Adding encryption of k8s secrets and iso users passwords

This patchset introduces a generated with template [1] and encrypted VariableCatalogue generated-secrets that contains steps to generate: ephemeral and target CA+admin key/cert and passwords for users in ephemeral bootstrap iso. It also introduces the way how these secrets are used in manifests: They're decrypted by kustomize and incorporated into the folders `catalogues` in the site, so they can be used by replacement plugin. This patchset contains modifications in replacement plugin configurations to put the decrypted values from VariableCatalogue in place. Since k8s secrets were substituted with generated values this patchset removes pre-generated k8s secrets. [1] manifests/type/gating/target/generator/secret-template.yaml Change-Id: I0898c74012833f0e171d36bb8145acf358510b69
2021-02-02 16:55:17 +00:00 · 2021-02-02 16:55:17 +00:00 · b51e7559b6
commit b51e7559b6
parent 743f652494
42 changed files with 392 additions and 229 deletions
--- a/manifests/function/ephemeral/replacements/generated-secrets.yaml
+++ b/manifests/function/ephemeral/replacements/generated-secrets.yaml
@ -0,0 +1,72 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: generated-secrets-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.isoImage.passwords.root}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_ROOT%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.isoImage.passwords.deployer}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_DEPLOYER%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.ephemeralClusterCa.key}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_KEY%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.ephemeralClusterCa.crt}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_CERT%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_CA_CERT%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-key-data}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_ADMIN_KEY%"]
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
+  target:
+    objref:
+      kind: Secret
+      name: ephemeral-bmc-secret
+    fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_ADMIN_CERT%"]
--- a/manifests/function/ephemeral/replacements/kustomization.yaml
+++ b/manifests/function/ephemeral/replacements/kustomization.yaml
@ -3,3 +3,4 @@ kind: Kustomization
 resources:
  - ephemeral-env-vars.yaml
  - networking.yaml
+  - generated-secrets.yaml
--- a/manifests/function/ephemeral/secret.yaml
+++ b/manifests/function/ephemeral/secret.yaml
@ -17,8 +17,8 @@ stringData:
    ssh_pwauth: True
    chpasswd:
      list: |
-          root:deploY!K8s
-          deployer:deploY!K8s
+          root:REPLACEMENT_ISO_PASSWORD_ROOT
+          deployer:REPLACEMENT_ISO_PASSWORD_DEPLOYER
      expire: False
    users:
      - default
@ -42,7 +42,7 @@ stringData:
        apiVersion: v1
        clusters:
        - cluster:
-            certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1USXlOakE0TWpneU5Gb1hEVEk1TVRJeU16QTRNamd5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTFSClM0d3lnajNpU0JBZjlCR0JUS1p5VTFwYmdDaGQ2WTdJektaZWRoakM2K3k1ZEJpWm81ZUx6Z2tEc2gzOC9YQ1MKenFPS2V5cE5RcDN5QVlLdmJKSHg3ODZxSFZZNjg1ZDVYVDNaOHNyVVRzVDR5WmNzZHAzV3lHdDM0eXYzNi9BSQoxK1NlUFErdU5JemN6bzNEdWhXR0ZoQjk3VjZwRitFUTBlVWN5bk05c2hkL3AwWVFzWDR1ZlhxaENENVpzZnZUCnBka3UvTWkyWnVGUldUUUtNeGpqczV3Z2RBWnBsNnN0L2ZkbmZwd1Q5cC9WTjRuaXJnMEsxOURTSFFJTHVrU2MKb013bXNBeDJrZmxITWhPazg5S3FpMEloL2cyczRFYTRvWURZemt0Y2JRZ24wd0lqZ2dmdnVzM3pRbEczN2lwYQo4cVRzS2VmVGdkUjhnZkJDNUZNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJek9BL00xWmRGUElzd2VoWjFuemJ0VFNURG4KRHMyVnhSV0VnclFFYzNSYmV3a1NkbTlBS3MwVGR0ZHdEbnBEL2tRYkNyS2xEeFF3RWg3NFZNSFZYYkFadDdsVwpCSm90T21xdXgxYThKYklDRTljR0FHRzFvS0g5R29jWERZY0JzOTA3ckxIdStpVzFnL0xVdG5hN1dSampqZnBLCnFGelFmOGdJUHZIM09BZ3B1RVVncUx5QU8ya0VnelZwTjZwQVJxSnZVRks2TUQ0YzFmMnlxWGxwNXhrN2dFSnIKUzQ4WmF6d0RmWUVmV3Jrdld1YWdvZ1M2SktvbjVEZ0Z1ZHhINXM2Snl6R3lPVnZ0eG1TY2FvOHNxaCs3UXkybgoyLzFVcU5ZK0hlN0x4d04rYkhwYkIxNUtIMTU5ZHNuS3BRbjRORG1jSTZrVnJ3MDVJMUg5ZGRBbGF0bz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+            certificate-authority-data: REPLACEMENT_CP_KUBECONFIG_CA_CERT
            server: https://REPLACEMENT_CP_IP:REPLACEMENT_CP_PORT
          name: kubernetes
        contexts:
@ -56,19 +56,19 @@ stringData:
        users:
        - name: kubernetes-admin
          user:
-            client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZekNDQWt1Z0F3SUJBZ0lVRUZqa1hPbzMvM0YvWkg0eE12bkpTUUhVOUc4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1ERXlNekV4TnpReU5EVmFGdzAwT0RBMQpNVGd4TnpReU5EVmFNRjR4Q3pBSkJnTlZCQVlUQWxWVE1Rc3dDUVlEVlFRSURBSlVXREVPTUF3R0ExVUVCd3dGClVHeGhibTh4RnpBVkJnTlZCQW9NRG5ONWMzUmxiVHB0WVhOMFpYSnpNUmt3RndZRFZRUUREQkJyZFdKbGNtNWwKZEdWekxXRmtiV2x1TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFsWGR5bHArVwpaVVoyMStkalRXbzlrN28wK0doa20xRmduYWpnYUZMUUtZVjhXUUpMbHRGUVdQL2ZJYVdTcllhWEVzNVhiT09XCmVXWjVqR3NlRUtDQXM5Tnh3R3QzSTV6V24yT0lmeGE2MHFDRVc2OWtXd0hkalJYU3dFWEVvWnNuQlZJcVpnUE4KVjhJdHNCWW9LcFlWcVc3SnFIRWd1MGtSKzJ0cnJYa1FQVXZhT2YxWjhDYkhkS0RPMTV2bnc4aXlCVzdIRVM3NQpoTk5ON2dXQ0hiTjRNeTI0QXYzSXVaOHhST0xLM2gzcFdrU3hEVzc2MFdQcnpoVGQ5M0tBVUJyUEJMNE4yeXdwCldEc3pGSi95Q2M2WEN0czcyUUFiUmE4VWFSSkVuVUhaT0NaREtjQ3NvSVgrV1FERTV2c213OEhnYkJ1QXBCcm0KVCsrdHMvSFVEM0NMQVFJREFRQUJvMkl3WURBbkJnTlZIU01FSURBZW9SbWtGekFWTVJNd0VRWURWUVFERXdwcgpkV0psY201bGRHVnpnZ0VBTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRREFnUXdNQjBHQTFVZEpRUVdNQlFHCkNDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFKVksrcDlpVHNHSm0KZFpRNGhMSE56d01WanZiMC9DaFNLK09FTU95dm02OFFieXI0RUdZRTRzSzY4ZzVzNE9nODNHMkR4M1Z0aHpMWQpUaUhKVkl0NG9YYS8rYzlYMzFqOHFZeTNiNng1Q3VzSUgvZ3JJL3lNT3k2U2hiaEJhNG9YVG9id256NVBlZWJjCm5KMm82aHp2Qno1ZXY5WmRKYkpWZEtScXB4K25jQ0ZmbUdSYzdRenFFV3dpMFFuaEVyVFRUdmhQYWd1cjRJd0IKYktQclpCYkRIZE1KNk5IN0YxUm13MDVvODE1WVZ1Nnp3WlVjZGEyajgwbGZ0Q3MxSjVxcnRINmg4N3ppRXllbwp1dlZiMWxqTjZmWmNiMFFtaGRZNjl6K29xVEZ2U2U5QldnQXdSM0lJMFdUQzI3cS9vYjV6a09KY1JkdWJ5dENRCjlCc0VmMllnSWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-            client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBbFhkeWxwK1daVVoyMStkalRXbzlrN28wK0doa20xRmduYWpnYUZMUUtZVjhXUUpMCmx0RlFXUC9mSWFXU3JZYVhFczVYYk9PV2VXWjVqR3NlRUtDQXM5Tnh3R3QzSTV6V24yT0lmeGE2MHFDRVc2OWsKV3dIZGpSWFN3RVhFb1pzbkJWSXFaZ1BOVjhJdHNCWW9LcFlWcVc3SnFIRWd1MGtSKzJ0cnJYa1FQVXZhT2YxWgo4Q2JIZEtETzE1dm53OGl5Qlc3SEVTNzVoTk5ON2dXQ0hiTjRNeTI0QXYzSXVaOHhST0xLM2gzcFdrU3hEVzc2CjBXUHJ6aFRkOTNLQVVCclBCTDROMnl3cFdEc3pGSi95Q2M2WEN0czcyUUFiUmE4VWFSSkVuVUhaT0NaREtjQ3MKb0lYK1dRREU1dnNtdzhIZ2JCdUFwQnJtVCsrdHMvSFVEM0NMQVFJREFRQUJBb0lCQURxRVMwNkJLR1o2RWVreApaQVZaQk1hamJqMmEwVmlsb1lmWUtCTnY2S040NlZnSHVBUlI2bjBOb0JRU09MekxKclpzSm5veEdDWnJZa2NCCllRSHRkTFh5b0dSUExwTzR3YVloVjcwNTd1YXJoV1pINHFobXNKQ2Q3S2J1S2ErRGlPRmlhOHNJemduL3NkZHcKdFVVSEFYQVdPY2xDa1NnQjBaSjNXZTdPcVBiMTlFelA0TW1qQWNGYithWUMvazVITEZxS3psMkFvc3YvUVRRTQpWcTI3NHhWLzRwZHNneE5kWjdiUWhrUG9BelhvOUIrdkFQQ2J1dmhpMzVxdnRGd1RSMUduSmFsUTBDV1ZzQkcwCktwbW8wMXZwYzVpU0wzNkF6QUd6bkIrS1plK3dPRllpaGVaQnI2RnM1TWs2b0pWSFpMeG1KYllHRVN1LzFUdG0KRyticjRna0NnWUVBeExLUGpXaUFQOTd3dk1GMm45L1FXaVMvM0FiYkRvM1NVK0kwdDFWUDhob1dCSEo2aDNQNQpHK3d6T1Y2Q2VUNHpmUFlaZjNFaEJaU2V6SExQV1ZLSFliOXFNQS95TUs4R2NwMXNBZms5U3hkKzdGT1VoUXlJCmFBY0pWelhoRGtkM3kwY1EwZHV0MC8vakNueEV2ZzlYa3doK2NxUGJ4ZmlyTkkxaHJCbWtrMU1DZ1lFQXdvZUcKNHRnY09xS3BQRzVDYzVsSTFhZlNES2s4M2ZmTkxwMHcyT1BjWWI4YlZSREZabTNhVlk4S1Q5emtudmJaa2JaeApNV00xUEFkbGJSMXdJeTV0eHplNzFuSWt2cXNhZVkxcEE3TzBKY1VPc1FBR1VNc3RaSjdjWTlnT3ZtMTZLcU1QCi94UXdVNm5UK1NJdXh6WXBXV3lHUStXclJQV3kwRDJ5Z1ZqcUVkc0NnWUVBdlZVUFB0TkhGN1BWMENyOHJ6azEKaVg5ME9pdFRNamdySzFsQzJ2SEFpVTY0d01FYzFrTTRscnNPTjN1VVpYWU5BNHl6MEdzcG1RQ010a2tRODI2dwpKOU9qTis0eGR0RVNpTUtrMDJXQXJVWkpndHVVeTFqYitCNUZ6Rzl0V1Z4TG9CeWd3UkFPeTFDMHowUDh1MkZ6CkwzRnVuWlRDR0ZhYkhYTzFmMzRUWDBjQ2dZQk9xczRTbUlDNSthUGs2MVgyTjZ2cnMwVlBsM1VrOHB4SVdJc3oKZXRwWnNSWVZqWVcyeVgvOUQ2NkU0M2lWREpDcHk1VDArd0RCT09COGd1WWhaQnBDOFRnR0hmemNHb2ZIVmpkOApwc1NZYlp0bVd2TXk0eWVGUkhVdDcyYnUvWWpsQ3pKaDNrRTQ1RG56eXk0Tm84cU8va05CMi9RcUhBNW5CanhVCjhLY2Y5d0tCZ1FDQ1RQbnBYMTlxQXFMRGtSYkVKMWZXM2Z2NysxamN5QVA4VEpTV3ZmWWQzdklEVk1pcVZkcG4KUjRXMFhVa0ZBVVJYM1hDSTE5SVRNY2Zkd3hybHVrNWtHUERnM3Y1cTh6ZVJRdHRnL0IvNkNoZGt2akxzRnRHdApINEVsOGhxeU4zM09sdHJNWmdER0FlVkd4YUV5N0h5SFVZRmpKalRKdnE1azZJRmIrcVVTVnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+            client-certificate-data: REPLACEMENT_CP_KUBECONFIG_ADMIN_CERT
