aboutsummaryrefslogtreecommitdiffstats
path: root/mcp/reclass/classes/system/salt/minion/cert
diff options
context:
space:
mode:
Diffstat (limited to 'mcp/reclass/classes/system/salt/minion/cert')
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml12
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml11
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml8
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml18
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml18
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml13
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml13
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml13
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml13
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml13
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml15
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml11
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml11
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml8
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/swift/init.yml11
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml11
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml8
-rw-r--r--mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml16
18 files changed, 223 insertions, 0 deletions
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml
new file mode 100644
index 000000000..8b2e61ce8
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/init.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ ceph:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
+
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml
new file mode 100644
index 000000000..664352da9
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.ceph
+parameters:
+ _param:
+ salt_pki_ceph_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ ceph:
+ common_name: ceph
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_ceph_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml
new file mode 100644
index 000000000..37e4fc5ad
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/ceph/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ ceph:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:ceph:common_name}-chain-with-key.pem
diff --git a/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml b/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml
new file mode 100644
index 000000000..90b41da7f
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/etcd_client.yml
@@ -0,0 +1,18 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ etcd_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${linux:system:name}
+ signing_policy: cert_open
+ alternative_names: IP:${_param:cluster_local_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ extended_key_usage: clientAuth
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: /var/lib/etcd/etcd-client.key
+ cert_file: /var/lib/etcd/etcd-client.crt
+ all_file: /var/lib/etcd/etcd-client.pem
+ ca_file: /var/lib/etcd/ca.pem
+ user: etcd
+ group: etcd
diff --git a/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml b/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml
new file mode 100644
index 000000000..ea26a4052
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/etcd_server.yml
@@ -0,0 +1,18 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ etcd_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${linux:system:name}
+ signing_policy: cert_open
+ alternative_names: IP:127.0.0.1,IP:${_param:cluster_vip_address},IP:${_param:cluster_local_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ extended_key_usage: serverAuth,clientAuth
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: /var/lib/etcd/etcd-server.key
+ cert_file: /var/lib/etcd/etcd-server.crt
+ all_file: /var/lib/etcd/etcd-server.pem
+ ca_file: /var/lib/etcd/ca.pem
+ user: etcd
+ group: etcd
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml
new file mode 100644
index 000000000..06d83c4a1
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_client.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: kubelet-client
+ signing_policy: cert_client
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address} \ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml
new file mode 100644
index 000000000..179d534be
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_client_single.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: kubelet-client
+ signing_policy: cert_client
+ alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address} \ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml
new file mode 100644
index 000000000..603d3691d
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address},DNS:kubernetes.default,DNS:kubernetes.default.svc
diff --git a/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml b/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml
new file mode 100644
index 000000000..33637e4a8
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/k8s_server_single.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml b/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml
new file mode 100644
index 000000000..30a0711a1
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/prometheus_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ prometheus_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: ${prometheus:server:dir:config}/prometheus-server.key
+ cert_file: ${prometheus:server:dir:config}/prometheus-server.crt
+ common_name: prometheus-server
+ signing_policy: cert_client
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+ mode: '0444'
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml
new file mode 100644
index 000000000..5fb5b280a
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/cicd.yml
@@ -0,0 +1,15 @@
+classes:
+- system.salt.minion.cert.proxy
+parameters:
+ salt:
+ minion:
+ cert:
+ proxy:
+ alternative_names: "DNS:${_param:cluster_public_host}, DNS:*.${_param:cluster_public_host}, IP:${_param:control_vip_address}, IP:${_param:single_address}"
+ key_file: /etc/haproxy/ssl/${_param:cluster_public_host}.key
+ cert_file: /etc/haproxy/ssl/${_param:cluster_public_host}.crt
+ all_file: /etc/haproxy/ssl/${_param:cluster_public_host}-all.pem
+ ca_file: /etc/haproxy/ssl/${_param:salt_minion_ca_authority}-ca.crt
+ user: root
+ group: haproxy
+ mode: 640 \ No newline at end of file
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml
new file mode 100644
index 000000000..fac9aa554
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml
new file mode 100644
index 000000000..627d96bd6
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.proxy
+parameters:
+ _param:
+ salt_pki_proxy_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:proxy.${_param:cluster_public_host},DNS:horizon.${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ proxy:
+ common_name: proxy
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_proxy_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml
new file mode 100644
index 000000000..731aea625
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/proxy/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ proxy:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-chain-with-key.pem
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml
new file mode 100644
index 000000000..28859cf23
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ swift:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml
new file mode 100644
index 000000000..5560e1b46
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.swift
+parameters:
+ _param:
+ salt_pki_swift_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ swift:
+ common_name: swift
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_swift_alt_names}
diff --git a/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml b/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml
new file mode 100644
index 000000000..3195e48fc
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/swift/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ swift:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:swift:common_name}-chain-with-key.pem
diff --git a/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml b/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml
new file mode 100644
index 000000000..29748958c
--- /dev/null
+++ b/mcp/reclass/classes/system/salt/minion/cert/wildcard/init.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt_pki_wildcard_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:*.${_param:cluster_public_host},DNS:${_param:cluster_domain},DNS:*.${_param:cluster_domain}
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: wildcard
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_wildcard_alt_names}
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:wildcard:common_name}-chain-with-key.pem