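---
# keyserv: a ClusterIP Service and the Deployment behind it.
# The container reads a master key and age keys from Secret volumes and a
# key map from a ConfigMap volume; all three are mounted read-only.
apiVersion: v1
kind: Service
metadata:
  name: keyserv
  namespace: keyserv
  labels:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
    app.kubernetes.io/instance: keyserv
    app.kubernetes.io/part-of: keyserv
spec:
  # ClusterIP keeps the key service reachable only from inside the cluster.
  type: ClusterIP
  ports:
    # targetPort is omitted, so it defaults to the same value as port.
    - name: keyserv
      port: 8087
  # Pods must carry all three labels to receive traffic from this Service.
  selector:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
    app.kubernetes.io/instance: keyserv
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keyserv
  # Stated explicitly to match the Service; the Secrets and ConfigMap
  # referenced below must live in this same namespace.
  namespace: keyserv
  labels:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
spec:
  selector:
    # Left as-is: matchLabels is immutable on an existing Deployment.
    matchLabels:
      app.kubernetes.io/name: keyserv
      app.kubernetes.io/component: keyserv
  template:
    metadata:
      labels:
        app.kubernetes.io/name: keyserv
        app.kubernetes.io/component: keyserv
        # The Service selector requires this label. Without it the Service
        # selects no pods unless a build-time transformer (for example a
        # kustomize labels entry) injects it; setting it here is harmless
        # in either case.
        app.kubernetes.io/instance: keyserv
    spec:
      # Do not inject *_SERVICE_HOST / *_PORT variables for other Services.
      enableServiceLinks: false
      # NOTE(review): nothing visible here needs the Kubernetes API; consider
      # automountServiceAccountToken: false after confirming with the
      # keyserv maintainers.
      imagePullSecrets:
        - name: imagepull-gitea
      securityContext:
        # The kubelet refuses to start the container if the image would run
        # as UID 0. This relies on the image declaring a numeric non-root
        # user, because no runAsUser is set here.
        runAsNonRoot: true
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keyserv
          # NOTE(review): no tag or digest, so this resolves to :latest and
          # the running code can change on any pod restart. Pin to a
          # version tag or an @sha256 digest unless an overlay already
          # rewrites the image reference.
          image: git.pyrocufflink.net/packages/keyserv
          args:
            - --master-key
            - /run/secrets/keyserv/master.key
            - --key-map
            - /run/keyserv/key-map.yml
          workingDir: /run/keyserv
          env:
            # NOTE(review): debug-level logging on a service that handles
            # key material. Confirm keyserv never logs keys or request
            # secrets at this level, or lower it outside troubleshooting.
            - name: RUST_LOG
              value: debug
          # Probes are written out in full instead of using a YAML anchor
          # and merge key (<<), a YAML 1.1 extension that not every
          # Kubernetes tool expands. The values match the merged result.
          readinessProbe:
            httpGet:
              path: /
              port: 8087
            periodSeconds: 60
            timeoutSeconds: 5
            failureThreshold: 3
            successThreshold: 1
          # Polls every second for up to 30 failures while the server starts.
          startupProbe:
            httpGet:
              path: /
              port: 8087
            periodSeconds: 1
            timeoutSeconds: 1
            failureThreshold: 30
            successThreshold: 1
          securityContext:
            readOnlyRootFilesystem: true
            # Block setuid binaries and file capabilities from granting the
            # process more privilege than it started with.
            allowPrivilegeEscalation: false
            # Port 8087 is unprivileged, so no Linux capability is needed
            # to bind it.
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: keyserv-config
              mountPath: /run/keyserv
              readOnly: true
            # Nested under the ConfigMap mount point above.
            - name: age-keys
              mountPath: /run/keyserv/age-keys
              readOnly: true
            - name: master-key
              mountPath: /run/secrets/keyserv
              readOnly: true
      volumes:
        - name: age-keys
          secret:
            secretName: age-keys
        - name: master-key
          secret:
            secretName: master-key
        - name: keyserv-config
          configMap:
            name: keyserv-config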