tjo-cloud/infrastructure
1
0
Fork 0
Code Issues1 Pull requests1 Projects Releases Packages Wiki Activity Actions

feat(k8s.tjo.cloud): better crd handling

Browse source
This commit is contained in:
Tine 2025-04-01 19:05:27 +02:00
parent c954916739
commit 0522aeaa37
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
29 changed files with 37351 additions and 15489 deletions

214
id.tjo.cloud/terraform/terraform.tfstate.encrypted
View file

@ -1,189 +1,189 @@
{
"version": "ENC[AES256_GCM,data:VA==,iv:wFe5jhRWV9QMPe0Qe709hUDmIaeHDFEuVd+FnaJUw8g=,tag:CLliEv10j+opldkzsofzzA==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:BjlTO5U=,iv:OXAeyr/TtgZTSiXopzFD4zQXlzecRDUBKaRJXOXP8uY=,tag:QRP/CBID+0Ps2iYFJ9OoYA==,type:str]",
"serial": "ENC[AES256_GCM,data:tj8=,iv:TjhaxtWY2NxI6egxBn8XVSYU24pZTRRAp8TgdwCfu9g=,tag:rzeOaZhnUQQkd4O/DocsFQ==,type:float]",
"lineage": "ENC[AES256_GCM,data:gfnKzDpQX+028PuIQBBs/9JNc+ZKf8E4Ji5Gom3QhXBcPAyH,iv:3sHh2vtRWQWKt+dwSlszCbiKBNP+VN5hDAFjMdIeJKQ=,tag:C1YlR7yu3aB8c44BQTnRSA==,type:str]",
"version": "ENC[AES256_GCM,data:rQ==,iv:4KBzdlnZ5pjqXCyZtWGby3tQdsZm88VyqXtNKhOI7Tw=,tag:QFpocJE9J8DKuA4WYqPGUg==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:Gm63KAc=,iv:vUfhEZfjdu2UthS1XQctgU29Bg3NI+hPiEUaoASFjB4=,tag:aj1+xIPwXPshqV8WLoiDGQ==,type:str]",
"serial": "ENC[AES256_GCM,data:m0Q=,iv:hDo1CKuQPQ6MJSi8EXqHzk+Bra4ELiIxx9R7n+5+l/w=,tag:bxRrJfAmWXpJREUHs19Wcg==,type:float]",
"lineage": "ENC[AES256_GCM,data:6Du+2T1JaWC8WM2oSjEe/tLmrJq3lbm6WNM8kgrqtqrXETyK,iv:YbbCsVQ09r5d2WC2mtuoLNLZ+gOy683WLq9D/zXr7ms=,tag:VEm267fgvnIRYam+JbWP3g==,type:str]",
"outputs": {
"ipv4": {
"value": {
"01": "ENC[AES256_GCM,data:s6VPbl+OZmpCt9/PFA==,iv:uJjo27lt7XjryNzyDZTv5zZfn7X4eA0QYZJFnle2/vg=,tag:Khc9eR01QkelJZFHmBlW/A==,type:str]"
"01": "ENC[AES256_GCM,data:MYhZcU1HIemb12wDgQ==,iv:+FFR3JGcShSFBX++7Ec2mesIQ/BUeKsXbHZAtw/yhzE=,tag:Kh/CydO1eitsZWpvElRUzw==,type:str]"
},
"type": [
"ENC[AES256_GCM,data:/UvFMgX9,iv:X0w6wtH4kMmycZ2dKv6L2PeOZhszPCFS2oa/MjDbmKU=,tag:pENJm+5ETtP+NHK14iq+XQ==,type:str]",
"ENC[AES256_GCM,data:G3CvzflK,iv:3yE3VSxsO9aTrG0YZiEueL71K5TvIjVGgO31vvanBUo=,tag:3LptuhH0WBLXiUPVgLBCkA==,type:str]",
{
"01": "ENC[AES256_GCM,data:aSn7ZkOL,iv:6Cds6XMlunOOsB7v19qaaAL8UnuwMmUa01X8rIUZf6k=,tag:jzLQMLS+mCQWlxlNmigcuA==,type:str]"
"01": "ENC[AES256_GCM,data:xSTTg+z/,iv:nyJHAHFfZxsd3M7l+uPTbj6N6Yu1tMCcY8c8DafB2j0=,tag:nkMGL19OnjAS3pfimBPGvg==,type:str]"
}
]
},
"ipv6": {
"value": {
"01": "ENC[AES256_GCM,data:wOe7KtRL9pmHc1aJaGLTb6zOu2GZ,iv:TreAwFOkchZPw0jIMY1n8qOHKvhKCJh5D0T0L/S+fr8=,tag:N5W6uQeUs/RVhzgs4uj3iQ==,type:str]"
"01": "ENC[AES256_GCM,data:MAJR3cdHR5r2hZ43/h1Zlh5KfpbD,iv:XDYltAIS2tME2/cNljHVe2oAJ4l0n1EckOV/vdL9q/Y=,tag:S6iOFCj9Enk4AOCCbmhHww==,type:str]"
},
"type": [
"ENC[AES256_GCM,data:numxZmH3,iv:6gk7i+BC6fJLZTD1WRN9izaCNBChC2fKXesXme8787o=,tag:0VyjlCctBz5+tKNW0zgX/w==,type:str]",
"ENC[AES256_GCM,data:h//nr5we,iv:/d7qLOKZxMrS5OTrp6JeNSz6Tq8J5WfoFY0hcfQWyRw=,tag:1oA9o1aKkFZ2/YJPhkjU6g==,type:str]",
{
"01": "ENC[AES256_GCM,data:Ww/+IZ90,iv:0C/KTukDdkgQRORaG1jt4ZZ/KHPYyZB4CdXGWRdhsjk=,tag:V25g+M7T3ZtQh1sAksRXAw==,type:str]"
"01": "ENC[AES256_GCM,data:q7iOpLWD,iv:lIegooqKIlnjI2TSpNy4hyab0Y3Y47h9EajlwXOMNt0=,tag:JsVbbCKLcyeie6etnEdwIA==,type:str]"
}
]
}
},
"resources": [
{
"mode": "ENC[AES256_GCM,data:GYHL7C8R+g==,iv:qs/vA/s1/Bm34KGUXT6VXFRDQD4D5g2wZnyjZ3g43/I=,tag:AwIY4vrhRxLZJWQFcHkjNA==,type:str]",
"type": "ENC[AES256_GCM,data:mD5sdLEY7MF/D5iO4cu2pMJN1HY=,iv:Rb9eoqdm1PsR1B2HjaSUyIjVPR3TjZ81jW0kQdkjMiU=,tag:MjZTDbpHY/pORi8WXDIsxQ==,type:str]",
"name": "ENC[AES256_GCM,data:xgsa3src5+k4PXB5ocvSrA==,iv:SU8v7ElupNmrnM0W3LCjRKm4fSp0jvpGM6/Y/wZJ78Q=,tag:hrQSezKtGvZ4YWlDtI0iOg==,type:str]",
"provider": "ENC[AES256_GCM,data:MT+KsrqdCT1T/NFwBqbwzYIZVwxU9iqyLp1szDqcCGOSAgkJRcPUE5TiNSMtedV7o+w4,iv:9RFygyDLYt/YLb3v9MWxkyWisDlOwXLMXlotk5XLjeY=,tag:qN8q14VHR+Vm8sxdY4xhGg==,type:str]",
"mode": "ENC[AES256_GCM,data:hqV0CY92qw==,iv:XmhDMvKI93wneXFuSlG5ClCwpWoXGHxpGlZBq3busQs=,tag:/unAIv6N8OGIPylqv2mx3Q==,type:str]",
"type": "ENC[AES256_GCM,data:NO23FW2kSElLp0jFpRqKzduE5W0=,iv:NU2ybt/GFlJxuMozgBmA8ndR2hmL6C4faW6ugbNJwss=,tag:u9meoFxKPBNM6L42tzHnKg==,type:str]",
"name": "ENC[AES256_GCM,data:uPkZIT7p+aJ3IWjHBpyfRw==,iv:x2KvPjOVTOQgH8pCMK/jRgr1v6McuiAqWhDWhDiQ12w=,tag:Ga1yQ/q4S+fyOdJsLhwsXA==,type:str]",
"provider": "ENC[AES256_GCM,data:6zTQN9hrcWPbWzK2f1Vhp7UG+TDLw5LMHshEqiPHHVFNPmzmcXHxYQmmp21cyomJ2chu,iv:Ee5IdOnQLpaw+YTPHXRcF5o4XMrAR6/flcTlqw6mLuY=,tag:Bi5uIfW+w5PC15j56Lxj7Q==,type:str]",
"instances": [
{
"index_key": "ENC[AES256_GCM,data:autqbbUoQfkiH1WT,iv:qQVxCAzMDPOYrbA/joUxozoerHJoulC06amIsZ66XB4=,tag:BQbRe4B53BWC8ASbswR+6A==,type:str]",
"schema_version": "ENC[AES256_GCM,data:Sw==,iv:UxCXkgruMScbGDAl8LZ9PeB7mBtfOIah83KWcasWV6U=,tag:8/ehzIX07J3ife/vNwC6Sg==,type:float]",
"index_key": "ENC[AES256_GCM,data:zeAJjig+S4FoBEMU,iv:MMoEIX9ZadpeHlttLboUSSTLm4JMwV5UHJlm0TkvGAk=,tag:GYy0uRfYsr7PV/nZ50ZJyw==,type:str]",
"schema_version": "ENC[AES256_GCM,data:Aw==,iv:d3YNa0AR69IjJirZ/9t+44ls8LXBpJDa0QsjChN89Yg=,tag:UFBsYm4pG5+sbCb+4oGI9g==,type:float]",
"attributes": {
"id": "ENC[AES256_GCM,data:x0vtuCgrDOg=,iv:sxMj7RqJesvNFfUABU3/lfdn0WWxhHBvosk26PnhIvo=,tag:v+B+xpMvkM8RIGs1Xco6/A==,type:float]",
"name": "ENC[AES256_GCM,data:YTk=,iv:1WmcyLQAZ91UYbtwaH8BO/YVSEfA4id58yzj4+x3YQw=,tag:H6EjzT2/gj/Tm47S5TqDug==,type:str]",
"name_normalized": "ENC[AES256_GCM,data:Zlg=,iv:qGlRinuTn0VNNVjEtp5UKjq57ljf8Y74GNSt4GlA8d8=,tag:ji+mx7WdUOCmuAdhBzbtLQ==,type:str]",
"priority": "ENC[AES256_GCM,data:8w==,iv:fWEOiy7+rVhe41d46splfWlKBzjgQanp7J6/FEJQLBw=,tag:bjkpQj82xtIjNKBNmL40RA==,type:float]",
"qualified_name": "ENC[AES256_GCM,data:eZUnm7Dm1GJ2apLp,iv:13ouBDsr/nh4UWwSWY5skFlMllm1uokhqQ5YPfBI8+c=,tag:2y08koW05Ec7MSLj+U0o/Q==,type:str]",
"id": "ENC[AES256_GCM,data:5uvBxFmKMls=,iv:ja7eEUdpDUXg1F0w9h4zKZ0HuBZZ2wBI/ic5ho40A/k=,tag:qRUY7K8CmzDNu4BUqIT91w==,type:float]",
"name": "ENC[AES256_GCM,data:8x0=,iv:plwuiXAu8/3bgyI+ri24LIvYxXnvl9dRUsC/cAdWSzM=,tag:sqZREQtKFhplJUGEp4FowA==,type:str]",
"name_normalized": "ENC[AES256_GCM,data:uwE=,iv:4CgaLk4FMLAP/I8s66uKvswAmOIEbNLhDMiv43UbrAY=,tag:Q20uE4ZiK4VCl96Vx3oIPw==,type:str]",
"priority": "ENC[AES256_GCM,data:cA==,iv:hA4JtVuT9JgGpg3AIpJWUYVl35mOS8tZMndEdxSfV0U=,tag:zeDNIkbREEp3ddA7T/T1Jw==,type:float]",
"qualified_name": "ENC[AES256_GCM,data:JdIZWU2/6Y7CvBg2,iv:t9UQwzJVr59/8lGeaC311FxEIEEJKNyy9Oyl7CtBAz4=,tag:eXmEex+yShHx8S6HhaEoxg==,type:str]",
"regions": null,
"ttl": "ENC[AES256_GCM,data:39y+,iv:L+8cryhSyTUkMkOiWS4lqwaWZBv2LUhLYIdBP7Ifm8Q=,tag:iOtunxhHK95ecdYUxYFJuw==,type:float]",
