airship/promenade
Code Issues Proposed changes

Refactor the generator function to use PKIcatalog.

Browse Source 
Change-Id: I9c049b8499a14a537e7cc862ca96f84cf80b6694
This commit is contained in:
Hassan Kaous 2017-12-12 13:57:29 -06:00 committed by Mark Burnett
parent 9e0ab1871a
commit f9c8481927
14 changed files with 813 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/etcd/templates/daemonset-anchor.yaml
View File

@ -32,7 +32,9 @@ spec:
{{ tuple $envAll "kubernetes" "anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
hostNetwork: true
{{- if .Values.anchor.dns_policy }}
dnsPolicy: {{ .Values.anchor.dns_policy }}
{{- end }}
nodeSelector:
{{ .Values.labels.anchor.node_selector_key }}: {{ .Values.labels.anchor.node_selector_value }}
tolerations:

2
charts/etcd/values.yaml
View File

@ -24,7 +24,7 @@ labels:
node_selector_value: enabled
anchor:
dns_policy: Default
dns_policy: ClusterFirstWithHostNet
etcdctl_endpoint: example-etcd
host_data_path: /var/lib/etcd/example

244
examples/basic/PKICatalog.yaml Normal file
View File

@ -0,0 +1,244 @@
---
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
name: cluster-certificates
layeringDefinition:
abstract: false
layer: site
data:
certificate_authorities:
kubernetes:
description: CA for Kubernetes components
certificates:
- document_name: apiserver
description: Service certificate for Kubernetes apiserver
common_name: apiserver
hosts:
- localhost
- 127.0.0.1
- 10.96.0.1
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
- document_name: kubelet-genesis
common_name: system:node:n0
hosts:
- n0
- 192.168.77.10
groups:
- system:nodes
- document_name: kubelet-n0
common_name: system:node:n0
hosts:
- n0
- 192.168.77.10
groups:
- system:nodes
- document_name: kubelet-n1
common_name: system:node:n1
hosts:
- n1
- 192.168.77.11
groups:
- system:nodes
- document_name: kubelet-n2
common_name: system:node:n2
hosts:
- n2
- 192.168.77.12
groups:
- system:nodes
- document_name: kubelet-n3
common_name: system:node:n3
hosts:
- n3
- 192.168.77.13
groups:
- system:nodes
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: controller-manager
description: certificate for controller-manager
common_name: system:kube-controller-manager
- document_name: admin
common_name: admin
groups:
- system:masters
- document_name: armada
common_name: armada
groups:
- system:masters
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
# NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n0
common_name: kubernetes-etcd-n0
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n1
common_name: kubernetes-etcd-n1
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n2
common_name: kubernetes-etcd-n2
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n3
common_name: kubernetes-etcd-n3
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
kubernetes-etcd-peer:
certificates:
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n0-peer
common_name: kubernetes-etcd-n0-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n1-peer
common_name: kubernetes-etcd-n1-peer
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n2-peer
common_name: kubernetes-etcd-n2-peer
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n3-peer
common_name: kubernetes-etcd-n3-peer
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
- document_name: calico-etcd-n0
common_name: calico-etcd-n0
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1
common_name: calico-etcd-n1
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2
common_name: calico-etcd-n2
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3
common_name: calico-etcd-n3
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node
common_name: calcico-node
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
- document_name: calico-etcd-n0-peer
common_name: calico-etcd-n0-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1-peer
common_name: calico-etcd-n1-peer
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2-peer
common_name: calico-etcd-n2-peer
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3-peer
common_name: calico-etcd-n3-peer
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node-peer
common_name: calcico-node-peer
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.
...

76
examples/basic/joining-host-config.yaml
View File

@ -1,76 +0,0 @@
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n0
layeringDefinition:
abstract: false
layer: site
data:
hostname: n0
ip: 192.168.77.10
join_ip: 192.168.77.11
labels:
dynamic:
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n1
layeringDefinition:
abstract: false
layer: site
data:
hostname: n1
ip: 192.168.77.11
join_ip: 192.168.77.10
labels:
dynamic:
- calico-etcd=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n2
layeringDefinition:
abstract: false
layer: site
data:
hostname: n2
ip: 192.168.77.12
join_ip: 192.168.77.10
labels:
dynamic:
- calico-etcd=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n3
layeringDefinition:
abstract: false
layer: site
data:
hostname: n3
ip: 192.168.77.13
join_ip: 192.168.77.11
labels:
dynamic:
- calico-etcd=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
...

