A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


fix pcscd rundir

+15 -16
-11
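--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,3 @@
-# Multi-stage distroless Dockerfile for maximum security with USB access
-# Phase 2: Root + Distroless - compensates for root requirement with minimal attack surface
-
 # Stage 1: Go builder (also serves as dependency source)
 FROM golang:1.24-trixie AS builder
 ARG TARGETOS
@@ -19,10 +16,6 @@
 libpcsclite-dev \
 libusb-1.0-0-dev \
 && rm -rf /var/lib/apt/lists/*
-
-# Create necessary runtime directories
-RUN mkdir -p /run/pcscd /var/run/pcscd /var/lock/pcsc && \
-chmod 755 /run/pcscd /var/run/pcscd /var/lock/pcsc
 
 # Create minimal /etc/passwd and /etc/group for nonroot user (65532:65532)
 RUN echo "nonroot:x:65532:65532:nonroot:/:" > /tmp/passwd && \
@@ -133,10 +126,6 @@
 
 # Copy CA certificates
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-
-# Copy runtime directories (pcscd will use these)
-COPY --from=builder /var/run/pcscd /run/pcscd
-COPY --from=builder /var/lock/pcsc /var/lock/pcsc
 
 # Copy application binary (manages pcscd lifecycle internally - no shell needed)
 COPY --from=builder /workspace/hsm-operator /hsm-operator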
+1 -1
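--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.6.33
+VERSION ?= 0.6.34
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")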
+2 -2
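--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.6.33
-appVersion: v0.6.33
+version: 0.6.34
+appVersion: v0.6.34
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: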
+12 -2
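--- a/internal/agent/pcscd_manager.go
+++ b/internal/agent/pcscd_manager.go
@@ -56,11 +56,21 @@
 
 	p.logger.Info("Starting pcscd daemon")
 
+	// Ensure runtime directories exist (volumes may be empty initially)
+	dirs := []string{"/run/pcscd", "/var/lock/pcsc"}
+	for _, dir := range dirs {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			p.logger.Error(err, "Failed to create runtime directory", "dir", dir)
+			return fmt.Errorf("failed to create runtime directory %s: %w", dir, err)
+		}
+		p.logger.V(1).Info("Runtime directory ready", "dir", dir)
+	}
+
 	// Start pcscd with:
 	// -f: foreground mode (don't daemonize)
+	// -d: debug output (helps troubleshooting)
 	// --disable-polkit: disable PolicyKit (no D-Bus in container)
-	// Note: Removed -d and -a debug flags for production - add back if needed
-	p.cmd = exec.CommandContext(p.ctx, "/usr/sbin/pcscd", "-f", "--disable-polkit")
+	p.cmd = exec.CommandContext(p.ctx, "/usr/sbin/pcscd", "-f", "-d", "--disable-polkit")
 
 	// Pipe output to parent process for centralized logging
 	p.cmd.Stdout = os.Stdout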
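Review bot: The `-d` flag added to the `exec.CommandContext` call on new line 73 turns pcscd debug output on unconditionally, reversing the removed note that the debug flags had been dropped for production; because stdout is piped into the operator's centralized logging, this permanently raises log volume and puts smart-card session detail into logs that may be retained or shipped elsewhere. Make it opt-in instead: build `args := []string{"-f", "--disable-polkit"}`, append `"-d"` only when a debug setting on the manager is enabled (a constructed field such as `p.debug`), and pass `args...` to `exec.CommandContext`. Separately, the new `MkdirAll` loop covers `/run/pcscd` and `/var/lock/pcsc` but not `/var/run/pcscd`, which the old Dockerfile created alongside them; if `/var/run` is not a symlink to `/run` in the distroless image, pcscd's compiled-in run directory may still be missing, so this is worth confirming against the base image. The enclosing method begins before line 56 and continues past line 76 of the hunk.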