treasuremap/site/seaworthy/pki/pki-catalog.yaml
Kaspars Skels 4f8b9788ce Streamline Seaworthy use of servers
Change-Id: Ic16a4f20b45c5037783627efe872cfe773f24716
2019-10-24 10:41:38 -05:00

359 lines
13 KiB
YAML

---
# The purpose of this file is to define the PKI certificates for the environment
#
# NOTE: When deploying a new site, this file should not be configured until
# baremetal/nodes.yaml is complete.
#
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
name: cluster-certificates
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
certificate_authorities:
kubernetes:
description: CA for Kubernetes components
certificates:
- document_name: apiserver
description: Service certificate for Kubernetes apiserver
common_name: apiserver
hosts:
- localhost
- 127.0.0.1
# FIXME: Repetition of api_service_ip in common-addresses; use
# substitution
- 10.96.0.1
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
# NEWSITE-CHANGEME: The following should be a list of all the nodes in
# the environment (genesis, control plane, data plane, everything).
# Add/delete from this list as necessary until all nodes are listed.
# For each node, the `hosts` list should be comprised of:
# 1. The node's hostname, as already defined in baremetal/nodes.yaml
# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
# NOTE: This list also needs to include the Genesis node, which is not
# listed in baremetal/nodes.yaml, but by convention should be allocated
# the first non-reserved IP in each logical network allocation range
# defined in networks/physical/networks.yaml
# NOTE: The genesis node needs to be defined twice (the first two entries
# on this list) with all of the same paramters except the document_name.
# In the first case the document_name is `kubelet-genesis`, and in the
# second case the document_name format is `kubelete-YOUR_GENESIS_HOSTNAME`.
- document_name: kubelet-genesis
common_name: system:node:cab23-r720-11
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
groups:
- system:nodes
- document_name: kubelet-cab23-r720-11
common_name: system:node:cab23-r720-11
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
groups:
- system:nodes
- document_name: kubelet-cab23-r720-12
common_name: system:node:cab23-r720-12
hosts:
- cab23-r720-12
- 10.23.21.12
- 10.23.22.12
groups:
- system:nodes
- document_name: kubelet-cab23-r720-13
common_name: system:node:cab23-r720-13
hosts:
- cab23-r720-13
- 10.23.21.13
- 10.23.22.13
groups:
- system:nodes
- document_name: kubelet-cab23-r720-14
common_name: system:node:cab23-r720-14
hosts:
- cab23-r720-14
- 10.23.21.14
- 10.23.22.14
groups:
- system:nodes
- document_name: kubelet-cab23-r720-16
common_name: system:node:cab23-r720-16
hosts:
- cab23-r720-16
- 10.23.21.16
- 10.23.22.16
groups:
- system:nodes
- document_name: kubelet-cab23-r720-17
common_name: system:node:cab23-r720-17
hosts:
- cab23-r720-17
- 10.23.21.17
- 10.23.22.17
groups:
- system:nodes
# End node list
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: controller-manager
description: certificate for controller-manager
common_name: system:kube-controller-manager
- document_name: admin
common_name: admin
groups:
- system:masters
- document_name: armada
common_name: armada
groups:
- system:masters
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
# NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
# NEWSITE-CHANGEME: The following should be a list of the control plane
# nodes in the environment, including genesis.
# For each node, the `hosts` list should be comprised of:
# 1. The node's hostname, as already defined in baremetal/nodes.yaml
# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
# 4. 127.0.0.1
# 5. localhost
# 6. kubernetes-etcd.kube-system.svc.cluster.local
# NOTE: This list also needs to include the Genesis node, which is not
# listed in baremetal/nodes.yaml, but by convention should be allocated
# the first non-reserved IP in each logical network allocation range
# defined in networks/physical/networks.yaml, except for the kubernetes
# service_cidr where it should start with the second IP in the range.
# NOTE: The genesis node is defined twice with the same `hosts` data:
# Once with its hostname in the common/document name, and once with
# `genesis` defined instead of the host. For now, this duplicated
# genesis definition is required. FIXME: Remove duplicate definition
# after Promenade addresses this issue.
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-11
common_name: kubernetes-etcd-cab23-r720-11
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-12
common_name: kubernetes-etcd-cab23-r720-12
hosts:
- cab23-r720-12
- 10.23.21.12
- 10.23.22.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-13
common_name: kubernetes-etcd-cab23-r720-13
hosts:
- cab23-r720-13
- 10.23.21.13
- 10.23.22.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-14
common_name: kubernetes-etcd-cab23-r720-14
hosts:
- cab23-r720-14
- 10.23.21.14
- 10.23.22.14
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
# End node list
kubernetes-etcd-peer:
certificates:
# NEWSITE-CHANGEME: This list should be identical to the previous list,
# except that `-peer` has been appended to the document/common names.
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-11-peer
common_name: kubernetes-etcd-cab23-r720-11-peer
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-12-peer
common_name: kubernetes-etcd-cab23-r720-12-peer
hosts:
- cab23-r720-12
- 10.23.21.12
- 10.23.22.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-13-peer
common_name: kubernetes-etcd-cab23-r720-13-peer
hosts:
- cab23-r720-13
- 10.23.21.13
- 10.23.22.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
- document_name: kubernetes-etcd-cab23-r720-14-peer
common_name: kubernetes-etcd-cab23-r720-14-peer
hosts:
- cab23-r720-14
- 10.23.21.14
- 10.23.22.14
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- 10.96.0.2
# End node list
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
# NEWSITE-CHANGEME: The following should be a list of the control plane
# nodes in the environment, including genesis.
# For each node, the `hosts` list should be comprised of:
# 1. The node's hostname, as already defined in baremetal/nodes.yaml
# 2. The node's oam IP address, as already defined in baremetal/nodes.yaml
# 3. The node's Calico IP address, as already defined in baremetal/nodes.yaml
# 4. 127.0.0.1
# 5. localhost
# 6. The calico/etcd/service_ip defined in networks/common-addresses.yaml
# NOTE: This list also needs to include the Genesis node, which is not
# listed in baremetal/nodes.yaml, but by convention should be allocated
# the first non-reserved IP in each logical network allocation range
# defined in networks/physical/networks.yaml
- document_name: calico-etcd-cab23-r720-11
common_name: calico-etcd-cab23-r720-11
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-12
common_name: calico-etcd-cab23-r720-12
hosts:
- cab23-r720-12
- 10.23.21.12
- 10.23.22.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-13
common_name: calico-etcd-cab23-r720-13
hosts:
- cab23-r720-13
- 10.23.21.13
- 10.23.22.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-14
common_name: calico-etcd-cab23-r720-14
hosts:
- cab23-r720-14
- 10.23.21.14
- 10.23.22.14
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node
common_name: calcico-node
# End node list
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
# NEWSITE-CHANGEME: This list should be identical to the previous list,
# except that `-peer` has been appended to the document/common names.
- document_name: calico-etcd-cab23-r720-11-peer
common_name: calico-etcd-cab23-r720-11-peer
hosts:
- cab23-r720-11
- 10.23.21.11
- 10.23.22.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-12-peer
common_name: calico-etcd-cab23-r720-12-peer
hosts:
- cab23-r720-12
- 10.23.21.12
- 10.23.22.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-13-peer
common_name: calico-etcd-cab23-r720-13-peer
hosts:
- cab23-r720-13
- 10.23.21.13
- 10.23.22.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-cab23-r720-14-peer
common_name: calico-etcd-cab23-r720-14-peer
hosts:
- cab23-r720-14
- 10.23.21.14
- 10.23.22.14
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node-peer
common_name: calcico-node-peer
# End node list
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.
...