244
examples/complete/PKICatalog.yaml Normal file
View File

@ -0,0 +1,244 @@
---
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
name: cluster-certificates
layeringDefinition:
abstract: false
layer: site
data:
certificate_authorities:
kubernetes:
description: CA for Kubernetes components
certificates:
- document_name: apiserver
description: Service certificate for Kubernetes apiserver
common_name: apiserver
hosts:
- localhost
- 127.0.0.1
- 10.96.0.1
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
- document_name: kubelet-genesis
common_name: system:node:n0
hosts:
- n0
- 192.168.77.10
groups:
- system:nodes
- document_name: kubelet-n0
common_name: system:node:n0
hosts:
- n0
- 192.168.77.10
groups:
- system:nodes
- document_name: kubelet-n1
common_name: system:node:n1
hosts:
- n1
- 192.168.77.11
groups:
- system:nodes
- document_name: kubelet-n2
common_name: system:node:n2
hosts:
- n2
- 192.168.77.12
groups:
- system:nodes
- document_name: kubelet-n3
common_name: system:node:n3
hosts:
- n3
- 192.168.77.13
groups:
- system:nodes
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: controller-manager
description: certificate for controller-manager
common_name: system:kube-controller-manager
- document_name: admin
common_name: admin
groups:
- system:masters
- document_name: armada
common_name: armada
groups:
- system:masters
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
# NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n0
common_name: kubernetes-etcd-n0
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n1
common_name: kubernetes-etcd-n1
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n2
common_name: kubernetes-etcd-n2
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n3
common_name: kubernetes-etcd-n3
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
kubernetes-etcd-peer:
certificates:
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n0-peer
common_name: kubernetes-etcd-n0-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n1-peer
common_name: kubernetes-etcd-n1-peer
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n2-peer
common_name: kubernetes-etcd-n2-peer
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-n3-peer
common_name: kubernetes-etcd-n3-peer
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
- document_name: calico-etcd-n0
common_name: calico-etcd-n0
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1
common_name: calico-etcd-n1
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2
common_name: calico-etcd-n2
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3
common_name: calico-etcd-n3
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node
common_name: calcico-node
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
- document_name: calico-etcd-n0-peer
common_name: calico-etcd-n0-peer
hosts:
- n0
- 192.168.77.10
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n1-peer
common_name: calico-etcd-n1-peer
hosts:
- n1
- 192.168.77.11
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n2-peer
common_name: calico-etcd-n2-peer
hosts:
- n2
- 192.168.77.12
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-n3-peer
common_name: calico-etcd-n3-peer
hosts:
- n3
- 192.168.77.13
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node-peer
common_name: calcico-node-peer
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.
...

96
examples/complete/joining-host-config.yaml
View File

@ -1,96 +0,0 @@
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n0
layeringDefinition:
abstract: false
layer: site
data:
hostname: n0
ip: 192.168.77.10
join_ip: 192.168.77.11
labels:
dynamic:
- ceph-mds=enabled
- ceph-mon=enabled
- ceph-osd=enabled
- ceph-rgw=enabled
- ceph-mgr=enabled
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n1
layeringDefinition:
abstract: false
layer: site
data:
hostname: n1
ip: 192.168.77.11
join_ip: 192.168.77.10
labels:
dynamic:
- calico-etcd=enabled
- ceph-mds=enabled
- ceph-mon=enabled
- ceph-osd=enabled
- ceph-rgw=enabled
- ceph-mgr=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n2
layeringDefinition:
abstract: false
layer: site
data:
hostname: n2
ip: 192.168.77.12
join_ip: 192.168.77.10
labels:
dynamic:
- calico-etcd=enabled
- ceph-mds=enabled
- ceph-mon=enabled
- ceph-osd=enabled
- ceph-rgw=enabled
- ceph-mgr=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: n3
layeringDefinition:
abstract: false
layer: site
data:
hostname: n3
ip: 192.168.77.13
join_ip: 192.168.77.11
labels:
dynamic:
- calico-etcd=enabled
- ceph-mds=enabled
- ceph-mon=enabled
- ceph-osd=enabled
- ceph-rgw=enabled
- ceph-mgr=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
...

