path: root/site/intel-pod17/pki/pki-catalog.yaml
blob: 20305eacd83373274570b1fcd35a95c6444b18e0 (plain)
---
# The purpose of this file is to define the PKI certificates for the environment
#
# NOTE: When deploying a new site, this file should not be configured until
# baremetal/nodes.yaml is complete.
#
# NOTE(review): This catalog only describes what to issue (document names,
# common names, SANs, groups); no key material appears in it, which is why
# `storagePolicy: cleartext` is acceptable for this document. The
# certificate/key documents generated from this catalog are a different
# matter -- check their storagePolicy separately, they must not be cleartext.
#
schema: promenade/PKICatalog/v1
metadata:
  schema: metadata/Document/v1
  name: cluster-certificates
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
data:
  certificate_authorities:
    kubernetes:
      description: CA for Kubernetes components
      certificates:
        - document_name: apiserver
          description: Service certificate for Kubernetes apiserver
          common_name: apiserver
          # NOTE(review): Clients verify the apiserver against exactly the
          # names/addresses below (plus whatever `kubernetes_service_names`
          # expands to). Any other name or address used to reach the
          # apiserver (a node IP, a VIP, an external hostname) must be listed
          # or the TLS handshake fails -- confirm the site's apiserver
          # endpoint is covered.
          hosts:
            - localhost
            - 127.0.0.1
            # FIXME: Repetition of api_service_ip in common-addresses; use
            # substitution
            - 10.96.0.1
          kubernetes_service_names:
            - kubernetes.default.svc.cluster.local

        # NEWSITE-CHANGEME: The following should be a list of all the nodes in
        # the environment (genesis, control plane, data plane, everything).
        # Add/delete from this list as necessary until all nodes are listed.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        # NOTE: The genesis node needs to be defined twice (the first two entries
        # on this list) with all of the same parameters except the document_name.
        # In the first case the document_name is `kubelet-genesis`, and in the
        # second case the document_name format is `kubelet-YOUR_GENESIS_HOSTNAME`.
        # NOTE(review): Each entry is one kubelet identity: the common name
        # `system:node:<hostname>` plus group `system:nodes` is what the
        # apiserver's Node authorizer keys on, so the hostname in
        # `common_name` must match the node's real hostname exactly. The two
        # genesis entries below yield two distinct private keys that both
        # authenticate as pod17-node1; protect the `kubelet-genesis` key as
        # carefully as the per-node one.
        - document_name: kubelet-genesis
          common_name: system:node:pod17-node1
          hosts:
            - pod17-node1
            - 10.10.172.21
          groups:
            - system:nodes
        - document_name: kubelet-pod17-node1
          common_name: system:node:pod17-node1
          hosts:
            - pod17-node1
            - 10.10.172.21
          groups:
            - system:nodes
        - document_name: kubelet-pod17-node2
          common_name: system:node:pod17-node2
          hosts:
            - pod17-node2
            - 10.10.172.22
          groups:
            - system:nodes
        - document_name: kubelet-pod17-node3
          common_name: system:node:pod17-node3
          hosts:
            - pod17-node3
            - 10.10.172.23
          groups:
            - system:nodes
        - document_name: kubelet-pod17-node4
          common_name: system:node:pod17-node4
          hosts:
            - pod17-node4
            - 10.10.172.24
          groups:
            - system:nodes
        - document_name: kubelet-pod17-node5
          common_name: system:node:pod17-node5
          hosts:
            - pod17-node5
            - 10.10.172.25
          groups:
