From: Todd Malsbary <todd.malsbary@intel.com>
Date: Fri, 3 Dec 2021 00:17:57 +0000 (-0800)
Subject: Flux install of compute cluster
X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=43dbb5a2353606d1801f08dcf3e2fd06399843fb;p=icn.git

Flux install of compute cluster

This includes SOPS encryption of BMC and cluster secrets.

NOTE: Keys are included in this commit.  These are only intended to be
used in this ICN virtual environment for testing and demonstration
purposes.

Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I2c7b76ec5f2d125afb007d5a4b90a23924f8d305
---

diff --git a/Makefile b/Makefile
index 1ccfae2..a259336 100644
--- a/Makefile
+++ b/Makefile
@@ -148,7 +148,6 @@ vm_verifier: jump_server \
 	vm_clean_all
 
 vm_cluster:
-	./deploy/site/vm/vm.sh build
 	./deploy/site/vm/vm.sh deploy
 	./deploy/site/vm/vm.sh wait
 	./deploy/kata/kata.sh test
diff --git a/Vagrantfile b/Vagrantfile
index 82b72bc..377b215 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,5 +1,8 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
+require 'ipaddr'
+require 'uri'
+require 'yaml'
 
 # IMPORTANT To bring up the machines, use the "--no-parallel" option
 # to vagrant up.  This is to workaround dependencies between the jump
@@ -7,11 +10,24 @@
 # machines will fail to come up until the baremetal network (created
 # by vagrant from the jump machine definition) is up.
 
-vars = {
-  :site => 'vm',
-  :baremetal_cidr => '192.168.151.0/24',
-  :num_machines => 2
-}
+site = ENV['ICN_SITE'] || 'vm'
+
+# Calculate the baremetal network address from the bmcAddress (aka
+# IPMI address) specified in the machine pool values.  IPMI in the
+# virtual environment is emulated by virtualbmc listening on the host.
+baremetal_cidr = nil
+Dir.glob("deploy/site/#{site}/*.yaml") do |file|
+  YAML.load_stream(File.read(file)) do |document|
+    values = document.fetch('spec', {}).fetch('values', {})
+    next if values['machineName'].nil? || values['bootMACAddress'].nil?
+    bmc_host = URI.parse(values['bmcAddress']).host
+    baremetal_cidr = "#{IPAddr.new(bmc_host).mask(24)}/24"
+  end
+end
+if baremetal_cidr.nil?
+  puts "Missing bmcAddress value in site definition, can't determine baremetal network address"
+  exit 1
+end
 
 $post_up_message = <<MSG
 ------------------------------------------------------
@@ -48,7 +64,7 @@ Vagrant.configure("2") do |config|
     m.vm.synced_folder '.', '/icn'
     m.vm.provider :libvirt do |libvirt|
       libvirt.graphics_ip = '0.0.0.0'
-      libvirt.default_prefix = "#{vars[:site]}-"
+      libvirt.default_prefix = "#{site}-"
       libvirt.cpu_mode = 'host-passthrough'
       libvirt.cpus = 8
       libvirt.memory = 24576
@@ -56,8 +72,8 @@ Vagrant.configure("2") do |config|
 
       # The ICN baremetal network is the vagrant management network,
       # and is created by vagrant for us
-      libvirt.management_network_name = "#{vars[:site]}-baremetal"
-      libvirt.management_network_address = vars[:baremetal_cidr]
+      libvirt.management_network_name = "#{site}-baremetal"
+      libvirt.management_network_address = baremetal_cidr
       libvirt.management_network_autostart = true
     end
 
@@ -65,14 +81,14 @@ Vagrant.configure("2") do |config|
     # created upon bringing up the jump machine
     m.trigger.before [:up] do |trigger|
       trigger.name = 'Creating provisioning network'
-      trigger.run = {inline: "./tools/vagrant/create_provisioning_network.sh #{vars[:site]}"}
+      trigger.run = {inline: "./tools/vagrant/create_provisioning_network.sh #{site}"}
     end
     m.trigger.after [:destroy] do |trigger|
       trigger.name = 'Destroying provisioning network'
-      trigger.run = {inline: "./tools/vagrant/destroy_provisioning_network.sh #{vars[:site]}"}
+      trigger.run = {inline: "./tools/vagrant/destroy_provisioning_network.sh #{site}"}
     end
     m.vm.network :private_network,
-                 :libvirt__network_name => "#{vars[:site]}-provisioning",
+                 :libvirt__network_name => "#{site}-provisioning",
                  :type => 'dhcp'
 
     # IPMI control of machines is provided by vbmc on the host
@@ -96,61 +112,65 @@ Vagrant.configure("2") do |config|
     m.vm.post_up_message = $post_up_message
   end
 
-  # The machine pool used by cluster creation
-  (1..vars[:num_machines]).each do |i|
-    config.vm.define "machine-#{i}" do |m|
-      m.vm.hostname = "machine-#{i}"
-      m.vm.provider :libvirt do |libvirt|
-        libvirt.graphics_ip = '0.0.0.0'
-        libvirt.default_prefix = "#{vars[:site]}-"
-        libvirt.cpu_mode = 'host-passthrough'
-        libvirt.cpus = 8
-        libvirt.memory = 16384
-        libvirt.nested = true
-        # The image will be provisioned by ICN so just create an empty
-        # disk for the machine
-        libvirt.storage :file, :size => 50, :type => 'raw', :cache => 'none'
-        # Management attach is false so that vagrant will not interfere
-        # with these machines: the jump server will manage them
-        # completely
-        libvirt.mgmt_attach = false
-      end
-      # The provisioning network must be listed first for PXE boot to
-      # the metal3/ironic provided image
-      m.vm.network :private_network,
-                   :libvirt__network_name => "#{vars[:site]}-provisioning",
-                   :type => 'dhcp'
-      m.vm.network :private_network,
-                   :libvirt__network_name => "#{vars[:site]}-baremetal",
-                   :type => 'dhcp'
-
-      # IPMI control
-      m.trigger.after [:up] do |trigger|
-        trigger.name = 'Adding machine to IPMI network'
-        trigger.run = {inline: "./tools/vagrant/add_machine_to_vbmc.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
-      m.trigger.after [:destroy] do |trigger|
-        trigger.name = 'Removing machine from IPMI network'
-        trigger.run = {inline: "./tools/vagrant/remove_machine_from_vbmc.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
+  # Look for any HelmReleases in the site directory with machineName in
+  # the values dictionary.  This will provide the values needed to
+  # create the machine pool.
+  legacy_machine_args = ""
+  Dir.glob("deploy/site/#{site}/*.yaml") do |file|
+    YAML.load_stream(File.read(file)) do |document|
+      values = document.fetch('spec', {}).fetch('values', {})
+      next if values['machineName'].nil? || values['bootMACAddress'].nil?
+      machine_name = values['machineName']
+      boot_mac_address = values['bootMACAddress']
+      bmc_port = URI.parse(values['bmcAddress']).port
+      config.vm.define machine_name do |m|
+        m.vm.hostname = machine_name
+        m.vm.provider :libvirt do |libvirt|
+          libvirt.graphics_ip = '0.0.0.0'
+          libvirt.default_prefix = "#{site}-"
+          libvirt.cpu_mode = 'host-passthrough'
+          libvirt.cpus = 8
+          libvirt.memory = 16384
+          libvirt.nested = true
+          # The image will be provisioned by ICN so just create an empty
+          # disk for the machine
+          libvirt.storage :file, :size => 50, :type => 'raw', :cache => 'none'
+          # Management attach is false so that vagrant will not interfere
+          # with these machines: the jump server will manage them
+          # completely
+          libvirt.mgmt_attach = false
+        end
+        # The provisioning network must be listed first for PXE boot to
+        # the metal3/ironic provided image
+        m.vm.network :private_network,
+                     :libvirt__network_name => "#{site}-provisioning",
+                     :mac => boot_mac_address,
+                     :type => 'dhcp'
+        m.vm.network :private_network,
+                     :libvirt__network_name => "#{site}-baremetal",
+                     :type => 'dhcp'
+
+        # IPMI control
+        m.trigger.after [:up] do |trigger|
+          trigger.name = 'Adding machine to IPMI network'
+          trigger.run = {inline: "./tools/vagrant/add_machine_to_vbmc.sh #{site} #{machine_name} #{bmc_port}"}
+        end
+        m.trigger.after [:destroy] do |trigger|
+          trigger.name = 'Removing machine from IPMI network'
+          trigger.run = {inline: "./tools/vagrant/remove_machine_from_vbmc.sh #{site} #{machine_name} #{bmc_port}"}
+        end
 
