2 ##############################################################################
3 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. #
5 # Licensed under the Apache License, Version 2.0 (the "License"); you may #
6 # not use this file except in compliance with the License. #
8 # You may obtain a copy of the License at #
9 # http://www.apache.org/licenses/LICENSE-2.0 #
11 # Unless required by applicable law or agreed to in writing, software #
12 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
13 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
14 # See the License for the specific language governing permissions and #
15 # limitations under the License. #
16 ##############################################################################
# Jinja2-templated PKICatalog document for Promenade: every `document_name`
# below is a request for a certificate (or key) that the PKI generator issues
# from the named CA; `common_name` becomes the certificate CN and the listed
# names/IPs become its SANs.
# NOTE(review): this listing has lost its indentation and skips many source
# lines (the gutter numbers are not contiguous). Nesting below is inferred
# from the surrounding keys; restore indentation before rendering or parsing.
2 schema: promenade/PKICatalog/v1
# NOTE(review): the second `schema` is presumably nested under a `metadata:`
# key on the omitted line 19 (Deckhand document layout); as flattened here it
# would read as a duplicate top-level key — confirm against the original.
3 schema: metadata/Document/v1
4 name: cluster-certificates
# NOTE(review): cleartext applies to this catalog, which only names
# certificates and their SANs. The generated private keys are emitted as
# separate documents — confirm those carry an encrypted storagePolicy.
5 storagePolicy: cleartext
6 certificate_authorities:
# Kubernetes component CA: apiserver, kubelets and control-plane clients.
7 description: CA for Kubernetes components
8 - document_name: apiserver
9 description: Service certificate for Kubernetes apiserver
10 common_name: apiserver
# Server SANs for the apiserver: the cluster service IP (rendered from the
# site data) plus the in-cluster DNS name. Rendered values are unquoted
# templated scalars; safe for an IP, but a value with YAML specials would
# need quoting.
11 - {{yaml.kubernetes.api_service_ip}}
12 kubernetes_service_names:
