diff --git a/cmd/horcrux/cmd/proxy.go b/cmd/horcrux/cmd/proxy.go
new file mode 100644
index 00000000..60dfdb4c
--- /dev/null
+++ b/cmd/horcrux/cmd/proxy.go
@@ -0,0 +1,65 @@
+package cmd
+
+import (
+ "fmt"
+
+ cometlog "github.com/cometbft/cometbft/libs/log"
+ "github.com/spf13/cobra"
+ "github.com/strangelove-ventures/horcrux/signer"
+ "github.com/strangelove-ventures/horcrux/signer/proxy"
+)
+
+const (
+ flagListen = "listen"
+ flagAll = "all"
+)
+
+func proxyCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "proxy",
+ Short: "Commands for running a horcrux proxy",
+ }
+
+ cmd.AddCommand(proxyStartCmd())
+
+ return cmd
+}
+
+func proxyStartCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "start",
+ Short: "Start horcrux-proxy process",
+ Args: cobra.NoArgs,
+ SilenceUsage: true,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ out := cmd.OutOrStdout()
+
+ logger := cometlog.NewTMLogger(cometlog.NewSyncWriter(out)).With("module", "validator")
+
+ logger.Info("Horcrux Proxy")
+
+ addr, _ := cmd.Flags().GetString(flagListen)
+ all, _ := cmd.Flags().GetBool(flagAll)
+
+ listener := proxy.NewSignerListenerEndpoint(logger, addr)
+ if err := listener.Start(); err != nil {
+ return fmt.Errorf("failed to start listener: %w", err)
+ }
+
+ sentries := make(map[string]*signer.ReconnRemoteSigner)
+
+ if err := proxy.WatchForChangedSentries(cmd.Context(), logger, listener, sentries, all); err != nil {
+ return err
+ }
+
+ proxy.WaitAndTerminate(logger, listener, sentries)
+
+ return nil
+ },
+ }
+
+ cmd.Flags().StringP(flagListen, "l", "tcp://0.0.0.0:1234", "Privval listen address for the proxy")
+ cmd.Flags().BoolP(flagAll, "a", false, "Connect to sentries on all nodes")
+
+ return cmd
+}
diff --git a/cmd/horcrux/cmd/root.go b/cmd/horcrux/cmd/root.go
index ff506a7e..9c5117cd 100644
--- a/cmd/horcrux/cmd/root.go
+++ b/cmd/horcrux/cmd/root.go
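Review bot: The `--listen` default registered at the end of proxyStartCmd in proxy.go is `tcp://0.0.0.0:1234`, so a proxy started without flags accepts privval connections on every interface of the host. Nothing in this hunk shows the listener authenticating its peer (that would be inside `proxy.NewSignerListenerEndpoint`, which is not visible here), so network reachability is the only control a reader can confirm. I would default to loopback, `cmd.Flags().StringP(flagListen, "l", "tcp://127.0.0.1:1234", "Privval listen address for the proxy")`, or at least state in the help text that the port must be reachable only from the signer hosts. Separately, `addr, _ :=` and `all, _ :=` discard the flag lookup errors; returning them avoids starting the listener on an empty address if a flag is ever renamed or misregistered.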
@@ -40,6 +40,7 @@ horcrux create-ecies-shards cmd.AddCommand(getLeaderCmd()) cmd.AddCommand(stateCmd()) cmd.AddCommand(versionCmd()) + cmd.AddCommand(proxyCmd()) cmd.PersistentFlags().StringVar( &config.HomeDir, diff --git a/go.mod b/go.mod index 4ece74ee..62b15225 100644 --- a/go.mod +++ b/go.mod @@ -9,6 +9,7 @@ require ( github.com/armon/go-metrics v0.4.1 github.com/cometbft/cometbft v0.37.2 github.com/cosmos/cosmos-sdk v0.47.3 + github.com/cosmos/gogoproto v1.4.10 github.com/ethereum/go-ethereum v1.12.0 github.com/gogo/protobuf v1.3.2 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 @@ -27,6 +28,8 @@ require ( google.golang.org/grpc v1.55.0 google.golang.org/protobuf v1.30.0 gopkg.in/yaml.v2 v2.4.0 + k8s.io/apimachinery v0.28.1 + k8s.io/client-go v0.28.1 ) require ( @@ -44,7 +47,6 @@ require ( github.com/cosmos/btcutil v1.0.5 // indirect github.com/cosmos/cosmos-proto v1.0.0-beta.2 // indirect github.com/cosmos/go-bip39 v1.0.0 // indirect - github.com/cosmos/gogoproto v1.4.10 // indirect github.com/cosmos/ledger-cosmos-go v0.12.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect 
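Review bot: The go.mod hunk at `@@ -27,6 +28,8 @@` makes `k8s.io/apimachinery` and `k8s.io/client-go` direct requirements, and root.go registers `proxyCmd()` on the same root command, so every build of this binary now links the Kubernetes client and its transitive set (the later go.mod hunks add `golang.org/x/oauth2`, `k8s.io/api`, `k8s.io/klog/v2` and more). That is a large addition to the dependency graph of a binary that presumably also runs the signer and handles key shards. Consider shipping the proxy as its own binary or module, or gating it behind a build tag, so signer-only builds do not carry it. If it stays in one module, a vulnerability scan of the new graph (for example `govulncheck ./...`) belongs in the checks for this change.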
@@ -52,16 +54,24 @@ require ( github.com/dgraph-io/ristretto v0.1.1 // indirect github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect github.com/dustin/go-humanize v1.0.1 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/go-kit/kit v0.12.0 // indirect github.com/go-kit/log v0.2.1 // indirect github.com/go-logfmt/logfmt v0.5.1 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/golang/glog v1.1.0 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb // indirect github.com/google/btree v1.1.2 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect github.com/gtank/merlin v0.1.1 // indirect github.com/gtank/ristretto255 v0.1.2 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect 
@@ -76,14 +86,20 @@ require ( github.com/holiman/uint256 v1.2.2-0.20230321075855-87b91420868c // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/jmhodges/levigo v1.0.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.16.3 // indirect github.com/libp2p/go-buffer-pool v0.1.0 // indirect github.com/magiconair/properties v1.8.6 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.18 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mimoo/StrobeGo v0.0.0-20210601165009-122bf33a46e0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.7 // indirect github.com/petermattis/goid v0.0.0-20230317030725-371a4b8eda08 // indirect 
@@ -101,14 +117,25 @@ require ( github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/tecbot/gorocksdb v0.0.0-20191217155057-f0fad39f321c // indirect go.etcd.io/bbolt v1.3.7 // indirect - golang.org/x/crypto v0.8.0 // indirect + golang.org/x/crypto v0.11.0 // indirect golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect - golang.org/x/net v0.9.0 // indirect - golang.org/x/sys v0.7.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/net v0.13.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/term v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect + golang.org/x/time v0.3.0 // indirect + google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/api v0.28.1 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/go.sum b/go.sum index 1079fe5f..551e9fcd 100644 --- a/go.sum +++ b/go.sum 
@@ -125,6 +125,7 @@ github.com/cosmos/ledger-cosmos-go v0.12.2 h1:/XYaBlE2BJxtvpkHiBm97gFGSGmYGKunKy github.com/cosmos/ledger-cosmos-go v0.12.2/go.mod h1:ZcqYgnfNJ6lAXe4HPtWgarNEY+B74i+2/8MhZw4ziiI= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= @@ -144,6 +145,8 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -182,8 +185,18 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0= github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
@@ -230,6 +243,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -260,8 +275,11 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= 
@@ -328,8 +346,12 @@ github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7P github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jmhodges/levigo v1.0.0 h1:q5EC36kV79HWeTBWsod3mG11EgStG3qArTKcvlksN1U= github.com/jmhodges/levigo v1.0.0/go.mod h1:Q6Qx+uH3RAqyK4rFQroq9RL7mdkABMcfhEI+nNuzMJQ= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 
@@ -342,10 +364,12 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kraken-hpc/go-fork v0.1.1 h1:O3X/ynoNy/eS7UIcZYef8ndFq2RXEIOue9kZqyzF0Sk= github.com/kraken-hpc/go-fork v0.1.1/go.mod h1:uu0e5h+V4ONH5Qk/xuVlyNXJXy/swhqGIEMK7w+9dNc= github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8= @@ -353,6 +377,8 @@ github.com/libp2p/go-buffer-pool v0.1.0/go.mod h1:N+vh8gMqimBzdKkSMVuydVDq+UV5QT github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 
@@ -378,10 +404,15 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= 
@@ -392,11 +423,12 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.20.0 h1:8W0cWlwFkflGPLltQvLRB7ZVD5HuP6ng320w2IS245Q= +github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
@@ -441,7 +473,7 @@ github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sasha-s/go-deadlock v0.3.1 h1:sqv7fDNShgjcaxkO0JNcOAlr8B9+cV5Ey/OB71efZx0= @@ -534,8 +566,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= -golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -614,8 +646,8 @@ golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT golang.org/x/net v0.0.0-20210907225631-ff17edfbf26d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= -golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= +golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -625,6 +657,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -700,11 +734,12 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= -golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -714,11 +749,13 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -771,6 +808,7 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -801,6 +839,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -885,8 +924,11 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= @@ -896,6 +938,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -909,9 +952,25 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108= +k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg= +k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY= +k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= +k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8= +k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pgregory.net/rapid v0.5.5 h1:jkgx1TjbQPD/feRoK+S/mXw9e1uj6WilpHrXJowi6oA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 
h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/signer/proxy/privval/errors.go b/signer/proxy/privval/errors.go
new file mode 100644
index 00000000..297d5dca
--- /dev/null
+++ b/signer/proxy/privval/errors.go
@@ -0,0 +1,35 @@
+package privval
+
+import (
+ "errors"
+ "fmt"
+)
+
+// EndpointTimeoutError occurs when endpoint times out.
+type EndpointTimeoutError struct{}
+
+// Implement the net.Error interface.
+func (e EndpointTimeoutError) Error() string { return "endpoint connection timed out" }
+func (e EndpointTimeoutError) Timeout() bool { return true }
+func (e EndpointTimeoutError) Temporary() bool { return true }
+
+// Socket errors.
+var (
+ ErrConnectionTimeout = EndpointTimeoutError{}
+ ErrNoConnection = errors.New("endpoint is not connected")
+ ErrReadTimeout = errors.New("endpoint read timed out")
+ ErrUnexpectedResponse = errors.New("empty response")
+ ErrWriteTimeout = errors.New("endpoint write timed out")
+)
+
+// RemoteSignerError allows (remote) validators to include meaningful error
+// descriptions in their reply.
+type RemoteSignerError struct {
+ // TODO(ismail): create an enum of known errors
+ Code int
+ Description string
+}
+
+func (e *RemoteSignerError) Error() string {
+ return fmt.Sprintf("signerEndpoint returned error #%d: %s", e.Code, e.Description)
+}
diff --git a/signer/proxy/privval/msgs.go b/signer/proxy/privval/msgs.go
new file mode 100644
index 00000000..1d110ef7
--- /dev/null
+++ b/signer/proxy/privval/msgs.go
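Review bot: In errors.go, `ErrUnexpectedResponse` carries the text "empty response", which does not match its name. If it is returned for a reply of the wrong type rather than a missing one (the callers are outside this hunk), the log line will point an operator at the wrong failure during triage. I would align the two, e.g. `ErrUnexpectedResponse = errors.New("unexpected response")`, or rename the variable if "empty" is what is meant. The comment `// Implement the net.Error interface.` is also unenforced; `var _ net.Error = EndpointTimeoutError{}` would have the compiler check it, at the cost of importing `net`.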
@@ -0,0 +1,38 @@
+package privval
+
+import (
+ "fmt"
+
+ "github.com/cosmos/gogoproto/proto"
+
+ privvalproto "github.com/cometbft/cometbft/proto/tendermint/privval"
+)
+
+func mustWrapMsg(pb proto.Message) privvalproto.Message {
+ msg := privvalproto.Message{}
+
+ switch pb := pb.(type) {
+ case *privvalproto.Message:
+ msg = *pb
+ case *privvalproto.PubKeyRequest:
+ msg.Sum = &privvalproto.Message_PubKeyRequest{PubKeyRequest: pb}
+ case *privvalproto.PubKeyResponse:
+ msg.Sum = &privvalproto.Message_PubKeyResponse{PubKeyResponse: pb}
+ case *privvalproto.SignVoteRequest:
+ msg.Sum = &privvalproto.Message_SignVoteRequest{SignVoteRequest: pb}
+ case *privvalproto.SignedVoteResponse:
+ msg.Sum = &privvalproto.Message_SignedVoteResponse{SignedVoteResponse: pb}
+ case *privvalproto.SignedProposalResponse:
+ msg.Sum = &privvalproto.Message_SignedProposalResponse{SignedProposalResponse: pb}
+ case *privvalproto.SignProposalRequest:
+ msg.Sum = &privvalproto.Message_SignProposalRequest{SignProposalRequest: pb}
+ case *privvalproto.PingRequest:
+ msg.Sum = &privvalproto.Message_PingRequest{PingRequest: pb}
+ case *privvalproto.PingResponse:
+ msg.Sum = &privvalproto.Message_PingResponse{PingResponse: pb}
+ default:
+ panic(fmt.Errorf("unknown message type %T", pb))
+ }
+
+ return msg
+}
diff --git a/signer/proxy/privval/signer_endpoint.go b/signer/proxy/privval/signer_endpoint.go
new file mode 100644
index 00000000..2b4abe2d
--- /dev/null
+++ b/signer/proxy/privval/signer_endpoint.go
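Review bot: `mustWrapMsg` in signer/proxy/privval/msgs.go has no doc comment, and its `default:` branch panics, so the rule that callers may pass only the listed privval types is invisible at the call site. I would add `// mustWrapMsg wraps a privval request or response in a privvalproto.Message; it panics on any other type, so call it only with statically known message types.` above the function. The only caller visible in this commit passes a literal `&privvalproto.PingRequest{}`, which is safe; the comment keeps a later caller from routing values received from a peer through it.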
@@ -0,0 +1,156 @@
+package privval
+
+import (
+ "fmt"
+ "net"
+ "time"
+
+ "github.com/cometbft/cometbft/libs/protoio"
+ "github.com/cometbft/cometbft/libs/service"
+ cmtsync "github.com/cometbft/cometbft/libs/sync"
+ privvalproto "github.com/cometbft/cometbft/proto/tendermint/privval"
+)
+
+const (
+ defaultTimeoutReadWriteSeconds = 5
+)
+
+type signerEndpoint struct {
+ service.BaseService
+
+ connMtx cmtsync.Mutex
+ conn net.Conn
+
+ timeoutReadWrite time.Duration
+}
+
+// Close closes the underlying net.Conn.
+func (se *signerEndpoint) Close() error {
+ se.DropConnection()
+ return nil
+}
+
+// IsConnected indicates if there is an active connection
+func (se *signerEndpoint) IsConnected() bool {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+ return se.isConnected()
+}
+
+// TryGetConnection retrieves a connection if it is already available
+func (se *signerEndpoint) GetAvailableConnection(connectionAvailableCh chan net.Conn) bool {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+
+ // Is there a connection ready?
+ select {
+ case se.conn = <-connectionAvailableCh:
+ return true
+ default:
+ }
+ return false
+}
+
+// TryGetConnection retrieves a connection if it is already available
+func (se *signerEndpoint) WaitConnection(connectionAvailableCh chan net.Conn, maxWait time.Duration) error {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+
+ select {
+ case se.conn = <-connectionAvailableCh:
+ case <-time.After(maxWait):
+ return ErrConnectionTimeout
+ }
+
+ return nil
+}
+
+// SetConnection replaces the current connection object
+func (se *signerEndpoint) SetConnection(newConnection net.Conn) {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+ se.conn = newConnection
+}
+
+// IsConnected indicates if there is an active connection
+func (se *signerEndpoint) DropConnection() {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+ se.dropConnection()
+}
+
+// ReadMessage reads a message from the endpoint
+func (se *signerEndpoint) ReadMessage() (msg privvalproto.Message, err error) {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+
+ if !se.isConnected() {
+ return msg, fmt.Errorf("endpoint is not connected: %w", ErrNoConnection)
+ }
+ // Reset read deadline
+ deadline := time.Now().Add(se.timeoutReadWrite)
+
+ err = se.conn.SetReadDeadline(deadline)
+ if err != nil {
+ return
+ }
+ const maxRemoteSignerMsgSize = 1024 * 10
+ protoReader := protoio.NewDelimitedReader(se.conn, maxRemoteSignerMsgSize)
+ _, err = protoReader.ReadMsg(&msg)
+ if _, ok := err.(timeoutError); ok {
+ if err != nil {
+ err = fmt.Errorf("%v: %w", err, ErrReadTimeout)
+ } else {
+ err = fmt.Errorf("empty error: %w", ErrReadTimeout)
+ }
+
+ se.Logger.Debug("Dropping [read]", "obj", se)
+ se.dropConnection()
+ }
+
+ return
+}
+
+// WriteMessage writes a message from the endpoint
+func (se *signerEndpoint) WriteMessage(msg privvalproto.Message) (err error) {
+ se.connMtx.Lock()
+ defer se.connMtx.Unlock()
+
+ if !se.isConnected() {
+ return fmt.Errorf("endpoint is not connected: %w", ErrNoConnection)
+ }
+
+ protoWriter := protoio.NewDelimitedWriter(se.conn)
+
+ // Reset read deadline
+ deadline := time.Now().Add(se.timeoutReadWrite)
+ err = se.conn.SetWriteDeadline(deadline)
+ if err != nil {
+ return
+ }
+
+ _, err = protoWriter.WriteMsg(&msg)
+ if _, ok := err.(timeoutError); ok {
+ if err != nil {
+ err = fmt.Errorf("%v: %w", err, ErrWriteTimeout)
+ } else {
+ err = fmt.Errorf("empty error: %w", ErrWriteTimeout)
+ }
+ se.dropConnection()
+ }
+
+ return
+}
+
+func (se *signerEndpoint) isConnected() bool {
+ return se.conn != nil
+}
+
+func (se *signerEndpoint) dropConnection() {
+ if se.conn != nil {
+ if err := se.conn.Close(); err != nil {
+ se.Logger.Error("signerEndpoint::dropConnection", "err", err)
+ }
+ se.conn = nil
+ }
+}
diff --git a/signer/proxy/privval/signer_listener_endpoint.go b/signer/proxy/privval/signer_listener_endpoint.go
new file mode 100644
index 00000000..22bc9989
--- /dev/null
+++ b/signer/proxy/privval/signer_listener_endpoint.go
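Review bot: In `ReadMessage` and `WriteMessage` of signer/proxy/privval/signer_endpoint.go, the test `if _, ok := err.(timeoutError); ok` only checks that the error has a `Timeout()` method and never calls it. Any error type carrying that method is therefore reported as `ErrReadTimeout`/`ErrWriteTimeout` even when it is not a timeout, while an error without the method (a plain EOF, for example) leaves the broken connection installed. The inner `else` that builds "empty error" cannot run, because the assertion is false for a nil `err`. Consider dropping the connection on any non-nil error and wrapping with the timeout sentinel only under `if te, ok := err.(timeoutError); ok && te.Timeout() {`. The doc comments also need correcting: `GetAvailableConnection` and `WaitConnection` are both headed `TryGetConnection`, `DropConnection` is headed `IsConnected`, and the deadline comment in `WriteMessage` says `Reset read deadline`.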
@@ -0,0 +1,223 @@
+package privval
+
+import (
+ "fmt"
+ "net"
+ "time"
+
+ "github.com/cometbft/cometbft/libs/log"
+ "github.com/cometbft/cometbft/libs/service"
+ cometsync "github.com/cometbft/cometbft/libs/sync"
+ privvalproto "github.com/cometbft/cometbft/proto/tendermint/privval"
+)
+
+// SignerListenerEndpointOption sets an optional parameter on the SignerListenerEndpoint.
+type SignerListenerEndpointOption func(*SignerListenerEndpoint)
+
+// SignerListenerEndpointTimeoutReadWrite sets the read and write timeout for
+// connections from external signing processes.
+//
+// Default: 5s
+func SignerListenerEndpointTimeoutReadWrite(timeout time.Duration) SignerListenerEndpointOption {
+ return func(sl *SignerListenerEndpoint) { sl.signerEndpoint.timeoutReadWrite = timeout }
+}
+
+// SignerListenerEndpoint listens for an external process to dial in and keeps
+// the connection alive by dropping and reconnecting.
+//
+// The process will send pings every ~3s (read/write timeout * 2/3) to keep the
+// connection alive.
+type SignerListenerEndpoint struct {
+ signerEndpoint
+
+ listener net.Listener
+ connectRequestCh chan struct{}
+ connectionAvailableCh chan net.Conn
+
+ timeoutAccept time.Duration
+ pingTimer *time.Ticker
+ pingInterval time.Duration
+
+ instanceMtx cometsync.Mutex // Ensures instance public methods access, i.e. SendRequest
+}
+
+// NewSignerListenerEndpoint returns an instance of SignerListenerEndpoint.
+func NewSignerListenerEndpoint(
+ logger log.Logger,
+ listener net.Listener,
+ options ...SignerListenerEndpointOption,
+) *SignerListenerEndpoint {
+ sl := &SignerListenerEndpoint{
+ listener: listener,
+ timeoutAccept: defaultTimeoutAcceptSeconds * time.Second,
+ }
+
+ sl.BaseService = *service.NewBaseService(logger, "SignerListenerEndpoint", sl)
+ sl.signerEndpoint.timeoutReadWrite = defaultTimeoutReadWriteSeconds * time.Second
+
+ for _, optionFunc := range options {
+ optionFunc(sl)
+ }
+
+ return sl
+}
+
+// OnStart implements service.Service.
+func (sl *SignerListenerEndpoint) OnStart() error {
+ sl.connectRequestCh = make(chan struct{})
+ sl.connectionAvailableCh = make(chan net.Conn)
+
+ // NOTE: ping timeout must be less than read/write timeout
+ sl.pingInterval = time.Duration(sl.signerEndpoint.timeoutReadWrite.Milliseconds()*2/3) * time.Millisecond
+ sl.pingTimer = time.NewTicker(sl.pingInterval)
+
+ go sl.serviceLoop()
+ go sl.pingLoop()
+
+ sl.connectRequestCh <- struct{}{}
+
+ return nil
+}
+
+// OnStop implements service.Service
+func (sl *SignerListenerEndpoint) OnStop() {
+ sl.instanceMtx.Lock()
+ defer sl.instanceMtx.Unlock()
+ _ = sl.Close()
+
+ // Stop listening
+ if sl.listener != nil {
+ if err := sl.listener.Close(); err != nil {
+ sl.Logger.Error("Closing Listener", "err", err)
+ sl.listener = nil
+ }
+ }
+
+ sl.pingTimer.Stop()
+}
+
+// WaitForConnection waits maxWait for a connection or returns a timeout error
+func (sl *SignerListenerEndpoint) WaitForConnection(maxWait time.Duration) error {
+ sl.instanceMtx.Lock()
+ defer sl.instanceMtx.Unlock()
+ return sl.ensureConnection(maxWait)
+}
+
+// SendRequest ensures there is a connection, sends a request and waits for a response
+func (sl *SignerListenerEndpoint) SendRequest(request privvalproto.Message) (*privvalproto.Message, error) {
+ sl.instanceMtx.Lock()
+ defer sl.instanceMtx.Unlock()
+
+ err := sl.ensureConnection(sl.timeoutAccept)
+ if err != nil {
+ return nil, err
+ }
+
+ err = sl.WriteMessage(request)
+ if err != nil {
+ return nil, err
+ }
+
+ res, err := sl.ReadMessage()
+ if err != nil {
+ return nil, err
+ }
+
+ // Reset pingTimer to avoid sending unnecessary pings.
+ sl.pingTimer.Reset(sl.pingInterval)
+
+ return &res, nil
+}
+
+func (sl *SignerListenerEndpoint) ensureConnection(maxWait time.Duration) error {
+ if sl.IsConnected() {
+ return nil
+ }
+
+ // Is there a connection ready? then use it
+ if sl.GetAvailableConnection(sl.connectionAvailableCh) {
+ return nil
+ }
+
+ // block until connected or timeout
+ sl.Logger.Info("SignerListener: Blocking for connection")
+ sl.triggerConnect()
+ err := sl.WaitConnection(sl.connectionAvailableCh, maxWait)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (sl *SignerListenerEndpoint) acceptNewConnection() (net.Conn, error) {
+ if !sl.IsRunning() || sl.listener == nil {
+ return nil, fmt.Errorf("endpoint is closing")
+ }
+
+ // wait for a new conn
+ sl.Logger.Info("SignerListener: Listening for new connection")
+ conn, err := sl.listener.Accept()
+ if err != nil {
+ return nil, err
+ }
+
+ return conn, nil
+}
+
+func (sl *SignerListenerEndpoint) triggerConnect() {
+ select {
+ case sl.connectRequestCh <- struct{}{}:
+ default:
+ }
+}
+
+func (sl *SignerListenerEndpoint) triggerReconnect() {
+ sl.DropConnection()
+ sl.triggerConnect()
+}
+
+func (sl *SignerListenerEndpoint) serviceLoop() {
+ for {
+ select {
+ case <-sl.connectRequestCh:
+ {
+ conn, err := sl.acceptNewConnection()
+ if err == nil {
+ sl.Logger.Info("SignerListener: Connected")
+
+ // We have a good connection, wait for someone that needs one otherwise cancellation
+ select {
+ case sl.connectionAvailableCh <- conn:
+ case <-sl.Quit():
+ return
+ }
+ }
+
+ select {
+ case sl.connectRequestCh <- struct{}{}:
+ default:
+ }
+ }
+ case <-sl.Quit():
+ return
+ }
+ }
+}
+
+func (sl *SignerListenerEndpoint) pingLoop() {
+ for {
+ select {
+ case <-sl.pingTimer.C:
+ {
+ _, err := sl.SendRequest(mustWrapMsg(&privvalproto.PingRequest{}))
+ if err != nil {
+ sl.Logger.Error("SignerListener: Ping timeout")
+ sl.triggerReconnect()
+ }
+ }
+ case <-sl.Quit():
+ return
+ }
+ }
+}
diff --git a/signer/proxy/privval/socket_listeners.go b/signer/proxy/privval/socket_listeners.go
new file mode 100644
index 00000000..6d406bd6
--- /dev/null
+++ b/signer/proxy/privval/socket_listeners.go
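Review bot: In `OnStop` of signer/proxy/privval/signer_listener_endpoint.go, `sl.listener = nil` sits inside the `if err := sl.listener.Close(); err != nil` branch, so the field is cleared only when closing fails. `acceptNewConnection` also reads `sl.listener` from the `serviceLoop` goroutine without taking `instanceMtx`, so that write is not synchronised with the read. Either drop the assignment and rely on the `IsRunning()` check, or clear the field unconditionally under a lock that `acceptNewConnection` also takes. Separately, `pingLoop` logs every `SendRequest` failure as "Ping timeout" and discards the error; `sl.Logger.Error("SignerListener: ping failed", "err", err)` would let an operator tell a timeout from a failed handshake or a protocol error.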
@@ -0,0 +1,190 @@
+package privval
+
+import (
+ "net"
+ "time"
+
+ "github.com/cometbft/cometbft/crypto/ed25519"
+ p2pconn "github.com/cometbft/cometbft/p2p/conn"
+)
+
+const (
+ defaultTimeoutAcceptSeconds = 3
+)
+
+// timeoutError can be used to check if an error returned from the netp package
+// was due to a timeout.
+type timeoutError interface {
+ Timeout() bool
+}
+
+//------------------------------------------------------------------
+// TCP Listener
+
+// TCPListenerOption sets an optional parameter on the tcpListener.
+type TCPListenerOption func(*TCPListener)
+
+// TCPListenerTimeoutAccept sets the timeout for the listener.
+// A zero time value disables the timeout.
+func TCPListenerTimeoutAccept(timeout time.Duration) TCPListenerOption {
+ return func(tl *TCPListener) { tl.timeoutAccept = timeout }
+}
+
+// TCPListenerTimeoutReadWrite sets the read and write timeout for connections
+// from external signing processes.
+func TCPListenerTimeoutReadWrite(timeout time.Duration) TCPListenerOption {
+ return func(tl *TCPListener) { tl.timeoutReadWrite = timeout }
+}
+
+// tcpListener implements net.Listener.
+var _ net.Listener = (*TCPListener)(nil)
+
+// TCPListener wraps a *net.TCPListener to standardize protocol timeouts
+// and potentially other tuning parameters. It also returns encrypted connections.
+type TCPListener struct {
+ *net.TCPListener
+
+ secretConnKey ed25519.PrivKey
+
+ timeoutAccept time.Duration
+ timeoutReadWrite time.Duration
+}
+
+// NewTCPListener returns a listener that accepts authenticated encrypted connections
+// using the given secretConnKey and the default timeout values.
+func NewTCPListener(ln net.Listener, secretConnKey ed25519.PrivKey) *TCPListener {
+ return &TCPListener{
+ TCPListener: ln.(*net.TCPListener),
+ secretConnKey: secretConnKey,
+ timeoutAccept: time.Second * defaultTimeoutAcceptSeconds,
+ timeoutReadWrite: time.Second * defaultTimeoutReadWriteSeconds,
+ }
+}
+
+// Accept implements net.Listener.
+func (ln *TCPListener) Accept() (net.Conn, error) {
+ deadline := time.Now().Add(ln.timeoutAccept)
+ err := ln.SetDeadline(deadline)
+ if err != nil {
+ return nil, err
+ }
+
+ tc, err := ln.AcceptTCP()
+ if err != nil {
+ return nil, err
+ }
+
+ // Wrap the conn in our timeout and encryption wrappers
+ timeoutConn := newTimeoutConn(tc, ln.timeoutReadWrite)
+ secretConn, err := p2pconn.MakeSecretConnection(timeoutConn, ln.secretConnKey)
+ if err != nil {
+ return nil, err
+ }
+
+ return secretConn, nil
+}
+
+//------------------------------------------------------------------
+// Unix Listener
+
+// unixListener implements net.Listener.
+var _ net.Listener = (*UnixListener)(nil)
+
+type UnixListenerOption func(*UnixListener)
+
+// UnixListenerTimeoutAccept sets the timeout for the listener.
+// A zero time value disables the timeout.
+func UnixListenerTimeoutAccept(timeout time.Duration) UnixListenerOption {
+ return func(ul *UnixListener) { ul.timeoutAccept = timeout }
+}
+
+// UnixListenerTimeoutReadWrite sets the read and write timeout for connections
+// from external signing processes.
+func UnixListenerTimeoutReadWrite(timeout time.Duration) UnixListenerOption {
+ return func(ul *UnixListener) { ul.timeoutReadWrite = timeout }
+}
+
+// UnixListener wraps a *net.UnixListener to standardize protocol timeouts
+// and potentially other tuning parameters. It returns unencrypted connections.
+type UnixListener struct {
+ *net.UnixListener
+
+ timeoutAccept time.Duration
+ timeoutReadWrite time.Duration
+}
+
+// NewUnixListener returns a listener that accepts unencrypted connections
+// using the default timeout values.
+func NewUnixListener(ln net.Listener) *UnixListener {
+ return &UnixListener{
+ UnixListener: ln.(*net.UnixListener),
+ timeoutAccept: time.Second * defaultTimeoutAcceptSeconds,
+ timeoutReadWrite: time.Second * defaultTimeoutReadWriteSeconds,
+ }
+}
+
+// Accept implements net.Listener.
+func (ln *UnixListener) Accept() (net.Conn, error) {
+ deadline := time.Now().Add(ln.timeoutAccept)
+ err := ln.SetDeadline(deadline)
+ if err != nil {
+ return nil, err
+ }
+
+ tc, err := ln.AcceptUnix()
+ if err != nil {
+ return nil, err
+ }
+
+ // Wrap the conn in our timeout wrapper
+ conn := newTimeoutConn(tc, ln.timeoutReadWrite)
+
+ // TODO: wrap in something that authenticates
+ // with a MAC - https://github.com/tendermint/tendermint/issues/3099
+
+ return conn, nil
+}
+
+//------------------------------------------------------------------
+// Connection
+
+// timeoutConn implements net.Conn.
+var _ net.Conn = (*timeoutConn)(nil)
+
+// timeoutConn wraps a net.Conn to standardize protocol timeouts / deadline resets.
+type timeoutConn struct {
+ net.Conn
+ timeout time.Duration
+}
+
+// newTimeoutConn returns an instance of timeoutConn.
+func newTimeoutConn(conn net.Conn, timeout time.Duration) *timeoutConn {
+ return &timeoutConn{
+ conn,
+ timeout,
+ }
+}
+
+// Read implements net.Conn.
+func (c timeoutConn) Read(b []byte) (n int, err error) {
+ // Reset deadline
+ deadline := time.Now().Add(c.timeout)
+ err = c.Conn.SetReadDeadline(deadline)
+ if err != nil {
+ return
+ }
+
+ return c.Conn.Read(b)
+}
+
+// Write implements net.Conn.
+func (c timeoutConn) Write(b []byte) (n int, err error) {
+ // Reset deadline
+ deadline := time.Now().Add(c.timeout)
+ err = c.Conn.SetWriteDeadline(deadline)
+ if err != nil {
+ return
+ }
+
+ return c.Conn.Write(b)
+}
diff --git a/signer/proxy/proxy.go b/signer/proxy/proxy.go
new file mode 100644
index 00000000..eddd41c3
--- /dev/null
+++ b/signer/proxy/proxy.go
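Review bot: `TCPListener.Accept` in signer/proxy/privval/socket_listeners.go returns as soon as `p2pconn.MakeSecretConnection` succeeds and never inspects the peer's public key, so the handshake encrypts the link but does not restrict who may dial in. `NewSignerListenerEndpoint` in signer/proxy/proxy.go also passes a fresh `ed25519.GenPrivKey()` on every start, so the dialing signer cannot pin the proxy's identity either. If the listen address is reachable by anything other than the intended signer, whichever peer completes the handshake becomes the endpoint that answers sign requests. I would compare `secretConn.RemotePubKey()` against a configured allowlist before returning the connection, or document that network policy is the intended control. On the handshake error path `tc` is not closed, so add `_ = tc.Close()` before `return nil, err`; `NewTCPListener` and `NewUnixListener` also use unchecked assertions such as `ln.(*net.TCPListener)`, which panic on any other listener type.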
@@ -0,0 +1,136 @@
+package proxy
+
+import (
+ "net"
+
+ cometcrypto "github.com/cometbft/cometbft/crypto"
+ "github.com/cometbft/cometbft/crypto/ed25519"
+ cometcryptoed25519 "github.com/cometbft/cometbft/crypto/ed25519"
+ cometlog "github.com/cometbft/cometbft/libs/log"
+ cometnet "github.com/cometbft/cometbft/libs/net"
+ cometos "github.com/cometbft/cometbft/libs/os"
+ cometservice "github.com/cometbft/cometbft/libs/service"
+ cometprotoprivval "github.com/cometbft/cometbft/proto/tendermint/privval"
+ cometproto "github.com/cometbft/cometbft/proto/tendermint/types"
+ "github.com/strangelove-ventures/horcrux/signer"
+ "github.com/strangelove-ventures/horcrux/signer/proxy/privval"
+)
+
+var _ signer.PrivValidator = (*PrivValProxy)(nil)
+
+type PrivValProxy struct {
+ sl *privval.SignerListenerEndpoint
+}
+
+func NewPrivValProxy(sl *privval.SignerListenerEndpoint) *PrivValProxy {
+ return &PrivValProxy{sl: sl}
+}
+
+func (p *PrivValProxy) SignVote(chainID string, vote *cometproto.Vote) error {
+ req := cometprotoprivval.Message{
+ Sum: &cometprotoprivval.Message_SignVoteRequest{
+ SignVoteRequest: &cometprotoprivval.SignVoteRequest{
+ ChainId: chainID,
+ Vote: vote,
+ },
+ },
+ }
+
+ res, err := p.sl.SendRequest(req)
+ if err != nil {
+ return err
+ }
+
+ signed := res.GetSignedVoteResponse()
+
+ *vote = signed.Vote
+
+ return nil
+}
+
+func (p *PrivValProxy) SignProposal(chainID string, proposal *cometproto.Proposal) error {
+ req := cometprotoprivval.Message{
+ Sum: &cometprotoprivval.Message_SignProposalRequest{
+ SignProposalRequest: &cometprotoprivval.SignProposalRequest{
+ ChainId: chainID,
+ Proposal: proposal,
+ },
+ },
+ }
+
+ res, err := p.sl.SendRequest(req)
+ if err != nil {
+ return err
+ }
+
+ signed := res.GetSignedProposalResponse()
+
+ *proposal = signed.Proposal
+
+ return nil
+}
+
+func (p *PrivValProxy) GetPubKey(chainID string) (cometcrypto.PubKey, error) {
+ req := cometprotoprivval.Message{
+ Sum: &cometprotoprivval.Message_PubKeyRequest{
+ PubKeyRequest: &cometprotoprivval.PubKeyRequest{
+ ChainId: chainID,
+ },
+ },
+ }
+
+ res, err := p.sl.SendRequest(req)
+ if err != nil {
+ return nil, err
+ }
+
+ pub := res.GetPubKeyResponse().PubKey.GetEd25519()
+
+ return cometcryptoed25519.PubKey(pub), nil
+}
+
+func (p *PrivValProxy) Stop() {
+ _ = p.sl.Stop()
+}
+
+func NewSignerListenerEndpoint(logger cometlog.Logger, addr string) *privval.SignerListenerEndpoint {
+ proto, address := cometnet.ProtocolAndAddress(addr)
+
+ ln, err := net.Listen(proto, address)
+ logger.Info("SignerListener: Listening", "proto", proto, "address", address)
+ if err != nil {
+ panic(err)
+ }
+
+ var listener net.Listener
+
+ if proto == "unix" {
+ unixLn := privval.NewUnixListener(ln)
+ listener = unixLn
+ } else {
+ tcpLn := privval.NewTCPListener(ln, ed25519.GenPrivKey())
+ listener = tcpLn
+ }
+
+ return privval.NewSignerListenerEndpoint(
+ logger,
+ listener,
+ )
+}
+
+func WaitAndTerminate(logger cometlog.Logger, listener cometservice.Service, sentries map[string]*signer.ReconnRemoteSigner) {
+ done := make(chan struct{})
+ cometos.TrapSignal(logger, func() {
+ for _, s := range sentries {
+ err := s.Stop()
+ if err != nil {
+ panic(err)
+ }
+ }
+ if err := listener.Stop(); err != nil {
+ panic(err)
+ }
+ close(done)
+ })
+ <-done
+}
diff --git a/signer/proxy/watcher.go b/signer/proxy/watcher.go
new file mode 100644
index 00000000..98d0c2cd
--- /dev/null
+++ b/signer/proxy/watcher.go
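Review bot: In signer/proxy/proxy.go, `SignVote`, `SignProposal` and `GetPubKey` dereference the result of `GetSignedVoteResponse()`, `GetSignedProposalResponse()` and `GetPubKeyResponse()` without a nil check, and they ignore the response's `Error` field. A reply of a different message type from the connected peer therefore panics the proxy, and a reply carrying a remote signer error is treated as success and overwrites `*vote` or `*proposal` with whatever payload the response holds. Check both before copying, as sketched below for `SignVote`; the other two methods need the same guard. `NewSignerListenerEndpoint` also logs "Listening" before it checks the `net.Listen` error.

```go
	// … unchanged: request construction and p.sl.SendRequest(req) error check …

	signed := res.GetSignedVoteResponse()
	if signed == nil {
		// The peer answered with a different message type.
		return privval.ErrUnexpectedResponse
	}
	if signed.Error != nil {
		// Surface the remote signer's refusal instead of copying the payload.
		return &privval.RemoteSignerError{
			Code:        int(signed.Error.Code),
			Description: signed.Error.Description,
		}
	}

	*vote = signed.Vote
```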
@@ -0,0 +1,180 @@
+package proxy
+
+import (
+ "context"
+ "fmt"
+ "net"
+ "os"
+ "time"
+
+ cometlog "github.com/cometbft/cometbft/libs/log"
+ "github.com/strangelove-ventures/horcrux/signer"
+ "github.com/strangelove-ventures/horcrux/signer/proxy/privval"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+)
+
+const (
+ namespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+ labelCosmosSentry = "app.kubernetes.io/component=cosmos-sentry"
+)
+
+func WatchForChangedSentries(
+ ctx context.Context,
+ logger cometlog.Logger,
+ listener *privval.SignerListenerEndpoint,
+ sentries map[string]*signer.ReconnRemoteSigner,
+ all bool, // should we connect to sentries on all nodes, or just this node?
+) error {
+ config, err := rest.InClusterConfig()
+ if err != nil {
+ return fmt.Errorf("failed to get in cluster config: %w", err)
+ }
+
+ clientset, err := kubernetes.NewForConfig(config)
+ if err != nil {
+ return fmt.Errorf("failed to create kube clientset: %w", err)
+ }
+
+ thisNode := ""
+ if !all {
+ // need to determine which node this pod is on so we can only connect to sentries on this node
+
+ nsbz, err := os.ReadFile(namespaceFile)
+ if err != nil {
+ return fmt.Errorf("failed to read namespace from service account: %w", err)
+ }
+ ns := string(nsbz)
+
+ thisPod, err := clientset.CoreV1().Pods(ns).Get(ctx, os.Getenv("HOSTNAME"), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to get this pod: %w", err)
+ }
+
+ thisNode = thisPod.Spec.NodeName
+ }
+
+ t := time.NewTimer(30 * time.Second)
+
+ go func() {
+ for {
+ if err := reconcileSentries(ctx, logger, listener, sentries, thisNode, clientset, all); err != nil {
+ logger.Error("Failed to reconcile sentries with kube api", "error", err)
+ }
+ select {
+ case <-ctx.Done():
+ return
+ case <-t.C:
+ t.Reset(30 * time.Second)
+ }
+ }
+ }()
+
+ return nil
+}
+
+func reconcileSentries(
+ ctx context.Context,
+ logger cometlog.Logger,
+ listener *privval.SignerListenerEndpoint,
+ sentries map[string]*signer.ReconnRemoteSigner,
+ thisNode string,
+ clientset *kubernetes.Clientset,
+ all bool, // should we connect to sentries on all nodes, or just this node?
+) error {
+ ns, err := clientset.CoreV1().Namespaces().List(ctx, metav1.ListOptions{
+ LabelSelector: labelCosmosSentry,
+ })
+ if err != nil {
+ return fmt.Errorf("failed to list namespaces: %w", err)
+ }
+
+ configNodes := make([]string, 0)
+
+ for _, n := range ns.Items {
+ services, err := clientset.CoreV1().Services(n.Name).List(ctx, metav1.ListOptions{
+ LabelSelector: labelCosmosSentry,
+ })
+
+ if err != nil {
+ return fmt.Errorf("failed to list services in namespace %s: %w", n.Name, err)
+ }
+
+ for _, s := range services.Items {
+ if len(s.Spec.Ports) != 1 || s.Spec.Ports[0].Name != "sentry-privval" {
+ continue
+ }
+
+ set := labels.Set(s.Spec.Selector)
+
+ pods, err := clientset.CoreV1().Pods(n.Name).List(ctx, metav1.ListOptions{LabelSelector: set.AsSelector().String()})
+ if err != nil {
+ return fmt.Errorf("failed to list pods in namespace for service %s: %w", n.Name, err)
+ }
+
+ if len(pods.Items) != 1 {
+ continue
+ }
+
+ if !all && pods.Items[0].Spec.NodeName != thisNode {
+ continue
+ }
+
+ // Connect to this service
+ configNodes = append(configNodes, fmt.Sprintf("tcp://%s.%s:%d", s.Name, n.Name, s.Spec.Ports[0].Port))
+ }
+ }
+
+ newSentries := make([]string, 0)
+
+ for _, newConfigSentry := range configNodes {
+ foundNewConfigSentry := false
+ for existingSentry := range sentries {
+ if existingSentry == newConfigSentry {
+ foundNewConfigSentry = true
+ break
+ }
+ }
+ if !foundNewConfigSentry {
+ logger.Info("Will add new sentry", "address", newConfigSentry)
+ newSentries = append(newSentries, newConfigSentry)
+ }
+ }
+
+ removedSentries := make([]string, 0)
+
+ for existingSentry := range sentries {
+ foundExistingSentry := false
+ for _, newConfigSentry := range configNodes {
+ if existingSentry == newConfigSentry {
+ foundExistingSentry = true
+ break
+ }
+ }
+ if !foundExistingSentry {
+ logger.Info("Will remove existing sentry", "address", existingSentry)
+ removedSentries = append(removedSentries, existingSentry)
+ }
+ }
+
+ for _, s := range removedSentries {
+ if err := sentries[s].Stop(); err != nil {
+ return fmt.Errorf("failed to stop remote signer: %w", err)
+ }
+ delete(sentries, s)
+ }
+
+ for _, newSentry := range newSentries {
+ dialer := net.Dialer{Timeout: 2 * time.Second}
+ s := signer.NewReconnRemoteSigner(newSentry, logger, NewPrivValProxy(listener), dialer)
+
+ if err := s.Start(); err != nil {
+ return fmt.Errorf("failed to start new remote signer(s): %w", err)
+ }
+ sentries[newSentry] = s
+ }
+
+ return nil
+}
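Review bot: The `sentries` map in signer/proxy/watcher.go is written by `reconcileSentries` from the goroutine started in `WatchForChangedSentries` (`delete(sentries, s)`, `sentries[newSentry] = s`) while `WaitAndTerminate` in signer/proxy/proxy.go ranges over the same map from its signal handler, with no lock between them. Unsynchronised map access is a data race in Go and can abort the process at shutdown, so wrap the map in a small type with a `sync.Mutex` that both paths take, or stop the reconcile goroutine and wait for it before iterating. Discovery also trusts labels alone: every namespace and service carrying `app.kubernetes.io/component=cosmos-sentry` with a single port named `sentry-privval` gets a remote signer dialled to it, so the set of endpoints whose sign requests are forwarded is defined by whoever can create or label those objects. I would document that assumption on `reconcileSentries` and scope the service account's RBAC accordingly, or add an explicit namespace allowlist. An early `return` on a failed `Stop` or `Start` also leaves the remaining removals and additions unapplied until the next 30-second pass.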