"type": "ENC[AES256_GCM,data:rFAiSyQ=,iv:59daFM7JxATYzgvQ+23n/oOvLsv0XWaXbTPrLS+SdNs=,tag:r6rsDvA79d49ssWTFW8+Hw==,type:str]",
"value": "ENC[AES256_GCM,data:fs4+bt66Eoxsh3KF,iv:+hg2DZsPKELkKZ6Phh64lIE0ab2epHAzsg1szykE+2Y=,tag:VCNW2wMSzjm/YBlNNG6sLA==,type:str]",
"value_normalized": "ENC[AES256_GCM,data:NrUESj6LvK6afkP1,iv:KZyjiD5pOevvunZ/VwLFtXIgC942Peaq3wXMicCifLg=,tag:mI5DqEVMnKR6lp5kZd9clw==,type:str]",
"zone_id": "ENC[AES256_GCM,data:kCa0grPEOD+/,iv:ycwgw8tddUyuAT/RPMMSQS5TqAljhRDEB5SjCjPhh+U=,tag:GmXzZZHkjlS3NacSJD4Rkw==,type:str]",
"zone_name": "ENC[AES256_GCM,data:H3O59AoGG/fn,iv:64l7/wIi35GcfH30JrxRkn4IgIT542yg81K+QOk4MVg=,tag:EwzPg9G5yihCgAOan7rw3Q==,type:str]"
"ttl": "ENC[AES256_GCM,data:dt0V,iv:QunSYb/MxNK1GciEt2FXFXQ8rxGcCcbaCuhN3U9EvCE=,tag:/LCYqNhuIqGYULJLC+DUOQ==,type:float]",
"type": "ENC[AES256_GCM,data:mLAmBqA=,iv:YLnjU79zPI6mURcgvIH4zorKVbBnkJlicMO+kZIJP2c=,tag:GbuaL/tkw/r7yQbDcGoieg==,type:str]",
"value": "ENC[AES256_GCM,data:efG16wh27G0UjyjO,iv:R0YZ7tGv3XXanQes8um+uZ4LwO+LFUFKLBWT5CgQgrs=,tag:nmRoicHDZwkFFOcpYZjU7w==,type:str]",
"value_normalized": "ENC[AES256_GCM,data:c5ddrbpaDox1ZXbV,iv:TuxY2Rn8oqKBq3dBgXGtwg1QlHEcsZYlfgYTXY5YC0s=,tag:Oe2Z6ZqPyVV1G16cK598nQ==,type:str]",
"zone_id": "ENC[AES256_GCM,data:xvulZJnzxVXJ,iv:lKz+xvJKRJplmJ66vDlmk9SlRQqVUkquyZa8zuL5LEU=,tag:TSTi3eIPQVZmopvd0Hicxw==,type:str]",
"zone_name": "ENC[AES256_GCM,data:qHyl2wUsuCWI,iv:GQNlH0cQfFimvDcLr6FIDMU/tMyRGOnHhqWKkJwhDxw=,tag:dVnXH7PawbJxYQeJRU9y/g==,type:str]"
},
"sensitive_attributes": []
}
]
},
{
"mode": "ENC[AES256_GCM,data:MH9nRWNHew==,iv:P7Y+WRW+ZFHZc6zwn9aVOO3CSot6B4WUAf/Ei6a1yys=,tag:ltI6X9lGIPIh8D4ziTO7Ug==,type:str]",
"type": "ENC[AES256_GCM,data:OqI+Q0NMDsspwUxXsj0Edn3g4cU=,iv:cG+Ai3EZZN866xM9L1wbX2buj/WHKI9MN2X7Zyv5jRQ=,tag:kUEQ2I3xzGV5uvMt4ORwTQ==,type:str]",
"name": "ENC[AES256_GCM,data:+eYoDpyEyIpzEvg=,iv:dagms4Waxpp02uzi5eMqkV9ALwUX7jkrgylYExU/HvE=,tag:dmLUcLL6ZIGOFXuFxO2NUQ==,type:str]",
"provider": "ENC[AES256_GCM,data:3WAIXxXB4sYTpXJ6ttBXWVwZSAIKsuCvXDnohx/yhRzS9MXdRHnwd5uDbfaqE+zNDAJC,iv:Vc9/O+TuaReJLQIcs8Vz3hko0nbPDgN1L3bnKa3JcUs=,tag:x9p9zbCvNzul4Y8Rj3lbHg==,type:str]",
"mode": "ENC[AES256_GCM,data:oj48Zypn/w==,iv:zM2U4wlDrbMwcZw07lWYlOTdT83GMoQsjhd/6qZAI1k=,tag:qUyoVpEthd3FhqSAZQuMmw==,type:str]",
"type": "ENC[AES256_GCM,data:fXGVV9JL5BKmSC17LWIkasHFbc0=,iv:00ncsbGPXoDhhmE8Mx9NWEDJJpN79SMZ2AIgPyvwzvU=,tag:eESpH7M5ddUBxWXwsxOV8g==,type:str]",
"name": "ENC[AES256_GCM,data:YXrinGQf9o01nns=,iv:/cHrJKWg7PW2Vq/aaL6HLi37wGio/Ru+it1HE6bMtM0=,tag:eiL1pU7JL5Dqtx4Zz6KJrA==,type:str]",
"provider": "ENC[AES256_GCM,data:jIHdF267uLAKexY8Wc8K6NWy71k2B96XdRstojfcsjiFVBuI/Efycpbnh6H8DIr7Awx5,iv:cs9AT127AreRdF7LBQW0PvsQqqmsXNeyY8uu18Q1p3Y=,tag:XNBpa7zxnFqkey6Jz/Otsg==,type:str]",
"instances": [
{
"index_key": "ENC[AES256_GCM,data:coU=,iv:GGb9P1efx0S2SpHhbw3N5tvezEQ+1GEzq6zW1U4oumM=,tag:1S3CndgxV538izPe4Men/w==,type:str]",
"schema_version": "ENC[AES256_GCM,data:Jg==,iv:zzSGSzfDLePHUXptWFcVV3jYRw2OOgUPU+ZfXWLM0p8=,tag:DUSjC73IQJqum9ymhjB0Nw==,type:float]",
"index_key": "ENC[AES256_GCM,data:ZTU=,iv:mG6FxcE4hHYTnZ9ImtgqFpMHR0GykOsig2/H6SXvF60=,tag:Zhahio2omUnJYt+US1TbpQ==,type:str]",
"schema_version": "ENC[AES256_GCM,data:Rg==,iv:Ym30sORpVDr5SVHzTFHl6GRMH3vIrVEfuyOksaUTfig=,tag:yEf8dOmuZIZ/TNEY2Pvvww==,type:float]",
"attributes": {
"id": "ENC[AES256_GCM,data:9yQJPsfdvCM=,iv:Dieyp7P5aX9P4xcwDTKn+AnFp+U+1rMz2ce+hQiq9vM=,tag:VgeD63UbynD4ncS5hU6zjw==,type:float]",
"name": "ENC[AES256_GCM,data:BQs=,iv:RioJCtY+LPF6n/idLkdNOrLDl2XZ+nMSYxrNVBkG5PE=,tag:i7PK44HTun8urex+A6PxTQ==,type:str]",
"name_normalized": "ENC[AES256_GCM,data:tHM=,iv:RpYKeLUSoQIVt5VM/NchInxWn8OLo7QPVvQpMK09Ldw=,tag:N0V29MleWixccs/MxY+b/w==,type:str]",
"priority": "ENC[AES256_GCM,data:Ew==,iv:9uLgUbtbfn439Ww18NN7HpuUBC3ofoLRBdHBHtGKavY=,tag:dVOtuwlnLMftwM0C9nwn6w==,type:float]",
"qualified_name": "ENC[AES256_GCM,data:fVGwJDBhXIZoEYda,iv:igeOE8orVmC+SYH2oBw9Z+ho80i591U8vnSeTDmD5XU=,tag:q2/4arAD47zetlLp0a9wxw==,type:str]",
"id": "ENC[AES256_GCM,data:LVx2cA7n6ig=,iv:x2+CrQrrD4or2NQPePiqjia/gieRJRDXg8NCLPZZUgg=,tag:5BB4Z0i1Tco8SPhPldf4kg==,type:float]",
"name": "ENC[AES256_GCM,data:lNU=,iv:75XArfqeeBxiCw25pTfZ39Yfo22EBZQ2kqBamk+rnhg=,tag:blH/oBMJN4tJq9Lia55whQ==,type:str]",
"name_normalized": "ENC[AES256_GCM,data:svI=,iv:uhsZ6kJwmUWUnQEs8CJ+fjQ/AfHNc5S7aLveuIPYzCI=,tag:g4uWiQVRjb+U1WtiP51/JQ==,type:str]",
"priority": "ENC[AES256_GCM,data:iQ==,iv:31NofBQEKt8u97NzBeEhXnjQhsF/Ypq3bgb8HbTULx0=,tag:UnwER/RyBnxuV6HmhAPUNA==,type:float]",
"qualified_name": "ENC[AES256_GCM,data:zS12rZSnqB89aYlx,iv:7XQQrVW0E1iUVJNFbkv3xlXNuLcof/LmiL0AFY65Ky8=,tag:jJtw7U9oqPKkNKBhA67GGA==,type:str]",
"regions": null,
"ttl": "ENC[AES256_GCM,data:0dyZ,iv:ywwUwFQi7rwpomyBq4tMAxF8VYP4dWCe2+xtewMJy9c=,tag:MMUr/gi5yn9csW/wP53ZBw==,type:float]",
"type": "ENC[AES256_GCM,data:LA==,iv:AfnI9mpcQnInWlPh6lU9TE0liVLyFhds8lGvQmZ6GnE=,tag:I6PHC602csI7SVUIBASc4g==,type:str]",
"value": "ENC[AES256_GCM,data:MwEGgh5UFnU7xcWO0A==,iv:uHyCS5/FN1QtkTKXKnB0+U4q74XZHwEzzmNDVFExggw=,tag:+P+l49OUAEWYAq97ACrx7Q==,type:str]",
"value_normalized": "ENC[AES256_GCM,data:cKfzGLYnWvr6CsWCXg==,iv:8PN6idW+tSxN7dByMk6xFlvhXApdGMOCaINdB2S3mf0=,tag:q4K3Im8NfIzJWOt1ifwxZw==,type:str]",
"zone_id": "ENC[AES256_GCM,data:gGeccGSLQLlq,iv:5F8CfZI6Hpfu1ZSoa9kV+RrcF/0nB5ewQq0mCQYqtGc=,tag:vRC+a/axg8ZQLXB9i31P1g==,type:str]",
"zone_name": "ENC[AES256_GCM,data:yhFGqy2i3pV6,iv:l92b33k3hJLY/KidqiWF+istfJCDe/qFJJCNJpiWP1Q=,tag:CcaVR6XXRNArbe6cay9Dww==,type:str]"
"ttl": "ENC[AES256_GCM,data:RGtu,iv:BAD91FoY6Ki4GljTZsNYZVMr1SICugFu6geafSUGfXQ=,tag:HSzlsPlSEcuNXqj+EROViw==,type:float]",
"type": "ENC[AES256_GCM,data:1g==,iv:xfJ025BE98jr+MHReILfzW46yRoOZmifwO6ywg1g37I=,tag:Q5oNODpiC5FKI/jYpwSB3A==,type:str]",
"value": "ENC[AES256_GCM,data:cRoGUu4mvvJY/dt8OA==,iv:aBAuLMYGOZJPldI/HXFGphmyziSI7W7MT+zahRhL37g=,tag:spOzbAMlg+aBhF86+Kmj1g==,type:str]",
"value_normalized": "ENC[AES256_GCM,data:JS9cKpyPwwE21lOv3w==,iv:jM/v+wY5DKYevxbVtVRRSgs9iqW8Bm00kBbCt7pv6RI=,tag:SVQIjh1bpzXD8jeO/P+uUA==,type:str]",
"zone_id": "ENC[AES256_GCM,data:9s71l/6OW1kB,iv:/UvhAODb0vVtQEm9WD4Px5DNJAcver6frU7lMr6S8fA=,tag:zoRMlnTLZ1NYwPQhZuAOtg==,type:str]",
"zone_name": "ENC[AES256_GCM,data:eeLma1mRu8l8,iv:W+kE+K2oTgiZuByUzLqL/TS2aFYFD6WWX7Hv30TiHYw=,tag:zp/tSZa71xjh2tBsaFqkLg==,type:str]"
},
"sensitive_attributes": [],
"dependencies": [
"ENC[AES256_GCM,data:JyIzNA3j7C65WQJqDK05Pzkl,iv:SgDWJdYo1+Q9eZF5vn9d1P7aUFqVLTdChvCFrvta/Vc=,tag:HN73YKEoDKKf5cYjJcEhOw==,type:str]",
