Merge "Nextgen secrets implementation with separation per cluster"

changes/38/809938/1
Zuul 1 year ago committed by Gerrit Code Review
commit dad459f5cb

@ -3,16 +3,61 @@
Airshipctl consumes site manifests in order to deploy k8s cluster or update its configuration. All manifests must be stored in the SCM system: e.g. git. For security reasons this data cant be stored in plain-text form. There are several tools that may help to handle the complexity of dealing with encrypted manifests. One of them is [Mozilla SOPS](https://github.com/mozilla/sops), which was selected to encrypt/decrypt Airshipctl manifests.
Airshipctl has a standard approach with introduction of VariableCatalogues as a configuration source and kustomize Replacement plugin which must be used to put the values to different yaml documents. Different secrets such as passwords, keys and certificates must be presented in VariableCatalogues as well. Some of them can be externally provided - e.g. ldap credentials are typically created in some external system, e.g. Active Directory and k8s cluster just has to use them. Other secrets may be internally generated - e.g. several Openstack-helm charts may want the same Keystone password and if not a single external system doesnt need that password it can be generated by Airshipctl.
Airshipctl has a standard approach with introduction of VariableCatalogues as a configuration source and kustomize Replacement plugin which must be used to put the values to different yaml documents. Different secrets such as passwords, keys and certificates must be presented in VariableCatalogues as well. Some of them can be externally provided - e.g. ldap credentials are typically created in some external system, e.g. Active Directory and Airshipctl just has to use them. Other secrets may be internally generated - for example several Openstack-helm charts may want the same Openstack Keystone password and if no single external system needs that password it can be generated by Airshipctl rather than provided manually.
There can be different use-cases where the user may want instead of generating secrets to set it manually. That means that Airshipctl should allow the user to 'pin' some specific secret value rather than generate/regenerate it even though the default intent for that secret was to generate it.
Secret regeneration typically happens periodically, e.g. according to some internal policy passwords must be re-generated on yearly basis. Airshipctl should allow user to split secrets into groups that should be regenerated each period of time.
If some master key, e.g. PGP or AGE was used to encrypt secrets, some internal policies may define when this master key must be rotated. Airshipctl should allow user to easily re-encrypt the existing secrets values with new key without changing that values.
Lastly in some Treasuremap reference sites several clusters may present, e.g. ephemeral, target, lma-subcluster, wordpress-subcluster &etc. Since different people may need access to different clusters it leads to the requirement to have cluster-specific set of secrets that has to be encrypted with its own master keys and operations on secrets per cluster may be performed separately from other clusters.
This document is dedicated to the explanation of the technical details on how its currently done in Airshipctl and its manifests.
## Secret documents structure
Due to the need of updating parts of documents periodically the encrypted document has the following structure
``` yaml
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: "false"
name: secrets
secretGroups:
- name: groupName
updated: "2021-06-07T18:01:50Z"
values:
- data: encryptedData...
name: encryptedDataName
pinned: true|false #optional
```
This structure allows to split data into groups each of them can be regenerated/updated separatelly. For that purpose it has `updated` field timestamp that is getting new value when regeneration of group is happening. Each group has an array of values. Each value has a name (should be unique in the group), data field and also optional flag `pinned`. If the value is pinned, its value isn't getting updated during regeneration. That may be helpful to flexibly switch between 'internally generated' and 'externally provided' secrets. `pinned: true` will work as 'exnternally provided'.
Airshipctl will encrypt only field `data` and that will allow to monitor all other parameters without knowing master keys for decryption.
## Secrets document location
As mentioned above there is a need in some cases to restrict access to some cluster for some people. E.g. tenant cluster manifests can be accessible to one set of users and target cluster that hosts several tenant clusters should be accessible by another people. Some people may be in both groups.
Due to that need the current manifests structure has a place for public keys that should be used to set the list of people who may decrypt that data after it was encrypted. This is defined by the set of public keys, defined in `manifests/site/test-site/<cluster>/catalogues/public-keys/kustomization.yaml` in each cluster, e.g. ephemeral, target, etc.
There is a place for private keys as well: `manifests/.private-keys/kustomization.yaml`, before work user can copy his key to my.key or to change that file to use another file. This private key will be used during data decryption in addition to the values from ENV variables that also can contain keys: SOPS_IMPORT_PGP and SOPS_IMPORT_AGE.
The Variable Catalogues with secrets can be found in `manifests/site/test-site/<cluster>/catalogues/encrypted/secrets.yaml`.
When encrypted with sops Variable Catalogue contains info who can decrypt that data - it's located in the sops field that is getting added by SOPS krm-function. SOPS krm-function used in order to encrypt and decrypt data in airship.
## SOPS krm-function overview
Airshipctl uses kustomize along with different krm-functions that extend its functionality:
Replacement krm-function that is needed to avoid duplication of data in documents
Templater krm-function that is needed to produce new yaml documents based on the provided parameters.
* Replacement krm-function that is needed to avoid duplication of data in documents
* Templater krm-function that is needed to produce new yaml documents based on the provided parameters.
There is a standard catalog of [krm-functions](https://github.com/GoogleContainerTools/kpt-functions-catalog).
It includes the standard krm-function: `gcr.io/kpt-fn-contrib/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the example configurations that can be used to encrypt and decrypt the set of [existing yamls](https://github.com/GoogleContainerTools/kpt-functions-catalog/blob/master/examples/contrib/sops/function.yaml).
It includes the standard krm-function: `gcr.io/kpt-fn-contrib/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the [example configurations](https://github.com/GoogleContainerTools/kpt-functions-catalog/tree/master/examples/contrib/sops) that can be used to encrypt and decrypt the set of existing yamls.
Please note that to make that krm-function work its necessary to provide the following ENV variables:
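Review bot: the structure paragraph (`This structure allows to split data into groups ...` through `Airshipctl will encrypt only field `data` ...`) should state the trade-off it implies: since only `data` is encrypted, group names, value names, the `updated` timestamps and the `pinned` flags stay readable by anyone with read access to the repository, so value names must not themselves carry sensitive information and the rotation history of every group is visible in git. Spelling in the added prose also needs a pass: `cant`, `doesnt`, `separatelly`, `exnternally`, `&etc`, `its currently done` should read `can't`, `doesn't`, `separately`, `externally`, `etc.`, `it's currently done`.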
@ -29,19 +74,25 @@ The gating scripts set that env variables [here](https://github.com/airshipit/ai
Templater krm-function allows users to call [Sprig functions](http://masterminds.github.io/sprig/). Sprig has a set of [functions that may generate random values, passwords, CAs, keys and certificates](http://masterminds.github.io/sprig/crypto.html). If its not possible to use the standard set of sprig functions for some important Airshipctl use-cases, its always possible to extend that set of functions: the latest version of templater krm-function introduces [extension library](https://github.com/airshipit/airshipctl/tree/master/pkg/document/plugin/templater/extlib) where this can be done. The set of already added functions can be found [here](https://github.com/airshipit/airshipctl/blob/master/pkg/document/plugin/templater/extlib/funcmap.go).
The example on how to generate different types of secrets with templater krm-function may be found [here](https://github.com/airshipit/airshipctl/tree/master/manifests/function/generatesecrets-example).
The example on how to generate different types of secrets with templater krm-function may be found [here](https://github.com/airshipit/airshipctl/tree/master/manifests/function/generate-secrets-example).
Essentially the set of steps that airshipctl must perform when its necessary to generate/regenerate/import new set of secrets is the following:
Starting Kustomize 4.0 transformer plugins are allowed to generate additional documents (before that it was prohibited by kustomize). It is also now possible to remove some of the documents in transformers. Airshipctl templater krm-function has been rebuilt to support that model as well - it now can be used in `transformers` section:
* in order to get RW access to the already existing documents that kustomize provides to templater called from `transformers` section 2 new functions were introduced: `getItems` and `setItems`.
* `getItems` and `setItems` work with [kyaml](https://github.com/kubernetes-sigs/kustomize/tree/master/kyaml/yaml) objects and because of that the additional subset of [kyaml-related functions](https://review.opendev.org/c/airship/airshipctl/+/794887/25/pkg/document/plugin/templater/extlib/funcmap.go) was introduced to manipulate kyaml-representation of documents.
1. Either:
Due to the requirements to encrypt different subclusters with different master keys it is necessary to have VariableCatalogue with secrets per site.
- Run templater that produces VariableCatalogue yaml with generated parameters
- Just import the yaml document with the existing external credentials. If the document doesnt have the required structure its possible to use replacement transformer to move the needed values to the right places of the required yaml
During the implementation of our working transformer it appeared that we needed go-template function feature. Templater now implements `include` function like in helm charts. Before run it scans all incoming documents and loads all functions defined in documents with apiVersion: `airshipit.org/v1alpha1` kind: `Templater`.
Essentially the set of steps that airshipctl must perform when its necessary to generate/regenerate/import new set of secrets is the following:
1. Load 2 already existing VariableCatalogues: with encrypted secrets and with data it's necessary to add to that encrypted VariableCatalogue (let's call it import-data)
2. Decrypt encrypted data using Sops krm-function
3. Use templater krm-function that will perform update operations. Update operations will include: merge import-data with decrypted secrets, check if some data has to be regenerated (unless it's pinned), merge regenerated data with decrypted secrets.
2. Use Sops krm-function to encrypt the yaml
3. Store the encrypted document in the document module of the site
[This phase](https://github.com/airshipit/airshipctl/blob/master/manifests/phases/phases.yaml#L232) performs that steps.
[Secret-update phase](https://review.opendev.org/c/airship/airshipctl/+/794887/25/manifests/phases/phases.yaml) performs that steps.
The following steps are used during standard procedure or yaml rendering for other phases:
Kustomize reads the encrypted VariableCatalogue
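Review bot: the numbered procedure under `Essentially the set of steps that airshipctl must perform ...` is mis-numbered as rendered: after `3. Use templater krm-function that will perform update operations...` the list restarts with `2. Use Sops krm-function to encrypt the yaml` and `3. Store the encrypted document in the document module of the site`; if those two are the encryption and storage steps that follow the templater step, number them 4 and 5, and drop the leftover `1. Either:` fragment and its two sub-bullets if they are no longer part of the list. Separately, the links for the kyaml function set and for `Secret-update phase` point at a specific patchset on review.opendev.org (`.../794887/25/...`), which goes stale as soon as the review merges; link to the repository path as the rest of the document does.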
@ -57,11 +108,9 @@ In order to implement all that functionality it was necessary to introduce a new
Krm-functions accept a set of yamls and config as input and return a modified set of yamls.
GenericContainer executor may just output it to stdout. Or it may store it as `kpt fn sink` does.
In particular were using the second option to store our generated and encrypted yamls to the specific place from which other manifests will take [that file](manifests/site/test-site/target/encrypted/results/generated/secrets.yaml).
There is a way to provide external secrets, that shouldn't be generated. That secrets must be stored in encrypted way in [another file](manifests/site/test-site/target/encrypted/results/imported/secrets.yaml).
In particular were using the second option to store our generated and encrypted yamls to the specific places from which other manifests will take [ephemeral secrets file](manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml) or [target secrets file](manifests/site/test-site/target/catalogues/encrypted/secrets.yaml).
As its possible to see [encrypted kustomization](manifests/site/test-site/target/encrypted/results/kustomization.yaml) performs decryption using sops krm-function.
As an example its possible to see [target kustomization](manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml) performs decryption using sops krm-function.
# Step-by-step Operator instructions
@ -136,7 +185,7 @@ This will decrypt the file and will open it in the editor. It will be possible t
## Generation/Regeneration and encryption of secrets in manifests
Now when we have all the information about what is going on under the hood, lets see how Airshipctl automates generation and encryption.
Now when we have all the information about what is going on under the hood, lets see how Airshipctl automats generation and encryption.
Note: This section will require the reader to understand how kustomize works in very good details.
The good start will be the official documentation, but that may not be enough.
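Review bot: the rewritten sentence `... lets see how Airshipctl automats generation and encryption.` replaces the correctly spelled `automates` of the previous line with a misspelling; keep `automates`, and `lets` should be `let's`.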
@ -153,84 +202,117 @@ Lets start from the secrets generator.
To run it its just necessary to run the phase:
```
airshipctl phase run secret-generate
airshipctl phase run secret-update
```
This phase accepts parameters via env variables:
* `FORCE_REGENERATE` - accepts a comma-separated list of periods that must be regenerated, e.g. yearly,monthly
* `ONLY_CLUSTERS` - accepts a comma-separated list of clusters inside site that must be regenerated. This is helpful when the user has keys only for 1 subcluster and wants to perform update operation only for its secrets
* `TOLERATE_DECRYPTION_FAILURES` - should be `true` if `ONLY_CLUSTERS` option is used.
The following command is done each time we run integration testing in CI in this [file](tools/deployment/23_generate_secrets.sh) to regenerate all groups:
```
FORCE_REGENERATE=all airshipctl phase run secret-update
```
This commands updates all secrets in the following locations `ephemeral/catalogues/encrypted/secrets.yaml` and `target/catalogues/encrypted/secrets.yaml`. Here is the way how it works:
* it gets already decrypted documents by taking kustomization results from `encrypted/get/kustomization.yaml`.
* it also import-data encrypted/update/secrets.yaml. This file contains diff user wants to apply to the encrypted data.
* it executes templater-based transformer from manifests/type/gating/shared/update-secrets/template.yaml and it performs all magic (see below). as a result it produces unencrypted updated secrets catalogues, cleans up import-data and sets `config.kubernetes.io/path` annotations (see below) so the files can be stored by airshipctl to the right location.
* the resulting bundle is encrypted by genericContainer executor and getting stored by the location set in `config.kubernetes.io/path` annotations.
Let's look closer into the [templater](manifests/type/gating/shared/update-secrets/template.yaml) that does the whole job on generation. It can be redefined for different site types to incorporate templates for subclusters.
The template contains definition of functions that define how to generate each section of secrets, e.g.
```
{{- define "regenEphemeralK8sSecrets" -}}
{{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }}
{{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}}
values:
- data: {{ $ClusterCa.Cert | b64enc | quote }}
name: caCrt
- data: {{ $ClusterCa.Key | b64enc | quote }}
name: caKey
- data: {{ $KubeconfigCert.Cert | b64enc | quote }}
name: crt
- data: {{ $KubeconfigCert.Key | b64enc | quote }}
name: key
{{- end -}}
```
And its done each time we run integration testing in CI in this [file](https://github.com/airshipit/airshipctl/blob/master/tools/deployment/23_generate_secrets.sh).
It also contains the code that finds the document with secrets and document with imports for that particular subcluster. E.g. for ephemeral subcluster it's:
This phase creates the bundle by running kustomize for `target/generator` inside the site directory. And that kustomization through a special directory that allows to override template values runs the following [templater](https://github.com/airshipit/airshipctl/blob/master/manifests/type/gating/target/generator/secret-template.yaml).
```
{{/* get combined-secrets yaml and exclude it from the bundle */}}
{{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}}
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}}
{{/* get combined-secrets-import yaml and exclude it from the bundle */}}
{{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}}
```
This config file defines the following structure of VariableCatalogue:
As we can see some inbuilt kyaml functions are used for that purpose, e.g. `KOneFilter` - it applies the filter defined in the second parameter to the input bundle taken by `getItems` function. The filter ensures that in the resulting documents ther will be documents that have `metadata.name == combined-ephemeral-secrets`. Also we see that the filter is getting generated by go-template function called `grepTpl`. It's stored in go-template module, its implementation can be found [here](manifests/function/templater-helpers/secret-generator/lib.yaml). SetItems is used to exclude found documents from bundle - because this template add its own document with the same name, that contains all merged/regenerated data. We see that below:
```
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
annotations:
config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml"
labels:
airshipit.org/deploy-k8s: "false"
name: generated-secrets
ephemeralClusterCa:...
ephemeralKubeconfig:..
targetClusterCa:...
targetKubeconfig:...
isoImage:...
name: combined-ephemeral-secrets
secretGroups:
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }}
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }}
```
Please pay attention to the annotation `config.kubernetes.io/path` - it defines the name of the file where this document will be stored by phase. Its possible to define several VariableCatalogues with unique names of files (it even may contain directories).
When this template is executed it generates keys/certs/passwords and renders them as a Variable catalog with the name `generated-secrets`.
Please pay attention that the special annotation `config.kubernetes.io/path` is getting added in the fileplacement transformer - it defines the name of the file where this document will be stored by phase. Its possible to define several VariableCatalogues with unique names of files (it even may contain directories).
We see that the body of groups are generated by the go-template function `group` that takes care of mering previous values of secrets with data from imports as well as about regeneration of data when needed by calling another function provided as the last parameter. The implementation of this function can be found [here](manifests/function/templater-helpers/secret-generator/lib.yaml).
Now if we refer back to the Phase description well see that its type is GenericContainer with the name `encrypter`.
The definition of that executor is the following:
```
apiVersion: airshipit.org/v1alpha1
```apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
metadata:
name: encrypter
labels:
airshipit.org/deploy-k8s: "false"
spec:
sinkOutputDir: "target/generator/results"
image: gcr.io/kpt-fn-contrib/sops:v0.1.0
type: krm
sinkOutputDir: "./"
image: gcr.io/kpt-fn-contrib/sops:v0.3.0
envVars:
- SOPS_IMPORT_PGP
- SOPS_PGP_FP
- SOPS_IMPORT_PGP
- SOPS_PGP_FP
config: |
apiVersion: v1
kind: ConfigMap
data:
cmd: encrypt
unencrypted-regex: '^(kind|apiVersion|group|metadata)$'
cmd-json-path-filter: '$[?(@.metadata.name=="combined-ephemeral-secrets" || @.metadata.name=="combined-target-secrets")]'
encrypted-regex: '^(data)$'
```
Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.1.0` with configuration from `config` field and stores the result to the directory `target/generator/results` based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/` will contain encrypted yamls. To make that work the user will need just to specify 2 environment variables:
Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.3.0` with configuration from `config` field and stores the result to the directory `./`(root directory of the current site) based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/` will contain encrypted yamls. To make that work the user will need just to specify 2 additional environment variables:
- `SOPS_IMPORT_PGP`
- `SOPS_PGP_FP`
There is another a separate set of secrets that are provided externally and that shouldn't be generated. They're called `externally provided secrets`.
For that set there is a separate folder in the target/encrypted/results, called `imported`.
There is a special phase called `secret-import` that may be used to update the set of externally provided secrets:
just put a new unencrypted secrets.yaml to target/encrypted/results/imported/ instead of encrypted one and run that phase.
This phase will encrypt that file using provided public key set by `SOPS_IMPORT_PGP` and `SOPS_PGP_FP`.
Note: if you try to run this phase for already encrypted secrets.yaml this phase will return error saying that file is already encrypted.
Combination of different parameters provided via env variables can be used in different situations. For instance that allows to regenerate everything, regenerate only some secrets, regenerate only secrets for one subcluster, reencrypt only one subcluster without regeneration and etc. Some examples may be found [here](tools/deployment/23_generate_secrets.sh) as sanity tests.
## Decryption of secrets and using them
The current implementation of manifests doesnt require explicit decryption of files. All secrets are decrypted on the spot. Here are the details of how it was achieved:
All encrypted documents are listed in the [following kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/encrypted/results/kustomization.yaml).
This kustomization file performs decryption by invoking `decrypt-secrets` transformer, that is just a sops krm-function configuration that decrypts all encrypted documents.
Cluster encrypted documents are listed in its catalogue, e.g. [target secrets](manifests/site/test-site/target/catalogues/encrypted/secrets.yaml).
[The kustomization file](manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml) performs decryption by invoking `decrypt-secrets` transformer, that is just a sops krm-function configuration that decrypts all encrypted documents.
Note: we made a special kustomization for decrypt-secrets configuration just to be able to modify it a bit depending on the environment variable `TOLERATE_DECRYPTION_FAILURES` value. If its true were adding parameter `cmd-tolerate-failures: true` to sops configuration.
Once decrypted that VariableCatalogues may be imported as well as other catalogues. E.g.:
See [this line in the kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/catalogues/kustomization.yaml#L7).
And its possible to use their values as a source for replacement transformer. E.g. [this replacement plugin configuration](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/kubeconfig/update-target.yaml) updates fields of kubeconfig in order to put there generated keys/certs.
See [this line in the kustomization file](manifests/site/test-site/target/catalogues/kustomization.yaml#L7).
And its possible to use their values as a source for replacement transformer. E.g. [this replacement plugin configuration](manifests/site/test-site/kubeconfig/update.yaml) updates fields of kubeconfig in order to put there generated keys/certs.
To get even more familiar with that approach and understand all details please refer to the [following commit] (https://github.com/airshipit/airshipctl/commit/a252b248bcc9be2c8aca6f544f99541dce5012a3).
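Review bot: the encrypter configuration `cmd-json-path-filter: '$[?(@.metadata.name=="combined-ephemeral-secrets" || @.metadata.name=="combined-target-secrets")]'` limits encryption to two hard-coded document names, while this same section says the templater `can be redefined for different site types to incorporate templates for subclusters` and that `Its possible to define several VariableCatalogues with unique names of files`. A secrets catalogue for a new subcluster that reaches this executor with a `config.kubernetes.io/path` annotation but a name outside the filter is written into the site directory by the sink without encryption. Select the documents to encrypt by a label or by the `catalogues/encrypted/` path annotation rather than by an explicit name list, or at least document that every new secrets catalogue name must be added to the filter and add a gating check that rejects any `VariableCatalogue` sunk under `catalogues/encrypted/` that has no `sops` field. Smaller points in the same hunk: the sentence describing the new `sinkOutputDir: "./"` still claims that `target/generator/results/` will contain the encrypted yamls, which contradicts the changed setting; the executor definition has its opening fence fused with the first line (```` ```apiVersion: airshipit.org/v1alpha1 ````) and will not render; `[following commit] (https://...)` has a space between `]` and `(` and will not render as a link; and the description of `TOLERATE_DECRYPTION_FAILURES` should say what happens to a catalogue that fails to decrypt but is not excluded by `ONLY_CLUSTERS`, namely that the still-encrypted document must be dropped from the update rather than merged or re-encrypted as if it were plaintext.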
@ -250,7 +332,7 @@ There are 2 different approaches that may be used:
Both approaches are possible taking into account that fact that SOPS allows you to have several private keys to decrypt data and it selects the needed one automatically.
Nevertheless for the sake of simplicity we're currently implemented the first approach in our manifests. There is a phase called `secret-reencrypt` that allows to perform master key rotation.
Nevertheless for the sake of simplicity we're currently implemented the first approach in our manifests. There is a phase called `secret-update` that allows to perform master key rotation.
In order to do so please follow the following steps:
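Review bot: with the dedicated `secret-reencrypt` phase folded into `secret-update`, this paragraph should state which environment variables a pure key-rotation run must leave unset, `FORCE_REGENERATE` in particular, since the earlier section documents that variable as triggering regeneration of the listed periods; a rotation that also rotated the secret values would contradict the introduction's requirement to `re-encrypt the existing secrets values with new key without changing that values`.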
@ -264,7 +346,7 @@ Note: please make sure you know the fingerprint of the newly generated key.
2. append the env variable `SOPS_IMPORT_PGP` with the new keypair (don't delete the previous one at this step, because it's needed for decryption).
3. set the env variable `SOPS_PGP_FP` to the value of the NEW private key fingerprint. That means that the new key will be used for encryption.
4. run `airshipctl phase run secret-reencrypt`. make sure it runs successfully.
4. run `airshipctl phase run secret-update`. make sure it runs successfully.
5. check that all encrypted files were updated and that pgp.fp field for all of them equal to the value you specified in `SOPS_PGP_FP`.
6. now it's possible to delete the old master key from `SOPS_IMPORT_PGP`. Once done it's possible to run `airshipctl phase run secret-show` to ensure that the keys will be decrypted properly.
8. commit the changes to the site manifests.
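Review bot: the step list jumps from `6.` to `8.`; renumber or restore the missing step. In step 5 the check on `pgp.fp` should also confirm that no entry for the old fingerprint remains in the `sops` metadata of any file, because a file that still lists both keys remains decryptable by the retired key after step 6; and step 6 should add that the retired private key material is to be destroyed once `airshipctl phase run secret-show` succeeds, not only dropped from `SOPS_IMPORT_PGP`.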

@ -0,0 +1,58 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ
wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/
6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl
3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA
d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN
ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAEAB/0Z8kQSlkzE97QhXm0g
/PQuaVCdY9UJeSMBXTvDZhBhAcLf6yZLStq1uz4sIiWm6+ZcX8mXQ9b90fMceoaK
sVxiYYaEcCXgu5zcuMTu8xRWK30bzjkARrDjEByZFNLrr/yzO3KKWvdVAToou77N
xLxct4df+46vEMs/DOulDUkxBOjlkprlq8xSG/6vuo7rJKUylsS4s5+y+EJCfm0m
8C94IIOt42ANObDUziUHCFNhCKSUs92rL7HXfcMG6L16UrSpJ3yLNvTI34PgRydv
ppu6DAFNeqsJ6oINSWXEqjfMHK7Ly9oyF2bkB2VKoapAdz6YGJydrODhFrThcuJk
+pY9BADKnXtYvDRPoTsfRYgZewtBxf3ccGUjoS9YCC3salWuPEWnal2yI0YRwZNE
iirOFGKH6jh/fxtFZNPXuYb7MJzFqVOcARz6USCvR1va2kMZzQEOKwxOXqIYYMVh
Uwz9++QugqcBLHw9YUFmH/DsRaL4zP4H8cX5O1TALFo3aC/EHQQA5VzUDupcpRLP
gF6dCgT2GyajgRoUFU7Brq82+HJDBDhHMB+3VWJhsC9DkTMh/RtPOuLb41K0OZ//
acoXo0QjsLsBx+hNqWC0oosqaoXiUyhbmEukvlURm5uHThX9n5BZIKhiCft/NYNO
yb+OBgYFHN11BMUVyhMR7be2mlJ4EMMD/jd9WQIoHQQ6BKMNOlc6BGu4KsMv/+fF
KV4xnJKrWjJxwri0FsOYLS2qkgbSAXjxLqZWx4UylmJh1HSAyjTghY0zQEf2oDKd
0DKN8Y42aawh1AolIfDbYOampw5tBzI2/WYOksGRFCwjCidL3pNd03W9dBmNbBRc
tVKLG/kt4JwCL0y0U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMSAoaHR0cHM6
Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+
iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwMFCwkIBwIG
FQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJzgbTDcQf7Bp7e2zY9pBBXTgDASQl3
1SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDlobc6O8/06foxWctTUaaciPBo2+je
WFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91rvta2wYF1XJBgxpui9aLICsCptFN
IRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+ERtmvmisiE/m20UpbYRmkBJy25c89
Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+DZBIpryi0xQqExGAlYqck7G03F+AD
7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo1pp3gBU4swds9yO9wNe12JY/M5A/
BJ0DmARdaEFdAQgAtun8JhSpNAKvOXwWX2nFhnMXTJp4viMhlAZEdmMXEi27B2DM
/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpChvRaGuCOpYqOuSQvD8FnX0NgQULwu
TZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUnPgyAIESajPdowEkEjdYt261fGOLL
cVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9DveBUBQGdqkgWXjS5BKcae07viC6x
Ma9AJS4pizyDALB2k0HQOelZNihOGXYUuvkcs2Fivl0Tk3OCfH9XDvFehbYRHmkR
DoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp19QARAQABAAf7BX7YLYi3YLGn9BEv
VuSFo7l3fLyzXfsOOjVJ/0iQ2+H12Y3l+ssi4eCntb40IjDMIHv5JwjfKNSfUwkn
5diMk3LGz2d64lTKmrU4yNLaMhMbwmE0/u4JOPoXbJZWLd3lyBeTpTiY3R9pgG8V
IGfA+xNDEjUdc5jHU+edtGk37X6l6uL3OANS/MyTRdVNr28Gv/upXmJs/NbvTost
1hsU89gaDjkfsWhdhiuCHR9bqoyot/Vgvpt1NxzfV4SQGVFeph8yCGvSRBS8zXuZ
FtmzACs0j2aOMSucAGogEoD158OpXSNfdmZ1nCswlo1yqP6+ir8mr2DTRgMtxPQa
N49b4QQAxVTwRZ6+qiSCz/GJPq7qASGG4RIr87gPzxaHmznQhKIx6LEMjX/+NU6c
94A8aZY/oN7f3rr8apIA+cAHbAwFGpbc7ke1Cgy/m/eJZNUxWPT/YBjZ4V+41Uat
viGrbmS9B4QulOpF2Ng6LcOc4dggxTPAW/CYd5T2FImr1qYjjWkEAO1Lss00LY5o
5I4QqgM0OeeBEOO8LiSDmjKgOvtsmJ6+dA4x3rYgI8smFMsvtyrcb75k6EdZazgN
YSI4sU3WceWbrtdVr1glP38CBMupnFvg8KwbjSFV8vNqVBHCXShUxnHmlOW+UVqy
CxjJf0RTOhLEY5DIRwQB0H8P30dYOfatBADaGIbs/6+1RulKpHwW/c3+XOlaTZrT
UhNjuccj7Y9IspYD+6crNkQvAri60AoDfIiO5aTk8rSYpGwB1vEmnUVmNPvRF958
GV3pyCOv/pkmnpS+4w+akiJsSHX3jqqp5fb/xd6ukUX95VgSymuJ+ya49G8B0jj6
bw7B4S2M39+Xdkg2iQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1o
QV0CGwwACgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFr
rydYItTEhxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNH
g7VUpSSaiTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNH
NfM+kLAiUPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4
ZG6FybJtcjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLD
gLk//M3qDixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg==
=VjGL
-----END PGP PRIVATE KEY BLOCK-----
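Review bot: this file adds an armored PGP private key to the repository. Decoding the user-ID packet on the lines `tVKLG/kt4JwCL0y0U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMSAoaHR0cHM6` and `Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+` gives `SOPS Functional Tests Key 1 (https://github.com/mozilla/sops/) <secops@mozilla.com>`, i.e. this is the publicly distributed sops test key, so anything encrypted to it is effectively plaintext. That is fine for gating, but the file name and the `## Secrets document location` section should say so explicitly, and no `catalogues/public-keys/kustomization.yaml` outside `test-site` should ever list this key.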

@ -0,0 +1,34 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----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=+tJ6
-----END PGP PRIVATE KEY BLOCK-----

@ -0,0 +1,82 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----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=ELqz
-----END PGP PRIVATE KEY BLOCK-----

@ -0,0 +1,6 @@
secretGenerator:
- name: decryption-key
options:
disableNameSuffixHash: true
files:
- cmd-import-pgp=my.key
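Review bot: this `secretGenerator` turns whatever is in `my.key` into a kustomize `Secret` named `decryption-key` that carries the private key under `cmd-import-pgp`. Please confirm that the sops krm-function consumes and removes that document from the bundle, so that a bundle rendered from a site including `.private-keys` can never carry the operator's private key through to phase output or to a cluster; a gating assertion that no `Secret` named `decryption-key` appears in any rendered bundle would make that guarantee explicit.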

@ -0,0 +1 @@
# put here your key, or provide it using env var e.g. SOPS_IMPORT_PGP=$(cat manifests/.private-keys/exampleU1.key)
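Review bot: `my.key` is a tracked file, and the documentation in this change tells the user to `copy his key to my.key`; a user who follows that and commits will publish their private key. Either stop tracking the placeholder and add `manifests/.private-keys/my.key` to `.gitignore` (with a committed `my.key.example` if a placeholder is wanted), or drop the copy-into-tree option and document only the environment-variable path shown in this comment, `SOPS_IMPORT_PGP=$(cat manifests/.private-keys/exampleU1.key)`.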

@ -9,8 +9,8 @@ metadata:
replacements:
- source:
objref:
name: generated-secrets
fieldref: "{.isoImage.passwords.root}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=isoImageSecrets].values.[name=rootPasswd].data"
target:
objref:
kind: Secret
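Review bot: the new source `fieldref: ".secretGroups.[name=isoImageSecrets].values.[name=rootPasswd].data"` selects a `data` field, and the cert/key group shown in the documentation of this change fills `data` with `b64enc` output (`- data: {{ $ClusterCa.Key | b64enc | quote }}`), whereas the replaced `fieldref: "{.isoImage.passwords.root}"` delivered the value directly. The targets in this file (`stringData.userData%REPLACEMENT_ISO_PASSWORD_ROOT%` and the following ones) therefore need to be checked against the encoding the `regenIsoImageSecrets` template actually emits, which is not shown here: either the userData template decodes base64, or the password group must not apply `b64enc`. A comment on the source stating the expected encoding of `data` would prevent a silently wrong password from reaching the ISO.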
@ -18,8 +18,8 @@ replacements:
fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_ROOT%"]
- source:
objref:
name: generated-secrets
fieldref: "{.isoImage.passwords.deployer}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=isoImageSecrets].values.[name=deployerPasswd].data"
target:
objref:
kind: Secret
@ -27,8 +27,8 @@ replacements:
fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_DEPLOYER%"]
- source:
objref:
name: generated-secrets
fieldref: "{.ephemeralClusterCa.key}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caKey].data"
target:
objref:
kind: Secret
@ -36,26 +36,19 @@ replacements:
fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_KEY%"]
- source:
objref:
name: generated-secrets
fieldref: "{.ephemeralClusterCa.crt}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data"
target:
objref:
kind: Secret
name: ephemeral-bmc-secret
fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_CERT%"]
fieldrefs:
- "stringData.userData%REPLACEMENT_CP_CA_CERT%"
- "stringData.userData%REPLACEMENT_CP_KUBECONFIG_CA_CERT%"
- source:
objref:
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
target:
objref:
kind: Secret
name: ephemeral-bmc-secret
fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_CA_CERT%"]
- source:
objref:
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.client-key-data}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data"
target:
objref:
kind: Secret
@ -63,8 +56,8 @@ replacements:
fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_ADMIN_KEY%"]
- source:
objref:
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data"
target:
objref:
kind: Secret
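Review bot: the source fieldrefs in this file switch from the JSONPath form (`{.isoImage.passwords.root}`) to the dotted `[name=…]` selector form (`.secretGroups.[name=isoImageSecrets].values.[name=rootPasswd].data`), while the targets keep JSONPath; a short comment that both syntaxes are accepted by the replacement transformer, or one consistent style, would save the next reader a check. The source objrefs here also give only `name: combined-ephemeral-secrets` without `kind: VariableCatalogue`, unlike the kubeconfig replacements in this change; add the kind so that only the catalogue can match the selector.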

@ -9,11 +9,19 @@ metadata:
replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.targetClusterCa}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data"
target:
objref:
kind: Secret
name: target-cluster-ca
fieldrefs: ["{.data}"]
fieldrefs: ["{$.data.tls\\.crt}"]
- source:
objref:
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caKey].data"
target:
objref:
kind: Secret
name: target-cluster-ca
fieldrefs: ["{$.data.tls\\.key}"]
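Review bot: splitting the old `{.data}` replacement into `tls\\.crt` and `tls\\.key` is clearer, but it also makes explicit that the `target-cluster-ca` Secret receives the target cluster's CA private key from `targetK8sSecrets.caKey`. Since a CA signing key in a cluster Secret is the most sensitive item this change handles, add a comment on the replacement naming the consumer that needs the key (as opposed to only the certificate), so a later cleanup can drop it if that consumer goes away.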

@ -10,8 +10,8 @@ metadata:
replacements:
- source:
objref:
name: generated-secrets
fieldref: "{.sshKeys.publicKey}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetSshSecrets].values.[name=publicKey].data"
target:
objref:
kind: KubeadmControlPlane

@ -0,0 +1,15 @@
apiVersion: builtin
kind: PatchTransformer
metadata:
name: delete-templater-modules
target:
group: airshipit.org
version: v1alpha1
kind: Templater
patch: |
apiVersion: not-important
kind: not-important
metadata:
name: not-important
$patch: delete
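Review bot: the `target` selector has only `group`, `version` and `kind`, so this PatchTransformer deletes every `Templater` document in the bundle, not just the `secret-template-lib` helper it is meant to clean up; any site-level Templater rendered in the same kustomization would vanish silently. Add `name: secret-template-lib` (or a dedicated label selector) to the target, and mention in a comment that the helper is removed because it must not reach the phase output.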

@ -0,0 +1,165 @@
apiVersion: airshipit.org/v1alpha1
kind: Templater
metadata:
name: secret-template-lib
values:
template: |
{{/* RFC3339 returns string that defines timestamp format accoring to
that RFC */}}
{{- define "RFC3339" -}}
2006-01-02T15:04:05Z07:00
{{- end -}}
{{/* grepTpl returns yaml that can be used to built KFilter that will
filter with grep */}}
{{- define "grepTpl" -}}
kind: GrepFilter
path: {{ index . 0 }}
value: {{ index . 1 }}
{{ if gt (len .) 2}}
invertMatch: {{ index . 2 }}
{{ end }}
{{- end -}}
{{/* createNodeType converts text representation of node type that can be
created to number */}}
{{- define "createNodeType" -}}
{{- $type := . -}}
{{/* values defined here: https://github.com/go-yaml/yaml/blob/496545a6307b/yaml.go#L323 */}}
{{- if eq $type "DocumentNode" -}}
1
{{- else if eq $type "SequenceNode" -}}
2
{{- else if eq $type "MappingNode" -}}
4
{{- else if eq $type "ScalarNode" -}}
8
{{- else if eq $type "AliasNode" -}}
16
{{- else -}}
{{- fail (printf "unknown node type %s" $type) -}}
{{- end -}}
{{- end -}}
{{/* pathGetTpl returns yaml that can be used to create YFilter that returns
yaml node by path */}}
{{- define "pathGetTpl" -}}
{{- $path := index . 0 -}}
kind: PathGetter
path: {{ $path }}
{{- if gt (len .) 1 }}
create: {{ include "createNodeType" (index . 1) }}
{{ end -}}
{{- end -}}
{{/* fieldSetTpl returns yaml that can be used to create YFilter that sets
yaml node with value */}}
{{- define "fieldSetTpl" -}}
{{- $name := index . 0 -}}
{{- $stringValue := index . 1 -}}
kind: FieldSetter
name: {{ $name | quote }}
stringValue: {{ $stringValue }}
{{- end -}}
{{/* isEncrypted returns true if it can find sops field in the document */}}
{{- define "isEncrypted" -}}
{{- $combinedSecrets := . -}}
{{- $value := YValue $combinedSecrets -}}
{{- if $value.sops -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}
{{/* group gets the current combined secrets, imported combined secrets,
group name, group period (once, monthly, yearly) and name of function
that regenerates the group and performs merge of imported secrets to
the current secrets, and regenerates needed fields based group period */}}
{{- define "group" -}}
{{/* reading args and setting constants */}}
{{- $ctx := index . 0 -}}
{{- $combinedSecrets := index . 1 -}}
{{- $combinedSecretsImport := index . 2 -}}
{{- $groupName := index . 3 -}}
{{- $groupPeriod := index . 4 -}}
{{- $generationTemplateName := index . 5 -}}
{{- $RFC3339 := include "RFC3339" . -}}
{{- $groupY := YOneFilter $combinedSecrets (include "pathGetTpl" (list (printf "[\"secretGroups\", \"[name=%s]\"]" $groupName))) -}}
{{- $groupImportedY := YOneFilter $combinedSecretsImport (include "pathGetTpl" (list (printf "[\"secretGroups\", \"[name=%s]\"]" $groupName))) -}}
{{- $sg := YValue $groupY -}}
{{- $sgi := YValue $groupImportedY -}}
{{/* calculcate dates for regeneration periods. Add here group period if needed */}}
{{- $periodExpiredEarlier := dict "once" (toDate $RFC3339 "1970-01-01T00:00:00Z") "monthly" (now | dateModify "-720h") "yearly" (now | dateModify "-8760h") -}}
{{- $preiodRegenerationForced := dict -}}
{{- range $period, $_ := $periodExpiredEarlier -}}
{{- $_ := set $preiodRegenerationForced $period "false" -}}
{{- end -}}
{{- range $key, $val := splitList "," (env "FORCE_REGENERATE") -}}
{{- if eq $val "all" -}}
{{- range $period, $_ := $periodExpiredEarlier -}}
{{- $_ := set $preiodRegenerationForced $period "true" -}}
{{- end -}}
{{- else -}}
{{- $_ := set $preiodRegenerationForced $val "true" -}}
{{- end -}}
{{- end -}}
{{/* get initial flag if we need to regenerate from $preiodRegenerationForced dict */}}
{{- $regenerate := eq (get $preiodRegenerationForced $groupPeriod) "true" -}}
{{/* if group isn't present in input - generate */}}
{{- if and (not $regenerate) (eq ($sg | quote) "") -}}
{{- $regenerate = true -}}
{{- end -}}
{{/* generate if last update time is earlier than $periodExpiredEarlier for that period */}}
{{- if not $regenerate -}}
{{- if lt (unixEpoch (toDate $RFC3339 $sg.updated)) (unixEpoch (toDate $RFC3339 ( get $periodExpiredEarlier $groupPeriod | date $RFC3339))) -}}
{{- $regenerate = true -}}
{{- end -}}
{{- end -}}
{{/* merge imported values to old values */}}
{{/* for each value in imported */}}
{{- range $k, $v := $sgi.values -}}
{{/* find value with the same name as in imported */}}
{{- $val := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}}
{{- if $val -}}
{{/* for each field */}}
{{- range $ki, $vi := $v -}}
{{/* ensure that the field exists before updating */}}
{{- $_ := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\",\"%s\"]" $v.name $ki) "ScalarNode")) -}}
{{/* update group value */}}
{{- $_ := YOneFilter $val (include "fieldSetTpl" (list $ki ($vi|quote))) -}}
{{- end -}}
{{- else -}}
{{/*create*/}}
{{- $valuesList := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\"]"))) -}}
{{- $newValue := YOneFilter $groupImportedY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}}
{{- $_ := YListAppend $valuesList $newValue -}}
{{- end -}}
{{- end -}}
{{/* if both groups were empty - set at least name */}}
{{- $groupY = YMerge (StrToY (printf "name: %s" $groupName)) $groupY -}}
{{- if $regenerate -}}
{{- $groupY = YMerge (StrToY (printf "updated: %s" (now | date $RFC3339))) $groupY -}}
{{- $generatedValues := StrToY (include $generationTemplateName $ctx) -}}
{{- $_ := YOneFilter $groupY (include "pathGetTpl" (list "[\"values\"]" "SequenceNode")) -}}
{{- $sgn := YValue $generatedValues -}}
{{- range $k, $v := $sgn.values -}}
{{- $val := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}}
{{- if $val -}}
{{- $vval := YValue $val -}}
{{/* don't update pinned values */}}
{{- if not (eq ($vval.pinned|quote) "\"true\"") -}}
{{/* for each field */}}
{{- range $ki, $vi := $v -}}
{{/* ensure that the field exists before updating */}}
{{- $_ := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\",\"%s\"]" $v.name $ki) "ScalarNode")) -}}
{{/* update group value */}}
{{- $_ := YOneFilter $val (include "fieldSetTpl" (list $ki ($vi|quote))) -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{/*create*/}}
{{- $valuesList := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\"]"))) -}}
{{- $newValue := YOneFilter $generatedValues (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}}
{{- $_ := YListAppend $valuesList $newValue -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* print the resulting yaml */}}
{{- toYaml (YValue $groupY) -}}
{{- end -}}
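Review bot: in the `group` template the `FORCE_REGENERATE` values are never validated: `splitList` on an empty variable yields `[""]`, and an unknown period name (a typo of `monthly`, say) only adds a key to `$preiodRegenerationForced` that `get … $groupPeriod` never reads, so a forced rotation can silently not happen. Fail when `$val` is not a key of `$periodExpiredEarlier`, the way `createNodeType` already does with `fail (printf "unknown node type %s" $type)`. The expiry check compares `unixEpoch` results, which sprig returns as strings, so `lt` is a lexical comparison; it is correct while both epochs have ten digits, but converting with `int64` or comparing the `time` values with `.Before` makes the intent explicit. Smaller points: `$preiodRegenerationForced` is misspelled throughout, as are `accoring`, `built` and `calculcate` in the comments; and the regeneration loop skips only `pinned` values, so an imported value whose name collides with a generated one is overwritten at the next period expiry unless the importer also sets `pinned: true`; the header comment should say so.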

@ -10,8 +10,8 @@ metadata:
replacements:
- source:
objref:
name: generated-secrets
fieldref: "{.sshKeys.publicKey}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetSshSecrets].values.[name=publicKey].data"
target:
objref:
kind: KubeadmConfigTemplate

@ -64,40 +64,33 @@ action: move
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
metadata:
name: encrypter
name: noop-sink
labels:
airshipit.org/deploy-k8s: "false"
spec:
type: krm
sinkOutputDir: "target/encrypted/results"
image: gcr.io/kpt-fn-contrib/sops:v0.1.0
envVars:
- SOPS_IMPORT_PGP
- SOPS_PGP_FP
sinkOutputDir: "./"
image: gcr.io/kpt-fn-contrib/sops:v0.3.0
config: |
apiVersion: v1
kind: ConfigMap
data:
cmd: encrypt
unencrypted-regex: '^(kind|apiVersion|group|metadata)$'
cmd: noop
---
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
metadata:
name: decrypter
name: noop-show
labels:
airshipit.org/deploy-k8s: "false"
spec:
type: krm
image: gcr.io/kpt-fn-contrib/sops:v0.1.0
envVars:
- SOPS_IMPORT_PGP
- SOPS_PGP_FP
image: gcr.io/kpt-fn-contrib/sops:v0.3.0
config: |
apiVersion: v1
kind: ConfigMap
data:
cmd: decrypt
cmd: noop
---
# This executor launchs a bootstrap container, which creates
# an Azure Kubernetes Service (AKS) cluster
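Review bot: `noop-sink` keeps `sinkOutputDir` but now points it at `"./"` and no longer exports `SOPS_IMPORT_PGP`/`SOPS_PGP_FP`; state in a comment what `./` is relative to (the phase `documentEntryPoint`, `encrypted/update`, presumably) and confirm that with `cmd: noop` the sink writes only documents the `encrypt-secrets` transformer has already encrypted, because anything still in plaintext at that point is written into the manifests tree. `noop-show` has no sink, so decrypted output goes to stdout. The image bump from `gcr.io/kpt-fn-contrib/sops:v0.1.0` to `v0.3.0` changes both executors at once; pin it by digest or reference the changelog, since the decrypt path feeds PGP private keys to this container.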

@ -206,24 +206,13 @@ config:
apiVersion: airshipit.org/v1alpha1
kind: Phase
metadata:
name: secret-generate
name: secret-update
config:
executorRef:
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
name: encrypter
documentEntryPoint: target/encrypted/generator
---
apiVersion: airshipit.org/v1alpha1
kind: Phase
metadata:
name: secret-import
config:
executorRef:
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
name: encrypter
documentEntryPoint: target/encrypted/importer
name: noop-sink
documentEntryPoint: encrypted/update
---
apiVersion: airshipit.org/v1alpha1
kind: Phase
@ -233,19 +222,8 @@ config:
executorRef:
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
name: decrypter
documentEntryPoint: target/encrypted/results
---
apiVersion: airshipit.org/v1alpha1
kind: Phase
metadata:
name: secret-reencrypt
config:
executorRef:
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
name: encrypter
documentEntryPoint: target/encrypted/results
name: noop-show
documentEntryPoint: encrypted/get
---
apiVersion: airshipit.org/v1alpha1
kind: Phase

@ -0,0 +1,3 @@
resources:
- ../../ephemeral/catalogues/public-keys/
- ../../target/catalogues/public-keys/

@ -0,0 +1,3 @@
resources:
- ../../ephemeral/catalogues/encrypted
- ../../target/catalogues/encrypted

@ -0,0 +1,12 @@
resources:
- ../get/
- ../encryption-keys/
- secrets.yaml
- ../../../../function/templater-helpers/secret-generator/ # libs needed for generator
transformers:
- ../../../../type/gating/shared/update-secrets/
- ../../../../function/templater-helpers/cleanup/ # remove libs after using in all generators
- ../../../../type/gating/shared/update-secrets/fileplacement # update paths for imports
- ../../../../type/gating/shared/encrypt-secrets
- ../../../../type/gating/shared/encrypt-secrets/cleanup
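Review bot: the safety of this kustomization rests entirely on the transformer order (`update-secrets`, `cleanup`, `fileplacement`, `encrypt-secrets`, `encrypt-secrets/cleanup`), and the inline comments describe but do not enforce it: with `encrypt-secrets` omitted or moved, the `noop-sink` executor with `sinkOutputDir: "./"` writes freshly generated plaintext values back into the tree. Add a gate check after rendering that every `secretGroups[].values[].data` field starts with `ENC[` and that no `Templater` or private-key `Secret` survives, so a misordering fails the job instead of committing secrets.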

@ -0,0 +1,15 @@
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: 'false'
name: combined-ephemeral-secrets-import
secretGroups: []
---
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: 'false'
name: combined-target-secrets-import
secretGroups: []

@ -0,0 +1,7 @@
resources:
- ../../../../../.private-keys/
- secrets.yaml
transformers:
- ../../../../../type/gating/shared/decrypt-secrets/
- ../../../../../type/gating/shared/decrypt-secrets/cleanup/
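Review bot: `../../../../../.private-keys/` is pulled into the decrypt bundle as a resource, so the `decryption-key` Secret is an ordinary document in the rendered output until `decrypt-secrets/cleanup/` removes it. Correctness then depends on transformer order: if `cleanup/` is dropped or placed above `decrypt-secrets/`, the rendered `encrypted/get` output contains the PGP private key next to the decrypted values. Either have the decrypt transformer consume and drop the key Secret itself, or add a gate assertion that no `Secret` named `decryption-key` survives rendering.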

@ -0,0 +1,91 @@
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: 'false'
name: combined-ephemeral-secrets
secretGroups:
- name: isoImageSecrets
updated: '2021-08-10T20:00:40Z'
values:
- data: 'ENC[AES256_GCM,data:TYMniBOXUzUWROJBIIM=,iv:2rnni6xgiooCBArUCrypA1jYuWbUofqli37SVMlaAwc=,tag:ipRCGuGwYbnibougLr8MvA==,type:str]'
name: rootPasswd
- data: 'ENC[AES256_GCM,data:duXgFUM9nTWEwx+nJrA=,iv:5ZfOPqnqGkfx+ibJwWUYmoQlETjU7EZbhRbzIuRQnXM=,tag:J3gzhybmEGPZxYC+ZvO0VQ==,type:str]'
name: deployerPasswd
- name: ephemeralK8sSecrets
updated: '2021-08-10T20:00:40Z'
values:
- data: 'ENC[AES256_GCM,data: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,iv:21tSh1/+sShGLWR5TxB/2nHfMW4YzKOf1D6yE0jitho=,tag:6k0Rbfk+rf3wIIe1FhW2rA==,type:str]'
name: caCrt
- data: 'ENC[AES256_GCM,data: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,iv:DYwZlqxHUmFnhIy9S9OadGO2h3z67p8F+QmHVQQnuqE=,tag:I5W61XpWE4sWv7EEgLQnPw==,type:str]'
name: caKey
- data: 'ENC[AES256_GCM,data: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,iv:pgVhozoNdRTBi2Y4zzx5bybtuWkP7R0enTXwfbrHKOE=,tag:71AKiBMZ/sBD/zWBgVMFOg==,type:str]'
name: crt
- data: 'ENC[AES256_GCM,data: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,iv:ZVGs1HdrjkgpfKRMLnKEnZDdqD6sRO8h1/8V1W5QXRM=,tag:TUZXvh3hd+nRKaull1P+nA==,type:str]'
name: key
sops:
age: []
azure_kv: []
encrypted_regex: ^(data)$
gcp_kms: []
hc_vault:
- created_at: '2021-08-11T17:27:07Z'
enc: 'vault:v1: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'
engine_path: sops
key_name: firstkey
vault_address: 'http://127.0.0.1:8200'
- created_at: '2021-08-11T17:27:07Z'
enc: 'vault:v1:hGmSWtvLej7IwtrKrjnfFv0vd+X0CeClUCzjgLXTz72zpEp+0velsci/5QYgr+N39Z0ZPt3a6PdwNN8Epuzwtbos66bWCaVz4LM7e6zj41mZczgXQMvEm4YRGFnVXGvB5Hp3OexROCBa3HskFTWqSFeqV6pzOKv+1Z12mGVqVNMJasU4aTM8kN/yvWaUyk8RYoh9q2FLwAawLFBhbXPPQ+HJeQcvaFN8/q0OH2mF37pvk3Vu7hm0Arok95HRfziyO6CMZymSKB9zsfeajYCNtTpZ7KDSwPIZraxqZQXrtUvQE97lvBwnMLhdA3bPAxq+tk498f5Qgkl4q2ikFLE13Q=='
engine_path: sops
key_name: secondkey
vault_address: 'http://127.0.0.1:8200'
kms: []
lastmodified: '2021-08-11T17:27:08Z'
mac: 'ENC[AES256_GCM,data:qRm8PgsmzgsfEUST2l3Qai6NYqSmQYVjmSeqKXVNIzW86+5VpAgvtfeb+CYW2PoDyErPdUN2aVlCCIIMSHcvs/oeQenjhxuhD10Tq6YCSW6xdr18y9l2gfQk7he0lQrQD0G3s13ljW3pENSb5veD1z9jjePCUzMYxFag/AYKMa4=,iv:tNYu1HUIPUZv1Eu1uIejskm/oKY97ViHpByVsP4gcic=,tag:VChCD235OtUIFJY7LOZsPQ==,type:str]'
pgp:
- created_at: '2021-08-11T17:27:07Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQEMAyUpShfNkFB/AQgAovWJoL1kvunbQqgZVRDIpHJa4zPkbMv4kr7XHGSaKaJk
7YIG6/tHJnbGWeEoJmjg06nbN0ovMBt2Aw8nEocirLgsdq8dSdCePiRQw9SZ/rAL
U0F+iItqqf9Xe0vxZAwJHnm2Gd2OTkZ5DXvmL3NdOb6zD7c/pQbMpPpYXXeKTnqs
R+b/V8lUCpRQbrmCLAf00Dl59+92hCZH7IZoLq60hTqjEcLJivRd+JHnYHFKYD7U
rWcZUmXb5YKSG90L42/E+KuUMqiNf2QUJYZos+2s4GWVOZJ21+C5ciPEs1ep1RRI
orc/4oGuMNiaGforo+gYv0GYvWp/pfIzpimD4uoclNJeAQmfo63FskWSqm2ON0jc
d6HNRqBMprGtvQjK9ES6gJotHV8iM1vTOnOchvWkl9Vwe3ZJiYYMFxqzjjWnSF6c
rKIhPfUeXP8kdADct7poEdjWfnkCqsOh7XmHKUHb+A==
=iW1A
-----END PGP MESSAGE-----
fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
- created_at: '2021-08-11T17:27:07Z'
enc: |
-----BEGIN PGP MESSAGE-----
hIwDXFUltYFwV4MBBACc87vDwuhVG9NN0BK77GsH4PzZ23gVdqR/FB/BsUVKfIdE
Gm19aZZAlSL/AstATpddhXM2IRtDUM9sMRGfbr/E1r8qEByoUVruPGORsAhgvOfV
zEhts2UP4R6c1H7pT8JojrXpPQidlUj7hpCDDRczZlEgbkd9fB82isK/BYKUs9Je
AfibRs0Y0lpHNKJjYWZBMVuKfAY71ujAI9s3WaNv8Et84ddGJrun8pHlOydsL2h4
ToYsrMozVGIsJGLhg1VcwgDgPCy7BsL1aF7hJzTdSYsW+Em++uJlN0BGAQbZzA==
=tT7m
-----END PGP MESSAGE-----
fp: D7229043384BCC60326C6FB9D8720D957C3D3074
- created_at: '2021-08-11T17:27:07Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQGMA5pKZobbvtIQAQv+MhMPhbxS4gNfQwiFpnTqQ/Hga9FfbPc1l96Cd7IEQd4J
JQqMAW858fOSwsIAEEgZP1skOGGTQXDdpKCqPafySdRVDfFCPTFzVXnFTr2HwUfc
g0ByHpTqDMlRQ8mASlo8+PoZuw1nZSwOhdag4AWwDp1a/RVRP6tPOmOCL/P/t7Hc
VEcaAuaE1g0HJsLvtDITPf63WcgN2b9LcJ+anWfapjTL1yNLiZhUdN9sEETr8mkt
vNYrcPjMQ6/e7o8TYThrXw+5h0Uwed/zGO8E9UHUse+XeBJsYSJ76vnuiKXK6t9Q
LtrduJ1KeaLpvw9e1p1nxCZHSLN8dVngmyoYtdv3yVN7JUN18HUu7WT6MQ0VYttM
fBz7pHgltX2TP5EAvMBUAWA8i1K3razhGq5l79d3lVlxRK4mcTfZQkXQiieCBh/j
/cbvwFcwDYWbk+RKPFHw048+iIrWaqsv5nhv3Zc+8gZIyLmEattFh/8YTCyirNjj
kNamcFLHu2H5UTyuZV570l4B4SJNO0Vs34LIBMHpwQaEOdKPto2hvtzNuhZPw6CP
MbDQr0HaAShFTaQ5TJRKjWErZ8QWt3//lVe9wkMaMPlqVbddlyNbCIittzteS4CJ
I1w8PpzzT5u8EdTymqDT
=Vv6V
-----END PGP MESSAGE-----
fp: 9DC6FBBDB3801E4E1144017138959A55322BC64B
version: 3.7.1
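Review bot: the `sops` metadata lists two `hc_vault` recipients at `http://127.0.0.1:8200` (plain HTTP, a local test address) next to the three PGP recipients, while the `ephemeral-encryption-keys` ConfigMap in this change has `hc-vault-transit` commented out. Every recipient entry can unwrap the data key on its own, so the committed file is decryptable by a wider key set than the configuration declares; re-encrypt with the configured recipients only (or enable the vault line) so metadata and config agree. A comment that `encrypted_regex: ^(data)$` deliberately leaves `name` and `updated` readable, so the templater can evaluate group expiry without decrypting, would also help.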

@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../target/catalogues
patchesStrategicMerge:
- networking.yaml
- shareable/
- encrypted/

@ -0,0 +1,92 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=Zs2s
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----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=PafV
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----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=5FdM
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,10 @@
configMapGenerator:
- name: ephemeral-encryption-keys
options:
disableNameSuffixHash: true
files:
- cmd-import-pgp=example.pub
literals:
# user U1, U2 and U3
- pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074,9DC6FBBDB3801E4E1144017138959A55322BC64B
# - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey
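Review bot: `cmd-import-pgp=example.pub` and the `pgp=` fingerprint list are maintained separately, and nothing checks that the three public keys in `example.pub` are the three fingerprints listed here; a stale or extra key in the file is silently imported. The comment `# user U1, U2 and U3` is the only mapping; consider a gate check that the fingerprints of the keys in `example.pub` equal the `pgp=` set, and keep the commented `hc-vault-transit` line in sync with the `hc_vault` entries still present in the committed catalogue metadata.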

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../target/catalogues
patchesStrategicMerge:
- networking.yaml

@ -1,7 +1,8 @@
resources:
- kubeconfig.yaml
- ../target/catalogues
- ../target/catalogues/encrypted
- ../ephemeral/catalogues/encrypted
transformers:
- update-target.yaml
- update.yaml
- ../../../function/airshipctl-cleanup/

@ -10,8 +10,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.targetKubeconfig.certificate-authority-data}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data"
target:
objref:
kind: KubeConfig
@ -20,8 +20,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.targetKubeconfig.client-certificate-data}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=crt].data"
target:
objref:
kind: KubeConfig
@ -30,8 +30,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.targetKubeconfig.client-key-data}"
name: combined-target-secrets
fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=key].data"
target:
objref:
kind: KubeConfig
@ -40,8 +40,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data"
target:
objref:
kind: KubeConfig
@ -50,8 +50,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data"
target:
objref:
kind: KubeConfig
@ -60,8 +60,8 @@ replacements:
- source:
objref:
kind: VariableCatalogue
name: generated-secrets
fieldref: "{.ephemeralKubeconfig.client-key-data}"
name: combined-ephemeral-secrets
fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data"
target:
objref:
kind: KubeConfig

@ -0,0 +1,7 @@
resources:
- ../../../../../.private-keys/
- secrets.yaml
transformers:
- ../../../../../type/gating/shared/decrypt-secrets/
- ../../../../../type/gating/shared/decrypt-secrets/cleanup/
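Review bot: this kustomization is identical to the ephemeral `encrypted/get` one earlier in this change, including the reliance on `decrypt-secrets/` running before `decrypt-secrets/cleanup/`; point both at one shared base under `type/gating/shared/` so the decrypt-then-cleanup order is maintained in a single place rather than copied per cluster.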

@ -0,0 +1,73 @@
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: 'false'
name: combined-target-secrets
secretGroups:
- name: targetK8sSecrets
updated: '2021-08-10T20:00:41Z'
values:
- data: 'ENC[AES256_GCM,data:VGOFunY8rvu3GnfVLvwRRHjIL8r+qdjmbbia3tcqF0lKZAqz611aRZk2NUixqcP0p4rivGvVJipxI7fG0J9NkVNT47FR8qzHq2FEhXZAXKrgF/74MH7N40V0q3o8Tt/BbC5B/mplaYhIwBeZhWi0m4fuzmyW92DReKOHnbAavN6w+bSN85LuM8ccHTgXf7SBQ4cxHESyGs2XmtVAquI0vdUZF/okZpV+ViQk79MMTUkK55Y63St6KkaR34riouwlKs54uz2ZtlKGTaQDrXAJITlJ4UJVJe9XH0FkCarZ20rZ6Nng18aEOZzvIXQSDMkTWY9PbPYyZJzTuKkT6gEuPmSfjooEEUf6NPKsi3NTIpZTwDAszypmLYIu33LspSHHBn6oV46oOy71hlqzMDX2d4Iulg28rZqfXdget/sYxWjhJRwozDKD0Rw/w1uykGF9nxwHZ6mONPYi73THXczJejfJbhOoAn8Kk1YeADafVjLICCK4RayWmK71O049SIE0UGWBq1IQntV4gUV6STdpQqK3gePkFDgY/H1tNfPeuzy5GoLyFdVJwq51RLLS5mTSNndQEcv9j9wFPZDXTIbogamI2jHYokFwk7eRtRokCG7KwuJhyPY+/arBjMtKcEWBsd0uCeUtMGqAKXdeuSCZnpn+fORjCJZjoCDbaC3yU/Rti14z7sTNFmLlLEqWeQGYFNmKogv6A7oxraKKLcp8GSvNLw+7+KnMaVIgyzs/kAzJ8ZN5OFKnkp0MUiQKrQ8PNa3fYOPEdHJsYjuVU5BRGN1ZenQWDqPobF/CfEcHRyeY24A0Kf/S2Q7RSs7zisoNp1NyYaxc8GvevdgFt+7zrreQE7IX+nk0JD+0ppeE3X3/2+qzCwPKd0zWngdUmS0qQ1DpQpWOWQv/ayrlRJjlS5IF7SiOgoRV2YFPGbtwn1nElmDY2TuM5f9YFvOYO5spKtnktSavqYAhrsexYp8gERfujyyTbu8gJTGttixK9dta+l7cpnXjVooUvAP+RtygPeqExE8SuO97hvi1TfyBdf/zeDvidHEE9IkQkr6OWCDFGDwR9vGbMeG+0iO4AyEQp44jHqU093SD18ka+hlL7dVARmaZMVFA1WmbqNSGL9CoU4AWD8yMQfnBKp/EI4CO+PzY4jpUN/V/anUZigOoABg+WV4jldWM+RUJYRcJFwD/FRRJaujLz8mbdB3CWzkLdJhIt40F8ObHnuUHHTm/rjvEj2aWpXUNmR1Vx77ypvitsYWVyskaRSQ+7ar1Ch+Qc+lRbyapKdVu8P6HXDmB/Oq33i5pZz1eThkUWx7yrHF4iAKSg3v/Ff9NZzOXd2jYBEg3zbqEN34I5iwg19HJax7TcTuWse0IzFHEvqewwM91QlkZUrETfxPt327alMqwXet1iPnxqFiTgN00wsoU4q7S9GRJM6pED7oQUSKODNQqNyHP03EKbCVBxy3PRMd/tHXWb6oRHbbU8EZHfxkNcEsMPO0t7ZVNr3M/36t8IqhCs7/M/iulloLoPWJTXYu51YiQlyKoCvesDUfjk02Ay9hlk5W5bI5sTNzwNUL+WsOTPSzB1/VgCtsFXPA2pfTFV2qoeTuawc6ztXbTdnxU9XGa6s7IwAf9nP3O40InZYAWI2B1c2PMvcDpPko9yUJbf/MUhCRwr1RHJ4KLnEWyCXlr0eKCtvepApI44/L5cZeexjeqYm9EKK20MWWMYtqOKKrH1vCYZYG0rxqnUPlUJ8lBwJ7kjwzXc3XM2b4uAnr9vIPCXWK6OZ2/nQ9Dzx/uZIt3CevR3DKQiRVAStGlo3lT69g8XF19RMqD3XEHo0LtTgi4eWxh3ntIc5Akb//2Flb3cJYSrcfkcJ76ZAZyWhK+NFtMkdgjpz9T/JketIKzJ9tIYnNLAqpL0zCwZjMbfQMmlbXe6DpAeKIOj7DVq0Xoe/Ms+9Ay2firg+oFThlBAjLqcTM
2ZD/hPrwzEIuBNIOCyCK1jTqPR12jMhQDTlmGvTRfCA0gH8kwFZUZ/xo=,iv:bPQ/f0A83qe/N/5MQVMDwGKNo0gCVSov3j5ctRBqq70=,tag:vvmSh6a8pEoFE8yh5UpCUA==,type:str]'
name: caCrt
- data: 'ENC[AES256_GCM,data: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,iv:Z4EXdCvzyL3kfwgwGMO0dbo6n+24bXyu/YOLUvokYwI=,tag:1z8Igd1gDyCoAR4wshKo1A==,type:str]'
name: caKey
- data: 'ENC[AES256_GCM,data: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,iv:pvNaEoY5wwwbtDUUqJLj0h1CcXJBB6t/oOVTMTyXVOI=,tag:gEWpf9AKCNtA6nmkwj2GHw==,type:str]'
name: crt
- data: 'ENC[AES256_GCM,data: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,iv:dPDYUIlrM0uLfyXEdUx7D/UYUYc2h92JZhmlfUHEPU8=,tag:ySJUMycKpoGg19qJKdNDCg==,type:str]'
name: key
- name: targetSshSecrets
updated: '2021-08-10T20:00:41Z'
values:
- data: 'ENC[AES256_GCM,data:lqIbk19JrqVZf8eWHlZoTu3w0353ZqpI8jXQRfKC+dD0f5k5Md6YnWZZn60eH9S+FbhqWHB+y/J5VfM0Y0x4pMA9xRrYQHND0SxAsnI6vd0nd7Yggpm2aArIoe3C4ZtY6du0TN0EUy7QsuyKCQTk8hHzJbFgoW3EMmB4gkByOfhAja7oM+Yg2B01Zt6joe7xb8EXzFh1KKLBjhp5YLsy0B2TYSnVaCf9Kpwa4smYdTtjQSy0qxmjYfMD1uVaZV82tWmshDrHCnI5OOgZ0drZbSRc0M2tjtbtJ9Zhtf7m35telTGLFQW1gIjaZ9kescUySvMwVLmso4RgfXZeomKL44gatSQshU8YiqfiYEu98kiisF4F6iuz2yUrlyMmUasaqqIkFXyiY9wjHWyB8pW4LwvNlL9XHZLIwqeYL+1LBDhU454ZPqfgDppni7ng09bik5BDsYaIW+ct5HfhC2IjMAhbCG8Fvxfb7rFdZYPVnvdmmXpU75k9bDmIL91/lKRG6slH1KWBNkPEyS5T7DPd9FX0sH9gsuhzLGEVmgJOa5/v3nVSGxmSmdzKVZ3fOPSlPhvh0733AqCtaK/A0mFtfNDx0Us7N0ulBK+px1HLBoY4wsQNO0yFm2eYl4xTT8BxYYxT4xyIs+vQgxzAYwATYAO9ZXMZXkUTWPX9BWL4e4bruH2gJtplihdxnsTVYaW4pDMGheZIjg69YxS50J9yivIBWG6Ad+o+5kQ8BH8/fuNMyxvFgiKMK1qVsn8coYcfHG56KqHivQQ/fIenT4800+jP9umhoKEzBSonLGgD1aOrgFXXYO1YllMnWAuQ0HYcK5rCjXiSTiW8pVwL279KjfNjGoehV2HFqJ8SEwr1KNyMXqn/CPmWmlMCK0T4h1lULH2G9o2u+JdyTZg+uOJ60hqrUHfqfL6KRNktak4nuR+sP3KphxP81W+ZQVRp6ZnNFLN/3+/02q4i2Qqz3GTXrugUNzrPZ7AovDYyicy8lqPzCdygS7nPfMsur7KNONFZiX11/bTSUa4p6o3Eb7mxFCvX3I03bUq/XXPrF6ZT1ie9pd+aF5PkOw8IRQuumRjx0Fvby70UlW4nI86ZA/NIjOGJSVv3Rzsd9hXjuYaYMpyyvPPtCljLOvhttERZYBJ+yMACer4WfBsPKqEDGCsE2OlmJyrQsMYMSoBhJFo5czLf5xa88QI++CX2k4DJAVI+daMj43rGv9aTUt1C3Gyu2s0YKgqFOWlv6svlMMJZ1DFYysL5nQyQi2ySBp6BIdPPPtJLpjvMZmhI+Tr45gGB/SYPMsD4tUEYqQleVUfUA7OsY0E+KtWJNNq4BoeFr2mwgYFXSN6gVyHmXVvDnjtee99thfSdIcai33GIU0SPgwFvlZm99S3bRuJO/Fh3+7dMez85WVBhm9olacdvcrH6CEpm/5+J3gBmwx5pBeK7PXt3LQuacYQw0wwWankLXDA15+iSQjgo/G6jcm1x+DaFzblEnA00foKch/7G0BL+e6hiZU2Cco7h1ckJP4WFQcaNP6c5823Of+J8M0p+NNReOLEVozXSVsGbE6bddOy9pG4mEfmYmOBMwxNvVG/ybXEKTqX26zVkPbYraG2x4bDkD2kXf3A/9Z+3vmyT+L0ktUdBESGjV6az/MrThJVNZIQZT22dD7MrDP1ht03wXKDwppG12fRAlKIrC46Z1Hs11mLJSXcCcyzKLO+XuizNVwfMVBFwGbMdCigfJO7Qo36TZOb6n81rkfKSceMv6Y7w9tEWiU4P24Qcmt4Di1LSMoJUwBI8gI4KbxWEpbo8wX+6O29wcXYWjAT+VA+dgUFDhnjjUnIL7wpf44ZUEMPtC/tQs3+r3dMeO2VdTqfjfUKJSSgUh1igYko24YogBZDGCIqBllrKWuNt7+NBhvBJ9S7F1162bbdCYvy4yDu1mQEeawh1Jj0MirkslbPm6v5eecqDD0JaAKf
xcJlqVF2SqqZMYgSNAsTn1jCddd+f1VfcPXK68OnggicoGV14kS7zDvnj57lIKE53j/ckdyrns70YJ1+M8zIvrOhj+DemwzD47kP1xyzzK832QNTy+KW9DCOthyfkeHKCe8UMYDkjVBVquyHmavEORJADCgu7N+NO/+qnsl9JfrGHiRL1Go1ijdDiPy1LZbFX5jPrXlB5G3vWtClwcqpLlHOubKef21JKEg0WJ8zW/ZLzkjpj4N9edik3m3UrJzj96QxnTxHmw3IJDzz51uQX4jodCvD1dFyufBerlfWV/tMN45B80CpbhM1aPIlbFdXw9hIJjitnxDXs9nrr1NK4fN2xVZd70QFmv+ucpWowed8ijifrGf7vPwq4J7S60i/OZAIS3J7azfhT/EzElvcCgrqALuXCuzkUdkll2iUZyBVBgrmDjt1ZncHjEbvgl/dt9B5YG6nFVku3HQEFJLv0LPNRnTt2iJEn8k0e1V2U6c6AtpIuPf6iTUig+PVDHIrXxTIfpiOn1ZG36gcKpSPaA4YkESHKM57qEQiV3IYUc+dMwSYa6xxe9O4iFcJyh2GkBC1CsbXqyhskatyMSpydxgn/DEtc7ODhdGRgkhxj2xy01apWe2CxbcXvIAOeRpj/kJIeJLvidUkzSLgz1Xcts0XlbB4ZO5hOdJtE7UutvMxOAK9lsbk/fdE1gcNuzcK2HQsU1xYviSMjLK+h8JXJS05/y47+CD2Xdq5WUXqdKdHSwIR18rAbCCFZsEB0QQvjpuxVXmK337DdL+P7qfJtSIOAE+S4atXyHYikOZaclGKb0vaVKHsELJ2mFJ8lOCJRj9xrviPYP+GMsmfrvp9zW49XRNx0ufdAvYuRBdOYu/+56ndQPiYj7ssDyRLl2wb82v18EQQXYUPpsi+P2yiJ5XXlsjIHny5v8iMs+gxDfcwkFErl0U943NUCdqXdL44jNcki0TaCtFge07yGirhGsCdZYVbr+TOl4msE8pBL1NhIzBkzgVONGfFrjQieC+dq0zzis5wmFj6FKtIBdVSKRtWA2swyP9cAdZsFdV6rukk2GJJk7bh06rSodQARh6Y2pZ7FbqZ0WB/ZPjRxVx04R281s0El1SDucVerwz6nMBjVD4BZJyhg0Buyi2G4+TwTV6G9aTE7FTLGMcmHiq21SiN9QvyTRKv97QbvlRAHdk/Ax1sbXHUIbhUp8XYRp+gA5hyftsldjhayMP8rsPGE4PsAubzH99xhQv84uRIocaCJJr/STAdLt9SA9D3dZehuq9XSpVo23dSiRl2c77R8CIlq4oa3e0wM1BdKmPthOJquwyFDU3B6MdaZa+kWF1nTdUydP3izEKfl1X1nxCgiIKgA73Lql5o/sR8C+7VDiT5d2WZBVCqh6iF/pQfm2r0mGVi/qx5bKMQYIEbwA4JagWpQOFB67gSBUSuvkbNOwnS6CWygXP/5lHkd8pH6kUPL2w3nRU67GCvCOSidcwQBIiNZdsbX9wPww3EU3945L5uItFh6LuwlY5xjj2oyf48AeEYmRvyKatFZyEdzJteqCLde1B+0ez7YGAndwrrMTaQKPiV77SKDIu7NaNdNOnKESIa6EmFy/wYAkRCo8CYcMKXPmPtR2+tAyrwvWSPKeg6DEtwx2YOSDfYkc2amVJNAvJO3yt4bLe9YGpa9Q2c17/ons66zbAvLct8K/Ysds3B90MJ+Uz3AUy4gnBJ+7vFYNuxC0MEHq9mouI4jKOJMkTmtOeaOpdLQp2KDfKTLw0QRC8fmeezUtOn8pbcgdHkkKolUPhe0cJ1uluK7vOmQwWwGhhKN+Xgi5L0LU5+iein+KQIJHfcS7L8mNYKo0t41/LAUqCFAVItm38KPUAj1S7U0bkbBwtUVzmxlF5ByMulmI9digR44oPmDOErjOz6QpSmidTYdECeWTjlKHCjrkkq19KTWaCDUcvT14WWh2vcbtFt1tWenSAs07pBFguSqlNhH41CnW8+6lzI
E+ExXvyMiHIYcSW0yvdl/Rx78SYS+KNAaeHPo9nIOzYdjSuyFmU0PQdPcIUjWBQipUDizk/ZhjMWyikMwtQxp8N9P0J7d3EOSrSDxqEuUpBRkgwn7COvuqUVhR+VSiBC/6b1mwKdoPa8T3k/tRklY2wDllumzGoXxgmNZ2HxEYsLiytOrt32KZeAkWIvHYi3xdIyiCDJrMLf3/dMJjnEzG9rszpRhIcAPF4ZuS6KTVx3eRAQ7EhdGv19SuxddMib/kDnHNnUn7r3+KKpUAbscOm4bJpTF5LrA63Ls0E0BJPAXH6C7PC+8V0AuwdGP7/mckUeYlgiwsMxXIg+uxHBO7IoypY7MjWmz,iv:3V947NfzKkUc/KyqIqQxYRr5SlD1RIeppVC7651jppc=,tag:LNziKYmuXMRu7Myhu179Gg==,type:str]'
name: privateKey
- data: 'ENC[AES256_GCM,data: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,iv:dM6ZBlzqKY/1rQBvoELAsQ0C7t3ImqwgfEVC/tmB21U=,tag:09JyHpyaSOhczaHxKtmt6A==,type:str]'
name: publicKey
sops:
age: []
azure_kv: []
encrypted_regex: ^(data)$
gcp_kms: []
hc_vault:
- created_at: '2021-08-11T17:27:09Z'
enc: 'vault:v1:jhJ6EQdgewNU8G90fvdFvB3DI5vYtcldhmiokzEuwFIwn19w+3iI7OOsHRImSlNAaf7hk+vGaWLJOllJzgjqn6WLtHQb4FNK6sQNHOMLKSlSNwwGtSR4/5NqGfwr83Bhf8di/JLlIsoGoJTN/qG5BVGgpObSbQS9QAQgHqIc6XAO4gaafl3cm71UyY6m1hgJzE+ETqoViySlTBVhf+RYZ3FRMrmZuPZBN+2t/J3KT6JSMCWDQVCPljADuHJqQgWviKs8EbSjNGYcKMX33driB6XEYmPkOs6kXh+hFDYvvLNEIyWWG5K5e5yRlxlBCcl7T5hQx2LTONotgcsi5Js/W7FkTZgmHJuwCrnHBi8sKwsnuJzShcKYENZa8SB2IiGxMN/PfgycyqPSBr9LyVgmh/rq0Sh4h5zuAR4p+QO+1M8eeYaCGI2mf6dK1zLxxK7JKL5cPMtn9Jv1ZhBA1oFejodVPJxCIrsr53wRKje13PBPwQFxW8ottLllykseAhHFWOxktBKwP6gQfkX6nChwTuHAb1OQviewpqxt+Y71godrNH8FIOjWVY1WdM9puum9pbyxk5UAKD/YO9zzboGmB822DnbnrHq+AlcglunvsgLvl/a/Wnk++mOmph1cOmR7s8LyxEa92KJ9UX1CGlSC68uzIWkX5YxYyVM267Su0bA='
engine_path: sops
key_name: firstkey
vault_address: 'http://127.0.0.1:8200'
- created_at: '2021-08-11T17:27:09Z'
enc: 'vault:v1:SHCcOUHlef/HMsMvS5KY+ZZYHicJDYNzcdzZKGwchjYIssfqE9KZXDv+O3bDNWbNH7BnMO63TKT1VeZ/oAHFkovNnl+fcTdMtbI7WYiDNxBWiV+yFmj9OshsharAaFJ0fh6TE5Qqksccq7Oq0DVcvzSpMvJnNL011e06i2ABTOEjsjyf/kj/9hwnAezc+rlylvmObaOpX6lURmWqBeptFbmLj446BcVCITatg9Tg8qYbRz+PR1JIOaSmTSoRuifPPSZR0PoJmda6+gmHNJ7ezFAAyNq21lUnhr60R1gPI17WUwu7IPWNL1LMrTFRw1SQahbQFaAOj6wDqdKJ/HS1Cg=='
engine_path: sops
key_name: secondkey
vault_address: 'http://127.0.0.1:8200'
kms: []
lastmodified: '2021-08-11T17:27:10Z'
mac: 'ENC[AES256_GCM,data:kYqyZkHzzrFCMCVChrNrQzBZ88vYzursIFEJGQz4mHpnMXMCPykpKOzfpUSlj+M5mYsb/y5hNbw8xsKOo1GUV2tEjoJ4k7kL4CF3JRVLHKHDgpJE8GTtz0uHBwN7HrPX7EurSWHeVmOTxP+1mxs7cBQQS/Yb2DyvOJNZyYswfxs=,iv:NDTuNLFHQxvZoLF693Y23bqySnrn/EBMvUNHkj59Bu8=,tag:UARHcP1hom78DlC1T/S8kA==,type:str]'
pgp:
- created_at: '2021-08-11T17:27:09Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQEMAyUpShfNkFB/AQgAhDRNRaVRHjXylYzg1ASfArY6BptjZm3dldnNjGP5p8RZ
Szz7Y77NTEqc4HGm0D2L2ob0hx76FUanMAEOEB7OJAqQC3T9rjVTnNrdfpX+I9ty
k4b5scb5iya6dQasDGccyMSlNwkJu63f88DhVXQgg62Z3r8LrkG5yUPB2YH5qpCf
m1xx19ssVuAP+EBp8T6hulhCf57zbGsJwUr6d0pkXzX5sUbeoNzgGSJ3xkyS5h/D
VvMjQpNxB3lvItNzvtDYCotQzzGMWRHKkDm4xzlN0ztbvg88pfCUNopU9kD4boXn
x13KS5F/LXokHRagXOxY/2lvIbpqMR57w/k6X+dj7dJeATWuTCbYLcST7YpPbScx
/PC756MHVn77RyIeNVkVL9b+PVgTHmU4XtX/ofBbVSpgRIL4kIpTjvvvQ/ZJpNCj
8IxL/Iwni90DXv+CrhL8mRlwH8dtXGyMuthYGGU/Pw==
=Ln27
-----END PGP MESSAGE-----
fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
- created_at: '2021-08-11T17:27:09Z'
enc: |
-----BEGIN PGP MESSAGE-----
hIwDXFUltYFwV4MBA/9KHOMOnyeKipAPielSJGYCFIe70/DqoaUOgbq1aerC5VQ6
4jRZ6+yhNHFCYAYH7cN4i/wroJLeNY8e4PUDd/dBTILr4P9htje+8SiIoQFaI1Fo
VR9y7MTYpiHniW3Off7McwNg9qny1xpRDcv2M6wlqtMYVBGzu8RDKvAjbGPJwdJe
AToMSYhD83qWOjcRsdj/N/l/aMYZXYU1/crO/sM7wvJdM0irvJeZTclI0Btv01NJ
Hy+7ZzhB65XAvdKbTlw2YcyLkISq72HnuNX5IwhptZOxkhuh5rrYjlSUvdSL/Q==
=0cje
-----END PGP MESSAGE-----
fp: D7229043384BCC60326C6FB9D8720D957C3D3074
version: 3.7.1
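Review bot: the `data` value of `caCrt` and of `privateKey` appears broken across several lines inside a single-quoted scalar; if that is the file content rather than display wrapping, YAML folds the line break to a space, the `ENC[…]` token is corrupted and sops fails the MAC check, so please confirm the committed file keeps each value on one line. Recipients: this target catalogue is wrapped for two PGP keys (the `target-encryption-keys` ConfigMap's U1 and U2) where the ephemeral one has three, which is the per-cluster separation the change title promises and worth stating in a comment; the same stale `hc_vault` entries as in the ephemeral catalogue are present here and should be reconciled with the configuration in the same way.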

@ -2,10 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../type/gating/shared/catalogues
- hosts.yaml
- ../encrypted/results
patchesStrategicMerge:
- versions-airshipctl.yaml
- networking.yaml
- shareable/
- encrypted/

@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ
wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/
6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl
3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA
d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN
ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h
bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p
IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO
5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz
gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl
obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91
rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E
RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D
ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo
1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF
hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh
vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn
PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D
veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc
s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1
9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA
CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE
hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa
iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi
UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt
cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q
DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg==
=Zs2s
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----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=PafV
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,10 @@
configMapGenerator:
- name: target-encryption-keys
options:
disableNameSuffixHash: true
files:
- cmd-import-pgp=example.pub
literals:
# user U1 and U2
- pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074
# - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey

@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../../type/gating/shared/catalogues
- hosts.yaml