๋กœ์ผ“๐Ÿพ
article thumbnail
๋ฐ˜์‘ํ˜•
์ด ๊ธ€์€ TLS ์— ๋Œ€ํ•œ ๊ธฐ์ดˆ์ ์ธ ๊ฐœ๋…์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. 
์ตœ์†Œํ•œ HTTPS ๊ฐ€ ์–ด๋–ป๊ฒŒ ๋™์ž‘ํ•˜๋ฉฐ, CA, CSR, tls.cert ๋“ฑ๊ณผ ๊ฐ™์€ ๊ฒƒ์ด ๋ฌด์—‡์ธ์ง€ ์•Œ์•„์•ผ ํ•ฉ๋‹ˆ๋‹ค.

 

๋ฏธ๋‹ˆ PC ์—์„œ ์ฟ ๋ฒ„๋„คํ‹ฐ์Šค ํด๋Ÿฌ์Šคํ„ฐ๋ฅผ ๊ตฌ์„ฑํ•˜์—ฌ ์ด๊ฒƒ์ €๊ฒƒ ํ•ด๋ณด๊ณ  ์žˆ๋Š”๋ฐ, ๋Š˜ ํ•˜๋‚˜ ๋งˆ์Œ์— ๊ฑธ๋ฆฌ๋Š” ๊ฒƒ์ด ์žˆ์—ˆ์Šต๋‹ˆ๋‹ค.

๋ฐ”๋กœ ๋„๋ฉ”์ธ๊ณผ TLS ์ž…๋‹ˆ๋‹ค!

 

๋„๋ฉ”์ธ ๊ฐ™์€ ๊ฒฝ์šฐ ๋งฅ /etc/host ์— ์ถ”๊ฐ€ํ•ด์„œ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ์—ˆ๊ณ , TLS ๊ฐ€ ์ ์šฉ๋˜์ง€ ์•Š๋‹ค๋ณด๋‹ˆ ๋Š˜ ์ฃผ์˜ ์š”ํ•จ์„ ๋‹ฌ๊ณ  ์žˆ์—ˆ์ฃ .

๋กœ์ปฌ ๋„๋ฉ”์ธ ๋งคํ•‘

 

With an AWS ALB, applying TLS is easy through Route53 and ACM, but without AWS you end up having to buy a certificate. Certificates are usually paid, but Let's Encrypt issues them for free, so in this post I'll apply TLS for free in a local environment using Let's Encrypt and Istio.

 

๋“ค์–ด๊ฐ€๊ธฐ ์•ž์„œ ์ค€๋น„ํ•  ๊ฒƒ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฐ”๋กœ TLS ๋ฅผ ์ ์šฉํ•˜๊ณ ์ž ํ•˜๋Š” ๋„๋ฉ”์ธ์ž…๋‹ˆ๋‹ค.

 

์ € ๊ฐ™์€ ๊ฒฝ์šฐ CloudFlare ์—์„œ ๋„๋ฉ”์ธ์„ ๊ตฌ๋งคํ•˜์˜€๊ณ , ๋‹ค์Œ๊ณผ ๊ฐ™์ด DNS ๋ ˆ์ฝ”๋“œ๋ฅผ ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.

httpbin.kingbj0429.uk ์™€ ๊ฐ™์ด ์„œ๋ธŒ๋„๋ฉ”์ธ์„ ์‚ฌ์šฉํ•  ๊ฒƒ์ด๊ธฐ ๋•Œ๋ฌธ์— ์™€์ผ๋“œ์นด๋“œ๋ฅผ ์ด์šฉํ•œ ๋ ˆ์ฝ”๋“œ๋ฅผ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค.

๋ฉ”์ธ ๋„๋ฉ”์ธ๊ณผ ์„œ๋ธŒ ๋„๋ฉ”์ธ ํ™•์ธ

 

๊ทธ๋Ÿผ ๋ณธ๊ฒฉ์ ์œผ๋กœ ์‹œ์ž‘ํ•ด๋ณด์ฃ !

 

๋ ›์ธ ๋‘๋”์ฝ”๋“œ~

 

 

๋จผ์ € Cert Manager ์— ๋Œ€ํ•ด ์กฐ๊ธˆ์€ ์•Œ์•„๋ณด์ฃ !

 

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค ํ™˜๊ฒฝ์—๋Š” ๋ฌด์ˆ˜ํžˆ ๋งŽ์€ ํŒŒ๋“œ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฏผ๊ฐํ•œ ๋ฐ์ดํ„ฐ๋ฅผ ์ฃผ๊ณ  ๋ฐ›๋Š” ํŒŒ๋“œ๋ผ๋ฉด ๋‹น์—ฐํžˆ TLS ์„ ํ†ตํ•ด ์•ˆ์ „ํ•œ ํ†ต์‹ ์„ ํ•ด์ฃผ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ํ•˜๋‚˜์˜ ํŒŒ๋“œ์— TLS ๋ฅผ ์ ์šฉํ•˜๋Š” ๊ฑด ์‚ด์ง ๊ท€์ฐฎ์•„๋„ ์–ด๋ ต์ง€ ์•Š์•„์š”. TLS ๊ฐ€ ๋งŒ๋ฃŒ๊ฐ€ ๋˜๋„, ํŒŒ๋“œ ํ•˜๋‚˜์— ๋Œ€ํ•ด์„œ๋งŒ ๊ฐฑ์‹ ํ•ด์ฃผ๋ฉด ๋˜๊ธฐ ๋•Œ๋ฌธ์— ๋ฌธ์ œ๊ฐ€ ์—†์–ด์š”.

 

ํ•˜์ง€๋งŒ ํŒŒ๋“œ๊ฐ€ 100๊ฐœ๋ผ๋ฉด ์–ด๋–จ๊นŒ์š”? ๊ฐฑ์‹ ํ•˜๋Š” ๊ฒƒ๋งŒ์œผ๋กœ๋„ ๋ฒŒ์จ ์ผ์ฃผ์ผ์ด ๋‹ค ๊ฐˆ ๊ฒ๋‹ˆ๋‹ค.

๊ทธ๋ž˜์„œ TLS ์ธ์ฆ์„œ๋ฅผ ํŽธ๋ฆฌํ•˜๊ฒŒ ๊ด€๋ฆฌํ•  ์ˆ˜ ์žˆ๋„๋ก ๋„์™€์ฃผ๋Š” ๊ฒƒ์ด ๋ฐ”๋กœ Cert Manager ์ž…๋‹ˆ๋‹ค.

 

Issuer ๋ฅผ ํ†ตํ•ด ์–ธ์ œ๋“ ์ง€ Certificate ๋ฅผ ๋งŒ๋“ค ์ˆ˜ ์žˆ๊ณ , ๊ฐฑ์‹  ๋˜ํ•œ ์•Œ์•„์„œ ๋‹ค ํ•ด์ค๋‹ˆ๋‹ค.

Cert Manager ๋ฅผ ์‚ฌ์šฉํ•ด๋„ ํŒŒ๋“œ ๊ฐ„ ํ†ต์‹ ์— TLS ๋ฅผ ์ ์šฉํ•˜๋Š” ๊ฑด ์ƒ๋‹นํžˆ ๊ท€์ฐฎ์Šต๋‹ˆ๋‹ค.
๊ทธ๋ž˜์„œ Istio ๋ฅผ ์‚ฌ์šฉํ•˜๊ฒŒ ๋˜๋ฉด ๋ณดํ†ต mTLS ๋ฅผ ํ†ตํ•ด ํŒŒ๋“œ๊ฐ€ ํ†ต์‹ ์„ ์•”ํ˜ธํ™” ํ•ด์ค๋‹ˆ๋‹ค.

mTLS ์— ๋Œ€ํ•ด ๊ถ๊ธˆํ•˜๋‹ค๋ฉด ์—ฌ๊ธฐ ์ฐธ๊ณ !

 

๊ทผ๋ฐ ์—ฌ๊ธฐ์„œ ๋ฌธ์ œ๋Š” Issuer ๊ฐ™์€ ๊ฒฝ์šฐ ๋ณดํ†ต SelfSigned ๋ฅผ ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ผ๋ฐ˜ ๋ธŒ๋ผ์šฐ์ €์—์„œ ์ ‘๊ทผํ•˜๊ณ ์ž ํ•˜๋ ค๋ฉด ์ฃผ์˜ ์š”ํ•จ์ด ๋– ์š”. 

์™œ๋ƒ ๋ฏฟ์„ ์ˆ˜ ์—†๋Š” ca.cert ์ด๊ธฐ ๋•Œ๋ฌธ์ด์ฃ .

 

๊ทธ๋ž˜์„œ ์šฐ๋ฆฌ๋Š” SelfSigned ๊ฐ€ ์•„๋‹Œ, Certificate Authority ๊ฐ€ ์ œ๊ณตํ•ด์ฃผ๋Š” ca.cert ๊ฐ€ ํ•„์š”ํ•˜๊ณ , ca.cert ๋ฅผ ํ†ตํ•ด ๋ฐœ๊ธ‰๋ฐ›์€ tls.cert ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

 

Let's Ecrypt ๋Š” Certificate Authority ์ด๊ธฐ ๋•Œ๋ฌธ์— ์—ฌ๊ธฐ์„œ ๊ฒ€์ฆ ๋ฐ›์€ tls.cert ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์ฃผ์˜ ์š”ํ•จ์„ ์—†์•จ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

SelfSigned ๋ฅผ ํ†ตํ•ด ๊ฒ€์ฆ ๋ฐ›์€ tls.cert ๋„ ์ฃผ์˜ ์š”ํ•จ์„ ์—†์•จ ์ˆ˜ ์žˆ๋Š”๋ฐ, ๋ฐ”๋กœ ๋ธŒ๋ผ์šฐ์ €์— SelfSigned ๋œ ca.cert ๋ฅผ ์ถ”๊ฐ€ํ•˜๋Š” ๊ฒƒ์ด์ฃ .
๋งฅ ๊ฐ™์€ ๊ฒฝ์šฐ ํ‚ค ์ฒด์ธ์— ์ถ”๊ฐ€ํ•ด์ฃผ๋ฉด ๋ฉ๋‹ˆ๋‹ค.

ํ•˜์ง€๋งŒ ์Šค์ฝ”ํ”„๊ฐ€ ์™„์ „ํžˆ ๋กœ์ปฌ์ด๊ธฐ ๋•Œ๋ฌธ์— ๋‹ค๋ฅธ ์‚ฌ๋žŒ์ด ๊ฒฐ๊ตญ ์ ‘๊ทผํ•˜๋ ค๊ณ  ํ•˜๋ฉด ์ฃผ์˜ ์š”ํ•จ์ด ๋ฐœ์ƒํ•˜์ฃ .

 

์š”์•ฝํ•ด๋ณด์ž๋ฉด Let's Ecrypt CA ๊ฐ€ ๋ฐœ๊ธ‰ํ•ด์ค€ tls.cert ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์•ˆ์ „ํ•œ https ํ†ต์‹ ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. 

Cert Manager ๋Š” ์ด๋Ÿฌํ•œ tls.cert ๋ฅผ ์‚ฌ์šฉ์ž ๋Œ€์‹  ์ƒ์„ฑํ•ด์ฃผ๊ณ , ์ž๋™ ๊ฐฑ์‹  ๋“ฑ ๋‹ค์•™ํ–” ๊ธฐ๋Šฅ์„ ์ œ๊ณตํ•ด์ค๋‹ˆ๋‹ค.

 

๊ทธ๋Ÿผ ์ด์ œ ์ง„์งœ ์‹ค์Šต์œผ๋กœ ๋“ค์–ด๊ฐ€๋ณด์ฃ !

 

๋งŒ๋“ค๊ณ ์ž ํ•˜๋Š” ์•„ํ‚คํ…์ฒ˜๋Š” ์•„๋ž˜์™€ ๊ฐ™์•„์š”.

๋Œ€๋žต์ ์ธ ์•„ํ‚คํ…์ฒ˜

 

 

๋„๋ฉ”์ธ ์†Œ์œ ๊ถŒ์„ ํ™•์ธํ•˜๊ธฐ ์œ„ํ•ด์„œ ACME(Automated Certificate Management Environment) ํ”„๋กœํ† ์ฝœ์„ ์‚ฌ์šฉํ•˜๊ฒŒ ๋˜๋Š”๋ฐ, ๊ณต์‹ ๋ฌธ์„œ์—์„œ ๊ฐ๊ฐ ๋„๋ฉ”์ธ์— ๋งž๋Š” ๊ฒƒ์„ ์‚ฌ์šฉํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.

 

 

์ €๋Š” CloudFlare ๋ฅผ ํ†ตํ•ด ๋„๋ฉ”์ธ์„ ๊ตฌ๋งคํ–ˆ๊ธฐ ๋•Œ๋ฌธ์— ๋„๋ฉ”์ธ ์†Œ์œ ๊ถŒ์„ ํ™•์ธํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” cloudflare ์˜ api ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

๋‹ค์–‘ํ•œ ACME ๋ฅผ ์ œ๊ณตํ•˜๋‹ˆ ๋ณธ์ธ ํ™˜๊ฒฝ์— ๋งž๊ฒŒ ์ ์šฉํ•˜์‹œ๋ฉด ๋  ๊ฑฐ ๊ฐ™์•„์š”.

 

๊ณต์‹ ๋ฌธ์„œ์— ๋‚˜์™€์žˆ๋Š” ๋Œ€๋กœ ์ €๋Š” API Token ์„ ์ƒ์„ฑํ–ˆ๊ณ , Secret ๊ณผ Issuer ๋ฅผ ์ƒ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.

 

์—ฌ๊ธฐ์„œ ์ •๋ง ์ค‘์š”ํ•œ ํฌ์ธํŠธ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค!!!

๊ณต์‹ ๋ฌธ์„œ๋ฅผ ๋ณด๋ฉด Secret ๋ฆฌ์†Œ์Šค์—์„œ data ๊ฐ€ ์•„๋‹Œ stringData ๋ฅผ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋Š”๋ฐ data ๋ฅผ ์‚ฌ์šฉํ•ด์ค์‹œ๋‹ค.

apiVersion: v1
data:
  api-token: <base64 encoded api token>
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: istio-system
type: Opaque
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-dns01-prod-issuer
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: kingbj0429@gmail.com
    privateKeySecretRef:
      name: letsencrypt-dns01-prod-key-pair
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token

 

ACME ํ”„๋กœํ† ์ฝœ์€ ๋„๋ฉ”์ธ์˜ ์†Œ์œ ์ž๋ฅผ ํ™•์ธํ•˜๊ณ  ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ ๊ฐ€๋Šฅ์ผ€ ํ•ด์ฃผ๋Š” ํ”„๋กœํ† ์ฝœ ์ž…๋‹ˆ๋‹ค.
ํฌ๊ฒŒ ์ข…๋ฅ˜๋Š” DNS-01 ๊ณผ HTTP-01 ์ด ์žˆ์ฃ .

DNS-01 ์€ DNS ๋ ˆ์ฝ”๋“œ๋ฅผ ํ†ตํ•ด ์†Œ์œ ๊ถŒ์„ ํ™•์ธํ•˜๊ณ ,
HTTP-01 ์€ HTTP ์š”์ฒญ์„ ํ†ตํ•ด ์†Œ์œ ๊ถŒ์„ ํ™•์ธํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

 

For the API Token permissions you can just follow the docs, but I'm attaching them just in case.

 

 

๊ทธ๋Ÿผ ์ด์ œ ์ƒ์„ฑํ•œ Issuer ๋ฅผ ํ†ตํ•ด Certificate ๋ฅผ ์ƒ์„ฑํ•ด๋ณด์ฃ .

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kingbj0429-uk-cert
  namespace: istio-system # to apply this to the gateway it MUST be the namespace Istio is deployed in!!
spec:
  isCA: false
  secretName: kingbj0429-uk-key-pair
  commonName: kingbj0429.uk
  dnsNames:
    - kingbj0429.uk
    - httpbin.kingbj0429.uk
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096
  issuerRef:
    name: letsencrypt-dns01-prod-issuer
    kind: Issuer
    group: cert-manager.io

 

To apply it to the Istio Gateway, the Certificate must be created in the namespace where Istio is deployed!!

 

๋ฐฐํฌํ•˜๊ฒŒ ๋˜๋ฉด ์ด์ œ ๋ณธ๊ฒฉ์ ์œผ๋กœ Cert Manager ๊ฐ€ ํ•ด๋‹น ๋„๋ฉ”์ธ์— TLS ๋ฅผ ์ ์šฉํ•˜๊ธฐ ์œ„ํ•œ ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ ํ•ด์ฃผ๋Š” ๋ฉ”์ปค๋‹ˆ์ฆ˜์ด ๋™์ž‘ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

 

์•„๋ž˜์™€ ๊ฐ™์ด ๋‹ค์–‘ํ•œ CRD ๊ฐ€ ์ƒ์„ฑ๋ฉ๋‹ˆ๋‹ค.

$ k get orders.acme.cert-manager.io -n istio-system
#NAME                                  STATE     AGE
#kingbj0429-uk-cert-wr6b9-1120062372   pending   81s

$ k get challenges.acme.cert-manager.io -n istio-system
#NAME                                              STATE     DOMAIN                AGE
#kingbj0429-uk-cert-wr6b9-1120062372-1523595522   pending   httpbin.kingbj0429.uk 81s
#kingbj0429-uk-cert-wr6b9-1120062372-2843859647   pending   kingbj0429.uk 81s

$ k get certificaterequests.cert-manager.io -n istio-system
#NAME                       APPROVED   DENIED   READY   ISSUER                          REQUESTOR                                        AGE
#kingbj0429-uk-cert-fzhkf   True                False   letsencrypt-dns01-prod-issuer   system:serviceaccount:key-manager:cert-manager   83s

$ k get certificate -n istio-system
#NAME                 READY   SECRET                   AGE
#kingbj0429-uk-cert   False   kingbj0429-uk-key-pair   7m
Certificate ๋ฆฌ์†Œ์Šค์—์„œ .spec.dnsNames[] ์— ๋„๋ฉ”์ธ์„ 2๊ฐœ ๋ช…์‹œํ–ˆ๊ธฐ ๋•Œ๋ฌธ์— challenge ๊ฐ€ 2๊ฐœ์ธ๊ฑธ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

 

๊ฒฐ๊ตญ Certificate ๋ฅผ ๋ฐ›๊ธฐ ์œ„ํ•œ ๊ณผ์ •์ด์ฃ .

 

ํ•˜๋‚˜์”ฉ ๊ฐ„๋žตํ•˜๊ฒŒ ์„ค๋ช…ํ•˜๋ฉด,

  • CertificateRequest: TLS ์ธ์ฆ์„œ๋ฅผ ์š”์ฒญํ•˜๊ณ , ์ด ์š”์ฒญ์€ ํŠน์ • Issuer ๋˜๋Š” ClusterIssuer์™€ ๊ด€๋ จ์ด ์žˆ์Œ
  • Order: CertificateRequest๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ CA์—๊ฒŒ ์ธ์ฆ์„œ๋ฅผ ์š”์ฒญํ•˜๋Š” ์ฃผ๋ฌธ์„ ๋‚˜ํƒ€๋ƒ„
  • Challenge: ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•˜๊ธฐ ์œ„ํ•ด CA๊ฐ€ ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•  ์ˆ˜ ์žˆ๋Š”์ง€ ํ™•์ธํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ๋‚˜ํƒ€๋ƒ„

 

๋ฉ”์ปค๋‹ˆ์ฆ˜ ์ˆœ์„œ๋ฅผ ์•„๋ž˜์™€ ๊ฐ™์ฃ .

(๋งŒ์•ฝ ์ธ์ฆ์„œ ๋ผ์ดํ”„์‚ฌ์ดํด์— ๋Œ€ํ•ด ์ž์„ธํžˆ ์•Œ๊ณ  ์‹ถ๋‹ค๋ฉด ์—ฌ๊ธฐ๋ฅผ ์ฐธ๊ณ !)

  1. CertificateRequest ๋ฅผ ์ƒ์„ฑํ•˜๋ฉด, Cert Manager๋Š” ํ•ด๋‹น ์š”์ฒญ์— ๋Œ€ํ•œ Order๋ฅผ ์ƒ์„ฑ
  2. Order๊ฐ€ ์ƒ์„ฑ๋˜๋ฉด, Cert Manager๋Š” ํ•ด๋‹น Order์— ๋Œ€ํ•œ Challenge๋ฅผ ์ƒ์„ฑ
  3. Challenge๊ฐ€ ์ƒ์„ฑ๋˜๋ฉด, Cert Manager๋Š” ํ•ด๋‹น Challenge๋ฅผ ์™„๋ฃŒํ•˜๊ธฐ ์œ„ํ•œ ๋ฐฉ๋ฒ•์„ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค. DNS-01 or HTTP-01 ๋ฐฉ์‹์˜ ACME ํ”„๋กœํ† ์ฝœ์„ ํ†ตํ•ด ๋„๋ฉ”์ธ ์†Œ์œ ๊ถŒ์„ ํ™•์ธ
  4. Challenge๊ฐ€ ์™„๋ฃŒ๋˜๋ฉด, Cert Manager๋Š” ๋„๋ฉ”์ธ ์†Œ์œ ๋ฅผ ํ™•์ธํ•˜๊ณ  Order๋ฅผ ์™„๋ฃŒํ•˜๋ฉฐ, ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰

 

ํ•œ ์ค„๋กœ ์š”์•ฝํ•˜๋ฉด Issuer.yaml ์— ์ž‘์„ฑํ•œ acme ์ฝ”๋“œ๋ฅผ ํ†ตํ•ด ๋„๋ฉ”์ธ ์†Œ์œ ๊ถŒ์„ ํ™•์ธํ•˜๊ณ , ์†Œ์œ ๊ถŒ์ด ํ™•์ธ๋˜๋ฉด ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•ด์ค๋‹ˆ๋‹ค.

 

ํ•œ 2๋ถ„ ์ •๋„๊ฐ€ ๋˜๋ฉด ์ด์ œ ์œ„์— ๋ฆฌ์†Œ์Šค๋“ค์ด ๋ชจ๋‘ Valid ๋˜ True ๊ฐ€ ๋ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿผ ์„ฑ๊ณต์ ์œผ๋กœ Let's Encrypt ๋ฅผ ํ†ตํ•ด TLS ๋ฅผ ๋ฐœ๊ธ‰ ๋ฐ›๊ฒŒ ๋œ ๊ฒƒ์ด์ฃ .

$ k get issuers.cert-manager.io -n istio-system
#NAME                            READY   AGE
#letsencrypt-dns01-prod-issuer   True    14m

$ k get orders.acme.cert-manager.io -n istio-system
#NAME                                  STATE     AGE
#kingbj0429-uk-cert-wr6b9-1120062372   valid     81s

$ k get challenges.acme.cert-manager.io -n istio-system
#NAME                                              STATE     DOMAIN                 AGE
#kingbj0429-uk-cert-wr6b9-1120062372-1523595522    valid     httpbin.kingbj0429.uk  81s
#kingbj0429-uk-cert-wr6b9-1120062372-2843859647    valid     kingbj0429.uk 81s      81s

$ k get certificaterequests.cert-manager.io -n istio-system
#NAME                       APPROVED   DENIED   READY   ISSUER                          REQUESTOR                                        AGE
#kingbj0429-uk-cert-fzhkf   True                False   letsencrypt-dns01-prod-issuer   system:serviceaccount:key-manager:cert-manager   83s

$ k get certificate -n istio-system
#NAME                 READY   SECRET                   AGE
#kingbj0429-uk-cert   True    kingbj0429-uk-key-pair   7m

Since challenges.acme.cert-manager.io resources are deleted automatically once they become valid, pass the -w option to watch their state.

 

ํ•œ๋ฒˆ ๋ฐœ๊ธ‰๋ฐ›์€ TLS ๋ฅผ ํ™•์ธํ•ด๋ด…์‹œ๋‹ค. TLS ์€ ์‹œํฌ๋ฆฟ์œผ๋กœ ๋ฐฐํฌ๋ฉ๋‹ˆ๋‹ค.

$ k describe secrets -n istio-system kingbj0429-uk-key-pair
#Name:         kingbj0429-uk-key-pair
#Namespace:    istio-system
#Labels:       controller.cert-manager.io/fao=true
#Annotations:  cert-manager.io/alt-names: httpbin.kingbj0429.uk,kingbj0429.uk
#              cert-manager.io/certificate-name: kingbj0429-uk-cert
#              cert-manager.io/common-name: kingbj0429.uk
#              cert-manager.io/ip-sans:
#              cert-manager.io/issuer-group: cert-manager.io
#              cert-manager.io/issuer-kind: Issuer
#              cert-manager.io/issuer-name: letsencrypt-dns01-prod-issuer
#              cert-manager.io/uri-sans:
#
#Type:  kubernetes.io/tls
#
#Data
#====
#tls.key:  3243 bytes
#tls.crt:  5883 bytes

 

์‹œํฌ๋ฆฟ์— ์˜ํ•ด ์ƒ์„ฑ๋œ tls.crt ๋ฅผ ๊ทธ๋Ÿผ ์ด์ œ ๋””์ฝ”๋”ฉ์„ ํ•ด๋ณด์ฃ .

echo "..." | base64 -d -o tls.cert
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgISBGYsMjD73J679u2U7ax5UXKVMA0GCSqGSIb3DQEBCwUA
...
8A/W4lHPy1UeCaHIs8j6QQwYp9JNXHle+yKP5obPb3f8GeCw2yAp91gffeovBFxn
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

 

๊ทธ๋Ÿผ ์ด์ œ ๋””์ฝ”๋”ฉ๋œ ๊ฐ’์œผ๋กœ certificate ๋‚ด์šฉ์„ ํ™•์ธํ•ด๋ณด์ฃ .

$ openssl x509 -in ./tls.cert -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:66:...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Sep  7 11:44:12 2023 GMT
            Not After : Dec  6 11:44:11 2023 GMT
        Subject: CN = kingbj0429.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d5:96:ea:78:68:68:ae:88:47:a5:73:24:df:c4:
					...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                BA:DD:...
            X509v3 Authority Key Identifier:
                14:2E:...
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:httpbin.kingbj0429.uk, DNS:kingbj0429.uk
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                ...
                    Timestamp : Sep  7 12:44:12.629 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:4A:CB:24:7A:13:0D:A9:20:3C:80:68:9B:
                                ...
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                ...
                    Timestamp : Sep  7 12:44:12.676 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:54:A6:7F:D0:4E:72:79:CA:01:EE:B2:FB:
								...
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        88:3b:98:ea:0a:bf:3c:5f:12:a1:a5:f2:8f:bc:36:cd:fe:9e:
		...

๋ช‡๊ฐ€์ง€ ํ•ต์‹ฌ ์ •๋ณด๋ฅผ ํ™•์ธํ•ด๋ณด๋ฉด,

O=Let's Encrypt ์ด๊ณ , Subject: CN = kingbj0429.uk ์ž…๋‹ˆ๋‹ค. ๋˜ํ•œ CA:FALSE ์ž…๋‹ˆ๋‹ค.
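The checks below, an added example rather than anything from the post, turn the fields read off the openssl dump above (issuer O, Subject CN, SANs, validity) into assertions and add the renewBefore window from the Certificate resource. The sample certificate dict is constructed from that dump in the shape Python's getpeercert() returns, and fetch_peer_cert is an assumed helper for running the same checks against the live gateway.

```python
"""Checks on a served certificate: the fields inspected above (issuer O, CN, SANs,
validity) plus the renewBefore window from the Certificate resource. Stdlib only."""
import socket
import ssl
import time

RENEW_BEFORE_SECONDS = 360 * 3600  # renewBefore: 360h (15d) in the Certificate spec

# Constructed from the openssl output above, in the shape ssl's getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subject": ((("commonName", "kingbj0429.uk"),),),
    "subjectAltName": (("DNS", "httpbin.kingbj0429.uk"), ("DNS", "kingbj0429.uk")),
    "notBefore": "Sep  7 11:44:12 2023 GMT",
    "notAfter": "Dec  6 11:44:11 2023 GMT",
}


def cert_time(s: str) -> float:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used in getpeercert() output."""
    return ssl.cert_time_to_seconds(s)


def rdn_value(name, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    return next((v for rdn in name for k, v in rdn if k == attr), None)


def check_cert(cert, expected_hosts, expected_org="Let's Encrypt", now=None):
    """Named checks -> bool. Any False means the issued cert is not what was intended."""
    now = time.time() if now is None else now
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    return {
        "issued_by_expected_ca": rdn_value(cert["issuer"], "organizationName") == expected_org,
        "all_hosts_in_san": set(expected_hosts) <= sans,
        "currently_valid": not_before <= now < not_after,
        "outside_renew_window": not_after - now > RENEW_BEFORE_SECONDS,
    }


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live variant (needs network): the default context verifies the chain against the
    system trust store, so a self-signed CA fails here exactly as it does in a browser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    hosts = ["httpbin.kingbj0429.uk", "kingbj0429.uk"]
    print(check_cert(SAMPLE_CERT, hosts, now=cert_time("Oct  1 00:00:00 2023 GMT")))
```

For the NodePort setup on this page, call fetch_peer_cert(host, 32003) and pass the result to check_cert; a False in outside_renew_window while the Certificate still shows READY True is the signal that cert-manager's renewal has stalled.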

 

๊ฐ„๋žตํ•˜๊ฒŒ ๊ทธ๋ฆผ์œผ๋กœ ํ‘œํ˜„ํ•˜๋ฉด ์•„๋ž˜์™€ ๊ฐ™์ด ๋  ์ˆ˜ ์žˆ์„๊ฑฐ ๊ฐ™์•„์š”.

๋งŒ์•ฝ ์ธ์ฆ์„œ ๋ผ์ดํ”„์‚ฌ์ดํด์— ๋Œ€ํ•ด ์ž์„ธํžˆ ์•Œ๊ณ  ์‹ถ๋‹ค๋ฉด ์—ฌ๊ธฐ๋ฅผ ์ฐธ๊ณ !

 

Let's Encrypt ๋ฅผ ํ†ตํ•ด ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰๋ฐ›์•˜์œผ๋‹ˆ ์ด์ œ ์‹ค์ œ๋กœ ์ ์šฉํ•ด๋ด…์‹œ๋‹ค.

httpbin ์„ ๋ฐฐํฌํ•˜๊ณ ์ž ํ•ฉ๋‹ˆ๋‹ค.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kingbj0429-test-gateway
spec:
  selector:
    istio: gateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "httpbin.kingbj0429.uk"
        - "kingbj0429.uk"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: kingbj0429-uk-key-pair
      hosts:
        - "httpbin.kingbj0429.uk"
        - "kingbj0429.uk"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kingbj0429-test-virtual-service
spec:
  hosts:
    - "httpbin.kingbj0429.uk"
    - "kingbj0429.uk"
  gateways:
    - kingbj0429-test-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: httpbin
            port:
              number: 8000
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
    - name: http
      port: 8000
      targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
        - image: docker.io/kong/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 80

 

์„ฑ๊ณต์ ์œผ๋กœ TLS ๊ฐ€ ์ ์šฉ์ด ๋์Šต๋‹ˆ๋‹ค.

ํฌํŠธ๊ฐ€ 32003 ์ธ ์ด์œ ๋Š” istio ingressgateway ์˜ https ํฌํŠธ๊ฐ€ ๋…ธ๋“œ์˜ 32003 ๊ณผ ๋งตํ•‘๋˜๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค.

 

์ธ์ฆ์„œ ๋ทฐ์–ด๋ฅผ ํ™•์ธํ–ˆ์„ ๋•Œ๋„ ๋ฌธ์ œ๋Š” ์—†์–ด๋ณด์ž…๋‹ˆ๋‹ค.

 

 

์ƒ๊ฐ๋ณด๋‹ค ๊ธ€์ด ๋„ˆ๋ฌด ๊ธธ์–ด์กŒ๋„ค์š”..

Cert Manager, TLS, ACME, Domain, DNS, Istio Gateway ๋“ฑ ๋‹ค์–‘ํ•œ ๊ฐœ๋…๋“ค์ด ์žˆ๋‹ค๋‹ˆ ์ƒ๊ฐ๋ณด๋‹ค ์–ด๋ ค์› ๋˜ ์‹ค์Šต์ด์˜€์Šต๋‹ˆ๋‹ค.

 

๊ทธ๋ž˜๋„ ๋ฌด์‚ฌํžˆ ์„ฑ๊ณต! 

๋‹ค์Œ ๊ธ€์—์„œ๋Š” AWS Route53 ์— ์ ์šฉํ•ด๋ณผ ์˜ˆ์ •์ž…๋‹ˆ๋‹ค.

 

๊ทธ๋Ÿผ ์˜ค๋Š˜์€ ์—ฌ๊ธฐ๊นŒ์ง€!

๋ฐ˜์‘ํ˜•
profile on loading

Loading...