sshca: Deploy SSH CA service

[sshca] is a simple web service I wrote to automatically create signed
SSH certificates for hosts' public keys.  It authenticates hosts by
their machine UUID, which it can find using the libvirt API.

[sshca]: https://git.pyrocufflink.net/dustin/sshca

argocd/applications/sshca.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sshca
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: sshca
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

sshca/.gitignore

@@ -0,0 +1 @@
+machine-ids.json

sshca/README.md

@@ -0,0 +1,53 @@
+# SSHCA
+
+[SSHCA][0] is an online Certificate Authority for SSH.  It can automatically
+issue signed SSH certificates for hosts' public keys. Machines authenticate to
+the service using a JWT signed with their machine UUID, and the service
+validates the signature by looking up the UUID in either a local JSON document
+or by querying the libvirt API on one or more VM hosts. Certificates will only
+be issued for hosts that can authenticate successfully.
+
+## Installation
+
+```sh
+kubectl apply -k sshca
+```
+
+## Configuration
+
+SSHCA is configured by the `config.toml` file.  It is stored as a Kubernetes
+ConfigMap and mounted into the server container.  The configuration file is
+only read at startup, so the ConfigMap uses the name suffix hash feature of
+Kustomize; when the contents of the configuration file change, the name of the
+ConfigMap will change, which will cause Kubernetes to restart the pod.  Old
+ConfigMap resources are not deleted, but must be cleaned up by some other means
+(manually or e.g. Argo CD).
+
+The configuration file specifies the path to the private keys for signing
+certificates.  It also includes the list of libvirt hosts to check for machine
+UUIDs, as well as the path to a static file where additional machine UUIDs are
+provided.
+
+Besides the main configuration file, SSHCA needs an additional ConfigMap that
+contains an `ssh_known_hosts` file.  This file contains the public keys of the
+libvirt VM hosts, so that the service can securely connect to the libvirt API
+over SSH.
+
+## Secrets
+
+Several secrets are necessary for SSHCA to operate:
+
+1. The private key used to issue SSH host certificates, and optionally a
+   password to encrypt that key.
+2. A JSON document containing a map of host names to machine UUIDs, in order to
+   authenticate physical machines and other hosts that are not libvirt domains.
+3. An SSH user private key for authenticating to the libvirt hosts for VM UUID
+   lookups.
+4. OCI registry credentials for pulling container images.
+
+These secrets are stored encrypted as SealedSecret resources. The Bitnami
+Sealed Secrets controller decrypts these and manages regular Secret resources
+for them automatically.
+
+
+[0]: https://git.pyrocufflink.net/dustin/sshca

sshca/config.toml

@@ -0,0 +1,11 @@
+machine_ids = "/var/lib/sshca/machine-ids.json"
+
+[ca.host]
+private_key_file = "/run/sshca/secrets/host/key/host-ca-key"
+private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase"
+
+[[libvirt]]
+uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"
+
+[[libvirt]]
+uri = "qemu+ssh://sshca@vmhost1.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"

sshca/host-ca-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t sshca.pyrocufflink.blue

sshca/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sshca
+  labels:
+    app.kubernetes.io/name: sshca
+    app.kubernetes.io/component: sshca
+    app.kubernetes.io/part-of: sshca
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: sshca.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sshca
+            port:
+              name: sshca

sshca/kustomization.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: sshca
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: sshca
+  includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- sshca.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: sshca-config
+  files:
+  - config.toml
+
+- name: ssh-known-hosts
+  files:
+  - ssh_known_hosts

sshca/libvirt-sshkey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQpBPCOlZvB8/kURvYITdkWf16LpwOenfphPDEETnyo sshca.pyrocufflink.blue

sshca/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sshca
+  labels:
+    app.kubernetes.io/name: sshca
+    app.kubernetes.io/component: sshca
+    app.kubernetes.io/part-of: sshca

