keyserv: Deploy keyserv

`keyserv` is a little utility I wrote to dispense *age* keys to clients. It uses SSH certificates for authentication. If the client presents an SSH certificate signed by a trusted key, the server will return all the keys the principal(s) listed in the certificate are allowed to use. The response is encrypted with the public key from the certificate, so the client must have access to the corresponding private key in order to read the response. I am currently using this server to provide keys for the new configuration policy. The keys herein are used to encrypt NUT monitor passwords.
2024-01-19 22:08:25 -06:00 · 2024-01-19 22:08:25 -06:00 · 534c4bfca0
parent 897923a172
commit 534c4bfca0
19 changed files with 341 additions and 0 deletions
--- a/keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
+++ b/keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSzE0NzFTZm1XbTJkS0hD
+Y0pPSmlFTmtCc0poNTJXNEdQYzJEVjJpM1RnCnRZVU80MlliaXNSaXhpVTFwc2Ft
+Z0RKSU9KZ2IweXd4bEw5SmdBZFBaK0UKLS0tIDBmcjIxSEJncHU5SmFqMy93Vi9W
+RjVrdlRveWM4cGpvSlczVjkxNENxOEkKD+F9N41P8Wh0WjD07xTehkALoRx0zMKw
+59Uhg/6YgtNjNYdCL4cVi3NdmWkyMy8DcCsPyETpUDJs2lXfJS3J3cMauoHJh+0O
+MfOBp5PJUFS9RNgJlFVytyEOIN3WTtcNTsiyuQ6fsEvQ25w=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
+++ b/keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQ0NsQkUxUU44SmZWYmJT
+ZnRwQ3Q1eHBDVkFGeGtpMWdWWlBzaDI2MDBzCnlBa2R6bGZ5bGM3TGRwNVBWdzNq
+Ti9SUVNyblF1R2tpWGNvQytGNDFMZFEKLS0tIGtEWDloL2wwUTB3clBKMlRhcHhZ
+dkp4Ui9ZV0tTanh6SGVmNlpyNjRQRlUKRzAEPB2VyVOFwSrzoJOhoGf0pZ3yRVIF
+y5kaG/u/ZA1Z4v73koRcTR5m0MJwCU+xmzkwm4UAj6rZ+1F2KbDK1ruEFTuOwMGO
+BrNxD/28/mt7YQxmnJ9rL/YE895scKq9E4gqg3S0DuFmNBM=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
+++ b/keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaGE2VnBGYzZJNzJRT1lJ
+VVl1bjlzRmpnaUNWb3ZrU3pqN2dENnQzYWxzCkcxMVhFMkpab0Voc2dYSHpXVlFi
+L245RXZ1Sis5RVZXZDAwUjF2SEp4NTgKLS0tIFlrOHFnMENZNEhoWU1IWG84WExJ
+SjJPbVZyaHp0blVKWlVrbXc0d3EvTjQKTPlbRWJ6GSImjja+/YfzbQ2US0z/wX+G
+y9Sw9vgmmw0g/mMFgboVwxRzseK0W/GT6u4wPAKqWnWeVQyvyxZOpLRg8NIpW/4d
+enkoFTwIe+Kp6r+aVru83WrnTnqSBrmRcC787go0XQph3c0=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
+++ b/keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiN2Y3ck9SSjFmU2swT28w
+ckNsR2ozY3hXM3hnNWFxWHVCQUIyOERrMkE4CnNNdXU3a0dQNjd3OENRNFJ5NzlH
+WUxadzlOSHlOYlUrWkgxRzZ3OE5QZWcKLS0tIE53eGtFWXRtYzFVaWI5L3hIcy9U
+NUYyNzNQc0I5RmtnOVdsUWhLNmYraXcKAII/m6a8koWFlnQlqDiB0rAcc43V8HZf
+78cXUe+vzQf77TLwMcWsyPGuu+rExXTGy3WSdzbAsGBl0ujqUPaN1wX6wJDWERMN
+plQY+GhY99LPDsyQPwlZBJPfGukztfSqoo+aJHETsiCIbUI=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
+++ b/keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Si80ZVRMZWw4Y0svWlYr
+alhSSWpNWndtWDUwaG4rNWN6a1lOTUN1bVVrCmloR1Q4YllPZjFMSTFNTVluaWpY
+YndzWGQxRlJZbmdjS0VmTzFFN2dWeUEKLS0tIDdiNk5RUnJDcHlmaHV2S2RHVXNV
+ZGNJbmorNWJrTG9Ia2g0V2ZsbFZUOU0Kkuvj55FNmQPTbH0wn5mnyHopcTfejATL
+ME/kXZIGaadgzVHtZ4PAgPGbReS5/vnstF851ORilptXL8UGEklOMSnI8tIG16KU
