summaryrefslogtreecommitdiffstats
path: root/site/intel-pod17/software/charts/kubernetes/etcd/etcd.yaml
blob: 365b3d04d8de8c5ccf1b4ecc7ad33fdd94702e7f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
---
# The purpose of this file is to build the list of k8s etcd nodes and the
# k8s etcd certs for those nodes in the environment.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: kubernetes-etcd
  layeringDefinition:
    abstract: false
    layer: site
    parentSelector:
      name: kubernetes-etcd-global
    actions:
      - method: merge
        path: .
  storagePolicy: cleartext
  substitutions:
    # Generate a list of control plane nodes (i.e. genesis node + master node
    # list) on which k8s etcd will run and will need certs. It is assumed
    # that Airship sites will have 4 control plane nodes, so this should not need to
    # change for a new site.
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .genesis.hostname
      dest:
        path: .values.nodes[0].name
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .masters[0].hostname
      dest:
        path: .values.nodes[1].name
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .masters[1].hostname
      dest:
        path: .values.nodes[2].name

    # Certificate substitutions for the node names assembled on the above list.
    # NEWSITE-CHANGEME: Per above, the number of substitutions should not need
    # to change with a standard Airship deployment. However, the names of each
    # deckhand certficiate should be updated with the correct hostnames for your
    # environment. The ordering is important (Genesis is index 0, then master
    # nodes in the order they are specified in common-addresses).

    # Genesis Exception*
    # *NOTE: This is an exception in that `genesis` is not the hostname of the
    # genesis node, but `genesis` is reference here in the certificate names
    # because of certain Promenade assumptions that may be addressed in the
    # future. Therefore `genesis` is used instead of `pod17-jump` here.
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-genesis
        path: .
      dest:
        path: .values.nodes[0].tls.client.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-genesis
        path: .
      dest:
        path: .values.nodes[0].tls.client.key
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-genesis-peer
        path: .
      dest:
        path: .values.nodes[0].tls.peer.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-genesis-peer
        path: .
      dest:
        path: .values.nodes[0].tls.peer.key

    # master node 1 hostname - pod17-node1
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-pod17-node1
        path: .
      dest:
        path: .values.nodes[1].tls.client.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-pod17-node1
        path: .
      dest:
        path: .values.nodes[1].tls.client.key
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-pod17-node1-peer
        path: .
      dest:
        path: .values.nodes[1].tls.peer.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-pod17-node1-peer
        path: .
      dest:
        path: .values.nodes[1].tls.peer.key

    # master node 2 hostname - pod17-node2
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-pod17-node2
        path: .
      dest:
        path: .values.nodes[2].tls.client.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-pod17-node2
        path: .
      dest:
        path: .values.nodes[2].tls.client.key
    - src:
        schema: deckhand/Certificate/v1
        name: kubernetes-etcd-pod17-node2-peer
        path: .
      dest:
        path: .values.nodes[2].tls.peer.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: kubernetes-etcd-pod17-node2-peer
        path: $
      dest:
        path: .values.nodes[2].tls.peer.key

data: {}
...