Merge pull request ThalesGroup#35 from hoskeri/injector-script

Thales Plugin Injector
howardjohn · Nov 20, 2020 · ed9f7fe · ed9f7fe
2 parents b3b28f9 + b79a72c
commit ed9f7fe
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 0 deletions.
diff --git a/cvclient-plugin-injector/Dockerfile b/cvclient-plugin-injector/Dockerfile
@@ -0,0 +1,6 @@
+FROM debian:unstable
+ARG cvclientpackage="cvclient-min.tar.gz"
+ADD ${cvclientpackage} /opt/cvclient/
+ADD inject.sh /inject-pkcs11-driver
+
+ENTRYPOINT ["/inject-pkcs11-driver"]
diff --git a/cvclient-plugin-injector/README.md b/cvclient-plugin-injector/README.md
@@ -0,0 +1,23 @@
+# Thales PKCS11 Client Library Injector.
+
+The KMS plugin itself is redistributable, we can include it
+in the GKE OnPrem Container Repository, and this repository can
+be a publicly available.
+
+However, the Thales Client Library is proprietary software, and not publicly
+redistributable. This client library is a dependency for the KMS plugin
+when the HSM is being used.
+
+The Docker image built here is made available separately to those customers
+licensed to use the client package.
+
+# Building the container.
+
+Running ./build.sh performs the following steps.
+
+1. Download the cvclient-min.tar.gz from an external location (eg: a gcs
+   bucket), and save it to this directory.
+
+2. docker build -t thales-injector:v1
+
+3. docker push to the repository.
diff --git a/cvclient-plugin-injector/build.sh b/cvclient-plugin-injector/build.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# This script builds a container image to inject the Thales Luna HSM
+# PKCS11 driver and related utilties into a specified target directory.
+# See thales-injector/README.md for background.
+
+set -euxo pipefail
+
+script_dir="$(dirname $(readlink -f "$0"))"
+
+fatal() {
+  >&2 echo "fatal: $*"
+  exit 1
+}
+
+verify_checksum() {
+  calc_sum="$(sha256sum "$1"|cut -d' ' -f1)"
+  expected_sum="${2}"
+
+  if [ "$calc_sum" != "$expected_sum" ]
+  then
+    fatal "checksum mismatch for ${1}"
+  fi
+  return 0
+}
+
+###
+### Obtain package tarball.
+###
+
+#Contents of cvclient-bin.tar.gz
+cvclient_payload="gs://hsm-cvclient-bin/cvclient-min-10.1-sha256sum@1b2faa327c32a674e395e697d2e7f65c447847ce393b12354a3d82962a76ee87.tar.gz"
+
+cvclient_version="10.1"
+cvclient_sha256sum="1b2faa327c32a674e395e697d2e7f65c447847ce393b12354a3d82962a76ee87"
+cvclient_path="${script_dir}/cvclient-min.tar.gz"
+
+rm -v -f "${cvclient_path}"
+
+gsutil cp "${cvclient_payload}" "${cvclient_path}"
+
+verify_checksum "${cvclient_path}" "${cvclient_sha256sum}"
+
+###
+### Build Image.
+###
+
+image_repo="gcr.io/thales-hsm-driver-injector"
+image_name="thaleslunahsm-plugin-injector"
+image_tag="${cvclient_version}-1" # append local version.
+
+# fully qualified image reference
+image_fullname="${image_repo}/${image_name}:${image_tag}"
+
+docker build -t "${image_fullname}" "${script_dir}"
+docker push "${image_fullname}"
diff --git a/cvclient-plugin-injector/inject.sh b/cvclient-plugin-injector/inject.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Injects the driver plugin into a shared volume.
+# See README.md for background.
+
+destdir=${1:-}
+
+err_exit() {
+  >&2 echo "E: $*"
+  exit 1
+}
+
+if [ ! -n "${destdir}" ]
+then
+  err_exit "usage: $0 directory"
+fi
+
+if [ ! -d "${destdir}" ]
+then
+  err_exit "${destdir} is not a directory"
+fi
+
+cp -a -v /opt/cvclient "${destdir}"