2 # The purpose of this file is to define the PKI certificates for the environment:
# the certificate authorities, and the server/client certificates Promenade
# generates from them (document names, common names and `hosts`/SAN entries).
# It declares what to generate and must never contain key material.
4 # NOTE: When deploying a new site, this file should not be configured until
5 # baremetal/nodes.yaml is complete, because every `hosts` entry below must
# match the hostnames and addresses defined there.
7 schema: promenade/PKICatalog/v1
9 schema: metadata/Document/v1
10 name: cluster-certificates
14 storagePolicy: cleartext  # NOTE(review): cleartext is only acceptable while this document carries no secrets; it names certificates to generate, so generated keys/certs must not be pasted in here
16 certificate_authorities:
18 description: CA for Kubernetes components
20 - document_name: apiserver
21 description: Service certificate for Kubernetes apiserver
22 common_name: apiserver
26 # FIXME: Repetition of api_service_ip in common-addresses; use
29 kubernetes_service_names:
30 - kubernetes.default.svc.cluster.local
32 # NEWSITE-CHANGEME: The following should be a list of all the nodes in
33 # the environment (genesis, control plane, data plane, everything).
34 # Add/delete from this list as necessary until all nodes are listed.
35 # For each node, the `hosts` list should be comprised of exactly:
36 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
37 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
38 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
# Do not add other nodes' names or addresses to a node's `hosts` list: each
# kubelet certificate should identify only the node it is issued to. The
# `common_name` must be `system:node:<hostname>`, with the hostname matching
# the name the kubelet registers with, because Kubernetes identifies node
# clients by that CN prefix.
39 # NOTE: This list also needs to include the Genesis node, which is not
40 # listed in baremetal/nodes.yaml, but by convention should be allocated
41 # the first non-reserved IP in each logical network allocation range
42 # defined in networks/physical/networks.yaml
43 # NOTE: The genesis node needs to be defined twice (the first two entries
44 # on this list) with all of the same parameters except the document_name.
45 # In the first case the document_name is `kubelet-genesis`, and in the
46 # second case the document_name format is `kubelet-YOUR_GENESIS_HOSTNAME`.
47 - document_name: kubelet-genesis
48 common_name: system:node:cab23-r720-11
55 - document_name: kubelet-cab23-r720-11
56 common_name: system:node:cab23-r720-11
63 - document_name: kubelet-cab23-r720-12
64 common_name: system:node:cab23-r720-12
71 - document_name: kubelet-cab23-r720-13
72 common_name: system:node:cab23-r720-13
79 - document_name: kubelet-cab23-r720-14
80 common_name: system:node:cab23-r720-14
87 - document_name: kubelet-cab23-r720-17
88 common_name: system:node:cab23-r720-17
95 - document_name: kubelet-cab23-r720-19
96 common_name: system:node:cab23-r720-19
104 - document_name: scheduler
105 description: Service certificate for Kubernetes scheduler
106 common_name: system:kube-scheduler
107 - document_name: controller-manager
108 description: certificate for controller-manager
109 common_name: system:kube-controller-manager
110 - document_name: admin
114 - document_name: armada
119 description: Certificates for Kubernetes's etcd servers
121 - document_name: apiserver-etcd
122 description: etcd client certificate for use by Kubernetes apiserver
123 common_name: apiserver
124 # NOTE(mark-burnett): hosts not required for client certificates
125 - document_name: kubernetes-etcd-anchor
128 # NEWSITE-CHANGEME: The following should be a list of the control plane
129 # nodes in the environment, including genesis. Do not list data-plane
# (worker) nodes here: they belong in the kubelet section above and must not
# be issued etcd server certificates.
130 # For each node, the `hosts` list should be comprised of:
131 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
132 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
133 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
136 # 6. kubernetes-etcd.kube-system.svc.cluster.local
137 # NOTE: This list also needs to include the Genesis node, which is not
138 # listed in baremetal/nodes.yaml, but by convention should be allocated
139 # the first non-reserved IP in each logical network allocation range
140 # defined in networks/physical/networks.yaml, except for the kubernetes
141 # service_cidr where it should start with the second IP in the range.
142 # NOTE: The genesis node is defined twice with the same `hosts` data:
143 # once with its hostname in the common/document name, and once with
144 # `genesis` in place of the hostname. For now, this duplicated
145 # genesis definition is required. FIXME: Remove the duplicate definition
146 # once Promenade addresses this issue.
