Helping devs implement PKI

Key Venafi integrations

Devs already have plenty of work to do, and on top of that they are expected to have expert knowledge of cryptography and public key infrastructure (PKI). That is not right.

Indeed, every machine must have a valid TLS certificate. Certificates are needed for servers, containers, virtual machines, and inside service meshes. But the number of keys and certificates grows like a snowball, and managing them quickly becomes chaotic, expensive and risky if you do everything yourself. Without proper policy enforcement and monitoring practices, the business can suffer from weak certificates or unexpected expirations.

GlobalSign and Venafi have organized two webinars to help users. The first is introductory, and the second gives more specific technical advice on connecting the GlobalSign PKI system through the Venafi cloud using open source tools, via HashiCorp Vault, from a Jenkins CI/CD pipeline.

The main problems with existing certificate management processes stem from the large number of procedures involved:

  • Generating self-signed certificates in OpenSSL.
  • Working with multiple HashiCorp Vault instances to manage private CAs or self-signed certificates.
  • Enrolling applications for trusted certificates.
  • Using certificates from public cloud providers.
  • Automating Let's Encrypt certificate renewal.
  • Writing your own scripts.
  • Self-configuring DevOps tools such as Red Hat Ansible, Kubernetes, Pivotal Cloud Foundry.

All of these procedures increase the risk of error and take time. Venafi tries to solve these problems and make life easier for DevOps engineers.


The GlobalSign and Venafi demo consists of two parts. The first covers how to set up Venafi Cloud and GlobalSign PKI. The second covers how to use them to request certificates according to the established policies, using familiar tools.

Key topics:

  • Automating certificate issuance within existing DevOps CI/CD processes (for example, Jenkins).
  • Instant access to PKI and certificate services across the entire application stack (certificates issued within two seconds).
  • Standardizing public key infrastructure with ready-made solutions for integration with container orchestration, secrets management and automation platforms (for example, Kubernetes, OpenShift, Terraform, HashiCorp Vault, Ansible, SaltStack and others). The overall certificate issuance flow is shown in the figure below.

    Certificate issuance flow through HashiCorp Vault, Venafi Cloud and GlobalSign. In the diagram, CSR stands for Certificate Signing Request.

  • High-performance, reliable PKI infrastructure for dynamic, highly scalable environments.
  • Involvement of security teams through policies and certificate visibility.

This approach lets you build a reliable system without being a leading expert in cryptography and PKI.

Venafi Secrets Engine

Venafi even claims that this is the most cost-effective solution in the long run, since it does not require the involvement of highly paid PKI specialists or expensive support.

The solution integrates fully into the existing CI/CD pipeline and covers all of the company's certificate needs. This way, developers and DevOps engineers can work faster without running into difficult problems.

source: www.habr.com
