ejbca-ce with HSM on kubernetes
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ejbca
  name: ejbca
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ejbca
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ejbca
    spec:
      initContainers:
      - command:
        - sh
        - -c
        - cp --preserve --recursive /opt/primekey/p11proxy-client/* /mnt/ && touch /opt/primekey/p11proxy-client/p11proxy-client.conf
        image: ghcr.io/jc-lab/ejbca-hsm-driver-opensc:tag-0.0.1-rc1
        imagePullPolicy: IfNotPresent
        name: hsm-driver-init
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /mnt
          name: p11proxy-client
      containers:
      - env:
        - name: PKCS11_PROXY_SOCKET
          value: tls://PKCS11_PROXY_DAEMON_IP:2345
        - name: PKCS11_PROXY_TLS_PSK_FILE
          value: /pkcs11-proxy-tls/tls.psk
        - name: TLS_SETUP_ENABLED
          value: later
        - name: DATABASE_JDBC_URL
          value: jdbc:mysql://MYSQL_DB_HOSTNAME/MYSQL_DB_NAME?characterEncoding=UTF-8
        - name: DATABASE_USER
          value: DATABASE_USERNAME
        - name: DATABASE_PASSWORD
          valueFrom:
            secretKeyRef:
              key: mysql-password
              name: ejbca-creds
        image: keyfactor/ejbca-ce:7.10.0.1
        imagePullPolicy: IfNotPresent
        name: ejbca
        ports:
        - containerPort: 80
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        resources: {}
        volumeMounts:
        - mountPath: /opt/primekey/bin/internal/after-init-post.sh
          name: ejbca-custom
          subPath: after-init-post.sh
          readOnly: true
        - mountPath: /opt/primekey/p11proxy-client
          name: p11proxy-client
        - mountPath: /pkcs11-proxy-tls
          name: pkcs11-proxy-tls
          readOnly: true
        - mountPath: /opt/primekey/secrets/external/tls/ks/
          name: ejbca-keystore
          readOnly: true
      volumes:
      - name: ejbca-custom
        configMap:
          name: ejbca-custom
      - emptyDir: {}
        name: p11proxy-client
      - name: pkcs11-proxy-tls
        secret:
          defaultMode: 420
          secretName: pkcs11-proxy-tls
      - name: ejbca-keystore
        secret:
          defaultMode: 420
          secretName: ejbca-keystore
```
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ejbca-creds
type: Opaque
data:
  mysql-password: {{ "MYSQL PASSWORD" | b64enc }}
```
```yaml
apiVersion: v1
data:
  after-init-post.sh: |
    #!/bin/bash
    # Called by the ejbca-ce image after initialisation; enable the
    # hashing sign mechanisms that the PKCS#11 proxy path needs.
    baseDir="$1"
    tempDir="$2"
    ID="$3"
    echo "pkcs11.disableHashingSignMechanisms=false" >> "${baseDir}/ejbca/conf/cesecore.properties"
kind: ConfigMap
metadata:
  name: ejbca-custom
```
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ejbca-keystore
type: Opaque
data:
  server.jks: {{ JWS | b64enc }}
  server.keypasswd: {{ PASSWORD | b64enc }}
  server.storepasswd: {{ PASSWORD | b64enc }}
```
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: pkcs11-proxy-tls
type: Opaque
data:
  tls.psk: {{ "pkcs11:00112233445566778899aabbccddeeff" | b64enc }}
```
```ini
[Unit]
Description=OpenSC PKCS11 Proxy
After=pcscd.service

[Service]
Environment=PKCS11_DAEMON_SOCKET=tls://0.0.0.0:2345
Environment=PKCS11_PROXY_TLS_PSK_FILE=/etc/pkcs11-proxy.psk
ExecStart=/usr/local/bin/pkcs11-daemon /usr/lib/opensc-pkcs11.so

[Install]
WantedBy=multi-user.target
```
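The PSK shared by the `pkcs11-proxy-tls` Secret above and the daemon's `/etc/pkcs11-proxy.psk` is the only thing authenticating the EJBCA pod to the HSM proxy, so the sample value should never reach a cluster. The following is an added helper, not part of the gist, that validates a PSK line, rejects typed-in placeholders such as the sample, generates a fresh one and renders the same Secret the gist templates with `b64enc`; it assumes the file holds one `<identity>:<hex key>` line, the shape of the sample value.

```python
"""Added helper, not part of the gist: check a pkcs11-proxy PSK line and render it
as the `pkcs11-proxy-tls` Secret that the Deployment mounts at /pkcs11-proxy-tls.
Assumption: the PSK file holds one `<identity>:<hex key>` line, the shape of the
gist's sample value `pkcs11:00112233445566778899aabbccddeeff`."""
import base64
import re
import secrets

MIN_KEY_BYTES = 16  # never accept less than the sample's 128-bit key
_PSK_RE = re.compile(r"^([A-Za-z0-9_.-]+):([0-9a-fA-F]+)$")


def parse_psk(line: str) -> tuple[str, bytes]:
    """Split `identity:hexkey`, enforcing hex encoding and a minimum key length."""
    m = _PSK_RE.match(line.strip())
    if not m:
        raise ValueError("PSK must be <identity>:<hex key>")
    identity, hexkey = m.group(1), m.group(2)
    if len(hexkey) % 2:
        raise ValueError("hex key has an odd number of digits")
    key = bytes.fromhex(hexkey)
    if len(key) < MIN_KEY_BYTES:
        raise ValueError(f"key is {len(key)} bytes, need at least {MIN_KEY_BYTES}")
    return identity, key


def looks_like_placeholder(key: bytes) -> bool:
    """Flag keys a human typed: almost no distinct bytes, or a constant stride
    such as the sample's 00 11 22 33 ... ff."""
    if len(set(key)) <= 2:
        return True
    strides = {(b - a) % 256 for a, b in zip(key, key[1:])}
    return len(strides) == 1


def generate_psk(identity: str = "pkcs11", nbytes: int = 32) -> str:
    """Fresh random PSK line in the same `identity:hexkey` form, from the OS CSPRNG."""
    return f"{identity}:{secrets.token_hex(nbytes)}"


def render_psk_secret(psk_line: str, name: str = "pkcs11-proxy-tls") -> str:
    """Secret manifest equivalent to the gist's `{{ ... | b64enc }}` template,
    refusing placeholder keys before they reach the cluster."""
    identity, key = parse_psk(psk_line)
    if looks_like_placeholder(key):
        raise ValueError(f"PSK for identity {identity!r} looks like a placeholder")
    b64 = base64.b64encode(psk_line.encode()).decode()
    return (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {name}\ntype: Opaque\ndata:\n  tls.psk: {b64}\n"
    )
```

Write the same `generate_psk()` line to `/etc/pkcs11-proxy.psk` on the daemon host (mode 0600) so both ends hold an identical key.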