9
promenade/cli.py
View File

@ -48,17 +48,12 @@ def build_all(*, config_files, output_dir, validators):
required=True,
help='Location to write *-certificates.yaml')
@click.argument('config_files', nargs=-1, type=click.File('rb'))
@click.option(
'--calico-etcd-service-ip',
default='10.96.232.136',
help='Service IP for calico etcd')
def genereate_certs(*, calico_etcd_service_ip, config_files, output_dir):
def genereate_certs(*, config_files, output_dir):
debug = _debug()
try:
c = config.Configuration.from_streams(
debug=debug, streams=config_files, substitute=True, validate=False)
g = generator.Generator(
c, calico_etcd_service_ip=calico_etcd_service_ip)
g = generator.Generator(c)
g.generate(output_dir)
except exceptions.PromenadeException as e:
e.display(debug=debug)

168
promenade/generator.py
View File

@ -8,9 +8,8 @@ LOG = logging.getLogger(__name__)
class Generator:
def __init__(self, config, *, calico_etcd_service_ip):
def __init__(self, config):
self.config = config
self.calico_etcd_service_ip = calico_etcd_service_ip
self.keys = pki.PKI()
self.documents = []
@ -19,153 +18,38 @@ class Generator:
return self.config['KubernetesNetwork:dns.cluster_domain']
def generate(self, output_dir):
# Certificate Authorities
self.gen('ca', 'kubernetes')
self.gen('ca', 'kubernetes-etcd')
self.gen('ca', 'kubernetes-etcd-peer')
self.gen('ca', 'calico-etcd')
self.gen('ca', 'calico-etcd-peer')
# Certificates for Kubernetes API server
self.gen(
'certificate',
'apiserver',
ca='kubernetes',
cn='apiserver',
hosts=self._service_dns('kubernetes', 'default') +
['localhost', '127.0.0.1'] +
[self.config['KubernetesNetwork:kubernetes.service_ip']])
self.gen(
'certificate',
'apiserver-etcd',
ca='kubernetes-etcd',
cn='apiserver')
# Certificates for other Kubernetes components
self.gen(
'certificate',
'scheduler',
ca='kubernetes',
cn='system:kube-scheduler')
self.gen(
'certificate',
'controller-manager',
ca='kubernetes',
cn='system:kube-controller-manager')
self.gen('keypair', 'service-account')
self.gen_kubelet_certificates()
# Certificates for kubectl admin
self.gen(
'certificate',
'admin',
ca='kubernetes',
cn='admin',
groups=['system:masters'])
# Certificates for armada
self.gen(
'certificate',
'armada',
ca='kubernetes',
cn='armada',
groups=['system:masters'])
# Certificates for Kubernetes's etcd servers
self.gen_etcd_certificates(
ca='kubernetes-etcd',
genesis=True,
service_name='kubernetes-etcd',
service_namespace='kube-system')
# Certificates for Calico's etcd servers
self.gen_etcd_certificates(
ca='calico-etcd',
service_name='calico-etcd',
service_namespace='kube-system',
service_ip=self.calico_etcd_service_ip)
# Certificates for Calico node
self.gen(
'certificate', 'calico-node', ca='calico-etcd', cn='calico-node')
for ca_name, ca_def in self.config[
'PKICatalog:certificate_authorities'].items():
self.gen('ca', ca_name)
for cert_def in ca_def.get('certificates', []):
hosts = cert_def.get('hosts', [])
hosts.extend(
self.get_host_list(
cert_def.get('kubernetes_service_names', [])))
self.gen(
'certificate',
cert_def['document_name'],
ca=ca_name,
cn=cert_def['common_name'],
hosts=hosts,
groups=cert_def.get('groups', []))
for keypair_def in self.config['PKICatalog:keypairs']:
self.gen('keypair', keypair_def['name'])
_write(output_dir, self.documents)
def get_host_list(self, service_names):
service_list = []
for service in service_names:
parts = service.split('.')
for i in range(len(parts)):
service_list.append('.'.join(parts[:i]))
return service_list
def gen(self, kind, *args, **kwargs):
method = getattr(self.keys, 'generate_' + kind)
self.documents.extend(method(*args, **kwargs))
def gen_kubelet_certificates(self):
self._gen_single_kubelet(
'genesis', node_data=self.config.get(kind='Genesis'))
for node_config in self.config.iterate(kind='KubernetesNode'):
self._gen_single_kubelet(
node_config['data']['hostname'], node_data=node_config['data'])
def _gen_single_kubelet(self, name, node_data):
self.gen(
'certificate',
'kubelet-%s' % name,
ca='kubernetes',
cn='system:node:%s' % node_data['hostname'],
hosts=[node_data['hostname'], node_data['ip']],
groups=['system:nodes'])
def gen_etcd_certificates(self, *, ca, genesis=False, **service_args):
if genesis:
self._gen_single_etcd(
name='genesis',
ca=ca,
node_data=self.config.get(kind='Genesis'),
**service_args)
for node_config in self.config.iterate(kind='KubernetesNode'):
self._gen_single_etcd(
name=node_config['data']['hostname'],
ca=ca,
node_data=node_config['data'],
**service_args)
self.gen(
'certificate',
service_args['service_name'] + '-anchor',
ca=ca,
cn='anchor')
def _gen_single_etcd(self,
*,
name,
ca,
node_data,
service_name,
service_namespace,
service_ip=None,
additional_hosts=None):
member_name = ca + '-' + name
hosts = [
node_data['hostname'],
node_data['ip'],
'localhost',
'127.0.0.1',
] + (additional_hosts or [])
hosts.extend(self._service_dns(service_name, service_namespace))
if service_ip is not None:
hosts.append(service_ip)
self.gen(
'certificate', member_name, ca=ca, cn=member_name, hosts=hosts)
self.gen(
'certificate',
member_name + '-peer',
ca=ca + '-peer',
cn=member_name,
hosts=hosts)
def _service_dns(self, name, namespace):
return [
name,

