Diffstat (limited to 'mcp/reclass/classes/system/salt/minion/cert')
18 files changed, 223 insertions, 0 deletions
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml
new file mode 100644
index 000000000..8b2e61ce8
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ ceph:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
+
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml
new file mode 100644
index 000000000..664352da9
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.ceph
+parameters:
+ _param:
+ salt_pki_ceph_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ ceph:
+ common_name: ceph
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_ceph_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml
new file mode 100644
index 000000000..37e4fc5ad
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ ceph:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}-chain-with-key.pem
diff --git a/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml b/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml
new file mode 100644
index 000000000..90b41da7f
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml
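Review bot: In ceph/openstack.yml, `salt_pki_ceph_alt_names` lists `${_param:cluster_public_host}` as both an `IP:` and a `DNS:` subjectAltName, but one value can only be one of those: if the parameter holds a hostname the `IP:` entry is malformed, and if it holds an address the `DNS:` entry is a name nobody resolves. Consider splitting it into separate address and hostname parameters, e.g. `salt_pki_ceph_alt_names: IP:${_param:cluster_public_address},DNS:${_param:cluster_public_host}` (parameter name constructed). The unconditional `IP:127.0.0.1` entry also makes a certificate named after the public host valid for loopback on any node that holds the key; if only local clients need it, that is worth a comment explaining why. The same pattern appears in proxy/openstack.yml, swift/openstack.yml and wildcard/init.yml.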
@@ -0,0 +1,18 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ etcd_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${linux:system:name}
+ signing_policy: cert_open
+ alternative_names: IP:${_param:cluster_local_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ extended_key_usage: clientAuth
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: /var/lib/etcd/etcd-client.key
+ cert_file: /var/lib/etcd/etcd-client.crt
+ all_file: /var/lib/etcd/etcd-client.pem
+ ca_file: /var/lib/etcd/ca.pem
+ user: etcd
+ group: etcd
diff --git a/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml b/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml
new file mode 100644
index 000000000..ea26a4052
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml
@@ -0,0 +1,18 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ etcd_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${linux:system:name}
+ signing_policy: cert_open
+ alternative_names: IP:127.0.0.1,IP:${_param:cluster_vip_address},IP:${_param:cluster_local_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ extended_key_usage: serverAuth,clientAuth
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: /var/lib/etcd/etcd-server.key
+ cert_file: /var/lib/etcd/etcd-server.crt
+ all_file: /var/lib/etcd/etcd-server.pem
+ ca_file: /var/lib/etcd/ca.pem
+ user: etcd
+ group: etcd
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml
new file mode 100644
index 000000000..06d83c4a1
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml
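Review bot: etcd_client.yml sets `user: etcd` and `group: etcd` for `/var/lib/etcd/etcd-client.key` and the `all_file` bundle that also carries the key, but no `mode`, so the file permissions fall back to whatever the x509 state defaults to; prometheus_server.yml and proxy/cicd.yml in this same series set `mode` explicitly. Suggest `mode: "0600"` next to `group: etcd`, and the same in etcd_server.yml, so the key material is not readable by other local users if the default is permissive. Both etcd classes also use `signing_policy: cert_open` while the k8s classes use `cert_client`/`cert_server`; if `cert_open` does not constrain key usage at signing time (the policy definition is not in this diff), the `extended_key_usage: clientAuth` here is only what the requester asks for rather than what the CA enforces, which is worth confirming.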
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: kubelet-client
+ signing_policy: cert_client
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml
new file mode 100644
index 000000000..179d534be
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: kubelet-client
+ signing_policy: cert_client
+ alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml
new file mode 100644
index 000000000..603d3691d
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address},DNS:kubernetes.default,DNS:kubernetes.default.svc
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml
new file mode 100644
index 000000000..33637e4a8
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
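Review bot: k8s_server.yml writes the API server private key to `key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key`, i.e. inside the Salt environment tree on the master; if that environment directory is served by the master's file server, every minion that can reach the master can read the key and the `all_file` bundle, not just the nodes that run the API server. k8s_server_single.yml uses the same location. If the intent is only to stage the files for distribution, a path outside the served tree (the `/srv/salt/pki/${_param:cluster_name}/` layout used by the ceph/proxy/swift pki classes) plus an explicit `mode: "0600"` would keep the key master-local; neither `mode` nor `user`/`group` is set in either k8s_server class.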
diff --git a/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml b/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml
new file mode 100644
index 000000000..30a0711a1
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ prometheus_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: ${prometheus:server:dir:config}/prometheus-server.key
+ cert_file: ${prometheus:server:dir:config}/prometheus-server.crt
+ common_name: prometheus-server
+ signing_policy: cert_client
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+ mode: '0444'
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml
new file mode 100644
index 000000000..5fb5b280a
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml
@@ -0,0 +1,15 @@
+classes:
+- system.salt.minion.cert.proxy
+parameters:
+ salt:
+ minion:
+ cert:
+ proxy:
+ alternative_names: "DNS:${_param:cluster_public_host}, DNS:*.${_param:cluster_public_host}, IP:${_param:control_vip_address}, IP:${_param:single_address}"
+ key_file: /etc/haproxy/ssl/${_param:cluster_public_host}.key
+ cert_file: /etc/haproxy/ssl/${_param:cluster_public_host}.crt
+ all_file: /etc/haproxy/ssl/${_param:cluster_public_host}-all.pem
+ ca_file: /etc/haproxy/ssl/${_param:salt_minion_ca_authority}-ca.crt
+ user: root
+ group: haproxy
+ mode: 640
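Review bot: `mode: '0444'` in prometheus_server.yml makes the files world-readable, and as far as I can tell from this series the single `mode` key applies to `key_file` as well as `cert_file`, so `${prometheus:server:dir:config}/prometheus-server.key` would be readable by every local account. If the goal is that the prometheus service account can read the key without owning it, `user`/`group` plus `mode: '0440'` expresses that without exposing the private key; if the formula really applies `mode` only to the certificate, a comment saying so next to the line would stop the next reader from having to check. Note also that a `signing_policy: cert_client` certificate is being produced under a `prometheus_server` name, which is fine if it is used to authenticate to the API server but reads as a server cert.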
\ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml
new file mode 100644
index 000000000..fac9aa554
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml
new file mode 100644
index 000000000..627d96bd6
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.proxy
+parameters:
+ _param:
+ salt_pki_proxy_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:proxy.${_param:cluster_public_host},DNS:horizon.${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ proxy:
+ common_name: proxy
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_proxy_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml
new file mode 100644
index 000000000..731aea625
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ proxy:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-chain-with-key.pem
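Review bot: `mode: 640` in proxy/cicd.yml is an unquoted YAML integer (decimal 640), while prometheus_server.yml writes the same setting as the string `'0444'`; Salt's mode normalisation appears to turn 640 into `0640`, but depending on that while the sibling class uses the quoted form is fragile and is exactly the leading-zero trap yamllint warns about. Write it as `mode: "0640"`. The `alternative_names` value here is also the only one in the series with `, ` separators (`"DNS:…, DNS:*.…, IP:…, IP:…"`); confirm the x509 module tolerates the spaces or drop them so every class builds the SAN string the same way. The file also ends without a trailing newline.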
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml
new file mode 100644
index 000000000..28859cf23
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ swift:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml
new file mode 100644
index 000000000..5560e1b46
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.swift
+parameters:
+ _param:
+ salt_pki_swift_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ swift:
+ common_name: swift
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_swift_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml
new file mode 100644
index 000000000..3195e48fc
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ swift:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}-chain-with-key.pem
diff --git a/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml b/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml
new file mode 100644
index 000000000..29748958c
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt_pki_wildcard_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:*.${_param:cluster_public_host},DNS:${_param:cluster_domain},DNS:*.${_param:cluster_domain}
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: wildcard
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_wildcard_alt_names}
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}-chain-with-key.pem |
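Review bot: wildcard/init.yml keys its certificate as `proxy:` but builds the file names from `${salt:minion:cert:wildcard:common_name}`, a path that nothing in this diff defines; reclass will fail to resolve the reference, or, if some other class happens to define `salt:minion:cert:wildcard`, the files will be named after that other certificate. Either the mapping key should be `wildcard:` (matching the class name and the sibling `ceph:`/`proxy:`/`swift:` layout) or the three file paths should use `${salt:minion:cert:proxy:common_name}`; as written it also silently replaces the `proxy` certificate from proxy/init.yml whenever both classes are included. Because `salt_pki_wildcard_alt_names` adds `DNS:*.${_param:cluster_domain}`, one key under `/srv/salt/pki/${_param:cluster_name}/` is valid for every host in the cluster domain, so a comment stating which hosts are meant to receive it would help whoever reviews the distribution later.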