Reference Airship manifests, CICD, and reference architecture.


  1. ---
  2. # The purpose of this file is to define the PKI certificates for the environment
  3. #
  4. # NOTE: When deploying a new site, this file should not be configured until
  5. # baremetal/nodes.yaml is complete.
  6. #
  7. schema: promenade/PKICatalog/v1
  8. metadata:
  9. schema: metadata/Document/v1
  10. name: cluster-certificates
  11. layeringDefinition:
  12. abstract: false
  13. layer: site
  14. storagePolicy: cleartext
  15. data:
  16. certificate_authorities:
  17. kubernetes:
  18. description: CA for Kubernetes components
  19. certificates:
  20. - document_name: apiserver
  21. description: Service certificate for Kubernetes apiserver
  22. common_name: apiserver
  23. hosts:
  24. - localhost
  25. - 127.0.0.1
  26. # FIXME: Repetition of api_service_ip in common-addresses; use
  27. # substitution
  28. - 10.96.0.1
  29. kubernetes_service_names:
  30. - kubernetes.default.svc.cluster.local
  31. # NEWSITE-CHANGEME: The following should be a list of all the nodes in
  32. # the environment (genesis, control plane, data plane, everything).
  33. # Add/delete from this list as necessary until all nodes are listed.
  34. # For each node, the `hosts` list should be comprised of:
  35. # 1. The node's hostname, as already defined in baremetal/nodes.yaml
  36. # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
  37. # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
  38. # NOTE: This list also needs to include the Genesis node, which is not
  39. # listed in baremetal/nodes.yaml, but by convention should be allocated
  40. # the first non-reserved IP in each logical network allocation range
  41. # defined in networks/physical/networks.yaml
  42. # NOTE: The genesis node needs to be defined twice (the first two entries
  43. # on this list) with all of the same paramters except the document_name.
  44. # In the first case the document_name is `kubelet-genesis`, and in the
  45. # second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
  46. - document_name: kubelet-genesis
  47. common_name: system:node:airsloop-control-1
  48. hosts:
  49. - airsloop-control-1
  50. - 10.22.72.21
  51. groups:
  52. - system:nodes
  53. - document_name: kubelet-airsloop-control-1
  54. common_name: system:node:airsloop-control-1
  55. hosts:
  56. - airsloop-control-1
  57. - 10.22.72.21
  58. groups:
  59. - system:nodes
  60. - document_name: kubelet-airsloop-control-2
  61. common_name: system:node:airsloop-control-2
  62. hosts:
  63. - airsloop-control-2
  64. - 10.23.22.12
  65. groups:
  66. - system:nodes
  67. - document_name: kubelet-airsloop-control-3
  68. common_name: system:node:airsloop-control-3
  69. hosts:
  70. - airsloop-control-3
  71. - 10.23.22.13
  72. groups:
  73. - system:nodes
  74. - document_name: kubelet-airsloop-compute-1
  75. common_name: system:node:airsloop-compute-1
  76. hosts:
  77. - airsloop-compute-1
  78. - 10.22.72.22
  79. groups:
  80. - system:nodes
  81. # End node list
  82. - document_name: scheduler
  83. description: Service certificate for Kubernetes scheduler
  84. common_name: system:kube-scheduler
  85. - document_name: controller-manager
  86. description: certificate for controller-manager
  87. common_name: system:kube-controller-manager
  88. - document_name: admin
  89. common_name: admin
  90. groups:
  91. - system:masters
  92. - document_name: armada
  93. common_name: armada
  94. groups:
  95. - system:masters
  96. kubernetes-etcd:
  97. description: Certificates for Kubernetes's etcd servers
  98. certificates:
  99. - document_name: apiserver-etcd
  100. description: etcd client certificate for use by Kubernetes apiserver
  101. common_name: apiserver
  102. # NOTE(mark-burnett): hosts not required for client certificates
  103. - document_name: kubernetes-etcd-anchor
  104. description: anchor
  105. common_name: anchor
  106. # NEWSITE-CHANGEME: The following should be a list of the control plane
  107. # nodes in the environment, including genesis.
  108. # For each node, the `hosts` list should be comprised of:
  109. # 1. The node's hostname, as already defined in baremetal/nodes.yaml
  110. # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
  111. # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
  112. # 4. 127.0.0.1
  113. # 5. localhost
  114. # 6. kubernetes-etcd.kube-system.svc.cluster.local
  115. # NOTE: This list also needs to include the Genesis node, which is not
  116. # listed in baremetal/nodes.yaml, but by convention should be allocated
  117. # the first non-reserved IP in each logical network allocation range
  118. # defined in networks/physical/networks.yaml, except for the kubernetes
  119. # service_cidr where it should start with the second IP in the range.
  120. # NOTE: The genesis node is defined twice with the same `hosts` data:
  121. # Once with its hostname in the common/document name, and once with
  122. # `genesis` defined instead of the host. For now, this duplicated
  123. # genesis definition is required. FIXME: Remove duplicate definition
  124. # after Promenade addresses this issue.
