diff --git a/addon/sshkeys/Chart.yaml b/addon/sshkeys/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..adb04f6a2ed16ac1cda693143643dcc19be1fa15
--- /dev/null
+++ b/addon/sshkeys/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: sshkeys
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/addon/sshkeys/templates/cm-sshkeys.yaml b/addon/sshkeys/templates/cm-sshkeys.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fac24bf0b38b794eca710c8dc1d040b1edac47b8
--- /dev/null
+++ b/addon/sshkeys/templates/cm-sshkeys.yaml
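Review bot: `description: A Helm chart for Kubernetes` is the scaffold placeholder; since this chart deploys a DaemonSet that edits root's authorized_keys on every node, the description should state that, e.g. `description: DaemonSet that adds/removes root SSH authorized_keys on every node`. `appVersion: "1.16.0"` is also the scaffold default and does not correspond to anything the chart ships; drop it or set it to the version of the image once that image is pinned.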
@@ -0,0 +1,67 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ssh-keys
+ namespace: {{ .Release.Namespace }}
+ labels:
+ k8s-app: ssh-keys
+data:
+ ssh-keys-to-inject.txt: |
+ # ADD_KEYS_BELOW Do not remove this line
+ {{- range $k := .Values.sshkeys_add }}
+ {{ $k }}
+ {{- end }}
+
+ ssh-keys-to-remove.txt: |
+ # ADD_KEYS_BELOW Do not remove this line
+ {{- range $k := .Values.sshkeys_rm }}
+ {{ $k }}
+ {{- end }}
+
+ ssh-keys.sh: |
+ #!/bin/bash
+
+ function ssh_key () {
+ _authorized_keys="/hostfs/root/.ssh/authorized_keys"
+ _public_key=$1
+ if ! grep "${_public_key}" ${_authorized_keys} ; then
+ echo "Will add ssh key: ${_public_key} to ${_authorized_keys}"
+ echo "${_public_key}" >> ${_authorized_keys}
+ else
+ echo "ssh key already exists in ${_authorized_keys}"
+ fi
+ echo "sleeping for ever"
+ }
+
+ function remove_ssh_key () {
+ _authorized_keys="/hostfs/root/.ssh/authorized_keys"
+ _public_key=$1
+ if ! grep "${_public_key}" ${_authorized_keys} ; then
+ echo "ssh key: ${_public_key} not found in ${_authorized_keys}"
+ else
+ cat ${_authorized_keys} | grep -v "${_public_key}" > ${_authorized_keys}
+ echo "ssh key ${_public_key} removed from ${_authorized_keys}"
+ fi
+ echo "sleeping for ever"
+ }
+
+ while read -r line
+ do
+ ssh_key "$line"
+ done < <(cat /usr/local/ssh-keys/ssh-keys-to-inject.txt | grep -v ADD_KEYS_BELOW)
+
+ while read -r line
+ do
+ remove_ssh_key "$line"
+ done < <(cat /usr/local/ssh-keys/ssh-keys-to-remove.txt| grep -v ADD_KEYS_BELOW)
+
+
+ set +x
+ while true ; do
+ #run
+ sleep 60s
+ echo "Restart me to re-run"
+ done
+
+ # end
diff --git a/addon/sshkeys/templates/ds-sshkeys.yaml b/addon/sshkeys/templates/ds-sshkeys.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..17c58cf6a76e6bc857788b68b6e712a8767af164
--- /dev/null
+++ b/addon/sshkeys/templates/ds-sshkeys.yaml
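Review bot: `cat ${_authorized_keys} | grep -v "${_public_key}" > ${_authorized_keys}` in remove_ssh_key truncates the file before cat reads it (the shell opens the `>` target first), so the first key removal empties root's authorized_keys on every node the DaemonSet runs on. The filtered output has to go to a temp file in the same directory and then be moved over the original, as in the rewrite below. Both functions also test membership with an unanchored `grep "${_public_key}"`, which treats the key as a regular expression and matches substrings; `grep -qF -- "${_public_key}" "${_authorized_keys}"` (and `-vF --` on the removal filter) compares the literal string and keeps a key that happens to be a substring of another line from being mistaken for it or filtered out with it. A `[ -z "$line" ] && continue` guard in both read loops would keep an empty key from ever reaching `grep -v ""`, which matches every line; the current template does not seem to emit blank lines, but the guard is cheap. The `echo "sleeping for ever"` inside each function is misleading, since neither function sleeps — that happens in the loop at the end of the script.
```shell
function remove_ssh_key () {
  _authorized_keys="/hostfs/root/.ssh/authorized_keys"
  _public_key=$1
  if ! grep -qF -- "${_public_key}" "${_authorized_keys}" ; then
    echo "ssh key: ${_public_key} not found in ${_authorized_keys}"
  else
    # Filter into a temp file next to the original and replace it atomically;
    # redirecting straight back onto the source truncates it before grep reads it.
    # mktemp creates the file 0600, which is what sshd expects for authorized_keys.
    _tmp=$(mktemp "${_authorized_keys}.XXXXXX")
    grep -vF -- "${_public_key}" "${_authorized_keys}" > "${_tmp}"
    mv "${_tmp}" "${_authorized_keys}"
    echo "ssh key ${_public_key} removed from ${_authorized_keys}"
  fi
}
# … unchanged: read loops and the sleep loop …
```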
@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: ssh-keys
+ name: ssh-keys
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: ssh-keys
+ template:
+ metadata:
+ labels:
+ k8s-app: ssh-keys
+ spec:
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ hostPID: true
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ securityContext:
+ seLinuxOptions:
+ type: "spc_t"
+ runAsUser: 0
+ fsGroup: 0
+ volumes:
+ - name: hostfs
+ hostPath:
+ path: /
+ - name: ssh-keys
+ configMap:
+ name: ssh-keys
+ containers:
+ - name: sshkeys
+ image: gitlab-registry.cern.ch/linuxsupport/c8-base
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ runAsGroup: 0
+ allowPrivilegeEscalation: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ command:
+ - /bin/bash
+ - /usr/local/ssh-keys/ssh-keys.sh
+ volumeMounts:
+ - name: hostfs
+ mountPath: /hostfs
+ mountPropagation: "Bidirectional"
+ - name: ssh-keys
+ mountPath: /usr/local/ssh-keys
+
diff --git a/addon/sshkeys/values.yaml b/addon/sshkeys/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f05c2fa0b508222246de13639eca19c914034a53
--- /dev/null
+++ b/addon/sshkeys/values.yaml
@@ -0,0 +1,2 @@
+sshkeys_add:
+ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3buGak50vRqdFHirl08/WQ/oHWitVqudFBJtuDJk/RztmI2HAkmmgmZT4Q9w16lhlQ+R7cYAoxEtytaU5iPuBs0X0mfAegrAlj/uL2Qcs2DbkyS13f83BNPUgn46+s7uB+ZMQ4N5pPri6Wue3+nRAB4R2S9JmuR+qETgNRYoUAcB+pawxNugRarS/ROpDszv5WxWRRYvB+w0FDSRFi1DalpjSwL29nthvqBNN733WD/sh7w6oq6lOWDzDvRtv4L0cD/4PulupCjwqDtu+MCCfGKh2kBZ11VQfl/nYM3bVDyYqKqPp5C0dYZbT/R0VqZafddP80lXxCqq/RysSB3x1 ricardo@rochahp.cern.ch"
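Review bot: The pod requests far more than appending to one file on the host needs — `privileged: true`, `SYS_ADMIN`, `hostPID: true`, `hostNetwork: true` and a `hostPath: /` mount with `mountPropagation: "Bidirectional"` — while the script only reads and writes `/hostfs/root/.ssh/authorized_keys`; mounting `/root/.ssh` alone, with the privileged flag, added capability and host namespaces removed, gives the same behaviour with a much smaller blast radius should the image or the ConfigMap be tampered with. Separately, `namespace: kube-system` is hard-coded here while the ConfigMap is rendered into `{{ .Release.Namespace }}`, so the `configMap: name: ssh-keys` volume will not resolve when the chart is released into any other namespace; use `namespace: {{ .Release.Namespace }}` in both templates. The `image:` line carries no tag or digest, so each node pulls whatever the registry currently serves as latest. The reduced spec below keeps `seLinuxOptions`, since writing to a hostPath on an SELinux-enforcing node may still need `spc_t` — confirm on the target hosts; `DirectoryOrCreate` is used so a node without `/root/.ssh` does not keep the pod from starting.
```yaml
    spec:
      # … unchanged: tolerations …
      # hostPID, hostNetwork and dnsPolicy dropped: the script only edits a file on the host.
      securityContext:
        seLinuxOptions:
          type: "spc_t"
        runAsUser: 0
        fsGroup: 0
      volumes:
        - name: root-ssh
          hostPath:
            path: /root/.ssh
            type: DirectoryOrCreate
        - name: ssh-keys
          configMap:
            name: ssh-keys
      containers:
        - name: sshkeys
          image: gitlab-registry.cern.ch/linuxsupport/c8-base  # TODO pin a tag or digest
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command:
            - /bin/bash
            - /usr/local/ssh-keys/ssh-keys.sh
          volumeMounts:
            # Mounted at the path the script already hard-codes, so ssh-keys.sh is unchanged.
            - name: root-ssh
              mountPath: /hostfs/root/.ssh
            - name: ssh-keys
              mountPath: /usr/local/ssh-keys
              readOnly: true
```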
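Review bot: values.yaml ships a real personal public key with an identifying comment as the chart default, so every install that does not override `sshkeys_add` grants that key root on every node of the cluster. Defaults should be empty and the key supplied per deployment via `--set`/a values override: `sshkeys_add: []`. The ConfigMap template also iterates `.Values.sshkeys_rm`, which this file never declares; add `sshkeys_rm: []` so the expected shape of both values is documented in one place.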