-      # Create configuration for ICN provisioning
-      m.trigger.after [:up] do |trigger|
-        if i == vars[:num_machines] then
+        # Create configuration for ICN provisioning
+        legacy_machine_args = "#{legacy_machine_args} #{machine_name} #{bmc_port}"
+        m.trigger.after [:up] do |trigger|
           trigger.info = 'Creating nodes.json.sample describing the machines'
-          trigger.run = {inline: "./tools/vagrant/create_nodes_json_sample.sh #{vars[:num_machines]} #{vars[:site]} machine-"}
+          trigger.run = {inline: "./tools/vagrant/create_nodes_json_sample.sh #{site} #{legacy_machine_args}"}
         end
-      end
-      m.trigger.after [:up] do |trigger|
-        if i == vars[:num_machines] then
+        m.trigger.after [:up] do |trigger|
           trigger.info = 'Creating Provisioning resource describing the cluster'
-          trigger.run = {inline: "./tools/vagrant/create_provisioning_cr.sh #{vars[:num_machines]} #{vars[:site]} machine-"}
+          trigger.run = {inline: "./tools/vagrant/create_provisioning_cr.sh #{site} #{legacy_machine_args}"}
         end
       end
-      m.trigger.after [:up] do |trigger|
-        trigger.name = 'Creating machine resource'
-        trigger.run = {inline: "./tools/vagrant/create_machine_resource.sh #{i} #{vars[:site]} machine-#{i}"}
-      end
     end
   end
 end
diff --git a/deploy/site/common.sh b/deploy/site/common.sh
new file mode 100644
index 0000000..b20bae5
--- /dev/null
+++ b/deploy/site/common.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+function _gpg_key_fp {
+    gpg --with-colons --list-secret-keys $1 | awk -F: '/fpr/ {print $10;exit}'
+}
+
+function create_gpg_key {
+    local -r key_name=$1
+
+    # Create an rsa4096 key that does not expire
+    gpg --batch --full-generate-key <<EOF
+%no-protection
+Key-Type: 1
+Key-Length: 4096
+Subkey-Type: 1
+Subkey-Length: 4096
+Expire-Date: 0
+Name-Real: ${key_name}
+EOF
+}
+
+function export_gpg_private_key {
+    gpg --export-secret-keys --armor "$(_gpg_key_fp $1)"
+}
+
+function sops_encrypt_site {
+    local -r site_yaml=$1
+    local -r key_name=$2
+
+    local -r site_dir=$(dirname ${site_yaml})
+    local -r key_fp=$(_gpg_key_fp ${key_name})
+
+    # Commit the public key to the repository so that team members who
+    # clone the repo can encrypt new files
+    echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"
+    gpg --export --armor "${key_fp}" >${site_dir}/sops.pub.asc
+
+    # Add .sops.yaml so users won't have to worry about specifying the
+    # proper key for the target cluster or namespace
+    echo "Creating ${site_dir}/.sops.yaml SOPS configuration file"
+    cat <<EOF > ${site_dir}/.sops.yaml
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    pgp: ${key_fp}
+EOF
+
+    sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+}
+
+function sops_decrypt_site {
+    local -r site_yaml=$1
+
+    local -r site_dir=$(dirname ${site_yaml})
+    sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+}
+
+function flux_create_site {
+    local -r url=$1
+    local -r branch=$2
+    local -r path=$3
+    local -r key_name=$4
+
+    local -r source_name="$(basename ${url})-${branch}"
+    local -r kustomization_name="${source_name}-site-$(basename ${path})"
+    local -r key_fp=$(gpg --with-colons --list-secret-keys ${key_name} | awk -F: '/fpr/ {print $10;exit}')
+    local -r secret_name="${key_name}-sops-gpg"
+
+    flux create source git ${source_name} --url=${url} --branch=${branch}
+    gpg --export-secret-keys --armor "$(_gpg_key_fp ${key_name})" |
+	kubectl -n flux-system create secret generic ${secret_name} --from-file=sops.asc=/dev/stdin --dry-run=client -o yaml |
+	kubectl apply -f -
+    flux create kustomization ${kustomization_name} --path=${path} --source=GitRepository/${source_name} --prune=true \
+	 --decryption-provider=sops --decryption-secret=${secret_name}
+}
diff --git a/deploy/site/site.sh b/deploy/site/site.sh
new file mode 100755
index 0000000..d0c970a
--- /dev/null
+++ b/deploy/site/site.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
+LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
+
+source $LIBDIR/common.sh
+source $SCRIPTDIR/common.sh
+
+case $1 in
+    "create-gpg-key") create_gpg_key $2 ;;
+    "sops-encrypt-site") sops_encrypt_site $2 $3 ;;
+    "sops-decrypt-site") sops_decrypt_site $2 ;;
+    "flux-create-site") flux_create_site $2 $3 $4 $5;;
+    *) cat <<EOF
+Usage: $(basename $0) COMMAND
+
+Commands:
+  create-gpg-key KEY_NAME			- Create GPG keypair in local keyring
+  sops-encrypt-site SITE_YAML KEY_NAME		- Encrypt SITE_YAML secrets with KEY_NAME
+  sops-decrypt-site SITE_YAML			- Decrypt SITE_YAML secrets
+  flux-create-site URL BRANCH PATH KEY_NAME	- Create Flux resources to deploy site
+EOF
+       ;;
+esac
diff --git a/deploy/site/vm/.sops.yaml b/deploy/site/vm/.sops.yaml
new file mode 100644
index 0000000..60dfb57
--- /dev/null
