From e2c56108eef38dd83df52fcfd1fa6844e5376a56 Mon Sep 17 00:00:00 2001 
From: Alexey Odinokov Date: Wed, 28 Apr 2021 19:22:43 +0000 Subject: [PATCH] Nextgen secrets implementation with separation per cluster 1. Extending templater with kyaml functions and creating combined catalogue to be able to request/update the existing resources. This is based on 'everything is transformer' concept introduced in kustomize 4.x That includes gathering all secrets into 1 variable catalogue and special mechanism to regenerate/merge with manual secrets. 2. Implementing 'catalogue per cluster' approach for secrets. 3. Rearranging secrets so it's possible to use: pgp (each person may have his own key), age, Hachicorp Vault and etc and the list of people who can decrypt documents is set in a special file. Since in some cases there should be a separate list of people who can decrypt data - this list is set for each cluster (ephemeral and target) separatelly. Closes: #586 Change-Id: I038f84dd138d5ad4a35f4862c61ff2124c2fd530 --- docs/source/secrets-guidelines.md | 188 +++++--- manifests/.private-keys/.gitignore | 1 + manifests/.private-keys/exampleU1.key | 58 +++ manifests/.private-keys/exampleU2.key | 34 ++ manifests/.private-keys/exampleU3.key | 82 ++++ manifests/.private-keys/kustomization.yaml | 6 + manifests/.private-keys/my.key | 1 + .../replacements/generated-secrets.yaml | 37 +- .../k8scontrol/replacements/cluster.yaml | 16 +- .../replacements/generated-secrets.yaml | 4 +- .../cleanup/kustomization.yaml | 2 + .../templater-helpers/cleanup/patch.yaml | 15 + .../secret-generator/kustomization.yaml | 2 + .../secret-generator/lib.yaml | 165 +++++++ .../generated-secrets.yaml | 4 +- manifests/phases/executors.yaml | 21 +- manifests/phases/phases.yaml | 32 +- .../encryption-keys/kustomization.yaml | 3 + .../encrypted/get/kustomization.yaml | 3 + .../encrypted/update/kustomization.yaml | 12 + .../test-site/encrypted/update/secrets.yaml | 15 + .../catalogues/encrypted/kustomization.yaml | 7 + .../catalogues/encrypted/secrets.yaml | 91 ++++ 
.../ephemeral/catalogues/kustomization.yaml | 6 +- .../catalogues/public-keys/example.pub | 92 ++++ .../catalogues/public-keys/kustomization.yaml | 10 + .../catalogues/shareable/kustomization.yaml | 6 + .../{ => shareable}/networking.yaml | 0 .../test-site/kubeconfig/kustomization.yaml | 5 +- .../{update-target.yaml => update.yaml} | 24 +- .../catalogues/encrypted/kustomization.yaml | 7 + .../target/catalogues/encrypted/secrets.yaml | 73 +++ .../target/catalogues/kustomization.yaml | 9 +- .../target/catalogues/public-keys/example.pub | 51 ++ .../catalogues/public-keys/kustomization.yaml | 10 + .../catalogues/{ => shareable}/hosts.yaml | 0 .../catalogues/shareable/kustomization.yaml | 10 + .../{ => shareable}/networking.yaml | 0 .../{ => shareable}/versions-airshipctl.yaml | 0 .../site/test-site/target/encrypted/README.md | 32 -- .../encrypted/generator/kustomization.yaml | 4 - .../encrypted/importer/kustomization.yaml | 4 - .../results/generated/kustomization.yaml | 2 - .../encrypted/results/generated/secrets.yaml | 52 --- .../results/imported/kustomization.yaml | 2 - .../encrypted/results/imported/secrets.yaml | 32 -- .../encrypted/results/kustomization.yaml | 8 - .../cleanup/kustomization.yaml | 2 + .../shared/decrypt-secrets/cleanup/patch.yaml | 12 + .../configurable-decryption.yaml | 11 +- .../decrypt-secrets/kustomization.yaml | 0 .../cleanup/kustomization.yaml | 2 + .../shared/encrypt-secrets/cleanup/patch.yaml | 13 + .../encrypt-secrets/encrypt-ephemeral.yaml | 17 + .../encrypt-secrets/encrypt-target.yaml | 17 + .../shared/encrypt-secrets/kustomization.yaml | 3 + .../fileplacement/filepaths.yaml | 25 + .../fileplacement/kustomization.yaml | 2 + .../shared/update-secrets/kustomization.yaml | 2 + .../shared/update-secrets/template.yaml | 140 ++++++ .../generator/fileplacement/filepaths.yaml | 11 - .../fileplacement/kustomization.yaml | 2 - .../target/generator/kustomization.yaml | 2 - .../target/generator/secret-template.yaml | 58 --- 
.../importer/fileplacement/filepaths.yaml | 11 - .../importer/fileplacement/kustomization.yaml | 2 - pkg/document/bundle.go | 3 + .../plugin/templater/extlib/funcmap.go | 11 + pkg/document/plugin/templater/extlib/kyaml.go | 71 +++ .../plugin/templater/extlib/kyaml_base.go | 189 ++++++++ .../templater/extlib/kyaml_base_test.go | 434 ++++++++++++++++++ .../plugin/templater/extlib/kyaml_test.go | 185 ++++++++ pkg/document/plugin/templater/templater.go | 96 +++- .../plugin/templater/templater_test.go | 384 +++++++++++++++- playbooks/airshipctl-gate-runner.yaml | 2 - playbooks/get-vm-config.yaml | 4 +- playbooks/vars/test-config.yaml | 36 -- tools/deployment/21_systemwide_executable.sh | 2 +- tools/deployment/23_generate_secrets.sh | 64 ++- tools/deployment/update-krm-images | 2 +- tools/export_sops | 1 - tools/gate/20_run_gate_runner.sh | 2 +- tools/gate/config_template.yaml | 36 -- 83 files changed, 2608 insertions(+), 484 deletions(-) create mode 100644 manifests/.private-keys/.gitignore create mode 100644 manifests/.private-keys/exampleU1.key create mode 100644 manifests/.private-keys/exampleU2.key create mode 100644 manifests/.private-keys/exampleU3.key create mode 100644 manifests/.private-keys/kustomization.yaml create mode 100644 manifests/.private-keys/my.key create mode 100644 manifests/function/templater-helpers/cleanup/kustomization.yaml create mode 100644 manifests/function/templater-helpers/cleanup/patch.yaml create mode 100644 manifests/function/templater-helpers/secret-generator/kustomization.yaml create mode 100644 manifests/function/templater-helpers/secret-generator/lib.yaml create mode 100644 manifests/site/test-site/encrypted/encryption-keys/kustomization.yaml create mode 100644 manifests/site/test-site/encrypted/get/kustomization.yaml create mode 100644 manifests/site/test-site/encrypted/update/kustomization.yaml create mode 100644 manifests/site/test-site/encrypted/update/secrets.yaml create mode 100644 
manifests/site/test-site/ephemeral/catalogues/encrypted/kustomization.yaml create mode 100644 manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml create mode 100644 manifests/site/test-site/ephemeral/catalogues/public-keys/example.pub create mode 100644 manifests/site/test-site/ephemeral/catalogues/public-keys/kustomization.yaml create mode 100644 manifests/site/test-site/ephemeral/catalogues/shareable/kustomization.yaml rename manifests/site/test-site/ephemeral/catalogues/{ => shareable}/networking.yaml (100%) rename manifests/site/test-site/kubeconfig/{update-target.yaml => update.yaml} (68%) create mode 100644 manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml create mode 100644 manifests/site/test-site/target/catalogues/encrypted/secrets.yaml create mode 100644 manifests/site/test-site/target/catalogues/public-keys/example.pub create mode 100644 manifests/site/test-site/target/catalogues/public-keys/kustomization.yaml rename manifests/site/test-site/target/catalogues/{ => shareable}/hosts.yaml (100%) create mode 100644 manifests/site/test-site/target/catalogues/shareable/kustomization.yaml rename manifests/site/test-site/target/catalogues/{ => shareable}/networking.yaml (100%) rename manifests/site/test-site/target/catalogues/{ => shareable}/versions-airshipctl.yaml (100%) delete mode 100644 manifests/site/test-site/target/encrypted/README.md delete mode 100644 manifests/site/test-site/target/encrypted/generator/kustomization.yaml delete mode 100644 manifests/site/test-site/target/encrypted/importer/kustomization.yaml delete mode 100644 manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml delete mode 100644 manifests/site/test-site/target/encrypted/results/generated/secrets.yaml delete mode 100644 manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml delete mode 100644 manifests/site/test-site/target/encrypted/results/imported/secrets.yaml delete mode 100644 
manifests/site/test-site/target/encrypted/results/kustomization.yaml create mode 100644 manifests/type/gating/shared/decrypt-secrets/cleanup/kustomization.yaml create mode 100644 manifests/type/gating/shared/decrypt-secrets/cleanup/patch.yaml rename manifests/type/gating/{target => shared}/decrypt-secrets/configurable-decryption.yaml (65%) rename manifests/type/gating/{target => shared}/decrypt-secrets/kustomization.yaml (100%) create mode 100644 manifests/type/gating/shared/encrypt-secrets/cleanup/kustomization.yaml create mode 100644 manifests/type/gating/shared/encrypt-secrets/cleanup/patch.yaml create mode 100644 manifests/type/gating/shared/encrypt-secrets/encrypt-ephemeral.yaml create mode 100644 manifests/type/gating/shared/encrypt-secrets/encrypt-target.yaml create mode 100644 manifests/type/gating/shared/encrypt-secrets/kustomization.yaml create mode 100644 manifests/type/gating/shared/update-secrets/fileplacement/filepaths.yaml create mode 100644 manifests/type/gating/shared/update-secrets/fileplacement/kustomization.yaml create mode 100644 manifests/type/gating/shared/update-secrets/kustomization.yaml create mode 100644 manifests/type/gating/shared/update-secrets/template.yaml delete mode 100644 manifests/type/gating/target/generator/fileplacement/filepaths.yaml delete mode 100644 manifests/type/gating/target/generator/fileplacement/kustomization.yaml delete mode 100644 manifests/type/gating/target/generator/kustomization.yaml delete mode 100644 manifests/type/gating/target/generator/secret-template.yaml delete mode 100644 manifests/type/gating/target/importer/fileplacement/filepaths.yaml delete mode 100644 manifests/type/gating/target/importer/fileplacement/kustomization.yaml create mode 100644 pkg/document/plugin/templater/extlib/kyaml.go create mode 100644 pkg/document/plugin/templater/extlib/kyaml_base.go create mode 100644 pkg/document/plugin/templater/extlib/kyaml_base_test.go create mode 100644 pkg/document/plugin/templater/extlib/kyaml_test.go 
diff --git a/docs/source/secrets-guidelines.md b/docs/source/secrets-guidelines.md
index ca77b5d74..bc87a002c 100644
--- a/docs/source/secrets-guidelines.md
+++ b/docs/source/secrets-guidelines.md
@@ -3,16 +3,61 @@ Airshipctl consumes site manifests in order to deploy k8s cluster or update its configuration. All manifests must be stored in the SCM system: e.g. git. For security reasons this data can’t be stored in plain-text form. There are several tools that may help to handle the complexity of dealing with encrypted manifests. One of them is [Mozilla SOPS](https://github.com/mozilla/sops), which was selected to encrypt/decrypt Airshipctl manifests. -Airshipctl has a standard approach with introduction of VariableCatalogues as a configuration source and kustomize Replacement plugin which must be used to put the values to different yaml documents. Different secrets such as passwords, keys and certificates must be presented in VariableCatalogues as well. Some of them can be ‘externally provided’ - e.g. ldap credentials are typically created in some external system, e.g. Active Directory and k8s cluster just has to use them. Other secrets may be ‘internally generated’ - e.g. several Openstack-helm charts may want the same Keystone password and if not a single external system doesn’t need that password it can be generated by Airshipctl. +Airshipctl has a standard approach with introduction of VariableCatalogues as a configuration source and kustomize Replacement plugin which must be used to put the values to different yaml documents. Different secrets such as passwords, keys and certificates must be presented in VariableCatalogues as well. Some of them can be ‘externally provided’ - e.g. ldap credentials are typically created in some external system, e.g. Active Directory and Airshipctl just has to use them. Other secrets may be ‘internally generated’ - for example several Openstack-helm charts may want the same Openstack Keystone password and if no single external system needs that password it can be generated by Airshipctl rather than provided manually. 
+ +There can be different use-cases where the user may want instead of generating secrets to set it manually. That means that Airshipctl should allow the user to 'pin' some specific secret value rather than generate/regenerate it even though the default intent for that secret was to generate it. + +Secret regeneration typically happens periodically, e.g. according to some internal policy passwords must be re-generated on yearly basis. Airshipctl should allow user to split secrets into groups that should be regenerated each period of time. + +If some master key, e.g. PGP or AGE was used to encrypt secrets, some internal policies may define when this master key must be rotated. Airshipctl should allow user to easily re-encrypt the existing secrets values with new key without changing that values. + +Lastly in some Treasuremap reference sites several clusters may present, e.g. ephemeral, target, lma-subcluster, wordpress-subcluster &etc. Since different people may need access to different clusters it leads to the requirement to have cluster-specific set of secrets that has to be encrypted with its own master keys and operations on secrets per cluster may be performed separately from other clusters. + This document is dedicated to the explanation of the technical details on how it’s currently done in Airshipctl and its manifests. +## Secret documents structure + +Due to the need of updating parts of documents periodically the encrypted document has the following structure + +``` yaml +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + labels: + airshipit.org/deploy-k8s: "false" + name: secrets +secretGroups: + - name: groupName + updated: "2021-06-07T18:01:50Z" + values: + - data: encryptedData... + name: encryptedDataName + pinned: true|false #optional +``` + +This structure allows to split data into groups each of them can be regenerated/updated separatelly. 
For that purpose it has `updated` field timestamp that is getting new value when regeneration of group is happening. Each group has an array of values. Each value has a name (should be unique in the group), data field and also optional flag `pinned`. If the value is pinned, its value isn't getting updated during regeneration. That may be helpful to flexibly switch between 'internally generated' and 'externally provided' secrets. `pinned: true` will work as 'exnternally provided'. + +Airshipctl will encrypt only field `data` and that will allow to monitor all other parameters without knowing master keys for decryption. + +## Secrets document location + +As mentioned above there is a need in some cases to restrict access to some cluster for some people. E.g. tenant cluster manifests can be accessible to one set of users and target cluster that hosts several tenant clusters should be accessible by another people. Some people may be in both groups. + +Due to that need the current manifests structure has a place for public keys that should be used to set the list of people who may decrypt that data after it was encrypted. This is defined by the set of public keys, defined in `manifests/site/test-site//catalogues/public-keys/kustomization.yaml` in each cluster, e.g. ephemeral, target, etc. + +There is a place for private keys as well: `manifests/.private-keys/kustomization.yaml`, before work user can copy his key to my.key or to change that file to use another file. This private key will be used during data decryption in addition to the values from ENV variables that also can contain keys: SOPS_IMPORT_PGP and SOPS_IMPORT_AGE. + +The Variable Catalogues with secrets can be found in `manifests/site/test-site//catalogues/encrypted/secrets.yaml`. +When encrypted with sops Variable Catalogue contains info who can decrypt that data - it's located in the sops field that is getting added by SOPS krm-function. 
SOPS krm-function used in order to encrypt and decrypt data in airship. + ## SOPS krm-function overview Airshipctl uses kustomize along with different krm-functions that extend its functionality: -Replacement krm-function that is needed to avoid duplication of data in documents -Templater krm-function that is needed to produce new yaml documents based on the provided parameters. +* Replacement krm-function that is needed to avoid duplication of data in documents +* Templater krm-function that is needed to produce new yaml documents based on the provided parameters. + There is a standard catalog of [krm-functions](https://github.com/GoogleContainerTools/kpt-functions-catalog). -It includes the standard krm-function: `gcr.io/kpt-fn-contrib/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the example configurations that can be used to encrypt and decrypt the set of [existing yamls](https://github.com/GoogleContainerTools/kpt-functions-catalog/blob/master/examples/contrib/sops/function.yaml). +It includes the standard krm-function: `gcr.io/kpt-fn-contrib/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the [example configurations](https://github.com/GoogleContainerTools/kpt-functions-catalog/tree/master/examples/contrib/sops) that can be used to encrypt and decrypt the set of existing yamls. Please note that to make that krm-function work it’s necessary to provide the following ENV variables: 
@@ -29,19 +74,25 @@ The gating scripts set that env variables [here](https://github.com/airshipit/ai Templater krm-function allows users to call [Sprig functions](http://masterminds.github.io/sprig/). Sprig has a set of [functions that may generate random values, passwords, CAs, keys and certificates](http://masterminds.github.io/sprig/crypto.html). If it’s not possible to use the standard set of sprig functions for some important Airshipctl use-cases, it’s always possible to extend that set of functions: the latest version of templater krm-function introduces [extension library](https://github.com/airshipit/airshipctl/tree/master/pkg/document/plugin/templater/extlib) where this can be done. The set of already added functions can be found [here](https://github.com/airshipit/airshipctl/blob/master/pkg/document/plugin/templater/extlib/funcmap.go). -The example on how to generate different types of secrets with templater krm-function may be found [here](https://github.com/airshipit/airshipctl/tree/master/manifests/function/generatesecrets-example). +The example on how to generate different types of secrets with templater krm-function may be found [here](https://github.com/airshipit/airshipctl/tree/master/manifests/function/generate-secrets-example). + +Starting Kustomize 4.0 transformer plugins are allowed to generate additional documents (before that it was prohibited by kustomize). It is also now possible to remove some of the documents in transformers. Airshipctl templater krm-function has been rebuilt to support that model as well - it now can be used in `transformers` section: +* in order to get RW access to the already existing documents that kustomize provides to templater called from `transformers` section 2 new functions were introduced: `getItems` and `setItems`. 
+* `getItems` and `setItems` work with [kyaml](https://github.com/kubernetes-sigs/kustomize/tree/master/kyaml/yaml) objects and because of that the additional subset of [kyaml-related functions](https://review.opendev.org/c/airship/airshipctl/+/794887/25/pkg/document/plugin/templater/extlib/funcmap.go) was introduced to manipulate kyaml-representation of documents. + +Due to the requirements to encrypt different subclusters with different master keys it is necessary to have VariableCatalogue with secrets per site. + +During the implementation of our working transformer it appeared that we needed go-template function feature. Templater now implements `include` function like in helm charts. Before run it scans all incoming documents and loads all functions defined in documents with apiVersion: `airshipit.org/v1alpha1` kind: `Templater`. Essentially the set of steps that airshipctl must perform when it’s necessary to generate/regenerate/import new set of secrets is the following: -1. Either: - -- Run templater that produces VariableCatalogue yaml with generated parameters -- Just import the yaml document with the existing external credentials. If the document doesn’t have the required structure it’s possible to use replacement transformer to move the needed values to the right places of the required yaml - +1. Load 2 already existing VariableCatalogues: with encrypted secrets and with data it's necessary to add to that encrypted VariableCatalogue (let's call it import-data) +2. Decrypt encrypted data using Sops krm-function +3. Use templater krm-function that will perform update operations. Update operations will include: merge import-data with decrypted secrets, check if some data has to be regenerated (unless it's pinned), merge regenerated data with decrypted secrets. 2. Use Sops krm-function to encrypt the yaml 3. 
Store the encrypted document in the document module of the site -[This phase](https://github.com/airshipit/airshipctl/blob/master/manifests/phases/phases.yaml#L232) performs that steps. +[Secret-update phase](https://review.opendev.org/c/airship/airshipctl/+/794887/25/manifests/phases/phases.yaml) performs that steps. The following steps are used during standard procedure or yaml rendering for other phases: Kustomize reads the encrypted VariableCatalogue @@ -57,11 +108,9 @@ In order to implement all that functionality it was necessary to introduce a new Krm-functions accept a set of yamls and config as input and return a modified set of yamls. GenericContainer executor may just output it to stdout. Or it may store it as `kpt fn sink` does. -In particular we’re using the second option to store our generated and encrypted yamls to the specific place from which other manifests will take [that file](manifests/site/test-site/target/encrypted/results/generated/secrets.yaml). +In particular we’re using the second option to store our generated and encrypted yamls to the specific places from which other manifests will take [ephemeral secrets file](manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml) or [target secrets file](manifests/site/test-site/target/catalogues/encrypted/secrets.yaml). -There is a way to provide external secrets, that shouldn't be generated. That secrets must be stored in encrypted way in [another file](manifests/site/test-site/target/encrypted/results/imported/secrets.yaml). - -As it’s possible to see [encrypted kustomization](manifests/site/test-site/target/encrypted/results/kustomization.yaml) performs decryption using sops krm-function. +As an example it’s possible to see [target kustomization](manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml) performs decryption using sops krm-function. # Step-by-step Operator instructions 
@@ -136,7 +185,7 @@ This will decrypt the file and will open it in the editor. It will be possible t ## Generation/Regeneration and encryption of secrets in manifests -Now when we have all the information about what is going on under the hood, let’s see how Airshipctl automates generation and encryption. +Now when we have all the information about what is going on under the hood, let’s see how Airshipctl automats generation and encryption. Note: This section will require the reader to understand how kustomize works in very good details. The good start will be the official documentation, but that may not be enough. 
@@ -153,84 +202,117 @@ Let’s start from the secrets generator. To run it it’s just necessary to run the phase: ``` -airshipctl phase run secret-generate +airshipctl phase run secret-update ``` -And it’s done each time we run integration testing in CI in this [file](https://github.com/airshipit/airshipctl/blob/master/tools/deployment/23_generate_secrets.sh). +This phase accepts parameters via env variables: +* `FORCE_REGENERATE` - accepts a comma-separated list of periods that must be regenerated, e.g. yearly,monthly +* `ONLY_CLUSTERS` - accepts a comma-separated list of clusters inside site that must be regenerated. This is helpful when the user has keys only for 1 subcluster and wants to perform update operation only for its secrets +* `TOLERATE_DECRYPTION_FAILURES` - should be `true` if `ONLY_CLUSTERS` option is used. -This phase creates the bundle by running kustomize for `target/generator` inside the site directory. And that kustomization through a special directory that allows to override template values runs the following [templater](https://github.com/airshipit/airshipctl/blob/master/manifests/type/gating/target/generator/secret-template.yaml). +The following command is done each time we run integration testing in CI in this [file](tools/deployment/23_generate_secrets.sh) to regenerate all groups: -This config file defines the following structure of VariableCatalogue: +``` +FORCE_REGENERATE=all airshipctl phase run secret-update +``` + +This commands updates all secrets in the following locations `ephemeral/catalogues/encrypted/secrets.yaml` and `target/catalogues/encrypted/secrets.yaml`. Here is the way how it works: +* it gets already decrypted documents by taking kustomization results from `encrypted/get/kustomization.yaml`. +* it also import-data encrypted/update/secrets.yaml. This file contains diff user wants to apply to the encrypted data. 
+* it executes templater-based transformer from manifests/type/gating/shared/update-secrets/template.yaml and it performs all magic (see below). as a result it produces unencrypted updated secrets catalogues, cleans up import-data and sets `config.kubernetes.io/path` annotations (see below) so the files can be stored by airshipctl to the right location. +* the resulting bundle is encrypted by genericContainer executor and getting stored by the location set in `config.kubernetes.io/path` annotations. + +Let's look closer into the [templater](manifests/type/gating/shared/update-secrets/template.yaml) that does the whole job on generation. It can be redefined for different site types to incorporate templates for subclusters. + +The template contains definition of functions that define how to generate each section of secrets, e.g. + +``` + {{- define "regenEphemeralK8sSecrets" -}} + {{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }} + {{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}} + values: + - data: {{ $ClusterCa.Cert | b64enc | quote }} + name: caCrt + - data: {{ $ClusterCa.Key | b64enc | quote }} + name: caKey + - data: {{ $KubeconfigCert.Cert | b64enc | quote }} + name: crt + - data: {{ $KubeconfigCert.Key | b64enc | quote }} + name: key + {{- end -}} +``` + +It also contains the code that finds the document with secrets and document with imports for that particular subcluster. E.g. 
for ephemeral subcluster it's: + +``` + {{/* get combined-secrets yaml and exclude it from the bundle */}} + {{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}} + {{/* get combined-secrets-import yaml and exclude it from the bundle */}} + {{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}} +``` + +As we can see some inbuilt kyaml functions are used for that purpose, e.g. `KOneFilter` - it applies the filter defined in the second parameter to the input bundle taken by `getItems` function. The filter ensures that in the resulting documents ther will be documents that have `metadata.name == combined-ephemeral-secrets`. Also we see that the filter is getting generated by go-template function called `grepTpl`. It's stored in go-template module, its implementation can be found [here](manifests/function/templater-helpers/secret-generator/lib.yaml). SetItems is used to exclude found documents from bundle - because this template add its own document with the same name, that contains all merged/regenerated data. We see that below: ``` apiVersion: airshipit.org/v1alpha1 kind: VariableCatalogue metadata: + annotations: + config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml" labels: airshipit.org/deploy-k8s: "false" - name: generated-secrets - ephemeralClusterCa:... - ephemeralKubeconfig:.. - targetClusterCa:... - targetKubeconfig:... - isoImage:... + name: combined-ephemeral-secrets + secretGroups: + - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }} + - {{ include "group" (list . 
$combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }} ``` -Please pay attention to the annotation `config.kubernetes.io/path` - it defines the name of the file where this document will be stored by phase. It’s possible to define several VariableCatalogues with unique names of files (it even may contain directories). - -When this template is executed it generates keys/certs/passwords and renders them as a Variable catalog with the name `generated-secrets`. - -Please pay attention that the special annotation `config.kubernetes.io/path` is getting added in the fileplacement transformer - it defines the name of the file where this document will be stored by phase. It’s possible to define several VariableCatalogues with unique names of files (it even may contain directories). +We see that the body of groups are generated by the go-template function `group` that takes care of mering previous values of secrets with data from imports as well as about regeneration of data when needed by calling another function provided as the last parameter. The implementation of this function can be found [here](manifests/function/templater-helpers/secret-generator/lib.yaml). Now if we refer back to the Phase description we’ll see that it’s type is GenericContainer with the name `encrypter`. 
The definition of that executor is the following: -``` -apiVersion: airshipit.org/v1alpha1 +```apiVersion: airshipit.org/v1alpha1 kind: GenericContainer metadata: name: encrypter labels: airshipit.org/deploy-k8s: "false" spec: - sinkOutputDir: "target/generator/results" - image: gcr.io/kpt-fn-contrib/sops:v0.1.0 + type: krm + sinkOutputDir: "./" + image: gcr.io/kpt-fn-contrib/sops:v0.3.0 envVars: - - SOPS_IMPORT_PGP - - SOPS_PGP_FP + - SOPS_IMPORT_PGP + - SOPS_PGP_FP config: | apiVersion: v1 kind: ConfigMap data: cmd: encrypt - unencrypted-regex: '^(kind|apiVersion|group|metadata)$' + cmd-json-path-filter: '$[?(@.metadata.name=="combined-ephemeral-secrets" || @.metadata.name=="combined-target-secrets")]' + encrypted-regex: '^(data)$' ``` -Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.1.0` with configuration from `config` field and stores the result to the directory `target/generator/results` based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/` will contain encrypted yamls. To make that work the user will need just to specify 2 environment variables: +Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.3.0` with configuration from `config` field and stores the result to the directory `./`(root directory of the current site) based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/` will contain encrypted yamls. To make that work the user will need just to specify 2 additional environment variables: - `SOPS_IMPORT_PGP` - `SOPS_PGP_FP` -There is another a separate set of secrets that are provided externally and that shouldn't be generated. They're called `externally provided secrets`. 
-For that set there is a separate folder in the target/encrypted/results, called `imported`. - -There is a special phase called `secret-import` that may be used to update the set of externally provided secrets: -just put a new unencrypted secrets.yaml to target/encrypted/results/imported/ instead of encrypted one and run that phase. -This phase will encrypt that file using provided public key set by `SOPS_IMPORT_PGP` and `SOPS_PGP_FP`. - -Note: if you try to run this phase for already encrypted secrets.yaml this phase will return error saying that file is already encrypted. +Combination of different parameters provided via env variables can be used in different situations. For instance that allows to regenerate everything, regenerate only some secrets, regenerate only secrets for one subcluster, reencrypt only one subcluster without regeneration and etc. Some examples may be found [here](tools/deployment/23_generate_secrets.sh) as sanity tests. ## Decryption of secrets and using them The current implementation of manifests doesn’t require explicit decryption of files. All secrets are decrypted on the spot. Here are the details of how it was achieved: -All encrypted documents are listed in the [following kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/encrypted/results/kustomization.yaml). -This kustomization file performs decryption by invoking `decrypt-secrets` transformer, that is just a sops krm-function configuration that decrypts all encrypted documents. +Cluster encrypted documents are listed in its catalogue, e.g. [target secrets](manifests/site/test-site/target/catalogues/encrypted/secrets.yaml). +[The kustomization file](manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml) performs decryption by invoking `decrypt-secrets` transformer, that is just a sops krm-function configuration that decrypts all encrypted documents. 
Note: we made a special kustomization for decrypt-secrets configuration just to be able to modify it a bit depending on the environment variable `TOLERATE_DECRYPTION_FAILURES` value. If it’s true we’re adding parameter `cmd-tolerate-failures: true` to sops configuration. Once decrypted that VariableCatalogues may be imported as well as other catalogues. E.g.: -See [this line in the kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/catalogues/kustomization.yaml#L7). -And it’s possible to use their values as a source for replacement transformer. E.g. [this replacement plugin configuration](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/kubeconfig/update-target.yaml) updates fields of kubeconfig in order to put there generated keys/certs. +See [this line in the kustomization file](manifests/site/test-site/target/catalogues/kustomization.yaml#L7). +And it’s possible to use their values as a source for replacement transformer. E.g. [this replacement plugin configuration](manifests/site/test-site/kubeconfig/update.yaml) updates fields of kubeconfig in order to put there generated keys/certs. To get even more familiar with that approach and understand all details please refer to the [following commit] (https://github.com/airshipit/airshipctl/commit/a252b248bcc9be2c8aca6f544f99541dce5012a3). 
@@ -250,7 +332,7 @@ There are 2 different approaches that may be used: Both approaches are possible taking into account that fact that SOPS allows you to have several private keys to decrypt data and it selects the needed one automatically. -Nevertheless for the sake of simplicity we're currently implemented the first approach in our manifests. There is a phase called `secret-reencrypt` that allows to perform master key rotation. +Nevertheless for the sake of simplicity we're currently implemented the first approach in our manifests. There is a phase called `secret-update` that allows to perform master key rotation. In order to do so please follow the following steps: @@ -264,7 +346,7 @@ Note: please make sure you know the fingerprint of the newly generated key. 2. append the env variable `SOPS_IMPORT_PGP` with the new keypair (don't delete the previous one at this step, because it's needed for decryption). 3. set the env variable `SOPS_PGP_FP` to the value of the NEW private key fingerprint. That means that the new key will be used for encryption. -4. run `airshipctl phase run secret-reencrypt`. make sure it runs successfully. +4. run `airshipctl phase run secret-update`. make sure it runs successfully. 5. check that all encrypted files were updated and that pgp.fp field for all of them equal to the value you specified in `SOPS_PGP_FP`. 6. now it's possible to delete the old master key from `SOPS_IMPORT_PGP`. Once done it's possible to run `airshipctl phase run secret-show` to ensure that the keys will be decrypted properly. 8. commit the changes to the site manifests. diff --git a/manifests/.private-keys/.gitignore b/manifests/.private-keys/.gitignore new file mode 100644 index 000000000..c996e507d --- /dev/null +++ b/manifests/.private-keys/.gitignore @@ -0,0 +1 @@ +*.key diff --git a/manifests/.private-keys/exampleU1.key b/manifests/.private-keys/exampleU1.key new file mode 100644 index 000000000..cf56d04ee --- /dev/null 
+++ b/manifests/.private-keys/exampleU1.key 
@@ -0,0 +1,58 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQOYBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ +wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ +6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl +3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA +d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN +ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAEAB/0Z8kQSlkzE97QhXm0g +/PQuaVCdY9UJeSMBXTvDZhBhAcLf6yZLStq1uz4sIiWm6+ZcX8mXQ9b90fMceoaK +sVxiYYaEcCXgu5zcuMTu8xRWK30bzjkARrDjEByZFNLrr/yzO3KKWvdVAToou77N +xLxct4df+46vEMs/DOulDUkxBOjlkprlq8xSG/6vuo7rJKUylsS4s5+y+EJCfm0m +8C94IIOt42ANObDUziUHCFNhCKSUs92rL7HXfcMG6L16UrSpJ3yLNvTI34PgRydv +ppu6DAFNeqsJ6oINSWXEqjfMHK7Ly9oyF2bkB2VKoapAdz6YGJydrODhFrThcuJk ++pY9BADKnXtYvDRPoTsfRYgZewtBxf3ccGUjoS9YCC3salWuPEWnal2yI0YRwZNE +iirOFGKH6jh/fxtFZNPXuYb7MJzFqVOcARz6USCvR1va2kMZzQEOKwxOXqIYYMVh +Uwz9++QugqcBLHw9YUFmH/DsRaL4zP4H8cX5O1TALFo3aC/EHQQA5VzUDupcpRLP +gF6dCgT2GyajgRoUFU7Brq82+HJDBDhHMB+3VWJhsC9DkTMh/RtPOuLb41K0OZ// +acoXo0QjsLsBx+hNqWC0oosqaoXiUyhbmEukvlURm5uHThX9n5BZIKhiCft/NYNO +yb+OBgYFHN11BMUVyhMR7be2mlJ4EMMD/jd9WQIoHQQ6BKMNOlc6BGu4KsMv/+fF +KV4xnJKrWjJxwri0FsOYLS2qkgbSAXjxLqZWx4UylmJh1HSAyjTghY0zQEf2oDKd +0DKN8Y42aawh1AolIfDbYOampw5tBzI2/WYOksGRFCwjCidL3pNd03W9dBmNbBRc +tVKLG/kt4JwCL0y0U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMSAoaHR0cHM6 +Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+ +iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwMFCwkIBwIG +FQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJzgbTDcQf7Bp7e2zY9pBBXTgDASQl3 +1SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDlobc6O8/06foxWctTUaaciPBo2+je +WFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91rvta2wYF1XJBgxpui9aLICsCptFN +IRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+ERtmvmisiE/m20UpbYRmkBJy25c89 +Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+DZBIpryi0xQqExGAlYqck7G03F+AD +7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo1pp3gBU4swds9yO9wNe12JY/M5A/ +BJ0DmARdaEFdAQgAtun8JhSpNAKvOXwWX2nFhnMXTJp4viMhlAZEdmMXEi27B2DM 
+/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpChvRaGuCOpYqOuSQvD8FnX0NgQULwu +TZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUnPgyAIESajPdowEkEjdYt261fGOLL +cVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9DveBUBQGdqkgWXjS5BKcae07viC6x +Ma9AJS4pizyDALB2k0HQOelZNihOGXYUuvkcs2Fivl0Tk3OCfH9XDvFehbYRHmkR +DoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp19QARAQABAAf7BX7YLYi3YLGn9BEv +VuSFo7l3fLyzXfsOOjVJ/0iQ2+H12Y3l+ssi4eCntb40IjDMIHv5JwjfKNSfUwkn +5diMk3LGz2d64lTKmrU4yNLaMhMbwmE0/u4JOPoXbJZWLd3lyBeTpTiY3R9pgG8V +IGfA+xNDEjUdc5jHU+edtGk37X6l6uL3OANS/MyTRdVNr28Gv/upXmJs/NbvTost +1hsU89gaDjkfsWhdhiuCHR9bqoyot/Vgvpt1NxzfV4SQGVFeph8yCGvSRBS8zXuZ +FtmzACs0j2aOMSucAGogEoD158OpXSNfdmZ1nCswlo1yqP6+ir8mr2DTRgMtxPQa +N49b4QQAxVTwRZ6+qiSCz/GJPq7qASGG4RIr87gPzxaHmznQhKIx6LEMjX/+NU6c +94A8aZY/oN7f3rr8apIA+cAHbAwFGpbc7ke1Cgy/m/eJZNUxWPT/YBjZ4V+41Uat +viGrbmS9B4QulOpF2Ng6LcOc4dggxTPAW/CYd5T2FImr1qYjjWkEAO1Lss00LY5o +5I4QqgM0OeeBEOO8LiSDmjKgOvtsmJ6+dA4x3rYgI8smFMsvtyrcb75k6EdZazgN +YSI4sU3WceWbrtdVr1glP38CBMupnFvg8KwbjSFV8vNqVBHCXShUxnHmlOW+UVqy +CxjJf0RTOhLEY5DIRwQB0H8P30dYOfatBADaGIbs/6+1RulKpHwW/c3+XOlaTZrT +UhNjuccj7Y9IspYD+6crNkQvAri60AoDfIiO5aTk8rSYpGwB1vEmnUVmNPvRF958 +GV3pyCOv/pkmnpS+4w+akiJsSHX3jqqp5fb/xd6ukUX95VgSymuJ+ya49G8B0jj6 +bw7B4S2M39+Xdkg2iQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1o +QV0CGwwACgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFr +rydYItTEhxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNH +g7VUpSSaiTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNH +NfM+kLAiUPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4 +ZG6FybJtcjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLD +gLk//M3qDixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== +=VjGL +-----END PGP PRIVATE KEY BLOCK----- diff --git a/manifests/.private-keys/exampleU2.key b/manifests/.private-keys/exampleU2.key new file mode 100644 index 000000000..b44e397fe --- /dev/null +++ b/manifests/.private-keys/exampleU2.key 
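Review bot: exampleU1.key is a PGP private key committed in clear under manifests/, and exampleU2.key and exampleU3.key in the next two hunks are the same kind of material; the user-id packets appear to decode to the publicly published SOPS functional-test keys and a "tenant@tenant.org" test key, so any catalogue encrypted to these keys has no confidentiality at all. They land in the same commit that adds `*.key` to manifests/.private-keys/.gitignore, so they must have been force-added, which undercuts the ignore rule's purpose for this directory. I would move the sample keys out of manifests/ into the test tooling (the sanity tests in tools/deployment/23_generate_secrets.sh that the docs hunk references) and, wherever they end up, add a README line such as `# Publicly known test keys: never encrypt real site secrets to them.`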
@@ -0,0 +1,34 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQHYBF1oQYgBBADPuVP6Jdk/J/TbNa9dXirp/zzwK18ZqNudNqQGN3H+2aSgxXwL +wlRfzy7rB3CU6Ewjzk9EVYeYztTIkGHL0JZ1CCTiBJArlHO0bHQQ7CPeKPkhIhkj +eA8yu9dcU77oYC2xbwgf43KYzfMKSGEybg+sBO+bH+Y6paJK54V2cuS3GwARAQAB +AAP+Jjf5BXtVP1OAr5xvCYS77JWzhpTUSIpS7dgR0br91GAC9DmhmyBEGeSqwz95 +LUyYRbY9y1rZOfpEGCrIc5GLPOQytO9XMIzaS3dpzfGhla/spaKN4vJDvIOl+ruT +bInDdCRSmqXCfm2478OhOquc0H0a46eSmoaYeKdE3E8QZiECANxUL/dFk5j8NyPo +ZcwXw9Mv0A8UrynRcqht3Scti9k7dbsHylcObM305LFdcoNnSfNAIJhxfjbiXyGW +vwT2/qMCAPFatq3gvVjy6wKKylioi5cVwbLv9L+OaRXdR/Dy2bh/t3ujnsliV4+R +f7k3rHOQeaMLTnyfcz8AenL5IOe8RSkCANFpBgyzxCcV48Mm+FWDxjrSJ4/msRnN +gxqAPRrdpm7e1uebtBkPh4ch4oCW5/lLsRN23LUVIXYJRwyFfRjehCio0rRTU09Q +UyBGdW5jdGlvbmFsIFRlc3RzIEtleSAyIChodHRwczovL2dpdGh1Yi5jb20vbW96 +aWxsYS9zb3BzLykgPHNlY29wc0Btb3ppbGxhLmNvbT6IzgQTAQgAOBYhBNcikEM4 +S8xgMmxvudhyDZV8PTB0BQJdaEGIAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJENhyDZV8PTB0R2cD/2YwaJ43iGueaAzByFnl+mUEBQJ4HhH4p7BIdx6B9AjE +3yLe8I4dqqYXxyZzaJ9d+KiqxJBT0l1GXt3H5M32yDJZqzXB9PTWP3yx8+Q1CuCs +7EL/bhJD1/sLdumVc77bmQtcI9NSiYyPzN/2ZqtV5RU14Loh24VFEjuHGvO0jI3+ +nQHYBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwVZKe1 +D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ04Or +BjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwARAQAB +AAP+L0wUQeOfsD0+gv8khyPJTJZOD1pxQ6NYKLcXF8rG0+vQnECha098YKNKAXTp +kfVU8795iQYIKcQQ6Hl2O1fj1AxJE/iZYrqfm7UZz3bQ7ROSsAEPZ5GDOjKfbwsz +E6bWVH+PhS1azlvtTs9JezUtK0Wl9s+81FOrZtnUUskmWtECAMNNs9ujUt6GHv/J +NXVaSmk1z8QXitPHbAJLDMj4xVDysJWZV95eplC+RUSiLz5HeP2AQgh1D9Rv2bA5 +c7OcJ3kCANOEkA0hVpXCI0FKrsihOf0NUOaAtS6CQNFlaIkrLwssJQY8pGYbRfRa +3krNJPyOlXmezV2/CsX3EqA9KXXen5cB/iSmMJO4WndGJTe7YzUEnnY/P2TKg1fN +s6v5Lf39j5Ll8V5rVDT7ApAw0IKS8fzpbdHP0HcizutlF6l44YaAXMGfhoi2BBgB +CAAgFiEE1yKQQzhLzGAybG+52HINlXw9MHQFAl1oQYgCGwwACgkQ2HINlXw9MHTD +HwQAv+ui718AT2hw2pK9JaNuTxjllrH+KPMlrov0P8oXHPCohC5cxM5sJ6tCQ0qH +XyeWoDE8V31btqFVAQyrr0wy0gntl1L/trnwMHoP8a/xa0RHNk5C7hmcuhTHbQey 
+JNbiRJZpCIZ1OyrF17+q6u9YBPjwqp8KrJ/0ryy2kyb7ZRM=
+=+tJ6
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/manifests/.private-keys/exampleU3.key b/manifests/.private-keys/exampleU3.key
new file mode 100644
index 000000000..36ecff291
--- /dev/null
+++ b/manifests/.private-keys/exampleU3.key
@@ -0,0 +1,82 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQVYBGDfWUMBDAD0nxvYUqZiUioXYFbQXDKhzVPLTo8mUY9YNZQzrcuspP3XKja1 +B4v7PwMPeqkLS86n/lK9JOZh2AMe2fhKYdp+Rtoz+7ARVl9QzkQEjcILM88wJOTg +i/VwK/rCWKduns8NASSE8vZrFI4pvS1nrf5BNotArSCdHsuGhFvqk+BoId1Z7ykX +VC44CcR7ePEDVWnff0XRgiPxEMuHT9HlaFZig/aBZz2GUSuuu7n5dvQCKtZGiLPN +4KpCoXh4atgGSnAeuhVFYeonMdhQsrPFRHyT/ITutsEsu+sAklT9IcaUM6/LIjXc +hVOgePJWtwA1wqBNmKn6vriGiFaFHCun5BSQq08pty78yvL1AwqrIKPv1lPGXcn4 +RlNNgG4F3G3qpxviwq3QVuYn08EWQh465Giin1EO53LeGLMajB1FIKNxyMgkV/n7 +O1cJjoRbm0veboIJYFkRd7t7SjOStPxGiFrP1MvyQ1nkexETQoYd2hjLLJTjORWX +qXdLQFPSLcTQ0iEAEQEAAQAL/j1++FWQJZLnG/zHc9uqqfHiN/QO2k7kRxiCU7EQ +Onk6+zOJwboN3SN66k6MZA3ab2ftOCijq6UiVFp/qnsskWyYbEeQOOmK4KhkSlYo +uwTs7+OnCsDmfnvGGqKb/e+BzgRzapZfrBIsVzbn/4+mfpovV5+ZRm8pbDnzcVYN ++ebDyK1QwfBC8eGVlwcBVvmjEdwlV0x9noJ+WeQ47UfyTHE0wpYyeZWYN1aUjALK +ZDpdQYP23tjdZ4Abrrj7BzbBpGNI8Qk9E1eiuvGaqxoJI4suCCEgLSA96ksKa98f +01TUs5betS9Q65CH/ZnTsYDfNNRgxb7jX3Krm9QcyFydiwsvmUZiZhFGQkEd0vaC +ozkPqXAKXlsH1c27kW/fmCUFkXgZVtBhinQGPi//Ett8nxXZmbCOMZb5rJHrlSpc +YGR8VfWCPiNL6rYnQGMyg3TZbNHVXA4WymSO9kqISwvBat8qVv+NhMw/lCPGZzz3 +YgomC5GctDX/Q1esP96NOLp9pwYA95/Ks7YaH2nisczsA6RI7a+7zt8vGrmv4Lkw +4f9fJXh1a8P7xrKAJ7fd8uK15fevSi/dcasvUWIoGqC3/+bn5V+78ujnRPHJedGK +9ZqG7DpHrtZ/2uc0bvS83z/H13v8dSqBGq8/h1ydeoL7Lb8uM8BxUp9DKEWHuwyb +waOyHGDKugj+Y8rsroMnAT8B7LNfy7A0dtw8MOs0dh9cxylen/tMcVp67VzKPTHZ +8PvtrjqzX/18D5WaAVzeBS7qKO4jBgD85VEFuXI3EBI0sSwlSMJZAvtnVCT2U6SX +PZbY6EyuWiN/yLGmySfGa9HB0rs4G/ZfaNv0Y6NXnK7/w5SjPlbeDHGg4+r5v6Pa +vJaJjJTVgmq9ZurQBu+b15H9ZXLr1oByOFQWec7UuaOvrZi2ru1HSrdlVPbcbO1d +xV1LftOgbdFN/qfZAnOJouaKbfYQNAq0TdeW62MlNrNS9YwK/YUF4qXEofrqF2Uf +WbmuFPLFXr7/8jUqw2D/1vWBNtWAaOsF/iD7XhEBiiZeXvh+b/1B2SDcBJLM+J+s +9sf+rIAoTuuBLQWzPRk0l1PLuaL07LpsV63zegM5PjL+cwRRUTOtI5t+YGF2yjh3 +hKehEBtZU6Co8kMdevYk5DkHk4gQlLrL54PH9rAVUnsioBP+sxt7CPTydDax6jW6 +h1aLEJkLdchF2h8AW1shevsQntrElciZ3hZencfEi9nzTpJG9a9gTle3DXrdVrR7 +vWiM8lWkSkg0Zxh9+94At+Mim9VSQlmbhPfetDR0ZW5hbnQgKHRlc3Qga2V5IHRv 
+IHRlc3QgdGVuYW50KSA8dGVuYW50QHRlbmFudC5vcmc+iQHOBBMBCgA4FiEEncb7 +vbOAHk4RRAFxOJWaVTIrxksFAmDfWUMCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AACgkQOJWaVTIrxksHggwArunUmr2YOSLR+E10ooXinjB8/p4Xbz7xLpFtSzKx +pkr3M8yD9QorlHzRj+hdUJi1dON3KMTCJK6LXkpy4pcHPMWeYkpPAZfkhWbkLpjZ +1yUOYVtl6Mn0YnUiZeHukP8yBB+Jz/aL2XGaZzi0xkkIQmdonD6hSeIE7korlRXt +/Kg40gkAbcdbcH9oAS5i4HuU56O2QvEkMl5gl+sIhljL0xhPMY6vQu6QLCz34Ko2 +IFoN0Imjp64ZNqgtQhCWZ0cH2l4zQ2OxBCl+m7QHN2U6AHSmd/v1k1EGWyBeqyKd +73i26NFqKI6Zy7ddXIzQnBR5sHjKbaTLn4aD2ed4sKKtaGpOpT7SxQeXuLCJr7Yv +Z9drdqPoLQaVUBkWmSuD/XwGZ2vKSlo0lOrvPwwyswP5yt/k6xkjA9nfE2NeJbco +vO80oDT1OU9OnxzRbDOqYOx+Qk9jZnv4XgGr+b3JhOILF5ArBIJM6UuG5u2cHH5n +3crE54zLeM3TsV+lmWSY1ri8nQVYBGDfWUMBDAC22+ziDhB+HeOXRBEBsi/ETyMr +EEqKM+ZFFl/cxd12fsM2juu/4n4c9YVJSV25fZ4UMNuYNADLUtC1cDZLrcAQtVMU +1TFoeFtekCW2lXfVwh1yDto1dz65QLjkSwL6a7pETu7SmzAxJ6kB6iEjmMM19fYi +PcQ61l/PWwLwKAgXN3BCbv3mgCQUHh1LfXR+4mt6OXeCUGZfaMEOi8pZOuNqu2se +pGIKsqOQEfdUS6GnA0ZgXDebEDQ2CW04HDr3z9dmpEmSidKbNmgsj0Qn5gaQgm0s +c/XgPEB5jln/tiCHSAiruncA8Q6v26KabWkUS9F4jH/ins0zbavJD+PsuU3+fwQC +GlMdmfb23x+1NftJk3kzKB2BV0XG6Kh28qx3gm0UwcYqrYFBkbZlxWFJRMj7S1f+ +AOBLN7IhZ0dPbaRkleZNgh8OwMURNhaXMB/vqcBPXVDXARwnh3jF++jV85UAw0p5 +Yfyi8Te4gVDsUj2p7giYFNIQg4g3zE6HRIhhMtsAEQEAAQAL/RFGer0qhf1cNoWy +bQbjfibGMTTez6P53j3VrM3PNap9tFShsP0KWU7EFUkEsOGW0AnpSb253/9Vfhk+ +FisVKamKb+RudcIAaOVoqd9zhIRB2AVQCOZ3MwpOZolO2uOsrMbKTD7CYY2rSQjA +xUu3IW4mJBA9FJ5YZWnSF9d3eLg0yRrFoKAXqBDsfWkF260nF+9OoY9CqEFIRMDq +jP3cFeMd/LNC5W5MTS6Nu/ePQ6DjKtFstOYl5EDcqCBebmW+EVsgsT08W/qysjJC +r9ZWq52w6ilAu4tQKodmItS2Hh94gjbbD5w4HFp5jpbIPUy1o3uUkBRcIiqbrFu9 +pgXY/0n6ZrP7TZ40EuHgW1hPnf9i28jCoqKICRR7EOOsF/miPu/5ps4zMyZqF0+7 +7J/dFQ0M27IJVWAiFL7Dg3wg38yGpxwa6UIUoasGn1Kvqju1udkyiV4Bj8cvi7VB +XX+LWiKvnC1+a29vP/wfjShc4w7aIITdA1uJvKOSPGyFTLQiuQYA0v8vuScVJOkP +IjYNeC5AjI5cCXau0ovckXrgzbcfbbXjwax0LNPx4gnJiZHsnGRZqnqUIVCsNpC6 +y460EMT6F04y7K/3rcZykKb/+7KuBFN7uyQbBlMrMpIWNu+wA8h6+HPPXRNf4WNp +YmF9DQER5PIZsaqSuOkQ4E6KDsUkqQXnPJgR48tnQXy6cpg4EVISal+gMWtfPv8x 
+mWUm0meqRJVBiuW9E/tMl8QkoOb/en7VCc19db5Vb/xzUHHmofBJBgDd3F3jfbB/ +WZH6H+cSWdB2Fy05nE55LruJ8VpGJ6e+zwpqnKOS+6jnn7uSR9Uo6cvQIq42mQxt +pMXZI8CiypURJmkUgWy4N4g0jTT4V1ueJuf2pOp4wW1bASdbsbZmnDbcizVDkJso +mbtQSS/uDFBQV29B5VNxtPK23OZdxbav3P/h4ZS5bJSMYOIypuBuZaw+aJxX+sHx +Q4sDHWTXlIfE+gFcXGn8iw96Jn4vly1owR16FEyUxWXU0hwjllFkUgMF/if5utC4 +sJkkBw7TEqyOJP21T5jhpCzGGKKiOcgkqZYsJWO8Uqc3DvfzQnhitJ1CvZPcock5 +DIzwgKvOVXe46tYuMiruAZLDnPObXqlyeMhTlydsfOZirkGLhmxM5yWcZyWW0fAV +TyvbRTpv3pjGa9yVzYnvGcj2RxMsLnWqGDtIusNpSGI6jzIE7xbyHHP8FzX8aK9L +ehdRjmG7wcWtdgafTWyytMGA+dhRAZbbTBtDWWoIXtri+UiuYT1X+97h3OBqiQG2 +BBgBCgAgFiEEncb7vbOAHk4RRAFxOJWaVTIrxksFAmDfWUMCGwwACgkQOJWaVTIr +xksShAwA6H4uJvKV2TqbkOyAYY48MPwsTH+VbpzP8R9ksJ0Yuf1H/6cErurJPkNl +RkVduZmb+yv44zHHXbhs3WBAmaVOUByeWH83qeG89RgDkTAHAYFIkwR9kIQ45AZB +a1XxG8Z697nREiG+jRdy6QtA4l9seu/OaSmFBFFGPx9z7ELyqpJbPYoreh0yLvn3 +NCTrc0i3OXFA3AqI/YbEAPu8tYo1r7q9Z0z1WI4yE46IFfvbIh0z6+VZG8dSAzBb +Q4H1NTlLEp7w6Rqq7krZqK/UIavl9t/ODYNsNJPNh/rQn6112gad9lfGrxSF0gOk +K1Z3LuY0rngERQemtPCmycyKHShL5ZVAZSRMHixZQWZveicX0J6+3tL/06Ryeklu +L/9VPfwZRiDy+EfCI0qdZHy91AvGJRn7R0bzo/jPUFpGmRIeotXQHS9iA9QdLPc6 +d0xPkCSY26ttgavcoh7CIPasfQBYVa8AxdonqMK3lQvGgujZrTBY51wsso9ogSZU +Pc7ofoVT +=ELqz +-----END PGP PRIVATE KEY BLOCK----- diff --git a/manifests/.private-keys/kustomization.yaml b/manifests/.private-keys/kustomization.yaml new file mode 100644 index 000000000..bcf5fd5ed --- /dev/null +++ b/manifests/.private-keys/kustomization.yaml @@ -0,0 +1,6 @@ +secretGenerator: + - name: decryption-key + options: + disableNameSuffixHash: true + files: + - cmd-import-pgp=my.key diff --git a/manifests/.private-keys/my.key b/manifests/.private-keys/my.key new file mode 100644 index 000000000..273455e0f --- /dev/null +++ b/manifests/.private-keys/my.key @@ -0,0 +1 @@ +# put here your key, or provide it using env var e.g. SOPS_IMPORT_PGP=$(cat manifests/.private-keys/exampleU1.key) 
diff --git a/manifests/function/ephemeral/replacements/generated-secrets.yaml b/manifests/function/ephemeral/replacements/generated-secrets.yaml index 429eb86b2..78d71842f 100644 --- a/manifests/function/ephemeral/replacements/generated-secrets.yaml +++ b/manifests/function/ephemeral/replacements/generated-secrets.yaml @@ -9,8 +9,8 @@ metadata: replacements: - source: objref: - name: generated-secrets - fieldref: "{.isoImage.passwords.root}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=isoImageSecrets].values.[name=rootPasswd].data" target: objref: kind: Secret @@ -18,8 +18,8 @@ replacements: fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_ROOT%"] - source: objref: - name: generated-secrets - fieldref: "{.isoImage.passwords.deployer}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=isoImageSecrets].values.[name=deployerPasswd].data" target: objref: kind: Secret @@ -27,8 +27,8 @@ replacements: fieldrefs: ["stringData.userData%REPLACEMENT_ISO_PASSWORD_DEPLOYER%"] - source: objref: - name: generated-secrets - fieldref: "{.ephemeralClusterCa.key}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caKey].data" target: objref: kind: Secret 
@@ -36,26 +36,19 @@ replacements: fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_KEY%"] - source: objref: - name: generated-secrets - fieldref: "{.ephemeralClusterCa.crt}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data" target: objref: kind: Secret name: ephemeral-bmc-secret - fieldrefs: ["stringData.userData%REPLACEMENT_CP_CA_CERT%"] + fieldrefs: + - "stringData.userData%REPLACEMENT_CP_CA_CERT%" + - "stringData.userData%REPLACEMENT_CP_KUBECONFIG_CA_CERT%" - source: objref: - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.certificate-authority-data}" - target: - objref: - kind: Secret - name: ephemeral-bmc-secret - fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_CA_CERT%"] -- source: - objref: - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.client-key-data}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data" target: objref: kind: Secret @@ -63,8 +56,8 @@ replacements: fieldrefs: ["stringData.userData%REPLACEMENT_CP_KUBECONFIG_ADMIN_KEY%"] - source: objref: - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.client-certificate-data}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data" target: objref: kind: Secret diff --git a/manifests/function/k8scontrol/replacements/cluster.yaml b/manifests/function/k8scontrol/replacements/cluster.yaml index 03e4580a7..457f3cfe1 100644 --- a/manifests/function/k8scontrol/replacements/cluster.yaml +++ b/manifests/function/k8scontrol/replacements/cluster.yaml 
@@ -9,11 +9,19 @@ metadata: replacements: - source: objref: - kind: VariableCatalogue - name: generated-secrets - fieldref: "{.targetClusterCa}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data" target: objref: kind: Secret name: target-cluster-ca - fieldrefs: ["{.data}"] + fieldrefs: ["{$.data.tls\\.crt}"] +- source: + objref: + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caKey].data" + target: + objref: + kind: Secret + name: target-cluster-ca + fieldrefs: ["{$.data.tls\\.key}"] diff --git a/manifests/function/k8scontrol/replacements/generated-secrets.yaml b/manifests/function/k8scontrol/replacements/generated-secrets.yaml index 31ab11d73..467de4837 100644 --- a/manifests/function/k8scontrol/replacements/generated-secrets.yaml +++ b/manifests/function/k8scontrol/replacements/generated-secrets.yaml @@ -10,8 +10,8 @@ metadata: replacements: - source: objref: - name: generated-secrets - fieldref: "{.sshKeys.publicKey}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetSshSecrets].values.[name=publicKey].data" target: objref: kind: KubeadmControlPlane diff --git a/manifests/function/templater-helpers/cleanup/kustomization.yaml b/manifests/function/templater-helpers/cleanup/kustomization.yaml new file mode 100644 index 000000000..06dc29332 --- /dev/null +++ b/manifests/function/templater-helpers/cleanup/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- patch.yaml diff --git a/manifests/function/templater-helpers/cleanup/patch.yaml b/manifests/function/templater-helpers/cleanup/patch.yaml new file mode 100644 index 000000000..8578db889 --- /dev/null +++ b/manifests/function/templater-helpers/cleanup/patch.yaml 
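Review bot: The new replacements write `caCrt` and `caKey` straight into `target-cluster-ca`'s `data.tls.crt` and `data.tls.key`; entries under a Secret's `data` must be base64, whereas the old `{.data}` replacement let the catalogue supply the whole map. Whether `.secretGroups.[name=targetK8sSecrets].values.[name=caKey].data` already holds base64 is not visible in this hunk — if it holds PEM, `stringData` is the correct target, otherwise document the assumption on the source entry with `# catalogue .data values are base64, ready for Secret.data`. The replacements list ends inside the hunk; the rest of the file does not.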
@@ -0,0 +1,15 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: delete-templater-modules
+target:
+ group: airshipit.org
+ version: v1alpha1
+ kind: Templater
+patch: |
+ apiVersion: not-important
+ kind: not-important
+ metadata:
+ name: not-important
+ $patch: delete
+
diff --git a/manifests/function/templater-helpers/secret-generator/kustomization.yaml b/manifests/function/templater-helpers/secret-generator/kustomization.yaml
new file mode 100644
index 000000000..d8985d88e
--- /dev/null
+++ b/manifests/function/templater-helpers/secret-generator/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - lib.yaml
diff --git a/manifests/function/templater-helpers/secret-generator/lib.yaml b/manifests/function/templater-helpers/secret-generator/lib.yaml
new file mode 100644
index 000000000..e451785ee
--- /dev/null
+++ b/manifests/function/templater-helpers/secret-generator/lib.yaml
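Review bot: The `target` selector in delete-templater-modules matches every `airshipit.org/v1alpha1` Templater in the bundle, not only `secret-template-lib`, which is what the kustomization comment "remove libs after using in all generators" says it is for; any other Templater routed through this transformer is deleted silently. Narrow it with `name: secret-template-lib` under `target`, or, if deleting all templaters at that point is intended because they have all been rendered, say so in the file: `# deletes ALL Templater documents; only chain after every generator has run`.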
@@ -0,0 +1,165 @@ +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: secret-template-lib +values: +template: | + {{/* RFC3339 returns string that defines timestamp format accoring to + that RFC */}} + {{- define "RFC3339" -}} + 2006-01-02T15:04:05Z07:00 + {{- end -}} + {{/* grepTpl returns yaml that can be used to built KFilter that will + filter with grep */}} + {{- define "grepTpl" -}} + kind: GrepFilter + path: {{ index . 0 }} + value: {{ index . 1 }} + {{ if gt (len .) 2}} + invertMatch: {{ index . 2 }} + {{ end }} + {{- end -}} + {{/* createNodeType converts text representation of node type that can be + created to number */}} + {{- define "createNodeType" -}} + {{- $type := . -}} + {{/* values defined here: https://github.com/go-yaml/yaml/blob/496545a6307b/yaml.go#L323 */}} + {{- if eq $type "DocumentNode" -}} + 1 + {{- else if eq $type "SequenceNode" -}} + 2 + {{- else if eq $type "MappingNode" -}} + 4 + {{- else if eq $type "ScalarNode" -}} + 8 + {{- else if eq $type "AliasNode" -}} + 16 + {{- else -}} + {{- fail (printf "unknown node type %s" $type) -}} + {{- end -}} + {{- end -}} + {{/* pathGetTpl returns yaml that can be used to create YFilter that returns + yaml node by path */}} + {{- define "pathGetTpl" -}} + {{- $path := index . 0 -}} + kind: PathGetter + path: {{ $path }} + {{- if gt (len .) 1 }} + create: {{ include "createNodeType" (index . 1) }} + {{ end -}} + {{- end -}} + {{/* fieldSetTpl returns yaml that can be used to create YFilter that sets + yaml node with value */}} + {{- define "fieldSetTpl" -}} + {{- $name := index . 0 -}} + {{- $stringValue := index . 1 -}} + kind: FieldSetter + name: {{ $name | quote }} + stringValue: {{ $stringValue }} + {{- end -}} + {{/* isEncrypted returns true if it can find sops field in the document */}} + {{- define "isEncrypted" -}} + {{- $combinedSecrets := . 
-}} + {{- $value := YValue $combinedSecrets -}} + {{- if $value.sops -}} + true + {{- else -}} + false + {{- end -}} + {{- end -}} + {{/* group gets the current combined secrets, imported combined secrets, + group name, group period (once, monthly, yearly) and name of function + that regenerates the group and performs merge of imported secrets to + the current secrets, and regenerates needed fields based group period */}} + {{- define "group" -}} + {{/* reading args and setting constants */}} + {{- $ctx := index . 0 -}} + {{- $combinedSecrets := index . 1 -}} + {{- $combinedSecretsImport := index . 2 -}} + {{- $groupName := index . 3 -}} + {{- $groupPeriod := index . 4 -}} + {{- $generationTemplateName := index . 5 -}} + {{- $RFC3339 := include "RFC3339" . -}} + {{- $groupY := YOneFilter $combinedSecrets (include "pathGetTpl" (list (printf "[\"secretGroups\", \"[name=%s]\"]" $groupName))) -}} + {{- $groupImportedY := YOneFilter $combinedSecretsImport (include "pathGetTpl" (list (printf "[\"secretGroups\", \"[name=%s]\"]" $groupName))) -}} + {{- $sg := YValue $groupY -}} + {{- $sgi := YValue $groupImportedY -}} + {{/* calculcate dates for regeneration periods. 
Add here group period if needed */}} + {{- $periodExpiredEarlier := dict "once" (toDate $RFC3339 "1970-01-01T00:00:00Z") "monthly" (now | dateModify "-720h") "yearly" (now | dateModify "-8760h") -}} + {{- $preiodRegenerationForced := dict -}} + {{- range $period, $_ := $periodExpiredEarlier -}} + {{- $_ := set $preiodRegenerationForced $period "false" -}} + {{- end -}} + {{- range $key, $val := splitList "," (env "FORCE_REGENERATE") -}} + {{- if eq $val "all" -}} + {{- range $period, $_ := $periodExpiredEarlier -}} + {{- $_ := set $preiodRegenerationForced $period "true" -}} + {{- end -}} + {{- else -}} + {{- $_ := set $preiodRegenerationForced $val "true" -}} + {{- end -}} + {{- end -}} + {{/* get initial flag if we need to regenerate from $preiodRegenerationForced dict */}} + {{- $regenerate := eq (get $preiodRegenerationForced $groupPeriod) "true" -}} + {{/* if group isn't present in input - generate */}} + {{- if and (not $regenerate) (eq ($sg | quote) "") -}} + {{- $regenerate = true -}} + {{- end -}} + {{/* generate if last update time is earlier than $periodExpiredEarlier for that period */}} + {{- if not $regenerate -}} + {{- if lt (unixEpoch (toDate $RFC3339 $sg.updated)) (unixEpoch (toDate $RFC3339 ( get $periodExpiredEarlier $groupPeriod | date $RFC3339))) -}} + {{- $regenerate = true -}} + {{- end -}} + {{- end -}} + {{/* merge imported values to old values */}} + {{/* for each value in imported */}} + {{- range $k, $v := $sgi.values -}} + {{/* find value with the same name as in imported */}} + {{- $val := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}} + {{- if $val -}} + {{/* for each field */}} + {{- range $ki, $vi := $v -}} + {{/* ensure that the field exists before updating */}} + {{- $_ := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\",\"%s\"]" $v.name $ki) "ScalarNode")) -}} + {{/* update group value */}} + {{- $_ := YOneFilter $val (include "fieldSetTpl" 
(list $ki ($vi|quote))) -}} + {{- end -}} + {{- else -}} + {{/*create*/}} + {{- $valuesList := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\"]"))) -}} + {{- $newValue := YOneFilter $groupImportedY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}} + {{- $_ := YListAppend $valuesList $newValue -}} + {{- end -}} + {{- end -}} + {{/* if both groups were empty - set at least name */}} + {{- $groupY = YMerge (StrToY (printf "name: %s" $groupName)) $groupY -}} + {{- if $regenerate -}} + {{- $groupY = YMerge (StrToY (printf "updated: %s" (now | date $RFC3339))) $groupY -}} + {{- $generatedValues := StrToY (include $generationTemplateName $ctx) -}} + {{- $_ := YOneFilter $groupY (include "pathGetTpl" (list "[\"values\"]" "SequenceNode")) -}} + {{- $sgn := YValue $generatedValues -}} + {{- range $k, $v := $sgn.values -}} + {{- $val := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}} + {{- if $val -}} + {{- $vval := YValue $val -}} + {{/* don't update pinned values */}} + {{- if not (eq ($vval.pinned|quote) "\"true\"") -}} + {{/* for each field */}} + {{- range $ki, $vi := $v -}} + {{/* ensure that the field exists before updating */}} + {{- $_ := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\",\"%s\"]" $v.name $ki) "ScalarNode")) -}} + {{/* update group value */}} + {{- $_ := YOneFilter $val (include "fieldSetTpl" (list $ki ($vi|quote))) -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{/*create*/}} + {{- $valuesList := YOneFilter $groupY (include "pathGetTpl" (list (printf "[\"values\"]"))) -}} + {{- $newValue := YOneFilter $generatedValues (include "pathGetTpl" (list (printf "[\"values\", \"[name=%s]\"]" $v.name))) -}} + {{- $_ := YListAppend $valuesList $newValue -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{/* print the resulting yaml */}} + {{- toYaml (YValue $groupY) -}} + {{- end -}} 
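Review bot: In `group`, `FORCE_REGENERATE` is split on commas and every token other than `all` is set as a key in `$preiodRegenerationForced` without checking that it names a known period, so a mistyped value is ignored and the operator believes the secrets were rotated when they were not. Validate before setting: `{{- else if hasKey $periodExpiredEarlier $val -}}{{- $_ := set $preiodRegenerationForced $val "true" -}}{{- else if $val -}}{{- fail (printf "unknown FORCE_REGENERATE period %q" $val) -}}{{- end -}}` (the empty token produced by an unset variable still passes). The variable name `preiodRegenerationForced` and the comments "accoring" and "calculcate" are misspelt, and the header comment of `group` would be clearer if it named the six positional arguments in order (context, current catalogue, imported catalogue, group name, period, generator template).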
diff --git a/manifests/function/workers-capm3/replacements-secrets/generated-secrets.yaml b/manifests/function/workers-capm3/replacements-secrets/generated-secrets.yaml index 6f3f2e6ab..42a3d5c14 100644 --- a/manifests/function/workers-capm3/replacements-secrets/generated-secrets.yaml +++ b/manifests/function/workers-capm3/replacements-secrets/generated-secrets.yaml @@ -10,8 +10,8 @@ metadata: replacements: - source: objref: - name: generated-secrets - fieldref: "{.sshKeys.publicKey}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetSshSecrets].values.[name=publicKey].data" target: objref: kind: KubeadmConfigTemplate diff --git a/manifests/phases/executors.yaml b/manifests/phases/executors.yaml index 04df91765..802b67432 100644 --- a/manifests/phases/executors.yaml +++ b/manifests/phases/executors.yaml @@ -63,40 +63,33 @@ action: move apiVersion: airshipit.org/v1alpha1 kind: GenericContainer metadata: - name: encrypter + name: noop-sink labels: airshipit.org/deploy-k8s: "false" spec: type: krm - sinkOutputDir: "target/encrypted/results" - image: gcr.io/kpt-fn-contrib/sops:v0.1.0 - envVars: - - SOPS_IMPORT_PGP - - SOPS_PGP_FP + sinkOutputDir: "./" + image: gcr.io/kpt-fn-contrib/sops:v0.3.0 config: | apiVersion: v1 kind: ConfigMap data: - cmd: encrypt - unencrypted-regex: '^(kind|apiVersion|group|metadata)$' + cmd: noop --- apiVersion: airshipit.org/v1alpha1 kind: GenericContainer metadata: - name: decrypter + name: noop-show labels: airshipit.org/deploy-k8s: "false" spec: type: krm - image: gcr.io/kpt-fn-contrib/sops:v0.1.0 - envVars: - - SOPS_IMPORT_PGP - - SOPS_PGP_FP + image: gcr.io/kpt-fn-contrib/sops:v0.3.0 config: | apiVersion: v1 kind: ConfigMap data: - cmd: decrypt + cmd: noop --- # This executor launchs a bootstrap container, which creates # an Azure Kubernetes Service (AKS) cluster diff --git a/manifests/phases/phases.yaml b/manifests/phases/phases.yaml index ea60e6ca0..42235affa 100644 --- a/manifests/phases/phases.yaml 
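Review bot: The `noop-sink` and `noop-show` executors drop the `envVars` forwarding of `SOPS_IMPORT_PGP`/`SOPS_PGP_FP` that the removed `encrypter`/`decrypter` executors had, while the documentation hunk in this same commit still instructs operators to set those variables for key rotation; nothing in executors.yaml says how a key now reaches the sops function (presumably the `decryption-key` Secret generated from manifests/.private-keys, or host-side handling by the transformers). A comment on the executor would close that gap, e.g. `# no key material is passed here: encryption/decryption run as kustomize transformers (encrypt-secrets / decrypt-secrets), see manifests/.private-keys`. It is also worth stating what `sinkOutputDir: "./"` resolves against, since it alone decides where the re-encrypted catalogues are written back.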
+++ b/manifests/phases/phases.yaml
@@ -206,24 +206,13 @@ config:
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
 metadata:
- name: secret-generate
+ name: secret-update
 config:
 executorRef:
 apiVersion: airshipit.org/v1alpha1
 kind: GenericContainer
- name: encrypter
- documentEntryPoint: target/encrypted/generator
----
-apiVersion: airshipit.org/v1alpha1
-kind: Phase
-metadata:
- name: secret-import
-config:
- executorRef:
- apiVersion: airshipit.org/v1alpha1
- kind: GenericContainer
- name: encrypter
- documentEntryPoint: target/encrypted/importer
+ name: noop-sink
+ documentEntryPoint: encrypted/update
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
@@ -233,19 +222,8 @@ config:
 executorRef:
 apiVersion: airshipit.org/v1alpha1
 kind: GenericContainer
- name: decrypter
- documentEntryPoint: target/encrypted/results
----
-apiVersion: airshipit.org/v1alpha1
-kind: Phase
-metadata:
- name: secret-reencrypt
-config:
- executorRef:
- apiVersion: airshipit.org/v1alpha1
- kind: GenericContainer
- name: encrypter
- documentEntryPoint: target/encrypted/results
+ name: noop-show
+ documentEntryPoint: encrypted/get
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
diff --git a/manifests/site/test-site/encrypted/encryption-keys/kustomization.yaml b/manifests/site/test-site/encrypted/encryption-keys/kustomization.yaml
new file mode 100644
index 000000000..65b09265d
--- /dev/null
+++ b/manifests/site/test-site/encrypted/encryption-keys/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - ../../ephemeral/catalogues/public-keys/
+ - ../../target/catalogues/public-keys/
diff --git a/manifests/site/test-site/encrypted/get/kustomization.yaml b/manifests/site/test-site/encrypted/get/kustomization.yaml
new file mode 100644
index 000000000..4762ccd08
--- /dev/null
+++ b/manifests/site/test-site/encrypted/get/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - ../../ephemeral/catalogues/encrypted
+ - ../../target/catalogues/encrypted
diff --git a/manifests/site/test-site/encrypted/update/kustomization.yaml b/manifests/site/test-site/encrypted/update/kustomization.yaml
new file mode 100644
index 000000000..68ed55caf
--- /dev/null
+++ b/manifests/site/test-site/encrypted/update/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+ - ../get/
+ - ../encryption-keys/
+ - secrets.yaml
+ - ../../../../function/templater-helpers/secret-generator/ # libs needed for generator
+transformers:
+ - ../../../../type/gating/shared/update-secrets/
+ - ../../../../function/templater-helpers/cleanup/ # remove libs after using in all generators
+ - ../../../../type/gating/shared/update-secrets/fileplacement # update paths for imports
+ - ../../../../type/gating/shared/encrypt-secrets
+ - ../../../../type/gating/shared/encrypt-secrets/cleanup
+
diff --git a/manifests/site/test-site/encrypted/update/secrets.yaml b/manifests/site/test-site/encrypted/update/secrets.yaml
new file mode 100644
index 000000000..76de49dcb
--- /dev/null
+++ b/manifests/site/test-site/encrypted/update/secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ labels:
+ airshipit.org/deploy-k8s: 'false'
+ name: combined-ephemeral-secrets-import
+secretGroups: []
+---
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ labels:
+ airshipit.org/deploy-k8s: 'false'
+ name: combined-target-secrets-import
+secretGroups: []
diff --git a/manifests/site/test-site/ephemeral/catalogues/encrypted/kustomization.yaml b/manifests/site/test-site/ephemeral/catalogues/encrypted/kustomization.yaml
new file mode 100644
index 000000000..b81981cd4
--- /dev/null
+++ b/manifests/site/test-site/ephemeral/catalogues/encrypted/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../../../../.private-keys/
+ - secrets.yaml
+
+transformers:
+ - ../../../../../type/gating/shared/decrypt-secrets/
+ - ../../../../../type/gating/shared/decrypt-secrets/cleanup/
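Review bot: The ephemeral/catalogues/encrypted kustomization pulls `.private-keys/` in as a resource, so the `decryption-key` Secret built from my.key becomes part of the bundle next to the encrypted catalogue, and keeping it out of the rendered output rests entirely on the `decrypt-secrets/cleanup/` transformer running afterwards; any consumer that references this directory's resources without its transformers (or a misordered transformer list) would carry the private key through. That contract deserves a comment on the resource line, e.g. `# emits Secret 'decryption-key' from .private-keys/my.key; decrypt-secrets/cleanup below strips it again - do not consume these resources without that cleanup`, and a quick sanity check in the gating scripts that no Secret named `decryption-key` survives in the phase output. The target-side catalogue presumably mirrors this layout and needs the same note.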
diff --git a/manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml b/manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml
new file mode 100644
index 000000000..ca11acc21
--- /dev/null
+++ b/manifests/site/test-site/ephemeral/catalogues/encrypted/secrets.yaml
@@ -0,0 +1,91 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + labels: + airshipit.org/deploy-k8s: 'false' + name: combined-ephemeral-secrets +secretGroups: +- name: isoImageSecrets + updated: '2021-08-10T20:00:40Z' + values: + - data: 'ENC[AES256_GCM,data:TYMniBOXUzUWROJBIIM=,iv:2rnni6xgiooCBArUCrypA1jYuWbUofqli37SVMlaAwc=,tag:ipRCGuGwYbnibougLr8MvA==,type:str]' + name: rootPasswd + - data: 'ENC[AES256_GCM,data:duXgFUM9nTWEwx+nJrA=,iv:5ZfOPqnqGkfx+ibJwWUYmoQlETjU7EZbhRbzIuRQnXM=,tag:J3gzhybmEGPZxYC+ZvO0VQ==,type:str]' + name: deployerPasswd +- name: ephemeralK8sSecrets + updated: '2021-08-10T20:00:40Z' + values: + - data: 'ENC[AES256_GCM,data:MsAZOpDilAgx4mFIV769NMEQUSBSgK0Mz/+ChIcdtBZvTMAXf2Z2Dp2dhjdokwKLnNOv3jdbfwjGFDsxvwXHyqa5p2zbhXDLcvw8gShs/tpc8OkdVl6CpdObhwV9ayrzRFtewWswLr6IukoryP1b3EE9z2GXUO7/+bNOW0pMBXzeV9UO9n/DqxnbPsAOfuofUmY2NPQdhErJaMNhHMQeVa5U1B5qyy4H15rNPkSGZbjcRgzHopRP+qduig7zRdJOGqP+vRXlkrdLLFuyZbGD3i+2QUWoek1i+5znAoHASYsvBKOlnNgYVm/7WM4uckHbblzL4dromo99HPdsL/ugS0FVZQOTwBCRtSW2pOYNMXf3dQnxt91MC/v1mHNpgoju5Yyd+5GSmc/Czr+kva77RE109CFf9eUl9ReDpSqV1c1P8Sltq48wGUmNKl6KAN0OBkeALJIf/4izkEXUbUw2mTrtZuNjvFHk3Hkl7SZ65TVkA5ei0m7ejhpi5ugX5XWq1potAEKWlqVawXTP5qVwaN7RTCZgHvA7GjubQb/X2BCpUeZIQXbeXOyS46ZsWxPT5ZlH7d1l+ltRv7xcrj+ROpMgr4xrJlkx8Xfn86FWf7qMAXFeB8hNtY1XIQZ4ZKyXp19E3hvBMIOmdm9zGFWV1/7RdKmyfIs2+GJ/ATmeoDLlCVAin3oX+s52N5FfTh2ivmHfWnpFpHfj7K+BOjm+BwoBIzq2KC+H6WGo+GSrOhotygcq8i0XESqh/S+hN+WHNLFE/jsuCNtPOM9TXJwgSYJ3jU4ufvlSsA4sA8cJAjlBRsHcGGjPe6g+gdn6lZCzBe/CU0dlob7JNmpOapv1jUY81fTy0jq5hte4Zalj5JRRsGdc/kzY5h90ZT0VlRiq36NL3cFlahSaSIhVL8NH72MPep98SR2HSGTqcJDfrsmXQaIpJmZu5TE1pPgjBO7JXtWWHxdV9WWwxlZ/j0/oQSyunC2WO+zZbiHKoNBP3XKn9WY2Hje1YJ07H3dzOK1+bYykegePau3LSPuoRxP6tgFFpxlI7xtMi+38C7nGZI6XwPz2i8w99cxpvIxc5JS6eRR7GEZMSQQc/KtxRd7/W3sZJ8ylfQ7XXXrOGISv2Uki8p+n7XpYHdNJU02DfCAFTIa6e1cYBN4Ke8/IbB9Z8lqv4ZcHos2ceXE3rOwS23A6deShWg/lzUYzjQQN7BBasH1Bbxr6HYv/uAfiMzfOqHYUdd/i4aAsgDU8gZACHmEFR4kU/OGlk0AFmmqFZij75glJS2Pb1O9/lH6ZkRMg8M86QfBwwE+bt9xDfTUf
q99wey54IxkZe7Rg1ESPc2R104E9lwm5CQ+XpdMCjaf1s3m12b5/ZTyjAEs2k2hCmxo1NsidbQhv/oFQDgdhsid70FTLhLD46WSoKG0NSplQ5tZr82HF9ycoEDVubtYO8mibjS3xcndDBnq2MwCJxCCCSjqWrBgaMyzp/YAhOyUtUNWAsZxBiMVDnmtmKf74mhYQGH41/om2RoJgvsjo0Qxbt/DjrtASHeGPm9DlITA0xi8cMKnLi0P9t31KkNA94DIPXOnK8TU32jLcOxjuasMIJVIpmaw4XWYRSSVs8WB3jhOJ83dr3kTfId3lKQi5zQOY6NNajHjD/lxIkdc8Q7cHCyV2fu80WeMPYGA5PcstfEpLhbJbIpJ9r98FeUrcjPJcuhg4sku5T9ojaltckOdeUib8D0o8f8Ta3z+3GgQtDa8CiYGTvEQigmZclHFmOMe1MsZu2Uvs6k/jCQrmk+9Xk0uNXr4YlQyeYH5DQ4WyvjZGSrVUMC/EzV6hT9+CDcjjhwOYKq6onjv66DbsfHcsUbRzwqv9nh+4BvkHz+zZhJm6CVy1oopP6CbGkPa5QcUbHyrQgYJ1c3H9ZICUynlvATft8FJ5wo3jbZDimEkRUxMD/+IaEEIqTBdvYQNs3NnegfoxoR043udiGpaRT2By9y2cXdP2ThftrZrVMBV9JNu45tgGltUzldAQkcaQkYA=,iv:21tSh1/+sShGLWR5TxB/2nHfMW4YzKOf1D6yE0jitho=,tag:6k0Rbfk+rf3wIIe1FhW2rA==,type:str]' + name: caCrt + - data: 'ENC[AES256_GCM,data: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,iv:DYwZlqxHUmFnhIy9S9OadGO2h3z67p8F+QmHVQQnuqE=,tag:I5W61XpWE4sWv7EEgLQnPw==,type:str]' + name: caKey + - data: 'ENC[AES256_GCM,data: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,iv:pgVhozoNdRTBi2Y4zzx5bybtuWkP7R0enTXwfbrHKOE=,tag:71AKiBMZ/sBD/zWBgVMFOg==,type:str]' + name: crt + - data: 
'ENC[AES256_GCM,data:MDBlkJV8BJ5hXxjIzEF8lhGoA2rTYW6fKOHpRljY5pXUQ7yArWK5rskSiROF/GnjuETnI3/1QtArMN0kHzTcqUPSkvSgSTo5Ulposf/efKxBbH69P1SIg4O2ViReznajjdO3unePUKax6mswnUG8GK4jv2utfZl+sx0xH6TGS51OxhuAo6+JMSIKK4s9f7XCVTWGRRf8tst0eYnlLbA+5jd1dNjFHxT17wcAxY4xFkAkmYRUt8UAd0dIm7pbcnIMBsTSZkkQUOLD3YZKjysxfN4NCnxkRcLkYMKHsT+Ekx8R4OTgBpOYeuiAUK5e1Oyctts7RxqHDaHD9D0MkU7Ko+a/Pjx/UqJzFjGZbZWdGpQwC7oKmTZxplRfbR35Q9E4z15lV/BO1KQ0BpZU3VwScHh1y+fwGxi9d5F7TPbvnKxdfvwZbZw9kwVB49p5xh+gwnJYC7K79HYQL82Ta/96emq7ri/61984MnTIsx9wR5uIcA8EMrSJS1iBd0ye0xlIhfQxK5W8Uzj/a0HiFN4xE4foxh7pA43+oJA4ZUECgwDTFX/jHFS+tdj+c+EpmrU2SpbHy5pC+5JokfXP/xcnFrc/j92CdTLYfxEFa1HZKhHk8Np663rtqlX08uigLJ3BIPE4ZMkmEN7nCJ8wMxGPMmz2qCiC9pySDootHAdlPz0gPMq5/g2aJSskrFLS50L6g6bjlIQlyllyRdxCoyjfSPiIhtpswsvwe6W8fY98AO/cBtK2fcRWIecy356ntGVLCfGZwcSU2xiOr6fm5RYiBfcbttnEHhJPzW7sbYoj7JObKsoPb3sg95ZP2jT0iM2FFA1UOfUCwiL2qbvl9oCIijJbrShec0Pd8CGIhetpH20jrra+eD9i8GCAvFkmOofLUQx/3CHFc+/YSOmpTa8p1ElBq8ev8Kio/28ZGSEDZzO5LYlKWGcj/4G1705yWFDTLj4J53z/XeppgmjVaLRthlO0Jt014vrP+zxso5EfzhSRJ4vKt1ywuruIUwSwKcaGejOIepnaNurrAyYTe1IMRLNIZ5tMYlw+DAdZXyi+dykmfJsyb2FrVZbDUdh9bkEpKDWzzv611ICnjdrfS49uPJz2wvlCtCZkVIZOvEGeD3Q4q2aN7YxQRkLxzwWS/UVUysAwZnU9cqm9SFZvVOVW2XsGs2BYDkjxAV6LNTCQwUwM85ijmNF5t+Zu6u7mX3l88PZVHeqYG53SHP3tfL9CzzeMkzWjnzNbFUlCm1hIRo/uIB+IZ6YupzsiZzPdmH6xgrX4eC5VqZgySAYaPW0bxfeX30l2u87nxaMiYeR7/TB+7LWakpbbLkhPNrEtshKDwamKxVXjb4ChmynemGbNbUoVpYjpmXbUTmSm6cGjFx+PPAMo5Lh8dJOkpQwG8LneA6ZCnq4cr3Xns99OxfOcLFCGV6XPcxwd1+g5ZZp+wj572G3j1jODDheLf0c0kwAOsECVs7iQOvAbvKR/BMbTEbPjGEdu1YnSwh4F9yVcaL+0HGoFHq1x7OxX9LzPg8d1/I23mRIY40kSxqFAl0/1iHRPMKj3SzAY0WFdIsQXr1SDuxNuEeRiG5DCEDi6Dq3jKzBYWjvA0AHlU7f/a1j/CbEvJkzmw/I8KEX/UmbC8/MaC1iJ1p6obLvMo7kVFRcBP9rSuriUxQSC656PSi+j06ssRs+TpHLGBZKP+IjGIdtVmoH2ErWVebjIt8mBl4d67bxtOHNbQD9AOGIYYTZhaIUAhFvqQv0CKJ3wuBet0qQ/3Nx4bf4mqOkG2BzVlaE/WVyhE/gBcHeBVqq8Z8xASzZU82nDR6QctFPWVu69nukhh98G5VlexjgwOW6u1SJDlX32gdqS7dY9VzvMhCQwAPB/KnLqGrHPG87OkpUkMdrmB6e81s1DF86Cum8qo9IPq8m6gtQu2b3xGDdg1peiUjR04AK27KWwUJ3oBYNq9x+RB/QBLwZYdzKJqI9
t4qm2F0KM/A6JURaAKGUbM2fjWpJnd+3KyYUdw5y1R6OhMQQp2afL+1WDZNCIxqZw1APxpQRWDSh135JwB+vBkYOjW0TxW1/UdCw+ijwoXTc+qUPSJy9sPGHjc2LKdNePzdN95l9KzjxRa6GcsHbE/ue6GhFfaB01CxsgGlB0i0fz0Tb84ly3BMNvMIIN/jSPjH6SC1+urB5Zh1SSxf1DucC7oxCCvMmFw7ruvP5U3AbTL8W5Kfpd7z9JpePvqtiswl9Slv4vRZFTNfEs9NsEbtbWu2ODyxTCrQbu7Lxts5dGLq8xeHCEB9JhSzJgQaG20Aih9hPf5D7giG1T/FlqG6gwBJiAr4u3f85faYcE0UTsoFlgiYHFJuqmDC0lbWvL75rvyDPhsRhgwZ4g9uSLdPKmxLQFMgdbn0GLfPY2Ckaysfzx/gKiQ0HYsaOW5kJyQtgspUBmjm9zS0RxZcfXiFgtamSHMMAesmW1bGMTePTKIL2JoyS5fe0t01HdAsrw2zx6WKR87f4ZNglMnsunKFTPGXNcy1tN+0+sJelGxbah4doAdm7bWCNj3ej3G8Ki1jpgn7Mdw+GGWJfqSm4SI4nyxcl1ct/22baJ/QGpc5Dfu+MshtcAFz0Xn9NvZyIZN+pfJWeXPU1F6lNWqNnh+yVRLSda+HmbyHsWWmads9jwVSPPvCcnD/J9r02TQIhgYjCVYbV9rVQkomnhE4Kheke/hzD1Jctp007IA95sUI276TqzqScQ+QiSjc/HK5s2HmLidGOVML7riC53JVs1lFZCeqhBh9G6kxTKZbQX1oGcj9jPLwWMT8uSNzf6EpTmsBP7tvsumlzis+WfOrZDPLdh1DhJm8P/9VHme4T0vh0CsPwFnekbRJP8te4zg4hOmhWI/I3qlfvxGHOojZgtscghB4X3t+GbzTK9vn0DZynUKq1AvwSn4wC6v/HzaIl5UUlKQV0j4n2/IfQyqMsUUA76XxzPVRfkENtUZ5BX+nFe/Sg=,iv:ZVGs1HdrjkgpfKRMLnKEnZDdqD6sRO8h1/8V1W5QXRM=,tag:TUZXvh3hd+nRKaull1P+nA==,type:str]' + name: key +sops: + age: [] + azure_kv: [] + encrypted_regex: ^(data)$ + gcp_kms: [] + hc_vault: + - created_at: '2021-08-11T17:27:07Z' + enc: 'vault:v1:dTgln4Sz23VgKsMigpRssTtx7X8XB6wjCPDJGzvLRnM+LKpGnYdyppyYg4mha5mXLes5ke5RAj5CQHa5ccj+yaZFnCKihqZ1SkHDYhExXyBy9dNb2X8yDHx8Iix8Ir8icSEw+GZkG92xIbDHYxU4LgPgMAu9mQ5BUKGKv+IDpA/WKBRvvsczgVVDsuleBNnIQkxiU811RnqhYPojrPJefBcBXNsC2IgV0E9Lfo49Zm5HvOvPDaolucfteVAxIw3nTYToO/v2IV3I9X5NiWOvmYQ9JMvv83pmYgdkXlqekez4PPlADqUSZ/cW8B2UV21i46rW9Ilqui9eDv9SQMFg/xRbDu1pfXlKc4BGmUVrnH838mSCfizvNN+sX1ST6wrGtfOQA05wYtssbqRXrXbJ9dzjnkWnHWqEsTmS82uSu4tohsu29fRVwOgWfxHGKmhZuKYt2iggI/fn43CNyLgw2cRaXaXQFuTtefCAQ9toUOH4vOiZ9rDYsM8dInBukzYAcRAydZ1hVnhfm+UjfhS+e6MRDhA33BF/4VZzFW+mv9/1VzzbrZZE9x+juTDakmfcxj+Y88a8fgmkFfHpCAGnapdqpwvQ1/jomiCzLkQYPw8nRsirxDThggJBQ5IWqmINpr6wbx1A5eaepoAiGxEUTatFZdfVYL+tqO9Auz1xdvA=' + engine_path: sops + key_name: firstkey + vault_address: 
'http://127.0.0.1:8200' + - created_at: '2021-08-11T17:27:07Z' + enc: 'vault:v1:hGmSWtvLej7IwtrKrjnfFv0vd+X0CeClUCzjgLXTz72zpEp+0velsci/5QYgr+N39Z0ZPt3a6PdwNN8Epuzwtbos66bWCaVz4LM7e6zj41mZczgXQMvEm4YRGFnVXGvB5Hp3OexROCBa3HskFTWqSFeqV6pzOKv+1Z12mGVqVNMJasU4aTM8kN/yvWaUyk8RYoh9q2FLwAawLFBhbXPPQ+HJeQcvaFN8/q0OH2mF37pvk3Vu7hm0Arok95HRfziyO6CMZymSKB9zsfeajYCNtTpZ7KDSwPIZraxqZQXrtUvQE97lvBwnMLhdA3bPAxq+tk498f5Qgkl4q2ikFLE13Q==' + engine_path: sops + key_name: secondkey + vault_address: 'http://127.0.0.1:8200' + kms: [] + lastmodified: '2021-08-11T17:27:08Z' + mac: 'ENC[AES256_GCM,data:qRm8PgsmzgsfEUST2l3Qai6NYqSmQYVjmSeqKXVNIzW86+5VpAgvtfeb+CYW2PoDyErPdUN2aVlCCIIMSHcvs/oeQenjhxuhD10Tq6YCSW6xdr18y9l2gfQk7he0lQrQD0G3s13ljW3pENSb5veD1z9jjePCUzMYxFag/AYKMa4=,iv:tNYu1HUIPUZv1Eu1uIejskm/oKY97ViHpByVsP4gcic=,tag:VChCD235OtUIFJY7LOZsPQ==,type:str]' + pgp: + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAyUpShfNkFB/AQgAovWJoL1kvunbQqgZVRDIpHJa4zPkbMv4kr7XHGSaKaJk + 7YIG6/tHJnbGWeEoJmjg06nbN0ovMBt2Aw8nEocirLgsdq8dSdCePiRQw9SZ/rAL + U0F+iItqqf9Xe0vxZAwJHnm2Gd2OTkZ5DXvmL3NdOb6zD7c/pQbMpPpYXXeKTnqs + R+b/V8lUCpRQbrmCLAf00Dl59+92hCZH7IZoLq60hTqjEcLJivRd+JHnYHFKYD7U + rWcZUmXb5YKSG90L42/E+KuUMqiNf2QUJYZos+2s4GWVOZJ21+C5ciPEs1ep1RRI + orc/4oGuMNiaGforo+gYv0GYvWp/pfIzpimD4uoclNJeAQmfo63FskWSqm2ON0jc + d6HNRqBMprGtvQjK9ES6gJotHV8iM1vTOnOchvWkl9Vwe3ZJiYYMFxqzjjWnSF6c + rKIhPfUeXP8kdADct7poEdjWfnkCqsOh7XmHKUHb+A== + =iW1A + -----END PGP MESSAGE----- + fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hIwDXFUltYFwV4MBBACc87vDwuhVG9NN0BK77GsH4PzZ23gVdqR/FB/BsUVKfIdE + Gm19aZZAlSL/AstATpddhXM2IRtDUM9sMRGfbr/E1r8qEByoUVruPGORsAhgvOfV + zEhts2UP4R6c1H7pT8JojrXpPQidlUj7hpCDDRczZlEgbkd9fB82isK/BYKUs9Je + AfibRs0Y0lpHNKJjYWZBMVuKfAY71ujAI9s3WaNv8Et84ddGJrun8pHlOydsL2h4 + ToYsrMozVGIsJGLhg1VcwgDgPCy7BsL1aF7hJzTdSYsW+Em++uJlN0BGAQbZzA== + =tT7m + -----END PGP MESSAGE----- + fp: 
D7229043384BCC60326C6FB9D8720D957C3D3074 + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQGMA5pKZobbvtIQAQv+MhMPhbxS4gNfQwiFpnTqQ/Hga9FfbPc1l96Cd7IEQd4J + JQqMAW858fOSwsIAEEgZP1skOGGTQXDdpKCqPafySdRVDfFCPTFzVXnFTr2HwUfc + g0ByHpTqDMlRQ8mASlo8+PoZuw1nZSwOhdag4AWwDp1a/RVRP6tPOmOCL/P/t7Hc + VEcaAuaE1g0HJsLvtDITPf63WcgN2b9LcJ+anWfapjTL1yNLiZhUdN9sEETr8mkt + vNYrcPjMQ6/e7o8TYThrXw+5h0Uwed/zGO8E9UHUse+XeBJsYSJ76vnuiKXK6t9Q + LtrduJ1KeaLpvw9e1p1nxCZHSLN8dVngmyoYtdv3yVN7JUN18HUu7WT6MQ0VYttM + fBz7pHgltX2TP5EAvMBUAWA8i1K3razhGq5l79d3lVlxRK4mcTfZQkXQiieCBh/j + /cbvwFcwDYWbk+RKPFHw048+iIrWaqsv5nhv3Zc+8gZIyLmEattFh/8YTCyirNjj + kNamcFLHu2H5UTyuZV570l4B4SJNO0Vs34LIBMHpwQaEOdKPto2hvtzNuhZPw6CP + MbDQr0HaAShFTaQ5TJRKjWErZ8QWt3//lVe9wkMaMPlqVbddlyNbCIittzteS4CJ + I1w8PpzzT5u8EdTymqDT + =Vv6V + -----END PGP MESSAGE----- + fp: 9DC6FBBDB3801E4E1144017138959A55322BC64B + version: 3.7.1 diff --git a/manifests/site/test-site/ephemeral/catalogues/kustomization.yaml b/manifests/site/test-site/ephemeral/catalogues/kustomization.yaml index 5f99dd8a4..a2b72da55 100644 --- a/manifests/site/test-site/ephemeral/catalogues/kustomization.yaml +++ b/manifests/site/test-site/ephemeral/catalogues/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + resources: - - ../../target/catalogues -patchesStrategicMerge: - - networking.yaml + - shareable/ + - encrypted/ diff --git a/manifests/site/test-site/ephemeral/catalogues/public-keys/example.pub b/manifests/site/test-site/ephemeral/catalogues/public-keys/example.pub new file mode 100644 index 000000000..202e27f4f --- /dev/null +++ b/manifests/site/test-site/ephemeral/catalogues/public-keys/example.pub 
@@ -0,0 +1,92 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ +wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ +6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl +3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA +d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN +ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h +bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p +IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO +5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz +gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl +obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91 +rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E +RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D +ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo +1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF +hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh +vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn +PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D +veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc +s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1 +9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA +CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE +hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa +iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi +UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt +cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q +DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== +=Zs2s +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mI0EXWhBiAEEAM+5U/ol2T8n9Ns1r11eKun/PPArXxmo2502pAY3cf7ZpKDFfAvC 
+VF/PLusHcJToTCPOT0RVh5jO1MiQYcvQlnUIJOIEkCuUc7RsdBDsI94o+SEiGSN4 +DzK711xTvuhgLbFvCB/jcpjN8wpIYTJuD6wE75sf5jqlokrnhXZy5LcbABEBAAG0 +U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMiAoaHR0cHM6Ly9naXRodWIuY29t +L21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+iM4EEwEIADgWIQTX +IpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbAwULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRDYcg2VfD0wdEdnA/9mMGieN4hrnmgMwchZ5fplBAUCeB4R+KewSHce +gfQIxN8i3vCOHaqmF8cmc2ifXfioqsSQU9JdRl7dx+TN9sgyWas1wfT01j98sfPk +NQrgrOxC/24SQ9f7C3bplXO+25kLXCPTUomMj8zf9marVeUVNeC6IduFRRI7hxrz +tIyN/riNBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwV +ZKe1D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ +04OrBjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwAR +AQABiLYEGAEIACAWIQTXIpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbDAAKCRDY +cg2VfD0wdMMfBAC/66LvXwBPaHDakr0lo25PGOWWsf4o8yWui/Q/yhcc8KiELlzE +zmwnq0JDSodfJ5agMTxXfVu2oVUBDKuvTDLSCe2XUv+2ufAweg/xr/FrREc2TkLu +GZy6FMdtB7Ik1uJElmkIhnU7KsXXv6rq71gE+PCqnwqsn/SvLLaTJvtlEw== +=PafV +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGDfWUMBDAD0nxvYUqZiUioXYFbQXDKhzVPLTo8mUY9YNZQzrcuspP3XKja1 +B4v7PwMPeqkLS86n/lK9JOZh2AMe2fhKYdp+Rtoz+7ARVl9QzkQEjcILM88wJOTg +i/VwK/rCWKduns8NASSE8vZrFI4pvS1nrf5BNotArSCdHsuGhFvqk+BoId1Z7ykX +VC44CcR7ePEDVWnff0XRgiPxEMuHT9HlaFZig/aBZz2GUSuuu7n5dvQCKtZGiLPN +4KpCoXh4atgGSnAeuhVFYeonMdhQsrPFRHyT/ITutsEsu+sAklT9IcaUM6/LIjXc +hVOgePJWtwA1wqBNmKn6vriGiFaFHCun5BSQq08pty78yvL1AwqrIKPv1lPGXcn4 +RlNNgG4F3G3qpxviwq3QVuYn08EWQh465Giin1EO53LeGLMajB1FIKNxyMgkV/n7 +O1cJjoRbm0veboIJYFkRd7t7SjOStPxGiFrP1MvyQ1nkexETQoYd2hjLLJTjORWX +qXdLQFPSLcTQ0iEAEQEAAbQ0dGVuYW50ICh0ZXN0IGtleSB0byB0ZXN0IHRlbmFu +dCkgPHRlbmFudEB0ZW5hbnQub3JnPokBzgQTAQoAOBYhBJ3G+72zgB5OEUQBcTiV +mlUyK8ZLBQJg31lDAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDiVmlUy +K8ZLB4IMAK7p1Jq9mDki0fhNdKKF4p4wfP6eF28+8S6RbUsysaZK9zPMg/UKK5R8 +0Y/oXVCYtXTjdyjEwiSui15KcuKXBzzFnmJKTwGX5IVm5C6Y2dclDmFbZejJ9GJ1 +ImXh7pD/MgQfic/2i9lxmmc4tMZJCEJnaJw+oUniBO5KK5UV7fyoONIJAG3HW3B/ 
+aAEuYuB7lOejtkLxJDJeYJfrCIZYy9MYTzGOr0LukCws9+CqNiBaDdCJo6euGTao +LUIQlmdHB9peM0NjsQQpfpu0BzdlOgB0pnf79ZNRBlsgXqsine94tujRaiiOmcu3 +XVyM0JwUebB4ym2ky5+Gg9nneLCirWhqTqU+0sUHl7iwia+2L2fXa3aj6C0GlVAZ +Fpkrg/18BmdrykpaNJTq7z8MMrMD+crf5OsZIwPZ3xNjXiW3KLzvNKA09TlPTp8c +0WwzqmDsfkJPY2Z7+F4Bq/m9yYTiCxeQKwSCTOlLhubtnBx+Z93KxOeMy3jN07Ff +pZlkmNa4vLkBjQRg31lDAQwAttvs4g4Qfh3jl0QRAbIvxE8jKxBKijPmRRZf3MXd +dn7DNo7rv+J+HPWFSUlduX2eFDDbmDQAy1LQtXA2S63AELVTFNUxaHhbXpAltpV3 +1cIdcg7aNXc+uUC45EsC+mu6RE7u0pswMSepAeohI5jDNfX2Ij3EOtZfz1sC8CgI +FzdwQm795oAkFB4dS310fuJrejl3glBmX2jBDovKWTrjartrHqRiCrKjkBH3VEuh +pwNGYFw3mxA0NgltOBw698/XZqRJkonSmzZoLI9EJ+YGkIJtLHP14DxAeY5Z/7Yg +h0gIq7p3APEOr9uimm1pFEvReIx/4p7NM22ryQ/j7LlN/n8EAhpTHZn29t8ftTX7 +SZN5MygdgVdFxuiodvKsd4JtFMHGKq2BQZG2ZcVhSUTI+0tX/gDgSzeyIWdHT22k +ZJXmTYIfDsDFETYWlzAf76nAT11Q1wEcJ4d4xfvo1fOVAMNKeWH8ovE3uIFQ7FI9 +qe4ImBTSEIOIN8xOh0SIYTLbABEBAAGJAbYEGAEKACAWIQSdxvu9s4AeThFEAXE4 +lZpVMivGSwUCYN9ZQwIbDAAKCRA4lZpVMivGSxKEDADofi4m8pXZOpuQ7IBhjjww +/CxMf5VunM/xH2SwnRi5/Uf/pwSu6sk+Q2VGRV25mZv7K/jjMcdduGzdYECZpU5Q +HJ5Yfzep4bz1GAORMAcBgUiTBH2QhDjkBkFrVfEbxnr3udESIb6NF3LpC0DiX2x6 +785pKYUEUUY/H3PsQvKqkls9iit6HTIu+fc0JOtzSLc5cUDcCoj9hsQA+7y1ijWv +ur1nTPVYjjITjogV+9siHTPr5Vkbx1IDMFtDgfU1OUsSnvDpGqruStmor9Qhq+X2 +384Ng2w0k82H+tCfrXXaBp32V8avFIXSA6QrVncu5jSueARFB6a08KbJzIodKEvl +lUBlJEweLFlBZm96JxfQnr7e0v/TpHJ6SW4v/1U9/BlGIPL4R8IjSp1kfL3UC8Yl +GftHRvOj+M9QWkaZEh6i1dAdL2ID1B0s9zp3TE+QJJjbq22Bq9yiHsIg9qx9AFhV +rwDF2ieowreVC8aC6NmtMFjnXCyyj2iBJlQ9zuh+hVM= +=5FdM +-----END PGP PUBLIC KEY BLOCK----- diff --git a/manifests/site/test-site/ephemeral/catalogues/public-keys/kustomization.yaml b/manifests/site/test-site/ephemeral/catalogues/public-keys/kustomization.yaml new file mode 100644 index 000000000..06c0b3b8c --- /dev/null +++ b/manifests/site/test-site/ephemeral/catalogues/public-keys/kustomization.yaml 
@@ -0,0 +1,10 @@ +configMapGenerator: + - name: ephemeral-encryption-keys + options: + disableNameSuffixHash: true + files: + - cmd-import-pgp=example.pub + literals: + # user U1, U2 and U3 + - pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074,9DC6FBBDB3801E4E1144017138959A55322BC64B + # - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey diff --git a/manifests/site/test-site/ephemeral/catalogues/shareable/kustomization.yaml b/manifests/site/test-site/ephemeral/catalogues/shareable/kustomization.yaml new file mode 100644 index 000000000..a0f57ccdf --- /dev/null +++ b/manifests/site/test-site/ephemeral/catalogues/shareable/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../target/catalogues +patchesStrategicMerge: + - networking.yaml diff --git a/manifests/site/test-site/ephemeral/catalogues/networking.yaml b/manifests/site/test-site/ephemeral/catalogues/shareable/networking.yaml similarity index 100% rename from manifests/site/test-site/ephemeral/catalogues/networking.yaml rename to manifests/site/test-site/ephemeral/catalogues/shareable/networking.yaml diff --git a/manifests/site/test-site/kubeconfig/kustomization.yaml b/manifests/site/test-site/kubeconfig/kustomization.yaml index 026f08c66..7aaddbc2b 100644 --- a/manifests/site/test-site/kubeconfig/kustomization.yaml +++ b/manifests/site/test-site/kubeconfig/kustomization.yaml @@ -1,7 +1,8 @@ resources: - kubeconfig.yaml - - ../target/catalogues + - ../target/catalogues/encrypted + - ../ephemeral/catalogues/encrypted transformers: - - update-target.yaml + - update.yaml - ../../../function/airshipctl-cleanup/ 
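Review bot: The `pgp=` literal is effectively the access-control list for the ephemeral catalogue — every fingerprint in it can decrypt `../encrypted/secrets.yaml` — but the comment above it only says `# user U1, U2 and U3`. The committed ephemeral secrets.yaml (earlier hunk) additionally lists two `hc_vault` recipients (`firstkey` and `secondkey` at `http://127.0.0.1:8200`) while the `hc-vault-transit=` literal here is commented out, so the recipient set recorded in the encrypted file and the one configured here differ, and that vault address is plain HTTP to loopback, acceptable only for a local test vault. I would replace the comment with `# Recipients of the ephemeral catalogue: every key listed here can decrypt ../encrypted/secrets.yaml; keep this in sync with its sops.pgp / sops.hc_vault sections.` The target list (`target-encryption-keys`, later in the patch) has the same gap with its own two fingerprints.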
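Review bot: The kubeconfig build now pulls both `../target/catalogues/encrypted` and `../ephemeral/catalogues/encrypted`, so a single `kustomize build` has to decrypt both catalogues, and with per-cluster recipient lists (three fingerprints for ephemeral, two for target in this patch) an operator who is only on the target list presumably cannot render the kubeconfig at all. That is a consequence of the per-cluster design but nothing here records it. A comment on the two resource lines, `# both catalogues are decrypted in this build: the caller needs a key from each cluster's recipient list`, would save the next person a confusing decrypt failure.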
diff --git a/manifests/site/test-site/kubeconfig/update-target.yaml b/manifests/site/test-site/kubeconfig/update.yaml
similarity index 68%
rename from manifests/site/test-site/kubeconfig/update-target.yaml
rename to manifests/site/test-site/kubeconfig/update.yaml
index c9bc5504d..6b81ed852 100644
--- a/manifests/site/test-site/kubeconfig/update-target.yaml
+++ b/manifests/site/test-site/kubeconfig/update.yaml
@@ -10,8 +10,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.targetKubeconfig.certificate-authority-data}"
+ name: combined-target-secrets
+ fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data"
 target:
 objref:
 kind: KubeConfig
@@ -20,8 +20,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.targetKubeconfig.client-certificate-data}"
+ name: combined-target-secrets
+ fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=crt].data"
 target:
 objref:
 kind: KubeConfig
@@ -30,8 +30,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.targetKubeconfig.client-key-data}"
+ name: combined-target-secrets
+ fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=key].data"
 target:
 objref:
 kind: KubeConfig
@@ -40,8 +40,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
+ name: combined-ephemeral-secrets
+ fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data"
 target:
 objref:
 kind: KubeConfig
@@ -50,8 +50,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
+ name: combined-ephemeral-secrets
+ fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data"
 target:
 objref:
 kind: KubeConfig
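Review bot: The `fieldref` values switch to kyaml-style paths such as `.secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data`, and the old field names that documented the encoding (`certificate-authority-data`, `client-certificate-data`, `client-key-data` are base64 fields in a kubeconfig) are gone, so nothing in the hunk says whether `caCrt`/`crt`/`key` in the combined catalogues are already base64-encoded as the KubeConfig targets require. A one-line comment above the first replacement, `# caCrt/crt/key are expected base64-encoded, as the kubeconfig *-data fields require — confirm against the generator`, would pin that contract. The same applies to the five sibling hunks of this file (the last one begins on the next physical line). Each hunk's `target:` objref continues outside the hunk, so the exact kubeconfig field being written is not visible here.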
@@ -60,8 +60,8 @@ replacements:
 - source:
 objref:
 kind: VariableCatalogue
- name: generated-secrets
- fieldref: "{.ephemeralKubeconfig.client-key-data}"
+ name: combined-ephemeral-secrets
+ fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data"
 target:
 objref:
 kind: KubeConfig
diff --git a/manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml b/manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml
new file mode 100644
index 000000000..b81981cd4
--- /dev/null
+++ b/manifests/site/test-site/target/catalogues/encrypted/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../../../../.private-keys/
+ - secrets.yaml
+
+transformers:
+ - ../../../../../type/gating/shared/decrypt-secrets/
+ - ../../../../../type/gating/shared/decrypt-secrets/cleanup/
diff --git a/manifests/site/test-site/target/catalogues/encrypted/secrets.yaml b/manifests/site/test-site/target/catalogues/encrypted/secrets.yaml
new file mode 100644
index 000000000..97022152b
--- /dev/null
+++ b/manifests/site/test-site/target/catalogues/encrypted/secrets.yaml
@@ -0,0 +1,73 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + labels: + airshipit.org/deploy-k8s: 'false' + name: combined-target-secrets +secretGroups: +- name: targetK8sSecrets + updated: '2021-08-10T20:00:41Z' + values: + - data: 'ENC[AES256_GCM,data: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,iv:bPQ/f0A83qe/N/5MQVMDwGKNo0gCVSov3j5ctRBqq70=,tag:vvmSh6a8pEoFE8yh5UpCUA==,type:str]' + name: caCrt + - data: 'ENC[AES256_GCM,data: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,iv:Z4EXdCvzyL3kfwgwGMO0dbo6n+24bXyu/YOLUvokYwI=,tag:1z8Igd1gDyCoAR4wshKo1A==,type:str]' + name: caKey + - data: 'ENC[AES256_GCM,data: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,iv:pvNaEoY5wwwbtDUUqJLj0h1CcXJBB6t/oOVTMTyXVOI=,tag:gEWpf9AKCNtA6nmkwj2GHw==,type:str]' + name: crt + - data: 'ENC[AES256_GCM,data:vzOfplS6cfnsH/1SbwQ5kOh2DzdOUrsRZH4/RafaLtMvC3d4n+Xixp/gr9rQ2pKrEt0gqrtyebtl736y65enRC7DEDJMHUwDhvTWDMZmzRu6duXLNy0At4vdTTiSzxm8sRoNFtGg2hkk5VkPZL0YUaRu4WTZjv/itjWy6spnXfc5r5p8glviUsPPBFK8WimCACHQOSswR1dRqD8/XEXiu2b25lj64+vtWyLMrjm5QmTh0o8a/Wk4K26mKiCsUiPBUKwAI8LjE/+yYVL9KFVufodoev7TZQ08FA9zyALyETA8pwImqBKq5Um9jKuMjhZ/7WlpbnV4egn6ZiBAt6FPgF/MUIat+9emVmpj6ch4RcbfK1uTIDVBOday7945B+u6aGJgI/bKnNoVkWAaRVkiR5CsQ4O+5dmu54KBm3bVYXwTmaRTLL/cQ/Cf73XeIJ/M0EtNrZrrsso1oCwgw4yzyvXmVtZ7RFzp1jEkDjyujmbB2I5fYpCADe1i7BPR2pLAx4JVUBr6qPPu0KJkUAStBOHkPTlzlAfineQjjU6n3s9YSWNTtsKpqazntWYZMNi0ou+8YTGJLq/Zzw7mxTxQloiGU/E866iyib66tTraxMBFKeTPvBjUZwg57DgpB6fW0sLl1xjJRcNW2fkwFHaV4iwdC11XLcjaFDX0r2qjxC1ZzlRB+R+iv6ZEalANayzAL5ymImM6WKx/CTBfTGA5Q9LOk15UCNSRT/ucak3+Px5u7tHp/FSrcAYIWako9MFPfUEq/4eLXTtYql20iEiHOjpT07/Xztyb7Jjas1qmYeoCzCeN7RrKHcuwqBG4DB4QX+5EY238n0RQ4bkG5sKdQDWbu8W3u4BmcvJXxjtFvdyB1WW/cQYvQXQn/bZH5DiMaWYAnpGAE+gA67z1aVofWPO0doKO4ae2SC5F6R0IslX7Zyx+YYHThIqQxeTjwVHNPAeuyfqZuE0oRwQFSy8bPFy4/nlm1kg6pXDjUCil2y9YDUU9MZZbKTlIqSQRzfaXiOZ5EqOMctz2UAa+w7kwh/4mKsye9e/C1J1McVV2HGXRMXJCmrNFJ1kdTd9/xuIAHHYPfsnAZRrnyZWuXZBAQfDB1ggZLMgn4wFExnS94GyQWFQIIm9KMapckYhAzkpAjLAPTg
YbfF1abm1dYL3VNlSFkBhoq6Uny3WVos+6362GjvhiHhsTWizNo+6R0wvFh5NFzEBkxJGe+GhCCTAeUB+aQ/4NvDcIcOBdbt2UVzmE4pNP6fkVg1ZcIWKyWahlkXvWXVBCfY/uZWyhCSwTrKEnk/WLzCNDu4z4OMYDZdmV/3CZ6xbLTKRhKalY3sHJtsJoKdmN5PpPiEIJ/PAiStJ2vH6ElVHY3tc79q4S76h1UiZKzmOAufNmULtNweM1/nNnEasEtqzR3JRN3kuZafagfTNZck3R0faaBYIxBLzXYldFJZ+7M5pk9OPKunt9rVG/iaO1jFexFyXkZhQO+o2oALsEY1JL0F1T2NUFz3Np1UUSuYO3WiaUyuwuyD1tx/+0RZFKC0rUJhLIUwerMNmz3WpZQQmRvTjZ+FDkwc3akRnUeYORqy8DrmSVITDJlJtfmtzCIJlYaPziK0uQ4VjmGzm+53uStyjDvZ0Zc90bbZ0abj1pJ9vR7HoiTUbgE0AxzEkwppgdko8v7nVLptflHliE47SLz9W2LpZjh9tEtkLsHxhHPF3+zCZfbs9smmWnQ3jHUgmv6yC5JedSFtYjt2ew9t2TgjIDugA+YTEV6X15V4dSYvNfSi3eqivRNQJYGyULEYCHWm1hze/zLMWsQTl5sD81QL98xpASqfb1Jnh8RdNDv/Mj/PPNCIL8hGuBbYvNejoCz450k+9yIsZ36+kMgDRRwenJLOYZjD+QqAod3LsD9D686EmBd7yLIkULBb3fMIuK1ejf5vkgVmd0U/AYoB9fWxeD7sxwcre2UBERj/1A7Tk6KoxK0KvS4Y1fMRCz24WxH5AfEKhn1fg9lcGeVSa7f6uvIHG6zNyMOD2STNUs+M3s73hwKgAtqIr1oCijnw4Oh/6V/KtMLcEu531Kq0jhfBPpP4Of1db6Xq0CpyAsUKd3cO3FRFVfugxDRavtbTkOD3kA07rXVCaq09UKWKJ50jzPUcgJJn3+pJbA56TOFs0m/7aovijjPMahayY4fggkXM2En+oWHNmDAdQp5Bd8E6vhn4Ouf5Qz0vvWd0ifaDLW/Y4aLME3rVPIIcYFgiq4JpASf9ANMVWH2IseXwzmzDIho9+IPIPEOOImrB+ly/9OOIeAkcTU646OIotUXwovvF5J1u+RBTXEqEGbZLkx9o0f1ZRvacW5FwwnYLR4Mz0qeh3XmQtanqeT5jNElGRaZpVBn1KBhWYmNh651u9Y0V9XkVLJGlPC1b/U2qQA+H2FEcTZd0Tk5F1w8+fUUQVi9UtFnw7LtcCbMflO6/FjXuyMIZxR9CJY98Lupscy53Cf78ClIo5OEQK1F/ix78n6y/uclyNFxcX/AvQ7JUNyOFrfXX1q5ZbdA3YSvm8QLEcZsG3hwI4N4p1k+uCS9oAnMfgNJyRwXIoIxs7BZ5oIVlF/lX1q3sP01WxTMlZxNQX3xPuGKeq7mPjqUwDcMMPNXGoCdKuWofQ7GCfp9wMF8a8lI2q/id4z9ETLHqkpV7H/CSNz0B2d6NjohVJ7FbDlNgWIo5e6ndCdiOjTVKU2OfCuCKdVJsleCjed5vYVyNKD4w9GlInVAPZsDppS3GEW5Xd0FerbGUIewg7OLFue3EUOm+ItxOJyRgr5AFiXhUHgcw/Kv22LGqheCpkvkj4uRAuPgI6kdDXpgBeL+z6djXDNkj03uPKQoCle3/NN6T19sYq3fqVSrdx6o0JM+GosJYqzcbCpa3qZWkr01kCFnWeWhWXxdspTXjF5Dwc6/+Tig7/oxdcvRqeswq8l9U0DcoSQSEaX/f+3q6bP8lA+v3TqKYx32I4=,iv:dPDYUIlrM0uLfyXEdUx7D/UYUYc2h92JZhmlfUHEPU8=,tag:ySJUMycKpoGg19qJKdNDCg==,type:str]' + name: key +- name: targetSshSecrets + updated: '2021-08-10T20:00:41Z' + 
values: + - data: 'ENC[AES256_GCM,data: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,iv:3V947NfzKkUc/KyqIqQxYRr5SlD1RIeppVC7651jppc=,tag:LNziKYmuXMRu7Myhu179Gg==,type:str]' + name: privateKey + - data: 'ENC[AES256_GCM,data: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,iv:dM6ZBlzqKY/1rQBvoELAsQ0C7t3ImqwgfEVC/tmB21U=,tag:09JyHpyaSOhczaHxKtmt6A==,type:str]' + name: publicKey +sops: + age: [] + azure_kv: [] + encrypted_regex: ^(data)$ + gcp_kms: [] + hc_vault: + - created_at: '2021-08-11T17:27:09Z' + enc: 'vault:v1: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' + engine_path: sops + key_name: firstkey + vault_address: 'http://127.0.0.1:8200' + - created_at: '2021-08-11T17:27:09Z' + enc: 'vault:v1:SHCcOUHlef/HMsMvS5KY+ZZYHicJDYNzcdzZKGwchjYIssfqE9KZXDv+O3bDNWbNH7BnMO63TKT1VeZ/oAHFkovNnl+fcTdMtbI7WYiDNxBWiV+yFmj9OshsharAaFJ0fh6TE5Qqksccq7Oq0DVcvzSpMvJnNL011e06i2ABTOEjsjyf/kj/9hwnAezc+rlylvmObaOpX6lURmWqBeptFbmLj446BcVCITatg9Tg8qYbRz+PR1JIOaSmTSoRuifPPSZR0PoJmda6+gmHNJ7ezFAAyNq21lUnhr60R1gPI17WUwu7IPWNL1LMrTFRw1SQahbQFaAOj6wDqdKJ/HS1Cg==' + engine_path: sops + key_name: secondkey + vault_address: 'http://127.0.0.1:8200' + kms: [] + lastmodified: '2021-08-11T17:27:10Z' + mac: 'ENC[AES256_GCM,data:kYqyZkHzzrFCMCVChrNrQzBZ88vYzursIFEJGQz4mHpnMXMCPykpKOzfpUSlj+M5mYsb/y5hNbw8xsKOo1GUV2tEjoJ4k7kL4CF3JRVLHKHDgpJE8GTtz0uHBwN7HrPX7EurSWHeVmOTxP+1mxs7cBQQS/Yb2DyvOJNZyYswfxs=,iv:NDTuNLFHQxvZoLF693Y23bqySnrn/EBMvUNHkj59Bu8=,tag:UARHcP1hom78DlC1T/S8kA==,type:str]' + pgp: + - created_at: '2021-08-11T17:27:09Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAyUpShfNkFB/AQgAhDRNRaVRHjXylYzg1ASfArY6BptjZm3dldnNjGP5p8RZ + Szz7Y77NTEqc4HGm0D2L2ob0hx76FUanMAEOEB7OJAqQC3T9rjVTnNrdfpX+I9ty + k4b5scb5iya6dQasDGccyMSlNwkJu63f88DhVXQgg62Z3r8LrkG5yUPB2YH5qpCf + m1xx19ssVuAP+EBp8T6hulhCf57zbGsJwUr6d0pkXzX5sUbeoNzgGSJ3xkyS5h/D + VvMjQpNxB3lvItNzvtDYCotQzzGMWRHKkDm4xzlN0ztbvg88pfCUNopU9kD4boXn + x13KS5F/LXokHRagXOxY/2lvIbpqMR57w/k6X+dj7dJeATWuTCbYLcST7YpPbScx + 
/PC756MHVn77RyIeNVkVL9b+PVgTHmU4XtX/ofBbVSpgRIL4kIpTjvvvQ/ZJpNCj + 8IxL/Iwni90DXv+CrhL8mRlwH8dtXGyMuthYGGU/Pw== + =Ln27 + -----END PGP MESSAGE----- + fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 + - created_at: '2021-08-11T17:27:09Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hIwDXFUltYFwV4MBA/9KHOMOnyeKipAPielSJGYCFIe70/DqoaUOgbq1aerC5VQ6 + 4jRZ6+yhNHFCYAYH7cN4i/wroJLeNY8e4PUDd/dBTILr4P9htje+8SiIoQFaI1Fo + VR9y7MTYpiHniW3Off7McwNg9qny1xpRDcv2M6wlqtMYVBGzu8RDKvAjbGPJwdJe + AToMSYhD83qWOjcRsdj/N/l/aMYZXYU1/crO/sM7wvJdM0irvJeZTclI0Btv01NJ + Hy+7ZzhB65XAvdKbTlw2YcyLkISq72HnuNX5IwhptZOxkhuh5rrYjlSUvdSL/Q== + =0cje + -----END PGP MESSAGE----- + fp: D7229043384BCC60326C6FB9D8720D957C3D3074 + version: 3.7.1 diff --git a/manifests/site/test-site/target/catalogues/kustomization.yaml b/manifests/site/test-site/target/catalogues/kustomization.yaml index 27804446d..a2b72da55 100644 --- a/manifests/site/test-site/target/catalogues/kustomization.yaml +++ b/manifests/site/test-site/target/catalogues/kustomization.yaml @@ -2,10 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../../../type/gating/shared/catalogues - - hosts.yaml - - ../encrypted/results - -patchesStrategicMerge: - - versions-airshipctl.yaml - - networking.yaml + - shareable/ + - encrypted/ diff --git a/manifests/site/test-site/target/catalogues/public-keys/example.pub b/manifests/site/test-site/target/catalogues/public-keys/example.pub new file mode 100644 index 000000000..e25072c6c --- /dev/null +++ b/manifests/site/test-site/target/catalogues/public-keys/example.pub 
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ +wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ +6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl +3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA +d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN +ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h +bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p +IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO +5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz +gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl +obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91 +rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E +RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D +ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo +1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF +hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh +vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn +PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D +veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc +s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1 +9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA +CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE +hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa +iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi +UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt +cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q +DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== +=Zs2s +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mI0EXWhBiAEEAM+5U/ol2T8n9Ns1r11eKun/PPArXxmo2502pAY3cf7ZpKDFfAvC 
+VF/PLusHcJToTCPOT0RVh5jO1MiQYcvQlnUIJOIEkCuUc7RsdBDsI94o+SEiGSN4 +DzK711xTvuhgLbFvCB/jcpjN8wpIYTJuD6wE75sf5jqlokrnhXZy5LcbABEBAAG0 +U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMiAoaHR0cHM6Ly9naXRodWIuY29t +L21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+iM4EEwEIADgWIQTX +IpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbAwULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRDYcg2VfD0wdEdnA/9mMGieN4hrnmgMwchZ5fplBAUCeB4R+KewSHce +gfQIxN8i3vCOHaqmF8cmc2ifXfioqsSQU9JdRl7dx+TN9sgyWas1wfT01j98sfPk +NQrgrOxC/24SQ9f7C3bplXO+25kLXCPTUomMj8zf9marVeUVNeC6IduFRRI7hxrz +tIyN/riNBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwV +ZKe1D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ +04OrBjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwAR +AQABiLYEGAEIACAWIQTXIpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbDAAKCRDY +cg2VfD0wdMMfBAC/66LvXwBPaHDakr0lo25PGOWWsf4o8yWui/Q/yhcc8KiELlzE +zmwnq0JDSodfJ5agMTxXfVu2oVUBDKuvTDLSCe2XUv+2ufAweg/xr/FrREc2TkLu +GZy6FMdtB7Ik1uJElmkIhnU7KsXXv6rq71gE+PCqnwqsn/SvLLaTJvtlEw== +=PafV +-----END PGP PUBLIC KEY BLOCK----- diff --git a/manifests/site/test-site/target/catalogues/public-keys/kustomization.yaml b/manifests/site/test-site/target/catalogues/public-keys/kustomization.yaml new file mode 100644 index 000000000..eb0bafd0d --- /dev/null +++ b/manifests/site/test-site/target/catalogues/public-keys/kustomization.yaml @@ -0,0 +1,10 @@ +configMapGenerator: + - name: target-encryption-keys + options: + disableNameSuffixHash: true + files: + - cmd-import-pgp=example.pub + literals: + # user U1 and U2 + - pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074 + # - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey 
diff --git a/manifests/site/test-site/target/catalogues/hosts.yaml b/manifests/site/test-site/target/catalogues/shareable/hosts.yaml
similarity index 100%
rename from manifests/site/test-site/target/catalogues/hosts.yaml
rename to manifests/site/test-site/target/catalogues/shareable/hosts.yaml
diff --git a/manifests/site/test-site/target/catalogues/shareable/kustomization.yaml b/manifests/site/test-site/target/catalogues/shareable/kustomization.yaml
new file mode 100644
index 000000000..c9a77650a
--- /dev/null
+++ b/manifests/site/test-site/target/catalogues/shareable/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../../../type/gating/shared/catalogues
+ - hosts.yaml
+
+patchesStrategicMerge:
+ - versions-airshipctl.yaml
+ - networking.yaml
diff --git a/manifests/site/test-site/target/catalogues/networking.yaml b/manifests/site/test-site/target/catalogues/shareable/networking.yaml
similarity index 100%
rename from manifests/site/test-site/target/catalogues/networking.yaml
rename to manifests/site/test-site/target/catalogues/shareable/networking.yaml
diff --git a/manifests/site/test-site/target/catalogues/versions-airshipctl.yaml b/manifests/site/test-site/target/catalogues/shareable/versions-airshipctl.yaml
similarity index 100%
rename from manifests/site/test-site/target/catalogues/versions-airshipctl.yaml
rename to manifests/site/test-site/target/catalogues/shareable/versions-airshipctl.yaml
diff --git a/manifests/site/test-site/target/encrypted/README.md b/manifests/site/test-site/target/encrypted/README.md
deleted file mode 100644
index fbb7d9f23..000000000
--- a/manifests/site/test-site/target/encrypted/README.md
+++ /dev/null
@@ -1,32 +0,0 @@ -# Secrets generator/encrypter/decrypter - -This directory contains an utility that helps generate, encrypt and decrypt -secrects. These secrects can be used anywhere in manifests. - -For example we can use PGP key from SOPS example. -To get the key we need to run: -`curl -fsSL -o key.asc https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc` - -and import this key as environment variable: -`export SOPS_IMPORT_PGP="$(cat key.asc)" && export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"` - -## Generator - -To generate secrets we use [template](secret-template.yaml) that will be passed -to kustomize as [generators](kustomization.yaml) during `airshipctl phase run secret-generate` -execution. - -## Encrypter - -To encrypt the secrets that have been generated we use generic container executor. -To start the secrets generate phase we need to execute following phase: -`airshipctl phase run secret-generate` -The executor run SOPS container and pass the pre-generated secrets to this container. -This container encrypt the secrets and write it to directory specified in `kustomizeSinkOutputDir`(results/generated). - -## Decrypter - -To decrypt previously encrypted secrets we use [decrypt-secrets.yaml](results/decrypt-secrets.yaml). -It will run the decrypt sops function when we run -`SOPS_IMPORT_PGP=$(cat key.asc) kustomize build --enable-alpha-plugins -manifests/site/test-site/target/catalogues/` diff --git a/manifests/site/test-site/target/encrypted/generator/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/kustomization.yaml deleted file mode 100644 index 4ddb1d09b..000000000 --- a/manifests/site/test-site/target/encrypted/generator/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -generators: -- ../../../../../type/gating/target/generator/ -transformers: -- ../../../../../type/gating/target/generator/fileplacement/ 
diff --git a/manifests/site/test-site/target/encrypted/importer/kustomization.yaml b/manifests/site/test-site/target/encrypted/importer/kustomization.yaml deleted file mode 100644 index 3ad5ab4e8..000000000 --- a/manifests/site/test-site/target/encrypted/importer/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resources: - - ../results/imported/ -transformers: - - ../../../../../type/gating/target/importer/fileplacement/ diff --git a/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml deleted file mode 100644 index d68c20c09..000000000 --- a/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: - - secrets.yaml diff --git a/manifests/site/test-site/target/encrypted/results/generated/secrets.yaml b/manifests/site/test-site/target/encrypted/results/generated/secrets.yaml deleted file mode 100644 index 540a65044..000000000 --- a/manifests/site/test-site/target/encrypted/results/generated/secrets.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: airshipit.org/v1alpha1 -ephemeralClusterCa: - crt: 'ENC[AES256_GCM,data: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,iv:1VYsXZzm9oyt10Gik06zOiMXLnCbdlayGXuGhg+UXlo=,tag:eEeUk2MByrpGB/XeZxepQA==,type:str]' - key: 'ENC[AES256_GCM,data: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,iv:qBXD2ZqvyxH/Z02roHl6ZK7+vXu0DvYbNkTZrQyO98Q=,tag:GqyEgh8EdaUFAwkPBi4f7w==,type:str]' -ephemeralKubeconfig: - certificate-authority-data: 'ENC[AES256_GCM,data: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,iv:Q6aX25mYvdH14Wsw4OOCWWUuJxyVv6S7BBdOYKVoRdo=,tag:2xNfxP486RLulwKRF40Ctw==,type:str]' - client-certificate-data: 'ENC[AES256_GCM,data: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,iv:lJGzozX58ZHHLshohQXzaX4NjEllFmfb2Ap+RterlNA=,tag:IWMQIA6ratIPrTvTyZsc6A==,type:str]' - client-key-data: 'ENC[AES256_GCM,data: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,iv:FkiFas/0DNjwicUQtn5YwFGkm66hHQDUvOxWwp9HynY=,tag:5alfeVDKL4VU5OQY8a59bQ==,type:str]' -isoImage: - passwords: - deployer: 'ENC[AES256_GCM,data:AxP568lFnGRzzJJz9fY=,iv:KJq4oGMvKD9rzh5pny7huqF+vFJapSM3KT1oiQZut1w=,tag:G3MZ3YrA6V8FiRZK3Y9eqQ==,type:str]' - root: 'ENC[AES256_GCM,data:GcQasKPjs2VIilTOjfM=,iv:u39tfeYhi/Lhn2k4duT0Qw8rg/7+aHE9a+k/secNxDQ=,tag:51NVeLaS61WMqYaeCI0Sag==,type:str]' -kind: VariableCatalogue -metadata: - labels: - airshipit.org/deploy-k8s: 'false' - name: generated-secrets -sshKeys: - privateKey: 'ENC[AES256_GCM,data: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,iv:apXcQV9iCzhauqZryv31qLCguyDt9hm6VUOX5GZrjB0=,tag:YGfGc2btt7ml9xIBwb+Gwg==,type:str]' - publicKey: 'ENC[AES256_GCM,data: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,iv:8f3KRXqSZJx2rBVDtUQ6ptepPVcMrxCb1dnCOdQ29Hc=,tag:WDtj8YJ9SwfCRlQM3nDwqw==,type:str]' -targetClusterCa: - tls.crt: 'ENC[AES256_GCM,data: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,iv:ozUEtceBEmB+W05dB8fH2HlYRxdsrn40woE/Cz2Ay5s=,tag:QyR/FLIkAhFkbCU6j/z5YA==,type:str]' - tls.key: 
'ENC[AES256_GCM,data:q4k57N0zYJuJiIQGVCObUMTsO8HnFgX0u1mV40eep55GZOFdYVmebAB3B3HIQWNxDpjGXb4bTLpy1AiO0uj/Id+JYT4oztU9BkEejEexvfhi0Lb3eN5rRuGwA2f+/yRixTyOEpy6tHeRHcNQgod6KOxW2pa7+bhiKxTq4qkCHj72xRAqo1eqZ47aXBzZ9f77ZOriJQq2BPV+v/n5XoFEG15n0OhU/7AMt3z+UbwwMKXGBp1uzR9XCKb3IQwgV1Z45kA5pTfyDtVLDKUGga9Q7ixmXyYs+MLnYx8VrMIE0/TDfDqPX4l0CzOmcocZIGG//pmzFFtRGGSzJw8W+Kv1mfsDMXrcml90vc0UcRMkvIjnAQaEouwqzAdSyNt9r6wbP/IfE5zAGmjQkd5ciNYh7K03Y7+rYUPXQWTm66GHHhM01zAm3zx86+JWtV35HslzNa8pe62tL5PQVN7jsrtlpmiM/XAWhwYH0Xkr+Tw7PfwmzMfHuuD8yp1OJ3eN62nP+Q/X3zUat5/ZipC8bpI67f5xD/5SjcAfRbf/0h4bqlxNIrpVZh2bsO7STctBl3k2mJeIqBMzSBDKZ0QNNgcBg7AToeORgk8eVg2qtXnc/rFpRK7MhJlFASBR+Ege3te1/ZX2DZtsov8UJmKdmR4zke7flLn22UI9Fma49DRvkbH54AygBlw6SY1kZAQlWsN2FBxLi2LeSUSHba3lchgOqEjqm/X3gd+n8a0bND8Vq38xK47DU6BHL+IjlLRjrqf5BhXe/5zTjkfDFEzZfZCuKFDMNzfmQ1jut5x+j6FhRxXvD2PoVzDkHnu/Hl8fuFfQBRxyxH+CB6RiDchnhAD6w7zsZ57ozGQechJtjpWWVBFJ7AyvWGtUinfIlarviOmfkOSQ1BLvPLI8J+5m3Skhcs4sf01Ux96xS1i4rIBYak4mYT2oK1fKa8wQy21m7VbVTVMrvYYjJsEKoGmKrQQgDQhztTHlFLM4yTWSDj96I1bgpFqh+uUDLVOeaRA59/TBLCCbbllr35h3eJNlR5Wh4oSgLQbP115MZPEMc3mzAh4igo7TR3IvlQCeqUnq1Z7XBhZqJrr1UFgq3qBjiAECsh28w+UQ6mpoJtrpHJZFUdBfPmCAzaqOM6mmD7Z51mnZiFF2C6IEmaM1sdGR2nbWgPHoWKW/G5yVtEB1iEnzcC2ZNWTMb0QiZ5sr99PKtyXXHt5X2oRtN6mEcvj/1WoEZVhDEwW1pc9Fo6JBpmOvGpoWFjSV9QkCll6reTnnQukNx3F3xUvKyQmPT+c8M//v8n0rVMm+JJ2WwayDRRsudPzv93CRV/dUHpXa+GkhJ6fhXvcjp1ajJ7Z1rDgWRAnBHt3wjyOMgoiAkWhrGucAi+KqZoHy0c0eMaOkr9B5LZrxaQf1PpZQS9fxtFTBUeFeWQeBif0PlggobVXKL6YQlMKA4sdACCfkH4nXFELd39FrV+W9I8t17l5yXJ1M6rhMk9yuWYVesn6wQkIcIqLBGRU+yF5R4f0PrpVXOHcQdXd4DYSEyQhVm1rS0tADxKfiwHTNhZzTZyY7OUjldP4I2Zn2mHTXiLqibICHk9V8biGxpOoKXOLve1F9HtwukzE4cAwWxnhKY3bydruIBOP7qGkR3Xvxb66nUfAGrC6w0ElJt/3wP384ROljGBKnSfL6y6DsFTYb0N2P+cBw2Zz0DlhwNnw+4PyN6SMqllfswEGK2TJ1afp1Daehsz89P5FJ/UCTn1eY20alvzjjyQ/7uoTcNoeBreERzzQv6RGhm0YBGhYZzzr0EPWu5aKymAThvKUxLao/ktJtFzEM+n8/nyCOc59A7KQkwE5F7fNMvEPYCYN0EDLcl14VceaftMwYc3/5uujmfRp7YLwTy0Q0YX94UiPXQlRR51cC/HrBATvuRtpIayX4ExN48YEvtFAuFFyawmQ0BzCZnszU44sdINpaitR74gANI6Nkc7d
VFXCMiKfRgleKSnY2/HoigVLAYISV05AcBAJG0h5AEvL7LAUkFgkRSCsb4ImlDL0Jsme8m349ldYiT1vYk9fvFjMLq+I54QQ3gY3q+ZJDbZIxgyQb8jHsnQmUDd2StlJ26bw14sTe2KeJhwsPOzP87yXlkIpp5X411Ts9MNz1wXBE3am/sxxoW+KVwGztOx2jW6i9duH3djzjoCva5wyfwlDRCsID73Jd/7cWeCfmJjPZNlAyjOhg+UJObxO+9EOzH5pP/NZkFglwrMRLyi+MTs2gjn396mjLABkkpjd53ZZnkdWDtTNXnzvl62TDDMhO8u6ELzN+5zXoUS/aZXbXQPx85Gqo2LzyXTKDaSF7fsDQSH8boypH11B8MPZzRl2Yw0TT1QnRaJx7iXHRT+xW2Y8Qqp8CwQ0+d4CBzQkmaRyzCle1QwTl84SwEcspG6hXLCHERVEPrHR9tZ0a53XVKqGqZUMHrBrgrSvtsaUfaUkoU+IJ1ktBNB2Xc3dywqGrGYMVwyxQkG6qFWQaotf/zsy51rD1bGizRw4jh8yqOiplcqQPRWzxNxqv30b6iRVAc5d4MJgkTE6WSmDxHnvzzLgwuoJD3zFvRrS4KMafBmV4LKXE678BbjnA1raACcAJeD+4VdXPAsSCQ6sKT341PFThvBs+a4gUcvq7NHBBgApN/XPamrKqDEMA67KxC0xFpYPx3YtbyLz/fUMLzu3tanVY6tsvUZimSJcHLtvZ53rMmIJUP/2qtwdA+SEQ9Mk2wCGf9mqD9j2myHxTy2AiY7YTFuwCqLYa1LQrgtkVNf4NcUe7iGTiVOXvtnIncoq4BW/1W/DZ+NdKAz9VILoJ4vI+sSwJEOYj9ZXsnDRuQZVwkzYUJN328s8M0aC9Qao7Z/9+Jo5SKdgyStRGXdpAXq3n3GzWwTwnE/XdgotEryHSSGGpkkbN2k5Jr06TgFkARo9Evr+tnYIWismTmmlasDTmm1a+VnfGBpIujf++laNN9FY=,iv:UZA3vWQpP5ZGkmdQop36vcm7tdDVcuJmC1HSewpX6c0=,tag:HmVlQWjONvdQq8+bDGgvJQ==,type:str]' -targetKubeconfig: - certificate-authority-data: 
'ENC[AES256_GCM,data:qG6uar7SwT+I2RYVvy9elhzH+s1ZMCUYh13vMP4Ro0fkECP347wNOsXJkX0OwV8pPZLFDC0ldFZkXbtvK7qfmhEYx3noWPvPSjTKgaVmUZf3WYuG4OTr5l4vDpFXuiamo+cd61DSUvLo2OpnVUuMJpB4VtBeZ44JA4OaQ4zxmSJsOlNXFZxE34K/YRuL1F7ALrxBo8WKiTlaq02/2bYbhg0LzMrUUoFELPRffxRgLV7P3MQl6Dn46oWO5X0Js/pTHK8WbqVxjPrCw57BP9KhFEBFc2f3lcdiGjb+keSpnWflt4e8htb2SlVdbH/AbOxtBJKE6obUZ9YKz3r/RPBEe5yDhmazQaeI9HY4bnHSh3ry/BRWLffacoLtBv5rtpUNUieceUZYVRLTwsGktpwd/151e4eV+2McYCZ/dbKOmwniRNSbGD9yWOLBIhHb3px/UiGCDWu6jFCdFfFgqxjb6O9t/HDVJlQ5LZutuWMNkBg4Twns+dtb9TVPRwFCFkdd0qgHrZkkCLHMyYIpkMpiWPFSbJi9qLEJbgMG9240Iyyk9yPenkqCyyLVe7UcLosf1QqJAtcxTfL77SNBNXJHWho0n0Rscw4ycZ4pRBa8N51lzT20TWki7402ZVODvlDPhYVX/9YOgkcDrcuK/KcMs3vKuVicTNdWcCzM8VomFL9/RUmVOnr+pVvznngdoukWr+PgImcEuAU1xbOdLNWZYCNRyBROxdlShPOzZutLYEW4RMv5dY08tsT94V06SPQKCFNZCod7LeWAzByZtJP5m0BnCqhqndCZrinxW8OUph6UNEp/5NOJR5FkJ88R88gU8qD4J/6EiFNAI2SD4shoUl9EwfJVspHUBwneTms2H3ioZau1ubJQCmhxW6GgXP+XFYgKN5rD6fSCPKbc5I0ee0r+ypcQUtwmbUiuYivXq5tlTxwSOTPDRTWYz0mfX6GQYlZM8MkUE4oOYVZNEVj91x74BKnH7+4qz4jhtYT7m5uIiUSqDsAWdTR64iIcUa/ha6l7tT4PouEiXX74IlVcJIKUjWtGzHfrbd4owijnoD+yimBrDaNm9oCHv8AMRtYy7tTL8UUJeNcILz17tYG/Cgv+w4wTh6kNWHLL74Agd+FliBh+SIa7ihp+1YjfGJyiFnamD50YVEW2BD7mtHrJHrZf6F4RO6IAY6dQ5Bi2Sh+Dufc2FIcQBbMx9sJJu6rKsG4pGmU7CbcHJkLdq/w65ngw8g5RDES808y2MZCf7yUmWlDXV889a94fCDnBZU0kSKlY/JBtP259IANiislvfoVjh/1Tmfzk3NGu0bI8cBcJt1TZJoGYMUQkKnWeAdSJO0MHIZIir3q+KOQFAyq21dgt67gTpda8hc46N7O9HbkA+/VlwCHP1SxkudLl07gehUey3JVr+fs/nmYbBFPXO4MC2VBMogdxSc8G99iQbzK6jM5Sau6SEWYkoj2DTXr6evcRL6vqTuae4CZdJNkWdrY3WF+mD2cxoJ+qON22FSg+FKXDN2VA+YPEMlSiUQV84uuJcbOcsH3zibb00vtx8gjCAbrHbeeP4t5czw9WIonkOuFRjQDr50c0qRQ1p/+o1GFxIt8wQZVsa/S3rBhVrhVPKZB2Uui7I5zVWXJ8ZBV4Xph84BV+mXylG+XEYyEXKn3/VtCzxvIOH+60sHUu0xMFSvKNiLP2ml8wFEv5v7G6qdL9/gSG5wwPZcA8o1ozW1CBmYY7dtax6PARisRZQzm74Pb7IHJ2eshsr4Fgb7GmGGcxw3dCWYbzgZKoi7/WPraXbJ6RvUA6JSOOvCxCSXkElO884on9Trv+0UIYIGt3ngaCJD717IUBEot+/JzJy5r9Z/sPFOev2KKt2+eXVpqJxSxVyZjtpMAis7M4upUanBIrjcZN+qj7xVRhO8Up+TUvzSHvz/TlBIarsNl1K1hgGlTvc27EILPs6w==,iv:H/kgd4cJi4KgwNn
9k1Fs8YseCaT5QNwlr0Tyh7cNTmg=,tag:dIq98dkp8pLi5Dg73D7pOA==,type:str]' - client-certificate-data: 'ENC[AES256_GCM,data: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,iv:1Y8uCINVJ41LYbizSzx4l5Ix13l2c/FTUfE3YIIcVpQ=,tag:TMPPwf3h87uZkj0bUVEo8Q==,type:str]' - client-key-data: 'ENC[AES256_GCM,data:Zl+xqz8ozUMlVkbOILdzOM8fkqYAv93vTuH8ueUzstnBVszXD9BuhHijeTjyA8o4ByzvMg28yHnVzuU1tq0uq+w3DX1HHGuJIdSV4Qvnl+oHAh2Ca8HHRHyu67j/EMQxDviPjlgmDjpHxEg/X11TBoYq1sa6lbULX8q6vY04oMsa+RSsu/sTuHx3q3Jfo/RVDitq1x7Qud7jeZoNQhgzlaoe6cm/1i+72Shov+0houSyby9r2LO/tgVTuPMLL1wDPNkDfpUsbs3PNyXVCove4N/u4+YIp8QyUFmhOaGqcl8h5Qwmkbu3UG3ookM6Uua3wo9m7+CKODTWKNCma6zPi6ZO2dg6koMuU320HSqokGpcGPAmi02TFgeGsN4I0IhWM0O55N+3EGUN6M/IBI3EMHV2QbZn9hC5OoxEjazC2Xxg9UJaF5xvzYzTo0aPAhHgMu4NNZ0BSN4AEVEupI8JC/P0VoQyZtkg14LVlH6x/bx/HEpOqbj29b30fCVWjKXAjMCBxYg3ofoWWHklKt3XBVkBhzayCig/JrBc6ovJqmxfUcFcGleSXRMjg+z4XHXdylrVWEjPfGi/A7RGGkr0w1n5wsjnByVSvZj07x2bEKuqD/e0NuZwwqu6wOteMecKJsQWStAATYV2k44sCcQTB54NPdy/CE8/AZPgVLBqIaKiSTmkIt7x1aix+lGRtaphZDCOKVBOQ12cTS13mt0barb5iDu3b0p+EjeEhxiRZlk0F/jjU4aCyxfGtXyWX6SIMuJ2UQXLjBxsNaNtMENZ87YEJJgo6au5nO3Ou/CECwcIdbzYJPhydnQLi9jckkp1OLJ3QnYgJ5dFGvmVmwCDWmdsgC6wB0yfjAewRzY6PMRTtsAlAmmD3g1wsxmoU24axNoE+XkJiO6FUYnIgd2K6q+YJQl/hmYculSdHUtnCO9n4u8QO84krM2R+rU1aTm4VVwmJ4ziQ+45AlOCixRvfTFy3uuQEOSJcW3xeonstCSR4S2dMtfLj/uH2dUe/qTRTAzg1xgRwlSGWHNRvYDnZp7lylZ2/Hu09uQDwucAUtOvLXsfbspWObt1nqbSZswyC6Z9cFWePjS3Dl7EH0+3mtuayCJl8FJGAElky5LxKT43n2JeZ3/DZEcsAC6+LUcNBI49AQn6OlUigGSrJTICw9cDMOnsRleXJ71Qo5NRpk2RJI+KLx/a47Ja/z2O9IRC/FgoqGd1YSiAYeSKRHqlng50o7a3zx/l4WVbtaL4BBaCyOsVFiTA02xmovtbfEAbdqL/DVIldQJSlt/OU754GAGp6kOWuuo2uhpc0LhMh4oM+tNSfJpXOeyRchakp40wggEjQjzrqKwcNXVJgclgpZLHrke8Tfu/XAqyC2pKWw7pXvxJ801WUXAmcFwAflHMDs+UdpNr6z790BlO0EyloC6ExQeGVZLj0sKRVvRkW5/l4CsmIlT+EdZN2sFg43uYz1wjTHWnt66YEgDA0oGaerjkpKLd+Pnr/tUTMyl6iw2VPSmWbMnVCuMAdApr1zRek2NMwO86JzzOMe6spMg73VoaLd3ulKxmkpFlsZh+RHXZ7u6fBbvj6QnFPWcYKg2oVw83B4Fq0/3bmyuYhagGm3Aszrt3c5FQFk1Z6dy9G7fKZNxYqpJEck2EQ6momHn/1KxAgiB1/2+6Mr9CJvZ3gACetu5oxvmGSleu
PSEQVg7Rey9DWz9BSHPy9G7XobI/RuZoJQl5my8zKokXv3DEgI1UhKC0HklFhSILy46COsSJ87dSRsKIMlTCQwxTFWLDcIj5VwYyHLifwJs3P7TX8GY/5ih3kq30gxzssVaSB7hN1ujl6oLYaUCgTDIVT9kmKxZ5FRB7SFpw8P+2v10yRhhIElDmwTl40j4tCSvcDvhUlg4xONIDY5A3adt5/SESEmHXnqtBL2+iPcPIPewXlRb0U1GQmSugvu4KU05Ac4NlfWBHwMrDwXVvCNmHBv47ocrQ4gMHVFEHiNYiKKt+Qec9ltvxCQIG4cd2n6+BEsN8J5Bu2v5GKIhqS8tWKyuZfBKsf1YYWY5SVkKbSQ4PNOeR774JBwg9iqp+aMgCaGQIPBTVvoC6fTEQuUUFmHvr2NiYGgwzZIumroJTtaQyeRAQdKzL49NH66AuAMlh2KJqd8t6q0de/fYQLkGpIlKZO11chr4Kd6S6l5HjNQNLXE0CDOMERf2vq8tsRgQsHnNXHSEv1fAlPzL+uu3cjtO4+WVbjuz5uCz4T26Q1XSGSob5kpq1R6vLnUvL041jSf64qElGHvu19P1xxc6TjXb2uZ4iniC/qNRF2XRp9gwbfT4DGtdydnN9Re9pE3nMdADNu15BTvT4cnD16Dt0exLNlDwFyne6ZBlYCeTqhHtlVf5URHtB0mAC00RNrGroO8kmIrcwiwgPGRAaHrgtnRlEK9c4Or17rLaiyVCoTeX9W34cMRHzRhhgiNGTr1CTIIvlTuqmHgEanfk0UgXo1U1lxlWlz6+HQ/XHw9/90/gOo5MnzOAbgvW/AYmRNXyYT7jVVVqol1dyrDY1boLNr+kD9kHx11IavvrGNEVNjTMonC2njcWg6BDRUanauN8RN6CpUibnIBrv3WDTXFBWMVGQz88mT+F140uwPGyWXKCawNfkJqVVs9Ehec31DG8uic3cDd5bBepkWEfZq0SIjnl17jUkALwVD549sV5GElGRnJcs8ESAg5gBxmAusmL8QC5koCZnB596/hB8pekQE/A9dSnRn9AnFvj4749TyrV1azALQfZuaaupKNG9T2LHEmkUIbl4ikRwr91c8GRc7Px88U2RwZExbx4tHFLYK0eeZErVO8XgpEwNRLCj0WpPCpd1rjJRrh54renPyt1tBd6k7PzEWZjR1vDbC+kHFFSpAFROkAbxuxEHw9LlRajiNjXMsli6Rm608ErVQAiBS/AlIlAWDfepRb2tu/gv8phQkWY+lXIWGD/o2NbMDg==,iv:C7X6BYqmMMtoD1OEcZgZoUW0f2O7B5v+zhJk+Ltev+M=,tag:91V80ags9hfhwVWHAEICRw==,type:str]' -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - lastmodified: '2021-03-12T05:43:44Z' - mac: 'ENC[AES256_GCM,data:iVYywElUJHJ2QL3tERhSEYQcGtsWUbhBVLD4/hIlklwN7rkYMFg2wHxN7kirT8NzheLRYDWm0mwL5j2+tAB+jskSD8N0Ri0hblCJLftESDv22GBLcNSRPIDuHT9QT0HH67NxPCboqCmZ5jrGDhUDHAGLWw+0acooFI21zYpJt+w=,iv:bVOMxTP2hT/+/DEc7DqXm4Jhd+CVCP0vF9q810nAIYw=,tag:52iKibVMHmUnzo0q2JKFhA==,type:str]' - pgp: - - created_at: '2021-03-12T05:43:44Z' - enc: | - -----BEGIN PGP MESSAGE----- - - hQEMAyUpShfNkFB/AQf/fLysnifuFmRpDgFE3H9enVMwJiOb6rtTLa0xInlAmOhz - tFC7x9dbjMcFxbPACpjSm1pcgy4y+ve3ZJposL8Huxz1jcID9MEJy667D8ojscj6 - 
DG+XJm7PzVet1kWY8oOgttEy72PQyD1lqkasnadFspxHwnzhIrhheoO6bLeRUs8O - I5brUhKx7s3CU5mmwXm4wNpVenbL/W8MKkpSW4fYf0oMASGXr47Ia74meJnD7HD4 - keBJ60BVegh+Nv2OpWIlD6OXBzjEzvN9AJpekx3DQt641yZHeN7AWCB2JV6OisUL - TrKmo8MeIQi2hT1OggT5YYOoSSZlCeIH6UMm/utRutJeAS85ZCgu3JJUC6dHYNdp - OC3Bu3JgP7BJ29kTsOupG154X63fR/0NvlDKHX+TMJYZJtlpFJ6HpE5IIoQ4dwiS - KVOxDrTy5Pw8K9YOSYtGpIGuubQVBGkSAzTcXW+7fA== - =Pg6f - -----END PGP MESSAGE----- - fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - unencrypted_regex: ^(kind|apiVersion|group|metadata)$ - version: 3.6.1 diff --git a/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml deleted file mode 100644 index d68c20c09..000000000 --- a/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: - - secrets.yaml diff --git a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml deleted file mode 100644 index 0ead0caa0..000000000 --- a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: airshipit.org/v1alpha1 -kind: VariableCatalogue -metadata: - labels: - airshipit.org/deploy-k8s: "false" - name: imported-secrets -dummySecret: ENC[AES256_GCM,data:cLoVpHYvGAByZjXElzhX,iv:Pr44gXBRUTLAzcxgduqAwV36S1rb/WRbiQ3WnnOSwqE=,tag:A4kcrnRdWiYzgKJAotG7qQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - lastmodified: '2021-05-18T19:11:20Z' - mac: ENC[AES256_GCM,data:E0Uts+6wzSM201vWGMMmyBhRgOZ+JnzVSuiP8m4nZCdLSmbZlcTDTWLC895i08iZ624vxcTVlwbiF8HyRFKkFCNIhYkiyjA61CVEXRxrQXfC+Wo/RJdvXjHnIEBRfM+jSYAd8IdZVDOcMaKR42Gvik0D2J5lu0SiyYJrGzVqbIs=,iv:IT4U5A95rC4Ms6aa9SfS+rYhTwyzgJnUeOUAlp5+HSE=,tag:AsM6RWnbq7YTC4oQ67H/uA==,type:str] - pgp: - - created_at: '2021-04-14T16:28:50Z' - enc: |- - -----BEGIN PGP MESSAGE----- - - wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD - V73hTSSBhbFTlko81oBohS151qNrS1qtVbOhS5anlTOrgZnZ2Fmwt7YIxc68xbhO - 1fX8XbDAU2NmtWSdmc9sFLCrnpKakHuJfq6PMii8Cga126K7Smt62XuyFWw7r1Z+ - gyJXgIE2c1GNZmgKhhPgcVBZuyGr6x1Ml4t6qPqMTn1af64T4co+ujI0n1n3dXie - p/xCPD2QrI1DSMZgvJzPf8SVUD9jh70LUGJR4fY4U1kTazs/K1JwrPLSH/rWStUA - +MNtXkitYzQa4KH4Zr+3rEH6pC8ezgtntT99Wkj8g9LmAcyF+naWCh0Akaui+UNJ - 21DterDBlRsuJWUgFB54Kw+rSh7T1E4XbZzGQrb86EtCx9+gtPaRJoGYBi98wWAR - MORhPC2ylZX46XzMj9DTfMN44rvitTcA - =mdwS - -----END PGP MESSAGE----- - fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - unencrypted_regex: ^(kind|apiVersion|group|metadata)$ - version: 3.7.1 diff --git a/manifests/site/test-site/target/encrypted/results/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/kustomization.yaml deleted file mode 100644 index 1c294ca9e..000000000 --- a/manifests/site/test-site/target/encrypted/results/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -resources: - - generated/ - - imported/ - -transformers: - - ../../../../../type/gating/target/decrypt-secrets/ - - ../../../../../type/gating/target/generator/fileplacement/ - - ../../../../../type/gating/target/importer/fileplacement/ 
diff --git a/manifests/type/gating/shared/decrypt-secrets/cleanup/kustomization.yaml b/manifests/type/gating/shared/decrypt-secrets/cleanup/kustomization.yaml
new file mode 100644
index 000000000..ceec91979
--- /dev/null
+++ b/manifests/type/gating/shared/decrypt-secrets/cleanup/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - patch.yaml
diff --git a/manifests/type/gating/shared/decrypt-secrets/cleanup/patch.yaml b/manifests/type/gating/shared/decrypt-secrets/cleanup/patch.yaml
new file mode 100644
index 000000000..5fb22a8e8
--- /dev/null
+++ b/manifests/type/gating/shared/decrypt-secrets/cleanup/patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: delete-decryption-secrets
+target:
+ name: decryption-key
+patch: |
+ apiVersion: not-important
+ kind: not-important
+ metadata:
+ name: not-important
+ $patch: delete
diff --git a/manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml b/manifests/type/gating/shared/decrypt-secrets/configurable-decryption.yaml
similarity index 65%
rename from manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml
rename to manifests/type/gating/shared/decrypt-secrets/configurable-decryption.yaml
index ac95d5e2e..b7080462b 100644
--- a/manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml
+++ b/manifests/type/gating/shared/decrypt-secrets/configurable-decryption.yaml
@@ -19,15 +19,20 @@ template: | annotations: config.k8s.io/function: | container: - image: gcr.io/kpt-fn-contrib/sops:v0.1.0 + image: gcr.io/kpt-fn-contrib/sops:v0.3.0 envs: - SOPS_IMPORT_PGP + - SOPS_IMPORT_AGE + - VAULT_ADDR + - VAULT_TOKEN + network: true data: ignore-mac: true cmd: decrypt {{- if eq $tolerate "true" }} cmd-tolerate-failures: true {{- end }} - {{- if not (eq $debug "true") }} - override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import 2>/dev/null)' + {{- if eq $debug "true" }} + override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import >&2); [ "$SOPS_IMPORT_AGE" == "" ] || (echo "$SOPS_IMPORT_AGE" >> $XDG_CONFIG_HOME/sops/age/keys.txt);' {{- end }} + cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="decryption-key")]' diff --git a/manifests/type/gating/target/decrypt-secrets/kustomization.yaml b/manifests/type/gating/shared/decrypt-secrets/kustomization.yaml similarity index 100% rename from manifests/type/gating/target/decrypt-secrets/kustomization.yaml rename to manifests/type/gating/shared/decrypt-secrets/kustomization.yaml diff --git a/manifests/type/gating/shared/encrypt-secrets/cleanup/kustomization.yaml b/manifests/type/gating/shared/encrypt-secrets/cleanup/kustomization.yaml new file mode 100644 index 000000000..ceec91979 --- /dev/null +++ b/manifests/type/gating/shared/encrypt-secrets/cleanup/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - patch.yaml diff --git a/manifests/type/gating/shared/encrypt-secrets/cleanup/patch.yaml b/manifests/type/gating/shared/encrypt-secrets/cleanup/patch.yaml new file mode 100644 index 000000000..acbd9a32a --- /dev/null +++ b/manifests/type/gating/shared/encrypt-secrets/cleanup/patch.yaml 
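Review bot: With the condition flipped to `{{- if eq $debug "true" }}`, the non-debug path no longer sets `override-preexec-cmd` at all, so importing the PGP and age keys now depends entirely on the default preexec of `sops:v0.3.0`; presumably that image does it, but nothing in the manifest records the assumption, and a comment such as `# non-debug: the image's default preexec imports SOPS_IMPORT_PGP / SOPS_IMPORT_AGE` would make it explicit. In the debug branch the age key is appended to `$XDG_CONFIG_HOME/sops/age/keys.txt` with no fallback, so if that variable is unset in the container the key lands in `/sops/age/keys.txt`, where sops does not look; `${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/keys.txt` avoids that. `network: true` is also granted unconditionally although only the Vault backend needs it; gating it on a template value, as `$tolerate` and `$debug` already gate other lines, would keep PGP/age-only decryption offline. The enclosing `template:` block starts outside the hunk.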
@@ -0,0 +1,13 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: delete-encryption-secrets
+target:
+ kind: ConfigMap
+ name: .+-encryption-keys
+patch: |
+ apiVersion: not-important
+ kind: not-important
+ metadata:
+ name: not-important
+ $patch: delete
diff --git a/manifests/type/gating/shared/encrypt-secrets/encrypt-ephemeral.yaml b/manifests/type/gating/shared/encrypt-secrets/encrypt-ephemeral.yaml
new file mode 100644
index 000000000..266451e99
--- /dev/null
+++ b/manifests/type/gating/shared/encrypt-secrets/encrypt-ephemeral.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: encrypt-ephemeral
+ annotations:
+ config.k8s.io/function: |
+ container:
+ image: gcr.io/kpt-fn-contrib/sops:v0.3.0
+ envs:
+ - VAULT_ADDR
+ - VAULT_TOKEN
+ network: true
+data:
+ cmd: encrypt
+ cmd-json-path-filter: '$[?(@.metadata.name=="combined-ephemeral-secrets")]'
+ cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="ephemeral-encryption-keys")]'
+ encrypted-regex: '^(data)$'
diff --git a/manifests/type/gating/shared/encrypt-secrets/encrypt-target.yaml b/manifests/type/gating/shared/encrypt-secrets/encrypt-target.yaml
new file mode 100644
index 000000000..5139dd82e
--- /dev/null
+++ b/manifests/type/gating/shared/encrypt-secrets/encrypt-target.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: encrypt-target
+ annotations:
+ config.k8s.io/function: |
+ container:
+ image: gcr.io/kpt-fn-contrib/sops:v0.3.0
+ envs:
+ - VAULT_ADDR
+ - VAULT_TOKEN
+ network: true
+data:
+ cmd: encrypt
+ cmd-json-path-filter: '$[?(@.metadata.name=="combined-target-secrets")]'
+ cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="target-encryption-keys")]'
+ encrypted-regex: '^(data)$'
diff --git a/manifests/type/gating/shared/encrypt-secrets/kustomization.yaml b/manifests/type/gating/shared/encrypt-secrets/kustomization.yaml
new file mode 100644
index 000000000..9ee905d24
--- /dev/null
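Review bot: `encrypted-regex: '^(data)$'` in encrypt-ephemeral.yaml (and the identical line in encrypt-target.yaml) means only keys literally named `data` are encrypted; every other field of the combined catalogue, including whatever a future secret group stores under a differently named key, is written to the encrypted file in clear. Nothing in either file states that contract, so a comment is warranted, e.g. `# only keys named "data" are encrypted; every secret value in secretGroups must live under a "data" key`. The two files differ only in `metadata.name` and the cluster name inside the two JSONPath filters; folding them into one document with the cluster name parameterised would remove the duplication.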
+++ b/manifests/type/gating/shared/encrypt-secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - encrypt-ephemeral.yaml
+ - encrypt-target.yaml
diff --git a/manifests/type/gating/shared/update-secrets/fileplacement/filepaths.yaml b/manifests/type/gating/shared/update-secrets/fileplacement/filepaths.yaml
new file mode 100644
index 000000000..4c51ef673
--- /dev/null
+++ b/manifests/type/gating/shared/update-secrets/fileplacement/filepaths.yaml
@@ -0,0 +1,25 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: imported-filnames-patch-0
+patch: |
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ name: combined-ephemeral-secrets-import
+ annotations:
+ config.kubernetes.io/path: "encrypted/update/secrets.yaml"
+ config.kubernetes.io/index: '0'
+---
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: imported-filnames-patch-1
+patch: |
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ name: combined-target-secrets-import
+ annotations:
+ config.kubernetes.io/path: "encrypted/update/secrets.yaml"
+ config.kubernetes.io/index: '1'
diff --git a/manifests/type/gating/shared/update-secrets/fileplacement/kustomization.yaml b/manifests/type/gating/shared/update-secrets/fileplacement/kustomization.yaml
new file mode 100644
index 000000000..1cd1ffc5d
--- /dev/null
+++ b/manifests/type/gating/shared/update-secrets/fileplacement/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - filepaths.yaml
diff --git a/manifests/type/gating/shared/update-secrets/kustomization.yaml b/manifests/type/gating/shared/update-secrets/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/manifests/type/gating/shared/update-secrets/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/manifests/type/gating/shared/update-secrets/template.yaml b/manifests/type/gating/shared/update-secrets/template.yaml
new file mode 100644
index 000000000..f432ef6ae
--- /dev/null
+++ b/manifests/type/gating/shared/update-secrets/template.yaml 
@@ -0,0 +1,140 @@ +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: secret-template + annotations: + config.kubernetes.io/function: | + container: + image: quay.io/airshipit/templater:latest + envs: + - FORCE_REGENERATE + - ONLY_CLUSTERS + - DEBUG_TEMPLATER +values: + # these settings are overridable + sshKeyGen: + encBit: 4096 + ephemeralCluster: + ca: + subj: "/CN=Kubernetes API" + validity: 3650 + kubeconfigCert: + subj: "/CN=admin/O=system:masters" + validity: 365 + targetCluster: + ca: + subj: "/CN=Kubernetes API" + validity: 3650 + kubeconfigCert: + subj: "/CN=admin/O=system:masters" + validity: 365 +template: | + {{/***********************************************************************/}} + {{/* define regenerate templates for different sections */}} + {{/***********************************************************************/}} + {{- define "regenEphemeralK8sSecrets" -}} + {{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }} + {{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}} + values: + - data: {{ $ClusterCa.Cert | b64enc | quote }} + name: caCrt + - data: {{ $ClusterCa.Key | b64enc | quote }} + name: caKey + - data: {{ $KubeconfigCert.Cert | b64enc | quote }} + name: crt + - data: {{ $KubeconfigCert.Key | b64enc | quote }} + name: key + {{- end -}} + {{- define "regenTargetK8sSecrets" -}} + {{- $ClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }} + {{- $KubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $ClusterCa }} + values: + - data: {{ $ClusterCa.Cert | b64enc | quote }} + name: caCrt + - data: {{ $ClusterCa.Key | b64enc | quote }} + name: caKey + - data: {{ $KubeconfigCert.Cert | b64enc | quote }} + name: crt + - data: {{ $KubeconfigCert.Key | b64enc | quote }} + name: key + {{- end -}} + {{- 
define "regenIsoImageSecrets" -}} + values: + - data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }} + name: rootPasswd + - data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }} + name: deployerPasswd + {{- end -}} + {{- define "regenTargetSshSecrets" -}} + {{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }} + values: + - data: {{ $sshKey.Private | quote }} + name: privateKey + - data: {{ $sshKey.Public | quote }} + name: publicKey + {{- end -}} + {{/***********************************************************************/}} + {{- $onlyClusters := list -}} + {{- if not (eq (env "ONLY_CLUSTERS") "") -}} + {{- $onlyClusters = splitList "," (env "ONLY_CLUSTERS") -}} + {{- end -}} + {{/***********************************************************************/}} + {{/* get combined-secrets yaml and exclude it from the bundle */}} + {{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}} + {{/* get combined-secrets-import yaml and exclude it from the bundle */}} + {{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}} + {{/* skip secrets generation if it wasn't decrypted */}} + {{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "ephemeral" $onlyClusters)) -}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$" "true"))) -}} + apiVersion: airshipit.org/v1alpha1 + kind: VariableCatalogue + metadata: + labels: + airshipit.org/deploy-k8s: "false" + name: combined-ephemeral-secrets-import + secretGroups: [] + --- + apiVersion: airshipit.org/v1alpha1 + kind: 
VariableCatalogue + metadata: + annotations: + config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml" + labels: + airshipit.org/deploy-k8s: "false" + name: combined-ephemeral-secrets + secretGroups: + - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }} + - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }} + --- + {{- end -}} + {{/***********************************************************************/}} + {{/* get combined-secrets yaml and exclude it from the bundle */}} + {{- $combinedSecrets = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "false"))) 0 -}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "true"))) -}} + {{/* get combined-secrets-import yaml and exclude it from the bundle */}} + {{- $combinedSecretsImport = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$"))) 0 -}} + {{/* skip secrets generation if it wasn't decrypted */}} + {{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "target" $onlyClusters)) -}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$" "true"))) -}} + apiVersion: airshipit.org/v1alpha1 + kind: VariableCatalogue + metadata: + labels: + airshipit.org/deploy-k8s: "false" + name: combined-target-secrets-import + secretGroups: [] + --- + apiVersion: airshipit.org/v1alpha1 + kind: VariableCatalogue + metadata: + annotations: + config.kubernetes.io/path: "target/catalogues/encrypted/secrets.yaml" + labels: + airshipit.org/deploy-k8s: "false" + name: combined-target-secrets + secretGroups: + - {{ include "group" (list . 
$combinedSecrets $combinedSecretsImport "targetK8sSecrets" "yearly" "regenTargetK8sSecrets" ) | indent 4 | trim }} + - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetSshSecrets" "yearly" "regenTargetSshSecrets" ) | indent 4 | trim }} + --- + {{- end -}} diff --git a/manifests/type/gating/target/generator/fileplacement/filepaths.yaml b/manifests/type/gating/target/generator/fileplacement/filepaths.yaml deleted file mode 100644 index a7719d923..000000000 --- a/manifests/type/gating/target/generator/fileplacement/filepaths.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: builtin -kind: PatchTransformer -metadata: - name: generated-filnames-patch -patch: | - apiVersion: airshipit.org/v1alpha1 - kind: VariableCatalogue - metadata: - name: generated-secrets - annotations: - config.kubernetes.io/path: generated/secrets.yaml diff --git a/manifests/type/gating/target/generator/fileplacement/kustomization.yaml b/manifests/type/gating/target/generator/fileplacement/kustomization.yaml deleted file mode 100644 index aecaf8276..000000000 --- a/manifests/type/gating/target/generator/fileplacement/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- filepaths.yaml diff --git a/manifests/type/gating/target/generator/kustomization.yaml b/manifests/type/gating/target/generator/kustomization.yaml deleted file mode 100644 index 3ffd12cf5..000000000 --- a/manifests/type/gating/target/generator/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- secret-template.yaml diff --git a/manifests/type/gating/target/generator/secret-template.yaml b/manifests/type/gating/target/generator/secret-template.yaml deleted file mode 100644 index 706037818..000000000 --- a/manifests/type/gating/target/generator/secret-template.yaml +++ /dev/null 
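Review bot: `index (KOneFilter getItems (include "grepTpl" ...)) 0` is evaluated for `combined-ephemeral-secrets`, `combined-ephemeral-secrets-import` and their target counterparts without checking that the filter returned anything; when a site has not yet seeded one of those catalogues, Go's `index` on an empty list aborts the template with an out-of-range error instead of a message naming the missing document. Capturing the result first and failing explicitly is clearer, e.g. `{{- $found := KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false")) -}}` followed by `{{- if eq (len $found) 0 }}{{ fail "combined-ephemeral-secrets catalogue not found" }}{{ end -}}` (assuming sprig's `fail` is exposed by the templater). `group`, `grepTpl` and `isEncrypted` are defined outside this hunk, so the meaning of the `once` / `yearly` arguments passed to `include "group"` is not visible here; a one-line comment above the first `include "group"` stating that they are the regeneration policy per secret group would help the reader.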
@@ -1,58 +0,0 @@ -apiVersion: airshipit.org/v1alpha1 -kind: Templater -metadata: - name: secret-template - annotations: - config.kubernetes.io/function: | - container: - image: localhost/templater -values: - sshKeyGen: - encBit: 4096 - ephemeralCluster: - ca: - subj: "/CN=Kubernetes API" - validity: 3650 - kubeconfigCert: - subj: "/CN=admin/O=system:masters" - validity: 365 - targetCluster: - ca: - subj: "/CN=Kubernetes API" - validity: 3650 - kubeconfigCert: - subj: "/CN=admin/O=system:masters" - validity: 365 -template: | - apiVersion: airshipit.org/v1alpha1 - kind: VariableCatalogue - metadata: - labels: - airshipit.org/deploy-k8s: "false" - name: generated-secrets - {{- $ephemeralClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }} - {{- $ephemeralKubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ephemeralClusterCa }} - ephemeralClusterCa: - crt: {{ $ephemeralClusterCa.Cert|b64enc|quote }} - key: {{ $ephemeralClusterCa.Key|b64enc|quote }} - ephemeralKubeconfig: - certificate-authority-data: {{ $ephemeralClusterCa.Cert|b64enc|quote }} - client-certificate-data: {{ $ephemeralKubeconfigCert.Cert|b64enc|quote }} - client-key-data: {{ $ephemeralKubeconfigCert.Key|b64enc|quote }} - {{- $targetClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }} - {{- $targetKubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $targetClusterCa }} - targetClusterCa: - tls.crt: {{ $targetClusterCa.Cert|b64enc|quote }} - tls.key: {{ $targetClusterCa.Key|b64enc|quote }} - targetKubeconfig: - certificate-authority-data: {{ $targetClusterCa.Cert|b64enc|quote }} - client-certificate-data: {{ $targetKubeconfigCert.Cert|b64enc|quote }} - client-key-data: {{ $targetKubeconfigCert.Key|b64enc|quote }} - isoImage: - passwords: - root: {{ derivePassword 1 "long" (randAscii 10) "user" 
"airshipit.org"|quote }} - deployer: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }} - {{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }} - sshKeys: - privateKey: {{ $sshKey.Private|quote }} - publicKey: {{ $sshKey.Public|quote }} diff --git a/manifests/type/gating/target/importer/fileplacement/filepaths.yaml b/manifests/type/gating/target/importer/fileplacement/filepaths.yaml deleted file mode 100644 index a89e95b10..000000000 --- a/manifests/type/gating/target/importer/fileplacement/filepaths.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: builtin -kind: PatchTransformer -metadata: - name: imported-filnames-patch -patch: | - apiVersion: airshipit.org/v1alpha1 - kind: VariableCatalogue - metadata: - name: imported-secrets - annotations: - config.kubernetes.io/path: imported/secrets.yaml diff --git a/manifests/type/gating/target/importer/fileplacement/kustomization.yaml b/manifests/type/gating/target/importer/fileplacement/kustomization.yaml deleted file mode 100644 index aecaf8276..000000000 --- a/manifests/type/gating/target/importer/fileplacement/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- filepaths.yaml diff --git a/pkg/document/bundle.go b/pkg/document/bundle.go index f07567e9b..22f53ad3c 100644 --- a/pkg/document/bundle.go +++ b/pkg/document/bundle.go @@ -132,6 +132,9 @@ func NewBundle(fSys fs.FileSystem, kustomizePath string) (Bundle, error) { PluginConfig: &types.PluginConfig{ PluginRestrictions: types.PluginRestrictionsNone, BpLoadingOptions: types.BploUseStaticallyLinked, + FnpLoadingOptions: types.FnPluginLoadingOptions{ + Network: true, + }, }, } diff --git a/pkg/document/plugin/templater/extlib/funcmap.go b/pkg/document/plugin/templater/extlib/funcmap.go index 58d83fac4..cd9852649 100644 --- a/pkg/document/plugin/templater/extlib/funcmap.go +++ b/pkg/document/plugin/templater/extlib/funcmap.go 
@@ -36,4 +36,15 @@ var genericMap = map[string]interface{}{
 "regexGen": regexGen,
 "toYaml": toYaml,
 "toUint32": toUint32,
+ "YFilter": yFilter,
+ "YPipe": yPipe,
+ "YOneFilter": yOneFilter,
+ "YValue": yValue,
+ "KFilter": kFilter,
+ "KPipe": kPipe,
+ "KOneFilter": kOneFilter,
+ "KYFilter": newKYFilter,
+ "YMerge": yMerge,
+ "StrToY": strToY,
+ "YListAppend": yListAppend,
 }
diff --git a/pkg/document/plugin/templater/extlib/kyaml.go b/pkg/document/plugin/templater/extlib/kyaml.go
new file mode 100644
index 000000000..99ad8f377
--- /dev/null
+++ b/pkg/document/plugin/templater/extlib/kyaml.go
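Review bot: The new entries `YFilter`, `KPipe`, `StrToY` and friends use capitalized names while every existing entry in genericMap (`regexGen`, `toYaml`, `toUint32`) is lowerCamel, so template authors now face two naming conventions in one function map. Either rename them to `yFilter`/`kPipe`/`strToY` for consistency, or put a comment above the group explaining the distinction, e.g. `// kyaml helpers are capitalized to mark them as operating on bundle documents rather than plain values` — only if that is the actual reason.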
@@ -0,0 +1,71 @@ +/* + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package extlib + +import ( + "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/merge2" +) + +func yOneFilter(input *yaml.RNode, cfg string) *yaml.RNode { + flt := yFilter(cfg) + if flt == nil { + return nil + } + + return yPipe(input, []interface{}{flt}) +} + +func kOneFilter(input []*yaml.RNode, cfg string) []*yaml.RNode { + flt := kFilter(cfg) + if flt == nil { + return nil + } + + return kPipe(input, []interface{}{flt}) +} + +func yMerge(src, dest *yaml.RNode) *yaml.RNode { + res, err := merge2.Merge( + src, dest, + yaml.MergeOptions{ + ListIncreaseDirection: yaml.MergeOptionsListPrepend, + }) + if err != nil { + return nil + } + return res +} + +func yListAppend(src, el *yaml.RNode) *yaml.RNode { + flt := &yaml.ElementAppender{ + Elements: []*yaml.Node{ + el.YNode(), + }, + } + out, err := src.Pipe(flt) + if err != nil { + return nil + } + return out +} + +func strToY(in string) *yaml.RNode { + res, err := yaml.Parse(in) + if err != nil { + return nil + } + return res +} diff --git a/pkg/document/plugin/templater/extlib/kyaml_base.go b/pkg/document/plugin/templater/extlib/kyaml_base.go new file mode 100644 index 000000000..0c62368e8 --- /dev/null +++ b/pkg/document/plugin/templater/extlib/kyaml_base.go 
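Review bot: yMerge, yListAppend and strToY discard the error and return a bare nil with no log line, unlike the helpers in kyaml_base.go, so a template that merges or parses secret data gets a nil `*yaml.RNode` with nothing in the log explaining why. Add a `log.Printf` in each `err != nil` branch (the file would need to import `log`) to match the rest of the package. yListAppend also calls `el.YNode()` without checking `el`; if `el` is the nil returned by a failed `strToY`, a nil node appears to end up appended to the list — guard it with `if el == nil { return nil }` before building the ElementAppender.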
@@ -0,0 +1,189 @@ +/* + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package extlib + +import ( + "fmt" + "log" + + "k8s.io/apimachinery/pkg/api/resource" + + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" + + kfilters "sigs.k8s.io/kustomize/kyaml/kio/filters" +) + +func kFilter(cfg string) kio.Filter { + k := kfilters.KFilter{} + + err := k.UnmarshalYAML(func(x interface{}) error { + // GREP - special case - need to add cmp function and convert to address + // not sure why only grep isn't address + // see https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/kio/filters/filters.go#L21 + grepFilter, ok := k.Filter.(kfilters.GrepFilter) + if ok { + grepFilter.Compare = func(a, b string) (int, error) { + qa, err := resource.ParseQuantity(a) + if err != nil { + return 0, fmt.Errorf("%s: %v", a, err) + } + qb, err := resource.ParseQuantity(b) + if err != nil { + return 0, err + } + + return qa.Cmp(qb), err + } + err := yaml.Unmarshal([]byte(cfg), &grepFilter) + if err != nil { + log.Printf("can't unmarshal KFilter grepFilter cfg yaml %s: %v", cfg, err) + return err + } + k.Filter = grepFilter + return nil + } + + err := yaml.Unmarshal([]byte(cfg), x) + if err != nil { + log.Printf("can't unmarshal KFilter cfg yaml %s: %v", cfg, err) + return err + } + return nil + }) + if err != nil { + log.Printf("can't unmarshalYAML KFilter cfg %s: %v", cfg, err) + return nil + } + return k.Filter +} + +func kPipe(input []*yaml.RNode, kfilters []interface{}) 
[]*yaml.RNode { + kfs, err := getKFilters(kfilters) + if err != nil { + log.Printf("KPipe: %v", err) + } + + pb := kio.PackageBuffer{} + p := kio.Pipeline{ + Inputs: []kio.Reader{&kio.PackageBuffer{Nodes: input}}, + Filters: kfs, + Outputs: []kio.Writer{&pb}, + } + + err = p.Execute() + if err != nil { + log.Printf("pipeline exec returned error: %v", err) + return nil + } + return pb.Nodes +} + +func yFilter(cfg string) yaml.Filter { + y := yaml.YFilter{} + + err := y.UnmarshalYAML(func(x interface{}) error { + err := yaml.Unmarshal([]byte(cfg), x) + if err != nil { + log.Printf("can't unmarshal YFilter cfg yaml %s: %v", cfg, err) + return err + } + return nil + }) + + if err != nil { + log.Printf("can't unmarshalYAML YFilter cfg %s: %v", cfg, err) + return nil + } + + return y.Filter +} + +func yPipe(input *yaml.RNode, yfilters []interface{}) *yaml.RNode { + yfs, err := getYFilters(yfilters) + if err != nil { + log.Printf("YPipe: %v", err) + } + res, err := input.Pipe(yfs...) + if err != nil { + log.Printf("pipe returned error: %v", err) + return nil + } + return res +} + +func yValue(input *yaml.RNode) interface{} { + s, err := input.String() + if err != nil { + log.Printf("can't get string for %v: %v", input, err) + return nil + } + + var x interface{} + err = yaml.Unmarshal([]byte(s), &x) + if err != nil { + log.Printf("can't unmarshal yaml %s: %v", s, err) + return nil + } + return x +} + +type kYFilter struct { + yfilters []yaml.Filter +} + +func newKYFilter(yfilters []interface{}) kio.Filter { + yfs, err := getYFilters(yfilters) + if err != nil { + log.Printf("KYFilter: %v", err) + } + return kYFilter{yfilters: yfs} +} + +// Filter performs all internal operations with all input and returns +func (k kYFilter) Filter(input []*yaml.RNode) ([]*yaml.RNode, error) { + for _, i := range input { + err := i.PipeE(k.yfilters...) 
+ if err != nil { + log.Printf("pipe returned error: %v", err) + return nil, err + } + } + return input, nil +} + +func getYFilters(yfilters []interface{}) ([]yaml.Filter, error) { + yfs := []yaml.Filter{} + for i, y := range yfilters { + yf, ok := y.(yaml.Filter) + if !ok { + return nil, fmt.Errorf("has got element %d with unexpected type %T", i, y) + } + yfs = append(yfs, yf) + } + return yfs, nil +} + +func getKFilters(kfilters []interface{}) ([]kio.Filter, error) { + kfs := []kio.Filter{} + for i, k := range kfilters { + kf, ok := k.(kio.Filter) + if !ok { + return nil, fmt.Errorf("has got element %d with unexpected type %T", i, k) + } + kfs = append(kfs, kf) + } + return kfs, nil +} diff --git a/pkg/document/plugin/templater/extlib/kyaml_base_test.go b/pkg/document/plugin/templater/extlib/kyaml_base_test.go new file mode 100644 index 000000000..a4766d496 --- /dev/null +++ b/pkg/document/plugin/templater/extlib/kyaml_base_test.go 
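Review bot: kPipe, yPipe and newKYFilter fail open: when getKFilters or getYFilters returns an error (for instance because kFilter returned nil for a mistyped filter), the error is only logged and the pipeline then runs with an empty filter list, so the input comes back unchanged. The templates and tests in this change use these pipes through setItems to filter documents out of the bundle — the same mechanism that excludes the decrypted secret catalogues — so a typo in a filter silently leaves those documents in the rendered output instead of failing the build. Return nil after logging, `if err != nil { log.Printf("KPipe: %v", err); return nil }` in kPipe and likewise in yPipe, and have newKYFilter return a filter whose Filter method reports the error rather than a no-op. Separately, yValue logs the full text of the node on an unmarshal failure, which can be secret material when the node comes from a secrets catalogue; log only the error.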
@@ -0,0 +1,434 @@ +/* + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package extlib + +import ( + "testing" + + "bytes" + "strings" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" + + kfilters "sigs.k8s.io/kustomize/kyaml/kio/filters" +) + +func TestKFilter(t *testing.T) { + testCases := []struct { + in string + expectedOut kio.Filter + }{ + { + in: ` +kind: GrepFilter +path: +- metadata +- annotations +- test-annotation +value: ^x$ +invertMatch: true +`, + expectedOut: kfilters.GrepFilter{ + Path: []string{ + "metadata", + "annotations", + "test-annotation", + }, + Value: "^x$", + InvertMatch: true, + }, + }, + { + in: ` +kind: NonExistentFilter +path: +- metadata +`, + expectedOut: nil, + }, + { + in: ` +kind: GrepFilter +path: "incorrectdata" +`, + expectedOut: nil, + }, + { + in: ` +kind: Modifier +pipeline: "incorrectdata" +`, + expectedOut: nil, + }, + } + + for _, tc := range testCases { + r := kFilter(tc.in) + + // GrepFilter is a special case + grepFilter, ok := r.(kfilters.GrepFilter) + if ok { + require.NotNil(t, grepFilter.Compare) + grepFilter.Compare = nil + r = grepFilter + } + + assert.Equal(t, tc.expectedOut, r) + } +} + +func TestKPipe(t *testing.T) { + testCases := []struct { + in string + filters string + expectedOut string + }{ + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + 
name: cf2 +--- +apiVersion: v1 +kind: Deployment +metadata: + name: cf1 +`, + filters: ` +kind: GrepFilter +path: +- metadata +- name +value: cf1 +--- +kind: GrepFilter +path: +- kind +value: ConfigMap +`, + expectedOut: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filters: ` +kind: InvalidFilter +`, + expectedOut: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + }, + } + + for _, tc := range testCases { + // convert in to []*yaml.RNode + b := kio.PackageBuffer{} + p := kio.Pipeline{ + Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(tc.in)}}, + Outputs: []kio.Writer{&b}, + } + err := p.Execute() + require.NoError(t, err) + + // get list of filters + kfilters := []interface{}{} + for _, flt := range strings.Split(tc.filters, "\n---\n") { + kfilters = append(kfilters, kFilter(flt)) + } + + nodes := kPipe(b.Nodes, kfilters) + + // convert to string and compare with expected + out := &bytes.Buffer{} + err = kio.ByteWriter{Writer: out}.Write(nodes) + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out.String()) + } +} + +func TestYFilter(t *testing.T) { + testCases := []struct { + in string + expectedOut yaml.Filter + }{ + { + in: ` +kind: PathGetter +path: ["data", "fld1"] +`, + expectedOut: &yaml.PathGetter{ + Kind: "PathGetter", + Path: []string{ + "data", + "fld1", + }, + }, + }, + {in: ` +kind: PathGetter +path: "data" +`, + expectedOut: nil, + }, + {in: ` +kind: nonExistingFilter +path: "data" +`, + expectedOut: nil, + }, + } + + for _, tc := range testCases { + out := yFilter(tc.in) + assert.Equal(t, tc.expectedOut, out) + } +} + +func TestYPipe(t *testing.T) { + testCases := []struct { + in string + filters string + expectedIn string + expectedOut string + }{ + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filters: ` +kind: PathGetter +path: ["metadata"] +--- +kind: FieldSetter +name: "name" 
+stringValue: "cf2" +`, + expectedIn: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf2 +`, + expectedOut: ` +cf2 +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filters: ` +kind: InvalidPathGetter +path: ["metadata"] +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filters: ` +kind: PathGetter +path: ["xmetadata"] +--- +kind: FieldSetter +name: "namex" +stringValue: "cf2" +`, + expectedIn: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + }, + } + for _, tc := range testCases { + inRNode, err := yaml.Parse(tc.in) + require.NoError(t, err) + + // get list of filters + yfilters := []interface{}{} + for _, flt := range strings.Split(tc.filters, "\n---\n") { + yfilters = append(yfilters, yFilter(flt)) + } + + outRNode := yPipe(inRNode, yfilters) + + if tc.expectedOut != "" { + require.NotNil(t, outRNode) + out, err := outRNode.String() + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out) + } + + if tc.expectedIn != "" { + in, err := inRNode.String() + require.NoError(t, err) + assert.Equal(t, tc.expectedIn[1:], in) + } + } +} + +func TestYValue(t *testing.T) { + testCases := []struct { + in string + expectedOut interface{} + }{ + { + in: ` +x +`, + expectedOut: "x", + }, + { + in: ` +kind: x +value: b +list: +- a +- b +`, + expectedOut: map[string]interface{}{ + "kind": "x", + "list": []interface{}{ + "a", + "b", + }, + "value": "b", + }, + }, + } + + for _, tc := range testCases { + inRNode, err := yaml.Parse(tc.in) + require.NoError(t, err) + + out := yValue(inRNode) + assert.Equal(t, tc.expectedOut, out) + } +} + +func TestKYFilter(t *testing.T) { + testCases := []struct { + in string + filters string + expectedOut string + }{ + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 + labels: {} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf2 + labels: {} +--- +apiVersion: v1 +kind: Deployment +metadata: + name: cf1 + labels: {} +`, + 
filters: ` +kind: PathGetter +path: ["metadata", "labels"] +--- +kind: FieldSetter +name: "newlabel" +stringValue: "newvalue" +`, + expectedOut: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 + labels: {newlabel: newvalue} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf2 + labels: {newlabel: newvalue} +--- +apiVersion: v1 +kind: Deployment +metadata: + name: cf1 + labels: {newlabel: newvalue} +`, + }, + } + for _, tc := range testCases { + // convert in to []*yaml.RNode + b := kio.PackageBuffer{} + p := kio.Pipeline{ + Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(tc.in)}}, + Outputs: []kio.Writer{&b}, + } + err := p.Execute() + require.NoError(t, err) + + // get list of filters + yfilters := []interface{}{} + for _, flt := range strings.Split(tc.filters, "\n---\n") { + yfilters = append(yfilters, yFilter(flt)) + } + + kfilters := []interface{}{newKYFilter(yfilters)} + nodes := kPipe(b.Nodes, kfilters) + + // convert to string and compare with expected + out := &bytes.Buffer{} + err = kio.ByteWriter{Writer: out}.Write(nodes) + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out.String()) + } +} diff --git a/pkg/document/plugin/templater/extlib/kyaml_test.go b/pkg/document/plugin/templater/extlib/kyaml_test.go new file mode 100644 index 000000000..f4555de44 --- /dev/null +++ b/pkg/document/plugin/templater/extlib/kyaml_test.go 
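Review bot: The second TestKPipe case pins fail-open behaviour — an `InvalidFilter` is expected to return the input unchanged — which turns a configuration typo into a silent pass-through of every document, including any the filter was meant to remove. If kPipe is changed to return nil on a filter error this case should expect nil instead; until then a comment on the case, `// NOTE: documents that an unparsable filter currently passes everything through`, makes the behaviour explicit rather than accidental. TestYPipe's second case (`InvalidPathGetter`) sets neither expectedIn nor expectedOut, so the loop asserts nothing for it — add `require.Nil(t, outRNode)` or an expectation.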
@@ -0,0 +1,185 @@ +/* + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package extlib + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "bytes" + + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +func TestKOneFilter(t *testing.T) { + testCases := []struct { + in string + filter string + expectedOut string + }{ + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf2 +--- +apiVersion: v1 +kind: Deployment +metadata: + name: cf1 +`, + filter: ` +kind: GrepFilter +path: +- metadata +- name +value: cf2 +`, + expectedOut: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf2 +`, + }, + { + in: ` +somedata: a +`, + filter: ` +kind: invalidFilter +`, + expectedOut: "", + }, + } + + for _, tc := range testCases { + // convert in to []*yaml.RNode + b := kio.PackageBuffer{} + p := kio.Pipeline{ + Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(tc.in)}}, + Outputs: []kio.Writer{&b}, + } + err := p.Execute() + require.NoError(t, err) + + nodes := kOneFilter(b.Nodes, tc.filter) + if tc.expectedOut == "" && nodes == nil { + continue + } + // convert to string and compare with expected + out := &bytes.Buffer{} + err = kio.ByteWriter{Writer: out}.Write(nodes) + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out.String()) + } +} + +func TestYOneFilter(t *testing.T) { + testCases := []struct { + in 
string + filter string + expectedOut string + }{ + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filter: ` +kind: PathGetter +path: ["metadata"] +`, + expectedOut: ` +name: cf1 +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: cf1 +`, + filter: ` +kind: InvalidFilter +`, + expectedOut: "", + }, + } + + for _, tc := range testCases { + inRNode, err := yaml.Parse(tc.in) + require.NoError(t, err) + + outRNode := yOneFilter(inRNode, tc.filter) + + if tc.expectedOut != "" { + require.NotNil(t, outRNode) + out, err := outRNode.String() + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out) + } + } +} + +func TestMerge(t *testing.T) { + y1 := strToY(` +kind: x1 +value1: y`) + y2 := strToY(` +kind: x2 +value2: z`) + ym := yMerge(y1, y2) + res, err := ym.String() + require.NoError(t, err) + assert.Equal(t, ` +kind: x1 +value2: z +value1: y +`[1:], + res) +} + +func TestListAppend(t *testing.T) { + y1 := strToY(`values: +- name: x +- name: z +`) + list, err := y1.Pipe(yaml.PathGetter{Path: []string{"values"}}) + require.NoError(t, err) + y2 := strToY(` +name: y`) + yListAppend(list, y2) + res, err := y1.String() + require.NoError(t, err) + assert.Equal(t, `values: +- name: x +- name: z +- name: y +`, + res) +} diff --git a/pkg/document/plugin/templater/templater.go b/pkg/document/plugin/templater/templater.go index 8f7193628..6c20f684b 100644 --- a/pkg/document/plugin/templater/templater.go +++ b/pkg/document/plugin/templater/templater.go @@ -15,6 +15,9 @@ package templater import ( + "log" + "os" + "bytes" "encoding/json" "fmt" @@ -22,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/kio/filters" "sigs.k8s.io/kustomize/kyaml/yaml" airshipv1 "opendev.org/airship/airshipctl/pkg/api/v1alpha1" 
@@ -37,6 +41,13 @@ type plugin struct {
 *airshipv1.Templater
 }

+// define wrapper to call logging conditionally
+func debug(x func()) {
+ if os.Getenv("DEBUG_TEMPLATER") == "true" {
+ x()
+ }
+}
+
 // New creates new instance of the plugin
 func New(obj map[string]interface{}) (kio.Filter, error) {
 cfg := &airshipv1.Templater{}
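Review bot: The comment on `debug` names neither the variable it keys on nor what callers gate with it; replace it with `// debug runs x only when the DEBUG_TEMPLATER environment variable is exactly "true". It gates log output of rendered templates, which may contain generated secrets, so leave it unset outside local troubleshooting.` The environment lookup happens on every call, which is fine for the two call sites here but worth noting if it is ever used in a loop.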
@@ -60,14 +71,74 @@ func funcMapAppend(fma, fmb template.FuncMap) template.FuncMap { return fma } +func (t *plugin) loadModules(tmpl *template.Template, items []*yaml.RNode) ([]*yaml.RNode, error) { + err := kio.Pipeline{ + Inputs: []kio.Reader{&kio.PackageBuffer{Nodes: items}}, + Filters: []kio.Filter{ + filters.GrepFilter{Path: []string{"apiVersion"}, Value: "^airshipit.org/v1alpha1$"}, + filters.GrepFilter{Path: []string{"kind"}, Value: "Templater"}, + kio.FilterFunc(func(o []*yaml.RNode) ([]*yaml.RNode, error) { + for _, node := range o { + templateNode, err := node.Pipe(yaml.PathGetter{Path: []string{"template"}}) + if err != nil { + return nil, err + } + s := yaml.GetValue(templateNode) + debug(func() { log.Printf("Adding module:\n%s", s) }) + _, err = tmpl.Parse(s) + if err != nil { + return nil, err + } + } + return o, nil + }), + }, + }.Execute() + if err != nil { + return nil, err + } + + return items, nil +} + func (t *plugin) Filter(items []*yaml.RNode) ([]*yaml.RNode, error) { out := &bytes.Buffer{} + tmpl := template.New(t.Name) + funcMap := template.FuncMap{} funcMap = funcMapAppend(funcMap, sprig.TxtFuncMap()) funcMap = funcMapAppend(funcMap, extlib.GenericFuncMap()) - tmpl, err := template.New("tmpl").Funcs(funcMap).Parse(t.Template) + itemsFuncMap := template.FuncMap{} + itemsFuncMap["getItems"] = func() []*yaml.RNode { + return items + } + itemsFuncMap["setItems"] = func(val interface{}) error { + newItems, err := getRNodes(val) + if err != nil { + return err + } + + items = newItems + return nil + } + itemsFuncMap["include"] = func(name string, data interface{}) (string, error) { + localOut := &bytes.Buffer{} + if err := tmpl.ExecuteTemplate(localOut, name, data); err != nil { + return "", err + } + return localOut.String(), nil + } + funcMap = funcMapAppend(funcMap, itemsFuncMap) + tmpl = tmpl.Funcs(funcMap) + + items, err := t.loadModules(tmpl, items) + if err != nil { + return nil, err + } + + tmpl, err = tmpl.Parse(t.Template) if err != nil 
{ return nil, err } @@ -83,6 +154,7 @@ func (t *plugin) Filter(items []*yaml.RNode) ([]*yaml.RNode, error) { if err = tmpl.Execute(out, values); err != nil { return nil, err } + debug(func() { log.Printf("Templater out is:\n%s", out.String()) }) p := kio.Pipeline{ Inputs: []kio.Reader{&kio.ByteReader{Reader: out}}, @@ -99,3 +171,25 @@ func (t *plugin) Filter(items []*yaml.RNode) ([]*yaml.RNode, error) { } return append(items, res.Nodes...), nil } + +func getRNodes(rnodesarr interface{}) ([]*yaml.RNode, error) { + rnodes, ok := rnodesarr.([]*yaml.RNode) + if ok { + return rnodes, nil + } + + rnodesx, ok := rnodesarr.([]interface{}) + if !ok { + return nil, fmt.Errorf("unexpected type %T - wanted []", rnodesarr) + } + + rns := []*yaml.RNode{} + for i, r := range rnodesx { + rn, ok := r.(*yaml.RNode) + if !ok { + return nil, fmt.Errorf("has got element %d with unexpected type %T", i, r) + } + rns = append(rns, rn) + } + return rns, nil +} diff --git a/pkg/document/plugin/templater/templater_test.go b/pkg/document/plugin/templater/templater_test.go index c19ec5c68..08173e044 100644 --- a/pkg/document/plugin/templater/templater_test.go +++ b/pkg/document/plugin/templater/templater_test.go @@ -12,28 +12,29 @@ limitations under the License. */ -package templater_test +package templater import ( "bytes" + "os" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "sigs.k8s.io/kustomize/kyaml/kio" + kyaml "sigs.k8s.io/kustomize/kyaml/yaml" "sigs.k8s.io/yaml" "crypto/x509" "crypto/x509/pkix" "encoding/base64" "encoding/pem" - - "opendev.org/airship/airshipctl/pkg/document/plugin/templater" ) func TestTemplater(t *testing.T) { testCases := []struct { + in string cfg string expectedOut string expectedErr string 
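Review bot: In loadModules the kind filter `filters.GrepFilter{Path: []string{"kind"}, Value: "Templater"}` is an unanchored regular expression, so any kind that merely contains "Templater" would be parsed as a module, whereas the apiVersion filter beside it is anchored; use `Value: "^Templater$"`. Every matching document in the bundle is also parsed into the one template namespace, so two modules defining the same name (the templates in this change call helpers such as "group" and "grepTpl") appear to let the later document win silently — confirm, and document the precedence in a comment on loadModules. The Filter function continues past the end of the hunk.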
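Review bot: `debug(func() { log.Printf("Templater out is:\n%s", out.String()) })` writes the complete rendered output to the log, and the templates in this change render secret catalogues (the ISO image, Kubernetes and SSH secret groups), so with DEBUG_TEMPLATER=true that material lands in plain text wherever stdout/stderr is collected. Add a warning at the call site, `// WARNING: dumps the rendered output, which can include generated secrets; DEBUG_TEMPLATER is for local troubleshooting only`, and consider redacting documents carrying the secret labels before printing.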
@@ -101,6 +102,29 @@ template: | cfg: ` apiVersion: airshipit.org/v1alpha1 kind: Templater +metadata: + name: notImportantHere +values: + test: + someKey: + anotherKey: value + of: + - toYaml +template: | + {{- $_ := setItems getItems -}} + {{ toYaml . -}} +`, + expectedOut: `test: + of: + - toYaml + someKey: + anotherKey: value +`, + }, + { + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater metadata: name: notImportantHere values: @@ -110,7 +134,7 @@ values: template: | {{ toYaml ignorethisbadinput -}} `, - expectedOut: ``, + expectedErr: `template: notImportantHere:1: function "ignorethisbadinput" not defined`, }, { cfg: ` @@ -120,7 +144,7 @@ metadata: name: notImportantHere template: | {{ end }`, - expectedErr: "template: tmpl:1: unexpected \"}\" in end", + expectedErr: "template: notImportantHere:1: unexpected \"}\" in end", }, { cfg: ` @@ -165,7 +189,7 @@ values: template: | password: {{ regexGen .regex (.limit|int) }} `, - expectedErr: "template: tmpl:1:13: executing \"tmpl\" at " + + expectedErr: "template: notImportantHere:1:13: executing \"notImportantHere\" at " + ": error calling regexGen: " + "Limit cannot be less than or equal to 0", }, 
@@ -182,23 +206,284 @@ values: template: | password: {{ regexGen .regex (.limit|int) }} `, - expectedErr: "template: tmpl:1:13: executing \"tmpl\" " + + expectedErr: "template: notImportantHere:1:13: executing \"notImportantHere\" " + "at : error calling " + "regexGen: error parsing regexp: missing closing ]: `[a-z`", }, + // transformer tests + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 +`, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +values: + annotationTransf: | + kind: AnnotationSetter + key: test-annotation + value: %s +template: | + {{- $_ := KPipe getItems (list (KYFilter (list (YFilter (printf .annotationTransf "testenvvalue"))))) -}} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 + annotations: + test-annotation: 'testenvvalue' +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 +data: + value: value1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value2 +`, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +values: + map1grep: | + kind: GrepFilter + path: + - metadata + - name + value: ^map1$ + pathGet1: | + kind: PathGetter + path: + - data + - value + map2grep: | + kind: GrepFilter + path: + - metadata + - name + value: ^map2$ + map2PathGet: | + kind: PathGetter + path: + - data + fieldSet: | + kind: FieldSetter + name: value + stringValue: %s +template: | + {{- $map1 := KPipe getItems (list (KFilter .map1grep)) -}} + {{- $map1value := YValue (YPipe (index $map1 0) (list (YFilter .pathGet1))) -}} + {{- $kyflt := KYFilter (list (YFilter .map2PathGet) (YFilter (printf .fieldSet $map1value))) -}} + {{- $_ := KPipe getItems (list (KFilter .map2grep) $kyflt) -}} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 +data: + value: value1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value1 +`, + 
}, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 + annotations: + test-annotation: x +data: + value: value1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value2 +`, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +values: + grep: | + kind: GrepFilter + path: + - metadata + - annotations + - test-annotation + value: ^x$ + invertMatch: true +template: | + {{- $_ := setItems (KPipe getItems (list (KFilter .grep))) -}} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value2 +`, + }, + { + in: ` +apiVersion: v1 +kind: ConfigMap +metadata: + name: map1 + annotations: + test-annotation: x +data: + value: value1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value2 +`, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +values: + grep: | + kind: GrepFilter + path: + - metadata + - annotations + - test-annotation + value: ^x$ + invertMatch: true +template: | + {{- $_ := setItems (KOneFilter getItems .grep) -}} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: map2 +data: + value: value2 +`, + }, + { + in: ``, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +template: | + {{ define "tmplx" }} + {{- $name:= . -}} + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ $name }} + {{ end }} + {{ include "tmplx" "cfg1" }} + --- + {{ include "tmplx" "cfg2" }} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: cfg1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cfg2 +`, + }, + { + in: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: libModule +template: | + {{/* grepTpl returns yaml that can be used to built KFilter that will + filter with grep */}} + {{- define "grepTpl" -}} + kind: GrepFilter + path: {{ index . 
0 }} + value: {{ index . 1 }} + {{ if gt (len .) 2}} + invertMatch: {{ index . 2 }} + {{ end }} + {{- end -}} + {{/* test function */}} + {{ define "fnFromModule" }} + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ index . 0 }} + {{ end }} +`, + cfg: ` +apiVersion: airshipit.org/v1alpha1 +kind: Templater +metadata: + name: notImportantHere +template: | + {{/* remove all modules (they already imported) */}} + {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"kind\"]" "^Templater$" "true"))) -}} + {{/* call fn from imported module */}} + {{ include "fnFromModule" (list "cfg1") }} +`, + expectedOut: `apiVersion: v1 +kind: ConfigMap +metadata: + name: cfg1 +`, + }, } for _, tc := range testCases { cfg := make(map[string]interface{}) err := yaml.Unmarshal([]byte(tc.cfg), &cfg) require.NoError(t, err) - plugin, err := templater.New(cfg) + plugin, err := New(cfg) require.NoError(t, err) + + nodesIn, err := (&kio.ByteReader{Reader: bytes.NewBufferString(tc.in)}).Read() + require.NoError(t, err) + buf := &bytes.Buffer{} - nodes, err := plugin.Filter(nil) + nodes, err := plugin.Filter(nodesIn) if tc.expectedErr != "" { assert.EqualError(t, err, tc.expectedErr) + continue } + require.NoError(t, err) err = kio.ByteWriter{Writer: buf}.Write(nodes) require.NoError(t, err) assert.Equal(t, tc.expectedOut, buf.String()) @@ -238,7 +523,7 @@ template: | cfg := make(map[string]interface{}) err := yaml.Unmarshal([]byte(tc.cfg), &cfg) require.NoError(t, err) - plugin, err := templater.New(cfg) + plugin, err := New(cfg) require.NoError(t, err) buf := &bytes.Buffer{} nodes, err := plugin.Filter(nil) 
@@ -268,3 +553,82 @@ template: | assert.Equal(t, tc.expectedSubject, cert.Subject) } } + +func TestGetRNodes(t *testing.T) { + //Prepare test data A, B, C, + //var x []*yaml.RNode + rnode1, err := kyaml.Parse(`x: y`) + require.NoError(t, err) + rnode2, err := kyaml.Parse(`z: "a"`) + require.NoError(t, err) + + testA := []*kyaml.RNode{ + rnode1, + rnode2, + } + + testB := []interface{}{ + rnode1, + rnode2, + } + + testCases := []struct { + rnodesarr interface{} + expectedOut string + expectedErr bool + }{ + { + rnodesarr: nil, + expectedErr: true, + }, + { + rnodesarr: testA, + expectedOut: ` +x: y +--- +z: "a" +`, + }, + { + rnodesarr: testB, + expectedOut: ` +x: y +--- +z: "a" +`, + }, + } + + for i, tc := range testCases { + nodes, err := getRNodes(tc.rnodesarr) + if tc.expectedErr && err != nil { + continue + } + if tc.expectedErr { + t.Errorf("expected error, but hasn't got it for the case %d", i) + continue + } + if err != nil { + t.Errorf("got unexpected error: %v", err) + continue + } + + // convert to string and compare with expected + out := &bytes.Buffer{} + err = kio.ByteWriter{Writer: out}.Write(nodes) + require.NoError(t, err) + assert.Equal(t, tc.expectedOut[1:], out.String()) + } +} + +func TestDebug(t *testing.T) { + i := 0 + + os.Setenv("DEBUG_TEMPLATER", "false") + debug(func() { i = 1 }) + assert.Equal(t, 0, i) + + os.Setenv("DEBUG_TEMPLATER", "true") + debug(func() { i = 1 }) + assert.Equal(t, 1, i) +} diff --git a/playbooks/airshipctl-gate-runner.yaml b/playbooks/airshipctl-gate-runner.yaml index 40bb7f20c..37f7caa24 100644 --- a/playbooks/airshipctl-gate-runner.yaml +++ b/playbooks/airshipctl-gate-runner.yaml 
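Review bot: TestDebug sets DEBUG_TEMPLATER with os.Setenv twice and never restores it, so the process environment is left with DEBUG_TEMPLATER=true for every test that runs after it in the package, and both os.Setenv return values are ignored. Add `defer os.Unsetenv("DEBUG_TEMPLATER")` as the first statement of the test (or save and restore the prior value with os.LookupEnv if the variable may already be set in the caller's environment). In TestGetRNodes the leftover `//var x []*yaml.RNode` comment is dead and should go, and the `expectedErr` case only checks that some error occurred; asserting on the error text would pin which failure getRNodes reports for a nil input.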
@@ -16,8 +16,6 @@ name: airshipctl_gate_runner environment: SOPS_IMPORT_PGP: "{{ airship_config_pgp }}" - SOPS_PGP_FP_ENCRYPT: "{{ airship_config_pgp_fp1 }}" - SOPS_PGP_FP_REENCRYPT: "{{ airship_config_pgp_fp2 }}" AZURE_SUBSCRIPTION_ID_B64: "UGxlYXNlLCBwcm92aWRlIHlvdXIgQXp1cmUgc3Vic2NyaXB0aW9uIGlkIGhlcmUK" AZURE_TENANT_ID_B64: "UGxlYXNlLCBwcm92aWRlIHlvdXIgQXp1cmUgdGVuYW50IGlkIGhlcmUK" AZURE_CLIENT_ID_B64: "UGxlYXNlLCBwcm92aWRlIHlvdXIgQXp1cmUgc2VydmljZSBwcmluY2lwYWwgaWQgaGVyZQo=" diff --git a/playbooks/get-vm-config.yaml b/playbooks/get-vm-config.yaml index 5196ecdbf..61b0e44ad 100644 --- a/playbooks/get-vm-config.yaml +++ b/playbooks/get-vm-config.yaml @@ -13,7 +13,7 @@ - name: get BareMetalHost objects shell: | set -e - kustomize build --enable-alpha-plugins \ + kustomize build --enable-alpha-plugins --network \ {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/{{ path }} 2>/dev/null | kustomize cfg grep "kind=BareMetalHost" register: bmh_command @@ -28,7 +28,7 @@ - name: get network configuration for BareMetalHost objects shell: | set -e - kustomize build --enable-alpha-plugins \ + kustomize build --enable-alpha-plugins --network \ {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/{{ path }} 2>/dev/null | kustomize cfg grep "metadata.name={{ item.spec.networkData.name }}" register: netdata_command diff --git a/playbooks/vars/test-config.yaml b/playbooks/vars/test-config.yaml index 6596462c4..6485f25e3 100644 --- a/playbooks/vars/test-config.yaml +++ b/playbooks/vars/test-config.yaml 
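Review bot: In both get-vm-config tasks (this hunk and the netdata hunk at -28,7) the `kustomize build --enable-alpha-plugins --network ...` call still has its stderr discarded by `2>/dev/null` and is the first stage of a pipeline, so with only `set -e` the task's exit status is that of the trailing `kustomize cfg grep`; a build that fails (including a KRM function that cannot reach the network now that `--network` allows it to try) surfaces as an empty grep result rather than a failed task. Add `set -o pipefail` on the line after `set -e` in both tasks so the build failure is propagated, and consider routing stderr to the registered output or a log instead of dropping it, since the only diagnostic for a function error would otherwise be lost.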
@@ -20,8 +20,6 @@ airship_config_site_path: manifests/site/test-site airship_config_ca_data: 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 airship_config_client_cert_data: 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 airship_config_client_key_data: 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 -airship_config_pgp_fp1: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" -airship_config_pgp_fp2: "D7229043384BCC60326C6FB9D8720D957C3D3074" airship_config_pgp: |- -----BEGIN PGP PRIVATE KEY BLOCK----- 
@@ -81,37 +79,3 @@ airship_config_pgp: |- gLk//M3qDixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== =VjGL -----END PGP PRIVATE KEY BLOCK----- - -----BEGIN PGP PRIVATE KEY BLOCK----- - - lQHYBF1oQYgBBADPuVP6Jdk/J/TbNa9dXirp/zzwK18ZqNudNqQGN3H+2aSgxXwL - wlRfzy7rB3CU6Ewjzk9EVYeYztTIkGHL0JZ1CCTiBJArlHO0bHQQ7CPeKPkhIhkj - eA8yu9dcU77oYC2xbwgf43KYzfMKSGEybg+sBO+bH+Y6paJK54V2cuS3GwARAQAB - AAP+Jjf5BXtVP1OAr5xvCYS77JWzhpTUSIpS7dgR0br91GAC9DmhmyBEGeSqwz95 - LUyYRbY9y1rZOfpEGCrIc5GLPOQytO9XMIzaS3dpzfGhla/spaKN4vJDvIOl+ruT - bInDdCRSmqXCfm2478OhOquc0H0a46eSmoaYeKdE3E8QZiECANxUL/dFk5j8NyPo - ZcwXw9Mv0A8UrynRcqht3Scti9k7dbsHylcObM305LFdcoNnSfNAIJhxfjbiXyGW - vwT2/qMCAPFatq3gvVjy6wKKylioi5cVwbLv9L+OaRXdR/Dy2bh/t3ujnsliV4+R - f7k3rHOQeaMLTnyfcz8AenL5IOe8RSkCANFpBgyzxCcV48Mm+FWDxjrSJ4/msRnN - gxqAPRrdpm7e1uebtBkPh4ch4oCW5/lLsRN23LUVIXYJRwyFfRjehCio0rRTU09Q - UyBGdW5jdGlvbmFsIFRlc3RzIEtleSAyIChodHRwczovL2dpdGh1Yi5jb20vbW96 - aWxsYS9zb3BzLykgPHNlY29wc0Btb3ppbGxhLmNvbT6IzgQTAQgAOBYhBNcikEM4 - S8xgMmxvudhyDZV8PTB0BQJdaEGIAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA - AAoJENhyDZV8PTB0R2cD/2YwaJ43iGueaAzByFnl+mUEBQJ4HhH4p7BIdx6B9AjE - 3yLe8I4dqqYXxyZzaJ9d+KiqxJBT0l1GXt3H5M32yDJZqzXB9PTWP3yx8+Q1CuCs - 7EL/bhJD1/sLdumVc77bmQtcI9NSiYyPzN/2ZqtV5RU14Loh24VFEjuHGvO0jI3+ - nQHYBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwVZKe1 - D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ04Or - BjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwARAQAB - AAP+L0wUQeOfsD0+gv8khyPJTJZOD1pxQ6NYKLcXF8rG0+vQnECha098YKNKAXTp - kfVU8795iQYIKcQQ6Hl2O1fj1AxJE/iZYrqfm7UZz3bQ7ROSsAEPZ5GDOjKfbwsz - E6bWVH+PhS1azlvtTs9JezUtK0Wl9s+81FOrZtnUUskmWtECAMNNs9ujUt6GHv/J - NXVaSmk1z8QXitPHbAJLDMj4xVDysJWZV95eplC+RUSiLz5HeP2AQgh1D9Rv2bA5 - c7OcJ3kCANOEkA0hVpXCI0FKrsihOf0NUOaAtS6CQNFlaIkrLwssJQY8pGYbRfRa - 3krNJPyOlXmezV2/CsX3EqA9KXXen5cB/iSmMJO4WndGJTe7YzUEnnY/P2TKg1fN - s6v5Lf39j5Ll8V5rVDT7ApAw0IKS8fzpbdHP0HcizutlF6l44YaAXMGfhoi2BBgB - CAAgFiEE1yKQQzhLzGAybG+52HINlXw9MHQFAl1oQYgCGwwACgkQ2HINlXw9MHTD - 
HwQAv+ui718AT2hw2pK9JaNuTxjllrH+KPMlrov0P8oXHPCohC5cxM5sJ6tCQ0qH - XyeWoDE8V31btqFVAQyrr0wy0gntl1L/trnwMHoP8a/xa0RHNk5C7hmcuhTHbQey - JNbiRJZpCIZ1OyrF17+q6u9YBPjwqp8KrJ/0ryy2kyb7ZRM= - =+tJ6 - -----END PGP PRIVATE KEY BLOCK----- diff --git a/tools/deployment/21_systemwide_executable.sh b/tools/deployment/21_systemwide_executable.sh index 841d148b0..5eb1b1ac8 100755 --- a/tools/deployment/21_systemwide_executable.sh +++ b/tools/deployment/21_systemwide_executable.sh @@ -50,7 +50,7 @@ fi # the version of airshipctl that they are installing via this script. export AIRSHIP_KRM_FUNCTION_REPO=${AIRSHIP_KRM_FUNCTION_REPO:-"quay.io/airshipit"} export AIRSHIP_KRM_FUNCTION_TAG=${AIRSHIP_KRM_FUNCTION_TAG:-"latest"} -export SOPS_KRM_FUNCTION=${SOPS_KRM_FUNCTION:-"gcr.io/kpt-fn-contrib/sops:v0.1.0"} +export SOPS_KRM_FUNCTION=${SOPS_KRM_FUNCTION:-"gcr.io/kpt-fn-contrib/sops:v0.3.0"} echo "Resolve krm function versions" diff --git a/tools/deployment/23_generate_secrets.sh b/tools/deployment/23_generate_secrets.sh index 6fe52f922..3d1520c3f 100755 --- a/tools/deployment/23_generate_secrets.sh +++ b/tools/deployment/23_generate_secrets.sh @@ -15,14 +15,14 @@ set -xe echo "Generating secrets using airshipctl" -export SOPS_PGP_FP=${SOPS_PGP_FP_ENCRYPT:-"${SOPS_PGP_FP}"} -airshipctl phase run secret-generate +FORCE_REGENERATE=all airshipctl phase run secret-update echo "Generating ~/.airship/kubeconfig" export AIRSHIP_CONFIG_MANIFEST_DIRECTORY=${AIRSHIP_CONFIG_MANIFEST_DIRECTORY:-"/tmp/airship"} export AIRSHIP_CONFIG_PHASE_REPO_URL=${AIRSHIP_CONFIG_PHASE_REPO_URL:-"https://review.opendev.org/airship/airshipctl"} export EXTERNAL_KUBECONFIG=${EXTERNAL_KUBECONFIG:-""} export SITE=${SITE:-"test-site"} +export WORKDIR="${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})" if [[ -z "$EXTERNAL_KUBECONFIG" ]]; then # we want to take config from bundle - remove kubeconfig file so 
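Review bot: The new `export WORKDIR=...` line leaves AIRSHIP_CONFIG_PHASE_REPO_URL unquoted inside the `$(basename ...)` substitution, so a value containing spaces or glob characters would be word-split before basename sees it; quote it as `export WORKDIR="${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename "${AIRSHIP_CONFIG_PHASE_REPO_URL}")"`. This expression hoists the same basename-of-URL path construction that the commit removes from the grep lines further down, so the assumption that the checkout directory is named after the URL's last path component is pre-existing rather than new; a short comment above the export stating that assumption would help, since nothing else in the script verifies that the directory exists.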
@@ -34,31 +34,55 @@ if [[ -z "$EXTERNAL_KUBECONFIG" ]]; then mv ~/.airship/tmp-kubeconfig ~/.airship/kubeconfig fi -#backward compatibility with previous behavior -if [[ -z "${SOPS_PGP_FP_ENCRYPT}" ]]; then - #skipping sanity checks - exit 0 -fi - -echo "Sanity check for secret-reencrypt phase" +# Validate that we generated everything correctly decrypted1=$(airshipctl phase run secret-show) if [[ -z "${decrypted1}" ]]; then - echo "Got empty decrypted value" - exit 1 + echo "Got empty decrypted value" + exit 1 fi -#make sure that generated file has right FP -grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/encrypted/results/generated/secrets.yaml" +#remove default key from env +unset SOPS_IMPORT_PGP -#set new FP and reencrypt -export SOPS_PGP_FP=${SOPS_PGP_FP_REENCRYPT} -airshipctl phase run secret-reencrypt -#make sure that generated file has right FP -grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/encrypted/results/generated/secrets.yaml" +echo "Sanity check 1: Check that we can decrypt everything with U1 and U2 creds" +# set user1 key +cp ${WORKDIR}/manifests/.private-keys/my.key ${WORKDIR}/manifests/.private-keys/my.key.old +cp ${WORKDIR}/manifests/.private-keys/exampleU1.key ${WORKDIR}/manifests/.private-keys/my.key #make sure that decrypted valus stay the same decrypted2=$(airshipctl phase run secret-show) if [ "${decrypted1}" != "${decrypted2}" ]; then - echo "reencrypted decrypted value is different from the original" - exit 1 + echo "reencrypted decrypted value is different from the original" + exit 1 fi +# set user2 key +cp ${WORKDIR}/manifests/.private-keys/exampleU2.key ${WORKDIR}/manifests/.private-keys/my.key + +#make sure that decrypted valus stay the same +decrypted2=$(airshipctl phase run secret-show) +if [ "${decrypted1}" != "${decrypted2}" ]; then + echo "reencrypted decrypted 
value is different from the original" + exit 1 +fi + +echo "Sanity check 2: reencrypt ephemeral site using U2 user" +ONLY_CLUSTERS=ephemeral airshipctl phase run secret-update + +#make sure that decrypted valus stay the same +decrypted2=$(airshipctl phase run secret-show) +if [ "${decrypted1}" != "${decrypted2}" ]; then + echo "reencrypted decrypted value is different from the original" + exit 1 +fi + +echo "Sanity check 3: Try to reecnrypt ephemeral by user 3, who can't decrypt target" +cp ${WORKDIR}/manifests/.private-keys/exampleU3.key ${WORKDIR}/manifests/.private-keys/my.key +TOLERATE_DECRYPTION_FAILURES=true ONLY_CLUSTERS=ephemeral airshipctl phase run secret-update + +decrypted3=$(TOLERATE_DECRYPTION_FAILURES=true airshipctl phase run secret-show) +if [ "${decrypted1}" == "${decrypted3}" ]; then + echo "reencrypted decrypted value should be different because it has to contain unencrypted data" + exit 1 +fi + +mv ${WORKDIR}/manifests/.private-keys/my.key.old ${WORKDIR}/manifests/.private-keys/my.key diff --git a/tools/deployment/update-krm-images b/tools/deployment/update-krm-images index cb2c090cf..9cbba03c7 100755 --- a/tools/deployment/update-krm-images +++ b/tools/deployment/update-krm-images @@ -26,7 +26,7 @@ export OLD_TEMPLATER=${OLD_TEMPLATER:-"localhost/templater"} export OLD_CLOUD_INIT=${OLD_CLOUD_INIT:-"localhost/cloud-init"} export OLD_TOOLBOX=${OLD_TOOLBOX:-"localhost/toolbox"} export OLD_KUBEVAL_VALIDATOR=${OLD_KUBEVAL_VALIDATOR:-"localhost/kubeval-validator"} -export OLD_SOPS=${OLD_SOPS:-"gcr.io/kpt-fn-contrib/sops:v0.1.0"} +export OLD_SOPS=${OLD_SOPS:-"gcr.io/kpt-fn-contrib/sops:v0.3.0"} export NEW_REPLACEMENT_TRANSFORMER=${NEW_REPLACEMENT_TRANSFORMER:-$OLD_REPLACEMENT_TRANSFORMER} export NEW_TEMPLATER=${NEW_TEMPLATER:-$OLD_TEMPLATER} diff --git a/tools/export_sops b/tools/export_sops index 7d2fbf9a4..b417dfcaf 100755 --- a/tools/export_sops +++ b/tools/export_sops 
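Review bot: Between the backup `cp ${WORKDIR}/manifests/.private-keys/my.key ${WORKDIR}/manifests/.private-keys/my.key.old` and the final `mv` that restores it, the script runs under `set -xe` and has several explicit `exit 1` paths, so any failed sanity check (or any command failure) exits with one of the example users' keys installed as manifests/.private-keys/my.key and the original stranded in my.key.old. Register the restore as an EXIT trap right after the backup, `trap 'mv "${WORKDIR}/manifests/.private-keys/my.key.old" "${WORKDIR}/manifests/.private-keys/my.key"' EXIT`, and drop the trailing mv so the restore is not attempted twice. The `cp` and `mv` arguments should also be double-quoted, since WORKDIR is derived from two environment variables that the script does not validate.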
@@ -13,4 +13,3 @@ # limitations under the License. export SOPS_IMPORT_PGP="$(curl -fsSL https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc)" -export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" diff --git a/tools/gate/20_run_gate_runner.sh b/tools/gate/20_run_gate_runner.sh index ccf81c2d0..9f4298faf 100755 --- a/tools/gate/20_run_gate_runner.sh +++ b/tools/gate/20_run_gate_runner.sh @@ -100,7 +100,7 @@ for script in $SCRIPT_LIST; do fi echo -e "\033[0;32m[ *** Run script $script *** ] \033[0m " - cmd="sudo --preserve-env=AIRSHIPCTL_WS,AIRSHIP_CONFIG_PHASE_REPO_URL,SOPS_IMPORT_PGP,SOPS_PGP_FP $script" + cmd="sudo --preserve-env=AIRSHIPCTL_WS,AIRSHIP_CONFIG_PHASE_REPO_URL,SOPS_IMPORT_PGP $script" if [[ $OUTPUT_DIR ]]; then $cmd > ${OUTPUT_DIR}/${SCRIPT_NAME}.out 2>&1 elif [[ "$MUTE" -eq "1" ]]; then diff --git a/tools/gate/config_template.yaml b/tools/gate/config_template.yaml index 781e06ff4..880369683 100644 --- a/tools/gate/config_template.yaml +++ b/tools/gate/config_template.yaml @@ -28,8 +28,6 @@ proxy: http: "$HTTP_PROXY" https: "$HTTPS_PROXY" noproxy: "$NO_PROXY" -airship_config_pgp_fp1: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" -airship_config_pgp_fp2: "D7229043384BCC60326C6FB9D8720D957C3D3074" airship_config_pgp: |- -----BEGIN PGP PRIVATE KEY BLOCK----- 
@@ -89,37 +87,3 @@ airship_config_pgp: |- gLk//M3qDixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== =VjGL -----END PGP PRIVATE KEY BLOCK----- - -----BEGIN PGP PRIVATE KEY BLOCK----- - - lQHYBF1oQYgBBADPuVP6Jdk/J/TbNa9dXirp/zzwK18ZqNudNqQGN3H+2aSgxXwL - wlRfzy7rB3CU6Ewjzk9EVYeYztTIkGHL0JZ1CCTiBJArlHO0bHQQ7CPeKPkhIhkj - eA8yu9dcU77oYC2xbwgf43KYzfMKSGEybg+sBO+bH+Y6paJK54V2cuS3GwARAQAB - AAP+Jjf5BXtVP1OAr5xvCYS77JWzhpTUSIpS7dgR0br91GAC9DmhmyBEGeSqwz95 - LUyYRbY9y1rZOfpEGCrIc5GLPOQytO9XMIzaS3dpzfGhla/spaKN4vJDvIOl+ruT - bInDdCRSmqXCfm2478OhOquc0H0a46eSmoaYeKdE3E8QZiECANxUL/dFk5j8NyPo - ZcwXw9Mv0A8UrynRcqht3Scti9k7dbsHylcObM305LFdcoNnSfNAIJhxfjbiXyGW - vwT2/qMCAPFatq3gvVjy6wKKylioi5cVwbLv9L+OaRXdR/Dy2bh/t3ujnsliV4+R - f7k3rHOQeaMLTnyfcz8AenL5IOe8RSkCANFpBgyzxCcV48Mm+FWDxjrSJ4/msRnN - gxqAPRrdpm7e1uebtBkPh4ch4oCW5/lLsRN23LUVIXYJRwyFfRjehCio0rRTU09Q - UyBGdW5jdGlvbmFsIFRlc3RzIEtleSAyIChodHRwczovL2dpdGh1Yi5jb20vbW96 - aWxsYS9zb3BzLykgPHNlY29wc0Btb3ppbGxhLmNvbT6IzgQTAQgAOBYhBNcikEM4 - S8xgMmxvudhyDZV8PTB0BQJdaEGIAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA - AAoJENhyDZV8PTB0R2cD/2YwaJ43iGueaAzByFnl+mUEBQJ4HhH4p7BIdx6B9AjE - 3yLe8I4dqqYXxyZzaJ9d+KiqxJBT0l1GXt3H5M32yDJZqzXB9PTWP3yx8+Q1CuCs - 7EL/bhJD1/sLdumVc77bmQtcI9NSiYyPzN/2ZqtV5RU14Loh24VFEjuHGvO0jI3+ - nQHYBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwVZKe1 - D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ04Or - BjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwARAQAB - AAP+L0wUQeOfsD0+gv8khyPJTJZOD1pxQ6NYKLcXF8rG0+vQnECha098YKNKAXTp - kfVU8795iQYIKcQQ6Hl2O1fj1AxJE/iZYrqfm7UZz3bQ7ROSsAEPZ5GDOjKfbwsz - E6bWVH+PhS1azlvtTs9JezUtK0Wl9s+81FOrZtnUUskmWtECAMNNs9ujUt6GHv/J - NXVaSmk1z8QXitPHbAJLDMj4xVDysJWZV95eplC+RUSiLz5HeP2AQgh1D9Rv2bA5 - c7OcJ3kCANOEkA0hVpXCI0FKrsihOf0NUOaAtS6CQNFlaIkrLwssJQY8pGYbRfRa - 3krNJPyOlXmezV2/CsX3EqA9KXXen5cB/iSmMJO4WndGJTe7YzUEnnY/P2TKg1fN - s6v5Lf39j5Ll8V5rVDT7ApAw0IKS8fzpbdHP0HcizutlF6l44YaAXMGfhoi2BBgB - CAAgFiEE1yKQQzhLzGAybG+52HINlXw9MHQFAl1oQYgCGwwACgkQ2HINlXw9MHTD - 
HwQAv+ui718AT2hw2pK9JaNuTxjllrH+KPMlrov0P8oXHPCohC5cxM5sJ6tCQ0qH - XyeWoDE8V31btqFVAQyrr0wy0gntl1L/trnwMHoP8a/xa0RHNk5C7hmcuhTHbQey - JNbiRJZpCIZ1OyrF17+q6u9YBPjwqp8KrJ/0ryy2kyb7ZRM= - =+tJ6 - -----END PGP PRIVATE KEY BLOCK-----