Thales Luna integration in Kubernetes

The Thales Luna HSM sidecar container enables integrating the application container to a network attached Thales Luna. The following covers how to set up the integration in Kubernetes.

For more general information on the HSM integration with PKCS#11, see HSM Integration.

Container	`registry.primekey.com/primekey/hsm-driver-luna7:<version>`
Current version	`10.5.1`
Privileges	Running as unprivileged user 10001:0.

Prerequisites

Before using this container, you need the following:

Luna7 net-HSM with fully configured secured network access. The EJBCA deployment will be configured with:
- The IP address/hostname of HSM
- server.pem certificate
Administrative access on the HSM for registering a client and assigning partitions a client
P11 Proxy must have network access to the HSM service (security groups, network ACL's, etc)
An existing key pair credential for the client i.e. the HSM driver container to communicate with HSM.

HSM driver container deployment parameters

This parameters needs to be configured at the HSM sidecar container.

Environment variables

The following environment variable can be used to adjust the containers behavior:

Name	Description	Comments
SERVER_NAME	The IP Address or FQDN of the HSM that the client will connect to.	Default: None Required: True
CKLOG2_ENABLED	Enable logging of PKCS11 calls on the HSM client. The values for this variable are 0 = disabled and 1 = enabled	Default: 0 Required: False
PROTECTED_AUTHENTICATION_PATH_FLAG_STATUS	How the HSM slot is protected. 0 → No PED 1 → Crypto Officer 2 → Crypto User	Default: 0 Required: False

Volume mounts

All of the volume mount parameters are mandatory and may only be configured at the sidecar container.

Description	Mount point
HSM Server certificate	`/opt/luna/certs-server/server.pem`
Client certificate to communicate with HSM	`/opt/luna/certs-client/dockerlunaclient.pem`
Client private key to communicate with HSM (Recommended to be configured as Kubernetes secrets)	`/opt/luna/certs-client/dockerlunaclientKey.pem`

Prepare HSM configuration

The server certificate and client credentials are assumed to configured as prerequisite.

We need to configure the server certificate and client credentials as described in last section.

Create a Kubernetes secret with the client private key to communicate with HSM.
- It is recommended to keep the file name in secret as dockerlunaclientKey.pem . Otherwise adjust the values.yaml in next section.
- The namespace may need to be updated
- The name of the secret needs also to be reflected at corresponding to line 57 in the values.yaml in next section.

BASH

kubectl create secret generic hsm-luna-secret-client-key \
     -n cadeploymentnamespace --from-file=dockerlunaclientKey.pem=dockerlunaclientKey.pem

Create a Kubernetes Configmap to configure the HSM server and the client certificate.
- HSM server certificate: See line 43 in the values.yaml in next section.
- Client certificate: See line 49 in the values.yaml in next section.

The contents of the certificates are truncated for brevity.

YAML

apiVersion: v1
kind: ConfigMap
metadata:
  name: hsm-luna-configmap
data:
  server.pem: |
    -----BEGIN CERTIFICATE-----
    MIIDOTCCAiGgAwIBAgIBADANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJDQTEQ
    .....truncated.....
    OaIJWeLzCzXw4bzKbl5VvfwXmrTyCh0wHgN+E1VOhv8s2HhA3/Mzujb1VhPDCT0Z
    LP1EfFulatVU0dtbQg==
    -----END CERTIFICATE-----
  dockerlunaclient.pem: |
    -----BEGIN CERTIFICATE-----
    MIIDMzCCAhugAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJDQTEQ
    .....truncated.....
    xP96D2AMJN/9/rPHLHEJqETdYBvZYwdzyqB9GinxwuxlCfkrolx+ETyk16wK63m1
    dABXXPaeLg==
    -----END CERTIFICATE-----

Configure Deployment

The following provides an example of customizing the deployment using Helm. Note that the Helm chart values file values.yaml describes an example test deployment and does not include:

Database connection.
Configured imagePullSecrets that may be required.
TLS connection required after the deployment and creation of the CAs.