"ENC[AES256_GCM,data:nWmcr2kUMGNQ0SrO1o3M4EZvSA==,iv:UQJMHVrbW59VV3RM35O31x8NKJ2irFoo0TytoJWPdTI=,tag:NYlKHSDFvOxixLBQUZQYJw==,type:str]"
"ENC[AES256_GCM,data:9h5DycGjGfHEZn17Jog3Bbdb,iv:mRQ+aBXJw8CZtWY2EJMKL7NQouz8KUokZGBnbhRodSg=,tag:tUN/gQvhckfYR+jaGlxf6w==,type:str]",
"ENC[AES256_GCM,data:F2gR1FfrKNdJABEia2IVFqRiaQ==,iv:2TMhvGsoXzb//EsMzXVKxqvEE5hKyClETo/H/rA48GU=,tag:BQH3ScH4Td1kq3JpcALmyQ==,type:str]"
]
}
]
},
{
"mode": "ENC[AES256_GCM,data:an3iQqR43A==,iv:oEvl3Eun/4B/vmFGiYupdvFehcKoFUdMX0Vl9X4NlvM=,tag:9aozyqEL4Ro4M3UWXLQyNQ==,type:str]",
"type": "ENC[AES256_GCM,data:2pr78LDsVJwQ8FR+lA==,iv:4dKhlbb80jIZ/pqmffzHK0nWTdf8qsqmtK+yHsOvqMo=,tag:joBOV+TCmk/Em27WYK8JlA==,type:str]",
"name": "ENC[AES256_GCM,data:aTvR5w==,iv:tat3wtKrLLJKg09Z3mUWXggYDeJ3WKmp0AAI3O1ZFMQ=,tag:3AY12/GNW4ZDNrx1qDfO9g==,type:str]",
"provider": "ENC[AES256_GCM,data:+p0ZiasG+vVSNpgdM2iy/bn9qxO226OAwZUbMP3XQuOhw9It63eEDZlUeZbFioobw7pBfbA=,iv:32YuGfPb0Y8ltXv3yj4VnZ0DIfCoC34+hJve8zlJM9M=,tag:0TCUvbwUIbrZiKRFDaW77w==,type:str]",
"mode": "ENC[AES256_GCM,data:Xcj1yvo7IA==,iv:I60EB1ZcMxioqF/dzqsarpEFr6Rzau7rR36Uzuv2FiA=,tag:QV9y/YAIPZzqVAGQichvjA==,type:str]",
"type": "ENC[AES256_GCM,data:o4cENQzzaZ1O9qADqg==,iv:3o606weLoSpZwq3AzUnAkCoGqeuCC0VrapHz/sS2RCY=,tag:DU7enGwYoJTAaYiJ+ajRlQ==,type:str]",
"name": "ENC[AES256_GCM,data:GvgN3A==,iv:mfpw5y0ULCExQeJ/MTKv8aAEEkbpUl1U0JBrNa3Onlg=,tag:5WOtubuGYOhQkBmPCkvUpg==,type:str]",
"provider": "ENC[AES256_GCM,data:NdM/NU6p7boMx65HwlQADrsoXZ37YKiWBG3h8CRmGSKxvFdec9loCl9QUNWyfa+ZFCkV1Hg=,iv:zjH8M4Nzu9Y9ZERB/kMmHVMdURK531GBYI95Ds5/S30=,tag:S0RzlNs3W1J9sfnFeJVtoA==,type:str]",
"instances": [
{
"index_key": "ENC[AES256_GCM,data:+ko=,iv:FtofbT2FTddedqB6bSuN4g24Bs238bdltOshr6FUP0A=,tag:/Ad7H85x5p2ijBCpbGJODw==,type:str]",
"schema_version": "ENC[AES256_GCM,data:bw==,iv:21lEYpdo47eqcpzjuLu8+l+qFmGq/XyPB0G3yZWX+l4=,tag:W3vIWIivYnLQGOmmWmadmg==,type:float]",
"index_key": "ENC[AES256_GCM,data:gQ4=,iv:R27GI0jRGJrVsYs3XZiiRgSpKPG7FDoJgTx/IciVoV4=,tag:xosnTe8BYNUXmVz+yWaOjQ==,type:str]",
"schema_version": "ENC[AES256_GCM,data:qg==,iv:ZgizKQ8lh8bW9IxtqtDDTIlRsaS2mG4753Wvl+NBsiU=,tag:jpm0lMk8Vkjek09mDgmehg==,type:float]",
"attributes": {
"allow_deprecated_images": "ENC[AES256_GCM,data:IbB1hRw=,iv:p2l4NZpL0kjV94H3U2X/UNXGE/i/qqKmpOH5l/9mfoM=,tag:Ayc34d/b1DMgJ+Yaqbbzlw==,type:bool]",
"backup_window": "ENC[AES256_GCM,data:ry53Uns=,iv:s+uAsBpmNHnbHvSuWgmbjLSSnCo/7Ux1EXjuk725nHY=,tag:CnZhFHyeo/rlFR3zSVuSZw==,type:str]",
"backups": "ENC[AES256_GCM,data:aAy0wg==,iv:z0TaPQvV2lfZlveB3g0OKFHqC+/kwKVc6NaV4CQi++A=,tag:jz2DNQ/tSzcSVS1UtvLEZg==,type:bool]",
"datacenter": "ENC[AES256_GCM,data:lPe3RrSYu4s=,iv:Q6lDtKWXWQPElUaboDK6JdvzqBGiDY4qWMTCw7WRCvk=,tag:WAhJPa8uUpUaasDu9elw/w==,type:str]",
"delete_protection": "ENC[AES256_GCM,data:wCk7p/I=,iv:E46ThtFPXOcH972N0Ow5VKhrte4c8jeI1jDMYDpKu/Y=,tag:546e+TQRlIvq5v4jbHEgcw==,type:bool]",
"allow_deprecated_images": "ENC[AES256_GCM,data:vzB60ck=,iv:GfhY2sxaZulz/dZHcUS7zYDKxyRYxznM51Csvgd8UJ4=,tag:/0dxYXobJUXwT6NL3I4CWQ==,type:bool]",
"backup_window": "ENC[AES256_GCM,data:+UKOd+Y=,iv:Skxf2pJAHLCMsV4M3ysUxZprPAhC1cT/GCUfsMb3hoM=,tag:HzVfQL+7Om8ectW6iBuyqQ==,type:str]",
"backups": "ENC[AES256_GCM,data:T2pXgA==,iv:40pux6D2rx+uUrPpjvAjKmerCh1vJWazFjdRI32mdwE=,tag:pArVJv0RqFIZIkdOWYBpzA==,type:bool]",
"datacenter": "ENC[AES256_GCM,data:RpFRD0/H8gI=,iv:yVjgzhWGe1F7qHCIyDOqXBwWrovByi9gMZACsrWobeU=,tag:P4jpnZaOPBskrNZ4FJWS1w==,type:str]",
"delete_protection": "ENC[AES256_GCM,data:ujXU5Z8=,iv:fd5Qblp9ffFiQ2AOZ+GWpWK9tWrK3XWCt/dvWwiz+Ac=,tag:nbdLzh6duYSTGm7Bwoq2mw==,type:bool]",
"firewall_ids": [],
"id": "ENC[AES256_GCM,data:ddJxYv8aYuc=,iv:rZJysEKfsPl3c+qT2Jyj4qCeIAKpPRS0ABQ4PIK9OHc=,tag:wm7gtliNhZiEb8EYjKLs3g==,type:str]",
"ignore_remote_firewall_ids": "ENC[AES256_GCM,data:gqTJAwg=,iv:LJXncUPL3JDQDaqgM/HBG5gAPvfhAknQYo2R3fC2G6I=,tag:sfLMOn657nuxAgG+8eIcPw==,type:bool]",
"image": "ENC[AES256_GCM,data:HdDXJgwcHuIDnqVe,iv:kpQBuvT4BXVZKqZ4CJeq8gr37gwWqs+aM711Q+519Xs=,tag:uhnNKL5JwiTtiSWW4aej4w==,type:str]",
"ipv4_address": "ENC[AES256_GCM,data:Z6vocwR7cUP1yp/sbg==,iv:U31KrbbcT1InQwy+SQKLA+IJxHa07JsjuSah3h5fIRY=,tag:eta+MfMaZEuzrZ4/1cRcpw==,type:str]",
"ipv6_address": "ENC[AES256_GCM,data:Dbmz/hJ3l0w3wSvJ7Sl3hx2uVv2Y,iv:a1Shw0OoCgufoItiqDvH/XQ2o+mxzwNok/2oCVKc+70=,tag:xiZh8u/eBMTBPCWLPEi1jg==,type:str]",
"ipv6_network": "ENC[AES256_GCM,data:xaq3qSfliS2Gvv9yGbnRaDX77q1ApBU=,iv:fDZxupoTW1iFtXi6LF5sgkz3Y96Zq4+Jbo1zq3HsmBk=,tag:ZZ41jHFrCg3tXziTIIK7HQ==,type:str]",
"id": "ENC[AES256_GCM,data:5gA53o6/s0w=,iv:LhxDH8cdcY9xki6nQXPwQ/AAn2RGGFBYK/Xe7Tvq3Hc=,tag:BLlz3U+c/9uz+PaNqW8M6Q==,type:str]",
"ignore_remote_firewall_ids": "ENC[AES256_GCM,data:Mj6Nz3w=,iv:HuyE/540O0ms1gMaZSpgbst9Vyu/EbDVW8ikEMYe24U=,tag:9GAViVNYT1ki1JGREbJFxQ==,type:bool]",
"image": "ENC[AES256_GCM,data:Suxuh9c1/rvtdEt0,iv:Ilg0t9mGoBVD1AIu2kIlc9g01kmACbKEM6vSErU6L8Q=,tag:OQ10AUghyc586R9AsAUk5g==,type:str]",
"ipv4_address": "ENC[AES256_GCM,data:VA6wfFEH8JiuKbZF5Q==,iv:e4WVWSmTDUuFNm556uEzSNZgHvYWryDLX/EglBN+/Pk=,tag:ZdSy+FoSC/m50Owfx3OZkA==,type:str]",
"ipv6_address": "ENC[AES256_GCM,data:3ttEffsFVHwRZ/GGQJkugJ53PNnf,iv:UOB5pPSr8GykUbnmBDGYQETc/Kmxnqi0ATvkfZQb2Is=,tag:ZGeHfeiVpOcKrFkdUgq9Fw==,type:str]",
"ipv6_network": "ENC[AES256_GCM,data:VVUuv+UYMZrtZTbf/R0C7LPvjXciNX8=,iv:CEY9jldmHIql6yYDDsLMoX1DX3R0TdJDWBJ5wEsCDLQ=,tag:ktt/BJyCj8kpHo23DW6QLg==,type:str]",
"iso": null,
"keep_disk": "ENC[AES256_GCM,data:qv7kcjc=,iv:qndD+YI5+pXoSefHl5xKCfr4sdwkYlP3RGIJIEpvNds=,tag:lP4uJndWTwk/IBJMbShRHw==,type:bool]",
"keep_disk": "ENC[AES256_GCM,data:Na1pbDE=,iv:4hgtyTXiA4Q/AWfK1tDueOZ8ghfHrkRm0V/hQabV9Jw=,tag:Duyh3fEsErOEZNQ+YU5LQQ==,type:bool]",
"labels": {},
"location": "ENC[AES256_GCM,data:+gOffA==,iv:qqsY0OnoRKJGsGQbr1PGO+lfS3YXBPsPzHB/aajXHmQ=,tag:oRDRs43P8kDkHJZW7gmarQ==,type:str]",
"name": "ENC[AES256_GCM,data:ITb/K5UHzxQX7XTpKC4r,iv:rnEHwafTsXi1ujZ5cjHtBEjQMMKKt4g4h+GwaV8nvAs=,tag:0h4POOR37wlsZh4J3+/Y4A==,type:str]",
"location": "ENC[AES256_GCM,data:tm/66A==,iv:t9uB9cIbKiappZYXCdanvt2nbu/b/y9D5wgDjYZ5X1A=,tag:2+PHMeh9liFHfRUcGA2+lQ==,type:str]",
"name": "ENC[AES256_GCM,data:uRZ4cxwM7lf3uPZMrCCt,iv:hWouQ+nwSBsWWib/H0hxoCp+WDDw7Mu7x090MD5hqCQ=,tag:pj9g3f5n06PkXPiYovg+qA==,type:str]",
"network": [],
"placement_group_id": "ENC[AES256_GCM,data:2w==,iv:JyBrqNJLxIol91QPbuW9qCJyJ8VOA9JNapK0pb6FeU0=,tag:1U6dBy2jON46Vjn86TR+SA==,type:float]",
"primary_disk_size": "ENC[AES256_GCM,data:Vj0=,iv:Z62tb6hKtV2Ylr1KWUK5f3zF78dYv0Zxqu18uTmFQTs=,tag:7pgnQ/OxMba7LtVIUEt7qA==,type:float]",
"placement_group_id": "ENC[AES256_GCM,data:DA==,iv:wDlTF+O144eqIXXby9kgjDz+q+Cn9hg1dzDl+i+eUWk=,tag:Vv7ndxwQ0HJ95y1pgJ/Ryg==,type:float]",
