Code Review / yaml_builds.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
updated templates and scripts for Airship 1.3
[yaml_builds.git] / site_type / sriov-a13 / templates / pki / pki-catalog.j2
diff --git a/site_type/sriov/templates/pki/pki-catalog.j2 b/site_type/sriov-a13/templates/pki/pki-catalog.j2
similarity index 62%
rename from site_type/sriov/templates/pki/pki-catalog.j2
rename to site_type/sriov-a13/templates/pki/pki-catalog.j2
index ae5ab0b..bea8a7d 100644 (file)
--- a/site_type/sriov/templates/pki/pki-catalog.j2
+++ b/site_type/sriov-a13/templates/pki/pki-catalog.j2
@@ -1,20 +1,9 @@
 ---
-##############################################################################
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.        #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License.                   #
-#                                                                            #
-# You may obtain a copy of the License at                                    #
-#       http://www.apache.org/licenses/LICENSE-2.0                           #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-##############################################################################
-
+# The purpose of this file is to define the PKI certificates for the environment
+#
+# NOTE: When deploying a new site, this file should not be configured until
+# baremetal/nodes.yaml is complete.
+#
 schema: promenade/PKICatalog/v1
 metadata:
   schema: metadata/Document/v1
@@ -34,16 +23,33 @@ data:
           hosts:
             - localhost
             - 127.0.0.1
+            # FIXME: Repetition of api_service_ip in common-addresses; use
+            # substitution
             - {{yaml.kubernetes.api_service_ip}}
           kubernetes_service_names:
             - kubernetes.default.svc.cluster.local
+
+        # NEWSITE-CHANGEME: The following should be a list of all the nodes in
+        # the environment (genesis, control plane, data plane, everything).
+        # Add/delete from this list as necessary until all nodes are listed.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml
+        # NOTE: The genesis node needs to be defined twice (the first two entries
+        # on this list) with all of the same paramters except the document_name.
+        # In the first case the document_name is `kubelet-genesis`, and in the
+        # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
         - document_name: kubelet-genesis
           common_name: system:node:{{yaml.genesis.name}}
           hosts:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
           groups:
             - system:nodes
         - document_name: kubelet-{{yaml.genesis.name}}
@@ -52,7 +58,6 @@ data:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
           groups:
             - system:nodes
 {% for server in yaml.masters %}
@@ -62,7 +67,6 @@ data:
             - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
           groups:
             - system:nodes
 {% endfor %}
@@ -73,10 +77,10 @@ data:
             - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
           groups:
             - system:nodes
 {% endfor %}{% endif %}
+        # End node list
         - document_name: scheduler
           description: Service certificate for Kubernetes scheduler
           common_name: system:kube-scheduler
@@ -97,17 +101,35 @@ data:
         - document_name: apiserver-etcd
           description: etcd client certificate for use by Kubernetes apiserver
           common_name: apiserver
-          # NOTE(mark-burnett): hosts not required for client certificates
+        # NOTE(mark-burnett): hosts not required for client certificates
         - document_name: kubernetes-etcd-anchor
           description: anchor
           common_name: anchor
+        # NEWSITE-CHANGEME: The following should be a list of the control plane
+        # nodes in the environment, including genesis.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        #   4. 127.0.0.1
+        #   5. localhost
+        #   6. kubernetes-etcd.kube-system.svc.cluster.local
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml, except for the kubernetes
+        # service_cidr where it should start with the second IP in the range.
+        # NOTE: The genesis node is defined twice with the same `hosts` data:
+        # Once with its hostname in the common/document name, and once with
+        # `genesis` defined instead of the host. For now, this duplicated
+        # genesis definition is required. FIXME: Remove duplicate definition
+        # after Promenade addresses this issue.
         - document_name: kubernetes-etcd-genesis
           common_name: kubernetes-etcd-genesis
           hosts:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
@@ -118,7 +140,6 @@ data:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
@@ -127,24 +148,25 @@ data:
         - document_name: kubernetes-etcd-{{ server.name }}
           common_name: kubernetes-etcd-{{ server.name }}
           hosts:
-            - {{ server.name }}
+            - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
             - {{yaml.kubernetes.etcd_service_ip}}
 {% endfor %}
+        # End node list
     kubernetes-etcd-peer:
       certificates:
+        # NEWSITE-CHANGEME: This list should be identical to the previous list,
+        # except that `-peer` has been appended to the document/common names.
         - document_name: kubernetes-etcd-genesis-peer
           common_name: kubernetes-etcd-genesis-peer
           hosts:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
@@ -155,7 +177,6 @@ data:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
@@ -167,25 +188,37 @@ data:
             - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
             - 127.0.0.1
             - localhost
             - kubernetes-etcd.kube-system.svc.cluster.local
             - {{yaml.kubernetes.etcd_service_ip}}
 {% endfor %}
+        # End node list
     calico-etcd:
       description: Certificates for Calico etcd client traffic
       certificates:
         - document_name: calico-etcd-anchor
           description: anchor
           common_name: anchor
+        # NEWSITE-CHANGEME: The following should be a list of the control plane
+        # nodes in the environment, including genesis.
+        # For each node, the `hosts` list should be comprised of:
+        #   1. The node's hostname, as already defined in baremetal/nodes.yaml
+        #   2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+        #   3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+        #   4. 127.0.0.1
+        #   5. localhost
+        #   6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
+        # NOTE: This list also needs to include the Genesis node, which is not
+        # listed in baremetal/nodes.yaml, but by convention should be allocated
+        # the first non-reserved IP in each logical network allocation range
+        # defined in networks/physical/networks.yaml
         - document_name: calico-etcd-{{yaml.genesis.name}}
           common_name: calico-etcd-{{yaml.genesis.name}}
           hosts:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - 10.96.232.136
@@ -196,23 +229,24 @@ data:
             - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
             - 127.0.0.1
             - localhost
             - 10.96.232.136
 {% endfor %}
         - document_name: calico-node
           common_name: calcico-node
+        # End node list
     calico-etcd-peer:
       description: Certificates for Calico etcd clients
       certificates:
+        # NEWSITE-CHANGEME: This list should be identical to the previous list,
+        # except that `-peer` has been appended to the document/common names.
         - document_name: calico-etcd-{{yaml.genesis.name}}-peer
           common_name: calico-etcd-{{yaml.genesis.name}}-peer
           hosts:
             - {{yaml.genesis.name}}
             - {{yaml.genesis.host}}
             - {{yaml.genesis.ksn}}
-            - {{yaml.genesis.pxe}}
             - 127.0.0.1
             - localhost
             - 10.96.232.136
@@ -223,13 +257,13 @@ data:
             - {{server.name}}
             - {{server.host}}
             - {{server.ksn}}
-            - {{server.pxe}}
             - 127.0.0.1
             - localhost
             - 10.96.232.136
 {% endfor %}
         - document_name: calico-node-peer
           common_name: calcico-node-peer
+        # End node list
   keypairs:
     - name: service-account
       description: Service account signing key for use by Kubernetes controller-manager.
Scripts and YAML files/templates used to boot an Akraino cluster