A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


sync

+88 -49
+3
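--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -35,6 +35,9 @@
 # OR run individually:
 gofmt -w . # Format all Go files
 golangci-lint run ./... # Lint all packages (REQUIRED before code changes)
+
+# Sync CRDs from config/ to helm/ after CRD changes
+make helm-sync # Sync generated CRDs to Helm templates
 ```
 
 ### Docker Images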
+6
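--- a/Makefile
+++ b/Makefile
@@ -97,6 +97,12 @@
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
+.PHONY: helm-sync
+helm-sync: manifests ## Sync generated CRDs from config/ to helm/ templates
+	@echo "Syncing CRDs from config/crd/bases/ to helm/hsm-secrets-operator/templates/crds/"
+	cp config/crd/bases/*.yaml helm/hsm-secrets-operator/templates/crds/
+	@echo "✅ CRDs synced successfully"
+
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."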
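Review bot: The `cp` on new line 103 replaces each Helm template with the raw generated CRD, and the two template sections further down (hsm.j5t.io_hsmdevices.yaml and hsm.j5t.io_hsmsecrets.yaml) show the cost: the `{{- if .Values.crds.install }}` / `{{- end }}` guard, the `helm.sh/hook` annotations and the chart labels are all removed, so `crds.install=false` and `crds.keep` silently stop having any effect and every install or upgrade applies the CRDs unconditionally. Either the template wrapper has to be re-applied after the copy, or the generated files belong in the chart's top-level `crds/` directory, which Helm treats as untemplated CRDs that are installed once and left alone on upgrade, e.g. `cp config/crd/bases/*.yaml helm/hsm-secrets-operator/crds/` with the templated copies dropped. Whichever way is chosen, the `##` help text should say that the target overwrites the destination files, since `make helm-sync` currently discards any hand-made template edits without warning.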
+79 -41
helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmdevices.yaml
··· 1 - {{- if .Values.crds.install }} 2 1 --- 3 2 apiVersion: apiextensions.k8s.io/v1 4 3 kind: CustomResourceDefinition 5 4 metadata: 6 5 annotations: 7 6 controller-gen.kubebuilder.io/version: v0.18.0 8 - {{- if not .Values.crds.keep }} 9 - "helm.sh/hook": pre-install,pre-upgrade 10 - "helm.sh/hook-delete-policy": before-hook-creation 11 - {{- end }} 12 7 name: hsmdevices.hsm.j5t.io 13 - labels: 14 - {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 15 8 spec: 16 9 group: hsm.j5t.io 17 10 names: ··· 67 60 spec: 68 61 description: HSMDeviceSpec defines the desired state of HSMDevice. 69 62 properties: 70 - devicePath: 71 - description: DevicePath defines path-based device discovery criteria 72 - properties: 73 - path: 74 - description: Path is the device path pattern (e.g., "/dev/ttyUSB*", 75 - "/dev/sc-hsm*") 76 - type: string 77 - permissions: 78 - description: Permissions are the required permissions for device 79 - access 80 - type: string 81 - required: 82 - - path 83 - type: object 84 63 deviceType: 85 64 description: DeviceType specifies the type of HSM device 86 65 type: string 66 + discovery: 67 + description: Discovery defines how to discover this HSM device 68 + properties: 69 + autoDiscovery: 70 + default: false 71 + description: AutoDiscovery enables automatic discovery based on 72 + device type 73 + type: boolean 74 + devicePath: 75 + description: DevicePath defines path-based device discovery criteria 76 + properties: 77 + path: 78 + description: Path is the device path pattern (e.g., "/dev/ttyUSB*", 79 + "/dev/sc-hsm*") 80 + type: string 81 + permissions: 82 + description: Permissions are the required permissions for 83 + device access 84 + type: string 85 + required: 86 + - path 87 + type: object 88 + usb: 89 + description: USB defines USB-based device discovery criteria 90 + properties: 91 + productId: 92 + description: ProductID is the USB product ID (e.g., "4230" 93 + for Pico HSM) 94 + type: string 95 + serialNumber: 96 + 
description: SerialNumber optionally matches a specific device 97 + serial number 98 + type: string 99 + vendorId: 100 + description: VendorID is the USB vendor ID (e.g., "20a0" for 101 + Pico HSM) 102 + type: string 103 + required: 104 + - productId 105 + - vendorId 106 + type: object 107 + type: object 87 108 maxDevices: 88 109 default: 10 89 110 description: MaxDevices limits how many instances of this device can ··· 127 148 description: NodeSelector specifies which nodes should be scanned 128 149 for this device 129 150 type: object 130 - pkcs11LibraryPath: 131 - description: PKCS11LibraryPath is the path to the PKCS#11 library 132 - for this device 133 - type: string 134 - usb: 135 - description: USB defines USB-based device discovery criteria 151 + pkcs11: 152 + description: PKCS11 defines PKCS#11 connection configuration for this 153 + device 136 154 properties: 137 - productId: 138 - description: ProductID is the USB product ID (e.g., "4230" for 139 - Pico HSM) 155 + libraryPath: 156 + description: LibraryPath is the path to the PKCS#11 library for 157 + this device 140 158 type: string 141 - serialNumber: 142 - description: SerialNumber optionally matches a specific device 143 - serial number 159 + pinSecret: 160 + description: PinSecret references a Kubernetes Secret containing 161 + the HSM PIN 162 + properties: 163 + key: 164 + description: Key is the key within the secret 165 + type: string 166 + name: 167 + description: Name is the name of the secret 168 + type: string 169 + namespace: 170 + description: Namespace is the namespace of the secret (optional, 171 + defaults to HSMDevice namespace) 172 + type: string 173 + required: 174 + - key 175 + - name 176 + type: object 177 + slotId: 178 + default: 0 179 + description: SlotId is the PKCS#11 slot ID to use for this device 180 + format: int32 181 + type: integer 182 + tokenLabel: 183 + description: TokenLabel optionally specifies the token label to 184 + match 144 185 type: string 145 - vendorId: 146 - 
description: VendorID is the USB vendor ID (e.g., "20a0" for Pico 147 - HSM) 148 - type: string 149 - required: 150 - - productId 151 - - vendorId 152 186 type: object 187 + pkcs11LibraryPath: 188 + description: |- 189 + PKCS11LibraryPath is the path to the PKCS#11 library for this device 190 + Deprecated: Use PKCS11.LibraryPath instead 191 + type: string 153 192 required: 154 193 - deviceType 155 194 type: object ··· 331 370 storage: true 332 371 subresources: 333 372 status: {} 334 - {{- end }}
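Review bot: The new `pkcs11.pinSecret.namespace` field (new lines 169–172) lets an HSMDevice, which its own description suggests is namespaced, point at a Secret in any namespace; if the controller fetches that Secret with its own service account, anyone allowed to create HSMDevices in one namespace can have the operator read HSM PINs from namespaces they cannot otherwise access. This file is generated from the Go API types, so the fix belongs in the types and controller rather than in this copy: drop the `namespace` field, or have the controller reject references outside the HSMDevice's namespace unless an explicit allow-list or an access check on the requesting subject is in place. The field's `description` should then state that restriction, e.g. `Namespace of the secret; must equal the HSMDevice namespace unless cross-namespace references are explicitly enabled`, so it surfaces here on the next `make helm-sync`.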
-8
helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmsecrets.yaml
··· 1 - {{- if .Values.crds.install }} 2 1 --- 3 2 apiVersion: apiextensions.k8s.io/v1 4 3 kind: CustomResourceDefinition 5 4 metadata: 6 5 annotations: 7 6 controller-gen.kubebuilder.io/version: v0.18.0 8 - {{- if not .Values.crds.keep }} 9 - "helm.sh/hook": pre-install,pre-upgrade 10 - "helm.sh/hook-delete-policy": before-hook-creation 11 - {{- end }} 12 7 name: hsmsecrets.hsm.j5t.io 13 - labels: 14 - {{- include "hsm-secrets-operator.labels" . | nindent 4 }} 15 8 spec: 16 9 group: hsm.j5t.io 17 10 names: ··· 223 216 storage: true 224 217 subresources: 225 218 status: {} 226 - {{- end }}