Initial treasuremap/template for site_type ovsdpdk
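---
##############################################################################
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.        #
#                                                                            #
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
# not use this file except in compliance with the License.                   #
#                                                                            #
# You may obtain a copy of the License at                                    #
#       http://www.apache.org/licenses/LICENSE-2.0                           #
#                                                                            #
# Unless required by applicable law or agreed to in writing, software        #
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
# See the License for the specific language governing permissions and        #
# limitations under the License.                                             #
##############################################################################

# Promenade PKI catalog for the ovsdpdk site type: one entry per certificate
# (or keypair) to be generated under each named CA.
# NOTE(review): this file is a Jinja2 template, not parseable YAML until
# rendered; it expects `yaml.genesis`, `yaml.masters` and
# `yaml.kubernetes.{api_service_ip,etcd_service_ip}` to be defined and only
# treats `yaml.workers` as optional. Review the rendered output, not just
# this template.
schema: promenade/PKICatalog/v1
metadata:
  schema: metadata/Document/v1
  name: cluster-certificates
  layeringDefinition:
    abstract: false
    layer: site
  # The catalog only describes what to mint; it carries no key material, so
  # cleartext storage is appropriate here (the generated certificates and
  # keys are separate documents).
  storagePolicy: cleartext
data:
  certificate_authorities:
    kubernetes:
      description: CA for Kubernetes components
      certificates:
        - document_name: apiserver
          description: Service certificate for Kubernetes apiserver
          common_name: apiserver
          # `hosts` are the names/addresses clients may connect to (per the
          # note on apiserver-etcd below, only server-side certificates need
          # them); presumably they end up as subject alternative names.
          hosts:
            - localhost
            - 127.0.0.1
            - {{yaml.kubernetes.api_service_ip}}
          kubernetes_service_names:
            - kubernetes.default.svc.cluster.local
        # Kubelet client identities. The CN `system:node:<name>` together
        # with group `system:nodes` is the identity the Node authorizer keys
        # on, so every node gets its own certificate; do not share one
        # across nodes. The genesis node is emitted twice on purpose: once
        # under the fixed document name `kubelet-genesis` and once under its
        # real name, matching the per-node pattern used for masters/workers.
        - document_name: kubelet-genesis
          common_name: system:node:{{yaml.genesis.name}}
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
          groups:
            - system:nodes
        - document_name: kubelet-{{yaml.genesis.name}}
          common_name: system:node:{{yaml.genesis.name}}
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
          groups:
            - system:nodes
{% for server in yaml.masters %}
        - document_name: kubelet-{{ server.name }}
          common_name: system:node:{{ server.name }}
          hosts:
            - {{server.name}}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
          groups:
            - system:nodes
{% endfor %}
{% if 'workers' in yaml %}{% for server in yaml.workers %}
        - document_name: kubelet-{{ server.name }}
          common_name: system:node:{{ server.name }}
          hosts:
            - {{server.name}}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
          groups:
            - system:nodes
{% endfor %}{% endif %}
        # Control-plane component client certificates; the CNs below are the
        # well-known identities Kubernetes binds its default roles to.
        - document_name: scheduler
          description: Service certificate for Kubernetes scheduler
          common_name: system:kube-scheduler
        - document_name: controller-manager
          description: certificate for controller-manager
          common_name: system:kube-controller-manager
        # `system:masters` is cluster-admin equivalent and bypasses RBAC
        # policy, so the `admin` and `armada` certificates are the most
        # sensitive material this catalog produces; limit where their
        # generated keys are distributed and rotate them on compromise.
        - document_name: admin
          common_name: admin
          groups:
            - system:masters
        - document_name: armada
          common_name: armada
          groups:
            - system:masters
    kubernetes-etcd:
      description: Certificates for Kubernetes's etcd servers
      certificates:
        - document_name: apiserver-etcd
          description: etcd client certificate for use by Kubernetes apiserver
          common_name: apiserver
          # NOTE(mark-burnett): hosts not required for client certificates
        - document_name: kubernetes-etcd-anchor
          description: anchor
          common_name: anchor
        # Per-member etcd server certificates: the member's own names and
        # addresses, the loopback names used for local health checks, the
        # in-cluster service name and the etcd service IP.
        - document_name: kubernetes-etcd-genesis
          common_name: kubernetes-etcd-genesis
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
        - document_name: kubernetes-etcd-{{yaml.genesis.name}}
          common_name: kubernetes-etcd-{{yaml.genesis.name}}
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
{% for server in yaml.masters %}
        - document_name: kubernetes-etcd-{{ server.name }}
          common_name: kubernetes-etcd-{{ server.name }}
          hosts:
            - {{ server.name }}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
{% endfor %}
    # Separate CA for member-to-member (peer) traffic, so a leaked client
    # certificate cannot be used to join the etcd cluster as a peer.
    kubernetes-etcd-peer:
      certificates:
        - document_name: kubernetes-etcd-genesis-peer
          common_name: kubernetes-etcd-genesis-peer
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
        - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
          common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
{% for server in yaml.masters %}
        - document_name: kubernetes-etcd-{{server.name}}-peer
          common_name: kubernetes-etcd-{{server.name}}-peer
          hosts:
            - {{server.name}}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
            - 127.0.0.1
            - localhost
            - kubernetes-etcd.kube-system.svc.cluster.local
            - {{yaml.kubernetes.etcd_service_ip}}
{% endfor %}
    calico-etcd:
      description: Certificates for Calico etcd client traffic
      certificates:
        - document_name: calico-etcd-anchor
          description: anchor
          common_name: anchor
        # NOTE(review): 10.96.232.136 is a hard-coded Calico etcd service IP,
        # whereas the Kubernetes etcd entries above take theirs from
        # yaml.kubernetes.etcd_service_ip. If the site's service CIDR
        # changes, every occurrence below (and in calico-etcd-peer) must be
        # updated by hand or the SAN will no longer match; consider sourcing
        # it from the site definition the same way.
        - document_name: calico-etcd-{{yaml.genesis.name}}
          common_name: calico-etcd-{{yaml.genesis.name}}
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - 10.96.232.136
{% for server in yaml.masters %}
        - document_name: calico-etcd-{{server.name}}
          common_name: calico-etcd-{{server.name}}
          hosts:
            - {{server.name}}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
            - 127.0.0.1
            - localhost
            - 10.96.232.136
{% endfor %}
        # common_name corrected from the misspelling "calcico-node" so it
        # matches the document name; confirm nothing downstream matches on
        # the old CN before relying on this.
        - document_name: calico-node
          common_name: calico-node
    calico-etcd-peer:
      description: Certificates for Calico etcd clients
      certificates:
        - document_name: calico-etcd-{{yaml.genesis.name}}-peer
          common_name: calico-etcd-{{yaml.genesis.name}}-peer
          hosts:
            - {{yaml.genesis.name}}
            - {{yaml.genesis.host}}
            - {{yaml.genesis.ksn}}
            - {{yaml.genesis.pxe}}
            - 127.0.0.1
            - localhost
            - 10.96.232.136
{% for server in yaml.masters %}
        - document_name: calico-etcd-{{server.name}}-peer
          common_name: calico-etcd-{{server.name}}-peer
          hosts:
            - {{server.name}}
            - {{server.host}}
            - {{server.ksn}}
            - {{server.pxe}}
            - 127.0.0.1
            - localhost
            - 10.96.232.136
{% endfor %}
        # common_name corrected from the misspelling "calcico-node-peer" so
        # it matches the document name; confirm nothing downstream matches on
        # the old CN before relying on this.
        - document_name: calico-node-peer
          common_name: calico-node-peer
  keypairs:
    - name: service-account
      description: Service account signing key for use by Kubernetes controller-manager.
...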