  125. - document_name: kubernetes-etcd-genesis
  126. common_name: kubernetes-etcd-genesis
  127. hosts:
  128. - airsloop-control-1
  129. - 10.22.72.21
  130. - 127.0.0.1
  131. - localhost
  132. - kubernetes-etcd.kube-system.svc.cluster.local
  133. - 10.96.0.2
  134. - document_name: kubernetes-etcd-airsloop-control-1
  135. common_name: kubernetes-etcd-airsloop-control-1
  136. hosts:
  137. - airsloop-control-1
  138. - 10.22.72.21
  139. - 127.0.0.1
  140. - localhost
  141. - kubernetes-etcd.kube-system.svc.cluster.local
  142. - 10.96.0.2
  143. - document_name: kubernetes-etcd-airsloop-control-2
  144. common_name: kubernetes-etcd-airsloop-control-2
  145. hosts:
  146. - airsloop-control-2
  147. - 10.23.22.12
  148. - 127.0.0.1
  149. - localhost
  150. - kubernetes-etcd.kube-system.svc.cluster.local
  151. - 10.96.0.2
  152. - document_name: kubernetes-etcd-airsloop-control-3
  153. common_name: kubernetes-etcd-airsloop-control-3
  154. hosts:
  155. - airsloop-control-3
  156. - 10.23.22.13
  157. - 127.0.0.1
  158. - localhost
  159. - kubernetes-etcd.kube-system.svc.cluster.local
  160. - 10.96.0.2
  161. # End node list
  162. kubernetes-etcd-peer:
  163. certificates:
  164. # NEWSITE-CHANGEME: This list should be identical to the previous list,
  165. # except that `-peer` has been appended to the document/common names.
  166. - document_name: kubernetes-etcd-genesis-peer
  167. common_name: kubernetes-etcd-genesis-peer
  168. hosts:
  169. - airsloop-control-1
  170. - 10.22.72.21
  171. - 127.0.0.1
  172. - localhost
  173. - kubernetes-etcd.kube-system.svc.cluster.local
  174. - 10.96.0.2
  175. - document_name: kubernetes-etcd-airsloop-control-1-peer
  176. common_name: kubernetes-etcd-airsloop-control-1-peer
  177. hosts:
  178. - airsloop-control-1
  179. - 10.22.72.21
  180. - 127.0.0.1
  181. - localhost
  182. - kubernetes-etcd.kube-system.svc.cluster.local
  183. - 10.96.0.2
  184. - document_name: kubernetes-etcd-airsloop-control-2-peer
  185. common_name: kubernetes-etcd-airsloop-control-2-peer
  186. hosts:
  187. - airsloop-control-2
  188. - 10.23.22.12
  189. - 127.0.0.1
  190. - localhost
  191. - kubernetes-etcd.kube-system.svc.cluster.local
  192. - 10.96.0.2
  193. - document_name: kubernetes-etcd-airsloop-control-3-peer
  194. common_name: kubernetes-etcd-airsloop-control-3-peer
  195. hosts:
  196. - airsloop-control-3
  197. - 10.23.22.13
  198. - 127.0.0.1
  199. - localhost
  200. - kubernetes-etcd.kube-system.svc.cluster.local
  201. - 10.96.0.2
  202. # End node list
  203. calico-etcd:
  204. description: Certificates for Calico etcd client traffic
  205. certificates:
  206. - document_name: calico-etcd-anchor
  207. description: anchor
  208. common_name: anchor
  209. # NEWSITE-CHANGEME: The following should be a list of the control plane
  210. # nodes in the environment, including genesis.
  211. # For each node, the `hosts` list should be comprised of:
  212. # 1. The node's hostname, as already defined in baremetal/nodes.yaml
  213. # 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
  214. # 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
  215. # 4. 127.0.0.1
  216. # 5. localhost
  217. # 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
  218. # NOTE: This list also needs to include the Genesis node, which is not
  219. # listed in baremetal/nodes.yaml, but by convention should be allocated
  220. # the first non-reserved IP in each logical network allocation range
  221. # defined in networks/physical/networks.yaml
  222. - document_name: calico-etcd-airsloop-control-1
  223. common_name: calico-etcd-airsloop-control-1
  224. hosts:
  225. - airsloop-control-1
  226. - 10.22.72.21
  227. - 127.0.0.1
  228. - localhost
  229. - 10.96.232.136
  230. - document_name: calico-etcd-airsloop-control-2
  231. common_name: calico-etcd-airsloop-control-2
  232. hosts:
  233. - airsloop-control-2
  234. - 10.23.22.12
  235. - 127.0.0.1
  236. - localhost
  237. - 10.96.232.136
  238. - document_name: calico-etcd-airsloop-control-3
  239. common_name: calico-etcd-airsloop-control-3
  240. hosts:
  241. - airsloop-control-3
  242. - 10.23.22.13
  243. - 127.0.0.1
  244. - localhost
  245. - 10.96.232.136
  246. - document_name: calico-node
  247. common_name: calcico-node
  248. # End node list
  249. calico-etcd-peer:
  250. description: Certificates for Calico etcd clients
  251. certificates:
  252. # NEWSITE-CHANGEME: This list should be identical to the previous list,
  253. # except that `-peer` has been appended to the document/common names.
  254. - document_name: calico-etcd-airsloop-control-1-peer
  255. common_name: calico-etcd-airsloop-control-1-peer
  256. hosts:
  257. - airsloop-control-1
  258. - 10.22.72.21
  259. - 127.0.0.1
  260. - localhost
  261. - 10.96.232.136
  262. - document_name: calico-etcd-airsloop-control-2-peer
  263. common_name: calico-etcd-airsloop-control-2-peer
  264. hosts:
  265. - airsloop-control-2
  266. - 10.23.22.12
  267. - 127.0.0.1
  268. - localhost
  269. - 10.96.232.136
  270. - document_name: calico-etcd-airsloop-control-3-peer
  271. common_name: calico-etcd-airsloop-control-3-peer
  272. hosts:
  273. - airsloop-control-3
  274. - 10.23.22.13
  275. - 127.0.0.1
  276. - localhost
  277. - 10.96.232.136
  278. - document_name: calico-node-peer
  279. common_name: calcico-node-peer
  280. # End node list
  281. keypairs:
  282. - name: service-account
  283. description: Service account signing key for use by Kubernetes controller-manager.
  284. ...