A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


remove mounts

+69 -91
-11
helm/hsm-secrets-operator/templates/daemonset.yaml
··· 78 78 - name: sys 79 79 mountPath: /sys 80 80 readOnly: true 81 - {{- if eq .Values.hsm.clientType "pkcs11" }} 82 - - name: pkcs11-lib 83 - mountPath: /usr/lib/x86_64-linux-gnu 84 - readOnly: true 85 - {{- end }} 86 81 volumes: 87 82 - name: plugins-registry 88 83 hostPath: ··· 100 95 hostPath: 101 96 path: /sys 102 97 type: Directory 103 - {{- if eq .Values.hsm.clientType "pkcs11" }} 104 - - name: pkcs11-lib 105 - hostPath: 106 - path: /usr/lib/x86_64-linux-gnu 107 - type: Directory 108 - {{- end }} 109 98 hostNetwork: false 110 99 hostPID: false 111 100 hostIPC: false
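Review bot: Once the `pkcs11-lib` mount and its hostPath volume are gone (old lines 81-85 and 103-108), nothing in the chart records where a PKCS#11 module is now expected to live, while the device examples in values.yaml still point `libraryPath` at `/usr/lib/x86_64-linux-gnu/…`, the directory this mount used to expose. Dropping a read-only hostPath on the host's whole library directory is a sound narrowing of the pod's view of the node (and it removes an x86_64-only assumption), but the new expectation should be stated next to the remaining volumes, e.g. `# PKCS#11 modules must be shipped in the image; the host library directory is no longer mounted`. The same note applies to the deployment.yaml section. The enclosing container spec starts before this section, so any `volumeMounts:` guard above line 78 is not visible here.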
-11
helm/hsm-secrets-operator/templates/deployment.yaml
··· 104 104 {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} 105 105 {{- if or (eq .Values.hsm.clientType "pkcs11") .Values.discovery.enabled }} 106 106 volumeMounts: 107 - {{- if eq .Values.hsm.clientType "pkcs11" }} 108 - - name: pkcs11-lib 109 - mountPath: /usr/lib/x86_64-linux-gnu 110 - readOnly: true 111 - {{- end }} 112 107 {{- if .Values.discovery.enabled }} 113 108 - name: dev 114 109 mountPath: /dev ··· 125 120 {{- end }} 126 121 {{- if or (eq .Values.hsm.clientType "pkcs11") .Values.discovery.enabled .Values.webhook.enabled }} 127 122 volumes: 128 - {{- if eq .Values.hsm.clientType "pkcs11" }} 129 - - name: pkcs11-lib 130 - hostPath: 131 - path: /usr/lib/x86_64-linux-gnu 132 - type: Directory 133 - {{- end }} 134 123 {{- if .Values.discovery.enabled }} 135 124 - name: dev 136 125 hostPath:
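Review bot: The guards at lines 105 and 121 still test `eq .Values.hsm.clientType "pkcs11"`, but the only branches that condition used to enable are the ones this commit removes, so as far as the visible lines show a release with `clientType: pkcs11` and discovery (and webhook) disabled now renders `volumeMounts:` and `volumes:` with nothing beneath them — a null field instead of the keys being omitted. Drop the stale term from both conditions: `{{- if .Values.discovery.enabled }}` at line 105 and `{{- if or .Values.discovery.enabled .Values.webhook.enabled }}` at line 121. The enclosing container and pod specs start and end outside this section.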
+69 -69
helm/hsm-secrets-operator/values.yaml
··· 164 164 # Enable HSMDevice resource creation 165 165 enabled: false 166 166 # List of HSM devices to create and manage 167 - devices: 168 - - name: "pico-hsm-discovery" 169 - namespace: "default" 170 - deviceType: "PicoHSM" 171 - maxDevices: 5 172 - # Discovery configuration 173 - discovery: 174 - usb: 175 - vendorId: "20a0" 176 - productId: "4230" 177 - # PKCS#11 configuration 178 - pkcs11: 179 - libraryPath: "/usr/lib/libsc-hsm-pkcs11.so" 180 - slotId: 0 181 - pinSecret: 182 - name: "pico-hsm-pin" 183 - key: "pin" 184 - - name: "smartcard-hsm-discovery" 185 - namespace: "default" 186 - deviceType: "SmartCard-HSM" 187 - maxDevices: 3 188 - # Discovery configuration 189 - discovery: 190 - usb: 191 - vendorId: "04e6" 192 - productId: "5816" 193 - # PKCS#11 configuration 194 - pkcs11: 195 - libraryPath: "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" 196 - slotId: 0 197 - pinSecret: 198 - name: "smartcard-hsm-pin" 199 - key: "pin" 200 - # Example: YubiKey HSM with custom configuration 201 - - name: "yubikey-hsm" 202 - namespace: "default" 203 - deviceType: "Generic" 204 - maxDevices: 2 205 - discovery: 206 - usb: 207 - vendorId: "1050" 208 - productId: "0407" 209 - pkcs11: 210 - libraryPath: "/usr/lib/x86_64-linux-gnu/libykcs11.so" 211 - slotId: 9 212 - tokenLabel: "YubiHSM" 213 - pinSecret: 214 - name: "yubikey-pin" 215 - key: "pin" 216 - namespace: "security" # Different namespace 217 - # Only create this device on nodes with specific label 218 - nodeSelector: 219 - hsm-type: "yubikey" 220 - # Example: Device path-based discovery for custom HSM 221 - - name: "custom-hsm-path" 222 - namespace: "security" 223 - deviceType: "Generic" 224 - maxDevices: 1 225 - discovery: 226 - devicePath: 227 - path: "/dev/custom-hsm*" 228 - permissions: "0666" 229 - pkcs11: 230 - libraryPath: "/opt/custom-hsm/lib/libcustom-pkcs11.so" 231 - slotId: 1 232 - pinSecret: 233 - name: "custom-hsm-credentials" 234 - key: "hsm-pin" 235 - namespace: "security" 167 + # devices: 168 + # - name: 
"pico-hsm-discovery" 169 + # namespace: "default" 170 + # deviceType: "PicoHSM" 171 + # maxDevices: 5 172 + # # Discovery configuration 173 + # discovery: 174 + # usb: 175 + # vendorId: "20a0" 176 + # productId: "4230" 177 + # # PKCS#11 configuration 178 + # pkcs11: 179 + # libraryPath: "/usr/lib/libsc-hsm-pkcs11.so" 180 + # slotId: 0 181 + # pinSecret: 182 + # name: "pico-hsm-pin" 183 + # key: "pin" 184 + # - name: "smartcard-hsm-discovery" 185 + # namespace: "default" 186 + # deviceType: "SmartCard-HSM" 187 + # maxDevices: 3 188 + # # Discovery configuration 189 + # discovery: 190 + # usb: 191 + # vendorId: "04e6" 192 + # productId: "5816" 193 + # # PKCS#11 configuration 194 + # pkcs11: 195 + # libraryPath: "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" 196 + # slotId: 0 197 + # pinSecret: 198 + # name: "smartcard-hsm-pin" 199 + # key: "pin" 200 + # # Example: YubiKey HSM with custom configuration 201 + # - name: "yubikey-hsm" 202 + # namespace: "default" 203 + # deviceType: "Generic" 204 + # maxDevices: 2 205 + # discovery: 206 + # usb: 207 + # vendorId: "1050" 208 + # productId: "0407" 209 + # pkcs11: 210 + # libraryPath: "/usr/lib/x86_64-linux-gnu/libykcs11.so" 211 + # slotId: 9 212 + # tokenLabel: "YubiHSM" 213 + # pinSecret: 214 + # name: "yubikey-pin" 215 + # key: "pin" 216 + # namespace: "security" # Different namespace 217 + # # Only create this device on nodes with specific label 218 + # nodeSelector: 219 + # hsm-type: "yubikey" 220 + # # Example: Device path-based discovery for custom HSM 221 + # - name: "custom-hsm-path" 222 + # namespace: "security" 223 + # deviceType: "Generic" 224 + # maxDevices: 1 225 + # discovery: 226 + # devicePath: 227 + # path: "/dev/custom-hsm*" 228 + # permissions: "0666" 229 + # pkcs11: 230 + # libraryPath: "/opt/custom-hsm/lib/libcustom-pkcs11.so" 231 + # slotId: 1 232 + # pinSecret: 233 + # name: "custom-hsm-credentials" 234 + # key: "hsm-pin" 235 + # namespace: "security" 236 236 237 237 # HSM Secret Configuration 238 238 
hsmsecret:
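Review bot: The commented-out example list now ships two duplicate keys that will bite whoever uncomments it: the `yubikey-hsm` entry sets `namespace: "default"` (line 202) and again `namespace: "security"` (line 216), and `custom-hsm-path` sets `namespace: "security"` twice (lines 222 and 235); most YAML parsers silently keep the last value and yamllint's key-duplicates rule rejects the file. Keep one `namespace` per entry, e.g. delete lines 216 and 235 together with the `# Different namespace` remark. Since the block is now documentation rather than live config, a header such as `# Example devices (intentionally commented out); uncomment and adapt one entry per HSM model` would tell readers the list is inactive by design, not accidentally disabled. The `permissions: "0666"` example at line 228 also deserves a caveat, e.g. `# 0666 makes the device node writable by every user on the node; narrow this in production`, so the example is not copied verbatim.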