A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


update chart

+32 -8
+1 -1
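--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -216,7 +216,7 @@
 
 # PKCS#11 configuration per device
 pkcs11:
-  libraryPath: "/usr/lib/libsc-hsm-pkcs11.so"
+  libraryPath: "/usr/lib/libsc-hsm-pkcs11.so" # Example path - configure for your system
   slotId: 0
   pinSecret:
     name: "pico-hsm-pin"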
+1 -4
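--- a/cmd/discovery/main.go
+++ b/cmd/discovery/main.go
@@ -94,9 +94,6 @@
 	// Initialize USB discoverer with detection method preference
 	usbDiscoverer := discovery.NewUSBDiscovererWithMethod(detectionMethod)
 
-	// Initialize mirroring manager for cross-node HSM device synchronization
-	mirroringManager := discovery.NewMirroringManager(mgr.GetClient(), nodeName)
-
 	// Initialize device manager for Kubernetes resource management
 	deviceManager := discovery.NewHSMDeviceManager(hsmv1alpha1.HSMDeviceTypePicoHSM, "pico-hsm")
 
@@ -105,7 +102,7 @@
 		Scheme: mgr.GetScheme(),
 		NodeName: nodeName,
 		USBDiscoverer: usbDiscoverer,
-		MirroringManager: mirroringManager,
+		MirroringManager: nil, // Discovery doesn't handle secret mirroring
 		DeviceManager: deviceManager,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "HSMDevice")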
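Review bot: The HSMDevice reconciler is now constructed with `MirroringManager: nil`, so every use of that field inside the controller must be nil-guarded or the first reconcile that reaches it panics; those uses are outside this hunk, and so is the rest of the enclosing main function, so this is worth confirming before merge. If discovery genuinely never performs mirroring, the cleaner change is to drop the field from the controller's option struct rather than pass an explicit nil, and the inline comment can then live on the field's doc comment in the controller package instead of at the call site.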
+2 -2
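--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.2.4
-appVersion: v0.2.4
+version: 0.2.5
+appVersion: v0.2.5
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: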
+28 -1
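--- a/internal/hsm/client.go
+++ b/internal/hsm/client.go
@@ -90,14 +90,41 @@
 }
 
 // DefaultConfig returns a default HSM configuration
+// NOTE: PKCS11LibraryPath must be set from HSMDevice.Spec.PKCS11.LibraryPath
 func DefaultConfig() Config {
 	return Config{
-		PKCS11LibraryPath: "/usr/lib/opensc-pkcs11.so",
+		PKCS11LibraryPath: "", // Must be configured per-device
 		SlotID: 0,
 		ConnectionTimeout: 30 * time.Second,
 		RetryAttempts: 3,
 		RetryDelay: 2 * time.Second,
 	}
+}
+
+// ConfigFromHSMDevice creates a Config from HSMDevice spec
+func ConfigFromHSMDevice(hsmDevice HSMDeviceSpec, pin string) Config {
+	config := DefaultConfig()
+
+	if hsmDevice.PKCS11 != nil {
+		config.PKCS11LibraryPath = hsmDevice.PKCS11.LibraryPath
+		config.SlotID = uint(hsmDevice.PKCS11.SlotId)
+		config.TokenLabel = hsmDevice.PKCS11.TokenLabel
+	}
+
+	config.PIN = pin
+	return config
+}
+
+// HSMDeviceSpec represents the HSMDevice spec for config creation
+// This avoids importing the full v1alpha1 package in the hsm package
+type HSMDeviceSpec struct {
+	PKCS11 *PKCS11Config `json:"pkcs11,omitempty"`
+}
+
+type PKCS11Config struct {
+	LibraryPath string `json:"libraryPath,omitempty"`
+	SlotId int32 `json:"slotId,omitempty"`
+	TokenLabel string `json:"tokenLabel,omitempty"`
 }
 
 // CalculateChecksum calculates SHA256 checksum of secret data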
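Review bot: `config.SlotID = uint(hsmDevice.PKCS11.SlotId)` in ConfigFromHSMDevice converts a signed CRD field with no range check, so a negative slotId silently wraps to a very large unsigned slot number instead of being rejected; at minimum guard it with `if hsmDevice.PKCS11.SlotId >= 0 { config.SlotID = uint(hsmDevice.PKCS11.SlotId) }`, and since this is a new function it could return `(Config, error)` and reject a negative slot or an empty LibraryPath explicitly. DefaultConfig now leaves PKCS11LibraryPath empty, so any existing caller that still relied on the old default (none are visible in this hunk) will carry an empty path forward until whatever loads the PKCS#11 module fails; a validation step before use would report that as a configuration error rather than a load failure. The library path is now taken from the HSMDevice spec, which means whoever can create or update HSMDevice objects decides which shared library the operator process loads; that is worth stating in the ConfigFromHSMDevice doc comment, and if the project can, constraining the value to a known set of module paths. Minor: the new `SlotId` field breaks with the `SlotID` spelling already used on Config, and `PKCS11Config` has no doc comment, e.g. `// PKCS11Config mirrors the pkcs11 block of the HSMDevice spec.`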