Merge "Make userData optional in cluster chart"
authorKuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Mon, 13 Dec 2021 22:18:47 +0000 (22:18 +0000)
committerGerrit Code Review <gerrit@akraino.org>
Mon, 13 Dec 2021 22:18:47 +0000 (22:18 +0000)
26 files changed:
Makefile
README.md
Vagrantfile
deploy/flux/flux.sh [new file with mode: 0755]
deploy/metal3/scripts/01_metal3.sh
deploy/site/common.sh [new file with mode: 0644]
deploy/site/pod11/.sops.yaml [new file with mode: 0644]
deploy/site/pod11/pod11.sh [new file with mode: 0755]
deploy/site/pod11/site.yaml [new file with mode: 0644]
deploy/site/pod11/sops.pub.asc [new file with mode: 0644]
deploy/site/site.sh [new file with mode: 0755]
deploy/site/vm/.sops.yaml [new file with mode: 0644]
deploy/site/vm/cluster-e2etest-values.yaml [deleted file]
deploy/site/vm/id_rsa [new file with mode: 0644]
deploy/site/vm/id_rsa.pub [new file with mode: 0644]
deploy/site/vm/site.yaml [new file with mode: 0644]
deploy/site/vm/sops.asc [new file with mode: 0644]
deploy/site/vm/sops.pub.asc [new file with mode: 0644]
deploy/site/vm/vm.sh
env/lib/common.sh
env/metal3/01_install_package.sh
tools/vagrant/add_machine_to_vbmc.sh
tools/vagrant/create_machine_resource.sh [deleted file]
tools/vagrant/create_nodes_json_sample.sh
tools/vagrant/create_provisioning_cr.sh
tools/vagrant/remove_machine_from_vbmc.sh

index 1ccfae2..d520c16 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,7 @@ jump_server: package_prerequisite \
        kud_bm_deploy_mini \
        bmh_install \
        capi_install \
+       flux_install \
        bpa_op_install \
        bpa_rest_api_install
 
@@ -93,6 +94,9 @@ sdwan_verifier:
 capi_install:
        ./deploy/cluster-api/cluster-api.sh deploy
 
+flux_install:
+       ./deploy/flux/flux.sh deploy
+
 bpa_op_install:
        pushd $(BPA_OPERATOR) && make docker && make deploy && popd
 
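Review bot: `flux_install` is added with no prerequisites, so it only runs after the bootstrap cluster and Cluster API steps because `jump_server` lists it after `capi_install` and make runs serially; under `make -j` that order is not guaranteed. If `./deploy/flux/flux.sh deploy` needs the cluster to be up (the README in this commit lists Flux as the last jump-server step), state it in the rule, e.g. `flux_install: capi_install`, or at least in a comment above the target. The target names a command rather than a file, so it should also be listed in `.PHONY` if the Makefile keeps such a list; none is visible in this hunk.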
@@ -148,7 +152,6 @@ vm_verifier: jump_server \
        vm_clean_all
 
 vm_cluster:
-       ./deploy/site/vm/vm.sh build
        ./deploy/site/vm/vm.sh deploy
        ./deploy/site/vm/vm.sh wait
        ./deploy/kata/kata.sh test
index 3f76e11..72d059e 100644 (file)
--- a/README.md
+++ b/README.md
@@ -1,29 +1,30 @@
 # Introduction
 ICN strives to automate the process of installing the local cluster
 controller to the greatest degree possible – "zero touch
-installation". Most of the work is done simply by booting up the jump
-server (Local Controller). Once booted, the controller is fully
-provisioned and begins to inspect and provision the bare metal
-servers, until the cluster is entirely configured. This document shows
-step-by-step how to configure the network and deployment architecture
-for the ICN blueprint.
+installation". Once the jump server (Local Controller) is booted and
+the compute cluster-specific values are provided, the controller
+begins to inspect and provision the bare metal servers until the
+cluster is entirely configured. This document shows step-by-step how
+to configure the network and deployment architecture for the ICN
+blueprint.
 
 # License
 Apache license v2.0
 
 # Deployment Architecture
-The Local Controller is provisioned with the Metal3 Baremetal Operator
-and Ironic, which enable provisioning of bare metal servers. The
-controller has three network connections to the bare metal servers:
-network A connects bare metal servers, network B is a private network
-used for provisioning the bare metal servers and network C is the IPMI
-network, used for control during provisioning. In addition, the
-bare metal servers connect to the network D, the SRIOV network.
+The Local Controller is provisioned with the Cluster API controllers
+and the Metal3 infrastructure provider, which enable provisioning of
+bare metal servers. The controller has three network connections to
+the bare metal servers: network A connects bare metal servers, network
+B is a private network used for provisioning the bare metal servers
+and network C is the IPMI network, used for control during
+provisioning. In addition, the bare metal servers connect to the
+network D, the SRIOV network.
 
 ![Figure 1](figure-1.png)*Figure 1: Deployment Architecture*
 
 - Net A -- Bare metal network, lab networking for ssh. It is used as
-  the control plane for k8s, used by OVN and Flannel for the overlay
+  the control plane for K8s, used by OVN and Flannel for the overlay
   networking.
 - Net B (internal network) -- Provisioning network used by Ironic to
   do inspection.
@@ -43,15 +44,15 @@ one of the NICs.
 
 # Pre-installation Requirements
 There are two main components in ICN Infra Local Controller - Local
-Controller and k8s compute cluster.
+Controller and K8s compute cluster.
 
 ### Local Controller
-The Local Controller will reside in the jump server to run the Metal3
-operator, Binary Provisioning Agent (BPA) operator and BPA REST API
-controller.
+The Local Controller will reside in the jump server to run the Cluster
+API controllers with the Kubeadm bootstrap provider and Metal3
+infrastructure provider.
 
-### k8s Compute Cluster
-The k8s compute cluster will actually run the workloads and is
+### K8s Compute Cluster
+The K8s compute cluster will actually run the workloads and is
 installed on bare metal servers.
 
 ## Hardware Requirements
@@ -86,7 +87,7 @@ jump0 | Intel 2xE5-2699 | 64GB | 3TB (Sata)<br/>180 (SSD) | eth0: VLAN 110<br/>e
 
 #### Jump Server Software Requirements
 ICN supports Ubuntu 18.04. The ICN blueprint installs all required
-software during `make install`.
+software during `make jump_server`.
 
 ### Network Requirements
 Please refer to figure 1 for all the network requirements of the ICN
@@ -98,7 +99,7 @@ Net C to provision the bare metal servers to do the OS provisioning.
 
 ### Bare Metal Server Requirements
 
-### k8s Compute Cluster
+### K8s Compute Cluster
 
 #### Compute Server Hardware Requirements
 (Tested as below)
@@ -110,186 +111,21 @@ node3 | Intel 2xE5-2699 | 64GB | 3TB (Sata)<br/>180 (SSD) | eth0: VLAN 110<br/>e
 
 #### Compute Server Software Requirements
 The Local Controller will install all the software in compute servers
-from the OS to the software required to bring up the k8s cluster.
+from the OS to the software required to bring up the K8s cluster.
 
 ### Execution Requirements (Bare Metal Only)
 The ICN blueprint checks all the precondition and execution
 requirements for bare metal.
 
 # Installation High-Level Overview
-Installation is two-step process and everything starts with one
-command `make install`.
+Installation is two-step process:
 - Installation of the Local Controller.
-- Installation of compute cluster.
+- Installation of compute cluster.
 
 ## Bare Metal Deployment Guide
 
 ### Install Bare Metal Jump Server
 
-#### Creating a Node Inventory File
-
-##### Preconfiguration for the Local Controller in Jump Server
-The user is required to provide the IPMI information of the servers
-they connect to the Local Controller by editing node JSON sample file
-in the directory icn/deploy/metal3/scripts/nodes.json.sample as
-below. This example only shows 2 servers, statically configured on the
-baremetal network. If you want to increase servers, just add another
-array.  If the baremetal network provides a DHCP server with gateway
-and DNS server information, just change the baremetal type to "ipv4".
-ICN provides DHCP servers for the provisioning network.
-
-`node.json.sample`
-``` json
-{
-  "nodes": [{
-    "name": "node1",
-    "ipmi_driver_info": {
-      "username": "admin",
-      "password": "admin",
-      "address": "10.10.10.11"
-    },
-    "os": {
-      "image_name": "focal-server-cloudimg-amd64.img",
-      "username": "ubuntu",
-      "password": "mypasswd"
-    },
-    "net": {
-      "links": [
-        {
-          "id": "baremetal_nic",
-          "ethernet_mac_address": "00:1e:67:fe:f4:19",
-          "type": "phy"
-        },
-        {
-          "id": "provisioning_nic",
-          "ethernet_mac_address": "00:1e:67:fe:f4:1a",
-          "type": "phy"
-        },
-        {
-          "id": "sriov_nic",
-          "ethernet_mac_address": "00:1e:67:f8:6a:41",
-          "type": "phy"
-        }
-      ],
-      "networks": [
-        {
-          "id": "baremetal",
-          "link": "baremetal_nic",
-          "type": "ipv4",
-          "ip_address": "10.10.110.21/24",
-          "gateway": "10.10.110.1",
-          "dns_nameservers": ["8.8.8.8"]
-        },
-        {
-          "id": "provisioning",
-          "link": "provisioning_nic",
-          "type": "ipv4_dhcp"
-        },
-        {
-          "id": "sriov",
-          "link": "sriov_nic",
-          "type": "ipv4",
-          "ip_address": "10.10.113.2/24"
-        }
-      ],
-      "services": []
-    }
-  },
-  {
-    "name": "node2",
-    "ipmi_driver_info": {
-      "username": "admin",
-      "password": "admin",
-      "address": "10.10.10.12"
-    },
-    "os": {
-      "image_name": "focal-server-cloudimg-amd64.img",
-      "username": "ubuntu",
-      "password": "mypasswd"
-    },
-    "net": {
-      "links": [
-        {
-          "id": "baremetal_nic",
-          "ethernet_mac_address": "00:1e:67:f1:5b:90",
-          "type": "phy"
-        },
-        {
-          "id": "provisioning_nic",
-          "ethernet_mac_address": "00:1e:67:f1:5b:91",
-          "type": "phy"
-        },
-        {
-          "id": "sriov_nic",
-          "ethernet_mac_address": "00:1e:67:f8:69:81",
-          "type": "phy"
-        }
-      ],
-      "networks": [
-        {
-          "id": "baremetal",
-          "link": "baremetal_nic",
-          "type": "ipv4",
-          "ip_address": "10.10.110.22/24",
-          "gateway": "10.10.110.1",
-          "dns_nameservers": ["8.8.8.8"]
-        },
-        {
-          "id": "provisioning",
-          "link": "provisioning_nic",
-          "type": "ipv4_dhcp"
-        },
-        {
-          "id": "sriov",
-          "link": "sriov_nic",
-          "type": "ipv4",
-          "ip_address": "10.10.113.3/24"
-        }
-      ],
-      "services": []
-    }
-  }]
-}
-```
-
-##### Local Controller Metal3 Configuration Reference
-- *node*: The array of nodes required to add to Local Controller.
-- *name*: This will be the hostname for the machine, once it is
-  provisioned by Metal3.
-- *ipmi_driver_info*: IPMI driver info is a json field. It currently
-  holds the IPMI information required for Ironic to send the IPMI tool
-  command.
-  - *username*: BMC username required to be provided for Ironic.
-  - *password*: BMC password required to be provided for Ironic.
-  - *address*: BMC server IPMI LAN IP address.
-- *os*: Bare metal machine OS information is a json field. It
-  currently holds the image name to be provisioned, username and
-  password for the login.
-  - *image_name*: Images name should be in qcow2 format.
-  - *username*: Login username for the OS provisioned.
-  - *password*: Login password for the OS provisioned.
-- *net*: Bare metal network information is a json field.  It describes
-  the interfaces and networks used by ICN.  For more information,
-  refer to the *networkData* field of the BareMetalHost resource
-  definition.
-  - *links*: An array of interfaces.
-       - *id*: The ID of the interface.  This is used in the network
-      definitions to associate the interface with its network
-      configuration.
-    - *ethernet_mac_address*: The MAC address of the interface.
-       - *type*: The type of interface.  Valid values are "phy".
-  - *networks*: An array of networks.
-    - *id*: The ID of the network.
-    - *link*: The ID of the link this network definition applies to.
-    - *type*: The type of network, either dynamic ("ipv4_dhcp") or
-      static ("ipv4").
-    - *ip_address*: Only valid for type "ipv4"; the IP address of the
-      interface.
-    - *gateway*: Only valid for type "ipv4"; the gateway of this
-      network.
-    - *dns_nameservers*: Only valid for type "ipv4"; an array of DNS
-      servers.
-
 #### Creating the Settings Files
 
 ##### Local Controller Network Configuration Reference
@@ -300,80 +136,277 @@ The user will find the network configuration file named as
 ``` shell
 #!/bin/bash
 
-#Edge Location Provider Network configuration
-#Net A - Provider Network
-#If provider having specific Gateway and DNS server details in the edge location,
-#supply those values in nodes.json.
-
-#Ironic Metal3 settings for provisioning network
-#Interface to which Ironic provision network to be connected
-#Net B - Provisioning Network
+#Ironic Metal3 settings for provisioning network (Net B)
 export IRONIC_INTERFACE="eno2"
 
-#Ironic Metal3 setting for IPMI LAN Network
-#Interface to which Ironic IPMI LAN should bind
-#Net C - IPMI LAN Network
+#Ironic Metal3 setting for IPMI LAN Network (Net C)
 export IRONIC_IPMI_INTERFACE="eno1"
 ```
 
 #### Running
-After configuring the node inventory file and network configuration
-files, please run `make install` from the ICN parent directory as
-shown below:
+After configuring the network configuration file, please run `make
+jump_server` from the ICN parent directory as shown below:
 
 ``` shell
-root@pod11-jump:# git clone "https://gerrit.akraino.org/r/icn"
+root@jump0:# git clone "https://gerrit.akraino.org/r/icn"
 Cloning into 'icn'...
 remote: Counting objects: 69, done
 remote: Finding sources: 100% (69/69)
 remote: Total 4248 (delta 13), reused 4221 (delta 13)
 Receiving objects: 100% (4248/4248), 7.74 MiB | 21.84 MiB/s, done.
 Resolving deltas: 100% (1078/1078), done.
-root@pod11-jump:# cd icn/
-root@pod11-jump:# vim Makefile
-root@pod11-jump:# make install
+root@jump0:# cd icn/
+root@jump0:# make jump_server
 ```
 
-The following steps occurs once the `make install` command is given.
+The following steps occurs once the `make jump_server` command is
+given.
 1. All the software required to run the bootstrap cluster is
    downloaded and installed.
-2. k8s cluster to maintain the bootstrap cluster and all the servers
+2. K8s cluster to maintain the bootstrap cluster and all the servers
    in the edge location is installed.
 3. Metal3 specific network configuration such as local DHCP server
    networking for each edge location, Ironic networking for both
    provisioning network and IPMI LAN network are identified and
    created.
-4. Metal3 is launched with IPMI configuration as configured in
-   "user_config.sh" and provisions the bare metal servers using IPMI
-   LAN network. For more information refer to the [Debugging
-   Failures](#debugging-failures) section.
-5. Metal3 launch verification runs with a timeout of 60 mins by
-   checking the status of all the servers being provisioned or not.
-   1. All servers are provisioned in parallel. For example, if your
-      deployment is having 10 servers in the edge location, all the 10
-      servers are provisioned at the same time.
-   2. Metal3 launch verification takes care of checking all the
-      servers are provisioned, the network interfaces are up and
-      provisioned with a provider network gateway and DNS server.
-   3. Metal3 launch verification checks the status of all servers
-      given in user_config.sh to make sure all the servers are
-      provisioned. For example, if 8 servers are provisioned and 2
-      servers are not provisioned, launch verification makes sure all
-      servers are provisioned before launch k8s clusters on those
-      servers.
-6. BPA bare metal components are invoked with the MAC address of the
-   servers provisioned by Metal3, BPA bare metal components decide the
-   cluster size and also the number of clusters required in the edge
-   location.
-7. BPA bare metal runs the containerized Kuberenetes Reference
-   Deployment (KUD) as a job for each cluster. KUD installs the k8s
-   cluster on the slice of servers and install ONAP4K8S and all other
-   default plugins such as Multus, OVN, OVN4NFV, NFD, Virtlet and
-   SRIOV.
-8. BPA REST API agent installed in the bootstrap cluster or jump
-   server, and this install rest-api, rook/ceph, MinIO as the cloud
-   storage. This provides a way for user to upload their own software,
-   container images or OS image to jump server.
+4. The Cluster API controllers, bootstrap, and infrastructure
+   providers and configured and installed.
+5. The Flux controllers are installed.
+
+#### Creating a compute cluster
+A compute cluster is composed of installations of two types of Helm
+charts: machine and cluster. The specific installations of these Helm
+charts are defined in HelmRelease resources consumed by the Flux
+controllers in the jump server. The user is required to provide the
+machine and cluster specific values in the HelmRelease resources.
+
+##### Preconfiguration for the compute cluster in Jump Server
+The user is required to provide the IPMI information of the servers
+and the values of the compute cluster they connect to the Local
+Controller.
+
+If the baremetal network provides a DHCP server with gateway and DNS
+server information, and each server has identical hardware then a
+cluster template can be used. Otherwise these values must also be
+provided with the values for each server. Refer to the machine chart
+in icn/deploy/machine for more details. In the example below, no DHCP
+server is present in the baremetal network.
+
+`site.yaml`
+``` yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: metal3
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+    name: icn
+    namespace: metal3
+spec:
+    gitImplementation: go-git
+    interval: 1m0s
+    ref:
+        branch: master
+    timeout: 20s
+    url: https://gerrit.akraino.org/r/icn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-node1
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: node1
+        machineLabels:
+            machine: node1
+        bmcAddress: ipmi://10.10.110.11
+        bmcUsername: admin
+        bmcPassword: password
+        networks:
+            baremetal:
+                macAddress: 00:1e:67:fe:f4:19
+                type: ipv4
+                ipAddress: 10.10.110.21/24
+                gateway: 10.10.110.1
+                nameservers: ["8.8.8.8"]
+            provisioning:
+                macAddress: 00:1e:67:fe:f4:1a
+                type: ipv4_dhcp
+            sriov:
+                macAddress: 00:1e:67:f8:6a:41
+                type: ipv4
+                ipAddress: 10.10.113.3/24
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-node2
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: node2
+        machineLabels:
+            machine: node2
+        bmcAddress: ipmi://10.10.110.12
+        bmcUsername: admin
+        bmcPassword: password
+        networks:
+            baremetal:
+                macAddress: 00:1e:67:f1:5b:90
+                type: ipv4
+                ipAddress: 10.10.110.22/24
+                gateway: 10.10.110.1
+                nameservers: ["8.8.8.8"]
+            provisioning:
+                macAddress: 00:1e:67:f1:5b:91
+                type: ipv4_dhcp
+            sriov:
+                macAddress: 00:1e:67:f8:69:81
+                type: ipv4
+                ipAddress: 10.10.113.4/24
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: cluster-compute
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/cluster
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        clusterName: compute
+        controlPlaneEndpoint: 10.10.110.21
+        controlPlaneHostSelector:
+            matchLabels:
+                machine: node1
+        workersHostSelector:
+            matchLabels:
+                machine: node2
+        userData:
+            hashedPassword: $6$rounds=10000$PJLOBdyTv23pNp$9RpaAOcibbXUMvgJScKK2JRQioXW4XAVFMRKqgCB5jC4QmtAdbA70DU2jTcpAd6pRdEZIaWFjLCNQMBmiiL40.
+            sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrxu+fSrU51vgAO5zP5xWcTU8uLv4MkUZptE2m1BJE88JdQ80kz9DmUmq2AniMkVTy4pNeUW5PsmGJa+anN3MPM99CR9I37zRqy5i6rUDQgKjz8W12RauyeRMIBrbdy7AX1xasoTRnd6Ta47bP0egiFb+vUGnlTFhgfrbYfjbkJhVfVLCTgRw8Yj0NSK16YEyhYLbLXpix5udRpXSiFYIyAEWRCCsWJWljACr99P7EF82vCGI0UDGCCd/1upbUwZeTouD/FJBw9qppe6/1eaqRp7D36UYe3KzLpfHQNgm9AzwgYYZrD4tNN6QBMq/VUIuam0G1aLgG8IYRLs41HYkJ root@jump0
+        flux:
+            url: https://gerrit.akraino.org/r/icn
+            branch: master
+            path: ./deploy/site/cluster-e2etest
+```
+
+A brief overview of the values is below. Refer to the machine and
+cluster charts in deploy/machine and deploy/cluster respectively for
+more details.
+
+- *machineName*: This will be the hostname for the machine, once it is
+  provisioned by Metal3.
+- *bmcUsername*: BMC username required to be provided for Ironic.
+- *bmcPassword*: BMC password required to be provided for Ironic.
+- *bmcAddress*: BMC server IPMI LAN IP address.
+- *networks*: A dictionary of the networks used by ICN.  For more
+  information, refer to the *networkData* field of the BareMetalHost
+  resource definition.
+  - *macAddress*: The MAC address of the interface.
+  - *type*: The type of network, either dynamic ("ipv4_dhcp") or
+    static ("ipv4").
+  - *ipAddress*: Only valid for type "ipv4"; the IP address of the
+    interface.
+  - *gateway*: Only valid for type "ipv4"; the gateway of this
+    network.
+  - *nameservers*: Only valid for type "ipv4"; an array of DNS
+     servers.
+- *clusterName*: The name of the cluster.
+- *controlPlaneEndpoint*: The K8s control plane endpoint. This works
+  in cooperation with the *controlPlaneHostSelector* to ensure that it
+  addresses the control plane node.
+- *controlPlaneHostSelector*: A K8s match expression against labels on
+  the *BareMetalHost* machine resource (from the *machineLabels* value
+  of the machine Helm chart).  This will be used by Cluster API to
+  select machines for the control plane.
+- *workersHostSelector*: A K8s match expression selecting worker
+  machines.
+- *userData*: User data values to be provisioned into each machine in
+  the cluster.
+  - *hashedPassword*: The hashed password of the default user on each
+    machine.
+  - *sshAuthorizedKey*: An authorized public key of the *root* user on
+    each machine.
+- *flux*: An optional repository to continuously reconcile the created
+  K8s cluster against.
+
+#### Running
+After configuring the machine and cluster site values, the next steps
+are to encrypt the secrets contained in the file, commit the file to
+source control, and create the Flux resources on the jump server
+pointing to the committed files.
+
+1. Create a key protect the secrets in the values if one does not
+   already exist. The key created below will be named "site-secrets".
+
+``` shell
+root@jump0:# ./deploy/site/site.sh create-gpg-key site-secrets
+```
+
+2. Encrypt the secrets in the site values.
+
+``` shell
+root@jump0:# ./deploy/site/site.sh sops-encrypt-site site.yaml site-secrets
+```
+
+3. Commit the site.yaml and additional files (sops.pub.asc,
+   .sops.yaml) created by sops-encrypt-site to a Git repository. For
+   the purposes of the next step, site.yaml will be committed to a Git
+   repository hosted at URL, on the specified BRANCH, and at location
+   PATH inside the source tree.
+
+4. Create the Flux resources to deploy the resources described by the
+   repository in step 3. This creates a GitRepository resource
+   containing the URL and BRANCH to synchronize, a Secret resource
+   containing the private key used to decrypt the secrets in the site
+   values, and a Kustomization resource with the PATH to the site.yaml
+   file at the GitRepository.
+
+```shell
+root@jump0:# ./deploy/site/site.sh flux-create-site URL BRANCH PATH site-secrets
+```
+
+The progress of the deployment may be monitored in a number of ways:
+
+``` shell
+root@jump0:# kubectl -n metal3 get baremetalhost
+root@jump0:# kubectl -n metal3 get cluster compute
+root@jump0:# clusterctl -n metal3 describe cluster compute
+```
+
+When the control plane is ready, the kubeconfig can be obtained with
+clusterctl and used to access the compute cluster:
+
+``` shell
+root@jump0:# clusterctl -n metal3 get kubeconfig compute >compute-admin.conf
+root@jump0:# kubectl --kubeconfig=compute-admin.conf cluster-info
+```
 
 ## Virtual Deployment Guide
 
@@ -385,13 +418,13 @@ Vagrant to create VMs with PXE boot. No setting is required from the
 user to deploy the virtual deployment.
 
 ### Snapshot Deployment Overview
-No snapshot is implemented in ICN R2.
+No snapshot is implemented in ICN R6.
 
 ### Special Requirements for Virtual Deployment
 
 #### Install Jump Server
 Jump server is required to be installed with Ubuntu 18.04. This will
-install all the VMs and install the k8s clusters.
+install all the VMs and install the K8s clusters.
 
 #### Verifying the Setup - VMs
 To verify the virtual deployment, execute the following commands:
@@ -400,22 +433,20 @@ $ vagrant up --no-parallel
 $ vagrant ssh jump
 vagrant@jump:~$ sudo su
 root@jump:/home/vagrant# cd /icn
-root@jump:/icn# make verifier
+root@jump:/icn# make jump_server
+root@jump:/icn# make vm_cluster
 ```
 `vagrant up --no-parallel` creates three VMs: vm-jump, vm-machine-1,
-and vm-machine-2, each with 16GB RAM and 8 vCPUs. `make verifier`
-installs the ICN BPA operator and the ICN BPA REST API verifier into
-vm-jump, and then installs a k8s cluster on the vm-machine VMs using
-the ICN BPA operator. The BPA operator installs the multi-cluster KUD
-to bring up k8s with all addons and plugins.
+and vm-machine-2, each with 16GB RAM and 8 vCPUs. `make jump_server`
+installs the jump server components into vm-jump, and `make
+vm_cluster` installs a K8s cluster on the vm-machine VMs using Cluster
+API. The cluster is configured to use Flux to bring up the cluster
+with all addons and plugins.
 
 # Verifying the Setup
 ICN blueprint checks all the setup in both bare metal and VM
-deployment. Verify script will check that Metal3 provisioned the OS in
-each bare metal servers by checking with a timeout period of 60 sec
-and interval of 30. BPA operator verifier will check whether the KUD
-installation is complete by doing plain curl command to the k8s
-cluster installed in bare metal and VM setup.
+deployment. Verify script will first confirm that the cluster control
+plane is ready then run self tests of all addons and plugins.
 
 **Bare Metal Verifier**: Run the `make bm_verifer`, it will verify the
 bare-metal deployment.
@@ -425,8 +456,7 @@ deployment.
 
 # Developer Guide and Troubleshooting
 For development uses the virtual deployment, it take up to 10 mins to
-bring up the virtual BMC VMs with PXE boot.  Virtual deployment works
-well for the BPA operator development for Metal3 installation scripts.
+bring up the virtual BMC VMs with PXE boot.
 
 ## Utilization of Images
 No images provided in this ICN release.
@@ -455,7 +485,6 @@ No post-deployment configuration required in this ICN release.
 * It is not possible to change the state from provision to deprovision
   or deprovision to provision without completing that state. All the
   issues are handled in ICN scripts.
-* k8s cluster failure can be debugged by KUD Pod logs.
 
 ## Reporting a Bug
 Required Linux Foundation ID to launch bug in ICN:
@@ -472,16 +501,14 @@ The command `make clean_all` uninstalls all the components installed by
   container.
 * Network configuration such internal DHCP server, provisioning
   interfaces and IPMI LAN interfaces are deleted.
-* docker images built during the `make install` are deleted, such as
-  all Ironic, baremetal operator, BPA operator and KUD images.
-* KUD will reset the bootstrap cluster - k8s cluster is torn down in
+* It will reset the bootstrap cluster - K8s cluster is torn down in
   the jump server and all the associated docker images are removed.
-* All software packages installed by `make install_all` are removed,
+* All software packages installed by `make jump_server` are removed,
   such as Ironic, openstack utility tool, docker packages and basic
   prerequisite packages.
 
 ## Virtual deployment
-The command `make vm_clean_all` uninstalls all the components for the
+The command `vagrant destroy -f` uninstalls all the components for the
 virtual deployments.
 
 # Troubleshooting
index 82b72bc..377b215 100644 (file)
@@ -1,5 +1,8 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
+require 'ipaddr'
+require 'uri'
+require 'yaml'
 
 # IMPORTANT To bring up the machines, use the "--no-parallel" option
 # to vagrant up.  This is to workaround dependencies between the jump
 # machines will fail to come up until the baremetal network (created
 # by vagrant from the jump machine definition) is up.
 
-vars = {
-  :site => 'vm',
-  :baremetal_cidr => '192.168.151.0/24',
-  :num_machines => 2
-}
+site = ENV['ICN_SITE'] || 'vm'
+
+# Calculate the baremetal network address from the bmcAddress (aka
+# IPMI address) specified in the machine pool values.  IPMI in the
+# virtual environment is emulated by virtualbmc listening on the host.
+baremetal_cidr = nil
+Dir.glob("deploy/site/#{site}/*.yaml") do |file|
+  YAML.load_stream(File.read(file)) do |document|
+    values = document.fetch('spec', {}).fetch('values', {})
+    next if values['machineName'].nil? || values['bootMACAddress'].nil?
+    bmc_host = URI.parse(values['bmcAddress']).host
+    baremetal_cidr = "#{IPAddr.new(bmc_host).mask(24)}/24"
+  end
+end
+if baremetal_cidr.nil?
+  puts "Missing bmcAddress value in site definition, can't determine baremetal network address"
+  exit 1
+end
 
 $post_up_message = <<MSG
 ------------------------------------------------------
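Review bot: `ICN_SITE` and the site YAML are both consumed in this block without validation. `site` goes straight into the `Dir.glob` path here and into the `trigger.run` inline commands and libvirt network names in the later hunks (for example `@@ -65,14 +81,14 @@`), so a value containing `/`, `..` or shell metacharacters changes which files are read and, presumably, the command line Vagrant runs on the host; a check such as `abort "invalid ICN_SITE: #{site}" unless site =~ /\A[A-Za-z0-9_-]+\z/` right after the assignment would pin it to a plain directory name. The guard tests `machineName` and `bootMACAddress`, but the next line dereferences `bmcAddress`, so a document missing that key fails inside `URI.parse` instead of reaching the "Missing bmcAddress" message; adding `next if values['bmcAddress'].nil?` would make the guard match the error text. As far as I know `YAML.load_stream` does not apply the class restrictions of `YAML.safe_load`, which deserves a comment here given that site files are user-supplied.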
@@ -48,7 +64,7 @@ Vagrant.configure("2") do |config|
     m.vm.synced_folder '.', '/icn'
     m.vm.provider :libvirt do |libvirt|
       libvirt.graphics_ip = '0.0.0.0'
-      libvirt.default_prefix = "#{vars[:site]}-"
+      libvirt.default_prefix = "#{site}-"
       libvirt.cpu_mode = 'host-passthrough'
       libvirt.cpus = 8
       libvirt.memory = 24576
@@ -56,8 +72,8 @@ Vagrant.configure("2") do |config|
 
       # The ICN baremetal network is the vagrant management network,
       # and is created by vagrant for us
-      libvirt.management_network_name = "#{vars[:site]}-baremetal"
-      libvirt.management_network_address = vars[:baremetal_cidr]
+      libvirt.management_network_name = "#{site}-baremetal"
+      libvirt.management_network_address = baremetal_cidr
       libvirt.management_network_autostart = true
     end
 
@@ -65,14 +81,14 @@ Vagrant.configure("2") do |config|
     # created upon bringing up the jump machine
     m.trigger.before [:up] do |trigger|
       trigger.name = 'Creating provisioning network'
-      trigger.run = {inline: "./tools/vagrant/create_provisioning_network.sh #{vars[:site]}"}
+      trigger.run = {inline: "./tools/vagrant/create_provisioning_network.sh #{site}"}
     end
     m.trigger.after [:destroy] do |trigger|
       trigger.name = 'Destroying provisioning network'
-      trigger.run = {inline: "./tools/vagrant/destroy_provisioning_network.sh #{vars[:site]}"}
+      trigger.run = {inline: "./tools/vagrant/destroy_provisioning_network.sh #{site}"}
     end
     m.vm.network :private_network,
-                 :libvirt__network_name => "#{vars[:site]}-provisioning",
+                 :libvirt__network_name => "#{site}-provisioning",
                  :type => 'dhcp'
 
     # IPMI control of machines is provided by vbmc on the host
@@ -96,61 +112,65 @@ Vagrant.configure("2") do |config|
     m.vm.post_up_message = $post_up_message
   end
 
-  # The machine pool used by cluster creation
-  (1..vars[:num_machines]).each do |i|
-    config.vm.define "machine-#{i}" do |m|
-      m.vm.hostname = "machine-#{i}"
-      m.vm.provider :libvirt do |libvirt|
-        libvirt.graphics_ip = '0.0.0.0'
-        libvirt.default_prefix = "#{vars[:site]}-"
-        libvirt.cpu_mode = 'host-passthrough'
-        libvirt.cpus = 8
-        libvirt.memory = 16384
-        libvirt.nested = true
-        # The image will be provisioned by ICN so just create an empty
-        # disk for the machine
-        libvirt.storage :file, :size => 50, :type => 'raw', :cache => 'none'
-        # Management attach is false so that vagrant will not interfere
-        # with these machines: the jump server will manage them
-        # completely
-        libvirt.mgmt_attach = false
-      end
-      # The provisioning network must be listed first for PXE boot to
-      # the metal3/ironic provided image
-      m.vm.network :private_network,
-                   :libvirt__network_name => "#{vars[:site]}-provisioning",
-                   :type => 'dhcp'
-      m.vm.network :private_network,
-                   :libvirt__network_name => "#{vars[:site]}-baremetal",
-                   :type => 'dhcp'
-
-      # IPMI control
-      m.trigger.after [:up] do |trigger|
-        trigger.name = 'Adding machine to IPMI network'
-        trigger.run = {inline: "./tools/vagrant/add_machine_to_vbmc.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
-      m.trigger.after [:destroy] do |trigger|
-        trigger.name = 'Removing machine from IPMI network'
-        trigger.run = {inline: "./tools/vagrant/remove_machine_from_vbmc.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
+  # Look for any HelmReleases in the site directory with machineName in
+  # the values dictionary.  This will provide the values needed to
+  # create the machine pool.
+  legacy_machine_args = ""
+  Dir.glob("deploy/site/#{site}/*.yaml") do |file|
+    YAML.load_stream(File.read(file)) do |document|
+      values = document.fetch('spec', {}).fetch('values', {})
+      next if values['machineName'].nil? || values['bootMACAddress'].nil?
+      machine_name = values['machineName']
+      boot_mac_address = values['bootMACAddress']
+      bmc_port = URI.parse(values['bmcAddress']).port
+      config.vm.define machine_name do |m|
+        m.vm.hostname = machine_name
+        m.vm.provider :libvirt do |libvirt|
+          libvirt.graphics_ip = '0.0.0.0'
+          libvirt.default_prefix = "#{site}-"
+          libvirt.cpu_mode = 'host-passthrough'
+          libvirt.cpus = 8
+          libvirt.memory = 16384
+          libvirt.nested = true
+          # The image will be provisioned by ICN so just create an empty
+          # disk for the machine
+          libvirt.storage :file, :size => 50, :type => 'raw', :cache => 'none'
+          # Management attach is false so that vagrant will not interfere
+          # with these machines: the jump server will manage them
+          # completely
+          libvirt.mgmt_attach = false
+        end
+        # The provisioning network must be listed first for PXE boot to
+        # the metal3/ironic provided image
+        m.vm.network :private_network,
+                     :libvirt__network_name => "#{site}-provisioning",
+                     :mac => boot_mac_address,
+                     :type => 'dhcp'
+        m.vm.network :private_network,
+                     :libvirt__network_name => "#{site}-baremetal",
+                     :type => 'dhcp'
+
+        # IPMI control
+        m.trigger.after [:up] do |trigger|
+          trigger.name = 'Adding machine to IPMI network'
+          trigger.run = {inline: "./tools/vagrant/add_machine_to_vbmc.sh #{site} #{machine_name} #{bmc_port}"}
+        end
+        m.trigger.after [:destroy] do |trigger|
+          trigger.name = 'Removing machine from IPMI network'
+          trigger.run = {inline: "./tools/vagrant/remove_machine_from_vbmc.sh #{site} #{machine_name} #{bmc_port}"}
+        end
 
-      # Create configuration for ICN provisioning
-      m.trigger.after [:up] do |trigger|
-        if i == vars[:num_machines] then
+        # Create configuration for ICN provisioning
+        legacy_machine_args = "#{legacy_machine_args} #{machine_name} #{bmc_port}"
+        m.trigger.after [:up] do |trigger|
           trigger.info = 'Creating nodes.json.sample describing the machines'
-          trigger.run = {inline: "./tools/vagrant/create_nodes_json_sample.sh #{vars[:num_machines]} #{vars[:site]} machine-"}
+          trigger.run = {inline: "./tools/vagrant/create_nodes_json_sample.sh #{site} #{legacy_machine_args}"}
         end
-      end
-      m.trigger.after [:up] do |trigger|
-        if i == vars[:num_machines] then
+        m.trigger.after [:up] do |trigger|
           trigger.info = 'Creating Provisioning resource describing the cluster'
-          trigger.run = {inline: "./tools/vagrant/create_provisioning_cr.sh #{vars[:num_machines]} #{vars[:site]} machine-"}
+          trigger.run = {inline: "./tools/vagrant/create_provisioning_cr.sh #{site} #{legacy_machine_args}"}
         end
       end
-      m.trigger.after [:up] do |trigger|
-        trigger.name = 'Creating machine resource'
-        trigger.run = {inline: "./tools/vagrant/create_machine_resource.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
     end
   end
 end
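Review bot: `machine_name` and `bmc_port` are read from the site YAML and interpolated unquoted into the `trigger.run` inline shell commands (the add/remove vbmc triggers and the two `legacy_machine_args` triggers), so a value containing whitespace or shell metacharacters changes the command that runs on the host. `URI.parse(values['bmcAddress']).port` is also unchecked: it raises when `bmcAddress` is absent and returns nil when the URI carries no port, which leaves an empty argument and shifts the name/port pairs accumulated in `legacy_machine_args`. I would guard with `next if values['bmcAddress'].nil?` and fail on a nil port, and escape what is interpolated, e.g. `#{Shellwords.escape(machine_name)}` after `require 'shellwords'`. The enclosing `Vagrant.configure` block starts outside this hunk.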
diff --git a/deploy/flux/flux.sh b/deploy/flux/flux.sh
new file mode 100755 (executable)
index 0000000..cf1ec8f
--- /dev/null
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eux -o pipefail
+
+SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
+LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
+
+source $LIBDIR/logging.sh
+source $LIBDIR/common.sh
+
+function deploy {
+    flux install
+}
+
+function clean {
+    flux uninstall
+}
+
+case $1 in
+    "clean") clean ;;
+    "deploy") deploy ;;
+    *) cat <<EOF
+Usage: $(basename $0) COMMAND
+
+Commands:
+  clean         - Uninstall Flux
+  deploy        - Install Flux
+EOF
+       ;;
+esac
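Review bot: The usage text in the `*)` branch is unreachable when the script is run without an argument, because `set -u` makes the bare `case $1 in` abort with an unbound-variable error first; `case ${1:-} in` keeps the fallback working. The same dispatch is repeated in deploy/site/pod11/pod11.sh and deploy/site/site.sh, where the unquoted `$2` to `$5` forwards abort the same way when an operand is missing. The fallback branch also ends with status 0, so a mistyped command passed from the Makefile looks like success; an `exit 1` after the heredoc makes it fail. The nested `$(dirname ${BASH_SOURCE[0]})` substitutions are unquoted and break on a checkout path that contains spaces.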
index b3995a8..5780858 100755 (executable)
@@ -86,8 +86,8 @@ function configure_nodes {
     fi
 
     #make sure nodes.json file in /opt/ironic/ are configured
-    if [ ! -f $IRONIC_DATA_DIR/nodes.json ]; then
-        cp ${SCRIPTDIR}/nodes.json.sample $IRONIC_DATA_DIR/nodes.json
+    if [ ! -f $NODES_FILE ]; then
+        cp ${SCRIPTDIR}/nodes.json.sample $NODES_FILE
     fi
 }
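Review bot: `$NODES_FILE` is unquoted in `[ ! -f $NODES_FILE ]`, and if the variable is ever empty the test collapses to `[ ! -f ]`, which is false, so the sample is silently never copied; `[ ! -f "$NODES_FILE" ]` and `cp "${SCRIPTDIR}/nodes.json.sample" "$NODES_FILE"` avoid that. The next hunk, in clean_all, has the same unquoted test and keeps `rm -rf` on what is expected to be one regular file; `rm -f "$NODES_FILE"` is enough and cannot recurse into a directory if the variable is mis-set. Where NODES_FILE is defined is not visible in these hunks, and configure_nodes starts outside this one.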
 
@@ -106,8 +106,8 @@ function clean_bm_hosts {
 
 function clean_all {
     list_nodes | clean_bm_hosts
-    if [ -f $IRONIC_DATA_DIR/nodes.json ]; then
-        rm -rf $IRONIC_DATA_DIR/nodes.json
+    if [ -f $NODES_FILE ]; then
+        rm -rf $NODES_FILE
     fi
 }
 
diff --git a/deploy/site/common.sh b/deploy/site/common.sh
new file mode 100644 (file)
index 0000000..b20bae5
--- /dev/null
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+function _gpg_key_fp {
+    gpg --with-colons --list-secret-keys $1 | awk -F: '/fpr/ {print $10;exit}'
+}
+
+function create_gpg_key {
+    local -r key_name=$1
+
+    # Create an rsa4096 key that does not expire
+    gpg --batch --full-generate-key <<EOF
+%no-protection
+Key-Type: 1
+Key-Length: 4096
+Subkey-Type: 1
+Subkey-Length: 4096
+Expire-Date: 0
+Name-Real: ${key_name}
+EOF
+}
+
+function export_gpg_private_key {
+    gpg --export-secret-keys --armor "$(_gpg_key_fp $1)"
+}
+
+function sops_encrypt_site {
+    local -r site_yaml=$1
+    local -r key_name=$2
+
+    local -r site_dir=$(dirname ${site_yaml})
+    local -r key_fp=$(_gpg_key_fp ${key_name})
+
+    # Commit the public key to the repository so that team members who
+    # clone the repo can encrypt new files
+    echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"
+    gpg --export --armor "${key_fp}" >${site_dir}/sops.pub.asc
+
+    # Add .sops.yaml so users won't have to worry about specifying the
+    # proper key for the target cluster or namespace
+    echo "Creating ${site_dir}/.sops.yaml SOPS configuration file"
+    cat <<EOF > ${site_dir}/.sops.yaml
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    pgp: ${key_fp}
+EOF
+
+    sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+}
+
+function sops_decrypt_site {
+    local -r site_yaml=$1
+
+    local -r site_dir=$(dirname ${site_yaml})
+    sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+}
+
+function flux_create_site {
+    local -r url=$1
+    local -r branch=$2
+    local -r path=$3
+    local -r key_name=$4
+
+    local -r source_name="$(basename ${url})-${branch}"
+    local -r kustomization_name="${source_name}-site-$(basename ${path})"
+    local -r key_fp=$(gpg --with-colons --list-secret-keys ${key_name} | awk -F: '/fpr/ {print $10;exit}')
+    local -r secret_name="${key_name}-sops-gpg"
+
+    flux create source git ${source_name} --url=${url} --branch=${branch}
+    gpg --export-secret-keys --armor "$(_gpg_key_fp ${key_name})" |
+       kubectl -n flux-system create secret generic ${secret_name} --from-file=sops.asc=/dev/stdin --dry-run=client -o yaml |
+       kubectl apply -f -
+    flux create kustomization ${kustomization_name} --path=${path} --source=GitRepository/${source_name} --prune=true \
+        --decryption-provider=sops --decryption-secret=${secret_name}
+}
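Review bot: `local -r key_fp=$(_gpg_key_fp ${key_name})` in sops_encrypt_site hides a failed key lookup, because the exit status of `local` replaces that of the command substitution and `set -e` never sees it; with an unknown KEY_NAME the function goes on to call `gpg --export` with an empty selector and to write `.sops.yaml` with an empty `pgp:` value. Declaring and assigning separately, `local key_fp; key_fp=$(_gpg_key_fp "${key_name}")`, followed by `[[ -n ${key_fp} ]] || return 1`, stops before anything is written. flux_create_site and export_gpg_private_key pass `"$(_gpg_key_fp …)"` straight to `gpg --export-secret-keys`, where an empty result is just as unchecked, and flux_create_site's own `key_fp` local is computed but never used.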
diff --git a/deploy/site/pod11/.sops.yaml b/deploy/site/pod11/.sops.yaml
new file mode 100644 (file)
index 0000000..60dfb57
--- /dev/null
@@ -0,0 +1,4 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    pgp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
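Review bot: `path_regex: .*.yaml` leaves the dot before `yaml` unescaped and the pattern unanchored, so it matches any path that has `yaml` anywhere after its first character; `path_regex: .*\.yaml$` states the intent. `encrypted_regex` is an allow-list of two key names, so any other sensitive value added to a site file later is committed in clear unless the list is extended; a comment above the rule saying so would help. The same four lines are added as deploy/site/vm/.sops.yaml and are generated by the heredoc in sops_encrypt_site.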
diff --git a/deploy/site/pod11/pod11.sh b/deploy/site/pod11/pod11.sh
new file mode 100755 (executable)
index 0000000..c26b239
--- /dev/null
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+set -eux -o pipefail
+
+SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
+LIBDIR="$(dirname $(dirname $(dirname ${SCRIPTDIR})))/env/lib"
+
+source $LIBDIR/common.sh
+source $SCRIPTDIR/../common.sh
+
+BUILDDIR=${SCRIPTDIR/deploy/build}
+mkdir -p ${BUILDDIR}
+
+FLUX_SOPS_KEY_NAME=${FLUX_SOPS_KEY_NAME:-"icn-site-vm"} # TODO Replace ICN test key with real key
+
+function build_source {
+    sops_encrypt_site ${SCRIPTDIR}/site.yaml ${FLUX_SOPS_KEY_NAME}
+}
+
+function deploy {
+    flux_create_site https://gerrit.akraino.org/r/icn master deploy/site/pod11 ${FLUX_SOPS_KEY_NAME}
+}
+
+function clean {
+    kubectl -n flux-system delete kustomization icn-master-site-pod11
+}
+
+function is_cluster_ready {
+    [[ $(kubectl -n metal3 get cluster e2etest -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') == "True" ]]
+}
+
+function is_control_plane_ready {
+    # Checking the Cluster resource status is not sufficient, it
+    # reports the control plane as ready before the nodes forming the
+    # control plane are ready
+    local -r replicas=$(kubectl -n metal3 get kubeadmcontrolplane e2etest -o jsonpath='{.spec.replicas}')
+    [[ $(kubectl --kubeconfig=${BUILDDIR}/e2etest-admin.conf get nodes -l node-role.kubernetes.io/control-plane -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}' | grep -c True) == ${replicas} ]]
+}
+
+function insert_control_plane_network_identity_into_ssh_config {
+    # This enables logging into the control plane machines from this
+    # machine without specifying the identify file on the command line
+
+    # Create ssh config if it doesn't exist
+    mkdir -p ${HOME}/.ssh && chmod 700 ${HOME}/.ssh
+    touch ${HOME}/.ssh/config
+    chmod 600 ${HOME}/.ssh/config
+    # Add the entry for the control plane network, host value in ssh
+    # config is a wildcard
+    endpoint=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlaneEndpoint:/ {print $2}')
+    prefix=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlanePrefix:/ {print $2}')
+    host=$(ipcalc ${endpoint}/${prefix} | awk '/Network:/ {sub(/\.0.*/,".*"); print $2}')
+    if [[ $(grep -c "Host ${host}" ${HOME}/.ssh/config) != 0 ]]; then
+       sed -i -e '/Host '"${host}"'/,+1 d' ${HOME}/.ssh/config
+    fi
+    cat <<EOF >>${HOME}/.ssh/config
+Host ${host}
+  IdentityFile ${SCRIPTDIR}/id_rsa
+EOF
+}
+
+function wait_for_all_ready {
+    WAIT_FOR_INTERVAL=60s
+    WAIT_FOR_TRIES=30
+    wait_for is_cluster_ready
+    clusterctl -n metal3 get kubeconfig e2etest >${BUILDDIR}/e2etest-admin.conf
+    chmod 600 ${BUILDDIR}/e2etest-admin.conf
+    wait_for is_control_plane_ready
+    insert_control_plane_network_identity_into_ssh_config
+}
+
+case $1 in
+    "build-source") build_source ;;
+    "clean") clean ;;
+    "deploy") deploy ;;
+    "wait") wait_for_all_ready ;;
+    *) cat <<EOF
+Usage: $(basename $0) COMMAND
+
+Commands:
+  build-source  - Rebuild the in-tree site files
+  clean         - Remove the site
+  deploy        - Deploy the site
+  wait          - Wait for the site to be ready
+EOF
+       ;;
+esac
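Review bot: In wait_for_all_ready the cluster-admin kubeconfig is created by the `>` redirection under the default umask and only restricted by the `chmod 600` on the following line, so it can be readable by other local users for a moment, and it stays that way if `clusterctl` fails and `set -e` stops the script in between. Creating it under a tight umask closes the gap: `(umask 077; clusterctl -n metal3 get kubeconfig e2etest >"${BUILDDIR}/e2etest-admin.conf")`. Separately, the ssh config entry points `IdentityFile` at `${SCRIPTDIR}/id_rsa`, but the commit's file list adds no id_rsa under deploy/site/pod11, so that path may not exist for this site.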
diff --git a/deploy/site/pod11/site.yaml b/deploy/site/pod11/site.yaml
new file mode 100644 (file)
index 0000000..9c66316
--- /dev/null
@@ -0,0 +1,287 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: metal3
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:34Z"
+    mac: ENC[AES256_GCM,data:lIvQYYlC4p/P/j51lN/oE8Fq+XfXpuTZesKjUi7pGCUI3Utdup4kEiPpr5rsidNBifnTpT6gFyl0CUVF3eNK7/brltv0jkfzfv0CO+y+Soa3Wu1ZvObtShGf8azbb77PEHC1qiLmCaCYQJmCgW7wkNfu5AHy+wndt85V4+oSE0g=,iv:ybmH8hIPs7RGxJJE1Jaj3FRCqv+Vlw/JUun2zSKb8tc=,tag:LibpQ6wjIJzPciVCgEvOjQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:33Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ/+Jti8jqeEXHxNf7iMUFOndkJHJ5NKZ41FKZcanDw660YX
+            iRvFsp6G6XIIDUl8iJ9O+uMvwczT9Ho/+c3zCA7NjqBfgh8/T6DfYzg9iq29PEq8
+            koJda8q/DHwzYhC1+ijRqJ34jLCh/uAnBqCmYWNYYTO1GL5rK13PmZRtG67+3MJW
+            dmuH2eSGnSk/ZfnqxYusBEVIvpvedlD5rx960qIId0WhTTmu+uGM/aKopk/blqfY
+            fh3bPmoHNYjHvaMp5MMe0CJmXO1/XaVNnOnE8RZxd+BQkVgQyVONuP78o982msLy
+            uWF8khvBH9lbB6Mc0TPLf7ZL3e7HooyWl+r0sbbKbY3PZLNeXCFk3EW+XarN8QAp
+            qO4VWeoNtjexWN+jyim5Ld9n4aPxC9PJM/SOEETtFME11TrIEBwHsuQtE8oi6bwc
+            oI551fLC58q/yneNbFOtS34L4pwxVl7PLCP6wyKFyZY6pzE2OEvx/+p4bp3cKVpX
+            wSfKbRZXygaH/Zk+ocnUtBFoVhQ7dTkDr42yHkn/bwHvA+Jjn6vI5I5PqNNGRwkl
+            HyXXtz1UnQh+9M6jKjSqPHK5WeoxCochMttdjTxnnBHuFOUTZ16zMfVVJLLf2+ci
+            uXgKZFv/9xdFiWf1YwLsCiEC5iP0wE00ZShuyc/Yw6RjkVNbElVE5qlvaXOjVEnS
+            XAH24JbApCrv+zHw5HJ6Oi+VHjCa7kiaeGAyWEw4Udvn+gy0sKq7Zo9HbiXj+fA8
+            TR2PDX4lJKuE9lmQ2EeRNG6z7m6vVGmMiXYcq7/oBsxc2VUHfr42qE/nBMZI
+            =pjhf
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+    name: icn
+    namespace: metal3
+spec:
+    gitImplementation: go-git
+    interval: 1m0s
+    ref:
+        branch: master
+    timeout: 20s
+    url: https://gerrit.akraino.org/r/icn
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:34Z"
+    mac: ENC[AES256_GCM,data:lIvQYYlC4p/P/j51lN/oE8Fq+XfXpuTZesKjUi7pGCUI3Utdup4kEiPpr5rsidNBifnTpT6gFyl0CUVF3eNK7/brltv0jkfzfv0CO+y+Soa3Wu1ZvObtShGf8azbb77PEHC1qiLmCaCYQJmCgW7wkNfu5AHy+wndt85V4+oSE0g=,iv:ybmH8hIPs7RGxJJE1Jaj3FRCqv+Vlw/JUun2zSKb8tc=,tag:LibpQ6wjIJzPciVCgEvOjQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:33Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ/+Jti8jqeEXHxNf7iMUFOndkJHJ5NKZ41FKZcanDw660YX
+            iRvFsp6G6XIIDUl8iJ9O+uMvwczT9Ho/+c3zCA7NjqBfgh8/T6DfYzg9iq29PEq8
+            koJda8q/DHwzYhC1+ijRqJ34jLCh/uAnBqCmYWNYYTO1GL5rK13PmZRtG67+3MJW
+            dmuH2eSGnSk/ZfnqxYusBEVIvpvedlD5rx960qIId0WhTTmu+uGM/aKopk/blqfY
+            fh3bPmoHNYjHvaMp5MMe0CJmXO1/XaVNnOnE8RZxd+BQkVgQyVONuP78o982msLy
+            uWF8khvBH9lbB6Mc0TPLf7ZL3e7HooyWl+r0sbbKbY3PZLNeXCFk3EW+XarN8QAp
+            qO4VWeoNtjexWN+jyim5Ld9n4aPxC9PJM/SOEETtFME11TrIEBwHsuQtE8oi6bwc
+            oI551fLC58q/yneNbFOtS34L4pwxVl7PLCP6wyKFyZY6pzE2OEvx/+p4bp3cKVpX
+            wSfKbRZXygaH/Zk+ocnUtBFoVhQ7dTkDr42yHkn/bwHvA+Jjn6vI5I5PqNNGRwkl
+            HyXXtz1UnQh+9M6jKjSqPHK5WeoxCochMttdjTxnnBHuFOUTZ16zMfVVJLLf2+ci
+            uXgKZFv/9xdFiWf1YwLsCiEC5iP0wE00ZShuyc/Yw6RjkVNbElVE5qlvaXOjVEnS
+            XAH24JbApCrv+zHw5HJ6Oi+VHjCa7kiaeGAyWEw4Udvn+gy0sKq7Zo9HbiXj+fA8
+            TR2PDX4lJKuE9lmQ2EeRNG6z7m6vVGmMiXYcq7/oBsxc2VUHfr42qE/nBMZI
+            =pjhf
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: pod11-node2
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: pod11-node2
+        machineLabels:
+            machine: pod11-node2
+        bmcAddress: ipmi://10.10.110.12
+        bmcUsername: root
+        bmcPassword: ENC[AES256_GCM,data:ZDFi9g==,iv:x8FS6/29Sirdn2V3CSEBZkSmq8GYxFp0aU0F/vub/4M=,tag:/b7M6/p+6IiTBs3Dlgz53Q==,type:str]
+        networks:
+            baremetal:
+                macAddress: 00:1e:67:fe:f4:19
+                type: ipv4
+                ipAddress: 10.10.110.22/24
+                gateway: 10.10.110.1
+                nameservers:
+                    - 8.8.8.8
+            provisioning:
+                macAddress: 00:1e:67:fe:f4:1a
+                type: ipv4_dhcp
+            private:
+                macAddress: 00:1e:67:f8:6a:40
+                type: ipv4
+                ipAddress: 10.10.112.3/24
+            storage:
+                macAddress: 00:1e:67:f8:6a:41
+                type: ipv4
+                ipAddress: 10.10.113.3/24
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:34Z"
+    mac: ENC[AES256_GCM,data:lIvQYYlC4p/P/j51lN/oE8Fq+XfXpuTZesKjUi7pGCUI3Utdup4kEiPpr5rsidNBifnTpT6gFyl0CUVF3eNK7/brltv0jkfzfv0CO+y+Soa3Wu1ZvObtShGf8azbb77PEHC1qiLmCaCYQJmCgW7wkNfu5AHy+wndt85V4+oSE0g=,iv:ybmH8hIPs7RGxJJE1Jaj3FRCqv+Vlw/JUun2zSKb8tc=,tag:LibpQ6wjIJzPciVCgEvOjQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:33Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ/+Jti8jqeEXHxNf7iMUFOndkJHJ5NKZ41FKZcanDw660YX
+            iRvFsp6G6XIIDUl8iJ9O+uMvwczT9Ho/+c3zCA7NjqBfgh8/T6DfYzg9iq29PEq8
+            koJda8q/DHwzYhC1+ijRqJ34jLCh/uAnBqCmYWNYYTO1GL5rK13PmZRtG67+3MJW
+            dmuH2eSGnSk/ZfnqxYusBEVIvpvedlD5rx960qIId0WhTTmu+uGM/aKopk/blqfY
+            fh3bPmoHNYjHvaMp5MMe0CJmXO1/XaVNnOnE8RZxd+BQkVgQyVONuP78o982msLy
+            uWF8khvBH9lbB6Mc0TPLf7ZL3e7HooyWl+r0sbbKbY3PZLNeXCFk3EW+XarN8QAp
+            qO4VWeoNtjexWN+jyim5Ld9n4aPxC9PJM/SOEETtFME11TrIEBwHsuQtE8oi6bwc
+            oI551fLC58q/yneNbFOtS34L4pwxVl7PLCP6wyKFyZY6pzE2OEvx/+p4bp3cKVpX
+            wSfKbRZXygaH/Zk+ocnUtBFoVhQ7dTkDr42yHkn/bwHvA+Jjn6vI5I5PqNNGRwkl
+            HyXXtz1UnQh+9M6jKjSqPHK5WeoxCochMttdjTxnnBHuFOUTZ16zMfVVJLLf2+ci
+            uXgKZFv/9xdFiWf1YwLsCiEC5iP0wE00ZShuyc/Yw6RjkVNbElVE5qlvaXOjVEnS
+            XAH24JbApCrv+zHw5HJ6Oi+VHjCa7kiaeGAyWEw4Udvn+gy0sKq7Zo9HbiXj+fA8
+            TR2PDX4lJKuE9lmQ2EeRNG6z7m6vVGmMiXYcq7/oBsxc2VUHfr42qE/nBMZI
+            =pjhf
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: pod11-node3
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: pod11-node3
+        machineLabels:
+            machine: pod11-node3
+        bmcAddress: ipmi://10.10.110.13
+        bmcUsername: root
+        bmcPassword: ENC[AES256_GCM,data:SJBJHg==,iv:rIAANlqDFSlzCv4O9tWVfwhZ8dwhgI8QfrssEQJ3dd4=,tag:zDWJUzROdbGzTh0jxdq7uQ==,type:str]
+        networks:
+            baremetal:
+                macAddress: 00:1e:67:f1:5b:90
+                type: ipv4
+                ipAddress: 10.10.110.23/24
+                gateway: 10.10.110.1
+                nameservers:
+                    - 8.8.8.8
+            provisioning:
+                macAddress: 00:1e:67:f1:5b:91
+                type: ipv4_dhcp
+            private:
+                macAddress: 00:1e:67:f8:69:80
+                type: ipv4
+                ipAddress: 10.10.112.4/24
+            storage:
+                macAddress: 00:1e:67:f8:69:81
+                type: ipv4
+                ipAddress: 10.10.113.4/24
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:34Z"
+    mac: ENC[AES256_GCM,data:lIvQYYlC4p/P/j51lN/oE8Fq+XfXpuTZesKjUi7pGCUI3Utdup4kEiPpr5rsidNBifnTpT6gFyl0CUVF3eNK7/brltv0jkfzfv0CO+y+Soa3Wu1ZvObtShGf8azbb77PEHC1qiLmCaCYQJmCgW7wkNfu5AHy+wndt85V4+oSE0g=,iv:ybmH8hIPs7RGxJJE1Jaj3FRCqv+Vlw/JUun2zSKb8tc=,tag:LibpQ6wjIJzPciVCgEvOjQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:33Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ/+Jti8jqeEXHxNf7iMUFOndkJHJ5NKZ41FKZcanDw660YX
+            iRvFsp6G6XIIDUl8iJ9O+uMvwczT9Ho/+c3zCA7NjqBfgh8/T6DfYzg9iq29PEq8
+            koJda8q/DHwzYhC1+ijRqJ34jLCh/uAnBqCmYWNYYTO1GL5rK13PmZRtG67+3MJW
+            dmuH2eSGnSk/ZfnqxYusBEVIvpvedlD5rx960qIId0WhTTmu+uGM/aKopk/blqfY
+            fh3bPmoHNYjHvaMp5MMe0CJmXO1/XaVNnOnE8RZxd+BQkVgQyVONuP78o982msLy
+            uWF8khvBH9lbB6Mc0TPLf7ZL3e7HooyWl+r0sbbKbY3PZLNeXCFk3EW+XarN8QAp
+            qO4VWeoNtjexWN+jyim5Ld9n4aPxC9PJM/SOEETtFME11TrIEBwHsuQtE8oi6bwc
+            oI551fLC58q/yneNbFOtS34L4pwxVl7PLCP6wyKFyZY6pzE2OEvx/+p4bp3cKVpX
+            wSfKbRZXygaH/Zk+ocnUtBFoVhQ7dTkDr42yHkn/bwHvA+Jjn6vI5I5PqNNGRwkl
+            HyXXtz1UnQh+9M6jKjSqPHK5WeoxCochMttdjTxnnBHuFOUTZ16zMfVVJLLf2+ci
+            uXgKZFv/9xdFiWf1YwLsCiEC5iP0wE00ZShuyc/Yw6RjkVNbElVE5qlvaXOjVEnS
+            XAH24JbApCrv+zHw5HJ6Oi+VHjCa7kiaeGAyWEw4Udvn+gy0sKq7Zo9HbiXj+fA8
+            TR2PDX4lJKuE9lmQ2EeRNG6z7m6vVGmMiXYcq7/oBsxc2VUHfr42qE/nBMZI
+            =pjhf
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: cluster-e2etest
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/cluster
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        clusterName: e2etest
+        clusterLabels:
+            site: pod11
+        controlPlaneEndpoint: 10.10.110.23
+        controlPlaneHostSelector:
+            matchLabels:
+                machine: pod11-node3
+        workersHostSelector:
+            matchLabels:
+                machine: pod11-node2
+        userData:
+            hashedPassword: ENC[AES256_GCM,data:ZAVj+UjrqMAuufUEUshhCj+oQ14SrCqj6rMtF2AShJlRzg3kYv/91Mi4fcz0XTgTcERAcJbiey4aWD2GMmTx+r6v68p/6AOwyXhp+WqXyojTlO9+fOvGczkshgHc2Mqrpk99yt5v9gcpcIxDsDrZqA==,iv:Trb4zqR88fgm/9PYom1myBQbBOIOh6N9vDKCwLgdOIw=,tag:DEXyt3gojpgnUYAV7VnqUg==,type:str]
+            sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwLj/ekRDjp354W8kcGLagjudjTBZO8qBffJ4mNb01EJueUbLvM8EwCv2zu9lFKHD+nGkc1fkB3RyCn5OqzQDTAIpp82nOHXtrbKAZPg2ob8BlfVAz34h5r1bG78lnMH1xk7HKNbf73h9yzUEKiyrd8DlhJcJrsOZTPuTdRrIm7jxScDJpHFjy8tGISNMcnBGrNS9ukaRLK+PiEfDpuRtw/gOEf58NXgu38BcNm4tYfacHYuZFUbNCqj9gKi3btZawgybICcqrNqF36E/XXMfCS1qxZ7j9xfKjxWFgD9gW/HkRtV6K11NZFEvaYBFBA9S/GhLtk9aY+EsztABthE0J root@pod11-node5
+        flux:
+            url: https://gerrit.akraino.org/r/icn
+            branch: master
+            path: ./deploy/site/cluster-e2etest
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:34Z"
+    mac: ENC[AES256_GCM,data:lIvQYYlC4p/P/j51lN/oE8Fq+XfXpuTZesKjUi7pGCUI3Utdup4kEiPpr5rsidNBifnTpT6gFyl0CUVF3eNK7/brltv0jkfzfv0CO+y+Soa3Wu1ZvObtShGf8azbb77PEHC1qiLmCaCYQJmCgW7wkNfu5AHy+wndt85V4+oSE0g=,iv:ybmH8hIPs7RGxJJE1Jaj3FRCqv+Vlw/JUun2zSKb8tc=,tag:LibpQ6wjIJzPciVCgEvOjQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:33Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ/+Jti8jqeEXHxNf7iMUFOndkJHJ5NKZ41FKZcanDw660YX
+            iRvFsp6G6XIIDUl8iJ9O+uMvwczT9Ho/+c3zCA7NjqBfgh8/T6DfYzg9iq29PEq8
+            koJda8q/DHwzYhC1+ijRqJ34jLCh/uAnBqCmYWNYYTO1GL5rK13PmZRtG67+3MJW
+            dmuH2eSGnSk/ZfnqxYusBEVIvpvedlD5rx960qIId0WhTTmu+uGM/aKopk/blqfY
+            fh3bPmoHNYjHvaMp5MMe0CJmXO1/XaVNnOnE8RZxd+BQkVgQyVONuP78o982msLy
+            uWF8khvBH9lbB6Mc0TPLf7ZL3e7HooyWl+r0sbbKbY3PZLNeXCFk3EW+XarN8QAp
+            qO4VWeoNtjexWN+jyim5Ld9n4aPxC9PJM/SOEETtFME11TrIEBwHsuQtE8oi6bwc
+            oI551fLC58q/yneNbFOtS34L4pwxVl7PLCP6wyKFyZY6pzE2OEvx/+p4bp3cKVpX
+            wSfKbRZXygaH/Zk+ocnUtBFoVhQ7dTkDr42yHkn/bwHvA+Jjn6vI5I5PqNNGRwkl
+            HyXXtz1UnQh+9M6jKjSqPHK5WeoxCochMttdjTxnnBHuFOUTZ16zMfVVJLLf2+ci
+            uXgKZFv/9xdFiWf1YwLsCiEC5iP0wE00ZShuyc/Yw6RjkVNbElVE5qlvaXOjVEnS
+            XAH24JbApCrv+zHw5HJ6Oi+VHjCa7kiaeGAyWEw4Udvn+gy0sKq7Zo9HbiXj+fA8
+            TR2PDX4lJKuE9lmQ2EeRNG6z7m6vVGmMiXYcq7/oBsxc2VUHfr42qE/nBMZI
+            =pjhf
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
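Review bot: The `bmcPassword` and `hashedPassword` values for this physical pod are encrypted to fingerprint A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0, the same key that deploy/site/vm/.sops.yaml names, and pod11.sh marks it with `# TODO Replace ICN test key with real key`. The commit also adds deploy/site/vm/sops.asc, which appears to be the exported secret half of that key (flux_create_site stores the secret key under the name `sops.asc`); if so, these ciphertexts give no protection against anyone who can read the repository. The pod11 site should be re-encrypted to a key whose private half is never committed, and the BMC and user credentials encrypted here should be treated as exposed and rotated.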
diff --git a/deploy/site/pod11/sops.pub.asc b/deploy/site/pod11/sops.pub.asc
new file mode 100644 (file)
index 0000000..34a3c25
--- /dev/null
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=8GKa
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/deploy/site/site.sh b/deploy/site/site.sh
new file mode 100755 (executable)
index 0000000..d0c970a
--- /dev/null
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
+LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
+
+source $LIBDIR/common.sh
+source $SCRIPTDIR/common.sh
+
+case $1 in
+    "create-gpg-key") create_gpg_key $2 ;;
+    "sops-encrypt-site") sops_encrypt_site $2 $3 ;;
+    "sops-decrypt-site") sops_decrypt_site $2 ;;
+    "flux-create-site") flux_create_site $2 $3 $4 $5;;
+    *) cat <<EOF
+Usage: $(basename $0) COMMAND
+
+Commands:
+  create-gpg-key KEY_NAME                      - Create GPG keypair in local keyring
+  sops-encrypt-site SITE_YAML KEY_NAME         - Encrypt SITE_YAML secrets with KEY_NAME
+  sops-decrypt-site SITE_YAML                  - Decrypt SITE_YAML secrets
+  flux-create-site URL BRANCH PATH KEY_NAME    - Create Flux resources to deploy site
+EOF
+       ;;
+esac
diff --git a/deploy/site/vm/.sops.yaml b/deploy/site/vm/.sops.yaml
new file mode 100644 (file)
index 0000000..60dfb57
--- /dev/null
@@ -0,0 +1,4 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    pgp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
diff --git a/deploy/site/vm/cluster-e2etest-values.yaml b/deploy/site/vm/cluster-e2etest-values.yaml
deleted file mode 100644 (file)
index e1060ba..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-clusterName: e2etest
-clusterLabels:
-  site: vm
-keepalived:
-  interface: ens6
-  routerId: 3
-networks:
-  baremetal:
-    interface: ens6
-  provisioning:
-    interface: ens5
-userData:
-  sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrxu+fSrU51vgAO5zP5xWcTU8uLv4MkUZptE2m1BJE88JdQ80kz9DmUmq2AniMkVTy4pNeUW5PsmGJa+anN3MPM99CR9I37zRqy5i6rUDQgKjz8W12RauyeRMIBrbdy7AX1xasoTRnd6Ta47bP0egiFb+vUGnlTFhgfrbYfjbkJhVfVLCTgRw8Yj0NSK16YEyhYLbLXpix5udRpXSiFYIyAEWRCCsWJWljACr99P7EF82vCGI0UDGCCd/1upbUwZeTouD/FJBw9qppe6/1eaqRp7D36UYe3KzLpfHQNgm9AzwgYYZrD4tNN6QBMq/VUIuam0G1aLgG8IYRLs41HYkJ root@jump
-flux:
-  path: ./deploy/site/cluster-e2etest
diff --git a/deploy/site/vm/id_rsa b/deploy/site/vm/id_rsa
new file mode 100644 (file)
index 0000000..21e9cb1
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz/UPm/uLY2bknS+pA6GtoeIpA9wBunYcUkEI6VIq/FLtsher
+tVgB6vHAQOCrjpy9Xi0Kmg0TTXiuNhGoux4uUJYWzWtzA+IRIfCzNZFA7LZZek1l
+JNS1QF/L3B0T7oRwvd8nhls1y3cUpdo4gdLJz8kbjWlvTR8/LjWxbGVLSdyfKUKL
+/OXYAho3R8IcXQ44qaxEkC7Hg+YoCs+8oZT3QB6x/tWZs7J4NTlAWLFLetjiZ1SN
+JJL09B/7pxZeq6pJmVPENeDTahJMDBRo3DnBPeWT8+WXPRHYz3HtJgy6LJ/ceYLC
+ntjGoq2yS2EafakH+yYMzrh9rPYJyeLJJZAfNwIDAQABAoIBABKcQsZZz5KYvbLX
+dg+uI2TOYY9H3Bu8wDIYQdznjpNANKdweNxkwN8uvV7Q/Glp24SXEVDSBL01JJoQ
+IIKGY+ywUeAWUpexXokkClWr5xyIAR/x1zBhnMrjB9JuA7+fuJs1Yksi1ICd6ooh
+Kldr7sWaoM2Z9uz28+eFxJgHxKIaY+aoP+S/UFv+2fX1uGHcADpGf16Z92TaWo4h
+pa296owO+kHWb6lbFPmslJpVqb+jrIky1a6KXCZAHxxQqQ042IHt8GnIZm9dFneq
+gHwjtMlZAyowwjPf/SRzZGVh285O9Zr3Y30PMPqfmMD2x11KVB2vJkHgzXA64GFe
+/6TpgWkCgYEA/RFrmL2FIdAbWqO3jL356FmfmSaFhk+le2w+qWLR/ypGvdtw2+c+
+V9jpsfoWQp3Cs0ryqu2K764YCf4EwxQVmPLYA0DD3gqSxD57TRlm+JiYZHD/8f8c
+P59EnYkLOd8RuonpzTXEu+EhrBztRRRulBFhsqGaeSh0v+OP+nOyn4UCgYEA0l3Y
+f1w4dn+M2mxFpYH+F7tZo0os/KPJRvC0cF/ooBcsfM+DlEw5iQp9HQR1lJHy3VGS
+8zi7V9/ACej7Bn45sbUsbdGXVxG8pWhgwFUgLR9whMrKN4ZocAIarf3lHwvUld7L
+AQBg/jynrlXubb4B9BvoaJ9uRh7KJ8yZCZ/gGosCgYBP8ZPa4WvQHay2emd+d3kd
+1EodmFSv9DMjhTNaURRjlhhY25yQa0F/gM96YLVtf+bEutVj97xfMND5PxyD/7E+
+6uAgTvJRD2gDxHUxCuhDefkSKbxA10U2N/r2BRfdxUEVe4G3SNgIPftkIpM1slmo
+PsFtK63fvk77W0jdZnUz/QKBgHI4glSkvgOZPeFa6HX1HwHDt+fxXnvOcnsSNubN
+LIHAE2exRMBAovzFtSkMQstoc3W31RI6u336/0piNepQnwLeXEFEi+e6ubMV+XJ0
+xgO6Dl4LvcBoOkyW1+Wg9cblpYe6cH8atY9VX7ZI8iyj/muMu6QS7M0l6p2xeWbA
+Z+4BAoGALegvmJQsNKTRXEyCjSOTq5FrOB9vSPDyLJ30HIN0sFHU0hycehPEzGcS
+VWLTct6IAy+Hs4md8YJHv0izN3WNvKdU0jMOkOirWC5XexWnnP9W8T7jZnnORjd2
+FkudWZC2d6el+JA3b021kjDMpBw4lMmr4vvwWbgDZpKaqx23HmU=
+-----END RSA PRIVATE KEY-----
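Review bot: A private key is committed here, so every host that authorizes deploy/site/vm/id_rsa.pub is reachable by anyone with read access to the repository; that should be stated next to the key (a README or a comment in the site script), and the key should never be authorized outside the throwaway VM site. The file is added with mode 100644, and OpenSSH refuses an IdentityFile that is group- or world-readable, so whichever script points ssh at it has to `chmod 600` it first; that script is not visible here. Generating the pair at build time into the build directory would avoid committing it at all.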
diff --git a/deploy/site/vm/id_rsa.pub b/deploy/site/vm/id_rsa.pub
new file mode 100644 (file)
index 0000000..a539a63
--- /dev/null
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP9Q+b+4tjZuSdL6kDoa2h4ikD3AG6dhxSQQjpUir8Uu2yF6u1WAHq8cBA4KuOnL1eLQqaDRNNeK42Eai7Hi5QlhbNa3MD4hEh8LM1kUDstll6TWUk1LVAX8vcHRPuhHC93yeGWzXLdxSl2jiB0snPyRuNaW9NHz8uNbFsZUtJ3J8pQov85dgCGjdHwhxdDjiprESQLseD5igKz7yhlPdAHrH+1Zmzsng1OUBYsUt62OJnVI0kkvT0H/unFl6rqkmZU8Q14NNqEkwMFGjcOcE95ZPz5Zc9EdjPce0mDLosn9x5gsKe2MairbJLYRp9qQf7JgzOuH2s9gnJ4sklkB83 root@jump
diff --git a/deploy/site/vm/site.yaml b/deploy/site/vm/site.yaml
new file mode 100644 (file)
index 0000000..3dce0b8
--- /dev/null
@@ -0,0 +1,248 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: metal3
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+    name: icn
+    namespace: metal3
+spec:
+    gitImplementation: go-git
+    interval: 1m0s
+    ref:
+        branch: master
+    timeout: 20s
+    url: https://gerrit.akraino.org/r/icn
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-1
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: machine-1
+        bootMACAddress: 52:54:00:c6:75:40
+        bmcAddress: ipmi://192.168.151.1:6230
+        bmcUsername: admin
+        bmcPassword: ENC[AES256_GCM,data:NirGLqlAT7A=,iv:W25j39CMEmJUXDl2o2UvXbdumqnpBY2K4/7gp6DZttQ=,tag:4h1pzHcnVnS0FMX0F9ugCg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-2
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: machine-2
+        bootMACAddress: 52:54:00:6f:d6:97
+        bmcAddress: ipmi://192.168.151.1:6231
+        bmcUsername: admin
+        bmcPassword: ENC[AES256_GCM,data:yXyJBi5nEgI=,iv:m6YOy0WkKbAmEJ2zAgpzeGjlU625fCwZ+bh0lFaNxmM=,tag:BARypQBJZXxRv5nbi5pcog==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: cluster-e2etest
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/cluster
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        clusterName: e2etest
+        clusterLabels:
+            site: vm
+        keepalived:
+            interface: ens6
+            routerId: 3
+        networks:
+            baremetal:
+                interface: ens6
+            provisioning:
+                interface: ens5
+        userData:
+            hashedPassword: ENC[AES256_GCM,data:N60s4MON2Xmkq1MqQtnp865IqHjeISQv17LJsuRLbrE4K2AvBDmgbZjt00xLiiBbcSuLJYLcTquC+Z4DhFEaq3mkumsOqZ8Q66sy0GR+Kja8PUsDXL8Bqlmusw1O6EzwAl0eK26VFW4PeC/Q7VVKyrH4osI=,iv:jTNY88lxKW6IHTH041ibR8+ZKGm4D7OC8hH5TGglR1Q=,tag:mDe/T+edPuyqkX/tbG4h1w==,type:str]
+            sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP9Q+b+4tjZuSdL6kDoa2h4ikD3AG6dhxSQQjpUir8Uu2yF6u1WAHq8cBA4KuOnL1eLQqaDRNNeK42Eai7Hi5QlhbNa3MD4hEh8LM1kUDstll6TWUk1LVAX8vcHRPuhHC93yeGWzXLdxSl2jiB0snPyRuNaW9NHz8uNbFsZUtJ3J8pQov85dgCGjdHwhxdDjiprESQLseD5igKz7yhlPdAHrH+1Zmzsng1OUBYsUt62OJnVI0kkvT0H/unFl6rqkmZU8Q14NNqEkwMFGjcOcE95ZPz5Zc9EdjPce0mDLosn9x5gsKe2MairbJLYRp9qQf7JgzOuH2s9gnJ4sklkB83 root@jump
+        flux:
+            url: https://gerrit.akraino.org/r/icn
+            branch: master
+            path: ./deploy/site/cluster-e2etest
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
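Review bot: The `GitRepository` named `icn` follows `branch: master` at `https://gerrit.akraino.org/r/icn` with `interval: 1m0s` and no `verify` block, so whatever lands on that branch is reconciled into the `machine-1`, `machine-2` and `cluster-e2etest` HelmReleases within minutes and without any commit signature check. That may be acceptable for a throwaway VM site, but this file is likely to be used as a template for real sites. Consider pinning `ref` to a tag or commit, or adding a `verify` section with `mode: head` and a `secretRef` naming the trusted public keys. The same unpinned `url` and `branch: master` pair appears again under `values.flux` for the workload cluster.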
diff --git a/deploy/site/vm/sops.asc b/deploy/site/vm/sops.asc
new file mode 100644 (file)
index 0000000..23f32be
--- /dev/null
@@ -0,0 +1,117 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+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+=kqWR
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/deploy/site/vm/sops.pub.asc b/deploy/site/vm/sops.pub.asc
new file mode 100644 (file)
index 0000000..34a3c25
--- /dev/null
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=8GKa
+-----END PGP PUBLIC KEY BLOCK-----
index 882a8bd..841644b 100755 (executable)
@@ -5,35 +5,48 @@ SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
 LIBDIR="$(dirname $(dirname $(dirname ${SCRIPTDIR})))/env/lib"
 
 source $LIBDIR/common.sh
+source $SCRIPTDIR/../common.sh
 
 BUILDDIR=${SCRIPTDIR/deploy/build}
 mkdir -p ${BUILDDIR}
 
-function build {
-    SSH_AUTHORIZED_KEY=$(cat ${HOME}/.ssh/id_rsa.pub)
+FLUX_SOPS_KEY_NAME=${FLUX_SOPS_KEY_NAME:-"icn-site-vm"}
+
+# !!!NOTE!!! THE KEYS USED BELOW ARE FOR TEST PURPOSES ONLY.  DO NOT
+# USE THESE OUTSIDE OF THIS ICN VIRTUAL TEST ENVIRONMENT.
+function build_source {
+    # First decrypt the existing site YAML, otherwise we'll be
+    # attempting to encrypt it twice below
+    if [[ -f ${SCRIPTDIR}/sops.asc ]]; then
+       gpg --import ${SCRIPTDIR}/sops.asc
+       sops_decrypt_site ${SCRIPTDIR}/site.yaml
+    fi
+
+    # Generate user password and authorized key in site YAML
+    # To login to guest, ssh -i ${SCRIPTDIR}/id_rsa
+    HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds 10000 "mypasswd")
+    sed -i -e 's!hashedPassword: .*!hashedPassword: '"${HASHED_PASSWORD}"'!' ${SCRIPTDIR}/site.yaml
+    ssh-keygen -t rsa -N "" -f ${SCRIPTDIR}/id_rsa <<<y
+    SSH_AUTHORIZED_KEY=$(cat ${SCRIPTDIR}/id_rsa.pub)
     # Use ! instead of usual / to avoid escaping / in
     # SSH_AUTHORIZED_KEY
-    sed -e 's!sshAuthorizedKey: .*!sshAuthorizedKey: '"${SSH_AUTHORIZED_KEY}"'!' ${SCRIPTDIR}/cluster-e2etest-values.yaml >${BUILDDIR}/cluster-e2etest-values.yaml
-}
+    sed -i -e 's!sshAuthorizedKey: .*!sshAuthorizedKey: '"${SSH_AUTHORIZED_KEY}"'!' ${SCRIPTDIR}/site.yaml
+
+    # Encrypt the site YAML
+    create_gpg_key ${FLUX_SOPS_KEY_NAME}
+    sops_encrypt_site ${SCRIPTDIR}/site.yaml ${FLUX_SOPS_KEY_NAME}
 
-function release_name {
-    local -r values_path=$1
-    name=$(basename ${values_path})
-    echo ${name%-values.yaml}
+    # ONLY FOR TEST ENVIRONMENT: save the private key used
+    export_gpg_private_key ${FLUX_SOPS_KEY_NAME} >${SCRIPTDIR}/sops.asc
 }
 
 function deploy {
-    for values in ${BUILDDIR}/machine-*-values.yaml; do
-       helm -n metal3 install $(release_name ${values}) ${SCRIPTDIR}/../../machine --create-namespace -f ${values}
-    done
-    helm -n metal3 install cluster-e2etest ${SCRIPTDIR}/../../cluster --create-namespace -f ${BUILDDIR}/cluster-e2etest-values.yaml
+    gpg --import ${SCRIPTDIR}/sops.asc
+    flux_create_site https://gerrit.akraino.org/r/icn master deploy/site/vm ${FLUX_SOPS_KEY_NAME}
 }
 
 function clean {
-    helm -n metal3 uninstall cluster-e2etest
-    for values in ${BUILDDIR}/machine-*-values.yaml; do
-       helm -n metal3 uninstall $(release_name ${values})
-    done
+    kubectl -n flux-system delete kustomization icn-master-site-vm
 }
 
 function is_cluster_ready {
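Review bot: Both `build_source` and `deploy` run `gpg --import ${SCRIPTDIR}/sops.asc` against the caller's default keyring, which leaves a private key whose material is published in this repository in the operator's own GnuPG home, alongside any real keys. A dedicated keyring would keep the test key contained, for example `mkdir -p -m 700 ${BUILDDIR}/gnupg` followed by `export GNUPGHOME=${BUILDDIR}/gnupg` near the top of the script. The helpers `create_gpg_key`, `sops_decrypt_site`, `export_gpg_private_key` and `flux_create_site` are defined outside this hunk, so confirm they pick up the exported variable. The test-only warning comment sits above `build_source` only; repeating it above `deploy` would make it visible where the key is imported.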
@@ -48,6 +61,28 @@ function is_control_plane_ready {
     [[ $(kubectl --kubeconfig=${BUILDDIR}/e2etest-admin.conf get nodes -l node-role.kubernetes.io/control-plane -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}' | grep -c True) == ${replicas} ]]
 }
 
+function insert_control_plane_network_identity_into_ssh_config {
+    # This enables logging into the control plane machines from this
+    # machine without specifying the identify file on the command line
+
+    # Create ssh config if it doesn't exist
+    mkdir -p ${HOME}/.ssh && chmod 700 ${HOME}/.ssh
+    touch ${HOME}/.ssh/config
+    chmod 600 ${HOME}/.ssh/config
+    # Add the entry for the control plane network, host value in ssh
+    # config is a wildcard
+    endpoint=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlaneEndpoint:/ {print $2}')
+    prefix=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlanePrefix:/ {print $2}')
+    host=$(ipcalc ${endpoint}/${prefix} | awk '/Network:/ {sub(/\.0.*/,".*"); print $2}')
+    if [[ $(grep -c "Host ${host}" ${HOME}/.ssh/config) != 0 ]]; then
+       sed -i -e '/Host '"${host}"'/,+1 d' ${HOME}/.ssh/config
+    fi
+    cat <<EOF >>${HOME}/.ssh/config
+Host ${host}
+  IdentityFile ${SCRIPTDIR}/id_rsa
+EOF
+}
+
 function wait_for_all_ready {
     WAIT_FOR_INTERVAL=60s
     WAIT_FOR_TRIES=30
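Review bot: The `IdentityFile ${SCRIPTDIR}/id_rsa` entry written by `insert_control_plane_network_identity_into_ssh_config` points at a key that this commit adds to the tree with mode 0644, and OpenSSH refuses private keys readable by group or others. On a fresh checkout where `build_source` has not regenerated the key, logins to the control plane would therefore probably not use it. Adding `chmod 600 ${SCRIPTDIR}/id_rsa` before the heredoc avoids that. Separately, `${host}` ends in `.*` and is used unescaped as a regex in `grep -c "Host ${host}"` and in the `sed` address, so it can match and delete an unrelated `Host` entry that shares the prefix; a fixed-string match would be tighter.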
@@ -55,10 +90,11 @@ function wait_for_all_ready {
     clusterctl -n metal3 get kubeconfig e2etest >${BUILDDIR}/e2etest-admin.conf
     chmod 600 ${BUILDDIR}/e2etest-admin.conf
     wait_for is_control_plane_ready
+    insert_control_plane_network_identity_into_ssh_config
 }
 
 case $1 in
-    "build") build ;;
+    "build-source") build_source ;;
     "clean") clean ;;
     "deploy") deploy ;;
     "wait") wait_for_all_ready ;;
@@ -66,7 +102,7 @@ case $1 in
 Usage: $(basename $0) COMMAND
 
 Commands:
-  build         - Build the site deployment values
+  build-source  - Build the in-tree site values
   clean         - Remove the site
   deploy        - Deploy the site
   wait          - Wait for the site to be ready
index 2009c58..a6a6c4b 100755 (executable)
@@ -2,6 +2,7 @@
 set -eu -o pipefail
 
 IRONIC_DATA_DIR=${IRONIC_DATA_DIR:-"/opt/ironic"}
+NODES_FILE=${NODES_FILE:-"${IRONIC_DATA_DIR}/nodes.json"}
 #IRONIC_PROVISIONING_INTERFACE is required to be provisioning, don't change it
 IRONIC_INTERFACE=${IRONIC_INTERFACE:-}
 IRONIC_PROVISIONING_INTERFACE=${IRONIC_PROVISIONING_INTERFACE:-"provisioning"}
@@ -46,6 +47,9 @@ CAPM3_VERSION="v0.5.1"
 #The flux version to use
 FLUX_VERSION="0.20.0"
 
+#The sops version to use
+SOPS_VERSION="v3.7.1"
+
 #refered from onap
 function call_api {
     #Runs curl with passed flags and provides
@@ -78,8 +82,6 @@ function call_api {
 }
 
 function list_nodes {
-    NODES_FILE="${IRONIC_DATA_DIR}/nodes.json"
-
     if [ ! -f "$NODES_FILE" ]; then
         exit 1
     fi
@@ -125,7 +127,6 @@ function networkdata_networks_field {
     name=$1
     network=$2
     field=$3
-    NODES_FILE="${IRONIC_DATA_DIR}/nodes.json"
     cat $NODES_FILE | jq -c -r --arg name "$name" --arg network "$network" --arg field "$field" '.nodes[] | select(.name==$name) | .net.networks[] | select(.id==$network).'${field}
 }
 
@@ -134,15 +135,12 @@ function networkdata_links_field {
     name=$1
     link=$2
     field=$3
-    NODES_FILE="${IRONIC_DATA_DIR}/nodes.json"
     cat $NODES_FILE | jq -c -r --arg name "$name" --arg link "$link" --arg field "$field" '.nodes[] | select(.name==$name) | .net.links[] | select(.id==$link).'${field}
 }
 
 function node_networkdata {
     name=$1
 
-    NODES_FILE="${IRONIC_DATA_DIR}/nodes.json"
-
     if [ ! -f "$NODES_FILE" ]; then
         exit 1
     fi
@@ -248,6 +246,13 @@ function install_emcoctl {
     sudo install -o root -g root -m 0755 ${EMCOPATH}/bin/emcoctl/emcoctl /usr/local/bin/emcoctl
 }
 
+function install_sops {
+    curl -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux -o sops
+    sudo install -o root -g root -m 0755 sops /usr/local/bin/sops
+    rm sops
+    sops --version
+}
+
 function fetch_image {
     if [[ "${BM_IMAGE_URL}" && "${BM_IMAGE}" ]]; then
        mkdir -p "${IRONIC_DATA_DIR}/html/images"
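Review bot: `install_sops` downloads a binary and installs it root-owned into `/usr/local/bin` without checking its integrity, and `curl -L` without `-f` will save an HTTP error page as `sops` if the release URL fails. Pin a digest next to `SOPS_VERSION` (a new variable, e.g. `SOPS_SHA256="<sha256-of-release-binary>"`) and check it before the install: `curl -fL ... -o sops` followed by `echo "${SOPS_SHA256}  sops" | sha256sum -c -`. The download also lands in the current working directory under a fixed name; a `mktemp -d` scratch directory would avoid clobbering an existing `sops` file there.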
index d0409b3..8b8c36f 100755 (executable)
@@ -20,6 +20,7 @@ function install_essential_packages {
     curl \
     dnsmasq \
     figlet \
+    ipcalc \
     nmap \
     patch \
     psmisc \
@@ -64,6 +65,7 @@ install() {
     install_kustomize
     install_clusterctl
     install_flux_cli
+    install_sops
     install_emcoctl
 }
 
index 5676a7b..86b3cd4 100755 (executable)
@@ -1,9 +1,9 @@
 #!/bin/bash
 set -eu -o pipefail
 
-index=$1
-site=$2
-name=$3
+site=$1
+name=$2
+port=$3
 
-vbmc --no-daemon add ${site}-${name} --port $((6230+index-1)) --libvirt-uri "qemu:///system?&no_verify=1&no_tty=1"
+vbmc --no-daemon add ${site}-${name} --port ${port} --libvirt-uri "qemu:///system?&no_verify=1&no_tty=1"
 vbmc --no-daemon start ${site}-${name}
diff --git a/tools/vagrant/create_machine_resource.sh b/tools/vagrant/create_machine_resource.sh
deleted file mode 100755 (executable)
index e1afdc2..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-
-index=$1
-site=$2
-name=$3
-
-ipmi_host=$(virsh -c qemu:///system net-dumpxml ${site}-baremetal | xmlstarlet sel -t -v "//network/ip/@address")
-ipmi_port=$((6230+index-1))
-boot_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
-
-mkdir -p build/site/${site}
-cat <<EOF >build/site/${site}/machine-${index}-values.yaml
-machineName: machine-${index}
-bootMACAddress: ${boot_mac}
-bmcAddress: ipmi://${ipmi_host}:${ipmi_port}
-bmcUsername: admin
-bmcPassword: password
-EOF
index e1a9948..4729edb 100755 (executable)
@@ -1,9 +1,7 @@
 #!/bin/bash
 set -eu -o pipefail
 
-num_machines=$1
-site=$2
-name_prefix=$3
+site=$1; shift
 
 nodes_json_path="deploy/metal3/scripts/nodes.json.sample"
 ipmi_host=$(virsh -c qemu:///system net-dumpxml ${site}-baremetal | xmlstarlet sel -t -v "//network/ip/@address")
@@ -12,12 +10,13 @@ cat <<EOF >${nodes_json_path}
 {
   "nodes": [
 EOF
-for ((i=1;i<=num_machines;++i)); do
-    name="${name_prefix}${i}"
-    ipmi_port=$((6230+i-1))
+
+while (("$#")); do
+    name=$1; shift
+    ipmi_port=$1; shift
     baremetal_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-baremetal']/mac/@address")
     provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
-    if ((i<num_machines)); then comma=","; else comma=""; fi
+    if (("$#")); then comma=","; else comma=""; fi
     cat <<EOF >>${nodes_json_path}
     {
       "name": "${name}",
index 2d07344..917245d 100755 (executable)
@@ -1,13 +1,12 @@
 #!/bin/bash
 set -eu -o pipefail
 
-num_machines=$1
-site=$2
-name_prefix=$3
+site=$1; shift
 
 provisioning_cr_path="cmd/bpa-operator/e2etest/test_bmh_provisioning_cr.yaml"
 
-name="${name_prefix}1"
+name=$1; shift
+ipmi_port=$1; shift
 provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
 cat <<EOF >${provisioning_cr_path}
 apiVersion: bpa.akraino.org/v1alpha1
@@ -22,12 +21,13 @@ spec:
     - ${name}:
         mac-address: ${provisioning_mac}
 EOF
-if ((num_machines>1)); then
+if (("$#")); then
     cat <<EOF >>${provisioning_cr_path}
   workers:
 EOF
-    for ((i=2;i<=num_machines;++i)); do
-       name="${name_prefix}${i}"
+    while (("$#")); do
+       name=$1; shift
+       ipmi_port=$1; shift
        provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
        cat <<EOF >>${provisioning_cr_path}
     - ${name}:
index 4ff8018..4efc15b 100755 (executable)
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -eu -o pipefail
 
-index=$1
-site=$2
-name=$3
+site=$1
+name=$2
+port=$3
 
 vbmc --no-daemon delete ${site}-${name} || true
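Review bot: `port=$3` is assigned but never used in this script, and under `set -u` it makes a third argument mandatory, so a two-argument call aborts before `vbmc --no-daemon delete` runs. If the parameter is kept only for symmetry with the add script, write `port=${3:-}` with a comment saying so, or drop the line.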