1 ---
2 ##############################################################################
3 # Copyright © 2018 AT&T Intellectual Property. All rights reserved.          #
4 #                                                                            #
5 # Licensed under the Apache License, Version 2.0 (the "License"); you may    #
6 # not use this file except in compliance with the License.                   #
7 #                                                                            #
8 # You may obtain a copy of the License at                                    #
9 #       http://www.apache.org/licenses/LICENSE-2.0                           #
10 #                                                                            #
11 # Unless required by applicable law or agreed to in writing, software        #
12 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
13 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
14 # See the License for the specific language governing permissions and        #
15 # limitations under the License.                                             #
16 ##############################################################################
17
# Promenade PKICatalog for this site: declares the certificate authorities,
# the certificates each CA must issue, and the keypairs to generate. It holds
# no key material itself — every entry only names the output document
# (document_name) plus the subject data (common_name, hosts as SANs, groups).
#
# NOTE(review): this file is a Jinja2 template (the yaml.* expressions and the
# for-loops) and is rendered BEFORE it is parsed as YAML. The templated scalars
# are unquoted, so a rendered value that is empty, or that looks like a number
# or boolean, would be retyped by the YAML parser. Quoting them as strings is
# the defensive form; left as-is here.
18 schema: promenade/PKICatalog/v1
19 metadata:
20   schema: metadata/Document/v1
21   name: cluster-certificates
22   layeringDefinition:
23     abstract: false
24     layer: site
# cleartext is appropriate: this catalog contains no secrets (no private key
# or certificate PEM appears in it); the generated artifacts live elsewhere.
25   storagePolicy: cleartext
26 data:
27   certificate_authorities:
    # Per certificate: document_name (output document), common_name (CN),
    # optional hosts (SAN list), optional groups. The group values used here
    # (system:nodes, system:masters) are Kubernetes RBAC group names, so the
    # groups field is what decides a certificate's cluster privileges —
    # presumably it is emitted as the subject Organization; confirm against
    # the PKICatalog schema.
28     kubernetes:
29       description: CA for Kubernetes components
30       certificates:
31         - document_name: apiserver
32           description: Service certificate for Kubernetes apiserver
33           common_name: apiserver
34           hosts:
35             - localhost
36             - 127.0.0.1
            # in-cluster "kubernetes" service IP, supplied by site data
37             - {{yaml.kubernetes.api_service_ip}}
38           kubernetes_service_names:
39             - kubernetes.default.svc.cluster.local
        # The genesis node receives two kubelet certificates with identical CN
        # and SANs: a fixed "kubelet-genesis" document and a name-keyed one in
        # the same form as the per-server entries below. Presumably the first
        # is for bootstrap and the second for steady state — confirm with the
        # promenade consumers before removing either.
        # CN system:node:<name> plus group system:nodes is the identity the
        # Kubernetes Node authorizer expects for a kubelet.
40         - document_name: kubelet-genesis
41           common_name: system:node:{{yaml.genesis.name}}
42           hosts:
            # per-node names/addresses from site data (name, host, ksn, storage)
43             - {{yaml.genesis.name}}
44             - {{yaml.genesis.host}}
45             - {{yaml.genesis.ksn}}
46             - {{yaml.genesis.storage}}
47           groups:
48             - system:nodes
49         - document_name: kubelet-{{yaml.genesis.name}}
50           common_name: system:node:{{yaml.genesis.name}}
51           hosts:
52             - {{yaml.genesis.name}}
53             - {{yaml.genesis.host}}
54             - {{yaml.genesis.ksn}}
55             - {{yaml.genesis.storage}}
56           groups:
57             - system:nodes
# One kubelet certificate per entry in yaml.servers. Assumes yaml.servers does
# not include the genesis node, otherwise document_name would collide with the
# genesis entry above — TODO confirm. The same assumption applies to every
# yaml.servers loop in this file.
58 {% for server in yaml.servers %}
59         - document_name: kubelet-{{ server.name }}
60           common_name: system:node:{{ server.name }}
61           hosts:
62             - {{server.name}}
63             - {{server.host}}
64             - {{server.ksn}}
65             - {{server.storage}}
66           groups:
67             - system:nodes
68 {% endfor %}
        # Client certificates (no hosts): scheduler, controller-manager, admin,
        # armada. Their private keys are the credential; the CN/groups below
        # are what Kubernetes authorizes on.
69         - document_name: scheduler
70           description: Service certificate for Kubernetes scheduler
71           common_name: system:kube-scheduler
72         - document_name: controller-manager
73           description: certificate for controller-manager
74           common_name: system:kube-controller-manager
        # admin and armada are placed in system:masters, which Kubernetes binds
        # to cluster-admin, so these two keys are full-cluster credentials.
        # Least-privilege review point: whether armada needs system:masters or
        # could use a narrower group with an explicit RBAC binding.
75         - document_name: admin
76           common_name: admin
77           groups:
78             - system:masters
79         - document_name: armada
80           common_name: armada
81           groups:
82             - system:masters
    # Despite the description, this CA issues both etcd client certificates
    # (apiserver-etcd, anchor — no hosts) and per-node etcd server
    # certificates (with node SANs plus loopback, the service DNS name and the
    # service IP).
83     kubernetes-etcd:
84       description: Certificates for Kubernetes's etcd servers
85       certificates:
86         - document_name: apiserver-etcd
87           description: etcd client certificate for use by Kubernetes apiserver
88           common_name: apiserver
89           # NOTE(mark-burnett): hosts not required for client certificates
        # "anchor" is uninformative as a description; presumably this is the
        # client identity of the component that manages etcd on the hosts —
        # worth spelling out.
90         - document_name: kubernetes-etcd-anchor
91           description: anchor
92           common_name: anchor
        # Genesis node again has a fixed-name and a name-keyed server
        # certificate with identical SANs (see the kubelet note above).
93         - document_name: kubernetes-etcd-genesis
94           common_name: kubernetes-etcd-genesis
95           hosts:
96             - {{yaml.genesis.name}}
97             - {{yaml.genesis.host}}
98             - {{yaml.genesis.ksn}}
99             - {{yaml.genesis.storage}}
100             - 127.0.0.1
101             - localhost
102             - kubernetes-etcd.kube-system.svc.cluster.local
103             - {{yaml.kubernetes.etcd_service_ip}}
104         - document_name: kubernetes-etcd-{{yaml.genesis.name}}
105           common_name: kubernetes-etcd-{{yaml.genesis.name}}
106           hosts:
107             - {{yaml.genesis.name}}
108             - {{yaml.genesis.host}}
109             - {{yaml.genesis.ksn}}
110             - {{yaml.genesis.storage}}
111             - 127.0.0.1
112             - localhost
113             - kubernetes-etcd.kube-system.svc.cluster.local
114             - {{yaml.kubernetes.etcd_service_ip}}
115 {% for server in yaml.servers %}
116         - document_name: kubernetes-etcd-{{ server.name }}
117           common_name: kubernetes-etcd-{{ server.name }}
118           hosts:
