Merge "Add reference multi-tenant site"

manifests/site/reference-multi-tenant/ephemeral/bootstrap/baremetalhost.yaml

@@ -0,0 +1,22 @@
+# This patches the node02 BMH to be suitable for ephemeral purposes
+apiVersion: metal3.io/v1alpha1
+kind: BareMetalHost
+metadata:
+  annotations:
+  labels:
+    airshipit.org/ephemeral-node: "true"
+    airshipit.org/deploy-k8s: "false"
+  # NEWSITE_CHANGEME : ephemeral node name
+  name: stl3r01s02
+spec:
+  online: true
+  bmc:
+    # NEWSITE_CHANGEME: ephemeral node redhish api endpoint
+    address: redfish+https://10.253.200.36/redfish/v1/Systems/System.Embedded.1
+status:
+  provisioning:
+# we need this status to make sure, that the host is not going to be
+# reprovisioned by the ephemeral baremetal operator.
+# when we have more flexible labeling system in place, we will not
+# deliver this document to ephemeral cluster
+    state: externally provisioned

manifests/site/reference-multi-tenant/ephemeral/bootstrap/hostgenerator/host-generation.yaml

@@ -0,0 +1,11 @@
+# Site-level, phase-specific lists of hosts to generate
+# This is used by the hostgenerator-m3 function to narrow down the site-level
+# host-catalogue to just the hosts needed for a particular phase.
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    ## NEWSITE_CHANGEME: The ephemeral node name
+    - stl3r01s02

manifests/site/reference-multi-tenant/ephemeral/bootstrap/hostgenerator/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example
+  - ../../catalogues/
+  - host-generation.yaml
+
+transformers:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3/replacements
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example/replacements
+  - ../../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/ephemeral/bootstrap/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../type/multi-tenant/ephemeral/bootstrap
+  - ../catalogues
+
+generators:
+  - hostgenerator
+
+patchesStrategicMerge:
+  - baremetalhost.yaml
+
+transformers:
+  - ../../../../type/multi-tenant/ephemeral/bootstrap/replacements

manifests/site/reference-multi-tenant/ephemeral/catalogues/README.md

@@ -0,0 +1,4 @@
+# Catalogue Definitions for Target Cluster
+
+This inherits Site-level catalogues from the neighboring target cluster's
+`catalogues` kustomization, and tweaks a few values for the ephemeral cluster.

manifests/site/reference-multi-tenant/ephemeral/catalogues/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../target/catalogues
+patchesStrategicMerge:
+  - networking.yaml

manifests/site/reference-multi-tenant/ephemeral/catalogues/networking.yaml

@@ -0,0 +1,24 @@
+# This makes a couple small networking tweaks that are specific to the
+# ephemeral cluster, on top of the target cluster networking definition.
+# These values can be overridden at the site, type, etc levels as appropriate.
+
+## NEWSITE_CHANGEME: update file with ephemeral node ips
+apiVersion: airshipit.org/v1alpha1
+kind: NetworkCatalogue
+metadata:
+  name: networking
+spec:
+  kubernetes:
+    serviceCidr: "10.96.0.0/12"
+    podCidr: "192.168.0.0/18"
+    controlPlaneEndpoint:
+      # NEWSITE_CHANGEME: Ephemeral node oam ip
+      host: "10.254.125.231"
+      port: 6443
+    # NEWSITE_CHANGEME: ephemeral node calico ip and pxe ip
+    apiserverCertSANs: "[172.64.0.12, 172.63.0.12]"
+  ironic:
+    # NEWSITE_CHANGEME: Ephemeral node PXE network
+    provisioningInterface: "eno4"
+    provisioningIp: "172.63.0.12"
+    dhcpRange: "172.63.0.31,172.63.0.126"

manifests/site/reference-multi-tenant/ephemeral/controlplane/hostgenerator/host-generation.yaml

@@ -0,0 +1,11 @@
+# Site-level, phase-specific lists of hosts to generate
+# This is used by the hostgenerator-m3 function to narrow down the site-level
+# host-catalogue to just the hosts needed for a particular phase.
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    ## NEWSITE_CHANGEME: Target cluster first node
+    - stl3r01s01

manifests/site/reference-multi-tenant/ephemeral/controlplane/hostgenerator/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example
+  - ../../catalogues/
+  - host-generation.yaml
+
+transformers:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3/replacements
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example/replacements
+  - ../../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/ephemeral/controlplane/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../type/multi-tenant/ephemeral/controlplane
+  - ../../target/catalogues # NOTE: use target networking for this phase
+  # TODO (dukov) It's recocommended to upload BareMetalHost objects separately
+  # otherwise nodes will hang in 'registering' state for quite a long time
+  - nodes
+transformers:
+  - ../../../../type/multi-tenant/ephemeral/controlplane/replacements

manifests/site/reference-multi-tenant/ephemeral/controlplane/nodes/kustomization.yaml

@@ -0,0 +1,12 @@
+# Note: this weird extra layer between the .. and ../hostgenerator
+# is purely to apply the label below to the generated hosts.
+# When can come up with a better way to declare (e.g. via catalogue)
+# that the host is a controlplane host, we should get rid of this.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ../hostgenerator
+
+commonLabels:
+  airshipit.org/k8s-role: controlplane-host

manifests/site/reference-multi-tenant/ephemeral/initinfra-networking/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - ../../../../type/airship-core/ephemeral/initinfra-networking

manifests/site/reference-multi-tenant/ephemeral/initinfra/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - ../../../../type/multi-tenant/ephemeral/initinfra
+  - ../catalogues
+transformers:
+  - ../../../../type/multi-tenant/ephemeral/initinfra/replacements

manifests/site/reference-multi-tenant/host-inventory/hostgenerator/host-generation.yaml

@@ -0,0 +1,18 @@
+# Site-level, phase-specific lists of hosts to generate
+# This is used by the hostgenerator-m3 function to narrow down the site-level
+# host-catalogue to just the hosts needed for a particular phase.
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    # Note: this list should be kept up to date with
+    # the full list of hosts in the cluster
+    ## NEWSITE_CHANGEME: list of all the hosts
+    - stl3r01s01
+    - stl3r01s02
+    - stl3r01s03
+    - stl3r01s04
+    - stl3r01s05
+    - stl3r01s06

manifests/site/reference-multi-tenant/host-inventory/hostgenerator/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../../../airshipctl/manifests/function/hostgenerator-m3/
+  - ../../target/catalogues
+  - host-generation.yaml
+
+transformers:
+  - ../../../../../../airshipctl/manifests/function/hostgenerator-m3/replacements
+  - ../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/host-inventory/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - hostgenerator

