Adds PKI catalog documentation
Change-Id: I5506c5f20f4dbe4346893434ddb183e4511d5d7d
This commit is contained in:
Samantha Blanco
parent
f9c8481927
commit
349769a916
@ -17,6 +17,7 @@ Details about Promenade-specific documents can be found here:
|
||||
kubelet
|
||||
kubernetes-network
|
||||
kubernetes-node
|
||||
pki-catalog
|
||||
|
||||
|
||||
The provided Armada_ manifest and will be applied on the genesis node as soon
|
||||
|
||||
264
docs/source/configuration/pki-catalog.rst
Normal file
264
docs/source/configuration/pki-catalog.rst
Normal file
@ -0,0 +1,264 @@
|
||||
PKI Catalog
|
||||
===========
|
||||
|
||||
Configuration for certificate generation in the cluster.
|
||||
|
||||
|
||||
Sample Document
|
||||
---------------
|
||||
|
||||
Here is a sample document:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
schema: promenade/PKICatalog/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cluster-certificates
|
||||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
data:
|
||||
certificate_authorities:
|
||||
kubernetes:
|
||||
description: CA for Kubernetes components
|
||||
certificates:
|
||||
- document_name: apiserver
|
||||
description: Service certificate for Kubernetes apiserver
|
||||
common_name: apiserver
|
||||
hosts:
|
||||
- localhost
|
||||
- 127.0.0.1
|
||||
- 10.96.0.1
|
||||
kubernetes_service_names:
|
||||
- kubernetes.default.svc.cluster.local
|
||||
- document_name: kubelet-genesis
|
||||
common_name: system:node:n0
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-n0
|
||||
common_name: system:node:n0
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-n1
|
||||
common_name: system:node:n1
|
||||
hosts:
|
||||
- n1
|
||||
- 192.168.77.11
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-n2
|
||||
common_name: system:node:n2
|
||||
hosts:
|
||||
- n2
|
||||
- 192.168.77.12
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-n3
|
||||
common_name: system:node:n3
|
||||
hosts:
|
||||
- n3
|
||||
- 192.168.77.13
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: scheduler
|
||||
description: Service certificate for Kubernetes scheduler
|
||||
common_name: system:kube-scheduler
|
||||
- document_name: controller-manager
|
||||
description: certificate for controller-manager
|
||||
common_name: system:kube-controller-manager
|
||||
- document_name: admin
|
||||
common_name: admin
|
||||
groups:
|
||||
- system:masters
|
||||
- document_name: armada
|
||||
common_name: armada
|
||||
groups:
|
||||
- system:masters
|
||||
kubernetes-etcd:
|
||||
description: Certificates for Kubernetes's etcd servers
|
||||
certificates:
|
||||
- document_name: apiserver-etcd
|
||||
description: etcd client certificate for use by Kubernetes apiserver
|
||||
common_name: apiserver
|
||||
- document_name: kubernetes-etcd-anchor
|
||||
description: anchor
|
||||
common_name: anchor
|
||||
- document_name: kubernetes-etcd-genesis
|
||||
common_name: kubernetes-etcd-genesis
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n0
|
||||
common_name: kubernetes-etcd-n0
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n1
|
||||
common_name: kubernetes-etcd-n1
|
||||
hosts:
|
||||
- n1
|
||||
- 192.168.77.11
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n2
|
||||
common_name: kubernetes-etcd-n2
|
||||
hosts:
|
||||
- n2
|
||||
- 192.168.77.12
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n3
|
||||
common_name: kubernetes-etcd-n3
|
||||
hosts:
|
||||
- n3
|
||||
- 192.168.77.13
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
kubernetes-etcd-peer:
|
||||
certificates:
|
||||
- document_name: kubernetes-etcd-genesis-peer
|
||||
common_name: kubernetes-etcd-genesis-peer
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n0-peer
|
||||
common_name: kubernetes-etcd-n0-peer
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n1-peer
|
||||
common_name: kubernetes-etcd-n1-peer
|
||||
hosts:
|
||||
- n1
|
||||
- 192.168.77.11
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n2-peer
|
||||
common_name: kubernetes-etcd-n2-peer
|
||||
hosts:
|
||||
- n2
|
||||
- 192.168.77.12
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-n3-peer
|
||||
common_name: kubernetes-etcd-n3-peer
|
||||
hosts:
|
||||
- n3
|
||||
- 192.168.77.13
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
calico-etcd:
|
||||
description: Certificates for Calico etcd client traffic
|
||||
certificates:
|
||||
- document_name: calico-etcd-anchor
|
||||
description: anchor
|
||||
common_name: anchor
|
||||
- document_name: calico-etcd-n0
|
||||
common_name: calico-etcd-n0
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n1
|
||||
common_name: calico-etcd-n1
|
||||
hosts:
|
||||
- n1
|
||||
- 192.168.77.11
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n2
|
||||
common_name: calico-etcd-n2
|
||||
hosts:
|
||||
- n2
|
||||
- 192.168.77.12
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n3
|
||||
common_name: calico-etcd-n3
|
||||
hosts:
|
||||
- n3
|
||||
- 192.168.77.13
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-node
|
||||
common_name: calcico-node
|
||||
calico-etcd-peer:
|
||||
description: Certificates for Calico etcd clients
|
||||
certificates:
|
||||
- document_name: calico-etcd-n0-peer
|
||||
common_name: calico-etcd-n0-peer
|
||||
hosts:
|
||||
- n0
|
||||
- 192.168.77.10
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n1-peer
|
||||
common_name: calico-etcd-n1-peer
|
||||
hosts:
|
||||
- n1
|
||||
- 192.168.77.11
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n2-peer
|
||||
common_name: calico-etcd-n2-peer
|
||||
hosts:
|
||||
- n2
|
||||
- 192.168.77.12
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-n3-peer
|
||||
common_name: calico-etcd-n3-peer
|
||||
hosts:
|
||||
- n3
|
||||
- 192.168.77.13
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-node-peer
|
||||
common_name: calcico-node-peer
|
||||
keypairs:
|
||||
- name: service-account
|
||||
description: Service account signing key for use by Kubernetes controller-manager.
|
||||
|
||||
|
||||
Certificate Authorities
|
||||
-----------------------
|
||||
|
||||
The data in the ``certificate-authorities`` key is used to generate certificates for each
|
||||
authority and node.
|
||||
|
||||
Each certificate authority requires essential host-specific information for each node, including
|
||||
the ``hostname`` and ``ip`` as listed in each :doc:`kubernetes-node` document.
|
||||
Loading…
x
Reference in New Issue
Block a user