2 ##############################################################################
3 # Copyright © 2018 AT&T Intellectual Property. All rights reserved. #
5 # Licensed under the Apache License, Version 2.0 (the "License"); you may #
6 # not use this file except in compliance with the License. #
8 # You may obtain a copy of the License at #
9 # http://www.apache.org/licenses/LICENSE-2.0 #
11 # Unless required by applicable law or agreed to in writing, software #
12 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
13 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
14 # See the License for the specific language governing permissions and #
15 # limitations under the License. #
16 ##############################################################################
# Promenade PKICatalog document. It is rendered as a Jinja template first
# ({{ ... }} and {% for ... %} below), and only the rendered text is parsed as
# YAML, so the template markers are never seen by the YAML parser.
# This listing has lost its indentation and skips lines (the leading gutter
# numbers are not contiguous); nesting is read from the key names rather than
# from column position, and keys that introduce some lists are not shown.
18 schema: promenade/PKICatalog/v1
20 schema: metadata/Document/v1
21 name: cluster-certificates
# NOTE(review): the catalog lists only document names, CNs and SANs — no key
# material — so cleartext storage of the catalog itself is acceptable; confirm
# the generated keys and certificates are written to separately protected
# documents.
25 storagePolicy: cleartext
27 certificate_authorities:
# First CA: signs the control-plane, kubelet and client certificates that
# follow, up to the etcd CA section.
29 description: CA for Kubernetes components
31 - document_name: apiserver
32 description: Service certificate for Kubernetes apiserver
33 common_name: apiserver
# SAN list for the apiserver serving certificate; the key introducing the list
# is not in this listing.
# NOTE(review): unquoted template expansion — if the value renders empty the
# entry becomes a null list item rather than being dropped; confirm the
# renderer always supplies a value.
37 - {{yaml.kubernetes.api_service_ip}}
38 kubernetes_service_names:
39 - kubernetes.default.svc.cluster.local
# Kubelet client certificate for the genesis node. The system:node:<name> CN
# form is the one the Kubernetes Node authorizer matches on.
# NOTE(review): Node authorization also depends on the certificate's
# organization (system:nodes); that field is not visible here — confirm it is
# set where these documents are consumed.
40 - document_name: kubelet-genesis
41 common_name: system:node:{{yaml.genesis.name}}
# SANs: the genesis node name plus the host, ksn and storage values from the
# genesis config (presumably its per-network addresses). The same four-entry
# pattern repeats for every genesis certificate below.
43 - {{yaml.genesis.name}}
44 - {{yaml.genesis.host}}
45 - {{yaml.genesis.ksn}}
46 - {{yaml.genesis.storage}}
# NOTE(review): this document has the same CN and SANs as kubelet-genesis
# above — two certificates with an identical subject. Confirm both are needed;
# the etcd and calico sections below follow the same genesis/genesis-name
# doubling.
49 - document_name: kubelet-{{yaml.genesis.name}}
50 common_name: system:node:{{yaml.genesis.name}}
52 - {{yaml.genesis.name}}
53 - {{yaml.genesis.host}}
54 - {{yaml.genesis.ksn}}
55 - {{yaml.genesis.storage}}
# One kubelet client certificate per entry in yaml.servers; the rest of the
# loop body and its {% endfor %} are not in this listing.
58 {% for server in yaml.servers %}
59 - document_name: kubelet-{{ server.name }}
60 common_name: system:node:{{ server.name }}
# Control-plane component client certificates; the CNs use the well-known
# system:kube-* identities.
69 - document_name: scheduler
70 description: Service certificate for Kubernetes scheduler
71 common_name: system:kube-scheduler
72 - document_name: controller-manager
73 description: certificate for controller-manager
74 common_name: system:kube-controller-manager
# Client certificates for the cluster admin and for Armada; their CN (and any
# group) lines are not in this listing.
75 - document_name: admin
79 - document_name: armada
# Second CA: etcd client traffic for the Kubernetes etcd cluster. The CA key
# line that introduces this section is not in the listing.
84 description: Certificates for Kubernetes's etcd servers
86 - document_name: apiserver-etcd
87 description: etcd client certificate for use by Kubernetes apiserver
88 common_name: apiserver
89 # NOTE(mark-burnett): hosts not required for client certificates
# Anchor client certificate; its CN line is not in the listing.
90 - document_name: kubernetes-etcd-anchor
# Genesis etcd member certificate (client CA): node SANs plus the in-cluster
# Service DNS name and Service IP, so clients reaching etcd through the
# Service can validate it.
93 - document_name: kubernetes-etcd-genesis
94 common_name: kubernetes-etcd-genesis
96 - {{yaml.genesis.name}}
97 - {{yaml.genesis.host}}
98 - {{yaml.genesis.ksn}}
99 - {{yaml.genesis.storage}}
102 - kubernetes-etcd.kube-system.svc.cluster.local
103 - {{yaml.kubernetes.etcd_service_ip}}
104 - document_name: kubernetes-etcd-{{yaml.genesis.name}}
105 common_name: kubernetes-etcd-{{yaml.genesis.name}}
107 - {{yaml.genesis.name}}
108 - {{yaml.genesis.host}}
109 - {{yaml.genesis.ksn}}
110 - {{yaml.genesis.storage}}
113 - kubernetes-etcd.kube-system.svc.cluster.local
114 - {{yaml.kubernetes.etcd_service_ip}}
# Per-server etcd member certificates; the per-server SAN lines and the
# {% endfor %} are not in this listing.
115 {% for server in yaml.servers %}
116 - document_name: kubernetes-etcd-{{ server.name }}
117 common_name: kubernetes-etcd-{{ server.name }}
125 - kubernetes-etcd.kube-system.svc.cluster.local
126 - {{yaml.kubernetes.etcd_service_ip}}
# Third CA: etcd peer (member-to-member) traffic, kept as a separate trust
# root from the client CA above so a client certificate cannot be presented
# as a peer credential.
128 kubernetes-etcd-peer:
130 - document_name: kubernetes-etcd-genesis-peer
131 common_name: kubernetes-etcd-genesis-peer
133 - {{yaml.genesis.name}}
134 - {{yaml.genesis.host}}
135 - {{yaml.genesis.ksn}}
136 - {{yaml.genesis.storage}}
139 - kubernetes-etcd.kube-system.svc.cluster.local
140 - {{yaml.kubernetes.etcd_service_ip}}
141 - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
142 common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
144 - {{yaml.genesis.name}}
145 - {{yaml.genesis.host}}
146 - {{yaml.genesis.ksn}}
147 - {{yaml.genesis.storage}}
150 - kubernetes-etcd.kube-system.svc.cluster.local
151 - {{yaml.kubernetes.etcd_service_ip}}
# Per-server peer certificates; loop body continues past the lines shown.
152 {% for server in yaml.servers %}
153 - document_name: kubernetes-etcd-{{server.name}}-peer
154 common_name: kubernetes-etcd-{{server.name}}-peer
162 - kubernetes-etcd.kube-system.svc.cluster.local
163 - {{yaml.kubernetes.etcd_service_ip}}
# Fourth CA: Calico's etcd, client side. The CA key line is not in the
# listing.
166 description: Certificates for Calico etcd client traffic
168 - document_name: calico-etcd-anchor
171 - document_name: calico-etcd-{{yaml.genesis.name}}
172 common_name: calico-etcd-{{yaml.genesis.name}}
174 - {{yaml.genesis.name}}
175 - {{yaml.genesis.host}}
176 - {{yaml.genesis.ksn}}
177 - {{yaml.genesis.storage}}
# Per-server Calico etcd client certificates; loop body continues past the
# lines shown.
181 {% for server in yaml.servers %}
182 - document_name: calico-etcd-{{server.name}}
183 common_name: calico-etcd-{{server.name}}
# NOTE(review): the CN below reads "calcico-node" while the document is named
# calico-node — this looks like a typo. If Calico's etcd authorizes clients by
# CN, the authorization rule and this value must be changed together at the
# next certificate rotation; the value is left as-is here because changing it
# re-issues the certificate.
193 - document_name: calico-node
194 common_name: calcico-node
# Fifth CA: every certificate under it is a "-peer" document, yet the
# description says "clients" (compare the client-traffic CA above).
# NOTE(review): confirm the intended wording; a misleading description makes
# it easy to trust the wrong CA when wiring peer vs. client verification.
196 description: Certificates for Calico etcd clients
198 - document_name: calico-etcd-{{yaml.genesis.name}}-peer
199 common_name: calico-etcd-{{yaml.genesis.name}}-peer
201 - {{yaml.genesis.name}}
202 - {{yaml.genesis.host}}
203 - {{yaml.genesis.ksn}}
204 - {{yaml.genesis.storage}}
# Per-server Calico etcd peer certificates; loop body continues past the
# lines shown.
208 {% for server in yaml.servers %}
209 - document_name: calico-etcd-{{server.name}}-peer
210 common_name: calico-etcd-{{server.name}}-peer
# Keypair (not a certificate) used to sign service-account tokens; the section
# key introducing the keypair list is not in this listing.
221 - name: service-account
222 description: Service account signing key for use by Kubernetes controller-manager.