+2AFGTPx5MvasCBYbEaUnwctef5g3LZjirf1UhSNGL3bvGgI=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
+++ b/keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZUJucVQyaEdYZzZqcjJk
+dlBxbHNVSHVWRWhUOU40RTRtbURzeDNxbUg0CkF5Q2NRbXBYazByNXZVVmNJcmtC
+TXRIYUNQekQxZ1NIalFzY0JnMm02clEKLS0tIFA3ODFZNGw2cUlub1VaNXdhNVlw
+UFF1UUxqb1E5ZHhmaTFsN2hCY0N4Q2cKF9WKoDQG81miaraLbIMmA5w+d7lkcF0m
+zLXzKHCX5E03B8DLSqLh+TlI3g/ZlfUJgznvVb/TYSQlxFpffi65Bb9TB3rz6fml
+D77Va/kPs+qCZzBqvcN0LfYiGEyPn9gyOBOJT971W6Gqo/U=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
+++ b/keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUnhtbGw1bC83THE3Z00z
+eEp2OThrL25CYmsySGRTM2cyUTB1dnFkd0ZrCjR2YVlhbjBqRVIzVkNWRnpqVXJM
+T2VrcnZ2blg3Nlo2cGtBV0hlNG1sR0EKLS0tIGYrNmZwbEdYc1RQb0gyOVpmSkhL
+WEUvSEFrQmxGWEViQ2JGTGhMMjVORVEKYTRc/T5u8fbZ4OHpY7HAOasEjDdrxxC/
+cBL1b13V+O9k6w1vRZtratQI8ycqyjPe6uvQ2sOYVjy7BJpRAgU/5VcrA/b6s5v1
+sRsq8vQjZiFMaLkJEYt40a/koza72LMyBtB7ad7UdrfAZxw=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
+++ b/keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMG5semFWVzJPTDMwUzF3
+SWJlNTN0a3JvV2hNQTVubWo5THZtYUJuTEJBCm92TGo3SFV2bk55elBuQ2Zoa29z
+bHlSZzFVS1JhVXM0a3dXcmFXQTd4YTgKLS0tIFZwT1RmMW04bk1zQ3RZY3YzaTJo
+Y0RoN1NSN2k3MllNUE9mS2J3WDV6UmsKOS+hCecCtIvztfeXLfBowpfN9JsKVx0D
+vc2N0PWFqaRPlNXdCl+xgW5/9fTN8gBrI1dya9DReOab430bVbWaL82E0rfoHjo+
+8e7Pb0t8Y3bquJW1R/rDbg/JLBHeHu2EOKI98QHVjq/dM/Y=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
+++ b/keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOV3c4c3gzV3E5Z0JOUmpw
+UnZ1ZVhFN3ZreE5RMXd2dnE2bjRZVDN3NmpVClphMnBoMldxQUEvNGNSNnE5U2tu
+NnBlQ2RibzJMSWQyY0Zsc29aT09HOE0KLS0tIForVEE1UlV1UEdVRkdMYVFBSEtp
+WnM2bktxQkVyVFFlQVRFVEdlZEc4QjgKzdkFJeEPS2vN4pSWn9W1rsH9UtezgLBt
+wnN82KIA8d2FWS+qr/9Cr2s6OFMd1fsSOqaN9uZPHjoPNGkcaBKLs2JD8b1L+eVD
+GR+kl+X3VlNXRs5828yj7v5KwMUmaOPZGFnFwHXNKjuhxh4=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
+++ b/keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVWk1WGxLRTNPUjFHd2ox
+Vy9xZFppdzNZR0diNnJ6NE9UMXBBV1Rnb3pRCjBUVFEwNWtkUFFXY3BSbVdlY3Nr
+MlFHa2RyZ2ZlUGZrdzhuVm02UVJ6YW8KLS0tIGR1SThDSXlCOXUvUlBqbVAxN1JN
+eDkwSjJoNmlmTlREOFY0Z0V5d21mMWsKUyb6AjI0ZatJV0DSVUn2eE1uHO5alJnC
+P5BXKcOhq3yFc4ounDnAUKl+nM6rplIkIfcg9cljf4Mf59Mxwq80EB5Kk1TIOioi
+GGGnFilwhUeV122CAKiLbTI4CL9DK+8YY4upuh0QG60bSBs=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
+++ b/keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ0l2T3JqbEZMdHpkOWZM
+bm0zL1p6WmhpR0doYXd3YmxtK2N5ZnRQTkVrCm1CSys1dGxMK2p4OHhiRE9YSVNM
+ckVXRUIxSDFQaUg3aXpCWk9NUEZuc0UKLS0tIEtZZkYrSHovenkwbGVBMmgvNFVW
+dnk0cGhkaFliY2kxMHh6eURBVnVodkUKhE4UGzyUCdGoXl8IW0EQeO0Ni6/OW1JO
+BkSCkzS4XGwwJv28T5WAUziP29INfwsazsBhplMcjcXln8yV35+r0FLANldjVR05
+7n253PkmUSBXdzrDvK6uguGD9Ub8WvMlNnXh6NXH9Ht2Uo8=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
+++ b/keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4K2FSV21VM0pUOFJUYmtj
+N0tSMDRwK1F2TFlHN3hpSldhMnVYRGJINVdFCmpvOEJ3QnpkTVppTnc3Mlg1c0lp