119             - {{ server.name }}
120             - {{server.host}}
121             - {{server.ksn}}
122             - {{server.storage}}
123             - 127.0.0.1
124             - localhost
125             - kubernetes-etcd.kube-system.svc.cluster.local
126             - {{yaml.kubernetes.etcd_service_ip}}
127 {% endfor %}
    # NOTE(review): this CA has no description while its siblings do; a
    # one-liner such as "Certificates for Kubernetes etcd peer traffic" would
    # match the others. Peer certificates carry the same SAN set as the
    # server certificates above.
128     kubernetes-etcd-peer:
129       certificates:
130         - document_name: kubernetes-etcd-genesis-peer
131           common_name: kubernetes-etcd-genesis-peer
132           hosts:
133             - {{yaml.genesis.name}}
134             - {{yaml.genesis.host}}
135             - {{yaml.genesis.ksn}}
136             - {{yaml.genesis.storage}}
137             - 127.0.0.1
138             - localhost
139             - kubernetes-etcd.kube-system.svc.cluster.local
140             - {{yaml.kubernetes.etcd_service_ip}}
141         - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
142           common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
143           hosts:
144             - {{yaml.genesis.name}}
145             - {{yaml.genesis.host}}
146             - {{yaml.genesis.ksn}}
147             - {{yaml.genesis.storage}}
148             - 127.0.0.1
149             - localhost
150             - kubernetes-etcd.kube-system.svc.cluster.local
151             - {{yaml.kubernetes.etcd_service_ip}}
152 {% for server in yaml.servers %}
153         - document_name: kubernetes-etcd-{{server.name}}-peer
154           common_name: kubernetes-etcd-{{server.name}}-peer
155           hosts:
156             - {{server.name}}
157             - {{server.host}}
158             - {{server.ksn}}
159             - {{server.storage}}
160             - 127.0.0.1
161             - localhost
162             - kubernetes-etcd.kube-system.svc.cluster.local
163             - {{yaml.kubernetes.etcd_service_ip}}
164 {% endfor %}
    # As with kubernetes-etcd, this CA issues both client certificates
    # (calico-etcd-anchor, calico-node — no hosts) and per-node server
    # certificates, although the description only mentions client traffic.
165     calico-etcd:
166       description: Certificates for Calico etcd client traffic
167       certificates:
168         - document_name: calico-etcd-anchor
169           description: anchor
170           common_name: anchor
171         - document_name: calico-etcd-{{yaml.genesis.name}}
172           common_name: calico-etcd-{{yaml.genesis.name}}
173           hosts:
174             - {{yaml.genesis.name}}
175             - {{yaml.genesis.host}}
176             - {{yaml.genesis.ksn}}
177             - {{yaml.genesis.storage}}
178             - 127.0.0.1
179             - localhost
            # NOTE(review): literal service IP, where the kubernetes-etcd
            # certificates take yaml.kubernetes.etcd_service_ip from site
            # data. If the Calico etcd service IP differs on a site this SAN
            # will not match and TLS verification by Calico clients fails;
            # sourcing it from site data (as the other SANs are) would be the
            # consistent form. Same literal appears in every calico-etcd and
            # calico-etcd-peer entry below.
180             - 10.96.232.136
181 {% for server in yaml.servers %}
182         - document_name: calico-etcd-{{server.name}}
183           common_name: calico-etcd-{{server.name}}
184           hosts:
185             - {{server.name}}
186             - {{server.host}}
187             - {{server.ksn}}
188             - {{server.storage}}
189             - 127.0.0.1
190             - localhost
191             - 10.96.232.136
192 {% endfor %}
        # NOTE(review): common_name "calcico-node" looks like a typo of
        # "calico-node" (the document_name). Left unchanged here because any
        # consumer that matches on the CN (etcd auth, RBAC subject) would have
        # to change in step; fix both sides together.
193         - document_name: calico-node
194           common_name: calcico-node
    # NOTE(review): the description says "clients", but every certificate in
    # this CA is a -peer certificate; the wording appears copied from
    # calico-etcd above and should read as peer traffic.
195     calico-etcd-peer:
196       description: Certificates for Calico etcd clients
197       certificates:
198         - document_name: calico-etcd-{{yaml.genesis.name}}-peer
199           common_name: calico-etcd-{{yaml.genesis.name}}-peer
200           hosts:
201             - {{yaml.genesis.name}}
202             - {{yaml.genesis.host}}
203             - {{yaml.genesis.ksn}}
204             - {{yaml.genesis.storage}}
205             - 127.0.0.1
206             - localhost
207             - 10.96.232.136
208 {% for server in yaml.servers %}
209         - document_name: calico-etcd-{{server.name}}-peer
210           common_name: calico-etcd-{{server.name}}-peer
211           hosts:
212             - {{server.name}}
213             - {{server.host}}
214             - {{server.ksn}}
215             - {{server.storage}}
216             - 127.0.0.1
217             - localhost
218             - 10.96.232.136
219 {% endfor %}
  # Keypairs are generated without a CA. The service-account key signs every
  # service-account token the controller-manager issues, so its private half
  # is the single most sensitive output of this catalog: whoever holds it can
  # mint tokens for any service account.
220   keypairs:
221     - name: service-account
222       description: Service account signing key for use by Kubernetes controller-manager.
225 ...