From 534c4bfca0256dbfe9e37a8482c02a40845c581f Mon Sep 17 00:00:00 2001 
From: "Dustin C. Hatch"
Date: Fri, 19 Jan 2024 22:08:25 -0600
Subject: [PATCH] keyserv: Deploy keyserv
`keyserv` is a little utility I wrote to dispense *age* keys to clients. It uses SSH certificates for authentication. If the client presents an SSH certificate signed by a trusted key, the server will return all the keys the principal(s) listed in the certificate are allowed to use. The response is encrypted with the public key from the certificate, so the client must have access to the corresponding private key in order to read the response. I am currently using this server to provide keys for the new configuration policy. The keys herein are used to encrypt NUT monitor passwords.
---
...7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 | 8 ++
...pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts | 8 ++
...0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz | 8 ++
...zk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20 | 8 ++
...4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd | 8 ++
...r8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq | 8 ++
...zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9 | 8 ++
...rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy | 8 ++
...94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t | 8 ++
...lj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j | 8 ++
...cg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e | 8 ++
...l5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn | 8 ++
keyserv/ingress.yaml | 21 +++++
keyserv/key-map.yml | 34 +++++++
keyserv/keyserv.yaml | 91 +++++++++++++++++++
keyserv/kustomization.yaml | 51 +++++++++++
keyserv/namespace.yaml | 7 ++
keyserv/secrets.yaml | 40 ++++++++
keyserv/trusted-ca.keys | 1 +
19 files changed, 341 insertions(+)
create mode 100644 keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
create mode 100644 keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
create mode 100644 keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
create mode 100644
keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
create mode 100644 keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
create mode 100644 keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
create mode 100644 keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
create mode 100644 keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
create mode 100644 keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
create mode 100644 keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
create mode 100644 keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
create mode 100644 keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
create mode 100644 keyserv/ingress.yaml
create mode 100644 keyserv/key-map.yml
create mode 100644 keyserv/keyserv.yaml
create mode 100644 keyserv/kustomization.yaml
create mode 100644 keyserv/namespace.yaml
create mode 100644 keyserv/secrets.yaml
create mode 100644 keyserv/trusted-ca.keys
diff --git a/keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 b/keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
new file mode 100644
index 0000000..cbac15c
--- /dev/null
+++ b/keyserv/age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSzE0NzFTZm1XbTJkS0hD
+Y0pPSmlFTmtCc0poNTJXNEdQYzJEVjJpM1RnCnRZVU80MlliaXNSaXhpVTFwc2Ft
+Z0RKSU9KZ2IweXd4bEw5SmdBZFBaK0UKLS0tIDBmcjIxSEJncHU5SmFqMy93Vi9W
+RjVrdlRveWM4cGpvSlczVjkxNENxOEkKD+F9N41P8Wh0WjD07xTehkALoRx0zMKw
+59Uhg/6YgtNjNYdCL4cVi3NdmWkyMy8DcCsPyETpUDJs2lXfJS3J3cMauoHJh+0O
+MfOBp5PJUFS9RNgJlFVytyEOIN3WTtcNTsiyuQ6fsEvQ25w=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts b/keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
new file mode 100644
index 0000000..57bc8fc
--- /dev/null
+++ b/keyserv/age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQ0NsQkUxUU44SmZWYmJT
+ZnRwQ3Q1eHBDVkFGeGtpMWdWWlBzaDI2MDBzCnlBa2R6bGZ5bGM3TGRwNVBWdzNq
+Ti9SUVNyblF1R2tpWGNvQytGNDFMZFEKLS0tIGtEWDloL2wwUTB3clBKMlRhcHhZ
+dkp4Ui9ZV0tTanh6SGVmNlpyNjRQRlUKRzAEPB2VyVOFwSrzoJOhoGf0pZ3yRVIF
+y5kaG/u/ZA1Z4v73koRcTR5m0MJwCU+xmzkwm4UAj6rZ+1F2KbDK1ruEFTuOwMGO
+BrNxD/28/mt7YQxmnJ9rL/YE895scKq9E4gqg3S0DuFmNBM=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz b/keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
new file mode 100644
index 0000000..a5d25ef
--- /dev/null
+++ b/keyserv/age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaGE2VnBGYzZJNzJRT1lJ
+VVl1bjlzRmpnaUNWb3ZrU3pqN2dENnQzYWxzCkcxMVhFMkpab0Voc2dYSHpXVlFi
+L245RXZ1Sis5RVZXZDAwUjF2SEp4NTgKLS0tIFlrOHFnMENZNEhoWU1IWG84WExJ
+SjJPbVZyaHp0blVKWlVrbXc0d3EvTjQKTPlbRWJ6GSImjja+/YfzbQ2US0z/wX+G
+y9Sw9vgmmw0g/mMFgboVwxRzseK0W/GT6u4wPAKqWnWeVQyvyxZOpLRg8NIpW/4d
+enkoFTwIe+Kp6r+aVru83WrnTnqSBrmRcC787go0XQph3c0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20 b/keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
new file mode 100644
index 0000000..fb59234
--- /dev/null
+++ b/keyserv/age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiN2Y3ck9SSjFmU2swT28w
+ckNsR2ozY3hXM3hnNWFxWHVCQUIyOERrMkE4CnNNdXU3a0dQNjd3OENRNFJ5NzlH
+WUxadzlOSHlOYlUrWkgxRzZ3OE5QZWcKLS0tIE53eGtFWXRtYzFVaWI5L3hIcy9U
+NUYyNzNQc0I5RmtnOVdsUWhLNmYraXcKAII/m6a8koWFlnQlqDiB0rAcc43V8HZf
+78cXUe+vzQf77TLwMcWsyPGuu+rExXTGy3WSdzbAsGBl0ujqUPaN1wX6wJDWERMN
+plQY+GhY99LPDsyQPwlZBJPfGukztfSqoo+aJHETsiCIbUI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd b/keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
new file mode 100644
index 0000000..cb144bb
--- /dev/null
+++ b/keyserv/age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Si80ZVRMZWw4Y0svWlYr
+alhSSWpNWndtWDUwaG4rNWN6a1lOTUN1bVVrCmloR1Q4YllPZjFMSTFNTVluaWpY
+YndzWGQxRlJZbmdjS0VmTzFFN2dWeUEKLS0tIDdiNk5RUnJDcHlmaHV2S2RHVXNV
+ZGNJbmorNWJrTG9Ia2g0V2ZsbFZUOU0Kkuvj55FNmQPTbH0wn5mnyHopcTfejATL
+ME/kXZIGaadgzVHtZ4PAgPGbReS5/vnstF851ORilptXL8UGEklOMSnI8tIG16KU
+2AFGTPx5MvasCBYbEaUnwctef5g3LZjirf1UhSNGL3bvGgI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq b/keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
new file mode 100644
index 0000000..f50f89d
--- /dev/null
+++ b/keyserv/age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZUJucVQyaEdYZzZqcjJk
+dlBxbHNVSHVWRWhUOU40RTRtbURzeDNxbUg0CkF5Q2NRbXBYazByNXZVVmNJcmtC
+TXRIYUNQekQxZ1NIalFzY0JnMm02clEKLS0tIFA3ODFZNGw2cUlub1VaNXdhNVlw
+UFF1UUxqb1E5ZHhmaTFsN2hCY0N4Q2cKF9WKoDQG81miaraLbIMmA5w+d7lkcF0m
+zLXzKHCX5E03B8DLSqLh+TlI3g/ZlfUJgznvVb/TYSQlxFpffi65Bb9TB3rz6fml
+D77Va/kPs+qCZzBqvcN0LfYiGEyPn9gyOBOJT971W6Gqo/U=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9 b/keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
new file mode 100644
index 0000000..a6cbe14
--- /dev/null
+++ b/keyserv/age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUnhtbGw1bC83THE3Z00z
+eEp2OThrL25CYmsySGRTM2cyUTB1dnFkd0ZrCjR2YVlhbjBqRVIzVkNWRnpqVXJM
+T2VrcnZ2blg3Nlo2cGtBV0hlNG1sR0EKLS0tIGYrNmZwbEdYc1RQb0gyOVpmSkhL
+WEUvSEFrQmxGWEViQ2JGTGhMMjVORVEKYTRc/T5u8fbZ4OHpY7HAOasEjDdrxxC/
+cBL1b13V+O9k6w1vRZtratQI8ycqyjPe6uvQ2sOYVjy7BJpRAgU/5VcrA/b6s5v1
+sRsq8vQjZiFMaLkJEYt40a/koza72LMyBtB7ad7UdrfAZxw=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy b/keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
new file mode 100644
index 0000000..32d6381
--- /dev/null
+++ b/keyserv/age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMG5semFWVzJPTDMwUzF3
+SWJlNTN0a3JvV2hNQTVubWo5THZtYUJuTEJBCm92TGo3SFV2bk55elBuQ2Zoa29z
+bHlSZzFVS1JhVXM0a3dXcmFXQTd4YTgKLS0tIFZwT1RmMW04bk1zQ3RZY3YzaTJo
+Y0RoN1NSN2k3MllNUE9mS2J3WDV6UmsKOS+hCecCtIvztfeXLfBowpfN9JsKVx0D
+vc2N0PWFqaRPlNXdCl+xgW5/9fTN8gBrI1dya9DReOab430bVbWaL82E0rfoHjo+
+8e7Pb0t8Y3bquJW1R/rDbg/JLBHeHu2EOKI98QHVjq/dM/Y=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t b/keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
new file mode 100644
index 0000000..c65cea9
--- /dev/null
+++ b/keyserv/age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOV3c4c3gzV3E5Z0JOUmpw
+UnZ1ZVhFN3ZreE5RMXd2dnE2bjRZVDN3NmpVClphMnBoMldxQUEvNGNSNnE5U2tu
+NnBlQ2RibzJMSWQyY0Zsc29aT09HOE0KLS0tIForVEE1UlV1UEdVRkdMYVFBSEtp
+WnM2bktxQkVyVFFlQVRFVEdlZEc4QjgKzdkFJeEPS2vN4pSWn9W1rsH9UtezgLBt
+wnN82KIA8d2FWS+qr/9Cr2s6OFMd1fsSOqaN9uZPHjoPNGkcaBKLs2JD8b1L+eVD
+GR+kl+X3VlNXRs5828yj7v5KwMUmaOPZGFnFwHXNKjuhxh4=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j b/keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
new file mode 100644
index 0000000..f7ec684
--- /dev/null
+++ b/keyserv/age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVWk1WGxLRTNPUjFHd2ox
+Vy9xZFppdzNZR0diNnJ6NE9UMXBBV1Rnb3pRCjBUVFEwNWtkUFFXY3BSbVdlY3Nr
+MlFHa2RyZ2ZlUGZrdzhuVm02UVJ6YW8KLS0tIGR1SThDSXlCOXUvUlBqbVAxN1JN
+eDkwSjJoNmlmTlREOFY0Z0V5d21mMWsKUyb6AjI0ZatJV0DSVUn2eE1uHO5alJnC
+P5BXKcOhq3yFc4ounDnAUKl+nM6rplIkIfcg9cljf4Mf59Mxwq80EB5Kk1TIOioi
+GGGnFilwhUeV122CAKiLbTI4CL9DK+8YY4upuh0QG60bSBs=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e b/keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
new file mode 100644
index 0000000..9e17dd0
--- /dev/null
+++ b/keyserv/age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ0l2T3JqbEZMdHpkOWZM
+bm0zL1p6WmhpR0doYXd3YmxtK2N5ZnRQTkVrCm1CSys1dGxMK2p4OHhiRE9YSVNM
+ckVXRUIxSDFQaUg3aXpCWk9NUEZuc0UKLS0tIEtZZkYrSHovenkwbGVBMmgvNFVW
+dnk0cGhkaFliY2kxMHh6eURBVnVodkUKhE4UGzyUCdGoXl8IW0EQeO0Ni6/OW1JO
+BkSCkzS4XGwwJv28T5WAUziP29INfwsazsBhplMcjcXln8yV35+r0FLANldjVR05
+7n253PkmUSBXdzrDvK6uguGD9Ub8WvMlNnXh6NXH9Ht2Uo8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn b/keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
new file mode 100644
index 0000000..91d3b05
--- /dev/null
+++ b/keyserv/age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4K2FSV21VM0pUOFJUYmtj +N0tSMDRwK1F2TFlHN3hpSldhMnVYRGJINVdFCmpvOEJ3QnpkTVppTnc3Mlg1c0lp +S3g3c0hoUVh2M2xhR2RJL0kvQ0RRS1UKLS0tIGlWVnk0VUhMV3A0Q0NVRURnQVlW +UFhtdGwxK1pEWnpsVW1OY1F4aDVOc00KKCDavNBbcVjWhxKPbH9575lbxCk4O6ys +Uz6MraWdJxA+UL7ow04XaLHpLV/kT6KkIWHtWtarddeY/HcmeS47qYYiEF6oZoH5 +u0gtdzBoA4MTKmB4tsLvAQyXLgo04fxVqUIDL6a9cM830Lg= +-----END AGE ENCRYPTED FILE----- diff --git a/keyserv/ingress.yaml b/keyserv/ingress.yaml new file mode 100644 index 0000000..02951ea --- /dev/null +++ b/keyserv/ingress.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: keyserv + labels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv + app.kubernetes.io/part-of: keyserv +spec: + ingressClassName: nginx + rules: + - host: keyserv.pyrocufflink.blue + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: keyserv + port: + name: keyserv diff --git a/keyserv/key-map.yml b/keyserv/key-map.yml new file mode 100644 index 0000000..66535d4 --- /dev/null +++ b/keyserv/key-map.yml 
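Review bot: The Ingress for keyserv.pyrocufflink.blue in ingress.yaml has no `spec.tls` block, so unless ingress-nginx is configured elsewhere to terminate TLS for this host and redirect plain HTTP, the SSH-certificate exchange and the key response travel in clear text and the client has nothing but DNS to tell it which server it is talking to. The age encryption described in the commit message protects the confidentiality of the returned keys, but not the certificate the client presents nor the authenticity of the endpoint. Consider adding `tls:` / `- hosts: [keyserv.pyrocufflink.blue]` / `  secretName: <tls-secret-name>` under `spec`, with the certificate issued by whatever tooling the cluster already uses for its other hosts.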
@@ -0,0 +1,34 @@ +dustin@hatch.name: +- age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts +- age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz +- age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd +- age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq +- age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9 +- age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy +- age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn +- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 + +burp1.pyrocufflink.blue: +- age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j + +gw1.pyrocufflink.blue: +- age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20 + +nut0.pyrocufflink.blue: +- age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz +- age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq +- age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn +- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 +- age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20 +- age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e +- age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t +- age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j + +nvr1.pyrocufflink.blue: +- age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 + +vmhost0.pyrocufflink.blue: +- age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e + +vmhost1.pyrocufflink.blue: +- age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t diff --git a/keyserv/keyserv.yaml b/keyserv/keyserv.yaml new file mode 100644 index 0000000..f6daad0 --- /dev/null +++ b/keyserv/keyserv.yaml 
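Review bot: `nut0.pyrocufflink.blue` in key-map.yml is mapped to every key in the file, including the ones that are otherwise exclusive to `gw1`, `burp1`, `nvr1`, `vmhost0` and `vmhost1`, so a certificate for that single principal retrieves every other host's key. That may well be intentional — the commit message says these keys protect NUT monitor passwords and nut0 looks like the NUT server — but nothing in the file records the rationale, and `age1c6swn…` and `age1fc96…` also appear under both `dustin@hatch.name` and `nut0` without explanation. A header comment such as `# SSH certificate principal -> age recipient keys it may fetch; nut0 is granted every host's key because it decrypts the NUT monitor passwords for all of them (confirm)` would make the trust relationship reviewable, and a trailing comment per key naming what it protects would make future removals safe.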
@@ -0,0 +1,91 @@ +apiVersion: v1 +kind: Service +metadata: + name: keyserv + namespace: keyserv + labels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv + app.kubernetes.io/instance: keyserv + app.kubernetes.io/part-of: keyserv +spec: + ports: + - port: 8087 + name: keyserv + selector: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv + app.kubernetes.io/instance: keyserv + type: ClusterIP + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: keyserv + labels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv +spec: + selector: + matchLabels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv + template: + metadata: + labels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv + spec: + enableServiceLinks: false + imagePullSecrets: + - name: imagepull-gitea + containers: + - name: keyserv + image: git.pyrocufflink.net/packages/keyserv + args: + - --master-key + - /run/secrets/keyserv/master.key + - --key-map + - /run/keyserv/key-map.yml + workingDir: /run/keyserv + env: + - name: RUST_LOG + value: debug + readinessProbe: &probe + httpGet: + path: / + port: 8087 + periodSeconds: 60 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + startupProbe: + <<: *probe + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 30 + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /run/keyserv + name: keyserv-config + readOnly: true + - mountPath: /run/keyserv/age-keys + name: age-keys + readOnly: true + - mountPath: /run/secrets/keyserv + name: master-key + readOnly: true + securityContext: + runAsNonRoot: true + volumes: + - name: age-keys + secret: + secretName: age-keys + - name: master-key + secret: + secretName: master-key + - name: keyserv-config + configMap: + name: keyserv-config diff --git a/keyserv/kustomization.yaml b/keyserv/kustomization.yaml new file mode 100644 index 0000000..da06303 
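Review bot: The container image `git.pyrocufflink.net/packages/keyserv` in the keyserv Deployment carries neither a tag nor a digest, so every rollout of a service that hands out decryption keys takes whatever the registry currently resolves for the default tag; pin it, e.g. `image: git.pyrocufflink.net/packages/keyserv@sha256:<image-digest>`. The container securityContext sets only `readOnlyRootFilesystem: true`; for a pod that mounts the master key, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` alongside it, plus `seccompProfile: {type: RuntimeDefault}` at pod level, cost nothing and close off the obvious escapes. `RUST_LOG: debug` on a key-dispensing service is also worth a second look: whether debug output can include request or key material depends on the keyserv code, which is not part of this change, so confirm that before leaving it at that level.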
--- /dev/null +++ b/keyserv/kustomization.yaml @@ -0,0 +1,51 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: keyserv + +labels: +- pairs: + app.kubernetes.io/instance: keyserv + includeSelectors: true +- pairs: + app.kubernetes.io/part-of: keyserv + includeSelectors: false + +resources: +- namespace.yaml +- secrets.yaml +- keyserv.yaml +- ingress.yaml + +configMapGenerator: +- name: keyserv-config + files: + - key-map.yml + - trusted-ca.keys + options: + disableNameSuffixHash: true + labels: + app.kubernetes.io/name: keyserv-config + app.kubernetes.io/component: keyserv + +secretGenerator: +- name: age-keys + files: + - age-keys/age1y4prxtunmkx0kwrtl5qkxvj0gzl8kuyp9seyptgy2rlvrqyysegq32srfn + - age-keys/age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq + - age-keys/age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz + - age-keys/age197zq0l27nwxj74d4pmpat6kqqth235mdc0ggmfm3006v0fy7advsg9ljts + - age-keys/age1ez6hv5frke4k4esk4p3nyf7y4g5mjq953t8ctk45qxnpreeerdpsrqu2dd + - age-keys/age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy + - age-keys/age1hl8dfgh938092h32zuex7xnfmqer3peg5gl6d892aarsw0s6nptq5tysu9 + - age-keys/age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7 + - age-keys/age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20 + - age-keys/age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e + - age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t + - age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j + options: + disableNameSuffixHash: true + labels: + app.kubernetes.io/name: age-keys + app.kubernetes.io/component: keyserv + diff --git a/keyserv/namespace.yaml b/keyserv/namespace.yaml new file mode 100644 index 0000000..8c055f3 --- /dev/null +++ b/keyserv/namespace.yaml 
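Review bot: `disableNameSuffixHash: true` on the `keyserv-config` generator means an edited `key-map.yml` or `trusted-ca.keys` updates the ConfigMap in place without changing its name, so the Deployment that mounts it is not rolled. If keyserv reads the trusted CA list and the key map only at startup (not visible in this change), a revoked CA key or a principal removed from the map keeps working until the pod happens to restart. Dropping the `disableNameSuffixHash: true` line for `keyserv-config` lets kustomize rewrite the volume reference to the hashed name and trigger a rollout on every change; if keyserv re-reads the files per request, a comment on the generator saying so would document why the suffix hash is unnecessary. The same consideration applies to the `age-keys` Secret generator below it.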
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: keyserv + labels: + app.kubernetes.io/name: keyserv + app.kubernetes.io/component: keyserv diff --git a/keyserv/secrets.yaml b/keyserv/secrets.yaml new file mode 100644 index 0000000..e1b581c --- /dev/null +++ b/keyserv/secrets.yaml 
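Review bot: The Namespace in namespace.yaml carries only app labels; since this namespace holds the master key, labelling it with `pod-security.kubernetes.io/enforce: restricted` would have the cluster enforce the non-root, read-only posture the Deployment already opts into for anything else that lands there. The keyserv container as written lacks `allowPrivilegeEscalation: false`, a dropped capability set and a seccomp profile, which the restricted profile requires, so add those to the Deployment first or start with `pod-security.kubernetes.io/warn: restricted` to see what the admission controller would reject.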
@@ -0,0 +1,40 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: master-key + namespace: keyserv + labels: + app.kubernetes.io/name: master-key + app.kubernetes.io/component: keyserv +spec: + encryptedData: + master.key: AgCrvNy66S678+UMafy43yGwXkDixZMJqk9RSe9+bLVUjXuzF0+O8Xk80Ral00tB9MyICo35G5bY/UQH3vJ8n6uex+JQFShBrzWSpdbPuczVHG9EX6eDmO502y5imfj+wPadaAYsTs0Ppjc+opmJWR+gmqCs9EcW8gTUjTqqingRN5wUrZ2eqaWAocRxQQyN4jiwmmPH2AFbvy7X3MKwe3gleBUlHnEQHqHMCmO+EOAkTuuxh67O4BxNu4AvFYsnrvp8nwSUt838pZRHrwiBAAD7C7t5ZwSdAnGbTETGkf4oRW5geJjvXczJy+u+o06QT232GVswU1dzCndJ2BZfBeamvFMvzcoNqtFhRuT3viDhvCGr49u5AxU1vJ4LA9T6iHLZfy0fPp/XofqvKVrHJbltAWaoqcZk9pDDEiQJgq/ygdaXtrQEOFW+LwNBpRM+cUkRcpxoSF12D709tHJEz9+tB+146WA3+ErYz18KoLXc8kPnCTbu/trQDSohE81Q/EF2I8Prrk8nb4LiqD7CUww08aCFDumep51HV/kydhMfqdkUNe22MReWyDo4Xnkws+l24ZoZFnvdFO/T0s9sGOc4eMStXiFZr5STkegSSCM+jGtOMgxE7886foXXO8HOPgydisTLApATNFw/aRpLvfpWhfiNECN1h27Sr1nErOlkcl1SlwpfYDEYdsGiDMM6GTkvwAa1wvVSxSeHvSaIHxPgnXvpzWMUL7plaLo5cO+c9cSjNDAxjvhX8IXlmhW2zozv/AEbOh8nQTemkTntCL/cvFJs77Iq29uviy42aNsyVxiIcWuftbiAL08Lh7x5GaOoDnauyAx35Fdy2NGN/LvZQcAkk4NQkcaZZhilcPduvpmmA1qkMDRkn2KjZpMwDmKCEF9tc+i1ADy738DsKilNrlRYXWKUGX3NmAJicO8ImFxPlRnSjYpydEwtW2Y= + template: + metadata: + name: master-key + namespace: keyserv + labels: + app.kubernetes.io/name: master-key + app.kubernetes.io/component: keyserv + +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: imagepull-gitea + namespace: keyserv + labels: + app.kubernetes.io/name: imagepull-gitea + app.kubernetes.io/component: keyserv +spec: + encryptedData: + .dockerconfigjson: 
AgBykHWcNtLBQCYq66qF+u3Y/d4e9z4dA5qkNkNNHgirwb+Vz05EkZWP62Tto1J4sWgaoMI0q9jw9jF/9/rE9qfsmKzPOWLmBEnkwFWzDmw8sRUf7W0IUWGtioLYQR+Bb3a62L7nGUjB40rfdiyfcCI1KIWVioWCrOOuJlvEiJeP4HEx/lF8Pb3M/yK13JmnZVwdp4j/J9r7WAg5r72MeLCb4rrIdM3OQ1cBEEbb3STBny8WTtjAkK0JgB54RImCv6MHT6VN2+aH0d688eHzk3ms8tOLOxC6fBSCVnuoqoK/MUXnC8AexPVAHFbHY6z99+euly0PoL3rVG7t0TlOpDbK84vqFL0GvSILz3+dTngWY5WF7wNtded/TqnTY1YB8MlTnKDn3lLv7IRkFa7MaOjlZwbGiU5ujQYv7cLqQ1yaT8uxMjrTZh399Y8isahfn82qG5sU4cJzQGXVzNCYu+lqvy/NJqEb9BE5glC1/ENfIHL+Z1aNQGeNsMuGBmoKhna/QAqn9dcL9iaG9iPV324IxBDscXTaUdQ/Li7mOhWnZadGfRKdq8DpMDqTDAHLVreILrbUWukQ1bRwznwAxTPK17BDrlizdSKPtQnmeeWurnRWcHPn7nT/tcL0h0dPbMC5J/ghgG71KqHrCeP670ffLb0ryiJhS2hJsVcDubCAfEdrUjdCL0dhsr9b35e99i+maOM58FBplb4Glm1LGaQrihGNSFedyhM9kpy3ALW6P4c1P+BysOfbmxlXYn95DezID+vYaY70sAxLx7ywY1pGL9oP7NmWjcHBqdjJpaG64jkGKAkQR3j0l1hZzaMbACIYercjhIBd3v4rqNd3Y0quJ74P0aMcZ735uVLTml7X09odOBJ7/hHHEyZ40lid5J4y4MOVkiOpXk9mwL7atSD0wOkv7VXhG15/MHOTOCPRnDG8tHPkbQwbhkpqMUY6MWF2kTTxnObD3iI7FEuK8uH/BXaRB4IHgEyGvKbVN2FKBGIqKRkiMy+P1IDG6vs= + template: + metadata: + name: imagepull-gitea + namespace: keyserv + labels: + app.kubernetes.io/name: imagepull-gitea + app.kubernetes.io/component: keyserv + type: kubernetes.io/dockerconfigjson diff --git a/keyserv/trusted-ca.keys b/keyserv/trusted-ca.keys new file mode 100644 index 0000000..d47d026 --- /dev/null +++ b/keyserv/trusted-ca.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
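Review bot: The single trusted CA line in trusted-ca.keys has no trailing comment, so nothing in the repository records which CA this is, where its signing key lives or when it was issued — which matters most at rotation time, when a second line is added and the old one has to be identified for removal. Public-key lines in this format conventionally accept a trailing comment; if keyserv's parser tolerates one (its code is not part of this change), append something like `ssh-ed25519 AAAAC3Nz… keyserv-ca@<signing-host> issued <YYYY-MM-DD>`. If it does not, put the same information in a README next to the file.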