"primary_disk_size": "ENC[AES256_GCM,data:CRs=,iv:tilVdo6nzl9wex6m+bHKAQ3mz241HS5ZiWUqBjuMDVE=,tag:COZ/JZpK2EthNr/ON58x+g==,type:float]",
"public_net": [
{
"ipv4": "ENC[AES256_GCM,data:dQ==,iv:9ULiHonP5ftnx1Z40iW0J515x+QCvF0VtDY+tvHr7f0=,tag:RNcCvk/Mit7GaM4fBPy3GQ==,type:float]",
"ipv4_enabled": "ENC[AES256_GCM,data:NSF/Xg==,iv:jhj9cWExe0FKHZQuy2ZB+7+mrAbSAvjCwJAUvze8O18=,tag:O/nqTFlCdQA23PqrenIdpA==,type:bool]",
"ipv6": "ENC[AES256_GCM,data:+Q==,iv:V/Q4VFvvHeD3skxhlIqf7WinAfYq+XyVBxPKggJbpmg=,tag:qr5ihsA4lTbHhhXqipTgYQ==,type:float]",
"ipv6_enabled": "ENC[AES256_GCM,data:Bgm1PA==,iv:CH7ml8/LZ49HnMKNRvKzm4AJJaa9cU+nydNUO+3oGis=,tag:QMkCL2Ai7c4AEgpZXURQOA==,type:bool]"
"ipv4": "ENC[AES256_GCM,data:+A==,iv:tOkdkF02zJe/R/V35QNJ+iBzQYK4sv3gMRZPGX0u7rw=,tag:YFb8pZ4g764EV0SFQPlZag==,type:float]",
"ipv4_enabled": "ENC[AES256_GCM,data:sPfxqQ==,iv:TccA2tZ3WaPCuGpysjByJ77CQ3b6oWWo7A555prTws8=,tag:xZjPy3KgBQynqAhrgm5ddw==,type:bool]",
"ipv6": "ENC[AES256_GCM,data:uA==,iv:QY2cUV0/MQnFT5ofO/oeoh7lCx+QAvhVi4u+UHjNHuw=,tag:dpLshMAEcLCKtwnrotS1Wg==,type:float]",
"ipv6_enabled": "ENC[AES256_GCM,data:kfdd3g==,iv:BA6KbYnfoA2tBKkD9h2vUMEk6IPT6tvWL252LgEMCs0=,tag:e9O73/QF5w+VzXrTFHCX7A==,type:bool]"
}
],
"rebuild_protection": "ENC[AES256_GCM,data:3FnrYPk=,iv:/zpgEKnDRrc+xadYRhg8M/m3E70RyX+bX8y/Esi8oIs=,tag:Lml5esM04Czi/kK/3rlMAw==,type:bool]",
"rebuild_protection": "ENC[AES256_GCM,data:fNi4RXU=,iv:6XMo5JXIeTGfK0VX9p09gyp7FPYgeqzR5xS3TLJRZss=,tag:iZVCRx4E3blcKH8rq6cVcw==,type:bool]",
"rescue": null,
"server_type": "ENC[AES256_GCM,data:q5vtswQ=,iv:dtn4v9OdAV0nBghxOov2u7kZ+IsGKQDA1CrOWM7RcYg=,tag:iW7f8iidcnqnOeITQgCpcg==,type:str]",
"shutdown_before_deletion": "ENC[AES256_GCM,data:RB32QGc=,iv:FmuN47ZEow56V9BelGt02OX+rNQH8yvQVRtEVBS912g=,tag:EVUlteqmQETR21Yl1buoog==,type:bool]",
"server_type": "ENC[AES256_GCM,data:AKAhYaM=,iv:zO+COr+jtvht/fodpO18ep84xWhVHscvceH4sTMN92A=,tag:6ivWRxa3KYRAi5d+LwwBOQ==,type:str]",
"shutdown_before_deletion": "ENC[AES256_GCM,data:oID5NYg=,iv:yRqyUTxG0ptrHjIhyQeI2BEJfbY9wpVLZtt9K91CKww=,tag:J5bzNEomW0pztZvk5Gi30g==,type:bool]",
"ssh_keys": [
"ENC[AES256_GCM,data:y3VH61gJ4y4=,iv:YKCBCIdCo9icNX/wooulfbL2pnTYBb0s1mSdaR06WzE=,tag:OwJvUhkd8LoGW3WwtEEeJw==,type:str]",
"ENC[AES256_GCM,data:IMeb7iDe2MY=,iv:WWKusStwsQGLKcMyWFFFe+9OZ5OylBIlFaumqWA3hbE=,tag:V5TgWKa0Th0WPw0XeLCFYg==,type:str]",
"ENC[AES256_GCM,data:RCjaCTAtV8U=,iv:p58kwto+/ijVv6YUKfEIUyPJu/YmVzT8hAeeTR4feX8=,tag:Le2lLa6U29d2BbGgGziM8A==,type:str]"
"ENC[AES256_GCM,data:KUfNMsFJzrw=,iv:GUobA1mTMyqroRvhCeiMJ+ySlNSj2oBD0UT60BVIpqM=,tag:gOSkJI++ELkAAIlWQv3Bug==,type:str]",
"ENC[AES256_GCM,data:KVP8lXTRXq0=,iv:DVDi4bNPS2Mqh2egsRApT7ThGLDQEgWQoRfBqCEQlN0=,tag:z+YHNHVpM1RyLToAzPR8DQ==,type:str]",
"ENC[AES256_GCM,data:EE1KfM7A1GI=,iv:08c4dPrJmy9uWT7zZ3mpkwBkwLVxrkcW0ICsZiWtr0g=,tag:yq99dP/j6UxFvCA6olsOng==,type:str]"
],
"status": "ENC[AES256_GCM,data:FMxb3NfsRA==,iv:zdN5yGvGurpOM3sNWnSO/luHT1VEpB98eP5zvxSClNA=,tag:oQ98gPVnDP2RNfunPrrkbg==,type:str]",
"status": "ENC[AES256_GCM,data:dsVKGdjWlg==,iv:Ra4slxXtWmSSLoIgPbfZp1rDEHKCTZ+jmdOqcXDKhFw=,tag:1nNjkg3jfXHOyZN7jDkdiw==,type:str]",
"timeouts": null,
"user_data": "ENC[AES256_GCM,data:g4DCXXBpM5IB9FC8vl2tIeNmEB6mceCDcAAewQ==,iv:obWuPjz/Ab58PXi07OJfFC8wfFwLjn87lToGFsU/vgk=,tag:T7gwj1PhidvaEOKFdsf4mw==,type:str]"
"user_data": "ENC[AES256_GCM,data:sE+PJqGw5CGUbMV23qesdF1sl0RyNHEUohVmmg==,iv:DrB9ZM1Ax0535n/ojGqgJfPka11zXaS49cRcp4C03HU=,tag:Pc7s3RvW+uvSoIvsu2kbGg==,type:str]"
},
"sensitive_attributes": [],
"private": "ENC[AES256_GCM,data:Rnc2tPy02a2tda9pS7QtXqb+Ys/I4KokxBUhNfgTLf9JO9uGZ+a9bg5XPS/4bGCAFM1yOlPUWeJy/DJgtBVaFmpUaNCcDDeyQ04atqaon7KXBQF3tV2HRw==,iv:lEgcLVZAWa+b2T7tAGW5N6bHkz9miJvkTvc6UAN8cnc=,tag:Rg2GOZ2hgvDNs7l5rjVYZw==,type:str]",
"private": "ENC[AES256_GCM,data:mpR3jMnmDomOXcZJF4aW2X69vyIomvW7ewwX5gGlvVNWFwz0KzrEENzC7Ygv/+EdSITjlaMl/OCXfbDCmgscq5m391coAZlnDawszFKgqrh94TUPZBQ+fQ==,iv:ntytm/ngCla0y6mSaPXofDXmx8CMMIBtQgusZRV7KyY=,tag:ojBatGGVn5spkWvGSpOH8A==,type:str]",
"dependencies": [
"ENC[AES256_GCM,data:RuSVEYiSnGE5+YGHpsvF8Vbhaw==,iv:PksPo181wFrpM/i7MxtzoPj7AavxqUr523TnCJoxYAg=,tag:+hEqj8HOrLqFRgjEXUeC8Q==,type:str]"
"ENC[AES256_GCM,data:EHQ6S6IhXtFYddKbzT5q3UR4bg==,iv:przA1asBtiWrQpjiNodu8kiuw4u5cMLQ6HfGu6EJI4s=,tag:aGo9ARuK7BW/qtx+8Pf0GQ==,type:str]"
]
}
]
},
{
"mode": "ENC[AES256_GCM,data:vCCnojrqmA==,iv:2pcNiWYvm8z0HboUjFI0uC33lJU/2JS1gCMF0q264Xc=,tag:X7y5nBq4rLR+9W9N0dq30g==,type:str]",
"type": "ENC[AES256_GCM,data:Gg4YQy3SO1ca9gO9VDY=,iv:e/0FBfnuwNX9fP0S16H09O7fJUPuKIxyeXkyRg3Vknc=,tag:z+Oqj6tX/0k3dQKxPIvZ2w==,type:str]",
"name": "ENC[AES256_GCM,data:ox+y1w==,iv:gFauaV0B2p+9avxYTxoiSJklOKxsg4h7hqZ6vO7vxlo=,tag:NJWY2xGySUEXPbrdo0TtOw==,type:str]",
"provider": "ENC[AES256_GCM,data:FBJo1OwQH+SPZoFHGIndccjIhhylOqQPShcU4p85BAlrfIImkGvR1ebacnYmqC1S3RqEPIo=,iv:/zR1aZf0aFyoNgOkG5NZ5lidyhQUJtFUjKKclZpmaf4=,tag:9k5nt5FKCW+i6/vfqUksQA==,type:str]",
"mode": "ENC[AES256_GCM,data:MEw7fIAMrQ==,iv:FjZY2mXP0b6U6WZ2Q3Vetq9Ttbp2lXVNR0CnB6roqn8=,tag:DqoaCswWTnmi8vkrL11Tsw==,type:str]",
"type": "ENC[AES256_GCM,data:8xCiSmOi//mW18buhn8=,iv:TerILj4MoRGZEUeTVgwjg7hMMGfe59dUulE1mfOZ9zw=,tag:Gp2TQZOWEyTTXW4i0+SBkw==,type:str]",
"name": "ENC[AES256_GCM,data:XtvUow==,iv:o/q/qWrJgtNmP0Wsgv4TGqk9QJ5Qw2T+P67xgMNbdrk=,tag:+vRRHsPWlSwVHSbJNJ8irg==,type:str]",
"provider": "ENC[AES256_GCM,data:9tkdK/uZaB/a9nPXzRLt4W/H1QuV4D9tGhryj5NXRaqzGkrsMUru9v2a/rF+B1Nx18HStkc=,iv:TaufbhxzVX5UwZRMC8trdCg6OqDri+WzryAdqZEZ3t0=,tag:61rKG0H8Hr2v0/P7anbWSQ==,type:str]",
"instances": [
{
"index_key": "ENC[AES256_GCM,data:PVyJWpwFXf3r,iv:JjAzT10U6xBBtfDpOe67+D0Wc2LKArzF3avNa83gFAw=,tag:+IBxVUk+v7BT6O08xflwQw==,type:str]",
"schema_version": "ENC[AES256_GCM,data:DQ==,iv:ji/NPTzYf0EBJGAi/F3avf6UXK6P4HsQMQVmOggGO1c=,tag:+w9tMlEEBfymzBA8b9K1nw==,type:float]",
"index_key": "ENC[AES256_GCM,data:UXZ/OXlGPgnI,iv:+lt22QWG2Od0/ERxHYjMPRxT+eHEhoEbjFMghB768k8=,tag:SnFPqzLBSCVsRBKQEO9ptg==,type:str]",
"schema_version": "ENC[AES256_GCM,data:oA==,iv:hxuSeE7FXiH8Bol/5VzkNx/J07ffVuP5faQ2WkUZSVs=,tag:Fqx3jgbILZKEUa+Q4uo5dg==,type:float]",
"attributes": {
"fingerprint": "ENC[AES256_GCM,data:RXtVeyjyEXxBP9fb/xySgbuvBujR5VtXCdWPr6CDDpt450XARVISDV8/pyQgGW8=,iv:BEWWFn1ahfFl+yKZSG4+aeOMqBLVPafdUm6bt41pZio=,tag:We1fatB44MWLtq7XUtnKJQ==,type:str]",
"id": "ENC[AES256_GCM,data:WKSaprH3BAQ=,iv:yLqy6HhlGSY3qynoUlJsAASRFlO+Ls2pEyRPvIAnecA=,tag:BCPyHZ82RAVJjHFerec9YQ==,type:str]",
"fingerprint": "ENC[AES256_GCM,data:J7wlWQ4vakLpYSXAKFnNW6GknnofU7WA6wDQqDQ7yhJbqO56RoRIS49volEi448=,iv:UZ+eMFFE/jxq2Qdnp1YO9s2aiVkKNb31r+g5+Sp+ZwM=,tag:vwxv2NJFRbUBpa/+M/MuVw==,type:str]",
