cert-manager 1.0 released

If you ask an experienced, sensible engineer what he thinks of cert-manager and why everyone uses it, the expert will sigh, wrap himself in confidence and say wearily: "Everyone uses it because there is no other sensible option. The mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. Why do we not love it? Because new versions keep coming out that use new features. And you have to upgrade the cluster again and again. And the old versions stop working, because there is a great conspiracy and secret shamanism."

But the developers claim that with cert-manager 1.0 everything will change.

Shall we believe them?


cert-manager is a certificate management controller for Kubernetes. It can be used to issue certificates from various sources: Let's Encrypt, HashiCorp Vault, Venafi, signing key pairs and self-signed key pairs. It also lets you keep keys up to date and tries to renew certificates automatically at a configured time before they expire. cert-manager is based on kube-lego and also borrowed techniques from other similar projects such as kube-cert-manager.

Release notes

With version 1.0 we mark a milestone of three years of development of the cert-manager project. During this time it has grown considerably in functionality and stability, but most of all in its community. Today we see many people using it to secure their Kubernetes clusters, and also deploying it in various parts of the ecosystem. Many bugs were fixed in the last 16 releases. What needed breaking was broken. Several passes over the API improved the user experience. We closed 1500 GitHub issues with many pull requests from 253 community members.

With the release of 1.0 we officially declare cert-manager a mature project. We also promise to keep our v1 API compatible.

Many thanks to everyone who helped us build cert-manager over these three years! Let version 1.0 be the first of many great things to come.

Release 1.0 is a stable release with several priority areas:

  • the v1 API;

  • the kubectl cert-manager status command, to help with troubleshooting;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. That version introduced some structural changes and also improved the documentation of the API fields. Version 1.0 builds on this with the v1 API. This is our first stable API; although we already offered compatibility guarantees, with the v1 API we promise to maintain compatibility for years to come.

Changes made (note: our conversion tooling takes care of all of this for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes bring consistency with the other SANs (subject alternative names, translator's note) and with the Go API. We are dropping the "SAN" term from our API.

Upgrading

If you use Kubernetes 1.16+, conversion webhooks let you work with the API versions v1alpha2, v1alpha3, v1beta1 and v1 simultaneously and seamlessly. With them you can use the new API version without changing or redeploying your existing resources. We strongly recommend updating your manifests to the v1 API, since the old versions will be deprecated soon. Users of the legacy cert-manager versions will still get only v1; the upgrade steps are available here.

The kubectl cert-manager command

With the new improvements to our kubectl extension it has become easier to investigate problems with certificate issuance. kubectl cert-manager status now provides more information about what is happening with a certificate, and also shows the stage the issuance has reached.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which inspects the certificate with the given name and the related resources such as the CertificateRequest, the Secret, the Issuer, and the Order and Challenges if ACME certificates are used.

Example output for a certificate that is not ready yet:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

The command can also help you learn more about the contents of a certificate. A detailed example for a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
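As an added illustration (not code from the post or from the cert-manager project), a small Python helper that parses the two status outputs above and surfaces what a troubleshooter looks for first: the Certificate's own Ready condition, any challenge failure reason, and whether the reported Renewal Time matches cert-manager's default of renewing when a third of the lifetime is left. The sample inputs are constructed and abridged from the outputs above, and the renewal rule assumes the default renewBefore.

```python
import re
from datetime import datetime, timedelta
# Constructed samples abridged from the outputs above (the Ready line of the second is made up).
STATUS_NOT_READY = """\
Name: acme-certificate
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Not After: <none>
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""
STATUS_READY = """\
Name: example
Conditions:
  Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
"""

def parse_status(text):
    """Extract the Certificate's own conditions (two-space indent; the Issuer and
    CertificateRequest conditions sit deeper), validity dates and challenge reasons."""
    info = {"conditions": {}, "challenges": []}
    for line in text.splitlines():
        if m := re.match(r"  (Ready|Issuing): (True|False), Reason: ([^,]*), Message: (.*)", line):
            info["conditions"][m[1]] = {"status": m[2] == "True", "reason": m[3], "message": m[4]}
        elif m := re.match(r"(Not Before|Not After|Renewal Time): (.*)", line):
            info[m[1]] = None if m[2] == "<none>" else datetime.fromisoformat(m[2])
        elif m := re.match(r"- Name: .*?, Type: (\S+), .*?State: (\w+), Reason: (.*?), Processing:", line):
            info["challenges"].append((m[1], m[2], m[3]))
    return info

def expected_renewal_time(not_before, not_after):
    """Default renewBefore is a third of the lifetime (assumes default settings)."""
    return not_after - (not_after - not_before) / 3

def diagnose(text):
    """Findings in the order a troubleshooter reads them; an empty list means healthy."""
    info = parse_status(text)
    findings = []
    ready = info["conditions"].get("Ready")
    if ready and not ready["status"]:
        findings.append(f"not ready: {ready['reason']}: {ready['message']}")
    findings += [f"{c} challenge {s}: {r}" for c, s, r in info["challenges"] if r]
    if info.get("Renewal Time") and info.get("Not Before"):
        drift = info["Renewal Time"] - expected_renewal_time(info["Not Before"], info["Not After"])
        if abs(drift) > timedelta(minutes=1):
            findings.append(f"renewal time deviates from the default by {drift}")
    return findings
```

On the page's own Let's Encrypt example the computed renewal time lands exactly on the reported 2020-08-01T04:29:56+02:00, so the check confirms the default schedule is in effect.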

Using the latest stable Kubernetes APIs

cert-manager was one of the first projects to adopt Kubernetes CRDs. This, together with our support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs as well as admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed in Kubernetes 1.22. With 1.0 we provide full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and newer. For users of older versions we continue to provide v1beta1 support in our legacy versions.

Improved logging

In this release we upgraded the logging library to klog/v2, the one used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned the appropriate level, following the Kubernetes guidelines. There are five (actually six, translator's note) log levels, from Error (level 0), which prints only critical errors, up to Trace (level 5), which lets you see exactly what is going on. With this change we have reduced the number of log entries when you run cert-manager without needing debugging information.

Tip: cert-manager runs at level 2 (Info) by default; you can change this with global.logLevel in the Helm chart.

Note: reading the logs is the last resort when troubleshooting; for more information see our guide.

Editor's note: to learn more about how all of this works under the hood of Kubernetes, get valuable advice from practising instructors and quality technical support, you can take part in the online intensives Kubernetes Base, held September 28-30, and Kubernetes Mega, held October 14-16.

ACME improvements

The most common use of cert-manager is probably issuing certificates from Let's Encrypt via ACME. Version 1.0 draws on community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you use ACME certificates in large volumes, you probably use the same account across several clusters, so your certificate issuance rate limits apply to all of them together. This was already possible in cert-manager by copying the secret referenced in privateKeySecretRef. The use case was quite cumbersome, though, because cert-manager tried to be helpful and happily created a new account key if it did not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not generate a key and will warn you that no account key was provided.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false

Preferred chain

On September 29 Let's Encrypt will switch to its own root CA, ISRG Root. The cross-signed certificates from IdenTrust will be replaced. This change requires no configuration changes in cert-manager: all certificates renewed or newly issued after that date will use the new root CA.

Let's Encrypt cross-signs certificates with this CA and offers them as an "alternative certificate chain" via ACME. In this version of cert-manager it is possible to configure access to these chains in the issuer settings. In the preferredChain parameter you specify the name of the CA with which the certificate should be issued. If a CA certificate matching the request is available, it will be issued. Note that this is a preference: if nothing matches, the default certificate is issued. This ensures you will still renew your certificate after the alternative chain is removed on the ACME issuer's side.

Already today you can obtain certificates signed by ISRG Root like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you would rather stay on the IdenTrust chain, set this option to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA will expire soon; Let's Encrypt will keep this chain active until September 29, 2021.

Source: www.habr.com