manifests/site/reference-multi-tenant/kubeconfig/kubeconfig.yaml

@@ -0,0 +1,40 @@
+apiVersion: airshipit.org/v1alpha1
+kind: KubeConfig
+metadata:
+  name: default
+  labels:
+    airshipit.org/deploy-k8s: "false"
+config:
+  apiVersion: v1
+  clusters:
+  - cluster:
+      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWRENDQWp5Z0F3SUJBZ0lVTUNwc09vRXhyRzdnRTVMOVJSamdnT01UOG53d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dURVhNQlVHQTFVRUF3d09TM1ZpWlhKdVpYUmxjeUJCVUVrd0hoY05NakF3T1RFMU1ERXdORE0zV2hjTgpNekF3T1RFek1ERXdORE0zV2pBWk1SY3dGUVlEVlFRRERBNUxkV0psY201bGRHVnpJRUZRU1RDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtBZFo0UWJHZmlLTExpTXNHcFJKS3d5ZkRGWVI5U0MKbGtVb3hlTU1BZVBkeVNNU0paTTlFMFBOaDM5TUtTVjNSZDRIZWt1eGdHK3J4em83WmcrZU1aY1hyNFk3ektQMwo1SW0vaERkMm1TYThsMEkxZTRwV3B0Z25vZjdvRWJpSXVIU2YxQmRhMU4wWm1EUUdtckxyQnFOZFE3c1BVenNWCllPejZVUFZlamNIeEFjMXBvMWZsQXYrWVNZejVXa28wRVRnTXZYRGtxT0hrWFc1WnhPcHBVbiszOVpvWTZMK3gKVmUwUHFQdHlmSVZ1M3dtcnZFNGd4SmxtWEk3dUxmdzZONHpwS2RuK0k0K1RJRWF5aE1EMWRRenNwQzRMM0IrcApYcHFPMWNWM2ZKMlBycS9mNU14SnIxWTVHUTZlQlZyTGVod1ZWTEhEMzF3ZWFpZ3UzeStyM3RVQ0F3RUFBYU9CCmt6Q0JrREFkQmdOVkhRNEVGZ1FVT1d5YTNFd2J5c25UUy9ZajFWTEtjMGh4aDRvd1ZBWURWUjBqQkUwd1M0QVUKT1d5YTNFd2J5c25UUy9ZajFWTEtjMGh4aDRxaEhhUWJNQmt4RnpBVkJnTlZCQU1NRGt0MVltVnlibVYwWlhNZwpRVkJKZ2hRd0ttdzZnVEdzYnVBVGt2MUZHT0NBNHhQeWZEQU1CZ05WSFJNRUJUQURBUUgvTUFzR0ExVWREd1FFCkF3SUJCakFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBTVp1U2tJbTdQdlA4MW5HSjlYOVZFOFVZTVdDSU5GMEEKYit1UURFaHRGc0dxdnZFZHhQcURUWUpwdlF1SUJlOVd0cmlWRzh0MENIL1NnZ0g2TlJod0wyYkJwMm5WaEFVVwphK3hZL1RpTmMzUEl5RHNFeEY3VHVENGJzaW1BQUJTZ2ZtbXRxV1dqajRyOStodS9vZ09jLzQyYk9JT0JWbHNkCi9VNzBiR3dZQjU5QXgvL2dIWVJmVDl3L3p0VHBvY2tzdEhhSjZsVDd5SFlqYUkzaU5EWnZNSnFRSWNxME4vTEMKcVBjWjBWQXBMUTZRUHRpMWpVSzBGM1VlZEF6TVc3ZFF4NkV3Qjd5UHo4NWdZS3ZJdWdyaStrc2YwbGMyeHVDRwpXTGg2YjFNWk9Cc1NZNkppVHpSUUpYdXNCRUdaTGN5VkRJSEU3Y0Q4NWhOQmZpdDAvejFmZlE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
+      ## NEWSITE_CHANGEME: update ip with the vrrp k8s ip
+      server: https://10.254.125.239:6443
+    name: target-cluster
+  - cluster:
+      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1USXlOakE0TWpneU5Gb1hEVEk1TVRJeU16QTRNamd5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTFSClM0d3lnajNpU0JBZjlCR0JUS1p5VTFwYmdDaGQ2WTdJektaZWRoakM2K3k1ZEJpWm81ZUx6Z2tEc2gzOC9YQ1MKenFPS2V5cE5RcDN5QVlLdmJKSHg3ODZxSFZZNjg1ZDVYVDNaOHNyVVRzVDR5WmNzZHAzV3lHdDM0eXYzNi9BSQoxK1NlUFErdU5JemN6bzNEdWhXR0ZoQjk3VjZwRitFUTBlVWN5bk05c2hkL3AwWVFzWDR1ZlhxaENENVpzZnZUCnBka3UvTWkyWnVGUldUUUtNeGpqczV3Z2RBWnBsNnN0L2ZkbmZwd1Q5cC9WTjRuaXJnMEsxOURTSFFJTHVrU2MKb013bXNBeDJrZmxITWhPazg5S3FpMEloL2cyczRFYTRvWURZemt0Y2JRZ24wd0lqZ2dmdnVzM3pRbEczN2lwYQo4cVRzS2VmVGdkUjhnZkJDNUZNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJek9BL00xWmRGUElzd2VoWjFuemJ0VFNURG4KRHMyVnhSV0VnclFFYzNSYmV3a1NkbTlBS3MwVGR0ZHdEbnBEL2tRYkNyS2xEeFF3RWg3NFZNSFZYYkFadDdsVwpCSm90T21xdXgxYThKYklDRTljR0FHRzFvS0g5R29jWERZY0JzOTA3ckxIdStpVzFnL0xVdG5hN1dSampqZnBLCnFGelFmOGdJUHZIM09BZ3B1RVVncUx5QU8ya0VnelZwTjZwQVJxSnZVRks2TUQ0YzFmMnlxWGxwNXhrN2dFSnIKUzQ4WmF6d0RmWUVmV3Jrdld1YWdvZ1M2SktvbjVEZ0Z1ZHhINXM2Snl6R3lPVnZ0eG1TY2FvOHNxaCs3UXkybgoyLzFVcU5ZK0hlN0x4d04rYkhwYkIxNUtIMTU5ZHNuS3BRbjRORG1jSTZrVnJ3MDVJMUg5ZGRBbGF0bz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+      ## NEWSITE_CHANGEME: update ip with the ephemeral node oam ip
+      server: https://10.254.125.231:6443
+    name: ephemeral-cluster
+  contexts:
+  - context:
+      cluster: target-cluster
+      user: target-cluster-admin
+    name: target-cluster
+  - context:
+      cluster: ephemeral-cluster
+      user: ephemeral-cluster-admin
+    name: ephemeral-cluster
+  current-context: ""
+  kind: Config
+  preferences: {}
+  users:
+  - name: ephemeral-cluster-admin
+    user:
+      client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXJnQ0ZFdFBveEZYSjVrVFNWTXQ0OVlqcHBQL3hCYnlNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1CVXgKRXpBUkJnTlZCQU1UQ210MVltVnlibVYwWlhNd0hoY05NakF3TVRJME1Ua3hOVEV3V2hjTk1qa3hNakF5TVRreApOVEV3V2pBME1Sa3dGd1lEVlFRRERCQnJkV0psY201bGRHVnpMV0ZrYldsdU1SY3dGUVlEVlFRS0RBNXplWE4wClpXMDZiV0Z6ZEdWeWN6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1iaFhUUmsKVjZiZXdsUjBhZlpBdTBGYWVsOXRtRThaSFEvaGtaSHhuTjc2bDZUUFltcGJvaDRvRjNGMFFqbzROS1o5NVRuWgo0OWNoV240eFJiZVlPU25EcDBpV0Qzd0pXUlZ5aVFvVUFyYTlNcHVPNkVFU1FpbFVGNXNxc0VXUVdVMjBETStBCkdxK1k0Z2c3eDJ1Q0hTdk1GUmkrNEw5RWlXR2xnRDIvb1hXUm5NWEswNExQajZPb3Vkb2Zid2RmT3J6dTBPVkUKUzR0eGtuS1BCY1BUU3YxMWVaWVhja0JEVjNPbExENEZ3dTB3NTcwcnczNzAraEpYdlZxd3Zjb2RjZjZEL1BXWQowamlnd2ppeUJuZ2dXYW04UVFjd1Nud3o0d05sV3hKOVMyWUJFb1ptdWxVUlFaWVk5ZXRBcEpBdFMzTjlUNlQ2ClovSlJRdEdhZDJmTldTYkxEck5qdU1OTGhBYWRMQnhJUHpBNXZWWk5aalJkdEMwU25pMlFUMTVpSFp4d1RxcjQKakRQQ0pYRXU3KytxcWpQVldUaUZLK3JqcVNhS1pqVWZVaUpHQkJWcm5RZkJENHNtRnNkTjB5cm9tYTZOYzRMNQpKS21RV1NHdmd1aG0zbW5sYjFRaVRZanVyZFJQRFNmdmwrQ0NHbnA1QkkvZ1pwMkF1SHMvNUpKVTJlc1ZvL0xsCkVPdHdSOXdXd3dXcTAvZjhXS3R4bVRrMTUyOUp2dFBGQXQweW1CVjhQbHZlYnVwYmJqeW5pL2xWbTJOYmV6dWUKeCtlMEpNbGtWWnFmYkRSS243SjZZSnJHWW1CUFV0QldoSVkzb1pJVTFEUXI4SUlIbkdmYlZoWlR5ME1IMkFCQQp1dlVQcUtSVk80UGkxRTF4OEE2eWVPeVRDcnB4L0pBazVyR2RBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFECmdnRUJBSWNFM1BxZHZDTVBIMnJzMXJESk9ESHY3QWk4S01PVXZPRi90RjlqR2EvSFBJbkh3RlVFNEltbldQeDYKVUdBMlE1bjFsRDFGQlU0T0M4eElZc3VvS1VQVHk1T0t6SVNMNEZnL0lEcG54STlrTXlmNStMR043aG8rblJmawpCZkpJblVYb0tERW1neHZzSWFGd1h6bGtSTDJzL1lKYUZRRzE1Uis1YzFyckJmd2dJOFA5Tkd6aEM1cXhnSmovCm04K3hPMGhXUmJIYklrQ21NekRib2pCSWhaL00rb3VYR1doei9TakpodXhZTVBnek5MZkFGcy9PMTVaSjd3YXcKZ3ZoSGc3L2E5UzRvUCtEYytPa3VrMkV1MUZjL0E5WHpWMzc5aWhNWW5ub3RQMldWeFZ3b0ZZQUg0NUdQcDZsUApCQmwyNnkxc2JMbjl6aGZYUUJIMVpFN0EwZVE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+      client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBeHVGZE5HUlhwdDdDVkhScDlrQzdRVnA2WDIyWVR4a2REK0dSa2ZHYzN2cVhwTTlpCmFsdWlIaWdYY1hSQ09qZzBwbjNsT2RuajF5RmFmakZGdDVnNUtjT25TSllQZkFsWkZYS0pDaFFDdHIweW00N28KUVJKQ0tWUVhteXF3UlpCWlRiUU16NEFhcjVqaUNEdkhhNElkSzh3VkdMN2d2MFNKWWFXQVBiK2hkWkdjeGNyVApncytQbzZpNTJoOXZCMTg2dk83UTVVUkxpM0dTY284Rnc5TksvWFY1bGhkeVFFTlhjNlVzUGdYQzdURG52U3ZECmZ2VDZFbGU5V3JDOXloMXgvb1A4OVpqU09LRENPTElHZUNCWnFieEJCekJLZkRQakEyVmJFbjFMWmdFU2htYTYKVlJGQmxoajE2MENra0MxTGMzMVBwUHBuOGxGQzBacDNaODFaSnNzT3MyTzR3MHVFQnAwc0hFZy9NRG05VmsxbQpORjIwTFJLZUxaQlBYbUlkbkhCT3F2aU1NOElsY1M3djc2cXFNOVZaT0lVcjZ1T3BKb3BtTlI5U0lrWUVGV3VkCkI4RVBpeVlXeDAzVEt1aVpybzF6Z3Zra3FaQlpJYStDNkdiZWFlVnZWQ0pOaU82dDFFOE5KKytYNElJYWVua0UKaitCbW5ZQzRlei9ra2xUWjZ4V2o4dVVRNjNCSDNCYkRCYXJUOS94WXEzR1pPVFhuYjBtKzA4VUMzVEtZRlh3KwpXOTV1Nmx0dVBLZUwrVldiWTF0N081N0g1N1FreVdSVm1wOXNORXFmc25wZ21zWmlZRTlTMEZhRWhqZWhraFRVCk5DdndnZ2VjWjl0V0ZsUExRd2ZZQUVDNjlRK29wRlU3ZytMVVRYSHdEcko0N0pNS3VuSDhrQ1Rtc1owQ0F3RUEKQVFLQ0FnQUJ2U1N3ZVpRZW5HSDhsUXY4SURMQzdvU1ZZd0xxNWlCUDdEdjJsN00wYStKNWlXcWwzV2s4ZEVOSQpOYWtDazAwNmkyMCtwVDROdW5mdEZJYzBoTHN6TjBlMkpjRzY1dVlGZnZ2ZHY3RUtZZnNZU3hhU3d4TWJBMlkxCmNCa2NjcGVsUzBhMVpieFYvck16T1RxVUlRNGFQTzJPU3RUeU55b3dWVjhhcXh0QlNPV2pBUlA2VjlBOHNSUDIKNlVGeVFnM2thdjRla3d0S0M5TW85MEVvcGlkSXNnYy9IYk5kQm5tMFJDUnY0bU1DNmVPTXp0NGx0UVNldG0rcwpaRkUwZkM5cjkwRjE4RUVlUjZHTEYxdGhIMzlKTWFFcjYrc3F6TlZXU1VPVGxNN2M5SE55QTJIcnJudnhVUVNOCmF3SkZWSEFOY1hJSjBqcW9icmR6MTdMbGtIRVFGczNLdjRlcDR3REJKMlF0eisxdUFvY1JoV3ZSaWJxWEQ3THgKVmpPdGRyT1h3ZFQxY2ZrKzZRc1RMWUFKR3ptdDdsY1M2QjNnYzJHWmNJWGwyNVlqTUQ1ZVhpa1dEc3hYWmt1UAorb3MzVGhxeGZIS25ITmxtYk9SSVpDMW92Q1NkSTRWZVpzalk0MUs5K0dNaXdXSk1kektpRkp3NlR2blRSUldTCkxod2EzUTlBVmMvTEg0SC9PbU9qWDc0QTNZSWwrRDFVUHd3VzAvMmw4S3BNM0VWZ21XalJMV1ZIRnBNTGJNSlcKZVZKd3dKUmF3bWZLdHZ6bU9KRHlhTXJJblhqTDMvSE1EaWtwU3JhRzFyTnc1SUozOXJZdEFIUUQ1L1VuZlRkSApLNXVjakVucTdPdDMyR1ozcHJvRTU1ZGFBY0hQbktuOGpYZ1ZKTUQyOWh5cEZvL2ZRUUtDQVFFQStBbjRoSDFFCm9GK3FlcWlvYXR3N2cwaVdQUDNCeklxOEZWbWtsRlZBYVF5U28wU2QxWFBybmErR0RFQVd0cHlsVjF5ZkZkR2oKSHc4YXU5NnpUZnRuNWZCRkQxWG1NTkNZeTcrM293V3ArK1NwYUMvMTYzN1dvb3lLRjBjVFNvcWEzZEVuRUtSSwp4TGF2a0lFUTI3OXRBNFVUK0dVK3pTb0NPUFBNNE1JS3poR0FDczZ1anRySzFNcXpwK0JhYldzRlBuN2J1bStVCkRHSFIrNCtab2tBL1Q2N2luYlRxZUwwVzJCNjRMckFURHpZL3Y4NlRGbW1aallEaHRKR1JIWVZUOU9XSXR0RVkKNnZtUDN0a1dOTWt0R2w4bTFiQ0FHQ1JlcGtycUhxWXNMWG5GQ2ZZSFFtOXNpaGgvM3JFVjZ1MUYxZCt0U3JFMgprU1ZVOHhVWDUwbHFNUUtDQVFFQXpVTjZaS0lRNldkT09FR3ZyMExRL1hVczI0bUczN3lGMjhJUDJEcWFBWWVzCnJza2xTdjdlSU9TZWV3MW1CRHVCRkl2bkZvcTVsRlA3cXhWcEIyWjNNSGlDMVNaclZSZjlQTjdCNGFzcmNyMCsKdDB2S0NXWFFIaTVQQXhucXdYb2E2N0Q1bnkwdnlvV0lVUXAyZEZMdkIwQmp0b3MvajJFaHpJZk5WMm1UOW15bgpWQXZOWEdtZnc4SVJCL1diMGkzQ3c0Wityb1l1dTJkRHo2UUwzUFVvN1hLS3ljZzR1UzU1eksvcWZPc09lYm5mCnpsd3ZqbGxNSitmVFFHNzMrQnpINE5IWGs2akZZQzU4eXBrdXd0cmJmYk1pSkZOWThyV1ptL01Nd1VDWlZDQ3kKeUlxQ3FHQVB6b2kyU05zSEtaTlJqN3ZZQ3dQQVd6TzFidjFGcC9hM0xRS0NBUUVBeG0zTGw4cFROVzF6QjgrWApkRzJkV3FpZU1FcmRXRklBcDUvZ1R4NW9lZUdxQ2QxaDJ4cHlldUtwZlhGaitsRVU0Ty9qQU9TRjk5bndqQzFjCkNsMit2Ni9ZdjZ6N2l6L0ZqUEpoNlpRbGFiT0RaeXMvTkZkelEvVGtvRHluRFRJWE5LOFc3blJRc0ZCcDRWT3YKZGUwTlBBeWhiazBvMFo3eXlqY1lSeEpVN0lnSmhCdldmOGcvRGI3ZnZNUjU4eUR6d0F4aW9pS1RNTmlzMFBBUAplMEtrbzQySUU1eGhHNWhDQjBHRUhTMlZBYzFuY0gzRkk5LzFETVAzVEtwTGltOVlQQW5JdG1CTzYrUWNtYTNYCjJ3QzZDV2ZudkhvSDc4aGd3KzRZbjg1V2QwYjhQN3pJRC9qdHZ3aGNlMzMxeDh4cjJ1Nm5ScUxBd1pzNCs0SjcKYmZkSWNRS0NBUUFDL2JlNzNheTNhZnoyenVZN2ZKTEZEcjhQbCtweU9qSU5LTC9JVzlwQXFYUjN1NUNpamlJNApnbnhZdUxKQzM0Y2JBSXJtaGpEOEcxa3dmZ2hneGpwNFoxa290LzJhYU5ZVTIvNGhScmhFWE1PY01pdUloWVpKCjJrem1jNnM3RklkdDVjOU5aWUFyeUZSYk1mYlY3UnQwbEppZllWb1V3Y3FYUzJkUG5jYzlNUW9qTEdUYXN1TlUKRy9EWmw5ZWtjV3hFSXlLWGNuY2QzZnhiK3p6OUJFbUxaRDduZjlacnhHU2IrZmhGeDdzWFJRRWc1YkQvdHdkbwpFWFcvbTU1YmJEZnhhNzFqZG5NaDJxdVEzRGlWT0ZFNGZMTERxcjlDRWlsaDMySFJNeHJJNGcwWTVRUFFaazMwCnFZTldmbktWUllOTHYrWC9DeGZ6ZkVacGpxRkVPRkVsQW9JQkFRQ0t6R2JGdmx6d1BaUmh4czd2VXYxOXlIUXAKQzFmR3gwb0tpRDFSNWZwWVBrT0VRQWVudEFKRHNyYVRsNy9rSDY5V09VbUQ1T3gxbWpyRFB0a1M4WnhXYlJXeApGYjJLK3JxYzRtcGFacGROV09OTkszK3RNZmsrb0FRcWUySU1JV253NUhmbVpjNE1QY0t0bkZQYlJTTkF0aktwCkQ2aG9oL3BXMmdjRFA0cVpNWVZvRW04MVZYZEZDUGhOYitNYnUvU3gyaFB4U0dXYTVGaTczeEtwWWp5M3BISlQKWFoyY2lHN0VNQ3NKZW9HS2FRdmNCY1kvNGlSRGFoV0hWcmlsSVhJQXJQdXdmVUIybzZCZFR0allHeU5sZ2NmeApxWEt4aXBTaEE2VlNienVnR3pkdEdNeEUyekRHVEkxOXFSQy96OUNEREM1ZTJTQUZqbEJUV0QyUHJjcU4KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+  - name: target-cluster-admin
+    user:
+      client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGekNDQWYrZ0F3SUJBZ0lJZmdId0V1Z1ViRWN3RFFZSktvWklodmNOQVFFTEJRQXdHVEVYTUJVR0ExVUUKQXd3T1MzVmlaWEp1WlhSbGN5QkJVRWt3SGhjTk1qQXdPVEUxTURFd05ETTNXaGNOTWpFd09URTFNREV5TWpRMgpXakEwTVJjd0ZRWURWUVFLRXc1emVYTjBaVzA2YldGemRHVnljekVaTUJjR0ExVUVBeE1RYTNWaVpYSnVaWFJsCmN5MWhaRzFwYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTh6N0l4ay8yVVMKQlBRdjNSaWlpbjdUb1lPQThQZll5eTRXTEh3MTBwMVYwZGw2dFNlekR5Z3llcndHTHlyT0x3VUVYQ29oMlVnbQovS2M0Ukw1ZVllQkQxbFJkemxjWU4rdVVtVllJUjBKeUNCbUIyMnFlQzhjZEhlenEyMG0xQzRRMkRsUjZwUG1ZCi9SZUhjVVZaQnVVNnRoZkc0WC9OSkREWFI1K21PMHFZZFpHcGJwR3lNSDlBMTlBdXFMUTdFR1VUMENTR0wrdzkKY1BPcjk4WXI0RkVBV0lkRWRsMjFrekM5MW9ma3llZ3VuUjdnSHBtQkNxa0hUKzlmelQyZ2pVdlkvVW9UeTRncwpDbzBodVpzdGxQb3VaSGRDbWlRZ2ZXOEMzNnNhTnJZb0d6NDhkTDgzbWlWdi9GVG1jcTFUMW45NVI5a0gyNFdOCnRTRXFDQVNXTVVNQ0F3RUFBYU5JTUVZd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0cKQVFVRkJ3TUNNQjhHQTFVZEl3UVlNQmFBRkRsc210eE1HOHJKMDB2Mkk5VlN5bk5JY1llS01BMEdDU3FHU0liMwpEUUVCQ3dVQUE0SUJBUUNZTVIrcTdQTlM0allyYS91RHlPQk1VTmNwcGkvczZPeFpDVFUzdFdVa1hVSXU0VmYwClVuSWtva1h0cjd4eENhVVI2MXZxZ1A4dmVDVWZOMU5MRC9wbFFXY3hINFlSaE40ZGJkQ3BHa3lwTkNIRVNqTlQKRXhWdEx5MnFGaEdqenZjQVZuTThKaEV6SFJsTEJIWW1VaU9mVDhLeUd0djJPaWlHNW00WE5VRmNsYVJYS2xrdgpTaHQ0WGFnZHRXSVFPUGFvQm9sY3IwL0lZOGlXUkJxSmV0TnhsL2crMExqcEJHVnRCZ0RpdDlzT0NFVlhpbEhSCjlIbGZNQldIWlg4bUZUWTcwa3pUVDVCTnVpTXRrOGNKR1dCTzJtK3ZMb0pBWW9reTZ5L2hHQmdiNkwzeExjMmQKcDh2dUgvSEN6SDBuTWxubDFNODlZak4vRVFGTlhDemN5TmRwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+      client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBenpQc2pHVC9aUklFOUMvZEdLS0tmdE9oZzREdzk5akxMaFlzZkRYU25WWFIyWHExCko3TVBLREo2dkFZdktzNHZCUVJjS2lIWlNDYjhwemhFdmw1aDRFUFdWRjNPVnhnMzY1U1pWZ2hIUW5JSUdZSGIKYXA0THh4MGQ3T3JiU2JVTGhEWU9WSHFrK1pqOUY0ZHhSVmtHNVRxMkY4YmhmODBrTU5kSG42WTdTcGgxa2FsdQprYkl3ZjBEWDBDNm90RHNRWlJQUUpJWXY3RDF3ODZ2M3hpdmdVUUJZaDBSMlhiV1RNTDNXaCtUSjZDNmRIdUFlCm1ZRUtxUWRQNzEvTlBhQ05TOWo5U2hQTGlDd0tqU0c1bXkyVStpNWtkMEthSkNCOWJ3TGZxeG8ydGlnYlBqeDAKdnplYUpXLzhWT1p5clZQV2YzbEgyUWZiaFkyMUlTb0lCSll4UXdJREFRQUJBb0lCQUNYTTN6YXRwam9XRTNsSQowaGtRYmh1OUdCWVppOXhyWElYSDNjMjdNL1VvRnVTS0VrcHZ6REFWSlhidjJlTUJRbXF6NU94NnlGejFYOXBSCjFaaTFOejNtb2s4NTNjN2R5RFhlSWlzanozdzd1V2FOM2kyUkw2emZqdm9Oem51ZjM3MzY3cHBTMVk0RGJ3aS8KMk5aQjY1UWVKZUlva2pMeWhjdXpPb25SbGJlQnpNZUNERmd3eUlBN2h4SXdpZzZWeG5FOG9sbDlGaC9sN0hGdApTcCt4dllwWmpoQnhGZVJCTHQ2T0JHM09ndkdZZE1oSDZtcU9HMHM3Qi9rZXI5N2xVeUQ5ZVdxQWxoY1BGMXZKCm80M0FWYm8vSVUxNDdwYW9HYldRb3VrSWxuZnhjK0Rvd1dqR2FUeTVTY1Fqc2ZCNVJHTTNMTTlDNTJxVU9aUGwKVDI5eWU0RUNnWUVBNkdwOEVObFRWamFpbnhRQURaRHpJeFYzNHV4RTNYVDhmbGVIZlpxTmJ5M1IwYjU5SGNYVAo0NVJlbmRNMHhIZDdSdnpkZXNoQlYxMTBVaWhRZ2RIajg2eWlrbElUZmE2S2FpSlJiME5Hd2hPQWx3MFZkTTNoCjJKZkdsVUlTWFhuOS9CaEZPMFdpQTRmZHR4M3BlL0pidUIxa3VYZ3UwU0pXRFJkdlJGWGVZRE1DZ1lFQTVEcDUKRk44Njg1MFExUzBTMmRtMnBhVXd5bWJHRlhhOUlRdHlhazMwcVpPOTVDN05qR0daMkxvb2c3eVcvd092TEtucQo4WWhFSFV4TGxCWGlUdnZ3K1JHMXowTW9IaEVGR055SU1IMnNyakJST2l5TVRIeU9vWGNBMTFtZitBNkVKQkMyCkt5T1pKSGRSamFSVUc3bjFYQW4xWVVhUGFZS1NjSE5GV3kwdG1yRUNnWUJwSlN1RnI5d3M1OERBZVJyaENFK0cKOHNKdkRmYkZ2WlF4VUVZQ3cvWHljMmMySFppYTdKSEVwcTM3ZHI2cmwyWlZJamJNd21ZVk1UbGJwZE51TjllSgp1UE0vZ1JSQ1NzRmg3SzZzeUdIdGtVY2VqeFBDNlJXZ21HR0Z5d05sK0xlMzRmOElKcU42TjNCTjFLRjVxcFptCkFCNCtiaW00QVhHdXNJaHRBTy8rMHdLQmdHRFgwd01oU2lHUFYxSXR3eDcvdS9vRDQzVXZNUVJ3a3daUGxpZzMKbGdiUzh6TzlER2x5RE5jaS93Z1BZVDhxc0ExU3VLZnV1NEIzSEdiazlsZXZubXdCc05VVzJSSVJCTW1zNG5rNQpDcW9MUkp4YnhOaTd6Y1lEK2k1bkVITXdyYStrQzdpNGJVWkUveTBNT3NoZEd4a0gvTUJmTVlHQzcyS1o5eWNlClA0aXhBb0dCQU5BdmJiL3h4VDhvOW1hU0FaV2MvblNWdEw5ckFiMGtHQlBTS3J0QW1wYkdxMitDNjlOeTVBMUUKdW9iN2dzdjJ3NDJIUHJnLzBUTElTSUZhV2kvUi9XUWRkRjFqclFqNTV6N0VpWFFVQ1I0c0NxRGRPU2FZdjAxVgp1NnlsQ2pmVUlGZVVQb3hIQzliTzdpZ01PYkJtcEhHU0RLZzE1cWp4blVpOFpxajRaK24yCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