"id": "ENC[AES256_GCM,data:fiFNKjzJKAI=,iv:81JMo4HGCMxTv6y0ZqMx55zMkCp/A2RcykDOtJY73nQ=,tag:9ahkgYKZdWawohwTZh1N2w==,type:str]",
"labels": {},
"name": "ENC[AES256_GCM,data:YTjRUNGVN4G+,iv:blnT3tVN0E5FfAa8k85KOHdRzMBC0pJYr3oW/Oxu4mc=,tag:micllJN3P75xJquul42abw==,type:str]",
"public_key": "ENC[AES256_GCM,data:+2izm8O/5W6I+6FLYsWDH+vj8HprcM2m5kss3si106rjoIza8TR64H/bdIMQRDldyOGBgY0NhEBQkKeiioij5KlVt4xQ+IVHNI0VGAj0YKjrjmuczwA3uc3rQgmDzYZNl5hpNg==,iv:Y9dUywQEFcl48Ohq4ZA4nzUlig1SGoCL2HcJaGKtvqo=,tag:KNdzn12d00E9uyV/3KX5pg==,type:str]"
"name": "ENC[AES256_GCM,data:aUKp8SesrpHu,iv:AGJSVUpq1R5cGe0C1GY9TK7xYf6hqDD3bsaA4zaOVwQ=,tag:97cm204Bb7E05bL2l0/KGA==,type:str]",
"public_key": "ENC[AES256_GCM,data:eQuAUKaMi+49kNGNwnHAnB+lK2oYImdDKHq3uUBzyyWvhA4EWasHr+xVwOWdZCrfUcAxy2C24DEKV1wH00alqKDmh+XStwu7UMIEhYNDSoSyanwtquhdnGcexrm8UUQqVGtGUw==,iv:ILnf6ZxvpCwcc8I6ehqYRAaEAxpb+N+qV6kLuzM7mxo=,tag:S+2V6eqeiNFZ+Vfkk2MWqQ==,type:str]"
},
"sensitive_attributes": []
},
{
"index_key": "ENC[AES256_GCM,data:q+Poe/80RglJBWY=,iv:I8ZW7dMFTRTsGmvOfh6jz0qv9tno513KgNVDdeQZotM=,tag:rKkdZ/qv9o0o+gmbxRLFuw==,type:str]",
"schema_version": "ENC[AES256_GCM,data:tQ==,iv:ODnUHczhHxnHgrmnyQQ/9/5MMnD4Gr1YHZ8lhzn2Ex4=,tag:uCSwWBwjmwYWuklgZkPsJw==,type:float]",
"index_key": "ENC[AES256_GCM,data:Ma9ReIOIcM3L6pA=,iv:YparYMxavTGe0ehYuXmXxlw+fDOmzJ2LEOMPNIQOCA8=,tag:xBafgykUAVcFAW4Owlqwjw==,type:str]",
"schema_version": "ENC[AES256_GCM,data:vQ==,iv:gquRUlIIblEpRHEgifeqWqLvh6FWN3OO32Jmc8d5Hdo=,tag:8wdO4CbEP8wYbINnKG5/yg==,type:float]",
"attributes": {
"fingerprint": "ENC[AES256_GCM,data:qt+7i1M9kvDhPNU/3dTtZVwnxj74HndxPT5b8t701m/C03Hxy8ToUpf4zSdzNas=,iv:qaP+wccYsLyfh6y8RPymw2hxOFF++Jpt8YuizRaqPSM=,tag:qGsKjXtJwYqQPcwpTnIMjg==,type:str]",
"id": "ENC[AES256_GCM,data:Eqvq/tG6+k0=,iv:MWDcg8Ov4HSLTSZ/75iv2luWVDGazTY9lAJP3D1rZ6s=,tag:cVO/cluphyUedjJ78ayltg==,type:str]",
"fingerprint": "ENC[AES256_GCM,data:uBInk0fHs6GHKXlhEdRGlkT3MO96TFeTVIZWlZjrfOFGmrlxi9XaeT7kkbtzPBQ=,iv:Nluk+QdG8SNvGD3Pm89D930/0/2vu3uQjvTwJ2LDbrM=,tag:siBdofcR9HH+6IFH70sdUw==,type:str]",
"id": "ENC[AES256_GCM,data:0JKjy05lCWE=,iv:hz9u6xQIYJym3MKruXQUBafocO+olJqtzb2vcvnysFU=,tag:ynILJHaM560xJXR5eGXoSw==,type:str]",
"labels": {},
"name": "ENC[AES256_GCM,data:T571HeOc21jFKgs=,iv:uDdI8g6RHajznCdMQnDp7upL4H9dC0kpDYZlMpBbjL8=,tag:e+7ea0sHh1EFUxcQz0nJLQ==,type:str]",
"public_key": "ENC[AES256_GCM,data:miW/XUSScFCiaEapzcb3/szNwywZyNQWInO9g0YcGQXczHl3M32N8StDkIwOdEinUoQ/eRYk7ZwyRfZR9ZsueF7g4MC1g6XqucbsS/GimNJ0uaFRYWmhtWUV7WKu4O1ULyjz8enT,iv:DYnKdq+f/ULU9VqTqLReIxB0s1jjeheTim6Iq1vKkAA=,tag:32WsxjHlyPx4Pzq5yW5saA==,type:str]"
"name": "ENC[AES256_GCM,data:VXCd/g4M+uldaD8=,iv:JIn0uaikZTRMTeakc5eyZoEcmUfVYk/3IbOY7kM92aU=,tag:0RqZv/4y5IkndUhjQ4rGSw==,type:str]",
"public_key": "ENC[AES256_GCM,data:P+aLdAU+fu4nf1B2zVjpP5MvK+UlwzUmq++tyi54VvC+97OXkoCwlX0hSps5hGR0umYmWhWjsXCpNGG3VjeXV+KkwKSNT/SUMQmZf3qHVF9UVdjt1MszDq1wG5YyJVaLB4dEwty7,iv:g3DCkItcslwL4FtU97q4Nb9W+TAAQyNrjmXimey5gIo=,tag:9lVMskw3gUgdviYv16uxjw==,type:str]"
},
"sensitive_attributes": []
},
{
"index_key": "ENC[AES256_GCM,data:tf0G9VC4nw==,iv:NN65vK1IFus5E/IEQQW137sNQ5J8zcynYhl6L3JvezA=,tag:jqnsNiJN42NCJbT4aXA/ew==,type:str]",
"schema_version": "ENC[AES256_GCM,data:sw==,iv:9WKM86wLOX+n0S4ynuSsK4k/w6cXAQQOqo/DlNWUrQ4=,tag:aqNNvgVdvRimd0m7Pzd4tQ==,type:float]",
"index_key": "ENC[AES256_GCM,data:uhYD+StHjQ==,iv:jDGwVonx471DN8o8ZpNEuwmG89oCOcs+1kJ7CxjT1UE=,tag:6gjU32E9fWvkP8AM89INRA==,type:str]",
"schema_version": "ENC[AES256_GCM,data:Lw==,iv:UXMWQCgLzrqHbNkBbiwZO9gqfINrLsffu279qZEaNKA=,tag:4mWaEmTyxWny6aPdjtei5w==,type:float]",
"attributes": {
"fingerprint": "ENC[AES256_GCM,data:rTa3dgF+/NF94TOdZNdB0ZSWSzzKaGAZ9ye5Y5qIE6gZTyEnxCs2iAaxBGiPo3g=,iv:H6Qee9ONxRN93kBAUQVuWQJIkY5osfVOG1VTr7XQnhM=,tag:kl0/JYGVGRUCtoiEjpESmA==,type:str]",
"id": "ENC[AES256_GCM,data:eW5j2cwWZUY=,iv:ehahuSeI2ijFwkTQUuorWispbVWWWeDN+zZe4RZDBI0=,tag:RtmEcEe9RIYgSERnWM1Jdw==,type:str]",
"fingerprint": "ENC[AES256_GCM,data:3daJSK9XyzWO+/XVYLeOFhAAHauWBAHCnm/HvcwRLzABeLG3d4hTOFJ2oHeEJVI=,iv:7DNoUQFPUrkYiNv6berEBEm4UKIwl7vcJAXgrm0g5Ww=,tag:X6eo+GlM2Rs0ojnCVghc+w==,type:str]",
"id": "ENC[AES256_GCM,data:AN+yBF9JQQc=,iv:FEqSozoHJ+cea8j20ejFtGA6MleCL7RIw/ktqvoTGEo=,tag:PICEZCL2xCrzWsIPBTw9Sw==,type:str]",
"labels": {},
"name": "ENC[AES256_GCM,data:Q923KwQAcw==,iv:DIhgcS1f8pLJJsn2f88+5fL8stijRPvTQF9+Y1mIQ9Q=,tag:0rFyTf8aZouIvDvt/L9haw==,type:str]",
"public_key": "ENC[AES256_GCM,data:eMZHNjHtsbUiQQvMoESVoEYCNJLbhRLdabDiM2aiJYo6nXYPP8ACUGRru2mAhZCXWdSdAPcqpV8MdRSFbjDyf6GsSp6IFLIEqmnP3K4ijhOATgBWlSIX8P4Cbph+P18EBPA=,iv:Yu7QWUlGrQhZHzPOcpK952f6fS1F6Xwu/Ufp5cJXaZs=,tag:oUwuT+jYu6RddQmgGWd3Ww==,type:str]"
"name": "ENC[AES256_GCM,data:cSP7FhxjuA==,iv:vJyOLFDudyTUp0W4T7HmR/8PAVb4ZIp2ObN0mli0KEY=,tag:jqyoEWX3CRiaOMLfnV0Qsg==,type:str]",
"public_key": "ENC[AES256_GCM,data:N3xSDrqB91HxeTSvtKc9XxsFDVXWsGBMd4BFjS+4PSGm1VVh1jjdkiFmnRjtJhvy+4yrJqzEoQhQjenK+9rHZBE/ebDI1B6cCEDaa7g4r4Vs9LMjYzC8yyuiU/XgT5JmvB0=,iv:BWdXHLe0UP0rrcsew26Y2+AyC+R4x212A1VS7PPrP/0=,tag:45qV3Em9I4KjMnvPH7eaDg==,type:str]"
},
"sensitive_attributes": []
}
@ -199,11 +199,11 @@
"age": [
{
"recipient": "age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYWJYVGVZSnJsSy8reUQ1\ncXdQREllT3Q4WFN6Z1UvMGtoZHNXZzF1ZkdJCmJlUzlYa2ZYNkovT1Qvcm5mRlVn\nYVZqd1BCdkpLeFdoYmRxN2hKb0VUVDAKLS0tIHVzVWM1dVBOWSt2NlFpMzZNazlU\ncnBubXZiOGprdkVZMXV2UmxNdWpkKzAK/bg84Kui9ITPeVyBvKkjgBC14XoR9tSW\ng1Gh59J4JfxGsVN9KIewK6iXXHga8m9ZCkC+L7ChtOYHoWLoVvoQtQ==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQ0JROXlEL3ZtZ0NacmJt\na3o2Q0d5ZHlxZlJNNkc4TUpGOVY4MzZxSHp3Cnpzd0VYRzBYeVZsZzc1Q2ZraTli\ncjRuYkUvOEZENzRoOGxvTDcyUTU5VWMKLS0tIDFBZXpmS3RGSWJJT0UyMi9iWkxR\ncS8vVE83SVBQZ0J5RWQ3d0M5cndMejAKxX7COEqb0ytUCzgRnyPAO1507FhxzhBo\nGJi5ug6x0Hnuosr4Zqx80aHAfCqkbSkvNYQhOFl1OFL5Vq2VGWGCZQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-03-30T15:03:10Z",
"mac": "ENC[AES256_GCM,data:QVyTnOE5nh8THkJVDSgdk+xRYQFX+SUNQPXX+4QrL61rMaIBEbcVSIjHWQx5eV4W153EP+33JxFl0D3G9OOKAvOvRiX4EjZkSPEkNQeHIZELjDZGnrb+32wmsTZmoMNzqaWqtCH0AvT/THu6sYN6zSemSot14K6AAjBd4ozOCFU=,iv:D1HVUELPoaEEo0PGgX+nKk7p7jJZWKUz6LEB+thwjEE=,tag:pi76jE7wkwBzh+NtZb97aQ==,type:str]",
"lastmodified": "2025-04-01T17:05:12Z",
"mac": "ENC[AES256_GCM,data:501jYACuO8RQDTE6bW/5gLX9Qu4clG6xWX9v4+LuV7Xsf02R5P/ft1aI+8pLvZQnem5CjB+xrwcjsz2ESo6Wl+2paKIXtyD9ez2xVLw5zpUluk3aQfPLLDv+vlRHjARf+Rl+s16ttI2jvcKVQgnOnuGo0JsoT5tHgZj8HKjZruQ=,iv:LIji1y7pmqbkVJDM/T3J3CWcqUE80gRVLO+JzJPNJr8=,tag:TiVRV7QgbyPoIiic0QMYzg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"

