--- # The purpose of this file is to define the PKI certificates for the environment # # NOTE: When deploying a new site, this file should not be configured until # baremetal/nodes.yaml is complete. # schema: promenade/PKICatalog/v1 metadata: schema: metadata/Document/v1 name: cluster-certificates layeringDefinition: abstract: false layer: site storagePolicy: cleartext data: certificate_authorities: kubernetes: description: CA for Kubernetes components certificates: - document_name: apiserver description: Service certificate for Kubernetes apiserver common_name: apiserver hosts: - localhost - 127.0.0.1 # FIXME: Repetition of api_service_ip in common-addresses; use # substitution - 10.96.0.1 kubernetes_service_names: - kubernetes.default.svc.cluster.local # NEWSITE-CHANGEME: The following should be a list of all the nodes in # the environment (genesis, control plane, data plane, everything). # Add/delete from this list as necessary until all nodes are listed. # For each node, the `hosts` list should be comprised of: # 1. The node's hostname, as already defined in baremetal/nodes.yaml # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml # NOTE: This list also needs to include the Genesis node, which is not # listed in baremetal/nodes.yaml, but by convention should be allocated # the first non-reserved IP in each logical network allocation range # defined in networks/physical/networks.yaml # NOTE: The genesis node needs to be defined twice (the first two entries # on this list) with all of the same paramters except the document_name. # In the first case the document_name is `kubelet-genesis`, and in the # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`. - document_name: kubelet-genesis common_name: system:node:pod17-jump hosts: - pod17-jump - 10.10.172.20 groups: - system:nodes - document_name: kubelet-pod17-jump common_name: system:node:pod17-jump hosts: - pod17-jump - 10.10.172.20 groups: - system:nodes - document_name: kubelet-pod17-node1 common_name: system:node:pod17-node1 hosts: - pod17-node1 - 10.10.172.21 groups: - system:nodes - document_name: kubelet-pod17-node2 common_name: system:node:pod17-node2 hosts: - pod17-node2 - 10.10.172.22 groups: - system:nodes - document_name: kubelet-pod17-node3 common_name: system:node:pod17-node3 hosts: - pod17-node3 - 10.10.172.23 groups: - system:nodes - document_name: kubelet-pod17-node4 common_name: system:node:pod17-node4 hosts: - pod17-node4 - 10.10.172.24 groups: - system:nodes - document_name: kubelet-pod17-node5 common_name: system:node:pod17-node5 hosts: - pod17-node5 - 10.10.172.25 groups: - system:nodes # End node list - document_name: scheduler description: Service certificate for Kubernetes scheduler common_name: system:kube-scheduler - document_name: controller-manager description: certificate for controller-manager common_name: system:kube-controller-manager - document_name: admin common_name: admin groups: - system:masters - document_name: armada common_name: armada groups: - system:masters kubernetes-etcd: description: Certificates for Kubernetes's etcd servers certificates: - document_name: apiserver-etcd description: etcd client certificate for use by Kubernetes apiserver common_name: apiserver # NOTE(mark-burnett): hosts not required for client certificates - document_name: kubernetes-etcd-anchor description: anchor common_name: anchor # NEWSITE-CHANGEME: The following should be a list of the control plane # nodes in the environment, including genesis. # For each node, the `hosts` list should be comprised of: # 1. The node's hostname, as already defined in baremetal/nodes.yaml # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml # 4. 127.0.0.1 # 5. localhost # 6. kubernetes-etcd.kube-system.svc.cluster.local # NOTE: This list also needs to include the Genesis node, which is not # listed in baremetal/nodes.yaml, but by convention should be allocated # the first non-reserved IP in each logical network allocation range # defined in networks/physical/networks.yaml, except for the kubernetes # service_cidr where it should start with the second IP in the range. # NOTE: The genesis node is defined twice with the same `hosts` data: # Once with its hostname in the common/document name, and once with # `genesis` defined instead of the host. For now, this duplicated # genesis definition is required. FIXME: Remove duplicate definition # after Promenade addresses this issue. - document_name: kubernetes-etcd-genesis common_name: kubernetes-etcd-genesis hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-jump common_name: kubernetes-etcd-pod17-jump hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-node1 common_name: kubernetes-etcd-pod17-node1 hosts: - pod17-node1 - 10.10.172.21 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-node2 common_name: kubernetes-etcd-pod17-node2 hosts: - pod17-node2 - 10.10.172.22 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 # End node list kubernetes-etcd-peer: certificates: # NEWSITE-CHANGEME: This list should be identical to the previous list, # except that `-peer` has been appended to the document/common names. - document_name: kubernetes-etcd-genesis-peer common_name: kubernetes-etcd-genesis-peer hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-jump-peer common_name: kubernetes-etcd-pod17-jump-peer hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-node1-peer common_name: kubernetes-etcd-pod17-node1-peer hosts: - pod17-node1 - 10.10.172.21 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 - document_name: kubernetes-etcd-pod17-node2-peer common_name: kubernetes-etcd-pod17-node2-peer hosts: - pod17-node2 - 10.10.172.22 - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 # End node list calico-etcd: description: Certificates for Calico etcd client traffic certificates: - document_name: calico-etcd-anchor description: anchor common_name: anchor # NEWSITE-CHANGEME: The following should be a list of the control plane # nodes in the environment, including genesis. # For each node, the `hosts` list should be comprised of: # 1. The node's hostname, as already defined in baremetal/nodes.yaml # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml # 4. 127.0.0.1 # 5. localhost # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml # NOTE: This list also needs to include the Genesis node, which is not # listed in baremetal/nodes.yaml, but by convention should be allocated # the first non-reserved IP in each logical network allocation range # defined in networks/physical/networks.yaml - document_name: calico-etcd-pod17-jump common_name: calico-etcd-pod17-jump hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-etcd-pod17-node1 common_name: calico-etcd-pod17-node1 hosts: - pod17-node1 - 10.10.172.21 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-etcd-pod17-node2 common_name: calico-etcd-pod17-node2 hosts: - pod17-node2 - 10.10.172.22 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-node common_name: calcico-node # End node list calico-etcd-peer: description: Certificates for Calico etcd clients certificates: # NEWSITE-CHANGEME: This list should be identical to the previous list, # except that `-peer` has been appended to the document/common names. - document_name: calico-etcd-pod17-jump-peer common_name: calico-etcd-pod17-jump-peer hosts: - pod17-jump - 10.10.172.20 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-etcd-pod17-node1-peer common_name: calico-etcd-pod17-node1-peer hosts: - pod17-node1 - 10.10.172.21 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-etcd-pod17-node2-peer common_name: calico-etcd-pod17-node2-peer hosts: - pod17-node2 - 10.10.172.22 - 127.0.0.1 - localhost - 10.96.232.136 - document_name: calico-node-peer common_name: calcico-node-peer # End node list keypairs: - name: service-account description: Service account signing key for use by Kubernetes controller-manager. ...