manifests/site/reference-multi-tenant/kubeconfig/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+  - kubeconfig.yaml
+  - ../target/catalogues
+
+transformers:
+  - update-target.yaml
+  - ../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/kubeconfig/update-target.yaml

@@ -0,0 +1,69 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-cluster-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:v2.0.2
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.certificate-authority-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=target-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.client-certificate-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetKubeconfig.client-key-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-key-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.certificate-authority-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=ephemeral-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-certificate-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.ephemeralKubeconfig.client-key-data}"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-key-data"]

manifests/site/reference-multi-tenant/metadata.yaml

@@ -0,0 +1,6 @@
+phase:
+  docEntryPointPrefix: manifests/site/reference-multi-tenant
+  path: manifests/site/reference-multi-tenant/phases
+
+inventory:
+  path: manifests/site/reference-multi-tenant/host-inventory

manifests/site/reference-multi-tenant/phases/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+  - ../kubeconfig
+  - ../../../type/multi-tenant/phases
+## TODO Consider making a catalogue combined with variable substitution instead
+patchesStrategicMerge:
+  - phase-patch.yaml

manifests/site/reference-multi-tenant/phases/phase-patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: airshipit.org/v1alpha1
+kind: BaremetalManager
+metadata:
+  name: RemoteDirectEphemeral
+spec:
+  hostSelector:
+    ## NEWSITE_CHANGEME: ephemeral node
+    name: stl3r01s02
+  operationOptions:
+    remoteDirect:
+      ## NEWSITE_CHANGEME: URL to the ephemeral node iso 
+      isoURL: http://10.254.195.209/ephemeral.iso

manifests/site/reference-multi-tenant/target/catalogues/README.md

@@ -0,0 +1,5 @@
+# Catalogue Definitions for Target Cluster
+
+This inherits Type-level catalogues, and adds in Site-specific values.
+The neighboring ephemeral cluster's `catalogues` entrypoint applies further
+customizations on top of this for ephemeral use.

manifests/site/reference-multi-tenant/target/catalogues/hosts.yaml

@@ -0,0 +1,96 @@
+# Site-level host catalogue.  This info feeds the Templater
+# kustomize plugin config in the hostgenerator-m3 function.
+
+## NEWSITE_CHANGEME: update the whole file with the site specific host details
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-catalogue
+  labels:
+    airshipit.org/deploy-k8s: "false"
+
+hosts:
+  # NEWSITE_CHANGEME: update with the site specific host details for all hosts
+  m3:
+    stl3r01s01:
+      bootMode: legacy
+      macAddress: E4:43:4B:EE:F4:CB
+      bmcAddress: redfish+https://10.253.200.35/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.230
+        pxe-ipv4: 172.63.0.11
+        storage-ipv4: 172.62.0.11
+        calico-ipv4: 172.64.0.11
+      hardwareProfile: default # defined in the hostgenerator-m3 function
+    stl3r01s02:
+      bootMode: legacy
+      macAddress: E4:43:4B:EE:B0:43
+      bmcAddress: redfish+https://10.253.200.36/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.231
+        pxe-ipv4: 172.63.0.12
+        storage-ipv4: 172.62.0.12
+        calico-ipv4: 172.64.0.12
+      hardwareProfile: example # defined in the hardwareprofile-example function
+    stl3r01s03:
+      bootMode: legacy
+      #macAddress: E4:43:4B:EE:D7:B8
+      macAddress: E4:43:4B:EE:D7:D9
+      bmcAddress: redfish+https://10.253.200.37/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.232
+        pxe-ipv4: 172.63.0.13
+        storage-ipv4: 172.62.0.13
+        calico-ipv4: 172.64.0.13
+      hardwareProfile: default # defined in the hardwareprofile-example function
+    stl3r01s04:
+      bootMode: legacy
+      #macAddress: E4:43:4B:EE:D7:B8
+      macAddress: E4:43:4B:EE:DD:0F
+      bmcAddress: redfish+https://10.253.200.38/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.233
+        pxe-ipv4: 172.63.0.14
+        storage-ipv4: 172.62.0.14
+        calico-ipv4: 172.64.0.14
+      hardwareProfile: default # defined in the hardwareprofile-example function
+    stl3r01s05:
+      bootMode: legacy
+      #macAddress: E4:43:4B:EE:D7:B8
+      macAddress: E4:43:4B:EE:D7:2F
+      bmcAddress: redfish+https://10.253.200.39/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.234
+        pxe-ipv4: 172.63.0.15
+        storage-ipv4: 172.62.0.15
+        calico-ipv4: 172.64.0.15
+      hardwareProfile: default # defined in the hardwareprofile-example function
+    stl3r01s06:
+      bootMode: legacy
+      #macAddress: E4:43:4B:EE:D7:B8
+      macAddress: E4:43:4B:EE:F3:B7
+      bmcAddress: redfish+https://10.253.200.40/redfish/v1/Systems/System.Embedded.1
+      bmcUsername: root
+      bmcPassword: WWTwwt1!
+      disableCertificateVerification: true
+      ipAddresses:
+        oam-ipv4: 10.254.125.235
+        pxe-ipv4: 172.63.0.16
+        storage-ipv4: 172.62.0.16
+        calico-ipv4: 172.64.0.16
+      hardwareProfile: default # defined in the hardwareprofile-example function

manifests/site/reference-multi-tenant/target/catalogues/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../../../type/multi-tenant/shared/catalogues
+  - hosts.yaml
+  - ../generator/results
+  - storage.yaml
+
+patchesStrategicMerge:
+  - versions-airshipctl.yaml
+  - networking.yaml
+  - networking-ha.yaml

manifests/site/reference-multi-tenant/target/catalogues/networking-ha.yaml

@@ -0,0 +1,19 @@
+# This catalogue alone needs to be overriden at site level based on the
+# networkign requirement like HA
+
+## NEWSITE_CHANGEME: Update the file with the vrrp ips
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: networking-ha
+  labels:
+    airshipit.org/deploy-k8s: "false"
+vrrp:
+  # NEWSITE_CHANGEME: Update kubernetes virtual ip and OAM interface
+  kubernetes:
+    interface: bond0.61
+    virtual_ipaddress: 10.254.125.239
+  # NEWSITE_CHANGEME: Update ingress virtual ip and OAM interface
+  ingress:
+    interface: bond0.61
+    virtual_ipaddress: 10.254.125.240

manifests/site/reference-multi-tenant/target/catalogues/networking.yaml

@@ -0,0 +1,120 @@
+# This makes a couple small networking tweaks that are specific to the
+# ephemeral cluster, on top of the target cluster networking definition.
+# These values can be overridden at the site, type, etc levels as appropriate.
+
+apiVersion: airshipit.org/v1alpha1
+kind: NetworkCatalogue
+metadata:
+  name: networking
+
+spec:
+  # The catalogue should be overridden as appropriate for different kubernetes
+  # clusters, e.g. ephemeral vs target vs tenant
+  kubernetes:
+    serviceCidr: "10.96.0.0/12"
+    podCidr: "192.168.0.0/18"
+    controlPlaneEndpoint:
+      # NEWSITE_CHANGEME: below is the vrrp kubernetes virtual ip
+      host: "10.254.125.239"
+      port: 6443
+    # NEWSITE_CHANGEME: first controller node calico ip and pxe ip
+    apiserverCertSANs: "[172.64.0.11, 172.63.0.11]"
+  ironic:
+    # NEWSITE_CHANGEME: update the first controller node PXE network information
+    provisioningInterface: "eno4"
+    provisioningIp: "172.63.0.11"
+    dhcpRange: "172.63.0.31,172.63.0.126"
+  commonHostNetworking:
+    links:
+      # NEWSITE_CHANGEME: PXE network, untagged
+      - id: eno4
+        name: eno4
+        type: phy
+        mtu: "1500"
+      # NEWSITE_CHANGEME: 25G Intel XXV710DA2 NIC 1 port 2; the first NIC in the bonded interface
+      - id: enp94s0f1
+        name: enp94s0f1
+        type: phy
+        mtu: "9100"
+      # NEWSITE_CHANGEME: 25G Intel XXV710DA2 NIC 2 port 1; the second NIC in the bonded interface
+      - id: enp134s0f0
+        name: enp134s0f0
+        type: phy
+        mtu: 9100
+      - id: bond0
+        name: bond0
+        type: bond
+        # NEWSITE_CHANGEME: update the bond link interface name
+        bond_links: ["enp94s0f1", "enp134s0f0"]
+        bond_mode: 802.3ad
+        bond_xmit_hash_policy: layer3+4
+        bond_miimon: 100
+        mtu: 9100
+      # NEWSITE_CHANGEME: OAM network
+      - id: bond0.61
+        name: bond0.61
+        type: vlan
+        vlan_link: bond0
+        vlan_id: 61
+        mtu: 9100
+        vlan_mac_address: null
+      # NEWSITE_CHANGEME: Storage network
+      - id: bond0.62
+        name: bond0.62
+        type: vlan
+        vlan_link: bond0
+        vlan_id: 62
+        mtu: 9100
+        vlan_mac_address: null
+      # NEWSITE_CHANGEME: Calico network
+      - id: bond0.64
+        name: bond0.64
+        type: vlan
+        vlan_link: bond0
+        vlan_id: 64
+        mtu: 9100
+        vlan_mac_address: null
+      # unused for now
+      - id: bond0.65
+        name: bond0.65
+        type: vlan
+        vlan_link: bond0
+        vlan_id: 65
+        mtu: 9100
+        vlan_mac_address: null
+    networks:
+      # NEWSITE_CHANGEME: OAM network
+      - id: oam-ipv4
+        type: ipv4
+        link: bond0.61
+        # ip_address: <from host-catalogue>
+        netmask: 255.255.255.224
+        routes:
+          - network: 0.0.0.0
+            netmask: 0.0.0.0
+            gateway: 10.254.125.225
+      # NEWSITE_CHANGEME: PXE network
+      - id: pxe-ipv4
+        type: ipv4
+        link: eno4
+        # ip_address: <from host-catalogue>
+        netmask: 255.255.255.128
+      # NEWSITE_CHANGEME: Storage network
+      - id: storage-ipv4
+        type: ipv4
+        link: bond0.62
+        # ip_address:
+        netmask: 255.255.255.128
+      # NEWSITE_CHANGEME: Calico network
+      - id: calico-ipv4
+        type: ipv4
+        link: bond0.64
+        # ip_address:
+        netmask: 255.255.255.128
+    services:
+      # NEWSITE_CHANGEME: DNS servers
+      - address: 8.8.8.8
+        type: dns
+      - address: 8.8.4.4
+        type: dns
+

manifests/site/reference-multi-tenant/target/catalogues/storage.yaml

@@ -0,0 +1,16 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: storage
+  labels:
+    airshipit.org/deploy-k8s: "false"
+spec:
+  storage:
+    useAllNodes: false   # We define per node/per device configuration below
+    useAllDevices: false # We define per node/per device configuration below
+    nodes:
+      - name: stl3r01s05
+        deviceFilter: "^/dev/sd[bc]"
+      - name: stl3r01s06
+        deviceFilter: "^/dev/sd[bc]"
+---

manifests/site/reference-multi-tenant/target/catalogues/versions-airshipctl.yaml

@@ -0,0 +1,16 @@
+# Override default controlplane image location
+
+## NEWSITE_CHANGEME: update the file with the ephemeral node pxe ip
+apiVersion: airshipit.org/v1alpha1
+kind: VersionsCatalogue
+metadata:
+  name: versions-airshipctl
+
+spec:
+  files:
+    k8scontrol:
+      # Host the image in a locally served location for CI
+      # NEWSITE_CHANGEME: update the url with the ephemeral node pxe ip
+      cluster_controlplane_image:
+        url: http://172.63.0.12/images/control-plane.qcow2
+        checksum: http://172.63.0.12/images/control-plane.qcow2.md5sum

manifests/site/reference-multi-tenant/target/controlplane/hostgenerator/host-generation.yaml

