If you ask an experienced and wise engineer what they think of cert-manager and why everyone uses it, the expert will sigh, give you a confiding hug and say wearily: "Our mice are neither made to squeak nor put out; we just go on living with these cacti. Why are we afraid? Because it works. Why are we not afraid? Because new versions with new features keep appearing. And the cluster has to be updated several times. And then there is a conspiracy and great mystical shamanism, and the old versions stop working."
However, the developers claim that with cert-manager 1.0 everything has changed.
Can we believe them?
Cert-manager is a native Kubernetes certificate management controller. With it you can issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, a signing key pair, a self-signed key pair and others. It also keeps the keys up to date through their validity period and tries to renew certificates automatically at a configured time before they expire. Cert-manager is based on kube-lego and borrows a few tricks from other similar projects such as kube-cert-manager.
Release notes
Version 1.0 marks three years of development of the cert-manager project. Over that time its functionality and stability have evolved considerably, but the most important thing is the community. Today we see many people not only using it to protect their Kubernetes clusters but deploying it in the most varied parts of the ecosystem. Over the last 16 releases many bugs were fixed. What had to be broken was broken, and the interaction with users improved through repeated passes over the API to make it easier to use. Pull requests from 253 community members resolved issues on GitHub.
With the 1.0 release we officially declare cert-manager a mature project. We also commit to keeping the v1 API compatible.
Thank you to everyone who has helped build cert-manager over these three years. Let version 1.0 be the first of many great things to come!
Release 1.0 is a stable release with several priority areas:
- the v1 API;
- the kubectl cert-manager status tool, which helps with problem analysis;
- use of the latest stable Kubernetes APIs;
- improved logging;
- ACME improvements.
Before upgrading, be sure to read the upgrade notes.
API v1
Version v0.16 works with the v1beta1 API, which added several structural changes and improved the documentation of the API fields. Version 1.0 builds on that and uses the v1 API. This is the first stable API; while compatibility was already guaranteed, we now commit to keeping the v1 API compatible for years to come.
Changes made (note: our conversion tool handles all of this):
Certificate:
- emailSANs is now called emailAddresses;
- uriSANs is now called uris.
These changes bring it in line with the other SANs (Subject Alternative Names, translator's note) and with the Go API; the term "SAN" is removed from the API.
Upgrade
If you use Kubernetes 1.16 or later, the conversion webhook lets you work with the v1alpha2, v1alpha3, v1beta1 and v1 API versions at the same time, seamlessly. With it you can use the new API version without changing or redeploying old resources. We strongly recommend upgrading your manifests to the v1 API, since the earlier versions are scheduled for removal soon. Users of the legacy version of cert-manager will continue to have access only to v1. Upgrade instructions are available.
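As an added example (not code from the article or from the cert-manager project): a small Python helper that applies exactly the two Certificate field renames listed above while moving apiVersion from v1beta1 to v1, and refuses anything it cannot convert safely. The sample manifest is constructed, and the decision to reject the alpha API versions (on the assumption that they differ in more than these two fields) is this example's own, not a statement from the page.

```python
import copy

V1 = "cert-manager.io/v1"
SOURCE = "cert-manager.io/v1beta1"  # the only source version handled here

# Certificate spec fields renamed between v1beta1 and v1 (the list above).
RENAMED_SPEC_FIELDS = {"emailSANs": "emailAddresses", "uriSANs": "uris"}


def upgrade_certificate(manifest):
    """Return a v1 copy of a v1beta1 Certificate manifest (input untouched)."""
    kind = manifest.get("kind")
    if kind != "Certificate":  # other kinds: no renames known from the list above
        raise ValueError(f"only Certificate is handled here, got {kind!r}")
    version = manifest.get("apiVersion")
    if version == V1:
        return copy.deepcopy(manifest)  # already v1, nothing to rename
    if version != SOURCE:  # assumption: alpha APIs changed more than these fields
        raise ValueError(f"cannot convert apiVersion {version!r} to v1")
    upgraded = copy.deepcopy(manifest)
    upgraded["apiVersion"] = V1
    spec = upgraded.setdefault("spec", {})
    for old, new in RENAMED_SPEC_FIELDS.items():
        if old not in spec:
            continue
        if new in spec:  # both spellings present: do not guess which list wins
            raise ValueError(f"spec has both {old!r} and {new!r}; resolve by hand")
        spec[new] = spec.pop(old)
    return upgraded


# Constructed sample manifest (not from a real cluster), in the dict form
# that yaml.safe_load would return.
LEGACY_CERT = {
    "apiVersion": SOURCE,
    "kind": "Certificate",
    "metadata": {"name": "acme-certificate", "namespace": "default"},
    "spec": {
        "secretName": "acme-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "acme-issuer", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(upgrade_certificate(LEGACY_CERT), indent=2))
```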
The kubectl cert-manager status command
A new improvement to the kubectl extension makes it easier to investigate why a certificate is not being issued. kubectl cert-manager status now provides much more information about what is happening with a certificate and shows which stage of issuance it is at.
After installing the extension you can run kubectl cert-manager status certificate <certificate-name>. This looks up the certificate with the given name and its related resources: the CertificateRequest, Secret, Issuer and, if you use ACME certificates, the Order and Challenges.
Example of debugging a certificate that is not ready yet:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 18m cert-manager Issuing certificate as Secret does not exist
Normal Generated 18m cert-manager Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
Normal Requested 18m cert-manager Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
Name: acme-issuer
Kind: Issuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
Name: acme-certificate-qp5dm
Namespace: default
Conditions:
Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 18m cert-manager Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
Name: acme-certificate-qp5dm-1319513028
State: pending, Reason:
Authorizations:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
The command is also useful for learning more about the contents of a certificate. A detailed example for a certificate issued by Let's Encrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
Name: example
Issuer Country: US
Issuer Organisation: Let's Encrypt
Issuer Common Name: Let's Encrypt Authority X3
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication, Client Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID: 65081d98a9870764590829b88c53240571997862
Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
Using the latest stable Kubernetes APIs
Cert-manager was one of the first to implement Kubernetes CRDs. That, together with support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 version for our CRDs and admissionregistration.k8s.io/v1beta1 for the webhook. These are now deprecated and are scheduled for removal in Kubernetes 1.22. Starting with 1.0 we provide full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and later. For users of earlier versions we continue to support v1beta1 in our legacy version.
Improved logging
In this release we updated the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned an appropriate level. We were guided by this scale: Error (level 0) outputs only important errors, through to Trace (level 5), which helps you know exactly what is happening. This change reduces the amount of logging when you run cert-manager and do not need debug information.
Tip: by default cert-manager runs at level 2 (Info). You can override this with global.logLevel in the Helm chart.
Note: reading the logs is the last resort in troubleshooting. More on that is covered separately.
Editor's note: to learn in detail how everything works inside Kubernetes, and to get valuable advice and high-quality technical support from practising instructors, you can take part in the online intensive course.
ACME improvements
The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 is notable for two small but important improvements to the ACME issuer, driven by community feedback.
Disabling account key generation
If you use ACME certificates at scale, you will most likely share the same account across several clusters so that the certificate issuance limits apply to all of them. This was already possible by copying the Secret referenced in privateKeySecretRef in cert-manager. But because cert-manager tries to be helpful and will happily create a new account key when it cannot find one, this did not work well for that use case. So we added disableAccountKeyGeneration. Setting this option to true protects you from that behaviour: cert-manager will not generate a key and will warn you that no account key has been provided.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    # true: refuse to create a new account key and warn instead, so the
    # shared account key must be present in the Secret named above
    disableAccountKeyGeneration: true
Preferred chain
On September 29 Let's Encrypt switches to its own ISRG Root; the certificates cross-signed by IdenTrust will be replaced. This change requires no changes to the cert-manager configuration, but every renewed or new certificate issued after that date will use the new root CA.
Let's Encrypt already signs certificates with this CA and offers them via ACME as an "alternative certificate chain". This version of cert-manager lets you configure access to these chains in the issuer settings. In the preferredChain parameter you can name the CA in use that you want certificates to be issued by. If a CA certificate matching the request is available, the certificate is issued with it. Note that this is a preference: if nothing matches, the default certificate is issued. That way certificates can still be renewed after the alternative chain has been removed on the ACME issuer's side.
You can already receive certificates signed by ISRG Root today:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
If you want to stay on the IdenTrust chain, set this option to DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Note that this root CA is scheduled to be retired soon: Let's Encrypt will keep this chain active until September 29, 2021.
Source: habr.com