# HSMDevice resource describing how a Pico HSM token is discovered over USB
# and which PKCS#11 module, slot and PIN Secret are used to talk to it.
# NOTE(review): this manifest was recovered from a single collapsed line; the
# nesting below is reconstructed from the key names. Validate it against the
# HSMDevice CRD schema before applying.
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMDevice
metadata:
  name: pico-hsm
  # NOTE(review): labelled production but placed in the shared "default"
  # namespace. A dedicated namespace makes it easier to scope RBAC for this
  # resource and the PIN Secret it references.
  namespace: default
  labels:
    device-type: pico-hsm
    environment: production
spec:
  # Device type for auto-discovery
  deviceType: PicoHSM

  # Discovery configuration
  discovery:
    # USB device specifications for Pico HSM
    # NOTE(review): vendor and product IDs are reported by the device itself,
    # so a match identifies a device model and does not authenticate it.
    # Setting serialNumber narrows the match to one expected token.
    usb:
      vendorId: "20a0"
      productId: "4230"
      # serialNumber: "12345"  # Optional: specific device serial

    # Alternative: Manual path specification
    # NOTE(review): "0666" is world read/write. If this value is applied as
    # the device node's mode (confirm against the controller), every local
    # account on the node could open the token. Prefer a narrower mode such
    # as "0660" with a dedicated group.
    # devicePath:
    #   path: "/dev/sc-hsm*"
    #   permissions: "0666"

  # PKCS#11 configuration
  pkcs11:
    # The PKCS#11 module is native code that runs inside whichever process
    # opens the token and submits the PIN. Keep this path root-owned and not
    # writable by other users, and make sure it resolves inside the image or
    # host that actually loads it.
    libraryPath: "/usr/lib/opensc-pkcs11.so"  # Use OpenSC for Pico HSM
    slotId: 0
    # The PIN is referenced from a Secret rather than inlined in this
    # manifest. Presumably the Secret is looked up in this resource's
    # namespace (confirm). Limit get/list on that Secret to the component
    # that needs it; Secret values are only base64-encoded unless encryption
    # at rest is enabled on the cluster.
    pinSecret:
      name: "pico-hsm-pin"
      key: "pin"
    tokenLabel: "PicoHSM"

  # Node selection (optional - runs on all nodes if not specified)
  # NOTE(review): anyone permitted to label nodes can make a node match this
  # selector, so node-label permissions are part of the trust boundary here.
  nodeSelector:
    # kubernetes.io/hostname: "worker-node-1"
    hsm.j5t.io/enabled: "true"

  # Maximum number of devices to discover
  maxDevices: 2
---
# Optional: Node label for HSM-enabled nodes
# Run this on nodes with HSM devices:
# kubectl label node worker-node-1 hsm.j5t.io/enabled=true