Reference Airship manifests, CICD, and reference architecture.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
treasuremap/site/seaworthy-virt/pki/pki-catalog.yaml

279 lines
8.2 KiB

---
# The purpose of this file is to define the PKI certificates for the environment
#
# NOTE: When deploying a new site, this file should not be configured until
# baremetal/nodes.yaml is complete.
#
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
name: cluster-certificates
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
certificate_authorities:
kubernetes:
description: CA for Kubernetes components
certificates:
- document_name: apiserver
description: Service certificate for Kubernetes apiserver
common_name: apiserver
hosts:
- localhost
- 127.0.0.1
- 10.96.0.1
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
- document_name: kubelet-genesis
common_name: system:node:n0
hosts:
- n0
- 172.24.1.10
groups:
- system:nodes
- document_name: kubelet-n0
common_name: system:node:n0
hosts:
- n0
- 172.24.1.10
groups:
- system:nodes
- document_name: kubelet-n1
common_name: system:node:n1
hosts:
- n1
- 172.24.1.11
groups:
- system:nodes
- document_name: kubelet-n2
common_name: system:node:n2
hosts:
- n2
- 172.24.1.12
groups:
- system:nodes
- document_name: kubelet-n3
common_name: system:node:n3
hosts:
- n3
- 172.24.1.13
groups:
- system:nodes
# End node list
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: controller-manager
description: certificate for controller-manager
common_name: system:kube-controller-manager
- document_name: admin
common_name: admin
groups:
- system:masters
- document_name: armada
common_name: armada
groups:
- system:masters
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
# NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n0
common_name: kubernetes-etcd-n0
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n1
common_name: kubernetes-etcd-n1
hosts:
- n1
- 172.24.1.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n2
common_name: kubernetes-etcd-n2
hosts:
- n2
- 172.24.1.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n3
common_name: kubernetes-etcd-n3
hosts:
- n3
- 172.24.1.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
kubernetes-etcd-peer:
certificates:
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n0-peer
common_name: kubernetes-etcd-n0-peer
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n1-peer
common_name: kubernetes-etcd-n1-peer
hosts:
- n1
- 172.24.1.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n2-peer
common_name: kubernetes-etcd-n2-peer
hosts:
- n2
- 172.24.1.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-n3-peer
common_name: kubernetes-etcd-n3-peer
hosts:
- n3
- 172.24.1.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
- document_name: calico-etcd-genesis
common_name: calico-etcd-genesis
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n0
common_name: calico-etcd-n0
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1
common_name: calico-etcd-n1
hosts:
- n1
- 172.24.1.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2
common_name: calico-etcd-n2
hosts:
- n2
- 172.24.1.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3
common_name: calico-etcd-n3
hosts:
- n3
- 172.24.1.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node
common_name: calcico-node
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
- document_name: calico-etcd-genesis-peer
common_name: calico-etcd-genesis-peer
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n0-peer
common_name: calico-etcd-n0-peer
hosts:
- n0
- 172.24.1.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1-peer
common_name: calico-etcd-n1-peer
hosts:
- n1
- 172.24.1.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2-peer
common_name: calico-etcd-n2-peer
hosts:
- n2
- 172.24.1.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3-peer
common_name: calico-etcd-n3-peer
hosts:
- n3
- 172.24.1.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node-peer
common_name: calcico-node-peer
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.
...