

chore: bump version to 0.6.16

+20 -4
+6
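--- a/Dockerfile
+++ b/Dockerfile
@@ -38,6 +38,12 @@
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
+# Create USB device access groups and add user to them
+RUN addgroup -g 20 dialout && \
+adduser 65532 dialout && \
+addgroup -g 85 usb 2>/dev/null || true && \
+adduser 65532 usb 2>/dev/null || true
+
 RUN mkdir -p /var/run/pcscd /var/lock/pcsc && \
 chown -R 65532:65532 /var/run/pcscd /var/lock/pcsc && \
 chmod 755 /var/run/pcscd /var/lock/pcsc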
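Review bot: The `|| true` on the last line of the new RUN masks failures of the whole chain, not only the usb-group step: the shell parses `A && B && C || true && D || true` as `(((A && B && C) || true) && D) || true`, so a failing `addgroup -g 20 dialout` or `adduser 65532 dialout` no longer breaks the build and the image silently ships without the group membership the rest of this commit relies on. Splitting the tolerated steps out keeps the intended semantics, e.g. `RUN addgroup -g 20 dialout && adduser 65532 dialout` followed by `RUN (addgroup -g 85 usb || true) && (adduser 65532 usb || true)`. `adduser 65532 dialout` also presumes the base image has a passwd entry literally named `65532`, and GIDs 20 and 85 only help if they match the group owning the device nodes on the host; a one-line comment stating both assumptions would save the next reader a debugging session.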
+1 -1
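--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.6.15
+VERSION ?= 0.6.16
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")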
+7
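--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -15,6 +15,13 @@
 exit 1
 fi
 
+# Try to trigger udev rules for USB devices
+if command -v udevadm >/dev/null 2>&1; then
+echo "Triggering udev rules for USB devices..."
+udevadm trigger --subsystem-match=usb --action=add 2>/dev/null || true
+udevadm settle --timeout=2 2>/dev/null || true
+fi
+
 # Start pcscd with debug output
 echo "Starting pcscd..."
 pcscd -f -d -a &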
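Review bot: The two `udevadm` calls discard both stderr and their exit status, so when they cannot do anything — which looks likely here, since the controller change in this same commit runs the container as a non-root uid and `udevadm trigger` needs write access to sysfs uevent files, and nothing on the page shows a udevd inside the container to act on the events — the log still prints "Triggering udev rules for USB devices..." and gives no hint that the step was a no-op. Keep the best-effort behaviour but surface the failure, e.g. `udevadm trigger --subsystem-match=usb --action=add || echo "udevadm trigger failed; continuing" >&2` and the same for `udevadm settle`. A comment above the block saying that the trigger is expected to fail unless the pod has write access to sysfs would also stop future readers from assuming this path is what makes the device appear.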
+2 -2
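--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.6.15
-appVersion: v0.6.15
+version: 0.6.16
+appVersion: v0.6.16
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: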
+4 -1
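--- a/internal/controller/hsmpool_agent_controller.go
+++ b/internal/controller/hsmpool_agent_controller.go
@@ -613,7 +613,7 @@
 SecurityContext: &corev1.PodSecurityContext{
 RunAsUser: &pcscdUserId,
 RunAsGroup: &pcscdGroupId,
-RunAsNonRoot: falsePtr,
+RunAsNonRoot: truePtr,
 },
 ServiceAccountName: r.ServiceAccountName,
 Containers: []corev1.Container{
@@ -676,6 +676,9 @@
 RunAsUser: &pcscdUserId,
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
+Add: []corev1.Capability{
+"DAC_OVERRIDE", // Allow bypassing file permission checks for USB devices
+},
 },
 SeccompProfile: &corev1.SeccompProfile{
 Type: corev1.SeccompProfileTypeRuntimeDefault,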
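Review bot: `DAC_OVERRIDE` in the new `Add` list is not scoped to USB device nodes: it lets the process bypass read, write and execute permission checks on every file visible in the container (mounted secrets, the service-account token, the pcscd socket and lock directories), so the comment "for USB devices" understates what is granted and `Drop: ALL` just above is largely undone for file access. The Dockerfile in this commit already adds uid 65532 to the `dialout` and `usb` groups; the narrower route is to make those groups effective on the pod side and leave the capability out, e.g. `SupplementalGroups: []int64{20, 85},` next to `RunAsGroup` in the `PodSecurityContext`, with the GIDs matching whatever group owns the device nodes on the host. If the capability has to stay, the comment should be accurate: `// DAC_OVERRIDE bypasses permission checks on all files, not only USB device nodes; needed because the device-node group is not known at build time`. The enclosing function starts and ends outside this section.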