+++ b/deploy/site/vm/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    pgp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
diff --git a/deploy/site/vm/cluster-e2etest-values.yaml b/deploy/site/vm/cluster-e2etest-values.yaml
deleted file mode 100644
index e1060ba..0000000
--- a/deploy/site/vm/cluster-e2etest-values.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-clusterName: e2etest
-clusterLabels:
-  site: vm
-keepalived:
-  interface: ens6
-  routerId: 3
-networks:
-  baremetal:
-    interface: ens6
-  provisioning:
-    interface: ens5
-userData:
-  sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrxu+fSrU51vgAO5zP5xWcTU8uLv4MkUZptE2m1BJE88JdQ80kz9DmUmq2AniMkVTy4pNeUW5PsmGJa+anN3MPM99CR9I37zRqy5i6rUDQgKjz8W12RauyeRMIBrbdy7AX1xasoTRnd6Ta47bP0egiFb+vUGnlTFhgfrbYfjbkJhVfVLCTgRw8Yj0NSK16YEyhYLbLXpix5udRpXSiFYIyAEWRCCsWJWljACr99P7EF82vCGI0UDGCCd/1upbUwZeTouD/FJBw9qppe6/1eaqRp7D36UYe3KzLpfHQNgm9AzwgYYZrD4tNN6QBMq/VUIuam0G1aLgG8IYRLs41HYkJ root@jump
-flux:
-  path: ./deploy/site/cluster-e2etest
diff --git a/deploy/site/vm/id_rsa b/deploy/site/vm/id_rsa
new file mode 100644
index 0000000..21e9cb1
--- /dev/null
+++ b/deploy/site/vm/id_rsa
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz/UPm/uLY2bknS+pA6GtoeIpA9wBunYcUkEI6VIq/FLtsher
+tVgB6vHAQOCrjpy9Xi0Kmg0TTXiuNhGoux4uUJYWzWtzA+IRIfCzNZFA7LZZek1l
+JNS1QF/L3B0T7oRwvd8nhls1y3cUpdo4gdLJz8kbjWlvTR8/LjWxbGVLSdyfKUKL
+/OXYAho3R8IcXQ44qaxEkC7Hg+YoCs+8oZT3QB6x/tWZs7J4NTlAWLFLetjiZ1SN
+JJL09B/7pxZeq6pJmVPENeDTahJMDBRo3DnBPeWT8+WXPRHYz3HtJgy6LJ/ceYLC
+ntjGoq2yS2EafakH+yYMzrh9rPYJyeLJJZAfNwIDAQABAoIBABKcQsZZz5KYvbLX
+dg+uI2TOYY9H3Bu8wDIYQdznjpNANKdweNxkwN8uvV7Q/Glp24SXEVDSBL01JJoQ
+IIKGY+ywUeAWUpexXokkClWr5xyIAR/x1zBhnMrjB9JuA7+fuJs1Yksi1ICd6ooh
+Kldr7sWaoM2Z9uz28+eFxJgHxKIaY+aoP+S/UFv+2fX1uGHcADpGf16Z92TaWo4h
+pa296owO+kHWb6lbFPmslJpVqb+jrIky1a6KXCZAHxxQqQ042IHt8GnIZm9dFneq
+gHwjtMlZAyowwjPf/SRzZGVh285O9Zr3Y30PMPqfmMD2x11KVB2vJkHgzXA64GFe
+/6TpgWkCgYEA/RFrmL2FIdAbWqO3jL356FmfmSaFhk+le2w+qWLR/ypGvdtw2+c+
+V9jpsfoWQp3Cs0ryqu2K764YCf4EwxQVmPLYA0DD3gqSxD57TRlm+JiYZHD/8f8c
+P59EnYkLOd8RuonpzTXEu+EhrBztRRRulBFhsqGaeSh0v+OP+nOyn4UCgYEA0l3Y
+f1w4dn+M2mxFpYH+F7tZo0os/KPJRvC0cF/ooBcsfM+DlEw5iQp9HQR1lJHy3VGS
+8zi7V9/ACej7Bn45sbUsbdGXVxG8pWhgwFUgLR9whMrKN4ZocAIarf3lHwvUld7L
+AQBg/jynrlXubb4B9BvoaJ9uRh7KJ8yZCZ/gGosCgYBP8ZPa4WvQHay2emd+d3kd
+1EodmFSv9DMjhTNaURRjlhhY25yQa0F/gM96YLVtf+bEutVj97xfMND5PxyD/7E+
+6uAgTvJRD2gDxHUxCuhDefkSKbxA10U2N/r2BRfdxUEVe4G3SNgIPftkIpM1slmo
+PsFtK63fvk77W0jdZnUz/QKBgHI4glSkvgOZPeFa6HX1HwHDt+fxXnvOcnsSNubN
+LIHAE2exRMBAovzFtSkMQstoc3W31RI6u336/0piNepQnwLeXEFEi+e6ubMV+XJ0
+xgO6Dl4LvcBoOkyW1+Wg9cblpYe6cH8atY9VX7ZI8iyj/muMu6QS7M0l6p2xeWbA
+Z+4BAoGALegvmJQsNKTRXEyCjSOTq5FrOB9vSPDyLJ30HIN0sFHU0hycehPEzGcS
+VWLTct6IAy+Hs4md8YJHv0izN3WNvKdU0jMOkOirWC5XexWnnP9W8T7jZnnORjd2
+FkudWZC2d6el+JA3b021kjDMpBw4lMmr4vvwWbgDZpKaqx23HmU=
+-----END RSA PRIVATE KEY-----
diff --git a/deploy/site/vm/id_rsa.pub b/deploy/site/vm/id_rsa.pub
new file mode 100644
index 0000000..a539a63
--- /dev/null
+++ b/deploy/site/vm/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP9Q+b+4tjZuSdL6kDoa2h4ikD3AG6dhxSQQjpUir8Uu2yF6u1WAHq8cBA4KuOnL1eLQqaDRNNeK42Eai7Hi5QlhbNa3MD4hEh8LM1kUDstll6TWUk1LVAX8vcHRPuhHC93yeGWzXLdxSl2jiB0snPyRuNaW9NHz8uNbFsZUtJ3J8pQov85dgCGjdHwhxdDjiprESQLseD5igKz7yhlPdAHrH+1Zmzsng1OUBYsUt62OJnVI0kkvT0H/unFl6rqkmZU8Q14NNqEkwMFGjcOcE95ZPz5Zc9EdjPce0mDLosn9x5gsKe2MairbJLYRp9qQf7JgzOuH2s9gnJ4sklkB83 root@jump
diff --git a/deploy/site/vm/site.yaml b/deploy/site/vm/site.yaml
new file mode 100644
index 0000000..3dce0b8
--- /dev/null
+++ b/deploy/site/vm/site.yaml
@@ -0,0 +1,248 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: metal3
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+    name: icn
+    namespace: metal3
+spec:
+    gitImplementation: go-git
+    interval: 1m0s
+    ref:
+        branch: master
+    timeout: 20s
+    url: https://gerrit.akraino.org/r/icn
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-1
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: machine-1
+        bootMACAddress: 52:54:00:c6:75:40
+        bmcAddress: ipmi://192.168.151.1:6230
+        bmcUsername: admin
+        bmcPassword: ENC[AES256_GCM,data:NirGLqlAT7A=,iv:W25j39CMEmJUXDl2o2UvXbdumqnpBY2K4/7gp6DZttQ=,tag:4h1pzHcnVnS0FMX0F9ugCg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: machine-2
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/machine
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        machineName: machine-2
+        bootMACAddress: 52:54:00:6f:d6:97
+        bmcAddress: ipmi://192.168.151.1:6231
+        bmcUsername: admin
+        bmcPassword: ENC[AES256_GCM,data:yXyJBi5nEgI=,iv:m6YOy0WkKbAmEJ2zAgpzeGjlU625fCwZ+bh0lFaNxmM=,tag:BARypQBJZXxRv5nbi5pcog==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: cluster-e2etest
+    namespace: metal3
+spec:
+    interval: 5m
+    chart:
+        spec:
+            chart: deploy/cluster
+            sourceRef:
+                kind: GitRepository
+                name: icn
+            interval: 1m