+            client-key-data: REPLACEMENT_CP_KUBECONFIG_ADMIN_KEY
      owner: root:root
      path: /etc/kubernetes/admin.conf
      permissions: "0640"
    - content: |
-        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1USXlOakE0TWpneU5Gb1hEVEk1TVRJeU16QTRNamd5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTFSClM0d3lnajNpU0JBZjlCR0JUS1p5VTFwYmdDaGQ2WTdJektaZWRoakM2K3k1ZEJpWm81ZUx6Z2tEc2gzOC9YQ1MKenFPS2V5cE5RcDN5QVlLdmJKSHg3ODZxSFZZNjg1ZDVYVDNaOHNyVVRzVDR5WmNzZHAzV3lHdDM0eXYzNi9BSQoxK1NlUFErdU5JemN6bzNEdWhXR0ZoQjk3VjZwRitFUTBlVWN5bk05c2hkL3AwWVFzWDR1ZlhxaENENVpzZnZUCnBka3UvTWkyWnVGUldUUUtNeGpqczV3Z2RBWnBsNnN0L2ZkbmZwd1Q5cC9WTjRuaXJnMEsxOURTSFFJTHVrU2MKb013bXNBeDJrZmxITWhPazg5S3FpMEloL2cyczRFYTRvWURZemt0Y2JRZ24wd0lqZ2dmdnVzM3pRbEczN2lwYQo4cVRzS2VmVGdkUjhnZkJDNUZNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJek9BL00xWmRGUElzd2VoWjFuemJ0VFNURG4KRHMyVnhSV0VnclFFYzNSYmV3a1NkbTlBS3MwVGR0ZHdEbnBEL2tRYkNyS2xEeFF3RWg3NFZNSFZYYkFadDdsVwpCSm90T21xdXgxYThKYklDRTljR0FHRzFvS0g5R29jWERZY0JzOTA3ckxIdStpVzFnL0xVdG5hN1dSampqZnBLCnFGelFmOGdJUHZIM09BZ3B1RVVncUx5QU8ya0VnelZwTjZwQVJxSnZVRks2TUQ0YzFmMnlxWGxwNXhrN2dFSnIKUzQ4WmF6d0RmWUVmV3Jrdld1YWdvZ1M2SktvbjVEZ0Z1ZHhINXM2Snl6R3lPVnZ0eG1TY2FvOHNxaCs3UXkybgoyLzFVcU5ZK0hlN0x4d04rYkhwYkIxNUtIMTU5ZHNuS3BRbjRORG1jSTZrVnJ3MDVJMUg5ZGRBbGF0bz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+        REPLACEMENT_CP_CA_CERT
      encoding: base64
      owner: root:root
      path: /etc/kubernetes/pki/ca.crt
      permissions: "0640"
    - content: |
-        LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBelZGTGpES0NQZUpJRUIvMEVZRk1wbkpUV2x1QUtGM3Bqc2pNcGw1MkdNTHI3TGwwCkdKbWpsNHZPQ1FPeUhmejljSkxPbzRwN0trMUNuZklCZ3E5c2tmSHZ6cW9kVmpyemwzbGRQZG55eXRST3hQakoKbHl4Mm5kYklhM2ZqSy9mcjhBalg1SjQ5RDY0MGpOek9qY082RllZV0VIM3RYcWtYNFJEUjVSektjejJ5RjMrbgpSaEN4Zmk1OWVxRUlQbG14KzlPbDJTNzh5TFptNFZGWk5Bb3pHT096bkNCMEJtbVhxeTM5OTJkK25CUDJuOVUzCmllS3VEUXJYME5JZEFndTZSSnlnekNhd0RIYVIrVWN5RTZUejBxcUxRaUgrRGF6Z1JyaWhnTmpPUzF4dENDZlQKQWlPQ0IrKzZ6Zk5DVWJmdUtscnlwT3dwNTlPQjFIeUI4RUxrVXdJREFRQUJBb0lCQVFDU0lPNFlGa3JFS0swSgpiUFNWRU9XeEFXVjV4ZTNzelFwUjZYQmVhSlM5QXQ1UFdaN2JjMTRQbWgxR0pTODhVTGRBeS92dVFiMXZXaFd6CnZHNSt5TVFKQzV5V0JsVmk3Z281SU5QUUZiTEwwVmRPc1pNbzJTaURKajcyM2hqOVRqTEtZRURvSWdkcmhaMDUKTkY1K1gzT3RwZ1ZHTDVvbDZVdHBrRU1UUWU2RkhYampxU0d2VkRhRnFWS25yemtVZitHcks5dXVYckxqWXpMWgo4bHpEbWd0YXhyN1pobnp4eEZMVUwzMXg0MFkwbGdzSkdTNHAwMncxTFdzL2I2bjBQKzk4TkxvUW5nS2lZdmVUCkM5dlVHT0dWWkJqNnBPTEdocWEzeWZ0Q25hbm1IRkFWTWN2WTllWW9ockFFWXlQenJPRURVR2pHUWJOUldwb24KL093RFI2T0JBb0dCQVBYUVlPM0Nhdm9Tckw5UTNZRmcrblRRWjFEYnpGYmZ4WjhYYVhWNUpDWEkyOG9ObG8wVwo0bCtMSnFHOTcxR2YwVElKeEpUcXRNU3NxSHNpdFZPOEthVHIyQ29XZWoybHZWWGhId3FSd3lhSkM1UllPR2VPCmxHY1MvM0xPejZyeE03bnJpakxUdHFKRDNjMUl1RTNwOERwNjFoTUlBYVI4WFlPNDVUNXMvWGd4QW9HQkFOWFQKVTNpNkZPYWh0ZjJQTTJBMHc0Sysyc2xVeW93VXhUQytBQmJrbUV4aGJiT3ViZ2VPbys1aFpNTjIzcGFnWWt1VgpSZ0lnQkE2Yk81RmRKMkhVRm5HcEdCMjVnOXZpd0k1ejhwZ0tsU3pGM21BT1dGWHBsWlJwT0dMbHpBbmpLS1RLCk1TQXRYS2UveU5IUjltUmFWd2hiK21QajVuTjlLcmQ0Rmd1WWx3ZkRBb0dBS1FwM2hIclhYWlZNbmt5a0R2dmcKRlN6T2N5T2ZoRW1zTnhtems5ZDcvNHIvbDBhWmdrajExcm5tNDA1UTdMSGdQWmgvNTlVZ0JVNUdldmlhaWJaNgp4WHhUQlFQbnVPODVJMk9JeVR6NDlqQWZiTThsNjdSVWRya25TVVhhU2xJbkxyMXl2M1cxb25YdVRGMzkxNVJkCmRZWVl3K2lzVFlndUhOWDhBR1kyRTZFQ2dZRUFveDdRTXUxaVBIOXBJc0kzNDFEZFJjVHJpMlBRRVFWWFdWUFoKSlozR1FaNmgzYzFYeXhRYUl5VFJoZndNMnNRSHVMbHI2dnNablRyM09uSGlOVk5pdTlyUHR2MXJoamQ1eGpMVwpBdjh2eGpRODdQS0VtU1hWSXA4U2tQL1ZwRVZUSUVQUExranN3bHdnaTFDdHN1am9ORXhXdkJXRUhONkQwK3NjCmhrUW1FNWtDZ1lFQWx6QzB5clVOSTBQMHdKQUw0S0JoM21oNDZST2V3TzIyb1FhZ0c4c1N5SjVpT0NIT1VaZDcKVnhPbmRZMVdKM2M5ZktXWmVQVXkvZEhCTUtjY2wvZXJmbkk0aHZ2bnhvejNob0Z2SDdnMHJGVU5vYVZzdlhpaQpPY2NCUURVMzNDdW5WVjRmeGNyNS8xV1NwUzZoT2ZIZDJ1NFZjNnpwQ2dTOXQ3VmFzZ1JweGJjPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+        REPLACEMENT_CP_CA_KEY
      encoding: base64
      owner: root:root
      path: /etc/kubernetes/pki/ca.key
--- a/manifests/function/hardwareprofile-example/cleanup/kustomization.yaml
+++ b/manifests/function/hardwareprofile-example/cleanup/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- smp.yaml
--- a/manifests/function/hardwareprofile-example/cleanup/smp.yaml
+++ b/manifests/function/hardwareprofile-example/cleanup/smp.yaml
@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: PatchStrategicMergeTransformer
+metadata:
+  name: smp-hwparofile
+patches: |-
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: hardwareprofile-example
+  $patch: delete
--- a/manifests/function/hostgenerator-m3/cleanup/kustomization.yaml
+++ b/manifests/function/hostgenerator-m3/cleanup/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- smp.yaml
--- a/manifests/function/hostgenerator-m3/cleanup/smp.yaml
+++ b/manifests/function/hostgenerator-m3/cleanup/smp.yaml
@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: PatchStrategicMergeTransformer
+metadata:
+  name: smp-hgc
+patches: |-
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: host-generation-catalogue
+  $patch: delete
--- a/manifests/function/k8scontrol/replacements/cluster.yaml
+++ b/manifests/function/k8scontrol/replacements/cluster.yaml
@ -0,0 +1,19 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-cluster-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetClusterCa}"
+  target:
+    objref:
+      kind: Secret
+      name: target-cluster-ca
+    fieldrefs: ["{.data}"]
--- a/manifests/function/k8scontrol/replacements/kustomization.yaml
+++ b/manifests/function/k8scontrol/replacements/kustomization.yaml
@ -4,3 +4,4 @@ resources:
  - versions.yaml
  - k8scontrol-env-vars.yaml
  - networking.yaml
+  - cluster.yaml
--- a/manifests/phases/executors.yaml
+++ b/manifests/phases/executors.yaml
@ -55,9 +55,8 @@ metadata:
  labels:
    airshipit.org/deploy-k8s: "false"
 spec:
-  type: krm
  sinkOutputDir: "target/generator/results/generated"
-  image: quay.io/aodinokov/sops:v0.0.3
+  image: gcr.io/kpt-fn-contrib/sops:v0.1.0
  envVars:
  - SOPS_IMPORT_PGP
  - SOPS_PGP_FP
--- a/manifests/site/test-site/ephemeral/bootstrap/hostgenerator/kustomization.yaml
+++ b/manifests/site/test-site/ephemeral/bootstrap/hostgenerator/kustomization.yaml
@ -14,4 +14,6 @@ transformers:
  # NOTE We can not use patchesStrategicMerge directive since Strategic Merge
  # plugin has to be executed once all replacements has been done. Therefore
  # we need to load Strategic Merge plugin as an external plugin
-  - patchesstrategicmerge.yaml
