From cced568bc9ef30c9796953be5115871614951e4f Mon Sep 17 00:00:00 2001 
From: Scotte Zinn Date: Fri, 10 Jan 2025 09:59:24 -0500 Subject: [PATCH] feat(staging): Rebuilding cluster continues * prometheus-crds, coredns, cilium, kubelet-csr-approver, spegel installed --- .envrc | 2 +- .taskfiles/Bootstrap/Taskfile.yaml | 48 +++++- .taskfiles/talos/Taskfile.yaml | 159 +++++++++++------- Taskfile.yaml | 7 +- .../helm-charts/coredns-charts.yaml | 10 ++ .../helm-charts/kustomization.yaml | 1 + .../kube-system/cilium/app/helm-release.yaml | 84 +++++++++ .../kube-system/cilium/app/helm-values.yaml | 76 +++++++++ .../kube-system/cilium/app/kustomization.yaml | 13 ++ .../cilium/app/kustomizeconfig.yaml | 7 + .../cilium/config/kustomization.yaml | 8 + .../kube-system/cilium/config/l2-policy.yaml | 11 ++ .../kube-system/cilium/config/lb-pool.yaml | 8 + .../apps/kube-system/cilium/install.yaml | 36 ++++ .../kube-system/coredns/app/helm-release.yaml | 20 +++ .../kube-system/coredns/app/helm-values.yaml | 58 +++++++ .../coredns/app/kustomization.yaml | 13 ++ .../coredns/app/kustomizeconfig.yaml | 7 + .../apps/kube-system/coredns/install.yaml | 20 +++ .../apps/kube-system/kustomization.yaml | 11 ++ .../staging/apps/kube-system/namespace.yaml | 7 + .../app/helm-release.yaml | 26 +++ .../kubelet-csr-approver/app/helm-values.yaml | 5 + .../app/kustomization.yaml | 13 ++ .../app/kustomizeconfig.yaml | 7 + .../system/kubelet-csr-approver/install.yaml | 21 +++ .../staging/apps/system/kustomization.yaml | 11 ++ kubernetes/staging/apps/system/namespace.yaml | 7 + .../apps/system/spegel/app/helm-release.yaml | 34 ++++ .../apps/system/spegel/app/helm-values.yaml | 8 + .../apps/system/spegel/app/kustomization.yaml | 12 ++ .../system/spegel/app/kustomizeconfig.yaml | 7 + .../staging/apps/system/spegel/install.yaml | 20 +++ kubernetes/staging/bootstrap/bootstrap.env | 3 + kubernetes/staging/bootstrap/helmfile.yaml | 57 +++++++ .../bootstrap/talos/talsecret.sops.yaml | 52 +++--- .../bootstrap/templates/resources.yaml.j2 | 28 +++ 37 files changed, 821 insertions(+), 
96 deletions(-) create mode 100644 kubernetes/repositories/helm-charts/coredns-charts.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/app/helm-release.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/app/helm-values.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/app/kustomization.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/app/kustomizeconfig.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/config/kustomization.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/config/l2-policy.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/config/lb-pool.yaml create mode 100644 kubernetes/staging/apps/kube-system/cilium/install.yaml create mode 100644 kubernetes/staging/apps/kube-system/coredns/app/helm-release.yaml create mode 100644 kubernetes/staging/apps/kube-system/coredns/app/helm-values.yaml create mode 100644 kubernetes/staging/apps/kube-system/coredns/app/kustomization.yaml create mode 100644 kubernetes/staging/apps/kube-system/coredns/app/kustomizeconfig.yaml create mode 100644 kubernetes/staging/apps/kube-system/coredns/install.yaml create mode 100644 kubernetes/staging/apps/kube-system/kustomization.yaml create mode 100644 kubernetes/staging/apps/kube-system/namespace.yaml create mode 100644 kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-release.yaml create mode 100644 kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-values.yaml create mode 100644 kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomization.yaml create mode 100644 kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml create mode 100644 kubernetes/staging/apps/system/kubelet-csr-approver/install.yaml create mode 100644 kubernetes/staging/apps/system/kustomization.yaml create mode 100644 kubernetes/staging/apps/system/namespace.yaml create mode 100644 kubernetes/staging/apps/system/spegel/app/helm-release.yaml 
create mode 100644 kubernetes/staging/apps/system/spegel/app/helm-values.yaml create mode 100644 kubernetes/staging/apps/system/spegel/app/kustomization.yaml create mode 100644 kubernetes/staging/apps/system/spegel/app/kustomizeconfig.yaml create mode 100644 kubernetes/staging/apps/system/spegel/install.yaml create mode 100644 kubernetes/staging/bootstrap/helmfile.yaml create mode 100644 kubernetes/staging/bootstrap/templates/resources.yaml.j2 diff --git a/.envrc b/.envrc index 9da18937ae..6e4b99974c 100644 --- a/.envrc +++ b/.envrc @@ -8,7 +8,7 @@ use_sops() { dotenv $HOME/.local/syscfg/volsync-credentials.txt dotenv $HOME/.local/syscfg/s3-credentials.txt -dotenv $HOME/.local/syscfg/op-connect-credentials.txt +# dotenv $HOME/.local/syscfg/op-connect-credentials.txt dotenv $HOME/.local/syscfg/postgres-main.txt export DBBACKUP=$HOME/Ragnar/k8s/main/backup/dbms diff --git a/.taskfiles/Bootstrap/Taskfile.yaml b/.taskfiles/Bootstrap/Taskfile.yaml index e5c4cdf019..f7ec57744e 100644 --- a/.taskfiles/Bootstrap/Taskfile.yaml +++ b/.taskfiles/Bootstrap/Taskfile.yaml @@ -4,7 +4,7 @@ version: "3" tasks: main: - desc: "Bootstrap main cluster" + desc: Bootstrap main cluster vars: cluster: main cmds: 
@@ -14,25 +14,63 @@ tasks: nodes: k8s-1 k8s-2 k8s-3 k8s-4 k8s-5 k8s-6 staging: - desc: "Bootstrap staging cluster" + desc: Bootstrap staging cluster cmds: - task: :proxmox:reset-staging - task: :talos:bootstrap vars: cluster: staging - nodes: stage-1 stage-2 stage-3 - task: :proxmox:unmount-staging-cdrom + merge: + desc: Merge kubeconfig and talosconfig configurations + requires: + vars: + - cluster + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + cmds: + - cp $HOME/.kube/config /tmp/kubectl-config-backup + - cp $HOME/.talos/config /tmp/talosconfig-config-backup + - cmd: kubectl --kubeconfig $HOME/.kube/config config delete-context {{.cluster}} + ignore_error: true + - cmd: talosctl --talosconfig $HOME/.talos/config config remove -y {{.cluster}} + ignore_error: true + - KUBECONFIG="$HOME/.kube/config:{{.CLUSTER_DIR}}/kubeconfig" kubectl config view --flatten > $HOME/.kube/config-new + - mv $HOME/.kube/config-new $HOME/.kube/config + - talosctl --talosconfig $HOME/.talos/config config merge {{.CLUSTER_DIR}}/talosconfig + config: desc: Rebuild all cluster configuration cmd: bash .taskfiles/Bootstrap/_scripts/build-config.sh deploy: - desc: Deploy a cluster - cmd: bash .taskfiles/Bootstrap/_scripts/deploy-cluster.sh {{.cluster}} + desc: Bootstrap Apps [K8S_CLUSTER={{.K8S_CLUSTER}}] + preconditions: + - which helmfile kubectl + - test -f "${TALOSCONFIG}" + - test -f {{.CLUSTER_DIR}}/bootstrap/helmfile.yaml + - test -f {{.CLUSTER_DIR}}/bootstrap/templates/resources.yaml.j2 + - talosctl --context {{.cluster}} config info requires: vars: - cluster + env: + TALOSCONFIG: "{{.CLUSTER_DIR}}/talosconfig" + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + cmds: + - until kubectl --context {{.cluster}} wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done + - op run --env-file {{.CLUSTER_DIR}}/bootstrap/bootstrap.env --no-masking -- minijinja-cli "{{.CLUSTER_DIR}}/bootstrap/templates/resources.yaml.j2" | kubectl --context {{.cluster}} 
apply --server-side --filename - + - helmfile --kube-context {{.cluster}} --quiet --file {{.CLUSTER_DIR}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff + - until kubectl --context {{.cluster}} wait nodes --for=condition=Ready --all --timeout=10m; do sleep 5; done + + # deploy: + # desc: Deploy a cluster + # cmd: bash .taskfiles/Bootstrap/_scripts/deploy-cluster.sh {{.cluster}} + # requires: + # vars: + # - cluster get-certs: desc: Fetch certificates from cluster diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml index e9908c8310..3b7d84e68f 100644 --- a/.taskfiles/talos/Taskfile.yaml +++ b/.taskfiles/talos/Taskfile.yaml @@ -7,19 +7,31 @@ vars: tasks: gen-secrets: - desc: "Generate cluster secrets" - cmds: - - talhelper gensecret > kubernetes/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml - - sops -e -i kubernetes/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml + desc: Generate cluster secrets + summary: | + Args: + cluster: Cluster to run command against (required) + preconditions: + - which test talhelper + - test -f {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml + - test -f {{.CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml requires: vars: - cluster + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + cmds: + - talhelper gensecret > {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml + - sops -e -i {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml bootstrap: desc: Bootstrap the cluster summary: | Args: cluster: Cluster to run command against (required) + requires: + vars: + - cluster prompt: Bootstrap Talos on the '{{.cluster}}' cluster ... continue? cmds: - task: generate-config 
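Review bot: The new `merge` task in `.taskfiles/Bootstrap/Taskfile.yaml` backs up `$HOME/.kube/config` and `$HOME/.talos/config` to fixed names in `/tmp` (`/tmp/kubectl-config-backup`, `/tmp/talosconfig-config-backup`), so cluster-admin credentials are left in a shared directory under predictable names and never cleaned up. If a file with that name already exists, `cp` writes into it and keeps its owner and mode. Keeping the backups beside the originals, e.g. `cp -p $HOME/.kube/config $HOME/.kube/config.bak` and `cp -p $HOME/.talos/config $HOME/.talos/config.bak`, avoids this. The redirect `> $HOME/.kube/config-new` also creates the merged kubeconfig with the umask default (commonly world-readable), and `mv` carries that mode onto `$HOME/.kube/config`; a `chmod 600 $HOME/.kube/config-new` before the `mv` would keep it private.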
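Review bot: In `gen-secrets`, `talhelper gensecret > {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml` writes the Talos secret bundle in plaintext to a path inside the repository, and only the following `sops -e -i` step encrypts it. A failed or interrupted second step therefore leaves unencrypted secrets under a `.sops.yaml` name that looks safe to commit. Generating into a file outside the work tree (or piping straight into sops) and moving only the encrypted result into place would close that window. The added precondition `test -f {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml` also means the task runs only when a bundle already exists and then overwrites it; a `prompt:` like the one on `bootstrap` would guard against regenerating the secrets of a live cluster by accident.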
@@ -34,106 +46,127 @@ tasks: - task: fetch-kubeconfig vars: cluster: "{{.cluster}}" - - until kubectl --context staging --kubeconfig="{{.KUBERNETES_DIR}}/{{.cluster}}/kubeconfig" wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done + - until kubectl --context {{.cluster}} --kubeconfig="{{.KUBERNETES_DIR}}/{{.cluster}}/kubeconfig" wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done + # - task: bootstrap-core # vars: # cluster: "{{.cluster}}" - # requires: - # vars: - # - cluster - # - nodes generate-config: desc: Generate Talos configurations summary: | Args: cluster: Cluster to run command against (required) - cmds: - - | - talhelper genconfig \ - --secret-file {{.CONFIG_ROOT}}/talsecret.sops.yaml \ - --config-file {{.CONFIG_ROOT}}/talconfig.yaml \ - --out-dir {{.CONFIG_ROOT}}/clusterconfig - - cp {{.CONFIG_ROOT}}/clusterconfig/talosconfig {{.KUBERNETES_DIR}}/{{.cluster}} - vars: - CONFIG_ROOT: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos" + preconditions: + - which test talhelper cp + - test -f {{.CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml + - test -f {{.CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml requires: vars: - cluster + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + TALOS_CONFIG_ROOT: "{{.CLUSTER_DIR}}/bootstrap/talos" + cmds: + - | + talhelper genconfig \ + --secret-file {{.TALOS_CONFIG_ROOT}}/talsecret.sops.yaml \ + --config-file {{.TALOS_CONFIG_ROOT}}/talconfig.yaml \ + --out-dir {{.TALOS_CONFIG_ROOT}}/clusterconfig + - cp {{.TALOS_CONFIG_ROOT}}/clusterconfig/talosconfig {{.CLUSTER_DIR}} apply-config: desc: Apply Talos configurations summary: | Args: cluster: Cluster to run command against (required) - nodes: List of hostnames in the cluster to configure - cmds: - - for: {var: CONFIG_FILES} - cmd: | - talosctl apply-config -i -n {{ trimPrefix (printf "%s-" .cluster) (base .ITEM) | trimSuffix ".yaml" }} \ - --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig \ - --context 
{{.cluster}} \ - -f {{.ITEM}} + preconditions: + - which ls + - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig + requires: + vars: + - cluster vars: - CONFIG_ROOT: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig" + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + TALOS_CONFIG_ROOT: "{{.CLUSTER_DIR}}/bootstrap/talos" + CLUSTER_CONFIG_ROOT: "{{.TALOS_CONFIG_ROOT}}/clusterconfig" CONFIG_FILES: - sh: ls {{.CONFIG_ROOT}}/*.yaml + sh: ls {{.CLUSTER_CONFIG_ROOT}}/*.yaml + TALOSCONFIG: "{{.CLUSTER_DIR}}/talosconfig" + cmds: + - for: {var: CONFIG_FILES} + task: _apply-machineconfig + vars: + cluster: "{{.cluster}}" + FILENAME: "{{.ITEM}}" + HOSTNAME: |- + {{ trimPrefix (printf "%s-" .cluster) (base .ITEM) | trimSuffix ".yaml" }} + + _apply-machineconfig: + internal: true + desc: Apply a single Talos machineConfig to a Talos node + preconditions: + - which talosctl + - test -f "{{.FILENAME}}" requires: vars: - cluster - preconditions: - - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig + - HOSTNAME + - FILENAME + cmds: + - talosctl apply-config + --context "{{.cluster}}" + --nodes "{{.HOSTNAME}}" + --file "{{.FILENAME}}" + --insecure bootstrap-etcd: desc: Bootstrap Etcd summary: | Args: cluster: Cluster to run command against (required) - cmd: until talosctl --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig --context {{.cluster}} --nodes {{.controller}} bootstrap; do sleep 10; done - env: - TALOSCONFIG: "{{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig" - vars: - controller: - sh: talosctl --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig --context {{.cluster}} config info --output json | jq --raw-output '.endpoints[0]' + preconditions: + - test -f {{.TALOSCONFIG}} + - talosctl --context {{.cluster}} config info >/dev/null 2>&1 requires: vars: - cluster - preconditions: - - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig - - talosctl --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig --context {{.cluster}} config info 
>/dev/null 2>&1 + env: + TALOSCONFIG: "{{.CLUSTER_DIR}}/talosconfig" + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + TALOS_CONTROLLER: + sh: talosctl --talosconfig "{{.CLUSTER_DIR}}/talosconfig" --context {{.cluster}} config info --output json | jq --raw-output '.endpoints[0]' + cmds: + - until talosctl --context {{.cluster}} --nodes {{.TALOS_CONTROLLER}} bootstrap; do sleep 10; done fetch-kubeconfig: desc: Fetch kubeconfig from Talos controllers summary: | Args: cluster: Cluster to run command against (required) - cmds: - - | - talosctl kubeconfig \ - --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig \ - --context {{.cluster}} \ - --nodes {{.controller}} \ - --force \ - --force-context-name {{.cluster}} \ - {{.KUBERNETES_DIR}}/{{.cluster}} - # Need to do it twice since the context name force doesn't happen the first time - - | - talosctl kubeconfig \ - --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig \ - --context {{.cluster}} \ - --nodes {{.controller}} \ - --force \ - --force-context-name {{.cluster}} \ - {{.KUBERNETES_DIR}}/{{.cluster}} - vars: - controller: - sh: talosctl --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig --context {{.cluster}} config info --output json | jq --raw-output '.endpoints[0]' + preconditions: + - test -f {{.CLUSTER_DIR}}/talosconfig + - talosctl --context {{.cluster}} config info >/dev/null 2>&1 requires: vars: - cluster - preconditions: - - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig - - talosctl --talosconfig {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig --context {{.cluster}} config info >/dev/null 2>&1 + env: + TALOSCONFIG: "{{.CLUSTER_DIR}}/talosconfig" + vars: + CLUSTER_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}" + KUBECONFIG: "{{.CLUSTER_DIR}}/kubeconfig" + TALOS_CONTROLLER: + sh: talosctl --talosconfig "{{.CLUSTER_DIR}}/talosconfig" --context {{.cluster}} config info --output json | jq --raw-output '.endpoints[0]' + cmds: + - talosctl kubeconfig + --context {{.cluster}} + --nodes 
{{.TALOS_CONTROLLER}} + --force + --force-context-name {{.cluster}} + "{{.KUBECONFIG}}" + - cmd: kubectl config delete-context "admin@{{.cluster}}" + ignore_error: true # bootstrap-core: # desc: Bootstrap core apps needed for Talos diff --git a/Taskfile.yaml b/Taskfile.yaml index e123b3a547..6bfb4bbd44 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -1,13 +1,18 @@ --- version: "3" +set: + - pipefail +shopt: + - globstar + vars: ANSIBLE_DIR: "{{.ROOT_DIR}}/ansible" KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes" env: - KUBECONFIG: "{{.KUBERNETES_DIR}}/main/kubeconfig:{{.KUBERNETES_DIR}}/staging/kubeconfig" MINIJINJA_CONFIG_FILE: "{{.ROOT_DIR}}/.minijinja.toml" + KUBECONFIG: "{{.KUBERNETES_DIR}}/main/kubeconfig:{{.KUBERNETES_DIR}}/staging/kubeconfig" includes: ansible: .taskfiles/Ansible diff --git a/kubernetes/repositories/helm-charts/coredns-charts.yaml b/kubernetes/repositories/helm-charts/coredns-charts.yaml new file mode 100644 index 0000000000..03be46c256 --- /dev/null +++ b/kubernetes/repositories/helm-charts/coredns-charts.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/helmrepository-source-v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: coredns-charts + namespace: flux-system +spec: + interval: 2h + url: https://coredns.github.io/helm diff --git a/kubernetes/repositories/helm-charts/kustomization.yaml b/kubernetes/repositories/helm-charts/kustomization.yaml index 82ccdeb172..b0aaf9d10f 100644 --- a/kubernetes/repositories/helm-charts/kustomization.yaml +++ b/kubernetes/repositories/helm-charts/kustomization.yaml @@ -9,6 +9,7 @@ resources: - bjw-s-charts.yaml - cilium-charts.yaml - cloudnative-pg-charts.yaml + - coredns-charts.yaml - deliveryhero-charts.yaml - descheduler-charts.yaml - dragonfly-charts.yaml 
diff --git a/kubernetes/staging/apps/kube-system/cilium/app/helm-release.yaml b/kubernetes/staging/apps/kube-system/cilium/app/helm-release.yaml new file mode 100644 index 0000000000..e37ccefd0c --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/app/helm-release.yaml @@ -0,0 +1,84 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm +spec: + interval: 15m + chart: + spec: + chart: cilium + version: 1.16.5 + sourceRef: + kind: HelmRepository + name: cilium-charts + namespace: flux-system + interval: 15m + maxHistory: 3 + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 + remediateLastFailure: true + cleanupOnFail: true + + valuesFrom: + - kind: ConfigMap + name: cilium-helm-values + + values: + hubble: + enabled: false + metrics: + enabled: + - dns:query;ignoreAAAA + - drop + - tcp + - flow + - port-distribution + - icmp + - http + relay: + enabled: false + rollOutPods: true + prometheus: + serviceMonitor: + enabled: true + ui: + enabled: false + rollOutPods: true + ingress: + enabled: false + className: nginx + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + hosts: ["hubble.${SECRET_DOMAIN_NAME}"] + operator: + prometheus: + enabled: false + serviceMonitor: + enabled: false + dashboards: + enabled: false + annotations: + grafana_folder: Cilium + prometheus: + enabled: false + serviceMonitor: + enabled: false + trustCRDsExist: true + dashboards: + enabled: false + annotations: + grafana_folder: Cilium 
diff --git a/kubernetes/staging/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/staging/apps/kube-system/cilium/app/helm-values.yaml new file mode 100644 index 0000000000..20b6ea7ec2 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/app/helm-values.yaml @@ -0,0 +1,76 @@ +--- +autoDirectNodeRoutes: true + +bandwidthManager: + enabled: true + bbr: true + +bpf: + masquerade: true + tproxy: true + +cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup + +cluster: + name: staging + id: 1 + +enableRuntimeDeviceDetection: true + +endpointRoutes: + enabled: true + +envoy: + enabled: false + +hubble: + enabled: false + +ipam: + mode: kubernetes + +ipv4NativeRoutingCIDR: 10.211.0.0/16 + +k8sServiceHost: 127.0.0.1 +k8sServicePort: 7445 +kubeProxyReplacement: true +kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + +l2announcements: + enabled: true + +loadBalancer: + algorithm: maglev + mode: dsr + +localRedirectPolicy: true + +operator: + enabled: true + rollOutPods: true + +rollOutCiliumPods: true + +routingMode: native + +securityContext: + privileged: true + capabilities: + ciliumAgent: + [ + CHOWN, + KILL, + NET_ADMIN, + NET_RAW, + IPC_LOCK, + SYS_ADMIN, + SYS_RESOURCE, + DAC_OVERRIDE, + FOWNER, + SETGID, + SETUID + ] + cleanCiliumState: [NET_ADMIN, SYS_ADMIN, SYS_RESOURCE] diff --git a/kubernetes/staging/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/staging/apps/kube-system/cilium/app/kustomization.yaml new file mode 100644 index 0000000000..4cc1b1184f --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/app/kustomization.yaml @@ -0,0 +1,13 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - helm-release.yaml +configMapGenerator: + - name: cilium-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml 
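Review bot: In `cilium/app/helm-values.yaml`, `securityContext.privileged: true` makes the `capabilities.ciliumAgent` and `cleanCiliumState` lists beneath it ineffective as a restriction, because a privileged container already holds every capability and has host device access. If the explicit capability set is what this Talos install needs (it looks like the list from the Talos/Cilium guidance; confirm), dropping `privileged: true` would hold the agent to that set. `kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256` also exposes the health endpoint on every node interface; a comment such as `# healthz intentionally reachable on all node addresses` would record that this is deliberate.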
diff --git a/kubernetes/staging/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/staging/apps/kube-system/cilium/app/kustomizeconfig.yaml new file mode 100644 index 0000000000..58f92ba153 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/staging/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/staging/apps/kube-system/cilium/config/kustomization.yaml new file mode 100644 index 0000000000..3d60c71d1f --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/config/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - l2-policy.yaml + - lb-pool.yaml diff --git a/kubernetes/staging/apps/kube-system/cilium/config/l2-policy.yaml b/kubernetes/staging/apps/kube-system/cilium/config/l2-policy.yaml new file mode 100644 index 0000000000..e5f21c22d1 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/config/l2-policy.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliuml2announcementpolicy_v2alpha1.json +apiVersion: cilium.io/v2alpha1 +kind: CiliumL2AnnouncementPolicy +metadata: + name: l2-policy +spec: + loadBalancerIPs: true + nodeSelector: + matchLabels: + kubernetes.io/os: linux diff --git a/kubernetes/staging/apps/kube-system/cilium/config/lb-pool.yaml b/kubernetes/staging/apps/kube-system/cilium/config/lb-pool.yaml new file mode 100644 index 0000000000..d27c7dd705 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/config/lb-pool.yaml 
@@ -0,0 +1,8 @@ +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumLoadBalancerIPPool +metadata: + name: main-pool +spec: + blocks: + - cidr: ${CONFIG_STAGING_L2_POOL_CIDR} diff --git a/kubernetes/staging/apps/kube-system/cilium/install.yaml b/kubernetes/staging/apps/kube-system/cilium/install.yaml new file mode 100644 index 0000000000..a03fbc01cc --- /dev/null +++ b/kubernetes/staging/apps/kube-system/cilium/install.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kube-system-cilium + namespace: flux-system + labels: + substitution.flux.home.arpa/enabled: "true" +spec: + path: ./kubernetes/staging/apps/kube-system/cilium/app + sourceRef: + kind: GitRepository + name: homelab-kubernetes + prune: true + wait: true + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kube-system-cilium-config + namespace: flux-system + labels: + substitution.flux.home.arpa/enabled: "true" +spec: + path: ./kubernetes/staging/apps/kube-system/cilium/config + sourceRef: + kind: GitRepository + name: homelab-kubernetes + dependsOn: + - name: kube-system-cilium + prune: true + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/staging/apps/kube-system/coredns/app/helm-release.yaml b/kubernetes/staging/apps/kube-system/coredns/app/helm-release.yaml new file mode 100644 index 0000000000..e077194a0b --- /dev/null +++ b/kubernetes/staging/apps/kube-system/coredns/app/helm-release.yaml @@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: coredns +spec: + chart: + spec: + chart: coredns + version: 1.37.0 + sourceRef: + kind: HelmRepository + name: coredns-charts + namespace: flux-system + interval: 30m + + valuesFrom: + - kind: ConfigMap + name: coredns-values 
diff --git a/kubernetes/staging/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/staging/apps/kube-system/coredns/app/helm-values.yaml new file mode 100644 index 0000000000..219dc583eb --- /dev/null +++ b/kubernetes/staging/apps/kube-system/coredns/app/helm-values.yaml @@ -0,0 +1,58 @@ +--- +fullnameOverride: coredns +replicaCount: 2 +k8sAppLabelOverride: kube-dns +serviceAccount: + create: true +service: + name: kube-dns + clusterIP: 10.210.0.2 +servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: log + configBlock: |- + class error + - name: prometheus + parameters: 0.0.0.0:9153 + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + - name: forward + parameters: . /etc/resolv.conf + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists +tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule +topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: coredns diff --git a/kubernetes/staging/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/staging/apps/kube-system/coredns/app/kustomization.yaml new file mode 100644 index 0000000000..1e8c2528cf --- /dev/null +++ b/kubernetes/staging/apps/kube-system/coredns/app/kustomization.yaml 
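Review bot: The `kubernetes` plugin block in `coredns/app/helm-values.yaml` sets `pods insecure`, which makes CoreDNS answer any `a-b-c-d.<namespace>.pod.cluster.local` query with the IP encoded in the name, without checking that such a pod exists. CoreDNS documents this mode as kept for kube-dns compatibility. `pods verified` answers only for pods that exist in the namespace (at the cost of a pod watch), and `pods disabled` drops these records entirely if nothing relies on them. The `prometheus` plugin is also bound to `0.0.0.0:9153`, so the metrics port is reachable by anything with network access to the pod IP unless a network policy restricts it.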
@@ -0,0 +1,13 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helm-release.yaml +configMapGenerator: + - name: coredns-values + files: + - values.yaml=./helm-values.yaml + +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/staging/apps/kube-system/coredns/app/kustomizeconfig.yaml b/kubernetes/staging/apps/kube-system/coredns/app/kustomizeconfig.yaml new file mode 100644 index 0000000000..58f92ba153 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/coredns/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/staging/apps/kube-system/coredns/install.yaml b/kubernetes/staging/apps/kube-system/coredns/install.yaml new file mode 100644 index 0000000000..5e56a29e6f --- /dev/null +++ b/kubernetes/staging/apps/kube-system/coredns/install.yaml @@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &appname coredns + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *appname + path: ./kubernetes/staging/apps/kube-system/coredns/app + sourceRef: + kind: GitRepository + name: homelab-kubernetes + prune: true + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/staging/apps/kube-system/kustomization.yaml b/kubernetes/staging/apps/kube-system/kustomization.yaml new file mode 100644 index 0000000000..e29d82fe11 --- /dev/null +++ b/kubernetes/staging/apps/kube-system/kustomization.yaml 
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # Pre Flux-Kustomizations
+ - namespace.yaml
+ # Flux-Kustomizations
+ - cilium/install.yaml
+ - coredns/install.yaml
+ # - metrics-server/install.yaml
diff --git a/kubernetes/staging/apps/kube-system/namespace.yaml b/kubernetes/staging/apps/kube-system/namespace.yaml
new file mode 100644
index 0000000000..5eeb2c9183
--- /dev/null
+++ b/kubernetes/staging/apps/kube-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-release.yaml b/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-release.yaml
new file mode 100644
index 0000000000..13d694ed1f
--- /dev/null
+++ b/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-release.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: kubelet-csr-approver
+ namespace: system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: kubelet-csr-approver
+ version: 1.2.5
+ sourceRef:
+ kind: HelmRepository
+ name: postfinance
+ namespace: flux-system
+ interval: 30m
+ valuesFrom:
+ - kind: ConfigMap
+ name: kubelet-csr-approver-values
+ values:
+ metrics:
+ enable: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-values.yaml
new file mode 100644
index 0000000000..0ee1997295
--- /dev/null
+++ b/kubernetes/staging/apps/system/kubelet-csr-approver/app/helm-values.yaml
@@ -0,0 +1,5 @@
+---
+providerRegex: |
+ ^stage-\d$
+
+bypassDnsResolution: true
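Review bot: In `kubelet-csr-approver/app/helm-values.yaml`, `bypassDnsResolution: true` turns off the approver's DNS check on the requesting node name, which leaves `providerRegex` as the only constraint in this file on which kubelet serving CSRs are auto-approved. Consider also bounding the IP SANs with the chart's `providerIpPrefixes` value set to the node subnet, for example `providerIpPrefixes: '<node-subnet-cidr>'` (placeholder; check the chart's values for the exact form), and add a comment saying why DNS resolution is bypassed. Separately, `providerRegex: |` keeps a trailing newline in the value; whether that reaches the compiled regex depends on how the chart renders it, so the single-quoted form `providerRegex: '^stage-\d$'` is the safer spelling.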
diff --git a/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomization.yaml
new file mode 100644
index 0000000000..777499cbed
--- /dev/null
+++ b/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - helm-release.yaml
+configMapGenerator:
+ - name: kubelet-csr-approver-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml
new file mode 100644
index 0000000000..58f92ba153
--- /dev/null
+++ b/kubernetes/staging/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/staging/apps/system/kubelet-csr-approver/install.yaml b/kubernetes/staging/apps/system/kubelet-csr-approver/install.yaml
new file mode 100644
index 0000000000..fa5924e09e
--- /dev/null
+++ b/kubernetes/staging/apps/system/kubelet-csr-approver/install.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kube-system-kubelet-csr-approver
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ targetNamespace: system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: kubelet-csr-approver
+ path: ./kubernetes/staging/apps/system/kubelet-csr-approver/app
+ sourceRef:
+ kind: GitRepository
+ name: homelab-kubernetes
+ prune: true
+ wait: false
+ interval: 30m
+ timeout: 5m
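Review bot: `namespace: kube-system` in `kubelet-csr-approver/app/kustomization.yaml` disagrees with the rest of this change: the HelmRelease declares `namespace: system`, the Flux Kustomization sets `targetNamespace: system`, and the bootstrap helmfile installs the release into `system`. Flux's `targetNamespace` presumably wins at reconcile time, but a plain `kustomize build` of this directory would place the HelmRelease and its values ConfigMap in `kube-system`. Dropping the `namespace:` line, as the spegel app kustomization does, removes the ambiguity. The Flux Kustomization names `kube-system-kubelet-csr-approver` here and `kube-system-spegel` in `spegel/install.yaml` carry the same stale prefix.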
diff --git a/kubernetes/staging/apps/system/kustomization.yaml b/kubernetes/staging/apps/system/kustomization.yaml
new file mode 100644
index 0000000000..db895da46a
--- /dev/null
+++ b/kubernetes/staging/apps/system/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - kubelet-csr-approver/install.yaml
+ # - node-feature-discovery/install.yaml
+ # - reloader/install.yaml
+ - spegel/install.yaml
+ # - volsync/install.yaml
diff --git a/kubernetes/staging/apps/system/namespace.yaml b/kubernetes/staging/apps/system/namespace.yaml
new file mode 100644
index 0000000000..dc206087c7
--- /dev/null
+++ b/kubernetes/staging/apps/system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: system
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/staging/apps/system/spegel/app/helm-release.yaml b/kubernetes/staging/apps/system/spegel/app/helm-release.yaml
new file mode 100644
index 0000000000..ddc3f58d06
--- /dev/null
+++ b/kubernetes/staging/apps/system/spegel/app/helm-release.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: spegel
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: spegel
+ version: v0.0.28
+ sourceRef:
+ kind: HelmRepository
+ name: spegel-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: spegel-helm-values
+ values:
+ image:
+ repository: ghcr.io/deedee-ops/spegel
+ tag: 0.0.25
+ digest: ""
+ serviceMonitor:
+ enabled: true
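Review bot: The `image` override in `spegel/app/helm-release.yaml` pulls from `ghcr.io/deedee-ops/spegel` by tag `0.0.25` with `digest: ""`, so the running image comes from a repository other than the chart's own `ghcr.io/spegel-org` and is referenced by a mutable tag, while the chart is `v0.0.28`. spegel is handed the containerd socket and the registry config path on every node (see `helm-values.yaml`), so pin the image with `digest: 'sha256:<digest-of-the-reviewed-image>'` (placeholder) and add a comment saying why this repository and the older tag are used. The bootstrap helmfile installs the same chart with only `helm-values.yaml`, so the first install and the Flux-reconciled release would run different images unless the override moves into that file.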
diff --git a/kubernetes/staging/apps/system/spegel/app/helm-values.yaml b/kubernetes/staging/apps/system/spegel/app/helm-values.yaml
new file mode 100644
index 0000000000..7b137f39cb
--- /dev/null
+++ b/kubernetes/staging/apps/system/spegel/app/helm-values.yaml
@@ -0,0 +1,8 @@
+---
+spegel:
+ appendMirrors: true
+ containerdSock: /run/containerd/containerd.sock
+ containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+service:
+ registry:
+ hostPort: 29999
diff --git a/kubernetes/staging/apps/system/spegel/app/kustomization.yaml b/kubernetes/staging/apps/system/spegel/app/kustomization.yaml
new file mode 100644
index 0000000000..648f91fce1
--- /dev/null
+++ b/kubernetes/staging/apps/system/spegel/app/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
+configMapGenerator:
+ - name: spegel-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/staging/apps/system/spegel/app/kustomizeconfig.yaml b/kubernetes/staging/apps/system/spegel/app/kustomizeconfig.yaml
new file mode 100644
index 0000000000..58f92ba153
--- /dev/null
+++ b/kubernetes/staging/apps/system/spegel/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/staging/apps/system/spegel/install.yaml b/kubernetes/staging/apps/system/spegel/install.yaml
new file mode 100644
index 0000000000..0188bf930e
--- /dev/null
+++ b/kubernetes/staging/apps/system/spegel/install.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kube-system-spegel
+ namespace: flux-system
+spec:
+ targetNamespace: system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: spegel
+ path: ./kubernetes/staging/apps/system/spegel/app
+ sourceRef:
+ kind: GitRepository
+ name: homelab-kubernetes
+ prune: true
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/staging/bootstrap/bootstrap.env b/kubernetes/staging/bootstrap/bootstrap.env
index e69de29bb2..5bb19c9abe 100644
--- a/kubernetes/staging/bootstrap/bootstrap.env
+++ b/kubernetes/staging/bootstrap/bootstrap.env
@@ -0,0 +1,3 @@
+FLUX_SOPS_PRIVATE_KEY=op://Kubernetes/cluster-staging/SOPS_PRIVATE_KEY
+ONEPASSWORD_CREDENTIALS=op://Private/1Password/OP_CREDENTIALS_JSON
+ONEPASSWORD_CONNECT_TOKEN=op://Private/1Password/OP_CONNECT_TOKEN
diff --git a/kubernetes/staging/bootstrap/helmfile.yaml b/kubernetes/staging/bootstrap/helmfile.yaml
new file mode 100644
index 0000000000..b2af06cd0f
--- /dev/null
+++ b/kubernetes/staging/bootstrap/helmfile.yaml
@@ -0,0 +1,57 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+helmDefaults:
+ wait: true
+ waitForJobs: true
+ timeout: 600
+ recreatePods: true
+ force: true
+
+repositories:
+ - name: postfinance
+ url: https://postfinance.github.io/kubelet-csr-approver
+ - name: cilium
+ url: https://helm.cilium.io
+ - name: coredns
+ url: https://coredns.github.io/helm
+
+releases:
+ - name: prometheus-operator-crds
+ namespace: monitoring
+ chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
+ version: 17.0.2
+
+ - name: cilium
+ namespace: kube-system
+ chart: cilium/cilium
+ version: 1.16.5
+ values: ["../apps/kube-system/cilium/app/helm-values.yaml"]
+ needs:
+ - monitoring/prometheus-operator-crds
+
+ - name: coredns
+ namespace: kube-system
+ chart: coredns/coredns
+ version: 1.37.0
+ values:
+ - ../apps/kube-system/coredns/app/helm-values.yaml
+ needs:
+ - kube-system/cilium
+
+ - name: kubelet-csr-approver
+ namespace: system
+ chart: postfinance/kubelet-csr-approver
+ version: 1.2.5
+ values:
+ ["../apps/system/kubelet-csr-approver/app/helm-values.yaml"]
+ needs:
+ - kube-system/cilium
+
+ - name: spegel
+ namespace: system
+ chart: oci://ghcr.io/spegel-org/helm-charts/spegel
+ version: v0.0.28
+ values: ["../apps/system/spegel/app/helm-values.yaml"]
+ needs:
+ - kube-system/coredns
diff --git a/kubernetes/staging/bootstrap/talos/talsecret.sops.yaml b/kubernetes/staging/bootstrap/talos/talsecret.sops.yaml
index 5fdc8ebb3e..a669ee1d66 100644
--- a/kubernetes/staging/bootstrap/talos/talsecret.sops.yaml
+++ b/kubernetes/staging/bootstrap/talos/talsecret.sops.yaml
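Review bot: `force: true` and `recreatePods: true` sit under `helmDefaults` in `bootstrap/helmfile.yaml`, so they apply to every release, including cilium and coredns. On an empty cluster that is harmless, but if this helmfile is run again after Flux has taken over the releases, Helm would likely replace resources and restart the CNI and DNS pods instead of patching them. Consider dropping both defaults, or add a comment such as `# first bootstrap only; do not re-run against a Flux-managed cluster`. The chart versions here duplicate the ones pinned in the HelmReleases (`1.2.5`, `v0.0.28`), so a comment that they must be bumped together would help as well.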
@@ -1,26 +1,26 @@ cluster: - id: 4LhrO-RVbaCFwXYbNiwbtZeMMOUpXqYJFcqGfq_rlGM= - secret: ENC[AES256_GCM,data:6fSI6s1K7pPnwLZtvh1LP4ooqsmshdeMbnHmtVWcOYchmLCX3oduCzXOOOA=,iv:YMwoCq0f4EDbIso7z5LGbVPFhGlZERkdvtx5D22/ysI=,tag:tKQeFQOOo/REMq1TW5UoQg==,type:str] + id: bS1mqRyAW3u7fDixALyOleEF25sC6uVzV8qloKJOZ5o= + secret: ENC[AES256_GCM,data:nvUjVB2hk34tlnzSw9kLyaUsRvtJqs/2Uu+F77cX7k8c2aNf6SwyFeoKc2s=,iv:2j9bJWk9B8/gAcVfqDIQhvkjLEAdZsCth6qSHFdKXSs=,tag:n/MgrFmcchUO/YsV/E0xFw==,type:str] secrets: - bootstraptoken: ENC[AES256_GCM,data:l0EhgwYgg7r97xYmjVTjgfyUYveQrxY=,iv:taML3eNWkwg8KecuF6LsZakrQoC3KCBvGoGACC0fRow=,tag:Hoj0irFoi2358BlcyGOhLQ==,type:str] - secretboxencryptionsecret: ENC[AES256_GCM,data:kox3fvgz/65E12f13D4CjQRNEuFH80p806uS/Eb9hNDQD46cb1PsTVj1jPs=,iv:pBPU2kLcJAT2b6WMb3Cjs9dX/dOCo8/g0TSpyEPLXEQ=,tag:J686BMDD5Fs4QDrCsqOwxA==,type:str] + bootstraptoken: ENC[AES256_GCM,data:FY4k5Y7XzK6/lYjA27EKbpjKjBm46/8=,iv:oHu+i7Dd+S5nysiW3qbaHmOKZQOU1YWTWj1TvI/uFpM=,tag:XZ7Zip47ly8JPLP/EaJxtw==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:Kme6myupjwp+bIl5E5XRvY/0HJdpQtvf5CSe6R+3/8B64SOe7mPQtOk79WY=,iv:VhStS7ZZwQ2MsmqV0ZlIU4af+RGX28MQfYqEuXcRoTE=,tag:D0d5HdvpPWLNJEchaczv6A==,type:str] trustdinfo: - token: ENC[AES256_GCM,data:kbNHVQjlGAyC1wJNdXxsKiB0TxafmJA=,iv:1Rtzmb1fPTFxc0iVTht08nheaS4xfiv7UN5wM+SRDvo=,tag:ZRsRS74NUS0g2nXWBehqPg==,type:str] + token: ENC[AES256_GCM,data:dvZAIyaFV5emdMqtIppyWTXvbsoJ9Ko=,iv:K6ude+MFgSI2hCz91z/PqPlNLiOe8Y9KYUlpdtJY+ws=,tag:QsUzqMEnEluYliVkYqtI3Q==,type:str] certs: etcd: - crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmekNDQVNTZ0F3SUJBZ0lSQU5UbzlLRVJLeUlnZkFOTEFVSkF3d0V3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBeE1UQXdNVE0xTlRKYUZ3MHpOVEF4TURnd01UTTFOVEphTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSKzErV0MxdU9OCmxVTVJrdG83bTdjRWw2UTk5ZGZQNi9qaXRveUI4bnh3MXl0WDY1MVFBR2pNcXcwL2RNS044OUZ2bklJdkp0MkEKRkswSm12YnV5QVJFbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk85dnAwaU5uWm9UClgvak1oR0h2TmpZditJU1ZNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUUM2aDlhemJuZjgxSXA3eUxCSU1EeTUKdTdiUWtDS2lsR3M2WTQ2MjIwdFBZZ0loQU8vK3pHWU9QWGdueEk3ZWU5YnVZQll2b0lWb3RJTzIraHpNY1VLNQpyNlB0Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - key: ENC[AES256_GCM,data:ADeY+LSm0l3wlq5SluNzlxbwSawgzZJVzMJx793quAgvnvu/qx2mwsD/kLsoGv9QdJvqwfqAs13Wsb4kU+YmTm6NRz0rV+B4ao96pyJVejnTsZoSYEPzZPGy9kGrqaVrOKHgVn0DCTuVgQRdWr24sNfXv7a1dk109xkyKeHh0vx09mOaOlDt6YPKM+d656mt++wd8SMoz+77uW7CXde+KBIkStQ/68Hcvqlpz86xrpGOguVuQzknZfBOInm4Z6REo+9RX58TDWmdndUrrUhXxiL9tLIVdBhhZb5DNCRGSaVQ/EKOW1cB2nCbkxmov15XZOhIqtTjgDf9nSBLqvkogvXW0Z/Iww4LQlooWCYOq36cXR1r2xOgLJSJj27DgKHkhhBVcZRK+oE2i18N42EERA==,iv:EdVZGqta45hd4DifDBOerFdg7Y50YF9hwyXtCSXJ8FM=,tag:rW0opaAHhdnqGPSthh4zAg==,type:str] + crt: 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 + key: ENC[AES256_GCM,data:M+pd3Ah23Adaxz0GHH8qzEfRmKR38fYzLekgTYVW64RRwoGb5RvUj2i0gqOde2HC7JNh/P8hAqzd6Clat3aFLOdZYSmeozIy36s5w9iwUh2YMK7J1ArwjxDGf+mp5UObyAM2UqinJRDSYI/gaQo6//VpVGd5Y0IfM+HgEqAMY7by9cgGZHabzi7hUw2q91Q23oh3EAeSWj4HEySaGA3vFhKIDQE5qQ5hiyMI8xkLjmnHnqJ+h5RiS9qfvH55mgbvHwNUF0iYs+/qs5qjfe/fNYgjih+JwpeHGuk1xqjV2loCVbL6U/V8eomZhsUOokud1qjnXFem0nORl9XQwUtqQpYS1fJW2EJBCVx5xr4T4uVBmKLyhEkkaZQUtTu0OXlnPn42xFjfdWEuGhbMn4e1Mg==,iv:hdhdwlRJZPRT9730wj2KSwY6KxqlvWtvP0svIKfKVy8=,tag:2tMF84SRQxmURn2lpptr6Q==,type:str] k8s: - crt: 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 - key: 
ENC[AES256_GCM,data:O6o+8clO1j7hssmWmcjyVAojTaHUqP4HyOK+fUCagM825AcP6pp2RPGwzdo/qJDLQmvXV3ojGad+ApOTFr37WxWO7TfNme8g3u+Br9T9wDEimtza8EXbo0jTNWdc38ybsjyRUCODsSJS+a0PhKuNlzHnp6bPb28/wscEi1MSARXb3VwA4TvtpIvicDsM9hUL7QSIyNdkY8V4V4fibtcJgZ0yHfDD+vVDrWudQqpY8a+rZ73s22D1OVUAap0pjaJlrWJpDTLSdJsmbeYV780XjdV8X2V/l++9fMFOUmAnBi46eHD+6Fw+l1JWZsPzve59ursVJyofFhaW58F35UdOSOv+NIe+NP2xjJZdc9fjDFXPpEEfxuIWGzd0687SYTam6pIpEtn2PH2ZmlaI2v6yQw==,iv:wrcCgqtTOzJYP+KMLUXhLcrh8+4SNb4ECRW4NMZX1bo=,tag:hzDZAVvOjdZY+0TJxiWzZw==,type:str] + crt: 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 + key: ENC[AES256_GCM,data:CgMTgtpwfvXgLEyOc7EruKy3IwBC8ook6cT3F0Xy/n3nYWBuB1HFzCAMD4r8w5HOfIUdpuD5SBTUCl28B2R1xKK4kdC5BGb3rKPCQHsQMaTDzkZ5ve7COP7sR78ZUmUr/egkW6x5No/FoX51vvK52Wc7SY2h2V2KYHUk/Hf+drbZDigexGJhJMldcOowPilYKGhHeHWo1zhBM7lVUc+vhhHdyY9otCrKDfi1fthTTzVuGpR3PuWtvsFhvOpP4Jznlk+fRIn5otSeTHiou7/DifyQfwkFfyPy7JekKC3XbWT8cJ7egqRzhygVGF9FlY/f2OEbfSYgutyfgd71lIkI0DKD5dZSx2Up2dmoLvCmbeSb78SdJT5VMCU2AZl/aJ4XAUdv/HhHkyHvm5MOiX0wHw==,iv:14oWRzzO2o8dxOU1iBzBLYXkW9SrLBwZOak29DAtUhE=,tag:uyuH5iuqKOkp98/+IN6cwQ==,type:str] k8saggregator: - crt: 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 - key: ENC[AES256_GCM,data:R0Im+tQaxtlbxTJGa+m5jRcaxzDheTIITuqMbFFjDg0Xqse8wGMfqQ1C7552kXTRpeFbny+0b9EUzsRu53amIOEcdNlUZeXLBa0xlonF2gzznhWFuV2si0zBAV/fkQ9oqPQAulk4iuOTxrHd7e5SIMqSz2T+dNb/6TVObUJTo/0VNjJqzM3nWw5JW0yWcU/HpzqE46F2imeNy5vmQuV6ee68OH+OJPLnjf5dn638mWc+XPzc6e5DdlIxUW0MSjuRG5gOpI21nrz2arSFAc9h+rVInScE0SjVsbfO/Klt+12lVlKQ5ahmJKYmCYAzXLXYx0atBLJcmNYluW5BIneuCcxWQypZa1Ei8sRRctW+dzFhTju9M2tyF9Opvmic93gn+sHENneVkClI/hd9RsaD9A==,iv:AHuevy+gcVFgqms1ItX9Y9R2zK+wg4iyVmEGVK4h7cM=,tag:y0VNjsUuvVsCG5kprW8mRg==,type:str] + crt: 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 + key: 
ENC[AES256_GCM,data:nzkZ+SNxVgvUr9iSM+O4nsnO90DTXKciVKyDzTY2Zh1fsbM6xKYqrxWM8oZcN1jYylDsBPylFBW3UsBiH9feMh5I8N0HrbUpPOoPGPL7yezZcPBzxOQpkG6ZecpXucvtJE0XBzd1/ZBBZv9ZMLMV0q18qyDX9Eu2t3wwhLP7lQLaQNP+hJsdajbTVEub+pqxiMR9lf0OXChZa72F/tBbEIhBYRZwKKQDhU0dt4ABSZYLcj6OlxuNbVzYicnNWIjxSch5Z8rTpvWJNhIT2n3pyS18auduPMGZJSHxcI6Vb5qckiUS721cx0RUdRuY8NEVJLCFWa+ZH86n+UnH5RrK5Q7d2AtEbOpWg7o7kMj4mFPIaR7fRnZgE9mtRm9CnkVy2xWDCGZOssVJbfsARYNq/Q==,iv:NHroO5Czcnxp+1yOODxZAk49XWIlhFqkXF2PCGHcLlk=,tag:aIpa+ckIsg3nzB3XsAPpMw==,type:str] k8sserviceaccount: - key: ENC[AES256_GCM,data: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,iv:Lk9dxwImksXDC7LKbu6+uSt8h/Ka8Sa+2rypHz+6nRY=,tag:AJCP2Yh6n6tKq4WqJwIk+A==,type:str] + key: ENC[AES256_GCM,data:FB7DP3e0IGPrbY8cTIEzgmLqTufRmnNlvQ2b0G4php9w34OFxbv4xcQOTp415oyD+pIG+T6FLzZpNLMOQypWg7r7ktC2tJB55mn7OfhHjfjgiCOYI/ACXqBWp8bbrSHyAnvGSHbMR6cS5yQIJBOt75xvk0L82OeFPUn2IBNCnL264uIkUBU+y4bff7JogovZg6eiXTuwLIwE3OXdwiwPCqf8GV6Hl1W7inyV3Lyj4YXEo8dJFG1MIONQYBQQtbikKJOvMWc3bloBfc5Q7kLqwkYo3UPrnysZD1B48KlBJ5A7ZU4MOH1EPrtQSWeoCfroOQJ1PXUE5jZZ1jLzBgK0eHiRjWuaSCYMDcOxQS4a97wAEvvnsX1ab7WOz+7YC2FVuQqDkbUGQg5jWEWZUR9H7mm9fIM/zgJZqyO1pJf1DfgAfg8/HA+PhR9Qoaea3pmLCGA1Plsup4f3B3LksoWtBs0rvLsII8wThwSovVTmvbZx6PowwoihBCtu+EtEy8uZACtaMiM5ka8cw6mxAb40vZPlnxR6u1FBcY8gMKeduvXBOMHTDvBXxnuramRoqGeAc9c7wEwKVgTQfuna52aGmzeHjiAkKeKcVLa1+QQ2prcHcVcVhqT/IyHJirplEWqARGccuX5yiA7duec1VTa/3EyakE+j76NW2JJfjS/u+KJn3yRrMxsnn5ng2EbPLGffrSoJSH/aKu1cFS+AQJ7MGOf47dRWpJMeuLsThH8nwb+/JwZMba/jYRaQAPLse8ybhiYbq6uokcUlr+KfnJNvuEhY+WGALLUqipb8EMcgWXWRDcT3pejwSJ/H4Uf2xWWAmIGMtTKeKlbJlmO06Z+iMChD+gLNChYl8iiz0ZW29D11hD0MTOLe1NSkR2pgplV5fnJ80y/VIVP1ahMO71pzZEkcksVbfBpUBLz5upsXqpp8cpdfSu5y80JxzL9dQV0Myc5I1gxasfKsfEdug+NXw+3nvhdtToegi05hPhiiYL9aiTHrzpOI1FiEqfcphLqxFyk2Mlzso21Hg6HNeNWzZ8rnltofYAdJ1BhcETVMQOchcwErjd2UONALTpaY4SkXVbYT7AVsPDbDbexYVogKljqDsp7US00Y1uIeBHpa2rqEhU90izNaH105j6xfMhbTAwka0IUnzgbJCRi9Cr1cEzieogXNdgGjBSO+SWbub4vIxv6iAZGQofpssOXToVDd18rDGi6v80TeifV90e91xPWS90S8VbkaF1/b3cbEpPMKy7X8P5XDv/
BuAhz57KZpKymvcKw68w5spHLIczgsJA46DcOAJm9XuQKvQGHSQGzugcWdO6bcaJUnhwiY4yhWUp9BHVZV8rIj+gnDz4sQlZgmXq7aKCbXpmSq7AIYY4RQ5ZTsnmT2WAn/j6ndmotFYtmNWvMV7QFwmrKfvEpwqr4c4ZY87wx+TCZBsk13153EzJAsssg5drb8iX3p5J4s3WGos3LOJxVh8bEAISjrONNwH772MM9+1L2hSp2bUn0FSpTkD4wGOrCiGSLv2hSfadGNM4YhG7Xo9ou6YfLZd+Bk7Gie6DNdPr3Lbv0cZXg+BliznyPCsbsH3JEVx13R32YNezmHfnHkpk4+63n0F2fQBps6CHkI8kpS+KstJGV0NfBM25xANk9MEU/lXYnTkKR7trCwrBMSZeM7ewCYnrLFZh7SyVPKutjb3jBwsru/H7JrBr8zbEiE/bnB48gOIaNG+OlfynFcMipy+Mrn5sLQRZnVETOzrWbdCUF4w93f9kH3Y7OOJOBNg7ls9FLK1RIfBd4ZgtKYE1UMdXN3vRXY1EoCnurrSW21w3QYqrAny+mlUu+KMKoHXdi+2l4tNYnXiR0MUMBh/nVsMllEUWrBM/PMZscaYrJZNaXDgFFpZo76cfHQ3NElyoPkGdygKIpVvqkt6VJo8qnsuxigNcid4bV07OP9//cjE1rls/fuSyD2AKGWrskXyUfldXHYNrhodCEoAzE7eW4ONzMSy4gIzsolr5z2K7m+ui4tTDRusO5jpF4YYtZm35Sza/tVtoL+hGOw0ihked8a6LQYb3ZDSmhZrBahCDMKReFUzAsJNdpjnJfReJ3LFZ31Wkx/Z0sZsMycjLARfgmljiqc2mkIC5jGbVZLCNd2hl3Qfzm+lcIO0uBn4VmAgvvIkdXb6wXPyNU8C5esJ6LHstafMxDJxSospmgUHp8SBiZevnXedNs9pWw7A6k0Xo1FnIEDllypmQhBxvYEhEEnr5OBr0oLkwIYCEZL3vyFgT+obcvOFGyYTIAGxAql508UdZOOGWvcqrHsC8u85BpnfvkIkn8v2CuF90IufaUOcQjhLI/YYgYbu61w5GDdnHwpStA49DYZthTfrU/c+ykkg9RB68jwRnJfQoP+1GMvAzTZL2wSp5OWDh3Zm7UMaZAmUj8P4HFlo5VfIfesCNQfkW6OAN5T/nvMDGPE5eFDvUpy3K6ju6U4uLS9iCnbI+KGfkwWtlfs+R8Ou0zxmIHQ4ERM8KcV2D3WlBJrc+DU8a2JIKhddmgz7kwFwIyawr3DbHVj58aGQGZ1V/8BRA18zaB65um5hTxpZZN3FTK39eO4QAYCe0pZBL9winK4jwvo31w/kvGltCvv4Z+38dL8HLsBP9L6E+St1+Cts858Yf4nxyjiQmwslf7YDiNFoHx9r/q2hc7m650msIzmZrwesLlh/qvEKc3SxEKY6G41joLZX1G/jLBVClKXUwrVzOIrBwutFLS0x0PiU/+uGC8wgMDzoIMipiVeZT5CsY2pjP/3X5Fh/1CllozAHFq5Os3t0+E79jxIIQWcvRSS48CcpzxQBvy3fu3C2wDJjdHX/uVXuifnFuDHtrH8JrQBNlHycWXgr7yjm9zq9Dh6SzrImkhMpUwONzu7V0f1Bzq3eslBYM5EemE0MXDB9gJDbCHDKQzHqCae5ec5r/zlDAeQs0vQ+bNIpQYKVl2+prq4wb2ug5gxvSypK88Ea+ZvY/yY2xwzlWIrQBqaBl6NLjAwZHAl9b4onmC0mqcXwOEoiaqjaJhfopRhAVCynVG00kVnTSxp20QIPgh3A7TKuQH86Lit+ZDoPhp75wWljBnRjcikKHWlw8veseLvVdfK/tBibzCVBUqkiHggVpfS21ecgX39IifkCE3blWlnTPa8NARs2ySz2lw/5RQdRVhmsUKShuSKYAreZJRMZNgOIjGz603CTHlGctaw5xbele05PjZZvPqWyvVfVTVMwlykckXwcr7c2toO2C
vwtA5Dlx21UzZCArUxdxcdXjcl4Tx4a90OW2oRPFZKYh2bBPXxk9SHCtsKSJm4pwOnNwjSCIBE8qNiDcSvu7A632LRV+vyqMB1tFQTciFNiZZn6XUgtVbyYbo1g6pwldTy4noo24S3ywNxDKlwWz2rWY4XLNx99BSDiwzsF+hKlKI4d+gH3itbQsL7ecivYC4YzrFz8rKw0YFijizfKEJcw9uIsOvHGnmn+ynysV9WpdUn2FWy41eFXRhZO0dD0IKV4kJVilSD9M5wRsOLH8lR3juQ6bvC4cpxfGTIV3n582D+HjrGULUTBV6QA2/iZkzXyCdvA0iu3n/WvWu809PODEjewVR+oZrhze3Eo/L3UtyOZDN7ya0sNwp2MaCnfwK1OyziDQq9CvekC36QLRweM13pVJMxW4m+MrTdfAAa8kA9pW/vt6P3aQb5zilyror0e4gWy0RMFI6WG7+ZARdFSfFyNam4qdK9Kx2YIPea1hwA10FjJPYj0kkP/NEVd6nEJ+4SH7yKqSE4hlZdNa8CvRaV/HKM54dokJV/tR4EpmZm5eh9BqiiP+WXsHvtoPzjujWWF6nIAD7jtLSUW5wucr8dNlBelEQlBL6tGxxFBV3HqPLUeIOOXuRUMJ+NAhOXLrYHz5FGzBpJVE0ApI7FHONTYbO+tnl2Wv4w0mj6TMwPXsplwfcVEm4C94YUC5az6VnEg2GEZyvfWD/SpDXRKCzhHkCPMvgYn06KGkFNAY1VOe9V49XnPvsadD5GZ3NMEKBhljVXTBZ9djw5LzvsBRnmNEuScbqVBt94jt06Fv2Zn1G/cuQ6BENxBSVX1djayNUTKDR7AHlDswgZvmrsUcdGfkteYlsFUmBnxqYZYQDETf00WEvRPx7i8RwwXAL1K3etR5wzPnEAKXxVPilFxbGGWvYBRIbkUR9rro2U7zSTRG98OIbb1t/va/LlIiJ0EX2AIfTtMbK89ldW9Z1w3fejjZ4zxyE9Pix5RpZlndvU0n18mZ3HRd22lPxPgAcamgpYp7ECGyKSdE8S6zB0+h2iLKQpdoySFRp4vphmoSg+Wssd58UfLJs89fMfzzBaXSUaCSyNz/K7vQZOSfB3vJBS203IDYCybr+tN58w35pmbWwkdU6h4N+YhPqttLlfDQAKwPETrHYMkXHLlZ+fGKJiqM4abuGsxd8zN5bnj7MtRhha1LyD45C/9iwQvlRIfEYQV2fKF5tXyUhxHdJR+q7bwhoKRFDCzoXVCHuHJsPAUvmI5ThawBnxOzs0Rj9owEdl5UaSmG8Gfo526kFpps5hT9d/ulDRcyz8BJLbUis1gRIJCOtQ/aQtnSr+tNQUw8OA8RMF2mIqtwHzXAaCkwNFRHhcCHZZEI680Hre2ws08jM4N1y1DIZgUFxGgRddIN7hb5AaKIdEPiJurDHHt35uUM8yh+ndU/q9UM4K56ZX1CTZV7Udki2HAAid/ewy8Hy67RPwEVBgSH3HD3u7gAVX8kj4GxhBGbJ9JjblpncXN09xQQmYhHhw4xijTvWd0nFof5p3JbJ94eF4RMNeWYLXFpx/XjJ6cH1AdbLkRgYfZj8C7uClgI9aUDrSOFirQiOMIPEnrkoykv5XKNqMXkJ/6f4n0XJWiojJfymLOGDJOR/w2Tvm9iAUaDP5G2+3/JJF/Fc2B/FZPdm0Mf+piVqMIlfjSS0Dv9j0B0y2tNHS/WNhh3iS7xxOwZ7Y0+eYHdWfVNwiWGS3bQctEiRRtjQubMRsWcpJJwEJDCEQ4lPZ05viSR19ZFaG1JGYgaj0ay0miHylV1ZS7uSNK0V+K9qDS3Gi18jqqREKHUfWkuwMmlydi9zb8r8BQQLj9h54o1e99mQ8dh8gr59IKAhgTxrAsFEofJRRuh1qnEgeglt03GQj5FrGfZkXWs1kJTgCpv+AzIOyCIMHwn2hVlDrG+Kxyw5LMk/Bl46GzaT3n1oL0SmQ0TvjgDLdRWa8BeoCukGHxRwYxrz8sM
3D8g/q88QxMIF+s3tTUhGJ9somBtI9NJepHeuoXP0b3dPBd5NKIjx34fKc21+0dt2rSzEmv/blKCJshIEq+1o4+TA5BvyEOY21EIAstoivwctw+8uYxxC1xJfPjfWA/yJRgMf16QfmIi3fXBSprCXBoj7YcAE3iwILylRBvdTcf3DzUSDdQYAcE/o+RYRoX7NnhqlPMevGZEXpfUZTKoEuTI1nyNDwPsA96nWxW+gdUnkZPTE6jWMb0VEqe0mK/RtqlKV7Fvl73d9jBcncQuHIOv4vfkesZHKZeaUUctlfB2xkXXDqdrZGA/rN8BEZOKKjyJjEdhzFVGKIL4hcn1NPa8SECeUlhfpl1Q//gSTMRpV5rVm7CfTw6DpsVtpJSc9gf/H5xSZKRP0CnrGZSPOwN4tg2tazEF6Yb/Qyg+uZYa+HyWUaKqxcHP3Qy07D1GPKBiNSeIxuwYnuW1JfCRGhqJc0EyQy6fNZ+Jg/6CgHcfd1nA==,iv:yv4cLw5a0IxSHi/JdEbkfZaryN2LMZVrR1u8DQL0dBc=,tag:MNgaqBW9tYl73vX4MpUxsw==,type:str] os: - crt: 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 - key: ENC[AES256_GCM,data:kRmh1K8tbfKabnIgzF83ZQyzcBT7tzZEmF3ciiwEWUJGJteXO7w2de5H/m4EJSLFogUBLGcTnx8Ij+9Qn5WcFrEnv+aNiahVRPbgiBrtMfs8/elAmROtb4Arc52Z9nlTzt8mEGbkmTmVtHGGMOfyvfyvH/470wSeCUQA6hnDZIufc+16EJgr3d0oE6Lsilv/U0UqwQhQwOGucEdWExQprHLFHW6FoO4KrBk/C5MwPPuKUe7U,iv:WvP/jimDR5Z/mu+r4qkX23Lm05PyHBN0fXX35xnZvvw=,tag:LygPhIGeeXyWtupyqgNqgA==,type:str] + crt: 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 + key: ENC[AES256_GCM,data:kEg/9D2108FmClbfmdDjreMl58yy2gpycdpuewOZx2F8kgZzFruxafagr08ECQOtTB0KN6+QO9ae5z8D+OVNUokdpri6RoZN+TJkEReJomT0I4lLZtqGjIodAz5FXGuOnRrij/2FAeTtTVbci1vvEIMrHomhtjVNX9PN0bHUNzuzUkwp1glKGDswXG8MyCS+oi32ANAkKieBrVAcEtlxNDv4aAZqPCsA0CNJdwJp99OaBS8R,iv:3PX8chKQtTGCLtigcLHaCPhFSSHCtBQkzrb/V2dpdpo=,tag:ivzRBoGYWR9nxIyEHALcEw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -30,23 +30,23 @@ sops: - recipient: age1p28u8xjm5sf7jdavc8xsqtw7lxgscefxs7a5dtqszr2885xeputsh9y64y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSCtxWTBUUGR0MnBqNEk4 - NFhFOUxyTi9oT2V2S2s5TXlSVGRnOUtWZzAwCmJrc1pjdVRraUxheldnRVM1ZFlU - bUcwaTJ3ZFlmaklwTStCQWdVQ3NCVWcKLS0tIDcwb2IvZ1R3b0tJYUpZempDSXlF - WXRmRHZReGduTUY2QytKZE9pYkdHZUkKoTrw/jccoPn5x6O7+SYmHQswrHnDKaOU - K4H/WIGDIkPlzLrS8Vg2w3Xmu2sVfwTtDP+I7wL0bRbd63DgKwe2iw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYkNIczB5bjV4T2cvQlla + ZmZEeDh0NXdPbkpGY3ZHWGNFYWU4TUlnc0dVCkxCWDZlUEpUellneXVNY2tpQWp4 + THpnaElZeW1QWjVEMUVlY3d2d2NlMnMKLS0tIHI2czd4L1p5UXVNaG8yaXdvdlBE + MVdpNVpnSElkT0FTdjhUaXAvNTI0RzQK9H5iA8TxnBKFB6V91YeQ99Upi44wW3/G + aFMvhjpzxkJmzMte1FI/U18kVcXPl2iR8zY6C610DT+T0e5JoSHWFQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cyqpra4hj22emvvsjyygd3mstyrf8vy0hktmvmv85kxgggqxzfns4pkdhy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJK21KR0M2bDRtZlBDc1dJ - UU9rbDZmRkZyL0xLWENLVWFFcFR0Z3gwZENBClpEMVpOZ1U5RkxWb1RtU3QyODlV - ZndjQXFNQ3k4MkVJbThNaEF3WDYxN3cKLS0tIGtETnhzL1VlTkFIalJ0Y0RXcXRK - Qmg2OHBlUU5sL2E0MGphaWNlamoxclkKQ8GJALBGS/Ts5eg2J+oShVJwy5k2Wkx0 - 7DolTUMk3Ba2eZk6PyfYCgi+ml6TLnJP5DK4eqLx4NzY31Av7tzo3w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibUN5TWNTNEZ4L29lQXBV + MHdFQmQzUFhuVXhRSE1sZlJTKzE5REhTWGhNClRSOWY4Q0VZbWwxRzVWWUN4VVk4 + cVZsdDkxZkhJTEt3SER6ME1wSWFLN3MKLS0tIDBkYWVFUGR2VGh2cGV6QWlsK3RG + UlEwbU43WjVXbFZ0Z3RJbWZMbGdObVkKX+CimLdsMH45pCiyNVUJVrLiNQZO9Lhw + yEew1PehSTFuW2nkuj/dsLZft9iPOCRS8vzS/ZFUnthOsh5oYWX+Zg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-10T01:35:54Z" - mac: ENC[AES256_GCM,data:PV3WaldrWeRUuRnvUwSm6MNP/6HdtSC+gr1BCuJ0IeMHkcU7tiZzoAZjlEVh7Tdrr0iticipySsIyG0dDh15KyW0SFXUXHjgBpHhvIrndVym4sN/CiV5+rp5N7hF4EwlRxNZcc6VozCaPNaL9U1378QVQIGNhHLjaJjDspnleLs=,iv:scEqHqt5PDTIWvj7Gfk5treHWbAR+hLXqP/r0cIgxEs=,tag:MR3BV0Ez51e29HcSRt3iNA==,type:str] + lastmodified: 
"2025-01-10T10:06:07Z" + mac: ENC[AES256_GCM,data:dxKtA96im0A1GVBU4vyahJcNEJqcoAjAqMEiDuc6W8IVoRCLeVrXk2MEZrn5KMN99bnKeuFBwCsU1xZVeXhaqbIBIkolt0jnUa7E7oZKpOWh4LnzCzLu6rgQ9fm08DK3bX19MMjpEr716GsZpqaP5iA6gtwTe6Q3ZTeAu4JCm2k=,iv:aafqXxBEK36HOVJeMxvgb/w+mYVEj0SSydyJ+0yJlN0=,tag:hyLiiTWZIcJ50XtCWgM23A==,type:str] pgp: [] encrypted_regex: ((?i)(displayname|email|pass|secret($|[^N])|key|token|^data$|^stringData)) version: 3.9.3 diff --git a/kubernetes/staging/bootstrap/templates/resources.yaml.j2 b/kubernetes/staging/bootstrap/templates/resources.yaml.j2 new file mode 100644 index 0000000000..bcfc7df122 --- /dev/null +++ b/kubernetes/staging/bootstrap/templates/resources.yaml.j2 @@ -0,0 +1,28 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: flux-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: sops-age + namespace: flux-system +stringData: + age.agekey: {{ ENV.FLUX_SOPS_PRIVATE_KEY | indent(4) }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: external-secrets +--- +apiVersion: v1 +kind: Secret +metadata: + name: onepassword-connect-secret + namespace: external-secrets +stringData: + 1password-credentials.json: |- + {{ ENV.ONEPASSWORD_CREDENTIALS | indent(4) }} + token: {{ ENV.ONEPASSWORD_CONNECT_TOKEN }}
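Review bot: In `bootstrap/templates/resources.yaml.j2`, `age.agekey: {{ ENV.FLUX_SOPS_PRIVATE_KEY | indent(4) }}` and `token: {{ ENV.ONEPASSWORD_CONNECT_TOKEN }}` are rendered as unquoted plain scalars. The `indent(4)` filter suggests a multi-line key file is expected, and in a plain scalar the continuation lines would be folded together and any `#` comment lines dropped, while a value starting with a YAML indicator would fail to parse. Use a block scalar for the key, as the template already does for `1password-credentials.json` (`age.agekey: |-` with the expression on the next, indented line), and quote the token: `token: "{{ ENV.ONEPASSWORD_CONNECT_TOKEN }}"`. The rendered document holds the SOPS private key in clear text, so whatever renders it (not visible in this hunk) should pipe the output straight to the API server rather than write it to disk.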