----
-# The purpose of this file is to define the PKI certificates for the environment
-#
-# NOTE: When deploying a new site, this file should not be configured until
-# baremetal/nodes.yaml is complete.
-#
-schema: promenade/PKICatalog/v1
-metadata:
- schema: metadata/Document/v1
- name: cluster-certificates
- layeringDefinition:
- abstract: false
- layer: site
- storagePolicy: cleartext
-data:
- certificate_authorities:
- kubernetes:
- description: CA for Kubernetes components
- certificates:
- - document_name: apiserver
- description: Service certificate for Kubernetes apiserver
- common_name: apiserver
- hosts:
- - localhost
- - 127.0.0.1
- # FIXME: Repetition of api_service_ip in common-addresses; use
- # substitution
- - 10.96.0.1
- kubernetes_service_names:
- - kubernetes.default.svc.cluster.local
-
- # NEWSITE-CHANGEME: The following should be a list of all the nodes in
- # the environment (genesis, control plane, data plane, everything).
- # Add/delete from this list as necessary until all nodes are listed.
- # For each node, the `hosts` list should be comprised of:
- # 1. The node's hostname, as already defined in baremetal/nodes.yaml
- # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
- # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
- # NOTE: This list also needs to include the Genesis node, which is not
- # listed in baremetal/nodes.yaml, but by convention should be allocated
- # the first non-reserved IP in each logical network allocation range
- # defined in networks/physical/networks.yaml
- # NOTE: The genesis node needs to be defined twice (the first two entries
- # on this list) with all of the same paramters except the document_name.
- # In the first case the document_name is `kubelet-genesis`, and in the
- # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
- - document_name: kubelet-genesis
- common_name: system:node:cab23-r720-11
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-11
- common_name: system:node:cab23-r720-11
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-12
- common_name: system:node:cab23-r720-12
- hosts:
- - cab23-r720-12
- - 10.23.21.12
- - 10.23.22.12
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-13
- common_name: system:node:cab23-r720-13
- hosts:
- - cab23-r720-13
- - 10.23.21.13
- - 10.23.22.13
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-14
- common_name: system:node:cab23-r720-14
- hosts:
- - cab23-r720-14
- - 10.23.21.14
- - 10.23.22.14
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-17
- common_name: system:node:cab23-r720-17
- hosts:
- - cab23-r720-17
- - 10.23.21.17
- - 10.23.22.17
- groups:
- - system:nodes
- - document_name: kubelet-cab23-r720-19
- common_name: system:node:cab23-r720-19
- hosts:
- - cab23-r720-19
- - 10.23.21.19
- - 10.23.22.19
- groups:
- - system:nodes
- # End node list
- - document_name: scheduler
- description: Service certificate for Kubernetes scheduler
- common_name: system:kube-scheduler
- - document_name: controller-manager
- description: certificate for controller-manager
- common_name: system:kube-controller-manager
- - document_name: admin
- common_name: admin
- groups:
- - system:masters
- - document_name: armada
- common_name: armada
- groups:
- - system:masters
- kubernetes-etcd:
- description: Certificates for Kubernetes's etcd servers
- certificates:
- - document_name: apiserver-etcd
- description: etcd client certificate for use by Kubernetes apiserver
- common_name: apiserver
- # NOTE(mark-burnett): hosts not required for client certificates
- - document_name: kubernetes-etcd-anchor
- description: anchor
- common_name: anchor
- # NEWSITE-CHANGEME: The following should be a list of the control plane
- # nodes in the environment, including genesis.
- # For each node, the `hosts` list should be comprised of:
- # 1. The node's hostname, as already defined in baremetal/nodes.yaml
- # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
- # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
- # 4. 127.0.0.1
- # 5. localhost
- # 6. kubernetes-etcd.kube-system.svc.cluster.local
- # NOTE: This list also needs to include the Genesis node, which is not
- # listed in baremetal/nodes.yaml, but by convention should be allocated
- # the first non-reserved IP in each logical network allocation range
- # defined in networks/physical/networks.yaml, except for the kubernetes
- # service_cidr where it should start with the second IP in the range.
- # NOTE: The genesis node is defined twice with the same `hosts` data:
- # Once with its hostname in the common/document name, and once with
- # `genesis` defined instead of the host. For now, this duplicated
- # genesis definition is required. FIXME: Remove duplicate definition
- # after Promenade addresses this issue.
