blob: 365b3d04d8de8c5ccf1b4ecc7ad33fdd94702e7f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
---
# The purpose of this file is to build the list of k8s etcd nodes and the
# k8s etcd certs for those nodes in the environment.
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-etcd
layeringDefinition:
abstract: false
layer: site
parentSelector:
name: kubernetes-etcd-global
actions:
- method: merge
path: .
storagePolicy: cleartext
substitutions:
# Generate a list of control plane nodes (i.e. genesis node + master node
# list) on which k8s etcd will run and will need certs. It is assumed
# that Airship sites will have 4 control plane nodes, so this should not need to
# change for a new site.
- src:
schema: pegleg/CommonAddresses/v1
name: common-addresses
path: .genesis.hostname
dest:
path: .values.nodes[0].name
- src:
schema: pegleg/CommonAddresses/v1
name: common-addresses
path: .masters[0].hostname
dest:
path: .values.nodes[1].name
- src:
schema: pegleg/CommonAddresses/v1
name: common-addresses
path: .masters[1].hostname
dest:
path: .values.nodes[2].name
# Certificate substitutions for the node names assembled on the above list.
# NEWSITE-CHANGEME: Per above, the number of substitutions should not need
# to change with a standard Airship deployment. However, the names of each
# deckhand certficiate should be updated with the correct hostnames for your
# environment. The ordering is important (Genesis is index 0, then master
# nodes in the order they are specified in common-addresses).
# Genesis Exception*
# *NOTE: This is an exception in that `genesis` is not the hostname of the
# genesis node, but `genesis` is reference here in the certificate names
# because of certain Promenade assumptions that may be addressed in the
# future. Therefore `genesis` is used instead of `pod17-jump` here.
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-genesis
path: .
dest:
path: .values.nodes[0].tls.client.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-genesis
path: .
dest:
path: .values.nodes[0].tls.client.key
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-genesis-peer
path: .
dest:
path: .values.nodes[0].tls.peer.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-genesis-peer
path: .
dest:
path: .values.nodes[0].tls.peer.key
# master node 1 hostname - pod17-node1
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-pod17-node1
path: .
dest:
path: .values.nodes[1].tls.client.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-pod17-node1
path: .
dest:
path: .values.nodes[1].tls.client.key
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-pod17-node1-peer
path: .
dest:
path: .values.nodes[1].tls.peer.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-pod17-node1-peer
path: .
dest:
path: .values.nodes[1].tls.peer.key
# master node 2 hostname - pod17-node2
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-pod17-node2
path: .
dest:
path: .values.nodes[2].tls.client.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-pod17-node2
path: .
dest:
path: .values.nodes[2].tls.client.key
- src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-pod17-node2-peer
path: .
dest:
path: .values.nodes[2].tls.peer.cert
- src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-pod17-node2-peer
path: $
dest:
path: .values.nodes[2].tls.peer.key
data: {}
...
|
