cert-manager 1.0 released

If you ask an experienced, sensible engineer what they think of cert-manager and why everyone uses it, the expert will sigh, take you aside and say wearily: "Everyone uses it because there are no other sane options. The mice cry and prick themselves, but keep on eating the cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that rely on new features. And you have to upgrade the cluster again and again. And old versions stop working, because there is a sinister conspiracy and strange shamanism at work."

But the developers claim that with cert-manager 1.0 everything will change.

Shall we believe them?


cert-manager is a certificate management controller for Kubernetes. It can be used to issue certificates from a variety of sources: Let's Encrypt, HashiCorp Vault, Venafi, and signing or self-signing key pairs. It also keeps keys up to date and attempts to renew certificates at a configured time before they expire. cert-manager is based on kube-lego and also borrows ideas from similar projects such as kube-cert-manager.

Release notes

With version 1.0 we put a stamp of confidence on three years of development of the cert-manager project. Over that time it has matured considerably in functionality and stability, but above all in its community. Today we see many people using it to secure their Kubernetes clusters, and deploying it in various parts of the ecosystem. Many bugs have been fixed over the last 16 releases. And what needed to be broken was broken. Several passes over the API have improved how users interact with it. We have resolved 1500 issues on GitHub, with even more pull requests from 253 community members.

With the 1.0 release we officially declare cert-manager a mature project. We also commit to keeping our v1 API backward compatible.

Thank you to everyone who helped us build cert-manager over these three years! May version 1.0 be the first of many big things to come.

Release 1.0 is a stable release with several key features:

  • v1 API;

  • the kubectl cert-manager status command, to help investigate problems;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. It introduced some structural changes and improved the documentation of the API fields. Version 1.0 builds on all of this with the v1 API. This API is our first stable one; we had already given compatibility guarantees, but with API v1 we commit to maintaining compatibility for years to come.

Changes made (note: our conversion tools will take care of everything for you):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs is now called uris

These changes bring the field names in line with the other SANs (subject alternative names, translator's note) as well as with the Go API. We are removing the term from our API.

Conversion

If you use Kubernetes 1.16+, conversion webhooks let you work with the API versions v1alpha2, v1alpha3, v1beta1 and v1 simultaneously and seamlessly. With them, you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to API v1, since the previous versions will soon be deprecated. Users of legacy versions of cert-manager will still only have access to v1; the upgrade steps can be found here.
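
As an added illustration of the two Certificate field renames and of what the conversion webhook does for you (example code written for this translation, not part of cert-manager), the script below rewrites a pre-v1 Certificate manifest to cert-manager.io/v1. It applies only the renames listed above and copies everything else; the sample manifest, the function name convert_certificate_to_v1 and the use of plain dicts instead of a YAML parser are choices made here.

```python
# Added example (not cert-manager's own code): convert a cert-manager
# Certificate manifest from a pre-v1 API version to cert-manager.io/v1.
# Only the two field renames named in the release notes are applied
# (emailSANs -> emailAddresses, uriSANs -> uris); everything else is copied.
# Manifests are handled as plain dicts so no YAML library is required;
# the sample manifest at the bottom is constructed for this example.
import copy
import json

PRE_V1_VERSIONS = {"v1alpha2", "v1alpha3", "v1beta1"}
RENAMES = {"emailSANs": "emailAddresses", "uriSANs": "uris"}
GROUP = "cert-manager.io"


def convert_certificate_to_v1(manifest):
    """Return a v1 copy of a Certificate manifest (the input is left untouched).

    A manifest that is already v1 is returned as-is. Anything that is not a
    cert-manager.io Certificate in a known version raises ValueError, so a
    caller cannot accidentally "convert" an unrelated resource.
    """
    group, _, version = manifest.get("apiVersion", "").partition("/")
    if group != GROUP or manifest.get("kind") != "Certificate":
        raise ValueError(f"not a cert-manager.io Certificate: {manifest.get('apiVersion')!r}")
    if version == "v1":
        return manifest
    if version not in PRE_V1_VERSIONS:
        raise ValueError(f"unknown cert-manager API version {version!r}")

    out = copy.deepcopy(manifest)
    out["apiVersion"] = f"{GROUP}/v1"
    spec = out.setdefault("spec", {})
    for old, new in RENAMES.items():
        if old in spec:
            if new in spec:
                # Both spellings present: refuse rather than silently drop SANs.
                raise ValueError(f"spec has both {old} and {new}")
            spec[new] = spec.pop(old)
    return out


# Constructed v1beta1 manifest that still uses the pre-v1 field names.
SAMPLE_V1BETA1 = {
    "apiVersion": "cert-manager.io/v1beta1",
    "kind": "Certificate",
    "metadata": {"name": "example-com", "namespace": "default"},
    "spec": {
        "secretName": "example-com-tls",
        "dnsNames": ["example.com"],
        "emailSANs": ["admin@example.com"],
        "uriSANs": ["spiffe://example.com/workload"],
        "issuerRef": {"name": "letsencrypt", "kind": "Issuer"},
    },
}

if __name__ == "__main__":
    print(json.dumps(convert_certificate_to_v1(SAMPLE_V1BETA1), indent=2))
```

The converter deliberately refuses a spec that carries both the old and the new spelling of a field: a conversion that silently discarded one list of SANs would change which names end up in the issued certificate.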

The kubectl cert-manager status command

With the new improvements to our kubectl extension it is now easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now gives much more information about what is happening with a certificate, and also shows the stage the certificate is at.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and any related resources, such as the CertificateRequest, Secret and Issuer, as well as the Order and Challenges in the case of ACME certificates.

Example of debugging a certificate that has not yet been issued:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

The command can also help you learn more about the details of a certificate. Example of the details of a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
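
To make output like the two listings above actionable from a script (for example, a job that alerts on certificates that are not Ready and quotes the ACME challenge error), here is an added parser for the status format, written for this translation and not part of the kubectl cert-manager plugin. SAMPLE_STATUS is a shortened, constructed copy of the first listing above with the challenge Token and Key replaced by placeholders; parse_status and diagnose are names chosen here.

```python
# Added example (not part of the kubectl cert-manager plugin): parse the text
# printed by "kubectl cert-manager status certificate <name>" and reduce it to a
# small dict a monitoring job can act on: is the Certificate Ready, why not,
# and what the ACME Challenge reports. Only top-level Conditions, Not After,
# Renewal Time and Challenges are extracted.
import re

# Constructed, shortened copy of the output format; Token and Key are placeholders.
SAMPLE_STATUS = """\
Name: acme-certificate
Namespace: default
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Not After: <none>
Renewal Time: <none>
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: TOKEN-PLACEHOLDER, Key: KEY-PLACEHOLDER, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""

# A condition line is "<Type>: <Status>, Reason: <reason>, Message: <free text>".
_COND = re.compile(r"^(?P<type>\w+): (?P<status>True|False|Unknown), Reason: (?P<reason>[^,]*), Message: (?P<msg>.*)$")
# Challenge lines are comma-separated "Key: value" pairs; a value (notably Reason)
# may itself contain ": " and spaces, so split only in front of a known key name.
_CHALLENGE_KEYS = "|".join(("Name", "Type", "Token", "Key", "State", "Reason", "Processing", "Presented"))
_CHALLENGE_FIELD = re.compile(rf"(?:^|, )(?P<k>{_CHALLENGE_KEYS}): (?P<v>.*?)(?=, (?:{_CHALLENGE_KEYS}): |$)")


def _none(value):
    return None if value == "<none>" else value


def parse_status(text):
    """Return {"conditions": {type: (ok, reason, msg)}, "not_after", "renewal_time", "challenges": [...]}."""
    result = {"conditions": {}, "not_after": None, "renewal_time": None, "challenges": []}
    section = None                       # name of the current top-level section
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and not line.startswith("- "):
            section = line.split(":", 1)[0]
            if section == "Not After":
                result["not_after"] = _none(line.split(": ", 1)[1])
            elif section == "Renewal Time":
                result["renewal_time"] = _none(line.split(": ", 1)[1])
            continue
        if section == "Conditions" and indent == 2:      # Certificate's own conditions only
            m = _COND.match(line)
            if m:
                result["conditions"][m["type"]] = (m["status"] == "True", m["reason"], m["msg"])
        elif section == "Challenges" and line.startswith("- "):
            fields = {m["k"]: m["v"] for m in _CHALLENGE_FIELD.finditer(line[2:])}
            fields.pop("Token", None)    # challenge secrets must not end up in alerts or logs
            fields.pop("Key", None)
            result["challenges"].append(fields)
    return result


def diagnose(parsed):
    """Return 'ok' for a Ready certificate, otherwise a one-line reason for an alert."""
    ready = parsed["conditions"].get("Ready")
    if ready and ready[0]:
        return "ok"
    reasons = []
    if ready:
        reasons.append(f"Ready=False ({ready[1]})")
    for ch in parsed["challenges"]:
        if ch.get("State") != "valid" and ch.get("Reason"):
            reasons.append(f"{ch.get('Type')} challenge {ch.get('State')}: {ch['Reason']}")
    return "; ".join(reasons) or "not ready, no reason reported"


if __name__ == "__main__":
    print(diagnose(parse_status(SAMPLE_STATUS)))
```

Feeding the real command output to parse_status works the same way (pipe the output into a file and read it); the parser keys on the two-space indentation of the Certificate's own Conditions so the Issuer's nested Conditions block is not mistaken for it, and it drops the Token and Key fields before anything is returned, since those values are the challenge's secret material.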

Using the latest stable Kubernetes APIs

cert-manager was one of the first projects to implement Kubernetes CRDs. This, together with our support for Kubernetes versions back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed from Kubernetes as of version 1.22. With 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were introduced) and later. For users of earlier versions, we continue to provide v1beta1 support in our legacy releases.

Improved logging

In this release we upgraded the logging library to klog/v2, which is used in Kubernetes 1.19. We also reviewed every log line we write to make sure it is assigned the appropriate level. We were guided in this by the guidance from Kubernetes. There are five (actually six, translator's note) log levels, starting from Error (level 0), which prints only important errors, and ending with Trace (level 5), which tells you exactly what is happening. With this change we have reduced the volume of logs for those who do not need debugging information when running cert-manager.

Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.

Note: reading the logs is your last resort when troubleshooting. For more details see our guide.

Editor's note: to learn more about how all of this works under Kubernetes, get valuable advice from practising instructors and high-quality technical support, you can take part in the intensive online courses Kubernetes Base, which runs September 28-30, and Kubernetes Mega, which runs October 14-16.

ACME improvements

The most common use of cert-manager probably involves issuing certificates from Let's Encrypt using ACME. Version 1.0 is notable for acting on community feedback to add two small but important improvements to our ACME issuer.

Disable account key generation

If you use ACME certificates at scale, you are probably using the same account across multiple clusters, so your certificate issuance rate limits apply to all of them together. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. This use case was problematic because cert-manager tried to be helpful and happily created a new account key if it did not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: with this option set to true, cert-manager will not generate a key and will warn you that it has not been given an account key.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: true   # true: never mint a new account key; warn if the Secret above is missing

Preferred chain

On September 29, Let's Encrypt will move to its own root certificate authority, ISRG Root. The certificates cross-signed by IdenTrust will be replaced. This change requires no changes to the cert-manager configuration; all certificates renewed or newly issued after that date will use the new root CA.

Let's Encrypt is already signing certificates with this CA and offering them as an "alternative certificate chain" via ACME. This version of cert-manager adds the ability to set a preference for these chains in the issuer configuration. With the preferredChain parameter you can specify the name of the CA used to issue the certificate. If a CA certificate matching the request is available, it will issue that certificate. Please note that this is a preference: if no such chain is available, the default certificate is issued. This ensures that you will still renew your certificate after the alternative chain is removed on the ACME provider side.

Today you can get certificates signed by ISRG Root like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you prefer to keep the IdenTrust chain, set this parameter to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Please note that this root CA will soon be deprecated; Let's Encrypt will keep this chain working until September 29, 2021.
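
As an added example (not cert-manager's own code) that ties together the two ACME settings from this section, the check below audits an ACME Issuer manifest for the failure modes described above: an account-key Secret named in privateKeySecretRef that is missing while key generation is still enabled (cert-manager would quietly create a new account), and a preferredChain pinned to DST Root CA X3 past the date given above (issuance falls back to the default chain). The manifest, the Secret inventory, the function name audit_acme_issuer and the cluster_resource_namespace default of cert-manager are assumptions made for the example.

```python
# Added example (not cert-manager's own code): a policy check for ACME Issuer /
# ClusterIssuer manifests covering disableAccountKeyGeneration and preferredChain.
# Manifests are plain dicts; the Secret inventory and the dates are constructed.
import datetime

DST_ROOT = "DST Root CA X3"
DST_CHAIN_END = datetime.date(2021, 9, 29)   # last day the chain is kept, per the text above


def audit_acme_issuer(issuer, existing_secrets, today, cluster_resource_namespace="cert-manager"):
    """Return [(severity, message), ...] for one Issuer or ClusterIssuer manifest.

    existing_secrets: set of "namespace/name" strings for Secrets present in the cluster.
    today: ISO date string such as "2020-09-03".
    cluster_resource_namespace: where ClusterIssuer Secrets are looked up (assumed default).
    """
    today = datetime.date.fromisoformat(today)
    findings = []
    acme = issuer.get("spec", {}).get("acme")
    if acme is None:
        return findings                          # not an ACME issuer: nothing to check
    meta = issuer.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ns = cluster_resource_namespace if issuer.get("kind") == "ClusterIssuer" else meta.get("namespace", "")

    # --- account key: would cert-manager silently mint a new ACME account? ---
    ref = acme.get("privateKeySecretRef", {}).get("name")
    gen_disabled = acme.get("disableAccountKeyGeneration") is True
    if ref is None:
        findings.append(("error", f"{name}: privateKeySecretRef.name is not set"))
    elif f"{ns}/{ref}" not in existing_secrets:
        if gen_disabled:
            findings.append(("info", f"{name}: account key Secret {ref} is missing; the issuer "
                                     f"will warn and stay not-ready until it is created"))
        else:
            findings.append(("high", f"{name}: account key Secret {ref} is missing and "
                                     f"disableAccountKeyGeneration is not true, so cert-manager "
                                     f"would generate a new account key instead of reusing the shared one"))
    elif not gen_disabled:
        findings.append(("low", f"{name}: Secret {ref} exists, but set disableAccountKeyGeneration: "
                                f"true so a future copy mistake cannot silently create a new account"))

    # --- chain preference: is the retiring IdenTrust chain pinned? ---
    chain = acme.get("preferredChain")
    if chain == DST_ROOT:
        if today > DST_CHAIN_END:
            findings.append(("warn", f"{name}: preferredChain {chain!r} is no longer offered; "
                                     f"issuance falls back to the default chain"))
        else:
            days = (DST_CHAIN_END - today).days
            findings.append(("info", f"{name}: preferredChain {chain!r} is served for {days} more "
                                     f"days, then the default chain is used"))
    return findings


# Constructed Issuer: the shared account key was meant to be copied from another
# cluster, but the Secret was never created here and key generation is still on.
SAMPLE_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt", "namespace": "default"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "example-issuer-account-key"},
        "preferredChain": DST_ROOT,
    }},
}
SAMPLE_SECRETS = {"default/some-other-secret"}     # constructed cluster inventory

if __name__ == "__main__":
    for severity, message in audit_acme_issuer(SAMPLE_ISSUER, SAMPLE_SECRETS, "2020-09-03"):
        print(severity.upper(), message)
```

The "high" finding is the case the release notes warn about: with the Secret absent and generation enabled, the cluster would register a fresh ACME account whose rate limits and identity are no longer shared with the other clusters. A ClusterIssuer's Secret is looked up in the cluster resource namespace rather than in the issuer's own metadata, which is why the function takes that namespace as a parameter.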

Source: www.habr.com
