Pluggable provider architecture with Nitrokey HSM support #1
Merged
Rename from Podman Secret Infisical to Podman Secret Infrastructure. Add SecretProvider protocol so multiple secret backends coexist behind a single shell driver.

Infisical provider: all Infisical code moved to psi/providers/infisical/ with no behavior changes. Config nests under providers.infisical.

NitroHSM provider: new backend that encrypts secrets with a Nitrokey HSM via PKCS#11. Hybrid encryption (AES-256-GCM + RSA-OAEP-SHA256). PIN resolves from systemd-creds (TPM-sealed), config, or env var. Includes preflight checks and pcscd sidecar setup command.

secret.py and serve.py dispatch to providers via JSON mapping format. Generated drop-ins use Wants= instead of Requires= to prevent cascade failures. Containerfile switched to Fedora runtime for pcscd socket compatibility.
Rename the provider directory, config key, CLI subcommand, and env var from nitrohsm to nitrokeyhsm. Use "Nitrokey HSM" (with space) in all user-facing text and documentation. Code identifiers use NitrokeyHSM.
boto3, cryptography, and PyKCS11 are now core dependencies instead of optional extras. Removes all ty: ignore[unresolved-import] comments and simplifies the Containerfile. The only remaining optional extra is dbus-python (needed for systemd D-Bus reload in containers).
All dependencies are now core. The dbus import fallback to systemctl stays for distros without D-Bus development libraries.
Build the test container target from source in every PR, then run lint, type check, and unit tests inside it. Also builds the production container and verifies the entrypoint. No host-level Python or build tooling needed in the GitHub Actions runner.
Build the test container first, run lint/ty/pytest inside it, then build the production image and push to GHCR. Tags :latest on master. No host-level Python tooling needed on the Buildkite agent.
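The hybrid scheme named in the first commit above (AES-256-GCM for the payload, RSA-OAEP-SHA256 to wrap a one-time data key) and the PIN resolution order it describes, as an added example that is not the project's code. A software RSA key pair generated in the block stands in for the Nitrokey HSM key: at store time only the public key is needed, and in the real flow the unwrap happens inside the HSM over PKCS#11 after the PIN is presented. The record field names, the systemd credential file name `nitrokeyhsm-pin`, and the helper names are assumptions; `PSI_NITROKEYHSM_PIN` and `CREDENTIALS_DIRECTORY` are the env var named on this page and the directory systemd sets for loaded credentials.

```python
"""Hybrid secret encryption: AES-256-GCM payload, RSA-OAEP-SHA256 wrapped data key.
Added example, not PSI project code. The RSA key pair is generated in software as a
stand-in for the Nitrokey HSM key (an assumption made for an offline demo)."""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP with SHA-256 for both the hash and MGF1, the usual PKCS#11 OAEP parameter set
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
ENV_PIN = "PSI_NITROKEYHSM_PIN"   # env var named on the page
CRED_NAME = "nitrokeyhsm-pin"     # systemd credential file name: an assumption


def b64e(b: bytes) -> str:
    return base64.b64encode(b).decode()


def b64d(s: str) -> bytes:
    return base64.b64decode(s)


def make_keypair():
    """Stand-in for the HSM key pair; 2048 bits keeps the demo fast, use >= 3072 in practice."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def store_secret(public_key, name: str, plaintext: bytes) -> dict:
    """Store-time path: needs only the public key, so no HSM session or PIN."""
    dek = AESGCM.generate_key(bit_length=256)  # fresh data key per secret
    nonce = os.urandom(12)                      # 96-bit nonce; dek is never reused, so no collision risk
    aad = name.encode()                         # bind the ciphertext to the secret name
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    wrapped = public_key.encrypt(dek, OAEP)
    # JSON mapping with a provider discriminator; field names are an assumption
    return {"provider": "nitrokeyhsm", "name": name, "nonce": b64e(nonce),
            "ciphertext": b64e(ciphertext), "wrapped_key": b64e(wrapped)}


def hsm_unwrap(private_key, wrapped: bytes) -> bytes:
    """Stand-in for the private-key operation done inside the HSM via PKCS#11."""
    return private_key.decrypt(wrapped, OAEP)


def load_secret(private_key, record: dict) -> bytes:
    """Container-start path: unwrap the data key, then authenticate and decrypt the payload."""
    if record.get("provider") != "nitrokeyhsm":
        raise ValueError("record belongs to a different provider")
    dek = hsm_unwrap(private_key, b64d(record["wrapped_key"]))
    return AESGCM(dek).decrypt(b64d(record["nonce"]), b64d(record["ciphertext"]),
                               record["name"].encode())


def tamper_is_detected(private_key, record: dict) -> bool:
    """Flip one ciphertext byte; AES-GCM must reject it rather than return garbage."""
    ct = bytearray(b64d(record["ciphertext"]))
    ct[0] ^= 0x01
    try:
        load_secret(private_key, dict(record, ciphertext=b64e(bytes(ct))))
    except InvalidTag:
        return True
    return False


def resolve_pin(config_pin=None, env=None, cred_dir=None):
    """Resolution order from the commit message: systemd credential, then config, then env var."""
    env = os.environ if env is None else env
    cred_dir = env.get("CREDENTIALS_DIRECTORY") if cred_dir is None else cred_dir
    if cred_dir:
        path = os.path.join(cred_dir, CRED_NAME)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                return fh.read().decode().rstrip("\n")
    if config_pin:
        return config_pin
    return env.get(ENV_PIN)


if __name__ == "__main__":
    priv, pub = make_keypair()
    rec = store_secret(pub, "db-password", b"hunter2")  # constructed sample secret
    assert load_secret(priv, rec) == b"hunter2"
    assert tamper_is_detected(priv, rec)
    print("round trip and tamper check ok")
```

Because the name is passed as AAD, a record copied under a different secret name fails authentication instead of silently decrypting, and because only `hsm_unwrap` touches the private key, the PIN (and the HSM session) is needed at container start only, never at store time.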
Summary
- `SecretProvider` protocol and provider registry for pluggable secret backends
- Infisical provider moved to `psi/providers/infisical/` with no behavior changes
- Nitrokey HSM provider (`psi/providers/nitrokeyhsm/`) that encrypts secrets at store time and decrypts via PKCS#11 at container start
- Config nests under a `providers:` dict instead of top-level Infisical fields
- JSON mapping with a `provider` discriminator replaces the old colon-separated format
- Generated drop-ins use `Wants=` instead of `Requires=` to prevent cascade failures
- Docs: `docs/infisical-provider.md` and `docs/nitrokeyhsm-provider.md`

Nitrokey HSM provider

- PIN resolves from systemd-creds, the config `pin` field, or the `PSI_NITROKEYHSM_PIN` env var
- CLI: `psi nitrokeyhsm preflight`, `setup-pcscd`, `init`, `store`, `test-pin`, `status`

Test plan