Si vous demandez à un ingénieur expérimenté et avisé ce qu'il pense du cert-manager et pourquoi tout le monde l'utilise, le spécialiste soupira, embrassera confidentiellement et dira avec lassitude: «Tout le monde l'utilise parce qu'il n'y a pas d'alternatives sensées. Nos souris pleurent, piquent, mais continuent à vivre avec ce cactus. Pourquoi aimons-nous? Parce que ça marche. Pourquoi n'aimons-nous pas? Parce que de nouvelles versions sont constamment publiées et utilisent de nouvelles fonctionnalités. Et vous devez mettre à jour le cluster encore et encore. Et les anciennes versions cessent de fonctionner, car une conspiration est aussi un grand chamanisme mystérieux. "
Mais les développeurs affirment que tout changera avec cert-manager 1.0 .
Croirons-nous?
Cert-manager - «» Kubernetes. : Let's Encrypt, HashiCorp Vault, Venafi, . , . Cert-manager kube-lego, , kube-cert-manager.
1.0 cert-manager. , - . , Kubernetes, . 16 . , - . API . 1500 GitHub 253 .
1.0 , cert-manager - . API v1.
, cert-manager ! 1.0 .
1.0 - :
v1API;kubectl cert-manager status, ;API Kubernetes;
;
ACME.
.
API v1
v0.16 API v1beta1. , API. 1.0 API v1. API , , API v1 .
(: ):
:
emailSANsemailAddressesuriSANs-uris
SAN (subject alt names, . ), Go API. API.
Kubernetes 1.16+ - webhooks API v1alpha2, v1alpha3, v1beta1 v1. API . API v1, . legacy cert-manager - v1, .
kubectl cert-manager status
C kubectl , . kubectl cert-manager status , , .
kubectl cert-manager status certificate <->, , CertificateRequest, Secret, Issuer, Order Challenges ACME.
:
$ kubectl cert-manager status certificate acme-certificate
Name: acme-certificate
Namespace: default
Created at: 2020-08-21T16:44:13+02:00
Conditions:
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- example.com
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 18m cert-manager Issuing certificate as Secret does not exist
Normal Generated 18m cert-manager Stored new private key in temporary Secret resource "acme-certificate-tr8b2"
Normal Requested 18m cert-manager Created new CertificateRequest resource "acme-certificate-qp5dm"
Issuer:
Name: acme-issuer
Kind: Issuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
error when finding Secret "acme-tls": secrets "acme-tls" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
Name: acme-certificate-qp5dm
Namespace: default
Conditions:
Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order default/acme-certificate-qp5dm-1319513028: "pending"
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 18m cert-manager Created Order resource default/acme-certificate-qp5dm-1319513028
Order:
Name: acme-certificate-qp5dm-1319513028
State: pending, Reason:
Authorizations:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/97777571, Identifier: example.com, Initial State: pending, Wildcard: false
Challenges:
- Name: acme-certificate-qp5dm-1319513028-1825664779, Type: DNS-01, Token: J-lOZ39yNDQLZTtP_ZyrYojDqjutMAJOxCL1AkOEZWw, Key: U_W3gGV2KWgIUonlO2me3rvvEOTrfTb-L5s0V1TJMCw, State: pending, Reason: error getting clouddns service account: secret "clouddns-accoun" not found, Processing: true, Presented: false
. , Letsencrypt:
$ kubectl cert-manager status certificate example
Name: example
[...]
Secret:
Name: example
Issuer Country: US
Issuer Organisation: Let's Encrypt
Issuer Common Name: Let's Encrypt Authority X3
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication, Client Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID: 65081d98a9870764590829b88c53240571997862
Authority Key ID: a84a6a63047dddbae6d139b7a64565eff3a8eca1
Serial Number: 0462ffaa887ea17797e0057ca81d7ba2a6fb
Events: <none>
Not Before: 2020-06-02T04:29:56+02:00
Not After: 2020-08-31T04:29:56+02:00
Renewal Time: 2020-08-01T04:29:56+02:00
[...]
API Kubernetes
Cert-manager , Kubernetes CRDs. , Kubernetes 1.11, , apiextensions.k8s.io/v1beta1 CRD, admissionregistration.k8s.io/v1beta1 webhooks. Kubernetes 1.22. 1.0 apiextensions.k8s.io/v1 admissionregistration.k8s.io/v1 Kubernetes 1.16 ( ) . v1beta1 legacy .
klog/v2, Kubernetes 1.19. , , . Kubernetes. ( - , . ) , Error ( 0), , Trace ( 5), , . , cert-manager.
: - cert-manager 2 (Info), global.logLevel Helm chart.
: - . .
N.B. : , Kubernetes, -, , - Kubernetes , 28-30 , Kubernetes , 14–16 .
ACME
cert-manager Let's Encrypt ACME. 1.0 , ACME issuer.
ACME , , . cert-manager , privateKeySecretRef. , cert-manager , . disableAccountKeyGeneration, , true - cert-manager , .
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
privateKeySecretRef:
name: example-issuer-account-key
disableAccountKeyGeneration: false
29 Let's Encrypt ISRG Root. Identrust. cert-manager, , , CA.
Let's Encrypt CA « » ACME. cert-manager issuer. preferredChain CA, . CA, , . , , - -. , ACME issuer.
, ISRG Root, :
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
preferredChain: "ISRG Root X1"
IdenTrust - DST Root CA X3:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
preferredChain: "DST Root CA X3"
, , Let's Encrypt 29 2021 .