- - document_name: kubernetes-etcd-genesis
- common_name: kubernetes-etcd-genesis
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-11
- common_name: kubernetes-etcd-cab23-r720-11
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-12
- common_name: kubernetes-etcd-cab23-r720-12
- hosts:
- - cab23-r720-12
- - 10.23.21.12
- - 10.23.22.12
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-13
- common_name: kubernetes-etcd-cab23-r720-13
- hosts:
- - cab23-r720-13
- - 10.23.21.13
- - 10.23.22.13
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-14
- common_name: kubernetes-etcd-cab23-r720-14
- hosts:
- - cab23-r720-14
- - 10.23.21.14
- - 10.23.22.14
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- # End node list
- kubernetes-etcd-peer:
- certificates:
- # NEWSITE-CHANGEME: This list should be identical to the previous list,
- # except that `-peer` has been appended to the document/common names.
- - document_name: kubernetes-etcd-genesis-peer
- common_name: kubernetes-etcd-genesis-peer
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-11-peer
- common_name: kubernetes-etcd-cab23-r720-11-peer
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-12-peer
- common_name: kubernetes-etcd-cab23-r720-12-peer
- hosts:
- - cab23-r720-12
- - 10.23.21.12
- - 10.23.22.12
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-13-peer
- common_name: kubernetes-etcd-cab23-r720-13-peer
- hosts:
- - cab23-r720-13
- - 10.23.21.13
- - 10.23.22.13
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- - document_name: kubernetes-etcd-cab23-r720-14-peer
- common_name: kubernetes-etcd-cab23-r720-14-peer
- hosts:
- - cab23-r720-14
- - 10.23.21.14
- - 10.23.22.14
- - 127.0.0.1
- - localhost
- - kubernetes-etcd.kube-system.svc.cluster.local
- - 10.96.0.2
- # End node list
- calico-etcd:
- description: Certificates for Calico etcd client traffic
- certificates:
- - document_name: calico-etcd-anchor
- description: anchor
- common_name: anchor
- # NEWSITE-CHANGEME: The following should be a list of the control plane
- # nodes in the environment, including genesis.
- # For each node, the `hosts` list should be comprised of:
- # 1. The node's hostname, as already defined in baremetal/nodes.yaml
- # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
- # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
- # 4. 127.0.0.1
- # 5. localhost
- # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
- # NOTE: This list also needs to include the Genesis node, which is not
- # listed in baremetal/nodes.yaml, but by convention should be allocated
- # the first non-reserved IP in each logical network allocation range
- # defined in networks/physical/networks.yaml
- - document_name: calico-etcd-cab23-r720-11
- common_name: calico-etcd-cab23-r720-11
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-12
- common_name: calico-etcd-cab23-r720-12
- hosts:
- - cab23-r720-12
- - 10.23.21.12
- - 10.23.22.12
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-13
- common_name: calico-etcd-cab23-r720-13
- hosts:
- - cab23-r720-13
- - 10.23.21.13
- - 10.23.22.13
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-14
- common_name: calico-etcd-cab23-r720-14
- hosts:
- - cab23-r720-14
- - 10.23.21.14
- - 10.23.22.14
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-node
- common_name: calcico-node
- # End node list
- calico-etcd-peer:
- description: Certificates for Calico etcd clients
- certificates:
- # NEWSITE-CHANGEME: This list should be identical to the previous list,
- # except that `-peer` has been appended to the document/common names.
- - document_name: calico-etcd-cab23-r720-11-peer
- common_name: calico-etcd-cab23-r720-11-peer
- hosts:
- - cab23-r720-11
- - 10.23.21.11
- - 10.23.22.11
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-12-peer
- common_name: calico-etcd-cab23-r720-12-peer
- hosts:
- - cab23-r720-12
- - 10.23.21.12
- - 10.23.22.12
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-13-peer
- common_name: calico-etcd-cab23-r720-13-peer
- hosts:
- - cab23-r720-13
- - 10.23.21.13
- - 10.23.22.13
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-etcd-cab23-r720-14-peer
- common_name: calico-etcd-cab23-r720-14-peer
- hosts:
- - cab23-r720-14
- - 10.23.21.14
- - 10.23.22.14
- - 127.0.0.1
- - localhost
- - 10.96.232.136
- - document_name: calico-node-peer
- common_name: calcico-node-peer
- # End node list
- keypairs:
- - name: service-account
- description: Service account signing key for use by Kubernetes controller-manager.
-...