cert-manager 1.0 released

If you ask an experienced, thoughtful engineer what they think of the cert-manager operator and why everyone uses it, the expert sighs, gives you a confidential hug and says wearily: "Everyone uses it because there are no sensible alternatives. Our mice cry and prick themselves, but keep on chewing this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that rely on new features. So you have to upgrade the cluster again and again. And the old versions stop working, because there is some conspiracy and mysterious shamanism going on."

But the developers claim that with cert-manager 1.0 everything will change.

Should we believe them?


Cert-manager is a native Kubernetes certificate manager. It can issue certificates from various sources: Let's Encrypt, HashiCorp Vault, Venafi, self-signed, and signing key pairs. It also keeps keys up to date and tries to renew certificates at the right time before they expire. Cert-manager was built on kube-lego and also borrowed approaches from other similar projects, such as kube-cert-manager.

Release notes

With version 1.0 we mark the milestone of three years of development on the cert-manager project. Over that time it has grown considerably in functionality and stability, but above all in its community. Today we see many people using it to secure their Kubernetes clusters, and deploying it across many parts of the ecosystem. Many bugs have been fixed in the past 16 releases, and what needed to be broken was broken. Several iterations of the API have improved how users interact with it. We have resolved 1500 issues on GitHub, with even more pull requests from 253 community members.

With the 1.0 release we declare cert-manager a mature project. We also promise to keep our v1 API backward compatible.

Many thanks to everyone who has helped us build cert-manager over these three years! Let version 1.0 be the first of many great things to come.

Release 1.0 is a stable release with several important milestones:

  • the v1 API;

  • the kubectl cert-manager status command, to help troubleshoot problems;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 introduced the v1beta1 API. It added some structural changes and improved the documentation of the API fields. Version 1.0 builds on all of that with the v1 API. This API is our first stable API: we already gave compatibility guarantees before, but with the v1 API we promise to stay compatible for years to come.

Changes made (note: our conversion tools will take care of everything for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes improve consistency with the other SANs (Subject Alternative Names, translator's note) as well as with the Go API. We are removing the term from our API.
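To make the rename concrete, here is an added example (not cert-manager's own conversion tooling) that rewrites a pre-1.0 Certificate manifest, loaded as a Python dict, to the v1 field names and apiVersion. The sample manifest is constructed; a manifest that carries both spellings with different values is rejected rather than guessed at.

```python
import copy

# Field renames listed in the 1.0 release notes for kind Certificate.
CERTIFICATE_RENAMES = {"emailSANs": "emailAddresses", "uriSANs": "uris"}
OLD_VERSIONS = {"cert-manager.io/v1alpha2", "cert-manager.io/v1alpha3",
                "cert-manager.io/v1beta1"}
NEW_VERSION = "cert-manager.io/v1"


def convert_certificate(manifest):
    """Return a copy of a Certificate manifest (a dict, as loaded from YAML)
    rewritten to cert-manager.io/v1; the input dict is left untouched."""
    if manifest.get("kind") != "Certificate":
        raise ValueError("only kind: Certificate is handled here")
    if manifest.get("apiVersion") not in OLD_VERSIONS | {NEW_VERSION}:
        raise ValueError("unknown apiVersion %r" % manifest.get("apiVersion"))
    out = copy.deepcopy(manifest)
    spec = out.setdefault("spec", {})
    for old, new in CERTIFICATE_RENAMES.items():
        if old not in spec:
            continue
        if new in spec and spec[new] != spec[old]:
            # Both spellings present with different values: refuse to guess.
            raise ValueError("spec.%s and spec.%s disagree" % (old, new))
        spec[new] = spec.pop(old)
    out["apiVersion"] = NEW_VERSION
    return out


# Constructed sample: a v1alpha2 Certificate that still uses the old names.
OLD_CERT = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "acme-certificate", "namespace": "default"},
    "spec": {
        "secretName": "acme-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "acme-issuer", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    print(convert_certificate(OLD_CERT))
```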

Upgrading

If you use Kubernetes 1.16+, conversion webhooks let you use the API versions v1alpha2, v1alpha3, v1beta1 and v1 at the same time and seamlessly. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to API v1, since the older versions will soon be deprecated. Users of the legacy cert-manager versions will have access to v1; the upgrade steps can be found here.

The kubectl cert-manager status command

With the new changes in our kubectl extension it has become easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now provides much more information about what is happening with a certificate, and also shows the stage that issuance has reached.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and any resources related to it, such as the CertificateRequest, Secret, Issuer and, for an ACME certificate, the Order and Challenges.

Example of troubleshooting a certificate that is not yet ready:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
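Reading such output by eye gets tedious across many certificates, so here is an added example (not part of the kubectl plugin) that extracts the blocking reasons from it: non-ready conditions per resource, the missing Secret line, and a Challenge whose Reason is set. The sample is a constructed, abridged copy of the output above; the section tracking assumes the plugin's layout of unindented resource headers.

```python
import re

COND_RE = re.compile(r"^\s*(Ready|Issuing): (True|False), Reason: (\S*), Message: (.*)$")
CHAL_RE = re.compile(r"State: (\w+), Reason: (.*?), Processing: (\w+), Presented: (\w+)")
SECRET_ERR_RE = re.compile(r'^error when finding Secret "([^"]+)": (.*)$')


def triage(status_text):
    """Return {'ready': bool, 'blocking': [str]}. The current resource is the
    last unindented 'X:' header; top-level 'Conditions:' is the Certificate's."""
    section, ready, blocking = "Certificate", False, []
    for line in status_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = "Certificate" if line == "Conditions:" else line[:-1]
            continue
        m = COND_RE.match(line)
        if m:
            kind, status, reason, message = m.groups()
            if kind == "Ready" and section == "Certificate":
                ready = status == "True"
            if kind == "Ready" and status != "True":
                blocking.append("%s not ready (%s): %s" % (section, reason, message))
            continue
        m = SECRET_ERR_RE.match(line)
        if m:
            blocking.append('Secret "%s": %s' % m.groups())
            continue
        m = CHAL_RE.search(line)
        if m and section == "Challenges" and m.group(2):
            blocking.append("Challenge %s: %s" % (m.group(1), m.group(2)))
    return {"ready": ready, "blocking": blocking}


# Constructed sample: an abridged copy of the pending-certificate output above.
SAMPLE = """\
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuer:
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
CertificateRequest:
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""
```

Calling triage(SAMPLE) returns ready False and four blocking entries, the last of which names the missing clouddns credential Secret that actually stalls the DNS-01 challenge.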

The command can also help you learn more about the contents of a certificate. Example for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]

Using the latest stable Kubernetes APIs

Cert-manager was one of the first projects to adopt Kubernetes CRDs. That, combined with our support for Kubernetes back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. These are now deprecated and will be removed from Kubernetes as of version 1.22. With 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and later. For users of earlier versions we continue to provide v1beta1 support in our legacy releases.

Improved logging

In this release we switched the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned an appropriate level. We were guided by these guidelines from Kubernetes. There are five (actually six, translator's note) log levels, starting with Error (level 0), which prints only important errors, and ending with Trace (level 5), which tells you exactly what is happening. With this change we have reduced log noise for those who do not need a high level of detail from cert-manager.

Tip: by default cert-manager runs at level 2 (Info); you can control this with global.logLevel in the Helm chart.

Note: reviewing the logs is your last resort when troubleshooting. For more information see our guide.

Editor's note: to learn more about how Kubernetes works under the hood, get valuable advice from instructors and high-quality technical support, you can take part in the online intensive courses Kubernetes Base, running September 28-30, and Kubernetes Mega, running October 14-16.

ACME improvements

The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 stands out for using community feedback to add two small but important features for ACME issuers.

Disabling account key generation

If you use ACME certificates in large volumes, you probably share the same account across several clusters, so your certificate issuance rate limits apply to all of them together. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. The setup was fragile, however, because cert-manager tried to be helpful and generated a new account key whenever it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: with this option set to true, cert-manager will not generate a key and will warn you that it has not been given an account key.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false

Preferred chain

On September 29 Let's Encrypt will switch to its own root certificate authority, ISRG Root. The certificates cross-signed by IdenTrust will be replaced. This change requires no change to your cert-manager configuration; all renewed or newly issued certificates after that date will use the new root CA.

Let's Encrypt already issues certificates with this CA and offers them as an "alternative certificate" via ACME. This version of cert-manager adds the ability to request these chains in the issuer settings. In the preferredChain parameter you can specify the name of the CA used to issue the certificate. If a CA certificate matching the request is available, it will be used to issue the certificate. Note that this is a preference: if nothing matches, the default certificate is issued. That ensures your certificate is still renewed after the alternative chain is removed on the ACME issuer's side.

Today you can obtain certificates signed by ISRG Root like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you want to stay on the IdenTrust chain, set this parameter to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA will be retired soon; Let's Encrypt will maintain this chain until September 29, 2021.
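The preference-with-fallback semantics described above, as an added example that is not cert-manager's own code. It assumes (an approximation of the matching rule) that a chain qualifies when one of its certificates was issued by a CA whose common name equals preferredChain, and that the ACME server's default chain comes first; the two sample chains are constructed, loosely mirroring the Let's Encrypt chains of 2020.

```python
# Each chain is modelled as a list of (subject CN, issuer CN) pairs, leaf first.
# Constructed samples: the default chain ends in the IdenTrust cross-signed root,
# the alternate chain ends in Let's Encrypt's own ISRG Root X1.
DEFAULT_CHAIN = [
    ("example.com", "Let's Encrypt Authority X3"),
    ("Let's Encrypt Authority X3", "DST Root CA X3"),
]
ALTERNATE_CHAIN = [
    ("example.com", "Let's Encrypt Authority X3"),
    ("Let's Encrypt Authority X3", "ISRG Root X1"),
]


def select_chain(chains, preferred_chain):
    """chains[0] is the default chain served by the ACME server, the rest are
    the 'alternate' chains. Returns (index, chain); a preference that no chain
    satisfies falls back to the default so renewal still succeeds."""
    if not chains:
        raise ValueError("ACME server returned no chain")
    if preferred_chain:
        for idx, chain in enumerate(chains):
            # Assumed matching rule: some certificate in the chain was signed
            # by a CA whose common name equals the preferredChain value.
            if any(issuer == preferred_chain for _subject, issuer in chain):
                return idx, chain
    return 0, chains[0]


def root_issuer(chain):
    """Common name of the CA that signed the top certificate of the chain."""
    return chain[-1][1]


if __name__ == "__main__":
    for pref in ("ISRG Root X1", "DST Root CA X3", ""):
        idx, chain = select_chain([DEFAULT_CHAIN, ALTERNATE_CHAIN], pref)
        print("preferredChain=%r -> chain %d, root issuer %s"
              % (pref, idx, root_issuer(chain)))
```

Once the server drops the alternate chain, the same preferredChain value silently selects the default chain, which is the renewal behaviour the paragraph above promises.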

Source: www.habr.com
