kubernetes/keyserv/keyserv.yaml
Dustin C. Hatch 534c4bfca0 keyserv: Deploy keyserv
`keyserv` is a little utility I wrote to dispense *age* keys to clients.
It uses SSH certificates for authentication.  If the client presents an
SSH certificate signed by a trusted key, the server will return all the
keys the principal(s) listed in the certificate are allowed to use.  The
response is encrypted with the public key from the certificate, so the
client must have access to the corresponding private key in order to
read the response.

I am currently using this server to provide keys for the new
configuration policy.  The keys herein are used to encrypt NUT monitor
passwords.
2024-01-19 22:08:25 -06:00
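The commit message above describes keyserv authenticating a client by its SSH certificate and returning only the keys that certificate's principals may use. As an added illustration (not keyserv's own code), the Python below parses the principal list, public key and validity window out of an OpenSSH ed25519 certificate blob and applies a deny-by-default key map; it assumes a hypothetical key-map shape (principal name mapped to key names) and a constructed certificate whose CA key and signature fields are placeholders, so verification of the signature against the trusted CA is omitted and must happen before this lookup is trusted.

```python
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # OpenSSH user (not host) certificate

def _pack_str(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_str(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(pubkey, key_id, principals, valid_after, valid_before):
    """Constructed test certificate: CA key and signature are placeholders, not real."""
    body = _pack_str(CERT_TYPE) + _pack_str(b"nonce-" * 5) + _pack_str(pubkey)
    body += struct.pack(">QI", 1, SSH_CERT_TYPE_USER) + _pack_str(key_id)
    body += _pack_str(b"".join(_pack_str(p) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _pack_str(b"") * 3  # critical options, extensions, reserved
    return body + _pack_str(b"<ca-key>") + _pack_str(b"<sig>")

def parse_cert(blob):
    """Pull out the fields a key server needs from an OpenSSH ed25519 cert blob."""
    cert = {}
    ct, off = _read_str(blob, 0)
    if ct != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    _, off = _read_str(blob, off)  # nonce
    cert["pubkey"], off = _read_str(blob, off)  # the response is encrypted to this key
    cert["serial"], cert["type"] = struct.unpack_from(">QI", blob, off)
    cert["key_id"], off = _read_str(blob, off + 12)
    packed, off = _read_str(blob, off)
    names, p = [], 0
    while p < len(packed):  # valid principals: packed strings inside one string
        name, p = _read_str(packed, p)
        names.append(name.decode())
    cert["principals"] = names
    cert["valid_after"], cert["valid_before"] = struct.unpack_from(">QQ", blob, off)
    return cert

def keys_for_cert(blob, key_map, now=None):
    """Keys the cert's principals may receive; assumes the CA signature was verified first."""
    now = int(time.time()) if now is None else now
    cert = parse_cert(blob)
    if cert["type"] != SSH_CERT_TYPE_USER or not cert["valid_after"] <= now < cert["valid_before"]:
        return []  # expired, not yet valid, or wrong certificate type: hand out nothing
    # Union over principals; an unknown principal yields nothing (deny by default)
    return sorted({k for p in cert["principals"] for k in key_map.get(p, ())})
```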


```yaml
apiVersion: v1
kind: Service
metadata:
  name: keyserv
  namespace: keyserv
  labels:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
    app.kubernetes.io/instance: keyserv
    app.kubernetes.io/part-of: keyserv
spec:
  ports:
  - port: 8087
    name: keyserv
  selector:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
    app.kubernetes.io/instance: keyserv
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keyserv
  labels:
    app.kubernetes.io/name: keyserv
    app.kubernetes.io/component: keyserv
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: keyserv
      app.kubernetes.io/component: keyserv
  template:
    metadata:
      labels:
        app.kubernetes.io/name: keyserv
        app.kubernetes.io/component: keyserv
    spec:
      enableServiceLinks: false
      imagePullSecrets:
      - name: imagepull-gitea
      containers:
      - name: keyserv
        image: git.pyrocufflink.net/packages/keyserv
        args:
        - --master-key
        - /run/secrets/keyserv/master.key
        - --key-map
        - /run/keyserv/key-map.yml
        workingDir: /run/keyserv
        env:
        - name: RUST_LOG
          value: debug
        readinessProbe: &probe
          httpGet:
            path: /
            port: 8087
          periodSeconds: 60
          timeoutSeconds: 5
          failureThreshold: 3
          successThreshold: 1
        startupProbe:
          <<: *probe
          periodSeconds: 1
          timeoutSeconds: 1
          failureThreshold: 30
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/keyserv
          name: keyserv-config
          readOnly: true
        - mountPath: /run/keyserv/age-keys
          name: age-keys
          readOnly: true
        - mountPath: /run/secrets/keyserv
          name: master-key
          readOnly: true
      securityContext:
        runAsNonRoot: true
      volumes:
      - name: age-keys
        secret:
          secretName: age-keys
      - name: master-key
        secret:
          secretName: master-key
      - name: keyserv-config
        configMap:
          name: keyserv-config
```