2504
ingress.tjo.cloud/terraform/terraform.tfstate.encrypted
View file

File diff suppressed because it is too large Load diff

8
k8s.tjo.cloud/justfile
View file

@ -1,5 +1,6 @@
GATEWAY_API_VERSION := "v1.1.0"
GATEWAY_CRDS_VERSION := "v1.1.0"
PROMETHEUS_CRDS_VERSION := "main"
ENVOY_CRDS_VERSION := "1.2.8"
default:
@just --list
@ -12,7 +13,10 @@ module-cluster-core-crds:
@curl -L -o modules/cluster-core/crds/servicemonitors.yaml \
"https://raw.githubusercontent.com/prometheus-community/helm-charts/{{PROMETHEUS_CRDS_VERSION}}/charts/kube-prometheus-stack/charts/crds/crds/crd-servicemonitors.yaml"
@curl -L -o modules/cluster-core/crds/gateway-api.yaml \
"https://github.com/kubernetes-sigs/gateway-api/releases/download/{{GATEWAY_API_VERSION}}/experimental-install.yaml"
"https://github.com/kubernetes-sigs/gateway-api/releases/download/{{GATEWAY_CRDS_VERSION}}/experimental-install.yaml"
@curl -L -o - \
"https://github.com/envoyproxy/gateway/archive/refs/tags/v{{ENVOY_CRDS_VERSION}}.tar.gz" \
| tar -xz -C modules/cluster-core/crds --strip-components=5 --wildcards "gateway-{{ENVOY_CRDS_VERSION}}/charts/gateway-helm/crds/generated/*.yaml"
destroy:
tofu state rm module.cluster-core || true

2
k8s.tjo.cloud/kubeconfig
View file

@ -4,7 +4,7 @@ clusters:
- name: k8s-tjo-cloud
cluster:
server: https://api.internal.k8s.tjo.cloud:6443
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpJUnk4L21TaDBsZHNFT2VVUE8vRzh3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEF6TXpBeE1qQTROVEJhRncwek5UQXpNamd4TWpBNApOVEJhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVRtMHFzWHhpaU80WlRaQWk3NDFralVLSkpZSjZISTdJU2dvWXptMEdCc2l1UUhPeTRMOVlMU0FDQ1gKT0x0YU9hRXFZbWc0d2wvTWFJaGlMRGJldzVKNW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGTjIrTFRNYVJPYUZRaXFxWFNLRHVuS0tSV1JITUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDYVFxRHAKeHpsaXduejQzQXVEekJoUURCL29WM2Z5WGRXQnUra2NKS0p4RndJZ0piUE9GWDVEbUw4VWdrN1EwQ1hzZ24wQQozNXRpM29OVlh1c0JyT052V0lFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVMrZ0F3SUJBZ0lRTnVhRWJUTE5ybDFhZmtaWDdmQ093akFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNRE16TVRFNU5UWXlNRm9YRFRNMU1ETXlPVEU1TlRZeQpNRm93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCQlA1QWxYWm9ENTBaZm1TOXNOdDVYdlpXbk1hUlYvNFVpMmxUeUVxbHZTVTlFemIwUXdDK1BMSmRtcjYKT1Jqby8wMm5UV1BpcVh0N1RFQ1dhd2E2WTBhallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVVwUzd0aTU3VmM1Uko0ZWFPQnFGTmp1Um9RRVV3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQU15T3F2WVkKTmsreHYrS0JpckVHaXRmcWVpYmhzK0UvbE1LYk8yT2FRS2dGQWlFQWdsSy9heSszcStLRzJ0bm9VaXFyWTBNegpYWGtNWldWN0l6bDMvdHVIdFVzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
contexts:
- name: oidc@k8s-tjo-cloud
context:

18
k8s.tjo.cloud/main.tf
View file

@ -121,14 +121,26 @@ module "cluster-core" {
proxmox = module.cluster.proxmox
}
# TODO: Move to be managed by argocd
module "cluster-components" {
source = "./modules/cluster-components"
oidc_issuer_url = var.oidc_issuer_url
oidc_client_id = var.oidc_client_id
dnsimple_token = var.dnsimple_token
dnsimple_account_id = var.dnsimple_account_id
dnsimple = {
token = var.dnsimple_token
account_id = var.dnsimple_account_id
}
cluster_domain = "k8s.tjo.cloud"
domains = {
"tjo-cloud" = {
zone = "tjo.cloud"
domain = "tjo.cloud"
}
"k8s-tjo-cloud" = {
zone = "k8s.tjo.cloud"
domain = "k8s.tjo.cloud"
}
}
}

4
k8s.tjo.cloud/modules/cluster-components/dashboard.tf
View file

@ -28,7 +28,7 @@ resource "kubernetes_manifest" "dashoard-http-route" {
}
]
hostnames = [
"dashboard.${var.cluster_domain}"
"dashboard.k8s.tjo.cloud"
]
rules = [
{
@ -131,7 +131,7 @@ resource "kubernetes_manifest" "dashboard-oidc" {
scopes = ["openid", "email", "profile"]
forwardAccessToken = true
redirectURL = "https://dashboard.${var.cluster_domain}/login"
redirectURL = "https://dashboard.k8s.tjo.cloud/login"
}
}
}

69
k8s.tjo.cloud/modules/cluster-components/external-dns.tf
View file

@ -1,69 +0,0 @@
resource "helm_release" "external-dns-privileged" {
name = "external-dns-privileged"
chart = "external-dns"
repository = "https://kubernetes-sigs.github.io/external-dns/"
version = "v1.15.0"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
values = [<<-EOF
provider: dnsimple
env:
- name: DNSIMPLE_OAUTH
valueFrom:
secretKeyRef:
name: ${kubernetes_secret.dnsimple.metadata[0].name}
key: token
- name: DNSIMPLE_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: ${kubernetes_secret.dnsimple.metadata[0].name}
key: account_id
- name: DNSIMPLE_ZONES
value: "${var.domains.privileged}"
sources:
- ingress
- service
- gateway-httproute
- gateway-grpcroute
- gateway-tlsroute
- gateway-tcproute
domainFilters:
- ${var.domains.privileged}
EOF
]
}
resource "helm_release" "external-dns-user-content" {
name = "external-dns-user-content"
chart = "external-dns"
repository = "https://kubernetes-sigs.github.io/external-dns/"
version = "v1.15.0"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
values = [<<-EOF
provider: dnsimple
env:
- name: DNSIMPLE_OAUTH
valueFrom:
secretKeyRef:
name: ${kubernetes_secret.dnsimple.metadata[0].name}
key: token
- name: DNSIMPLE_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: ${kubernetes_secret.dnsimple.metadata[0].name}
key: account_id
- name: DNSIMPLE_ZONES
value: "${var.domains.usercontent}"
sources:
- ingress
- service
- gateway-httproute
- gateway-grpcroute
- gateway-tlsroute
- gateway-tcproute
domainFilters:
- ${var.domains.usercontent}
EOF
]
}

222
k8s.tjo.cloud/modules/cluster-components/gateway.tf
View file

@ -1,222 +0,0 @@
resource "helm_release" "cert-manager-dnsimple" {
name = "cert-manager-webhook-dnsimple"
chart = "cert-manager-webhook-dnsimple"
repository = "https://puzzle.github.io/cert-manager-webhook-dnsimple"
version = "v0.1.6"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
atomic = true
cleanup_on_fail = true
values = [<<-EOF
dnsimple:
tokenSecretName: "${kubernetes_secret.dnsimple.metadata[0].name}"
existingTokenSecret: true
account_id: "${var.dnsimple_account_id}"
certManager:
namespace: "kube-system"
serviceAccountName: "cert-manager"
EOF
]
}
resource "kubernetes_manifest" "privilieged-issuer" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"
metadata = {
name = "privileged"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
acme = {
email = "tine@tjo.space"
server = "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef = {
name = "tjo-cloud-acme-account"
}
solvers = [
{
dns01 = {
webhook = {
solverName = "dnsimple"
groupName = "acme.dnsimple.com"
config = {
tokenSecretRef = {
name = kubernetes_secret.dnsimple.metadata[0].name
key = "token"
}
accountID = var.dnsimple_account_id
}
}
}
selector = {
dnsZones = [
var.domains.privileged
]
}
}
]
}
}
}
}
resource "kubernetes_manifest" "usercontent-issuer" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "ClusterIssuer"
metadata = {
name = "usercontent"
}
spec = {
acme = {
email = "tine@tjo.space"
server = "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef = {
name = "tjo-cloud-acme-account"
}
solvers = [
{
dns01 = {
webhook = {
solverName = "dnsimple"
groupName = "acme.dnsimple.com"
config = {
tokenSecretRef = {
name = kubernetes_secret.dnsimple.metadata[0].name
key = "token"
}
accountID = var.dnsimple_account_id
}
}
}
selector = {
dnsZones = [
var.domains.usercontent
]
}
}
]
}
}
}
}
resource "kubernetes_manifest" "gateway_class_config" {
manifest = {
apiVersion = "gateway.envoyproxy.io/v1alpha1"
kind = "EnvoyProxy"
metadata = {
name = "daemonset"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
mergeGateways = true
provider = {
type = "Kubernetes"
kubernetes = {
envoyService = {
annotations = {
"external-dns.alpha.kubernetes.io/internal-hostname" = "envoy-internal.k8s.tjo.cloud"
}
}
}
}
}
}
}
resource "kubernetes_manifest" "gateway_class" {
manifest = {
apiVersion = "gateway.networking.k8s.io/v1"
kind = "GatewayClass"
metadata = {
name = "envoy"
}
spec = {
controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef = {
group = "gateway.envoyproxy.io"
kind = "EnvoyProxy"
name = kubernetes_manifest.gateway_class_config.object.metadata.name
namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
}
}
}
}
resource "kubernetes_manifest" "gateway" {
manifest = {
apiVersion = "gateway.networking.k8s.io/v1"
kind = "Gateway"
metadata = {
name = "primary"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
annotations = {
"cert-manager.io/issuer" = kubernetes_manifest.privilieged-issuer.object.metadata.name
}
}
spec = {
gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name
listeners = [
{
name = "privileged"
hostname = "*.${var.domains.privileged}"
protocol = "HTTPS"
port = 443
allowedRoutes = {
namespaces = {
from = "Same"
}
}
tls = {
mode = "Terminate"
certificateRefs = [
{
name = "${kubernetes_manifest.privilieged-issuer.object.metadata.name}-tls"
}
]
}
},
{
name = "usercontent"
hostname = "*.${var.domains.usercontent}"
protocol = "HTTPS"
port = 443
allowedRoutes = {
namespaces = {
from = "All"
}
}
tls = {
mode = "Terminate"
certificateRefs = [
{
name = "${kubernetes_manifest.usercontent-issuer.object.metadata.name}-tls"
}
]
}
},
]
}
}
}
resource "kubernetes_manifest" "enable-proxy-protocol-policy" {
manifest = {
apiVersion = "gateway.envoyproxy.io/v1alpha1"
kind = "ClientTrafficPolicy"
metadata = {
name = "enable-proxy-protocol-policy"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
targetRef = {
group = "gateway.networking.k8s.io"
kind = "Gateway"
name = kubernetes_manifest.gateway.object.metadata.name
}
enableProxyProtocol = false
}
}
}

