Initial site reference manifests for intel-pod17 40/68240/20
authorKaspars Skels <kaspars.skels@att.com>
Mon, 15 Jul 2019 20:27:12 +0000 (15:27 -0500)
committerKaspars Skels <kaspars.skels@att.com>
Tue, 13 Aug 2019 15:48:32 +0000 (10:48 -0500)
This includes cntt type definition as well as site manifests.

Change-Id: I4829c80199795af0c841419b8fd19557295fe244
Signed-off-by: Kaspars Skels <kaspars.skels@att.com>
136 files changed:
site/intel-pod17/baremetal/nodes.yaml [new file with mode: 0644]
site/intel-pod17/networks/common-addresses.yaml [new file with mode: 0644]
site/intel-pod17/networks/physical/networks.yaml [new file with mode: 0644]
site/intel-pod17/pki/pki-catalog.yaml [new file with mode: 0644]
site/intel-pod17/profiles/region.yaml [new file with mode: 0644]
site/intel-pod17/secrets/certificates/certificates.yaml [new file with mode: 0644]
site/intel-pod17/secrets/certificates/ingress.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/apiserver-encryption-key-key1.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ceph_fsid.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ceph_swift_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ipmi_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/maas-region-key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_barbican_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_barbican_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_cinder_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_cinder_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_glance_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_glance_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_stack_user_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_heat_trustee_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_horizon_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_grafana_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_nagios_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_openstack_exporter_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_prometheus_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_ldap_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_neutron_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_neutron_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_oslo_cache_secret_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_oslo_db_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_oslo_db_exporter_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_oslo_messaging_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_placement_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/osh_tempest_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/tenant_ceph_fsid.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ubuntu_crypt_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_airflow_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_airflow_postgres_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_armada_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_barbican_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_barbican_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_deckhand_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_deckhand_postgres_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_drydock_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_drydock_postgres_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_keystone_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_keystone_oslo_db_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_maas_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_maas_postgres_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_openstack_exporter_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_oslo_db_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_oslo_messaging_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_postgres_admin_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_postgres_exporter_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_postgres_replication_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_promenade_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_shipyard_keystone_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/passphrases/ucp_shipyard_postgres_password.yaml [new file with mode: 0644]
site/intel-pod17/secrets/publickey/grego_ssh_public_key.yaml [new file with mode: 0644]
site/intel-pod17/secrets/publickey/kasparss_ssh_public_key.yaml [new file with mode: 0644]
site/intel-pod17/site-definition.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/kubernetes/container-networking/etcd.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/kubernetes/etcd/etcd.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/ucp/ceph/ceph-client-update.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/ucp/ceph/ceph-client.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/ucp/ceph/ceph-osd.yaml [new file with mode: 0644]
site/intel-pod17/software/charts/ucp/divingbell/divingbell.yaml [new file with mode: 0644]
site/intel-pod17/software/config/common-software-config.yaml [new file with mode: 0644]
type/cntt/bootactions/promjoin.yaml [new file with mode: 0644]
type/cntt/deployment/deployment-configuration.yaml [new file with mode: 0644]
type/cntt/network/KubernetesNetwork.yaml [new file with mode: 0644]
type/cntt/profiles/genesis.yaml [new file with mode: 0644]
type/cntt/profiles/hardware/intel-s2600wt.yaml [new file with mode: 0644]
type/cntt/profiles/host/cp-intel-s2600wt.yaml [new file with mode: 0644]
type/cntt/profiles/host/dp-intel-s2600wt.yaml [new file with mode: 0644]
type/cntt/software/charts/kubernetes/ingress/ingress.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/elasticsearch.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/fluentbit.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/fluentd.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/grafana.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/ingress.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/mariadb.yaml [new file with mode: 0644]
type/cntt/software/charts/osh-infra/prometheus.yaml [new file with mode: 0644]
type/cntt/software/charts/osh/openstack-compute-kit/neutron.yaml [new file with mode: 0644]
type/cntt/software/charts/osh/openstack-compute-kit/nova.yaml [new file with mode: 0644]
type/cntt/software/charts/osh/openstack-heat/heat.yaml [new file with mode: 0644]
type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml [new file with mode: 0644]
type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-osd.yaml [new file with mode: 0644]
type/cntt/software/charts/ucp/comps/chart-group.yaml [new file with mode: 0644]
type/cntt/software/charts/ucp/comps/drydock.yaml [new file with mode: 0644]
type/cntt/software/charts/ucp/comps/maas-scaled.yaml [new file with mode: 0644]
type/cntt/software/charts/ucp/comps/maas.yaml [new file with mode: 0644]
type/cntt/software/charts/ucp/promenade/promenade.yaml [new file with mode: 0644]
type/cntt/software/config/endpoints.yaml [new file with mode: 0644]
type/cntt/software/config/service_accounts.yaml [new file with mode: 0644]
type/cntt/software/manifests/bootstrap.yaml [new file with mode: 0644]
type/cntt/software/manifests/full-site.yaml [new file with mode: 0644]

diff --git a/site/intel-pod17/baremetal/nodes.yaml b/site/intel-pod17/baremetal/nodes.yaml
new file mode 100644 (file)
index 0000000..cd88a66
--- /dev/null
@@ -0,0 +1,254 @@
+---
+# Drydock BaremetalNode resources for a specific rack are stored in this file.
+#
+# NOTE: For new sites, you should complete the networks/physical/networks.yaml
+# file before working on this file.
+#
+# In this file, you should make the number of `drydock/BaremetalNode/v1`
+# resources equal the number of bare metal nodes you have, either by deleting
+# excess BaremetalNode definitions (if there are too many), or by copying and
+# pasting the last BaremetalNode in the file until you have the correct number
+# of baremetal nodes (if there are too few).
+#
+# Then in each file, address all additional NEWSITE-CHANGEME markers to update
+# the data in these files with the right values for your new site.
+#
+# *NOTE: The Genesis node is counted as one of the control plane nodes. Note
+# that the Genesis node does not appear on this bare metal list, because the
+# procedure to reprovision the Genesis host with MaaS has not yet been
+# implemented. Therefore there will be only three bare metal nodes in this file
+# with the 'masters' tag, as the genesis roles are assigned in a difference
+# place (profiles/genesis.yaml).
+# NOTE: The host profiles for the control plane are further divided into two
+# variants: primary and secondary. The only significance this has is that the
+# "primary" nodes are active Ceph nodes, whereas the "secondary" nodes are Ceph
+# standby nodes. For Ceph quorum, this means that the control plane split will
+# be 3 primary + 1 standby host profile, and the Genesis node counts toward one
+# of the 3 primary profiles. Other control plane services are not affected by
+# primary vs secondary designation.
+#
+# TODO: Include the hostname naming convention
+#
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: Replace with the hostname of the first node in the rack,
+  # after (excluding) genesis.
+  name: pod17-node1
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: The IPv4 address assigned to each logical network on this
+  # node. In the reference Airship deployment, this is all logical Networks defined
+  # in networks/physical/networks.yaml. IP addresses are manually assigned, by-hand.
+  # (what could possibly go wrong!) The instructions differ for each logical
+  # network, which are laid out below.
+  addressing:
+    # The iDrac/iLo IP of the node. It's important that this match up with the
+    # node's hostname above, so that the rack number and node position encoded
+    # in the hostname are accurate and matching the node that IPMI operations
+    # will be performed against (for poweron, poweroff, PXE boot to wipe disk or
+    # reconfigure identity, etc - very important to get right for these reasons).
+    # These addresses should already be assigned to nodes racked and stacked in
+    # the environment; these are not addresses which MaaS assigns.
+    - network: oob
+      address: 10.10.170.11
+    # The IP of the node on the PXE network. Refer to the static IP range
+    # defined for the PXE network in networks/physical/networks.yaml. Begin allocating
+    # IPs from this network, starting with the second IP (inclusive) from the
+    # allocation range of this subnet (Genesis node will have the first IP).
+    # Ex: If the start IP for the PXE "static" network is 10.23.20.11, then
+    # genesis will have 10.23.20.11, this node will have 10.23.20.12, and
+    # so on with incrementing IP addresses with each additional node.
+    - network: dmz
+      address: 10.10.170.21
+    # Genesis node gets first IP, all other nodes increment IPs from there
+    # within the allocation range defined for the network in
+    # networks/physical/networks.yaml
+    - network: admin
+      address: 10.10.171.21
+    # Genesis node gets first IP, all other nodes increment IPs from there
+    # within the allocation range defined for the network in
+    # networks/physical/networks.yaml
+    - network: private
+      address: 10.10.172.21
+    # Genesis node gets first IP, all other nodes increment IPs from there
+    # within the allocation range defined for the network in
+    # networks/physical/networks.yaml
+    - network: storage
+      address: 10.10.173.21
+    # Genesis node gets first IP, all other nodes increment IPs from there
+    # within the allocation range defined for the network in
+    # networks/physical/networks.yaml
+    - network: management
+      address: 10.10.174.21
+  # NEWSITE-CHANGEME: Set the host profile for the node.
+  # Note that there are different host profiles depending if this is a control
+  # plane vs data plane node, and different profiles that map to different types
+  # hardware. Control plane host profiles are further broken down into "primary"
+  # and "secondary" profiles (refer to the Notes section at the top of this doc).
+  # Select the host profile that matches up to your type of
+  # hardware and function. E.g., the r720 here refers to Dell R720 hardware, the
+  # 'cp' refers to a control plane profile, and the "primary" means it will be
+  # an active member in the ceph quorum. Refer to profiles/host/ for the list
+  # of available host profiles specific to this site (otherwise, you may find
+  # a general set of host profiles at the "type" or "global" layers/folders.
+  # If you have hardware that is not on this list of profiles, you may need to
+  # create a new host profile for that hardware.
+  # Regarding control plane vs other data plane profiles, refer to the notes at
+  # the beginning of this file. There should be one control plane node per rack,
+  # including Genesis. Note Genesis won't actually be listed in this file as a
+  # BaremetalNode, but the rest are.
+  # This is the second "primary" control plane node after Genesis.
+  host_profile: cp-intel-s2600wt
+  metadata:
+    tags:
+      # NEWSITE-CHANGEME: See previous comment. Apply 'masters' tag for control
+      # plane node, and 'workers' tag for data plane hosts.
+      - 'masters'
+    # NEWSITE-CHANGEME: Refer to site engineering package or other supporting
+    # documentation for the specific rack name. This should be a rack name that
+    # is meaningful to data center personnel (i.e. a rack they could locate if
+    # you gave them this rack designation).
+    rack: pod17-rack
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: The next node's hostname
+  name: pod17-node2
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: The next node's IPv4 addressing
+  addressing:
+    - network: oob
+      address: 10.10.170.12
+    - network: dmz
+      address: 10.10.170.22
+    - network: admin
+      address: 10.10.171.22
+    - network: private
+      address: 10.10.172.22
+    - network: storage
+      address: 10.10.173.22
+    - network: management
+      address: 10.10.174.22
+  # NEWSITE-CHANGEME: The next node's host profile
+  host_profile: cp-intel-s2600wt
+  metadata:
+    # NEWSITE-CHANGEME: The next node's rack designation
+    rack: pod17-rack
+    # NEWSITE-CHANGEME: The next node's role desigatnion
+    tags:
+      - 'masters'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: The next node's hostname
+  name: pod17-node3
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: The next node's IPv4 addressing
+  addressing:
+    - network: oob
+      address: 10.10.170.13
+    - network: dmz
+      address: 10.10.170.23
+    - network: admin
+      address: 10.10.171.23
+    - network: private
+      address: 10.10.172.23
+    - network: storage
+      address: 10.10.173.23
+    - network: management
+      address: 10.10.174.23
+  # NEWSITE-CHANGEME: The next node's host profile
+  # This is the third "primary" control plane profile after genesis
+  host_profile: dp-intel-s2600wt
+  metadata:
+    # NEWSITE-CHANGEME: The next node's rack designation
+    rack: pod17-rack
+    # NEWSITE-CHANGEME: The next node's role desigatnion
+    tags:
+      - 'workers'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: The next node's hostname
+  name: pod17-node4
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: The next node's IPv4 addressing
+  addressing:
+    - network: oob
+      address: 10.10.170.14
+    - network: dmz
+      address: 10.10.170.24
+    - network: admin
+      address: 10.10.171.24
+    - network: private
+      address: 10.10.172.24
+    - network: storage
+      address: 10.10.173.24
+    - network: management
+      address: 10.10.174.24
+  # NEWSITE-CHANGEME: The next node's host profile
+  # This is the one and only appearance of the "secondary" control plane profile
+  host_profile: dp-intel-s2600wt
+  metadata:
+    # NEWSITE-CHANGEME: The next node's rack designation
+    rack: pod17-rack
+    # NEWSITE-CHANGEME: The next node's role desigatnion
+    tags:
+      - 'workers'
+...
+---
+schema: 'drydock/BaremetalNode/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: The next node's hostname
+  name: pod17-node5
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: The next node's IPv4 addressing
+  addressing:
+    - network: oob
+      address: 10.10.170.15
+    - network: dmz
+      address: 10.10.170.25
+    - network: admin
+      address: 10.10.171.25
+    - network: private
+      address: 10.10.172.25
+    - network: storage
+      address: 10.10.173.25
+    - network: management
+      address: 10.10.174.25
+  # NEWSITE-CHANGEME: The next node's host profile
+  host_profile: dp-intel-s2600wt
+  metadata:
+    # NEWSITE-CHANGEME: The next node's rack designation
+    rack: pod17-rack
+    # NEWSITE-CHANGEME: The next node's role desigatnion
+    tags:
+      - 'workers'
+...
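Review bot: The `oob` addresses (10.10.170.11–15) are in the same 10.10.170.x range as the `dmz` addresses (10.10.170.21–25) on every node in this file, and the table in networks/physical/networks.yaml labels that /24 "OoB & OAM (default route)", so the BMC/IPMI interfaces appear to share a segment with the default-route network. If that is deliberate for this lab, say so next to the first `- network: oob` entry, e.g. `# oob shares 10.10.170.0/24 with dmz in this pod; limit who can reach the BMC addresses`; otherwise the BMCs would be better on their own isolated network. Separately, several comments carried over from the template no longer match the data. The `dmz` entry is introduced as "The IP of the node on the PXE network", and pod17-node3 and pod17-node4 are described as "primary" and "secondary" control plane profiles while they use `dp-intel-s2600wt` with the `workers` tag. The header also says there will be three nodes tagged 'masters', but only pod17-node1 and pod17-node2 carry that tag.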
diff --git a/site/intel-pod17/networks/common-addresses.yaml b/site/intel-pod17/networks/common-addresses.yaml
new file mode 100644 (file)
index 0000000..1fe0357
--- /dev/null
@@ -0,0 +1,155 @@
+---
+# The purpose of this file is to define network related paramters that are
+# referenced elsewhere in the manifests for this site.
+#
+schema: pegleg/CommonAddresses/v1
+metadata:
+  schema: metadata/Document/v1
+  name: common-addresses
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  calico:
+    # NEWSITE-CHANGEME: The interface that calico will use. Update if your
+    # logical bond interface name or calico VLAN have changed from the reference
+    # site design.
+    # This should be whichever
+    # bond and VLAN number specified in networks/physical/networks.yaml for the Calico
+    # network. E.g. VLAN 22 for the calico network as a member of bond0, you
+    # would set "interface=bond0.22" as shown here.
+    ip_autodetection_method: interface=ens785f0
+    etcd:
+      # etcd service IP address
+      service_ip: 10.96.232.136
+
+  vip:
+    ingress_vip: '10.10.170.100/32'
+    maas_vip: '10.10.171.100/32'
+
+  dns:
+    # Kubernetes cluster domain. Do not change. This is internal to the cluster.
+    cluster_domain: cluster.local
+    # DNS service ip
+    service_ip: 10.96.0.10
+    # List of upstream DNS forwards. Verify you can reach them from your
+    # environment. If so, you should not need to change them.
+    upstream_servers:
+      - 8.8.8.8
+      - 8.8.4.4
+    # Repeat the same values as above, but formatted as a common separated
+    # string
+    upstream_servers_joined: 8.8.8.8,8.8.4.4
+    # NEWSITE-CHANGEME: FQDN for ingress (i.e. "publicly facing" access point)
+    # Choose FQDN according to the ingress/public FQDN naming conventions at
+    # the top of this document.
+    ingress_domain: intel-pod17.opnfv.org
+
+  genesis:
+    # NEWSITE-CHANGEME: Update with the hostname for the node which will take on
+    # the Genesis role. Refer to the hostname naming stardards in
+    # networks/physical/networks.yaml
+    # NOTE: Ensure that the genesis node is manually configured with this
+    # hostname before running `genesis.sh` on the node.
+    hostname: pod17-jump
+    # NEWSITE-CHANGEME: Calico IP of the Genesis node. Use the "start" value for
+    # the calico network defined in networks/physical/networks.yaml for this IP.
+    ip: 10.10.172.20
+
+  bootstrap:
+    # NEWSITE-CHANGEME: Update with the "start" value/IP of the static range
+    # defined for the pxe network in networks/physical/networks.yaml
+    ip: 10.10.171.20
+
+  kubernetes:
+    # K8s API service IP
+    api_service_ip: 10.96.0.1
+    # etcd service IP
+    etcd_service_ip: 10.96.0.2
+    # k8s pod CIDR (network which pod traffic will traverse)
+    pod_cidr: 10.97.0.0/16
+    # k8s service CIDR (network which k8s API traffic will traverse)
+    service_cidr: 10.96.0.0/16
+    # misc k8s port settings
+    apiserver_port: 6443
+    haproxy_port: 6553
+    service_node_port_range: 30000-32767
+
+  # etcd port settings
+  etcd:
+    container_port: 2379
+    haproxy_port: 2378
+
+  # NEWSITE-CHANGEME: A list of nodes (apart from Genesis) which act as the
+  # control plane servers. Ensure that this matches the nodes with the 'masters'
+  # tags applied in baremetal/nodes.yaml
+  masters:
+    - hostname: pod17-node1
+    - hostname: pod17-node2
+
+  # NEWSITE-CHANGEME: Environment proxy information.
+  # NOTE: Reference Airship sites do not deploy behind a proxy, so this proxy section
+  # should be commented out.
+  # However if you are in a lab that requires proxy, ensure that these proxy
+  # settings are correct and reachable in your environment; otherwise update
+  # them with the correct values for your environment.
+  proxy:
+    http: ""
+    https: ""
+    no_proxy: []
+
+  node_ports:
+    drydock_api: 30000
+    maas_api: 30001
+    maas_proxy: 31800  # hardcoded in MAAS
+
+  ntp:
+    # comma separated NTP server list. Verify that these upstream NTP servers are
+    # reachable in your environment; otherwise update them with the correct
+    # values for your environment.
+    servers_joined: '0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,4.ubuntu.pool.ntp.org'
+
+  # NOTE: This will be updated soon
+  ldap:
+    # NEWSITE-CHANGEME: FQDN for LDAP. Update to the FQDN that is
+    # relevant for your type of deployment (test vs prod values, etc).
+    base_url: 'ldap.example.com'
+    # NEWSITE-CHANGEME: As above, with the protocol included to create a full URI
+    url: 'ldap://ldap.example.com'
+    # NEWSITE-CHANGEME: Update to the correct expression relevant for this
+    # deployment (test vs prod values, etc)
+    auth_path: DC=test,DC=test,DC=com?sAMAccountName?sub?memberof=CN=test,OU=Application,OU=Groups,DC=test,DC=test,DC=com
+    # NEWSITE-CHANGEME: Update to the correct AD group that contains the users
+    # relevant for this deployment (test users vs prod users/values, etc)
+    common_name: test
+    # NEWSITE-CHANGEME: Update to the correct subdomain for your type of
+    # deployment (test vs prod values, etc)
+    subdomain: test
+    # NEWSITE-CHANGEME: Update to the correct domain for your type of
+    # deployment (test vs prod values, etc)
+    domain: example
+
+  storage:
+    ceph:
+      # NEWSITE-CHANGEME: CIDRs for Ceph. Update to match the network CIDR
+      # used for the `storage` network in networks/physical/networks.yaml
+      public_cidr: '10.10.173.0/24'
+      cluster_cidr: '10.10.173.0/24'
+
+  neutron:
+    # NEWSITE-CHANGEME: Overlay network for VM traffic. Ensure the bond name and
+    # VLAN number are consistent with what's defined for the bond and the overlay
+    # network in networks/physical/networks.yaml
+    tunnel_device: 'ens785f0'
+    # bond which the overlay is a member of. Ensure the bond name is consistent
+    # with the bond assigned to the overlay network in
+    # networks/physical/networks.yaml
+    external_iface: 'ens785f1.1173'
+
+  openvswitch:
+    # bond which the overlay is a member of. Ensure the bond name is consistent
+    # with the bond assigned to the overlay network in
+    # networks/physical/networks.yaml
+    external_iface: 'ens785f1.1173'
+...
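Review bot: The `ldap.url` value uses the `ldap://` scheme, so once the example.com placeholder is replaced the LDAP bind would presumably go over an unencrypted connection; the bind password looks to be the one added in secrets/passphrases/osh_keystone_ldap_password.yaml. I would write `url: 'ldaps://ldap.example.com'`, or extend the NEWSITE-CHANGEME comment to say that TLS (ldaps or StartTLS) is expected. In `ntp.servers_joined` the last entry is `4.ubuntu.pool.ntp.org`; pool zones are normally numbered 0–3, so this looks like a typo for `3.ubuntu.pool.ntp.org` and should be checked that it resolves. The `proxy` comment says the section should be commented out for reference sites, yet it is left active with empty values, so either drop the section or reword the comment.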
diff --git a/site/intel-pod17/networks/physical/networks.yaml b/site/intel-pod17/networks/physical/networks.yaml
new file mode 100644 (file)
index 0000000..d149b07
--- /dev/null
@@ -0,0 +1,365 @@
+---
+# The purpose of this file is to define all of the NetworkLinks (i.e. layer 1
+# devices) and Networks (i.e. layer 3 configurations). The following is standard
+# for the logical networks in Airship:
+#
+# https://wiki.opnfv.org/display/pharos/Intel+POD17
+# +--------+------------+-----------------------------------+----------+----------+----------------+
+# |        |            |                                   |          |          |                |
+# +--------+------------+-----------------------------------+----------+----------+----------------+
+# |IF0 1G  | dmz        | OoB & OAM (default route)         | VLAN 170 | untagged | 10.10.170.0/24 |
+# |IF1 1G  | admin      | PXE boot network                  | VLAN 171 | untagged | 10.10.171.0/24 |
+# |IF2 10G | private    | Underlay calico and ovs overlay   | VLAN 172 | untagged | 10.10.172.0/24 |
+# |        | management | Management (unused for now)       | VLAN 174 | tagged   | 10.10.174.0/24 |
+# |IF3 10G | storage    | Storage network                   | VLAN 173 | untagged | 10.10.173.0/24 |
+# |        | public     | Public network for VMs            | VLAN 175 | tagged   | 10.10.175.0/24 |
+# +--------+------------+-----------------------------------+----------+----------+----------------+
+#
+# For standard Airship deployments, you should not need to modify the number of
+# NetworkLinks and Networks in this file. Only the IP addresses and CIDRs should
+# need editing.
+#
+# TODO: Given that we expect all network broadcast domains to span all racks in
+# Airship, we should choose network names that do not include the rack number.
+#
+# TODO: FQDN naming standards for hosts
+#
+schema: 'drydock/NetworkLink/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: oob
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # MaaS doesnt own this network like it does the others, so the noconfig label
+  # is specified.
+  labels:
+    noconfig: enabled
+  bonding:
+    mode: disabled
+  mtu: 1500
+  linkspeed: auto
+  trunking:
+    mode: disabled
+    default_network: oob
+  allowed_networks:
+    - oob
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: oob
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Update with the site's out-of-band CIDR
+  cidr: 10.10.170.0/24
+  routes:
+    # NEWSITE-CHANGEME: Update with the site's out-of-band gateway IP
+    - subnet: '0.0.0.0/0'
+      gateway: 10.10.170.1
+      metric: 100
+  # NEWSITE-CHANGEME: Update with the site's out-of-band IP allocation range
+  # FIXME: Is this IP range actually used/allocated for anything? The HW already
+  # has its OOB IPs assigned. None of the Ubuntu OS's should need IPs on OOB
+  # network either, as they should be routable via the default gw on OAM network
+  ranges:
+    - type: static
+      start: 10.10.170.20
+      end: 10.10.170.39
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: dmz
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  bonding:
+    mode: disabled
+  mtu: 1500
+  linkspeed: auto
+  trunking:
+    mode: disabled
+    default_network: dmz
+  allowed_networks:
+    - dmz
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: dmz
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Update with the site's PXE network CIDR
+  # NOTE: The CIDR minimum size = (number of nodes * 2) + 10
+  cidr: 10.10.170.0/24
+  routes:
+    - subnet: 0.0.0.0/0
+      # NEWSITE-CHANGEME: Set the OAM network gateway IP address
+      gateway: 10.10.170.1
+      metric: 100
+  # NOTE: The first 10 IPs in the subnet are reserved for network infrastructure.
+  # The remainder of the range is divided between two subnets of equal size:
+  # one static, and one DHCP.
+  # The DHCP addresses are used when nodes perform a PXE boot (DHCP address gets
+  # assigned), and when a node is commissioning in MaaS (also uses DHCP to get
+  # its IP address). However, when MaaS installs the operating system
+  # ("Deploying/Deployed" states), it will write a static IP assignment to
+  # /etc/network/interfaces[.d] with IPs from the "static" subnet defined here.
+  ranges:
+    # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+    - type: reserved
+      start: 10.10.170.1
+      end: 10.10.170.19
+    # NEWSITE-CHANGEME: Update to the first half of the remaining range after
+    # excluding the 10 reserved IPs.
+    - type: static
+      start: 10.10.170.20
+      end: 10.10.170.39
+    # NEWSITE-CHANGEME: Update to the second half of the remaining range after
+    # excluding the 10 reserved IPs.
+    - type: dhcp
+      start: 10.10.170.40
+      end: 10.10.170.79
+  dns:
+    # NEWSITE-CHANGEME: FQDN for bare metal nodes.
+    # Choose FQDN according to the node FQDN naming conventions at the top of
+    # this document.
+    domain: intel-pod17.opnfv.org
+    # List of upstream DNS forwards. Verify you can reach them from your
+    # environment. If so, you should not need to change them.
+    # TODO: This should be populated via substitution from common-addresses
+    servers: '8.8.8.8,8.8.4.4'
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: admin
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  bonding:
+    mode: disabled
+  mtu: 1500
+  linkspeed: auto
+  trunking:
+    mode: disabled
+    default_network: admin
+  allowed_networks:
+    - admin
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: admin
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Update with the site's PXE network CIDR
+  # NOTE: The CIDR minimum size = (number of nodes * 2) + 10
+  cidr: 10.10.171.0/24
+  # routes:
+  #   - subnet: 0.0.0.0/0
+  #     # NEWSITE-CHANGEME: Set the OAM network gateway IP address
+  #     gateway: 10.10.171.1
+  #     metric: 100
+  # NOTE: The first 10 IPs in the subnet are reserved for network infrastructure.
+  # The remainder of the range is divided between two subnets of equal size:
+  # one static, and one DHCP.
+  # The DHCP addresses are used when nodes perform a PXE boot (DHCP address gets
+  # assigned), and when a node is commissioning in MaaS (also uses DHCP to get
+  # its IP address). However, when MaaS installs the operating system
+  # ("Deploying/Deployed" states), it will write a static IP assignment to
+  # /etc/network/interfaces[.d] with IPs from the "static" subnet defined here.
+  ranges:
+    # NEWSITE-CHANGEME: Update to the first 10 IPs in the CIDR
+    - type: reserved
+      start: 10.10.171.1
+      end: 10.10.171.19
+    # NEWSITE-CHANGEME: Update to the first half of the remaining range after
+    # excluding the 10 reserved IPs.
+    - type: static
+      start: 10.10.171.20
+      end: 10.10.171.39
+    # NEWSITE-CHANGEME: Update to the second half of the remaining range after
+    # excluding the 10 reserved IPs.
+    - type: dhcp
+      start: 10.10.171.40
+      end: 10.10.171.79
+  dns:
+    # NEWSITE-CHANGEME: FQDN for bare metal nodes.
+    # Choose FQDN according to the node FQDN naming conventions at the top of
+    # this document.
+    domain: intel-pod17.opnfv.org
+    # List of upstream DNS forwards. Verify you can reach them from your
+    # environment. If so, you should not need to change them.
+    # TODO: This should be populated via substitution from common-addresses
+    servers: '10.10.171.100'
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: data1
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  bonding:
+    mode: disabled
+  # NEWSITE-CHANGEME: Ensure the network switches in the environment are
+  # configured for this MTU or greater. Even if switches are configured for or
+  # can support a slightly higher MTU, there is no need (and negliable benefit)
+  # to squeeze every last byte into the MTU (e.g., 9216 vs 9100). Leave MTU at
+  # 9100 for maximum compatibility.
+  mtu: 1500
+  linkspeed: auto
+  trunking:
+    mode: 802.1q
+  allowed_networks:
+    - private
+    - management
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: private
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Set the VLAN ID which the storage network is on
+  vlan: '0'
+  mtu: 1500
+  # NEWSITE-CHANGEME: Set the CIDR for the storage network
+  # NOTE: The CIDR minimum size = number of nodes + 10
+  cidr: 10.10.172.0/24
+  ranges:
+    # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+    # 10 reserved IPs.
+    - type: static
+      start: 10.10.172.1
+      end: 10.10.172.19
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: management
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Set the VLAN ID which the OAM network is on
+  vlan: '174'
+  mtu: 1500
+  # NEWSITE-CHANGEME: Set the CIDR for the OAM network
+  # NOTE: The CIDR minimum size = number of nodes + 10
+  cidr: 10.10.174.0/24
+  routes:
+    - subnet: 0.0.0.0/0
+      # NEWSITE-CHANGEME: Set the OAM network gateway IP address
+      gateway: 10.10.174.1
+      metric: 100
+  ranges:
+    # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+    # 10 reserved IPs.
+    - type: static
+      start: 10.10.174.1
+      end: 10.23.21.19
+  dns:
+    # NEWSITE-CHANGEME: FQDN for bare metal nodes.
+    # Choose FQDN according to the node FQDN naming conventions at the top of
+    # this document.
+    domain: intel-pod17.opnfv.org
+    # List of upstream DNS forwards. Verify you can reach them from your
+    # environment. If so, you should not need to change them.
+    # TODO: This should be populated via substitution from common-addresses
+    servers: '8.8.8.8,8.8.4.4'
+...
+---
+schema: 'drydock/NetworkLink/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: data2
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  bonding:
+    mode: disabled
+  # NEWSITE-CHANGEME: Ensure the network switches in the environment are
+  # configured for this MTU or greater. Even if switches are configured for or
+  # can support a slightly higher MTU, there is no need (and negliable benefit)
+  # to squeeze every last byte into the MTU (e.g., 9216 vs 9100). Leave MTU at
+  # 9100 for maximum compatibility.
+  mtu: 1500
+  linkspeed: auto
+  trunking:
+    mode: 802.1q
+    default_network: storage
+  allowed_networks:
+    - storage
+    - public
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: storage
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # NEWSITE-CHANGEME: Set the VLAN ID which the storage network is on
+  vlan: '0'
+  mtu: 1500
+  # NEWSITE-CHANGEME: Set the CIDR for the storage network
+  # NOTE: The CIDR minimum size = number of nodes + 10
+  cidr: 10.10.173.0/24
+  ranges:
+    # NEWSITE-CHANGEME: Update to the remaining range after excluding the 10
+    # 10 reserved IPs.
+    - type: static
+      start: 10.10.173.1
+      end: 10.10.173.19
+...
+---
+schema: 'drydock/Network/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: public
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  vlan: '1173'
+  mtu: 1500
+  cidr: 10.10.175.0/24
+...
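Review bot: The static range of the `management` Network ends at `end: 10.23.21.19`, which lies outside its own `cidr: 10.10.174.0/24` and looks like a value left over from another site; it should presumably read `end: 10.10.174.19`. The same range starts at `10.10.174.1`, the address given as the gateway a few lines above, so the gateway address may be handed to a node unless a `reserved` range is added as in the `dmz` and `admin` documents. Separately, the `oob` and `dmz` Networks declare the same `cidr: 10.10.170.0/24` and the same static range `10.10.170.20` to `10.10.170.39`, and `public` uses `vlan: '1173'` while the table in the file header lists VLAN 175. Both are worth confirming against the switch configuration, since a wrong VLAN or an overlapping allocation weakens the separation between the out-of-band, OAM and tenant-facing segments.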
diff --git a/site/intel-pod17/pki/pki-catalog.yaml b/site/intel-pod17/pki/pki-catalog.yaml
new file mode 100644 (file)
index 0000000..d1f9935
--- /dev/null
@@ -0,0 +1,299 @@
+---
+# The purpose of this file is to define the PKI certificates for the environment
+#
+# NOTE: When deploying a new site, this file should not be configured until
+# baremetal/nodes.yaml is complete.
+#
+schema: promenade/PKICatalog/v1
+metadata:
+  schema: metadata/Document/v1
+  name: cluster-certificates
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  certificate_authorities:
+    kubernetes:
+      description: CA for Kubernetes components
+      certificates:
+        - document_name: apiserver
+          description: Service certificate for Kubernetes apiserver
+          common_name: apiserver
+          hosts:
+            - localhost
+            - 127.0.0.1
+            # FIXME: Repetition of api_service_ip in common-addresses; use
+            # substitution
+            - 10.96.0.1
+          kubernetes_service_names:
+            - kubernetes.default.svc.cluster.local
+
+        # NEWSITE-CHANGEME: The following should be a list of all the nodes in
+        # the environment (genesis, control plane, data plane, everything).
+        # Add/delete from this list as necessary until all nodes are listed.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml
+        # NOTE: The genesis node needs to be defined twice (the first two entries
+        # on this list) with all of the same paramters except the document_name.
+        # In the first case the document_name is `kubelet-genesis`, and in the
+        # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
+        - document_name: kubelet-genesis
+          common_name: system:node:pod17-jump
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-jump
+          common_name: system:node:pod17-jump
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-node1
+          common_name: system:node:pod17-node1
+          hosts:
+            - pod17-node1
+            - 10.10.172.21
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-node2
+          common_name: system:node:pod17-node2
+          hosts:
+            - pod17-node2
+            - 10.10.172.22
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-node3
+          common_name: system:node:pod17-node3
+          hosts:
+            - pod17-node3
+            - 10.10.172.23
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-node4
+          common_name: system:node:pod17-node4
+          hosts:
+            - pod17-node4
+            - 10.10.172.24
+          groups:
+            - system:nodes
+        - document_name: kubelet-pod17-node5
+          common_name: system:node:pod17-node5
+          hosts:
+            - pod17-node5
+            - 10.10.172.25
+          groups:
+            - system:nodes
+        # End node list
+        - document_name: scheduler
+          description: Service certificate for Kubernetes scheduler
+          common_name: system:kube-scheduler
+        - document_name: controller-manager
+          description: certificate for controller-manager
+          common_name: system:kube-controller-manager
+        - document_name: admin
+          common_name: admin
+          groups:
+            - system:masters
+        - document_name: armada
+          common_name: armada
+          groups:
+            - system:masters
+    kubernetes-etcd:
+      description: Certificates for Kubernetes's etcd servers
+      certificates:
+        - document_name: apiserver-etcd
+          description: etcd client certificate for use by Kubernetes apiserver
+          common_name: apiserver
+        # NOTE(mark-burnett): hosts not required for client certificates
+        - document_name: kubernetes-etcd-anchor
+          description: anchor
+          common_name: anchor
+        # NEWSITE-CHANGEME: The following should be a list of the control plane
+        # nodes in the environment, including genesis.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        #   4. 127.0.0.1
+        #   5. localhost
+        #   6. kubernetes-etcd.kube-system.svc.cluster.local
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml, except for the kubernetes
+        # service_cidr where it should start with the second IP in the range.
+        # NOTE: The genesis node is defined twice with the same `hosts` data:
+        # Once with its hostname in the common/document name, and once with
+        # `genesis` defined instead of the host. For now, this duplicated
+        # genesis definition is required. FIXME: Remove duplicate definition
+        # after Promenade addresses this issue.
+        - document_name: kubernetes-etcd-genesis
+          common_name: kubernetes-etcd-genesis
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-jump
+          common_name: kubernetes-etcd-pod17-jump
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-node1
+          common_name: kubernetes-etcd-pod17-node1
+          hosts:
+            - pod17-node1
+            - 10.10.172.21
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-node2
+          common_name: kubernetes-etcd-pod17-node2
+          hosts:
+            - pod17-node2
+            - 10.10.172.22
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        # End node list
+    kubernetes-etcd-peer:
+      certificates:
+        # NEWSITE-CHANGEME: This list should be identical to the previous list,
+        # except that `-peer` has been appended to the document/common names.
+        - document_name: kubernetes-etcd-genesis-peer
+          common_name: kubernetes-etcd-genesis-peer
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-jump-peer
+          common_name: kubernetes-etcd-pod17-jump-peer
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-node1-peer
+          common_name: kubernetes-etcd-pod17-node1-peer
+          hosts:
+            - pod17-node1
+            - 10.10.172.21
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        - document_name: kubernetes-etcd-pod17-node2-peer
+          common_name: kubernetes-etcd-pod17-node2-peer
+          hosts:
+            - pod17-node2
+            - 10.10.172.22
+            - 127.0.0.1
+            - localhost
+            - kubernetes-etcd.kube-system.svc.cluster.local
+            - 10.96.0.2
+        # End node list
+    calico-etcd:
+      description: Certificates for Calico etcd client traffic
+      certificates:
+        - document_name: calico-etcd-anchor
+          description: anchor
+          common_name: anchor
+        # NEWSITE-CHANGEME: The following should be a list of the control plane
+        # nodes in the environment, including genesis.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        #   4. 127.0.0.1
+        #   5. localhost
+        #   6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml
+        - document_name: calico-etcd-pod17-jump
+          common_name: calico-etcd-pod17-jump
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-etcd-pod17-node1
+          common_name: calico-etcd-pod17-node1
+          hosts:
+            - pod17-node1
+            - 10.10.172.21
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-etcd-pod17-node2
+          common_name: calico-etcd-pod17-node2
+          hosts:
+            - pod17-node2
+            - 10.10.172.22
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-node
+          common_name: calcico-node
+        # End node list
+    calico-etcd-peer:
+      description: Certificates for Calico etcd clients
+      certificates:
+        # NEWSITE-CHANGEME: This list should be identical to the previous list,
+        # except that `-peer` has been appended to the document/common names.
+        - document_name: calico-etcd-pod17-jump-peer
+          common_name: calico-etcd-pod17-jump-peer
+          hosts:
+            - pod17-jump
+            - 10.10.172.20
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-etcd-pod17-node1-peer
+          common_name: calico-etcd-pod17-node1-peer
+          hosts:
+            - pod17-node1
+            - 10.10.172.21
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-etcd-pod17-node2-peer
+          common_name: calico-etcd-pod17-node2-peer
+          hosts:
+            - pod17-node2
+            - 10.10.172.22
+            - 127.0.0.1
+            - localhost
+            - 10.96.232.136
+        - document_name: calico-node-peer
+          common_name: calcico-node-peer
+        # End node list
+  keypairs:
+    - name: service-account
+      description: Service account signing key for use by Kubernetes controller-manager.
+...
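Review bot: The two Calico client entries carry a misspelled subject, `common_name: calcico-node` under `calico-etcd` and `common_name: calcico-node-peer` under `calico-etcd-peer`, while their `document_name` values are spelled `calico-node`. They should read `common_name: calico-node` and `common_name: calico-node-peer`, otherwise any later CN-based authorization rule or audit-log search on the Calico identity will not match. The `admin` and `armada` entries of the `kubernetes` CA both sit in `system:masters`, a group the API server authorizes unconditionally and that cannot be taken back from an issued certificate, so a comment above them such as `# system:masters bypasses RBAC; keep the private key encrypted and reissue on operator change` would help the next site author. The kubelet entries list a hostname and one address each, whereas the comment above them asks for both the OAM and the Calico address; if the API server reaches kubelets on the OAM address, that address needs to be in `hosts` as well.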
diff --git a/site/intel-pod17/profiles/region.yaml b/site/intel-pod17/profiles/region.yaml
new file mode 100644 (file)
index 0000000..f8ac846
--- /dev/null
@@ -0,0 +1,53 @@
+---
+# The purpose of this file is to define the drydock Region, which in turn drives
+# the MaaS region.
+schema: 'drydock/Region/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  # NEWSITE-CHANGEME: Replace with the site name
+  name: seaworthy
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    # NEWSITE-CHANGEME: Substitutions from deckhand SSH public keys into the
+    # list of authorized keys which MaaS will register for the build-in "ubuntu"
+    # account during the PXE process. Create a substitution rule for each SSH
+    # key that should have access to the "ubuntu" account (useful for trouble-
+    # shooting problems before UAM or UAM-lite is operational). SSH keys are
+    # stored as secrets in site/seaworthy/secrets.
+    - dest:
+        # Add/replace the first item in the list
+        path: .authorized_keys[0]
+      src:
+        schema: deckhand/PublicKey/v1
+        # This should match the "name" metadata of the SSH key which will be
+        # substituted, located in site/seaworthy/secrets folder.
+        name: airship_ssh_public_key
+        path: .
+    - dest:
+        path: .repositories.main_archive
+      src:
+        schema: pegleg/SoftwareVersions/v1
+        name: software-versions
+        path: .packages.repositories.main_archive
+    # Second key example
+    #- dest:
+    #    # Increment the list index
+    #    path: .authorized_keys[1]
+    #  src:
+    #    schema: deckhand/PublicKey/v1
+    #    # your ssh key
+    #    name: MY_USER_ssh_public_key
+    #    path: .
+data:
+  tag_definitions: []
+  # This is the list of SSH keys which MaaS will register for the built-in
+  # "ubuntu" account during the PXE process. This list is populated by
+  # substitution, so the same SSH keys do not need to be repeated in multiple
+  # manifests.
+  authorized_keys: []
+  repositories:
+    remove_unlisted: true
+...
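Review bot: `name: seaworthy` still carries the reference site's name, although the line above it is marked NEWSITE-CHANGEME and the file lives under site/intel-pod17. Unless other documents in this site refer to the Region by that name, it should read `name: intel-pod17`, and the two comments that point to `site/seaworthy/secrets` should point to `site/intel-pod17/secrets`. The substitution into `.authorized_keys[0]` registers `airship_ssh_public_key` for the built-in "ubuntu" account during the PXE process, so whoever holds the matching private key can log in to the nodes MaaS deploys. A comment such as `# NEWSITE-CHANGEME: must be a key generated for this site; do not reuse the reference key` above that `name:` line would make the requirement explicit.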
diff --git a/site/intel-pod17/secrets/certificates/certificates.yaml b/site/intel-pod17/secrets/certificates/certificates.yaml
new file mode 100644 (file)
index 0000000..eb4382a
--- /dev/null
@@ -0,0 +1,2525 @@
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDSDCCAjCgAwIBAgIUKYDWHOar6ZsQ9ppv2nhGUQcmXWAwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yNDA4MDMxNjIzMDBaMCoxEzARBgNVBAoTCkt1YmVy
+  bmV0ZXMxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+  DwAwggEKAoIBAQCpZGUxEqLrgHW4w3GA8Ix5pYUBvE/WinjcanDiTQOGDxaaqN24
+  wMTWoYQQ7Bal4HZ3T42//G61PJJFEobelfKs0EwRKacKBKvfj89xz2FaMQ6UvITV
+  wxwSQYCZgZqGMd8/wWWcR4h9LQHEGuPXEOJAhtH8lASKu2KEM8W9AZQCNwdsWDLf
+  2aG55tGm9U8IqlVho7YFcpSCsjOlxilnndAodJZPpnZ00stMWtfPp8ZgV9xJX1sS
+  /Yo/BmwcofVzmgAIy4qE6Qrd8CZuEJIGjG/VIigmsIrVixOu4+3aRDFkIugjOufi
+  yKUZ6cbaz/2un5bdgFqPqORB+f+ki4I+QD/TAgMBAAGjZjBkMA4GA1UdDwEB/wQE
+  AwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRKoDdKith5IO42xJ88
+  bx6fCL2bNjAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjANBgkqhkiG
+  9w0BAQsFAAOCAQEAc/cYd90vM8g3/I8eCdT+oKiImfHiaIZtaUnjedSGqtriLY9t
+  Arl4Lscfsu7yQA51E2BW9qESU8+Gi1E3NKznOmNs83n3pmAmmKUo8+M4vsvgz4HO
+  wb5XbHBh8nvQDkBBr8XkD48ElAl5rJMeClj7AEqVJ9ZXUltEW7EjjqJQ0KJpwfy0
+  k2WEQEwwyJ4Hi2UVDotabpIpfilCFdWz+uHGOWGi692PZA6tTP04Xx8uab9lWxDi
+  dkBIdqjf35ej34TdflW/pY+IpIT2J8cb1qvlO7TmoyOz4seGW7BXMI9Om72e8LP0
+  w/Cy9UelgAcNzMIGIIynHQpaFwl6csJJIrDXcA==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDUjCCAjqgAwIBAgIUXRyYMUbFIX9w+JjAKebJAXB2reMwDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTI0MDgwMzE2MjMwMFowLzETMBEGA1UEChMK
+  S3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1ldGNkMIIBIjANBgkqhkiG
+  9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqBEQbaKoG+0cD4/BYqufo9zgI26X2n1ragGH
+  X8fO0ONbOABevwt6sqaEA3qJSZ/9P5byD4kZjwpvTVSDl5ZDRY0cMWdquU7MBMwU
+  XDJoB2NRoaPW7oGx8AaiT7tcxyVGKUVCiM5C3BS3NU6U1tNQYWB90Y41GHXH2q0z
+  nWt8Pln4dRGC/4HhlLfWZbqG+uUdqmdT+FVdxgA3JdvQfbsO8GVkS7fv2LDOn0C0
+  F6E1rcnCVDEza7jqocNUWTukhiDTiETVRbT29H7RHKfMXsVsMYC6a/jQG/Y1dwus
+  HB0VAUbiKKU+55cDjHQ9Mg4Rv41gQUX1yK7eF7l1/4H+E+gtJwIDAQABo2YwZDAO
+  BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUSkqk
+  mO9ScQrpng9HFA/0CMmeq4MwHwYDVR0jBBgwFoAUSkqkmO9ScQrpng9HFA/0CMme
+  q4MwDQYJKoZIhvcNAQELBQADggEBADiOSywzguhl/dNGoYWd5g94reGU8hjBemYd
+  UPusRbTZOmCwAdrs2SDu4mufPwXSWAcj4Apn/SdofnxhgSK/DgRlDxOe46Y33sce
+  gRbYAPu1TWuac2U06lI7ATstspEULC9DAyipdgYDTl6dMhufDDSY+T3GoSR5V+Za
+  S5N899o7+zRxXjVJGw/2FuW6YxgW6Czy30I3RfP1GOoJiRL0pUrxc3GzekL6YlI8
+  SAoKvnUrRqJOzutepeWMbVSCxKw3KHZoeiJWTBAFqmSjaRE0R8Ts1IO/DNTERYg4
+  bmqZdWXaFDU9gw1hwe5S+Kv/EHJRYIB3CrFJ/yQ0OU5Wdm6kRb8=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDXDCCAkSgAwIBAgIUGnkMT14tcuVvsnecVFwV0PFkfpYwDQYJKoZIhvcNAQEL
+  BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l
+  dGNkLXBlZXIwHhcNMTkwODA1MTYyMzAwWhcNMjQwODAzMTYyMzAwWjA0MRMwEQYD
+  VQQKEwpLdWJlcm5ldGVzMR0wGwYDVQQDExRrdWJlcm5ldGVzLWV0Y2QtcGVlcjCC
+  ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL8PFbG7CoYtT8vJZMkZAV5
+  UNJx56cdlLVjJ6fZNOo198lQ5ysav/VpBRGDTXP57hwIQyowP+87W8fb4l8OnOrC
+  S8DQ6kU7qfuBgjTlQ1bWMDAW1pmsHCJmaW0edvSK7F0tt+ki+3AuTxYD7+If/z2X
+  TcLcruqfS7zggPI/5GNRcbzXcFH1ONnJlo92YY9QG3bgSnBqScq01u00gCCLfs8I
+  VTzT0ObsZCZVl/aVKv3dEbfSKKvv3E2TQeGH8RVBL/mVjACeWH1yD4N/yd4Ohzwn
+  NxuQ0+pGMCYHc75xESqUjoP5yyeKfT/Ywz47RQ05qko9BpTN7FqvF4UjnLS6zMsC
+  AwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYD
+  VR0OBBYEFIZCZKq3pZiIt7X1Y6CVvK6OCZjRMB8GA1UdIwQYMBaAFIZCZKq3pZiI
+  t7X1Y6CVvK6OCZjRMA0GCSqGSIb3DQEBCwUAA4IBAQAGdhNPduKFlI7gRumaZreG
+  Wnw0zddci9D54JweCV0Vm7inCTy/xLsXzdLwfR9RKp3fuAwSLTaBmrtlw7j69MY1
+  g3HlUTNR9B7YgM7iKyChf0Vvsa0vZSn1Voy3yi5JrFqPrGQo5YcIpakwB8FAW5g+
+  mah/D8FyHTBaqqNq1idrfscWCefnsjs2+FSVbyxIwPEHa/71ORnI+yo/5XsHNar7
+  VDdRSyWbwXXcUf3oXUwb0c71qR/EFIcw5HVO1LTEVKDgPQmTsghDiyxGs71smWk0
+  yH17RjNP2pQmkQw+1cz8tD5gpsyoQGJ3W/MFxE4n2Sz8wZd2wAHrZ6A8CwE45gDg
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDSjCCAjKgAwIBAgIUZkqKs5BY/wzgvv5l8YhQpbWvP7YwDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjQwODAzMTYyMzAwWjArMRMwEQYDVQQKEwpLdWJl
+  cm5ldGVzMRQwEgYDVQQDEwtjYWxpY28tZXRjZDCCASIwDQYJKoZIhvcNAQEBBQAD
+  ggEPADCCAQoCggEBALbKO5hAK05sYVaZz3jsF/DN8dJ3MH7e++C8zUOafkYDAFXC
+  32wOc5QWO3bs1RNfJcap/4OnRQl8++z9A20FCUH+PCeN+dElUIanFdiqfnQYQb73
+  pWQ/CxmWjLPLRt5+ZWvsxBwSJsnN8YT80GeUmxAXY6mLL6qSqlHih5YxlYvA88QZ
+  sWkqJA2jbQM+8+Lvcav5mruRCsxiZ4dOsU4DYNX/TNiDoackXL2U15ywQp0U4Gw8
+  sqExGuBMBHO/B3U126hHKCxPJwNxEEjoiSvNU7WVh3+AfXQzC/oUy/A9eMnQuVGH
+  e36x8Tz2vWPbPaJoAq1SbKbyhyEDCYnnwbkvEeECAwEAAaNmMGQwDgYDVR0PAQH/
+  BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFG/YDADw6yQQ8uH6
+  vaVmB9X8yo2MMB8GA1UdIwQYMBaAFG/YDADw6yQQ8uH6vaVmB9X8yo2MMA0GCSqG
+  SIb3DQEBCwUAA4IBAQCcw3UYZ1sD7Vx+neXZKiYgw7QqZL7eF1CQ4klL3HWb6lvP
+  AbcOGr7MoXyN2Df+uAoZ+GZZh+SrXFLacBXdYp+C4YaetZZ2tUGI39Ua+UvZ0LsD
+  /2h47hMK5DT0GK6MaKBX4+mZ/MfZu/qjfON5qH+FCs4N+dnCuwhCJgJM6AsoHOBw
+  kXrAbtsay7d6YyheJpVALNTrFCv+z9SBHINHDb6VXDHVAPobgsTu9gW/QrMTv1a3
+  935rCW2gG/5uREK1M+1qfDDYcIvXbKGt+6+aHelkesmFheheXbD9G162bU9sCe1J
+  Angeom5UY2YlSkjkexXBScmiX4dqoFdshuqP8vNr
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDVDCCAjygAwIBAgIUPGN7DgZ0kZUBtBPpGSojEKhC6AEwDQYJKoZIhvcNAQEL
+  BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt
+  cGVlcjAeFw0xOTA4MDUxNjIzMDBaFw0yNDA4MDMxNjIzMDBaMDAxEzARBgNVBAoT
+  Ckt1YmVybmV0ZXMxGTAXBgNVBAMTEGNhbGljby1ldGNkLXBlZXIwggEiMA0GCSqG
+  SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQa57iWnyX5JVRNyuhjx06VLrSiLCHOqvt
+  JdyDBNgmrfW71LG6G/mE1pIIBzZkZRFO2eF36tQyHpcxdY2P1zse09Xsnnb5u/7U
+  eFhQWi1jQ/TJafcEB+MKPZMbccpoaGpXc0uePlqkzcPH1AiBtCquLEzslCY0VYw+
+  a1bDT3xqIDn0jBssTTIpPLgradpC4T7uJJl6JMwBPh5n3858B9K4jVh+Q+3Ul6cM
+  0MdxNJlWH6lxybsdW0aMd/qyQh7GBUf4zs8fOnFfWQf23dCDml+xGoIvyJk04cGl
+  PfWj0vqT9KHM/hPIkW/nnqs5wbzS+1CPk5FJOUleIIZ5ZdA13MRbAgMBAAGjZjBk
+  MA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSv
+  APyGdVXJeVcR6Q7O3jk1ILVLhDAfBgNVHSMEGDAWgBSvAPyGdVXJeVcR6Q7O3jk1
+  ILVLhDANBgkqhkiG9w0BAQsFAAOCAQEAhW0xsLPrmKaXtpuc1hDNaift5UDnGLDT
+  vSZQd+fdV4l5rvnK85TOY3Z+Qij+p5fvX2uGi6Ge7OVUYiPDi+fmCoxn5fIfu3e7
+  QNLw9qMMwyauLFBeNWL1iEe9YBcCn0GDS637I62B2gIOU7AVvOkrwwvRMMFJXae/
+  uX9SPL7ohjnwWyPjp89KVhhaxEkoM/Jv0MaOU8gIKZqrgmnuR3qs7vYgnw3zMMJZ
+  Pg7fHZ1Jq4nDrvqMKjMBd2Gx+T+4pX7aJqvjTk3lddtWdSXLg96sFVoFSI5QDRpH
+  3tdkWPZ2hwHLasSIuDi2gKlMklEUUkePpU+KdlVceeuMvanRTNMSKw==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAqWRlMRKi64B1uMNxgPCMeaWFAbxP1op43Gpw4k0Dhg8Wmqjd
+  uMDE1qGEEOwWpeB2d0+Nv/xutTySRRKG3pXyrNBMESmnCgSr34/Pcc9hWjEOlLyE
+  1cMcEkGAmYGahjHfP8FlnEeIfS0BxBrj1xDiQIbR/JQEirtihDPFvQGUAjcHbFgy
+  39mhuebRpvVPCKpVYaO2BXKUgrIzpcYpZ53QKHSWT6Z2dNLLTFrXz6fGYFfcSV9b
+  Ev2KPwZsHKH1c5oACMuKhOkK3fAmbhCSBoxv1SIoJrCK1YsTruPt2kQxZCLoIzrn
+  4silGenG2s/9rp+W3YBaj6jkQfn/pIuCPkA/0wIDAQABAoIBAAy2y12Wj4Hrn2ph
+  yQgrhe+ve784mil5NT8eAiEKNMSAJ2suV44BcgTGFLqMbdq/cUTdRL9vPAQAat4i
+  WNsmGBPegocbQD1hQmFCUwiwzxbM7dI+IB5HSbkZD4T2FFoULjSD2JOVTupOUX6d
+  ohJHYyQCuoohtgGPtQJFPIdGMgzEY050cFUeniu8KIhl3Xa1BdLQWuHtNtOSPmbX
+  6+9SaN+6pR5VezmQXwwS0wDX8r3/fuSW5E1D3heg/ISj9Fh4H2tRWR3poAN47cBO
+  Mf4N6mQ5ObbBYKV80QQUs0f9RFpN2hlg4kJ6RzvAXae9AdG4bA58dSQFaPnga1p4
+  BY0mFXECgYEAxgOlYpzU6G7TxmlB93J0VI1n0jrHB+8FOe+6vhn02nwUd+Ixazfz
+  XMQrnka2evpjqoMl5qbkhEwD0n04JqY0y/WcCYjvm3SDfcc+hWfzpy4AOSnhWFqC
+  qhPdB89mVuw/gh0UH3SMiq6rAgQbVR1FKkYII6PFRn3yMd11S2gGbykCgYEA2v8Q
+  cztRk4ssopr+PUZ0orELJCeCjVEOjsIMu1U9iFLVlotMeSaD6H9yqymM0iQAvhP8
+  7y8K2VKOo/JYbRhqxyA1XLJYyDE4jVEbuhDwtqOCbLmDTCUV6uLPJEAGsH3qJKVa
+  KxXjv8IgQB+VZ1HmboWk4w4a1YqAlXkN/YdLopsCgYEAuaQ9b4BdUzRkM0YHZHfX
+  fFW+Giik5FlAaxrH1uX62sMtZV+YuU6RSE1aH19oQU9yFTAzXlTlNOsXQkXHWOTF
+  5tnzWjUZfoLzq/4aLXRRyFCmQPF0pSLmEZHhzSqyZZfDyrZ8YSkhgftTs+YpwdhZ
+  OdLCWrd1gisd34YiK3nxXlECgYEApOEww3E/w/Qe0PYcwImROwRMvRW6JyeF7FmR
+  OGG/CCpFgSizlOs4mQ2Lie6ohXZx0Ko/3tzuMB0GI81MYibmDbHkOzxTt7XHPC56
+  z6X9daS5h55MikHJtKS7DDHgV3UVmi2cK6A5bqB7o4uj8rwo38FjGUf/UBMNKHyR
+  2fXJLk0CgYBP4hiCgEGFZkmaVzOCbgH8zNBVb3vc8Yau8Yf/q27pEOnnU3dy6NJ9
+  zzp6cliLnAILmNfTNruTRWWgHs94MNReSSRe9yyEzyGdC4t5fyg2UcJTOVSjR3CL
+  HM76WBcoqsshKzn2NcY6kCLLiVNZC5sJOIbaLDlXmAriGWDrmDVR/w==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthorityKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAqBEQbaKoG+0cD4/BYqufo9zgI26X2n1ragGHX8fO0ONbOABe
+  vwt6sqaEA3qJSZ/9P5byD4kZjwpvTVSDl5ZDRY0cMWdquU7MBMwUXDJoB2NRoaPW
+  7oGx8AaiT7tcxyVGKUVCiM5C3BS3NU6U1tNQYWB90Y41GHXH2q0znWt8Pln4dRGC
+  /4HhlLfWZbqG+uUdqmdT+FVdxgA3JdvQfbsO8GVkS7fv2LDOn0C0F6E1rcnCVDEz
+  a7jqocNUWTukhiDTiETVRbT29H7RHKfMXsVsMYC6a/jQG/Y1dwusHB0VAUbiKKU+
+  55cDjHQ9Mg4Rv41gQUX1yK7eF7l1/4H+E+gtJwIDAQABAoIBAFW1jhk7UFwdiaft
+  +gNl3t3kMHIhXlPQjkzbRrxz22bv638dwTPQmNwuyzgy73yamL4rLnr5wg0Ol0Bq
+  j0lpGhmIIw6W3Phv1N/Fa8Sw+Bh8cA7szRmJDsOHvpLGzEPLIIK/jXTTK4mtDtmi
+  n4kG7wEaAlAyI6W7uxYsKhxnyk7JI5XzFM24seF8VAtFRxkD46DZ1JNkoR4RMRMc
+  aArRNOEhc+3clMEs9QPpUqGXdJEYuJsOaMY5vZdpgWdmF4Mv9/6NTYEpTJVDXnux
+  YXwHqN98aS7OAMHxBQRi0PFGsqyfXK8wxWsn3HsSOOoZPdHPi6BFPmio+XmTRJfr
+  t4813EECgYEAyAniEezx0HzajgCIwuRtxc0Bl2/FkklvA+8lfhW+1GePSnmsx31z
+  3jyo7kdR8R9K+fTb3UX82CE0hBntgsv8sbjSd7ZTW5tM0mtzGH7l6eZYI25fDUim
+  fjGwu1iF+oIHbNzL8Wkx41VVdZ22abKrNXm9cKMUjvilBDzpQ1kgXfcCgYEA1xV0
+  JIv00xRazAlkLcXlChlA/W6GamNJvgjR132PfrPdlXen9fU6t1w3q7+oLfTdKrlD
+  0AXCanTcYkdd8xXkYS6dhPUn/jrZJSqBNpkipXUzN1vKJIBb/p4CTvYdqw4B+Nal
+  OlhgzwA17VbF7M91SD1gq2ZYvdwszPooOpO0nlECgYEAxqix//VdbR0he9bh+xMa
+  RU9EHl3dS1tsSe7tQBteadjzABZ4VaGsOW/qoMDpitn1/uiClWyVHxtS6UJKkxP8
+  P496TXMfs6E2mN4m7pPPxwuASqeo9CtLVZYJmvTeEZuiviVE0NoUtl0fwu++oZfT
+  2gat8Te0Cgy67MuFKOJRd58CgYBD0DDRQQtM7fL+t8tNH0LqnzG9dfaNXoamkvNO
+  ZPk0MpOfh51+T/ZWT44B6ail7Lk6ujTmRpqYpAXEOsolVXavKVpizETyxC0oqbEZ
+  vMiOsFgYkSk3vvzCV6FUsgaCoyT+BvcLYUgMm/1kumInGvXYc/mhsOAz5FJ/wjOi
+  3GUrMQKBgQC7tv2DEH81u6tU2ZB/3E3QQtUmctEqARvaV5ZO/fHCGOq16X3OGi/S
+  IgysS3v8zInt3zTydTjeGp2SFcs8FnKEDu9jGLBIm7zsSfiJUbdevnaM2Wj9Eqn9
+  hRDMoo+tSmEhnN9O8K52eA5syOQ0N++CYTxHN1FaPV+uhMyN0JEQFA==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthorityKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAovw8VsbsKhi1Py8lkyRkBXlQ0nHnpx2UtWMnp9k06jX3yVDn
+  Kxq/9WkFEYNNc/nuHAhDKjA/7ztbx9viXw6c6sJLwNDqRTup+4GCNOVDVtYwMBbW
+  mawcImZpbR529IrsXS236SL7cC5PFgPv4h//PZdNwtyu6p9LvOCA8j/kY1FxvNdw
+  UfU42cmWj3Zhj1AbduBKcGpJyrTW7TSAIIt+zwhVPNPQ5uxkJlWX9pUq/d0Rt9Io
+  q+/cTZNB4YfxFUEv+ZWMAJ5YfXIPg3/J3g6HPCc3G5DT6kYwJgdzvnERKpSOg/nL
+  J4p9P9jDPjtFDTmqSj0GlM3sWq8XhSOctLrMywIDAQABAoIBAC0FTcmOozexoYc1
+  h8SQXcyhSTEIY7vm0OgV3qNfvV0g0TRb0681cWbhvpOq2F8734kAw0TJFTAJDn4z
+  f+FQEQpL5074pm2/YGHn0Ua5OZOoEKGH/XlvcEoUTfTlYGiGY2oNseqFTj0bnZ7w
+  MXgd7Ixf2gwEl5CZtfsTbKr9+SFxsgamsbPD0btDHctWV8S61OPE8O5qiFFrfuQK
+  rYhA0VmsubAG7TurKwQK1pxgfhMP9WNx9ZQIEqYvISZY8SPD7ZO53lSgW+6xMeWb
+  z5Y6oI/7ZPsEnekOTZy11hSvAFsT/zP10OvYOJ4S/w0LiDuCoTYr1HrgmFNYZkKV
+  I1o8vrECgYEAyyLikrjmSMFz7bqjc7FYXZJagOyGfp7Db+sACPYpHSnAZb3i4Alr
+  ffwZk0oIHB/vthT9ELEVum74BHd622O58fcla5CFnKJiYo0KdnssMWNBB88pGTcQ
+  bJsZXj9P3urs+McrXwQe3iEiesR6a3ZY0EY7uxmWBi0Behu7ek6KctMCgYEAzWZ1
+  NQNPCItR1y4cNTkZllhXnruSW44WFJ0hBvgtf6Hi0fGsze2FGn+8HXXvkvsy/1u9
+  OQrZz8Ly+2G8FzJTiWp0gnyWeGpEthnNMm+8TFXv6h0F/FH/6x+/KoRyFX+N3z6f
+  i7FBchcCr9HUzKZEGWZX1JXcCMwULFaQnzDcUykCgYAPio23F/pWWqaZ64uR0GGo
+  VwghkPcBPPhK2bnY9axTlNwpbIutBEt7CgyS3jkcnbzjO1vZKRM2fkLvZIy7uDeD
+  sZrlTdtLDolkbNH+GpJY/PT+ufS0/yd8h6k7MrDTpzmWFvbUgCY0bGiM5/dNvXIy
+  DQ2I1P5LXqocQ37mbpfdDQKBgEN1ZwEmOQrBVvuo9TK1siWilgRX7lWLcM0MXhB/
+  6dGFRY1WJj7rx09QrGOwnCJVxgYAB0F4wthtWogdLT0hFjaHdAR3DqQ1oqN8DdyG
+  vf0ELGtjZNfdxoNeRdac8SsGXX34f0XNzYS+8e70p0MfSDZfWnFDVqS9AdMeCxl9
+  Xp8hAoGAd9DwL85VnZxfy/Ri4LegqZ9ZkB2pvjhcvaFdlHshpq+VI+pIu82oAiAk
+  EV/EFH1mn/7dlF7kL8JPS2dJSoVtRdfMIMuU+xbEg0PhjmwZAQ9e8S5H4NSKBAFR
+  4W0KcgMpttk1CqAd6JXuD7P93cA6zn9k7XqNo453w4y5t8hhaFk=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthorityKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAtso7mEArTmxhVpnPeOwX8M3x0ncwft774LzNQ5p+RgMAVcLf
+  bA5zlBY7duzVE18lxqn/g6dFCXz77P0DbQUJQf48J4350SVQhqcV2Kp+dBhBvvel
+  ZD8LGZaMs8tG3n5la+zEHBImyc3xhPzQZ5SbEBdjqYsvqpKqUeKHljGVi8DzxBmx
+  aSokDaNtAz7z4u9xq/mau5EKzGJnh06xTgNg1f9M2IOhpyRcvZTXnLBCnRTgbDyy
+  oTEa4EwEc78HdTXbqEcoLE8nA3EQSOiJK81TtZWHf4B9dDML+hTL8D14ydC5UYd7
+  frHxPPa9Y9s9omgCrVJspvKHIQMJiefBuS8R4QIDAQABAoIBABFsb4fQvhAIprKh
+  kLQ/FP0gNGfScq31RV8jwBEsndLAoHyMSc28BupbwClS4/CnxisMs01yWVNRNZZe
+  e8AdlcdTm5pNnz1/aBCdxqhTgCBC26l/Y6WNmNpEjn7o5oV42OQTupHObSIZXmdF
+  zfvBn5JGGHrlyJJizpdll3UKnu2mOnEmv9Ckf8B/w9d6PNTCxnyHk1Tt3iFmM4cA
+  ip1uO/QQkuyuFlc/JYPwoKW6IBiVahs08yz6m6nFO1WvAEbzVva9WOFKk4l/AWCk
+  kAHiHOTNS/VQGGUjWQpcWT6Kf0FJKAzfHG4yxYeM/ciTsLNUxF0rKHMOeuU50dwG
+  7P5l/p0CgYEA6+bLlG78gmLxweSpXzvxKOdxshOpS6xos3VCDBvZl5mIbMXv92NJ
+  C4eKCnj8TCURAB9FM02Ec5pyWO+swHWR2ZuFsNFwLBNU7OHd/Ee/7t23zxAnUO2l
+  CiufyYAc0QOPSG5QpZdvvrEh7fBNpShz/XxNri5FP8mZFDmPVL7nzucCgYEAxl0H
+  6pjhMDGzaqYE0+zMPOl99NjeJ6cx2TsRNbEAYYEf6reE/ld3S6zgm/MHSBy7hM7+
+  M83ieXEriwXCH2oKIgK+cwajm5NEy5j09+lVcgBOIzP3cwrEAs1LL3qrgLrOMT63
+  FuznzrTfH6AUHtkMQHNiW3Sp65mblMWjVe8M5/cCgYAfgMLPH8M45l3CtvancSnT
+  fJUCYv3IzU1uKcqYM1/rjuVZIVXag7fNglw86ctHn+uVSJfFMiTuC0IZ/mfji8/e
+  b5Z69n00ZaCBwegTOMG49IMHc/DMLfBMW2cLUcCHaSJJWfILKx4RKTaOv/iehbh3
+  sZHuIN++lP2MZeNuPdBXIQKBgHjqSqIRcOtc0H5JFxZL+S+EMRhoffrz6un9HH97
+  Fr1Y5ajBF5umm3yQtBW77gtiIFhTiRbxAIWAm8dRykQ18llLDOa2/FIgUkY9Rc48
+  +K3WS8sfqU4CGPuQQq19fD+rH3dbQGYEIUWacYwomzs2mUZMT39qPQ31g6YLV4ZR
+  gq9/AoGAJck7HiHVlC7iDQt8ODD01kYLZNf7TVEa7NFKfJTUXqPNTF2XBaHtdMmc
+  647rhCDPr4yYsm6iV81KdLpRwo4c6wLKYklzbk4kjE9Q/LGD+5VK8h5u1V/mwnT6
+  F2shi9uzLjSc/d6b6z5bP1WS20X5PqMl4JG4PDpYqH81/NmzxDM=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthorityKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA0Gue4lp8l+SVUTcroY8dOlS60oiwhzqr7SXcgwTYJq31u9Sx
+  uhv5hNaSCAc2ZGURTtnhd+rUMh6XMXWNj9c7HtPV7J52+bv+1HhYUFotY0P0yWn3
+  BAfjCj2TG3HKaGhqV3NLnj5apM3Dx9QIgbQqrixM7JQmNFWMPmtWw098aiA59Iwb
+  LE0yKTy4K2naQuE+7iSZeiTMAT4eZ9/OfAfSuI1YfkPt1JenDNDHcTSZVh+pccm7
+  HVtGjHf6skIexgVH+M7PHzpxX1kH9t3Qg5pfsRqCL8iZNOHBpT31o9L6k/ShzP4T
+  yJFv556rOcG80vtQj5ORSTlJXiCGeWXQNdzEWwIDAQABAoIBAGwuQFUbRKqOslZq
+  fZIpN7GMQ0B+RKqccJryWQgEnrFNAEzTdMC2PoiN21ShccEgmKBGBXr5/9RX/oBk
+  lOsBe6VfrR1Zj0XHJ9le8fAbLo3kuw1EnDuSYG1zUoUfRkF1WSU1Kh3kHaaHS0TQ
+  sO2p97FaOz9dEot9kALiMjHEcz6dtSLYbKNTJBPvAxsZll8EZFpuHyOMGwDY6p3k
+  oafELM+NMAyxVqjZn0pBL1svp9SU8UEyICNC7/Bu9H81mAyXzh7HweNC6LPiydsd
+  7LxvQiiuXz83u1+vcmeElKR+RkfEaWgHWv3uxw0LVQqJQnreU2epewkdefVUwDwB
+  vgFL5okCgYEA1nK3XfZVVJVwMWk120nRZ5OxEmDYeVOnYWIrZ4bU3uJjVHMv77Yi
+  WCAA3A+OMqEvwmlrAxcvfS9ZCi2FIr0Gu2UO0L4pYri5xQLgtXwBMhEitvgke1ID
+  byTJ7OM9mEaCOgCYBr5xw+Ivuh5KD5QXpvlXLR9d9EmZ7Gh0kIsAT60CgYEA+M3p
+  PiwWtcvTo0mZcC07QP/t4B1cMqv+df02weE0ZKAjM1fGzpP6BaYTNY8Y6U4bvZhu
+  PeMvCUD0AZfMzS3VXvW0agiPGsa3HqpE4uaTaqiJITNzD2N/iTqCjrc+rNgBAfcv
+  Cc0lJpfCWwBu3yHZawDvd2MV4Z+E6W0MiV+TRScCgYEAnMUEM9avDsSoXhbR3lua
+  kCOyIQNXfWqgRFrl7CrvV3kcsFH8yzrU5KOQvU9J3s1jArbaGkpK1zNT3lLkrz6M
+  u1XnfMZnrtnoRJQT/diHbziDrkq9MMIF7KxySZDeKIHzFb/1Y4i51j92MJOQBM94
+  cwJ4rm3t23Yq5l5+SGS1d4kCgYEAnZ1sLeumM2K9XsroPg0ZZXL8Eabn2l3k5IAV
+  qTrugvSDeCoaEpHhqKRttNdDE8Fch35CEEiUaotQSJYOsshfTDnhIe7sIS1TokSB
+  QTCKoN3FiVfbgxsoFxoOzTQ+qyZndQRPMylXaJxpDlc25Xm/Dy9XhE0r9nOksm9X
+  qsr2M68CgYArF+luAV8WEg1dsJgoxmPCAaSKKTMxBww+8v5vrV4kPZymiEHV71WY
+  PB9CF8SXuktUQuvVmkrE1snyyi9wthX6MEjSFgQviBS31BjbZxYYh3RzkbQXkm5u
+  eIvo+HBgEQeothVECvxWlG1SakjIkPNWzRUdJenVGESe4SO86/j6vw==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthorityKey/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIID8jCCAtqgAwIBAgIUJKkGA1FUkVoSQ/B44+qGdnlPXNkwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMBQxEjAQBgNVBAMTCWFwaXNl
+  cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK8A3Rr6WMB6VdM+
+  q8UwAdEArvznVCwlTtj+7ApI1ItuGyu0LxOYendUr99L+/Xob0WSGp8+sY4IYkOZ
+  qiGu9qIHmTJ04fY+xplmcIBhzqekEstGdCCnH8G42MJQKlpb5WZXLnkbLiLv0ze9
+  MsLCaISYAnxPBcEryHvWpSJ1X/iFaU8jU771PyXYC95C1/Dy5d6C44pg+/0H7c88
+  dBSt502xRnmCDyrPMxkwY2MmhiZCSwNV9Jq5C/REAYG70RjOBEATLC0sqhaH2128
+  TYiXg/kwRcT9pWz9jr0jyLRhN6HR0f0DGkXs/tski6Yj+9foJQiC0S2TgjMcaTB+
+  UVdzwlUCAwEAAaOCASQwggEgMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
+  BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUVluFZ3v8
+  cr998QFxiMewu7XN42UwHwYDVR0jBBgwFoAUSqA3SorYeSDuNsSfPG8enwi9mzYw
+  gaAGA1UdEQSBmDCBlYIJbG9jYWxob3N0ggprdWJlcm5ldGVzghJrdWJlcm5ldGVz
+  LmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVm
+  YXVsdC5zdmMuY2x1c3RlcoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVy
+  LmxvY2FshwR/AAABhwQKYAABMA0GCSqGSIb3DQEBCwUAA4IBAQBmgxaxacnu5/xc
+  isA4UmydL7jvM/5JGrU0rqcyOZYdOK8Auz1iTdCpeRAwd477Y+IcKrSDvWQmA3yv
+  neOME5/ffNFek3iPx8vBf+rwwbD+tC/YHky5pllR4WlEa90+KXKBiOYVoz8RGLIr
+  dilJtU51NY+EnKIllCVzRtxeky/5kOV1oraWEk5vPhOpyYfJ+Yx9VVQXvSs6LzdR
+  QMkSmzPVeA1AXHauWyx6Cp61TtnuekCEbPAxrBPbJb+GkW2tFbYIAZBJfR5IiMJA
+  pBQI4JDeD6jkDLBp58gW3XJCYr0zcfQVaQVHsopOZKH5PoFIf+vAKcQAK/SmCSS+
+  tbq3nLaW
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: apiserver
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDjjCCAnagAwIBAgIUatMa/27XHBWZivkFr9aiuvo2liUwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDgxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEfMB0GA1UEAxMWc3lzdGVtOm5vZGU6cG9kMTctanVtcDCCASIwDQYJ
+  KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJhsnUwfqTp20kHzpc+aMZeivyVKYWIE
+  4Y0PoKVWbUuQZQjktGHHzO88ZzeohszvUVZy3bdGwPI4HwPjfa8LB/f6nDx1aqEr
+  dssV50tQydl1t0gQtKUuUDGk5FWIGcluX7MXktFZoJe2rtODpLQ/9nTO3wqqvKfr
+  u/tAmP8fhIw0T3fv+er02NDRvxhbyJpCd9R+gpm0gw9dduN3s2PlqiTPpEdQSQZz
+  QlV1yF6lrJ7R0hPns7xbcGSj+6karLzX3r+lT08QRgW7+10k5PpHoaEbwZoQ1xdR
+  CvZt0+G5xkAOoqB3BWBbfAFv9dwb38h/+VOo4cZeBVjbyo0ihBReDUsCAwEAAaOB
+  nTCBmjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+  BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFPUBkcdySUw3bF1vawtgT9ba/8m
+  MB8GA1UdIwQYMBaAFEqgN0qK2Hkg7jbEnzxvHp8IvZs2MBsGA1UdEQQUMBKCCnBv
+  ZDE3LWp1bXCHBAoKrBQwDQYJKoZIhvcNAQELBQADggEBAKMoJGGPPlFd3X3F2lHI
+  LMReBe0j2VyuVykPSCbpaujcnTFZse+EVaFMFLWO1VhD45qji9bWg8BkHpw7TJZI
+  hz+xw0HdFRYLSwLQRNoi5tGD/6fHsWhyyxJ1bYHJl1GbYcd4hpIAkRIYj7tiLDD1
+  21027+1jls+MARdGd8y1hZB9YQCK6IzBoz8n+LNRe2YolAYykIYIRLAQt/x6LCP8
+  plhpVBAUxxecnulDJUHZLnSe1t7+S+dIyFucvgCT1eOATWh8TYIrxK5e97fkN5vt
+  1sYa65trF/dLAbL56GhHL7JOI8BNsBbjOPKbEpYNS/aFPSosw/8MyxeR08vSOwZB
+  q1k=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-genesis
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDjjCCAnagAwIBAgIUOASPsyDJETFZ5lCi6z/UkwzZ2WYwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDgxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEfMB0GA1UEAxMWc3lzdGVtOm5vZGU6cG9kMTctanVtcDCCASIwDQYJ
+  KoZIhvcNAQEBBQADggEPADCCAQoCggEBANja6HreKd9S1RYKWRMrJDL/EDA5yX9s
+  var2MOB/75ZXayQ1jzCnvol3hsopPXPBy8fikvU7Fu+MluFxSFBkbwHSmt/FrkAK
+  avaSzBHzhysm3SmySCu+6xkDjVcYrNKHVZNkuiRDcTRwsJC/mWQH9azayOKclaE7
+  15OwIlSp30j3Mhd0POys6oQ/486KKBOQPeOZRxgp05iifGz+oTzqYl2ihlnvLtg9
+  tfqqP5DIJ9CnoJRRUIRZ9SHFH6uYsSZXuHzWVOZnSnqgWB6zy9rx3BZqND6fZQ6f
+  1wp6Xa7OEFVCZy1EBQ+8ZtZsrCNAggrlzUGe56+Pd4ranIfMl8OhNkUCAwEAAaOB
+  nTCBmjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+  BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKAoSxgiR2V5RhhoQM7qQtEi7zow
+  MB8GA1UdIwQYMBaAFEqgN0qK2Hkg7jbEnzxvHp8IvZs2MBsGA1UdEQQUMBKCCnBv
+  ZDE3LWp1bXCHBAoKrBQwDQYJKoZIhvcNAQELBQADggEBAEtbZOsFzGN9ot4MWlZL
+  R2MVrmVQpwHY3SCofpVxUMlkZg3FFSDydRTIiQXaxfa3Zczl2dviNkAIUJs7nd7p
+  YBhgGI9ezHhvS7t5pO5nG4Hyk1myw8WPV+Q/mU+i5DoES/apAw+9Zsqfw2xSnysi
+  QH1GTe5Tse7pqat5dMeAl5u2dGu3p9qe2Rd+q08Ts386njSxZuCEbmvglWSxUjva
+  hp+2deeqgTd9FaWlFvToiEDlZJ2s8d7l9Be3P0UbxuKwhHXBwkFjW8/KL8QIrJ7S
+  yCEGTmFajwa1HFsws+6Jxgo1BBLj9n4O7Y7oinNyw3ygDkn1jlkgcz/rPrAEe1Yi
+  DmI=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkDCCAnigAwIBAgIUeZ/tqTn4wiSSReN5fEEcMBZBP9MwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDkxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEgMB4GA1UEAxMXc3lzdGVtOm5vZGU6cG9kMTctbm9kZTEwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr7ZsgQOHGrJ7AwWv5JdUgl01JQvxd
+  LsHZ5HiXlUZOkHHBKbQV2snRc93MG0bNnsn7QPP5hT8ScveVcwkZOusH/hQggUrX
+  95Ua3Fic9nybeNorHhsWpRApBz58XU6l9GWQm+mmb2yCvW9rb2SvbRdIZixWSMUP
+  ltdlG8K0dH5yZJPaAEFpVtX6wSSH2zPxgI8ZCeK10c4egECpKXCKyNBHMAH7HDsU
+  wnYAizKHPlax2qCIzBhcCfhBJwX9/SubDRv/vSsyFCNRj0IG7IGx00GQd49tf9TY
+  ofIP5tFtMNxmCCXm+1N6gg8oaWRhav1e1CrayXWfKNZbP4SmXm1dssZbAgMBAAGj
+  gZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+  BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHeh4XFT8hjpRNLiPGcXEm7SO/
+  szAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjAcBgNVHREEFTATggtw
+  b2QxNy1ub2RlMYcECgqsFTANBgkqhkiG9w0BAQsFAAOCAQEARB6DNhJTNe+cZxSd
+  Vt5ja8fYl3IjAApy97ZUKhQOFY3WPVAru+uv9OQ8VFDQzD3jsZ86pnvT6gOnH2z3
+  QuO9IKyb/Mzd2StwMAej25QN+PNE7jYvsW021cBrMmhKsGw5t9WAUu81pY9zhzpf
+  AywQXZz68GSyn160lz9C80UKLaDEdy+xrivh5Jn/XkzJkdI0X97nA/N0JPrllmjM
+  Duw/JQQb7FQcAkTa5ZvfjapOHR9hSblDJc3xTcYhav6yZ4qMCz1BCvpFXFrvAwJE
+  M/QMQOfw7DvyJj2B3JqsuQGVK1J5Ph6gEy5qAlj6zC0cb/C3j8pih53PHQi6nlbu
+  py8GrQ==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkDCCAnigAwIBAgIUZEh0TD3e+gQCjtZMnO9BgJRelIMwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDkxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEgMB4GA1UEAxMXc3lzdGVtOm5vZGU6cG9kMTctbm9kZTIwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcgX/YKhGzS9xYf6eMgXWxjQZ9igUh
+  IY4eW8U5kFOmslRKQLHvHTqeK3vvsYzlWSeE3bvSyM51xiYJR+kJ+0iuHKzArT76
+  x+17sp6Whg3nOIgEpwrkKW08GOJfhD4b5owY90JqrYZwyggLiIn1HusAwxGkFfOX
+  HA9xvOYpkB/PIgwBV4R9YeG6tRQCDoQC64Uj/AVwtocX5LgWUZ3HWfsmk6GTjRvz
+  1LnMUhi94R9SL02jCcPlKF7i9FkAILd1D0I2xoEr86n/evvHtN1130A7kT+ZnP2x
+  j3QMyYh77iHMDLYKeicPR4WqAp05tLIUwv7IR8+cNfckdzOcJTuvPSAZAgMBAAGj
+  gZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+  BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT9O6b1bnmbT9dm+4+NcFUZ5EXf
+  FDAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjAcBgNVHREEFTATggtw
+  b2QxNy1ub2RlMocECgqsFjANBgkqhkiG9w0BAQsFAAOCAQEAd/4jX1X1PqLQr7iX
+  tS5L7bE/QJD5z5wKERFkVks2MMZ3xC7OoqNiguZBteNzYqZ2vcCktMv1QiAb08kb
+  jn2DBOxg8F6RuLqGGJ+4hdbHV4ewlZviH7R0MdH/BANbqVoAOtujB+9tq3nkeGHA
+  E/75SkDwXaxEKrypwbpelUdh+SnxI6IosxPLNbyHesXpP5WeGFajitUYvqPzi6XN
+  WD7tOfPIarnzryPB+3J+Om0djawNCVMecHgVRZwCRUTNUfq734+2bp18hGLP8UuS
+  WZljv4KM6EA4ZaeNCQ/heytZE6jiYSJJ6ZQEKr/6O1PKe3SoOhO9N+zqDfS4ALQq
+  GsbDmA==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkDCCAnigAwIBAgIUdIZhQJbEXfJPmo7+MBg40oe7dZkwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDkxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEgMB4GA1UEAxMXc3lzdGVtOm5vZGU6cG9kMTctbm9kZTMwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVPYu1B0MjSdlhS1F99ovPC15owcEW
+  7cbA9mDWix93nthaE1UZo98kVOAr7wY4C42YS0MHZlT5AOrPrwJpHwwC1W1zgDc5
+  +OlKnd3Tum+e2vvFW9PhFoSkZ4ZwliTIOyYIoaD5xAKcmOaFSbItg3mPbBTrXw6U
+  FHGbJypN9NvE/H8aMeRrQJ+DA6MqMKh0lmXHEptdYrVGTaxwT4AxsaDYpGgY1WHr
+  07Bcgd1no4coWnHYN9Vg/f80tE+uNebeRDgvH+gC4OEjD3+kV/CCfjkFYHLlU2so
+  YTu8WEfpG8HCxZrrpvB7EdX8kyaqANjeQhEgzycfHaDJyyf8Zrw0C3uhAgMBAAGj
+  gZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+  BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDsLIMg506lEk+MFaD2Ie5YRdN
+  XzAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjAcBgNVHREEFTATggtw
+  b2QxNy1ub2RlM4cECgqsFzANBgkqhkiG9w0BAQsFAAOCAQEAWiPWzQNzOZvjVvHH
+  TQ1zW3rHKv1lKZ8gHb7s9aiUeuq/7PKUZpUBzOxYdxZLEiKp1ZRHfuO3BlUDFC/R
+  V7L6N4eco3bfvYpAd8NUrKX6ruyydvHqbKWF0Xo8MfcUZu9EIrHh2l/CmrCZ5eUP
+  kJlSD+mNvsmaAL6teOpnyj9RVEvk/mTbyCj4e9e7MpPNE/0kB7cFtrUdIHJc9bsy
+  WZJc/ISngSmnVoWMfaqxGX99iFW032aWuLWUrSTKOkvtZqIPDDMUAsFgwUKWmtOP
+  R1tOBXJrj4C/wdO/fgDEgO5F8O/KfG0jtwcTPi4kmR1FgzJUdv+cDbI5gylFhtS4
+  mixiFw==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node3
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkDCCAnigAwIBAgIUKFO+qu84cEUT6dxT+eXiHyC91AowDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDkxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEgMB4GA1UEAxMXc3lzdGVtOm5vZGU6cG9kMTctbm9kZTQwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBib5O3QeE2WVARl8aGz0ll4AsyD2o
+  JNiNCccEM7nRsAT6ShXqPjWmO4OGPhNUe52DSmXcU/2GblCzeZ4iIPpYncDqC1e9
+  G68iBvArw6dwr1ENM+7eQ3DIWRt1zExgTRfbaw+aCPFEJMNqaYxVYky48WY39aa1
+  q/nfUuac8WHLtNz8fpaNfdfCmfk9fPyHiggSCCD4hZ4+kvwBd4QG2KFkrmpMH3hZ
+  DYcwxZkbeYopyqHVc+QeoQ3azWDRfYgKX2zWSgleCRJtkWt5miXELGsLgCiIykUs
+  fVM3OOBoEVTZnF4xz5Xkzf54xABInKcZjkgw8kMRiJPHRRrUdsjgVp3RAgMBAAGj
+  gZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+  BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGvOFfJ0ZcijahG5L1R+uzmmEj
+  qTAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjAcBgNVHREEFTATggtw
+  b2QxNy1ub2RlNIcECgqsGDANBgkqhkiG9w0BAQsFAAOCAQEAN9WXZk1uwjwhVN0X
+  EExOpYSTBs87AAmW9SM0xp+eTLB3M91jUro5Bq9hqPC+e5eQqWzJcPwdpXUHlUCG
+  0Q1q8B5ldBn4HFyhKU994ZX+nMudIV0ZX3L4eC/Q6GDrGblpDCxeoqX+sRBPpitQ
+  GH//wS1/oB9ggXqHqYlkcWqUwzJCfZ3UZs04/o3X8+TQXaGcHhA8IK1ftyvGj3RU
+  likT/E54fmkCHvE14QKBSlipd2xQJDlUYs/be/yDHN7OwVoHWj+90GBTDWphAlON
+  QnJuHAx2OlM6c8Q4NRhvnjE1id41pctLZaUNjOf+MKbYS8r4Hhf5E8esCjHpG8j0
+  Tz1sfg==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node4
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkDCCAnigAwIBAgIUXfIj3ULerEYZxEkv17nlBfVO5FAwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMDkxFTATBgNVBAoTDHN5c3Rl
+  bTpub2RlczEgMB4GA1UEAxMXc3lzdGVtOm5vZGU6cG9kMTctbm9kZTUwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbzwDTSIQhMJQvYbNVKvjpMf2NBGV
+  QXSC1CUlQlK43pIG0GC9EOLrHzKMDZMi35848NTEj4YtuSuesQHIHiSaKaLSNVpo
+  3uj2Kf8JajsNucfE+SyOeKANtfMZXveIdp4qhrbUsyoIg4vBaqDpftFv+bjBOYbW
+  9T8NzwUJG0GjphfgLIGZZib8BpbadwrcFENGXR3BFyS3KVN6XJznlUPX+p9Rfib+
+  YbzZCGVUYLgO0SrbPAyYmWLJC0Hj0KF3q0sjrQpyYMhnRFfz2B+kY90Dir5dC1ZX
+  uVmVHI1IS3FuprlizzygnVrRLJDFHPIM4LeXSY1wQmtuc8Wb4enC0WhDAgMBAAGj
+  gZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+  BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTwn3d4InIiDPBmY9i/1Kje+vUv
+  2DAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88bx6fCL2bNjAcBgNVHREEFTATggtw
+  b2QxNy1ub2RlNYcECgqsGTANBgkqhkiG9w0BAQsFAAOCAQEAK2gKG8ShPRiTdplU
+  6G7q3uopwfmfKaiQVYEKQQ9OLNtlaUOF9MAtsdgxmt1g54hyEkuLMZrZRohqInbE
+  O9waS6KvFYdxUPUHRgNh2DpUXunWPORwcf7VNwU0c4MHd12UK0UBAwuzDekTp7eh
+  8aFvS9Ig8iCP7c+W/x7HnKqNaEHtVEkbn8sdE6EzvPNwErjlGn6CuGwSf90EL92c
+  b5DgA/RZi6pxXIDM19n3O3MpeM8r7HT4ScUO3NWJDxIepWXnWGZ5hHsYqPoFxkU3
+  If0UfjkJh2n4xfyFyn+S6EoWl1Eldf7vSa78eb4HjcAJddCqHVpULTsSNxZyBVEJ
+  0O/wBw==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node5
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDVzCCAj+gAwIBAgIUVkBkvmk1zxhXmntTkCrIzW5QNdgwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCAxHjAcBgNVBAMTFXN5c3Rl
+  bTprdWJlLXNjaGVkdWxlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+  AN+kUGrLcFeX+HP1Dg039vHOp8yIypTn5aLWycD3o0kmgUpMQEwWZMn8BuxUq+fe
+  BirCJz62pPBs0Shuw5ugP8vp+4h2Me3DIggQDaWYYfZrhMSGbiH6W9F6QhWwWCjf
+  9JPCa0xI+vVRv19p6Z6Q2PGCL9op1q2kpEqB91ALI3trMmYc2O4zIE8JWEBUeQEC
+  gt6GLP6ts0v0b1eU14cjszHz1rZK90xOZ8a6dbVj7C6wF/RkjbT+hAvG1nZjFhJt
+  W9csKDiRQyYLkd786u5gqKvEppUrVqN4daZHMuBSoHG+o/C5NX2I5hTCKuJLt0QE
+  0NWQeW6N/XyLUQHkxKqWPoECAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
+  BBTKVr0D3u4EXt670HQwXkvHK80IfTAfBgNVHSMEGDAWgBRKoDdKith5IO42xJ88
+  bx6fCL2bNjANBgkqhkiG9w0BAQsFAAOCAQEAhrLFJ5mYiSMxNE9qKmPD7I3Ck39j
+  H7ELOVQ55WcKosSw0bxxN6uFdtPe46YL/IBWLrOUtxojni0MOTe2eRT/WxOri0tX
+  UcUrb8aEbHySUxTljRntKKKUUBY0SFgSUWGv6s/XbBTugl+SKk59zTXFApLXkHXR
+  FWuT1cyzDGyCINQTNU6sW4I1P6RptwUiHLsHvsvQzRGLXEmenhQtyQOgIdlWkBEa
+  XugbOB7MrVA2Okknm60tY6MjdhzLuLpsfrfgVPbOhhJgx4s5R9jUPYkJt2+AM91F
+  AatvYzGF8PXZ42AD86koVQMaKVkkik/+B84hC1WLJyi6j6q2XlNlbPI2IA==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: scheduler
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDXzCCAkegAwIBAgITUnedsZPFK24+0RLcQnBCy6sfaDANBgkqhkiG9w0BAQsF
+  ADAqMRMwEQYDVQQKEwpLdWJlcm5ldGVzMRMwEQYDVQQDEwprdWJlcm5ldGVzMB4X
+  DTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowKTEnMCUGA1UEAxMec3lzdGVt
+  Omt1YmUtY29udHJvbGxlci1tYW5hZ2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+  MIIBCgKCAQEAx4qVolEaF1s0eKEqkCYybqL9v4ODiX+GAglz7KIQxXZzaF+RSVcH
+  xrbeMJV1eD57tpIdm6kbcjllTsnytTef5iaJeEyJu5cxyr6xhwyQNnuWlbHl9H7L
+  lF12eaNv94WAJ/S1I1bhjt3gj6vvXbFuridLydC9v/ELzVG15d70drVsfDvrRGbB
+  TPBTt1HX0pPD6uvaKLUwy5vLqx1uP+l75+EhmE1BmVy5c4SnuUdL+/8zqoPFI/07
+  wWY0Jq3+G9zSNeweVIxOv+vmgsUwNlNFsiu9XzzI65ngwaVHvelT1JT1ahMeO97o
+  qOd+XgYFNrKphJzvoLNVtt6/GdnAzjv1/wIDAQABo38wfTAOBgNVHQ8BAf8EBAMC
+  BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
+  HQYDVR0OBBYEFOne9MK3El73DSrS0A1Uz4SQhjP+MB8GA1UdIwQYMBaAFEqgN0qK
+  2Hkg7jbEnzxvHp8IvZs2MA0GCSqGSIb3DQEBCwUAA4IBAQCdho1eaIcOFSzyCgkx
+  vYuL3nwFmofMQh9P5t//dCIrs1YGmMC+i/paYK5LcBlqRfR5zV73y/Fvw4njIz+J
+  5dR1PC2lNmEXXyy//yhy4fw0G6zdY9dZ927znS7t7aeDf8XbUg2bnnOSj2vBTMXK
+  +SKZYSzYrhaYpem1Xv7pZpEGVhQ2kti6SkXmgrhbiFlzTqBK8IqrV63q4UIW1tdd
+  vPfg61tF44lUweAfDqe0qTra1HyHRscI9uXJSShY40U8O+UZX5BVhGlYbKP4rWyp
+  tx7vCUcRPNWsGVDw0YXiRzhZVl6edL92PTd56Y8zc24ELAbCodVFUoGIbKiBlC9+
+  giRY
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: controller-manager
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDYDCCAkigAwIBAgIUXVDbDAa6v2oTEGQolp4wy4+bNiIwDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCkxFzAVBgNVBAoTDnN5c3Rl
+  bTptYXN0ZXJzMQ4wDAYDVQQDEwVhZG1pbjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+  ADCCAQoCggEBANFOOJFFMQ2i1rnX6rtQAjdh3KtvjXv6Pfkd5bMY+7tKAHsy0x6H
+  TlwrN44dx4E4lGLJ1ZEqCRD9F6Vznrhjro2/Bq7MA2GmDbe0w0LCar9gXdKg7RMN
+  p/Prm+KAxWPF7r7KVBCc+/FZb8e97Cd7riFxAwD8z+IcIN/PwOnELauEmF9svL52
+  qSlcnWSaI3A5Sj5XYBDtrgb809e2jwRcYx72tWZ5+BnAkXqgmylh+ARedlQALTM2
+  gIR6iJblbTY5b9nWI+/0DW0kLkWrnbU8kq8R1mVKImq4TI5xlBqRVeJvrerxHSdc
+  szjybwbG9m8crW5c+Hdk3iJUEjskonGa3O8CAwEAAaN/MH0wDgYDVR0PAQH/BAQD
+  AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
+  MB0GA1UdDgQWBBRojpJQ8kbw/zd+BkCuQY8dbfeA0TAfBgNVHSMEGDAWgBRKoDdK
+  ith5IO42xJ88bx6fCL2bNjANBgkqhkiG9w0BAQsFAAOCAQEADbQMLo5fAELUbK1o
+  prklo9UUoD5dQQyMB3/kR9n+aPDT/EQvp2oj3wJQfBoHYxorCa4UThd1GYON0nt3
+  /AmiGmIcPmlX2XzeuIS4C5xRr+8rTx4umEqzg+ykdNwKV7Ed7QJkdIX9ExTbkfws
+  d85tmAeL8Js0GW0oWL3N8NKZNNu4ygAb7Ha67ZwtpHiJ1LIyd5XaZE1sxhtRCYEu
+  7GRQRJkX3qXCb3BoptHmjYrBR6AIKjKnRG0GE25z709wXS8cmbwFWS+NTOWo/5W2
+  J/TfCe0+RnIO2Mj/898hk7DImvav7PKuPraAV4G1ClGq1FqtVqa48hL/3tma85LN
+  PTZlCQ==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: admin
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDYTCCAkmgAwIBAgIUciDyPOzv2gb4bPSoKHoupoallj0wDQYJKoZIhvcNAQEL
+  BQAwKjETMBEGA1UEChMKS3ViZXJuZXRlczETMBEGA1UEAxMKa3ViZXJuZXRlczAe
+  Fw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCoxFzAVBgNVBAoTDnN5c3Rl
+  bTptYXN0ZXJzMQ8wDQYDVQQDEwZhcm1hZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+  DwAwggEKAoIBAQCxoEU4+cHjqNFCs1PcBHC6q5iw5K4vhXJDn7JljpaAGwB7UTul
+  n5WMxdbl6Sj0OA2EtukQP5c+sQEcW2ZbvYkUajmeubsuP6+a/d/xr4kveCTTuloU
+  sBYi4+Q3Rz5wFO86Pyh2uoLh2HYGMBuQlo6IeT/DanL25pLmoijAaBN6jluLwvjL
+  S83uCNWcfRpAHhUarr58ldb1m3dwGHJh+Lj8oDmPI39WU88W8lOQCOSx7F62uk2v
+  9kVaxFCJIVtPGWkki8Zna12ZEQS2x/A8JiCL79jILWkIBHk8Xjzxdidy58Aab8Qm
+  65ozGJOaaGdtpUiGOBKYWecWFS5f68AjhPMzAgMBAAGjfzB9MA4GA1UdDwEB/wQE
+  AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
+  ADAdBgNVHQ4EFgQUpLt0EVpJCPlGVnPdiPJKGl2W01QwHwYDVR0jBBgwFoAUSqA3
+  SorYeSDuNsSfPG8enwi9mzYwDQYJKoZIhvcNAQELBQADggEBAEwaNNwVUgZ8OIcM
+  h0RQ8Ly6HWsTODBcpRQW20lPDjpOde68zrnxI2pLdAV7KgcfdhvxrEUU67K4BS8k
+  7djFfLPOnuOty4imvIGaha8OXCqlP7gplFehbKsCDUwZibNm8FcQXTeVVqzGEFwO
+  WEdsKaYlHGMn0hPUvCG/qtvXTH+vY+q696+nDqIirCfRbNmUYTypKhdzDSiVFoTN
+  U5Ek6GKXBSv8rs7EoCJqiFD5dN5zpT7ErF8xgMkW0DVw/09u1vtRV4D9u/NlTIrh
+  5WtDiyRlFeRZeXnJz2CTgzItr1Lt6eoTh3/64hYQl2+ThDFTQz5WkrlHGfkRQWj+
+  QIpMP3Q=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: armada
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDUDCCAjigAwIBAgIUXLNalbN5I1hNhCAPUaS4nLXTZG4wDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowFDESMBAGA1UEAxMJ
+  YXBpc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3C7GPaX+
+  CBwPz0rAbWorFholDrZqV4Q5yOoxPfrTRJsKkjpNPG9Wot3wZNukGWoUzm6uTwu+
+  tasfaOGHUH1EmwhHXtKavWhfuzJziXXPL2DWAoWhdrIkM0c5oYHqNSIiQk0Ld805
+  jtI8L467Sn0Sy21oSwIbPGVpcQeYtI0rOHLxev5Pw+KkmqUBImjv4otLtIScRlcV
+  LiOFqitIQMX6QtJ+0sQTmPye4ezaYg4o0kT6R7xuaPdPHH25ksh/yzQTYpileV9T
+  VSv5IhRrilqS+TGVNT/5MnIuMj6cDX8T7ZM03/uU5mVVLHlxURDZACAhad8d+t+q
+  RkfIuc20PQt2pwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
+  KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFiawe/1
+  NzSv3p4ojD4mBlLnDopxMB8GA1UdIwQYMBaAFEpKpJjvUnEK6Z4PRxQP9AjJnquD
+  MA0GCSqGSIb3DQEBCwUAA4IBAQAfE27rBTdIC69SOCs6KM+2p9Jlmv1H6bdcfV5o
+  oIQV6PgR7PUnazlXf/Qw7t5vt07oAlNuyQnDLAbz5qC8/Yjvk9rNXZD/ROQgXSK1
+  QnjTWJ7zCRzcmvF2OD5GDI8n9YdGjgbI2lJwOYlsP8c0eBKlOhG6tfRt3x8FRfw6
+  x4dTKKiCdC/PcYbKeGENAvhiBR7spm1d/BZ+gtmlApOJCUDXquUJOuXMbxcnbr/z
+  i9Ps7+rf8eMqF/HLw9SzM92UnFJuL8apL2xBgZSFSRaLoHD2Qyvu9ZFpkHBj02Af
+  uLuIRTUPpsCGtjN8ZXLryg5iGvgyJIkJL9ZC3aTIdVtlktYy
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: apiserver-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDTTCCAjWgAwIBAgIUZsDwxAyPFvCBD2qAoDt7LbN+gBMwDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowETEPMA0GA1UEAxMG
+  YW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsLJuWpNsBvXt
+  Nny+kzFW3BPOVt7hkgAMRtKtykDNev6PawxZoo5tuL4tRb/htj/htig1uI+eCKCo
+  4TBPS9GdVgvnWN8wUzqs7DQcGKlPrGlvg74Mnh4jOh913gdOSZRDQgqcOSE0tAOW
+  HVGUhFSFgdmqzCL7d5XVpqjLDleAM2OgSmhf8juqQmjtcoLg0Ioso5QzZO+MUIq8
+  qWoo8bfFHry+Dy0PVZyDm1tLDBCcFrjNndrvxh7gCdvbN0wHTUR/RUwFLGcT1OUT
+  LN7aS9379l2ROHjSs+T8JpjIwYYZ0/XzKc7WofUeO1wTNjrrWsNNa8Syw75io3Lu
+  LQcTMu9CcwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
+  BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBCxp8LnC1Ft
+  4yBb//j1AyxclY/lMB8GA1UdIwQYMBaAFEpKpJjvUnEK6Z4PRxQP9AjJnquDMA0G
+  CSqGSIb3DQEBCwUAA4IBAQAR85WvVUHHukLczFgOv3jwlTY+bJLDjJd15ITEsNMK
+  F12kiCDdyUor1deiMnZzr1UMlVUV7zlxB+hVudboxbv/2E9gwixnXlIiuRkNxnc/
+  VlUp44GgQS1uSYcrMxUOUgPkyAswTIXTdmbSsAz5m8q+0cjKThglt8djNQTtR86n
+  OW+aYjmPhCh9ndyeoakPj/I+ICDgWKRDgLeoxgQiDt/m4F4QFV7UWCc9Wa5t5tcY
+  KJV4i3dLLY/Wnrt5jLI6ds7hyvsO/3qBbDnpkbLH6cXjtG18zcNGQb0bRwxNITL8
+  ZmRKx9GqVVeJF0e+RlrjfXLiwjW9dF3jDBbffgD+NgvX
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-anchor
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDwzCCAqugAwIBAgIUToZl7A7yvof8fxse7GAoLdpZglQwDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowIjEgMB4GA1UEAxMX
+  a3ViZXJuZXRlcy1ldGNkLWdlbmVzaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+  ggEKAoIBAQCj/8sNN4HKAxqKkMcrOPHPUZwyAsn938pTql/ZKrd7zvyU4r3DQSKq
+  9WkkYOrlHfgepGpemBC7G9MeggrhOaQzMj1AsZOca2BO+jnuow/ffcSV/4SDKP+b
+  2h43DOmfLeVogAwXPOOKTeYjVoSYyrrl2c+IztKuu14IN18z7DrwpVMxs3/NLR1p
+  4WLOhCPKt8QxL9+Fc3SWIo+ayVz9RZNbBj+bOiq0AcMpSU1YyA0OeSkUQf7KcTvk
+  zLaZq3uffuK00V3Vx9ykGPPOBBlbqsafa1eWuP0RZribWRs2qoS44fyYr1TGPaDG
+  JjRoodYS++hjvLhu3e4wqGR1hsixNRZnAgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQD
+  AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
+  MB0GA1UdDgQWBBSFBe7lFhSQb9E/duHuKEx+GlG0FTAfBgNVHSMEGDAWgBRKSqSY
+  71JxCumeD0cUD/QIyZ6rgzBhBgNVHREEWjBYggpwb2QxNy1qdW1wgglsb2NhbGhv
+  c3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1c3Rlci5sb2Nh
+  bIcECgqsFIcEfwAAAYcECmAAAjANBgkqhkiG9w0BAQsFAAOCAQEAb+hyTabp6x0d
+  PwzV+9DLh79EBJVvzDhDVeGg7L5a4efa9x1otEQ3tBQqSPv6s3iGj3TM4VRhJGmO
+  4nnOLQRt8IH9SRiEa5D78PjhrO0Oc3Zy60lib1fHoSQ5qhqmHNgdtGETk9bcO28e
+  fxIdKsjyGU+NQG+b/IGi9sGb+62M+NVxN3z/XnGOuEF3OrwQvf1r2Co00a2r6oX2
+  ZSjv6ebQH4R7XZPU5Rl7QKXbnsL3Id6sPEPQ/zaCB87i3YWR4dz4ntsubc00XHyc
+  RVqg4xiEErn4kHdxB3Z0nbA9VlMNmIsy67gvS1WwV+WjUXBXKKH9p3mz0wGF6w9G
+  cJyDTKUeGw==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-genesis
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDxjCCAq6gAwIBAgIUCidfjso0k+ZOmAVeFEEHhPW2BK8wDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowJTEjMCEGA1UEAxMa
+  a3ViZXJuZXRlcy1ldGNkLXBvZDE3LWp1bXAwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+  DwAwggEKAoIBAQDorb8oyJ1+JiQihjFDPpIIuHLb02qSoUKhnCBJ8ERpdjArAGoP
+  w2B8fZ+v3ZFksbo5NcjasQ56FLaqpFAQ8Vl2bypF336ZsnQSB0ZtvopoaIhWC+ft
+  GcMTggQU7iHyFlmEvyvHIQOMEACdS2xo5uzyxNY1ZlMbC7/4vyiTY39uqyeWPDsm
+  JtSUa56fAiukTKPRJueiCvA5zfNTBn1Ubjo0YmTse01QU5J9zaaSD6X670o0eUpz
+  lKxx3XByFkqCenHcYodjsxQg2SZbw5pj/5hX8o0MSSnSmi9OhwfG1uCR+z/n3/70
+  NZH6cXt0/dFkv0Ih+Z0wgKiKy+bgaGVq3A6VAgMBAAGjgeMwgeAwDgYDVR0PAQH/
+  BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
+  AjAAMB0GA1UdDgQWBBSX7JQjFdBoydobT5N3r9cg1xYZlTAfBgNVHSMEGDAWgBRK
+  SqSY71JxCumeD0cUD/QIyZ6rgzBhBgNVHREEWjBYggpwb2QxNy1qdW1wgglsb2Nh
+  bGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5zdmMuY2x1c3Rlci5s
+  b2NhbIcECgqsFIcEfwAAAYcECmAAAjANBgkqhkiG9w0BAQsFAAOCAQEAfIRL33lN
+  y2UV7JSd28g/FuHftVSAakz3OCAYykMlE4Dn52f/DazBqOap50W4HgJZNXW9RgqV
+  yAFaRTGBblx/3lq3pgi/652NSdMVMbLtUAWqfN6eQvpW4S8J9TKtF2PJmFjCmO4L
+  QYugCIofZrcSuqyBDOrzgSgB7hD5weMlNPdASicvpeiFu2sfIMi2D2t8rA1KwQxO
+  cf/r8RJ/Lc7QyL9bNoOq/64dFdnPNh13AKkaORhEXDHEdQvlu8th3T3HHRh+qImq
+  sIis3mp4LsDmQkCM9H33AsjbG+4eLMgCxvPjXtHwGMATSFOwdIuO41DQrUooTAoi
+  TmB9tl94BzthHg==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDyDCCArCgAwIBAgIUMHqI/4QsQFGrhEYLBFA+kS/1nYgwDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowJjEkMCIGA1UEAxMb
+  a3ViZXJuZXRlcy1ldGNkLXBvZDE3LW5vZGUxMIIBIjANBgkqhkiG9w0BAQEFAAOC
+  AQ8AMIIBCgKCAQEAzV5tuExTU+9A/tNkCqoVhBtYsZeNWrvuGiYWXc+6CXYKAhLo
+  eqVbDNTtxwsQA+KPRJtiJlTS1+EYeFd7ZTQHAj/vt8NSdFmIVSpaJdkDBTBLX/D9
+  9b3hdx1u+4ZR3jiU7VDsezci/apB69oBuihLcvCmm3m2EhgFFf0cUAa83Z0U/Pdy
+  Hg1VRSiLcMxxU5QATKuDNUpt+NG5rVP+dkVjYzp+Vmzxws4pY9T9xJSYup/rdb0T
+  gWpPFi8uNIazNCbUXRwHFM5VXq3S0ueNCCVIdA24M21QwrG7NZCsoG6n2d4yhLv3
+  89uSBzY4UQ30Y7Uqpi1vjn5QmqkYLrEuc/5FmwIDAQABo4HkMIHhMA4GA1UdDwEB
+  /wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/
+  BAIwADAdBgNVHQ4EFgQU4Q3H82QjIU2oyn7tG1HUbWZ1k7gwHwYDVR0jBBgwFoAU
+  SkqkmO9ScQrpng9HFA/0CMmeq4MwYgYDVR0RBFswWYILcG9kMTctbm9kZTGCCWxv
+  Y2FsaG9zdIIta3ViZXJuZXRlcy1ldGNkLmt1YmUtc3lzdGVtLnN2Yy5jbHVzdGVy
+  LmxvY2FshwQKCqwVhwR/AAABhwQKYAACMA0GCSqGSIb3DQEBCwUAA4IBAQBnSTl4
+  ymVkF5dAwrEd1A+YsB7BagB3kT9QSPNVzckyc114vJmGeUbpQsJ4q0sSZxw3bRNe
+  sf/ZS4XIaCVwPDhjNxVmOu9OPE16z55qeAHqt6+sGB5gz0EdT/sdGMbaHTiTlOwL
+  3NUBeCWoG7EByRxYhlKino3CB2Ozt7ol7XKddaOUOjcWCpRZOFwDQ+KgT9Ep6/K+
+  jYadGMMNQaKQied/tS3sDWMLa55kmbVOyAHYK9L3gnoli4+ZeEuXZuNvW+zemqZs
+  AwzuWB4zEahwOVJkCYwAMPOlzPlflRtoUArUHIgiSLa0BrjOeXEF8YRXcjEbRvjw
+  694njClwubBNq4sd
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDyDCCArCgAwIBAgIULkPrqYtWovpB408xMGMkFt9/UTowDQYJKoZIhvcNAQEL
+  BQAwLzETMBEGA1UEChMKS3ViZXJuZXRlczEYMBYGA1UEAxMPa3ViZXJuZXRlcy1l
+  dGNkMB4XDTE5MDgwNTE2MjMwMFoXDTIwMDgwNDE2MjMwMFowJjEkMCIGA1UEAxMb
+  a3ViZXJuZXRlcy1ldGNkLXBvZDE3LW5vZGUyMIIBIjANBgkqhkiG9w0BAQEFAAOC
+  AQ8AMIIBCgKCAQEA5U4DMNAvkkGBgR6CJddKECt1+Y8VBVMbGQs9hC7Z8qRQHnqf
+  AFEs3N5rq+CASmoTdx1/ZjRqJnwoNVF3j1KUY8WNBtx84M0DTY3M2j6FXmOmmESJ
+  LHdxBYiNcs8C/j5517/yuHERs0aYxGOIK7SORw65159yQ2cFlXBW4+BGUkIKUkUj
+  R2TuoyBYRO943CWZRMHTN+eK98TuSdEaxk1vqNzXsvs6dk3ppetXa1pnHPs0KZm3
+  CrOZCg5CWEG5J0gK3vojQaR6ygrRV+sGN85q8433tsfMRy/hmahJbAQVwxhm6Oza
+  +cL6voHCuBkKju8JdZTl5b/91YbaF+pUKVS9CwIDAQABo4HkMIHhMA4GA1UdDwEB
+  /wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/
+  BAIwADAdBgNVHQ4EFgQU0GzAO+78ztY3or5VLtICWSFJWUAwHwYDVR0jBBgwFoAU
+  SkqkmO9ScQrpng9HFA/0CMmeq4MwYgYDVR0RBFswWYILcG9kMTctbm9kZTKCCWxv
+  Y2FsaG9zdIIta3ViZXJuZXRlcy1ldGNkLmt1YmUtc3lzdGVtLnN2Yy5jbHVzdGVy
+  LmxvY2FshwQKCqwWhwR/AAABhwQKYAACMA0GCSqGSIb3DQEBCwUAA4IBAQA1vb/3
+  hu45aT8BeMWTHR7REtfxZ7dwYp2WF0i5nfOZLxkrptaK2b/mjDo5L+FrJm6MjmeZ
+  P74O10UutDtSvZKOVeGc1+etvqEKymXL/HKOmxmT+1nG5ON4JaD01Tl56btFXSJX
+  J3GTUAX3S3RSTolvPYekc8klaVQi/YD6AY42SAFqrk9/DQJTPZosJwUoyirfapE1
+  5jf/jkwmrmIW6g3hORGYFihMwfw9FU7VfBF9M6QjdRTNyv4V+0l4FSd6AvdsN1ol
+  2SKJEQsLxpbXwjjM2spp4reAB0Mn1Mr0dEXRv4cJ59OQY3mSb3qhhsJAthrvRXkA
+  SRjyOHnfoiHvbIMj
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDzTCCArWgAwIBAgIUbYHkC2Uah5N6oh4pji29G5LqntowDQYJKoZIhvcNAQEL
+  BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l
+  dGNkLXBlZXIwHhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAnMSUwIwYD
+  VQQDExxrdWJlcm5ldGVzLWV0Y2QtZ2VuZXNpcy1wZWVyMIIBIjANBgkqhkiG9w0B
+  AQEFAAOCAQ8AMIIBCgKCAQEA5LKMumJCGGvh2YiPaih1JqfObaxIKLbTEvtqrj5g
+  fSMiF/mlOe8hoV0ce8edR5uhGGzY+MaRmZ4tbuxBSD+u4mjx02ggc007stMW0M+I
+  zhy1/EFveKznz8orA9Z/HwoIOnqJsRhRd5qKjAoo8a5rg/+PTKjTBQt4Ndzx9q3H
+  x1AhDvN4ViYswqe2z2vn73wOH/QAcT4ZZ3snTb2oGroYuZHo4aTRSZVGk1nZzNZP
+  OAZLookgNgdIEuWGIUwY+dXoXPfTsjuJ1EijjjtA3VwjfAKKrU5sUFJ/3IiXJE5N
+  0Ll4zhQ3eG19aDCv0jIpShyOR1XIeM3uz+QX1X49/hCU+wIDAQABo4HjMIHgMA4G
+  A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
+  VR0TAQH/BAIwADAdBgNVHQ4EFgQUC7NPtIAgMaINmbjzLknt4duM788wHwYDVR0j
+  BBgwFoAUhkJkqrelmIi3tfVjoJW8ro4JmNEwYQYDVR0RBFowWIIKcG9kMTctanVt
+  cIIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0ZW0uc3ZjLmNs
+  dXN0ZXIubG9jYWyHBAoKrBSHBH8AAAGHBApgAAIwDQYJKoZIhvcNAQELBQADggEB
+  ABQpwlULulZFJsfcKqRqMKzilPXpNARygcjfXnkOCvs95OsuKnUUaSjPtC4CFGhE
+  o4+e84VyjeUlnywbfEbBrUjLns7MBPmUb92M+0dadCCa4JilgXI8ZOcswko4gx4P
+  YrUAASog/VO9XYJnd/Ch+KrY46qyfis21inFmWrroz9pg1+glhV/IbybAJMWg+OT
+  lGblWWiL6DpeE3DaQzP/eYdeVlVYPaExjSsN5D0LAWOy/Rgz9+n3zLsuSLB6h9mY
+  2pJuy5eikkl28Q8OxMdxWQhEamny7rlgYP7W3DI2iP3VDYZrf1hXNlOtque1J3xr
+  WVwSS5clRh8ar1rxYU1ByEI=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-genesis-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIID0DCCArigAwIBAgIUBFKTOX2Sdx7PAY7wD1OsBC2yCwEwDQYJKoZIhvcNAQEL
+  BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l
+  dGNkLXBlZXIwHhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAqMSgwJgYD
+  VQQDEx9rdWJlcm5ldGVzLWV0Y2QtcG9kMTctanVtcC1wZWVyMIIBIjANBgkqhkiG
+  9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx84cvFlUdir2iio1iPlFxQ67x2PqGCr1/jRj
+  1ptPjnlnXfLnAbypA0jpbKS9r1lnSUsJtK+TNG78jFtmfnT2DLX+J9tZm4qI1Z+q
+  rWhM0qlYyPuGqXuSDI+TR5wbz973/2IioTAbSo6E32cTHHWhEaCT4o+iD/K9jZB0
+  LToWX2k6+iQFBg61rFFAk7SOAO4/8CcsgMBw3Qnl/Ewn8WNCHcInkLqhgSOF21yM
+  lcBsoPv1IAARkhXmF5tr8RGmV13K70lv5IhusGuznZ2FYF9gl07VxQ+kWNIdRgYw
+  Pgb2qKpT2pbljzBX074rc4GUJ3gTimchGLROukOm5rMxRkYMhwIDAQABo4HjMIHg
+  MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+  DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUa/Kd3D99+S8L5HyI8VKXwCJE7pswHwYD
+  VR0jBBgwFoAUhkJkqrelmIi3tfVjoJW8ro4JmNEwYQYDVR0RBFowWIIKcG9kMTct
+  anVtcIIJbG9jYWxob3N0gi1rdWJlcm5ldGVzLWV0Y2Qua3ViZS1zeXN0ZW0uc3Zj
+  LmNsdXN0ZXIubG9jYWyHBAoKrBSHBH8AAAGHBApgAAIwDQYJKoZIhvcNAQELBQAD
+  ggEBAIj7MoexxflrK9Q97t95eDIaacwupUT8LeVRP627xGWcyzAk+wR2sKt52ra8
+  VLTMNThCF6IbMDyGZ2r1TNPKBEENStL/BGhm/1WYxEs81/GGolnZAbcNie2kB0RX
+  oDc71m/RJAI6Zm0h80yuT9U8hviuhN1gdfU5IbsB9wX9ZhUf69Fggtw5aOYXoxYn
+  SUIJpEd0fECTCwwbbxr87FbCj19MfnM2wo+NjCjQHDMf/09Z/QEHoxuDyfWiZ35U
+  XsYbvpfte6ssV5I8FARyc33U8igdWssuIz4PeDKqDVWZ5WxRw6cDqAlJhculAVAH
+  peRFZDYSAcQ0xLHuPkHD2e0Eq4c=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-jump-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIID0jCCArqgAwIBAgIUeh4Ggm8kIMINi0ZI7cwvYcUCi8QwDQYJKoZIhvcNAQEL
+  BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l
+  dGNkLXBlZXIwHhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjArMSkwJwYD
+  VQQDEyBrdWJlcm5ldGVzLWV0Y2QtcG9kMTctbm9kZTEtcGVlcjCCASIwDQYJKoZI
+  hvcNAQEBBQADggEPADCCAQoCggEBAL4FvXvuaXsBx5nxFEybOSeJEGgKr1y6WIqx
+  wGm41csuMERhLhiul5+RWpfCRJYq3zz8bbK7sDSdKvLMD7C+OAsWXb/jD8JUuR6z
+  RZCqP1hwk+j/gzJWoKYaf54A9kmGrK2HP3xtUmDm3FtH5kJfdaHgRF7ed83ULQWZ
+  Hsfdl5r4jH9RewTZcg7isxp4oFpdvc48p6N3qpjQn0gZUmir2enn72h7GZrGa8r4
+  g7WftL9E0nZCouglDiZYflMEaLbI9PkMxS0vdwgAqWJQUvP7K7vHucT+KsDH1E9U
+  Mmh2l/ayk3NOEU78hx9LQ2ABn0c4Hk5iUF/sk6mXVTnvFqyy+h8CAwEAAaOB5DCB
+  4TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+  MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFNlE95sWo6M8GR87C2km+fIb2/yMB8G
+  A1UdIwQYMBaAFIZCZKq3pZiIt7X1Y6CVvK6OCZjRMGIGA1UdEQRbMFmCC3BvZDE3
+  LW5vZGUxgglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5z
+  dmMuY2x1c3Rlci5sb2NhbIcECgqsFYcEfwAAAYcECmAAAjANBgkqhkiG9w0BAQsF
+  AAOCAQEAKyk87UAyZNGaRyE30opnPNvd2GhgmYQn0mHQgZqK+5lEHnsokhEj2p2T
+  AnprYIKczHtjZONKFSeFQImOgky/wImJl2mg006FzbbZ3cvRmW5faJiqxc8aLjSj
+  Z9dTxYEnLTnRIX2MgzAL1w5ZhA31FwoMN9Ch4UCXS9PsFbjJLSGmnrVMRilg8+En
+  7tl6oL0ZfA6SoRlTHf58HW5BopctG/zYVjykLFBBaDxl0jtJRQ81Tdq3lb5PxYKh
+  i+1w1vxOPE+27UpjkVDrG9fFc56Y/tYT2nJGhT2kl+ycsLmHTvLFniqnvh5QNIit
+  /Y1hFk8t/IGKnX53p0TCTTHkuBWlIA==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node1-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIID0jCCArqgAwIBAgIUIyUyrm9IjcFUKYyrg/aRTyx4GB8wDQYJKoZIhvcNAQEL
+  BQAwNDETMBEGA1UEChMKS3ViZXJuZXRlczEdMBsGA1UEAxMUa3ViZXJuZXRlcy1l
+  dGNkLXBlZXIwHhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjArMSkwJwYD
+  VQQDEyBrdWJlcm5ldGVzLWV0Y2QtcG9kMTctbm9kZTItcGVlcjCCASIwDQYJKoZI
+  hvcNAQEBBQADggEPADCCAQoCggEBAMEZup7AAKbOGQ24RMtIuciVk7uPRa3Vxf2C
+  oIR61dRXCFpG+RC6gT4yHEikqF/Lh8X0IAsVWMW/zdPOjombO5WxWU9AyscTShp0
+  UYe5V5MSHbFY7A2YC23ni6+svC94LfJcAgffzI3xQjF2/dOfYl+99ywusjw2dw89
+  LzBCc8UtppzrL5bWO8QuOLfMoD9FHnj2D+DGj11xcoz9Np+GZEiv0TVrDb2s7DKU
+  3Yxt+9F36zbnt4pVm3RqvCK0y4iEVGfK0GYQHlRvLDXVgocXIvPWKUsPYegCqSfZ
+  AtTRHyf1S1w1+gK96XyXf18D9FMfDC9o8bgRGoVRFm5as/TTJA8CAwEAAaOB5DCB
+  4TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+  MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC7YjLWMGWn8PP8J5UiXUd/r4aj6MB8G
+  A1UdIwQYMBaAFIZCZKq3pZiIt7X1Y6CVvK6OCZjRMGIGA1UdEQRbMFmCC3BvZDE3
+  LW5vZGUygglsb2NhbGhvc3SCLWt1YmVybmV0ZXMtZXRjZC5rdWJlLXN5c3RlbS5z
+  dmMuY2x1c3Rlci5sb2NhbIcECgqsFocEfwAAAYcECmAAAjANBgkqhkiG9w0BAQsF
+  AAOCAQEAmjbfjuh0fx7FmvbIMPRXq7z36Vjhe+Kwk5w1KItL7hjTdyD8602snqY0
+  IytOKEKz91CaswvYTd2HekxXrAJhUIL90w4DiPyxttY7Fk21gJvbamogscHQyENE
+  22X5egWUdRFikmg83k+EJBNixsioIUyA7BkWBz/1302GkR/j0CmYNRSEEX3YJ8YP
+  VV5wKr5zEgQDCPcwpRP898sk6QICCCDb8GpanjLurk1l0sgil8Ib3OH5vNO+Zb0i
+  urVbp2Y4GqONRqEOZE/4et4y8kStQvIcWph7hEGBObL7kVYo176foJXAxyob2zaj
+  p0vbKl8WELAGXPWRm5FdBhUyJyocXw==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node2-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDSTCCAjGgAwIBAgIUAOnApTHu98LW7syQYeJa6PqRDngwDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjARMQ8wDQYDVQQDEwZhbmNo
+  b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqqPUZqx8Y/a4ZOAU+
+  Qfi0bbKGrR1n2FZCabpnmDY7UYt9HMFek4bUT1U2O3vsS4qKTejKynCEGFHh+2u1
+  hU5KqTbrSkTEotHMJqt3mL8PZOU+PcpdoZVhQLK3kwZzAAggJ6yZsieqawtWl6D2
+  6zpoyPnFDX8JcJqPBh0WVEn4jAG0Y4YaY+vYQ/YE3AJgvJySGeNVsb9f+fUJjBqo
+  3nxwE+cg9PWdQKRqL6RjJzbxa5sMn7kaUU0JS9UmfrEV/scGWU5WdQnOsrg7n4EA
+  61aBUKawsmwr1KSV1lfnsmt94btuEalxwwA1HT8jnB0WFXOiMhMmkZqjldS1iKDO
+  13DPAgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+  AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUdnux2j1q7sBcGWNT
+  3E/GPe8v9ikwHwYDVR0jBBgwFoAUb9gMAPDrJBDy4fq9pWYH1fzKjYwwDQYJKoZI
+  hvcNAQELBQADggEBAD89WTs/MKIpZ/MDAfNm/hpCXXWg4zRSTgakWIsO/kpNvBop
+  KkVQ4S0tGPDIGgWyv9RBfVBsZknom6Qk5SkGhjtSMrgY/um0hsHTlIQuo6F+stZq
+  HAGdTbjfE1bXgvD+0TNwfx8ypHPsPFs6zxPz8zkS68kBawRBCjFcKvM/cFgP/vYd
+  x7qKmh0M/llWz7csJLG8dbAVv640mkN6MJGO6M2nsyUDmo8hp90FL3zahFwTiGEl
+  rttIRuHfHfH6o5lf/RoYIc1kP4APW5bz5oycdlVX4v27D0aqFPoRsjv8WiND2pwo
+  Y361cWrEapeM0AgkT5A7XISmfl8ksDoXRKOCFFg=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-anchor
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDjzCCAnegAwIBAgIUVrrClpDO5jsxeOtpQGdSQctKmeswDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAhMR8wHQYDVQQDExZjYWxp
+  Y28tZXRjZC1wb2QxNy1qdW1wMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+  AQEAtT29xK+8i3lxNgWG/YYmE1mNmVuWHjZrB+K112+ix7CDldYF0fJgPwR+urDg
+  TiQFN5cLL7GcTGIYmgArdBZcvUmeUsPjxxUuik/w/WaqyJQJc4Evsl42owqpfjpY
+  L5u/n5o9azsx6OTxZP3b+rmtPqSCafgkZ/VcJawIDc+jhGAKvhVzJj6zjmvb77XF
+  R4eUjmBGVwO64lrsH7juVt6n6EnwsvMPVoxQGGAL1C2Q00kyfjLTDrQScp8Ez7N3
+  YhzzeH/W4pr84NCJ9n8Cg9GkIDpP9dLzmNYbCUC+OzA5Egge3tfun/Daf+JgJ8Mh
+  L0YcjX4CxdlX0t859fmD06d7CQIDAQABo4G0MIGxMA4GA1UdDwEB/wQEAwIFoDAd
+  BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
+  HQ4EFgQUkrbIAriRvwk6kUGHkoG6hQIcl7swHwYDVR0jBBgwFoAUb9gMAPDrJBDy
+  4fq9pWYH1fzKjYwwMgYDVR0RBCswKYIKcG9kMTctanVtcIIJbG9jYWxob3N0hwQK
+  CqwUhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQA9wrXnfllZHiKZdpEo
+  1IDr6IqkK+8Ub2kXgVhaW9wAsWedgaPRuedWleIu8mYZYYuQWn0w49wJlOqVhGsq
+  l8dpBPH85AAWfyrcM7k3wOdJz6TVAQcRk5qLXrawerjCakY2jFpi+Gd1sbRNd0b+
+  dSlVo+7bjxhuq+EBS6OoFQQqx0SYLZEIPt6xW0yMEOQw+53IANN2Aeql1Th7C+p7
+  Avt5vnSNAEywVg/b4d47ffvbVF4hE0fGjDsYzNh/U6FLm+WKF/DP+zHPjXfeMC01
+  mqjTLmFrg+4qWOeW3CMiCFKYiTcbqa9QbJ17I2zWy0d1n0VkrX7ROF5WCCO+acNA
+  yK89
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkTCCAnmgAwIBAgIULrHOif0uejOAG1EFl8cJsNKAqMwwDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAiMSAwHgYDVQQDExdjYWxp
+  Y28tZXRjZC1wb2QxNy1ub2RlMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+  ggEBAOuhXhDZaqedGuUyQ+aocfkaLWITmxAOXhmLQhHbe57RG/KCSE0TlaurzMul
+  DtApeyCTgayKUeZkpoZfkIrErHnJ/FR/YcAuTYQlNDyHHBgL39Gf9vGBF7VhYrRm
+  pwucIDrRPqed7wjuUfLdS5t2BpimWgCk2C+CMpVQi9HtrIazLAdP6CgDGD/VmMYZ
+  vc6EgzsTjBh8iEbmYflxD3lq1nCvsFQclaFl/kcZgXsyA71ovp2euiBVWLeTw4Xl
+  YDL/c+676zXTLOewk+WC+I5D/CX+Qw+CWDT2+pP5+Xcaic9PVYbyjzfOpGQagFOj
+  nOq/ttOo3LG5mMbmq66l1U7KU6ECAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAw
+  HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
+  VR0OBBYEFJiDwOkvLBXAXAu7IbvYt8dDAkTeMB8GA1UdIwQYMBaAFG/YDADw6yQQ
+  8uH6vaVmB9X8yo2MMDMGA1UdEQQsMCqCC3BvZDE3LW5vZGUxgglsb2NhbGhvc3SH
+  BAoKrBWHBH8AAAGHBApg6IgwDQYJKoZIhvcNAQELBQADggEBAE/Yw0XgzVFuFNyY
+  b//eOHV2oj+rZXFBwEQCx5hMcct/bZdPqjjvHt+Df/gCp5/A+1KuHl3C+bCfRvWo
+  XtFn8WyMXWprAu0GbaGI+8Y/auh5bgTmvfqTPerWK36OtDVXzrxLVlXTHm2d8yGd
+  ydXNbh6FqsBXVN9VhBdP2EFDvuR/7u08ckHptgFa6RY/2iaSQhLAKBtyrIfj8/DJ
+  zoVl4rBOZb0uHz6k+njb2DmY79FWB8YIOTL1xcAfhS4dVPRrY0GTf0H7r+gGfhhv
+  egqMyMoLabwh7zYi2WgWicXX8/BZBG+Fw5IPEtY1cGzG7o8/2hwax9hlGLCI7nQQ
+  0S3uB4s=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDkTCCAnmgAwIBAgIUSK5lrtrbA4UUnOPEI5//XPigjQwwDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAiMSAwHgYDVQQDExdjYWxp
+  Y28tZXRjZC1wb2QxNy1ub2RlMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+  ggEBAN7hAskLB6wk2AqOz/yrhTUV6ak+Yf0TeXPAsQVSra9vfTR9PnuFugZBm7ha
+  49SPppGCY7UkPAQC+dw9g3+09vSDRy/G0qSpu77OFYao23e7cSVy7ci1W0Nf5pqC
+  n07tGmSdZ5V2dqS/LQnRdpUQUuWAFSZS/wC+tu+5diVlHXku2bC4ilnVnhkM9jFz
+  qb0B5cAdNN16v5CHF0jsiZ6Du9lNRiL1h2f5XN6bFc7Vofms7WN05W7n+uu6IQgm
+  oiVg9hFZeUOh4WmgMfPitxuC2yZMyvmDSv6eP163TEczTeVNCmnOPn92iME0d/tv
+  9GPDAMuRm4iM+ieJqb9HwF/oyfcCAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAw
+  HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
+  VR0OBBYEFGtr+u9MwT/VqB2yDySDzuecjWObMB8GA1UdIwQYMBaAFG/YDADw6yQQ
+  8uH6vaVmB9X8yo2MMDMGA1UdEQQsMCqCC3BvZDE3LW5vZGUygglsb2NhbGhvc3SH
+  BAoKrBaHBH8AAAGHBApg6IgwDQYJKoZIhvcNAQELBQADggEBAKz1v7MdVWW3mrvi
+  qP5KWatJT9CXl1R6e36wwR/atSx87h0141YAT/PS0muW73fFZDcBobnhtb0r/phK
+  Q+73QwrsQijSLj1FQZDE+p+MYVbn1NGxOUhO7ZSn290wCURpr5hWCU2G481ki+Y7
+  AKXe2VHEl8Z1tnxM1Bq45Y6p41yfvFWTV1NjvEkUdMhPWzdoyco0cdF+8bAMrA4R
+  uGnarof4HirEwS+QCoVWA+PPQnDA/8zM1VmKDb5pEwv5cah3k4b4hW5Eatu5YMx2
+  APtgfWgEQAqnjJwBexbrTjb3Lbq5gSDbdy/KUABS0FKu5w4SnARznOU8ncYfQiCc
+  /bMmUV8=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDTzCCAjegAwIBAgIURv1P/PZ+Gznq1ZZ0BjmlKIjEHLcwDQYJKoZIhvcNAQEL
+  BQAwKzETMBEGA1UEChMKS3ViZXJuZXRlczEUMBIGA1UEAxMLY2FsaWNvLWV0Y2Qw
+  HhcNMTkwODA1MTYyMzAwWhcNMjAwODA0MTYyMzAwWjAXMRUwEwYDVQQDEwxjYWxj
+  aWNvLW5vZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDlAyYrTSe
+  y4izRLv548RXhItJJ5VO9CQoV/Nt20rQJrcFsJbCRsH3LCvY9VfqC5jvtPYfFpTI
+  k664JYVDb7CMi/A4VjQN7hLuDgYe77zyg/BQoCnIcsViq2fa8avRNdJQNbdR4JWV
+  dlzvIpwbTzP4H3i5sGDp91E7jUIpJ3CNL3CwGoI3s+4QSiA6ii9T45Y5o9Xg0vwT
+  g6olYqIXRfPcG4SRk6sIE/yFf0a7egHYd03GhMYhz5/mk5ltYW/Fhmc1d5UtoMNx
+  i3/I5cpagCdzVtpp4eRB91IekzlwN1f8X0lUNQS+L+FGmFpOfTnOuIumUNS/fqrA
+  LrRJlf/Ll1sZAgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
+  BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUVq41W6/V
+  cLmdtvwks4AS1R4v3w8wHwYDVR0jBBgwFoAUb9gMAPDrJBDy4fq9pWYH1fzKjYww
+  DQYJKoZIhvcNAQELBQADggEBAK2Y2uxccfaaZQxHPtg8rw6NG/QVaLRhGqVhZg/c
+  l8KOE+Dm+wrgMLRlkIERRcKn6r8DxUIqFV+ghWW7GUDAdeuxrSdHuCXFZJoGA834
+  ksUTOSCOQjHQhWBcJUgAXtHk8hm9zaN28mbx+YS7va++mzw1pu5MK3Tu3XxgbGHR
+  EWg8To4p0iMJprypnlwIMwSw0XO5AUdzw6ClvJpdjU/aF8jBeJ/mubdu+MG84EaM
+  EskUFBQV2FzgcVAg5zh+5ZwRy+hWaOM5zGB0K0wF+hVcCuJrxtzZxoG5tFIN0tRy
+  TG/WnKaHw7Uj/hE5HT6KbFd3Wboxr6uzlqExaOSZOLq4h4w=
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-node
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDmTCCAoGgAwIBAgIUSWqXl4uMdAv5loIW6a5TbNVxLiswDQYJKoZIhvcNAQEL
+  BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt
+  cGVlcjAeFw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCYxJDAiBgNVBAMT
+  G2NhbGljby1ldGNkLXBvZDE3LWp1bXAtcGVlcjCCASIwDQYJKoZIhvcNAQEBBQAD
+  ggEPADCCAQoCggEBAL+L5bQ3kN/cbHz8Jky9rz/XBUeYyjztaacS4VNzz5+/hNaI
+  yZSqzN2yRagTJZH/m6MdBSmI3KIhEoHvHZNEO47tnL9J9sX8RtwV53mfWroHhuCQ
+  5Z1FuswnR2I9yhaPvcXVQhPGxpCszf66Cm2S6JctZzKMUkRlPb2XV/KCWluK9Dxe
+  7khQqpZOVJvL3uHrKfBQXIgLlZXxMLTz2s/jMDeqDsrhxBi91770YwRiVw5HX4Lj
+  R8gMJ0Y1NJ9fdeWOJyllfP8yfcTdUQ8JQIzk2vDKpjRopqYYUT23brQN7EqGK8uk
+  ub9AyHgmuZOKFg+FXmkmXRi7qZZJaTAHaccEoQUCAwEAAaOBtDCBsTAOBgNVHQ8B
+  Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
+  /wQCMAAwHQYDVR0OBBYEFKvkppVjL5NHRRPR1+MXWvg63lMCMB8GA1UdIwQYMBaA
+  FK8A/IZ1Vcl5VxHpDs7eOTUgtUuEMDIGA1UdEQQrMCmCCnBvZDE3LWp1bXCCCWxv
+  Y2FsaG9zdIcECgqsFIcEfwAAAYcECmDoiDANBgkqhkiG9w0BAQsFAAOCAQEAmXcd
+  NMysKMi+YHPGipz9+Zj3P/c8bYxGML5eWKoYwrrbHGNNknwTKhvRTSlpiT6+u0xY
+  0aUrUHazM0fuum/hlNf0PZaIUDPfi73Gd1Xq+BxEMBpmewEuHIbnZdsP3OQ9z8Kz
+  JYpGfpIXb3Iy9Y9+O4KYAH4YUfLjBKg8JoACrrzYC96sN32SzbLOy7aGojuDCZ7v
+  VZttvHJ6VkpakR0bZjWmqMxb7XsAcyjk+/2uZickt2QJrixKsx/cHby7/c+ywhwt
+  QAAA40sqJOYUeqhqDPLDnl6gXyfJ3JCbMzKsvu/FRgGd2GbKgNCMDVpSElVTDNuA
+  GTW2U8c1AII6JfKdzA==
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-jump-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDmzCCAoOgAwIBAgIUMM0JvwRtsl6bVW2TrQkK+QUhPu4wDQYJKoZIhvcNAQEL
+  BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt
+  cGVlcjAeFw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCcxJTAjBgNVBAMT
+  HGNhbGljby1ldGNkLXBvZDE3LW5vZGUxLXBlZXIwggEiMA0GCSqGSIb3DQEBAQUA
+  A4IBDwAwggEKAoIBAQC0UDXQP1pR78DZh86E2fOXKiAVcorEfg75dP/pFQwgj7D8
+  9N6bdclTTuVy1U8xj6HlJA+7WeGPq42WOnVPNKldX495PRCHMKUamYRguBUvgDHk
+  hYBXhhh8rFs6PqvcUN0y0jkUcy9rrSqRyK093h1BDPVF/xicjw2XJ6wTevDYrUOD
+  zw731Cs2bmlVgqPH76uMznrXKaEYIm14IMW/YCSD6s5BT3oZQlKhbfPYIHSyJUCV
+  TCffhLF0RiEbznsq6gaS5ymvUdf/nnOeYqtWJS8OV9y8B/HM/C2fWIfmzV8ZHIno
+  z0sNa0XMtHGzryXN5g2kH6Cv6iFypHzOrX8J6WRtAgMBAAGjgbUwgbIwDgYDVR0P
+  AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+  Af8EAjAAMB0GA1UdDgQWBBSXthiFCby/8efbtyXaBlB5Y5aMGDAfBgNVHSMEGDAW
+  gBSvAPyGdVXJeVcR6Q7O3jk1ILVLhDAzBgNVHREELDAqggtwb2QxNy1ub2RlMYIJ
+  bG9jYWxob3N0hwQKCqwVhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQAB
+  uRVBVY7ACmusaDqmVMWGwOc4TlCOufFxj7MZULoPrMQbYSdAZpVdSXjy24eAZXdG
+  HXouitQgAPTu/M7tMFfQCUP8XYHaMl/SCcOLsTlEOQeeYmWjst/02ymswFL8Y8X5
+  +x2m3FSzO6QxCj/i5gXp/xmUXTn0qshvAUaM/mK1PiR94Iue1cHzjA+VoGi5/nsM
+  e7sTjwM3JBrojwr9cNmCPlMBAVymIYlc8d1bNst4bX/3uTJRudKK0zdTVNHFa83T
+  F/NVsDwzIRzuy1srNGkOu6U7+l9Hu6x/0SsTH4nGKBMldA42FflJK1ho+hnV8PjC
+  K0N8RChJ4jkljGCAHePB
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node1-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDmzCCAoOgAwIBAgIUSkpRUJYqQ/QIbowiYY1EVFFYT5kwDQYJKoZIhvcNAQEL
+  BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt
+  cGVlcjAeFw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMCcxJTAjBgNVBAMT
+  HGNhbGljby1ldGNkLXBvZDE3LW5vZGUyLXBlZXIwggEiMA0GCSqGSIb3DQEBAQUA
+  A4IBDwAwggEKAoIBAQDA6m3jH0jFh6fTMg/Mv5T3CY4mWzAnH+RgaA7UcgKpNSqf
+  GRWs7Ju913jBZUk00SvTCG+sKIOUtsd+fKDJfCRALU+1X0cRQHDXgAg+NIXoOGG8
+  WiVR4rQ96TjinudePgrW3tyu3V7E/gmKC3LgMB73valxrAdKqSDShP/mYwqqO6Ht
+  2xG410Vp42APOOW9VsZBbtZ6f4WMJ2zpXCw9gBs6aA5xs2wGm0JfWLOfBcunUvSx
+  GNHFbEU/OZUjZ/l4Hu2xK3aaCyg65k9NBsvuLXd4bOWqw6oTFavX38uVVosv9A4/
+  /kGYMaDorYUHcF+M6YeJjixj4RDpb1uaB3Re52VxAgMBAAGjgbUwgbIwDgYDVR0P
+  AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+  Af8EAjAAMB0GA1UdDgQWBBQQe5Y4COHamJ4Sc3YlW94B/wCfzTAfBgNVHSMEGDAW
+  gBSvAPyGdVXJeVcR6Q7O3jk1ILVLhDAzBgNVHREELDAqggtwb2QxNy1ub2RlMoIJ
+  bG9jYWxob3N0hwQKCqwWhwR/AAABhwQKYOiIMA0GCSqGSIb3DQEBCwUAA4IBAQAA
+  +hOEObAmt9cN3bz5nUNqUTmoc/FihiJnFq/2/iu0SMTuuEPJtLWPxgt+7pNV/zen
+  PJp5ttyRNWFX/b5RzNC4piso8MJDiFh3if+4niGlQ1MKEXlNWQgUQgQeQQ3onrhJ
+  fcSMHZ6iJ+O0gDfQQtv/ZsqBMS3w/lOFJBLsTPsnk31dcoFl0EU7/R/5OVMUoxzM
+  A+OA6s/TafxzmauLPUDyaMuhEUcRFJ+vnoz/HzojD3sADXMJIr0vDOQm8ly39sxm
+  fbyW5Bav66J8m4NmFzFV32qILvrXOt046+WKW1W+zMfP/lQyU8PIdSuJp3n8mI7v
+  Q6f94camDu5jpUjj+Pc6
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node2-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIDWTCCAkGgAwIBAgIUQolLUlVe9jtOatwQegOgwBX+eE4wDQYJKoZIhvcNAQEL
+  BQAwMDETMBEGA1UEChMKS3ViZXJuZXRlczEZMBcGA1UEAxMQY2FsaWNvLWV0Y2Qt
+  cGVlcjAeFw0xOTA4MDUxNjIzMDBaFw0yMDA4MDQxNjIzMDBaMBwxGjAYBgNVBAMT
+  EWNhbGNpY28tbm9kZS1wZWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+  AQEA7xv2/Y36/LeeUMFWWJ6ztNHw1BIEK8EVjQumZgl3fk7yXquv9NFbto9LXQo9
+  Yib8741Q6BFtZ4ID4n3h/c65atA66V4zWnaVivs7UVsIoHGLz7lwrb9plkHIN118
+  o56ipWWcojiUfulAHC7wMIklEI9F9zOhRlzgvZbGpy5dSGQ6ZjqRlWkOQNxVnvY8
+  qqJnrrC6ucPGZqibhUo7UaLS4qlf0Yp/TjGsJjYsNwTACFUZOMpyZZuqoC8vLVWr
+  NYMAZrMSoUalP5NNrKCQVGBj4saOIFDNcoWAF/Xdd21TTnYHyENrEaLrfBEdiKL/
+  Qjl0/l3YXVZ6IMNLcn8PVQQ3NQIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYD
+  VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
+  BBYEFL4u6Gx5hZrTzP+wWpzj7STuOi3LMB8GA1UdIwQYMBaAFK8A/IZ1Vcl5VxHp
+  Ds7eOTUgtUuEMA0GCSqGSIb3DQEBCwUAA4IBAQCulsqsgGGw8DxUyrujvxdOSNqK
+  G1RRsLdhLFVbgAZT6W8EHE4sfGTkhSZY9zpV4O1TWzfTxH9RsUa6VprE5mqn8Rpm
+  0mCtgII7wEtLHMKtoTYrBaWO3tfx6SgBB0DxDrr/kZWQ9tfMpMpKbhGMZa+HacEi
+  wBwARUinvzoOYBwuPOtzWH+Yc04j4aMcqZZGw9IiCQcC9tnXMhsBslyFhmLjoFla
+  dUSdQPwpVCdMwpNU26rnxtWjUUpX3pT2BkATvfY22Z5e6ZZsaX1zTY6hqMhPSHiq
+  rjjAEbBvbGCaD5obp+9+orrBH4fg9ljRekJPmiSFEXorqlDiUzYtg9URuA5A
+  -----END CERTIFICATE-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-node-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpQIBAAKCAQEArwDdGvpYwHpV0z6rxTAB0QCu/OdULCVO2P7sCkjUi24bK7Qv
+  E5h6d1Sv30v79ehvRZIanz6xjghiQ5mqIa72ogeZMnTh9j7GmWZwgGHOp6QSy0Z0
+  IKcfwbjYwlAqWlvlZlcueRsuIu/TN70ywsJohJgCfE8FwSvIe9alInVf+IVpTyNT
+  vvU/JdgL3kLX8PLl3oLjimD7/Qftzzx0FK3nTbFGeYIPKs8zGTBjYyaGJkJLA1X0
+  mrkL9EQBgbvRGM4EQBMsLSyqFofbXbxNiJeD+TBFxP2lbP2OvSPItGE3odHR/QMa
+  Rez+2ySLpiP71+glCILRLZOCMxxpMH5RV3PCVQIDAQABAoIBAQCJ68JV+qtrtn5h
+  Z+j0FSu5TjKa+q1pxVVoyy+3w0JPSM19Ghpn9Sm/ViztbPL8EN1xFP6KNly0tYLM
+  CBT/SubxN8/S5i8XZM4cI5HSfELj9/kf3zyyZ0Qt5sJeEdPvNrGKgHcN1w/7VMtA
+  CIoy2AiLR0neMmE0po7wmm+2wo6KSzvAOg/84NImL+NetMzuFzE/ACi7vl2KIbPR
+  RmXHBM8h1tThMt50Zkzs/Ax87cMme4EAFd84+7dJNZqYGDqE+I94XkZiDIbPwmxY
+  mbH9AyeO+sOYI1mrQgOFg8/M2U7SkzUKizOsqr3OtsRNMiiDC28wRrJAgYSAuX0A
+  09ofBRaZAoGBAOWoXJUIe2JQwccMQqBUNW5vXrgtyQ8/kJIit/zv/NoE+NPobMrf
+  3jxexNAvKuIgWzmaboUwaPTcqrQsr1BmjA++cTu/bJhwCbSKNd2DYypU6H+oqugj
+  ui0Tx3OSsKGnfVZz2ByXUHiEXEy3mbIoaxxs1YNgrUNryTqYTK1b0lGzAoGBAMMT
+  o/WqRO7FCbELz9gd+8rFTpP2fELwo+gk97ys1QZkMvynJn8/jDFdzKT96DD2jeJq
+  NU3lRwTCOYjmcmJbYsEuzUZIUxy9z8iegD/AQ8MI5Pq0MZTwEZhc9ye8vdI4Dq2R
+  PF38fqy7+FF4FDyiWqeVE1gsV3mZtLdUxa9E9cfXAoGBAMEGOAJ/JY0lySjukhVF
+  kb8nVhpBSUtKps1c5v1uDDyGj0k0gjQl4xkkohFEg6uZfHM27It/e8fKrKNRJ2zR
+  NAmLjIqmQrUA/fdDbzCmXLPYt62Ma1E/rhxzEmF+On00VDFUnqCxQU56GUXVzxWh
+  yR0UEIUivZ38Ox7HoTLYCTbnAoGAWghriMtf6y9HTM4dzCnyduBfZszBBwgXLeI5
+  8Ht4Ce4e1hqzGtGSe4pGE/QXwNlaHKBWH7Bs+ZZGhZeOPTTePDjEhuaEbWRxTK9S
+  k5nB7Hbjb43QwGOYS1DExTNIDIjQxWydhucs874BWmBoPp/T5TpZZj141eeJz38x
+  ibXzFZsCgYEA1rxRbGrErVcrUBLMWIkmwMH7O5WH7ECfiFllHp7cMIISPxSepCFc
+  bONruM1Pbc0Vh3DGjpmCwTlgQ1pcgzZnKWyjuzYeWt/1cTiejodxORVdpEmIbCVC
+  5484mvHCqBhF62eNJsVvPKhVfFFt3QgC04vUR3GsfvVqYsXKD40XIhE=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: apiserver
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAmGydTB+pOnbSQfOlz5oxl6K/JUphYgThjQ+gpVZtS5BlCOS0
+  YcfM7zxnN6iGzO9RVnLdt0bA8jgfA+N9rwsH9/qcPHVqoSt2yxXnS1DJ2XW3SBC0
+  pS5QMaTkVYgZyW5fsxeS0Vmgl7au04OktD/2dM7fCqq8p+u7+0CY/x+EjDRPd+/5
+  6vTY0NG/GFvImkJ31H6CmbSDD11243ezY+WqJM+kR1BJBnNCVXXIXqWsntHSE+ez
+  vFtwZKP7qRqsvNfev6VPTxBGBbv7XSTk+kehoRvBmhDXF1EK9m3T4bnGQA6ioHcF
+  YFt8AW/13BvfyH/5U6jhxl4FWNvKjSKEFF4NSwIDAQABAoIBACtk8LtVYDZ20ZFZ
+  LmGWQnwrJ0QUkvj27sfcJR4tJtyWdU0832XfHicWCUS9Q/NgRsXX2ettx0yuUZYn
+  1AZbm58ryAMmYn8UArP6vmigzXaNnupzZxqHvukDSsZXAxBnzfMMyQ20+JV4uvkY
+  x3FRrHbA1psQ1Ljx0gjL8ULg1Dmd0m/E2zL35Iw7imNl1q62VwhRg6Xzo+AvbYYb
+  x3seb1mpyyh40G93UyNZ5ACmy+OKURUY5N/dwiKR5SBRrG2KevtvTIydR9nXKqnv
+  YNLm+6u57PhwOtZSNyVteiUAAmi5t19udXoLWap7z56iwanWDQhydOpMf/2ux9R1
+  OvDZ7NECgYEAxKh3gsdM4MLD8S2DsVVZSPH3C0rql8o2oDzH97gfIhW+IH6mJT9q
+  HsV0K9lfe7jqDljKY1S1w6AWYfAE6BNUhf9Sd2UWYvIN/iS9Wo4vVo2nIVhJ86J5
+  P0W4fPZv6/D2KcXYcugGvNk5U8yEdrJatUOV4W4Gur59w5ZwMBDGPD0CgYEAxmsn
+  oy9bzGvm6ViGH2Jeanp21kobJc4J3Uxb9dyYQk08F6lTtvD/K1/AFyX8qxbwrKkr
+  EARiHUXNIZwDgm36+88HPilXJ1XhroDnYR6FXVeZDvpGnD0YX1RVFM5yD/leAcw+
+  E3b5njrTZ2Kfqo2oCguGpdVRFfDL/cD6ugMkYCcCgYB5aLg/mOMxb4ygfMTs2hBB
+  JICsDBhAlaqbymp52MX/uQSj8wyHulq9nJFX8N8t9r8pFE/+evGsUE0BMbkVvblU
+  8IftBg+IDn/tAqmUGmvHN7SStXsSWqAYG+cF3u7B7wVKTMaQSga+2Cy4O28cCIhP
+  l+YUQmUNLUVfVqT0R6ba0QKBgB193dVee6mFvDugwca2a0wuSa2ONDzJRCQVbnG7
+  yRHJww3NSDkf1v2ObNHD/qs7bKhtOI5X6HFrZ5MASnE/gZed7PirUl3xYOr8E+gW
+  jkISfBiC0K32UsIQmdjO2ptPOE7SGcPw4idHnRZ3zT2fcoOTtP6/Fx9IvDlKTroJ
+  L4XvAoGAA7RWLfFfZH6LtoO0VLxaUN3TJ3bQ8JPGOxbo3tbJEwj/Hzm2Svh+z+ut
+  5bIh0UFvVvanC03Z8LXe514gvHrsTklCcWidKOIsj+ncxqqMRSMvnFTeIJqqZ0Op
+  aDGADTQC0Nc2VvRq9CwRhO5FmVKPQvFcp3Fu0hVMUnk0wbakFz0=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-genesis
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA2Nroet4p31LVFgpZEyskMv8QMDnJf2y9qvYw4H/vlldrJDWP
+  MKe+iXeGyik9c8HLx+KS9TsW74yW4XFIUGRvAdKa38WuQApq9pLMEfOHKybdKbJI
+  K77rGQONVxis0odVk2S6JENxNHCwkL+ZZAf1rNrI4pyVoTvXk7AiVKnfSPcyF3Q8
+  7KzqhD/jzoooE5A945lHGCnTmKJ8bP6hPOpiXaKGWe8u2D21+qo/kMgn0KeglFFQ
+  hFn1IcUfq5ixJle4fNZU5mdKeqBYHrPL2vHcFmo0Pp9lDp/XCnpdrs4QVUJnLUQF
+  D7xm1mysI0CCCuXNQZ7nr493itqch8yXw6E2RQIDAQABAoIBAAaTJIdNIxHdTg6c
+  A7VcEn3lU9VSezR81IdRbYvw9Q+m2N3BLfU4sMM0N4b7lxxiXM5TpUcAIqLirVRq
+  fdnKIb95Zi6wrKbOag3Nx5gnvQpm5D+2Yw/IexJIFEn2uo6rgcG1RRuCW/VOEVxi
+  IsFwqFc0TvDn9HVt/gxBQ9kzSUzJ+5IXItJQ28d6E7wLQ7HFau59ywt2nu/LBFPD
+  QZyaTG4e3JNnzpc2R3tCoQu3WGHr+mwadpRinvQ/RdpLd8ZI2t/Yv6DqBhXZKnlf
+  72T04c3ZuKO7dLIH0PFc4or7PjSvfcFCxQpVjXV2JEO5CGG9xbWNlfyWQuuWGve4
+  820EuQECgYEA9x2LZVNJdj6HvuVtKUiunXqNZHm5LcX25I/brKtl2GV5uLEay/Iq
+  0bDcKVwuHTuAOlcHomb9Mb5MggtXHEPG9rIqKNVcs19ECAwitSPqieSn5WPnMLp6
+  fW0m3nTH3DsPZqBB9oo+ouTtd0ukeGFL1WVmwmfajjF8aXr/uP3DfMECgYEA4KbY
+  4LA744twWr/Bruig3BLjv2nJ4WvdLh3d2ajZT0tZzPsbgU1KEtuigBC8Cq1UMMLo
+  MOd7gvyhL8iKfqDG+iHQs2OrxBZusetY8gKe3V+OtbywKVCZ841fXLcnKWsE81AA
+  FdoPotSPWK0vBx1oDNGd25AU1H8+LSVKNb385oUCgYEAkVDrZyNqIMG2u9hYsB1Q
+  qcSmnv5Bmhw/CrtaGBkWpAFQaf6j3mjDK1pQrXXKnGAgEK6bC7J6lCTvAs4+ZJ2q
+  w+mThz2o7MZJ0F2qj1DWnE49OVTdYDdYzqdAYzLTULveW6BECgHTwaDT0AJIbo3w
+  tUWS/yFpUZLiMXkmJhf8PEECgYA9VbBe4B7pyDc7v6D8xSyuCUY/C33/2rg/kA3z
+  EEOMf7Eb4u8mhViU/3xFZMxCSgJzcbN9LqYtJBZJ+oG9gt3wiuz1HWBXIBzG3M+i
+  +44uOJm5CrQ6A3SU52NC6Ap8J2jpmUz8qlWcilY8ysPNOH0hCtYDjTnyrm7mWokB
+  VUbIFQKBgQC6TOhoriorfTk5sz44+QpjePB+vcZWvV7NjXn7Ky6xBwvryUo+yhIB
+  DlCToms8q1JZB68kLt95r9xWJFrDmLvKy1yMNmLJ9qF2HuGmtEgr15rlKL+ea5Xz
+  Y3cMY7J1tfL0+/+3rSSeot3CrhBBAUo0m8yTWejKq5KpKFltsdUARA==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAq+2bIEDhxqyewMFr+SXVIJdNSUL8XS7B2eR4l5VGTpBxwSm0
+  FdrJ0XPdzBtGzZ7J+0Dz+YU/EnL3lXMJGTrrB/4UIIFK1/eVGtxYnPZ8m3jaKx4b
+  FqUQKQc+fF1OpfRlkJvppm9sgr1va29kr20XSGYsVkjFD5bXZRvCtHR+cmST2gBB
+  aVbV+sEkh9sz8YCPGQnitdHOHoBAqSlwisjQRzAB+xw7FMJ2AIsyhz5WsdqgiMwY
+  XAn4QScF/f0rmw0b/70rMhQjUY9CBuyBsdNBkHePbX/U2KHyD+bRbTDcZggl5vtT
+  eoIPKGlkYWr9XtQq2sl1nyjWWz+Epl5tXbLGWwIDAQABAoIBACsQuWq61dMOKjXe
+  PU2LTHd9br6LKOuuaqBJums92P6U7+mSqKlQxHzSqRwXOQUIYU+uVW6LEeFtKtck
+  mYLYX0cBPclmmXi/a3nu98NZepz3CK8EO4TQk9uzFNPSC4FGVqqCY2RtRKD7Eo22
+  uWG30b0w2qpCUBo3jnylF4BcLdA5N/zojnloq1qslv7BCQi0H2u+ynQwzr97CSGS
+  1d1VD0E1FOZBkxcsrvtggQh6ZI4iY0wqwSte9Y/y9cTj28HgYLDp9Szpro0mO5lo
+  8WiDbSM8cErTGEolRsp/PqrwrbZL3DCbrAS7WMNVMICKEWlp2huKv1TS/FBBIEN2
+  4ZZrLwECgYEA396fEWu4TX/xquFIC45mU8rthy4YsaE/zRp4Nd0jt/gycMqjAKf7
+  T1bja4LZU4KsdZ0ICBPUzNnygFmv/4OU4lHR63vsIuDjQVolBue2j9hw06pBNRyK
+  Iurx2YhQoCjbi95MW72QSucA82ggv6nj8LeWfgiWlqCVGirjKJgHad8CgYEAxJqP
+  a1gUulSC2Ulhof9XfC4zdy348NHu+dkcJ3aU7gsOMHN90r2focvYvOWGvi+SMy1r
+  B3QesufSH/e88Z3EiUD3IWnSvTb1uNIiofC2Dm8E7ozMTHDHM7OVgvaZ/MEEZDG6
+  /zeW+6r71+7lKHGk0cHQPXVZl4HRFRPShPBi6wUCgYAbEHvkjERMwkICKZgfJYkD
+  ak4LAKyllNv0vNV5lZGC5TOb5TONmcFNFzEJR1lkujCFS4W0DEm2tkaV88HOPycZ
+  sVCSinnCwbNXrEE7s3mjrEP/ot6dQCUHEaZJaSxuIGJiZ26NzL4MAB9iTd1frndL
+  G7bK59jkvucnsbWiq7aBuwKBgHmiLgz5Z4mH85Q+5Bp3gUagxtJ7LMLA/xqwicyY
+  frdvO44aRcP18ScGmMb1MhHEGK108fygiMWiystgWBMbypYoDT0s3WaW9BsuVqLd
+  66SuZty3W0YHmBaSinOF4esP94mNguWXHOAC/uCvOjN1a8UiJZWAXrdvZ02k/9+j
+  YW+JAoGAR1BbnZ3F3sxMtFZBFmOvjrQGCDofrI3onAt5rSxtTj6G3IAgqMbG5es+
+  MtTvb0rLW7fnOvg3N+Sma33MAgAO/eSVO/M4pg+yqOPuFEROiY95pKvNadJDB9UW
+  +iYyU/0//f96gq/V7YemZpC0lFylbeGYmISNpgmB5rHdh/RMVKw=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAnIF/2CoRs0vcWH+njIF1sY0GfYoFISGOHlvFOZBTprJUSkCx
+  7x06nit777GM5VknhN270sjOdcYmCUfpCftIrhyswK0++sfte7KeloYN5ziIBKcK
+  5CltPBjiX4Q+G+aMGPdCaq2GcMoIC4iJ9R7rAMMRpBXzlxwPcbzmKZAfzyIMAVeE
+  fWHhurUUAg6EAuuFI/wFcLaHF+S4FlGdx1n7JpOhk40b89S5zFIYveEfUi9NownD
+  5She4vRZACC3dQ9CNsaBK/Op/3r7x7Tddd9AO5E/mZz9sY90DMmIe+4hzAy2Cnon
+  D0eFqgKdObSyFML+yEfPnDX3JHcznCU7rz0gGQIDAQABAoIBADDGp1puWg/gH68x
+  Mb23hz+rrQ8pGcomlA1gGoqDMZ7tSxnNKedU27T55mlgk4HTFF7zYBskXDwWYjpY
+  QAfNWexxoWF3XP55mskHdSeCZgje9H1Gtj0/r/yf4MVWCKlXY+hP/1IR/KlgPbui
+  dSSA20rkgLX75Wv94c5Xyf/AHDnIbNBiHpdKvMk1FE12eb21l0g5p7RDM84ANzOi
+  4HkC9UbGLUz6WvxTpqsBkb40+1NJnYfsphS9mo/nEpGlpZe68EMu3d34Ip+W8vyw
+  opik+BuUuuVjcXYI2uXhoe+Y2aoE8Djal2HPHECT8PnkkRP6ANF2HEW1tUrocB7s
+  zmRbuVECgYEAwWdlMMpifq7PVkLOm1oLv11nfjMkMCiIdewEunab2KPCI+MDUNbw
+  lG2aqgkIhEQt+djucz73kO4TpmOSFppj++4+AlCjW13fSW1QjTf0oeRMFjDCgRah
+  mlWxUwJ52XQUFBvSMd6HtI3wEJhCA2ReYP1OSBx4x5J0lTsWonO4670CgYEAzyjk
+  0OSNNEvu/0deMzuNJpm8TGiWnNuU/uyLx84vzIiQypGyfZvS+ZTouwBqPXmbflwL
+  352iVKMMz24RLQnWzdVVrvaC/5W+ggpU4YQZDw/OJg/FwgkiNFMIHjJQ2/RFXE90
+  tGYfvHVFp5e3Dcmigpn+e8HXfnMRaHRsJVTofY0CgYA25s8G5qzHIYCiEBzuZMVo
+  8W7rmEDxmtACCZneBMWA3hvCbDMIw7tPpz18f0v3oBMdFcO622kTr0HMvf8+g11W
+  qu7XYWS+DwvPoER5kiTTwCcJNZZBZtdBJIpN8in83MLGYo9ssKr9Sj2XuGEk7V0N
+  U1rhhZOTs7N8mWV3gDpCUQKBgQCJapYGH2WvaCNcgSnykDE8hsRKZyJpYJtAUwcR
+  /irk4T4ysV0WR1Q2rNmImmje6JkFw+c4aWdx/0qTGm8YUiuEFFynF+yjv+BEgLf3
+  dFnvDMvxoYrMAKUI0n9TEItkrG+KIUbIF+o7aAtRdak+4x8CxUXzMA1TWt8UTA4k
+  4WLrTQKBgB47ULCLv3eRs4+2bFddQkP9H51QdLBvk5EkPdTaPLFQ+mziNEOzLZYV
+  eTbk8+cRvjV7GxVitPv58EqipYUL9Z8PP9KQqjUEzxJgU+YvnFpPTbLIG2s1WNRF
+  zEsXkNrhSB4tq+dAVL6rZbZXGv6wPm/W/wNk9X6Kc8qK4SP1xT8U
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA1T2LtQdDI0nZYUtRffaLzwteaMHBFu3GwPZg1osfd57YWhNV
+  GaPfJFTgK+8GOAuNmEtDB2ZU+QDqz68CaR8MAtVtc4A3OfjpSp3d07pvntr7xVvT
+  4RaEpGeGcJYkyDsmCKGg+cQCnJjmhUmyLYN5j2wU618OlBRxmycqTfTbxPx/GjHk
+  a0CfgwOjKjCodJZlxxKbXWK1Rk2scE+AMbGg2KRoGNVh69OwXIHdZ6OHKFpx2DfV
+  YP3/NLRPrjXm3kQ4Lx/oAuDhIw9/pFfwgn45BWBy5VNrKGE7vFhH6RvBwsWa66bw
+  exHV/JMmqgDY3kIRIM8nHx2gycsn/Ga8NAt7oQIDAQABAoIBAQCYcbti26I/pBfn
+  2nST3KHujm4b7gggYDRq1rg8KJGCbui03IVGI0TvME5imiqT/o5nhcaRj7LHoMQ9
+  XRwYEr3/eJ0aqVrR8wS0908SgoIxytObMB61F+gTsH8IFg6Nptt16Daw2FQVp6mF
+  OD5NE2TgB6Cc9AP0EPl2tfUkbhx/IcT5FxP/BwzNAz6CpUzMzFxmT7C7xiylyy8u
+  I7dcon/ixyif4QLpUJqPDtfM3xGhVMCRqNMbOIIFb/+tfno9K2Ut87Y+a9JfJ40T
+  sjby2KDryBLsi+VmEkk3j4WYqObZSJKVGjFl0uG9CeKSw9dX81Q7ZxoaTMjHWoce
+  UjOaj+xRAoGBANu0wU7Mg3PTVxNQRvnZF8HvFESPrG/MJgKDm9Ck1zGlzwWotqsD
+  /12r5c3HlUTfkYzttWBZqHEUPB+GHkokbcrdJUETxYgJoj1J1c7xjgUB2mHlZ7o7
+  8M4VIEMQ3reebK/fUQJ+fjj6Ey7UWPgFE7MkH8xq4IRRNMnZyE0mNXajAoGBAPh3
+  XIlY6f+UkoMZS+JlERdF13DFgAW5JR+GWyN+ovuSsw1KwlBM8CsWq3Q1VrhOCf42
+  UhXjlG2jWrhVY1hL6iDcQexyTCX2NMgpEuQlFLnWDsLh+/wvYtDenrE+iHIZbCb3
+  5WEPBYeMLFlUtrUBmahTkQKHcJvvUDI+Xm3Cp1zrAoGAHfXbOoynDF9wi2CyHRYe
+  qEKbB/JzuFclg8hAskYYVlvfDE2Cg3WrGDH9x38E+vxl08sCpd30G1+AB2h5rvCi
+  zDw1/Vbd4/w0VJlB/9Nu433qMtleuMW9w8ybtqmRRYbkGWOhn25ydgCcJxGsBD5k
+  /lPZxj142nJceX4qU2L3fXMCgYBpYJ4zdi1QAyAcT9c6PmkAONPFdU31n29aLm5q
+  4GOZVL9xrLo6ulbFv4iZ8aFE63wbf8hSlkG2OijYswY+RXwX0bJ36IXZN9Fs7taf
+  QgbHRjzedF+dti8vrKsbOw09bwDKiiqTfn523YFVpbMTk4kqtb5zlyOwTs/xbzg3
+  Tu4SXwKBgQC9oIiWyXsasqOcQHoD64dAziSFWvcDoPu6feFOGiMSwcACRJGVU0r3
+  6U8dlqVmaKRa1Vy1OlWs4W7qHutZLWCzqhB8YQv+iJi1wPt7WWxbO454dJMOBV1H
+  7dQlpucItzhIq05+Al4FbJoVsyVrPrOan514/8iBpsNE2J1hX6yIyA==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node3
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAwYm+Tt0HhNllQEZfGhs9JZeALMg9qCTYjQnHBDO50bAE+koV
+  6j41pjuDhj4TVHudg0pl3FP9hm5Qs3meIiD6WJ3A6gtXvRuvIgbwK8OncK9RDTPu
+  3kNwyFkbdcxMYE0X22sPmgjxRCTDammMVWJMuPFmN/Wmtav531LmnPFhy7Tc/H6W
+  jX3Xwpn5PXz8h4oIEggg+IWePpL8AXeEBtihZK5qTB94WQ2HMMWZG3mKKcqh1XPk
+  HqEN2s1g0X2ICl9s1koJXgkSbZFreZolxCxrC4AoiMpFLH1TNzjgaBFU2ZxeMc+V
+  5M3+eMQASJynGY5IMPJDEYiTx0Ua1HbI4Fad0QIDAQABAoIBAQCaTlRpVFjWVu4f
+  XPweOHF8M1qCWfSuxxHRAWantwYEZS7Sz5bBeHAV5YVr1rpatWRUdVDZZi3QrMuz
+  DNhDpb90P/K7p+eAYz4zBw0eF5S8h0s8F5fvph2Z31HBje2nKlBHJQj/avnRtu4H
+  Pbghq4o4Ol+hZj5QwpkqsVIk919dpaTYnU3Z45mD3+wxxQsoTx4pV6hNyB+11VKI
+  j6/kNLkVcokEQ9YvbPp+lf6Rqg3k/rwrxN9KLNlllE0SG7Y8rxSWV+fGIF4KTSZC
+  xgIAF4DodrXrlUuTNzCSqzG8PRGGoldKMq5Tnvj4NRZpLpVK+9MguYGTpPcp5ew2
+  QOU1jDpBAoGBAMXx7XMbgfNeOBGnND4Co7+Mw9pfdw2iFlTFYfCjEjKp9ElHVNyp
+  3CZKsB9hDhsh4BLK7VxoQwn72OjQ92ZxevkSjOpaQTMaU1aLUJMRK5oPM5FKXSGw
+  84EbH79z6pIQnUZ8nPsRHgK41c4xHKU1D7wqmSkiIOZzR4kUpDpqX491AoGBAPpM
+  7r4rkEk+Gg96m02hwVmMZCcPB9/4jNa/v3Z79InrfLLoO+NqCblD6d2jGIUBEt1h
+  BeXX0bhKrFZrhYWjwzB120VlX/JmX5wsIqEc0kmRb9CsItRindmqTC2EtQxp7jC2
+  G+2YQw76jjv6MnfcYCQi+gX6vUi4jwevagHgjEVtAoGAHp4KJWjW0+b58zkSqpjL
+  7T//t1JW3uP4YkpZmNgQY4fIQmFnLe6UH9Qjo+bmQKoft6htyIJUBEJRTcmsysq4
+  w7fr1f/538atp1BLOURJoz3AszN2blSphYnFgl6SpN8vBI0X1vnR04f1gjw0exVX
+  BrrsD+G4hwzDvt9Te7miaFUCgYEAto0hmsU/CIwoiZ2MY0RUNjF0YiBOSAWJAp76
+  zzl8kpKTchB6jVQrH1nu2V04Ztjvn1JB8O5E4Lplkun8igl0NIXglG5pWetcVBTE
+  dOkGXe2atYC2Llx2b+gKgzBEs3cW56QKHnFshyIqVogWAuFRpUl1PKMxJjak6p//
+  Grtg0skCgYBnOPDHBUabmeeDTGZGJyuZgWVNFR5vuDSXgA7lR0At+4XXpCGq1s4w
+  AN5qDf4ORr++YlYmdTBHkMXRTMO9U/JBs73klKeczCMR0CIxVT76qIW7wsbRhfN2
+  SHn6rRNZdkQLy9d7x/0r+aA2Z0TSL7NZtDOyaXgOj3tu/7WjBcZvrA==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node4
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA2W88A00iEITCUL2GzVSr46TH9jQRlUF0gtQlJUJSuN6SBtBg
+  vRDi6x8yjA2TIt+fOPDUxI+GLbkrnrEByB4kmimi0jVaaN7o9in/CWo7DbnHxPks
+  jnigDbXzGV73iHaeKoa21LMqCIOLwWqg6X7Rb/m4wTmG1vU/Dc8FCRtBo6YX4CyB
+  mWYm/AaW2ncK3BRDRl0dwRcktylTelyc55VD1/qfUX4m/mG82QhlVGC4DtEq2zwM
+  mJliyQtB49Chd6tLI60KcmDIZ0RX89gfpGPdA4q+XQtWV7lZlRyNSEtxbqa5Ys88
+  oJ1a0SyQxRzyDOC3l0mNcEJrbnPFm+HpwtFoQwIDAQABAoIBAQDI+oFNR+GhxSTb
+  fqP4bThIvco675wFCzCHsVH4Y5qU2N2/QKL6f35P+FE/lViYVn0VI753RXawEsWX
+  9GMCN6J7gNrIVJqR7uEEkIL1j+Sv5jYaAnvF4QeIRNNEczx4PbQq+MRMTKMgpX7r
+  tASybw9l4jx9FhBl5uB2ghFUfoYonSya0BrV5pvamszDF7wumtCU/xpiokCiEOnx
+  CsLldLIFSL71b5friKXo6HlyZmEsKzcGLVyjTNKJYtUl0bVwOR7RMqXjwOATLGRD
+  YxRvhNxVm6gFJCwvkvkZkGynt1FENw5IeSOWGzHwyN79DA89k8etgv2TVKhrC2No
+  kdiHqI4BAoGBAPDXnnf2rg/Ld7DW+zLodCF5Y2b+pfuI7XIg0Mw0NUo/AMBkLiTJ
+  J7gn81m6f2kOliY5PB07E/LInowRZtBlLJBleNzpAux/7zAA4hcoBTwTfOuRuNPT
+  w4t7/f5Eao/lVDGlGn1hSpbg5XTl+ijJt5Wu/EQHp2ZScapQGCEzk5NDAoGBAOce
+  eflU4vGLGATRTC989oLfkSs5yEZpIkqpnRu/8Mtvz7LBfH6Xji+sG0b28TIvfzva
+  Rq8Hm8Bp4jIcX6bp5+pDZ/0US0T5ojLqomRzOBNDLhLkJ1OwHO9rBqfDHV0szgrO
+  BnHA8NB5Gsh1atsJ3kwBgMsOubXeUl2LHTi//QcBAoGBAI9lEakDamdlEYJsvWt2
+  E47Ko3BzNYgp4pYNC8RJYWEvWdcyznaAffGbd7x42dtHIAbqFOyifCIVaLCku75g
+  PsRKZkfBREhjc5n1LKf04AkA4WOwg4c7kjW+QV/ehEPgmtxkHP2Bq9NhW7zaILOg
+  RnoMkY4/sF+vvpVU0skR2E/ZAoGAHZ2sJ6UXB7i5NTTUvGkY9aBMa+uVnGAwgrzF
+  Yx7vbkI/rTpaB6bIE5fMTwWp1rJ7bWIFGLyy2q82yxETuMHUdBJ7KtUE6CvM+xVS
+  Bek10FIVf1o5J+IzcwKV8b1w79Wj+YJ5FO6SbUR3iCRzsunK0JaIuHyEk6ePimkf
+  L3x6ogECgYA/yUTbteFtcPsoXbdk0ooD3RuwSTlfURKwxFvrmJfrUkP8FFAENRvq
+  S4jbm4OnuNoeYb4Oxf2bAEY1qWvS1FeDDRzFi2TWMKCGNjeDh8CBgkzC43K5dzZP
+  5WJiUB8BUhcNbGrkQzJdr/nJYSNk3um6HxFwlSWhM7V6QR3/v69p6A==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubelet-pod17-node5
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEA36RQastwV5f4c/UODTf28c6nzIjKlOflotbJwPejSSaBSkxA
+  TBZkyfwG7FSr594GKsInPrak8GzRKG7Dm6A/y+n7iHYx7cMiCBANpZhh9muExIZu
+  Ifpb0XpCFbBYKN/0k8JrTEj69VG/X2npnpDY8YIv2inWraSkSoH3UAsje2syZhzY
+  7jMgTwlYQFR5AQKC3oYs/q2zS/RvV5TXhyOzMfPWtkr3TE5nxrp1tWPsLrAX9GSN
+  tP6EC8bWdmMWEm1b1ywoOJFDJguR3vzq7mCoq8SmlStWo3h1pkcy4FKgcb6j8Lk1
+  fYjmFMIq4ku3RATQ1ZB5bo39fItRAeTEqpY+gQIDAQABAoIBADvZ2peqGEeo6RoH
+  VBpfhtwRxUBsv2J4aTFaMCZPX8ic4G8E1xRFzfVsWGH5CwSDm7zntt8GvD+Hr7YV
+  Zo4IpeoplWJg113dIgdsXGqbzGPJRH/fxiubt+ToxjTNu9o8jVTZ7CM/SMJMfV3I
+  l3gTJawEfk/xcH2KGVnDTG+Ee5t0hbYu2FoksvD+b0FYLzy+FTXbAycdpmDXNGeb
+  gILCizTd/q4puNfg9812UUJ45GWCHVQZcE8hZsP7PT6EX8DiNBFwK6jBcGRqnK8U
+  RzenzyDD+fTEZratcB/4Vpc4CemZxM1nVkmnkEkkSGuomyDSXBVY7VmSgvj5ioFq
+  l4/EvpECgYEA8SMvCSnI1RdqjO0E1pMCkrtWeSfELbSosAMe9WUJ3j9o00lUK90a
+  W/KJVyGEWaAK9cU5wfVwGqxEmum3FfRcbU4N48mTOSheLUZ9iNrIXeByRe4q1FBG
+  1tu0tmzo2Teipg7FIBipp/0K3lAc0GKIQuUjl9g+rTputgMscy0QnaUCgYEA7W0S
+  /pdt8QwiGLtB9s97aBps6w3xMTCEQnplnyIwDCiEKOuqmm08T+1/6ba9tipr0TeE
+  /lRwrlVztM1pML9pU3yxijugn0gHjR5qtfYCIZiGqiWtA0AsR/Bax4oSWJRj+TlW
+  glqGjtAksDCbt+8GSLqfyDKEyRPDBcQDZpOK/q0CgYAxBkItzrzx9czH0fhF16WS
+  R1wRTbBoym3xOvE0WtJiyOl661GdiVouj2S0vi+2OP+BcBOKB2g/Q/6+r/11DTUt
+  U80nHng8CqT693XWOQS7cUJKTV2PxLJiRFC9Ne8xGkqLED2rhNgZOyzWfdsd0qp5
+  TzSpTmGPvm17u7FxyRuzsQKBgBZJjubnQCLIiMrZiS+p+mOjV2YZQPLlIwU6iB+Q
+  DgKWKxHMTY+BgY/fM4q05Moc4VIabBmTw6AZ1Wq7fYxd630yz1eykTligZL1r/60
+  wS52Ku3962fKtl1qapsgkuhNxbS3dS93X/o3/7mqVnPFtElPe4BHfb+CY2Q/KjKO
+  1xVhAoGAaog5dsq4XVRhTaMJJG+iOqMCELRFbaKRRneForcaJZzTvKfWI+G/x7lY
+  hTg7VoROnJHUvfJ5u4GKNaJBvXE1miWZ7Xct5DF9VTlGkiyG0qr4NuwLS4tklGxj
+  WXVjL8jecK8AkQp7km8HZCRJOk3OU/LgJloc096HcIp28GZCUIY=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: scheduler
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpQIBAAKCAQEAx4qVolEaF1s0eKEqkCYybqL9v4ODiX+GAglz7KIQxXZzaF+R
+  SVcHxrbeMJV1eD57tpIdm6kbcjllTsnytTef5iaJeEyJu5cxyr6xhwyQNnuWlbHl
+  9H7LlF12eaNv94WAJ/S1I1bhjt3gj6vvXbFuridLydC9v/ELzVG15d70drVsfDvr
+  RGbBTPBTt1HX0pPD6uvaKLUwy5vLqx1uP+l75+EhmE1BmVy5c4SnuUdL+/8zqoPF
+  I/07wWY0Jq3+G9zSNeweVIxOv+vmgsUwNlNFsiu9XzzI65ngwaVHvelT1JT1ahMe
+  O97oqOd+XgYFNrKphJzvoLNVtt6/GdnAzjv1/wIDAQABAoIBAGV8gqZPgWmnpYRE
+  1BUEmFnU5CHnjZr9FPcsP512v/juSbwn/wjCDt5uW4tyOJCzltBAeHaXB7KMpo3w
+  AFVSuSyhJQHeS57xQw3O9xOsvBw5t1jjZgV4B6qp7nvnOCc36vpnZ0lWAtpa1r+7
+  vr50Y8qHifBXDmr0+f+vM0h6oPNOZIxapny6V0XUCmlJD1BrkpPes0RLM6yz/ALT
+  1EprK1LUGAXXOdExwEHiAaL8RyMBVrIUhQ/uXeLytqieP2lDUu9xVKPYBN+YU+/q
+  Xx3Lweu3WFmchG+8Vn+JAenhdUxiass4BZsk7XnTpIEcRnUr1RA3XJpwX9Dljouu
+  YuBOzsECgYEA2S6UWp+5vDehgtGKmS/LUDQzcgh/a/DbKhBgLB0pVItu+3Kykp+8
+  Vtcd7zryyffDb45y7BYw3qf6IZEPoJXs9aO0W+/TXr5+x6tAiQEmGECpnOwPRuwp
+  cdFVKc6ghC3L8ISYFklzK3Hh0yZKEiL5A4VqyQDF7yzE3vsy1T7F/OkCgYEA6zTW
+  hBVDRwJ7JRgia7FKv5l2wxle92RDZ/Mn/ZwyHbrjLmVjJGNvCSdOJbsFQvOMVbO2
+  OhFtg2YJSqAGscO6IO90ZwT9cLsBBBzOur7BOayq7I3t5i2D3Nw5nix0iKP95YxW
+  MKDWJxcAhT2QsoVIszTkskUEBlduZNNwdmZP6qcCgYEAlbU+Hpor9kqC0yKOX7pK
+  dCcHr3ucGlQVP5G6Oa6AZv8Wqc4OunPR6CqxP89qvT5FQgj3vzYsyc8Q5UKReyje
+  BxWpphZTpeO6kPjDq61XDTDFup4eic0RZJvgEMmWbIcFJe7Ax9wpv7Do8hxawtXI
+  wVyel6Ao0Q4TR4HxMH3tDMECgYEAkIHpHkOWDyW2FSdL1pCZ1TfrYJjQ4Pwn8dDS
+  DB4QKHXvKE1AaVXyHVSZzdKmu+i4mtsMJYcZmrZxFPlWw5b2X0/fW4AUWlN6n1U3
+  qkKSouW0KhxVQqtKLcLcX5L+kgj3cDYVqlDW4jNerX4SzavX68qei+ydOWw0Nhw2
+  J3hat1cCgYEAzaThgGbFLplA7X5Fz5fC9QrZRzYHRQPMATcaFmmRQSAT4cOgsf3O
+  Fg4pPyw9zRE4T2/BMPIj/ScJ5Z+jKoblNnZ1FKvYIp8pQQoSA/2vkeprOrXlhukZ
+  kK6ghUCh/s/gHNDxIiAdHQmnWxj6QMDeCkm2Yt0IZdDZGRo+SvEbb1I=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: controller-manager
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEA0U44kUUxDaLWudfqu1ACN2Hcq2+Ne/o9+R3lsxj7u0oAezLT
+  HodOXCs3jh3HgTiUYsnVkSoJEP0XpXOeuGOujb8GrswDYaYNt7TDQsJqv2Bd0qDt
+  Ew2n8+ub4oDFY8XuvspUEJz78Vlvx73sJ3uuIXEDAPzP4hwg38/A6cQtq4SYX2y8
+  vnapKVydZJojcDlKPldgEO2uBvzT17aPBFxjHva1Znn4GcCReqCbKWH4BF52VAAt
+  MzaAhHqIluVtNjlv2dYj7/QNbSQuRaudtTySrxHWZUoiarhMjnGUGpFV4m+t6vEd
+  J1yzOPJvBsb2bxytblz4d2TeIlQSOySicZrc7wIDAQABAoIBAGN7Bx3cwhTWGbLY
+  8gM3YuZJyCVfbuLHLJ9z21IFhNgesx3bKUbwTok2LUCJ3OIJL1XI0o4daZO+h3em
+  /YBsOHG8ooOACfdmgkyXSNs5Jp1xQwayYBvXOMWRbVT5mVfzoqbh6ZS/2Gt888j+
+  9vhJK5lPansUrgWtEt7tkqZJDN/g2BgDiQNt6xkSMz/CdkLVUwD+xQ5Fn0Z5bxsA
+  zzo231TFiYUny/9Kx7q/LQIYwAD5e1M1xCMbdKEG8U8yFNe04Z0zXkLtOhf+dkcb
+  xzd4IuJC/bIW+pDZIAiuzmzCfW5BJd3t/5bZQl+a0+1bsyiplyC1PvqGxjkVuTxh
+  6KtvwzkCgYEA+WTqjbATD5n/aGwUrARmeL1qb/Ax+3bTXgeileax0RfU4rGmTURw
+  EBI97wWlEMV7tXUQSGYktKFUcWRXUzTa/L5GZmTieMSlf9CAORSpT4MbQRq9PWv/
+  JBc7X5gsNsQY5/o9VgWqx1FDfFsYULUS5HfjvWdvvGuYbuW9MHw0rL0CgYEA1tl5
+  E9H3fRD8HDVmC/giW+SzZCYiq+4R07sfExHlgFHdVdxWzStwSVg4Ze0aVt08ra7b
+  lTSPndfLVIxEBObdyRCfaulQrKeR3p0gsJj8kngoldMjKEYJzLDIuYnf5agLYAeI
+  1v6k4pHhRAyfi63aJuYEVRvcLInvG7XD+j6CCRsCgYEA8syo/iB5rirDWao/xejS
+  yqG+ShSS1LqutVDBnSbn3yVQgRNrULZcU4ku+tGIDnf1JIg/vfyTp7eZOnvx+HPw
+  7zdf2rhFNEZeybz32Jqg62Q82Hlr26yUzVJA36SLBxaLGO2rYWBLD5myFhOp7Ikd
+  R4jhE7jsM4ic8vp/4gBKWBECgYAb1FWbnKHrIE0Xtk7+k+iXcJtQCKSLEq5ad62B
+  wdqxcWkzGvRfZRYJWhUMFtdHkyat9K1auVE1B+O9kuGopOLrjWyo44ngo2AAruey
+  GE73Bftz1MKED/Zq/icx6UsIK2k1yiQOfTOMaYr9TolIBX/xc+/xukcducwwEa5N
+  9tTPKwKBgAzgaU0mhI6/42sMgU4j9zuOvjWvtaPGTgG7NCozoZWFcQCB9Gp1RN7B
+  N3okwosJCKnrqLiXkgDMRTZxC5iTkTczN7S+U84NZd1E3GGIsos28xAoC3Cw3sNj
+  UrhnQYn5LZS81ZmUcpwAUeViid1MpIUX9MY+xY6ezhVjSFC5z6Ci
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: admin
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAsaBFOPnB46jRQrNT3ARwuquYsOSuL4VyQ5+yZY6WgBsAe1E7
+  pZ+VjMXW5eko9DgNhLbpED+XPrEBHFtmW72JFGo5nrm7Lj+vmv3f8a+JL3gk07pa
+  FLAWIuPkN0c+cBTvOj8odrqC4dh2BjAbkJaOiHk/w2py9uaS5qIowGgTeo5bi8L4
+  y0vN7gjVnH0aQB4VGq6+fJXW9Zt3cBhyYfi4/KA5jyN/VlPPFvJTkAjksexetrpN
+  r/ZFWsRQiSFbTxlpJIvGZ2tdmREEtsfwPCYgi+/YyC1pCAR5PF488XYncufAGm/E
+  JuuaMxiTmmhnbaVIhjgSmFnnFhUuX+vAI4TzMwIDAQABAoIBAGGDtl0IKJyeUnvG
+  zXQNcAHbMNF0SfhGz6s2Yg8FD7S2njYVK6TKjqSg/FBuB5DDsRA6BotoDdVaAV0b
+  BH+69yWhB48PMia6yeJSG/6oOq03zSf7t3aCETUIXYLHdwy7QXZ9s+4yiKYKWwkc
+  ohVnwkpEHnBe4UyQ2vcI8UxoFsGBuZtKiJFfxjcmxXNwJBSA62ydZHwwfmCNuz4c
+  817q/LeUIZgynezO4gqrr6sWizrDP2HB9id64EgmEU3lL342yXbZCX/yfel8/eio
+  jwXA1IS3ae9swt0KzrUM720sLTqBtzi8E8BYVyAEMwQ2Af6++dpMv510n/0JDX1B
+  ZUsldOECgYEA29OSj8vOhnObi2d3G3gEzUmYLyi6+9ngQc38wX4gqMTZNWdEFj83
+  1l8dxfOSq2zCO7Np4bdzO2S4Ky3Xe+WGKNuXyduNIIcuUXg/7sQ9NqLIszQCDraZ
+  8Xe/aM9hnTVeSa3SI1+Tir5PUaVA2YVYq24MuLuIY5eof1Mu2ITA/UMCgYEAztr1
+  3BLj59I444hL1cAdjNoybCq6lYrFcyckDhnTL1QyZDPL3wIroE6Y9d9qN88ygNeE
+  a7RP1tSnLVjomOIR9kR7Krl6HRRtJzm7dV3ed3GTBhSm24LgbMYU44ef/TmqqhId
+  Vh9S08rM3Wbe1bsKD3LtZigCwygQ+oMUayf6W1ECgYAGQk3n/juRJHWHUJjZlV89
+  oRzOKvC3/wodlYne0IKJi6FLnfcYUxB58Bde7YJ9kwksvf0Dyj9jr4h24kVCZ9Sc
+  ETSPMMsh4/dzpmLbn4bGqXfhclekp5pWf7xZdZ4n5b8bhfF3xF7lEmobvwLLrrpJ
+  l0aRc/V8MHNBvNKWo6EDFQKBgF4OE3KQqE4VOUbEB29WnlkYMYsbVqF+as80QeGj
+  fnHrv8nt/0oUa4/FjSlm/54GuTj6RbzPTOoq4STuYzx4tqAafUJs+YhVbFhEmOcB
+  2pDG9In0Q/ZVqQPsgTz/wxBZ8y7Hc81gCsJAWSxmhPX7yNRDdoxXrwHbqvStO1CJ
+  6f0xAoGBAJErnksoLP1Kl2bznS2a1AeQV+qdKTpdVYwP6pgouPItwBQ89vBT2234
+  N6on1lRfewIx8Cz6xZjcSQgNoK4zXaVhLydFLEB4GHPgDqqR1gtNcfV+JyE8Mn8m
+  fvMbANbHnzFqDMF7xLnpTaDQ2Cx57K66tJFAJLMDPSm5zBXcn4M0
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: armada
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA3C7GPaX+CBwPz0rAbWorFholDrZqV4Q5yOoxPfrTRJsKkjpN
+  PG9Wot3wZNukGWoUzm6uTwu+tasfaOGHUH1EmwhHXtKavWhfuzJziXXPL2DWAoWh
+  drIkM0c5oYHqNSIiQk0Ld805jtI8L467Sn0Sy21oSwIbPGVpcQeYtI0rOHLxev5P
+  w+KkmqUBImjv4otLtIScRlcVLiOFqitIQMX6QtJ+0sQTmPye4ezaYg4o0kT6R7xu
+  aPdPHH25ksh/yzQTYpileV9TVSv5IhRrilqS+TGVNT/5MnIuMj6cDX8T7ZM03/uU
+  5mVVLHlxURDZACAhad8d+t+qRkfIuc20PQt2pwIDAQABAoIBAQCgDEgBi+VJ08wS
+  LA4P+npzSHHjbemC0BSI3OMKYIated2HSWXXJj9dh+I0DgwMhTW2kHGX97uaplbg
+  j/8iHMx/vNbUMFZWk8XydsvRAZemosctciFZ/EegFofnxF2QXc11UDejz8Ok82DY
+  WPH/RUciI9cJnvBZSIYKqTDxHSRrlJfBCgfghaqBaYqk/21iBivKQc1m0jTY9TsK
+  MvxLrhFRSLYLeg04xBVpvvUVQ77l/YZ8HbrsLy23fdeDPPP/XaYxM8JmV6KBYjor
+  vESBR9oFUK8Lf+md/mYjliCKzEH2CCBhPve/iYsIAkgZ/vazhJZuVMNmqpXYo92t
+  zBABPHxRAoGBAN1vziOth69Jsst/gqFdzx6uTJLaHdBr3eAMuBZ//1TCv0XDPi8J
+  U7dvM7itkTChZvVT+OAk4qQOsGzovw/HtpwQ2IAG4su1bV2tX0JKDyE5FW1P2PWE
+  UvxY9AWJAmanbBwPMyPfspPD1vP9HLYp6g+wMiWMRREQ8IU5HLMAF1LTAoGBAP6M
+  3FBFnZEvQzQ8eTRcin16vLViCXbpiHctXKHZI5vicucY9YEQqx3+ZglcOTGICi3e
+  5sJ6lPban6jEMb7g8uXoqNusnuV9OAxUI8PAiNxOzb/Qba7GDpP5v4BBB68OfWNg
+  Ob/Y5TEGt0ZqlSebLYOq7yKF7/GBS+xRqSj56CBdAoGBALs6zsyB7Ej9Ao1oChbQ
+  z9C8RYihnjXdDqRjfL+hiE2twLaG6CwzMbLW9p9/OlUpE3n5f2ReK7fVp7zearY4
+  AiIhaD2QFPFzPL7JWdMd9X782i4sJmEpelVeDS4k83/CrflnrLD3cvHX1AdHC6DG
+  /d43956h5MASV5v9d1Oujwn7AoGAB09QPFXjcnni+isKaACIUZYmuSa5ktqd+p4o
+  3NT5es6D8jL7SduKrm/Ryk8FrXB0qmCOS+NtR7F7iEMqEosvLn8B6l0Iqxpvc5su
+  874hsAHrUqjPnYc+f+1aHHrBl7tYynPG9MVrv36r4K/K3LpOEkvkVh92hn7qCT1H
+  GFAk5FkCgYAnvm8VVMCnwmzPfGAObxo786P3kkQAGMP0vfew/Fyz7hCdE/H3yq07
+  +42aE/jfDo+tLKMYMleLvHJFMDtJFBM/ohTPnD1bV14a8SFJ4kd2V6TZzkVfd335
+  4E2+iFyyhFQYgS0km/xeVPd+Vo6e3suznqhX9Sr9mEEVJw5XOkTjyQ==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: apiserver-etcd
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAsLJuWpNsBvXtNny+kzFW3BPOVt7hkgAMRtKtykDNev6PawxZ
+  oo5tuL4tRb/htj/htig1uI+eCKCo4TBPS9GdVgvnWN8wUzqs7DQcGKlPrGlvg74M
+  nh4jOh913gdOSZRDQgqcOSE0tAOWHVGUhFSFgdmqzCL7d5XVpqjLDleAM2OgSmhf
+  8juqQmjtcoLg0Ioso5QzZO+MUIq8qWoo8bfFHry+Dy0PVZyDm1tLDBCcFrjNndrv
+  xh7gCdvbN0wHTUR/RUwFLGcT1OUTLN7aS9379l2ROHjSs+T8JpjIwYYZ0/XzKc7W
+  ofUeO1wTNjrrWsNNa8Syw75io3LuLQcTMu9CcwIDAQABAoIBADQKeWIH5Vsvd0wC
+  9YYYlAKBetYvErSTewoo5rKY32wIKWlX29Z6qGou6NqQJwQsUGf788aF1f+ogdTB
+  C7nC5NoA64RLR8pbj66JsnS4+RRIgWWFxeWT7sAhn+9iq3YUSrLauSRCWWljXQUJ
+  j/phgmi6GQnCi9musZxCPnvc3Y9EnRri4G2/hZqIkyEdBEzXuYjUcibRJ8dTrPVN
+  va/bMHk6BqauuORYyuNBTk/taal+Os/gdnClhR/dxPhae9rz27DEUvcIfEIouQoa
+  1kZcFWBj+FieByW4Q8NzQtHDVe7gvRrAlhTfIT3GoIkQV46ioFmdu3dybMOsMQLF
+  WB9NO+ECgYEA1Tf/oNEtKij+pfGLf3qh32Oc1svn3iSvWxyGiFAiMGMnVAEPt97N
+  eHKNpxzbS6ZpsxXi3tnNzrgKwRn/rjVJuqAPi+TEEDHOA1Nww89HuTT5wHJW7ZZq
+  tTRorBe0v9bELrDS9OELPe1pkBgdCje90F/agkbH1Sz/bPj9kPt5WskCgYEA1CZ9
+  SV9/uIubK7V8QWaDIKcZP6Q031EvmLX+q6vWkJAMW3usnOTyprt2KghAkQsdXSLI
+  a/Hcb92RscKxin35kOKrbzwvWEWuDp5Asn7IqcZwPw9rB5NQFN6EzhtmI3MDS2pz
+  sAZlHQKJTpMBCae6MgCB9JPNnty/kkyzjarNlVsCgYBeqUXsd/G9TgYAVoTATAmh
+  y+/NzSlcDp1rrfZsfmcvZFYJjY8U6u3+E52gG8eghnlW8NiQZ9JffIYJxSkmhrH9
+  ESLV0PLa3cHA6EKgLF6Dc2mObzT4tlcZq/LstHmi0g63S/ncji0XiVfciVgbOTQk
+  VuoD/LirhBbCoqiwvXTbQQKBgC1Oevssde5Hgj/3Zi3hYqeah/3bZ585i1yloVmw
+  PQZqfPkclGR9UITjC/01/fP7162IPB0xbc5GF1NLLPdSp/WVMt9yjvnfB6j/ivmT
+  se7v/hC5jjXz8+pBC0Oo/ksbyNxWQ5aYBwgG/qPVKSeStmTvTtGYrxT6N79aug3L
+  KFR5AoGBAJdQB9VA3++LtKvCqrAcemKXismdYMMSQfswFoSe1xRzo2FtQWiTjHvN
+  iekPwH2K0z47Kso/UkcpFuv2RuY3p3M4kPebAKp0PDXoHYjQxbnJ+K0m5b7g2kvb
+  Af+t2zTKsM8Bi0YaTVhnca5NekSLnz2d3Ln9YQ/eEvl2MTM9w0Xc
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-anchor
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAo//LDTeBygMaipDHKzjxz1GcMgLJ/d/KU6pf2Sq3e878lOK9
+  w0EiqvVpJGDq5R34HqRqXpgQuxvTHoIK4TmkMzI9QLGTnGtgTvo57qMP333Elf+E
+  gyj/m9oeNwzpny3laIAMFzzjik3mI1aEmMq65dnPiM7SrrteCDdfM+w68KVTMbN/
+  zS0daeFizoQjyrfEMS/fhXN0liKPmslc/UWTWwY/mzoqtAHDKUlNWMgNDnkpFEH+
+  ynE75My2mat7n37itNFd1cfcpBjzzgQZW6rGn2tXlrj9EWa4m1kbNqqEuOH8mK9U
+  xj2gxiY0aKHWEvvoY7y4bt3uMKhkdYbIsTUWZwIDAQABAoIBABttv7cxLmrsA/di
+  6XzIJGFJQ/d1UfU9BajimO9IXrG9V69LEPPkI/k13GTyNLcnQQVW+Fdj1YCF0dSL
+  aWhr7JOHdokoagjCSLRM032fFhuJ/GQd/Tq2k7GsVFtetIAj+/dzWxJT47aQ+sm0
+  Qa8QURv6RuSZutDwk3SKVkjn3J+8slQi7aBhNkMT1UAjF+CSH3QSFG4Ets7zwWBd
+  IFw3bFbtzNGrDcwfm7/kWE6hbh9mhwrdRxgb54CC9dBYcSBbPIvLipXNIcrnl9kX
+  GfFBfRxwnIWi+u2P3ygLmKdO/vuDZcwfR2NkzRrMuUC8zRnE6lhzWm72ClDVnJk0
+  SXUhwFECgYEAyIFYwBKsokoZFueQoeUotT4zPGlWyl6PCPiBh/OzqQ24thviYrxH
+  h40sHWeeRCwp+B3GU/f6D8Ftaur1KJY6YDLlG2Afwd41JipHlFWtyKWwxRt4+OUj
+  4fAcwWt1JdQH6/JSnY1o5w6TjMRnDEX/L6fMX2/HWFywRpLao0LfEb8CgYEA0WPV
+  9HVHpFcEGjPIaoaSZc3K2tV1R6QkmlHhDQkzi8AjhsD/jnBZbVhtbqb4BRM/Uo/x
+  3t9hk9+tV5wpdMQsaL7g+FI1pgqLzi8lknHJjfzFgOORR8ZFq9A8l2JxmQmOzmbD
+  ZefaV64MPhZL+1MSKMkSWyNHOnbOQOZRjtkc1VkCgYAMD2utMfJcWKSlsgwLEOOf
+  8zvVuGhWB9YGrhvsd4Yo9wBTQ94cHkMXLjCnHCJy600i9XeGeXX7GKFiOvvAEzkz
+  rBwHx4JhgOIlh4mCrJylYwH8+SgPoIjGAFFaeQI04koPsSWzAFx8+W16nB2uqU8u
+  KKOsYebVs82OkSrBgzYztQKBgEPtvIJi7cv9wsHxXKpaX/IQ8idOKo8ETC+YMod1
+  HbjPq3bS89U0034qus2z8zBKTzespQ3lsBU18llCuxw7bCDLE9bbbLYiI7rPBsRc
+  j8O1ZilrKj17sCyOEKoX8LxyIlcJdYiA0A+z0hruRtYQ3ApJOOBCMKBh3IWncnwC
+  KV15AoGAYty729Ip7dg2YJx/izNoGyralRcVF9NmvExH7LNoLRgfuO3oDBrk+4n4
+  TD7nB5Er5B73/G0zGMoL1++PQAamYqidmPX1QOLkW5CHU0qWpYzaE/o2kzXxc1fA
+  l/hzyKzeCn6BV0vHcsDI2O2aAQxzdHihm0YvmkB6v3G3S/uPxcc=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-genesis
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA6K2/KMidfiYkIoYxQz6SCLhy29NqkqFCoZwgSfBEaXYwKwBq
+  D8NgfH2fr92RZLG6OTXI2rEOehS2qqRQEPFZdm8qRd9+mbJ0EgdGbb6KaGiIVgvn
+  7RnDE4IEFO4h8hZZhL8rxyEDjBAAnUtsaObs8sTWNWZTGwu/+L8ok2N/bqsnljw7
+  JibUlGuenwIrpEyj0SbnogrwOc3zUwZ9VG46NGJk7HtNUFOSfc2mkg+l+u9KNHlK
+  c5Sscd1wchZKgnpx3GKHY7MUINkmW8OaY/+YV/KNDEkp0povTocHxtbgkfs/59/+
+  9DWR+nF7dP3RZL9CIfmdMICoisvm4GhlatwOlQIDAQABAoIBAHhaXtWOp4A35FsD
+  RHn+5HSkS60PN0HvLdMAOedk404VtyaXCUVsDv110WKbXfhSwfuTqXgNO2rEShQL
+  9+o7nMXZDGmmCAsiNk2Y+8IKW/dTkqnHcMjAmZn+l3PoFSDulJFIfTF8DySkply2
+  RbYhNJECZbarXfNQaZUV87wBLEomO1CqDOIJtWojr/urWJTKzklqtv2C+p5tmsKD
+  yF6w0eazppTVOOpXUSjk6ymQNzEhClycWmXSx5m6KnkuzaakTVMqIFbLsl4ld8TK
+  VRGgOxeObSrSfv9jNwPkxpD/w4pWUwGzFuwumYD8T/r+Gs7IViJ6dBG2CFycYO+l
+  lP81W8UCgYEA9CguvlMdQnR2paypebZNNS2PrZbvAWCeBpBUWhJZNTBZn2ssG680
+  MTq836pFZapm1f8S0D041vX/Xw34u5hTOwc+XccpMnCGEzJwyA5j1La2O54F4zih
+  SY+OOFnd5i5UdLCHEM0cq4qFN3Rp/QiwbtZ812yPkLz7VCUPUOMhdxcCgYEA8/cI
+  aJt/JF4R8L4fevlOudieqYeSQRuJOVfHwIGyif/zvMtPtZQZ+BIbOIMCADRRTJJT
+  8fINCtV07fxCqWc2S6RWe/cGSCsiRJYXjFoN4dqaYs494pffCXFXLLUwOSq/2SYw
+  WXo9OCa7WFRbY3fJhdB4j9/KzfjmZNTeigIeczMCgYEA4+gKUgCVZG4APoAgpotE
+  IKqJ3njwWvHMMMZS5s0P1nVugz/wKVtvNbDlk0aGhvL8ES+LaTRstUNlgF4zWzFC
+  J+yIC9OXogylKpA/9I5yI6H2E0pbppE7BMZq9DD20CFZFp+dRFKiO4IO/ge908Nj
+  peKzIAenL20okZASbufFWjsCgYEAgoNBaFTna5k3l8beKHd++kU8fA0e3N3SR28C
+  WaYI0XKv/ev2NHmKev+UuGK9i0Zxx7jwV5raB1WyPC6bquygS08bRS4dmjYZGwAA
+  kQEMNCsyNHGJAdOlafPMYwp7Rdns0Epxyyxt28A8sUBPs6K9mGyyUqWyZQYmmwKW
+  GtaPW6kCgYB6Nk8fOoBbKEJxPzWS9dewTDVsMBc+l7VJf1kBm2pHq86y/V31RuO/
+  KYHUGJKtiY/UYnG+eHEhkbkhK56T/PxKtKbJNAzTNz8Xz6JWCIupK3VPN9e/dKPb
+  5Ik+g8avEUjTy4l2Bi77HBs/lD1vB0fE3ZAPd+xzNu1z0R705efcrw==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAzV5tuExTU+9A/tNkCqoVhBtYsZeNWrvuGiYWXc+6CXYKAhLo
+  eqVbDNTtxwsQA+KPRJtiJlTS1+EYeFd7ZTQHAj/vt8NSdFmIVSpaJdkDBTBLX/D9
+  9b3hdx1u+4ZR3jiU7VDsezci/apB69oBuihLcvCmm3m2EhgFFf0cUAa83Z0U/Pdy
+  Hg1VRSiLcMxxU5QATKuDNUpt+NG5rVP+dkVjYzp+Vmzxws4pY9T9xJSYup/rdb0T
+  gWpPFi8uNIazNCbUXRwHFM5VXq3S0ueNCCVIdA24M21QwrG7NZCsoG6n2d4yhLv3
+  89uSBzY4UQ30Y7Uqpi1vjn5QmqkYLrEuc/5FmwIDAQABAoIBAHSrE2viuGfzgJoD
+  n07LpyOAoZdqQFxubOqf/o7Wxpo/W5ooAbhDHgGhKV+tMjDy0W8pUs3x3EHV15/u
+  GuS4dM7bYaSkqr/8aQ3w3Hup2CRndjqP3sZvU5nmt7jear3yqPBUy7OH9DHlOkPx
+  eo+1+n7Wpd+nej63NJR0UVRJL5w5bxzKEUgx8jdrvPGdTneAmi9r2tKMX2inv4We
+  oHOspopKqb9A7e4+uyCwW2rmtZRhkccg+LWb63LBT4Xnl21bn9Sr9necB3WtTq+U
+  2Z647G0PULthTNXmD7mYn7UikRUyXqBvKlaQ7aXGWqwOl7vfiKhKBJZtp+zvN/x1
+  xp8QsUkCgYEA7PAKnk9MLRqvuZQO/5JCWb+0EB4nlWjukMJKgC1CtBz5H0v//hQu
+  ipW0a5r7S6rN3aovkMjgOUb4MH1Qhu9Yem8ct+SVtiN8azSIWLxYbaaEUzs0PTgO
+  onBpB3V7SdAJTCRHNUfrFumIMvAugspeJXKh+reNDrXunKmL7d6y2f8CgYEA3eQy
+  h19QU3DcnYpZpUrBehqlZ1DfWf0XOwGd53jW0//fDt4ECytXseWcvmTa8Vso48Hk
+  y6oMH5+rQx0SXgte3Ni0KuSYes3jEGlFlTybf3ETuFtamGXoAO71X2tc8JaILASm
+  OJN6yj1woQxKGUKK3lbnQHEGWbp8/bZaC6qpvGUCgYB8ghuiW1tVbGuhYruK88no
+  LcQqoB3+9rg+28qYlrAxw/PpzV9Fnkdizg6UaUna1nP+IvuB4v1pO/EaUg/qCIZ/
+  ODpoLDe8EePE1kM8FiWF4XYx4q+t5/JQzC91Gvhhrm/kUkAVMKjKTogi9HIMitl0
+  ZkvWW3RFobc1HieJJXjo8wKBgEHw0uNP+/sQCz/2IXXxpVW4HXd6nSWNBR5P+LEV
+  RCJ0Y8FzURhQpRsE9XPPXRFk2d31fRzZSAkN1kN3nEG+d06CR+iHTpkQHm5+GmOj
+  Q0K4Q/gBjgbEIhJE8T6OFWyaD5WlPBCMI21+nL3/fPXMxKAWi1qnPA/mT8bGLjRR
+  X2fRAoGACn02YKqBiL3reJorvVmTZsefzbv2EInz2qf878D6wSLO53XxdlxqTi+5
+  s8os57XwO9XwhYtcJIjsIoCHJjWwtAz2jdc8tNCZzVF+0sgjzQxQR7roTedpSSNr
+  Fl4kffJOD5rsc//eBDIaiq2QESGyF+x0TM6VhASPB9xJ/ECMGFs=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA5U4DMNAvkkGBgR6CJddKECt1+Y8VBVMbGQs9hC7Z8qRQHnqf
+  AFEs3N5rq+CASmoTdx1/ZjRqJnwoNVF3j1KUY8WNBtx84M0DTY3M2j6FXmOmmESJ
+  LHdxBYiNcs8C/j5517/yuHERs0aYxGOIK7SORw65159yQ2cFlXBW4+BGUkIKUkUj
+  R2TuoyBYRO943CWZRMHTN+eK98TuSdEaxk1vqNzXsvs6dk3ppetXa1pnHPs0KZm3
+  CrOZCg5CWEG5J0gK3vojQaR6ygrRV+sGN85q8433tsfMRy/hmahJbAQVwxhm6Oza
+  +cL6voHCuBkKju8JdZTl5b/91YbaF+pUKVS9CwIDAQABAoIBAQCcYarNZH28+g2v
+  GDZcRkoNYwZvLwSAACBv4PmQJz+eOi8lyiyb08CL1OiLbG0x0sv5pVVYR5DJNE1b
+  p3apeQEYVgcK0d4cldSV1IoLoS3lpIJeQAdpGwAqbOlCjimVaNhBqneHEB2pLRFM
+  hjC81cNedI2LnwMXMrBdLSMk/7QVrgeqqldJGJ7WoK1qe7akgoeTA+MR/qWDLGux
+  Bogsh3i8h97aQdNGNRs9ZBUUmUidN84TLelM2mZ1lkxI2fXf1qGLTyf9AxHQGPfs
+  FoJ0YATQidF8xH6xZZ86RXl9xS2b3pEOU/nolwPxKYLhFuqNrL1lGb0F2wNJmZLV
+  Ktjq4LcRAoGBAPmwAX3m9gkElFSviyqqiUlO6kxOHug7Lv4qZVNvBOkVufTSRMBS
+  apfeGcGfdAo3p0Y7vGlfJpugU+M55Az5M7ujqClj0qPWq2O+IdoTQPysoNUtyNL2
+  rUpPIfRTKv8H/TBKtcun8M6rNWm1G4fIN8ef8KZnbviY95rKXScCfWc5AoGBAOsa
+  FoAfBH5gPOoAsDJm02UvILiOU0WiPo0TnWtqpR5KUnhIzHCY/pqMWg0FRbGTvuSJ
+  KmmuEpkwici8mpx7Q1fgC47QiuLCoB9cIVpn+fJmkvI8WQ6B9KSu4DxkXTDGRjqX
+  +jgAE1bJMMY2d2SQna67DYRTXTsqSIHwywSZ4mJjAoGBAOeQYBHP3WZHpPlVRI/x
+  URl34ruZx/hAyzhVQVu7nqY8zBVN3Q0wYkMubFyx8QB41N3CEN74q+mxK5uU2Pdf
+  NqdTBGY+eeAQ+yqp7uM88AxmXVLX/2QH+nbsJOVfLIURd7MN1sRloGNLTWIX4Mxw
+  16p/nsP1MWnFE/2up+3B1WOhAoGAYdcnigZejmFquE+1BCS60R891NCWYyJUOc3x
+  82Qcd3CixaA2RJ3HR3Yle8m36WD9Toqu9fAVmV8T2FB1X64Epqt84+ByDFDG5oYm
+  80LWSETb3qeywFDhCTAl7bwu9D9vtq7M2UVexv1PqQ29vkJY/QCnbWxsHlVIe5tE
+  QhPwnNUCgYAc45f8x9pUcacz8NynFxAG/C7KwLboz+ssHPOYOBHVo09LtjBI3sdy
+  98ot/ERtr/G5hhCUWUXX2spnbjYLrk/AKFVP5JmaRv2TOz2GKo54DNwsYLb1Ctsd
+  /b7kCHLgoJZQxbqiKmNM74LTLv9D7b06P4BiYqJdgNCe2FBXCOthEw==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpQIBAAKCAQEA5LKMumJCGGvh2YiPaih1JqfObaxIKLbTEvtqrj5gfSMiF/ml
+  Oe8hoV0ce8edR5uhGGzY+MaRmZ4tbuxBSD+u4mjx02ggc007stMW0M+Izhy1/EFv
+  eKznz8orA9Z/HwoIOnqJsRhRd5qKjAoo8a5rg/+PTKjTBQt4Ndzx9q3Hx1AhDvN4
+  ViYswqe2z2vn73wOH/QAcT4ZZ3snTb2oGroYuZHo4aTRSZVGk1nZzNZPOAZLookg
+  NgdIEuWGIUwY+dXoXPfTsjuJ1EijjjtA3VwjfAKKrU5sUFJ/3IiXJE5N0Ll4zhQ3
+  eG19aDCv0jIpShyOR1XIeM3uz+QX1X49/hCU+wIDAQABAoIBAQCU1aqGZgnz0Mn0
+  A06qXNgZJx5N+9AeRxVJBjxgV5H9/o5iogKomHr/hBRUbg1qm9sUhUoTZU8+dVXG
+  GZVGysMq7/dpiRuNTlcqwvvXOykiUkcRexhrpcNbVIv3/HFQpvvB6xuPGG90civ2
+  hWouF0A7cGc3Eav7XYKHM1p5GpGooL8+g9tHKt/DX597fDbf6hYh15OeyJlVdclw
+  pVYscKMomvEMcAS5dMR1CYacEx3Nzep5LkuzLnZKvckucytJXaFsE+ZXUbjvbMIO
+  qIBHcEeXZOVK4u02Xy2BWR2Uybl7NZb7AKFZHbZfxZs+/ngJR7KjaJqjjzjYlutn
+  EzmWDpBBAoGBAPk+LXfnYiQIHL8tu8hKjjycXXDqmSzNwU6kkc6YBim/pe6BspB8
+  7bm+tVRCkD1WkvwdKb2GweCEUG+HiuYG1qojJOTtmAsEzNdXVhdW+gMic+lINKr/
+  Mqj5sbmsY1xqR+1o1IxteSVUtYHK3p5FlNA0BlKuzyvYSoNkq7OFDg/hAoGBAOrl
+  x9JUYRBtkwLZXDj/LahW3hFxBeIUCcQqrRopYRNS+10e6wN0PTQehh3ZNE9frCZb
+  d3L0KdbtN/n/qfvsfbwbGMQMkx6sG8JyQ/9V91dKOwicMYqRqeoyseXgytwM/Ht9
+  +ukpP0pmcZmk//x1+sBOv67bZXmRPukdJFXA7vBbAoGBALpqd+V7aRrb+mw/D3kh
+  0jqhFP5UaNZq2g8w5WEosUtebQPze5O37LIFYmgwFOPbsbnhMgvwE2gSbnrMXOXo
+  7Xt5J6oVzqdHItJZHyn7wqi/hwRPHh1bHA/oGbZuqi4/y6ZUxsx1QKvcLJl0G4cz
+  Mbd7gdMrrgX0Et8tV4LAnKDhAoGAPNLnHRVwVNqquJAkCzY4UmC7+/QyO8pIhR0v
+  2ZhhZKmWIRTCchCFUJueytfVbcAuSXhhw8hplRez6O5Ey9D+9dhmX02KQuT6Ay2n
+  YdSWyWmVQ7N+OI1jXBtoaUf9/2D1d9y1Pe7KTq+cNta82liKZ4V8qQBylDoB+kbr
+  g7EDrgUCgYEAqVKWBVLF37tClQt1jkz+bWEAqnE2e75p8FKz33lO3Aosuu3wL9po
+  MgmaaocFWJm/RSo0vNL3cMGblkoDPXgw5ot1blF80jaJswiMjE14VwFRdf2AyHPl
+  9RSeTOcub++IQs5eMDdTWWqpjvNfy6POO6gcATVhNobOCsvqrCxiIiU=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-genesis-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAx84cvFlUdir2iio1iPlFxQ67x2PqGCr1/jRj1ptPjnlnXfLn
+  AbypA0jpbKS9r1lnSUsJtK+TNG78jFtmfnT2DLX+J9tZm4qI1Z+qrWhM0qlYyPuG
+  qXuSDI+TR5wbz973/2IioTAbSo6E32cTHHWhEaCT4o+iD/K9jZB0LToWX2k6+iQF
+  Bg61rFFAk7SOAO4/8CcsgMBw3Qnl/Ewn8WNCHcInkLqhgSOF21yMlcBsoPv1IAAR
+  khXmF5tr8RGmV13K70lv5IhusGuznZ2FYF9gl07VxQ+kWNIdRgYwPgb2qKpT2pbl
+  jzBX074rc4GUJ3gTimchGLROukOm5rMxRkYMhwIDAQABAoIBAQC6rJkwaA1/cdhx
+  ccoetTY4S/Go8nKOLeUyoWP955FGvaqTnhOyDb+isAZWWPxXzaGwWokw5TEVNfSC
+  dgqmb0RKz+Yq+scXiTEa1VgzN1U/JLUs4cMIqcjkL2gc6X8akWkGk3tjOXzmBY2i
+  47x5RHU98Nb6P9PcLqBmmOXSM4kfjZzKHV+JKLAG1dzN1oBpS2XS+Ak0fARq4Qe9
+  eaBfmTR6V4SeqUmP5PBbxLhJqSKNaXPtsrErI/3sqoamsngybM15HqN/vbQuBGwR
+  YNEsbCDcUTpAJbq6he0Mu7nZkG3FRBMmap56CL9eq9+Z6Rzg63uVJ9B1Ys7tKuDZ
+  MJVYOxERAoGBAOAMgwAraaEdvc2PMWnR7cIVm/21PzAlteXH4TAAYpL+Yt+CNb8M
+  rlzKuSh1qNjDAAEfpuaoJyTBcAjS87bgk29CQs3ghy+n0gGKxJfkMBC0CuEWr2jV
+  OEvyN8T0ChU6PwSnkEgfqDU8RDpvFrxrvGKPvrkU3NVjPjFKNF9m+e3TAoGBAORM
+  hPDs6AVU9n1DIRJfordoPsmhXTWMmd7QQvDP25lCDrO5Vi6vf8D/feeH/+mZe74e
+  6JRGTUYatL4qWIHCpUPcia/C07uPdXRnxGwFUJQpMh4RHzCZyEL0ZMWxUJgwyuJi
+  OLDVJADyH2XEZ2cU3H42FqbB/qPPaJtIDQDpuRH9AoGAMUbPMSRbMRJngmRyC8Ie
+  Nsel7WEFqsNAhG83ueT7yTSl7l6nD4PsfYAgxSNLpZEN2TFq9eQZ592blHVBIQG3
+  q4q5QqqVUQfqCmjI4FdRsvrGQcdJgRcUMK/vUCQUa6LJ5W4tL4+24S6GGwv/xiUz
+  48GVwwMxpsUTEqgtaKYvZf0CgYEAzwdRG0ZLFeK5cFh62jWd0mKXZbOOWiw5sSP9
+  QHHOO4n62SJ+M/H0kWlfnKHpAcasv3k6ApRKKQO42iZ+gpWn1wVcWuX7qj/rDHe5
+  WRfsvZ8qErgGJ8WdJJKJ+/jTFGBS676UmE+AydbHgDr+Zi010sJsAic0KwrAWuiY
+  2jYZHWUCgYARWuy/Vm3kfBR84Kbr8D1RPUP6C0Q1sj4CC5GFpnnCULKy5hP9hzFo
+  PFCCH6oAidnz4yf6KB2oYs2kbWQ/Ri+r/ap/vmeunsAJFmaHr4OWiiiGYOYdSM8K
+  faOKD3Spe7A3vhandsyPRdNOhtch8ETR+bzaH7D9BPaBvGRPUenDww==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-jump-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAvgW9e+5pewHHmfEUTJs5J4kQaAqvXLpYirHAabjVyy4wRGEu
+  GK6Xn5Fal8JElirfPPxtsruwNJ0q8swPsL44CxZdv+MPwlS5HrNFkKo/WHCT6P+D
+  Mlagphp/ngD2SYasrYc/fG1SYObcW0fmQl91oeBEXt53zdQtBZkex92XmviMf1F7
+  BNlyDuKzGnigWl29zjyno3eqmNCfSBlSaKvZ6efvaHsZmsZryviDtZ+0v0TSdkKi
+  6CUOJlh+UwRotsj0+QzFLS93CACpYlBS8/sru8e5xP4qwMfUT1QyaHaX9rKTc04R
+  TvyHH0tDYAGfRzgeTmJQX+yTqZdVOe8WrLL6HwIDAQABAoIBAFfXn3ijBe/vKq5n
+  W9LuDsXP/t2Z0ucy3at/8ErvPyXl/DogEocmbsE9GHv/OmWQ/BHdP3jYeuRXo3sK
+  ClbSGGZHuJ70AFz9fXZLuWTeztm7cSTMuYGTukAPD9+i4jerIjg1xYtnniVdk5A+
+  9JrKNj7WxcR1YzyrUQS9fBU4wtTINLAEYH2T6cVadm5p++idLHAAI9YHj9YpuB2V
+  sJHpk1JktURre0ouZXTs3EES46S4zCpBXQ4WDWqeBdbuv5na1bZV4nMSmMVrN3T2
+  RTDHJcoQtVueoEk2yvc+PygMjp1GY9DCRQ05+qQHSKxFd3g/u4VGfSPW0lc9nzQC
+  CnhXU0ECgYEA8R5TF5xzz1UEOzznPpeRUKsinms6qYLvtlBWwuYi/EZugrJmTPWF
+  D9NS6krqiUUFTQZ9utiaWD0WhvHCDyrNSiZrnUIQYlm9MfnYtnSuNncqdelHr455
+  q8HjEfcMYHf56+gLDNDwLL4KGu9EWKfWYmTwBExeQq6Ese6jlSFrtdsCgYEAycAY
+  82DsgKUl0k50szJUMP9Ng7nMVWbIQC1ilaoykHlKt1TvJhmDNFNte0jqQ2k+OraR
+  IYZsZXY91sFHkT5s988VfQSy9NdUmHZ6xTNIK6zu7ixCCqT2T6RHxO1tz5Qs+/uy
+  PM6ioNXqUfvxXRXBbF9SxnrQlFOPpJCS+MUPmg0CgYEAnVV4StPgDc4f8LeQ/RrR
+  y52f/Vdi8/FokcJimtKoyYz713SppFYg+W6fkBpKaEANcXFm4WEtdZ6G8I8YXeVE
+  B7qCRh8xqbt85PtvGb+RXiDsJ/yMtlV1t0nQ7YwTG2+uOO01KKu9zLREy8aNBnye
+  O545r9RVPZW7KI/bVhh0vDkCgYBzQx5+HYfAz5lWF6CwqDZVb+aXNVU6DWim0cca
+  /ou44rL/HrUqrTS6dld8MeI09TGqVZeA8c2IAg++W9pJbsLOqS77p+2d2E/qcvYd
+  J/k5iqlOxVZNwoU+Zvrh1UwBZgR1Sg1AlEVxYgVnJWt15PIGukcOQihcNYlBWZ++
+  JMePGQKBgDEorNejlcFoPuc81GadTbdnhWAAIuuL6vkopPF6R9wHc0ETDhNfCWWU
+  SvYIEesjdLRRs2Cyr8mFL4/Lgu97zZx4pc3nZVvS1W1I4Zt0XdIRm+mRMyvFatQ9
+  iiyyDmCz/16Gwqv+1mgF2exDi7M/JjWZFPs4SlDxNMbEbKGjF3es
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node1-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAwRm6nsAAps4ZDbhEy0i5yJWTu49FrdXF/YKghHrV1FcIWkb5
+  ELqBPjIcSKSoX8uHxfQgCxVYxb/N086OiZs7lbFZT0DKxxNKGnRRh7lXkxIdsVjs
+  DZgLbeeLr6y8L3gt8lwCB9/MjfFCMXb9059iX733LC6yPDZ3Dz0vMEJzxS2mnOsv
+  ltY7xC44t8ygP0UeePYP4MaPXXFyjP02n4ZkSK/RNWsNvazsMpTdjG370XfrNue3
+  ilWbdGq8IrTLiIRUZ8rQZhAeVG8sNdWChxci89YpSw9h6AKpJ9kC1NEfJ/VLXDX6
+  Ar3pfJd/XwP0Ux8ML2jxuBEahVEWblqz9NMkDwIDAQABAoIBAEnlhr1pzNYI2R2e
+  /vSsiCxy0W5djdTQkkxJyRPpzhrMk624q2fzd7JNivVhze2a/gKLQhf7u1Ux6Zq8
+  2V9fwJWwoPTrXq6Ae0NUcD74dsMZk7NizDMHlJginBpGiF3CKBMvkrdgte87/JDh
+  cJGj1Qm+sPB/jkXssfNq/rwBMjyqaEeQCpzRf2+lk6WTPkSwtD77oCBsYMX2Y+Kq
+  40piL+BT5Wll02IEKashyhZ1HdU8gTUCDieBQNYDxjkeGG5akkNXCKax4vt0G3LX
+  g1fTbXGL/YJP+iniJ02P5EY5baPpYKCmV323MXQwtPC006FSLllHlmi3q1RQsFZv
+  LKf+zcECgYEA+tA6R5vsvlO5miafqb5ZRUmO11SdpqCzv0yqLFWia0u9KaUR8UUS
+  WilamDYoBAMlPmcekB1TG+OoG1sEc5zQcdpmAJ7QBoHkPRNGwpywWv6wqehbhKBG
+  GkENPY8j3g0nOyCW3nYPeXfYwE3S527ngCJNYxzUyWzikfGxz/Dv7mMCgYEAxRf6
+  Ib6wCl7ZBqZWKUvFn1+/GEBAvcLK1BE4RuhAodUkPpQSQ6s8oBaqf46gPRwzlDeK
+  aGkDuD57n5Y9wq9ThXuUNu+6J9rMrjogcoKLT3XTcLROJ1Neo3uBMoz8/tMzRhtg
+  eVV+WV1SnmOmGsrX7ZkXejBIR4Aty92X9K6ZvWUCgYBiZbSniU2Msa4cAtEat9mv
+  7BbE9aZPy7YY88vDTulEbNdOcjsiy3VSt+yZ0I1MXauL2srLwSVsyJiX+tI5RSkl
+  sYfY8HUuSGExcNGO4gfx+v91+PmGg5ZdEG5QW0q3/7MHaFan+etCPTlk4GNAdmsO
+  AucXXiVAzJ3qocafjKekfwKBgGFn0Sm+OPhXGcDskeaE2R1Dz4hnsNdXnrAh9oMs
+  o0yXrvryaPhid2rS6N5zmYO6HU+iB1hElh8HWkdrlAhUZ92vTne8EG9D9iYg+go9
+  tCXIIIAxy/IphLsc/aQDA8HYlR2PyCUO+Iun0H4Q13WkTATTxUOQ+xfDJF79m+zE
+  IZz1AoGBANvc+XYrf7qzV79oPr/dAsqWb9sfrMlJAjAKZ2hGgK4FsjWJslbeAaMe
+  hV6aL7jBtPeQnlwTLXtNnmYWAUpI7GYetf7nNVlk39oovW+ls4KUigaW5+/YnPin
+  TxD/Q3tz4K8IKoL9HJgsZuGrQ/YgBIFTN+4QJsnx3pe3W3JfZBZj
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: kubernetes-etcd-pod17-node2-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAqqj1GasfGP2uGTgFPkH4tG2yhq0dZ9hWQmm6Z5g2O1GLfRzB
+  XpOG1E9VNjt77EuKik3oyspwhBhR4ftrtYVOSqk260pExKLRzCard5i/D2TlPj3K
+  XaGVYUCyt5MGcwAIICesmbInqmsLVpeg9us6aMj5xQ1/CXCajwYdFlRJ+IwBtGOG
+  GmPr2EP2BNwCYLyckhnjVbG/X/n1CYwaqN58cBPnIPT1nUCkai+kYyc28WubDJ+5
+  GlFNCUvVJn6xFf7HBllOVnUJzrK4O5+BAOtWgVCmsLJsK9SkldZX57JrfeG7bhGp
+  ccMANR0/I5wdFhVzojITJpGao5XUtYigztdwzwIDAQABAoIBAH6dkhM0OYNCGxwM
+  yx8QtSOwS4bOA4YbJIxrguf/LyU9b98oKXMwwxTbsx3kbiG3Phc0jGWAYpAutvmR
+  nqzzNU4BU4Sn+nNlVYBApHC7++zA77AJCg4Dpx+bb7zxMRS7TkwFA3KYkgNHHgdl
+  wf/QL+q0SVNgmwL270TzxTre2G60wv3XQ/2nw/IL2YdaEcf2/mD4ZH1qY1IzFoZS
+  U/EVUItzhPksCihk3nGw1PBw5GoAFcOTmHLn/BbhoXJ4JWfKwqMG5hkXWrp853VF
+  cOZsLGE49WmNb1Uwx2hMW9pokh9V5rp24Z01SH83uxcJoQ7n0+G9fKMWm3RrhpIl
+  xKqlUpkCgYEA1tBpV3iPlRGG9jlpBy+4L9YbXSx6HzhbT5qplZ29+urOjird9f+R
+  z4HWayr5xo+oViBoO3lgMziOiMq6hahFs6Bpau9tx8izw+QlEytAPg0nLDGRsg5b
+  wCdWobS1uCHB+uiBkBichW2C+g7zRXnFaJRSftHIdzGxm1kLQ9JhOtUCgYEAy2Fb
+  SRAXH0+AwQpHSqPef8iGsLa2+g0v8MicmWFG269Wf6ZuK1mZ4hKKb/lXM6PiHOJa
+  gLokn8dZIUTpvyC/cFutkzIOCO+Vsmg/bw/mGfUcTrHDGvzgRHRKpnf005/Pi3LZ
+  DkEhxjVsjAcb4cZFIUT9nT9AJUbnJBOddaqTRxMCgYA7CfSp0bzEn5iUO5seGoNo
+  wlOq+/pkcjzGWB+bu0rnl3lFoYp3fdI5Udn4gks7w2fko+uBzQ4fhb/G4ND6wxDF
+  GaVfeoaVjhe6Ew4NgqmZZEwL3WPJqCCXYzhwIRaAkOabayOQ0vLRyRNiXpGF2r3i
+  zEEQEeAiwkmqBIMQFNYcMQKBgQCRmAyFbWNgIsYFa5pFsLHjwGXLs8GhmDctpC+X
+  DbBwLEE7+KT9m5Mx6Bv6tQDcEwIXs2MerCLzzv3bdz3ueT8S7E6CBV9OvlTn9wES
+  PMt44aN2IoONmmHiH24hZdZ6ePlW1szUC4RmJHCkfaJUKl/qxTzZiSIejXeCuBgM
+  2CO+yQKBgQCIsLHu3FGfzgz01riFjLLPKL1MV7W6/jSlIDKrznBPo6/XT6C7pyh1
+  k4r5gDGPHUXpRNjVufzd0BweHPs5RdZsmqeM2IQsvsjwwRjfnFG9amjLIc4omh4F
+  vUTBAdxlYifwrsYAOG+GCJ2Q3T3X4YlXClarhivtSx5RHJLjoVcvtw==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-anchor
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAtT29xK+8i3lxNgWG/YYmE1mNmVuWHjZrB+K112+ix7CDldYF
+  0fJgPwR+urDgTiQFN5cLL7GcTGIYmgArdBZcvUmeUsPjxxUuik/w/WaqyJQJc4Ev
+  sl42owqpfjpYL5u/n5o9azsx6OTxZP3b+rmtPqSCafgkZ/VcJawIDc+jhGAKvhVz
+  Jj6zjmvb77XFR4eUjmBGVwO64lrsH7juVt6n6EnwsvMPVoxQGGAL1C2Q00kyfjLT
+  DrQScp8Ez7N3YhzzeH/W4pr84NCJ9n8Cg9GkIDpP9dLzmNYbCUC+OzA5Egge3tfu
+  n/Daf+JgJ8MhL0YcjX4CxdlX0t859fmD06d7CQIDAQABAoIBAE8LsYNh/gJ6odSk
+  zn4uDtcrnKVBG5TruPyEdTiTuNQM+SbVZE5vvmhdpoP39qw964SWPMu9U+TAd+ha
+  oJkN076+p+2DAAnpBBZQzVNHfr7iScj1k/7gNkYftVKXUbTZ4dZTJ+xnsdnYWCvq
+  yBFu/88tYq+jCQXKLjlD8XNMlw15NfCkX1nJE6zT75MskNI/NaqLt2nmjsRCwCoH
+  Fttt/5lK1m4Ge4cqXaMKLiUi2ym04FZI3m+DBDqqO6QxEgpCrz7IveZsiVOF0B5x
+  9413Qxem6zm9cmy4X7lPyNHgEO26jQSy5IZDHS6zz5wjXYEsNn9RpCGHVjr8fWR5
+  cpLg1A0CgYEA1b08rl3vn4XEsQ+a1PbY2FmCMM3SvFZudUK1BjLUh2JGKQ4rSIJg
+  knqT0SDau66cDxDRTxz3vr02CzZCTrfGl01drAbAp1YuQ13PRYhaM+IPSNLAwS/D
+  zZdgKw4a3WMcfJbnkVJFUxEgp7csoacK+8aI4+atK+oVTpfJc/8pQl8CgYEA2ROQ
+  EeLur4a3qVjs6XcYnkIzO5O5bgKgdzbxpVJTz5UH24TjNICyy6yc/eJF2iUUOdEX
+  Ip708Uo3TyWYC5uiKYiu0jUHDjiujJjdZdeEcCdvy8b3eDlPGCqLTNOsSKKJ129S
+  Jey9CzEFP6wqeDgMDmlvDr1k1OnGxbc04UNQy5cCgYAChIwmcazU8Dp0634jbBT5
+  13QVJxeIaGw8rWB8hjTCs4GoEiaoYADLOO5s1Do/Y7sq4kPU7r5sXMY6M5VsX/XS
+  6nJkCGBUmEtLN9utMgH+Anezn+ftXqar0VCssSnX2ccIIK7xo0p1xAnib+HytYkH
+  ljselCUOE1/U4SzaVPMjeQKBgD6VAz4E3KdCAYUTHAoaycAmebq9VgI/Q5/a+UOe
+  PodkAcXpw88JI4LQmtoe9+ByPCiG/VJ/3UILEXMB9ZmzHsc2np//pa8V7EygbYPE
+  5GupEvP+wq2oaAMhkNNvWwX9xhuT/mzsmXu2gDrhGcVa8y7ceqYXOBCh7SpnLRmc
+  XJi1AoGBAM7o7NRNSSeY8U1D/tgnaSR1lsSQh6F0gJc4hLSigVMsGaFnqD6pQHK/
+  Zxg5rNkPjZHHq5KRG80bKjyOwEhx3BQDwemv+XoCX8A6NzlgNWR8MlkEwlC6Twhz
+  5eBy0x372FZpPSr1Tps6RHUZIqQbFFcUeNUH2I10HbVLEo+BuLso
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-jump
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA66FeENlqp50a5TJD5qhx+RotYhObEA5eGYtCEdt7ntEb8oJI
+  TROVq6vMy6UO0Cl7IJOBrIpR5mSmhl+QisSsecn8VH9hwC5NhCU0PIccGAvf0Z/2
+  8YEXtWFitGanC5wgOtE+p53vCO5R8t1Lm3YGmKZaAKTYL4IylVCL0e2shrMsB0/o
+  KAMYP9WYxhm9zoSDOxOMGHyIRuZh+XEPeWrWcK+wVByVoWX+RxmBezIDvWi+nZ66
+  IFVYt5PDheVgMv9z7rvrNdMs57CT5YL4jkP8Jf5DD4JYNPb6k/n5dxqJz09VhvKP
+  N86kZBqAU6Oc6r+206jcsbmYxuarrqXVTspToQIDAQABAoIBAQDMumIupZlDlP8/
+  UNMqYATW+OWhp4M9Ch68dwCq31ajgPCVXplPTsrmY9kGv50FRGVUwpUSwwOx+JWv
+  fuzphUSOdO8mw569Cf4T6Pdf98xzIC4Rxrka0J023SyTrfVJ4xclw5R6soBz9A2D
+  xL7ijkPg8fiVQqULckZc8aTqe2VBilSTqPM+dpGQ5Wy2cqjjK70MCPdIMevZlmIH
+  bogNSUpsfKZ2lqboE3I2AaJJiGau1/1RF3cV4L+NK9wSUJNJ/MkPzgw9Ll+SKf9d
+  vPhGEsE8QUhT4jPyeWA5CSa4K7QfgLRH6P7VgjVanNKolPhSQCvmyIOj5ZYpU2TS
+  njrN0e6BAoGBAO03EPy6o8zand0eHJjjcvlHVX1gGfYxsNnffMZcKfaD7XUEEMk7
+  90ez3gsaYPdclpCuV2zWYBlS8AKO9om96JiAejsqnt5wgi0NS79ms0P0Uv6zVYnT
+  RbpzH8/Ydbk3pPd7NdoaNEO7iYVwaYUC526G6td6+fDGumkxnd94dxcZAoGBAP5K
+  LJBPFuBA+iIgB5PUmH4u4VEQaE6cr0CzKy6CSTqtmMtKKRq1t4jvqqtVYE04Vnji
+  Q5+gw4I1yXxnHknH+4kzJlgQesnPWtlvTyQQhjGFryqxWaFNu+uflSvMeNzOfhpI
+  R+c278tAEKoCwxzGCw6tYdYmYy1lYmgQc+Xr/dnJAoGAChDlIqRU4ROB0Wk+s2or
+  bdKOGSTj1SOkqoomRFCS40gT4nxKrg9iXeOPD4+N/9Eo/ni3cwHh0BFJ6AHjClNJ
+  tHb3ON2FIlFJ5NmEllmoT8DlaLN5dMDHW7MY7Xv0+ugWkv3ieh/Uie9CVaxAfgly
+  gqks+/nW81WrgV0+osX837kCgYAZhfRnH6kaJSt2FWTtT59muuneqxjtGwj0I4eo
+  CWe0PgxiCzWI+shLNFMbE1yxI4B6bat/8DDvdtqcY/VETpBOuxWULUNF0kw6GtQE
+  uKvfeJ2WWWq3qAe+pKviU4mmEAvUM4EUEg2LhwilJ9XRo4ckl/6D8iJuQgjYjR40
+  67T1EQKBgQDn86z6ryZs7L6lnZuPNaQ7TJiyv9EXeOQsQ2o5qBu/fVNDwYlJjab9
+  OJa49Sbv2ATAnp4ftkkleF/gFtqVFObiclkAhJXt4PqmY1JklLbaWKAxLv1QGRot
+  XHnidwjx1VXbKTbnfXY1EXPpAdsnGmgyTfrr4+LW4TeLaJBNfj/Kkg==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node1
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEA3uECyQsHrCTYCo7P/KuFNRXpqT5h/RN5c8CxBVKtr299NH0+
+  e4W6BkGbuFrj1I+mkYJjtSQ8BAL53D2Df7T29INHL8bSpKm7vs4Vhqjbd7txJXLt
+  yLVbQ1/mmoKfTu0aZJ1nlXZ2pL8tCdF2lRBS5YAVJlL/AL6277l2JWUdeS7ZsLiK
+  WdWeGQz2MXOpvQHlwB003Xq/kIcXSOyJnoO72U1GIvWHZ/lc3psVztWh+aztY3Tl
+  buf667ohCCaiJWD2EVl5Q6HhaaAx8+K3G4LbJkzK+YNK/p4/XrdMRzNN5U0Kac4+
+  f3aIwTR3+2/0Y8MAy5GbiIz6J4mpv0fAX+jJ9wIDAQABAoIBAFkg4lxDbO4KTdrr
+  AYGplbuE58wmhkkOYKNJi4D1bz+Y9hjnfPUopRubYQp4TmPSjmniGr11oAp6pjDM
+  6KlJVPizBuS0PchbmBjVkQYowJtA+h5ft3dsDvMChtWDJvIJH2TdDW9X0FpRmVEz
+  0pgJzxy3+703s4I4wi9bm0OZDBBJTPgbQ/MJmI59YxAszEByxOc2zsQCbICwvr/f
+  E2mZvJUBSzC7ySLZQ3LkYiClp50bRVYNyDA8xPQbJHMw268zWJUWgmHYwAxZ00Ke
+  +OVQte6qfaEP2rMcKQc6MCrZha1223NDQ1Nwg4KiJL4Aj9O0uADmDajjZ0HA5l5O
+  coPfiwECgYEA7X+gC/87W2I5Mr6VEnVqsvuH7O0iGUA75w8aCmGpxRoJBktoYxa1
+  a1DfRLH5aWIKF4W/xPMVgYuQZzVU2wDvDSkIwsWYT4zaKCadO50t9Tmvh44ImU4q
+  +O34l77Ybfb4Af0m/YU5Tz8mf8JBndPkApbr4GGoxNLPYUC9fJVUaTsCgYEA8D3U
+  s/oyXzxlQKjKTvH0SzUnChlwPoIFLUAYU2RrkGQD21QzfgpJgihh5vGmEI47CUWb
+  00vzFm/KdnrHAUfujT2ATsqqhy9ahA3L7xrWqepsEZt7/F209DMi0E1++N5ss54N
+  juZaYfS3AFlTFkkvNfIWbcyz6fMfyoim24ZC9nUCgYBDEiPUv4O3zwlwNzpKODal
+  zTsZwe47S1SfcDhebi5Pp4ac7HbSZPtfDzu+XrSc+j73XaJGsI+GQi/Jtdn870qT
+  YN9EgiD9dj210RHeYAk2k8/qbEYpZVXlbu8hi5f7lh98EE4Okq0YoDDzK5z0QX7G
+  7HA4sdvDmfVO9cWNhW6NOQKBgBv7B5gCrvU6ooxaXF2/fnV39lkNx23wVMwFaA/m
+  ZUTG8VANSYYHirI3I9fzEyVge23EBrcgZGqbkJgmCqGSkC0xGY2TuzLNiBxTQwpR
+  NOlLXVTbqCAnhdjfT9G1BPHVbhGpeejH2YUJLHtE7BFvaqk8zfHx4o5/+5bqPYzZ
+  4Vi1AoGBAJtzPKVdiFlP4QHxU62Hbz5jVUIsBjvWENNOH5uMxqV0RabQxEr1me4q
+  4N3RlJLsjwEmQ34bwZoztUK9ugDCts7E3BoaQ1CSST4IwTePxooZR74Ootxhco9u
+  ZrSLRT1UspjJhevPc4zg61grlm2Y7hx3LqWEHulumNwvnLC/4Qg0
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node2
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAw5QMmK00nsuIs0S7+ePEV4SLSSeVTvQkKFfzbdtK0Ca3BbCW
+  wkbB9ywr2PVX6guY77T2HxaUyJOuuCWFQ2+wjIvwOFY0De4S7g4GHu+88oPwUKAp
+  yHLFYqtn2vGr0TXSUDW3UeCVlXZc7yKcG08z+B94ubBg6fdRO41CKSdwjS9wsBqC
+  N7PuEEogOoovU+OWOaPV4NL8E4OqJWKiF0Xz3BuEkZOrCBP8hX9Gu3oB2HdNxoTG
+  Ic+f5pOZbWFvxYZnNXeVLaDDcYt/yOXKWoAnc1baaeHkQfdSHpM5cDdX/F9JVDUE
+  vi/hRphaTn05zriLplDUv36qwC60SZX/y5dbGQIDAQABAoIBADqXthZffa49J90d
+  MHuy4vWdPeVSuIaI2fRENSeqVQV7M8W+m8vkSuP0FcbP6eCyTMUzn7C8oSJeLC/6
+  /auwYGIa4oLeQIYT1xP+m5LVG/RD1tEwypPE3qGq3FhZorHwv+tLzHn5IJdAeKMj
+  6US9O8KQGyj2UHKHp4yBy1ps+GkzUSOQ5NAdfbTNk9xP6AtKaQsyuN5MDmmD7Tll
+  6dfR9h3W6Tk+60a/t7goYVIwBB8m8L4uhojsQ3jPMrnHt+BIF5Tmpq+2JoKEgHY0
+  dDnomqJ4TgJ9vNbaAxpge/5QF+OCeG9bmlMx0oBUFRyORr9R6L08d/H1xNzZM/E7
+  eIc8mKECgYEA2zZa+xjDRZwqwGrZkGEb0K66Pr83bpXrP2XavGfrMRRqTwRtTukO
+  /AOAVxeXaYXbr3X3oly8HA5r4Assu08J7lMVr+P3rZeC5zAdgJWN0CprmCbyINcv
+  gmxgYzZXR46upDyTeRZ9NO0H+itT9n0W3SNMBtrtp3F18/ILID0usZ0CgYEA5GZY
+  pfUBAsFSCJxLdnX+tkQ4XmZp0G+3xzoNhth7GPEW5X4F8GaJT8i99V6opby6cWvP
+  wfYd94JGMDsVkr64c5qQDsWYNeRSJapSBbqpUVNCZxJ2W0h6ViUm/jEqEZS/vovA
+  m41A9FjaLm0FE65ahCXAO1wA+k2FcnhAPk/IZK0CgYAfcDk2H8QJnK8I74oKSdMK
+  Z7SwQQ47HuchLYNkV+cEH/BrKrBei9ApVns2glyltpveGyYLtA8KWwsfk5qztk8v
+  Td0jX6dqzvroGx9wDILNIvhRVuyMxy+6Hb7pG6cCzTTAuytPR2lniMMHHuWoySHZ
+  TzGdHhLNW9lVxhXQZtXmhQKBgQDEMcZkiJldrIKzMs7/60vpdaCWNpMeoVjUomGM
+  O9lCC5cHe8HOR8Yb6uyCIdXsyLm/REUq8Ce9vQJd2+MkMwBvDY5Boiql4INQJ4Zd
+  tYJMgaDAuXNB5nhwF2nvYHwqrgQnwhSpiiUJwGlrB+schODsMyF13Apa+MxxECrf
+  W9lf4QKBgQCSNYrSjf4eszLBtcLO++6KUf8NbH0t/zEO2jwGpvO3t8UHti+KeqhC
+  8wjbghrf8q1Vpf0/drxRdv2cES1BlZWfan7861CTmyLLGjZ9h84Eqv5d7C7BH/zd
+  MkFOORTjA3VA1FZU7ZmCHuKDH9vtmgNaFEeszikJmK6nlLeISPazHA==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-node
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEAv4vltDeQ39xsfPwmTL2vP9cFR5jKPO1ppxLhU3PPn7+E1ojJ
+  lKrM3bJFqBMlkf+box0FKYjcoiESge8dk0Q7ju2cv0n2xfxG3BXneZ9augeG4JDl
+  nUW6zCdHYj3KFo+9xdVCE8bGkKzN/roKbZLoly1nMoxSRGU9vZdX8oJaW4r0PF7u
+  SFCqlk5Um8ve4esp8FBciAuVlfEwtPPaz+MwN6oOyuHEGL3XvvRjBGJXDkdfguNH
+  yAwnRjU0n1915Y4nKWV8/zJ9xN1RDwlAjOTa8MqmNGimphhRPbdutA3sSoYry6S5
+  v0DIeCa5k4oWD4VeaSZdGLuplklpMAdpxwShBQIDAQABAoIBACW8OsmRNNJVS24o
+  AqeVquPJyXl8aUMthmXqu0dEhn+zLElTc1r9dxSp3T0qYHltwMyWmADBvK2YFFxS
+  riHoDE+xEfNBcAM7Gv6athpowWfqubCd+w5LwWwcxNxezeQ59yn1RGo++7lewcpP
+  /mPt0DKQOEdmC4L76vjhyuq0sXZdBoSXc1V8j6A36JSfcCMN6tmGKuzAPLCam8+4
+  3nU8/D6bRG47TO9YsOPYg3T6ZZwKVluU9TpVrx+J6nIWlflLf4q2P/1voVhWu6p/
+  e/mFfYgYrTpNpds1kwiedGTuMEpPfD6KWcdwKwTjFfPqTlamd5hMIPmx7B/ConUp
+  gsR4iEECgYEA/fVcyt0qIvE1kLL2XLHCjbm+gQNhn44f1AM8QYj5Hu1ULYR3TmS5
+  hbnkpykZVUy5vcLP8EB2FLvLGrE8TYdguV6LPgDkqq6TwGfoLe/D8rZBUxBZzL/Y
+  fUNVY/w46yzROSbWPXXIkC/EzDpSJawcEs8vbQ40Sesj89vn3GKGmjECgYEAwRYX
+  2f8cCeFDqEdLZB54jw7z9TJ5MfQ92lucO4INeIsLST5U0vYmnkSQDhLizSnUfUnB
+  W0+dBeLOoTydu8WhgWsCAdmR9UVv2llhYrL9WrlaPx1rB1QMbczeL19eF1VZSqPh
+  +Fr1gRcblJQLECdbIhshSPQgCJH4L8GI+r6f6xUCgYEAqr7wT5jZfrrMd+hLSdFe
+  bGmJEzbRyTQGZEZ0md9dF5UbtqrMiFGihq2QdW9lj/tRGqvDoNXGTnRgvyaQ09OE
+  jb1qQxrYo4VS49c4vMHq7eHqE833gnkuNjIyVFI9dqkgVputCY+KdJ8ZYvKHTrrj
+  +SWBzoHxWA2Xk5qzznIT69ECgYAiW9oWsqy8nVc6xKUHxdxSKKkEwtyKJRo0lwSw
+  Gi5neuahO/RALgklNLIlrvqo436qZMuBgiNA/uEiE/VFip94th//UEYGzTpgMnN/
+  6rXmxQDoJkX7YdtsVn5bE69cm5VuEMePODBjrkb8I3PshfRTl1xO7RIeNEtjxB6p
+  7+3pGQKBgGX+29mUiK1VJBbt6/yEHU1lMeOVQIMIdiJT+iYtYUKWiwu6K6YNW2gX
+  06PbpNxRWWw9mErExz/HET2onW20wMe5HRJ6uIF8AvjDkofCh3JXg3SGy6uXjOsL
+  331DfZUA+0vXMSnnK3ZOPlgPkUsS4qT/5dqcRpA43mfNu6O1Skz6
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-jump-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEogIBAAKCAQEAtFA10D9aUe/A2YfOhNnzlyogFXKKxH4O+XT/6RUMII+w/PTe
+  m3XJU07lctVPMY+h5SQPu1nhj6uNljp1TzSpXV+PeT0QhzClGpmEYLgVL4Ax5IWA
+  V4YYfKxbOj6r3FDdMtI5FHMva60qkcitPd4dQQz1Rf8YnI8NlyesE3rw2K1Dg88O
+  99QrNm5pVYKjx++rjM561ymhGCJteCDFv2Akg+rOQU96GUJSoW3z2CB0siVAlUwn
+  34SxdEYhG857KuoGkucpr1HX/55znmKrViUvDlfcvAfxzPwtn1iH5s1fGRyJ6M9L
+  DWtFzLRxs68lzeYNpB+gr+ohcqR8zq1/CelkbQIDAQABAoIBAEqWm4wniM84JEhX
+  22AtYIx5iogUt76MftlGQs5CPKADkK0zBhq84Kkri9Ky1m2kAs5s2m0fwyTRTGKG
+  kBxRpnXPn+QBFKM3xjR4qL/xpiHeH8VuTCboe5ynF53CawlaEgaB28bP1x/tpBxm
+  LPPYu7U7DQMFgULSEkcizBXK13JplxomiIeJa8Tf64ecu1e1kznshqlM5qK9C7ci
+  1SrMYT9FO2nZC5iK51rHavTAs4rWbK/w7d083Z2dhrgTkkRWETkIuZXZ+p/h3Vrb
+  OfdSrj6CM3sq2EK8kBfURAGO0dB6PdgD2UAeCQluQhe1VAEJb2AGS0ROaQsZjnP6
+  piii0ukCgYEAwFENTvJg6HLJq/UTIyNj3Pw9U8gfHwNRbDSQS7aTsyQjrp5LNpu2
+  +OmRmhNTj87qUppr/tyvsavp3a9yrx0j6B+oKF5nf741wNC/t9yr2+vOTzKCb+HH
+  voiZe432TKj3MqZMZAAEV9Pim/VdqUoc+nvnrSrlKlqS2D/J/qk6MDcCgYEA8AWf
+  aKw7r5BVSE6CoAIeIH87YripGDqEE/DDS84MaM2dSNrSDQvAWHmHkuW40MJs7OZo
+  JDGMlQP0MsAsB/YMxpT+9PC20bZ6kmNXLC8dEhSJ38EGQkbeqikedkLxhLSDQgxj
+  DHwZiut5Uhbchym+APTB3RiitReNpxMK6lDslnsCgYB3wkFiVycnuUuCzJOFPyWR
+  2HWsNaPDoUJT+oucym5BkRCzTZmSwPb5HCHya3SOyhA7LjRwOicioeZ5iScGi0Pv
+  6b7CnL8g2mcI0jWBHmbbBYWs5cw6NcQ4D0JcoXOuG04MeWh6oVQTCTxFWE9h+2f+
+  R6hmup6IeGyXQ2nbLrCwkwKBgAzlMHBOOJKxHXPaC/iOxJGYZFdkdmk/05LCr6tl
+  8ZK74URlxT1AMWBPfzIsN2a322RK6LNxGg1zfe4wFu2CkaMlpCECwb+4nxM4VRmh
+  ml07T0D/PNfYuOPJe8J8zD8F97tXsQadsD2fcxAu/EAixPuGKtg3F57FGi4svrxi
+  BqP7AoGABlD3ZSAnEew3XcsfelU1I8XEDur8FZYJYdrKiuIgwYbeNQ4XS4PzMFBU
+  pkjM62EXAEIkCyDMk9uyAyUgun6wzm5hZJdLbMraRZp7Jvn0n50lLLLbQIswRlDc
+  iSb0ttXSpu8elbF6rmJAtBhmz0oqQVpliNWr4o/Tujmm512q4JI=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node1-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAwOpt4x9IxYen0zIPzL+U9wmOJlswJx/kYGgO1HICqTUqnxkV
+  rOybvdd4wWVJNNEr0whvrCiDlLbHfnygyXwkQC1PtV9HEUBw14AIPjSF6DhhvFol
+  UeK0Pek44p7nXj4K1t7crt1exP4Jigty4DAe972pcawHSqkg0oT/5mMKqjuh7dsR
+  uNdFaeNgDzjlvVbGQW7Wen+FjCds6VwsPYAbOmgOcbNsBptCX1iznwXLp1L0sRjR
+  xWxFPzmVI2f5eB7tsSt2mgsoOuZPTQbL7i13eGzlqsOqExWr19/LlVaLL/QOP/5B
+  mDGg6K2FB3BfjOmHiY4sY+EQ6W9bmgd0XudlcQIDAQABAoIBAFVe6OYbkA6p66DQ
+  hKFtHrT764YZ0INf36ayJe3pzjenKYdiiG8P/hPS6MNc2TqgXi5zi0e6XhBPmpTk
+  /hpr73bfFmkDEuYViFo1dHBiued8G/RISD+mfXDwZpYTD/xqpE1WLn7LxAaVDQ+j
+  5WBEq0+jBPsiz89AbR/8b2o65htSp2XSH/Y0tOALYjEuxJEeS7ybumpgMT5+qrM7
+  VIqJMS+k2iqw7KcRmU1XsuX9KltiAEWSv0+NMNI+0+3j4ZXX43UrHdixqiFyRtMm
+  Gvua/b06UcapXBSApgDFbCNNsle1+duzb+DRxXN3Q2N+D1XlRDEVmowq2KvODvhM
+  iA3jv2ECgYEA6u1XL5yns+zEjkw01hJhTXuLZX5QgynaBkQwFlmhs9EW72YbxYnO
+  vzWK6WJMavn9JheXIBj5fnMhZIS95w69gtL6If8nH+DnkTiEU1RFH3tyDRLXvq77
+  F9fxwZ8izJ3v1rAKkGL9UQ4KxQE4r3KFMuV5vaiwZu/wIuVspWRhhf0CgYEA0jhg
+  YhAj0aL32uJFxXylGnmp09Qjm7PYxLTUvFm2FbOWM+8W2lZUJPicce9UIRCnNmQY
+  KyXZpJI6WUnEpVAIuutW/rzlhqNcgBEcpFUlSnsib14BriaSx4loAIcyDYGmAG6O
+  jnHm2A+gaYfoibTFO3+k09Zh7cKRrkKQh+HlvYUCgYEA4MzsOOs2rr1J+MCDbrV3
+  1qT55szQTjKmJojpWvm5+k+CGuMigAw2glHB80HUzikZTHIWcuhzFcUllwJOleNN
+  BPrNz+pQjfiwng3u0a451r5RjKETQaw/KbnB5P1aV2JqNo2ODkwrCnzdYVah34E+
+  ZE2iCRJ6eoXuy/Wt2TYM/CECgYBKvqzWcTKrKSzDcMyqCUWTAks1/CmlBO9AEaPK
+  TIOHd9EiKhKQEz3b32GQyS26i/dISZKmVNDryOpiMO5wcOKJw3+tF3DszEzpZCww
+  6e1WbC20N1KVnzV1KRAHkApl7wEdCjI5x5nynKvGmgI+ZD30h9ANWh57sUCnGxfU
+  mKddGQKBgQCtXb+6zdcuWS7Vri1lTE49831NZjC/DobwRhE5QJRnLmPFiCzOfnsr
+  +htnsJe/fGns445qhlaHH7VDRkTZlDZs6oJviECkMTk56Y3K72YUAQXknDswWUtM
+  HP+8NaFAWaxm8joIG2iD/etVlt2OEtflCk6M1ZXviNoKogM69cFlyQ==
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-etcd-pod17-node2-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEowIBAAKCAQEA7xv2/Y36/LeeUMFWWJ6ztNHw1BIEK8EVjQumZgl3fk7yXquv
+  9NFbto9LXQo9Yib8741Q6BFtZ4ID4n3h/c65atA66V4zWnaVivs7UVsIoHGLz7lw
+  rb9plkHIN118o56ipWWcojiUfulAHC7wMIklEI9F9zOhRlzgvZbGpy5dSGQ6ZjqR
+  lWkOQNxVnvY8qqJnrrC6ucPGZqibhUo7UaLS4qlf0Yp/TjGsJjYsNwTACFUZOMpy
+  ZZuqoC8vLVWrNYMAZrMSoUalP5NNrKCQVGBj4saOIFDNcoWAF/Xdd21TTnYHyENr
+  EaLrfBEdiKL/Qjl0/l3YXVZ6IMNLcn8PVQQ3NQIDAQABAoIBAH0vnvjRRP7bA8Az
+  +Qkczel1oSjm5dgily3pU41Il49BthNqwAzlL6c9Dq//lHO3BeZFjn5x4V237GDA
+  l3lSqjEKJE3aS/io7VJ+hmfpyXJ3AEQZSq0s8hMBDdouz/q6K118/azRAq4PYMlg
+  qdA/fXBWEsOB/IXiSqf4MLmGxMAI9nZqJNnoPXZ4FCktIpWQfgOTYS8H865/uD5l
+  JdVxQzln4qw+MY5C6zL1vDvmivjhpgJRH9aXn06SdZ4AesaM2YxBpbT9Qq+i6YBK
+  QVEb1DHujr1qXmvT8X922NXQZSNN0Imn5/DUvZ9kiwpModbJIgUSrB2UqsTgDR3/
+  rqSLpQECgYEA74+HYaNg8/A0NUh9EK99o64Hik/8+Z3ZyH+2qIVitBZ1y0GtAcbg
+  7onHpG3+4PCFHONZZdGNw1QkUD9zrTpZg+AuYkj8dph3UHRhOxE1t5A1E/f9dgZ1
+  gRaUxZwS4sMTD4pYgm8XDBHvBndwD8d0TFmH8QuC3T0XxkE/gqV/9lkCgYEA/4SB
+  cXPBI5OGcWJXa5Z8xzIDGk+Qs+f/xwnkt4vLbRZ9Q5hGUXInEV5ZhsIjXZNFhM9F
+  OO2mPerMWL+FDYHR7I0AG6xeD4Td2IwzJRHERPXaWcb3g2zhZmskoKBA3w7qfdOc
+  WRSxm1cEWPiM6dfrl2/6IAVcagYl+/w1ueWyJD0CgYEAqT4hSt19tVjRyYL4uD0C
+  6gwcz55K/p6CKZ/wj4YMgWYMuhgf/c1fQ6abIJOFKa1CnXIQyloNaR2cugTZ2FwM
+  uZo7qrwdgDuer3xI5M33wUNj/EOLEULm6NfnKuRkg0eFw8jdVujcw244C719segb
+  RYVLAQQ848gxb6LRF5+Mk6ECgYBdIZ/IiUdZPzkedJimdzhNplXpLhzw5dudYWbC
+  26ouvaa0j3j50KCavQfmjTY0siwBh0aUxFH2eXE3276UOMAZ9x6V95JlF6mAd0Fg
+  /oPKGs4WMOYgOfxBx0WXYjGi253udMWk1l0R4HqOLzG1PeT50m+ZYjrXzhvkJ34x
+  np36hQKBgDH1Jua/aapQZ39JltZ8dGoqGnXRxE37+fOnCiMphjNABP5dOvkbwmH4
+  X4s8t70KPzTNsCMPBk9ACxSoKDfT2vrzVIFc5Sy9eqO/Tufbis5EkVLx/AR8gPtT
+  PxcyBbm9ERRrR3Wv51myK0CReM28uuDAg0RpXvn8fH4PezKRoRxy
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: calico-node-peer
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+---
+data: |
+  -----BEGIN PUBLIC KEY-----
+  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5VjcwV4weIFgFq25/aMn
+  gxvHW3elx7bXr7G1HI2EXsFVVUniJ4TfONkVpKMf9KLezrScLJL8LZJBo+kXtGDb
+  PWmL3VJtfEmshSk5EyESDAvg35sspToOaLbi0OE8uJa/9zE5phuMxVlMPwJgdKZ4
+  7edqnL6JcZWJWLGtqknS98AfVvkKqzMkO4H2QTcZz9EjKhyHi62jwd1zj1WWUgbT
+  WZY5ynWT0d4I6jkAcs/R/ih3eAHUHY7ru370+1PkcFjBcNOeI65UiL4oXpbqFRKE
+  16eVFULPpFYJ00thNGwgKFDuddrSV8ApXxliFgvmsRRdKhmNBU8fTcG7nzdl9mDf
+  wwIDAQAB
+  -----END PUBLIC KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: service-account
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/PublicKey/v1
+---
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpQIBAAKCAQEA5VjcwV4weIFgFq25/aMngxvHW3elx7bXr7G1HI2EXsFVVUni
+  J4TfONkVpKMf9KLezrScLJL8LZJBo+kXtGDbPWmL3VJtfEmshSk5EyESDAvg35ss
+  pToOaLbi0OE8uJa/9zE5phuMxVlMPwJgdKZ47edqnL6JcZWJWLGtqknS98AfVvkK
+  qzMkO4H2QTcZz9EjKhyHi62jwd1zj1WWUgbTWZY5ynWT0d4I6jkAcs/R/ih3eAHU
+  HY7ru370+1PkcFjBcNOeI65UiL4oXpbqFRKE16eVFULPpFYJ00thNGwgKFDuddrS
+  V8ApXxliFgvmsRRdKhmNBU8fTcG7nzdl9mDfwwIDAQABAoIBAQC4blNn9LSJ05BP
+  7Hiq7O8zUb1pYrgf+HtOQFvikDMod9SFd5q0KPfRIVF0SfHCqs797uPAPJsqknjS
+  tPlpBpKHuj7NRiHhVuWzV8kcBvYaVdsKNiEa5ar8rkWLr/VCg4fv4tf3KiRz9zGH
+  YgPrCowo1HY5gkfI3XXLq2Z6kE9lBsb2m/H9rJx4g17B6KDEaaOI/J2FNqy+SMSG
+  XLYx9Oqm6YUWUSbPXd8QUd/4axHgvecniz2KCg2YoGP7Oi2ercp4eXVrJ+FdoJSf
+  IUI1derpjMrd00VaFk3RfmKDzbrOlBp5lAkpGPydGbLmVAOaAsK9whb4BvR98ruv
+  Ph6xQsfhAoGBAPK+8YtQe5+LCn/9v8qsuP4DdRQ1lWpmxF/VbdOHupy4RhfRe2fd
+  MlZx+FjyU9UzYLBmq7VGTH1Z6v1obqqEpRbIuX1HYmbw3tXjnAVR8zD1bj5hvIFK
+  /puOmnTN85x27PYZG1rK4MfZE5O6KF0tHaxxD1HtV18SPjHpyY7ivpbpAoGBAPHe
+  oi1DsviS+QFdznCPtMBOZb7aEmylendMqfEPPVswQjsExSRJwFlh2tvurTFIflol
+  U/Ve+uRE96ZWvUYoTo6ZMxiv7nyXOz6L7u2M/95iIhQ1c9AMINyuJ/sRqtXNeN8p
+  wtgfIZcP/l1JMVXSZB3PXuc7sLFftLoM+M3ITm3LAoGBAKJI8Wb4CY3iAMUMubof
+  uxVm7lDyec/GoKaJI4F1jlbUA1hNHjmT8eFFFIkyiMVSMeP83/Ky6tQq1yVPOh0Z
+  zNzsmMWegbTcd717C4WrAfDLREbERKgToSASOES6o5EJGOZ2ZolOdPRmteXfYLja
+  PqpYc6uMBwtyQM5RxASYpl5xAoGALw0dRWrvDPYiZIaoGzOJeQOHPXpUrTf/u+d5
+  A8DwMaYQrESASU/jkD++AJzMqlKs6cJrM8d3TSKxfnVPOq+qoIji7MGExk3xI3i7
+  URDl0ZALixze27EQT329n1TPg+oFwnvwQHTF5wogdGtBoq1b9oSZtKfi9o5krPDL
+  EdUOlMMCgYEAh4cP2xvxy+hxI7pHb8/EmcSW5b1t+ib7OyDaLCi0jrPQlUTp+67y
+  1GqNopNX2qjquaEs2G2WBMnyNi706ykmbO3OdtEGnXG3TVMnrAVxDytoZ5/haE6j
+  J5TG1WP0RMYgOOh1sLtsfUjKr0bbiciOenQxhtuCDfkkuHoftIWEZPU=
+  -----END RSA PRIVATE KEY-----
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: service-account
+  schema: metadata/Document/v1
+  storagePolicy: cleartext
+schema: deckhand/PrivateKey/v1
diff --git a/site/intel-pod17/secrets/certificates/ingress.yaml b/site/intel-pod17/secrets/certificates/ingress.yaml
new file mode 100644 (file)
index 0000000..b799fdb
--- /dev/null
@@ -0,0 +1,135 @@
+---
+# Example manifest for ingress cert.
+# NEWSITE-CHANGEME: must be replaced with proper/valid set,
+# self-signed certs are not supported.
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: ingress-crt
+  schema: metadata/Document/v1
+  labels:
+    name: ingress-crt-site
+  storagePolicy: cleartext
+schema: deckhand/Certificate/v1
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIIFKzCCA5OgAwIBAgIMW2h6FCcFdKeaw3vnMA0GCSqGSIb3DQEBCwUAMBIxEDAO
+  BgNVBAMTB0FpcnNoaXAwHhcNMTgwODA2MTY0MDUyWhcNMTkwODA2MTY0MDUyWjBJ
+  MTUwMwYDVQQDEyxpbmdyZXNzLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3Vu
+  ZHJ5LmNvbTEQMA4GA1UEChMHQWlyc2hpcDCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+  ADCCAYoCggGBALvNHm/G/ylh6aPcvrhOcb4qz1BjcNtnxH8bzZng/rMeX3W2AzjC
+  r2JloJcDvOLBp/TkLOZPImnFW2/GCwktxPgXZuBTPzFV50g77KsPFw0fn3Si7+bs
+  F22tLhdOGk6MQj/WW4pKGHqdw1/VbPwOHBT+I4/scR1L2SZxYtSFIKGenHJH+PMV
+  bCdwnNOR80F8KRzK5iZs/r6S/QqVheieARSWWnk2+TtkM1BloGOhLSd+ZkWh9VO1
+  eOnZowkaDAJwD/G6zoSr5n+beaXzDnEcoVXFSwd4FLoV+om77o92XmZ4rVw0vTMO
+  k6jVwmkdT+dM2K2hLUG/TXWoV2/Qms70gzDOs85RtAkTPe4Ohtdpr51Q0hd35TKG
+  YLKzX/OPblD68iYJYSBvMPpAVTbFYVPW1AQx8wWfannYbMoeL8XTEOKfkqm90YP9
+  EhIdtmw4D7GZxlzG5FXXutmT9sqLfqlRu/RynAhBP8NQvw74WumhOe8r7GhCwgzC
+  gaPLGjeekoS6LQIDAQABo4IBSDCCAUQwDAYDVR0TAQH/BAIwADCBzQYDVR0RBIHF
+  MIHCgixpbmdyZXNzLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3VuZHJ5LmNv
+  bYIta2V5c3RvbmUuYWlyc2hpcC1zZWF3b3J0aHkuYXRsYW50YWZvdW5kcnkuY29t
+  gilub3ZhLmFpcnNoaXAtc2Vhd29ydGh5LmF0bGFudGFmb3VuZHJ5LmNvbYIsaG9y
+  aXpvbi5haXJzaGlwLXNlYXdvcnRoeS5hdGxhbnRhZm91bmRyeS5jb22HBAoXFQuH
+  BAoXFgswEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAwegADAdBgNV
+  HQ4EFgQUfTAjNgn/1U1Uh1MJDYT2m4dzhsYwHwYDVR0jBBgwFoAUJFuXPZo6RzfE
+  BlJjnnk5jhcP4wIwDQYJKoZIhvcNAQELBQADggGBAE2ISWmrxqrledJI3aLaS9Yw
+  WsZc8O8CnIyLoxrE85vUubFjuI9ixC/6dJxl2iB1n0H8JgmFREox32Q4+kDJI8V/
+  X9x0PFpRzL7QEPrLZhW94Yis3sOphLW0rf0t06ZepdHHeodYJu1pVMDmLq6bKXdX
+  vo+/WwKnZBXC1qPbXJByv/CN9MtViXOnBGORFRTJPb6U8379LNWclJ/LW12yTwNk
+  JGIbZU61Vxu+2nLIabmmRoODH2jomgMOMMzLgjT3Hvw3whe8GrUoxDiPYQVTDGNm
+  ly6m+5B1Nx06fkZazonozeaOhSQ7RblUSbo+w8TJmLRzD9ft7p4vpjBGxRADMcuF
+  DOjATgdZeisBUHTGEO0P6wJOBQuCFMX9AVl+u8ZpcuRaRaN+pBE6/BqcHBB6qV/N
+  w2DdNtP8BrJ3kJVNEDIo5oTbH5SToxgA4hWBV42M1rB+5vIMDKN3rwVDdNKWYhYc
+  VZpU3V9V6JzSW1O2w4Wu9PdbWJD9oSvC0qJgnjOXzg==
+  -----END CERTIFICATE-----
+...
+---
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: ingress-ca
+  schema: metadata/Document/v1
+  labels:
+    name: ingress-ca-site
+  storagePolicy: cleartext
+schema: deckhand/CertificateAuthority/v1
+data: |
+  -----BEGIN CERTIFICATE-----
+  MIID7TCCAlWgAwIBAgIMW2h3tgSwie0Ypx8eMA0GCSqGSIb3DQEBCwUAMBIxEDAO
+  BgNVBAMTB0FpcnNoaXAwHhcNMTgwODA2MTYzMDQ2WhcNMTkwODA2MTYzMDQ2WjAS
+  MRAwDgYDVQQDEwdBaXJzaGlwMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
+  AYEAny0Nqu9U2tXdCCTNzD2T62htMmBLg3CmzWajfbfFl7ALqzo3HgbbY3PxTHDE
+  OJ/lwdm0HkEaGfEDXhJd06WZsa8+fKGqhKXvZXwXx5mJ8LCGxz6xiaxwo9lnKe6V
+  o3YX7bJ5YIVxQ2jhvZo+dY8Z/buloi2Tp2HbqTejKULH9+qdiQTDXAnyR0NLqzJ0
+  YQ4v4yU3zix3nBi8z29lQekGO9quNEka3nw2n0Gxmq5z1bNALGCF5F759mVkB0uT
+  fPGF+zm9eqlqAgduYg7R+JYUumVHvIoRY454GtAdZHTJHJZP0gQSGJsLff8ROFpI
+  GVYsOZhJXU9Ihc5VBC5PMErbmCn0YkuxAWNOYBstZ8l+uY6YiPoFV5Ulc/8M0If+
+  T6jbqzWoFC+4ysgY95RKOw53S4o/T6AFwiIKIw0xp3UfHCf6kr5Y0+XdDn5CXpJB
+  d1KK3PoUWzPSsxcUMXvgKWT4x1vsCId21dn1SmVSOEBhM08VZfjd5bvL9Xjt/E0j
+  mUqDAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAd
+  BgNVHQ4EFgQUJFuXPZo6RzfEBlJjnnk5jhcP4wIwDQYJKoZIhvcNAQELBQADggGB
+  AJaoEtnDoWUUs4nSSqIGcoCfpIO0oqVp8DvkBOcxz5Rz8vMVJSC24/UnuCD2Wknx
+  2V/E3edXIeRo7duhPtNCT7c8OKY/pJsZQTgOczn4rphoD1pmAIPZmpG6ssPadPiM
+  EP8xWJHZt8NXG7D5kJX2COvBvgNeWXL6MF7Tv8+t5xzt59Vitdb/7lm9Z6jjpvN+
+  zoG0pKx3XYESsnLAVAf00F+kWwds/3x3gQywUAQUDER0jliYUE5id+sojp357Cl9
+  XtY+8zSnTduuP8CfMhwv5p6j9xbqacfT7AzpQ6cy4xcQ7MA6JBQcxbaq4NtvIf6+
+  d/5N9d8LGnfXdCd9iwNy9Qk23Ea0SNhnk9F/NqGBPakU4TbHh4iTYMC/+hDGInpO
+  TIRelTidNBFNaIBg3Z0vsh0lDwbt/xhpXip+ZVBqKMTtktEceiVGru9cYUQA2tKI
+  XNoc5s0uQGMpdFzgED4lXZf+n7yGVMKohvi7Yn96HqujGIrVH6qThsI6m7pUSz40
+  +g==
+  -----END CERTIFICATE-----
+...
+---
+metadata:
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: ingress-key
+  schema: metadata/Document/v1
+  labels:
+    name: ingress-key-site
+  storagePolicy: cleartext
+schema: deckhand/CertificateKey/v1
+data: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIG4wIBAAKCAYEAu80eb8b/KWHpo9y+uE5xvirPUGNw22fEfxvNmeD+sx5fdbYD
+  OMKvYmWglwO84sGn9OQs5k8iacVbb8YLCS3E+Bdm4FM/MVXnSDvsqw8XDR+fdKLv
+  5uwXba0uF04aToxCP9ZbikoYep3DX9Vs/A4cFP4jj+xxHUvZJnFi1IUgoZ6cckf4
+  8xVsJ3Cc05HzQXwpHMrmJmz+vpL9CpWF6J4BFJZaeTb5O2QzUGWgY6EtJ35mRaH1
+  U7V46dmjCRoMAnAP8brOhKvmf5t5pfMOcRyhVcVLB3gUuhX6ibvuj3ZeZnitXDS9
+  Mw6TqNXCaR1P50zYraEtQb9NdahXb9CazvSDMM6zzlG0CRM97g6G12mvnVDSF3fl
+  MoZgsrNf849uUPryJglhIG8w+kBVNsVhU9bUBDHzBZ9qedhsyh4vxdMQ4p+Sqb3R
+  g/0SEh22bDgPsZnGXMbkVde62ZP2yot+qVG79HKcCEE/w1C/Dvha6aE57yvsaELC
+  DMKBo8saN56ShLotAgMBAAECggGAYzZDhA1+sx/0zApL/xYB5NK83t0Ju/8fwX6w
+  qUBBjeLXz1mubgf7m2HQ6ragzLI9xpPcXHcl2PbYDT50ig7R5baHNK8FzUxyeKif
+  qOa56Mbx+C4zyqyi2+AHX2x1XVWfkhXuGip2sCA0HKalgqr5juWLZ/ci8rUlLLft
+  3BPQX1FpmL4I+HIyxsspLmQGPGwZVAqkd1xRX+BLKZJAQdlm/LdJaIvwMr4Glcx6
+  ZOe68QhHgzXCYsyV6gR9qstF2OvVuLa2mUc7EzYInFIFhXUdAAwmDqkuuLRdRQhf
+  Ur8nqQW33T0cG0GBUzgBI5YmSPJvTSzcPmeSyNVx2/Yb0pkuXtCw67oDcAsN4nW8
+  uls49E2RaiLJYsy5vPsX5aJNcAxw/CWLdadQ3ukviD/MDJbpTl4F52GOVYL6K4XH
+  g5TJjj7xzjmK3ldR/Kscg7HpCitQLGUYdgIsAFdspXf4aSIa68IjDrc5NsJZuMzc
+  PbVHrw7QYNfHY7VNdUlOVqH5lS3BAoHBANRqKrQXtnJmM006TCEJXdcN/5M685jz
+  +L4Ox0Rhrq8ROgcN5q/hjKb6kP/MccQ9voGQOl9TKEyinGNdTtyc/fuH7RNlQwpS
+  HT+vEzVEcrSe8UFs8c6oJnHFO72ylFcibFf56LvbI3L8BZXp7gPSPQkp5f1NWEZk
+  X5bUL4UNiOm0diltba/ofxywF0M9WGD00eqi0Q29JRlvun+355j06CENxRoonNZC
+  wk1evIxhhckP9zLjI2Ykb1hV6yzwPWtmyQKBwQDiVgru/B396KhzDhLl5AL+pBWA
+  GsfiCbmPLh6W6V5VzldB4+GlMRrJ4zSjZQ3/nvX5KepqjMn1N6LQpZQUI/YShCKE
+  mW0XMiAfbp2d23MRMjLD8L/bIoBHQOPkCaMjbmyDOlCagWakEvHJO/TieVgTmYk6
+  mtEYVjJFWI9OCNMAHdl8ovWr3p+8YbVZ8LLv5ZO/V1cIjczoNQ6p8LG/pPMTDLXM
+  ScN9a8z3f8LQLBHBlu0155xvt95PQLAon/x21kUCgcAvPVk36hoiQQZhw3hQ1JNx
+  E2TmanLobkHAiurYE11VA+DC1t2Z+fBc5la+/MnEWfL3P4srzgOlX3imRIcYWzXE
+  7crUyG1ray2kDxyXeRyFfN+srDzut8is/q81lfSVmEs+GY8f0DGHDfN0Dq1nXidC
+  1XWXqs7aANKdaZ0T2xm61+57ciG1wGAckjDqPEdecLQKmaEijBEnIgj5BH5WLwk8
+  6KIQGj4fDIPHzyzhj4LAX3ObdpZVzf6RR7JgsSEHtLkCgcBROW2dDC87MqZY++D+
+  TVBhz8LDgVjgHntQDc3+fGtVQcKAq+YLYU7qyrXWOWrHpGVDcK5mZHYJoVi1peY5
+  QBqL1I2KpoDGxT9P6GN6BgoKTsh3FsvTOVNtvrTJ3keEbJlWkrPgbrXGBeJtRC4C
+  pGdeSUg9FtgY8r4BsuFisLoAHbYyC008y5zpfusVBtNAUlQuY4qhUDoLzxafF/jB
+  /NEasgH/+SzFss0QuPHRwS7yGVaxdJfoY8TNDjrpqVhx0T0CgcEAvKG4UoWvT8gJ
+  pIeeAxxnv9yrMxgpntu4RXPDHgfX5tva6EaM3r3nLXjd9FVtlQ4cNBMhp9HNhS3a
+  dK+oEDcBysVxxfltlS2Bx0+gQf3WxgBCJwayKe3i/XCDza92EENgxTPmqB1LHiq5
+  2b5aOl2Y5fP0eX6UryxRc443c/ejMHw4lGwnno0qpRk9M9Ucqv5J96QCfAlBSQQS
+  gOG9cypL0kBWzCejn9W4av8HkM8Noqd7Tqul1onv/46OBaX51kt3
+  -----END RSA PRIVATE KEY-----
+...
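Review bot: The `ingress-key` document at the end of this file commits an RSA private key with `storagePolicy: cleartext`, while the NEWSITE-CHANGEME comment sits only above `ingress-crt`, so nothing on the CA or key documents says they must be replaced too. Decoding the first lines of the certificate body suggests it was issued for an airship-seaworthy hostname rather than this site, with validity from 2018-08-06 to 2019-08-06, which would put its expiry before this commit's commit date; this is worth confirming with `openssl x509 -noout -subject -dates`. I would repeat `# NEWSITE-CHANGEME: replace with a site-specific key; never deploy this one.` above the `ingress-ca` and `ingress-key` documents and set `storagePolicy: encrypted` on the key document. Because the key is now in repository history, any site that was brought up with it should get a new key pair rather than just a new certificate.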
diff --git a/site/intel-pod17/secrets/passphrases/apiserver-encryption-key-key1.yaml b/site/intel-pod17/secrets/passphrases/apiserver-encryption-key-key1.yaml
new file mode 100644 (file)
index 0000000..e21876e
--- /dev/null
@@ -0,0 +1,13 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: apiserver-encryption-key-key1
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+# https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+# use head -c 32 /dev/urandom | base64
+data: n9VBwseT/JjV7r9vbUR/MvCobe01Bdh9XtWgsNF5zLY=
+...
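Review bot: `data:` holds a ready-made 32-byte key, and the comment above it explains how to generate one but not that this committed value must be replaced. If a cluster is deployed with it, the API server's encryption-at-rest key is readable by anyone who can read the repository, so encrypting secrets in etcd protects nothing against them. I would add `# NEWSITE-CHANGEME: generate a new key per site; do not deploy this value.` above `data:` and use `storagePolicy: encrypted`. The `maas-region-key` hunk further down has the same shape: a generation hint, a committed value and no replace marker.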
diff --git a/site/intel-pod17/secrets/passphrases/ceph_fsid.yaml b/site/intel-pod17/secrets/passphrases/ceph_fsid.yaml
new file mode 100644 (file)
index 0000000..7201502
--- /dev/null
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ceph_fsid
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+# uuidgen
+data: 7b7576f4-3358-4668-9112-100440079807
+...
diff --git a/site/intel-pod17/secrets/passphrases/ceph_swift_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ceph_swift_keystone_password.yaml
new file mode 100644 (file)
index 0000000..9a9af1f
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ceph_swift_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
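Review bot: `data: password123` is a guessable value stored with `storagePolicy: cleartext`, with no marker that it is a placeholder. The same value repeats in every `osh_*` password, messaging and `rabbitmq_erlang_cookie` hunk that follows, and the `osh_infra_rgw_s3_*` hunks use literal strings such as `admin_secret_key`. With one value shared across database, message-bus and Keystone admin accounts, a site deployed without replacing these files exposes all of them to a single guess. I would put `# NEWSITE-CHANGEME: replace with a unique generated value.` above each `data:` line, or keep the values out of the reference manifests and generate them per site at deployment time. A CI check that rejects `password123` under `site/*/secrets/` would catch sites that skip that step.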
diff --git a/site/intel-pod17/secrets/passphrases/ipmi_admin_password.yaml b/site/intel-pod17/secrets/passphrases/ipmi_admin_password.yaml
new file mode 100644 (file)
index 0000000..0b49b62
--- /dev/null
@@ -0,0 +1,13 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ipmi_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  labels:
+    name: ipmi-admin-password-site
+  storagePolicy: cleartext
+data: root
+...
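Review bot: `data: root` may be a live credential rather than an example like the placeholder passphrases around it, because out-of-band provisioning presumably only works if this value matches what the pod's BMCs are actually configured with. If that is the case, the commit publishes the management-controller password for the nodes of this site, and it stays in history even after the file is changed. I would confirm whether the BMCs still accept this value, rotate it if they do, and store the replacement with `storagePolicy: encrypted` under a comment such as `# NEWSITE-CHANGEME: set to the site's BMC password; keep encrypted.`.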
diff --git a/site/intel-pod17/secrets/passphrases/maas-region-key.yaml b/site/intel-pod17/secrets/passphrases/maas-region-key.yaml
new file mode 100644 (file)
index 0000000..73d4a69
--- /dev/null
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: maas-region-key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+# openssl rand -hex 10
+data: 9026f6048d6a017dc913
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..c5f866c
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_barbican_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..bb19957
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_barbican_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_barbican_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..9bf0217
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_barbican_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_barbican_password.yaml b/site/intel-pod17/secrets/passphrases/osh_barbican_password.yaml
new file mode 100644 (file)
index 0000000..5122192
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_barbican_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_barbican_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..32f8dae
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_barbican_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..b22f898
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_cinder_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..040e657
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_cinder_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_cinder_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..5d76ba7
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_cinder_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_cinder_password.yaml b/site/intel-pod17/secrets/passphrases/osh_cinder_password.yaml
new file mode 100644 (file)
index 0000000..26565db
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_cinder_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_cinder_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..b1ac8ff
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_cinder_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_glance_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_glance_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..0739069
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_glance_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..57db752
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_glance_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_glance_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..d103c27
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_glance_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_glance_password.yaml b/site/intel-pod17/secrets/passphrases/osh_glance_password.yaml
new file mode 100644 (file)
index 0000000..93ae0f2
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_glance_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_glance_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..496fae3
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_glance_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..3352d4c
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..074e688
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..39f1327
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_password.yaml
new file mode 100644 (file)
index 0000000..5777ebb
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..74e2a99
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_stack_user_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_stack_user_password.yaml
new file mode 100644 (file)
index 0000000..36db28b
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_stack_user_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_heat_trustee_password.yaml b/site/intel-pod17/secrets/passphrases/osh_heat_trustee_password.yaml
new file mode 100644 (file)
index 0000000..58129ef
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_heat_trustee_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_horizon_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_horizon_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..7c78d45
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_horizon_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_elasticsearch_admin_password.yaml
new file mode 100644 (file)
index 0000000..78c265e
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_elasticsearch_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_grafana_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_grafana_admin_password.yaml
new file mode 100644 (file)
index 0000000..9232de7
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_grafana_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..6d5f49e
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_grafana_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_grafana_oslo_db_session_password.yaml
new file mode 100644 (file)
index 0000000..bd4e573
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_grafana_oslo_db_session_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_nagios_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_nagios_admin_password.yaml
new file mode 100644 (file)
index 0000000..52dbe16
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_nagios_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_openstack_exporter_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_openstack_exporter_password.yaml
new file mode 100644 (file)
index 0000000..64f78e1
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_openstack_exporter_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_admin_password.yaml
new file mode 100644 (file)
index 0000000..9c68e9d
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_oslo_db_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_oslo_db_exporter_password.yaml
new file mode 100644 (file)
index 0000000..f134f46
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_oslo_db_exporter_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_prometheus_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_prometheus_admin_password.yaml
new file mode 100644 (file)
index 0000000..b3df5f6
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_prometheus_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_access_key.yaml
new file mode 100644 (file)
index 0000000..9f64719
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_rgw_s3_admin_access_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: admin_access_key
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_admin_secret_key.yaml
new file mode 100644 (file)
index 0000000..3e06f91
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_rgw_s3_admin_secret_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: admin_secret_key
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_access_key.yaml
new file mode 100644 (file)
index 0000000..97c7d23
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_rgw_s3_elasticsearch_access_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: elastic_access_key
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml b/site/intel-pod17/secrets/passphrases/osh_infra_rgw_s3_elasticsearch_secret_key.yaml
new file mode 100644 (file)
index 0000000..60f0134
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_rgw_s3_elasticsearch_secret_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: elastic_secret_key
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_admin_password.yaml
new file mode 100644 (file)
index 0000000..6c3f446
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_ldap_password.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_ldap_password.yaml
new file mode 100644 (file)
index 0000000..2edf0f2
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_ldap_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..07b2206
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..aec85c0
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..be716f4
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_keystone_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..ee7e4bd
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_keystone_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..4d0b157
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_neutron_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..4ac42c9
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_neutron_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_neutron_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..6be02b9
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_neutron_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_neutron_password.yaml b/site/intel-pod17/secrets/passphrases/osh_neutron_password.yaml
new file mode 100644 (file)
index 0000000..dd0b2b6
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_neutron_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_neutron_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..9e8ff8d
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_neutron_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
new file mode 100644 (file)
index 0000000..37d5c62
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_metadata_proxy_shared_secret
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..2cd60f5
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..487bcc5
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..13569ba
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_password.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_password.yaml
new file mode 100644 (file)
index 0000000..4c2223d
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_nova_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..7a885e6
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_oslo_cache_secret_key.yaml b/site/intel-pod17/secrets/passphrases/osh_oslo_cache_secret_key.yaml
new file mode 100644 (file)
index 0000000..11747a7
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_oslo_cache_secret_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_oslo_db_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_oslo_db_admin_password.yaml
new file mode 100644 (file)
index 0000000..48df9ee
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_oslo_db_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_oslo_db_exporter_password.yaml b/site/intel-pod17/secrets/passphrases/osh_oslo_db_exporter_password.yaml
new file mode 100644 (file)
index 0000000..61b4144
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_oslo_db_exporter_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_oslo_messaging_admin_password.yaml b/site/intel-pod17/secrets/passphrases/osh_oslo_messaging_admin_password.yaml
new file mode 100644 (file)
index 0000000..e7d97e2
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_oslo_messaging_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_placement_password.yaml b/site/intel-pod17/secrets/passphrases/osh_placement_password.yaml
new file mode 100644 (file)
index 0000000..c72b59a
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_placement_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/osh_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..a3b5a2b
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/osh_tempest_password.yaml b/site/intel-pod17/secrets/passphrases/osh_tempest_password.yaml
new file mode 100644 (file)
index 0000000..af90ec0
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_tempest_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/tenant_ceph_fsid.yaml b/site/intel-pod17/secrets/passphrases/tenant_ceph_fsid.yaml
new file mode 100644 (file)
index 0000000..18bd485
--- /dev/null
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: tenant_ceph_fsid
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+# uuidgen
+data: 29d8953d-0bb6-4ba1-a48a-f9be1c0937a9
+...
diff --git a/site/intel-pod17/secrets/passphrases/ubuntu_crypt_password.yaml b/site/intel-pod17/secrets/passphrases/ubuntu_crypt_password.yaml
new file mode 100644 (file)
index 0000000..4d60468
--- /dev/null
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ubuntu_crypt_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+# Pass: password123
+data: $6$qgvZ3LC9.t59Akqy$HAJfJpdrN8Ld9ssGyjFPzyJ3WUGN.ucqhSyA25LFjBrSYboVFgX8wLomRwlf5YIn1siaXHSh4JaPJED3BO36J1
+...
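Review bot: The comment `# Pass: password123` above `data:` records the plaintext of the SHA-512 crypt hash that follows, which removes the benefit of storing a hash at all. The divingbell chart later in this change substitutes this document into `.values.conf.uamlite.users[0].user_crypt_passwd`, so the hash becomes the console password of a host account. I would drop the plaintext comment and replace it with `# NEWSITE-CHANGEME: replace with a hash generated for your site, e.g. mkpasswd -m sha-512`, and regenerate the hash from a site-specific password.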
diff --git a/site/intel-pod17/secrets/passphrases/ucp_airflow_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_airflow_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..33c4125
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_airflow_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_airflow_postgres_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_airflow_postgres_password.yaml
new file mode 100644 (file)
index 0000000..8a1d648
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_airflow_postgres_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_armada_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_armada_keystone_password.yaml
new file mode 100644 (file)
index 0000000..866efcc
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_armada_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_barbican_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_barbican_keystone_password.yaml
new file mode 100644 (file)
index 0000000..cb2da22
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_barbican_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_barbican_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_barbican_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..95a76ed
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_barbican_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_deckhand_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_deckhand_keystone_password.yaml
new file mode 100644 (file)
index 0000000..5ee27f2
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_deckhand_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_deckhand_postgres_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_deckhand_postgres_password.yaml
new file mode 100644 (file)
index 0000000..e63319b
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_deckhand_postgres_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_drydock_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_drydock_keystone_password.yaml
new file mode 100644 (file)
index 0000000..b8083b5
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_drydock_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_drydock_postgres_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_drydock_postgres_password.yaml
new file mode 100644 (file)
index 0000000..2eff525
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_drydock_postgres_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_keystone_admin_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_keystone_admin_password.yaml
new file mode 100644 (file)
index 0000000..91f74fd
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_keystone_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_keystone_oslo_db_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_keystone_oslo_db_password.yaml
new file mode 100644 (file)
index 0000000..a9cb153
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_keystone_oslo_db_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_maas_admin_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_maas_admin_password.yaml
new file mode 100644 (file)
index 0000000..402c129
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_maas_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_maas_postgres_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_maas_postgres_password.yaml
new file mode 100644 (file)
index 0000000..96ec574
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_maas_postgres_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_openstack_exporter_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_openstack_exporter_keystone_password.yaml
new file mode 100644 (file)
index 0000000..b513af4
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_openstack_exporter_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_oslo_db_admin_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_oslo_db_admin_password.yaml
new file mode 100644 (file)
index 0000000..b3c1325
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_oslo_db_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_oslo_messaging_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_oslo_messaging_password.yaml
new file mode 100644 (file)
index 0000000..95d6c0e
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_oslo_messaging_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_postgres_admin_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_postgres_admin_password.yaml
new file mode 100644 (file)
index 0000000..546de05
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_postgres_admin_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_postgres_exporter_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_postgres_exporter_password.yaml
new file mode 100644 (file)
index 0000000..abdaa5b
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_postgres_exporter_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_postgres_replication_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_postgres_replication_password.yaml
new file mode 100644 (file)
index 0000000..2176e71
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_postgres_replication_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_promenade_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_promenade_keystone_password.yaml
new file mode 100644 (file)
index 0000000..ac40d1e
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_promenade_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml b/site/intel-pod17/secrets/passphrases/ucp_rabbitmq_erlang_cookie.yaml
new file mode 100644 (file)
index 0000000..6a2aef9
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_rabbitmq_erlang_cookie
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_shipyard_keystone_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_shipyard_keystone_password.yaml
new file mode 100644 (file)
index 0000000..181a52a
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_shipyard_keystone_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/passphrases/ucp_shipyard_postgres_password.yaml b/site/intel-pod17/secrets/passphrases/ucp_shipyard_postgres_password.yaml
new file mode 100644 (file)
index 0000000..de0eed7
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_shipyard_postgres_password
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
diff --git a/site/intel-pod17/secrets/publickey/grego_ssh_public_key.yaml b/site/intel-pod17/secrets/publickey/grego_ssh_public_key.yaml
new file mode 100644 (file)
index 0000000..2ca157f
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+  schema: metadata/Document/v1
+  name: grego_ssh_public_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: ssh-rsa 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 greg.oberfield@att.com
+...
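Review bot: `data:` holds the personal SSH public key of a named individual, as does kasparss_ssh_public_key.yaml in the next hunk, and neither file carries the `NEWSITE-CHANGEME` marker used elsewhere in this change. Where these two documents are consumed is not visible in these hunks, but if they are substituted into host accounts, a site cloned from this reference would grant those individuals shell access. I would add `# NEWSITE-CHANGEME: replace with the public keys of your site's operators` above `data:` in both files.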
diff --git a/site/intel-pod17/secrets/publickey/kasparss_ssh_public_key.yaml b/site/intel-pod17/secrets/publickey/kasparss_ssh_public_key.yaml
new file mode 100644 (file)
index 0000000..3cf2601
--- /dev/null
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kasparss_ssh_public_key
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhZBgcufBr6msHHnAxW96vYgFhDHqjYi3oWsg/E7BeoTT+962mSeU0roKJG9XN3WY++D83T5dUcv6PAje1Upzq9O0tX9daKET89ZeYEtZ5cwIQvf75caDIgfilNVFbIIc831ardHZVte68SRrtyToXdXJdiK0KHZyuMauZvU/T1Icth91fHYuY2Lo2G2+15A9VqKKW4v+Luvj8qJR98s0uMslkJozZH1xWbX2HbXzLLZuQZk93Z9V9QDCv5qKd9VBz6xDQ4d69Hf++qkHnKHznhq3mA1dIrSRNG963IM/sueoGCDDTLKPchZeZ4kWWH3vr0iM02NVcUV/R9kamoUzz kaspars.skels@att.com
+...
diff --git a/site/intel-pod17/site-definition.yaml b/site/intel-pod17/site-definition.yaml
new file mode 100644 (file)
index 0000000..1952cae
--- /dev/null
@@ -0,0 +1,17 @@
+---
+schema: pegleg/SiteDefinition/v1
+metadata:
+  schema: metadata/Document/v1
+  layeringDefinition:
+    abstract: false
+    layer: site
+  name: intel-pod17
+  storagePolicy: cleartext
+data:
+  site_type: cntt
+
+  repositories:
+    global:
+      revision: v1.3
+      url: https://github.com/airshipit/treasuremap
+...
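Review bot: `revision: v1.3` pins the global layer to a tag of `https://github.com/airshipit/treasuremap`, and a tag can be moved upstream after this site was validated. If Pegleg accepts a commit id in this field (worth confirming), pinning to the full commit hash would make the rendered site reproducible and turn any upstream change into a visible diff in this file. Otherwise a comment recording what the tag resolved to at review time would help, for example `# v1.3 == <commit-sha-placeholder>`.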
diff --git a/site/intel-pod17/software/charts/kubernetes/container-networking/etcd.yaml b/site/intel-pod17/software/charts/kubernetes/container-networking/etcd.yaml
new file mode 100644 (file)
index 0000000..00053a4
--- /dev/null
@@ -0,0 +1,127 @@
+---
+# The purpose of this file is to build the list of calico etcd nodes and the
+# calico etcd certs for those nodes in the environment.
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kubernetes-calico-etcd
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: kubernetes-calico-etcd-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+  substitutions:
+    # Generate a list of control plane nodes (i.e. genesis node + master node
+    # list) on which calico etcd will run and will need certs. It is assumed
+    # that Airship sites will have 4 control plane nodes, so this should not need to
+    # change for a new site.
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .genesis.hostname
+      dest:
+        path: .values.nodes[0].name
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .masters[0].hostname
+      dest:
+        path: .values.nodes[1].name
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .masters[1].hostname
+      dest:
+        path: .values.nodes[2].name
+
+    # Certificate substitutions for the node names assembled on the above list.
+    # NEWSITE-CHANGEME: Per above, the number of substitutions should not need
+    # to change with a standard Airship deployment. However, the names of each
+    # deckhand certficiate should be updated with the correct hostnames for your
+    # environment. The ordering is important (Genesis is index 0, then master
+    # nodes in the order they are specified in common-addresses).
+
+    # Genesis hostname - pod17-jump
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-jump
+        path: .
+      dest:
+        path: .values.nodes[0].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-jump
+        path: .
+      dest:
+        path: .values.nodes[0].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-jump-peer
+        path: .
+      dest:
+        path: .values.nodes[0].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-jump-peer
+        path: .
+      dest:
+        path: .values.nodes[0].tls.peer.key
+
+    # master node 1 hostname - pod17-node1
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-node1
+        path: .
+      dest:
+        path: .values.nodes[1].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-node1
+        path: .
+      dest:
+        path: .values.nodes[1].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-node1-peer
+        path: .
+      dest:
+        path: .values.nodes[1].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-node1-peer
+        path: .
+      dest:
+        path: .values.nodes[1].tls.peer.key
+
+    # master node 2 hostname - pod17-node2
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-node2
+        path: .
+      dest:
+        path: .values.nodes[2].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-node2
+        path: .
+      dest:
+        path: .values.nodes[2].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: calico-etcd-pod17-node2-peer
+        path: .
+      dest:
+        path: .values.nodes[2].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: calico-etcd-pod17-node2-peer
+        path: .
+      dest:
+        path: .values.nodes[2].tls.peer.key
+
+data: {}
+...
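Review bot: The comment above the first substitution says Airship sites "will have 4 control plane nodes", but the list that follows fills only `.values.nodes[0]` through `.values.nodes[2]` (genesis plus two masters). The same comment appears in the kubernetes etcd/etcd.yaml hunk that follows. Someone adding a node cannot tell whether a fourth entry and its certificate substitutions are missing or the comment is stale. I would change it to `# that this site has 3 control plane nodes (genesis + 2 masters)` or add the missing entries. In the NEWSITE-CHANGEME comment, "certficiate" should read "certificate".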
diff --git a/site/intel-pod17/software/charts/kubernetes/etcd/etcd.yaml b/site/intel-pod17/software/charts/kubernetes/etcd/etcd.yaml
new file mode 100644 (file)
index 0000000..365b3d0
--- /dev/null
@@ -0,0 +1,131 @@
+---
+# The purpose of this file is to build the list of k8s etcd nodes and the
+# k8s etcd certs for those nodes in the environment.
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kubernetes-etcd
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: kubernetes-etcd-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+  substitutions:
+    # Generate a list of control plane nodes (i.e. genesis node + master node
+    # list) on which k8s etcd will run and will need certs. It is assumed
+    # that Airship sites will have 4 control plane nodes, so this should not need to
+    # change for a new site.
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .genesis.hostname
+      dest:
+        path: .values.nodes[0].name
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .masters[0].hostname
+      dest:
+        path: .values.nodes[1].name
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .masters[1].hostname
+      dest:
+        path: .values.nodes[2].name
+
+    # Certificate substitutions for the node names assembled on the above list.
+    # NEWSITE-CHANGEME: Per above, the number of substitutions should not need
+    # to change with a standard Airship deployment. However, the names of each
+    # deckhand certficiate should be updated with the correct hostnames for your
+    # environment. The ordering is important (Genesis is index 0, then master
+    # nodes in the order they are specified in common-addresses).
+
+    # Genesis Exception*
+    # *NOTE: This is an exception in that `genesis` is not the hostname of the
+    # genesis node, but `genesis` is reference here in the certificate names
+    # because of certain Promenade assumptions that may be addressed in the
+    # future. Therefore `genesis` is used instead of `pod17-jump` here.
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-genesis
+        path: .
+      dest:
+        path: .values.nodes[0].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-genesis
+        path: .
+      dest:
+        path: .values.nodes[0].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-genesis-peer
+        path: .
+      dest:
+        path: .values.nodes[0].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-genesis-peer
+        path: .
+      dest:
+        path: .values.nodes[0].tls.peer.key
+
+    # master node 1 hostname - pod17-node1
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-pod17-node1
+        path: .
+      dest:
+        path: .values.nodes[1].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-pod17-node1
+        path: .
+      dest:
+        path: .values.nodes[1].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-pod17-node1-peer
+        path: .
+      dest:
+        path: .values.nodes[1].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-pod17-node1-peer
+        path: .
+      dest:
+        path: .values.nodes[1].tls.peer.key
+
+    # master node 2 hostname - pod17-node2
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-pod17-node2
+        path: .
+      dest:
+        path: .values.nodes[2].tls.client.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-pod17-node2
+        path: .
+      dest:
+        path: .values.nodes[2].tls.client.key
+    - src:
+        schema: deckhand/Certificate/v1
+        name: kubernetes-etcd-pod17-node2-peer
+        path: .
+      dest:
+        path: .values.nodes[2].tls.peer.cert
+    - src:
+        schema: deckhand/CertificateKey/v1
+        name: kubernetes-etcd-pod17-node2-peer
+        path: $
+      dest:
+        path: .values.nodes[2].tls.peer.key
+
+data: {}
+...
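Review bot: The last substitution's source uses `path: $` where every other source in this file and in the calico etcd chart uses `path: .`. Both presumably select the document root, but this entry feeds the peer private key for node 2, and a path that resolved differently would only surface at render or deploy time. I would write `path: .` for consistency. In the "Genesis Exception" comment, "is reference here" should read "is referenced here".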
diff --git a/site/intel-pod17/software/charts/ucp/ceph/ceph-client-update.yaml b/site/intel-pod17/software/charts/ucp/ceph/ceph-client-update.yaml
new file mode 100644 (file)
index 0000000..eb921b8
--- /dev/null
@@ -0,0 +1,26 @@
+---
+# The purpose of this file is to define environment-specific parameters for ceph
+# client update
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-ceph-client-update
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: ucp-ceph-client-update-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    conf:
+      pool:
+        target:
+          # NEWSITE-CHANGEME: Total number of OSDs. Does not need to change if
+          # your HW matches this site's HW. Verify for your environment.
+          # 8 OSDs per node x 3 nodes = 24
+          osd: 3
+...
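Review bot: The comment above `osd: 3` computes "8 OSDs per node x 3 nodes = 24", which does not match the value set. ceph-osd.yaml in this change defines a single data device per node, so 3 looks like the intended total (inferred from that file, not stated here). The comment should be updated to match, for example `# 1 OSD per node x 3 nodes = 3`.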
diff --git a/site/intel-pod17/software/charts/ucp/ceph/ceph-client.yaml b/site/intel-pod17/software/charts/ucp/ceph/ceph-client.yaml
new file mode 100644 (file)
index 0000000..e1e8ecf
--- /dev/null
@@ -0,0 +1,100 @@
+---
+# The purpose of this file is to define envrionment-specific parameters for the
+# ceph client
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-ceph-client
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: ucp-ceph-client-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    conf:
+      pool:
+        target:
+          # NEWSITE-CHANGEME: The number of OSDs per ceph node. Does not need to
+          # change if your deployment HW matches this site's HW.
+          osd: 1
+        spec:
+          # RBD pool
+          - name: rbd
+            application: rbd
+            replication: 1
+            percent_total_data: 40
+          - name: cephfs_metadata
+            application: cephfs
+            replication: 1
+            percent_total_data: 5
+          - name: cephfs_data
+            application: cephfs
+            replication: 1
+            percent_total_data: 10
+          # RadosGW pools
+          - name: .rgw.root
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.control
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.data.root
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.gc
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.log
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.intent-log
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.meta
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.usage
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.users.keys
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.users.email
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.users.swift
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.users.uid
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.buckets.extra
+            application: rgw
+            replication: 1
+            percent_total_data: 0.1
+          - name: default.rgw.buckets.index
+            application: rgw
+            replication: 1
+            percent_total_data: 3
+          - name: default.rgw.buckets.data
+            application: rgw
+            replication: 1
+            percent_total_data: 34.8
+...
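Review bot: Every pool under `spec:` sets `replication: 1`, so each object has a single copy and losing one OSD loses data in the rbd, cephfs and RadosGW pools. If this is deliberate for a lab pod with one OSD per node, a comment such as `# NEWSITE-CHANGEME: single replica, lab use only; raise for any site that must survive a disk failure` would keep it from being copied into a real deployment. The comment on `osd: 1` calls it the number of OSDs per ceph node, while ceph-client-update.yaml describes the same key as the total number of OSDs, so one of the two descriptions is presumably wrong. "envrionment" in the header comment is a typo.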
diff --git a/site/intel-pod17/software/charts/ucp/ceph/ceph-osd.yaml b/site/intel-pod17/software/charts/ucp/ceph/ceph-osd.yaml
new file mode 100644 (file)
index 0000000..8cf291a
--- /dev/null
@@ -0,0 +1,30 @@
+---
+# The purpose of this file is to define environment-specific parameters for
+# ceph-osd
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-ceph-osd
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: ucp-ceph-osd-global
+    actions:
+      - method: replace
+        path: .values.conf.storage.osd
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    conf:
+      storage:
+        osd:
+          - data:
+              type: block-logical
+              location: /dev/sdb
+            journal:
+              type: directory
+              location: /var/lib/openstack-helm/ceph/osd/osd-sdb
+...
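Review bot: The OSD data device is given as the kernel name `/dev/sdb`, which is assigned in enumeration order and is not guaranteed to point at the same disk after a reboot or a controller change. The hardware profile in this commit already identifies that disk by bus address (`datadisk`, `5:0.0.0`). The `tenant-ceph-osd` document later in this commit names the same `/dev/sdb` as its `block-logical` data device, so a node labelled for both `ceph-osd` and `tenant-ceph-osd` would have two OSD charts claiming one disk. If the chart accepts it, a persistent path under `/dev/disk/by-path/` would be safer, and a comment such as `# must not be co-located with tenant-ceph-osd (same device)` would make the constraint explicit.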
diff --git a/site/intel-pod17/software/charts/ucp/divingbell/divingbell.yaml b/site/intel-pod17/software/charts/ucp/divingbell/divingbell.yaml
new file mode 100644 (file)
index 0000000..db6ef66
--- /dev/null
@@ -0,0 +1,72 @@
+---
+# The purpose of this file is to define site-specific parameters to the
+# UAM-lite portion of the divingbell chart:
+# 1. User accounts to create on bare metal
+# 2. SSH public key for operationg system access to the bare metal
+# 3. Passwords for operating system access via iDrac/iLo console. SSH password-
+#    based auth is disabled.
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-divingbell
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: ucp-divingbell-global
+    actions:
+      - method: merge
+        path: .
+  labels:
+    name: ucp-divingbell-site
+  storagePolicy: cleartext
+  substitutions:
+    - dest:
+        path: .values.conf.uamlite.users[0].user_sshkeys[0]
+      src:
+        schema: deckhand/PublicKey/v1
+        name: airship_ssh_public_key
+        path: .
+    - dest:
+        path: .values.conf.uamlite.users[0].user_crypt_passwd
+      src:
+        schema: deckhand/Passphrase/v1
+        name: ubuntu_crypt_password
+        path: .
+    - dest:
+        path: .values.conf.uamlite.users[1].user_sshkeys[0]
+      src:
+        schema: deckhand/PublicKey/v1
+        name: airship_ssh_public_key
+        path: .
+    - dest:
+        path: .values.conf.uamlite.users[2].user_sshkeys[0]
+      src:
+        schema: deckhand/PublicKey/v1
+        name: grego_ssh_public_key
+        path: .
+    - dest:
+        path: .values.conf.uamlite.users[3].user_sshkeys[0]
+      src:
+        schema: deckhand/PublicKey/v1
+        name: kasparss_ssh_public_key
+        path: .
+
+data:
+  values:
+    conf:
+      uamlite:
+        users:
+          - user_name: ubuntu
+            user_sudo: true
+            user_sshkeys: []
+          - user_name: airship
+            user_sudo: true
+            user_sshkeys: []
+          - user_name: grego
+            user_sudo: true
+            user_sshkeys: []
+          - user_name: kasparss
+            user_sudo: true
+            user_sshkeys: []
+...
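Review bot: The substitutions bind keys to accounts by list position (`users[0]` through `users[3]`), so which SSH key lands on which account depends entirely on the order of the `users` list under `data`. Reordering or inserting an entry would silently install one person's key on another account. All four accounts, including the two personal ones, are given `user_sudo: true`, and only `users[0]` receives `user_crypt_passwd`. I would add `# Order is significant: the substitutions above index into this list` above `users:`. It is also worth deciding whether personal sudo accounts belong in a reference site manifest that others will copy.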
diff --git a/site/intel-pod17/software/config/common-software-config.yaml b/site/intel-pod17/software/config/common-software-config.yaml
new file mode 100644 (file)
index 0000000..6122372
--- /dev/null
@@ -0,0 +1,16 @@
+---
+# The purpose of this file is to define site-specific common software config
+# paramters.
+schema: pegleg/CommonSoftwareConfig/v1
+metadata:
+  schema: metadata/Document/v1
+  name: common-software-config
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  osh:
+    # NEWSITE-CHANGEME: Replace with the site name
+    region_name: intel-pod17
+...
diff --git a/type/cntt/bootactions/promjoin.yaml b/type/cntt/bootactions/promjoin.yaml
new file mode 100644 (file)
index 0000000..1178c10
--- /dev/null
@@ -0,0 +1,32 @@
+---
+# This file defines a boot action which is responsible for fetching the node's
+# promjoin script from the promenade API. This is the script responsible for
+# installing kubernetes on the node and joining the kubernetes cluster.
+# #GLOBAL-CANDIDATE#
+schema: 'drydock/BootAction/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: promjoin
+  storagePolicy: 'cleartext'
+  layeringDefinition:
+    abstract: false
+    layer: site
+  labels:
+    application: 'drydock'
+data:
+  signaling: false
+  # TODO(alanmeadows) move what is global about this document
+  assets:
+    - path: /opt/promjoin.sh
+      type: file
+      permissions: '555'
+      # The ip= parameter must match the MaaS network name of the network used
+      # to contact kubernetes. With a standard, reference Airship deployment where
+      # L2 networks are shared between all racks, the network name (i.e. calico)
+      # should be correct.
+      location: promenade+http://promenade-api.ucp.svc.cluster.local/api/v1.0/join-scripts?design_ref={{ action.design_ref | urlencode }}&hostname={{ node.hostname }}&ip={{ node.network.private.ip }}{% for k, v in node.labels.items() %}&labels.dynamic={{ k }}={{ v }}{% endfor %}
+      location_pipeline:
+        - template
+      data_pipeline:
+        - utf8_decode
+...
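Review bot: Only `design_ref` is passed through `urlencode` in the `location` template. `node.hostname`, `node.network.private.ip` and the label keys and values are interpolated raw, so a label containing `&`, `=` or `#` would alter the query string sent to the join-scripts endpoint. Applying the same filter to each, for example `&labels.dynamic={{ k | urlencode }}={{ v | urlencode }}`, keeps the parameters intact. The scheme is `promenade+http`, so the script installed at `/opt/promjoin.sh` is fetched without transport integrity; whether that request stays inside the cluster network is not visible in this hunk and is worth confirming.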
diff --git a/type/cntt/deployment/deployment-configuration.yaml b/type/cntt/deployment/deployment-configuration.yaml
new file mode 100644 (file)
index 0000000..bfc6c0c
--- /dev/null
@@ -0,0 +1,41 @@
+---
+# The purpose of this file is to provide shipyard related deployment config
+# parameters. This should not require modification for a new site. However,
+# shipyard deployment strategies can be very useful in getting around certain
+# failures, like misbehaving nodes that hold up the deployment. See more at
+# https://opendev.org/airship/shipyard/src/branch/master/doc/source/site-definition-documents.rst#using-a-deployment-strategy
+schema: shipyard/DeploymentConfiguration/v1
+metadata:
+  schema: metadata/Document/v1
+  name: deployment-configuration
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  physical_provisioner:
+    deployment_strategy: deployment-strategy
+    deploy_interval: 30
+    deploy_timeout: 3600
+    destroy_interval: 30
+    destroy_timeout: 900
+    join_wait: 0
+    prepare_node_interval: 30
+    prepare_node_timeout: 1800
+    prepare_site_interval: 10
+    prepare_site_timeout: 300
+    verify_interval: 10
+    verify_timeout: 60
+  kubernetes_provisioner:
+    drain_timeout: 3600
+    drain_grace_period: 1800
+    clear_labels_timeout: 1800
+    remove_etcd_timeout: 1800
+    etcd_ready_timeout: 600
+  armada:
+    get_releases_timeout: 300
+    get_status_timeout: 300
+    manifest: 'full-site'
+    post_apply_timeout: 7200
+    validate_design_timeout: 600
+...
diff --git a/type/cntt/network/KubernetesNetwork.yaml b/type/cntt/network/KubernetesNetwork.yaml
new file mode 100644 (file)
index 0000000..1124d63
--- /dev/null
@@ -0,0 +1,97 @@
+---
+schema: promenade/KubernetesNetwork/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kubernetes-network
+  layeringDefinition:
+    abstract: false
+    layer: type
+  storagePolicy: cleartext
+  substitutions:
+    # DNS
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.cluster_domain
+      dest:
+        path: .dns.cluster_domain
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.service_ip
+      dest:
+        path: .dns.service_ip
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.upstream_servers
+      dest:
+        path: .dns.upstream_servers
+
+    # Kubernetes IPs
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .kubernetes.api_service_ip
+      dest:
+        path: .kubernetes.service_ip
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .kubernetes.pod_cidr
+      dest:
+        path: .kubernetes.pod_cidr
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .kubernetes.service_cidr
+      dest:
+        path: .kubernetes.service_cidr
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .kubernetes.apiserver_port
+      dest:
+        path: .kubernetes.apiserver_port
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .kubernetes.haproxy_port
+      dest:
+        path: .kubernetes.haproxy_port
+
+    # etcd IPs
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .etcd.container_port
+      dest:
+        path: .etcd.container_port
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .etcd.haproxy_port
+      dest:
+        path: .etcd.haproxy_port
+
+    # proxy
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .proxy.http
+      dest:
+        path: .proxy.url
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .proxy.no_proxy
+      dest:
+        path: .proxy.additional_no_proxy
+
+data:
+  dns:
+    bootstrap_validation_checks:
+      - calico-etcd.kube-system.svc.cluster.local
+      - kubernetes-etcd.kube-system.svc.cluster.local
+      - kubernetes.default.svc.cluster.local
+...
diff --git a/type/cntt/profiles/genesis.yaml b/type/cntt/profiles/genesis.yaml
new file mode 100644 (file)
index 0000000..54c5276
--- /dev/null
@@ -0,0 +1,49 @@
+---
+# The purpose of this file is to apply proper labels to Genesis node so the
+# proper services are installed and proper configuration applied. This should
+# not need to be changed for a new site.
+# #GLOBAL-CANDIDATE#
+schema: promenade/Genesis/v1
+metadata:
+  schema: metadata/Document/v1
+  name: genesis-site
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: genesis-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  labels:
+    dynamic:
+      - beta.kubernetes.io/fluentd-ds-ready=true
+      - calico-etcd=enabled
+      - ceph-mds=enabled
+      - ceph-mon=enabled
+      - ceph-osd=enabled
+      - ceph-rgw=enabled
+      - ceph-mgr=enabled
+      - ceph-bootstrap=enabled
+      - tenant-ceph-control-plane=enabled
+      - tenant-ceph-mon=enabled
+      - tenant-ceph-rgw=enabled
+      - tenant-ceph-mgr=enabled
+      - kube-dns=enabled
+      - kube-ingress=enabled
+      - kubernetes-apiserver=enabled
+      - kubernetes-controller-manager=enabled
+      - kubernetes-etcd=enabled
+      - kubernetes-scheduler=enabled
+      - promenade-genesis=enabled
+      - ucp-control-plane=enabled
+      - maas-rack=enabled
+      - maas-region=enabled
+      - ceph-osd-bootstrap=enabled
+      - openstack-control-plane=enabled
+      - openvswitch=enabled
+      - openstack-l3-agent=enabled
+      - node-exporter=enabled
+...
diff --git a/type/cntt/profiles/hardware/intel-s2600wt.yaml b/type/cntt/profiles/hardware/intel-s2600wt.yaml
new file mode 100644 (file)
index 0000000..07836ef
--- /dev/null
@@ -0,0 +1,109 @@
+---
+schema: 'drydock/HardwareProfile/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: intel-s2600wt
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+  # Vendor of the server chassis
+  vendor: Intel
+  # Generation of the chassis model
+  generation: '4'
+  # Version of the chassis model within its generation - not version of the hardware definition
+  hw_version: '3'
+  # The certified version of the chassis BIOS
+  bios_version: 'SE5C610.86B.01.01.0019.101220160604'
+  # Mode of the default boot of hardware - bios, uefi
+  boot_mode: bios
+  # Protocol of boot of the hardware - pxe, usb, hdd
+  bootstrap_protocol: pxe
+  # Which interface to use for network booting within the OOB manager, not OS device
+  pxe_interface: 0
+
+  # Map hardware addresses to aliases/roles to allow a mix of hardware configs
+  # in a site to result in a consistent configuration
+
+  device_aliases:
+    ## network
+    # $ sudo lspci |grep -i ethernet
+    # 03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
+    # 03:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
+    # 05:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
+    # 05:00.1 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
+    # 05:00.2 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
+    # 05:00.3 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
+
+    # control networks
+    # eno1
+    ctrl_nic1:
+      address: '0000:03:00.0'
+      dev_type: 'I350 Gigabit Network Connection'
+      bus_type: 'pci'
+    # eno2
+    ctrl_nic2:
+      address: '0000:03:00.3'
+      dev_type: 'I350 Gigabit Network Connection'
+      bus_type: 'pci'
+
+    # data networks
+    # ens785f0
+    data_nic1:
+      address: '0000:05:00.0'
+      dev_type: 'Ethernet Controller X710 for 10GbE SFP+'
+      bus_type: 'pci'
+    # ens785f1
+    data_nic2:
+      address: '0000:05:00.1'
+      dev_type: 'Ethernet Controller X710 for 10GbE SFP+'
+      bus_type: 'pci'
+    # ens785f2
+    data_nic3:
+      address: '0000:05:00.2'
+      dev_type: 'Ethernet Controller X710 for 10GbE SFP+'
+      bus_type: 'pci'
+    # ens785f3
+    data_nic4:
+      address: '0000:05:00.3'
+      dev_type: 'Ethernet Controller X710 for 10GbE SFP+'
+      bus_type: 'pci'
+
+    ## storage
+    # $ sudo lshw -c disk
+    #   *-disk                  
+    #        description: ATA Disk
+    #        product: INTEL SSDSC2BB48
+    #        physical id: 0.0.0
+    #        bus info: scsi@4:0.0.0
+    #        logical name: /dev/sda
+    #        version: 0101
+    #        serial: PHDV637602LL480BGN
+    #        size: 447GiB (480GB)
+    #        capabilities: gpt-1.00 partitioned partitioned:gpt
+    #        configuration: ansiversion=5 guid=ea7d0b6a-c105-4409-8d4c-dc104cb38737 logicalsectorsize=512 sectorsize=4096
+    #   *-disk
+    #        description: ATA Disk
+    #        product: ST91000640NS
+    #        vendor: Seagate
+    #        physical id: 0.0.0
+    #        bus info: scsi@5:0.0.0
+    #        logical name: /dev/sdb
+    #        version: SN03
+    #        serial: 9XG6LX48
+    #        size: 931GiB (1TB)
+    #        capabilities: gpt-1.00 partitioned partitioned:gpt
+    #        configuration: ansiversion=5 guid=27f17348-e081-4b00-8d4c-5960513a40cd logicalsectorsize=512 sectorsize=512
+
+    # /dev/sda
+    bootdisk:
+      address: '4:0.0.0'
+      dev_type: 'INTEL SSDSC2BB48'
+      bus_type: 'scsi'
+    # /dev/sdb
+    datadisk:
+      address: '5:0.0.0'
+      dev_type: 'ST91000640NS'
+      bus_type: 'scsi'
+...
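Review bot: The `lshw` output pasted into the comments under `## storage` includes the serial numbers and partition-table GUIDs of one specific machine. A hardware profile shared by every node of this type does not need them, and committing them publishes asset identifiers with the repository. Only `bus info`, `product` and `logical name` are used to derive `bootdisk` and `datadisk`, so I would trim the comment to those lines. The first `*-disk` comment line also ends in trailing whitespace.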
diff --git a/type/cntt/profiles/host/cp-intel-s2600wt.yaml b/type/cntt/profiles/host/cp-intel-s2600wt.yaml
new file mode 100644 (file)
index 0000000..1eca33e
--- /dev/null
@@ -0,0 +1,96 @@
+---
+# The primary control plane host profile for Airship for DELL R720s, and
+# should not need to be altered if you are using matching HW. The active
+# participants in the Ceph cluster run on this profile. Other control plane
+# services are not affected by primary vs secondary designation.
+schema: drydock/HostProfile/v1
+metadata:
+  schema: metadata/Document/v1
+  name: cp-intel-s2600wt
+  storagePolicy: cleartext
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      hosttype: cp-global
+    actions:
+      - method: replace
+        path: .interfaces
+      - method: replace
+        path: .storage
+      - method: merge
+        path: .
+data:
+  hardware_profile: intel-s2600wt
+
+  primary_network: dmz
+  interfaces:
+    dmz:
+      device_link: dmz
+      slaves:
+        - ctrl_nic1
+      networks:
+        - dmz
+    admin:
+      device_link: admin
+      slaves:
+        - ctrl_nic2
+      networks:
+        - admin
+    data1:
+      device_link: data1
+      slaves:
+        - data_nic1
+      networks:
+        - private
+        - management
+    data2:
+      device_link: data2
+      slaves:
+        - data_nic2
+      networks:
+        - storage
+        - public
+
+  storage:
+    physical_devices:
+      bootdisk:
+        labels:
+          bootdrive: 'true'
+        partitions:
+          - name: 'root'
+            size: '30g'
+            bootable: true
+            filesystem:
+              mountpoint: '/'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          - name: 'boot'
+            size: '1g'
+            filesystem:
+              mountpoint: '/boot'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          - name: 'var_log'
+            size: '100g'
+            filesystem:
+              mountpoint: '/var/log'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          - name: 'var'
+            size: '>100g'
+            filesystem:
+              mountpoint: '/var'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+
+  platform:
+    image: 'xenial'
+    kernel: 'hwe-16.04'
+    kernel_params:
+      kernel_package: 'linux-image-4.15.0-46-generic'
+
+  metadata:
+    owner_data:
+      openstack-l3-agent: enabled
+...
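Review bot: The header comment describes this as the control plane profile "for DELL R720s", but the document is `cp-intel-s2600wt` and selects `hardware_profile: intel-s2600wt`. The "matching HW" guidance therefore points operators at the wrong hardware. Suggested first line: `# The primary control plane host profile for Airship for Intel S2600WT servers, and`. The same stale reference is in the header of `dp-intel-s2600wt.yaml`.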
diff --git a/type/cntt/profiles/host/dp-intel-s2600wt.yaml b/type/cntt/profiles/host/dp-intel-s2600wt.yaml
new file mode 100644 (file)
index 0000000..e05a2c7
--- /dev/null
@@ -0,0 +1,103 @@
+---
+# The data plane host profile for Airship for DELL R720s, and should
+# not need to be altered if you are using matching HW. The host profile is setup
+# for cpu isolation (for nova pinning), hugepages, and sr-iov.
+schema: drydock/HostProfile/v1
+metadata:
+  schema: metadata/Document/v1
+  name: dp-intel-s2600wt
+  storagePolicy: cleartext
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      hosttype: dp-global
+    actions:
+      - method: replace
+        path: .interfaces
+      - method: replace
+        path: .storage
+      - method: merge
+        path: .
+data:
+  hardware_profile: intel-s2600wt
+
+  primary_network: dmz
+  interfaces:
+    dmz:
+      device_link: dmz
+      slaves:
+        - ctrl_nic1
+      networks:
+        - dmz
+    admin:
+      device_link: admin
+      slaves:
+        - ctrl_nic2
+      networks:
+        - admin
+    data1:
+      device_link: data1
+      slaves:
+        - data_nic1
+      networks:
+        - private
+        - management
+    data2:
+      device_link: data2
+      slaves:
+        - data_nic2
+      networks:
+        - storage
+        - public
+
+  storage:
+    physical_devices:
+      bootdisk:
+        labels:
+          bootdrive: 'true'
+        partitions:
+          - name: 'root'
+            size: '30g'
+            bootable: true
+            filesystem:
+              mountpoint: '/'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          - name: 'boot'
+            size: '1g'
+            filesystem:
+              mountpoint: '/boot'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          - name: 'log'
+            size: '100g'
+            filesystem:
+              mountpoint: '/var/log'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+          # - name: 'cephjournal'
+          #   size: '10g'
+          - name: 'var'
+            size: '>100g'
+            filesystem:
+              mountpoint: '/var'
+              fstype: 'ext4'
+              mount_options: 'defaults'
+      # datadisk:
+      #   partitions:
+      #     - name: 'nova'
+      #       size: '450g'
+      #       filesystem:
+      #         mountpoint: '/var/lib/nova'
+      #         fstype: 'ext4'
+      #         mount_options: 'defaults'
+      #     - name: 'cephosd'
+      #       size: '>100g'
+
+  platform:
+    image: 'xenial'
+    kernel: 'hwe-16.04'
+    kernel_params:
+      kernel_package: 'linux-image-4.15.0-46-generic'
+...
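Review bot: Every partition, including the dedicated `/var/log` one, is mounted with `mount_options: 'defaults'`, so device nodes, setuid binaries and execution are all permitted on a filesystem that only needs to hold logs. If nothing in this deployment executes from `/var/log`, `mount_options: 'defaults,nodev,nosuid,noexec'` on the `log` partition would be a cheap hardening step, though it needs testing against the services that write there. The `var_log` partition in `cp-intel-s2600wt.yaml` has the same setting. Separately, the header promises CPU isolation, hugepages and SR-IOV, while `kernel_params` here sets only `kernel_package`; those settings may come from the `dp-global` parent, which is not visible in this hunk.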
diff --git a/type/cntt/software/charts/kubernetes/ingress/ingress.yaml b/type/cntt/software/charts/kubernetes/ingress/ingress.yaml
new file mode 100644 (file)
index 0000000..be61953
--- /dev/null
@@ -0,0 +1,31 @@
+---
+# The purpose of this file is to define the environment-specific public-facing
+# VIP for the ingress controller
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ingress-kube-system
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      ingress: kube-system
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .vip.ingress_vip
+      dest:
+        path: .values.network.vip.addr
+data:
+  values:
+    network:
+      ingress:
+        disable-ipv6: "true"
+      vip:
+        manage: true
+...
diff --git a/type/cntt/software/charts/osh-infra/elasticsearch.yaml b/type/cntt/software/charts/osh-infra/elasticsearch.yaml
new file mode 100644 (file)
index 0000000..3621e75
--- /dev/null
@@ -0,0 +1,34 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: elasticsearch
+  labels:
+    name: elasticsearch-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      hosttype: elasticsearch-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        master: 2
+        data: 1
+        client: 2
+    storage:
+      requests:
+        storage: 40Gi
+    conf:
+      elasticsearch:
+        env:
+          java_opts:
+            client: "-Xms2048m -Xmx2048m"
+            data: "-Xms2048m -Xmx2048m"
+            master: "-Xms2048m -Xmx2048m"
+...
diff --git a/type/cntt/software/charts/osh-infra/fluentbit.yaml b/type/cntt/software/charts/osh-infra/fluentbit.yaml
new file mode 100644 (file)
index 0000000..1d176cd
--- /dev/null
@@ -0,0 +1,22 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: fluentbit
+  labels:
+    name: fluentbit-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      hosttype: fluentbit-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        fluentd: 1
+...
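Review bot: The only value this `fluentbit` document sets is `pod.replicas.fluentd: 1`, which is identical to the `data` block of `fluentd.yaml` and looks like a copy-paste. If the fluentbit chart has no `fluentd` replica key, the override is silently ignored under `method: merge` and the file has no effect. Either drop the `pod.replicas` block or add a comment such as `# fluentd aggregator replica count exposed by the fluentbit chart`, if that is in fact what the parent `fluentbit-global` expects.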
diff --git a/type/cntt/software/charts/osh-infra/fluentd.yaml b/type/cntt/software/charts/osh-infra/fluentd.yaml
new file mode 100644 (file)
index 0000000..906b26d
--- /dev/null
@@ -0,0 +1,22 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: fluentd
+  labels:
+    name: fluentd-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      hosttype: fluentd-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        fluentd: 1
+...
diff --git a/type/cntt/software/charts/osh-infra/grafana.yaml b/type/cntt/software/charts/osh-infra/grafana.yaml
new file mode 100644 (file)
index 0000000..d12f7d2
--- /dev/null
@@ -0,0 +1,23 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: grafana
+  labels:
+    name: grafana-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: grafana-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        grafana: 1
+...
diff --git a/type/cntt/software/charts/osh-infra/ingress.yaml b/type/cntt/software/charts/osh-infra/ingress.yaml
new file mode 100644 (file)
index 0000000..96753c9
--- /dev/null
@@ -0,0 +1,24 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: osh-infra-ingress-controller
+  labels:
+    name: osh-infra-ingress-controller-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: osh-infra-ingress-controller-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        ingress: 1
+        error_page: 1
+...
diff --git a/type/cntt/software/charts/osh-infra/mariadb.yaml b/type/cntt/software/charts/osh-infra/mariadb.yaml
new file mode 100644 (file)
index 0000000..ddb4424
--- /dev/null
@@ -0,0 +1,24 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: osh-infra-mariadb
+  labels:
+    name: osh-infra-mariadb-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: osh-infra-mariadb-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        server: 1
+        ingress: 1
+...
diff --git a/type/cntt/software/charts/osh-infra/prometheus.yaml b/type/cntt/software/charts/osh-infra/prometheus.yaml
new file mode 100644 (file)
index 0000000..4b02c04
--- /dev/null
@@ -0,0 +1,35 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: prometheus
+  labels:
+    name: prometheus-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: prometheus-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      replicas:
+        prometheus: 1
+      resources:
+        enabled: true
+        prometheus:
+          limits:
+            memory: "4Gi"
+            cpu: "2000m"
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+    storage:
+      requests:
+        storage: 50Gi
+...
diff --git a/type/cntt/software/charts/osh/openstack-compute-kit/neutron.yaml b/type/cntt/software/charts/osh/openstack-compute-kit/neutron.yaml
new file mode 100644 (file)
index 0000000..8d47efd
--- /dev/null
@@ -0,0 +1,28 @@
+---
+# This file defines hardware-specific settings for neutron. If you use the same
+# hardware profile as this environment, you should not need to change this file.
+# Otherwise, you should review the settings here and adjust for your hardware.
+# In particular:
+# 1. logical network interface names
+# 2. physical device mappigns
+# TODO: Should move to global layer and become tied to the hardware profile
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: neutron
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: neutron-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  wait:
+    timeout: 1800
+  test:
+    timeout: 900
+...
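Review bot: The header comment says this file holds hardware-specific neutron settings (logical interface names and physical device mappings), but `data` only overrides `wait.timeout` and `test.timeout`. Someone adapting the manifests to new hardware is sent to a file that contains none of those values. `nova.yaml` has the same problem: its comment describes `vcpu_pin_set` and PCI passthrough settings while the document is `data: {}`. A header matching the content, e.g. `# This file overrides the wait and test timeouts of the neutron chart.`, would avoid that. "mappigns" in item 2 is a typo for "mappings".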
diff --git a/type/cntt/software/charts/osh/openstack-compute-kit/nova.yaml b/type/cntt/software/charts/osh/openstack-compute-kit/nova.yaml
new file mode 100644 (file)
index 0000000..32f94b8
--- /dev/null
@@ -0,0 +1,25 @@
+---
+# This file defines hardware-specific settings for nova. If you use the same
+# hardware profile as this environment, you should not need to change this file.
+# Otherwise, you should review the settings here and adjust for your hardware.
+# In particular:
+# 1. vcpu_pin_set will change if the number of logical CPUs on the hardware
+#    changes.
+# 2. pci alias / passthrough_whitelist could change if the NIC type or NIC
+#    slotting changes.
+# TODO: Should move to global layer and become tied to the hardware profile
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: nova
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: nova-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data: {}
+...
diff --git a/type/cntt/software/charts/osh/openstack-heat/heat.yaml b/type/cntt/software/charts/osh/openstack-heat/heat.yaml
new file mode 100644 (file)
index 0000000..de5bd51
--- /dev/null
@@ -0,0 +1,21 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: heat
+  labels:
+    name: heat-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: heat-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  test:
+    timeout: 600
+...
diff --git a/type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml b/type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml
new file mode 100644 (file)
index 0000000..3f5bfba
--- /dev/null
@@ -0,0 +1,23 @@
+---
+# The purpose of this file is to define envrionment-specific parameters for the
+# ceph client
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: tenant-ceph-client
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: tenant-ceph-client-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    conf:
+      pool:
+        target:
+          osd: 3
+...
diff --git a/type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-osd.yaml b/type/cntt/software/charts/osh/openstack-tenant-ceph/ceph-osd.yaml
new file mode 100644 (file)
index 0000000..8937fdc
--- /dev/null
@@ -0,0 +1,34 @@
+---
+# The purpose of this file is to define environment-specific parameters for
+# ceph-osd
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: tenant-ceph-osd
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: tenant-ceph-osd-global
+    actions:
+      - method: replace
+        path: .values.conf.storage.osd
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    labels:
+      osd:
+        node_selector_key: tenant-ceph-osd
+        node_selector_value: enabled
+    conf:
+      storage:
+        osd:
+          - data:
+              type: block-logical
+              location: /dev/sdb
+            journal:
+              type: directory
+              location: /var/lib/openstack-helm/tenant-ceph/osd/osd-sdb
+...
diff --git a/type/cntt/software/charts/ucp/comps/chart-group.yaml b/type/cntt/software/charts/ucp/comps/chart-group.yaml
new file mode 100644 (file)
index 0000000..02236b5
--- /dev/null
@@ -0,0 +1,14 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-drydock-scaled
+  layeringDefinition:
+    abstract: false
+    layer: type
+  storagePolicy: cleartext
+data:
+  description: Drydock
+  chart_group:
+    - ucp-maas-scaled
+    - ucp-drydock
diff --git a/type/cntt/software/charts/ucp/comps/drydock.yaml b/type/cntt/software/charts/ucp/comps/drydock.yaml
new file mode 100644 (file)
index 0000000..1343340
--- /dev/null
@@ -0,0 +1,25 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: ucp-drydock
+  labels:
+    name: ucp-drydock-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: ucp-drydock-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    network:
+      api:
+        ingress:
+          classes:
+            cluster: maas-ingress
+...
diff --git a/type/cntt/software/charts/ucp/comps/maas-scaled.yaml b/type/cntt/software/charts/ucp/comps/maas-scaled.yaml
new file mode 100644 (file)
index 0000000..531a9f3
--- /dev/null
@@ -0,0 +1,32 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-maas-scaled
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: ucp-maas-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .vip.maas_vip
+      dest:
+        path: .values.network.maas_ingress.addr
+data:
+  values:
+    network:
+      region_api:
+        node_port:
+          enabled: true
+    pod:
+      replicas:
+        region: 2
+        rack: 2
+...
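Review bot: `node_port.enabled: true` under `network.region_api` publishes the MAAS region API on a port of every cluster node, in addition to the ingress VIP substituted into `.values.network.maas_ingress.addr`. The endpoint catalogue added in this commit lists that API with `nodeport: 31900` and `scheme: "http"`, so the provisioning API would be reachable unencrypted on each node address unless something outside these manifests restricts it. If the NodePort is needed (presumably for nodes being provisioned), add a comment naming the consumer and confirm that host firewall or network policy limits the source networks; otherwise set `enabled: false`. The same setting appears in `maas.yaml` in the next hunk.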
diff --git a/type/cntt/software/charts/ucp/comps/maas.yaml b/type/cntt/software/charts/ucp/comps/maas.yaml
new file mode 100644 (file)
index 0000000..d22cf55
--- /dev/null
@@ -0,0 +1,29 @@
+---
+# This file defines site-specific deviations for MaaS.
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-maas
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: ucp-maas-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .vip.maas_vip
+      dest:
+        path: .values.network.maas_ingress.addr
+data:
+  values:
+    network:
+      region_api:
+        node_port:
+          enabled: true
+...
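Review bot: The header comment says this file defines "site-specific deviations for MaaS", but the document is declared `layer: type` and lives under `type/cntt`. A comment such as `# This file defines cntt type-level overrides for the MaaS chart.` would match the code. The body is identical to `ucp-maas-scaled` apart from the missing `pod.replicas` block, so a second comment line stating which chart group references `ucp-maas` and which references `ucp-maas-scaled` would keep the two from drifting.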
diff --git a/type/cntt/software/charts/ucp/promenade/promenade.yaml b/type/cntt/software/charts/ucp/promenade/promenade.yaml
new file mode 100644 (file)
index 0000000..e245bd9
--- /dev/null
@@ -0,0 +1,50 @@
+---
+# The purpose of this file is to provide site-specific parameters for the ucp-
+# promenade chart.
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp-promenade
+  layeringDefinition:
+    abstract: false
+    layer: site
+    parentSelector:
+      name: ucp-promenade-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  values:
+    pod:
+      env:
+        promenade_api: []
+          # NEWSITE-CHANGEME: If your site uses an http proxy, enter it here.
+          # Otherwise comment out these lines.
+          # - name: http_proxy
+          #   value: 'http://proxy.example.com:8080'
+          # NEWSITE-CHANGEME: If your site uses an https proxy, enter it here.
+          # Otherwise comment out these lines.
+          # - name: https_proxy
+          #   value: 'http://proxy.example.com:8080'
+          # NEWSITE-CHANGEME: If your site uses an http/https proxy, enter the
+          # IPs / domain names which the proxy should not be used for (i.e. the
+          # cluster domain and kubernetes service_cidr defined in common-addresses)
+          # Otherwise comment out these lines.
+          # - name: no_proxy
+          #   value: '10.96.0.1,.cluster.local'
+          # NEWSITE-CHANGEME: If your site uses an http proxy, enter it here.
+          # Otherwise comment out these lines.
+          # - name: HTTP_PROXY
+          #   value: 'http://proxy.example.com:8080'
+          # NEWSITE-CHANGEME: If your site uses an https proxy, enter it here.
+          # Otherwise comment out these lines.
+          # - name: HTTPS_PROXY
+          #   value: 'http://proxy.example.com:8080'
+          # NEWSITE-CHANGEME: If your site uses an http/https proxy, enter the
+          # IPs / domain names which the proxy should not be used for (i.e. the
+          # cluster domain and kubernetes service_cidr defined in common-addresses)
+          # Otherwise comment out these lines.
+          # - name: NO_PROXY
+          #   value: '10.96.0.1,.cluster.local'
+...
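Review bot: This document is declared `layer: site` although it sits under `type/cntt`, while the sibling type documents in this commit (`ucp-drydock`, `ucp-maas`, `ucp-maas-scaled`) use `layer: type`. A site that later adds its own `ucp-promenade` chart document at the site layer would presumably collide with this one rather than layer on top of it, so `layer: type` looks like the intended value. The three catalogues in `endpoints.yaml` and `ucp_service_accounts` in `service_accounts.yaml` make the same choice. The proxy comments are also misleading, because they say "Otherwise comment out these lines" when the entries are already commented out and the value is `promenade_api: []`. The instruction could read `# To use a proxy, replace [] with the uncommented entries below.`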
diff --git a/type/cntt/software/config/endpoints.yaml b/type/cntt/software/config/endpoints.yaml
new file mode 100644 (file)
index 0000000..12bc7da
--- /dev/null
@@ -0,0 +1,1088 @@
+---
+# The purpose of this file is to define the site's endpoint catalog. This should
+# not need to be modified for a new site.
+# #GLOBAL-CANDIDATE#
+schema: pegleg/EndpointCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_endpoints
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.ingress_domain
+      dest:
+        - path: .ucp.identity.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .ucp.identity.host_fqdn_override.admin.host
+          pattern: DOMAIN
+        - path: .ucp.shipyard.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .ucp.physicalprovisioner.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .ucp.maas_region.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .ceph.object_store.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .ceph.ceph_object_store.host_fqdn_override.public.host
+          pattern: DOMAIN
+data:
+  ucp:
+    identity:
+      namespace: ucp
+      name: keystone
+      hosts:
+        default: keystone
+        internal: keystone-api
+      host_fqdn_override:
+        default: null
+        public:
+          host: iam-airship.DOMAIN
+        admin:
+          host: iam-airship.DOMAIN
+      path:
+        default: /v3
+      scheme:
+        default: "http"
+        internal: "http"
+      port:
+        api:
+          default: 80
+          internal: 5000
+    armada:
+      name: armada
+      hosts:
+        default: armada-api
+        public: armada
+      port:
+        api:
+          default: 8000
+      path:
+        default: /api/v1.0
+      scheme:
+        default: "http"
+      host_fqdn_override:
+        default: null
+    deckhand:
+      name: deckhand
+      hosts:
+        default: deckhand-int
+        public: deckhand-api
+      port:
+        api:
+          default: 9000
+      path:
+        default: /api/v1.0
+      scheme:
+        default: "http"
+      host_fqdn_override:
+        default: null
+    postgresql:
+      name: postgresql
+      hosts:
+        default: postgresql
+      path: /DB_NAME
+      scheme: postgresql+psycopg2
+      port:
+        postgresql:
+          default: 5432
+      host_fqdn_override:
+        default: null
+    postgresql_airflow_celery:
+      name: postgresql_airflow_celery_db
+      hosts:
+        default: postgresql
+      path: /DB_NAME
+      scheme: db+postgresql
+      port:
+        postgresql:
+          default: 5432
+      host_fqdn_override:
+        default: null
+    oslo_db:
+      hosts:
+        default: mariadb
+        discovery: mariadb-discovery
+      host_fqdn_override:
+        default: null
+      path: /DB_NAME
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+        wsrep:
+          default: 4567
+    key_manager:
+      name: barbican
+      hosts:
+        default: barbican-api
+        public: barbican
+      host_fqdn_override:
+        default: null
+      path:
+        default: /v1
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 9311
+          public: 80
+    airflow_oslo_messaging:
+      namespace: null
+      hosts:
+        default: rabbitmq
+      host_fqdn_override:
+        default: null
+      path: /airflow
+      scheme: amqp
+      port:
+        amqp:
+          default: 5672
+        http:
+          default: 15672
+    oslo_messaging:
+      namespace: null
+      statefulset:
+        name: airship-ucp-rabbitmq-rabbitmq
+      hosts:
+        default: rabbitmq
+      host_fqdn_override:
+        default: null
+      path: /keystone
+      scheme: rabbit
+      port:
+        amqp:
+          default: 5672
+    oslo_cache:
+      hosts:
+        default: memcached
+      host_fqdn_override:
+        default: null
+      port:
+        memcache:
+          default: 11211
+    physicalprovisioner:
+      name: drydock
+      hosts:
+        default: drydock-api
+      port:
+        api:
+          default: 9000
+          nodeport: 31900
+          public: 80
+      path:
+        default: /api/v1.0
+      scheme:
+        default: "http"
+        public: "http"
+      host_fqdn_override:
+        default: null
+        public:
+          host: drydock-airship.DOMAIN
+    maas_region:
+      name: maas-region
+      hosts:
+        default: maas-region
+        public: maas
+      path:
+        default: /MAAS
+      scheme:
+        default: "http"
+      port:
+        region_api:
+          default: 80
+          nodeport: 31900
+          podport: 80
+          public: 80
+        region_proxy:
+          default: 8000
+      host_fqdn_override:
+        default: null
+        public:
+          host: maas-airship.DOMAIN
+    maas_ingress:
+      hosts:
+        default: maas-ingress
+        error_pages: maas-ingress-error
+      host_fqdn_override:
+        public: null
+      port:
+        http:
+          default: 80
+        https:
+          default: 443
+        ingress_default_server:
+          default: 8383
+        error_pages:
+          default: 8080
+          podport: 8080
+        healthz:
+          podport: 10259
+        status:
+          podport: 18089
+    kubernetesprovisioner:
+      name: promenade
+      hosts:
+        default: promenade-api
+      port:
+        api:
+          default: 80
+      path:
+        default: /api/v1.0
+      scheme:
+        default: "http"
+      host_fqdn_override:
+        default: null
+    shipyard:
+      name: shipyard
+      hosts:
+        default: shipyard-int
+        public: shipyard-api
+      port:
+        api:
+          default: 9000
+          public: 80
+      path:
+        default: /api/v1.0
+      scheme:
+        default: "http"
+        public: "http"
+      host_fqdn_override:
+        default: null
+        public:
+          host: shipyard-airship.DOMAIN
+    prometheus_openstack_exporter:
+      namespace: ucp
+      hosts:
+        default: openstack-metrics
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        exporter:
+          default: 9103
+  ceph:
+    object_store:
+      name: swift
+      namespace: ceph
+      hosts:
+        default: ceph-rgw
+        public: radosgw
+      host_fqdn_override:
+        default: null
+        public:
+          host: object-store-airship.DOMAIN
+      path:
+        default: /swift/v1
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8088
+          public: 80
+    ceph_object_store:
+      name: radosgw
+      namespace: ceph
+      hosts:
+        default: ceph-rgw
+        public: radosgw
+      host_fqdn_override:
+        default: null
+        public:
+          host: object-store-airship.DOMAIN
+      path:
+        default: /auth/v1.0
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8088
+          public: 80
+    ceph_mon:
+      namespace: ceph
+      hosts:
+        default: ceph-mon
+        discovery: ceph-mon-discovery
+      host_fqdn_override:
+        default: null
+      port:
+        mon:
+          default: 6789
+    ceph_mgr:
+      namespace: ceph
+      hosts:
+        default: ceph-mgr
+      host_fqdn_override:
+        default: null
+      port:
+        mgr:
+          default: 7000
+      scheme:
+        default: "http"
+    tenant_ceph_mon:
+      namespace: tenant-ceph
+      hosts:
+        default: ceph-mon
+        discovery: ceph-mon-discovery
+      host_fqdn_override:
+        default: null
+      port:
+        mon:
+          default: 6790
+    tenant_ceph_mgr:
+      namespace: tenant-ceph
+      hosts:
+        default: ceph-mgr
+      host_fqdn_override:
+        default: null
+      port:
+        mgr:
+          default: 7001
+        metrics:
+          default: 9284
+      scheme:
+        default: http
+...
+---
+schema: pegleg/EndpointCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_endpoints
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.ingress_domain
+      dest:
+        - path: .osh.object_store.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.ceph_object_store.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.image.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.cloudformation.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.orchestration.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.compute.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.compute_novnc_proxy.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.placement.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.network.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.identity.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.identity.host_fqdn_override.admin.host
+          pattern: DOMAIN
+        - path: .osh.dashboard.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.volume.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.volumev2.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh.volumev3.host_fqdn_override.public.host
+          pattern: DOMAIN
+data:
+  osh:
+    object_store:
+      name: swift
+      namespace: openstack
+      hosts:
+        default: ceph-rgw
+        public: radosgw
+      host_fqdn_override:
+        default: null
+        public:
+          host: object-store-airship.DOMAIN
+      path:
+        default: /swift/v1/KEY_$(tenant_id)s
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8088
+          public: 80
+    ceph_object_store:
+      name: radosgw
+      namespace: openstack
+      hosts:
+        default: ceph-rgw
+        public: radosgw
+      host_fqdn_override:
+        default: null
+        public:
+          host: object-store-airship.DOMAIN
+      path:
+        default: /auth/v1.0
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8088
+          public: 80
+    oslo_db:
+      hosts:
+        default: mariadb
+        discovery: mariadb-discovery
+      host_fqdn_override:
+        default: null
+      path: /DB_NAME
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+        wsrep:
+          default: 4567
+    prometheus_mysql_exporter:
+      namespace: openstack
+      hosts:
+        default: mysql-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: /metrics
+      scheme:
+        default: 'http'
+      port:
+        metrics:
+          default: 9104
+    oslo_messaging:
+      statefulset:
+        name: airship-openstack-rabbitmq-rabbitmq
+      namespace: openstack
+      hosts:
+        default: openstack-rabbitmq
+      host_fqdn_override:
+        default: null
+      path: /VHOST_NAME
+      scheme: rabbit
+      port:
+        amqp:
+          default: 5672
+        http:
+          default: 15672
+    openstack_rabbitmq_exporter:
+      namespace: openstack
+      hosts:
+        default: openstack-rabbitmq-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: /metrics
+      scheme:
+        default: "http"
+      port:
+        metrics:
+          default: 9095
+    oslo_cache:
+      namespace: openstack
+      hosts:
+        default: memcached
+      host_fqdn_override:
+        default: null
+      port:
+        memcache:
+          default: 11211
+    identity:
+      namespace: openstack
+      name: keystone
+      hosts:
+        default: keystone
+        internal: keystone-api
+      host_fqdn_override:
+        default: null
+        public:
+          host: identity-airship.DOMAIN
+        admin:
+          host: identity-airship.DOMAIN
+      path:
+        default: /v3
+      scheme:
+        default: "http"
+        internal: "http"
+      port:
+        api:
+          default: 80
+          internal: 5000
+    image:
+      name: glance
+      hosts:
+        default: glance-api
+        public: glance
+      host_fqdn_override:
+        default: null
+        public:
+          host: image-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 9292
+          public: 80
+    image_registry:
+      name: glance-registry
+      hosts:
+        default: glance-registry
+        public: glance-reg
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 9191
+          public: 80
+    volume:
+      name: cinder
+      hosts:
+        default: cinder-api
+        public: cinder
+      host_fqdn_override:
+        default: null
+        public:
+          host: volume-airship.DOMAIN
+      path:
+        default: "/v1/%(tenant_id)s"
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8776
+          public: 80
+    volumev2:
+      name: cinderv2
+      hosts:
+        default: cinder-api
+        public: cinder
+      host_fqdn_override:
+        default: null
+        public:
+          host: volume-airship.DOMAIN
+      path:
+        default: "/v2/%(tenant_id)s"
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8776
+          public: 80
+    volumev3:
+      name: cinderv3
+      hosts:
+        default: cinder-api
+        public: cinder
+      host_fqdn_override:
+        default: null
+        public:
+          host: volume-airship.DOMAIN
+      path:
+        default: "/v3/%(tenant_id)s"
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8776
+          public: 80
+    orchestration:
+      name: heat
+      hosts:
+        default: heat-api
+        public: heat
+      host_fqdn_override:
+        default: null
+        public:
+          host: orchestration-airship.DOMAIN
+      path:
+        default: "/v1/%(project_id)s"
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8004
+          public: 80
+    cloudformation:
+      name: heat-cfn
+      hosts:
+        default: heat-cfn
+        public: cloudformation
+      host_fqdn_override:
+        default: null
+        public:
+          host: cloudformation-airship.DOMAIN
+      path:
+        default: /v1
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8000
+          public: 80
+    cloudwatch:
+      name: heat-cloudwatch
+      hosts:
+        default: heat-cloudwatch
+        public: cloudwatch
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      type: null
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 8003
+          public: 80
+    network:
+      name: neutron
+      hosts:
+        default: neutron-server
+        public: neutron
+      host_fqdn_override:
+        default: null
+        public:
+          host: network-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 9696
+          public: 80
+    compute:
+      name: nova
+      hosts:
+        default: nova-api
+        public: nova
+      host_fqdn_override:
+        default: null
+        public:
+          host: compute-airship.DOMAIN
+      path:
+        default: "/v2/%(tenant_id)s"
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8774
+          public: 80
+        novncproxy:
+          default: 80
+    compute_metadata:
+      name: nova
+      hosts:
+        default: nova-metadata
+        public: metadata
+      host_fqdn_override:
+        default: null
+      path:
+        default: /
+      scheme:
+        default: "http"
+      port:
+        metadata:
+          default: 8775
+          public: 80
+    compute_novnc_proxy:
+      name: nova
+      hosts:
+        default: nova-novncproxy
+        public: novncproxy
+      host_fqdn_override:
+        default: null
+        public:
+          host: nova-novncproxy-airship.DOMAIN
+      path:
+        default: /vnc_auto.html
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        novnc_proxy:
+          default: 6080
+          public: 80
+    compute_spice_proxy:
+      name: nova
+      hosts:
+        default: nova-spiceproxy
+      host_fqdn_override:
+        default: null
+      path:
+        default: /spice_auto.html
+      scheme:
+        default: "http"
+      port:
+        spice_proxy:
+          default: 6082
+    placement:
+      name: placement
+      hosts:
+        default: placement-api
+        public: placement
+      host_fqdn_override:
+        default: null
+        public:
+          host: placement-airship.DOMAIN
+      path:
+        default: /
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        api:
+          default: 8778
+          public: 80
+    dashboard:
+      name: horizon
+      hosts:
+        default: horizon-int
+        public: horizon
+      host_fqdn_override:
+        default: null
+        public:
+          host: dashboard-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        web:
+          default: 80
+          public: 80
+...
+---
+schema: pegleg/EndpointCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_endpoints
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .dns.ingress_domain
+      dest:
+        - path: .osh_infra.kibana.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh_infra.grafana.host_fqdn_override.public.host
+          pattern: DOMAIN
+        - path: .osh_infra.nagios.host_fqdn_override.public.host
+          pattern: DOMAIN
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .ldap.base_url
+      dest:
+        path: .osh_infra.ldap.host_fqdn_override.public.host
+        pattern: DOMAIN
+    - src:
+        schema: pegleg/CommonAddresses/v1
+        name: common-addresses
+        path: .ldap.auth_path
+      dest:
+        path: .osh_infra.ldap.path.default
+        pattern: AUTH_PATH
+data:
+  osh_infra:
+    ceph_object_store:
+      name: radosgw
+      namespace: osh-infra
+      hosts:
+        default: ceph-rgw
+        public: radosgw
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 8088
+          public: 80
+    elasticsearch:
+      name: elasticsearch
+      namespace: osh-infra
+      hosts:
+        data: elasticsearch-data
+        default: elasticsearch-logging
+        discovery: elasticsearch-discovery
+        public: elasticsearch
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+    prometheus_elasticsearch_exporter:
+      namespace: null
+      hosts:
+        default: elasticsearch-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: /metrics
+      scheme:
+        default: "http"
+      port:
+        metrics:
+          default: 9108
+    fluentd:
+      namespace: osh-infra
+      name: fluentd
+      hosts:
+        default: fluentd-logging
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        service:
+          default: 24224
+        metrics:
+          default: 24220
+    prometheus_fluentd_exporter:
+      namespace: osh-infra
+      hosts:
+        default: fluentd-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: /metrics
+      scheme:
+        default: "http"
+      port:
+        metrics:
+          default: 9309
+    oslo_db:
+      namespace: osh-infra
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /DB_NAME
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+    prometheus_mysql_exporter:
+      namespace: osh-infra
+      hosts:
+        default: mysql-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: /metrics
+      scheme:
+        default: 'http'
+      port:
+        metrics:
+          default: 9104
+    grafana:
+      name: grafana
+      namespace: osh-infra
+      hosts:
+        default: grafana-dashboard
+        public: grafana
+      host_fqdn_override:
+        default: null
+        public:
+          host: grafana-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        grafana:
+          default: 3000
+          public: 80
+    monitoring:
+      name: prometheus
+      namespace: osh-infra
+      hosts:
+        default: prom-metrics
+        public: prometheus
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 9090
+        http:
+          default: 80
+    kibana:
+      name: kibana
+      namespace: osh-infra
+      hosts:
+        default: kibana-dash
+        public: kibana
+      host_fqdn_override:
+        default: null
+        public:
+          host: kibana-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        kibana:
+          default: 5601
+          public: 80
+    alerts:
+      name: alertmanager
+      namespace: osh-infra
+      hosts:
+        default: alerts-engine
+        public: alertmanager
+        discovery: alertmanager-discovery
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        api:
+          default: 9093
+          public: 80
+        mesh:
+          default: 6783
+    kube_state_metrics:
+      namespace: kube-system
+      hosts:
+        default: kube-state-metrics
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        http:
+          default: 8080
+    kube_scheduler:
+      scheme:
+        default: "http"
+      path:
+        default: /metrics
+    kube_controller_manager:
+      scheme:
+        default: "http"
+      path:
+        default: /metrics
+    node_metrics:
+      namespace: kube-system
+      hosts:
+        default: node-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        metrics:
+          default: 9100
+        prometheus_port:
+          default: 9100
+    process_exporter_metrics:
+      namespace: kube-system
+      hosts:
+        default: process-exporter
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        metrics:
+          default: 9256
+    prometheus_openstack_exporter:
+      namespace: openstack
+      hosts:
+        default: openstack-metrics
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme:
+        default: "http"
+      port:
+        exporter:
+          default: 9103
+    nagios:
+      name: nagios
+      namespace: osh-infra
+      hosts:
+        default: nagios-metrics
+        public: nagios
+      host_fqdn_override:
+        default: null
+        public:
+          host: nagios-airship.DOMAIN
+      path:
+        default: null
+      scheme:
+        default: "http"
+        public: "http"
+      port:
+        http:
+          default: 80
+          public: 80
+    ldap:
+      hosts:
+        default: ldap
+      host_fqdn_override:
+        default: null
+        public:
+          host: DOMAIN
+      path:
+        default: /AUTH_PATH
+      scheme:
+        default: "ldap"
+      port:
+        ldap:
+          default: 389
+...
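Review bot: Every `scheme` in the three catalogues is `http`, including the `public` and `admin` Keystone endpoints (`iam-airship.DOMAIN`, `identity-airship.DOMAIN`) on port 80. The `ldap` entry likewise uses `scheme: "ldap"` on port 389. Wherever these endpoints are consumed, credentials, tokens and LDAP binds would therefore cross the network unencrypted. The commit also adds `secrets/certificates/ingress.yaml`, so presumably the ingress can terminate TLS. For externally reachable entries consider `public: "https"` under `scheme` with `public: 443` under `port`, and LDAPS or StartTLS for the directory if it supports them. If plain HTTP is deliberate for this lab pod, a comment at the top of the file saying so would keep the catalogue from being copied unchanged into a production site.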
diff --git a/type/cntt/software/config/service_accounts.yaml b/type/cntt/software/config/service_accounts.yaml
new file mode 100644 (file)
index 0000000..751f1b1
--- /dev/null
@@ -0,0 +1,435 @@
+---
+# The purpose of this file is to define the account catalog for the site. This
+# mostly contains service usernames, but also contain some information which
+# should be changed like the region (site) name.
+schema: pegleg/AccountCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: ucp_service_accounts
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data:
+    ucp:
+        postgres:
+            admin:
+                username: postgres
+            replica:
+                username: standby
+            exporter:
+                username: psql_exporter
+        oslo_db:
+            admin:
+                username: root
+        oslo_messaging:
+            admin:
+                username: rabbitmq
+        keystone:
+            admin:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                username: admin
+                project_name: admin
+                user_domain_name: default
+                project_domain_name: default
+            oslo_messaging:
+                admin:
+                    username: rabbitmq
+                keystone:
+                    username: keystone
+            oslo_db:
+                username: keystone
+                database: keystone
+        promenade:
+            keystone:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                project_name: service
+                project_domain_name: default
+                user_domain_name: default
+                username: promenade
+        drydock:
+            keystone:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                project_name: service
+                project_domain_name: default
+                user_domain_name: default
+                username: drydock
+            postgres:
+                username: drydock
+                database: drydock
+        shipyard:
+            keystone:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                project_name: service
+                project_domain_name: default
+                user_domain_name: default
+                username: shipyard
+            postgres:
+                username: shipyard
+                database: shipyard
+        airflow:
+            postgres:
+                username: airflow
+                database: airflow
+            oslo_messaging:
+                admin:
+                    username: rabbitmq
+                user:
+                    username: airflow
+        maas:
+            admin:
+                username: admin
+                email: none@none
+            postgres:
+                username: maas
+                database: maasdb
+        barbican:
+            keystone:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                project_name: service
+                project_domain_name: default
+                user_domain_name: default
+                username: barbican
+            oslo_db:
+                username: barbican
+                database: barbican
+            oslo_messaging:
+                admin:
+                    username: rabbitmq
+                keystone:
+                    username: keystone
+        armada:
+            keystone:
+                project_domain_name: default
+                user_domain_name: default
+                project_name: service
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                username: armada
+        deckhand:
+            keystone:
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                role: admin
+                project_name: service
+                project_domain_name: default
+                user_domain_name: default
+                username: deckhand
+            postgres:
+                username: deckhand
+                database: deckhand
+        prometheus_openstack_exporter:
+            user:
+                region_name: RegionOne
+                role: admin
+                username: prometheus-openstack-exporter
+                project_name: service
+                user_domain_name: default
+                project_domain_name: default
+    ceph:
+        swift:
+            keystone:
+                role: admin
+                # NEWSITE-CHANGEME: Replace with the site name
+                region_name: RegionOne
+                username: swift
+                project_name: service
+                user_domain_name: default
+                project_domain_name: default
+...
+---
+schema: pegleg/AccountCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_service_accounts
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.keystone.admin.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.cinder.cinder.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.glance.glance.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.heat.heat.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.heat.heat_trustee.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.heat.heat_stack_user.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.swift.keystone.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.neutron.neutron.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.nova.nova.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.nova.placement.region_name
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh.barbican.barbican.region_name
+data:
+  osh:
+    keystone:
+      admin:
+        username: admin
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: keystone
+        database: keystone
+      oslo_messaging:
+        keystone:
+          username: keystone-rabbitmq-user
+      ldap:
+        # NEWSITE-CHANGEME: Replace with the site's LDAP account used to
+        # authenticate to the active directory backend to validate keystone
+        # users.
+        username: "test@ldap.example.com"
+    cinder:
+      cinder:
+        role: admin
+        username: cinder
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: cinder
+        database: cinder
+      oslo_messaging:
+        cinder:
+          username: cinder-rabbitmq-user
+    glance:
+      glance:
+        role: admin
+        username: glance
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: glance
+        database: glance
+      oslo_messaging:
+        glance:
+          username: glance-rabbitmq-user
+      ceph_object_store:
+        username: glance
+    heat:
+      heat:
+        role: admin
+        username: heat
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      heat_trustee:
+        role: admin
+        username: heat-trust
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      heat_stack_user:
+        role: admin
+        username: heat-domain
+        domain_name: heat
+      oslo_db:
+        username: heat
+        database: heat
+      oslo_messaging:
+        heat:
+          username: heat-rabbitmq-user
+    swift:
+      keystone:
+        role: admin
+        username: swift
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+    oslo_db:
+      admin:
+        username: root
+    prometheus_mysql_exporter:
+      user:
+        username: osh-oslodb-exporter
+    neutron:
+      neutron:
+        role: admin
+        username: neutron
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: neutron
+        database: neutron
+      oslo_messaging:
+        neutron:
+          username: neutron-rabbitmq-user
+    nova:
+      nova:
+        role: admin
+        username: nova
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      placement:
+        role: admin
+        username: placement
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: nova
+        database: nova
+      oslo_db_api:
+        username: nova
+        database: nova_api
+      oslo_db_cell0:
+        username: nova
+        database: "nova_cell0"
+      oslo_messaging:
+        nova:
+          username: nova-rabbitmq-user
+    horizon:
+      oslo_db:
+        username: horizon
+        database: horizon
+    barbican:
+      barbican:
+        role: admin
+        username: barbican
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      oslo_db:
+        username: barbican
+        database: barbican
+      oslo_messaging:
+        barbican:
+          username: barbican-rabbitmq-user
+    oslo_messaging:
+      admin:
+        username: admin
+    tempest:
+      tempest:
+        role: admin
+        username: tempest
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+...
+---
+schema: pegleg/AccountCatalogue/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_infra_service_accounts
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+  substitutions:
+    - src:
+        schema: pegleg/CommonSoftwareConfig/v1
+        name: common-software-config
+        path: .osh.region_name
+      dest:
+        path: .osh_infra.prometheus_openstack_exporter.user.region_name
+data:
+  osh_infra:
+    ceph_object_store:
+      admin:
+        username: s3_admin
+      elasticsearch:
+        username: elasticsearch
+    grafana:
+      admin:
+        username: grafana
+      oslo_db:
+        username: grafana
+        database: grafana
+      oslo_db_session:
+        username: grafana_session
+        database: grafana_session
+    elasticsearch:
+      admin:
+        username: elasticsearch
+    oslo_db:
+      admin:
+        username: root
+    prometheus_mysql_exporter:
+      user:
+        username: osh-infra-oslodb-exporter
+    prometheus_openstack_exporter:
+      user:
+        role: admin
+        username: prometheus-openstack-exporter
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+    nagios:
+      admin:
+        username: nagios
+    prometheus:
+      admin:
+        username: prometheus
+    ldap:
+      admin:
+        # NEWSITE-CHANGEME: Replace with the site's LDAP account used to
+        # authenticate to the active directory backend to validate keystone
+        # users.
+        bind: "test@ldap.example.com"
+...
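Review bot: The `prometheus_openstack_exporter` entries (under `ucp` and `osh_infra`) and the `osh.tempest` entry are given `role: admin`, which looks broader than a metrics exporter or a test account needs. If the Keystone policy in use allows it, a read-only role would limit what a leaked exporter credential can do. If admin really is required, record that next to the entry, e.g. `# admin role required because <reason>`. Separately, the `ucp.prometheus_openstack_exporter.user` entry hard-codes `region_name: RegionOne` without the `# NEWSITE-CHANGEME: Replace with the site name` marker that every other `region_name` in that document carries, so it is easy to miss when the site is renamed. The `osh_infra` document avoids the problem by substituting the value from `common-software-config`.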
diff --git a/type/cntt/software/manifests/bootstrap.yaml b/type/cntt/software/manifests/bootstrap.yaml
new file mode 100644 (file)
index 0000000..e015410
--- /dev/null
@@ -0,0 +1,39 @@
+---
+schema: armada/Manifest/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: cluster-bootstrap
+  labels:
+    name: cluster-bootstrap-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: cluster-bootstrap-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  release_prefix: airship
+  chart_groups:
+    - podsecuritypolicy
+    - kubernetes-proxy
+    - kubernetes-container-networking
+    - kubernetes-dns
+    - kubernetes-etcd
+    - kubernetes-haproxy
+    - kubernetes-core
+    - ingress-kube-system
+    - ucp-ceph
+    - ucp-ceph-config
+    - ucp-core
+    - ucp-keystone
+    - ucp-divingbell
+    - ucp-armada
+    - ucp-deckhand
+    - ucp-drydock
+    - ucp-promenade
+    - ucp-shipyard
+...
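Review bot: Neither this manifest nor `full-site.yaml` in the next hunk has a header comment saying what it is for, although the shared part of the two lists differs only in `ucp-ceph` / `ucp-drydock` here versus `ucp-ceph-update` / `ucp-drydock-scaled` there. A line after `---` would stop a later editor from "aligning" them, for example `# Chart groups for the initial cluster bootstrap; full-site.yaml lists the groups for the complete site.` (the purpose is presumed from the names, so confirm the wording). Because `replacement: true` is combined with a `merge` action on `.`, it would also help to state whether `chart_groups` is meant to replace the list inherited from `cluster-bootstrap-global` outright.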
diff --git a/type/cntt/software/manifests/full-site.yaml b/type/cntt/software/manifests/full-site.yaml
new file mode 100644 (file)
index 0000000..2cb0c84
--- /dev/null
@@ -0,0 +1,61 @@
+---
+schema: armada/Manifest/v1
+metadata:
+  schema: metadata/Document/v1
+  replacement: true
+  name: full-site
+  labels:
+    name: full-site-type
+  layeringDefinition:
+    abstract: false
+    layer: type
+    parentSelector:
+      name: full-site-global
+    actions:
+      - method: merge
+        path: .
+  storagePolicy: cleartext
+data:
+  release_prefix: airship
+  chart_groups:
+    - podsecuritypolicy
+    - kubernetes-proxy
+    - kubernetes-container-networking
+    - kubernetes-dns
+    - kubernetes-etcd
+    - kubernetes-haproxy
+    - kubernetes-core
+    - ingress-kube-system
+    - ucp-ceph-update
+    - ucp-ceph-config
+    - ucp-core
+    - ucp-keystone
+    - ucp-divingbell
+    - ucp-armada
+    - ucp-deckhand
+    - ucp-drydock-scaled
+    - ucp-promenade
+    - ucp-shipyard
+    - ucp-prometheus-openstack-exporter
+    - osh-infra-ingress-controller
+    - osh-infra-ceph-config
+    - osh-infra-radosgw
+    - osh-infra-logging
+    - osh-infra-monitoring
+    - osh-infra-mariadb
+    - osh-infra-dashboards
+    - openstack-ingress-controller
+    - openstack-ceph-config
+    - openstack-tenant-ceph
+    - openstack-mariadb
+    - openstack-rabbitmq
+    - openstack-memcached
+    - openstack-keystone
+    - openstack-radosgw
+    - openstack-glance
+    - openstack-cinder
+    - openstack-compute-kit
+    - openstack-heat
+    - osh-infra-prometheus-openstack-exporter
+    - openstack-horizon
+...
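Review bot: `chart_groups` has no Barbican or Tempest group in its openstack section, yet `service_accounts.yaml` in this commit defines `osh.barbican` (with a `region_name` substitution) and `osh.tempest`, both with `role: admin`. If this type does not deploy those services, the account definitions are better dropped or marked as reserved, so the catalogue lists only identities that actually exist. If another layer adds the groups, a comment here naming it would help, e.g. `# openstack-barbican and tempest are added by <layer>`. This is inferred from the two files in view; the parent `full-site-global` is not part of the diff.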