+  - ../../../../../function/hostgenerator-m3/cleanup
+  - ../../catalogues/cleanup
+  - ../../../../../function/hardwareprofile-example/cleanup
--- a/manifests/site/test-site/ephemeral/bootstrap/hostgenerator/patchesstrategicmerge.yaml
+++ b/manifests/site/test-site/ephemeral/bootstrap/hostgenerator/patchesstrategicmerge.yaml
@ -1,47 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
-  name: smp
-patches: |-
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: hardwareprofile-example
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-generation-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: networking
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: env-vars-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: versions-airshipctl
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: password-secret
-  $patch: delete
--- a/manifests/site/test-site/ephemeral/catalogues/cleanup/kustomization.yaml
+++ b/manifests/site/test-site/ephemeral/catalogues/cleanup/kustomization.yaml
@ -0,0 +1,3 @@
+resources:
+- smp.yaml
+- ../../../target/generator/results/cleanup/
--- a/manifests/site/test-site/target/workers/hostgenerator/patchesstrategicmerge.yaml
+++ b/manifests/site/test-site/target/workers/hostgenerator/patchesstrategicmerge.yaml
@ -12,12 +12,6 @@ patches: |-
  ---
  apiVersion: airshipit.org/v1alpha1
  kind: VariableCatalogue
-  metadata:
-    name: host-generation-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
  metadata:
    name: networking
  $patch: delete
@ -33,9 +27,3 @@ patches: |-
  metadata:
    name: versions-airshipctl
  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: password-secret
-  $patch: delete
--- a/manifests/site/test-site/ephemeral/controlplane/hostgenerator/kustomization.yaml
+++ b/manifests/site/test-site/ephemeral/controlplane/hostgenerator/kustomization.yaml
@ -14,4 +14,6 @@ transformers:
  # NOTE We can not use patchesStrategicMerge directive since Strategic Merge
  # plugin has to be executed once all replacements has been done. Therefore
  # we need to load Strategic Merge plugin as an external plugin
-  - patchesstrategicmerge.yaml
+  - ../../../../../function/hostgenerator-m3/cleanup
+  - ../../catalogues/cleanup
+  - ../../../../../function/hardwareprofile-example/cleanup
--- a/manifests/site/test-site/ephemeral/controlplane/hostgenerator/patchesstrategicmerge.yaml
+++ b/manifests/site/test-site/ephemeral/controlplane/hostgenerator/patchesstrategicmerge.yaml
@ -1,47 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
-  name: smp
-patches: |-
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: hardwareprofile-example
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-generation-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: networking
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: env-vars-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: versions-airshipctl
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: password-secret
-  $patch: delete
--- a/manifests/site/test-site/host-inventory/hostgenerator/kustomization.yaml
+++ b/manifests/site/test-site/host-inventory/hostgenerator/kustomization.yaml
@ -7,4 +7,5 @@ resources:

 transformers:
  - ../../../../function/hostgenerator-m3/replacements
-  - patchesstrategicmerge.yaml
+  - ../../../../function/hostgenerator-m3/cleanup
+  - ../../target/catalogues/cleanup
--- a/manifests/site/test-site/kubeconfig/kustomization.yaml
+++ b/manifests/site/test-site/kubeconfig/kustomization.yaml
@ -1,2 +1,7 @@
 resources:
  - kubeconfig.yaml
+  - ../target/catalogues
+
+transformers:
+  - update-target.yaml
+  - ../target/catalogues/cleanup
--- a/manifests/site/test-site/kubeconfig/update-target.yaml
+++ b/manifests/site/test-site/kubeconfig/update-target.yaml
@ -0,0 +1,69 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-cluster-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.certificate-authority-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=target-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.client-certificate-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.client-key-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-key-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=ephemeral-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-key-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-key-data"]
--- a/manifests/site/test-site/target/catalogues/cleanup/kustomization.yaml
+++ b/manifests/site/test-site/target/catalogues/cleanup/kustomization.yaml
@ -0,0 +1,3 @@
+resources:
+- smp.yaml
+- ../../generator/results/cleanup/
--- a/manifests/site/test-site/host-inventory/hostgenerator/patchesstrategicmerge.yaml
+++ b/manifests/site/test-site/host-inventory/hostgenerator/patchesstrategicmerge.yaml
@ -12,12 +12,6 @@ patches: |-
  ---
  apiVersion: airshipit.org/v1alpha1
  kind: VariableCatalogue
-  metadata:
-    name: host-generation-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
  metadata:
    name: networking
  $patch: delete
@ -33,9 +27,3 @@ patches: |-
  metadata:
    name: versions-airshipctl
  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: password-secret
-  $patch: delete
--- a/manifests/site/test-site/target/controlplane/hostgenerator/kustomization.yaml
+++ b/manifests/site/test-site/target/controlplane/hostgenerator/kustomization.yaml
@ -12,4 +12,6 @@ transformers:
  # NOTE We can not use patchesStrategicMerge directive since Strategic Merge
  # plugin has to be executed once all replacements has been done. Therefore
  # we need to load Strategic Merge plugin as an external plugin
-  - patchesstrategicmerge.yaml
+  - ../../../../../function/hostgenerator-m3/cleanup
+  - ../../catalogues/cleanup
+  - ../../../../../function/hardwareprofile-example/cleanup
--- a/manifests/site/test-site/target/controlplane/hostgenerator/patchesstrategicmerge.yaml
+++ b/manifests/site/test-site/target/controlplane/hostgenerator/patchesstrategicmerge.yaml
@ -1,47 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
-  name: smp
-patches: |-
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: hardwareprofile-example
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: host-generation-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: networking
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: env-vars-catalogue
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: versions-airshipctl
-  $patch: delete
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: password-secret
-  $patch: delete
--- a/manifests/site/test-site/target/generator/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/kustomization.yaml
@ -1,2 +1,2 @@
 generators:
-  - secret-template.yaml
+- override
--- a/manifests/site/test-site/target/generator/override/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/override/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- ../../../../../type/gating/target/generator/
--- a/manifests/site/test-site/target/generator/results/cleanup/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/results/cleanup/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- override
--- a/manifests/site/test-site/target/generator/results/cleanup/override/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/results/cleanup/override/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- ../../../../../../../type/gating/target/generator/cleanup/