43
promenade/schemas/PKICatalog.yaml Normal file
View File

@ -0,0 +1,43 @@
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Control/v1
name: promenade/PKICatalog/v1
labels:
application: promenade
data:
$schema: http://json-schema.org/schema#
certificate_authorities:
type: array
items:
type: object
properties:
description:
type: string
certificates:
type: array
items:
type: object
properties:
document_name:
type: string
description:
type: string
common_name:
type: string
hosts:
type: array
items: string
groups:
type: array
items: string
keypairs:
type: array
items:
type: object
properties:
name:
type: string
description:
type: string
...

2
promenade/templates/scripts/validate-genesis.sh
View File

@ -1,3 +1,5 @@
{% include "header.sh" with context %}
wait_for_kubernetes_api
validate_kubectl_logs {{ config['Genesis:hostname'] }}

2
promenade/templates/scripts/validate-join.sh
View File

@ -1,3 +1,5 @@
{% include "header.sh" with context %}
wait_for_kubernetes_api
validate_kubectl_logs {{ config['KubernetesNode:hostname'] }}

2
tools/g2/lib/registry.sh
View File

@ -7,7 +7,7 @@ registry_down() {
}
registry_list_images() {
FILES=($(config_configuration | xargs -n 1 -I DIRNAME find DIRNAME -type f -name '*.yaml'))
FILES=($(config_configuration | xargs -n 1 -I DIRNAME find DIRNAME -type f -name '*.yaml' | grep -v PKICatalog))
HOSTNAME_REGEX='[a-zA-Z0-9][a-zA-Z0-9_-]{0,62}'
DOMAIN_NAME_REGEX="${HOSTNAME_REGEX}(\.${HOSTNAME_REGEX})*"

2
tools/g2/stages/join-nodes.sh
View File

@ -115,6 +115,8 @@ for NAME in "${NODES[@]}"; do
ssh_cmd "${NAME}" "/root/promenade/join-${NAME}.sh" 2>&1 | tee -a "${LOG_FILE}"
done
sleep 10
for etcd_validation_string in "${ETCD_CLUSTERS[@]}"; do
IFS=' ' read -a etcd_validation_args <<<"${etcd_validation_string}"
validate_etcd_membership "${etcd_validation_args[@]}"

