--- schema: promenade/PKICatalog/v1 metadata: schema: metadata/Document/v1 name: cluster-certificates layeringDefinition: abstract: false layer: site storagePolicy: cleartext data: certificate_authorities: kubernetes: description: CA for Kubernetes components certificates: - document_name: apiserver description: Service certificate for Kubernetes apiserver common_name: apiserver hosts: - localhost - 127.0.0.1 - 10.96.0.1 kubernetes_service_names: - kubernetes.default.svc.cluster.local {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'genesis' %} - document_name: kubelet-genesis common_name: system:node:{{ host }} hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} groups: - system:nodes {% endif %} {%endfor%} {%endfor%} {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} - document_name: kubelet-{{ host }} common_name: system:node:{{ host }} hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} groups: - system:nodes {%endfor%} {%endfor%} - document_name: scheduler description: Service certificate for Kubernetes scheduler common_name: system:kube-scheduler - document_name: controller-manager description: certificate for controller-manager common_name: system:kube-controller-manager - document_name: admin common_name: admin groups: - system:masters - document_name: armada common_name: armada groups: - system:masters kubernetes-etcd: description: Certificates for Kubernetes's etcd servers certificates: - document_name: apiserver-etcd description: etcd client certificate for use by Kubernetes apiserver common_name: apiserver # NOTE(mark-burnett): hosts not required for client certificates - document_name: kubernetes-etcd-anchor description: anchor common_name: anchor {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'genesis' %} - document_name: kubernetes-etcd-genesis common_name: kubernetes-etcd-genesis hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 {% endif %} {%endfor%} {%endfor%} {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'controller' or data['baremetal'][racks][host]['type'] == 'genesis'%} - document_name: kubernetes-etcd-{{ host }} common_name: kubernetes-etcd-{{ host }} hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 {% endif %} {%endfor%} {%endfor%} {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'genesis' %} kubernetes-etcd-peer: certificates: - document_name: kubernetes-etcd-genesis-peer common_name: kubernetes-etcd-genesis-peer hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 {% endif %} {%endfor%} {%endfor%} {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'controller' or data['baremetal'][racks][host]['type'] == 'genesis' %} - document_name: kubernetes-etcd-{{ host }}-peer common_name: kubernetes-etcd-{{ host }}-peer hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - kubernetes-etcd.kube-system.svc.cluster.local - 10.96.0.2 {% endif %} {%endfor%} {%endfor%} ksn-etcd: description: Certificates for Calico etcd client traffic certificates: - document_name: ksn-etcd-anchor description: anchor common_name: anchor {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'controller' or data['baremetal'][racks][host]['type'] == 'genesis' %} - document_name: ksn-etcd-{{ host }} common_name: ksn-etcd-{{ host }} hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - 10.96.232.136 {% endif %} {%endfor%} {%endfor%} - document_name: ksn-node common_name: calcico-node ksn-etcd-peer: description: Certificates for Calico etcd clients certificates: {% for racks in data['baremetal'].keys()%} {% for host in data['baremetal'][racks].keys()%} {% if data['baremetal'][racks][host]['type'] == 'controller' or data['baremetal'][racks][host]['type'] == 'genesis' %} - document_name: ksn-etcd-{{ host }}-peer common_name: ksn-etcd-{{ host }}-peer hosts: - {{ host }} - {{ data['baremetal'][racks][host]['ip']['oam'] }} - {{ data['baremetal'][racks][host]['ip']['ksn']}} - 127.0.0.1 - localhost - 10.96.232.136 {% endif %} {%endfor%} {%endfor%} - document_name: ksn-node-peer common_name: calico-node-peer keypairs: - name: service-account description: Service account signing key for use by Kubernetes controller-manager. ...