Sample YAML files
project.yaml
# OpenShift Project holding every other object on this page (namespace nscop-test).
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: test
    # NOTE(review): the requester annotation and the status block below look
    # like server-populated fields exported from a live object; confirm they
    # are wanted in a manifest that is applied by hand.
    openshift.io/requester: kube:admin
  name: nscop-test
spec:
  finalizers:
    - kubernetes
status:
  phase: Active
cm.yaml
# Hardserver configuration file. The hwsp pod below mounts this ConfigMap at
# /opt/nfast/kmdata/config, so the key "config" appears as .../config/config.
kind: ConfigMap
apiVersion: v1
metadata:
  name: config
  namespace: nscop-test
data:
  # Literal block scalar: every line below is file content, so comments cannot
  # be placed inside it. remote_esn/remote_ip/remote_port identify the network
  # HSM that is imported; remote_ip is a placeholder to fill in. keyhash is
  # presumably the hash the client uses to authenticate that HSM and
  # privileged=0 presumably keeps the connection unprivileged — verify both
  # against the hardserver documentation before changing them.
  config: |
    syntax-version=1
    [nethsm_imports]
    local_module=1
    remote_esn=5F08-02E0-D947
    remote_ip=xx.xxx.xxx.xx
    remote_port=9004
    keyhash=732523000c324c8a674236d1ad783a4dae0179fe
    privileged=0
pv_nfast_kmdata_definition.yaml
# hostPath PersistentVolume backing /opt/nfast/kmdata on the node.
# NOTE(review): hostPath exposes a node directory to any pod that binds the
# matching claim, and every app pod here mounts it read-write; restrict which
# namespaces can claim it and keep the node directory permissions tight.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfast-kmdata
  labels:
    type: local
spec:
  # A claim binds to this PV only if it requests the same storageClassName.
  storageClassName: manual
  capacity:
    storage: 1G
  accessModes:
    - ReadWriteOnce
  # Data on the node survives deletion of the claim.
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /opt/nfast/kmdata
pv_nfast_sockets_definition.yaml
# hostPath PersistentVolume backing /opt/nfast/sockets on the node. The hwsp
# pod and the app pods both mount it, so they share the hardserver socket
# directory; being hostPath, that presumably only works when they are
# scheduled onto the same node.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfast-sockets
  labels:
    type: local
spec:
  # A claim binds to this PV only if it requests the same storageClassName.
  storageClassName: manual
  capacity:
    storage: 1G
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /opt/nfast/sockets
pv_nfast_kmdata_claim.yaml
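# Claim for the nfast-kmdata PersistentVolume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfast-kmdata
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1G
  # Must equal the PV's storageClassName. The original declared this key twice
  # (local-storage, then manual): strict YAML decoders reject duplicate keys and
  # lenient ones silently keep the last value, so only the matching one is kept.
  storageClassName: manual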
pv_nfast_sockets_claim.yaml
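# Claim for the nfast-sockets PersistentVolume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfast-sockets
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1G
  # Must equal the PV's storageClassName. The original declared this key twice
  # (local-storage, then manual): strict YAML decoders reject duplicate keys and
  # lenient ones silently keep the last value, so only the matching one is kept.
  storageClassName: manual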
pod_dummy.yaml
# "Dummy" pod: starts the app container with a plain sleep so you can exec into
# it with the sockets and kmdata volumes mounted.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-dummy-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants the container full host capabilities
        # and device access. This sample only uses the two mounted volumes, so
        # confirm it is actually required and drop it otherwise.
        privileged: true
      command:
        - sh
        - '-c'
        - sleep 3600
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata
pod_hwsp.yaml
# Hardserver pod (hwsp). It reads the config ConfigMap (presumably to reach the
# network HSM listed under nethsm_imports) and publishes its socket on the
# shared sockets volume that the app pods mount at the same path.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-hwsp-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-hwsp
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; the HSM here is reached over the network, so check whether
        # this can be dropped or replaced by the specific capability needed.
        privileged: true
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-hwsp-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        # The ConfigMap key "config" lands at /opt/nfast/kmdata/config/config.
        - name: nscop-config
          mountPath: /opt/nfast/kmdata/config
        # emptyDir: hardserver.d starts empty on every pod (re)start.
        - name: nscop-hardserver
          mountPath: /opt/nfast/kmdata/hardserver.d
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
  securityContext: {}
  volumes:
    - name: nscop-config
      configMap:
        name: config
        # 420 decimal is 0644: the mounted config file is world-readable.
        defaultMode: 420
    - name: nscop-hardserver
      emptyDir: {}
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
pod_enquiry_container.yaml
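# Runs the enquiry utility once through the mounted hardserver socket, then
# sleeps so the pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-enquiry-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/enquiry;
          echo CONTAINER SCRIPT DONE && sleep 3600
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata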
pod_nfkminfo_container.yaml
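# Runs the nfkminfo utility once against the mounted kmdata volume, then
# sleeps so the pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-nfkminfo-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/nfkminfo;
          echo CONTAINER SCRIPT DONE && sleep 3600
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata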
pod_generatekeymodule_container.yaml
This example calls the generatekey
command and uses some of the variables in the cardcred
secret.
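# Generates a module-protected RSA key via generatekey, lists keys with rocs,
# then sleeps so the pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-generatekeymodule-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      # Every key of the cardcred Secret becomes an environment variable; only
      # CARDMODULE is used below, but the passphrase (CARDPP) is injected too.
      # NOTE(review): environment variables are inherited by every child
      # process — including the trailing "sleep 3600" — and stay readable via
      # /proc for the life of the pod; a mounted Secret file read only by the
      # command that needs it would narrow that exposure.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Pod UID, appended to the key name so each run creates a distinct key.
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata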
pod_generatekeysoftcard_container.yaml
This example calls the softcardexpect.sh
script, which does the call to the generatekey
command.
The script uses environment variables created in the pod, coming from the cardcred
secret.
One of the variables is the CARDPP
variable, which is the passphrase for the softcard.
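# Generates a softcard-protected key through softcardexpect.sh (which answers
# generatekey's passphrase prompt from CARDPP), lists keys with rocs, then
# sleeps so the pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-generatekeysoftcard-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key of the cardcred Secret (CARDMODULE, SOFTCARD, SOFTCARDKEY and
      # the CARDPP passphrase) becomes an environment variable.
      # NOTE(review): environment variables are inherited by every child
      # process — including the trailing "sleep 3600" — and stay readable via
      # /proc for the life of the pod; a mounted Secret file read only by the
      # expect script would narrow that exposure.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Pod UID, appended to the key name so each run creates a distinct key.
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        # The expect script is expected under kmdata/bin on this volume.
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata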
pod_generatekeyocs_container.yaml
This example calls the ocsexpect.sh
script, which does the call to the generatekey
command.
The script uses environment variables created in the pod, coming from the cardcred
secret.
One of the variables is the CARDPP
variable, which is the passphrase for the OCS.
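# Generates an OCS-protected key through ocsexpect.sh (which answers
# generatekey's passphrase prompt from CARDPP), lists keys with rocs, then
# sleeps so the pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-generatekeyocs-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key of the cardcred Secret (CARDMODULE, OCS, OCSKEY and the
      # CARDPP passphrase) becomes an environment variable.
      # NOTE(review): environment variables are inherited by every child
      # process — including the trailing "sleep 3600" — and stay readable via
      # /proc for the life of the pod; a mounted Secret file read only by the
      # expect script would narrow that exposure.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Pod UID, appended to the key name so each run creates a distinct key.
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          /opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        # The expect script is expected under kmdata/bin on this volume.
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata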
pod_rocs_container.yaml
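# Lists the keys in the mounted kmdata volume with rocs, then sleeps so the
# pod stays up for inspection.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-rocs-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata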
pod_all_container.yaml
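# Runs every step of the previous samples in sequence (enquiry, nfkminfo,
# module key, OCS key, softcard key, rocs listing), then sleeps so the pod
# stays up for inspection. Steps are chained with ";" so a failing step does
# not stop the ones after it.
kind: Pod
apiVersion: v1
metadata:
  generateName: nscop-test-all-
  namespace: nscop-test
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-container
      securityContext:
        # NOTE(review): privileged grants full host capabilities and device
        # access; this container only uses the two mounted volumes, so confirm
        # it is actually required and drop it otherwise.
        privileged: true
      # Replace the placeholder with the registry that hosts the image.
      image: >-
        <external-docker-registry-IP-address>/cv-nshield-app-container
      # Every key of the cardcred Secret (CARDMODULE, OCS, OCSKEY, SOFTCARD,
      # SOFTCARDKEY and the CARDPP passphrase) becomes an environment variable.
      # NOTE(review): environment variables are inherited by every child
      # process — including the trailing "sleep 3600" — and stay readable via
      # /proc for the life of the pod; a mounted Secret file read only by the
      # expect scripts would narrow that exposure.
      envFrom:
        - secretRef:
            name: cardcred
      env:
        # Pod UID, appended to the key names so each run creates distinct keys.
        - name: MY_POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
      command: ["sh", "-c"]
      args:
        # One folded block scalar (lines joined by single spaces), which yields
        # the same string as the original multi-line plain scalar but reads
        # as a single item and is not broken by a line that starts with an
        # indicator or contains ": " / " #".
        - >-
          echo CONTAINER SCRIPT STARTED;
          echo;
          echo ------------------ enquiry;
          /opt/nfast/bin/enquiry;
          echo;
          echo ------------------ nfkminfo;
          /opt/nfast/bin/nfkminfo;
          echo;
          echo ------------------ Generating module key;
          /opt/nfast/bin/generatekey --generate --batch -m$CARDMODULE pkcs11 protect=module type=rsa size=2048 pubexp=65537 plainname=modulekey-$MY_POD_UID nvram=no recovery=yes;
          echo;
          echo ------------------ Generating ocs key;
          /opt/nfast/kmdata/bin/ocsexpect.sh $CARDMODULE $OCS $OCSKEY-$MY_POD_UID;
          echo;
          echo ------------------ Generating softcard key;
          /opt/nfast/kmdata/bin/softcardexpect.sh $CARDMODULE $SOFTCARD $SOFTCARDKEY-$MY_POD_UID;
          echo;
          echo ------------------ list keys;
          echo "list keys" | /opt/nfast/bin/rocs;
          echo CONTAINER SCRIPT DONE && sleep 3600
      ports:
        - containerPort: 8080
          protocol: TCP
      # Empty: no CPU/memory requests or limits are set for this container.
      resources: {}
      volumeMounts:
        - mountPath: /opt/nfast/sockets
          name: nscop-sockets
        # The expect scripts are expected under kmdata/bin on this volume.
        - mountPath: /opt/nfast/kmdata
          name: nscop-kmdata
  securityContext: {}
  volumes:
    - name: nscop-sockets
      persistentVolumeClaim:
        claimName: nfast-sockets
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata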
ocsexpect.sh
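#!/usr/bin/expect
# Script to generate a key protected by an OCS card.
# You must pass the module, OCS name and the keyname to be created.
# The OCS passphrase is read from the environment variable CARDPP (the
# comment used to say OCSPP, but the code has always sent CARDPP).
#
# Exit status is generatekey's own status, or 1 on bad arguments, a missing
# CARDPP, or no passphrase prompt — the original always exited 0, so the
# calling shell script could not tell whether the key was actually created.
#
# NOTE(review): everything the spawned command prints ends up in the pod log;
# confirm generatekey does not echo the passphrase back at its prompt.
if {[llength $argv] != 3} {
    puts stderr "usage: ocsexpect.sh MODULE OCS KEYNAME"
    exit 1
}
if {![info exists env(CARDPP)]} {
    puts stderr "ocsexpect.sh: CARDPP is not set"
    exit 1
}
set MODULE [lindex $argv 0]
set OCS [lindex $argv 1]
set KEYNAME [lindex $argv 2]
# Give up after this many seconds if the passphrase prompt never appears
# (expect's default is 10, after which the original sent the passphrase anyway).
set timeout 60
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=token recovery=no size=2048 cardset=$OCS
expect {
    "Enter passphrase:" {
        sleep 1
        send -- "$env(CARDPP)\r"
        expect eof
    }
    timeout {
        puts stderr "ocsexpect.sh: timed out waiting for the passphrase prompt"
        exit 1
    }
    eof {
        # generatekey finished (or failed) before asking; report its status below.
        puts stderr "ocsexpect.sh: generatekey exited before prompting for a passphrase"
    }
}
# wait returns {pid spawn_id 0 exit_status} for a normal exit.
catch wait result
exit [lindex $result 3]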
softcardexpect.sh
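#!/usr/bin/expect
# Script to generate a key protected by a Softcard.
# You must pass the module, softcard name and the keyname to be created.
# The softcard passphrase is read from the environment variable CARDPP (the
# comment used to say SOFTCARDPP, but the code has always sent CARDPP).
#
# Exit status is generatekey's own status, or 1 on bad arguments, a missing
# CARDPP, or no passphrase prompt — the original always exited 0, so the
# calling shell script could not tell whether the key was actually created.
#
# NOTE(review): everything the spawned command prints ends up in the pod log;
# confirm generatekey does not echo the passphrase back at its prompt.
if {[llength $argv] != 3} {
    puts stderr "usage: softcardexpect.sh MODULE SOFTCARD KEYNAME"
    exit 1
}
if {![info exists env(CARDPP)]} {
    puts stderr "softcardexpect.sh: CARDPP is not set"
    exit 1
}
set MODULE [lindex $argv 0]
set SOFTCARD [lindex $argv 1]
set KEYNAME [lindex $argv 2]
# Give up after this many seconds if the passphrase prompt never appears
# (expect's default is 10, after which the original sent the passphrase anyway).
set timeout 60
sleep 2
spawn /opt/nfast/bin/generatekey -b -g -m$MODULE pkcs11 plainname=$KEYNAME type=rsa protect=softcard recovery=no size=2048 softcard=$SOFTCARD
expect {
    "pass phrase for softcard" {
        sleep 1
        send -- "$env(CARDPP)\r"
        expect eof
    }
    timeout {
        puts stderr "softcardexpect.sh: timed out waiting for the passphrase prompt"
        exit 1
    }
    eof {
        # generatekey finished (or failed) before asking; report its status below.
        puts stderr "softcardexpect.sh: generatekey exited before prompting for a passphrase"
    }
}
# wait returns {pid spawn_id 0 exit_status} for a normal exit.
catch wait result
exit [lindex $result 3]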