147 - document_name: kubernetes-etcd-genesis
148 common_name: kubernetes-etcd-genesis
155 - kubernetes-etcd.kube-system.svc.cluster.local
157 - document_name: kubernetes-etcd-cab23-r720-11
158 common_name: kubernetes-etcd-cab23-r720-11
165 - kubernetes-etcd.kube-system.svc.cluster.local
167 - document_name: kubernetes-etcd-cab23-r720-12
168 common_name: kubernetes-etcd-cab23-r720-12
175 - kubernetes-etcd.kube-system.svc.cluster.local
177 - document_name: kubernetes-etcd-cab23-r720-13
178 common_name: kubernetes-etcd-cab23-r720-13
185 - kubernetes-etcd.kube-system.svc.cluster.local
187 - document_name: kubernetes-etcd-cab23-r720-14
188 common_name: kubernetes-etcd-cab23-r720-14
195 - kubernetes-etcd.kube-system.svc.cluster.local
198 kubernetes-etcd-peer:
200 # NEWSITE-CHANGEME: This list should be identical to the previous list,
201 # except that `-peer` has been appended to the document/common names.
202 - document_name: kubernetes-etcd-genesis-peer
203 common_name: kubernetes-etcd-genesis-peer
210 - kubernetes-etcd.kube-system.svc.cluster.local
212 - document_name: kubernetes-etcd-cab23-r720-11-peer
213 common_name: kubernetes-etcd-cab23-r720-11-peer
220 - kubernetes-etcd.kube-system.svc.cluster.local
222 - document_name: kubernetes-etcd-cab23-r720-12-peer
223 common_name: kubernetes-etcd-cab23-r720-12-peer
230 - kubernetes-etcd.kube-system.svc.cluster.local
232 - document_name: kubernetes-etcd-cab23-r720-13-peer
233 common_name: kubernetes-etcd-cab23-r720-13-peer
240 - kubernetes-etcd.kube-system.svc.cluster.local
242 - document_name: kubernetes-etcd-cab23-r720-14-peer
243 common_name: kubernetes-etcd-cab23-r720-14-peer
250 - kubernetes-etcd.kube-system.svc.cluster.local
254 description: Certificates for Calico etcd client traffic
256 - document_name: calico-etcd-anchor
259 # NEWSITE-CHANGEME: The following should be a list of the control plane
260 # nodes in the environment, including genesis. As with the Kubernetes etcd
# lists above, do not include data-plane (worker) nodes here.
261 # For each node, the `hosts` list should be comprised of:
262 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
263 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
264 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
267 # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
268 # NOTE: This list also needs to include the Genesis node, which is not
269 # listed in baremetal/nodes.yaml, but by convention should be allocated
270 # the first non-reserved IP in each logical network allocation range
271 # defined in networks/physical/networks.yaml
272 - document_name: calico-etcd-cab23-r720-11
273 common_name: calico-etcd-cab23-r720-11
281 - document_name: calico-etcd-cab23-r720-12
282 common_name: calico-etcd-cab23-r720-12
290 - document_name: calico-etcd-cab23-r720-13
291 common_name: calico-etcd-cab23-r720-13
299 - document_name: calico-etcd-cab23-r720-14
300 common_name: calico-etcd-cab23-r720-14
308 - document_name: calico-node
309 common_name: calcico-node  # NOTE(review): "calcico" does not match document_name "calico-node"; confirm whether anything references this CN before correcting the spelling
312 description: Certificates for Calico etcd peer traffic
314 # NEWSITE-CHANGEME: This list should be identical to the previous list,
315 # except that `-peer` has been appended to the document/common names.
316 - document_name: calico-etcd-cab23-r720-11-peer
317 common_name: calico-etcd-cab23-r720-11-peer
325 - document_name: calico-etcd-cab23-r720-12-peer
326 common_name: calico-etcd-cab23-r720-12-peer
334 - document_name: calico-etcd-cab23-r720-13-peer
335 common_name: calico-etcd-cab23-r720-13-peer
343 - document_name: calico-etcd-cab23-r720-14-peer
344 common_name: calico-etcd-cab23-r720-14-peer
352 - document_name: calico-node-peer
353 common_name: calcico-node-peer  # NOTE(review): "calcico" does not match document_name "calico-node-peer"; confirm whether anything references this CN before correcting the spelling
356 - name: service-account
357 description: Service account signing key for use by Kubernetes controller-manager.