cert-manager 1.0 released

If you ask an experienced, wise engineer what they think of cert-manager and why everyone uses it, the expert will sigh, give you a confiding hug and say wearily: “Everyone uses it because there are no sane alternatives. Our mice cry and prick themselves, but keep on living with this cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features. And you have to update the cluster again and again. And the old versions stop working, because there is a conspiracy and a great, incomprehensible shamanism.”

But the developers claim that with cert-manager 1.0 all of this will change.

Shall we believe them?


cert-manager is a Kubernetes certificate management controller. It can be used to issue certificates from various sources: Let's Encrypt, HashiCorp Vault, Venafi, signing key pairs, and self-signed. It also lets you keep keys current with respect to their expiry date, and it tries to renew certificates automatically at a configured time before they expire. cert-manager is based on kube-lego and borrows techniques from other similar projects such as kube-cert-manager.

Release notes

With version 1.0 we mark the point of trust in three years of development of the cert-manager project. In that time it has grown a lot in functionality and stability, but most of all in community. Today we see many people using it to secure their Kubernetes clusters and deploying it in various parts of the ecosystem. Many bugs were fixed in the 16 releases before this one. And whatever needed to be broken has been broken. Several iterations on the functionality and the API have improved how it interacts with users. We have resolved 1500 GitHub issues with additional pull requests from 253 community members.

With the 1.0 release we officially declare cert-manager a mature project. We also promise to keep our v1 API compatible.

A big thank you to everyone who has helped us build cert-manager over all these three years! May version 1.0 be the first of many great things to come.

The 1.0 release is a stable release with several key areas:

  • the v1 API;

  • the kubectl cert-manager status command, to help with analysing problems;

  • use of the latest stable Kubernetes APIs;

  • improved logging;

  • ACME improvements.

Be sure to read the upgrade notes before upgrading.

API v1

Version v0.16 worked with the v1beta1 API. It added some structural changes and improved the documentation of the API fields. Version 1.0 builds on this with the v1 API. This API is our first stable one; while we have already given compatibility guarantees, with the v1 API we promise to maintain compatibility for years to come.

Changes made (note: our conversion tools take care of all of this):

Certificate:

  • emailSANs is now called emailAddresses

  • uriSANs - uris

These changes bring the fields in line with the other SANs (Subject Alternative Names, translator's note) as well as with the Go API. We are removing this term from our API.

Upgrade

If you are using Kubernetes 1.16+, conversion webhooks let you work simultaneously and seamlessly with the v1alpha2, v1alpha3, v1beta1 and v1 API versions. With them you can use the new API version without changing or redeploying your old resources. We strongly recommend upgrading your manifests to the v1 API, since the earlier versions will soon be deprecated. Users of the legacy cert-manager versions will still only have access to v1; the upgrade steps can be found here.

The kubectl cert-manager status command

With the new addition to our kubectl extension it has become easier to investigate problems with certificates that are not being issued. kubectl cert-manager status now gives much more information about what is happening with a certificate and also shows the stage of certificate issuance.

After installing the extension you can run kubectl cert-manager status certificate <certificate-name>, which looks up the certificate with the given name and any related resources such as the CertificateRequest, Secret and Issuer, as well as the Order and Challenges when ACME certificates are used.

An example of debugging a certificate that has not been issued yet:

$ kubectl cert-manager status certificate acme-certificate

Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    18m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager  Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
  Normal  Requested  18m   cert-manager  Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: acme-certificate-qp5dm
  Namespace: default
  Conditions:
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
  Events:
    Type    Reason        Age   From          Message
    ----    ------        ----  ----          -------
    Normal  OrderCreated  18m   cert-manager  Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
  Authorizations:
    URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false

The command can also help you learn more about the contents of a certificate. An example with the details of a certificate issued by Let's Encrypt:

$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
  Name: example
  Issuer Country: US
  Issuer Organisation: Let's Encrypt
  Issuer Common Name: Let's Encrypt Authority X3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 65081d98a9870764590829b88c53240571997862
  Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
  Events:  <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
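As an added example (not part of the original article and not code from the cert-manager project), here is a small Python parser for the plain-text report shown in the two listings above. It takes the report as a string, pulls out the certificate and issuer Ready conditions, any Challenge error reason and the Not After / Renewal Time stamps, and reduces them to one verdict: the underlying cause when a certificate is stuck (in the first listing, the missing clouddns Secret named in the Challenge), or whether renewal is overdue when it has been issued. The two embedded reports are constructed, abbreviated versions of the page's examples; the "Certificate is up to date and has not expired" condition on the issued one is assumed wording, and the function names parse_status and diagnose are this example's own.

```python
import re
from datetime import datetime

# Constructed samples, abbreviated from the `kubectl cert-manager status certificate`
# reports shown above: a certificate stuck on a DNS-01 challenge, then an issued one.
PENDING_STATUS = """\
Name: acme-certificate
Namespace: default
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuer:
  Name: acme-issuer
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Not Before: <none>
Not After: <none>
Renewal Time: <none>
Order:
  Name: acme-certificate-qp5dm-1319513028
  State: pending, Reason:
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: <omitted>, Key: <omitted>, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
"""

ISSUED_STATUS = """\
Name: example
Namespace: default
Conditions:
  Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
Issuer:
  Name: letsencrypt
  Kind: Issuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Secret:
  Name: example
  Issuer Common Name: Let's Encrypt Authority X3
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
"""

# "<Type>: <True|False|Unknown>, Reason: <r>, Message: <m>" as printed under Conditions:
COND_RE = re.compile(r"^(\w+): (True|False|Unknown), Reason: ([^,]*), Message: (.*)$")
# Tail of a "- Name: ..." challenge line; the Reason field may be empty.
CHALLENGE_RE = re.compile(r"State: (\w+), Reason: (.*?), Processing: (true|false), Presented: (true|false)$")


def _parse_time(value):
    """'<none>' becomes None; otherwise an aware datetime from the RFC 3339 stamp."""
    value = value.strip()
    return None if value == "<none>" else datetime.fromisoformat(value)


def parse_status(text):
    """Pull the fields a triage needs out of the plain-text report."""
    info = {"name": None, "conditions": {}, "issuer_conditions": {},
            "challenge_errors": [], "issuer_cn": None, "not_after": None, "renewal_time": None}
    section = None
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if not line:
            continue
        if indent == 0:
            key, _, value = line.partition(":")
            if value.strip() == "" and not line.startswith("-"):
                section = key  # a block header such as "Issuer:" or "Challenges:"
                continue
            if key == "Name":
                info["name"] = value.strip()
            elif key == "Not After":
                info["not_after"] = _parse_time(value)
            elif key == "Renewal Time":
                info["renewal_time"] = _parse_time(value)
            elif section == "Challenges" and line.startswith("- Name:"):
                m = CHALLENGE_RE.search(line)
                if m and m.group(2):
                    info["challenge_errors"].append(m.group(2))
            continue
        m = COND_RE.match(line)
        if m:
            target = {"Conditions": "conditions", "Issuer": "issuer_conditions"}.get(section)
            if target:
                info[target][m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif section == "Secret" and line.startswith("Issuer Common Name:"):
            info["issuer_cn"] = line.split(":", 1)[1].strip()
    return info


def diagnose(text, now=None):
    """One verdict: issued (and is renewal on track?) or the reason it is not."""
    s = parse_status(text)
    if isinstance(now, str):
        now = _parse_time(now)
    ready = s["conditions"].get("Ready")
    if ready and ready[0] == "True":
        verdict = {"ready": True, "issuer_cn": s["issuer_cn"],
                   "not_after": s["not_after"], "renewal_time": s["renewal_time"]}
        if now is not None and s["renewal_time"] is not None:
            # past Renewal Time with no new certificate means the renewal itself needs a look
            verdict["renewal_overdue"] = now > s["renewal_time"]
        return verdict
    issuer_ready = s["issuer_conditions"].get("Ready")
    if issuer_ready and issuer_ready[0] != "True":
        return {"ready": False, "cause": "issuer not ready: " + issuer_ready[2]}
    if s["challenge_errors"]:
        return {"ready": False, "cause": "challenge failing: " + s["challenge_errors"][0]}
    return {"ready": False, "cause": ready[2] if ready else "no Ready condition reported"}
```

The order of checks in diagnose mirrors the order in which the resources depend on each other: an issuer that is not ready explains everything downstream, a failing challenge explains a pending order, and only then is the certificate's own condition message reported.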

Using the latest stable Kubernetes APIs

cert-manager was one of the first projects to use Kubernetes CRDs. That, together with our support for Kubernetes versions going back to 1.11, meant we had to support the legacy apiextensions.k8s.io/v1beta1 for our CRDs and admissionregistration.k8s.io/v1beta1 for our webhooks. Both are now deprecated and will be removed from Kubernetes starting with version 1.22. With 1.0 we now offer full support for apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1 on Kubernetes 1.16 (where they were added) and newer. For users of earlier versions we continue to provide v1beta1 support in our legacy builds.

Improved logging

In this release we have updated the logging library to klog/v2, which is used in Kubernetes 1.19. We have also reviewed every log line we write to make sure it is given the appropriate level. We were guided in this by the guidance from Kubernetes. There are five (actually six, translator's note) log levels, starting from Error (level 0), which prints only critical errors, and ending with Trace (level 5), which tells you in detail what is going on. With this change we have reduced the volume of logs when you do not need debugging information while running cert-manager.

Tip: cert-manager runs at level 2 (Info) by default; you can override this with global.logLevel in the Helm chart.

Note: reading the logs is the last resort when troubleshooting. For more information, see our guide.

Editor's note: To learn more about how everything works under the hood of Kubernetes, get valuable advice from experienced trainers and quality help from technical support, you can take part in the online intensives Kubernetes Base, held September 28-30, and Kubernetes Mega, held October 14-16.

ACME improvements

The most common use of cert-manager is probably issuing certificates from Let's Encrypt using ACME. Version 1.0 is notable for using community feedback to add two small but important improvements to our ACME issuer.

Disabling account key generation

If you use ACME certificates in large volumes, you will probably use the same account across several clusters, so that your certificate issuance rate limits apply across all of them. This was already possible in cert-manager by copying the Secret referenced in privateKeySecretRef. That use case was quite fragile, however, because cert-manager tried to be helpful and happily created a new account key whenever it could not find one. That is why we added disableAccountKeyGeneration to protect you from this behaviour: if you set this option to true, cert-manager will not generate a key and will warn you that it has not been given an account key.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false

Preferred chain

On September 29, Let's Encrypt will switch to its own root CA, ISRG Root. The certificates cross-signed by IdenTrust will be replaced. This change requires no changes to the cert-manager configuration: all renewed or newly issued certificates after that date will use the new root CA.

Let's Encrypt is already signing certificates with this CA and offers them as an "alternative certificate chain" via ACME. In this version of cert-manager it is possible to configure access to these chains in the issuer settings. In the preferredChain parameter you specify the name of the active CA whose certificate should be used for issuing. If a CA certificate matching the request is found, the certificate will be issued with it. Note that this is a preferred option: if nothing matches, the default certificate is issued. This ensures that you will still renew your certificate after the alternative chain is removed on the ACME issuer's side.

Already today you can get certificates signed by ISRG Root, like this:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

If you prefer to keep the IdenTrust chain, set this option to DST Root CA X3:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"

Note that this root CA will soon be retired; Let's Encrypt will keep this chain working until September 29, 2021.
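As an added example (not code from the article or from cert-manager), here is a hypothetical pre-deploy lint in Python for Issuer manifests that encodes three recommendations made in this article: manifests should be on the cert-manager.io/v1 API since the earlier versions are being deprecated; an issuer whose privateKeySecretRef points at an account key copied between clusters should set disableAccountKeyGeneration: true, so that a missing Secret fails loudly instead of silently registering a fresh ACME account with its own rate limits (the manifest shown in the account-key section leaves the option at false); and a preferredChain of "DST Root CA X3" deserves a warning because Let's Encrypt keeps that chain only until September 29, 2021. The manifests below are the page's YAML expressed as Python dicts (what a YAML loader would return), with constructed names; the helper issuer, the function lint_issuer and its shared_account_secrets parameter are this example's own assumptions.

```python
def issuer(name, api_version="cert-manager.io/v1", **acme):
    """Build an Issuer manifest as a dict, i.e. what a YAML loader returns for the
    manifests shown above (helper for this example only)."""
    return {"apiVersion": api_version, "kind": "Issuer",
            "metadata": {"name": name}, "spec": {"acme": dict(acme)}}


# Constructed manifests mirroring the page's examples (names are made up).
SHARED_ACCOUNT_ISSUER = issuer(  # account key copied in, but generation left enabled
    "letsencrypt-shared",
    privateKeySecretRef={"name": "example-issuer-account-key"},
    disableAccountKeyGeneration=False)
HARDENED_ISSUER = issuer(  # the form this article recommends
    "letsencrypt",
    server="https://acme-v02.api.letsencrypt.org/directory",
    privateKeySecretRef={"name": "example-issuer-account-key"},
    disableAccountKeyGeneration=True,
    preferredChain="ISRG Root X1")
LEGACY_CHAIN_ISSUER = issuer(  # old API version and the chain that is being retired
    "letsencrypt-legacy", api_version="cert-manager.io/v1beta1",
    server="https://acme-v02.api.letsencrypt.org/directory",
    privateKeySecretRef={"name": "example-issuer-account-key"},
    preferredChain="DST Root CA X3")

CURRENT_API = "cert-manager.io/v1"
RETIRING_CHAIN = "DST Root CA X3"  # served by Let's Encrypt only until 2021-09-29


def lint_issuer(manifest, shared_account_secrets=()):
    """Return a list of findings; an empty list means the manifest follows the article's advice.

    shared_account_secrets: names of account-key Secrets that are copied between clusters,
    for which a missing copy must fail instead of registering a new ACME account.
    """
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if manifest.get("kind") not in ("Issuer", "ClusterIssuer"):
        return findings
    if manifest.get("apiVersion") != CURRENT_API:
        findings.append(f"{name}: apiVersion {manifest.get('apiVersion')} is deprecated; "
                        f"move the manifest to {CURRENT_API}")
    acme = manifest.get("spec", {}).get("acme")
    if acme is None:
        return findings  # the remaining checks only concern ACME issuers
    secret = acme.get("privateKeySecretRef", {}).get("name")
    if secret in shared_account_secrets and acme.get("disableAccountKeyGeneration") is not True:
        findings.append(f"{name}: account Secret {secret!r} is shared across clusters but "
                        "disableAccountKeyGeneration is not true; if the Secret were missing, "
                        "cert-manager would register a new ACME account with its own rate limits")
    if acme.get("preferredChain") == RETIRING_CHAIN:
        findings.append(f"{name}: preferredChain {RETIRING_CHAIN!r} pins the IdenTrust "
                        "cross-signed chain, which is served only until 2021-09-29")
    return findings


def lint_all(manifests, shared_account_secrets=()):
    """Lint several manifests; returns {issuer name: findings}, omitting clean ones."""
    report = {}
    for manifest in manifests:
        findings = lint_issuer(manifest, shared_account_secrets)
        if findings:
            report[manifest["metadata"]["name"]] = findings
    return report
```

The account-key rule is deliberately keyed on a list of known shared Secrets rather than firing on every issuer: for a single-cluster issuer the default behaviour of generating a key on first use is exactly what you want, and the article only warns against it when the key is meant to be shared.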

Source: www.habr.com
