cert-manager 1.0 released

If you ask any experienced engineer what they think of cert-manager and why everyone uses it, the expert will sigh, give you a confiding hug and say wearily: "Everyone uses it because there is no worthy alternative. Our mice cry and prick themselves, but keep living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that rely on new features, and you have to upgrade the cluster again. And the old versions stop working, because there is a conspiracy and a great deal of mysterious shamanism in there."

But the developers claim that with cert-manager 1.0 everything is going to change.

Shall we believe them?


Cert-manager is a native Kubernetes certificate management controller. It can issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed. It keeps certificates valid and up to date and attempts to renew them at a configured time before they expire. Cert-manager grew out of kube-lego and has also borrowed some techniques from other similar projects, such as kube-cert-manager.

Release announcement

With version 1.0 we are putting a mark of confidence on three years of developing the cert-manager project. In that time it has grown a lot in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters, and it is being integrated into various parts of the ecosystem. A lot of bugs were fixed in the last 16 releases. And what needed to be broken was broken. Several passes over the API improved its user experience. We resolved 1,500 issues on GitHub, with pull requests from 253 community members.

With the 1.0 release we declare cert-manager a mature project. We also commit to maintaining compatibility of our v1 API.

Many thanks to everyone who helped us build cert-manager over these three years! May version 1.0 be the first of many great things to come.

The 1.0 release is a stable release with these key areas:

  • the v1 API;

  • the kubectl cert-manager status command, which helps with troubleshooting;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 already worked with the v1beta1 API, which introduced some structural changes and improved the documentation of the API fields. Version 1.0 builds on that with the v1 API. This API is our first stable one: we offered compatibility guarantees before, but with the v1 API we commit to maintaining compatibility for years to come.

Changes made (note: our conversion webhook takes care of these for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes make the field names consistent with the other SANs (subject alternative names, translator's note) and with the Go API. We are dropping the term SAN from our API.

Conversion

If you are running Kubernetes 1.16 or later, conversion webhooks let you work with several API versions at once, seamlessly: v1alpha2, v1alpha3, v1beta1 and v1. With them you can use the new API version without having to modify or redeploy your old resources. We strongly recommend upgrading your manifests to the v1 API, because the older versions will soon be deprecated. Users of the legacy cert-manager build (for older Kubernetes versions, where conversion webhooks are not available) only get the v1 version of the API; the upgrade steps are described here.
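The manifest upgrade recommended above is mechanical for Certificate resources, since the only field-level differences the release notes list are the two SAN renames. The Go program below is an added example, not code from the release notes or from the cert-manager project: it converts a JSON-decoded Certificate from any of the versions named above (v1alpha2, v1alpha3, v1beta1, or already v1) to v1 by applying exactly those renames and setting apiVersion, refuses anything it does not recognise instead of passing it through, and reports a manifest that already carries both the old and the new name rather than silently overwriting one. The sample manifest, its names and the SPIFFE URI are constructed for the example; YAML files would need to be decoded into the same map first (no YAML library is used, to keep it dependency-free).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field renames that the v1 API introduced, as listed in the release notes.
var v1Renames = map[string]string{
	"emailSANs": "emailAddresses",
	"uriSANs":   "uris",
}

// Versions whose Certificate manifests differ from v1 only by those renames
// (plus apiVersion). Anything else, for example the pre-0.11 certmanager.k8s.io
// group, is refused rather than silently passed through.
var convertible = map[string]bool{
	"cert-manager.io/v1alpha2": true,
	"cert-manager.io/v1alpha3": true,
	"cert-manager.io/v1beta1":  true,
	"cert-manager.io/v1":       true,
}

// ConvertCertificateToV1 rewrites a decoded Certificate manifest in place:
// the SAN fields are renamed and apiVersion is set to cert-manager.io/v1.
// It is idempotent, so running it over an already converted manifest is safe.
func ConvertCertificateToV1(obj map[string]interface{}) error {
	apiVersion, _ := obj["apiVersion"].(string)
	if !convertible[apiVersion] {
		return fmt.Errorf("cannot convert apiVersion %q", apiVersion)
	}
	if kind, _ := obj["kind"].(string); kind != "Certificate" {
		return fmt.Errorf("only Certificate is handled here, got kind %q", kind)
	}
	spec, ok := obj["spec"].(map[string]interface{})
	if !ok {
		return fmt.Errorf("manifest has no spec")
	}
	for oldName, newName := range v1Renames {
		v, present := spec[oldName]
		if !present {
			continue
		}
		if _, clash := spec[newName]; clash {
			return fmt.Errorf("spec sets both %s and %s; merge them by hand", oldName, newName)
		}
		spec[newName] = v
		delete(spec, oldName)
	}
	obj["apiVersion"] = "cert-manager.io/v1"
	return nil
}

// ConvertJSON converts a JSON-encoded manifest, the form kubectl get -o json prints.
func ConvertJSON(in []byte) ([]byte, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal(in, &obj); err != nil {
		return nil, err
	}
	if err := ConvertCertificateToV1(obj); err != nil {
		return nil, err
	}
	return json.MarshalIndent(obj, "", "  ")
}

// SampleV1alpha2 is a constructed manifest for this example, not one from the
// release notes; the names and the SPIFFE URI are invented.
const SampleV1alpha2 = `{
  "apiVersion": "cert-manager.io/v1alpha2",
  "kind": "Certificate",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "secretName": "web-tls",
    "dnsNames": ["example.com"],
    "emailSANs": ["admin@example.com"],
    "uriSANs": ["spiffe://example.com/ns/default/sa/web"],
    "issuerRef": {"name": "letsencrypt", "kind": "Issuer"}
  }
}`

func main() {
	out, err := ConvertJSON([]byte(SampleV1alpha2))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

This is most useful where the conversion webhook cannot help: manifests kept in git that you want on v1 before the older versions are deprecated, and clusters below Kubernetes 1.16 running the legacy build. Feed it the output of kubectl get certificate <name> -o json or your own decoded files; kubectl accepts the JSON it produces.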

The kubectl cert-manager status command

With new improvements to our kubectl plugin, investigating why a certificate was not issued has become easier. kubectl cert-manager status now provides more information about what is happening with a certificate and shows which stage of issuance it is at.

Once the plugin is installed, you can run kubectl cert-manager status certificate <certificate-name> to look up the certificate with that name and its related resources, such as the CertificateRequest, Secret and Issuer, as well as the Order and Challenges in the case of ACME certificates.

An example of troubleshooting a certificate that is not ready:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

In the output above, the Certificate and CertificateRequest only say that issuance is pending; the root cause is at the bottom, in the Challenge: the DNS-01 solver cannot load its Cloud DNS service-account credentials because no Secret named "clouddns-accoun" exists, so the first thing to check is the secret name in the Issuer's solver configuration. The command can also tell you more about a certificate that was issued. Details for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]

Using the latest stable Kubernetes APIs

Cert-manager was one of the first projects to adopt Kubernetes CRDs. That, combined with our support for Kubernetes versions as old as 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are deprecated and will be removed in Kubernetes 1.22. With 1.0 we offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were introduced) and later. For users of older versions we continue to support v1beta1 in our legacy manifests.

Improved logging

In this release we upgraded the logging library to klog/v2, which is also used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is emitted at an appropriate level, following the Kubernetes logging guidelines. There are five (actually six, translator's note) log levels, from Error (level 0), which prints only serious errors, up to Trace (level 5), which helps you find out exactly what is happening. With this change we reduced the volume of logs when you don't need debugging output while running cert-manager.

Helpful hint: cert-manager runs at level 2 (Info) by default; you can override this with global.logLevel in the Helm chart.

Note: reading the logs should be the last resort when troubleshooting. For more information see our guide.


ACME improvements

The most common use of cert-manager is issuing certificates from Let's Encrypt via ACME. Version 1.0 draws on community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you use ACME certificates at scale, you are probably sharing one ACME account across multiple clusters, so that your certificate-issuance limits apply across all of them. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. That use case was fragile, because cert-manager tried to be helpful and happily generated a new account key whenever it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: with this option set to true, cert-manager will not generate a key and will warn you that no account key was provided.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # the Secret must already exist, holding the account key copied from
      # the cluster that registered the ACME account
      name: example-issuer-account-key
    # refuse to create a fresh account key if that Secret is missing
    disableAccountKeyGeneration: true

Preferred chain

On September 29, Let's Encrypt will switch to its own root certificate, ISRG Root. The certificates cross-signed by IdenTrust will be replaced. This change does not require any change to your cert-manager configuration; all new or renewed certificates issued after that date will use the new root CA.

Let's Encrypt already signs certificates with this CA and offers them as an "alternative certificate chain" via ACME. This version of cert-manager lets you choose between these chains in the issuer settings. In the preferredChain parameter you specify the name of the CA that should issue the certificate. If a chain matching that request is offered, you will be given that chain. Note that this is only a preference: if nothing matches, the default chain is issued. This guarantees that your certificate will still be renewed after the alternative chain is removed on the ACME server side.

You can already get certificates signed by ISRG Root today, like so:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you want to stay on the IdenTrust chain, set this field to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA will be retired soon: Let's Encrypt will keep offering this chain until September 29, 2021.
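Because preferredChain is only a preference, it pays to check which chain actually landed in the Secret. The Go program below is an added example, not cert-manager code: it parses the PEM bundle found in a TLS Secret's tls.crt, reports which root the delivered chain hangs off, checks whether any certificate in the bundle names the CA given in preferredChain as its issuer (that issuer-CN comparison is an assumption about how cert-manager matches the field), and verifies the chain against the root you expect clients to trust, which is the check a TLS client really performs. The root, intermediate and leaf it uses are generated locally with invented names ("Example Root X1", "Example Intermediate R3", example.com) so that it runs offline; they are not Let's Encrypt's certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseChain decodes the CERTIFICATE blocks of a PEM bundle in order, e.g. the
// tls.crt value of the Secret that cert-manager writes (leaf first).
func ParseChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		return nil, fmt.Errorf("no PEM certificate blocks in bundle")
	}
	return chain, nil
}

// SatisfiesPreferredChain reports whether some certificate in the chain names
// preferred as its issuer CN. Assumption: this mirrors the comparison
// cert-manager makes when selecting a chain for spec.acme.preferredChain.
func SatisfiesPreferredChain(chain []*x509.Certificate, preferred string) bool {
	for _, c := range chain {
		if c.Issuer.CommonName == preferred {
			return true
		}
	}
	return false
}

// VerifiesAgainst is the check a TLS client makes: the leaf must chain to a
// root in rootPEM through the intermediates shipped in the bundle.
func VerifiesAgainst(chain []*x509.Certificate, rootPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return fmt.Errorf("no usable root in rootPEM")
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// mustCert builds a test certificate for cn (self-signed when parent is nil);
// it panics on failure because it only feeds the constructed fixture below.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleChain is a constructed, offline stand-in for an ACME response:
// leaf + intermediate, anchored on a root the bundle itself omits. The names
// are invented; these are not Let's Encrypt's certificates.
func BuildSampleChain() ([]byte, []byte) {
	root, rootKey, rootPEM := mustCert("Example Root X1", true, nil, nil)
	inter, interKey, interPEM := mustCert("Example Intermediate R3", true, root, rootKey)
	_, _, leafPEM := mustCert("example.com", false, inter, interKey)
	return append(leafPEM, interPEM...), rootPEM
}

func main() {
	bundle, rootPEM := BuildSampleChain()
	chain, _ := ParseChain(bundle)
	fmt.Printf("anchor=%q preferred=%v verify=%v\n", chain[len(chain)-1].Issuer.CommonName,
		SatisfiesPreferredChain(chain, "Example Root X1"), VerifiesAgainst(chain, rootPEM))
}
```

To run it against a real Secret, replace the output of BuildSampleChain with the result of kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d and the PEM of the root you intend clients to trust. A bundle where SatisfiesPreferredChain is false tells you the ACME server fell back to its default chain; a bundle where VerifiesAgainst fails for your chosen root tells you clients pinned to that root will reject the certificate.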

Source: www.habr.com
