This article is written in an expanded form.
This article explains how to install and configure:
- Keycloak is an open source project. It provides a single sign-on point for applications. It works with many protocols, among them the two we care about here: LDAP and OpenID.
- Keycloak gatekeeper is a reverse proxy application that lets you add authorization through Keycloak.
- Gangway is an application that logs in through OpenID and generates a kubectl config file for accessing the Kubernetes API.
How permissions work in Kubernetes
With RBAC we can manage the rights of users and groups. Many articles have been written about this, so I won't go into detail. The problem is that although RBAC can be used to restrict user rights, Kubernetes knows nothing about the users themselves. It turns out that Kubernetes needs a mechanism for delivering users to it. To provide that, an OpenID provider can be connected to Kubernetes which confirms that such a user really exists, and Kubernetes itself then grants that user rights.
Practice
- You will need a Kubernetes cluster or minikube.
- Active Directory
- Domains:
keycloak.example.org
kubernetes-dashboard.example.org
gangway.example.org
- Certificates for the domains, or a self-signed certificate.
I won't cover creating a self-signed certificate here. You need to create two certificates: a root certificate (certificate authority) and a wildcard certificate for the *.example.org domain.
Once the certificates have been obtained or generated, they must be added to Kubernetes; for that we create a secret:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
We will use it later for the Ingress controller.
Installing Keycloak
I decided to take the easiest route and use ready-made solutions for this.
Add the repository and update it:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Create the keycloak.yml file with the following content:
keycloak.yml
keycloak:
  # Administrator username
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags allow uploading scripts into Keycloak directly through the web UI.
  # We will need this to fix a bug described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress; specify the hostname and the certificate we saved in secrets earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
      - hosts:
          - keycloak.example.org
        secretName: tls-keycloak
  # Keycloak needs a database to run. For testing I deploy PostgreSQL right inside Kubernetes;
  # don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres
postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true
Setting up federation
Then go to the web interface.
Click the left-hand corner and select Add realm.
Name: Kubernetes
Display name: Kubernetes
Disable user email verification:
Client Scopes → Email → Mappers → email verified (delete)
Set up federation to import users from Active Directory; I'll leave screenshots below, I think they are self-explanatory.
User Federation → Add provider… → ldap
Federation settings
If all is well, press the Synchronize all users button and you will see a message about the successful import of users.
Next, we need to map our groups:
User Federation → ldap_localhost → Mappers → Create
Creating a mapper
Adding a client
A client, in Keycloak terms, is an application that will obtain authorization from it. I'll point out the important details on the screenshot.
Clients → Create
Let's create a scope for groups:
Client Scopes → Create
Creating a scope
Then set a mapper for it:
Client Scopes → groups → Mappers → Create
Mapper
Add the mapping of our groups to the default Client Scopes:
Clients → kubernetes → Client Scopes → Default Client Scopes
Select groups in Available Client Scopes and click Add selected.
Get the secret that we will use for authorization in Keycloak (write it down):
Clients → kubernetes → Credentials → Secret
This would complete the client setup, but I ran into a bug: after a successful authorization I got a 403 error.
Fix:
Client Scopes → roles → Mappers → Create
Mappers
Script:
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Configuring Kubernetes
We need to specify where the file with our root certificate is and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml:
kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...
Update the kubeadm config in the cluster:
kubeadm-config
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
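The audience fix from the script mapper and the kube-apiserver OIDC flags above can be checked together. The following Python is an added example, not code from the original article: it mints test ID tokens with a constructed HS256 key (Keycloak itself signs with RS256 and the verification key would come from the realm's JWKS) and applies, in order, the checks the API server's OIDC authenticator makes against the flags set on this page: signature, iss equal to --oidc-issuer-url, aud containing --oidc-client-id, expiry, then the --oidc-username-claim and --oidc-groups-claim values. A token whose aud lacks the client id, which is what token.addAudience(token.getIssuedFor()) in the mapper corrects, is rejected; the same claims with the client id added pass. The claim values, the clock and the key are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Values taken from the kube-apiserver flags on this page.
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"   # --oidc-issuer-url
CLIENT_ID = "kubernetes"                                          # --oidc-client-id
USERNAME_CLAIM = "email"                                          # --oidc-username-claim
GROUPS_CLAIM = "groups"                                           # --oidc-groups-claim
# Constructed test key: Keycloak signs with RS256 and the public key comes from the realm's JWKS.
TEST_KEY = b"constructed-test-key-not-a-keycloak-secret"
NOW = 1_700_000_000  # constructed clock so the example is reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Mint an HS256 JWT over `claims` (test helper standing in for Keycloak)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes = TEST_KEY, now: Optional[float] = None) -> dict:
    """Apply the checks the API server's OIDC authenticator makes, in this order:
    signature, iss, aud, exp, then the username and groups claims.
    Returns {"username": ..., "groups": [...]} or raises ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud", [])
    if isinstance(aud, str):      # aud may be a single string or a list
        aud = [aud]
    if CLIENT_ID not in aud:
        raise ValueError("aud does not contain the oidc-client-id")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list):
        raise ValueError(f"{GROUPS_CLAIM} claim must be a list")
    return {"username": username, "groups": groups}


def rejection_reason(token: str, **kwargs) -> Optional[str]:
    """None when the token is accepted, otherwise the failed check."""
    try:
        verify_token(token, **kwargs)
        return None
    except ValueError as err:
        return str(err)


# Constructed claims: before the script mapper, aud does not list our client id
# (only azp, the "issued for" client, does); after it, aud also carries the client id.
BEFORE_FIX = {
    "iss": ISSUER, "aud": "some-other-audience", "azp": CLIENT_ID,
    "exp": NOW + 300, "email": "alice@example.org", "groups": ["DataOPS"],
}
AFTER_FIX = dict(BEFORE_FIX, aud=["some-other-audience", CLIENT_ID])

if __name__ == "__main__":
    print("before fix:", rejection_reason(make_token(BEFORE_FIX), now=NOW))
    print("after fix: ", verify_token(make_token(AFTER_FIX), now=NOW))
```

The username and groups the function returns are exactly what RBAC later sees as the subject, so the DataOPS group in the token is what the ClusterRoleBinding further down binds to.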
Setting up auth-proxy
You can use keycloak-gatekeeper to protect your application. Besides authorizing the user, this reverse proxy also passes information about the user to the upstream application in headers. So if your application supports OpenID, the user is authorized right away. Let's look at the Kubernetes Dashboard as an example.
Installing Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'
Setting access rights:
Let's create a ClusterRoleBinding that grants cluster administration rights (the standard ClusterRole cluster-admin) to users in the DataOPS group.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
Install keycloak-gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org
# Where we authorize: the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward requests after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed one
skipOpenidProviderTlsVerify: true
# Access rules: allow all paths if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
After that, when we try to open it:
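To see what the rules entry in values_proxy.yaml expresses, here is an added Python model of rule evaluation. It is not keycloak-gatekeeper's own code, and its semantics are assumptions stated in the comments: fields are separated by |, uri=/prefix/* matches every path under the prefix, methods defaults to any method, groups is a comma-separated list of which the caller needs at least one, rules are tried in order, and a path no rule covers is denied. The groups a user presents are the ones in the token's groups claim, so DataOPS has to reach the proxy the same way it reaches kube-apiserver.

```python
from typing import Dict, Iterable

# Rule semantics are assumptions of this model, not keycloak-gatekeeper's own engine:
#   fields are separated by "|"; "uri" is required; "uri=/prefix/*" matches every path
#   under /prefix; "methods" is a comma list defaulting to ANY; "groups" is a comma list
#   of which the caller needs at least one; rules are tried in order and the first rule
#   whose uri and method match decides; a path no rule covers is denied.

def parse_rule(rule: str) -> Dict[str, str]:
    """Split 'uri=/*|groups=DataOPS|methods=GET,POST' into its fields."""
    fields = {}
    for field in rule.split("|"):
        key, _, value = field.partition("=")
        fields[key.strip()] = value.strip()
    if not fields.get("uri"):
        raise ValueError(f"rule without uri: {rule!r}")
    return fields


def uri_matches(pattern: str, path: str) -> bool:
    """'/admin/*' covers /admin and everything below it; other patterns are exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]                       # "/admin/*" -> "/admin", "/*" -> ""
        return path == base or path.startswith(base + "/")
    return path == pattern


def is_allowed(rules: Iterable[str], path: str, method: str, user_groups: Iterable[str]) -> bool:
    """Decide a request against the rules using the groups carried in the user's token."""
    user_groups = set(user_groups)
    for rule in map(parse_rule, rules):
        if not uri_matches(rule["uri"], path):
            continue
        methods = {m.strip().upper() for m in rule.get("methods", "ANY").split(",")}
        if "ANY" not in methods and method.upper() not in methods:
            continue
        required = {g.strip() for g in rule.get("groups", "").split(",") if g.strip()}
        # A matching rule with no groups is open to any authenticated user.
        return not required or bool(required & user_groups)
    return False


# The rule from values_proxy.yaml on this page.
PAGE_RULES = ["uri=/*|groups=DataOPS"]

if __name__ == "__main__":
    for groups in (["DataOPS"], ["Devs"]):
        print(groups, "->", is_allowed(PAGE_RULES, "/api/v1/namespaces", "GET", groups))
```

With a single uri=/* rule every path is gated on the group; splitting paths into several rules, as in the test below, lets a narrower prefix require a stricter group before the catch-all applies.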
Installing gangway
For convenience, we can add gangway, which generates a kubectl config file that lets our user log in to Kubernetes.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the username is taken as "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"
# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
    - gangway.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - gangway.example.org
# If we use a self-signed certificate, it (the public root certificate) must be given here
trustedCACert: |-
  -----BEGIN CERTIFICATE-----
  <ROOT_CA_CERTIFICATE_BODY_PLACEHOLDER>
  -----END CERTIFICATE-----
It immediately lets you download the config file in this form and apply it with a set of commands:
source: www.habr.com