X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=site_type%2Fsriov-a13%2Ftemplates%2Fpki%2Fpki-catalog.j2;fp=site_type%2Fsriov%2Ftemplates%2Fpki%2Fpki-catalog.j2;h=bea8a7d2578e73d69ff21258d477de137e1ff40b;hb=fbb206730195c6f03ded7658d08f1ef708ebf88b;hp=ae5ab0b42337c29f87507ed81f316b6bbf684d1a;hpb=3395a537e26721ec33a80f66686ca932f9328722;p=yaml_builds.git diff --git a/site_type/sriov/templates/pki/pki-catalog.j2 b/site_type/sriov-a13/templates/pki/pki-catalog.j2 similarity index 62% rename from site_type/sriov/templates/pki/pki-catalog.j2 rename to site_type/sriov-a13/templates/pki/pki-catalog.j2 index ae5ab0b..bea8a7d 100644 --- a/site_type/sriov/templates/pki/pki-catalog.j2 +++ b/site_type/sriov-a13/templates/pki/pki-catalog.j2 @@ -1,20 +1,9 @@ --- -############################################################################## -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # -# # -# Licensed under the Apache License, Version 2.0 (the "License"); you may # -# not use this file except in compliance with the License. # -# # -# You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 # -# # -# Unless required by applicable law or agreed to in writing, software # -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # -# See the License for the specific language governing permissions and # -# limitations under the License. # -############################################################################## - +# The purpose of this file is to define the PKI certificates for the environment +# +# NOTE: When deploying a new site, this file should not be configured until +# baremetal/nodes.yaml is complete. +# schema: promenade/PKICatalog/v1 metadata: schema: metadata/Document/v1 @@ -34,16 +23,33 @@ data: hosts: - localhost - 127.0.0.1 + # FIXME: Repetition of api_service_ip in common-addresses; use + # substitution - {{yaml.kubernetes.api_service_ip}} kubernetes_service_names: - kubernetes.default.svc.cluster.local + + # NEWSITE-CHANGEME: The following should be a list of all the nodes in + # the environment (genesis, control plane, data plane, everything). + # Add/delete from this list as necessary until all nodes are listed. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml + # NOTE: The genesis node needs to be defined twice (the first two entries + # on this list) with all of the same paramters except the document_name. + # In the first case the document_name is `kubelet-genesis`, and in the + # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`. - document_name: kubelet-genesis common_name: system:node:{{yaml.genesis.name}} hosts: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} groups: - system:nodes - document_name: kubelet-{{yaml.genesis.name}} @@ -52,7 +58,6 @@ data: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} groups: - system:nodes {% for server in yaml.masters %} @@ -62,7 +67,6 @@ data: - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} groups: - system:nodes {% endfor %} @@ -73,10 +77,10 @@ data: - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} groups: - system:nodes {% endfor %}{% endif %} + # End node list - document_name: scheduler description: Service certificate for Kubernetes scheduler common_name: system:kube-scheduler @@ -97,17 +101,35 @@ data: - document_name: apiserver-etcd description: etcd client certificate for use by Kubernetes apiserver common_name: apiserver - # NOTE(mark-burnett): hosts not required for client certificates + # NOTE(mark-burnett): hosts not required for client certificates - document_name: kubernetes-etcd-anchor description: anchor common_name: anchor + # NEWSITE-CHANGEME: The following should be a list of the control plane + # nodes in the environment, including genesis. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # 4. 127.0.0.1 + # 5. localhost + # 6. kubernetes-etcd.kube-system.svc.cluster.local + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml, except for the kubernetes + # service_cidr where it should start with the second IP in the range. + # NOTE: The genesis node is defined twice with the same `hosts` data: + # Once with its hostname in the common/document name, and once with + # `genesis` defined instead of the host. For now, this duplicated + # genesis definition is required. FIXME: Remove duplicate definition + # after Promenade addresses this issue. - document_name: kubernetes-etcd-genesis common_name: kubernetes-etcd-genesis hosts: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local @@ -118,7 +140,6 @@ data: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local @@ -127,24 +148,25 @@ data: - document_name: kubernetes-etcd-{{ server.name }} common_name: kubernetes-etcd-{{ server.name }} hosts: - - {{ server.name }} + - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - {{yaml.kubernetes.etcd_service_ip}} {% endfor %} + # End node list kubernetes-etcd-peer: certificates: + # NEWSITE-CHANGEME: This list should be identical to the previous list, + # except that `-peer` has been appended to the document/common names. - document_name: kubernetes-etcd-genesis-peer common_name: kubernetes-etcd-genesis-peer hosts: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local @@ -155,7 +177,6 @@ data: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local @@ -167,25 +188,37 @@ data: - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - {{yaml.kubernetes.etcd_service_ip}} {% endfor %} + # End node list calico-etcd: description: Certificates for Calico etcd client traffic certificates: - document_name: calico-etcd-anchor description: anchor common_name: anchor + # NEWSITE-CHANGEME: The following should be a list of the control plane + # nodes in the environment, including genesis. + # For each node, the `hosts` list should be comprised of: + # 1. The node's hostname, as already defined in baremetal/nodes.yaml + # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml + # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml + # 4. 127.0.0.1 + # 5. localhost + # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml + # NOTE: This list also needs to include the Genesis node, which is not + # listed in baremetal/nodes.yaml, but by convention should be allocated + # the first non-reserved IP in each logical network allocation range + # defined in networks/physical/networks.yaml - document_name: calico-etcd-{{yaml.genesis.name}} common_name: calico-etcd-{{yaml.genesis.name}} hosts: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - 10.96.232.136 @@ -196,23 +229,24 @@ data: - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} - 127.0.0.1 - localhost - 10.96.232.136 {% endfor %} - document_name: calico-node common_name: calcico-node + # End node list calico-etcd-peer: description: Certificates for Calico etcd clients certificates: + # NEWSITE-CHANGEME: This list should be identical to the previous list, + # except that `-peer` has been appended to the document/common names. - document_name: calico-etcd-{{yaml.genesis.name}}-peer common_name: calico-etcd-{{yaml.genesis.name}}-peer hosts: - {{yaml.genesis.name}} - {{yaml.genesis.host}} - {{yaml.genesis.ksn}} - - {{yaml.genesis.pxe}} - 127.0.0.1 - localhost - 10.96.232.136 @@ -223,13 +257,13 @@ data: - {{server.name}} - {{server.host}} - {{server.ksn}} - - {{server.pxe}} - 127.0.0.1 - localhost - 10.96.232.136 {% endfor %} - document_name: calico-node-peer common_name: calcico-node-peer + # End node list keypairs: - name: service-account description: Service account signing key for use by Kubernetes controller-manager.