160
k8s.tjo.cloud/modules/cluster-components/main.tf
View file

@ -10,7 +10,163 @@ resource "kubernetes_secret" "dnsimple" {
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
data = {
token = var.dnsimple_token
account_id = var.dnsimple_account_id
token = var.dnsimple.token
account_id = var.dnsimple.account_id
}
}
resource "helm_release" "external-dns" {
name = "external-dns-user-content"
chart = "external-dns"
repository = "https://kubernetes-sigs.github.io/external-dns/"
version = "v1.15.0"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
values = [yamlencode({
provider : "dnsimple"
env : [
{
name : "DNSIMPLE_OAUTH"
valueFrom : {
secretKeyRef : {
name : kubernetes_secret.dnsimple.metadata[0].name
key : "token"
}
}
},
{
name : "DNSIMPLE_ACCOUNT_ID"
valueFrom : {
secretKeyRef : {
name : kubernetes_secret.dnsimple.metadata[0].name
key : "account_id"
}
}
},
{
name : "DNSIMPLE_ZONES"
value = join(",", [for domain in var.domains : domain.zone])
}
]
sources : [
"ingress",
"service",
"gateway-httproute",
"gateway-grpcroute",
"gateway-tlsroute",
"gateway-tcproute"
]
domainFilters : [for domain in var.domains : domain.domain]
})]
}
resource "helm_release" "cert-manager-dnsimple" {
name = "cert-manager-webhook-dnsimple"
chart = "cert-manager-webhook-dnsimple"
repository = "https://puzzle.github.io/cert-manager-webhook-dnsimple"
version = "v0.1.6"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
atomic = true
cleanup_on_fail = true
values = [<<-EOF
dnsimple:
tokenSecretName: "${kubernetes_secret.dnsimple.metadata[0].name}"
existingTokenSecret: true
account_id: "${var.dnsimple.account_id}"
certManager:
namespace: "kube-system"
serviceAccountName: "cert-manager"
EOF
]
}
resource "kubernetes_manifest" "issuer" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"
metadata = {
name = "domains"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
acme = {
email = "tine@tjo.space"
server = "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef = {
name = "tjo-cloud-acme-account"
}
solvers = [
{
dns01 = {
webhook = {
solverName = "dnsimple"
groupName = "acme.dnsimple.com"
config = {
tokenSecretRef = {
name = kubernetes_secret.dnsimple.metadata[0].name
key = "token"
}
accountID = var.dnsimple.account_id
}
}
}
selector = {
dnsZones = [for domain in var.domains : domain.domain]
}
}
]
}
}
}
}
resource "kubernetes_manifest" "gateway" {
manifest = {
apiVersion = "gateway.networking.k8s.io/v1"
kind = "Gateway"
metadata = {
name = "primary"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
annotations = {
"cert-manager.io/issuer" = kubernetes_manifest.issuer.object.metadata.name
}
}
spec = {
gatewayClassName = "envoy"
listeners = [for key, domain in var.domains : {
name = key
hostname = "*.${domain.domain}"
protocol = "HTTPS"
port = 443
tls = {
mode = "Terminate"
certificateRefs = [
{
name = "${key}-tls"
}
]
}
}]
}
}
}
resource "kubernetes_manifest" "enable-proxy-protocol-policy" {
manifest = {
apiVersion = "gateway.envoyproxy.io/v1alpha1"
kind = "ClientTrafficPolicy"
metadata = {
name = "enable-proxy-protocol-policy"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
targetRef = {
group = "gateway.networking.k8s.io"
kind = "Gateway"
name = kubernetes_manifest.gateway.object.metadata.name
}
enableProxyProtocol = false
}
}
}

37
k8s.tjo.cloud/modules/cluster-components/nats.tf
View file

@ -1,37 +0,0 @@
resource "helm_release" "nats" {
count = 1
name = "nats"
repository = "https://nats-io.github.io/k8s/helm/charts/"
chart = "nats"
version = "1.2.8"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
atomic = true
cleanup_on_fail = true
values = [<<-EOF
config:
cluster:
enabled: true
replicas: 2
jetstream:
enabled: true
fileStore:
pvc:
storageClassName: "common"
size: 10Gi
podTemplate:
topologySpreadConstraints:
kubernetes.io/hostname:
maxSkew: 1
whenUnsatisfiable: DoNotSchedule
service:
merge:
spec:
type: LoadBalancer
EOF
]
}

29
k8s.tjo.cloud/modules/cluster-components/variables.tf
View file

@ -1,8 +1,3 @@
variable "cluster_domain" {
description = "Domain of the cluster."
type = string
}
variable "oidc_client_id" {
type = string
}
@ -10,23 +5,17 @@ variable "oidc_issuer_url" {
type = string
}
variable "dnsimple_token" {
type = string
sensitive = true
}
variable "dnsimple_account_id" {
type = string
variable "dnsimple" {
type = object({
token = string
account_id = string
})
}
variable "domains" {
type = object({
privileged = string
usercontent = string
})
default = {
privileged = "k8s.tjo.cloud"
usercontent = "usercontent.k8s.tjo.cloud"
}
type = map(object({
zone = string
domain = string
}))
description = "Domains to be managed via cert-manager and external-dns."
}

46
k8s.tjo.cloud/modules/cluster-core/cert-manager.tf Normal file
View file

@ -0,0 +1,46 @@
resource "helm_release" "cert-manager" {
name = "cert-manager"
chart = "cert-manager"
repository = "https://charts.jetstack.io"
version = "v1.16.2"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
values = [yamlencode({
crds = {
enabled = true
}
affinity = {
nodeAffinity = {
requiredDuringSchedulingIgnoredDuringExecution = {
nodeSelectorTerms = [{
matchExpressions = [{
key = "node-role.kubernetes.io/control-plane"
operator = "Exists"
}]
}]
}
}
}
tolerations = [{
key = "node-role.kubernetes.io/control-plane"
effect = "NoSchedule"
}]
config = {
apiVersion = "controller.config.cert-manager.io/v1alpha1"
kind = "ControllerConfiguration"
enableGatewayAPI = true
}
prometheus = {
enabled = true
servicemonitor = {
enabled = true
}
}
})]
}

221
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_backends.yaml Normal file
View file

@ -0,0 +1,221 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: backends.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
names:
categories:
- envoy-gateway
kind: Backend
listKind: BackendList
plural: backends
shortNames:
- be
singular: backend
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Accepted")].reason
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
Backend allows the user to configure the endpoints of a backend and
the behavior of the connection from Envoy Proxy to the backend.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Backend.
properties:
appProtocols:
description: AppProtocols defines the application protocols to be
supported when connecting to the backend.
items:
description: AppProtocolType defines various backend applications
protocols supported by Envoy Gateway
enum:
- gateway.envoyproxy.io/h2c
- gateway.envoyproxy.io/ws
- gateway.envoyproxy.io/wss
type: string
type: array
endpoints:
description: Endpoints defines the endpoints to be used when connecting
to the backend.
items:
description: |-
BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IP address or unix domain socket
corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address
properties:
fqdn:
description: FQDN defines a FQDN endpoint
properties:
hostname:
description: Hostname defines the FQDN hostname of the backend
endpoint.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
type: string
port:
description: Port defines the port of the backend endpoint.
format: int32
maximum: 65535
minimum: 0
type: integer
required:
- hostname
- port
type: object
ip:
description: IP defines an IP endpoint. Supports both IPv4 and
IPv6 addresses.
properties:
address:
description: |-
Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses.
maxLength: 45
minLength: 3
pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$
type: string
port:
description: Port defines the port of the backend endpoint.
format: int32
maximum: 65535
minimum: 0
type: integer
required:
- address
- port
type: object
unix:
description: Unix defines the unix domain socket endpoint
properties:
path:
description: Path defines the unix domain socket path of
the backend endpoint.
type: string
required:
- path
type: object
type: object
x-kubernetes-validations:
- message: one of fqdn, ip or unix must be specified
rule: (has(self.fqdn) || has(self.ip) || has(self.unix))
- message: only one of fqdn, ip or unix can be specified
rule: ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) ||
(has(self.ip) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix)
&& !(has(self.ip) || has(self.fqdn))))
maxItems: 4
minItems: 1
type: array
x-kubernetes-validations:
- message: fqdn addresses cannot be mixed with other address types
rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))
fallback:
description: |-
Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%.
type: boolean
type: object
status:
description: Status defines the current status of Backend.
properties:
conditions:
description: Conditions describe the current conditions of the Backend.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

1688
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_backendtrafficpolicies.yaml Normal file
View file

File diff suppressed because it is too large Load diff

1170
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_clienttrafficpolicies.yaml Normal file
View file

File diff suppressed because it is too large Load diff

1591
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_envoyextensionpolicies.yaml Normal file
View file

File diff suppressed because it is too large Load diff

475
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_envoypatchpolicies.yaml Normal file
View file

@ -0,0 +1,475 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: envoypatchpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
names:
categories:
- envoy-gateway
kind: EnvoyPatchPolicy
listKind: EnvoyPatchPolicyList
plural: envoypatchpolicies
shortNames:
- epp
singular: envoypatchpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Programmed")].reason
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
EnvoyPatchPolicy allows the user to modify the generated Envoy xDS
resources by Envoy Gateway using this patch API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of EnvoyPatchPolicy.
properties:
jsonPatches:
description: JSONPatch defines the JSONPatch configuration.
items:
description: |-
EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource
using JSONPatch semantic
properties:
name:
description: Name is the name of the resource
type: string
operation:
description: Patch defines the JSON Patch Operation
properties:
from:
description: |-
From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
type: string
jsonPath:
description: |-
JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
type: string
op:
description: Op is the type of operation to perform
enum:
- add
- remove
- replace
- move
- copy
- test
type: string
path:
description: |-
Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed
type: string
value:
description: |-
Value is the new value of the path location. The value is only used by
the `add` and `replace` operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
type: object
type:
description: Type is the typed URL of the Envoy xDS Resource
enum:
- type.googleapis.com/envoy.config.listener.v3.Listener
- type.googleapis.com/envoy.config.route.v3.RouteConfiguration
- type.googleapis.com/envoy.config.cluster.v3.Cluster
- type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
- type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
type: string
required:
- name
- operation
- type
type: object
type: array
priority:
description: |-
Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0.
format: int32
type: integer
targetRef:
description: |-
TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
type:
description: |-
Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch".
enum:
- JSONPatch
type: string
required:
- targetRef
- type
type: object
status:
description: Status defines the current status of EnvoyPatchPolicy.
properties:
ancestors:
description: |-
Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.
items:
description: |-
PolicyAncestorStatus describes the status of a route with respect to an
associated Ancestor.
Ancestors refer to objects that are either the Target of a policy or above it
in terms of object hierarchy. For example, if a policy targets a Service, the
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
useful object to place Policy status on, so we recommend that implementations
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
have a _very_ good reason otherwise.
In the context of policy attachment, the Ancestor is used to distinguish which
resource results in a distinct application of this policy. For example, if a policy
targets a Service, it may have a distinct result per attached Gateway.
Policies targeting the same resource may have different effects depending on the
ancestors of those resources. For example, different Gateways targeting the same
Service may have different capabilities, especially if they have different underlying
implementations.
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
used as a backend in a HTTPRoute that is itself attached to a Gateway.
In this case, the relevant object for status is the Gateway, and that is the
ancestor object referred to in this status.
Note that a parent is also an ancestor, so for objects where the parent is the
relevant object for status, this struct SHOULD still be used.
This struct is intended to be used in a slice that's effectively a map,
with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
description: |-
AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
<gateway:experimental:description>
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
</gateway:experimental:description>
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
<gateway:experimental:description>
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
</gateway:experimental:description>
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
conditions:
description: Conditions describes the status of the Policy with
respect to the given Ancestor.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: |-
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
required:
- ancestorRef
- controllerName
type: object
maxItems: 16
type: array
required:
- ancestors
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

