If you ask an experienced, sensible engineer what he thinks of cert-manager and why everyone uses it, the specialist will sigh, put a confiding arm around you, and say wearily: "Everyone uses it because there are no sane alternatives. Our mice cry and prick themselves, but they keep on living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to update the cluster again and again. And the old manifests stop working, because there is a conspiracy and great secret shamanism."
But the developers claim that with cert-manager 1.0 everything will change.
Shall we believe them?
cert-manager is a native Kubernetes certificate management controller. It can be used to issue certificates from various sources: Let's Encrypt, HashiCorp Vault, Venafi, signing key pairs and self-signed key pairs. It also keeps track of when keys expire, and it tries to renew certificates automatically at a configured time before they expire. cert-manager is based on kube-lego and also borrowed techniques from other similar projects such as kube-cert-manager.
Release notes
With version 1.0 we mark the milestone of three years of development of the cert-manager project. During this time it has grown greatly in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters, as well as deploying it in various parts of the ecosystem. Many bugs were fixed in the last 16 releases. And what needed to be broken was broken. Several iterations on the API improved the user experience. We resolved 1500 GitHub issues with pull requests from 253 community members.
With the release of 1.0 we officially declare that cert-manager is a mature project. We also promise to maintain compatibility of our v1 API.
Many thanks to everyone who helped us build cert-manager over these three years! Let version 1.0 be the first of many great things to come.
Release 1.0 is a stable release with several priority areas:
- the v1 API;
- the kubectl cert-manager status command, to help with troubleshooting;
- use of the latest stable Kubernetes APIs;
- improved logging;
- ACME improvements.
Be sure to read the upgrade notes before upgrading.
API v1
Version v0.16 worked with API v1beta1. That version added some structural changes and also improved the documentation of the API fields. Version 1.0 builds on this with API v1. This API is our first stable one; we had already given compatibility guarantees before, but with the v1 API we promise to maintain compatibility for years to come.
Changes made (note: our conversion tools take care of everything for you):
Certificate:
- emailSANs is now called emailAddresses;
- uriSANs is now uris.
These changes bring the fields into line with the other SANs (subject alternative names; translator's note) and with the Go API. We are removing that term from our API.
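As an added illustration of the rename step (this is not cert-manager's own conversion webhook, which also handles the other differences between the API versions), here is the field migration in Python on a constructed Certificate manifest held as a dict, the form `kubectl get certificate -o json` returns:

```python
import json

# Field renames introduced by the cert-manager.io/v1 Certificate API (as listed above).
SAN_RENAMES = {"emailSANs": "emailAddresses", "uriSANs": "uris"}
LEGACY_VERSIONS = {"cert-manager.io/v1alpha2", "cert-manager.io/v1alpha3",
                   "cert-manager.io/v1beta1"}


def convert_certificate_to_v1(manifest):
    """Return a deep copy of a Certificate manifest rewritten for cert-manager.io/v1.

    Only the two SAN field renames described on this page are handled; the other
    differences between the older API versions are out of scope here.
    """
    if manifest.get("kind") != "Certificate":
        raise ValueError("not a Certificate resource")
    out = json.loads(json.dumps(manifest))  # deep copy so the input stays untouched
    version = out.get("apiVersion")
    if version == "cert-manager.io/v1":
        return out  # already current, nothing to rename
    if version not in LEGACY_VERSIONS:
        raise ValueError("unsupported apiVersion: %r" % version)
    out["apiVersion"] = "cert-manager.io/v1"
    spec = out.setdefault("spec", {})
    for old, new in SAN_RENAMES.items():
        if old in spec:
            if new in spec:
                # Both spellings present: refuse rather than silently drop one list.
                raise ValueError("both %s and %s set; resolve by hand" % (old, new))
            spec[new] = spec.pop(old)
    return out


# Constructed sample manifest (not taken from the page) using the old field names.
LEGACY_MANIFEST = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "secretName": "example-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "letsencrypt", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    print(json.dumps(convert_certificate_to_v1(LEGACY_MANIFEST), indent=2))
```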
Upgrade
If you use Kubernetes 1.16+, conversion webhooks let you work simultaneously and seamlessly with the API versions v1alpha2, v1alpha3, v1beta1 and v1. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to API v1, since the older versions will be deprecated soon. Users of the legacy cert-manager versions will still only have access to v1; the upgrade steps are available.
kubectl cert-manager status command
With the new developments in our kubectl extension, it has become easier to investigate problems with certificate issuance. kubectl cert-manager status now gives much more information about what is happening with certificates and also shows the stage of certificate issuance.
After installing the extension, you can run kubectl cert-manager status certificate <certificate-name>, which looks at the certificate with the given name and at any related resources such as the CertificateRequest, the Secret, the Issuer, and the Order and Challenges if ACME certificates are used.
Example output for a certificate that is not ready yet:
$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
The command can also help you learn more about what is inside a certificate. A detailed example for a certificate issued by Let's Encrypt:
$ kubectl cert-manager status certificate example

Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
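The status command walks the same chain of resources a person would when triaging a stuck certificate. As an added example (not part of the cert-manager plugin), the function below does that walk in Python over constructed Certificate, CertificateRequest, Order and Challenge objects shaped like the output above, and returns the deepest object that explains why issuance has not finished:

```python
# Constructed resources (values made up) whose status fields mirror the output above.
CERTIFICATE = {"status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"},
    {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"}]}}
CERTIFICATE_REQUEST = {"status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "Pending",
     "message": 'Waiting on certificate issuance from order default/example-1: "pending"'}]}}
ORDER = {"status": {"state": "pending", "reason": ""}}
CHALLENGES = [{"spec": {"type": "DNS-01", "dnsName": "example.com"},
               "status": {"state": "pending", "processing": True, "presented": False,
                          "reason": 'error getting clouddns service account: '
                                    'secret "clouddns-accoun" not found'}}]


def condition(obj, ctype):
    """Return the status condition of the given type, or None if it is absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None


def diagnose(cert, request=None, order=None, challenges=()):
    """Return (stage, detail): the deepest resource in the chain
    Certificate -> CertificateRequest -> Order -> Challenge that explains the delay.
    Deeper objects are checked first because their reason is the most specific one."""
    ready = condition(cert, "Ready")
    if ready is not None and ready.get("status") == "True":
        return "ready", ready.get("message", "")
    issuing = condition(cert, "Issuing")
    if issuing is not None and issuing.get("status") == "False":
        # Issuing=False with a reason means the last attempt failed and will be retried.
        return "failed", "%s: %s" % (issuing.get("reason"), issuing.get("message"))
    for ch in challenges:
        st = ch.get("status", {})
        if st.get("state") != "valid" and st.get("reason"):
            return "challenge", "%s for %s: %s" % (ch["spec"]["type"], ch["spec"]["dnsName"], st["reason"])
    if order is not None and order.get("status", {}).get("state") not in (None, "valid"):
        return "order", order["status"]["state"]
    if request is not None:
        rc = condition(request, "Ready")
        if rc is not None and rc.get("status") != "True":
            return "request", "%s: %s" % (rc.get("reason"), rc.get("message"))
    if issuing is not None:
        return "certificate", issuing.get("message", "")
    return "certificate", "no conditions reported yet"
```

Run against the constructed objects it points at the missing clouddns Secret, the same root cause the plugin output above ends with.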
Using the latest stable Kubernetes APIs
cert-manager was one of the first projects to implement Kubernetes CRDs. This, together with our support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs, as well as admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed in Kubernetes 1.22. With 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and newer. For users of older versions, we continue to provide v1beta1 support in our legacy versions.
Improved logging
In this release we upgraded the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned the appropriate level. We were guided by a scale from Error (level 0), which prints only important errors, up to Trace (level 5), which helps you see exactly what is going on. With this change we have reduced the number of log entries when you do not need debugging information while running cert-manager.
Tip: cert-manager runs at level 2 (Info) by default; you can override this with global.logLevel in the Helm chart.
Note: looking at the logs is the last resort when troubleshooting. For more information, refer to our guide.
Editor's note: To learn more about how all of this works under the hood in Kubernetes, get valuable advice from practising instructors, and receive quality technical help, you can take part in the online intensive.
ACME improvements
The most common use of cert-manager is probably issuing Let's Encrypt certificates using ACME. Version 1.0 is notable for using community feedback to add two small but important improvements to the ACME issuer.
Disabling account key generation
If you use ACME certificates at scale, you most likely share the same account across many clusters, so the certificate issuance rate limits apply to all of them. This was already possible in cert-manager by copying the Secret named in privateKeySecretRef. That use case was rather painful, though, because cert-manager tried to be helpful and happily created a new account key if it did not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not generate a key and will warn you that no account key was provided.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    # true: only use the key copied into the Secret above; never generate a new account key
    disableAccountKeyGeneration: true
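A pre-flight check is the natural place to enforce this before an Issuer is applied to another cluster. As an added example (not cert-manager code), the function below takes an Issuer manifest as a dict and the names of the Secrets already present in the target namespace, and reports whether the combination of privateKeySecretRef and disableAccountKeyGeneration would end up reusing the shared account or registering a new one:

```python
def check_acme_account_key(issuer, existing_secrets):
    """Return a list of warnings for an Issuer/ClusterIssuer meant to reuse one ACME
    account across clusters. An empty list means the manifest and the namespace agree."""
    acme = issuer.get("spec", {}).get("acme")
    if acme is None:
        return []  # not an ACME issuer; nothing to check
    ref = acme.get("privateKeySecretRef", {}).get("name")
    if not ref:
        return ["spec.acme.privateKeySecretRef.name is missing"]
    generation_disabled = bool(acme.get("disableAccountKeyGeneration", False))
    if ref not in existing_secrets:
        if generation_disabled:
            return ['Secret "%s" not found: cert-manager will only warn that no account key '
                    'was provided; copy the shared key before applying' % ref]
        return ['Secret "%s" not found and generation is enabled: cert-manager would '
                'register a new ACME account with its own rate limits' % ref]
    if not generation_disabled:
        return ["account key present but disableAccountKeyGeneration is false: if the Secret "
                "is ever lost, a new account would be created silently"]
    return []


# Constructed manifest (not from the page) reusing an account key copied from another cluster.
SHARED_ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "Issuer",
    "metadata": {"name": "letsencrypt", "namespace": "default"},
    "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
                      "privateKeySecretRef": {"name": "example-issuer-account-key"},
                      "disableAccountKeyGeneration": True}},
}

if __name__ == "__main__":
    # Simulate a target namespace that does not yet hold the copied Secret.
    for warning in check_acme_account_key(SHARED_ISSUER, set()):
        print("WARNING:", warning)
```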
Preferred chain
On September 29 Let's Encrypt is switching to ISRG Root, replacing the certificates cross-signed by IdenTrust. This change requires no changes to the cert-manager configuration: all certificates renewed or newly issued after that date will use the new root CA.
Let's Encrypt cross-signs certificates with this CA and offers it as an "alternate certificate chain" via ACME. This version of cert-manager makes it possible to configure access to these chains in the issuer settings. In the preferredChain parameter you can specify the name of the CA with which the certificate should be issued. If a CA certificate matching the request is available, the certificate will be issued with it. Note that this is a preference: if nothing matching is found, the default certificate will be issued. This ensures that you will still be able to renew your certificate after the alternate chain is removed on the ACME issuer's side.
Already today you can get certificates signed by ISRG Root, like so:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
If you prefer to stay on the IdenTrust chain, set this option to DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Note that this root CA will expire soon; Let's Encrypt will keep this chain active until September 29, 2021.
Source: www.habr.com