {{ .Release.Namespace }} 104 + labels: 105 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 106 + rules: 107 + - apiGroups: 108 + - "" 109 + resources: 110 + - configmaps 111 + verbs: 112 + - get 113 + - list 114 + - watch 115 + - create 116 + - update 117 + - patch 118 + - delete 119 + - apiGroups: 120 + - coordination.k8s.io 121 + resources: 122 + - leases 123 + verbs: 124 + - get 125 + - list 126 + - watch 127 + - create 128 + - update 129 + - patch 130 + - delete 131 + - apiGroups: 132 + - "" 133 + resources: 134 + - events 135 + verbs: 136 + - create 137 + - patch 138 + 139 + --- 140 + apiVersion: rbac.authorization.k8s.io/v1 141 + kind: RoleBinding 142 + metadata: 143 + name: {{ include "hsm-secrets-operator.fullname" . }}-leader-election-rolebinding 144 + namespace: {{ .Release.Namespace }} 145 + labels: 146 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 147 + roleRef: 148 + apiGroup: rbac.authorization.k8s.io 149 + kind: Role 150 + name: {{ include "hsm-secrets-operator.fullname" . }}-leader-election-role 151 + subjects: 152 + - kind: ServiceAccount 153 + name: {{ include "hsm-secrets-operator.serviceAccountName" . }} 154 + namespace: {{ .Release.Namespace }} 155 + 156 + {{- if .Values.metrics.enabled }} 157 + --- 158 + apiVersion: rbac.authorization.k8s.io/v1 159 + kind: ClusterRole 160 + metadata: 161 + name: {{ include "hsm-secrets-operator.fullname" . }}-metrics-reader 162 + labels: 163 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 164 + rules: 165 + - nonResourceURLs: 166 + - /metrics 167 + verbs: 168 + - get 169 + 170 + --- 171 + apiVersion: rbac.authorization.k8s.io/v1 172 + kind: ClusterRole 173 + metadata: 174 + name: {{ include "hsm-secrets-operator.fullname" . 
}}-proxy-role 175 + labels: 176 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 177 + rules: 178 + - apiGroups: 179 + - authentication.k8s.io 180 + resources: 181 + - tokenreviews 182 + verbs: 183 + - create 184 + - apiGroups: 185 + - authorization.k8s.io 186 + resources: 187 + - subjectaccessreviews 188 + verbs: 189 + - create 190 + 191 + --- 192 + apiVersion: rbac.authorization.k8s.io/v1 193 + kind: ClusterRoleBinding 194 + metadata: 195 + name: {{ include "hsm-secrets-operator.fullname" . }}-proxy-rolebinding 196 + labels: 197 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 198 + roleRef: 199 + apiGroup: rbac.authorization.k8s.io 200 + kind: ClusterRole 201 + name: {{ include "hsm-secrets-operator.fullname" . }}-proxy-role 202 + subjects: 203 + - kind: ServiceAccount 204 + name: {{ include "hsm-secrets-operator.serviceAccountName" . }} 205 + namespace: {{ .Release.Namespace }} 206 + {{- end }} 207 + {{- end }}
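Review bot: the `proxy-role` ClusterRole and its binding (lines 170-206) grant the operator's ServiceAccount `create` on `tokenreviews` and `subjectaccessreviews`, the permissions kube-rbac-proxy needs to authenticate scrapers, but deployment.yaml in this change runs no such sidecar and binds metrics directly on `0.0.0.0:8080`. Either add the proxy or remove these two objects; an unused authn/authz grant is exactly the excess privilege a least-privilege review exists to catch. Similarly, controller-runtime leader election uses `leases` by default, so the full verb set on `configmaps` in the leader-election Role (lines 107-118) can almost certainly be dropped. The cluster-wide `secrets` rule (lines 17-28) is inherent to an all-namespace operator, but the README should state plainly that it lets the operator read and modify every Secret in the cluster.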
+14
helm/hsm-secrets-operator/templates/rbac/service_account.yaml
··· 1 + {{- if .Values.serviceAccount.create -}} 2 + apiVersion: v1 3 + kind: ServiceAccount 4 + metadata: 5 + name: {{ include "hsm-secrets-operator.serviceAccountName" . }} 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 9 + {{- with .Values.serviceAccount.annotations }} 10 + annotations: 11 + {{- toYaml . | nindent 4 }} 12 + {{- end }} 13 + automountServiceAccountToken: true 14 + {{- end }}
+66
helm/hsm-secrets-operator/templates/service.yaml
··· 1 + {{- if .Values.metrics.enabled }} 2 + --- 3 + apiVersion: v1 4 + kind: Service 5 + metadata: 6 + name: {{ include "hsm-secrets-operator.metricsServiceName" . }} 7 + namespace: {{ .Release.Namespace }} 8 + labels: 9 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 10 + control-plane: controller-manager 11 + app.kubernetes.io/component: kube-rbac-proxy 12 + app.kubernetes.io/part-of: hsm-secrets-operator 13 + spec: 14 + ports: 15 + - name: https 16 + port: 8443 17 + protocol: TCP 18 + targetPort: 8080 19 + selector: 20 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 4 }} 21 + control-plane: controller-manager 22 + {{- end }} 23 + 24 + {{- if .Values.api.enabled }} 25 + --- 26 + apiVersion: v1 27 + kind: Service 28 + metadata: 29 + name: {{ include "hsm-secrets-operator.fullname" . }}-api 30 + namespace: {{ .Release.Namespace }} 31 + labels: 32 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 33 + app.kubernetes.io/component: api 34 + app.kubernetes.io/part-of: hsm-secrets-operator 35 + spec: 36 + ports: 37 + - name: api 38 + port: {{ .Values.api.port }} 39 + protocol: TCP 40 + targetPort: {{ .Values.api.port }} 41 + selector: 42 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 4 }} 43 + control-plane: controller-manager 44 + {{- end }} 45 + 46 + {{- if .Values.webhook.enabled }} 47 + --- 48 + apiVersion: v1 49 + kind: Service 50 + metadata: 51 + name: {{ include "hsm-secrets-operator.fullname" . }}-webhook-service 52 + namespace: {{ .Release.Namespace }} 53 + labels: 54 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 55 + app.kubernetes.io/component: webhook 56 + app.kubernetes.io/part-of: hsm-secrets-operator 57 + spec: 58 + ports: 59 + - name: webhook 60 + port: {{ .Values.webhook.port }} 61 + protocol: TCP 62 + targetPort: {{ .Values.webhook.port }} 63 + selector: 64 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 4 }} 65 + control-plane: controller-manager 66 + {{- end }}
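Review bot: the metrics Service (lines 15-18) exposes port `8443` named `https` and labels its component `kube-rbac-proxy`, but `targetPort: 8080` is the manager's plain-HTTP metrics listener from `--metrics-bind-address=0.0.0.0:8080`; nothing in this change terminates TLS. Either add the kube-rbac-proxy sidecar on 8443 or rename the port to `http` on 8080, so the ServiceMonitor and the Helm test stop attempting TLS against a plaintext port.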
+25
helm/hsm-secrets-operator/templates/servicemonitor.yaml
··· 1 + {{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} 2 + --- 3 + apiVersion: monitoring.coreos.com/v1 4 + kind: ServiceMonitor 5 + metadata: 6 + name: {{ include "hsm-secrets-operator.fullname" . }}-metrics 7 + namespace: {{ .Values.metrics.serviceMonitor.namespace | default .Release.Namespace }} 8 + labels: 9 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 10 + {{- with .Values.metrics.serviceMonitor.labels }} 11 + {{- toYaml . | nindent 4 }} 12 + {{- end }} 13 + spec: 14 + endpoints: 15 + - path: /metrics 16 + port: https 17 + scheme: https 18 + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 19 + tlsConfig: 20 + insecureSkipVerify: true 21 + selector: 22 + matchLabels: 23 + {{- include "hsm-secrets-operator.selectorLabels" . | nindent 6 }} 24 + control-plane: controller-manager 25 + {{- end }}
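Review bot: `tlsConfig.insecureSkipVerify: true` combined with `bearerTokenFile` (lines 18-20) sends Prometheus's ServiceAccount token to whatever answers at the scraped address, with no check of who that is. When a TLS endpoint is actually in front of the metrics, pin it with `tlsConfig.ca` and `serverName` instead of skipping verification; until then, since the Service's targetPort 8080 is plain HTTP, `scheme: http` without a bearer token is the configuration that matches what is deployed.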
+44
helm/hsm-secrets-operator/templates/tests/test-connection.yaml
··· 1 + apiVersion: v1 2 + kind: Pod 3 + metadata: 4 + name: "{{ include "hsm-secrets-operator.fullname" . }}-test-connection" 5 + namespace: {{ .Release.Namespace }} 6 + labels: 7 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 8 + annotations: 9 + "helm.sh/hook": test 10 + "helm.sh/hook-weight": "1" 11 + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 12 + spec: 13 + restartPolicy: Never 14 + containers: 15 + - name: wget 16 + image: busybox:1.36 17 + command: ['wget'] 18 + args: 19 + - '--no-check-certificate' 20 + - '--quiet' 21 + - '--timeout=30' 22 + - '--tries=1' 23 + - '--spider' 24 + {{- if .Values.metrics.enabled }} 25 + - 'http://{{ include "hsm-secrets-operator.metricsServiceName" . }}:8443/metrics' 26 + {{- else }} 27 + - 'http://{{ include "hsm-secrets-operator.controllerManagerName" . }}:8080/healthz' 28 + {{- end }} 29 + resources: 30 + limits: 31 + cpu: 100m 32 + memory: 128Mi 33 + requests: 34 + cpu: 10m 35 + memory: 32Mi 36 + securityContext: 37 + allowPrivilegeEscalation: false 38 + capabilities: 39 + drop: 40 + - ALL 41 + readOnlyRootFilesystem: true 42 + runAsNonRoot: true 43 + runAsUser: 1000 44 + runAsGroup: 1000
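Review bot: neither URL is reachable as written. The metrics branch (line 25) uses `http://` against the Service port 8443 that is named `https`, so scheme and port disagree; the fallback branch (line 27) targets `{{ include "hsm-secrets-operator.controllerManagerName" . }}:8080/healthz`, which is the Deployment name rather than a Service, and `/healthz` is served on `.Values.health.port` (8081 by default), not 8080. Point the test at a Service this chart creates (for example the api Service on `.Values.api.port`) or add a Service for the health port, and drop `--no-check-certificate`, which does nothing for an `http://` URL.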
+86
helm/hsm-secrets-operator/templates/tests/test-crds.yaml
··· 1 + {{- if .Values.crds.install }} 2 + apiVersion: v1 3 + kind: Pod 4 + metadata: 5 + name: "{{ include "hsm-secrets-operator.fullname" . }}-test-crds" 6 + namespace: {{ .Release.Namespace }} 7 + labels: 8 + {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 9 + annotations: 10 + "helm.sh/hook": test 11 + "helm.sh/hook-weight": "2" 12 + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 + spec: 14 + restartPolicy: Never 15 + serviceAccountName: {{ include "hsm-secrets-operator.serviceAccountName" . }} 16 + containers: 17 + - name: kubectl 18 + image: bitnami/kubectl:1.29 19 + command: ['/bin/sh'] 20 + args: 21 + - -c 22 + - | 23 + echo "Testing CRD installation..." 24 + 25 + # Check if HSMSecret CRD exists 26 + if ! kubectl get crd hsmsecrets.hsm.j5t.io; then 27 + echo "ERROR: HSMSecret CRD not found" 28 + exit 1 29 + fi 30 + echo "✓ HSMSecret CRD found" 31 + 32 + # Check if HSMDevice CRD exists 33 + if ! kubectl get crd hsmdevices.hsm.j5t.io; then 34 + echo "ERROR: HSMDevice CRD not found" 35 + exit 1 36 + fi 37 + echo "✓ HSMDevice CRD found" 38 + 39 + # Test creating a sample HSMSecret (dry-run) 40 + cat <<EOF | kubectl apply --dry-run=client -f - 41 + apiVersion: hsm.j5t.io/v1alpha1 42 + kind: HSMSecret 43 + metadata: 44 + name: test-secret 45 + namespace: {{ .Release.Namespace }} 46 + spec: 47 + hsmPath: "secrets/test/test-secret" 48 + secretName: "test-secret" 49 + autoSync: true 50 + syncInterval: 300 51 + EOF 52 + echo "✓ HSMSecret validation passed" 53 + 54 + # Test creating a sample HSMDevice (dry-run) 55 + cat <<EOF | kubectl apply --dry-run=client -f - 56 + apiVersion: hsm.j5t.io/v1alpha1 57 + kind: HSMDevice 58 + metadata: 59 + name: test-device 60 + namespace: {{ .Release.Namespace }} 61 + spec: 62 + deviceType: "pico-hsm" 63 + discovery: 64 + usb: 65 + enabled: true 66 + EOF 67 + echo "✓ HSMDevice validation passed" 68 + 69 + echo "All CRD tests passed!" 
70 + resources: 71 + limits: 72 + cpu: 200m 73 + memory: 256Mi 74 + requests: 75 + cpu: 50m 76 + memory: 64Mi 77 + securityContext: 78 + allowPrivilegeEscalation: false 79 + capabilities: 80 + drop: 81 + - ALL 82 + readOnlyRootFilesystem: true 83 + runAsNonRoot: true 84 + runAsUser: 1001 85 + runAsGroup: 1001 86 + {{- end }}
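Review bot: the test pod runs as the operator's ServiceAccount (line 15), but the `manager-role` ClusterRole in this change grants nothing on `customresourcedefinitions` in `apiextensions.k8s.io`, so `kubectl get crd` (lines 26 and 33) is forbidden and the test fails on a correct install. Give the test its own ServiceAccount and a ClusterRole with `get` on CRDs rather than widening the operator's permissions. Also `--dry-run=client` (lines 40 and 55) never submits the object, so the CRD's server-side schema validation, defaulting and any admission webhooks are not exercised and the two "validation passed" lines prove little; `--dry-run=server` does exercise them, and the ServiceAccount already has `create` on hsmsecrets and hsmdevices.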
+185
helm/hsm-secrets-operator/values.yaml
··· 1 + # Default values for hsm-secrets-operator. 2 + # This is a YAML-formatted file. 3 + # Declare variables to be passed into your templates. 4 + 5 + # Operator image configuration 6 + image: 7 + repository: hsm-secrets-operator 8 + pullPolicy: IfNotPresent 9 + tag: "" # Defaults to the chart appVersion 10 + 11 + imagePullSecrets: [] 12 + nameOverride: "" 13 + fullnameOverride: "" 14 + 15 + # Controller manager configuration 16 + controllerManager: 17 + # Number of replicas for the controller manager 18 + replicas: 1 19 + 20 + # Resource limits and requests 21 + resources: 22 + limits: 23 + cpu: 500m 24 + memory: 128Mi 25 + requests: 26 + cpu: 10m 27 + memory: 64Mi 28 + 29 + # Security context for the controller container 30 + securityContext: 31 + allowPrivilegeEscalation: false 32 + capabilities: 33 + drop: 34 + - "ALL" 35 + 36 + # Pod security context 37 + podSecurityContext: 38 + runAsNonRoot: true 39 + # runAsUser: 1001 40 + 41 + # Service account configuration 42 + serviceAccount: 43 + # Specifies whether a service account should be created 44 + create: true 45 + # Annotations to add to the service account 46 + annotations: {} 47 + # The name of the service account to use. 
48 + # If not set and create is true, a name is generated using the fullname template 49 + name: "" 50 + 51 + # RBAC configuration 52 + rbac: 53 + # Specifies whether RBAC resources should be created 54 + create: true 55 + 56 + # Pod annotations 57 + podAnnotations: {} 58 + 59 + # Pod labels 60 + podLabels: {} 61 + 62 + # Node selector for controller pods 63 + nodeSelector: {} 64 + 65 + # Tolerations for controller pods 66 + tolerations: [] 67 + 68 + # Affinity for controller pods 69 + affinity: {} 70 + 71 + # HSM configuration 72 + hsm: 73 + # HSM client type: "mock" for testing, "pkcs11" for production 74 + clientType: "mock" 75 + 76 + # PKCS#11 library configuration (used when clientType is "pkcs11") 77 + pkcs11: 78 + # Path to the PKCS#11 library 79 + library: "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" 80 + # HSM slot ID 81 + slotId: 0 82 + # HSM PIN (should be provided via secret) 83 + pinSecret: 84 + name: "hsm-pin" 85 + key: "pin" 86 + 87 + # Device discovery configuration 88 + discovery: 89 + # Enable device discovery (DaemonSet) 90 + enabled: true 91 + 92 + # USB device discovery 93 + usb: 94 + enabled: true 95 + # Well-known HSM device types to discover 96 + deviceTypes: 97 + - "pico-hsm" 98 + - "smartcard-hsm" 99 + 100 + # Path-based device discovery 101 + path: 102 + enabled: true 103 + patterns: 104 + - "/dev/ttyUSB*" 105 + - "/dev/hidraw*" 106 + 107 + # API server configuration 108 + api: 109 + # Enable the REST API server 110 + enabled: true 111 + # Port for the API server 112 + port: 8080 113 + # Enable metrics endpoint 114 + metrics: 115 + enabled: true 116 + port: 8443 117 + 118 + # Metrics configuration 119 + metrics: 120 + # Enable metrics collection 121 + enabled: true 122 + # Service monitor for Prometheus 123 + serviceMonitor: 124 + enabled: false 125 + namespace: "" 126 + labels: {} 127 + 128 + # Webhook configuration 129 + webhook: 130 + # Enable admission webhooks 131 + enabled: true 132 + port: 9443 133 + 134 + # Certificate 
configuration 135 + certManager: 136 + enabled: false 137 + 138 + # Certificate Secret (when certManager is disabled) 139 + # You need to provide your own certificates 140 + secret: 141 + name: webhook-server-certs 142 + 143 + # Health check configuration 144 + health: 145 + # Health check probe port 146 + port: 8081 147 + 148 + # Leader election configuration 149 + leaderElection: 150 + enabled: true 151 + 152 + # Custom Resource Definitions 153 + crds: 154 + # Install CRDs as part of the chart 155 + install: true 156 + # Keep CRDs when the chart is uninstalled 157 + keep: true 158 + 159 + # Examples and samples 160 + examples: 161 + # Create sample HSMSecret resources 162 + hsmsecret: 163 + enabled: false 164 + samples: 165 + - name: "example-secret" 166 + namespace: "default" 167 + hsmPath: "secrets/examples/example-secret" 168 + syncInterval: 300 169 + 170 + # Create sample HSMDevice resources 171 + hsmdevice: 172 + enabled: false 173 + samples: 174 + - name: "pico-hsm-discovery" 175 + namespace: "default" 176 + deviceType: "pico-hsm" 177 + 178 + # Additional configuration 179 + config: 180 + # Default sync interval for HSMSecrets (seconds) 181 + defaultSyncInterval: 300 182 + # Default secret type for created Kubernetes secrets 183 + defaultSecretType: "Opaque" 184 + # Enable verbose logging 185 + verboseLogging: false
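Review bot: `hsm.clientType` defaults to `"mock"` (commented as "for testing"), so a plain `helm install` of a secrets operator runs against a fake HSM and produces Kubernetes Secrets that are not HSM-backed without any signal to the operator's user; a safer default for this chart is to make the value explicit (a `required` check in the template, or defaulting to `pkcs11` with the mock as opt-in) and to state it in the chart README. Related defaults that do not fit together: `webhook.enabled: true` with `webhook.certManager.enabled: false` means the default install expects a pre-existing `webhook-server-certs` Secret ("You need to provide your own certificates") that nothing in the chart creates, so either default `certManager.enabled` to `true` or make the webhook opt-in; `image.repository: hsm-secrets-operator` carries no registry, so the default pull resolves to Docker Hub's `library/` namespace rather than the project's image; and metrics are configured twice (`api.metrics.enabled` with `port: 8443`, and a top-level `metrics.enabled`), which should be collapsed to one block so the Service, ServiceMonitor and container port read the same setting. Finally, `podSecurityContext.runAsNonRoot: true` with `runAsUser` left commented out is only satisfied if the image declares a numeric non-root `USER`; otherwise the kubelet refuses to start the container.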
+310
scripts/install-chart.sh
··· 1 + #!/bin/bash 2 + # HSM Secrets Operator Helm Chart Installation Script 3 + 4 + set -euo pipefail 5 + 6 + # Configuration 7 + CHART_REPO_URL="https://evanjarrett.github.io/hsm-secrets-operator/" 8 + CHART_NAME="hsm-secrets-operator" 9 + RELEASE_NAME="hsm-secrets-operator" 10 + NAMESPACE="hsm-secrets-operator-system" 11 + 12 + # Colors for output 13 + RED='\033[0;31m' 14 + GREEN='\033[0;32m' 15 + YELLOW='\033[1;33m' 16 + BLUE='\033[0;34m' 17 + NC='\033[0m' # No Color 18 + 19 + # Functions 20 + log_info() { 21 + echo -e "${BLUE}[INFO]${NC} $1" 22 + } 23 + 24 + log_success() { 25 + echo -e "${GREEN}[SUCCESS]${NC} $1" 26 + } 27 + 28 + log_warn() { 29 + echo -e "${YELLOW}[WARN]${NC} $1" 30 + } 31 + 32 + log_error() { 33 + echo -e "${RED}[ERROR]${NC} $1" 34 + } 35 + 36 + usage() { 37 + cat << EOF 38 + HSM Secrets Operator Installation Script 39 + 40 + Usage: $0 [OPTIONS] 41 + 42 + Options: 43 + -h, --help Show this help message 44 + -n, --namespace Kubernetes namespace (default: ${NAMESPACE}) 45 + -r, --release Helm release name (default: ${RELEASE_NAME}) 46 + --mock Install with mock HSM client (default) 47 + --pkcs11 Install with PKCS#11 HSM client 48 + --library PKCS#11 library path (default: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so) 49 + --slot-id PKCS#11 slot ID (default: 0) 50 + --pin-secret Name of secret containing HSM PIN (required for PKCS#11) 51 + --examples Install with example resources 52 + --monitoring Enable Prometheus ServiceMonitor 53 + --dry-run Show what would be installed without actually installing 54 + --upgrade Upgrade existing installation 55 + --uninstall Uninstall the operator 56 + 57 + Examples: 58 + # Install with mock HSM (for testing) 59 + $0 --mock --examples 60 + 61 + # Install with PKCS#11 HSM 62 + kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin 63 + $0 --pkcs11 --pin-secret hsm-pin 64 + 65 + # Upgrade existing installation 66 + $0 --upgrade --monitoring 67 + 68 + # Uninstall 69 + $0 --uninstall 70 + EOF 71 
+ } 72 + 73 + check_prerequisites() { 74 + log_info "Checking prerequisites..." 75 + 76 + if ! command -v kubectl &> /dev/null; then 77 + log_error "kubectl is not installed or not in PATH" 78 + exit 1 79 + fi 80 + 81 + if ! command -v helm &> /dev/null; then 82 + log_error "helm is not installed or not in PATH" 83 + exit 1 84 + fi 85 + 86 + # Check if cluster is accessible 87 + if ! kubectl cluster-info &> /dev/null; then 88 + log_error "Cannot connect to Kubernetes cluster" 89 + exit 1 90 + fi 91 + 92 + log_success "Prerequisites checked" 93 + } 94 + 95 + add_helm_repo() { 96 + log_info "Adding Helm repository..." 97 + if helm repo list | grep -q "${CHART_NAME}"; then 98 + log_info "Repository already exists, updating..." 99 + else 100 + helm repo add "${CHART_NAME}" "${CHART_REPO_URL}" 101 + fi 102 + helm repo update "${CHART_NAME}" 103 + log_success "Helm repository ready" 104 + } 105 + 106 + create_namespace() { 107 + log_info "Creating namespace ${NAMESPACE}..." 108 + kubectl create namespace "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f - 109 + log_success "Namespace ${NAMESPACE} ready" 110 + } 111 + 112 + install_operator() { 113 + local helm_args=() 114 + 115 + # Build helm arguments 116 + if [[ "${DRY_RUN}" == "true" ]]; then 117 + helm_args+=(--dry-run --debug) 118 + log_info "Performing dry run..." 119 + fi 120 + 121 + if [[ "${UPGRADE}" == "true" ]]; then 122 + local cmd="upgrade" 123 + helm_args+=(--install) 124 + log_info "Upgrading operator..." 125 + else 126 + local cmd="install" 127 + log_info "Installing operator..." 
128 + fi 129 + 130 + helm_args+=(--namespace "${NAMESPACE}") 131 + helm_args+=(--create-namespace) 132 + 133 + # HSM configuration 134 + if [[ "${HSM_TYPE}" == "pkcs11" ]]; then 135 + helm_args+=(--set hsm.clientType=pkcs11) 136 + helm_args+=(--set hsm.pkcs11.library="${PKCS11_LIBRARY}") 137 + helm_args+=(--set hsm.pkcs11.slotId="${PKCS11_SLOT_ID}") 138 + if [[ -n "${PIN_SECRET}" ]]; then 139 + helm_args+=(--set hsm.pkcs11.pinSecret.name="${PIN_SECRET}") 140 + fi 141 + else 142 + helm_args+=(--set hsm.clientType=mock) 143 + fi 144 + 145 + # Optional features 146 + if [[ "${EXAMPLES}" == "true" ]]; then 147 + helm_args+=(--set examples.hsmsecret.enabled=true) 148 + helm_args+=(--set examples.hsmdevice.enabled=true) 149 + fi 150 + 151 + if [[ "${MONITORING}" == "true" ]]; then 152 + helm_args+=(--set metrics.serviceMonitor.enabled=true) 153 + fi 154 + 155 + # Execute helm command 156 + helm "${cmd}" "${RELEASE_NAME}" "${CHART_NAME}/${CHART_NAME}" "${helm_args[@]}" 157 + 158 + if [[ "${DRY_RUN}" != "true" ]]; then 159 + log_success "Operator installed successfully!" 160 + 161 + # Wait for deployment 162 + log_info "Waiting for deployment to be ready..." 163 + kubectl wait --for=condition=available deployment/${RELEASE_NAME}-controller-manager \ 164 + --namespace="${NAMESPACE}" --timeout=300s 165 + 166 + log_success "Deployment is ready!" 167 + 168 + # Show status 169 + show_status 170 + fi 171 + } 172 + 173 + uninstall_operator() { 174 + log_info "Uninstalling operator..." 175 + 176 + if helm list --namespace "${NAMESPACE}" | grep -q "${RELEASE_NAME}"; then 177 + helm uninstall "${RELEASE_NAME}" --namespace "${NAMESPACE}" 178 + log_success "Operator uninstalled" 179 + else 180 + log_warn "Operator not found" 181 + fi 182 + 183 + # Optionally remove namespace 184 + read -p "Remove namespace ${NAMESPACE}? 
(y/N) " -n 1 -r 185 + echo 186 + if [[ $REPLY =~ ^[Yy]$ ]]; then 187 + kubectl delete namespace "${NAMESPACE}" --ignore-not-found 188 + log_success "Namespace removed" 189 + fi 190 + } 191 + 192 + show_status() { 193 + log_info "Current status:" 194 + echo 195 + 196 + # Helm release status 197 + helm status "${RELEASE_NAME}" --namespace "${NAMESPACE}" || true 198 + echo 199 + 200 + # Pod status 201 + log_info "Pods in namespace ${NAMESPACE}:" 202 + kubectl get pods --namespace="${NAMESPACE}" || true 203 + echo 204 + 205 + # Custom resources 206 + log_info "Custom resources:" 207 + kubectl get hsmsecrets,hsmdevices --all-namespaces 2>/dev/null || log_warn "No custom resources found" 208 + echo 209 + 210 + # Connection information 211 + log_info "To access the API server:" 212 + echo " kubectl port-forward svc/${RELEASE_NAME}-api 8080:8080 --namespace=${NAMESPACE}" 213 + echo 214 + 215 + log_info "To view logs:" 216 + echo " kubectl logs -f deployment/${RELEASE_NAME}-controller-manager --namespace=${NAMESPACE}" 217 + } 218 + 219 + # Default values 220 + NAMESPACE="hsm-secrets-operator-system" 221 + RELEASE_NAME="hsm-secrets-operator" 222 + HSM_TYPE="mock" 223 + PKCS11_LIBRARY="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" 224 + PKCS11_SLOT_ID="0" 225 + PIN_SECRET="" 226 + EXAMPLES="false" 227 + MONITORING="false" 228 + DRY_RUN="false" 229 + UPGRADE="false" 230 + UNINSTALL="false" 231 + 232 + # Parse arguments 233 + while [[ $# -gt 0 ]]; do 234 + case $1 in 235 + -h|--help) 236 + usage 237 + exit 0 238 + ;; 239 + -n|--namespace) 240 + NAMESPACE="$2" 241 + shift 2 242 + ;; 243 + -r|--release) 244 + RELEASE_NAME="$2" 245 + shift 2 246 + ;; 247 + --mock) 248 + HSM_TYPE="mock" 249 + shift 250 + ;; 251 + --pkcs11) 252 + HSM_TYPE="pkcs11" 253 + shift 254 + ;; 255 + --library) 256 + PKCS11_LIBRARY="$2" 257 + shift 2 258 + ;; 259 + --slot-id) 260 + PKCS11_SLOT_ID="$2" 261 + shift 2 262 + ;; 263 + --pin-secret) 264 + PIN_SECRET="$2" 265 + shift 2 266 + ;; 267 + --examples) 268 + 
EXAMPLES="true" 269 + shift 270 + ;; 271 + --monitoring) 272 + MONITORING="true" 273 + shift 274 + ;; 275 + --dry-run) 276 + DRY_RUN="true" 277 + shift 278 + ;; 279 + --upgrade) 280 + UPGRADE="true" 281 + shift 282 + ;; 283 + --uninstall) 284 + UNINSTALL="true" 285 + shift 286 + ;; 287 + *) 288 + log_error "Unknown option: $1" 289 + usage 290 + exit 1 291 + ;; 292 + esac 293 + done 294 + 295 + # Validation 296 + if [[ "${HSM_TYPE}" == "pkcs11" && -z "${PIN_SECRET}" ]]; then 297 + log_error "PKCS#11 configuration requires --pin-secret to be specified" 298 + log_info "Create the secret first: kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin" 299 + exit 1 300 + fi 301 + 302 + # Main execution 303 + if [[ "${UNINSTALL}" == "true" ]]; then 304 + uninstall_operator 305 + else 306 + check_prerequisites 307 + add_helm_repo 308 + create_namespace 309 + install_operator 310 + fi
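Review bot: the PKCS#11 path validates that `--pin-secret` was given but never checks that the Secret exists where the operator will look for it, and the example the script prints in both `usage()` and the validation block (`kubectl create secret generic hsm-pin --from-literal=pin=your-hsm-pin`) creates the Secret in the caller's current kubectl namespace rather than `${NAMESPACE}`; since the chart references the PIN by name only (`hsm.pkcs11.pinSecret.name`), it is presumably read from the release namespace, so a default run ends with a controller that cannot find its PIN. Suggest adding `--namespace "${NAMESPACE}"` to both examples, adding `kubectl get secret "${PIN_SECRET}" --namespace "${NAMESPACE}" >/dev/null` to the validation block before `install_operator`, and preferring `--from-file=pin=<path>` or a stdin read over `--from-literal`, so the PIN does not land in shell history and `ps` output. Smaller points: `add_helm_repo` tests `helm repo list | grep -q "${CHART_NAME}"` unanchored, so any repo whose line contains the substring suppresses the `helm repo add`; `create_namespace` duplicates the `--create-namespace` flag passed to helm; and the `read -p` prompt in `uninstall_operator` blocks under non-interactive use, so a `--yes` flag or a `[[ -t 0 ]]` check would help.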