A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
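# HSMDevice: tells the operator how to find a Pico HSM on cluster nodes and how
# to talk to it over PKCS#11. Layout restored to 2-space block indentation; the
# fused gutter numbers from the rendered listing have been dropped.
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMDevice
metadata:
  name: pico-hsm
  # NOTE(review): the pinSecret below is presumably resolved in this same
  # namespace; a dedicated namespace keeps the PIN Secret's RBAC scope narrow.
  namespace: default
  labels:
    device-type: pico-hsm
    environment: production
spec:
  # Device type for auto-discovery
  deviceType: PicoHSM

  # Discovery configuration
  discovery:
    # USB device specifications for Pico HSM.
    # Quoted on purpose: these are hex identifiers, and an unquoted "4230"
    # would be read as an integer by the YAML parser.
    usb:
      vendorId: "20a0"
      productId: "4230"
      # serialNumber: "12345"  # Optional: pin discovery to one specific device

    # Alternative: Manual path specification (mutually exclusive with usb, presumably)
    # devicePath:
    #   path: "/dev/sc-hsm*"
    #   permissions: "0666"  # NOTE(review): 0666 is world-readable and world-writable;
    #                        # use the most restrictive mode the operator's runtime user
    #                        # still works with, and keep it quoted so it stays octal text.

  # PKCS#11 configuration
  pkcs11:
    libraryPath: "/usr/lib/opensc-pkcs11.so"  # Use OpenSC for Pico HSM
    slotId: 0
    # The user PIN is never written into this resource; it is read from a
    # Kubernetes Secret by name/key. Create that Secret out of band and keep
    # it out of version control.
    pinSecret:
      name: "pico-hsm-pin"
      key: "pin"
    tokenLabel: "PicoHSM"

  # Node selection (optional - runs on all nodes if not specified).
  # Label values are strings, so "true" must stay quoted.
  nodeSelector:
    # kubernetes.io/hostname: "worker-node-1"
    hsm.j5t.io/enabled: "true"

  # Maximum number of devices to discover
  maxDevices: 2

---
# Optional: Node label for HSM-enabled nodes
# Run this on nodes with HSM devices:
# kubectl label node worker-node-1 hsm.j5t.io/enabled=true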