From a06003c0047d085d61c9e4131c53922222a3211c Mon Sep 17 00:00:00 2001 
From: Siraj Yasin Date: Mon, 27 Sep 2021 18:46:06 +0000 Subject: [PATCH] update secrets to align with airshipctl * Align treasuremap virtual-airship-core site to recent changes of airshipctl * This PS takes care of only the "airship-core" type and all other sites will fail validate docs until the secrets are aligned. * So the validate_docs is invoked with parameter "virtual-airship-core" to run document validation just for virtual-airship-core reference airshipctl commit: e2c56108eef38dd83df52fcfd1fa6844e5376a56 Change-Id: I2e6149951beca570a3cadeecbc05366325c80286 --- .../encryption-keys/kustomization.yaml | 3 + .../encrypted/get/kustomization.yaml | 3 + .../encrypted/update/kustomization.yaml | 12 ++ .../encrypted/update/secrets.yaml | 15 ++ .../catalogues/encrypted/kustomization.yaml | 6 + .../catalogues/encrypted/secrets.yaml | 91 ++++++++++++ .../ephemeral/catalogues/kustomization.yaml | 6 +- .../catalogues/public-keys/example.pub | 92 ++++++++++++ .../catalogues/public-keys/kustomization.yaml | 10 ++ .../catalogues/shareable/kustomization.yaml | 6 + .../{ => shareable}/networking.yaml | 0 .../kubeconfig/kustomization.yaml | 3 +- .../kubeconfig/update-target.yaml | 24 +-- .../catalogues/encrypted/kustomization.yaml | 6 + .../target/catalogues/encrypted/secrets.yaml | 73 +++++++++ .../target/catalogues/kustomization.yaml | 10 +- .../target/catalogues/public-keys/example.pub | 51 +++++++ .../catalogues/public-keys/kustomization.yaml | 10 ++ .../catalogues/{ => shareable}/hosts.yaml | 0 .../catalogues/shareable/kustomization.yaml | 12 ++ .../{ => shareable}/networking-ha.yaml | 0 .../{ => shareable}/networking.yaml | 0 .../catalogues/{ => shareable}/storage.yaml | 0 .../{ => shareable}/versions-airshipctl.yaml | 0 .../encrypted/generator/kustomization.yaml | 4 - .../encrypted/importer/kustomization.yaml | 4 - .../encrypted/results/kustomization.yaml | 4 +- .../airship-core/phases/kustomization.yaml | 2 +- .../cleanup/kustomization.yaml | 2 + 
.../shared/decrypt-secrets/cleanup/patch.yaml | 12 ++ .../configurable-decryption.yaml | 11 +- .../decrypt-secrets/kustomization.yaml | 0 .../cleanup/kustomization.yaml | 2 + .../shared/encrypt-secrets/cleanup/patch.yaml | 13 ++ .../encrypt-secrets/encrypt-ephemeral.yaml | 17 +++ .../encrypt-secrets/encrypt-target.yaml | 17 +++ .../shared/encrypt-secrets/kustomization.yaml | 3 + .../fileplacement/filepaths.yaml | 25 ++++ .../fileplacement/kustomization.yaml | 2 + .../shared/update-secrets/kustomization.yaml | 2 + .../shared/update-secrets/template.yaml | 140 ++++++++++++++++++ .../generator/fileplacement/filepaths.yaml | 11 -- .../fileplacement/kustomization.yaml | 2 - .../target/generator/kustomization.yaml | 2 - .../target/generator/secret-template.yaml | 63 -------- .../importer/fileplacement/filepaths.yaml | 11 -- .../importer/fileplacement/kustomization.yaml | 2 - playbooks/get-vm-config.yaml | 4 +- .../deployment/common/23_generate_secrets.sh | 34 +++-- zuul.d/jobs.yaml | 2 +- zuul.d/projects.yaml | 2 +- 51 files changed, 677 insertions(+), 149 deletions(-) create mode 100644 manifests/site/virtual-airship-core/encrypted/encryption-keys/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/encrypted/get/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/encrypted/update/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/encrypted/update/secrets.yaml create mode 100644 manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/secrets.yaml create mode 100644 manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/example.pub create mode 100644 manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/kustomization.yaml rename 
manifests/site/virtual-airship-core/ephemeral/catalogues/{ => shareable}/networking.yaml (100%) create mode 100644 manifests/site/virtual-airship-core/target/catalogues/encrypted/kustomization.yaml create mode 100644 manifests/site/virtual-airship-core/target/catalogues/encrypted/secrets.yaml create mode 100644 manifests/site/virtual-airship-core/target/catalogues/public-keys/example.pub create mode 100644 manifests/site/virtual-airship-core/target/catalogues/public-keys/kustomization.yaml rename manifests/site/virtual-airship-core/target/catalogues/{ => shareable}/hosts.yaml (100%) create mode 100644 manifests/site/virtual-airship-core/target/catalogues/shareable/kustomization.yaml rename manifests/site/virtual-airship-core/target/catalogues/{ => shareable}/networking-ha.yaml (100%) rename manifests/site/virtual-airship-core/target/catalogues/{ => shareable}/networking.yaml (100%) rename manifests/site/virtual-airship-core/target/catalogues/{ => shareable}/storage.yaml (100%) rename manifests/site/virtual-airship-core/target/catalogues/{ => shareable}/versions-airshipctl.yaml (100%) delete mode 100644 manifests/site/virtual-airship-core/target/encrypted/generator/kustomization.yaml delete mode 100644 manifests/site/virtual-airship-core/target/encrypted/importer/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/decrypt-secrets/cleanup/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/decrypt-secrets/cleanup/patch.yaml rename manifests/type/airship-core/{target => shared}/decrypt-secrets/configurable-decryption.yaml (65%) rename manifests/type/airship-core/{target => shared}/decrypt-secrets/kustomization.yaml (100%) create mode 100644 manifests/type/airship-core/shared/encrypt-secrets/cleanup/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/encrypt-secrets/cleanup/patch.yaml create mode 100644 manifests/type/airship-core/shared/encrypt-secrets/encrypt-ephemeral.yaml create mode 100644 
manifests/type/airship-core/shared/encrypt-secrets/encrypt-target.yaml create mode 100644 manifests/type/airship-core/shared/encrypt-secrets/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/update-secrets/fileplacement/filepaths.yaml create mode 100644 manifests/type/airship-core/shared/update-secrets/fileplacement/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/update-secrets/kustomization.yaml create mode 100644 manifests/type/airship-core/shared/update-secrets/template.yaml delete mode 100644 manifests/type/airship-core/target/generator/fileplacement/filepaths.yaml delete mode 100644 manifests/type/airship-core/target/generator/fileplacement/kustomization.yaml delete mode 100644 manifests/type/airship-core/target/generator/kustomization.yaml delete mode 100644 manifests/type/airship-core/target/generator/secret-template.yaml delete mode 100644 manifests/type/airship-core/target/importer/fileplacement/filepaths.yaml delete mode 100644 manifests/type/airship-core/target/importer/fileplacement/kustomization.yaml
diff --git a/manifests/site/virtual-airship-core/encrypted/encryption-keys/kustomization.yaml b/manifests/site/virtual-airship-core/encrypted/encryption-keys/kustomization.yaml
new file mode 100644
index 000000000..65b09265d
--- /dev/null
+++ b/manifests/site/virtual-airship-core/encrypted/encryption-keys/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - ../../ephemeral/catalogues/public-keys/
+ - ../../target/catalogues/public-keys/
diff --git a/manifests/site/virtual-airship-core/encrypted/get/kustomization.yaml b/manifests/site/virtual-airship-core/encrypted/get/kustomization.yaml
new file mode 100644
index 000000000..4762ccd08
--- /dev/null
+++ b/manifests/site/virtual-airship-core/encrypted/get/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - ../../ephemeral/catalogues/encrypted
+ - ../../target/catalogues/encrypted
diff --git a/manifests/site/virtual-airship-core/encrypted/update/kustomization.yaml b/manifests/site/virtual-airship-core/encrypted/update/kustomization.yaml
new file mode 100644
index 000000000..154fff8c7
--- /dev/null
+++ b/manifests/site/virtual-airship-core/encrypted/update/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+ - ../get/
+ - ../encryption-keys/
+ - secrets.yaml
+ - ../../../../../../airshipctl/manifests/function/templater-helpers/secret-generator/ # libs needed for generator
+transformers:
+ - ../../../../type/airship-core/shared/update-secrets/
+ - ../../../../../../airshipctl/manifests/function/templater-helpers/cleanup/ # remove libs after using in all generators
+ - ../../../../type/airship-core/shared/update-secrets/fileplacement # update paths for imports
+ - ../../../../type/airship-core/shared/encrypt-secrets
+ - ../../../../type/airship-core/shared/encrypt-secrets/cleanup
+
diff --git a/manifests/site/virtual-airship-core/encrypted/update/secrets.yaml b/manifests/site/virtual-airship-core/encrypted/update/secrets.yaml
new file mode 100644
index 000000000..76de49dcb
--- /dev/null
+++ b/manifests/site/virtual-airship-core/encrypted/update/secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ labels:
+ airshipit.org/deploy-k8s: 'false'
+ name: combined-ephemeral-secrets-import
+secretGroups: []
+---
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ labels:
+ airshipit.org/deploy-k8s: 'false'
+ name: combined-target-secrets-import
+secretGroups: []
diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/kustomization.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/kustomization.yaml
new file mode 100644
index 000000000..2e0a8fcf7
--- /dev/null
+++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/kustomization.yaml
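Review bot: The order of the `transformers:` list in `encrypted/update/kustomization.yaml` is what keeps secrets from leaving this build unencrypted, and nothing in the file says so. `../get/` pulls in the two `encrypted` catalogues, whose own kustomizations run `decrypt-secrets`, so the documents are presumably cleartext from that point until `encrypt-secrets` runs. If `encrypt-secrets` were moved ahead of `update-secrets` or dropped, newly generated values would presumably be written out unencrypted. I would add a comment above the list, for example `# order matters: secrets are plaintext until encrypt-secrets runs; keep encrypt-secrets and its cleanup last`.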
@@ -0,0 +1,6 @@
+resources:
+ - secrets.yaml
+
+transformers:
+ - ../../../../../type/airship-core/shared/decrypt-secrets/
+ - ../../../../../type/airship-core/shared/decrypt-secrets/cleanup/
diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/secrets.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/secrets.yaml
new file mode 100644
index 000000000..ca11acc21
--- /dev/null
+++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/encrypted/secrets.yaml
@@ -0,0 +1,91 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + labels: + airshipit.org/deploy-k8s: 'false' + name: combined-ephemeral-secrets +secretGroups: +- name: isoImageSecrets + updated: '2021-08-10T20:00:40Z' + values: + - data: 'ENC[AES256_GCM,data:TYMniBOXUzUWROJBIIM=,iv:2rnni6xgiooCBArUCrypA1jYuWbUofqli37SVMlaAwc=,tag:ipRCGuGwYbnibougLr8MvA==,type:str]' + name: rootPasswd + - data: 'ENC[AES256_GCM,data:duXgFUM9nTWEwx+nJrA=,iv:5ZfOPqnqGkfx+ibJwWUYmoQlETjU7EZbhRbzIuRQnXM=,tag:J3gzhybmEGPZxYC+ZvO0VQ==,type:str]' + name: deployerPasswd +- name: ephemeralK8sSecrets + updated: '2021-08-10T20:00:40Z' + values: + - data: 'ENC[AES256_GCM,data:MsAZOpDilAgx4mFIV769NMEQUSBSgK0Mz/+ChIcdtBZvTMAXf2Z2Dp2dhjdokwKLnNOv3jdbfwjGFDsxvwXHyqa5p2zbhXDLcvw8gShs/tpc8OkdVl6CpdObhwV9ayrzRFtewWswLr6IukoryP1b3EE9z2GXUO7/+bNOW0pMBXzeV9UO9n/DqxnbPsAOfuofUmY2NPQdhErJaMNhHMQeVa5U1B5qyy4H15rNPkSGZbjcRgzHopRP+qduig7zRdJOGqP+vRXlkrdLLFuyZbGD3i+2QUWoek1i+5znAoHASYsvBKOlnNgYVm/7WM4uckHbblzL4dromo99HPdsL/ugS0FVZQOTwBCRtSW2pOYNMXf3dQnxt91MC/v1mHNpgoju5Yyd+5GSmc/Czr+kva77RE109CFf9eUl9ReDpSqV1c1P8Sltq48wGUmNKl6KAN0OBkeALJIf/4izkEXUbUw2mTrtZuNjvFHk3Hkl7SZ65TVkA5ei0m7ejhpi5ugX5XWq1potAEKWlqVawXTP5qVwaN7RTCZgHvA7GjubQb/X2BCpUeZIQXbeXOyS46ZsWxPT5ZlH7d1l+ltRv7xcrj+ROpMgr4xrJlkx8Xfn86FWf7qMAXFeB8hNtY1XIQZ4ZKyXp19E3hvBMIOmdm9zGFWV1/7RdKmyfIs2+GJ/ATmeoDLlCVAin3oX+s52N5FfTh2ivmHfWnpFpHfj7K+BOjm+BwoBIzq2KC+H6WGo+GSrOhotygcq8i0XESqh/S+hN+WHNLFE/jsuCNtPOM9TXJwgSYJ3jU4ufvlSsA4sA8cJAjlBRsHcGGjPe6g+gdn6lZCzBe/CU0dlob7JNmpOapv1jUY81fTy0jq5hte4Zalj5JRRsGdc/kzY5h90ZT0VlRiq36NL3cFlahSaSIhVL8NH72MPep98SR2HSGTqcJDfrsmXQaIpJmZu5TE1pPgjBO7JXtWWHxdV9WWwxlZ/j0/oQSyunC2WO+zZbiHKoNBP3XKn9WY2Hje1YJ07H3dzOK1+bYykegePau3LSPuoRxP6tgFFpxlI7xtMi+38C7nGZI6XwPz2i8w99cxpvIxc5JS6eRR7GEZMSQQc/KtxRd7/W3sZJ8ylfQ7XXXrOGISv2Uki8p+n7XpYHdNJU02DfCAFTIa6e1cYBN4Ke8/IbB9Z8lqv4ZcHos2ceXE3rOwS23A6deShWg/lzUYzjQQN7BBasH1Bbxr6HYv/uAfiMzfOqHYUdd/i4aAsgDU8gZACHmEFR4kU/OGlk0AFmmqFZij75glJS2Pb1O9/lH6ZkRMg8M86QfBwwE+bt9xDfTUf
q99wey54IxkZe7Rg1ESPc2R104E9lwm5CQ+XpdMCjaf1s3m12b5/ZTyjAEs2k2hCmxo1NsidbQhv/oFQDgdhsid70FTLhLD46WSoKG0NSplQ5tZr82HF9ycoEDVubtYO8mibjS3xcndDBnq2MwCJxCCCSjqWrBgaMyzp/YAhOyUtUNWAsZxBiMVDnmtmKf74mhYQGH41/om2RoJgvsjo0Qxbt/DjrtASHeGPm9DlITA0xi8cMKnLi0P9t31KkNA94DIPXOnK8TU32jLcOxjuasMIJVIpmaw4XWYRSSVs8WB3jhOJ83dr3kTfId3lKQi5zQOY6NNajHjD/lxIkdc8Q7cHCyV2fu80WeMPYGA5PcstfEpLhbJbIpJ9r98FeUrcjPJcuhg4sku5T9ojaltckOdeUib8D0o8f8Ta3z+3GgQtDa8CiYGTvEQigmZclHFmOMe1MsZu2Uvs6k/jCQrmk+9Xk0uNXr4YlQyeYH5DQ4WyvjZGSrVUMC/EzV6hT9+CDcjjhwOYKq6onjv66DbsfHcsUbRzwqv9nh+4BvkHz+zZhJm6CVy1oopP6CbGkPa5QcUbHyrQgYJ1c3H9ZICUynlvATft8FJ5wo3jbZDimEkRUxMD/+IaEEIqTBdvYQNs3NnegfoxoR043udiGpaRT2By9y2cXdP2ThftrZrVMBV9JNu45tgGltUzldAQkcaQkYA=,iv:21tSh1/+sShGLWR5TxB/2nHfMW4YzKOf1D6yE0jitho=,tag:6k0Rbfk+rf3wIIe1FhW2rA==,type:str]' + name: caCrt + - data: 'ENC[AES256_GCM,data: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,iv:DYwZlqxHUmFnhIy9S9OadGO2h3z67p8F+QmHVQQnuqE=,tag:I5W61XpWE4sWv7EEgLQnPw==,type:str]' + name: caKey + - data: 'ENC[AES256_GCM,data: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,iv:pgVhozoNdRTBi2Y4zzx5bybtuWkP7R0enTXwfbrHKOE=,tag:71AKiBMZ/sBD/zWBgVMFOg==,type:str]' + name: crt + - data: 'ENC[AES256_GCM,data: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,iv:ZVGs1HdrjkgpfKRMLnKEnZDdqD6sRO8h1/8V1W5QXRM=,tag:TUZXvh3hd+nRKaull1P+nA==,type:str]' + name: key +sops: + age: [] + azure_kv: [] + encrypted_regex: ^(data)$ + gcp_kms: [] + hc_vault: + - created_at: '2021-08-11T17:27:07Z' + enc: 
'vault:v1:dTgln4Sz23VgKsMigpRssTtx7X8XB6wjCPDJGzvLRnM+LKpGnYdyppyYg4mha5mXLes5ke5RAj5CQHa5ccj+yaZFnCKihqZ1SkHDYhExXyBy9dNb2X8yDHx8Iix8Ir8icSEw+GZkG92xIbDHYxU4LgPgMAu9mQ5BUKGKv+IDpA/WKBRvvsczgVVDsuleBNnIQkxiU811RnqhYPojrPJefBcBXNsC2IgV0E9Lfo49Zm5HvOvPDaolucfteVAxIw3nTYToO/v2IV3I9X5NiWOvmYQ9JMvv83pmYgdkXlqekez4PPlADqUSZ/cW8B2UV21i46rW9Ilqui9eDv9SQMFg/xRbDu1pfXlKc4BGmUVrnH838mSCfizvNN+sX1ST6wrGtfOQA05wYtssbqRXrXbJ9dzjnkWnHWqEsTmS82uSu4tohsu29fRVwOgWfxHGKmhZuKYt2iggI/fn43CNyLgw2cRaXaXQFuTtefCAQ9toUOH4vOiZ9rDYsM8dInBukzYAcRAydZ1hVnhfm+UjfhS+e6MRDhA33BF/4VZzFW+mv9/1VzzbrZZE9x+juTDakmfcxj+Y88a8fgmkFfHpCAGnapdqpwvQ1/jomiCzLkQYPw8nRsirxDThggJBQ5IWqmINpr6wbx1A5eaepoAiGxEUTatFZdfVYL+tqO9Auz1xdvA=' + engine_path: sops + key_name: firstkey + vault_address: 'http://127.0.0.1:8200' + - created_at: '2021-08-11T17:27:07Z' + enc: 'vault:v1:hGmSWtvLej7IwtrKrjnfFv0vd+X0CeClUCzjgLXTz72zpEp+0velsci/5QYgr+N39Z0ZPt3a6PdwNN8Epuzwtbos66bWCaVz4LM7e6zj41mZczgXQMvEm4YRGFnVXGvB5Hp3OexROCBa3HskFTWqSFeqV6pzOKv+1Z12mGVqVNMJasU4aTM8kN/yvWaUyk8RYoh9q2FLwAawLFBhbXPPQ+HJeQcvaFN8/q0OH2mF37pvk3Vu7hm0Arok95HRfziyO6CMZymSKB9zsfeajYCNtTpZ7KDSwPIZraxqZQXrtUvQE97lvBwnMLhdA3bPAxq+tk498f5Qgkl4q2ikFLE13Q==' + engine_path: sops + key_name: secondkey + vault_address: 'http://127.0.0.1:8200' + kms: [] + lastmodified: '2021-08-11T17:27:08Z' + mac: 'ENC[AES256_GCM,data:qRm8PgsmzgsfEUST2l3Qai6NYqSmQYVjmSeqKXVNIzW86+5VpAgvtfeb+CYW2PoDyErPdUN2aVlCCIIMSHcvs/oeQenjhxuhD10Tq6YCSW6xdr18y9l2gfQk7he0lQrQD0G3s13ljW3pENSb5veD1z9jjePCUzMYxFag/AYKMa4=,iv:tNYu1HUIPUZv1Eu1uIejskm/oKY97ViHpByVsP4gcic=,tag:VChCD235OtUIFJY7LOZsPQ==,type:str]' + pgp: + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAyUpShfNkFB/AQgAovWJoL1kvunbQqgZVRDIpHJa4zPkbMv4kr7XHGSaKaJk + 7YIG6/tHJnbGWeEoJmjg06nbN0ovMBt2Aw8nEocirLgsdq8dSdCePiRQw9SZ/rAL + U0F+iItqqf9Xe0vxZAwJHnm2Gd2OTkZ5DXvmL3NdOb6zD7c/pQbMpPpYXXeKTnqs + R+b/V8lUCpRQbrmCLAf00Dl59+92hCZH7IZoLq60hTqjEcLJivRd+JHnYHFKYD7U + 
rWcZUmXb5YKSG90L42/E+KuUMqiNf2QUJYZos+2s4GWVOZJ21+C5ciPEs1ep1RRI + orc/4oGuMNiaGforo+gYv0GYvWp/pfIzpimD4uoclNJeAQmfo63FskWSqm2ON0jc + d6HNRqBMprGtvQjK9ES6gJotHV8iM1vTOnOchvWkl9Vwe3ZJiYYMFxqzjjWnSF6c + rKIhPfUeXP8kdADct7poEdjWfnkCqsOh7XmHKUHb+A== + =iW1A + -----END PGP MESSAGE----- + fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hIwDXFUltYFwV4MBBACc87vDwuhVG9NN0BK77GsH4PzZ23gVdqR/FB/BsUVKfIdE + Gm19aZZAlSL/AstATpddhXM2IRtDUM9sMRGfbr/E1r8qEByoUVruPGORsAhgvOfV + zEhts2UP4R6c1H7pT8JojrXpPQidlUj7hpCDDRczZlEgbkd9fB82isK/BYKUs9Je + AfibRs0Y0lpHNKJjYWZBMVuKfAY71ujAI9s3WaNv8Et84ddGJrun8pHlOydsL2h4 + ToYsrMozVGIsJGLhg1VcwgDgPCy7BsL1aF7hJzTdSYsW+Em++uJlN0BGAQbZzA== + =tT7m + -----END PGP MESSAGE----- + fp: D7229043384BCC60326C6FB9D8720D957C3D3074 + - created_at: '2021-08-11T17:27:07Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQGMA5pKZobbvtIQAQv+MhMPhbxS4gNfQwiFpnTqQ/Hga9FfbPc1l96Cd7IEQd4J + JQqMAW858fOSwsIAEEgZP1skOGGTQXDdpKCqPafySdRVDfFCPTFzVXnFTr2HwUfc + g0ByHpTqDMlRQ8mASlo8+PoZuw1nZSwOhdag4AWwDp1a/RVRP6tPOmOCL/P/t7Hc + VEcaAuaE1g0HJsLvtDITPf63WcgN2b9LcJ+anWfapjTL1yNLiZhUdN9sEETr8mkt + vNYrcPjMQ6/e7o8TYThrXw+5h0Uwed/zGO8E9UHUse+XeBJsYSJ76vnuiKXK6t9Q + LtrduJ1KeaLpvw9e1p1nxCZHSLN8dVngmyoYtdv3yVN7JUN18HUu7WT6MQ0VYttM + fBz7pHgltX2TP5EAvMBUAWA8i1K3razhGq5l79d3lVlxRK4mcTfZQkXQiieCBh/j + /cbvwFcwDYWbk+RKPFHw048+iIrWaqsv5nhv3Zc+8gZIyLmEattFh/8YTCyirNjj + kNamcFLHu2H5UTyuZV570l4B4SJNO0Vs34LIBMHpwQaEOdKPto2hvtzNuhZPw6CP + MbDQr0HaAShFTaQ5TJRKjWErZ8QWt3//lVe9wkMaMPlqVbddlyNbCIittzteS4CJ + I1w8PpzzT5u8EdTymqDT + =Vv6V + -----END PGP MESSAGE----- + fp: 9DC6FBBDB3801E4E1144017138959A55322BC64B + version: 3.7.1 diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/kustomization.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/kustomization.yaml index 5f99dd8a4..a2b72da55 100644 --- a/manifests/site/virtual-airship-core/ephemeral/catalogues/kustomization.yaml 
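Review bot: The `sops` block of `ephemeral/catalogues/encrypted/secrets.yaml` wraps the data key for two `hc_vault` recipients at `vault_address: 'http://127.0.0.1:8200'` (`firstkey`, `secondkey`) in addition to the three `pgp` fingerprints, but the recipient list this commit adds in `ephemeral/catalogues/public-keys/kustomization.yaml` names only the PGP fingerprints and leaves `hc-vault-transit` commented out. The checked-in ciphertext therefore does not match the recipients the manifests declare, and whoever controls those transit keys can presumably still unwrap the data key. Re-encrypting the file with the declared recipients only (or enabling the `hc-vault-transit` literal if Vault is intended) would make the two agree. The address is also plain `http://`, which is tolerable only as long as it stays a loopback development endpoint.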
+++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + resources: - - ../../target/catalogues -patchesStrategicMerge: - - networking.yaml + - shareable/ + - encrypted/ diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/example.pub b/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/example.pub new file mode 100644 index 000000000..202e27f4f --- /dev/null +++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/example.pub 
@@ -0,0 +1,92 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ +wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ +6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl +3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA +d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN +ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h +bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p +IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO +5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz +gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl +obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91 +rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E +RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D +ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo +1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF +hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh +vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn +PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D +veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc +s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1 +9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA +CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE +hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa +iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi +UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt +cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q +DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== +=Zs2s +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mI0EXWhBiAEEAM+5U/ol2T8n9Ns1r11eKun/PPArXxmo2502pAY3cf7ZpKDFfAvC 
+VF/PLusHcJToTCPOT0RVh5jO1MiQYcvQlnUIJOIEkCuUc7RsdBDsI94o+SEiGSN4 +DzK711xTvuhgLbFvCB/jcpjN8wpIYTJuD6wE75sf5jqlokrnhXZy5LcbABEBAAG0 +U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMiAoaHR0cHM6Ly9naXRodWIuY29t +L21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+iM4EEwEIADgWIQTX +IpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbAwULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRDYcg2VfD0wdEdnA/9mMGieN4hrnmgMwchZ5fplBAUCeB4R+KewSHce +gfQIxN8i3vCOHaqmF8cmc2ifXfioqsSQU9JdRl7dx+TN9sgyWas1wfT01j98sfPk +NQrgrOxC/24SQ9f7C3bplXO+25kLXCPTUomMj8zf9marVeUVNeC6IduFRRI7hxrz +tIyN/riNBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwV +ZKe1D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ +04OrBjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwAR +AQABiLYEGAEIACAWIQTXIpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbDAAKCRDY +cg2VfD0wdMMfBAC/66LvXwBPaHDakr0lo25PGOWWsf4o8yWui/Q/yhcc8KiELlzE +zmwnq0JDSodfJ5agMTxXfVu2oVUBDKuvTDLSCe2XUv+2ufAweg/xr/FrREc2TkLu +GZy6FMdtB7Ik1uJElmkIhnU7KsXXv6rq71gE+PCqnwqsn/SvLLaTJvtlEw== +=PafV +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGDfWUMBDAD0nxvYUqZiUioXYFbQXDKhzVPLTo8mUY9YNZQzrcuspP3XKja1 +B4v7PwMPeqkLS86n/lK9JOZh2AMe2fhKYdp+Rtoz+7ARVl9QzkQEjcILM88wJOTg +i/VwK/rCWKduns8NASSE8vZrFI4pvS1nrf5BNotArSCdHsuGhFvqk+BoId1Z7ykX +VC44CcR7ePEDVWnff0XRgiPxEMuHT9HlaFZig/aBZz2GUSuuu7n5dvQCKtZGiLPN +4KpCoXh4atgGSnAeuhVFYeonMdhQsrPFRHyT/ITutsEsu+sAklT9IcaUM6/LIjXc +hVOgePJWtwA1wqBNmKn6vriGiFaFHCun5BSQq08pty78yvL1AwqrIKPv1lPGXcn4 +RlNNgG4F3G3qpxviwq3QVuYn08EWQh465Giin1EO53LeGLMajB1FIKNxyMgkV/n7 +O1cJjoRbm0veboIJYFkRd7t7SjOStPxGiFrP1MvyQ1nkexETQoYd2hjLLJTjORWX +qXdLQFPSLcTQ0iEAEQEAAbQ0dGVuYW50ICh0ZXN0IGtleSB0byB0ZXN0IHRlbmFu +dCkgPHRlbmFudEB0ZW5hbnQub3JnPokBzgQTAQoAOBYhBJ3G+72zgB5OEUQBcTiV +mlUyK8ZLBQJg31lDAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDiVmlUy +K8ZLB4IMAK7p1Jq9mDki0fhNdKKF4p4wfP6eF28+8S6RbUsysaZK9zPMg/UKK5R8 +0Y/oXVCYtXTjdyjEwiSui15KcuKXBzzFnmJKTwGX5IVm5C6Y2dclDmFbZejJ9GJ1 +ImXh7pD/MgQfic/2i9lxmmc4tMZJCEJnaJw+oUniBO5KK5UV7fyoONIJAG3HW3B/ 
+aAEuYuB7lOejtkLxJDJeYJfrCIZYy9MYTzGOr0LukCws9+CqNiBaDdCJo6euGTao +LUIQlmdHB9peM0NjsQQpfpu0BzdlOgB0pnf79ZNRBlsgXqsine94tujRaiiOmcu3 +XVyM0JwUebB4ym2ky5+Gg9nneLCirWhqTqU+0sUHl7iwia+2L2fXa3aj6C0GlVAZ +Fpkrg/18BmdrykpaNJTq7z8MMrMD+crf5OsZIwPZ3xNjXiW3KLzvNKA09TlPTp8c +0WwzqmDsfkJPY2Z7+F4Bq/m9yYTiCxeQKwSCTOlLhubtnBx+Z93KxOeMy3jN07Ff +pZlkmNa4vLkBjQRg31lDAQwAttvs4g4Qfh3jl0QRAbIvxE8jKxBKijPmRRZf3MXd +dn7DNo7rv+J+HPWFSUlduX2eFDDbmDQAy1LQtXA2S63AELVTFNUxaHhbXpAltpV3 +1cIdcg7aNXc+uUC45EsC+mu6RE7u0pswMSepAeohI5jDNfX2Ij3EOtZfz1sC8CgI +FzdwQm795oAkFB4dS310fuJrejl3glBmX2jBDovKWTrjartrHqRiCrKjkBH3VEuh +pwNGYFw3mxA0NgltOBw698/XZqRJkonSmzZoLI9EJ+YGkIJtLHP14DxAeY5Z/7Yg +h0gIq7p3APEOr9uimm1pFEvReIx/4p7NM22ryQ/j7LlN/n8EAhpTHZn29t8ftTX7 +SZN5MygdgVdFxuiodvKsd4JtFMHGKq2BQZG2ZcVhSUTI+0tX/gDgSzeyIWdHT22k +ZJXmTYIfDsDFETYWlzAf76nAT11Q1wEcJ4d4xfvo1fOVAMNKeWH8ovE3uIFQ7FI9 +qe4ImBTSEIOIN8xOh0SIYTLbABEBAAGJAbYEGAEKACAWIQSdxvu9s4AeThFEAXE4 +lZpVMivGSwUCYN9ZQwIbDAAKCRA4lZpVMivGSxKEDADofi4m8pXZOpuQ7IBhjjww +/CxMf5VunM/xH2SwnRi5/Uf/pwSu6sk+Q2VGRV25mZv7K/jjMcdduGzdYECZpU5Q +HJ5Yfzep4bz1GAORMAcBgUiTBH2QhDjkBkFrVfEbxnr3udESIb6NF3LpC0DiX2x6 +785pKYUEUUY/H3PsQvKqkls9iit6HTIu+fc0JOtzSLc5cUDcCoj9hsQA+7y1ijWv +ur1nTPVYjjITjogV+9siHTPr5Vkbx1IDMFtDgfU1OUsSnvDpGqruStmor9Qhq+X2 +384Ng2w0k82H+tCfrXXaBp32V8avFIXSA6QrVncu5jSueARFB6a08KbJzIodKEvl +lUBlJEweLFlBZm96JxfQnr7e0v/TpHJ6SW4v/1U9/BlGIPL4R8IjSp1kfL3UC8Yl +GftHRvOj+M9QWkaZEh6i1dAdL2ID1B0s9zp3TE+QJJjbq22Bq9yiHsIg9qx9AFhV +rwDF2ieowreVC8aC6NmtMFjnXCyyj2iBJlQ9zuh+hVM= +=5FdM +-----END PGP PUBLIC KEY BLOCK----- diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/kustomization.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/kustomization.yaml new file mode 100644 index 000000000..06c0b3b8c --- /dev/null +++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/public-keys/kustomization.yaml 
@@ -0,0 +1,10 @@ +configMapGenerator: + - name: ephemeral-encryption-keys + options: + disableNameSuffixHash: true + files: + - cmd-import-pgp=example.pub + literals: + # user U1, U2 and U3 + - pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074,9DC6FBBDB3801E4E1144017138959A55322BC64B + # - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/kustomization.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/kustomization.yaml new file mode 100644 index 000000000..a0f57ccdf --- /dev/null +++ b/manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../target/catalogues +patchesStrategicMerge: + - networking.yaml diff --git a/manifests/site/virtual-airship-core/ephemeral/catalogues/networking.yaml b/manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/networking.yaml similarity index 100% rename from manifests/site/virtual-airship-core/ephemeral/catalogues/networking.yaml rename to manifests/site/virtual-airship-core/ephemeral/catalogues/shareable/networking.yaml diff --git a/manifests/site/virtual-airship-core/kubeconfig/kustomization.yaml b/manifests/site/virtual-airship-core/kubeconfig/kustomization.yaml index bae56b0ba..24d95a167 100644 --- a/manifests/site/virtual-airship-core/kubeconfig/kustomization.yaml +++ b/manifests/site/virtual-airship-core/kubeconfig/kustomization.yaml @@ -1,6 +1,7 @@ resources: - kubeconfig.yaml - - ../target/catalogues + - ../target/catalogues/encrypted + - ../ephemeral/catalogues/encrypted transformers: - update-target.yaml diff --git a/manifests/site/virtual-airship-core/kubeconfig/update-target.yaml b/manifests/site/virtual-airship-core/kubeconfig/update-target.yaml index c9bc5504d..6b81ed852 100644 
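Review bot: The comment `# user U1, U2 and U3` in `ephemeral/catalogues/public-keys/kustomization.yaml` hides what these recipients are: the user IDs embedded in `example.pub` read "SOPS Functional Tests Key 1" and "Key 2" for the first two fingerprints and "tenant (test key to test tenant)" for the third. The secret halves of the SOPS functional-test keys are distributed with the sops source tree, so anything encrypted to this list, including the `rootPasswd`, `deployerPasswd` and `caKey` entries in `encrypted/secrets.yaml`, should be treated as readable by anyone. That is acceptable for a virtual reference site only if it is stated; I would replace the comment with `# public SOPS test keys, example only: replace with site-owned keys and re-encrypt before real use`. The `target/catalogues/public-keys` files listed in the diffstat are outside this view and presumably need the same comment.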
--- a/manifests/site/virtual-airship-core/kubeconfig/update-target.yaml +++ b/manifests/site/virtual-airship-core/kubeconfig/update-target.yaml @@ -10,8 +10,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.targetKubeconfig.certificate-authority-data}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data" target: objref: kind: KubeConfig @@ -20,8 +20,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.targetKubeconfig.client-certificate-data}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=crt].data" target: objref: kind: KubeConfig @@ -30,8 +30,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.targetKubeconfig.client-key-data}" + name: combined-target-secrets + fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=key].data" target: objref: kind: KubeConfig @@ -40,8 +40,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.certificate-authority-data}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data" target: objref: kind: KubeConfig @@ -50,8 +50,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.client-certificate-data}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data" target: objref: kind: KubeConfig @@ -60,8 +60,8 @@ replacements: - source: objref: kind: VariableCatalogue - name: generated-secrets - fieldref: "{.ephemeralKubeconfig.client-key-data}" + name: combined-ephemeral-secrets + fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data" target: objref: kind: KubeConfig 
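Review bot: None of the six replacements in `kubeconfig/update-target.yaml` can tell a decrypted value from ciphertext: each new `fieldref`, e.g. `.secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data`, copies whatever string is in `data`, and in the committed catalogues that string is an `ENC[AES256_GCM,...]` blob until the `decrypt-secrets` transformer has run. If decryption is skipped or fails without aborting the build, the kubeconfig would presumably be rendered with the blob in its certificate and key fields and fail only later, at connection time. A comment above `replacements:` such as `# sources must already be decrypted by ../target/catalogues/encrypted and ../ephemeral/catalogues/encrypted` would document the dependency; the list itself starts and ends outside these hunks. The same applies to all six hunks of this file.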
diff --git a/manifests/site/virtual-airship-core/target/catalogues/encrypted/kustomization.yaml b/manifests/site/virtual-airship-core/target/catalogues/encrypted/kustomization.yaml
new file mode 100644
index 000000000..2e0a8fcf7
--- /dev/null
+++ b/manifests/site/virtual-airship-core/target/catalogues/encrypted/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+ - secrets.yaml
+
+transformers:
+ - ../../../../../type/airship-core/shared/decrypt-secrets/
+ - ../../../../../type/airship-core/shared/decrypt-secrets/cleanup/
diff --git a/manifests/site/virtual-airship-core/target/catalogues/encrypted/secrets.yaml b/manifests/site/virtual-airship-core/target/catalogues/encrypted/secrets.yaml
new file mode 100644
index 000000000..97022152b
--- /dev/null
+++ b/manifests/site/virtual-airship-core/target/catalogues/encrypted/secrets.yaml
@@ -0,0 +1,73 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + labels: + airshipit.org/deploy-k8s: 'false' + name: combined-target-secrets +secretGroups: +- name: targetK8sSecrets + updated: '2021-08-10T20:00:41Z' + values: + - data: 'ENC[AES256_GCM,data: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,iv:bPQ/f0A83qe/N/5MQVMDwGKNo0gCVSov3j5ctRBqq70=,tag:vvmSh6a8pEoFE8yh5UpCUA==,type:str]' + name: caCrt + - data: 'ENC[AES256_GCM,data:spZ6ALzwBM4BpdAtKdPzDv+hgDcCsjdbmHTtWAQ2seJDf10gnail4FK1aU3IQy5XthwMaSRv1yv7Lu9bvsBC0VclMp7WaiaynqJTi8pcD5COl+I69kfE5OE6Y7+gPfd8ySHrmq4XtYvNMFthQ2xrzJ0qqx/5H+Z2InkEB6vfz9MD+OjuUuBi0RTpAfsRQQFdKG7QXo/1x+9WIFUAAZiumAkayjbjJaDGOXCfmbAYIxP8zTdG/KOLbgDuSC79LAIop0AOGUvNfB0V/VVgohiErpcZzXrDr7h7S+SyFTFlrFmaA0OEZe1CW6WNiCIJIKwh0JeudzWNfI3cd/nh39T1K/ySKKRbN6jPqe2nVfW1LqtFSx0Krj9vhKVV5uURV74viJYlgETRGfoBMWCEeJSuq9++bg6kFx/K8XXXG91Jm/J4t51uA6i+uUXWSOZbDyLzRBYQtNCYUCa9HAyasNWVJX2Vdz9uaotfv9k32dAu/7ncOW0AgOyJQrW90k1R/vMzGiCfd+94wTbwQHa6kbC4Fk+288PF4feCTBb3UlTLETPj/xIeimYRE8gOvVr3JDod0R9EF0lkgGVEZQU29McqOi6EnHs/kiJc0zjarmmGPBYjot5P3Pj3uWe0AN4T92iOvW1f24nFSq3fxy04wUYfh+RUa9ZvCRJ4LfNNYktaTUmTyi7g9grce7DG0hpdSgfxn2stNcV6jmNjcYSZAGKFaAHATfXsBXNYASoIifQLsarIA0u7lJkmfDerCan8D2+l48bglKP3aXwXYARuKyhl5ePlnl0OVy3zQ5vhY8Wtce5V0VYDhfoBQEbRP+B2CxxblU2mm5WUS3I/JIF6zAjDbd6RyjQXFnp+Er1NhP7DAxqgut/gw5SxZHpLUpO6zd8GVL8Lv2uT/te1RJFnwwznBdhZDL8LESMBZ9pTOKUT8wAbpPseaGzxfThf72onQjHvu6qt8BRlMR7mlzRLEBe9xZ0d5OqPRl6Yn93CMhZmbCun6pUouZpw6zQfaFpRe3UA8t2ScDbqzD+nxA6QOSJ/pbfOHh6PGa7jajYSDbV4asuys8ujwQC3WHgRN2aPYpcqrXYDtXmWzMoMn7U1qskiOL++8n2wY1qv6fPPUTZqdUZjD7HYqcCmVAL5v9TxtsgE9uyFHGgWoIltEDr1zYI5ID1CGPdRBrmIGJ8cYC60BhdvhZKUP7fQzGS/M80ed2ey43t+9nX5++5hmITA6mxNKFG8SzUCeR9Ndl7NJNDjOGMw4OAdIyPTc2obFc0D3JZKhGPJ0h+nMFP/3rRM7nc96qjGYLZfffKta4P8yQkONC5Tpj/BwMsX2YgIEB7V3STnJ8rTkiFatSkVx/PdQpTvJ5TH4HxXKF9xcLKeoCYTHy0cS3W5LtvPSY3TCP7SJEFsgzy+059+zQf5bSxOZh6eA2YFFUNfPDct4lcS6QOtwHxGrZfr1ueXuclqSV9kGaO5IZIyOB55myS8mNlD/TH/onzE1M29YsXaeayYWXf/KUac1Myw/bfecFB7nk
hdhbrTDPWArfCzjvi5nhZslBVv8vbYwDEqp27ByPIPNNjb62Fb1F1b43VM9vAVHsGBepx4Gfukx4WWuOB2Uz+Pd0QhtgvhCOpnvgv3VMYLdz2i17c1SGB/4L8n4jzV1HqJ0HCa5Da1BnA/JlNWiydPzKpUdazTNsJm5INAu1EGWJc/oDIRxEwnZpx9EUx+bt8RtowZH44kgB77t6Knih4UfZqbOsGLMovpZO5OFgFPsI+TqwIEBrXYUotBb9r238PmRB2p4oruFGug0m42gTasTf7E4MYToySVmeOpjcT7fcSJSMOOeckZqmXeZrb7uJ8MvgjJyo2BSVxThQBx4oy+B0ZswA1gaW49tVeYsPvWGblQMWft4MC9aj6aPV1sjcIUMvqRZCzUeHuHq6gEIH/qUwY8WiMaQlYqc7VO9Ff9iH6brLPGC1vuXsat3l4E9O2R0IYRBIcfEUb+0i2WIi4iTtixZ2sRfk7YtJySnlzVQeKG6uAdLLRRv9YXCDMHr6YwkeEaGub1CbIl+fJ/QKI3h6qg3yicx+y4YSiqFdx9eRnN6fapS3k1Vwr4FXpeFfpCozSZMJqob14LhGMlM9nKzT1BAy1vxv8cTDYhgyrEPQXQ5EBAjCcCf74KZGM6sZOK3SG1MW6z1hsV3uyKlxTR8+XTWhhTR6YyoMyBFD2VE68SVkEPwgGjUd/KYb9vHFqZiBXq938q14JMmII5oSK4WdsgNWNM3ExCfzbHDiJOj9L2Jtc8tIYjPxgyV482AGGsHi5Pr5MMZ9HS/8So57srk1TwBTxCVAfmFA6o/fmDUwUBQ8tJooBdHr0vf62AN7J8JhOK1PrRqNxRqKE/QqLc/9lpjVegM4AkMmbBpWHS3CpCBsZWewnMUKBz31O8dU8Y6SF4pQSTYpM6RJOHn7bA7uFIk8k6hZgVFh0ubQrTySbVvrU06/XmAcCbXYZtdwE3CYjQMJ08auEaB9LKV/vLzb+J9X4m5sJpo4sNAzpUed4hVAbeqws5OUtoCwSKBsHqfynhsGZztpBrYCwxNjQKos0UnwWDLVhH5J5w1d6jtid+5aOR12fAhwDl9OR/SvdwjXywN9RPQTouA8GsWPcfwfd/jWPDpNNdbz3qrUHum2L/g9mpqk5adY+x7QulAyfeRrrvDuXJjXQATtwVHdGfj90ogUzxXo7YNaLbYaIDQGRFNZ5p4M4t6CNP8MuT6DXZHxzzpt8gOgWStFFZsNwG56Vz2/16B822NLuDgC5ka8bNxklPKAGu9lnmILDF/GycvMC9IKJJLiY7dSwn3m9mv4mMrgB6poXX86xkzC0ltynYyrFFQmNwCLwVfITSiBhBc/HKte6gq4HTLvVTzr2xb1jmp14EjzSVK7nFyd0FORa/2KhRD3K76ved366rX2jmwwEMlTFwFna2k0pockGOYFnujoipLF7rXZgHGFQQI6KPHLQ=,iv:Z4EXdCvzyL3kfwgwGMO0dbo6n+24bXyu/YOLUvokYwI=,tag:1z8Igd1gDyCoAR4wshKo1A==,type:str]' + name: caKey + - data: 
'ENC[AES256_GCM,data:Wwx+WY3NayWfwMfsTfqjM0Y9adNSdrz+XNU0rTLoWUPV5ocXD465mtRN7aKOPzIx6RldFXcHuQUJglYGwb3fl10onH+6tGFPwthBJOmA8z/MH2UVi0Ov76bUgbAcCTZkDzeE2xjjym0wlKd2W7nAtdyBPq2TyUh2IpFy4CX5tIoh3/JM9KrEynceWMmmr7Srg1YndtCc1UZfy82uDK21yEIF9PD749CqYJPz9+kJBwHBOpO/fEuoKqVseLjWXiVBWKBGc8l9rj6IHc35koRrdwqMzjKyBNr4v0pFhDPQjg9j/pfGAEACyhUP+DIM2U+jf/WLrfeIfndfy5MKMWl7UIyvXadLlJ7rVLw8qaeXfyRVYagyZIPAYCNPFTNmyCWA9BZeVvISwRY9o9mz/xqNh2kqOth0J6Jg+32b4UJkLSpglXAZNlHkKvMMTIUbAcYPctQ7d/9V4Bv46nGP3H4Ij4CE1qc5A2QQeyB9sEi4pSkAoekjK6ytmFC8qw+xmgsdd03CJpp5D8PDvw/yW5jS0iRCY3HBvZH8vAz6Bkf7aE6QdaHFl3ddYeNKZq2MB1/Wy41E/FA82o6j65aEiL6M881u6BNLeOzfhm5SKtUaKf3Ab8fBdjiMIVVRdnzfwuKgAvXwqkHcTisKn8G69FYz7uj3DzCQywLNaJNyzmFuxBfxE1EJF2/S451qwhL0AbkPzi1m7KQNJKOCeOq6NfEypq9op77r0LIe5dUI3FlecTIL9IWxARmTr52h+X3+7+Wa/ahfK1j8o9YxIFsD9JFyVBF1Ua7f4qms7UJP2DsHFGjUuUlf49EWfFCBPIQ8KS+80gT+vnp0qv+dpAs9MFliJCe8WcqlJXqFl9OthC+t8KUmbCkJzD9UBXF/9RNhszlcU6acyq4Ut7koI68eDdbZD49UN1rogpj2MgHOD75Tp7QRNFt8ragC/KA3kk6LVRExdF5OBzDn0eA2GNzIK3p14Feae+mlfvFcV20flvdq6agvMJa7JEEAPvAPZa9GAmmZYnJr3qvv/q65fMWC/MSlbOfTwq6MwKPiiUBe+A2aT0isvPpJ484E3E1zeSdIWiLUK8ljjW1obNfTKAojHpxxywmFvQixgsn6GaNBKi3H/r50MPdiUisy3lwGwUypY8rjtAtWeVHIMujTLjVhFDmcv27erG2fx8vLHVIYaLu2k5C46BhrrXF1Ngt1RfVQjxjXC2FsWiqrE1vheIb22itL51UwxjsXIayXvztEBX1gMvIQtps2fkc42zRTL1pecbwzsia1QzfpO5Zdo557ARX9Um4Hk8qACfLfC46n+9MC8wrnlbadcvwGXY9/Yq2vNr0uKQUizRmZxK003Ga72qDeI4nqeGMJPAM9Z2VQZLxdhTVJTuJEEhOSGzoLj0HkWDDj1/rCeXwafbm5bfHnTYIlATTnWfNHy3Mjol+T7kfpc+V7Hy2HSKihIeZNQ3CXeG0Z5ZWg6zKwWir/td+mDeCc2lN8uM0xi4/jxX1tG+oQ2JhVXqffVca4WF2iANF3bE5kwukNct3GBU0Li5JY7q/79yJBhktzXnT2O89I5T7o/a1OyxBa+VCUGwjsRTq2ry9tRZ7jvewEmI+8LR3n2f+Jq8wHy7yAU9VDpb/d7ZAFXmH0PzhZ6G2y0gwic+DHklK9AyfiFnHzvYRy4/awIQd8F5zbMSoCkRGieVPLW/lV+mMe5TNdP3HB9rfGVj7ozQHHmxHlo0rfl1zhcFPQckcK52xtKNHx4oBr0KyUbd6mwXNVRzVxVzhINQd/J/Bu6ZnkFKH6GTIWMK24DvXDU7YOhJsA356sH9uyQhVvJrgJ53B7vmsiYqzLkxakVGPKcdM4i+0aWRd1Nn4Ert9kPZ5KbuptIctBkIgZyYkVscTR47PYj+KtAOfp/GRAs6wwwsTLupbZPBdE54VqoxUuNSQz33H3XjzVJq4F+zhTbdZz/v7I25JVLsfeltCGa5e
/qsKYR9efEQ96t0PO4kZsRmCHQRxtVS0+SAPznSdFYO9srPW/9L8xd6QlcuihfgMD9j8xE5q6L/b7/hKlcflz,iv:pvNaEoY5wwwbtDUUqJLj0h1CcXJBB6t/oOVTMTyXVOI=,tag:gEWpf9AKCNtA6nmkwj2GHw==,type:str]' + name: crt + - data: 'ENC[AES256_GCM,data:vzOfplS6cfnsH/1SbwQ5kOh2DzdOUrsRZH4/RafaLtMvC3d4n+Xixp/gr9rQ2pKrEt0gqrtyebtl736y65enRC7DEDJMHUwDhvTWDMZmzRu6duXLNy0At4vdTTiSzxm8sRoNFtGg2hkk5VkPZL0YUaRu4WTZjv/itjWy6spnXfc5r5p8glviUsPPBFK8WimCACHQOSswR1dRqD8/XEXiu2b25lj64+vtWyLMrjm5QmTh0o8a/Wk4K26mKiCsUiPBUKwAI8LjE/+yYVL9KFVufodoev7TZQ08FA9zyALyETA8pwImqBKq5Um9jKuMjhZ/7WlpbnV4egn6ZiBAt6FPgF/MUIat+9emVmpj6ch4RcbfK1uTIDVBOday7945B+u6aGJgI/bKnNoVkWAaRVkiR5CsQ4O+5dmu54KBm3bVYXwTmaRTLL/cQ/Cf73XeIJ/M0EtNrZrrsso1oCwgw4yzyvXmVtZ7RFzp1jEkDjyujmbB2I5fYpCADe1i7BPR2pLAx4JVUBr6qPPu0KJkUAStBOHkPTlzlAfineQjjU6n3s9YSWNTtsKpqazntWYZMNi0ou+8YTGJLq/Zzw7mxTxQloiGU/E866iyib66tTraxMBFKeTPvBjUZwg57DgpB6fW0sLl1xjJRcNW2fkwFHaV4iwdC11XLcjaFDX0r2qjxC1ZzlRB+R+iv6ZEalANayzAL5ymImM6WKx/CTBfTGA5Q9LOk15UCNSRT/ucak3+Px5u7tHp/FSrcAYIWako9MFPfUEq/4eLXTtYql20iEiHOjpT07/Xztyb7Jjas1qmYeoCzCeN7RrKHcuwqBG4DB4QX+5EY238n0RQ4bkG5sKdQDWbu8W3u4BmcvJXxjtFvdyB1WW/cQYvQXQn/bZH5DiMaWYAnpGAE+gA67z1aVofWPO0doKO4ae2SC5F6R0IslX7Zyx+YYHThIqQxeTjwVHNPAeuyfqZuE0oRwQFSy8bPFy4/nlm1kg6pXDjUCil2y9YDUU9MZZbKTlIqSQRzfaXiOZ5EqOMctz2UAa+w7kwh/4mKsye9e/C1J1McVV2HGXRMXJCmrNFJ1kdTd9/xuIAHHYPfsnAZRrnyZWuXZBAQfDB1ggZLMgn4wFExnS94GyQWFQIIm9KMapckYhAzkpAjLAPTgYbfF1abm1dYL3VNlSFkBhoq6Uny3WVos+6362GjvhiHhsTWizNo+6R0wvFh5NFzEBkxJGe+GhCCTAeUB+aQ/4NvDcIcOBdbt2UVzmE4pNP6fkVg1ZcIWKyWahlkXvWXVBCfY/uZWyhCSwTrKEnk/WLzCNDu4z4OMYDZdmV/3CZ6xbLTKRhKalY3sHJtsJoKdmN5PpPiEIJ/PAiStJ2vH6ElVHY3tc79q4S76h1UiZKzmOAufNmULtNweM1/nNnEasEtqzR3JRN3kuZafagfTNZck3R0faaBYIxBLzXYldFJZ+7M5pk9OPKunt9rVG/iaO1jFexFyXkZhQO+o2oALsEY1JL0F1T2NUFz3Np1UUSuYO3WiaUyuwuyD1tx/+0RZFKC0rUJhLIUwerMNmz3WpZQQmRvTjZ+FDkwc3akRnUeYORqy8DrmSVITDJlJtfmtzCIJlYaPziK0uQ4VjmGzm+53uStyjDvZ0Zc90bbZ0abj1pJ9vR7HoiTUbgE0AxzEkwppgdko8v7nVLptflHliE47SLz9W2LpZjh9tEtkLsHxhHPF3+zCZfbs9smmWnQ3jHUgmv6yC5JedSFtYjt2ew9t2TgjIDugA+YTEV6X15V4dSYvN
fSi3eqivRNQJYGyULEYCHWm1hze/zLMWsQTl5sD81QL98xpASqfb1Jnh8RdNDv/Mj/PPNCIL8hGuBbYvNejoCz450k+9yIsZ36+kMgDRRwenJLOYZjD+QqAod3LsD9D686EmBd7yLIkULBb3fMIuK1ejf5vkgVmd0U/AYoB9fWxeD7sxwcre2UBERj/1A7Tk6KoxK0KvS4Y1fMRCz24WxH5AfEKhn1fg9lcGeVSa7f6uvIHG6zNyMOD2STNUs+M3s73hwKgAtqIr1oCijnw4Oh/6V/KtMLcEu531Kq0jhfBPpP4Of1db6Xq0CpyAsUKd3cO3FRFVfugxDRavtbTkOD3kA07rXVCaq09UKWKJ50jzPUcgJJn3+pJbA56TOFs0m/7aovijjPMahayY4fggkXM2En+oWHNmDAdQp5Bd8E6vhn4Ouf5Qz0vvWd0ifaDLW/Y4aLME3rVPIIcYFgiq4JpASf9ANMVWH2IseXwzmzDIho9+IPIPEOOImrB+ly/9OOIeAkcTU646OIotUXwovvF5J1u+RBTXEqEGbZLkx9o0f1ZRvacW5FwwnYLR4Mz0qeh3XmQtanqeT5jNElGRaZpVBn1KBhWYmNh651u9Y0V9XkVLJGlPC1b/U2qQA+H2FEcTZd0Tk5F1w8+fUUQVi9UtFnw7LtcCbMflO6/FjXuyMIZxR9CJY98Lupscy53Cf78ClIo5OEQK1F/ix78n6y/uclyNFxcX/AvQ7JUNyOFrfXX1q5ZbdA3YSvm8QLEcZsG3hwI4N4p1k+uCS9oAnMfgNJyRwXIoIxs7BZ5oIVlF/lX1q3sP01WxTMlZxNQX3xPuGKeq7mPjqUwDcMMPNXGoCdKuWofQ7GCfp9wMF8a8lI2q/id4z9ETLHqkpV7H/CSNz0B2d6NjohVJ7FbDlNgWIo5e6ndCdiOjTVKU2OfCuCKdVJsleCjed5vYVyNKD4w9GlInVAPZsDppS3GEW5Xd0FerbGUIewg7OLFue3EUOm+ItxOJyRgr5AFiXhUHgcw/Kv22LGqheCpkvkj4uRAuPgI6kdDXpgBeL+z6djXDNkj03uPKQoCle3/NN6T19sYq3fqVSrdx6o0JM+GosJYqzcbCpa3qZWkr01kCFnWeWhWXxdspTXjF5Dwc6/+Tig7/oxdcvRqeswq8l9U0DcoSQSEaX/f+3q6bP8lA+v3TqKYx32I4=,iv:dPDYUIlrM0uLfyXEdUx7D/UYUYc2h92JZhmlfUHEPU8=,tag:ySJUMycKpoGg19qJKdNDCg==,type:str]' + name: key +- name: targetSshSecrets + updated: '2021-08-10T20:00:41Z' + values: + - data: 'ENC[AES256_GCM,data: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,iv:3V947NfzKkUc/KyqIqQxYRr5SlD1RIeppVC7651jppc=,tag:LNziKYmuXMRu7Myhu179Gg==,type:str]' + name: privateKey + - data: 'ENC[AES256_GCM,data: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,iv:dM6ZBlzqKY/1rQBvoELAsQ0C7t3ImqwgfEVC/tmB21U=,tag:09JyHpyaSOhczaHxKtmt6A==,type:str]' + name: publicKey +sops: + age: [] + azure_kv: [] + encrypted_regex: ^(data)$ + gcp_kms: [] + hc_vault: + - created_at: '2021-08-11T17:27:09Z' + enc: 'vault:v1: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' + engine_path: sops + key_name: firstkey + 
vault_address: 'http://127.0.0.1:8200' + - created_at: '2021-08-11T17:27:09Z' + enc: 'vault:v1:SHCcOUHlef/HMsMvS5KY+ZZYHicJDYNzcdzZKGwchjYIssfqE9KZXDv+O3bDNWbNH7BnMO63TKT1VeZ/oAHFkovNnl+fcTdMtbI7WYiDNxBWiV+yFmj9OshsharAaFJ0fh6TE5Qqksccq7Oq0DVcvzSpMvJnNL011e06i2ABTOEjsjyf/kj/9hwnAezc+rlylvmObaOpX6lURmWqBeptFbmLj446BcVCITatg9Tg8qYbRz+PR1JIOaSmTSoRuifPPSZR0PoJmda6+gmHNJ7ezFAAyNq21lUnhr60R1gPI17WUwu7IPWNL1LMrTFRw1SQahbQFaAOj6wDqdKJ/HS1Cg==' + engine_path: sops + key_name: secondkey + vault_address: 'http://127.0.0.1:8200' + kms: [] + lastmodified: '2021-08-11T17:27:10Z' + mac: 'ENC[AES256_GCM,data:kYqyZkHzzrFCMCVChrNrQzBZ88vYzursIFEJGQz4mHpnMXMCPykpKOzfpUSlj+M5mYsb/y5hNbw8xsKOo1GUV2tEjoJ4k7kL4CF3JRVLHKHDgpJE8GTtz0uHBwN7HrPX7EurSWHeVmOTxP+1mxs7cBQQS/Yb2DyvOJNZyYswfxs=,iv:NDTuNLFHQxvZoLF693Y23bqySnrn/EBMvUNHkj59Bu8=,tag:UARHcP1hom78DlC1T/S8kA==,type:str]' + pgp: + - created_at: '2021-08-11T17:27:09Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAyUpShfNkFB/AQgAhDRNRaVRHjXylYzg1ASfArY6BptjZm3dldnNjGP5p8RZ + Szz7Y77NTEqc4HGm0D2L2ob0hx76FUanMAEOEB7OJAqQC3T9rjVTnNrdfpX+I9ty + k4b5scb5iya6dQasDGccyMSlNwkJu63f88DhVXQgg62Z3r8LrkG5yUPB2YH5qpCf + m1xx19ssVuAP+EBp8T6hulhCf57zbGsJwUr6d0pkXzX5sUbeoNzgGSJ3xkyS5h/D + VvMjQpNxB3lvItNzvtDYCotQzzGMWRHKkDm4xzlN0ztbvg88pfCUNopU9kD4boXn + x13KS5F/LXokHRagXOxY/2lvIbpqMR57w/k6X+dj7dJeATWuTCbYLcST7YpPbScx + /PC756MHVn77RyIeNVkVL9b+PVgTHmU4XtX/ofBbVSpgRIL4kIpTjvvvQ/ZJpNCj + 8IxL/Iwni90DXv+CrhL8mRlwH8dtXGyMuthYGGU/Pw== + =Ln27 + -----END PGP MESSAGE----- + fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 + - created_at: '2021-08-11T17:27:09Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hIwDXFUltYFwV4MBA/9KHOMOnyeKipAPielSJGYCFIe70/DqoaUOgbq1aerC5VQ6 + 4jRZ6+yhNHFCYAYH7cN4i/wroJLeNY8e4PUDd/dBTILr4P9htje+8SiIoQFaI1Fo + VR9y7MTYpiHniW3Off7McwNg9qny1xpRDcv2M6wlqtMYVBGzu8RDKvAjbGPJwdJe + AToMSYhD83qWOjcRsdj/N/l/aMYZXYU1/crO/sM7wvJdM0irvJeZTclI0Btv01NJ + Hy+7ZzhB65XAvdKbTlw2YcyLkISq72HnuNX5IwhptZOxkhuh5rrYjlSUvdSL/Q== + =0cje + -----END PGP MESSAGE----- 
+ fp: D7229043384BCC60326C6FB9D8720D957C3D3074 + version: 3.7.1 diff --git a/manifests/site/virtual-airship-core/target/catalogues/kustomization.yaml b/manifests/site/virtual-airship-core/target/catalogues/kustomization.yaml index d3b454087..789dc9e2d 100644 --- a/manifests/site/virtual-airship-core/target/catalogues/kustomization.yaml +++ b/manifests/site/virtual-airship-core/target/catalogues/kustomization.yaml @@ -2,12 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../../../type/airship-core/shared/catalogues - - hosts.yaml - ../encrypted/results - - storage.yaml - -patchesStrategicMerge: - - versions-airshipctl.yaml - - networking.yaml - - networking-ha.yaml + - shareable/ + - encrypted/ diff --git a/manifests/site/virtual-airship-core/target/catalogues/public-keys/example.pub b/manifests/site/virtual-airship-core/target/catalogues/public-keys/example.pub new file mode 100644 index 000000000..e25072c6c --- /dev/null +++ b/manifests/site/virtual-airship-core/target/catalogues/public-keys/example.pub 
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ +wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ +6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl +3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA +d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN +ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h +bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p +IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO +5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz +gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl +obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91 +rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E +RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D +ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo +1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF +hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh +vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn +PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D +veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc +s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1 +9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA +CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE +hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa +iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi +UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt +cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q +DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== +=Zs2s +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mI0EXWhBiAEEAM+5U/ol2T8n9Ns1r11eKun/PPArXxmo2502pAY3cf7ZpKDFfAvC 
+VF/PLusHcJToTCPOT0RVh5jO1MiQYcvQlnUIJOIEkCuUc7RsdBDsI94o+SEiGSN4 +DzK711xTvuhgLbFvCB/jcpjN8wpIYTJuD6wE75sf5jqlokrnhXZy5LcbABEBAAG0 +U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMiAoaHR0cHM6Ly9naXRodWIuY29t +L21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+iM4EEwEIADgWIQTX +IpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbAwULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRDYcg2VfD0wdEdnA/9mMGieN4hrnmgMwchZ5fplBAUCeB4R+KewSHce +gfQIxN8i3vCOHaqmF8cmc2ifXfioqsSQU9JdRl7dx+TN9sgyWas1wfT01j98sfPk +NQrgrOxC/24SQ9f7C3bplXO+25kLXCPTUomMj8zf9marVeUVNeC6IduFRRI7hxrz +tIyN/riNBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwV +ZKe1D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ +04OrBjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwAR +AQABiLYEGAEIACAWIQTXIpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbDAAKCRDY +cg2VfD0wdMMfBAC/66LvXwBPaHDakr0lo25PGOWWsf4o8yWui/Q/yhcc8KiELlzE +zmwnq0JDSodfJ5agMTxXfVu2oVUBDKuvTDLSCe2XUv+2ufAweg/xr/FrREc2TkLu +GZy6FMdtB7Ik1uJElmkIhnU7KsXXv6rq71gE+PCqnwqsn/SvLLaTJvtlEw== +=PafV +-----END PGP PUBLIC KEY BLOCK----- diff --git a/manifests/site/virtual-airship-core/target/catalogues/public-keys/kustomization.yaml b/manifests/site/virtual-airship-core/target/catalogues/public-keys/kustomization.yaml new file mode 100644 index 000000000..eb0bafd0d --- /dev/null +++ b/manifests/site/virtual-airship-core/target/catalogues/public-keys/kustomization.yaml @@ -0,0 +1,10 @@ +configMapGenerator: + - name: target-encryption-keys + options: + disableNameSuffixHash: true + files: + - cmd-import-pgp=example.pub + literals: + # user U1 and U2 + - pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,D7229043384BCC60326C6FB9D8720D957C3D3074 + # - hc-vault-transit=http://127.0.0.1:8200/v1/sops/keys/firstkey,http://127.0.0.1:8200/v1/sops/keys/secondkey 
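Review bot: The `pgp=` literal in public-keys/kustomization.yaml makes the two keys from `example.pub` the recipients for `combined-target-secrets`, and nothing marks them as placeholders beyond the file name and `# user U1 and U2`. The user IDs embedded in `example.pub` appear to be the upstream SOPS functional-test keys, whose private halves are published, so the `caKey`, `key` and `privateKey` values in `encrypted/secrets.yaml` (its `sops.pgp` entries carry the same two fingerprints) should be treated as readable by anyone. I would replace the comment with `# EXAMPLE recipients (public test keys) - replace with site-owned keys and regenerate all secrets before any non-lab use`. A validation step that fails when these two fingerprints appear in a non-virtual site would catch a copy of this directory being reused as-is.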
diff --git a/manifests/site/virtual-airship-core/target/catalogues/hosts.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/hosts.yaml
similarity index 100%
rename from manifests/site/virtual-airship-core/target/catalogues/hosts.yaml
rename to manifests/site/virtual-airship-core/target/catalogues/shareable/hosts.yaml
diff --git a/manifests/site/virtual-airship-core/target/catalogues/shareable/kustomization.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/kustomization.yaml
new file mode 100644
index 000000000..28a68c1e7
--- /dev/null
+++ b/manifests/site/virtual-airship-core/target/catalogues/shareable/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../../../type/airship-core/shared/catalogues/
+ - hosts.yaml
+ - storage.yaml
+
+patchesStrategicMerge:
+ - versions-airshipctl.yaml
+ - networking.yaml
+ - networking-ha.yaml
diff --git a/manifests/site/virtual-airship-core/target/catalogues/networking-ha.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/networking-ha.yaml
similarity index 100%
rename from manifests/site/virtual-airship-core/target/catalogues/networking-ha.yaml
rename to manifests/site/virtual-airship-core/target/catalogues/shareable/networking-ha.yaml
diff --git a/manifests/site/virtual-airship-core/target/catalogues/networking.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/networking.yaml
similarity index 100%
rename from manifests/site/virtual-airship-core/target/catalogues/networking.yaml
rename to manifests/site/virtual-airship-core/target/catalogues/shareable/networking.yaml
diff --git a/manifests/site/virtual-airship-core/target/catalogues/storage.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/storage.yaml
similarity index 100%
rename from manifests/site/virtual-airship-core/target/catalogues/storage.yaml
rename to manifests/site/virtual-airship-core/target/catalogues/shareable/storage.yaml
diff --git a/manifests/site/virtual-airship-core/target/catalogues/versions-airshipctl.yaml b/manifests/site/virtual-airship-core/target/catalogues/shareable/versions-airshipctl.yaml
similarity index 100%
rename from manifests/site/virtual-airship-core/target/catalogues/versions-airshipctl.yaml
rename to manifests/site/virtual-airship-core/target/catalogues/shareable/versions-airshipctl.yaml
diff --git a/manifests/site/virtual-airship-core/target/encrypted/generator/kustomization.yaml b/manifests/site/virtual-airship-core/target/encrypted/generator/kustomization.yaml
deleted file mode 100644
index 68f07be46..000000000
--- a/manifests/site/virtual-airship-core/target/encrypted/generator/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-generators:
-- ../../../../../type/airship-core/target/generator/
-transformers:
-- ../../../../../type/airship-core/target/generator/fileplacement/
diff --git a/manifests/site/virtual-airship-core/target/encrypted/importer/kustomization.yaml b/manifests/site/virtual-airship-core/target/encrypted/importer/kustomization.yaml
deleted file mode 100644
index 222ae6ae9..000000000
--- a/manifests/site/virtual-airship-core/target/encrypted/importer/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resources:
- - ../results/imported/
-transformers:
- - ../../../../../type/airship-core/target/importer/fileplacement/
diff --git a/manifests/site/virtual-airship-core/target/encrypted/results/kustomization.yaml b/manifests/site/virtual-airship-core/target/encrypted/results/kustomization.yaml
index 4d5611c68..2969fe64e 100644
--- a/manifests/site/virtual-airship-core/target/encrypted/results/kustomization.yaml +++ b/manifests/site/virtual-airship-core/target/encrypted/results/kustomization.yaml @@ -3,6 +3,4 @@ resources: - imported/ transformers: - - ../../../../../type/airship-core/target/decrypt-secrets/ - - ../../../../../type/airship-core/target/generator/fileplacement/ - - ../../../../../type/airship-core/target/importer/fileplacement/ + - ../../../../../type/airship-core/shared/decrypt-secrets/ diff --git a/manifests/type/airship-core/phases/kustomization.yaml b/manifests/type/airship-core/phases/kustomization.yaml index aebbd5520..d07d2ab34 100644 --- a/manifests/type/airship-core/phases/kustomization.yaml +++ b/manifests/type/airship-core/phases/kustomization.yaml @@ -1,5 +1,5 @@ resources: - - ../../../../../airshipctl/manifests/phases/ + - ../../../../../airshipctl/manifests/type/gating/phases/ - ../../../function/phase-helper/ - executors.yaml - phases.yaml diff --git a/manifests/type/airship-core/shared/decrypt-secrets/cleanup/kustomization.yaml b/manifests/type/airship-core/shared/decrypt-secrets/cleanup/kustomization.yaml new file mode 100644 index 000000000..ceec91979 --- /dev/null +++ b/manifests/type/airship-core/shared/decrypt-secrets/cleanup/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - patch.yaml diff --git a/manifests/type/airship-core/shared/decrypt-secrets/cleanup/patch.yaml b/manifests/type/airship-core/shared/decrypt-secrets/cleanup/patch.yaml new file mode 100644 index 000000000..5fb22a8e8 --- /dev/null +++ b/manifests/type/airship-core/shared/decrypt-secrets/cleanup/patch.yaml @@ -0,0 +1,12 @@ +apiVersion: builtin +kind: PatchTransformer +metadata: + name: delete-decryption-secrets +target: + name: decryption-key +patch: | + apiVersion: not-important + kind: not-important + metadata: + name: not-important + $patch: delete 
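Review bot: In decrypt-secrets/cleanup/patch.yaml the `target` selects only on `name: decryption-key`, while the parallel encrypt-secrets cleanup patch also sets `kind: ConfigMap`. This transformer is what keeps the decryption key object out of the rendered bundle, and a target that matches nothing is presumably a silent no-op in kustomize, so a renamed key object would pass through with no error. I would add the `kind:` of the key object (not visible in this diff) to the target for parity, and put a comment above `target:` such as `# must match the object selected by cmd-extra-params-json-path-filter in configurable-decryption.yaml`.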
diff --git a/manifests/type/airship-core/target/decrypt-secrets/configurable-decryption.yaml b/manifests/type/airship-core/shared/decrypt-secrets/configurable-decryption.yaml similarity index 65% rename from manifests/type/airship-core/target/decrypt-secrets/configurable-decryption.yaml rename to manifests/type/airship-core/shared/decrypt-secrets/configurable-decryption.yaml index 898a2b65f..b7080462b 100644 --- a/manifests/type/airship-core/target/decrypt-secrets/configurable-decryption.yaml +++ b/manifests/type/airship-core/shared/decrypt-secrets/configurable-decryption.yaml @@ -19,15 +19,20 @@ template: | annotations: config.k8s.io/function: | container: - image: localhost/sops + image: gcr.io/kpt-fn-contrib/sops:v0.3.0 envs: - SOPS_IMPORT_PGP + - SOPS_IMPORT_AGE + - VAULT_ADDR + - VAULT_TOKEN + network: true data: ignore-mac: true cmd: decrypt {{- if eq $tolerate "true" }} cmd-tolerate-failures: true {{- end }} - {{- if not (eq $debug "true") }} - override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import 2>/dev/null)' + {{- if eq $debug "true" }} + override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import >&2); [ "$SOPS_IMPORT_AGE" == "" ] || (echo "$SOPS_IMPORT_AGE" >> $XDG_CONFIG_HOME/sops/age/keys.txt);' {{- end }} + cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="decryption-key")]' diff --git a/manifests/type/airship-core/target/decrypt-secrets/kustomization.yaml b/manifests/type/airship-core/shared/decrypt-secrets/kustomization.yaml similarity index 100% rename from manifests/type/airship-core/target/decrypt-secrets/kustomization.yaml rename to manifests/type/airship-core/shared/decrypt-secrets/kustomization.yaml diff --git a/manifests/type/airship-core/shared/encrypt-secrets/cleanup/kustomization.yaml b/manifests/type/airship-core/shared/encrypt-secrets/cleanup/kustomization.yaml new file mode 100644 index 000000000..ceec91979 --- /dev/null 
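Review bot: The new `container:` lines in configurable-decryption.yaml turn on `network: true` and pass `VAULT_TOKEN`, `SOPS_IMPORT_PGP` and `SOPS_IMPORT_AGE` into an image referenced only by tag, `gcr.io/kpt-fn-contrib/sops:v0.3.0`. A tag can be re-pointed, so whatever it resolves to at run time receives the private keys and the Vault token together with outbound network access; pinning by digest, `image: gcr.io/kpt-fn-contrib/sops:v0.3.0@sha256:<DIGEST_PLACEHOLDER>`, removes that dependency on the registry. The same applies to encrypt-ephemeral.yaml and encrypt-target.yaml, and to `quay.io/airshipit/templater:latest` in update-secrets/template.yaml, which generates the CA and SSH keys. `ignore-mac: true` in the context lines also means SOPS does not verify the file MAC on decrypt; if that is needed because the update flow rewrites the document, a comment next to it saying so would help the next reader.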
+++ b/manifests/type/airship-core/shared/encrypt-secrets/cleanup/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - patch.yaml
diff --git a/manifests/type/airship-core/shared/encrypt-secrets/cleanup/patch.yaml b/manifests/type/airship-core/shared/encrypt-secrets/cleanup/patch.yaml
new file mode 100644
index 000000000..acbd9a32a
--- /dev/null
+++ b/manifests/type/airship-core/shared/encrypt-secrets/cleanup/patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: delete-encryption-secrets
+target:
+ kind: ConfigMap
+ name: .+-encryption-keys
+patch: |
+ apiVersion: not-important
+ kind: not-important
+ metadata:
+ name: not-important
+ $patch: delete
diff --git a/manifests/type/airship-core/shared/encrypt-secrets/encrypt-ephemeral.yaml b/manifests/type/airship-core/shared/encrypt-secrets/encrypt-ephemeral.yaml
new file mode 100644
index 000000000..266451e99
--- /dev/null
+++ b/manifests/type/airship-core/shared/encrypt-secrets/encrypt-ephemeral.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: encrypt-ephemeral
+ annotations:
+ config.k8s.io/function: |
+ container:
+ image: gcr.io/kpt-fn-contrib/sops:v0.3.0
+ envs:
+ - VAULT_ADDR
+ - VAULT_TOKEN
+ network: true
+data:
+ cmd: encrypt
+ cmd-json-path-filter: '$[?(@.metadata.name=="combined-ephemeral-secrets")]'
+ cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="ephemeral-encryption-keys")]'
+ encrypted-regex: '^(data)$'
diff --git a/manifests/type/airship-core/shared/encrypt-secrets/encrypt-target.yaml b/manifests/type/airship-core/shared/encrypt-secrets/encrypt-target.yaml
new file mode 100644
index 000000000..5139dd82e
--- /dev/null
+++ b/manifests/type/airship-core/shared/encrypt-secrets/encrypt-target.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: encrypt-target
+ annotations:
+ config.k8s.io/function: |
+ container:
+ image: gcr.io/kpt-fn-contrib/sops:v0.3.0
+ envs:
+ - VAULT_ADDR
+ - VAULT_TOKEN
+ network: true
+data:
+ cmd: encrypt
+ cmd-json-path-filter: '$[?(@.metadata.name=="combined-target-secrets")]'
+ cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="target-encryption-keys")]'
+ encrypted-regex: '^(data)$'
diff --git a/manifests/type/airship-core/shared/encrypt-secrets/kustomization.yaml b/manifests/type/airship-core/shared/encrypt-secrets/kustomization.yaml
new file mode 100644
index 000000000..9ee905d24
--- /dev/null
+++ b/manifests/type/airship-core/shared/encrypt-secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - encrypt-ephemeral.yaml
+ - encrypt-target.yaml
diff --git a/manifests/type/airship-core/shared/update-secrets/fileplacement/filepaths.yaml b/manifests/type/airship-core/shared/update-secrets/fileplacement/filepaths.yaml
new file mode 100644
index 000000000..4c51ef673
--- /dev/null
+++ b/manifests/type/airship-core/shared/update-secrets/fileplacement/filepaths.yaml
@@ -0,0 +1,25 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: imported-filnames-patch-0
+patch: |
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ name: combined-ephemeral-secrets-import
+ annotations:
+ config.kubernetes.io/path: "encrypted/update/secrets.yaml"
+ config.kubernetes.io/index: '0'
+---
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+ name: imported-filnames-patch-1
+patch: |
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ name: combined-target-secrets-import
+ annotations:
+ config.kubernetes.io/path: "encrypted/update/secrets.yaml"
+ config.kubernetes.io/index: '1'
diff --git a/manifests/type/airship-core/shared/update-secrets/fileplacement/kustomization.yaml b/manifests/type/airship-core/shared/update-secrets/fileplacement/kustomization.yaml
new file mode 100644
index 000000000..1cd1ffc5d
--- /dev/null
+++ b/manifests/type/airship-core/shared/update-secrets/fileplacement/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - filepaths.yaml
diff --git a/manifests/type/airship-core/shared/update-secrets/kustomization.yaml b/manifests/type/airship-core/shared/update-secrets/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/manifests/type/airship-core/shared/update-secrets/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/manifests/type/airship-core/shared/update-secrets/template.yaml b/manifests/type/airship-core/shared/update-secrets/template.yaml
new file mode 100644
index 000000000..f432ef6ae
--- /dev/null
+++ b/manifests/type/airship-core/shared/update-secrets/template.yaml
@@ -0,0 +1,140 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+ name: secret-template
+ annotations:
+ config.kubernetes.io/function: |
+ container:
+ image: quay.io/airshipit/templater:latest
+ envs:
+ - FORCE_REGENERATE
+ - ONLY_CLUSTERS
+ - DEBUG_TEMPLATER
+values:
+ # these settings are overridable
+ sshKeyGen:
+ encBit: 4096
+ ephemeralCluster:
+ ca:
+ subj: "/CN=Kubernetes API"
+ validity: 3650
+ kubeconfigCert:
+ subj: "/CN=admin/O=system:masters"
+ validity: 365
+ targetCluster:
+ ca:
+ subj: "/CN=Kubernetes API"
+ validity: 3650
+ kubeconfigCert:
+ subj: "/CN=admin/O=system:masters"
+ validity: 365
+template: |
+ {{/***********************************************************************/}}
+ {{/* define regenerate templates for different sections */}}
+ {{/***********************************************************************/}}
+ {{- define "regenEphemeralK8sSecrets" -}}
+ {{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }}
+ {{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}}
+ values:
+ - data: {{ $ClusterCa.Cert | b64enc | quote }}
+ name: caCrt
+ - data: {{ $ClusterCa.Key | b64enc | quote }}
+ name: caKey
+ - data: {{ $KubeconfigCert.Cert | b64enc | quote }}
+ name: crt
+ - data: {{ $KubeconfigCert.Key | b64enc | quote }}
+ name: key
+ {{- end -}}
+ {{- define "regenTargetK8sSecrets" -}}
+ {{- $ClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }}
+ {{- $KubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $ClusterCa }}
+ values:
+ - data: {{ $ClusterCa.Cert | b64enc | quote }}
+ name: caCrt
+ - data: {{ $ClusterCa.Key | b64enc | quote }}
+ name: caKey
+ - data: {{ $KubeconfigCert.Cert | b64enc | quote }}
+ name: crt
+ - data: {{ $KubeconfigCert.Key | b64enc | quote }}
+ name: key
+ {{- end -}}
+ {{- 
define "regenIsoImageSecrets" -}}
+ values:
+ - data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
+ name: rootPasswd
+ - data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
+ name: deployerPasswd
+ {{- end -}}
+ {{- define "regenTargetSshSecrets" -}}
+ {{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }}
+ values:
+ - data: {{ $sshKey.Private | quote }}
+ name: privateKey
+ - data: {{ $sshKey.Public | quote }}
+ name: publicKey
+ {{- end -}}
+ {{/***********************************************************************/}}
+ {{- $onlyClusters := list -}}
+ {{- if not (eq (env "ONLY_CLUSTERS") "") -}}
+ {{- $onlyClusters = splitList "," (env "ONLY_CLUSTERS") -}}
+ {{- end -}}
+ {{/***********************************************************************/}}
+ {{/* get combined-secrets yaml and exclude it from the bundle */}}
+ {{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}}
+ {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}}
+ {{/* get combined-secrets-import yaml and exclude it from the bundle */}}
+ {{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}}
+ {{/* skip secrets generation if it wasn't decrypted */}}
+ {{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "ephemeral" $onlyClusters)) -}}
+ {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$" "true"))) -}}
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ labels:
+ airshipit.org/deploy-k8s: "false"
+ name: combined-ephemeral-secrets-import
+ secretGroups: []
+ ---
+ apiVersion: airshipit.org/v1alpha1
+ kind: 
VariableCatalogue
+ metadata:
+ annotations:
+ config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml"
+ labels:
+ airshipit.org/deploy-k8s: "false"
+ name: combined-ephemeral-secrets
+ secretGroups:
+ - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }}
+ - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }}
+ ---
+ {{- end -}}
+ {{/***********************************************************************/}}
+ {{/* get combined-secrets yaml and exclude it from the bundle */}}
+ {{- $combinedSecrets = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "false"))) 0 -}}
+ {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "true"))) -}}
+ {{/* get combined-secrets-import yaml and exclude it from the bundle */}}
+ {{- $combinedSecretsImport = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$"))) 0 -}}
+ {{/* skip secrets generation if it wasn't decrypted */}}
+ {{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "target" $onlyClusters)) -}}
+ {{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$" "true"))) -}}
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ labels:
+ airshipit.org/deploy-k8s: "false"
+ name: combined-target-secrets-import
+ secretGroups: []
+ ---
+ apiVersion: airshipit.org/v1alpha1
+ kind: VariableCatalogue
+ metadata:
+ annotations:
+ config.kubernetes.io/path: "target/catalogues/encrypted/secrets.yaml"
+ labels:
+ airshipit.org/deploy-k8s: "false"
+ name: combined-target-secrets
+ secretGroups:
+ - {{ include "group" (list . 
$combinedSecrets $combinedSecretsImport "targetK8sSecrets" "yearly" "regenTargetK8sSecrets" ) | indent 4 | trim }}
+ - {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetSshSecrets" "yearly" "regenTargetSshSecrets" ) | indent 4 | trim }}
+ ---
+ {{- end -}}
diff --git a/manifests/type/airship-core/target/generator/fileplacement/filepaths.yaml b/manifests/type/airship-core/target/generator/fileplacement/filepaths.yaml
deleted file mode 100644
index a7719d923..000000000
--- a/manifests/type/airship-core/target/generator/fileplacement/filepaths.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: builtin
-kind: PatchTransformer
-metadata:
- name: generated-filnames-patch
-patch: |
- apiVersion: airshipit.org/v1alpha1
- kind: VariableCatalogue
- metadata:
- name: generated-secrets
- annotations:
- config.kubernetes.io/path: generated/secrets.yaml
diff --git a/manifests/type/airship-core/target/generator/fileplacement/kustomization.yaml b/manifests/type/airship-core/target/generator/fileplacement/kustomization.yaml
deleted file mode 100644
index aecaf8276..000000000
--- a/manifests/type/airship-core/target/generator/fileplacement/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- filepaths.yaml
diff --git a/manifests/type/airship-core/target/generator/kustomization.yaml b/manifests/type/airship-core/target/generator/kustomization.yaml
deleted file mode 100644
index 3ffd12cf5..000000000
--- a/manifests/type/airship-core/target/generator/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- secret-template.yaml
diff --git a/manifests/type/airship-core/target/generator/secret-template.yaml b/manifests/type/airship-core/target/generator/secret-template.yaml
deleted file mode 100644
index 72b8d1c9d..000000000
--- a/manifests/type/airship-core/target/generator/secret-template.yaml
+++ /dev/null
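Review bot: The default `subj: "/CN=admin/O=system:masters"` under both `kubeconfigCert` entries in the `values` block issues a client certificate in a group that the Kubernetes API server authorizes unconditionally, and such a certificate cannot be revoked short of replacing the CA that `regenEphemeralK8sSecrets` / `regenTargetK8sSecrets` generate alongside it. With `validity: 365`, a leaked kubeconfig key therefore stays cluster-admin for up to a year. The `"yearly"` argument passed to `group` presumably sets the regeneration period, but `group` is not defined in this hunk, so it is unclear whether rotation happens before expiry. Since the block is marked overridable, I would document the trade-off there, e.g. `# system:masters bypasses RBAC and client certs cannot be revoked; keep validity short`, and consider a shorter default.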
@@ -1,63 +0,0 @@
-apiVersion: airshipit.org/v1alpha1
-kind: Templater
-metadata:
- name: secret-template
- annotations:
- config.kubernetes.io/function: |
- container:
- image: localhost/templater
-values:
- sshKeyGen:
- encBit: 4096
- ephemeralCluster:
- ca:
- subj: "/CN=Kubernetes API"
- validity: 3650
- kubeconfigCert:
- subj: "/CN=admin/O=system:masters"
- validity: 365
- targetCluster:
- ca:
- subj: "/CN=Kubernetes API"
- validity: 3650
- kubeconfigCert:
- subj: "/CN=admin/O=system:masters"
- validity: 365
-template: |
- apiVersion: airshipit.org/v1alpha1
- kind: VariableCatalogue
- metadata:
- labels:
- airshipit.org/deploy-k8s: "false"
- name: generated-secrets
- annotations:
- config.kubernetes.io/path: secrets.yaml
- {{- $ephemeralClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }}
- {{- $ephemeralKubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ephemeralClusterCa }}
- ephemeralClusterCa:
- crt: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
- key: {{ $ephemeralClusterCa.Key|b64enc|quote }}
- ephemeralKubeconfig:
- certificate-authority-data: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
- client-certificate-data: {{ $ephemeralKubeconfigCert.Cert|b64enc|quote }}
- client-key-data: {{ $ephemeralKubeconfigCert.Key|b64enc|quote }}
- {{- $targetClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }}
- {{- $targetKubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $targetClusterCa }}
- targetClusterCa:
- tls.crt: {{ $targetClusterCa.Cert|b64enc|quote }}
- tls.key: {{ $targetClusterCa.Key|b64enc|quote }}
- targetKubeconfig:
- certificate-authority-data: {{ $targetClusterCa.Cert|b64enc|quote }}
- client-certificate-data: {{ $targetKubeconfigCert.Cert|b64enc|quote }}
- client-key-data: {{ $targetKubeconfigCert.Key|b64enc|quote }}
- isoImage:
- passwords:
- root: {{ 
derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }} - deployer: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }} - {{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }} - sshKeys: - privateKey: {{ $sshKey.Private|quote }} - publicKey: {{ $sshKey.Public|quote }} - dex: - oidc: - clientSecret: {{ regexGen "^[a-zA-Z0-9]{34}$" 34|quote }} diff --git a/manifests/type/airship-core/target/importer/fileplacement/filepaths.yaml b/manifests/type/airship-core/target/importer/fileplacement/filepaths.yaml deleted file mode 100644 index a89e95b10..000000000 --- a/manifests/type/airship-core/target/importer/fileplacement/filepaths.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: builtin -kind: PatchTransformer -metadata: - name: imported-filnames-patch -patch: | - apiVersion: airshipit.org/v1alpha1 - kind: VariableCatalogue - metadata: - name: imported-secrets - annotations: - config.kubernetes.io/path: imported/secrets.yaml diff --git a/manifests/type/airship-core/target/importer/fileplacement/kustomization.yaml b/manifests/type/airship-core/target/importer/fileplacement/kustomization.yaml deleted file mode 100644 index aecaf8276..000000000 --- a/manifests/type/airship-core/target/importer/fileplacement/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- filepaths.yaml diff --git a/playbooks/get-vm-config.yaml b/playbooks/get-vm-config.yaml index 9658af2a3..c6e6c1f08 100644 --- a/playbooks/get-vm-config.yaml +++ b/playbooks/get-vm-config.yaml @@ -16,7 +16,7 @@ - name: get BareMetalHost objects shell: | set -e - kustomize build --enable-alpha-plugins \ + kustomize build --enable-alpha-plugins --network \ {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/{{ path }} 2>/dev/null | kustomize cfg grep "kind=BareMetalHost" register: bmh_command 
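Review bot: A failed `kustomize build` is invisible in both tasks touched here (this hunk and the one at `@@ -32,7 +32,7 @@`). `set -e` without `pipefail` takes the exit status of the trailing `kustomize cfg grep`, and the context line discards stderr with `2>/dev/null`. With `--network` added next to `--enable-alpha-plugins`, the build now depends on reachable services, so a failure is more likely and would surface only as an empty `register` result rather than a task error. I would use `set -eo pipefail` with a shell that supports it (e.g. `executable: /bin/bash` under the task's `args`) and drop `2>/dev/null`, so plugin and decryption errors reach the job log.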
@@ -32,7 +32,7 @@ - name: get network configuration for BareMetalHost objects shell: | set -e - kustomize build --enable-alpha-plugins \ + kustomize build --enable-alpha-plugins --network \ {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/{{ path }} 2>/dev/null | kustomize cfg grep "metadata.name={{ item.spec.networkData.name }}" register: netdata_command diff --git a/tools/deployment/common/23_generate_secrets.sh b/tools/deployment/common/23_generate_secrets.sh index de285b033..e1fc1a76b 100755 --- a/tools/deployment/common/23_generate_secrets.sh +++ b/tools/deployment/common/23_generate_secrets.sh 
@@ -14,22 +14,26 @@ set -xe -: ${AIRSHIPCTL_PROJECT:="../airshipctl"} -: ${TREASUREMAP_PROJECT:="$(pwd)"} +echo "Generating secrets using airshipctl" +FORCE_REGENERATE=all airshipctl phase run secret-update +echo "Generating ~/.airship/kubeconfig" +export EXTERNAL_KUBECONFIG=${EXTERNAL_KUBECONFIG:-""} export SITE=${SITE:-"virtual-airship-core"} -export AIRSHIP_CONFIG_METADATA_PATH=${AIRSHIP_CONFIG_METADATA_PATH:-"treasuremap/manifests/site/$SITE/metadata.yaml"} -# Setting the same value as targetPath that gets updated after create config step (22_test_configs.sh) -export AIRSHIP_CONFIG_MANIFEST_DIRECTORY=${AIRSHIP_CONFIG_MANIFEST_DIRECTORY:-"/tmp/treasuremap"} -# Primary repo options -# Only the last item in the repo url path, e.g., 'treasuremap', is used by -# the generate secret command. -# In the case the init_site script was used to generate the project and site -# directory outside of treasuremap, set it to the PROJECT value so we don't -# need to ask the user to set the repo url. -export PROJECT=${PROJECT:-"treasuremap"} -export AIRSHIP_CONFIG_PHASE_REPO_URL=${AIRSHIP_CONFIG_PHASE_REPO_URL:-$PROJECT} +if [[ -z "$EXTERNAL_KUBECONFIG" ]]; then + # we want to take config from bundle - remove kubeconfig file so + # airshipctl could regenerated it from kustomize + [ -f "~/.airship/kubeconfig" ] && rm ~/.airship/kubeconfig + # we need to use tmp file, because airshipctl uses it and fails + # if we write directly + airshipctl cluster get-kubeconfig > ~/.airship/tmp-kubeconfig + mv ~/.airship/tmp-kubeconfig ~/.airship/kubeconfig +fi -cd ${AIRSHIPCTL_PROJECT} -./tools/deployment/23_generate_secrets.sh +# Validate that we generated everything correctly +decrypted1=$(airshipctl phase run secret-show) +if [[ -z "${decrypted1}" ]]; then + echo "Got empty decrypted value" + exit 1 +fi diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 87fc61dd6..b08552c35 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
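Review bot: The added check `decrypted1=$(airshipctl phase run secret-show)` runs under the script's `set -xe`, so bash's trace prints the assignment together with the captured output. Judging by the variable name and the "Got empty decrypted value" message, that output is the decrypted secrets, which would then land in the job log. Put `set +x` before the capture, and `set -x` again after the `fi` if tracing is still wanted. Separately, `[ -f "~/.airship/kubeconfig" ]` never matches because the tilde is not expanded inside quotes, so the stale kubeconfig is never removed; `rm -f ~/.airship/kubeconfig` does what the comment intends. The file written by `> ~/.airship/tmp-kubeconfig` also takes the default umask, so a `umask 077` before that redirect would keep the client key private.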
@@ -35,7 +35,7 @@ - ./tools/deployment/common/21_systemwide_executable.sh - ./tools/deployment/common/22_test_configs.sh - ./tools/deployment/common/23_pull_documents.sh - - ./tools/validate_docs + - ./tools/validate_docs virtual-airship-core - job: name: treasuremap-upload-git-mirror diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index 774b88528..b6dd0dd11 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -14,7 +14,7 @@ vars: # NOTE(drewwalters96): Set AIRSHIPCTL_REF to a commit SHA in order to pin # the cloned version of airshipctl to a known/compatible reference. - AIRSHIPCTL_REF: 36d7153a6637ba62abb034d03c295d77e385723f + AIRSHIPCTL_REF: eb9ac97ce207542e1e4d3b363963bfc5f0847096 sphinx_build_dir: docs/build check: jobs: