diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml
index 671eed9..9411c52 100644
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
 - ./rbac.yaml
 - ./daemonset.yaml
 - ./external-secrets.yaml
+ - ./service.yaml
+ - ./secret-reader.yaml
 # - ./storage.yaml
-# - ./service.yaml
diff --git a/k8s/apps/mtproxy/secret-reader.yaml b/k8s/apps/mtproxy/secret-reader.yaml
new file mode 100644
index 0000000..9ab04bb
--- /dev/null
+++ b/k8s/apps/mtproxy/secret-reader.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secret-reader
+ labels:
+ app: secret-reader
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secret-reader
+ template:
+ metadata:
+ labels:
+ app: secret-reader
+ spec:
+ serviceAccountName: mtproxy
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: secret-reader
+ image: ultradesu/k8s-secrets:0.2.1
+ imagePullPolicy: Always
+ args:
+ - "--secrets"
+ - "mtproxy-links"
+ - "--namespace"
+ - "mtproxy"
+ - "--port"
+ - "3000"
+ ports:
+ - containerPort: 3000
+ name: http
+ env:
+ - name: RUST_LOG
+ value: "info"
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "128Mi"
+ cpu: "150m"
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/k8s/apps/mtproxy/service.yaml b/k8s/apps/mtproxy/service.yaml
index 80b6539..2424610 100644
--- a/k8s/apps/mtproxy/service.yaml
+++ b/k8s/apps/mtproxy/service.yaml
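Review bot: In secret-reader.yaml, `serviceAccountName: mtproxy` runs the new pod under what appears to be the same service account as the proxy workload (rbac.yaml and daemonset.yaml are listed in the same kustomization, but neither is visible here), so whatever Role allows reading `mtproxy-links` would be held by both. A dedicated account keeps the secret-read permission off the proxy pods: `serviceAccountName: secret-reader`, bound to a Role limited to `verbs: ["get"]` with `resourceNames: ["mtproxy-links"]`. Separately, `image: ultradesu/k8s-secrets:0.2.1` together with `imagePullPolicy: Always` re-resolves a mutable tag on every pod start; for a workload that reads Secrets, pinning by digest (`image: ultradesu/k8s-secrets@sha256:<digest>`) removes the dependency on whatever the tag points to at pull time.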
@@ -2,15 +2,15 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: mtproxy
+ name: secret-reader
+ labels:
+ app: secret-reader
 spec:
- type: LoadBalancer
+ type: ClusterIP
 selector:
- app: mtproxy
+ app: secret-reader
 ports:
- - name: proxy
- port: 30443
- targetPort: 30443
- protocol: TCP
- nodePort: 30443
-
+ - port: 80
+ targetPort: 3000
+ protocol: TCP
+ name: http
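Review bot: The `secret-reader` Service in service.yaml makes port 80 reachable from every pod in the cluster, and nothing in this commit restricts who may connect. The backend is started with `--secrets mtproxy-links`, so it presumably returns that Secret's content over plain HTTP, and no authentication option is visible in the container args. A NetworkPolicy with `podSelector: {matchLabels: {app: secret-reader}}` that admits ingress on port 3000 only from the intended consumer would be worth adding to the kustomization alongside this file. The change also drops the `mtproxy` LoadBalancer Service entirely; if the proxy is not exposed some other way (for example a host port in daemonset.yaml, not visible here), that removal should be confirmed as intended.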