Thales Luna integration in Kubernetes
ENTERPRISE
The Thales Luna HSM sidecar container enables integrating the application container to a network attached Thales Luna. The following covers how to set up the integration in Kubernetes.
For more general information on the HSM integration with PKCS#11, see HSM Integration.
Container |
|
Current version |
|
Privileges | Running as unprivileged user 10001:0. |
Prerequisites
Before using this container, you need the following:
Luna7 net-HSM with fully configured secured network access. The EJBCA deployment will be configured with:
The IP address/hostname of the HSM
server.pem certificate
Administrative access on the HSM for registering a client and assigning partitions to the client.
The P11 Proxy must have network access to the HSM service (security groups, network ACLs, etc)
An existing key pair credential for the client, i.e. the HSM driver container, to communicate with the HSM.
HSM driver container deployment parameters
The following lists parameters for the HSM sidecar container.
Environment variables
The following environment variables configure the HSM sidecar container.
Name | Description | Comments |
---|---|---|
SERVER_NAME | IP Address or FQDN of the HSM that the client will connect to. | Default: None |
CKLOG2_ENABLED | Enables logging of PKCS11 calls on the HSM client. Values: 0 = disabled, 1 = enabled. | Default: 0 |
PROTECTED_AUTHENTICATION_PATH_FLAG_STATUS | Defines how the HSM slot is protected. Options: 0 = No PED, 1 = Crypto Officer, 2 = Crypto User. | Default: 0 |
Volume mounts
All volume mount parameters are mandatory and should only be configured in the HSM sidecar container.
Description | Mount point |
---|---|
HSM Server certificate |
|
Client certificate to communicate with HSM |
|
Client private key for HSM communication |
|
Prepare HSM configuration
The following assumes that the server certificate and client credentials are already available.
Configure the server certificate and client credentials:
Create a Kubernetes secret with the client private key to communicate with the HSM.
It is recommended to keep the file name in the secret as
dockerlunaclientKey.pem
. Otherwise, adjust thevalues.yaml
in the next section.Replace
<namespace>
with your deployment's namespace.The name of the secret needs to be reflected in the
values.yaml
in the next section.BASHkubectl create secret generic hsm-luna-secret-client-key \ -n cadeploymentnamespace --from-file=dockerlunaclientKey.pem=dockerlunaclientKey.pem
Create a Kubernetes ConfigMap to configure the HSM server certificate and client certificate.
The HSM server certificate and client certificate values in the
values.yaml
may be adjusted in the next section.
The contents of the certificates are truncated in the following example.
apiVersion: v1
kind: ConfigMap
metadata:
name: hsm-luna-configmap
data:
server.pem: |
-----BEGIN CERTIFICATE-----
MIIDOTCCAiGgAwIBAgIBADANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJDQTEQ
.....truncated.....
OaIJWeLzCzXw4bzKbl5VvfwXmrTyCh0wHgN+E1VOhv8s2HhA3/Mzujb1VhPDCT0Z
LP1EfFulatVU0dtbQg==
-----END CERTIFICATE-----
dockerlunaclient.pem: |
-----BEGIN CERTIFICATE-----
MIIDMzCCAhugAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJDQTEQ
.....truncated.....
xP96D2AMJN/9/rPHLHEJqETdYBvZYwdzyqB9GinxwuxlCfkrolx+ETyk16wK63m1
dABXXPaeLg==
-----END CERTIFICATE-----
Configure Deployment
The following provides an example of customizing the deployment using Helm. Note that the Helm chart values file values.yaml
describes an example test deployment and does not include:
Database connection.
Configured
imagePullSecrets
that may be required.TLS connection required after the deployment and creation of the CAs.
Ensure that the deployment is allowed an Egress to the physical HSM.
Make sure to adjust the values for the HSM server environment variable (SERVER_NAME
) and any required secrets.
#imagePullSecrets: []
ejbca:
env:
TLS_SETUP_ENABLED: "later"
LOG_AUDIT_TO_DB: true
# More convenient way to integrate with HSM will be available soon
# Extra init containers to be added to the deployment
initContainers:
- name: hsm-driver-init
image: registry.primekey.com/primekey/hsm-driver-luna7:10.5.1
command:
[
"sh",
"-c",
"cp --preserve --recursive /opt/keyfactor/p11proxy-client/* /mnt/driver/",
]
volumeMounts:
- name: p11proxy-client
mountPath: /mnt/driver/
# Extra sidecar containers to be added to the deployment
sidecarContainers:
- name: hsm
image: registry.primekey.com/primekey/hsm-driver-luna7:10.5.1
env:
- name: SERVER_NAME
value: "192.168.1.25"
volumeMounts:
- name: hsm-luna-configmap-servercert
mountPath: /opt/luna/certs-server/server.pem
subPath: server.pem
- name: hsm-luna-configmap-client-cert
mountPath: /opt/luna/certs-client/dockerlunaclient.pem
subPath: dockerlunaclient.pem
- name: hsm-luna-secret-client-key
mountPath: /opt/luna/certs-client/dockerlunaclientKey.pem
subPath: dockerlunaclientKey.pem
# Extra volumes to be added to the deployment
volumes:
- name: p11proxy-client
emptyDir: {}
- name: hsm-luna-configmap-servercert
configMap:
name: hsm-luna-configmap
items:
- key: "server.pem"
path: "server.pem"
- name: hsm-luna-configmap-client-cert
configMap:
name: hsm-luna-configmap
items:
- key: "dockerlunaclient.pem"
path: "dockerlunaclient.pem"
- name: hsm-luna-secret-client-key
secret:
secretName: hsm-luna-secret-client-key
# Extra volume mounts to be added to the deployment
volumeMounts:
- name: p11proxy-client
mountPath: /opt/keyfactor/p11proxy-client
# needed to make softhsm volume mount to work
podSecurityContext:
fsGroup: 10001
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional_no_ca"
#nginx.ingress.kubernetes.io/auth-tls-secret: "default/ejbca-ingress-trust-secret"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
hosts:
- host: "ejbcaca1.testdomain.se"
paths:
- path: /
pathType: Prefix
# tls:
# - hosts:
# - "ejbcaca1.testdomain.se"
# secretName: ingress-credential-secret-ca
Create and verify HSM crypto token
To create a crypto token and then test the HSM key, do the following:
In the EJBCA menu, click CA Functions > Crypto Tokens.
Click Create new and specify the following on the New Crypto Token page:
Name: Specify a name for the crypto token.
Type: Select PKCS#11 NG.
Auto-activation: Select use to allow EJBCA to save the password and reapply it after a restart so that the CA is always available.
For PKCS#11 : Reference Type, select Slot/Token Label.
For PKCS#11 : Reference, select one of the listed slots available in the HSM.
Authentication Code: Enter a password for auto-activation, the same as provided for the slot or token in the HSM.
Click Save to create the crypto token.
Once created, you can generate new key pairs or view any existing key pairs on the HSM.
To verify that the HSM key is operational, click Test.
Advanced deployments
The EJBCA Enterprise configuration export/import tool EJBCA ConfigDump allows you to deploy EJBCA with automation. For information on deploying EJBCA with automation, using a soft HSM integration suitable for testing, see Deploy EJBCA as CA with automation with SoftHSM2.
Thales Luna 7 HSM installations can also be automated using the EJBCA ConfigDump tool. For information on how to configure the tool in Kubernetes, see EJBCA Configdump in Kubernetes.
.