diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..75675ee
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+example/
+config.json
+Dockerfile
+README.md
+tusk.yml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..81b6472
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,20 @@
+FROM golang:1.12-alpine AS builder
+
+ENV GO111MODULE=on
+
+RUN apk add --no-cache git gcc libc-dev
+
+COPY . /go/src/github.com/sendsmaily/docker-secretprovider-pki
+
+WORKDIR /go/src/github.com/sendsmaily/docker-secretprovider-pki
+
+RUN set -ex && go install --ldflags '-extldflags "-static"'
+
+
+FROM alpine:latest
+
+RUN apk add --no-cache ca-certificates
+
+COPY --from=builder /go/bin/docker-secretprovider-pki .
+
+CMD ["docker-secretprovider-pki"]
diff --git a/config.json b/config.json
new file mode 100644
index 0000000..d5c0b57
--- /dev/null
+++ b/config.json
@@ -0,0 +1,47 @@
+{
+ "description": "PKI secrets plugin",
+ "documentation": "https://github.com/sendsmaily",
+ "env": [
+ {
+ "name": "BACKEND",
+ "description": "PKI provider backend to use",
+ "settable": [
+ "value"
+ ],
+ "value": "test"
+ }
+ ],
+ "entrypoint": [
+ "/docker-secretprovider-pki"
+ ],
+ "mounts": [
+ {
+ "destination": "/secrethub",
+ "source": "/etc/docker/secrethub",
+ "options": [
+ "rbind"
+ ],
+ "type": "bind"
+ },
+ {
+ "destination": "/docker.sock",
+ "source": "/run/docker.sock",
+ "options": [
+ "rbind"
+ ],
+ "type": "bind"
+ }
+ ],
+ "network": {
+ "type": "host"
+ },
+ "interface": {
+ "types": [
+ "docker.secretprovider/1.0"
+ ],
+ "socket": "plugin.sock"
+ },
+ "linux": {
+ "capabilities": []
+ }
+}
diff --git a/tusk.yml b/tusk.yml
new file mode 100644
index 0000000..08b0aa9
--- /dev/null
+++ b/tusk.yml
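Review bot: In the new Dockerfile the final stage uses `FROM alpine:latest`, so the root filesystem that tusk.yml exports into the plugin changes whenever that tag moves; for a secrets provider the base should be pinned, e.g. `FROM alpine:<pinned-version>@sha256:<digest>` (placeholders, pick the release you have tested). The binary is also copied to `.` with no `WORKDIR` set, which places it at `/`, and `CMD ["docker-secretprovider-pki"]` depends on a `PATH` lookup that will not find it there on the stock alpine `PATH`. config.json already refers to the absolute path, so `COPY --from=builder /go/bin/docker-secretprovider-pki /docker-secretprovider-pki` and `CMD ["/docker-secretprovider-pki"]` would make the image agree with it.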
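Review bot: In config.json the `mounts` entry that binds `/run/docker.sock` to `/docker.sock`, together with `"network": {"type": "host"}`, gives the plugin control of the Docker Engine API and therefore root-equivalent access to the host, which the empty `capabilities` list does not limit. The commit does not say which API calls the plugin needs; that should be stated in `description` or the README so operators can judge the grant before installing, and host networking should be dropped if the backend only needs outbound connections (an assumption to confirm against the plugin code, which is not in this diff). Separately, `BACKEND` defaults to `"value": "test"`; if that backend is not meant for production (inferred from the name only), an install that omits `BACKEND` silently runs with it, so consider shipping no default and failing at startup when it is unset.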
@@ -0,0 +1,37 @@
+---
+tasks:
+ set-environment:
+ private: true
+ options:
+ build-tag:
+ default:
+ command: git log -1 --pretty=%h ./
+ run:
+ - set-environment:
+ BUILD_TAG: ${build-tag}
+
+ build.plugin:
+ usage: Build the PKI plugin
+ run:
+ - task: set-environment
+ # Clean up.
+ - command: rm -rf ./plugin
+ # Build the plugin, then extract the created filesystem from the image
+ # into `./plugin/rootfs` directory.
+ - command: docker build -t sendsmaily/docker-secretprovider-pki:rootfs .
+ - command: mkdir -p ./plugin/rootfs
+ - command: docker create --name sendsmaily-pki-rootfs sendsmaily/docker-secretprovider-pki:rootfs
+ - command: docker export sendsmaily-pki-rootfs | tar -xC ./plugin/rootfs
+ - command: docker rm -vf sendsmaily-pki-rootfs
+ # Copy over configuration file needed to run the plugin.
+ - command: cp config.json ./plugin/
+ # Then create the plugin from created file system.
+ - command: docker plugin rm -f sendsmaily/docker-secretprovider-pki:${BUILD_TAG} || true
+ - command: docker plugin create sendsmaily/docker-secretprovider-pki:${BUILD_TAG} ./plugin
+
+ publish.plugin:
+ usage: Publish the PKI plugin on Docker Hub
+ run:
+ - task: set-environment
+ - command: docker plugin push sendsmaily/docker-secretprovider-pki:${BUILD_TAG}
+ - command: docker plugin push sendsmaily/docker-secretprovider-pki:latest
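Review bot: `publish.plugin` pushes `sendsmaily/docker-secretprovider-pki:latest`, but `build.plugin` only ever creates the plugin under `:${BUILD_TAG}`, so the second push either fails or publishes whatever stale `latest` plugin happens to exist on the build host. Either create it in `build.plugin` from the same `./plugin` directory with `- command: docker plugin create sendsmaily/docker-secretprovider-pki:latest ./plugin` (preceded by the matching `docker plugin rm -f … || true`), or drop the `latest` push. Also, `BUILD_TAG` comes from `git log -1 --pretty=%h ./` while `docker build` reads the working tree, so a build with uncommitted changes would be published under a commit hash it does not match; a clean-tree check before `publish.plugin` would close that gap.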