+    values:
+        clusterName: e2etest
+        clusterLabels:
+            site: vm
+        keepalived:
+            interface: ens6
+            routerId: 3
+        networks:
+            baremetal:
+                interface: ens6
+            provisioning:
+                interface: ens5
+        userData:
+            hashedPassword: ENC[AES256_GCM,data:N60s4MON2Xmkq1MqQtnp865IqHjeISQv17LJsuRLbrE4K2AvBDmgbZjt00xLiiBbcSuLJYLcTquC+Z4DhFEaq3mkumsOqZ8Q66sy0GR+Kja8PUsDXL8Bqlmusw1O6EzwAl0eK26VFW4PeC/Q7VVKyrH4osI=,iv:jTNY88lxKW6IHTH041ibR8+ZKGm4D7OC8hH5TGglR1Q=,tag:mDe/T+edPuyqkX/tbG4h1w==,type:str]
+            sshAuthorizedKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP9Q+b+4tjZuSdL6kDoa2h4ikD3AG6dhxSQQjpUir8Uu2yF6u1WAHq8cBA4KuOnL1eLQqaDRNNeK42Eai7Hi5QlhbNa3MD4hEh8LM1kUDstll6TWUk1LVAX8vcHRPuhHC93yeGWzXLdxSl2jiB0snPyRuNaW9NHz8uNbFsZUtJ3J8pQov85dgCGjdHwhxdDjiprESQLseD5igKz7yhlPdAHrH+1Zmzsng1OUBYsUt62OJnVI0kkvT0H/unFl6rqkmZU8Q14NNqEkwMFGjcOcE95ZPz5Zc9EdjPce0mDLosn9x5gsKe2MairbJLYRp9qQf7JgzOuH2s9gnJ4sklkB83 root@jump
+        flux:
+            url: https://gerrit.akraino.org/r/icn
+            branch: master
+            path: ./deploy/site/cluster-e2etest
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-12-10T17:33:39Z"
+    mac: ENC[AES256_GCM,data:7aiq2A575kdNRs72319eOMh7ZMRKJVyU62NjIMXsHjhZE6Pk3lhulFuA/X4EcifNOMlHOuLR9Ovdv0iK3yVRSMf4oUKVWSDfY6zC+u5tr6fDx1jzF5etlPcEDcwwJnkj2ln4IjjR+B3ffRXTGG9mB9IXXIoq6ygeh3qkOfMydYg=,iv:+IPqs5qt8wFbFPWk584bk4+mvcTJfgQRTKT9E9BfnPQ=,tag:tcanGxTBztf0HIobK3+gEQ==,type:str]
+    pgp:
+        - created_at: "2021-12-10T17:33:38Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4SX7nk+q+zPAQ//fduMfeRxBfxXOBZ9Ho35MyLfVEU/BH99Rs7RA0b2Fzrc
+            dL9Qre7qJ6EPZt7LFduINUP7wKO8m1ReMrfWK4J4t07LgU9x1aoSDe8wRD4h4lvA
+            AX1SikXa2CA1BlcRu/tjQvCMze+USMMIPBZ3t/uW4AT7JET+vhERXNwTzvt5lV/R
+            l1XfCQeHRvbD8YnrREvZJ+oAHv3DiGBaSdiWPdvfQBgRrCu99I9+wlZAOOkAhqBq
+            R5DWWlXfh9/eh5211g8uKXo5vwSbmUgQGG2O+8twMS32AoCRE2jcmSWRE667r5c+
+            7ICcaYhtA/hjMbaKSgTKi8cm/UhPxUXlWbq8zSV5tV8L3oeFHrFJZPv27M610TdS
+            8JNVj08iIcEr7Po3OZ8+wT7cX+LxcrK+JeWzH8X2xLH5wkTJlChPajOYssMl8kJC
+            RT1KlYMu7clg4CT8Ouad7dsINjlObebo1VOuTmYdNQN2jxkCophcBL8LKxfky186
+            GI2HRHAvhsnWiqhlgGIYdLm78kG3WyLVag82j2ppE1eswFQPS4Z1T5wZWf240QG1
+            WI1REmjhEgOKMkvfWKbz/vdcOsI34ACknMd7ByRyI0T/m17PzcBphCP40rbF+W0O
+            GmY29spGTnppK4HYd7Ym59sLX0z/GS0bkttP9ZBZMtVWXl/Z7Am4x1hUhiLn/tfS
+            XAGt2OxeAI8MXJrRti85PR8OKasgMzWN4rvCvnPi56uvLDVezMu0AICuKTIAJb/g
+            pu3XtrPudeMAeVjlNzwfdmYzkSyg85rZDvbx5+ObjB7+ajEvUGbd6ZI8TnP8
+            =l0ei
+            -----END PGP MESSAGE-----
+          fp: A4B4A47A1DB07DE00E8158BE411E23534CA8FAE0
+    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    version: 3.7.1
diff --git a/deploy/site/vm/sops.asc b/deploy/site/vm/sops.asc
new file mode 100644
index 0000000..23f32be
--- /dev/null
+++ b/deploy/site/vm/sops.asc
@@ -0,0 +1,117 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQcYBGGuW6EBEADPL46O8WFQzLgKGpRE14fqxpUChIiTtTBI9RnTQ4RdYKdZEJGE
+AfWkx3mmp0ih9BUHNBzf9knPgq+KUiyaLBt9HB2PVgXxkVspsovHVTCS4Sp4iBRf
+CHPhAFAoeZSLo3I/k7W0tTxDKhRWL9qI2APU/2PDFrNX1BqwhKhIPjIX8ipx32iV
+QMBAYhhtF7xHsDttX/KGiU7U3klLasnFUfYSbmrHybl7VLTbivAdHe5ejkfMx4BI
+IjSloD6HLrdovWaYoaADtK2pIzx0W4EtE76doIGpcl6XEqk2VEsXFwjlvmk/FZT8
+HsTnba5Q+VaiDdt8nWkmA5kkz2bp/uklndN3BQkyWhdU8orSXsRibP2uBXr3p8yw
+LfarjBMcqiUPRS8GBW4VR2eYse9qBJAJ/CKUK3LhA1wONmpWE1iYH4KFsIYdUlcf
+tQ0J0ojUWyaCxMlkQ2aSDCt/x46gQ8BPn4OwAEQlRhn9R0bK6ZgYQ+AGdzAdlFbZ
+5qJO5/v6/rad+ZWoMKcRS1eJECsn1l6EwuDSZEjSnXULTMiXLAVW7btFtRrogHRJ
+jcxD3sIyAhh7ITyLfsf9LJHWB9QP18a8PoVfwtARTZ5jnjmPuxtLS262t/TgCmWa
+W54h8dr2jyhOzSE2YSGH4wp83Cl8IwStXQ02S/NNsi470h32ehZO7ksY1wARAQAB
+AA/5AdnHZqHeLLE54zHpzYjtVbA3mNad7k/Xvfyo7+WAIUCe1mnazP4491sVwSsE
+dVDZNqEbebSWWNpKUk3KhdAIqNOXDdUt0T0i1L7Y9g4QCXiJ0rD6lApOOUqg1mn6
+6pm1fVrlcefmtjACGopgldxja4FJeAqh2QF+9mgKsIUfRbwNPQ2j8HOg8etT97Pv
+5pge/rtb6rKQHsWS2aSW+FXXuLcULLZNm3AYl6hSIHWsncqGIwOEEaOqqwd4vRSy
+bD0+yixJVt5wc/yyAL7zBplLW1xcT5/kXl7LwnUyQhU3nTHB0agG+rBB2O4SYpI3
+9MhR5/cf6OmmZw34Lr2mo0j4K5B0pD4Hn6ccC+RrTSUd5W6YOkZ0+GGULbCuMfvH
+PX7FCLR3/FLevr4h8rN5jTlVNQW/N8AosIZmzCLLRR8NSH5+bw0YZ2Y9eWpOAlRG
+f0mfnBwT/7AoX3RYSdgQhMTgtZaIibicuKGwh2ggh+JtR9xsjY8X4n4n8ATnzdFc
+pxvXBPR8NRvw+fxpyLPyRfGByp6be6Yer83iZP04bVz1JlXksCqSLNJCNho4Qwjd
+haffUB2DI5L2k0jZ5WCcSM2eh/WLzw/XtlCleputCia7PPFjUKzIXh1WiJOuaTrL
+OjHXqPtTzKi4f7pfWoP+d2VLbxAQyW6k45TWtP4UAkJjEzkIANIkxO4xdwyg+nsu
+Sq59icu5IJOR5CAPDnTpip7CccP5qSqiBBWg9gZhIRKHU/X8ruWsxpp3EZ2SvvuJ
++Z9ggQ5dTmD+s5Ipo9PCp2FKdAuapIKxPJeROJA8cmjUkFox2quSz4GPrTIADyvm
+zDcPWyXQLwvF612Kf3BUBZnR7tYt8bAx50LCGOb+s9Xqgc58bmauGZVlytJ8Bm/7
+XtkSacVtxBWgCohej0tZuhTPx1Bfc8cD3rPTD62dRtocHh+G9sksaf5m7ytAsE/w
+iqhqiPOt5aAoOz/YPJn2ORbeW77suhavB83zSTTWBL1QyEVea+GmXDZCioY7tp41
+qgy6jzkIAPxljY3zo02BBimfFhtXgiwymxuEtGjFJitH2lzCBrpFyDDwBDIUHIe3
+8GNnASM/vY445R0AfAxxSymsQwCivoaLzHVVgZiRNDiKQTvHAtqiHN9DI76EcyU4