--- a/manifests/site/test-site/target/generator/results/decrypt-secrets.yaml
+++ b/manifests/site/test-site/target/generator/results/decrypt-secrets.yaml
@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: my-config2
-  annotations:
-    config.k8s.io/function: |
-      container:
-        image: gcr.io/kpt-functions/sops:latest
-        envs:
-        - SOPS_IMPORT_PGP
-data:
-  ignore-mac: true
--- a/manifests/site/test-site/target/generator/results/decrypt-secrets/configurable-decryption.yaml
+++ b/manifests/site/test-site/target/generator/results/decrypt-secrets/configurable-decryption.yaml
@ -0,0 +1,28 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: secret-template
+  annotations:
+    config.kubernetes.io/function: |
+      container:
+        image: quay.io/airshipit/templater:latest
+        envs:
+        - TOLERATE_DECRYPTION_FAILURES
+template: |
+  {{- $tolerate := env "TOLERATE_DECRYPTION_FAILURES" }}
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: my-config2
+    annotations:
+      config.k8s.io/function: |
+        container:
+          image: gcr.io/kpt-fn-contrib/sops:v0.1.0
+          envs:
+          - SOPS_IMPORT_PGP
+  data:
+    ignore-mac: true
+    cmd: decrypt
+    {{- if eq $tolerate "true" }}
+    cmd-tolerate-failures: true
+    {{- end }}
--- a/manifests/site/test-site/target/generator/results/decrypt-secrets/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/results/decrypt-secrets/kustomization.yaml
@ -0,0 +1,2 @@
+generators:
+  - configurable-decryption.yaml
--- a/manifests/site/test-site/target/generator/results/generated/secrets.yaml
+++ b/manifests/site/test-site/target/generator/results/generated/secrets.yaml
@ -1,31 +1,48 @@
 apiVersion: airshipit.org/v1alpha1
+ephemeralClusterCa:
+  crt: 'ENC[AES256_GCM,data:HZtJf820/r8f0YytJeL1X7EXsKL987I1f1gKLoSNHzSFczOi/zXsiRIWCWH6rYn4Z+smlFtAGufvEM8uPJp8ZdGDlV5zHzjOnfMklOB4n5qOEoEKzwhCgxZaQPBw9Jr0SQBVFOKGPiAnOTkkOgfE5FWra/7SkkmgdLbR4MyHar3y88Eumkrqm4qo3RrfVtaSzTWgygtXME7wRnhutbIiA6zxBsgXFpxoaKMgLmwvJpo9PjSxz5CAYq/SN9mKLYGx3Vyr4ovLjtTIorPlQNW+iL3vBLkwhLP41HKYvK5y+rBIxlEU3Gyvd8493lk6Gh55lbgpT45DYaylC6hD+Ec29DdOwFBg9s8yWFHz8rYVElv5a1+RnOfdfnrfYbNk4eanyZH6PBDyzFZ/KRdMEPGFnMVIQ2ngnDLXzCQOBCTjHLb2FlCSWDmNVFSyDx8CAw7ik1AyNgHScfpIdB/cP/ujpDDhJpFioXMD8gSsX+l0dTDRAZo5ZIIRx8gM0446lmHxWjYZM5oT25PW9SDdo+u7L5oc3kMcKXzo2JxQRY+DDXXtz4ZUigh2RGTN764thOoJQA0LXiW/MjuuXqyXHXY9o49EFHsdq3hgq5DDhcRGTg+0pOUoftmCrpZYeHrv7yYnhiwDi0ot/oZQtIi9GWpKgg4uhuK+gN5htQzM6GNbmibgXNSCJPKeG9AMHErLEzI8SfLh+QRz5Oc8NvsTPHw0OigeX2FqW3rTmbsLR/w1mCHy0Y0IEPHrRMDS4HwzpLyWMvjR2RAHx1sA48su/6qRfxOZEhvOvzX/N06WozO4KjkXWH40oUatxyzH9T0SQaw7Y77eH5zh8PPJ1KL+KhtjpxNTP9CZfuJocuskYbXxeGQgKd5Ky76S0pAjgvpCvGCjCb0ltacW7bBFpblashR+ptRxucI05eBVLSjMRJjxtKb41uUVAg5euNeLVx/r+RoFmbna0NCjOKKXm8k85OORfbPOxXCp3zBgz/D3/+2BAdQS3t9LXi1cF0DuAr1165yxZIT2U3/JBBE/wf/d3T7Z9eVSaH00HI8rJCEhg+Dp14CvpjjOIjYkSti9FmhLNOV2S4pjWzDwsLjV5yGQvJJKApm+yL4NcojfUE61jyDC+VFEmOnETcIfF5nghLk8L7QP9su5eRouqr0NboAPFd6K4Ec9GaH28nRSo8IlDDbVqdYYFzVYAn4mTKX6PWdYzKCISPe1BlYPcRiAocOFqDMKCDjxQuVvMnyl8/VRxJXVU7VMU3BoQ+rdp+/P4lFNxaJA9ewvfvX3Dk81c9AtBJ1t213GEwQ1uLUUaIG89l6AYJ2Wkj2uNfVGCwxwTRDQBsrArhFW8Pj01ysSJ2CNoRfkXBVTm9Pial9PJP3e9xBAoODkLEQfeeWxCQv58UacWnew6HXTf3iMDczH4zfAfGbYMhpVnR/iqkCWemWIq4XpdpjJLRSvpLM0Xi7VsHYDZo3K/bA4aXh9IiT3bOsFU2dM9tV9GR3WodwungbM00tTyQv0ADn2OOTSYD8B1pBzjLQDKn3sXHVyolPkGZIU4T9eB47200nCyaI0BXWGtzhEF9O9lPGg8H9AT6q1oW32s9UCzC4+VVUjXVGv2FY/QIZBkAtFnT4NC2P7sY0EpDuUNfWSPg3gYRTuIySRxJMCQevyC09NsmWx0lOiECmcvEnHh61VkmTeorHaoCpx7Jnb2TceYTCB/6fPUo4wZm64wWxpE7VDozpBL0cqjutuQuuDGKQQ153J0Gp619hruPW74iNqhoe+Qu706DGt/ZR6tpgC/pzmR3qno6a/xXuIXgBFGLJpZJNMcbFaWCsjwB8NovBFiOlTOZpdyhSbZi3DQV+SB0L7Pjt9DnGIBhKNyR1VAxoNMcA1fBw1nH0o1/fid6l42baOWc9CFOwyn72hXw+9QAh/wFy0g+mBRpD7gfl7mqr6vuIILFmo0Zt5FA==,iv:+GaLzo3IZQUbrKH+DwoClgPxECOkhyNkKwu6jj9TFes=,tag:7Gouyh6wTV0YG+MMkC+4bQ==,type:str]'
+  key: 'ENC[AES256_GCM,data:PYh6RRCwUbdFOegAET7Gy3g+m9LfknB4vCq6amB6pOW4Ebp3LmSjWk3fQBWIaor9J9vhB/Irp/LRcwkPg1jdyzKMP/rmmNthdkdbst4oDcZVI2B3SHUVeJgDM4qN4hZ+xHVgSx0QFS3ynp3KA1kweMis3/VqjwGY8835mqVDjNv7g4OEcmj89HZ/cPmkryf9xEy17cs2ixV6LCfB+8LGr8OoKCYxQFetr3auqEKjAnUWaKpQe2touU2oF5iwVtxThHGTu/ytOyRF5yEjHCezt1B2U3DQ3Vy6nt7PTMA0X6QtHHdP1mOIW/DS1CokdX6LaM8ynosH4XqcQMiP/HfLJ8ymx1xL6zl+CkDGS2gTCyYTR+Nq3jwwhac9G2Pa22IpeMipCKqVFGzbs/bHUzUAfj3Arje1ugCLdarZDVjE2qk9UYLqQ8Sw5eq8jEE1Jqh0GyAS/8VIWsl4+0zggSNYmDmeC9lMKPM/ltMxQg04k/gTKyHKqaeoqs8z1Y26taojGUEHFFJhUcO92JZiKlYbpE4lrm60fuLIl6uxB+mSKJkLdFyCON6QhA7rorKM5CZQb2xrU8mi+NY0O1h1MwXsTIsiXLZcDGzsTJKw8mhnRJGWLpqnJ05Y1/DgvtV9EhuaR6pORsovjP5UDH/qiO1n5gMPBes3ikvQkK8C0CcAH7XoVreVe+deEP/1yHnL5SAMP9Rq0xFJ0AupZDyDTDqdkCv/6ngfqcq+NMTinKEyZVyYy5bb9T6bgYoKAuUYnThttUnDIRtLlKLKHwl1VLtoVEpisd7i3WO3Ul6HhJT3gqHCbGVW9K7SFSotAumChmYnvXSVn64F3+lmyDbyUbttrkeooAZftYP7zjC31ITtltW8D321omb7cfwef/iW/bKtkoqIOnENpX0xUkg/JFpiQrTZTOwVCKj2i43whWdel2XEffD6nMSyys50UrOxd5CunDxXvWP6+/+J2g5GcI3JdbGGE/gDfT5V/9v+4P+Zb4/ayL3KaJbuQksQ5dqR4+QZogyjWrAe53I8UQI1B2YdL/ECoNc6QRaxby93Msl2Q7pShsR5tQBjLtgbeiOdIfmQ5nccfMbUPwubYUdErSZhpuquB2avWF6YNwCfk+oj73dWLPbNtALRCNY5rObhVb+T+te1MSxrZJ0tXQToLEk/5AUvrNNgYqD17ssTHuSKGhYkiqvynvIhXd0lTsPMDUV/ecGGh93PynRNhDVpVA37zl2DN+KOEmdJYOLVWgg3zEHoB02rosf0t9E4W338uOOq9wIFbQfoVfhA63vy/2B2EdpKZUOsqgNZqI+VPnllH5uaos0Bona2q9XnIApfT5oqTzqWLUrfw5EL6B/aKunFlVk5UMj2Op8RtRV7qqV1ybVV6azTb6Nf57lzdyyXFj8lmkDZnOBYWuq8ZpXdzNF+PJCKo4cob5VHATV9XqatEfOcMcDyvauh3Xtn6wGlbiD8K1XcrBgPoKxHNY4BjYX+gBgwSu+RqRUVCzw7wMxj8MLg5yGFr1wIfN3fOIpHXNKRBlcaUBujKLXqvsn3CzNokYYXX7Zp9oH5nGlzc+UP9PHGkt2WGDggAfqQ4wcoKk9MpxKEpGYWdblgh13ySZToA2k0a1xHOZZykDTSrxQtxSqC1ht0i0Oa9M5KxQMd2GVfcQyqV/3gZGGJ67sE4pQXfO4fmRX2Y+fcNqhLwYtcoILV0pAiy96y35sTLTTaokMvbcYHbPzLsJ4oqR37c6GYzWERL+Yf2TETpzCQSJpqmOuD+yXbOLW17wpWrIf3wfo/j4dD3las5fBXN8mPcd3a25dR+7sbef9dNMsOqsTkgNGstW7nSp/tymk4HMiVlH1QFGZthfg3I+APuP+Jqnbvyk1E0Eo39xwIXiMRKTqjT4hap5WPd1gfhIBe+Jg0+VZH/IoHkNbvVxqoFHvYStTrEe/kWo5Un2yBrGw6OlE4MNJPgBPS4F7Q+xFZod6XxcOYdvwGlNiYvlb1NRmRMx0Qlt1A7aISW09cverACiR4g108Z52KTqKOzAP5utO1iEC4je3XfEOdyQ84P1NjSxHaf8AIUjYX+oUDgFxsySbdmQzkKIqg4gyw+nVrdARYpPo0FvGVSckKF5o3M83j4P3jWaxcVj0qB/63zgdAgPum7COi8xLBViCXUsXYEczrvZCbCGTv2syGiHwLbYfH2UrIqyoSkkZ6rzZZwD+BqM1pWMP0MNEwca8DIVQFPcItRIt2vDktVmOJe3UJ+7lk+27Q1bC0DbT5PrEykXsmo8H7ctO75R0UEuQDmjuTPiPcTmxhNIi63fu/eW14SmI5m5neAJ6RSfnutCo9ia17A4K8epuZQaoerJgDTfm43uNlDPlPgK3oYHWJE353TlfA/Fkum7g2VhMJ8ceV2lswRjN6hVK1+l5ez+tXRkkjxanIfSBRZxW/6ooM5en2zyzFqV2VBEawZEXG91mQt0aQQFM9Ukg1I6xVsmluNyFGl4Z0YUmm4nhjmCBjx2h2Qe94QI2qBLbrQrmJMiXaqFHZM2hdTFrx/wazywS+eIazb2UbaGsLa8G78nPkYJck8j5pKbUy4MNYZz83iu4pXoaMXDNfQDzaXnceAbOTkeYNyLY0Hrr8h55NFFHY/JLEgJrhdnVt2nSdPxTrNDUQCNUtWud4mVSPMSqZGNXN6ZNHJkt867H/aFGc/treT4xe7cUaykReH2eRSLC06wM2QLyMD6WlZw18QMBRE2n2PfnfaL52YNYHyuIvNzf3HNlW7G8VOOcKOSAanTfJvQph9gAoh1N95xib6u9c+LhPAY59N0oGBCH80bmKYAnbbEgn+1Vle3x9UwGnkeTDR5yo+MWJVtqoLoKggPug1G8/+sUTgFw1gYpAx1a3KM+CHshswMwC8T4fE7cC0J9HuXfeIKm/oIfoY5+gVb3pGdvlXI3C0tXlpr1Iu8a5O07ugH7j+4rzd1o8Qb+0duVEEehKNWNSZA==,iv:JYJ5gIun3lEN156HbX36zhtDMOjUgPBWeGqRBsu/8Kc=,tag:Sopg+BPB6Q3BIlz3doAx9w==,type:str]'
+ephemeralKubeconfig:
+  certificate-authority-data: 'ENC[AES256_GCM,data:fkJrkl1wkOR0rmsEuFCK78fSwWb3P1THxN2pXoMMnNt5AfdxLyYTb2OczfdtxU6HdrCeg3myibW83P4AIZfs5idEOKYeNgh05UDYHy2kxjIqYr8wBFM/OEe8okI0+AK0Fw0TmQzv3KEm+9yWfava5uFMe6eboSGwZ/CjTUMrIihTbw3xcHJ2PY2Fjl2YqJkcERauLBrLt1UyL0r+nTVbaqJ7mtziVLssv8H96+gTo1C1OaK3LHlHYjUDnK2Zkwcao6EqCxnFQfxlX4b2CkaqwUbs24sG2ewiJ3smIXPTWeLMZB4W/GKx7H33y1rATm+Sk2LixGP0zCXQl9AmETsQfZdOaLZEmdhizwEIyQd20Utb0RSGlP/RBclwUpX08DjR+Oq01mwUVJaDUpY5cOlO6ziFnjeJXZM3mQQ/MbLFVvkUUm0rGsRkYWz2XA/SQv5H3rvEUpKvBn4+MsIL0tID8ciBKoKvajP9KLy0l+njEAzJgqqGWdgO/ZhQ1gaPzOZo/OIFKH0jrhgs6AVG7lpm5eD1kgKpkux9mo9FYOaNetdRCyUnyI+cV8Ikix7CFfkVGS4o+FTDBHnZ0D6jkqbjimv+NwFCxzUxTrHcEBW3D5IYaTP2GVFkieALMWMF3foYhAqUiLfEjyRgwdTZpdTPigD1iXIVk4QUXONTZXmgGyrKabkFh730IT7QBDlRmvrwTIaJ0WDaHbPesL8ZYsW0MDQW1u10mLLjK/3BrCzb1lltasLQWh/q5e0MMFG1s4G/3Y0u1Lrs27bK1/SrMhhUwX2gxaxp5fWYARcKRtaarbZ1TgWC1PxqhUmbsvP60iPGn91qlGpMJ5VUdci0S9FQM/I7HoO3UjhhhzMTiQUyAWOu3+0QIDw0T5UIdHFbZYmqpn0XqXI8bhP8DPsHZ+XKEJRsBktl9/zdcZ+TY1QvsbtC6JgeS/P7RZfaWG74N2h/CgLiYuWpyuVxNlaYSpIJ9PNesRP1GK3CUpCp87H/MN0XOboXH9wLMFm7O8ayWKqOeVdNJ3ziFk66LsdbpxMlqy8CWrgGtPbgpDK8HkhlC6ra1BG5wAXUMXl4C6p/+027Et+IOuYwY8tD1z2r/wWpf0HcUrrMe1nHZv1vMszSA1i9eEBu6cAR1u5mKCzjayn/QEaYeGm/ROuzDskZy/KAPgpq6g2NYHqHfTPUeO6eB3+e1UDWJ4scPSJWetAFocr4TlZCWygg9Oite8h18N/LNziVQZ3QavUdCL/gZ9FWlS9i8zr8EFHYtQ3xJTC/g7W9EZkuNPYCJi3x/uHzc4sVfHK/mfoct1Gsbnq8atH6jDWhR1gfPS65AHQbLmqU1sRyGcwmRQAa8fiIlUP1VbTnkYFpXriVyfkhF/lBOxIMwAoe8OZ5nLg9pgnB/ZacZ5rEw/M1Fb3WrNdPYxe4pG7mgW6hLSyhkPEqmek8c/ZL13psgwhrsuhO90NEf/uxVt4HrPWUNdninHqiOjSB9iXgGaGSIUdCmLNn065MeKnOyThneHor61L+WarzDIhhZ/OUSgiKKGGvXPfKRLqMSXWf40Qy691EicQDjpu+RWkDy6np7WrOWd7uYBhkoz6WgQODB5Wm+DGob7eIxw1V/xiAuF0nDi1RJc3xEkbkaOX8LrUEMUMvvGxJTdGNfO8yW07owM0PddoUGuhDeg+g7SLUlHCJUxNpwi6lti02wbAZ6XAxc2ltN9fNZ98OE1VMtSlX+4pFLmMxtb9S1N53YS7MFejreADRoNskyFK5uYuPN5+a6lcOMHnXSKZnAC5EZsl3AiuNNIS2hIo4Hx7YJFZtB5JlF9YSjFXZDnZiSwZAGvhAUHq2Yn0UVModpN3TrBzSelJYwY+aQDJ8bSuQAp6U/2HJ2FFQFX35waZMHYqPyOlXiCGeOl7dYV+IpCMdZZaPzwI4EzjZkfKpW/FZBtJ/p45IytHI7gt/XAsiWQ==,iv:KxGVXmvi0AMbUQ1YAJTpYH5dIBA6ownuLtsI0K8Riko=,tag:j3HdCtl9Ptj6UH0otSsLJA==,type:str]'
+  client-certificate-data: 'ENC[AES256_GCM,data:AHrZ8/PILjb11JmChZDN43f8HYcSDUgj3//H0T0Hq2dAypGWNgiNQzhuJDiEj16qUYTJZqywhV4Ft6z7kMpI3wx5GcKPnYHr1RQkiufORR9QAvD6DImK9/dyxF44htGkbv/8x7Xi/Fg61oDSXa81UmlHhXHeoCvHRaiAhtPtCmMPuFraCCWVzzxbqIjgaGWTaHQtp17ClgANPyt4eQq+hzk4fMCYKSCoqZcCqnklKiYaZI8lp/feT9MW4eRNJG6nrhGhEF8+DklOmf3uzdKIuq8kyBeHBD5gJ8mwj7N/oFHoWG9XAPojjs7ddU2QbNgRWroGcJEdHWNt3bsqEDkRc3CMEwMbACEIT1f9bGsnVwFVS6TDtJcNoKcp9rSyohNkcoeM2Fp5aweMkvof7+773rHXO7XjSKFhb/EcvES0kBNTVwAGAJ42a1gWgA3aXGllXr8jiFMehPIP/krgb5rqDiRxRY9BDQR74x6EV7la7zOtJTOSVBRe/CWhbqg7H9SJN08WY+4wcZ95+Bbi5pup0J3ZY8HUU5poFC27YLNkpVBLKe/95LKAtU6jEuYiPuOICVGlXZFIA8NHhFavenbsGxULRM+apKLFUIna1Q/w912kK7nWYdAMDJqgoseJz7TeARHDXUagWuwTPJLw9eKi/c0eS1cQ/d/Wxl3hc5v5M7YhxJ2jU4j0weo9hbuq3F3nHZ6eAB7xUZlP02MAuM65NpU0+c88KC9x9p5rt64+h5dssrdgo5IL2MvDAuwHztxMv5TMAp9ZaHfR9NrKYoBl2sSwtDw1Tq7QS9uoD9jbuIMGi3MON7FQ0joD7NrdATeBY2eJERXHrVfCZ1Ft3vpooiyYed/FKSlp+CzPDtYnLCfDThv/dMw9xSoKPbuigGxzkdvFfrLhkelbwKH6j/5xd1xKIzvzmRvGi2LDWHG6qpJASLrNBvoG2NdpEpIgewwDyUEk+eA/BZR8k26S1QuIyWkKn8jK8O+0I4Ff1/9Fjv6RBw0l1e6Na/3fT2I9znpGoIwGXBSI2HMzwPwj/VjOjM5pUfI1rza3FfskiN6to5hCVzZxTqKol8FkfSj67MAC1yW98ryM4RSvAHctbNqZal1Q39drgk/p3/HqTyTYWtTjNrSfsNg1wn1Qz/MBnebVHt3I/C8bUsJ/jQ4Y2/6AfOnQP9teO8LGw+C1FDj5+9hmmV+aRL9zA1CZOrSonBiUZvJRsh5tm7ZSppZ/dLh+barslw28go1NPqFNSBXdEqQgxMCTkVL0R7M/0W9HUbM3IVDX58TKijasJ22K8VfOYPR4C8plcAKosBCdpL5W1qoCpFpeo23aOR26LCuPHi2n4A5OxqeXHpdzSD0PQG3nhJQUX6PBY4wHDwx9q/fyrhcLl+uC9ezib41iRV4wRUpn/6exnvRCmrGpzuY6A5H4uWHSp841gSO+EANPtCaSVYb+8Xar4QV+cE2QrzzGIcJETgpjyDZGkw06vbU0jI01GvQISJBmLkeaUZvFFnaiwlBPpclSRyODGdGqWmVZz4uGJG+CB0WlZLIM992nN2Lv/LiiB2RdLswRGhD6mBSdpDpaEth2oZRXdgbfPOk5d6Aqqj2r+2TQMAZzyj6yNCLmjkQkl0eAdSOQMK0tvuZ1b0ft+jnW6qr9BWR/cXVoxv0W1mBxA9EvNRphXefNr7obAx9PrAjyB9mmr4v+sWxrVQk4wgmrEERzhXip1DwuyTSZFcfm4HtA5skq/QcVRrUraKOJfDU7oFq/ZMYPpbgFqQrFbjG32xdoj+JPlCIg2aqYX1uJwgrLxcZutTUpGllDBDxbiVbd2y0eoAvw858a5rXjiaay9llk447IofumD19ndpWjc5/DrJcWKvfGV/f05YTCrISAMBBcEQKpoP2NmKh47eV64l0zpWAMevuWET81jWgFE0AbpbiRGK5zO6J4eoYyqKvmGwSM/c55RvOyBPYJDwaSuJsE7Ydb8aboiYF5,iv:l0za+exweqGI4ND3zfdLELyAy9fUsf6GAxgc552p64o=,tag:sUdZIebwysPNteocS618lQ==,type:str]'
+  client-key-data: 'ENC[AES256_GCM,data:WeJY1lARUlPKfAixbJEFrf2ef75yr7zto2L3/rXmDXAPlFjqy3jwRbPPIQd26VAEUIYd6C9BxdJoq7yzlF394GSjiHWjcGnR8B3ELwvxVtxdyWEqHs4TC+LwyG3/5bv7ZMIo51USFn8W4UGNEJ8lCX8istzuDa4JCI+LbxlTdr9iuMaXDtRhqBgR/8aabQtCb4J3udAbhmUlNoXiLPDdlsntD/ZxTmJuoevPGZnfaPCcb1kTczP//kmGutlu74Z39FwyUwCo2k8OnXnioqxViUgRZ+b+DgnqZKmCTMNgEy7a4QnmGbjWQqXCNGI0u3OcZ5VWvp4BYydrx9K6VfHbu/ZqHQ0GGKpq2va0nLlQ3AneqQMPOqWiihA1tNkIkXYwjwmVT+ny8MLPpSYa7gc540iTh42UuU17iX+N8f0HlqSv5VqjRBUi5osXCKZKt9nzh6CKEySNpwU3SsWbI4zTIQ2HygK2r5F5H9VSATZEi4rjW/QIgKHIN7AQNGi04M3hiJKD+67sTpr84s2x79cPtskdO4XFH0byzzC1Rk/0MHDhaYvgzq/SG6dYN+dPctW5IRGJwyc+J1eFLHNYBfRnQEM9OG9YftlxXAL/ieR+3fJ8UEwxLJeQWZQxhe4gp46h36z9jf/nnVBm7A9+m30wkOAe3pyvHt91ZJiHTJHIHuK9+C5QM0VGEGw8ElPnYR4SzwkD4YzYZpAMguEpY2hTZPzWrW8hc/6LXYzAJovrODq4ZjNKkFEJAWQfM7NC6VyS/NVbhUIK/tCmCN008RDFN5Fq5IdRigd8tFP4LfUQmxVxkc27Ynd3XQXYWrNyAe7JMUCWidVdQW99gjiWaI+K7oSEntlXl7XWMdaChdG2wlIQC0T5oQPgGJ2e2HamcyNzS17etx5TZ1/dE5GH29V8GSAJbP4Kz7xRrzil+c/DLDeGHRAA36VJV4LMcJOZzkfqC/m8exILOLWkpqz98sxBhpPmgV41yZ81bMzr6OfHbYQ+wjDzLPwQ/hvVKmbhxVX1SkhewYWbDT2ada4rVnyLO84oZ+dYBRQ4IGt+qjkyqn4lvduipUpFcynu5SRQ36axoYxF5j2SNa39SqA4i+QcftFrjUlcs1c9k+I5sDqvCqkFMukVmTv6fP2bJPY+js9Ixc44ULMbTdb6LFXCKpigNFyr1Kyu0viF2/9Y5Av+lDgXOi5obApLemcVrs/Pr3u6GvcT6TWiYgtv6Sq/x83+m3X86cPRJZjM8v3utLrVWPbUe++Uc6wkKaBcSsKxaUnLR+n/GB9ZIyjzgmogAQ77ygj5AOWzxCidU9wiP8tvV+1BS4P/LSPFdSJ8khGORr4drvDvlD0hHwEpMFZQz5TyZCXkrazOPu0Lk6I5LENXHuwfu29dkjm0s7PTnPxlOC2UXTf42V2rsxVpAwp7+AuwVJVJrinBlQd7aWHXISWFbisgyEn3FEvIVDqMIjLeTtcmGeIwSuVwCpNt8OYmbcUCdRN586Re9ph8BPFL5Bbffw/O+4J6fiewEeRImgXfj716c6a1KjrhfgnLQZ+wE2gyFoUcu8YvVdu0L4YCIT+hhTDAr0LU/doS0bYj/KDpkzyyw392KTS3ZgHl9pU8WKcL3x6Ik/0qbacvCbxPLvfwWRfUA3seOqPWlMvP2i6u8poAdy+l0ij4XYtqvQEWoYBERrM0+5EsyfJmJtOZYoadTtsJV20s+j62oi0WKqys9fVlI8bzq/ygY+GuoJud7AWwbst21xiNLA2JmSAYNlaC7d5WKWZvnEbbWR2zrtIWq3aaXJFgq4Z6Xbb6V5HIpuJHNpK0r1YK4mWdY2KKFAcedawwmWAImQTJWXAzgYboQdyU5ccVCsBOSGCEZHSRkCXZN/ZGiOYr+ldqYdU2ngtUa9YB4jnbAa/Jz9C+EY4B8OYrm/VgoHOKz86gAteYD6eCCgeXSkjSX4Ju/7LFkjJsQnaRBTXVg7Cat+EwVwWswJ5cHpCBXUkSczKWwF3fj2OC9qHXjdAxADH56S7bG3wxnIMVNhqxT/7V0Y1nweZy3gYToC8pUHE+zxnhCpAR06iSC8wnkjLaqpCVlKtPYhRJTLPk1rWHENQS1AwIVJ0dLmGCqgJCv1aSnX8ykRiM0kaC4lYlK4BZMfe4RATt5UI6pKjv4lwyMVsdykQdOWcJSowADRSiLT4bui/4SBPTdpLTtN6SYpdUJ9UcoZhg6aK+KNEfqgcXTq3uiGGILX6yzXjbcHpDyFxn4skwGTqBoN/2fnfGdiWvP4RdZEtWELphPN4ZboGo8iQT/ztsni0ZeTykuWT5q5wQUncQCrAeaDvTco3bN/szi0Zngs4sIPY87WiXAhz5GzA44y2UMVZhWtAkXD3Y+7WgtDs229/r49MSmUElTC4/oxg9wSxpN1QtvWKdzdOWZdmQxHFMKM21ys0yezwo5fnsH+6XifL+MBaYwuiJf5B6Mvh83M89z19jmD4xfJd2o1MhaC0K1RMnarSYH4Y26q/2gnnN+Os8Jaag1wZhKl82M51BjPZribLj7yRlwJOKon7p+NLkYML51eObXv7Y8S5HIWNmaZD8CfOC2gEngVl5bog52wpF8xko3JtdOahizovd5G9HhG8IBs37rwzOoVh8J3wY1XGXFXie7lvqwT0NgCkFFwwD2K+GuEqImrV9iW9I8OOYXh78n4FDw2DmLQCW9cCMmFypkLlLxmQ/5JOJsGsaF/wklSZ0oMsS/wC+GW1AwNAO/e4iimNfxH2gD7Z3lTD874JFVhC5gfHgEv3M6NCEuoArJh8Gw2h38EpqlNcgAdnF7fr4CcLM6VFGOw2+D1jJXGQ2RUgZnhyPZSFRN53AQROcfuvBEzIXUKiW82eh3b3/FtcxTUbno7O9xkV0S0kPPYBg4BKK2Kmy5cmFLS03JKA5KvcSOHT7QpVG9oVXDQtbk/qGQZ5osd2Dr/pR5lmjnqHMbc+530vx4vgWjKzfutTYTg==,iv:QfiqUy0j3UUyhgyBZrTxdZV1MHb8+fugIanpWDOrzX8=,tag:y7lmjUQD6mBOTcEZBL/iyw==,type:str]'
+isoImage:
+  passwords:
+    deployer: 'ENC[AES256_GCM,data:f8HvwuwgSQZ+FxleRdE=,iv:w/nOspDYaQJYUrxDaatZqfwzJz/MtosLLOw3BAi5kps=,tag:7ZxUsFiUsX4r9nx6Rf5LCQ==,type:str]'
+    root: 'ENC[AES256_GCM,data:llk5QE87o2EwzNTEfOA=,iv:xAnpHVc2rv2Trex1YzCmh0VEKDC88X9pWdFoOfZeofs=,tag:/Z6/tjBZuZMd0xgn25qrlg==,type:str]'
 kind: VariableCatalogue
 metadata:
  labels:
    airshipit.org/deploy-k8s: 'false'
-  name: password-secret
-passwordRandom1: 'ENC[AES256_GCM,data:o1xUrKiOPaucB+U2JSg=,iv:vJkmHG5B9/xiQA+qfRHyYwQFKIG1P0S0k8qwFCEyICk=,tag:MqLeMZ3BXhNKaUKvZoLStw==,type:str]'
+  name: generated-secrets
+targetClusterCa:
+  tls.crt: 'ENC[AES256_GCM,data:dHn0PTHUtSPdvuojub16FQDoB+l2ulLdo+GlPKwRkjhZMigNu4V3QRSSFKM5cnda9SJbk8s++RuZKuq0r+95mqqsCCg5ygQK2dh8yimyEmax7bxXtv2iL3SwVFf4CUa+lmyV/rwHkagjQqOZAmgVlOE+lXmpa76DrX7U/KlQIokyYrt5juxNcrjq563j70obPuyapFHneEoylwdM2NXwBVO6fzX8oz9DOB1deBxsiCkoBfQRUbiH4V6r8Oc1XvGOGhCHMEIueFXy/f3IzzD3HREH6a54l6Q6E/OmK27zsqYPYoA5L9NG4k7FZLjZu9UsIMKk6V8YN8oUYUX6AYnlyiaRobBqVoLf4j+dHibgPkQC80iK5fMq1Ob/4uIxW/cm/iQwtn/tHhha36Ly9BVkLUMirk0jgcZIg2o/fpYohaIlcA86ufhpr/p0mNe2dinreoTWcZGSmTwNwGdZrUbYBMJnH+nNoj1tTZVOd/L6skHCvL7/l3WJHflaw+S3hr+WAEjz5vJoxgkU3V7myz3rLTfMA9Vl+0kxqcrLvuZQl8AFwtuZm84AZw74ruheFqvGs1z/dyoA1hkeUa0MJdg2iOot7rt+Y6ZWwAIgpPEAaSyWuviI67N/dhpkM9BNutALjwJnHN9uZS30YzZXCFpK1XM7K68nvuHVKb7JM6SIzMT5DahTqXfJ101gmMIMsbqBD9p8ftQTwYZSMWmjdojRlC25AtaD0UHv9G3SXZQyhgU8ZFmFI7n+gtwihlozOcAo51WvDRKxbzwf4wrY2VPORgZa6L55FF8mO1NrDrCWTbwDI33Me0i+tqYn36cOj+NF7je6Reu9DpSiECH3+a2tJsD2UGxuL37dutxk/PtXuG7N6TfGj4T9lVCbfaLF06i3oNrcNSUKF1pbMmOM3e50FOZM9gycfNWm+ONJk9frzTT6lha+rDEvsGld/6+gHVMWct7Z0xDgjohlEjs9YjF3gjQB+LF9I5ndRRbPXXM1RFqqSdkz1celXD6ZOGGY/jtTELYTXrnn14gYHhxa4NFQ8FSulf47DpeltBrUedugwuXfChmn+Ty1/5Y1Owm8fB+xjxGy+8FH6HonEzJBOVQCFnijjJ4TRCUIztFsMIMM1CdVlr3/ivxezW6oFyuqRpq3p9Z1MXZEXrfMk7vI0pSWfHl4gOCXTd1dDLSGFfpdqjxe2mL9FhDvUsXRURDnWPxAnYQX3D8NIuoykIaUyH0T+AVfLH+H2lGssQ3AWogHSVz5WNYKZze2YcWlGuGWogTLhaRXz131Staqqb7QHRId2pWsnoZCWNcWg9wGVMRj9RC5IGMmXNKEIMZEV4YPsFPh8yYv0iuqOi3ZGcWCZZIB7LiqkOkI1AoZaIL6zuWC+WOahsvLnqKTMDyl7jTZle6sQS8AiDaM4bZ8GCveLFB5dN1uwDD8HA7rmwHi6j6udN6Zki+NYj4ut2Ci3cfpWFgMqzTwn7M7cooq6a0TYicwgNnftKtY9trr9KUI+s6yN73bXxK/ASfwABvUGbV2pLZ0zMjiAk0P/M9n11VvleeniRMsziYlV2ccRLYC3KLdZdhtvNnCn791X2p1E5kQhMcziGDA4MeaoKY7VuqW3PRSKC/bze9UWrwYMYmnktXNeY4uWurP1cMCGOuJ1N0IcKHnwmvZHKB0ZAxlZZTl9SlZ7ktzcLlaYUFTIYdp6RqoT7vqnDCJLi/POYpKq9CHSCuuqJu4vnZfW8fwi/CBZQt/VR/jR7spVk42UYjvWy7G7DYy4hsaNZBQM+RS/59vgOVBwdvKZRiNPQUMAGvDXYMbp1slU+xHIYhp+jyBflt9RHuaKAe6eFyDEyLz87ccvqBFCDSFbKb5VSW3gTTfV+YU/L0kkR3ZSLghg0QQRwjXJPpacmP6Yp4DmJYsJpF3Hi6gUD0EwRBTPhGkIgM3FjZYTE9BVBA/Q+NNmH7MlA==,iv:6j/U4n0YatBxXxf+gUi6EzXbJU45jc9KZkWOtN0QT60=,tag:iPR3lKvc2h7hpOr39zcI0A==,type:str]'
+  tls.key: 'ENC[AES256_GCM,data:nL5+ONfbkauHH6DH5ViV42F6u8Cvl4bjiTEgUOmbU1a/nyvUUnLCJlaPesr1iPlj+VSlAEjj2FSTy+yi/4QHhdpql94dPCH0xLQFIZKqMegHXuT/+ID97upY0Zcnpa7vRYXbM1ev5dIN+0TkMAaVuCbXvMHG0i85kNKj1FsuLBgvTMfs1IzSXm3WsVIsUJHkGZMPSjF+SvfQ8hcnEiduLbkeEtBoOzLSk4EOgPbrruv550DR3sYb84kpRdf8gUpGzRq1Qkr6ELrnG1f5osMBUOwA1k/AiA2LCtEUPJJPb75V/AMrPQxQke0C7c2m/efk4OdJDpcnlqVXsYQpk3MX9qz99sYS0BiCZ/7cy4o6IwSX4lU2iPQV42JVb4oAkAleCja30OhO9cIAiW3QMBoYhSxD+sFHnW1HiJdsNhNBupNk/d8Vkv2VQg8+Rz4dgupd8b/VsD4nALaYS84JK1IsWClbd0y740LUOa4S/XSa0gLl1njocw4bg98XGBjiEEG9CB6jBOgS5LCL8hYdE7a9FX8iCRwDI67MU0ah7vx9hWYoal1Ke/xLWQI/D0aU0Zg4RXiykOY/HfLxzpD56CrUq2GMNw/iWzDXoCCM140G5l0vDBINYAbWtpYqRQM8aQM8yh9wTgA4PJsSDLOZCYi66GptfPXQXjREyTRyqVOx8AoA95Qp4ggVcGDz9uRYYgZknxc6gxcsPoKXcY4JcwwK9zp3dsxYN2GGVDgHstzVGRiWrm9vn5Y1Jy+x0ndvjC3HegEGju7OpkOsVYMl/u8mNCzi33efGHkA6DqCXA+n0DF8slHEeb7SngQsP3L2UbfMPOPSMyFFXYbWe5h7YP1DvPhsrTEAcvxIbOl/aagh9GJgLpq1pWFgYBL+4Lko67gjZnZCd+WTw3/R1W9jnuS7AQ+x0Lzxil6+fGIt+tYQ4QZChw7rghqoGus6UzcATe6BiSwHG5Ltj799iqsuLUckFFATayWSHYfDs5CsNokNqQRTm9Ko2YXEigLb1J230WgoWBgaeASL18vZ0b9Ziy2rWNC8ZHBis1mYKZvSlKhy5jgXBWSDYFjI9DPGp6hWbEefYd1KpgVN1g7aHkv7dZibKlEM8OkxB/jdncAruO+I8ROSFfj8iWVFjPuekLNqrMfubHJbXgUWOsp+BzQwgtsqpjVHFK55u0bJNZ/v2G+whzQA+VnU8RS5SVCV0ZpzJIsG06lBbhUGdP4RIJjhRwy8LI5fjwNshExsZPC4FcCV3n8bBb/8aqJIl7TQ92trz4QWSo8Yo/6rdKCIX3/zADHHfjgPjOwLw1Qy3QrMc4kxHcEk8b9fgHf9+Z4H7k2ttdco2W9Jh2utNk5Qq+Zms3XTl0Cw4gIaZIndg4Qr6ZBCy9kzLva8DYQgJLNqgrh67CZ2SRGnytkpNYQl4KgCzbAGdKyZlGisUXaqTMwFxGEMb9P8HKgRUo8t8mB0OySg+2a7UIL4EcQLQLeCMyLgCtB0Mi06bHdh9Mo4AGCFGwC3ocXbn81DdpzMKQDzKlqxTFwYPKn/PP15TGAhQaP/29ECAFiXTrouvl2wmGnpiSsFKWN1391UzO21eBmxwCMf970M5uDMeOak1gaqxJsW/ck6BnjmUHSwZv5r/pTBh5aDjDiylKC7+sH0/Xe1upTcb56Wks7rj8hf6Vf9l5kn9lZZsE47PeHP3JZgosXyKpNdMmKsD/kKvMZ2X47KWfRZoMNEY45rwnnYGErKAGqooGnonP21eXXiXDgTHt0ykGP0A/ecDMLFYVWedLKVb3pUi/R907GgMPBThwU7EZNZgnGLzqTtRe/hCZvJt3DHBbHZPRz/Qy5RC4zZftj1HQ+B9BXhymPembqSv/DE7AwvFHjP2W9ZFsPwE55AnldTcRGfTmKIz/Z39qf1u0HP1hV3Z43TPDaE1HO5amNQir8c9BdKocyLT9TgErX6EnqEiGB7lGwbHDz52VSHxQAswU/uHBRSZ3VaZ5WOpQY1Wq6PqZbvVxKXASE3zMoik9SmICfgSeY/HJZS2fHk5rjm7uKYgEL2Zkg1/hxXIQJs7slc7znhM8tdKZoAa5Do753cidM6PmbNwD+DmBwT5nZVp3KA5ffaMUW3YkzaeqBgkBxnUamhIwgx0E7kyuvzJxENm4XITI74wNVmFYSJW5CfI5zPKf9yWxOHDFFH6v3hdoLOC47f0DUZQEdGXmVyRQcWEbfgmiZ51qfdi88A3CuUDmR5VXAVpA7+7wZkydSVNWfViOCAiKEWRutMCtxktWTTNBCLOoaC/jEOjbuD2jPA9SzSwvPnZeT9Q3osuf+VxiwzGIIND4PpMHrG2BYT3SojLeIzOpUFnYYRbV0jdU3qAglJljJ87r102UfynejnJpyElPPh13mZNkHUW7dmWQATqxux1bX92ZfbSSMaJPMulK9F/DkZUcV40/LAchfpPTJ0o72pTvVi30o5VCOv5XBH0A5+clQ6hs2nLY3vd5TF+EsgFynRUoqPuP5+WSUO/zVOlpw/wd14wHmaud4c2Z9q6bDJeJmJgUSmI9LjlK06FSqnx9AEHLV7LZA0s4JEoBoRSP0zOYcZ6KeJGbS/kDR53s8XMq0bt+thCv9AtR7L9dogyhC4nDFdqcjLTgx7A6cQ8sh8wmwhWEvBEZ8pT0cgY5x1RYM5ae3SQSK8a2NpXg/X7o0pECxe+YIYtt+Go4M+6PS3JZnqxL5bHUcAo1M73BNku0in724EwA+sosvblLnutDUBvP4naOHC/RN9c8QgkLCHIy1y5+NLWEanx4yTvbCZkZbhqLSCsX6Aoew4eF5ep6Y2BNiAo4cXtX4FQvgzBqFFu9Dgwp4iPs0cy9S9w3bL9ELWmukwH3DhjpByNQ8UEfR5UFsb9lRmjtBdAGVkdaJAQxah1WWitdqRZjAaAo6y6sRFLM8FcXqSuCjKXTs6VHWiLLhSLCWAFFRzMNpGqnunOBhk4uYpn1/XSVF5UA==,iv:HFOdMUDdmYFat6lW7YDJeCvBSn4HlxEBHyBQ4pYi2cs=,tag:w/Mf8KeiAUjky7zcR0E2mA==,type:str]'
+targetKubeconfig:
+  certificate-authority-data: 'ENC[AES256_GCM,data:pS6RXSBAeCT5kKyphp3sP+R8ps+CXvzEk8uSmW4vzuehcWioa/a7f7tfjBJWJq9QwG5tS63j/ijHdNcFne8aco6tqQSShqsH6uW7t8CrodB7+2cbRsoZ0Nr2u4Dl8Xddp/YHsCQ5NUHmjzYEADUn2Rg2vYZS8xVxB3iwHqRSVkWCCJRxYJiAhmXyy0xaYX5od11Yucqu7Fv3PUPP/BVZpxVUmk5pLRueZi1Dhg7vlVy9IdV26NwCPCyvRVPldjWfWptWnRAEWusn7efVgpIZpOg7vC+MEuvgIDBVqo5kyuKEHBOgzdhkEj9X4tUyLxG6qxYJDiEbpqPZk75yr88UHIqt2jDjd4M59AEqqPMCPWlOYrlueSyUFRC3z7r3bZPWJKBEB/ln+g4MeC2DbkZ8uyw9M/vEMzFkPUm4OXJXdU1phieRfRuAqxNLktDDRsfSiZfqG/DXa2cYBGa3E+0AHhmhGf6XeSOesIW2bsTdS75Bq9k00N9HbMSUG3IfBilajlZ6cTdwqvQNsVU7R/lKhfIKT1RJdx88Kb8SDgJp9vEcqsDyMx+TzL1LGkXcUYo3Pe1dR2mQ15l2vTOaWBtitLzM8d0AEtfaVfl9LCcDn4uFwFQ1P1jYHB75ULSK3Ft1VT1GfLoT9+vogr8Tzrz7p3q+glHHrBthuWPPga8zcEON8rYk99B5EFAEf+SnPQwDMnQ49aE8W40pyYeEgJBy1x9/I4EhZIfsIGjz45VX6iiGl4QV607ced/mZ0f2fzNlWorxxTSeXhIijyu42V9vvM7tz9Xl94FevpWbNH96SIVLQ9Bdl/fR1ZH2osZFmv6g5rwqY40FOVOR0KF0fWgBF95qUPsfSXQ0jVMlitv2tn5ijdYigJORccQxluFIRv9MdRqKG5GLrhG+OP06Tvl9agvArgHBiraTyKySMv0oq0+holFoGLUpOsCg3KenOeRbUvadkDRYx852H/s6nU9vjbYn5zSUVLcpZG1UWQakVcIWqjkQWvDtqv5td8gzSRJ8RkqwuXT0LIO79JcrG4LO38+8Lr65whuiRAC/W74F2IcPuPS0GbpWVyovzkhG6NutuJ/3hh8NHF9s1wm3e/X3SCsZKJEbKTH+46gc3T+Oeqpwc7vn46wsyIn8ix45kEJlf359eTQALYjkY2qIZSf7qwdvlN6W1n5xnPDgoYLzY4ZIRwiQruiTebSDvPwcbl0q8rkYDLLA5yv30RKvBLlyMyfWiBc8zFUemygHIRR3LZ7bDEml4Ki4grpJmArDegczeKNgoVJfB2D+QxTHOLpgKVLugxUkBnFFonFynAgnrS7ANCN2V8iUV+DRBsbL3etwSozVFs3IWYxlmqrfCFQzL/Tw+e+9RbYdCO6+5zIZJH66ThJYXewGnjIQmIjXQWXQFQ6DeqHVUM9I5etmFmrePj2vCDYPVOJ1xBNzePhKKy/HxSyb89ljiybMOafrPsMNXZTqAU8csii21Yfbjly13oBavQtzms/KtQk4pmoRRsXsMmMPX9GZqpRf9QpLkJQFMnQPeno9aGNf/5Q2DwlfWxJaopAR98CLJFKnx70pDS4DKeUUXFC/jAxm+Z1FNJqAtGRARxFnzZcYIzoMaeZ6z+crD7o/ALukrnIqWtFDJh/CCGJ6kbPup9142TxCK0DbQTobPJoIx0dBw4s14Wau7p96gRSFXni32FnBKE8CfpQED9qZ2y6U2MKb+7qaI91PRs6LbGJswmum9n4bPKcOiL60+n6PRd8gSJPpJ20M8OYRZuu7znUwzLf+G6jumLG1Aqwvm3/eWU8o4ouA/MkatrisR32Hg/Og2dw/L6W3a3shqh9PLg7GcwhmhY87dFAvfwiEYYx2wG7Oowm+IOiNOnNUaL6Ax3xWpje8Czp/FCHXI1z8E/ZHHcuEkAHPZaid1x0sEE9n0s7GeaI+D9FLPWKQ2sdbaDZgm9UG/w==,iv:03fiX+pQv3sINBBiMVG0jlszcRzBuik0+YLVs5WrQM8=,tag:/n/xc2EHUDbcOuAxZhPV1Q==,type:str]'
