
Sloop type and Airsloop site

Sloop type/site is a minimalistic approach to Airship with reduced
requirements towards hardware and external dependencies while keeping
all the functional features.

Major differences compared to reference site airship-seaworthy
 - Two bare-metal server setup with 1 control, and 1 compute.
   Most components are scaled to a single replica and don't carry
   any HA as there is only a single control plane host.
 - No requirements for DNS/certificates.
   HTTP and internal cluster DNS are used.
 - Ceph set to use the single (root) disk. This generally
   provides minimalistic no-touch ceph deployment.
   No replication of ceph data (single copy).
 - Simplified networking (no bonding).
   Two network interfaces are used by default (flat PXE, and DATA network
   with VLANs for OAM, Calico, Storage, and OpenStack Overlay)
 - Generic hostnames used (airsloop-control-1, airsloop-compute-1) that
   simplify generation of k8s certificates
 - Usage of standard Ubuntu 16.04 GA kernel (as opposed to HWE)

Change-Id: I4944fcae7d29ed8799d810c93efb0120b6b3a105
tags/v1.0
Kaspars Skels 1 year ago
parent
commit
06ffeec6b1
100 changed files with 4408 additions and 0 deletions
  1. +2
    -0
      global/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml
  2. +2
    -0
      global/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml
  3. +2
    -0
      global/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml
  4. +2
    -0
      global/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml
  5. +2
    -0
      global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml
  6. +2
    -0
      global/software/charts/ucp/ceph/ceph-ingress.yaml
  7. +3
    -0
      global/software/manifests/bootstrap.yaml
  8. +32
    -0
      site/airsloop/baremetal/bootactions/promjoin.yaml
  9. +65
    -0
      site/airsloop/baremetal/nodes.yaml
  10. +41
    -0
      site/airsloop/deployment/deployment-configuration.yaml
  11. +154
    -0
      site/airsloop/networks/common-addresses.yaml
  12. +290
    -0
      site/airsloop/networks/physical/networks.yaml
  13. +285
    -0
      site/airsloop/pki/pki-catalog.yaml
  14. +49
    -0
      site/airsloop/profiles/genesis.yaml
  15. +49
    -0
      site/airsloop/profiles/hardware/dell_r720xd.yaml
  16. +80
    -0
      site/airsloop/profiles/host/compute.yaml
  17. +53
    -0
      site/airsloop/profiles/region.yaml
  18. +2387
    -0
      site/airsloop/secrets/certificates/certificates.yaml
  19. +12
    -0
      site/airsloop/secrets/passphrases/airsloop_crypt_password.yaml
  20. +12
    -0
      site/airsloop/secrets/passphrases/ceph_fsid.yaml
  21. +11
    -0
      site/airsloop/secrets/passphrases/ceph_swift_keystone_password.yaml
  22. +13
    -0
      site/airsloop/secrets/passphrases/ipmi_admin_password.yaml
  23. +12
    -0
      site/airsloop/secrets/passphrases/maas-region-key.yaml
  24. +11
    -0
      site/airsloop/secrets/passphrases/osh_barbican_oslo_db_password.yaml
  25. +11
    -0
      site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
  26. +11
    -0
      site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
  27. +11
    -0
      site/airsloop/secrets/passphrases/osh_barbican_password.yaml
  28. +11
    -0
      site/airsloop/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
  29. +11
    -0
      site/airsloop/secrets/passphrases/osh_cinder_oslo_db_password.yaml
  30. +11
    -0
      site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
  31. +11
    -0
      site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
  32. +11
    -0
      site/airsloop/secrets/passphrases/osh_cinder_password.yaml
  33. +11
    -0
      site/airsloop/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
  34. +11
    -0
      site/airsloop/secrets/passphrases/osh_glance_oslo_db_password.yaml
  35. +11
    -0
      site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
  36. +11
    -0
      site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
  37. +11
    -0
      site/airsloop/secrets/passphrases/osh_glance_password.yaml
  38. +11
    -0
      site/airsloop/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
  39. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_oslo_db_password.yaml
  40. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
  41. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
  42. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_password.yaml
  43. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
  44. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_stack_user_password.yaml
  45. +11
    -0
      site/airsloop/secrets/passphrases/osh_heat_trustee_password.yaml
  46. +11
    -0
      site/airsloop/secrets/passphrases/osh_horizon_oslo_db_password.yaml
  47. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
  48. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_grafana_admin_password.yaml
  49. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
  50. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
  51. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_nagios_admin_password.yaml
  52. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
  53. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
  54. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml
  55. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_prometheus_admin_password.yaml
  56. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml
  57. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml
  58. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml
  59. +11
    -0
      site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml
  60. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_admin_password.yaml
  61. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_ldap_password.yaml
  62. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_oslo_db_password.yaml
  63. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
  64. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
  65. +11
    -0
      site/airsloop/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
  66. +11
    -0
      site/airsloop/secrets/passphrases/osh_neutron_oslo_db_password.yaml
  67. +11
    -0
      site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
  68. +11
    -0
      site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
  69. +11
    -0
      site/airsloop/secrets/passphrases/osh_neutron_password.yaml
  70. +11
    -0
      site/airsloop/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
  71. +11
    -0
      site/airsloop/secrets/passphrases/osh_nova_oslo_db_password.yaml
  72. +11
    -0
      site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
  73. +11
    -0
      site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
  74. +11
    -0
      site/airsloop/secrets/passphrases/osh_nova_password.yaml
  75. +11
    -0
      site/airsloop/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
  76. +11
    -0
      site/airsloop/secrets/passphrases/osh_oslo_cache_secret_key.yaml
  77. +11
    -0
      site/airsloop/secrets/passphrases/osh_oslo_db_admin_password.yaml
  78. +11
    -0
      site/airsloop/secrets/passphrases/osh_oslo_db_exporter_password.yaml
  79. +11
    -0
      site/airsloop/secrets/passphrases/osh_placement_password.yaml
  80. +12
    -0
      site/airsloop/secrets/passphrases/tenant_ceph_fsid.yaml
  81. +11
    -0
      site/airsloop/secrets/passphrases/ucp_airflow_oslo_messaging_password.yaml
  82. +11
    -0
      site/airsloop/secrets/passphrases/ucp_airflow_postgres_password.yaml
  83. +11
    -0
      site/airsloop/secrets/passphrases/ucp_armada_keystone_password.yaml
  84. +11
    -0
      site/airsloop/secrets/passphrases/ucp_barbican_keystone_password.yaml
  85. +11
    -0
      site/airsloop/secrets/passphrases/ucp_barbican_oslo_db_password.yaml
  86. +11
    -0
      site/airsloop/secrets/passphrases/ucp_deckhand_keystone_password.yaml
  87. +11
    -0
      site/airsloop/secrets/passphrases/ucp_deckhand_postgres_password.yaml
  88. +11
    -0
      site/airsloop/secrets/passphrases/ucp_drydock_keystone_password.yaml
  89. +11
    -0
      site/airsloop/secrets/passphrases/ucp_drydock_postgres_password.yaml
  90. +11
    -0
      site/airsloop/secrets/passphrases/ucp_keystone_admin_password.yaml
  91. +11
    -0
      site/airsloop/secrets/passphrases/ucp_keystone_oslo_db_password.yaml
  92. +11
    -0
      site/airsloop/secrets/passphrases/ucp_maas_admin_password.yaml
  93. +11
    -0
      site/airsloop/secrets/passphrases/ucp_maas_postgres_password.yaml
  94. +11
    -0
      site/airsloop/secrets/passphrases/ucp_openstack_exporter_keystone_password.yaml
  95. +11
    -0
      site/airsloop/secrets/passphrases/ucp_oslo_db_admin_password.yaml
  96. +11
    -0
      site/airsloop/secrets/passphrases/ucp_oslo_messaging_password.yaml
  97. +11
    -0
      site/airsloop/secrets/passphrases/ucp_postgres_admin_password.yaml
  98. +11
    -0
      site/airsloop/secrets/passphrases/ucp_promenade_keystone_password.yaml
  99. +11
    -0
      site/airsloop/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml
  100. +11
    -0
      site/airsloop/secrets/passphrases/ucp_shipyard_keystone_password.yaml

+ 2
- 0
global/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml View File

@@ -6,6 +6,8 @@ metadata:
layeringDefinition:
abstract: false
layer: global
labels:
name: grafana-global
storagePolicy: cleartext
substitutions:
# Chart source


+ 2
- 0
global/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml View File

@@ -3,6 +3,8 @@ schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: osh-infra-ingress-controller
labels:
name: osh-infra-ingress-controller-global
layeringDefinition:
abstract: false
layer: global


+ 2
- 0
global/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml View File

@@ -3,6 +3,8 @@ schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: osh-infra-mariadb
labels:
name: osh-infra-mariadb-global
layeringDefinition:
abstract: false
layer: global


+ 2
- 0
global/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml View File

@@ -3,6 +3,8 @@ schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: prometheus
labels:
name: prometheus-global
layeringDefinition:
abstract: false
layer: global


+ 2
- 0
global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml View File

@@ -3,6 +3,8 @@ schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: tenant-ceph-ingress
labels:
name: tenant-ceph-ingress-global
layeringDefinition:
abstract: false
layer: global


+ 2
- 0
global/software/charts/ucp/ceph/ceph-ingress.yaml View File

@@ -6,6 +6,8 @@ metadata:
layeringDefinition:
abstract: false
layer: global
labels:
name: ucp-ceph-ingress-global
storagePolicy: cleartext
substitutions:
# Chart source


+ 3
- 0
global/software/manifests/bootstrap.yaml View File

@@ -6,6 +6,8 @@ metadata:
layeringDefinition:
abstract: false
layer: global
labels:
name: cluster-bootstrap-global
storagePolicy: cleartext
data:
release_prefix: airship
@@ -28,3 +30,4 @@ data:
- ucp-drydock
- ucp-promenade
- ucp-shipyard
...

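--- a/site/airsloop/baremetal/bootactions/promjoin.yaml
+++ b/site/airsloop/baremetal/bootactions/promjoin.yaml
@@ -0,0 +1,32 @@
+---
+# This file defines a boot action which is responsible for fetching the node's
+# promjoin script from the promenade API. This is the script responsible for
+# installing kubernetes on the node and joining the kubernetes cluster.
+# #GLOBAL-CANDIDATE#
+schema: 'drydock/BootAction/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: promjoin
+storagePolicy: 'cleartext'
+layeringDefinition:
+abstract: false
+layer: site
+labels:
+application: 'drydock'
+data:
+signaling: false
+# TODO(alanmeadows) move what is global about this document
+assets:
+- path: /opt/promjoin.sh
+type: file
+permissions: '555'
+# The ip= parameter must match the MaaS network name of the network used
+# to contact kubernetes. With a standard, reference Airship deployment where
+# L2 networks are shared between all racks, the network name (i.e. calico)
+# should be correct.
+location: promenade+http://promenade-api.ucp.svc.cluster.local/api/v1.0/join-scripts?design_ref={{ action.design_ref | urlencode }}&hostname={{ node.hostname }}&ip={{ node.network.calico.ip }}{% for k, v in node.labels.items() %}&labels.dynamic={{ k }}={{ v }}{% endfor %}
+location_pipeline:
+- template
+data_pipeline:
+- utf8_decode
+...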
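Review bot: In the `location` template only `design_ref` is passed through `urlencode`; `node.hostname`, `node.network.calico.ip` and the label keys and values in the `for` loop go into the query string raw. A label value containing `&`, `=` or `#` would change the request sent to the join-scripts endpoint, so I would encode them the same way, assuming the Promenade API decodes the query normally: `&hostname={{ node.hostname | urlencode }}` and `&labels.dynamic={{ k | urlencode }}={{ v | urlencode }}`. The join script is also fetched over plain `http://` and then installed at `/opt/promjoin.sh` with permissions `'555'`. The commit message says HTTP is intentional for this site type, so a comment next to `location` stating that would keep the choice from being copied into sites that do have certificates.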

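--- a/site/airsloop/baremetal/nodes.yaml
+++ b/site/airsloop/baremetal/nodes.yaml
@@ -0,0 +1,65 @@
+---
+# Drydock BaremetalNode resources for a specific rack are stored in this file.
+#
+# NOTE: For new sites, you should complete the networks/physical/networks.yaml
+# file before working on this file.
+#
+# In this file, you should make the number of `drydock/BaremetalNode/v1`
+# resources equal the number of bare metal nodes you have, either by deleting
+# excess BaremetalNode definitions (if there are too many), or by copying and
+# pasting the last BaremetalNode in the file until you have the correct number
+# of baremetal nodes (if there are too few).
+#
+# Then in each file, address all additional NEWSITE-CHANGEME markers to update
+# the data in these files with the right values for your new site.
+#
+# *NOTE: The Genesis node is counted as one of the control plane nodes. Note
+# that the Genesis node does not appear on this bare metal list, because the
+# procedure to reprovision the Genesis host with MaaS has not yet been
+# implemented. Therefore there will be only three bare metal nodes in this file
+# with the 'masters' tag, as the genesis roles are assigned in a difference
+# place (profiles/genesis.yaml).
+# NOTE: The host profiles for the control plane are further divided into two
+# variants: primary and secondary. The only significance this has is that the
+# "primary" nodes are active Ceph nodes, whereas the "secondary" nodes are Ceph
+# standby nodes. For Ceph quorum, this means that the control plane split will
+# be 3 primary + 1 standby host profile, and the Genesis node counts toward one
+# of the 3 primary profiles. Other control plane services are not affected by
+# primary vs secondary designation.
+#
+# TODO: Include the hostname naming convention
+#
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+schema: 'metadata/Document/v1'
+# NEWSITE-CHANGEME: The next node's hostname
+name: airsloop-compute-1
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: The next node's IPv4 addressing
+addressing:
+- network: oob
+address: 10.22.104.22
+- network: pxe
+address: 10.22.70.22
+- network: oam
+address: 10.22.71.22
+- network: calico
+address: 10.22.72.22
+- network: storage
+address: 10.22.73.22
+- network: overlay
+address: 10.22.74.22
+# NEWSITE-CHANGEME: The next node's host profile
+# This is the third "primary" control plane profile after genesis
+host_profile: compute_r720xd
+metadata:
+# NEWSITE-CHANGEME: The next node's rack designation
+rack: cab22
+# NEWSITE-CHANGEME: The next node's role desigatnion
+tags:
+- 'workers'
+...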
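Review bot: The header comment and the comment above `host_profile` appear to be carried over from the multi-master reference site and contradict what this file defines. They speak of three bare metal nodes tagged 'masters', a 3 primary + 1 standby Ceph split, and "the third "primary" control plane profile after genesis", while the only node here is `airsloop-compute-1` with `host_profile: compute_r720xd` and the tag `'workers'`. I would cut the two NOTE paragraphs down to what applies to a one-control, one-compute site and replace the profile comment with something like `# The single compute (worker) node; the control plane runs only on the genesis host`. The typos "difference place" and "desigatnion" can be fixed in the same pass.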

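--- a/site/airsloop/deployment/deployment-configuration.yaml
+++ b/site/airsloop/deployment/deployment-configuration.yaml
@@ -0,0 +1,41 @@
+---
+# The purpose of this file is to provide shipyard related deployment config
+# parameters. This should not require modification for a new site. However,
+# shipyard deployment strategies can be very useful in getting around certain
+# failures, like misbehaving nodes that hold up the deployment. See more at
+# https://github.com/openstack/airship-shipyard/blob/master/docs/source/site-definition-documents.rst#using-a-deployment-strategy
+schema: shipyard/DeploymentConfiguration/v1
+metadata:
+schema: metadata/Document/v1
+name: deployment-configuration
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+physical_provisioner:
+deployment_strategy: deployment-strategy
+deploy_interval: 30
+deploy_timeout: 3600
+destroy_interval: 30
+destroy_timeout: 900
+join_wait: 0
+prepare_node_interval: 30
+prepare_node_timeout: 1800
+prepare_site_interval: 10
+prepare_site_timeout: 300
+verify_interval: 10
+verify_timeout: 60
+kubernetes_provisioner:
+drain_timeout: 3600
+drain_grace_period: 1800
+clear_labels_timeout: 1800
+remove_etcd_timeout: 1800
+etcd_ready_timeout: 600
+armada:
+get_releases_timeout: 300
+get_status_timeout: 300
+manifest: 'full-site'
+post_apply_timeout: 7200
+validate_design_timeout: 600
+...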

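--- a/site/airsloop/networks/common-addresses.yaml
+++ b/site/airsloop/networks/common-addresses.yaml
@@ -0,0 +1,154 @@
+---
+# The purpose of this file is to define network related paramters that are
+# referenced elsewhere in the manifests for this site.
+#
+# TODO: Include bare metal host FQDN naming standards
+# TODO: Include ingress FQDN naming standards
+schema: pegleg/CommonAddresses/v1
+metadata:
+schema: metadata/Document/v1
+name: common-addresses
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+calico:
+# NEWSITE-CHANGEME: The interface that calico will use. Update if your
+# logical bond interface name or calico VLAN have changed from the reference
+# site design.
+# This should be whichever
+# bond and VLAN number specified in networks/physical/networks.yaml for the Calico
+# network. E.g. VLAN 22 for the calico network as a member of bond0, you
+# would set "interface=bond0.22" as shown here.
+ip_autodetection_method: interface=enp67s0f0.72
+etcd:
+# etcd service IP address
+service_ip: 10.96.232.136
+
+dns:
+# Kubernetes cluster domain. Do not change. This is internal to the cluster.
+cluster_domain: cluster.local
+# DNS service ip
+service_ip: 10.96.0.10
+# List of upstream DNS forwards. Verify you can reach them from your
+# environment. If so, you should not need to change them.
+upstream_servers:
+- 8.8.8.8
+- 8.8.4.4
+- 208.67.222.222
+# Repeat the same values as above, but formatted as a common separated
+# string
+upstream_servers_joined: 8.8.8.8,8.8.4.4,208.67.222.222
+# NEWSITE-CHANGEME: FQDN for ingress (i.e. "publicly facing" access point)
+# Choose FQDN according to the ingress/public FQDN naming conventions at
+# the top of this document.
+ingress_domain: atlantafoundry.com
+
+genesis:
+# NEWSITE-CHANGEME: Update with the hostname for the node which will take on
+# the Genesis role. Refer to the hostname naming stardards in
+# networks/physical/networks.yaml
+# NOTE: Ensure that the genesis node is manually configured with this
+# hostname before running `genesis.sh` on the node.
+hostname: airsloop-control-1
+# NEWSITE-CHANGEME: Calico IP of the Genesis node. Use the "start" value for
+# the calico network defined in networks/physical/networks.yaml for this IP.
+ip: 10.22.72.21
+
+bootstrap:
+# NEWSITE-CHANGEME: Update with the "start" value/IP of the static range
+# defined for the pxe network in networks/physical/networks.yaml
+ip: 10.22.70.21
+
+kubernetes:
+# K8s API service IP
+api_service_ip: 10.96.0.1
+# etcd service IP
+etcd_service_ip: 10.96.0.2
+# k8s pod CIDR (network which pod traffic will traverse)
+pod_cidr: 10.97.0.0/16
+# k8s service CIDR (network which k8s API traffic will traverse)
+service_cidr: 10.96.0.0/16
+# misc k8s port settings
+apiserver_port: 6443
+haproxy_port: 6553
+service_node_port_range: 30000-32767
+
+# etcd port settings
+etcd:
+container_port: 2379
+haproxy_port: 2378
+
+# NEWSITE-CHANGEME: A list of nodes (apart from Genesis) which act as the
+# control plane servers. Ensure that this matches the nodes with the 'masters'
+# tags applied in baremetal/nodes.yaml
+masters:
+- hostname: airsloop-control-2
+- hostname: airsloop-control-3
+
+# NEWSITE-CHANGEME: Environment proxy information.
+# NOTE: Reference Airship sites do not deploy behind a proxy, so this proxy section
+# should be commented out.
+# However if you are in a lab that requires proxy, ensure that these proxy
+# settings are correct and reachable in your environment; otherwise update
+# them with the correct values for your environment.
+proxy:
+http: ""
+https: ""
+no_proxy: []
+
+node_ports:
+drydock_api: 30000
+maas_api: 30001
+maas_proxy: 31800 # hardcoded in MAAS
+
+ntp:
+# comma separated NTP server list. Verify that these upstream NTP servers are
+# reachable in your environment; otherwise update them with the correct
+# values for your environment.
+servers_joined: '0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,4.ubuntu.pool.ntp.org'
+
+# NOTE: This will be updated soon
+ldap:
+# NEWSITE-CHANGEME: FQDN for LDAP. Update to the FQDN that is
+# relevant for your type of deployment (test vs prod values, etc).
+base_url: 'ldap.example.com'
+# NEWSITE-CHANGEME: As above, with the protocol included to create a full URI
+url: 'ldap://ldap.example.com'
+# NEWSITE-CHANGEME: Update to the correct expression relevant for this
+# deployment (test vs prod values, etc)
+auth_path: DC=test,DC=test,DC=com?sAMAccountName?sub?memberof=CN=test,OU=Application,OU=Groups,DC=test,DC=test,DC=com
+# NEWSITE-CHANGEME: Update to the correct AD group that contains the users
+# relevant for this deployment (test users vs prod users/values, etc)
+common_name: test
+# NEWSITE-CHANGEME: Update to the correct subdomain for your type of
+# deployment (test vs prod values, etc)
+subdomain: test
+# NEWSITE-CHANGEME: Update to the correct domain for your type of
+# deployment (test vs prod values, etc)
+domain: example
+
+storage:
+ceph:
+# NEWSITE-CHANGEME: CIDRs for Ceph. Update to match the network CIDR
+# used for the `storage` network in networks/physical/networks.yaml
+public_cidr: '10.22.73.0/24'
+cluster_cidr: '10.22.73.0/24'
+
+neutron:
+# NEWSITE-CHANGEME: Overlay network for VM traffic. Ensure the bond name and
+# VLAN number are consistent with what's defined for the bond and the overlay
+# network in networks/physical/networks.yaml
+tunnel_device: 'enp67s0f0.74'
+# bond which the overlay is a member of. Ensure the bond name is consistent
+# with the bond assigned to the overlay network in
+# networks/physical/networks.yaml
+external_iface: 'enp67s0f0'
+
+openvswitch:
+# bond which the overlay is a member of. Ensure the bond name is consistent
+# with the bond assigned to the overlay network in
+# networks/physical/networks.yaml
+external_iface: 'enp67s0f0'
+...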
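Review bot: `masters` lists `airsloop-control-2` and `airsloop-control-3`, but the commit message describes a single control host and baremetal/nodes.yaml in this commit defines only `airsloop-compute-1`, so these hostnames refer to nodes this site does not have. The comment directly above the list says it must match the nodes tagged 'masters' in baremetal/nodes.yaml. `masters: []` would state the actual layout, though I can't tell from this page whether a consumer requires a non-empty list. Separately, `ldap.url` is `'ldap://ldap.example.com'`. It is a placeholder, but a line next to its NEWSITE-CHANGEME marker such as `# Prefer ldaps:// so bind credentials are not sent in cleartext` would help whoever substitutes a real directory.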

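--- a/site/airsloop/networks/physical/networks.yaml
+++ b/site/airsloop/networks/physical/networks.yaml
@@ -0,0 +1,290 @@
+---
+# The purpose of this file is to define all of the NetworkLinks (i.e. layer 1
+# devices) and Networks (i.e. layer 3 configurations). The following is standard
+# for the logical networks in Airship:
+#
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+# | Network | | Per-rack or | | | VLAN tagged |
+# | Name | Purpose | per-site CIDR? | Has gateway? | Bond | or untagged? |
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+# | oob | Out of Band devices (iDrac/iLo) | per-site CIDR | Has gateway | No bond, N/A | Untagged/Native |
+# | pxe | PXE boot network | per-site CIDR | No gateway | No bond, no LACP fallback. Dedicated PXE interface | Untagged/Native |
+# | oam | management network | per-site CIDR | Has gateway | member of bond0 | tagged |
+# | storage | storage network | per-site CIDR | No gateway | member of bond0 | tagged |
+# | calico | underlay calico net; k8s traffic | per-site CIDR | No gateway | member of bond0 | tagged |
+# | overlay | overlay network for openstack SDN | per-site CIDR | No gateway | member of bond0 | tagged |
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+#
+# For standard Airship deployments, you should not need to modify the number of
+# NetworkLinks and Networks in this file. Only the IP addresses and CIDRs should
+# need editing.
+#
+# TODO: Given that we expect all network broadcast domains to span all racks in
+# Airship, we should choose network names that do not include the rack number.
+#
+# TODO: FQDN naming standards for hosts
+#
+schema: 'drydock/NetworkLink/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: oob
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# MaaS doesnt own this network like it does the others, so the noconfig label
+# is specified.
+labels:
+noconfig: enabled
+bonding:
+mode: disabled
+mtu: 1500
+linkspeed: auto
+trunking:
+mode: disabled
+default_network: oob
+allowed_networks:
+- oob
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: oob
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Update with the site's out-of-band CIDR
+cidr: 10.22.104.0/24
+routes:
+# NEWSITE-CHANGEME: Update with the site's out-of-band gateway IP
+- subnet: '0.0.0.0/0'
+gateway: 10.22.104.1
+metric: 100
+# NEWSITE-CHANGEME: Update with the site's out-of-band IP allocation range
+# FIXME: Is this IP range actually used/allocated for anything? The HW already
+# has its OOB IPs assigned. None of the Ubuntu OS's should need IPs on OOB
+# network either, as they should be routable via the default gw on OAM network
+ranges:
+- type: static
+start: 10.22.104.21
+end: 10.22.104.22
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: pxe
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+bonding:
+mode: disabled
+mtu: 1500
+linkspeed: auto
+trunking:
+mode: disabled
+default_network: pxe
+allowed_networks:
+- pxe
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: pxe
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Update with the site's PXE network CIDR
+# NOTE: The CIDR minimum size = (number of nodes * 2) + 10
+cidr: 10.22.70.0/24
+routes:
+- subnet: 0.0.0.0/0
+# NEWSITE-CHANGEME: Set the OAM network gateway IP address
+gateway: 10.22.70.1
+metric: 100
+# NOTE: The first 10 IPs in the subnet are reserved for network infrastructure.
+# The remainder of the range is divided between two subnets of equal size:
+# one static, and one DHCP.
+# The DHCP addresses are used when nodes perform a PXE boot (DHCP address gets
+# assigned), and when a node is commissioning in MaaS (also uses DHCP to get
+# its IP address). However, when MaaS installs the operating system
+# ("Deploying/Deployed" states), it will write a static IP assignment to
+# /etc/network/interfaces[.d] with IPs from the "static" subnet defined here.
+ranges:
+# NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+- type: reserved
+start: 10.22.70.1
+end: 10.22.70.10
+# NEWSITE-CHANGEME: Update to the first half of the remaining range after
+# excluding the 10 reserved IPs.
+- type: static
+start: 10.22.70.21
+end: 10.22.70.31
+# NEWSITE-CHANGEME: Update to the second half of the remaining range after
+# excluding the 10 reserved IPs.
+- type: dhcp
+start: 10.22.70.40
+end: 10.22.70.80
+dns:
+# NEWSITE-CHANGEME: FQDN for bare metal nodes.
+# Choose FQDN according to the node FQDN naming conventions at the top of
+# this document.
+domain: atlantafoundry.com
+# List of upstream DNS forwards. Verify you can reach them from your
+# environment. If so, you should not need to change them.
+# TODO: This should be populated via substitution from common-addresses
+servers: '8.8.8.8,8.8.4.4,208.67.222.222'
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: data
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+bonding:
+mode: disabled
+mtu: 1500
+linkspeed: auto
+trunking:
+mode: 802.1q
+allowed_networks:
+- oam
+- storage
+- overlay
+- calico
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: oam
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Set the VLAN ID which the OAM network is on
+vlan: '71'
+mtu: 1500
+# NEWSITE-CHANGEME: Set the CIDR for the OAM network
+# NOTE: The CIDR minimum size = number of nodes + 10
+cidr: 10.22.71.0/24
+routes:
+- subnet: 0.0.0.0/0
+# NEWSITE-CHANGEME: Set the OAM network gateway IP address
+gateway: 10.22.71.1
+metric: 100
+ranges:
+# NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+- type: reserved
+start: 10.22.71.1
+end: 10.22.71.10
+# NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+# 10 reserved IPs.
+- type: static
+start: 10.22.71.21
+end: 10.22.71.31
+dns:
+# NEWSITE-CHANGEME: FQDN for bare metal nodes.
+# Choose FQDN according to the node FQDN naming conventions at the top of
+# this document.
+domain: atlantafoundry.com
+# List of upstream DNS forwards. Verify you can reach them from your
+# environment. If so, you should not need to change them.
+# TODO: This should be populated via substitution from common-addresses
+servers: '8.8.8.8,8.8.4.4'
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: calico
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Set the VLAN ID which the calico network is on
+vlan: '72'
+mtu: 1500
+# NEWSITE-CHANGEME: Set the CIDR for the calico network
+# NOTE: The CIDR minimum size = number of nodes + 10
+cidr: 10.22.72.0/24
+ranges:
+# NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+- type: reserved
+start: 10.22.72.1
+end: 10.22.72.10
+# NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+# 10 reserved IPs.
+- type: static
+start: 10.22.72.21
+end: 10.22.72.31
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: storage
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Set the VLAN ID which the storage network is on
+vlan: '73'
+mtu: 1500
+# NEWSITE-CHANGEME: Set the CIDR for the storage network
+# NOTE: The CIDR minimum size = number of nodes + 10
+cidr: 10.22.73.0/24
+ranges:
+# NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+- type: reserved
+start: 10.22.73.1
+end: 10.22.73.10
+# NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+# 10 reserved IPs.
+- type: static
+start: 10.22.73.21
+end: 10.22.73.31
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: overlay
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# NEWSITE-CHANGEME: Set the VLAN ID which the overlay network is on
+vlan: '74'
+mtu: 1500
+# NEWSITE-CHANGEME: Set the CIDR for the overlay network
+# NOTE: The CIDR minimum size = number of nodes + 10
+cidr: 10.22.74.0/24
+ranges:
+# NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+- type: reserved
+start: 10.22.74.1
+end: 10.22.74.10
+# NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+# 10 reserved IPs.
+- type: static
+start: 10.22.74.21
+end: 10.22.74.31
+...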
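Review bot: The `pxe` Network defines a default route (`subnet: 0.0.0.0/0`, `gateway: 10.22.70.1`, `metric: 100`), which contradicts the table at the top of the file (pxe: "No gateway") and carries the same metric as the default route on `oam`. Hosts would presumably end up with two equal-cost default routes, one of them over the untagged provisioning network. Unless that is required here, I would drop the `routes` entry from `pxe` or give it a higher metric than the OAM route. The comment above that gateway also reads "Set the OAM network gateway IP address", and the table still lists `bond0` membership although every NetworkLink in this file has `bonding` `mode: disabled`. Both comments should be updated for this site, along with the repeated "10 10 reserved IPs" wording.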

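--- a/site/airsloop/pki/pki-catalog.yaml
+++ b/site/airsloop/pki/pki-catalog.yaml
@@ -0,0 +1,285 @@
+---
+# The purpose of this file is to define the PKI certificates for the environment
+#
+# NOTE: When deploying a new site, this file should not be configured until
+# baremetal/nodes.yaml is complete.
+#
+schema: promenade/PKICatalog/v1
+metadata:
+schema: metadata/Document/v1
+name: cluster-certificates
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+certificate_authorities:
+kubernetes:
+description: CA for Kubernetes components
+certificates:
+- document_name: apiserver
+description: Service certificate for Kubernetes apiserver
+common_name: apiserver
+hosts:
+- localhost
+- 127.0.0.1
+# FIXME: Repetition of api_service_ip in common-addresses; use
+# substitution
+- 10.96.0.1
+kubernetes_service_names:
+- kubernetes.default.svc.cluster.local
+
+# NEWSITE-CHANGEME: The following should be a list of all the nodes in
+# the environment (genesis, control plane, data plane, everything).
+# Add/delete from this list as necessary until all nodes are listed.
+# For each node, the `hosts` list should be comprised of:
+# 1. The node's hostname, as already defined in baremetal/nodes.yaml
+# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+# NOTE: This list also needs to include the Genesis node, which is not
+# listed in baremetal/nodes.yaml, but by convention should be allocated
+# the first non-reserved IP in each logical network allocation range
+# defined in networks/physical/networks.yaml
+# NOTE: The genesis node needs to be defined twice (the first two entries
+# on this list) with all of the same paramters except the document_name.
+# In the first case the document_name is `kubelet-genesis`, and in the
+# second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
+- document_name: kubelet-genesis
+common_name: system:node:airsloop-control-1
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+groups:
+- system:nodes
+- document_name: kubelet-airsloop-control-1
+common_name: system:node:airsloop-control-1
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+groups:
+- system:nodes
+- document_name: kubelet-airsloop-control-2
+common_name: system:node:airsloop-control-2
+hosts:
+- airsloop-control-2
+- 10.23.22.12
+groups:
+- system:nodes
+- document_name: kubelet-airsloop-control-3
+common_name: system:node:airsloop-control-3
+hosts:
+- airsloop-control-3
+- 10.23.22.13
+groups:
+- system:nodes
+- document_name: kubelet-airsloop-compute-1
+common_name: system:node:airsloop-compute-1
+hosts:
+- airsloop-compute-1
+- 10.23.22.14
+groups:
+- system:nodes
+# End node list
+- document_name: scheduler
+description: Service certificate for Kubernetes scheduler
+common_name: system:kube-scheduler
+- document_name: controller-manager
+description: certificate for controller-manager
+common_name: system:kube-controller-manager
+- document_name: admin
+common_name: admin
+groups:
+- system:masters
+- document_name: armada
+common_name: armada
+groups:
+- system:masters
+kubernetes-etcd:
+description: Certificates for Kubernetes's etcd servers
+certificates:
+- document_name: apiserver-etcd
+description: etcd client certificate for use by Kubernetes apiserver
+common_name: apiserver
+# NOTE(mark-burnett): hosts not required for client certificates
+- document_name: kubernetes-etcd-anchor
+description: anchor
+common_name: anchor
+# NEWSITE-CHANGEME: The following should be a list of the control plane
+# nodes in the environment, including genesis.
+# For each node, the `hosts` list should be comprised of:
+# 1. The node's hostname, as already defined in baremetal/nodes.yaml
+# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+# 4. 127.0.0.1
+# 5. localhost
+# 6. kubernetes-etcd.kube-system.svc.cluster.local
+# NOTE: This list also needs to include the Genesis node, which is not
+# listed in baremetal/nodes.yaml, but by convention should be allocated
+# the first non-reserved IP in each logical network allocation range
+# defined in networks/physical/networks.yaml, except for the kubernetes
+# service_cidr where it should start with the second IP in the range.
+# NOTE: The genesis node is defined twice with the same `hosts` data:
+# Once with its hostname in the common/document name, and once with
+# `genesis` defined instead of the host. For now, this duplicated
+# genesis definition is required. FIXME: Remove duplicate definition
+# after Promenade addresses this issue.
+- document_name: kubernetes-etcd-genesis
+common_name: kubernetes-etcd-genesis
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-1
+common_name: kubernetes-etcd-airsloop-control-1
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-2
+common_name: kubernetes-etcd-airsloop-control-2
+hosts:
+- airsloop-control-2
+- 10.23.22.12
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-3
+common_name: kubernetes-etcd-airsloop-control-3
+hosts:
+- airsloop-control-3
+- 10.23.22.13
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+# End node list
+kubernetes-etcd-peer:
+certificates:
+# NEWSITE-CHANGEME: This list should be identical to the previous list,
+# except that `-peer` has been appended to the document/common names.
+- document_name: kubernetes-etcd-genesis-peer
+common_name: kubernetes-etcd-genesis-peer
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-1-peer
+common_name: kubernetes-etcd-airsloop-control-1-peer
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-2-peer
+common_name: kubernetes-etcd-airsloop-control-2-peer
+hosts:
+- airsloop-control-2
+- 10.23.22.12
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+- document_name: kubernetes-etcd-airsloop-control-3-peer
+common_name: kubernetes-etcd-airsloop-control-3-peer
+hosts:
+- airsloop-control-3
+- 10.23.22.13
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- 10.96.0.2
+# End node list
+calico-etcd:
+description: Certificates for Calico etcd client traffic
+certificates:
+- document_name: calico-etcd-anchor
+description: anchor
+common_name: anchor
+# NEWSITE-CHANGEME: The following should be a list of the control plane
+# nodes in the environment, including genesis.
+# For each node, the `hosts` list should be comprised of:
+# 1. The node's hostname, as already defined in baremetal/nodes.yaml
+# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+# 4. 127.0.0.1
+# 5. localhost
+# 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
+# NOTE: This list also needs to include the Genesis node, which is not
+# listed in baremetal/nodes.yaml, but by convention should be allocated
+# the first non-reserved IP in each logical network allocation range
+# defined in networks/physical/networks.yaml
+- document_name: calico-etcd-airsloop-control-1
+common_name: calico-etcd-airsloop-control-1
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-airsloop-control-2
+common_name: calico-etcd-airsloop-control-2
+hosts:
+- airsloop-control-2
+- 10.23.22.12
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-airsloop-control-3
+common_name: calico-etcd-airsloop-control-3
+hosts:
+- airsloop-control-3
+- 10.23.22.13
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-node
+common_name: calcico-node
+# End node list
+calico-etcd-peer:
+description: Certificates for Calico etcd clients
+certificates:
+# NEWSITE-CHANGEME: This list should be identical to the previous list,
+# except that `-peer` has been appended to the document/common names.
+- document_name: calico-etcd-airsloop-control-1-peer
+common_name: calico-etcd-airsloop-control-1-peer
+hosts:
+- airsloop-control-1
+- 10.22.72.21
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-airsloop-control-2-peer
+common_name: calico-etcd-airsloop-control-2-peer
+hosts:
+- airsloop-control-2
+- 10.23.22.12
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-airsloop-control-3-peer
+common_name: calico-etcd-airsloop-control-3-peer
+hosts:
+- airsloop-control-3
+- 10.23.22.13
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-node-peer
+common_name: calcico-node-peer
+# End node list
+keypairs:
+- name: service-account
+description: Service account signing key for use by Kubernetes controller-manager.
+...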
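Review bot: The node lists in this catalog do not match the two-node site the commit message describes: kubelet, kubernetes-etcd and calico-etcd certificates are issued for `airsloop-control-2` and `airsloop-control-3`, and those entries plus `airsloop-compute-1` use `10.23.22.12`–`10.23.22.14`, which lie outside the `10.22.72.0/24` calico CIDR in the networks document. A certificate for a host that does not exist is a spare valid identity (the kubelet ones carry `system:nodes`), so the control-2/control-3 entries should be removed from all five lists and compute-1 given the address it has in baremetal/nodes.yaml. Separately, `common_name: calcico-node` and `common_name: calcico-node-peer` look like typos for `calico-node` / `calico-node-peer`; if anything authorises on the CN these will not match, so confirm and correct them.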

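--- a/site/airsloop/profiles/genesis.yaml
+++ b/site/airsloop/profiles/genesis.yaml
@@ -0,0 +1,49 @@
+---
+# The purpose of this file is to apply proper labels to Genesis node so the
+# proper services are installed and proper configuration applied. This should
+# not need to be changed for a new site.
+# #GLOBAL-CANDIDATE#
+schema: promenade/Genesis/v1
+metadata:
+schema: metadata/Document/v1
+name: genesis-site
+layeringDefinition:
+abstract: false
+layer: site
+parentSelector:
+name: genesis-global
+actions:
+- method: merge
+path: .
+storagePolicy: cleartext
+data:
+labels:
+dynamic:
+- beta.kubernetes.io/fluentd-ds-ready=true
+- calico-etcd=enabled
+- ceph-mds=enabled
+- ceph-mon=enabled
+- ceph-osd=enabled
+- ceph-rgw=enabled
+- ceph-mgr=enabled
+- ceph-bootstrap=enabled
+- tenant-ceph-control-plane=enabled
+- tenant-ceph-mon=enabled
+- tenant-ceph-rgw=enabled
+- tenant-ceph-mgr=enabled
+- kube-dns=enabled
+- kube-ingress=enabled
+- kubernetes-apiserver=enabled
+- kubernetes-controller-manager=enabled
+- kubernetes-etcd=enabled
+- kubernetes-scheduler=enabled
+- promenade-genesis=enabled
+- ucp-control-plane=enabled
+- maas-control-plane=enabled
+- ceph-osd-bootstrap=enabled
+- openstack-control-plane=enabled
+- openvswitch=enabled
+- openstack-l3-agent=enabled
+- node-exporter=enabled
+- fluentd=enabled
+...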

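--- a/site/airsloop/profiles/hardware/dell_r720xd.yaml
+++ b/site/airsloop/profiles/hardware/dell_r720xd.yaml
@@ -0,0 +1,49 @@
+---
+schema: 'drydock/HardwareProfile/v1'
+metadata:
+schema: 'metadata/Document/v1'
+name: dell_r720xd
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data:
+# Vendor of the server chassis
+vendor: DELL
+# Generation of the chassis model
+generation: '8'
+# Version of the chassis model within its generation - not version of the hardware definition
+hw_version: '3'
+# The certified version of the chassis BIOS
+bios_version: '2.2.3'
+# Mode of the default boot of hardware - bios, uefi
+boot_mode: bios
+# Protocol of boot of the hardware - pxe, usb, hdd
+bootstrap_protocol: pxe
+# Which interface to use for network booting within the OOB manager, not OS device
+pxe_interface: 0
+# Map hardware addresses to aliases/roles to allow a mix of hardware configs
+# in a site to result in a consistent configuration
+device_aliases:
+
+## network
+# eno1
+pxe_nic01:
+address: '0000:01:00.0'
+# type could identify expected hardware - used for hardware manifest validation
+dev_type: 'I350 Gigabit Network Connection'
+bus_type: 'pci'
+# enp67s0f0
+data_nic01:
+address: '0000:43:00.0'
+dev_type: 'Ethernet 10G 2P X520 Adapter'
+bus_type: 'pci'
+# enp67s0f1
+
+## storage
+# /dev/sda
+bootdisk:
+address: '0:2.0.0'
+dev_type: 'PERC H710P'
+bus_type: 'scsi'
+...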

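--- a/site/airsloop/profiles/host/compute.yaml
+++ b/site/airsloop/profiles/host/compute.yaml
@@ -0,0 +1,80 @@
+---
+# The data plane host profile for Airship for DELL R720s, and should
+# not need to be altered if you are using matching HW. The host profile is setup
+# for cpu isolation (for nova pinning), hugepages, and sr-iov.
+schema: drydock/HostProfile/v1
+metadata:
+schema: metadata/Document/v1
+name: compute_r720xd
+storagePolicy: cleartext
+layeringDefinition:
+abstract: false
+layer: site
+parentSelector:
+hosttype: dp-global
+actions:
+- method: replace
+path: .interfaces
+- method: replace
+path: .storage
+- method: merge
+path: .
+data:
+hardware_profile: dell_r720xd
+
+primary_network: oam
+interfaces:
+pxe:
+device_link: pxe
+slaves:
+- pxe_nic01
+networks:
+- pxe
+data:
+device_link: data
+slaves:
+- data_nic01
+networks:
+- oam
+- storage
+- overlay
+- calico
+
+storage:
+physical_devices:
+bootdisk:
+labels:
+bootdrive: 'true'
+partitions:
+- name: 'root'
+size: '30g'
+bootable: true
+filesystem:
+mountpoint: '/'
+fstype: 'ext4'
+mount_options: 'defaults'
+- name: 'boot'
+size: '1g'
+filesystem:
+mountpoint: '/boot'
+fstype: 'ext4'
+mount_options: 'defaults'
+- name: 'var_log'
+size: '100g'
+filesystem:
+mountpoint: '/var/log'
+fstype: 'ext4'
+mount_options: 'defaults'
+- name: 'var'
+size: '>100g'
+filesystem:
+mountpoint: '/var'
+fstype: 'ext4'
+mount_options: 'defaults'
+
+platform:
+image: 'xenial'
+kernel: 'ga-16.04'
+kernel_params:
+kernel_package: 'linux-image-4.4.0-137-generic'
+...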
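Review bot: The header comment says this profile is set up for CPU isolation, hugepages and SR-IOV, but `kernel_params` sets only `kernel_package` and nothing else under `data` configures any of the three; whether the `dp-global` parent supplies them cannot be seen from this file. An operator relying on the comment would assume isolation that this document does not configure, so the comment should describe what the file actually sets, e.g. `# Data plane host profile for DELL R720xd on the Ubuntu 16.04 GA kernel; CPU isolation, hugepages and SR-IOV are not configured here.` The comment also says "R720s" while the profile and hardware document are named `r720xd`.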

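--- a/site/airsloop/profiles/region.yaml
+++ b/site/airsloop/profiles/region.yaml
@@ -0,0 +1,53 @@
+---
+# The purpose of this file is to define the drydock Region, which in turn drives
+# the MaaS region.
+schema: 'drydock/Region/v1'
+metadata:
+schema: 'metadata/Document/v1'
+# NEWSITE-CHANGEME: Replace with the site name
+name: airsloop
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+substitutions:
+# NEWSITE-CHANGEME: Substitutions from deckhand SSH public keys into the
+# list of authorized keys which MaaS will register for the build-in "ubuntu"
+# account during the PXE process. Create a substitution rule for each SSH
+# key that should have access to the "ubuntu" account (useful for trouble-
+# shooting problems before UAM or UAM-lite is operational). SSH keys are
+# stored as secrets in site/airsloop/secrets.
+- dest:
+# Add/replace the first item in the list
+path: .authorized_keys[0]
+src:
+schema: deckhand/PublicKey/v1
+# This should match the "name" metadata of the SSH key which will be
+# substituted, located in site/airsloop/secrets folder.
+name: airsloop_ssh_public_key
+path: .
+- dest:
+path: .repositories.main_archive
+src:
+schema: pegleg/SoftwareVersions/v1
+name: software-versions
+path: .packages.repositories.main_archive
+# Second key example
+#- dest:
+# # Increment the list index
+# path: .authorized_keys[1]
+# src:
+# schema: deckhand/PublicKey/v1
+# # your ssh key
+# name: MY_USER_ssh_public_key
+# path: .
+data:
+tag_definitions: []
+# This is the list of SSH keys which MaaS will register for the built-in
+# "ubuntu" account during the PXE process. This list is populated by
+# substitution, so the same SSH keys do not need to be repeated in multiple
+# manifests.
+authorized_keys: []
+repositories:
+remove_unlisted: true
+...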

+ 2387
- 0
site/airsloop/secrets/certificates/certificates.yaml
File diff suppressed because it is too large


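--- a/site/airsloop/secrets/passphrases/airsloop_crypt_password.yaml
+++ b/site/airsloop/secrets/passphrases/airsloop_crypt_password.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: airsloop_crypt_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+# Pass: airsloop123
+data: $6$AVL7yH1sLYlKqvcK$ngUiLKYZQhhj07Lb3ngWa4qVwDgUP9pCGfGFG7JIpF.6iStnfEMeySf8XusA0/3i9O5gMHE9hbg1/4GrFb5rR0
+...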
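Review bot: The `# Pass: airsloop123` comment publishes the plaintext behind the SHA-512 crypt hash on the next line, which removes the only protection that storing a hash gives. The account this hash is applied to is not visible here, but any host built from this document unchanged would accept a password that is printed in the repository. Replace the comment with an instruction rather than the value, e.g. `# NEWSITE-CHANGEME: replace with your own hash (mkpasswd --method=sha-512)`, and regenerate the hash so the committed one no longer corresponds to a known password.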

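--- a/site/airsloop/secrets/passphrases/ceph_fsid.yaml
+++ b/site/airsloop/secrets/passphrases/ceph_fsid.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: ceph_fsid
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+# uuidgen
+data: d52a9d00-64b9-45f0-b564-08dffe95f847
+...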

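--- a/site/airsloop/secrets/passphrases/ceph_swift_keystone_password.yaml
+++ b/site/airsloop/secrets/passphrases/ceph_swift_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: ceph_swift_keystone_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...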
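Review bot: `data: airsloop123` is a fixed, guessable password committed with `storagePolicy: cleartext`, and the same value is repeated in `ipmi_admin_password.yaml` and in the `osh_*` passphrase documents that follow (database, messaging, Keystone admin and LDAP, Grafana/Nagios/Prometheus admin, RabbitMQ Erlang cookies). One known string therefore covers every service and the out-of-band management interface of any site deployed without editing these files. The four `osh_infra_rgw_s3_*` documents have the same weakness with values that restate the key name (`admin_secret_key`, `elastic_secret_key`). If these are meant only as lab defaults, each file should say so above `data:` with `# NEWSITE-CHANGEME: generate a unique value for this site`, and sites holding real data should use `storagePolicy: encrypted`.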

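--- a/site/airsloop/secrets/passphrases/ipmi_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/ipmi_admin_password.yaml
@@ -0,0 +1,13 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: ipmi_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+labels:
+name: ipmi-admin-password-site
+storagePolicy: cleartext
+data: airsloop123
+...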

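--- a/site/airsloop/secrets/passphrases/maas-region-key.yaml
+++ b/site/airsloop/secrets/passphrases/maas-region-key.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: maas-region-key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+# openssl rand -hex 10
+data: e12330cfe038735aee32
+...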
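Review bot: The region key is a literal value committed to the repository, so every site deployed from this reference shares it unless the operator knows to replace it; the `# openssl rand -hex 10` comment records how it was produced but not that it must be regenerated. Suggest changing the comment to `# NEWSITE-CHANGEME: regenerate per site with: openssl rand -hex 10`. The value should also be quoted (`data: 'e12330cfe038735aee32'`), because a freshly generated hex string that happens to contain only digits, or digits around a single `e`, can be read as a number by some YAML loaders.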

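--- a/site/airsloop/secrets/passphrases/osh_barbican_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_barbican_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_barbican_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...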

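--- a/site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_barbican_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...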

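--- a/site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_barbican_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...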

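--- a/site/airsloop/secrets/passphrases/osh_barbican_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_barbican_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_barbican_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...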

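--- a/site/airsloop/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_barbican_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...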

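--- a/site/airsloop/secrets/passphrases/osh_cinder_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_cinder_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_cinder_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...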

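--- a/site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_cinder_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...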

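--- a/site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_cinder_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...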

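--- a/site/airsloop/secrets/passphrases/osh_cinder_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_cinder_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_cinder_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...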

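--- a/site/airsloop/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_cinder_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...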

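--- a/site/airsloop/secrets/passphrases/osh_glance_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_glance_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_glance_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...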

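--- a/site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_glance_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...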

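--- a/site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_glance_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...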

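--- a/site/airsloop/secrets/passphrases/osh_glance_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_glance_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_glance_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...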

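--- a/site/airsloop/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_glance_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...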

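--- a/site/airsloop/secrets/passphrases/osh_heat_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...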

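--- a/site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...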

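--- a/site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...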

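--- a/site/airsloop/secrets/passphrases/osh_heat_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...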

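--- a/site/airsloop/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...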

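--- a/site/airsloop/secrets/passphrases/osh_heat_stack_user_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_stack_user_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_stack_user_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...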

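--- a/site/airsloop/secrets/passphrases/osh_heat_trustee_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_heat_trustee_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_heat_trustee_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...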

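--- a/site/airsloop/secrets/passphrases/osh_horizon_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_horizon_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_horizon_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...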

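--- a/site/airsloop/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_elasticsearch_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...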

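--- a/site/airsloop/secrets/passphrases/osh_infra_grafana_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_grafana_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_grafana_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...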

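--- a/site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_grafana_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...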

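--- a/site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_grafana_oslo_db_session_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...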

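--- a/site/airsloop/secrets/passphrases/osh_infra_nagios_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_nagios_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_nagios_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...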

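--- a/site/airsloop/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_openstack_exporter_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...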

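--- a/site/airsloop/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_oslo_db_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...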

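--- a/site/airsloop/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_oslo_db_exporter_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...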

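--- a/site/airsloop/secrets/passphrases/osh_infra_prometheus_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_prometheus_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_prometheus_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...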

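--- a/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_rgw_s3_admin_access_key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: admin_access_key
+...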

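--- a/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_rgw_s3_admin_secret_key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: admin_secret_key
+...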

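--- a/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_rgw_s3_elasticsearch_access_key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: elastic_access_key
+...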

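--- a/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml
+++ b/site/airsloop/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_infra_rgw_s3_elasticsearch_secret_key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: elastic_secret_key
+...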

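--- a/site/airsloop/secrets/passphrases/osh_keystone_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...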

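--- a/site/airsloop/secrets/passphrases/osh_keystone_ldap_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_ldap_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_ldap_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...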

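--- a/site/airsloop/secrets/passphrases/osh_keystone_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...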

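--- a/site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...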

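--- a/site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...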

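--- a/site/airsloop/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_keystone_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...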

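--- a/site/airsloop/secrets/passphrases/osh_neutron_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_neutron_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_neutron_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...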

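--- a/site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_neutron_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...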

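--- a/site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_neutron_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...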

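--- a/site/airsloop/secrets/passphrases/osh_neutron_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_neutron_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_neutron_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...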

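--- a/site/airsloop/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_neutron_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...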

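--- a/site/airsloop/secrets/passphrases/osh_nova_oslo_db_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_nova_oslo_db_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...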

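--- a/site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_nova_oslo_messaging_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...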

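--- a/site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_nova_oslo_messaging_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...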

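--- a/site/airsloop/secrets/passphrases/osh_nova_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_nova_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...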

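--- a/site/airsloop/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_nova_rabbitmq_erlang_cookie
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...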

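--- a/site/airsloop/secrets/passphrases/osh_oslo_cache_secret_key.yaml
+++ b/site/airsloop/secrets/passphrases/osh_oslo_cache_secret_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_oslo_cache_secret_key
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...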

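--- a/site/airsloop/secrets/passphrases/osh_oslo_db_admin_password.yaml
+++ b/site/airsloop/secrets/passphrases/osh_oslo_db_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+schema: metadata/Document/v1
+name: osh_oslo_db_admin_password
+layeringDefinition:
+abstract: false
+layer: site
+storagePolicy: cleartext
+data: airsloop123
+...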

+ 11
- 0
site/airsloop/secrets/passphrases/osh_oslo_db_exporter_password.yaml View File

@@ -0,0 +1,11 @@
---
schema: deckhand/Passphrase/v1
metadata:
schema: metadata/Document/v1
name: osh_oslo_db_exporter_password