2 # The purpose of this file is to define the PKI certificates for the environment
4 # NOTE: When deploying a new site, this file should not be configured until
5 # baremetal/nodes.yaml is complete.
# Shape of this catalog: each entry under `certificate_authorities` is one CA
# with the list of certificates to issue from it. Every certificate carries a
# `document_name` (name of the generated document), a `common_name` (the
# subject CN) and, for server certificates, a `hosts` list naming the hostnames
# and IPs the certificate must be valid for (see the NEWSITE-CHANGEME notes
# below; client certificates do not need `hosts`).
# The {{ }} / {% %} markup is Jinja, rendered from the site's `yaml` data before
# this text is parsed as YAML. NOTE(review): confirm the renderer fails on an
# undefined variable; otherwise a missing key would silently render an empty
# common_name or hosts entry.
7 schema: promenade/PKICatalog/v1
9 schema: metadata/Document/v1
10 name: cluster-certificates
# NOTE(review): `cleartext` governs this catalog document, which holds no key
# material itself. The keys and certificates generated from it presumably live
# in separate documents — confirm those are stored under an encrypted policy.
14 storagePolicy: cleartext
16 certificate_authorities:
18 description: CA for Kubernetes components
20 - document_name: apiserver
21 description: Service certificate for Kubernetes apiserver
22 common_name: apiserver
26 # FIXME: Repetition of api_service_ip in common-addresses; use
28 - {{yaml.kubernetes.api_service_ip}}
29 kubernetes_service_names:
30 - kubernetes.default.svc.cluster.local
32 # NEWSITE-CHANGEME: The following should be a list of all the nodes in
33 # the environment (genesis, control plane, data plane, everything).
34 # Add/delete from this list as necessary until all nodes are listed.
35 # For each node, the `hosts` list should be comprised of:
36 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
37 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
38 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
39 # NOTE: This list also needs to include the Genesis node, which is not
40 # listed in baremetal/nodes.yaml, but by convention should be allocated
41 # the first non-reserved IP in each logical network allocation range
42 # defined in networks/physical/networks.yaml
43 # NOTE: The genesis node needs to be defined twice (the first two entries
44 # on this list) with all of the same parameters except the document_name.
45 # In the first case the document_name is `kubelet-genesis`, and in the
46 # second case the document_name format is `kubelet-YOUR_GENESIS_HOSTNAME`.
# `system:node:<name>` is the form Kubernetes expects for a kubelet's client
# identity; the name must match the node name the kubelet registers with
# (the hostname from baremetal/nodes.yaml). Keep each `hosts` list to the
# names/IPs that node itself serves: every entry is a name peers will accept
# this key for, so listing other nodes' addresses widens what the key can
# stand in for.
47 - document_name: kubelet-genesis
48 common_name: system:node:{{yaml.genesis.name}}
50 - {{yaml.genesis.name}}
51 - {{yaml.genesis.host}}
52 - {{yaml.genesis.ksn}}
55 - document_name: kubelet-{{yaml.genesis.name}}
56 common_name: system:node:{{yaml.genesis.name}}
58 - {{yaml.genesis.name}}
59 - {{yaml.genesis.host}}
60 - {{yaml.genesis.ksn}}
# One kubelet certificate per control-plane node; the per-node hosts lines
# are not shown in this excerpt.
63 {% for server in yaml.masters %}
64 - document_name: kubelet-{{ server.name }}
65 common_name: system:node:{{ server.name }}
# Worker kubelet certificates are only emitted when the site data defines
# a `workers` list.
73 {% if 'workers' in yaml %}{% for server in yaml.workers %}
74 - document_name: kubelet-{{ server.name }}
75 common_name: system:node:{{ server.name }}
82 {% endfor %}{% endif %}
84 - document_name: scheduler
85 description: Service certificate for Kubernetes scheduler
86 common_name: system:kube-scheduler
87 - document_name: controller-manager
88 description: certificate for controller-manager
89 common_name: system:kube-controller-manager
90 - document_name: admin
94 - document_name: armada
99 description: Certificates for Kubernetes's etcd servers
101 - document_name: apiserver-etcd
102 description: etcd client certificate for use by Kubernetes apiserver
103 common_name: apiserver
104 # NOTE(mark-burnett): hosts not required for client certificates
105 - document_name: kubernetes-etcd-anchor
108 # NEWSITE-CHANGEME: The following should be a list of the control plane
109 # nodes in the environment, including genesis.
110 # For each node, the `hosts` list should be comprised of:
111 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
112 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
113 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
116 # 6. kubernetes-etcd.kube-system.svc.cluster.local
117 # NOTE: This list also needs to include the Genesis node, which is not
118 # listed in baremetal/nodes.yaml, but by convention should be allocated
119 # the first non-reserved IP in each logical network allocation range
120 # defined in networks/physical/networks.yaml, except for the kubernetes
121 # service_cidr where it should start with the second IP in the range.