@@ -0,0 +1,13 @@
+# Site-level, phase-specific lists of hosts to generate
+# This is used by the hostgenerator-m3 function to narrow down the site-level
+# host-catalogue to just the hosts needed for a particular phase.
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    ## NEWSITE_CHANGEME: update with the list of controlplane hosts
+    - stl3r01s01
+    - stl3r01s04
+    - stl3r01s05

manifests/site/reference-multi-tenant/target/controlplane/hostgenerator/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example
+  - ../../catalogues
+  - host-generation.yaml
+
+
+transformers:
+  - ../../../../../../../airshipctl/manifests/function/hardwareprofile-example/replacements
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3/replacements
+  - ../../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/target/controlplane/hostgenerator/patchesstrategicmerge.yaml

@@ -0,0 +1,41 @@
+apiVersion: builtin
+kind: PatchStrategicMergeTransformer
+metadata:
+  name: smp
+patches: |-
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: hardwareprofile-example
+  $patch: delete
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: host-catalogue
+  $patch: delete
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: host-generation-catalogue
+  $patch: delete
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: networking
+  $patch: delete
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: env-vars-catalogue
+  $patch: delete
+  ---
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: versions-airshipctl
+  $patch: delete

manifests/site/reference-multi-tenant/target/controlplane/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - nodes
+    #- ../../../../../../airshipctl/manifests/function/k8scontrol
+  - ../../../../function/k8scontrol-ha
+  - ../catalogues
+  - metal3machinetemplate.yaml
+
+patchesStrategicMerge:
+        #- versions-catalogue-patch.yaml
+        - patch_controlplane.yaml
+
+transformers:
+  #- ../../../../../../airshipctl/manifests/function/k8scontrol/replacements
+  - ../../../../type/multi-tenant/ephemeral/controlplane/replacements

manifests/site/reference-multi-tenant/target/controlplane/metal3machinetemplate.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+kind: Metal3MachineTemplate
+metadata:
+  annotations:
+    config.kubernetes.io/path: metal3machinetemplate_cluster-controlplane-2.yaml
+  name: cluster-controlplane-2
+spec:
+  template:
+    spec:
+      hostSelector:
+        matchLabels:
+          airshipit.org/k8s-role: controlplane-host
+      image:
+        ## NEWSITE_CHANGEME: update the below ips with the first target node pxe ips
+        url: http://172.63.0.11/images/control-plane.qcow2
+        checksum: http://172.63.0.11/images/control-plane.qcow2.md5sum
+
+

manifests/site/reference-multi-tenant/target/controlplane/nodes/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ../hostgenerator
+
+commonLabels:
+  airshipit.org/k8s-role: controlplane-host

manifests/site/reference-multi-tenant/target/controlplane/patch_controlplane.yaml

@@ -0,0 +1,11 @@
+kind: KubeadmControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
+metadata:
+  name: cluster-controlplane
+spec:
+  replicas: 3
+  infrastructureTemplate:
+    kind: Metal3MachineTemplate
+    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+    name: cluster-controlplane-2
+

manifests/site/reference-multi-tenant/target/controlplane/versions-catalogue-patch.yaml

@@ -0,0 +1,15 @@
+# Patch the versions catalogue to use the site-specific local image URL
+# TODO: patch this in from a site-networking catalogue in the future
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: versions-airshipctl
+spec:
+  files:
+    k8scontrol:
+      # Host the image in a locally served location for CI
+      cluster_controlplane_image:
+        ## NEWSITE_CHANGEME: update with the first target node pxe ip
+        url: http://172.63.0.11:80/images/ubuntu-18.04-server-cloudimg-amd64.img
+        checksum: "e0d74d3d37e70e4eec1b204f8402ed3c"
+

manifests/site/reference-multi-tenant/target/generator/README.md

@@ -0,0 +1,32 @@
+# Secrets generator/encrypter/decrypter
+
+This directory contains an utility that helps generate, encrypt and decrypt
+secrects. These secrects can be used anywhere in manifests.
+
+For example we can use PGP key from SOPS example.
+To get the key we need to run:
+`curl -fsSL -o key.asc https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc`
+
+and import this key as environment variable:
+`export SOPS_IMPORT_PGP="$(cat key.asc)" && export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"`
+
+## Generator
+
+To generate secrets we use [template](secret-template.yaml) that will be passed
+to kustomize as [generators](kustomization.yaml) during `airshipctl phase run secret-generate`
+execution.
+
+## Encrypter
+
+To encrypt the secrets that have been generated we use generic container executor.
+To start the secrets generate phase we need to execute following phase:
+`airshipctl phase run secret-generate`
+The executor run SOPS container and pass the pre-generated secrets to this container.
+This container encrypt the secrets and write it to directory specified in `kustomizeSinkOutputDir`(results/generated).
+
+## Decrypter
+
+To decrypt previously encrypted secrets we use [decrypt-secrets.yaml](results/decrypt-secrets.yaml).
+It will run the decrypt sops function when we run
+`KUSTOMIZE_PLUGIN_HOME=$(pwd)/manifests SOPS_IMPORT_PGP=$(cat key.asc) kustomize build --enable_alpha_plugins
+manifests/site/test-site/target/catalogues/`

manifests/site/reference-multi-tenant/target/generator/kustomization.yaml

@@ -0,0 +1,2 @@
+generators:
+  - override

manifests/site/reference-multi-tenant/target/generator/override/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- ../../../../../type/multi-tenant/target/generator/

manifests/site/reference-multi-tenant/target/generator/results/decrypt-secrets/configurable-decryption.yaml

@@ -0,0 +1,28 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: secret-template
+  annotations:
+    config.kubernetes.io/function: |
+      container:
+        image: quay.io/airshipit/templater:v2.0.2
+        envs:
+        - TOLERATE_DECRYPTION_FAILURES
+template: |
+  {{- $tolerate := env "TOLERATE_DECRYPTION_FAILURES" }}
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: my-config2
+    annotations:
+      config.k8s.io/function: |
+        container:
+          image: gcr.io/kpt-fn-contrib/sops:v0.1.0
+          envs:
+          - SOPS_IMPORT_PGP
+  data:
+    ignore-mac: true
+    cmd: decrypt
+    {{- if eq $tolerate "true" }}
+    cmd-tolerate-failures: true
+    {{- end }}

manifests/site/reference-multi-tenant/target/generator/results/decrypt-secrets/kustomization.yaml

@@ -0,0 +1,2 @@
+generators:
+  - configurable-decryption.yaml

manifests/site/reference-multi-tenant/target/generator/results/generated/secrets.yaml