+EVo8FUh+qW2ontD//dMUOxj92QL6zyJiP9EC2SqIswaur8M9LHwEG61he4i43z6n
+gHMXvgiiIJr8oczZWtO+hJBCmcUOZKsJ6LBX4cg4lj4DgMKEnz4UCTiIxTVr6Z2V
+YRUMWA/6vomoyY/E9NkzK1OhgcaGHPh/YZMW59rWBw3wOZA8SLxEADybQEQd3Bav
+8mRof+yqGYwkkfvQQNlp6giE9WYl2I8H/jgKpCSBzRPRiwhlnQwhX11Lyw860VvV
+h4BE4PHUCL/5oQt8KLCbMOA6hbC/6t6fvGyuGpItFTANGMUnclZfUXuuGUcm+Hjx
+y3p3gGiB4ZievE+UBSi09AHMQjLc7dmPKSeh8AbOFg3PiHG1uNwGgvCTPl8i5GQP
+edxTqybb10KrVQXocUxnZQwBZsEj9fGbhQx7SJnmCKFsCHmP6rrxM/YaVk9ydk7D
+K/BRqNiRkIn91oWmCBYTmn5Q7IA5pgYkf1NZIEHUhYpzJSSpIS4Xg/g84/a7hnk0
+K3voiLoEsaQaw87NGff2tLQgkN6gcfsV1wSqGYz/0Y1w5RZd8njQZE5/47QLaWNu
+LXNpdGUtdm2JAk4EEwEKADgWIQSktKR6HbB94A6BWL5BHiNTTKj64AUCYa5boQIb
+LwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBBHiNTTKj64HyMD/9+qnEVFQG/
+pGTySmJ3Bt0itXGKexKwU3BhYuVSJQFswRPNZoV3nyT5YJvteQ83cW+OqcUxO4Ot
+c17AVcQtpp+tF5gH/8JKzyvrJyXq/PQfRy4cxzyDSR6uqh34qXzYJjqmeohqP1zh
+QgjQV2dpWkT8w453PbXgU5Dko33R7gqIfUJPYIT9sBfLdJMdGvrFK2WFfQRk4vKQ
+XVBikN5MlEDmUYj3QgdjYnoPN5Y4lB4zN0IodwccahGI0knZXAj8lhXPyUyq8lfy
+F9KfMYOl3kHncqI5uBQ2VE6ca/MqLTVX8frNl2dIkHfJtlgmXBqwsHmDUFKkxAJJ
+r16xJlhlSzGgSa7c7ikKOkAtoMBMNDwqb/pGSWirpFH9IKMGG8BJCglqVx7pwKC2
+NSX4uoWtKrzrXXWal2WkVlPgg3zJ0dt3ZqaSV0p3j6wkxkIYSOoB//1Suf7iN5Qg
+OInzlgtuZUswnX3Ujm70fPceW0z95Fb8dZE28/xbLquaG9Se/Lr91TayjNDE8dI4
+4JAinOZlaKsAFv5+W97gmcOiUwUkb0d20VPYNC7MNUf8SsCQXPE3+givGYM88YRX
+frSoC9hPTmFhTIHYP7PJNq+NsaUoTsCR59tHSV1Bo2BEYKi2D+Jkis8D9uaqLt3W
+eUYDCjCX1olYR3C7xzmUHLX6Ss1HRiP7kp0HGARhrluhARAArLYGKiV+UsUGQjze
+A8IQaKksX/geMV4dICu9+26XkGjPmwI0gnRd2EFWOr15+iyofne/Gdjw3ytV7JLK
+Wou3dIeMPS3+ZJnNb7/MlT4QZ8+8d9rgR/y4RwqdUid+Hf9PnY1+uSSIe8rQ8Zs3
+BOvXECnardnI+g87Iz6zTPtHuaKppntJVItEIM8IalLcktFT/QTs4g/56qHc5jja
+syE6C34+/duRWcJ9l8HGp+2WM8UNrimb3NcOo2omj5AaBMwzsoEFYcqY9BphsjuH
+RfenPsv/vup68tJ2bmc34gVaPivu/OrkxEwGESegRHrP0JV8UxoEKRNlRu6eWf7Q
+0DvwN2hW/PIYFpUODrdS25+wZVL5QNRC18JaFeZ04qpk6TcEogLgEQqrLVjN8db7
+oGVDRGRmZEQBLY2oQI8qQb5bOGuYiJVm6lZnXAAp7b2WSheSsAchsDqa6I810Q86
+ElVMsRtMzCGQFh4qRheCKRYwGMdzjxpWn2A6t4H6HuDMaA//cDsA7zaHIzAx1swT
+iLLTjJShtd87Ah+CXX7UEdcbKbFntIANY6NfN66wkIjZPGy7K/lADchQGo8tvzxg
+Tsm2qj3vNIe2GpMH2QEUJS0UDQ2aSaRldi//ZtvqmK24v2avIeOi5L5s+LRjXRn6
+jbo7vA4icTaL7R/P3JXhYxBgpRsAEQEAAQAP/RXFjmpitpVtg9f2v0/+9z2SUec5
+KmkzwX0sNnNLIi0QoVcbhI4LaEcaGWonN4ird4QVyU/TUq33UwoTCRI3+aTlb27I
+7QA2iTi0l3Aa1kuX2tzLCSnZ+ErwUhuoodPbOuiUDSz+p3vfec5zMBDdQAuoEwqG
+YTjwkZZkUYr7RDPpBvTXJsvTEIAISTnJ/0c8vxcut0PaGrmStPuKoDsjjaMkQ4GR
+27VSeK2YPlgt8ZjOFublFOJWc+BywbCoTDddnIi8jfahaP2gk785lNhjm0AlzDP/
+cAdLM6XAOkGyRgl/VU2puLPsF3mzIpdvWeIj7fu11F9vM/2ol+qlXiJZ4/KLGxMm
+0Ub6TVrYubEWIwMgCnu7XIO8nCaKDaEBmyZ7yBqTaBJMK+lSKhjs/i6CjVKbXUkl
+5mxudZ3tNVvFJZywJyRSXBuK5dw2CjJOSsIfemkI4t1y53cB5IehkWhEa3saRKmI
+ewoKUmLECk3szlFo2XvdwVNoGWbYTX3fcPrjyjf/bMGxJ07GWEvMn2ogcEpKVUjt
+M2uVo0G8m/9ptZZRXLD1nOLxfhDx5WzFcqgLqZEFfiV5lpAPZdjmN9xOFiPbiQ49
+t9vkHTJzgXwTQCkEWsJnJixHWZWy855bit0vH7tJKtuMrpArbjBUMnthFwfybMvs
+i/2/gdODhYJk0/jdCADM5eeeVlXV9TG1qayBT/UPSKJfDSQh3mzi9SanBbiJIR/+
+Zucx886TYhuvgJon3RKc1DdFp/HfXO+8+R+T33+LBvkl1d2/77HO3AxK784v5brU
+K9HOxAeF9WH9SnRPLLSNcvqjDn65xOu+Rdj6qVCrRB9DZt0pFvo4TJxj/sfthHlA
++edLJN+NrAybpKZekakT+/36RRSO3t/J3kHPqlo2nzGN6BvTwZw7KIpZtrQAEinR
+AJpFW7WqH8BIdYTQL8d4+JosbWYsCzrsDvOkM73I8+hQfttuRByx0dAb05seurtV
+KQnAcq9ai37815d7pCkh+14YqvnnGICYvHbZtHT3CADXyRQnKylzD1h81Vyszk+K
+VlBn+HvMvHMa83Q1cTDeBkOrzJMORWJk8gX+2mcRO3VTX2cqhLqPqXVEbryLJrbS
+6Jaf8I3xesaQe+a7REHrt+lOawlEoLtYQI6cpgsiiE3PYWCqaac3JDsVul6bJ6UD
+EtQ+9E8J440km1SREsdLRYDJkjylldwmD4ncytSjKysEVxiTGPM35X9adICyFjAV
+YK3idJccWtzpqIJKm3HfF5SJ2h/WzfsjEBAWLkstVsupvmotuteirkO7n9z2q/bQ
+pCAqKKfhDF2vaLSEKTKo0rB+svk0C/Qq5vNIEzfTlLTazswNeUIRe/jNx5uPJRv9
+CADHmNg1Xf8e3PIiM5IuZhHaKGKq9vu18JGZY0GXRh15H6ym1uw0PlXuwaEa75KW
+VR6rP6I2HAdu5rk51idnB0ab9sWHyqiZN1JPqbAuFfuGyLnkzNPmFzMSXm2r0JFU
+3NZuYSwYEZo89VZFIUEzCqwoT4FzYyN/fC5G3NyAHNN8+aAtWezdf9ENW1IfUM32
+SQza1+lwKlvYWFOCgfO8zAWoWn3w+89EF7VKrEInARBTyoOJwkhlxjjQw1Oo/90a
+6V2YNISGA8/LANh6VYNyHXjWYCAp8rcCEn/KoBoghvu2Pg++M3tvEcjv3KsIOOSp
++F9UjrpoLSZi98xzzUxXeqyTgUOJBGwEGAEKACAWIQSktKR6HbB94A6BWL5BHiNT
+TKj64AUCYa5boQIbLgJACRBBHiNTTKj64MF0IAQZAQoAHRYhBOAs3fvlchO65fXQ
+YYSX7nk+q+zPBQJhrluhAAoJEISX7nk+q+zPXmQP/2/M2GgoC10lx2R4W/fCbvmR
+qmAQwwyK0V4M7Vza4iD5udMIgGhlEc7ZE0dRL53sAMKJPJZjckkEGvgsse6uDUDJ
+AZcnhN/1b+S7e996+i5vMG1ofpjNlNx9aBrfkE3wqIg3dkCIKHKY2XG+vZjForSJ
+fp5NcNZ3eS9ia9WpAk7SEjkQ7BdRaBjlU0EpXCOti/fiGpgTj4lDUix1xW82MORQ
+Ak7bLq8iIPtSI3Qkq0rUlELDU37A6u42K6iTLRRYKYx1QZKaeQ/JftwqlENcdN5T
+nrQbV8QY+vmNz3c93ou3IL/x4AlsLvD58ufr7iE3OFEDEH9nQfmbMFL4K69RpfjK
+HeqBBOPbTN5cpVFveFHJBOagSa1vtR2v/kL8a0Nkn3snCIAiJLt54Dz1zyD94BVf
+E3yEUCVOXytMoRWc4gCII9KjVBYd2aFiVoG63IBOQ6jP1oZ4DlzT8tZckKwNKTO9
+40CfHocZobStS2x34R71AkICHKFGwuKxukiO6HCQk6cImHzM3vNd+I1RuvhJHiiQ
+Fmx/CzaD3JNNgj+LoiJkysD7RQoW5gFx5d4qBe0jzHL0ipW+cJ8ePSAjY8dIOdZV
+BZ6aoW31M8RsFkE7OXOZX2mV2GYObybXUaRkUOmelErtme4nLcyMacgz3jw4FePG
+F4Fuvws9fZUJTy/Ow/JAeAcQAL8pFPH4ZSDnq/Nb/VzNjmLkelKjCXjzS4UBlieZ
+U4GSTZbO1iLMFHm9EYtpgUPljISdMwvcRFPHkf6xtv/Wkq1YPqxFUpH4tW2VCQGU
+BTbrd7R8rGzqobbRnnubyY4mo8KfP0PQN6rgEGZBjqwClgI9rrFDM8+/jQw6p5G/