sshca/secrets.yaml

@@ -0,0 +1,70 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-host-key
+  namespace: sshca
+spec:
+  encryptedData:
+    host-ca-key: AgBG0Y/FZD87XZu4k/w78mqyN06VDoGkALP0xQ+IU59ZHoXAqz6HsOGP+0T5FUDBtvAwmOWlTehalXdKdhrU8anxFzbR79xbZVcwVDTWqsrybBPNMUYDJ7oc3T7BNyGfEEJIcbUBdFfiefCLJhl2rkaxIfG2ZBDdSmqdRI/m0QUE4u8vkDnI+Sxs53eM2qBZ/a4VHyGQkOLn0XlsQeTJiDo+oRRQQtDHNZ0i/2myX2RfLoiSNKv8BqFuhXnMG7Rx9HXjJ0dAFIO5e57eLkkBxElVZQEs+NfwZP/fd89sWTvRzeDvRCykhSS7RXgQtTEKdTpzoQdGUxDBNd3AcmBvb/BP0FyRJTGRQIhrRQmCzYKFVNI+oWvMlVp/aQ2tZpmL7BESkwoQ/jcWhx02r2dH9r7U/eZJnZdmsH5gvLhacHPkChfkKHesp9f4PZhDalhNP4WbIcJobe+/IG3L9eF4hjPVrYG7aoKrnNzHVETzYDh91vwQA1/v2ahQUxe4Gr3VwVOCxYtIc6ce/k0h+h5luDHA3l7/h7Z2O1EGkkcWzffJCslVKVwoW8wYk1kCN/iVPDNYWd7sVScM/yq8Pam/jzfB7yJwpQtpv6crezLTjXtUz1peRlgwu1V54j0FZDiTPaza+nC25BqCK0j8MhEicR5QTAMxNZE4mGfZESvHAQXXmuOoHwMUoNCoyvbk34chohOInYy6itWgrihHkFVAEhYVavxvb1N+i5fYzt2po1rynVBjpxHHp+/lb9Us8rFAPfD6lsl79njUeUX8E9OpDFUorwr+kNJz7AD3Nau1ZnSiJmBJfkTxaYo/JdGecNfe8G4FBx3/7g/VjHJAaPEpG+6+dJGlr+lNSHwfeS27ykP7UQVUvooF8tEjO3oTFSbb858MIrSqgJHAej5CeXI6gANEeHzeZ18TZQ9nANfKZjiguDx84FnrU97jyaB8BnYw8aPTFcBRtWrRlM+xtIOCojl12a72s0dPjxQvjKyd9OrYi6Xukik1wCVqO3OBvNIJPSVwczpxiDT3Gu2HBLl7S8xY0wROtdYUmTrKYoCEDSx1Ue7iRqsgSx5UQmXQQcIBKGQy+SbIrAJo4xmtKFtKN+JeMX8TCbu/wCSck0pOjXf30MxJlRNaefThJOKMLg/KugBTJE99CFx+uiSJneRFsZBlNpD+V7lUMU2rF9nwUnBjko5g1TRQqx456wQLrH7YB9EcgofMnQ6/pkONGpFylfObDGdnB6JVGjCwbeTe5F+Cv4sICGQDcA7QDeaZ4GhqyI9ywhXtzJ0IsFRCq96otD64ioc/JIZgPDm8YDh1FZDj1w==
+  template:
+    metadata:
+      name: sshca-host-key
+      namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-host-passphrase
+  namespace: sshca
+spec:
+  encryptedData:
+    host-ca-key.passphrase: AgBGgXPHfyXA8wEkG2kXBUY/STvBZ98g8lEZ63M0WtMKCrwGj/LPmS0Xje0Lzr1WU6Js56/8AKOcUrXwpmCUMrtNORD3BCExgFP6eT0KNRZ4L/0ybfQRYdMlYDrWh0mG2kXCQ/VKUKKyICJeYYe8tyEfwYMyeXjG0+wn2Xpnw78B9msmaeDVTopCaCIY+3aUOmqmdakKA3QhfaOmfW5/j4c7Z5GhN56FXp1HxuDITWGijAiRI+dmhW0gGgZ1kBiWEGtXFG/24Ln6wEC2Gg477AECcReLmlbhjE0ckihzs1O8rIK0n7hM9cq+sxmhVTl/bfRYXnIGyc4vMwV5pzjshlFErK0/9Qh5Uhk7g474Z3hnF+GEzJmuyEthrsHW0Y3E922VMzHxU1v/7ZvX3cOwUFmjJ/bJrrU9/leaV7QdqiZaxvgYngEnf7xRQwiiunbbfn60bgDrrnMLuvqcG9AJ8vsBrc+62/OH8AB/9OSJYIkIT6eIquevv+WOrdT1i7qPtlK+xY/lOcfXuGUPhf96T/0sNYOgxSvHSWLLrv5S703aTS5Yqb/nERFWiOGlGyjhgUOv9GTTkzfCuRIYcRpjLSsWtUebzAale/wYniS4CaqfcOI9kv11whPUohMPVSQFhUaeQBmi0Gc6xIBVPT4L/QUzKFMhjLM2UXj+Z2ql7tJkTQ2GGWP89RZX6IGOPP/nZdCdqSNBtPvvaGC3mNCqksGu1v2ORyvRVYixF6PAfBlj/Afm/A9t+yPcNH0DjcGY7qZnrZ+YH+yZWlTeHA69vubh
+  template:
+    metadata:
+      name: sshca-host-passphrase
+      namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-libvirt-sshkey
+  namespace: sshca
+spec:
+  encryptedData:
+    sshkey: AgB90kcWxJfkVI+NbKy+3S6CfFKsx7NwjeIOEzU5MnUx0PbkAG2VUAI9Xp0h5Md1/1qcTwXq1hOa/7NhfOPovarxBDf5iQISSX2aQcQbwcr3eOIuGbE3Uny4ttZqG5v5TJhnfhHdKlvv5Wmafmpv6xPkcV7mFLd5yaRNwu0zgg8eHnpGXxOFnp8LQXlB4KIP5NLYgEdLR0CTU/ygJMh4YSvtR+jQnt/gD7d6NRvyHsx+0dIHeaCfmYD2ewAW8a26sknG/ZuCEl3ZN2GE/rT8dyS8pd35aApEQvSjMW50hSb5kRTGjhvlhMOzoTpRAkp6gT4T9BIru8h1OenXr59d+xUxuHlIACZAOstxTV08dVfqBdlKvUvw8qxtb9htXe1m4NMTxZlSDp2zjvIUbRlopLBrLWuC55l+3DDmJg4w6ASL1W+KdflufAfK3JNJwMkHqORX8KzqhYa1McbyxTKshjoMkFm0yOip2kMcrrVVAJtymPElAwyjpwgWn1UIpMTLGoaXRxcaf38ljHY70yRZz4eWzIrtW5BeMbFdOBxpstQbSRHr8f5UueQr3nCavyv3lnKjiX3jxspnnBrv6WQDFs6yu6L97QSD3Gbx0yXYV/MOr8Cg/3+2KUDy9mCDUQ1mzNoObbdfwU+q1yHXgTRWd1QXBpov7f+E3Q/hcdO/9OaPu+DmiRfCrqTSnclh4LV/LMuYCWJogdzvEhGxItMscIfBmHLbIZIVrxCnVXJ4VkF0HGv35L+t+ZlhwA8XHN++LNVDvuHzvxAIrpqgQ5itHKSOjwXOepJ15Id/1eSP4fBnjeTL+OzVOr8H17S1oTF0aVNql9lCV1lgLVYMJrjsbERfvkfC8bfVZ3OdOJZAVE6EHWJOiYopKuX5cmB4Ca35+mEeLyGEM21KVxWeIIjzBgcMnDmNoMtSIHOT38Vy5DLs5qwQcXR19jx03x+BDVh22zkM8y/0YgZZFL1bkS0W6Y58HDGw33qXd0uPBnC+eL5BpN4nTJtiIv/C1+2P6RQz8qdf2yp9bn0+e4rdtRf/NFP/kQgED9bVX1LyOkAeb+W/L5Z99LRIqmYG+vhCeCnYZlzZto4jYV4h8Su8FxrbR0cIL0TH98FMP2e4sWh74aU63A3d7wFIrrR/hF+4mE7CiEbmtqgPGfXv6VrIY8fuzzQV6tAeH52yF7MQQGoy+8S9jlWDctqPRGhfMl0IvzwkuXtKeB+4z707VKN/SuheH74zDGbxvEwDBLzIDVN8fnV2bo7OhQ==
+  template:
+    metadata:
+      name: sshca-libvirt-sshkey
+      namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: sshca
+spec:
+  encryptedData:
+    .dockerconfigjson: AgCv0B4foYgX1AITeFvpn+M3fChalqe5qyR7uM+ltVFp35R0ojosrfTOynHTVQ4c4LHtHsU9JihS4IinLPM0F4FfT3gSkKwaz5cD0vwF3gWu5GC3/8EdlquMhCTq4ZNT5ZUEO6XAaFWjPPJ9F4TQsC6UTvQ5mg8AijQ3T7tZmVr61QA15frnm+MkiPcfPW/A3Ku2cUK+SBYyiGd/G7iBId13nWbkj1y74l1DZPV10ZaOoZRmOCoAx0QSkhOqENXvAFLC++Jny0OcP87sYXmdsoTPVO2BtuivVo+X3jxLBAX/nqaU3PuZkTORX/XlMtVhu7qF23aCzvumaayrnxDgE3HT+ddHi7S4PwDw1OCPwDd81hTzJ0b1x65a6PxiOgflfQS7ogYeN22edLlJt1KLdmEuvK6kp3D6yxU5Lx6VBDu24SBbfv0lrq2k3JyseeNYqJQ21oDW9bm1QqU2YbbwxsLxCv9Uc1stXxJ77d08dSgjCZ1PQsWnUAZLw53sGgytvvhcvdASy8d9VWNp0n5UlH27zxeFP6w78KAjdY54HvDxCJCk3hDR9jnE6Amwi8K6vMiI02bfEyrQb82I2yuZxCVj+4icS6wW/haMEnfnzNXNwqDxuLsWXL31ItyHmNgyhV5GOTPihA+phPXz91PbxsYDa2oMRZQ6M2uaGSbXHUAqiZA/cKPzISh5fKI1fsvbpjOditvYnig8JcvclrPe04EMuNr5+zPcaUI/kuwUb1sH7kMNGaP8tobRqTOLshN+ZQreVBC/3/tgjn+a5ERzmy1IPmqu5r/msSm3KJla9JOQZ+++3ZQuNZvqt8MF32WYyGxKieYP6claOVYMYfXxpGc3PrqdeVNUAw2fSnNp5N9+oVHTZD5aqmyeCE64sG7/IvUu+B9o/P6TEloJPy6SXcNO0ZkT+4Ttkvo/6KrQluJ8vt9PFSBU2/kFjX4IEJG4B6oASzvJ0QkVgn9P/7r+yfs1RAneNi5/r2upCsgpaYDLa676IdDkwy/m2f+QIyg=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: sshca
+    type: kubernetes.io/dockerconfigjson
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-data
+  namespace: sshca
+spec:
+  encryptedData:
+    machine-ids.json: AgCmwNtLiL3SbRthy7TIMcKtNWzo2Xm1uSpdyWAWSxLnuyfBDT7sgNn2ILma/bCW9zJe/EaPbbZDgeUbcob1YWLkm6gBEZ8UkA0z/Jgu9hyvVDFoicvDFcmpLiPviyUrak7mmioeOgshAKmHAILa5m1fWNjbzxy0UgkjrGPJA9GXF/g1BFerf/kp5qAkpk0zAONx3ToganSDL7wXj4Mz6x2bb4Nu4s6kdyWdaxyz3evOzvBcy9HRl9Yyq/sIjW/nSahrTs1iwtWDOqF7j5pLmUa5FBoD2hlPmDUCC2Sw5JhwDJd2KuTV811Sl4qk60xLrp6RLlbhrhq3XsRPsUJm/5F8s7kKr2KPtEZu24+uZ12w7DYxlkuEJSlRcH1g/BMc1SD4PDQ2UJK04uQN6RVZlkm8bBYKunMniX9btF4ECXNlgYe0jr7o1SHj862tSnx63GJ4LVnO6Q8ahuM5d9BqMduo+8gpLBVb8vV1pT0zDhLVDGAsDHZE7s8V84eDn83iqlIVaTkUyUt4UAVvRseXENk7s2wyTSf7hYEbVPfcoMfuYR//PQWlN1+iEHtwxU6wSYEBmAXEuS0HXUAVFo55XSQylLDZBERkP0xD1svVFUV062hfFy5sTWTgEciZItMqdX+2TFlPdojZUSj0hk0TsxnuKUBnZLDimKmMa/8e360s3t4b9q9TL4PutGbr57SFZvat5wRmDjq/YgPOtA8H1QV6U7CU5SjG2vKH7KXdoI4wGk84n+F6ECUBQ8pp8lxwlzjyIDzIYM8EEsWW3qc7EcZC7wsj1i+0MJAoauyTYQBpAu9OzwzVSpHlK4N6QNm7do0fpL8UsAX1EbdSxsLg7yWUTpNx02qiXhtLVt/csUGiokHapLxy+60b3kzHS5vpW5k=
+  template:
+    metadata:
+      name: sshca-data
+      namespace: sshca

