A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
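# Complete HSM Secrets Operator Setup Example
# This file demonstrates a full deployment with all components.
#
# Document order matters for a single `kubectl apply -f`: both Namespaces are
# declared before the namespaced resources that live in them, so the file
# applies in one pass.
#
# Prerequisite (not created here): a Secret named `production-hsm-pin` with a
# `pin` key in the operator namespace; the HSMDevice below references it so the
# HSM PIN never appears in a committed manifest.

---
# Namespace for the operator
apiVersion: v1
kind: Namespace
metadata:
  name: hsm-secrets-operator-system
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: hsm-secrets-operator
    app.kubernetes.io/version: v1.0.0

---
# Production Namespace
# Declared before the HSMSecrets that live in it so they can be created in the
# same apply.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    hsm.j5t.io/enabled: "true"

---
# HSM Device Configuration
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMDevice
metadata:
  name: production-hsm
  namespace: hsm-secrets-operator-system
  labels:
    environment: production
    device-type: pico-hsm
spec:
  deviceType: PicoHSM

  # Discovery configuration
  discovery:
    usb:
      vendorId: "20a0"
      productId: "4230"

  # PKCS#11 configuration
  pkcs11:
    libraryPath: "/usr/lib/opensc-pkcs11.so"
    slotId: 0
    # PIN is read from an existing Secret (see prerequisite at the top).
    pinSecret:
      name: "production-hsm-pin"
      key: "pin"
    tokenLabel: "PicoHSM"

  nodeSelector:
    hsm.j5t.io/enabled: "true"
  maxDevices: 2

---
# Production Database Secret
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: production-database
  namespace: production
  labels:
    app: webapp
    type: database
    criticality: high
spec:
  # HSM path is automatically set to the metadata.name (production-database)
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system
  secretName: "webapp-database-credentials"
  autoSync: true
  syncInterval: 600  # 10 minutes
  secretType: Opaque

---
# TLS Certificate Secret
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: webapp-tls
  namespace: production
  labels:
    app: webapp
    type: tls
spec:
  # HSM path is automatically set to the metadata.name (webapp-tls)
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system
  secretName: "webapp-tls-cert"
  autoSync: true
  syncInterval: 3600  # 1 hour
  secretType: kubernetes.io/tls

---
# Identity for the web application pods.
# A dedicated ServiceAccount keeps the RBAC grant below off the namespace's
# shared `default` ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp
  namespace: production
  labels:
    app: webapp

---
# Web Application Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: production
  labels:
    app: webapp
    version: v1.0.0
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
        version: v1.0.0
    spec:
      serviceAccountName: webapp

      # Pod anti-affinity for high availability
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - webapp
                topologyKey: kubernetes.io/hostname

      containers:
        - name: webapp
          # NOTE(review): placeholder image. A stock nginx image listens on
          # port 80, runs its master process as root and serves no /health or
          # /ready paths, so the port, probes and runAsUser below are only
          # expected to work once this is replaced with the real application
          # image.
          image: nginx:1.21-alpine
          ports:
            - containerPort: 8080
              name: http

          # Use HSM-backed secrets
          # The kubelet injects these from the synced Secret; the pod needs no
          # API access for this.
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: database_url
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: password

          # Mount TLS certificate
          volumeMounts:
            - name: tls-certs
              mountPath: /etc/ssl/certs/webapp
              readOnly: true

          # Health checks
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5

          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3

          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi

          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL

      volumes:
        - name: tls-certs
          secret:
            secretName: webapp-tls-cert

      # Pod-level defaults: every container in the pod is non-root and runs
      # under the runtime's default seccomp profile.
      securityContext:
        runAsNonRoot: true
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault

---
# Service for the web application
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: production
  labels:
    app: webapp
spec:
  selector:
    app: webapp
  ports:
    - port: 80
      targetPort: 8080
      name: http
  type: ClusterIP

---
# Ingress with TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: production
  labels:
    app: webapp
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - webapp.example.com
      secretName: webapp-tls-cert  # HSM-backed TLS certificate
  rules:
    - host: webapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp-service
                port:
                  number: 80

---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: webapp-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: webapp
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80

---
# Pod Disruption Budget
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: webapp-pdb
  namespace: production
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: webapp

---
# Network Policy for production environment
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: webapp
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every
              # Namespace; a bare `name` label is not, and if it is missing on
              # the controller's namespace this rule matches nothing and all
              # ingress is dropped.
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # DNS, scoped to the namespace where cluster DNS normally runs.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Database and HTTPS. An empty namespaceSelector matches pods in every
    # namespace but no address outside the cluster; add an ipBlock entry here
    # if the database or HTTPS targets are external.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 5432  # Database
        - protocol: TCP
          port: 443  # HTTPS

---
# RBAC for production applications
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: webapp-secrets-reader
rules:
  # `get` on the two synced Secrets only. `list` on secrets would expose every
  # Secret in the namespace, and resourceNames does not reliably restrict list.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["webapp-database-credentials", "webapp-tls-cert"]
    verbs: ["get"]
  - apiGroups: ["hsm.j5t.io"]
    resources: ["hsmsecrets"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-secrets-access
  namespace: production
subjects:
  # Bound to the dedicated ServiceAccount used by the Deployment, not to
  # `default`, which every other pod in the namespace would otherwise share.
  - kind: ServiceAccount
    name: webapp
    namespace: production
roleRef:
  kind: Role
  name: webapp-secrets-reader
  apiGroup: rbac.authorization.k8s.io

---
# Monitoring: ServiceMonitor for Prometheus
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: hsm-operator-metrics
  namespace: hsm-secrets-operator-system
  labels:
    app: hsm-secrets-operator
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  endpoints:
    - port: https
      path: /metrics
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        # NOTE(review): this accepts any certificate on the metrics endpoint,
        # so the bearer token above can be sent to anything answering on that
        # address. Presumably kept because the operator's metrics service uses
        # a self-signed certificate — confirm, and replace with `caFile` plus
        # `serverName` once the metrics certificate is issued by a known CA.
        insecureSkipVerify: true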