@@ -0,0 +1,49 @@
+apiVersion: airshipit.org/v1alpha1
+ephemeralClusterCa:
+  crt: 'ENC[AES256_GCM,data:6uQzsPDu52M507lC9AWv/j70+JefIZ1N/R5ZKTtKMYxwQWVTFn6vXJrT1Sn62gqS3BrtXD6ZXOH3g5ISETgVNHfG5c8VuXlx3cg5MVDPJl8aGWD2MnoG3mcfAiotoKMF1cPTIJFVw8C1GFOINTM9AmVYzxURs5CHsi4pkSSYShLivy5OEm1dSMyV5X+uAndEyAChMQoBp2fq0cuMu16o80s0SpRo0KB3CfVCKjaaajLZtKadpGt90UgpTUdTRIofQyNucaEmqLQbEZw/SwN1jK88ulC/vtHoKZuxDZtk4clITqiTqTAiepjHlmyTpo6PK+HvM2K+ZIWRCzKy3NTtS4iOEL1kVfWtbE5Zemqwh6hDuHH/IuvjIxcx6twZFOEy7+iqsAhxYZYMXqaUHPIMbAw0jguqMc0Li5pjlwGR8pIxT+VdZ/oQV6E4t/enpEVJ/8vrIJ5fu/1rbV8s2vHgxFHO/r740Do1UVNjbq9CMxEAqi4sTUaNNYBxRIqfXGsjOsosolIMy1YmTfoDJ7iqf5do1eVOId6gWeBJQYwQR3YLzk2j+MzN+GRZUMXYAspE/FmAbytaKnk8AVHL5AqklsbDHmDimc4hee3VmNSQBiNDUbIj6vD9R9PuyPDO7IDs4cZxcyFwfgq/z6LT5GwEh/pmT8bIIb96fTAeWkkLA/XvaTuT3xqzrT7NBl8trlLLGsqct5/07o4QdbGBRtFc4wL6LDyq8MF5pHU/PRcgOl41E+2KECSdrJBJltRvOE73sd78nkkCq2O/dMSRKpb2sPW9K3IQYlCurpShYGP1a+p2H50O7/GGz7+E+4rymzJ933IWA4T0YNFWZ4EFDsGccDxDC3r71iX/9xd19xvZZWU1JowQ1OcPzTdpa1YhDIuqgKeIekatKEtLDhXHsaIbA5CXKg4Ew6BOx2lBLMgx1RnlReIAzzWnYyYb03awHJIKpfM+mKDSN1kQ6Oc5iLmKshFqCB270+KMna+r2hdvnXqhtTkM/pZge5QCIrtGkPc0jqHXF+0UutVuTVk5dejhqdeT3ITYP6eZj+/CPBm1a1Ms/haPJc9SA6r9yJUWKthJQCGReey7glzVzHs8FtbcZqr/xDDMYCDT84GNIo4RlsCqm4EXR8cpumkP8YVMQOzCSuWmS6NYDk7JrSRYiO5cdl99PDrSGNyVj6LSEJuDkkfuiFHR1SbqLhwNDtSoheHMtBJ6rmqPsGRe6UhkOETU5RkNiPAubJfqAGGl4OgWNcKIM+Wea5d+MYJPpXPbLCvN8eWIo3VyhO+lhnwUxle2Vp0sR3XoPNsnU013O6GmsmNvTnqa/CHGjDinL7hQioBZpzx14+IeHPMoHLjoL7bStJqoSYoC4sPnI1F7Zo7KEXaybwqW2A7oIoCOsLkqO3PP+LaR8aZBtWmQZ/buchWVOT1D6vwowAjbrfYmGuU0VZiY74TuX53JS3KCJ+sn04CwHZBpoHoAAmy9Yo1bfuzOlI0XGxWP8jGBwzQtJddoBEV5ziussvfYSHDDLF6CL1IRWwjj9YHz2w+8IzA232aMO2eRR4+TbbmOzI57WzlVsd7nBN63lPfPtne6MBtxiQuq2pALqHP897a0DocuuAI0xfaO5YYrLQ215lb4DxIR8764T6bNMdcHBo7/TgZfs+QS4B72WM1p19jCHRxAan0cJ+knKUERE5koJyshdbl8cRJ4kL2amk5mT27Q5Ek5mNHnwE6nrrHQXK4VrDG3v4IfgRQ6wP6525RUsjrWGvxCj8Am8JXtO13JfwMpEcWTZK86cMDAYXXLiu1KOlx295qnrWaJzknRzY+Nb2DYsoDe92zs7fgy3A7d4JRGZkjsCV45EYxXdUpSlRaMCj16urJ/BrdmbJ6ccw/PKDqxnWY7JQ4NFAoEC/BrgHpSKBT53xku2Nxmz8ktt4AvTb59rjjfAEkMDjCaLmGz+RKIBQ==,iv:aKqk4ruA0/QtbBFnr6mBidCrnEY2uQ64swqO+SysFkc=,tag:Uzt+Eu7l1mf8DzJr4E+KWw==,type:str]'
+  key: 'ENC[AES256_GCM,data:U0U76Jf7YNIqMRoWrlYcOpi74tYKflDwE6wh85Mj85f/bBMrY2WdmOFmqiL61v02SBahXnBCHrQw1wSBxmqAdP26W4kSLL94NYBFUvwJIQwbKU/Cz7sQpiEYFWRuc2De0N4ibzS6//vINSMV+yi/G1aSbpOlxzfSH2upFcH2yGa36erkLgdY7AsoW/YOOUMYWLWsgsXUkXnkzu0+44nLyGOJwnuLW5gb6/Ci+RWKklKfI69pe1Wkb8Av6zNhI29CnzwFclkVX6I1PWkvouayLusrzo7nwy7mHxbI8j4Xfq9YNb8jSg9nS2ibK9LtQ5BzcPAa7BlP6NGavCu0OJauQ0sgw124kaWsG77QmpxFiT0TdvqnTVu3vEI3f/XZG2c/sWXVA8FGZ31F38mM68KsDMlusXs3hUOJf7QaUw+0MeK8lmz8t3vI0UANXRMSt2fEVBaho4JoTsbgZSvTD/RZ6YwI2a1uoPdNKPh7F8i0rLOaCNgPLVoKAcV3M2mEhodJNZAI0ifa7sdQuWNQ0fbPwGh+dXLKQ8PNjdXMgn9JINLYRKDRD+eRFWPV/WuwepSjtD88LGJmQ66GjnCqXAOFo5RcHmPEIYM5o0x5wqf/ibmgheuUUBJVnNvgH2ZVqMH8oNyr3OfGxfgEItvA7LgQ6ao1ympnCnXZvpu0m04UqNmebsuEnqH2EB/MIBk/5UjyMHTt4X52S0RpmXU8CDZKj9Xk9VFDCcmWnEowMHl9i2CjRwMb0g0b8fC9A4N6P9SbzKX7usUJsa1tSkra+Dn3C7vprOunvE1fQiQM++K2KixP0OjeP7TbAyMkHTszrfxdvJT7V6Rb90behJaaDb1pZAva1SMQ0vudV844t+NLi96VsqpNptx7AKhzSsRrzz2kuhdVf1dr1JinR4h4cVSwQCjZCcxLDt8do/d6BgHuvHWQBBGOM4AqMOyIKGm3G0ZiW6j3WiCPmiWou/6cRFu2AqgVWgRludtcgZaTs/p5k5gVFVzNtkocfg4hluP0zk/zJeOdU2zZ/XuxDuNeA4MBHTZ4qzzKgMLVMiMWsQ927d7J2h9w6kvmoXKrKZH/oB0R4a2pDYiBpag8DOm8P76uLeaKlgj9EQH2eK1KO2998mZwDGS91HWl4O58SjSENBZFr/thgzqFk+2C80/abMjofziXrsefuJOYP8L5LXTGyV11qsjV0HDRZhlcvsIW2q66t91lW7WNzYoxDBNQJPq1nSEewF3tvDT4BhtDAjioO5fVVyUyI7bAxRcCZ+E3wjDF7uw7yngbyHP4spYU6xi4kJhQEXvBOqFt1N/aY7etlfCn4daMNQK6u385XIcSAq/HgC0D3jqJTil7HyxF21fwQCorK/G24ELzjW0SfYUFDHAeUKj1VkU2GqAO0uCGklcx3wpcH6QvSQMGid8yRbEketsXw+H0CBloWAptdLOZj9LhwR0lXlvooYuDGTEoQ4SXx37kscRDcpWggW6NA21wIwQM5aX4kuhvvsdEpOEd4lUdH4LGdnRTHCdldFK0NxTuGuf8swEDYbVUjUHwMHIzmtNG5SmKahPMwEzg2YIV1BU8z+nXbT2XaOUD7hXfpWdGx0BkQIeIZL6bNJMDuvmjtaoDq5CywmyOIkrQqSEGDNyCQJLGBGPD1QjfkRbtmtB2gVyyQTuPqI3hjOuSZ8ZBiTExkXYQvK3eNrij7B9n6q43pOjJ9zaoHjHx6sMcBMF8qcSNo7xoD5Xd0Owv6USL+tz+n5zcnu4PKnYg1ZdfzxcQbwKUZ21SEVGW+ZU8KpNtHjWB7oQ8MTD5wjpqsUzgYdkBypNcRWBgmzCsZwcxR0LU3qRGDGe9eSHyk9JRgzDuWfmlFsOb4UHZQW3SRY16xokFaXcpcu002GX0n/puS60fLsUr5/raEBF9vCPC4miucCQ7wJ7cCzsRc2fBx2osiMiTCDPmVK9QpxmQ/4fMnOZo4ocAF7cSesqZvPsOo086K2OeU3vr0kQhtFTYojFGM04zhd+d87V9GiYUR8ABwAqaqg4Xk1gh/oputa7e/y7NsByv0DCKOQxw4uKDNBf02WvmUnGK0w6ka6ZQmT5+GndTY/DdUvxXTUZqoGZf0TPZS7PrJFWmkUn9hwqIlSTNtY1WwkwWSbvKTswe1sgfL4Zs6u0tecPiIebRIYopNlDSMbk0LnKLo68Xg2zxV0bKU1iyMzyobh8/mhLIVAo7NS1za6ksH2km9dG1IUjVJIxtHjZqQ2BgOcbLEqEA1+J2tuKxc/lHqR39OxwDObei4bpXJqfWPEG4mHVGFMNWkj7H11cnBmX+GWEbEBXarQCZezRh++WROFmmylfdy+QlzD+bwxT4A37a/djWY0n27XdRwVA2nVGdBzi8aBSFws/lOaaGHJnpotFw9xjUuXI8uiN1eGhaWCzU2VBWYNutjKBJOefLYf7ahpjphUv6W7uYX+15leuWK5RuCwL1G/PmjdLNMzynhxgNmW+xvmNI7WrqLrfGciOqkxPirUq2tzvXdCAHDanS7Ckui04tEswwuxyaY0PMf11ku9XzVX7rn/OhxjYjck7D7O9S5SYWI+5u20Vjrv+gIYPI/YSLPNxacmk4GYWUGkafSRgDg180JUtKDmquaz/rZVUBC7wVnJV/Tv2aTs+iZbWhiGqY/4wepo19Lxzd6wBQNPfrN+d+BjTDVmPaCy88lloXWJBsTIuWz7mmANV/LMkNYSA5poCL7rRlbvgaOsaxBQ1yslmJ25G9oaLU0mj6SEfoK9/aZchAmBB8u9s7DzQLaW9HmfgHcLuU1XyWRm1nIeFFqrbBnS0fdEOTkExXI92+vRlM4DbqdMOtpZcZsUMiXvKKFRGhuZRxbY8HujqLHD+298Fk6y+GjcH8+Yfm5euDLp97/tImUqjUb2Fqdw/7aJKrR7zzWHPp/rbJtDUKoW1lvHaK37+eT9MF23Dl4Dteu6ouPGjaY3z/EUINU2J8E7HuwNjdQiw=,iv:x2TJ7k9fVfblb/WZrUP6lgc4xWg4Fop2T6oNfI6G7rY=,tag:MTLldXBFI16om6D5cDNcuA==,type:str]'
+ephemeralKubeconfig:
+  certificate-authority-data: 'ENC[AES256_GCM,data:Mx3R3AOO/a51bRTZ0lrp2KoSsQHaiVByXi8OuRkL+Ka2h0dt0PuJ+0XmvJNPUjc8Iw2DQ5MsvZ4AhbrNcaTV63ZH7HpeR1V/bFbqj2T0QzHVCzuZlpjW2GFkzMaDBFSCFmeLhB7KsK0chTkvIccd9VhSrwA4wukgY2Wy9r9WSBeZghV6yteVwIANz5qLTL2qalq73IYFbMGkQhhsc0sKw1X6CLSfz/1Cm5r5MNWtGnrnZTAVLQeF7ZcryqloMwRlDUBblWoM4oDIiA1UmpLmzCzOgNxAkNF2p3ci0WXxYtCDyX21lcYhDFOk83lYmIzUl/ufjJYdEWCfEoUk0Tsz8LusCsjm03vn3pPCpwaBfboFw4DisAkfh/nmvKd1rO7nrcWK0yrSjaNuqoGxW7I+GpFoeXtiyYKMk8konHy8r+U91kLW419lQ8iWxiQ1RyK2tgNj/3mzx6EZ6VnKbz7D0IA5+1KVXPOtF4TGQJD7VHb/xZhkTAy+XxoDgbMMS1EqfgFVS+/Rqp+V19VUjOiQg4WMleQoWT59xh78oBZFKXElK2neDmym2YLASeLs8nKprjWAVdlUAb4zX/AqRdky/+am402ifzzWDXe6IOh9Q6l0ZUPM+S2D99yG+JVlTtvtcmtmGu1ZneS8DgpEMMh70kGv0nr24YbhL0eJMmkZbIayiWMjsNkMk4JGzkZi0a4OpopUkrO4R5l+smVkNHtWxhxUy/8sUqzqNyGtzS6b8ygB6NEd1uTf52CqltyV1+ZOZdl/Qkb8a4BtwYdbb/kOteO9SFUv6kaUabaFyUCAo/EoxqraIREnmuJCFnIp8h1TzWN8om8UdBsZdPKlg1nv71WqxL1ZnZ8LgRClD/6dtSCcq8caECH0l2sP5dmctx6IPQJd/YUDW4RbLX9NQqCRlx6LR0jv5lN5I5Qr//07k5KDieNku6+uBnS3LMzgKKbN6swMjT1TMje4XEuolaiDjKAcsMb/tEJFwDYfSROcs5vylLJDwZ/DIo5m/c46i9hJJgzKHs1PpNXX0bbWR/M3Pk7fARF+hirdk7971FoILWcRTQZo2UMF8QJPh3MQRs3dOKIPMugDNTan6ftnjA0+hzwr94TknYGCEv+XH4Y61nWGZiTcv2tCt9JCGdXNARZLc3RtporxCtiAE8fMol9oso7x5sMqmuALl+iLfjpqzUHoXNJ9slipLH1RWDisGJXSQkEgrQ9h6bhUaOzuUeauYxnZBETfBZBmSoah2NDOOGcywGDDo03sRleaRVguxSZvftWtUb6RhHSj96qDbh+urbdW1PhfKs6M//XBMmLw5zlulYXqMaDvHeBRL4mSf+ZKNCFFCC/RJxGuT6hcuWOBwe0ZdCugvkVaJgqx32Fyd/YpHDPlFZEQb8/T0wP9M55jLg5Vm3voDzA02+UIZZFkSqbT5ZrmP+ScXE7HCFXLFBA3TBh8N1f5obuH0rbENvYFkBlEtIaAU2FkhPCpHJworrrIdpq/byQB9Jj8X+yhBh4y2vdSGT9faUDUB0S0v1fiD92IXJKzPKlpId3a4/bXXGl9tTVSQ01lPGSJf9/s2WyrRf6lhPuKY+bapWcs8ydNWGYhCccmZ4OHaOPbwGwks7l9RLTjDJzTr3ntnDI2DnbVENKdhuAEkavoElmgGSMscA/8sseX9FeuZLBvI4fKyNE4F9ZzAhUWe8JYulnw+oimizCLCAC+t9Inixda+dLZWJLbUEg17zvB5dS/aMZhO3dFUjn1/jGO2zbZo/SxjaHyi/WQFr5mZcLvwU+Zdyt+TRAbcV9sOy2tWUDp/xlRYAYqdeRBMly0lAoItUfa+jftUtR17l23i7UcMLs68hZ1NyuoEhKKDteRW8epgsbjmPfq8a04SPBW1XBZ8ujubf+UxMhTlvXdXKCQ5lIvlZE81Ezk3PuRfKXiK2ckCHjzyxE09pWkZXESAmdqKg==,iv:1WkqcxzVLVfrmBMCTZ48q9JLRpEkBgioGatSU3j+WQ4=,tag:VmKsG18InwFczeME1PUlZw==,type:str]'
+  client-certificate-data: 'ENC[AES256_GCM,data:85hKBjZyixCRv4c7zptdAeh0p8a4F+yYXssxGUfhYNwfYAY4DTHAxoLsYeNcy2ZdNUDoIBrQu8BuqYxRnMkY4RcT+SzWwGEKN2yQe+Wm9pGRcXAB9xz9A1nPHgxRO0ogVcDR93bJYEfsIhx2ws0pSTw+Zn7LGFoDwMRve7xXmMoxyYKHj7L00dDb+fp0a2rghC4Mcsy/0rijSWcvnm1mC084oMl/J5dj6tHIR2zEpgWtX8wRH34vxxkh8nyghuDQfOElheZ2q1Mho3deHtDxJJ4Kk9nscCULYU0HRjBghsexvWvGEWn+kDUCFAvSe9o/nkWxYiTt3+dM1ifDusj0+NzjBbLJvZ24ZkLjqgW6jIxVVCiD8Ky4kTAOfvlFMoRsLiezGvGbkPj5eTtcJOR+ukhMLpabKqpK6GDxohQfpD+SNYmKEmS3Z94K7oJ3d0OAPCE/qgac1AZTbDv1/buqWexT+zus9CjsWbgmIeJppWtWPHsUoqVmM5teB8zs3Qfd7IJj8ZtHZj1l3zLf1lIE7GBgToCwVPjc3opSX2lmekOt6gMmAfXYKNwOypvRhe2Fm7BAjrck3GZYj08rEffDHdO2/2qFq9qknKHmS7mJZgm3aZZh/+eDr6HVSLYztTXMjHKdzIthnsSvtX94Mr6nkjJMnMnOuFGnC0b5VKrw7ZHktLiaqorerVaYsCXr+TdQrIYkEguKlzQbnmpztGjCxN9JiaJ45Qxzzijxdy5ahlNmpQbrgBWBgZjjqdOuBJrBKNkzKyWikFk+jBsfKZkiHHT2Rw2+uu3Xz/LTc51vNLfFvwKr0XTa1i/hQnxtI0YlsRm4SVornTsSdQjmadCrz/NvuPwJ2lyFZirxeZsajBHUJ/Obk7ssevFXY0Sel2kajkS9lNu/CfMBz18PNb/+1T7wCP7RJzfFnnuLYrRLbCw9ihKNtRqkfBZA4X5Hf6ZKjmM8ifYqg17YWDk5SFUDJvVt59Hyfr1uazdHIWlovr5bju9TfGXH9ylWm8Ms+AB6935fBNnwsnN1tu4yOO9voD2dc3X97xqlqcr0fOhTIkFXlyAlILRAb0wywFAqDX8yrpIdtXzlY+iobSj/phXcHCb5mdvgrcKCrkOmRMhIhHmXZ8g+fBh52gpxVjkEwcmI5/vls63UbwC7NF/fnDUZeW8sq7aExFL7a53ApVoeXTRC+eDrLecI87Ehfz7aGGKIHa9CU81eM/W9BOsM/ZFLsx4fK3Tgp6ZVHYXvGc2geJskovhJuEyk41OYtGVYXZ/OPECrHFaj7za5zFxS2/GeEHkI8qau37d8gtMJCn/SuEP3hBJPkMt9S0OIYgl6jnKx66+TY808GtlDaOGr8U94oGhsnzw6zzTMWYSMKyoK7yIQwOvZKsoS/G7nI8wa9gm2EG0+Mn6Q+2pZL81EucvbTufDqUwnrV7KJeEF5wR1cM56BvZefi9Y67FeF8NNJV1RClzcZwg520qXKUU35PdYyivuKe4UqfkaKfltOUmLoEPp1fTad+2HoeeZFQr/b+6zAI/If9Z5j50IlncnaBOuGMsm1qxUrtpNR99gCswM5VJm7G0Rq7/ykB9cCcgdPJ1Yem5Ktu3+nRQNi2LviY49h8xrM8bPd3YvpVIpIks7d8dX6vV2jHF6CpIqfLvqWePiNeplLJ/C9kB01E3LxDgi0n7Vm1zQoBNzFjZMtHIYJX6abZAQUPwtN5qmJ56FFL7TZTNk0Oskw3khDj9NVphb85nDHGCt1LL5r45uVhsEXU+OaIB5tZZIZRs3kLpt3GLRHomOJKbxpExdjw1e1GqK4JFN6v7Rr8BmSZi+4nCGrg6rdFE0iopmsEla4R309mS2XYrMn2UJEcUDnnsmZD/UVeS27xQl1f3EK4fruRobbEQszWkDSYQ8RuJIOihyjCpIfMuW4N4G+znepub8kEMNg/eLgFw5X9uEoVJg8RW2Q6nJE+coMt/sKPILVlfnSFLy,iv:X/ONxuQJ3EVMe2RZLlR+mwu2cKtP2JFGztWNjOklP/I=,tag:9a6KFR/WldtUasiA1iBmuA==,type:str]'