122 # NOTE: The genesis node is defined twice with the same `hosts` data:
123 # Once with its hostname in the common/document name, and once with
124 # `genesis` defined instead of the host. For now, this duplicated
125 # genesis definition is required. FIXME: Remove duplicate definition
126 # after Promenade addresses this issue.
127 - document_name: kubernetes-etcd-genesis
128 common_name: kubernetes-etcd-genesis
130 - {{yaml.genesis.name}}
131 - {{yaml.genesis.host}}
132 - {{yaml.genesis.ksn}}
# The etcd service name and service IP are shared by every etcd server cert
# (presumably because clients reach etcd through the service address, so any
# member may answer for it); the per-node entries above it must stay per-node.
135 - kubernetes-etcd.kube-system.svc.cluster.local
136 - {{yaml.kubernetes.etcd_service_ip}}
137 - document_name: kubernetes-etcd-{{yaml.genesis.name}}
138 common_name: kubernetes-etcd-{{yaml.genesis.name}}
140 - {{yaml.genesis.name}}
141 - {{yaml.genesis.host}}
142 - {{yaml.genesis.ksn}}
145 - kubernetes-etcd.kube-system.svc.cluster.local
146 - {{yaml.kubernetes.etcd_service_ip}}
147 {% for server in yaml.masters %}
148 - document_name: kubernetes-etcd-{{ server.name }}
149 common_name: kubernetes-etcd-{{ server.name }}
156 - kubernetes-etcd.kube-system.svc.cluster.local
157 - {{yaml.kubernetes.etcd_service_ip}}
# Peer certificates: same hosts as the server list above, distinct names.
160 kubernetes-etcd-peer:
162 # NEWSITE-CHANGEME: This list should be identical to the previous list,
163 # except that `-peer` has been appended to the document/common names.
164 - document_name: kubernetes-etcd-genesis-peer
165 common_name: kubernetes-etcd-genesis-peer
167 - {{yaml.genesis.name}}
168 - {{yaml.genesis.host}}
169 - {{yaml.genesis.ksn}}
172 - kubernetes-etcd.kube-system.svc.cluster.local
173 - {{yaml.kubernetes.etcd_service_ip}}
174 - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
175 common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
177 - {{yaml.genesis.name}}
178 - {{yaml.genesis.host}}
179 - {{yaml.genesis.ksn}}
182 - kubernetes-etcd.kube-system.svc.cluster.local
183 - {{yaml.kubernetes.etcd_service_ip}}
184 {% for server in yaml.masters %}
185 - document_name: kubernetes-etcd-{{server.name}}-peer
186 common_name: kubernetes-etcd-{{server.name}}-peer
193 - kubernetes-etcd.kube-system.svc.cluster.local
194 - {{yaml.kubernetes.etcd_service_ip}}
198 description: Certificates for Calico etcd client traffic
200 - document_name: calico-etcd-anchor
203 # NEWSITE-CHANGEME: The following should be a list of the control plane
204 # nodes in the environment, including genesis.
205 # For each node, the `hosts` list should be comprised of:
206 # 1. The node's hostname, as already defined in baremetal/nodes.yaml
207 # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
208 # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
211 # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
212 # NOTE: This list also needs to include the Genesis node, which is not
213 # listed in baremetal/nodes.yaml, but by convention should be allocated
214 # the first non-reserved IP in each logical network allocation range
215 # defined in networks/physical/networks.yaml
216 - document_name: calico-etcd-{{yaml.genesis.name}}
217 common_name: calico-etcd-{{yaml.genesis.name}}
219 - {{yaml.genesis.name}}
220 - {{yaml.genesis.host}}
221 - {{yaml.genesis.ksn}}
225 {% for server in yaml.masters %}
226 - document_name: calico-etcd-{{server.name}}
227 common_name: calico-etcd-{{server.name}}
# NOTE(review): `common_name` below reads `calcico-node` while the
# document_name is `calico-node`; if the consumer matches on the CN these will
# not line up. Confirm whether the spelling is intentional before changing
# it — a change here re-issues the certificate. The `-peer` entry further
# down has the same spelling.
236 - document_name: calico-node
237 common_name: calcico-node
240 description: Certificates for Calico etcd clients
242 # NEWSITE-CHANGEME: This list should be identical to the previous list,
243 # except that `-peer` has been appended to the document/common names.
244 - document_name: calico-etcd-{{yaml.genesis.name}}-peer
245 common_name: calico-etcd-{{yaml.genesis.name}}-peer
247 - {{yaml.genesis.name}}
248 - {{yaml.genesis.host}}
249 - {{yaml.genesis.ksn}}
253 {% for server in yaml.masters %}
254 - document_name: calico-etcd-{{server.name}}-peer
255 common_name: calico-etcd-{{server.name}}-peer
# NOTE(review): `calcico-node-peer` — same spelling question as calico-node.
264 - document_name: calico-node-peer
265 common_name: calcico-node-peer
# Signing keypair (not a certificate) used to sign service-account tokens.
268 - name: service-account
269 description: Service account signing key for use by Kubernetes controller-manager.