Public Key Infrastructure (PKI) Catalog

Configuration for certificate and keypair generation in the cluster. The pegleg secrets generate certificates command will read all PKICatalog documents and either find pre-existing certificates/keys, or generate new ones based on the given definition.

Dependencies

Pegleg’s PKI Catalog depends on CloudFlare’s PKI/TLS toolkit, which is installed as a part of Pegleg’s Dockerfile.

Sample Document

Here is a sample document:

# Basic example of pki-catalog.yaml for k8s.
---
schema: promenade/PKICatalog/v1
metadata:
  schema: metadata/Document/v1
  name: cluster-certificates-addition
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
data:
  certificate_authorities:
    kubernetes:
      description: CA for Kubernetes components
      certificates:
        - document_name: kubelet-n3
          common_name: system:node:n3
          hosts:
            - n3
            - 192.168.77.13
          groups:
            - system:nodes
...

Certificate Authorities

The data under the certificate_authorities key is used to generate certificates for each authority and node.

Each certificate authority requires essential host-specific information for each node; in the sample above that is the node's common_name, its hosts (DNS names and IP addresses), and the groups it belongs to.
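As an added example (not Pegleg's own code), the following walks parsed PKICatalog documents, flags configuration problems a reviewer would want caught before generation, and derives a cfssl-style request per entry. The document is shown already parsed so it runs without PyYAML; the CN/hosts/O mapping is an assumption about how Pegleg feeds the toolkit, and the system:nodes check reflects how Kubernetes recognises node identities, not anything the page states.

```python
import ipaddress

PKI_CATALOG_SCHEMA = "promenade/PKICatalog/v1"
REQUIRED = ("document_name", "common_name", "hosts")

# The page's sample pki-catalog.yaml already parsed (what yaml.safe_load_all
# would return), so this runs without PyYAML; the metadata block is omitted.
SAMPLE_DOCS = [{"schema": PKI_CATALOG_SCHEMA, "data": {"certificate_authorities": {
    "kubernetes": {"description": "CA for Kubernetes components", "certificates": [
        {"document_name": "kubelet-n3", "common_name": "system:node:n3",
         "hosts": ["n3", "192.168.77.13"], "groups": ["system:nodes"]}]}}}}]

def is_ip(host):
    """Distinguish IP SANs from DNS SANs; cfssl accepts both in 'hosts'."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def csr_request(cert):
    """cfssl-style CSR request from one catalog entry. Mapping CN/hosts/O is an
    assumption about how Pegleg feeds the toolkit, not stated on the page."""
    return {"CN": cert["common_name"],
            "hosts": sorted(cert["hosts"], key=is_ip),  # DNS names first
            "names": [{"O": g} for g in cert.get("groups", [])]}

def check_catalog(docs):
    """Return ({(ca, document_name): request}, [problem strings])."""
    requests, problems, seen = {}, [], set()
    for doc in docs:
        if doc.get("schema") != PKI_CATALOG_SCHEMA:
            continue
        for ca, spec in doc["data"]["certificate_authorities"].items():
            for cert in spec.get("certificates", []):
                missing = [k for k in REQUIRED if not cert.get(k)]
                if missing:
                    problems.append(f"{ca}: entry missing {missing}")
                    continue
                name = cert["document_name"]
                if name in seen:  # the same document_name defined twice
                    problems.append(f"{ca}: duplicate document_name {name}")
                seen.add(name)
                # Kubernetes treats CN system:node:<n> as a node identity only
                # when the certificate also carries O=system:nodes.
                if (cert["common_name"].startswith("system:node:")
                        and "system:nodes" not in cert.get("groups", [])):
                    problems.append(f"{name}: node CN without system:nodes")
                requests[(ca, name)] = csr_request(cert)
    return requests, problems
```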