+  client-certificate-data: 'ENC[AES256_GCM,data:lmhhxijI7HD/SZRVrQMYo8Ngo4V0DCXDOSxn63cVePeSf8j9QbBJiwnxeZvPx+BMuzu/bv3QtsE5rUo2yuq2HZv8Ju+z5IQPrv0wSYYq9WOpi2SDRnN9Mn0c99TlkxxyJ/rUJsr2i2PlVhuVnKPwNqg/IXp/SMJp2FFiws2eIs0CglClzns/IgzXTJXlrAbVZHhD3YPs8+1I1Kr8cDRTqV6eyzWQpc6evzcDN8AK78I8uFNrLJjCbgh7CnSsnjxYngeF6B/bAqAdyTBxMjeU+GIDIHYmNKn9UlIdeqYC1rZx4Q359gH5mtFuGONDxhml7ideeNry7yPp6PuNHi7Cz33gyFzY+uiKZAkuCS2hucIfSIUOPLYlp0wcfYAxVCAwUUuvan5gE3d1SRk5BjMlseA7UMIpPX5lyB+9tek+9AAYyy7TczCbXWWM7GFYdwTYAqWwGx10fjblwvIwpK++MsdNQZMCHvTUbq83uSyCSb3T7hR6YG/qGnWcwUmJYj4iqT86Atr9rC3CSFwW/0GhvJmlMqMyhPB+VPlYWxqqASIcm8mqLFG6aCeODRvH20kzcsM9FVzO87xJafkOEJBfWUyn6m1GN9V/5z4Y2y/4VjgpksoVT1sV7jimtECjXIp+NCNyNKFc9w7YzSZW9FuvBJgMqzqWxJzupiDP1WiHpa5FMCcL2+k/jBPEqjL0nInWdNAyIc2dtnVsV3wBfhNAd68sDA3ele1HRBPE3OsGDxM/a5mzUu2HFVXdw7+ptq7Gv7qxUxWFP2zw+3cHDIM2Vkg/mPP7p5NMME4DnUb1eyV918db7N4TNJMm8tU/dYfozXYMjq/GpH/ubCaFg7pGB0qLCtkgVuunakY3ARYlfsi2i21gJg1KnHxWJDGqmC1ICjhdWybBA5xo1jBL5nhxT/cxTIRSeFEAYDaN7QTSQjwSrAQNysyUe+gSq8KyrkFMZponlIE9FE3CVhYqqbd2TXOvi9a620Y+Oke0BJb0IUNuaMOfveLTp8SmmAtaxFN0mQjiD1XIAa2L4EYnSj0WOChNuVHrSntiGaJTIrXAA1gto8ysU3OTkAeuRvCZSm3iYiKl5Hs2mmVae/oDBoeyLDviuS1olCFxiVItrQh5VorvBQuytogQMHbMDKk25c2tn0+xYCyZgsnSMPvommIj+yBbKTT5Rbc52AX8L+I5OCQLj+8nYrSuGh0694lLCi1Txqd/YLfHJu+QwrGg00EQga5XMRToHxu0SLqo6H3BA4WnwXsdHNt0wQeQB8L6l7Mc9yC6L2Iv83fkbdOmNHxMVwYSlmEmiaapaE2BArc2eQu/Qcxy1d9/VSoscP2XKc612g2yNCaDQk+zQBcYOKlM+AYkiVwPDsPZ6SMePzIYS+U61rhdd2VX3Wdp5bfWSI9obobey6bv7ThYdrR0T9Q2SzGZTY4a45jSTLALRXf0a9onZemD0wNyQMDFZAr9g1LEIuYMP3wI3n3TaAPtbdhBXqy2qrnyyQewgr3B6b5c43pYgmtwhL0eqPWus9/ud+mlvn9mpA42/GDwdzdvbJh2U4mzZdNQAYiI0bDZ81e3BdZiGF6w5aIiCLX/vgIZF40UHKaEJ62bdT8z42Y3kQ5CDDsIQDTWJtSxKkvt/OFDqHmP9zv/9paxekUzZA9PyI46pJUt3gXebpbCIXY0t4JEWkVATbKODApohY2arCLU4uK4X7DMKHnE+N54xBXHX1cfw/vCw2xvlHnrgbqEkEgqgOuVIKIbQJtmdwFr1D5InndHMtPB8EmHXW/OgRRnzIJ/OY6YXTTVI/9f+SG4SZMkhBoCfOP1h3jUNAQWcvuuhUxt7/4JHVF83kVnmD0u/9E9ObTP/56mDcExANfQjLwsNycuyz3x1Zns54KSUSwZi6kUhc5HttypfLDB0iTZZbqHCIwQgqoAy1FzqCOILCd7h78gqgzDnXF2tqoW94klKAvOx+fFfdn62P60MTpM6Rxq3V6hdQ==,iv:XFuBTIQJT4ns6M00T3HWSGHdknjsRZ4cRZQXSsLiOkU=,tag:3flxFrWSyiuyiyxGkXTReQ==,type:str]'
+  client-key-data: 'ENC[AES256_GCM,data:vlksLx8mgfvfu5Lnkv5DJrEUrsnT4Huknol3zk8gbcbowbB8YmHyjTWLEJ1MsAMJ2S1Y58ztnYmo+fXEoK0QXkiLjuIz6wFLZGUFhVSRQC1zUecFZgv74qAigwFcQ+HwFmYdCynNB1BXlZHRLMXYkLm4iyAGgJZw4zq0aown/DE0CYEtRm6oid4eOf3bdW2JD2TbedgQWB0wTVdgESn3kzT6xzS3i/7xlXwTzgDNmqW6noTsE7LsaUt7XM1y5R1Mcx3hYl3YSi60KIlEe1azavTjtM79uSoJabjBQm1RtPbbkW/+furP0/jgXXEz8N0qHmvH9CCu1E2YJS67RDEY1+Wt2YvfPA/wbtuUwc/HptbwCLXDdAlfKkIVOp3TyJki9e9RIYLAkSO5ljoJbeYZlzdeo1atTMLFE95o7q/Khj2w0pdLrkzMwE870Umg8DqlsxDcaBFgzPAbdWHNzr3gGQ97Jfcqnx6hRO4019gUx020NtZWCVg3bHTJO2n5A3G4OeG8mY/CFTZ3Xw04ECGj9aWbeHKXCGnpfsw12UbGYDUkcaF5UYb/Q5Ly6j9d5kVSPIBUihTiqdos2MmWQ+QdUpPYr0eeSR+5+3R7ld2yTla09jEa/ObvEGYRR8rENR3QwVws7g8+M8Tr0JeFGGrrhx4Uefs5Vrs+hr3UfupbBjuYGFsAqbbjgh9jGl2JY9bfbbxHdB5+72PrB6Wdg1E+Z64RBUR9cSD+7E7KZRBSMfEWGQEHgjAmizbr7vo//Xb1hcbRGCZtYc9fgDq5DYpe2UtT8o7C56TSR82nA++/GlzxoJgE8OrfyOpyqdTu3nIZmOG7WLjA8D+UQXhoIUXiSIw2RaKpqBvdoST+oE6KKu1l15SXJN+vYSKtecw3mjMfEBwN+OxMUXgJHKVIM/+W/LKmdc+yYpJX1ePoPGEl+N8xF1s+lGb4Ml6GYZwN2Jn/ePd45IQedw0Aujn4Wnh3kVZ3mjRCB24wAEH+Znp0mshGBJ5AEK9b2z3oPlGw7Q1Ii+prK4mD7ssvm3XfqRvew9JIYvkrcbUx8XlG48FOeV325Uj13H+GTiVgB45rz1nJxeUlEr+u4zQaUAgIFl/4N+akADIHmV/NyOOUOdDFXx+dOch5KiMZWNk9GDf3fxC+qkATIAPn9zaZ+HMc48wGTBsMbvWkRfOCSiA74Hf181ICAxVeJYlItTAqkSKRFI1M033dyeHx4A+jRGAJFXyyKL+4DW3J8qW9C3sMdc8yv4gWO80fwL5o8TUyO4yrFu87H2wQwAeZPzvE6TPZAYdcWgzaPss8HTMfvJ8g0ufC8r21EuLQR9qlzPUxgOh1DHVe3DQ6+cOsNJKrVuaKfFt6/KAzOWN/16x7HhjxIqZdZYV2Ei0XfbQbDz91cuQ5vfsh4Q5oT15Mc/AyoNrqVfdAsA8370hBVDPe052vuPwLHwOz87oR4FfP9pl3ynUGRhl+KDjHCpYg1+TYIBVEsPNzFBtDT5v4OWQh1gvou+gqdvb2W/RyM9lyEv44t7KqGAfgMPxNt2FuGgOTWY2drveVSi6K9qxgSqzFh82CxxyUkNOwSjajnr1Ssx1UTTMt+11FeeQIsMEKnokAIJTV78w1ZF/MwXDuqUGc/faunsNi+i/zIiAaJPz/F8Aa2hza65AbuQxnQqytEpTPV/DKXB+XgHiC02N3M8mE7qlF/zD3JWBt/IMThCaNT2p+c8Bckj5ce/9ESyXsNyh70A3Iw/f1Xep0tUVrQoKMmBU0EOFFHZqyBHsjpU3/IAWV9QAG/ysR6iBzHEbRIuhP1t/0IOKmZ7FeIQYGI0bBfyP1TumgSQNMCXCiUirPZEINYV2uRZHhA9SXx0MOo9EXgFNDRrW73RAj450nOCkY5iEwS9LXtswApNQiLXsvkbZ8eP7rwsvCaMfB5QtJ09eQaRjnz1pjiB+cXcweFwKT96qGFcfHzYiQCG7KIrGNckr2w+EZWLq6ivy1l5jwngKjMFfqJ/w1aI/qumWhYMOXirYf3HvGXaSSO7SWfpTYgSA0p9m99FKyCJeImew8Ef/QZKo6Tc+9zYRKuXeSlb+mdnXnPx0QOHoICGa2Fs4/OgtWAtWPb8H1PsvBtp05DctfOgrhm8g5XwOpqrr3NmR+dSjSxQVr49lBsB3pxRkffMB71pl8vzIYzlV6RDNMkPnFFge24wL776M25hyXqArtPU/pORBDaFhuD2RFI5unI+iOlqOwNGkf2Ta2MQ0QLiD1iaPy8wCIfViPc79E3cDC4JkP+TauS5dq9OjHTQz3aUaE4pnrM1DOTUld/YDjk3rXFdxTQ80I6AdVCWZGED6JrMjf6Kgww5Ygw1Q8pznoBBKy08nFW9BNTvRozYjYMH56Zk0zxFiw7iYEfYTXLYHA8uJTduDZh45wZYUd3WoMobNi5h+VjCOBoVhFAGdz+aUVvl080dtN4dOOvBcYUhJoBALmsWn6ODyyBnxEGuY+2Gul1jkDMs40ciI3BIq4Rtx9I8JdHhRrXcPDJW8WqkuevUxZYUawE8QC6e+ZqoPNwTk77yPsHloOuxRFcKAvwymQAR828nynFKnfA1zk8AEjVTyzTq3km/QLdKTh1j9EeKH2HZHkjTrCI/sS1MLfYelwAAwhg+h2sY6o9J94GPydYV6lGMvEINjuWRi03yeoIsUVbq+YWckj7wup2mlyntgtPb8RXb/i9IFbM8gjp7vPqn8qFUALT/P0dsQ/Tx8ObFdn6KLVEJikH8f/ZjdOi/k/a0xNtyxLtvJAWX6gMkSASt/oZQ8g+WjrholxNxZKbcJvOtSbaZjJ7MvOpjwx8GLWc6lH6n5sKAvd0Yo3jd5k1te+MJybWrMbLcwPUY+uUUWkY8OkGpq3nXliy9R4cpxsMs0VJ+9Z4dF8B7vpwLS2gfPqbCKxaCAs/u1KQcUuLOGBQQ4mjLTWvbPpVDSH4wQzWvucbWS8c42yD6RsAjJ63+7ngQ==,iv:k5QGyZdIRwKnMuVqG1qzu4iyaLD1HxvryjV+m4H7N8E=,tag:GDCtPo3HUjHUQvpV7dBS1w==,type:str]'
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
-  lastmodified: '2021-01-14T11:23:10Z'
-  mac: 'ENC[AES256_GCM,data:7aMFeEfn5MXU9M7U+rQ7fIcWG6A6BZILsvgVyEl+esa8EhEsOL6dRfITq2x+1t6ft+H5nRqbO5GyXJ3mhu7n/x5FBVVqBcZrvydojrqBWizXA4HQAc3t8OS3D1I2WLLx+S7mI5AiKDERGZX4ImiahSebqL/bNfpYdDQP+gX8+vQ=,iv:zchumZaGhTpyEEsJMMlW/e1vieqjVKT32Kiv0LuLPlk=,tag:q0vWzGZ8D4HYHTvdRymG0g==,type:str]'
+  lastmodified: '2021-02-04T01:31:55Z'
+  mac: 'ENC[AES256_GCM,data:2WFdA51KkN7/cM90p61XTPUjykAXqTYuM1mrGbh91GxRLVL0fBNGljCb5PCPY/Ir3xnP7VFQN6LtBwmLFdj+7spj4Y40srQBU4A2e8j9GzuhW14jtvy2de+2v2wG2BZVllyaWKbu4+Mzav17eK9mscawPUCefed8InxXiF3yV1c=,iv:XbAJ3aHV3kgo6MLGTYkBzWIGp199l1B5siXMiFBXlUs=,tag:Q/cz3bQ87/TwAAsikORuNQ==,type:str]'
  pgp:
-  - created_at: '2021-01-14T11:23:10Z'
+  - created_at: '2021-02-04T01:31:55Z'
    enc: |
      -----BEGIN PGP MESSAGE-----

-      hQEMAyUpShfNkFB/AQf+IIXYumKkSmzMHCoJVXculVowkez4aUI/OpdNw2CPWNDd
-      3Kzea6kTv64ef+kll9DhczP0gVlgUZ0p0MenBfmkI4qt3wr5fyRUVjUpfF/R8Gmc
-      9GZf4myDD5T2wDJVCkNmO2wogbZ7IZaGdx0HV3DihvSGg0xcGBUaFp/zeR9vXTQs
-      a+CecTBm4+7uLnDvHf4Rathy3gnlLrLLdsJXRgEOJ2Fqp/JjoqFqsWOol9lFwALM
-      yRkxbWjeL7ePddXBZ8QmOB/AB0RKSRQ2Yd9RXpp1gSFKn5NOfWIZsaVgdds2zOw5
-      R5syWHhfzVylAxNrKJYIgr9hLje48W/Y6GSezkGvG9JcAebQzVP53UtXkwJSIjda
-      86WAFwpgpZ0sEG7zpSpxS8p4g3XsXjOdD2b0y/dwXGYK5oeOjb/wGYFf1EX0p0xk
-      BqGQ8JHxikqW8oEuyEgeg96uEMZb1Vy7u657zPw=
-      =VfIN
+      hQEMAyUpShfNkFB/AQf8CFwdvykoBIMfsOO9bSuz8Cx+IFhJGwPPEsSId+q/EFdz
+      tCop9SpR86AB+4T+MtC46uH1+gcV3Ko/dlXP++49BQ0zWpzgfDxsnnuudZyNX19D
+      SFmlEHKBniKavLR7P3Qg8GJMpREVkjQTRgSnZdwttWXCmFGtnuhBKajautlqK7Am
+      4J7iLGIiY1ynmig8JCJZ79CaSbyh8+/jmvjrx/17mR59HYUizH0P7FbPwAwDpoy1
+      lFh//AJKJ65Y51ar/hYC+ljdgE91UNiF3zsSETI+Lp0r5y7XG/tKeV+tqQGUdhvn
