If you ask a seasoned, grizzled expert what he thinks about cert-manager and why everyone uses it, the expert will sigh, give it a quiet hug, and say with a tired look: "Everyone uses it because there is no other sane option. Our mice cry and prick themselves, but keep on chewing this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to upgrade the cluster over and over again. And the old versions don't work, because of a conspiracy and some mysterious shamanism."
But the developers say that with cert-manager 1.0 everything will change.
Shall we believe them?
Cert-manager is a native Kubernetes certificate manager. It can be used to obtain certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, a signing key pair, or self-signed. It also keeps keys up to date and tries to renew certificates at a configured time before they expire. Cert-manager is based on kube-lego and also borrows some ideas from other similar projects, such as kube-cert-manager.
Release
With version 1.0 we have put a stamp of confidence on three years of development of the cert-manager project. In that time it has grown a great deal in functionality and stability, but most of all in community. Today we see many people using it to secure their Kubernetes clusters, as well as adopting it in various parts of the ecosystem. A good number of bugs were fixed over the previous 16 releases. And whatever needed to be broken was broken. Several passes over the API improved how users interact with it. We have resolved 1500 issues on GitHub, with even more pull requests from 253 community members.
With the release of 1.0 we declare that cert-manager is a mature project. We also commit to keeping our API backwards compatible from v1 onward.
Many thanks to everyone who helped us build cert-manager over these three years! May version 1.0 be the first of many good things to come.
Release 1.0 is a stable release with several key points:
- the v1 API;
- the kubectl cert-manager status command, which helps diagnose problems;
- use of the latest stable Kubernetes APIs;
- improved logging;
- ACME improvements.
Be sure to read the upgrade notes before upgrading.
API v1
Version v0.16 worked with the v1beta1 API. It added some structural changes and also improved the documentation of the API fields. Version 1.0 builds on all of this with the v1 API. This API is our first stable one; we had already given compatibility guarantees before, but with API v1 we commit to maintaining compatibility for years to come.
The changes made (note: our conversion tools will take care of everything for you):
Certificate:
- emailSANs is now emailAddresses
- uriSANs is now uris
These changes bring the fields in line with the other SANs (subject alternative names; translator's note) and with the Go API. We are removing the term SAN from our API.
Upgrade
If you use Kubernetes 1.16+, conversion webhooks let you work simultaneously and seamlessly with the API versions v1alpha2, v1alpha3, v1beta1 and v1. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend updating your manifests to API v1, as the previous versions will soon be deprecated. Users of the legacy versions of cert-manager still have access only to v1; the upgrade steps can be found
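As an added example (not cert-manager's own code or conversion tooling), here is what the move to API v1 amounts to for a Certificate manifest checked into git: the two SAN fields are renamed and apiVersion is bumped, and the function refuses to guess when both an old and a new field name are present. It assumes a pre-v1 manifest (v1alpha2, v1alpha3 or v1beta1) uses the old field names; the manifest is held as a plain dict and the sample Certificate is constructed for this example.

```python
"""Added example, not cert-manager's own code: apply the v1 Certificate field
renames to a manifest held as a dict (what the conversion webhook does online)."""
import copy
import json

CERT_MANAGER_GROUP = "cert-manager.io"
# API versions the 1.0 conversion webhook serves alongside v1, oldest first.
PRE_V1_VERSIONS = ("v1alpha2", "v1alpha3", "v1beta1")
# Certificate spec field renames introduced with API v1.
CERTIFICATE_RENAMES = {"emailSANs": "emailAddresses", "uriSANs": "uris"}


def upgrade_certificate(manifest):
    """Return (upgraded_copy, notes); notes list what was changed.

    The input dict is not modified. A manifest already on v1 comes back
    unchanged with an empty notes list.
    """
    api_version = manifest.get("apiVersion", "")
    group, _, version = api_version.partition("/")
    if group != CERT_MANAGER_GROUP or manifest.get("kind") != "Certificate":
        raise ValueError(f"not a cert-manager Certificate: {api_version} {manifest.get('kind')}")
    upgraded = copy.deepcopy(manifest)
    notes = []
    if version == "v1":
        return upgraded, notes  # already on the stable API; nothing to do
    if version not in PRE_V1_VERSIONS:
        raise ValueError(f"unknown cert-manager API version: {version}")
    spec = upgraded.setdefault("spec", {})
    for old, new in CERTIFICATE_RENAMES.items():
        if old in spec:
            if new in spec:
                # Both spellings present: do not silently pick one.
                raise ValueError(f"both spec.{old} and spec.{new} are set; resolve by hand")
            spec[new] = spec.pop(old)
            notes.append(f"renamed spec.{old} -> spec.{new}")
    upgraded["apiVersion"] = f"{CERT_MANAGER_GROUP}/v1"
    notes.append(f"apiVersion {version} -> v1")
    return upgraded, notes


# Constructed sample: a v1alpha2 Certificate still using the SAN field names.
SAMPLE_V1ALPHA2 = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "acme-certificate", "namespace": "default"},
    "spec": {
        "secretName": "acme-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/service"],
        "issuerRef": {"name": "acme-issuer", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    new_manifest, changes = upgrade_certificate(SAMPLE_V1ALPHA2)
    print("\n".join(changes))
    print(json.dumps(new_manifest, indent=2))
```

Run it over every Certificate in a repository before switching the manifests to v1; the notes tell you exactly which files changed, and the deliberate error on a manifest carrying both field names is the case worth catching in review rather than in the webhook.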
kubectl cert-manager status command
With the latest improvements to our kubectl extension it has become easier to investigate problems with certificates that fail to be issued. kubectl cert-manager status now gives much more information about what is happening with a certificate, and also shows at which stage of issuance the certificate is.
After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and the related resources, such as the CertificateRequest, Secret and Issuer, and the Order and Challenges in the case of ACME certificates.
An example of debugging a certificate that is not yet ready:
```
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
```
This command can also help you learn more about the details of a certificate. Example details for a certificate issued by Let's Encrypt:
```
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
```
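As an added example (not part of the cert-manager project), the following triage helper reads the text printed by kubectl cert-manager status certificate, in the line format of the listings above, and collects every condition that is not Ready, the Order state and every Challenge that is not valid, so that the last finding is the deepest one and usually the actual cause (in the first listing above, the missing clouddns-accoun Secret). The sample output is reconstructed from that listing with the challenge token and key replaced by placeholders; the section names it recognises are the ones shown above.

```python
"""Added example, not cert-manager's own code: triage the output of
`kubectl cert-manager status certificate <name>` into an ordered list of findings."""
import re

# A key looks like "Ready", "Initial State" or "URL"; its value follows ": ".
_KEY_RE = re.compile(r"^([A-Z][A-Za-z ]*):(?: (.*))?$")
# Lines that open a sub-resource block in the status output.
_SECTION_HEADERS = ("Secret:", "Issuer:", "CertificateRequest:", "Order:", "Challenges:")


def _parse_pairs(line):
    """Parse 'Key: value, Key2: value2' into a dict.

    A chunk that does not look like a key (for example it starts lower-case) is a
    comma inside the previous free-text value, so it is appended, not dropped.
    """
    pairs, last = {}, None
    for chunk in line.split(", "):
        match = _KEY_RE.match(chunk)
        if match:
            last = match.group(1)
            pairs[last] = match.group(2) or ""
        elif last is not None:
            pairs[last] += ", " + chunk
    return pairs


def triage_status(output):
    """Return findings (strings) in the order the resources appear in the output."""
    section, findings = "Certificate", []
    for raw in output.splitlines():
        line = raw.strip()
        if line in _SECTION_HEADERS:
            section = line[:-1]
            continue
        if line.startswith("Ready:"):
            cond = _parse_pairs(line)
            if cond.get("Ready") != "True":
                findings.append(f"{section}: Ready={cond.get('Ready')} "
                                f"({cond.get('Reason')}): {cond.get('Message')}")
        elif section == "Order" and line.startswith("State:"):
            order = _parse_pairs(line)
            if order.get("State") != "valid":
                findings.append(f"Order: State={order.get('State')}")
        elif section == "Challenges" and line.startswith("- Name:"):
            challenge = _parse_pairs(line[2:])
            if challenge.get("State") != "valid":
                findings.append(f"Challenge {challenge.get('Name')} ({challenge.get('Type')}): "
                                f"State={challenge.get('State')}: {challenge.get('Reason')}")
        elif line.startswith("error "):
            findings.append(line)  # e.g. the Secret lookup error printed inline
    return findings


def root_cause(output):
    """The deepest finding, or None when everything is ready."""
    findings = triage_status(output)
    return findings[-1] if findings else None


# Constructed sample, reconstructed from the listing above; token and key are placeholders.
SAMPLE_STATUS = """\
Name: acme-certificate
Namespace: default
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
CertificateRequest:
  Name: acme-certificate-qp5dm
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: <token>, Key: <key>, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""

if __name__ == "__main__":
    for finding in triage_status(SAMPLE_STATUS):
        print(finding)
    print("root cause:", root_cause(SAMPLE_STATUS))
```

Pipe the command's output into triage_status from a script or an alerting hook; because the parser keeps commas that sit inside a Reason or Message, a DNS provider error containing a list is reported whole rather than truncated at the first comma.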
Leverage the latest stable Kubernetes APIs
Cert-manager was one of the first projects to use Kubernetes CRDs. That, together with our support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. These are now deprecated and will be removed from Kubernetes as of version 1.22. With 1.0 we now fully support apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and later. For users of earlier versions we continue to provide v1beta1 support in our legacy manifests.
Improved logging
In this version we switched the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log message we write to make sure it is assigned the appropriate level. We go from Error (level 0), which prints only important errors, up to Trace (level 5), which helps you find out exactly what is happening. With this change we have reduced the volume of logs when you do not need debugging information while running cert-manager.
Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.
Note: examining the logs should be your last resort when troubleshooting. For more information see our
Editor's note: to learn more about how things work under the hood in Kubernetes, get practical advice from practitioners and receive quality support, you can join an intensive online course
ACME improvements
The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 draws on community feedback to add two small but important improvements to our ACME issuer.
Disable account key generation
If you issue ACME certificates in large volume, you are probably using the same account across many clusters, so your rate limits apply to all of them. This was already possible in cert-manager by copying the Secret specified in privateKeySecretRef. This use case was rather error-prone, because cert-manager, trying to be helpful, would happily create a new account key if it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: with this option set to true, cert-manager will not create a key and will warn you that it has not been given an account key.
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false
```
Preferred chain
On September 29 Let's Encrypt switches to its own ISRG Root. Certificates signed with IdenTrust will be replaced. This change requires nothing on the cert-manager side; all certificates renewed or newly issued after that date will use the new root CA.
Let's Encrypt already signs certificates with this CA and offers them as an "alternative certificate chain" via ACME. This version of cert-manager adds the ability to configure access to these chains in the issuer configuration. In the preferredChain parameter you can specify the name of the CA to be used for issuing the certificate. If a CA certificate matching the request is available, the certificate will be issued with it. Note that this is a preference: if nothing matches, the certificate will still be issued. This ensures that you will keep renewing your certificates after the alternative chain is removed from the ACME issuer.
Today you can get a certificate signed by ISRG Root like this:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
```
If you want to stay on the IdenTrust chain, set this parameter to DST Root CA X3:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
```
Note that this root CA will be phased out soon; Let's Encrypt will keep this chain working until September 29, 2021.
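As an added example covering both ACME options above (not the project's own code), here is a review check for Issuer manifests held as dicts. It flags an Issuer whose account-key Secret is copied from another cluster while disableAccountKeyGeneration is not true, since a missing Secret would then silently produce a new account key with its own rate limits, and it flags an Issuer that pins preferredChain to DST Root CA X3, which Let's Encrypt keeps only until September 29, 2021. The shared_account flag is an input to this example and not a cert-manager field; the sample Issuer is constructed, and the field names are the ones the post uses.

```python
"""Added example, not cert-manager's own code: review checks for ACME Issuer
manifests covering disableAccountKeyGeneration and preferredChain."""
import copy

IDENTRUST_CHAIN = "DST Root CA X3"   # chain Let's Encrypt retires on the date below
IDENTRUST_CHAIN_END = "2021-09-29"


def check_acme_issuer(manifest, shared_account=False):
    """Return a list of findings for an Issuer/ClusterIssuer manifest (a dict).

    shared_account: set when the Secret in privateKeySecretRef is copied from
    another cluster so one ACME account (and its rate limits) is reused. This
    is an input to the example, not a cert-manager field.
    """
    findings = []
    acme = manifest.get("spec", {}).get("acme")
    if acme is None:
        return findings  # not an ACME issuer; nothing here applies
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    key_secret = acme.get("privateKeySecretRef", {}).get("name")
    if not key_secret:
        findings.append(f"{name}: spec.acme.privateKeySecretRef.name is not set")
    if shared_account and acme.get("disableAccountKeyGeneration") is not True:
        findings.append(
            f"{name}: account key Secret {key_secret!r} is shared across clusters but "
            "disableAccountKeyGeneration is not true; if the Secret is missing, "
            "cert-manager creates a fresh account key (a new ACME account with its own rate limits)"
        )
    if acme.get("preferredChain") == IDENTRUST_CHAIN:
        findings.append(
            f"{name}: preferredChain {IDENTRUST_CHAIN!r} pins the IdenTrust chain, "
            f"which Let's Encrypt keeps only until {IDENTRUST_CHAIN_END}"
        )
    return findings


def harden_shared_account(manifest):
    """Copy of the manifest with disableAccountKeyGeneration: true, the setting
    for an Issuer whose account key is copied in rather than generated."""
    hardened = copy.deepcopy(manifest)
    hardened["spec"]["acme"]["disableAccountKeyGeneration"] = True
    return hardened


# Constructed sample: the weak configuration (generation still allowed, old chain pinned).
WEAK_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "example-issuer-account-key"},
        "disableAccountKeyGeneration": False,
        "preferredChain": "DST Root CA X3",
    }},
}

if __name__ == "__main__":
    for finding in check_acme_issuer(WEAK_ISSUER, shared_account=True):
        print("WARN", finding)
    fixed = harden_shared_account(WEAK_ISSUER)
    fixed["spec"]["acme"]["preferredChain"] = "ISRG Root X1"
    print("after hardening:", check_acme_issuer(fixed, shared_account=True))
```

Run the check as part of manifest review for every cluster that reuses an ACME account; the second finding is what you want to see before September 29, 2021, while the first is the silent failure the post describes, which only shows up later as unexpected rate-limit errors.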
Source: www.hab.com