···6677**Remote Kubernetes Environment**: The Kubernetes cluster is running remotely, NOT on this local development system. Any local device checks (like `ls /dev/tty*` or local USB device detection) will NOT work and will not reflect the actual state of devices on the remote cluster nodes.
8899+**Sync Architecture**: The operator implements **unidirectional sync from HSM to Kubernetes Secrets only**. HSM is the authoritative source of truth. K8s Secrets are read-only replicas that get updated when HSM data changes. There is no K8s → HSM sync functionality.
1010+911## Project Overview
10121111-A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability through hardware-based security. The operator implements a controller pattern that maintains bidirectional synchronization between HSM binary data files and Kubernetes Secret objects using a unified binary architecture with gRPC communication, automatic USB device discovery, and dynamic agent deployment.
1313+A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability through hardware-based security. The operator implements a controller pattern that synchronizes HSM binary data files to Kubernetes Secret objects using a unified binary architecture with gRPC communication, automatic USB device discovery, and dynamic agent deployment.
12141315## Architecture: Unified Binary with Mode-Based Operation
1416···5557**Controller Hierarchy:**
5658```
5759Manager Controllers:
5858-├── HSMSecretReconciler - Bidirectional HSM/K8s Secret sync
6060+├── HSMSecretReconciler - HSM to K8s Secret sync
5961├── HSMPoolReconciler - Aggregates discovery reports from pod annotations
6062├── HSMPoolAgentReconciler - Deploys agents when pools are ready
6163└── DiscoveryDaemonSetReconciler - Manages discovery DaemonSet lifecycle
···142144metadata:
143145 name: my-secret # HSM path = metadata.name
144146spec:
145145- autoSync: true # Bidirectional sync (default)
147147+ autoSync: true # Automatic sync from HSM to K8s (default)
146148 syncInterval: 30 # Sync interval in seconds
147149status:
148150 syncStatus: "InSync" # InSync|OutOfSync|Error|Pending
···275277- **Agent crash loop**: Check library path and PIN secret configuration
276278- **gRPC connection failed**: Verify agent on port 9090, check service/endpoint configuration
277279- **Proto generation issues**: Install buf tool (`go install github.com/bufbuild/buf/cmd/buf@latest`)
280280+- **Metadata keys in K8s Secrets**: If you see `_metadata` keys in Kubernetes Secrets, this indicates a bug in the PKCS#11 client filtering (should be excluded in `ReadSecret`)
278281279282## Manual HSM Access
280283···295298**Secret Storage Structure:**
296299- Each K8s Secret becomes multiple PKCS#11 data objects
297300- Object naming: `secret-name/key-name` (e.g., `user-credentials/api_key`)
301301+- Metadata stored separately with `/_metadata` suffix (filtered out from K8s Secrets)
298302- Private objects require PIN authentication to access
303303+304304+## Code Architecture Critical Points
305305+306306+**Controller Interaction Flow:**
307307+1. `HSMSecretReconciler` reads from HSM via gRPC agents
308308+2. `HSMPoolReconciler` aggregates device discovery reports from pod annotations (race-free)
309309+3. `HSMPoolAgentReconciler` deploys agents dynamically when devices are ready
310310+4. `HSMSyncReconciler` handles multi-device HSM synchronization (HSM ↔ HSM only)
311311+312312+**PKCS#11 Client Implementation:**
313313+- Production: `internal/hsm/pkcs11_client.go` with CGO
314314+- Testing: `internal/hsm/pkcs11_client_nocgo.go` and `mock_client.go`
315315+- **Critical**: ReadSecret must filter out `metadataKeySuffix` ("/_metadata") objects
316316+- Build tags control which client is compiled
317317+318318+**Protocol Buffer Workflow:**
319319+1. Modify `api/proto/hsm/v1/hsm.proto`
320320+2. Run `buf generate` to update Go code
321321+3. Implement in `internal/agent/grpc_server.go`
322322+4. Update client calls in controller or agent code
299323300324This operator provides secure, hardware-backed secret management that integrates seamlessly with Kubernetes while maintaining the security benefits of HSM-based storage.
+2-2
README.md
···4455## Description
6677-The HSM Secrets Operator implements a controller pattern that maintains bidirectional synchronization between HSM binary data files and Kubernetes Secret objects. It uses a four-binary architecture with gRPC communication, automatic USB device discovery, and dynamic agent deployment to provide secure, hardware-backed secret management in Kubernetes environments.
77+The HSM Secrets Operator implements a controller pattern that synchronizes HSM binary data files to Kubernetes Secret objects. It uses a unified binary architecture with gRPC communication, automatic USB device discovery, and dynamic agent deployment to provide secure, hardware-backed secret management in Kubernetes environments.
8899### Key Features
10101111- **Hardware Security**: Leverages Pico HSM and other PKCS#11 compatible devices for tamper-resistant secret storage
1212-- **Bidirectional Sync**: Automatic synchronization between HSM storage and Kubernetes Secrets
1212+- **Automatic Sync**: Synchronization from HSM storage to Kubernetes Secrets
1313- **Device Discovery**: Automatic USB HSM device detection with support for multiple device types
1414- **Agent Architecture**: Dynamic deployment of HSM agent pods with node affinity for direct hardware access
1515- **gRPC Communication**: High-performance gRPC protocol for manager-agent communication with fallback to HTTP
+1-1
api/v1alpha1/hsmsecret_types.go
···6161 // +optional
6262 SecretName string `json:"secretName,omitempty"`
63636464- // AutoSync enables bidirectional synchronization between HSM and Kubernetes Secret
6464+ // AutoSync enables automatic synchronization from HSM to Kubernetes Secret
6565 // +kubebuilder:default=true
6666 // +optional
6767 AutoSync bool `json:"autoSync,omitempty"`
+2-2
config/crd/bases/hsm.j5t.io_hsmsecrets.yaml
···5656 properties:
5757 autoSync:
5858 default: true
5959- description: AutoSync enables bidirectional synchronization between
6060- HSM and Kubernetes Secret
5959+ description: AutoSync enables automatic synchronization from HSM to
6060+ Kubernetes Secret
6161 type: boolean
6262 parentRef:
6363 description: |-
+1-1
examples/basic/README.md
···77777878### HSMSecret
7979Represents a secret stored on the HSM and manages:
8080-- Bidirectional sync with Kubernetes Secrets
8080+- Sync from HSM to Kubernetes Secrets
8181- Data integrity with checksums
8282- Automatic updates when HSM data changes
8383
+1-1
examples/basic/database-secret.yaml
···1515 # Name of the Kubernetes Secret to create/maintain
1616 secretName: "database-credentials"
17171818- # Enable bidirectional synchronization
1818+ # Enable automatic sync from HSM to Kubernetes
1919 autoSync: true
20202121 # Check for changes every 5 minutes (300 seconds)