If you ask an experienced, seasoned engineer what they think of cert-manager and why everyone uses it, they will sigh, take you aside confidentially and say wearily: "Everyone uses it because there are no sane alternatives. Our mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. And you have to upgrade the cluster often, because old versions stop working thanks to some conspiracy and strange shamanism."
But the developers assure us that with cert-manager 1.0 everything will change.
Shall we believe them?

Cert-manager is a native Kubernetes certificate management controller. It can issue certificates from a variety of sources, including Let's Encrypt, HashiCorp Vault, Venafi and simple signing key pairs. It also keeps the keys up to date and attempts to renew certificates at a configured time before they expire. Cert-manager is based on kube-lego and also borrows some ideas from other similar projects, such as kube-cert-manager.
Release notes
With version 1.0 we celebrate three years of development of the cert-manager project. During this time it has grown a lot in functionality and stability, but above all in community. Today we see many people using it to secure their Kubernetes clusters and deploying it across various parts of the ecosystem. The last 16 releases have seen a great many bug fixes. And what needed to be broken was broken. Several passes over the API have improved the user experience. We have resolved 1500 issues on GitHub, with even more pull requests from 253 community members.
With the release of version 1.0 we officially declare cert-manager a mature project. We also promise to maintain backward compatibility with our v1 API.
Many thanks to everyone who has helped us build cert-manager over the past three years! Version 1.0 may be the first of many big things to come.
Release 1.0 is a stable release with several focus areas:
- the v1 API;
- the kubectl cert-manager status command, to help investigate problems;
- use of the latest stable Kubernetes APIs;
- improved logging;
- ACME improvements.
Please make sure you read the upgrade notes before upgrading.
API v1
Version v0.16 worked with the v1beta1 API. It introduced several structural changes and improved the documentation of the API fields. Version 1.0 builds on this with the v1 API. This API is our first stable one; although we already gave compatibility guarantees, with the v1 API we promise to keep compatibility for years to come.
Changes made (note: our conversion tools will take care of everything for you):
Certificate:
- emailSANs is now called emailAddresses;
- uriSANs is now called uris.
These changes improve consistency with other SANs (subject alternative names, translator's note) and with the Go API. We are removing the term from our API.
Conversion
If you use Kubernetes 1.16+, conversion webhooks let you work with the v1alpha2, v1alpha3, v1beta1 and v1 API versions at the same time. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to the v1 API, as the earlier versions will soon be deprecated. Users of legacy cert-manager versions will still only have access to v1; the upgrade steps can be found in the upgrade notes.
The kubectl cert-manager status command
With the new improvements to our kubectl extension it has become easier to investigate problems related to certificate issuance. kubectl cert-manager status now provides much more information about what is happening with a certificate, and also shows the stage that issuance has reached.
After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and any related resources, such as CertificateRequest, Secret, Issuer, and, for ACME certificates, Order and Challenges.
An example of debugging a certificate that has not been issued yet:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 18m cert-manager Issuing certificate as Secret does not exist
Normal Generated 18m cert-manager Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
Normal Requested 18m cert-manager Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
Name: acme-issuer
Kind: Issuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
Name: acme-certificate-qp5dm
Namespace: default
Conditions:
Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 18m cert-manager Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
Name: acme-certificate-qp5dm-1319513028
State: pending, Reason:
Authorizations:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
The command can also help you learn more about the contents of a certificate. Here is an example of the details of a certificate issued by Let's Encrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
Name: example
Issuer Country: US
Issuer Organisation: Let's Encrypt
Issuer Common Name: Let's Encrypt Authority X3
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication, Client Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID: 65081d98a9870764590829b88c53240571997862
Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
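As an added example (not part of the original article), a small Python parser for the kubectl cert-manager status certificate output shown above: it keeps the Certificate's own Ready/Issuing conditions, reports the first failing ACME challenge reason for a pending certificate, and for an issued one computes the days to expiry and whether the renewal time has already passed. The two samples are constructed, abridged copies of the page's outputs; the Ready line of the issued sample is made up, since the page elides it.

```python
import re
from datetime import datetime
COND_RE = re.compile(r"^(Ready|Issuing): (True|False), Reason: ([^,]*), Message: (.*)$")
TIME_RE = re.compile(r"^(Not After|Renewal Time): (.*)$")
CHAL_RE = re.compile(r"Type: ([\w-]+), .*State: (\w+), Reason: (.*?), Processing: (\w+), Presented: (\w+)")

# Constructed samples, abridged from the two status outputs above; the Ready line of the
# issued certificate is not shown on the page and is made up for this example.
PENDING_STATUS = """Name: acme-certificate
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuer:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Not After: <none>
Renewal Time: <none>
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""
ISSUED_STATUS = """Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
"""
NOW = datetime.fromisoformat("2020-08-21T16:44:13+02:00")  # "Created at" of the pending sample

def parse_status(text):
    """Collect conditions, timestamps and ACME challenges. Only the first Ready/Issuing pair
    is kept: it belongs to the Certificate itself; Issuer and CertificateRequest come later."""
    info = {"conditions": {}, "times": {}, "challenges": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ")
        if (m := COND_RE.match(line)) and m.group(1) not in info["conditions"]:
            info["conditions"][m.group(1)] = (m.group(2) == "True", m.group(3), m.group(4))
        elif m := TIME_RE.match(line):
            info["times"][m.group(1)] = None if m.group(2) == "<none>" else datetime.fromisoformat(m.group(2))
        elif m := CHAL_RE.search(line):
            info["challenges"].append({"type": m.group(1), "state": m.group(2), "reason": m.group(3)})
    return info

def triage(text, now=NOW):
    """Explain why a certificate is not Ready, or how close an issued one is to expiry."""
    info = parse_status(text)
    ready, _, message = info["conditions"].get("Ready", (False, "", "no Ready condition reported"))
    if not ready:  # a failing ACME challenge is the most specific cause, else the condition message
        stuck = [c["reason"] for c in info["challenges"] if c["state"] != "valid" and c["reason"]]
        return {"state": "pending", "blocked_by": stuck[0] if stuck else message}
    not_after, renewal = info["times"].get("Not After"), info["times"].get("Renewal Time")
    return {"state": "issued",
            "days_to_expiry": (not_after - now).days if not_after else None,
            "renewal_overdue": bool(renewal and renewal <= now)}
```

Feed it the real command output (kubectl cert-manager status certificate NAME | python3 -c '...') to get a one-line answer on why a certificate is stuck.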
Using the latest stable Kubernetes APIs
Cert-manager was one of the first projects to adopt Kubernetes CRDs. This, combined with our support for Kubernetes versions back to 1.11, meant that we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed from Kubernetes starting with version 1.22. With our 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were introduced) and later. We continue to support users of earlier versions with v1beta1 in our legacy releases.
Improved logging
In this release we have upgraded the logging library to klog/v2, the one used in Kubernetes 1.19. We also review every message we write in order to assign it the appropriate level. We used the following scheme: there are five (actually six, translator's note) logging levels, starting with Error (level 0), which outputs only important errors, and ending with Trace (level 5), which helps you find out exactly what is going on. With this change we have reduced the volume of logs when you do not need debugging details while running cert-manager.
Tip: by default cert-manager runs at level 2 (Info); you can override this with global.logLevel in the Helm chart.
Note: reading logs is a last resort when troubleshooting. For more details, please see our documentation.
Editor's note: to learn more about how everything works under the hood in Kubernetes, get valuable advice from practising instructors and receive quality technical support, you can take part in the intensive online courses, which will take place on September 28-30 and on October 14-16.
ACME improvements
Perhaps the most common use of cert-manager is issuing Let's Encrypt certificates via ACME. Version 1.0 is notable for incorporating community feedback into two small but important improvements to our ACME issuer.
Disabling account key generation
If you use ACME certificates at scale, you will probably be using a single account across multiple clusters, so your certificate issuance rate limits apply to all of them. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. This use case was problematic, because cert-manager tried to be helpful and happily created a new account key whenever it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not create a key and will warn you that it has not been given an account key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false
Preferred chain
On September 29 Let's Encrypt switches to its own root certificate authority, ISRG Root. The certificates cross-signed by IdenTrust will be replaced. This change requires no changes to your cert-manager configuration; all renewed or newly issued certificates after that date will use the new CA root.
Let's Encrypt is already signing certificates with this CA and offers them as an "alternative certificate chain" over ACME. This cert-manager release lets you request these chains in the issuer configuration. With the preferredChain parameter you specify the name of the CA that should issue the certificate. If a CA certificate matching your request is available, it will be issued. Note that this is a preference: if nothing matches, the default certificate is issued. This ensures that you can still renew your certificate after the alternative chain is removed from the ACME issuer.
You can already get certificates signed by ISRG Root today, like this:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
If you prefer to keep the IdenTrust chain, set this parameter to DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Please note that this root CA will soon be retired; Let's Encrypt will keep this chain working until September 29, 2021.
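As an added example, not code from the cert-manager project, a small Python audit of ACME Issuer specs for the two settings discussed in this section: a privateKeySecretRef whose Secret does not exist while disableAccountKeyGeneration is still false (cert-manager would create a fresh account, so the cluster stops sharing the intended rate limits), and a preferredChain of DST Root CA X3, which Let's Encrypt retires on September 29, 2021. The Issuer dicts and the Secret name set are constructed stand-ins for what kubectl would return.

```python
from datetime import date

# Constructed Issuer specs mirroring the YAML examples on this page, written as Python dicts
# so the check runs without a YAML library; the Secret name is the page's own example.
ISSUERS = [
    {"metadata": {"name": "letsencrypt-shared"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "example-issuer-account-key"},
                       "disableAccountKeyGeneration": False}}},
    {"metadata": {"name": "letsencrypt-legacy"},
     "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
                       "preferredChain": "DST Root CA X3"}}},
]
# Secret names present in the Issuer's namespace (constructed; in practice from `kubectl get secrets`).
EXISTING_SECRETS = {"some-other-secret"}
DST_ROOT_RETIREMENT = date(2021, 9, 29)  # Let's Encrypt keeps the IdenTrust chain working until then

def audit_issuer(issuer, existing_secrets, today):
    """Return (severity, message) findings for one ACME Issuer spec."""
    name = issuer["metadata"]["name"]
    acme = issuer.get("spec", {}).get("acme")
    findings = []
    if acme is None:
        return findings
    key_ref = acme.get("privateKeySecretRef", {}).get("name")
    if key_ref and key_ref not in existing_secrets and not acme.get("disableAccountKeyGeneration", False):
        # cert-manager would quietly create a fresh account key here, so this cluster would stop
        # sharing the intended ACME account (and its rate limits) with the others.
        findings.append(("warning", f"{name}: account key Secret {key_ref!r} is missing and "
                         "disableAccountKeyGeneration is false; a new ACME account would be created"))
    if acme.get("preferredChain") == "DST Root CA X3":
        days_left = (DST_ROOT_RETIREMENT - today).days
        findings.append(("error" if days_left < 0 else "info",
                         f"{name}: prefers the IdenTrust chain, retired on {DST_ROOT_RETIREMENT} "
                         f"({days_left} days from {today})"))
    return findings

def audit(issuers, existing_secrets, today):
    """Run audit_issuer over every Issuer and flatten the findings."""
    return [f for issuer in issuers for f in audit_issuer(issuer, existing_secrets, today)]
```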
Source: www.habr.com
