Sample YAML files
project.yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: test
openshift.io/requester: kube:admin
name: nscop-test
spec:
finalizers:
- kubernetes
status:
phase: Activecm.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: config
namespace: nscop-test
data:
config: |
syntax-version=1
[nethsm_imports]
local_module=1
remote_esn=5F08-02E0-D947
remote_ip=xx.xxx.xxx.xx
remote_port=9004
keyhash=732523000c324c8a674236d1ad783a4dae0179fe
privileged=0pv_nfast_kmdata_definition.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: nfast-kmdata
labels:
type: local
spec:
storageClassName: manual
capacity:
storage: 1G
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
hostPath:
path: /opt/nfast/kmdatapv_nfast_sockets_definition.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: nfast-sockets
labels:
type: local
spec:
storageClassName: manual
capacity:
storage: 1G
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
hostPath:
path: /opt/nfast/socketspv_nfast_kmdata_claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name : nfast-kmdata
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-storage
resources:
requests:
storage: 1G
storageClassName: manualpv_nfast_sockets_claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name : nfast-sockets
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-storage
resources:
requests:
storage: 1G
storageClassName: manualpod_dummy.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-dummy-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
command:
- sh
- '-c'
- sleep 3600
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdata pod_hwsp.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-hwsp-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-hwsp
securityContext:
privileged: true
image: >-
<external-docker-registry-IP-address>/cv-nshield-hwsp-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- name: nscop-config
mountPath: /opt/nfast/kmdata/config
- name: nscop-hardserver
mountPath: /opt/nfast/kmdata/hardserver.d
- name: nscop-sockets
mountPath: /opt/nfast/sockets
securityContext: {}
volumes:
- name: nscop-config
configMap:
name: config
defaultMode: 420
- name: nscop-hardserver
emptyDir: {}
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-socketspod_enquiry_container.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-enquiry-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
/opt/nfast/bin/enquiry;
echo CONTAINER SCRIPT DONE && sleep 3600
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_nfkminfo_container.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-nfkminfo-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
/opt/nfast/bin/nfkminfo;
echo CONTAINER SCRIPT DONE && sleep 3600
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_generatekeymodule_container.yaml
This example calls the generatekey command and uses some of the variables in the cardcred secret.
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-generatekeymodule-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
envFrom:
- secretRef:
name: cardcred
env:
- name: MY_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
/opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
echo "list keys" | /opt/nfast/bin/rocs;
echo CONTAINER SCRIPT DONE && sleep 3600
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_generatekeysoftcard_container.yaml
This example calls the sofcardexpect.sh script, which does the call to the generatekey command.
The script uses environment variables created in the pod, coming from the cardcred secret.
One of the variables is the CARDPP variable which is the passphrase for the softcard.
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-generatekeysoftcard-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
envFrom:
- secretRef:
name: cardcred
env:
- name: MY_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
/opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
echo "list keys" | /opt/nfast/bin/rocs;
echo CONTAINER SCRIPT DONE && sleep 3600
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_generatekeyocs_container.yaml
This example calls the ocsexpect.sh script, which does the call to the generatekey command.
The script uses environment variables created in the pod, coming from the cardcred secret.
One of the variables is the CARDPP variable which is the passphrase for the softcard.
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-generatekeyocs-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
envFrom:
- secretRef:
name: cardcred
env:
- name: MY_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
/opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
echo "list keys" | /opt/nfast/bin/rocs;
echo CONTAINER SCRIPT DONE && sleep 3600
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_rocs_container.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-rocs-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
echo "list keys" | /opt/nfast/bin/rocs;
echo CONTAINER SCRIPT DONE && sleep 3600
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdatapod_all_container.yaml
kind: Pod
apiVersion: v1
metadata:
generateName: nscop-test-all-
namespace: nscop-test
labels:
app: nshield
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nscop-container
securityContext:
privileged: true
image: >-
<external-docker-registry-IP-address>/cv-nshield-app-container
envFrom:
- secretRef:
name: cardcred
env:
- name: MY_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
command: ["sh", "-c"]
args:
- echo CONTAINER SCRIPT STARTED;
echo;
echo ------------------ enquiry;
/opt/nfast/bin/enquiry;
echo;
echo ------------------ nfkminfo;
/opt/nfast/bin/nfkminfo;
echo;
echo ------------------ Generating module key;
/opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
echo;
echo ------------------ Generating ocs key;
/opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
echo;
echo ------------------ Generating softcard key;
/opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
echo;
echo ------------------ list keys;
echo "list keys" | /opt/nfast/bin/rocs;
echo CONTAINER SCRIPT DONE && sleep 3600
ports:
- containerPort: 8080
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /opt/nfast/sockets
name: nscop-sockets
- mountPath: /opt/nfast/kmdata
name: nscop-kmdata
securityContext: {}
volumes:
- name: nscop-sockets
persistentVolumeClaim:
claimName: nfast-sockets
- name: nscop-kmdata
persistentVolumeClaim:
claimName: nfast-kmdataocsexpect.sh
#!/usr/bin/expect
# Script to generate a key protected by an OCS card.
# You must pass the module, OCS name and the keyname to be created.
# The OCS Password is passed via the environment variable OCSPP
#
set MODULE [lindex $argv 0]
set OCS [lindex $argv 1]
set KEYNAME [lindex $argv 2]
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=token recovery=no size=2048 cardset=$OCS
expect "Enter passphrase:"
sleep 1
send -- "$env(CARDPP)\r"
expect eofsoftcardexpect.sh
#!/usr/bin/expect
# Script to generate a key protected by a Softcard card.
# You must pass the module, softcard name and the keyname to be created.
# The softcard Password is passed via the environment variable SOFTCARDPP
#
set MODULE [lindex $argv 0]
set SOFTCARD [lindex $argv 1]
set KEYNAME [lindex $argv 2]
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=softcard recovery=no size=2048 softcard=$SOFTCARD
expect "pass phrase for softcard"
sleep 1
send -- "$env(CARDPP)\r"
expect eof