+S3g3c0hoUVh2M2xhR2RJL0kvQ0RRS1UKLS0tIGlWVnk0VUhMV3A0Q0NVRURnQVlW
+UFhtdGwxK1pEWnpsVW1OY1F4aDVOc00KKCDavNBbcVjWhxKPbH9575lbxCk4O6ys
+Uz6MraWdJxA+UL7ow04XaLHpLV/kT6KkIWHtWtarddeY/HcmeS47qYYiEF6oZoH5
+u0gtdzBoA4MTKmB4tsLvAQyXLgo04fxVqUIDL6a9cM830Lg=
+-----END AGE ENCRYPTED FILE-----
--- a/keyserv/ingress.yaml
+++ b/keyserv/ingress.yaml
@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keyserv
+  labels:
+    app.kubernetes.io/name: keyserv
+    app.kubernetes.io/component: keyserv
+    app.kubernetes.io/part-of: keyserv
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: keyserv.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: keyserv
+            port:
+              name: keyserv
--- a/keyserv/key-map.yml
+++ b/keyserv/key-map.yml
@ -0,0 +1,34 @@
+dustin@hatch.name:
+- age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
+- age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
+- age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
+- age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
+- age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
+- age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
+- age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
+- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
+
+burp1.pyrocufflink.blue:
+- age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
+
+gw1.pyrocufflink.blue:
+- age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
+
+nut0.pyrocufflink.blue:
+- age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
+- age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
+- age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
+- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
+- age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
+- age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
+- age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
+- age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
+
+nvr1.pyrocufflink.blue:
+- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
+
+vmhost0.pyrocufflink.blue:
+- age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
+
+vmhost1.pyrocufflink.blue:
+- age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
--- a/keyserv/keyserv.yaml
+++ b/keyserv/keyserv.yaml
@ -0,0 +1,91 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keyserv
+  namespace: keyserv
+  labels:
+    app.kubernetes.io/name: keyserv
+    app.kubernetes.io/component: keyserv
+    app.kubernetes.io/instance: keyserv
+    app.kubernetes.io/part-of: keyserv
+spec:
+  ports:
+  - port: 8087
+    name: keyserv
+  selector:
+    app.kubernetes.io/name: keyserv
+    app.kubernetes.io/component: keyserv
+    app.kubernetes.io/instance: keyserv
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keyserv
+  labels:
+    app.kubernetes.io/name: keyserv
+    app.kubernetes.io/component: keyserv
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: keyserv
