A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

fixes

+114 -316
+34 -96
.github/workflows/docker-publish.yml
··· 14 14 REGISTRY: ghcr.io 15 15 # github.repository as <account>/<repo> 16 16 IMAGE_NAME: ${{ github.repository }} 17 - DISCOVERY_IMAGE_NAME: ${{ github.repository }}-discovery 18 17 19 18 20 19 jobs: ··· 22 21 ci-check: 23 22 uses: ./.github/workflows/ci.yml 24 23 25 - build-manager: 26 - runs-on: ubuntu-latest 24 + build-unified: 25 + runs-on: ${{ matrix.runner }} 27 26 needs: ci-check 28 27 permissions: 29 28 contents: read ··· 32 31 # with sigstore/fulcio when running outside of PRs. 33 32 id-token: write 34 33 35 - steps: 36 - - name: Checkout repository 37 - uses: actions/checkout@v4 38 - 39 - # Install the cosign tool except on PR 40 - # https://github.com/sigstore/cosign-installer 41 - - name: Install cosign 42 - if: github.event_name != 'pull_request' 43 - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 44 - with: 45 - cosign-release: 'v2.2.4' 46 - 47 - # Set up BuildKit Docker container builder to be able to build 48 - # multi-platform images and export cache 49 - # https://github.com/docker/setup-buildx-action 50 - - name: Set up Docker Buildx 51 - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 52 - 53 - # Login against a Docker registry except on PR 54 - # https://github.com/docker/login-action 55 - - name: Log into registry ${{ env.REGISTRY }} 56 - if: github.event_name != 'pull_request' 57 - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 58 - with: 59 - registry: ${{ env.REGISTRY }} 60 - username: ${{ github.actor }} 61 - password: ${{ secrets.GITHUB_TOKEN }} 62 - 63 - # Extract metadata (tags, labels) for Docker 64 - # https://github.com/docker/metadata-action 65 - - name: Extract Docker metadata for Manager 66 - id: meta-manager 67 - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 68 - with: 69 - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 70 - 71 - # Build and push Manager Docker image with Buildx (don't push on 
PR) 72 - # Only build for amd64 to avoid long sc-hsm-embedded cross-compilation 73 - # https://github.com/docker/build-push-action 74 - - name: Build and push Manager Docker image 75 - id: build-and-push-manager 76 - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 77 - with: 78 - context: . 79 - file: ./Dockerfile 80 - push: ${{ github.event_name != 'pull_request' }} 81 - tags: ${{ steps.meta-manager.outputs.tags }} 82 - labels: ${{ steps.meta-manager.outputs.labels }} 83 - cache-from: type=gha,scope=manager 84 - cache-to: type=gha,mode=max,scope=manager 85 - platforms: linux/amd64 86 - 87 - # Sign the Manager Docker image digest except on PRs. 88 - - name: Sign the published Manager Docker image 89 - if: ${{ github.event_name != 'pull_request' }} 90 - env: 91 - TAGS: ${{ steps.meta-manager.outputs.tags }} 92 - DIGEST: ${{ steps.build-and-push-manager.outputs.digest }} 93 - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} 94 - 95 - build-discovery: 96 - runs-on: ${{ matrix.runner }} 97 - needs: ci-check 98 - permissions: 99 - contents: read 100 - packages: write 101 - id-token: write 102 - 103 34 strategy: 104 35 fail-fast: false 105 36 matrix: 106 37 include: 107 38 - runner: ubuntu-latest 108 39 platform: linux/amd64 109 - cache-scope: discovery-amd64 40 + cache-scope: unified-amd64 110 41 - runner: ubuntu-24.04-arm # Native ARM64 runner 111 42 platform: linux/arm64 112 - cache-scope: discovery-arm64 43 + cache-scope: unified-arm64 113 44 114 45 steps: 115 46 - name: Prepare ··· 121 52 uses: actions/checkout@v4 122 53 123 54 # Install the cosign tool except on PR 55 + # https://github.com/sigstore/cosign-installer 124 56 - name: Install cosign 125 57 if: github.event_name != 'pull_request' 126 58 uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 127 59 with: 128 60 cosign-release: 'v2.2.4' 129 61 130 - # Set up BuildKit Docker container builder 62 + # Set up BuildKit Docker container 
builder to be able to build 63 + # multi-platform images and export cache 64 + # https://github.com/docker/setup-buildx-action 131 65 - name: Set up Docker Buildx 132 66 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 133 67 with: 134 68 platforms: ${{ matrix.platform }} 135 69 136 70 # Login against a Docker registry except on PR 71 + # https://github.com/docker/login-action 137 72 - name: Log into registry ${{ env.REGISTRY }} 138 73 if: github.event_name != 'pull_request' 139 74 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 ··· 142 77 username: ${{ github.actor }} 143 78 password: ${{ secrets.GITHUB_TOKEN }} 144 79 145 - # Extract metadata for Discovery image 146 - - name: Extract Docker metadata for Discovery 147 - id: meta-discovery 80 + # Extract metadata (tags, labels) for Docker 81 + # https://github.com/docker/metadata-action 82 + - name: Extract Docker metadata 83 + id: meta 148 84 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 149 85 with: 150 - images: ${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }} 86 + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 151 87 152 - # Build and push Discovery Docker image by digest 153 - - name: Build and push Discovery Docker image 154 - id: build-and-push-discovery 88 + # Build and push unified Docker image by digest 89 + # https://github.com/docker/build-push-action 90 + - name: Build and push unified Docker image 91 + id: build-and-push 155 92 uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 156 93 with: 157 94 context: . 
158 - file: ./Dockerfile.discovery 95 + file: ./Dockerfile 159 96 push: ${{ github.event_name != 'pull_request' }} 160 97 platforms: ${{ matrix.platform }} 161 - labels: ${{ steps.meta-discovery.outputs.labels }} 98 + labels: ${{ steps.meta.outputs.labels }} 162 99 cache-from: type=gha,scope=${{ matrix.cache-scope }} 163 100 cache-to: type=gha,mode=max,scope=${{ matrix.cache-scope }} 164 - outputs: type=image,name=${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true 101 + outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true 165 102 166 103 - name: Export digest 167 104 run: | 168 105 mkdir -p /tmp/digests 169 - digest="${{ steps.build-and-push-discovery.outputs.digest }}" 106 + digest="${{ steps.build-and-push.outputs.digest }}" 170 107 touch "/tmp/digests/${digest#sha256:}" 171 108 172 109 - name: Upload digest ··· 176 113 path: /tmp/digests/* 177 114 if-no-files-found: error 178 115 retention-days: 1 116 + 179 117 merge-manifest: 180 118 runs-on: ubuntu-latest 181 - needs: [build-discovery] 119 + needs: [build-unified] 182 120 if: github.event_name != 'pull_request' 183 121 permissions: 184 122 contents: read ··· 210 148 username: ${{ github.actor }} 211 149 password: ${{ secrets.GITHUB_TOKEN }} 212 150 213 - # Extract metadata for Discovery image 214 - - name: Extract Docker metadata for Discovery 215 - id: meta-discovery 151 + # Extract metadata for unified image 152 + - name: Extract Docker metadata 153 + id: meta 216 154 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 217 155 with: 218 - images: ${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }} 156 + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 219 157 220 158 - name: Create manifest list and push 221 159 working-directory: /tmp/digests 222 160 run: | 223 161 docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) 
| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ 224 - $(printf '${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }}@sha256:%s ' *) 162 + $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) 225 163 226 164 - name: Get manifest digest 227 165 id: manifest 228 166 run: | 229 - DIGEST=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }}:${{ steps.meta-discovery.outputs.version }} | grep "Digest:" | head -1 | awk '{print $2}') 167 + DIGEST=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | grep "Digest:" | head -1 | awk '{print $2}') 230 168 echo "digest=$DIGEST" >> $GITHUB_OUTPUT 231 169 232 - # Sign the Discovery Docker manifest 233 - - name: Sign the published Discovery Docker image 170 + # Sign the unified Docker manifest 171 + - name: Sign the published Docker image 234 172 env: 235 - TAGS: ${{ steps.meta-discovery.outputs.tags }} 173 + TAGS: ${{ steps.meta.outputs.tags }} 236 174 DIGEST: ${{ steps.manifest.outputs.digest }} 237 175 run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} 238 176 239 177 - name: Inspect image 240 178 run: | 241 - docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.DISCOVERY_IMAGE_NAME }}:${{ steps.meta-discovery.outputs.version }} 179 + docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
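Review bot: The `outputs:` line of the "Build and push unified Docker image" step still hard-codes `push=true` while the step's `push:` input is conditional on `github.event_name != 'pull_request'`; on a pull_request run the registry login step is skipped, so either the digest push fails or, if buildx honours the conditional input, the "Upload digest" step with `if-no-files-found: error` fails on an empty /tmp/digests — which of the two happens is not visible here, but PR builds look fragile either way. The line was only renamed in this commit (`DISCOVERY_IMAGE_NAME` to `IMAGE_NAME`), so the conflict predates it. Consider making the output flag follow the same condition, e.g. `push=${{ github.event_name != 'pull_request' }}`, and guarding the "Export digest" and "Upload digest" steps with the same `if:`.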
+5 -1
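--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,7 @@
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o agent cmd/agent/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o discovery cmd/discovery/main.go
 
 FROM alpine:3.22 AS base
 
@@ -57,6 +58,9 @@
 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/agent .
+COPY --from=builder /workspace/discovery .
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/entrypoint.sh"]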
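Review bot: `COPY entrypoint.sh /entrypoint.sh` followed by `RUN chmod +x /entrypoint.sh` adds a layer that duplicates the file; BuildKit's `COPY --chmod=755 entrypoint.sh /entrypoint.sh` does both in one step and keeps the mode independent of the checkout's permissions. The new entrypoint starts `pcscd` at container start, and this stage switches to `USER 65532:65532` just before it, so the daemon runs unprivileged and needs the USB/device nodes the pod exposes to be accessible to that UID; if pcscd is expected to run as root here, the user switch and the entrypoint disagree — this diff does not show which is intended, so a comment next to the `USER` line stating the expectation would help.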
-58
Dockerfile.discovery
··· 1 - # Lightweight discovery agent - no HSM libraries needed 2 - FROM golang:1.24-alpine AS builder 3 - ARG TARGETOS 4 - ARG TARGETARCH 5 - 6 - WORKDIR /workspace 7 - # Copy the Go Modules manifests 8 - COPY go.mod go.mod 9 - COPY go.sum go.sum 10 - # cache deps before building and copying source so that we don't need to re-download as much 11 - # and so that source changes don't invalidate our downloaded layer 12 - RUN go mod download 13 - 14 - # Copy the go source (only what's needed for discovery) 15 - COPY cmd/discovery/ cmd/discovery/ 16 - COPY api/ api/ 17 - COPY internal/ internal/ 18 - 19 - # Build discovery binary only 20 - RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o discovery cmd/discovery/main.go 21 - 22 - FROM alpine:3.22 AS base 23 - 24 - # Update Alpine packages 25 - RUN apk update 26 - 27 - # Install compilation tools 28 - RUN apk add --no-cache \ 29 - git \ 30 - gcc \ 31 - g++ \ 32 - make \ 33 - cmake \ 34 - pkgconfig \ 35 - openssl-dev \ 36 - pcsc-lite-dev \ 37 - libusb-dev \ 38 - autoconf \ 39 - automake \ 40 - libtool 41 - 42 - RUN cd / && git clone https://github.com/CardContact/sc-hsm-embedded.git 43 - WORKDIR /sc-hsm-embedded 44 - RUN autoreconf -fi && ./configure 45 - RUN make && make install 46 - 47 - FROM alpine:3.22 48 - RUN apk add --no-cache opensc-dev ccid pcsc-lite openssl libtool libusb 49 - 50 - COPY --from=base /usr/lib/libssl.so* /usr/lib/ 51 - COPY --from=base /usr/lib/libcrypto.so* /usr/lib/ 52 - COPY --from=base /usr/local/ /usr/local/ 53 - 54 - WORKDIR / 55 - COPY --from=builder /workspace/discovery . 56 - USER 65532:65532 57 - 58 - ENTRYPOINT ["/discovery"]
-128
Dockerfile.talos
··· 1 - # Multi-stage Dockerfile for HSM Secrets Operator with PKCS#11 libraries 2 - # Optimized for Talos Linux deployments 3 - 4 - # Stage 1: Build PKCS#11 libraries 5 - FROM alpine:3.18 AS pkcs11-builder 6 - 7 - # Install build dependencies 8 - RUN apk add --no-cache \ 9 - wget \ 10 - tar \ 11 - gzip \ 12 - build-base \ 13 - autoconf \ 14 - automake \ 15 - libtool \ 16 - pkgconfig \ 17 - openssl-dev \ 18 - libusb-dev \ 19 - pcsc-lite-dev \ 20 - flex \ 21 - help2man 22 - 23 - # Build OpenSC (most common PKCS#11 library) 24 - ENV OPENSC_VERSION=0.24.0 25 - RUN wget https://github.com/OpenSC/OpenSC/releases/download/${OPENSC_VERSION}/opensc-${OPENSC_VERSION}.tar.gz && \ 26 - tar -xzf opensc-${OPENSC_VERSION}.tar.gz && \ 27 - cd opensc-${OPENSC_VERSION} && \ 28 - ./configure \ 29 - --prefix=/usr/local \ 30 - --enable-pcsc \ 31 - --enable-openssl \ 32 - --disable-static \ 33 - --enable-shared && \ 34 - make -j$(nproc) && \ 35 - make install 36 - 37 - # Build YubiKey PKCS#11 library (optional but common) 38 - ENV YUBICO_PIV_VERSION=2.4.0 39 - RUN wget https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-${YUBICO_PIV_VERSION}.tar.gz && \ 40 - tar -xzf yubico-piv-tool-${YUBICO_PIV_VERSION}.tar.gz && \ 41 - cd yubico-piv-tool-${YUBICO_PIV_VERSION} && \ 42 - ./configure --prefix=/usr/local && \ 43 - make -j$(nproc) && \ 44 - make install 45 - 46 - # Build SoftHSM (useful for testing and dev environments) 47 - ENV SOFTHSM_VERSION=2.6.1 48 - RUN wget https://dist.opendnssec.org/source/softhsm-${SOFTHSM_VERSION}.tar.gz && \ 49 - tar -xzf softhsm-${SOFTHSM_VERSION}.tar.gz && \ 50 - cd softhsm-${SOFTHSM_VERSION} && \ 51 - ./configure --prefix=/usr/local && \ 52 - make -j$(nproc) && \ 53 - make install 54 - 55 - # Organize libraries for runtime stage 56 - RUN mkdir -p /pkcs11-libs && \ 57 - cp /usr/local/lib/pkcs11/*.so /pkcs11-libs/ && \ 58 - cp /usr/local/lib/libykcs11*.so /pkcs11-libs/ 2>/dev/null || true && \ 59 - cp /usr/local/lib/libsofthsm2.so 
/pkcs11-libs/ 2>/dev/null || true && \ 60 - chmod 755 /pkcs11-libs/*.so 61 - 62 - # Create library configuration files 63 - RUN mkdir -p /pkcs11-config 64 - COPY <<EOF /pkcs11-config/opensc.conf 65 - # OpenSC Configuration for HSM Secrets Operator 66 - app default { 67 - card_drivers = piv, openpgp, sc-hsm; 68 - reader_drivers = pcsc, openct; 69 - } 70 - EOF 71 - 72 - # Stage 2: Build Go application 73 - FROM golang:1.24-alpine AS go-builder 74 - 75 - ARG TARGETOS 76 - ARG TARGETARCH 77 - 78 - WORKDIR /workspace 79 - 80 - # Copy the Go Modules manifests 81 - COPY go.mod go.mod 82 - COPY go.sum go.sum 83 - 84 - # Cache deps before building and copying source so that we don't need to re-download as much 85 - # and so that source changes don't invalidate our downloaded layer 86 - RUN go mod download 87 - 88 - # Copy the go source 89 - COPY cmd/main.go cmd/main.go 90 - COPY api/ api/ 91 - COPY internal/ internal/ 92 - 93 - # Build 94 - # the GOARCH has not a default value to allow the binary be built according to the host where the command 95 - # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO 96 - # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, 97 - # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. 
98 - RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go 99 - 100 - # Stage 3: Runtime image optimized for Talos 101 - FROM gcr.io/distroless/static:nonroot 102 - 103 - # Labels for image metadata 104 - LABEL org.opencontainers.image.title="HSM Secrets Operator for Talos" 105 - LABEL org.opencontainers.image.description="Kubernetes operator for managing HSM-backed secrets on Talos Linux" 106 - LABEL org.opencontainers.image.vendor="HSM Secrets Operator" 107 - LABEL org.opencontainers.image.licenses="Apache-2.0" 108 - 109 - # Copy PKCS#11 libraries from builder stage 110 - COPY --from=pkcs11-builder /pkcs11-libs/* /usr/local/lib/pkcs11/ 111 - COPY --from=pkcs11-builder /pkcs11-config/* /etc/pkcs11/ 112 - 113 - # Copy runtime dependencies (minimal) 114 - COPY --from=pkcs11-builder /usr/local/lib/libopensc.so* /usr/local/lib/ 115 - COPY --from=pkcs11-builder /usr/local/lib/libykcs11.so* /usr/local/lib/ 116 - COPY --from=pkcs11-builder /usr/local/lib/libsofthsm2.so* /usr/local/lib/ 117 - 118 - # Copy the manager binary 119 - COPY --from=go-builder /workspace/manager . 120 - 121 - # Set library path for PKCS#11 libraries 122 - ENV LD_LIBRARY_PATH="/usr/local/lib/pkcs11:/usr/local/lib" 123 - ENV PKCS11_MODULE_PATH="/usr/local/lib/pkcs11" 124 - ENV OPENSC_CONF="/etc/pkcs11/opensc.conf" 125 - 126 - USER 65532:65532 127 - 128 - ENTRYPOINT ["/manager"]
+5 -19
Makefile
··· 51 51 OPERATOR_SDK_VERSION ?= v1.41.1 52 52 # Image URL to use all building/pushing image targets 53 53 IMG ?= controller:latest 54 - DISCOVERY_IMG ?= hsm-discovery:latest 55 54 56 55 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) 57 56 ifeq (,$(shell go env GOBIN)) ··· 187 186 docker-push: ## Push docker image with the manager. 188 187 $(CONTAINER_TOOL) push ${IMG} 189 188 190 - .PHONY: docker-build-discovery 191 - docker-build-discovery: ## Build docker image for the discovery agent (native sysfs, distroless). 192 - $(CONTAINER_TOOL) build -f Dockerfile.discovery -t ${DISCOVERY_IMG} . 193 - 194 - .PHONY: docker-push-discovery 195 - docker-push-discovery: ## Push docker image for the discovery agent. 196 - $(CONTAINER_TOOL) push ${DISCOVERY_IMG} 197 - 198 - .PHONY: docker-build-all 199 - docker-build-all: docker-build docker-build-discovery ## Build both docker images. 200 - 201 - .PHONY: docker-push-all 202 - docker-push-all: docker-push docker-push-discovery ## Push both docker images. 189 + .PHONY: docker-build-multiarch 190 + docker-build-multiarch: ## Build docker image for multiple architectures and push. 191 + $(CONTAINER_TOOL) buildx build --platform linux/amd64,linux/arm64 --push -t ${IMG} . 203 192 204 193 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple 205 194 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: ··· 209 198 # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. 
210 199 PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le 211 200 .PHONY: docker-buildx 212 - docker-buildx: ## Build and push docker image for the manager for cross-platform support 213 - # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile 214 - sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross 201 + docker-buildx: ## Build and push docker image for cross-platform support (linux/amd64,linux/arm64) 215 202 - $(CONTAINER_TOOL) buildx create --name hsm-secrets-operator-builder 216 203 $(CONTAINER_TOOL) buildx use hsm-secrets-operator-builder 217 - - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . 204 + - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} . 218 205 - $(CONTAINER_TOOL) buildx rm hsm-secrets-operator-builder 219 - rm Dockerfile.cross 220 206 221 207 .PHONY: build-installer 222 208 build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment.
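Review bot: The new help text on `docker-buildx` says `(linux/amd64,linux/arm64)`, but the target still builds `--platform=$(PLATFORMS)`, whose default a few lines above is `linux/arm64,linux/amd64,linux/s390x,linux/ppc64le`; either trim it to what the workflow ships, `PLATFORMS ?= linux/arm64,linux/amd64`, or drop the parenthetical. The removed `Dockerfile.cross` rewrite was what pinned the first build stage to `--platform=${BUILDPLATFORM}`; unless the Dockerfile now carries that itself (not visible in this hunk), the Go build and the sc-hsm-embedded compile run under emulation for every foreign target, which is slow for the native part. `docker-build-multiarch` and `docker-buildx` now do nearly the same thing with different platform lists; one could be dropped or made to reuse `PLATFORMS`.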
+39
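--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -e
+
+pcscd &
+sleep 2
+
+# Entrypoint script for HSM Secrets Operator
+# Supports running manager, discovery, or agent binaries from the same container
+
+case "$1" in
+  "manager")
+    shift
+    exec /manager "$@"
+    ;;
+  "discovery")
+    shift
+    exec /discovery "$@"
+    ;;
+  "agent")
+    shift
+    exec /agent "$@"
+    ;;
+  "--manager")
+    shift
+    exec /manager "$@"
+    ;;
+  "--discovery")
+    shift
+    exec /discovery "$@"
+    ;;
+  "--agent")
+    shift
+    exec /agent "$@"
+    ;;
+  *)
+    # Default to manager for backward compatibility
+    exec /manager "$@"
+    ;;
+esac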
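Review bot: `pcscd &` runs before the `case`, so `set -e` never sees its exit status: if the daemon cannot start under UID 65532 (no access to the device nodes, no writable socket directory) the script sleeps two seconds and `exec`s the binary anyway, which then fails later with a less obvious PC/SC error. A check after the sleep makes the failure visible at startup: `kill -0 "$!" 2>/dev/null || { echo "pcscd failed to start" >&2; exit 1; }`. The daemon is also started for the `manager` branch, which the Helm deployment runs without any HSM device; if the manager never talks to PC/SC (not verifiable from this diff), moving the start into the `discovery` and `agent` arms avoids an idle daemon in every controller pod. The paired arms can be folded with pattern alternation, e.g. `manager|--manager)`.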
+2 -1
helm/hsm-secrets-operator/templates/daemonset.yaml
··· 43 43 image: {{ include "hsm-secrets-operator.discoveryImage" . }} 44 44 imagePullPolicy: {{ .Values.discoveryImage.pullPolicy }} 45 45 command: 46 - - /discovery 46 + - /entrypoint.sh 47 + - discovery 47 48 args: 48 49 - --node-name=$(NODE_NAME) 49 50 {{- if .Values.discovery.syncInterval }}
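Review bot: `command:` now hard-codes `/entrypoint.sh` from the image while `discoveryImage.repository` stays independently overridable in values.yaml, so a user pointing it at an image without that script gets a pod that fails at exec with no hint; the same applies to `deployment.yaml`. Since the image's ENTRYPOINT in the Dockerfile is already `/entrypoint.sh`, the chart could drop `command:` and put `- discovery` first in `args:`, letting the image own the script path. Either way, a one-line comment above `command:` noting the dependency on the unified image's entrypoint would save the next person a debugging round.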
+2 -1
helm/hsm-secrets-operator/templates/deployment.yaml
··· 40 40 image: {{ include "hsm-secrets-operator.image" . }} 41 41 imagePullPolicy: {{ .Values.image.pullPolicy }} 42 42 command: 43 - - /manager 43 + - /entrypoint.sh 44 + - manager 44 45 args: 45 46 - --leader-elect={{ .Values.leaderElection.enabled }} 46 47 {{- if .Values.config.verboseLogging }}
+5 -3
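--- a/helm/hsm-secrets-operator/values.yaml
+++ b/helm/hsm-secrets-operator/values.yaml
@@ -8,17 +8,19 @@
   pullPolicy: IfNotPresent
   tag: "" # Defaults to the chart appVersion
 
-# Discovery image configuration (separate lightweight image)
+# Discovery image configuration
+# Uses same unified image as manager and discoveryc
 discoveryImage:
-  repository: ghcr.io/evanjarrett/hsm-secrets-operator-discovery
+  repository: ghcr.io/evanjarrett/hsm-secrets-operator
   pullPolicy: IfNotPresent
   tag: "" # Defaults to the chart appVersion
 
 # Agent image configuration (for HSM agent pods)
+# Uses same unified image as manager and discoveryc
 agentImage:
   repository: ghcr.io/evanjarrett/hsm-secrets-operator
   pullPolicy: IfNotPresent
-  tag: "" # Defaults to the chart appVersion (uses same image as manager)
+  tag: "" # Defaults to the chart appVersion (uses same unified image)
 
 imagePullSecrets: []
 nameOverride: ""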
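Review bot: Both added comments read `Uses same unified image as manager and discoveryc` — a typo, and on the `discoveryImage` block it describes the image as sharing with itself. Suggest `# Uses the same unified image as the manager` above `discoveryImage:` and `# Uses the same unified image as the manager and discovery` above `agentImage:`. With one image for all three components, the three separate repository/tag knobs mostly invite version drift between manager, discovery and agent pods; if keeping them is deliberate for staged rollouts, a comment saying so would help.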
+2 -2
internal/agent/deployment.go
··· 239 239 Name: "agent", 240 240 Image: m.AgentImage, 241 241 Command: []string{ 242 - "/agent", 242 + "/entrypoint.sh", 243 + "agent", 243 244 }, 244 245 Args: []string{ 245 - "--agent-mode", 246 246 "--device-name=" + hsmDevice.Name, 247 247 "--port=" + fmt.Sprintf("%d", AgentPort), 248 248 "--health-port=" + fmt.Sprintf("%d", AgentHealthPort),
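Review bot: The agent pod's `Command` now depends on the image's entrypoint contract, and that script falls through to `/manager` for any unrecognised first argument; if `m.AgentImage` ever lags behind the operator (it is a separate chart value), the pod quietly runs the manager binary with agent flags and fails in an unrelated place. Worth a comment on the `Command` literal, `// relies on the unified image's /entrypoint.sh dispatcher; a mismatched AgentImage silently falls back to /manager`, or dropping `Command` and passing `"agent"` as the first element of `Args` so the image's own ENTRYPOINT is used. Dropping `--agent-mode` is fine as long as `/agent` no longer requires it, which this hunk does not show. The enclosing function starts and ends outside the hunk.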
+20 -7
internal/controller/hsmdevice_controller.go
··· 122 122 123 123 logger.Info("Device discovery completed", "foundDevices", len(discoveredDevices)) 124 124 125 - // Update status with discovered devices 126 - phase := hsmv1alpha1.HSMDevicePhaseReady 127 - if len(discoveredDevices) == 0 { 128 - phase = hsmv1alpha1.HSMDevicePhasePending 129 - } 130 - 131 - result, err := r.updateStatus(ctx, hsmDevice, phase, discoveredDevices, "") 125 + // Update status with discovered devices - phase will be calculated in updateStatus based on merged devices 126 + result, err := r.updateStatus(ctx, hsmDevice, hsmv1alpha1.HSMDevicePhaseReady, discoveredDevices, "") 132 127 if err != nil { 133 128 return result, err 134 129 } ··· 401 396 if hsmDevice.Status.AvailableDevices != availableCount { 402 397 needsUpdate = true 403 398 hsmDevice.Status.AvailableDevices = availableCount 399 + } 400 + 401 + // Calculate phase based on merged device list (not just current node's discovery) 402 + newPhase := hsmv1alpha1.HSMDevicePhaseReady 403 + if len(mergedDevices) == 0 { 404 + newPhase = hsmv1alpha1.HSMDevicePhasePending 405 + } 406 + 407 + // Override with error phase if needed 408 + if phase == hsmv1alpha1.HSMDevicePhaseError { 409 + newPhase = phase 410 + } 411 + 412 + // Check if phase changed 413 + if hsmDevice.Status.Phase != newPhase { 414 + needsUpdate = true 415 + hsmDevice.Status.Phase = newPhase 416 + phase = newPhase // Update the phase variable for condition logic 404 417 } 405 418 406 419 // Update conditions only if needed
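Review bot: `phase = newPhase` sits inside the `if hsmDevice.Status.Phase != newPhase` block, so when the stored phase already equals the recalculated one (say both Pending) the local `phase` keeps the caller's value — after the first hunk that is always `HSMDevicePhaseReady` — and the condition logic that follows runs with Ready while the status says Pending. Move the assignment out of the branch, `phase = newPhase` directly after the error override, leaving the `if` to only set `needsUpdate` and `hsmDevice.Status.Phase`. The first hunk now passes `hsmv1alpha1.HSMDevicePhaseReady` purely as a placeholder; a comment on the parameter in `updateStatus` saying that only `HSMDevicePhaseError` is honoured from callers would make that explicit. `updateStatus` begins and ends outside the hunk.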