---
-##############################################################################
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. #
-# #
-# You may obtain a copy of the License at #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-##############################################################################
-
+# The purpose of this file is to define the PKI certificates for the environment
+#
+# NOTE: When deploying a new site, this file should not be configured until
+# baremetal/nodes.yaml is complete.
+#
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
hosts:
- localhost
- 127.0.0.1
+ # FIXME: Repetition of api_service_ip in common-addresses; use
+ # substitution
- {{yaml.kubernetes.api_service_ip}}
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
+
+ # NEWSITE-CHANGEME: The following should be a list of all the nodes in
+ # the environment (genesis, control plane, data plane, everything).
+ # Add/delete from this list as necessary until all nodes are listed.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml
+ # NOTE: The genesis node needs to be defined twice (the first two entries
+ # on this list) with all of the same paramters except the document_name.
+ # In the first case the document_name is `kubelet-genesis`, and in the
+ # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
- document_name: kubelet-genesis
common_name: system:node:{{yaml.genesis.name}}
hosts:
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
groups:
- system:nodes
- document_name: kubelet-{{yaml.genesis.name}}
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
groups:
- system:nodes
{% for server in yaml.masters %}
- {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
groups:
- system:nodes
{% endfor %}
- {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
groups:
- system:nodes
{% endfor %}{% endif %}
+ # End node list
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
- # NOTE(mark-burnett): hosts not required for client certificates
+ # NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
+ # NEWSITE-CHANGEME: The following should be a list of the control plane
+ # nodes in the environment, including genesis.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # 4. 127.0.0.1
+ # 5. localhost
+ # 6. kubernetes-etcd.kube-system.svc.cluster.local
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml, except for the kubernetes
+ # service_cidr where it should start with the second IP in the range.
+ # NOTE: The genesis node is defined twice with the same `hosts` data:
+ # Once with its hostname in the common/document name, and once with
+ # `genesis` defined instead of the host. For now, this duplicated
+ # genesis definition is required. FIXME: Remove duplicate definition
+ # after Promenade addresses this issue.
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-{{ server.name }}
common_name: kubernetes-etcd-{{ server.name }}
hosts:
- - {{ server.name }}
+ - {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- {{yaml.kubernetes.etcd_service_ip}}
{% endfor %}
+ # End node list
kubernetes-etcd-peer:
certificates:
+ # NEWSITE-CHANGEME: This list should be identical to the previous list,
+ # except that `-peer` has been appended to the document/common names.
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- {{yaml.kubernetes.etcd_service_ip}}
{% endfor %}
+ # End node list
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
+ # NEWSITE-CHANGEME: The following should be a list of the control plane
+ # nodes in the environment, including genesis.
+ # For each node, the `hosts` list should be comprised of:
+ # 1. The node's hostname, as already defined in baremetal/nodes.yaml
+ # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
+ # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
+ # 4. 127.0.0.1
+ # 5. localhost
+ # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
+ # NOTE: This list also needs to include the Genesis node, which is not
+ # listed in baremetal/nodes.yaml, but by convention should be allocated
+ # the first non-reserved IP in each logical network allocation range
+ # defined in networks/physical/networks.yaml
- document_name: calico-etcd-{{yaml.genesis.name}}
common_name: calico-etcd-{{yaml.genesis.name}}
hosts:
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- 10.96.232.136
- {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
- 127.0.0.1
- localhost
- 10.96.232.136
{% endfor %}
- document_name: calico-node
common_name: calcico-node
+ # End node list
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
+ # NEWSITE-CHANGEME: This list should be identical to the previous list,
+ # except that `-peer` has been appended to the document/common names.
- document_name: calico-etcd-{{yaml.genesis.name}}-peer
common_name: calico-etcd-{{yaml.genesis.name}}-peer
hosts:
- {{yaml.genesis.name}}
- {{yaml.genesis.host}}
- {{yaml.genesis.ksn}}
- - {{yaml.genesis.pxe}}
- 127.0.0.1
- localhost
- 10.96.232.136
- {{server.name}}
- {{server.host}}
- {{server.ksn}}
- - {{server.pxe}}
- 127.0.0.1
- localhost
- 10.96.232.136
{% endfor %}
- document_name: calico-node-peer
common_name: calcico-node-peer
+ # End node list
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.