244
tools/gate/config-templates/PKICatalog.yaml Normal file
View File

@ -0,0 +1,244 @@
---
schema: promenade/PKICatalog/v1
metadata:
schema: metadata/Document/v1
name: cluster-certificates
layeringDefinition:
abstract: false
layer: site
data:
certificate_authorities:
kubernetes:
description: CA for Kubernetes components
certificates:
- document_name: apiserver
description: Service certificate for Kubernetes apiserver
common_name: apiserver
hosts:
- localhost
- 127.0.0.1
- 10.96.0.1
kubernetes_service_names:
- kubernetes.default.svc.cluster.local
- document_name: kubelet-genesis
common_name: system:node:${GENESIS_HOSTNAME}
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
groups:
- system:nodes
- document_name: kubelet-${GENESIS_HOSTNAME}
common_name: system:node:${GENESIS_HOSTNAME}
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
groups:
- system:nodes
- document_name: kubelet-${MASTER1_HOSTNAME}
common_name: system:node:${MASTER1_HOSTNAME}
hosts:
- ${MASTER1_HOSTNAME}
- ${MASTER1_IP}
groups:
- system:nodes
- document_name: kubelet-${MASTER2_HOSTNAME}
common_name: system:node:${MASTER2_HOSTNAME}
hosts:
- ${MASTER2_HOSTNAME}
- ${MASTER2_IP}
groups:
- system:nodes
- document_name: kubelet-${WORKER_HOSTNAME}
common_name: system:node:${WORKER_HOSTNAME}
hosts:
- ${WORKER_HOSTNAME}
- ${WORKER_IP}
groups:
- system:nodes
- document_name: scheduler
description: Service certificate for Kubernetes scheduler
common_name: system:kube-scheduler
- document_name: controller-manager
description: certificate for controller-manager
common_name: system:kube-controller-manager
- document_name: admin
common_name: admin
groups:
- system:masters
- document_name: armada
common_name: armada
groups:
- system:masters
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
- document_name: apiserver-etcd
description: etcd client certificate for use by Kubernetes apiserver
common_name: apiserver
# NOTE(mark-burnett): hosts not required for client certificates
- document_name: kubernetes-etcd-anchor
description: anchor
common_name: anchor
- document_name: kubernetes-etcd-genesis
common_name: kubernetes-etcd-genesis
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${GENESIS_HOSTNAME}
common_name: kubernetes-etcd-${GENESIS_HOSTNAME}
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${MASTER1_HOSTNAME}
common_name: kubernetes-etcd-${MASTER1_HOSTNAME}
hosts:
- ${MASTER1_HOSTNAME}
- ${MASTER1_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${MASTER2_HOSTNAME}
common_name: kubernetes-etcd-${MASTER2_HOSTNAME}
hosts:
- ${MASTER2_HOSTNAME}
- ${MASTER2_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${WORKER_HOSTNAME}
common_name: kubernetes-etcd-${WORKER_HOSTNAME}
hosts:
- ${WORKER_HOSTNAME}
- ${WORKER_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
kubernetes-etcd-peer:
certificates:
- document_name: kubernetes-etcd-genesis-peer
common_name: kubernetes-etcd-genesis-peer
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${GENESIS_HOSTNAME}-peer
common_name: kubernetes-etcd-${GENESIS_HOSTNAME}-peer
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${MASTER1_HOSTNAME}-peer
common_name: kubernetes-etcd-${MASTER1_HOSTNAME}-peer
hosts:
- ${MASTER1_HOSTNAME}
- ${MASTER1_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${MASTER2_HOSTNAME}-peer
common_name: kubernetes-etcd-${MASTER2_HOSTNAME}-peer
hosts:
- ${MASTER2_HOSTNAME}
- ${MASTER2_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
- document_name: kubernetes-etcd-${WORKER_HOSTNAME}-peer
common_name: kubernetes-etcd-${WORKER_HOSTNAME}-peer
hosts:
- ${WORKER_HOSTNAME}
- ${WORKER_IP}
- 127.0.0.1
- localhost
- kubernetes-etcd.kube-system.svc.cluster.local
calico-etcd:
description: Certificates for Calico etcd client traffic
certificates:
- document_name: calico-etcd-anchor
description: anchor
common_name: anchor
- document_name: calico-etcd-${GENESIS_HOSTNAME}
common_name: calico-etcd-${GENESIS_HOSTNAME}
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${MASTER1_HOSTNAME}
common_name: calico-etcd-${MASTER1_HOSTNAME}
hosts:
- ${MASTER1_HOSTNAME}
- ${MASTER1_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${MASTER2_HOSTNAME}
common_name: calico-etcd-${MASTER2_HOSTNAME}
hosts:
- ${MASTER2_HOSTNAME}
- ${MASTER2_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${WORKER_HOSTNAME}
common_name: calico-etcd-${WORKER_HOSTNAME}
hosts:
- ${WORKER_HOSTNAME}
- ${WORKER_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node
common_name: calcico-node
calico-etcd-peer:
description: Certificates for Calico etcd clients
certificates:
- document_name: calico-etcd-${GENESIS_HOSTNAME}-peer
common_name: calico-etcd-${GENESIS_HOSTNAME}-peer
hosts:
- ${GENESIS_HOSTNAME}
- ${GENESIS_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${MASTER1_HOSTNAME}-peer
common_name: calico-etcd-${MASTER1_HOSTNAME}-peer
hosts:
- ${MASTER1_HOSTNAME}
- ${MASTER1_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${MASTER2_HOSTNAME}-peer
common_name: calico-etcd-${MASTER2_HOSTNAME}-peer
hosts:
- ${MASTER2_HOSTNAME}
- ${MASTER2_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-etcd-${WORKER_HOSTNAME}-peer
common_name: calico-etcd-${WORKER_HOSTNAME}-peer
hosts:
- ${WORKER_HOSTNAME}
- ${WORKER_IP}
- 127.0.0.1
- localhost
- 10.96.232.136
- document_name: calico-node-peer
common_name: calcico-node-peer
keypairs:
- name: service-account
description: Service account signing key for use by Kubernetes controller-manager.
...