evan.jarrett.net / hsm-secrets-operator
A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

pass debug logger into agent and pcscd manager

Evan Jarrett 75df81d3 3b59c451

+30 -20
+1 -1
Makefile
··· 3 3 # To re-generate a bundle for another specific version without changing the standard setup, you can: 4 4 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) 5 5 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) 6 - VERSION ?= 0.6.35 6 + VERSION ?= 0.6.36 7 7 8 8 # CHANNELS define the bundle channels used in the bundle. 9 9 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
+3 -3
cmd/hsm-operator/main.go
··· 50 50 i := 0 51 51 for i < len(args) { 52 52 arg := args[i] 53 - if strings.HasPrefix(arg, "--mode=") { 54 - modeArg = strings.TrimPrefix(arg, "--mode=") 53 + if after, ok := strings.CutPrefix(arg, "--mode="); ok { 54 + modeArg = after 55 55 globalArgs = append(globalArgs, arg) 56 56 i++ 57 57 } else if arg == "--mode" && i+1 < len(args) { ··· 126 126 os.Exit(1) 127 127 } 128 128 case "agent": 129 - if err := agent.Run(modeSpecificArgs); err != nil { 129 + if err := agent.Run(modeSpecificArgs, logLevel); err != nil { 130 130 setupLog.Error(err, "Agent mode failed") 131 131 os.Exit(1) 132 132 }
+2 -2
helm/hsm-secrets-operator/Chart.yaml
··· 2 2 name: hsm-secrets-operator 3 3 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets 4 4 type: application 5 - version: 0.6.35 6 - appVersion: v0.6.35 5 + version: 0.6.36 6 + appVersion: v0.6.36 7 7 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg 8 8 home: https://github.com/evanjarrett/hsm-secrets-operator 9 9 sources:
+14 -6
internal/agent/pcscd_manager.go
··· 34 34 ctx context.Context 35 35 cancel context.CancelFunc 36 36 logger logr.Logger 37 + debug bool // Enable pcscd debug output (-d flag) 37 38 } 38 39 39 40 // NewPCSCDManager creates a new PCSCD manager instance. 40 - func NewPCSCDManager(logger logr.Logger) *PCSCDManager { 41 + // If debug is true, pcscd will be started with -d flag for verbose output. 42 + func NewPCSCDManager(logger logr.Logger, debug bool) *PCSCDManager { 41 43 ctx, cancel := context.WithCancel(context.Background()) 42 44 return &PCSCDManager{ 43 45 ctx: ctx, 44 46 cancel: cancel, 45 47 logger: logger.WithName("pcscd-manager"), 48 + debug: debug, 46 49 } 47 50 } 48 51 ··· 63 66 p.logger.Error(err, "Failed to create runtime directory", "dir", dir) 64 67 return fmt.Errorf("failed to create runtime directory %s: %w", dir, err) 65 68 } 66 - p.logger.V(1).Info("Runtime directory ready", "dir", dir) 69 + p.logger.Info("Runtime directory ready", "dir", dir) 67 70 } 68 71 69 72 // Clean up stale socket file from previous runs ··· 73 76 p.logger.Error(err, "Failed to remove stale socket", "path", socketPath) 74 77 return fmt.Errorf("failed to remove stale socket %s: %w", socketPath, err) 75 78 } 76 - p.logger.V(1).Info("Cleaned up stale socket", "path", socketPath) 79 + p.logger.Info("Cleaned up stale socket", "path", socketPath) 77 80 78 81 // Start pcscd with: 79 82 // -f: foreground mode (don't daemonize) 80 - // -d: debug output (helps troubleshooting) 83 + // -d: debug output (conditional on debug flag) 81 84 // --disable-polkit: disable PolicyKit (no D-Bus in container) 82 - p.cmd = exec.CommandContext(p.ctx, "/usr/sbin/pcscd", "-f", "-d", "--disable-polkit") 