            - system:nodes
        # End node list
        # Control-plane component client certificates. The common names match
        # the well-known users that the default RBAC bindings grant the
        # scheduler and controller-manager roles to.
        - document_name: scheduler
          description: Service certificate for Kubernetes scheduler
          common_name: system:kube-scheduler
        - document_name: controller-manager
          description: certificate for controller-manager
          common_name: system:kube-controller-manager
        # NOTE(review): `system:masters` is granted unrestricted access by the
        # apiserver regardless of any RBAC bindings, and kube-apiserver does
        # not check certificate revocation. The private keys issued for
        # `admin` and `armada` are therefore cluster-root credentials for the
        # lifetime of the kubernetes CA; keep them out of cleartext documents
        # and plan on rotating the CA, not just the cert, if one is exposed.
        - document_name: admin
          common_name: admin
          groups:
            - system:masters
        - document_name: armada
          common_name: armada
          groups:
            - system:masters
    kubernetes-etcd:
      description: Certificates for Kubernetes's etcd servers
      certificates:
        - document_name: apiserver-etcd
          description: etcd client certificate for use by Kubernetes apiserver
          common_name: apiserver
        # NOTE(mark-burnett): hosts not required for client certificates
        - document_name: kubernetes-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        #   3. 127.0.0.1
        #   4. localhost
        #   5. kubernetes-etcd.kube-system.svc.cluster.local
        #   6. The kubernetes-etcd service IP (the second IP of the kubernetes
        #      service_cidr; see the NOTE below)
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml, except for the kubernetes
        # service_cidr where it should start with the second IP in the range.
        # NOTE: The genesis node is defined twice with the same `hosts` data:
        # Once with its hostname in the common/document name, and once with
        # `genesis` defined instead of the host. For now, this duplicated
        # genesis definition is required. FIXME: Remove duplicate definition
        # after Promenade addresses this issue.
        # NOTE(review): These are etcd *server* certificates; the SAN list is
        # what the apiserver and anchor clients verify, so a node whose
        # hostname or Calico IP changes needs this entry regenerated, not just
        # baremetal/nodes.yaml updated.
        - document_name: kubernetes-etcd-genesis
          common_name: kubernetes-etcd-genesis
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node1
          common_name: kubernetes-etcd-pod17-node1
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node2
          common_name: kubernetes-etcd-pod17-node2
          hosts:
            - pod17-node2
            - 10.10.172.22
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node3
          common_name: kubernetes-etcd-pod17-node3
          hosts:
            - pod17-node3
            - 10.10.172.23
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    # Separate CA for the etcd peer (member-to-member) connections, so that a
    # client certificate from `kubernetes-etcd` cannot be presented as a peer.
    kubernetes-etcd-peer:
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: kubernetes-etcd-genesis-peer
          common_name: kubernetes-etcd-genesis-peer
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node1-peer
          common_name: kubernetes-etcd-pod17-node1-peer
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node2-peer
          common_name: kubernetes-etcd-pod17-node2-peer
          hosts:
            - pod17-node2
            - 10.10.172.22
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-pod17-node3-peer
          common_name: kubernetes-etcd-pod17-node3-peer
          hosts:
            - pod17-node3
            - 10.10.172.23
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    calico-etcd:
      description: Certificates for Calico etcd client traffic
      certificates:
        - document_name: calico-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        #   3. 127.0.0.1
        #   4. localhost
        #   5. The calico/etcd/service_ip defined in networks/common-addresses.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        - document_name: calico-etcd-pod17-node1
          common_name: calico-etcd-pod17-node1
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod17-node2
          common_name: calico-etcd-pod17-node2
          hosts:
            - pod17-node2
            - 10.10.172.22
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod17-node3
          common_name: calico-etcd-pod17-node3
          hosts:
            - pod17-node3
            - 10.10.172.23
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        # NOTE(review): `calcico-node` below looks like a typo for
        # `calico-node` (compare the document_name). It is left as-is because
        # changing a common name means re-issuing the certificate and any
        # consumer that matches on the CN would break; verify nothing keys on
        # this CN before correcting it.
        - document_name: calico-node
          common_name: calcico-node
        # End node list
    # NOTE(review): The description below says "clients", but this CA issues
    # the etcd peer certificates (mirrors `kubernetes-etcd-peer` above);
    # consider "Certificates for Calico etcd peer traffic".
    calico-etcd-peer:
      description: Certificates for Calico etcd clients
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: calico-etcd-pod17-node1-peer
          common_name: calico-etcd-pod17-node1-peer
          hosts:
            - pod17-node1
            - 10.10.172.21
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod17-node2-peer
          common_name: calico-etcd-pod17-node2-peer
          hosts:
            - pod17-node2
            - 10.10.172.22
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-pod17-node3-peer
          common_name: calico-etcd-pod17-node3-peer
          hosts:
            - pod17-node3
            - 10.10.172.23
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        # NOTE(review): Same `calcico` spelling as the non-peer entry; keep the
        # two in sync if either is ever corrected.
        - document_name: calico-node-peer
          common_name: calcico-node-peer
        # End node list
  keypairs:
    # NOTE(review): This key signs every service-account token the
    # controller-manager issues; whoever holds the private half can mint a
    # token for any service account in the cluster. It needs the same
    # handling as the CA keys.
    - name: service-account
      description: Service account signing key for use by Kubernetes controller-manager.
...