From cf1f2af8770a5b0c1f0db2911e4bf52907195cdf Mon Sep 17 00:00:00 2001 
From: Kaspars Skels Date: Wed, 15 Aug 2018 09:26:26 -0500 Subject: [PATCH] Initial set of Airship deployment manifests - global/type manifests - airship-seaworthy site manifests Change-Id: I5951bba063e6447ff0d2e1b40d9711209919f7d1 --- global/common/layering-policy.yaml | 10 + global/common/schemas/pegleg/Script/v1.yaml | 8 + .../schemas/pegleg/SiteDefinition/v1.yaml | 19 + .../passphrases/private_docker_key.yaml | 14 + .../publickey/airship_ssh_public_key.yaml | 11 + .../baremetal/bootactions/airship-target.yaml | 26 + .../v4.0/baremetal/bootactions/promjoin.yaml | 33 + .../v4.0/deployment/deployment-strategy.yaml | 39 + global/v4.0/profiles/genesis.yaml | 114 + global/v4.0/profiles/hardware/generic.yaml | 19 + global/v4.0/profiles/host/cp.yaml | 108 + global/v4.0/profiles/host/dp.yaml | 60 + global/v4.0/profiles/kubernetes-host.yaml | 144 + global/v4.0/schemas/armada/Chart/v1.yaml | 12 + global/v4.0/schemas/armada/ChartGroup/v1.yaml | 12 + global/v4.0/schemas/armada/Manifest/v1.yaml | 12 + .../schemas/drydock/BaremetalNode/v1.yaml | 163 + .../v4.0/schemas/drydock/BootAction/v1.yaml | 93 + .../schemas/drydock/HardwareProfile/v1.yaml | 49 + .../v4.0/schemas/drydock/HostProfile/v1.yaml | 161 + global/v4.0/schemas/drydock/Network/v1.yaml | 70 + .../v4.0/schemas/drydock/NetworkLink/v1.yaml | 47 + global/v4.0/schemas/drydock/Rack/v1.yaml | 35 + global/v4.0/schemas/drydock/Region/v1.yaml | 71 + .../schemas/pegleg/AccountCatalogue/v1.yaml | 645 ++++ .../schemas/pegleg/CommonAddresses/v1.yaml | 116 + .../pegleg/CommonSoftwareConfig/v1.yaml | 15 + .../schemas/pegleg/EndpointCatalogue/v1.yaml | 143 + .../schemas/pegleg/SoftwareVersions/v1.yaml | 1066 +++++++ global/v4.0/schemas/promenade/Docker/v1.yaml | 16 + global/v4.0/schemas/promenade/Genesis/v1.yaml | 141 + .../v4.0/schemas/promenade/HostSystem/v1.yaml | 137 + global/v4.0/schemas/promenade/Kubelet/v1.yaml | 31 + .../promenade/KubernetesNetwork/v1.yaml | 121 + .../schemas/promenade/KubernetesNode/v1.yaml | 47 + 
.../promenade/PKICatalog/PKICatalog.yaml | 43 + .../shipyard/DeploymentConfiguration/v1.yaml | 80 + .../shipyard/DeploymentStrategy/v1.yaml | 73 + global/v4.0/scripts/configure-ip-rules.yaml | 128 + .../container-networking/calico.yaml | 168 + .../container-networking/chart-group.yaml | 15 + .../kubernetes/container-networking/etcd.yaml | 136 + .../charts/kubernetes/core/apiserver.yaml | 155 + .../charts/kubernetes/core/chart-group.yaml | 15 + .../kubernetes/core/controller-manager.yaml | 136 + .../charts/kubernetes/core/scheduler.yaml | 93 + .../charts/kubernetes/dns/chart-group.yaml | 13 + .../charts/kubernetes/dns/coredns.yaml | 146 + .../charts/kubernetes/etcd/chart-group.yaml | 13 + .../software/charts/kubernetes/etcd/etcd.yaml | 137 + .../kubernetes/haproxy/chart-group.yaml | 13 + .../charts/kubernetes/haproxy/haproxy.yaml | 109 + .../kubernetes/ingress/chart-group.yaml | 13 + .../charts/kubernetes/ingress/ingress.yaml | 86 + .../charts/kubernetes/proxy/chart-group.yaml | 14 + .../kubernetes/proxy/kubernetes-proxy.yaml | 90 + .../charts/osh-infra/dependencies.yaml | 28 + .../osh-infra-ceph-config/ceph-config.yaml | 142 + .../osh-infra-ceph-config/chart-group.yaml | 13 + .../osh-infra-dashboards/chart-group.yaml | 14 + .../osh-infra-dashboards/grafana.yaml | 251 ++ .../osh-infra-dashboards/kibana.yaml | 126 + .../chart-group.yaml | 13 + .../osh-infra-ingress-controller/ingress.yaml | 55 + .../osh-infra-logging/chart-group.yaml | 14 + .../osh-infra-logging/elasticsearch.yaml | 186 ++ .../osh-infra-logging/fluent-logging.yaml | 171 + .../osh-infra-mariadb/chart-group.yaml | 13 + .../osh-infra/osh-infra-mariadb/mariadb.yaml | 77 + .../osh-infra-monitoring/chart-group.yaml | 17 + .../osh-infra-monitoring/nagios.yaml | 129 + .../prometheus-alertmanager.yaml | 68 + .../prometheus-kube-state-metrics.yaml | 77 + .../prometheus-node-exporter.yaml | 65 + .../osh-infra-monitoring/prometheus.yaml | 80 + .../chart-group.yaml | 13 + .../prometheus-openstack-exporter.yaml | 
95 + .../software/charts/osh/dependencies.yaml | 28 + .../openstack-ceph-config/ceph-config.yaml | 142 + .../openstack-ceph-config/chart-group.yaml | 13 + .../osh/openstack-cinder/chart-group.yaml | 14 + .../charts/osh/openstack-cinder/cinder.yaml | 287 ++ .../charts/osh/openstack-cinder/rabbitmq.yaml | 95 + .../openstack-compute-kit/chart-group.yaml | 18 + .../osh/openstack-compute-kit/libvirt.yaml | 48 + .../neutron-rabbitmq.yaml | 95 + .../osh/openstack-compute-kit/neutron.yaml | 334 ++ .../openstack-compute-kit/nova-rabbitmq.yaml | 95 + .../osh/openstack-compute-kit/nova.yaml | 403 +++ .../openstack-compute-kit/openvswitch.yaml | 62 + .../osh/openstack-glance/chart-group.yaml | 14 + .../charts/osh/openstack-glance/glance.yaml | 296 ++ .../charts/osh/openstack-glance/rabbitmq.yaml | 95 + .../osh/openstack-heat/chart-group.yaml | 14 + .../charts/osh/openstack-heat/heat.yaml | 297 ++ .../charts/osh/openstack-heat/rabbitmq.yaml | 95 + .../osh/openstack-horizon/chart-group.yaml | 13 + .../charts/osh/openstack-horizon/horizon.yaml | 114 + .../chart-group.yaml | 13 + .../openstack-ingress-controller/ingress.yaml | 55 + .../osh/openstack-keystone/chart-group.yaml | 14 + .../osh/openstack-keystone/keystone.yaml | 259 ++ .../osh/openstack-keystone/rabbitmq.yaml | 95 + .../osh/openstack-mariadb/chart-group.yaml | 13 + .../charts/osh/openstack-mariadb/mariadb.yaml | 77 + .../osh/openstack-memcached/chart-group.yaml | 13 + .../osh/openstack-memcached/memcached.yaml | 57 + .../osh/openstack-radosgw/chart-group.yaml | 13 + .../charts/osh/openstack-radosgw/radosgw.yaml | 142 + .../software/charts/ucp/armada/armada.yaml | 122 + .../charts/ucp/armada/chart-group.yaml | 15 + .../software/charts/ucp/armada/tiller.yaml | 70 + .../charts/ucp/ceph-config/ceph-config.yaml | 143 + .../charts/ucp/ceph-config/chart-group.yaml | 15 + .../charts/ucp/ceph/ceph-client-update.yaml | 189 ++ .../software/charts/ucp/ceph/ceph-client.yaml | 190 ++ .../software/charts/ucp/ceph/ceph-htk.yaml | 23 + 
.../charts/ucp/ceph/ceph-ingress.yaml | 64 + .../software/charts/ucp/ceph/ceph-mon.yaml | 150 + .../software/charts/ucp/ceph/ceph-osd.yaml | 153 + .../charts/ucp/ceph/chart-group-update.yaml | 18 + .../software/charts/ucp/ceph/chart-group.yaml | 18 + .../software/charts/ucp/core/chart-group.yaml | 17 + .../software/charts/ucp/core/ingress.yaml | 85 + .../software/charts/ucp/core/mariadb.yaml | 109 + .../software/charts/ucp/core/postgresql.yaml | 105 + .../software/charts/ucp/core/rabbitmq.yaml | 110 + .../charts/ucp/deckhand/barbican.yaml | 261 ++ .../charts/ucp/deckhand/chart-group.yaml | 16 + .../charts/ucp/deckhand/deckhand.yaml | 173 + .../charts/ucp/divingbell/chart-group.yaml | 13 + .../charts/ucp/divingbell/divingbell.yaml | 103 + .../charts/ucp/drydock/chart-group.yaml | 14 + .../software/charts/ucp/drydock/drydock.yaml | 191 ++ .../software/charts/ucp/drydock/maas.yaml | 226 ++ .../charts/ucp/keystone/chart-group.yaml | 14 + .../charts/ucp/keystone/keystone.yaml | 243 ++ .../charts/ucp/keystone/memcached.yaml | 80 + .../charts/ucp/promenade/chart-group.yaml | 13 + .../charts/ucp/promenade/promenade.yaml | 135 + .../charts/ucp/shipyard/chart-group.yaml | 13 + .../charts/ucp/shipyard/shipyard.yaml | 315 ++ global/v4.0/software/config/Docker.yaml | 16 + global/v4.0/software/config/Kubelet.yaml | 25 + global/v4.0/software/config/versions.yaml | 904 ++++++ global/v4.0/software/manifests/bootstrap.yaml | 29 + global/v4.0/software/manifests/full-site.yaml | 52 + .../baremetal/bootactions/promjoin.yaml | 32 + site/airship-seaworthy/baremetal/nodes.yaml | 254 ++ .../deployment/deployment-configuration.yaml | 41 + .../networks/common-addresses.yaml | 157 + .../networks/physical/networks.yaml | 286 ++ site/airship-seaworthy/pki/pki-catalog.yaml | 348 ++ site/airship-seaworthy/profiles/genesis.yaml | 44 + .../profiles/host/cp_r720.yaml | 188 ++ .../profiles/host/dp_r720.yaml | 90 + site/airship-seaworthy/profiles/region.yaml | 53 + 
.../secrets/certificates/certificates.yaml | 2803 +++++++++++++++++ .../secrets/certificates/ingress.yaml | 128 + .../secrets/passphrases/ceph_fsid.yaml | 12 + .../ceph_swift_keystone_password.yaml | 11 + .../passphrases/ipmi_admin_password.yaml | 11 + .../secrets/passphrases/maas-region-key.yaml | 12 + .../osh_barbican_oslo_db_password.yaml | 11 + ...arbican_oslo_messaging_admin_password.yaml | 11 + .../osh_barbican_oslo_messaging_password.yaml | 11 + .../passphrases/osh_barbican_password.yaml | 11 + .../osh_barbican_rabbitmq_erlang_cookie.yaml | 11 + .../osh_cinder_oslo_db_password.yaml | 11 + ..._cinder_oslo_messaging_admin_password.yaml | 11 + .../osh_cinder_oslo_messaging_password.yaml | 11 + .../passphrases/osh_cinder_password.yaml | 11 + .../osh_cinder_rabbitmq_erlang_cookie.yaml | 11 + .../osh_glance_oslo_db_password.yaml | 11 + ..._glance_oslo_messaging_admin_password.yaml | 11 + .../osh_glance_oslo_messaging_password.yaml | 11 + .../passphrases/osh_glance_password.yaml | 11 + .../osh_glance_rabbitmq_erlang_cookie.yaml | 11 + .../osh_heat_oslo_db_password.yaml | 11 + ...sh_heat_oslo_messaging_admin_password.yaml | 11 + .../osh_heat_oslo_messaging_password.yaml | 11 + .../passphrases/osh_heat_password.yaml | 11 + .../osh_heat_rabbitmq_erlang_cookie.yaml | 11 + .../osh_heat_stack_user_password.yaml | 11 + .../osh_heat_trustee_password.yaml | 11 + .../osh_horizon_oslo_db_password.yaml | 11 + ...sh_infra_elasticsearch_admin_password.yaml | 11 + .../osh_infra_grafana_admin_password.yaml | 11 + .../osh_infra_grafana_oslo_db_password.yaml | 11 + ...nfra_grafana_oslo_db_session_password.yaml | 11 + .../osh_infra_kibana_admin_password.yaml | 11 + .../osh_infra_nagios_admin_password.yaml | 11 + ...osh_infra_openstack_exporter_password.yaml | 11 + .../osh_infra_oslo_db_admin_password.yaml | 11 + .../osh_keystone_admin_password.yaml | 11 + .../osh_keystone_ldap_password.yaml | 11 + .../osh_keystone_oslo_db_password.yaml | 11 + 
...eystone_oslo_messaging_admin_password.yaml | 11 + .../osh_keystone_oslo_messaging_password.yaml | 11 + .../osh_keystone_rabbitmq_erlang_cookie.yaml | 11 + .../osh_neutron_oslo_db_password.yaml | 11 + ...neutron_oslo_messaging_admin_password.yaml | 11 + .../osh_neutron_oslo_messaging_password.yaml | 11 + .../passphrases/osh_neutron_password.yaml | 11 + .../osh_neutron_rabbitmq_erlang_cookie.yaml | 11 + .../osh_nova_oslo_db_password.yaml | 11 + ...sh_nova_oslo_messaging_admin_password.yaml | 11 + .../osh_nova_oslo_messaging_password.yaml | 11 + .../passphrases/osh_nova_password.yaml | 11 + .../osh_nova_rabbitmq_erlang_cookie.yaml | 11 + .../osh_oslo_cache_secret_key.yaml | 11 + .../osh_oslo_db_admin_password.yaml | 11 + .../passphrases/osh_placement_password.yaml | 11 + .../passphrases/ubuntu_crypt_password.yaml | 12 + .../ucp_airflow_postgres_password.yaml | 11 + .../ucp_armada_keystone_password.yaml | 11 + .../ucp_barbican_keystone_password.yaml | 11 + .../ucp_barbican_oslo_db_password.yaml | 11 + .../ucp_deckhand_keystone_password.yaml | 11 + .../ucp_deckhand_postgres_password.yaml | 11 + .../ucp_drydock_keystone_password.yaml | 11 + .../ucp_drydock_postgres_password.yaml | 11 + .../ucp_keystone_admin_password.yaml | 11 + .../ucp_keystone_oslo_db_password.yaml | 11 + .../passphrases/ucp_maas_admin_password.yaml | 11 + .../ucp_maas_postgres_password.yaml | 11 + .../ucp_oslo_db_admin_password.yaml | 11 + .../ucp_oslo_messaging_password.yaml | 11 + .../ucp_postgres_admin_password.yaml | 11 + .../ucp_promenade_keystone_password.yaml | 11 + .../ucp_rabbitmq_erlang_cookie.yaml | 11 + .../ucp_shipyard_keystone_password.yaml | 11 + .../ucp_shipyard_postgres_password.yaml | 11 + site/airship-seaworthy/site-definition.yaml | 18 + .../kubernetes/container-networking/etcd.yaml | 159 + .../software/charts/kubernetes/etcd/etcd.yaml | 163 + .../charts/kubernetes/ingress/ingress.yaml | 18 + .../osh/openstack-compute-kit/neutron.yaml | 23 + 
.../osh/openstack-compute-kit/nova.yaml | 25 + .../charts/ucp/ceph/ceph-client-update.yaml | 26 + .../software/charts/ucp/ceph/ceph-client.yaml | 25 + .../software/charts/ucp/ceph/ceph-osd.yaml | 75 + .../charts/ucp/divingbell/divingbell.yaml | 51 + .../software/charts/ucp/drydock/maas.yaml | 37 + .../charts/ucp/promenade/promenade.yaml | 50 + .../config/common-software-config.yaml | 16 + .../software/config/endpoints.yaml | 1570 +++++++++ .../software/config/service_accounts.yaml | 420 +++ .../software/manifests/full-site.yaml | 56 + .../v4.0/network/KubernetesNetwork.yaml | 97 + 250 files changed, 22956 insertions(+) create mode 100644 global/common/layering-policy.yaml create mode 100644 global/common/schemas/pegleg/Script/v1.yaml create mode 100644 global/common/schemas/pegleg/SiteDefinition/v1.yaml create mode 100644 global/common/secrets/passphrases/private_docker_key.yaml create mode 100644 global/common/secrets/publickey/airship_ssh_public_key.yaml create mode 100644 global/v4.0/baremetal/bootactions/airship-target.yaml create mode 100644 global/v4.0/baremetal/bootactions/promjoin.yaml create mode 100644 global/v4.0/deployment/deployment-strategy.yaml create mode 100644 global/v4.0/profiles/genesis.yaml create mode 100644 global/v4.0/profiles/hardware/generic.yaml create mode 100644 global/v4.0/profiles/host/cp.yaml create mode 100644 global/v4.0/profiles/host/dp.yaml create mode 100644 global/v4.0/profiles/kubernetes-host.yaml create mode 100644 global/v4.0/schemas/armada/Chart/v1.yaml create mode 100644 global/v4.0/schemas/armada/ChartGroup/v1.yaml create mode 100644 global/v4.0/schemas/armada/Manifest/v1.yaml create mode 100644 global/v4.0/schemas/drydock/BaremetalNode/v1.yaml create mode 100644 global/v4.0/schemas/drydock/BootAction/v1.yaml create mode 100644 global/v4.0/schemas/drydock/HardwareProfile/v1.yaml create mode 100644 global/v4.0/schemas/drydock/HostProfile/v1.yaml create mode 100644 global/v4.0/schemas/drydock/Network/v1.yaml create mode 
100644 global/v4.0/schemas/drydock/NetworkLink/v1.yaml create mode 100644 global/v4.0/schemas/drydock/Rack/v1.yaml create mode 100644 global/v4.0/schemas/drydock/Region/v1.yaml create mode 100644 global/v4.0/schemas/pegleg/AccountCatalogue/v1.yaml create mode 100644 global/v4.0/schemas/pegleg/CommonAddresses/v1.yaml create mode 100644 global/v4.0/schemas/pegleg/CommonSoftwareConfig/v1.yaml create mode 100644 global/v4.0/schemas/pegleg/EndpointCatalogue/v1.yaml create mode 100644 global/v4.0/schemas/pegleg/SoftwareVersions/v1.yaml create mode 100644 global/v4.0/schemas/promenade/Docker/v1.yaml create mode 100644 global/v4.0/schemas/promenade/Genesis/v1.yaml create mode 100644 global/v4.0/schemas/promenade/HostSystem/v1.yaml create mode 100644 global/v4.0/schemas/promenade/Kubelet/v1.yaml create mode 100644 global/v4.0/schemas/promenade/KubernetesNetwork/v1.yaml create mode 100644 global/v4.0/schemas/promenade/KubernetesNode/v1.yaml create mode 100644 global/v4.0/schemas/promenade/PKICatalog/PKICatalog.yaml create mode 100644 global/v4.0/schemas/shipyard/DeploymentConfiguration/v1.yaml create mode 100644 global/v4.0/schemas/shipyard/DeploymentStrategy/v1.yaml create mode 100644 global/v4.0/scripts/configure-ip-rules.yaml create mode 100644 global/v4.0/software/charts/kubernetes/container-networking/calico.yaml create mode 100644 global/v4.0/software/charts/kubernetes/container-networking/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/container-networking/etcd.yaml create mode 100644 global/v4.0/software/charts/kubernetes/core/apiserver.yaml create mode 100644 global/v4.0/software/charts/kubernetes/core/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/core/controller-manager.yaml create mode 100644 global/v4.0/software/charts/kubernetes/core/scheduler.yaml create mode 100644 global/v4.0/software/charts/kubernetes/dns/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/dns/coredns.yaml create 
mode 100644 global/v4.0/software/charts/kubernetes/etcd/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/etcd/etcd.yaml create mode 100644 global/v4.0/software/charts/kubernetes/haproxy/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/haproxy/haproxy.yaml create mode 100644 global/v4.0/software/charts/kubernetes/ingress/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/ingress/ingress.yaml create mode 100644 global/v4.0/software/charts/kubernetes/proxy/chart-group.yaml create mode 100644 global/v4.0/software/charts/kubernetes/proxy/kubernetes-proxy.yaml create mode 100644 global/v4.0/software/charts/osh-infra/dependencies.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/ceph-config.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-dashboards/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-dashboards/kibana.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-logging/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-logging/elasticsearch.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-logging/fluent-logging.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-mariadb/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-monitoring/chart-group.yaml create mode 100644 
global/v4.0/software/charts/osh-infra/osh-infra-monitoring/nagios.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-alertmanager.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-kube-state-metrics.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-node-exporter.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/prometheus-openstack-exporter.yaml create mode 100644 global/v4.0/software/charts/osh/dependencies.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-ceph-config/ceph-config.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-ceph-config/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-cinder/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-cinder/cinder.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-cinder/rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/libvirt.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/neutron-rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/neutron.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/nova-rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/nova.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-compute-kit/openvswitch.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-glance/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-glance/glance.yaml 
create mode 100644 global/v4.0/software/charts/osh/openstack-glance/rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-heat/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-heat/heat.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-heat/rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-horizon/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-horizon/horizon.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-ingress-controller/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-ingress-controller/ingress.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-keystone/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-keystone/keystone.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-keystone/rabbitmq.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-mariadb/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-mariadb/mariadb.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-memcached/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-memcached/memcached.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-radosgw/chart-group.yaml create mode 100644 global/v4.0/software/charts/osh/openstack-radosgw/radosgw.yaml create mode 100644 global/v4.0/software/charts/ucp/armada/armada.yaml create mode 100644 global/v4.0/software/charts/ucp/armada/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/armada/tiller.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph-config/ceph-config.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph-config/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/ceph-client-update.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/ceph-client.yaml create mode 100644 
global/v4.0/software/charts/ucp/ceph/ceph-htk.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/ceph-ingress.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/ceph-mon.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/ceph-osd.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/chart-group-update.yaml create mode 100644 global/v4.0/software/charts/ucp/ceph/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/core/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/core/ingress.yaml create mode 100644 global/v4.0/software/charts/ucp/core/mariadb.yaml create mode 100644 global/v4.0/software/charts/ucp/core/postgresql.yaml create mode 100644 global/v4.0/software/charts/ucp/core/rabbitmq.yaml create mode 100644 global/v4.0/software/charts/ucp/deckhand/barbican.yaml create mode 100644 global/v4.0/software/charts/ucp/deckhand/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/deckhand/deckhand.yaml create mode 100644 global/v4.0/software/charts/ucp/divingbell/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/divingbell/divingbell.yaml create mode 100644 global/v4.0/software/charts/ucp/drydock/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/drydock/drydock.yaml create mode 100644 global/v4.0/software/charts/ucp/drydock/maas.yaml create mode 100644 global/v4.0/software/charts/ucp/keystone/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/keystone/keystone.yaml create mode 100644 global/v4.0/software/charts/ucp/keystone/memcached.yaml create mode 100644 global/v4.0/software/charts/ucp/promenade/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/promenade/promenade.yaml create mode 100644 global/v4.0/software/charts/ucp/shipyard/chart-group.yaml create mode 100644 global/v4.0/software/charts/ucp/shipyard/shipyard.yaml create mode 100644 global/v4.0/software/config/Docker.yaml create mode 100644 
global/v4.0/software/config/Kubelet.yaml create mode 100644 global/v4.0/software/config/versions.yaml create mode 100644 global/v4.0/software/manifests/bootstrap.yaml create mode 100644 global/v4.0/software/manifests/full-site.yaml create mode 100644 site/airship-seaworthy/baremetal/bootactions/promjoin.yaml create mode 100644 site/airship-seaworthy/baremetal/nodes.yaml create mode 100644 site/airship-seaworthy/deployment/deployment-configuration.yaml create mode 100644 site/airship-seaworthy/networks/common-addresses.yaml create mode 100644 site/airship-seaworthy/networks/physical/networks.yaml create mode 100644 site/airship-seaworthy/pki/pki-catalog.yaml create mode 100644 site/airship-seaworthy/profiles/genesis.yaml create mode 100644 site/airship-seaworthy/profiles/host/cp_r720.yaml create mode 100644 site/airship-seaworthy/profiles/host/dp_r720.yaml create mode 100644 site/airship-seaworthy/profiles/region.yaml create mode 100644 site/airship-seaworthy/secrets/certificates/certificates.yaml create mode 100644 site/airship-seaworthy/secrets/certificates/ingress.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ceph_fsid.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ceph_swift_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ipmi_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/maas-region-key.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_barbican_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml create mode 100644 
site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_cinder_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_glance_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_stack_user_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_heat_trustee_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_horizon_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_admin_password.yaml create mode 100644 
site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_kibana_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_nagios_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_openstack_exporter_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_ldap_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_neutron_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_password.yaml 
create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_oslo_cache_secret_key.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_oslo_db_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_placement_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ubuntu_crypt_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_airflow_postgres_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_armada_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_barbican_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_barbican_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_deckhand_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_deckhand_postgres_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_drydock_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_drydock_postgres_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_keystone_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_keystone_oslo_db_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_maas_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_maas_postgres_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_oslo_db_admin_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_oslo_messaging_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_postgres_admin_password.yaml create 
mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_promenade_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_shipyard_keystone_password.yaml create mode 100644 site/airship-seaworthy/secrets/passphrases/ucp_shipyard_postgres_password.yaml create mode 100644 site/airship-seaworthy/site-definition.yaml create mode 100644 site/airship-seaworthy/software/charts/kubernetes/container-networking/etcd.yaml create mode 100644 site/airship-seaworthy/software/charts/kubernetes/etcd/etcd.yaml create mode 100644 site/airship-seaworthy/software/charts/kubernetes/ingress/ingress.yaml create mode 100644 site/airship-seaworthy/software/charts/osh/openstack-compute-kit/neutron.yaml create mode 100644 site/airship-seaworthy/software/charts/osh/openstack-compute-kit/nova.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/ceph/ceph-client-update.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/ceph/ceph-client.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/ceph/ceph-osd.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/divingbell/divingbell.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/drydock/maas.yaml create mode 100644 site/airship-seaworthy/software/charts/ucp/promenade/promenade.yaml create mode 100644 site/airship-seaworthy/software/config/common-software-config.yaml create mode 100644 site/airship-seaworthy/software/config/endpoints.yaml create mode 100644 site/airship-seaworthy/software/config/service_accounts.yaml create mode 100644 site/airship-seaworthy/software/manifests/full-site.yaml create mode 100644 type/foundry/v4.0/network/KubernetesNetwork.yaml diff --git a/global/common/layering-policy.yaml b/global/common/layering-policy.yaml new file mode 100644 index 000000000..e86d0babd --- /dev/null +++ b/global/common/layering-policy.yaml 
@@ -0,0 +1,10 @@
+---
+schema: deckhand/LayeringPolicy/v1
+metadata:
+ schema: metadata/Control/v1
+ name: layering-policy
+data:
+ layerOrder:
+ - global
+ - type
+ - site
diff --git a/global/common/schemas/pegleg/Script/v1.yaml b/global/common/schemas/pegleg/Script/v1.yaml
new file mode 100644
index 000000000..9c90a3028
--- /dev/null
+++ b/global/common/schemas/pegleg/Script/v1.yaml
@@ -0,0 +1,8 @@
+---
+schema: deckhand/DataSchema/v1
+metadata:
+ schema: metadata/Control/v1
+ name: pegleg/Script/v1
+data:
+ $schema: http://json-schema.org/schema#
+ type: string
diff --git a/global/common/schemas/pegleg/SiteDefinition/v1.yaml b/global/common/schemas/pegleg/SiteDefinition/v1.yaml
new file mode 100644
index 000000000..3878eb3bf
--- /dev/null
+++ b/global/common/schemas/pegleg/SiteDefinition/v1.yaml
@@ -0,0 +1,19 @@
+---
+schema: deckhand/DataSchema/v1
+metadata:
+ schema: metadata/Control/v1
+ name: pegleg/SiteDefinition/v1
+data:
+ $schema: http://json-schema.org/schema#
+ type: object
+
+ properties:
+ revision:
+ type: string
+ pattern: '^v.+$'
+ site_type:
+ type: string
+ required:
+ - revision
+ - site_type
+ additionalProperties: false
diff --git a/global/common/secrets/passphrases/private_docker_key.yaml b/global/common/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..d3a0341e1
--- /dev/null
+++ b/global/common/secrets/passphrases/private_docker_key.yaml
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
diff --git a/global/common/secrets/publickey/airship_ssh_public_key.yaml b/global/common/secrets/publickey/airship_ssh_public_key.yaml
new file mode 100644
index 000000000..b14a575bd
--- /dev/null
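Review bot: In global/common/secrets/passphrases/private_docker_key.yaml the `deckhand/Passphrase/v1` document is declared with `storagePolicy: cleartext` and carries a guessable sample value, which its own comment identifies as base64 of password123. Because the document sits in the global layer, any site that does not override it inherits a known registry credential, and base64 is an encoding rather than protection. I would set `storagePolicy: encrypted` and extend the comment to `# SAMPLE ONLY - override in the site layer before deployment; never commit a real registry credential here`.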
+++ b/global/common/secrets/publickey/airship_ssh_public_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+ schema: metadata/Document/v1
+ name: airship_ssh_public_key
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyb6CDrai3VcFW1ew5ikf7IDSpqfFyrJNLI1DPyd28vcy6D1oFXdELYK7DsXzVCgV7YNDiKpneXMBTJ/Mr/aZi9K3eVvtRp1HAK3y6ycx9KRfyfMVAU0aT3xMOpE5xS/xTH8HNRbOSszp0woVYKhncpkumHweji7wbLKm/WxsggIoGDjn29KIoRhpo96tWz/DBsoU1pIHTMoZNyHW2aYWEx6kOzTEmhxL0LkKv7+A/2HJuLnqcXoQH9jl3kRQDyikNlSw2T3gQV3I8m0od/lEf98MZb1Yv9GrlDCmnUPXAJ2HQaWaVaPPpGcBW7veOZlLfeulwD4zlo6P6JW1SZaat airship@seaworthy
+...
diff --git a/global/v4.0/baremetal/bootactions/airship-target.yaml b/global/v4.0/baremetal/bootactions/airship-target.yaml
new file mode 100644
index 000000000..ae3a17a08
--- /dev/null
+++ b/global/v4.0/baremetal/bootactions/airship-target.yaml
@@ -0,0 +1,26 @@
+---
+schema: 'drydock/BootAction/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: airship-target
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: global
+data:
+ signaling: false
+ assets:
+ - path: /etc/systemd/system/airship.target
+ type: unit
+ permissions: '444'
+ data: |
+ [Unit]
+ Description=Airshipt bootaction target
+ After=multi-user.target cloud-init.target
+
+ [Install]
+ WantedBy=graphical.target
+
+ data_pipeline:
+ - utf8_decode
+...
diff --git a/global/v4.0/baremetal/bootactions/promjoin.yaml b/global/v4.0/baremetal/bootactions/promjoin.yaml
new file mode 100644
index 000000000..c2dfefb7e
--- /dev/null
+++ b/global/v4.0/baremetal/bootactions/promjoin.yaml
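Review bot: global/common/secrets/publickey/airship_ssh_public_key.yaml commits one concrete RSA public key (`airship@seaworthy`) at the global layer, with no comment saying whether it is a sample. If this key is installed into authorized_keys on deployed hosts (not visible in this hunk), whoever holds the matching private key can log in to every site that does not override the document. I would add a comment above `data:` such as `# SAMPLE - each site must replace this with its own operator key`, or move the document to the site layer so that nothing is inherited by default.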
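Review bot: The embedded unit in airship-target.yaml has a typo in `Description=Airshipt bootaction target`; it should read `Description=Airship bootaction target`, since this string is what operators see in systemctl output and the journal. The asset also has no comment explaining why the target is `WantedBy=graphical.target` while it orders itself after `multi-user.target`. A one-line comment on that choice would help whoever has to debug a host where units hanging off airship.target never start.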
@@ -0,0 +1,33 @@
+---
+schema: 'drydock/BootAction/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: promjoin-systemd-unit
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: global
+ labels:
+ application: 'drydock'
+data:
+ signaling: false
+ assets:
+ - path: /etc/systemd/system/promjoin.service
+ type: unit
+ permissions: '444'
+ data: |
+ [Unit]
+ Description=Promenade Initialization Service
+ After=network-online.target local-fs.target cloud-init.target
+ ConditionPathExists=!/var/lib/prom.done
+
+ [Service]
+ Type=oneshot
+ ExecStart=/opt/promjoin.sh
+
+ [Install]
+ WantedBy=airship.target
+
+ data_pipeline:
+ - utf8_decode
+...
diff --git a/global/v4.0/deployment/deployment-strategy.yaml b/global/v4.0/deployment/deployment-strategy.yaml
new file mode 100644
index 000000000..764923282
--- /dev/null
+++ b/global/v4.0/deployment/deployment-strategy.yaml
@@ -0,0 +1,39 @@
+---
+# The global deployment strategy assumes nodes are marked with node_tags
+# of masters and workers.
+schema: shipyard/DeploymentStrategy/v1
+metadata:
+ schema: metadata/Document/v1
+ name: deployment-strategy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ labels:
+ name: deployment-strategy-global
+ storagePolicy: cleartext
+data:
+ groups:
+ - name: masters
+ critical: true
+ depends_on: []
+ selectors:
+ - node_names: []
+ node_labels: []
+ node_tags:
+ - masters
+ rack_names: []
+ success_criteria:
+ percent_successful_nodes: 100
+ - name: workers
+ critical: true
+ depends_on:
+ - masters
+ selectors:
+ - node_names: []
+ node_labels: []
+ node_tags:
+ - workers
+ rack_names: []
+ success_criteria:
+ percent_successful_nodes: 60
+...
diff --git a/global/v4.0/profiles/genesis.yaml b/global/v4.0/profiles/genesis.yaml
new file mode 100644
index 000000000..b84f13623
--- /dev/null
+++ b/global/v4.0/profiles/genesis.yaml
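Review bot: promjoin.service orders itself `After=network-online.target` but never pulls that target in, and systemd only honours the ordering when the target is part of the boot transaction; I would add `Wants=network-online.target` to the `[Unit]` section. The unit also runs `/opt/promjoin.sh` with no `User=` line, which means it runs as root on every boot until `/var/lib/prom.done` exists. The script therefore needs to be installed root-owned and not group- or world-writable; where and how it is written is not visible in this hunk, so that is worth confirming against the asset that delivers it.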
@@ -0,0 +1,114 @@ +--- +schema: promenade/Genesis/v1 +metadata: + schema: metadata/Document/v1 + name: genesis-global + layeringDefinition: + abstract: true + layer: global + labels: + name: genesis-global + storagePolicy: cleartext + substitutions: + # Software versions for bootstrapping phase + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.armada.api + dest: + path: .images.armada + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.armada.tiller + dest: + path: .images.helm.tiller + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.apiserver.apiserver + dest: + path: .images.kubernetes.apiserver + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.controller-manager.controller_manager + dest: + path: .images.kubernetes.controller-manager + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.etcd.etcd + dest: + path: .images.kubernetes.etcd + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.scheduler.scheduler + dest: + path: .images.kubernetes.scheduler + + # Site-specific configuration + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .genesis.hostname + dest: + path: .hostname + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .genesis.ip + dest: + path: .ip + + # Command prefix + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_cidr + dest: + path: .apiserver.command_prefix[1] + pattern: SERVICE_CIDR + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_node_port_range + dest: + path: .apiserver.command_prefix[2] + pattern: SERVICE_NODE_PORT_RANGE + +data: + apiserver: + command_prefix: + - /apiserver + - --service-cluster-ip-range=SERVICE_CIDR + - 
--service-node-port-range=SERVICE_NODE_PORT_RANGE + - --authorization-mode=Node,RBAC + - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds + - --endpoint-reconciler-type=lease + armada: + target_manifest: cluster-bootstrap + labels: + dynamic: + - beta.kubernetes.io/fluentd-ds-ready=true + - calico-etcd=enabled + - ceph-mds=enabled + - ceph-mon=enabled + - ceph-osd=enabled + - ceph-rgw=enabled + - ceph-mgr=enabled + - kube-dns=enabled + - kube-ingress=enabled + - kubernetes-apiserver=enabled + - kubernetes-controller-manager=enabled + - kubernetes-etcd=enabled + - kubernetes-scheduler=enabled + - promenade-genesis=enabled + - ucp-control-plane=enabled + - maas-control-plane=enabled + - node-exporter=enabled + files: + - path: /var/lib/anchor/calico-etcd-bootstrap + content: "# placeholder for triggering calico etcd bootstrapping\n# this file will be deleted" + mode: 0644 diff --git a/global/v4.0/profiles/hardware/generic.yaml b/global/v4.0/profiles/hardware/generic.yaml new file mode 100644 index 000000000..e4b96a54e --- /dev/null +++ b/global/v4.0/profiles/hardware/generic.yaml @@ -0,0 +1,19 @@ +--- +schema: 'drydock/HardwareProfile/v1' +metadata: + schema: 'metadata/Document/v1' + name: DELL_HP_Generic + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + vendor: Dell + generation: '8' + hw_version: '3' + bios_version: '2.2.3' + boot_mode: bios + bootstrap_protocol: pxe + pxe_interface: 0 + device_aliases: {} +... diff --git a/global/v4.0/profiles/host/cp.yaml b/global/v4.0/profiles/host/cp.yaml new file mode 100644 index 000000000..f5d839045 --- /dev/null +++ b/global/v4.0/profiles/host/cp.yaml 
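Review bot: The apiserver `command_prefix` in genesis.yaml sets `--authorization-mode=Node,RBAC`, but the `--admission-control` list on the next line does not include `NodeRestriction`. The Node authorizer is designed to be paired with that admission plugin; without it a kubelet credential is not limited to modifying its own Node object and the Pods bound to it. I would add `NodeRestriction` to the list ahead of `ResourceQuota`. If the plugin is left out deliberately for the bootstrap phase, a comment saying so next to the flag would prevent it from being carried into the steady-state apiserver configuration.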
@@ -0,0 +1,108 @@ +--- +schema: drydock/HostProfile/v1 +metadata: + schema: metadata/Document/v1 + name: cp-global + storagePolicy: cleartext + labels: + hosttype: cp-global + layeringDefinition: + abstract: true + layer: global + substitutions: + - dest: + path: .oob.credential + src: + schema: deckhand/Passphrase/v1 + name: ipmi_admin_password + path: . +data: + oob: + type: 'ipmi' + network: 'oob' + account: 'root' + storage: + physical_devices: + sda: + labels: + bootdrive: 'true' + partitions: + - name: 'root' + size: '30g' + bootable: true + filesystem: + mountpoint: '/' + fstype: 'ext4' + mount_options: 'defaults' + - name: 'boot' + size: '1g' + filesystem: + mountpoint: '/boot' + fstype: 'ext4' + mount_options: 'defaults' + - name: 'var' + size: '>300g' + filesystem: + mountpoint: '/var' + fstype: 'ext4' + mount_options: 'defaults' + platform: + image: 'xenial' + kernel: 'hwe-16.04' + metadata: + owner_data: + control-plane: enabled + ucp-control-plane: enabled + openstack-control-plane: enabled + openstack-heat: enabled + openstack-keystone: enabled + openstack-rabbitmq: enabled + openstack-dns-helper: enabled + openstack-mariadb: enabled + openstack-nova-control: enabled + openstack-etcd: enabled + openstack-mistral: enabled + openstack-memcached: enabled + openstack-glance: enabled + openstack-horizon: enabled + openstack-cinder-control: enabled + openstack-cinder-volume: control + openstack-neutron: enabled + openvswitch: enabled + ucp-barbican: enabled + ceph-bootstrap: enabled + ceph-mon: enabled + ceph-mgr: enabled + ceph-osd: enabled + ceph-mds: enabled + ceph-rgw: enabled + ucp-maas: enabled + kube-dns: enabled + kubernetes-apiserver: enabled + kubernetes-controller-manager: enabled + kubernetes-etcd: enabled + kubernetes-scheduler: enabled + tiller-helm: enabled + kube-etcd: enabled + calico-policy: enabled + calico-node: enabled + calico-etcd: enabled + ucp-armada: enabled + ucp-drydock: enabled + ucp-deckhand: enabled + ucp-shipyard: enabled + 
IAM: enabled + ucp-promenade: enabled + prometheus-server: enabled + prometheus-client: enabled + fluentd: enabled + influxdb: enabled + kibana: enabled + elasticsearch-client: enabled + elasticsearch-master: enabled + elasticsearch-data: enabled + postgresql: enabled + kube-ingress: enabled + beta.kubernetes.io/fluentd-ds-ready: 'true' + node-exporter: enabled +... diff --git a/global/v4.0/profiles/host/dp.yaml b/global/v4.0/profiles/host/dp.yaml new file mode 100644 index 000000000..dcbd91d5e --- /dev/null +++ b/global/v4.0/profiles/host/dp.yaml @@ -0,0 +1,60 @@ +--- +schema: drydock/HostProfile/v1 +metadata: + schema: metadata/Document/v1 + name: dp-global + labels: + hosttype: dp-global + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + substitutions: + - dest: + path: .oob.credential + src: + schema: deckhand/Passphrase/v1 + name: ipmi_admin_password + path: . +data: + oob: + type: 'ipmi' + network: 'oob' + account: 'root' + storage: + physical_devices: + sda: + labels: + bootdrive: 'true' + partitions: + - name: 'root' + size: '30g' + bootable: true + filesystem: + mountpoint: '/' + fstype: 'ext4' + mount_options: 'defaults' + - name: 'boot' + size: '1g' + filesystem: + mountpoint: '/boot' + fstype: 'ext4' + mount_options: 'defaults' + - name: 'var' + size: '>300g' + filesystem: + mountpoint: '/var' + fstype: 'ext4' + mount_options: 'defaults' + platform: + image: 'xenial' + kernel: 'hwe-16.04' + metadata: + owner_data: + openstack-nova-compute: enabled + openvswitch: enabled + contrail-vrouter: kernel + openstack-libvirt: kernel + beta.kubernetes.io/fluentd-ds-ready: 'true' + node-exporter: enabled +... diff --git a/global/v4.0/profiles/kubernetes-host.yaml b/global/v4.0/profiles/kubernetes-host.yaml new file mode 100644 index 000000000..1179a81e6 --- /dev/null +++ b/global/v4.0/profiles/kubernetes-host.yaml 
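Review bot: cp.yaml, and dp.yaml in the next hunk, fix `account: 'root'` for IPMI at the global layer and substitute a single `ipmi_admin_password` into `.oob.credential`, so every BMC in every site built from these profiles is expected to share one administrator login. Neither profile tells site authors to override this; I would add above `oob:` a comment such as `# site layer should override account/credential; do not reuse one BMC password across sites`. Both profiles are also `storagePolicy: cleartext` while receiving a passphrase by substitution, so it is worth confirming how the rendered document is stored and logged.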
@@ -0,0 +1,144 @@ +--- +schema: promenade/HostSystem/v1 +metadata: + schema: metadata/Document/v1 + name: host-system + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .files.kubelet + dest: + path: .files[0].tar_url + + # Initial CoreDNS image (used during node Genesis and node join) + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.coredns.coredns + dest: + path: .images.coredns + + # Initial CoreDNS image (used during node Genesis and node join) + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.haproxy.haproxy + dest: + path: .images.haproxy + + # Operational tools + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.armada.helm + dest: + path: .images.helm.helm + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.kubectl + dest: + path: .images.kubernetes.kubectl + + # System packages + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .packages.named.docker + dest: + path: .packages.required.docker + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .packages.named.socat + dest: + path: .packages.required.socat + + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .packages.unnamed + dest: + path: .packages.additional + + # Docker authorization + - src: + schema: deckhand/Passphrase/v1 + path: . 
+ name: private_docker_key + dest: + path: .files[2].content + pattern: DH_SUB_PRIVATE_DOCKER_KEY + +data: + files: + - path: /opt/kubernetes/bin/kubelet + tar_path: kubernetes/node/bin/kubelet + mode: 0555 + - path: /etc/logrotate.d/json-logrotate + mode: 0444 + content: |- + /var/lib/docker/containers/*/*-json.log + { + compress + copytruncate + create 0644 root root + weekly + dateext + dateformat -%Y%m%d-%s + maxsize 100M + missingok + notifempty + su root root + rotate 1 + } + - path: /var/lib/kubelet/.dockercfg + mode: 0400 + # NOTE: Sample key, this repo does not exist + content: |- + { + "https://private.registry.com": { + "auth": "DH_SUB_PRIVATE_DOCKER_KEY" + } + } + + packages: + repositories: + - deb http://apt.dockerproject.org/repo ubuntu-xenial main + keys: + - |- + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 
0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP PUBLIC KEY BLOCK----- +... diff --git a/global/v4.0/schemas/armada/Chart/v1.yaml b/global/v4.0/schemas/armada/Chart/v1.yaml new file mode 100644 index 000000000..86fede8e4 --- /dev/null +++ b/global/v4.0/schemas/armada/Chart/v1.yaml @@ -0,0 +1,12 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: armada/Chart/v1 + labels: + application: armada +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + additionalProperties: true +... diff --git a/global/v4.0/schemas/armada/ChartGroup/v1.yaml b/global/v4.0/schemas/armada/ChartGroup/v1.yaml new file mode 100644 index 000000000..76f21dfc8 --- /dev/null +++ b/global/v4.0/schemas/armada/ChartGroup/v1.yaml @@ -0,0 +1,12 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: armada/ChartGroup/v1 + labels: + application: armada +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + additionalProperties: true +... diff --git a/global/v4.0/schemas/armada/Manifest/v1.yaml b/global/v4.0/schemas/armada/Manifest/v1.yaml new file mode 100644 index 000000000..cca2e1008 --- /dev/null +++ b/global/v4.0/schemas/armada/Manifest/v1.yaml @@ -0,0 +1,12 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: armada/Manifest/v1 + labels: + application: armada +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + additionalProperties: true +... 
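Review bot: The package source in kubernetes-host.yaml is `deb http://apt.dockerproject.org/repo ubuntu-xenial main`, fetched over plain HTTP. The pinned PGP key still lets apt verify signatures, but the transport exposes what each host installs and lets anything on the path withhold newer metadata so hosts stay on an old Docker build; prefer `deb https://apt.dockerproject.org/repo ubuntu-xenial main` where the HTTPS transport is available on the image. Separately, the comment above the haproxy substitution repeats `# Initial CoreDNS image` and should read `# Initial HAProxy image`. The Docker key substitution also addresses its target as `.files[2].content`, which breaks as soon as the `files` list is reordered, so a comment on the `.dockercfg` entry noting that its position is load-bearing would help.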
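Review bot: The armada/Chart/v1 schema consists only of `type: 'object'` with `additionalProperties: true`, so any object validates as a Chart; the ChartGroup and Manifest schemas in the following two hunks are identical. That means chart documents, which decide which images and values get deployed, receive no structural check at Deckhand validation time. If this is intentional because Armada validates the documents itself, say so with a comment such as `# placeholder: structure is validated by Armada, not Deckhand`; otherwise declare the expected top-level keys.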
diff --git a/global/v4.0/schemas/drydock/BaremetalNode/v1.yaml b/global/v4.0/schemas/drydock/BaremetalNode/v1.yaml
new file mode 100644
index 000000000..2902f79f3
--- /dev/null
+++ b/global/v4.0/schemas/drydock/BaremetalNode/v1.yaml
@@ -0,0 +1,163 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: drydock/BaremetalNode/v1 + labels: + application: drydock +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + properties: + addressing: + type: 'array' + items: + type: 'object' + properties: + address: + type: 'string' + network: + type: 'string' + oob: + type: 'object' + properties: + type: + type: 'string' + network: + type: 'string' + account: + type: 'string' + credetial: + type: 'string' + additionalProperties: true + storage: + type: 'object' + properties: + physical_devices: + type: 'object' + additionalProperties: + type: 'object' + properties: + labels: + type: 'object' + additionalProperties: + type: 'string' + volume_group: + type: 'string' + partitions: + type: 'array' + items: + type: 'object' + properties: + name: + type: 'string' + size: + type: 'string' + part_uuid: + type: 'string' + volume_group: + type: 'string' + labels: + type: 'object' + additionalProperties: + type: 'string' + bootable: + type: 'boolean' + volume_group: + type: 'string' + filesystem: + type: 'object' + properties: + mountpoint: + type: 'string' + fstype: + type: 'string' + mount_options: + type: 'string' + fs_uuid: + type: 'string' + fs_label: + type: 'string' + additionalProperties: false + additionalProperties: false + volume_groups: + type: 'object' + additionalProperties: + type: 'object' + properties: + vg_uuid: + type: 'string' + logical_volumes: + type: 'array' + items: + type: 'object' + properties: + name: + type: 'string' + lv_uuid: + type: 'string' + size: + type: 'string' + filesystem: + type: 'object' + properties: + mountpoint: + type: 'string' + fstype: + type: 'string' + mount_options: + type: 'string' + fs_uuid: + type: 'string' + fs_label: + type: 'string' + platform: + type: 'object' + properties: + image: + type: 'string' + kernel: + type: 'string' + kernel_params: + type: 'object' + additionalProperties: true + additionalProperties: 
false + metadata: + type: 'object' + properties: + tags: + type: 'array' + items: + type: 'string' + owner_data: + type: 'object' + additionalProperties: + type: 'string' + rack: + type: 'string' + boot_mac: + type: 'string' + additionalProperties: false + host_profile: + type: 'string' + hardware_profile: + type: 'string' + primary_network: + type: 'string' + interfaces: + type: 'object' + additionalProperties: + type: 'object' + properties: + device_link: + type: 'string' + slaves: + type: 'array' + items: + type: 'string' + networks: + type: 'array' + items: + type: 'string' + additionalProperties: false +... diff --git a/global/v4.0/schemas/drydock/BootAction/v1.yaml b/global/v4.0/schemas/drydock/BootAction/v1.yaml new file mode 100644 index 000000000..f3e7c2b9d --- /dev/null +++ b/global/v4.0/schemas/drydock/BootAction/v1.yaml 
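Review bot: Under `oob.properties` the BaremetalNode schema declares `credetial`, whereas the host profiles in this same patch write to `.oob.credential`. Because `oob` has `additionalProperties: true`, the real `credential` key is accepted without any type check and the misspelled entry is never exercised; it should be `credential:`. The same typo appears in drydock/HostProfile/v1.yaml later in the patch. The partition `properties` also list `volume_group` twice, which a strict YAML loader may reject as a duplicate key.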
@@ -0,0 +1,93 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: drydock/BootAction/v1
+ labels:
+ application: drydock
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ additionalProperties: false
+ properties:
+ signaling:
+ type: 'boolean'
+ assets:
+ type: 'array'
+ items:
+ type: 'object'
+ additionalProperties: false
+ properties:
+ path:
+ type: 'string'
+ pattern: '^/.+'
+ location:
+ type: 'string'
+ type:
+ type: 'string'
+ enum:
+ - 'unit'
+ - 'file'
+ - 'pkg_list'
+ data:
+ type: 'string'
+ location_pipeline:
+ type: 'array'
+ items:
+ type: 'string'
+ enum:
+ - 'template'
+ data_pipeline:
+ type: 'array'
+ items:
+ type: 'string'
+ enum:
+ - 'base64_encode'
+ - 'template'
+ - 'base64_decode'
+ - 'utf8_encode'
+ - 'utf8_decode'
+ permissions:
+ type: 'string'
+ pattern: '\d{3}'
+ required:
+ - 'type'
+ node_filter:
+ type: 'object'
+ additionalProperties: false
+ properties:
+ filter_set_type:
+ type: 'string'
+ enum:
+ - 'intersection'
+ - 'union'
+ filter_set:
+ type: 'array'
+ items:
+ type: 'object'
+ additionalProperties: false
+ properties:
+ filter_type:
+ type: 'string'
+ enum:
+ - 'intersection'
+ - 'union'
+ node_names:
+ type: 'array'
+ items:
+ type: 'string'
+ node_tags:
+ type: 'array'
+ items:
+ type: 'string'
+ node_labels:
+ type: 'object'
+ additionalProperties: true
+ rack_names:
+ type: 'array'
+ items:
+ type: 'string'
+ rack_labels:
+ type: 'object'
+ additionalProperties: true
+...
diff --git a/global/v4.0/schemas/drydock/HardwareProfile/v1.yaml b/global/v4.0/schemas/drydock/HardwareProfile/v1.yaml
new file mode 100644
index 000000000..e51e274ff
--- /dev/null
+++ b/global/v4.0/schemas/drydock/HardwareProfile/v1.yaml
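Review bot: The `permissions` pattern `'\d{3}'` in the asset schema is unanchored and not restricted to octal digits, so any string that merely contains three digits passes, for example '0999' or 'x644y'. Since this value becomes the file mode of units and files written on every node, I would tighten it to `pattern: '^[0-7]{3}$'`. The `path` pattern `'^/.+'` likewise only checks for a leading slash and would accept `..` segments; whether Drydock normalises the path before writing is not visible here.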
@@ -0,0 +1,49 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: drydock/HardwareProfile/v1
+ labels:
+ application: drydock
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ properties:
+ vendor:
+ type: 'string'
+ generation:
+ type: 'string'
+ hw_version:
+ type: 'string'
+ bios_version:
+ type: 'string'
+ boot_mode:
+ type: 'string'
+ enum:
+ - 'bios'
+ - 'uefi'
+ bootstrap_protocol:
+ type: 'string'
+ enum:
+ - 'pxe'
+ - 'usb'
+ - 'hdd'
+ pxe_interface:
+ type: 'number'
+ device_aliases:
+ type: 'object'
+ additionalProperties: true
+ cpu_sets:
+ type: 'object'
+ additionalProperties:
+ type: 'string'
+ hugepages:
+ type: 'object'
+ additionalProperties:
+ type: 'object'
+ propertes:
+ size:
+ type: 'string'
+ count:
+ type: 'number'
+ additionalProperties: false
diff --git a/global/v4.0/schemas/drydock/HostProfile/v1.yaml b/global/v4.0/schemas/drydock/HostProfile/v1.yaml
new file mode 100644
index 000000000..642bb6620
--- /dev/null
+++ b/global/v4.0/schemas/drydock/HostProfile/v1.yaml
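Review bot: In the `hugepages` entry the keyword is spelled `propertes`, which JSON Schema validators ignore as an unknown keyword, so `size` and `count` are never type-checked; it should be `properties:`. With the indentation lost in this view I cannot tell which object the trailing `additionalProperties: false` belongs to. If it closes the hugepages item, the typo has the opposite effect and every key in a hugepages entry is rejected, so the corrected schema should be exercised against a sample profile.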
@@ -0,0 +1,161 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: drydock/HostProfile/v1 + labels: + application: drydock +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + properties: + oob: + type: 'object' + properties: + type: + type: 'string' + network: + type: 'string' + account: + type: 'string' + credetial: + type: 'string' + additionalProperties: true + storage: + type: 'object' + properties: + physical_devices: + type: 'object' + additionalProperties: + type: 'object' + properties: + labels: + type: 'object' + additionalProperties: + type: 'string' + volume_group: + type: 'string' + partitions: + type: 'array' + items: + type: 'object' + properties: + name: + type: 'string' + size: + type: 'string' + part_uuid: + type: 'string' + volume_group: + type: 'string' + labels: + type: 'object' + additionalProperties: + type: 'string' + bootable: + type: 'boolean' + volume_group: + type: 'string' + filesystem: + type: 'object' + properties: + mountpoint: + type: 'string' + fstype: + type: 'string' + mount_options: + type: 'string' + fs_uuid: + type: 'string' + fs_label: + type: 'string' + additionalProperties: false + additionalProperties: false + volume_groups: + type: 'object' + additionalProperties: + type: 'object' + properties: + vg_uuid: + type: 'string' + logical_volumes: + type: 'array' + items: + type: 'object' + properties: + name: + type: 'string' + lv_uuid: + type: 'string' + size: + type: 'string' + filesystem: + type: 'object' + properties: + mountpoint: + type: 'string' + fstype: + type: 'string' + mount_options: + type: 'string' + fs_uuid: + type: 'string' + fs_label: + type: 'string' + platform: + type: 'object' + properties: + image: + type: 'string' + kernel: + type: 'string' + kernel_params: + type: 'object' + additionalProperties: true + additionalProperties: false + metadata: + type: 'object' + properties: + tags: + type: 'array' + items: + type: 'string' + owner_data: + type: 
'object' + additionalProperties: + type: 'string' + rack: + type: 'string' + boot_mac: + type: 'string' + additionalProperties: false + host_profile: + type: 'string' + hardware_profile: + type: 'string' + primary_network: + type: 'string' + interfaces: + type: 'object' + additionalProperties: + type: 'object' + properties: + device_link: + type: 'string' + slaves: + type: 'array' + items: + type: 'string' + networks: + type: 'array' + items: + type: 'string' + sriov: + type: 'object' + properties: + vf_count: + type: 'number' + trustmode: + type: 'boolean' + additionalProperties: false +... diff --git a/global/v4.0/schemas/drydock/Network/v1.yaml b/global/v4.0/schemas/drydock/Network/v1.yaml new file mode 100644 index 000000000..8617f8868 --- /dev/null +++ b/global/v4.0/schemas/drydock/Network/v1.yaml @@ -0,0 +1,70 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: drydock/Network/v1 + labels: + application: drydock +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + properties: + cidr: + type: 'string' + ranges: + type: 'array' + items: + type: 'object' + properties: + type: + type: 'string' + start: + type: 'string' + format: 'ipv4' + end: + type: 'string' + format: 'ipv4' + additionalProperties: false + dns: + type: 'object' + properties: + domain: + type: 'string' + servers: + type: 'string' + additionalProperties: false + dhcp_relay: + type: 'object' + properties: + self_ip: + type: 'string' + format: 'ipv4' + upstream_target: + type: 'string' + format: 'ipv4' + additionalProperties: false + mtu: + type: 'number' + vlan: + type: 'string' + routedomain: + type: 'string' + routes: + type: 'array' + items: + type: 'object' + properties: + subnet: + type: 'string' + gateway: + type: 'string' + format: 'ipv4' + metric: + type: 'number' + routedomain: + type: 'string' + additionalProperties: false + labels: + type: 'object' + additionalProperties: true + additionalProperties: false 
diff --git a/global/v4.0/schemas/drydock/NetworkLink/v1.yaml b/global/v4.0/schemas/drydock/NetworkLink/v1.yaml
new file mode 100644
index 000000000..3d0b12b73
--- /dev/null
+++ b/global/v4.0/schemas/drydock/NetworkLink/v1.yaml
@@ -0,0 +1,47 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: drydock/NetworkLink/v1
+ labels:
+ application: drydock
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ properties:
+ bonding:
+ type: 'object'
+ properties:
+ mode:
+ type: 'string'
+ hash:
+ type: 'string'
+ peer_rate:
+ type: 'string'
+ mon_rate:
+ type: 'number'
+ up_delay:
+ type: 'number'
+ down_delay:
+ type: 'number'
+ additionalProperties: false
+ mtu:
+ type: 'number'
+ linkspeed:
+ type: 'string'
+ trunking:
+ type: 'object'
+ properties:
+ mode:
+ type: 'string'
+ default_network:
+ type: 'string'
+ additionalProperties: false
+ allowed_networks:
+ type: 'array'
+ items:
+ type: 'string'
+ labels:
+ type: 'object'
+ additionalProperties: true
+ additionalProperties: false
diff --git a/global/v4.0/schemas/drydock/Rack/v1.yaml b/global/v4.0/schemas/drydock/Rack/v1.yaml
new file mode 100644
index 000000000..c987ef1db
--- /dev/null
+++ b/global/v4.0/schemas/drydock/Rack/v1.yaml
@@ -0,0 +1,35 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: drydock/Rack/v1
+ labels:
+ application: drydock
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ properties:
+ tor_switches:
+ type: 'object'
+ properties:
+ mgmt_ip:
+ type: 'string'
+ format: 'ipv4'
+ sdn_api_uri:
+ type: 'string'
+ format: 'uri'
+ location:
+ type: 'object'
+ properties:
+ clli:
+ type: 'string'
+ grid:
+ type: 'string'
+ local_networks:
+ type: 'array'
+ items:
+ type: 'string'
+ labels:
+ type: 'object'
+ additionalProperties: true
+ additionalProperties: false
diff --git a/global/v4.0/schemas/drydock/Region/v1.yaml b/global/v4.0/schemas/drydock/Region/v1.yaml
new file mode 100644
index 000000000..42636dd1d
--- /dev/null
+++ b/global/v4.0/schemas/drydock/Region/v1.yaml
@@ -0,0 +1,71 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: drydock/Region/v1
+ labels:
+ application: drydock
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ properties:
+ tag_definitions:
+ type: 'array'
+ items:
+ type: 'object'
+ properties:
+ tag:
+ type: 'string'
+ definition_type:
+ type: 'string'
+ enum:
+ - 'lshw_xpath'
+ definition:
+ type: 'string'
+ additionalProperties: false
+ authorized_keys:
+ type: 'array'
+ items:
+ type: 'string'
+ repositories:
+ # top level is class (e.g. apt, rpm)
+ type: 'object'
+ properties:
+ remove_unlisted:
+ type: 'boolean'
+ additionalPropties:
+ type: 'object'
+ properties:
+ repo_type:
+ type: 'string'
+ pattern: 'apt|rpm'
+ url:
+ type: 'string'
+ distributions:
+ type: 'array'
+ items:
+ type: 'string'
+ subrepos:
+ type: 'array'
+ items:
+ type: 'string'
+ components:
+ type: 'array'
+ items:
+ type: 'string'
+ gpgkey:
+ type: 'string'
+ arches:
+ type: 'array'
+ items:
+ type: 'string'
+ options:
+ type: 'object'
+ additionalProperties:
+ type: 'string'
+ additionalProperties: false
+ required:
+ - 'repo_type'
+ - 'url'
+ - 'arches'
+ additionalProperties: false
diff --git a/global/v4.0/schemas/pegleg/AccountCatalogue/v1.yaml b/global/v4.0/schemas/pegleg/AccountCatalogue/v1.yaml
new file mode 100644
index 000000000..c9505999b
--- /dev/null
+++ b/global/v4.0/schemas/pegleg/AccountCatalogue/v1.yaml
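Review bot: Under `repositories` the keyword is spelled `additionalPropties`, so validators ignore the whole per-repository sub-schema, including its `required` list of `repo_type`, `url` and `arches`. Package repository definitions, with their `url` and `gpgkey`, therefore pass validation whatever they contain; rename the keyword to `additionalProperties:`. The `repo_type` check `pattern: 'apt|rpm'` is also unanchored and matches any string containing either word, where `enum: ['apt', 'rpm']` would state what is meant. The nesting is inferred from key order because indentation is lost in this view.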
@@ -0,0 +1,645 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: pegleg/AccountCatalogue/v1 +data: + $schema: 'http://json-schema.org/schema#' + type: object + properties: + ucp: + type: object + properties: + postgres: + type: object + properties: + admin: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + admin: + type: object + properties: + username: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + keystone: + type: object + properties: + admin: + type: object + properties: + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_messaging: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + promenade: + type: object + properties: + keystone: + type: object + properties: + region_name: + type: string + role: + type: string + project_name: + type: string + project_domain_name: + type: string + user_domain_name: + type: string + username: + type: string + drydock: + type: object + properties: + keystone: + type: object + properties: + region_name: + type: string + role: + type: string + project_name: + type: string + project_domain_name: + type: string + user_domain_name: + type: string + username: + type: string + postgres: + type: object + properties: + username: + type: string + database: + type: string + shipyard: + type: object + properties: + keystone: + type: object + properties: + region_name: + type: string + role: + type: string + project_name: + type: string + project_domain_name: + type: string + user_domain_name: + type: string + username: + type: string + postgres: + type: object + properties: + username: + type: string + database: + type: string + airflow: + type: object + 
properties: + postgres: + type: object + properties: + username: + type: string + database: + type: string + oslo_messaging: + type: object + properties: + username: + type: string + maas: + type: object + properties: + admin: + type: object + properties: + username: + type: string + email: + type: string + postgres: + type: object + properties: + username: + type: string + database: + type: string + barbican: + type: object + properties: + keystone: + type: object + properties: + region_name: + type: string + role: + type: string + project_name: + type: string + project_domain_name: + type: string + user_domain_name: + type: string + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + oslo_messaging: + type: object + properties: + username: + type: string + armada: + type: object + properties: + keystone: + type: object + properties: + project_domain_name: + type: string + project_name: + type: string + region_name: + type: string + role: + type: string + user_domain_name: + type: string + username: + type: string + deckhand: + type: object + properties: + keystone: + type: object + properties: + region_name: + type: string + role: + type: string + project_name: + type: string + project_domain_name: + type: string + user_domain_name: + type: string + username: + type: string + postgres: + type: object + properties: + username: + type: string + database: + type: string + ceph: + type: object + properties: + swift: + type: object + properties: + keystone: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + osh: + type: object + properties: + keystone: + type: object + properties: + admin: + type: object + properties: + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string 
+ project_domain_name: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + keystone: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + cinder: + type: object + properties: + cinder: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + cinder: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + glance: + type: object + properties: + glance: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + glance: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + ceph_object_store: + type: object + properties: + username: + type: string + heat: + type: object + properties: + heat: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + heat_trustee: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + heat_stack_user: + type: object + properties: + role: 
+ type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + heat: + type: object + properties: + username: + type: string + swift: + type: object + properties: + swift: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_db: + type: object + properties: + admin: + type: object + properties: + username: + type: string + neutron: + type: object + properties: + neutron: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + neutron: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + nova: + type: object + properties: + nova: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + placement: + type: object + properties: + role: + type: string + region_name: + type: string + username: + type: string + project_name: + type: string + user_domain_name: + type: string + project_domain_name: + type: string + oslo_messaging: + type: object + properties: + admin: + type: object + properties: + username: + type: string + nova: + type: object + properties: + username: + 
type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + oslo_db_api: + type: object + properties: + username: + type: string + database: + type: string + oslo_db_cell0: + type: object + properties: + username: + type: string + database: + type: string + horizon: + type: object + properties: + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + osh_infra: + type: object + properties: + grafana: + type: object + properties: + admin: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + username: + type: string + database: + type: string + oslo_db_session: + type: object + properties: + username: + type: string + database: + type: string + elasticsearch: + type: object + properties: + admin: + type: object + properties: + username: + type: string + oslo_db: + type: object + properties: + admin: + type: object + properties: + username: + type: string + prometheus_openstack_exporter: + type: object + properties: + user: + type: object + properties: + username: + type: string + nagios: + type: object + properties: + admin: + type: object + properties: + username: + type: string +... diff --git a/global/v4.0/schemas/pegleg/CommonAddresses/v1.yaml b/global/v4.0/schemas/pegleg/CommonAddresses/v1.yaml new file mode 100644 index 000000000..339813733 --- /dev/null +++ b/global/v4.0/schemas/pegleg/CommonAddresses/v1.yaml 
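Review bot: No object in pegleg/AccountCatalogue/v1.yaml sets `required` or `additionalProperties: false`, unlike the drydock and promenade schemas in the same patch, so a misspelled service or account key and any extra field validate silently. Because this catalogue describes service accounts, closing at least the leaf account objects would keep credential-like fields from being accepted here by accident; that concern is inferred from the document's purpose, and the flattened view hides the nesting, so placement needs checking against the file. I would add `additionalProperties: false` after each leaf `properties:` block, or a comment at the top of `data:` stating that the schema is deliberately left open.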
@@ -0,0 +1,116 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: pegleg/CommonAddresses/v1 +data: + $schema: 'http://json-schema.org/schema#' + type: object + properties: + calico: + type: object + properties: + ip_autodetection_method: + type: string + etcd: + type: object + properties: + service_ip: + type: string + dns: + type: object + properties: + cluster_domain: + type: string + service_ip: + type: string + upstream_servers: + type: array + items: + type: string + upstream_servers_joined: + type: string + genesis: + type: object + properties: + hostname: + type: string + ip: + type: string + bootstrap: + type: object + properties: + ip: + type: string + kubernetes: + type: object + properties: + api_service_ip: + type: string + etcd_service_ip: + type: string + pod_cidr: + type: string + service_cidr: + type: string + apiserver_port: + type: number + haproxy_port: + type: number + service_node_port_range: + type: string + etcd: + type: object + properties: + container_port: + type: number + haproxy_port: + type: number + masters: + type: array + items: + type: object + properties: + hostname: + type: string + node_ports: + type: object + properties: + drydock_api: + type: number + maas_api: + type: number + maas_proxy: + type: number + shipyard_api: + type: number + airflow_web: + type: number + ntp: + type: object + properties: + servers_joined: + type: string + storage: + type: object + properties: + ceph: + type: object + properties: + public_cidr: + type: string + cluster_cidr: + type: string + openvswitch: + type: object + properties: + external_iface: + type: string + neutron: + type: object + properties: + tunnel_device: + type: string + external_iface: + type: string +... diff --git a/global/v4.0/schemas/pegleg/CommonSoftwareConfig/v1.yaml b/global/v4.0/schemas/pegleg/CommonSoftwareConfig/v1.yaml new file mode 100644 index 000000000..c02965cf8 --- /dev/null 
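Review bot: Every address field in pegleg/CommonAddresses/v1.yaml (`service_ip`, `genesis.ip`, `bootstrap.ip`, `pod_cidr`, `service_cidr`, `public_cidr`, `cluster_cidr`) is a bare `type: string`, and every port is `type: number`, which also admits fractions, negative values and values above 65535. The Rack schema in this patch already uses `format: 'ipv4'` and promenade/Genesis/v1.yaml defines an `ip_address` pattern, so the same constraint could be reused for the IP fields. For the ports I would write `type: integer`, `minimum: 1`, `maximum: 65535`; the `port` entries in pegleg/EndpointCatalogue/v1.yaml use `type: number` in the same way.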
+++ b/global/v4.0/schemas/pegleg/CommonSoftwareConfig/v1.yaml
@@ -0,0 +1,15 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: pegleg/CommonSoftwareConfig/v1
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: object
+ properties:
+ osh:
+ type: object
+ properties:
+ region_name:
+ type: string
+...
diff --git a/global/v4.0/schemas/pegleg/EndpointCatalogue/v1.yaml b/global/v4.0/schemas/pegleg/EndpointCatalogue/v1.yaml
new file mode 100644
index 000000000..776e4270b
--- /dev/null
+++ b/global/v4.0/schemas/pegleg/EndpointCatalogue/v1.yaml
@@ -0,0 +1,143 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: pegleg/EndpointCatalogue/v1 +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + # Namespace the list of endpoints + additionalProperties: + type: 'object' + additionalProperties: + type: 'object' + properties: + namespace: + oneOf: + - type: string + - type: "null" + name: + type: string + auth: + type: object + hosts: + type: object + properties: + data: + type: string + default: + type: string + discovery: + type: string + public: + type: string + internal: + type: string + additionalProperties: + type: string + host_fqdn_override: + oneOf: + - type: object + properties: + default: + oneOf: + - type: string + - type: "null" + - type: object + properties: + host: + type: string + tls: + type: object + properties: + crt: + type: string + ca: + type: string + key: + type: string + additionalProperties: + type: string + public: + oneOf: + - type: string + - type: "null" + - type: object + properties: + host: + type: string + tls: + type: object + properties: + crt: + type: string + ca: + type: string + key: + type: string + additionalProperties: + type: string + internal: + oneOf: + - type: string + - type: "null" + - type: object + properties: + host: + type: string + tls: + type: object + properties: + crt: + type: string + ca: + type: string + key: + type: string + additionalProperties: + type: string + additionalProperties: + type: string + - type: "null" + path: + oneOf: + - type: object + properties: + default: + oneOf: + - type: string + - type: "null" + public: + type: string + internal: + type: string + additionalProperties: + type: string + - type: string + scheme: + oneOf: + - type: object + properties: + default: + type: string + public: + type: string + internal: + type: string + additionalProperties: + type: string + - type: string + port: + type: object + additionalProperties: + type: object + properties: + default: + type: number 
+ public: + type: number + internal: + type: number + additionalProperties: + type: number +... diff --git a/global/v4.0/schemas/pegleg/SoftwareVersions/v1.yaml b/global/v4.0/schemas/pegleg/SoftwareVersions/v1.yaml new file mode 100644 index 000000000..f09305301 --- /dev/null +++ b/global/v4.0/schemas/pegleg/SoftwareVersions/v1.yaml 
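Review bot: The `host`/`tls` object under `host_fqdn_override` is written out three times (`default`, `public`, `internal`) and none of the copies has a `required` list, so an override object with no `host`, or a `tls` block holding only some of `crt`/`ca`/`key`, validates. Moving the object to a single entry under `definitions` and referencing it with `$ref` would keep the copies from drifting and give one place to add `required: [host]`. `tls.key` presumably carries a private key, so a comment saying the value is expected to arrive by substitution from an encrypted document rather than be written inline would help; that reading comes from the field name and is not visible in the hunk.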
@@ -0,0 +1,1066 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: pegleg/SoftwareVersions/v1 +data: + $schema: 'http://json-schema.org/schema#' + type: object + properties: + charts: + type: object + properties: + kubernetes: + type: object + properties: + calico: + type: object + properties: + etcd: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + etcd-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + calico: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + apiserver: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + apiserver-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + controller-manager: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + controller-manager-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + coredns: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + coredns-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + haroxy: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + haroxy-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + etcd: + type: object + properties: + type: + type: string + location: + type: string + subpath: + 
type: string + reference: + type: string + etcd-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ingress: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ingress-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + proxy: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + proxy-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + scheduler: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + scheduler-htk: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + osh_infra: + type: object + properties: + elasticsearch: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + fluent_logging: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + kibana: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + prometheus: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + prometheus_node_exporter: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + prometheus_kube_state_metrics: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + 
reference: + type: string + prometheus_alertmanager: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + grafana: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + prometheus_openstack_exporter: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + nagios: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + osh: + type: object + properties: + barbican: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + cinder: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + glance: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + heat: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + horizon: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ingress: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + keystone: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + libvirt: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + mariadb: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + memcached: + type: object + 
properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + neutron: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + nova: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + openvswitch: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + rabbitmq: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ucp: + type: object + properties: + armada: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + barbican: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ceph-mon: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ceph-osd: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ceph-client: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + deckhand: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + drydock: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + ingress: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + postgresql: + type: object + + properties: + type: + type: string + location: + type: string + subpath: + 
type: string + reference: + type: string + promenade: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + keystone: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + maas: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + mariadb: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + memcached: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + rabbitmq: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + rabbitmq-etcd: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + shipyard: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + tiller: + type: object + properties: + type: + type: string + location: + type: string + subpath: + type: string + reference: + type: string + files: + type: object + properties: + kubelet: + type: string + images: + type: object + properties: + ucp: + type: object + properties: + armada: + type: object + properties: + api: + type: string + dep_check: + type: string + ks_endpoints: + type: string + ks_service: + type: string + ks_user: + type: string + helm: + type: string + tiller: + type: string + promenade: + type: object + properties: + dep_check: + type: string + promenade: + type: string + ks_user: + type: string + ks_service: + type: string + ks_endpoints: + type: string + deckhand: + type: object + properties: + deckhand: + type: string + dep_check: + type: string + db_init: 
+ type: string + db_sync: + type: string + ks_endpoints: + type: string + ks_service: + type: string + ks_user: + type: string + barbican: + type: object + properties: + bootstrap: + type: string + dep_check: + type: string + scripted_test: + type: string + db_init: + type: string + barbican_db_sync: + type: string + db_drop: + type: string + ks_endpoints: + type: string + ks_service: + type: string + ks_user: + type: string + barbican_api: + type: string + drydock: + type: object + properties: + drydock: + type: string + dep_check: + type: string + ks_endpoints: + type: string + ks_service: + type: string + ks_user: + type: string + drydock_db_init: + type: string + drydock_db_sync: + type: string + shipyard: + type: object + properties: + airflow: + type: string + shipyard: + type: string + dep_check: + type: string + shipyard_db_init: + type: string + shipyard_db_sync: + type: string + airflow_db_init: + type: string + airflow_db_sync: + type: string + ks_user: + type: string + ks_service: + type: string + ks_endpoints: + type: string + maas: + type: object + properties: + db_init: + type: string + db_sync: + type: string + maas_rack: + type: string + maas_region: + type: string + bootstrap: + type: string + export_api_key: + type: string + maas_cache: + type: string + dep_check: + type: string + keystone: + type: object + properties: + keystone_bootstrap: + type: string + test: + type: string + db_init: + type: string + keystone_db_sync: + type: string + db_drop: + type: string + keystone_fernet_setup: + type: string + keystone_fernet_rotate: + type: string + keystone_credential_setup: + type: string + keystone_credential_rotate: + type: string + keystone_api: + type: string + dep_check: + type: string + tiller: + type: object + properties: + tiller: + type: string + mariadb: + type: object + properties: + mariadb: + type: string + dep_check: + type: string + postgresql: + type: object + properties: + postgresql: + type: string + dep_check: + type: string + 
memcached: + type: object + properties: + memcached: + type: string + dep_check: + type: string + rabbitmq: + type: object + properties: + rabbitmq: + type: string + dep_check: + type: string + ceph: + type: object + properties: + ceph-mon: + type: object + properties: + fluentbit: + type: string + ceph_bootstrap: + type: string + dep_check: + type: string + ceph_mon: + type: string + ceph_config_helper: + type: string + ceph_mon_check: + type: string + image_repo_sync: + type: string + ceph-osd: + type: object + properties: + fluentbit: + type: string + ceph_bootstrap: + type: string + dep_check: + type: string + ceph_osd: + type: string + image_repo_sync: + type: string + ceph-client: + type: object + properties: + ks_endpoints: + type: string + ks_service: + type: string + ks_user: + type: string + ceph_bootstrap: + type: string + dep_check: + type: string + ceph_mds: + type: string + ceph_mgr: + type: string + ceph_rgw: + type: string + ceph_config_helper: + type: string + ceph_rbd_pool: + type: string + ceph_rbd_provisioner: + type: string + ceph_cephfs_provisioner: + type: string + image_repo_sync: + type: string + kubernetes: + type: object + properties: + apiserver: + type: object + properties: + anchor: + type: string + apiserver: + type: string + dep_check: + type: string + controller-manager: + type: object + properties: + anchor: + type: string + controller_manager: + type: string + dep_check: + type: string + coredns: + type: object + properties: + coredns: + type: string + haproxy: + type: object + properties: + haproxy: + type: string + anchor: + type: string + etcd: + type: object + properties: + etcd: + type: string + etcdctl: + type: string + kubectl: + type: string + pause: + type: string + scheduler: + type: object + properties: + anchor: + type: string + scheduler: + type: string + proxy: + type: object + properties: + proxy: + type: string + calico: + type: object + properties: + etcd: + type: object + properties: + etcd: + type: string + 
etcdctl: + type: string + calico: + type: object + properties: + cni: + type: string + ctl: + type: string + node: + type: string + policy_controller: + type: string + packages: + type: object + properties: + repositories: + type: object + additionalProperties: + type: object + properties: + name: + type: string + url: + type: string + distributions: + type: array + items: + type: string + components: + type: array + items: + type: string + gpgkey: + type: string + named: + type: object + properties: + docker: + type: string + socat: + type: string + unnamed: + type: array + items: + type: string +... diff --git a/global/v4.0/schemas/promenade/Docker/v1.yaml b/global/v4.0/schemas/promenade/Docker/v1.yaml new file mode 100644 index 000000000..f2dc517f3 --- /dev/null +++ b/global/v4.0/schemas/promenade/Docker/v1.yaml @@ -0,0 +1,16 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/Docker/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + type: object + properties: + config: + type: object + required: + - config + additionalProperties: false diff --git a/global/v4.0/schemas/promenade/Genesis/v1.yaml b/global/v4.0/schemas/promenade/Genesis/v1.yaml new file mode 100644 index 000000000..d26169839 --- /dev/null +++ b/global/v4.0/schemas/promenade/Genesis/v1.yaml 
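Review bot: Under `charts.kubernetes` in pegleg/SoftwareVersions/v1.yaml the property names `haroxy` and `haroxy-htk` look like misspellings of `haproxy` (the `images.kubernetes` block further down spells it `haproxy`), and those two entries are the only chart objects without a `reference` property. Because nothing in this schema sets `additionalProperties: false`, a document using the correct `haproxy` key validates without any of its fields being type-checked. I would rename both keys and add `reference:` with `type: string` to match the sibling charts. Separately, `location`, `reference` and every image value are unconstrained strings, so the schema cannot tell a pinned revision or digest from a floating branch or tag; if that is intended, a comment at the top of `charts:` and `images:` would make it explicit.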
@@ -0,0 +1,141 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/Genesis/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + definitions: + abs_path: + type: string + pattern: '^/.+$' + hostname: + type: string + pattern: '^[a-z][a-z0-9-]+$' + file: + properties: + path: + $ref: '#/definitions/abs_path' + content: + type: string + mode: + type: integer + minimum: 0 + tar_url: + $ref: '#/definitions/url' + tar_path: + $ref: '#/definitions/rel_path' + + requried: + - mode + - path + oneOf: + - type: object + required: + - content + - type: object + allOf: + - type: object + required: + - tar_url + - tar_path + additionalProperties: false + image: + type: string + # XXX add regex + ip_address: + type: string + pattern: '^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$' + kubernetes_label: + type: string + # XXX add regex + rel_path: + type: string + # XXX add regex + + type: object + properties: + armada: + type: object + properties: + target_manifest: + type: string + additionalProperties: false + + apiserver: + type: object + properties: + command_prefix: + type: array + items: + type: string + additionalProperties: false + + files: + type: array + items: + $ref: '#/definitions/file' + + hostname: + $ref: '#/definitions/hostname' + + ip: + $ref: '#/definitions/ip_address' + + labels: + properties: + static: + type: array + items: + $ref: '#/definitions/kubernetes_label' + dynamic: + type: array + items: + $ref: '#/definitions/kubernetes_label' + additionalProperties: false + + images: + type: object + properties: + armada: + $ref: '#/definitions/image' + helm: + type: object + properties: + tiller: + $ref: '#/definitions/image' + required: + - tiller + additionalProperties: false + kubernetes: + type: object + properties: + apiserver: + $ref: '#/definitions/image' + 
controller-manager: + $ref: '#/definitions/image' + etcd: + $ref: '#/definitions/image' + scheduler: + $ref: '#/definitions/image' + required: + - apiserver + - controller-manager + - etcd + - scheduler + additionalProperties: false + required: + - armada + - helm + - kubernetes + additionalProperties: false + + required: + - hostname + - ip + - images + - labels + additionalProperties: false +... diff --git a/global/v4.0/schemas/promenade/HostSystem/v1.yaml b/global/v4.0/schemas/promenade/HostSystem/v1.yaml new file mode 100644 index 000000000..874523830 --- /dev/null +++ b/global/v4.0/schemas/promenade/HostSystem/v1.yaml 
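Review bot: In the `file` definition of promenade/Genesis/v1.yaml the keyword is spelled `requried`, which validators ignore, so `mode` and `path` are not actually required for entries in `files`; it should be `required:`. The same definition uses `$ref: '#/definitions/url'` for `tar_url`, but this schema's `definitions` contain no `url` entry (HostSystem/v1.yaml defines one), so the reference cannot resolve; adding `url:` with `type: string` next to `rel_path` fixes that. The `requried` typo is repeated in the `file` definition of promenade/HostSystem/v1.yaml. The `image`, `kubernetes_label` and `rel_path` definitions still carry `# XXX add regex`, so for now they accept any string.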
@@ -0,0 +1,137 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/HostSystem/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + definitions: + abs_path: + type: string + pattern: '^/.+$' + apt_source_line: + type: string + # XXX add regex + file: + properties: + path: + $ref: '#/definitions/abs_path' + content: + type: string + mode: + type: integer + minimum: 0 + tar_url: + $ref: '#/definitions/url' + tar_path: + $ref: '#/definitions/rel_path' + + requried: + - mode + - path + oneOf: + - type: object + required: + - content + - type: object + allOf: + - type: object + required: + - tar_url + - tar_path + additionalProperties: false + + image: + type: string + # XXX add regex + package: + type: string + # XXX add regex + public_key: + type: string + # XXX add regex + rel_path: + type: string + # XXX add regex + url: + type: string + # XXX add regex + + type: object + + properties: + files: + type: array + items: + type: object + items: + $ref: '#/definitions/file' + images: + type: object + properties: + haproxy: + $ref: '#/definitions/image' + coredns: + $ref: '#/definitions/image' + helm: + type: object + properties: + helm: + $ref: '#/definitions/image' + required: + - helm + additionalProperties: false + kubernetes: + type: object + properties: + kubectl: + $ref: '#/definitions/image' + required: + - kubectl + additionalProperties: false + required: + - haproxy + - coredns + - helm + - kubernetes + additionalProperties: false + + packages: + type: object + properties: + additional: + type: array + items: + $ref: '#/definitions/package' + keys: + type: array + items: + $ref: '#/definitions/public_key' + + required: + type: object + properties: + docker: + $ref: '#/definitions/package' + socat: + $ref: '#/definitions/package' + required: + - docker + - socat + additionalProperties: false + + repositories: + type: array + items: + $ref: '#/definitions/apt_source_line' + + 
required: + - required + additionalProperties: false + + required: + - images + - packages + additionalProperties: false diff --git a/global/v4.0/schemas/promenade/Kubelet/v1.yaml b/global/v4.0/schemas/promenade/Kubelet/v1.yaml new file mode 100644 index 000000000..eb3d6939a --- /dev/null +++ b/global/v4.0/schemas/promenade/Kubelet/v1.yaml @@ -0,0 +1,31 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/Kubelet/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + type: object + definitions: + image: + type: string + # XXX add regex + + properties: + images: + type: object + properties: + pause: + $ref: '#/definitions/image' + required: + - pause + additionalProperties: false + arguments: + type: array + items: + type: string + required: + - images + additionalProperties: false diff --git a/global/v4.0/schemas/promenade/KubernetesNetwork/v1.yaml b/global/v4.0/schemas/promenade/KubernetesNetwork/v1.yaml new file mode 100644 index 000000000..f9fcf43b4 --- /dev/null +++ b/global/v4.0/schemas/promenade/KubernetesNetwork/v1.yaml 
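Review bot: The `files` property in promenade/HostSystem/v1 never applies the `file` definition. Its `items` is `type: object` with a second `items:` nested inside it that holds the `$ref`, and `items` only constrains arrays, so any object is accepted as a file entry. Host file entries (path, content, mode, tar source) are therefore not checked by this schema. The array should read `items:` followed directly by `$ref: '#/definitions/file'`, as promenade/Genesis/v1 does.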
@@ -0,0 +1,121 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/KubernetesNetwork/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + definitions: + cidr: + type: string + pattern: '^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\/([0-9]|[1-2][0-9]|3[0-2])$' + domain_name: + type: string + format: hostname + domain_suffix: + type: string + pattern: '^\.[a-z0-9][a-z0-9-\.]*$' + hostname: + type: string + format: hostname + hostname_or_ip_address: + anyOf: + - $ref: '#/definitions/hostname' + - $ref: '#/definitions/ip_address' + - $ref: '#/definitions/domain_suffix' + ip_address: + type: string + format: ipv4 + url: + type: string + format: uri + + type: object + properties: + dns: + type: object + properties: + bootstrap_validation_checks: + type: array + items: + $ref: '#/definitions/domain_name' + cluster_domain: + $ref: '#/definitions/domain_name' + service_ip: + $ref: '#/definitions/ip_address' + upstream_servers: + type: array + items: + $ref: '#/definitions/ip_address' + required: + - cluster_domain + - service_ip + additionalProperties: false + + etcd: + type: object + properties: + container_port: + type: integer + haproxy_port: + type: integer + # NOTE(mark-burnett): No longer used. 
+ service_ip: + $ref: '#/definitions/ip_address' + required: + - container_port + - haproxy_port + additionalProperties: false + + kubernetes: + type: object + properties: + pod_cidr: + $ref: '#/definitions/cidr' + service_ip: + $ref: '#/definitions/ip_address' + service_cidr: + $ref: '#/definitions/cidr' + apiserver_port: + type: integer + haproxy_port: + type: integer + required: + - pod_cidr + - service_cidr + - service_ip + - apiserver_port + - haproxy_port + additionalProperties: false + hosts_entries: + type: array + items: + type: object + properties: + ip: + $ref: '#/definitions/ip_address' + names: + type: array + items: + $ref: '#/definitions/hostname' + + proxy: + type: object + properties: + additional_no_proxy: + type: array + items: + $ref: '#/definitions/hostname_or_ip_address' + url: + $ref: '#/definitions/url' + required: + - url + additionalFields: false + + required: + - dns + - kubernetes + additionalProperties: false +... diff --git a/global/v4.0/schemas/promenade/KubernetesNode/v1.yaml b/global/v4.0/schemas/promenade/KubernetesNode/v1.yaml new file mode 100644 index 000000000..1b7598e21 --- /dev/null +++ b/global/v4.0/schemas/promenade/KubernetesNode/v1.yaml 
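Review bot: The `proxy` object closes with `additionalFields: false`, which is not a JSON Schema keyword, so unknown keys under `proxy` are silently accepted while the sibling objects reject them; it should be `additionalProperties: false`. The `hosts_entries` items declare neither `required` nor `additionalProperties: false`, so an entry missing `ip` or `names` validates. The port fields (`container_port`, `haproxy_port`, `apiserver_port`) are bare `type: integer`; adding `minimum: 1` and `maximum: 65535` would reject out-of-range values at validation time.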
@@ -0,0 +1,47 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/KubernetesNode/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + definitions: + hostname: + type: string + pattern: '^[a-z][a-z0-9-]+$' + ip_address: + type: string + pattern: '^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$' + kubernetes_label: + type: string + # XXX add regex + + type: object + properties: + hostname: + $ref: '#/definitions/hostname' + + ip: + $ref: '#/definitions/ip_address' + + join_ip: + $ref: '#/definitions/ip_address' + + labels: + properties: + static: + type: array + items: + $ref: '#/definitions/kubernetes_label' + dynamic: + type: array + items: + $ref: '#/definitions/kubernetes_label' + additionalProperties: false + + required: + - ip + - join_ip + additionalProperties: false diff --git a/global/v4.0/schemas/promenade/PKICatalog/PKICatalog.yaml b/global/v4.0/schemas/promenade/PKICatalog/PKICatalog.yaml new file mode 100644 index 000000000..ae64c54ca --- /dev/null +++ b/global/v4.0/schemas/promenade/PKICatalog/PKICatalog.yaml @@ -0,0 +1,43 @@ +--- +schema: deckhand/DataSchema/v1 +metadata: + schema: metadata/Control/v1 + name: promenade/PKICatalog/v1 + labels: + application: promenade +data: + $schema: http://json-schema.org/schema# + certificate_authorities: + type: array + items: + type: object + properties: + description: + type: string + certificates: + type: array + items: + type: object + properties: + document_name: + type: string + description: + type: string + common_name: + type: string + hosts: + type: array + items: string + groups: + type: array + items: string + keypairs: + type: array + items: + type: object + properties: + name: + type: string + description: + type: string +... 
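Review bot: In promenade/PKICatalog/v1, `certificate_authorities` sits directly under `data` beside `$schema`, with no top-level `type: object` and `properties:` wrapper, so a validator treats it as an unknown keyword and the schema constrains nothing. The `hosts` and `groups` arrays also use `items: string`, but `items` must itself be a schema; the valid form is `items:` with `type: string` beneath it. This catalogue appears to describe the CAs, certificates and keypairs for the site, so once the structure is under `properties:` I would also add `required` lists and `additionalProperties: false`.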
diff --git a/global/v4.0/schemas/shipyard/DeploymentConfiguration/v1.yaml b/global/v4.0/schemas/shipyard/DeploymentConfiguration/v1.yaml new file mode 100644 index 000000000..77da34e3a --- /dev/null +++ b/global/v4.0/schemas/shipyard/DeploymentConfiguration/v1.yaml @@ -0,0 +1,80 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: shipyard/DeploymentConfiguration/v1 + labels: + application: shipyard +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + properties: + physical_provisioner: + type: 'object' + properties: + deployment_strategy: + type: 'string' + deploy_interval: + type: 'integer' + deploy_timeout: + type: 'integer' + destroy_interval: + type: 'integer' + destroy_timeout: + type: 'integer' + join_wait: + type: 'integer' + prepare_node_interval: + type: 'integer' + prepare_node_timeout: + type: 'integer' + prepare_site_interval: + type: 'integer' + prepare_site_timeout: + type: 'integer' + verify_interval: + type: 'integer' + verify_timeout: + type: 'integer' + additionalProperties: false + kubernetes: + type: 'object' + properties: + node_status_interval: + type: 'integer' + node_status_timeout: + type: 'integer' + additionalProperties: false + kubernetes_provisioner: + type: 'object' + properties: + drain_timeout: + type: 'integer' + drain_grace_period: + type: 'integer' + clear_labels_timeout: + type: 'integer' + remove_etcd_timeout: + type: 'integer' + etcd_ready_timeout: + type: 'integer' + additionalProperties: false + armada: + type: 'object' + properties: + get_releases_timeout: + type: 'integer' + get_status_timeout: + type: 'integer' + manifest: + type: 'string' + post_apply_timeout: + type: 'integer' + validate_design_timeout: + type: 'integer' + additionalProperties: false + required: + - manifest + additionalProperties: false + required: + - armada 
diff --git a/global/v4.0/schemas/shipyard/DeploymentStrategy/v1.yaml b/global/v4.0/schemas/shipyard/DeploymentStrategy/v1.yaml new file mode 100644 index 000000000..081bbbc9d --- /dev/null +++ b/global/v4.0/schemas/shipyard/DeploymentStrategy/v1.yaml @@ -0,0 +1,73 @@ +--- +schema: 'deckhand/DataSchema/v1' +metadata: + schema: metadata/Control/v1 + name: shipyard/DeploymentStrategy/v1 + labels: + application: shipyard +data: + $schema: 'http://json-schema.org/schema#' + type: 'object' + required: + - groups + properties: + groups: + type: 'array' + minItems: 0 + items: + type: 'object' + required: + - name + - critical + - depends_on + - selectors + properties: + name: + type: 'string' + minLength: 1 + critical: + type: 'boolean' + depends_on: + type: 'array' + minItems: 0 + items: + type: 'string' + selectors: + type: 'array' + minItems: 0 + items: + type: 'object' + minProperties: 1 + properties: + node_names: + type: 'array' + items: + type: 'string' + node_labels: + type: 'array' + items: + type: 'string' + node_tags: + type: 'array' + items: + type: 'string' + rack_names: + type: 'array' + items: + type: 'string' + additionalProperties: false + success_criteria: + type: 'object' + minProperties: 1 + properties: + percent_successful_nodes: + type: 'integer' + minimum: 0 + maximum: 100 + minimum_successful_nodes: + type: 'integer' + minimum: 0 + maximum_failed_nodes: + type: 'integer' + minimum: 0 + additionalProperties: false diff --git a/global/v4.0/scripts/configure-ip-rules.yaml b/global/v4.0/scripts/configure-ip-rules.yaml new file mode 100644 index 000000000..217d9de11 --- /dev/null +++ b/global/v4.0/scripts/configure-ip-rules.yaml 
@@ -0,0 +1,128 @@ +--- +schema: pegleg/Script/v1 +metadata: + schema: metadata/Document/v1 + name: configure-ip-rules + storagePolicy: cleartext + layeringDefinition: + abstract: false + layer: global +data: |- + #!/bin/bash + set -ex + + function usage() { + cat <&2 + exit 1 + ;; + :) + echo "Missing argument for option: -${OPTARG}" >&2 + exit 1 + ;; + *) + echo "Unimplemented option: -${OPTARG}" >&2 + exit 1 + ;; + esac + done + shift $((OPTIND-1)) + + if [ "x$POD_CIDR" == "x" ]; then + echo "Missing pod CIDR, e.g -c 10.97.0.0/16" >&2 + usage + exit 1 + fi + + if [ "x$INTERFACE" != "x" ]; then + while ! ip route list dev "${INTERFACE}" > /dev/null; do + echo Waiting for device "${INTERFACE}" to be ready. >&2 + sleep 5 + done + fi + + intra_vrrp_ip= + if [ "x${SERVICE_GW}" == "x" ]; then + intra_vrrp_ip=$(ip route list dev "${INTERFACE}" | awk '($2~/via/){print $3}' | head -n 1) + else + intra_vrrp_ip=${SERVICE_GW} + fi + + TABLE="1500" + + if [ "x${intra_vrrp_ip}" == "x" ]; then + echo "Either INTERFACE or SERVICE_GW is required: e.g. either -i bond0.22 or -g 10.23.22.1" + usage + exit 1 + fi + + # Setup a routing table for traffic from service IPs + ip route flush table "${TABLE}" + ip route add default via "${intra_vrrp_ip}" table "${TABLE}" + + # Setup arp_announce adjustment on interface facing gateway + arp_intf=$(ip route get ${intra_vrrp_ip} | grep dev | awk '{print $3}') + echo 2 > /proc/sys/net/ipv4/conf/${arp_intf}/arp_announce + + + if [ "x$OVERLAP_CIDR" != "x" ]; then + # NOTE: This is a work-around for nodes not receiving complete + # routes via BGP. + ip route add "${OVERLAP_CIDR}" via "${intra_vrrp_ip}" + fi + + if [ "x$SERVICE_CIDR" != "x" ]; then + # Traffic from the service IPs to pods should use the pod network. 
+ ip rule add \ + from "${SERVICE_CIDR}" \ + to "${POD_CIDR}" \ + lookup main \ + pref 10000 + # Other traffic from service IPs should only use the VRRP IP + ip rule add \ + from "${SERVICE_CIDR}" \ + lookup "${TABLE}" \ + pref 10100 + fi diff --git a/global/v4.0/software/charts/kubernetes/container-networking/calico.yaml b/global/v4.0/software/charts/kubernetes/container-networking/calico.yaml new file mode 100644 index 000000000..11b982ad1 --- /dev/null +++ b/global/v4.0/software/charts/kubernetes/container-networking/calico.yaml 
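Review bot: The arp_announce step uses two unquoted, unchecked values: `ip route get ${intra_vrrp_ip}` and the redirect into `/proc/sys/net/ipv4/conf/${arp_intf}/arp_announce`. `awk '{print $3}'` takes the third field of the matching line, which looks like the device only when the gateway is on-link. Picking the word after `dev` and checking it is non-empty is safer, e.g. `arp_intf=$(ip route get "${intra_vrrp_ip}" | awk '{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}')` followed by `[ -n "${arp_intf}" ] || exit 1`. The script also runs under `set -e`, and the `ip route add "${OVERLAP_CIDR}"` and `ip rule add` calls are not idempotent, so a second run may abort or stack duplicate rules. Deleting existing entries first, as the flush of table `${TABLE}` already does, would make re-runs safe.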
@@ -0,0 +1,168 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-calico + layeringDefinition: + abstract: false + layer: global + labels: + name: kubernetes-calico-global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.calico.calico + dest: + path: .source + # Image versions + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.calico.calico + dest: + path: .values.images.tags + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .calico.etcd.service_ip + dest: + path: .values.endpoints.etcd.host_fqdn_override.default + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.pod_cidr + dest: + path: .values.networking.podSubnet + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.api_service_ip + dest: + path: .values.conf.policy_controller.K8S_API + pattern: SUB_KUBERNETES_IP + + # Other site-specific configuration + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .calico.ip_autodetection_method + dest: + path: .values.conf.node.IP_AUTODETECTION_METHOD + + # Certificates + - src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd + path: . + dest: + path: .values.endpoints.etcd.auth.client.tls.ca + - src: + schema: deckhand/Certificate/v1 + name: calico-node + path: . + dest: + path: .values.endpoints.etcd.auth.client.tls.crt + - src: + schema: deckhand/CertificateKey/v1 + name: calico-node + path: . 
+ dest: + path: .values.endpoints.etcd.auth.client.tls.key + +data: + chart_name: calico + release: kubernetes-calico + namespace: kube-system + protected: + continue_processing: true + wait: + timeout: 600 + labels: + release_group: kubernetes-calico + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: kubernetes-calico + values: + conf: + cni_network_config: + name: k8s-pod-network + cniVersion: 0.1.0 + type: calico + etcd_endpoints: __ETCD_ENDPOINTS__ + etcd_ca_cert_file: /etc/calico/pki/ca + etcd_cert_file: /etc/calico/pki/crt + etcd_key_file: /etc/calico/pki/key + log_level: info + mtu: 1500 + ipam: + type: calico-ipam + policy: + type: k8s + k8s_api_root: https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__ + k8s_auth_token: __SERVICEACCOUNT_TOKEN__ + + policy_controller: + K8S_API: "https://SUB_KUBERNETES_IP:443" + + node: + CALICO_STARTUP_LOGLEVEL: INFO + CLUSTER_TYPE: + - k8s + - bgp + WAIT_FOR_STORAGE: "true" + + endpoints: + etcd: + hosts: + default: calico-etcd + scheme: + default: https + + networking: + mtu: 1500 + settings: + mesh: "on" + ippool: + ipip: + enabled: "true" + mode: "always" + nat_outgoing: "true" + disabled: "false" + + manifests: + daemonset_calico_etcd: false + job_image_repo_sync: false + service_calico_etcd: false + dependencies: + - calico-htk +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: calico-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.calico.calico-htk + dest: + path: .source +data: + chart_name: calico-htk + release: calico-htk + namespace: calico-htk + values: {} + dependencies: [] +... 
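Review bot: This chart is declared `storagePolicy: cleartext`, yet its substitutions copy `deckhand/CertificateKey/v1` `calico-node` into `.values.endpoints.etcd.auth.client.tls.key`, so the rendered document carries a private key. Whether Deckhand redacts or encrypts that rendered value is not visible from this patch. I would at least add a comment above the substitution, such as `# Private key material: the rendered chart is sensitive; restrict who can read rendered documents`. The same pattern occurs in the charts for calico etcd (`calico-etcd-anchor` key), kubernetes-apiserver (`apiserver` and `apiserver-etcd` keys), kubernetes-controller-manager (`controller-manager` key and the `deckhand/PrivateKey/v1` `service-account` key) and kubernetes-scheduler (`scheduler` key).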
diff --git a/global/v4.0/software/charts/kubernetes/container-networking/chart-group.yaml b/global/v4.0/software/charts/kubernetes/container-networking/chart-group.yaml
new file mode 100644
index 000000000..4d1cfbda0
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/container-networking/chart-group.yaml
@@ -0,0 +1,15 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-container-networking
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Container networking via Calico
+ sequenced: true
+ chart_group:
+ - kubernetes-calico-etcd
+ - kubernetes-calico
diff --git a/global/v4.0/software/charts/kubernetes/container-networking/etcd.yaml b/global/v4.0/software/charts/kubernetes/container-networking/etcd.yaml
new file mode 100644
index 000000000..aafe48059
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/container-networking/etcd.yaml
@@ -0,0 +1,136 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-calico-etcd-global + layeringDefinition: + abstract: true + layer: global + labels: + name: kubernetes-calico-etcd-global + storagePolicy: cleartext + substitutions: + + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.calico.etcd + dest: + path: .source + + # Image versions + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.calico.etcd + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .calico.etcd.service_ip + dest: + path: .values.service.ip + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .calico.etcd.service_ip + dest: + path: .values.anchor.etcdctl_endpoint + + # CAs + - src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd + path: . + dest: + path: .values.secrets.tls.client.ca + - src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd-peer + path: . + dest: + path: .values.secrets.tls.peer.ca + + # Anchor client cert + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-anchor + path: . + dest: + path: .values.secrets.anchor.tls.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-anchor + path: . 
+ dest: + path: .values.secrets.anchor.tls.key + +data: + chart_name: etcd + release: kubernetes-calico-etcd + namespace: kube-system + protected: + continue_processing: true + wait: + timeout: 600 + labels: + release_group: kubernetes-calico-etcd + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: kubernetes-calico-etcd + values: + labels: + anchor: + node_selector_key: calico-etcd + node_selector_value: enabled + etcd: + host_data_path: /var/lib/etcd/calico + host_etc_path: /etc/etcd/calico + bootstrapping: + enabled: true + host_directory: /var/lib/anchor + filename: calico-etcd-bootstrap + service: + name: calico-etcd + network: + service_client: + name: service_client + port: 6666 + target_port: 6666 + service_peer: + name: service_peer + port: 6667 + target_port: 6667 + dependencies: + - kubernetes-calico-etcd-htk +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-calico-etcd-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.calico.etcd-htk + dest: + path: .source +data: + chart_name: kubernetes-calico-etcd-htk + release: kubernetes-calico-etcd-htk + namespace: kubernetes-calico-etcd-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/kubernetes/core/apiserver.yaml b/global/v4.0/software/charts/kubernetes/core/apiserver.yaml new file mode 100644 index 000000000..ceaf1ce40 --- /dev/null +++ b/global/v4.0/software/charts/kubernetes/core/apiserver.yaml 
@@ -0,0 +1,155 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-apiserver + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.apiserver + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.apiserver + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.api_service_ip + dest: + path: .values.network.kubernetes_service_ip + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.pod_cidr + dest: + path: .values.network.pod_cidr + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_cidr + dest: + path: .values.command_prefix[1] + pattern: SERVICE_CIDR + + # Kubernetes Port Range + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_node_port_range + dest: + path: .values.command_prefix[2] + pattern: SERVICE_NODE_PORT_RANGE + + # CA + - src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + + # Certificates + - src: + schema: deckhand/Certificate/v1 + name: apiserver + path: . + dest: + path: .values.secrets.tls.cert + - src: + schema: deckhand/CertificateKey/v1 + name: apiserver + path: . + dest: + path: .values.secrets.tls.key + - src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes-etcd + path: . + dest: + path: .values.secrets.etcd.tls.ca + - src: + schema: deckhand/Certificate/v1 + name: apiserver-etcd + path: . + dest: + path: .values.secrets.etcd.tls.cert + - src: + schema: deckhand/CertificateKey/v1 + name: apiserver-etcd + path: . 
+ dest: + path: .values.secrets.etcd.tls.key + - src: + schema: deckhand/PublicKey/v1 + name: service-account + path: . + dest: + path: .values.secrets.service_account.public_key + +data: + chart_name: apiserver + release: kubernetes-apiserver + namespace: kube-system + protected: + continue_processing: true + wait: + timeout: 600 + labels: + release_group: kubernetes-apiserver + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: kubernetes-apiserver + values: + apiserver: + etcd: + endpoints: https://127.0.0.1:2378 + command_prefix: + - /apiserver + - --service-cluster-ip-range=SERVICE_CIDR + - --service-node-port-range=SERVICE_NODE_PORT_RANGE + - --authorization-mode=Node,RBAC + - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds + - --endpoint-reconciler-type=lease + dependencies: + - kubernetes-apiserver-htk +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-apiserver-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.apiserver-htk + dest: + path: .source +data: + chart_name: kubernetes-apiserver-htk + release: kubernetes-apiserver-htk + namespace: kubernetes-apiserver-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/kubernetes/core/chart-group.yaml b/global/v4.0/software/charts/kubernetes/core/chart-group.yaml new file mode 100644 index 000000000..6e8560d53 --- /dev/null +++ b/global/v4.0/software/charts/kubernetes/core/chart-group.yaml 
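Review bot: `command_prefix` enables `--authorization-mode=Node,RBAC`, but the `--admission-control` list omits `NodeRestriction`, the admission plugin that limits a kubelet to modifying its own Node object and the pods bound to it. Unless the chart appends it elsewhere (not visible in this hunk), I would add `NodeRestriction` to that list. Separately, the `SERVICE_CIDR` and `SERVICE_NODE_PORT_RANGE` substitutions address `command_prefix[1]` and `command_prefix[2]` by position. A comment on the list such as `# entries 1 and 2 are substitution targets; keep their order` would guard against a silent mis-substitution.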
@@ -0,0 +1,15 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-core
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Kubernetes components
+ chart_group:
+ - kubernetes-apiserver
+ - kubernetes-controller-manager
+ - kubernetes-scheduler
diff --git a/global/v4.0/software/charts/kubernetes/core/controller-manager.yaml b/global/v4.0/software/charts/kubernetes/core/controller-manager.yaml
new file mode 100644
index 000000000..c4fad3a37
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/core/controller-manager.yaml
@@ -0,0 +1,136 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-controller-manager + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.controller-manager + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.controller-manager + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.pod_cidr + dest: + path: .values.network.pod_cidr + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_cidr + dest: + path: .values.network.service_cidr + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.pod_cidr + dest: + path: .values.command_prefix[1] + pattern: SUB_POD_CIDR + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .kubernetes.service_cidr + dest: + path: .values.command_prefix[2] + pattern: SUB_SERVICE_CIDR + + # CA + - src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + + # Certificates + - src: + schema: deckhand/Certificate/v1 + name: controller-manager + path: . + dest: + path: .values.secrets.tls.cert + - src: + schema: deckhand/CertificateKey/v1 + name: controller-manager + path: . + dest: + path: .values.secrets.tls.key + + # Private key for Kubernetes service account token signing + - src: + schema: deckhand/PrivateKey/v1 + name: service-account + path: . 
+ dest: + path: .values.secrets.service_account.private_key + +data: + chart_name: controller-manager + release: kubernetes-controller-manager + namespace: kube-system + protected: + continue_processing: true + wait: + timeout: 600 + labels: + release_group: kubernetes-controller-manager + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: kubernetes-controller-manager + values: + command_prefix: + - /controller-manager + - --cluster-cidr=SUB_POD_CIDR + - --service-cluster-ip-range=SUB_SERVICE_CIDR + - --node-monitor-period=5s + - --node-monitor-grace-period=20s + - --pod-eviction-timeout=60s + network: + kubernetes_netloc: 127.0.0.1:6553 + dependencies: + - kubernetes-controller-manager-htk +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-controller-manager-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.controller-manager-htk + dest: + path: .source +data: + chart_name: kubernetes-controller-manager-htk + release: kubernetes-controller-manager-htk + namespace: kubernetes-controller-manager-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/kubernetes/core/scheduler.yaml b/global/v4.0/software/charts/kubernetes/core/scheduler.yaml new file mode 100644 index 000000000..4e7fe44a9 --- /dev/null +++ b/global/v4.0/software/charts/kubernetes/core/scheduler.yaml 
@@ -0,0 +1,93 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-scheduler + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.scheduler + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.kubernetes.scheduler + dest: + path: .values.images.tags + + # CA + - src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + + # Certificates + - src: + schema: deckhand/Certificate/v1 + name: scheduler + path: . + dest: + path: .values.secrets.tls.cert + - src: + schema: deckhand/CertificateKey/v1 + name: scheduler + path: . + dest: + path: .values.secrets.tls.key + +data: + chart_name: scheduler + release: kubernetes-scheduler + namespace: kube-system + protected: + continue_processing: true + wait: + timeout: 600 + labels: + release_group: kubernetes-scheduler + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: kubernetes-scheduler + values: + network: + kubernetes_netloc: 127.0.0.1:6553 + dependencies: + - kubernetes-scheduler-htk +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-scheduler-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.kubernetes.scheduler-htk + dest: + path: .source +data: + chart_name: kubernetes-scheduler-htk + release: kubernetes-scheduler-htk + namespace: kubernetes-scheduler-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/kubernetes/dns/chart-group.yaml b/global/v4.0/software/charts/kubernetes/dns/chart-group.yaml new file mode 100644 index 000000000..1c8abf03d 
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/dns/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-dns
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Cluster DNS
+ chart_group:
+ - coredns
diff --git a/global/v4.0/software/charts/kubernetes/dns/coredns.yaml b/global/v4.0/software/charts/kubernetes/dns/coredns.yaml
new file mode 100644
index 000000000..afbde080e
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/dns/coredns.yaml
@@ -0,0 +1,146 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: coredns
+ layeringDefinition:
+ abstract: false
+ layer: global
+ labels:
+ name: coredns-global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.coredns
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.coredns
+ dest:
+ path: .values.images.tags
+
+ # IP Addresses
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.service_ip
+ dest:
+ path: .values.service.ip
+
+ # Zones
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.cluster_domain
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(CLUSTER_DOMAIN)'
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.service_cidr
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(SERVICE_CIDR)'
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.pod_cidr
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(POD_CIDR)'
+
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.upstream_servers[0]
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(UPSTREAM1)'
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.upstream_servers[1]
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(UPSTREAM2)'
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.upstream_servers[2]
+ dest:
+ path: .values.conf.coredns.corefile
+ pattern: '(UPSTREAM3)'
+
+data:
+ chart_name: coredns
+ release: coredns
+ namespace: kube-system
+ wait:
+ timeout: 600
+ labels:
+ release_group: coredns
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: coredns
+ values:
+ conf:
+ coredns:
+ corefile: |
+ .:53 {
+ errors
+ health
+ autopath @kubernetes
+ kubernetes CLUSTER_DOMAIN SERVICE_CIDR POD_CIDR {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ upstream UPSTREAM1
+ upstream UPSTREAM2
+ upstream UPSTREAM3
+ }
+ prometheus :9153
+ forward . UPSTREAM1 UPSTREAM2 UPSTREAM3
+ cache 30
+ }
+
+ labels:
+ coredns:
+ node_selector_key: kube-dns
+ node_selector_value: enabled
+
+ dependencies:
+ - coredns-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: coredns-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.coredns-htk
+ dest:
+ path: .source
+data:
+ chart_name: coredns-htk
+ release: coredns-htk
+ namespace: coredns-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/kubernetes/etcd/chart-group.yaml b/global/v4.0/software/charts/kubernetes/etcd/chart-group.yaml
new file mode 100644
index 000000000..5a951d136
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/etcd/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-etcd
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Kubernetes etcd
+ chart_group:
+ - kubernetes-etcd
diff --git a/global/v4.0/software/charts/kubernetes/etcd/etcd.yaml b/global/v4.0/software/charts/kubernetes/etcd/etcd.yaml
new file mode 100644
index 000000000..022fad630
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/etcd/etcd.yaml
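Review bot: In coredns.yaml's Corefile, `autopath @kubernetes` is enabled while the kubernetes block sets `pods insecure`; the CoreDNS documentation requires `pods verified` for autopath to work properly, and `insecure` also answers for any IP-shaped pod name without checking that such a pod exists in the namespace. I would change the line to `pods verified`, or drop `autopath @kubernetes` if the extra watch on pods is not wanted. The three `.dns.upstream_servers[0]` to `[2]` substitutions also assume that every site defines exactly three upstream resolvers, which deserves a comment such as `# Upstream resolvers (sites must define three)` above them.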
@@ -0,0 +1,137 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-etcd-global
+ layeringDefinition:
+ abstract: true
+ layer: global
+ labels:
+ name: kubernetes-etcd-global
+ storagePolicy: cleartext
+ substitutions:
+
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.etcd
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.etcd
+ dest:
+ path: .values.images.tags
+
+ # IP addresses
+ -
+ src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.etcd_service_ip
+ dest:
+ path: .values.service.ip
+ -
+ src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.etcd_service_ip
+ dest:
+ path: .values.anchor.etcdctl_endpoint
+
+ # CAs
+ -
+ src:
+ schema: deckhand/CertificateAuthority/v1
+ name: kubernetes-etcd
+ path: .
+ dest:
+ path: .values.secrets.tls.client.ca
+ -
+ src:
+ schema: deckhand/CertificateAuthority/v1
+ name: kubernetes-etcd-peer
+ path: .
+ dest:
+ path: .values.secrets.tls.peer.ca
+
+ -
+ src:
+ schema: deckhand/Certificate/v1
+ name: kubernetes-etcd-anchor
+ path: .
+ dest:
+ path: .values.secrets.anchor.tls.cert
+ -
+ src:
+ schema: deckhand/CertificateKey/v1
+ name: kubernetes-etcd-anchor
+ path: .
+ dest:
+ path: .values.secrets.anchor.tls.key
+
+data:
+ chart_name: etcd
+ release: kubernetes-etcd
+ namespace: kube-system
+ protected:
+ continue_processing: true
+ wait:
+ timeout: 600
+ labels:
+ release_group: kubernetes-etcd
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: kubernetes-etcd
+ values:
+ labels:
+ anchor:
+ node_selector_key: kubernetes-etcd
+ node_selector_value: enabled
+ etcd:
+ host_data_path: /var/lib/etcd/kubernetes
+ host_etc_path: /etc/etcd/kubernetes
+ service:
+ name: kubernetes-etcd
+ network:
+ service_client:
+ name: service_client
+ port: 2379
+ target_port: 2379
+ service_peer:
+ name: service_peer
+ port: 2380
+ target_port: 2380
+ dependencies:
+ - kubernetes-etcd-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-etcd-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.etcd-htk
+ dest:
+ path: .source
+data:
+ chart_name: kubernetes-etcd-htk
+ release: kubernetes-etcd-htk
+ namespace: kubernetes-etcd-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/kubernetes/haproxy/chart-group.yaml b/global/v4.0/software/charts/kubernetes/haproxy/chart-group.yaml
new file mode 100644
index 000000000..63a24f5f2
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/haproxy/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-haproxy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: HAProxy for Kubernetes
+ chart_group:
+ - haproxy
diff --git a/global/v4.0/software/charts/kubernetes/haproxy/haproxy.yaml b/global/v4.0/software/charts/kubernetes/haproxy/haproxy.yaml
new file mode 100644
index 000000000..7498f8052
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/haproxy/haproxy.yaml 
@@ -0,0 +1,109 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: haproxy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.haproxy
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.haproxy
+ dest:
+ path: .values.images.tags
+
+ # Kubernetes configuration
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.api_service_ip
+ dest:
+ path: .values.conf.anchor.kubernetes_url
+ pattern: KUBERNETES_IP
+
+data:
+ chart_name: haproxy
+ release: haproxy
+ namespace: kube-system
+ protected:
+ continue_processing: true
+ wait:
+ timeout: 600
+ labels:
+ release_group: haproxy
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: haproxy
+ values:
+ conf:
+ anchor:
+ kubernetes_url: https://KUBERNETES_IP:443
+ services:
+ default:
+ kubernetes:
+ server_opts: "check port 6443"
+ conf_parts:
+ frontend:
+ - mode tcp
+ - option tcpka
+ - bind *:6553
+ backend:
+ - mode tcp
+ - option tcpka
+ - option tcp-check
+ - option redispatch
+ kube-system:
+ kubernetes-etcd:
+ server_opts: "check port 2379"
+ conf_parts:
+ frontend:
+ - mode tcp
+ - option tcpka
+ - bind *:2378
+ backend:
+ - mode tcp
+ - option tcpka
+ - option tcp-check
+ - option redispatch
+ dependencies:
+ - haproxy-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: haproxy-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.haproxy-htk
+ dest:
+ path: .source
+data:
+ chart_name: haproxy-htk
+ release: haproxy-htk
+ namespace: haproxy-htk
+ values: {}
+ dependencies: []
+...
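Review bot: Both frontends in haproxy.yaml listen on every address (`bind *:6553` for the Kubernetes API pass-through, `bind *:2378` for etcd), while the consumers added in this same patch reach the proxy on loopback (`kubernetes_netloc: 127.0.0.1:6553` in the scheduler chart, `kube_service` host `127.0.0.1` port `6553` in the proxy chart). If the chart runs HAProxy on the host network, which these manifests do not show, both pass-throughs become reachable from any network the node is attached to. Unless off-node access is intended, I would use `bind 127.0.0.1:6553` and `bind 127.0.0.1:2378`, or add a comment next to each `bind` saying why the wildcard is needed.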
diff --git a/global/v4.0/software/charts/kubernetes/ingress/chart-group.yaml b/global/v4.0/software/charts/kubernetes/ingress/chart-group.yaml
new file mode 100644
index 000000000..11197f694
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/ingress/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ingress-kube-system
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Ingress for the site
+ chart_group:
+ - ingress-kube-system
diff --git a/global/v4.0/software/charts/kubernetes/ingress/ingress.yaml b/global/v4.0/software/charts/kubernetes/ingress/ingress.yaml
new file mode 100644
index 000000000..e9af076eb
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/ingress/ingress.yaml
@@ -0,0 +1,86 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: global-ingress-kube-system
+ labels:
+ ingress: kube-system
+ layeringDefinition:
+ abstract: true
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.ingress
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.ingress
+ dest:
+ path: .values.images.tags
+data:
+ chart_name: ingress-kube-system
+ release: ingress-kube-system
+ namespace: kube-system
+ wait:
+ timeout: 300
+ labels:
+ release_group: ingress-kube-system
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ingress-kube-system
+ values:
+ labels:
+ server:
+ node_selector_key: kube-ingress
+ node_selector_value: enabled
+ error_server:
+ node_selector_key: kube-ingress
+ node_selector_value: enabled
+ deployment:
+ mode: cluster
+ type: DaemonSet
+ network:
+ host_namespace: true
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "603"
+ pod:
+ replicas:
+ error_page: 2
+ dependencies:
+ - ingress-kube-system-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ingress-kube-system-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.ingress-htk
+ dest:
+ path: .source
+data:
+ chart_name: ingress-kube-system-htk
+ release: ingress-kube-system-htk
+ namespace: ingress-kube-system-htk
+ values: {}
+ dependencies: []
diff --git a/global/v4.0/software/charts/kubernetes/proxy/chart-group.yaml b/global/v4.0/software/charts/kubernetes/proxy/chart-group.yaml
new file mode 100644
index 000000000..a083dd3d7
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/proxy/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-proxy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Kubernetes proxy
+ sequenced: true
+ chart_group:
+ - kubernetes-proxy
diff --git a/global/v4.0/software/charts/kubernetes/proxy/kubernetes-proxy.yaml b/global/v4.0/software/charts/kubernetes/proxy/kubernetes-proxy.yaml
new file mode 100644
index 000000000..2de79e1ff
--- /dev/null
+++ b/global/v4.0/software/charts/kubernetes/proxy/kubernetes-proxy.yaml
@@ -0,0 +1,90 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-proxy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.proxy
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.proxy
+ dest:
+ path: .values.images.tags
+
+ # IP Addresses
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.pod_cidr
+ dest:
+ path: .values.command_prefix[1]
+ pattern: POD_CIDR
+
+ # Secrets
+ - src:
+ schema: deckhand/CertificateAuthority/v1
+ name: kubernetes
+ path: .
+ dest:
+ path: .values.secrets.tls.ca
+data:
+ chart_name: proxy
+ release: kubernetes-proxy
+ namespace: kube-system
+ wait:
+ timeout: 600
+ labels:
+ release_group: kubernetes-proxy
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: kubernetes-proxy
+ values:
+ command_prefix:
+ - /proxy
+ - --cluster-cidr=POD_CIDR
+ - --proxy-mode=iptables
+ kube_service:
+ host: 127.0.0.1
+ port: 6553
+ dependencies:
+ - kubernetes-proxy-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-proxy-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.kubernetes.proxy-htk
+ dest:
+ path: .source
+data:
+ chart_name: kubernetes-proxy-htk
+ release: kubernetes-proxy-htk
+ namespace: kubernetes-proxy-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/osh-infra/dependencies.yaml b/global/v4.0/software/charts/osh-infra/dependencies.yaml
new file mode 100644
index 000000000..d45bc5dbb
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/dependencies.yaml
@@ -0,0 +1,28 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-helm-toolkit
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh_infra.helm_toolkit
+ dest:
+ path: .source
+data:
+ chart_name: helm-toolkit
+ release: osh-infra-helm-toolkit
+ namespace: osh-infra-helm-toolkit
+ wait:
+ timeout: 600
+ labels:
+ release_group: osh-infra-helm-toolkit
+ upgrade:
+ no_hooks: true
+ values: {}
+ dependencies: []
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/ceph-config.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/ceph-config.yaml
new file mode 100644
index 000000000..d615db060
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/ceph-config.yaml
@@ -0,0 +1,142 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-ceph-config
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.ceph-client
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ceph.ceph-client
+ dest:
+ path: .values.images.tags
+
+ # IP addresses
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .storage.ceph.public_cidr
+ dest:
+ path: .values.network.public
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .storage.ceph.cluster_cidr
+ dest:
+ path: .values.network.cluster
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.identity
+ dest:
+ path: .values.endpoints.identity
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.object_store
+ dest:
+ path: .values.endpoints.object_store
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: ucp_endpoints
+ path: .ceph.ceph_mon
+ dest:
+ path: .values.endpoints.ceph_mon
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: ucp_endpoints
+ path: .ceph.ceph_mgr
+ dest:
+ path: .values.endpoints.ceph_mgr
+
+ # Credentials
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_service_accounts
+ path: .osh.keystone.admin
+ dest:
+ path: .values.endpoints.identity.auth.admin
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_service_accounts
+ path: .osh.swift.keystone
+ dest:
+ path: .values.endpoints.identity.auth.swift
+
+ # Secrets
+ - dest:
+ path: .values.endpoints.identity.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_keystone_admin_password
+ path: .
+ - dest:
+ path: .values.endpoints.identity.auth.swift.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: ceph_swift_keystone_password
+ path: .
+
+data:
+ chart_name: osh-infra-ceph-config
+ release: osh-infra-ceph-config
+ namespace: osh-infra
+ wait:
+ timeout: 900
+ labels:
+ release_group: osh-infra-ceph-config
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: osh-infra-ceph-config
+ values:
+ labels:
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ provisioner:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ mds:
+ node_selector_key: ceph-mds
+ node_selector_value: enabled
+ rgw:
+ node_selector_key: ceph-rgw
+ node_selector_value: enabled
+ mgr:
+ node_selector_key: ceph-mgr
+ node_selector_value: enabled
+ deployment:
+ ceph: false
+ client_secrets: true
+ rbd_provisioner: false
+ cephfs_provisioner: false
+ rgw_keystone_user_and_endpoints: false
+ bootstrap:
+ enabled: false
+ conf:
+ rgw_ks:
+ enabled: true
+ dependencies:
+ - ceph-htk
+...
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/chart-group.yaml
new file mode 100644
index 000000000..4ab41ec20
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-ceph-config/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-ceph-config
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Ceph config for OpenStack-Infra namespace(s)
+ chart_group:
+ - osh-infra-ceph-config
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/chart-group.yaml
new file mode 100644
index 000000000..c9c8cf522
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-dashboards
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: OSH Infra Dashboards
+ chart_group:
+ - kibana
+ - grafana
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml
new file mode 100644
index 000000000..51eec5fa5
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/grafana.yaml
@@ -0,0 +1,251 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: grafana
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh_infra.grafana
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh_infra.grafana
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.oslo_db
+ dest:
+ path: .values.endpoints.oslo_db
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.oslo_db
+ dest:
+ path: .values.endpoints.oslo_db_session
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.grafana
+ dest:
+ path: .values.endpoints.grafana
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.monitoring
+ dest:
+ path: .values.endpoints.monitoring
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.ldap
+ dest:
+ path: .values.endpoints.ldap
+ # Accounts
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.grafana.admin
+ dest:
+ path: .values.endpoints.grafana.auth.admin
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.grafana.oslo_db
+ dest:
+ path: .values.endpoints.oslo_db.auth.user
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.grafana.oslo_db.database
+ dest:
+ path: .values.endpoints.oslo_db.path
+ pattern: DB_NAME
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.grafana.oslo_db_session
+ dest:
+ path: .values.endpoints.oslo_db_session.auth.user
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.grafana.oslo_db_session.database
+ dest:
+ path: .values.endpoints.oslo_db_session.path
+ pattern: DB_NAME
+
+ # Secrets
+ - dest:
+ path: .values.endpoints.grafana.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_grafana_admin_password
+ path: .
+ - dest:
+ path: .values.endpoints.oslo_db.auth.user.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_grafana_oslo_db_password
+ path: .
+ - dest:
+ path: .values.endpoints.oslo_db_session.auth.user.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_grafana_oslo_db_session_password
+ path: .
+ - dest:
+ path: .values.endpoints.oslo_db.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_oslo_db_admin_password
+ path: .
+ - dest:
+ path: .values.endpoints.oslo_db_session.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_oslo_db_admin_password
+ path: .
+
+ # LDAP Configuration Details
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.ldap.admin.bind
+ dest:
+ path: .values.endpoints.ldap.auth.admin.bind_dn
+ - dest:
+ path: .values.endpoints.ldap.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_keystone_ldap_password
+ path: .
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.subdomain
+ dest:
+ path: .values.conf.ldap.config.base_dns.search
+ pattern: SUBDOMAIN
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.domain
+ dest:
+ path: .values.conf.ldap.config.base_dns.search
+ pattern: DOMAIN
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.subdomain
+ dest:
+ path: .values.conf.ldap.config.base_dns.group_search
+ pattern: SUBDOMAIN
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.domain
+ dest:
+ path: .values.conf.ldap.config.base_dns.group_search
+ pattern: DOMAIN
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.common_name
+ dest:
+ path: .values.conf.ldap.config.filters.group_search
+ pattern: COMMON_NAME
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.subdomain
+ dest:
+ path: .values.conf.ldap.config.filters.group_search
+ pattern: SUBDOMAIN
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .ldap.domain
+ dest:
+ path: .values.conf.ldap.config.filters.group_search
+ pattern: DOMAIN
+data:
+ chart_name: grafana
+ release: grafana
+ namespace: osh-infra
+ wait:
+ timeout: 900
+ labels:
+ release_group: grafana
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: grafana
+ post:
+ create: []
+ values:
+ labels:
+ grafana:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ conf:
+ ldap:
+ config:
+ base_dns:
+ search: "DC=SUBDOMAIN,DC=DOMAIN,DC=com"
+ group_search: "OU=Groups,DC=SUBDOMAIN,DC=DOMAIN,DC=com"
+ filters:
+ search: "(sAMAccountName=%s)"
+ group_search: "(memberof=CN=COMMON_NAME,OU=Application,OU=Groups,DC=SUBDOMAIN,DC=DOMAIN,DC=com)"
+ template: |
+ verbose_logging = true
+ [[servers]]
+ host = "{{ tuple "ldap" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}"
+ port = {{ tuple "ldap" "public" "ldap" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ use_ssl = false
+ start_tls = false
+ ssl_skip_verify = false
+ bind_dn = "{{ .Values.endpoints.ldap.auth.admin.bind_dn }}"
+ bind_password = '{{ .Values.endpoints.ldap.auth.admin.password }}'
+ search_filter = "{{ .Values.conf.ldap.config.filters.search }}"
+ search_base_dns = ["{{ .Values.conf.ldap.config.base_dns.search }}"]
+ group_search_base_dns = ["{{ .Values.conf.ldap.config.base_dns.group_search }}"]
+ [servers.attributes]
+ username = "sAMAccountName"
+ surname = "sn"
+ member_of = "memberof"
+ email = "mail"
+ [[servers.group_mappings]]
+ group_dn = "{{.Values.endpoints.ldap.auth.admin.bind_dn }}"
+ org_role = "Admin"
+ [[servers.group_mappings]]
+ group_dn = "*"
+ org_role = "Viewer"
+ pod:
+ replicas:
+ grafana: 2
+ dependencies:
+ - osh-infra-helm-toolkit
+...
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/kibana.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/kibana.yaml
new file mode 100644
index 000000000..ccaf235c2
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-dashboards/kibana.yaml
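Review bot: The LDAP template in grafana.yaml sets `use_ssl = false` and `start_tls = false`, so the bind DN, `bind_password` and every user's login password travel to the directory unencrypted, and `verbose_logging = true` additionally writes the user information returned from LDAP to the Grafana log. I would default to `start_tls = true` (or `use_ssl = true` with an LDAPS port in the endpoint catalogue), keep `ssl_skip_verify = false`, and set `verbose_logging = false`. Separately, the Admin mapping uses the bind account as its group (`group_dn = "{{.Values.endpoints.ldap.auth.admin.bind_dn }}"`), which looks like an account DN rather than a group DN, and `group_dn = "*"` gives Viewer to every account that can authenticate; both deserve a dedicated group value or at least a comment stating the intent.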
@@ -0,0 +1,126 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kibana
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh_infra.kibana
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh_infra.kibana
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.elasticsearch
+ dest:
+ path: .values.endpoints.elasticsearch
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.kibana
+ dest:
+ path: .values.endpoints.kibana
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.ldap
+ dest:
+ path: .values.endpoints.ldap
+ # Accounts
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.elasticsearch.admin
+ dest:
+ path: .values.endpoints.elasticsearch.auth.admin
+
+ # Secrets
+ - dest:
+ path: .values.endpoints.elasticsearch.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_elasticsearch_admin_password
+ path: .
+
+ # LDAP Details
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.ldap.admin
+ dest:
+ path: .values.endpoints.ldap.auth.admin
+ - dest:
+ path: .values.endpoints.ldap.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_keystone_ldap_password
+ path: .
+data:
+ chart_name: kibana
+ release: kibana
+ namespace: osh-infra
+ wait:
+ timeout: 900
+ labels:
+ release_group: kibana
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: kibana
+ create: []
+ post:
+ create: []
+ values:
+ conf:
+ apache:
+ host: |
+
+ ProxyRequests off
+ ProxyPreserveHost On
+
+ ProxyPass http://localhost:{{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+ ProxyPassReverse http://localhost:{{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+
+
+ AuthName "Kibana"
+ AuthType Basic
+ AuthBasicProvider file ldap
+ AuthUserFile /usr/local/apache2/conf/.htpasswd
+ AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
+ AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
+ AuthLDAPURL {{ tuple "ldap" "public" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ Require valid-user
+
+
+ labels:
+ kibana:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ dependencies:
+ - osh-infra-helm-toolkit
+...
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/chart-group.yaml
new file mode 100644
index 000000000..a6dc3988c
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-ingress-controller
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: OpenStack Namespace Ingress
+ chart_group:
+ - osh-infra-ingress-controller
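Review bot: In kibana.yaml's Apache template the LDAP bind values are written unquoted, so a DN or passphrase that contains whitespace is split into several directive arguments; I would quote both, `AuthLDAPBindDN "{{ .Values.endpoints.ldap.auth.admin.bind }}"` and `AuthLDAPBindPassword "{{ .Values.endpoints.ldap.auth.admin.password }}"`. The same block appears in elasticsearch.yaml later in this patch, whose hunk continues past the part shown here. The passphrase is also rendered into `conf.apache.host`; the chart is not visible here, so it is worth confirming that this value is stored in a Secret rather than a ConfigMap, and that the `ldap` endpoint resolved for `AuthLDAPURL` uses LDAPS or STARTTLS.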
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml
new file mode 100644
index 000000000..03b2c638c
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-ingress-controller/ingress.yaml
@@ -0,0 +1,55 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-ingress-controller
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.ingress
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.ingress
+ dest:
+ path: .values.images.tags
+data:
+ chart_name: osh-infra-ingress-controller
+ release: osh-infra-ingress-controller
+ namespace: osh-infra
+ wait:
+ timeout: 900
+ labels:
+ release_group: osh-infra-ingress-controller
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: osh-infra-ingress-controller
+ values:
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ error_server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ pod:
+ replicas:
+ ingress: 2
+ error_page: 2
+ dependencies:
+ - osh-helm-toolkit
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-logging/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-logging/chart-group.yaml
new file mode 100644
index 000000000..0a1065777
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-logging/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-logging
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: OSH Infra Logging
+ chart_group:
+ - elasticsearch
+ - fluent-logging
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-logging/elasticsearch.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-logging/elasticsearch.yaml
new file mode 100644
index 000000000..cd9f1b50a
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-logging/elasticsearch.yaml
@@ -0,0 +1,186 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: elasticsearch-global + labels: + hosttype: elasticsearch-global + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.elasticsearch + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.elasticsearch + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.elasticsearch + dest: + path: .values.endpoints.elasticsearch + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.prometheus_elasticsearch_exporter + dest: + path: .values.endpoints.prometheus_elasticsearch_exporter + + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.ldap + dest: + path: .values.endpoints.ldap + + # Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.elasticsearch.admin + dest: + path: .values.endpoints.elasticsearch.auth.admin + + # Secrets + - dest: + path: .values.endpoints.elasticsearch.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_infra_elasticsearch_admin_password + path: . + + # LDAP Details + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.ldap.admin + dest: + path: .values.endpoints.ldap.auth.admin + - dest: + path: .values.endpoints.ldap.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_ldap_password + path: . 
+data: + chart_name: elasticsearch + release: elasticsearch + namespace: osh-infra + wait: + timeout: 900 + labels: + release_group: elasticsearch + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: elasticsearch + create: [] + post: + create: [] + values: + labels: + elasticsearch: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitoring: + prometheus: + enabled: true + conf: + apache: + host: | + + + ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + + + AuthName "Elasticsearch" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "public" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + Require valid-user + + + elasticsearch: + env: + java_opts: "-Xms5g -Xmx5g" + curator: + #run every 6th hour + schedule: "0 */6 * * *" + action_file: + # Remember, leave a key empty if there is no value. None will be a string, + # not a Python "NoneType" + # + # Also remember that all examples have 'disable_action' set to True. If you + # want to use this action as a template, be sure to set this to False after + # copying it. 
+ actions: + 1: + action: delete_indices + description: >- + "Delete indices older than 7 days" + options: + timeout_override: + continue_if_exception: False + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: logstash- + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + 2: + action: delete_indices + description: >- + "Delete indices by age if available disk space is + less than 80% total disk" + options: + timeout_override: 600 + continue_if_exception: False + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: logstash- + - filtertype: space + source: creation_date + use_age: True + disk_space: 1200 + storage: + elasticsearch: + requests: + storage: 500Gi + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-logging/fluent-logging.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-logging/fluent-logging.yaml new file mode 100644 index 000000000..199926738 --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-logging/fluent-logging.yaml 
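Review bot: `AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}` in `conf.apache.host` writes the LDAP bind password into the rendered Apache config in plain text, and the bind account is substituted from `.osh_infra.ldap.admin`, which by its name looks like a directory admin rather than a read-only search account. The nagios chart later in this patch carries the same block. A bind DN limited to searching the user subtree is enough for `Require valid-user`, and it is worth confirming that the chart renders this config into a Secret rather than a ConfigMap, which this hunk does not show. Because `AuthType Basic` checks user passwords against the directory through `AuthLDAPURL`, the `ldap`/`public` catalogue entry should resolve to `ldaps://` or have StartTLS enforced. I would record this above `apache:` with a comment such as `# LDAP bind account must be a read-only search user; its password is rendered into the vhost`.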
@@ -0,0 +1,171 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: fluent-logging-global + layeringDefinition: + abstract: true + layer: global + labels: + hosttype: fluent-logging-global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.fluent_logging + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.fluent_logging + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.elasticsearch + dest: + path: .values.endpoints.elasticsearch + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.prometheus_fluentd_exporter + dest: + path: .values.endpoints.prometheus_fluentd_exporter + # Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.elasticsearch.admin + dest: + path: .values.endpoints.elasticsearch.auth.admin + + # Secrets + - dest: + path: .values.endpoints.elasticsearch.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_infra_elasticsearch_admin_password + path: . 
+ +data: + chart_name: fluent-logging + release: fluent-logging + namespace: osh-infra + wait: + timeout: 900 + labels: + release_group: fluent-logging + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: fluent-logging + create: [] + post: + create: [] + values: + labels: + fluentd: + node_selector_key: openstack-control-plane + node_selector_value: enabled + fluentbit: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_fluentd_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + static: + fluentbit: + jobs: "" + services: + - endpoint: internal + service: fluentd + fluentd: + jobs: "" + services: + - endpoint: internal + service: elasticsearch + manifests: + job_elasticsearch_template: false + conf: + fluentbit: + - service: + header: service + Flush: 5 + Daemon: Off + Log_Level: info + Parsers_File: parsers.conf + - containers_tail: + header: input + Name: tail + Tag: kube.* + Path: /var/log/containers/*.log + Parser: docker + DB: /var/log/flb_kube.db + DB.Sync: Normal + Buffer_Chunk_Size: 1M + Buffer_Max_Size: 1M + Mem_Buf_Limit: 5MB + - kube_filter: + header: filter + Name: kubernetes + Match: kube.* + Merge_JSON_Log: On + - fluentd_output: + header: output + Name: forward + Match: "*" + Host: ${FLUENTD_HOST} + Port: ${FLUENTD_PORT} + td_agent: + - metrics_agent: + header: source + type: monitor_agent + bind: 0.0.0.0 + port: 24220 + - fluentbit_forward: + header: source + type: forward + port: "#{ENV['FLUENTD_PORT']}" + bind: 0.0.0.0 + - elasticsearch: + header: match + type: elasticsearch + user: "#{ENV['ELASTICSEARCH_USERNAME']}" + password: "#{ENV['ELASTICSEARCH_PASSWORD']}" + expression: "**" + include_tag_key: true + host: "#{ENV['ELASTICSEARCH_HOST']}" + port: "#{ENV['ELASTICSEARCH_PORT']}" + logstash_format: true + 
buffer_chunk_limit: 10M + buffer_queue_limit: 32 + flush_interval: 20s + max_retry_wait: 300 + disable_retry_limit: "" + num_threads: 8 + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/chart-group.yaml new file mode 100644 index 000000000..5aa0c0035 --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/chart-group.yaml @@ -0,0 +1,13 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: osh-infra-mariadb + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: OpenStack-Infra MariaDB + chart_group: + - osh-infra-mariadb diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml new file mode 100644 index 000000000..e7722878d --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-mariadb/mariadb.yaml 
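Review bot: The `fluentbit_forward` source in `conf.td_agent` listens on `bind: 0.0.0.0` with no shared key or TLS, and `fluentd_output` in `conf.fluentbit` sends without either, so any workload that can reach the fluentd port can submit records that are then written to Elasticsearch with the credentials in the `elasticsearch` match block (presumably the admin account substituted above). If the chart's config format passes through fluentd's `<security>` section with `shared_key` and fluent-bit's `Shared_Key` option, setting both would authenticate the forwarders; otherwise a NetworkPolicy limiting the port to the fluentbit pods closes the same gap. The `metrics_agent` source on port 24220 is bound to all interfaces as well and deserves the same restriction. A comment next to the source, e.g. `# forward input is unauthenticated; reachability is limited by <network policy name>`, would record whichever control is chosen.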
@@ -0,0 +1,77 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-mariadb
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.mariadb
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.mariadb
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_infra_endpoints
+ path: .osh_infra.oslo_db
+ dest:
+ path: .values.endpoints.olso_db
+ # Accounts
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_infra_service_accounts
+ path: .osh_infra.oslo_db.admin
+ dest:
+ path: .values.endpoints.oslo_db.auth.admin
+
+ # Secrets
+ - dest:
+ path: .values.endpoints.oslo_db.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_infra_oslo_db_admin_password
+ path: .
+
+data:
+ chart_name: osh-infra-mariadb
+ release: osh-infra-mariadb
+ namespace: osh-infra
+ wait:
+ timeout: 900
+ labels:
+ release_group: osh-infra-mariadb
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: osh-infra-mariadb
+ values:
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ prometheus_mysql_exporter:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ dependencies:
+ - osh-helm-toolkit
+...
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/chart-group.yaml
new file mode 100644
index 000000000..4cb879cd4
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/chart-group.yaml
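Review bot: The endpoint substitution in the mariadb chart writes to `.values.endpoints.olso_db`, a misspelling of `oslo_db`; the account and passphrase substitutions directly below it target `.values.endpoints.oslo_db.auth.admin`. As written, the catalogue entry from `.osh_infra.oslo_db` lands under a key the chart presumably never reads, so the database endpoint would silently stay at chart defaults while the admin credentials are still injected. The destination should read `path: .values.endpoints.oslo_db`.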
@@ -0,0 +1,17 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-monitoring
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: OSH Infra Monitoring
+ chart_group:
+ - prometheus
+ - prometheus-alertmanager
+ - prometheus-node-exporter
+ - prometheus-kube-state-metrics
+ - nagios
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/nagios.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/nagios.yaml
new file mode 100644
index 000000000..3ae3eeddd
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/nagios.yaml
@@ -0,0 +1,129 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: nagios + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.nagios + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.nagios + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.nagios + dest: + path: .values.endpoints.nagios + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.monitoring + dest: + path: .values.endpoints.monitoring + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.ldap + dest: + path: .values.endpoints.ldap + + # Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.nagios.admin + dest: + path: .values.endpoints.nagios.auth.admin + + # Secrets + - dest: + path: .values.endpoints.nagios.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_infra_nagios_admin_password + path: . + + # LDAP Details + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.ldap.admin + dest: + path: .values.endpoints.ldap.auth.admin + - dest: + path: .values.endpoints.ldap.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_ldap_password + path: . 
+ +data: + chart_name: nagios + release: nagios + namespace: osh-infra + wait: + timeout: 900 + labels: + release_group: nagios + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: nagios + create: [] + post: + create: [] + values: + conf: + apache: + host: | + + + ProxyPass http://localhost:{{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + + + AuthName "Nagios" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "public" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + Require valid-user + + + labels: + nagios: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + pod: + replicas: + nagios: 3 + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-alertmanager.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-alertmanager.yaml new file mode 100644 index 000000000..af3bea330 --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-alertmanager.yaml 
@@ -0,0 +1,68 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: prometheus-alertmanager + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.prometheus_alertmanager + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.prometheus_alertmanager + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.alerts + dest: + path: .values.endpoints.alerts + +data: + chart_name: prometheus-alertmanager + release: prometheus-alertmanager + namespace: osh-infra + wait: + timeout: 900 + labels: + release_group: prometheus-alertmanager + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: prometheus-alertmanager + create: [] + post: + create: [] + values: + manifests: + ingress: false + service_ingress: false + labels: + alertmanager: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-kube-state-metrics.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-kube-state-metrics.yaml new file mode 100644 index 000000000..35348a4fe --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-kube-state-metrics.yaml 
@@ -0,0 +1,77 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: prometheus-kube-state-metrics + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.prometheus_kube_state_metrics + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.prometheus_kube_state_metrics + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.kube_state_metrics + dest: + path: .values.endpoints.kube_state_metrics + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.kube_scheduler + dest: + path: .values.endpoints.kube_scheduler + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.kube_controller_manager + dest: + path: .values.endpoints.kube_controller_manager + +data: + chart_name: prometheus-kube-state-metrics + release: prometheus-kube-state-metrics + namespace: kube-system + wait: + timeout: 900 + labels: + release_group: prometheus-kube-state-metrics + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: prometheus-kube-state-metrics + create: [] + post: + create: [] + values: + labels: + kube_state_metrics: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-node-exporter.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-node-exporter.yaml new file mode 100644 index 000000000..efa79ae5f --- /dev/null 
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus-node-exporter.yaml @@ -0,0 +1,65 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: prometheus-node-exporter + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.prometheus_node_exporter + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.prometheus_node_exporter + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.node_metrics + dest: + path: .values.endpoints.node_metrics + +data: + chart_name: prometheus-node-exporter + release: prometheus-node-exporter + namespace: kube-system + wait: + timeout: 900 + labels: + release_group: prometheus-node-exporter + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: prometheus-node-exporter + create: [] + post: + create: [] + values: + labels: + node_exporter: + node_selector_key: node-exporter + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml new file mode 100644 index 000000000..584813fa8 --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-monitoring/prometheus.yaml 
@@ -0,0 +1,80 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: prometheus + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.prometheus + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.prometheus + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.monitoring + dest: + path: .values.endpoints.monitoring + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.alerts + dest: + path: .values.endpoints.alerts + +data: + chart_name: prometheus + release: prometheus + namespace: osh-infra + wait: + timeout: 900 + labels: + release_group: prometheus + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: prometheus + create: [] + post: + create: [] + values: + manifests: + ingress: false + service_ingress: false + labels: + prometheus: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + pod: + replicas: + prometheus: 3 + storage: + requests: + storage: 500Gi + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/chart-group.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/chart-group.yaml new file mode 100644 index 000000000..020a347a8 --- /dev/null +++ b/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/chart-group.yaml 
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh-infra-prometheus-openstack-exporter
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Prometheus OpenStack Exporter
+ chart_group:
+ - prometheus-openstack-exporter
diff --git a/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/prometheus-openstack-exporter.yaml b/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/prometheus-openstack-exporter.yaml
new file mode 100644
index 000000000..0fddbd005
--- /dev/null
+++ b/global/v4.0/software/charts/osh-infra/osh-infra-openstack-exporter/prometheus-openstack-exporter.yaml
@@ -0,0 +1,95 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: prometheus-openstack-exporter + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh_infra.prometheus_openstack_exporter + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh_infra.prometheus_openstack_exporter + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.prometheus_openstack_exporter + dest: + path: .values.endpoints.prometheus_openstack_exporter + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + + # Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_infra_service_accounts + path: .osh_infra.prometheus_openstack_exporter.user + dest: + path: .values.endpoints.identity.auth.user + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: osh_infra_openstack_exporter_password + path: . 
+data: + chart_name: prometheus-openstack-exporter + release: prometheus-openstack-exporter + namespace: openstack + wait: + timeout: 900 + labels: + release_group: prometheus-openstack-exporter + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: prometheus-openstack-exporter + values: + labels: + openstack_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-infra-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/dependencies.yaml b/global/v4.0/software/charts/osh/dependencies.yaml new file mode 100644 index 000000000..64523093f --- /dev/null +++ b/global/v4.0/software/charts/osh/dependencies.yaml @@ -0,0 +1,28 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: osh-helm-toolkit + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.helm_toolkit + dest: + path: .source +data: + chart_name: helm-toolkit + release: osh-helm-toolkit + namespace: osh-helm-toolkit + wait: + timeout: 600 + labels: + release_group: osh-helm-toolkit + upgrade: + no_hooks: true + values: {} + dependencies: [] diff --git a/global/v4.0/software/charts/osh/openstack-ceph-config/ceph-config.yaml b/global/v4.0/software/charts/osh/openstack-ceph-config/ceph-config.yaml new file mode 100644 index 000000000..4ea28193c --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-ceph-config/ceph-config.yaml 
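Review bot: The prometheus-openstack-exporter chart is handed the Keystone admin account (`.osh.keystone.admin` plus `osh_keystone_admin_password`) alongside its own `.osh_infra.prometheus_openstack_exporter.user` account, so a metrics exporter release carries cloud-admin credentials in its values. That is presumably needed by a job that creates the exporter user, but nothing in this hunk limits where the admin password is rendered. It is worth confirming that the chart exposes it only to that job and that the long-running exporter pod authenticates as `auth.user`. If that is the intent, a comment above the `# Secrets` block such as `# admin credentials are for the user-creation job only; the exporter runs as auth.user` would document it.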
@@ -0,0 +1,142 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: openstack-ceph-config + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-client + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-client + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . 
+ - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + +data: + chart_name: openstack-ceph-config + release: openstack-ceph-config + namespace: openstack + wait: + timeout: 900 + labels: + release_group: openstack-ceph-config + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: openstack-ceph-config + values: + labels: + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + provisioner: + node_selector_key: openstack-control-plane + node_selector_value: enabled + mds: + node_selector_key: ceph-mds + node_selector_value: enabled + rgw: + node_selector_key: ceph-rgw + node_selector_value: enabled + mgr: + node_selector_key: ceph-mgr + node_selector_value: enabled + deployment: + ceph: false + client_secrets: true + rbd_provisioner: false + cephfs_provisioner: false + rgw_keystone_user_and_endpoints: false + bootstrap: + enabled: false + conf: + rgw_ks: + enabled: true + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/osh/openstack-ceph-config/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-ceph-config/chart-group.yaml new file mode 100644 index 000000000..338abe65b --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-ceph-config/chart-group.yaml @@ -0,0 +1,13 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: openstack-ceph-config + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Ceph config for OpenStack namespace(s) + chart_group: + - openstack-ceph-config diff --git a/global/v4.0/software/charts/osh/openstack-cinder/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-cinder/chart-group.yaml new file mode 100644 index 000000000..d84e66111 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-cinder/chart-group.yaml 
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-cinder
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Cinder
+ chart_group:
+ - cinder-rabbitmq
+ - cinder
diff --git a/global/v4.0/software/charts/osh/openstack-cinder/cinder.yaml b/global/v4.0/software/charts/osh/openstack-cinder/cinder.yaml
new file mode 100644
index 000000000..adb04c444
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-cinder/cinder.yaml
@@ -0,0 +1,287 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: cinder + labels: + component: cinder + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.cinder + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.cinder + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.image + dest: + path: .values.endpoints.image + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.image_registry + dest: + path: .values.endpoints.image_registry + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.volume + dest: + path: .values.endpoints.volume + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.volumev2 + dest: + path: .values.endpoints.volumev2 + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.volumev3 + dest: + path: .values.endpoints.volumev3 + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.cinder_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: 
.osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.cinder + dest: + path: .values.endpoints.identity.auth.cinder + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.oslo_messaging.cinder + dest: + path: .values.endpoints.oslo_messaging.auth.cinder + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.cinder + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.cinder.password + src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.cinder.password + src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.cinder.password + src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . 
+ - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . +data: + chart_name: cinder + release: cinder + namespace: openstack + wait: + timeout: 900 + labels: + release_group: cinder + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: cinder + post: + create: [] + values: + pod: + replicas: + api: 2 + volume: 2 + scheduler: 2 + backup: 2 + labels: + api: + node_selector_key: openstack-control-plane + node_selector_value: enabled + backup: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + scheduler: + node_selector_key: openstack-control-plane + node_selector_value: enabled + test: + node_selector_key: openstack-control-plane + node_selector_value: enabled + volume: + node_selector_key: openstack-control-plane + node_selector_value: enabled + conf: + logging: + loggers: + keys: + - root + - cinder + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_cinder: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: cinder + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + 
class: fluent.handler.FluentHandler + args: ('openstack.cinder', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-cinder/rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-cinder/rabbitmq.yaml new file mode 100644 index 000000000..395ab17b2 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-cinder/rabbitmq.yaml 
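Review bot: `logger_root` sets `handlers: null` unquoted, so YAML parses it as a null value rather than the string that names `handler_null`, even though the `handlers.keys` list just above it quotes `"null"`. Depending on how Armada and Helm merge a null override, the root logger may end up with no `handlers` entry or a literal nil in the rendered logging config, which can break or silence service logging. I would write `handlers: 'null'` here. The same unquoted value appears in the `logger_root` blocks of neutron.yaml and nova.yaml in this patch.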
@@ -0,0 +1,95 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: cinder-rabbitmq + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.rabbitmq + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.rabbitmq + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.cinder_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.cinder_rabbitmq_exporter + dest: + path: .values.endpoints.prometheus_rabbitmq_exporter + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.cinder.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + + - src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_rabbitmq_erlang_cookie + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.erlang_cookie + - src: + schema: deckhand/Passphrase/v1 + name: osh_cinder_oslo_messaging_admin_password + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.user.password +data: + chart_name: cinder-rabbitmq + release: cinder-rabbitmq + namespace: openstack + wait: + timeout: 900 + labels: + release_group: cinder-rabbitmq + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: cinder-rabbitmq + values: + pod: + replicas: + server: 1 + labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_rabbitmq_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitoring: + prometheus: + enabled: true + dependencies: + - osh-helm-toolkit +... 
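Review bot: `values.pod.replicas.server: 1` leaves cinder's message bus on a single broker pod, while cinder.yaml in this patch runs two replicas of every cinder service against it, so a restart or node loss of that one pod interrupts all cinder RPC. If a single replica is intentional for this reference site, a comment such as `# single broker: no clustering in the reference deployment` would record that; otherwise consider a clustered replica count. neutron-rabbitmq.yaml and nova-rabbitmq.yaml set the same value.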
diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/chart-group.yaml
new file mode 100644
index 000000000..fd889fbab
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-compute-kit/chart-group.yaml
@@ -0,0 +1,18 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-compute-kit
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Nova, Neutron, Openvswitch, and Libvirt
+ chart_group:
+ - libvirt
+ - openvswitch
+ - neutron-rabbitmq
+ - nova-rabbitmq
+ - neutron
+ - nova
diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/libvirt.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/libvirt.yaml
new file mode 100644
index 000000000..90693500b
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-compute-kit/libvirt.yaml
@@ -0,0 +1,48 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: libvirt
+ labels:
+ name: libvirt-global
+ component: libvirt
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.libvirt
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.libvirt
+ dest:
+ path: .values.images.tags
+data:
+ chart_name: libvirt
+ release: libvirt
+ namespace: openstack
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: libvirt
+ values:
+ labels:
+ agent:
+ libvirt:
+ node_selector_key: openstack-libvirt
+ node_selector_value: kernel
+ dependencies:
+ - osh-helm-toolkit
diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/neutron-rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/neutron-rabbitmq.yaml
new file mode 100644
index 000000000..5f0d61f39
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-compute-kit/neutron-rabbitmq.yaml
@@ -0,0 +1,95 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: neutron-rabbitmq + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.rabbitmq + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.rabbitmq + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.neutron_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.neutron_rabbitmq_exporter + dest: + path: .values.endpoints.prometheus_rabbitmq_exporter + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + + - src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_rabbitmq_erlang_cookie + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.erlang_cookie + - src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_oslo_messaging_admin_password + path: . 
+ dest: + path: .values.endpoints.oslo_messaging.auth.user.password +data: + chart_name: neutron-rabbitmq + release: neutron-rabbitmq + namespace: openstack + wait: + timeout: 900 + labels: + release_group: neutron-rabbitmq + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: neutron-rabbitmq + values: + pod: + replicas: + server: 1 + labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_rabbitmq_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitoring: + prometheus: + enabled: true + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/neutron.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/neutron.yaml new file mode 100644 index 000000000..f7c4b108e --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-compute-kit/neutron.yaml 
@@ -0,0 +1,334 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: neutron + labels: + name: neutron-global + component: neutron + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.neutron + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.neutron + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.compute + dest: + path: .values.endpoints.compute + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.compute_metadata + dest: + path: .values.endpoints.image_registry + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.neutron_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.network + dest: + path: .values.endpoints.network + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.neutron + dest: + path: .values.endpoints.identity.auth.neutron + 
- src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.nova + dest: + path: .values.endpoints.identity.auth.nova + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.oslo_messaging.neutron + dest: + path: .values.endpoints.oslo_messaging.auth.neutron + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.neutron + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.neutron.password + src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_password + path: . + - dest: + path: .values.endpoints.identity.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.neutron.password + src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.neutron.password + src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . 
+ - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . + + # Interfaces for neutron configuration + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .neutron.tunnel_device + dest: + path: .values.network.interface.tunnel + pattern: 'TUNNEL_DEVICE' + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .neutron.external_iface + dest: + path: .values.network.interface.external + pattern: 'EXTERNAL_INTERFACE' + +data: + chart_name: neutron + release: neutron + namespace: openstack + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: neutron + post: + create: [] + values: + pod: + replicas: + server: 2 + labels: + agent: + dhcp: + node_selector_key: openstack-control-plane + node_selector_value: enabled + l3: + # To enable the forcing of routers onto controllers that have + # a public cidr so that tenant floating IPs can route properly + node_selector_key: openstack-l3-agent + node_selector_value: enabled + metadata: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + lb: + node_selector_key: linuxbridge + node_selector_value: enabled + ovs: + node_selector_key: openvswitch + node_selector_value: enabled + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + test: + node_selector_key: openstack-control-plane + node_selector_value: enabled + network: + interface: + tunnel: 'TUNNEL_DEVICE' + external: 'EXTERNAL_INTERFACE' + conf: + logging: + loggers: + keys: + - root + - neutron + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_neutron: + level: INFO + handlers: + - stdout + - stderr + - fluent 
+ qualname: neutron + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('openstack.neutron', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + neutron: + DEFAULT: + l3_ha: True + min_l3_agents_per_router: 2 + max_l3_agents_per_router: 5 + l3_ha_network_type: vxlan + dhcp_agents_per_network: 2 + oslo_messaging_rabbit: + heartbeat_timeout_threshold: 0 + plugins: + ml2_conf: + ml2: + extension_drivers: port_security + mechanism_drivers: l2population,openvswitch + type_drivers: vlan,flat,vxlan + tenant_network_types: vxlan + ml2_type_vlan: + network_vlan_ranges: bond1 + openvswitch_agent: + agent: + tunnel_types: vxlan + ovs: + bridge_mappings: bond1:br-bond1 + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/nova-rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/nova-rabbitmq.yaml new file mode 100644 index 000000000..0fdaa42a2 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-compute-kit/nova-rabbitmq.yaml 
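Review bot: The third endpoint substitution copies `.osh.compute_metadata` into `.values.endpoints.image_registry`, which looks like a copy-paste slip: the compute metadata endpoint lands under the image registry key, and nothing in this document populates `.values.endpoints.compute_metadata`. If the neutron chart's metadata agent reads `endpoints.compute_metadata`, it would presumably fall back to chart defaults instead of the site catalogue. I would change the destination to `path: .values.endpoints.compute_metadata` and, if an image registry endpoint is actually needed, add a separate entry sourced from `.osh.image_registry` as cinder.yaml does.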
@@ -0,0 +1,95 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: nova-rabbitmq + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.rabbitmq + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.rabbitmq + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.nova_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.nova_rabbitmq_exporter + dest: + path: .values.endpoints.prometheus_rabbitmq_exporter + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + + - src: + schema: deckhand/Passphrase/v1 + name: osh_nova_rabbitmq_erlang_cookie + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.erlang_cookie + - src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_messaging_admin_password + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.user.password +data: + chart_name: nova-rabbitmq + release: nova-rabbitmq + namespace: openstack + wait: + timeout: 900 + labels: + release_group: nova-rabbitmq + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: nova-rabbitmq + values: + pod: + replicas: + server: 1 + labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_rabbitmq_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitoring: + prometheus: + enabled: true + dependencies: + - osh-helm-toolkit +... 
diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/nova.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/nova.yaml
new file mode 100644
index 000000000..a52876b28
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-compute-kit/nova.yaml
@@ -0,0 +1,403 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: nova-global + labels: + name: nova-global + component: nova + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.nova + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.nova + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db_api + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db_cell0 + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.nova_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.image + dest: + path: .values.endpoints.image + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.compute + dest: + path: .values.endpoints.compute + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.compute_metadata + dest: + path: .values.endpoints.compute_metadata + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.compute_novnc_proxy + dest: + path: .values.endpoints.compute_novnc_proxy + - src: + schema: pegleg/EndpointCatalogue/v1 
+ name: osh_endpoints + path: .osh.compute_spice_proxy + dest: + path: .values.endpoints.compute_spice_proxy + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.placement + dest: + path: .values.endpoints.placement + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.network + dest: + path: .values.endpoints.network + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + + # Service Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.nova + dest: + path: .values.endpoints.identity.auth.nova + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.neutron.neutron + dest: + path: .values.endpoints.identity.auth.neutron + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.placement + dest: + path: .values.endpoints.identity.auth.placement + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_messaging.nova + dest: + path: .values.endpoints.oslo_messaging.auth.nova + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db.username + dest: + path: .values.endpoints.oslo_db.auth.nova.username + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db_api + dest: + path: 
.values.endpoints.oslo_db_api.auth.nova + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db_api.database + dest: + path: .values.endpoints.oslo_db_api.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db_cell0 + dest: + path: .values.endpoints.oslo_db_cell0.auth.nova + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.nova.oslo_db_cell0.database + dest: + path: .values.endpoints.oslo_db_cell0.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_password + path: . + - dest: + path: .values.endpoints.identity.auth.neutron.password + src: + schema: deckhand/Passphrase/v1 + name: osh_neutron_password + path: . + - dest: + path: .values.endpoints.identity.auth.placement.password + src: + schema: deckhand/Passphrase/v1 + name: osh_placement_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db_api.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db_cell0.auth.nova.password + src: + schema: deckhand/Passphrase/v1 + name: osh_nova_oslo_db_password + path: . 
+ - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_db_api.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_db_cell0.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . +data: + chart_name: nova + release: nova + namespace: openstack + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: nova + post: + create: [] + values: + labels: + agent: + compute: + node_selector_key: openstack-nova-compute + node_selector_value: enabled + api_metadata: + node_selector_key: openstack-control-plane + node_selector_value: enabled + conductor: + node_selector_key: openstack-control-plane + node_selector_value: enabled + consoleauth: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + novncproxy: + node_selector_key: openstack-control-plane + node_selector_value: enabled + osapi: + node_selector_key: openstack-control-plane + node_selector_value: enabled + placement: + node_selector_key: openstack-control-plane + node_selector_value: enabled + scheduler: + node_selector_key: openstack-control-plane + node_selector_value: enabled + spiceproxy: + node_selector_key: openstack-control-plane + node_selector_value: enabled + test: + node_selector_key: openstack-control-plane + node_selector_value: enabled + pod: + replicas: + api_metadata: 2 + placement: 1 + osapi: 2 + conductor: 2 + consoleauth: 1 + scheduler: 1 + novncproxy: 1 + conf: + logging: + loggers: + keys: + - root + - nova 
+ handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_nova: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: nova + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('openstack.nova', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-compute-kit/openvswitch.yaml b/global/v4.0/software/charts/osh/openstack-compute-kit/openvswitch.yaml new file mode 100644 index 000000000..15931c6c6 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-compute-kit/openvswitch.yaml 
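Review bot: This document is named `nova-global` with `abstract: true`, while the openstack-compute-kit chart group in this patch lists a chart named `nova`, and nothing in the hunk says where the concrete `nova` document comes from. If it is expected from a type- or site-layer document that layers on the `name: nova-global` label, a comment at the top would make that explicit, e.g. `# Abstract parent: a lower layer must define the concrete 'nova' chart document`. Without such a child the chart group reference would not resolve, as far as the visible manifests show.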
@@ -0,0 +1,62 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openvswitch
+ layeringDefinition:
+ abstract: false
+ layer: global
+ labels:
+ name: openvswitch-global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.openvswitch
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.openvswitch
+ dest:
+ path: .values.images.tags
+ # External Interface
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .openvswitch.external_iface
+ dest:
+ path: .values.network.interface.external
+ pattern: 'EXTERNAL_INTERFACE'
+data:
+ chart_name: openvswitch
+ release: openvswitch
+ namespace: openstack
+ wait:
+ timeout: 900
+ labels:
+ release_group: openvswitch
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: openvswitch
+ values:
+ labels:
+ ovs:
+ node_selector_key: openvswitch
+ node_selector_value: enabled
+ network:
+ external_bridge: br-bond1
+ interface:
+ external: 'EXTERNAL_INTERFACE'
+ dependencies:
+ - osh-helm-toolkit
diff --git a/global/v4.0/software/charts/osh/openstack-glance/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-glance/chart-group.yaml
new file mode 100644
index 000000000..bad0e1e1c
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-glance/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-glance
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Glance
+ chart_group:
+ - glance-rabbitmq
+ - glance
diff --git a/global/v4.0/software/charts/osh/openstack-glance/glance.yaml b/global/v4.0/software/charts/osh/openstack-glance/glance.yaml
new file mode 100644
index 000000000..b3283dd82
--- /dev/null
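Review bot: `external_bridge: br-bond1` is a literal in the global layer, while the interface next to it is substituted from `pegleg/CommonAddresses/v1` through the `EXTERNAL_INTERFACE` pattern. The bridge name embeds a bond name that is presumably defined by each site's host profiles, so a site with different NIC naming has to override this document to get a working external bridge. Either source the bridge name from common-addresses as well, or add a comment next to it such as `# bridge name must match the bond defined in the site's host profile`.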
+++ b/global/v4.0/software/charts/osh/openstack-glance/glance.yaml 
@@ -0,0 +1,296 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: glance + labels: + component: glance + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.glance + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.glance + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.image + dest: + path: .values.endpoints.image + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.image_registry + dest: + path: .values.endpoints.image_registry + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.glance_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.ceph_object_store + dest: + path: .values.endpoints.ceph_object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: 
pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.glance + dest: + path: .values.endpoints.identity.auth.glance + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.oslo_messaging.glance + dest: + path: .values.endpoints.oslo_messaging.auth.glance + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.glance + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.glance.ceph_object_store + dest: + path: .values.endpoints.ceph_object_store.auth.glance + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.glance.password + src: + schema: deckhand/Passphrase/v1 + name: osh_glance_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_glance_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.glance.password + src: + schema: deckhand/Passphrase/v1 + name: osh_glance_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.glance.password + src: + schema: deckhand/Passphrase/v1 + name: osh_glance_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . 
+ - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . + - dest: + path: .values.endpoints.object_store.auth.glance.tmpurlkey + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.endpoints.ceph_object_store.auth.glance.tmpurlkey + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.endpoints.ceph_object_store.auth.glance.password + src: + schema: deckhand/Passphrase/v1 + name: osh_glance_password + path: . +data: + chart_name: glance + release: glance + namespace: openstack + wait: + timeout: 900 + labels: + release_group: glance + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: glance + post: + create: [] + values: + pod: + replicas: + api: 2 + registry: 2 + labels: + api: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + registry: + node_selector_key: openstack-control-plane + node_selector_value: enabled + manifests: + job_bootstrap: false + conf: + logging: + loggers: + keys: + - root + - glance + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_glance: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: glance + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: 
logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('openstack.glance', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-glance/rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-glance/rabbitmq.yaml new file mode 100644 index 000000000..667c59174 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-glance/rabbitmq.yaml 
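Review bot: The Secrets substitutions reuse one passphrase for unrelated purposes: `ceph_swift_keystone_password` is written to both `.values.endpoints.object_store.auth.glance.tmpurlkey` and `.values.endpoints.ceph_object_store.auth.glance.tmpurlkey`, and `osh_glance_password` fills both the identity and the ceph_object_store glance password. A temp-URL key is a signing secret with a different exposure and rotation need than an account password, so disclosure of either value also discloses the other. I would source the key from its own `deckhand/Passphrase/v1` document, e.g. `name: <glance_tmpurlkey_passphrase>` (placeholder name), and give the object-store account its own passphrase as well.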
@@ -0,0 +1,95 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: glance-rabbitmq
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.rabbitmq
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.rabbitmq
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.glance_oslo_messaging
+ dest:
+ path: .values.endpoints.oslo_messaging
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.glance_rabbitmq_exporter
+ dest:
+ path: .values.endpoints.prometheus_rabbitmq_exporter
+ # Credentials
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_service_accounts
+ path: .osh.glance.oslo_messaging.admin
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.user
+
+ # Secrets
+
+ - src:
+ schema: deckhand/Passphrase/v1
+ name: osh_glance_rabbitmq_erlang_cookie
+ path: .
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.erlang_cookie
+ - src:
+ schema: deckhand/Passphrase/v1
+ name: osh_glance_oslo_messaging_admin_password
+ path: .
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.user.password
+data:
+ chart_name: glance-rabbitmq
+ release: glance-rabbitmq
+ namespace: openstack
+ wait:
+ timeout: 900
+ labels:
+ release_group: glance-rabbitmq
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: glance-rabbitmq
+ values:
+ pod:
+ replicas:
+ server: 1
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ prometheus_rabbitmq_exporter:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ monitoring:
+ prometheus:
+ enabled: true
+ dependencies:
+ - osh-helm-toolkit
+...
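Review bot: `replicas: server: 1` makes the glance message bus a single pod, while the glance chart in this patch runs `api: 2` and `registry: 2`, so the broker is the one component of the service that cannot lose a node. The heat and keystone `rabbitmq.yaml` hunks set the same value. If a single broker is deliberate for this reference manifest, say so beside the value, e.g. `# single broker by design; raise per site for HA`; otherwise the global default should be a clustered count.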
diff --git a/global/v4.0/software/charts/osh/openstack-heat/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-heat/chart-group.yaml
new file mode 100644
index 000000000..36bee7e92
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-heat/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-heat
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Heat
+ chart_group:
+ - heat-rabbitmq
+ - heat
diff --git a/global/v4.0/software/charts/osh/openstack-heat/heat.yaml b/global/v4.0/software/charts/osh/openstack-heat/heat.yaml
new file mode 100644
index 000000000..81f9bd4cc
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-heat/heat.yaml
@@ -0,0 +1,297 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: heat + labels: + name: heat-global + component: heat + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.heat + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.heat + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.orchestration + dest: + path: .values.endpoints.orchestration + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.cloudformation + dest: + path: .values.endpoints.cloudformation + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.cloudwatch + dest: + path: .values.endpoints.cloudwatch + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.heat_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.heat + dest: + path: .values.endpoints.identity.auth.heat + - src: + 
schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.heat_trustee + dest: + path: .values.endpoints.identity.auth.heat_trustee + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.heat_stack_user + dest: + path: .values.endpoints.identity.auth.heat_stack_user + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.oslo_messaging.heat + dest: + path: .values.endpoints.oslo_messaging.auth.heat + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.heat + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.heat.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.heat.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_password + path: . + - dest: + path: .values.endpoints.identity.auth.heat_trustee.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_trustee_password + path: . + - dest: + path: .values.endpoints.identity.auth.heat_stack_user.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_stack_user_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.heat.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_oslo_messaging_password + path: . 
+ - dest: + path: .values.endpoints.oslo_db.auth.heat.password + src: + schema: deckhand/Passphrase/v1 + name: osh_heat_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . +data: + chart_name: heat + release: heat + namespace: openstack + wait: + timeout: 900 + labels: + release_group: heat + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: heat + post: + create: [] + values: + pod: + replicas: + api: 1 + cfn: 1 + cloudwatch: 1 + engine: 2 + labels: + api: + node_selector_key: openstack-control-plane + node_selector_value: enabled + cfn: + node_selector_key: openstack-control-plane + node_selector_value: enabled + cloudwatch: + node_selector_key: openstack-control-plane + node_selector_value: enabled + engine: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + conf: + logging: + loggers: + keys: + - root + - heat + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_heat: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: heat + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () 
+ handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('openstack.heat', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-heat/rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-heat/rabbitmq.yaml new file mode 100644 index 000000000..6e01d9190 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-heat/rabbitmq.yaml 
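Review bot: `handler_fluent` hard-codes the collector as `args: ('openstack.heat', 'fluentd-logging.osh-infra', 24224)` even though this hunk already substitutes the fluentd endpoint from `osh_infra_endpoints` into `.values.endpoints.fluentd`, so a site that changes the endpoint catalogue would still ship logs to the literal host and port. The glance and keystone charts in this patch carry the same literal, as does the nova chart whose hunk begins outside this view. If the handler arguments cannot be derived from the endpoint, add a comment on the args line such as `# must match osh_infra_endpoints .osh_infra.fluentd host and port`. It is also worth confirming that this forward connection is protected in transit, since INFO-level service logs travel over it.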
@@ -0,0 +1,95 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: heat-rabbitmq
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.rabbitmq
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.rabbitmq
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.heat_oslo_messaging
+ dest:
+ path: .values.endpoints.oslo_messaging
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.heat_rabbitmq_exporter
+ dest:
+ path: .values.endpoints.prometheus_rabbitmq_exporter
+ # Credentials
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: osh_service_accounts
+ path: .osh.heat.oslo_messaging.admin
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.user
+
+ # Secrets
+
+ - src:
+ schema: deckhand/Passphrase/v1
+ name: osh_heat_rabbitmq_erlang_cookie
+ path: .
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.erlang_cookie
+ - src:
+ schema: deckhand/Passphrase/v1
+ name: osh_heat_oslo_messaging_admin_password
+ path: .
+ dest:
+ path: .values.endpoints.oslo_messaging.auth.user.password
+data:
+ chart_name: heat-rabbitmq
+ release: heat-rabbitmq
+ namespace: openstack
+ wait:
+ timeout: 900
+ labels:
+ release_group: heat-rabbitmq
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: heat-rabbitmq
+ values:
+ pod:
+ replicas:
+ server: 1
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ prometheus_rabbitmq_exporter:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ monitoring:
+ prometheus:
+ enabled: true
+ dependencies:
+ - osh-helm-toolkit
+...
diff --git a/global/v4.0/software/charts/osh/openstack-horizon/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-horizon/chart-group.yaml
new file mode 100644
index 000000000..f59b955e0
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-horizon/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-horizon
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Horizon
+ chart_group:
+ - horizon
diff --git a/global/v4.0/software/charts/osh/openstack-horizon/horizon.yaml b/global/v4.0/software/charts/osh/openstack-horizon/horizon.yaml
new file mode 100644
index 000000000..de5f82759
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-horizon/horizon.yaml
@@ -0,0 +1,114 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: horizon + labels: + component: horizon + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.horizon + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.horizon + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.dashboard + dest: + path: .values.endpoints.dashboard + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + + # Service Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.horizon.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.horizon + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.horizon.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.oslo_db.auth.keystone.password + src: + schema: deckhand/Passphrase/v1 + name: osh_horizon_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . 
+data: + chart_name: horizon + release: horizon + namespace: openstack + install: + no_hooks: false + wait: + timeout: 900 + labels: + release_group: horizon + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: horizon + post: + create: [] + values: + labels: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-ingress-controller/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-ingress-controller/chart-group.yaml new file mode 100644 index 000000000..431942a97 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-ingress-controller/chart-group.yaml @@ -0,0 +1,13 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: openstack-ingress-controller + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: OpenStack Namespace Ingress + chart_group: + - openstack-ingress-controller diff --git a/global/v4.0/software/charts/osh/openstack-ingress-controller/ingress.yaml b/global/v4.0/software/charts/osh/openstack-ingress-controller/ingress.yaml new file mode 100644 index 000000000..f3710668e --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-ingress-controller/ingress.yaml 
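Review bot: The first Secrets entry writes `osh_horizon_oslo_db_password` to `.values.endpoints.oslo_db.auth.keystone.password`, but the Service Accounts block above populates `.values.endpoints.oslo_db.auth.horizon`. The horizon database account therefore appears to be left without its password, and a stray `keystone` key is created under horizon's oslo_db auth. This looks like a carry-over from the keystone chart; the destination should read `path: .values.endpoints.oslo_db.auth.horizon.password`. Separately, `values.labels` sets `node_selector_key` and `node_selector_value` directly, without the per-component key the other charts in this patch use, which is worth checking against the horizon chart's values layout (not visible here).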
@@ -0,0 +1,55 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-ingress-controller
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.ingress
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.ingress
+ dest:
+ path: .values.images.tags
+data:
+ chart_name: openstack-ingress-controller
+ release: openstack-ingress-controller
+ namespace: openstack
+ wait:
+ timeout: 900
+ labels:
+ release_group: openstack-ingress-controller
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: openstack-ingress-controller
+ values:
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ error_server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ pod:
+ replicas:
+ ingress: 2
+ error_page: 2
+ dependencies:
+ - osh-helm-toolkit
diff --git a/global/v4.0/software/charts/osh/openstack-keystone/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-keystone/chart-group.yaml
new file mode 100644
index 000000000..007be8ef4
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-keystone/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-keystone
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Keystone
+ chart_group:
+ - keystone-rabbitmq
+ - keystone
diff --git a/global/v4.0/software/charts/osh/openstack-keystone/keystone.yaml b/global/v4.0/software/charts/osh/openstack-keystone/keystone.yaml
new file mode 100644
index 000000000..4f0aeb39d
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-keystone/keystone.yaml
@@ -0,0 +1,259 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: keystone + labels: + name: keystone-global + component: keystone + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.keystone + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.keystone + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.keystone_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + + # Service Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.oslo_messaging.keystone + dest: + path: .values.endpoints.oslo_messaging.auth.keystone + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.keystone + - src: + schema: 
pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_oslo_messaging_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.keystone.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.keystone.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.oslo_cache.auth.memcache_secret_key + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_cache_secret_key + path: . 
+ +data: + chart_name: keystone + release: keystone + namespace: openstack + wait: + timeout: 900 + labels: + release_group: keystone + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: keystone + post: + create: [] + values: + bootstrap: + script: | + openstack role create --or-show _member_ + openstack role add \ + --user="${OS_USERNAME}" \ + --user-domain="${OS_USER_DOMAIN_NAME}" \ + --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ + --project="${OS_PROJECT_NAME}" \ + "_member_" + + #NOTE(portdirect): required for all users who operate heat stacks + openstack role create --or-show heat_stack_owner + openstack role add \ + --user="${OS_USERNAME}" \ + --user-domain="${OS_USER_DOMAIN_NAME}" \ + --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ + --project="${OS_PROJECT_NAME}" \ + "heat_stack_owner" + conf: + logging: + loggers: + keys: + - root + - keystone + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_keystone: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: keystone + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('openstack.keystone', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: 
oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + keystone: + identity: + driver: sql + default_domain_id: default + domain_specific_drivers_enabled: True + domain_configurations_from_database: True + domain_config_dir: /etc/keystonedomains + pod: + replicas: + api: 2 + labels: + api: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-keystone/rabbitmq.yaml b/global/v4.0/software/charts/osh/openstack-keystone/rabbitmq.yaml new file mode 100644 index 000000000..ce0aa2361 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-keystone/rabbitmq.yaml 
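Review bot: Under `conf.keystone.identity`, `domain_configurations_from_database: True` is set together with `domain_config_dir: /etc/keystonedomains`. With database-backed domain configuration enabled, Keystone is expected to read domain-specific options from the backend rather than from files in that directory, so one of the two settings looks like dead configuration. Please record the intended source in a comment, e.g. `# domain-specific config is managed via the API and stored in the DB; domain_config_dir is not read`, or drop the unused key so reviewers of the identity backend are not misled about where domain drivers are defined.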
@@ -0,0 +1,95 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: keystone-rabbitmq + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.rabbitmq + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.rabbitmq + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.keystone_oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.keystone_rabbitmq_exporter + dest: + path: .values.endpoints.prometheus_rabbitmq_exporter + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + + - src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_rabbitmq_erlang_cookie + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.erlang_cookie + - src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_oslo_messaging_admin_password + path: . 
+ dest: + path: .values.endpoints.oslo_messaging.auth.user.password +data: + chart_name: keystone-rabbitmq + release: keystone-rabbitmq + namespace: openstack + wait: + timeout: 900 + labels: + release_group: keystone-rabbitmq + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: keystone-rabbitmq + values: + pod: + replicas: + server: 1 + labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_rabbitmq_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitoring: + prometheus: + enabled: true + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-mariadb/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-mariadb/chart-group.yaml new file mode 100644 index 000000000..5e218fb0b --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-mariadb/chart-group.yaml @@ -0,0 +1,13 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: openstack-mariadb + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Deploy MariaDB + chart_group: + - openstack-mariadb diff --git a/global/v4.0/software/charts/osh/openstack-mariadb/mariadb.yaml b/global/v4.0/software/charts/osh/openstack-mariadb/mariadb.yaml new file mode 100644 index 000000000..1cffdd461 --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-mariadb/mariadb.yaml 
@@ -0,0 +1,77 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: openstack-mariadb + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.osh.mariadb + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.osh.mariadb + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.oslo_db + dest: + path: .values.endpoints.olso_db + # Accounts + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.oslo_db.admin + dest: + path: .values.endpoints.oslo_db.auth.admin + + # Secrets + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_oslo_db_admin_password + path: . + +data: + chart_name: openstack-mariadb + release: openstack-mariadb + namespace: openstack + wait: + timeout: 900 + labels: + release_group: openstack-mariadb + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: openstack-mariadb + values: + labels: + server: + node_selector_key: openstack-control-plane + node_selector_value: enabled + prometheus_mysql_exporter: + node_selector_key: openstack-control-plane + node_selector_value: enabled + dependencies: + - osh-helm-toolkit +... diff --git a/global/v4.0/software/charts/osh/openstack-memcached/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-memcached/chart-group.yaml new file mode 100644 index 000000000..f4d6b772d --- /dev/null +++ b/global/v4.0/software/charts/osh/openstack-memcached/chart-group.yaml 
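Review bot: The Endpoints substitution in this hunk writes to `.values.endpoints.olso_db`, while the Accounts and Secrets substitutions just below it write under `.values.endpoints.oslo_db`; the destination looks like a transposition of `oslo_db`. As written, the catalogue entry taken from `.osh.oslo_db` lands on a key the chart presumably never reads, so the database endpoint would come from the chart's own defaults while the admin credentials are applied to the real key. The line should read `path: .values.endpoints.oslo_db`. Nothing visible here would reject the misspelled key at render time, so a lint step that flags unknown keys under `.values.endpoints` would be worth adding alongside the fix.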
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-memcached
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Memcached
+ chart_group:
+ - openstack-memcached
diff --git a/global/v4.0/software/charts/osh/openstack-memcached/memcached.yaml b/global/v4.0/software/charts/osh/openstack-memcached/memcached.yaml
new file mode 100644
index 000000000..9325c4eb2
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-memcached/memcached.yaml
@@ -0,0 +1,57 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-memcached
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.osh.memcached
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.osh.memcached
+ dest:
+ path: .values.images.tags
+
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: osh_endpoints
+ path: .osh.oslo_cache
+ dest:
+ path: .values.endpoints.oslo_cache
+data:
+ chart_name: openstack-memcached
+ release: openstack-memcached
+ namespace: openstack
+ wait:
+ timeout: 900
+ labels:
+ release_group: openstack-memcached
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: openstack-memcached
+ values:
+ labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ dependencies:
+ - osh-helm-toolkit
+...
diff --git a/global/v4.0/software/charts/osh/openstack-radosgw/chart-group.yaml b/global/v4.0/software/charts/osh/openstack-radosgw/chart-group.yaml
new file mode 100644
index 000000000..467aa1f53
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-radosgw/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-radosgw
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Deploy Radosgw
+ chart_group:
+ - radosgw
diff --git a/global/v4.0/software/charts/osh/openstack-radosgw/radosgw.yaml b/global/v4.0/software/charts/osh/openstack-radosgw/radosgw.yaml
new file mode 100644
index 000000000..fdeb38ec6
--- /dev/null
+++ b/global/v4.0/software/charts/osh/openstack-radosgw/radosgw.yaml
@@ -0,0 +1,142 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: radosgw + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-client + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-client + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . 
+ - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + +data: + chart_name: radosgw + release: radosgw + namespace: openstack + wait: + timeout: 900 + labels: + release_group: radosgw + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: radosgw + values: + labels: + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + provisioner: + node_selector_key: openstack-control-plane + node_selector_value: enabled + mds: + node_selector_key: ceph-mds + node_selector_value: enabled + rgw: + node_selector_key: ceph-rgw + node_selector_value: enabled + mgr: + node_selector_key: ceph-mgr + node_selector_value: enabled + deployment: + ceph: false + client_secrets: false + rbd_provisioner: false + cephfs_provisioner: false + rgw_keystone_user_and_endpoints: true + bootstrap: + enabled: false + conf: + rgw_ks: + enabled: true + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/armada/armada.yaml b/global/v4.0/software/charts/ucp/armada/armada.yaml new file mode 100644 index 000000000..44a171fe8 --- /dev/null +++ b/global/v4.0/software/charts/ucp/armada/armada.yaml 
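Review bot: The passphrase document `ceph_swift_keystone_password` is substituted here into `.values.endpoints.identity.auth.swift.password` next to the `osh_endpoints` identity service, while ceph-config.yaml, ceph-mon.yaml and ceph-osd.yaml later in this patch substitute the same document next to the `ucp_endpoints` identity service. If those are two separate Keystone deployments, as the separate catalogues suggest, one secret becomes the swift service password in both, so disclosure in either namespace exposes the other. I would use one passphrase document per identity service and reference each from the matching chart, e.g. `name: <osh-specific swift passphrase document>` in this file. A short comment above the `osh_keystone_admin_password` substitution saying it is there for `rgw_keystone_user_and_endpoints: true` would also make clear why this chart is given the admin credential.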
@@ -0,0 +1,122 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-armada + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.armada + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.armada + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.armada + dest: + path: .values.endpoints.armada + + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.armada.keystone + dest: + path: .values.endpoints.identity.auth.user + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_armada_keystone_password + path: . +data: + chart_name: armada + release: ucp-armada + namespace: ucp + wait: + timeout: 100 + labels: + release_group: ucp-armada + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-armada + values: + pod: + replicas: + api: 2 + conf: + armada: + DEFAULT: + debug: true + tiller_namespace: kube-system + manifests: + deployment_tiller: false + service_tiller_deploy: false + dependencies: + - armada-htk +... 
+--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: armada-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.armada-htk + dest: + path: .source +data: + chart_name: armada-htk + release: armada-htk + namespace: armada-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/armada/chart-group.yaml b/global/v4.0/software/charts/ucp/armada/chart-group.yaml new file mode 100644 index 000000000..01e6d06f0 --- /dev/null +++ b/global/v4.0/software/charts/ucp/armada/chart-group.yaml @@ -0,0 +1,15 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-armada + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Armada + sequenced: true + chart_group: + - ucp-tiller + - ucp-armada diff --git a/global/v4.0/software/charts/ucp/armada/tiller.yaml b/global/v4.0/software/charts/ucp/armada/tiller.yaml new file mode 100644 index 000000000..4b36332e6 --- /dev/null +++ b/global/v4.0/software/charts/ucp/armada/tiller.yaml 
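Review bot: `conf.armada.DEFAULT.debug: true` in the `ucp-armada` document is set at the global layer, so every site that inherits it runs the Armada API with debug logging unless it overrides the value. This release receives the Keystone admin and service passwords through the substitutions above it and handles rendered values for other charts, so debug output may carry more sensitive detail than is wanted in a shared log pipeline; whether it does depends on Armada's logging, which is not visible in this patch. I would ship `debug: false` here and let a lab site enable it in its own layer.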
@@ -0,0 +1,70 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-tiller
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.tiller
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ucp.tiller
+ dest:
+ path: .values.images.tags
+
+data:
+ chart_name: tiller
+ release: ucp-tiller
+ namespace: kube-system
+ wait:
+ timeout: 100
+ labels:
+ release_group: ucp-tiller
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ucp-tiller
+ values: {}
+ dependencies:
+ - tiller-htk
+...
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: tiller-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.tiller-htk
+ dest:
+ path: .source
+data:
+ chart_name: tiller-htk
+ release: tiller-htk
+ namespace: tiller-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/ucp/ceph-config/ceph-config.yaml b/global/v4.0/software/charts/ucp/ceph-config/ceph-config.yaml
new file mode 100644
index 000000000..d9d11cad2
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/ceph-config/ceph-config.yaml
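Review bot: `values: {}` in the `ucp-tiller` document leaves every Tiller setting at the chart default for a release in `kube-system`, and armada.yaml points Armada at it with `tiller_namespace: kube-system`. Tiller performs release operations for whichever client can reach it, so how it is exposed and who may connect should be recorded in this document rather than inherited silently. The chart's options are not visible in this patch, so I cannot name the keys to set. At minimum, a comment above `values:` such as `# Tiller runs with chart defaults; access is restricted by <mechanism>` would tell a site author what is being relied on.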
@@ -0,0 +1,143 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-config + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-client + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-client + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ceph.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . 
+ - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + +data: + chart_name: ucp-ceph-config + release: ucp-ceph-config + namespace: ucp + wait: + timeout: 3600 + labels: + release_group: ucp-ceph-config + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-ceph-config + values: + labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + provisioner: + node_selector_key: ucp-control-plane + node_selector_value: enabled + mds: + node_selector_key: ceph-mds + node_selector_value: enabled + rgw: + node_selector_key: ceph-rgw + node_selector_value: enabled + mgr: + node_selector_key: ceph-mgr + node_selector_value: enabled + deployment: + ceph: false + client_secrets: true + rbd_provisioner: false + cephfs_provisioner: false + rgw_keystone_user_and_endpoints: false + bootstrap: + enabled: false + conf: + rgw_ks: + enabled: true + + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph-config/chart-group.yaml b/global/v4.0/software/charts/ucp/ceph-config/chart-group.yaml new file mode 100644 index 000000000..5534867f6 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph-config/chart-group.yaml @@ -0,0 +1,15 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-config + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Ceph config for UCP namespace(s) + chart_group: + # NOTE: This will probably expand into one config per UCP namespace + # that requires ceph access. + - ucp-ceph-config diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-client-update.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-client-update.yaml new file mode 100644 index 000000000..3ddfeaf29 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-client-update.yaml 
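Review bot: The `ucp-ceph-config` release is handed `ucp_keystone_admin_password` through the Secrets substitutions, yet its `deployment` block enables only `client_secrets: true` and sets `rgw_keystone_user_and_endpoints: false`. If the chart does not read `.values.endpoints.identity.auth.admin` in that mode (not verifiable from this patch), the identity account and admin password substitutions should be dropped so the credential is not rendered into a release that has no use for it. The ceph-mon.yaml and ceph-osd.yaml hunks later in this patch carry the same substitutions with no Keystone-related deployment flag enabled at all. If the substitutions are in fact required, say why, e.g. `# admin credential required by <job name>` above the Secrets block.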
@@ -0,0 +1,189 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-client-update-global + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + labels: + name: ucp-ceph-client-update-global + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-client + dest: + path: .source + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-client + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . 
+ - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.conf.ceph.global.fsid + src: + schema: deckhand/Passphrase/v1 + name: ceph_fsid + path: . + +data: + chart_name: ucp-ceph-client + release: ucp-ceph-client + namespace: ceph + protected: + continue_processing: true + wait: + timeout: 900 + labels: + release_group: ucp-ceph-client + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-ceph-client + values: + labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + provisioner: + node_selector_key: ucp-control-plane + node_selector_value: enabled + mds: + node_selector_key: ceph-mds + node_selector_value: enabled + rgw: + node_selector_key: ceph-rgw + node_selector_value: enabled + mgr: + node_selector_key: ceph-mgr + node_selector_value: enabled + endpoints: + identity: + namespace: openstack + object_store: + namespace: ceph + ceph_mon: + namespace: ceph + deployment: + ceph: true + client_secrets: false + rbd_provisioner: true + cephfs_provisioner: true + rgw_keystone_user_and_endpoints: false + bootstrap: + enabled: true + pod: + replicas: + mds: 2 + mgr: 2 + rgw: 2 + + conf: + rgw_ks: + enabled: true + config: + #NOTE (portdirect): See http://tracker.ceph.com/issues/21226 + rgw_keystone_token_cache_size: '0' + pool: + + # NOTE(alanmeadows) spport 4.x 16.04 kernels (non-HWE) + crush: + tunables: 'hammer' + + # NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. + target: + osd: 1 + pg_per_osd: 100 + + default: + # NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. 
+ crush_rule: replicated_rule + + ceph: + global: + # NOTE: This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. + osd_pool_default_size: 1 + + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-client.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-client.yaml new file mode 100644 index 000000000..642bc8617 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-client.yaml 
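Review bot: The NOTE comments saying a setting is "required ATM for bootstrapping a Ceph cluster with only one OSD" were carried unchanged into this post-install update document, where one now sits above `crush_rule: replicated_rule`, alongside `mds: 2`, `mgr: 2` and `rgw: 2`. `target.osd: 1` and `osd_pool_default_size: 1` are still single-OSD values, so pools keep one copy of each object after the update unless a site layer overrides them. The comments should say which of these a site is expected to change, e.g. `# Single-copy default; sites with more than one OSD must override osd_pool_default_size`. "spport" in the crush tunables comment should read "support", here and in ceph-client.yaml. Since this file repeats ceph-client.yaml almost line for line, expressing the update as a small override of a shared document, if the layering in use allows it, would stop the two drifting apart.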
@@ -0,0 +1,190 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-client-global + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + labels: + name: ucp-ceph-client-global + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-client + dest: + path: .source + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-client + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_endpoints + path: .osh.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + + - src: + schema: pegleg/AccountCatalogue/v1 + name: osh_service_accounts + path: .osh.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: osh_keystone_admin_password + path: . 
+ - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.conf.ceph.global.fsid + src: + schema: deckhand/Passphrase/v1 + name: ceph_fsid + path: . + +data: + chart_name: ucp-ceph-client + release: ucp-ceph-client + namespace: ceph + protected: + continue_processing: true + wait: + timeout: 900 + labels: + release_group: ucp-ceph-client + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-ceph-client + values: + labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + provisioner: + node_selector_key: ucp-control-plane + node_selector_value: enabled + mds: + node_selector_key: ceph-mds + node_selector_value: enabled + rgw: + node_selector_key: ceph-rgw + node_selector_value: enabled + mgr: + node_selector_key: ceph-mgr + node_selector_value: enabled + endpoints: + identity: + namespace: openstack + object_store: + namespace: ceph + ceph_mon: + namespace: ceph + deployment: + ceph: true + client_secrets: false + rbd_provisioner: true + cephfs_provisioner: true + rgw_keystone_user_and_endpoints: false + bootstrap: + enabled: true + pod: + replicas: + mds: 1 + mgr: 1 + rgw: 1 + + conf: + rgw_ks: + enabled: true + config: + #NOTE (portdirect): See http://tracker.ceph.com/issues/21226 + rgw_keystone_token_cache_size: '0' + pool: + + # NOTE(alanmeadows) spport 4.x 16.04 kernels (non-HWE) + crush: + tunables: 'hammer' + + # NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. + target: + osd: 1 + pg_per_osd: 100 + + default: + # NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. 
+ crush_rule: same_host + + ceph: + global: + # NOTE: This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. + osd_pool_default_size: 1 + + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-htk.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-htk.yaml new file mode 100644 index 000000000..ebaac07b1 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-htk.yaml @@ -0,0 +1,23 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ceph-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-htk + dest: + path: .source +data: + chart_name: ceph-htk + release: ceph-htk + namespace: ceph-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-ingress.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-ingress.yaml new file mode 100644 index 000000000..d8f501692 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-ingress.yaml 
@@ -0,0 +1,64 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-ingress + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ingress + dest: + path: .source + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.ingress + dest: + path: .values.images.tags +data: + chart_name: ucp-ceph-ingress + release: ucp-ceph-ingress + namespace: ceph + wait: + timeout: 300 + labels: + release_group: ucp-ceph-ingress + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-ceph-ingress + values: + conf: + ingress: + proxy-body-size: 20m + labels: + server: + node_selector_key: ucp-control-plane + node_selector_value: enabled + error_server: + node_selector_key: ucp-control-plane + node_selector_value: enabled + pod: + replicas: + ingress: 2 + error_page: 2 + network: + ingress: + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 20m + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + dependencies: + - ucp-ingress-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-mon.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-mon.yaml new file mode 100644 index 000000000..ff08f3c15 --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-mon.yaml 
@@ -0,0 +1,150 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-mon + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + labels: + name: ucp-ceph-mon + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-mon + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-mon + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ceph.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: 
ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.conf.ceph.global.fsid + src: + schema: deckhand/Passphrase/v1 + name: ceph_fsid + path: . + +data: + chart_name: ucp-ceph-mon + release: ucp-ceph-mon + namespace: ceph + protected: + continue_processing: true + wait: + timeout: 1800 + labels: + release_group: ucp-ceph-mon + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-ceph-mon + values: + logging: + fluentd: true + labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + mon: + node_selector_key: ceph-mon + node_selector_value: enabled + endpoints: + identity: + namespace: openstack + object_store: + namespace: ceph + ceph_mon: + namespace: ceph + fluentd: + namespace: osh-infra + deployment: + ceph: true + storage_secrets: true + bootstrap: + enabled: true + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph/ceph-osd.yaml b/global/v4.0/software/charts/ucp/ceph/ceph-osd.yaml new file mode 100644 index 000000000..3dd6fd72b --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/ceph-osd.yaml 
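Review bot: The identity endpoint for `ucp-ceph-mon` is substituted from `ucp_endpoints` at `.ucp.identity`, but `values.endpoints.identity.namespace` is set to `openstack`; ceph-client.yaml pairs that same `openstack` namespace with `osh_endpoints`, and ceph-osd.yaml later in this patch repeats the combination used here. Either the literal is left over from the OSH variant and should name the UCP namespace, or the substitution replaces the whole `identity` object and the literal is dead configuration that should be removed. Which of the two applies depends on how the substitution merges into `values`, which this patch does not show. A one-line comment on the surviving setting, e.g. `# identity service lives in <namespace>`, would keep the next editor from copying the mismatch again.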
@@ -0,0 +1,153 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-osd-global + layeringDefinition: + abstract: true + layer: global + storagePolicy: cleartext + labels: + name: ucp-ceph-osd-global + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.ceph-osd + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ceph.ceph-osd + dest: + path: .values.images.tags + + # IP addresses + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.public_cidr + dest: + path: .values.network.public + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .storage.ceph.cluster_cidr + dest: + path: .values.network.cluster + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.object_store + dest: + path: .values.endpoints.object_store + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mon + dest: + path: .values.endpoints.ceph_mon + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ceph.ceph_mgr + dest: + path: .values.endpoints.ceph_mgr + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ceph.swift.keystone + dest: + path: .values.endpoints.identity.auth.swift + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: 
ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.swift.password + src: + schema: deckhand/Passphrase/v1 + name: ceph_swift_keystone_password + path: . + - dest: + path: .values.conf.ceph.global.fsid + src: + schema: deckhand/Passphrase/v1 + name: ceph_fsid + path: . + +data: + chart_name: ucp-ceph-osd + release: ucp-ceph-osd + namespace: ceph + protected: + continue_processing: true + wait: + timeout: 900 + labels: + release_group: ucp-ceph-osd + install: + no_hooks: false + upgrade: + no_hooks: false + values: + logging: + fluentd: true + labels: + osd: + node_selector_key: ceph-osd + node_selector_value: enabled + endpoints: + identity: + namespace: openstack + object_store: + namespace: ceph + ceph_mon: + namespace: ceph + fluentd: + namespace: osh-infra + bootstrap: + enabled: true + conf: + storage: + osd: + - data: + type: directory + location: /var/lib/openstack-helm/ceph/osd/osd-one + journal: + type: directory + location: /var/lib/openstack-helm/ceph/osd/journal-one + osd: + # NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph + # cluster with only one OSD. Depending on OSD targeting & site + # configuration this can be changed. + osd_crush_chooseleaf_type: 0 + dependencies: + - ceph-htk +... diff --git a/global/v4.0/software/charts/ucp/ceph/chart-group-update.yaml b/global/v4.0/software/charts/ucp/ceph/chart-group-update.yaml new file mode 100644 index 000000000..6f819b1ec --- /dev/null +++ b/global/v4.0/software/charts/ucp/ceph/chart-group-update.yaml @@ -0,0 +1,18 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-update + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Ceph post-install update + sequenced: true + chart_group: + - ucp-ceph-ingress + - ucp-ceph-mon + - ucp-ceph-osd + - ucp-ceph-client-update +... 
diff --git a/global/v4.0/software/charts/ucp/ceph/chart-group.yaml b/global/v4.0/software/charts/ucp/ceph/chart-group.yaml
new file mode 100644
index 000000000..3a3ded08c
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/ceph/chart-group.yaml
@@ -0,0 +1,18 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-ceph
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Ceph Storage
+ sequenced: true
+ chart_group:
+ - ucp-ceph-ingress
+ - ucp-ceph-mon
+ - ucp-ceph-osd
+ - ucp-ceph-client
+...
diff --git a/global/v4.0/software/charts/ucp/core/chart-group.yaml b/global/v4.0/software/charts/ucp/core/chart-group.yaml
new file mode 100644
index 000000000..147b8bccb
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/core/chart-group.yaml
@@ -0,0 +1,17 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-core
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Common UCP Components
+ chart_group:
+ - ucp-ingress
+ - ucp-mariadb
+ - ucp-postgresql
+ - ucp-rabbitmq
+...
diff --git a/global/v4.0/software/charts/ucp/core/ingress.yaml b/global/v4.0/software/charts/ucp/core/ingress.yaml
new file mode 100644
index 000000000..f177951d0
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/core/ingress.yaml
@@ -0,0 +1,85 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-ingress
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.ingress
+ dest:
+ path: .source
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ucp.ingress
+ dest:
+ path: .values.images.tags
+data:
+ chart_name: ingress
+ release: ingress
+ namespace: ucp
+ wait:
+ timeout: 300
+ labels:
+ release_group: ingress
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ingress
+ values:
+ conf:
+ ingress:
+ proxy-body-size: 20m
+ labels:
+ server:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ error_server:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ pod:
+ replicas:
+ ingress: 2
+ error_page: 2
+ network:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 20m
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+ dependencies:
+ - ucp-ingress-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-ingress-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.ingress-htk
+ dest:
+ path: .source
+data:
+ chart_name: ucp-ingress-htk
+ release: ucp-ingress-htk
+ namespace: ucp-ingress-htk
+ values: {}
+ dependencies: []
diff --git a/global/v4.0/software/charts/ucp/core/mariadb.yaml b/global/v4.0/software/charts/ucp/core/mariadb.yaml
new file mode 100644
index 000000000..99751fa39
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/core/mariadb.yaml
@@ -0,0 +1,109 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-mariadb
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.mariadb
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ucp.mariadb
+ dest:
+ path: .values.images.tags
+
+ # Endpoints
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: ucp_endpoints
+ path: .ucp.oslo_db
+ dest:
+ path: .values.endpoints.olso_db
+ # Accounts
+ - src:
+ schema: pegleg/AccountCatalogue/v1
+ name: ucp_service_accounts
+ path: .ucp.oslo_db.admin
+ dest:
+ path: .values.endpoints.oslo_db.auth.admin
+
+ # Secrets
+ - dest:
+ path: .values.endpoints.oslo_db.auth.admin.password
+ src:
+ schema: deckhand/Passphrase/v1
+ name: ucp_oslo_db_admin_password
+ path: .
+
+data:
+ chart_name: ucp-mariadb
+ release: ucp-mariadb
+ namespace: ucp
+ wait:
+ timeout: 300
+ labels:
+ release_group: ucp-mariadb
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ucp-mariadb
+ values:
+ labels:
+ server:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ prometheus_mysql_exporter:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ ingress:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ error_server:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ pod:
+ replicas:
+ server: 1
+ dependencies:
+ - mariadb-htk
+...
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: mariadb-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.mariadb-htk
+ dest:
+ path: .source
+data:
+ chart_name: mariadb-htk
+ release: mariadb-htk
+ namespace: mariadb-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/ucp/core/postgresql.yaml b/global/v4.0/software/charts/ucp/core/postgresql.yaml
new file mode 100644
index 000000000..488295bd9
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/core/postgresql.yaml
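Review bot: The `# Endpoints` substitution in the ucp-mariadb document writes to `.values.endpoints.olso_db`, which looks like a typo for `oslo_db`; the account and password substitutions directly below it target `.values.endpoints.oslo_db.auth.admin`. As written, the endpoint catalogue entry lands under a key the chart presumably never reads, so the database endpoint keeps the chart's default host and port data while only the credentials are overridden. The line should read `path: .values.endpoints.oslo_db`.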
@@ -0,0 +1,105 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-postgresql + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.postgresql + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.postgresql + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.postgresql + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql.auth.admin + + # Secrets + - dest: + path: .values.endpoints.postgresql.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . +data: + chart_name: ucp-postgresql + release: ucp-postgresql + namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-postgresql + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-postgresql + create: [] + post: + create: [] + values: + conf: + postgresql: + max_connections: 1000 + shared_buffers: 2GB + development: + enabled: false + labels: + server: + node_selector_key: ucp-control-plane + node_selector_value: enabled + dependencies: + - postgres-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: postgres-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.postgresql-htk + dest: + path: .source +data: + chart_name: postgres-htk + release: postgres-htk + namespace: postgres-htk + values: {} + dependencies: [] +... 
diff --git a/global/v4.0/software/charts/ucp/core/rabbitmq.yaml b/global/v4.0/software/charts/ucp/core/rabbitmq.yaml
new file mode 100644
index 000000000..4df2c1b57
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/core/rabbitmq.yaml
@@ -0,0 +1,110 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-rabbitmq + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.rabbitmq + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.rabbitmq + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.oslo_messaging.admin + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + + - src: + schema: deckhand/Passphrase/v1 + name: ucp_rabbitmq_erlang_cookie + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.erlang_cookie + - src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . + dest: + path: .values.endpoints.oslo_messaging.auth.user.password +data: + chart_name: ucp-rabbitmq + release: ucp-rabbitmq + namespace: ucp + wait: + timeout: 300 + labels: + release_group: ucp-rabbitmq + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-rabbitmq + values: + pod: + replicas: + server: 1 + labels: + server: + node_selector_key: ucp-control-plane + node_selector_value: enabled + prometheus_rabbitmq_exporter: + node_selector_key: ucp-control-plane + node_selector_value: enabled + dependencies: + - ucp-rabbitmq-htk +... 
+--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-rabbitmq-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.rabbitmq-htk + dest: + path: .source +data: + chart_name: ucp-rabbitmq-htk + release: ucp-rabbitmq-htk + namespace: ucp-rabbitmq-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/deckhand/barbican.yaml b/global/v4.0/software/charts/ucp/deckhand/barbican.yaml new file mode 100644 index 000000000..c6ee554c1 --- /dev/null +++ b/global/v4.0/software/charts/ucp/deckhand/barbican.yaml 
@@ -0,0 +1,261 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-barbican + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.barbican + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.barbican + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.key_manager + dest: + path: .values.endpoints.key_manager + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.barbican.keystone + dest: + path: .values.endpoints.identity.auth.barbican + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.barbican.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.barbican + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.barbican.oslo_db.database + dest: + path: 
.values.endpoints.oslo_db.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.barbican.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging.auth + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_db_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.barbican.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_barbican_keystone_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.barbican.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_barbican_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.barbican.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . 
+data: + chart_name: ucp-barbican + release: ucp-barbican + namespace: ucp + wait: + timeout: 300 + labels: + release_group: ucp-barbican + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-barbican + post: + create: [] + values: + conf: + logging: + loggers: + keys: + - root + - barbican + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_barbican: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: barbican + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: fluent.handler.FluentHandler + args: ('ucp.barbican', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + labels: + api: + node_selector_key: ucp-control-plane + node_selector_value: enabled + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + test: + node_selector_key: ucp-control-plane + node_selector_value: enabled + pod: + replicas: + api: 2 + dependencies: + - ucp-barbican-htk +... 
+--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-barbican-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.barbican-htk + dest: + path: .source +data: + chart_name: ucp-barbican-htk + release: ucp-barbican-htk + namespace: ucp-barbican-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/deckhand/chart-group.yaml b/global/v4.0/software/charts/ucp/deckhand/chart-group.yaml new file mode 100644 index 000000000..e26aba3cb --- /dev/null +++ b/global/v4.0/software/charts/ucp/deckhand/chart-group.yaml @@ -0,0 +1,16 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-deckhand + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Deckhand + chart_group: + # NOTE: Find and add the dogtag chart + # - ucp-dogtag + - ucp-barbican + - ucp-deckhand diff --git a/global/v4.0/software/charts/ucp/deckhand/deckhand.yaml b/global/v4.0/software/charts/ucp/deckhand/deckhand.yaml new file mode 100644 index 000000000..c5b59abd1 --- /dev/null +++ b/global/v4.0/software/charts/ucp/deckhand/deckhand.yaml 
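Review bot: In barbican.yaml both `.values.endpoints.oslo_messaging.auth.admin.password` and `.values.endpoints.oslo_messaging.auth.barbican.password` are filled from the same Passphrase, `ucp_oslo_messaging_password`, so the Barbican service user ends up sharing the messaging admin secret. The other credential pairs in this hunk use a per-service passphrase, for example `ucp_barbican_oslo_db_password` next to `ucp_oslo_db_admin_password`. A dedicated document, e.g. `name: <barbican-messaging-passphrase>` (placeholder; no such document appears on this page), would let the service password be scoped and rotated separately from the admin one.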
@@ -0,0 +1,173 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-deckhand + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.deckhand + dest: + path: .source + + # Images + + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.deckhand + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.postgresql + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.deckhand + dest: + path: .values.endpoints.deckhand + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.key_manager + dest: + path: .values.endpoints.key_manager + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_cache + dest: + path: .values.endpoints.oslo_cache + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.deckhand.postgres + dest: + path: .values.endpoints.postgresql.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.deckhand.postgres.database + dest: + path: .values.endpoints.postgresql.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.deckhand.keystone + dest: + path: .values.endpoints.identity.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + 
path: .values.endpoints.identity.auth.admin + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.postgresql.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_deckhand_keystone_password + path: . + - dest: + path: .values.endpoints.postgresql.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_deckhand_postgres_password + path: . +data: + chart_name: ucp-deckhand + release: ucp-deckhand + namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-deckhand + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-deckhand + post: + create: [] + values: + pod: + replicas: + deckhand: 2 + conf: + deckhand: + DEFAULT: + debug: true + use_stderr: true + use_syslog: true + keystone_authtoken: + memcache_security_strategy: None + dependencies: + - deckhand-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: deckhand-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.deckhand-htk + dest: + path: .source +data: + chart_name: deckhand-htk + release: deckhand-htk + namespace: deckhand-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/divingbell/chart-group.yaml b/global/v4.0/software/charts/ucp/divingbell/chart-group.yaml new file mode 100644 index 000000000..e67a6e201 --- /dev/null +++ b/global/v4.0/software/charts/ucp/divingbell/chart-group.yaml 
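Review bot: `conf.deckhand.DEFAULT.debug: true` is set in the global layer, so every site inherits debug-level logging for a service whose chart is fed four Passphrase documents; the global default should be `debug: false`, with sites opting in when troubleshooting. In the same block, `keystone_authtoken.memcache_security_strategy: None` leaves cached token data in memcached neither signed nor encrypted. If the cache is reachable by other workloads, prefer `memcache_security_strategy: ENCRYPT` together with a `memcache_secret_key` substituted from a Passphrase. If `None` is deliberate, a comment on that line should say why.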
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-divingbell
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Divingbell
+ chart_group:
+ - ucp-divingbell
diff --git a/global/v4.0/software/charts/ucp/divingbell/divingbell.yaml b/global/v4.0/software/charts/ucp/divingbell/divingbell.yaml
new file mode 100644
index 000000000..135bc333e
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/divingbell/divingbell.yaml
@@ -0,0 +1,103 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-divingbell-global
+ layeringDefinition:
+ abstract: true
+ layer: global
+ labels:
+ name: ucp-divingbell-global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.divingbell
+ dest:
+ path: .source
+ # Image Source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ucp.divingbell
+ dest:
+ path: .values.images
+data:
+ chart_name: ucp-divingbell
+ release: ucp-divingbell
+ namespace: ucp
+ wait:
+ timeout: 300
+ labels:
+ release_group: ucp-divingbell
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ucp-divingbell
+ values:
+ conf:
+ sysctl:
+ # Larger connection tracking table
+ net.nf_conntrack_max: '1048576'
+ # Reboot the node 60 seconds after a kernel panic, instead of default
+ # value of 0 (i.e. never reboot)
+ kernel.panic: '60'
+ # Accept gratuitous ARP to support failover scenarios
+ # https://bugs.launchpad.net/fuel/+bug/1456272
+ net.ipv4.conf.default.arp_accept: '1'
+ net.ipv4.conf.all.arp_accept: '1'
+ # Increased network backlog to optimize performance on fast networks
+ net.core.netdev_max_backlog: '261144'
+ # Optimizations for RabbitMQ failover
+ # https://bugs.launchpad.net/oslo.messaging/+bug/856764/comments/19
+ net.ipv4.tcp_keepalive_intvl: '3'
+ net.ipv4.tcp_keepalive_time: '30'
+ net.ipv4.tcp_keepalive_probes: '8'
+ net.ipv4.tcp_retries2: '5'
+ # Larger thresholds
+ # "Neighbour table overflow" errors that filled kernel logs
+ net.ipv4.neigh.default.gc_thresh1: '4096'
+ net.ipv4.neigh.default.gc_thresh2: '8192'
+ net.ipv4.neigh.default.gc_thresh3: '16384'
+ # It was necessary to set rp_filter to zero to support certain
+ # multi-homed storage backends
+ net.ipv4.conf.default.rp_filter: '0'
+ # Enable byte/packet count for new connections to enable creation of
+ # rules for the connbytes netfilter module
+ net.netfilter.nf_conntrack_acct: '1'
+ # Added in response to error messages seen on genesis host when services
+ # were restarted. "Failed to add /run/systemd/ask-password to directory
+ # watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
+ fs.inotify.max_user_watches: '1048576'
+ dependencies:
+ - ucp-divingbell-htk
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-divingbell-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.divingbell-htk
+ dest:
+ path: .source
+data:
+ chart_name: ucp-divingbell-htk
+ release: ucp-divingbell-htk
+ namespace: ucp-divingbell-htk
+ values: {}
+ dependencies: []
+...
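Review bot: `net.ipv4.conf.default.rp_filter: '0'` switches reverse-path filtering off by default on every node that inherits this global document, although the comment ties the need only to certain multi-homed storage backends. Loose mode, `net.ipv4.conf.default.rp_filter: '2'`, usually satisfies multi-homed hosts while keeping some source-address validation; otherwise the override belongs in a site or host-profile layer for the storage nodes. The same scoping question applies to `net.ipv4.conf.all.arp_accept: '1'`, which makes every interface accept gratuitous ARP. The `https://bit.ly/2Mj5qn2` reference in the inotify comment should be replaced by the full URL so the source can be checked from the file.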
diff --git a/global/v4.0/software/charts/ucp/drydock/chart-group.yaml b/global/v4.0/software/charts/ucp/drydock/chart-group.yaml
new file mode 100644
index 000000000..498e5e310
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/drydock/chart-group.yaml
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-drydock
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Drydock
+ chart_group:
+ - ucp-maas
+ - ucp-drydock
diff --git a/global/v4.0/software/charts/ucp/drydock/drydock.yaml b/global/v4.0/software/charts/ucp/drydock/drydock.yaml
new file mode 100644
index 000000000..c91e68a45
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/drydock/drydock.yaml
@@ -0,0 +1,191 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-drydock + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.drydock + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.drydock + dest: + path: .values.images.tags + + # Endpoints + + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.postgresql + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.physicalprovisioner + dest: + path: .values.endpoints.physicalprovisioner + + # Drydock IPs + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.drydock_api + dest: + path: .values.network.drydock.node_port.port + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.drydock_api + dest: + path: .values.endpoints.physicalprovisioner.port.api.nodeport + + # MaaS IPs + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .genesis.ip + dest: + path: .values.conf.drydock.maasdriver.maas_api_url + pattern: 'MAAS_IP' + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.maas_api + dest: + path: .values.conf.drydock.maasdriver.maas_api_url + pattern: 'MAAS_PORT' + + # Credentials + + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.drydock.postgres + dest: + path: 
.values.endpoints.postgresql.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.drydock.postgres.database + dest: + path: .values.endpoints.postgresql.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.drydock.keystone + dest: + path: .values.endpoints.identity.auth.user + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.postgresql.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_drydock_keystone_password + path: . + - dest: + path: .values.endpoints.postgresql.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_drydock_postgres_password + path: . + +data: + chart_name: drydock + release: drydock + namespace: ucp + wait: + timeout: 600 + labels: + release_group: drydock + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: drydock + values: + labels: + node_selector_key: ucp-control-plane + node_selector_value: enabled + network: + drydock: + node_port: + enabled: true + conf: + drydock: + database: + pool_size: 200 + maasdriver: + maas_api_url: http://MAAS_IP:MAAS_PORT/MAAS/api/2.0/ + plugins: + ingester: drydock_provisioner.ingester.plugins.deckhand.DeckhandIngester + dependencies: + - drydock-htk +... 
+--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: drydock-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.drydock-htk + dest: + path: .source +data: + chart_name: drydock-htk + release: drydock-htk + namespace: drydock-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/drydock/maas.yaml b/global/v4.0/software/charts/ucp/drydock/maas.yaml new file mode 100644 index 000000000..3fc614b58 --- /dev/null +++ b/global/v4.0/software/charts/ucp/drydock/maas.yaml 
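Review bot: `maas_api_url: http://MAAS_IP:MAAS_PORT/MAAS/api/2.0/` in drydock.yaml sends Drydock's MaaS API traffic, presumably including its API credentials, over plain HTTP to a node port on the genesis IP. If the MaaS endpoint cannot serve TLS (not visible in this hunk), a comment on that line should state the constraint, e.g. `# HTTP only: MaaS node port, must stay on the provisioning network`. Separately, the `# Secrets` block sets `.values.endpoints.identity.auth.admin.password`, but no substitution fills `.values.endpoints.identity.auth.admin` from `.ucp.keystone.admin` as deckhand.yaml does, so the remaining admin account fields appear to come from chart defaults.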
@@ -0,0 +1,226 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-maas-global + layeringDefinition: + abstract: true + layer: global + labels: + name: ucp-maas-global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.maas + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.maas + dest: + path: .values.images.tags + + # Drydock IPs + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .bootstrap.ip + dest: + path: .values.conf.drydock.bootaction_url + pattern: '(DRYDOCK_IP)' + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.drydock_api + dest: + path: .values.conf.drydock.bootaction_url + pattern: '(DRYDOCK_PORT)' + + # MaaS IPs + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .bootstrap.ip + dest: + path: .values.conf.maas.url.maas_url + pattern: '(MAAS_IP)' + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.maas_api + dest: + path: .values.conf.maas.url.maas_url + pattern: '(MAAS_PORT)' + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.maas_api + dest: + path: .values.network.gui.node_port.port + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.maas_proxy + dest: + path: .values.network.proxy.node_port.port + + # MaaS Config + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.upstream_servers_joined + dest: + path: .values.conf.maas.dns.dns_servers + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .ntp.servers_joined + dest: + path: .values.conf.maas.ntp.ntp_servers + - src: + schema: deckhand/Passphrase/v1 + name: maas-region-key + path: . 
+ dest: + path: .values.secrets.maas_region.value + + # Endpoint substitutions + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.maas_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.maas_region_ui + dest: + path: .values.endpoints.maas_region_ui + + # Account and credential substitutions + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.maas_db.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.maas.postgres + dest: + path: .values.endpoints.maas_db.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.maas.postgres.database + dest: + path: .values.endpoints.maas_db.path + pattern: DB_NAME + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.maas.admin + dest: + path: .values.endpoints.maas_region_ui.auth.admin + + # Secrets + - dest: + path: .values.endpoints.maas_region_ui.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_maas_admin_password + path: . + - dest: + path: .values.endpoints.maas_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.maas_db.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_maas_postgres_password + path: . 
+data: + chart_name: maas + release: maas + namespace: ucp + wait: + timeout: 600 + labels: + release_group: maas + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: maas + values: + labels: + rack: + node_selector_key: maas-control-plane + node_selector_value: enabled + region: + node_selector_key: maas-control-plane + node_selector_value: enabled + network: + proxy: + node_port: + enabled: true + conf: + cache: + enabled: true + drydock: + bootaction_url: http://DRYDOCK_IP:DRYDOCK_PORT/api/v1.0/bootactions/nodes/ + maas: + credentials: + secret: + namespace: ucp + url: + maas_url: http://MAAS_IP:MAAS_PORT/MAAS + proxy: + proxy_enabled: 'false' + ntp: + use_external_only: 'true' + disable_ntpd_region: true + disable_ntpd_rack: true + dns: + require_dnssec: 'no' + dependencies: + - maas-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: maas-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.maas-htk + dest: + path: .source +data: + chart_name: maas-htk + release: maas-htk + namespace: maas-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/keystone/chart-group.yaml b/global/v4.0/software/charts/ucp/keystone/chart-group.yaml new file mode 100644 index 000000000..1baf7e75b --- /dev/null +++ b/global/v4.0/software/charts/ucp/keystone/chart-group.yaml @@ -0,0 +1,14 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-keystone + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: UCP Keystone components + chart_group: + - ucp-keystone-memcached + - ucp-keystone 
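Review bot: In `data.values.conf` of maas.yaml, `bootaction_url: http://DRYDOCK_IP:DRYDOCK_PORT/api/v1.0/bootactions/nodes/` and `maas_url: http://MAAS_IP:MAAS_PORT/MAAS` are fixed to `http://`, and `dns.require_dnssec: 'no'` turns DNSSEC validation off, all in the abstract global layer that sites inherit. Only the host and port are substituted, so as far as this hunk shows a site can move these to TLS only by overriding the whole URL string. I would take the scheme from the endpoint catalogue as the other endpoints do, or add a comment above each URL such as `# plain HTTP: provisioning network is assumed trusted; override per site if not`. A matching `# DNSSEC validation disabled: <reason>` next to `require_dnssec` would record that weakening as a decision rather than a default.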
diff --git a/global/v4.0/software/charts/ucp/keystone/keystone.yaml b/global/v4.0/software/charts/ucp/keystone/keystone.yaml
new file mode 100644
index 000000000..2119f8385
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/keystone/keystone.yaml
@@ -0,0 +1,243 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-keystone + labels: + component: keystone + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.keystone + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.keystone + dest: + path: .values.images.tags + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_db + dest: + path: .values.endpoints.oslo_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_cache + dest: + path: .values.endpoints.oslo_cache + - src: + schema: pegleg/EndpointCatalogue/v1 + name: osh_infra_endpoints + path: .osh_infra.fluentd + dest: + path: .values.endpoints.fluentd + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging.auth + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.oslo_db + dest: + path: .values.endpoints.oslo_db.auth.keystone + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.oslo_db.database + dest: + path: .values.endpoints.oslo_db.path + pattern: DB_NAME + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + 
schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.keystone.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_messaging.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.keystone.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_oslo_db_password + path: . + - dest: + path: .values.endpoints.oslo_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_db_admin_password + path: . +data: + chart_name: ucp-keystone + release: ucp-keystone + namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-keystone + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-keystone + post: + create: [] + values: + conf: + logging: + loggers: + keys: + - root + - keystone + handlers: + keys: + - stdout + - stderr + - "null" + - fluent + formatters: + keys: + - context + - default + - fluent + logger_root: + level: WARNING + handlers: null + logger_keystone: + level: INFO + handlers: + - stdout + - stderr + - fluent + qualname: keystone + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: (sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + handler_fluent: + class: 
fluent.handler.FluentHandler + args: ('ucp.keystone', 'fluentd-logging.osh-infra', 24224) + formatter: fluent + formatter_fluent: + class: oslo_log.formatters.FluentFormatter + formatter_context: + class: oslo_log.formatters.ContextFormatter + formatter_default: + format: "%(message)s" + pod: + replicas: + api: 2 + labels: + api: + node_selector_key: ucp-control-plane + node_selector_value: enabled + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + + + dependencies: + - ucp-keystone-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-keystone-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.keystone-htk + dest: + path: .source +data: + chart_name: ucp-keystone-htk + release: ucp-keystone-htk + namespace: ucp-keystone-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/keystone/memcached.yaml b/global/v4.0/software/charts/ucp/keystone/memcached.yaml new file mode 100644 index 000000000..9c70d3197 --- /dev/null +++ b/global/v4.0/software/charts/ucp/keystone/memcached.yaml 
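Review bot: The `# Secrets` substitutions write the same passphrase, `ucp_oslo_messaging_password`, to both `.values.endpoints.oslo_messaging.auth.keystone.password` and `.values.endpoints.oslo_messaging.auth.admin.password`, so the Keystone service account and the broker admin account share one credential. A separate admin passphrase document, as this hunk already uses for the database with `ucp_oslo_db_admin_password`, would keep a leak of the service credential from also exposing the broker admin. Separately, `logger_root` has `handlers: null` unquoted while `handlers.keys` lists `- "null"` quoted. Unquoted, it is a YAML null rather than the handler name, so `handlers: 'null'` looks like what was meant; this is worth confirming against the chart's rendered logging config.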
@@ -0,0 +1,80 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-keystone-memcached
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ # Chart source
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.memcached
+ dest:
+ path: .source
+
+ # Images
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.ucp.memcached
+ dest:
+ path: .values.images.tags
+
+ - src:
+ schema: pegleg/EndpointCatalogue/v1
+ name: ucp_endpoints
+ path: .ucp.oslo_cache
+ dest:
+ path: .values.endpoints.oslo_cache
+data:
+ chart_name: ucp-keystone-memcached
+ release: ucp-keystone-memcached
+ namespace: ucp
+ wait:
+ timeout: 600
+ labels:
+ release_group: ucp-keystone-memcached
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ release_group: ucp-keystone-memcached
+ values:
+ labels:
+ server:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+ dependencies:
+ - ucp-memcached-htk
+...
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-memcached-htk
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .charts.ucp.memcached-htk
+ dest:
+ path: .source
+data:
+ chart_name: ucp-memcached-htk
+ release: ucp-memcached-htk
+ namespace: ucp-memcached-htk
+ values: {}
+ dependencies: []
+...
diff --git a/global/v4.0/software/charts/ucp/promenade/chart-group.yaml b/global/v4.0/software/charts/ucp/promenade/chart-group.yaml
new file mode 100644
index 000000000..dcea4468b
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/promenade/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp-promenade
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ description: Promenade
+ chart_group:
+ - ucp-promenade
diff --git a/global/v4.0/software/charts/ucp/promenade/promenade.yaml b/global/v4.0/software/charts/ucp/promenade/promenade.yaml
new file mode 100644
index 000000000..f363633b9
--- /dev/null
+++ b/global/v4.0/software/charts/ucp/promenade/promenade.yaml
@@ -0,0 +1,135 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-promenade-global + layeringDefinition: + abstract: true + layer: global + labels: + name: ucp-promenade-global + storagePolicy: cleartext + substitutions: + + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.promenade + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.promenade + dest: + path: .values.images.tags + + # Endpoints + + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.kubernetesprovisioner + dest: + path: .values.endpoints.kubernetesprovisioner + + # Credentials + + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.promenade.keystone + dest: + path: .values.endpoints.identity.auth.user + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_promenade_keystone_password + path: . 
+ +data: + chart_name: promenade + release: ucp-promenade + namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-promenade + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-promenade + values: + pod: + replicas: + api: 2 + env: + promenade_api: + # this aligns with drydocks timeouts and allows alow responses to + # download the external kubernetes client .tgz to still succeed + - name: UWSGI_TIMEOUT + value: "900" + conf: + paste: + filter:authtoken: + paste.filter_factory: keystonemiddleware.auth_token:filter_factory + admin_tenant_name: service + admin_user: promenade + delay_auth_decision: true + identity_uri: http://keystone-api.ucp.svc.cluster.local/ + service_token_roles_required: true + dependencies: + - promenade-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: promenade-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.promenade-htk + dest: + path: .source +data: + chart_name: promenade-htk + release: promenade-htk + namespace: promenade-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/charts/ucp/shipyard/chart-group.yaml b/global/v4.0/software/charts/ucp/shipyard/chart-group.yaml new file mode 100644 index 000000000..4dffc6e03 --- /dev/null +++ b/global/v4.0/software/charts/ucp/shipyard/chart-group.yaml @@ -0,0 +1,13 @@ +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-shipyard + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext +data: + description: Shipyard + chart_group: + - ucp-shipyard diff --git a/global/v4.0/software/charts/ucp/shipyard/shipyard.yaml b/global/v4.0/software/charts/ucp/shipyard/shipyard.yaml new file mode 100644 index 000000000..ef24c870b --- /dev/null 
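Review bot: `conf.paste.filter:authtoken` hard-codes `identity_uri: http://keystone-api.ucp.svc.cluster.local/` together with `admin_user: promenade` and `admin_tenant_name: service`, although the same document substitutes `.values.endpoints.identity` and its `auth.user` from the endpoint and account catalogues. If the catalogue entry changes (another host, or an `https` scheme), the token-validation settings here would presumably stay on the literal plain-HTTP URL, so the two can drift. I would derive these values from the catalogue data, or add a comment saying they must be kept in step with `ucp_endpoints`. `delay_auth_decision: true` also deserves a one-line comment such as `# unauthenticated requests reach the API; Promenade's own policy checks must reject them`, since with it the middleware no longer rejects requests itself. The existing comment above `UWSGI_TIMEOUT` reads "allows alow responses", where "slow" is probably meant.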
+++ b/global/v4.0/software/charts/ucp/shipyard/shipyard.yaml 
@@ -0,0 +1,315 @@ +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-shipyard + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + # Chart source + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.shipyard + dest: + path: .source + + # Images + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .images.ucp.shipyard + dest: + path: .values.images.tags + + # Node ports + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.shipyard_api + dest: + path: .values.network.shipyard.node_port + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .node_ports.airflow_web + dest: + path: .values.network.airflow.web.node_port + + # Endpoints + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.identity + dest: + path: .values.endpoints.identity + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.postgresql_shipyard_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql + dest: + path: .values.endpoints.postgresql_airflow_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.postgresql_airflow_celery + dest: + path: .values.endpoints.postgresql_airflow_celery_db + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.shipyard + dest: + path: .values.endpoints.shipyard + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.airflow_web + dest: + path: .values.endpoints.airflow_web + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.airflow_flower + dest: + path: .values.endpoints.airflow_flower + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_messaging + dest: + path: 
.values.endpoints.olso_messaging + - src: + schema: pegleg/EndpointCatalogue/v1 + name: ucp_endpoints + path: .ucp.oslo_cache + dest: + path: .values.endpoints.oslo_cache + + # Database path + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.shipyard.postgres.database + dest: + path: .values.endpoints.postgresql_shipyard_db.path + pattern: 'DB_NAME' + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.airflow.postgres.database + dest: + path: .values.endpoints.postgresql_airflow_db.path + pattern: 'DB_NAME' + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.airflow.postgres.database + dest: + path: .values.endpoints.postgresql_airflow_celery_db.path + pattern: 'DB_NAME' + # Credentials + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql_shipyard_db.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql_airflow_db.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.postgres.admin + dest: + path: .values.endpoints.postgresql_airflow_celery_db.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.keystone.admin + dest: + path: .values.endpoints.identity.auth.admin + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.shipyard.postgres + dest: + path: .values.endpoints.postgresql_shipyard_db.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.airflow.postgres + dest: + path: .values.endpoints.postgresql_airflow_db.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.airflow.postgres + dest: + path: 
.values.endpoints.postgresql_airflow_celery_db.auth.user + - src: + schema: pegleg/AccountCatalogue/v1 + name: ucp_service_accounts + path: .ucp.airflow.oslo_messaging + dest: + path: .values.endpoints.oslo_messaging.auth.user + + # Secrets + - dest: + path: .values.endpoints.identity.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_keystone_admin_password + path: . + - dest: + path: .values.endpoints.postgresql_shipyard_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.postgresql_airflow_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.postgresql_airflow_celery_db.auth.admin.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_postgres_admin_password + path: . + - dest: + path: .values.endpoints.identity.auth.shipyard.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_shipyard_keystone_password + path: . + - dest: + path: .values.endpoints.postgresql_shipyard_db.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_shipyard_postgres_password + path: . + - dest: + path: .values.endpoints.postgresql_airflow_db.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_airflow_postgres_password + path: . + - dest: + path: .values.endpoints.postgresql_airflow_celery_db.auth.user.password + src: + schema: deckhand/Passphrase/v1 + name: ucp_airflow_postgres_password + path: . + - src: + schema: deckhand/Passphrase/v1 + name: ucp_oslo_messaging_password + path: . 
+ dest: + path: .values.endpoints.oslo_messaging.auth.user.password + +data: + chart_name: shipyard + release: ucp-shipyard + namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-shipyard + install: + no_hooks: false + upgrade: + no_hooks: false + pre: + delete: + - type: job + labels: + release_group: ucp-shipyard + values: + endpoints: + postgresql_airflow_db: + name: postgresql + hosts: + default: postgresql + path: /DB_NAME + scheme: postgresql+psycopg2 + port: + postgresql: + default: 5432 + host_fqdn_override: + default: null + postgresql_shipyard_db: + name: postgresql + hosts: + default: postgresql + path: /DB_NAME + scheme: postgresql+psycopg2 + port: + postgresql: + default: 5432 + host_fqdn_override: + default: null + prod_environment: true + pod: + replicas: + shipyard: + api: 2 + airflow: + web: 2 + worker: 2 + flower: 2 + scheduler: 2 + labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled + network: + shipyard: + enable_node_port: true + airflow: + web: + enable_node_port: true + conf: + shipyard: + keystone_authtoken: + memcache_security_strategy: None + dependencies: + - shipyard-htk +... +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: shipyard-htk + layeringDefinition: + abstract: false + layer: global + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/SoftwareVersions/v1 + name: software-versions + path: .charts.ucp.shipyard-htk + dest: + path: .source +data: + chart_name: shipyard-htk + release: shipyard-htk + namespace: shipyard-htk + values: {} + dependencies: [] +... diff --git a/global/v4.0/software/config/Docker.yaml b/global/v4.0/software/config/Docker.yaml new file mode 100644 index 000000000..e0bf29c9f --- /dev/null +++ b/global/v4.0/software/config/Docker.yaml 
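Review bot: The endpoint substitution for `.ucp.oslo_messaging` has `dest.path: .values.endpoints.olso_messaging` (`olso`, not `oslo`), so the catalogue entry lands under a key the chart most likely never reads. The credential substitutions further down write to `.values.endpoints.oslo_messaging.auth.user`, so the line should read `path: .values.endpoints.oslo_messaging`. In `data.values.conf.shipyard.keystone_authtoken`, `memcache_security_strategy: None` leaves cached token data in memcached neither signed nor encrypted. If that is intended, a comment should say so; otherwise `MAC` or `ENCRYPT` with a `memcache_secret_key` taken from a passphrase document is the usual hardening. `network.airflow.web.enable_node_port: true` also exposes the Airflow web UI on a node port from the global layer, which may be better left to site overrides.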
@@ -0,0 +1,16 @@
+---
+schema: promenade/Docker/v1
+metadata:
+ schema: metadata/Document/v1
+ name: docker-global
+ labels:
+ promenade: enabled
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ config:
+ live-restore: true
+ storage-driver: overlay2
+...
diff --git a/global/v4.0/software/config/Kubelet.yaml b/global/v4.0/software/config/Kubelet.yaml
new file mode 100644
index 000000000..245e35127
--- /dev/null
+++ b/global/v4.0/software/config/Kubelet.yaml
@@ -0,0 +1,25 @@
+---
+schema: promenade/Kubelet/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubelet
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .images.kubernetes.pause
+ dest:
+ path: .images.pause
+data:
+ arguments:
+ - --cni-bin-dir=/opt/cni/bin
+ - --cni-conf-dir=/etc/cni/net.d
+ - --eviction-max-pod-grace-period=-1
+ - --network-plugin=cni
+ - --node-status-update-frequency=5s
+ - --max-pods=200
+ - --pods-per-core=10
diff --git a/global/v4.0/software/config/versions.yaml b/global/v4.0/software/config/versions.yaml
new file mode 100644
index 000000000..2950ae819
--- /dev/null
+++ b/global/v4.0/software/config/versions.yaml
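Review bot: The `arguments` list in Kubelet.yaml sets CNI, eviction and pod-count flags but nothing for kubelet API authentication or authorization. Unless Promenade's templates add them elsewhere (not visible in this hunk), the kubelet would run with its defaults for `--anonymous-auth`, `--authorization-mode` and `--read-only-port`. I would add `- --anonymous-auth=false`, `- --authorization-mode=Webhook` and `- --read-only-port=0` here, together with the `--client-ca-file` path the deployment provisions. Alternatively, a comment could point to where those flags are set.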
@@ -0,0 +1,904 @@ +--- +schema: pegleg/SoftwareVersions/v1 +metadata: + schema: metadata/Document/v1 + name: software-versions + layeringDefinition: + abstract: false + layer: global + labels: + name: software-versions-global + storagePolicy: cleartext +data: + charts: + kubernetes: + calico: + etcd: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/etcd + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + etcd-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + calico: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: calico + reference: c0c5199fb20335b3e8839163129372059a876ce8 + calico-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + apiserver: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/apiserver + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + apiserver-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + controller-manager: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/controller_manager + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + controller-manager-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + coredns: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/coredns + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + coredns-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: 
c0c5199fb20335b3e8839163129372059a876ce8 + haproxy: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/haproxy + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + haproxy-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + etcd: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/etcd + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + etcd-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + ingress: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ingress + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ingress-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + proxy: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/proxy + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + proxy-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + scheduler: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/scheduler + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + scheduler-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + osh_infra: + helm_toolkit: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + elasticsearch: + type: git + location: 
https://git.openstack.org/openstack/openstack-helm-infra + subpath: elasticsearch + reference: c0c5199fb20335b3e8839163129372059a876ce8 + fluent_logging: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: fluent-logging + reference: c0c5199fb20335b3e8839163129372059a876ce8 + kibana: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: kibana + reference: c0c5199fb20335b3e8839163129372059a876ce8 + prometheus: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: prometheus + reference: c0c5199fb20335b3e8839163129372059a876ce8 + prometheus_node_exporter: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: prometheus-node-exporter + reference: c0c5199fb20335b3e8839163129372059a876ce8 + prometheus_kube_state_metrics: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: prometheus-kube-state-metrics + reference: c0c5199fb20335b3e8839163129372059a876ce8 + prometheus_alertmanager: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: prometheus-alertmanager + reference: c0c5199fb20335b3e8839163129372059a876ce8 + grafana: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: grafana + reference: c0c5199fb20335b3e8839163129372059a876ce8 + prometheus_openstack_exporter: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: prometheus-openstack-exporter + reference: c0c5199fb20335b3e8839163129372059a876ce8 + nagios: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: nagios + reference: c0c5199fb20335b3e8839163129372059a876ce8 + osh: + helm_toolkit: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + barbican: + type: git + 
location: https://git.openstack.org/openstack/openstack-helm + subpath: barbican + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + cinder: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: cinder + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + glance: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: glance + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + heat: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: heat + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + horizon: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: horizon + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ingress: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ingress + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + keystone: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: keystone + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + libvirt: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: libvirt + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + mariadb: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: mariadb + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + memcached: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: memcached + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + neutron: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: neutron + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + nova: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: nova + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + openvswitch: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: openvswitch + reference: 
fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + rabbitmq: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: rabbitmq + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ucp: + armada: + type: git + location: https://git.openstack.org/openstack/airship-armada + subpath: charts/armada + reference: 41683606507f4c391ba0d9f5ac932672596db7e2 + armada-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + barbican: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: barbican + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + barbican-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + ceph-mon: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ceph-mon + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ceph-osd: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ceph-osd + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ceph-client: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ceph-client + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ceph-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + deckhand: + type: git + location: https://git.openstack.org/openstack/airship-deckhand + subpath: charts/deckhand + reference: 9b6eb81c824374303d4a4394f5c6ecfc20c48c92 + deckhand-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: helm-toolkit + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + divingbell: + type: git + location: https://git.openstack.org/openstack/airship-divingbell + subpath: divingbell + 
reference: 4e074ec0c24ec285dc3ac02e2a347a0033dad454 + divingbell-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + drydock: + type: git + location: https://git.openstack.org/openstack/airship-drydock + subpath: charts/drydock + reference: 246775da422db523304a5d27f45bba6c18789d2e + drydock-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: helm-toolkit + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ingress: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: ingress + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + ingress-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + postgresql: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: postgresql + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + postgresql-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + promenade: + type: git + location: https://git.openstack.org/openstack/airship-promenade + subpath: charts/promenade + reference: 7a06bef72c0bfd799c2353b8213627f6a0826251 + promenade-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + keystone: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: keystone + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + keystone-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + maas: + type: git + location: 
https://git.openstack.org/openstack/airship-maas + subpath: charts/maas + reference: 10d4966810bab5d815245820db7dc5ae160e6c4f + maas-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: helm-toolkit + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + mariadb: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: mariadb + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + mariadb-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + memcached: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: memcached + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + memcached-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + rabbitmq: + type: git + location: https://git.openstack.org/openstack/openstack-helm + subpath: rabbitmq + reference: fbfcb51c31e21331ceb20b6108b739c5e2ad48f5 + rabbitmq-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + shipyard: + type: git + location: https://git.openstack.org/openstack/airship-shipyard + subpath: charts/shipyard + reference: 0341954f0004311ffd07109cbfaa9c3350a9b01b + shipyard-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + tiller: + type: git + location: https://git.openstack.org/openstack/airship-armada + subpath: charts/tiller + reference: 41683606507f4c391ba0d9f5ac932672596db7e2 + tiller-htk: + type: git + location: https://git.openstack.org/openstack/openstack-helm-infra + subpath: helm-toolkit + reference: c0c5199fb20335b3e8839163129372059a876ce8 + files: + 
kubelet: https://dl.k8s.io/v1.10.2/kubernetes-node-linux-amd64.tar.gz + + images_refs: + images: + dep_check: &dep_check quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + heat: &heat docker.io/openstackhelm/heat:ocata + neutron: &neutron docker.io/openstackhelm/neutron:ocata + horizon: &horizon docker.io/openstackhelm/horizon:ocata + cinder: &cinder docker.io/openstackhelm/cinder:ocata + keystone: &keystone docker.io/openstackhelm/keystone:ocata + nova: &nova docker.io/openstackhelm/nova:ocata + glance: &glance docker.io/openstackhelm/glance:ocata + rabbitmq: &rabbitmq docker.io/rabbitmq:3.7-management + rally_test: &rally_test docker.io/kolla/ubuntu-source-rally:4.0.0 + memcached: &memcached docker.io/memcached:1.5.5 + mariadb_db: &mariadb_db docker.io/mariadb:10.2.13 + nova_novncproxy: &nova_novncproxy docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3 + nova_spiceproxy: &nova_spiceproxy docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:3.0.3 + ceph_daemon: &ceph_daemon docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04 + openvswitch: &openvswitch docker.io/openstackhelm/openvswitch:v2.8.1 + os_barbican: &os_barbican docker.io/kolla/ubuntu-source-barbican-api:3.0.3 + libvirt: &libvirt docker.io/openstackhelm/libvirt:ubuntu-xenial-1.3.1 + ingress_controller: &ingress_controller quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + ingress_error_pages: &ingress_error_pages gcr.io/google-containers/defaultbackend:1.0 + # should probably be moved to https://quay.io/repository/airshipit/ + storage_init: &storage_init docker.io/port/ceph-config-helper:v1.10.3 + keystone: &ref_keystone + ks_endpoints: *heat + ks_service: *heat + ks_user: *heat + + images: + ucp: + armada: + api: quay.io/airshipit/armada:41683606507f4c391ba0d9f5ac932672596db7e2 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + ks_endpoints: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_user: 
docker.io/openstackhelm/heat:ocata + image_repo_sync: docker.io/docker:17.07.0 + helm: docker.io/lachlanevenson/k8s-helm:v2.7.2 + tiller: gcr.io/kubernetes-helm/tiller:v2.7.2 + promenade: + promenade: quay.io/airshipit/promenade:7a06bef72c0bfd799c2353b8213627f6a0826251 + ks_user: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_endpoints: docker.io/openstackhelm/heat:ocata + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + deckhand: + deckhand: quay.io/airshipit/deckhand:64975c820afa84a9753fb6d71670f3e65e8d9824 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + db_init: docker.io/postgres:9.5 + db_sync: quay.io/airshipit/deckhand:64975c820afa84a9753fb6d71670f3e65e8d9824 + ks_endpoints: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_user: docker.io/openstackhelm/heat:ocata + barbican: + bootstrap: docker.io/openstackhelm/heat:ocata + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + scripted_test: docker.io/openstackhelm/heat:ocata + db_init: docker.io/openstackhelm/heat:ocata + barbican_db_sync: docker.io/kolla/ubuntu-source-barbican-api:3.0.3 + db_drop: docker.io/openstackhelm/heat:ocata + ks_endpoints: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_user: docker.io/openstackhelm/heat:ocata + barbican_api: docker.io/kolla/ubuntu-source-barbican-api:3.0.3 + rabbit_init: docker.io/rabbitmq:3.7-management + divingbell: + divingbell: docker.io/ubuntu:16.04 + drydock: + drydock: quay.io/airshipit/drydock:246775da422db523304a5d27f45bba6c18789d2e + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + ks_user: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_endpoints: docker.io/openstackhelm/heat:ocata + drydock_db_init: docker.io/postgres:9.5 + drydock_db_sync: 
quay.io/airshipit/drydock:246775da422db523304a5d27f45bba6c18789d2e + ingress: + entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google-containers/defaultbackend:1.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + shipyard: + # should probably point to docker.io/puckel/docker-airflow:xxxxxx + airflow: quay.io/airshipit/airflow:20c27eed6669b72e13a97f6551fb0eee045be8ae + shipyard: quay.io/airshipit/shipyard:20c27eed6669b72e13a97f6551fb0eee045be8ae + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + shipyard_db_init: docker.io/postgres:9.5 + shipyard_db_sync: quay.io/airshipit/shipyard:20c27eed6669b72e13a97f6551fb0eee045be8ae + airflow_db_init: docker.io/postgres:9.5 + # should probably point to docker.io/puckel/docker-airflow:xxxxxx + airflow_db_sync: quay.io/airshipit/airflow:20c27eed6669b72e13a97f6551fb0eee045be8ae + ks_user: docker.io/openstackhelm/heat:ocata + ks_service: docker.io/openstackhelm/heat:ocata + ks_endpoints: docker.io/openstackhelm/heat:ocata + image_repo_sync: docker.io/docker:17.07.0 + maas: + db_init: docker.io/postgres:9.5 + db_sync: quay.io/airshipit/maas-region-controller:10d4966810bab5d815245820db7dc5ae160e6c4f + maas_rack: quay.io/airshipit/maas-rack-controller:10d4966810bab5d815245820db7dc5ae160e6c4f + maas_region: quay.io/airshipit/maas-region-controller:10d4966810bab5d815245820db7dc5ae160e6c4f + bootstrap: quay.io/airshipit/maas-region-controller:10d4966810bab5d815245820db7dc5ae160e6c4f + export_api_key: quay.io/airshipit/maas-region-controller:10d4966810bab5d815245820db7dc5ae160e6c4f + maas_cache: quay.io/airshipit/sstream-cache:10d4966810bab5d815245820db7dc5ae160e6c4f + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + keystone: + bootstrap: docker.io/openstackhelm/heat:ocata + test: docker.io/kolla/ubuntu-source-rally:4.0.0 + db_init: 
docker.io/openstackhelm/heat:ocata + keystone_db_sync: docker.io/openstackhelm/keystone:ocata + db_drop: docker.io/openstackhelm/heat:ocata + ks_user: docker.io/openstackhelm/heat:ocata + keystone_fernet_setup: docker.io/openstackhelm/keystone:ocata + keystone_fernet_rotate: docker.io/openstackhelm/keystone:ocata + keystone_credential_setup: docker.io/openstackhelm/keystone:ocata + keystone_credential_rotate: docker.io/openstackhelm/keystone:ocata + keystone_api: docker.io/openstackhelm/keystone:ocata + keystone_domain_manage: docker.io/openstackhelm/keystone:ocata + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + rabbit_init: docker.io/rabbitmq:3.7-management + image_repo_sync: docker.io/docker:17.07.0 + tiller: + tiller: gcr.io/kubernetes-helm/tiller:v2.7.2 + mariadb: + mariadb: docker.io/mariadb:10.2.13 + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google-containers/defaultbackend:1.0 + prometheus_create_mysql_user: docker.io/mariadb:10.2.13 + prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.10.0 + prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:ocata + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + postgresql: + postgresql: docker.io/postgres:9.5 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + memcached: + memcached: docker.io/memcached:1.5.5 + prometheus_memcached_exporter: docker.io/prom/memcached-exporter:v0.4.1 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + rabbitmq: + prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0 + prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata + rabbitmq: docker.io/rabbitmq:3.7.4 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + scripted_test: docker.io/rabbitmq:3.7-management + 
image_repo_sync: docker.io/docker:17.07.0 + osh: + memcached: + dep_check: *dep_check + memcached: *memcached + barbican: + bootstrap: *heat + dep_check: *dep_check + scripted_test: *heat + db_init: *heat + barbican_db_sync: *os_barbican + db_drop: *heat + <<: *ref_keystone + barbican_api: *os_barbican + rabbit_init: *rabbitmq + cinder: + test: *rally_test + db_init: *heat + cinder_db_sync: *cinder + db_drop: *heat + <<: *ref_keystone + cinder_api: *cinder + bootstrap: *heat + cinder_scheduler: *cinder + cinder_volume: *cinder + cinder_volume_usage_audit: *cinder + cinder_storage_init: *storage_init + cinder_backup: *cinder + cinder_backup_storage_init: *storage_init + dep_check: *dep_check + rabbit_init: *rabbitmq + glance: + test: *rally_test + glance_storage_init: *storage_init + db_init: *heat + glance_db_sync: *glance + db_drop: *heat + <<: *ref_keystone + glance_api: *glance + glance_registry: *glance + # Bootstrap image requires curl + bootstrap: *heat + dep_check: *dep_check + rabbit_init: *rabbitmq + heat: + bootstrap: *heat + db_init: *heat + heat_db_sync: *heat + db_drop: *heat + <<: *ref_keystone + heat_api: *heat + heat_cfn: *heat + heat_cloudwatch: *heat + heat_engine: *heat + heat_engine_cleaner: *heat + dep_check: *dep_check + rabbit_init: *rabbitmq + horizon: + db_init: *heat + horizon_db_sync: *horizon + db_drop: *heat + horizon: *horizon + dep_check: *dep_check + ingress: + entrypoint: *dep_check + ingress: *ingress_controller + error_pages: *ingress_error_pages + dep_check: *dep_check + keystone: + bootstrap: *heat + test: *rally_test + db_init: *heat + keystone_db_sync: *keystone + db_drop: *heat + <<: *ref_keystone + keystone_fernet_setup: *keystone + keystone_fernet_rotate: *keystone + keystone_credential_setup: *keystone + keystone_credential_rotate: *keystone + keystone_api: *keystone + keystone_domain_manage: *keystone + dep_check: *dep_check + rabbit_init: *rabbitmq + libvirt: + libvirt: *libvirt + dep_check: *dep_check + mariadb: + 
mariadb: *mariadb_db + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google-containers/defaultbackend:1.0 + prometheus_create_mysql_user: *mariadb_db + prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.10.0 + prometheus_mysql_exporter_helm_tests: *heat + dep_check: *dep_check + image_repo_sync: docker.io/docker:17.07.0 + neutron: + bootstrap: *heat + test: *rally_test + db_init: *heat + neutron_db_sync: *neutron + db_drop: *heat + <<: *ref_keystone + neutron_server: *neutron + neutron_dhcp: *neutron + neutron_metadata: *neutron + neutron_l3: *neutron + neutron_openvswitch_agent: *neutron + neutron_linuxbridge_agent: *neutron + dep_check: *dep_check + rabbit_init: *rabbitmq + nova: + bootstrap: *heat + db_drop: *heat + db_init: *heat + dep_check: *dep_check + <<: *ref_keystone + nova_api: *nova + nova_cell_setup: *nova + nova_cell_setup_init: *heat + nova_compute: *nova + nova_compute_ssh: *nova + nova_conductor: *nova + nova_consoleauth: *nova + nova_db_sync: *nova + nova_novncproxy: *nova + nova_novncproxy_assets: *nova_novncproxy + nova_placement: *nova + nova_scheduler: *nova + nova_spiceproxy: *nova + nova_spiceproxy_assets: *nova_spiceproxy + test: *rally_test + rabbit_init: *rabbitmq + openvswitch: + openvswitch_db_server: *openvswitch + openvswitch_vswitchd: *openvswitch + dep_check: *dep_check + rabbitmq: + prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0 + prometheus_rabbitmq_exporter_helm_tests: *heat + rabbitmq: docker.io/rabbitmq:3.7.4 + dep_check: *dep_check + osh_infra: + elasticsearch: + apache_proxy: docker.io/httpd:2.4 + memory_init: *heat + curator: docker.io/bobrik/curator:5.2.0 + elasticsearch: docker.io/elasticsearch:5.6.4 + helm_tests: *heat + prometheus_elasticsearch_exporter: docker.io/justwatch/elasticsearch_exporter:1.0.1 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + snapshot_repository: *heat + image_repo_sync: 
docker.io/docker:17.07.0 + fluent_logging: + fluentbit: docker.io/fluent-bit:0.12.14 + fluentd: docker.io/kolla/ubuntu-source-fluentd:ocata + # should be moved to somewhere... + prometheus_fluentd_exporter: docker.io/srwilkers/fluentd_exporter:v0.1 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + helm_tests: *heat + elasticsearch_template: *heat + image_repo_sync: docker.io/docker:17.07.0 + kibana: + apache_proxy: docker.io/httpd:2.4 + kibana: docker.elastic.co/kibana/kibana:5.6.4 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + prometheus: + prometheus: docker.io/prom/prometheus:v2.0.0 + helm_tests: *heat + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + prometheus_node_exporter: + node_exporter: docker.io/prom/node-exporter:v0.15.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + prometheus_kube_state_metrics: + kube_state_metrics: docker.io/bitnami/kube-state-metrics:1.3.1 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + prometheus_alertmanager: + alertmanager: docker.io/prom/alertmanager:v0.11.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + prometheus_openstack_exporter: + prometheus_openstack_exporter: quay.io/attcomdev/prometheus-openstack-exporter:3231f14419f0c47547ce2551b7d884cd222104e6 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + <<: *ref_keystone + grafana: + grafana: docker.io/grafana/grafana:5.0.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + db_init: *heat + grafana_db_session_sync: *heat + image_repo_sync: docker.io/docker:17.07.0 + nagios: + apache_proxy: docker.io/httpd:2.4 + # should probably be moved to airshipit + # 'latest' refers to 
'4852dfd1455db6fb2330744c599b0c2ada3c78f5', however latest pushed is '11b061a3afe6e4671d98900d7249b5ad5090fd73' + nagios: quay.io/attcomdev/nagios:4852dfd1455db6fb2330744c599b0c2ada3c78f5 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + ceph: + ceph-mon: + fluentbit: docker.io/fluent-bit:0.12.14 + ceph_bootstrap: *ceph_daemon + ceph_config_helper: docker.io/port/ceph-config-helper:v1.10.3 + ceph_mon: *ceph_daemon + ceph_mon_check: docker.io/port/ceph-config-helper:v1.10.3 + dep_check: *dep_check + image_repo_sync: docker.io/docker:17.07.0 + ceph-osd: + fluentbit: docker.io/fluent-bit:0.12.14 + ceph_osd: *ceph_daemon + ceph_bootstrap: *ceph_daemon + dep_check: *dep_check + image_repo_sync: docker.io/docker:17.07.0 + ceph-client: + ceph_bootstrap: *ceph_daemon + ceph_cephfs_provisioner: quay.io/external_storage/cephfs-provisioner:v0.1.1 + ceph_config_helper: docker.io/port/ceph-config-helper:v1.10.3 + ceph_mds: *ceph_daemon + ceph_mgr: *ceph_daemon + ceph_rbd_pool: docker.io/port/ceph-config-helper:v1.10.3 + ceph_rbd_provisioner: quay.io/external_storage/rbd-provisioner:v0.1.1 + ceph_rgw: *ceph_daemon + dep_check: *dep_check + <<: *ref_keystone + image_repo_sync: docker.io/docker:17.07.0 + kubernetes: + apiserver: + anchor: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + apiserver: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + controller-manager: + anchor: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + controller_manager: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + coredns: + coredns: docker.io/coredns/coredns:1.1.2 + test: docker.io/coredns/coredns:1.1.2 + haproxy: + haproxy: docker.io/haproxy:1.8.3 + anchor: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + test: docker.io/python:3.6 + etcd: + # quay.io/coreos/etcd:v3.2.14 + etcd: quay.io/coreos/etcd:v3.2.14 + 
etcdctl: quay.io/coreos/etcd:v3.2.14 + ingress: + entrypoint: *dep_check + ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 + error_pages: gcr.io/google-containers/defaultbackend:1.0 + dep_check: *dep_check + image_repo_sync: docker.io/docker:17.07.0 + + kubectl: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + pause: gcr.io/google-containers/pause-amd64:3.1 + + scheduler: + anchor: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + scheduler: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + proxy: + proxy: gcr.io/google-containers/hyperkube-amd64:v1.10.2 + calico: + etcd: + etcd: quay.io/coreos/etcd:v3.2.14 + etcdctl: quay.io/coreos/etcd:v3.2.14 + calico: + calico_etcd: quay.io/coreos/etcd:v3.2.14 + calico_node: quay.io/calico/node:v2.6.9 + calico_cni: quay.io/calico/cni:v1.11.5 + calico_ctl: quay.io/calico/ctl:v1.6.4 + calico_settings: quay.io/calico/ctl:v1.6.4 + calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + image_repo_sync: docker.io/docker:17.07.0 + + packages: + repositories: + main_archive: + repo_type: apt + url: 'http://us.archive.ubuntu.com/ubuntu' + distributions: + - 'xenial' + components: + - 'main' + - 'universe' + - 'multiverse' + subrepos: + - 'security' + - 'updates' + - 'backports' + docker: + repo_type: apt + url: 'http://apt.dockerproject.org/repo' + distributions: + - ubuntu-xenial + components: + - main + gpgkey: |- + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + 
NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP PUBLIC KEY BLOCK----- + named: + docker: docker-engine=1.13.1-0~ubuntu-xenial + socat: socat=1.7.3.1-1 + unnamed: + - ceph-common=10.2.10-0ubuntu0.16.04.1 +... diff --git a/global/v4.0/software/manifests/bootstrap.yaml b/global/v4.0/software/manifests/bootstrap.yaml new file mode 100644 index 000000000..aca7cc38d --- /dev/null +++ b/global/v4.0/software/manifests/bootstrap.yaml 
@@ -0,0 +1,29 @@
+---
+schema: armada/Manifest/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cluster-bootstrap
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+data:
+ release_prefix: airship
+ chart_groups:
+ - kubernetes-proxy
+ - kubernetes-container-networking
+ - kubernetes-dns
+ - kubernetes-etcd
+ - kubernetes-haproxy
+ - kubernetes-core
+ - ingress-kube-system
+ - ucp-ceph
+ - ucp-ceph-config
+ - ucp-core
+ - ucp-keystone
+ - ucp-divingbell
+ - ucp-armada
+ - ucp-deckhand
+ - ucp-drydock
+ - ucp-promenade
+ - ucp-shipyard
diff --git a/global/v4.0/software/manifests/full-site.yaml b/global/v4.0/software/manifests/full-site.yaml
new file mode 100644
index 000000000..ed3a5015d
--- /dev/null
+++ b/global/v4.0/software/manifests/full-site.yaml
@@ -0,0 +1,52 @@
+---
+schema: armada/Manifest/v1
+metadata:
+ schema: metadata/Document/v1
+ name: full-site-global
+ layeringDefinition:
+ abstract: true
+ layer: global
+ labels:
+ name: full-site-global
+ storagePolicy: cleartext
+data:
+ release_prefix: airship
+ chart_groups:
+ - kubernetes-proxy
+ - kubernetes-container-networking
+ - kubernetes-dns
+ - kubernetes-etcd
+ - kubernetes-haproxy
+ - kubernetes-core
+ - ingress-kube-system
+ - ucp-ceph-update
+ - ucp-ceph-config
+ - ucp-core
+ - ucp-keystone
+ - ucp-divingbell
+ - ucp-armada
+ - ucp-deckhand
+ - ucp-drydock
+ - ucp-promenade
+ - ucp-shipyard
+ - osh-infra-ingress-controller
+ - osh-infra-ceph-config
+ - osh-infra-logging
+ - osh-infra-monitoring
+ - osh-infra-mariadb
+ - osh-infra-dashboards
+ - openstack-ingress-controller
+ - openstack-ceph-config
+ - openstack-mariadb
+ - openstack-memcached
+ - openstack-compute-services
+ - openstack-keystone
+ - openstack-radosgw
+ - openstack-glance
+ - openstack-cinder
+ - openstack-compute-kit
+ - openstack-heat
+ - osh-infra-prometheus-openstack-exporter
+ - openstack-horizon
+ - openstack-barbican
+...
diff --git a/site/airship-seaworthy/baremetal/bootactions/promjoin.yaml b/site/airship-seaworthy/baremetal/bootactions/promjoin.yaml
new file mode 100644
index 000000000..1042934a5
--- /dev/null
+++ b/site/airship-seaworthy/baremetal/bootactions/promjoin.yaml
@@ -0,0 +1,32 @@
+---
+# This file defines a boot action which is responsible for fetching the node's
+# promjoin script from the promenade API. This is the script responsible for
+# installing kubernetes on the node and joining the kubernetes cluster.
+# #GLOBAL-CANDIDATE#
+schema: 'drydock/BootAction/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: promjoin
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: site
+ labels:
+ application: 'drydock'
+data:
+ signaling: false
+ # TODO(alanmeadows) move what is global about this document
+ assets:
+ - path: /opt/promjoin.sh
+ type: file
+ permissions: '555'
+ # The ip= parameter must match the MaaS network name of the network used
+ # to contact kubernetes. With a standard, reference Airship deployment where
+ # L2 networks are shared between all racks, the network name (i.e. calico)
+ # should be correct.
+ location: promenade+http://promenade-api.ucp.svc.cluster.local/api/v1.0/join-scripts?design_ref={{ action.design_ref | urlencode }}&hostname={{ node.hostname }}&ip={{ node.network.calico.ip }}{% for k, v in node.labels.items() %}&labels.dynamic={{ k }}={{ v }}{% endfor %}
+ location_pipeline:
+ - template
+ data_pipeline:
+ - utf8_decode
+...
diff --git a/site/airship-seaworthy/baremetal/nodes.yaml b/site/airship-seaworthy/baremetal/nodes.yaml
new file mode 100644
index 000000000..ee88a16a8
--- /dev/null
+++ b/site/airship-seaworthy/baremetal/nodes.yaml
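Review bot: In the `location:` template of promjoin.yaml only `action.design_ref` is passed through `urlencode`; `node.hostname`, `node.network.calico.ip` and the label `k`/`v` pairs are interpolated raw into the query string. A label key or value containing `&`, `=` or `#` would change which parameters the promenade API receives, so I would encode them the same way: `&hostname={{ node.hostname | urlencode }}` and `&labels.dynamic={{ k | urlencode }}={{ v | urlencode }}`. Separately, the join script is fetched over plain `http` and written with `permissions: '555'`; because it is the script that installs Kubernetes and joins the node to the cluster, it is worth confirming that the in-cluster path is trusted and, if the script carries any join credentials (not visible here), tightening the mode so it is not world-readable.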
@@ -0,0 +1,254 @@
+---
+# Drydock BaremetalNode resources for a specific rack are stored in this file.
+#
+# NOTE: For new sites, you should complete the networks/physical/networks.yaml
+# file before working on this file.
+#
+# In this file, you should make the number of `drydock/BaremetalNode/v1`
+# resources equal the number of bare metal nodes you have, either by deleting
+# excess BaremetalNode definitions (if there are too many), or by copying and
+# pasting the last BaremetalNode in the file until you have the correct number
+# of baremetal nodes (if there are too few).
+#
+# Then in each file, address all additional NEWSITE-CHANGEME markers to update
+# the data in these files with the right values for your new site.
+#
+# *NOTE: The Genesis node is counted as one of the control plane nodes. Note
+# that the Genesis node does not appear on this bare metal list, because the
+# procedure to reprovision the Genesis host with MaaS has not yet been
+# implemented. Therefore there will be only three bare metal nodes in this file
+# with the 'masters' tag, as the genesis roles are assigned in a difference
+# place (profiles/genesis.yaml).
+# NOTE: The host profiles for the control plane are further divided into two
+# variants: primary and secondary. The only significance this has is that the
+# "primary" nodes are active Ceph nodes, whereas the "secondary" nodes are Ceph
+# standby nodes. For Ceph quorum, this means that the control plane split will
+# be 3 primary + 1 standby host profile, and the Genesis node counts toward one
+# of the 3 primary profiles. Other control plane services are not affected by
+# primary vs secondary designation.
+#
+# TODO: Include the hostname naming convention
+#
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: Replace with the hostname of the first node in the rack,
+ # after (excluding) genesis.
+ name: cab23-r720-12
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: The IPv4 address assigned to each logical network on this
+ # node. In the reference Airship deployment, this is all logical Networks defined
+ # in networks/physical/networks.yaml. IP addresses are manually assigned, by-hand.
+ # (what could possibly go wrong!) The instructions differ for each logical
+ # network, which are laid out below.
+ addressing:
+ # The iDrac/iLo IP of the node. It's important that this match up with the
+ # node's hostname above, so that the rack number and node position encoded
+ # in the hostname are accurate and matching the node that IPMI operations
+ # will be performed against (for poweron, poweroff, PXE boot to wipe disk or
+ # reconfigure identity, etc - very important to get right for these reasons).
+ # These addresses should already be assigned to nodes racked and stacked in
+ # the environment; these are not addresses which MaaS assigns.
+ - network: oob
+ address: 10.23.104.12
+ # The IP of the node on the PXE network. Refer to the static IP range
+ # defined for the PXE network in networks/physical/networks.yaml. Begin allocating
+ # IPs from this network, starting with the second IP (inclusive) from the
+ # allocation range of this subnet (Genesis node will have the first IP).
+ # Ex: If the start IP for the PXE "static" network is 10.23.20.11, then
+ # genesis will have 10.23.20.11, this node will have 10.23.20.12, and
+ # so on with incrementing IP addresses with each additional node.
+ - network: pxe
+ address: 10.23.20.12
+ # Genesis node gets first IP, all other nodes increment IPs from there
+ # within the allocation range defined for the network in
+ # networks/physical/networks.yaml
+ - network: oam
+ address: 10.23.21.12
+ # Genesis node gets first IP, all other nodes increment IPs from there
+ # within the allocation range defined for the network in
+ # networks/physical/networks.yaml
+ - network: storage
+ address: 10.23.23.12
+ # Genesis node gets first IP, all other nodes increment IPs from there
+ # within the allocation range defined for the network in
+ # networks/physical/networks.yaml
+ - network: overlay
+ address: 10.23.24.12
+ # Genesis node gets first IP, all other nodes increment IPs from there
+ # within the allocation range defined for the network in
+ # networks/physical/networks.yaml
+ - network: calico
+ address: 10.23.22.12
+ # NEWSITE-CHANGEME: Set the host profile for the node.
+ # Note that there are different host profiles depending if this is a control
+ # plane vs data plane node, and different profiles that map to different types
+ # hardware. Control plane host profiles are further broken down into "primary"
+ # and "secondary" profiles (refer to the Notes section at the top of this doc).
+ # Select the host profile that matches up to your type of
+ # hardware and function. E.g., the r720 here refers to Dell R720 hardware, the
+ # 'cp' refers to a control plane profile, and the "primary" means it will be
+ # an active member in the ceph quorum. Refer to profiles/host/ for the list
+ # of available host profiles specific to this site (otherwise, you may find
+ # a general set of host profiles at the "type" or "global" layers/folders.
+ # If you have hardware that is not on this list of profiles, you may need to
+ # create a new host profile for that hardware.
+ # Regarding control plane vs other data plane profiles, refer to the notes at
+ # the beginning of this file. There should be one control plane node per rack,
+ # including Genesis. Note Genesis won't actually be listed in this file as a
+ # BaremetalNode, but the rest are.
+ # This is the second "primary" control plane node after Genesis.
+ host_profile: cp_r720-primary
+ metadata:
+ tags:
+ # NEWSITE-CHANGEME: See previous comment. Apply 'masters' tag for control
+ # plane node, and 'workers' tag for data plane hosts.
+ - 'masters'
+ # NEWSITE-CHANGEME: Refer to site engineering package or other supporting
+ # documentation for the specific rack name. This should be a rack name that
+ # is meaningful to data center personnel (i.e. a rack they could locate if
+ # you gave them this rack designation).
+ rack: cab23
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: The next node's hostname
+ name: cab23-r720-13
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: The next node's IPv4 addressing
+ addressing:
+ - network: oob
+ address: 10.23.104.13
+ - network: pxe
+ address: 10.23.20.13
+ - network: oam
+ address: 10.23.21.13
+ - network: storage
+ address: 10.23.23.13
+ - network: overlay
+ address: 10.23.24.13
+ - network: calico
+ address: 10.23.22.13
+ # NEWSITE-CHANGEME: The next node's host profile
+ host_profile: cp_r720-primary
+ metadata:
+ # NEWSITE-CHANGEME: The next node's rack designation
+ rack: cab23
+ # NEWSITE-CHANGEME: The next node's role desigatnion
+ tags:
+ - 'masters'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: The next node's hostname
+ name: cab23-r720-14
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: The next node's IPv4 addressing
+ addressing:
+ - network: oob
+ address: 10.23.104.14
+ - network: pxe
+ address: 10.23.20.14
+ - network: oam
+ address: 10.23.21.14
+ - network: storage
+ address: 10.23.23.14
+ - network: overlay
+ address: 10.23.24.14
+ - network: calico
+ address: 10.23.22.14
+ # NEWSITE-CHANGEME: The next node's host profile
+ # This is the third "primary" control plane profile after genesis
+ host_profile: cp_r740-secondary
+ metadata:
+ # NEWSITE-CHANGEME: The next node's rack designation
+ rack: cab23
+ # NEWSITE-CHANGEME: The next node's role desigatnion
+ tags:
+ - 'masters'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: The next node's hostname
+ name: cab23-r720-17
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: The next node's IPv4 addressing
+ addressing:
+ - network: oob
+ address: 10.23.104.17
+ - network: pxe
+ address: 10.23.20.17
+ - network: oam
+ address: 10.23.21.17
+ - network: storage
+ address: 10.23.23.17
+ - network: overlay
+ address: 10.23.24.17
+ - network: calico
+ address: 10.23.22.17
+ # NEWSITE-CHANGEME: The next node's host profile
+ # This is the one and only appearance of the "secondary" control plane profile
+ host_profile: dp_r720
+ metadata:
+ # NEWSITE-CHANGEME: The next node's rack designation
+ rack: cab23
+ # NEWSITE-CHANGEME: The next node's role desigatnion
+ tags:
+ - 'workers'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: The next node's hostname
+ name: cab23-r720-19
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: The next node's IPv4 addressing
+ addressing:
+ - network: oob
+ address: 10.23.104.19
+ - network: pxe
+ address: 10.23.20.19
+ - network: oam
+ address: 10.23.21.19
+ - network: storage
+ address: 10.23.23.19
+ - network: overlay
+ address: 10.23.24.19
+ - network: calico
+ address: 10.23.22.19
+ # NEWSITE-CHANGEME: The next node's host profile
+ host_profile: dp_r720
+ metadata:
+ # NEWSITE-CHANGEME: The next node's rack designation
+ rack: cab23
+ # NEWSITE-CHANGEME: The next node's role desigatnion
+ tags:
+ - 'workers'
+...
diff --git a/site/airship-seaworthy/deployment/deployment-configuration.yaml b/site/airship-seaworthy/deployment/deployment-configuration.yaml
new file mode 100644
index 000000000..676e219df
--- /dev/null
+++ b/site/airship-seaworthy/deployment/deployment-configuration.yaml
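Review bot: The last two BaremetalNode documents in nodes.yaml define the workers `cab23-r720-17` and `cab23-r720-19`, but the kubelet certificate list in pki/pki-catalog.yaml later in this patch covers `cab23-r720-11` through `cab23-r720-16` only. As written the two workers have no kubelet certificate entry, while `-15` and `-16` get `system:nodes` certificates for hosts that are not in this inventory; the two files should name the same hosts. Two comments also contradict the value beneath them: `cp_r740-secondary` is described as the third "primary" profile, and `dp_r720` as the one and only "secondary" control plane profile. I would change them to `# This is the one and only "secondary" control plane profile` above `cp_r740-secondary` and `# Data plane (worker) host profile` above the first `dp_r720`.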
@@ -0,0 +1,41 @@
+---
+# The purpose of this file is to provide shipyard related deployment config
+# parameters. This should not require modification for a new site. However,
+# shipyard deployment strategies can be very useful in getting around certain
+# failures, like misbehaving nodes that hold up the deployment. See more at
+# https://github.com/openstack/airship-shipyard/blob/master/docs/source/site-definition-documents.rst#using-a-deployment-strategy
+schema: shipyard/DeploymentConfiguration/v1
+metadata:
+ schema: metadata/Document/v1
+ name: deployment-configuration
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ physical_provisioner:
+ deployment_strategy: deployment-strategy
+ deploy_interval: 30
+ deploy_timeout: 3600
+ destroy_interval: 30
+ destroy_timeout: 900
+ join_wait: 120
+ prepare_node_interval: 30
+ prepare_node_timeout: 1800
+ prepare_site_interval: 10
+ prepare_site_timeout: 300
+ verify_interval: 10
+ verify_timeout: 60
+ kubernetes_provisioner:
+ drain_timeout: 3600
+ drain_grace_period: 1800
+ clear_labels_timeout: 1800
+ remove_etcd_timeout: 1800
+ etcd_ready_timeout: 600
+ armada:
+ get_releases_timeout: 300
+ get_status_timeout: 300
+ manifest: 'full-site'
+ post_apply_timeout: 2700
+ validate_design_timeout: 600
+...
diff --git a/site/airship-seaworthy/networks/common-addresses.yaml b/site/airship-seaworthy/networks/common-addresses.yaml
new file mode 100644
index 000000000..89188a61c
--- /dev/null
+++ b/site/airship-seaworthy/networks/common-addresses.yaml
@@ -0,0 +1,157 @@
+---
+# The purpose of this file is to define network related paramters that are
+# referenced elsewhere in the manifests for this site.
+#
+# TODO: Include bare metal host FQDN naming standards
+# TODO: Include ingress FQDN naming standards
+schema: pegleg/CommonAddresses/v1
+metadata:
+ schema: metadata/Document/v1
+ name: common-addresses
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ calico:
+ # NEWSITE-CHANGEME: The interface that calico will use. Update if your
+ # logical bond interface name or calico VLAN have changed from the reference
+ # site design.
+ # This should be whichever
+ # bond and VLAN number specified in networks/physical/networks.yaml for the Calico
+ # network. E.g. VLAN 22 for the calico network as a member of bond0, you
+ # would set "interface=bond0.22" as shown here.
+ ip_autodetection_method: interface=bond0.22
+ etcd:
+ # etcd service IP address
+ service_ip: 10.96.232.136
+
+ dns:
+ # Kubernetes cluster domain. Do not change. This is internal to the cluster.
+ cluster_domain: cluster.local
+ # DNS service ip
+ service_ip: 10.96.0.10
+ # List of upstream DNS forwards. Verify you can reach them from your
+ # environment. If so, you should not need to change them.
+ upstream_servers:
+ - 8.8.8.8
+ - 8.8.4.4
+ - 208.67.222.222
+ # Repeat the same values as above, but formatted as a common separated
+ # string
+ upstream_servers_joined: 8.8.8.8,8.8.4.4,208.67.222.222
+ # NEWSITE-CHANGEME: FQDN for ingress (i.e. "publicly facing" access point)
+ # Choose FQDN according to the ingress/public FQDN naming conventions at
+ # the top of this document.
+ ingress_domain: airship-seaworthy.atlantafoundry.com
+
+ genesis:
+ # NEWSITE-CHANGEME: Update with the hostname for the node which will take on
+ # the Genesis role. Refer to the hostname naming stardards in
+ # networks/physical/networks.yaml
+ # NOTE: Ensure that the genesis node is manually configured with this
+ # hostname before running `genesis.sh` on the node.
+ hostname: cab23-r720-11
+ # NEWSITE-CHANGEME: Calico IP of the Genesis node. Use the "start" value for
+ # the calico network defined in networks/physical/networks.yaml for this IP.
+ ip: 10.23.22.11
+
+ bootstrap:
+ # NEWSITE-CHANGEME: Update with the "start" value/IP of the static range
+ # defined for the pxe network in networks/physical/networks.yaml
+ ip: 10.23.20.11
+
+ kubernetes:
+ # K8s API service IP
+ api_service_ip: 10.96.0.1
+ # etcd service IP
+ etcd_service_ip: 10.96.0.2
+ # k8s pod CIDR (network which pod traffic will traverse)
+ pod_cidr: 10.97.0.0/16
+ # k8s service CIDR (network which k8s API traffic will traverse)
+ service_cidr: 10.96.0.0/16
+ # misc k8s port settings
+ apiserver_port: 6443
+ haproxy_port: 6553
+ service_node_port_range: 30000-32767
+
+ # etcd port settings
+ etcd:
+ container_port: 2379
+ haproxy_port: 2378
+
+ # NEWSITE-CHANGEME: A list of nodes (apart from Genesis) which act as the
+ # control plane servers. Ensure that this matches the nodes with the 'masters'
+ # tags applied in baremetal/nodes.yaml
+ masters:
+ - hostname: cab23-r720-12
+ - hostname: cab23-r720-13
+ - hostname: cab23-r720-14
+
+ # NEWSITE-CHANGEME: Environment proxy information.
+ # NOTE: Reference Airship sites do not deploy behind a proxy, so this proxy section
+ # should be commented out.
+ # However if you are in a lab that requires proxy, ensure that these proxy
+ # settings are correct and reachable in your environment; otherwise update
+ # them with the correct values for your environment.
+ proxy:
+ http: ""
+ https: ""
+ no_proxy: []
+
+ node_ports:
+ drydock_api: 30000
+ maas_api: 30001
+ maas_proxy: 31800 # hardcoded in MAAS
+ shipyard_api: 30003
+ airflow_web: 30004
+
+ ntp:
+ # comma separated NTP server list. Verify that these upstream NTP servers are
+ # reachable in your environment; otherwise update them with the correct
+ # values for your environment.
+ servers_joined: '0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,4.ubuntu.pool.ntp.org'
+
+ # NOTE: This will be updated soon
+ ldap:
+ # NEWSITE-CHANGEME: FQDN for LDAP. Update to the FQDN that is
+ # relevant for your type of deployment (test vs prod values, etc).
+ base_url: 'ldap.example.com'
+ # NEWSITE-CHANGEME: As above, with the protocol included to create a full URI
+ url: 'ldap://ldap.example.com'
+ # NEWSITE-CHANGEME: Update to the correct expression relevant for this
+ # deployment (test vs prod values, etc)
+ auth_path: DC=test,DC=test,DC=com?sAMAccountName?sub?memberof=CN=test,OU=Application,OU=Groups,DC=test,DC=test,DC=com
+ # NEWSITE-CHANGEME: Update to the correct AD group that contains the users
+ # relevant for this deployment (test users vs prod users/values, etc)
+ common_name: test
+ # NEWSITE-CHANGEME: Update to the correct subdomain for your type of
+ # deployment (test vs prod values, etc)
+ subdomain: test
+ # NEWSITE-CHANGEME: Update to the correct domain for your type of
+ # deployment (test vs prod values, etc)
+ domain: example
+
+ storage:
+ ceph:
+ # NEWSITE-CHANGEME: CIDRs for Ceph. Update to match the network CIDR
+ # used for the `storage` network in networks/physical/networks.yaml
+ public_cidr: '10.23.23.0/24'
+ cluster_cidr: '10.23.23.0/24'
+
+ neutron:
+ # NEWSITE-CHANGEME: Overlay network for VM traffic. Ensure the bond name and
+ # VLAN number are consistent with what's defined for the bond and the overlay
+ # network in networks/physical/networks.yaml
+ tunnel_device: 'bond0.24'
+ # bond which the overlay is a member of. Ensure the bond name is consistent
+ # with the bond assigned to the overlay network in
+ # networks/physical/networks.yaml
+ external_iface: 'bond0'
+
+ openvswitch:
+ # bond which the overlay is a member of. Ensure the bond name is consistent
+ # with the bond assigned to the overlay network in
+ # networks/physical/networks.yaml
+ external_iface: 'bond0'
+...
diff --git a/site/airship-seaworthy/networks/physical/networks.yaml b/site/airship-seaworthy/networks/physical/networks.yaml
new file mode 100644
index 000000000..3fae65e1c
--- /dev/null
+++ b/site/airship-seaworthy/networks/physical/networks.yaml
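Review bot: The reference value for `ldap.url` in common-addresses.yaml is `ldap://ldap.example.com`, a scheme that carries binds and directory queries unencrypted unless StartTLS is negotiated. New sites copy this file and edit only the marked values, so the reference should be `url: 'ldaps://ldap.example.com'`, or the comment above it should state that StartTLS is required. In `ntp.servers_joined` the list jumps from `2.ubuntu.pool.ntp.org` to `4.ubuntu.pool.ntp.org`; the pool publishes zones 0 through 3, so the last entry should probably be `3.ubuntu.pool.ntp.org`. The `proxy` comment also says the section should be commented out for reference sites, yet it is present with empty values, so either the comment or the block should change.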
@@ -0,0 +1,286 @@
+---
+# The purpose of this file is to define all of the NetworkLinks (i.e. layer 1
+# devices) and Networks (i.e. layer 3 configurations). The following is standard
+# for the logical networks in Airship:
+#
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+# | Network | | Per-rack or | | | VLAN tagged |
+# | Name | Purpose | per-site CIDR? | Has gateway? | Bond | or untagged? |
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+# | oob | Out of Band devices (iDrac/iLo) | per-site CIDR | Has gateway | No bond, N/A | Untagged/Native |
+# | pxe | PXE boot network | per-site CIDR | No gateway | No bond, no LACP fallback. Dedicated PXE interface | Untagged/Native |
+# | oam | management network | per-site CIDR | Has gateway | member of bond0 | tagged |
+# | storage | storage network | per-site CIDR | No gateway | member of bond0 | tagged |
+# | calico | underlay calico net; k8s traffic | per-site CIDR | No gateway | member of bond0 | tagged |
+# | overlay | overlay network for openstack SDN | per-site CIDR | No gateway | member of bond0 | tagged |
+# +----------+-----------------------------------+----------------+--------------+----------------------------------------------------+-----------------+
+#
+# For standard Airship deployments, you should not need to modify the number of
+# NetworkLinks and Networks in this file. Only the IP addresses and CIDRs should
+# need editing.
+#
+# TODO: Given that we expect all network broadcast domains to span all racks in
+# Airship, we should choose network names that do not include the rack number.
+#
+# TODO: FQDN naming standards for hosts
+#
+schema: 'drydock/NetworkLink/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: oob
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # MaaS doesnt own this network like it does the others, so the noconfig label
+ # is specified.
+ labels:
+ noconfig: enabled
+ bonding:
+ mode: disabled
+ mtu: 1500
+ linkspeed: auto
+ trunking:
+ mode: disabled
+ default_network: oob
+ allowed_networks:
+ - oob
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: oob
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Update with the site's out-of-band CIDR
+ cidr: 10.23.104.0/24
+ routes:
+ # NEWSITE-CHANGEME: Update with the site's out-of-band gateway IP
+ - subnet: '0.0.0.0/0'
+ gateway: 10.23.104.1
+ metric: 100
+ # NEWSITE-CHANGEME: Update with the site's out-of-band IP allocation range
+ # FIXME: Is this IP range actually used/allocated for anything? The HW already
+ # has its OOB IPs assigned. None of the Ubuntu OS's should need IPs on OOB
+ # network either, as they should be routable via the default gw on OAM network
+ ranges:
+ - type: static
+ start: 10.23.104.11
+ end: 10.23.104.21
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: pxe
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ bonding:
+ mode: disabled
+ mtu: 1500
+ linkspeed: auto
+ trunking:
+ mode: disabled
+ default_network: pxe
+ allowed_networks:
+ - pxe
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: pxe
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Update with the site's PXE network CIDR
+ # NOTE: The CIDR minimum size = (number of nodes * 2) + 10
+ cidr: 10.23.20.0/24
+ # NOTE: The first 10 IPs in the subnet are reserved for network infrastructure.
+ # The remainder of the range is divided between two subnets of equal size:
+ # one static, and one DHCP.
+ # The DHCP addresses are used when nodes perform a PXE boot (DHCP address gets
+ # assigned), and when a node is commissioning in MaaS (also uses DHCP to get
+ # its IP address). However, when MaaS installs the operating system
+ # ("Deploying/Deployed" states), it will write a static IP assignment to
+ # /etc/network/interfaces[.d] with IPs from the "static" subnet defined here.
+ ranges:
+ # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+ - type: reserved
+ start: 10.23.20.1
+ end: 10.23.20.10
+ # NEWSITE-CHANGEME: Update to the first half of the remaining range after
+ # excluding the 10 reserved IPs.
+ - type: static
+ start: 10.23.20.11
+ end: 10.23.20.21
+ # NEWSITE-CHANGEME: Update to the second half of the remaining range after
+ # excluding the 10 reserved IPs.
+ - type: dhcp
+ start: 10.23.20.121
+ end: 10.23.20.131
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: gp
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ bonding:
+ mode: 802.3ad
+ hash: layer3+4
+ peer_rate: fast
+ mon_rate: 100
+ up_delay: 1000
+ down_delay: 3000
+ # NEWSITE-CHANGEME: Ensure the network switches in the environment are
+ # configured for this MTU or greater. Even if switches are configured for or
+ # can support a slightly higher MTU, there is no need (and negliable benefit)
+ # to squeeze every last byte into the MTU (e.g., 9216 vs 9100). Leave MTU at
+ # 9100 for maximum compatibility.
+ mtu: 9100
+ linkspeed: auto
+ trunking:
+ mode: 802.1q
+ allowed_networks:
+ - oam
+ - storage
+ - overlay
+ - calico
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: oam
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Set the VLAN ID which the OAM network is on
+ vlan: '21'
+ mtu: 9100
+ # NEWSITE-CHANGEME: Set the CIDR for the OAM network
+ # NOTE: The CIDR minimum size = number of nodes + 10
+ cidr: 10.23.21.0/24
+ routes:
+ - subnet: 0.0.0.0/0
+ # NEWSITE-CHANGEME: Set the OAM network gateway IP address
+ gateway: 10.23.21.1
+ metric: 100
+ ranges:
+ # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+ - type: reserved
+ start: 10.23.21.1
+ end: 10.23.21.10
+ # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+ # 10 reserved IPs.
+ - type: static
+ start: 10.23.21.11
+ end: 10.23.21.21
+ dns:
+ # NEWSITE-CHANGEME: FQDN for bare metal nodes.
+ # Choose FQDN according to the node FQDN naming conventions at the top of
+ # this document.
+ domain: airship-seaworthy.atlantafoundry.com
+ # List of upstream DNS forwards. Verify you can reach them from your
+ # environment. If so, you should not need to change them.
+ # TODO: This should be populated via substitution from common-addresses
+ servers: '8.8.8.8,8.8.4.4,208.67.222.222'
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: storage
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Set the VLAN ID which the storage network is on
+ vlan: '23'
+ mtu: 9100
+ # NEWSITE-CHANGEME: Set the CIDR for the storage network
+ # NOTE: The CIDR minimum size = number of nodes + 10
+ cidr: 10.23.23.0/24
+ ranges:
+ # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+ - type: reserved
+ start: 10.23.23.1
+ end: 10.23.23.10
+ # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+ # 10 reserved IPs.
+ - type: static
+ start: 10.23.23.11
+ end: 10.23.23.21
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: overlay
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Set the VLAN ID which the overlay network is on
+ vlan: '24'
+ mtu: 9100
+ # NEWSITE-CHANGEME: Set the CIDR for the overlay network
+ # NOTE: The CIDR minimum size = number of nodes + 10
+ cidr: 10.23.24.0/24
+ ranges:
+ # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+ - type: reserved
+ start: 10.23.24.1
+ end: 10.23.24.10
+ # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+ # 10 reserved IPs.
+ - type: static
+ start: 10.23.24.11
+ end: 10.23.24.21
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: calico
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ # NEWSITE-CHANGEME: Set the VLAN ID which the calico network is on
+ vlan: '22'
+ mtu: 9100
+ # NEWSITE-CHANGEME: Set the CIDR for the calico network
+ # NOTE: The CIDR minimum size = number of nodes + 10
+ cidr: 10.23.22.0/24
+ ranges:
+ # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+ - type: reserved
+ start: 10.23.22.1
+ end: 10.23.22.10
+ # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+ # 10 reserved IPs.
+ - type: static
+ start: 10.23.22.11
+ end: 10.23.22.21
+...
diff --git a/site/airship-seaworthy/pki/pki-catalog.yaml b/site/airship-seaworthy/pki/pki-catalog.yaml
new file mode 100644
index 000000000..e9c53dca5
--- /dev/null
+++ b/site/airship-seaworthy/pki/pki-catalog.yaml
@@ -0,0 +1,348 @@
+---
+# The purpose of this file is to define the PKI certificates for the environment
+#
+# NOTE: When deploying a new site, this file should not be configured until
+# baremetal/nodes.yaml is complete.
+#
+schema: promenade/PKICatalog/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cluster-certificates
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ certificate_authorities:
+ kubernetes:
+ description: CA for Kubernetes components
+ certificates:
+ - document_name: apiserver
+ description: Service certificate for Kubernetes apiserver
+ common_name: apiserver
+ hosts:
+ - localhost
+ - 127.0.0.1
+ # FIXME: Repetition of api_service_ip in common-addresses; use
+ # substitution
+ - 10.96.0.1
+ kubernetes_service_names:
+ - kubernetes.default.svc.cluster.local
+
+ # NEWSITE-CHANGEME: The following should be a list of all the nodes in
+ # the environment (genesis, control plane, data plane, everything).
+ # Add/delete from this list as necessary until all nodes are listed.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml
+ # NOTE: The genesis node needs to be defined twice (the first two entries
+ # on this list) with all of the same paramters except the document_name.
+ # In the first case the document_name is `kubelet-genesis`, and in the
+ # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
+ - document_name: kubelet-genesis
+ common_name: system:node:cab23-r720-11
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-11
+ common_name: system:node:cab23-r720-11
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-12
+ common_name: system:node:cab23-r720-12
+ hosts:
+ - cab23-r720-12
+ - 10.23.21.12
+ - 10.23.22.12
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-13
+ common_name: system:node:cab23-r720-13
+ hosts:
+ - cab23-r720-13
+ - 10.23.21.13
+ - 10.23.22.13
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-14
+ common_name: system:node:cab23-r720-14
+ hosts:
+ - cab23-r720-14
+ - 10.23.21.14
+ - 10.23.22.14
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-15
+ common_name: system:node:cab23-r720-15
+ hosts:
+ - cab23-r720-15
+ - 10.23.21.15
+ - 10.23.22.15
+ groups:
+ - system:nodes
+ - document_name: kubelet-cab23-r720-16
+ common_name: system:node:cab23-r720-16
+ hosts:
+ - cab23-r720-16
+ - 10.23.21.16
+ - 10.23.22.16
+ groups:
+ - system:nodes
+ # End node list
+ - document_name: scheduler
+ description: Service certificate for Kubernetes scheduler
+ common_name: system:kube-scheduler
+ - document_name: controller-manager
+ description: certificate for controller-manager
+ common_name: system:kube-controller-manager
+ - document_name: admin
+ common_name: admin
+ groups:
+ - system:masters
+ - document_name: armada
+ common_name: armada
+ groups:
+ - system:masters
+ kubernetes-etcd:
+ description: Certificates for Kubernetes's etcd servers
+ certificates:
+ - document_name: apiserver-etcd
+ description: etcd client certificate for use by Kubernetes apiserver
+ common_name: apiserver
+ # NOTE(mark-burnett): hosts not required for client certificates
+ - document_name: kubernetes-etcd-anchor
+ description: anchor
+ common_name: anchor
+ # NEWSITE-CHANGEME: The following should be a list of the control plane
+ # nodes in the environment, including genesis.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # 4. 127.0.0.1
+ # 5. localhost
+ # 6. kubernetes-etcd.kube-system.svc.cluster.local
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml, except for the kubernetes
+ # service_cidr where it should start with the second IP in the range.
+ # NOTE: The genesis node is defined twice with the same `hosts` data:
+ # Once with its hostname in the common/document name, and once with
+ # `genesis` defined instead of the host. For now, this duplicated
+ # genesis definition is required. FIXME: Remove duplicate definition
+ # after Promenade addresses this issue.
+ - document_name: kubernetes-etcd-genesis
+ common_name: kubernetes-etcd-genesis
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-11
+ common_name: kubernetes-etcd-cab23-r720-11
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-12
+ common_name: kubernetes-etcd-cab23-r720-12
+ hosts:
+ - cab23-r720-12
+ - 10.23.21.12
+ - 10.23.22.12
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-13
+ common_name: kubernetes-etcd-cab23-r720-13
+ hosts:
+ - cab23-r720-13
+ - 10.23.21.13
+ - 10.23.22.13
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-14
+ common_name: kubernetes-etcd-cab23-r720-14
+ hosts:
+ - cab23-r720-14
+ - 10.23.21.14
+ - 10.23.22.14
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ # End node list
+ kubernetes-etcd-peer:
+ certificates:
+ # NEWSITE-CHANGEME: This list should be identical to the previous list,
+ # except that `-peer` has been appended to the document/common names.
+ - document_name: kubernetes-etcd-genesis-peer
+ common_name: kubernetes-etcd-genesis-peer
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-11-peer
+ common_name: kubernetes-etcd-cab23-r720-11-peer
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-12-peer
+ common_name: kubernetes-etcd-cab23-r720-12-peer
+ hosts:
+ - cab23-r720-12
+ - 10.23.21.12
+ - 10.23.22.12
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-13-peer
+ common_name: kubernetes-etcd-cab23-r720-13-peer
+ hosts:
+ - cab23-r720-13
+ - 10.23.21.13
+ - 10.23.22.13
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-cab23-r720-14-peer
+ common_name: kubernetes-etcd-cab23-r720-14-peer
+ hosts:
+ - cab23-r720-14
+ - 10.23.21.14
+ - 10.23.22.14
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ # End node list
+ calico-etcd:
+ description: Certificates for Calico etcd client traffic
+ certificates:
+ - document_name: calico-etcd-anchor
+ description: anchor
+ common_name: anchor
+ # NEWSITE-CHANGEME: The following should be a list of the control plane
+ # nodes in the environment, including genesis.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # 4. 127.0.0.1
+ # 5. localhost
+ # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml
+ - document_name: calico-etcd-cab23-r720-11
+ common_name: calico-etcd-cab23-r720-11
+ hosts:
+ - cab23-r720-11
+ - 10.23.21.11
+ - 10.23.22.11
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-etcd-cab23-r720-12
+ common_name: calico-etcd-cab23-r720-12
+ hosts:
+ - cab23-r720-12
+ - 10.23.21.12
+ - 10.23.22.12
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-etcd-cab23-r720-13
+ common_name: calico-etcd-cab23-r720-13
+ hosts:
+ - cab23-r720-13
+ - 10.23.21.13
+ - 10.23.22.13
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-etcd-cab23-r720-14
+ common_name: calico-etcd-cab23-r720-14
+ hosts:
+ - cab23-r720-14
+ - 10.23.21.14
+ - 10.23.22.14
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-node
+ common_name: calcico-node
+ # End node list
+ calico-etcd-peer:
+ description: Certificates for Calico etcd clients
+ certificates:
+ # NEWSITE-CHANGEME: This list should be identical to the previous list,
+ # except that `-peer` has been appended to the document/common names.
+ - document_name: calico-etcd-cab23-r720-11-peer + common_name: calico-etcd-cab23-r720-11-peer + hosts: + - cab23-r720-11 + - 10.23.21.11 + - 10.23.22.11 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-cab23-r720-12-peer + common_name: calico-etcd-cab23-r720-12-peer + hosts: + - cab23-r720-12 + - 10.23.21.12 + - 10.23.22.12 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-cab23-r720-13-peer + common_name: calico-etcd-cab23-r720-13-peer + hosts: + - cab23-r720-13 + - 10.23.21.13 + - 10.23.22.13 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-cab23-r720-14-peer + common_name: calico-etcd-cab23-r720-14-peer + hosts: + - cab23-r720-14 + - 10.23.21.14 + - 10.23.22.14 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node-peer + common_name: calcico-node-peer + # End node list + keypairs: + - name: service-account + description: Service account signing key for use by Kubernetes controller-manager. +... diff --git a/site/airship-seaworthy/profiles/genesis.yaml b/site/airship-seaworthy/profiles/genesis.yaml new file mode 100644 index 000000000..ff793b75c --- /dev/null +++ b/site/airship-seaworthy/profiles/genesis.yaml 
@@ -0,0 +1,44 @@
+---
+# The purpose of this file is to apply proper labels to Genesis node so the
+# proper services are installed and proper configuration applied. This should
+# not need to be changed for a new site.
+# #GLOBAL-CANDIDATE#
+schema: promenade/Genesis/v1
+metadata:
+ schema: metadata/Document/v1
+ name: genesis-site
+ layeringDefinition:
+ abstract: false
+ layer: site
+ parentSelector:
+ name: genesis-global
+ actions:
+ - method: merge
+ path: .
+ storagePolicy: cleartext
+data:
+ labels:
+ dynamic:
+ - beta.kubernetes.io/fluentd-ds-ready=true
+ - calico-etcd=enabled
+ - ceph-mds=enabled
+ - ceph-mon=enabled
+ - ceph-osd=enabled
+ - ceph-rgw=enabled
+ - ceph-mgr=enabled
+ - ceph-bootstrap=enabled
+ - kube-dns=enabled
+ - kube-ingress=enabled
+ - kubernetes-apiserver=enabled
+ - kubernetes-controller-manager=enabled
+ - kubernetes-etcd=enabled
+ - kubernetes-scheduler=enabled
+ - promenade-genesis=enabled
+ - ucp-control-plane=enabled
+ - maas-control-plane=enabled
+ - ceph-osd-bootstrap=enabled
+ - openstack-control-plane=enabled
+ - openvswitch=enabled
+ - openstack-l3-agent=enabled
+ - node-exporter=enabled
+...
diff --git a/site/airship-seaworthy/profiles/host/cp_r720.yaml b/site/airship-seaworthy/profiles/host/cp_r720.yaml
new file mode 100644
index 000000000..7913a8eca
--- /dev/null
+++ b/site/airship-seaworthy/profiles/host/cp_r720.yaml
@@ -0,0 +1,188 @@
+---
+# The primary control plane host profile for Airship for DELL R720s, and
+# should not need to be altered if you are using matching HW. The active
+# participants in the Ceph cluster run on this profile. Other control plane
+# services are not affected by primary vs secondary designation.
+schema: drydock/HostProfile/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cp_r720-primary
+ storagePolicy: cleartext
+ layeringDefinition:
+ abstract: false
+ layer: site
+ parentSelector:
+ hosttype: cp-global
+ actions:
+ - method: replace
+ path: .interfaces
+ - method: replace
+ path: .storage
+ - method: merge
+ path: .
+data:
+ # TODO: fixup proper HW profiles
+ hardware_profile: DELL_HP_Generic
+
+ primary_network: oam
+ interfaces:
+ pxe:
+ device_link: pxe
+ slaves:
+ - eno1
+ networks:
+ - pxe
+ bond0:
+ device_link: gp
+ slaves:
+ - enp67s0f0
+ - enp67s0f1
+ - enp68s0f0
+ - enp68s0f1
+ networks:
+ - oam
+ - storage
+ - overlay
+ - calico
+
+ storage:
+ physical_devices:
+ sda:
+ labels:
+ bootdrive: 'true'
+ partitions:
+ - name: 'root'
+ size: '30g'
+ bootable: true
+ filesystem:
+ mountpoint: '/'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'boot'
+ size: '1g'
+ filesystem:
+ mountpoint: '/boot'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var_log'
+ size: '100g'
+ filesystem:
+ mountpoint: '/var/log'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var'
+ size: '>300g'
+ filesystem:
+ mountpoint: '/var'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ sdb:
+ partitions:
+ - name: 'cephj'
+ size: '>100g'
+ filesystem:
+ mountpoint: '/var/lib/ceph/cp'
+ fstype: 'xfs'
+ mount_options: 'defaults'
+
+ platform:
+ kernel: 'hwe-16.04'
+ kernel_params:
+ console: 'ttyS1,115200n8'
+
+ metadata:
+ owner_data:
+ openstack-l3-agent: enabled
+...
+---
+schema: drydock/HostProfile/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cp_r740-secondary
+ storagePolicy: cleartext
+ layeringDefinition:
+ abstract: false
+ layer: site
+ parentSelector:
+ hosttype: cp-global
+ actions:
+ - method: replace
+ path: .interfaces
+ - method: replace
+ path: .storage
+ - method: merge
+ path: .
+data:
+ # TODO: fixup proper HW profiles
+ hardware_profile: DELL_HP_Generic
+
+ primary_network: oam
+ interfaces:
+ pxe:
+ device_link: pxe
+ slaves:
+ - eno1
+ networks:
+ - pxe
+ bond0:
+ device_link: gp
+ slaves:
+ - enp67s0f0
+ - enp67s0f1
+ - enp68s0f0
+ - enp68s0f1
+ networks:
+ - oam
+ - storage
+ - overlay
+ - calico
+
+ storage:
+ physical_devices:
+ sda:
+ labels:
+ bootdrive: 'true'
+ partitions:
+ - name: 'root'
+ size: '30g'
+ bootable: true
+ filesystem:
+ mountpoint: '/'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'boot'
+ size: '1g'
+ filesystem:
+ mountpoint: '/boot'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var_log'
+ size: '100g'
+ filesystem:
+ mountpoint: '/var/log'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var'
+ size: '>300g'
+ filesystem:
+ mountpoint: '/var'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ sdb:
+ partitions:
+ - name: 'cephj'
+ size: '>100g'
+ filesystem:
+ mountpoint: '/var/lib/ceph/cp'
+ fstype: 'xfs'
+ mount_options: 'defaults'
+
+ platform:
+ kernel: 'hwe-16.04'
+ kernel_params:
+ console: 'ttyS1,115200n8'
+
+ metadata:
+ owner_data:
+ openstack-l3-agent: enabled
+...
diff --git a/site/airship-seaworthy/profiles/host/dp_r720.yaml b/site/airship-seaworthy/profiles/host/dp_r720.yaml
new file mode 100644
index 000000000..6b7f19316
--- /dev/null
+++ b/site/airship-seaworthy/profiles/host/dp_r720.yaml
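Review bot: The second document in this hunk is named `cp_r740-secondary`, although the file is cp_r720.yaml, the header comment speaks of DELL R720s and the first document is `cp_r720-primary`. This looks like a copy-paste slip, and a node definition asking for a `cp_r720-secondary` profile would presumably fail to resolve or pick up the wrong profile. If R720 is intended, the line should read `name: cp_r720-secondary`. The two documents are otherwise identical in the visible lines, so a short comment above the second one saying what distinguishes secondary from primary would help the next site author. Separately, `/var/log` is mounted with `mount_options: 'defaults'`; if the site follows a hardening baseline, `nodev,nosuid,noexec` there is worth considering.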
@@ -0,0 +1,90 @@
+---
+# The data plane host profile for Airship for DELL R720s, and should
+# not need to be altered if you are using matching HW. The host profile is setup
+# for cpu isolation (for nova pinning), hugepages, and sr-iov.
+schema: drydock/HostProfile/v1
+metadata:
+ schema: metadata/Document/v1
+ name: dp_r720
+ storagePolicy: cleartext
+ layeringDefinition:
+ abstract: false
+ layer: site
+ parentSelector:
+ hosttype: dp-global
+ actions:
+ - method: replace
+ path: .interfaces
+ - method: replace
+ path: .storage
+ - method: merge
+ path: .
+data:
+ # TODO: fixup proper HW profiles
+ hardware_profile: DELL_HP_Generic
+
+ primary_network: oam
+ interfaces:
+ pxe:
+ device_link: pxe
+ slaves:
+ - eno1
+ networks:
+ - pxe
+ bond0:
+ device_link: gp
+ slaves:
+ - enp67s0f0
+ - enp67s0f1
+ - enp68s0f0
+ - enp68s0f1
+ networks:
+ - oam
+ - storage
+ - overlay
+ - calico
+
+ storage:
+ physical_devices:
+ sda:
+ labels:
+ bootdrive: 'true'
+ partitions:
+ - name: 'root'
+ size: '30g'
+ bootable: true
+ filesystem:
+ mountpoint: '/'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'boot'
+ size: '1g'
+ filesystem:
+ mountpoint: '/boot'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var_log'
+ size: '100g'
+ filesystem:
+ mountpoint: '/var/log'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ - name: 'var'
+ size: '>300g'
+ filesystem:
+ mountpoint: '/var'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ sdb:
+ partitions:
+ - name: 'nova'
+ size: '>100g'
+ filesystem:
+ mountpoint: '/var/lib/nova'
+ fstype: 'ext4'
+ mount_options: 'defaults'
+ platform:
+ kernel: 'hwe-16.04'
+ kernel_params:
+ console: 'ttyS1,115200n8'
+...
diff --git a/site/airship-seaworthy/profiles/region.yaml b/site/airship-seaworthy/profiles/region.yaml
new file mode 100644
index 000000000..9bef95a52
--- /dev/null
+++ b/site/airship-seaworthy/profiles/region.yaml
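Review bot: The header comment says this profile is set up for CPU isolation, hugepages and SR-IOV, but the only `kernel_params` entry in the document is `console: 'ttyS1,115200n8'` and neither interface carries any SR-IOV setting. Since `.interfaces` and `.storage` are replaced rather than merged, only the remaining keys could be coming from the `dp-global` parent, which is not visible in this hunk. If that is where the tuning lives, the comment should say so, e.g. `# CPU isolation and hugepages settings are inherited from the dp-global parent profile`. Otherwise the claim should be dropped until the settings are actually added.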
@@ -0,0 +1,53 @@
+---
+# The purpose of this file is to define the drydock Region, which in turn drives
+# the MaaS region.
+schema: 'drydock/Region/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ # NEWSITE-CHANGEME: Replace with the site name
+ name: airship-seaworthy
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+ substitutions:
+ # NEWSITE-CHANGEME: Substitutions from deckhand SSH public keys into the
+ # list of authorized keys which MaaS will register for the build-in "ubuntu"
+ # account during the PXE process. Create a substitution rule for each SSH
+ # key that should have access to the "ubuntu" account (useful for trouble-
+ # shooting problems before UAM or UAM-lite is operational). SSH keys are
+ # stored as secrets in site/airship-seaworthy/secrets.
+ - dest:
+ # Add/replace the first item in the list
+ path: .authorized_keys[0]
+ src:
+ schema: deckhand/PublicKey/v1
+ # This should match the "name" metadata of the SSH key which will be
+ # substituted, located in site/airship-seaworthy/secrets folder.
+ name: airship_ssh_public_key
+ path: .
+ - dest:
+ path: .repositories.main_archive
+ src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .packages.repositories.main_archive
+ # Second key example
+ #- dest:
+ # # Increment the list index
+ # path: .authorized_keys[1]
+ # src:
+ # schema: deckhand/PublicKey/v1
+ # # your ssh key
+ # name: MY_USER_ssh_public_key
+ # path: .
+data:
+ tag_definitions: []
+ # This is the list of SSH keys which MaaS will register for the built-in
+ # "ubuntu" account during the PXE process. This list is populated by
+ # substitution, so the same SSH keys do not need to be repeated in multiple
+ # manifests.
+ authorized_keys: []
+ repositories:
+ remove_unlisted: true
+...
diff --git a/site/airship-seaworthy/secrets/certificates/certificates.yaml b/site/airship-seaworthy/secrets/certificates/certificates.yaml
new file mode 100644
index 000000000..3f8eca3c3
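Review bot: The first substitution puts the key named `airship_ssh_public_key` into `.authorized_keys[0]`, which MaaS registers for the built-in "ubuntu" account on every node it builds, yet the NEWSITE-CHANGEME comment only tells the operator to add further rules, not to replace this one. A site cloned from this manifest would keep trusting the reference key, so anyone holding its private half could log in to the new site's hosts. I would add `# NEWSITE-CHANGEME: replace airship_ssh_public_key with a key owned by this site` above the `name:` entry. The comment also places the key under site/airship-seaworthy/secrets, while the diffstat lists a `.../publickey/airship_ssh_public_key.yaml` whose full path is truncated, so the location is worth confirming. Since the account is meant for troubleshooting before UAM is operational, the comment could also say the list should be emptied once it is.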
--- /dev/null
+++ b/site/airship-seaworthy/secrets/certificates/certificates.yaml
@@ -0,0 +1,2803 @@ +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDSDCCAjCgAwIBAgIUWWgda/WLrzdDAAMmbOMqOzMYzAMwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0yMzA4MDIyMDQ3MDBaMCoxEzARBgNVBAoTCkt1YmVy + bmV0ZXMxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB + DwAwggEKAoIBAQC/MHG2xCCJysGQS5G0Xjgzag15tS+o9GkbYK8bEe14vMDEZW0F + 53YKEtzmp2okfXkbTDD5JVoOk/mNApi2sYpW/e69yHOStdHnqNGzvbGfXqqgHuSN + lrbdw+Mt0rIp64Alf0Rl3+Eaj7QNsWcziqAmh4TCWufDHZjALIrAFCiRogulQ3S/ + 6Ci9UI8z6PIUdQMq0o84ZzyMeAYXilFrpgbLWDbYBUcqh0nY5O6wdW/3HjdqMxF7 + 2wS5SBQ4UfoMikeUnTxO3HEyM+2Z6p1BzhvTIQCaQ6MY83Gj3z7za8RrXPKFdgzz + ekXU4DXUawiQvHvtiAyWzEh5gJf02BvDUYfFAgMBAAGjZjBkMA4GA1UdDwEB/wQE + AwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQQuE36gIjYoQeVkzn + thDIn7LNvTAfBgNVHSMEGDAWgBQQQuE36gIjYoQeVkznthDIn7LNvTANBgkqhkiG + 9w0BAQsFAAOCAQEAH1xbfqM/tMAXR3a9Hjz8S7u5Zg6D6U6ET5uguWFZ6kKerb7r + kQaFPXfowg2BNpIeSHraZRdafJmD+tKOxSrDnS6mQCXJbvdgRbxaALH0Jx6gGYc4 + 940LwQUwwl2y/0sKw0pggoQqYpxQ0/5tRI4XZCCYcvzcg2PzWVdR28U/LpnKnBuW + rQ2eHbudXyN0ycI7+pJimWOeShx3vl1fg6FuXYngi02HUC7wCF+ozQI5wuU2kToJ + eLSluGzV55G+RcWEgA96lMvqgi7O+NGyR7zHMMJMFT2dA4C3ULem9g0jKTVlcHD6 + qq8r68QoBKhfLZ8Hqwb9khL1BrclQbHBxTNPEQ== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDUjCCAjqgAwIBAgIUB7RLVkTbfMvmqq0om0VyJoQIepcwDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTIzMDgwMjIwNDcwMFowLzETMBEGA1UEChMK + S3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1ldGNkMIIBIjANBgkqhkiG + 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvs7JqxKGjRlZ5XmieYyakyTzAJ2k3SkRNLmS + v4G3LXAG8JuZ849k1qWKo/TzzisFoonhMhsxJ+R5Z9/A/neDNY2ddyw8xeS+5hhY + 5u8wewbIFBwXMH8ESGPk65PJnURIdqW8OFmOGk9w0xQHiwvxwk15mmk8DwxiIvJh + 
LKa4JgfrIxv1SjL/1mLnmJ7T6SkwHsJvkdgt+kV8+O73+KLdEUztWU/1vqHZ/Mt4 + bLgHwWTKnO0ug58rB+TrHWsSZMZz6OKOBRHC6NM1hxoE7GLCNaWExHI+eV6vCJM1 + sbFuvgN/lR7IvSfsd8jGTfZfGBSCxAKi51BoHhV91VQ1UGTL0QIDAQABo2YwZDAO + BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUnGu9 + N4Udb+CyWru+VythLVwfGPwwHwYDVR0jBBgwFoAUnGu9N4Udb+CyWru+VythLVwf + GPwwDQYJKoZIhvcNAQELBQADggEBAIkNU4+f9OVKmabWspJpbE2C7fFxYRtuET7S + OQaw5u7AMrFUX/AOqBrBN+4rACYATxVNwpfpGOnjUolEtAU3FUvrGyMVjy/LMHFF + MpHAD7ZxaVZNhq01Wp5XH1qnT55ZNHyGL+L5DZj++nL8NNcDf0UEtzw0wPmpBkDr + mI+1KiKpf/rsdXNyN06VMU4dvMBCO8nVhB6zbOPahCcRzDJxbgmEj8aM/bHCi+Nb + V1jV+lBp+EsZlQozUEa6U3PSnSy0Kb1zcrIXy98WKf5HXFcFQsANnvjYLpC4a6ex + C3PyjM89y/aIbX6QohoHES2KB2Z4fCwjOLmmvcj82rAwEftTCc4= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDXDCCAkSgAwIBAgIUHPfWYM9Atee8Vv0fvCEIX1yimTMwDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMjMwODAyMjA0NzAwWjA0MRMwEQYD + VQQKEwpLdWJlcm5ldGVzMR0wGwYDVQQDExRrdWJlcm5ldGVzLWV0Y2QtcGVlcjCC + ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANOIGFjJ+BKviYj1nUnBNJ7n + cdaZmXe1BZqzkd2FHiCNbXVZMq9GdKGhHHPsLtUgkgR9EndOYfi6wt8wYgo6Cq2D + muEmS+YgCjUFP7MGfZdoig/VXJQlkbJ9vNxbbqDxs3qztsHS6l1tKcJbgewiCJZK + I1beAPPUGvq1PNeKMsg0ILt5rajlIQUs7s7Sj+oa40J8pb0boZfxr5H5K/Tij+ne + +J8Ra4jbOilpcEXX83YLbTWwNSUKaEkcH9GaNMv+AbSNd29nNN24uWR/uVNh36Mz + YAqIpwCtAn0yBq/r5UpdGixy5/drTYS1X1MRf7puw7KGTcgowmdD5wtKlAoi9CUC + AwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYD + VR0OBBYEFBznBuJTSfGqhk1d3K6eSLc4JzLHMB8GA1UdIwQYMBaAFBznBuJTSfGq + hk1d3K6eSLc4JzLHMA0GCSqGSIb3DQEBCwUAA4IBAQClQ/SQaPRmVyW6bACLail3 + Ed8emn7AVGEicg1/y99lPwVZMNVcIRV+3J2HhSeIAZg0WFbeeOeTKgOd9umA7kjA + GrW2fCY6KKAslzml9AH++eJ6GrVVrTrqaLowl6U0uYtXnwHuyMuzm2beyLQNo4TP + 
oBt3onjkF34U23VTLsQySmeT2NDx27uUEYIEC5X+TZEnDfqw93z0X1u4+UbVpxbC + CteFoLobH+mzHpZBpwDz1V2doXC0BM19lTO6zoy16vZOHZyLkZweE+vjfCB6cQTh + UB1e/yHiCrO7N8Exoa/XSTA3UmJmeC5rWSz2DACtJm82+BhdqK/e6DHI8P7+D96y + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDSjCCAjKgAwIBAgIUCFATneIL9vjM+B4gR7Py5SktvJYwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMjMwODAyMjA0NzAwWjArMRMwEQYDVQQKEwpLdWJl + cm5ldGVzMRQwEgYDVQQDEwtjYWxpY28tZXRjZDCCASIwDQYJKoZIhvcNAQEBBQAD + ggEPADCCAQoCggEBAMdu1xBIMtVmeOpn3RWDrP58YOZ91sk8tvyEsk6ZwSlSLVZK + 5k4OhQ6I/8ctSceGXKJ8L3dZVCCDSP+0K9PMzMU841RVDwzZZ2Q871bBvI2exDWs + +Dtza//touRHkB99I4O5LL7SeFB1VnJyZa5BQK16bnPH9JEd9HO/qYLAIPDGbV/0 + eMB9saXAWCSFzqvXIp5CBmpjn9xmAszuV073LF0MiU8NkzfTkVi2ml/ct/5hVe/F + olxm7XCv4rABEgOnQzaPG5ba5VCrsKWv4BBJz50PGm+OWM5sjg/282dyt3g/JANl + oE87PsQubhbqajah1II5AY39q5QEhP/0AfqL15sCAwEAAaNmMGQwDgYDVR0PAQH/ + BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFMpJeD4LfMe/IJN7 + DR7ni2zaLCkgMB8GA1UdIwQYMBaAFMpJeD4LfMe/IJN7DR7ni2zaLCkgMA0GCSqG + SIb3DQEBCwUAA4IBAQAnjOyYtb9jq3faP0bWhzcG8PsD7exAKkmKN/o/Zqp82OHT + 8LdXS7vFnECMDbmZmXvOJKEbYu8Akd1kUL5mzL+acIKFho010KJAjve0XLEdV5R6 + rZSrsfhwENMTiQ/dzdRN6yM7oXBqY0r2Ba7KlPtTRCTiyNWbuW1JsCxwmCDf/2fH + 6U9R0ru4BeUMDjodL5FmqKxt6R1+r9lPWR6F5PoGojFsrlrJF+1oO1b3cAfKlRQM + YWM0U9Dc0NdTNrBfTYDXYCI7HmSmhEtspkhSfhkzhuDC7k5lNC1+ua3nFGhIE2HH + kTG/OV2x6LkWIL8rKXWpHxwOW84cxl35PXzDjvVO + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDVDCCAjygAwIBAgIULlUaEuGZcBZlMze/YgeAPFYnT9IwDQYJKoZIhvcNAQEL + 
BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0yMzA4MDIyMDQ3MDBaMDAxEzARBgNVBAoT + Ckt1YmVybmV0ZXMxGTAXBgNVBAMTEGNhbGljby1ldGNkLXBlZXIwggEiMA0GCSqG + SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfA9HbcJh38+eamuUEzcKpSywpJyYy4MO4 + 2Apj+vEwQX6G9kcOGPEz3OVXLtHAgoMFFPmEEvnr28Pye55XFvZPa66XqdPm+JYR + 4JVVS+96pzRY6MQg8c4OUhHj2/VaZT4FSasGbk2C3Gox4AOBjlYHVx4LADEzpTTt + OwBVjmScIDRdZqRKjKY0kDWYKAGLWUisGN8zKjmqOxvfgWvIMJ8udlzdHy1NVzHE + 5997XABE77FBAkH0v3S1V6KyaOvZq+1QiHTIN+q+84CUsCHrE0uShKS0OXnAVB+Y + 77jXn1v+XI8Bviqv7UkBTjWPGjCukaJRYIR7grnZ2+QjZ5dFntgdAgMBAAGjZjBk + MA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSY + yR2FsUsrd+jYSGwqMrUwGOmdrTAfBgNVHSMEGDAWgBSYyR2FsUsrd+jYSGwqMrUw + GOmdrTANBgkqhkiG9w0BAQsFAAOCAQEABcsIdW+Dog+EJGMfvbCwPI+h1p3fVmlM + daDBzGVOS1pPYn0KdV9qRUEkf8qRHN8DKs5j7uhi6MGOMrYvYnbDWRoh+lauucbQ + I94df3fkd9TUo9lHZR4cy4tjEvGapHp6iOrC9xoyO5w9XcvxqpsoR36CG2dJHWuF + mOm4QxK6+4vePsriOD1dq1A75D5eB2ofncmjILfqDCjkgLiBffFqWOlBRpU1DGaj + 9zmnd83602G8xZsqgvikJpmEtavjUUcR7c4pxMSfR4MYfgsa1DlWNYqLvFINqhJk + D62y8L3noD3eJbQozkr28LuyA8G0u8GJm6BBBEriTzkpii9xAq+g4g== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAvzBxtsQgicrBkEuRtF44M2oNebUvqPRpG2CvGxHteLzAxGVt + Bed2ChLc5qdqJH15G0ww+SVaDpP5jQKYtrGKVv3uvchzkrXR56jRs72xn16qoB7k + jZa23cPjLdKyKeuAJX9EZd/hGo+0DbFnM4qgJoeEwlrnwx2YwCyKwBQokaILpUN0 + v+govVCPM+jyFHUDKtKPOGc8jHgGF4pRa6YGy1g22AVHKodJ2OTusHVv9x43ajMR + e9sEuUgUOFH6DIpHlJ08TtxxMjPtmeqdQc4b0yEAmkOjGPNxo98+82vEa1zyhXYM + 83pF1OA11GsIkLx77YgMlsxIeYCX9Ngbw1GHxQIDAQABAoIBAFTwdNS59arCBZTR + vf3gDh/pcessb+wkCb48Cg+Au3v0f7/BP9prpql7D+D5Z9KmW/OgufE2gvgPDcNz + 79zaq5dSYYq3T4FSfdrpyaCNGiivqiZRE0FEQCHuMTPec4DkO55tGDoaaKugRGIA + +tSPNe9oLbcbI/QvZfma0Fndmth33FdE/MQVYyub9L/BrChmNzrNjpyvnWRx4/HP + 
0d+MuP4FB8o04G6bS/2HDRHmSNw5XT5kwgSPoLCURN5/2w1adeegfQYqotpLLitA + N0Ck+uP1mrIDj2U2ZRvMxug68X5uhTbtsYYH2tdI1XZ/ForDu82oXJMAU6q6RAA9 + YrZQ7NECgYEA8YIAJvsdWrQ/VxhEdE5nn3iJHfKyVhcCrZY+rrNsIuKvdqvqFckg + Jzv055fqKA9qr5/DyV4tfm10BsnwkuGGxOtnO6UYiHRuFrONn2j6XxB9u8OT1fUL + iiP43rdpaiSg9aIzsHoGBAzHSgVt0fSdktAJgDFk3biYJYKbxwJtd58CgYEAyql1 + a5VLUkO86hGrEZvT7OtlP83ULtZkbPn28yiAA4mT6hDqCaSvUNGYU6/igzbZQSwV + UGeFCIcUrnvhFyV6kPTpAq39FggahiEBWkPqrAvkTzePL8jM+qXU1m5JGU5Lsbeo + j3ANPMKLHEc6t0eEh0LO0jan0wo4QhnglSbZ1hsCgYADltkFu0muZWtjkfrCd7/W + gOYYydiYqvLhPZBk7Em5IwFUlC2AcWLG8n8rSfiy67e8MHWqcnnenSXSTAIFTNDB + 8HWyTzvUG1bfg3+hVOATtZ0Iw1lZHrEzNmGmfbdVWoIB5I08HDQmr0Hu+bGuIyKM + YgciHpnPKcUpGY3TIVgbJQKBgDKtVVNlrcQQdDkD2gc5NDFWW6cszRY5PjuR9hKv + 2fMIgBhTynJG4CARiUnD/ZxaJtGJOHs2p6mOPbmz+IFVOeTtmSa2Y0cTF67aqf/s + Y85J2vmEJyYHzFoRBbvpMBZH4d2600eq+WRsMWUM2r3iAF3ict1WFXlMYO0Gk4Y4 + hNhpAoGAEYRqaQUS3kOJlBCN0+T9ltdaaZ7M2lhUcSC9YpoA6a2cu41lXbwgEf4w + xZZkWo5H+bRqHryrG00QzxmVgx2KO6VeeJ9WTjj4u4diF00O/6VTLnVZO641TG4q + YppmkdY7zQexWeXLcS1pPAQh3YlTuVcK/pT05jWm8KDc71KpBTY= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthorityKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAvs7JqxKGjRlZ5XmieYyakyTzAJ2k3SkRNLmSv4G3LXAG8JuZ + 849k1qWKo/TzzisFoonhMhsxJ+R5Z9/A/neDNY2ddyw8xeS+5hhY5u8wewbIFBwX + MH8ESGPk65PJnURIdqW8OFmOGk9w0xQHiwvxwk15mmk8DwxiIvJhLKa4JgfrIxv1 + SjL/1mLnmJ7T6SkwHsJvkdgt+kV8+O73+KLdEUztWU/1vqHZ/Mt4bLgHwWTKnO0u + g58rB+TrHWsSZMZz6OKOBRHC6NM1hxoE7GLCNaWExHI+eV6vCJM1sbFuvgN/lR7I + vSfsd8jGTfZfGBSCxAKi51BoHhV91VQ1UGTL0QIDAQABAoIBACjunW6Yg8rDFHjY + 1hTzJ7nHJGYOa26SP8GqyaNRhWU28hYtmyIXsc8mJg60HpUsv4G1yFyCXtIq/ixd + YL52DuyvG4eUMtlVD+q2cGPiDelmdAd0WzkpFlcdLt+mjYqyOkVRmoYQGB7mydJO + KqwWfN9s1VhdmOe1hVvv2Q7GGRz3GQG9NZL9gKhydQmJ6CbbExAhMtqvMLSzEWZf + GDvaPhF9eXuF8vM0wMhuXu4KeMLkdTLA4nlr+7SyyZScfs2IkXgVtVGc1SJAZGTl + 
05qs8A2o7KF3PVObonUNmWW+FEalaOEGrJW487Ki5F92KR80LdaSyeAARLxIkdx/ + Wri5x40CgYEA1JxIS2BdmDpoY21J9bG9C/6vqYEGnPStCA9Shuu62Amq4hCqzQyl + f1YcdY9DNvST8LAZb23Fk1BOXhuAQE1YXaOHpYV7+8k8QsYkKBb5VeqjW4ILbR74 + ESpzg9httpvwPIB8IOMXGbUemNJxVTwOQuVUhLdWVlPcPI7Wbp+Hcz8CgYEA5b9v + QPQHfF5SJbN/z3i3N9wvfVKt/0wkJ3Y2OT2pSonROVo+0N7bq1BC0zkO8KQUDxdq + mojLfx9jc4tIztA55mfk8W7ieojv7HwNubez/mQVJdjiCq2B39OGcJTc6TrBDqF9 + bObyqVxWeIiQ2HOudpeisVaFyrEpnF+m9fpmzO8CgYAsC6hqfS9GnysLFhQRY13/ + wyaPHhzJnWLPXaVCMEnIAdC1/q/zxN/wTl2c+S36j5aqcUEDtaEN0MA7fMUIDT32 + QC+U2d+CnQDv8G6DI6dJ5k8rYPiPBbBslffSY57vCsUtM40Dnygk+kG5dTdnagam + Uy48RGMNhVgF7616w2/jLwKBgG7z7qSttVfIrV9rupPVtpYRjhW18jXS7brpCfLG + 5pUKzbIm9SMmHWw0jLE5Yw+wDcfkBSWwXqZ74CmS4IyQXwX4ssYuSM3oiAXrOy2v + nAuFBfmLLk790DTqEIkaOz2flFCeiNYpCpPj9harzVfbNiwruvRt1ps2x+OvBhDQ + 5widAoGAcziJAKyrmQ1ee3Ou7/cAiab0vFfgtEyEArczMUiJb+QNBd85/bXofSYt + SNaLBu+KQlhYD0ANqqgw0WNwM7qkcY59T6h7jxfLieD6tWJvFdD0hshcnq25kcxd + 7X/nPHiCffZxZXhuOk+Mx/8eR+Gr1dRIY56aVtRyF/ogDfMBq7I= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthorityKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA04gYWMn4Eq+JiPWdScE0nudx1pmZd7UFmrOR3YUeII1tdVky + r0Z0oaEcc+wu1SCSBH0Sd05h+LrC3zBiCjoKrYOa4SZL5iAKNQU/swZ9l2iKD9Vc + lCWRsn283FtuoPGzerO2wdLqXW0pwluB7CIIlkojVt4A89Qa+rU814oyyDQgu3mt + qOUhBSzuztKP6hrjQnylvRuhl/Gvkfkr9OKP6d74nxFriNs6KWlwRdfzdgttNbA1 + JQpoSRwf0Zo0y/4BtI13b2c03bi5ZH+5U2HfozNgCoinAK0CfTIGr+vlSl0aLHLn + 92tNhLVfUxF/um7DsoZNyCjCZ0PnC0qUCiL0JQIDAQABAoIBAETzDYyTeMsOcLQ1 + 6ykJUw+gvViIBKAiX0tH0Pn11BYkQ1OG2aCMRKQSkeWvTKynyzCvW/+Lix+6MJ7z + dGGE/coFJczR4NeIBgu2REckjHd32djDYUPg4xbdKVxiaTMI1cnfHmkbSM1fMcdq + cHT5uvbR/6bnAkR4FLs3rDdNkrPywcw4GvHOZrU+U0YJdHkXroXg4vbeYh+rBRxI + WqiAiaU46LJjBJOowRr6sFaUT/KARCbtgyBoFXpqP27zjMoZAAcB/wtpsm5doXjH + 9y1fcEh347m8aOgMp1f8xxnQrC1mDXpYERRE1SiUQ1H2QV7f1USlVVmaCl4BBv4U 
+ RyKbhpkCgYEA2OosIvXybB+rbppIbWEqylTKP9K7nSNQnpdonE+PF4VTjHSDxh9w + Uf/1OcDCq/PbYdhlNFletuoYY8SlLoI2S+tc8mGr2Tsq5acnvxLF+HkX2TvKGoIj + oPIIAGHmq/Hifyq5FyBnNh6iQkhLuN61+rLrlgmRSsl+vU3rCiR8c7MCgYEA+aWc + W6CYubG/PFL4Twla/5Nq0fccGtEhkoJTHtGzOEgi2h1sIKuHXxfjVflwX+XkIWyp + DVTrctVMhs3EKEdcpPwAP3tykdNNw11cAS/fQbEj11Hk/EZKHQMS1bDj6KtPEclP + pTbphJphGxkWH/T+UGMD+/5achRGMZaBlRRU7McCgYBFnKEddyCdYmx5yjmEILLC + zAM8CDz9aN/uhVilEUMyoS723E2Nv3kkV6gzKJFQ7alx9ShFbIjg2q+JFQqNqmwS + YS4q+v1TcZGKseInh7bQzsvAg1eQukME26eFt+V3OOEfPm635UY6MAqSivECGzb7 + hX/lXpyqC5AI4ICVeLAX0QKBgQCo86TC+ggCPEIhEEHOM5WrO9hiKuuRVpFy9tJM + HD0/TMqRdLIV1iAyghcvuzWLISloWYJ7bEpAGAzHeoBThiAz4/xC+kfKWwfYvNkk + UIK2kayg72KaPPOxeMAJcMJ9V1qWvfgx5tzZCiXH0g2AKSznuGsc4sHRTNlIfARM + oUrsRwKBgHnZpWuBPuE6K7siYM2ySjc1mP9kFgvToIIX7+7OFgjjTtU12Jd1FMQj + PvbVmZaNWyLI7zcke3zlVWYab5TPaptDoGdBG2/AXCS0QsqZcAQZwDvkpxD2TUUV + KbbB1PmetSTpqGCs3g3fCsvheuZPYZORO0NS7f5YJ3YH0tTIBX32 + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthorityKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAx27XEEgy1WZ46mfdFYOs/nxg5n3WyTy2/ISyTpnBKVItVkrm + Tg6FDoj/xy1Jx4Zconwvd1lUIINI/7Qr08zMxTzjVFUPDNlnZDzvVsG8jZ7ENaz4 + O3Nr/+2i5EeQH30jg7ksvtJ4UHVWcnJlrkFArXpuc8f0kR30c7+pgsAg8MZtX/R4 + wH2xpcBYJIXOq9cinkIGamOf3GYCzO5XTvcsXQyJTw2TN9ORWLaaX9y3/mFV78Wi + XGbtcK/isAESA6dDNo8bltrlUKuwpa/gEEnPnQ8ab45YzmyOD/bzZ3K3eD8kA2Wg + Tzs+xC5uFupqNqHUgjkBjf2rlASE//QB+ovXmwIDAQABAoIBAAnqDrL2g+Br+bLd + evYo157HHCIZO2ZBqG8hQaP6rMmbFjnl+1ECE8dHND/4lmRe35gMSGfMfwwmuqhL + kqoy0jMz9bEpkVf4LtWi2dscQn1f2S057hU2hbXxYFms3RNTq0JPIFRULjsBukxy + N2/UOpzlKzyCQjw8mvxuGMUxO/H8NMgE1fbZbR8LKUN+x3pOfQqOb+l8Eas1NpaN + 2hdDR+zQZzCFMBGRUNldbaaKXyi895ZXXqqqG/lBvgLgjMzc3FpUQxlM/V2tRJD3 + Q3drC0o9z/nKotsSDFLUYYVhizGNDxrqQDIU1dwq61YKhxGYMtjl+x4sRnSk1Ulm + 
XBtShtECgYEA0XYC1Sg7lbE8rKtXxoTf8MAbUa/FJKFtd4Seqpz9x7mia+e95TV+ + Lv3q7bDZtYoGs8+0Q/1315E4cqh7O/LI60uEgdsKVjDzNOhHjp8guHc5ZJmxg/D1 + UQdKWhE0aUxZ5ErBP7Rd5Qep/cuOGfL/PK2l0zrhur9fzfVqMEEqFWcCgYEA875x + Z5ZrmXt8QnHKUj4Rzf6QvxttC41n+wkaCQNFXHWAHaUzCCegeE1qeZyfjmOvoHNw + rjN/xZ5FXR9doXdbp6hcXUO+byt1C9RdcNGcio2gGsIDcKAbCbvFjvvMKwpnAS1M + mXe9I5jwmRQNzsL8Sr1ol3JuFOc+QfHksQ/D960CgYEAq9vz/wj/upatfc8oOc4U + H+i/gYqCase4lXPO65Xb89+wEHEYMdRuMAhOla+hMX6KeUZWVeLGTaztb8YlNs7B + Y62WjyU1mfqX0jUzYSXXJwNLp+si52rxHQaqTrQHGM54gwODA83trFlZdM9rTIdA + PH0Nrf6F7z/OT6Ko+ea9rMkCgYEAmb9IE1pLlu3QjKzwPP5QBssLjLCFESNqMmwk + UwkQKGkpngmFbiBo1VmnzvwfnRZ+QsxuiEON1h6mjD3rtpzuYIwPbvj7V25nD0Yu + hqqBftgk5Jv6xYEIbRRXYoCr4X5XSOPFDIz97kVbhoOizggqUg61ucoBbAgNOlWV + tqZGK6UCgYBDO9wMj4if/Mi1N+JOeirtU3kIsXzVbguFOj7LfzIkplPTCpcaF1fc + x5zHOu9Yvg1CCUKIus2CqJPmxjG1iEGaVFtr2ps6faTr1QvYmxYCVZwQ9Ojvh6f2 + +tNS4xM76P9Q7vwSgd1WDxp45od/B8RxHfh3ReEWY5ImCoDSPDtUxQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthorityKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAnwPR23CYd/PnmprlBM3CqUssKScmMuDDuNgKY/rxMEF+hvZH + DhjxM9zlVy7RwIKDBRT5hBL569vD8nueVxb2T2uul6nT5viWEeCVVUvveqc0WOjE + IPHODlIR49v1WmU+BUmrBm5NgtxqMeADgY5WB1ceCwAxM6U07TsAVY5knCA0XWak + SoymNJA1mCgBi1lIrBjfMyo5qjsb34FryDCfLnZc3R8tTVcxxOffe1wARO+xQQJB + 9L90tVeismjr2avtUIh0yDfqvvOAlLAh6xNLkoSktDl5wFQfmO+4159b/lyPAb4q + r+1JAU41jxowrpGiUWCEe4K52dvkI2eXRZ7YHQIDAQABAoIBAHlu8VQjKExyduwa + XcrNV1rxjUfgHcu82brPQSAZAxdW7MkkSh757Tkt9/YcSxI4mNXIrsOtui3kJj+H + J+RaJL+B/FLV3n0EWZZNa703wCpqhg9fsmd2QWWuRvs7fqMJrdNb7r96fLbynCZ6 + bDMD/66bWNYNz4UhJMoFxLuRgkO3IAlLnsXZjggCZ0YrkBkNUrttPE7UXy5wa5Zh + 9goKRzFWxiUl0mZm/t9dyUcit3lFHiLQqSo5mXKT98YPgYPuyJmlfWSCR/CSEwP0 + bQUsBmWxYh6ISx3l+mv+7AgHmL9XTRkoYqQI/6CqOvcKdyCKFZHsyHYUIa+bO4Mf + k+H/kgECgYEAxUOiq4gJUqnJTI3oQiSMAdK9cNwQXk99ZOz0T9qkr9NhJCbgRHT/ 
+ na1xPdiKDwu0UqAZZ7TIRwe3zdb4rc4xIAZQYLvAOBdLE5u7FPqyI6RvNyR//nuM + b/E5khIFP27c6OITiyLEDMPAYhBl03dFJ4XG7s7DCkFQRsJPOcBGcF8CgYEAzlym + 9WWUkzTsUMVn5lWg28F1qZ0Sa2GJM/dkc8OkZjZDwEMdj700XBRe2mimvLOvIyvM + 9xWOut/ObZqVMikF3kUSpAnZriOYsZtK5bAWdRkCumk0r3OraIZasYoVsCrAZ1lW + LzORJ7sMYBeOex0acXxdirGDVD3hfcwBVQBV2QMCgYEAvCWihdCec8WVRfsjx9Jr + 52FFZtu+kPVoOFb5PyDfawRF5uFdjm25UH8ZP0/Ffkw/lX82O//l9jmaSi37ymqb + 2FutVlY9JEKzTOSAL6ZdOjmgCgw6OFNGw45kxrmBX9sxwL3AvjhOnY4ndGEHfgaI + YwXpk+SJisJ4+sRiJEcL6CkCgYAKRXZR9JJmmVXB13GKd2ygQ4rVvGm0SpCHs6Ke + WHiQVdcddLm9887tXl4yRM83yUHIYF+9VKdcCdO+hNk0O/J807dPzuW00zTAclhS + Ame7wFjwalgi+4DmnPlaqOLXd+lHu5yckNaCwb6l8cY3voUYbPZC9v7wbHwSxNq0 + HmYnfQKBgQCf/wSsWMInlrWH9Td9cD+I+ecJQw2C2igVlJCjRtRpGG7sozYHuPvg + TojbD2mZX/hQS/0mYDnEd8Q6V0O5KzzEsKsCCWd0BdpJmCRLIVQ7Au2OS6kn2qcF + HDdcEFltmejIwx/eOl2mi17wG7UUE/TCaWeZmKe/6cLhuK+Pci0ioQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthorityKey/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIID8jCCAtqgAwIBAgIUMTEwWmQjhfS8O3fivo2IrczVWwQwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMBQxEjAQBgNVBAMTCWFwaXNl + cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALP0cgBfAO6vqPGB + DX0o7qLxxQ4RAoY9as2PH+NYfSvJEuE6MnAHJg1FWecSnhhgO8TAk8+vZ9oyA6VI + 8PWHZ1y2V8y2kSFFVk5KzTU02QLPNuKSif1Teb+Ywf0JGwwMVaZ70nDMY4/HeZ1c + 6gWZ2BBZYkipdTktL6bzL3QV3piQ2WjV51Qk5/pVhTO4vtFST2KJDl97TJ+5jqrq + 006Jg8boD9ghKhrw99pU4G2bFtMFzrxlrKQLuUmCg/Lbb5gHet3VdcIJe7UjEG+r + iqxSMgr7GrN9enBcSCKQuQv2L9MPQTUeKTCGowWgWY3xBxMcGBIyLWKey3WGyVkN + CbxzpbMCAwEAAaOCASQwggEgMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr + BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUg3FxxMta + uhTDjgSMKSPpX36RtlwwHwYDVR0jBBgwFoAUEELhN+oCI2KEHlZM57YQyJ+yzb0w + 
gaAGA1UdEQSBmDCBlYIJbG9jYWxob3N0ggprdWJlcm5ldGVzghJrdWJlcm5ldGVz + LmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVm + YXVsdC5zdmMuY2x1c3RlcoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVy + LmxvY2FshwR/AAABhwQKYAABMA0GCSqGSIb3DQEBCwUAA4IBAQAy1vs6tT2RSMYH + 7siAlRY50Au3BHbPXd04urn04rbuGN6vPxFYHrw99vMDcOuhe/Agd8CPWGF8vnMv + dArNztd+SsmsAAFINUrgMwyNhyDge1PSkJWFb/CkrZulJEswh/B/8lJvnepiegR7 + +UMeNaNrsABN3qv1AuivYSD73xh1Bnf9iLddIT1JmxL/dxWv58isE/TK0u8d0UkC + 2WhW2i5ShwgNKRsR7UWqLEuLGhl+6a27dhwvjpG+xv+V/R7bkynSNetX7LrNvqhD + Ge+e6RZnvqID6tizrMfIGW/6QsbdFwsUqng0mgj1Dy6WWZbFcrLaxEWXSOn5cgw+ + flKEqTFG + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: apiserver + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIUL7AdUaWHpVnTqL+O8Orqo4ivfzAwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xMTCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJDyWDTuJogzEMuSK6+TwDScx6h + gULKUL/1SiSUykwOEfqjizcWFuxNEQmJgNDEk5SQCMnkdCyShaB6VKxQTPekcq9e + ACk0oNbHww5uVfHUT8tdWkrAIrIc0RHjOoK6TkXUPViT8we3IiBciVkG7sTgnOSk + 8k2e0qeh/XI921mGwgCt607kEbzhjbdkaEhkcqOeLy2qxXxY1s34gJ1SexgqpG6k + r4EL1LDCRjSNPHsG4yd1STRB6eV3+b4okKR3D4E4kU4QX1i62w8WyR6MLV/DcJdR + 1CrCT847POBBaueItJx8wV3ozWKqfr1cZ6Avr4NJF63YrlzjEB0RvjxHqK8CAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDRfhZzGVobLK7bKxyVTRSlh + gy6bMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTGHBAoXFQuHBAoXFgswDQYJKoZIhvcNAQELBQADggEBAD4D + UiL2UJGO8gyk9Im5I8HV9mJrg35rpIMGvGrzE84pQfLaJ4fyL00FztPyLWZgZa07 + VMqfG4Q4ebxfpvcoL5CPjlaTp3jgecOvKeS23teHKXQAzggUik99QLnOWFy+DP3g + irL0nF6+qR0uTEh/MMBMPlL+UWSU314sADBHU+zClCkGX2TPqWBDoNyb83cDAOmq + 
7d5PXHBnwsh91RTodQfCYQUgj6zrbKTfrkCsUTyCDwkZaNCDWNuOen14Qt+1TbZH + doGky3rfkY+JotC7qNq9Y1MyJoWI6Z+jKxO4bjcxfUqdhjEr4+14juK8hKExCyCa + ufhhAtOTE8RW+zEK/7s= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-genesis + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIUfp0dquroZWzCTuuIGyk6svPVscYwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xMTCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ3kdiZSDZl7LfJuQ6Q0mFnvyPip + OljqMxilaxudIs5XsEOT3vdTAYGIt6H5Rw8DQ3bEHTd+B8ksTq5DPZXTJQBAkUxf + ImhZUUDH1XvVpNiOG+n2CWz2DVUj1pPEuHBIBVtGFnjTq+Up/Ycyu2J5e3nWGhEv + QNh0UaN/cpAUlVV54UaF0/X2iavsgQPadaIa+/Ntlw5mgVvxjCBX3gePCQ9ct1+P + 7MRJRLnk2ovIxbNnwPPULZej7mFWHTZIA2V47Yj3oMg6LS9EJcWuvmvhSphBN46b + bHFXlsTwkRUjTCulaVzqumJ+BADLpvR7rsbk7F1A0kKQ5eG4JVXF49qwiTMCAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFI6WNXbWAvxTZ824sOIqNOVd + 4cLZMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTGHBAoXFQuHBAoXFgswDQYJKoZIhvcNAQELBQADggEBABjM + BUDbi175G0Fi7d8EvvFVM5BJsDiNoPr3TzOWJPTd1HseSF/nKMd/K5t5TkJ4+Fio + 5tbrHXoFoSe2YZN5RFXSnwuIqeBceuhgBSmf4TmgQz8Mzcy9Mftk0nfZpKQr042i + gZZg2hTJlSGxOmHSEa+ekEcqrTwNuv0qmTW8F32l7YhJoh2sdNQumlLwAFVup++c + hxSWV9Qhh4/mEqVVMS2NRSWAt2oJQl6xhoQUkibiIl7+nZq0GIXYvLVtGcgepO5A + /0yfqRaDWgKSR6VIWlJeVnRe1lxop/XWigznJO53AcwjEExHyoIWzeSzwT3L85+R + 9S7uykqMmQxqmAhRn+U= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + 
MIIDmjCCAoKgAwIBAgIUO/AyatNZ2KykLGuZrDTtRs9FraAwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xMjCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN7uLlrHBhVfaVE/iotlbT5KkdYN + shQDZOMdkbiKsOoILLusSMAo8L/DORi/kVIQybd3pPWcQ4pL4MwUCA6wRHDH3kTr + tqVGtn0x2atjydch52LOHG99v+lEahlAn6lkp9nPXAEELMO5NRN6k/2kigUrcfdU + vBlDewQoPd9HdlLlaJZylmBmEmU+xBo6fnuvHq6rpY63viVqbvlobDzTwF7cCuXa + vVgRmvs52ejikuFphjxg7Rwnzcu1Lr8N35qxDbkJyNIfuD4OxEcqChFBxMV5KnyK + BNuvKYUWW82h2leDGbPqdJl7Nml6UCJqUSM3hajWGN0ObmIwpwMx0HipByECAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFODH7nyW3CvgBX90SvAeDHZ9 + Q2jMMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTKHBAoXFQyHBAoXFgwwDQYJKoZIhvcNAQELBQADggEBACTA + XD2XBKjYIQRPKsUG6cXyUSxPH5vepFHWxT1CSLniDyFDi7IVT2mNkZg8NHjJXE7p + 9UVNm7F4Gh1w6Obyh1tCChtqRzRjCDQikEvw/TtjWuXW9kkRF6Ty/hsXy24WyyO1 + P1qOXDK8vjRH7PjQUCavmjiNLCEfLZbK+WEymS2blxeyM7ECK8P1D4Jx8YcgZnj8 + FwHhoiNi+e1JZ2G92Y8KND/AmKS+apYRyGh+6Ecx/2FLGxBF9RbqNcas7Z0dQdFE + eaf3V/ofn+2rteNQadgcOn8/vWG8GRW7dkXN6cE1NkZvfWoufAXG0Wr3zIzxgWKi + ClKxcqraXHtAy4vkrUw= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIURJHoFHbbLZvu60nyrhE55F1XO2QwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xMzCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANH+JKbZF6veSqEBj5Kt3YQQM8cS + Ugan+eDaPGTQt1/DawpXu6ClUZbrg5TYYovDe+mHA8cQXA6wcoFuylZYnqkHM9ek + 
ZqyI9+upUo/fD03WL5yRlyjOiXYaHKk77iRk+bosAdqns5rV1RsnID41MBjcdREf + gJUN/PCx9MqvjuMx8ExXCioC76TOuBfe7j8zwXAvhL52qdqPO62BQjsR6JwEiy6w + Vs6Ei2Rosli0rsoi9dEJsGyP+PByAFBXloOPq6G5AX4l9K0yibKhpRP8v6iFZza9 + tSn3y0lYb0Wk+ofZIGQQOPqbPVfh1+Cw1yUTfE/SO9eoDlZ1zh6lMvXKHfcCAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAs7f4SypSxe2nqxB9c34gJx + vs2rMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTOHBAoXFQ2HBAoXFg0wDQYJKoZIhvcNAQELBQADggEBAJs/ + XSTb7rr8oFyI95hnPPfGmC9Ooc/q3AntxtqiUTa2WarzAAs1oiSYTIaA3TpDpf15 + vH/dXrUqks5utCt5+InLpabzjWfQU1pPdscobasz2DNdw119KLUSCkIh3NA7xtXf + ZA8tSMTvmQWGEXMA5uzVFbKonoevYdpIDKE4KutUE0Kd7iqcieS+nd8YoWzPV/ii + f4fh92nXyoC8pMe/bTqRu5ybqyo8qCGhfmYr3qw4EV+7Ygv3bvKYWRQVj9faNJwS + NFGydW1Yym5YBjBBqXXee1nSdgUR9+Hc7B7jBS20Re29QEpboIz0NN0mOD0wvhqU + f+pQOEJfu3siiGB/8/I= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIUAN65KbQ/Nerv7Ye8OYRJFbonDiEwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xNDCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCshJD9j7xhEM3AwyyGsHZhqWmQ + +6pa0aCeLfd4tgmLzyWuVV+IQlp7bRDtWL0YHFgABfm4w0TCV9Iq5toe+o0LHqnc + V5xAn62g8wIgvrctacgcQsRk6R7HFvr0rSHrVm34j79A/Q82Sw9pqml8YI0UI2Ev + myKkKiqFnnlIRjX482YP7G6G2lRb7fAsT6Y3eP1fYStEPb+XPnGSp1clGdbvOR5N + bwiGwyl7D8WX4hHY0+1sE6z9FEY9py3kAWEGAldkd5TxkZeXP5wpu9UKkWBlLo2E + 6pqFTahPhEou7NTHLXjXdkINHFsAtxC/6je2IX3NcNGxN+xBjSuWKX02580CAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKaS8EugCKlCunqxYJGBeX3S + 
vKeAMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTSHBAoXFQ6HBAoXFg4wDQYJKoZIhvcNAQELBQADggEBAI84 + I9OTDzi3zm7i3n3bYDLpe3IfvBwMA+23OgR881stphwfdusnPs5v69tRmmPulK+T + 6eFmsjF5FO63wIheyDX5FRyqjPER8/aY+rB+SLQFV1+W8BlfL3O2yjWV8QU70L/J + iB9dMbVP7viP1RQ0M/0xQad9aAiJf6H1IPtqkkIIngcDFqN2HsFyjac4wiCvxd7W + +XGIvVXnj4TfU4fCZDOdqagx198Ba2o0SYpklWdxmL3a6hWL7wDpHdOcFIq/ahka + 0CVyKWCHVT/n57V+K9nCK5BU8793gqzg8JtsLaWNrOY24z/I7jqDQKrv0VDVaUuN + Zqk3q0o9IRfQ6SB7b70= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-14 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIUL+AB3lMZT+cvoHVncfqsn9zIkqAwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xNTCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMOE3JKJWC7+xjy6UvOe7GJnQnqm + OWStmgCFg9PaOBG8Hki+Tvoti+Wp1f+wXyYciS4Ds9x+7DOg+NyqZdQd6NFCFGwB + Q2ne6dOkjDZte3OGCfiHC62asGDNWxY2+5A5l8ctYp5Gh6M0bx5bOJ1oPGauEZDg + 91gPILRjvJWvuY8CjUEgBizIZ97t3jYsQkLargxDob2YDGdkulrXQU3Jp7U9hGm+ + qIJRMRYlKLG2wX0KbSQpyfE/cxZbgt4JMTJrVAHVgk2ZgYibX5lfVJAJr0JMRjqR + qKF4X3JKgiupmwFs0D8YSUxA4h4YG8QHB5bp9cHlcC9RV/q5clOFwNyts/kCAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFM5L8sdq7XxHQ4VF7PIw6w6x + iqF1MB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTWHBAoXFQ+HBAoXFg8wDQYJKoZIhvcNAQELBQADggEBACIB + FeRVAaWFzlfaFXhn/Ii2KQdmM8V03qllWXV0f33q4JSEPmlyZWUOXL0evJ3ZUWH3 + nC0uNTmz9nqmpSH6XkguWj4H8DSsg/xBa5zOjlRP73jxVf3no2C5pwTilJg3b7DB + W6RcEYXV8xJ88dgUpaJy4xFpDLWMtcZ3aRzNenB/M69Ofphp57SGxV615XR+unun + 7jSKtLlG7Lvw/yUOe10Csx4/DLTEm5ZmraU/9cWTnG+66BGjpxBDA79hAerkg+3J + 
L6c8lQIoi7bno4RDXg4XWcVmMLU70BLyS6fZYBG4RrK0Qdwhdgzoo6UWL2l4dFla + 0bpbs7RR0wVzRkqalME= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-15 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmjCCAoKgAwIBAgIUMebE3IcD7NvgPH9tNwmI6hW1OyowDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMDsxFTATBgNVBAoTDHN5c3Rl + bTpub2RlczEiMCAGA1UEAxMZc3lzdGVtOm5vZGU6Y2FiMjMtcjcyMC0xNjCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMYb5iC6L5GsFtLvP7ev/LhIWo/b + Dh9H/rneOmF8FN1fnOn3jtXFYaYaxgLZcx0O/KmuQDVN9w41g1kZsuXsa/N4T0mX + ITTvzKtz9oBpk8YBdCcbZUx/vgkgzF0Z+FpLULdX+y/R+xBNHrg7wJ2NXLrtUojE + 6OKeFOuyfpIq8cpZhhEph/KHvCrWd08W5CKylJkvE7iVzJm1DKd4s9yua1ys5OIW + a6mbaO37rcDIwRwpDhUnPFRB/10LrgswbLEYwrYvwdU5ROh5AiZEpXtt6EWXv34o + tyXAZo8g7WjaPQFoJKCaZQVYGMW3CkJaNA9sd1UMfCc7T1/2i4i/5GrjmFUCAwEA + AaOBpjCBozAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG + AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBAictpB6T2LwMsDxa6aCwvQ + NCQaMB8GA1UdIwQYMBaAFBBC4TfqAiNihB5WTOe2EMifss29MCQGA1UdEQQdMBuC + DWNhYjIzLXI3MjAtMTaHBAoXFRCHBAoXFhAwDQYJKoZIhvcNAQELBQADggEBAHEp + v5I09F/1TPGZC605shZcFGkeYcGOS7eonNnzRJ/a2oX4XcIWEVe51rhrYFYNbEg1 + laUeAAxCZpBAaayBJr/7mHpZ+O11wKeAXyhKMrWhD0I7zYcYY6+tzwOn2/PXnD9I + kLdr+QOP/tUc81eBdbc+bsQt0gMDDdkNPCRnh5ZBoq5TTzmdrv/Fs4oPM8Ay9Fmc + yKu8oesMnEe9Pn1CrCuqdHtjIcbeMxE2sKJAFRuKxrIW038zuZoo45Xe8SlW4WMQ + 3/LJYFpaoz7ZPZvDM6EIshfdMuKdis69Et+BwfIniRbN4x7A8gChm0/ykeS0NFBv + f7fhLhjeq3RTAf+y/zg= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-16 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDVzCCAj+gAwIBAgIURGsw+hhNCEAG0nl2WprcvB2eQJYwDQYJKoZIhvcNAQEL + 
BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCAxHjAcBgNVBAMTFXN5c3Rl + bTprdWJlLXNjaGVkdWxlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AOI6ApeeAwSS4XE3K9z2pAJXi0pE9pPrjHOy/SQctCZkBuN5mAgOJNl67uWuqbIR + +8AvaPXH+Wz0lkKBv8EI8Rl2uZz8+aXGYKY9OCRbnWvaC67XJ1/3luxry7jGRYHo + kAkPAVpS1oUSGvNF0mQFhR0BtsyA0cYOzyp6WwEGLR14klqABs4iS5o3vwPSzJ06 + Iel7ZtHS35/pCHvBL7FrBJ2k6nDcWc+juTrvLcAZK0tPXl7Q9zLuA74S2RwsVXPj + Zehw8isGTVJMLwdNUEQSGiFW5co0ux9ArOcbCbwQB0RpukJ412IiUNnZePPhesOF + JoTok5gEo/4KfG4cFoU506kCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud + JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW + BBSdlHOy/P6uog1+jKgkuojvZWetQjAfBgNVHSMEGDAWgBQQQuE36gIjYoQeVkzn + thDIn7LNvTANBgkqhkiG9w0BAQsFAAOCAQEAJDkaSxKS5DVABnll4NtHNFQzHGif + cxVRuwzx9iLTvtu46+HDGa7kyqlfg6/D5ZL1Gv15mDlg/Z5DR9e5hJeHXeBC0gGH + oW8ZLqxim/o5JljOdQk6Pol3spkOraA3nQtQJC9acMWwVbEfBFtGXM0l5MKIjz3e + tu30uACC7cLy7woSbG/MiYRQFDj+26kEG9rVHyfxh62B/w8qlRzXJoGVB3Egj88p + nv+no/q8H7rQaPTW/NbnbhDIyzxTX2FC34Zk/+/Un10DsCUztQCHSaMoB5xzL0B7 + QCedtwyyNXnwSTQARyZBmjJLxWkqkBuLNlOGQbYMGevlxLWaHzZ92LVFtQ== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: scheduler + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDYDCCAkigAwIBAgIUXyw9U/4082LRg9GVpN0/6qrIATUwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxJzAlBgNVBAMTHnN5c3Rl + bTprdWJlLWNvbnRyb2xsZXItbWFuYWdlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP + ADCCAQoCggEBAPD8R07Ho3+QiJelhwBCk6lzTy8PKynXJkLg/uKHx8qCB8pKS6SW + PLlqiRa1GWl9QFbypo4Ipcr3KlGFOnxUj1X4iyxXqgjP4F4eooA6h4TfUd1SB83r + e+mYJVwklxc6PPwQpDT7DiSA6hXBDVuUUkX//FDrs/j7d3+zCDRTrLYyZ1VXqmgX + Tw77bIVkhQujIjTgGEh56nUP//Z9jOapagiIT0vmPFhudSGVX1F2WGqpEADETMHt + AP7U21mNQWheSrNrvj6+IpG3uLAciTkZyX5lmIFLMvHvRh7GtglZJQsws0fg4Vx0 + 
pe2AMYR+fNyazC5o1L2L/4CxknQEyDJ8B78CAwEAAaN/MH0wDgYDVR0PAQH/BAQD + AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA + MB0GA1UdDgQWBBR5BbY5n3n1okPL12Fme9bexMBQjjAfBgNVHSMEGDAWgBQQQuE3 + 6gIjYoQeVkznthDIn7LNvTANBgkqhkiG9w0BAQsFAAOCAQEAVQby7LkFSz3kiayt + lYsYpIkYdnd88pINaq8cZ3JzaWQDdnExwTEB5Jj3E8weUQKZVTuSGACEGe3w4tLo + GGAbb0eDWOs/0I3QbQIVfzrSxUJtrwvWJMYxIHxd2F+20RBqovcjlB4Zijpa3Jbi + 2jdsypmDGag7ej7GLEJSQqlEPEwlm8HrDsVDTFOXIWG7HVhFgQcD/LmqFRl3HPKQ + LsL3d4FOERCBkbmiySY6bs269L9i3Y03YIyQ/3EKKwbK01yu0HeVWZMDmVCNAqYy + 4Ni5XbuDvtOa5mciXVNgWFL+4pypOe4HMsXsPCyhaMRxieR/hGfIHsrgK79i9qES + LUiftA== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: controller-manager + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDYDCCAkigAwIBAgIUSexdfWcY6foljjE1RsdGZSSwxHcwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxFzAVBgNVBAoTDnN5c3Rl + bTptYXN0ZXJzMQ4wDAYDVQQDEwVhZG1pbjCCASIwDQYJKoZIhvcNAQEBBQADggEP + ADCCAQoCggEBAMuh4ys4sSDX7pOfiwIphPyEazz1i9dK1AqYOsLIKYmGI/dQpkZo + ZgZLzAA/3ZLb/7ZZHSweqFAas5/UTXQrqNWSyGKAbssnQcb5Mow41bXf6mPiC4dB + IdoCJMb5y8f06Jjxe25a1Q3iB177lgJv6RiMdDFCE1iR6vhRGQSN7ICfeELIlQZB + Am6WhcfO20FAAPjAaYvxuNRkmCruH5VYu0EDb5bDLxJntnszH+eT/8JxB6SOgNLt + 8GwB4pyCj1k5/p3fsE6vFJ0df+5/o4kA7hULBj9z313AxJa8MD+aOaVXtm/xb19p + G+lxw+BfArlxoIWntMbIO8Xr6lkYNCcDKZ0CAwEAAaN/MH0wDgYDVR0PAQH/BAQD + AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA + MB0GA1UdDgQWBBTD8jobt4/8KUMiQU3ZXpSPkiT0LzAfBgNVHSMEGDAWgBQQQuE3 + 6gIjYoQeVkznthDIn7LNvTANBgkqhkiG9w0BAQsFAAOCAQEAgatxHYQCpix9g+SM + NMYLdWkiW0+QEX7/W5xtzrZoWU98+PPUIMXyllar1ZyT/wOnM0ixJ4LVdNFNeHRD + AJwsCzhjAFpL1KYYKOGupAoncmWD3aLYaJ0u+pZuAVWhkjHbRFxICyAWgyUKox6F + oSbGlc4hifDc8rsV6zumdZUcvbwK/NfLdu8PxCwAd3RJBZinVLy2hXAO+p5QWFpk + 
K3mF7qfeoejnDbyICuNGaYRUXpiUM16rJLoU8weoxdMHRj1KuUKlQZNfyAHLMkQt + Zbsu42F8EQjfCMtBZ8CNl8svrJ/wT2r9pEVDXxD02+DK9dRfi27dhPuzAs9rpmhh + FJbWDQ== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: admin + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDYTCCAkmgAwIBAgIUDlVAkaB2uyioZUMKetN0LMpGKpMwDQYJKoZIhvcNAQEL + BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe + Fw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCoxFzAVBgNVBAoTDnN5c3Rl + bTptYXN0ZXJzMQ8wDQYDVQQDEwZhcm1hZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IB + DwAwggEKAoIBAQCZYReO6YB4jMm5hR4I4rgXOH51MgqlLlYFUQ8fUUN3XLoNvtKM + WPSFU/jbQaUNnME2nh3bo/ERQ08g5PVSyKHB1bjzk69Hi9Eqxlvn+0ClA60rVzb6 + 840CdS0HICDcZcMYK64cfqtxxO1Uk6EbseUSOCHLRXrA0DCOR7foCS0esdhAmyC+ + NxfDRyneEhvYd8Ym4YDYWQKHHRdA1Uc/wgg7DkXNAOal/apBmFybQArKygvJCHJM + zOtNSY5V4LC/HBCwIy/PvPWS/iEjq41XHZU+VIxbLIMCZxv9EqywnzmCqhNTCqQi + 7Jz95flEtUp55l1+aQNuExt/RT2BBJabqY9HAgMBAAGjfzB9MA4GA1UdDwEB/wQE + AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw + ADAdBgNVHQ4EFgQUk7PXsMLd++phw0+p7FgrJKPosOkwHwYDVR0jBBgwFoAUEELh + N+oCI2KEHlZM57YQyJ+yzb0wDQYJKoZIhvcNAQELBQADggEBAAISpm5ng4Qw59xj + dGWWt5SKzi/K+HSm5Xwe4jXJv5iUXFjsgl3a02e+wY4jfYjTwAIpFSKx2Gqz9QlC + oFmxFmwLhnN4qBoqC2asFpIFghYQWDRPkJI/tIwYb047irvEnmdguC5zjANLu7dd + ziQ8+OYAPovXib8bige+aDQziZJ1HC9iZOUHKoVzFHsVo+6qJtAJFIPn/lJg0BgE + n8gwlxbo0Mxx0308KM/0mrshyt8N+eBhsFzcBtwqLvO4SvKU++T4erzwKg2C99qi + v3x4E4BIZcM4JYcKfCDtMgW24XENqWVPP4GRPdpTldjeYrYO5SlkwecvxtKfuNoU + r/CYTiU= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: armada + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDUDCCAjigAwIBAgIUZwkkMwPcgZYpWPR1bgz+I1qJh48wDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + 
dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowFDESMBAGA1UEAxMJ + YXBpc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/23WJUrh + PTh6LvOMmdOXA0Dl21GCS+OZkTlBgE80tb6shVcGm4wXnJzh7l3exqNuJ8GNYAVk + kRNWW6KNMwKhvtTjvZI+Xlr1C0SDSzi9SWpHeHq9sUQZG/YWvqGhcCCOwPz4UJ+S + AjM44mh6FF+CybIMAyxoodospASzJEm2dmZpj3XeIuW38R/l168Jnlkahb5oOGsn + VxNwhtjNaBCLyLxHfktN+urj9sgipwdTpCPE5IowYPdiGXy0DTHfjBui9/rKE11O + Nj9+cfgPlkiIClP/QKzDDhTo7AoF7dCRsFSJpbW0svLq0otVh3kVkLHjAUMkzMRN + PfcXVQ9RL5wIrwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI + KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAx2JnEx + q7n7OiqCIJ4wUZmA85kDMB8GA1UdIwQYMBaAFJxrvTeFHW/gslq7vlcrYS1cHxj8 + MA0GCSqGSIb3DQEBCwUAA4IBAQCL/2ZEXgXd5APdhpMejvHY8Te+IPKc5TFRBNBE + 1tg+Xd4FSVEAefxrbcSbA8GfEHVL8aNPSfM3mnN2tx7NhspjJ6sQv81iTJ5qgZUg + wpf6LW40unuy1reYSJ6/lhsQzrpF8+nNJqnfsHHGxCOhY/PeFKMJxESio+BDfzJx + dYp7AnDsAw7frQQgnijdInMEZ7YBdWJtzhqfV040E+W65n00LYgRwhIBTPiLosGI + 9agVuGYdCwmmud5wDdrNflPNZ1M68OyRSiTcbX5dIQd3aillIyhR5JPm3ORYPhr8 + FG6t703AT+SvxJfhFOz5Gx5er36FZVcybIQgA04XmznWIEKo + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: apiserver-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDTTCCAjWgAwIBAgIUJyzldWqvn6e4KD1B2CimFCJKAj4wDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowETEPMA0GA1UEAxMG + YW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnwCrud47gNd + U3tZSnAjtMgLvJKmz/b25T2KlnubLnkf5FefU/CfGxN48xT+NmADieNA6hr+Wsjm + M+VsYj53ySW4ARBalW6SpXQFxEhm6WmXLw6x7wGOC0GC64EzOGmI1vKuf+UY8/p6 + Fhe6kS4Kzaou3jCk9yUco/7UivI+87e2nTp0q3aTYQPxJg8mAQuNM9PRzNMzkxN0 + //4hRfXEOED8+FwmA/enXaj3/tsvIhKp5DMy3r4cZTw03heRxHWrhFNUSwfe3xNz + rJ+oSevnvJ5vvLx+iSslTccx/SqHFh1qeMEgBWINmHQOzWlWpqW4TaWlc3xLAGZq + /C7uKbRJiQIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB + 
BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGswvAbNiBbX + ak8hI9KXm5YUhBCyMB8GA1UdIwQYMBaAFJxrvTeFHW/gslq7vlcrYS1cHxj8MA0G + CSqGSIb3DQEBCwUAA4IBAQCX9f3q7YU8qDoqB1YzK1fp4ixNws+yD+qqBUufCe48 + 3i7vXRXABqnzW1jAFQEqTcNjWq5i48o6oZpCPQEcZTsjq0XfDjKsqmK/BNhmRMbS + 6Qe3+NdmZ66vcxr3x+Z0SohmSuWVJ5P9DEPeqQKu62eKUaqv0D4sVP5ErsvWLF82 + Ez0P5MV9Yp7sW+Viayd6gYEHDFzjCipbV9Kao2qhhkbwwZXah9uf7TlZ7oNo32KG + RDHk68AdVld0hhtqxmBN3rtM9j6t3njh06akk9t/lRXcrt1fjWQtTairlqGzcEqC + wDxl1VncNUKZCq4ZsFh4p7uL/UpVtDRLd6Estm50LaT7 + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-anchor + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDxjCCAq6gAwIBAgIUeP0HNhmy1WjKpDJmZJvkLcKUAHswDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowIjEgMB4GA1UEAxMX + a3ViZXJuZXRlcy1ldGNkLWdlbmVzaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw + ggEKAoIBAQCZJWkSLOVdn3WxyePTKoXONR1xeIByKpWJR5TSdQczEx51o2w8Hr8Z + 6TAO2W1zcvtGlub02hXisfYk6MP284pzCEcX1JxOfcuq0lpDPSIx8Ynby1BGY1RL + wGbQIAfjS66JSeV/bnEIRJlvQsYjynWaWR0Bjq62C/MGqMEvK4t1S25+As//cjEi + wlV02sQ7yuBxnomqMcJhxGvlwabLUz5i2H9/e8cxxcVhh5vogBQKTvHGXrVTe7XO + U73GwOWqA0L1NIv5onkyFs6RyhmFanH637Vn2Xaf/ssr4y6b8hf1K6iVOIrt3oiq + 3Pomhsk+bw4JLYUOdOkg6l+naiD9Zx+jAgMBAAGjgeYwgeMwDgYDVR0PAQH/BAQD + AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA + MB0GA1UdDgQWBBS9Cwfo2xHJjV9bfNnNfPTigRx9qDAfBgNVHSMEGDAWgBSca703 + hR1v4LJau75XK2EtXB8Y/DBkBgNVHREEXTBbgg1jYWIyMy1yNzIwLTExgglsb2Nh + bGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1c3Rlci5s + b2NhbIcEChcVC4cEChcWC4cEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAXhbh1dWz + 51xIazz9Nj5tmvVDoPq3NNMjlDyzWKCnbXZdP7/9nMKnaCf8Al77UV/RRU4ksBa8 + pq3uLAn8hEvsgzguj2JHzF/tztiNdXhYQC3eVoL3lJGNmZbiJ7bzK7B+gWZrS4B2 + tFJnchN5dLxQJ1xObbmBciapX4zufXC7Uj9BwQQ98Vm45mgs+IjyypRUaI+ff/pv + 
0zkL0NQcEHbXGAUjyUhm6/VP+pWl/hoK8j3VDvwlJ73zUSjvah2YkNCB7CXcXqxX + zDsVn8JtAk344Ktxf9uSvDXglESnxe4DplwWu2UfUFtZYWhiIKK4lk9exDjPSFtG + YxCoyIUHPGnzww== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-genesis + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDzDCCArSgAwIBAgIUQ6ylp+adnBv2MKI2sh69UFOtzqIwDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowKDEmMCQGA1UEAxMd + a3ViZXJuZXRlcy1ldGNkLWNhYjIzLXI3MjAtMTEwggEiMA0GCSqGSIb3DQEBAQUA + A4IBDwAwggEKAoIBAQDMwxv3n4slMSD/yuRbc3GMoH1Zu1fariG9wLFgk2FJfZQ2 + XSn62CZIVWIj/k6nVjjCCw/m6iLucnX1argXSn7U/Wo90OwTeoov8QbTXhEpxnNI + gFPrS9hcT+hvUtJ9JBJa+JATSoTCQeA5mK/7wNEeuW0rhJ3LGhgMs4WJ+P86abPc + nFwKrRlYBNOjYQ3qUlVsiS2AmavR6Er+NwhLp1kSIJK/Zb89FRjyPInXf+0LiHxp + A4+kKz8tnmhgSlozNwygU3uVnqMz690aDpvWip9MfCfGFcelDmuneRlTPpEXu3b5 + 2Pu7QlsXdU2lUE93NUcxV34aCYKM6F5dIt4Nd5T3AgMBAAGjgeYwgeMwDgYDVR0P + AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB + Af8EAjAAMB0GA1UdDgQWBBTb382LBNVtWzjBzpayE5jomtDXtDAfBgNVHSMEGDAW + gBSca703hR1v4LJau75XK2EtXB8Y/DBkBgNVHREEXTBbgg1jYWIyMy1yNzIwLTEx + gglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1 + c3Rlci5sb2NhbIcEChcVC4cEChcWC4cEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA + lEFE4ONzv3tFGrcyO1zM8OEFyRSeA4v0hmRITOwbpc1ucZ2OMJcyKSj2aCQZIsLw + /V5U7AYN0f/iBR3E+J0NkZVfdd8OkKqs2dKzivyQfdhkqJeGQXH6oruNvoAikHpd + YtSrVo1w+MMICYlchSV6ooAw3VB4kIIU3YnEwSG4QfXElt47+2Hifuamkkt/bOO3 + OMvLkXe93ejsU6j3KNGfYY5IujoJLrLSC5r8413cO7CxEcO9Yxpq3/AOGB1Ydjz/ + VVJ8IbnEHv2T/VEHiMH5jBXfKr4Cadg6Dhi6RDdqMMd2gxsSO5Uzgrnu4qFgtzPC + wXot+wtYME0OUpZ82GMlgQ== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 
+--- +data: | + -----BEGIN CERTIFICATE----- + MIIDzDCCArSgAwIBAgIUO6mHXHQdt0jW10Y40UOpjkxsrHgwDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowKDEmMCQGA1UEAxMd + a3ViZXJuZXRlcy1ldGNkLWNhYjIzLXI3MjAtMTIwggEiMA0GCSqGSIb3DQEBAQUA + A4IBDwAwggEKAoIBAQC7kszFdSEY9tNTPPoXoLNpThfh5s/Tud3fsNJBR+eIgRm4 + wqpYzD8rkF9o0W2i+CZQamjLkPG3CdurIOzuT0eu1el995ATKjcmvDuT89wWv7Hf + rb3SUVQ+RtXurz88vpiBWGtsCFJWiJ0+UNerFWuxKQH0CMlcqHGB2Qh6Ji3rxqfM + MFQuaunDfY42b49q06DLxBIG/xnXw2UCkIxjDbnMsMeRzmaLdlXrjfkCudIUwzmA + eNF3+XUWeJU0PJrnLOxkAClgvPtEBscDokMmP5RtrYKfiNod+zbvEDxMLw72bM8E + YgZh1U8gUjRBGSYtAVlk1etQxSGEtsigUw6WOGr9AgMBAAGjgeYwgeMwDgYDVR0P + AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB + Af8EAjAAMB0GA1UdDgQWBBTCynbDH3C17Y9VTVsq68Y3ZQ690TAfBgNVHSMEGDAW + gBSca703hR1v4LJau75XK2EtXB8Y/DBkBgNVHREEXTBbgg1jYWIyMy1yNzIwLTEy + gglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1 + c3Rlci5sb2NhbIcEChcVDIcEChcWDIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA + sGx5iCr7eAZmihISA2lK+CqdQOUERibE+2+4JhAjIzmPdn4ndwXUmpXZ6zbe77J0 + vcGAZn482MYOZ4Zo4t7U/b3ouA98+EyEfC1Pfb7wa6oO/FzsastQdtEyOga3A2PD + gWtPDwke+hyqnmrw1cxenAjI7jRlO2fgXf7b3ktTOInZXl4krEKOVdUPxr3F1lZ8 + e/KGQ7nKmlCIkheUhqdVIz9xecQPbY8VfBHQZ9Uxwt9ZVpM+VhVGQiIY8ptCTUct + oumyEtcNJrvC5kZryrZglRa2l+zPMPQs9SPDiSp2Rn+dIfy22ASoYbOepVCe43RW + fQVO48ElOMa0qFMYJCLOVw== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDzDCCArSgAwIBAgIUGotda/SmqhZLVz/wfYNlJ/PVWwEwDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowKDEmMCQGA1UEAxMd + a3ViZXJuZXRlcy1ldGNkLWNhYjIzLXI3MjAtMTMwggEiMA0GCSqGSIb3DQEBAQUA + 
A4IBDwAwggEKAoIBAQCq3gUbWeseVcSmqmdQEChmK7Oz0Owvo7nFxelJZywiBsD3 + pwVQve0NfHXBJ0N0xlb1I4PyiHaUnfegppBYDJwbmaTL+1IqgvmcGgMgFgyp6k9i + ni9dT8LeM1T+Ysy4mud9cELaQXjTEG94hXeYX/AfPCxaDnNmNHL8Bvl9learnGXv + 4lcHeF792vv/Cc4aaEjT8ft49jD+J4RPHhuLyvjFrlTDXsqK6BS1ruMHCa1TFV23 + 621XZ7JjWO9iO9T1GOY2efJBxxUxpGizxY7z4y3YLj43ujiRJ1C1bPpC75ptSHj4 + sarvhUU685Z39F29optT8wEWen2V1bhzn6CH6l3RAgMBAAGjgeYwgeMwDgYDVR0P + AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB + Af8EAjAAMB0GA1UdDgQWBBQ4DoEc1t/C8IcSgZFsCDU6L/4fPDAfBgNVHSMEGDAW + gBSca703hR1v4LJau75XK2EtXB8Y/DBkBgNVHREEXTBbgg1jYWIyMy1yNzIwLTEz + gglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1 + c3Rlci5sb2NhbIcEChcVDYcEChcWDYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA + MsAPPC5E8nxOi4CifOToUor7XivfWhPwTMTeJ9EqD5Rwm52vLMvBL/USIFR7Ughb + KxyPRZef9giWvj+adsNDHKZJ3MAO6ki4vSXSdoKuqjXiHTtRWrB/gpiQF+kW9loJ + FsmQ18uyk4rE3Pu+8GQVM4VIVqL5W7o16qfSPwHnK9uQZw3b7V1ZI0s4rNBJQf5A + 9iIlt0cAVRJaV4qYuSRMIwcnTRbere1MZ62oqpnQjKiRY9mBSPs43Dgel65WBq5M + O7JUUlDepDJ/w+5uS3NDg8/cYE8e7zlO5r3sUWtx4FW3cC8iHol1pWklKhhfIvE3 + vojwQmVyjSmNN2OHNEmxmQ== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDzDCCArSgAwIBAgIUAlMeWb+4iD0kW5LKOunO+K7euCwwDQYJKoZIhvcNAQEL + BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l + dGNkMB4XDTE4MDgwMzIwNDcwMFoXDTE5MDgwMzIwNDcwMFowKDEmMCQGA1UEAxMd + a3ViZXJuZXRlcy1ldGNkLWNhYjIzLXI3MjAtMTQwggEiMA0GCSqGSIb3DQEBAQUA + A4IBDwAwggEKAoIBAQDmTPd70GzDnq3zfFzNbFsC7iQk2Z53F+ylhqht1JvIQzzk + oywvDgufzH2BdHvDJ1zs0prJSkrDlgz/WDwEh4jlX3/U5aCmt1cupQ48tfERDTkV + oDtoSbQGUvk9bvvULhlJhKhyOvaTPo9OdZMG+GFJThDyWc2q14w28QnmaKfD79/d + NZKfVV2jho3vg5IfUOy7OmNzETqcduvOyrip5fVT8XeyZ3UKZ6a0sYgoH+liFbs6 + iC8p9OmvfXq1To1rP4N/ouC0lPXytnhGMPbCY00Qq5j3NQVg8LRN5Uqui4ZGZj1Y + 
yUg/pd7aEzZNbnd/FtnFCZUh/FBc5AiXeAkrvLajAgMBAAGjgeYwgeMwDgYDVR0P + AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB + Af8EAjAAMB0GA1UdDgQWBBRPsGubvOIF4DmzkFcz6Nq/fYvMIDAfBgNVHSMEGDAW + gBSca703hR1v4LJau75XK2EtXB8Y/DBkBgNVHREEXTBbgg1jYWIyMy1yNzIwLTE0 + gglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1 + c3Rlci5sb2NhbIcEChcVDocEChcWDocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA + ogDU8hy5FbPooDAymMdl+o49u6kR4KVwQNJDQ/ey3fU0BmsnzRJffZn/bkniOH/T + w44dFaYcIms9GdTvMSqsAoFmmxk5tTkjUvR0tWnTHXdW8BVP9daeZssxrEpWtdko + rk54U10GDb81/tgEzCgwyc3zlVGC7KFg8SQjkFRvzroMl7KQmOj4qHg4xmVMY9he + dlWe4bXL1wboWwGJinAde/DGVUtHuRUy+SZEQ5NrgmJyBMGuIxHUq+ah4m3Og7zy + a+rY2GNw4ZtwzIKfq8CRMOhY/Q15THHtkTEMYtbFnRBBHFTW4APmNN1sJf2zHyTA + Nb1AF67ZyA39QCwsmC/Eyg== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-14 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIID0DCCArigAwIBAgIUGfc/aYOelDclJkqH2nlYthUt148wDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAnMSUwIwYD + VQQDExxrdWJlcm5ldGVzLWV0Y2QtZ2VuZXNpcy1wZWVyMIIBIjANBgkqhkiG9w0B + AQEFAAOCAQ8AMIIBCgKCAQEA0LTvHFu4KjEVUVmN7RrGeBBtj97YGKWm7nAFNce4 + 0/iBFCMIIOP8Qgkk6Fko25izgYt9p2D4I6ipjw+Q6wBX89DnSlJtFh9P7k3ypUII + XcKW8tQCNuyU8RNjJlmoaYJhImx7OYQ1VAb1qP3ve5yBzjil+OS7Z78lRg+Qg6Ds + kzxdipYj8aNiJKygjFzURZ/Cyp40jIKR1GJG3S66FGMwgmDNfqIL/iKJhyYYcwOK + PF/v6f9FOxNigsUMrQmQUtmn70D21GguUKvalyr4rDVPuVmqZR4t6x0Hf7iymAZg + NOjXj/z4GN611vgL5GubdtCSG71o/pjLFoybsGzrCE22oQIDAQABo4HmMIHjMA4G + A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD + VR0TAQH/BAIwADAdBgNVHQ4EFgQUkKsAy9OaPaci0hKnCe4xs0a618EwHwYDVR0j + BBgwFoAUHOcG4lNJ8aqGTV3crp5ItzgnMscwZAYDVR0RBF0wW4INY2FiMjMtcjcy + MC0xMYIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0ZW0uc3Zj + 
LmNsdXN0ZXIubG9jYWyHBAoXFQuHBAoXFguHBH8AAAEwDQYJKoZIhvcNAQELBQAD + ggEBAA/4FVglWoxX+dFFd1U/9FDA+D7wXkU09ACJtAtzwNfqlaO8DqkvP5n6+ck2 + l50ViMCz/w6M81YHC+l6vZvYkJe4avsbcCbeTyMnF4Rp68xRB+AtdRC2jeYm2UDb + wSBd7YRvmC9HUJsixpdUI3/Gl6/PWbUtJr7ocytPmNFq8WNoEL18oPqPNx49by1K + Q0kldiyKpcEw6APRAevm2h95mld8Y9QSbGp1V4Utsy2JOTkj/cKGGZi80DGb/BPm + bo/nHMx9zFa/dUSznK7OGBWMJPUWR9RWwLurY/QZi4/ISbW7QeE7qXqjfr4vUCPJ + qrfEzKtO4F0AzZseYy84JHVdt3g= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-genesis-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIID1jCCAr6gAwIBAgIURD10BbmKCFPVcIhzBVNUJBqAWY8wDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAtMSswKQYD + VQQDEyJrdWJlcm5ldGVzLWV0Y2QtY2FiMjMtcjcyMC0xMS1wZWVyMIIBIjANBgkq + hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOGMM03w+KfFtSKF8Eboa66tXZc+NfdR + UtX4kLOL77p3nzuHRFnL/JA4+dnsPzVa57pqqOFuM7R3ieQJUv8H85KsrUkWJHap + u8WVJIJB2XVrB7FJKpGy/xRK0o3pyI6ZP+/vhd3m6vRz1qhlv6Hp5XB9iFbIonJ3 + XBGq9C49ljL6cHAyGLg9pr4bOahGIi7zweINnSznv42uXrHaA9JfHYuK24Nuse6w + 9AH9x3Q/Iu4kGaM2bjrkMdO4dkbrnPhq59KDS4VLChkc2sKFtHDg02IrplgYMF/8 + r8dioUvicvBTkjV31VQkKsVCsXZIMKq5WVQ8UFPROJPiCxbmzyka4wIDAQABo4Hm + MIHjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH + AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5/a0KPkb87b2ToFODou5W80B/Mow + HwYDVR0jBBgwFoAUHOcG4lNJ8aqGTV3crp5ItzgnMscwZAYDVR0RBF0wW4INY2Fi + MjMtcjcyMC0xMYIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0 + ZW0uc3ZjLmNsdXN0ZXIubG9jYWyHBAoXFQuHBAoXFguHBH8AAAEwDQYJKoZIhvcN + AQELBQADggEBAK6e9EcidpL50u7DSJYL6I6bcwHdLST7U1B5Neci1FQ38pBxTsaV + zC5WofWlBExkihBZbpGfDjWYRdLPtWtvZF4lTj8Lp305qvBQIQCRndaTHQKb8J5T + NwZUIvcomY1xI1RKc/nrGhG1aWtVAfIZiXXssB/BxkM7nV2mW+736gGLRVznqX7q + IlYAJsT8qS+MENhLvT+sFCq/WsLocj5mB58VsZQP0vPH9vsmfSzalk+vGlB4UI9b + 
W+ouw8vEHGqThiLXgyc9dqd2NCA7nYnBvbOjGdz4uPoL+Oy2yJ/Y1Xff9+KayvRQ + g2IuSu4K3wk8SlP/EpdXQ0Dx4Q/+JTRfE/k= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-11-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIID1jCCAr6gAwIBAgIUf1FgYBVH5eIrYJ0987wEYd7JJxowDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAtMSswKQYD + VQQDEyJrdWJlcm5ldGVzLWV0Y2QtY2FiMjMtcjcyMC0xMi1wZWVyMIIBIjANBgkq + hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8EMYGTcnk95r0ChZIikBeVTdI8QINAK + qtsJjls8sKz8Bun7SvHJZTBSp3wzHIY75NIYF84W5JJhXEfJPKAjyzIwtQf26Axg + joxp/wayUSgKVgqC82qWtDpqB4fJIuDH64lYIRM/L6ZNTa7m3jZEVPC2jMRvLPdG + FUfOiQa11K1/aZ95gPww4W+6ujRfqmlGPtak/al3vbNwboguBbRSTkHUJ6+9O2Vn + /gAD6k7BbgU3mLp7eDKMADpvbSKV1+RIBGwBKgIXsg1kuyoyenf2v9eLDa/0XDge + a6FAM1aCYziJQSXzaorvMVeWm7ewkYiGLohpo3B3vqVVzKzboVHLlwIDAQABo4Hm + MIHjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH + AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUZwUMBSlIIh7o3QfgsQqrp9U8ch8w + HwYDVR0jBBgwFoAUHOcG4lNJ8aqGTV3crp5ItzgnMscwZAYDVR0RBF0wW4INY2Fi + MjMtcjcyMC0xMoIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0 + ZW0uc3ZjLmNsdXN0ZXIubG9jYWyHBAoXFQyHBAoXFgyHBH8AAAEwDQYJKoZIhvcN + AQELBQADggEBAHbQInewQjRhRiv/6w+GBtmA8qx/AaC41eyK9UyBv4VwWrgKSySe + Dj7xQVmUSrKE1xUnxV6++AGH0nQy/7bmgWpDO0d46jK3l+K7j8OKagJDmoqSMOry + 4xTSE4+lpQMxfEvH2j2AGXm2oEqStqeCyyuFcNCheCDwgbK3ufKiFrfnUbUzyCx0 + 3cZal4O60TI0a6zA8Wc9pXOvo1ZYPqiQls90ET8tYMv5P7C/lFr3yyuVAKTXRnx9 + J4N5RPJ6NAO8SAIOz3YANJrHn+rWQjtA5Jshi7dZTqwT50xXcCGj/x/qSkMR6Gbh + 6D268Bj8Qr4dovW3vNFaNAYLRyD2kQgfHuU= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-12-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + 
-----BEGIN CERTIFICATE----- + MIID1jCCAr6gAwIBAgIUeYWNmelZjWKNlj0iEmbLpb3zSIEwDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAtMSswKQYD + VQQDEyJrdWJlcm5ldGVzLWV0Y2QtY2FiMjMtcjcyMC0xMy1wZWVyMIIBIjANBgkq + hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApZphvIQa6MCRwRi3vaRr5vdRId/CZYUB + CYNm5pz8OT6ud7IgiOD8J/S9ein+efRBC4i9sPQfMV92736IBGyplYPGeMBP0/4c + 8SP8O3tU9JWYYJ6dP8nuk0DchTsfx1WNEzYZ66k6uZpIIWXfzLkmr33jiLCYoJq3 + hQZerqp73GatAzjxXC6sq0VYzvmQt9AAZMuOM3u9r/w/QkSeyRrlIUhxoCALPSzZ + 0Epq16w3GVpdi2bpTQcjGVmnuOVUUk9iXDklrpDWD9gb0RFf2EDSVRdP4HE3N1Ex + YgwHUo/NjYa0FVwCOWH0CRQHJcjiDHus4gzGq2liZZWygsEYWIEbfwIDAQABo4Hm + MIHjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH + AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUprH+innwQOSIbpjzLXmUk5lVPbow + HwYDVR0jBBgwFoAUHOcG4lNJ8aqGTV3crp5ItzgnMscwZAYDVR0RBF0wW4INY2Fi + MjMtcjcyMC0xM4IJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0 + ZW0uc3ZjLmNsdXN0ZXIubG9jYWyHBAoXFQ2HBAoXFg2HBH8AAAEwDQYJKoZIhvcN + AQELBQADggEBALelcTIzhALyGkqZfMXvRHGs6VA30ty1mZpWgJdaRTizsCwEkLvi + VWxmslOYIYjhRCCglRdq4GWyLRE73TSFOjU5RJT0Fo+H/3dq7iUxKz2BPRBWx79i + RbMwBmOrr6NaDhuQyZwxp32rS7ulSq7rN2oQ7T5bFbtgjDzQkBwsmMDvCUtj8Tuv + 9tWhh0omK17NjA/A1A15eiSekFMN9fhgeRggXxbqdQsKRquix6IPPwh7tL8CogPt + 38OUg1pBlN1ycMbpw0LG/1CQ/KXPrIp6uLx4fXjy7TezoLHkbyual6kO0qx0qhsv + 2h9bM447B6HjgyXu729dIXCQa8EBnLskY7g= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-13-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIID1jCCAr6gAwIBAgIUYkLBgUJFFJ4v1InvJnB68RNfZNAwDQYJKoZIhvcNAQEL + BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l + dGNkLXBlZXIwHhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAtMSswKQYD + VQQDEyJrdWJlcm5ldGVzLWV0Y2QtY2FiMjMtcjcyMC0xNC1wZWVyMIIBIjANBgkq + 
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylYLmx/W2AdS0lFbcyEsZEIBP3eGwMDx + kasVNplLJPFxpCI2Rt4YoWSxbyXWtPM9zBDx6odEDVDOkDHcTPfgu7ZxbSN6fqIM + AX4+1F4QLFxLdSK6QRjsA7an/N0Or7fyuioW0nERH2k4kLXDuk4hZo6zgaeG6Wr+ + AqX0H66Y0ZqiBRwtLZuFWwp7JbimyawyGzSaPITv8UxPGhWXmsi4w2baFloTeINJ + R2V/XzZKB80ucbA7NvGmReU5afSAUZbhLMXwwcimFisK/DRU83GyW7fh1JGSubXJ + tr/S/b2vfuPx1e0PSc4A5tIzmQ/w4kxPUxiNdqdWslXu80rhQFDNWwIDAQABo4Hm + MIHjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH + AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUB/BXlV5a6HR+5UF/YYEBunldM0Uw + HwYDVR0jBBgwFoAUHOcG4lNJ8aqGTV3crp5ItzgnMscwZAYDVR0RBF0wW4INY2Fi + MjMtcjcyMC0xNIIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0 + ZW0uc3ZjLmNsdXN0ZXIubG9jYWyHBAoXFQ6HBAoXFg6HBH8AAAEwDQYJKoZIhvcN + AQELBQADggEBABYu9QZa/eFgZ0E1O/EQ8z8G2i2BJ+g3zHf20K0dQ7u+372LlBkS + uugUWCtqoTvTw28Eq+5rYxJZUn+M8WJHy4oBiIO+f6dcdpv3InEIWgUQP0jN7O6s + muO+6uNasRktKjteOKsdjDrfWpHBjkKf2IGBbF77qCQDOumktdReIogpngHTUqtM + 1rHLjVFdLFhMb9ihBTi2D82eTNmMQVUpyvVX+z0rYg51GP94LQLL5oZkU2s5YyD8 + 6Z74wlpHA9Qr1Q0a2b6tOvLnVfWGFerb+AoxXuH3OFXbSv6kzwGPSQmOnR0FNa9I + P+I9RqzaJjDmFIOpptqpcjBunb9UVrSCfP4= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-14-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDSTCCAjGgAwIBAgIUQzyI6TaOHRZmKp6b2jtNogsbj+UwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjARMQ8wDQYDVQQDEwZhbmNo + b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRoUsnZQ1lU2NkLdgY + KsUFVbAy/WoAddQhMdM9+rwCEyA1XrHSy/r9lJaaLDPnOUUZ/+bxkGkcGsADx1sT + LSgvaNhIcAqWyE/w8nAW2ufRvbgAXXlMR0OQq8DID7r3jUZbzXWfs17VErY7KWtI + SR8KFvLEAr5H+ckifF7A9kY1gQ72u42fPHts1otRQtCD9l376tmuT1ASd2vi/IeG + ob76TTlWwgsKePAp3+sCHlR/e5DrGunZMwT1Z2gOKaRDDDw/1CLxLG4Yd9NgzqIx + lWBmjuM3qb6u/Do/ZEH3IRhZiC0TqahPUcvaN/IYTrKdbojqHllwTD2zRkyaSbxU + 
/lHVAgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD + AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2liDEVGrnxC1OdrN + PayVcGlqX+0wHwYDVR0jBBgwFoAUykl4Pgt8x78gk3sNHueLbNosKSAwDQYJKoZI + hvcNAQELBQADggEBAKhZT+ttttSGLNlkJG7D6iiE0psAHZ85aHvwHB94GUVJKRDO + Quoz5CmCNNPZ1Nebar4AoBK9t3fbuLihBNy5S1oBBa9cjPPCCAFb/JzlnGiIXpoG + dpqiMMP2lPzFovUltHpL0iMLQOLNJ7QN8mWynekmkIZEDjliCb7TTkokImt5cZBB + 7upKKJ29YdMq3b4t1Y9vNuqr8AYZh5BO2cGpq3+H4gk4fSURKeogOIotcrrfHuSg + R5at9pco/whOz43+APsw0d7XEZpTDo5uzKszgHh9mcJ/5mFDv7jFSandOI6JaGE9 + 5h5IloxnXipinDOTcO5zz8oKog6+C/aoLZORG4I= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-anchor + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmzCCAoOgAwIBAgIUFmX4mWLxNQdnHGbRF3MsWkDNlmYwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAkMSIwIAYDVQQDExljYWxp + Y28tZXRjZC1jYWIyMy1yNzIwLTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAzIBBHokambstYR9N7j8qHGDYmAKsOdEDiwbOJhbp60bTSkwB9GCRuhz/ + wcQ+rcjn5XONPzF6EFzYiEmBgDHfv3EIlj6h1Loupsc9//nYXbuD+EtIN5c/JAhH + ca3LENOOWcHNylwqcoy7Wif984l+yuxaclQzhwS0A3nr2lzqwiZrugYLq0fWIK1W + cX8O/b3DdB+ukKa+YKmdhaKo4U70vzEtT4nG818l2/v3DeSJEXcbEavzwZXNoRtP + mAzDEx3KSMp15Jdn9XbcEGDXnuog3pYdbUSXAqNLz+yPVzCyyaV2oPuYz+UPw7+q + hrZaG1sW74UuAfM7311woVoeJ/fYSwIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIF + oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd + BgNVHQ4EFgQUzU7aca2yaBkClvhgRZGXhJEIz3cwHwYDVR0jBBgwFoAUykl4Pgt8 + x78gk3sNHueLbNosKSAwOwYDVR0RBDQwMoINY2FiMjMtcjcyMC0xMYIJbG9jYWxo + b3N0hwQKFxULhwQKFxYLhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQAq + y4mekQIugbJXQK8KAHnbBHeDZKsfG4C6oHL615ChcG8IDAxyN2mA1NDC889vg1Co + vAEgqTvnoVMeqMBUrgu9scyWYFFZVBLnMDn9k+KVxs33bBvnJW/xTIuia0lZ/Gm7 + 92nEhmSXI8CUN7tZqnyr6g6BVMfCWEPo1iaYfwRKDiqytbqwuxLAQbQPMiF2mE71 + 
YeOeXfcmroRg3IzvLcXI7Ryr8kGDCLmg+J/mKJV+/Qnf0Q+QWXbBgwVCwifiq8iE + nlezmB18x7Xo/SVEgA44jb0KQg0Z9LW7op5tO+tLFm42I3HKlB62LCyWaCLDb3ha + +xiuguAvw8XyjR+EeWkb + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmzCCAoOgAwIBAgIUch4CPrpMu+0o4kkxEPvPnwpBfDIwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAkMSIwIAYDVQQDExljYWxp + Y28tZXRjZC1jYWIyMy1yNzIwLTEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAwHrcniIZIlEW/bb00mpTU1AnlpR+i+DkIEEFEpuxUsotI9Oo0iZ9Jqxk + wXWYnYVKtZySwOSRmU0QLDmPQnG382iAOR23ge4/5Ef/ysmnewcxJMA2+BXCgYTA + KLqX/xjh3ALFkcmXElluScU54SSeiD7SxGvormacblluNYOnkah2b2i5yu+sre12 + HqBraEVeBORt9ALnBgwTiRdDib5F5dx3mIj15XZI+hZf9N8O+kVYMePIm8spo6HL + 8XxIQVLARL8j7UknEB/pFd+GXcTFdiws42+buTDTPhghrCfqCxOXkyv72pfiDjse + RN46rKv6AkaPcQ/W0DSOJow35Js5rwIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIF + oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd + BgNVHQ4EFgQUMr2SORdXd0bENbsl+ef0Z+gfW3cwHwYDVR0jBBgwFoAUykl4Pgt8 + x78gk3sNHueLbNosKSAwOwYDVR0RBDQwMoINY2FiMjMtcjcyMC0xMoIJbG9jYWxo + b3N0hwQKFxUMhwQKFxYMhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQCv + FOscbuVT7RYO7BdyoZIrcXUi5Y+l3CoLI4kUJ2escK+YGy4E7WwN+WUPp5aN6bGy + CfEqb0By7ajd6qPw0tyuAxRWoXY81S6Qs408uGmdtEXPeWVLOBt1tmQ6w7pRS7vA + VjjoxldiNqvbGiVQV5FWRaDHwjjrcEa57+gSWMHFsJll7UJxbuLkyeaY2T7RF58l + BNoSIfSpo964BglNwnFVxjyvF/EVFydwIAS0yZmSxlluiNPxc2oyhjAO+GKlfK8U + 1JAPTaZULh3S9niHbGRz69W4xQOaSdfOtVhHa8MwJQ8B1jT1ecpeBKBUj9+aYtZs + MFnwPVB09w7MwPAecqxf + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + 
MIIDmzCCAoOgAwIBAgIUXSCCUn0SD+9JxpYJmy4cvEORj/wwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAkMSIwIAYDVQQDExljYWxp + Y28tZXRjZC1jYWIyMy1yNzIwLTEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEA1aGtMyzbcs9e+HtoSZTCdJvuLjAKapSoqOuQVXRtFLdXxpRbPtNuaT0T + 0ZtXnommz8JtQga9m/c99ERSxzpI6eKUoIRIC8AeQb4+eo5NhzQbBDHX4uz1fD4u + DOYByCAijmMvCtGatunkU/9sDWzB9aoeUZc6/EhvBU0qLKbd6Ln/aCw+ma3ryxwO + nIQ3Tgo7U3B+KSGlw/OKeLSexd14Yv4A/+wiSNWfJ69Hr1hkj99yFT83bz8yJuEt + 9JpOBTtq+u8k8hVVsXF/K8w1lzxSwxAQZLglVjfsbXhZRW/kh3pzPzUCr5VgL2Vq + waJISg5z5KGK8B05BOZuYe814Ph8EQIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIF + oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd + BgNVHQ4EFgQUGhTWdUmnsOontvB9iUxX1InlGiYwHwYDVR0jBBgwFoAUykl4Pgt8 + x78gk3sNHueLbNosKSAwOwYDVR0RBDQwMoINY2FiMjMtcjcyMC0xM4IJbG9jYWxo + b3N0hwQKFxUNhwQKFxYNhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQCw + 8StzpSnfg3XCo2rILc7U2hW1bEj2rUpoYtpkxlhzuI56NiN4PlvZoRNuVvX4hMZR + OtB9ar3f1CILMVhnM8XMLJ6SwGwhKEKNngsW6Kd6h4l87QjnqSkTGtQBbtS72h+b + UFC4navyDarLm0AIapEKXD/6MM4vjGKu8cea0vSSlZuKiLlhykwpz2frDIBc6VZk + Rwq9QJTxCr2GCd0C2PvKrmL2X9I8I0HPSLg6mUzficIyosA9EiiWFyjXlCJHm9AO + 2Br7qUXyLBKNe9itI8F3RQnUbBPEdsIRl4/zubHL6MB89R9xhqGHR1gnVCY/EGfx + kue6FcdU34rYiZMUgnZv + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDmzCCAoOgAwIBAgIUXgEkC3LmIL0HZknzp6ovCfARWPswDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAkMSIwIAYDVQQDExljYWxp + Y28tZXRjZC1jYWIyMy1yNzIwLTE0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEA5rojKThztgVxlJOnvq/xSQF/hQEY5ek9Lc4rS1ZFUOqH0ttHA1iQuwfA + nB4P21BmOuUgN+1fBg9UbGFIvOd7KrjqKVIwS49klO/7c6gV4cUn5IblSmMVrOkN + 
HUuMzIxBrEuuHUQ8AlYJXyFIMAhMfzwhPFy1CrYNKDJKxxnuIYggZ/IQo64l4DzU + wDOL/kPEAM1tw+PXUyYnwi68tJJql/ISiAIGJOlhFRjYbFjvixO1xTknS4OUUw3I + mBTv4cMuAyyC5pjg9bdlIbAiEYa+3ocU6JVLOXEhfP6XuAXM+c2RuJhVKFSVQzSa + 4FNRvgHjogARAqkv7dYkjO+MCaAfqQIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIF + oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd + BgNVHQ4EFgQU61uEFEp9y6UfpD8np5Phwa+SbAwwHwYDVR0jBBgwFoAUykl4Pgt8 + x78gk3sNHueLbNosKSAwOwYDVR0RBDQwMoINY2FiMjMtcjcyMC0xNIIJbG9jYWxo + b3N0hwQKFxUOhwQKFxYOhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQC8 + IrM+xUKiQMGVdbByrjenpOLvzbasxm6y6jVXa1i5AxhemQsFzQJFsYcYG8htNvmp + yDZ5VzPtjD598xKhIbR/5EZ0GYGZmnHVVd8VwiYKyEMv4CRTCqobV0ZjCBM7S8zu + /N9pgRpCrEjmcgLhTYuYdqIg0csl+nfvW7w01B7dOrrncl2KVpEdGmwbXRAFftgv + zVWnNZYj7hzMegb2hhrVXfxkrB4unWgbcEUvmCDHPsrx2z5wAZ4+oZN3rMSWUn8f + qhsVVnOPFyAwNEPagD3r3vccvGXrt0pFr/5y56BnH3D4GrZBfODCKlB0QBi0CydJ + 5NaaA4GR6XAfwMbRyScq + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-14 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDTzCCAjegAwIBAgIULCol7tpyIQHemGE6IJGi7I08n6IwDQYJKoZIhvcNAQEL + BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw + HhcNMTgwODAzMjA0NzAwWhcNMTkwODAzMjA0NzAwWjAXMRUwEwYDVQQDEwxjYWxj + aWNvLW5vZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS8dK7yE/u + RV95FoAw1CBqWVKSVhWtHbdIqhlxY1Xa1OOuRW/gRPyNVHo1eARA0E77ehAq94MC + /FoOYo/2I0fIdm0uJIhAuTvBzjIdqpkrSSXNfgGQ/q+yEPNVteFky2BIss69kt+P + 0idQeawN1WfhgEBmHQHBvZGUhOfPZbGWKzHpib0LD9m0pyCEZ18uDvQ8zVRXDPYx + Dv874W4H+OUyecDGrrd5LrXs5V+ZcYQTUNVyiiUkJ5mGZ3Kn4j94l2y5sEBQBUiy + 3GX+wXua8i27A4JAsy6SfPAR/MkFstSOVFr0zklFktTFZVPy9EligQHQoBpi69Am + 8/pU8hQyiC/BAgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr + BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5FM+gxJ/ + XVtZVrIvPLdBC/9cOuswHwYDVR0jBBgwFoAUykl4Pgt8x78gk3sNHueLbNosKSAw + 
DQYJKoZIhvcNAQELBQADggEBALfxuDyfozCGGjjhXSDL1ylCudn1oBM9axE5DLE9 + c0izxpmcogZBF3EtHsgQbzDsWnNNhWkw8Jtj2g2zpB9EHSLBjAV0st4ec6FLI/f7 + QbjNZUFByFJqZDSKgedS7I5q+/r5Lj9owk1NoDzgONP1iUrNvXRi7/xB+ET8VCq1 + 3uLbb9wDOqWxl8So7pC5UKdeHrsatBruINBpL81JL9Dx7Ojjy3c7nracSJtTV3F1 + z3H7w89wdWMNSMVb8b4eIlqCdDPKDZvjeGyW4CDSh1i7budw1Iw8AFKFEgdyaNDk + yoQbYEwxRDigj2fcsOPBzWBeP8e9O5SZswYEksuE+0K7iXU= + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-node + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDpTCCAo2gAwIBAgIUDmFGA8jp8zm17q6tInhpP1fSEfkwDQYJKoZIhvcNAQEL + BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxJzAlBgNVBAMT + HmNhbGljby1ldGNkLWNhYjIzLXI3MjAtMTEtcGVlcjCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBALPjJAsuE6mlfLE9KPKgCgXU0AjZ18minIP/F1kq0CxW + aaSiElEewjHq8UvAw5W24d0Iup+WFfB8CTBCulUZCPVgggR1PLK2d+q0JoWJDEms + W/0GjxMKjFBC93eOaCpQFwRuiNkAzApHVHfeeWh369zLOflqYRPIIDSKm84jfVt6 + TMB4bYRwJO00M/eYyLZIZF6ClliXD3+kU9w7BL5hVkE+a5Zhe9R9THEg2sysfYM7 + 7O/HAfqXQBzkpp8HS8E/2Hn9Rc9CdVgWYpAaux6mbz1GUpOb6KiHmDlPwixryB0s + /UU+yo4BsajW6wkR7BfEkqMlw6uXbgaDDSpSon+Mkv8CAwEAAaOBvTCBujAOBgNV + HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud + EwEB/wQCMAAwHQYDVR0OBBYEFHcvggipSS8vOyPlWHtggLit1EneMB8GA1UdIwQY + MBaAFJjJHYWxSyt36NhIbCoytTAY6Z2tMDsGA1UdEQQ0MDKCDWNhYjIzLXI3MjAt + MTGCCWxvY2FsaG9zdIcEChcVC4cEChcWC4cEfwAAAYcECmDoiDANBgkqhkiG9w0B + AQsFAAOCAQEAlotkgbSEO983qlTdPqPt30Brk9McN4VJIs0ZS2YxL9Bwf7ZHABsb + QUTZx7VocZhzkpalmhNagY3mR1wR92nFwFNxJE13DzyE6z0+KE4M7zZiZTqJNX4z + n+9jTdk0OSEtzTLEFiyXtVGbvckuHCG67TWxRigJOZ/qJCGxip8/2c00XyXRHZb9 + KQtJWvXqBvMp8sAB83s1eTymNjFPq3KZ2tZARRFahFvLvDKWPnb+yt9xsYSy9HK6 + KqSuVwkGhU+WwjGAwAtfNLaYsbdXUKt159jz2/ryjN7RZ7ufih4vVNuDls+u+pOA + crhYgjQpA9XevBYWt8jLxI/lWXFtKKQW3Q== + -----END CERTIFICATE----- +metadata: + 
layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-11-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDpTCCAo2gAwIBAgIUCgTRCrsdepbTgOtbjKB5NBeXx8EwDQYJKoZIhvcNAQEL + BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxJzAlBgNVBAMT + HmNhbGljby1ldGNkLWNhYjIzLXI3MjAtMTItcGVlcjCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBAK7bFvKd8VchfPuef1g4iRJnLoFxr4LNNT7MajLBSsoK + xjsvlMLxAEOuBjmhD2ozk+apixqZPLWY4S1CreB04TUb8xo3DZs+8SyrzPinaOwl + ZmhkRLmDkh5DCnNDfGzOSiMZBml60AlQ7bzErAJ43YAczPB+WyxcDRXqUwbGFzzH + MV0uOG/4Zp2JxmHKPJL5fM5K3vfklNUV9G8utg3rLlNKXP/ch4VXEui11YvwwFFO + EvF2o9UIkmhXrCQW9xTqgp3EHVupMOtfOELAuNWQ/DAs71IceuvjYM1VOgmTHLKR + EOajCegvuepK8CyiFUr1qbkoDG8xD7xJFsDbDPvvbKECAwEAAaOBvTCBujAOBgNV + HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud + EwEB/wQCMAAwHQYDVR0OBBYEFKCfVhvXaYu5rarlbR4gmYSK4OPPMB8GA1UdIwQY + MBaAFJjJHYWxSyt36NhIbCoytTAY6Z2tMDsGA1UdEQQ0MDKCDWNhYjIzLXI3MjAt + MTKCCWxvY2FsaG9zdIcEChcVDIcEChcWDIcEfwAAAYcECmDoiDANBgkqhkiG9w0B + AQsFAAOCAQEAmOLkSpHdQKGbuQITOCDzo/wksMS+hZdtTEbaBCuWgHA+JWza1IyK + 5WrYlILeDOUEZiVJh+F450jmLjUzxeuzjkhUfAqr2mYVe02ZAzadZcQVW8oysgBx + SpK3CxETcam1hr9YBSQ6bs01IOATeb25HkXenx7Ug9bj7ldtXUCqYPKEmbcEVx9m + bJKNl2JkyT5qnu1dlW2MNsUfxIL1WFLoVLPb9jhP5ZjzrQH2KrH+kOnXSa26NGZA + OkJJIre0M2hTL+UEo/v8WQE61+LEMRPvCb+wEDeTO+oH9x5SEXq2wnYgDLGc/LwF + 14bOO4r788DqCgPyEnc+SMo8pcttHU5LNw== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-12-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDpTCCAo2gAwIBAgIUatDwAsVNyxNkORhq9lO5BZCASWgwDQYJKoZIhvcNAQEL + BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + 
cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxJzAlBgNVBAMT + HmNhbGljby1ldGNkLWNhYjIzLXI3MjAtMTMtcGVlcjCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBAMbFcz+JAoPbXkJQSsfsMJ58MsCyWRhpevl77ZhH4uUR + xJh5306+yeMZnX2zicSrkXr31wQtRA5x2PJurwc/zg4hCP3N+n6LKVyRDEwfEybe + 5b7KSzfl+m7O/NhQI0OhjtbF//6c0t+iaqPIBrGKi4mgcUmSoFWYayAVrjQGn2XN + c9gjhf0UUNgnUn/6V9RZRjJbum/BrC2Vbcv3IB3FTtZIGhwQuIareakcUxNvzqUP + jJlZ8fWtb6h9GNVmtJZNxYnWhG2ZjEVjtOk+DM2HX/T9eqjhuakKbhxou5xpj16t + l19w/y/yXmLobzCuxsA5cBURuLTfYh8Ta6Zf7ohODh8CAwEAAaOBvTCBujAOBgNV + HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud + EwEB/wQCMAAwHQYDVR0OBBYEFHNSUZwWEqGcvWSudxE23NGYINlOMB8GA1UdIwQY + MBaAFJjJHYWxSyt36NhIbCoytTAY6Z2tMDsGA1UdEQQ0MDKCDWNhYjIzLXI3MjAt + MTOCCWxvY2FsaG9zdIcEChcVDYcEChcWDYcEfwAAAYcECmDoiDANBgkqhkiG9w0B + AQsFAAOCAQEAR4G39OBCW6VR6vK5JDPuSm854TzABEeDlyu0t3yzJmI1ztpWpP9m + 0PciTt+7nMxLJR4b0uaecy4m0FCRujQ5tJEAIG+kk+IviG9BHpNek3iB/pFUjxj9 + v9ulupgZ6UQ+ZYezmZuJaZT244ekqJNYw0Z3IHWJp9uQpeZvWnPbgesREJZolfqJ + UJKJuS9Vi9CEWPCyav80c6XAGkyMKWTYgzwKTaq0ldOR21YzL2cKbJUxamFgvF8p + 4JBhD3VbhgIqObMyIHo43/iqOvToqgz3cDbl9ISacM56+mg+lpBVLAPGi4SXcsL8 + 4Hh7Nq623ikJm6Iusj2HMQBjdb43/MMAhg== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-13-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDpTCCAo2gAwIBAgIUQlcVHi9cpBA00djtL6NpYgkQIhwwDQYJKoZIhvcNAQEL + BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMCkxJzAlBgNVBAMT + HmNhbGljby1ldGNkLWNhYjIzLXI3MjAtMTQtcGVlcjCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANJUb8mnamPUKeuL6cSL++ZK8Ie6fiZHPUPeMRhkJBBd + W15ZG5wK+MXE0jafvkBq9G0+VoVQ5SNpwoVOWVRkvEkfjKmUuNN6HEFxd9Oe2Eh3 + l+2j2fpc39cuIcE8VMbz7qvUZ/0KUQ1OUzdAx0tVe1PbnsqBytnYykI5NnU0g1bV + TdEuhEbnzSmw3uNpiJouFScajbpIOVJOIvLy/ouhHUwz6xLFy9iJPm/vTMuUtxYD + 
i+MiVKwss19IxQ+KTmIqOw3LVyriakJGN4bW/nEUp5Dlohy/vZIbqm5P0eEl2qKE + erniTg/Sk+ZB8s+DSYmzPPjPbDpS6VgUBH7Jeh2PT60CAwEAAaOBvTCBujAOBgNV + HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud + EwEB/wQCMAAwHQYDVR0OBBYEFCY0OgWqcX14yckLbM8emSQXic5LMB8GA1UdIwQY + MBaAFJjJHYWxSyt36NhIbCoytTAY6Z2tMDsGA1UdEQQ0MDKCDWNhYjIzLXI3MjAt + MTSCCWxvY2FsaG9zdIcEChcVDocEChcWDocEfwAAAYcECmDoiDANBgkqhkiG9w0B + AQsFAAOCAQEAeWUTRJaZcERcFxdxuI/GeEvVugpwKjFQk9FKy1TSenfAQnXJW7NH + ovvWBKG96ERkO3a1KpiiaQ0sBZDGgQz/iBu5GBIRDLJj8kGFJWhYeKYmacwE+Sdl + v2cohEUsEgGyI0ft3RGcfTa/Vdio9wZpQCSOAnQXX55pkiAV3G7s9G9zDrE9CdLn + +6aUCxoZqQqus/lAwAVnhX8bagwcdjNIPFeDkslwi37PCbVfvkUf8dIswVBcBM6B + tvs8DZAafKxcYspaP6NcjUNpmDauKfhZOlBbK5q5VwNxZr9bijqk3H+PapQMqS/d + iSIhlZu77hhGq1NMYWYvObj/Nr8a6T+kbg== + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-14-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN CERTIFICATE----- + MIIDWTCCAkGgAwIBAgIUQlAtD8QnY5x/KSeiThXBX76ykPcwDQYJKoZIhvcNAQEL + BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt + cGVlcjAeFw0xODA4MDMyMDQ3MDBaFw0xOTA4MDMyMDQ3MDBaMBwxGjAYBgNVBAMT + EWNhbGNpY28tbm9kZS1wZWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC + AQEA0/WXnJuv2Mdfln/n5hBF7/TQY8UQzLNIUGiflH1k4ORalTxki4mrpSGiIOf3 + Ynxly6s0pRqWwy9kytBte3102A0F7SPI8jJf4Ioa2KgmbUQ70ZeFALnudNg2yZnW + lGIO9bB3s7GlcqYSkVZ6IWBuFyOJ3JnJ5U4NxudKMDFLJUz653BDnxlmeuE1ksCW + cUyr6X880zUwRRiKhEo5cO0++qW1ySo+7+ic16F8IwJ+1JLqdUansQow96NcKzR8 + qrJti/5eIJHobCdRRuTWLmTN2v+gA4dKr/+CBunHRCglpECen6rvTEYKhiCKAGbA + wzo8N1zSIH45+CwZEjZhG4C26wIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O + BBYEFBqzRgCk2dGk8NMHUNP7jT/ztzjuMB8GA1UdIwQYMBaAFJjJHYWxSyt36NhI + bCoytTAY6Z2tMA0GCSqGSIb3DQEBCwUAA4IBAQAnQUJVxiMWxabNVe31ywiff0Sr + lQZCb3GcR3TDqb29SzyDBEMCCCZoM+FvbrzPH7Aeqee4Tg+6efPwoQlfSSc7/WAX + 
hhQ9JGxGenOs8PtNBTZMaha0oN0sDI468+2e7T8uNJjtEdFQFwmZG9fg9wxduKIf + D2E+W7sU8ihnAnG/Lt5vT45RLFBOouAW5v6osmG1ifzWGANRfJl9VWShW0ELPmRL + Ag7/Tig1TTACcciDfyaLzhPH895BMi085dWiP/wZOEPOpEnz062tXNcZuw9tmSfm + u2YL+0jzlfVW6ITiEUaoWomIu1+D/X2fwuGPZ/0Kdf58J9Dr7rzXbiUSGSJB + -----END CERTIFICATE----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-node-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAs/RyAF8A7q+o8YENfSjuovHFDhEChj1qzY8f41h9K8kS4Toy + cAcmDUVZ5xKeGGA7xMCTz69n2jIDpUjw9YdnXLZXzLaRIUVWTkrNNTTZAs824pKJ + /VN5v5jB/QkbDAxVpnvScMxjj8d5nVzqBZnYEFliSKl1OS0vpvMvdBXemJDZaNXn + VCTn+lWFM7i+0VJPYokOX3tMn7mOqurTTomDxugP2CEqGvD32lTgbZsW0wXOvGWs + pAu5SYKD8ttvmAd63dV1wgl7tSMQb6uKrFIyCvsas316cFxIIpC5C/Yv0w9BNR4p + MIajBaBZjfEHExwYEjItYp7LdYbJWQ0JvHOlswIDAQABAoIBAAsIZ5ziNjpsBp2X + 3e3Yfpj63av5GwCD73Je3gOgPzxZ/ZBVcxYvOgQCRnrGR28TJ1buv6EyDdnwywxt + JmjHPm0OuN9SKh+yEpKGP4KNlOh5L9JATbl8TrCSewI6drAMaYvld4d24HvGLQya + z7Y8MmT+NepiiU9SF+PScQxa8uTDkk87aWHjH0hhALoZU7qL7ElFnbUZ7e961Bah + BPHRoNeH8Xzdb1QeazULyKJKcZNfME9O+IiEqC/e4Aff9yI+lbahEV9S3a1c1bNX + XrkqXRALY0tbk4a/weIEF0mNnmcjNNP+zfjiCGZxLDX165J7o/0Gj+liw+XfX8aM + W3+5nwECgYEA5e01rsBlq9+T6R04pclStVXR8HDtMBnx050DEiI0qNul2bG/60Hw + qyL3UGz7LoNjZxNDDQytsLwoQXHfMONLVh2lfMJXKVC+dyhgHxsoUEuwuU4Lshwb + WgonSf8jN6YbgOPw/5LacBrTjuWLNVkhPlUM0BYTiwNXMLYWdGpmjnMCgYEAyFyN + Mf7hcCBYSO+BIM/z8+/LspfM/nzPyTu1UiGXVGj6iGp+ipFGrp0uDYNLr99zRwH/ + VhlEP5EbknrefYOQ8tl+2X/fXfkx0LKlolOMHPl+7B3GdwKea8Cd2bqTg4g26ECi + ZadbVCUwRSuC5vslIEptTP3g7ZQAFqqZr7FLe8ECgYEA3vHqur7uFwEcz844znBv + FUvY3HbzVk/h79nwT1YBj7Yjk/nJ6Vkv/xFRk5eI22olKZ5AxteDV7qqogLDcwkC + VMc8XsOmdnZHqQzqX18a8PjjrFqj9plQYDc2L4cIY/5Z7tmXJooD6u3oM0gaeqkp + FeKsIN03J/UeRypYjZtaREcCgYEAq8X9HxG/QJvaVJ1Q/UqLgWTiI/jUvJFQqttP + tlwqGyntMCrs1et6x5TluJwJtXxCnmvt9mivBDhphQll2gGDsVAZ2mowm6ZauOuP + 6TzrcKPN1qwoTDuoigSWz+WPNkL/n9pZ4AC84cUIPyTwkwpZZ/enAUzfG4+5C7Wz + 
ENdVOYECgYBOgmffYNBj+oL051MNTUIQVNzLzEgZiLs+x0tQSfqVPF1ENonTlB7w + mDk3QVhqrrWSxd619K42Bkp/cJs59ogQIa9F+Wfuf+bdQtu9sbXs3SX4/twNv69w + O1XOjc91QEfr3+l/oSOfi+soTeJ3Ypsu94+FzTyNsGZkufDvOSTYxA== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: apiserver + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAskPJYNO4miDMQy5Irr5PANJzHqGBQspQv/VKJJTKTA4R+qOL + NxYW7E0RCYmA0MSTlJAIyeR0LJKFoHpUrFBM96Ryr14AKTSg1sfDDm5V8dRPy11a + SsAishzREeM6grpORdQ9WJPzB7ciIFyJWQbuxOCc5KTyTZ7Sp6H9cj3bWYbCAK3r + TuQRvOGNt2RoSGRyo54vLarFfFjWzfiAnVJ7GCqkbqSvgQvUsMJGNI08ewbjJ3VJ + NEHp5Xf5viiQpHcPgTiRThBfWLrbDxbJHowtX8Nwl1HUKsJPzjs84EFq54i0nHzB + XejNYqp+vVxnoC+vg0kXrdiuXOMQHRG+PEeorwIDAQABAoIBAQCCxQ9ZJHdrOVwe + fDl9VsYFyFwCwF9ea6PI7VuyciPknv25a3eYtW+jcPVqlaAVhd7tQKvxztEaUXIN + QzASJ+YOVGh9FOvxTlYeuPPyBiat/B19BcJSy5eoKVOFV7d4Zss8lnFaJU5G/qTe + MIPg9yD48/ykDgxhvHyz1DVkNNRQWzuctkD+caD025+KU2XTuJmkXH9Gj0cUXM0S + iGhkzE2Z92G0zrHTd8qeGKfqyx1Nu43wqCov/KLNoVSBMe7qgmHIzl9hk4Pe477G + dCb4O1xC+OFmVcRVS316T+g3lsecMWdQxGlMm2qkBmEHyqwuRRtM0LGNELObxCQ+ + A+1a1bBhAoGBAO0cAzsQ781Eape7//ON0c3rgB4fRrkJaqxw3yL3vxBDlG11TCcD + VQ6yKj18C+/f1E3bmOJEu2tsyZbHUqoy9qK1aum7ntHBgb5CqfZklx3IUotea9bU + XEm3TDBXTBaycNpwnkcMJDFG7N7nTTUaYnmQUSeWAtuxu+kcQLM8QUmFAoGBAMB3 + mlI+PQe1+ZFlFjNNFHURHfu9hh6Iw1h7GjPD7JCPrWP1MLXOHIKy8QjPEQdK9RfM + Q9xGPgoJImpc7tHzZqwU4adm5ElQCraMd9PU+VxdPo/8Q0n6fd1Vdkm7QIVUa2RU + kvWuauDouQSdRrRL0TTqnnz7DCeWbgQfzn2I4UWjAoGALxZsEdPYO6SFoqKEPwMA + EmvdYp4FdoPHOn2j4pbey8UP+fjcabcAsk1xlApJeJaz285reyv5KGlPU3E8Gm7K + ih+LHuXSsYdDU9x7UmJBnHmG4wSaV+yOc1lCeSstAijnvom09RkVKvAR5GZ877nQ + qqGdbEYfRS/zyGSC+NVThd0CgYA72fWndatM5o4BZMoOkf22megVDM7UV/tHXKC9 + UEQUgFmPKARJxRqgmjzSXHITLoAhMmg367AHNuf444VwzJw1DxlNEXYURkvOkMgC + m8wfqO93nx7dtoPFfHoYW56o16O9w38f32llH3nJsY73KkyYhA1dGESjWuhDaBCy + gQpsuQKBgQDdPnHUlWr7QooEymxO4rccsAwNQbj1l29pxrgb0cYDHS0My8ebCLyy + 
D0ntoCbzfc/JsrYb9Y3ShI9byj8qiFhEf/ckipQTDzhcyJ2NA3FIOGKf0KkSMcvH + 02o/77ib3nZL+k270kGc4Kx+j+r0h1hltDAnIZvBPWvtmdD9Rr7WrQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-genesis + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAneR2JlINmXst8m5DpDSYWe/I+Kk6WOozGKVrG50izlewQ5Pe + 91MBgYi3oflHDwNDdsQdN34HySxOrkM9ldMlAECRTF8iaFlRQMfVe9Wk2I4b6fYJ + bPYNVSPWk8S4cEgFW0YWeNOr5Sn9hzK7Ynl7edYaES9A2HRRo39ykBSVVXnhRoXT + 9faJq+yBA9p1ohr7822XDmaBW/GMIFfeB48JD1y3X4/sxElEueTai8jFs2fA89Qt + l6PuYVYdNkgDZXjtiPegyDotL0Qlxa6+a+FKmEE3jptscVeWxPCRFSNMK6VpXOq6 + Yn4EAMum9HuuxuTsXUDSQpDl4bglVcXj2rCJMwIDAQABAoIBAB3KNhSC1LgJiqC7 + 9x0rIzeMy0FHRI/0GBHlW/EI08FUwBfv9Vh6m8Uh02vHCYYmmnr1A4It0DA/oNS2 + MQ9smAWVKRTcujQv7emoCnpj08dcAJ5C4oJhZiCTM3AL5LSikggnkCPZ5AvHwWLZ + yosI2qghIift33E3eRO8/xN6HrbSjTPqKPL7FL6cdGguCHWltReGGFC0ZrJGn/7+ + vWJMdCBfToTTTSP5xJz1s6r+YskWE9oCa/NiW/QUbGhEtKbdPJPPNt1dnuglXJGK + mHMC/8MFvAAip8cvYuEOvusiOHpHGp6UPlB7jRblbOfTdOhNbeVFOg7SOxucS5TF + 84x63zkCgYEAy+Y1hxKRJkFKG7+uPXqwcMettxciiCbDVMTqeHA3BZcv0Ecyi5rZ + zvNCOzM5tBvk/LAf+Whf79eSdgBT6y+v+irBD5bzbHpsiQrW1DuHO5DOk6SGfY0Z + /6mnBIigCSNjWP/HM/igCZBfdsmEJ291C7v6ggH9jb8uwEjE2WHDBOUCgYEAxjzH + XpuNzrV+k/XiIO5f0xclQ4NPfz/grPYhTaLmV4zkBz7Awey7/TQr5R+U2X762Uwq + gUnyNUT1Wjhvgqf9AtUo3j1A8zpf+NeY6fgh2mZs949DH+vF9qpLeZY9lOJL2922 + AVYjrOplxi5QOnlc/d6jOXTjOGD9uWqiqtAUzDcCgYAYQUZUzwydNF8QdfjQL2wV + vmsXwJTHBXVu/A24TgD9lUKG0DFfEgie6akTScCvgDH5LSpgjN38tfQiPV++NmoE + pFla9WX3nYiTtMphbMNlfpBUV9n3zXUuSIwpqeb/r0n+KE8WC5leCeKRSt+BoWyW + /MGL/Zif6AIztXRVN5/vUQKBgQCXKkvBmg7V3NKME4j/IacSueihheU+HMDAQ+P7 + ZsgNZRORbsngVxy3JWx/iMih3dF9mDYlZvT6p/4McVKfKGioG1HRvpXjo9UBVa52 + Y8+00jwvvyApnEnWId/x9J47BSFhpLygYkZMGmXHbROis180++wt6TNHj7aLCITI + imoBmwKBgQCB17hhbicL2WU3Euf7y26kmFoES1ft7JT2HHyFQkuE4IjuFnXq98z7 + Jr/Tg0qKoozfajFz6WOHYrIIQ1xh/GtWS7Dyp6wdAWK+zjDSHOmDcX3zx6Vrk586 + 
NDCBa6rOOORjVZjDAZJVCtisBeOxuAPIVZRbOJImekhDU0YBo8ZfMw== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEA3u4uWscGFV9pUT+Ki2VtPkqR1g2yFANk4x2RuIqw6ggsu6xI + wCjwv8M5GL+RUhDJt3ek9ZxDikvgzBQIDrBEcMfeROu2pUa2fTHZq2PJ1yHnYs4c + b32/6URqGUCfqWSn2c9cAQQsw7k1E3qT/aSKBStx91S8GUN7BCg930d2UuVolnKW + YGYSZT7EGjp+e68erquljre+JWpu+WhsPNPAXtwK5dq9WBGa+znZ6OKS4WmGPGDt + HCfNy7Uuvw3fmrENuQnI0h+4Pg7ERyoKEUHExXkqfIoE268phRZbzaHaV4MZs+p0 + mXs2aXpQImpRIzeFqNYY3Q5uYjCnAzHQeKkHIQIDAQABAoIBAQDIdZ6jLEHxKAl4 + 8M0xCbRRBhbbRxdxXZfzjdxB+BybZVxsKcCFYosRtId8FI6lH8lzO5fO74PgMNjk + ScLxClmQnHjmuppTRiHEs/XKYwHVfHwnYbU6H/ZY2JcbO/wWAxfYCNjvZQSnvrvW + VywKMVGW0nk5cS1u/jn5BAKW6xif8lH9NbPYwmKAOIhhXumSQDoenN67MONcmyIg + xTVNyQ4LeA9UTdu4zqRe+ZDJYT8F8tk5bHiUWckElw9njCGvvLCWTlvWYMcMGa38 + WDSLqa0QGm6wbygOdwHbI8NSfV5S/OEyjThUiOF1CjVaq9iQLKXgXKNtCZpEHtei + 2fOg2JP9AoGBAOnVa9EXlAYyQfe0zDtjqM9pDd2T1JLy7aat8xE5UQW3QZl7F70R + 5x+vw5YxYTiq5RxofRL4AvDY1lYgxqT/khgA1MJEjfpaF/IBH0DU9hTBmjKQKfN5 + JiHsqf97kA8KxlHQkNiIa1xmfnU+LwDePzNMcqm2QqsCEjjRjZnrCjtDAoGBAPQQ + KeEN1fcBli9H0f9ohWFuSjMsguJvtMdOAuKBTNZgURcN+d7uNcnXaRyaZUQqflFj + Bh9WqxAIhEFNn8BRGLG9RKjFKXXufbILffTUKuDHN42xtrVHhO6MAVjSkFv21keX + zhH098tSBE1zCIEeSh/jHgeuhHQ9qUob7n6XeMPLAoGBAJcBx63xTxutSyK/tIDJ + /FNtoZGtjUMU9NqGTYma/TL2xLtsXckxDZRN+r48x29EFc+BvvwIBEYrkkduxTn6 + /grYRo3qndHGat5TUS6aGQ0QdhcfOKhOXYzc/G/MCR1dtPNTAKeFeefjHNl0PgCO + hjwHq6jj1iv/m2rsEUkMG8BnAoGBAOhkV6wu43SOMzYT+fZrzM1IGij+EiaQXR+F + vaN1oPdjwPLl4O4P/nGRxklxDknI+HyAgLzoZnwez+fqhNm3nn7njG/zRJZBn7gf + zzCHschUiSZHeITGc+I8t6+e18xpjgGfn51jl2snTmd8yDVB5SzVsqt31jFk4URq + sj4h9uDfAoGAThGwKwC8fnQQDm06RSieR+2Ec3ZS36RhxwbN9xiq0KrCYxXJlUbB + zDhszlBBOfeBfmgDrvzDZjcU+1M5SaMX9af/TnTRtJm02oW/Upzxyk5mHR89/BDj + 8Z8XJ3skM63It7+hYiojwSGoBNOYlN2W5GYKO3MMyCN2GElBZztdFRw= + 
-----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA0f4kptkXq95KoQGPkq3dhBAzxxJSBqf54No8ZNC3X8NrCle7 + oKVRluuDlNhii8N76YcDxxBcDrBygW7KVlieqQcz16RmrIj366lSj98PTdYvnJGX + KM6JdhocqTvuJGT5uiwB2qezmtXVGycgPjUwGNx1ER+AlQ388LH0yq+O4zHwTFcK + KgLvpM64F97uPzPBcC+Evnap2o87rYFCOxHonASLLrBWzoSLZGiyWLSuyiL10Qmw + bI/48HIAUFeWg4+robkBfiX0rTKJsqGlE/y/qIVnNr21KffLSVhvRaT6h9kgZBA4 + +ps9V+HX4LDXJRN8T9I716gOVnXOHqUy9cod9wIDAQABAoIBAQCRZKV74FPDa+XA + FJSTuk3lYlJ3QvgII8WfKXsnUluksmkqgBQo5k3XcLlqFWgl3POufQzghzM1+HVP + qKXvouw3nAUJCYsNasg9Ir9HXen6upG8lhFS7629V9cAVb5M9JzzigS+n957FhK2 + +iAY8jqa/AkSEf21NjorbQtQSr1kD6z5BVVx5FHyTbLHd2gvh57DzxC0INOxvkKC + n4KmKcpDm331Wf6/PLiK9A/azRKJiSZ77J4eVQY8y4OCIkKXt1bt7opYe7OZ1JtI + Llo69OAqeXMbblvUTV7U7F5BvMcumNBSmXvT2VGmZ0EvLfbNvmL9A0zf9TMhj52a + taVY5x4BAoGBANJU+s198ljfzxGwPVXQ6R2LEclEfjdOww8Uv6BSCdO60OBu2AJ/ + B4vVO4tBZvcDCiWEZ6idP/w+Je+RUwM1B7ktCbpus0JX7q+aaaHE5iyv0IMa1cTp + NkpK33WpaDFx+P3a9dA+EYco12+CxngkxNvKkAxEO282D8nPyDoecdxzAoGBAP+W + Tygj+dHbkVBZrCij0lKW3bT1iepRM949NpcLzgluKv4P3ixzQo0OYhQ7P2FanoAc + 3RlwyL1oic6Xzxwv38kVVLEtBZWv2Qk7jKuyTDiG0w3gI+z9AMOZTym72/fHtBcY + 71w0S2VOIgPcvzByd4OpJlPYYJk4kyfQvY73DHttAoGBAKQlYd5BLoMhl26MhjGU + 6nj98ZGLfJ0ZQK1iWfJ6U+UDZMPifX3lOTRt4xxYnEyl+KMy49r5bdgjgGOonIpi + NnbTqUXv4sIh8crlzQ5Mpf218BqBNNeJ0a7FJAOlhAUil1k2KqSr6+35d7g07UMS + HvgQ675G+cNfA49SM0b4P4/1AoGALvhkm6/g3VxInEeeh+lzYZIwNG1bZyB9M750 + JdYZi0ofxIkN/4U/GcUm6SjqQO3yawDi8SX0/joT+U+U1E1IByBQbC8l85hZfoTf + GT6vG0RLzST/9TGZzliCX90SU7rzsbr3Yi6KHJf7UFJlIHYo2J1hWc9OEVqAULTf + 4UItnRECgYB7i+dudtcQt1Jl9gRSH8nipuLTLZVIxW+ZQDJJPLKj3IJPmY0HsGsS + aCUovc8euinV6VgN3D3HZzyhAq7ruh1RvTMWs9Qgf26mT4bUgp9Nm7MVCkoEAFhg + Ne9qC/ZFDIGuOF2AgmUt9kzTVjUrJJRHxsEC0mz07QnX2F3j1cQVtQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: 
+ abstract: false + layer: site + name: kubelet-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAsKyEkP2PvGEQzcDDLIawdmGpaZD7qlrRoJ4t93i2CYvPJa5V + X4hCWnttEO1YvRgcWAAF+bjDRMJX0irm2h76jQseqdxXnECfraDzAiC+ty1pyBxC + xGTpHscW+vStIetWbfiPv0D9DzZLD2mqaXxgjRQjYS+bIqQqKoWeeUhGNfjzZg/s + bobaVFvt8CxPpjd4/V9hK0Q9v5c+cZKnVyUZ1u85Hk1vCIbDKXsPxZfiEdjT7WwT + rP0URj2nLeQBYQYCV2R3lPGRl5c/nCm71QqRYGUujYTqmoVNqE+ESi7s1McteNd2 + Qg0cWwC3EL/qN7Yhfc1w0bE37EGNK5YpfTbnzQIDAQABAoIBAFGO8ou0YhxGeulg + 6Tiu3NtpbjmrkmIsFsWc//9UHET/45qzhfnZ/zeh7tF3oBV7Aeql6BxF7O7bAIum + /ncHAgcGcRtc+pzJQG149XWwBBqvvjuAwFnFc9Cfe75SIXKdH4MY0dMqfyf8ml39 + G4wivLej6kk9HtK5EjYbBPNcJ/1VsS+/bDSk95wZSdR82OXH39MvbAZy95CZgNm2 + 0B1h7DE9sX5ypHMzQjvTOlQDa6A5V67NsSxN1sQD3+prEC95+CHFbMe7OQFnam5t + BTXzmtyKPRcLBcldDF6CdsrI7AhTHIf1u8M++U70ckYjwyckKBaPoptoSnlelmIr + PlUTfcECgYEAz+y/chsnTh47cWWZCwTVjMNk10iU02N60EGoqnWctIr8RjQY9cri + Dx4LHPedE7XbLY0hlWSbVAXP+LSy0EjSNIHbrt3+x13lGnyrSs6aDM0OUvuuCoDT + p2jpBiM6Uq2HxY8uKufR3hrOSMhnJo8MmACyt3KTJ27AoKI9v1XG52UCgYEA2YYA + cpL+xxQwG3zT51fpXSoGuuni3MhPZDErUELGNBcu0U3H77SvVgJan6qcqhQgPfl8 + mockYLQYJr7S1rxs8NEjUt4KmEvM4qY5wKiKrK7HmrmxZmar3SaeEzg8lloXv0dy + zavQFGIHZrIrGBT6TU2V+/B2+xoahc4gCeQifEkCgYAErSx5Ioc1yJRJrqFMkCVF + bzebZ/SA9KHUgUWL3+1QWjfmVFGjZZbEBEb3tdIAmXx+f8gblhGwSBkvXNEQwjKI + H8uTGUcbsM7wU5F+szrfwtTppON7NP6Nq1xiWPR8245MMTY2nNQpjKzLEkbPpTQB + TzK10YvhvSnz8vI0lXdNyQKBgQCk60v7kidImK3AqWufwq9Ty0E/BYTTD6vhssW8 + HGRZqhn85pPn0X3+H9rFo30UFh473qPyJPQXvXNyLMt9s26FRosZkO9HeHDmhlDT + GPXK5ti/Hnq5wK4dBeJjgAevlq7afzkzZkhkq84gtoSlxYHgiipk0XPj/W6OdDEm + Tqk2wQKBgBrixDumFYlpUthYidE5T/uFHWFnlMvmB3Rj6WCcay8Zv7hNB/BI2Voh + 6gij1Pe+0pFgkj3HKfRRk4Z3qdVr005hBaP2M2vgddAabrlgYwGiYsP7FEz9Wo8U + fZObL8d4UWt3v3o+TrINMXAKWFI2MaS9L1YGeasalKVbyCkGdoTS + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-14 + 
schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEAw4TckolYLv7GPLpS857sYmdCeqY5ZK2aAIWD09o4EbweSL5O + +i2L5anV/7BfJhyJLgOz3H7sM6D43Kpl1B3o0UIUbAFDad7p06SMNm17c4YJ+IcL + rZqwYM1bFjb7kDmXxy1inkaHozRvHls4nWg8Zq4RkOD3WA8gtGO8la+5jwKNQSAG + LMhn3u3eNixCQtquDEOhvZgMZ2S6WtdBTcmntT2Eab6oglExFiUosbbBfQptJCnJ + 8T9zFluC3gkxMmtUAdWCTZmBiJtfmV9UkAmvQkxGOpGooXhfckqCK6mbAWzQPxhJ + TEDiHhgbxAcHlun1weVwL1FX+rlyU4XA3K2z+QIDAQABAoIBAQCDcubMihREfDuR + Bn/QlI8+VUgHp4u8mU6JfTo1C2hY3A3MQE5eupJslLNwVQaTW+oKiqi43Ig26cmG + qfUOGBG35mJOfsbw/dJc3Sr7SL4P3BUGBt0eGXrtigLsO4kD3QSi/2tnF+oHGrB+ + SzwT78l0CyF6MxV4GauWO9vFE0CA2TnuR3FfSMQ9Ow4h88jg9Yg0AoW8ipINh/FV + 9/DJ+PvV17gSvf1RQeI0z4FkngiSnTupMZCCBRQ90Kp+UG8ny78IhK1VJG5fHErO + Ysxi/yNSDMGOXXcRGOMBHisaJ/DCMqDM4Y5PECtQ4WHu5VbAIFVIiedRMPaPtf8v + lCYBw30lAoGBAMQ/Smgaom3SXdb5XDdzrzthtriSFIVxWpBarGpmM3IroomKiP9u + ae67teaS8EnCWk4FAhC3YqBM/v7K/sek2HBDmhRB5nm58w55o5/qYFJkDEgO5cpJ + vXXeWmduKDz0eHBLcOI7KuRramKIMe5RuP8613UhQ1JbmTqvnaeH6SV3AoGBAP8M + zr8BGEX/wt1hoEixxKGHDVnYa97nD6w/LTMljxNOJasONpKCgPahtAsOkvupbtrV + Ml6Ssi5srEgG3m7H4oG8gJ4jHZLYpChGWv3Zn9IZFrPbvcdU0cxECTnl6KGaqU1b + PZfhPJpYMYWFoBDgtGK8cVoklDnH7tT1LT9nyA4PAoGBAJXunNRIdQxeil8xiCi9 + c4V0s/rzcEY7QivDerKXfnqdp8JZWy17l+dS9jhAzuArYn71CIzo7qr16GOVh23U + HaA3pcIQTxt026OVf1Mv54NK+K8c4qbYC62/wWYAHTHkvRdeK9JLzgtRnafF0g/3 + 09T7iZztWtfTL5BMl7Bk/9UlAoGBAM3a6IQBvjXBWOaWBWinEq3M81mw9F/U3zGH + TFQb3H8YdA68Sg+2haCKo2bJPJkjB/ZYXW83t9kAnY0E/kMr0gYkvyrj7Nq5QMXB + A3AgVn6dAVXp5iMcsrjLsSaqCjllO4DUQ8JyaReqV04NrEPzGaUXs+Wt4HVCieIY + gYzLlwzBAoGADk6vPp4yC9w6NP0CAj67V2+p41mdIbQj/WoYGDk9Ng6D4brQcUAc + xA0+JfslHy6WLO3Xiey94kvL0HdsRDzhTp7ltsRQQ6HogO33WMDIAg0DCiqzw1Mz + VUieLlMGZ9VlQKGaW/8sFDf1UbyM6miBhMS9akc8zlcUWD8Lk356nlo= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-15 + schema: metadata/Document/v1 + storagePolicy: cleartext 
+schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAxhvmILovkawW0u8/t6/8uEhaj9sOH0f+ud46YXwU3V+c6feO + 1cVhphrGAtlzHQ78qa5ANU33DjWDWRmy5exr83hPSZchNO/Mq3P2gGmTxgF0Jxtl + TH++CSDMXRn4WktQt1f7L9H7EE0euDvAnY1cuu1SiMTo4p4U67J+kirxylmGESmH + 8oe8KtZ3TxbkIrKUmS8TuJXMmbUMp3iz3K5rXKzk4hZrqZto7futwMjBHCkOFSc8 + VEH/XQuuCzBssRjCti/B1TlE6HkCJkSle23oRZe/fii3JcBmjyDtaNo9AWgkoJpl + BVgYxbcKQlo0D2x3VQx8JztPX/aLiL/kauOYVQIDAQABAoIBAHW79tPUUpjcEORi + 0xczO5m5RjjgElB81OFZNJDi0POO8w4I1ZYtq46vsqXW3RaT5Yxhxj7nir+jBeBZ + 6XvDOZSEF3rAmjd/m775N7GxDOVLz9+95EHGWQXLvChIWtQullWfr+QHgpF5g5wx + xpLbhBSDHd2ySEUFdaFtftMXOoLqC938EG5e2cbII54Xn1r5QJdToOLki465EE1p + qsqpumWylOmwe0EghQcA4XNYjKHPmj4BqsCbLTr5Ed8CdpTId5PcYi2or1vEHgqY + 04XqidXidLkd+omEOfWBgyyjupSpv4eUBOtQGqweYODjPOKkIuBrjn3ttZfAopD3 + JN4QybECgYEA/FkuM67TbBFTTsdZW7RAWOoGSBUvd47Kpa5UyVIsjGaisGFf+oh8 + g2xLprBEwKb/eg7myAfEKSAPvEJlrPDn1emmFpMnprMgqAERVC8TNnupkiwqdo9P + 5To/Otv+JAV6lRjJRFMuFEo6eA6Ob5CdHNlQ//E05/vtBCjqACvaimMCgYEAyPnK + LK4IIQ2x44bZ+IVrxK9ru20ZNAZ+nRdPWSxhZN4HgZZrlXra3cewcf2L3PLcQTIb + Re6XkGuVdG0VzPr1c4pjgbRCl6HurML06fsnFgJS2zBFDrdP2spADZVb7owOPVxp + pChdJDA7yEnoBOxi1q445xN6CXEW5VsXgMcVM+cCgYBpISItZ+0uvX0OeeCRYuPX + 5w9c4m6XCYcFRT6PbMugZnXqs3aP4mK1Qd22gQLzm98dU63zscCYPYIwtRy00txS + 8vc9umqveTrmoyM8Biyj6xr3Ca1bHVN0tTJ4bARRr3KlQOFAtMKis1XuhGn0srOx + vBuRtUSMTRkuPXlXPu3Z7wKBgQCQF+gImM5jRHpic3EcaiyWXF+VhecoEe/9mZTe + jp9VvosLMln4VplNobq0P+FjjQy2AcLkJOiuNzR0wTF8QgJx0Kr/d8q3BPcnDrCi + gdvIP+pAFR+uKWgrqg66rne3VNtwyy1C8V22cI6sT7D2trU2zrslkiVRV6/eyazU + O+jLyQKBgCvRUttdwwFlPbOIzGZmbyZxXunpzMNzTISGcmH6QMODqrZ8npPsKd9M + +lHbs3415cSoPtL00dU6SkNYrQjbvPjT/8PdhyMNIMNA4/x2VEyXFYYgl1IZykWQ + cqGvF0NwaDZCXLsmserQvFXyvxnB7hnjayZPRwPI3gZs4rtsz/S4 + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubelet-cab23-r720-16 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA 
PRIVATE KEY----- + MIIEpAIBAAKCAQEA4joCl54DBJLhcTcr3PakAleLSkT2k+uMc7L9JBy0JmQG43mY + CA4k2Xru5a6pshH7wC9o9cf5bPSWQoG/wQjxGXa5nPz5pcZgpj04JFuda9oLrtcn + X/eW7GvLuMZFgeiQCQ8BWlLWhRIa80XSZAWFHQG2zIDRxg7PKnpbAQYtHXiSWoAG + ziJLmje/A9LMnToh6Xtm0dLfn+kIe8EvsWsEnaTqcNxZz6O5Ou8twBkrS09eXtD3 + Mu4DvhLZHCxVc+Nl6HDyKwZNUkwvB01QRBIaIVblyjS7H0Cs5xsJvBAHRGm6QnjX + YiJQ2dl48+F6w4UmhOiTmASj/gp8bhwWhTnTqQIDAQABAoIBAE21f451SLQZgDdT + rE2Kq2vihoZMiiblkqlromj1Myy8z2D0M7UQprfN8qITDVeNtdyebH+A4bz7h2Hx + D91PJQKKNdgnTdoT+r8f6FkU305c6AZ3AZ+FfOJZZPFjqhyltlRmQyCzs9yiC3/l + TA/vlXoRTKmS1nwiOidtQDVp2bV1P/uYcHiOnCHFe2bgtRqg9CbK+LMe67bR2zG6 + hr78ayAHzGvund12nwTzGGBwvPnVcaFYvddMGX9/PxM4+gKrXcbMaTnEXPGGzUAi + AYKYiI2FuEZ3Ug7ryI3CTRFrL57cSWlyCgVrIMmy3H4vc1mlKMooqA0fYa3afdeQ + ed2HBwECgYEA7+HRUhZFkRBoW6fSToGfV1Va+ujr+ut4aLmaqbuzLsVP7q9ixbjx + 2WAh5d80FoVhDrQ4VcLjJowHwLlMC6523Mt8K924KM/qhWiPFBhV4+ESsRfgJnl7 + rVVLMfbb0GT+srqg3C5pwWsvCccTCHetKxLVj40hlA3cUNXDZ49Yr10CgYEA8W1O + UYuo0gFUyae8fW7eIDAQx6IJqJjPwng2++9+8+ggzgtm6I6MEcI3BcqX9v7aWTt9 + h5nG/RYbH3RAY0sYG1/MBKPB94BWZU+avJLJAN8gS9joaC5vww31YgIP/rf7Zs5P + Hg0W65/umBnuFn3ITppzPad1iyXl/HKFPoooDL0CgYEAjjrsa6l88fgyiDXHQnkk + yxl26lJ0qMA5Eo8KHx2FrnObY0BmZim0bFjNgIiJT9khpSBCTsdQ+6gHaMP1TO/S + 1jNomnHKIZi1ywgl3ZpYQtdOx+YKJ4XcSPfLsAJYbwWS5tI1UpfKaL5uk3OP23Nq + H6H5MjZR9IELYnp8c8jQopkCgYAH4EL/0giN4VE8yuYRSX6hmi/R821RPLr6YyWY + DnYbyuTXE/QlfhD/u1BENhnDCwlgg9pShCfDtebonchD9P0yV2u2cwku49btsy0f + HcLE7oKFNuxOCcXHnTr2GY8gBiyDbBOUrWSkBzGncKEdxri0J8G+ryncgj4AgFPs + eGFaGQKBgQDhRgzvCR6+dKtBns68i8nPoNp6UhLtEy8ijHQeoBnOEMog7tjpdLhL + x6BLef1qv3iOnshY7znGPiHVpw0QVU09ony5IVaFctG0IjmyGyFOk7THIPENMPKh + LcBDJH0oi/weRb2LUe077ixZiooJOLzPlE7IIsSvvPc/FWUVZdQCaQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: scheduler + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + 
MIIEowIBAAKCAQEA8PxHTsejf5CIl6WHAEKTqXNPLw8rKdcmQuD+4ofHyoIHykpL + pJY8uWqJFrUZaX1AVvKmjgilyvcqUYU6fFSPVfiLLFeqCM/gXh6igDqHhN9R3VIH + zet76ZglXCSXFzo8/BCkNPsOJIDqFcENW5RSRf/8UOuz+Pt3f7MINFOstjJnVVeq + aBdPDvtshWSFC6MiNOAYSHnqdQ//9n2M5qlqCIhPS+Y8WG51IZVfUXZYaqkQAMRM + we0A/tTbWY1BaF5Ks2u+Pr4ikbe4sByJORnJfmWYgUsy8e9GHsa2CVklCzCzR+Dh + XHSl7YAxhH583JrMLmjUvYv/gLGSdATIMnwHvwIDAQABAoIBAQDHfkDVsaTi3FaH + G0tn5rVwqHlbnrX/vBD7emDmTLsTJJOoXdrC1HBOmigEeUUhM8PIdrV0jSoanIQW + 2jCxbhr+c3Na8PNcuiGmKLwjZNB9KZYOnnLBf/ijRwVegxfk7ZxAmtIk3dQ2WdXu + zlLthhqZwjExF/5z1lB1kVLwZnhqljIB/4CscfD1Ld6DVFqroGTPaI4vD2zIUc/y + mUJ0oofLwNFi9tkpvHk1bnyfXhHg86ZFMVwh3fdFOGb/CqxEOgeNuUrpZTE+qr4l + yYwY1Za3HPhoXdBlVAeg8sXO79sGrx3ONSCYXL30IHvLUy+geqg+4wktk3SRDi0p + 2oolsGKZAoGBAPlh9uM5Ly6KiWTE+jYeRS9Iofy9kvtqSPRt6aex9HO6RWkX2UfK + hXj1DamGor4O9phap+YXJTD+InqCQoe05mrVfCLhtSPxwoTj2yUC9obF2ygQlNb7 + iqJRGA1LQ/kpgsrl4F/PCUMQU3f+4z6NotChx893b4DjtHxEFBdhXJFbAoGBAPdh + RcjIeMUlKuhkAZU9WiwE61lyucSK5lZ32pldIaiVcZgbM4BO3IczER3Qs+W1vrrl + FTVT+KsopD2ARIh41n0j4FMwTVAM2/Vhy4oXQq8jOJsxuOYjNWzoL1eWjmmCUxOT + Xl67N4lOqkromnqs7yfFETXkS7fOLUbr0ZXgi6xtAoGAc34CB6NBDY3NKWTr98o3 + AjniAxmMi3DijoikkCwi6MGYSZ5o2w2YmLbsd9lJXzmwzEgXv8ByUekv8IqI4y5N + E6cA0Wq0KAxbqI2ZvN9NaocRAtIDDDj8MEXcHLQBq8+kqfCh490PDgbukQDzHtIb + WAHEdnl6ozdRK8efgmBtrUcCgYBkNqajePrbunvQWrr9bzY5QODqgnxY73/yJWmL + 2VuKRMgYu2Q4pTnXF0vmzSYjd2XFponZ6aOCCtvGAlFBC9qwJTl52cZoGF1+4Vgo + H9YmxtjmndTuffLlpIWRMO+ONHpdIsUHEUalPBXmdKYn7iiP7thTAaHe2woigeOM + mMNcXQKBgEzHRl6OfV3dLyOuwQtu0C77u7m1rBtcc4TF2lr8AaOOVWsZUL+We6Je + rfy02d3COoQOdrCWesd6WBmM0kj15Jn3ll9/BH59JvxK4Fre/6hc3vunENS32cyg + QRBYO7wg8VEjDBqISM2iBwUSDRXS2pKl7Im2yq58Q6p3JE2gP/xC + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: controller-manager + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAy6HjKzixINfuk5+LAimE/IRrPPWL10rUCpg6wsgpiYYj91Cm + 
RmhmBkvMAD/dktv/tlkdLB6oUBqzn9RNdCuo1ZLIYoBuyydBxvkyjDjVtd/qY+IL + h0Eh2gIkxvnLx/TomPF7blrVDeIHXvuWAm/pGIx0MUITWJHq+FEZBI3sgJ94QsiV + BkECbpaFx87bQUAA+MBpi/G41GSYKu4flVi7QQNvlsMvEme2ezMf55P/wnEHpI6A + 0u3wbAHinIKPWTn+nd+wTq8UnR1/7n+jiQDuFQsGP3PfXcDElrwwP5o5pVe2b/Fv + X2kb6XHD4F8CuXGghae0xsg7xevqWRg0JwMpnQIDAQABAoIBAGd/qtTnBbBp0Asc + Ri0dKUinjVH4g9EzaT7RTNx/nA0YLuOfDEQw/9onYFKoI1hnlTr7ZEZudqHwUGfm + Ik/veOrEpjDaknWTSG13b2ex432Dh8Cova9LPYdvG34+rIK/ShGie1gFttBNl+2A + 9ifa9aDSkqQOr4KO99yqa4rTD+f3PUvm05YaJW1dIar9rS5CdHS0ZmcCmlTytpF1 + TJUMpDNAc/5C6YhjF4hRlUcpysdUac9wb17PGdiiF6PK4vAVs5shQ8bC4Hc/lx4v + 7/APl9HSfJMeRzl6iWJRc1AttD2F3e9mf9WlvmANkKfpiIZgEhvieE9JhR1VuzI/ + CZ/xgokCgYEA8hydocOSNln4oWrqkgygLQNkZnkwir7wtwZtupmiH8zBcHWXU8uV + WYNizIuyjsXX5XumqjKZIgT3YapPVC+wgYsc5+Yg+X2RU6WV6GBD3a4aQqCUMlGq + lh5Y+wi73dYlG9dBjtx+ZlWANwiOzEIIk2Wmha1uk9oT82bGjffavjMCgYEA11A0 + swDp0xP3hsEFm8Ms8QAQ9qSRvEwqHnCaarbALHKEEOCXf+My9CDsBt5HJm4OU6Ov + c8Ry7YuzZT+1+BuHhgM+vbXNs2KQSh8FA2LntBb+q+/yq+1Q8+K/LIhfNV9/XqAX + pp+9gPMyVRzXio+B00EjuHgoixRDIB//wTa+CO8CgYEAzPoXJsZJ+oQPsLGxKLdR + wOpXTT6bL0xaxcnGiq3ZiayztP+Jf+MjbaaDtgMryB6OG3alcwDljty/iEtFYFQD + zpk1fsvh7Pg3WqcdFKCztHHbP79t2HA1yWSmFtqdG0JbJogGs+nPhdorc+xl4V6i + ng/4fMKJlNmT/IVt4vINmusCgYEAygBAgNPRiytHZZA/n8O7rRq/z3XUGFFojohc + BtQPdWO2jVL4L45LJoigh00QeXh1TnjZyYW7wSr4knv0T6IcQllXCoq/QpWtAy0Y + +fVXpjiQk2SZSj1qXnUToEcM87j1eSQ/LB7fnlQLm5hki2VZioWpao6oktreowwC + WRXvsdcCgYAn+BZPisByTp4j0Cbf4oV90lZLNCFivIaNQ7zVqGbce10KVZ7ORdM7 + ggXBnbh1002cgctG4kZkOZYm0twkNqUrfUmjcakWPu0neMeVJTUfHmrtrReYWph/ + uqBvxQA1UJ5tMYbgIWE46sg8cexgY38nLWofAd/cWDSDzNbtRDGe5g== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: admin + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAmWEXjumAeIzJuYUeCOK4Fzh+dTIKpS5WBVEPH1FDd1y6Db7S + jFj0hVP420GlDZzBNp4d26PxEUNPIOT1UsihwdW485OvR4vRKsZb5/tApQOtK1c2 + 
+vONAnUtByAg3GXDGCuuHH6rccTtVJOhG7HlEjghy0V6wNAwjke36AktHrHYQJsg + vjcXw0cp3hIb2HfGJuGA2FkChx0XQNVHP8IIOw5FzQDmpf2qQZhcm0AKysoLyQhy + TMzrTUmOVeCwvxwQsCMvz7z1kv4hI6uNVx2VPlSMWyyDAmcb/RKssJ85gqoTUwqk + Iuyc/eX5RLVKeeZdfmkDbhMbf0U9gQSWm6mPRwIDAQABAoIBAF3R3i809bjHpb0t + iCm3RRQvImtdqNVRepzV8IIfmz0wIz61MuVWpHvJ2beEeAnTkPxvy6PGrHb6zTQ5 + 2TZCM2/146Ra+iSxici4fQ9xySEnFo4kUyU+RUrzkg+Bv5gRRz1Jur8DXKvC4cmS + ZEIklxKF82X7ohK/RnRBumTc+BSFkmgBCRfIg7Ka+PknHRRCcpYyBx7fRxOGfq3O + qMyws2r9PD4C+cVgvfR48LktwiMt+lTvtyl4C6GpiXE5l/6wn14OYKTGlLi0sM0e + Y8i2yt+6uJLZDD5LfMz3xIo2O4rsKE0jqOwRN1bJeslLieGxhT+uHkAA9KAkO7KN + 0oIRsgECgYEAyRpbkZsQ6gWGjByIGioB/ubqbNLvnrRztt/3sySTuPwjZGpcdlci + YxCaWOsfaIT4UCwO7Rfy0ioMK0zFGAhMN5Vuil0u5EA0M8b8vPVidvd9i7g2cA4N + Imydx92xQzhUVtgm1NtAGwVI3BTezx8wN1ObnGvYinmqBk6xT6oQRGcCgYEAwz+q + /Ubmc0BkVEQEKxeM4JXQXvX+Usr2gTNC5OfG9WkCb8v9b0i1wi1SLHE/kmDlHGfU + m+G8ytxMFIwgzLgv9M1fl/3GDNUNm9COAo42N2vXtz08RjMWuUsM68JcBOTgeDf9 + rCIpcjxz7Wb41/FY3rAemAOC023Eua6cm0pCkiECgYEAuu3rK99Ny5ozRM3InTlq + /Xu7cEhqP8VQwi5RWo2nWo3UgCR1qfK4ngjyz7BOU6M2BZ/OiAh4x24aPa1wjzQ3 + VHtscuTHD5e2bmKKz0HwstC+PD+RKnuFLfh0eTHS8b7MdqUZA0aBwhwZa6liqng9 + I1BuFuoQMDeDGbXQD1LvKAUCgYBPc+A0Ex8CNWjedZMwqfO1DKHvkrD8pgUrzF1j + YwIuqZ3JOryWBYOZUfIHjcot2epB5eq5yGGYN49qKR/LzwQM3WoSIr3uSOCx0GuJ + lK9xXBw7P9sAQhf0LRtD8SKbBzxlD3vWCUzOZNVT/Tw0O81LSWYZvAwH17pfSTQH + aW+voQKBgEGFSAo5/Aj/AGkLbQSsFx7onz3s+nnZOdGG8oTqdqVBbiDghcLIiyRZ + tEQ4dSU4zwuBKhmrnfsaic/6rbg5dwY5iDygTlJA/vC9Aw5PDL/8rutZn2of4Z3j + Ve5/oesnL5sgBbF2eyCyZX64hDAeBviJfidp2JD/SmXejpHR5FyV + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: armada + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA/23WJUrhPTh6LvOMmdOXA0Dl21GCS+OZkTlBgE80tb6shVcG + m4wXnJzh7l3exqNuJ8GNYAVkkRNWW6KNMwKhvtTjvZI+Xlr1C0SDSzi9SWpHeHq9 + sUQZG/YWvqGhcCCOwPz4UJ+SAjM44mh6FF+CybIMAyxoodospASzJEm2dmZpj3Xe + 
IuW38R/l168Jnlkahb5oOGsnVxNwhtjNaBCLyLxHfktN+urj9sgipwdTpCPE5Iow + YPdiGXy0DTHfjBui9/rKE11ONj9+cfgPlkiIClP/QKzDDhTo7AoF7dCRsFSJpbW0 + svLq0otVh3kVkLHjAUMkzMRNPfcXVQ9RL5wIrwIDAQABAoIBADqHR3+KFex6SX0C + r5/73OmQ8Fp95dZP07t0HC8zdweCJnPzSf9QbYSkahy9g7OOdUpEzolHExEvFiWv + LJ2Yp8lbbMfef84NF4M6cr9ExBLTeIcB0P+SdBJ1JCcQUDaqLyvHi3ql5cX9SLaQ + bBDJBeYDlz8O6PbVUE9RCF9zSIz+W1dXrt9hvUqUYaohL8dTnE/8arNyATADQgrn + Whvs5St7I/iK0Y4nsg8g41+PYCxPgAYGpVBOxWm7uldnMuQAtuA+TR+vyD2KSxvW + IFMG5+rsLGq7cbQ1g2gj9OZpNEbFk4jddmhZQjQO+fsx51AqHBuzlYlNxWD6s6i9 + uqpvROECgYEA/8OhZlm808WKtwq8Sh4EPGKFEgi4AZKUleAHQ3wC71eL2LXv3Ixz + YxTQTEngkFDgCf+HdDmSmmcewJMfrvw8hfd9W+bEKNKnQ8/heCtlxjsVR4KcS5D7 + vpWU5gi6Pk2DxGnQm+Lmiksd5SjECiudcGuzCO3dGqntX3/g+hpPCRECgYEA/6og + ftNCJNwHQm4vQCp5dR2jFjFkevPuQfBR57He2T5donVkL8y3ocUf+a2nPIDNuP5M + K02p3FUdmJhfPRr8D87YVm1uTqwWgTT7MZL1zMYfg+uMjAUDWfCX6uNujRMayOie + YUAFYNSZB0DKg/g1U8hrn51RFYRNSGu4MfOH9b8CgYBbQBrXf3DFRZdmEuh2sRrl + yGidtIqh1QA6MMGmrBoH9n4ohVDcqSeJ1CU08q6yDojASHC1YM0TVXM9VcBaGBgn + 29LX9Q9LWUzf/sz8qM8Y2H+REeJde461wnxrTfXUwKcgbnhFBcEm2gICfnbjAgib + 0XEA4IygNLxB9Ef6M2S7YQKBgQDwpjqgJkqEV3ed2Akx5MkerB7urN9fvGvwNT1j + UdHpuwJ4APek5pWS9/H5GrPoB3WdRAB+YkQY2SValVJQOi440wJfl/HUq7cjN7Oa + HjKv5W2UxwssYSueZREaT6mnsOvtYMhz0cc+Nd81LI9zWRcZHfXv8Cx6jGYSXRKs + MgcwEQKBgQCmhyG3YDOxSHrtFcgJNK6Ll9U3hQlR2kK2/Q03Gqz8QNUwp7zD1PJb + zr+njSd4pWXwGt4DRq3cWFjiIm2ep60vvdyWEr0AkcEpk7ElzMf/iMHfLSAkJ/Io + w+U3ANJDjBEj0qGU2jOy0rGzJHQTmwOYDum1TpOwDP2WRhi96XftAw== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: apiserver-etcd + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAwnwCrud47gNdU3tZSnAjtMgLvJKmz/b25T2KlnubLnkf5Fef + U/CfGxN48xT+NmADieNA6hr+WsjmM+VsYj53ySW4ARBalW6SpXQFxEhm6WmXLw6x + 7wGOC0GC64EzOGmI1vKuf+UY8/p6Fhe6kS4Kzaou3jCk9yUco/7UivI+87e2nTp0 + q3aTYQPxJg8mAQuNM9PRzNMzkxN0//4hRfXEOED8+FwmA/enXaj3/tsvIhKp5DMy + 
3r4cZTw03heRxHWrhFNUSwfe3xNzrJ+oSevnvJ5vvLx+iSslTccx/SqHFh1qeMEg + BWINmHQOzWlWpqW4TaWlc3xLAGZq/C7uKbRJiQIDAQABAoIBABRVauJmiRo5d9R2 + nQtPVixcjf2VR6OOqpmlKYw6OCtPtqnlD19zVO87xfWESF/fAf+0puDTGazcPFVI + s2BCL7v0GZzi3NWqzeJGkyPGfhwBUjE1VB0tCHDc1JdS1swbHJd8oAn3Jfi8Q29z + 46myKqb+GBBa/aRpWOk8h3RPh41rhPZZdc0NgHswG/HeHJWURqIw58WvTpYrJQAE + hRyiqjaFA/ZPN8frdpvYnpmI88lbcP1RmOjfYsg2NMbtBxSGe9W0wkVONN4+FWiF + fx8OvpJgVr4YC/bAXuqCJejKGaKxPNK4TpK11k3DCKPm4O8anOys+3wFvVnvH5HK + FjIabVECgYEA8n2ieOazD2GTW0NXXBSBxvyfjqNnqb6HniFSX9D0ekVJo0/DJCNJ + Qp9/caJiorVEsaTK1E3vDffY9J4ir3iwnhKsiIf2Zu+YmSJUrbc20y9omHvJcRNe + mZSHA6rGFsXFlOSeFO1ubvWY0NpdF8+x2FPRqe1BcGrjJKBP0n8Uri8CgYEAzVG3 + gsX8P2BoZf0+DHBRIGN1DF41bdQuxBIsPI6Ri/WvX8+iMeHBbZX9fxt6l2XPOh/t + cSdwUiQfXaX12upF3Gs0BdGyMMhdRspyJZe4AiDA7sZzDOhC/mPgq3KF0usPq5YJ + ltybQnF9TO8H4Vy5JEyMsOndP+uTW9hMNCsfjccCgYBqHDvqd9lHE8Wtm+wwaPDZ + KFaRzkNgbfVeZupq7z7r+kHc6txThfVa5/yWtx4+YN/sdFYlTO0cyaXwdPpsmn1+ + zmEdZZGXPaUi7Xjsg03EX+x/PTvK9VTiE7J5ElOYR3bMTrY2Jie6+lGioss1zjbe + mN8YYq/OB5fZwSTs0Zs1FQKBgBohnV6Kfjk+turMGVqR7PFXVy1UzC4HRFB2E6U9 + a+7JPSHPllAM8IZXAaVsxOSB86btK1Ysc9IwgMF1ft321R9hkYRwFOK6jYyV9YMt + VSEINCXvofLxmJ0x7wVDFR8sBZmMBfpqZ2REd3MUNQeMuo+RIpLdoOgivmWBGOnG + 10Q/AoGAaDz4I9mC+gH+DIPF7hr9FueZU3O9KvfR4QV9dqNMhrypNjdvimPs2eq8 + etMwhfH8guk/f/pePCnkPX6rmVK2fcGQDUPqiHmLi0A2qiFYhvpHM6RoqrgRc43U + +qChbzg8KVXyHJM7q6jZZOfscSiIUgYr6KEoEkICL25H337TVn4= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-anchor + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAmSVpEizlXZ91scnj0yqFzjUdcXiAciqViUeU0nUHMxMedaNs + PB6/GekwDtltc3L7Rpbm9NoV4rH2JOjD9vOKcwhHF9ScTn3LqtJaQz0iMfGJ28tQ + RmNUS8Bm0CAH40uuiUnlf25xCESZb0LGI8p1mlkdAY6utgvzBqjBLyuLdUtufgLP + /3IxIsJVdNrEO8rgcZ6JqjHCYcRr5cGmy1M+Yth/f3vHMcXFYYeb6IAUCk7xxl61 + U3u1zlO9xsDlqgNC9TSL+aJ5MhbOkcoZhWpx+t+1Z9l2n/7LK+Mum/IX9SuolTiK + 
7d6Iqtz6JobJPm8OCS2FDnTpIOpfp2og/WcfowIDAQABAoIBAHLSosnW0Y31jffk + CCX+Xt5x4oZ+M8fld8K64bE9v00jC5ZmFjOpVdzmgnrPuIlz70RIxhdVIE2c4pFf + 1/XjOa3vyeXrKdqL5NVJ7BU309igYZ1i/egYd05ojm2DZoab6tvShPibZLIvRN8v + sIGLPcug/ud5BDNIGEmo41crjd89q0lrUdqEn0M3ZGx6twLehg0r97BFqvWqcQCT + M2OIlDbahcTjEg3qoXNncjpu5oHUXCB5EMbwUMWkR0XrOmyiiiZRrgkuAvPsIB0q + 27LnOx2ksunk+7N3zUBWKSvULMFR+B/vS7E8bNaIEnEqUIpoLOt3BPIELklujE76 + Ik/kGRkCgYEAx10o9rPqDapkhPJsYIZs4M6Nz7IwrOtrMP1RtDKD0hzh2drFbvt5 + lovcm2/uX4aWbUlx6ntMWPmVyDAvFznqO55pCNW8PBs9gSKXhkZBDqsbzwzb8BGp + 7ttgUtzviSzCAHk25EYsZ3THbu+QawiM/dmE8xIB82BVE+BFGrP4zccCgYEAxKcK + MLU+bgESScFodUH1mkDiXTMajyS+Ueo2e30xTuxtVhXzZ7oxku7Gbxq03gH9Oen9 + DnLLUWaSnlDSWwXuHZtjw+UlRdZJfNEs7vv65lIrAFWP591VB15bY/xVjdJYIiWr + LbrfeKej3l55x4kmR78lMdeOk4FslPF+aOJvD0UCgYEAuobSHcgFM1X6CF1cww7i + bY80JWAdpJv6xXItcIBWz05QjWjfkk/c2drvw8p854lf0s6Fs5I6w4B5ADz8wilg + mvlCYo6/OClwaRL5XBr9IYE8WoM4gCu2p5E/VSf7QYfL12+RyRBS2VTsh0HDCDGO + 4K8UceumQZQe5aLOZQZ/wd8CgYEAjLh/iUVZDDzGCnNVPXtatewyT8EPA1mmu1Vf + cVSv4Ss8Pjrs98/8Q4mMA9tXi/pea3/uLtWkenZs+s8ZCDuhHhyg8oBaALSL176T + adx0uTYZQV744FG409IIke7yhc78dEsCSHIOEffcQnbWrBuPgg3dHuKCSzl1Ksv4 + yjMmiAUCgYBNQuEqr6TWBzvNzySqjlAkkimlJGgIBlPcmmmwTW6b2gryQWe7IeIe + xz/2y+OFJ9DUqsSSuMSyIf+qMtGzvDUuqdBSRUP2Bb6KokmOTfSuXacuKr2J3Efv + nKnvvpqsOMoQIZZQYBlUFJEdsrh08sNf4l8mUjVAagiBQDEiwTt/QQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-genesis + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAzMMb95+LJTEg/8rkW3NxjKB9WbtX2q4hvcCxYJNhSX2UNl0p + +tgmSFViI/5Op1Y4wgsP5uoi7nJ19Wq4F0p+1P1qPdDsE3qKL/EG014RKcZzSIBT + 60vYXE/ob1LSfSQSWviQE0qEwkHgOZiv+8DRHrltK4SdyxoYDLOFifj/Ommz3Jxc + Cq0ZWATTo2EN6lJVbIktgJmr0ehK/jcIS6dZEiCSv2W/PRUY8jyJ13/tC4h8aQOP + pCs/LZ5oYEpaMzcMoFN7lZ6jM+vdGg6b1oqfTHwnxhXHpQ5rp3kZUz6RF7t2+dj7 + 
u0JbF3VNpVBPdzVHMVd+GgmCjOheXSLeDXeU9wIDAQABAoIBAAD/JiCzbxr0PUPh + efEUA8Z6dYG9TrUqydFBodtlfEC+Ur1dALpO2QjbGYoxT7Ky0b3oDeDC3P6qIfba + 2SCL5UgmH6FDZhLGMuv+0ViwCYdZhvAgZ8gqa1gvr2LzVUD0rv4wXYsqfrDvXycI + njqsepgasPRYRehaLSnKqei9BIkFPnZTx/3XdD+6T/zMmts71L0kFFaolXeoUcF8 + eNvL4C994ElP4b95QDNGhJgf0fvpsOiD3EiOZRItqIB8X4u8zYfZ18EB06ZIA4eQ + Yw/rX65IB9xa/M4qBk6Ne6gJ4A6rVIaoQwAlQcdTd4aACIqMCmKnMlBjI0pizVC3 + Qft5LIECgYEA2ApqIVGpC+pYh/nnCRl39zPaOXTmVpsKGw4bgq9FEn6knj3qd4wQ + GeiOh0Jtr7s8Pv859W5WGkhDmriCDjK25QqFsOfhl/ym6t3JYUJvos4L4uJHHqOD + aUOIRmbfObjpzYoGVlcFrwl/45OfLmUmYLhjU4D+PNSnfEW2Ay+HaUECgYEA8qKn + I8Cu6fjb3zvcM32knz8/0oz3cekyHnBTa7cUcmtPMVhrLodKRgnn5S03EWPRmYlF + WazcqnRrHC+Bppiyf1YbJkj1frC3200wqeGZTQV9zDQuB5SJ1C8k0bPFLs7b8BFM + GW2pEk7Dxy+9IjW0RWoKqbpjARYSk9Uo4k4p+DcCgYB6hsWUagz3Dgzx6aDHv2MT + l5vvtEYi3kGIAKNHpgIFsD/K45DEBnLnTsbvHZS58vYDQJttgAtjUpLNAFH6nXav + Rh12rLx8h7VfRTQ+bgCElFmXbwAo91HDdKKoUxXNVft8MAjSFP7LPBcFSicgmAuB + FXJ33JPUikMHLz5AZkdlQQKBgHL2dlMOXNInQ6aF6lPLWFDL2yWb/TJP15tshVoo + KNv91EwBJOeq2ppM3z9LKShoL0ucKuvOZ8+r0YRNThTtjMWgusRtFUSt3q9d54zW + g5hm3a//mT+mNZf/rmZd0zPWd4dL6s6xksZF46VhDTBEWeH52IuK8JX3K144RWLU + vjYJAoGATmu/QxI30oTu5dEaKgfaGgpSP3WFW79dVlDXbrEifsKB9+JAGQrrvysH + fWJszMro2K9ily+V9xXfPI9M6LebRRk1SIZLXYjOsqISl3wBFRsCw64c1j0rVqgs + LHhSmzHOP1o4V8+gvPWJyABUuok1dM/kkwKn4/BsUJWz4AoAUJQ= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAu5LMxXUhGPbTUzz6F6CzaU4X4ebP07nd37DSQUfniIEZuMKq + WMw/K5BfaNFtovgmUGpoy5DxtwnbqyDs7k9HrtXpffeQEyo3Jrw7k/PcFr+x3629 + 0lFUPkbV7q8/PL6YgVhrbAhSVoidPlDXqxVrsSkB9AjJXKhxgdkIeiYt68anzDBU + Lmrpw32ONm+PatOgy8QSBv8Z18NlApCMYw25zLDHkc5mi3ZV6435ArnSFMM5gHjR + d/l1FniVNDya5yzsZAApYLz7RAbHA6JDJj+Uba2Cn4jaHfs27xA8TC8O9mzPBGIG + 
YdVPIFI0QRkmLQFZZNXrUMUhhLbIoFMOljhq/QIDAQABAoIBAB+IIQY8l3DD5WiD + wqMAL8jPCPK/w0YbY7H73ox80u4+jZ1ilBJTW3cuUOuk8SJJRt+T08QMvKWBcb0F + zu6Mw0cfzJ2RZVXjbdwEHpvTjbcBSJyKb3OQmnHRpJr4ONA0VhzASWaiy3yigJR+ + MJMhCbaBZ0OnynnaEyK54lPuYR/WPqT9VLn3s27bdcKY/m+001CM5OXd14g0iEYT + KWeO/YGaTSTA2DwS1APVrcuBrtrU7w37i71otmGcmASA1d4tXSXDICpcaHLzNq4k + 57Fk8c6DXkK0vc+7f/1tyxBeM7VboEn2US6yJzpbogLKSY6GEsreqVE5QoZ6sNlo + T8T4YN0CgYEA3zYxeBuhawZBt7OAIw5nE8D5iEk1t3PNbPdZTTR5abl1qKWvwy/O + omrFoKImWpk1Bh4AuVP/2p88d/OhI2l6cBu2b8EWQZObs2SYUpVkmtqs9AxOqlQ/ + /qR+g5m1xav9hLrJfmg9c8j91aAU1Og1iNx/eSaCz9ky7hz02WbwpcMCgYEA1yBw + 6Z0POC3jaFI2nr7Ta3q9xUeWRv5AdHxwTicoWmDkkc3LwK9OYHZnIYi32OEg5bqp + gJFdCeD2gWCnfqu/SAsHhmvvn6fUF6f4rbThf/EtSwYiH+INk96F5905LJSNac5h + US6ohPVADVY164TkUnNv7rGfkv6mv2S89p/n4D8CgYBIkNvASmtN2fjfefG8c+A6 + 4c+96N8XxwQP2tIjcV3Pa0W/EC517ELnNoMNV+nUJl7AoFxn49EYCBCmhoPqeU4e + yEOlTUapBw3lYlzK7FqKpXD43k9svHsZk+y1Z/FaVDHVRsxe1hC0ZbFwE9zx4pQU + 7GpcvpJkdB5EnxFS5E5z9QKBgBn6Vug/CRl1oSJ12xasYId4GPZ7wI/uIAZxCHbH + j73qOW/J9DLeeI55fda01c6g0QIs2k8mPp/0xI+3BkLrpnuiqVP4MMWM1LXOmN8R + GrICg7+ti+1htNYIZw8qzb6uaa0/OM0+3ya/Hu79XCGGuLOkMP4YAPcVPTmbhp4Z + jTytAoGADu7TH8LCOvUDHJdK1FGL5fNrQP2PUsD4lBSgwwyaMLtGO9Hd6OxV6aYZ + 2oQRg4BiIBOGMbFzw86Ha34hryHIKxMg0VPuYi8HLzkT41Rq3h5H407GPzKRVI+i + vmTosZOkMQXTM6RZrX24KJ2Tu7o47TH9yWFtoP9Gy+pFSX9+Whw= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEAqt4FG1nrHlXEpqpnUBAoZiuzs9DsL6O5xcXpSWcsIgbA96cF + UL3tDXx1wSdDdMZW9SOD8oh2lJ33oKaQWAycG5mky/tSKoL5nBoDIBYMqepPYp4v + XU/C3jNU/mLMuJrnfXBC2kF40xBveIV3mF/wHzwsWg5zZjRy/Ab5fZXmq5xl7+JX + B3he/dr7/wnOGmhI0/H7ePYw/ieETx4bi8r4xa5Uw17KiugUta7jBwmtUxVdt+tt + V2eyY1jvYjvU9RjmNnnyQccVMaRos8WO8+Mt2C4+N7o4kSdQtWz6Qu+abUh4+LGq + 
74VFOvOWd/RdvaKbU/MBFnp9ldW4c5+gh+pd0QIDAQABAoIBAQCFbZSdVC1HZgCH + iZ/dpJB3oH7W1znoxbinGTJgMKIE/DMp8RI0h+uaUWt+5tNFWDDFgvNhrHC1A1pA + 6HDlYQtyfhtzcpEqQ1b6MFHqd21yLlfJke84tbVdYMZpU+u76LMGgGikGOZqI3Z4 + rfjDU3+mVI3p0UkKMcDsz+F50Vns/ZCAYJ66dwnuyViK/Vqoibmo4WStt8oDpwC5 + xbJOTNMwfj1yfHUIIMIB3p+NVB/ecTMGiWzdiSu06A++X5LLQ9A1a4f9yoU6CcNc + mHxyhWlme24P5liLUWDpNKvDlc1w8jcm70/abDsiZEZnwfy2TnQeorlaJ9BmHmRG + 9iSrzX3xAoGBANxum6A28mvharm10xIU0d3qTN5fMPJutrG7lPNkSHvBijGqbjiS + CwPJKsmxdFy+6zi3SwxQUpUPM31gtA6zdeLbnf3Sa73Hl/RHM3hrPlhAI59wWR8y + 77V2MGs5bg1+6MBbXy77cHyUd87Nk5tQwpx8DlNJO1SiJT++7AZNY3ClAoGBAMZw + CbI42KUSaFlGTtogOkUuxVC6cgDZsvC8aXor03UPnoHi6TMFg+kOzupbwz1Jim96 + Kzgo1RwOyAFO5L7QWQwpp0Tjt22AWo2ImViX6VSci1r3epacaRj3L7An3eq4M4fj + C9QZcAMRhkkiL1CeIZuackrnJcQKuxG8412htSS9AoGBANdOXkn+gYkoE4Ozeqfl + mBvG+DAYEIor49z0WQfnQvlGUII0cxZkZ8fZ3SZGY18XyE+MkQxFBHS99VAYfacC + WTotw0MiHcSvyNd8GGUdczbl5yWbqiFUMlkvSRnibYFXHWaNmQod5IB60A86M1v4 + ZS5N6fwlwoLnIbUC+i0pt+BVAoGBAK9+ECUsvvQltmEVm9CuZbofZeNCMGZuISFk + D4g7UBQbzxuheIll3EX1kaqTorQF4Mc77RMKkYXx0JHPmt7h1Y67G7ICDYtq0yqO + XseJ+ZGZrGizqxedlhi9KtCIQWs+olwPwLtAD9621eLBt8R9RM2fJmr1x2F79/r0 + 6MM6qr+lAoGAEGXaI8eAmBezUfv+6kiHg4bO9uK7Dm751evIHH6KAdyJYk7Gi7oj + NkHeH8Q5tOjy03KDPgwkRbQxxY7yUjXL9uZ7+6KRfO1oabF3LYw9ouzGkYgYeDIy + mVGiJIbQYrL691wdPlJaF32yAZvdg2+XiXz0PGY89Bn4k0jsr08cm+4= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA5kz3e9Bsw56t83xczWxbAu4kJNmedxfspYaobdSbyEM85KMs + Lw4Ln8x9gXR7wydc7NKayUpKw5YM/1g8BIeI5V9/1OWgprdXLqUOPLXxEQ05FaA7 + aEm0BlL5PW771C4ZSYSocjr2kz6PTnWTBvhhSU4Q8lnNqteMNvEJ5minw+/f3TWS + n1Vdo4aN74OSH1DsuzpjcxE6nHbrzsq4qeX1U/F3smd1CmemtLGIKB/pYhW7Oogv + KfTpr316tU6Naz+Df6LgtJT18rZ4RjD2wmNNEKuY9zUFYPC0TeVKrouGRmY9WMlI + 
P6Xe2hM2TW53fxbZxQmVIfxQXOQIl3gJK7y2owIDAQABAoIBAQCyBotFHeAF9BLZ + 5qfCcGGGSVqNVeBGhar8ZbSrei+WRku7HlvYYA4iUCwwtz+4oyQVOdRHh/N1b/fK + J4X1pmPvk7w4ce2XEqEFQLhZu/eGy+b1zbA+tMLCJL/genuXEK+hgjfIXcYgGrsi + 1oZ6W+SwivVUspDm4MrV6cxSXVJahgp/4HxGiDsejizs47d6zrUokeQ12VMI+KZg + wCAGlvQkLEr+9SUlKFnzmRQUddVgfrlYMYMT6TxZrYvHlDnmDmuThn+VlKaCXoQJ + DPQeiJsuI5GvTzPwrn73H0e8vaAmik3npLh0AgKnYNyqCdiAYSLzfSesDBx+LcUQ + N0OgqrD5AoGBAOeHOENa2eS44FwGfKEN/EgGIgQgqQP/yN/iUfkkQJKlUww+jAm9 + qZbhNdOqLYf/eQmj+DH8N7qe9+1DyYnVzikuG9fUhAGpz/cuVDumo83zQhGQAdX+ + lwkdsvVDdZYe5DMYKQbOTEWxEIZTyxIiEE/gBnjBefE2RnqS2m5O3GTFAoGBAP6k + iAoRpk9ey6G09KrdtMu4w3mGJ3ehSPDBdhyK8R/IPcv1DniX3FmiI3ugKZUVMlRs + Oj1q9kIlVhnGbvgz2Unvr+Y5n3LpqFpbi3g2MqZ12sMIDcpJE7gWATEpWMmShGhi + N2vpRSZTB8AgK961r4qIfh1tUfl4DSslsoAtXfRHAoGAQnn3tJckUuCmQqX2KMP8 + OK3SHH9IKAbMJUQ1JyS6iaCAXNaknLNhOxoEu3Z0RkUa+qKiw69YTPQR2YUKG9JQ + tFAx3GF/WX7pYF5j/xCUnbCHusUvUcMcmJh3ZqZs36KVAPqh5PtcuPHi/b6XYuh2 + 6Ig5M3jRy2k7CTybDOsFqsUCgYA7c6SDXU2L+GDolzwMbIjai3+v7r9mMdS6ySBP + V60mM3UiGkvPof0DPFS2d1VeBj3i8gXC8ycdmGP6zpZ4Anr3xSs3QDrW9HCm7/qn + DVhT/u4dXNMDaH5fG1wZ40JkhX2+dTflTOglI3uKwrgbXiXm3Sk8q5pY+UtxyHJd + dLob3wKBgBUIdEmk0iwIshqrKBd5k2l9dqNHPVAd3QQrPQpIL8NqgglBgf8NJCQj + gUT3HYyUPkOAp0fnXkO7PdQxC7s5hl5OzVdrQGHa1MWmLP5aWFBb1PZEf4F5+oE4 + skVwsO2ByEiTyhNsIs6mplqgcRuH7MhuavX2QJbNSEy14D7ttfPX + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-14 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0LTvHFu4KjEVUVmN7RrGeBBtj97YGKWm7nAFNce40/iBFCMI + IOP8Qgkk6Fko25izgYt9p2D4I6ipjw+Q6wBX89DnSlJtFh9P7k3ypUIIXcKW8tQC + NuyU8RNjJlmoaYJhImx7OYQ1VAb1qP3ve5yBzjil+OS7Z78lRg+Qg6DskzxdipYj + 8aNiJKygjFzURZ/Cyp40jIKR1GJG3S66FGMwgmDNfqIL/iKJhyYYcwOKPF/v6f9F + OxNigsUMrQmQUtmn70D21GguUKvalyr4rDVPuVmqZR4t6x0Hf7iymAZgNOjXj/z4 + 
GN611vgL5GubdtCSG71o/pjLFoybsGzrCE22oQIDAQABAoIBAF3sHvMfH5j1L8fF + SoaalxhvJC8rtQoaei4xgVa7g6T433XlcgIDN4GsRcy+WxG//YBd+vU5QVIi0/OK + qMfpBqu1pnCe+XKMMtdmgrz2I3e2W2H6IOkAvOJkvCkFDjI1N2tbcHTo12ryGtmr + NXvmadAZVC/XF7NPpQGLfZiO8ggrwGc/d4uP6F49nwBMT6DgzHtUdhjcTCc5d5Hy + I2ZLGEQut7Ym95Qr+YfclnuEBxHFEAWV2tgVDb2MRDGab5gyN+59kngoV3DlOjLN + IGu/azuk8ES+1pmKa0GOy3bBl399WprK26BFBH6ADU1e30RxdkrN3Va9cHN9r4Ns + 9AR+WiUCgYEA0qLLqnWszYza8QF6hZKEBpTnqK6puGRFL/txEGsCjuCBYzCDPgWS + zWLTxDYHx+0J1LjTlzu0RJuJ/jU86Rer4CWe+hXY9cHqqIYz38S1BSDMbTYFgVwY + mCxup9C+61Ktv5HUTcCtAVOyGir6JsUFtUwWZae+rUYt1X3a7hry5OsCgYEA/afG + 38cwZhEa7PjFOt9xNEv+xOZ2gSqOIZJvGwKlsYgehRw2hU8qfCmvUK/rfwqdjaZj + AthoZbU3YOCUSI+ypzSQ+Ys1xtjkxjDPNew3PY7WV8p+c/qdYPFX52cNR+T5miPM + 070KsvsJFORmLMlTil/nhZGyInVXcr8uwQxon6MCgYBBoG06T+2mIWO5wU8uPMcb + 0dsXqEvC4qLX30yL4/tpDrPhdqT9dvkVOtxl/ruP49+zQl7SeMyir59f77Bpo3Fu + peoRWys87s0w8pdI+d24mk53HGS8uDgFeZqEeLpzUVBHJqVyED0W87/C/W7xE2PC + 59D2nTwAeqQfJ1ZF52mUPwKBgQD2NW1fdtuuprnI/OuMaqhaR82iV8T9OU4+ngGE + aTxlpydgsvLk0OP/IwMNwcRHSwmFHdULRP2Ig66eNT8Zc4nIrMhvwEVRnuPo0CXB + RGiWMtgw3NeDQeaS25Akh62ndEUm7cr6V4tUEUFOaygWHtEdBlwXFUWgFt/r/FCo + h5/iGwKBgBCeQBe2fEAS90d1mBIjuQrLhK0JHtqgVFCQ7lbkvqjV0zMsFlaBToi1 + AuYi4GRTa2ztOBLmo/XV2AAd+VELIRrLhG4bu/CUIme6kfNCIWwvcUigSiEDMjIX + crMFoUtaFg976hqVquDntGoghWy1gAxb/M3e089tauCg+jz4PV53 + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-genesis-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAvOGMM03w+KfFtSKF8Eboa66tXZc+NfdRUtX4kLOL77p3nzuH + RFnL/JA4+dnsPzVa57pqqOFuM7R3ieQJUv8H85KsrUkWJHapu8WVJIJB2XVrB7FJ + KpGy/xRK0o3pyI6ZP+/vhd3m6vRz1qhlv6Hp5XB9iFbIonJ3XBGq9C49ljL6cHAy + GLg9pr4bOahGIi7zweINnSznv42uXrHaA9JfHYuK24Nuse6w9AH9x3Q/Iu4kGaM2 + bjrkMdO4dkbrnPhq59KDS4VLChkc2sKFtHDg02IrplgYMF/8r8dioUvicvBTkjV3 + 
1VQkKsVCsXZIMKq5WVQ8UFPROJPiCxbmzyka4wIDAQABAoIBADyn2dQn9XiEuDMB + ES4mN0FNaRMjHLFL6OvHFvmxDwE/SmbyQPAsPhuvXPyvhPSPd8/ux43QRwmHrNO1 + TWE/0RfhRF6pl9jB2qQYQVrmEat5z5M61Zo8C9VqeNTBChCD6qbjsHG23w8YzZJj + pbkyj+BEjauY4vl39Oi2K8Yai2COFR28iR7Q7jCAXlru9hJWaM3IhXB0bAMrOsnS + k9y2MEQMbFXoOWEplauWnn5NPmyLCYAhSZ3qoGNgFAZgGuGeWenlRzN6pRGP7pG/ + JQBe/qrAtI5LF+RcVfLzve5pGtX1bhtsR75uDcOtxoTNin9acQj+JotZOdL8hDSq + dj0hwwECgYEA4tuw0txAOXp0wgGA3fm5SgBQLidjxJQjPUifodGJ5ZaMnXWk82DP + KDoN/EMHC1+ntZ5JX1fe3pROiGTCkkpZt947aKwtBUuIEzy1ha38g2j6mbrBXeKh + G1e433lPhgBlHOg99qdlZ2pYCTMSvFUIbVeyYaAY23PIKl5ao5RXukECgYEA1ST3 + VuyNRDXXKxpDeAD+in4kSUYIPNca9rrG9Bynut5ZGvWpv32O3yX25mF4jex36duI + bkTlM7EfaHqP8BvkWutvDB0rW16CPqfVf+W1pdFd65qt4quAbWgwj3CXXKEOGHaC + VBE6d4rvi6QlCGFgRFNiEp+wt0rvMnEsVEOZpCMCgYAcDHutZowOT0S2ZAcx6tls + ++LuAfLE8Gf3AM6z7Dt3hoi2Q0B00whp+duW0BbD4jzTKNH7ltq4fG/FT2f7PHQh + VrnTtE4QtIkLj9sFv0BUYxtw/HVCDW5L+imif9ZERDI8Q769i27vPWfLI2RyorTb + CBfHGEtaftNF4cqlJQc/wQKBgQCOKq7zgqqjIYpYTJdN9tPRClwnp5edBRkOEvzb + HDXgVah3a/6CJDxkqQzrE352o5BEItL4QenjNbQuWvmg/OmunzSdjuM5eWtEYWvt + eAlWBbUwjiaHdz8dOo6RTlcXSLF/LaS2cBtgWwJ2UNEGqvSr/jX/GBal20x6h7Q6 + rDBRowKBgHA4n8eQRi6/+RBq+oeci8s41KOH+d+6XtmV/Fdd0x18HQ+Bf1VRdxi2 + GvpBCWom0eWF3sZXREQUA9lRNJwswZQ2CoOzTZqtTU2lEKWeOa4v7PdciHYfqRx4 + e59NH4jO3pSpMMW24/lItzHo0aAfVZiHz35WsRxHiFbN48uxqbTf + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-11-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAz8EMYGTcnk95r0ChZIikBeVTdI8QINAKqtsJjls8sKz8Bun7 + SvHJZTBSp3wzHIY75NIYF84W5JJhXEfJPKAjyzIwtQf26Axgjoxp/wayUSgKVgqC + 82qWtDpqB4fJIuDH64lYIRM/L6ZNTa7m3jZEVPC2jMRvLPdGFUfOiQa11K1/aZ95 + gPww4W+6ujRfqmlGPtak/al3vbNwboguBbRSTkHUJ6+9O2Vn/gAD6k7BbgU3mLp7 + eDKMADpvbSKV1+RIBGwBKgIXsg1kuyoyenf2v9eLDa/0XDgea6FAM1aCYziJQSXz + 
aorvMVeWm7ewkYiGLohpo3B3vqVVzKzboVHLlwIDAQABAoIBAA3lvA42sQtmBZ3T + lPhEq7Q5QvvpFgsb35rOTDVZpRWsfK95t3Wr9uzt7pmFlWWzFQ6Zf0MYZi+kGx8x + LiUAEWTmVpvFjJ65NTxT6ENHD2aeZxKaYWgnGS21OqKGUs4iez0mUt7jiraFSWaI + 7KiwuKF1+MAx473+TJHf29EOwdsYITK3CwvWyVGOfr/fSyODbDM8BWn9JRgn/Ndp + W7ZD286+FC1Lj3av9LP18LHS1cuVybiWXeLIli/8pn1Xiv75v5ati0dL5WKgc8N8 + uMlRWRM0XYWQQ/KoEEj643mR6aFEIxqTaNqR5Ieq9KiUOk28ntHwlrMDAOCyCq91 + PLZeWQECgYEA6PQcYb54/Bpoigq/A/J3Wd+rM+7lBRl4l69a7P3GyugW6yIPXqAw + w8HIzIJS024D63vAqyVzB8lt86tvZcFXbOQmFbvG69DkiqvPvuxd76bhQV/IVMT3 + J5fwNHLiJPqAivLrYrRMUM96o7bLqXGXOqLLUfky2ZTZzc7TKNwMapUCgYEA5E65 + ac98XWZWlp7BVBSGfqtNgYY1jW1Gs2jbyXYzexnpVpshfj3PEkEzNRWPGvBhOJZu + OV2U8uVZL36LdcfKmqJPJgJd7zxheKl8TdSEZiGFMb3qziKyxx3InE8Wv1NcLRiX + y7DyDuAGRddSohrd4C9G3Yca0kS4LjXpzh9AvnsCgYEAxge+mNjywF0ywSahexmD + nEMnpt5Okic0/L107kJN2++wi/JIXoiO69qweCnRfyrm6igpgVQ0lUoGzj3OVRIm + 38qTFaarU4wgvEGSORt2P2P92TUzd9x4vo/LAssms4i//V7D+wSKW6gE+WdLep+1 + j4MUlHrjX1PKU8qedv2ZEIECgYEAk2V78SMikI5Most111m1BzyDOncyRc9iENxG + 4Yctb3FoIyDee8ld0dREQiZcELFWoxkDqoePbU3CyZXyZaUKWdEmNkza5mReLW+G + sBzfKazEeDu7xz/BminRZZDuB7HC1d6FydzAOfhKNHbyg3PDAUSkhMr/9vakzjjC + bO/iddcCgYB8yHGF2tiXQppsyzGQDKjg5InX5BQCQ7GaafCm3N7fPX65Yt1y1/Mv + 0PrLOzD5pLHRYSCST5fMWQV5drnLAjC0ZmXKA4Q3qwCVGtEs3bvENP6Ag+h3dJCS + uVmX5frTsSul8hPIUzEJ7B/CQ5pzXAQhymOkRyGplvfA52VVqNBOAg== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-12-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEApZphvIQa6MCRwRi3vaRr5vdRId/CZYUBCYNm5pz8OT6ud7Ig + iOD8J/S9ein+efRBC4i9sPQfMV92736IBGyplYPGeMBP0/4c8SP8O3tU9JWYYJ6d + P8nuk0DchTsfx1WNEzYZ66k6uZpIIWXfzLkmr33jiLCYoJq3hQZerqp73GatAzjx + XC6sq0VYzvmQt9AAZMuOM3u9r/w/QkSeyRrlIUhxoCALPSzZ0Epq16w3GVpdi2bp + TQcjGVmnuOVUUk9iXDklrpDWD9gb0RFf2EDSVRdP4HE3N1ExYgwHUo/NjYa0FVwC + 
OWH0CRQHJcjiDHus4gzGq2liZZWygsEYWIEbfwIDAQABAoIBAHEPOGDi9BgpuJjT + TkZr5br26G4u/OIgbvfWvT7+uHhAog5YDzxEFgMVZPLtjq4mIu5D+fXAhTdJDMMv + aJ9UrGbGY473BMkfuRSs07ysU/Dz3OdCAuuU6ougAa34EpcdgkY2bnXkwJIMkegz + TBrR4WZ4lQoyPtGPL3HjSmsHO67ZVTdoFyxGb2bh2lriYSNr/7bYh3579+qHe2n2 + n0b5ArADUVP9rWg6kfPvf47L0JPrK4vONG5CpyWZY1EYuauVrcUzZzF8Z3b2Y68I + AUn1NyyYspTSrflWiKDQ7DDZzNEvoU1rKL0cL1auyD/Ru2/OiYtPuwiJfi9l+BX7 + 0AeRKBkCgYEA1cwIJ444bL8fJ5tWTxs2EuVaEUTohJkHwf01IT4mz+wKyFef8Rsk + FUgG8TeLr0Hpl4HlbbOZ3BSoJsDVkDR5QrLOpTl7vU93fcd3BUXc+CfRja6jIWiw + 2Zjf8PWkVr1JUzuDDYFQj/feX9pubeaA9imOcwnr6F3k3zY2/fgkyUMCgYEAxkrt + oBBJ3dMMFsxWHL+yUt4gy3o91/C7kk+morfWZUULNldGAMaHhbB+uwP9OICMbdED + Me/uRI0HjQb7sje8Zzjay/Q8LN3MbNLseT1Y+BWkplPaQZDI5caiaMcW1eIPVBAg + FeWW0imPU/ZHjFYHef+iQwlobbqzUTVA1pum8xUCgYEAh5TpgvQ9MjGN91caR/Zw + t1D9akAx2I0Xj10dSWSZxnfhaqWvB373xgs0Y9qe2djJ40v8DDK+mwP6kwDtLpMo + ZzTvuXYX07lGhNxuzUg91p2h1eDvEOvMY2IAelW9D0jg7EisVm8wgOxm+JCUQVvR + Ysp9zNR455ZL44YFH9Ayu/MCgYAPTDiI4LjSJDYKjDkYfrGDMx/Uktmyjx/pabux + Uf14UptK1fDQnoBWEAe25dfjRAeRcU6Ny7TWFQtAFgnU9ffS/s/ibDU4QOREgQE9 + WT5D5WeObWmpJUJad7iP3MwmNAp6scPH7K52CD7Ge3mJmhl5j/80rMUhsgWjfjhC + Vj/LAQKBgCrXRyIGBi4DkdgQEmphl9mygnji0ciiSRTve8HebjhTPibOPHghM1do + wR6Xw0+bN6pTWxosD/Nm+09vKQfuUYOupihWowBgzuaBp+bTcfNJ3UW1AEbZF5+X + 5Cqfvu1t5483Pu/LYU5c1Dp7SmX6un39Nbm08DQeWsPhb+oe7Gkx + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-13-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEAylYLmx/W2AdS0lFbcyEsZEIBP3eGwMDxkasVNplLJPFxpCI2 + Rt4YoWSxbyXWtPM9zBDx6odEDVDOkDHcTPfgu7ZxbSN6fqIMAX4+1F4QLFxLdSK6 + QRjsA7an/N0Or7fyuioW0nERH2k4kLXDuk4hZo6zgaeG6Wr+AqX0H66Y0ZqiBRwt + LZuFWwp7JbimyawyGzSaPITv8UxPGhWXmsi4w2baFloTeINJR2V/XzZKB80ucbA7 + NvGmReU5afSAUZbhLMXwwcimFisK/DRU83GyW7fh1JGSubXJtr/S/b2vfuPx1e0P + 
Sc4A5tIzmQ/w4kxPUxiNdqdWslXu80rhQFDNWwIDAQABAoIBAHo6fIxbMYgS9H9E + 0n+8HHr8PJDAfdDXPZcHyKrQ88n/aO0EFdG9vRdSIrXIH+nzvvMVkW5iBEQe+om0 + 9SYx37rFvcN2WTtCXQpR31ae9Bo4LwU101ob2gdsQhLI32RbNPAtGNhLoVJeV+Nj + Sjezlw3DSsEaGK/NCGFFKzIwYPTM5vy10CK/miBwyS97qeQgj6ayxlfhxLVCCXpT + xcMS3X7ckYgnif32CaN9N4GR5GEULnL6Bk8QWFmQSK3+Ow3h8OU01b+8cdG62URO + SFCYylttzI7GNJGYNYolveFngUtxpQ+J8KUXoeNLRhexe4K0wLOm50GCApkJ5jS7 + OhBMwwECgYEA949PWaqGiUPCOye+eFiLBJ/91xBQPpsv0Pc/sLmS5c6bq7g3gcdW + nEY4lg/UTqpikJAYUKunklVZG7qGqEMOjmUIU4apWRkvuFq6sWfvokALFYf93rwJ + CiQmFH5OGegbsdkCXTg3pojTXNtJ4y/rpWuASxA3G1Ywbe0R29xJBUECgYEA0TwG + cr87pb1vECCAcDffzhUlvIVmpbqu2IGmJDABGCWtp07ursfYWF0yr4+mBTnmaQSz + xwzUoNCI/2U6pm8OAI9/rIoWVBL5xwDeXdUwzS5CENM2gJx0qlkYGFU3DTWCqBZf + 4FWwOYaBct6tRFXryHYxE9psHl8NmLnBlW/H35sCgYEA16btlsynufdewa1TjP6E + y5ibxbceUAtb0gswXkCqKKqcjTBCmjkNx8CcFozfg0+F4SzFIbEGnsDeiPspxnXz + vjNg13IdH9KC8XOH4ncKFyr2/OCkVF00+rKWwY9tdb/uMDU8i/wm7lmO1frpGJFs + E4PcFIehmZyxP3Ee94mjyoECgYEAyM2Cor1E0VtsK14F5ay57V3+SV79lDAFfWNv + v2sSocoHTnpCNxs0Vhmbe0GxY3Kd3kvU/UMjDPMVh4XvM6uBFKijL0OXCjjr3kDH + J+ZiX4f1f5A0zllY3eODbFbb7qFcM1TFztZtuceMlGGAiASttEU59IO7H6q5sckU + MAaHG+ECgYEAqpZMMAJewpAR9aYjJOdSzDUXHuDNyCDUJ54CJP4CV7rc8yJVcG27 + Yl/3HKCbZl0sjVa6MBMvXEgdm3j2qZyclS22Y+Wj/hYIdFRmN0SNrQopi6JJdpj9 + aslSd/TuwBouFfSIsx0DAaIgZ67n74uaoXCD4Z2yL0GPOG/vR3+vZ6M= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: kubernetes-etcd-cab23-r720-14-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0aFLJ2UNZVNjZC3YGCrFBVWwMv1qAHXUITHTPfq8AhMgNV6x + 0sv6/ZSWmiwz5zlFGf/m8ZBpHBrAA8dbEy0oL2jYSHAKlshP8PJwFtrn0b24AF15 + TEdDkKvAyA+6941GW811n7Ne1RK2OylrSEkfChbyxAK+R/nJInxewPZGNYEO9ruN + nzx7bNaLUULQg/Zd++rZrk9QEndr4vyHhqG++k05VsILCnjwKd/rAh5Uf3uQ6xrp + 2TME9WdoDimkQww8P9Qi8SxuGHfTYM6iMZVgZo7jN6m+rvw6P2RB9yEYWYgtE6mo + 
T1HL2jfyGE6ynW6I6h5ZcEw9s0ZMmkm8VP5R1QIDAQABAoIBAFuHiG/4AGRYh5Ir + LipHKmVM57UrzsfKqsefoLN0MfjZ7vs+kHgQ1lM4OJWybSstZ02V3Xll6275AxPj + TJHP6rbgmWbvfMAfUEBNKsHf7M44fwmxxo+Wohqd03vG2oTSK4FT8WK8h9CS7fxg + 9lXGj4XxRShuZjS5DKhBE4I/RaKAH9NVNdy549RkFLp7u+TXvHa1+Th14My32FKI + kTE9AShEtK6hJTEwMS6oj+q5TmCRinr4UGSTPQCAbDI3gJelzudZD/IP7e1ieZUi + tFJt7W34PFFaH85ctSBaM7yV/wHc01ZV0teE8lROmTDXsrmSQITGYyvl0Co48n/M + LtOgCDUCgYEA3eWrX3dTL7GbRv8quyue4Fj7HM7O8vWGXZ51wOqc8ZyahshMjwic + jIN5Xen4uPonf5C7W55viVCK6NuSWjU8chRtFrDk4mJKtooh50nSxcl5erWcsYI1 + 35EjmoSlCVuDt0NGPLSG8KgV61lTKKxmY48Go3dR3Jeg/xcGzORJdIsCgYEA8dj8 + s8wR+pgnVVTj4MVo/LKUafsuOZKiVhzL85WjZAd3H8eQp/UuM0vZDOiKlYltMpog + eLk292IlADdcsT1pYoG3oARXCnqLj0QWCuJxnSV3AqqXh9xjIDTtlhxulsgEyhig + 9fKzgfHYVKx9z4PS58TUmIJ5iIjFuhQ9chOhPx8CgYEAl34AhRnLMkmYUF1PCCAc + xOAa+Kz8vwT/KhVQIVhLs+yN1y0Sj6h6cLgl+QcO5wLqSn4+W6uMTHwvihC2F143 + GU92tsIoUaJ3ja46vVQ6UQxfInaxNsNGEo9ddlXO8teG0mxcnH9HjS/EXzxJuQAS + my//gUSqH+dpZB6NZv8IY0cCgYAP/0lf3zzFNbFMXKwiHwy9wlY82GeLWV6xkYAQ + IbLIGBJSINI5uecPb5Hw36TjFU8KzNUfBylSncRSylawRp6k7G2oAQF86PQ4Ssmm + eKoJOgQwQfZ5/yLza2zXxBOwl5RxhcWH30DudH/ZwfskcdTOjd9+IwtE878YeuRB + mnjNAwKBgB/kr7JqebwbFu0XlQfxWHDatGpTpZgBmXBA/G+C8aMGx2dUZh0IaPvk + oRo1HX6uH2hinDRiO/zT2LnLi0vVLveUPubKuBY6Du//OWzgCpvtpUW1SGW0Ep/G + 3FNDSN7oLvRWVVsiI4DPMVyGMf2EKx5bTppV5wN3ug05oBqEdHK7 + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-anchor + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAzIBBHokambstYR9N7j8qHGDYmAKsOdEDiwbOJhbp60bTSkwB + 9GCRuhz/wcQ+rcjn5XONPzF6EFzYiEmBgDHfv3EIlj6h1Loupsc9//nYXbuD+EtI + N5c/JAhHca3LENOOWcHNylwqcoy7Wif984l+yuxaclQzhwS0A3nr2lzqwiZrugYL + q0fWIK1WcX8O/b3DdB+ukKa+YKmdhaKo4U70vzEtT4nG818l2/v3DeSJEXcbEavz + wZXNoRtPmAzDEx3KSMp15Jdn9XbcEGDXnuog3pYdbUSXAqNLz+yPVzCyyaV2oPuY + z+UPw7+qhrZaG1sW74UuAfM7311woVoeJ/fYSwIDAQABAoIBACQthFeslaIgtPR7 + 
n0PItOB0WZz6zBEmYuQTfiDK6PMQgoygSbA77UvpmW1kFFqWMkArYw+M5zVB16S0 + rE5LhHPPwV8jEWoazen/UX6ZaqeaZsxkNRBwl2D+ffUkc8o0QviqCogEKhY9w189 + t/V/m4i2q4GSV9NJB7eduBXXXkieRnXGMRlAPeCMlGw9y21yb9HbWURdhlKYf9bf + WFXuFmiAoAbonNAUvdYMqOCXa0QZ1/APp5xgIi5GCBG6mOLhRd5i5jffS6aKIc/L + Dx8ejoQbMX0IbHev9cVLxlku1K1w1/+GrTEBXanyxMwMeDWwkd0mGc58GHSpu5KK + GOAphBECgYEA5/kHM5T0CxrqsFuetz9EqC0ZIFMf/IJeElzFwJc7bHKOodtFjI5O + uFiGbjzdNfo0JpAHWVTcfUe4fn8xemhptHKUKIhtybZ3wA1HoSjK1iLgl8tSTNqm + W14Ip5nhOPf4jVy1iaC/A3b68iF9YUiCohSdYbxmP3z76XQMaUN/t2cCgYEA4a7J + bze6OJyxGHGX7Sgbz5+hZxN3xYfxUENVTqA5gNK6d9tpdjeh8HoWCdOgp2eFddr9 + PbsGzcG7tHEp1RDBZ8M0vkMXCXjaGE3jOmNFzuRMmt5y2ktlQkqNlCqJxWqSEuby + cnbxFaIIiOeOo1529ZcH+FTJ0ZNlMCyasRbCfX0CgYEAniXhCwGZ/5gyOFm+MyAn + JqDYaHlDbVtT1yD4kPyJvr27EA31tIWwlW2E+NL13T7fHwtCd1yrlZ234kXE7bcR + mbwj1h5s+wAzU/O5yd2Nq7/LbrFnQo4urEvHirwWGEi2Y2m5OkMk9q+/FiRO3mwY + 43c6dM+ExfPnqpk7fOhPwjECgYBexIbRrRUFsMas/QZPEAidpuqf3gztZahvi9bG + rYF4FwU2T2x5t+LImHuopLVRlqb0VoEA6whwXmnz25E1Z1PPvqjnPETwNU9f5VUF + r6ogtr10SvTvtblPnP7WuQYhYB720QP+DPQvoVr0IkhDUeeiOUmffftBhiN3l0Ne + GbCSAQKBgQDPThg21/9XobYyIsGLiUVIWMtUkgBI7oX3rC34Id1S4VQokPpTsdr8 + OvzVSpIA6x5FRuyngO0NepS3nBhS8AsJ6Cy+bT54Rcar7ZAB4zq8JHyNNnfgKSkZ + 8ICNBzqv/wvfxiwqM0Xbqx2RmmaGUytik6wccPDI8+PJHdcfmuU6Yg== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-11 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAwHrcniIZIlEW/bb00mpTU1AnlpR+i+DkIEEFEpuxUsotI9Oo + 0iZ9JqxkwXWYnYVKtZySwOSRmU0QLDmPQnG382iAOR23ge4/5Ef/ysmnewcxJMA2 + +BXCgYTAKLqX/xjh3ALFkcmXElluScU54SSeiD7SxGvormacblluNYOnkah2b2i5 + yu+sre12HqBraEVeBORt9ALnBgwTiRdDib5F5dx3mIj15XZI+hZf9N8O+kVYMePI + m8spo6HL8XxIQVLARL8j7UknEB/pFd+GXcTFdiws42+buTDTPhghrCfqCxOXkyv7 + 2pfiDjseRN46rKv6AkaPcQ/W0DSOJow35Js5rwIDAQABAoIBAAXtQpHT9vYpjQ2u + 
7ob0IzCzjSSD2gmwmRWtKtzR0nn8I7uwrsgZy0y/jjKuzk47ZnuFILez0g/oYZEb + DKA9JC7ojtozYg0sKud6mBPEddXB+O9qw8aL1Ptr/QbECB4gxAOkSjUdAfvcqRq4 + afnWyNLlLFREBlwoaLS1KEGZljVT7uRUpAIEQvcoWV+JNXfYh/VpKrTf7lgz/OrP + tCBcCLIzBWasmF4V7zr/IOAkwPhenpU/64BaPhrCLBrzG2+fWBu80oTrMvUcsbX/ + 7pe0EWdxLAgOUGIhfxNLH+BI2dP/ViEm7KAc/yp5PFxLUCr1Nq28tRWe4VdFYH30 + 5TKBaCECgYEAyMBl8rBJ1nB+nI7uaC1m9fO8b4ueJ9eSPue9hpb+KrFOIKbujv1+ + +XA/QVpA5qQm9ksJMpwWMbzrgyv5JAV1l43mCUVQ2KLL6yzKLT0BLUABcz+pnSHG + AJrAzp9Gxq2oRrDoUmV+UV2d8NvcnJ0mcvagl3lR+2+xNFIBDctfJscCgYEA9XOz + Uk+j769wTggjCvYcl4T2QB13Xf24W0CbE/cLEoyhrDsucLb14Anr8MYM4/Gy8IHP + lLIaJK6bBuqnoLdTK+AV9qlGNonJ3Zm3JOib39JiGiZkw+0wUKKN+pQEpOgN7qIx + rSGsz+65O+6Aq7oY+6JvD8aGbLzGXLSnLjvqzdkCgYAxSiP92VDXyNkdYW6hv3wH + KWf7z0DusVwj+8wp7orLOqtfEv2BuDXj0q6FQj6rImS6liPU/EPqxGLi2voZ4QlF + Q77WSeGWvynoPSAKyW6viIaSoG/pt7Ag1949HRhIkby+VpNEH81K9vxfdewNu/wD + wBAgANajMIJGwVem5mcfYwKBgH6fdoXjAe53chc/SVyxRGTCOgsvaFH7vuyMcrQl + APhLxmfEjBunt0YhuC8Y7LN3D9nVDdJm4ufDj8RMr7dQe76ptoruHoOqJ5KDZyDK + Qwd/UA6vedI9fWxLv7TiQVcVQ4K0962aLr2CKNsLGiP9OEAwNt1LjDNyW16d75UB + YgtZAoGAICTLqhf8RkAERBleamUSKEllAjNCSA9bbnlemrzaOSSqG+T0pCpxzgl7 + eeJyuzH5kVPK8+dgwhXUCXZWSwfkgsSEEhO/wbs0B146qIzbFimHatxv9PriO58k + bcNignOln4zvOjQKp0xjHOjGCxVk/LACagYiYDi7r4i+AlP2MrM= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-12 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA1aGtMyzbcs9e+HtoSZTCdJvuLjAKapSoqOuQVXRtFLdXxpRb + PtNuaT0T0ZtXnommz8JtQga9m/c99ERSxzpI6eKUoIRIC8AeQb4+eo5NhzQbBDHX + 4uz1fD4uDOYByCAijmMvCtGatunkU/9sDWzB9aoeUZc6/EhvBU0qLKbd6Ln/aCw+ + ma3ryxwOnIQ3Tgo7U3B+KSGlw/OKeLSexd14Yv4A/+wiSNWfJ69Hr1hkj99yFT83 + bz8yJuEt9JpOBTtq+u8k8hVVsXF/K8w1lzxSwxAQZLglVjfsbXhZRW/kh3pzPzUC + r5VgL2VqwaJISg5z5KGK8B05BOZuYe814Ph8EQIDAQABAoIBAQCeB9t339b2NzCp + 
36BlzgWK/U5UHHWYIiAh1SAQFvAaQwZLf7N/5ifm8aeXhrJqNKmRRuJL1XCtz1el + OmWBuzv0yAfqNfCVwKihOXo+bsYrHgBeOgDZfTCbl+O45uyqfhsR+YzzE9q/NIYT + HP9xbuKMOCv1b0nTFkIKSerI3SeK37GBx88K3q0GIYQBjk1NLZiWauCdcLhQkMKI + qY6L2C4ULWFyypTEFlzFKDtG93G+hHx2rQRKbXD9fsckrvd7xzi0qGMoy6Pn2KRx + z74a5sYCbtOUg2ZmoZ4Pmf8s0bL3YyYYe9tvgixT8RgpiUBiVKeXmKjhuagusBnY + RpH4nUoBAoGBANlAUn00kkyn9lf7CA5LZOiR5voQol0QU9fCbs1wBO4imoNGGxGd + KpUZ4HAvHjYK2llZx2TUanVDZff7YH6dwobXKHDG44jE1+8ZZ9YZnOmLyuLg110b + myJrEkrwZeBlHix9XzdZuwnwPJs8/cLnJvgBJ6WcI/zgK3dckXLJHALNAoGBAPu8 + FCHze6SwKo9pdPwWGuaW78tcKle72xO9TlAfvNwj2wM3eNG71MWkVwjuTSVHZRoc + EqHQz1rTAdxlwt7ksOIiP+dHKqLqQJ20KlRzdVS4mLSCkukgYPJNzeYUZp3a73fz + 14w/OPxnOHYoX7HvYcVULrLVZX8u6OGvhhfshcZVAoGAQYopGIKSnDOTmqktnfpa + v9q8PrZj9QVm9dE/UhS4OAsSaAXvRpoObZq33cApMg6GHqx5/c4jK6sgiPY5/xii + xcEE/zjRDcKsjgIxFCL39nDozRcdgYZBf9mjVB4/7bkzqCJOZklYpr/l2MNGntTT + KcBXcJuxM6mBE2pGqsVHAQUCgYAkVEZLiAoGAG6D9+IsJzyGnq3ImWp68t9w/9b3 + dT0aQApxcmX7TrIsO8VbwphbkuwiUn7V336tStpv5jezVym32N2EER80F75vg/q/ + 6VG7glB3bIirIEMddOEMHVGZ4mjA1O38jXs54eOiGb2FvlhL1BRRNr7JFgoB2ATw + GvBLaQKBgBCYjJigJsw0h240ExM1ORMZe8b8BwVFZTLld9PgNAHb3uojUB4LpCni + khgsquNvEmYfsxm1cts0td+aNii94V1O5d7WK2G+vscvpVbhmV+mHhOZ0ENEqjnP + sxjgwIBlDdgzKa+EdqrfF8rfptPGRSod4ZSH06VohluO2+SIPpKZ + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-13 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA5rojKThztgVxlJOnvq/xSQF/hQEY5ek9Lc4rS1ZFUOqH0ttH + A1iQuwfAnB4P21BmOuUgN+1fBg9UbGFIvOd7KrjqKVIwS49klO/7c6gV4cUn5Ibl + SmMVrOkNHUuMzIxBrEuuHUQ8AlYJXyFIMAhMfzwhPFy1CrYNKDJKxxnuIYggZ/IQ + o64l4DzUwDOL/kPEAM1tw+PXUyYnwi68tJJql/ISiAIGJOlhFRjYbFjvixO1xTkn + S4OUUw3ImBTv4cMuAyyC5pjg9bdlIbAiEYa+3ocU6JVLOXEhfP6XuAXM+c2RuJhV + KFSVQzSa4FNRvgHjogARAqkv7dYkjO+MCaAfqQIDAQABAoIBACoWnGFhleIHXi+/ + 
O6NSTw6FQnDNwW/3OxzG9ijZBO38ymgRbgPTPRuRD3arGTNlmDB4KYdqOqJNW5Yl + rPIgu9wQPU7qWjr+Xle460Kuz8cOgvdyEBOgvYx8OtM0O+v4TeaTK6DVGKlIbo82 + 8AcrDGFNY7ayJqhci0vg2Lk3JrRg2vPB8hijVk+T2dSUlWz62DLnYNUGOMei3aV/ + 5vMHf5LCZjmfdrlIAXnIn9YKz7wLD9P/l075r220pD0FidunpLiuE5i2Jb4KijPb + v84RoxtFxEEGAHQ6P0Di+LcmSakSNCP6pl7XNoD8HzvbIizaSepicYmVbx6zhtRS + Wz+f3vECgYEA9fKJSOvvKOW4Hw1NFpkiEjdFsab5DEach3NGduDUyc0Lw5zb+WKc + HXcljbGHkSNJw41CPGlExijIE7yIBpA+6UqbFOQNoTjt1IBIT0lzzU24RYdfUNVb + FAV94ThJCa5n80LMhuaZz8fTwfxlkaZj29JkS2YJNelYfHKPGNk03UUCgYEA8ChY + BDLi9tWu+LbaVpyQ09GiNS1RoCkW7cDm2Y+tue057ckr/tL9I7cWe49bEC89Y8uU + xbKUJsQxJozAxx3grn9VcbgSoz4ZJ3sj8wjMRl2W0tTyMZckhJaGvRd+5yeYpKUP + fJiXmlRI92JC4+rlTNAM7Fk3JE57hnyj05KDJRUCgYEAmMql8wFvwE6GBfRzcZiM + jBh+WZFLow6y64r3uZ6PUxbpOgrWtaVHKx7723zwpX/wsWWuQm17ZkerlGdJchpm + mvPYSDAtL314cs2HHoqZQHAKDFe/JS6GuHd47lPTPAp3Va6n9R6Ja4XOzfKI/uUJ + oGSiHh0zl6Rxbk6VC3DU4KkCgYEAn0SyMn6o5LgL5SgnHr+QkNl7MLcQZh459Y0z + y98sgJyiCV+cDNBSTwhSIbmN0+rwVKmjzYTEGf2M9xrrkmHvKuqJePRxb890ESnq + SnhwOM5Cgyn0QQ0Si9fkHa1iXNx2r+JDpgbwq8nv5hhFci/KyClGGMyF9E8UPrmU + UHDfBo0CgYAZDQ2uQa3tOQdlpIgFwTLGJhrfQ11rbEYO/RYboylDgh4vgaNKegk9 + nYACWzhNl80bFhAuf9vdy+1JTOzDW+ktx1daHPpIhDKa8Ckt5RcB16uxbhyh3sa7 + ZIqFu70qPXtTRCW5BFcWzIRjD5vpZb5VE41S/g/Mql0AcgitnjXCjw== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-14 + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEA0vHSu8hP7kVfeRaAMNQgallSklYVrR23SKoZcWNV2tTjrkVv + 4ET8jVR6NXgEQNBO+3oQKveDAvxaDmKP9iNHyHZtLiSIQLk7wc4yHaqZK0klzX4B + kP6vshDzVbXhZMtgSLLOvZLfj9InUHmsDdVn4YBAZh0Bwb2RlITnz2Wxlisx6Ym9 + Cw/ZtKcghGdfLg70PM1UVwz2MQ7/O+FuB/jlMnnAxq63eS617OVfmXGEE1DVcool + JCeZhmdyp+I/eJdsubBAUAVIstxl/sF7mvItuwOCQLMuknzwEfzJBbLUjlRa9M5J + RZLUxWVT8vRJYoEB0KAaYuvQJvP6VPIUMogvwQIDAQABAoIBAF80y8L7LrBA2U1i + 
jWr8YsD9HZp0hgYDUnTWaPNXPSmuSjCeoFbdbAsxpJK7X1gNbIht2Bw8aAIR+Wdi + rs0NsVlVsgNQc7qan9DiCpZ/J/B0bD5p77UMbin1Io59r4P5krRdF5hSUNqtpBbb + Q39e4SrS4r3zu5ZAxBL/RUzC/jri5CUfs2Hiyj/IWh593vgyN6EjurkB17KHFN+n + 4Id0/xcc85P87Vz505D+Hg/x1HqqJh9eOlmlglv8LdL+Jn0fN49m6SwX4hudhNUp + iWQyAjS4HsWoFPt2Sd/QZ4ackM+IFcumF7+2JaBF/FTNKVT46y0nxcMA4fFFQ7v2 + QXWUfAECgYEA7r3qerIzwCjZVtst/H4KFpbHxH9iMqeeFKKbxUPpiTbiyc9wr/qc + 9T50jdGSXVwNZrF+n5XkbD9b97DeOUms8TtkDcUGhmzKs7uGtqxLcfJy4QGaTICG + 6nMBMDuxMziBsO/O+8jjXZwBJrD7STK0GaGesU4jpG6r+ECAxPiJ9SECgYEA4jGA + AtDdllWlSL/SaCXuI80YUWi5njSgRZ1gaxJWiBP2EyniwLmcVTDEamPd1QBxX8Sm + qUZtywG7jhTz7kSJxJPjJAC8AuuwvdQDKE8P65y3i9Pq5Qi3IiM+LNivIQ2ZfxXd + ziIu5UpM2M5dyxI1IGv6m8hqRoOFF/ULCnT+RqECgYAGTVkdOAsJrYpfMpX6LlGR + 2xUW6M3szGPt44T9JhfKGXrPHPy6iIEQMD/fZoLYmA96gID5MXnAKcQBu9eB56H7 + FDhF7MeJUOHg8LhTpiSvs1i4+9PY5SOqmLKVVV4OHhW+V/Y8y0bFN9MH9HANtJrw + ekW4JHnoY0uC2CEOEgmCQQKBgBCLwmtyT+NBXJfXwFJyA9uGkzLRUFKsUtUE0BrE + +qN1oliAhd/HNBJfQN7vczizkZeJ0Q8s4bcp50hbbASP6uwATWtCyn4EM6ePLLP0 + JJv9mMeXtuUOICdVIKUzLIxkbEgJl3IOuhN3vetWHTJPoKdAftKKdIu37zJzcF1R + dZBBAoGALfbLN/9/n4RQwr4BPOHIuEv33V5FAACFLhGbQS2rm1G/Srj4179+6sXm + kn0fHGHjUsYrcOLOnL/V0/zdqhWCDO28rR9Wqg9yux+Jr6DBhSZ/OIp9i4PBPjTv + qLQHZLtGa+HEQg9V5QXCBWcq0Yksr3jVLKLpw5G/g9EuI9A8lFk= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-node + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAs+MkCy4TqaV8sT0o8qAKBdTQCNnXyaKcg/8XWSrQLFZppKIS + UR7CMerxS8DDlbbh3Qi6n5YV8HwJMEK6VRkI9WCCBHU8srZ36rQmhYkMSaxb/QaP + EwqMUEL3d45oKlAXBG6I2QDMCkdUd955aHfr3Ms5+WphE8ggNIqbziN9W3pMwHht + hHAk7TQz95jItkhkXoKWWJcPf6RT3DsEvmFWQT5rlmF71H1McSDazKx9gzvs78cB + +pdAHOSmnwdLwT/Yef1Fz0J1WBZikBq7HqZvPUZSk5voqIeYOU/CLGvIHSz9RT7K + jgGxqNbrCRHsF8SSoyXDq5duBoMNKlKif4yS/wIDAQABAoIBAFvt9HmSLpI/9B1P + uCFmEDkyrK4ZReHRrFL4hiIXcxN1hb+Q4/N42J1SB8ZC2LEmKP8get8bgFLJ0JhN + 
QZRDmwRrMYa9sytRfK8BKb6Mby8nWktQksWUWmiaEIWUzT7ydxDYvC7J7XxDP7OS + ilENGAhaA2KnLr1BRNQVEdKi6GlalnreXq5eK8tW/21Pp0Yqj2sSYGbwHEfMl4Dx + DcWOwfb6RoqDgDv6sjBr9gIvz5s19O8f5WIFycsVAOEtbDRlTjciHTv5v0D/Hr87 + 3Eusu3eQEruwP7eL38SQ5Pm5gTY5+6pffSc/BLEUvpdFNtmPUO1uI4FS3nRW38XM + SVQefuECgYEA7QXs1saVPPY1uZnpi71Bv7XVNgwItdYedNmAm/WUUKI2hJzGf3WM + SeOB9gJ74W0iB5srLq79XJ6qPEw5KfxvfjID3JtauPhBMRZJVG3vfEw6diraySYf + /JjeWKeo8vurmTqHT1oGYSyos5td4/O4BjKpjifx+GXozzhHzO5seWsCgYEAwkol + pEfM8pfbBWK8gMXkNEkGz30DPg3cle0L7kCmEuCUp81ZOs7SU8QG2+BP19YYy0XV + usKKyUi7aMcvQaTh8Y9snNuNhDf54nQUo1Kwt+Zo8VLul4QHPhDEvxOWBLzEywOR + mmYPtUH8gUQIID4scwa8OY3e4Uk9uQh7yHKFjb0CgYEA2JFGYsPVznrEgg6Alz7Y + 2XsiEh0SxFqdP3UQju/nkXl1yNuafxF/mm+26npAiKv3oO2FmkUnmL4cm7WlsZhG + ow69+o80aLfkkR5k6DD+1hqsfBYSDCK6rUlcN7MRqtqLYxlYUwfVtmpgxqMaOdMR + fRBDXnFfJPCwtM4exL/A+3sCgYBjXGAbv8yEVDziaDhW8t1eD+q3ugsqdRRWaEAt + vEoyZUAhANedR6AwzpNjZzft/cP4UOKY/FzVy6hsUVFNlPEoBF1barzY3Xeh5BOZ + 4vQVWHRa1jrGqfK6PwEfZvjVu2Q5Hr4b5A4seG6V/SDavHEm8k7YcEGHnVk/g6Mq + Q8chUQKBgG/Lv0yd9BbKCAKITvdDHwuMS9NY+CwW4YkkHKHpkZQYbNj47mJWD3TK + F5Vf6dUoRChuNfHLkqFKhiKkKg3tZ8Jj0eEikhc3xxvpbQpWdZ1yusq7otWM71x2 + iBjofYw+aEvPF2Z9vgqFTWhTsNGKdsIGd4PeUZm88Z5q8YJOrZ6a + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-11-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEArtsW8p3xVyF8+55/WDiJEmcugXGvgs01PsxqMsFKygrGOy+U + wvEAQ64GOaEPajOT5qmLGpk8tZjhLUKt4HThNRvzGjcNmz7xLKvM+Kdo7CVmaGRE + uYOSHkMKc0N8bM5KIxkGaXrQCVDtvMSsAnjdgBzM8H5bLFwNFepTBsYXPMcxXS44 + b/hmnYnGYco8kvl8zkre9+SU1RX0by62DesuU0pc/9yHhVcS6LXVi/DAUU4S8Xaj + 1QiSaFesJBb3FOqCncQdW6kw6184QsC41ZD8MCzvUhx66+NgzVU6CZMcspEQ5qMJ + 6C+56krwLKIVSvWpuSgMbzEPvEkWwNsM++9soQIDAQABAoIBAFSd+63vVxKGRzhx + DElCGrtIKY5E2N2gtuqr+5ySQ8IgkqujrAbmn+0gsyyCT7ZiPWm7lHCLxYBP+nBv + 
uztK9I1B+FQwXipJvGaUwT13rmPQ+Yz9MPDhxf1VDiKXfwgckG4JtzumTjSj8FiQ + iHktymssBNVBIJgH9+EqI4G8rRQguFqEMoKTxVfLEt5F+dkhDDkNls+lR8VPLuDy + M80SQm0wEdqQwZXyNaWWPkLpnX3PDtFQOju/JbFgQKZLRIHxQX8v30SCBbL2vdxp + FoFshWjvlgDMyiblNJufDwc95EOxdRJTJ0ecQbVNu/ia3d2qh+uRjT25y4hTeWJK + BBg/Lj0CgYEA2fTcEZS8Xg7JIEBT4tifDiTpffA1jymNHhjgeYZJsKJjG6MoDJAq + lgPX21dkNH1YUMvI1P4DKiOMlLwBimwBHpGkfecK/qPe64ByzA9CtI+pGNU3VEnT + /MyjQJpMUqe1CUt0Wzqd0NURBwWhmG6MBuU7rUaEORVGMPUaHZ34ARMCgYEAzWBT + Rggm/ZuLCcaAXeJVi8KO4aElTeR/i4SKbjnqB28pb7jRBXMUrdf2BlYIPqIQLkJT + Ydp9LKliutFNK6e6HkdHiOIq1M6Sl5ee4vqzQJ3umN88k/QE6tZDk/PTX42mjBmW + GkMW3jrSTkpXig3hzjzWg7r6VamgZhF3o6BbBfsCgYBv/+h6TFEDkFt/7C5vGluZ + fBRT9/S9zV9LwQLQz9XcI4YENLImyopnri/k8aJ3apXQZvebo6/inoPmBjpQdDGb + EMJTRD+dHH43zDixbYIcoNoG/cHB2XJKrKmTT/a6Xp2j2hc/rf5cyrBGSHmCiAQC + oxcocl0NrEX2cGzsHTnM6wKBgQDE5xJPtWc0hJk0IRVXbbVYzorQdgBfArDqIYPb + FDl1MTWIAKid0ezEk6Y0Au3apuRehYaN7b1PQYL/28ViEmgVuX8zFKu95eOT5XEW + 6wdK72AfPwBEVZMVV6Hoyr8gAJ3p+mn3+dSF8d1J5GqzWIXihl+gYna6BGxdD2gl + /4rlWwKBgFTfXShzn0FuU9dJ8UHCQvaTcFnlQnuCXU8LneIQrNUSQYiQnPvyNFWi + 7BJzNRw4pN0+78bKERcuqxD+tAqFTy0VEDoigKKvbbrrxkrt3Q16QbqCfBQzE641 + 7PiFFd/rOvGauhv11Vug00974LeKnwJcTUmz271g/+7apV5VrKzD + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-12-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAxsVzP4kCg9teQlBKx+wwnnwywLJZGGl6+XvtmEfi5RHEmHnf + Tr7J4xmdfbOJxKuRevfXBC1EDnHY8m6vBz/ODiEI/c36fospXJEMTB8TJt7lvspL + N+X6bs782FAjQ6GO1sX//pzS36Jqo8gGsYqLiaBxSZKgVZhrIBWuNAafZc1z2COF + /RRQ2CdSf/pX1FlGMlu6b8GsLZVty/cgHcVO1kgaHBC4hqt5qRxTE2/OpQ+MmVnx + 9a1vqH0Y1Wa0lk3FidaEbZmMRWO06T4MzYdf9P16qOG5qQpuHGi7nGmPXq2XX3D/ + L/JeYuhvMK7GwDlwFRG4tN9iHxNrpl/uiE4OHwIDAQABAoIBAQCW/v2qoTEI64cy + Rv5X2yOf8Wc4nQMzmUVy6mK2UL2bGCFJVyN9FVAWNao/CDk67r5oNIfhQ2W0t2V/ + 
3PcXQbANaakD7QpCQQLdr84wsVaCK8dJZTE4uHrC3HiU9mOjh8ITg3wRdh53BlGO + M3BqRH31waztn/Yur8eJKw8XtIQ390CsXUjToh7fw/LLHPSXboUVFxutWIG/lSdD + yxS4Sg2NSbB/g4FeSKK8CdHoBwPhgGyTBHy2fgKN9BTs3MrHLeieAN0Lfam8YVpt + drqHRJ/uzyS96LqF/DPl86JjXrvoah13aU2KrA8CmKWo3VUpdnTP1WL6rrvGYTnH + nl3fvq05AoGBANVYTsxIUaJeJp5V9D51ZJZyqr95NThEPjBaA6U2RC5VbJSOHZxy + JMdrR9jbyQ5MnDxR1QArjilCu5JUqCb0ABC4zuDI5PRBAqy9wMF73ki52DSm/9lg + RMxs4SWc5ChDd4khNjZNv2s4yhYW42rF+pBRQ3ZF2IS/u4PoF4kaLhEtAoGBAO6D + NvWWHnCeGJyY+Kdsxad04gbn5yi9DrN3lcck/WMLsCjMz9shmj8YjU5Ev6z2VQ6Y + z4WcIz/l5jRnfN1Y3uPFA/EaMaN1RLsQmw05DgI/vgRc5oHGE4zzrjDvX86u3eO9 + pv7a9gMohBaqzUw3zxVK8credTT6XiRNgAgEnHP7AoGBAMcX1Nkwt/XlFPb30amj + 1c3MjmmHDFJI5RwsNHCuFqyCjYSIpzuDDa2IARFv8c3FUpu75iF1hAIfQ3oIRK+t + To5MWMtOztLeBEf+AG7PUJ3fyNNB8UsDWtDG3slCA21LoLa45qWAopzF71jz3SCc + Rvr8yw8JmUgwwSYUpjoM02a1AoGAMSCv4lgAfxvhX+gWV44NDFgD8n4z2+1NKOQ5 + 4qIY2xzeNRkyuyUpu1NYT8XTYVH/5RjOreuiSxgUmbizPHiAuJOtIy1NCikudgWO + mmOlIgt1HTrxc8uT3VWYDJZRuqXEKJO44QfC4pWm13BpBwj7y5v7P9kgdUAYwguA + kqY4f58CgYAEiT26vgtRq9oitnPK1lPwvuwdGVDYEkDJ2S/GLDo5Ud6DESOn7S9e + b+F9XIYCAb9MJlnB0XdMAprzUIrFSXDID7TqpD3VZShL5PRjUPZL2mTlyYu2iFZ/ + /KSfKHybBhgIwoRTAzbv+UlTQQIQODEbIDf+RFZnbEUApbJhOBxRZQ== + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-13-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEA0lRvyadqY9Qp64vpxIv75krwh7p+Jkc9Q94xGGQkEF1bXlkb + nAr4xcTSNp++QGr0bT5WhVDlI2nChU5ZVGS8SR+MqZS403ocQXF3057YSHeX7aPZ + +lzf1y4hwTxUxvPuq9Rn/QpRDU5TN0DHS1V7U9ueyoHK2djKQjk2dTSDVtVN0S6E + RufNKbDe42mImi4VJxqNukg5Uk4i8vL+i6EdTDPrEsXL2Ik+b+9My5S3FgOL4yJU + rCyzX0jFD4pOYio7DctXKuJqQkY3htb+cRSnkOWiHL+9khuqbk/R4SXaooR6ueJO + D9KT5kHyz4NJibM8+M9sOlLpWBQEfsl6HY9PrQIDAQABAoIBAQCU5MVGIcgE55rN + bnyMcPRf8MkZrIHFI0VRmCd1Nt743r3hqn8LFhFKH60YkjkibRSfiTPCqKOtUB8u + 
M2q1faJ0uWrgWbIFsznxchv7qUU+97qLtiSHQdwL/lJS8xyowuJArdr3nKgIHVx3 + jtoGkHr/wEdG4F7znK6B9vKAQi5/9rJn+nWphIUufUhquk1sqzJSWb8GJQgG4ro0 + C9xR2iazBJyxgQfm4sC/GZ9AFbxrRjfSVOpMxL0GU1KQzktVpP4acd6WMj0blkwA + zwRhpeY4XYWqNLwhwhLWKp0HzPsdszU2XEJkt29HGgzJNMcNfFwG775yb2RRByKm + Qkyy2usBAoGBAP7Qk3WJ7hBjN/vMrxzD4OVaTY6oUsvq/L3OXRuZIazNXhWF1+rS + Vvha1wB2YVzLCT8dOk/85tuPKavNgJ14dbaiGq8aAlHV58rpGedH4l76IJ6KpXZ2 + 6oizneY/HCsWsFs0f5hE8tE0HdmOHBSK6+RGdzQkvgUNRRw0YiSanQaNAoGBANNO + 48DKq4tLtMj0qAjZxj7EZu2+j13G9kbP3MpLbC3BPf4g/+HAxuKmUH24WlFWUbLA + vMmDCQDRCRljwkQQ6fcvqniAM3m9KoCpjW5L+uUhwduF3JL5smGMclBa/RPhhUnh + Ffv8jDJX3CUoAw4BAApmmGsaMgzNf528QYI4/zWhAoGBAPRLJURHs1w0s2SNrMjI + JmHcfISrbY2gwSR7pxohan6P+YZq5kFz3PuHo58G33smELxYmiI7lVyj2VCj2Y2f + AkPREAIVzmmEyQ/pAPOSID3sUb+NrupvQZVDlrs6gBfzTapzH2ztlVnqPD/qFZPA + SD13LStpml+fhEVxFzJ+pNK1AoGAa/lTx5/IKFV2+3iIpH0jH8+cCL/m4jRYg7aT + S4teq8KiusiB+AlZl1cEqjkZbZZ+CKkTzqR2ZURrMd4X1lAOPZDNuuVHaF2Q6k25 + RzLr8UlelZ3BKBkPXWk2wHi9+Pqz8Rxi73AM82yRwSrA5Nb9/lKOb6vjB0e6fg9E + KhaV0gECgYEAj7umHRVTki8G2bQ7hA//obbkv6Qsj0e7r7yeNwd2Rp1ttuScb+JP + ym645javlXQFs0gwb1nlB/s2pP8e05vMs/1SqOObeUjZfYhAjxyFVP+4fJACHuBV + XO71ATVMOPXW61ZvON5hmdl0mdMGpuZsWFJ8YEk/Aj8yI0az4WgiRpo= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-etcd-cab23-r720-14-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEA0/WXnJuv2Mdfln/n5hBF7/TQY8UQzLNIUGiflH1k4ORalTxk + i4mrpSGiIOf3Ynxly6s0pRqWwy9kytBte3102A0F7SPI8jJf4Ioa2KgmbUQ70ZeF + ALnudNg2yZnWlGIO9bB3s7GlcqYSkVZ6IWBuFyOJ3JnJ5U4NxudKMDFLJUz653BD + nxlmeuE1ksCWcUyr6X880zUwRRiKhEo5cO0++qW1ySo+7+ic16F8IwJ+1JLqdUan + sQow96NcKzR8qrJti/5eIJHobCdRRuTWLmTN2v+gA4dKr/+CBunHRCglpECen6rv + TEYKhiCKAGbAwzo8N1zSIH45+CwZEjZhG4C26wIDAQABAoIBAEcO97P+EbbYKDiZ + StI7NGccqNw5zccCd8TVPmKWo0It7BxJ8d9B2TR0ERl9CteOosXj8LNFNbPb6KuB + 
sqKKzag8vXbh31UrBC+PvS5TOQa6sF80r9ctfj7X2Y4+r8xxD1jYv1iTvsav3Fuz + JSCZZm8FcAtv11qzjzTWh22eqPWou91T/fEseWzd54mlgiETsvhePJeV3OuwICpG + k3kNQeJruURZQLkVqODeV/6aPBbFFCKPUTY5eAWZf+6ZNXiYswKUMHHmWtfKHkuX + WXfg0e8SMFgiaV22E2T5DzhezBJHJDsC6EE5/XMVTDnSqX1xhB0irwADa9R2K8MC + zVQnOfkCgYEA7p5gJ0r3QtwC0CO8dEheaj2OspfOhoDOLpZ3wYbv1jU2UAs8BCZT + 7nSCnayOtW2enciVtgJCUTXhD49MEI3jVnTadul+LnZ+AouegrfiAFZP3bpS89Oy + ibn8EG3DYVibaB4n0lUYl5pvKCYGOH8z3Cw/dhnOxXMRt0+J/uP+gJ0CgYEA42YW + y6xp4is7stFnGxSZtglfUzP5PGWzhIHcPEjra3Ry1px+6IK73cq5oPcth8qQG4Iu + MOwGo5Yp72TjBtmErNu/xJvGCSSeRbpnrC0u7Js7MLSf4P2Du1aPK31Q5Tvpvg9t + tLFVkc78am1jXyVDqCACMp6Sg5w7UZXyjtrn6ycCgYEAu6jYa+58GRvYJoMEUdsc + TadN00yqQoOII4F4ez243xkINtkvAQB3n6AHnSM5NJwaU3KNsw+BwkaCUm9a3eYI + tVS+/yfQcZAEt9G//oPI/ITk2LcRR+rkjYY0I2N/dc5uoeqdXMBJz+jHpKaK2+HG + ElDGNAZF5GkDtMub9lauL80CgYEAp4ABdpFPhSs3VCZu/kGUX8RTlSQJiHWZYBeP + tFA6KPKjzHWF/Zqe62ZyiaDIxudscvbXM24IDeOEjDQSDm+XDQTpItdjbkSs2MvP + pcG6eMp3NQ83XTEgIZRG7U/nkJMrP7Z5psmhMD/5KiPdOK5oQaUiOUsYvR0NjLEY + 9CVHA60CgYEAzaCX5rurBOb4vjTsROT911Ce02SJmvPqoPCR3M1COCnsps6cHsxx + GbtUEWlVxy/gzH9sOOKvJafQg6S9NtsGLTg8dQ3TZT/JAG9LSB9coDzbw7vGP59X + Hwl1QYrT8rmoJujJdb0WjRAVdow+Z90SzWKHUyXYp3dpyo7UEsDNhVw= + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: calico-node-peer + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +--- +data: | + -----BEGIN PUBLIC KEY----- + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw4qeAbKzyBt43qAm4q1U + XYfcOUJTuT5/dWrOqd9PudHwluxPUUVpiLmH4ixiRJsmckjl3S6rMJ9mLV+VO6lH + yrfWzQW5y+LEkq1/YAJYl1k/9dmBWd7fDGAb6tIkoB0o5qaIi1QvTkwUsilsNON9 + IlyV5O94LERCowaGFGhAk9behOMce4JHK+Sne3gsBS4rZvL+CM030dDTfJ6WU8fj + wBF1Gl3vxuumOgUIaswq+ZMKPx30OMG0u2CSC2mpB/oQJYSqICH+odJBEzRQxMtQ + 09ROsg1U3j1NaLMeJuSxS62E+dzOi2StWO/d8q8r2HC2j5XKYtie1w5l2mWeVeLL + 7QIDAQAB + -----END PUBLIC KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: service-account + schema: 
metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/PublicKey/v1 +--- +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAw4qeAbKzyBt43qAm4q1UXYfcOUJTuT5/dWrOqd9PudHwluxP + UUVpiLmH4ixiRJsmckjl3S6rMJ9mLV+VO6lHyrfWzQW5y+LEkq1/YAJYl1k/9dmB + Wd7fDGAb6tIkoB0o5qaIi1QvTkwUsilsNON9IlyV5O94LERCowaGFGhAk9behOMc + e4JHK+Sne3gsBS4rZvL+CM030dDTfJ6WU8fjwBF1Gl3vxuumOgUIaswq+ZMKPx30 + OMG0u2CSC2mpB/oQJYSqICH+odJBEzRQxMtQ09ROsg1U3j1NaLMeJuSxS62E+dzO + i2StWO/d8q8r2HC2j5XKYtie1w5l2mWeVeLL7QIDAQABAoIBABN6O0LwCfhkxCVo + znbFzSGD5uvNL4nEL+4CNZO2KrrXrp9Z6oyt3VVBJcfho+gxjCLWIA9oFqVBO2xJ + mRPYSM5ogXzqlRc5/1qc7ZMiqLBqs3RJthi9mnohGKbLR9qrDOfsrq0yNYQXD/iv + J5gdENnbXxLux4mhQwH6JGDkAYq4L8WmeXi5vjbs2oDSO2TMgXSKY+zjpIoOwDwc + v5KB0lZ70WKk0VoUno7xzv1vp7gV3ReaheGH67Zu+gkb4gdtHbOGokBn33DFi+bQ + gasg2rfVef0lh/hdFO7jpT50HFaCvJRNhwilZOE42Jhz56FXQ7f4aXpGhOg5WgC0 + l92BGgECgYEA70ni538Q1Aa4mxlj9QzMuUGKNCBEkHzcWhQ7eSQAla/9W5K3gLDy + D5z3UNeqnNyG18BsEDJKC1EstuELof+N+pzGX4li4slrOgFzlWIfFJaLR9PqVeYH + wV4nlsIpErlAu27MKct4/NA6cWmUTF5dOx0WleaKHXTG+Inz4AMU3osCgYEA0TKZ + VuZbN4LbDRoM1XCKnMWSfvTJOZ482t02G1Ve9UQ6sW7vsGJKMNOgnyI+NzjAEpgf + KnRbiNoY23nSS+w4bptlmB3g/0ViI3KFaz4uhA44A6CqUyFsPcSPwkqj+wSoRiFB + xIHxbwUIfW0BxYuwJYQ3nmtdmKYcrEraMRCSBmcCgYBY0a4di3atnMkNGQGXReb/ + pKot6wRINXB9JyFkN87XwPlj8jOW2xceYH8UTNkRXHHYx53U7TW6uajFQQdWXEtR + CLxBXfeMgoMAhuVmP4OV2sNcJ/bFZ5rdVZuQRAWG46h5agjyQopoHMp0qmHXbvdg + J83oWihOAriQLHSPY9VtPQKBgBun7M2oNnboPb1FrFyrPCftlqhiBBgx6ymkBPso + Fh2mn3vFhrpyxAwgbiObi04RmpLauYQLTe6RpqedO0f+Opekw5GQoaYdrhOxmCHN + XqjmmFEidGH5ES45RigRZgxRWU2sJ92qsBhVOgIa3xkWlnrfN9shpoX/r9q3KpFB + 94wRAoGBALMo0T6SCqI0WxvjKtz+tAwbV8e8eenXIuwuAQ0dhEGNPMFp2dDiCMDd + MR5sPVEKDpDJC4uBqb33sjVSwjwDmhz+ct8fhLMCamD0FGtFuuxQQqzlH+TIOsp+ + Fu6pMLoiXvgJaCpMJW/DhqSezU/1IsEg6gOs/b34Hwxd9gzTTOLF + -----END RSA PRIVATE KEY----- +metadata: + layeringDefinition: + abstract: false + layer: site + name: service-account + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: 
deckhand/PrivateKey/v1 diff --git a/site/airship-seaworthy/secrets/certificates/ingress.yaml b/site/airship-seaworthy/secrets/certificates/ingress.yaml new file mode 100644 index 000000000..3bd7a2eab --- /dev/null +++ b/site/airship-seaworthy/secrets/certificates/ingress.yaml 
@@ -0,0 +1,128 @@ +--- +# self-signed certifacte generated based on +# https://libvirt.org/remote.html#Remote_certificates +metadata: + layeringDefinition: + abstract: false + layer: site + name: ingress-crt + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/Certificate/v1 +data: | + -----BEGIN CERTIFICATE----- + MIIFKzCCA5OgAwIBAgIMW2h6FCcFdKeaw3vnMA0GCSqGSIb3DQEBCwUAMBIxEDAO + BgNVBAMTB0FpcnNoaXAwHhcNMTgwODA2MTY0MDUyWhcNMTkwODA2MTY0MDUyWjBJ + MTUwMwYDVQQDEyxpbmdyZXNzLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3Vu + ZHJ5LmNvbTEQMA4GA1UEChMHQWlyc2hpcDCCAaIwDQYJKoZIhvcNAQEBBQADggGP + ADCCAYoCggGBALvNHm/G/ylh6aPcvrhOcb4qz1BjcNtnxH8bzZng/rMeX3W2AzjC + r2JloJcDvOLBp/TkLOZPImnFW2/GCwktxPgXZuBTPzFV50g77KsPFw0fn3Si7+bs + F22tLhdOGk6MQj/WW4pKGHqdw1/VbPwOHBT+I4/scR1L2SZxYtSFIKGenHJH+PMV + bCdwnNOR80F8KRzK5iZs/r6S/QqVheieARSWWnk2+TtkM1BloGOhLSd+ZkWh9VO1 + eOnZowkaDAJwD/G6zoSr5n+beaXzDnEcoVXFSwd4FLoV+om77o92XmZ4rVw0vTMO + k6jVwmkdT+dM2K2hLUG/TXWoV2/Qms70gzDOs85RtAkTPe4Ohtdpr51Q0hd35TKG + YLKzX/OPblD68iYJYSBvMPpAVTbFYVPW1AQx8wWfannYbMoeL8XTEOKfkqm90YP9 + EhIdtmw4D7GZxlzG5FXXutmT9sqLfqlRu/RynAhBP8NQvw74WumhOe8r7GhCwgzC + gaPLGjeekoS6LQIDAQABo4IBSDCCAUQwDAYDVR0TAQH/BAIwADCBzQYDVR0RBIHF + MIHCgixpbmdyZXNzLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3VuZHJ5LmNv + bYIta2V5c3RvbmUuYWlyc2hpcC1zZWF3b3J0aHkuYXRsYW50YWZvdW5kcnkuY29t + gilub3ZhLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3VuZHJ5LmNvbYIsaG9y + aXpvbi5haXJzaGlwLXNlYXdvcnRoeS5hdGxhbnRhZm91bmRyeS5jb22HBAoXFQuH + BAoXFgswEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAwegADAdBgNV + HQ4EFgQUfTAjNgn/1U1Uh1MJDYT2m4dzhsYwHwYDVR0jBBgwFoAUJFuXPZo6RzfE + BlJjnnk5jhcP4wIwDQYJKoZIhvcNAQELBQADggGBAE2ISWmrxqrledJI3aLaS9Yw + WsZc8O8CnIyLoxrE85vUubFjuI9ixC/6dJxl2iB1n0H8JgmFREox32Q4+kDJI8V/ + X9x0PFpRzL7QEPrLZhW94Yis3sOphLW0rf0t06ZepdHHeodYJu1pVMDmLq6bKXdX + vo+/WwKnZBXC1qPbXJByv/CN9MtViXOnBGORFRTJPb6U8379LNWclJ/LW12yTwNk + JGIbZU61Vxu+2nLIabmmRoODH2jomgMOMMzLgjT3Hvw3whe8GrUoxDiPYQVTDGNm + 
ly6m+5B1Nx06fkZazonozeaOhSQ7RblUSbo+w8TJmLRzD9ft7p4vpjBGxRADMcuF + DOjATgdZeisBUHTGEO0P6wJOBQuCFMX9AVl+u8ZpcuRaRaN+pBE6/BqcHBB6qV/N + w2DdNtP8BrJ3kJVNEDIo5oTbH5SToxgA4hWBV42M1rB+5vIMDKN3rwVDdNKWYhYc + VZpU3V9V6JzSW1O2w4Wu9PdbWJD9oSvC0qJgnjOXzg== + -----END CERTIFICATE----- +... +--- +metadata: + layeringDefinition: + abstract: false + layer: site + name: ingress-ca + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateAuthority/v1 +data: | + -----BEGIN CERTIFICATE----- + MIID7TCCAlWgAwIBAgIMW2h3tgSwie0Ypx8eMA0GCSqGSIb3DQEBCwUAMBIxEDAO + BgNVBAMTB0FpcnNoaXAwHhcNMTgwODA2MTYzMDQ2WhcNMTkwODA2MTYzMDQ2WjAS + MRAwDgYDVQQDEwdBaXJzaGlwMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC + AYEAny0Nqu9U2tXdCCTNzD2T62htMmBLg3CmzWajfbfFl7ALqzo3HgbbY3PxTHDE + OJ/lwdm0HkEaGfEDXhJd06WZsa8+fKGqhKXvZXwXx5mJ8LCGxz6xiaxwo9lnKe6V + o3YX7bJ5YIVxQ2jhvZo+dY8Z/buloi2Tp2HbqTejKULH9+qdiQTDXAnyR0NLqzJ0 + YQ4v4yU3zix3nBi8z29lQekGO9quNEka3nw2n0Gxmq5z1bNALGCF5F759mVkB0uT + fPGF+zm9eqlqAgduYg7R+JYUumVHvIoRY454GtAdZHTJHJZP0gQSGJsLff8ROFpI + GVYsOZhJXU9Ihc5VBC5PMErbmCn0YkuxAWNOYBstZ8l+uY6YiPoFV5Ulc/8M0If+ + T6jbqzWoFC+4ysgY95RKOw53S4o/T6AFwiIKIw0xp3UfHCf6kr5Y0+XdDn5CXpJB + d1KK3PoUWzPSsxcUMXvgKWT4x1vsCId21dn1SmVSOEBhM08VZfjd5bvL9Xjt/E0j + mUqDAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAd + BgNVHQ4EFgQUJFuXPZo6RzfEBlJjnnk5jhcP4wIwDQYJKoZIhvcNAQELBQADggGB + AJaoEtnDoWUUs4nSSqIGcoCfpIO0oqVp8DvkBOcxz5Rz8vMVJSC24/UnuCD2Wknx + 2V/E3edXIeRo7duhPtNCT7c8OKY/pJsZQTgOczn4rphoD1pmAIPZmpG6ssPadPiM + EP8xWJHZt8NXG7D5kJX2COvBvgNeWXL6MF7Tv8+t5xzt59Vitdb/7lm9Z6jjpvN+ + zoG0pKx3XYESsnLAVAf00F+kWwds/3x3gQywUAQUDER0jliYUE5id+sojp357Cl9 + XtY+8zSnTduuP8CfMhwv5p6j9xbqacfT7AzpQ6cy4xcQ7MA6JBQcxbaq4NtvIf6+ + d/5N9d8LGnfXdCd9iwNy9Qk23Ea0SNhnk9F/NqGBPakU4TbHh4iTYMC/+hDGInpO + TIRelTidNBFNaIBg3Z0vsh0lDwbt/xhpXip+ZVBqKMTtktEceiVGru9cYUQA2tKI + XNoc5s0uQGMpdFzgED4lXZf+n7yGVMKohvi7Yn96HqujGIrVH6qThsI6m7pUSz40 + +g== + -----END CERTIFICATE----- +... 
+--- +metadata: + layeringDefinition: + abstract: false + layer: site + name: ingress-key + schema: metadata/Document/v1 + storagePolicy: cleartext +schema: deckhand/CertificateKey/v1 +data: | + -----BEGIN RSA PRIVATE KEY----- + MIIG4wIBAAKCAYEAu80eb8b/KWHpo9y+uE5xvirPUGNw22fEfxvNmeD+sx5fdbYD + OMKvYmWglwO84sGn9OQs5k8iacVbb8YLCS3E+Bdm4FM/MVXnSDvsqw8XDR+fdKLv + 5uwXba0uF04aToxCP9ZbikoYep3DX9Vs/A4cFP4jj+xxHUvZJnFi1IUgoZ6cckf4 + 8xVsJ3Cc05HzQXwpHMrmJmz+vpL9CpWF6J4BFJZaeTb5O2QzUGWgY6EtJ35mRaH1 + U7V46dmjCRoMAnAP8brOhKvmf5t5pfMOcRyhVcVLB3gUuhX6ibvuj3ZeZnitXDS9 + Mw6TqNXCaR1P50zYraEtQb9NdahXb9CazvSDMM6zzlG0CRM97g6G12mvnVDSF3fl + MoZgsrNf849uUPryJglhIG8w+kBVNsVhU9bUBDHzBZ9qedhsyh4vxdMQ4p+Sqb3R + g/0SEh22bDgPsZnGXMbkVde62ZP2yot+qVG79HKcCEE/w1C/Dvha6aE57yvsaELC + DMKBo8saN56ShLotAgMBAAECggGAYzZDhA1+sx/0zApL/xYB5NK83t0Ju/8fwX6w + qUBBjeLXz1mubgf7m2HQ6ragzLI9xpPcXHcl2PbYDT50ig7R5baHNK8FzUxyeKif + qOa56Mbx+C4zyqyi2+AHX2x1XVWfkhXuGip2sCA0HKalgqr5juWLZ/ci8rUlLLft + 3BPQX1FpmL4I+HIyxsspLmQGPGwZVAqkd1xRX+BLKZJAQdlm/LdJaIvwMr4Glcx6 + ZOe68QhHgzXCYsyV6gR9qstF2OvVuLa2mUc7EzYInFIFhXUdAAwmDqkuuLRdRQhf + Ur8nqQW33T0cG0GBUzgBI5YmSPJvTSzcPmeSyNVx2/Yb0pkuXtCw67oDcAsN4nW8 + uls49E2RaiLJYsy5vPsX5aJNcAxw/CWLdadQ3ukviD/MDJbpTl4F52GOVYL6K4XH + g5TJjj7xzjmK3ldR/Kscg7HpCitQLGUYdgIsAFdspXf4aSIa68IjDrc5NsJZuMzc + PbVHrw7QYNfHY7VNdUlOVqH5lS3BAoHBANRqKrQXtnJmM006TCEJXdcN/5M685jz + +L4Ox0Rhrq8ROgcN5q/hjKb6kP/MccQ9voGQOl9TKEyinGNdTtyc/fuH7RNlQwpS + HT+vEzVEcrSe8UFs8c6oJnHFO72ylFcibFf56LvbI3L8BZXp7gPSPQkp5f1NWEZk + X5bUL4UNiOm0diltba/ofxywF0M9WGD00eqi0Q29JRlvun+355j06CENxRoonNZC + wk1evIxhhckP9zLjI2Ykb1hV6yzwPWtmyQKBwQDiVgru/B396KhzDhLl5AL+pBWA + GsfiCbmPLh6W6V5VzldB4+GlMRrJ4zSjZQ3/nvX5KepqjMn1N6LQpZQUI/YShCKE + mW0XMiAfbp2d23MRMjLD8L/bIoBHQOPkCaMjbmyDOlCagWakEvHJO/TieVgTmYk6 + mtEYVjJFWI9OCNMAHdl8ovWr3p+8YbVZ8LLv5ZO/V1cIjczoNQ6p8LG/pPMTDLXM + ScN9a8z3f8LQLBHBlu0155xvt95PQLAon/x21kUCgcAvPVk36hoiQQZhw3hQ1JNx + E2TmanLobkHAiurYE11VA+DC1t2Z+fBc5la+/MnEWfL3P4srzgOlX3imRIcYWzXE + 
7crUyG1ray2kDxyXeRyFfN+srDzut8is/q81lfSVmEs+GY8f0DGHDfN0Dq1nXidC + 1XWXqs7aANKdaZ0T2xm61+57ciG1wGAckjDqPEdecLQKmaEijBEnIgj5BH5WLwk8 + 6KIQGj4fDIPHzyzhj4LAX3ObdpZVzf6RR7JgsSEHtLkCgcBROW2dDC87MqZY++D+ + TVBhz8LDgVjgHntQDc3+fGtVQcKAq+YLYU7qyrXWOWrHpGVDcK5mZHYJoVi1peY5 + QBqL1I2KpoDGxT9P6GN6BgoKTsh3FsvTOVNtvrTJ3keEbJlWkrPgbrXGBeJtRC4C + pGdeSUg9FtgY8r4BsuFisLoAHbYyC008y5zpfusVBtNAUlQuY4qhUDoLzxafF/jB + /NEasgH/+SzFss0QuPHRwS7yGVaxdJfoY8TNDjrpqVhx0T0CgcEAvKG4UoWvT8gJ + pIeeAxxnv9yrMxgpntu4RXPDHgfX5tva6EaM3r3nLXjd9FVtlQ4cNBMhp9HNhS3a + dK+oEDcBysVxxfltlS2Bx0+gQf3WxgBCJwayKe3i/XCDza92EENgxTPmqB1LHiq5 + 2b5aOl2Y5fP0eX6UryxRc443c/ejMHw4lGwnno0qpRk9M9Ucqv5J96QCfAlBSQQS + gOG9cypL0kBWzCejn9W4av8HkM8Noqd7Tqul1onv/46OBaX51kt3 + -----END RSA PRIVATE KEY----- +... diff --git a/site/airship-seaworthy/secrets/passphrases/ceph_fsid.yaml b/site/airship-seaworthy/secrets/passphrases/ceph_fsid.yaml new file mode 100644 index 000000000..720150288 --- /dev/null +++ b/site/airship-seaworthy/secrets/passphrases/ceph_fsid.yaml @@ -0,0 +1,12 @@ +--- +schema: deckhand/Passphrase/v1 +metadata: + schema: metadata/Document/v1 + name: ceph_fsid + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +# uuidgen +data: 7b7576f4-3358-4668-9112-100440079807 +... diff --git a/site/airship-seaworthy/secrets/passphrases/ceph_swift_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ceph_swift_keystone_password.yaml new file mode 100644 index 000000000..9a9af1f2c --- /dev/null +++ b/site/airship-seaworthy/secrets/passphrases/ceph_swift_keystone_password.yaml @@ -0,0 +1,11 @@ +--- +schema: deckhand/Passphrase/v1 +metadata: + schema: metadata/Document/v1 + name: ceph_swift_keystone_password + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: password123 +... 
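Review bot: The `ingress-key` document in this hunk commits the RSA private key for the ingress certificate next to the certificate itself, marked `storagePolicy: cleartext`. Anyone who can read the repository or its history can therefore present that certificate for the hostnames it covers. Switching the document to `storagePolicy: encrypted` would only change how Deckhand stores it after ingestion; the value would still be readable in git. The key should be generated per site at deployment time, and the committed one labelled, for example `# SAMPLE KEY - published in git, never deploy; generate a site-specific key and certificate`. The `CertificateKey` and `PrivateKey` documents in the preceding certificates file have the same problem, but that hunk starts outside this view.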
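Review bot: `data: password123` in `ceph_swift_keystone_password` is a guessable placeholder committed as the site's actual value. The same literal is repeated in `ipmi_admin_password`, the `osh_barbican_*` passphrases and the `osh_cinder_*` passphrases later in this patch. The IPMI one deserves the most attention, since it presumably gates out-of-band control of the bare-metal hosts. Nothing in these documents marks the value as a sample, so a site copied from airship-seaworthy would deploy with it. I would add `# SAMPLE VALUE - generate a unique secret per site, e.g. openssl rand -hex 16` above each `data:` line, as `maas-region-key` already hints with its generator comment, and use `storagePolicy: encrypted` for documents that hold real secrets.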
diff --git a/site/airship-seaworthy/secrets/passphrases/ipmi_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/ipmi_admin_password.yaml
new file mode 100644
index 000000000..7e4473d70
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ipmi_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ipmi_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/maas-region-key.yaml b/site/airship-seaworthy/secrets/passphrases/maas-region-key.yaml
new file mode 100644
index 000000000..73d4a6970
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/maas-region-key.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: maas-region-key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# openssl rand -hex 10
+data: 9026f6048d6a017dc913
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_db_password.yaml
new file mode 100644
index 000000000..c5f866c85
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_barbican_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..bb19957a1
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
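Review bot: In `maas-region-key`, the `# openssl rand -hex 10` comment records how the value was produced, but the resulting `9026f6048d6a017dc913` is then committed as-is. Every deployment that reuses this site definition would share one region key that anyone with repository access knows. I would reword the comment so it instructs rather than describes, e.g. `# SAMPLE VALUE - regenerate per site with: openssl rand -hex 10`. Ten random bytes is also only 80 bits; unless MAAS constrains the length, a longer value costs nothing.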
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_barbican_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
new file mode 100644
index 000000000..9bf0217bf
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_barbican_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_barbican_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_barbican_password.yaml
new file mode 100644
index 000000000..51221924c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_barbican_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_barbican_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..32f8dae0f
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_barbican_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
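Review bot: `data: password123` in osh_barbican_rabbitmq_erlang_cookie.yaml is a cluster secret rather than a login password: the Erlang cookie is the only authentication between RabbitMQ nodes and their CLI tools, so a guessable value means any peer that can reach the inter-node port is accepted as a trusted cluster member. The cinder, glance, heat, keystone, neutron and nova cookie documents later in this patch carry the same value, so the per-service brokers are not separated from each other either. I would give each cluster its own long random cookie and record only the recipe above the `data:` line, e.g. `# openssl rand -hex 32`, with `storagePolicy: encrypted` on the document.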
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_db_password.yaml
new file mode 100644
index 000000000..b22f898b6
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_cinder_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..040e65769
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_cinder_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
new file mode 100644
index 000000000..5d76ba793
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_cinder_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_cinder_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_cinder_password.yaml
new file mode 100644
index 000000000..26565dbe3
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_cinder_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_cinder_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..b1ac8ffdc
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_cinder_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_db_password.yaml
new file mode 100644
index 000000000..073906900
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_glance_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..57db7521f
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_glance_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
new file mode 100644
index 000000000..d103c2780
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_glance_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_glance_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_glance_password.yaml
new file mode 100644
index 000000000..93ae0f24b
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_glance_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_glance_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..496fae3f6
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_glance_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_db_password.yaml
new file mode 100644
index 000000000..3352d4ce9
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..074e688f5
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
new file mode 100644
index 000000000..39f132713
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_password.yaml
new file mode 100644
index 000000000..5777ebbf8
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..74e2a9906
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_stack_user_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_stack_user_password.yaml
new file mode 100644
index 000000000..36db28bc2
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_stack_user_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_stack_user_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_heat_trustee_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_heat_trustee_password.yaml
new file mode 100644
index 000000000..58129ef5d
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_heat_trustee_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_heat_trustee_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_horizon_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_horizon_oslo_db_password.yaml
new file mode 100644
index 000000000..7c78d4572
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_horizon_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_horizon_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
new file mode 100644
index 000000000..78c265edc
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_elasticsearch_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_admin_password.yaml
new file mode 100644
index 000000000..9232de761
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_grafana_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
new file mode 100644
index 000000000..6d5f49e5b
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_grafana_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
new file mode 100644
index 000000000..bd4e57399
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_grafana_oslo_db_session_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_kibana_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_kibana_admin_password.yaml
new file mode 100644
index 000000000..56ecc33da
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_kibana_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_kibana_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_nagios_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_nagios_admin_password.yaml
new file mode 100644
index 000000000..52dbe16a0
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_nagios_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_nagios_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_openstack_exporter_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
new file mode 100644
index 000000000..64f78e1a4
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_openstack_exporter_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
new file mode 100644
index 000000000..9c68e9d5c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_oslo_db_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_admin_password.yaml
new file mode 100644
index 000000000..6c3f44695
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_ldap_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_ldap_password.yaml
new file mode 100644
index 000000000..2edf0f22c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_ldap_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_ldap_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_db_password.yaml
new file mode 100644
index 000000000..07b2206ab
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..aec85c07c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
new file mode 100644
index 000000000..be716f432
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..ee7e4bd25
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_keystone_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_db_password.yaml
new file mode 100644
index 000000000..4d0b15749
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_neutron_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..4ac42c9b0
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_neutron_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
new file mode 100644
index 000000000..6be02b9ce
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_neutron_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_neutron_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_neutron_password.yaml
new file mode 100644
index 000000000..dd0b2b68b
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_neutron_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_neutron_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..9e8ff8deb
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_neutron_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_db_password.yaml
new file mode 100644
index 000000000..2cd60f567
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
new file mode 100644
index 000000000..487bcc57f
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_oslo_messaging_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
new file mode 100644
index 000000000..13569ba02
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_password.yaml
new file mode 100644
index 000000000..4c2223d36
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..7a885e683
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_oslo_cache_secret_key.yaml b/site/airship-seaworthy/secrets/passphrases/osh_oslo_cache_secret_key.yaml
new file mode 100644
index 000000000..11747a726
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_oslo_cache_secret_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_oslo_cache_secret_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_oslo_db_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_oslo_db_admin_password.yaml
new file mode 100644
index 000000000..48df9ee54
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_oslo_db_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_oslo_db_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_placement_password.yaml b/site/airship-seaworthy/secrets/passphrases/osh_placement_password.yaml
new file mode 100644
index 000000000..c72b59ac0
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_placement_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_placement_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ubuntu_crypt_password.yaml b/site/airship-seaworthy/secrets/passphrases/ubuntu_crypt_password.yaml
new file mode 100644
index 000000000..4d6046803
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ubuntu_crypt_password.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ubuntu_crypt_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# Pass: password123
+data: $6$qgvZ3LC9.t59Akqy$HAJfJpdrN8Ld9ssGyjFPzyJ3WUGN.ucqhSyA25LFjBrSYboVFgX8wLomRwlf5YIn1siaXHSh4JaPJED3BO36J1
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_airflow_postgres_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_airflow_postgres_password.yaml
new file mode 100644
index 000000000..8a1d64884
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_airflow_postgres_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_airflow_postgres_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_armada_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_armada_keystone_password.yaml
new file mode 100644
index 000000000..866efcce2
--- /dev/null
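Review bot: The comment `# Pass: password123` in ubuntu_crypt_password.yaml publishes the plaintext right above its SHA-512 crypt hash, so the hash protects nothing and the host login it configures is known to anyone who can read the repository. Drop the plaintext and record only how the value is produced, e.g. `# mkpasswd --method=sha-512`, then replace the `data:` line with a hash of a password chosen per site. Where this account is only needed for recovery, it may be better to leave password login disabled and rely on the SSH public key document this patch also adds; I cannot see from this hunk how the host profile consumes the value.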
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_armada_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_armada_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_barbican_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_barbican_keystone_password.yaml
new file mode 100644
index 000000000..cb2da2244
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_barbican_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_barbican_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_barbican_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_barbican_oslo_db_password.yaml
new file mode 100644
index 000000000..95a76ed17
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_barbican_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_barbican_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_keystone_password.yaml
new file mode 100644
index 000000000..5ee27f2a8
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_deckhand_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_postgres_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_postgres_password.yaml
new file mode 100644
index 000000000..e63319b71
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_deckhand_postgres_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_deckhand_postgres_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_drydock_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_drydock_keystone_password.yaml
new file mode 100644
index 000000000..b8083b519
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_drydock_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_drydock_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_drydock_postgres_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_drydock_postgres_password.yaml
new file mode 100644
index 000000000..2eff5255c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_drydock_postgres_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_drydock_postgres_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_keystone_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_keystone_admin_password.yaml
new file mode 100644
index 000000000..91f74fdc0
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_keystone_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_keystone_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_keystone_oslo_db_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_keystone_oslo_db_password.yaml
new file mode 100644
index 000000000..a9cb15317
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_keystone_oslo_db_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_keystone_oslo_db_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_maas_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_maas_admin_password.yaml
new file mode 100644
index 000000000..402c1299b
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_maas_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_maas_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_maas_postgres_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_maas_postgres_password.yaml
new file mode 100644
index 000000000..96ec5745c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_maas_postgres_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_maas_postgres_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_oslo_db_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_oslo_db_admin_password.yaml
new file mode 100644
index 000000000..b3c132542
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_oslo_db_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_oslo_db_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_oslo_messaging_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_oslo_messaging_password.yaml
new file mode 100644
index 000000000..95d6c0e3c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_oslo_messaging_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_oslo_messaging_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_postgres_admin_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_postgres_admin_password.yaml
new file mode 100644
index 000000000..546de05ba
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_postgres_admin_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_postgres_admin_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_promenade_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_promenade_keystone_password.yaml
new file mode 100644
index 000000000..ac40d1ec5
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_promenade_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_promenade_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml
new file mode 100644
index 000000000..6a2aef93e
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_rabbitmq_erlang_cookie
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_keystone_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_keystone_password.yaml
new file mode 100644
index 000000000..181a52a84
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_keystone_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_shipyard_keystone_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_postgres_password.yaml b/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_postgres_password.yaml
new file mode 100644
index 000000000..de0eed714
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/ucp_shipyard_postgres_password.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_shipyard_postgres_password
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airship-seaworthy/site-definition.yaml b/site/airship-seaworthy/site-definition.yaml
new file mode 100644
index 000000000..b45d369dc
--- /dev/null
+++ b/site/airship-seaworthy/site-definition.yaml
@@ -0,0 +1,18 @@
+---
+# High-level pegleg site definition file
+schema: pegleg/SiteDefinition/v1
+metadata:
+ schema: metadata/Document/v1
+ layeringDefinition:
+ abstract: false
+ layer: site
+ # NEWSITE-CHANGEME: Replace with the site name
+ name: airship-seaworthy
+ storagePolicy: cleartext
+data:
+ # Deprecated revision system, will be removed later. Do not modify.
+ revision: v4.0
+ # The type layer this site will delpoy with. Type layer is found in the
+ # type folder.
+ site_type: foundry
+...
diff --git a/site/airship-seaworthy/software/charts/kubernetes/container-networking/etcd.yaml b/site/airship-seaworthy/software/charts/kubernetes/container-networking/etcd.yaml
new file mode 100644
index 000000000..3e547eb50
--- /dev/null
+++ b/site/airship-seaworthy/software/charts/kubernetes/container-networking/etcd.yaml
@@ -0,0 +1,159 @@ +--- +# The purpose of this file is to build the list of calico etcd nodes and the +# calico etcd certs for those nodes in the environment. +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-calico-etcd + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: kubernetes-calico-etcd-global + actions: + - method: merge + path: . + storagePolicy: cleartext + substitutions: + # Generate a list of control plane nodes (i.e. genesis node + master node + # list) on which calico etcd will run and will need certs. It is assumed + # that Airship sites will have 4 control plane nodes, so this should not need to + # change for a new site. + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .genesis.hostname + dest: + path: .values.nodes[0].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[0].hostname + dest: + path: .values.nodes[1].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[1].hostname + dest: + path: .values.nodes[2].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[2].hostname + dest: + path: .values.nodes[3].name + + # Certificate substitutions for the node names assembled on the above list. + # NEWSITE-CHANGEME: Per above, the number of substitutions should not need + # to change with a standard Airship deployment. However, the names of each + # deckhand certficiate should be updated with the correct hostnames for your + # environment. The ordering is important (Genesis is index 0, then master + # nodes in the order they are specified in common-addresses). + + # Genesis hostname - cab23-r720-11 + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-11 + path: . + dest: + path: .values.nodes[0].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-11 + path: . 
+ dest: + path: .values.nodes[0].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-11-peer + path: . + dest: + path: .values.nodes[0].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-11-peer + path: . + dest: + path: .values.nodes[0].tls.peer.key + + # master node 1 hostname - cab23-r720-12 + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-12 + path: . + dest: + path: .values.nodes[1].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-12 + path: . + dest: + path: .values.nodes[1].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-12-peer + path: . + dest: + path: .values.nodes[1].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-12-peer + path: . + dest: + path: .values.nodes[1].tls.peer.key + + # master node 2 hostname - cab23-r720-13 + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-13 + path: . + dest: + path: .values.nodes[2].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-13 + path: . + dest: + path: .values.nodes[2].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-13-peer + path: . + dest: + path: .values.nodes[2].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-13-peer + path: . + dest: + path: .values.nodes[2].tls.peer.key + + # master node 3 hostname - cab23-r720-14 + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-14 + path: . + dest: + path: .values.nodes[3].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-14 + path: . + dest: + path: .values.nodes[3].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: calico-etcd-cab23-r720-14-peer + path: . 
+ dest: + path: .values.nodes[3].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-cab23-r720-14-peer + path: $ + dest: + path: .values.nodes[3].tls.peer.key + +data: {} +... diff --git a/site/airship-seaworthy/software/charts/kubernetes/etcd/etcd.yaml b/site/airship-seaworthy/software/charts/kubernetes/etcd/etcd.yaml new file mode 100644 index 000000000..b32495ee2 --- /dev/null +++ b/site/airship-seaworthy/software/charts/kubernetes/etcd/etcd.yaml 
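Review bot: The last substitution in this file, the `deckhand/CertificateKey/v1` source `calico-etcd-cab23-r720-14-peer`, uses `path: $` while the other fifteen certificate and key sources use `path: .`. The kubernetes etcd file that follows has the same mix on `kubernetes-etcd-cab23-r720-13-peer` and `kubernetes-etcd-cab23-r720-14-peer`. If Deckhand resolves both spellings to the document root this is only a style inconsistency, but a reader copying these blocks for a new site cannot tell whether the difference is meaningful. I would write `path: .` everywhere so the sixteen blocks differ only in name and destination.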
@@ -0,0 +1,163 @@ +--- +# The purpose of this file is to build the list of k8s etcd nodes and the +# k8s etcd certs for those nodes in the environment. +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-etcd + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: kubernetes-etcd-global + actions: + - method: merge + path: . + storagePolicy: cleartext + substitutions: + # Generate a list of control plane nodes (i.e. genesis node + master node + # list) on which k8s etcd will run and will need certs. It is assumed + # that Airship sites will have 4 control plane nodes, so this should not need to + # change for a new site. + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .genesis.hostname + dest: + path: .values.nodes[0].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[0].hostname + dest: + path: .values.nodes[1].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[1].hostname + dest: + path: .values.nodes[2].name + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .masters[2].hostname + dest: + path: .values.nodes[3].name + + # Certificate substitutions for the node names assembled on the above list. + # NEWSITE-CHANGEME: Per above, the number of substitutions should not need + # to change with a standard Airship deployment. However, the names of each + # deckhand certficiate should be updated with the correct hostnames for your + # environment. The ordering is important (Genesis is index 0, then master + # nodes in the order they are specified in common-addresses). + + # Genesis Exception* + # *NOTE: This is an exception in that `genesis` is not the hostname of the + # genesis node, but `genesis` is reference here in the certificate names + # because of certain Promenade assumptions that may be addressed in the + # future. 
Therefore `genesis` is used instead of `cab23-r720-11` here. + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-genesis + path: . + dest: + path: .values.nodes[0].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-genesis + path: . + dest: + path: .values.nodes[0].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-genesis-peer + path: . + dest: + path: .values.nodes[0].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-genesis-peer + path: . + dest: + path: .values.nodes[0].tls.peer.key + + # master node 1 hostname - cab23-r720-12 + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-12 + path: . + dest: + path: .values.nodes[1].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-12 + path: . + dest: + path: .values.nodes[1].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-12-peer + path: . + dest: + path: .values.nodes[1].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-12-peer + path: . + dest: + path: .values.nodes[1].tls.peer.key + + # master node 2 hostname - cab23-r720-13 + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-13 + path: . + dest: + path: .values.nodes[2].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-13 + path: . + dest: + path: .values.nodes[2].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-13-peer + path: . + dest: + path: .values.nodes[2].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-13-peer + path: $ + dest: + path: .values.nodes[2].tls.peer.key + + # master node 3 hostname - cab23-r720-14 + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-14 + path: . 
+ dest: + path: .values.nodes[3].tls.client.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-14 + path: . + dest: + path: .values.nodes[3].tls.client.key + - src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-cab23-r720-14-peer + path: . + dest: + path: .values.nodes[3].tls.peer.cert + - src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-cab23-r720-14-peer + path: $ + dest: + path: .values.nodes[3].tls.peer.key + +data: {} +... diff --git a/site/airship-seaworthy/software/charts/kubernetes/ingress/ingress.yaml b/site/airship-seaworthy/software/charts/kubernetes/ingress/ingress.yaml new file mode 100644 index 000000000..a05492b5d --- /dev/null +++ b/site/airship-seaworthy/software/charts/kubernetes/ingress/ingress.yaml @@ -0,0 +1,18 @@ +--- +# The purpose of this file is to define the environment-specific public-facing +# VIP for the ingress controller +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ingress-kube-system + layeringDefinition: + abstract: false + layer: site + parentSelector: + ingress: kube-system + actions: + - method: merge + path: . + storagePolicy: cleartext +data: {} +... diff --git a/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/neutron.yaml b/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/neutron.yaml new file mode 100644 index 000000000..254736048 --- /dev/null +++ b/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/neutron.yaml 
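Review bot: The `kubernetes-etcd` chart document is marked `storagePolicy: cleartext` while its substitutions copy eight `deckhand/CertificateKey/v1` private keys into `.values.nodes[N].tls.client.key` and `.values.nodes[N].tls.peer.key`; the calico etcd chart above does the same. Whether the rendered document is then stored or returned with those keys readable is not visible from the hunk, so it is worth confirming how Deckhand treats rendered output of a cleartext document that receives secret material. Depending on the answer, consider whether both etcd overrides should carry `storagePolicy: encrypted`, or add a header comment such as `# storagePolicy is cleartext because data is empty before substitution; rendered output contains private keys.`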
@@ -0,0 +1,23 @@ +--- +# This file defines hardware-specific settings for neutron. If you use the same +# hardware profile as this environment, you should not need to change this file. +# Otherwise, you should review the settings here and adjust for your hardware. +# In particular: +# 1. logical network interface names +# 2. physical device mappigns +# TODO: Should move to global layer and become tied to the hardware profile +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: neutron-fixme + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: neutron-global + actions: + - method: merge + path: . + storagePolicy: cleartext +data: {} +... diff --git a/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/nova.yaml b/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/nova.yaml new file mode 100644 index 000000000..32f94b89b --- /dev/null +++ b/site/airship-seaworthy/software/charts/osh/openstack-compute-kit/nova.yaml @@ -0,0 +1,25 @@ +--- +# This file defines hardware-specific settings for nova. If you use the same +# hardware profile as this environment, you should not need to change this file. +# Otherwise, you should review the settings here and adjust for your hardware. +# In particular: +# 1. vcpu_pin_set will change if the number of logical CPUs on the hardware +# changes. +# 2. pci alias / passthrough_whitelist could change if the NIC type or NIC +# slotting changes. +# TODO: Should move to global layer and become tied to the hardware profile +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: nova + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: nova-global + actions: + - method: merge + path: . + storagePolicy: cleartext +data: {} +... 
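Review bot: `name: neutron-fixme` in the neutron override looks like a leftover placeholder; the sibling nova override on the same pattern is simply `name: nova`. If any chart group or manifest refers to this chart by name (not visible in this hunk), the `-fixme` suffix would either break that reference or have to be copied into it. The header comment also promises interface names and physical device mappings while `data: {}` is empty, so I would rename to `name: neutron` and reword the comment to `# Placeholder: no site-specific neutron overrides are defined yet.`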
diff --git a/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client-update.yaml b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client-update.yaml new file mode 100644 index 000000000..d2ac01fff --- /dev/null +++ b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client-update.yaml @@ -0,0 +1,26 @@ +--- +# The purpose of this file is to define environment-specific parameters for ceph +# client update +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-client-update + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-ceph-client-update-global + actions: + - method: merge + path: . + storagePolicy: cleartext +data: + values: + conf: + pool: + target: + # NEWSITE-CHANGEME: Total number of OSDs. Does not need to change if + # your HW matches this site's HW. Verify for your environment. + # 8 OSDs per node x 4 nodes = 32 + osd: 32 +... diff --git a/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client.yaml b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client.yaml new file mode 100644 index 000000000..ad4678063 --- /dev/null +++ b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-client.yaml @@ -0,0 +1,25 @@ +--- +# The purpose of this file is to define envrionment-specific parameters for the +# ceph client +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-client + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-ceph-client-global + actions: + - method: merge + path: . + storagePolicy: cleartext +data: + values: + conf: + pool: + target: + # NEWSITE-CHANGEME: The number of OSDs per ceph node. Does not need to + # change if your deployment HW matches this site's HW. + osd: 8 +... diff --git a/site/airship-seaworthy/software/charts/ucp/ceph/ceph-osd.yaml b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-osd.yaml new file mode 100644 index 000000000..265c5b22e --- /dev/null 
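Review bot: `conf.pool.target.osd` is documented with two different meanings: "Total number of OSDs" (32) in `ucp-ceph-client-update` and "The number of OSDs per ceph node" (8) in `ucp-ceph-client`. Someone adapting the site to different hardware cannot tell which quantity the key expects or why the two files disagree. If the difference is intentional (for example a smaller value for the initial deployment that the update later raises, which is an assumption and not shown here), say so in both comments, e.g. `# Value used at initial deploy; ceph-client-update.yaml raises it to the site total.`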
+++ b/site/airship-seaworthy/software/charts/ucp/ceph/ceph-osd.yaml @@ -0,0 +1,75 @@ +--- +# The purpose of this file is to define environment-specific parameters for +# ceph-osd +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-ceph-osd + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-ceph-osd-global + actions: + - method: replace + path: .values.conf.storage.osd + - method: merge + path: . + storagePolicy: cleartext +data: + values: + conf: + storage: + # NEWSITE-CHANGEME: The OSD count and configuration here should not need + # to change if your HW matches the HW used in this environment. + # Otherwise you may need to add or subtract disks to this list. + osd: + - data: + type: block-logical + location: /dev/sdc + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdc + - data: + type: block-logical + location: /dev/sdd + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdd + - data: + type: block-logical + location: /dev/sde + journal: + type: directory + location: /var/lib/ceph/cp/journal-sde + - data: + type: block-logical + location: /dev/sdf + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdf + - data: + type: block-logical + location: /dev/sdg + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdg + - data: + type: block-logical + location: /dev/sdh + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdh + - data: + type: block-logical + location: /dev/sdi + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdi + - data: + type: block-logical + location: /dev/sdj + journal: + type: directory + location: /var/lib/ceph/cp/journal-sdj +... diff --git a/site/airship-seaworthy/software/charts/ucp/divingbell/divingbell.yaml b/site/airship-seaworthy/software/charts/ucp/divingbell/divingbell.yaml new file mode 100644 index 000000000..29f5a8323 --- /dev/null 
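Review bot: The OSD list addresses data disks by kernel device name (`/dev/sdc` through `/dev/sdj`), and Linux does not guarantee that `sdX` names stay attached to the same physical disk across reboots or hardware changes. With `type: block-logical` an OSD could then be pointed at a disk other than the intended one. If the chart accepts persistent paths (not visible from this hunk), `/dev/disk/by-path/...` entries would be safer; otherwise I would extend the NEWSITE-CHANGEME comment with `# Verify these device names on every node; sdX ordering is not guaranteed to be stable.`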
+++ b/site/airship-seaworthy/software/charts/ucp/divingbell/divingbell.yaml @@ -0,0 +1,51 @@ +--- +# The purpose of this file is to define site-specific parameters to the +# UAM-lite portion of the divingbell chart: +# 1. User accounts to create on bare metal +# 2. SSH public key for operationg system access to the bare metal +# 3. Passwords for operating system access via iDrac/iLo console. SSH password- +# based auth is disabled. +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-divingbell + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-divingbell-global + actions: + - method: merge + path: . + storagePolicy: cleartext + substitutions: + - dest: + path: .values.conf.uamlite.users[0].user_sshkeys[0] + src: + schema: deckhand/PublicKey/v1 + name: airship_ssh_public_key + path: . + - dest: + path: .values.conf.uamlite.users[0].user_crypt_passwd + src: + schema: deckhand/Passphrase/v1 + name: ubuntu_crypt_password + path: . + - dest: + path: .values.conf.uamlite.users[1].user_sshkeys[0] + src: + schema: deckhand/PublicKey/v1 + name: airship_ssh_public_key + path: . +data: + values: + conf: + uamlite: + users: + - user_name: ubuntu + user_sudo: true + user_sshkeys: [] + - user_name: airship + user_sudo: true + user_sshkeys: [] +... diff --git a/site/airship-seaworthy/software/charts/ucp/drydock/maas.yaml b/site/airship-seaworthy/software/charts/ucp/drydock/maas.yaml new file mode 100644 index 000000000..f0d2b3226 --- /dev/null +++ b/site/airship-seaworthy/software/charts/ucp/drydock/maas.yaml 
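Review bot: Both bare-metal accounts, `ubuntu` and `airship`, are created with `user_sudo: true` and receive the same `airship_ssh_public_key`, so the second account adds no separation and root-level access on every host traces back to a single shared key. The substitutions also address users by position (`users[0]`, `users[1]`), so reordering the `users` list silently moves the key and the `ubuntu_crypt_password` hash to a different account. I would add above `users:` a comment such as `# NEWSITE-CHANGEME: replace with per-operator accounts and keys; keep list order in sync with the substitutions above.`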
@@ -0,0 +1,37 @@ +--- +# This file defines site-specific deviations for MaaS. +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-maas + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-maas-global + actions: + - method: replace + path: .values.conf.maas.proxy + - method: merge + path: . + storagePolicy: cleartext +data: + values: + conf: + maas: + images: + default_os: 'ubuntu' + default_image: 'xenial' + default_kernel: 'hwe-16.04' + proxy: + # Whether deploying nodes should use MaaS region as an APT proxy. + proxy_enabled: false + # NEWSITE-CHANGEME: Whether MaaS region should utilize an external proxy + # for accessing repos. Set to 'true' if your environment needs a proxy + # to get to the upstream package mirrors, and false otherwise. + peer_proxy_enabled: false + # NEWSITE-CHANGEME: If your site requires a proxy to reach upstream + # package mirrors, enter the proxy information here. Otherwise, comment + # out this line. + # proxy_server: http://proxy.example.com:8080 +... diff --git a/site/airship-seaworthy/software/charts/ucp/promenade/promenade.yaml b/site/airship-seaworthy/software/charts/ucp/promenade/promenade.yaml new file mode 100644 index 000000000..543083d28 --- /dev/null +++ b/site/airship-seaworthy/software/charts/ucp/promenade/promenade.yaml 
@@ -0,0 +1,50 @@ +--- +# The purpose of this file is to provide site-specific parameters for the ucp- +# promenade chart. +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-promenade + layeringDefinition: + abstract: false + layer: site + parentSelector: + name: ucp-promenade-global + actions: + - method: merge + path: . + storagePolicy: cleartext +data: + values: + pod: + env: + promenade_api: [] + # NEWSITE-CHANGEME: If your site uses an http proxy, enter it here. + # Otherwise comment out these lines. + # - name: http_proxy + # value: http://proxy.example.com:8080 + # NEWSITE-CHANGEME: If your site uses an https proxy, enter it here. + # Otherwise comment out these lines. + # - name: https_proxy + # value: http://proxy.example.com:8080 + # NEWSITE-CHANGEME: If your site uses an http/https proxy, enter the + # IPs / domain names which the proxy should not be used for (i.e. the + # cluster domain and kubernetes service_cidr defined in common-addresses) + # Otherwise comment out these lines. + # - name: no_proxy + # value: 10.36.0.1,.cluster.local + # NEWSITE-CHANGEME: If your site uses an http proxy, enter it here. + # Otherwise comment out these lines. + # - name: HTTP_PROXY + # value: http://proxy.example.com:8080 + # NEWSITE-CHANGEME: If your site uses an https proxy, enter it here. + # Otherwise comment out these lines. + # - name: HTTPS_PROXY + # value: http://proxy.example.com:8080 + # NEWSITE-CHANGEME: If your site uses an http/https proxy, enter the + # IPs / domain names which the proxy should not be used for (i.e. the + # cluster domain and kubernetes service_cidr defined in common-addresses) + # Otherwise comment out these lines. + # - name: NO_PROXY + # value: 10.36.0.1,.cluster.local +... diff --git a/site/airship-seaworthy/software/config/common-software-config.yaml b/site/airship-seaworthy/software/config/common-software-config.yaml new file mode 100644 index 000000000..8bc0c436e --- /dev/null 
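Review bot: The proxy entries under `promenade_api: []` cannot be enabled just by uncommenting them, because the key already has the inline empty-list value `[]` and block list items placed beneath it will not parse as part of that list. The NEWSITE-CHANGEME comments say "Otherwise comment out these lines" although the lines are already commented, which hides the one edit that is actually required. I would add directly above the key `# To enable any entry below, uncomment it and remove the "[]" from the promenade_api line.`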
+++ b/site/airship-seaworthy/software/config/common-software-config.yaml @@ -0,0 +1,16 @@ +--- +# The purpose of this file is to define site-specific common software config +# paramters. +schema: pegleg/CommonSoftwareConfig/v1 +metadata: + schema: metadata/Document/v1 + name: common-software-config + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + osh: + # NEWSITE-CHANGEME: Replace with the site name + region_name: airship-seaworthy +... diff --git a/site/airship-seaworthy/software/config/endpoints.yaml b/site/airship-seaworthy/software/config/endpoints.yaml new file mode 100644 index 000000000..e68bd3706 --- /dev/null +++ b/site/airship-seaworthy/software/config/endpoints.yaml 
@@ -0,0 +1,1570 @@ +--- +# The purpose of this file is to define the site's endpoint catalog. This should +# not need to be modified for a new site. +# #GLOBAL-CANDIDATE# +schema: pegleg/EndpointCatalogue/v1 +metadata: + schema: metadata/Document/v1 + name: ucp_endpoints + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .ucp.identity.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .ucp.shipyard.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .ceph.object_store.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .ceph.ceph_object_store.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .ceph.object_store.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .ceph.object_store.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .ceph.object_store.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .ceph.ceph_object_store.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .ceph.ceph_object_store.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . 
+ dest: + path: .ceph.ceph_object_store.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .ucp.identity.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .ucp.identity.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .ucp.identity.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .ucp.shipyard.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .ucp.shipyard.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .ucp.shipyard.host_fqdn_override.public.tls.key +data: + ucp: + identity: + namespace: ucp + name: keystone + hosts: + default: keystone-api + public: keystone + host_fqdn_override: + default: null + public: + host: iam.DOMAIN + path: + default: /v3 + scheme: + default: http + public: https + port: + admin: + default: 35357 + api: + default: 80 + public: 443 + armada: + name: armada + hosts: + default: armada-api + public: armada + port: + api: + default: 8000 + path: + default: /api/v1.0 + scheme: + default: http + host_fqdn_override: + default: null + deckhand: + name: deckhand + hosts: + default: deckhand-int + public: deckhand-api + port: + api: + default: 9000 + path: + default: /api/v1.0 + scheme: + default: http + host_fqdn_override: + default: null + postgresql: + name: postgresql + hosts: + default: postgresql + path: /DB_NAME + scheme: postgresql+psycopg2 + port: + postgresql: + default: 5432 + host_fqdn_override: + default: null + postgresql_airflow_celery: + name: postgresql_airflow_celery_db + hosts: + default: postgresql + path: /DB_NAME + scheme: db+postgresql + port: + postgresql: + default: 5432 + 
host_fqdn_override: + default: null + oslo_db: + hosts: + default: mariadb + discovery: mariadb-discovery + host_fqdn_override: + default: null + path: /DB_NAME + scheme: mysql+pymysql + port: + mysql: + default: 3306 + wsrep: + default: 4567 + key_manager: + name: barbican + hosts: + default: barbican-api + public: barbican + host_fqdn_override: + default: null + path: + default: /v1 + scheme: + default: http + port: + api: + default: 9311 + public: 80 + oslo_messaging: + namespace: null + hosts: + default: rabbitmq + host_fqdn_override: + default: null + path: /openstack + scheme: rabbit + port: + amqp: + default: 5672 + oslo_cache: + hosts: + default: memcached + host_fqdn_override: + default: null + port: + memcache: + default: 11211 + physicalprovisioner: + name: drydock + hosts: + default: drydock-api + port: + api: + default: 9000 + nodeport: 31900 + path: + default: /api/v1.0 + scheme: + default: http + host_fqdn_override: + default: null + maas_region_ui: + name: maas-region-ui + hosts: + default: maas-region-ui + public: maas + path: + default: /MAAS + scheme: + default: "http" + port: + region_ui: + default: 80 + public: 80 + host_fqdn_override: + default: null + kubernetesprovisioner: + name: promenade + hosts: + default: promenade-api + port: + api: + default: 80 + path: + default: /api/v1.0 + scheme: + default: http + host_fqdn_override: + default: null + shipyard: + name: shipyard + hosts: + default: shipyard-int + public: shipyard-api + port: + api: + default: 9000 + public: 443 + path: + default: /api/v1.0 + scheme: + default: http + public: https + host_fqdn_override: + default: null + public: + host: shipyard.DOMAIN + airflow_web: + name: airflow-web + hosts: + default: airflow-web-int + public: airflow-web + port: + airflow_web: + default: 8080 + path: + default: / + scheme: + default: http + host_fqdn_override: + default: null + airflow_flower: + name: airflow-flower + hosts: + default: airflow-flower + port: + airflow_flower: + default: 5555 + 
path: + default: / + scheme: + default: http + host_fqdn_override: + default: null + ceph: + object_store: + name: swift + namespace: ceph + hosts: + default: ceph-rgw + public: radosgw + host_fqdn_override: + default: null + public: + host: object-store.DOMAIN + path: + default: /swift/v1 + scheme: + default: http + public: "https" + port: + api: + default: 8088 + public: 443 + ceph_object_store: + name: radosgw + namespace: ceph + hosts: + default: ceph-rgw + public: radosgw + host_fqdn_override: + default: null + public: + host: object-store.DOMAIN + path: + default: /auth/v1.0 + scheme: + default: "http" + public: "https" + port: + api: + default: 8088 + public: 443 + ceph_mon: + namespace: ceph + hosts: + default: ceph-mon + discovery: ceph-mon-discovery + host_fqdn_override: + default: null + port: + mon: + default: 6789 + ceph_mgr: + namespace: ceph + hosts: + default: ceph-mgr + host_fqdn_override: + default: null + port: + mgr: + default: 7000 + scheme: + default: http +... +--- +schema: pegleg/EndpointCatalogue/v1 +metadata: + schema: metadata/Document/v1 + name: osh_endpoints + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.object_store.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.ceph_object_store.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.object_store.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.object_store.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . 
+ dest: + path: .osh.object_store.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.ceph_object_store.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.ceph_object_store.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.ceph_object_store.host_fqdn_override.public.tls.key + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.image.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.cloudformation.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.orchestration.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.compute.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.compute_novnc_proxy.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.placement.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.network.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.identity.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + 
name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.dashboard.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.volume.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.volumev2.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh.volumev3.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.identity.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.identity.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.identity.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.orchestration.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.orchestration.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.orchestration.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.cloudformation.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.cloudformation.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . 
+ dest: + path: .osh.cloudformation.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.dashboard.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.dashboard.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.dashboard.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.image.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.image.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.image.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.volume.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.volume.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.volume.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.volumev2.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.volumev2.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.volumev2.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.volumev3.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . 
+ dest: + path: .osh.volumev3.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.volumev3.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.compute.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.compute.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.compute.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.compute_novnc_proxy.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.compute_novnc_proxy.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.compute_novnc_proxy.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.placement.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.placement.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh.placement.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh.network.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh.network.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . 
+ dest: + path: .osh.network.host_fqdn_override.public.tls.key +data: + osh: + object_store: + name: swift + namespace: ceph + hosts: + default: ceph-rgw + public: radosgw + host_fqdn_override: + default: null + public: + host: object-store.DOMAIN + path: + default: /swift/v1/KEY_$(tenant_id)s + scheme: + default: http + public: "https" + port: + api: + default: 8088 + public: 443 + ceph_object_store: + name: radosgw + namespace: ceph + hosts: + default: ceph-rgw + public: radosgw + host_fqdn_override: + default: null + public: + host: object-store.DOMAIN + path: + default: /auth/v1.0 + scheme: + default: "http" + public: "https" + port: + api: + default: 8088 + public: 443 + oslo_db: + hosts: + default: mariadb + discovery: mariadb-discovery + host_fqdn_override: + default: null + path: /DB_NAME + scheme: mysql+pymysql + port: + mysql: + default: 3306 + wsrep: + default: 4567 + keystone_oslo_messaging: + namespace: openstack + hosts: + default: keystone-rabbitmq + host_fqdn_override: + default: null + path: /keystone + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + keystone_rabbitmq_exporter: + namespace: openstack + hosts: + default: keystone-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + oslo_cache: + namespace: openstack + hosts: + default: memcached + host_fqdn_override: + default: null + port: + memcache: + default: 11211 + identity: + namespace: openstack + name: keystone + hosts: + default: keystone-api + public: keystone + host_fqdn_override: + default: null + public: + host: identity.DOMAIN + path: + default: /v3 + scheme: + default: "http" + public: "https" + port: + admin: + default: 35357 + api: + default: 80 + public: 443 + glance_oslo_messaging: + namespace: openstack + hosts: + default: glance-rabbitmq + host_fqdn_override: + default: null + path: /glance + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 
15672 + glance_rabbitmq_exporter: + namespace: openstack + hosts: + default: glance-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + image: + name: glance + hosts: + default: glance-api + public: glance + host_fqdn_override: + default: null + public: + host: image.DOMAIN + path: + default: null + scheme: + default: "http" + public: "https" + port: + api: + default: 9292 + public: 443 + image_registry: + name: glance-registry + hosts: + default: glance-registry + public: glance-reg + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + api: + default: 9191 + public: 80 + cinder_oslo_messaging: + namespace: openstack + hosts: + default: cinder-rabbitmq + host_fqdn_override: + default: null + path: /cinder + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + cinder_rabbitmq_exporter: + namespace: openstack + hosts: + default: cinder-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + volume: + name: cinder + hosts: + default: cinder-api + public: cinder + host_fqdn_override: + default: null + public: + host: volume.DOMAIN + path: + default: "/v1/%(tenant_id)s" + scheme: + default: "http" + public: "https" + port: + api: + default: 8776 + public: 443 + volumev2: + name: cinderv2 + hosts: + default: cinder-api + public: cinder + host_fqdn_override: + default: null + public: + host: volume.DOMAIN + path: + default: "/v2/%(tenant_id)s" + scheme: + default: "http" + public: "https" + port: + api: + default: 8776 + public: 443 + volumev3: + name: cinderv3 + hosts: + default: cinder-api + public: cinder + host_fqdn_override: + default: null + public: + host: volume.DOMAIN + path: + default: "/v3/%(tenant_id)s" + scheme: + default: "http" + public: "https" + port: + api: + default: 8776 + public: 443 + 
heat_oslo_messaging: + namespace: openstack + hosts: + default: heat-rabbitmq + host_fqdn_override: + default: null + path: /heat + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + heat_rabbitmq_exporter: + namespace: openstack + hosts: + default: heat-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + orchestration: + name: heat + hosts: + default: heat-api + public: heat + host_fqdn_override: + default: null + public: + host: orchestration.DOMAIN + path: + default: "/v1/%(project_id)s" + scheme: + default: "http" + public: "https" + port: + api: + default: 8004 + public: 443 + cloudformation: + name: heat-cfn + hosts: + default: heat-cfn + public: cloudformation + host_fqdn_override: + default: null + public: + host: cloudformation.DOMAIN + path: + default: /v1 + scheme: + default: "http" + public: "https" + port: + api: + default: 8000 + public: 443 + cloudwatch: + name: heat-cloudwatch + hosts: + default: heat-cloudwatch + public: cloudwatch + host_fqdn_override: + default: null + path: + default: null + type: null + scheme: + default: "http" + port: + api: + default: 8003 + public: 80 + neutron_oslo_messaging: + namespace: openstack + hosts: + default: neutron-rabbitmq + host_fqdn_override: + default: null + path: /neutron + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + neutron_rabbitmq_exporter: + namespace: openstack + hosts: + default: neutron-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + network: + name: neutron + hosts: + default: neutron-server + public: neutron + host_fqdn_override: + default: null + public: + host: network.DOMAIN + path: + default: null + scheme: + default: "http" + public: "https" + port: + api: + default: 9696 + public: 443 + nova_oslo_messaging: + namespace: openstack + hosts: + 
default: nova-rabbitmq + host_fqdn_override: + default: null + path: /nova + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + nova_rabbitmq_exporter: + namespace: openstack + hosts: + default: nova-rabbitmq-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9095 + compute: + name: nova + hosts: + default: nova-api + public: nova + host_fqdn_override: + default: null + public: + host: compute.DOMAIN + path: + default: "/v2/%(tenant_id)s" + scheme: + default: "http" + public: "https" + port: + api: + default: 8774 + public: 443 + novncproxy: + default: 443 + compute_metadata: + name: nova + hosts: + default: nova-metadata + public: metadata + host_fqdn_override: + default: null + path: + default: / + scheme: + default: "http" + port: + metadata: + default: 8775 + public: 80 + compute_novnc_proxy: + name: nova + hosts: + default: nova-novncproxy + public: novncproxy + host_fqdn_override: + default: null + public: + host: nova-novncproxy.DOMAIN + path: + default: /vnc_auto.html + scheme: + default: "http" + public: "https" + port: + novnc_proxy: + default: 6080 + public: 443 + compute_spice_proxy: + name: nova + hosts: + default: nova-spiceproxy + host_fqdn_override: + default: null + path: + default: /spice_auto.html + scheme: + default: "http" + port: + spice_proxy: + default: 6082 + placement: + name: placement + hosts: + default: placement-api + public: placement + host_fqdn_override: + default: null + public: + host: placement.DOMAIN + path: + default: / + scheme: + default: "http" + public: "https" + port: + api: + default: 8778 + public: 443 + dashboard: + name: horizon + hosts: + default: horizon-int + public: horizon + host_fqdn_override: + default: null + public: + host: dashboard.DOMAIN + path: + default: null + scheme: + default: "http" + public: "https" + port: + web: + default: 80 + public: 443 +... 
+--- +schema: pegleg/EndpointCatalogue/v1 +metadata: + schema: metadata/Document/v1 + name: osh_infra_endpoints + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh_infra.kibana.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh_infra.grafana.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .dns.ingress_domain + dest: + path: .osh_infra.nagios.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh_infra.kibana.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh_infra.kibana.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh_infra.kibana.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh_infra.grafana.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh_infra.grafana.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . + dest: + path: .osh_infra.grafana.host_fqdn_override.public.tls.key + - src: + schema: deckhand/Certificate/v1 + name: ingress-crt + path: . + dest: + path: .osh_infra.nagios.host_fqdn_override.public.tls.crt + - src: + schema: deckhand/CertificateAuthority/v1 + name: ingress-ca + path: . + dest: + path: .osh_infra.nagios.host_fqdn_override.public.tls.ca + - src: + schema: deckhand/CertificateKey/v1 + name: ingress-key + path: . 
+ dest: + path: .osh_infra.nagios.host_fqdn_override.public.tls.key + path: .osh_infra.nagios.host_fqdn_override.public.tls.key + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .ldap.base_url + dest: + path: .osh_infra.ldap.host_fqdn_override.public.host + pattern: DOMAIN + - src: + schema: pegleg/CommonAddresses/v1 + name: common-addresses + path: .ldap.auth_path + dest: + path: .osh_infra.ldap.path.default + pattern: AUTH_PATH +data: + osh_infra: + elasticsearch: + name: elasticsearch + namespace: osh-infra + hosts: + data: elasticsearch-data + default: elasticsearch-logging + discovery: elasticsearch-discovery + public: elasticsearch + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + http: + default: 80 + prometheus_elasticsearch_exporter: + namespace: null + hosts: + default: elasticsearch-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9108 + fluentd: + namespace: osh-infra + name: fluentd + hosts: + default: fluentd-logging + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + service: + default: 24224 + metrics: + default: 24220 + prometheus_fluentd_exporter: + namespace: osh-infra + hosts: + default: fluentd-exporter + host_fqdn_override: + default: null + path: + default: /metrics + scheme: + default: "http" + port: + metrics: + default: 9309 + oslo_db: + namespace: osh-infra + hosts: + default: mariadb + host_fqdn_override: + default: null + path: /DB_NAME + scheme: mysql+pymysql + port: + mysql: + default: 3306 + grafana: + name: grafana + namespace: osh-infra + hosts: + default: grafana-dashboard + public: grafana + host_fqdn_override: + default: null + public: + host: grafana.DOMAIN + path: + default: null + scheme: + default: "http" + public: "https" + port: + grafana: + default: 3000 + public: 443 + monitoring: + name: prometheus + namespace: 
osh-infra + hosts: + default: prom-metrics + public: prometheus + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + api: + default: 9090 + public: 80 + kibana: + name: kibana + namespace: osh-infra + hosts: + default: kibana-dash + public: kibana + host_fqdn_override: + default: null + public: + host: kibana.DOMAIN + path: + default: null + scheme: + default: "http" + public: "https" + port: + kibana: + default: 5601 + public: 443 + alerts: + name: alertmanager + namespace: osh-infra + hosts: + default: alerts-engine + public: alertmanager + discovery: alertmanager-discovery + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + api: + default: 9093 + public: 80 + mesh: + default: 6783 + kube_state_metrics: + namespace: kube-system + hosts: + default: kube-state-metrics + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + http: + default: 8080 + kube_scheduler: + scheme: + default: "http" + path: + default: /metrics + kube_controller_manager: + scheme: + default: "http" + path: + default: /metrics + node_metrics: + namespace: kube-system + hosts: + default: node-exporter + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + metrics: + default: 9100 + prometheus_port: + default: 9100 + prometheus_openstack_exporter: + namespace: openstack + hosts: + default: openstack-metrics + host_fqdn_override: + default: null + path: + default: null + scheme: + default: "http" + port: + exporter: + default: 9103 + nagios: + name: nagios + namespace: osh-infra + hosts: + default: nagios-metrics + public: nagios + host_fqdn_override: + default: null + public: + host: nagios.DOMAIN + path: + default: null + scheme: + default: http + public: https + port: + http: + default: 80 + public: 443 + ldap: + hosts: + default: ldap + host_fqdn_override: + default: null + public: + host: DOMAIN + path: + 
default: /AUTH_PATH + scheme: + default: "ldap" + port: + ldap: + default: 389 +... diff --git a/site/airship-seaworthy/software/config/service_accounts.yaml b/site/airship-seaworthy/software/config/service_accounts.yaml new file mode 100644 index 000000000..eed80d2d3 --- /dev/null +++ b/site/airship-seaworthy/software/config/service_accounts.yaml 
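Review bot: In the `osh_infra_endpoints` substitutions, the last `ingress-key` entry repeats `path: .osh_infra.nagios.host_fqdn_override.public.tls.key` twice under `dest:`. That is a duplicate mapping key, which strict YAML loaders reject and lenient ones silently collapse, so the second line should be dropped. Separately, the `ldap` endpoint declares `scheme: default: "ldap"` on port 389 with its host substituted from `.ldap.base_url`, so directory binds from the osh-infra services would presumably cross the network without TLS; if the directory supports it, `ldaps` on 636 (or StartTLS in the consuming charts) is the safer default. All three catalogue documents also receive the `deckhand/CertificateKey/v1` document `ingress-key` by substitution while declaring `storagePolicy: cleartext`, so it is worth confirming how the rendered catalogues are stored and who can read them, and whether `storagePolicy: encrypted` is the intended setting for documents that end up holding the private key.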
@@ -0,0 +1,420 @@
+---
+# The purpose of this file is to define the account catalog for the site. This
+# mostly contains service usernames, but also contain some information which
+# should be changed like the region (site) name.
+schema: pegleg/AccountCatalogue/v1
+metadata:
+ schema: metadata/Document/v1
+ name: ucp_service_accounts
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ ucp:
+ postgres:
+ admin:
+ username: postgres
+ oslo_db:
+ admin:
+ username: root
+ oslo_messaging:
+ admin:
+ username: rabbitmq
+ keystone:
+ admin:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ username: admin
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ oslo_messaging:
+ admin:
+ username: rabbitmq
+ keystone:
+ username: keystone
+ oslo_db:
+ username: keystone
+ database: keystone
+ promenade:
+ keystone:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: promenade
+ drydock:
+ keystone:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: drydock
+ postgres:
+ username: drydock
+ database: drydock
+ shipyard:
+ keystone:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: shipyard
+ postgres:
+ username: shipyard
+ database: shipyard
+ airflow:
+ postgres:
+ username: airflow
+ database: airflow
+ oslo_messaging:
+ username: rabbitmq
+ maas:
+ admin:
+ username: admin
+ email: none@none
+ postgres:
+ username: maas
+ database: maasdb
+ barbican:
+ keystone:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: barbican
+ oslo_db:
+ username: barbican
+ database: barbican
+ oslo_messaging:
+ admin:
+ username: rabbitmq
+ keystone:
+ username: keystone
+ armada:
+ keystone:
+ project_domain_name: default
+ user_domain_name: default
+ project_name: service
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ user_domain_name: default
+ username: armada
+ deckhand:
+ keystone:
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: deckhand
+ postgres:
+ username: deckhand
+ database: deckhand
+ ceph:
+ swift:
+ keystone:
+ role: admin
+ # NEWSITE-CHANGEME: Replace with the site name
+ region_name: airship-seaworthy
+ username: swift
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+...
+---
+schema: pegleg/AccountCatalogue/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_service_accounts
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.keystone.admin.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.cinder.cinder.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.glance.glance.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.heat.heat.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.heat.heat_trustee.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.heat.heat_stack_user.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.swift.keystone.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.neutron.neutron.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.nova.nova.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.nova.placement.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.barbican.barbican.region_name
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh.barbican.barbican.region_name
+data:
+ osh:
+ keystone:
+ admin:
+ username: admin
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: keystone
+ database: keystone
+ oslo_messaging:
+ admin:
+ username: keystone-rabbitmq-admin
+ keystone:
+ username: keystone-rabbitmq-user
+ ldap:
+ # NEWSITE-CHANGEME: Replace with the site's LDAP account used to
+ # authenticate to the active directory backend to validate keystone
+ # users.
+ username: "test@ldap.example.com"
+ cinder:
+ cinder:
+ role: admin
+ username: cinder
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: cinder
+ database: cinder
+ oslo_messaging:
+ admin:
+ username: cinder-rabbitmq-admin
+ cinder:
+ username: cinder-rabbitmq-user
+ glance:
+ glance:
+ role: admin
+ username: glance
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: glance
+ database: glance
+ oslo_messaging:
+ admin:
+ username: glance-rabbitmq-admin
+ glance:
+ username: glance-rabbitmq-user
+ ceph_object_store:
+ username: glance
+ heat:
+ heat:
+ role: admin
+ username: heat
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ heat_trustee:
+ role: admin
+ username: heat-trust
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ heat_stack_user:
+ role: admin
+ username: heat-domain
+ domain_name: heat
+ oslo_db:
+ username: heat
+ database: heat
+ oslo_messaging:
+ admin:
+ username: heat-rabbitmq-admin
+ heat:
+ username: heat-rabbitmq-user
+ swift:
+ keystone:
+ role: admin
+ username: swift
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ admin:
+ username: root
+ neutron:
+ neutron:
+ role: admin
+ username: neutron
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: neutron
+ database: neutron
+ oslo_messaging:
+ admin:
+ username: neutron-rabbitmq-admin
+ neutron:
+ username: neutron-rabbitmq-user
+ nova:
+ nova:
+ role: admin
+ username: nova
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ placement:
+ role: admin
+ username: placement
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: nova
+ database: nova
+ oslo_db_api:
+ username: nova
+ database: nova_api
+ oslo_db_cell0:
+ username: nova
+ database: "nova_cell0"
+ oslo_messaging:
+ admin:
+ username: nova-rabbitmq-admin
+ nova:
+ username: nova-rabbitmq-user
+ horizon:
+ oslo_db:
+ username: horizon
+ database: horizon
+ barbican:
+ barbican:
+ role: admin
+ username: barbican
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ oslo_db:
+ username: barbican
+ database: barbican
+ oslo_messaging:
+ admin:
+ username: barbican-rabbitmq-admin
+ barbican:
+ username: barbican-rabbitmq-user
+...
+---
+schema: pegleg/AccountCatalogue/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_infra_service_accounts
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: pegleg/CommonSoftwareConfig/v1
+ name: common-software-config
+ path: .osh.region_name
+ dest:
+ path: .osh_infra.prometheus_openstack_exporter.user.region_name
+data:
+ osh_infra:
+ grafana:
+ admin:
+ username: grafana
+ oslo_db:
+ username: grafana
+ database: grafana
+ oslo_db_session:
+ username: grafana_session
+ database: grafana_session
+ elasticsearch:
+ admin:
+ username: elasticsearch
+ kibana:
+ admin:
+ username: kibana
+ oslo_db:
+ admin:
+ username: root
+ prometheus_openstack_exporter:
+ user:
+ role: admin
+ username: prometheus-openstack-exporter
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ nagios:
+ admin:
+ username: nagios
+ ldap:
+ admin:
+ # NEWSITE-CHANGEME: Replace with the site's LDAP account used to
+ # authenticate to the active directory backend to validate keystone
+ # users.
+ bind: "test@ldap.example.com"
+...
diff --git a/site/airship-seaworthy/software/manifests/full-site.yaml b/site/airship-seaworthy/software/manifests/full-site.yaml
new file mode 100644
index 000000000..593dfc106
--- /dev/null
+++ b/site/airship-seaworthy/software/manifests/full-site.yaml
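Review bot: In `ucp_service_accounts`, the `armada` → `keystone` mapping sets `user_domain_name: default` twice, once after `project_domain_name` and again just before `username: armada` (as far as the flattened text shows, both sit at the same level). YAML loaders differ on duplicate keys, some rejecting the document and others silently keeping the last value, so an account definition should not rely on that; drop the second occurrence. The `osh_service_accounts` substitutions list also ends with two identical entries whose `dest` is `path: .osh.barbican.barbican.region_name`, so one should be removed, or corrected if another destination was meant. Separately, every Keystone service user in this file carries `role: admin`; if the charts require that, a short comment such as `# admin role required by the chart's service user` would help anyone auditing these accounts for least privilege.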
@@ -0,0 +1,56 @@
+---
+# This file defines the "full-site" armada manifest and should not need to
+# change for new sites.
+# #GLOBAL-CANDIDATE#
+schema: armada/Manifest/v1
+metadata:
+ schema: metadata/Document/v1
+ name: full-site
+ layeringDefinition:
+ abstract: false
+ layer: site
+ parentSelector:
+ name: full-site-global
+ actions:
+ - method: merge
+ path: .
+ storagePolicy: cleartext
+data:
+ release_prefix: airship
+ chart_groups:
+ - kubernetes-proxy
+ - kubernetes-container-networking
+ - kubernetes-dns
+ - kubernetes-etcd
+ - kubernetes-haproxy
+ - kubernetes-core
+ - ingress-kube-system
+ - ucp-ceph-update
+ - ucp-ceph-config
+ - ucp-core
+ - ucp-keystone
+ - ucp-divingbell
+ - ucp-armada
+ - ucp-deckhand
+ - ucp-drydock
+ - ucp-promenade
+ - ucp-shipyard
+ - osh-infra-ingress-controller
+ - osh-infra-ceph-config
+ - osh-infra-logging
+ - osh-infra-monitoring
+ - osh-infra-mariadb
+ - osh-infra-dashboards
+ - openstack-ingress-controller
+ - openstack-ceph-config
+ - openstack-mariadb
+ - openstack-memcached
+ - openstack-keystone
+ - openstack-radosgw
+ - openstack-glance
+ - openstack-cinder
+ - openstack-compute-kit
+ - openstack-heat
+ - osh-infra-prometheus-openstack-exporter
+ - openstack-horizon
+...
diff --git a/type/foundry/v4.0/network/KubernetesNetwork.yaml b/type/foundry/v4.0/network/KubernetesNetwork.yaml
new file mode 100644
index 000000000..1124d63d8
--- /dev/null
+++ b/type/foundry/v4.0/network/KubernetesNetwork.yaml
@@ -0,0 +1,97 @@
+---
+schema: promenade/KubernetesNetwork/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kubernetes-network
+ layeringDefinition:
+ abstract: false
+ layer: type
+ storagePolicy: cleartext
+ substitutions:
+ # DNS
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.cluster_domain
+ dest:
+ path: .dns.cluster_domain
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.service_ip
+ dest:
+ path: .dns.service_ip
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.upstream_servers
+ dest:
+ path: .dns.upstream_servers
+
+ # Kubernetes IPs
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.api_service_ip
+ dest:
+ path: .kubernetes.service_ip
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.pod_cidr
+ dest:
+ path: .kubernetes.pod_cidr
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.service_cidr
+ dest:
+ path: .kubernetes.service_cidr
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.apiserver_port
+ dest:
+ path: .kubernetes.apiserver_port
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.haproxy_port
+ dest:
+ path: .kubernetes.haproxy_port
+
+ # etcd IPs
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .etcd.container_port
+ dest:
+ path: .etcd.container_port
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .etcd.haproxy_port
+ dest:
+ path: .etcd.haproxy_port
+
+ # proxy
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .proxy.http
+ dest:
+ path: .proxy.url
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .proxy.no_proxy
+ dest:
+ path: .proxy.additional_no_proxy
+
+data:
+ dns:
+ bootstrap_validation_checks:
+ - calico-etcd.kube-system.svc.cluster.local
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - kubernetes.default.svc.cluster.local
+...
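Review bot: The three `bootstrap_validation_checks` names at the end of the hunk hard-code the `cluster.local` suffix, while `.dns.cluster_domain` in the same document is substituted from `common-addresses`. A site that sets a different cluster domain would presumably end up with validation checks for names that do not exist in its cluster. A comment above the list would make the coupling visible, e.g. `# NOTE: these names assume .dns.cluster_domain is cluster.local; keep in sync with common-addresses`. As a smaller style point, the `# Kubernetes IPs` and `# etcd IPs` headings also cover port substitutions, so `# Kubernetes addresses and ports` / `# etcd ports` would describe them more accurately.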