This step defines the OpenShift Deployment for deploying NGINX pods integrated with the Utimaco SecurityServer HSM.
The deployment uses a two-container structure:
- An init container (utimaco-init) that copies the required Utimaco PKCS#11 library and tools into a shared volume.
- The main application container (nginx-app), which runs NGINX configured to use the HSM for SSL/TLS operations via the PKCS#11 interface.
The deployment also mounts the previously created ConfigMaps (Utimaco and NGINX) and the Secret (generated by the Key Generation Job), enabling full integration between OpenShift workloads and the HSM.
Ensure that the ssl-cert secret has already been created by the Key Generation Job before applying this deployment (refer to Verify Secret Creation).
- Create a file named deploy.yaml in the path /home/admin/hsm-build/.
- Paste the contents provided below and save the file.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securityserver
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      volumes:
        # Shared library between initContainers and main app
        - name: pkcs11-shared-libs
          emptyDir: {}
        # Utimaco + OpenSSL configuration
        - name: utimaco-cfg-volume
          configMap:
            name: utimaco-config
        # NGINX configuration
        - name: nginx-cfg-volume
          configMap:
            name: nginx-config
        # Shared Secret created by Job (contains SSL.cert)
        - name: cert-volume
          secret:
            secretName: ssl-cert
        - name: utimaco-logs
          emptyDir: {}
      # --- INIT CONTAINERS ---
      initContainers:
        - name: utimaco-init
          image: <docker_username>/utimaco-sidecar:1
          command: ["/bin/sh", "-c"]
          args:
            - |
              echo "Copying Utimaco libraries and tools..."
              mkdir -p /shared/lib /shared/bin
              cp /opt/utimaco/lib/libcs_pkcs11_R3.so /shared/lib/
              cp /opt/utimaco/bin/* /shared/bin/
              echo "Libraries and tools are ready."
          volumeMounts:
            - name: pkcs11-shared-libs
              mountPath: /shared
        # Wait for the certificate before the main container starts.
        # Kubernetes defines no preStart lifecycle hook (only postStart and
        # preStop exist), so the wait runs as a second init container.
        - name: wait-for-cert
          image: <docker_username>/nginx:1
          command: ["/bin/sh", "-c"]
          args:
            - |
              echo "Waiting for SSL certificate..."
              while [ ! -f /etc/ssl/certs/SSL.cert ] && [ ! -f /etc/ssl/certs/tls.crt ]; do
                sleep 2
              done
              echo "Certificate ready. Starting NGINX."
          volumeMounts:
            - name: cert-volume
              mountPath: /etc/ssl/certs
              readOnly: true
      # --- MAIN CONTAINER ---
      containers:
        - name: nginx-app
          image: <docker_username>/nginx:1
          ports:
            - containerPort: 443
          env:
            - name: PKCS11_CONFIG
              value: /etc/utimaco/cs_pkcs11_R3.cfg
            - name: PKCS11_MODULE
              value: /opt/utimaco/lib/libcs_pkcs11_R3.so
            - name: PATH
              value: "/opt/utimaco/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          volumeMounts:
            # Shared Utimaco library from init container
            - name: pkcs11-shared-libs
              mountPath: /opt/utimaco/lib
              subPath: lib
              readOnly: true
            - name: pkcs11-shared-libs
              mountPath: /opt/utimaco/bin
              subPath: bin
              readOnly: true
            # Mount OpenSSL configuration from ConfigMap
            - name: utimaco-cfg-volume
              mountPath: /etc/pki/tls/openssl.cnf
              subPath: openssl.cnf
            # Mount Utimaco PKCS#11 config from ConfigMap
            - name: utimaco-cfg-volume
              mountPath: /etc/utimaco/cs_pkcs11_R3.cfg
              subPath: cs_pkcs11_R3.cfg
            # Mount NGINX configuration
            - name: nginx-cfg-volume
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            # Mount shared certificate (Secret from Job)
            - name: cert-volume
              mountPath: /etc/ssl/certs
              readOnly: true
            - name: utimaco-logs
              mountPath: /var/log/utimaco
```
Replace <docker_username> with your actual Docker Hub username for the images you built and pushed to your repository.
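Before applying, it is worth checking the manifest for the mistakes that most often break this kind of HSM-backed deployment: a placeholder left in an image reference, a lifecycle hook name Kubernetes does not define (only postStart and preStop exist), a mount that names no volume, and a Secret mounted writable. The following is an added example (not code from the page or from Utimaco); it takes the Deployment as a Python dict (load deploy.yaml with yaml.safe_load from PyYAML to obtain one), and the sample manifest is a constructed, trimmed copy of the shape shown above.

```python
VALID_HOOKS = {"postStart", "preStop"}   # the only hook names Kubernetes defines

def check_deployment(manifest):
    """Return a list of findings for a Deployment dict; empty means it passed."""
    findings = []
    spec = manifest["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    secret_vols = {n for n, v in volumes.items() if "secret" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        # Image references must not carry the <docker_username> placeholder.
        if "<" in c["image"] or ">" in c["image"]:
            findings.append(f"{c['name']}: image still contains a placeholder")
        # Unknown hook names are rejected by the API server under strict
        # field validation, so catch them before the apply fails.
        for hook in c.get("lifecycle", {}):
            if hook not in VALID_HOOKS:
                findings.append(f"{c['name']}: unknown lifecycle hook {hook}")
        for m in c.get("volumeMounts", []):
            if m["name"] not in volumes:
                findings.append(f"{c['name']}: mount {m['name']} has no volume")
            elif m["name"] in secret_vols and not m.get("readOnly"):
                findings.append(f"{c['name']}: Secret {m['name']} mounted writable")
    return findings

# Constructed sample shaped like the page's Deployment, seeded with three
# defects: a leftover placeholder, a made-up hook name, and a writable Secret.
SAMPLE = {"spec": {"template": {"spec": {
    "volumes": [
        {"name": "pkcs11-shared-libs", "emptyDir": {}},
        {"name": "cert-volume", "secret": {"secretName": "ssl-cert"}},
        {"name": "utimaco-logs", "emptyDir": {}},
    ],
    "initContainers": [{
        "name": "utimaco-init", "image": "<docker_username>/utimaco-sidecar:1",
        "volumeMounts": [{"name": "pkcs11-shared-libs", "mountPath": "/shared"}],
    }],
    "containers": [{
        "name": "nginx-app", "image": "example.invalid/nginx:1",
        "lifecycle": {"preStart": {"exec": {"command": ["/bin/sh", "-c", "true"]}}},
        "volumeMounts": [
            {"name": "cert-volume", "mountPath": "/etc/ssl/certs"},
            {"name": "utimaco-logs", "mountPath": "/var/log/utimaco"},
        ],
    }],
}}}}

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE):
        print("FAIL:", finding)
```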
- Apply the deployment.
- Verify the deployment.