+  client-key-data: 'ENC[AES256_GCM,data:hPeSh6qEUcnok6HgHm0eVB98kOqwjVYDM571D/kAvttm4XFX52/eNez/Mc8zyvOwv6P7QCOmJQTH1BQwyaJS5rD8CeuFWP+igCF4KLIo+8rqhLu6FWZzRblSKWnZhb/LHeyEl6EDZz7aA5njbEdXrlC8UkiJMu2xAuAE7a65YVag53AWcvF4K50BqRxNtGnSCMA88vLSXEagCGbyZeMRgJmA8neJTzsFCNXCMpGGEiGIKCsotm2xyBqGClZxcI1+sqCZag4s61rlttBYlrlKm+F0eF8vhoM9vWlHu2HRshFYEy3x/e/CMnULByGfFWqwrqstkIVjT4nX/txQdp6SaYrG/K71pPATEAIGbAERFh+APmfhVa1fmg4XSn4P4RzPThH7O771GRsrXkskbVs9icwKPxwpBSzepn89kUYj+/dq1AWo8lMrRI+T+s3vBif3BBGd/sNBZAyxSY9PJFtrAgaE+wYCJG5Gezg/L6Bu0GyormxwtRCAKHTuvcIQiwXWigJpL4oobKONOiYIfrooOeRGIogmCMdFLoNj3A+NQn8g9yN7ybe38/X4b6iF6a1mjWBhKJHDVPsFBXRsPp5DzIreVJL7+cw7OlwTSaZ4oNpGXM25a3NbMjfjYz/QylC9fKvE+HEpbKhWG21aTLbwtSm7wDRlx7lEofhpzR0/oEHsXtEk9qLupG3jTj029DaprStvKd4V1uQV+jjiuQWH8WXJO5ZrIY5IvT/4i9LWI74Bmdfm1uxFO0rX54xlrmLt8TVO6JnSijNM+miWLZMrhezT6DJutuugVx7DuS7CXUo3QMfu9NRQB2Al8DQS9DBrej2DXJ0cnCZu752vS4j/rRnC2SHYtLRUEzJuIkGWsMQIq9nnmSSMWpD/cdWEufLeOzRU6OibJQ9lcu+gaGWHBHd2MRyBoh74YHVOIH7HYop4CUqZfpnxc3oN0d4Y6B6Y0/qO+94wsAgp9b/CXbjrxxsVJwJQlAlHN+xFHNb5HLCXlXGTDBoseHARjbWaqPsv6+HWFkhzwnxtsSJCdcCrOpKJFlonO/ujWvDM99Uve8NGkZkgoII+FraeSVdBQIogUnRVtUTi3Aeqi6tn4Tt5K6gNqVX4O+jQtMrNZaDdD3AM+7zwZdgwHfgNYrFn10HUlgcqISuj0cJGBT5DGFxavGD1Shx/uBcVqOHzv4IKGfjpqjqPwHlqOuXGosZtgpbmLd8RnacLAb/WJRbGoZhM7r4AZEV8815JktZsD6fY+iH0Gq1+OubnfqWmzinNiifnuhirzPFLDOmFw0sK0s21Xr45pTQX0Kj4T+kcOwjNX1D6BJo4s11Uk8D4rfe2eBfFIoGnE9OEEWvvj8MLA0A0i7nUPhxxq0lKu5faCYNNw8w12+T1F6corMECtgqtphDvu6PleLf9b/aFTp5vYefRz/eifx6h/NIn7Z8qq3vI6zWmGv9zRZiKtDedNwYyOIC34KCYL7X/UsjsbhrpXsT605MnyzxyKOMLuxmaYPc4nj2M4xm1GJCBqxjxVkW295vO/e4WCxTyyjNHzNI3Cjqzy+dhyV/tq9Q6C57iawAoOroSVl1RPAzTqxf8slt4b4tdRzO4d9XoZgxTM0qiG83qD96QDhzi7wxY81ztDaAv9KFez6yIx5B5QLCZXoVapf3wPR8DLv7RzcKmdCKpinfSwhvgC2GpUnEDyQCIJTz9WY5AckbsLbsDmefMuLAda7K18kzR4MIrk3Vvv0MhM1CfeOndxG7EdIyDmUqjKc/A6KQM5L3u+qoQozuKRCWlveQPaG/ByBnf4uN9LXkrJkND1MtDvXssQJHRTgzTe+3mfmhq2aWy7l1tojTSUr06X4XV0ay4PSScxzdTVTf936nigmiU8L4qgk8NJmd64XJprH+mmxpU0tOdslsXSOxk2TP1+7R9Wbyx9Z/1SIhdyWjsFCfOgDOFL0y8zn4jaGehXVqt9FL3VDodI8hd2QFb6ckGTn5iW+zMMk1ZkCOizmhxC5oCLP4MlVtIEgqLwqclqevsAYVpSIxCLeAHr/2IoPawAgxUgOHgtA6LHJbv3oN+XPo6+nd8sPkXJZ8VlY5GouBwzf67JtLQjd8Y2VL+RjVozUkOcLTBBLWHBMxWjwp4+hsRc0lP1Z4/pK4CXuANacYPkmXOMozJpTJYYoaNv6WylLLFKCyj49yW+gl1HAkeyb8PSNY9LgjqEIZB+RZ9Xn7Utt66Mhqap0o6pCdAUuLK9uv2CR9rCGEeR8j8dsBQ9KJisxwBUjz9b6cBMT8XuOIUkWv1ESZhFmKJ1sCXhVKFOzOq5CgjU+QRMGOu+LIw4bUh3ZOB1DsA2P7LcZiWSVvtcQ11K20qkNK0Kkl9tZh5Y7qpRgh+SmIQE+X0QvZmWC7K1gWrlFEbtv3mw/9IBazy2GjA5ULKYz3ZzfNOwNrd4++rH6YHrwYn/o7slG18bb8oHElCzENwQC1nst5cmbTfHpeX/YET3tycL+EOHL16Kfg1DKzi8hbNZhAI3PWcV8rsuFcyMbtVXa3MI6y8dfLVfBETUlgPULJ5w/HFarKwXpRmU0v5YKpg0gy4JafVyqFO6bhmYAMvqKvZzt4WQUAEqJdPDEhyWj8ZQLAYwgAW1w+Lr5oIful4omz4AmDg4jA2aAB+/o9S42rM5nLLfgDZVBMeCU4QgUE9kM6S7lPWXdkaZUgoiUrD8OWyKy8KiAsMt+nkbuY5G5X57IoOApCd+smXT405+UatpL9VxQAHUaPqqX1raqDVmJHlJb2TB7rB8TL9q+S3AdOSQOMEfB/FxFYlIO7MyIayIyr7+7ZLBvJEnCMae9kjgbuHRCkelA7Qn2WCLzHRuPftgfs+cKExDVEmTsGkGEUy7erO00muI1Kt47HzIt0emR/RXG0arl31aYP8nBSt+cmkA3inWK9PaB9/Vc9gZul5Scqus1GCZ6CvjxhCMgUx91YrGYuVFGybcmUocXFVnWfoJ65E7n8=,iv:Um9mAPVzbSdF7D7IzmztYODkyCtgVwAexya0uYyxRFY=,tag:OYU+Wm0fBpQ/GPQpNC/hvQ==,type:str]'
+isoImage:
+  passwords:
+    deployer: 'ENC[AES256_GCM,data:5gHuzx1UgSmscTZVHCw=,iv:aaONFJ1W6FlQWWYwl+th7yDCRB71qhRDtpeP3verayI=,tag:wXdqB/VZYpeIDw7cxTYYBw==,type:str]'
+    root: 'ENC[AES256_GCM,data:0ViR7nN7r2HXAJ9Pxxw=,iv:bzqgGxK00NAkCJQlIt4x3V56tv3kiKipiUremZyOvf8=,tag:fC9RVyo8nObI26ERKFlj6Q==,type:str]'
+kind: VariableCatalogue
+metadata:
+  labels:
+    airshipit.org/deploy-k8s: 'false'
+  name: generated-secrets
+targetClusterCa:
+  tls.crt: 'ENC[AES256_GCM,data:WsmzwpV2WvfLHUb88aMI0cBFhOUvmywUtzLNQ9vpEyA+a/hzOkCt2hH6IGDg6rOg/DLCExMrRk8edXV8SropAl1jfa183igRPNKVYnswgtXZVOsjrXeoumDA4GeYsxh+J5y2V3uWoAzfepShTRyJZLLWOTiubgffLmY2c4hFoPjkvp5IdiLh19VYDLnLUhxPdJDneey5QwN1wdZ5RjKOD7tB0boDiENHxfzhUzWRHIok3TC1kScUqKbKNtqoQnl5R2ghTFVGyMtDCaBThdUfGWItnbO/F1ICvMKDkWCHEkh1XhVRi9WCVZxZHBzkbcRh+WTSgfjKnRAJmz78qgVo38F0cE4irqjoV9gDoCubQsplRyqOqmR5FY49g4599y5cRCyN/Pg2KZ4Qow2BO65EAQuDarjado7eB6LdBPCFKRFvJPJf3LxCt88esv6MTdJUTBuWWNDha0EqdMgPe76/xIoMNv2LxVHSzBArRz2jWayREV5FrE3xECnO80BUZGa4P+E2VgqkmijfQANm4fxAlomh0Hgy5V3LFa2NAfHnK70pXz05nwl6+q33lEGgQ9UGWG92o0ZK66bQDKSGA7AuS786fr9WiFhydGW0Ot0pE7Db51OL2Ln1S/SJCSyUi8QP7FViSreanwtz9dbXbXjnZUjQysAcQufuwSnX9Iott07PadiCCooumT4nBOGru8xi01SKiusOEk6qjscoTfpdfElpAHFQrWLgwGuS399cBFPcfu9YbGqzB6t+xRq48KBxvLGf04uVppNdcf3V4opy3LGDeNETcMfKea0fsNkSKMYOah0jqBoUcA3Qpo2uTo7qJ5wnO0lXYpn5RwxYgTKHIgomiFPOn7BptVAMz49EtcxJQpdpOf+LzjZLRHvZIqDlbrBrdSpQOZqsi2MXpkTG4b+ZEyP4+8helKe2kgOAgKzKQkgOjGWN2fbGsDqcLqVCaz08kvtqjyzO5bF+IwezaKl1abUAm0YEH2A34IZr2lkTvhIPN9YKjjWGZk3GCofNOFwMKLZ/Z4c/dGrjW8BtszQKAnpl33wyXunCTxjZiO3mpWgI7ffmXABSHzNLc6nElVn7Na3lwvxlSIGY+dVIekWSV2Rf0SdU5mBRh72UQ+rXwEq7C/ZvgP4mAyxzGZE0kd458Tnjzt0oqNMPPaZnAv/dZW0CYFQIyQuTFKKxbW0IgjN2lf+Q5RpbgfoGLhNEqN0gg2D3YIjOdOE0y3dDWx7iTQ4p574VIhxeCdoxkUIhuhh3P1cIqyjCdCsjmsEVG5QBFo/XIPjoffk8IN8DklVCp8AwIz8CFrMySRzgOOoK91XhhXo6BsZsIkP6Xk9zWvN4op4VR4zM3eqlcc5stBg4KepxxUvQTp2OpDokc5JsKxhUp3qM/uHjYWsDlflfaZukJ2xLcaRRniPLDaRbDH/9L86so/9ztCaCRB3OEtogEjgPFb4KOFiPG7TqUtvrisygwXno10DnI8Q2VR916hO1Gfyc3hdTpHzQK95rx3n/CVclyxibnwpH9S8DlU4QHT0X2NQXrO7t4aKCIg4NXbYMifN1Sp0lEHr1EapqkuL7lqc0PSOTonNt8OhBZ4NPvHsgndQ/+r4aFizZ/56k4n4Fs7Ki9Qvrgkk2ZJuX0amp+cdWwMQmDWC9OIOHRruHjtquX7gcZuQf3ibEU94K14XZB0mSbwmuTQajkBIKxFmtPbe3aCchvBhfaA5Tg3qm0nQS1dpMSzKYH7+kBwuGKKW4l+FTpW1OakPFM22r5oCH+5IY+Eh830Xvzxm/3zZdVD+S/3Dk0S9CSG8moPpDxxjwZ4DPcc5j0fEUweML8SpjeoHdVqyaU3spvuFryzu9poYukFMthvdh6xGzCHzM3889RZhOcG7bUfFlZxYQ015ZSXlYek8TGlaG6oAlrOIjrxRn+guqHUsAOlt1FnRe51WCBh6zMwxKWhVC+Q==,iv:VnSbM6xsMFMeMFf0PkflNnA2SK5cJsQ/HNmN3duawEM=,tag:pMk/noJNqGwTFalvR+Ar2Q==,type:str]'
+  tls.key: 'ENC[AES256_GCM,data:kvyc7MnG165YbHWCltMw4EPzZ3iC4nGOFeQ1z37s5/92f5Sc0pKnoi1tyC9YvgQrN2hbCMJH4H4thQ1RDEO8QNgAPilblNLW8m9qbSQ4SW4dbXILhokKb/eEN2dRfbEzLr+b2SBMDFi4KSWkO/u7JjCeFNTN9JifFddnqHlnaHkRFPRH7uXDf2ZziXcVbLD9y6JP3ZexTAGGy8W8kZhA/xLAdWGsLpyAC6qLbS3Ggv77JeRFTUTjLp9waoDootSA2BDBmC/KhoQKZIvxEDxdafe1qYqwtgl4L5X9xo6afiZXH1y3oBiNrASfZhE/yDe9oxVJBgQJRBj6zshTJ3ueoS66BdJY0gc508gEkEvOv1i7ZEqmhSTVaw9PJuABROHVhwTcpMYcOhhngdEh8/TqmPOzl8T5wRARgzN1jPECrh5ZcSrV6Guntc6SJBR9olVtt88QpNu5SwLJCTj9Xf5UgW3/cBUmsLpPylXY88B//5RSDiAtw4XIcEKMkk3g8czouAEWwU4APa5C8WtuF75C8VDQdFqmoVVHxshRhB1Y1j2laAhKAwq1I2jWUc24MLvCk2SA+o3SMukE0GcRSIx5rwh6bDaLbutgUXFtju3rYrbo9riFPhDBZ05wPB6lrST6+ZBcPwwvmMx0ty1WeFXwX5ddEBWnMLCHfDbTsi3hjNVOBG7OSmINe47YOC0+8Vf09LcL+C4NCiXFO8V06tmz1nbSIUmPBZRAvCaXTKHTE35dVtkkkmQy1wPk7dR69ALTFWhnceSi+LMxcQOKpafIU9KlgbrjhbjGR3gMYL33yeaMMR6OB/ghXROaopww8uoANxUmyf13VMYJBaJ4OVVd7M8b/vT6RfMw8fytIQBPB3I9xVvYMSoC1dpZ/N53LEIo0vq9suLoVYnFMhILVhxy1U/JChKR1tRv4lFKYYVKcZKoze9I5rl6FXyzld/ql+2EM0lJSAXe55mnmdbYPnQlUHPj5wq5AfqXW6ADnIqWHqdbEBo5UEvu9S6ElkMViNv9gD+iX5dD6DTk5Bx7R+lBmsvtySHopjSqslHJURCEmYDpKdKjFxKZR9uqaF81388ov3wnbQRFMLFzZZMwMTKVwL9oAeeJugQ6Hd97fwbXp6X/0mYbh8syaFfA7vTtjm/8oc1fPFrlUBTSXERqlyVgzq9j1IrfZeHc9t3e2WbNXmmlDTV5C7VMeLhBjvEVVNTaFVWfP7YQsrSbzrtirzHB3WFIUifdTCF7v3SlfE/VAmVfuI6w0Zi92g5DZl/2v/bfwLay3JETz2LIYb9GSNbfLX0dssUROgGUsS9F6WV0r1KT/27SsOi9EDygqqOxoFgD+YRckf2oDZ94wrT4vTVHlm9bQQEsKsogwofMxR2GnJwsozIJj5unbY1oiHWBdJfsPPtisESZK3SHxIVcF6iu8g8yvhkHKn/xMeUqDOZN28MoELStSFTkQGpOml5gXdXDdK2BEzIKbeDOV0bVIgN6WYZpEeOKgmoHRa1obDrcgUvC6CB9rPL+40CvFwroRQjoOMLHDZfBkxJxDYDo5abhLXiyd4kCG70nMhamlikVEJOQ+Y7PWIdB4ez/emEqG3S7Z7it/NRukfgFJ9xbnt8WkzJiKmbpnojjJTc/8UVSYSZ1y+UA4R3SKcTlr5/qyWn8V2nXrHZsH8wpmScmLQ3NZx3J2RnSrWLveXaksOcbFBebJPXnIvmqVZ33wDQNWJROXjQfCqtZAhXgOW2vHNyQEoi5IjyNtyGIvLEffX2jsHTgD/QOypA3e38EBgLkZ+0ybLa37GvYCH2GPzGf07TcvwXXlv9p1bwByCOCoUxumJ98gptfbQG7OUXPeDkZIs78xIP8mV2irDqawWn+4dqJBgDZAWudY8scn5gWo8L5sE51kGGsDE0MrPPxcmLBNFoTXYrdCuFFQXdxuQ7mSzX04gGabL+d1+SdETPdJLaqVe2WbI7huEd+jFuo0zd/WkYbJwCxs0mOB1xjm1EwIC43hhl2dLLIGYZVu8feoB2H4sEQeke6R1iGKDOpzL5CeY3L0/EA2cPVC9t3H7wjidFG4w/yfmQQZiN1ivoiLGoWTFN+ztGH0FyGS8M6Nk3d8nP/MkPjCodRIUnsppTRYSJgbxa2o0R2b2wftBdDU7oQqWy4XK/H4zVltACaZE06Og1Y+Rvb10NeYUiDxJupat+Z1gh6u/2ISDgZQwIsRQRYdhm1JgxxzUSeNTtGQPkRcNCoWlaT4oiuebSG8fsGPFaqv3KF+lWlORpKTjMC9mlBXPjH7NWeZOiqNI5pZaf1tl9FnOvUwzNdcGLR6Bqoe08+asKoOuh+NbKSEAlALnPnznFRBapHj5C9ppABMYKfqNigM1tflctJFiiqNnpH6Y+qXFzudrkq9VqhaMoccgkqgYcFEEIwJ8goByA2ZBSV4mA7sDtY0fCEirP98j4OOcUpkHLgaRbRW3DhvfGNOJDE0YJjb38kZEZ+KdDcu9CbrXBgNVet04j45VjIonlum+DWFsHD4tdu1CPJiii9retvUWn3uYN0zSKrj1jEL8cO7Ujgmm4A7Szgz6gP2ShvReaT9BtYf5W9I6HXnedjFL0HOT6SdrG6kXPMns6lOkO3CcxrTM2w3vtms6HYMTFSXDr1k9WJQFIPqF16MrahYaEbHC0Hn2f1euhxiwY6Pd/fWa8SOwx6It22sq3RX/Ra1dbRlQ8UkwvPKV12pR7Lcq3WoQr3/blMZBiK1nXgKREndxY2/oUeI8bpw/qgbAViujfyRVPcmfhPBgMPZceUbVLGlxdYzPIKAqYgttBVHDZNdvI4JEkK4FJnL55WrSiOPEEuiGrzOSKQvZ2b2/AiHceAax/Rr0zSxWKZ7numzZKYBrPBgxeMtJABz/alfsRhtKxIH/Tf3YUaMeS7nmYaOgO7nDTuLqSyWpyIqXQHvf9TCeZt3o+0hBx4R6wLlByifj/QOqY2ZbUrqLqp5xa1d8/SD58=,iv:zCKTZ259WSSteALG13EAZaPvEO+FkqwTvaFv6VQ3PRQ=,tag:wtL/ti1jBKK/zjzNR6E/PQ==,type:str]'
