{"id":18834041,"url":"https://github.com/jetstack/ingress-yubikey","last_synced_at":"2026-04-25T21:31:57.961Z","repository":{"id":52718867,"uuid":"315585284","full_name":"jetstack/ingress-yubikey","owner":"jetstack","description":"Experimental Kubernetes Ingress Controller using a Yubikey for an HSM","archived":false,"fork":false,"pushed_at":"2020-11-24T16:44:08.000Z","size":75,"stargazers_count":2,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-29T17:53:37.384Z","etag":null,"topics":["hsm","ingress","ingress-controller","kubernetes","yubikey"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-24T09:42:57.000Z","updated_at":"2023-06-05T18:47:24.000Z","dependencies_parsed_at":"2022-08-22T11:21:01.237Z","dependency_job_id":null,"html_url":"https://github.com/jetstack/ingress-yubikey","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jetstack/ingress-yubikey","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fingress-yubikey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fingress-yubikey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fingress-yubikey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fingress-yubikey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codel
oad.github.com/jetstack/ingress-yubikey/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fingress-yubikey/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32278249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T18:29:39.964Z","status":"ssl_error","status_checked_at":"2026-04-25T18:29:32.149Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hsm","ingress","ingress-controller","kubernetes","yubikey"],"created_at":"2024-11-08T02:06:45.059Z","updated_at":"2026-04-25T21:31:57.945Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## ingress-yubikey\n\nThis is a proof-of-concept **highly experimental!**\n[Kubernetes Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)\nthat terminates TLS using a certificate and key from the PIV smartcard applet\non a YubiKey. This addresses a common complaint that Kubernetes Ingress\ncontrollers have cluster-wide access to secrets in order to retrieve \nTLS private keys. 
With a hardware-backed key, the private key never exists\nin application memory.\n\n### Usage\n\nCheck that you have a working YubiKey before deploying:\n\n```shell\n./ingress-yubikey validate\n```\n\nIf not, you can set up the PIV applet like so:\n\n```shell\nykman piv reset\nykman piv generate-key -m 010203040506070801020304050607080102030405060708 -P 123456 -a ECCP256 --pin-policy NEVER --touch-policy NEVER 9c 9c.pub\nykman piv generate-csr -s your-hostname.com 9c 9c.pub 9c.csr\n# Sign the CSR, even with a publicly trusted CA!\nykman piv import-certificate 9c 9c.pem\n```\n\n`ingress-yubikey` watches for `networking.k8s.io/v1` Ingress objects\nwith their Ingress Class set to `ingress-yubikey`. As the only goal is\nto terminate TLS, path rules are ignored, but TLS hosts are matched\nby parsing SNI.\n\nFor now, ingress-yubikey always uses the Digital Signature certificate\nin slot 9c. Insert an appropriately prepared YubiKey and run the ingress\ncontroller using the manifest in `./deploy` as a guide. Volume mount\nthe smartcard device appropriately.\n\n#### PIN-protected keys\n\nAgain, for now, the PIN for accessing the signing key can be provided with\nthe flag `--smartcard-pin` or the environment variable\n`INGRESS_YUBIKEY_SMARTCARD_PIN`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fingress-yubikey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fingress-yubikey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fingress-yubikey/lists"}