diff options
Diffstat (limited to 'site/intel-pod17/pki')
-rw-r--r-- | site/intel-pod17/pki/pki-catalog.yaml | 299 |
1 files changed, 299 insertions, 0 deletions
diff --git a/site/intel-pod17/pki/pki-catalog.yaml b/site/intel-pod17/pki/pki-catalog.yaml new file mode 100644 index 0000000..d1f9935 --- /dev/null +++ b/site/intel-pod17/pki/pki-catalog.yaml @@ -0,0 +1,299 @@ +--- +# The purpose of this file is to define the PKI certificates for the environment +# +# NOTE: When deploying a new site, this file should not be configured until +# baremetal/nodes.yaml is complete. +# +schema: promenade/PKICatalog/v1 +metadata: + schema: metadata/Document/v1 + name: cluster-certificates + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + certificate_authorities: + kubernetes: + description: CA for Kubernetes components + certificates: + - document_name: apiserver + description: Service certificate for Kubernetes apiserver + common_name: apiserver + hosts: + - localhost + - 127.0.0.1 + # FIXME: Repetition of api_service_ip in common-addresses; use + # substitution + - 10.96.0.1 + kubernetes_service_names: + - kubernetes.default.svc.cluster.local + + # NEWSITE-CHANGEME: The following should be a list of all the nodes in + # the environment (genesis, control plane, data plane, everything). + # Add/delete from this list as necessary until all nodes are listed. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml + # NOTE: The genesis node needs to be defined twice (the first two entries + # on this list) with all of the same paramters except the document_name. + # In the first case the document_name is `kubelet-genesis`, and in the + # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`. + - document_name: kubelet-genesis + common_name: system:node:pod17-jump + hosts: + - pod17-jump + - 10.10.172.20 + groups: + - system:nodes + - document_name: kubelet-pod17-jump + common_name: system:node:pod17-jump + hosts: + - pod17-jump + - 10.10.172.20 + groups: + - system:nodes + - document_name: kubelet-pod17-node1 + common_name: system:node:pod17-node1 + hosts: + - pod17-node1 + - 10.10.172.21 + groups: + - system:nodes + - document_name: kubelet-pod17-node2 + common_name: system:node:pod17-node2 + hosts: + - pod17-node2 + - 10.10.172.22 + groups: + - system:nodes + - document_name: kubelet-pod17-node3 + common_name: system:node:pod17-node3 + hosts: + - pod17-node3 + - 10.10.172.23 + groups: + - system:nodes + - document_name: kubelet-pod17-node4 + common_name: system:node:pod17-node4 + hosts: + - pod17-node4 + - 10.10.172.24 + groups: + - system:nodes + - document_name: kubelet-pod17-node5 + common_name: system:node:pod17-node5 + hosts: + - pod17-node5 + - 10.10.172.25 + groups: + - system:nodes + # End node list + - document_name: scheduler + description: Service certificate for Kubernetes scheduler + common_name: system:kube-scheduler + - document_name: controller-manager + description: certificate for controller-manager + common_name: system:kube-controller-manager + - document_name: admin + common_name: admin + groups: + - system:masters + - document_name: armada + common_name: armada + groups: + - system:masters + kubernetes-etcd: + description: Certificates for Kubernetes's etcd servers + certificates: + - document_name: apiserver-etcd + description: etcd client certificate for use by Kubernetes apiserver + common_name: apiserver + # NOTE(mark-burnett): hosts not required for client certificates + - document_name: kubernetes-etcd-anchor + description: anchor + common_name: anchor + # NEWSITE-CHANGEME: The following should be a list of the control plane + # nodes in the environment, including genesis. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # 4. 127.0.0.1 + # 5. localhost + # 6. kubernetes-etcd.kube-system.svc.cluster.local + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml, except for the kubernetes + # service_cidr where it should start with the second IP in the range. + # NOTE: The genesis node is defined twice with the same `hosts` data: + # Once with its hostname in the common/document name, and once with + # `genesis` defined instead of the host. For now, this duplicated + # genesis definition is required. FIXME: Remove duplicate definition + # after Promenade addresses this issue. + - document_name: kubernetes-etcd-genesis + common_name: kubernetes-etcd-genesis + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-jump + common_name: kubernetes-etcd-pod17-jump + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-node1 + common_name: kubernetes-etcd-pod17-node1 + hosts: + - pod17-node1 + - 10.10.172.21 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-node2 + common_name: kubernetes-etcd-pod17-node2 + hosts: + - pod17-node2 + - 10.10.172.22 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + # End node list + kubernetes-etcd-peer: + certificates: + # NEWSITE-CHANGEME: This list should be identical to the previous list, + # except that `-peer` has been appended to the document/common names. + - document_name: kubernetes-etcd-genesis-peer + common_name: kubernetes-etcd-genesis-peer + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-jump-peer + common_name: kubernetes-etcd-pod17-jump-peer + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-node1-peer + common_name: kubernetes-etcd-pod17-node1-peer + hosts: + - pod17-node1 + - 10.10.172.21 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + - document_name: kubernetes-etcd-pod17-node2-peer + common_name: kubernetes-etcd-pod17-node2-peer + hosts: + - pod17-node2 + - 10.10.172.22 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - 10.96.0.2 + # End node list + calico-etcd: + description: Certificates for Calico etcd client traffic + certificates: + - document_name: calico-etcd-anchor + description: anchor + common_name: anchor + # NEWSITE-CHANGEME: The following should be a list of the control plane + # nodes in the environment, including genesis. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # 4. 127.0.0.1 + # 5. localhost + # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml + - document_name: calico-etcd-pod17-jump + common_name: calico-etcd-pod17-jump + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-pod17-node1 + common_name: calico-etcd-pod17-node1 + hosts: + - pod17-node1 + - 10.10.172.21 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-pod17-node2 + common_name: calico-etcd-pod17-node2 + hosts: + - pod17-node2 + - 10.10.172.22 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node + common_name: calcico-node + # End node list + calico-etcd-peer: + description: Certificates for Calico etcd clients + certificates: + # NEWSITE-CHANGEME: This list should be identical to the previous list, + # except that `-peer` has been appended to the document/common names. + - document_name: calico-etcd-pod17-jump-peer + common_name: calico-etcd-pod17-jump-peer + hosts: + - pod17-jump + - 10.10.172.20 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-pod17-node1-peer + common_name: calico-etcd-pod17-node1-peer + hosts: + - pod17-node1 + - 10.10.172.21 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-pod17-node2-peer + common_name: calico-etcd-pod17-node2-peer + hosts: + - pod17-node2 + - 10.10.172.22 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node-peer + common_name: calcico-node-peer + # End node list + keypairs: + - name: service-account + description: Service account signing key for use by Kubernetes controller-manager. +... |