If you ask an experienced, wise engineer what he thinks about cert-manager and why everyone uses it, the expert will sigh, hug you confidingly and say wearily: "Everyone uses it because there are no sane alternatives. Our mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to update the cluster over and over. And old versions stop working, because there is a conspiracy and great, incomprehensible shamanism."
But the developers claim that with cert-manager 1.0 everything will change.
Shall we believe them?
Cert-manager is a native Kubernetes certificate management controller. It can issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, a signing key pair or a self-signed one. It also keeps keys and certificates current with respect to their expiry date, and attempts to renew certificates automatically at a configured time before they expire. Cert-manager is based on kube-lego and has also borrowed some ideas from other similar projects such as kube-cert-manager.
Release Notes
With version 1.0 we mark the milestone of three years of development of the cert-manager project. Over this time it has evolved considerably in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters and integrating it into various parts of the ecosystem. Many bugs have been fixed over the last 16 releases. And whatever needed to be broken was broken. Several passes over the API have improved how it interacts with users. We have resolved 1,500 issues on GitHub, with even more pull requests from 253 community members.
With the release of 1.0 we officially declare that cert-manager is a mature project. We also promise to keep our v1 API backward compatible.
Thank you to everyone who helped make cert-manager over these three years! May version 1.0 be the first of many more great things to come.
Release 1.0 is a stable release with several focus areas:
- API v1;
- the kubectl cert-manager status command, to help with troubleshooting;
- use of the latest stable Kubernetes APIs;
- improved logging;
- ACME improvements.
Be sure to read the upgrade notes before upgrading.
API v1
Version v0.16 worked with the v1beta1 API. It added structural changes and also improved the documentation of the API fields. Version 1.0 builds on this with the v1 API. This API is our first stable one: we had already given compatibility guarantees before, but with the v1 API we promise to maintain compatibility for the coming years.
The changes made (note: our conversion tools take care of all of this for you):
Certificate:
- emailSANs is now called emailAddresses
- uriSANs is now uris
These changes improve consistency with the other SANs (Subject Alternative Names, translator's note), as well as with the Go API. We are removing this term from our API.
Upgrade
If you are running Kubernetes 1.16+, conversion webhooks let you work with the API versions v1alpha2, v1alpha3, v1beta1 and v1 simultaneously and seamlessly. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to the v1 API, since the older versions will be deprecated in the near future. Users of the legacy versions of cert-manager will still only have access to v1; the upgrade steps are described in the upgrade notes.
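The field renames listed under API v1 and the advice to upgrade manifests are easy to script. The following is an added example, not cert-manager's own conversion webhook or tooling: it rewrites a Certificate manifest (handled as a plain dict, the parsed form of the YAML) from one of the older API versions to cert-manager.io/v1, renaming emailSANs and uriSANs and refusing to guess when a manifest carries both the old and the new key with different values. The sample manifest is constructed for the example.

```python
"""Added example (not cert-manager's conversion webhook): rewrite a Certificate
manifest written against a pre-1.0 API version so that it uses cert-manager.io/v1.
Manifests are handled as plain dicts, i.e. the parsed form of the YAML, so no
YAML library is required."""
from copy import deepcopy

# Field renames in Certificate.spec introduced with API v1 (from the release notes above)
RENAMED_SPEC_FIELDS = {
    "emailSANs": "emailAddresses",
    "uriSANs": "uris",
}
# Versions that the v1 conversion webhook still serves; manifests in these need rewriting
LEGACY_VERSIONS = {
    "cert-manager.io/v1alpha2",
    "cert-manager.io/v1alpha3",
    "cert-manager.io/v1beta1",
}
V1 = "cert-manager.io/v1"


class ConversionError(ValueError):
    """Raised when a manifest cannot be converted without guessing."""


def convert_certificate_to_v1(manifest: dict) -> dict:
    """Return a copy of `manifest` that uses cert-manager.io/v1.

    The input is never modified. A manifest carrying both an old and a new
    key with different values is rejected rather than silently merged,
    because dropping either list would change which names end up in the
    issued certificate.
    """
    if manifest.get("kind") != "Certificate":
        raise ConversionError(f"expected kind Certificate, got {manifest.get('kind')!r}")
    out = deepcopy(manifest)
    api_version = out.get("apiVersion")
    if api_version == V1:
        return out  # already current; nothing to rename
    if api_version not in LEGACY_VERSIONS:
        raise ConversionError(f"unsupported apiVersion {api_version!r}")
    spec = out.setdefault("spec", {})
    for old, new in RENAMED_SPEC_FIELDS.items():
        if old not in spec:
            continue
        value = spec.pop(old)
        if new in spec and spec[new] != value:
            raise ConversionError(f"spec has both {old!r} and {new!r} with different values")
        spec[new] = value
    out["apiVersion"] = V1
    return out


# Constructed sample: a v1alpha2 Certificate still using the pre-1.0 field names
LEGACY_CERT = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "secretName": "example-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "letsencrypt", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(convert_certificate_to_v1(LEGACY_CERT), indent=2))
```

Feeding the converter a directory of manifests parsed with a YAML library and diffing the output against the originals is a cheap way to review an upgrade before applying it; the conflict check is what keeps a half-migrated manifest from silently losing SANs.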
The kubectl cert-manager status command
With the new improvements in our kubectl extension it has become easier to investigate problems related to certificates not being issued. kubectl cert-manager status now provides much more information about what is happening with certificates and also shows the stage of certificate issuance.
After installing the extension, you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and any related resources: CertificateRequest, Secret, Issuer, and also Order and Challenges if you use certificates from ACME.
An example of troubleshooting a certificate that is not yet ready:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
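The output above is long, and the actionable line (the missing clouddns Secret) sits at the very bottom of the Certificate, CertificateRequest, Order and Challenge chain. As an added example, not part of the kubectl cert-manager plugin, the following script walks that chain in the command's output and reports the deepest non-ready reason as the root cause. The sample output is a constructed, abbreviated copy of the one shown above; the section names and the condition line format are taken from it.

```python
"""Added example (not part of the kubectl cert-manager plugin): walk the output of
`kubectl cert-manager status certificate` from the Certificate down through the
Issuer, CertificateRequest, Order and Challenges, and report the deepest
non-ready reason as the root cause."""
import re

# Constructed sample, abbreviated from the troubleshooting output above
STATUS_OUTPUT = """\
Name: acme-certificate
Namespace: default
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
CertificateRequest:
  Name: acme-certificate-qp5dm
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""

# Top-level resource sections that follow the Certificate's own fields
SECTIONS = ("Issuer", "CertificateRequest", "Order", "Challenges")
CONDITION_RE = re.compile(
    r"^\s*(?P<type>\w+): (?P<status>True|False|Unknown), Reason: (?P<reason>\w*), Message: (?P<message>.*)$",
    re.M,
)
ORDER_STATE_RE = re.compile(r"^\s*State: (?P<state>\w+), Reason: ?(?P<reason>.*)$", re.M)
CHALLENGE_RE = re.compile(
    r"^- Name: (?P<name>\S+), Type: (?P<type>[\w-]+), .*?State: (?P<state>\w+), "
    r"Reason: (?P<reason>.*?), Processing: (?P<processing>\w+), Presented: (?P<presented>\w+)$",
    re.M,
)


def split_sections(output: str) -> dict:
    """Group lines under the resource heading they belong to."""
    sections, current = {"Certificate": []}, "Certificate"
    for line in output.splitlines():
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            sections[current] = []
        else:
            sections[current].append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}


def ready_condition(text: str):
    """Return (is_ready, reason, message) for the Ready condition, or None if absent."""
    for m in CONDITION_RE.finditer(text):
        if m["type"] == "Ready":
            return m["status"] == "True", m["reason"], m["message"]
    return None


def diagnose(output: str) -> dict:
    """Report each non-ready resource on the way down and the most specific reason found."""
    s = split_sections(output)
    report = {}
    cert = ready_condition(s.get("Certificate", ""))
    if cert is None or cert[0]:
        report["root_cause"] = "certificate is Ready"
        return report
    report["certificate"] = f"{cert[1]}: {cert[2]}"
    report["root_cause"] = report["certificate"]
    issuer = ready_condition(s.get("Issuer", ""))
    if issuer is not None and not issuer[0]:
        # nothing downstream can progress while the issuer itself is not ready
        report["issuer"] = f"{issuer[1]}: {issuer[2]}"
        report["root_cause"] = report["issuer"]
        return report
    cr = ready_condition(s.get("CertificateRequest", ""))
    if cr is not None and not cr[0]:
        report["certificate_request"] = f"{cr[1]}: {cr[2]}"
        report["root_cause"] = report["certificate_request"]
    order = ORDER_STATE_RE.search(s.get("Order", ""))
    if order and order["state"] != "valid":
        report["order"] = f"{order['state']}: {order['reason']}".rstrip(": ")
        report["root_cause"] = report["order"]
    for ch in CHALLENGE_RE.finditer(s.get("Challenges", "")):
        if ch["state"] != "valid":
            report["challenge"] = f"{ch['name']} ({ch['type']}) {ch['state']}"
            # the challenge reason is the most specific thing to act on
            report["root_cause"] = ch["reason"] or report["root_cause"]
            break
    return report


if __name__ == "__main__":
    for key, value in diagnose(STATUS_OUTPUT).items():
        print(f"{key}: {value}")
```

For the sample above the root cause comes out as the Challenge reason, the missing clouddns service-account Secret, which is the thing to fix; an Issuer that is not Ready stops the walk early, because nothing below it can progress until the ACME account is registered.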
The command can also help you learn more about the contents of a certificate. A detailed example of a certificate issued by Let's Encrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
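The three validity lines at the end of that output are the ones worth checking in a monitoring job: is the certificate past its renewal point, and does the Renewal Time cert-manager reports match the policy you expect? The following added example (not cert-manager's own code) parses those lines and checks them. Its one assumption is cert-manager's default renewal policy: unless spec.renewBefore is set, renewal is scheduled at two thirds of the validity period, i.e. one third of the duration before Not After, which is exactly what the dates above show (a 90-day certificate renewed 30 days before expiry). The sample lines are constructed from the output above and the "now" used in the usage call is the Created at timestamp from the first example.

```python
"""Added example (not cert-manager's own code): read the validity lines printed by
`kubectl cert-manager status` and check the reported Renewal Time against the
renewal point cert-manager picks by default. Assumption: unless spec.renewBefore
is set, cert-manager renews at two thirds of the validity period, i.e. one third
of the duration before Not After."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: the validity lines from the detailed status output above
DETAILED_STATUS = """\
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
"""

VALIDITY_KEYS = ("Not Before", "Not After", "Renewal Time")


def parse_validity(status: str) -> dict:
    """Extract the three timestamps; '<none>' (certificate not issued yet) becomes None."""
    out = {}
    for key in VALIDITY_KEYS:
        m = re.search(rf"^{key}: (\S+)$", status, re.M)
        value = m.group(1) if m else "<none>"
        out[key] = None if value == "<none>" else datetime.fromisoformat(value)
    return out


def expected_renewal_time(not_before: datetime, not_after: datetime,
                          renew_before: Optional[timedelta] = None) -> datetime:
    """Renewal point: Not After minus renewBefore, defaulting to a third of the duration."""
    duration = not_after - not_before
    if renew_before is None:
        renew_before = duration / 3
    return not_after - renew_before


def check_renewal(status: str, now: datetime) -> dict:
    """Classify a certificate as ok / due / expired and flag a Renewal Time that
    does not match the default policy (a sign that renewBefore was customised)."""
    v = parse_validity(status)
    if v["Not After"] is None:
        return {"state": "not issued"}
    expected = expected_renewal_time(v["Not Before"], v["Not After"])
    if now >= v["Not After"]:
        state = "expired"
    elif v["Renewal Time"] is not None and now >= v["Renewal Time"]:
        state = "due"
    else:
        state = "ok"
    return {
        "state": state,
        "days_left": (v["Not After"] - now).days,
        "expected_renewal": expected.isoformat(),
        "matches_default_policy": v["Renewal Time"] == expected,
    }


if __name__ == "__main__":
    # Constructed "now": the Created at timestamp from the first status example above
    print(check_renewal(DETAILED_STATUS, datetime.fromisoformat("2020-08-21T16:44:13+02:00")))
```

A certificate reported as "due" for more than a reconciliation interval or two is the case the troubleshooting command exists for: the renewal point has passed but issuance has not completed, so the Certificate, Order and Challenge chain should be inspected before Not After arrives.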
Using the latest stable Kubernetes APIs
Cert-manager was one of the first projects to use Kubernetes CRDs. This, together with our support for Kubernetes versions down to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed from Kubernetes in version 1.22. With 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 for Kubernetes 1.16 (where they were added) and newer. For users of older versions, we continue to provide v1beta1 support in our legacy versions.
Improved logging
In this release we updated the logging library to klog/v2, which is used in Kubernetes 1.19. We also went over every log line we write to make sure it is given the appropriate level. The levels run from Error (level 0), which prints only important errors, through to Trace (level 5), which will help you find out exactly what is happening. With this change we have reduced the volume of logs when you do not need debug information while running cert-manager.
Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.
Note: looking at the logs is the last resort when troubleshooting. For more information, see our documentation.
Editor's note: to learn more about how everything works under the hood of Kubernetes, get valuable advice from practising instructors, along with high-quality support, you can take part in online intensives.
ACME improvements
The most common use of cert-manager is probably issuing certificates from Let's Encrypt using ACME. Version 1.0 stands out for using community feedback to add two small but important improvements to our ACME issuer.
Disabling account key generation
If you use ACME certificates in large volumes, you may want to reuse one account across several clusters, so that the rate limits on issuing your certificates apply to all of them. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. This use case was buggy, because cert-manager tried to be helpful and happily generated a new account key if it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not generate a key, and will warn you that it has not been given an account key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false
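The difference between the manifest above (flag left at false) and the hardened variant (flag set to true) only shows when the referenced Secret is missing. The following added example, not cert-manager's code, models the lookup the text describes: a dict stands in for the Secrets in the issuer's namespace, a callable stands in for the key generator, and the two Issuer manifests are the one above as a dict with the flag set each way. With the flag false a missing Secret is quietly replaced by a new key (and therefore a new ACME account with its own rate-limit budget, not the shared one); with the flag true the lookup fails loudly so the copied key can be installed first.

```python
"""Added example (not cert-manager's code): model the account-key lookup described
above. `secret_store` stands in for the Secrets in the issuer's namespace and
`new_key` for the key generator; the real controller stores a private key, so
the string returned here is only a placeholder."""
from typing import Callable, Tuple


class AccountKeyMissing(Exception):
    """The issuer points at a Secret that does not exist and generation is disabled."""


def resolve_account_key(secret_store: dict, issuer: dict,
                        new_key: Callable[[], str] = lambda: "<freshly generated key>") -> Tuple[str, bool]:
    """Return (key_material, generated) for the Issuer's ACME account."""
    acme = issuer["spec"]["acme"]
    secret_name = acme["privateKeySecretRef"]["name"]
    if secret_name in secret_store:
        return secret_store[secret_name], False   # e.g. the key copied in from another cluster
    if acme.get("disableAccountKeyGeneration", False):
        raise AccountKeyMissing(
            f"ACME account key Secret {secret_name!r} not found and "
            "disableAccountKeyGeneration is true; create the Secret first")
    # Default behaviour: quietly create a new key, which means a new ACME account
    # with its own rate-limit budget instead of the shared one
    key = new_key()
    secret_store[secret_name] = key
    return key, True


def issuer(disable_generation: bool) -> dict:
    """The Issuer manifest from above, as a dict, with the flag set as requested."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Issuer",
        "metadata": {"name": "letsencrypt"},
        "spec": {"acme": {
            "privateKeySecretRef": {"name": "example-issuer-account-key"},
            "disableAccountKeyGeneration": disable_generation,
        }},
    }


ISSUER_DEFAULT = issuer(False)   # as in the manifest above
ISSUER_SHARED = issuer(True)     # the setting to use with an account key copied in from elsewhere

if __name__ == "__main__":
    store = {}
    print(resolve_account_key(store, ISSUER_DEFAULT))   # generates a key silently
    try:
        resolve_account_key({}, ISSUER_SHARED)
    except AccountKeyMissing as err:
        print("refused:", err)
```

In a multi-cluster rollout the order matters: apply the Secret carrying the shared key before the Issuer, and set the flag to true so that an ordering mistake surfaces as an error on the Issuer rather than as a second account that quietly consumes its own rate limits.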
Preferred Chain
On September 29, Let's Encrypt switches to its ISRG Root. Certificates signed by IdenTrust will be replaced. This change does not require any changes to the cert-manager configuration; all certificates renewed or newly issued after that date will use the new root CA.
Let's Encrypt already signs certificates with this CA and offers them as an "alternative certificate chain" via ACME. In this version of cert-manager it is possible to request these chains in the issuer settings. In the preferredChain parameter you can specify the name of the CA that should issue the certificate. If a CA certificate matching the request is available, it issues the certificate. Please note that this is a preference: if no match is found, the default certificate is issued. This guarantees that you will keep renewing your certificate even after the alternative chain is removed on the ACME side.
Already today you can obtain certificates signed by ISRG Root, like this:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
If you want to keep the IdenTrust chain, set this option to DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Please note that this root CA will be deprecated in the near future; Let's Encrypt will keep this chain working until September 29, 2021.
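The two manifests above only differ in the CA name, and the text's key property is that the name is a preference, not a requirement. The following added example, not cert-manager's code, shows the selection as a protocol exchange: the ACME certificate download response carries the default chain and, as RFC 8555 specifies, Link headers with rel="alternate" pointing at alternative chains; the client fetches those and picks the one whose root matches preferredChain, falling back to the default otherwise. The responses and URLs are constructed; the CA names are the ones on this page, with Let's Encrypt Authority X3 cross-signed by DST Root CA X3 in the default chain and issued by ISRG Root X1 in the alternative. The matching rule (compare the issuer common name of the last certificate in the chain with preferredChain) is an assumption of this example.

```python
"""Added example (not cert-manager's code): selection of an alternative chain as the
text describes it. The ACME certificate download response carries the default
chain and, per RFC 8555, `Link: <url>;rel="alternate"` headers pointing at
alternative chains. Chains are modelled as lists of (subject CN, issuer CN)
pairs, leaf first. Assumption: a chain matches preferredChain when the issuer
common name of its last certificate equals the configured value."""
import re
from typing import Dict, List, Optional, Tuple

Chain = List[Tuple[str, str]]
LINK_RE = re.compile(r'<(?P<url>[^>]+)>\s*;\s*rel="alternate"')

# Constructed ACME responses: url -> (Link headers, chain). The intermediate is
# cross-signed by IdenTrust in the default chain and issued by ISRG Root X1 in
# the alternative one.
LEAF = ("example.com", "Let's Encrypt Authority X3")
RESPONSES: Dict[str, Tuple[List[str], Chain]] = {
    "https://acme.example/cert/1": (
        ['<https://acme.example/cert/1/alt1>;rel="alternate"'],
        [LEAF, ("Let's Encrypt Authority X3", "DST Root CA X3")],
    ),
    "https://acme.example/cert/1/alt1": (
        [],
        [LEAF, ("Let's Encrypt Authority X3", "ISRG Root X1")],
    ),
}


def alternate_urls(link_headers: List[str]) -> List[str]:
    """URLs of the alternative chains advertised in the Link headers."""
    return [m["url"] for header in link_headers for m in LINK_RE.finditer(header)]


def chain_root_name(chain: Chain) -> str:
    """Issuer common name of the topmost certificate in the chain."""
    return chain[-1][1]


def fetch_chain(cert_url: str, preferred: Optional[str],
                responses: Dict[str, Tuple[List[str], Chain]] = RESPONSES) -> Tuple[Chain, bool]:
    """Download the chain for an order and apply preferredChain.

    Returns (chain, matched). When nothing matches, the default chain is returned
    with matched=False, so issuance still succeeds after the preferred chain is
    withdrawn on the ACME side.
    """
    link_headers, default_chain = responses[cert_url]
    if not preferred:
        return default_chain, False
    candidates = [default_chain] + [responses[u][1] for u in alternate_urls(link_headers)]
    for chain in candidates:
        if chain_root_name(chain) == preferred:
            return chain, True
    return default_chain, False


if __name__ == "__main__":
    for pref in ("ISRG Root X1", "DST Root CA X3", "Some Withdrawn CA", None):
        chain, matched = fetch_chain("https://acme.example/cert/1", pref)
        print(f"{pref!r:22} -> {chain_root_name(chain)} (matched={matched})")
```

The "Some Withdrawn CA" case is the one the text calls out: once Let's Encrypt stops offering a chain, an Issuer that still names it keeps renewing on the default chain, so a switch of root shows up in the served chain rather than as a failed renewal. If the root actually served matters to your clients (older trust stores, pinning), monitor it rather than relying on preferredChain alone.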
Source: www.habr.com