cert-manager 1.0 has been released. Below is an overview of what the 1.0 release means for the project and what is new in it.

What is it?

cert-manager is a controller for managing certificates in Kubernetes. It can issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, and signing or self-signed key pairs. It also keeps the issued certificates and keys up to date and tries to renew certificates a configured time before they expire. cert-manager is the successor of kube-lego and borrowed ideas from other similar projects, such as kube-cert-manager.
Road to 1.0

With 1.0 we put a stamp of trust on the years of work that have gone into cert-manager. Over that time the project has grown in functionality and stability, but most of all in its community. Today we see many people use it to secure their public and private Kubernetes clusters in all sorts of setups. Over 16 releases a lot has been done and some things were redesigned; many of the API changes were made to improve the experience of working with it. The project has received more than 1500 changes on GitHub from 253 contributors.
Changes

A 1.0 release means that cert-manager now has an API that can be trusted: v1.

This holds even for those who have been running cert-manager for a long time: 1.0 makes the stability of the project explicit.

The 1.0 release also brings a number of new features:

- the v1 API;
- the kubectl cert-manager status command to help troubleshoot issuance;
- use of the new, stable Kubernetes APIs;
- improved logging;
- ACME improvements.

Let's look at each of these in more detail.
API v1

Since v0.16 we have been on the v1beta1 API. It contained a lot of structural changes and improvements to naming and documentation. With 1.0 we go a step further and move to the v1 API. This is our first stable API, and with it we commit to keeping compatibility within v1. Because the reworked v1beta1 API was already in good shape, the changes in v1 are minimal (which is why we can list them here in full):

- emailSANs is renamed to emailAddresses
- uriSANs is renamed to uris

These renames make the fields consistent with the other SAN fields (subject alternative names, such as dnsNames) and with the Go API.
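As an added illustration of the two renamed fields in context (this manifest is not from the original post; the issuer name internal-ca, the namespace and the SAN values are assumed, and an internal CA is used because public ACME CAs do not issue email or URI SANs), a Certificate written against the v1 API looks like this:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-v1
  namespace: default          # assumed
spec:
  secretName: example-v1-tls
  issuerRef:
    name: internal-ca         # assumed: a CA issuer of your own, not Let's Encrypt
    kind: ClusterIssuer
  dnsNames:
  - example.com
  # v1beta1 and older called this field emailSANs
  emailAddresses:
  - admin@example.com
  # v1beta1 and older called this field uriSANs
  uris:
  - spiffe://example.com/ns/default/sa/web
```

Manifests that still use emailSANs or uriSANs under apiVersion cert-manager.io/v1 are rejected by the webhook as unknown fields, so the renames are the one thing to grep for when moving existing Certificate resources to v1.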
Upgrading

cert-manager 1.0 requires Kubernetes 1.16+. Its conversion webhooks let you use the v1alpha2, v1alpha3, v1beta1 and v1 API versions at the same time, so you can upgrade to the new version without changing your manifests first and then move them to the v1 API at your own pace. We do recommend updating your manifests to API v1 in the near future.

This conversion is not available on older Kubernetes versions: users of the legacy cert-manager manifests get only the v1 API, so their manifests have to be updated to v1 before upgrading.
kubectl cert-manager status

The new release of our kubectl plugin makes it easier to find out why a certificate is not being issued. The new kubectl cert-manager status command shows the state of a Certificate together with everything that takes part in its issuance: the CertificateRequest, the Secret, the Issuer, and, for ACME, the Order and Challenges. Run kubectl cert-manager status certificate <certificate-name> and you get the whole picture in one place.

Here is the output for a certificate that is still in the process of being issued:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
Even at this stage the output already points at the cause: the Issuer is ready, but the DNS-01 challenge cannot proceed because the Secret holding the DNS provider credentials was not found. Once a certificate has been issued, the command also shows the details of the certificate itself. Here, for example, is a certificate issued by Let's Encrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
Using the new stable Kubernetes APIs

cert-manager was one of the early adopters of Kubernetes CRDs. Combined with our support for Kubernetes versions back to 1.11, this meant we had to define our resources with apiextensions.k8s.io/v1beta1 for CRDs and admissionregistration.k8s.io/v1beta1 for webhooks. Both are now deprecated and will be removed in Kubernetes 1.22. With 1.0 we use apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 for Kubernetes 1.16 (the minimum supported version) and higher, and keep v1beta1 only in the legacy manifests for older versions.
Improved logging

In 1.0 we updated to klog/v2, which Kubernetes 1.19 also uses. We also reviewed many of the messages we log so that each is emitted at an appropriate level, from Error (level 0) for problems that need your intervention up to Trace (level 5) for following exactly what happens. With that change you can pick the amount of detail you need, for example enough to follow how a certificate is requested without the noise of full tracing. By default cert-manager logs at level 2 (Info), which you can change through global.logLevel in the Helm chart.

Note: reading the logs should be the last resort for debugging. To understand what is happening in the cluster, the Kubernetes events that cert-manager emits for its actions are usually enough, and the kubectl cert-manager status command shown above gathers them for you.
ACME improvements

The most common use of cert-manager is obtaining certificates from Let's Encrypt via ACME. In 1.0 our ACME issuer gets a few small but useful improvements that address problems users of ACME have run into.

Disabling account key generation

If you use ACME certificates in production, you may want to be sure that cert-manager uses a specific, already registered ACME account. Until now cert-manager looked up the account key in the Secret referenced by privateKeySecretRef and, if it found none, silently generated a new key and registered a new account with it. That is convenient for a first installation, but unwanted when an account has to be shared or kept under your control. To help with such cases we added disableAccountKeyGeneration: when it is set to true, cert-manager will not generate a key and instead reports that the account key must be provided.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    # false is the default behaviour (generate a key if the Secret is missing);
    # set this to true to require the key in example-issuer-account-key to exist
    disableAccountKeyGeneration: false
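The check below is an added example and not code from cert-manager or the original post. It takes an Issuer and the Secrets of its namespace in the JSON shape `kubectl get ... -o json` produces, and reports whether the Issuer is actually pinned to an existing account key: generation still enabled, the referenced Secret missing, no tls.key entry, or a tls.key that is not a private key. It assumes that cert-manager stores the ACME account key under the tls.key entry of the referenced Secret and accepts PEM-wrapped PKCS#1, PKCS#8 or SEC1 keys; the Secret and Issuer documents it runs on are constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// Only the fields the check needs from the Issuer and Secret API objects.
type issuer struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		ACME *struct {
			PrivateKeySecretRef         struct{ Name string `json:"name"` } `json:"privateKeySecretRef"`
			DisableAccountKeyGeneration bool                                 `json:"disableAccountKeyGeneration"`
		} `json:"acme"`
	} `json:"spec"`
}

type secret struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Data     map[string]string                   `json:"data"` // base64 values, as in the API
}

// parseAccountKey accepts the PEM encodings assumed above: PKCS#1 RSA, PKCS#8 or SEC1 EC.
func parseAccountKey(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return fmt.Errorf("tls.key is not PEM")
	}
	if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return nil
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		return nil
	}
	if _, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return nil
	}
	return fmt.Errorf("tls.key is not a recognised private key")
}

// CheckIssuer returns findings for one ACME Issuer given the Secrets of its
// namespace. An empty result means the Issuer is pinned to an existing key.
func CheckIssuer(issuerJSON []byte, secretsJSON [][]byte) ([]string, error) {
	var iss issuer
	if err := json.Unmarshal(issuerJSON, &iss); err != nil {
		return nil, err
	}
	if iss.Spec.ACME == nil {
		return nil, nil // not an ACME issuer, nothing to check
	}
	secrets := map[string]secret{}
	for _, raw := range secretsJSON {
		var s secret
		if err := json.Unmarshal(raw, &s); err != nil {
			return nil, err
		}
		secrets[s.Metadata.Name] = s
	}
	var findings []string
	if !iss.Spec.ACME.DisableAccountKeyGeneration {
		findings = append(findings, "disableAccountKeyGeneration is false: a missing key would silently become a new ACME account")
	}
	ref := iss.Spec.ACME.PrivateKeySecretRef.Name
	s, ok := secrets[ref]
	if !ok {
		return append(findings, "account key Secret "+ref+" does not exist"), nil
	}
	b64, ok := s.Data["tls.key"]
	if !ok {
		return append(findings, "Secret "+ref+" has no tls.key entry"), nil
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return append(findings, "Secret "+ref+": tls.key is not valid base64"), nil
	}
	if err := parseAccountKey(raw); err != nil {
		findings = append(findings, "Secret "+ref+": "+err.Error())
	}
	return findings, nil
}

// SampleSecretJSON is constructed demo input: a Secret holding a fresh EC key
// under tls.key, as kubectl create secret generic --from-file=tls.key=... would.
func SampleSecretJSON(name string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(key)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	enc := base64.StdEncoding.EncodeToString(pemKey)
	return []byte(fmt.Sprintf(`{"metadata":{"name":%q},"data":{"tls.key":%q}}`, name, enc))
}

// Constructed Issuer documents: one pinned to an existing key, one with the default.
const pinnedIssuer = `{"metadata":{"name":"letsencrypt"},"spec":{"acme":{"privateKeySecretRef":{"name":"example-issuer-account-key"},"disableAccountKeyGeneration":true}}}`
const defaultIssuer = `{"metadata":{"name":"letsencrypt"},"spec":{"acme":{"privateKeySecretRef":{"name":"example-issuer-account-key"},"disableAccountKeyGeneration":false}}}`

func main() {
	sec := SampleSecretJSON("example-issuer-account-key")
	for _, iss := range []string{pinnedIssuer, defaultIssuer} {
		findings, _ := CheckIssuer([]byte(iss), [][]byte{sec})
		fmt.Println(findings)
	}
}
```

Run it against real objects by piping `kubectl get issuer NAME -o json` and `kubectl get secret -o json` output into CheckIssuer; a non-empty result for an Issuer you believe is pinned means a reinstall in a fresh namespace would register a new ACME account without anyone noticing.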
Preferred chain

On 29 September Let's Encrypt switches to its own ISRG Root, and the certificates cross-signed by IdenTrust will be replaced. This matters if you depend on the root a certificate chains to, for example in a restricted trust store: certificates issued after the switch chain to the new root CA, while older ones still chain to the old one.

ACME allows a server to offer alternative certificate chains, and cert-manager 1.0 adds a way to choose between them: the preferredChain setting on the Issuer, in which you name the CA the chain should lead to. cert-manager inspects the chains the ACME server offers and picks the one that matches. Note that this is best effort: if the requested CA is not among the offered chains, cert-manager falls back to the default chain from the ACME server rather than failing issuance, so you should still verify that the chain you expect was actually delivered.

To obtain a certificate with the ISRG Root chain, specify:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
If you want to keep the IdenTrust chain, with DST Root CA X3 as its root, specify:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Note that this root CA is being retired: Let's Encrypt will stop offering this chain as of 29 September 2021.
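To make the matching rule and its fallback concrete, here is an added example (not cert-manager's own code and not from the original post) of the preferredChain selection: given the bundles an ACME server offers, pick the first one containing a certificate whose issuer CN equals the preferred name, otherwise return the default bundle. It assumes the rule is exactly that issuer-CN comparison, and it constructs throwaway keys and certificates that copy the 2020 Let's Encrypt layout (one intermediate key cross-signed by two roots named DST Root CA X3 and ISRG Root X1) so it runs offline; none of these are real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serials for the constructed demo certificates

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate with subject CN name for key. A nil parent
// means self-signed (a root); otherwise parent/parentKey sign it.
func issue(name string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// parseBundle decodes every CERTIFICATE block of a PEM bundle, in order.
func parseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for {
		var block *pem.Block
		if block, bundle = pem.Decode(bundle); block == nil {
			return chain, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
}

// SelectChain applies the assumed preferredChain rule to the offered bundles
// (bundles[0] is the server's default, the rest are alternatives). The bool
// reports whether a match was found; on no match the default is returned,
// which is the best-effort behaviour rather than a failed issuance.
func SelectChain(bundles [][]byte, preferred string) ([]byte, bool) {
	if preferred != "" {
		for _, b := range bundles {
			chain, err := parseBundle(b)
			if err != nil {
				continue // an unparsable alternative is skipped, not fatal
			}
			for _, c := range chain {
				if c.Issuer.CommonName == preferred {
					return b, true
				}
			}
		}
	}
	return bundles[0], false
}

// RootIssuerCN is the issuer CN of the last certificate in a bundle, i.e. the
// name of the root the delivered chain terminates at (roots are not shipped).
func RootIssuerCN(bundle []byte) string {
	chain, err := parseBundle(bundle)
	if err != nil || len(chain) == 0 {
		return ""
	}
	return chain[len(chain)-1].Issuer.CommonName
}

// BuildDemoChains constructs the cross-signing layout: bundle 0 (default)
// ends at the IdenTrust-style root, bundle 1 at the ISRG-style root.
func BuildDemoChains() [][]byte {
	oldRootKey, newRootKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldRoot, _ := issue("DST Root CA X3", true, oldRootKey, nil, nil)
	newRoot, _ := issue("ISRG Root X1", true, newRootKey, nil, nil)
	_, intViaOld := issue("Let's Encrypt Authority X3", true, intKey, oldRoot, oldRootKey)
	inter, intViaNew := issue("Let's Encrypt Authority X3", true, intKey, newRoot, newRootKey)
	_, leaf := issue("example.com", false, leafKey, inter, intKey)
	return [][]byte{append(append([]byte{}, leaf...), intViaOld...), append(append([]byte{}, leaf...), intViaNew...)}
}

func main() {
	bundles := BuildDemoChains()
	for _, want := range []string{"ISRG Root X1", "DST Root CA X3", "Some Other Root"} {
		b, matched := SelectChain(bundles, want)
		fmt.Printf("preferredChain=%q -> chain ends at %q (matched=%v)\n", want, RootIssuerCN(b), matched)
	}
}
```

The third case is the one to watch in operations: a typo in preferredChain, or a CA that stops offering the alternative, does not fail issuance but quietly hands you the default chain, so the delivered chain should be checked (the Issuer Common Name fields of kubectl cert-manager status are a convenient place) rather than assumed from the Issuer spec.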
ααααα: www.habr.com