Ensure that the deployment is allowed an Egress to the physical HSM.

Please adjust the SERVER_NAME environment variable for HSM server in line 28.

YAML

#imagePullSecrets: []
ejbca:
  env:
    TLS_SETUP_ENABLED: "later"
    LOG_AUDIT_TO_DB: true
  # More convenient way to integrate with HSM will be available soon
  # Extra init containers to be added to the deployment
  initContainers:
    - name: hsm-driver-init
      image: registry.primekey.com/primekey/hsm-driver-luna7:10.5.1
      command:
        [
          "sh",
          "-c",
          "cp --preserve --recursive /opt/keyfactor/p11proxy-client/* /mnt/driver/",
        ]
      volumeMounts:
        - name: p11proxy-client
          mountPath: /mnt/driver/
  # Extra sidecar containers to be added to the deployment
  sidecarContainers:
    - name: hsm
      image: registry.primekey.com/primekey/hsm-driver-luna7:10.5.1
      env:
        - name: SERVER_NAME
          value: "192.168.1.25"
      volumeMounts:
        - name: hsm-luna-configmap-servercert
          mountPath: /opt/luna/certs-server/server.pem
          subPath: server.pem
        - name: hsm-luna-configmap-client-cert
          mountPath: /opt/luna/certs-client/dockerlunaclient.pem
          subPath: dockerlunaclient.pem
        - name: hsm-luna-secret-client-key
          mountPath: /opt/luna/certs-client/dockerlunaclientKey.pem
          subPath: dockerlunaclientKey.pem
  # Extra volumes to be added to the deployment
  volumes:
    - name: p11proxy-client
      emptyDir: {}
    - name: hsm-luna-configmap-servercert
      configMap:
        name: hsm-luna-configmap
        items:
          - key: "server.pem"
            path: "server.pem"
    - name: hsm-luna-configmap-client-cert
      configMap:
        name: hsm-luna-configmap
        items:
          - key: "dockerlunaclient.pem"
            path: "dockerlunaclient.pem"
    - name: hsm-luna-secret-client-key
      secret:
        secretName: hsm-luna-secret-client-key
  # Extra volume mounts to be added to the deployment
  volumeMounts:
    - name: p11proxy-client
      mountPath: /opt/keyfactor/p11proxy-client
# needed to make softhsm volume mount to work
podSecurityContext:
  fsGroup: 10001
ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional_no_ca"
    #nginx.ingress.kubernetes.io/auth-tls-secret: "default/ejbca-ingress-trust-secret"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
  hosts:
    - host: "ejbcaca1.testdomain.se"
      paths:
        - path: /
          pathType: Prefix
  # tls:
  #   - hosts:
  #       - "ejbcaca1.testdomain.se"
  #     secretName: ingress-credential-secret-ca

Create and verify HSM crypto token

To create a crypto token and then test the HSM key, do the following:

In the EJBCA menu, click CA Functions > Crypto Tokens.
Click Create new and specify the following on the New Crypto Token page:
- Name: Specify a name for the crypto token.
- Type: Select PKCS#11 NG.
- Auto-activation: Select use to allow EJBCA to save the password and reapply it after a restart so that the CA is always available.
- For PKCS#11 : Reference Type, select Slot/Token Label.
- For PKCS#11 : Reference, select one of the listed slots available in the HSM.
- Authentication Code: Enter a password for auto-activation, same as provided for the slot or token in the HSM.
- Click Save to create the crypto token.
Next, you can generate key pairs and any existing key pairs on the HSM are also shown.
To verify that the HSM key is operational, click Test.

Advanced deployments

The EJBCA Enterprise configuration export/import tool EJBCA ConfigDump allows you to deploy EJBCA with automation. For information on deploying EJBCA with automation, using a soft HSM integration suitable for testing, see Deploy EJBCA as CA with automation with SoftHSM2.

Thales Luna 7 HSM installations can also be automated using the EJBCA ConfigDump tool. For information on how to configure the tool in Kubernetes, see EJBCA Configdump in Kubernetes.

.