+      L9m9eqrvAw05TD/o2DKZSoSeRKLcMlqNwxYko9YO9NJeAfc3RbCWltgTii49+srf
+      mwyCuz/BQwz5rRY6VP+QLYkDGmzEjekrJGqWZQP/BU44TihL06mv/mxY3xConG24
+      Fy5Mi9UmNwsJMWBIlPEREantjbVnboiS0Q0DN0OAIw==
+      =+R0I
      -----END PGP MESSAGE-----
    fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
  unencrypted_regex: ^(kind|apiVersion|group|metadata)$
--- a/manifests/site/test-site/target/generator/results/kustomization.yaml
+++ b/manifests/site/test-site/target/generator/results/kustomization.yaml
@ -2,4 +2,4 @@ resources:
  - generated/secrets.yaml

 transformers:
-  - decrypt-secrets.yaml
+  - decrypt-secrets
--- a/manifests/site/test-site/target/generator/secret-template.yaml
+++ b/manifests/site/test-site/target/generator/secret-template.yaml
@ -1,19 +0,0 @@
-apiVersion: airshipit.org/v1alpha1
-kind: Templater
-metadata:
-  name: secret-template
-  annotations:
-    config.kubernetes.io/function: |
-      container:
-        image: quay.io/airshipit/templater:latest
-values:
-template: |
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    labels:
-      airshipit.org/deploy-k8s: "false"
-    name: password-secret
-    annotations:
-      config.kubernetes.io/path: secrets.yaml
-  passwordRandom1: {{ derivePassword 1 "long" (randAscii 10) "user" "example.com" }}
--- a/manifests/site/test-site/target/workers/hostgenerator/kustomization.yaml
+++ b/manifests/site/test-site/target/workers/hostgenerator/kustomization.yaml
@ -10,4 +10,5 @@ transformers:
  # NOTE We can not use patchesStrategicMerge directive since Strategic Merge
  # plugin has to be executed once all replacements has been done. Therefore
  # we need to load Strategic Merge plugin as an external plugin
-  - patchesstrategicmerge.yaml
+  - ../../../../../function/hostgenerator-m3/cleanup
+  - ../../catalogues/cleanup
--- a/manifests/type/gating/target/generator/cleanup/kustomization.yaml
+++ b/manifests/type/gating/target/generator/cleanup/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- secret-cleanup.yaml
--- a/manifests/type/gating/target/generator/cleanup/secret-cleanup.yaml
+++ b/manifests/type/gating/target/generator/cleanup/secret-cleanup.yaml
@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: PatchStrategicMergeTransformer
+metadata:
+  name: smp_cleanup
+patches: |-
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: generated-secrets
+  $patch: delete
--- a/manifests/type/gating/target/generator/kustomization.yaml
+++ b/manifests/type/gating/target/generator/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- secret-template.yaml
--- a/manifests/type/gating/target/generator/secret-template.yaml
+++ b/manifests/type/gating/target/generator/secret-template.yaml
@ -0,0 +1,54 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: secret-template
+  annotations:
+    config.kubernetes.io/function: |
+      container:
+        image: quay.io/airshipit/templater:latest
+values:
+  ephemeralCluster:
+    ca:
+      subj: "/CN=Kubernetes API"
+      validity: 3650
+    kubeconfigCert:
+      subj: "/CN=admin/O=system:masters"
+      validity: 365
+  targetCluster:
+    ca:
+      subj: "/CN=Kubernetes API"
+      validity: 3650
+    kubeconfigCert:
+      subj: "/CN=admin/O=system:masters"
+      validity: 365
+template: |
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    labels:
+      airshipit.org/deploy-k8s: "false"
+    name: generated-secrets
+    annotations:
+      config.kubernetes.io/path: secrets.yaml
+  {{- $ephemeralClusterCa := genCAEx .ephemeralCluster.ca.subj .ephemeralCluster.ca.validity }}
+  {{- $ephemeralKubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil .ephemeralCluster.kubeconfigCert.validity $ephemeralClusterCa }}
+  ephemeralClusterCa:
+    crt: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
+    key: {{ $ephemeralClusterCa.Key|b64enc|quote }}
+  ephemeralKubeconfig:
+    certificate-authority-data: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
+    client-certificate-data: {{ $ephemeralKubeconfigCert.Cert|b64enc|quote }}
+    client-key-data: {{ $ephemeralKubeconfigCert.Key|b64enc|quote }}
+  {{- $targetClusterCa := genCAEx .targetCluster.ca.subj .targetCluster.ca.validity }}
+  {{- $targetKubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil .targetCluster.kubeconfigCert.validity $targetClusterCa }}
+  targetClusterCa:
+    tls.crt: {{ $targetClusterCa.Cert|b64enc|quote }}
+    tls.key: {{ $targetClusterCa.Key|b64enc|quote }}
+  targetKubeconfig:
+    certificate-authority-data: {{ $targetClusterCa.Cert|b64enc|quote }}
+    client-certificate-data: {{ $targetKubeconfigCert.Cert|b64enc|quote }}
+    client-key-data: {{ $targetKubeconfigCert.Key|b64enc|quote }}
+  isoImage:
+    passwords:
+      root: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }}
+      deployer: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }}
--- a/playbooks/airship-airshipctl-deploy-kustomize.yaml
+++ b/playbooks/airship-airshipctl-deploy-kustomize.yaml
@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+  roles:
+    - install-kustomize
--- a/tools/deployment/23_generate_secrets.sh
+++ b/tools/deployment/23_generate_secrets.sh
@ -13,3 +13,16 @@
 # limitations under the License.

 set -xe
+
+echo "Generating secrets using airshipctl"
+airshipctl phase run secret-generate
+
+export AIRSHIP_CONFIG_MANIFEST_DIRECTORY=${AIRSHIP_CONFIG_MANIFEST_DIRECTORY:-"/tmp/airship"}
+export AIRSHIP_CONFIG_PHASE_REPO_URL=${AIRSHIP_CONFIG_PHASE_REPO_URL:-"https://review.opendev.org/airship/airshipctl"}
+export EXTERNAL_KUBECONFIG=${EXTERNAL_KUBECONFIG:-""}
+
+echo "Generating ~/.airship/kubeconfig"
+if [[ -z "$EXTERNAL_KUBECONFIG" ]]; then
+   # TODO: use airshipctl cluster get-kubeconfig command when it's implemented
+   KUSTOMIZE_PLUGIN_HOME=./ kustomize build --enable_alpha_plugins "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/test-site/kubeconfig/" | yq '.config' --yaml-output > ~/.airship/kubeconfig
+fi
--- a/tools/gate/00_setup.sh
+++ b/tools/gate/00_setup.sh
@ -36,11 +36,11 @@ sudo apt update
 sudo DEBIAN_FRONTEND=noninteractive apt -y install software-properties-common python3-pip curl wget ca-certificates
 sudo DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends install docker.io make

-ANSIBLE_PACKAGES="ansible netaddr"
+PACKAGES="yq ansible netaddr"
 if [[ -z "${http_proxy}" ]]; then
-  sudo pip3 install $ANSIBLE_PACKAGES
+  sudo pip3 install $PACKAGES
 else
-  sudo pip3 --proxy "${http_proxy}" install $ANSIBLE_PACKAGES
+  sudo pip3 --proxy "${http_proxy}" install $PACKAGES
 fi

 echo "primary ansible_host=localhost ansible_connection=local ansible_python_interpreter=/usr/bin/python3" > "$ANSIBLE_HOSTS"
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -126,10 +126,13 @@
    vars:
      site_name: test-site
      gate_scripts:
+        - ./tools/deployment/provider_common/03_install_pip.sh
+        - ./tools/deployment/provider_common/04_install_yq.sh
        - ./tools/deployment/01_install_kubectl.sh
        # 21_systemwide_executable.sh is run in the build-gate pre-run above
        - ./tools/deployment/22_test_configs.sh
        - ./tools/deployment/23_pull_documents.sh
+        - ./tools/deployment/23_generate_secrets.sh
        - ./tools/deployment/24_build_images.sh
        - ./tools/deployment/25_deploy_ephemeral_node.sh
        - ./tools/deployment/26_deploy_capi_ephemeral_node.sh