+      app.kubernetes.io/component: keyserv
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: keyserv
+        app.kubernetes.io/component: keyserv
+    spec:
+      enableServiceLinks: false
+      imagePullSecrets:
+      - name: imagepull-gitea
+      containers:
+      - name: keyserv
+        image: git.pyrocufflink.net/packages/keyserv
+        args:
+        - --master-key
+        - /run/secrets/keyserv/master.key
+        - --key-map
+        - /run/keyserv/key-map.yml
+        workingDir: /run/keyserv
+        env:
+        - name: RUST_LOG
+          value: debug
+        readinessProbe: &probe
+          httpGet:
+            path: /
+            port: 8087
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/keyserv
+          name: keyserv-config
+          readOnly: true
+        - mountPath: /run/keyserv/age-keys
+          name: age-keys
+          readOnly: true
+        - mountPath: /run/secrets/keyserv
+          name: master-key
+          readOnly: true
+      securityContext:
+        runAsNonRoot: true
+      volumes:
+      - name: age-keys
+        secret:
+          secretName: age-keys
+      - name: master-key
+        secret:
+          secretName: master-key
+      - name: keyserv-config
+        configMap:
+          name: keyserv-config
--- a/keyserv/kustomization.yaml
+++ b/keyserv/kustomization.yaml
@ -0,0 +1,51 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: keyserv
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: keyserv
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: keyserv
+  includeSelectors: false
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- keyserv.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: keyserv-config
+  files:
+  - key-map.yml
+  - trusted-ca.keys
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: keyserv-config
+      app.kubernetes.io/component: keyserv
+
+secretGenerator:
+- name: age-keys
+  files:
+  - age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
+  - age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
+  - age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
+  - age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
+  - age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
+  - age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
+  - age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
+  - age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
+  - age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
+  - age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
+  - age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
+  - age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: age-keys
+      app.kubernetes.io/component: keyserv
+
--- a/keyserv/namespace.yaml
+++ b/keyserv/namespace.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keyserv
+  labels:
+    app.kubernetes.io/name: keyserv
+    app.kubernetes.io/component: keyserv
--- a/keyserv/secrets.yaml
