A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


debug

+57 -22
+6 -1
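--- a/Dockerfile
+++ b/Dockerfile
@@ -30,13 +30,18 @@
 RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o hsm-operator cmd/hsm-operator/main.go
 
 FROM alpine:3.22
-RUN apk add --no-cache opensc-dev ccid pcsc-lite openssl libtool libusb ca-certificates eudev polkit
+RUN apk add --no-cache opensc-dev ccid pcsc-lite openssl libtool libusb ca-certificates eudev
 
 WORKDIR /
 COPY --from=builder /workspace/hsm-operator .
 COPY --from=builder /workspace/web ./web/
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
+
+RUN mkdir -p /var/run/pcscd /var/lock/pcsc && \
+    chown -R 65532:65532 /var/run/pcscd /var/lock/pcsc && \
+    chmod 755 /var/run/pcscd /var/lock/pcsc
+
 USER 65532:65532
 
 ENTRYPOINT ["/entrypoint.sh"]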
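Review bot: The build-time `mkdir -p` / `chown -R 65532:65532` of /var/run/pcscd and /var/lock/pcsc (lines 41-43) only helps if nothing is mounted over those paths at runtime; the agent Deployment changed in this same commit mounts a `pcscd-run` volume, and if that volume lands on /var/run/pcscd it shadows the image directory with a fresh, root-owned emptyDir, and the non-root pcscd cannot create its socket there. If that is the mount point, the ownership belongs in the pod security context (`fsGroup`, or `RunAsGroup: &pcscdGroupId` next to `RunAsUser`) rather than in the image layer, and the RUN can go. Either way the RUN deserves a comment such as `# pcscd runs as uid 65532 and needs writable socket/lock dirs; a volume mounted here overrides this ownership`.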
+32 -2
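--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,8 +1,38 @@
 #!/bin/sh
 set -e
 
-pcscd -d -a &
-sleep 2
+# Debug: Show user and USB device permissions for agent mode only
+if [ "$1" = "agent" ]; then
+    echo "Starting pcscd as user: $(id)"
+    echo "Groups: $(groups)"
+    echo "USB device permissions:"
+    if [ -d /dev/bus/usb ]; then
+        ls -la /dev/bus/usb/ | head -20
+        echo "Checking for specific USB devices..."
+        find /dev/bus/usb -type c -exec ls -la {} \; 2>/dev/null | grep -E "20a0|4230" || echo "No HSM devices found by vendor/product ID yet"
+    else
+        echo "ERROR: /dev/bus/usb not mounted"
+        exit 1
+    fi
+
+    # Start pcscd with debug output
+    echo "Starting pcscd..."
+    pcscd -f -d -a &
+    PCSCD_PID=$!
+
+    sleep 3
+
+    # Verify pcscd started successfully
+    if ! kill -0 $PCSCD_PID 2>/dev/null; then
+        echo "ERROR: pcscd failed to start"
+        echo "Checking USB access permissions..."
+        # Try to access a USB device to see the actual error
+        cat /dev/bus/usb/001/001 > /dev/null 2>&1 || echo "Cannot read USB devices: $?"
+        exit 1
+    fi
+
+    echo "pcscd started successfully with PID $PCSCD_PID"
+fi
 
 # Entrypoint script for HSM Secrets Operator
 # Supports running manager, discovery, or agent binaries from the same container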
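Review bot: `pcscd -f -d -a &` at line 20 turns on APDU tracing (`-a`) for every agent start, not only while debugging, so the PIN-verification and key-handling APDUs exchanged with the HSM are written to the container log, where anyone with pod log access can read them. Gate the debug flags on an explicit opt-in, e.g. `PCSCD_OPTS="-f"`, `[ "${PCSCD_DEBUG:-0}" = "1" ] && PCSCD_OPTS="$PCSCD_OPTS -d -a"`, then `pcscd $PCSCD_OPTS &` (env var name is a suggestion), and keep the `ls`/`find` device listings behind the same switch. The `sleep 3` followed by `kill -0` only proves the daemon has not died yet, not that it is ready; waiting for the pcscd socket to appear would be a more reliable readiness check. The `exit 1` paths are fine under `set -e`, but the `cat /dev/bus/usb/001/001` probe assumes that node exists and its `$?` is only meaningful inside the `||` branch.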
+19 -19
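--- a/internal/controller/hsmpool_agent_controller.go
+++ b/internal/controller/hsmpool_agent_controller.go
@@ -531,7 +531,6 @@
 	}
 
 	targetNode := specificDevice.NodeName
-	devicePath := specificDevice.DevicePath
 	deviceName := hsmPool.OwnerReferences[0].Name
 
 	// Get agent image from config or fallback to auto-detection
@@ -545,13 +544,13 @@
 
 	var replicas int32 = 1
 	// var rootUserId int64 = 0
-	var pcscdUserId int64 = 100
-	var pcscdGroupId int64 = 101
+	var pcscdUserId int64 = 65532
+	var pcscdGroupId int64 = 65532
 	falsePtr := new(bool)
 	*falsePtr = false
 	truePtr := new(bool)
 	*truePtr = true
-	hostPath := corev1.HostPathCharDev
+	hostPathDirectory := corev1.HostPathDirectory
 
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -671,16 +670,16 @@
 						},
 						SecurityContext: &corev1.SecurityContext{
 							Privileged: falsePtr,
-							AllowPrivilegeEscalation: truePtr,
-							// Capabilities: &corev1.Capabilities{
-							// 	Drop: []corev1.Capability{},
-							// 	Add: []corev1.Capability{
-							// 		"SYS_ADMIN",
-							// 	},
-							// },
-							ReadOnlyRootFilesystem: falsePtr,
-							RunAsNonRoot: truePtr,
-							RunAsUser: &pcscdUserId,
+							AllowPrivilegeEscalation: falsePtr,
+							ReadOnlyRootFilesystem: falsePtr,
+							RunAsNonRoot: truePtr,
+							RunAsUser: &pcscdUserId,
+							Capabilities: &corev1.Capabilities{
+								Drop: []corev1.Capability{"ALL"},
+							},
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: corev1.SeccompProfileTypeRuntimeDefault,
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -688,8 +687,9 @@
 								MountPath: "/tmp",
 							},
 							{
-								Name: "hsm-device",
-								MountPath: "/dev/hsm",
+								Name: "usb-bus",
+								MountPath: "/dev/bus/usb",
+								ReadOnly: false,
 							},
 							{
 								Name: "pcscd-run",
@@ -706,11 +706,11 @@
 					},
 				},
 				{
-					Name: "hsm-device",
+					Name: "usb-bus",
 					VolumeSource: corev1.VolumeSource{
 						HostPath: &corev1.HostPathVolumeSource{
-							Path: devicePath,
-							Type: &hostPath,
+							Path: "/dev/bus/usb",
+							Type: &hostPathDirectory,
 						},
 					},
 				},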
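Review bot: Replacing the per-device `HostPathCharDev` mount with the host's whole `/dev/bus/usb` directory, mounted read-write (lines 690-692 and 712-713), gives the agent pod access to every USB device on the node rather than just the discovered HSM, and `specificDevice.DevicePath` (dropped at line 534) no longer narrows it. The tightened SecurityContext in the same hunk (no privilege escalation, `Drop: []corev1.Capability{"ALL"}`, RuntimeDefault seccomp) is a clear improvement, but the broad hostPath undoes much of it; consider keeping `Path: devicePath` with `HostPathCharDev` pointing at the specific bus/device node, or a device plugin, and if the whole bus is genuinely required, say why in a comment on the volume, e.g. `// pcscd enumerates the bus itself, so the per-device node is not enough; keep this mount as narrow as libccid allows`. Separately, `ReadOnlyRootFilesystem: falsePtr` is kept although /tmp and pcscd-run are separate volumes — if those are the only paths the agent writes, `truePtr` would be safe here, and the stale `// var rootUserId int64 = 0` comment at line 546 can go. The enclosing function starts and ends outside the hunks.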