14329
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_envoyproxies.yaml Normal file
View file

File diff suppressed because it is too large Load diff

220
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_httproutefilters.yaml Normal file
View file

@ -0,0 +1,220 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: httproutefilters.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
names:
categories:
- envoy-gateway
kind: HTTPRouteFilter
listKind: HTTPRouteFilterList
plural: httproutefilters
shortNames:
- hrf
singular: httproutefilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended
traffic processing options such as path regex rewrite, direct response and more.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of HTTPRouteFilter.
properties:
directResponse:
description: HTTPDirectResponseFilter defines the configuration to
return a fixed response.
properties:
body:
description: Body of the Response
properties:
inline:
description: Inline contains the value as an inline string.
type: string
type:
allOf:
- enum:
- Inline
- ValueRef
- enum:
- Inline
- ValueRef
default: Inline
description: |-
Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline.
type: string
valueRef:
description: |-
ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used.
properties:
group:
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
required:
- type
type: object
x-kubernetes-validations:
- message: inline must be set for type Inline
rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
: true'
- message: valueRef must be set for type ValueRef
rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef)
: true'
- message: only ConfigMap is supported for ValueRef
rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
: true'
contentType:
description: Content Type of the response. This will be set in
the Content-Type header.
type: string
statusCode:
description: |-
Status Code of the HTTP response
If unset, defaults to 200.
type: integer
type: object
urlRewrite:
description: HTTPURLRewriteFilter define rewrites of HTTP URL components
such as path and host
properties:
hostname:
description: |-
Hostname is the value to be used to replace the Host header value during
forwarding.
properties:
header:
description: Header is the name of the header whose value
would be used to rewrite the Host header
type: string
type:
description: HTTPPathModifierType defines the type of Hostname
rewrite.
enum:
- Header
- Backend
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: header must be nil if the type is not Header
rule: '!(has(self.header) && self.type != ''Header'')'
- message: header must be specified for Header type
rule: '!(!has(self.header) && self.type == ''Header'')'
path:
description: Path defines a path rewrite.
properties:
replaceRegexMatch:
description: |-
ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive).
properties:
pattern:
description: |-
Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
minLength: 1
type: string
substitution:
description: |-
Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
type: string
required:
- pattern
- substitution
type: object
type:
description: HTTPPathModifierType defines the type of path
redirect or rewrite.
enum:
- ReplaceRegexMatch
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch
field needs to be set.
rule: 'self.type == ''ReplaceRegexMatch'' ? has(self.replaceRegexMatch)
: !has(self.replaceRegexMatch)'
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}

3765
k8s.tjo.cloud/modules/cluster-core/crds/gateway.envoyproxy.io_securitypolicies.yaml Normal file
View file

File diff suppressed because it is too large Load diff

50
k8s.tjo.cloud/modules/cluster-core/envoy.tf Normal file
View file

@ -0,0 +1,50 @@
resource "helm_release" "envoy" {
name = "envoy"
chart = "gateway-helm"
repository = "oci://docker.io/envoyproxy"
version = "v1.2.4"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
}
resource "kubernetes_manifest" "gateway_class_config" {
manifest = {
apiVersion = "gateway.envoyproxy.io/v1alpha1"
kind = "EnvoyProxy"
metadata = {
name = "daemonset"
namespace = "kube-system"
}
spec = {
mergeGateways = true
provider = {
type = "Kubernetes"
kubernetes = {
envoyService = {
annotations = {}
}
}
}
}
}
}
resource "kubernetes_manifest" "gateway_class" {
manifest = {
apiVersion = "gateway.networking.k8s.io/v1"
kind = "GatewayClass"
metadata = {
name = "envoy"
}
spec = {
controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef = {
group = "gateway.envoyproxy.io"
kind = "EnvoyProxy"
name = kubernetes_manifest.gateway_class_config.object.metadata.name
namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
}
}
}
}

44
k8s.tjo.cloud/modules/cluster-core/main.tf
View file

@ -1,6 +1,12 @@
data "kubectl_path_documents" "crds" {
pattern = "${path.module}/crds/*.yaml"
}
resource "kubectl_manifest" "crds" {
for_each = fileset("${path.module}/crds", "*.yaml")
yaml_body = file("${path.module}/crds/${each.value}")
for_each = data.kubectl_path_documents.crds.manifests
yaml_body = each.value
server_side_apply = true
wait = true
}
resource "helm_release" "proxmox-ccm" {
@ -58,40 +64,6 @@ resource "helm_release" "talos-ccm" {
})]
}
resource "helm_release" "cert-manager" {
name = "cert-manager"
chart = "cert-manager"
repository = "https://charts.jetstack.io"
version = "v1.16.2"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
values = [yamlencode({
crds = {
enabled = true
}
config = {
apiVersion = "controller.config.cert-manager.io/v1alpha1"
kind = "ControllerConfiguration"
enableGatewayAPI = true
}
})]
}
resource "helm_release" "envoy" {
depends_on = [kubectl_manifest.crds]
name = "envoy"
chart = "gateway-helm"
repository = "oci://docker.io/envoyproxy"
version = "v1.2.4"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
}
resource "helm_release" "metrics-server" {
name = "metrics-server"
chart = "metrics-server"

1
k8s.tjo.cloud/modules/cluster-core/monitoring.tf
View file

@ -24,6 +24,7 @@ resource "helm_release" "kube-state-metrics" {
tolerations:
- key: "node-role.kubernetes.io/control-plane"
effect: NoSchedule
updateStrategy: Recreate
prometheusScrape: false
prometheus:

8
k8s.tjo.cloud/modules/cluster-core/storage.tf
View file

@ -43,14 +43,14 @@ resource "helm_release" "hybrid-csi" {
cleanup_on_fail = true
values = [yamlencode({
nodeSelector = {
"node-role.kubernetes.io/control-plane" = ""
}
image = {
tag = "edge"
}
nodeSelector = {
"node-role.kubernetes.io/control-plane" = ""
}
tolerations = [{
key = "node-role.kubernetes.io/control-plane"
effect = "NoSchedule"

1
k8s.tjo.cloud/modules/cluster/components.tf
View file

@ -1 +0,0 @@

24677
k8s.tjo.cloud/terraform.tfstate.encrypted
View file

File diff suppressed because one or more lines are too long

5
network.tjo.cloud/openwrt/etc/config/dhcp
View file

@ -1,8 +1,6 @@
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option cachesize '1000'
# Must be larger than limits for interfaces.
@ -17,8 +15,7 @@ config dnsmasq
option min_cache_ttl '60'
option max_cache_ttl '600'
option nonegcache '1'
list rebind_domain 'tjo.cloud'
list rebind_domain 'tjo.space'
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'

1268
network.tjo.cloud/terraform/terraform.tfstate.encrypted
View file

File diff suppressed because it is too large Load diff

14
terraform.tfstate.encrypted
View file

@ -1,8 +1,8 @@
{
"version": "ENC[AES256_GCM,data:BA==,iv:ftxz3zLlkyGhDIdUd80Ku3EGB8QkkUeNbKJTzcJh77g=,tag:v507mQZdqSjgxkO4S6vBGw==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:GLl05o4=,iv:HxzdqzBEEzi39t6XE8528O/bJzR0bj9tEtWrtEQoMmg=,tag:t3Xdwc21uAKtTO033GlGtA==,type:str]",
"serial": "ENC[AES256_GCM,data:oQ==,iv:aH+9YbiVG3tYHfIEmG+trivj2baFTEEWW2fjPWWtJRI=,tag:hw8Fg3oCCSTk139K5BvZlA==,type:float]",
"lineage": "ENC[AES256_GCM,data:t73HIGO9gYTl5DTz18dmr2veILuMjY8C96lWM/Eioq+4AhJn,iv:DlMf8MU9+pXBEVmXoGfxrTbBJa54Zrkarbtr3GuBmNs=,tag:5nflP7V1SQj2P1Ms7Rv8cQ==,type:str]",
"version": "ENC[AES256_GCM,data:BQ==,iv:rJNdrX4h1jsYGhjbRJ0aKOjdg0t6wqnH1uo6usN+MNA=,tag:Q1ZponqY3woDHz/hFBlw7A==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:jWSNHGU=,iv:RoQEtH7fzYEghXdOeyMIciynpZ7uRpA762YWC2CyVM0=,tag:tVsWGPmWHG3cRA0IFOv7Fw==,type:str]",
"serial": "ENC[AES256_GCM,data:Ww==,iv:JgZQe5hIcRjyYdcHsjRVoFGTUiTvxDMXXl8tBGDJCsY=,tag:12UsifaqIc2StUompiCONg==,type:float]",
"lineage": "ENC[AES256_GCM,data:z5cvAistQzlKfIPL0WVBW5MKrKzSGGi+xmYyCeqiwBY3q0k/,iv:rAUnPebtcfNE03KlW74wQ5Nkk9zBo22ISR1VcF1q8Kg=,tag:kOVm1RZnBzp61GuTDUrikg==,type:str]",
"outputs": {},
"resources": [],
"check_results": null,
@ -14,11 +14,11 @@
"age": [
{
"recipient": "age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MVBMWVh2MkdUcjV3NGQ1\nY3dKWkJodHcxUXdxQTlic1dmcnVRdk9OZkdJCkQvaW80WXZCcVppQW4rRm10UTlI\nd2d1bVRXVEh2cGxWMkhtQVppcnVlQTgKLS0tIGIzMTE4YVNZQm5GWEkrNktlU1hL\nM1B4MExOeDlCNEhoS2ZYT2RmMEdnbG8KI8zQnivJC0CoUZNEXukZj/JddTA982PY\ndi+P66rhZyXV5Fm4xnt5Cv+sPaLWWSmfvCHJ8C+pCLNBJDquI6wlAw==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVc1dYQWROelR3Ui9JNFJi\nUkt2SlhFd3FpQmhRbkVQdjhTT0FGbW9nckNvCkpwKzhjc2xrYTg5T2s5UDRSZU1r\nVzJ3ZTA3UjFZYjF4VW91MFpodWpzNkEKLS0tIG9iZVlMekxVMXZiTHpKS0lESnZO\nd2lyeVB1SFA3cnNaRldTQWgvdEI4TGMK9suMJcs0zx6yOiiwVVNCAt4ZSZG1amSL\n7upbCUIgqAYq9NzQYuuhC7oIxLEKZ4CgMFOcS3lbXASdAVdrkBE40w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-03-30T15:03:10Z",
"mac": "ENC[AES256_GCM,data:N4hQu5LcQY6FPoRd1W4nvLUjQNsI2vIOQnm2csmsNiw6UbEVyLZ+v2BpTNS+0YB4ZRR5ULMQJ93KmCWdEiyBdOJN7BcZj78SQD4qiiKk1Ay+7xE+q7+9pXYAKF6N7UjDKcazCgjqQwnYD+K5M1B4GhcOXnq4Q7riT7wygFEsuYc=,iv:Q7PhUFynFQGjmBjNKfsvjsBeiCLk7i/VN0UqjIUNcFs=,tag:7Cqd835FR8C/irx9n8I7gg==,type:str]",
"lastmodified": "2025-04-01T17:05:12Z",
"mac": "ENC[AES256_GCM,data:qS01E4VzXRIp1O9T/+uB66/+7lnZX+eiCqXnVwDeQ+COUBYnMgn+KNogJMQa1uaZNcXhuQAZQTe7Oy2CujWWbqpwZ0a3c2xcwCd/o0W3c/Mkc7oJBWWuyfW4WEQuGF7kT/r1vD9ksbJWU3SUYRTAoOPMIm1x39XKqv5j9QYy2FQ=,iv:XQop+XnZi5o2x4/TizvK02B3e3J81GlzOgvhjpwB7Ic=,tag:372IkOXEvOHxzX4n66XvUw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"