13 - kubernetes.default.svc.cluster.local
# Kubelet client certs. The CN is the kubelet's Kubernetes username; the Node
# authorizer requires it to be system:node:<nodeName>.
14 - document_name: kubelet-genesis
15 common_name: system:node:{{yaml.genesis.name}}
# Genesis host SANs: hostname plus its network addresses (host/ksn/pxe).
16 - {{yaml.genesis.name}}
17 - {{yaml.genesis.host}}
18 - {{yaml.genesis.ksn}}
19 - {{yaml.genesis.pxe}}
# The genesis node also gets a second kubelet cert keyed by its real
# hostname, with the same CN and SAN set as kubelet-genesis.
20 - document_name: kubelet-{{yaml.genesis.name}}
21 common_name: system:node:{{yaml.genesis.name}}
22 - {{yaml.genesis.name}}
23 - {{yaml.genesis.host}}
24 - {{yaml.genesis.ksn}}
25 - {{yaml.genesis.pxe}}
# One kubelet cert per master node; the loop body's SAN lines are among the
# omitted source lines.
26 {% for server in yaml.masters %}
27 - document_name: kubelet-{{ server.name }}
28 common_name: system:node:{{ server.name }}
# Worker kubelet certs are only rendered when the site data defines workers.
29 {% if 'workers' in yaml %}{% for server in yaml.workers %}
30 - document_name: kubelet-{{ server.name }}
31 common_name: system:node:{{ server.name }}
32 {% endfor %}{% endif %}
# Control-plane client certs. These CNs are the usernames Kubernetes' default
# RBAC bindings expect for the scheduler and controller-manager.
33 - document_name: scheduler
34 description: Service certificate for Kubernetes scheduler
35 common_name: system:kube-scheduler
36 - document_name: controller-manager
37 description: certificate for controller-manager
38 common_name: system:kube-controller-manager
# NOTE(review): the admin and armada client certs' CN/organization lines are
# not shown here; presumably cluster-admin identities — verify in the original.
39 - document_name: admin
40 - document_name: armada
# Kubernetes etcd CA: apiserver client cert plus one server cert per member.
41 description: Certificates for Kubernetes's etcd servers
42 - document_name: apiserver-etcd
43 description: etcd client certificate for use by Kubernetes apiserver
44 common_name: apiserver
45 # NOTE(mark-burnett): hosts not required for client certificates
46 - document_name: kubernetes-etcd-anchor
# The genesis etcd member gets two server certs: a fixed-name one and one
# keyed by hostname, both with the same SAN set (host addresses, the
# in-cluster service name and the etcd service IP).
47 - document_name: kubernetes-etcd-genesis
48 common_name: kubernetes-etcd-genesis
49 - {{yaml.genesis.name}}
50 - {{yaml.genesis.host}}
51 - {{yaml.genesis.ksn}}
52 - {{yaml.genesis.pxe}}
53 - kubernetes-etcd.kube-system.svc.cluster.local
54 - {{yaml.kubernetes.etcd_service_ip}}
55 - document_name: kubernetes-etcd-{{yaml.genesis.name}}
56 common_name: kubernetes-etcd-{{yaml.genesis.name}}
57 - {{yaml.genesis.name}}
58 - {{yaml.genesis.host}}
59 - {{yaml.genesis.ksn}}
60 - {{yaml.genesis.pxe}}
61 - kubernetes-etcd.kube-system.svc.cluster.local
62 - {{yaml.kubernetes.etcd_service_ip}}
# One etcd server cert per master; per-host SAN lines are omitted here.
63 {% for server in yaml.masters %}
64 - document_name: kubernetes-etcd-{{ server.name }}
65 common_name: kubernetes-etcd-{{ server.name }}
66 - kubernetes-etcd.kube-system.svc.cluster.local
67 - {{yaml.kubernetes.etcd_service_ip}}
# Separate CA for etcd peer (member-to-member) traffic, so peer trust is
# distinct from client trust. Same genesis-twice-then-masters pattern as above.
68 kubernetes-etcd-peer:
69 - document_name: kubernetes-etcd-genesis-peer
70 common_name: kubernetes-etcd-genesis-peer
71 - {{yaml.genesis.name}}
72 - {{yaml.genesis.host}}
73 - {{yaml.genesis.ksn}}
74 - {{yaml.genesis.pxe}}
75 - kubernetes-etcd.kube-system.svc.cluster.local
76 - {{yaml.kubernetes.etcd_service_ip}}
77 - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
78 common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
79 - {{yaml.genesis.name}}
80 - {{yaml.genesis.host}}
81 - {{yaml.genesis.ksn}}
82 - {{yaml.genesis.pxe}}
83 - kubernetes-etcd.kube-system.svc.cluster.local
84 - {{yaml.kubernetes.etcd_service_ip}}
85 {% for server in yaml.masters %}
86 - document_name: kubernetes-etcd-{{server.name}}-peer
87 common_name: kubernetes-etcd-{{server.name}}-peer
88 - kubernetes-etcd.kube-system.svc.cluster.local
89 - {{yaml.kubernetes.etcd_service_ip}}
# Calico etcd CA (client/server side).
90 description: Certificates for Calico etcd client traffic
91 - document_name: calico-etcd-anchor
92 - document_name: calico-etcd-{{yaml.genesis.name}}
93 common_name: calico-etcd-{{yaml.genesis.name}}
94 - {{yaml.genesis.name}}
95 - {{yaml.genesis.host}}
96 - {{yaml.genesis.ksn}}
97 - {{yaml.genesis.pxe}}
98 {% for server in yaml.masters %}
99 - document_name: calico-etcd-{{server.name}}
100 common_name: calico-etcd-{{server.name}}
101 - document_name: calico-node
# NOTE(review): CN "calcico-node" does not match document_name "calico-node"
# (same mismatch on calico-node-peer below). Looks like a typo; before
# correcting it, confirm that no etcd auth rule or consumer matches on this
# exact CN, since changing it changes the issued identity.
102 common_name: calcico-node
# Calico etcd peer CA.
# NOTE(review): this description says "clients" although the entries under
# it are the `-peer` certificates — presumably meant "peers"; confirm.
103 description: Certificates for Calico etcd clients
104 - document_name: calico-etcd-{{yaml.genesis.name}}-peer
105 common_name: calico-etcd-{{yaml.genesis.name}}-peer
106 - {{yaml.genesis.name}}
107 - {{yaml.genesis.host}}
108 - {{yaml.genesis.ksn}}
109 - {{yaml.genesis.pxe}}
110 {% for server in yaml.masters %}
111 - document_name: calico-etcd-{{server.name}}-peer
112 common_name: calico-etcd-{{server.name}}-peer
113 - document_name: calico-node-peer
# NOTE(review): same "calcico" spelling mismatch as calico-node above.
114 common_name: calcico-node-peer
# Non-certificate key material; presumably the start of a `keypairs:` section
# (its key line is among the omitted lines). This key signs service-account
# tokens, so its storage policy matters as much as any CA key.
115 - name: service-account
116 description: Service account signing key for use by Kubernetes controller-manager.