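---
# The purpose of this file is to define the PKI certificates for the environment
#
# NOTE: When deploying a new site, this file should not be configured until
# baremetal/nodes.yaml is complete.
#
# This document holds no private key material: it only names the CAs to create
# and, per certificate, the subject (common_name), the SAN hosts and the
# Kubernetes groups to encode. That is why cleartext storage is acceptable below.
#
schema: promenade/PKICatalog/v1
metadata:
  schema: metadata/Document/v1
  name: cluster-certificates
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
data:
  certificate_authorities:
    kubernetes:
      description: CA for Kubernetes components
      certificates:
        - document_name: apiserver
          description: Service certificate for Kubernetes apiserver
          common_name: apiserver
          # Every name or address clients use to reach the apiserver must be a
          # SAN here, otherwise TLS verification fails for that client.
          hosts:
            - localhost
            - 127.0.0.1
            # FIXME: Repetition of api_service_ip in common-addresses; use
            # substitution
            - 10.96.0.1
          kubernetes_service_names:
            - kubernetes.default.svc.cluster.local
        # NEWSITE-CHANGEME: The following should be a list of all the nodes in
        # the environment (genesis, control plane, data plane, everything).
        # Add/delete from this list as necessary until all nodes are listed.
        # For each node, the `hosts` list should be comprised of:
        # 1. The node's hostname, as already defined in baremetal/nodes.yaml
        # 2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        # NOTE: The genesis node needs to be defined twice (the first two entries
        # on this list) with all of the same parameters except the document_name.
        # In the first case the document_name is `kubelet-genesis`, and in the
        # second case the document_name format is `kubelet-YOUR_GENESIS_HOSTNAME`.
        # NOTE: `system:node:<hostname>` plus group `system:nodes` is the identity
        # the Node authorizer keys on; the hostname in common_name and the first
        # `hosts` entry of each kubelet certificate must refer to the same node.
        - document_name: kubelet-genesis
          common_name: system:node:pod10-node1
          hosts:
            - pod10-node1
            - 10.10.102.21
          groups:
            - system:nodes
        - document_name: kubelet-pod10-node1
          common_name: system:node:pod10-node1
          hosts:
            - pod10-node1
            - 10.10.102.21
          groups:
            - system:nodes
        - document_name: kubelet-pod10-node2
          common_name: system:node:pod10-node2
          hosts:
            - pod10-node2
            - 10.10.102.22
          groups:
            - system:nodes
        - document_name: kubelet-pod10-node3
          common_name: system:node:pod10-node3
          hosts:
            - pod10-node3
            - 10.10.102.23
          groups:
            - system:nodes
        - document_name: kubelet-pod10-node4
          common_name: system:node:pod10-node4
          hosts:
            - pod10-node4
            - 10.10.102.24
          groups:
            - system:nodes
        - document_name: kubelet-pod10-node5
          common_name: system:node:pod10-node5
          hosts:
            # Was `pod10-node4` (copy-paste error): node5's certificate must not
            # carry another node's hostname as a SAN.
            - pod10-node5
            - 10.10.102.25
          groups:
            - system:nodes
        # End node list
        - document_name: scheduler
          description: Service certificate for Kubernetes scheduler
          common_name: system:kube-scheduler
        - document_name: controller-manager
          description: certificate for controller-manager
          common_name: system:kube-controller-manager
        # The next two certificates carry `system:masters`, which the default
        # RBAC bindings map to cluster-admin; handle them as root credentials.
        - document_name: admin
          common_name: admin
          groups:
            - system:masters
        - document_name: armada
          common_name: armada
          groups:
            - system:masters
    kubernetes-etcd:
      description: Certificates for Kubernetes's etcd servers
      certificates:
        - document_name: apiserver-etcd
          description: etcd client certificate for use by Kubernetes apiserver
          common_name: apiserver
          # NOTE(mark-burnett): hosts not required for client certificates
        - document_name: kubernetes-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        # 1. The node's hostname, as already defined in baremetal/nodes.yaml
        # 2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        # 3. 127.0.0.1
        # 4. localhost
        # 5. kubernetes-etcd.kube-system.svc.cluster.local
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml, except for the kubernetes
        # service_cidr where it should start with the second IP in the range.
        # NOTE: The genesis node is defined twice with the same `hosts` data:
        # Once with its hostname in the common/document name, and once with
        # `genesis` defined instead of the host. For now, this duplicated
        # genesis definition is required. FIXME: Remove duplicate definition
        # after Promenade addresses this issue.
        - document_name: kubernetes-etcd-genesis
          common_name: kubernetes-etcd-genesis
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node1
          common_name: kubernetes-etcd-pod10-node1
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node2
          common_name: kubernetes-etcd-pod10-node2
          hosts:
            - pod10-node2
            - 10.10.102.22
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node3
          common_name: kubernetes-etcd-pod10-node3
          hosts:
            - pod10-node3
            - 10.10.102.23
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    kubernetes-etcd-peer:
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: kubernetes-etcd-genesis-peer
          common_name: kubernetes-etcd-genesis-peer
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node1-peer
          common_name: kubernetes-etcd-pod10-node1-peer
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node2-peer
          common_name: kubernetes-etcd-pod10-node2-peer
          hosts:
            - pod10-node2
            - 10.10.102.22
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod10-node3-peer
          common_name: kubernetes-etcd-pod10-node3-peer
          hosts:
            - pod10-node3
            - 10.10.102.23
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    calico-etcd:
      description: Certificates for Calico etcd client traffic
      certificates:
        - document_name: calico-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        # 1. The node's hostname, as already defined in baremetal/nodes.yaml
        # 2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        # 3. 127.0.0.1
        # 4. localhost
        # 5. The calico/etcd/service_ip defined in networks/common-addresses.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        - document_name: calico-etcd-pod10-node1
          common_name: calico-etcd-pod10-node1
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod10-node2
          common_name: calico-etcd-pod10-node2
          hosts:
            - pod10-node2
            - 10.10.102.22
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod10-node3
          common_name: calico-etcd-pod10-node3
          hosts:
            - pod10-node3
            - 10.10.102.23
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-node
          # NOTE(review): "calcico-node" looks like a typo for "calico-node". Left
          # unchanged because it is the issued subject — confirm nothing matches on
          # this CN before renaming it.
          common_name: calcico-node
        # End node list
    calico-etcd-peer:
      description: Certificates for Calico etcd clients
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: calico-etcd-pod10-node1-peer
          common_name: calico-etcd-pod10-node1-peer
          hosts:
            - pod10-node1
            - 10.10.102.21
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod10-node2-peer
          common_name: calico-etcd-pod10-node2-peer
          hosts:
            - pod10-node2
            - 10.10.102.22
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod10-node3-peer
          common_name: calico-etcd-pod10-node3-peer
          hosts:
            - pod10-node3
            - 10.10.102.23
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-node-peer
          # NOTE(review): same apparent "calcico" typo as the non-peer entry; kept
          # as-is for the same reason.
          common_name: calcico-node-peer
        # End node list
  keypairs:
    - name: service-account
      description: Service account signing key for use by Kubernetes controller-manager.
...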