+fOVJAgGGEXrfshp3auM7CCrp157Mca6qZKYKPZujb2hSL3MGEt/2lJ89h6Es/oRc
+4+3S2t1Ivce9XmJwYzBGII7H0vCYDj2nt/SMNSzQmjc6jBL/honyuXBsUyZ6sJUh
+aiQYEvvuPpZzm5wDKP5nMTvF95t6strawvVbUIMSz0g8uBeH6QgXkkCe1U3IHmV/
+E+019X9e4LMKMkmALBk4sLPBCDlzFEAeZFWitar/luZ5YgoFfyomp28FI9bUhdUH
+P/qCkjd1TZkXrfkX2qLMlX+PLNXreVhGdN99Evgv8HxBHmI2VUjL/tSurHYyAyzG
+ZgkHfyw6vSg7Z2WNQl1qvdlYJMgb/2hODyq5a3iUNw98KxmnYGRiGJlsTen2JJJ+
+Z872AuAjwPLhm9kRq8FTbQHupuIVgIAv6r5lRRABtg5PJnR9kjqUom4c3TVHaW0O
+LeZ3nmWxMvxsEYfb9spHphiRg9fNz9+owaAexonQh11FMpQtzFZKqY0MJgIKfYQl
+vCsd
+=kqWR
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/deploy/site/vm/sops.pub.asc b/deploy/site/vm/sops.pub.asc
new file mode 100644
index 0000000..34a3c25
--- /dev/null
+++ b/deploy/site/vm/sops.pub.asc
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGGuW6EBEADPL46O8WFQzLgKGpRE14fqxpUChIiTtTBI9RnTQ4RdYKdZEJGE
+AfWkx3mmp0ih9BUHNBzf9knPgq+KUiyaLBt9HB2PVgXxkVspsovHVTCS4Sp4iBRf
+CHPhAFAoeZSLo3I/k7W0tTxDKhRWL9qI2APU/2PDFrNX1BqwhKhIPjIX8ipx32iV
+QMBAYhhtF7xHsDttX/KGiU7U3klLasnFUfYSbmrHybl7VLTbivAdHe5ejkfMx4BI
+IjSloD6HLrdovWaYoaADtK2pIzx0W4EtE76doIGpcl6XEqk2VEsXFwjlvmk/FZT8
+HsTnba5Q+VaiDdt8nWkmA5kkz2bp/uklndN3BQkyWhdU8orSXsRibP2uBXr3p8yw
+LfarjBMcqiUPRS8GBW4VR2eYse9qBJAJ/CKUK3LhA1wONmpWE1iYH4KFsIYdUlcf
+tQ0J0ojUWyaCxMlkQ2aSDCt/x46gQ8BPn4OwAEQlRhn9R0bK6ZgYQ+AGdzAdlFbZ
+5qJO5/v6/rad+ZWoMKcRS1eJECsn1l6EwuDSZEjSnXULTMiXLAVW7btFtRrogHRJ
+jcxD3sIyAhh7ITyLfsf9LJHWB9QP18a8PoVfwtARTZ5jnjmPuxtLS262t/TgCmWa
+W54h8dr2jyhOzSE2YSGH4wp83Cl8IwStXQ02S/NNsi470h32ehZO7ksY1wARAQAB
+tAtpY24tc2l0ZS12bYkCTgQTAQoAOBYhBKS0pHodsH3gDoFYvkEeI1NMqPrgBQJh
+rluhAhsvBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEEeI1NMqPrgfIwP/36q
+cRUVAb+kZPJKYncG3SK1cYp7ErBTcGFi5VIlAWzBE81mhXefJPlgm+15Dzdxb46p
+xTE7g61zXsBVxC2mn60XmAf/wkrPK+snJer89B9HLhzHPINJHq6qHfipfNgmOqZ6
+iGo/XOFCCNBXZ2laRPzDjnc9teBTkOSjfdHuCoh9Qk9ghP2wF8t0kx0a+sUrZYV9
+BGTi8pBdUGKQ3kyUQOZRiPdCB2Nieg83ljiUHjM3Qih3BxxqEYjSSdlcCPyWFc/J
+TKryV/IX0p8xg6XeQedyojm4FDZUTpxr8yotNVfx+s2XZ0iQd8m2WCZcGrCweYNQ
+UqTEAkmvXrEmWGVLMaBJrtzuKQo6QC2gwEw0PCpv+kZJaKukUf0gowYbwEkKCWpX
+HunAoLY1Jfi6ha0qvOtddZqXZaRWU+CDfMnR23dmppJXSnePrCTGQhhI6gH//VK5
+/uI3lCA4ifOWC25lSzCdfdSObvR89x5bTP3kVvx1kTbz/Fsuq5ob1J78uv3VNrKM
+0MTx0jjgkCKc5mVoqwAW/n5b3uCZw6JTBSRvR3bRU9g0Lsw1R/xKwJBc8Tf6CK8Z
+gzzxhFd+tKgL2E9OYWFMgdg/s8k2r42xpShOwJHn20dJXUGjYERgqLYP4mSKzwP2
+5qou3dZ5RgMKMJfWiVhHcLvHOZQctfpKzUdGI/uSuQINBGGuW6EBEACstgYqJX5S
+xQZCPN4DwhBoqSxf+B4xXh0gK737bpeQaM+bAjSCdF3YQVY6vXn6LKh+d78Z2PDf
+K1Xskspai7d0h4w9Lf5kmc1vv8yVPhBnz7x32uBH/LhHCp1SJ34d/0+djX65JIh7
+ytDxmzcE69cQKdqt2cj6DzsjPrNM+0e5oqmme0lUi0QgzwhqUtyS0VP9BOziD/nq
+odzmONqzIToLfj7925FZwn2Xwcan7ZYzxQ2uKZvc1w6jaiaPkBoEzDOygQVhypj0
+GmGyO4dF96c+y/++6nry0nZuZzfiBVo+K+786uTETAYRJ6BEes/QlXxTGgQpE2VG
+7p5Z/tDQO/A3aFb88hgWlQ4Ot1Lbn7BlUvlA1ELXwloV5nTiqmTpNwSiAuARCqst
+WM3x1vugZUNEZGZkRAEtjahAjypBvls4a5iIlWbqVmdcACntvZZKF5KwByGwOpro
+jzXRDzoSVUyxG0zMIZAWHipGF4IpFjAYx3OPGlafYDq3gfoe4MxoD/9wOwDvNocj
+MDHWzBOIstOMlKG13zsCH4JdftQR1xspsWe0gA1jo183rrCQiNk8bLsr+UANyFAa
+jy2/PGBOybaqPe80h7YakwfZARQlLRQNDZpJpGV2L/9m2+qYrbi/Zq8h46Lkvmz4
+tGNdGfqNuju8DiJxNovtH8/cleFjEGClGwARAQABiQRsBBgBCgAgFiEEpLSkeh2w
+feAOgVi+QR4jU0yo+uAFAmGuW6ECGy4CQAkQQR4jU0yo+uDBdCAEGQEKAB0WIQTg
+LN375XITuuX10GGEl+55PqvszwUCYa5boQAKCRCEl+55Pqvsz15kD/9vzNhoKAtd
+JcdkeFv3wm75kapgEMMMitFeDO1c2uIg+bnTCIBoZRHO2RNHUS+d7ADCiTyWY3JJ
+BBr4LLHurg1AyQGXJ4Tf9W/ku3vfevoubzBtaH6YzZTcfWga35BN8KiIN3ZAiChy
+mNlxvr2YxaK0iX6eTXDWd3kvYmvVqQJO0hI5EOwXUWgY5VNBKVwjrYv34hqYE4+J
+Q1IsdcVvNjDkUAJO2y6vIiD7UiN0JKtK1JRCw1N+wOruNiuoky0UWCmMdUGSmnkP
+yX7cKpRDXHTeU560G1fEGPr5jc93Pd6LtyC/8eAJbC7w+fLn6+4hNzhRAxB/Z0H5
+mzBS+CuvUaX4yh3qgQTj20zeXKVRb3hRyQTmoEmtb7Udr/5C/GtDZJ97JwiAIiS7
+eeA89c8g/eAVXxN8hFAlTl8rTKEVnOIAiCPSo1QWHdmhYlaButyATkOoz9aGeA5c
+0/LWXJCsDSkzveNAnx6HGaG0rUtsd+Ee9QJCAhyhRsLisbpIjuhwkJOnCJh8zN7z
+XfiNUbr4SR4okBZsfws2g9yTTYI/i6IiZMrA+0UKFuYBceXeKgXtI8xy9IqVvnCf
+Hj0gI2PHSDnWVQWemqFt9TPEbBZBOzlzmV9pldhmDm8m11GkZFDpnpRK7ZnuJy3M
+jGnIM948OBXjxheBbr8LPX2VCU8vzsPyQHgHEAC/KRTx+GUg56vzW/1czY5i5HpS
+owl480uFAZYnmVOBkk2WztYizBR5vRGLaYFD5YyEnTML3ERTx5H+sbb/1pKtWD6s
+RVKR+LVtlQkBlAU263e0fKxs6qG20Z57m8mOJqPCnz9D0Deq4BBmQY6sApYCPa6x
+QzPPv40MOqeRv3zlSQIBhhF637Iad2rjOwgq6deezHGuqmSmCj2bo29oUi9zBhLf
+9pSfPYehLP6EXOPt0trdSL3HvV5icGMwRiCOx9LwmA49p7f0jDUs0Jo3OowS/4aJ
+8rlwbFMmerCVIWokGBL77j6Wc5ucAyj+ZzE7xfeberLa2sL1W1CDEs9IPLgXh+kI
+F5JAntVNyB5lfxPtNfV/XuCzCjJJgCwZOLCzwQg5cxRAHmRVorWq/5bmeWIKBX8q
+JqdvBSPW1IXVBz/6gpI3dU2ZF635F9qizJV/jyzV63lYRnTffRL4L/B8QR5iNlVI
+y/7Urqx2MgMsxmYJB38sOr0oO2dljUJdar3ZWCTIG/9oTg8quWt4lDcPfCsZp2Bk
+YhiZbE3p9iSSfmfO9gLgI8Dy4ZvZEavBU20B7qbiFYCAL+q+ZUUQAbYOTyZ0fZI6
+lKJuHN01R2ltDi3md55lsTL8bBGH2/bKR6YYkYPXzc/fqMGgHsaJ0IddRTKULcxW
+SqmNDCYCCn2EJbwrHQ==
+=8GKa
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/deploy/site/vm/vm.sh b/deploy/site/vm/vm.sh
index 882a8bd..841644b 100755
--- a/deploy/site/vm/vm.sh
+++ b/deploy/site/vm/vm.sh
@@ -5,35 +5,48 @@ SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
 LIBDIR="$(dirname $(dirname $(dirname ${SCRIPTDIR})))/env/lib"
 
