Introduction
This guide describes how a VMware vSphere with Tanzu Kubernetes cluster integrates with an nShield Hardware Security Module (HSM) using the nShield Container Option Pack (nCOP).
VMware vSphere with Tanzu uses your existing vSphere environment to deliver Kubernetes clusters at a rapid pace. Developers can build, launch, and scale container-based web applications in the vSphere environment. nCOP allows application developers, in the container-based environment of vSphere with Tanzu, to access the cryptographic functionality of an HSM.
Integration architecture overview
vSphere Tanzu Cluster and HSM
In this integration, a vSphere Tanzu Kubernetes cluster is deployed in a VMware vSAN cluster. Container images are downloaded from a Docker registry.
The following hosts are created:
- HAProxy virtual appliance for provisioning load balancers.
- Supervisor virtual machines.
- Load balancers.
- TKG nodes.
For more information on how to deploy a VMware Tanzu Kubernetes cluster, see your VMware documentation.
Container images
Two container images were created for the purpose of this integration: a hardserver container, and an application container. These images are stored in an external registry:
- nshield-hwsp: a hardserver container image that controls communication between the HSM(s) and the application containers. One or more hardserver containers are required per deployment, depending on the number of HSMs and the number and types of application containers.
- nshield-app: application container images used to run nShield commands. They are Red Hat Universal Base Image containers in which the Security World software is installed.
You can also create containers that contain your application. For instructions, see the nShield Container Option Pack User Guide.
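The following Kubernetes manifest is an added example, not part of this guide or of nCOP itself, showing how the two images above are typically paired: one hardserver container and one application container in the same Pod, sharing the hardserver socket through a volume, with the application container running with capabilities dropped so that only unprivileged connections are made. The registry name, image tags, ConfigMap and PVC names, and the mount paths are assumptions for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nshield-app-demo
spec:
  restartPolicy: Never
  volumes:
    # Shared directory in which the hardserver publishes its UNIX socket
    # and from which the application container connects (path assumed).
    - name: nfast-sockets
      emptyDir: {}
    # Hardserver configuration naming the HSM(s) to connect to
    # (ConfigMap name assumed).
    - name: hwsp-config
      configMap:
        name: nshield-hwsp-config
    # Security World data for the application container (PVC name assumed).
    - name: kmdata
      persistentVolumeClaim:
        claimName: nshield-kmdata
  containers:
    - name: nshield-hwsp
      image: registry.example.com/nshield-hwsp:12.71.0   # registry/tag assumed
      volumeMounts:
        - name: nfast-sockets
          mountPath: /opt/nfast/sockets
        - name: hwsp-config
          mountPath: /opt/nfast/kmdata/config
    - name: nshield-app
      image: registry.example.com/nshield-app:12.71.0    # registry/tag assumed
      # enquiry reports the HSMs visible through the hardserver; a successful
      # run confirms the socket sharing and HSM connectivity work.
      command: ["/opt/nfast/bin/enquiry"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: nfast-sockets
          mountPath: /opt/nfast/sockets
        - name: kmdata
          mountPath: /opt/nfast/kmdata/local
          readOnly: true
```

Check the application container's log with `kubectl logs nshield-app-demo -c nshield-app`: the enquiry output should list the HSM module(s) reachable through the hardserver container.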
Product configurations
We have successfully tested the integration of an nShield HSM with VMware vSphere Tanzu in the following configurations:
Container Base OS | vSphere Tanzu | VMware | nShield HSM | nShield Image | nShield Firmware | nShield Software | nCOP
---|---|---|---|---|---|---|---
RHEL, CentOS, Ubuntu | 7.0.2 | 7.0.2 | Connect XC | 12.60.10 | | 12.71.0 | 1.1.1
Requirements
Before starting the integration process
Familiarize yourself with:
- The documentation for the nShield HSM.
- The nShield Container Option Pack User Guide.
- The documentation and setup process for vSphere with Tanzu.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.