+targetKubeconfig:
+  certificate-authority-data: 'ENC[AES256_GCM,data:XQGGPJC6gnZKfIVTEpIFrnu80oB3BrrpGCiI33aKpSPzH7mJn/QLx/Ub22Q8pL4Y/AM7LRTNQ5dkLar6bns3ePLCes7QY0WtB5cp5QFFtlIDHvXWcX6o2yjrWP64cS3UY2Ct9vije4cZLlDHjOerOyI5yCXCbWNKP631EXq8KxmuTRQNJROtvnG37RYgp7nsHu9uXVcrCxf2UH8WH4LhO91yW83rJSThSSZMPBwUfZdvTxdFg1AU9ZzHxQr+FDw8rDIsw7nXbfhlQxvsbp7Sor1rPnu2/pO2wVMGrnrAiFn2qwuxWRCAC4gNZr43LXz1aYgxzwcTVV7Vn56C0G+cXgS9uceOlknYwE9ViupOeqmUJ9OaLldFmoEFmTVE//qamT78/jjBWjb2ZJi8ztjTCFkw9ce2RKAd4RILwzZ9bUMjJKuO397efe5VZ/Tm+94ZDRnrOpNT8NuFlhcyZ1ezYhSEJYG8H3cr+ep7j5wmhse1ThK7IiBaUKlEkBoZEcjd1TI5KGf/1VH5VXdW5FbGH/gfDUeUYH2JuMSKnGuozRlCacjK6lu3kVZpQTXHFtpHKFiEbLgCFcmM9HnPt0KLKlYX+XSgbElQPMHvyK9DrErCrj5KZ91KNOupgzqUJ7Y2GYYSWEGIyXQLO7V+LjDhE4K5PAQzEJ6D7dxK0b/4ze9uQiFtQLPa7qQ1tD8m9JoAUZSPWEzFgsOYJF8Meoff4Kp4vZU+p5+LlK+jOt/MGFF+1Yi7tuOdWY2Ulbzxm5TAt1Z3+HmgzidX01cDxb9zT7iDa5aObDI4BEFlPw8s0dZyvwLNXRL5yq90m9PWMZHmlkwpPXXOqCumbNC+FW1E3hQ1+drIiLcX0uRd1jHW+4RcS3ePYMQzZmt7aLQhRVfLNiJ7kW62XNNHAs6cc0Z2hJudloH5AQpWNwNsUPUzgaFnTPu1PyGhTywy+3C+zsLpfzQFCD4bSyhJrDj9XJKahNAWk435ehGNGCgr8bkj+9fZa/pTX/bmwSFMh/hvULGQB8jhQkCoO1RWCQnLK3iHIc/W0ED19GHxgWT/SOReLeL0TGsqN9FiesCo7pDkVGsbEzPtXjt2w+jaZovTBp2tBuhm9l3eB6qK17PqI3gi1YVQtaDvsDNwq0J0dhez+XwbVu4usrciyQYzJJoF0xHPlGhnyZWN83bp/HWZq7Oau0D/Gzv0eSZNG4TIXxAiXgTNA3EN3bp4uGzszYhzarKRiLo3+Shu85b7oa//UXp4FFUp+lRIqr6HDyhLv/17WaopfaNF/f7h0jym7+gvYj5SVKBLgawAkEfGwx+HWoEYrQxaXkFOPDhuNkCY5w5xaSCfWGHO/zfczvLwPXeqVLTmgt1UpdyOmrVL+WzegnsrPuIOL15VwJpxdjV8cnKMdp0fWRur9FTnDUSE3yQQDIUr/dHKP9wGcwxRoaa099zHkjpJVJk91sbxf8l6MCe8K9H2M7W48ED3DRhpzIbJthHjpZF6a+8E3a/+H45T7JevgZob2DfENYub7c0fiQqMyLU3OEXu90fpPB3450zFF/M6+TB+ezKK3VSxcAJFT9jPX7OfjgZJf0E4q8v0CYHYeOxqvAmoapyaO3Z2+tuP4rPriblu2KsH+5JyP7kVX0e4WvixCN+W/AuSO2O3CqXZTh22F5UxRLSc+p4WDx8DvgGSSsFtKE9ASkGgjpGEV2GBdDu5Ja2rC3qqooCSDtLEuas3zmmcbwVog/ZhHw+us1yyAqDpkllxZ+Hoq8rHdg0Jwep1JUJ7B+/4du60GleqvPbiiM8xnbPFOxrp/lEb23ura4AqH6ZxxBHol8d5WHCh0VxQXPychIsx2Pl/404t0mY0ne4bIudaLsGADwM5WBRczgKroe5ah+7KmujhavPoNQztnSgVTfa6hxjG5EeO1/hYBybXA3gjM1rKaRLUTdGGfcL3TmOf825xM4BLvQ==,iv:lrxOZvtDP49iLxzYfTW2B/ex0vtgmCj154j2xOnJEWM=,tag:ODHDg+Nh1ZF7oAloIlpnZQ==,type:str]'
+  client-certificate-data: 'ENC[AES256_GCM,data:wPc4wl2y3CkIciqXl7e3c6XPx9jQz86CBu/hSfIQUc3IkpBeEajlxlbxHnLDvG+/hyXJtqfLFrP1v5JcZCCiUk9lrZPmDT1yWUOMizV1/WLhC/nDuGitVErRWAeHDtxE7f96H5MKQpv43zmxrg3F1+mvYVt1WAc1SBWgcxY1bEmLtV2/RciaIUX90aoE/3zcvCRq4A4nsPGXqT2NCsDcSTngQPTGttYMCz1bNOUSk27kmd9d5RV5twRKtl5X/pcR6Hem0pqlkhnCIqElzMWnKLIOaxi3/KzS/SMIqRHJZhX1fzl0Szc183v+ew1Y63kGabvEJwG83JpGfKSRpLdH85rUydenxTWnGj+2qpZlgTUa/lIGfXR/X6RWNPKzrZbZc6Hq/s3n1Rk+OBSMjepygp+5huj5QII5gdI/YoW/4+nEav+IWvoXmtw7DNDuzPgicsZxZx4QmgkZJk3s+HX+f1TG8eceR20vuaWaSOkq2JR3Uc6+9ebzvuLsXqX34SryRvI6Mrd0bJwrNu8Dbzv4DKqHrUnT1tVoRRkCE33dHyRhWjG6vs4HaDgZuzfQGJMPQ4c7a2RJKVB2e0HYp8xjFmbQCPDfdVQ0y2/E8GNUZjTQhME1B6Nz8egtZjgIAbug++cgErT0PybCeMCHmz+596xlHYjoL1dIONCvzm//Dc7okuxs9D8LCZ5f7r7IjYRFQt6U3i0PLdv1pTds4yvG47VJimZi6SXeq7Z2LPqSVclZCfPlDC643bC9hqpIsDRKDJLFeMoTr62g5Z0W+c5dmMH/6BQrySgr99L0u9JJzaR2Pzfr2QxlsUZibYniNyuu5cEdMxiVbMFAcDaGWyTOjpvay04fkYky/A9AKwAxPStxx/YFZ1su/8SWIwsAUfj4xKEccjxOcfmL6BjdYdj47ElNYQXqIVKl/j3X7rXzDSu0eyVPVTcOwuGtXrV/VfadmisX9cKCSwLozj6GxqM9JN6QZ6GYAxHzU7V1UR7RTtnPN6s7JOhql80KmsN7XnRddmWPZpOmtnwunKSrvK7rBygXkNpX1TE24dfTpWzBOeVE6BFxUuiYGCoxuuxfEo6K2deBj/7jZZ3PLprQyqgIDipKjgeC6R3qx1UBHOleY67Y4ZvUCQSjz07+wo+B3OjNfbCSN0vHJJ9NhvyY4CdOtrgbzOchZPhobhxurH8iMf4UDBgugefpXRwpAFhyjkm0VvDE+UfKJFbsKcsPehzbBOxXJKBbyDze+Ov/oTAhY3JjGiUe3h6Hyac9ctnrUxaGFpLhsjZCDiewSBo+AP6J7dQ2bcg9XMmw3ckOD/hVaT/sOi2qWsrG4Qnr7ZmCXMy+yWQc21TL6JvT3yI56MAlE9TMrG4PWkktmTbw6eAyTOmL3lzBqpXKgdJoWLR/Zv0xUkk8+zZsVchja1kLPJAL6ALkRzL7PE+UEH57K5/vim8BaHzKO4Q/4fb1HjbBX6GA+/4nW0CYw3vKsa8Gpt2Av4XwOpAHRGrezm3w2o9fSxabCTMroJ8dsaR4uJiCpn7jq9O6a24PL54gP+9dLnvnjK07DXvIJI2mA5iDv4CJAgz0rNPz+6yAgGtuUkZvqslBOm5zhKy1TVlRuQT315YeYjHPp1JqmQ96j4RHCCGFFlHsYnzaazY8izu+r59JNxUVRipJs2UmUktJXETWn2zKe0LDs8LkPvObvzM4LLGOamVlaOjNKSQRsiUv2Qd0+ERY6sYJHwh40ObGF6Z8u+91wWglcylkY1+bjhCwh9Zs4Gw7JenOkMsJe0BtpJYCwkDIA4L/+PHtaUpgQmaFCGYAuWysAv8OGkv8gmIaSiLwTfiUxg+dqgicEcKAGoYj2pFduWKldP6dg2HyzCYVcMbMJXNf5KIFLcAnJ4IOYf2bBDR35Gbtq9gKUALudgR2O/xxVkI4+DwY2Tc2EdFnnkh/btYaz+seoCQL1cB9+IrxfldR7CLXUlDt+7DUirSEvNLpWA31wA==,iv:d8/OlgrzqF3u7162nMzKfWtqeeLogcwq2Z4FTxRfxjY=,tag:wI5cko+kBoFUXEJOO1CtOQ==,type:str]'
+  client-key-data: 'ENC[AES256_GCM,data:DIz0rFlKFLIEQaSlyqSgAiY2KK+a1CRDtAXtu5LKgS8kCr/XqRHq41wVVK44v8V1ih8Ca/i0Lie1pheHgdHQicilcturE8Mxfl8T4Eb/6fVy/soo4M+cdAHaZDa1NMW+0ZYrXB67oQbSnE5y8/Q/PQxg02VzWIm0G4OQkkTXjb2OC4+1pJl2tWezyMhdiudc04dO1z0uK3Z3oSX6huedu5lXEP2u9IlFrEDfdEg9Fpw8+HIPMF8hGblVffZkYob78AzuImW3vzTJV/6TDkNdlKbEnHiPAvqRu07jUa9w0rKGfvPeoRi8KUhCmqI+948lsmV1ZGUFXfTzYu4Ln+cQ+x9JT1cX/g/6DqmWUXiMY3Bh2xPyfW+qm66QypFH+wNTjfbUpPK/Fbjfrbt3Eu5XV0beOh9RQIMVQcV4OgOydwREbxxCfUtCRddtDcRuWp0uju9v6c3m48626LXPyO8iKoFVldpMxEAbYdROOar0FXBNner9t2LRX6oWeZijh3bRB11Tmi6y0H3fWfS7datRO+3ben18xWJJTYNIst3e7dUgjgnTriqKcGIzqsxO0rBH2+oT0gHAgDCKzsp53AOEl8LdJWXB5ua6WQFz9o+p3kkDLC+PLwXg1zY3nkVMYrs8a00JqTphRc5X8R6E/4wpYS0Eka6rXKIyAq6a74nCXjOWUy0sBCpwI/8bdckMF3u9uw8GjMmtQINzJv0Pm7Kx6T7wf7ysdhs0I/kup/l1SeckPoSBm14MSoVT5Co+0xyK72SpyAW5f8QFEv2SRp6c3xke1qOEaPAD7ITXlLt61y74yRcKXaiWkAG4tqxcudehRjnOATrC1y8KmkV+V1ZSP9wm1AVvYkYGldkBNTVaDGSZdaw+u9KFK+tfNbMajMrAEMPylINa9ELh5YGKzj7cHeaPVh3C3bgDNZHUD6osrGXvHYaWVqwAaslZVEauSFXvUAVxajcbaTf7RrdoDU24BP4IrQkmkDoSzsFvXiox+xEYXQMZuJP/Vp47e46eobCUxADxM6zpjyaNTwhSV0aofjMsbTjzlvniYzw4coM5mhfwJ029Fcrk8XlKqS/Mad/pFInjwZE4i0NQRwj5ZxI59mbUIQZUEXdXBtIVr02nE2TsHYQ0iYOeUTKALeZztwY8LKoIyIdCOoS3a89LEIjJgHnyesylxVBj46fDkVCkWcRpo6jwgqEQTzvRBjCJQMvb451kQUk6tBp6iW5G+6gViEbATrkHRWpFjbYiGYH74RTalyTxQA9Z6C0FmTTUxnr/4CP41nO/Wj653LrRL+BuJBi91KbfHQjKCltcFdbrZeEkmCNJk5G+5N7puxYldSLD+XJRTssK1+2qk9xM12LUzQB8pqTulKsbpMn+cnWzFwLmRCBsWdn2xattvqgdFoNXM7svCSroRogGx4pK9k4OgiOtM+Q1sOdTOsntLhSGyW6R723vnZ4OfzNbO/zkdqAT9ZmPl5V6g4sKopM4wibuGsHx7G7QEBz0YbYFxkKtUSH8VmNJH6s+liLCGvc9WtneT1S0HbcQjWYkFbWt0tX0N61NbVYEzTpycgXMnz2VbrkSiGkp0llWXMKAys4YimjKjquPxjXV4Dy19W82UBGo5wYG+WBKqwvwrU174Mb981JfZfhZiKHAreH8hy834pLcMGeJKR7BYeEUPG33gn2Ds/O9P3Hrh/ew2Itxw6LNUzvLb5hSwPGbgYkIjUufFKksiSUBpbpyPMXvTUKBL1eje6JYu3uqkUcmWKGVhfyAldlOoFGpUXiulR90KPXVTR3bwpwTyIYp9O5IhFHUlKb3kjBBXQe7z7yxrzPudJSbHljGPPZfyVgTdgYjiN+v35oppJseN6J3fsiSZIMJX7QanNTqwvsoZU3SGA958Le1154Sti5WlD/jMTovUmFVHNfIo+E3gdB64BEfPKf0R5cuWB05aiaeJJPH61I2W/0mK+zlK0gdNKjrzPDTutgkem5/zxYYu/mcnCk/fbBlOiHlAsgwkwSCs7nVUrJ/1aCAtMH0IVYjatslJMMy9p9q7L1YNjiyzRUgbIRa4g2dn+HkxEcZ/iwm4zWXpRYLZ8PdSl812/y8DG98yVxgjj2CeWxEdrviVlYKxivj6Fx2YvWV7H0GPeGLdvFw2C4OLBjrgTEriLFpwYhwE3jqpUh3Ceknoas+p76QYoqa+vJhYS1TeGzuZcsToBZ+Tie1C83MrIcJfp5DRXT0vffhP217YkD17/mQ8f2WBTEDckb1PeT/Tbspk+AAK3p33+yTqRUKppkRN7SU6ZAT2sRPlSA20fdC8ucBlTJWpsZsrnmnDLc/oacV8LGyxaEquDfKzYlunj3MAKLVibCnKxbtoLATOcRcb5XwGMqVrcrnr0KFNWFivV6IGeTGVOyEf3fgyfl6ahn3q7EoSM/QKTjp61+CMWzFsJvsJsVPXYWqy+QRZhiD6lJbezjRcfRVaeu9ZGMGPsgfbHCqUS0u+66QI/uXvUwfG+MZZaxBEpaSyHWSYtP9UGTeB8l1t1sK3qrLp1WMV3EwIevPJtpedDKxcfNBRrtW9G4b2HHqDsOTCPAH6A2FJTtDXqJtJx77IvBTV+z6DMoEJ/H9+F39pDIhKO7QlfQbCr4bL7cW/JeYSXeOPi4Z4y+uLfcC6glyl+ILRK+0u/bDVRk3W5B7uWXHyCwIUmxfEqrYJNKqz5O0LPp8jFzuSnRMLMtGk2vjxYctFLlprajjPuLk6VPZlLhbYV0bqDIPWuQ3XjKwQjfKWiOm0u3KCZSyhe68ImT07mddMgIHtwB39hbXOlhfPKppEnmc/qmr4F4EQMvztvwox8TuHrRip47ChkpOjcC7YlZOccZYR/8rorv/3Jl5V2ozmg/Gb7jV0YY/B4/kabpDQuXCnT0SFA4jQZys3CSBqO6AQOxZ4amZIFm9zbMnc3VLzJGBylsX9BbenLV1ffltLhI3eLpv8l19Yb660fNVu4R5Sw==,iv:d0V7thVsBXSYoEVaC/saH6WpX242EjiJjUpO6gpabxg=,tag:GNKcO01sISM3J/0Hjzkntw==,type:str]'
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  lastmodified: '2021-04-06T15:20:22Z'
+  mac: 'ENC[AES256_GCM,data:xR6t/C0I8eyJqi9HbodbjYWP/5dunzylUx77/aHqAqU3/zDfznH4jpN4oBE5+HD2AEtqWLavIJ5QjVilHIIp3q9FbDp28JnVWc4tcShceIJzn/E3EkGJohzbVkCVsEUnZ7U70sEfS/15IaJzfDnlZdxRnCLYdTYjCjaXXVaeOr8=,iv:2ksNc3zAY+OfMxgeEghCmy3u+ITiI4OqDVm9pbxzSFA=,tag:h7q+iyfTrtkZ3oiZNqATPQ==,type:str]'
+  pgp:
+  - created_at: '2021-04-06T15:20:22Z'
+    enc: |
+      -----BEGIN PGP MESSAGE-----
+
+      hQEMAyUpShfNkFB/AQf/ekiqVj5BDD2h1DEiKX0kz3sSU2Bem9EblObv+mEkIVzj
+      5aAMmcFF5W5f+5yNDeb9sN0eWMIl99IeY8Z4GZ/JgkLd1Hf2eDpyYhD522tTewOJ
+      IgJT21Tv29w+GE1S4erz1ncF2C8b1r5qzHLVKWomX+rj5/Ix29he42+6bXFO0f43
+      /GX43VWeuRenJ8p2UxeWaANzEdI354UCYCOuOx6vXytsljQ5Qd2tidaI/rmCfiIE
+      PjZvnbHmwPy4R2jtwtC+yEOs4EFzFB1DFZXl0vvQTcu9ztOTEgibziJZs2EYNcCm
+      RALZu8lSjLRbSbjGs28mTSCFEAeZkCcldOXWf1fljdJeAUmA87yTpVyFqdh4QYDz
+      h9OLOgO3YBaKfq/7+YT7wUMh4zXC/BCOKNRCYeAFzKk1GMCgwS2h/1j98Lo8KviR
+      AoiwcnomoTATIRs/7715GhroBvjHdrdDPQg0FwMB5g==
+      =3Y4v
+      -----END PGP MESSAGE-----
+    fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+  unencrypted_regex: ^(kind|apiVersion|group|metadata)$
+  version: 3.6.1