 source $LIBDIR/common.sh
+source $SCRIPTDIR/../common.sh
 
 BUILDDIR=${SCRIPTDIR/deploy/build}
 mkdir -p ${BUILDDIR}
 
-function build {
-    SSH_AUTHORIZED_KEY=$(cat ${HOME}/.ssh/id_rsa.pub)
+FLUX_SOPS_KEY_NAME=${FLUX_SOPS_KEY_NAME:-"icn-site-vm"}
+
+# !!!NOTE!!! THE KEYS USED BELOW ARE FOR TEST PURPOSES ONLY.  DO NOT
+# USE THESE OUTSIDE OF THIS ICN VIRTUAL TEST ENVIRONMENT.
+function build_source {
+    # First decrypt the existing site YAML, otherwise we'll be
+    # attempting to encrypt it twice below
+    if [[ -f ${SCRIPTDIR}/sops.asc ]]; then
+	gpg --import ${SCRIPTDIR}/sops.asc
+	sops_decrypt_site ${SCRIPTDIR}/site.yaml
+    fi
+
+    # Generate user password and authorized key in site YAML
+    # To login to guest, ssh -i ${SCRIPTDIR}/id_rsa
+    HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds 10000 "mypasswd")
+    sed -i -e 's!hashedPassword: .*!hashedPassword: '"${HASHED_PASSWORD}"'!' ${SCRIPTDIR}/site.yaml
+    ssh-keygen -t rsa -N "" -f ${SCRIPTDIR}/id_rsa <<<y
+    SSH_AUTHORIZED_KEY=$(cat ${SCRIPTDIR}/id_rsa.pub)
     # Use ! instead of usual / to avoid escaping / in
     # SSH_AUTHORIZED_KEY
-    sed -e 's!sshAuthorizedKey: .*!sshAuthorizedKey: '"${SSH_AUTHORIZED_KEY}"'!' ${SCRIPTDIR}/cluster-e2etest-values.yaml >${BUILDDIR}/cluster-e2etest-values.yaml
-}
+    sed -i -e 's!sshAuthorizedKey: .*!sshAuthorizedKey: '"${SSH_AUTHORIZED_KEY}"'!' ${SCRIPTDIR}/site.yaml
+
+    # Encrypt the site YAML
+    create_gpg_key ${FLUX_SOPS_KEY_NAME}
+    sops_encrypt_site ${SCRIPTDIR}/site.yaml ${FLUX_SOPS_KEY_NAME}
 
-function release_name {
-    local -r values_path=$1
-    name=$(basename ${values_path})
-    echo ${name%-values.yaml}
+    # ONLY FOR TEST ENVIRONMENT: save the private key used
+    export_gpg_private_key ${FLUX_SOPS_KEY_NAME} >${SCRIPTDIR}/sops.asc
 }
 
 function deploy {
-    for values in ${BUILDDIR}/machine-*-values.yaml; do
-	helm -n metal3 install $(release_name ${values}) ${SCRIPTDIR}/../../machine --create-namespace -f ${values}
-    done
-    helm -n metal3 install cluster-e2etest ${SCRIPTDIR}/../../cluster --create-namespace -f ${BUILDDIR}/cluster-e2etest-values.yaml
+    gpg --import ${SCRIPTDIR}/sops.asc
+    flux_create_site https://gerrit.akraino.org/r/icn master deploy/site/vm ${FLUX_SOPS_KEY_NAME}
 }
 
 function clean {
-    helm -n metal3 uninstall cluster-e2etest
-    for values in ${BUILDDIR}/machine-*-values.yaml; do
-	helm -n metal3 uninstall $(release_name ${values})
-    done
+    kubectl -n flux-system delete kustomization icn-master-site-vm
 }
 
 function is_cluster_ready {
@@ -48,6 +61,28 @@ function is_control_plane_ready {
     [[ $(kubectl --kubeconfig=${BUILDDIR}/e2etest-admin.conf get nodes -l node-role.kubernetes.io/control-plane -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}' | grep -c True) == ${replicas} ]]
 }
 
