cert-manager 1.0 released

If you ask a knowledgeable, experienced engineer what they think of cert-manager and why everyone uses it, the specialist will sigh, give you a conspiratorial hug and say: "Everyone uses it because there is no sane alternative. Our mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to upgrade the cluster over and over again. And the old versions stop working, because there is a conspiracy and some mysterious shamanism."

But the developers say that with cert-manager 1.0 everything will change.

Shall we believe them?

cert-manager 1.0 released

Cert-manager is a native Kubernetes certificate manager. It can be used to issue certificates from a number of sources: Let's Encrypt, HashiCorp Vault, Venafi, and signing and self-signed key pairs. It also keeps keys up to date and attempts to renew certificates at a configured time before they expire. Cert-manager is based on kube-lego and also borrows some ideas from other similar projects, such as kube-cert-manager.

Release notes

With version 1.0 we place a mark of confidence on three years of development of the cert-manager project. During this time it has grown considerably in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters, as well as deploying it in various parts of the ecosystem. Many bugs have been fixed in the 16 preceding releases. And what needed to be broken has been broken. Several passes over the API improved how it interacts with users. We have resolved 1500 issues on GitHub, with even more pull requests from 253 community members.

With the release of 1.0 we declare that cert-manager is a mature project. We also commit to keeping our API compatible with v1.

Many thanks to everyone who helped us build cert-manager over these three years! May version 1.0 be the first of many good things to come.

Release 1.0 is a stable release with several important points:

  • the v1 API;

  • the kubectl cert-manager status command, which helps diagnose problems;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. That release added some structural changes and also improved the documentation of the API fields. Version 1.0 builds on all of this with the v1 API. This API is our first stable one; we already provided backward-compatibility guarantees, but with the v1 API we commit to maintaining compatibility for years to come.

The changes made (note: our conversion tools will take care of all of this for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes make the fields consistent with the other SANs (subject alternative names, translator's note) and with the Go API. We are removing this term from our API.
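To show what the rename amounts to in a manifest, here is an added example of a small pre-upgrade converter and lint pass. It is not code from the post or from the cert-manager project (which ships its own conversion tooling); it handles only the two v1beta1-to-v1 field renames listed above, refuses any other apiVersion rather than guessing, and the Certificate it converts is constructed with hypothetical names.

```python
import copy
from typing import Any, Dict, List

# Field renames between cert-manager.io/v1beta1 and cert-manager.io/v1
# Certificate specs, as listed in the release notes.
SPEC_RENAMES = {
    "emailSANs": "emailAddresses",
    "uriSANs": "uris",
}


def convert_certificate_v1beta1_to_v1(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return a v1 copy of a v1beta1 Certificate manifest (input is not mutated).

    Only the two renames from the release notes are applied. Any other
    apiVersion is rejected instead of being passed through, so a lint run
    over a repository of manifests cannot silently miss a resource.
    """
    if manifest.get("kind") != "Certificate":
        raise ValueError("not a Certificate: kind=%r" % manifest.get("kind"))
    api_version = manifest.get("apiVersion")
    if api_version == "cert-manager.io/v1":
        return copy.deepcopy(manifest)  # already converted; nothing to do
    if api_version != "cert-manager.io/v1beta1":
        raise ValueError("unsupported apiVersion for this converter: %r" % api_version)

    out = copy.deepcopy(manifest)
    out["apiVersion"] = "cert-manager.io/v1"
    spec = out.setdefault("spec", {})
    for old, new in SPEC_RENAMES.items():
        if old not in spec:
            continue
        if new in spec and spec[new] != spec[old]:
            # Both spellings present with different values: refuse to guess.
            raise ValueError("conflicting values for %s and %s" % (old, new))
        spec[new] = spec.pop(old)
    return out


def legacy_fields(manifest: Dict[str, Any]) -> List[str]:
    """Names of v1beta1-only spec fields still present in a manifest."""
    spec = manifest.get("spec", {})
    return sorted(name for name in SPEC_RENAMES if name in spec)


# Constructed v1beta1 Certificate with hypothetical names (not from the post).
EXAMPLE_V1BETA1 = {
    "apiVersion": "cert-manager.io/v1beta1",
    "kind": "Certificate",
    "metadata": {"name": "example-com", "namespace": "default"},
    "spec": {
        "secretName": "example-com-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "letsencrypt", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    converted = convert_certificate_v1beta1_to_v1(EXAMPLE_V1BETA1)
    print(converted["apiVersion"], sorted(converted["spec"]))
    print("legacy fields left:", legacy_fields(converted))
```

Running `legacy_fields` over every Certificate before switching an apply pipeline to v1 is the cheap check; the converter itself is deliberately strict so that a manifest on v1alpha2 or v1alpha3, which needs more than these two renames, is surfaced rather than half-converted.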

Upgrading

If you use Kubernetes 1.16+, conversion webhooks let you work simultaneously and seamlessly with the API versions v1alpha2, v1alpha3, v1beta1 and v1. With them you can use the new API version without having to change or redeploy your old resources. We strongly recommend updating your manifests to the v1 API, as the previous versions will soon be deprecated. Users of the legacy version of cert-manager still only have access to v1; the upgrade steps can be found here.

kubectl cert-manager status command

With the new improvements in our kubectl extension it has become easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now provides far more information about what is happening with a certificate, and also shows which stage of issuance the certificate is at.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and the other related resources, such as the CertificateRequest, Secret and Issuer, and also the Order and Challenges in the case of ACME certificates.

An example of debugging a certificate that is not yet ready:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

This command can also help you learn more about the contents of a certificate. Example output for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]

Using the latest stable Kubernetes APIs

Cert-manager was one of the first projects to use Kubernetes CRDs. This, together with our support for Kubernetes versions back to 1.11, meant that we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. These are now deprecated and will be removed from Kubernetes as of version 1.22. With 1.0 we now have full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and later. For users of earlier versions we continue to provide v1beta1 support in our legacy manifests.

Improved logging

In this version we updated the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log message we write to make sure it is assigned the appropriate level. In this we followed the Kubernetes guidelines. There are five (actually six, translator's note) log levels, starting from Error (level 0), which prints only important errors, and ending with Trace (level 5), which helps you find out exactly what is happening. With this change we have reduced the volume of logs when you do not need debugging information while running cert-manager.

Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.

Note: reading the logs is your last resort when troubleshooting. For more information see our guide.

Editor's note: to learn more about how Kubernetes works under the hood, get practical advice from working instructors, and receive quality technical support, you can take part in the intensive online courses Kubernetes Base, running September 28-30, and Kubernetes Mega, running October 14-16.

ACME improvements

The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 is notable for taking community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you issue ACME certificates at high volume, you will probably use the same account across several clusters, so that your certificate rate limits apply to all of them together. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. That use case was rather buggy, because cert-manager tried to be helpful and happily generated a new account key whenever it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: with this option set to true, cert-manager will not generate a key and will instead warn you that it has not been given an account key.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: true   # true: fail loudly instead of silently creating a new account key
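As an added illustration of the shared-account workflow (this is not code from the post or from cert-manager), the following Python audits an ACME Issuer for the weak setting described above and prepares the account-key Secret for copying into another cluster. It works on documents shaped like `kubectl get issuer -o json` / `kubectl get secret -o json` output; the Issuer, Secret and key material are constructed with hypothetical names and a placeholder value, and the choice of which metadata fields to strip before re-applying is my own.

```python
import json
from typing import Any, Dict, List

# Metadata written by the source cluster's API server; it must not be carried
# into another cluster when the Secret is re-applied there (my selection).
CLUSTER_SPECIFIC_METADATA = (
    "uid", "resourceVersion", "creationTimestamp", "selfLink", "managedFields",
)


def audit_acme_issuer(issuer: Dict[str, Any]) -> List[str]:
    """Findings for an Issuer whose ACME account key is meant to be shared."""
    findings: List[str] = []
    acme = issuer.get("spec", {}).get("acme")
    if acme is None:
        return findings  # not an ACME issuer; nothing to check
    ref_name = acme.get("privateKeySecretRef", {}).get("name")
    if not ref_name:
        findings.append("spec.acme.privateKeySecretRef.name is unset")
    if acme.get("disableAccountKeyGeneration") is not True:
        findings.append(
            "disableAccountKeyGeneration is not true: if Secret %r is missing, "
            "cert-manager generates a fresh key and registers a new ACME account "
            "with its own rate limits instead of failing" % ref_name
        )
    return findings


def harden_acme_issuer(issuer: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the Issuer with account key generation disabled."""
    out = json.loads(json.dumps(issuer))
    acme = out.get("spec", {}).get("acme")
    if acme is not None:
        acme["disableAccountKeyGeneration"] = True
    return out


def portable_secret(secret: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a Secret with cluster-specific metadata removed.

    The result can be applied in a second cluster under the same name so
    that an Issuer there, with disableAccountKeyGeneration: true, reuses
    the same ACME account.
    """
    out = json.loads(json.dumps(secret))
    meta = out.setdefault("metadata", {})
    for field in CLUSTER_SPECIFIC_METADATA:
        meta.pop(field, None)
    annotations = meta.get("annotations", {})
    annotations.pop("kubectl.kubernetes.io/last-applied-configuration", None)
    if not annotations:
        meta.pop("annotations", None)
    return out


# Constructed Issuer with the weak setting (hypothetical names).
WEAK_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt", "namespace": "default"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "example-issuer-account-key"},
    }},
}

# Constructed Secret as the source cluster would return it; the data value is
# a placeholder, not a real key.
ACCOUNT_KEY_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "example-issuer-account-key",
        "namespace": "default",
        "uid": "0f1e2d3c-0000-0000-0000-placeholder0",
        "resourceVersion": "123456",
        "creationTimestamp": "2020-08-21T14:44:13Z",
        "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"},
    },
    "data": {"tls.key": "PLACEHOLDER_BASE64_PRIVATE_KEY"},
}

if __name__ == "__main__":
    for finding in audit_acme_issuer(WEAK_ISSUER):
        print("WARN:", finding)
    print(json.dumps(portable_secret(ACCOUNT_KEY_SECRET), indent=2))
```

The audit flags exactly the failure mode the paragraph describes: an Issuer that points at a shared key but would quietly mint a new account if the Secret were absent, which is how a cluster ends up on a separate rate-limit bucket without anyone noticing.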

Preferred chain

On September 29 Let's Encrypt will move to its own root certificate authority, ISRG Root. This replaces the certificates cross-signed by IdenTrust. The change requires no changes on the cert-manager side; every renewed or newly issued certificate after that date will use the new root CA.

Let's Encrypt already signs certificates with this CA and offers them as an "alternative certificate chain" via ACME. This version of cert-manager adds the ability to configure access to these chains in the issuer configuration. In the preferredChain parameter you can specify the name of the CA to be used for issuing the certificate. If a chain with a CA matching the request is available, you will be issued that certificate. Please note that this is only a preference: if no match is found, the certificate will still be issued. This ensures that you will still renew your certificate after the alternative chain is removed from the ACME issuer.

Today you can get ISRG Root signed certificates like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you want to stay on the IdenTrust chain, set this parameter to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Please note that this root CA will be retired soon; Let's Encrypt will keep this chain working until September 29, 2021.
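To make the preference-with-fallback semantics concrete, here is an added example of the selection a client performs over ACME's alternative chains. It is not code from the post or from cert-manager: the "ACME server" is a constructed in-memory table keyed by certificate URL, each chain is simplified to a list of subject/issuer common names rather than a PEM bundle, and the matching rule (first chain containing a certificate whose issuer CN equals preferredChain, otherwise the default chain) follows the documented behaviour of the parameter as I understand it.

```python
import re
from typing import Dict, List, Optional, Tuple

Cert = Dict[str, str]               # {"subject": CN, "issuer": CN}, simplified
Chain = List[Cert]                  # leaf first, top-most certificate last
ServerTable = Dict[str, Tuple[Chain, List[str]]]  # url -> (chain, Link headers)

# Constructed stand-in for the ACME server's certificate download endpoints.
# The default chain ends in DST Root CA X3; the alternate ends in ISRG Root X1.
FAKE_ACME_SERVER: ServerTable = {
    "https://acme.example/cert/42": (
        [
            {"subject": "example.com", "issuer": "Let's Encrypt Authority X3"},
            {"subject": "Let's Encrypt Authority X3", "issuer": "DST Root CA X3"},
        ],
        ['<https://acme.example/cert/42/1>;rel="alternate"',
         '<https://acme.example/directory>;rel="index"'],
    ),
    "https://acme.example/cert/42/1": (
        [
            {"subject": "example.com", "issuer": "Let's Encrypt Authority X3"},
            {"subject": "Let's Encrypt Authority X3", "issuer": "ISRG Root X1"},
        ],
        [],
    ),
}

# ACME advertises alternative chains as Link headers with rel="alternate".
LINK_ALTERNATE_RE = re.compile(r'<([^>]+)>\s*;\s*rel="alternate"')


def alternate_urls(link_headers: List[str]) -> List[str]:
    """Extract the alternate-chain URLs from a response's Link headers."""
    urls: List[str] = []
    for header in link_headers:
        match = LINK_ALTERNATE_RE.search(header)
        if match:
            urls.append(match.group(1))
    return urls


def fetch_chain(url: str, server: ServerTable) -> Tuple[Chain, List[str]]:
    """Stand-in for an authenticated ACME POST-as-GET of a certificate URL."""
    return server[url]


def chain_matches(chain: Chain, preferred: str) -> bool:
    """True if any certificate in the chain was issued by the preferred CA."""
    return any(cert["issuer"] == preferred for cert in chain)


def chain_root(chain: Chain) -> str:
    """Issuer CN of the top-most certificate, i.e. the root the chain leads to."""
    return chain[-1]["issuer"]


def select_chain(cert_url: str, preferred_chain: Optional[str],
                 server: ServerTable = FAKE_ACME_SERVER) -> Tuple[Chain, str]:
    """Pick the chain to store, honouring preferredChain only as a preference."""
    default_chain, links = fetch_chain(cert_url, server)
    if not preferred_chain or chain_matches(default_chain, preferred_chain):
        return default_chain, cert_url
    for alt_url in alternate_urls(links):
        chain, _ = fetch_chain(alt_url, server)
        if chain_matches(chain, preferred_chain):
            return chain, alt_url
    # No chain matched: issue with the default rather than fail, so renewals
    # keep working after the alternative chain is withdrawn.
    return default_chain, cert_url


if __name__ == "__main__":
    for preferred in ("ISRG Root X1", "DST Root CA X3", "Retired CA", None):
        chain, url = select_chain("https://acme.example/cert/42", preferred)
        print("%-16s -> %s (%s)" % (preferred, chain_root(chain), url))
```

The last case in the usage loop is the one worth checking in your own environment: once the server stops offering a chain, the preference is silently unmet, so anything that pins on the root (an alert, a client truststore) should be verified against the chain actually stored in the Secret rather than against the Issuer spec.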

Source: www.hab.com
