cert-manager 1.0 released

If you ask a wise, knowledgeable engineer what he thinks of cert-manager and why everyone uses it, the specialist will sigh, give it a confiding hug and say wearily: "Everyone uses it because there are no decent alternatives. Our mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to upgrade the cluster yet again. And the old versions stop working, because of a conspiracy and great mysterious shamanism."

But the developers of cert-manager 1.0 say that everything is about to change.

Shall we believe them?

cert-manager 1.0 released

cert-manager is the native Kubernetes certificate management controller. It can issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, a signing key pair, or self-signed. It also keeps keys up to date with respect to their expiry date and attempts to renew certificates automatically at a configured time before they expire. cert-manager is based on kube-lego and has also borrowed a few tricks from other similar projects such as kube-cert-manager.

Release announcement

With the 1.0 release we are putting a stamp of trust on three years of development of the cert-manager project. In that time it has grown a lot in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters, and it is deployed in many different parts of the ecosystem. Many bugs have been fixed over the past 16 releases. And what needed to be broken got broken. Several passes over the API have improved how users interact with it. We have resolved 1500 issues on GitHub and even more pull requests from 253 community members.

With the release of 1.0 we officially declare cert-manager a mature project. We also promise to keep our v1 API compatible.

Many thanks to everyone who helped us build cert-manager over these three years! Release 1.0 is the first of many big things to come.

Release 1.0 is a stable release with several key features:

  • v1 API;

  • the kubectl cert-manager status command, to help with troubleshooting;

  • use of the latest Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. It added some structural changes and improved the documentation of the API fields. Version 1.0 builds on this with the v1 API. This is our first API for which we offer stability guarantees: with the v1 API we promise to maintain compatibility for years to come.

The changes made (note: our conversion tooling takes care of all of this for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes bring consistency with the other SANs (subject alternative names, translator's note) and with the Go API. We are removing this term from our API.
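The conversion webhook rewrites these fields for resources that are already in the cluster, but it never touches the manifests kept in git. The script below is an added example, not code from the cert-manager project: it applies the two renames named above and bumps apiVersion to cert-manager.io/v1 for a Certificate manifest, refusing to guess when a spec carries both the old and the new name of a field with different values. It works on JSON because kubectl accepts JSON as readily as YAML; the sample Certificate is constructed for the example.

```python
"""Migrate cert-manager Certificate manifests from the pre-1.0 API versions to v1.

Added example, not part of the cert-manager project. It applies only the
field renames the release notes list (emailSANs -> emailAddresses,
uriSANs -> uris) and sets apiVersion to cert-manager.io/v1. In-cluster the
conversion webhook does this on the fly; this is for manifests kept in git,
which the webhook never touches.
"""
import json

V1 = "cert-manager.io/v1"
PRE_V1 = {"cert-manager.io/v1alpha2", "cert-manager.io/v1alpha3", "cert-manager.io/v1beta1"}
RENAMES = {"emailSANs": "emailAddresses", "uriSANs": "uris"}


def migrate_certificate(manifest: dict) -> dict:
    """Return a v1 copy of a Certificate manifest; the input is left untouched.

    Raises ValueError for non-Certificate documents, unknown apiVersions, or
    a spec that carries both the old and the new name of a field with
    different values (an ambiguity a migration must not silently resolve).
    """
    if manifest.get("kind") != "Certificate":
        raise ValueError("not a Certificate manifest")
    api = manifest.get("apiVersion")
    if api != V1 and api not in PRE_V1:
        raise ValueError(f"unknown apiVersion {api!r}")

    out = json.loads(json.dumps(manifest))  # deep copy; manifests are plain JSON data
    spec = out.setdefault("spec", {})
    for old, new in RENAMES.items():
        if old not in spec:
            continue
        value = spec.pop(old)
        if new in spec and spec[new] != value:
            raise ValueError(f"spec.{old} and spec.{new} disagree; resolve by hand")
        spec[new] = value
    out["apiVersion"] = V1
    return out


def migrate_json(text: str) -> str:
    """Migrate a JSON-encoded manifest (kubectl accepts JSON as well as YAML)."""
    return json.dumps(migrate_certificate(json.loads(text)), indent=2)


# Constructed sample: a v1alpha2 Certificate that still uses the old SAN names.
SAMPLE = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "secretName": "example-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/ns/default/sa/web"],
        "issuerRef": {"name": "letsencrypt", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    print(migrate_json(json.dumps(SAMPLE)))
```

Running the migration twice is a no-op, so it can be applied to a whole repository without first sorting manifests by API version. Field moves that happened in earlier API versions are deliberately out of scope here; only the two renames this release notes are handled.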

Upgrade

If you are using Kubernetes 1.16+, conversion webhooks let you work with the v1alpha2, v1alpha3, v1beta1 and v1 API versions at the same time. Thanks to them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to the v1 API, since the older versions will soon be deprecated. Users of the legacy version of cert-manager will only have access to v1; the upgrade steps can be found here.

The kubectl cert-manager status command

With the latest improvements to our kubectl extension it has become easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now provides much more information about what is happening with a certificate and also shows the stage of issuance the certificate is in.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name together with related resources such as the CertificateRequest, Secret and Issuer, and also the Order and Challenges when certificates are obtained via ACME.

An example of debugging a certificate that is not yet ready:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
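In a report like the one above, the fact that actually blocks issuance is buried near the bottom, in the Reason of the DNS-01 Challenge. As an added example (not part of cert-manager or its kubectl plugin), the script below parses the report's text and reduces it to the Certificate's Ready/Issuing conditions, the Issuer's readiness, and a list of blockers: any Challenge that is not yet valid and carries a Reason, a failed CertificateRequest, or an Issuer that is not Ready. SAMPLE_REPORT is an abridged copy of the report shown above; the line layout assumed is the one that report uses.

```python
"""Triage helper for the report printed by `kubectl cert-manager status certificate`.

Added example, not part of cert-manager or its kubectl plugin. It pulls out
what an on-call engineer wants first: the Certificate's Ready and Issuing
conditions, whether the Issuer is ready, and every Challenge or
CertificateRequest that is holding up issuance. The line layout it expects
is the one in the report shown in the article; SAMPLE_REPORT below is an
abridged copy of that report.
"""
import re

CONDITION_RE = re.compile(r"^(Ready|Issuing): (True|False), Reason: ([^,]*), Message: (.*)$")
CHALLENGE_KEYS = ("Name", "Type", "Token", "Key", "State", "Reason", "Processing", "Presented")
# Split a Challenge line only in front of a known key: the Reason text may
# itself contain ': ' and spaces, so splitting on every ', ' would corrupt it.
CHALLENGE_SPLIT_RE = re.compile(r", (?=(?:%s): )" % "|".join(CHALLENGE_KEYS))


def parse_challenge(line: str) -> dict:
    """Turn '- Name: ..., Type: ..., ...' into a dict of its fields."""
    fields = {}
    for part in CHALLENGE_SPLIT_RE.split(line.lstrip("- ")):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def triage(report: str) -> dict:
    """Summarise a status report as top-level conditions plus a list of blockers."""
    result = {"ready": None, "issuing": None, "issuer_ready": None, "blockers": []}
    section = None
    for raw in report.splitlines():
        # Unindented 'Something:' lines open the sections of the report.
        if raw and not raw.startswith((" ", "-")) and raw.endswith(":"):
            section = raw[:-1]
            continue
        line = raw.strip()
        if section == "Challenges" and line.startswith("- Name:"):
            ch = parse_challenge(line)
            if ch.get("State") != "valid" and ch.get("Reason"):
                result["blockers"].append(
                    f"Challenge {ch['Name']} ({ch['Type']}) state={ch['State']}, "
                    f"presented={ch['Presented']}: {ch['Reason']}")
            continue
        m = CONDITION_RE.match(line)
        if not m:
            continue
        cond, status, reason, message = m.groups()
        ok = status == "True"
        if section == "Conditions":
            result["ready" if cond == "Ready" else "issuing"] = ok
        elif section == "Issuer" and cond == "Ready":
            result["issuer_ready"] = ok
            if not ok:
                result["blockers"].append(f"Issuer not ready ({reason}): {message}")
        elif section == "CertificateRequest" and cond == "Ready" and reason == "Failed":
            result["blockers"].append(f"CertificateRequest failed: {message}")
    return result


SAMPLE_REPORT = """\
Name: acme-certificate
Namespace: default
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
CertificateRequest:
  Name: acme-certificate-qp5dm
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""

if __name__ == "__main__":
    for blocker in triage(SAMPLE_REPORT)["blockers"]:
        print("BLOCKER:", blocker)
```

For the sample report the only blocker is the DNS-01 Challenge, whose Reason names the Secret the clouddns solver could not find; the Pending CertificateRequest and the missing acme-tls Secret are normal for a certificate that is being issued for the first time, so they are not reported. The helper can be run over the output of the command with `kubectl cert-manager status certificate NAME | python3 triage.py` once the `__main__` block is changed to read stdin.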

The command can also help you learn more about the details of a certificate. An example for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]

Using the latest Kubernetes APIs

cert-manager was one of the first projects to adopt Kubernetes CRDs. This, together with our support for Kubernetes versions as old as 1.11, meant that we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed from Kubernetes as of version 1.22. With our 1.0 release we offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were introduced) and newer. For users of older versions we continue to provide v1beta1 support in our legacy release.

Improved logging

In this release we have updated the logging library to klog/v2, which is used in Kubernetes 1.19. We have also reviewed every log line we write to make sure it is assigned the appropriate level. In this we followed the guidelines from Kubernetes. There are five (six, translator's note) logging levels, starting at Error (level 0), which prints only serious errors, and ending at Trace (level 5), which helps you understand exactly what is going on. With this change we have reduced the number of log lines you get if you do not need debugging information while running cert-manager.

Tip: cert-manager runs at level 2 (Info) by default; you can override this with global.logLevel in the Helm chart.

Note: reading the logs is the last resort when troubleshooting. For more information, see our guide.

Editor's note: to learn more about everything that happens under the hood of Kubernetes, get valuable advice from practising instructors and receive high-quality technical support, you can join the online intensives Kubernetes Base, running 28-30 September, and Kubernetes Mega, running 14-16 October.

ACME improvements

Most uses of cert-manager involve issuing certificates from Let's Encrypt via ACME. Release 1.0 is notable for drawing on community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you issue ACME certificates in large volumes, you probably use a single account across multiple clusters, so that your certificate issuance limits apply to all of them together. cert-manager allowed this by copying the Secret referenced in privateKeySecretRef. This use case was quite error-prone, because cert-manager helpfully tries to create a new account key whenever it does not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not generate a key and will warn you that no account key has been provided.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false
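The failure mode the option guards against is a silent one: a copy of the account-key Secret that lands under the wrong name or in the wrong namespace simply becomes a new ACME account, outside the shared issuance limits. The script below is an added example and not cert-manager code. It strips the server-managed metadata from a Secret exported with kubectl so it can be applied on another cluster, builds the matching Issuer with disableAccountKeyGeneration enabled, and has a preflight check that spells out what cert-manager will do when the referenced Secret is missing. It assumes the account key is stored under data/tls.key, the data key cert-manager uses for it; the exported Secret is a constructed sample.

```python
"""Reuse one ACME account key across clusters without letting cert-manager mint another.

Added example, not cert-manager code. The ACME account key lives in the
Secret named by spec.acme.privateKeySecretRef; sharing an account means
copying that Secret to the other cluster and pairing it with an Issuer that
has disableAccountKeyGeneration set, so a missing or misnamed copy is
reported instead of silently becoming a fresh account. It assumes the key
sits under data/tls.key, the data key cert-manager uses for it.
"""
import json

# Fields that kubectl includes when exporting a live object and that the
# destination API server assigns itself; they must not be carried across.
SERVER_MANAGED = ("uid", "resourceVersion", "creationTimestamp", "managedFields",
                  "selfLink", "generation")
ACCOUNT_KEY_FIELD = "tls.key"


def portable_secret(exported: dict, namespace: str) -> dict:
    """Return a copy of an exported account-key Secret that can be applied elsewhere."""
    if exported.get("kind") != "Secret" or ACCOUNT_KEY_FIELD not in exported.get("data", {}):
        raise ValueError(f"expected a Secret with data/{ACCOUNT_KEY_FIELD}")
    metadata = {k: v for k, v in exported["metadata"].items() if k not in SERVER_MANAGED}
    metadata["namespace"] = namespace  # an Issuer is namespaced; the key must sit beside it
    return {"apiVersion": "v1", "kind": "Secret", "type": exported.get("type", "Opaque"),
            "metadata": metadata, "data": dict(exported["data"])}


def shared_account_issuer(name: str, server: str, email: str, secret_name: str) -> dict:
    """Issuer that uses the copied key and refuses to generate one if it is absent."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Issuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            "server": server,
            "email": email,
            "privateKeySecretRef": {"name": secret_name},
            "disableAccountKeyGeneration": True,
            # solvers (http01/dns01) are omitted here; add the ones your cluster can satisfy
        }},
    }


def preflight(issuer: dict, existing_secrets: set) -> list:
    """Explain what cert-manager will do with the configured account key.

    Returns an empty list when the referenced Secret is present, otherwise one
    message: with generation disabled cert-manager warns that no account key was
    provided; without it, a new key and therefore a separate ACME account appear.
    """
    acme = issuer["spec"]["acme"]
    ref = acme["privateKeySecretRef"]["name"]
    if ref in existing_secrets:
        return []
    if acme.get("disableAccountKeyGeneration"):
        return [f"account key Secret {ref!r} missing: cert-manager will warn that no "
                "account key was provided and will not register an account"]
    return [f"account key Secret {ref!r} missing: cert-manager will generate a new key, "
            "registering a separate ACME account outside the shared issuance limits"]


# Constructed sample of `kubectl get secret ... -o json` output from the source cluster.
EXPORTED = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "example-issuer-account-key", "namespace": "cert-manager",
                 "uid": "0f1e2d3c-constructed", "resourceVersion": "12345",
                 "creationTimestamp": "2020-08-21T16:44:13Z", "managedFields": []},
    "data": {"tls.key": "LS0tLS1CRUdJTi...constructed..."},
}

if __name__ == "__main__":
    secret = portable_secret(EXPORTED, "cert-manager")
    issuer = shared_account_issuer("letsencrypt", "https://acme-v02.api.letsencrypt.org/directory",
                                   "admin@example.com", secret["metadata"]["name"])
    # Items in a List are applied in order, so the Secret exists before the Issuer is created.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [secret, issuer]}, indent=2))
```

Piping the printed List into `kubectl apply -f -` on the target cluster creates the Secret first and the Issuer second. Because the Issuer has disableAccountKeyGeneration set, a typo in the Secret name shows up as a warning on the Issuer rather than as a second, unrelated ACME account.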

Preferred chain

On September 29, Let's Encrypt will switch to its own root CA, ISRG Root. It will replace the cross-signed certificates from IdenTrust. This change requires no changes to cert-manager settings; all new certificates issued after that date will use the new root CA.

Let's Encrypt signs certificates with this CA and offers them as an "alternate certificate chain" via ACME. In this version of cert-manager, access to these chains can be configured in the issuer settings. In the preferredChain parameter you can specify the name of the CA to be used when the certificate is issued. If a CA certificate matching the request is available, you will be issued a certificate from it. Note that this is the preferred option: if it is not found, the default certificate will be issued. This ensures that you will still renew your certificate after the alternate chain is removed on the ACME issuer's side.

Today you can already obtain a certificate signed by ISRG Root like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you prefer to keep the IdenTrust chain, set this option to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA is expiring soon, and Let's Encrypt will keep this chain only until September 29, 2021.
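The rule described in this section, a best-effort match on the preferred root with a fall-back to the server's default chain, is modelled below as an added example; this is not cert-manager's own implementation. A chain is represented as a list of (subject CN, issuer CN, notAfter) tuples from the leaf to the last intermediate, with the root itself not included, as in the chains an ACME server delivers; the match is on the root name the chain is anchored to, and a second function flags the caveat from the note above, a chosen root that expires before the leaf it anchors. The root names are the ones used in this section; all dates in the sample are constructed.

```python
"""Model of the spec.acme.preferredChain selection rule and its expiry caveat.

Added example; this is not cert-manager's implementation. An ACME server
may offer alternate chains for one issued certificate. cert-manager takes
the first chain anchored to the root named in preferredChain and falls back
to the server's default chain when none matches, which is why a withdrawn
alternate chain never breaks renewal. Here a chain is a list of
(subject CN, issuer CN, notAfter) tuples running from the leaf to the last
intermediate, with the root itself not included, as ACME chains are. The
root names are those used in the article; the dates are constructed.
"""
from datetime import date


def anchored_root(chain):
    """Name of the root a chain leads to: the issuer of its last certificate."""
    return chain[-1][1]


def select_chain(chains, preferred):
    """Return (chain, matched) following the preferredChain rule modelled here."""
    if preferred:
        for chain in chains:
            if anchored_root(chain) == preferred:
                return chain, True
    return chains[0], False  # default chain: the first one the server offers


def expiry_warnings(chain, root_not_after):
    """Flag a chain whose root or any intermediate expires before the leaf does."""
    leaf_not_after = chain[0][2]
    warnings = []
    for subject, _issuer, not_after in chain[1:]:
        if not_after < leaf_not_after:
            warnings.append(f"intermediate {subject!r} expires {not_after}, before the leaf ({leaf_not_after})")
    root = anchored_root(chain)
    root_exp = root_not_after.get(root)
    if root_exp is None:
        warnings.append(f"root {root!r} not in the trust table; cannot check its expiry")
    elif root_exp < leaf_not_after:
        warnings.append(f"root {root!r} expires {root_exp}, before the leaf ({leaf_not_after})")
    return warnings


# Constructed: what the server offers for a leaf valid until 2021-10-15. The
# first chain is cross-signed by DST Root CA X3, the second anchored to ISRG Root X1.
LEAF = ("example.com", "Let's Encrypt Authority X3", date(2021, 10, 15))
CHAINS = [
    [LEAF, ("Let's Encrypt Authority X3", "DST Root CA X3", date(2025, 9, 15))],
    [LEAF, ("Let's Encrypt Authority X3", "ISRG Root X1", date(2025, 9, 15))],
]
# Constructed notAfter dates for the two roots named in the article.
ROOT_NOT_AFTER = {"DST Root CA X3": date(2021, 9, 30), "ISRG Root X1": date(2035, 6, 4)}

if __name__ == "__main__":
    for preferred in ("ISRG Root X1", "DST Root CA X3", "Some Other Root"):
        chain, matched = select_chain(CHAINS, preferred)
        status = "matched" if matched else "fell back to default"
        print(f"{preferred}: {status} -> {anchored_root(chain)}; {expiry_warnings(chain, ROOT_NOT_AFTER)}")
```

Running it shows the two behaviours the section describes: a preferredChain that the server offers is honoured, one it does not offer silently yields the default chain, and in the constructed data the DST Root CA X3 chain is flagged because the root expires before the leaf does, which is exactly why the option is only a preference and not a hard requirement for renewal.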
