Cipher suite names and their OpenSSL names

The name of a cipher suite differs between what openssl prints and the commonly used (registry) name.

Run openssl ciphers -V to get the hex code, then look the code up here.

Example: AES256-SHA256

$ openssl ciphers -V | grep AES256-SHA256
          0x00,0x3D - AES256-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA256
          0x00,0x6B - DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256

This is 0x3D, which corresponds to:

0x00,0x3D    TLS_RSA_WITH_AES_256_CBC_SHA256 Y   N   [RFC5246]
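The lookup above can be automated: the hex code is the one thing both naming schemes share, so parsing the `openssl ciphers -V` lines and joining them to a table of registry names gives the mapping in both directions. The following Python snippet is an added example, not part of the original note. It embeds the two output lines shown above as sample input; the IANA_NAMES table is supplied here (the page quotes only the 0x3D entry), and the forward-secrecy check reads OpenSSL's Kx column.

```python
import re

# Sample input: the two `openssl ciphers -V` lines shown above, embedded so this runs offline.
OPENSSL_CIPHERS_V = """\
          0x00,0x3D - AES256-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA256
          0x00,0x6B - DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256
"""

# Excerpt of the IANA TLS Cipher Suites registry for those two codes. The first entry is the
# one quoted on the page; the second is supplied here for the DHE line.
IANA_NAMES = {
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}

# One line of `openssl ciphers -V`: "0xHH,0xHH - NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)"
    r"\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into {code: fields}, keyed by the 16-bit suite code."""
    suites = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line
        code = (int(m.group(1), 16) << 8) | int(m.group(2), 16)
        suites[code] = {
            "openssl_name": m.group(3),
            "protocol": m.group(4),
            "kx": m.group(5),
            "au": m.group(6),
            "enc": m.group(7),
            "mac": m.group(8),
        }
    return suites


def openssl_to_iana(openssl_name, text=OPENSSL_CIPHERS_V, registry=IANA_NAMES):
    """Map an OpenSSL cipher name to the IANA name via the shared hex code (None if unknown)."""
    for code, info in parse_ciphers_v(text).items():
        if info["openssl_name"] == openssl_name:
            return registry.get(code)
    return None


def iana_to_openssl(iana_name, text=OPENSSL_CIPHERS_V, registry=IANA_NAMES):
    """Reverse lookup: IANA name -> OpenSSL name, e.g. for a kubelet tlsCipherSuites entry."""
    suites = parse_ciphers_v(text)
    for code, name in registry.items():
        if name == iana_name and code in suites:
            return suites[code]["openssl_name"]
    return None


def has_forward_secrecy(openssl_name, text=OPENSSL_CIPHERS_V):
    """True when the key exchange is ephemeral (OpenSSL prints Kx=DH or Kx=ECDH for those)."""
    for info in parse_ciphers_v(text).values():
        if info["openssl_name"] == openssl_name:
            return info["kx"] in ("DH", "ECDH")
    raise KeyError(openssl_name)


if __name__ == "__main__":
    for name in ("AES256-SHA256", "DHE-RSA-AES256-SHA256"):
        print(f"{name:25} -> {openssl_to_iana(name)}  forward secrecy: {has_forward_secrecy(name)}")
```

To run it against a real installation, pass `subprocess.check_output(["openssl", "ciphers", "-V"], text=True)` as `text` and extend IANA_NAMES with the full registry.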

Reference links

Checking the kubelet configuration values

Notes on how to check the kubelet's current configuration values.

Steps

Start a proxy to the kube-apiserver.

$ kubectl proxy
Starting to serve on 127.0.0.1:8001

Look up the node name and send a request to localhost through the proxy (the node's /configz endpoint is reached via the API server's node proxy).

$ k get node
NAME                                              STATUS   ROLES    AGE   VERSION
ip-10-0-115-197.ap-northeast-1.compute.internal   Ready    <none>   88d   v1.29.6
ip-10-0-77-210.ap-northeast-1.compute.internal    Ready    <none>   88d   v1.29.6
$ curl -sSL "http://localhost:8001/api/v1/nodes/ip-10-0-115-197.ap-northeast-1.compute.internal/proxy/configz" | jq .
{
  "kubeletconfig": {
    "enableServer": true,
    "syncFrequency": "1m0s",
    "fileCheckFrequency": "20s",
    "httpCheckFrequency": "20s",
    "address": "0.0.0.0",
    "port": 10250,
    "tlsCipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_128_GCM_SHA256"
    ],
    "serverTLSBootstrap": true,
    "authentication": {
      "x509": {
        "clientCAFile": "/etc/kubernetes/pki/ca.crt"
      },
      "webhook": {
        "enabled": true,
        "cacheTTL": "2m0s"
      },
      "anonymous": {
        "enabled": false
      }
    },
    "authorization": {
      "mode": "Webhook",
      "webhook": {
        "cacheAuthorizedTTL": "5m0s",
        "cacheUnauthorizedTTL": "30s"
      }
    },
    "registryPullQPS": 5,
    "registryBurst": 10,
    "eventRecordQPS": 50,
    "eventBurst": 100,
    "enableDebuggingHandlers": true,
    "healthzPort": 10248,
    "healthzBindAddress": "127.0.0.1",
    "oomScoreAdj": -999,
    "clusterDomain": "cluster.local",
    "clusterDNS": [
      "172.20.0.10"
    ],
    "streamingConnectionIdleTimeout": "4h0m0s",
    "nodeStatusUpdateFrequency": "10s",
    "nodeStatusReportFrequency": "5m0s",
    "nodeLeaseDurationSeconds": 40,
    "imageMinimumGCAge": "2m0s",
    "imageMaximumGCAge": "0s",
    "imageGCHighThresholdPercent": 85,
    "imageGCLowThresholdPercent": 80,
    "volumeStatsAggPeriod": "1m0s",
    "cgroupRoot": "/",
    "cgroupsPerQOS": true,
    "cgroupDriver": "cgroupfs",
    "cpuManagerPolicy": "none",
    "cpuManagerReconcilePeriod": "10s",
    "memoryManagerPolicy": "None",
    "topologyManagerPolicy": "none",
    "topologyManagerScope": "container",
    "runtimeRequestTimeout": "2m0s",
    "hairpinMode": "hairpin-veth",
    "maxPods": 29,
    "podPidsLimit": -1,
    "resolvConf": "/run/systemd/resolve/resolv.conf",
    "cpuCFSQuota": true,
    "cpuCFSQuotaPeriod": "100ms",
    "nodeStatusMaxImages": 50,
    "maxOpenFiles": 1000000,
    "contentType": "application/vnd.kubernetes.protobuf",
    "kubeAPIQPS": 50,
    "kubeAPIBurst": 100,
    "serializeImagePulls": false,
    "evictionHard": {
      "memory.available": "100Mi",
      "nodefs.available": "10%",
      "nodefs.inodesFree": "5%"
    },
    "evictionPressureTransitionPeriod": "5m0s",
    "enableControllerAttachDetach": true,
    "makeIPTablesUtilChains": true,
    "iptablesMasqueradeBit": 14,
    "iptablesDropBit": 15,
    "featureGates": {
      "RotateKubeletServerCertificate": true
    },
    "failSwapOn": true,
    "memorySwap": {},
    "containerLogMaxSize": "10Mi",
    "containerLogMaxFiles": 5,
    "configMapAndSecretChangeDetectionStrategy": "Watch",
    "kubeReserved": {
      "cpu": "70m",
      "ephemeral-storage": "1Gi",
      "memory": "574Mi"
    },
    "enforceNodeAllocatable": [
      "pods"
    ],
    "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
    "logging": {
      "format": "text",
      "flushFrequency": "5s",
      "verbosity": 0,
      "options": {
        "json": {
          "infoBufferSize": "0"
        }
      }
    },
    "enableSystemLogHandler": true,
    "enableSystemLogQuery": false,
    "shutdownGracePeriod": "0s",
    "shutdownGracePeriodCriticalPods": "0s",
    "enableProfilingHandler": true,
    "enableDebugFlagsHandler": true,
    "seccompDefault": false,
    "memoryThrottlingFactor": 0.9,
    "registerNode": true,
    "localStorageCapacityIsolation": true,
    "containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock"
  }
}
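The /configz output is a convenient place to review the settings that decide who can talk to the kubelet and over which ciphers. The following Python snippet is an added example, not part of the original note: it runs a handful of hardening checks (anonymous auth, webhook auth, client CA, authorization mode, cipher suite choice, serving-cert rotation) over a trimmed copy of the JSON shown above. On this node it reports only the two TLS_RSA_ suites, which use static RSA key exchange and therefore give no forward secrecy; in practice feed it the curl output instead of the embedded sample.

```python
import json

# Excerpt of the /configz response shown above (copied from the page and trimmed to the
# fields this audit reads). In practice, feed it the output of the curl command instead.
SAMPLE_CONFIGZ = json.loads("""
{
  "kubeletconfig": {
    "address": "0.0.0.0",
    "port": 10250,
    "tlsCipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_128_GCM_SHA256"
    ],
    "serverTLSBootstrap": true,
    "authentication": {
      "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
      "webhook": {"enabled": true, "cacheTTL": "2m0s"},
      "anonymous": {"enabled": false}
    },
    "authorization": {"mode": "Webhook"},
    "featureGates": {"RotateKubeletServerCertificate": true}
  }
}
""")


def audit_kubelet_config(configz):
    """Return a list of findings (strings) for the security-relevant kubelet settings."""
    cfg = configz.get("kubeletconfig", configz)
    findings = []

    auth = cfg.get("authentication", {})
    # Anonymous requests to the kubelet API should be rejected outright.
    if auth.get("anonymous", {}).get("enabled") is not False:
        findings.append("authentication.anonymous.enabled is not explicitly false")
    # Without webhook token auth and a client CA, no real authentication path is configured.
    if not auth.get("webhook", {}).get("enabled"):
        findings.append("authentication.webhook.enabled is not true")
    if not auth.get("x509", {}).get("clientCAFile"):
        findings.append("authentication.x509.clientCAFile is not set")

    # AlwaysAllow would let any authenticated caller use every kubelet endpoint.
    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}, expected 'Webhook'")

    # Cipher suite review: CBC suites and static RSA key exchange are the usual objections.
    suites = cfg.get("tlsCipherSuites", [])
    if not suites:
        findings.append("tlsCipherSuites is empty; kubelet falls back to Go's default list")
    for s in suites:
        if "_CBC_" in s:
            findings.append(f"{s}: CBC-mode suite")
        if s.startswith("TLS_RSA_WITH_"):
            findings.append(f"{s}: static RSA key exchange, no forward secrecy")

    # Serving-certificate rotation keeps the kubelet's own TLS cert from expiring silently.
    if not cfg.get("serverTLSBootstrap"):
        findings.append("serverTLSBootstrap is not true")
    if not cfg.get("featureGates", {}).get("RotateKubeletServerCertificate", True):
        findings.append("RotateKubeletServerCertificate feature gate is disabled")

    return findings


if __name__ == "__main__":
    for f in audit_kubelet_config(SAMPLE_CONFIGZ):
        print("FINDING:", f)
```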

Reference links

Books I read in February 2025 but did not write reading notes for (3 books)

Trying out cert-manager, aws-privateca-issuer and Reloader

cert-manager manages the certificate that Nginx uses to terminate TLS. cert-manager renews the certificate automatically, but Nginx has to be restarted to pick up the renewed one. Reloader can apparently be used for that, so I want to verify how it behaves.

I will also check aws-privateca-issuer at the same time.

Creating the cluster

Create the cluster.

CLUSTER_NAME="reloader"
MY_ARN=$(aws sts get-caller-identity --output text --query Arn)
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)
cat << EOF > cluster.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${CLUSTER_NAME}
  region: ap-northeast-1
  version: "1.29"
vpc:
  cidr: "10.0.0.0/16"

availabilityZones:
  - ap-northeast-1a
  - ap-northeast-1c

cloudWatch:
  clusterLogging:
    enableTypes: ["*"]

iam:
  withOIDC: true

accessConfig:
  bootstrapClusterCreatorAdminPermissions: false
  authenticationMode: API
  accessEntries:
    - principalARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/Admin
      accessPolicies:
        - policyARN: arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
          accessScope:
            type: cluster
EOF
eksctl create cluster -f cluster.yaml

Create the node group.

cat << EOF > m1.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${CLUSTER_NAME}
  region: ap-northeast-1

managedNodeGroups:
  - name: m1
    instanceType: m6i.large
    minSize: 1
    maxSize: 10
    desiredCapacity: 2
    privateNetworking: true
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
EOF
eksctl create nodegroup -f m1.yaml

Check the nodes.

$ k get node
NAME                                             STATUS   ROLES    AGE    VERSION
ip-10-0-106-51.ap-northeast-1.compute.internal   Ready    <none>   106s   v1.29.10-eks-94953ac
ip-10-0-72-39.ap-northeast-1.compute.internal    Ready    <none>   113s   v1.29.10-eks-94953ac

Installing cert-manager

Add the chart repository.

helm repo add jetstack https://charts.jetstack.io --force-update

Install it.

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.16.1 \
  --set crds.enabled=true
NAME: cert-manager
LAST DEPLOYED: Wed Nov 20 10:11:21 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.16.1 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

Check the Pods.

$ k -n cert-manager get pods
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-859bc755b6-r2h4q             1/1     Running   0          2m6s
cert-manager-cainjector-dc59548c5-dcmqp   1/1     Running   0          2m6s
cert-manager-webhook-d45c9fbd6-8r82w      1/1     Running   0          2m6s

Installing aws-privateca-issuer

First, create a CA in AWS Private CA from the AWS Management Console.

Create an IAM policy that allows using this CA.

cat << EOF > privateca-issuer-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "awspcaissuer",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a"
    }
  ]
}
EOF
aws iam create-policy \
  --policy-name privateca-issuer-policy \
  --policy-document file://privateca-issuer-policy.json

Create the IAM role and the ServiceAccount up front. There is also a way to create only the role with --role-only.

NAMESPACE="cert-manager"
SA_NAME="aws-privateca-issuer"
eksctl create iamserviceaccount \
  --cluster ${CLUSTER_NAME} --name ${SA_NAME} --namespace ${NAMESPACE} \
  --attach-policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/privateca-issuer-policy \
  --approve
2024-11-20 10:23:53 [ℹ]  1 iamserviceaccount (cert-manager/aws-privateca-issuer) was included (based on the include/exclude rules)
2024-11-20 10:23:53 [!]  serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2024-11-20 10:23:53 [ℹ]  1 task: { 
    2 sequential sub-tasks: { 
        create IAM role for serviceaccount "cert-manager/aws-privateca-issuer",
        create serviceaccount "cert-manager/aws-privateca-issuer",
    } }2024-11-20 10:23:53 [ℹ]  building iamserviceaccount stack "eksctl-reloader-addon-iamserviceaccount-cert-manager-aws-privateca-issuer"
2024-11-20 10:23:54 [ℹ]  deploying stack "eksctl-reloader-addon-iamserviceaccount-cert-manager-aws-privateca-issuer"
2024-11-20 10:23:54 [ℹ]  waiting for CloudFormation stack "eksctl-reloader-addon-iamserviceaccount-cert-manager-aws-privateca-issuer"
2024-11-20 10:24:24 [ℹ]  waiting for CloudFormation stack "eksctl-reloader-addon-iamserviceaccount-cert-manager-aws-privateca-issuer"
2024-11-20 10:24:24 [ℹ]  created serviceaccount "cert-manager/aws-privateca-issuer"

Store the role ARN in a variable.

STACK_NAME="eksctl-${CLUSTER_NAME}-addon-iamserviceaccount-${NAMESPACE}-${SA_NAME}"
ROLE_NAME=$(aws cloudformation describe-stack-resources \
    --stack-name ${STACK_NAME} \
    --query "StackResources[?ResourceType=='AWS::IAM::Role'].PhysicalResourceId" \
    --output text)
echo ${ROLE_NAME}
ROLE_ARN=$(aws iam get-role \
    --role-name ${ROLE_NAME} \
    --query "Role.Arn" \
    --output text)
echo ${ROLE_ARN}

Create values.yaml. The full values.yaml is here.

The ServiceAccount already exists and create: false is set, so the annotations should not be needed, but I include them anyway.

cat << EOF > privateca-issuer-values.yaml
serviceAccount:
  # Specifies whether a service account should be created
  create: false
  # Annotations to add to the service account
  annotations:
    eks.amazonaws.com/role-arn: ${ROLE_ARN}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: "${SA_NAME}"
EOF

Add the chart repository.

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer --force-update

Install it.

helm install \
  aws-privateca-issuer awspca/aws-privateca-issuer \
  --namespace cert-manager \
  --version v1.4.0 \
  -f privateca-issuer-values.yaml
NAME: aws-privateca-issuer
LAST DEPLOYED: Wed Nov 20 10:35:06 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None

Check the Pods.

$ k -n cert-manager get po
NAME                                      READY   STATUS    RESTARTS   AGE
aws-privateca-issuer-6d8bcdbbb7-9vr6f     1/1     Running   0          33s
cert-manager-859bc755b6-r2h4q             1/1     Running   0          24m
cert-manager-cainjector-dc59548c5-dcmqp   1/1     Running   0          24m
cert-manager-webhook-d45c9fbd6-8r82w      1/1     Running   0          24m

Installing Reloader

Add the chart repository.

helm repo add stakater https://stakater.github.io/stakater-charts --force-update

Install it.

helm install \
  reloader stakater/reloader \
  --namespace reloader \
  --create-namespace \
  --version 1.1.0
NAME: reloader
LAST DEPLOYED: Wed Nov 20 10:39:25 2024
NAMESPACE: reloader
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
- For a `Deployment` called `foo` have a `ConfigMap` called `foo-configmap`. Then add this annotation to main metadata of your `Deployment`
  configmap.reloader.stakater.com/reload: "foo-configmap"

- For a `Deployment` called `foo` have a `Secret` called `foo-secret`. Then add this annotation to main metadata of your `Deployment`
  secret.reloader.stakater.com/reload: "foo-secret"

- After successful installation, your pods will get rolling updates when a change in data of configmap or secret will happen.

Check the Pods.

$ k -n reloader get pods
NAME                                READY   STATUS    RESTARTS   AGE
reloader-reloader-59f8898b8-z4jb8   1/1     Running   0          21s

Issuing the certificate

First, create an AWSPCAClusterIssuer.

cat << EOF > root-ca-issuer.yaml
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: root-ca
spec:
  arn: arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a
  region: ap-northeast-1
EOF
k apply -f root-ca-issuer.yaml

Create a Certificate.

k create ns nginx
cat << EOF > nginx-cert.yaml
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: nginx-cert
  namespace: nginx
spec:
  commonName: nginx
  dnsNames:
    - www.example.com
  duration: 1h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: root-ca
  renewBefore: 10m0s
  secretName: nginx-cert-tls
  usages:
    - server auth
  privateKey:
    algorithm: "RSA"
    size: 2048
EOF
k apply -f nginx-cert.yaml

Confirm that the certificate has been issued.

$ k -n nginx get certificate
NAME         READY   SECRET           AGE
nginx-cert   True    nginx-cert-tls   6s
$ k -n nginx get certificaterequest
NAME           APPROVED   DENIED   READY   ISSUER    REQUESTER                                         AGE
nginx-cert-1   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   11s
$ k -n nginx get secret
NAME             TYPE                DATA   AGE
nginx-cert-tls   kubernetes.io/tls   3      23m

The certificate is present both in the CertificateRequest status and in the Secret.

$ k -n nginx get certificaterequest nginx-cert-1 -oyaml
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  annotations:
    aws-privateca-issuer/certificate-arn: arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a/certificate/6ca13da9e494428deb37ba6e565d4e38
    cert-manager.io/certificate-name: nginx-cert
    cert-manager.io/certificate-revision: "1"
    cert-manager.io/private-key-secret-name: nginx-cert-skrds
  creationTimestamp: "2024-11-20T02:14:34Z"
  generation: 1
  name: nginx-cert-1
  namespace: nginx
  ownerReferences:
  - apiVersion: cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Certificate
    name: nginx-cert
    uid: ffd8a316-8bbe-40f6-bac9-bba52cdabe28
  resourceVersion: "20102"
  uid: 200b365d-4471-450d-8065-e1a2bfc6c90f
spec:
  duration: 1h0m0s
  extra:
    authentication.kubernetes.io/pod-name:
    - cert-manager-859bc755b6-r2h4q
    authentication.kubernetes.io/pod-uid:
    - a39fdcdd-415f-4831-8415-bd7796ee282b
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:cert-manager
  - system:authenticated
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: root-ca
  request: 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
  uid: 6ae4a1ea-48e9-426b-82d5-78a095c1279f
  usages:
  - server auth
  username: system:serviceaccount:cert-manager:cert-manager
status:
  ca: 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
  certificate: 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
  conditions:
  - lastTransitionTime: "2024-11-20T02:14:34Z"
    message: Certificate request has been approved by cert-manager.io
    reason: cert-manager.io
    status: "True"
    type: Approved
  - lastTransitionTime: "2024-11-20T02:14:35Z"
    message: certificate issued
    reason: Issued
    status: "True"
    type: Ready
$ k -n nginx get secret nginx-cert-tls -oyaml
apiVersion: v1
data:
  ca.crt: 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
  tls.crt: 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
  tls.key: (snip)
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: www.example.com
    cert-manager.io/certificate-name: nginx-cert
    cert-manager.io/common-name: nginx
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: awspca.cert-manager.io
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-name: root-ca
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2024-11-20T01:50:57Z"
  labels:
    controller.cert-manager.io/fao: "true"
  name: nginx-cert-tls
  namespace: nginx
  resourceVersion: "20104"
  uid: fa9fc42c-c7b8-4623-b611-284221dbfa61
type: kubernetes.io/tls

Installing Nginx

Start an Nginx that mounts this certificate and terminates TLS.

cat << EOF > nginx-deployment.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config-ssl
  namespace: nginx
data:
  default.conf: |
    server {
      listen 443 ssl;
      server_name www.example.com;
      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: public.ecr.aws/docker/library/nginx:latest
        volumeMounts:
        - name: config
          mountPath: /etc/nginx/conf.d
        - name: ssl-certs
          mountPath: /etc/nginx/ssl
      volumes:
      - name: config
        configMap:
          name: nginx-config-ssl
      - name: ssl-certs
        secret:
          secretName: nginx-cert-tls
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
spec:
  selector:
    app: nginx
  ports:
    - port: 443
      targetPort: 443
  type: ClusterIP
EOF
k apply -f nginx-deployment.yaml
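Reloader only rolls a Deployment that carries one of the annotations listed in the chart NOTES above, and the nginx Deployment as written carries none yet. The following Python snippet is an added check, not part of the original post: it lists the Secret and ConfigMap volumes of a Deployment that no reload annotation covers and returns an annotated copy. The manifest is transcribed from nginx-deployment.yaml above; only volume mounts are checked (env/envFrom references are not), and the catch-all `reloader.stakater.com/auto` annotation is taken from Reloader's documentation rather than from this page.

```python
import copy

# The nginx Deployment from nginx-deployment.yaml above, transcribed as a Python dict
# (only metadata and the pod volumes matter for this check) so the snippet runs offline.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "nginx"},
    "spec": {
        "template": {
            "spec": {
                "volumes": [
                    {"name": "config", "configMap": {"name": "nginx-config-ssl"}},
                    {"name": "ssl-certs", "secret": {"secretName": "nginx-cert-tls"}},
                ]
            }
        }
    },
}

# Annotation keys Reloader watches. The first two are printed in the chart NOTES above;
# the "auto" key is assumed from Reloader's docs and reloads on any referenced object.
SECRET_ANN = "secret.reloader.stakater.com/reload"
CONFIGMAP_ANN = "configmap.reloader.stakater.com/reload"
AUTO_ANN = "reloader.stakater.com/auto"


def referenced_objects(deployment):
    """Return {"secret": names, "configmap": names} mounted as volumes by the pod template."""
    refs = {"secret": set(), "configmap": set()}
    for vol in deployment["spec"]["template"]["spec"].get("volumes", []):
        if "secret" in vol:
            refs["secret"].add(vol["secret"]["secretName"])
        if "configMap" in vol:
            refs["configmap"].add(vol["configMap"]["name"])
    return refs


def uncovered_references(deployment):
    """List 'kind/name' entries whose change would NOT trigger a Reloader rollout."""
    ann = deployment["metadata"].get("annotations", {})
    if ann.get(AUTO_ANN) == "true":
        return []
    # Reloader accepts a comma-separated list of names in each annotation.
    covered = {
        "secret": {n.strip() for n in ann.get(SECRET_ANN, "").split(",") if n.strip()},
        "configmap": {n.strip() for n in ann.get(CONFIGMAP_ANN, "").split(",") if n.strip()},
    }
    missing = []
    for kind, names in referenced_objects(deployment).items():
        for name in names - covered[kind]:
            missing.append(f"{kind}/{name}")
    return sorted(missing)


def with_reload_annotations(deployment):
    """Return a copy of the manifest annotated so every mounted Secret/ConfigMap is covered."""
    out = copy.deepcopy(deployment)
    refs = referenced_objects(out)
    ann = out["metadata"].setdefault("annotations", {})
    if refs["secret"]:
        ann[SECRET_ANN] = ",".join(sorted(refs["secret"]))
    if refs["configmap"]:
        ann[CONFIGMAP_ANN] = ",".join(sorted(refs["configmap"]))
    return out


if __name__ == "__main__":
    print("uncovered:", uncovered_references(NGINX_DEPLOYMENT))
    fixed = with_reload_annotations(NGINX_DEPLOYMENT)
    print("annotations:", fixed["metadata"]["annotations"])
    print("uncovered after fix:", uncovered_references(fixed))
```

For the renewal test in this post, the entry that matters is `secret.reloader.stakater.com/reload: "nginx-cert-tls"` on the Deployment's metadata, so that cert-manager writing the renewed certificate into the Secret triggers a rolling restart of Nginx.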

Add the following entry to /etc/hosts on the local machine.

127.0.0.1       www.example.com

Set up a port-forward so that the service can be reached from a local browser.

$ kubectl -n nginx port-forward svc/nginx 8443:443
Forwarding from 127.0.0.1:8443 -> 443
Forwarding from [::1]:8443 -> 443

Open it in the browser and inspect the certificate. The name matches, but the client does not have the CA certificate, so a warning is shown. I requested a validity of 1 hour, yet the certificate appears to be valid for 2 hours.

Decoding the Secret and looking at the certificate contents confirms this.

$ k -n nginx get secret nginx-cert-tls -ojson | jq -r '.data."tls.crt"' | base64 --decode | openssl x509 -text -noout -
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6c:a1:3d:a9:e4:94:42:8d:eb:37:ba:6e:56:5d:4e:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Root CA
        Validity
            Not Before: Nov 20 01:14:34 2024 GMT
            Not After : Nov 20 03:14:34 2024 GMT
        Subject: CN=nginx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:fd:fa:d3:2a:a1:5c:74:a4:cc:d7:28:ea:e3:
                    94:e9:f8:d0:94:39:ef:c0:b1:1a:af:c9:38:43:c8:
                    fe:1d:69:6d:b8:41:43:5e:c7:e4:de:4e:ec:6f:06:
                    3a:88:67:d1:84:e0:e6:6e:2f:43:f0:74:75:99:f9:
                    11:69:b0:8b:1c:c7:74:1d:d1:3a:e2:55:90:35:f8:
                    3f:73:ba:a2:12:d7:5c:37:09:d7:12:2f:63:58:37:
                    2f:91:cc:de:f6:a1:2b:1d:c3:e0:f2:a8:13:c0:ab:
                    75:69:2c:7a:06:b9:b7:4d:1c:8d:08:94:ca:24:93:
                    58:9d:1a:b4:db:a1:45:7c:8b:52:97:c1:2e:85:a9:
                    d4:4e:92:c6:ea:4b:a7:57:ba:40:c1:d5:aa:5c:12:
                    e7:82:24:74:28:5f:d5:22:00:91:c2:86:38:4e:a5:
                    63:4f:c2:0b:4d:16:bd:a4:3b:7e:47:b7:b8:6b:f5:
                    05:fe:7a:d1:fa:56:6e:51:1c:01:1f:05:c4:92:7d:
                    18:45:1e:05:c6:fc:a5:7b:47:ca:96:62:f6:35:5e:
                    7a:57:63:ba:3f:c6:4d:78:0a:27:07:46:65:e1:ad:
                    6f:90:65:bc:7a:e4:83:f4:9e:57:06:0e:b7:00:a5:
                    ba:7e:d2:9f:14:56:4b:46:8c:03:77:17:f9:a3:68:
                    a6:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.example.com
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Authority Key Identifier: 
                A3:A8:EE:86:A4:4A:D3:06:3E:B1:33:DA:59:EE:C7:09:0E:62:2B:D4
            X509v3 Subject Key Identifier: 
                CE:29:F3:10:FD:FD:E0:08:6F:97:AA:C5:7D:C3:0F:DF:88:FD:06:33
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        02:4e:0b:2d:af:a2:f0:21:f2:b7:8f:8b:45:33:51:69:3f:91:
        c3:cd:df:bc:74:f6:f8:08:b8:33:82:06:e8:61:79:ee:1b:5f:
        5a:c1:b0:69:0f:2d:8d:7f:c0:4c:33:3d:41:ed:0a:46:7f:bd:
        e2:02:c2:e8:63:eb:3c:f1:60:8b:27:9a:e8:65:ea:db:78:b2:
        b9:74:b4:cf:83:3c:3d:e1:09:5c:0d:93:ee:76:1c:cf:b0:a2:
        12:bd:f4:b0:79:6c:86:a7:e5:a3:bb:12:82:d0:97:db:b5:68:
        d8:59:e2:de:ad:bb:40:e8:a8:7f:90:58:79:fe:b9:2c:46:df:
        94:eb:fc:ec:12:1b:54:08:13:0f:58:9e:c8:5a:7c:b6:87:ff:
        f6:42:1f:36:6c:3e:50:be:dc:96:42:84:1e:14:c4:22:06:7a:
        ff:56:33:60:f5:4e:1c:23:ee:a7:b2:01:f0:a0:45:5e:4c:96:
        a3:c4:f1:5c:c6:17:d2:41:71:d4:2e:54:79:47:3d:2e:2c:7e:
        ba:e4:e1:f0:83:a8:12:99:70:f4:27:78:0f:0e:f2:60:c2:58:
        fe:0c:7d:df:9b:c7:ac:e7:e2:4a:aa:9d:d8:6d:ed:aa:da:47:
        89:a9:e4:69:67:15:1d:7d:a6:d1:b3:90:82:5c:c6:2a:72:44:
        8d:f1:8c:27

Let's also check it by connecting with openssl.

$ openssl s_client -connect localhost:8443 -showcerts
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 CN=nginx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=nginx
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=nginx
verify return:1
---
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 01:14:34 2024 GMT; NotAfter: Nov 20 03:14:34 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=nginx
issuer=CN=Root CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1388 bytes and written 382 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 081865F75E84C5526B8329631C8A719465450BF69726E357DE322F06D4B766EA
    Session-ID-ctx:
    Resumption PSK: 02BA0EE819A11816BD4739A06CD500B9C484BAFE5E473430549D1AA1AF6357D2948165C215AC9B1602C1D3325B5626C1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 76 c5 fe b4 da 6a 4e 2a-71 a3 75 1a 5c 96 74 4e   v....jN*q.u.\.tN
    0010 - ca 82 c2 1c 9b be 41 e1-94 07 64 36 89 e2 6d b9   ......A...d6..m.
    0020 - 17 f8 39 a9 52 e1 ab a4-d9 2c 2b 8f 2f 70 73 7f   ..9.R....,+./ps.
    0030 - e1 f2 46 de 89 11 f6 db-0c 09 06 4a 31 b6 d2 2f   ..F........J1../
    0040 - 68 5b af d6 9b 42 71 01-e8 46 de 36 9d c9 7f 41   h[...Bq..F.6...A
    0050 - fa 3b 8c 11 f6 06 1c 70-79 71 e5 02 65 19 8c 63   .;.....pyq..e..c
    0060 - e9 d4 38 c5 1e ad d9 6b-09 f8 03 28 3f 35 60 ca   ..8....k...(?5`.
    0070 - 25 6e 82 b9 bf 45 54 ca-ad 5f 70 44 01 db a9 26   %n...ET.._pD...&
    0080 - e7 15 19 f2 d6 ba 7d b7-03 95 0e fd 1f 85 8c 62   ......}........b
    0090 - 0b 28 bf 05 ef 3e f4 d6-65 71 24 ca 77 b2 00 11   .(...>..eq$.w...
    00a0 - 5e 97 df 49 53 da a1 66-3b c4 6c e7 61 ae 96 55   ^..IS..f;.l.a..U
    00b0 - de bb 69 4f af 54 e0 09-e4 3a 28 ab 72 79 08 da   ..iO.T...:(.ry..
    00c0 - 42 3e 8b 6c 17 3d e3 2c-a1 84 1c 2f c9 f0 d9 fb   B>.l.=.,.../....
    00d0 - 07 7d fa 81 dc c6 e2 53-9a d0 49 c4 9f 70 52 89   .}.....S..I..pR.

    Start Time: 1732069480
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 779A52D6D297D50E423E512D7046E8C40C663822AC5274FDD0D18FC51207782F
    Session-ID-ctx:
    Resumption PSK: 4D2F35113182F1DE64F7550E4BD041A662F85E4C0C4593B60AE6CAF2D4B5D766E737E087E985860EB08E7CCD77646035
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 76 c5 fe b4 da 6a 4e 2a-71 a3 75 1a 5c 96 74 4e   v....jN*q.u.\.tN
    0010 - cd 56 f8 9c 07 05 c0 b5-3b fe bf 67 ea 46 b9 67   .V......;..g.F.g
    0020 - 41 c1 e1 11 ab 13 b8 e3-b2 c3 2e b9 48 c3 a0 70   A...........H..p
    0030 - 81 37 9c b6 d3 3d 7b 7d-ea 5a 58 c2 0e 1b b0 e1   .7...={}.ZX.....
    0040 - 32 ee 32 ff c2 6d 95 71-9d 58 6f 8f 97 63 b5 c8   2.2..m.q.Xo..c..
    0050 - c2 88 fc 6b 73 32 1e b4-e8 3b 60 19 fd 41 a0 2b   ...ks2...;`..A.+
    0060 - bd 4f 16 62 03 08 bd 5c-c7 02 06 fa 55 8c d3 82   .O.b...\....U...
    0070 - db 32 83 87 2a f7 b6 be-22 18 78 0d 2c e7 14 6f   .2..*...".x.,..o
    0080 - d6 dc 6e 1b 81 14 b2 9e-84 15 04 4f 42 52 70 a4   ..n........OBRp.
    0090 - 5e 64 b7 39 89 47 94 63-2d 00 99 92 31 8b d5 f5   ^d.9.G.c-...1...
    00a0 - 52 f6 63 0a 50 b7 57 c8-a6 86 db 7e f9 fc 75 a7   R.c.P.W....~..u.
    00b0 - 10 eb 24 08 88 ec ff cc-b5 cd f7 71 f2 b3 9d 9e   ..$........q....
    00c0 - 9c b6 e3 a8 aa cb 8a cc-3f 21 ee 96 03 a3 42 26   ........?!....B&
    00d0 - 9b 58 15 9b af 3b b0 92-f9 69 3a 24 1c 8e b0 77   .X...;...i:$...w

    Start Time: 1732069480
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Checking the certificate renewal behaviour

I intended to wait the full 2 hours, but the renewal ran after 50 minutes.

The cert-manager log shows errors, so there may be some problem.

I1120 03:04:34.000561       1 trigger_controller.go:223] "Certificate must be re-issued" logger="cert-manager.controller" key="nginx/nginx-cert" reason="Renewing" message="Renewing certificate as renewal was scheduled at 2024-11-20 03:04:34 +0000 UTC"
I1120 03:04:34.000597       1 conditions.go:203] Setting lastTransitionTime for Certificate "nginx-cert" condition "Issuing" to 2024-11-20 03:04:34.000589942 +0000 UTC m=+6782.076443858
I1120 03:04:34.083756       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "nginx-cert-2" condition "Approved" to 2024-11-20 03:04:34.083747695 +0000 UTC m=+6782.159601623
I1120 03:04:35.330079       1 controller.go:152] "re-queuing item due to optimistic locking on resource" logger="cert-manager.controller" error="Operation cannot be fulfilled on certificates.cert-manager.io \"nginx-cert\": the object has been modified; please apply your changes to the latest version and try again"
I1120 03:04:35.348350       1 controller.go:152] "re-queuing item due to optimistic locking on resource" logger="cert-manager.controller" error="Operation cannot be fulfilled on certificates.cert-manager.io \"nginx-cert\": the object has been modified; please apply your changes to the latest version and try again"
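The 2-hour validity noted earlier and the renewal after 50 minutes are two views of the same arithmetic: the issuer set Not Before one hour before the request time (01:14:34 for a CertificateRequest created at 02:14:34) while Not After is the request time plus the requested 1h, and cert-manager schedules renewal at notAfter minus renewBefore (the Certificate's status.renewalTime of 03:54:34 for revision 2 follows the same rule). The following Python snippet is an added example, not part of the original post: it parses the Not Before / Not After lines from the openssl output above and works the schedule through to the 03:04:34 renewal seen in the log.

```python
from datetime import datetime, timedelta, timezone

# Sample input copied from the page: the Validity lines of the first certificate as printed
# by `openssl x509 -text`, plus the values from the Certificate spec and the
# CertificateRequest's creationTimestamp (taken as the request time).
X509_TEXT = """\
        Validity
            Not Before: Nov 20 01:14:34 2024 GMT
            Not After : Nov 20 03:14:34 2024 GMT
"""
REQUESTED_AT = datetime(2024, 11, 20, 2, 14, 34, tzinfo=timezone.utc)
REQUESTED_DURATION = timedelta(hours=1)   # spec.duration: 1h0m0s
RENEW_BEFORE = timedelta(minutes=10)      # spec.renewBefore: 10m0s


def parse_validity(x509_text):
    """Extract (not_before, not_after) as UTC datetimes from `openssl x509 -text` output."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    found = {}
    for line in x509_text.splitlines():
        s = line.strip()
        for key in ("Not Before", "Not After"):
            if s.startswith(key):
                value = s.split(":", 1)[1].strip()
                found[key] = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("Not Before / Not After not found")
    return found["Not Before"], found["Not After"]


def renewal_schedule(x509_text, requested_at, requested_duration, renew_before):
    """Work out the validity window and when cert-manager will renew.

    cert-manager schedules the renewal at notAfter - renewBefore, so a backdated
    notBefore stretches the certificate's total lifetime but not the time until renewal.
    """
    not_before, not_after = parse_validity(x509_text)
    renewal_at = not_after - renew_before
    return {
        "actual_lifetime": not_after - not_before,      # what the browser displays
        "backdated_by": requested_at - not_before,       # issuer's notBefore skew
        "usable_lifetime": not_after - requested_at,     # validity left at issuance
        "requested_lifetime": requested_duration,
        "renewal_at": renewal_at,
        "time_to_renewal": renewal_at - requested_at,
    }


if __name__ == "__main__":
    sched = renewal_schedule(X509_TEXT, REQUESTED_AT, REQUESTED_DURATION, RENEW_BEFORE)
    for key, value in sched.items():
        print(f"{key:20} {value}")
```

With the page's values this yields a 2h actual lifetime, 1h of backdating, a usable lifetime equal to the requested 1h, and a renewal at 03:04:34, 50 minutes after issuance; the "Renewing certificate as renewal was scheduled at 2024-11-20 03:04:34" log line above is that value.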

The privateca-issuer log, on the other hand, looks fine.

{"level":"info","ts":"2024-11-20T02:14:34Z","logger":"controllers.CertificateRequest","msg":"Issued certificate with arn: arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a/certificate/6ca13da9e494428deb37ba6e565d4e38","certificaterequest":{"name":"nginx-cert-1","namespace":"nginx"}}
{"level":"info","ts":"2024-11-20T02:14:35Z","logger":"controllers.CertificateRequest","msg":"Created certificate with arn: ","certificaterequest":{"name":"nginx-cert-1","namespace":"nginx"}}
{"level":"info","ts":"2024-11-20T03:04:34Z","logger":"controllers.CertificateRequest","msg":"Issued certificate with arn: arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a/certificate/07d4187f2dd22a9e9d13264c40c50164","certificaterequest":{"name":"nginx-cert-2","namespace":"nginx"}}
{"level":"info","ts":"2024-11-20T03:04:35Z","logger":"controllers.CertificateRequest","msg":"Created certificate with arn: ","certificaterequest":{"name":"nginx-cert-2","namespace":"nginx"}}
$ k -n nginx get certificate
NAME         READY   SECRET           AGE
nginx-cert   True    nginx-cert-tls   52m
$ k -n nginx get certificaterequest
NAME           APPROVED   DENIED   READY   ISSUER    REQUESTER                                         AGE
nginx-cert-1   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   52m
nginx-cert-2   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   2m41s
$ k -n nginx get secret
NAME             TYPE                DATA   AGE
nginx-cert-tls   kubernetes.io/tls   3      76m
$ k -n nginx get certificate nginx-cert -oyaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"nginx-cert","namespace":"nginx"},"spec":{"commonName":"nginx","dnsNames":["www.example.com"],"duration":"1h0m0s","issuerRef":{"group":"awspca.cert-manager.io","kind":"AWSPCAClusterIssuer","name":"root-ca"},"privateKey":{"algorithm":"RSA","size":2048},"renewBefore":"10m0s","secretName":"nginx-cert-tls","usages":["server auth"]}}
  creationTimestamp: "2024-11-20T02:14:34Z"
  generation: 1
  name: nginx-cert
  namespace: nginx
  resourceVersion: "30130"
  uid: ffd8a316-8bbe-40f6-bac9-bba52cdabe28
spec:
  commonName: nginx
  dnsNames:
  - www.example.com
  duration: 1h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: root-ca
  privateKey:
    algorithm: RSA
    size: 2048
  renewBefore: 10m0s
  secretName: nginx-cert-tls
  usages:
  - server auth
status:
  conditions:
  - lastTransitionTime: "2024-11-20T02:14:35Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2024-11-20T04:04:34Z"
  notBefore: "2024-11-20T02:04:34Z"
  renewalTime: "2024-11-20T03:54:34Z"
  revision: 2
$ k -n nginx get certificaterequest nginx-cert-2 -oyaml
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  annotations:
    aws-privateca-issuer/certificate-arn: arn:aws:acm-pca:ap-northeast-1:XXXXXXXXXXXX:certificate-authority/2aebb313-2f59-4cd1-98a8-97d39bf3c42a/certificate/07d4187f2dd22a9e9d13264c40c50164
    cert-manager.io/certificate-name: nginx-cert
    cert-manager.io/certificate-revision: "2"
    cert-manager.io/private-key-secret-name: nginx-cert-mzbzt
  creationTimestamp: "2024-11-20T03:04:34Z"
  generation: 1
  name: nginx-cert-2
  namespace: nginx
  ownerReferences:
  - apiVersion: cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Certificate
    name: nginx-cert
    uid: ffd8a316-8bbe-40f6-bac9-bba52cdabe28
  resourceVersion: "30123"
  uid: e68773c3-5d6f-498b-bb7c-1ae538c915ae
spec:
  duration: 1h0m0s
  extra:
    authentication.kubernetes.io/pod-name:
    - cert-manager-859bc755b6-r2h4q
    authentication.kubernetes.io/pod-uid:
    - a39fdcdd-415f-4831-8415-bd7796ee282b
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:cert-manager
  - system:authenticated
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: root-ca
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2x6Q0NBWDhDQVFBd0VERU9NQXdHQTFVRUF4TUZibWRwYm5nd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQQpBNElCRHdBd2dnRUtBb0lCQVFDNy9mclRLcUZjZEtUTTF5anE0NVRwK05DVU9lL0FzUnF2eVRoRHlQNGRhVzI0ClFVTmV4K1RlVHV4dkJqcUlaOUdFNE9adUwwUHdkSFdaK1JGcHNJc2N4M1FkMFRyaVZaQTErRDl6dXFJUzExdzMKQ2RjU0wyTllOeStSek43Mm9Tc2R3K0R5cUJQQXEzVnBMSG9HdWJkTkhJMElsTW9razFpZEdyVGJvVVY4aTFLWAp3UzZGcWRST2tzYnFTNmRYdWtEQjFhcGNFdWVDSkhRb1g5VWlBSkhDaGpoT3BXTlB3Z3RORnIya08zNUh0N2hyCjlRWCtldEg2Vm01UkhBRWZCY1NTZlJoRkhnWEcvS1Y3UjhxV1l2WTFYbnBYWTdvL3hrMTRDaWNIUm1YaHJXK1EKWmJ4NjVJUDBubGNHRHJjQXBicCswcDhVVmt0R2pBTjNGL21qYUthdEFnTUJBQUdnUWpCQUJna3Foa2lHOXcwQgpDUTR4TXpBeE1Cb0dBMVVkRVFRVE1CR0NEM2QzZHk1bGVHRnRjR3hsTG1OdmJUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVorU2xJMlptVWJhSWFhZ2ZrY0xTZ0I5VkkyT0IKZ1JyTGV6cTNVSkppZlJnNy9aVVZBaC9wcExxZ1paK05sajBmbWR6WFFtREdkWG1VQ3pZNURqVTlRQ2ZldUdPKwpIc05NYnpGMGI0VS9rSEt4VnVIQmRGVDVFRkNmTk9rejJJY04vZDV1Sm1nZVNyYlZTaDdBQnFkQk5qVzJDY0RWCm9MM0VicVVrTktFSjZmeWVOQzVpM1VTdjVNMjJwR2lFUHlNV050blBURXZPQkc1dHQ0Y0RmdWFJci9NR0g1UGEKTUUrWG1VbDBqcHpVQUdtSjV1L0Nmb01CSHQ3aTlYOTFNS21CMzVBc3lEVmpqamVMOVZwdjVCZTVjcEIwUW1mdAo0ZktQMlZDRUJBQ211cVMyZGRCWlJmVVhqL242KzMwd29wOWNKbGFRL0dhaG9zV1IramNnWVZRZ3dBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  uid: 6ae4a1ea-48e9-426b-82d5-78a095c1279f
  usages:
  - server auth
  username: system:serviceaccount:cert-manager:cert-manager
status:
  ca: 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
  certificate: 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
  conditions:
  - lastTransitionTime: "2024-11-20T03:04:34Z"
    message: Certificate request has been approved by cert-manager.io
    reason: cert-manager.io
    status: "True"
    type: Approved
  - lastTransitionTime: "2024-11-20T03:04:35Z"
    message: certificate issued
    reason: Issued
    status: "True"
    type: Ready
$ k -n nginx get secret nginx-cert-tls -oyaml
apiVersion: v1
data:
  ca.crt: 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
  tls.crt: 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
  tls.key: (snip)
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: www.example.com
    cert-manager.io/certificate-name: nginx-cert
    cert-manager.io/common-name: nginx
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: awspca.cert-manager.io
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-name: root-ca
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2024-11-20T01:50:57Z"
  labels:
    controller.cert-manager.io/fao: "true"
  name: nginx-cert-tls
  namespace: nginx
  resourceVersion: "30125"
  uid: fa9fc42c-c7b8-4623-b611-284221dbfa61
type: kubernetes.io/tls

At a glance it is hard to tell whether the Secret has been updated, but looking at its contents it does appear to have been updated.

$ k -n nginx get secret nginx-cert-tls -ojson | jq -r '.data."tls.crt"' | base64 --decode | openssl x509 -text -noout -
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:d4:18:7f:2d:d2:2a:9e:9d:13:26:4c:40:c5:01:64
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Root CA
        Validity
            Not Before: Nov 20 02:04:34 2024 GMT
            Not After : Nov 20 04:04:34 2024 GMT
        Subject: CN=nginx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:fd:fa:d3:2a:a1:5c:74:a4:cc:d7:28:ea:e3:
                    94:e9:f8:d0:94:39:ef:c0:b1:1a:af:c9:38:43:c8:
                    fe:1d:69:6d:b8:41:43:5e:c7:e4:de:4e:ec:6f:06:
                    3a:88:67:d1:84:e0:e6:6e:2f:43:f0:74:75:99:f9:
                    11:69:b0:8b:1c:c7:74:1d:d1:3a:e2:55:90:35:f8:
                    3f:73:ba:a2:12:d7:5c:37:09:d7:12:2f:63:58:37:
                    2f:91:cc:de:f6:a1:2b:1d:c3:e0:f2:a8:13:c0:ab:
                    75:69:2c:7a:06:b9:b7:4d:1c:8d:08:94:ca:24:93:
                    58:9d:1a:b4:db:a1:45:7c:8b:52:97:c1:2e:85:a9:
                    d4:4e:92:c6:ea:4b:a7:57:ba:40:c1:d5:aa:5c:12:
                    e7:82:24:74:28:5f:d5:22:00:91:c2:86:38:4e:a5:
                    63:4f:c2:0b:4d:16:bd:a4:3b:7e:47:b7:b8:6b:f5:
                    05:fe:7a:d1:fa:56:6e:51:1c:01:1f:05:c4:92:7d:
                    18:45:1e:05:c6:fc:a5:7b:47:ca:96:62:f6:35:5e:
                    7a:57:63:ba:3f:c6:4d:78:0a:27:07:46:65:e1:ad:
                    6f:90:65:bc:7a:e4:83:f4:9e:57:06:0e:b7:00:a5:
                    ba:7e:d2:9f:14:56:4b:46:8c:03:77:17:f9:a3:68:
                    a6:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Authority Key Identifier:
                A3:A8:EE:86:A4:4A:D3:06:3E:B1:33:DA:59:EE:C7:09:0E:62:2B:D4
            X509v3 Subject Key Identifier:
                CE:29:F3:10:FD:FD:E0:08:6F:97:AA:C5:7D:C3:0F:DF:88:FD:06:33
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        70:a1:fd:00:d5:6b:99:e5:24:64:7b:aa:bd:58:33:7e:20:d1:
        76:14:c5:c9:99:ee:67:a8:b7:43:72:2a:ea:21:5c:d3:55:7e:
        00:d8:51:7e:89:6f:38:77:3e:46:b0:4d:51:c7:5c:9a:e6:d6:
        52:bd:65:ee:55:a6:50:a3:f6:2b:a4:27:90:d9:e5:f0:2d:77:
        c1:ba:de:e7:11:7a:82:cd:b4:a1:54:e6:8b:ce:dd:f1:a4:48:
        74:66:55:d6:51:d4:d9:15:32:94:4f:dd:2a:71:ae:02:ca:3a:
        bc:28:50:4b:81:8f:72:a8:80:c3:1d:bb:b7:6c:4a:ee:1a:66:
        97:ee:bb:24:bd:7d:62:63:bf:f1:a6:56:73:0b:5d:15:2e:b4:
        7c:5a:04:4d:97:0e:cc:9d:43:4f:77:f4:73:22:c0:3d:ff:fd:
        69:f0:0c:82:d9:80:95:62:64:0c:e3:b4:61:18:55:d1:34:01:
        31:96:ee:51:b8:e6:96:06:70:d0:90:f1:8d:c9:04:57:a9:ed:
        06:2d:e7:e5:73:14:07:0c:b3:04:33:91:8e:3d:df:e5:ba:67:
        83:ea:22:cb:af:95:ed:f8:3d:cf:fb:16:a1:d4:d9:35:1e:f3:
        1f:ad:10:f1:e7:c9:d3:41:10:7f:6c:37:ab:16:45:69:6c:05:
        35:c9:d4:5c

However, as expected, when accessed from a browser the certificate has not been updated.

Check with openssl as well.

$ openssl s_client -connect localhost:8443 -showcerts
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 CN=nginx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=nginx
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=nginx
verify error:num=10:certificate has expired
notAfter=Nov 20 03:14:34 2024 GMT
verify return:1
depth=0 CN=nginx
notAfter=Nov 20 03:14:34 2024 GMT
verify return:1
---
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 01:14:34 2024 GMT; NotAfter: Nov 20 03:14:34 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=nginx
issuer=CN=Root CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1388 bytes and written 382 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 43BF3E46EC23FFF3D3AEF306BB931243B9F5FCF64E2FD3BCB869108270D13AE1
    Session-ID-ctx:
    Resumption PSK: 6827140C0AA27746E712B7210545B3C69321C903D24986EE2BBFBB79044C282150FD5AA6C85727C71873A9C1F2938D9F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 76 c5 fe b4 da 6a 4e 2a-71 a3 75 1a 5c 96 74 4e   v....jN*q.u.\.tN
    0010 - 4d 18 4f a9 1f 5f 97 cf-fb 09 c6 66 27 8a 3a 37   M.O.._.....f'.:7
    0020 - a2 83 b9 b6 b4 da f2 1c-b0 a1 bf 35 04 6d 59 bd   ...........5.mY.
    0030 - 11 bf be fc 6b 91 90 b5-84 90 85 52 83 da ac 47   ....k......R...G
    0040 - 63 cb bd dd 33 68 26 93-81 ea 53 f8 1e 18 8d 1f   c...3h&...S.....
    0050 - 2e f7 51 47 cc 30 d2 da-b2 b6 85 91 a8 ef 09 d9   ..QG.0..........
    0060 - cb 39 4d 5b e4 21 9a f2-2b de 73 b6 e3 85 62 29   .9M[.!..+.s...b)
    0070 - 5c e6 be 26 30 24 65 bd-e5 ba 54 f9 0d d2 54 2f   \..&0$e...T...T/
    0080 - 05 af 75 f5 d3 9c e9 cd-3c f5 bb a1 9b 24 aa f4   ..u.....<....$..
    0090 - f1 09 71 eb 96 02 e6 b2-45 1e f7 67 cd 97 71 79   ..q.....E..g..qy
    00a0 - 4d 19 0e 91 a6 1c fc d6-98 7d c9 39 df c3 ee 41   M........}.9...A
    00b0 - 94 25 fa a6 ed 94 32 fa-ea 54 0e 5b 94 30 fe f6   .%....2..T.[.0..
    00c0 - 4d ad 70 f2 90 f6 ff 6f-ce f4 f2 4b b9 d4 91 5b   M.p....o...K...[
    00d0 - b8 e8 94 21 be 89 61 c4-6d 71 50 b5 dc 18 8c f9   ...!..a.mqP.....

    Start Time: 1732072738
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A3D2C90F3B721F950A638A18482504F498EF54D30FAC5642EE4BF307C9E06A99
    Session-ID-ctx:
    Resumption PSK: 766B18982AFAEF910F575B88DE61F7F6B6E3728D4534885432405FF7AAAF34C18A017B549F33206A22FFFD4F507F6756
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 76 c5 fe b4 da 6a 4e 2a-71 a3 75 1a 5c 96 74 4e   v....jN*q.u.\.tN
    0010 - e9 01 40 e9 f5 45 4e 6c-c0 16 22 f0 29 df c4 91   ..@..ENl..".)...
    0020 - 83 e5 1d f3 07 06 88 21-76 a8 ed dd 9a 53 19 99   .......!v....S..
    0030 - 4d 6f 66 b5 71 92 f8 a2-6f ac 24 8b 1b a0 4b 13   Mof.q...o.$...K.
    0040 - 8d 7a b8 2b 47 a5 15 10-70 ba 0a a7 70 aa 09 f0   .z.+G...p...p...
    0050 - f5 a6 c9 7f 4c bb 0c 0a-bf c4 59 ed 34 2c 06 04   ....L.....Y.4,..
    0060 - 82 4e a3 19 a5 61 e0 76-2d cf 2a ac 66 78 ab 2d   .N...a.v-.*.fx.-
    0070 - ff 99 cd d3 10 09 6f fc-34 95 86 14 56 d1 90 5e   ......o.4...V..^
    0080 - c0 ca 3a 10 20 dd 20 d5-25 ca 91 fe d2 f1 b7 cb   ..:. . .%.......
    0090 - 85 5a 67 9a c9 cd 5d d1-ea 97 99 0d b1 40 17 80   .Zg...]......@..
    00a0 - a7 6c dd 4c ed 03 68 c2-8a cf 78 6e b5 ef 4e 39   .l.L..h...xn..N9
    00b0 - 10 53 68 1b ad 06 4f b6-ed af 00 e0 ed c4 c2 b9   .Sh...O.........
    00c0 - bb 47 9c 17 25 8d f3 f4-07 54 ed 74 56 5e ac 58   .G..%....T.tV^.X
    00d0 - 7d 93 99 44 e2 e2 63 d7-27 73 27 a4 f7 42 43 48   }..D..c.'s'..BCH

    Start Time: 1732072738
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
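The gap shown above (cert-manager has already renewed the Secret, but the running nginx still serves the older, now expired, certificate) is easy to miss if you only look at the Certificate resource. As an added check (example code, not part of the original notes), the following parses the `v:NotBefore ...; NotAfter ...` line that `openssl s_client -showcerts` prints for the leaf certificate and compares it with `status.notAfter` of the Certificate resource. The two chain blocks and the timestamps are constructed from the outputs on this page; the epoch `Start Time` values in the s_client output (1732072738 and 1732072959) correspond to 03:18:58 and 03:22:39 UTC, which is what makes the first run report "certificate has expired".

```python
"""Detect a workload serving a certificate older than the one cert-manager issued.

Added example; it is not code from the notes or from cert-manager. It compares
the validity of the leaf certificate actually served (parsed from
`openssl s_client -showcerts` output) with status.notAfter of the Certificate
resource (as printed by `kubectl get certificate -o yaml`).
"""
import re
from datetime import datetime, timezone

# Constructed sample: the chain block from the s_client run before the Pod restart.
BEFORE_RESTART = """\
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 01:14:34 2024 GMT; NotAfter: Nov 20 03:14:34 2024 GMT
"""

# Constructed sample: the chain block from the s_client run after the Pod restart.
AFTER_RESTART = """\
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 02:04:34 2024 GMT; NotAfter: Nov 20 04:04:34 2024 GMT
"""

# Constructed sample: status.notAfter of the Certificate resource at that time.
ISSUED_NOT_AFTER = "2024-11-20T04:04:34Z"

# The "v:" line only appears in -showcerts output; depth 0 is the leaf certificate.
_VALIDITY = re.compile(r"v:NotBefore: (.+?); NotAfter: (.+?)\s*$")


def parse_openssl_time(text):
    """Parse the time format openssl prints, e.g. 'Nov 20 03:14:34 2024 GMT'."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_k8s_time(text):
    """Parse an RFC 3339 timestamp as Kubernetes prints it, e.g. '2024-11-20T04:04:34Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def served_validity(s_client_output):
    """Return (notBefore, notAfter) of the leaf certificate from s_client -showcerts output."""
    for line in s_client_output.splitlines():
        m = _VALIDITY.search(line)
        if m:
            return parse_openssl_time(m.group(1)), parse_openssl_time(m.group(2))
    raise ValueError("no 'v:NotBefore ...; NotAfter ...' line found (was -showcerts used?)")


def check_served_certificate(s_client_output, issued_not_after, now):
    """Compare what is served with what was issued.

    'stale' means the endpoint still serves a certificate that expires before the
    one cert-manager most recently issued, i.e. the Secret was renewed but the Pod
    never picked it up. 'expired' means the served certificate is already invalid.
    """
    _, served_not_after = served_validity(s_client_output)
    issued = parse_k8s_time(issued_not_after)
    return {
        "served_not_after": served_not_after,
        "issued_not_after": issued,
        "stale": served_not_after < issued,
        "expired": now >= served_not_after,
        "seconds_left": int((served_not_after - now).total_seconds()),
    }


if __name__ == "__main__":
    for label, output, at in (
        ("before restart", BEFORE_RESTART, "2024-11-20T03:18:58Z"),
        ("after restart", AFTER_RESTART, "2024-11-20T03:22:39Z"),
    ):
        print(label, check_served_certificate(output, ISSUED_NOT_AFTER, parse_k8s_time(at)))
```

To use it against a live endpoint, feed it `openssl s_client -connect host:port -showcerts </dev/null` output and `kubectl -n <ns> get certificate <name> -o jsonpath='{.status.notAfter}'`; a `stale` result is the signal that the workload needs a rollout (or a Reloader-style trigger) even though cert-manager reports Ready.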

Restart the Nginx Pod and confirm that the certificate change is reflected.

$ k -n nginx rollout restart deployment nginx
deployment.apps/nginx restarted
$ k -n nginx rollout status deployment nginx
deployment "nginx" successfully rolled out
$ k -n nginx get po
NAME                     READY   STATUS    RESTARTS   AGE
nginx-64d594d6f8-xhjn5   1/1     Running   0          21s

The validity period has been updated.

$ openssl s_client -connect localhost:8443 -showcerts
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 CN=nginx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=nginx
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=nginx
verify return:1
---
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 02:04:34 2024 GMT; NotAfter: Nov 20 04:04:34 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=nginx
issuer=CN=Root CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1388 bytes and written 382 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 880E61D7AFEFA00530491AC7CCD97FA332678F470DD4A025D017CA8CDEE14888
    Session-ID-ctx:
    Resumption PSK: FCD6B9C771EFDEEA826E363D73D4438A6CB2C1A00AF2A48DB9E507699AC03ED090EC42272A3660321542491E9CDAE808
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 33 a7 0b 89 fc af 6f ed-6c c9 25 1f ce 6d b3 50   3.....o.l.%..m.P
    0010 - 43 e5 0c 98 e1 de 33 a7-7c 99 a8 00 6e 0c f3 75   C.....3.|...n..u
    0020 - 37 78 49 38 60 d4 ab 32-29 40 ee a9 a8 f5 45 c2   7xI8`..2)@....E.
    0030 - 66 78 39 15 02 e0 8c 7e-18 3f db 82 19 f5 f8 3e   fx9....~.?.....>
    0040 - e0 57 22 91 57 53 d5 d5-23 6b 6a 79 2d 3a e1 51   .W".WS..#kjy-:.Q
    0050 - 1b a3 d2 01 d0 69 96 0f-a7 ae 38 fe cc b7 26 22   .....i....8...&"
    0060 - d5 45 a5 a5 64 8c dd 5a-2b 09 14 78 0b 93 1a 09   .E..d..Z+..x....
    0070 - 1c ca 28 a1 d3 be a6 60-b4 7b dd b4 8f 92 57 53   ..(....`.{....WS
    0080 - 73 92 9f 29 d9 61 51 da-94 18 a5 0c 7e 40 92 23   s..).aQ.....~@.#
    0090 - 51 93 0b e6 24 4f 82 b3-0c 06 f4 16 7d 4a 08 c8   Q...$O......}J..
    00a0 - bc 54 92 c5 2a 82 e5 2a-a7 09 e8 e1 d2 a2 ca 94   .T..*..*........
    00b0 - c4 75 10 89 9d 1a 6c 5e-aa c9 6e 88 a1 01 b5 bf   .u....l^..n.....
    00c0 - 4c fd 4d 2e a9 0b 02 a9-1e 00 5c a8 f5 e2 73 1b   L.M.......\...s.
    00d0 - 7e ff 02 c0 49 e5 c5 9e-ad 78 95 cf 50 22 b0 7a   ~...I....x..P".z

    Start Time: 1732072959
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3450842A43C543FE9E0A44E871A81941DF3E002A281EA97CD25A08F47F9E13E1
    Session-ID-ctx:
    Resumption PSK: 5E3037E963869FB67355D78B7B9EC3F5C7C1C05DAF34E7BEBFCE0F2AFAC2E6D7C6119D9A25C81786F3F55CFF037CF75B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 33 a7 0b 89 fc af 6f ed-6c c9 25 1f ce 6d b3 50   3.....o.l.%..m.P
    0010 - 18 ad 5f b0 4a 52 c3 5f-66 3d fc 7f 67 93 ad a5   .._.JR._f=..g...
    0020 - 95 03 d3 e2 3b 44 1b 0b-c1 9b e8 a7 9b 1d af 8a   ....;D..........
    0030 - b3 54 db 6e 95 15 16 1f-41 c7 7d 62 4f 23 b7 34   .T.n....A.}bO#.4
    0040 - 17 07 e9 fc 1e 99 56 80-96 c6 a0 70 1e 1d 45 bc   ......V....p..E.
    0050 - 17 06 25 ca b3 5f 5a 39-4e e5 16 b6 3f ca 99 8c   ..%.._Z9N...?...
    0060 - ee ed 76 ef 88 4b 55 8b-69 aa d7 9e 13 8e 9f e0   ..v..KU.i.......
    0070 - 47 b4 e6 1f 7a a2 d1 29-0b 1a 67 73 38 cb e1 62   G...z..)..gs8..b
    0080 - 66 be 8d 80 90 b6 56 9f-5e 32 34 88 07 36 19 9f   f.....V.^24..6..
    0090 - 88 cd 22 79 e5 bf 9e fd-13 2a 11 f1 b8 ba 55 33   .."y.....*....U3
    00a0 - 4c 74 5e c0 c2 fa d1 6c-5e 3c af 2f 09 fb 6d 4d   Lt^....l^<./..mM
    00b0 - e0 f1 68 84 da 7a df 45-6a 9a ce c8 98 7e 23 3d   ..h..z.Ej....~#=
    00c0 - 75 ca ff b5 c7 e9 40 32-25 72 80 af 90 fc 07 9f   u.....@2%r......
    00d0 - 7a e3 89 a2 ae ce 55 50-80 5d be 2b c9 27 7b f5   z.....UP.].+.'{.

    Start Time: 1732072959
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Rollout on certificate renewal with Reloader

Edit the Deployment and add the annotation.

$ k -n nginx edit deployment nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/auto: "true"  # add this line
...
  name: nginx
  namespace: nginx

Adding the annotation alone does not restart the Pod, so restart it just in case. Since I think Reloader watches the Deployment itself, this may not matter much.

$ k -n nginx rollout restart deployment nginx
deployment.apps/nginx restarted

Now wait for the next renewal, about 50 minutes later.

I checked a little late, but it can be confirmed that the Nginx Pod was restarted at the time of the renewal.

$ k -n nginx get certificate
NAME         READY   SECRET           AGE
nginx-cert   True    nginx-cert-tls   117m
$ k -n nginx get certificaterequest
NAME           APPROVED   DENIED   READY   ISSUER    REQUESTER                                         AGE
nginx-cert-1   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   117m
nginx-cert-2   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   67m
nginx-cert-3   True                True    root-ca   system:serviceaccount:cert-manager:cert-manager   17m
$ k -n nginx get secret
NAME             TYPE                DATA   AGE
nginx-cert-tls   kubernetes.io/tls   3      141m
$ k -n nginx get pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6f696674bc-gwbbb   1/1     Running   0          18m

The certificate's validity period has been updated.

$ openssl s_client -connect localhost:8443 -showcerts
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 CN=nginx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=nginx
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=nginx
verify return:1
---
Certificate chain
 0 s:CN=nginx
   i:CN=Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 02:54:34 2024 GMT; NotAfter: Nov 20 04:54:34 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=nginx
issuer=CN=Root CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1389 bytes and written 382 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1589D017F81D8DE0FE8EA51F3C604A509284699FF2A8CB5355DB4CCF4FA7C3FC
    Session-ID-ctx:
    Resumption PSK: 9F018E3BDDC523284F5F1FB5D413CB3E2A9FA14B488A753E1783CA6C33EF08A4AD089CA67729EFA0F11B0DBB4311F57C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a3 45 3a f0 9b 58 4e 35-7e fe 2f 91 b7 7c 75 ed   .E:..XN5~./..|u.
    0010 - 04 f5 5e d6 16 50 14 91-d2 1f 92 db 92 b1 8d d9   ..^..P..........
    0020 - 6e 98 9b ee 3a ac e7 e2-da 1d 25 4c 39 f3 42 9f   n...:.....%L9.B.
    0030 - a3 95 01 07 6e 39 a6 d4-e3 86 58 3b 93 71 07 3a   ....n9....X;.q.:
    0040 - f6 e4 4b f5 f2 be 98 c0-08 00 ac b5 eb da 03 52   ..K............R
    0050 - 89 66 5d 50 2c 45 cb 4c-c2 42 6a 87 93 47 f6 d3   .f]P,E.L.Bj..G..
    0060 - 82 c5 55 7b 6c c4 b7 49-e8 27 e3 da 71 1e a5 6b   ..U{l..I.'..q..k
    0070 - 32 40 46 bc 4b b3 08 ea-8e 18 d9 42 84 44 9f 84   2@F.K......B.D..
    0080 - 10 9a 8f 6e f3 88 5c bc-39 21 5e 0b 48 b6 64 78   ...n..\.9!^.H.dx
    0090 - 76 fc 28 1b ac 7f 17 9e-a4 ad 79 43 d9 5c 46 40   v.(.......yC.\F@
    00a0 - 5b e2 6f de 74 d2 fc b0-5d 0d e2 11 2b 81 b5 9b   [.o.t...]...+...
    00b0 - 4d e4 5e e0 a1 40 cf 11-60 35 e9 f2 16 a3 bf 00   M.^..@..`5......
    00c0 - 83 52 42 04 ed 13 2e 91-2d 84 6c 7d 3e cd 82 18   .RB.....-.l}>...
    00d0 - 81 90 e6 65 ad 7f b9 35-2a aa 84 2b 47 ea 5a 73   ...e...5*..+G.Zs

    Start Time: 1732076825
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E9E15B46DEFE6C6A7E19099F20FB2AFB1F815928FBCEF113AD77001FA69C4CEF
    Session-ID-ctx:
    Resumption PSK: 374713A9C141C61217265CDDC1E49867DFFBB87F613376F6EC61FFD744E05A9C3F08CFFC386889AF8327D888EB8F30AE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a3 45 3a f0 9b 58 4e 35-7e fe 2f 91 b7 7c 75 ed   .E:..XN5~./..|u.
    0010 - e1 01 10 40 2f f7 05 5c-0d 70 6b 5b 51 83 5d f7   ...@/..\.pk[Q.].
    0020 - c6 66 4a 96 3d 09 e0 12-20 de 0d 79 92 28 86 84   .fJ.=... ..y.(..
    0030 - fa 44 3e bc c5 1e c5 33-23 1e 56 9f 59 24 b5 4e   .D>....3#.V.Y$.N
    0040 - d1 6e eb 49 39 57 0c 8f-1f 76 fd a5 5e 6d d2 fd   .n.I9W...v..^m..
    0050 - 91 0b 2e 61 8d 2d 75 b0-36 96 52 8b ce 23 4a 0e   ...a.-u.6.R..#J.
    0060 - f9 ff e9 d6 99 91 95 f1-ad 41 18 c1 6e 60 3a 5b   .........A..n`:[
    0070 - 28 53 6d db 9b 23 7c e8-30 d9 0d 79 be 33 74 69   (Sm..#|.0..y.3ti
    0080 - 21 6a ec b7 21 32 84 83-fb 71 b3 07 ff 5c af 7d   !j..!2...q...\.}
    0090 - 6a 98 d4 6d b2 00 4b 55-49 5e 8a 9a 98 67 b0 15   j..m..KUI^...g..
    00a0 - 6a 7c e0 68 b9 7a d2 af-ed 62 94 66 db eb 03 2a   j|.h.z...b.f...*
    00b0 - 79 ed 25 67 96 88 68 d6-3f 5a 13 c5 e7 dc 20 7d   y.%g..h.?Z.... }
    00c0 - 1b 25 3d 34 bb 6b d1 18-2e 44 1a 76 b6 1d 53 cf   .%=4.k...D.v..S.
    00d0 - b8 3c a1 08 a5 2b 28 fb-63 b7 ce be 58 4a dd 4d   .<...+(.c...XJ.M

    Start Time: 1732076825
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Pod garbage collection threshold

Pods in the Succeeded or Failed phase are garbage collected by the controller-manager. These are notes from checking how its threshold behaves.

The default value of --terminated-pod-gc-threshold is 12500, but when the threshold is exceeded, check whether all terminated Pods are deleted or only enough to get back down to the threshold.

Creating the cluster

Since control-plane components cannot be customized on EKS, kind is used this time.

Prepare a configuration file, using the following as a reference.

cat << EOF > mycluster.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.29.10
- role: worker
  image: kindest/node:v1.29.10
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  apiVersion: kubeadm.k8s.io/v1beta3
  controllerManager:
    extraArgs:
      terminated-pod-gc-threshold: "10"
EOF

Create the cluster.

$ kind create cluster --config=mycluster.yaml
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.29.10) 🖼
 ✓ Preparing nodes 📦 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
 ✓ Joining worker nodes 🚜
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Thanks for using kind! 😊
$

Note that I am using an M1 Mac and normally have the following environment variable set.

export DOCKER_DEFAULT_PLATFORM=linux/amd64

The cluster would not start on arm64, so I unset this environment variable, deleted the images, and re-ran it, which worked.

Check the nodes.

$ k get nodes
NAME                 STATUS   ROLES           AGE     VERSION
kind-control-plane   Ready    control-plane   2m55s   v1.29.10
kind-worker          Ready    <none>          2m32s   v1.29.10

Check whether the --terminated-pod-gc-threshold argument has been set. It is set correctly.

$ k -n kube-system get pods kube-controller-manager-kind-control-plane -oyaml
apiVersion: v1
kind: Pod
metadata:
...
  name: kube-controller-manager-kind-control-plane
  namespace: kube-system
...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-cidr=10.244.0.0/16
    - --cluster-name=kind
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --controllers=*,bootstrapsigner,tokencleaner
    - --enable-hostpath-provisioner=true
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/16
    - --terminated-pod-gc-threshold=10
    - --use-service-account-credentials=true
    image: registry.k8s.io/kube-controller-manager:v1.29.10
    imagePullPolicy: IfNotPresent
...

Verification

Create 9 Pods.

$ k run test1 --image=busybox --restart=Never
pod/test1 created

...

$ k run test9 --image=busybox --restart=Never
pod/test9 created
$ k get pods
NAME    READY   STATUS      RESTARTS   AGE
test1   0/1     Completed   0          57s
test2   0/1     Completed   0          39s
test3   0/1     Completed   0          34s
test4   0/1     Completed   0          30s
test5   0/1     Completed   0          24s
test6   0/1     Completed   0          20s
test7   0/1     Completed   0          14s
test8   0/1     Completed   0          9s
test9   0/1     Completed   0          5s

Create the 10th.

$ k run test10 --image=busybox --restart=Never
pod/test10 created

Wait a while, but none are deleted.

$ k get pods
NAME     READY   STATUS      RESTARTS   AGE
test1    0/1     Completed   0          3m31s
test10   0/1     Completed   0          2m23s
test2    0/1     Completed   0          3m13s
test3    0/1     Completed   0          3m8s
test4    0/1     Completed   0          3m4s
test5    0/1     Completed   0          2m58s
test6    0/1     Completed   0          2m54s
test7    0/1     Completed   0          2m48s
test8    0/1     Completed   0          2m43s
test9    0/1     Completed   0          2m39s

Create the 11th.

$ k run test11 --image=busybox --restart=Never
pod/test11 created

While watching, test1 was deleted.

$ k get pods -w
NAME     READY   STATUS      RESTARTS   AGE
test1    0/1     Completed   0          4m51s
test10   0/1     Completed   0          3m43s
test11   0/1     Completed   0          6s
test2    0/1     Completed   0          4m33s
test3    0/1     Completed   0          4m28s
test4    0/1     Completed   0          4m24s
test5    0/1     Completed   0          4m18s
test6    0/1     Completed   0          4m14s
test7    0/1     Completed   0          4m8s
test8    0/1     Completed   0          4m3s
test9    0/1     Completed   0          3m59s
test1    0/1     Terminating   0          5m5s
test1    0/1     Terminating   0          5m5s

Create the 12th.

$ k run test12 --image=busybox --restart=Never
pod/test12 created

test2 was deleted.

$ k get pods -w
NAME     READY   STATUS              RESTARTS   AGE
test10   0/1     Completed           0          5m25s
test11   0/1     Completed           0          108s
test12   0/1     ContainerCreating   0          2s
test2    0/1     Completed           0          6m15s
test3    0/1     Completed           0          6m10s
test4    0/1     Completed           0          6m6s
test5    0/1     Completed           0          6m
test6    0/1     Completed           0          5m56s
test7    0/1     Completed           0          5m50s
test8    0/1     Completed           0          5m45s
test9    0/1     Completed           0          5m41s
test12   0/1     Completed           0          6s
test12   0/1     Completed           0          7s
test2    0/1     Terminating         0          6m27s
test2    0/1     Terminating         0          6m27s

It was confirmed that when the threshold is exceeded, not all terminated Pods are deleted; only enough are deleted to get back down to the threshold.
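The following is an added model of the behaviour the experiment demonstrates (example code, not the kube-controller-manager's own implementation): only Succeeded/Failed Pods count against the threshold, and when the count exceeds it, the oldest excess Pods by creationTimestamp are deleted, bringing the count back to exactly the threshold. The simulation replays the test1..test12 sequence above with threshold 10; the Pod names and timestamps are constructed. A threshold of 0 disables the collector, as with the real flag.

```python
"""Model of terminated-Pod garbage collection as observed in the kind experiment.

Added example; it is not the kube-controller-manager's code. It encodes the
rule the experiment shows: with --terminated-pod-gc-threshold=N, once more
than N Pods are Succeeded/Failed, the oldest (len - N) of them are deleted.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TERMINATED_PHASES = ("Succeeded", "Failed")


@dataclass(frozen=True)
class Pod:
    name: str
    phase: str           # Pending | Running | Succeeded | Failed | Unknown
    created: datetime    # metadata.creationTimestamp


def select_pods_for_gc(pods, threshold):
    """Return the names of the Pods the collector would delete for `threshold`.

    threshold <= 0 disables terminated-Pod GC (as the real flag does).
    Running/Pending Pods are never candidates, so a busy namespace full of
    Running Pods does not push completed Pods over the threshold.
    """
    if threshold <= 0:
        return []
    terminated = [p for p in pods if p.phase in TERMINATED_PHASES]
    excess = len(terminated) - threshold
    if excess <= 0:
        return []
    oldest_first = sorted(terminated, key=lambda p: p.created)
    return [p.name for p in oldest_first[:excess]]


def simulate_creations(count, threshold, base=datetime(2024, 11, 20, 3, 0, tzinfo=timezone.utc)):
    """Create test1..test<count> one at a time, run GC after each completes.

    Returns ({pod created: [pods deleted right after it]}, surviving pod names).
    Each Pod is assumed to complete a few seconds after the previous one
    (constructed timestamps; busybox exits immediately as on the page).
    """
    pods = []
    deletions = {}
    for i in range(1, count + 1):
        name = f"test{i}"
        pods.append(Pod(name, "Succeeded", base + timedelta(seconds=5 * i)))
        doomed = select_pods_for_gc(pods, threshold)
        deletions[name] = doomed
        pods = [p for p in pods if p.name not in doomed]
    return deletions, [p.name for p in pods]


# Constructed sample mixing a long-running workload with finished job Pods.
_BASE = datetime(2024, 11, 20, 3, 0, tzinfo=timezone.utc)
SAMPLE_MIXED_PODS = [
    Pod("nginx-64d594d6f8-xhjn5", "Running", _BASE),          # never collected
    Pod("job-1", "Failed", _BASE + timedelta(minutes=1)),
    Pod("job-2", "Succeeded", _BASE + timedelta(minutes=2)),
    Pod("job-3", "Failed", _BASE + timedelta(minutes=3)),
]


if __name__ == "__main__":
    deletions, survivors = simulate_creations(12, 10)
    for created, deleted in deletions.items():
        if deleted:
            print(f"after {created}: deleted {deleted}")
    print("survivors:", survivors)
    print("mixed, threshold 2:", select_pods_for_gc(SAMPLE_MIXED_PODS, 2))
```

One practical consequence of the oldest-first rule: evidence from a failed Pod (its status and events) disappears as soon as enough newer Pods finish, so on clusters with a high job churn the logs should be shipped elsewhere rather than relied on from the Pod object.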