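# This file is part of Cisco Modeling Labs
# Copyright (c) 2019-2026, Cisco Systems, Inc.
# All rights reserved.
#
# Becoming a Hacker CML configuration for US East 1 (South Carolina)
# at this time, "aws", "azure", and "gcp" are defined targets
# make sure that you ran the prepare.sh / prepare.bat script!
#
# NOTE(review): indentation in this copy was restored from a flattened
# rendering. The nesting of 'bgp' and 'cml_custom_external_connections'
# under 'gcp' follows the surrounding keys; confirm it against the consuming
# Terraform module before relying on it.
---
target: gcp

aws:
  region: us-east-1
  availability_zone: us-east-1a
  bucket: bucket-name-goes-here
  # flavor: c5.2xlarge
  flavor: m5zn.metal
  flavor_compute: m5zn.metal
  profile: permission-profile-goes-here
  # when specifying a VPC ID below then this prefix must exist on that VPC!
  public_vpc_ipv4_cidr: 10.0.0.0/16
  # Not the active target in this file (see 'target: gcp' above).
  enable_ebs_encryption: false
  # leave empty to create a custom VPC / Internet gateway, or provide the IDs
  # of the VPC / gateway to use, they must exist and be properly associated.
  # also: an IPv6 CIDR prefix must be associated with the specified VPC
  vpc_id: ""
  gw_id: ""
  spot_instances:
    use_spot_for_controller: false
    use_spot_for_computes: false

azure:
  resource_group: resource-group-name
  size: Standard_D4d_v4
  size_compute: unused_at_the_moment
  storage_account: storage-account-name
  container_name: container-name

# TODO cmm - Put secrets in secret manager
gcp:
  # Path to JSON-formatted service account key file. Not required if using
  # 'gcloud auth application-default login' to authenticate to Google Cloud.
  # Leave empty in this case.
  credentials:
  # SSH public keys to add to controller and compute instances. Leave empty to
  # inherit from the project's metadata. Automatically creates user with sudo
  # privileges. NOTE: The controller and computes should listen on SSH port
  # 1122 for these credentials. SSH port 22 is used for the built-in CML
  # console server.
  #
  # Format: <user>:<ssh-key-type> <ssh public key> [<optional comment>]
  # e.g.
  #
  # ssh_keys: |
  #   cml_user:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDAqIBESzn9J9rdSLarhyU6GNycV+43DkdkNzSgfLrP
  #   cml_admin:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFogojMnu6vXM1G1sMQv3boRvs6PxpUTIUw/GI7QrTaH
  #
  # https://cloud.google.com/compute/docs/instances/access-overview
  #
  # It's recommended not to use this. Use OS-Login through the Identity Aware
  # Proxy instead:
  # ```shell
  # gcloud compute instances list --project=gcp-asigbahgcp-nprd-47930
  # NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
  # cml-controller us-east1-b n2-standard-4 10.64.1.2 172.98.19.192 RUNNING
  # 2602:80a:f004:301:0:0:0:0/96
  # cml-compute-p08x us-east1-d n2-highmem-32 10.64.1.208 2602:80a:f004:301:0:4e:0:0/96 RUNNING
  #
  # gcloud compute ssh cml-controller --project=gcp-asigbahgcp-nprd-47930 --zone=us-east1-b --tunnel-through-iap --ssh-flag='-p1122'
  # ...
  # Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.17.0-1009-gcp x86_64)
  # ...
  # Version: 2.10.0+build.2
  # This host is a controller
  # Compute ID: da186159-0f43-4347-bd9b-f56335df3267
  #
  # cmm_cisco_com@cml-controller:~$
  # ```
  ssh_keys:
  # Google Cloud Platform project, region, and availability zone. Required.
  # Note that the zone 'us-east1-a' doesn't exist, or isn't available to you.
  # This zone is only used for controller, and the compute nodes will be spread
  # across available zones in the region.
  project: gcp-asigbahgcp-nprd-47930
  region: us-east1
  zone: us-east1-b
  # CML service account ID to use. If left empty, a new service account will be
  # created using 'cml-service-account-' and a random suffix. Otherwise
  # service_account_id must match an existing service account.
  #service_account_id: cml-service-account
  service_account_id:
  # Google Cloud Storage bucket for machine images. Required. The bucket must contain
  # cml2 packages and refplat images.
  bucket: bah-machine-images
  # Google Cloud Storage bucket for /var/lib/libvirt/images. Required.
  libvirt_images_bucket: bah-libvirt-images-ue1
  # Create a new network. If set to 'false', the network indicated by
  # 'network_name' is used.
  network_create: true
  # CML Network name. If network_create is set to true, a new network will be
  # created with the name 'cml-network-', and a random suffix. Otherwise
  # network_name MUST match an existing network. The existing network MUST be
  # created Custom (no automatic subnets across all regions) with an IPv6 ULA
  # assigned.
  network_name:
  # IPv6 Unique Local Address (ULA) CIDR block. Used for internal CML
  # communications between machines. MUST be a /48 and MUST be in the range
  # fd20::/20. Leave empty to have Google create one for you, or use an
  # existing network. In either case of creating a new network or using an
  # existing network, and not using an all-in-one deployment, a ULA is required.
  # https://unique-local-ipv6.com/
  #network_internal_v6_ula_cidr: fd20:c97:6372:0::/48
  network_internal_v6_ula_cidr:
  # Network MTU. Leave empty to use the default of 1460 octets. If not creating
  # a new network, MUST match the existing network MTU. May contain the values
  # 1460, 1500 and 8896. 8896 is recommended to minimize fragmentation of tunneled
  # packets between nodes.
  network_mtu: 8896
  # IP collection. Used to set the BYOIPv6 for the controller subnet.
  subnet_ip_collection: regions/us-east1/publicDelegatedPrefixes/asig-bah-prod-us-east1-net-2602-80a-f004-300-56
  # CML firewall policy name. Leave empty to use an existing firewall policy
  # associated with the network indicated above. VPC firewall rules are not
  # supported. Only network firewall policies are supported.
  network_firewall_policy_name: cml-firewall-policy
  # Starting priority for defining firewall rules in the supplied firewall
  # policy. Lower numbers are processed first. Must not overlap with existing
  # rules. Recommend leaving room for 100 rules for growth.
  network_firewall_rule_start_priority: 100
  network_firewall_rule_end_priority: 199
  # CML controller subnet name and IPv4 CIDR block. Leave
  # 'controller_subnet_cidr' empty to use existing subnet. Existing subnet MUST
  # have dual-stack IPv6 enabled with EXTERNAL access type. If creating
  # a new subnet, it will be an EXTERNAL access type.
  controller_subnet_name: cml-controller-subnet
  controller_subnet_cidr: 10.64.1.0/24
  # CML controller address name. Used to pick up a BYOIPv4 address for the
  # controller. Must match the reserved address resource name in GCP (not the
  # CIDR alone). Offensive Summit temp: 172.98.18.0/25 BYOIPv4 pool.
  controller_address_name: address-172-98-18-0
  # CML compute subnet name and IPv4 CIDR block. Only needed if
  # cluster.enable_cluster is set to 'true'. Leave 'compute_subnet_cidr' empty
  # to use an existing subnet. Existing subnet must have dual-stack IPv6 enabled,
  # with EXTERNAL or INTERNAL access type. If creating a new subnet, it will be
  # INTERNAL access type and compute machines will not have Internet access.
  # Can be the same name as the controller subnet, just leave 'compute_subnet_cidr'
  # empty in this case.
  compute_subnet_name: cml-compute-subnet
  compute_subnet_cidr: 10.64.2.0/24
  # Private Service Connect CIDR block. Leave 'private_service_connnect_cidr'
  # empty to use an existing subnet. In both cases, required.
  # Access to internal Google services, such as logging and metrics, for
  # machines that don't have Internet access, such as computes. Not required
  # if cluster.enable_cluster is set to 'false'.
  # (The key spelling 'connnect' is what the consuming code reads; do not
  # "correct" it here without changing the consumer.)
  private_service_connnect_subnet_name: cml-private-service-connect-subnet
  private_service_connnect_cidr: 10.64.3.0/24
  # Use a load balancer for external access. If set to true, a load balancer
  # will be created and the DNS A/AAAA records will be updated with the load balancer's
  # IP addresses. If set to false or empty, the controller's external IP address
  # will be all that is available to you.
  enable_load_balancer: true
  # Target instance configuration for protocol forwarding. A target instance
  # allows forwarding rules to direct traffic directly to the CML controller
  # without going through a load balancer. Useful for non-HTTP protocols like
  # SSH (port 1122), or any TCP/UDP traffic that needs direct VM access.
  # https://cloud.google.com/compute/docs/protocol-forwarding
  target_instance:
    # Enable creation of the target instance. If set to true, a target instance
    # will be created pointing to the CML controller.
    enable: true
    # Name for the target instance. Leave empty to auto-generate using
    # 'cml-target-instance-' and a random suffix.
    name:
    # NAT policy for the target instance. Can be 'NO_NAT' or leave empty for
    # default behavior. NO_NAT means the original client IP is preserved.
    nat_policy: NO_NAT
  # DNS zone name and load balancer FQDNs. Only needed if
  # 'enable_load_balancer' is set to 'true' and 'load_balancer_fqdns' has
  # fully-qualified domain names provided, it automatically creates HTTPS
  # certificates. In addition, if 'dns_zone_name' is provided, A/AAAA
  # records will be created for the controller hostname. A CAA record
  # is required.
  # https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
  dns_zone_name: becomingahacker-com
  load_balancer_fqdns:
    - becomingahacker.com
    - labs.becomingahacker.com
  # Enable Identity-Aware Proxy (IAP) for the load balancer. If set to 'true',
  # you will need to log in with your Google account to access the controller.
  # If set to 'false', the controller will be accessible anonymously to any user
  # that has a valid CML credential.
  #
  # Setting to 'true' is strongly recommended if using a load balancer, since it
  # DOES NOT currently support common.allowed_ipv4_subnets. Note that if IAP is
  # enabled, the Breakout tool or API access via a JSON web token is not
  # currently supported.
  #
  # https://cloud.google.com/iap/docs/concepts-overview
  #
  enable_iap: true
  # Google Groups allowed to sign in through IAP to the HTTPS load balancer (member
  # format as in IAM: group:GROUP_EMAIL). Only used when enable_iap is true. Include
  # the service account that will be used to programmatically access the IAP-protected
  # application.
  #
  # NOTE(review): the 'domain:cisco.com' member admits every account in that
  # domain, so the group entries above no longer narrow who can sign in.
  # Remove it if access is meant to be limited to the listed groups and the
  # service account.
  iap_https_access_groups:
    - group:gcp-hackers@cisco.com
    - group:gcp-script-kiddies@cisco.com
    - serviceAccount:bah-programmatic-access@gcp-asigbahgcp-nprd-47930.iam.gserviceaccount.com
    - domain:cisco.com
  # https://console.cloud.google.com/auth/clients?project=gcp-asigbahgcp-nprd-47930
  #
  # Important: IAP-protected applications that use the Google-managed OAuth
  # client must be accessed programmatically using a separate OAuth client ID
  # configured through the programmatic_clients setting. You almost certainly want
  # to configure this.
  #
  # Extra allowed redirect URIs for the IAM OAuth client (required).
  # https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID_FROM_OUTPUT:handleRedirect
  #
  # Documentation:
  # https://docs.cloud.google.com/iap/docs/custom-oauth-configuration
  # BAH-programmatic-access OAuth2 Client ID - **Created manually in the WebUI.**
  # (This is the public client identifier only; the client secret lives in the
  # secrets manager, see secret.secrets.iap_oauth2_client_secret below.)
  iap_programmatic_oauth_client_id: 344691804483-6qe8toekh0trb8a3hipistrueq8drah8.apps.googleusercontent.com
  #
  # Example:
  # ```shell
  # curl -s https://becomingahacker.com/ -H "Proxy-Authorization: Bearer $(gcloud auth print-identity-token \
  #   --impersonate-service-account=bah-programmatic-access@gcp-asigbahgcp-nprd-47930.iam.gserviceaccount.com \
  #   --include-email \
  #   --audiences=344691804483-6qe8toekh0trb8a3hipistrueq8drah8.apps.googleusercontent.com )"
  # ```
  # BGP configuration. Used for BGP EVPN and BGP peering with custom external
  # networks.
  bgp:
    local_as: 65000
  # Custom external connections in libvirt to labs. Used for routing from the
  # cloud provider into the labs. Only one external connection is supported at
  # this time.
  # WARNING: Changing these after the controller is created forces a recreation
  # of the controller, and all existing labs are lost!
  cml_custom_external_connections:
    # Name of the virtual network. Also used for the bridge name. Must be
    # unique and begin with the prefix `virbr`.
    bridge0:
      # MAC address of the bridge. Should be unique.
      mac_address: '02:00:00:00:00:01'
      # MTU for bridge. Leave empty to use VPC network MTU. Recommend limiting
      # to 1500 octets if using IPv6 SLAAC or DHCPv4, and attached node doesn't
      # support Option 26 to set MTU.
      mtu: 1500
      # Bridge forward mode. Can be set to 'nat', 'route', or 'open'
      # https://libvirt.org/formatnetwork.html#connectivity
      # NOTE(review): in 'open' mode libvirt installs no firewall rules of its
      # own, so what reaches the labs is bounded only by the GCP firewall
      # policy and the BGP prefix lists below — confirm that is intended.
      forward_mode: open
      # IPv4 CIDR block. First address is the gateway, and the rest available
      # for DHCPv4 or static addressing. IPv6 uses the /96 prefix assigned
      # to the controller from its attached subnet. DHCP(v6) range is hardcoded
      # to start at the middle, and assumes /24 (or /112). This is to make
      # room for static IPs at the beginning of the range. If using BYOIPv4,
      # you must have the addresses available for the subnet.
      # Offensive Summit temp (us-east1): /25 for ~125 pod /32s + controller space.
      cidr: 172.98.18.0/25
      # "first" or "last" for the gateway address.
      gateway: last
      # IP collection for BYOIPv6 used with the network load balancer for
      # protocol forwarding. Must match the public delegated prefix name in GCP
      # for the NLB IPv6 pool (verify with gcloud compute public-delegated-prefixes list).
      # Offensive Summit temp: /48 covering 256 x /56 pod blocks (us-east1).
      load_balancer_ip_collection_v6: regions/us-east1/publicDelegatedPrefixes/asig-bah-prod-us-east1-nlb-2602-80a-f006-48
      # IPv6 CIDR block. Used for protocol forwarding. The first /64 is used
      # for the CML controller. The second available /64 is used for the first
      # pod. The number of /64s forwarded for pods is equal to the number of
      # IPv4 addresses available for pods, plus the /64 for the CML controller.
      cidr_v6: 2602:80a:f006::/48
      # "first" or "last" for the IPv6 gateway address on bridge0. Only the last
      # 16 bits are used. "last" corresponds to e.g. 2602:80a:f006::ffff
      # 2602:80a:f006::8000 to 2602:80a:f006::fffe are reserved for DHCPv6.
      gateway_v6: last
      # BGP configuration. Leave empty (null) to disable BGP. If enabled, the
      # 'remote_as' setting is used for the BGP peer AS number.
      bgp:
        remote_as: 65001
        ipv4:
          # Originate a default route, 0.0.0.0/0. Likely needed if the lab
          # needs Internet access.
          originate_default: true
          # Intentionally crappy prefix lists. Let the students be creative, but
          # not _too_ creative. The Google Cloud prefixes won't work past,
          # or be advertised outside, the controller. The controller uses /32
          # and /128 directly connected networks, so I think this is fairly
          # low risk to allow BGP to the labs and not be overridden. Specifically
          # I don't want bogons like 169.254.169.254/32 to be allowed in. I
          # believe Google uses different ranges for their own APIs, which
          # should not be included. I'll probably have to "eat my hat" later
          # if I'm wrong.
          # Google Cloud IPv4/IPv6 prefixes for BGP are prepended by Terraform from
          # https://www.gstatic.com/ipranges/cloud.json (service Google Cloud,
          # scope = gcp.region and scope global). List only additional prefixes here.
          # https://github.com/femueller/cloud-ip-ranges
          allow_in:
            # STO-ASIG-IPV4 (Offensive Summit temp, us-east1 BYOIPv4 /25)
            - cidr: 172.98.18.0/25
              le: 32
            # Labs
            - cidr: 10.0.0.0/10
              le: 32
          allow_out:
            # STO-ASIG-IPV4 (Offensive Summit temp)
            - cidr: 172.98.18.0/25
              le: 32
            # Labs
            - cidr: 10.0.0.0/10
              le: 32
            # Default
            - cidr: 0.0.0.0/0
        ipv6:
          # Originate a default route, ::/0. Likely needed if the lab
          # needs Internet access
          originate_default: true
          allow_in:
            # Offensive Summit temp (us-east1 BYOIPv6 /48; /56 blocks and more-specifics)
            - cidr: 2602:80a:f006::/48
              ge: 56
          allow_out:
            # Offensive Summit temp
            - cidr: 2602:80a:f006::/48
              ge: 56
            # Default
            - cidr: ::/0
  # Controller machine type. 4 VCPUs or higher are required.
  #controller_machine_type: n2-highmem-4
  controller_machine_type: n2-standard-4
  # This varies based on machine type and attached hardware. You should be
  # fairly safe using this with N2 series. They do move around if you add
  # scratch disks, e.g. for GCS FUSE cache.
  controller_primary_interface_name: ens5
  # Controller image family. Provides access to the most recent custom image
  # for the control machine. Leave empty to use 'ubuntu-2404-lts-amd64'.
  # If using a custom image family, an apt update and upgrade will NOT be
  # performed at install time. If empty, an apt update and upgrade will be
  # performed.
  controller_image_family: cloud-cml-controller-amd64
  # Compute machine provisioning model. Can be 'on-demand' or 'spot'. Required
  # if cluster.enable_cluster is set to 'true'.
  #
  # IMPORTANT NOTE: Spot instances may be terminated at any time by Google Cloud,
  # and existing node state MUST be wiped and data WILL BE LOST. An advantage of
  # spot instances is that they are far less expensive than on-demand instances.
  #
  compute_machine_provisioning_model: on-demand
  #compute_machine_provisioning_model: spot
  # Compute image family. Provides access to the most recent custom image for
  # the compute machine. Leave empty to use 'ubuntu-2404-lts-amd64'. Used for both
  # provisioning models. If using a custom image family, an apt update and
  # upgrade will NOT be performed at install time. If empty, an apt update and
  # upgrade will be performed.
  compute_image_family: cloud-cml-compute-amd64
  # On-demand compute machine type. Required if
  # compute_machine_provisioning_model is 'on-demand'. If still specified and
  # compute_machine_provisioning_model is 'spot', this value will be used to create
  # an instance group with zero instances for easy scale-up of reliable machines.
  #compute_on_demand_machine_type: n2-standard-4
  #compute_on_demand_machine_type: n2-highmem-4
  compute_on_demand_machine_type: n2-highmem-32
  # Spot compute machine type. Required if compute_machine_provisioning_model
  # is 'spot'. If still specified and compute_machine_provisioning_model
  # is 'on-demand', this value will be used to create an instance group with zero
  # instances for easy scale-up of inexpensive, but unreliable, machines.
  compute_spot_machine_type: n2-highmem-32
  #compute_spot_machine_type: n2-highmem-4
  # This varies based on machine type. You should be fairly safe using these
  # with N2 series. They do move around if you add local storage, e.g. for
  # GCS FUSE cache.
  compute_primary_interface_name: ens5

common:
  disk_size: 128
  controller_hostname: cml-controller
  # SSH key_name is not supported on GCP and is ignored.
  key_name: ssh-key-name
  # Source ranges permitted to reach the controller. Note the IAP comment above:
  # this list is NOT applied to the load balancer path. The Google-owned ranges
  # below are published values that change over time; re-check them when
  # reviewing this file.
  allowed_ipv4_subnets:
    # GCE cml-subnet
    - "10.64.1.0/24"
    # TODO cmm - these should be integrated into the terraform code if the load balancer is enabled
    # GCE Health Checkers
    - "35.191.0.0/16"
    - "209.85.152.0/22"
    - "209.85.204.0/22"
    # Google Front End
    - "34.96.0.0/16"
    - "34.127.0.0/16"
    # Google Identity Aware Proxy
    - "130.211.0.0/22"
    - "35.235.240.0/20"
    # RTP NAT pool
    - "173.38.117.64/26"
    # cmm
    - "23.116.118.232/29"
    # cmm
    - "99.69.22.234/32"
    # ASIG
    - "64.100.197.0/24"
    - "64.100.220.0/23"
  # PaTTY is not supported on GCP at this time. Must be set to 'false' in
  # this case.
  enable_patty: false

cluster:
  enable_cluster: true
  # No longer used, see the secret manager section below
  #secret: your-secret-password
  allow_vms_on_controller: false
  number_of_compute_nodes: 1
  compute_hostname_prefix: cml-compute
  compute_disk_size: 128

secret:
  # At this time, 'vault', 'conjur' and 'dummy' are supported secrets managers.
  # Make sure that you also run the prepare.sh / prepare.bat script, otherwise
  # a 'raw_secret' will be used. If 'raw_secret' is not defined, a random
  # password will be used.
  # https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
  #manager: vault
  manager: conjur
  #manager: dummy
  # Left empty here; per the note above, prepare.sh / prepare.bat is expected
  # to supply the Conjur settings.
  conjur:
  vault:
    # Only the v2 version of the key value secret engine is supported
    # https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2
    kv_secret_v2_mount: secret
    # Set this to true to prevent the creation of ephemeral child token used by this provider.
    skip_child_token: true
  # These are the secrets that will be used by the CML instances. This key
  # gets mapped to the main configuration under 'secrets'. The values are
  # filled in by the secrets manager and are accessible using the 'secret'. For
  # example, the 'app' password is accessed using 'secrets.app.secret'. The
  # SmartLicense token is accessed using 'secrets.smartlicense_token.secret'.
  # Only secret *paths* are committed here; no secret values belong in this file.
  secrets:
    app:
      username: admin
      # Used with dummy secret manager. If unspecified, a random password will
      # be generated. You need to escape special chars:
      #raw_secret: '\"!@$%'
      #raw_secret: your-secret-password
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/admin_password
      # Used with Vault only:
      #field: secret
    sys:
      username: sysadmin
      # Used with dummy secret manager. If unspecified, a random password will
      # be generated.
      #raw_secret: your-secret-password
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/sysadmin_password
      # Used with Vault only:
      #field: secret
    # https://software.cisco.com/clc/licensing/assigned
    smartlicense_token:
      # Only used with dummy secret manager
      #raw_secret: your-smart-licensing-token
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/license_token
      # Used with Vault only:
      #field: token
    cluster:
      # Used with dummy secret manager. If unspecified, a random password will
      # be generated.
      #raw_secret: your-secret-password
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/cluster_secret
      # Used with Vault only:
      #field: secret
    iap_oauth2_client_id:
      # Used with dummy secret manager. If unspecified, a random password will
      # be generated.
      #raw_secret: your-secret-password
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/iap_oauth2_client_id
      # Used with Vault only:
      #field: secret
    iap_oauth2_client_secret:
      # Used with dummy secret manager. If unspecified, a random password will
      # be generated.
      #raw_secret: your-secret-password
      # Path to secret, used with both Vault and Conjur:
      path: sto/becomingahacker/secret/common/becomingahacker.com/prod/host/cml-0.becomingahacker.com/iap_oauth2_client_secret
      # Used with Vault only:
      #field: secret

app:
  # **No longer used, see the secret manager section above**
  #user: admin
  #pass: your-secret-password
  # HACK cmm - this is not used, but is required by the code. Fix the code.
  software: not-used
  # The list must have at least ONE element, this is what the dummy is for in
  # case 00- and 01- are commented out!
  customize:
    # - 00-patch_vmx.sh
    - 99-dummy.sh

license:
  flavor: CML_Enterprise
  # **No longer used, see the secret manager section above**
  #token: your-smart-licensing-token
  # Unless you have additional node licenses available, leave this at zero
  nodes: 0

# Select the reference platforms needed by un-/commenting them. The selected
# reference platforms will be copied from the specified cloud storage and must
# be available prior to starting an instance. Ensure that each definition has
# also a corresponding image! A smaller selection: less copying, faster bring-up
# time!
refplat:
  definitions: []
  #  - alpine
  #  - alpine-trex
  #  - alpine-wanem
  #  - asav
  #  - cat8000v
  #  - cat9000v-q200
  #  - cat9000v-uadp
  #  - cat-sdwan-edge
  #  - cat-sdwan-controller
  #  - cat-sdwan-manager
  #  - cat-sdwan-validator
  #  - cat-sdwan-vedge
  #  - csr1000v
  #  - desktop
  #  - iol-xe
  #  - ioll2-xe
  #  - iosv
  #  - iosvl2
  #  - iosxrv9000
  #  - nxosv9000
  #  - server
  #  - ubuntu
  images: []
  #  - alpine-base-3-19-1
  #  - alpine-trex-3-19-1
  #  - alpine-wanem-3-19-1
  #  - asav-9-20-2
  #  - cat8000v-17-13-01a
  #  - cat9000v-q200-17-12-01prd9
  #  - cat9000v-uadp-17-12-01prd9
  #  - cat-sdwan-edge-17-13-01a
  #  - cat-sdwan-controller-20-13-1
  #  - cat-sdwan-manager-20-13-1
  #  - cat-sdwan-validator-20-13-1
  #  - cat-sdwan-vedge-20-13-1
  #  - csr1000v-17-03-068a
  #  - desktop-3-19-1-xfce
  #  - iol-xe-17-12-01
  #  - ioll2-xe-17-12-01
  #  - iosv-159-3-m8
  #  - iosvl2-2020
  #  - iosxrv9000-7-11-1
  #  - nxosv9300-10-4-2-f
  #  - server-tcl-14-0
  #  - ubuntu-22-04-20240126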