A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

use trixie-slim

+41 -93
+15 -93
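--- a/Dockerfile
+++ b/Dockerfile
@@ -42,105 +42,27 @@
 # Build test utility for manual testing/debugging
 RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -ldflags="-s -w" -o test cmd/test/main.go
 
-# Collect all runtime dependencies using iterative discovery:
-# 1. Start with ldd on binaries → get compile-time linked libraries
-# 2. Recursively: ldd on discovered libraries → get their dependencies
-# 3. strings scan discovered libraries → find dlopen'd libraries (like libgcc_s, libpcsclite_real)
-# 4. Repeat step 2-3 on newly discovered libraries until no new deps found
-RUN echo "Discovering runtime dependencies (iterative)..." && \
-# Define binaries to scan (includes CCID driver to catch libusb dependency)
-SCAN_BINARIES="/workspace/hsm-operator /workspace/test /usr/sbin/pcscd /usr/bin/pkcs11-tool /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so" && \
-mkdir -p /runtime-deps && \
-touch /tmp/deps_all.txt /tmp/deps_previous.txt /tmp/deps_new.txt && \
-# Start with our binaries
-echo "$SCAN_BINARIES" | tr ' ' '\n' > /tmp/deps_new.txt && \
-ITERATION=0 && \
-while [ -s /tmp/deps_new.txt ] && [ $ITERATION -lt 10 ]; do \
-ITERATION=$((ITERATION + 1)) && \
-NEW_COUNT=$(wc -l < /tmp/deps_new.txt) && \
-echo "Iteration $ITERATION: Processing $NEW_COUNT new items..." && \
-# Run ldd on new items
-for item in $(cat /tmp/deps_new.txt); do \
-if [ -f "$item" ]; then \
-ldd "$item" 2>/dev/null | grep "=>" | awk '{print $3}' | grep -v "^$" || true; \
-# Also get dynamic linker
-ldd "$item" 2>/dev/null | grep -o '/lib.*/ld-linux[^ ]*' || true; \
-fi; \
-done >> /tmp/deps_all.txt && \
-# Scan new items for dlopen'd libraries (strings method)
-for item in $(cat /tmp/deps_new.txt); do \
-if [ -f "$item" ]; then \
-strings "$item" 2>/dev/null | grep -E '\.so(\.[0-9]+)*$' | while read soname; do \
-find /usr/lib /lib -name "$soname" 2>/dev/null || true; \
-done; \
-fi; \
-done >> /tmp/deps_all.txt && \
-# Find newly discovered deps (not in previous iterations)
-sort -u /tmp/deps_all.txt > /tmp/deps_all_sorted.txt && \
-comm -13 /tmp/deps_previous.txt /tmp/deps_all_sorted.txt > /tmp/deps_new.txt && \
-cp /tmp/deps_all_sorted.txt /tmp/deps_previous.txt; \
-done && \
-# Copy all libraries except /lib/* paths (will be symlinked to /usr/lib)
-sort -u /tmp/deps_all.txt > /tmp/deps.txt && \
-echo "Found $(wc -l < /tmp/deps.txt) unique library paths after $ITERATION iterations" && \
-cat /tmp/deps.txt && \
-for lib in $(cat /tmp/deps.txt); do \
-# Skip /lib/* paths (but not /lib64/* which is separate)
-if [ -f "$lib" ] && ! echo "$lib" | grep -q "^/lib/"; then \
-dir=$(dirname "$lib"); \
-mkdir -p "/runtime-deps$dir"; \
-cp -L "$lib" "/runtime-deps$lib"; \
-fi; \
-done && \
-# Create single directory-level symlink: /lib → /usr/lib
-ln -s /usr/lib /runtime-deps/lib && \
-echo "Dependencies collected to /runtime-deps (/lib symlinked to /usr/lib)" && \
-# Verify all binaries can find their dependencies
-echo "Testing binaries for missing dependencies..." && \
-for binary in $SCAN_BINARIES; do \
-echo "Testing $binary..."; \
-ldd "$binary" 2>&1 | grep "not found" && echo "ERROR: Missing dependencies for $binary" && exit 1 || true; \
-done && \
-echo "All binaries have satisfied dependencies"
+# No runtime dependency discovery needed - debian:trixie-slim has all required libs
 
-# Create symlinks for opensc-pkcs11.so for both architectures (FROM scratch has no shell)
-RUN mkdir -p /tmp/pkcs11-links/x86_64-linux-gnu /tmp/pkcs11-links/aarch64-linux-gnu && \
-ln -s /usr/lib/pkcs11/opensc-pkcs11.so /tmp/pkcs11-links/x86_64-linux-gnu/opensc-pkcs11.so && \
-ln -s /usr/lib/pkcs11/opensc-pkcs11.so /tmp/pkcs11-links/aarch64-linux-gnu/opensc-pkcs11.so
+# Stage 2: Debian Trixie Slim (minimal but functional for USB hardware interaction)
+# Provides proper runtime environment for libudev USB device enumeration
+# Slightly larger than distroless (~140MB vs ~20MB) but required for CCID/USB reliability
+FROM debian:trixie-slim
 
-# Stage 2: Ultra-minimal FROM scratch runtime (no shell, no distro)
-# Maximum security: smallest possible attack surface (~15MB vs ~30MB distroless)
-FROM scratch
+# Install only the essential runtime packages (minimal attack surface)
+# debian:trixie-slim already has libc, but we need USB/smartcard libraries
+RUN apt-get update && apt-get install -y --no-install-recommends \
+opensc \
+pcscd \
+libccid \
+libpcsclite1 \
+libusb-1.0-0 \
+ca-certificates \
+&& rm -rf /var/lib/apt/lists/*
 
 # Copy minimal user/group files for nonroot user (secure by default)
 COPY --from=builder /tmp/passwd /etc/passwd
 COPY --from=builder /tmp/group /etc/group
-
-# Copy all runtime library dependencies (auto-discovered via ldd/strings)
-# Includes dynamic linker (ld-linux-*.so) for all architectures (x86_64, arm64, etc.)
-COPY --from=builder /runtime-deps /
-
-# Copy PKCS#11 library and symlinks for all architectures
-# Main copy: /usr/lib/pkcs11/ - actual file location
-COPY --from=builder /usr/lib/*/opensc-pkcs11.so /usr/lib/pkcs11/
-# Symlinks created in builder stage for pkcs11-tool default paths (works for both amd64 and arm64)
-COPY --from=builder /tmp/pkcs11-links/ /usr/lib/
-
-# Copy essential binaries
-COPY --from=builder /usr/sbin/pcscd /usr/sbin/
-COPY --from=builder /usr/bin/pkcs11-tool /usr/bin/
-
-# Copy udev rules for HSM devices (CCID support)
-COPY --from=builder /lib/udev/rules.d/92-libccid.rules /lib/udev/rules.d/
-
-# Copy CCID drivers for pcscd (Debian Trixie provides v1.6.2 with native Pico HSM multi-interface support)
-COPY --from=builder /usr/lib/pcsc /usr/lib/pcsc
-
-# Copy CCID configuration file (needed for Info.plist symlink)
-COPY --from=builder /etc/libccid_Info.plist /etc/
-
-# Copy CA certificates
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 # Copy application binary (manages pcscd lifecycle internally - no shell needed)
 COPY --from=builder /workspace/hsm-operator /hsm-operator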
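Review bot: The build-time "not found" check disappears together with the discovery loop, so a shared library that /hsm-operator needs (it is a CGO_ENABLED=1 build, line 43) but that the apt list on new lines 54–61 does not pull in would now only surface when the container first starts; one line after the final COPY on new line 68 keeps that guarantee without the old loop: `RUN ! ldd /hsm-operator | grep "not found"`. The removed COPY on old line 125 placed opensc-pkcs11.so at /usr/lib/pkcs11/, whereas Debian's opensc packages ship it under /usr/lib/<triplet>/, so if the operator's default PKCS11_LIBRARY path (not visible here) still names /usr/lib/pkcs11/opensc-pkcs11.so it will stop loading in this stage. `FROM debian:trixie-slim` on new line 50 is a mutable tag and the apt-get install is unpinned, which makes two builds of the same commit non-reproducible; pinning the base by digest, `FROM debian:trixie-slim@sha256:<DIGEST-PLACEHOLDER>`, is the usual minimum. The context comment on new line 67, "no shell needed", now describes a stage that ships /bin/sh and apt, so it should be reworded, e.g. `# Copy application binary (manages pcscd lifecycle internally)`.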
+26
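--- a/cmd/test/main.go
+++ b/cmd/test/main.go
@@ -5,8 +5,12 @@
 	"fmt"
 	"log"
 	"os"
+	"os/signal"
+	"syscall"
 
+	"github.com/evanjarrett/hsm-secrets-operator/internal/agent"
 	"github.com/evanjarrett/hsm-secrets-operator/internal/hsm"
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 func main() {
@@ -17,6 +21,28 @@
 
 	operation := os.Args[1]
 	pin := os.Args[2]
+
+	// Set up logger
+	logger := ctrl.Log.WithName("test-hsm")
+
+	// Start pcscd daemon
+	logger.Info("Starting pcscd daemon")
+	pcscdMgr := agent.NewPCSCDManager(logger, true) // true = debug output enabled
+	if err := pcscdMgr.Start(); err != nil {
+		log.Fatalf("Failed to start pcscd: %v", err)
+	}
+	defer pcscdMgr.Stop()
+	logger.Info("pcscd daemon started successfully")
+
+	// Set up signal handling for graceful shutdown
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigChan
+		logger.Info("Received shutdown signal, stopping pcscd")
+		pcscdMgr.Stop()
+		os.Exit(0)
+	}()
 
 	// Get library path from environment or use default
 	libraryPath := os.Getenv("PKCS11_LIBRARY")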
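Review bot: `defer pcscdMgr.Stop()` on new line 34 is skipped by every `log.Fatalf` and `os.Exit` path, and this main uses that exit style (line 32 is one instance) and continues past the hunk, so any later fatal HSM error leaves the pcscd daemon this change starts running after the test binary is gone. The cleanest fix is to move the body into a `run() error` that returns on failure, with `main` calling `Stop` once and then `os.Exit(1)`; short of that, each later fatal exit needs an explicit `pcscdMgr.Stop()` before it. In the signal goroutine (new lines 40–45) `os.Exit(0)` reports success for an interrupted run, and if main is finishing at the same moment `Stop` is called from two goroutines, which is only safe if `PCSCDManager.Stop` is idempotent (not visible here); `signal.NotifyContext` with the work bailing out on `ctx.Done()` removes both issues. The bare `true` on line 30 would read better as a named constant than as the trailing `// true = debug output enabled` comment. main starts in the first hunk and ends outside this section.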