A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

fix tests and manager naming

+16 -783
+1 -1
config/rbac/service_account.yaml
··· 4 4 labels: 5 5 app.kubernetes.io/name: hsm-secrets-operator 6 6 app.kubernetes.io/managed-by: kustomize 7 - name: controller-manager 7 + name: hsm-secrets-operator 8 8 namespace: system
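Review bot: renaming the ServiceAccount from `controller-manager` to `hsm-secrets-operator` at line 7 of config/rbac/service_account.yaml is only half the change: nothing in this diff updates the RoleBinding/ClusterRoleBinding subjects or the Deployment's `serviceAccountName` that refer to the old name, and the example manifest removed in this same commit still carried `serviceAccountName: hsm-secrets-operator-controller-manager`. If a binding is left pointing at `controller-manager`, the manager pod either fails to start (ServiceAccount not found) or runs under an account with no rights on Secrets, which only shows up as reconcile errors at runtime. Please include the matching subject and `serviceAccountName` edits here, and confirm what the kustomize name prefix produces for the new name, since the updated tests below expect the full operator name `hsm-secrets-operator-controller-manager`.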
-377
examples/advanced/talos-build-guide.md
··· 1 - # HSM Secrets Operator for Talos Linux 2 - 3 - This guide shows how to deploy the HSM Secrets Operator on Talos Linux, which requires special handling for PKCS#11 libraries due to its immutable filesystem. 4 - 5 - ## Talos Linux Challenges 6 - 7 - Talos Linux presents unique challenges for HSM integration: 8 - 9 - 1. **Immutable Root Filesystem**: Can't install libraries at runtime 10 - 2. **Minimal Base**: No package managers or build tools 11 - 3. **Container-Only**: All software must run in containers 12 - 4. **Security Focus**: Restricted permissions and capabilities 13 - 14 - ## Solutions for Talos 15 - 16 - ### Option 1: Custom Operator Image (Recommended) 17 - 18 - Build the operator with PKCS#11 libraries included: 19 - 20 - ```bash 21 - # Build custom operator image with libraries 22 - docker build -f Dockerfile.talos -t hsm-secrets-operator:talos . 23 - 24 - # Push to your registry 25 - docker tag hsm-secrets-operator:talos your-registry.com/hsm-secrets-operator:talos 26 - docker push your-registry.com/hsm-secrets-operator:talos 27 - ``` 28 - 29 - **Advantages**: 30 - - Single image deployment 31 - - Fast startup (no init containers) 32 - - Libraries tested and verified 33 - - Immutable and reproducible 34 - 35 - **Use when**: 36 - - You control the container registry 37 - - You know which HSM vendors you'll use 38 - - You want the simplest deployment 39 - 40 - ### Option 2: Init Container Pattern 41 - 42 - Use init containers to provide libraries at runtime: 43 - 44 - ```bash 45 - # Build library provider image 46 - docker build -f Dockerfile.pkcs11-init -t pkcs11-libraries:latest . 
47 - docker push your-registry.com/pkcs11-libraries:latest 48 - ``` 49 - 50 - **Advantages**: 51 - - Flexible library management 52 - - Can update libraries without rebuilding operator 53 - - Supports multiple vendor libraries 54 - - Good for testing different libraries 55 - 56 - **Use when**: 57 - - You need flexibility for different HSM vendors 58 - - You're still evaluating which libraries to use 59 - - You want to update libraries independently 60 - 61 - ## Building for Talos 62 - 63 - ### Custom Operator Image Build 64 - 65 - ```bash 66 - #!/bin/bash 67 - # build-talos.sh - Build script for Talos deployment 68 - 69 - set -e 70 - 71 - REGISTRY=${REGISTRY:-"your-registry.com"} 72 - TAG=${TAG:-"talos-$(date +%Y%m%d)"} 73 - IMAGE_NAME="hsm-secrets-operator" 74 - 75 - echo "Building HSM Secrets Operator for Talos Linux..." 76 - echo "Registry: $REGISTRY" 77 - echo "Tag: $TAG" 78 - 79 - # Build the custom image with PKCS#11 libraries 80 - docker build \ 81 - -f Dockerfile.talos \ 82 - -t $REGISTRY/$IMAGE_NAME:$TAG \ 83 - -t $REGISTRY/$IMAGE_NAME:talos-latest \ 84 - . 85 - 86 - echo "Build completed successfully!" 87 - echo "Images tagged:" 88 - echo " $REGISTRY/$IMAGE_NAME:$TAG" 89 - echo " $REGISTRY/$IMAGE_NAME:talos-latest" 90 - 91 - # Push to registry 92 - read -p "Push to registry? (y/N): " -n 1 -r 93 - echo 94 - if [[ $REPLY =~ ^[Yy]$ ]]; then 95 - docker push $REGISTRY/$IMAGE_NAME:$TAG 96 - docker push $REGISTRY/$IMAGE_NAME:talos-latest 97 - echo "Images pushed to registry" 98 - else 99 - echo "Skipping registry push" 100 - fi 101 - ``` 102 - 103 - ### Library Testing Script 104 - 105 - ```bash 106 - #!/bin/bash 107 - # test-libraries.sh - Test PKCS#11 libraries in container 108 - 109 - CONTAINER_NAME="test-pkcs11-libs" 110 - IMAGE_NAME="hsm-secrets-operator:talos" 111 - 112 - echo "Testing PKCS#11 libraries in container..." 
113 - 114 - # Run container with library testing 115 - docker run --rm --name $CONTAINER_NAME $IMAGE_NAME /bin/sh -c ' 116 - echo "=== Testing PKCS#11 Libraries ===" 117 - echo "Library path: $LD_LIBRARY_PATH" 118 - echo "PKCS#11 module path: $PKCS11_MODULE_PATH" 119 - echo "" 120 - 121 - echo "=== Available Libraries ===" 122 - ls -la /usr/local/lib/pkcs11/ 123 - echo "" 124 - 125 - echo "=== Library Dependencies ===" 126 - for lib in /usr/local/lib/pkcs11/*.so; do 127 - if [ -f "$lib" ]; then 128 - echo "Testing: $lib" 129 - ldd "$lib" 2>/dev/null || echo " Static library or dependencies not found" 130 - fi 131 - done 132 - echo "" 133 - 134 - echo "=== PKCS#11 Function Check ===" 135 - for lib in /usr/local/lib/pkcs11/*.so; do 136 - if [ -f "$lib" ]; then 137 - echo "Checking PKCS#11 functions in: $lib" 138 - objdump -T "$lib" | grep -E "(C_GetFunctionList|C_Initialize)" | head -2 139 - fi 140 - done 141 - ' 142 - 143 - echo "Library testing completed" 144 - ``` 145 - 146 - ## Deployment on Talos 147 - 148 - ### 1. Node Preparation 149 - 150 - Label your Talos nodes that have HSM devices: 151 - 152 - ```bash 153 - # Label nodes with HSM hardware 154 - kubectl label node talos-worker-1 hsm.j5t.io/enabled=true 155 - kubectl label node talos-worker-2 hsm.j5t.io/enabled=true 156 - 157 - # Verify node labels 158 - kubectl get nodes --show-labels | grep hsm 159 - ``` 160 - 161 - ### 2. Deploy Operator 162 - 163 - ```bash 164 - # Apply CRDs first 165 - kubectl apply -f config/crd/bases/ 166 - 167 - # Deploy with Talos-specific configuration 168 - kubectl apply -f examples/advanced/talos-deployment.yaml 169 - 170 - # Wait for deployment 171 - kubectl wait --for=condition=available deployment/hsm-secrets-operator-controller-manager -n hsm-secrets-operator-system --timeout=300s 172 - ``` 173 - 174 - ### 3. 
Verify Deployment 175 - 176 - ```bash 177 - # Check operator status 178 - kubectl get pods -n hsm-secrets-operator-system 179 - 180 - # Check init container logs (if using init container pattern) 181 - kubectl logs -n hsm-secrets-operator-system deployment/hsm-secrets-operator-controller-manager -c pkcs11-installer 182 - 183 - # Check operator logs 184 - kubectl logs -n hsm-secrets-operator-system deployment/hsm-secrets-operator-controller-manager -c manager 185 - 186 - # Test HSM device discovery 187 - kubectl get hsmdevice 188 - kubectl describe hsmdevice talos-pico-hsm 189 - ``` 190 - 191 - ### 4. Create Test Secret 192 - 193 - ```bash 194 - # Create test HSMSecret 195 - cat <<EOF | kubectl apply -f - 196 - apiVersion: hsm.j5t.io/v1alpha1 197 - kind: HSMSecret 198 - metadata: 199 - name: talos-test-secret 200 - namespace: default 201 - spec: 202 - hsmPath: "secrets/talos/test-secret" 203 - secretName: "talos-test-secret" 204 - autoSync: true 205 - syncInterval: 300 206 - EOF 207 - 208 - # Check secret status 209 - kubectl get hsmsecret talos-test-secret 210 - kubectl get secret talos-test-secret 211 - ``` 212 - 213 - ## Talos-Specific Configuration 214 - 215 - ### Machine Configuration 216 - 217 - Add USB device access to your Talos machine configuration: 218 - 219 - ```yaml 220 - # talos-machine-config.yaml 221 - machine: 222 - kernel: 223 - modules: 224 - - name: usbcore 225 - - name: usb_common 226 - - name: usbhid 227 - 228 - # Allow USB device access 229 - sysctls: 230 - kernel.yama.ptrace_scope: 0 231 - 232 - # Device tree for USB HSM devices 233 - deviceTree: 234 - devices: 235 - - /dev/bus/usb 236 - 237 - cluster: 238 - # Enable device plugins 239 - extraManifests: 240 - - https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/deployment/overlays/default/kustomization.yaml 241 - ``` 242 - 243 - ### Talos Extensions (if needed) 244 - 245 - For hardware-specific drivers, you might need custom Talos extensions: 246 - 247 - ```yaml 
248 - # talos-extensions.yaml 249 - machine: 250 - install: 251 - extensions: 252 - - image: ghcr.io/siderolabs/intel-ucode:20230613 253 - - image: your-registry.com/hsm-driver-extension:v1.0.0 254 - ``` 255 - 256 - ## Security Considerations for Talos 257 - 258 - ### Pod Security Standards 259 - 260 - ```yaml 261 - apiVersion: v1 262 - kind: Namespace 263 - metadata: 264 - name: hsm-secrets-operator-system 265 - labels: 266 - pod-security.kubernetes.io/enforce: restricted 267 - pod-security.kubernetes.io/audit: restricted 268 - pod-security.kubernetes.io/warn: restricted 269 - ``` 270 - 271 - ### Network Policies 272 - 273 - ```yaml 274 - apiVersion: networking.k8s.io/v1 275 - kind: NetworkPolicy 276 - metadata: 277 - name: hsm-operator-talos-netpol 278 - namespace: hsm-secrets-operator-system 279 - spec: 280 - podSelector: 281 - matchLabels: 282 - control-plane: controller-manager 283 - policyTypes: 284 - - Ingress 285 - - Egress 286 - ingress: 287 - - from: 288 - - namespaceSelector: {} 289 - egress: 290 - - to: [] # Allow all egress for K8s API and HSM communication 291 - ``` 292 - 293 - ## Troubleshooting Talos Deployments 294 - 295 - ### Common Issues 296 - 297 - 1. **USB Device Access** 298 - ```bash 299 - # Check USB devices on Talos node 300 - talosctl -n NODE_IP dmesg | grep -i usb 301 - 302 - # List USB devices 303 - talosctl -n NODE_IP exec -- lsusb 304 - ``` 305 - 306 - 2. **Library Loading Issues** 307 - ```bash 308 - # Check library in container 309 - kubectl exec -it deployment/hsm-secrets-operator-controller-manager -n hsm-secrets-operator-system -- ls -la /usr/local/lib/pkcs11/ 310 - 311 - # Test library loading 312 - kubectl exec -it deployment/hsm-secrets-operator-controller-manager -n hsm-secrets-operator-system -- ldd /usr/local/lib/pkcs11/opensc-pkcs11.so 313 - ``` 314 - 315 - 3. 
**Permission Issues** 316 - ```bash 317 - # Check container security context 318 - kubectl get pod -n hsm-secrets-operator-system -o yaml | grep -A 10 securityContext 319 - 320 - # Check device permissions 321 - kubectl exec -it deployment/hsm-secrets-operator-controller-manager -n hsm-secrets-operator-system -- ls -la /dev/bus/usb/ 322 - ``` 323 - 324 - ### Debug Commands 325 - 326 - ```bash 327 - # Talos system information 328 - talosctl -n NODE_IP version 329 - talosctl -n NODE_IP get members 330 - 331 - # Container runtime information 332 - talosctl -n NODE_IP containers 333 - 334 - # Kubernetes node information 335 - kubectl describe node TALOS_NODE 336 - 337 - # HSM operator debugging 338 - kubectl logs -f -n hsm-secrets-operator-system deployment/hsm-secrets-operator-controller-manager 339 - 340 - # HSM device status 341 - kubectl get hsmdevice -o yaml 342 - ``` 343 - 344 - ## Performance Optimization for Talos 345 - 346 - ### Resource Management 347 - 348 - ```yaml 349 - resources: 350 - requests: 351 - cpu: 100m 352 - memory: 128Mi 353 - # Request specific resources for HSM devices 354 - vendor.com/hsm: 1 355 - limits: 356 - cpu: 1000m 357 - memory: 512Mi 358 - vendor.com/hsm: 1 359 - ``` 360 - 361 - ### Node Affinity 362 - 363 - ```yaml 364 - affinity: 365 - nodeAffinity: 366 - requiredDuringSchedulingIgnoredDuringExecution: 367 - nodeSelectorTerms: 368 - - matchExpressions: 369 - - key: hsm.j5t.io/enabled 370 - operator: In 371 - values: ["true"] 372 - - key: kubernetes.io/arch 373 - operator: In 374 - values: ["amd64"] 375 - ``` 376 - 377 - This comprehensive guide provides everything needed to successfully deploy the HSM Secrets Operator on Talos Linux with proper PKCS#11 library support!
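Review bot: deleting examples/advanced/talos-build-guide.md (377 lines) is not covered by the commit message `fix tests and manager naming`; if the guide is being dropped as stale rather than replaced, say so in the message or move the removal to its own commit so the history stays bisectable. For the record, the removed guide contained advice that should not be resurrected as written: the machine config set `kernel.yama.ptrace_scope: 0`, which relaxes ptrace restrictions for every process on the node and has nothing to do with USB HSM access, and the NetworkPolicy egress rule `- to: []` allows all egress, which undercuts the `pod-security.kubernetes.io/enforce: restricted` posture the same section recommends.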
-386
examples/advanced/talos-deployment.yaml
··· 1 - # HSM Secrets Operator deployment for Talos Linux 2 - # Talos has immutable rootfs, so libraries must be provided via containers 3 - 4 - --- 5 - # ConfigMap with custom PKCS#11 library configuration 6 - apiVersion: v1 7 - kind: ConfigMap 8 - metadata: 9 - name: talos-hsm-config 10 - namespace: hsm-secrets-operator-system 11 - data: 12 - # Library installation script 13 - install-libs.sh: | 14 - #!/bin/sh 15 - set -e 16 - 17 - echo "Installing PKCS#11 libraries for Talos Linux..." 18 - 19 - # Create directories 20 - mkdir -p /shared/lib/pkcs11 21 - mkdir -p /shared/etc/pkcs11 22 - 23 - # Copy libraries from init container 24 - if [ -d "/vendor-libs" ]; then 25 - cp -v /vendor-libs/*.so /shared/lib/pkcs11/ 26 - chmod 755 /shared/lib/pkcs11/*.so 27 - fi 28 - 29 - # Create library configuration 30 - cat > /shared/etc/pkcs11/pkcs11.conf << EOF 31 - # PKCS#11 configuration for HSM devices 32 - module: /shared/lib/pkcs11/opensc-pkcs11.so 33 - slot-description: OpenSC 34 - EOF 35 - 36 - # List installed libraries 37 - echo "Installed libraries:" 38 - ls -la /shared/lib/pkcs11/ 39 - 40 - echo "Library installation completed" 41 - 42 - --- 43 - # Init container image with PKCS#11 libraries 44 - # This would be built separately and pushed to your registry 45 - apiVersion: v1 46 - kind: ConfigMap 47 - metadata: 48 - name: pkcs11-init-dockerfile 49 - namespace: hsm-secrets-operator-system 50 - data: 51 - Dockerfile: | 52 - FROM alpine:3.18 53 - 54 - # Install build dependencies 55 - RUN apk add --no-cache \ 56 - wget \ 57 - unzip \ 58 - build-base \ 59 - autoconf \ 60 - automake \ 61 - libtool \ 62 - pkgconfig \ 63 - openssl-dev \ 64 - libusb-dev \ 65 - pcsc-lite-dev 66 - 67 - # Install OpenSC (most common) 68 - RUN wget https://github.com/OpenSC/OpenSC/releases/download/0.24.0/opensc-0.24.0.tar.gz && \ 69 - tar -xzf opensc-0.24.0.tar.gz && \ 70 - cd opensc-0.24.0 && \ 71 - ./configure --prefix=/usr/local --enable-pcsc --enable-openssl && \ 72 - make && make install 73 
- 74 - # Install YubiKey library (optional) 75 - RUN wget https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-2.4.0.tar.gz && \ 76 - tar -xzf yubico-piv-tool-2.4.0.tar.gz && \ 77 - cd yubico-piv-tool-2.4.0 && \ 78 - ./configure --prefix=/usr/local && \ 79 - make && make install 80 - 81 - # Copy libraries to vendor-libs directory 82 - RUN mkdir -p /vendor-libs && \ 83 - cp /usr/local/lib/pkcs11/*.so /vendor-libs/ && \ 84 - cp /usr/local/lib/libykcs11*.so /vendor-libs/ 2>/dev/null || true 85 - 86 - # Copy installation script 87 - COPY install-libs.sh /usr/local/bin/ 88 - RUN chmod +x /usr/local/bin/install-libs.sh 89 - 90 - ENTRYPOINT ["/usr/local/bin/install-libs.sh"] 91 - 92 - --- 93 - # Updated HSM Secrets Operator Deployment for Talos 94 - apiVersion: apps/v1 95 - kind: Deployment 96 - metadata: 97 - name: hsm-secrets-operator-controller-manager 98 - namespace: hsm-secrets-operator-system 99 - labels: 100 - app.kubernetes.io/component: manager 101 - app.kubernetes.io/created-by: hsm-secrets-operator 102 - app.kubernetes.io/instance: controller-manager 103 - app.kubernetes.io/managed-by: kustomize 104 - app.kubernetes.io/name: deployment 105 - app.kubernetes.io/part-of: hsm-secrets-operator 106 - control-plane: controller-manager 107 - spec: 108 - replicas: 1 109 - selector: 110 - matchLabels: 111 - control-plane: controller-manager 112 - template: 113 - metadata: 114 - annotations: 115 - kubectl.kubernetes.io/default-container: manager 116 - labels: 117 - control-plane: controller-manager 118 - spec: 119 - # Security context for Talos 120 - securityContext: 121 - runAsNonRoot: true 122 - seccompProfile: 123 - type: RuntimeDefault 124 - 125 - # Init container to provide PKCS#11 libraries 126 - initContainers: 127 - - name: pkcs11-installer 128 - # This image contains the PKCS#11 libraries 129 - image: your-registry.com/pkcs11-libraries:latest 130 - imagePullPolicy: IfNotPresent 131 - 132 - command: 133 - - /bin/sh 134 - - -c 135 - - | 136 - echo 
"Setting up PKCS#11 libraries for Talos..." 137 - 138 - # Create directory structure 139 - mkdir -p /shared/lib/pkcs11 140 - mkdir -p /shared/etc/pkcs11 141 - 142 - # Copy pre-built libraries 143 - cp -v /usr/local/lib/pkcs11/* /shared/lib/pkcs11/ 2>/dev/null || true 144 - cp -v /usr/local/lib/libykcs11* /shared/lib/pkcs11/ 2>/dev/null || true 145 - 146 - # Set permissions 147 - chmod 755 /shared/lib/pkcs11/*.so 148 - 149 - # Create ldconfig cache equivalent 150 - echo "/shared/lib/pkcs11" > /shared/etc/ld.so.conf 151 - 152 - # Verify libraries 153 - echo "Available PKCS#11 libraries:" 154 - ls -la /shared/lib/pkcs11/ 155 - 156 - # Test library loading (basic check) 157 - for lib in /shared/lib/pkcs11/*.so; do 158 - if [ -f "$lib" ]; then 159 - echo "Testing library: $lib" 160 - # Basic symbol check 161 - if command -v objdump >/dev/null; then 162 - objdump -T "$lib" | grep C_GetFunctionList || echo " Warning: C_GetFunctionList not found" 163 - fi 164 - fi 165 - done 166 - 167 - echo "PKCS#11 library setup completed" 168 - 169 - volumeMounts: 170 - - name: pkcs11-libs 171 - mountPath: /shared 172 - 173 - resources: 174 - requests: 175 - cpu: 100m 176 - memory: 128Mi 177 - limits: 178 - cpu: 500m 179 - memory: 256Mi 180 - 181 - securityContext: 182 - allowPrivilegeEscalation: false 183 - capabilities: 184 - drop: 185 - - ALL 186 - readOnlyRootFilesystem: true 187 - runAsNonRoot: true 188 - runAsUser: 65534 189 - 190 - containers: 191 - - name: manager 192 - args: 193 - - --leader-elect 194 - - --health-probe-bind-address=:8081 195 - - --metrics-bind-address=127.0.0.1:8080 196 - - --enable-api=true 197 - - --api-port=8090 198 - command: 199 - - /manager 200 - image: controller:latest 201 - 202 - # Environment variables for library paths 203 - env: 204 - - name: LD_LIBRARY_PATH 205 - value: "/shared/lib/pkcs11:/usr/local/lib" 206 - - name: PKCS11_MODULE_PATH 207 - value: "/shared/lib/pkcs11" 208 - - name: OPENSC_CONF 209 - value: "/shared/etc/pkcs11/opensc.conf" 210 - 
211 - livenessProbe: 212 - httpGet: 213 - path: /healthz 214 - port: 8081 215 - initialDelaySeconds: 15 216 - periodSeconds: 20 217 - 218 - readinessProbe: 219 - httpGet: 220 - path: /readyz 221 - port: 8081 222 - initialDelaySeconds: 5 223 - periodSeconds: 10 224 - 225 - resources: 226 - limits: 227 - cpu: 500m 228 - memory: 128Mi 229 - requests: 230 - cpu: 10m 231 - memory: 64Mi 232 - 233 - securityContext: 234 - allowPrivilegeEscalation: false 235 - capabilities: 236 - drop: 237 - - ALL 238 - readOnlyRootFilesystem: true 239 - runAsNonRoot: true 240 - runAsUser: 65532 241 - 242 - # Mount the shared libraries 243 - volumeMounts: 244 - - name: pkcs11-libs 245 - mountPath: /shared 246 - readOnly: true 247 - - name: tmp 248 - mountPath: /tmp 249 - 250 - ports: 251 - - containerPort: 8090 252 - name: api 253 - protocol: TCP 254 - - containerPort: 8080 255 - name: metrics 256 - protocol: TCP 257 - - containerPort: 8081 258 - name: health 259 - protocol: TCP 260 - 261 - volumes: 262 - - name: pkcs11-libs 263 - emptyDir: {} 264 - - name: tmp 265 - emptyDir: {} 266 - 267 - serviceAccountName: hsm-secrets-operator-controller-manager 268 - terminationGracePeriodSeconds: 10 269 - 270 - # Node selection for Talos with HSM devices 271 - nodeSelector: 272 - node.kubernetes.io/instance-type: worker 273 - 274 - # Tolerations for Talos nodes 275 - tolerations: 276 - - effect: NoSchedule 277 - key: node-role.kubernetes.io/control-plane 278 - operator: Equal 279 - - effect: NoSchedule 280 - key: node-role.kubernetes.io/master 281 - operator: Equal 282 - 283 - --- 284 - # HSM Device configuration for Talos 285 - apiVersion: hsm.j5t.io/v1alpha1 286 - kind: HSMDevice 287 - metadata: 288 - name: talos-pico-hsm 289 - namespace: default 290 - labels: 291 - os: talos 292 - device-type: pico-hsm 293 - spec: 294 - deviceType: PicoHSM 295 - 296 - # USB device discovery 297 - usb: 298 - vendorId: "20a0" 299 - productId: "4230" 300 - 301 - # Use the library from shared volume 302 - 
pkcs11LibraryPath: "/shared/lib/pkcs11/opensc-pkcs11.so" 303 - 304 - # Select Talos worker nodes 305 - nodeSelector: 306 - node.kubernetes.io/instance-type: worker 307 - 308 - maxDevices: 2 309 - 310 - # Enable mirroring for HA on Talos 311 - mirroring: 312 - policy: "ReadOnly" 313 - syncInterval: 300 314 - autoFailover: true 315 - 316 - --- 317 - # Service for API access 318 - apiVersion: v1 319 - kind: Service 320 - metadata: 321 - name: hsm-secrets-operator-api 322 - namespace: hsm-secrets-operator-system 323 - labels: 324 - app.kubernetes.io/component: api 325 - control-plane: controller-manager 326 - spec: 327 - ports: 328 - - name: api 329 - port: 8090 330 - protocol: TCP 331 - targetPort: 8090 332 - selector: 333 - control-plane: controller-manager 334 - type: ClusterIP 335 - 336 - --- 337 - # NetworkPolicy for Talos security 338 - apiVersion: networking.k8s.io/v1 339 - kind: NetworkPolicy 340 - metadata: 341 - name: hsm-operator-talos-policy 342 - namespace: hsm-secrets-operator-system 343 - spec: 344 - podSelector: 345 - matchLabels: 346 - control-plane: controller-manager 347 - policyTypes: 348 - - Ingress 349 - - Egress 350 - ingress: 351 - - from: 352 - - namespaceSelector: {} 353 - ports: 354 - - protocol: TCP 355 - port: 8090 # API 356 - - protocol: TCP 357 - port: 8080 # Metrics 358 - - protocol: TCP 359 - port: 8081 # Health 360 - egress: 361 - - {} # Allow all egress for HSM communication and K8s API 362 - 363 - --- 364 - # Pod Security Policy for Talos (if PSP is enabled) 365 - apiVersion: policy/v1beta1 366 - kind: PodSecurityPolicy 367 - metadata: 368 - name: hsm-operator-psp 369 - spec: 370 - privileged: false 371 - allowPrivilegeEscalation: false 372 - requiredDropCapabilities: 373 - - ALL 374 - volumes: 375 - - 'configMap' 376 - - 'emptyDir' 377 - - 'projected' 378 - - 'secret' 379 - - 'downwardAPI' 380 - - 'persistentVolumeClaim' 381 - runAsUser: 382 - rule: 'MustRunAsNonRoot' 383 - seLinux: 384 - rule: 'RunAsAny' 385 - fsGroup: 386 - rule: 
'RunAsAny'
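Review bot: same scope concern as the guide: removing examples/advanced/talos-deployment.yaml (386 lines) is unrelated to the test and naming fixes this commit is named for. If it was removed because it had rotted, note that in the message; the file did reference `image: controller:latest` with no pinned tag or digest, a `PodSecurityPolicy` on `policy/v1beta1` (an API removed in Kubernetes 1.25), and `serviceAccountName: hsm-secrets-operator-controller-manager`, which the ServiceAccount rename in this commit would have broken in any case. If a replacement example is planned, it should keep the hardened container settings this one had (`readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`) and the `HSMDevice` usage (`usb.vendorId`/`productId`, `pkcs11LibraryPath`, `mirroring`) that is otherwise only documented here.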
+2 -2
helm/hsm-secrets-operator/Chart.yaml
··· 2 2 name: hsm-secrets-operator 3 3 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets 4 4 type: application 5 - version: 0.5.10 6 - appVersion: v0.5.10 5 + version: 0.5.11 6 + appVersion: v0.5.11 7 7 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg 8 8 home: https://github.com/evanjarrett/hsm-secrets-operator 9 9 sources:
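Review bot: the bump to `version: 0.5.11` / `appVersion: v0.5.11` is the only Helm change in this diff, yet the ServiceAccount rename in config/rbac and the new hostname parsing in manager.go both change the name the running operator identifies itself as (the tests now expect `hsm-secrets-operator-controller-manager`). Any existing `HSMSecret` whose `parentRef.name` was written against the old short name `controller-manager` stops matching after the upgrade, so this deserves a line in the chart's release notes rather than a silent patch bump, and it is worth confirming that the chart templates (untouched here) produce the same Deployment and ServiceAccount names as the kustomize config. Separately, the chart description still says `Pico HSM binary data storage` while the repository description says Hardware Security Module (HSM) data storage; align the two.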
+4 -4
internal/controller/hsmsecret_parentref_test.go
··· 31 31 func TestShouldHandleSecret(t *testing.T) { 32 32 reconciler := &HSMSecretReconciler{ 33 33 OperatorNamespace: "hsm-operator-system", 34 - OperatorName: "controller-manager", 34 + OperatorName: "hsm-secrets-operator-controller-manager", 35 35 } 36 36 37 37 tests := []struct { ··· 61 61 }, 62 62 Spec: hsmv1alpha1.HSMSecretSpec{ 63 63 ParentRef: &hsmv1alpha1.ParentReference{ 64 - Name: "controller-manager", 64 + Name: "hsm-secrets-operator-controller-manager", 65 65 Namespace: stringPtr("hsm-operator-system"), 66 66 }, 67 67 }, ··· 93 93 }, 94 94 Spec: hsmv1alpha1.HSMSecretSpec{ 95 95 ParentRef: &hsmv1alpha1.ParentReference{ 96 - Name: "controller-manager", 96 + Name: "hsm-secrets-operator-controller-manager", 97 97 Namespace: stringPtr("other-operator-system"), 98 98 }, 99 99 }, ··· 109 109 }, 110 110 Spec: hsmv1alpha1.HSMSecretSpec{ 111 111 ParentRef: &hsmv1alpha1.ParentReference{ 112 - Name: "controller-manager", 112 + Name: "hsm-secrets-operator-controller-manager", 113 113 // Namespace is nil, should default to operator namespace 114 114 }, 115 115 },
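Review bot: the four hunks only replace the fixture string `controller-manager` with `hsm-secrets-operator-controller-manager` in `OperatorName` and in every `ParentRef.Name`, so the assertions pass for any value as long as the two literals agree and never exercise the case this rename actually changes. Add a case where `ParentRef.Name` is the old short name `controller-manager` in the operator namespace and assert it is not handled, so a regression that drops or keeps the prefix in name derivation is caught. Since the function under `TestShouldHandleSecret` is the gate that decides which operator instance owns a Secret, also consider deriving the expected name through the same helper manager.go uses on `HOSTNAME` instead of hardcoding the literal four times.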
+4 -9
internal/discovery/usb_test.go
··· 407 407 logger: logr.Discard(), 408 408 } 409 409 410 - // Test with no devices present - should return empty 411 - path := discoverer.findCommonDevicePath("20a0", "4230") 412 - // In a clean test environment, this should return empty since no devices exist 413 - // But since we can't control the actual filesystem, let's test the logic differently 414 - 415 410 // Test with unknown vendor ID - this should always return empty since no known paths exist for it 416 - path = discoverer.findCommonDevicePath("unknown", "unknown") 411 + unknownPath := discoverer.findCommonDevicePath("unknown", "unknown") 417 412 418 413 // The function checks actual filesystem paths, so we can't guarantee it returns empty 419 414 // Instead, let's verify it returns a string (empty or path) 420 - assert.IsType(t, "", path) 415 + assert.IsType(t, "", unknownPath) 421 416 422 417 // Test that if a path is returned, it's one of the expected common paths 423 - if path != "" { 418 + if unknownPath != "" { 424 419 expectedPaths := []string{ 425 420 "/dev/ttyUSB0", "/dev/ttyUSB1", "/dev/ttyUSB2", "/dev/ttyUSB3", 426 421 "/dev/ttyACM0", "/dev/ttyACM1", "/dev/ttyACM2", "/dev/ttyACM3", 427 422 "/dev/sc-hsm", "/dev/pkcs11", 428 423 } 429 - assert.Contains(t, expectedPaths, path) 424 + assert.Contains(t, expectedPaths, unknownPath) 430 425 } 431 426 } 432 427
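Review bot: dropping the dead `findCommonDevicePath("20a0", "4230")` call and renaming `path` to `unknownPath` is fine, but the assertions that remain are still vacuous: `assert.IsType(t, "", unknownPath)` cannot fail for a function that returns `string`, and the `assert.Contains` check runs only if the host executing the tests happens to expose one of `/dev/ttyUSB*`, `/dev/ttyACM*`, `/dev/sc-hsm` or `/dev/pkcs11`, as the retained comment concedes. Make the path probe injectable (for example a stat function or root-directory field on the discoverer, defaulting to `os.Stat`), then assert deterministically that an unknown vendor/product pair returns `""` and that a known pair returns the expected path when the fake filesystem reports it present. Device-path discovery decides which node device the PKCS#11 module is opened against, so a test that cannot fail offers no protection against a regression that points the operator at the wrong device.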
+5 -4
internal/modes/manager/manager.go
··· 77 77 // Check if deployment name is provided via downward API 78 78 if hostname := os.Getenv("HOSTNAME"); hostname != "" { 79 79 // Kubernetes deployment pods have hostname like: deployment-name-replicaset-hash-pod-hash 80 - // Extract just the deployment name part 80 + // Extract the deployment name by removing the last two parts (replicaset-hash and pod-hash) 81 81 parts := strings.Split(hostname, "-") 82 - if len(parts) >= 2 { 83 - // Return the first two parts as deployment name (e.g., "controller-manager") 84 - return strings.Join(parts[:2], "-") 82 + if len(parts) >= 3 { 83 + // Remove last two parts (replicaset hash and pod hash) to get deployment name 84 + deploymentParts := parts[:len(parts)-2] 85 + return strings.Join(deploymentParts, "-") 85 86 } 86 87 return hostname 87 88 }
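Review bot: stripping the last two `-`-separated parts of `HOSTNAME` (lines 82 to 85) is still a heuristic and now misfires in the opposite direction from the old `parts[:2]` logic: a Deployment pod such as `hsm-secrets-operator-controller-manager-7d9f8b6c4-x2k9p` correctly yields `hsm-secrets-operator-controller-manager`, but a StatefulSet pod (`name-0`, two parts) falls through to `return hostname`, a bare Pod or Job pod with dashes in its name loses two real name segments, and the comment on line 77 says the name is provided "via downward API" while the code reads the pod's `HOSTNAME`, which is just the pod name. Because this value becomes `OperatorName`, the key that `ParentRef` matching uses (see the updated test fixtures), a wrong derivation either makes the operator ignore every HSMSecret or claim ones addressed to another instance. Prefer an explicit source, an `OPERATOR_NAME` env var or a `--operator-name` flag set from the Deployment manifest, and keep hostname parsing only as a logged fallback; at minimum, discard the result when either stripped segment is empty or contains characters outside `[a-z0-9]`, and add unit tests for the StatefulSet and bare-pod hostname shapes.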