A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
update

+56 -9
+2
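--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@
 
 on:
   push:
+    tags-ignore:
+      - '**'
   pull_request:
   workflow_call:
 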
+2 -2
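--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.2.8
-appVersion: v0.2.8
+version: 0.2.9
+appVersion: v0.2.9
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: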
+52 -7
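--- a/internal/controller/hsmdevice_controller.go
+++ b/internal/controller/hsmdevice_controller.go
@@ -257,6 +257,29 @@
 	return r.discoverUSBDevices(ctx, &tempDevice)
 }
 
+// deviceListsEqual compares two lists of discovered devices for equality
+func deviceListsEqual(a, b []hsmv1alpha1.DiscoveredDevice) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	// Create maps for comparison (using device path and node as key)
+	aMap := make(map[string]hsmv1alpha1.DiscoveredDevice)
+	for _, device := range a {
+		key := device.NodeName + ":" + device.DevicePath
+		aMap[key] = device
+	}
+
+	for _, device := range b {
+		key := device.NodeName + ":" + device.DevicePath
+		if _, exists := aMap[key]; !exists {
+			return false
+		}
+	}
+
+	return true
+}
+
 // shouldDiscoverOnNode determines if device discovery should run on this node
 func (r *HSMDeviceReconciler) shouldDiscoverOnNode(hsmDevice *hsmv1alpha1.HSMDevice) bool {
 	// If no node selector is specified, discover on all nodes
@@ -299,6 +322,7 @@
 }
 
 // updateStatus updates the HSMDevice status
+// nolint:gocyclo // Complex status update logic is kept together for maintainability
 func (r *HSMDeviceReconciler) updateStatus(ctx context.Context, hsmDevice *hsmv1alpha1.HSMDevice, phase hsmv1alpha1.HSMDevicePhase, devices []hsmv1alpha1.DiscoveredDevice, errorMsg string) (ctrl.Result, error) {
 	now := metav1.Now()
 
@@ -316,12 +340,33 @@
 	hsmDevice.Status.Phase = phase
 	}
 
-	// Check if device count changed
-	newDeviceCount := int32(len(devices))
-	if hsmDevice.Status.TotalDevices != newDeviceCount {
+	// Merge discovered devices from this node with devices from other nodes
+	currentNodeName := r.getNodeName()
+	staleThreshold := 5 * time.Minute // Consider devices stale after 5 minutes
+
+	// Keep devices from other nodes, remove old entries from current node and stale devices
+	var mergedDevices []hsmv1alpha1.DiscoveredDevice
+	for _, existingDevice := range hsmDevice.Status.DiscoveredDevices {
+		if existingDevice.NodeName != currentNodeName {
+			// Check if device from other node is stale
+			if time.Since(existingDevice.LastSeen.Time) < staleThreshold {
+				// Keep fresh devices from other nodes
+				mergedDevices = append(mergedDevices, existingDevice)
+			}
+			// Stale devices are dropped
+		}
+		// Devices from current node are replaced with fresh discovery
+	}
+
+	// Add new devices from current node
+	mergedDevices = append(mergedDevices, devices...)
+
+	// Check if device list changed
+	newDeviceCount := int32(len(mergedDevices))
+	if hsmDevice.Status.TotalDevices != newDeviceCount || !deviceListsEqual(hsmDevice.Status.DiscoveredDevices, mergedDevices) {
 		needsUpdate = true
 		hsmDevice.Status.TotalDevices = newDeviceCount
-		hsmDevice.Status.DiscoveredDevices = devices
+		hsmDevice.Status.DiscoveredDevices = mergedDevices
 	}
 
 	// Only update LastDiscoveryTime if there are significant changes or it's been a while
@@ -344,9 +389,9 @@
 		hsmDevice.Status.LastDiscoveryTime = &now
 	}
 
-	// Count available devices
+	// Count available devices from merged list
 	availableCount := int32(0)
-	for _, device := range devices {
+	for _, device := range mergedDevices {
 		if device.Available {
 			availableCount++
 		}
@@ -362,7 +407,7 @@
 	conditionType := "DeviceDiscovery"
 	conditionStatus := metav1.ConditionTrue
 	reason := string(phase)
-	message := fmt.Sprintf("Discovered %d devices", len(devices))
+	message := fmt.Sprintf("Discovered %d devices", len(mergedDevices))
 
 	if phase == hsmv1alpha1.HSMDevicePhaseError {
 		conditionStatus = metav1.ConditionFalse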
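Review bot: deviceListsEqual only checks that the same node:path keys are present, so when the key set is unchanged the condition at new line 366 is false and Status.DiscoveredDevices is never refreshed with the fresh entries — neither a changed Available flag nor a newer LastSeen reaches the status. Since the merge on new lines 349–359 prunes other nodes' devices once time.Since(LastSeen) exceeds the 5 minute staleThreshold, a device that is still present but whose stored LastSeen is never rewritten will be dropped by the next reconcile on another node (assuming discovery stamps LastSeen with the current time, which is not visible here). I would have the comparison also consider Available and treat a LastSeen refresh as a change once the stored timestamp is older than a fraction of the stale window, and pass that window from the call site: `!deviceListsEqual(hsmDevice.Status.DiscoveredDevices, mergedDevices, staleThreshold/2)`. Separately, the marker on new line 325 is written as `// nolint:gocyclo`; golangci-lint expects `//nolint:gocyclo` with no space, and I believe the spaced form is not honored by recent versions. updateStatus continues outside the last hunk.
```go
// deviceListsEqual reports whether a and b describe the same devices with the
// same availability. A device whose LastSeen in b is more than refreshAfter
// newer than in a counts as a change, so the status is rewritten before the
// stale-pruning in updateStatus could drop a device that is still present.
func deviceListsEqual(a, b []hsmv1alpha1.DiscoveredDevice, refreshAfter time.Duration) bool {
	if len(a) != len(b) {
		return false
	}
	aMap := make(map[string]hsmv1alpha1.DiscoveredDevice, len(a))
	for _, device := range a {
		aMap[device.NodeName+":"+device.DevicePath] = device
	}
	for _, device := range b {
		existing, ok := aMap[device.NodeName+":"+device.DevicePath]
		if !ok || existing.Available != device.Available {
			return false
		}
		if device.LastSeen.Time.Sub(existing.LastSeen.Time) > refreshAfter {
			return false
		}
	}
	return true
}
```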