diff --git a/content/zh/docs/tasks/security/cert-management/dns-cert/index.md b/content/zh/docs/tasks/security/cert-management/dns-cert/index.md
new file mode 100644
index 0000000000..f9b3b534e9
--- /dev/null
+++ b/content/zh/docs/tasks/security/cert-management/dns-cert/index.md
@@ -0,0 +1,91 @@
+---
+title: Istio 的 DNS 证书管理
+description: 如何在 Istiod 中配置和管理 DNS 证书。
+weight: 90
+keywords: [security,certificate]
+aliases:
+ - /zh/docs/tasks/security/dns-cert/
+owner: istio/wg-security-maintainers
+test: yes
+---
+
+此文档主要说明如何使用 [Chiron](/zh/blog/2019/dns-cert/) 配置和管理 DNS 证书。 Chiron 是一个与 Istiod 相连的轻量型组件,使用 Kubernetes 的 CA API 签发证书,无需管理私钥。优势如下:
+
+* 与 {{< gloss >}}Istiod{{< /gloss >}} 不同, 这种方式无需维护签发的私钥,增强了安全性。
+
+* 简化了将根证书分发到 TLS 客户端。客户端不再需要等待 Istiod 生成和分发其 CA 证书。
+
+## 开始之前{#before-you-begin}
+
+* 通过 `istioctl` 安装 Istio,并配置 DNS 证书。当 Istio 启动后会读取该配置。
+
+{{< text bash >}}
+$ cat < ./istio.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ certificates:
+ - secretName: dns.example1-service-account
+ dnsNames: [example1.istio-system.svc, example1.istio-system]
+ - secretName: dns.example2-service-account
+ dnsNames: [example2.istio-system.svc, example2.istio-system]
+EOF
+$ istioctl install -f ./istio.yaml
+{{< /text >}}
+
+## DNS 证书的提供和管理{#DNS-certificate-provisioning-and-management}
+
+Istio 根据用户的配置,为 DNS 证书提供 DNS 名称和 Secret 名称。DNS 证书 通过 Kubernetes CA 签发,并根据配置保存到 Secret 中。Istio 也管理 DNS 证书的生命周期,包括证书的滚动和重新生成。
+
+## 配置 DNS 证书{#configure-DNS-certificates}
+
+在 `istioctl install`命令中使用 `IstioOperator` 自定义资源用于配置Istio。`IstioOperator` 自定义资源包括 DNS 证书配置的例子。其中,`dnsNames` 字段定义证书中 DNS 名称,`secretName` 字段定义用于存储证书和私钥的 Kubernetes Secret 名称。
+
+## 检查 DNS 证书的提供{#check-the-provisioning-of-DNS-certificates}
+
+在配置 Istio 生成 DNS 证书和保存证书到 Secret 后,您可以校验证书是够已经生成并正常运行。
+
+为了校验例子中 Istio 的配置 `dns.example1-service-account` 生成的 DNS 证书,和校验证书是否包含 配置的 DNS 名称,需要获取 Kubernetes 的 Secret 进行解析解码,通过以下命令查看具体内容:
+
+{{< text bash >}}
+$ kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+{{< /text >}}
+
+输出内容包括:
+
+{{< text plain >}}
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
+{{< /text >}}
+
+## 重新生成 DNS 证书{#regenerating-a-DNS-certificate}
+
+Istio 还可以在重新生成被误删的 DNS 证书。接下来,将会演示如何删除最近配置的证书,并校验 Istio 自动重新生成证书。
+
+1. 删除前面保存的配置 DNS 证书的 Secret:
+
+ {{< text bash >}}
+ $ kubectl delete secret dns.example1-service-account -n istio-system
+ {{< /text >}}
+
+1. 校验 Istio 重新生成已删除 DNS 证书,且证书包含配置的 DNS 名称,您需要获取 Kubernetes 的 Secret进行解析解码,通过以下命令查看详细内容:
+
+ {{< text bash >}}
+ $ sleep 10; kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+ {{< /text >}}
+
+输出内容包括:
+
+{{< text plain >}}
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
+{{< /text >}}
+
+## 清理{#cleanup}
+
+* 移除 `istio-system` Namespace:
+
+ {{< text bash >}}
+ $ kubectl delete ns istio-system
+ {{< /text >}}
diff --git a/content/zh/docs/tasks/security/cert-management/dns-cert/snips.sh b/content/zh/docs/tasks/security/cert-management/dns-cert/snips.sh
new file mode 100644
index 0000000000..b4f3463f55
--- /dev/null
+++ b/content/zh/docs/tasks/security/cert-management/dns-cert/snips.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+# docs/tasks/security/cert-management/dns-cert/index.md
+####################################################################################################
+
+snip_before_you_begin_1() {
+cat < ./istio.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ certificates:
+ - secretName: dns.example1-service-account
+ dnsNames: [example1.istio-system.svc, example1.istio-system]
+ - secretName: dns.example2-service-account
+ dnsNames: [example2.istio-system.svc, example2.istio-system]
+EOF
+istioctl install -f ./istio.yaml
+}
+
+snip_check_the_provisioning_of_dns_certificates_1() {
+kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+}
+
+! read -r -d '' snip_check_the_provisioning_of_dns_certificates_2 <<\ENDSNIP
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
+ENDSNIP
+
+snip_regenerating_a_dns_certificate_1() {
+kubectl delete secret dns.example1-service-account -n istio-system
+}
+
+snip_regenerating_a_dns_certificate_2() {
+sleep 10; kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+}
+
+! read -r -d '' snip_regenerating_a_dns_certificate_3 <<\ENDSNIP
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
+ENDSNIP
+
+snip_cleanup_1() {
+kubectl delete ns istio-system
+}
diff --git a/content/zh/docs/tasks/security/cert-management/dns-cert/test.sh b/content/zh/docs/tasks/security/cert-management/dns-cert/test.sh
new file mode 100644
index 0000000000..89d29ca293
--- /dev/null
+++ b/content/zh/docs/tasks/security/cert-management/dns-cert/test.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# shellcheck disable=SC2001
+
+set -e
+set -u
+set -o pipefail
+
+# @setup profile=none
+
+export VERIFY_TIMEOUT=300
+
+echo y | snip_before_you_begin_1
+_wait_for_deployment istio-system istiod
+
+# helper functions
+check_dns_certs() {
+ snip_check_the_provisioning_of_dns_certificates_1 | sed 's/[ ]*$//' # Remove trailing spaces
+}
+regen_dns_certs() {
+ snip_regenerating_a_dns_certificate_2 | sed 's/[ ]*$//' # Remove trailing spaces
+}
+
+_verify_contains check_dns_certs "$snip_check_the_provisioning_of_dns_certificates_2"
+
+snip_regenerating_a_dns_certificate_1
+
+_verify_contains regen_dns_certs "$snip_regenerating_a_dns_certificate_3"
+
+# @cleanup
+snip_cleanup_1
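Review bot: The two `_verify_contains` checks only assert that the decoded `dns.example1-service-account` certificate carries the expected SAN line; they never confirm the property the task page actually advertises, that the chain was issued by the Kubernetes CA rather than by some other signer, and they never look at the second configured secret, `dns.example2-service-account`, so a regression that breaks issuance for any entry after the first would pass this test. A cheap tightening is to add a sibling helper `check_issuer() { kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -noout -issuer; }` and assert its output with `_verify_contains`, and to repeat the SAN check for `dns.example2-service-account`; the exact issuer string to expect depends on the cluster CA and should be confirmed against a live run before being pinned. The `sleep 10;` inside `snip_regenerating_a_dns_certificate_2` is a fixed delay inherited from the page snippet; it is presumably tolerated because `_verify_contains` retries up to `VERIFY_TIMEOUT`, but if that helper does not retry, a slow re-issuance would make the regeneration check flaky. `_verify_contains` and `_wait_for_deployment` are defined outside this diff, so their retry behaviour cannot be confirmed from the hunk.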