+++ b/keyserv/secrets.yaml
@ -0,0 +1,40 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: master-key
+  namespace: keyserv
+  labels:
+    app.kubernetes.io/name: master-key
+    app.kubernetes.io/component: keyserv
+spec:
+  encryptedData:
+    master.key: AgCrvNy66S678+UMafy43yGwXkDixZMJqk9RSe9+bLVUjXuzF0+O8Xk80Ral00tB9MyICo35G5bY/UQH3vJ8n6uex+JQFShBrzWSpdbPuczVHG9EX6eDmO502y5imfj+wPadaAYsTs0Ppjc+opmJWR+gmqCs9EcW8gTUjTqqingRN5wUrZ2eqaWAocRxQQyN4jiwmmPH2AFbvy7X3MKwe3gleBUlHnEQHqHMCmO+EOAkTuuxh67O4BxNu4AvFYsnrvp8nwSUt838pZRHrwiBAAD7C7t5ZwSdAnGbTETGkf4oRW5geJjvXczJy+u+o06QT232GVswU1dzCndJ2BZfBeamvFMvzcoNqtFhRuT3viDhvCGr49u5AxU1vJ4LA9T6iHLZfy0fPp/XofqvKVrHJbltAWaoqcZk9pDDEiQJgq/ygdaXtrQEOFW+LwNBpRM+cUkRcpxoSF12D709tHJEz9+tB+146WA3+ErYz18KoLXc8kPnCTbu/trQDSohE81Q/EF2I8Prrk8nb4LiqD7CUww08aCFDumep51HV/kydhMfqdkUNe22MReWyDo4Xnkws+l24ZoZFnvdFO/T0s9sGOc4eMStXiFZr5STkegSSCM+jGtOMgxE7886foXXO8HOPgydisTLApATNFw/aRpLvfpWhfiNECN1h27Sr1nErOlkcl1SlwpfYDEYdsGiDMM6GTkvwAa1wvVSxSeHvSaIHxPgnXvpzWMUL7plaLo5cO+c9cSjNDAxjvhX8IXlmhW2zozv/AEbOh8nQTemkTntCL/cvFJs77Iq29uviy42aNsyVxiIcWuftbiAL08Lh7x5GaOoDnauyAx35Fdy2NGN/LvZQcAkk4NQkcaZZhilcPduvpmmA1qkMDRkn2KjZpMwDmKCEF9tc+i1ADy738DsKilNrlRYXWKUGX3NmAJicO8ImFxPlRnSjYpydEwtW2Y=
+  template:
+    metadata:
+      name: master-key
+      namespace: keyserv
+      labels:
+        app.kubernetes.io/name: master-key
+        app.kubernetes.io/component: keyserv
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: keyserv
+  labels:
+    app.kubernetes.io/name: imagepull-gitea
+    app.kubernetes.io/component: keyserv
+spec:
+  encryptedData:
+    .dockerconfigjson: AgBykHWcNtLBQCYq66qF+u3Y/d4e9z4dA5qkNkNNHgirwb+Vz05EkZWP62Tto1J4sWgaoMI0q9jw9jF/9/rE9qfsmKzPOWLmBEnkwFWzDmw8sRUf7W0IUWGtioLYQR+Bb3a62L7nGUjB40rfdiyfcCI1KIWVioWCrOOuJlvEiJeP4HEx/lF8Pb3M/yK13JmnZVwdp4j/J9r7WAg5r72MeLCb4rrIdM3OQ1cBEEbb3STBny8WTtjAkK0JgB54RImCv6MHT6VN2+aH0d688eHzk3ms8tOLOxC6fBSCVnuoqoK/MUXnC8AexPVAHFbHY6z99+euly0PoL3rVG7t0TlOpDbK84vqFL0GvSILz3+dTngWY5WF7wNtded/TqnTY1YB8MlTnKDn3lLv7IRkFa7MaOjlZwbGiU5ujQYv7cLqQ1yaT8uxMjrTZh399Y8isahfn82qG5sU4cJzQGXVzNCYu+lqvy/NJqEb9BE5glC1/ENfIHL+Z1aNQGeNsMuGBmoKhna/QAqn9dcL9iaG9iPV324IxBDscXTaUdQ/Li7mOhWnZadGfRKdq8DpMDqTDAHLVreILrbUWukQ1bRwznwAxTPK17BDrlizdSKPtQnmeeWurnRWcHPn7nT/tcL0h0dPbMC5J/ghgG71KqHrCeP670ffLb0ryiJhS2hJsVcDubCAfEdrUjdCL0dhsr9b35e99i+maOM58FBplb4Glm1LGaQrihGNSFedyhM9kpy3ALW6P4c1P+BysOfbmxlXYn95DezID+vYaY70sAxLx7ywY1pGL9oP7NmWjcHBqdjJpaG64jkGKAkQR3j0l1hZzaMbACIYercjhIBd3v4rqNd3Y0quJ74P0aMcZ735uVLTml7X09odOBJ7/hHHEyZ40lid5J4y4MOVkiOpXk9mwL7atSD0wOkv7VXhG15/MHOTOCPRnDG8tHPkbQwbhkpqMUY6MWF2kTTxnObD3iI7FEuK8uH/BXaRB4IHgEyGvKbVN2FKBGIqKRkiMy+P1IDG6vs=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: keyserv
+      labels:
+        app.kubernetes.io/name: imagepull-gitea
+        app.kubernetes.io/component: keyserv
+    type: kubernetes.io/dockerconfigjson
--- a/keyserv/trusted-ca.keys
+++ b/keyserv/trusted-ca.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t`