evan.jarrett.net / hsm-secrets-operator
A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

rip out ccid

Evan Jarrett dc50c7a5 7480bfda

+4 -52
+1 -10
Dockerfile
··· 80 80 COPY --from=builder /usr/sbin/pcscd /usr/sbin/ 81 81 COPY --from=builder /usr/bin/pkcs11-tool /usr/bin/ 82 82 83 - # Copy udev rules for HSM devices (CCID support) 84 - COPY --from=builder /lib/udev/rules.d/92-libccid.rules /lib/udev/rules.d/ 85 - 86 - # Copy CCID drivers for pcscd 87 - COPY --from=builder /usr/lib/pcsc /usr/lib/pcsc 88 - 89 - # Copy CCID configuration file (needed for Info.plist symlink) 90 - COPY --from=builder /etc/libccid_Info.plist /etc/ 91 - 92 83 # Copy CA certificates 93 84 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ 94 85 95 - # Copy runtime directories 86 + # Copy runtime directories (but NOT pcsc drivers - avoiding CCID) 96 87 COPY --from=builder /var/run/pcscd /run/pcscd 97 88 COPY --from=builder /var/lock/pcsc /var/lock/pcsc 98 89
+2 -41
entrypoint.sh
··· 22 22 udevadm settle --timeout=2 2>/dev/null || true 23 23 fi 24 24 25 - # Apply CCID interface fix for Pico HSM 26 - echo "Applying CCID interface fix for Pico HSM..." 27 - 28 - # Check if we can modify the CCID configuration 29 - CCID_CONFIG="/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist" 30 - if [ -f "$CCID_CONFIG" ]; then 31 - # Create backup 32 - cp "$CCID_CONFIG" /tmp/Info.plist.backup 33 - 34 - echo "Original CCID driver options:" 35 - grep -A 1 "ifdDriverOptions" "$CCID_CONFIG" || echo "Not found" 36 - 37 - # Fix: Enable CCID Exchange option (0x01) for interface flexibility 38 - # This makes CCID more permissive about interface selection 39 - if grep -q "<string>0x0000</string>" "$CCID_CONFIG"; then 40 - sed -i 's/<string>0x0000<\/string>/<string>0x0001<\/string>/' "$CCID_CONFIG" 41 - echo "✅ Enabled DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED (0x01)" 42 - else 43 - echo "⚠️ CCID driver options already modified or not found" 44 - fi 45 - 46 - echo "Modified CCID driver options:" 47 - grep -A 1 "ifdDriverOptions" "$CCID_CONFIG" || echo "Not found" 48 - 49 - echo "CCID interface fix applied:" 50 - echo "- Pico HSM interface 0 should now be tried first" 51 - echo "- CCID will be more flexible about interface detection" 52 - echo "- Debug environment variables: LIBCCID_ifdLogLevel=$LIBCCID_ifdLogLevel" 53 - else 54 - echo "❌ CCID Info.plist not found at $CCID_CONFIG" 55 - echo "Falling back to environment variables only" 56 - fi 57 - 58 - # Start pcscd with debug output 59 - echo "Starting pcscd..." 25 + # Start pcscd (no CCID drivers available, will use direct access) 60 26 pcscd -f -d -a & 61 27 PCSCD_PID=$! 62 28 63 29 sleep 3 64 30 65 - # Verify pcscd started successfully 31 + # Verify pcscd started 66 32 if ! kill -0 $PCSCD_PID 2>/dev/null; then 67 33 echo "ERROR: pcscd failed to start" 68 - echo "Checking USB access permissions..." 69 - # Try to access a USB device to see the actual error 70 - cat /dev/bus/usb/001/001 > /dev/null 2>&1 || echo "Cannot read USB devices: $?" 71 34 exit 1 72 35 fi 73 - 74 - echo "pcscd started successfully with PID $PCSCD_PID" 75 36 fi 76 37 77 38 # Entrypoint script for HSM Secrets Operator
+1 -1
internal/controller/hsmpool_agent_controller.go
··· 665 665 }, 666 666 SecurityContext: &corev1.SecurityContext{ 667 667 Privileged: truePtr, // Still no privileged containers 668 - AllowPrivilegeEscalation: falsePtr, // Still no privilege escalation 668 + AllowPrivilegeEscalation: truePtr, // Still no privilege escalation 669 669 ReadOnlyRootFilesystem: falsePtr, // Possible with distroless 670 670 RunAsNonRoot: falsePtr, // Root required for USB 671 671 RunAsUser: &rootUserId,