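---
# The purpose of this file is to define the PKI certificates for the environment
#
# NOTE: When deploying a new site, this file should not be configured until
# baremetal/nodes.yaml is complete.
#
# NOTE(review): this catalog only declares which CAs and certificates are to be
# generated; it carries no private key material itself, which is why the
# document can be `storagePolicy: cleartext`. The generated key documents are
# the sensitive artefacts — presumably they are produced as encrypted
# documents; verify that in the certificate generation workflow.
#
# Every entry under `hosts` becomes a subject alternative name on the issued
# certificate. A stale entry (a hostname or IP that no longer matches
# baremetal/nodes.yaml) either breaks TLS verification for that node or leaves
# a certificate valid for an address the node no longer owns, so keep these
# lists in lockstep with the node inventory.
#
schema: promenade/PKICatalog/v1
metadata:
  schema: metadata/Document/v1
  name: cluster-certificates
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
data:
  certificate_authorities:
    kubernetes:
      description: CA for Kubernetes components
      certificates:
        - document_name: apiserver
          description: Service certificate for Kubernetes apiserver
          common_name: apiserver
          hosts:
            - localhost
            - 127.0.0.1
            # FIXME: Repetition of api_service_ip in common-addresses; use
            # substitution
            - 10.96.0.1
          kubernetes_service_names:
            - kubernetes.default.svc.cluster.local

        # NEWSITE-CHANGEME: The following should be a list of all the nodes in
        # the environment (genesis, control plane, data plane, everything).
        # Add/delete from this list as necessary until all nodes are listed.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        # NOTE: The genesis node needs to be defined twice (the first two entries
        # on this list) with all of the same parameters except the document_name.
        # In the first case the document_name is `kubelet-genesis`, and in the
        # second case the document_name format is `kubelet-YOUR_GENESIS_HOSTNAME`.
        # NOTE(review): the `system:node:<hostname>` common name plus the
        # `system:nodes` group is what the API server uses to scope a kubelet
        # to its own node; the common_name must therefore match the hostname in
        # the first `hosts` entry exactly.
        - document_name: kubelet-genesis
          common_name: system:node:cab23-r720-11
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-11
          common_name: system:node:cab23-r720-11
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-12
          common_name: system:node:cab23-r720-12
          hosts:
            - cab23-r720-12
            - 10.23.21.12
            - 10.23.22.12
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-13
          common_name: system:node:cab23-r720-13
          hosts:
            - cab23-r720-13
            - 10.23.21.13
            - 10.23.22.13
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-14
          common_name: system:node:cab23-r720-14
          hosts:
            - cab23-r720-14
            - 10.23.21.14
            - 10.23.22.14
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-17
          common_name: system:node:cab23-r720-17
          hosts:
            - cab23-r720-17
            - 10.23.21.17
            - 10.23.22.17
          groups:
            - system:nodes
        - document_name: kubelet-cab23-r720-19
          common_name: system:node:cab23-r720-19
          hosts:
            - cab23-r720-19
            - 10.23.21.19
            - 10.23.22.19
          groups:
            - system:nodes
        # End node list
        - document_name: scheduler
          description: Service certificate for Kubernetes scheduler
          common_name: system:kube-scheduler
        - document_name: controller-manager
          description: certificate for controller-manager
          common_name: system:kube-controller-manager
        # NOTE(review): `system:masters` is treated as cluster-admin by the API
        # server independently of any RBAC binding, so both client certificates
        # below grant unrestricted cluster access. Confirm armada really needs
        # this scope rather than a bound role, and treat the generated key
        # documents for both as highly sensitive.
        - document_name: admin
          common_name: admin
          groups:
            - system:masters
        - document_name: armada
          common_name: armada
          groups:
            - system:masters
    kubernetes-etcd:
      description: Certificates for Kubernetes's etcd servers
      certificates:
        - document_name: apiserver-etcd
          description: etcd client certificate for use by Kubernetes apiserver
          common_name: apiserver
        # NOTE(mark-burnett): hosts not required for client certificates
        - document_name: kubernetes-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        #   4. 127.0.0.1
        #   5. localhost
        #   6. kubernetes-etcd.kube-system.svc.cluster.local
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml, except for the kubernetes
        # service_cidr where it should start with the second IP in the range.
        # NOTE: The genesis node is defined twice with the same `hosts` data:
        # Once with its hostname in the common/document name, and once with
        # `genesis` defined instead of the host. For now, this duplicated
        # genesis definition is required. FIXME: Remove duplicate definition
        # after Promenade addresses this issue.
        - document_name: kubernetes-etcd-genesis
          common_name: kubernetes-etcd-genesis
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-11
          common_name: kubernetes-etcd-cab23-r720-11
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-12
          common_name: kubernetes-etcd-cab23-r720-12
          hosts:
            - cab23-r720-12
            - 10.23.21.12
            - 10.23.22.12
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-13
          common_name: kubernetes-etcd-cab23-r720-13
          hosts:
            - cab23-r720-13
            - 10.23.21.13
            - 10.23.22.13
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-14
          common_name: kubernetes-etcd-cab23-r720-14
          hosts:
            - cab23-r720-14
            - 10.23.21.14
            - 10.23.22.14
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    kubernetes-etcd-peer:
      description: Certificates for Kubernetes's etcd peer traffic
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: kubernetes-etcd-genesis-peer
          common_name: kubernetes-etcd-genesis-peer
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-11-peer
          common_name: kubernetes-etcd-cab23-r720-11-peer
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-12-peer
          common_name: kubernetes-etcd-cab23-r720-12-peer
          hosts:
            - cab23-r720-12
            - 10.23.21.12
            - 10.23.22.12
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-13-peer
          common_name: kubernetes-etcd-cab23-r720-13-peer
          hosts:
            - cab23-r720-13
            - 10.23.21.13
            - 10.23.22.13
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        - document_name: kubernetes-etcd-cab23-r720-14-peer
          common_name: kubernetes-etcd-cab23-r720-14-peer
          hosts:
            - cab23-r720-14
            - 10.23.21.14
            - 10.23.22.14
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - 10.96.0.2
        # End node list
    calico-etcd:
      description: Certificates for Calico etcd client traffic
      certificates:
        - document_name: calico-etcd-anchor
          description: anchor
          common_name: anchor
        # NEWSITE-CHANGEME: The following should be a list of the control plane
        # nodes in the environment, including genesis.
        # For each node, the `hosts` list should be comprised of:
        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
        #   4. 127.0.0.1
        #   5. localhost
        #   6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
        # NOTE: This list also needs to include the Genesis node, which is not
        # listed in baremetal/nodes.yaml, but by convention should be allocated
        # the first non-reserved IP in each logical network allocation range
        # defined in networks/physical/networks.yaml
        - document_name: calico-etcd-cab23-r720-11
          common_name: calico-etcd-cab23-r720-11
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-12
          common_name: calico-etcd-cab23-r720-12
          hosts:
            - cab23-r720-12
            - 10.23.21.12
            - 10.23.22.12
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-13
          common_name: calico-etcd-cab23-r720-13
          hosts:
            - cab23-r720-13
            - 10.23.21.13
            - 10.23.22.13
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-14
          common_name: calico-etcd-cab23-r720-14
          hosts:
            - cab23-r720-14
            - 10.23.21.14
            - 10.23.22.14
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-node
          # FIXME: `calcico` is a typo for `calico`. Left as-is here because the
          # common name ends up in the issued certificate's subject and may be
          # matched on elsewhere; correct it in a dedicated change together
          # with `calico-node-peer` below.
          common_name: calcico-node
        # End node list
    calico-etcd-peer:
      description: Certificates for Calico etcd peer traffic
      certificates:
        # NEWSITE-CHANGEME: This list should be identical to the previous list,
        # except that `-peer` has been appended to the document/common names.
        - document_name: calico-etcd-cab23-r720-11-peer
          common_name: calico-etcd-cab23-r720-11-peer
          hosts:
            - cab23-r720-11
            - 10.23.21.11
            - 10.23.22.11
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-12-peer
          common_name: calico-etcd-cab23-r720-12-peer
          hosts:
            - cab23-r720-12
            - 10.23.21.12
            - 10.23.22.12
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-13-peer
          common_name: calico-etcd-cab23-r720-13-peer
          hosts:
            - cab23-r720-13
            - 10.23.21.13
            - 10.23.22.13
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-etcd-cab23-r720-14-peer
          common_name: calico-etcd-cab23-r720-14-peer
          hosts:
            - cab23-r720-14
            - 10.23.21.14
            - 10.23.22.14
            - 127.0.0.1
            - localhost
            - 10.96.232.136
        - document_name: calico-node-peer
          # FIXME: same `calcico` typo as `calico-node` above; fix both together.
          common_name: calcico-node-peer
        # End node list
  keypairs:
    - name: service-account
      description: Service account signing key for use by Kubernetes controller-manager.
...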