If you ask an experienced and wise engineer what he thinks about cert-manager and why everyone uses it, that specialist will sigh, put an arm around you conspiratorially and say wearily: "Everyone uses it because there is no sane alternative. The mice cried and pricked themselves, but kept on eating the cactus. Why do we love it? Because it works. Why don't we love it? Because new versions keep coming out that use new features, and you have to update the cluster again and again. And the old versions stop working, because of conspiracy and great mysterious shamanism."
But the developers claim that everything will change with cert-manager 1.0.
Shall we believe them?

Cert-manager is a native certificate manager for Kubernetes. It can obtain certificates from several sources: Let's Encrypt, HashiCorp Vault, Venafi and others, and it keeps them valid by renewing them on time. Cert-manager grew out of kube-lego and also borrowed ideas from similar projects such as kube-cert-manager.
Version 1.0 is an important milestone for cert-manager, the result of several years of work by the maintainers and the community and of the growth of the Kubernetes ecosystem around them. Over that time there have been 16 releases and several revisions of the API; on GitHub the project has accumulated more than 1500 issues and pull requests from 253 contributors.
With 1.0 the developers are saying that cert-manager has matured into a stable project, with a stable API: v1.
So, what does cert-manager 1.0 bring? The main changes are:
- API v1;
- the kubectl cert-manager status command, which helps analyze problems;
- use of current Kubernetes APIs;
- improved logging;
- ACME improvements.
API v1
v0.16 introduced API v1beta1, the last step toward a stable API. Release 1.0 brings API v1. The API is now considered stable, and API v1 is the version to use from now on.
The changes compared to v1beta1 are minimal (only field renames):
- emailSANs → emailAddresses
- uriSANs → uris
These fields describe SANs (subject alternative names, that is, additional names in the certificate); the new names match the ones used in Go's crypto/x509 API and make the cert-manager API more consistent.
On Kubernetes 1.16+, conversion webhooks let cert-manager serve all API versions at once: v1alpha2, v1alpha3, v1beta1 and v1. Existing manifests in the old versions keep working, but you should migrate them to API v1 as soon as you can. The legacy manifests of cert-manager (for older Kubernetes) support only v1, so there the migration has to happen before the upgrade.
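Migrating stored manifests by hand is error-prone, so here is a small tool for the field renames described above. It is an added example, not code from the cert-manager project: it takes a Certificate (or the kind: List that kubectl get -o json returns) as JSON, bumps apiVersion to cert-manager.io/v1, renames emailSANs and uriSANs, and reports what it touched. The embedded v1beta1 manifest is constructed sample input with placeholder names; the handling of a manifest that already carries both spellings of a field is my own choice (keep the v1 one and flag it), not documented cert-manager behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// renamedSpecFields lists the spec fields whose names changed between
// v1beta1 and v1 (the only field renames the 1.0 upgrade involves).
var renamedSpecFields = [][2]string{
	{"emailSANs", "emailAddresses"},
	{"uriSANs", "uris"},
}

// MigrateCertificate rewrites one cert-manager Certificate (decoded into a
// generic map, e.g. from `kubectl get certificate -o json`) to API v1 and
// returns a human-readable list of what it changed. Objects that are not
// cert-manager Certificates are left untouched.
func MigrateCertificate(obj map[string]interface{}) []string {
	apiVersion, _ := obj["apiVersion"].(string)
	if obj["kind"] != "Certificate" || !strings.HasPrefix(apiVersion, "cert-manager.io/") {
		return nil
	}
	var changes []string
	if apiVersion != "cert-manager.io/v1" {
		obj["apiVersion"] = "cert-manager.io/v1"
		changes = append(changes, "apiVersion "+apiVersion+" -> cert-manager.io/v1")
	}
	spec, _ := obj["spec"].(map[string]interface{})
	for _, pair := range renamedSpecFields {
		oldName, newName := pair[0], pair[1]
		value, present := spec[oldName]
		if !present {
			continue
		}
		if _, clash := spec[newName]; clash {
			// Both spellings present: keep the v1 field, drop the old one,
			// and flag it so a human reviews the manifest.
			delete(spec, oldName)
			changes = append(changes, "spec."+oldName+" dropped: spec."+newName+" already set")
			continue
		}
		spec[newName] = value
		delete(spec, oldName)
		changes = append(changes, "spec."+oldName+" -> spec."+newName)
	}
	return changes
}

// MigrateDocument accepts either a single object or a kind: List (what
// kubectl returns for `get ... -o json`) and migrates every item in place.
func MigrateDocument(obj map[string]interface{}) []string {
	if obj["kind"] != "List" {
		return MigrateCertificate(obj)
	}
	var changes []string
	items, _ := obj["items"].([]interface{})
	for _, item := range items {
		if m, ok := item.(map[string]interface{}); ok {
			changes = append(changes, MigrateCertificate(m)...)
		}
	}
	return changes
}

// sampleV1beta1 is a constructed v1beta1 Certificate used when no input is
// piped in; the names in it are placeholders.
const sampleV1beta1 = `{
  "apiVersion": "cert-manager.io/v1beta1",
  "kind": "Certificate",
  "metadata": {"name": "example", "namespace": "default"},
  "spec": {
    "secretName": "example-tls",
    "dnsNames": ["example.com"],
    "emailSANs": ["admin@example.com"],
    "uriSANs": ["spiffe://example.com/app"],
    "issuerRef": {"name": "letsencrypt", "kind": "Issuer"}
  }
}`

func main() {
	raw := []byte(sampleV1beta1)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		var err error
		if raw, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	var obj map[string]interface{}
	if err := json.Unmarshal(raw, &obj); err != nil {
		fmt.Fprintln(os.Stderr, "invalid JSON:", err)
		os.Exit(1)
	}
	for _, c := range MigrateDocument(obj) {
		fmt.Fprintln(os.Stderr, "migrated:", c)
	}
	out, _ := json.MarshalIndent(obj, "", "  ")
	fmt.Println(string(out))
}
```

Run it without arguments to see the embedded sample migrated, or pipe real objects in with `kubectl get certificates -A -o json | go run migrate.go -`. Review the "migrated:" lines on stderr before applying the output: the tool only renames, it does not validate the rest of the spec against the v1 schema.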
kubectl cert-manager status
The kubectl plugin makes working with cert-manager easier, and it now has a status command. kubectl cert-manager status shows in one place where the issuance of a certificate currently stands and what is blocking it, so you do not have to inspect several resources by hand.
kubectl cert-manager status certificate <certificate-name> prints everything connected to the certificate: the CertificateRequest, the Secret, the Issuer and, for ACME, the Order and the Challenges.
Example for a certificate that has not been issued yet:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 18m cert-manager Issuing certificate as Secret does not exist
Normal Generated 18m cert-manager Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
Normal Requested 18m cert-manager Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
Name: acme-issuer
Kind: Issuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
Name: acme-certificate-qp5dm
Namespace: default
Conditions:
Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 18m cert-manager Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
Name: acme-certificate-qp5dm-1319513028
State: pending, Reason:
Authorizations:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
And here is the output for a certificate that has already been issued by Let's Encrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
Name: example
Issuer Country: US
Issuer Organisation: Let's Encrypt
Issuer Common Name: Let's Encrypt Authority X3
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication, Client Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID: 65081d98a9870764590829b88c53240571997862
Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
Kubernetes APIs
Cert-manager extends Kubernetes with CRDs. To keep supporting Kubernetes as old as 1.11, it used apiextensions.k8s.io/v1beta1 for the CRDs and admissionregistration.k8s.io/v1beta1 for the webhooks. Both are scheduled for removal in Kubernetes 1.22. 1.0 switches to apiextensions.k8s.io/v1 and admissionregistration.k8s.io/v1, which requires Kubernetes 1.16 (the minimum for the standard manifests). The v1beta1 APIs remain only in the legacy manifests.
Logging has moved to klog/v2, the library that Kubernetes 1.19 uses. Along the way many log messages were reviewed to make them more useful, and log levels now follow the Kubernetes convention (levels 0 to 5, where a higher number means more output). They range from Error (level 0), which prints only errors, to Trace (level 5), which prints everything, so you can get exactly the amount of detail you need when debugging cert-manager.
Note: the default log level of cert-manager is 2 (Info); it can be changed with the global.logLevel value of the Helm chart.
: - . .
N.B. : , Kubernetes, -, , - Kubernetes , 28-30 , Kubernetes , 14–16 .
ACME
The most common use of cert-manager is getting certificates from Let's Encrypt via ACME. 1.0 brings a couple of improvements to the ACME issuer.
An ACME account is identified by its private key, and without that key the account cannot be used. Cert-manager keeps the key in the Secret named in privateKeySecretRef. If that Secret does not exist, cert-manager generates a new key and registers a new account with it. That is not always what you want: when you deliberately reuse one account, silently creating a new one hides a misconfiguration. For that case there is the new field disableAccountKeyGeneration: set it to true and cert-manager will never generate a key; if the Secret is missing, the Issuer fails instead of registering a fresh account.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    privateKeySecretRef:
      name: example-issuer-account-key
    disableAccountKeyGeneration: false
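When you set disableAccountKeyGeneration: true, the Secret has to exist before the Issuer does, and it has to contain a key cert-manager can decode. The following added example (my code, not cert-manager's) validates an account key in PEM form and builds the Secret manifest for it; it relies on the assumption that cert-manager reads the account key from the tls.key entry of the Secret, so check that against the docs of your release. The names match the Issuer above and are placeholders; the key it generates when run stand-alone is constructed on the spot.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// ValidateAccountKey checks that keyPEM holds exactly one private key in a
// form cert-manager can decode (PKCS#1 RSA, PKCS#8, or SEC 1 EC). Run it
// before creating the Secret: with disableAccountKeyGeneration: true a
// malformed key is only discovered when the Issuer fails to become Ready.
func ValidateAccountKey(keyPEM []byte) error {
	block, rest := pem.Decode(keyPEM)
	if block == nil {
		return errors.New("no PEM block found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return errors.New("unexpected data after the first PEM block")
	}
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY":
		_, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		_, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		_, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		err = fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	return err
}

// AccountKeySecret builds the Secret that privateKeySecretRef must point at.
// Assumption: cert-manager looks for the ACME account key under the
// "tls.key" entry of that Secret.
func AccountKeySecret(name, namespace string, keyPEM []byte) (map[string]interface{}, error) {
	if err := ValidateAccountKey(keyPEM); err != nil {
		return nil, fmt.Errorf("account key: %w", err)
	}
	return map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]string{"name": name, "namespace": namespace},
		"type":       "Opaque",
		"data":       map[string]string{"tls.key": base64.StdEncoding.EncodeToString(keyPEM)},
	}, nil
}

// NewAccountKeyPEM generates a fresh RSA account key in PKCS#1 PEM form, for
// the case where you create and back up the key yourself instead of letting
// cert-manager generate it. Use 2048 bits or more.
func NewAccountKeyPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	}), nil
}

func main() {
	keyPEM, err := NewAccountKeyPEM(2048)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Placeholder names, matching the Issuer example above.
	secret, err := AccountKeySecret("example-issuer-account-key", "default", keyPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(secret, "", "  ")
	fmt.Println(string(out)) // pipe into: kubectl apply -f -
}
```

Apply the printed Secret first, then the Issuer with disableAccountKeyGeneration: true; the Issuer's Ready condition tells you whether the key was accepted. Treat the PEM like any other long-lived credential: whoever holds it can issue certificates for every domain the account has validated.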
On September 29 Let's Encrypt switches the default chain it serves to its own ISRG Root X1 instead of the IdenTrust cross-signed one. For cert-manager users who need a particular chain (for example, to keep old clients that trust only the IdenTrust root working) it is now possible to choose which CA chain to request.
Let's Encrypt offers the other chain through ACME's alternate chain mechanism (alternate links returned together with the certificate), and cert-manager now supports it in the issuer. The preferredChain field names the CA whose chain you want: cert-manager picks the first chain offered by the server that contains a certificate issued by a CA with that Common Name. If the server does not offer such a chain, the default chain is used; it is a preference, not a requirement. The field belongs to the generic ACME issuer, so it works with any ACME server that offers alternate chains, not only Let's Encrypt.
For example, to get the chain rooted in ISRG Root X1:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
And to get the IdenTrust chain, rooted in DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "DST Root CA X3"
Keep in mind that Let's Encrypt will offer this chain only until September 29, 2021.
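To make the preferredChain rule and its fallback concrete, here is an added example in Go (my code, not cert-manager's implementation) that builds two chains for one leaf certificate, the way an ACME server offering a default and an alternate chain does: one intermediate key cross-signed by two different roots. It then selects a chain by the issuer Common Name exactly as described above, falls back to the default chain when nothing matches, and checks each chain the way a client that trusts only one root would. The CA names and all certificates are constructed on the spot; they stand in for the ISRG Root X1 and DST Root CA X3 chains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelectChain applies the preferredChain rule: among the chains the ACME
// server offers (default chain first, then the alternates), return the
// first one containing a certificate issued by a CA whose Common Name is
// preferred. With no match the default chain is returned, because
// preferredChain is a preference, not a requirement.
func SelectChain(chains [][]*x509.Certificate, preferred string) []*x509.Certificate {
	if len(chains) == 0 {
		return nil
	}
	if preferred != "" {
		for _, chain := range chains {
			for _, cert := range chain {
				if cert.Issuer.CommonName == preferred {
					return chain
				}
			}
		}
	}
	return chains[0]
}

// VerifyChain checks a chain the way a client that trusts only root would.
func VerifyChain(chain []*x509.Certificate, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		DNSName: "example.com", Roots: roots, Intermediates: inters,
	})
	return err
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{"example.com"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildSampleChains constructs what an ACME server offering two chains looks
// like: one intermediate key cross-signed by two different roots, so the
// same leaf validates against either root. CA names are placeholders.
// Returns the chains (default first) and the matching roots.
func BuildSampleChains() (chains [][]*x509.Certificate, roots []*x509.Certificate) {
	rootAKey, rootBKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	tmplA, tmplB := template("Example Root A", true, 1), template("Example Root B", true, 2)
	rootA := sign(tmplA, tmplA, &rootAKey.PublicKey, rootAKey)
	rootB := sign(tmplB, tmplB, &rootBKey.PublicKey, rootBKey)
	interA := sign(template("Example Intermediate", true, 3), rootA, &interKey.PublicKey, rootAKey)
	interB := sign(template("Example Intermediate", true, 4), rootB, &interKey.PublicKey, rootBKey)
	leaf := sign(template("example.com", false, 5), interA, &leafKey.PublicKey, interKey)
	return [][]*x509.Certificate{{leaf, interA}, {leaf, interB}}, []*x509.Certificate{rootA, rootB}
}

func main() {
	chains, roots := BuildSampleChains()
	for _, preferred := range []string{"Example Root B", "Example Root A", "No Such Root"} {
		chain := SelectChain(chains, preferred)
		top := chain[len(chain)-1]
		fmt.Printf("preferredChain=%q -> chain topped by %q (issued by %q)\n",
			preferred, top.Subject.CommonName, top.Issuer.CommonName)
	}
	// A client that only trusts Root B accepts chain B but rejects chain A.
	fmt.Println("chain B vs Root B:", VerifyChain(chains[1], roots[1]))
	fmt.Println("chain A vs Root B:", VerifyChain(chains[0], roots[1]))
}
```

The last two lines are the practical point of preferredChain: the leaf is identical in both chains, but a client whose trust store holds only one of the roots accepts only the chain that leads to it. Because the fallback is silent, a client-side check of the served chain (the Issuer fields in kubectl cert-manager status output, or openssl s_client against the endpoint) is what actually tells you which chain you got.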