sshca/ssh_known_hosts

@@ -0,0 +1,6 @@
+vmhost0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIE4HC02W4y4FG7tepnug47bH/DXAL2xX5klUN9r+a+P
+vmhost0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2mhyQV9esoL+P20DYIK+mz7+9ndvavXOhc15nFYUkIQX7hZzfcZnvccjd/4Ii7U6IY/8pmgT7Qk72OS9l9aCUzxKwRe3hD9ICz1ncrBQB2dCw2zL3fdfywU5WHCYWdgJPY5L9EYe6G5XNnKZN8k0Bs5mtryLytQre06eiDo5tNsFs6iKNCM75JbHNTY2yI1Pcc+FS65jYxNUyuFm6MfbxgM8gUdtS8czifgFMZxXcaAjqN3Mc6UyR2NvBTrytnCuRay2d67KK3xWCtllw+hxkS7dGlpzV8DE+iYm7spFMFcQW3Az6xBs0G+SWBkvyBUn63YKsoarwl3G9VC9/SQhR
+vmhost0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOSoJjVyG6dQMm0A+cTXFne1uh+smq13/bbvxJrxiVwFZiyi2ng5qU5tr+WSxyGNj2xLXGjtoygWUyr6D0R8mts=
+vmhost1.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHL7MW0Tnl4BUyxWiwQ2ldAmQFqrVvRGd3razpQwK7P
+vmhost1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2E9a0+JIcT7yWnbquZCSAdG43TFDyBlvdZgOYHanh6VRGlSDUWDkTdfqDuy4UvZ38OO5zRwjWv3X6jDF9wahyLYzkXYZ53/5piCnIl5Vki6KjpHCS3iFYVw8ZEX8NiPfMIqaNhmM+20q1qLGLV6YW/OJo504PfWh+pXGjMlIIJfLHlJpfhQD284RLZJWCjfEq+cr8j8/lE21j/adL9xReYoC9+TpfUNgUMRi06aMAu2fwR0ijU7oWSD/jnbYCvXgikt7cPrGI7jTIu2HFpTs5ctVIcE3c9NyQYbu1xKza2Scrt/0b3+jRdzAttGShwebW1iYzoctvzWDCd9DkHVQL
+vmhost1.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCix3Nzwir1BjTR+pv5Q1c+Yvqu9KS4OxEcDFqcvEQtVWWKZXR+QOAq/ZHvUaCi4FBuXvEKAJPQpZXF7ufdrd6Y=

sshca/sshca.yaml

@@ -0,0 +1,113 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sshca
+  namespace: sshca
+  labels:
+    app.kubernetes.io/name: sshca
+    app.kubernetes.io/component: sshca
+    app.kubernetes.io/instance: sshca
+    app.kubernetes.io/part-of: sshca
+spec:
+  ports:
+  - port: 8087
+    name: sshca
+  selector:
+    app.kubernetes.io/name: sshca
+    app.kubernetes.io/component: sshca
+    app.kubernetes.io/instance: sshca
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sshca
+  namespace: sshca
+  labels:
+    app.kubernetes.io/name: sshca
+    app.kubernetes.io/component: sshca
+    app.kubernetes.io/part-of: sshca
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sshca
+      app.kubernetes.io/component: sshca
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sshca
+        app.kubernetes.io/component: sshca
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: sshca
+        image: git.pyrocufflink.net/packages/sshca
+        args:
+        - -c
+        - /etc/sshca/config.toml
+        env:
+        - name: RUST_LOG
+          value: info,sshca=trace
+        ports:
+        - containerPort: 8087
+          name: sshca
+        readinessProbe: &probe
+          httpGet:
+            port: 8087
+            path: /
+          failureThreshold: 3
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 1
+        startupProbe:
+          <<: *probe
+          failureThreshold: 30
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /etc/ssh/ssh_known_hosts
+          name: ssh-known-hosts
+          subPath: ssh_known_hosts
+          readOnly: true
+        - mountPath: /etc/sshca
+          name: sshca-config
+          readOnly: true
+        - mountPath: /run/sshca/libvirt
+          name: sshca-libvirt-key
+          readOnly: true
+        - mountPath: /run/sshca/secrets/host/key
+          name: sshca-host-key
+          readOnly: true
+        - mountPath: /run/sshca/secrets/host/passphrase
+          name: sshca-host-passphrase
+          readOnly: true
+        - mountPath: /var/lib/sshca
+          name: sshca-data
+          readOnly: true
+      imagePullSecrets:
+      - name: imagepull-gitea
+      securityContext:
+        runAsNonRoot: true
+        fsGroup: 298
+      volumes:
+      - name: sshca-config
+        configMap:
+          name: sshca-config
+      - name: sshca-data
+        secret:
+          secretName: sshca-data
+      - name: sshca-host-key
+        secret:
+          secretName: sshca-host-key
+      - name: sshca-host-passphrase
+        secret:
+          secretName: sshca-host-passphrase
+      - name: sshca-libvirt-key
+        secret:
+          secretName: sshca-libvirt-sshkey
+      - name: ssh-known-hosts
+        configMap:
+          name: ssh-known-hosts