From 349769a916a490d5f61aa67340a41cf95e50c740 Mon Sep 17 00:00:00 2001 From: Samantha Blanco Date: Tue, 13 Feb 2018 16:10:14 -0500 Subject: [PATCH] Adds PKI catalog documentation Change-Id: I5506c5f20f4dbe4346893434ddb183e4511d5d7d --- docs/source/configuration/index.rst | 1 + docs/source/configuration/pki-catalog.rst | 264 ++++++++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 docs/source/configuration/pki-catalog.rst diff --git a/docs/source/configuration/index.rst b/docs/source/configuration/index.rst index ed622a77..cffb630c 100644 --- a/docs/source/configuration/index.rst +++ b/docs/source/configuration/index.rst @@ -17,6 +17,7 @@ Details about Promenade-specific documents can be found here: kubelet kubernetes-network kubernetes-node + pki-catalog The provided Armada_ manifest and will be applied on the genesis node as soon diff --git a/docs/source/configuration/pki-catalog.rst b/docs/source/configuration/pki-catalog.rst new file mode 100644 index 00000000..2c10dc72 --- /dev/null +++ b/docs/source/configuration/pki-catalog.rst @@ -0,0 +1,264 @@ +PKI Catalog +=========== + +Configuration for certificate generation in the cluster. + + +Sample Document +--------------- + +Here is a sample document: + +.. code-block:: yaml + + schema: promenade/PKICatalog/v1 + metadata: + schema: metadata/Document/v1 + name: cluster-certificates + layeringDefinition: + abstract: false + layer: site + data: + certificate_authorities: + kubernetes: + description: CA for Kubernetes components + certificates: + - document_name: apiserver + description: Service certificate for Kubernetes apiserver + common_name: apiserver + hosts: + - localhost + - 127.0.0.1 + - 10.96.0.1 + kubernetes_service_names: + - kubernetes.default.svc.cluster.local + - document_name: kubelet-genesis + common_name: system:node:n0 + hosts: + - n0 + - 192.168.77.10 + groups: + - system:nodes + - document_name: kubelet-n0 + common_name: system:node:n0 + hosts: + - n0 + - 192.168.77.10 + groups: + - system:nodes + - document_name: kubelet-n1 + common_name: system:node:n1 + hosts: + - n1 + - 192.168.77.11 + groups: + - system:nodes + - document_name: kubelet-n2 + common_name: system:node:n2 + hosts: + - n2 + - 192.168.77.12 + groups: + - system:nodes + - document_name: kubelet-n3 + common_name: system:node:n3 + hosts: + - n3 + - 192.168.77.13 + groups: + - system:nodes + - document_name: scheduler + description: Service certificate for Kubernetes scheduler + common_name: system:kube-scheduler + - document_name: controller-manager + description: certificate for controller-manager + common_name: system:kube-controller-manager + - document_name: admin + common_name: admin + groups: + - system:masters + - document_name: armada + common_name: armada + groups: + - system:masters + kubernetes-etcd: + description: Certificates for Kubernetes's etcd servers + certificates: + - document_name: apiserver-etcd + description: etcd client certificate for use by Kubernetes apiserver + common_name: apiserver + - document_name: kubernetes-etcd-anchor + description: anchor + common_name: anchor + - document_name: kubernetes-etcd-genesis + common_name: kubernetes-etcd-genesis + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n0 + common_name: kubernetes-etcd-n0 + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n1 + common_name: kubernetes-etcd-n1 + hosts: + - n1 + - 192.168.77.11 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n2 + common_name: kubernetes-etcd-n2 + hosts: + - n2 + - 192.168.77.12 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n3 + common_name: kubernetes-etcd-n3 + hosts: + - n3 + - 192.168.77.13 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + kubernetes-etcd-peer: + certificates: + - document_name: kubernetes-etcd-genesis-peer + common_name: kubernetes-etcd-genesis-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n0-peer + common_name: kubernetes-etcd-n0-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n1-peer + common_name: kubernetes-etcd-n1-peer + hosts: + - n1 + - 192.168.77.11 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n2-peer + common_name: kubernetes-etcd-n2-peer + hosts: + - n2 + - 192.168.77.12 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n3-peer + common_name: kubernetes-etcd-n3-peer + hosts: + - n3 + - 192.168.77.13 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + calico-etcd: + description: Certificates for Calico etcd client traffic + certificates: + - document_name: calico-etcd-anchor + description: anchor + common_name: anchor + - document_name: calico-etcd-n0 + common_name: calico-etcd-n0 + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n1 + common_name: calico-etcd-n1 + hosts: + - n1 + - 192.168.77.11 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n2 + common_name: calico-etcd-n2 + hosts: + - n2 + - 192.168.77.12 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n3 + common_name: calico-etcd-n3 + hosts: + - n3 + - 192.168.77.13 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node + common_name: calcico-node + calico-etcd-peer: + description: Certificates for Calico etcd clients + certificates: + - document_name: calico-etcd-n0-peer + common_name: calico-etcd-n0-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n1-peer + common_name: calico-etcd-n1-peer + hosts: + - n1 + - 192.168.77.11 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n2-peer + common_name: calico-etcd-n2-peer + hosts: + - n2 + - 192.168.77.12 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-etcd-n3-peer + common_name: calico-etcd-n3-peer + hosts: + - n3 + - 192.168.77.13 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node-peer + common_name: calcico-node-peer + keypairs: + - name: service-account + description: Service account signing key for use by Kubernetes controller-manager. + + +Certificate Authorities +----------------------- + +The data in the ``certificate-authorities`` key is used to generate certificates for each +authority and node. + +Each certificate authority requires essential host-specific information for each node, including +the ``hostname`` and ``ip`` as listed in each :doc:`kubernetes-node` document.