Initial commit for Drivetrain on k8s
Related-prod: #PROD-27206 (PROD:27206)
Change-Id: I43ab57c6514864cf336d6811ae971479aa2ba8ac
diff --git a/salt/minion/cert/kdt_k8s_client.yml b/salt/minion/cert/kdt_k8s_client.yml
new file mode 100644
index 0000000..1a1c3e1
--- /dev/null
+++ b/salt/minion/cert/kdt_k8s_client.yml
@@ -0,0 +1,60 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ kdt_k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:node:${linux:system:name}
+ organization_name: system:nodes
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_client_fqdn:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client-fqdn.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client-fqdn.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:node:${linux:system:name}.${_param:cluster_domain}
+ organization_name: system:nodes
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_proxy:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-proxy-client.key
+ cert_file: /etc/kubernetes/ssl/kube-proxy-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-proxy
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_scheduler:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+ cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-scheduler
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_controller_manager:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+ cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-controller-manager
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_aggregator_proxy:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.key
+ cert_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-controller-manager
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address}
diff --git a/salt/minion/cert/kdt_k8s_client_single.yml b/salt/minion/cert/kdt_k8s_client_single.yml
new file mode 100644
index 0000000..4d6cbcc
--- /dev/null
+++ b/salt/minion/cert/kdt_k8s_client_single.yml
@@ -0,0 +1,60 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ kdt_k8s_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:node:${linux:system:name}
+ organization_name: system:nodes
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_client_fqdn:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kubelet-client-fqdn.key
+ cert_file: /etc/kubernetes/ssl/kubelet-client-fqdn.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:node:${linux:system:name}.${_param:cluster_domain}
+ organization_name: system:nodes
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_proxy:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-proxy-client.key
+ cert_file: /etc/kubernetes/ssl/kube-proxy-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-proxy
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_scheduler:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+ cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-scheduler
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_controller_manager:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+ cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-controller-manager
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ kdt_k8s_aggregator_proxy:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ key_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.key
+ cert_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ common_name: system:kube-controller-manager
+ signing_policy: cert_client
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
diff --git a/salt/minion/cert/kdt_k8s_server.yml b/salt/minion/cert/kdt_k8s_server.yml
new file mode 100644
index 0000000..63ee6ab
--- /dev/null
+++ b/salt/minion/cert/kdt_k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ kdt_k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_node01_address},IP:${_param:kdt_node02_address},IP:${_param:kdt_node03_address},IP:${_param:kdt_k8s_internal_api_address},DNS:kubernetes.default,DNS:kubernetes.default.svc
diff --git a/salt/minion/cert/kdt_k8s_server_single.yml b/salt/minion/cert/kdt_k8s_server_single.yml
new file mode 100644
index 0000000..f586a14
--- /dev/null
+++ b/salt/minion/cert/kdt_k8s_server_single.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ kdt_k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}