Sample YAML files

project.yaml

---
# OpenShift Project (namespace) that every namespaced manifest on this page targets.
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: nscop-test
  annotations:
    # Console display name; the description is intentionally left empty
    openshift.io/display-name: test
    openshift.io/description: ""
    # Presumably the user that requested the project (kube:admin here)
    openshift.io/requester: kube:admin
spec:
  finalizers:
    - kubernetes
status:
  # status is maintained by the API server; it is carried here as exported,
  # not something a client needs to supply on create
  phase: Active

cm.yaml

---
# Hardserver configuration for the hwsp pod, which mounts this ConfigMap at
# /opt/nfast/kmdata/config so the key "config" appears as the file
# /opt/nfast/kmdata/config/config.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config
  namespace: nscop-test
data:
  # Literal block scalar: newlines (including the blank separator line) are
  # kept exactly, which the INI-style file format needs.
  # remote_ip is a placeholder; remote_esn and keyhash identify one specific
  # nShield unit — presumably the hardserver only trusts the unit whose
  # identity hash matches keyhash, so check both against the real HSM.
  # privileged=0 keeps this import non-privileged — verify that is intended.
  config: |
    syntax-version=1

    [nethsm_imports]
    local_module=1
    remote_esn=5F08-02E0-D947
    remote_ip=xx.xxx.xxx.xx
    remote_port=9004
    keyhash=732523000c324c8a674236d1ad783a4dae0179fe
    privileged=0

pv_nfast_kmdata_definition.yaml

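---
# Cluster-scoped PersistentVolume for the Security World data directory,
# backed by a directory on the node. Trailing whitespace on the storage and
# accessModes values has been removed.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfast-kmdata
  labels:
    type: local
spec:
  # Must equal the claim's storageClassName or the claim never binds
  storageClassName: manual
  capacity:
    storage: 1G
  accessModes:
    - ReadWriteOnce
  # Deleting the claim leaves the volume (and the data on disk) in place
  persistentVolumeReclaimPolicy: Retain
  # hostPath is not replicated and this PV sets no nodeAffinity: each node has
  # its own /opt/nfast/kmdata, so pods using this volume must be scheduled on
  # the node that actually holds the data — TODO confirm how that is ensured
  hostPath:
    path: /opt/nfast/kmdata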

pv_nfast_sockets_definition.yaml

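---
# Cluster-scoped PersistentVolume for the hardserver socket directory shared
# between the hwsp pod and the app pods. Trailing whitespace on the storage
# and accessModes values has been removed.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfast-sockets
  labels:
    type: local
spec:
  # Must equal the claim's storageClassName or the claim never binds
  storageClassName: manual
  capacity:
    storage: 1G
  accessModes:
    - ReadWriteOnce
  # Deleting the claim leaves the volume in place
  persistentVolumeReclaimPolicy: Retain
  # hostPath is node-local and no nodeAffinity is set: the hwsp pod and every
  # app pod that mounts nfast-sockets must land on the same node to share the
  # sockets — TODO confirm how scheduling guarantees that
  hostPath:
    path: /opt/nfast/sockets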

pv_nfast_kmdata_claim.yaml

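---
# Claim for the nfast-kmdata PersistentVolume. The original listed
# storageClassName twice (local-storage, then manual); most parsers silently
# keep the last value, so only the one that matches the PV is kept here.
# No namespace is set: create it in nscop-test, where the pods reference it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfast-kmdata
spec:
  accessModes:
    - ReadWriteOnce
  # Must equal the PV's storageClassName (manual) or the claim stays Pending
  storageClassName: manual
  resources:
    requests:
      storage: 1G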

pv_nfast_sockets_claim.yaml

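---
# Claim for the nfast-sockets PersistentVolume. The original listed
# storageClassName twice (local-storage, then manual); most parsers silently
# keep the last value, so only the one that matches the PV is kept here.
# No namespace is set: create it in nscop-test, where the pods reference it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfast-sockets
spec:
  accessModes:
    - ReadWriteOnce
  # Must equal the PV's storageClassName (manual) or the claim stays Pending
  storageClassName: manual
  resources:
    requests:
      storage: 1G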

pod_dummy.yaml

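---
# Idle test pod: sleeps for an hour so you can exec in and run nShield tools
# by hand. generateName means it must be created with `oc create -f`
# (`apply` requires a fixed metadata.name). Trailing whitespace on the last
# claimName has been removed.
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-dummy-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # Full host privileges (all capabilities, host devices). This container
        # only mounts the sockets and kmdata volumes, so it is unclear the
        # privilege is needed — TODO confirm and drop if not
        privileged: true
      command:
        - sh
        - '-c'
        - sleep 3600
      # No tag or digest, so the runtime resolves :latest; pin a tag or
      # @sha256 digest for reproducible pulls
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # No requests or limits: the pod runs with BestEffort QoS
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata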

pod_hwsp.yaml

---
# Pod for the cv-nshield-hwsp-container image. It mounts the ConfigMap that
# holds the hardserver configuration and the shared nfast-sockets volume that
# the app pods on this page also mount. Create with `oc create -f`
# (generateName has no fixed name for `apply`).
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-hwsp-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-hwsp
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-hwsp-container
      securityContext:
        # Full host privileges; presumably needed for this container to reach
        # the HSM hardware — TODO confirm whether a narrower device grant works
        privileged: true
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        # The ConfigMap key "config" appears as /opt/nfast/kmdata/config/config
        - mountPath: /opt/nfast/kmdata/config
          name: nscop-config
        - mountPath: /opt/nfast/kmdata/hardserver.d
          name: nscop-hardserver
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
  securityContext: {}
  volumes:
    - name: nscop-config
      configMap:
        name: config
        # 420 decimal is 0644: readable by every user in the container
        defaultMode: 420
    # Scratch directory that lives only as long as the pod
    - name: nscop-hardserver
      emptyDir: {}
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets

pod_enquiry_container.yaml

---
# Runs /opt/nfast/bin/enquiry once, then sleeps so the pod stays up for
# inspection. Create with `oc create -f` (generateName has no fixed name).
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-enquiry-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      command:
        - sh
        - '-c'
      # Folded scalar: the lines join into a single shell command line. Steps
      # are separated by ';', so a failing enquiry does not stop the script and
      # the pod stays Running; check the container log for the result.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/enquiry;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata

pod_nfkminfo_container.yaml

---
# Runs /opt/nfast/bin/nfkminfo once, then sleeps so the pod stays up for
# inspection. Create with `oc create -f` (generateName has no fixed name).
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-nfkminfo-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      command:
        - sh
        - '-c'
      # Folded scalar: the lines join into a single shell command line. Steps
      # are separated by ';', so a failing nfkminfo does not stop the script
      # and the pod stays Running; check the container log for the result.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/nfkminfo;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata

pod_generatekeymodule_container.yaml

This example calls the generatekey command and uses some of the variables in the cardcred secret.

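---
# Generates a module-protected RSA key (protect=module, type=rsa) and then
# lists keys with rocs. Create with `oc create -f` (generateName has no fixed
# name for `apply`). The over-indented fieldPath line has been aligned.
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-generatekeymodule-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      # Every key in the cardcred Secret becomes an environment variable (only
      # CARDMODULE is used here, but the sibling examples read CARDPP, a
      # passphrase). Environment variables are readable by anyone who can exec
      # into the container, so restrict exec access to this namespace.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Downward API: the pod UID makes the generated key name unique
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      # Folded scalar: joined into one shell line. Steps are separated by ';',
      # so a failing generatekey does not stop the script and the pod stays
      # Running; read the container log to see whether generation succeeded.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata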

pod_generatekeysoftcard_container.yaml

This example calls the softcardexpect.sh script, which in turn runs the generatekey command. The script uses environment variables created in the pod from the cardcred secret. One of these is CARDPP, the passphrase for the softcard.

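---
# Generates a softcard-protected key via softcardexpect.sh (which lives on the
# kmdata volume) and then lists keys with rocs. Create with `oc create -f`
# (generateName has no fixed name). The over-indented fieldPath line has been
# aligned.
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-generatekeysoftcard-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key in the cardcred Secret becomes an environment variable,
      # including CARDPP, the softcard passphrase that softcardexpect.sh sends
      # to generatekey. Environment variables are readable by anyone who can
      # exec into the container, so restrict exec access to this namespace.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Downward API: the pod UID makes the generated key name unique
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      # Folded scalar: joined into one shell line. Steps are separated by ';',
      # so a failing script does not stop the chain and the pod stays Running;
      # read the container log to see whether generation succeeded.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata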

pod_generatekeyocs_container.yaml

This example calls the ocsexpect.sh script, which in turn runs the generatekey command. The script uses environment variables created in the pod from the cardcred secret. One of these is CARDPP, the passphrase for the OCS.

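---
# Generates an OCS-protected key via ocsexpect.sh (which lives on the kmdata
# volume) and then lists keys with rocs. Create with `oc create -f`
# (generateName has no fixed name). The over-indented fieldPath line has been
# aligned.
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-generatekeyocs-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key in the cardcred Secret becomes an environment variable,
      # including CARDPP, the passphrase that ocsexpect.sh sends to
      # generatekey. Environment variables are readable by anyone who can exec
      # into the container, so restrict exec access to this namespace.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Downward API: the pod UID makes the generated key name unique
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      # Folded scalar: joined into one shell line. Steps are separated by ';',
      # so a failing script does not stop the chain and the pod stays Running;
      # read the container log to see whether generation succeeded.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata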

pod_rocs_container.yaml

---
# Lists keys by piping "list keys" into /opt/nfast/bin/rocs, then sleeps so
# the pod stays up for inspection. Create with `oc create -f` (generateName
# has no fixed name).
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-rocs-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      command:
        - sh
        - '-c'
      # Folded scalar: the lines join into a single shell command line. Steps
      # are separated by ';', so a failing rocs does not stop the script and
      # the pod stays Running; check the container log for the output.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata

pod_all_container.yaml

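---
# Runs every step from the single-purpose pods above in sequence: enquiry,
# nfkminfo, module key, OCS key, softcard key, then a rocs key listing.
# Create with `oc create -f` (generateName has no fixed name). The
# over-indented fieldPath line has been aligned.
apiVersion: v1
kind: Pod
metadata:
  generateName: nscop-test-all-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # Full host privileges; this container only mounts the sockets and
        # kmdata volumes — TODO confirm the privilege is needed
        privileged: true
      # No tag or digest: the runtime resolves :latest
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key in the cardcred Secret becomes an environment variable,
      # including CARDPP, the passphrase the expect scripts send to
      # generatekey. Environment variables are readable by anyone who can exec
      # into the container, so restrict exec access to this namespace.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Downward API: the pod UID makes each generated key name unique
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      # Folded scalar: joined into one shell line. Steps are separated by ';',
      # so any failing step is skipped over and the pod stays Running; read the
      # container log (the echo banners mark each step) to see what succeeded.
      args:
        - >-
          echo CONTAINER SCRIPT STARTED;
          echo;
          echo ------------------ enquiry;
          /opt/nfast/bin/enquiry;
          echo;
          echo ------------------ nfkminfo;
          /opt/nfast/bin/nfkminfo;
          echo;
          echo ------------------ Generating module key;
          /opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
          echo;
          echo ------------------ Generating ocs key;
          /opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
          echo;
          echo ------------------ Generating softcard key;
          /opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
          echo;
          echo ------------------ list keys;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata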

ocsexpect.sh

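#!/usr/bin/expect
# Script to generate a key protected by an OCS card.
# You must pass the module, OCS name and the keyname to be created.
# The OCS passphrase is read from the environment variable CARDPP (the
# original header said OCSPP, but the code has always used CARDPP, which is
# what the pod manifests inject from the cardcred Secret).
#
# Usage: ocsexpect.sh MODULE OCS KEYNAME
#
# Exit status: 2 on usage/environment errors, 1 if the passphrase prompt never
# appears, otherwise the exit status of generatekey itself.
if {[llength $argv] != 3} {
    send_error "usage: ocsexpect.sh MODULE OCS KEYNAME\n"
    exit 2
}
if {![info exists env(CARDPP)]} {
    # Without this check expect aborts with an unhelpful "no such variable"
    send_error "CARDPP is not set in the environment\n"
    exit 2
}
set MODULE  [lindex $argv 0]
set OCS     [lindex $argv 1]
set KEYNAME [lindex $argv 2]
# Give up after 30 s instead of expect's 10 s default; the original script
# sent the passphrase anyway after a timeout, which is never what we want
set timeout 30
# Short pause before spawning, kept from the original (reason not documented)
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=token recovery=no size=2048 cardset=$OCS
expect {
    "Enter passphrase:" {
        sleep 1
        # The passphrase is typed on the pty, never passed on the command line
        send -- "$env(CARDPP)\r"
    }
    timeout {
        send_error "timed out waiting for the passphrase prompt\n"
        exit 1
    }
    eof {
        send_error "generatekey exited before asking for a passphrase\n"
        exit 1
    }
}
expect eof
# Propagate generatekey's exit status so a failed generation is visible to
# the caller instead of being masked by a successful expect run
catch wait result
exit [lindex $result 3]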

softcardexpect.sh

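#!/usr/bin/expect
# Script to generate a key protected by a Softcard.
# You must pass the module, softcard name and the keyname to be created.
# The softcard passphrase is read from the environment variable CARDPP (the
# original header said SOFTCARDPP, but the code has always used CARDPP, which
# is what the pod manifests inject from the cardcred Secret).
#
# Usage: softcardexpect.sh MODULE SOFTCARD KEYNAME
#
# Exit status: 2 on usage/environment errors, 1 if the passphrase prompt never
# appears, otherwise the exit status of generatekey itself.
if {[llength $argv] != 3} {
    send_error "usage: softcardexpect.sh MODULE SOFTCARD KEYNAME\n"
    exit 2
}
if {![info exists env(CARDPP)]} {
    # Without this check expect aborts with an unhelpful "no such variable"
    send_error "CARDPP is not set in the environment\n"
    exit 2
}
set MODULE   [lindex $argv 0]
set SOFTCARD [lindex $argv 1]
set KEYNAME  [lindex $argv 2]
# Give up after 30 s instead of expect's 10 s default; the original script
# sent the passphrase anyway after a timeout, which is never what we want
set timeout 30
# Short pause before spawning, kept from the original (reason not documented)
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=softcard recovery=no size=2048 softcard=$SOFTCARD
expect {
    "pass phrase for softcard" {
        sleep 1
        # The passphrase is typed on the pty, never passed on the command line
        send -- "$env(CARDPP)\r"
    }
    timeout {
        send_error "timed out waiting for the passphrase prompt\n"
        exit 1
    }
    eof {
        send_error "generatekey exited before asking for a passphrase\n"
        exit 1
    }
}
expect eof
# Propagate generatekey's exit status so a failed generation is visible to
# the caller instead of being masked by a successful expect run
catch wait result
exit [lindex $result 3]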