A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

update claude.md

+4 -9
+4 -6
CLAUDE.md
··· 56 56 - **HSMPool-based Agent Discovery**: API and controllers query HSMPool to find all agent instances for a device type 57 57 - **Multiple Agent Instances**: Each physical device gets its own agent pod (e.g., `hsm-agent-pico-hsm-0`, `hsm-agent-pico-hsm-1`) 58 58 - **Multi-Agent Operations**: API operations (list, write, delete) work across all agents when mirroring is enabled 59 - - **Automatic Synchronization**: HSMMirrorReconciler handles conflict detection and resolution between devices 59 + - **Automatic Synchronization**: Multi-device operations handle conflict detection and resolution between devices 60 60 61 61 **gRPC Communication Architecture:** 62 62 - Protocol definition in `api/proto/hsm/v1/hsm.proto` with 10 HSM operations ··· 70 70 Manager Controllers: 71 71 ├── HSMSecretReconciler - HSM to K8s Secret sync 72 72 ├── HSMPoolReconciler - Aggregates discovery reports from pod annotations 73 - ├── HSMPoolAgentReconciler - Deploys agents when pools are ready 74 - ├── HSMMirrorReconciler - Multi-device HSM mirroring and conflict resolution 73 + ├── HSMPoolAgentReconciler - Deploys agents dynamically when devices are ready 75 74 └── DiscoveryDaemonSetReconciler - Manages discovery DaemonSet lifecycle 76 75 77 76 Discovery Controllers: ··· 137 136 # Production image (agent has PKCS#11 support) 138 137 make docker-build IMG=hsm-secrets-operator:latest 139 138 140 - # Testing image (mock clients only, no CGO dependencies) 141 - make docker-build-testing IMG=hsm-secrets-operator:latest 139 + # Production build only (testing handled via build tags) 142 140 143 141 # Deploy to cluster 144 142 make deploy IMG=hsm-secrets-operator:latest ··· 325 323 1. `HSMSecretReconciler` reads from HSM via gRPC agents 326 324 2. `HSMPoolReconciler` aggregates device discovery reports from pod annotations (race-free) 327 325 3. `HSMPoolAgentReconciler` deploys agents dynamically when devices are ready 328 - 4. 
`HSMSyncReconciler` handles multi-device HSM synchronization (HSM ↔ HSM only) 326 + 4. Multi-device operations provide HSM synchronization capabilities 329 327 330 328 **Agent Discovery Architecture:** 331 329 - **HSMPool as Source of Truth**: API and controllers query HSMPool.Status.AggregatedDevices instead of individual HSMDevice resources
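Review bot: the replacement bullet at line 59 drops the one concrete fact the old bullet carried. `HSMMirrorReconciler handles conflict detection and resolution between devices` named a component a reader could grep for; `Multi-device operations handle conflict detection and resolution between devices` names nothing. Either state which package or controller now owns conflict detection and resolution, or delete the bullet. Line 58 also still says multi-agent operations work `when mirroring is enabled`; if the mirroring reconciler is gone, say what enables mirroring now.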
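Review bot: with `HSMMirrorReconciler` removed from the Manager Controllers tree (old line 74), no controller listed there owns the multi-device synchronization that the bullets above still advertise. Either add the component that performs it, or make the earlier text say explicitly that synchronization happens inside API operations rather than in a reconciler. The reworded `HSMPoolAgentReconciler` entry, `Deploys agents dynamically when devices are ready`, now matches step 3 of the reconciliation flow further down, which is the right thing to do.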
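Review bot: the new line `# Production build only (testing handled via build tags)` is a comment with no command under it, placed directly after `# Production image (agent has PKCS#11 support)`, which already describes the `make docker-build` invocation. Either delete it or make it actionable: name the build tag that selects the mock clients and show how to build with it, because the removed `make docker-build-testing` target was the documented way to get an image without CGO dependencies.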
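Review bot: step 4 now reads `Multi-device operations provide HSM synchronization capabilities`, which says neither who performs the sync nor what its scope is; the removed line at least stated `HSM ↔ HSM only`. Keep the scope qualifier if HSM-to-HSM sync still exists, or remove step 4 if it does not. Note also that the removed lines in this file disagree with each other: this hunk deletes `HSMSyncReconciler` while the first hunk deletes `HSMMirrorReconciler`, so the old document already used two names for the same responsibility. The rewrite should settle on the name of whatever replaced them rather than replace both with vague wording.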
-3
internal/modes/manager/manager.go
··· 251 251 return err 252 252 } 253 253 254 - // HSM mirroring is now handled by the sync package and HSMSyncReconciler 255 - // Device discovery is handled by separate discovery daemon 256 - 257 254 // Get current operator namespace and name 258 255 operatorNamespace := getCurrentNamespace() 259 256 operatorName := getOperatorName()
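Review bot: this hunk deletes only the comment `HSM mirroring is now handled by the sync package and HSMSyncReconciler`; no code changes are visible, so whatever that comment described (an import of the sync package, any code that constructed or registered `HSMSyncReconciler`) is not shown here. Confirm it was removed in the same change, otherwise a stale import or dead setup code is left behind while the comment that explained it is gone. The second removed line, `Device discovery is handled by separate discovery daemon`, still matches the `DiscoveryDaemonSetReconciler` listed in CLAUDE.md, so consider keeping that pointer.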