--- /dev/null
+---
+##############################################################################
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may #
+# not use this file except in compliance with the License. #
+# #
+# You may obtain a copy of the License at #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+##############################################################################
+
+schema: promenade/PKICatalog/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cluster-certificates
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data:
+ certificate_authorities:
+ kubernetes:
+ description: CA for Kubernetes components
+ certificates:
+ - document_name: apiserver
+ description: Service certificate for Kubernetes apiserver
+ common_name: apiserver
+ hosts:
+ - localhost
+ - 127.0.0.1
+ - {{yaml.kubernetes.api_service_ip}}
+ kubernetes_service_names:
+ - kubernetes.default.svc.cluster.local
+ - document_name: kubelet-genesis
+ common_name: system:node:{{yaml.genesis.name}}
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ groups:
+ - system:nodes
+ - document_name: kubelet-{{yaml.genesis.name}}
+ common_name: system:node:{{yaml.genesis.name}}
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ groups:
+ - system:nodes
+{% for server in yaml.masters %}
+ - document_name: kubelet-{{ server.name }}
+ common_name: system:node:{{ server.name }}
+ hosts:
+ - {{server.name}}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ groups:
+ - system:nodes
+{% endfor %}
+{% if 'workers' in yaml %}{% for server in yaml.workers %}
+ - document_name: kubelet-{{ server.name }}
+ common_name: system:node:{{ server.name }}
+ hosts:
+ - {{server.name}}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ groups:
+ - system:nodes
+{% endfor %}{% endif %}
+ - document_name: scheduler
+ description: Service certificate for Kubernetes scheduler
+ common_name: system:kube-scheduler
+ - document_name: controller-manager
+ description: certificate for controller-manager
+ common_name: system:kube-controller-manager
+ - document_name: admin
+ common_name: admin
+ groups:
+ - system:masters
+ - document_name: armada
+ common_name: armada
+ groups:
+ - system:masters
+ kubernetes-etcd:
+ description: Certificates for Kubernetes's etcd servers
+ certificates:
+ - document_name: apiserver-etcd
+ description: etcd client certificate for use by Kubernetes apiserver
+ common_name: apiserver
+ # NOTE(mark-burnett): hosts not required for client certificates
+ - document_name: kubernetes-etcd-anchor
+ description: anchor
+ common_name: anchor
+ - document_name: kubernetes-etcd-genesis
+ common_name: kubernetes-etcd-genesis
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+ - document_name: kubernetes-etcd-{{yaml.genesis.name}}
+ common_name: kubernetes-etcd-{{yaml.genesis.name}}
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+{% for server in yaml.masters %}
+ - document_name: kubernetes-etcd-{{ server.name }}
+ common_name: kubernetes-etcd-{{ server.name }}
+ hosts:
+ - {{ server.name }}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+{% endfor %}
+ kubernetes-etcd-peer:
+ certificates:
+ - document_name: kubernetes-etcd-genesis-peer
+ common_name: kubernetes-etcd-genesis-peer
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+ - document_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
+ common_name: kubernetes-etcd-{{yaml.genesis.name}}-peer
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+{% for server in yaml.masters %}
+ - document_name: kubernetes-etcd-{{server.name}}-peer
+ common_name: kubernetes-etcd-{{server.name}}-peer
+ hosts:
+ - {{server.name}}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - {{yaml.kubernetes.etcd_service_ip}}
+{% endfor %}
+ calico-etcd:
+ description: Certificates for Calico etcd client traffic
+ certificates:
+ - document_name: calico-etcd-anchor
+ description: anchor
+ common_name: anchor
+ - document_name: calico-etcd-{{yaml.genesis.name}}
+ common_name: calico-etcd-{{yaml.genesis.name}}
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+{% for server in yaml.masters %}
+ - document_name: calico-etcd-{{server.name}}
+ common_name: calico-etcd-{{server.name}}
+ hosts:
+ - {{server.name}}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+{% endfor %}
+ - document_name: calico-node
+ common_name: calcico-node
+ calico-etcd-peer:
+ description: Certificates for Calico etcd clients
+ certificates:
+ - document_name: calico-etcd-{{yaml.genesis.name}}-peer
+ common_name: calico-etcd-{{yaml.genesis.name}}-peer
+ hosts:
+ - {{yaml.genesis.name}}
+ - {{yaml.genesis.host}}
+ - {{yaml.genesis.ksn}}
+ - {{yaml.genesis.pxe}}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+{% for server in yaml.masters %}
+ - document_name: calico-etcd-{{server.name}}-peer
+ common_name: calico-etcd-{{server.name}}-peer
+ hosts:
+ - {{server.name}}
+ - {{server.host}}
+ - {{server.ksn}}
+ - {{server.pxe}}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+{% endfor %}
+ - document_name: calico-node-peer
+ common_name: calcico-node-peer
+ keypairs:
+ - name: service-account
+ description: Service account signing key for use by Kubernetes controller-manager.
+...
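Review bot: The `common_name` values for the calico-node entries read `calcico-node` and `calcico-node-peer`, which looks like a typo that does not match their `document_name` values (`calico-node`, `calico-node-peer`) and would become the identity baked into the issued certificates; the lines should read `common_name: calico-node` and `common_name: calico-node-peer`. The calico-etcd and calico-etcd-peer host lists hard-code `10.96.232.136` in four places, whereas the kubernetes-etcd entries take the service IP from `{{yaml.kubernetes.etcd_service_ip}}`; templating this value the same way (a site-specific variable, name to be confirmed) would keep the SANs correct when the cluster's service range changes. The `calico-etcd-peer` CA carries the description `Certificates for Calico etcd clients`, which duplicates the client CA's purpose; `description: Certificates for Calico etcd peer traffic` would distinguish the two. The indentation in this view appears flattened, so the nesting of the rendered document could not be verified here.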