manifests/site/reference-multi-tenant/target/generator/results/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - generated/secrets.yaml
+
+transformers:
+  - decrypt-secrets

manifests/site/reference-multi-tenant/target/initinfra-networking/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - ../../../../type/airship-core/target/initinfra-networking

manifests/site/reference-multi-tenant/target/initinfra/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+  - ../../../../type/airship-core/target/initinfra
+  - ../catalogues
+transformers:
+  - ../../../../type/airship-core/target/initinfra/replacements
+  - ../../../../../../airshipctl/manifests/function/flux/source-controller/replacements
+  - ../../../../../../airshipctl/manifests/function/flux/helm-controller/replacements

manifests/site/reference-multi-tenant/target/lma-configs/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+  - ../../../../function/lma-configs
+
+namespace: lma-infra

manifests/site/reference-multi-tenant/target/lma-infra/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+  - ../../../../composite/lma-infra
+  - ../catalogues
+  - lma-infra-object-store.yaml
+
+transformers:
+  - ../../../../composite/lma-infra/replacements
+
+namespace: lma-infra

manifests/site/reference-multi-tenant/target/lma-infra/lma-infra-object-store.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: lma-infra-object-store
+type: Opaque
+stringData:
+  fluentd-accesskey: admin
+  fluentd-secretkey: changeme
+  thanos-config.yaml: |
+    type: s3
+    config:
+      insecure: true
+      endpoint: minio.lma-infra.svc.cluster.local:9000
+      bucket: metrics
+      region: lma-infra
+      access_key: admin
+      secret_key: changeme

manifests/site/reference-multi-tenant/target/lma-stack/kustomization.yaml

@@ -0,0 +1,14 @@
+resources:
+  - ../../../../composite/monitoring-stack
+  - ../../../../function/minio
+  - ../catalogues
+  - minio-admin-secret.yaml
+
+transformers:
+  - ../../../../composite/monitoring-stack/replacements
+  - ../../../../function/minio/replacements
+
+namespace: lma-infra
+
+patches:
+  - path: patches/minio.yaml

manifests/site/reference-multi-tenant/target/lma-stack/minio-admin-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-admin-secret
+type: Opaque
+stringData:
+  accesskey: admin
+  secretkey: changeme

manifests/site/reference-multi-tenant/target/lma-stack/patches/minio.yaml

@@ -0,0 +1,17 @@
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: minio
+spec:
+  values:
+    replicas: 1
+    persistence:
+      enabled: false
+    existingSecret: minio-admin-secret
+    buckets:
+      - name: logs
+        policy: none
+        purge: false
+      - name: metrics
+        policy: none
+        purge: false

manifests/site/reference-multi-tenant/target/network-policies/README.md

@@ -0,0 +1,19 @@
+# Network Policy  in calico
+
+Restricting traffic between hosts and the outside world can be achieved
+using the following Calico features:
+
+* HostEndpoint resource
+* GlobalNetworkPolicy
+* FelixConfiguration resource with parameters:
+  -FailsafeInboundHostPorts
+  -FailsafeOutboundHostPorts
+Generally a cluster-wide policy is applied to every host.
+
+This site based manifest is designed to override the default global
+FelixConfiguration based in function directory.
+
+For more information on failsafe rules please refer below.
+
+[Host Protection in Calico](https://docs.projectcalico.org/security/protect-hosts)
+

manifests/site/reference-multi-tenant/target/network-policies/calico_failsafe_rules_patch.yaml

@@ -0,0 +1,43 @@
+apiVersion: projectcalico.org/v3
+kind: FelixConfiguration
+metadata:
+  name: default
+spec:
+  failsafeInboundHostPorts:
+  - protocol: tcp
+    port: 22
+  - protocol: udp
+    port: 68
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667
+  failsafeOutboundHostPorts:
+  - protocol: udp
+    port: 53
+  - protocol: udp
+    port: 67
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667

manifests/site/reference-multi-tenant/target/network-policies/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - ../../../../type/multi-tenant/network-policies
+
+patchesStrategicMerge:
+  - calico_failsafe_rules_patch.yaml

manifests/site/reference-multi-tenant/target/workers/hostgenerator/host-generation.yaml

@@ -0,0 +1,12 @@
+# Site-level, phase-specific lists of hosts to generate
+# This is used by the hostgenerator-m3 function to narrow down the site-level
+# host-catalogue to just the hosts needed for a particular phase.
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    ## NEWSITE_CHANGEME: update with the worker hosts
+    - stl3r01s06
+    - stl3r01s02

manifests/site/reference-multi-tenant/target/workers/hostgenerator/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3
+  - ../../catalogues/
+  - host-generation.yaml
+
+transformers:
+  - ../../../../../../../airshipctl/manifests/function/hostgenerator-m3/replacements
+  - ../../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/target/workers/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - nodes

manifests/site/reference-multi-tenant/target/workers/nodes/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ../hostgenerator
+
+commonLabels:
+  airshipit.org/k8s-role: worker

manifests/site/reference-multi-tenant/target/workers/provision/kubeadmconfigtemplate.yaml

@@ -0,0 +1,31 @@
+apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
+kind: KubeadmConfigTemplate
+metadata:
+  name: worker-1
+spec:
+  template:
+    spec:
+      joinConfiguration:
+        nodeRegistration:
+          name: '{{ ds.meta_data.name }}'
+          kubeletExtraArgs:
+            node-labels: 'metal3.io/uuid={{ ds.meta_data.uuid }},node-type=worker'
+            provider-id: 'metal3://{{ ds.meta_data.uuid }}'
+            feature-gates: "IPv6DualStack=true"
+      files:
+        - path: "/etc/systemd/system/docker.service.d/http-proxy.conf"
+          content: |
+            [Service]
+            Environment="HTTP_PROXY=REPLACEMENT_HTTP_PROXY"
+            Environment="HTTPS_PROXY=REPLACEMENT_HTTPS_PROXY"
+            Environment="NO_PROXY=REPLACEMENT_NO_PROXY"
+      preKubeadmCommands:
+        # Restart docker to apply any proxy settings
+        - export HOME=/root
+        - systemctl daemon-reload
+        - systemctl restart docker
+      users:
+        - name: deployer
+          sshAuthorizedKeys:
+          - REPLACE_HOST_SSH_KEY
+          sudo: ALL=(ALL) NOPASSWD:ALL

manifests/site/reference-multi-tenant/target/workers/provision/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../catalogues
+  - kubeadmconfigtemplate.yaml
+  - metal3machinetemplate.yaml
+  - machinedeployment.yaml
+
+transformers:
+  - ../replacements

manifests/site/reference-multi-tenant/target/workers/provision/machinedeployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: cluster.x-k8s.io/v1alpha3
+kind: MachineDeployment
+metadata:
+  name: worker-1
+  labels:
+    cluster.x-k8s.io/cluster-name: target-cluster
+spec:
+  clusterName: target-cluster
+  ## NEWSITE_CHANGEME: update the below with the total number of worker nodes
+  replicas: 2
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/cluster-name: target-cluster
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/cluster-name: target-cluster
+    spec:
+      clusterName: target-cluster
+      version: v1.18.3
+      bootstrap:
+        configRef:
+          name: worker-1
+          apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
+          kind: KubeadmConfigTemplate
+      infrastructureRef:
+        name: worker-1
+        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+        kind: Metal3MachineTemplate
+---

manifests/site/reference-multi-tenant/target/workers/provision/metal3machinetemplate.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+kind: Metal3MachineTemplate
+metadata:
+  name: worker-1
+spec:
+  template:
+    spec:
+      hostSelector:
+        matchLabels:
+          airshipit.org/k8s-role: worker
+      image:
+        ## NEWSITE_CHANGEME: update the below ips with the first target node pxe ip
+        url: http://172.63.0.11/images/control-plane.qcow2
+        checksum: http://172.63.0.11/images/control-plane.qcow2.md5sum
+
+

manifests/site/reference-multi-tenant/target/workers/replacements/generated-secrets.yaml

@@ -0,0 +1,20 @@
+# These rules inject env vars into the workers.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: workers-generated-secret-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:v2.0.2
+replacements:
+- source:
+    objref:
+      name: generated-secrets
+    fieldref: "{.sshKeys.publicKey}"
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs:
+      - "spec.template.spec.users[name=deployer].sshAuthorizedKeys[0]%REPLACE_HOST_SSH_KEY%"

manifests/site/reference-multi-tenant/target/workers/replacements/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - workers-env-vars.yaml
+  - generated-secrets.yaml

manifests/site/reference-multi-tenant/target/workers/replacements/workers-env-vars.yaml

@@ -0,0 +1,41 @@
+# These rules inject env vars into the workers.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: workers-env-vars-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:v2.0.2
+replacements:
+# Replace the proxy vars
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTP_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs:
+      - "spec.template.spec.files[path=/etc/systemd/system/docker.service.d/http-proxy.conf].content%REPLACEMENT_HTTP_PROXY%"
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTPS_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs:
+      - "spec.template.spec.files[path=/etc/systemd/system/docker.service.d/http-proxy.conf].content%REPLACEMENT_HTTPS_PROXY%"
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.NO_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs:
+      - "spec.template.spec.files[path=/etc/systemd/system/docker.service.d/http-proxy.conf].content%REPLACEMENT_NO_PROXY%"

manifests/site/reference-multi-tenant/target/workload/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+  - ../../../../type/multi-tenant/target/workload
+  - ../catalogues
+transformers:
+  - ../../../../function/ingress/replacements
+  - ../../../../function/sip/replacements
+  - ../../../../function/synclabeller/replacements
+  - ../../../../function/vino/replacements