A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


fix

+12 -6
+8 -2
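--- a/cmd/test/main.go
+++ b/cmd/test/main.go
@@ -31,7 +31,11 @@
 	if err := pcscdMgr.Start(); err != nil {
 		log.Fatalf("Failed to start pcscd: %v", err)
 	}
-	defer pcscdMgr.Stop()
+	defer func() {
+		if err := pcscdMgr.Stop(); err != nil {
+			logger.Error(err, "Failed to stop pcscd")
+		}
+	}()
 	logger.Info("pcscd daemon started successfully")
 
 	// Set up signal handling for graceful shutdown
@@ -40,7 +44,9 @@
 	go func() {
 		<-sigChan
 		logger.Info("Received shutdown signal, stopping pcscd")
-		pcscdMgr.Stop()
+		if err := pcscdMgr.Stop(); err != nil {
+			logger.Error(err, "Failed to stop pcscd during shutdown")
+		}
 		os.Exit(0)
 	}()
 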
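Review bot: The signal goroutine still calls `os.Exit(0)` after logging a failed `pcscdMgr.Stop()`, so a shutdown that left the daemon running is reported as success to whatever supervises the process; `os.Exit(1)` on that path would surface it. Stop() can also run twice — once from the signal goroutine and once from the deferred closure if main happens to return concurrently — which is harmless only if Stop is idempotent, something not visible here and worth a comment on the manager. Start failure goes through `log.Fatalf` while Stop failures go through `logger.Error`; using one logger keeps the startup and shutdown diagnostics in the same stream. The enclosing function starts and ends outside the hunk.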
+4 -4
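--- a/internal/controller/hsmpool_agent_controller.go
+++ b/internal/controller/hsmpool_agent_controller.go
@@ -664,10 +664,10 @@
 				},
 			},
 			SecurityContext: &corev1.SecurityContext{
-				Privileged: truePtr, // Still no privileged containers
-				AllowPrivilegeEscalation: truePtr, // Still no privilege escalation
-				ReadOnlyRootFilesystem: falsePtr, // Possible with distroless
-				RunAsNonRoot: falsePtr, // Root required for USB
+				Privileged: falsePtr, // No privileged container needed
+				AllowPrivilegeEscalation: falsePtr, // No privilege escalation needed
+				ReadOnlyRootFilesystem: falsePtr, // pcscd needs writable /run and /var/lock
+				RunAsNonRoot: falsePtr, // Root required for USB device access
 				RunAsUser: &rootUserId,
 				SeccompProfile: &corev1.SeccompProfile{
 					Type: corev1.SeccompProfileTypeRuntimeDefault,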
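Review bot: With `Privileged` now false the container still runs as root (`RunAsUser: &rootUserId`) and no capability set is visible in the hunk, so unless `Capabilities` is assigned further down this SecurityContext (the struct literal continues past the hunk) it keeps the runtime's default capability bundle; adding `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` next to `RunAsUser` makes the root-for-USB trade-off as small as it can be. Note too that an unprivileged container, root or not, can only open USB device nodes the runtime has allowed in its device cgroup (a device plugin or an explicit runtime device entry); a plain hostPath mount of `/dev/bus/usb` is typically not sufficient, so the pod's volume/device configuration outside this hunk should be checked before relying on this change. The `ReadOnlyRootFilesystem` comment names `/run` and `/var/lock` as the only writable paths pcscd needs; mounting both as emptyDir would let that flag move to true as well.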