+function insert_control_plane_network_identity_into_ssh_config {
+    # This enables logging into the control plane machines from this
+    # machine without specifying the identify file on the command line
+
+    # Create ssh config if it doesn't exist
+    mkdir -p ${HOME}/.ssh && chmod 700 ${HOME}/.ssh
+    touch ${HOME}/.ssh/config
+    chmod 600 ${HOME}/.ssh/config
+    # Add the entry for the control plane network, host value in ssh
+    # config is a wildcard
+    endpoint=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlaneEndpoint:/ {print $2}')
+    prefix=$(helm -n metal3 get values -a cluster-e2etest | awk '/controlPlanePrefix:/ {print $2}')
+    host=$(ipcalc ${endpoint}/${prefix} | awk '/Network:/ {sub(/\.0.*/,".*"); print $2}')
+    if [[ $(grep -c "Host ${host}" ${HOME}/.ssh/config) != 0 ]]; then
+	sed -i -e '/Host '"${host}"'/,+1 d' ${HOME}/.ssh/config
+    fi
+    cat <<EOF >>${HOME}/.ssh/config
+Host ${host}
+  IdentityFile ${SCRIPTDIR}/id_rsa
+EOF
+}
+
 function wait_for_all_ready {
     WAIT_FOR_INTERVAL=60s
     WAIT_FOR_TRIES=30
@@ -55,10 +90,11 @@ function wait_for_all_ready {
     clusterctl -n metal3 get kubeconfig e2etest >${BUILDDIR}/e2etest-admin.conf
     chmod 600 ${BUILDDIR}/e2etest-admin.conf
     wait_for is_control_plane_ready
+    insert_control_plane_network_identity_into_ssh_config
 }
 
 case $1 in
-    "build") build ;;
+    "build-source") build_source ;;
     "clean") clean ;;
     "deploy") deploy ;;
     "wait") wait_for_all_ready ;;
@@ -66,7 +102,7 @@ case $1 in
 Usage: $(basename $0) COMMAND
 
 Commands:
-  build         - Build the site deployment values
+  build-source  - Build the in-tree site values
   clean         - Remove the site
   deploy        - Deploy the site
   wait          - Wait for the site to be ready
diff --git a/env/lib/common.sh b/env/lib/common.sh
index 2009c58..f09ca6f 100755
--- a/env/lib/common.sh
+++ b/env/lib/common.sh
@@ -46,6 +46,9 @@ CAPM3_VERSION="v0.5.1"
 #The flux version to use
 FLUX_VERSION="0.20.0"
 
+#The sops version to use
+SOPS_VERSION="v3.7.1"
+
 #refered from onap
 function call_api {
     #Runs curl with passed flags and provides
@@ -248,6 +251,13 @@ function install_emcoctl {
     sudo install -o root -g root -m 0755 ${EMCOPATH}/bin/emcoctl/emcoctl /usr/local/bin/emcoctl
 }
 
+function install_sops {
+    curl -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux -o sops
+    sudo install -o root -g root -m 0755 sops /usr/local/bin/sops
+    rm sops
+    sops --version
+}
+
 function fetch_image {
     if [[ "${BM_IMAGE_URL}" && "${BM_IMAGE}" ]]; then
        mkdir -p "${IRONIC_DATA_DIR}/html/images"
diff --git a/env/metal3/01_install_package.sh b/env/metal3/01_install_package.sh
index d0409b3..8b8c36f 100755
--- a/env/metal3/01_install_package.sh
+++ b/env/metal3/01_install_package.sh
@@ -20,6 +20,7 @@ function install_essential_packages {
     curl \
     dnsmasq \
     figlet \
+    ipcalc \
     nmap \
     patch \
     psmisc \
@@ -64,6 +65,7 @@ install() {
     install_kustomize
     install_clusterctl
     install_flux_cli
+    install_sops
     install_emcoctl
 }
 
diff --git a/tools/vagrant/add_machine_to_vbmc.sh b/tools/vagrant/add_machine_to_vbmc.sh
index 5676a7b..86b3cd4 100755
--- a/tools/vagrant/add_machine_to_vbmc.sh
+++ b/tools/vagrant/add_machine_to_vbmc.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 set -eu -o pipefail
 
-index=$1
-site=$2
-name=$3
+site=$1
+name=$2
+port=$3
 
-vbmc --no-daemon add ${site}-${name} --port $((6230+index-1)) --libvirt-uri "qemu:///system?&no_verify=1&no_tty=1"
+vbmc --no-daemon add ${site}-${name} --port ${port} --libvirt-uri "qemu:///system?&no_verify=1&no_tty=1"
 vbmc --no-daemon start ${site}-${name}
diff --git a/tools/vagrant/create_machine_resource.sh b/tools/vagrant/create_machine_resource.sh
deleted file mode 100755
index e1afdc2..0000000
--- a/tools/vagrant/create_machine_resource.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-
-index=$1
-site=$2
-name=$3
-
-ipmi_host=$(virsh -c qemu:///system net-dumpxml ${site}-baremetal | xmlstarlet sel -t -v "//network/ip/@address")
-ipmi_port=$((6230+index-1))
-boot_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
-
-mkdir -p build/site/${site}
-cat <<EOF >build/site/${site}/machine-${index}-values.yaml
-machineName: machine-${index}
-bootMACAddress: ${boot_mac}
-bmcAddress: ipmi://${ipmi_host}:${ipmi_port}
-bmcUsername: admin
-bmcPassword: password
-EOF
diff --git a/tools/vagrant/create_nodes_json_sample.sh b/tools/vagrant/create_nodes_json_sample.sh
index e1a9948..4729edb 100755
--- a/tools/vagrant/create_nodes_json_sample.sh
+++ b/tools/vagrant/create_nodes_json_sample.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
 set -eu -o pipefail
 
-num_machines=$1
-site=$2
-name_prefix=$3
+site=$1; shift
 
 nodes_json_path="deploy/metal3/scripts/nodes.json.sample"
 ipmi_host=$(virsh -c qemu:///system net-dumpxml ${site}-baremetal | xmlstarlet sel -t -v "//network/ip/@address")
@@ -12,12 +10,13 @@ cat <<EOF >${nodes_json_path}
 {
   "nodes": [
 EOF
-for ((i=1;i<=num_machines;++i)); do
-    name="${name_prefix}${i}"
-    ipmi_port=$((6230+i-1))
+
+while (("$#")); do
+    name=$1; shift
+    ipmi_port=$1; shift
     baremetal_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-baremetal']/mac/@address")
     provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
-    if ((i<num_machines)); then comma=","; else comma=""; fi
+    if (("$#")); then comma=","; else comma=""; fi
     cat <<EOF >>${nodes_json_path}
     {
       "name": "${name}",
diff --git a/tools/vagrant/create_provisioning_cr.sh b/tools/vagrant/create_provisioning_cr.sh
index 2d07344..917245d 100755
--- a/tools/vagrant/create_provisioning_cr.sh
+++ b/tools/vagrant/create_provisioning_cr.sh
@@ -1,13 +1,12 @@
 #!/bin/bash
 set -eu -o pipefail
 
-num_machines=$1
-site=$2
-name_prefix=$3
+site=$1; shift
 
 provisioning_cr_path="cmd/bpa-operator/e2etest/test_bmh_provisioning_cr.yaml"
 
-name="${name_prefix}1"
+name=$1; shift
+ipmi_port=$1; shift
 provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
 cat <<EOF >${provisioning_cr_path}
 apiVersion: bpa.akraino.org/v1alpha1
@@ -22,12 +21,13 @@ spec:
     - ${name}:
         mac-address: ${provisioning_mac}
 EOF
-if ((num_machines>1)); then
+if (("$#")); then
     cat <<EOF >>${provisioning_cr_path}
   workers:
 EOF
-    for ((i=2;i<=num_machines;++i)); do
-	name="${name_prefix}${i}"
+    while (("$#")); do
+	name=$1; shift
+	ipmi_port=$1; shift
 	provisioning_mac=$(virsh -c qemu:///system dumpxml "${site}-${name}" | xmlstarlet sel -t -v "//interface[source/@network='${site}-provisioning']/mac/@address")
 	cat <<EOF >>${provisioning_cr_path}
     - ${name}:
diff --git a/tools/vagrant/remove_machine_from_vbmc.sh b/tools/vagrant/remove_machine_from_vbmc.sh
index 4ff8018..4efc15b 100755
--- a/tools/vagrant/remove_machine_from_vbmc.sh
+++ b/tools/vagrant/remove_machine_from_vbmc.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -eu -o pipefail
 
-index=$1
-site=$2
-name=$3
+site=$1
+name=$2
+port=$3
 
 vbmc --no-daemon delete ${site}-${name} || true