85 + args := []string{"-f", "--disable-polkit"} 86 + if p.debug { 87 + args = append(args, "-d") 88 + p.logger.Info("Starting pcscd with debug output enabled") 89 + } 90 + p.cmd = exec.CommandContext(p.ctx, "/usr/sbin/pcscd", args...) 83 91 84 92 // Pipe output to parent process for centralized logging 85 93 p.cmd.Stdout = os.Stdout ··· 169 177 // /var/run/pcscd is the legacy path (symlink on normal systems, but not in FROM scratch) 170 178 socketPaths := []string{"/run/pcscd/pcscd.comm", "/var/run/pcscd/pcscd.comm"} 171 179 172 - p.logger.V(1).Info("Waiting for pcscd to be ready", "paths", socketPaths) 180 + p.logger.Info("Waiting for pcscd to be ready", "paths", socketPaths) 173 181 174 182 for i := range maxAttempts { 175 183 // Check if the socket exists at either location
+5 -5
internal/agent/pcscd_manager_test.go
··· 29 29 30 30 func TestNewPCSCDManager(t *testing.T) { 31 31 logger := zap.New(zap.UseDevMode(true)) 32 - mgr := NewPCSCDManager(logger) 32 + mgr := NewPCSCDManager(logger, false) 33 33 34 34 if mgr == nil { 35 35 t.Fatal("NewPCSCDManager returned nil") ··· 69 69 func TestPCSCDManager_MultipleStartAttempts(t *testing.T) { 70 70 // Test that calling Start() multiple times fails appropriately 71 71 logger := zap.New(zap.UseDevMode(true)) 72 - mgr := NewPCSCDManager(logger) 72 + mgr := NewPCSCDManager(logger, false) 73 73 74 74 // Mock the cmd to prevent actual pcscd start 75 75 // In real implementation, we'd need dependency injection or interface ··· 94 94 func TestPCSCDManager_StopWithoutStart(t *testing.T) { 95 95 // Test that Stop() is safe to call even if Start() was never called 96 96 logger := zap.New(zap.UseDevMode(true)) 97 - mgr := NewPCSCDManager(logger) 97 + mgr := NewPCSCDManager(logger, false) 98 98 99 99 // Should not panic or error 100 100 err := mgr.Stop() ··· 106 106 func TestPCSCDManager_ContextCancellation(t *testing.T) { 107 107 // Test that cancelling the context affects the manager 108 108 logger := zap.New(zap.UseDevMode(true)) 109 - mgr := NewPCSCDManager(logger) 109 + mgr := NewPCSCDManager(logger, false) 110 110 111 111 // Verify context is not cancelled initially 112 112 select { ··· 153 153 } 154 154 155 155 logger := getPCSCDTestLogger() 156 - mgr := NewPCSCDManager(logger) 156 + mgr := NewPCSCDManager(logger, false) 157 157 158 158 // Start pcscd 159 159 if err := mgr.Start(); err != nil {
+5 -3
internal/modes/agent/agent.go
··· 50 50 } 51 51 52 52 // Run starts the agent mode 53 - func Run(args []string) error { 53 + func Run(args []string, logLevel string) error { 54 54 // Create a new flag set for agent-specific flags 55 55 fs := flag.NewFlagSet("agent", flag.ContinueOnError) 56 56 ··· 143 143 144 144 if usePKCS11 { 145 145 // Start pcscd daemon before initializing PKCS#11 client 146 - setupLog.Info("Starting pcscd daemon for hardware HSM support") 147 - pcscdMgr := agent.NewPCSCDManager(setupLog) 146 + // Enable debug output when log level is debug 147 + debugMode := logLevel == "debug" 148 + setupLog.Info("Starting pcscd daemon for hardware HSM support", "debug", debugMode) 149 + pcscdMgr := agent.NewPCSCDManager(setupLog, debugMode) 148 150 if err := pcscdMgr.Start(); err != nil { 149 151 return fmt.Errorf("failed to start pcscd: %w", err) 150 152 }