
[Cert manager] Encrypting and automating Kubernetes communication (applying HTTPS to MySQL)

ooeunz 2021. 2. 5. 21:58
๋ฐ˜์‘ํ˜•

๐Ÿ– Cert-manager๋ž€?

Cert-manager๋Š” Kubernetes ๋‚ด๋ถ€์—์„œ HTTPS ํ†ต์‹ ์„ ์œ„ํ•œ ์ธ์ฆ์„œ๋ฅผ ์ƒ์„ฑํ•˜๊ณ , ๋˜ ์ธ์ฆ์„œ์˜ ๋งŒ๋ฃŒ ๊ธฐ๊ฐ„์ด ๋˜๋ฉด ์ž๋™์œผ๋กœ ์ธ์ฆ์„œ๋ฅผ ๊ฐฑ์‹ ํ•ด์ฃผ๋Š” ์—ญํ• ์„ ํ•˜๋Š” Certificate manager controller์ž…๋‹ˆ๋‹ค.

 

์‰ฝ๊ฒŒ ๋งํ•ด Kubernetes ๋‚ด์—์„œ ์™ธ๋ถ€์— ์กด์žฌํ•˜๋Š” Issuers๋ฅผ ํ™œ์šฉํ•˜๊ฑฐ๋‚˜ selfsigned Issuer๋ฅผ ์ง์ ‘ ์ƒ์„ฑํ•ด์„œ ์ƒ์„ฑํ•˜์—ฌ Certificate๋ฅผ ์ƒ์„ฑํ•˜๊ณ , ์ด๋•Œ ์ƒ์„ฑ๋œ Certificate๋ฅผ ๊ด€๋ฆฌํ•˜๋ฉฐ ์ธ์ฆ์„œ์˜ ๋งŒ๋ฃŒ ์‹œ๊ฐ„์ด ๊ฐ€๊นŒ์›Œ์ง€๋ฉด ์ธ์ฆ์„œ๋ฅผ ์ž๋™์œผ๋กœ ๊ฐฑ์‹ ํ•ด์ค๋‹ˆ๋‹ค.

 

Cert-manager๊ฐ€ ์‚ฌ์šฉํ•˜๋Š” ์™ธ๋ถ€์— ์กด์žฌํ•˜๋Š” Issuer๋Š” ์•„๋ž˜์˜ ์ด๋ฏธ์ง€์™€ ๊ฐ™์€๋ฐ, ๋Œ€ํ‘œ์ ์ธ Issuer๋กœ ๋ฌด๋ฃŒ๋กœ ์‚ฌ์šฉ๋˜๊ณ  ์žˆ๋Š” let's enscrypt๋ฅผ ๋งŽ์ด ์‚ฌ์šฉํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ํ•˜์ง€๋งŒ let's enscrypt๋ฅผ ์‚ฌ์šฉํ•œ ์˜ˆ์ œ๋ฅผ ๊ตฌ๊ธ€๋ง์„ ํ•˜๋ฉด ์‰ฝ๊ฒŒ ๊ฒ€์ƒ‰ํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ•ด๋‹น ํฌ์ŠคํŒ…์—์„œ๋Š” self-signed Issuer๋ฅผ ์ƒ์„ฑํ•˜๊ณ  ๊ทธ๋ฅผ ์ด์šฉํ•ด Certificate๋ฅผ ์ƒ์„ฑ ๋ฐ ๊ด€๋ฆฌํ•˜๋Š” ๋ฐฉ๋ฒ•์— ๋Œ€ํ•ด์„œ ์‚ดํŽด๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ๋งˆ์ง€๋ง‰์œผ๋กœ ์ƒ์„ฑ๋œ Certificate๋ฅผ ์ด์šฉํ•ด์„œ MySQL์— HTTPS๋ฅผ ์ ์šฉํ•ด๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

 

This post uses the following versions:

Kubernetes version: v1.17.12
cert-manager version: v1.1.0


๐Ÿ– Cert-manager deploy

cert-manager๋Š” ์˜คํ”ˆ์†Œ์Šค์ด๋ฉฐ ์—ฌ๊ธฐ์—์„œ ๊ณต์‹์ ์ธ ๋ฆด๋ฆฌ์ฆˆ ๋ฒ„์ „์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. 

jetstack / cert-manager

 

์œ„์˜ ์ด๋ฏธ์ง€์™€ ๊ฐ™์ด Release ๋ฒ„์ „์„ ํด๋ฆญํ•˜๊ณ  ๋ฐ‘์œผ๋กœ ์Šคํฌ๋กค์„ ๋‚ด๋ฆฌ๋‹ค ๋ณด๋ฉด ํ˜„์žฌ release ๋ฒ„์ „์— ํ•ด๋‹นํ•˜๋Š” cert-manager.yaml ํŒŒ์ผ์„ ์ฐพ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์šฐ๋ฆฌ๋Š” ์•„๋ž˜์˜ yaml ํŒŒ์ผ์„ ์ด์šฉํ•ด์„œ kubernetes ํด๋Ÿฌ์Šคํ„ฐ์— cert-manager๋ฅผ ๋ฐฐํฌํ•  ๊ฒƒ์ž…๋‹ˆ๋‹ค. 

 

 

๋จผ์ € cert-manager๋ฅผ ๋ฐฐํฌํ•  cert-manager๋ผ๋Š” ์ด๋ฆ„์˜ namespace๋ฅผ ์ƒ์„ฑํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

# Create namespace
kubectl create namespace cert-manager

 

After that, cert-manager can be deployed to Kubernetes directly with the command below. The command uses v1.1.0, the latest release at the time of writing, but use whichever version suits you.

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

 

Since I intend to reuse cert-manager declaratively later, I will download the cert-manager.yaml file locally and deploy cert-manager with the apply command.

# Download cert-manager.yaml
curl -LO https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

# Rename cert-manager.yaml -> cert-manager.1.1.0.yaml to keep track of the version
mv cert-manager.yaml cert-manager.1.1.0.yaml

# cert-manager install
kubectl apply -f cert-manager.1.1.0.yaml


install์ด ์™„๋ฃŒ๋๋‹ค๋ฉด `kubectl get all` ๋ช…๋ น์–ด๋ฅผ ํ†ตํ•ด์„œ ํด๋Ÿฌ์Šคํ„ฐ์— cert-manager๊ฐ€ ์ •์ƒ์ ์œผ๋กœ ์„ค์น˜๋˜์—ˆ๋Š”์ง€ ํ™•์ธํ•ด๋ด…๋‹ˆ๋‹ค.

 

 

๐Ÿ– Cert-manager๋ฅผ ์ด์šฉํ•ด selfsigned ์ธ์ฆ์„œ ์ƒ์„ฑํ•˜๊ธฐ

Cert-manager๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ let's enscypt๊ฐ€ ์•„๋‹Œ Cluster ๋‚ด๋ถ€์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ์ž์ฒด์ ์œผ๋กœ ์„œ๋ช…๋œ self-signed issuer๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์„œ Issuer๋ž€ ํ”ํžˆ CA๋ผ๊ณ  ์นญํ•˜๋Š” ์„œ๋ช…ํ•  ์ˆ˜ ์žˆ๋Š” ์ฃผ์ฒด๋ฅผ ์ง€์นญํ•˜๋Š” ๋‹จ์–ด๋กœ Certificate(์ธ์ฆ์„œ)๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋Š” ๋Œ€์ƒ์ž…๋‹ˆ๋‹ค.

 

self-signed ์ธ์ฆ์„œ๋ฅผ ์‚ฌ์šฉํ•˜๊ฒŒ ๋  ๊ฒฝ์šฐ ๋ธŒ๋ผ์šฐ์ €์—์„œ ์•„๋ž˜์˜ ์ด๋ฏธ์ง€์™€ ๊ฐ™์ด ์ข‹์ง€ ์•Š์€ ์‚ฌ์šฉ์ž ๊ฒฝํ—˜์„ ์ค„ ์ˆ˜ ์žˆ์ง€๋งŒ, cluster ๋‚ด๋ถ€์—์„œ ์‚ฌ์šฉํ•˜๊ฑฐ๋‚˜ ํ…Œ์ŠคํŠธ ์šฉ๋„๋กœ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด๋ผ๋ฉด self-signed ์ธ์ฆ์„œ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ๋„ ์ข‹์€ ๋ฐฉ๋ฒ•์ด ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

self-signed ์ธ์ฆ์„œ๋ฅผ ์‚ฌ์šฉํ•˜๊ฒŒ ๋  ๊ฒฝ์šฐ ๋ธŒ๋ผ์šฐ์ €์˜ ํ˜•ํƒœ

 

์šฐ๋ฆฌ๊ฐ€ ๊ตฌ์„ฑํ•˜๊ฒŒ ๋  ๋Œ€๋žต์ ์ธ ์‹œ์Šคํ…œ ๊ตฌ์„ฑ๋„๋Š” ์•„๋ž˜์˜ ์ด๋ฏธ์ง€์™€ ๊ฐ™์Šต๋‹ˆ๋‹ค. ์ œ์ผ ๋จผ์ € cert-manager๋ฅผ ์ด์šฉํ•ด์„œ ํด๋Ÿฌ์Šคํ„ฐ ์ „์—ญ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” Cluster Issuer๋ฅผ ์ƒ์„ฑํ•˜๊ณ , ํ•ด๋‹น Issuer๋ฅผ ์ด์šฉํ•ด์„œ ๊ฐ๊ฐ์˜ Namespace ๋ณ„๋กœ Certificate๋ฅผ ์ƒ์„ฑํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

 

1. Issuer ์ƒ์„ฑ

์ž, ์ด์ œ ๋ณธ๊ฒฉ์ ์œผ๋กœ Cluster์— ์ธ์ฆ์„œ๋ฅผ ๋งŒ๋“ค์–ด๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. ๊ฐ€์žฅ ๋จผ์ € ํ•  ์ผ์€ Self-signed Issuer๋ฅผ ๋งŒ๋“œ๋Š” ์ผ์ž…๋‹ˆ๋‹ค. ์กฐ๊ธˆ ์ „์— ์ด์•ผ๊ธฐํ–ˆ๋“ฏ์ด Issuer๋Š” Certificate๋ฅผ ๋งŒ๋“ค ์ˆ˜ ์žˆ๋Š” ์ฃผ์ฒด์ธ๋ฐ, Issuer์—๋Š” ๊ทธ๋ƒฅ Issuer์™€ ClusterIssuer๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค.

 

์—ฌ๊ธฐ์„œ Issuer๋Š” Namespace์˜ ๋ฆฌ์†Œ์Šค๋กœ ์†ํ•ด์žˆ๋Š” Namespace ์•ˆ์—์„œ๋งŒ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๋ฆฌ์†Œ์Šค์ž…๋‹ˆ๋‹ค. ๋ฐ˜๋ฉด ClusterIssuer๋Š” Namespace๋ฅผ ๊ฐ€๋ฆฌ์ง€ ์•Š๊ณ  Cluster ์ „์—ญ์—์„œ ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๋Š” ๋ฆฌ์†Œ์Šค์ž…๋‹ˆ๋‹ค.

 

์ €๋Š” ClusterIssuer๋กœ ์ƒ์„ฑํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

# selfsigned-issuer.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}

 

2. Creating the Certificate

Next, we use the ClusterIssuer we just created to issue a self-signed Certificate and apply it to MySQL. When cert-manager creates a Certificate through an Issuer, that Certificate can be used by every service in the Namespace it belongs to.

When the certificate is issued, a secret resource holding data such as the public key and secret key is created alongside the Certificate so it can be used within Kubernetes; this secret can then be used in various ways, such as being mounted into pods.

For details on secrets, see the post linked here.


# selfsigned-cert.yaml

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: default
spec:
  secretName: selfsigned-cert-tls
  duration: 2880h # 120d
  renewBefore: 360h # 15d
  commonName: ooeunz.tistory.com
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Certificate์˜ spec์„ ๊ฐ„๋žตํ•˜๊ฒŒ ์‚ดํŽด๋ณด๊ฒ ์Šต๋‹ˆ๋‹ค.

  • secretName: Certificate์™€ ๋™์‹œ์— ํ•จ๊ป˜ ์ƒ์„ฑ๋˜๋Š” secret์˜ ์ด๋ฆ„์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค.

  • duration: ์ธ์ฆ์„œ์˜ ์œ ํšจ๊ธฐ๊ฐ„์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค.

  • renewBefore: ์ž๋™์œผ๋กœ ์ธ์ฆ์„œ๋ฅผ ๊ฐฑ์‹ ํ•  ๋•Œ๋ฅผ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์„œ duration๊ณผ renewBefore๋Š” go time์„ ์‚ฌ์šฉํ•˜๊ธฐ ๋•Œ๋ฌธ์— "ms", "s", "m", "h"๋งŒ์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋” ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์—ฌ๊ธฐ์—์„œ ํ™•์ธ ํ•˜์‹ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • commonName: host name์„ ์ง€์ •ํ•˜๋Š” ํ•„๋“œ์ž…๋‹ˆ๋‹ค. dnsName ์˜ต์…˜๊ณผ ํ•จ๊ฒŒ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ๋งŒ์•ฝ commonName์ด ์„ค์ •๋˜์ง€ ์•Š์•˜์„ ๊ฒฝ์šฐ์—” dnsName์˜ ๊ฐ€์žฅ ์ฒซ๋ฒˆ์งธ ๊ฐ’์„ commonName์œผ๋กœ ์‚ฌ์šฉํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ํ•˜์ง€๋งŒ ํ•ด๋‹น ์˜ˆ์ œ์—์„  dnsName์€ ์ง€์ •ํ•˜์ง€ ์•Š๊ฒ ์Šต๋‹ˆ๋‹ค.

  • isCa: ์ด ์ธ์ฆ์„œ๋ฅผ CA์„œ๋ช…์ด ์œ ํšจํ•˜๋„๋ก ํ•˜๋Š” ์˜ต์…˜์ž…๋‹ˆ๋‹ค. ํ•ด๋‹น ์˜ต์…˜์„ true๋กœ ํ•ด์ค„ ๊ฒฝ์šฐ `cert sign`๊ฐ’์ด usages ๋ฆฌ์ŠคํŠธ์— ์ž๋™์œผ๋กœ ์ถ”๊ฐ€๋ฉ๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ ๊ณต์‹ ๋„ํ๋จผํŠธ์—์„œ ํ™•์ธํ•˜์‹ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • keySize: ์•”ํ˜ธํ™”ํ•  key์˜ ๊ธธ์ด๋ฅผ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค. ๊ธธ์ด๊ฐ€ ๊ธธ์–ด์งˆ์ˆ˜๋ก ์•”ํ˜ธํ™”์˜ ์ˆ˜์ค€์ด ๋†’์•„์ง€๋ฉฐ ์ง€์ •ํ•˜์ง€ ์•Š์„ ์‹œ์— default๋กœ 2048 ๊ฐ’์„ ๊ฐ€์ง‘๋‹ˆ๋‹ค. ์ง€์ •ํ•  ์ˆ˜ ์žˆ๋Š” ์˜ต์…˜์œผ๋ก  2048 ์ด์™ธ์— 4096, 8192๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ณด์•ˆ๊ฐ•๋„์— ๋Œ€ํ•œ ๋” ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์—ฌ๊ธฐ์„œ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • keyAlgorithm: ์‚ฌ์šฉํ•  ์•”ํ˜ธํ™” ์•Œ๊ณ ๋ฆฌ์ฆ˜์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค.

  • keyEncoding: ์–ด๋–ค keyEncoding์„ ์‚ฌ์šฉํ•  ๊ฒƒ์ธ์ง€์— ๊ด€ํ•œ ๋ถ€๋ถ„์ž…๋‹ˆ๋‹ค. PKCS#1๊ณผ PKCS#8๋งŒ์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๊ณ  default๋กœ PKCS#1์„ ์ง€์›ํ•ฉ๋‹ˆ๋‹ค.

 

์œ„์˜ yaml ํŒŒ์ผ์„ apply ํ•˜๋ฉด ๋ง์”€๋“œ๋ฆฐ ๊ฒƒ์ฒ˜๋Ÿผ certificate์™€ secret ๋ฆฌ์†Œ์Šค๊ฐ€ ํ•จ๊ป˜ ์ƒ์„ฑ๋ฉ๋‹ˆ๋‹ค. secret์—๋Š” ์•„๋ž˜์™€ ๊ฐ™์€ data๋ฅผ ๊ฐ€์ง€๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค.

  • ca.crt: public certificate file
  • tls.crt: Public Key
  • tls.key: Private Key

 

 

์ด์™€ ๊ฐ™์ด ์ƒ์„ฑ๋œ Secret์„ MySQL์— ์ฃผ์ž…์‹œ์ผœ์ฃผ๊ณ , ๋™์‹œ์— ์•„๋ž˜์™€ ๊ฐ™์ด my.cnf ํŒŒ์ผ์— secret์•ˆ์— ์žˆ๋Š” ํ‚ค๋“ค์„ ๋„ฃ์–ด์ฃผ๋„๋ก ํ•ฉ๋‹ˆ๋‹ค.

# mysql-pvc.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

# mysql-config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
  namespace: default
data:
  my.cnf: |-
    [mysqld]
    # the paths below match the mount of the selfsigned-cert-tls secret in the StatefulSet
    ssl-ca=/etc/mysql/tls/ca.crt
    ssl-cert=/etc/mysql/tls/tls.crt
    ssl-key=/etc/mysql/tls/tls.key
    require_secure_transport=ON   ## This line is the only setting required to enforce secure connections

# mysql-server.yaml

apiVersion: v1
kind: Service
metadata:
  name: mysql-http
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
  clusterIP: None   # headless Service, referenced by the StatefulSet's serviceName

# mysql-statefulset.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql
  serviceName: mysql-http   # must match the name of the headless Service above
  template:
    metadata:
      labels:
        app: mysql
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: mysql
          image: mysql:8.0.21
          env:
          - name: MYSQL_ROOT_PASSWORD
            value: password   # demo value only; take it from a Secret with valueFrom.secretKeyRef in practice
          imagePullPolicy: Always
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-persistent-storage
              mountPath: /var/lib/mysql
            - name: mysql-cnf
              mountPath: /etc/mysql/conf.d/my.cnf
              subPath: my.cnf
            - name: mysql-tls
              mountPath: /etc/mysql/tls   # ca.crt, tls.crt and tls.key from the cert-manager secret
              readOnly: true
      volumes:
        - name: mysql-persistent-storage
          persistentVolumeClaim:
            claimName: mysql-pv-claim
        - name: mysql-cnf
          configMap:
            name: mysql-config
        - name: mysql-tls
          secret:
            secretName: selfsigned-cert-tls   # created by the Certificate above


Now, with the secret mounted as above, open a mysql session and check with the command below that SSL was applied correctly.

SHOW VARIABLES LIKE '%ssl%';

 

You can see that have_openssl and have_ssl are YES, and that ssl_ca, ssl_cert and ssl_key point to the key material we just mounted.


🤔 Things to watch out for when connecting with JDBC

Now let's connect to MySQL from Spring Boot. There are a few things to watch out for when connecting via JDBC. Because we set require_secure_transport=ON, an SSL connection is mandatory to connect to MySQL. But since we are using a self-signed certificate, Tomcat drops the connection while validating the certificate. So we will set the option that skips certificate validation. (Alternatively, you can include the certificate on the Java side and do mutual authentication, but here we simply disable validation.)

The way to set the validation option differs slightly depending on the MySQL version. See the official documentation for details.

MySQL 8.0.12

In MySQL 8.0.12 and earlier, server certificate validation is enabled when useSSL=true and verifyServerCertificate=true (the hostname is not verified, though). So for 8.0.12 and earlier, set verifyServerCertificate=false to skip validation.

# MySQL 8.0.12 and earlier

jdbc:mysql://localhost:3306/cruise?useSSL=true&verifyServerCertificate=false

MySQL 8.0.13 and later

In MySQL 8.0.13 and later, on the other hand, the server certificate is validated only when sslMode is VERIFY_CA or VERIFY_IDENTITY. Also, useSSL defaults to true, so if you give no options at all the connection behaves like useSSL=true&verifyServerCertificate=false.

# MySQL 8.0.13 and later

jdbc:mysql://localhost:3306/cruise?
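The added Go example below (my code, not from the post, from cert-manager or from Connector/J) serves both the Certificate spec above and this JDBC section: selfSign reproduces what the selfsigned ClusterIssuer issues for selfsigned-cert.yaml (for a self-signed certificate the secret's tls.crt and ca.crt are the same certificate), and verify plays a client that enforces the equivalent of VERIFY_CA and VERIFY_IDENTITY against it using only that ca.crt. Mapping the Connector/J sslMode values onto Go's x509 verification, and the dnsNames value mysql-http.default.svc.cluster.local, are my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSign produces what the selfsigned ClusterIssuer issues for selfsigned-cert.yaml: an RSA-2048 key
// and a certificate with the given CN, optional dnsNames, isCA=false and the manifest's three usages.
func selfSign(cn string, dnsNames []string, duration time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // keySize: 2048, keyAlgorithm: rsa
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(duration), // duration: 2880h in the manifest
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed, so ca.crt is this same cert
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify plays the JDBC client: host == "" behaves like sslMode=VERIFY_CA (chain to the trusted ca.crt
// only), a host behaves like VERIFY_IDENTITY (chain plus hostname); verifyServerCertificate=false skips both.
func verify(server, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust only the ca.crt taken from the cert-manager secret, not the system store
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // host must match a SAN; Go ignores the CN
	return err
}

func main() {
	cert, err := selfSign("ooeunz.tistory.com", nil, 2880*time.Hour) // CN only, no dnsNames, as in the post
	if err != nil {
		panic(err)
	}
	fmt.Println("VERIFY_CA:", verify(cert, cert, ""), "VERIFY_IDENTITY:", verify(cert, cert, "ooeunz.tistory.com"))
}
```

With the post's CN-only certificate, trusting ca.crt from the secret (VERIFY_CA) already succeeds without turning verification off; VERIFY_IDENTITY additionally needs dnsNames set in the Certificate so that the hostname appears as a SAN.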

 

 

The code used in this post can be found at the URL below. 😄


ooeunz/blog-code

