cert-manager 1.0 released

If you ask an experienced engineer who knows what's what what they think of cert-manager and why everyone uses it, the expert will sigh, give them a confidential hug and say wearily: "Everyone uses it because there is no other sensible alternative. Our mice cry and prick themselves, but keep on eating this cactus. Why do we love it? Because it works. Why do we not love it? Because new versions with new features come out all the time. And you have to update the cluster again and again. And the old versions stop working, because there is a conspiracy and great mysterious shamanism."

But the developers claim that with cert-manager 1.0 everything will change.

Shall we believe them?


cert-manager is a Kubernetes certificate management controller. It can be used to issue certificates from various sources: Let's Encrypt, HashiCorp Vault, Venafi, signed with a key pair of your own, or self-signed. It also keeps keys up to date and attempts to renew certificates automatically at a specified time before they expire. cert-manager is based on kube-lego and also borrows some techniques from other similar projects, such as kube-cert-manager.

Release notes

With version 1.0 we put a stamp of trust on three years of development of the cert-manager project. Over this time it has grown considerably in functionality and stability, but most of all in community. Today we see many people using it to secure their Kubernetes clusters and integrating it into various parts of the ecosystem. Many bugs were fixed in the previous 16 releases. And what needed to be broken was broken. Several passes over the API improved its interaction with users. We have resolved 16 issues on GitHub, as well as even more pull requests from 1500 community members.

With release 1.0 we publicly declare that cert-manager is a mature project. We also commit to keeping our API compatible with v1.

Many thanks to everyone who helped us build cert-manager over these three years! May version 1.0 be the first of many great things to come.

Release 1.0 is a stable release with several key areas:

  • the v1 API;

  • the kubectl cert-manager status command, to help investigate problems;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. It added some structural changes and documented the API fields. Version 1.0 moves fully to the v1 API. This API is our first stable one: we have given compatibility guarantees before, but with the v1 API we promise to maintain compatibility for years to come.

Changes made (note: our conversion tooling will take care of everything for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes bring consistency with other SANs (subject alternative names, translator's note), as well as with the Go API. We are removing this term from our API.

Upgrade

If you use Kubernetes 1.16+, conversion webhooks let you work with the v1alpha2, v1alpha3, v1beta1 and v1 API versions at the same time without problems. Thanks to them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to the v1 API, since earlier versions will be deprecated soon. Users of the legacy version of cert-manager will still only have access to v1; the upgrade procedure can be found here.

The kubectl cert-manager status command

Thanks to new improvements in our kubectl extension, it has become easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now provides much more information about what is happening with a certificate, and also shows the stage of issuance and the issued certificate itself.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and everything related to it, such as the CertificateRequest, Secret and Issuer, and also the Order and Challenges in the case of certificates from ACME.

Example for a certificate that has not yet been issued:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

The tool can also help you learn more about the contents of the certificate. An example description for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]

Using the latest stable Kubernetes APIs

cert-manager was one of the first implementations of Kubernetes CRDs. This, together with our support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. These are now deprecated and will be removed from Kubernetes as of version 1.22. With 1.0 we now provide full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and later. For users of earlier versions we continue to provide v1beta1 support in our legacy version.

Improved logging

In this version we upgraded the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned an appropriate level. Here we followed the guidance from Kubernetes. There are five (actually six, translator's note) log levels, starting at Error (level 0), which prints only important errors, and ending with Trace (level 5), which lets you find out exactly what is going on. With this change we reduced the volume of logs when you do not need debugging information while running cert-manager.

Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.

Note: examining the logs is your last resort when troubleshooting. For more information, see our guide.

Editor's note: to learn more about how everything works under the hood of Kubernetes, get useful advice from practicing instructors and high-quality technical support, you can take part in the online intensives Kubernetes Base, which will be held on September 28-30, and Kubernetes Mega, which will take place on October 14-16.

ACME improvements

The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 is notable for using community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you use ACME certificates in large volumes, you will probably use the same account across several clusters, so any rate limit you hit affects all of them. cert-manager already allowed this by copying the secret named in privateKeySecretRef. That use case was quite painful, because cert-manager tried to be helpful and happily created a new account key whenever it did not find one. This is why we added disableAccountKeyGeneration to protect you from this behaviour: with the option set to true, cert-manager will not generate a key and will warn you that no account key was provided.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false

Preferred chain

On September 29, Let's Encrypt will switch to its own root certificate authority, ISRG Root. It will replace the certificates cross-signed by IdenTrust. This change requires no changes to the cert-manager configuration; all certificates renewed or newly issued after that date will use the new root CA.

Let's Encrypt already signs certificates with this CA and offers them as "alternative certificate chains" via ACME. This version of cert-manager lets you select these chains in the issuer configuration. In the preferredChain parameter you can specify the name of the CA used to issue the certificate. If a certificate chain matching the request is available, you will get that certificate. Note that this is a preference: if nothing matches, the default certificate is issued. This ensures that your certificate will still be renewed after the alternative chain is removed from the ACME issuer.

Today you can obtain certificates signed by ISRG Root like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you want to keep the IdenTrust chain, set this parameter to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA will expire soon; Let's Encrypt will keep this chain working until September 29, 2021.
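As an added example (not code from this article or from the cert-manager project), the check below reproduces the preferredChain match on a tls.crt bundle, so you can confirm from the Secret cert-manager wrote which root a certificate actually chains to. The certificates are constructed in-process as test data; only the two CA names come from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ChainHasPreferred: true if any cert in the PEM bundle (leaf first, as in tls.crt) has Issuer CN == preferred.
func ChainHasPreferred(bundle []byte, preferred string) (bool, error) {
	found, seen := false, 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, err
		}
		seen++
		found = found || cert.Issuer.CommonName == preferred
	}
	if seen == 0 { // e.g. the Secret is empty or does not exist yet
		return false, errors.New("no certificates in bundle")
	}
	return found, nil
}

// issue signs a certificate for cn with the parent's key (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ConstructedBundle builds a throwaway leaf+intermediate bundle (constructed test data, not a real Let's Encrypt chain) whose intermediate is signed by a root named rootCN.
func ConstructedBundle(rootCN string) []byte {
	root, rootKey, _ := issue(rootCN, true, nil, nil)
	inter, interKey, interPEM := issue("R3 (constructed)", true, root, rootKey)
	_, _, leafPEM := issue("example.com", false, inter, interKey)
	return append(leafPEM, interPEM...)
}
```

Run it against the decoded tls.crt from the certificate's Secret to check that a preferredChain setting actually took effect, remembering that preferredChain is only a preference and falls back to the default chain.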

Source: www.habr.com
