{"id":24228,"date":"2026-05-20T22:59:12","date_gmt":"2026-05-20T22:59:12","guid":{"rendered":"https:\/\/umang.pk\/2026\/05\/20\/cert-manager%d8%8c-lets-encrypt%d8%8c-%d8%a7%d9%88%d8%b1-%d8%a7%d9%86%d8%af%d8%b1%d9%88%d9%86%db%8c-tls-%da%a9%d8%a7-%d8%a7%d8%b3%d8%aa%d8%b9%d9%85%d8%a7%d9%84-%da%a9%d8%b1%d8%aa%db%92-%db%81%d9%88\/"},"modified":"2026-05-20T22:59:12","modified_gmt":"2026-05-20T22:59:12","slug":"cert-manager%d8%8c-lets-encrypt%d8%8c-%d8%a7%d9%88%d8%b1-%d8%a7%d9%86%d8%af%d8%b1%d9%88%d9%86%db%8c-tls-%da%a9%d8%a7-%d8%a7%d8%b3%d8%aa%d8%b9%d9%85%d8%a7%d9%84-%da%a9%d8%b1%d8%aa%db%92-%db%81%d9%88","status":"publish","type":"post","link":"https:\/\/umang.pk\/ur\/2026\/05\/20\/cert-manager%d8%8c-lets-encrypt%d8%8c-%d8%a7%d9%88%d8%b1-%d8%a7%d9%86%d8%af%d8%b1%d9%88%d9%86%db%8c-tls-%da%a9%d8%a7-%d8%a7%d8%b3%d8%aa%d8%b9%d9%85%d8%a7%d9%84-%da%a9%d8%b1%d8%aa%db%92-%db%81%d9%88\/","title":{"rendered":"cert-manager\u060c Let&#8217;s Encrypt\u060c \u0627\u0648\u0631 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc TLS \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 Kubernetes \u0679\u0631\u06cc\u0641\u06a9 \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06a9\u0631\u06cc\u06ba"},"content":{"rendered":"\n<div id=\"\">\n<p>\u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u0627\u0646\u062c\u06cc\u0646\u0626\u0631\u0632 \u0641\u0631\u0636 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u0627\u0646 \u06a9\u0627 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u062a\u0645\u0627\u0645 \u0679\u0631\u06cc\u0641\u06a9 \u06a9\u0648 \u062e\u0641\u06cc\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0633\u0686 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u0627 \u062d\u06a9\u0645 <code>kubectl<\/code> \u06cc\u06c1 \u0627\u0646\u06a9\u0631\u067e\u0679\u0688 \u06c1\u06d2\u06d4 \u06a9\u0644\u0627\u0626\u0646\u0679 
\u0627\u0648\u0631 API \u0633\u0631\u0648\u0631 TLS \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 API \u0633\u0631\u0648\u0631\u0632 \u062c\u0648 etcd \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0627\u062a \u0686\u06cc\u062a \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u0648\u06c1 \u0628\u06be\u06cc \u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u0627\u0633 \u0628\u0627\u062a \u067e\u0631 \u0645\u0646\u062d\u0635\u0631 \u06c1\u06d2 \u06a9\u06c1 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06cc \u0641\u0631\u0627\u06c1\u0645\u06cc \u06a9\u06cc\u0633\u06d2 \u06a9\u06cc \u06af\u0626\u06cc \u06c1\u06d2\u06d4<\/p>\n<p>\u0644\u06cc\u06a9\u0646 Pods \u06a9\u06d2 \u062f\u0631\u0645\u06cc\u0627\u0646 \u0679\u0631\u06cc\u0641\u06a9 \u06a9\u0627 \u06a9\u06cc\u0627 \u06c1\u0648\u06af\u0627\u061f \u06cc\u06c1 \u0628\u0646\u06cc\u0627\u062f\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0633\u0627\u062f\u06c1 \u0645\u062a\u0646 \u06c1\u06d2\u06d4 \u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u0633\u06d2 \u0622\u067e \u06a9\u06cc \u0633\u0631\u0648\u0633 \u067e\u0631 \u0622\u0646\u06d2 \u0648\u0627\u0644\u06cc \u0679\u0631\u06cc\u0641\u06a9\u061f \u0648\u06c1 \u0635\u0631\u0641 \u0627\u0633 \u0635\u0648\u0631\u062a \u0645\u06cc\u06ba \u0627\u0646\u06a9\u0631\u067e\u0679 \u06c1\u0648\u062a\u06cc \u06c1\u06d2 \u062c\u0628 TLS \u0648\u0627\u0636\u062d \u0637\u0648\u0631 \u067e\u0631 \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06c1\u0648\u06d4 \u0627\u0648\u0631 \u062f\u0627\u062e\u0644\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u06a9\u06cc\u0627 \u062e\u06cc\u0627\u0644 \u06c1\u06d2\u061f \u0622\u067e \u06a9\u0648 \u062e\u0648\u062f \u0627\u0633 \u06a9\u0627 \u0627\u0646\u062a\u0638\u0627\u0645 
\u06a9\u0631\u0646\u0627 \u06c1\u0648\u06af\u0627\u06d4<\/p>\n<p>\u06cc\u06c1 Kubernetes \u06a9\u06cc \u0646\u06af\u0631\u0627\u0646\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06cc\u06c1 \u062c\u0627\u0646 \u0628\u0648\u062c\u06be \u06a9\u0631 \u0688\u06cc\u0632\u0627\u0626\u0646 \u06a9\u0627 \u0627\u0646\u062a\u062e\u0627\u0628 \u06c1\u06d2\u06d4 Kubernetes \u0639\u0645\u0627\u0631\u062a \u06a9\u06d2 \u0628\u0644\u0627\u06a9\u0633 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0639\u0645\u0644 \u062f\u0631\u0622\u0645\u062f \u0622\u067e \u067e\u0631 \u0686\u06be\u0648\u0691 \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4 \u0645\u0633\u0626\u0644\u06c1 \u06cc\u06c1 \u06c1\u06d2 \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u0627 \u0627\u0646\u062a\u0638\u0627\u0645 \u0628\u06c1\u062a \u062a\u06a9\u0644\u06cc\u0641 \u062f\u06c1 \u06c1\u06d2\u06d4 \u0622\u067e \u06a9\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648 \u0631\u06c1\u06cc \u06c1\u06d2\u06d4 \u0627\u06af\u0631 \u0622\u067e \u0627\u0633\u06d2 \u062f\u0633\u062a\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062a\u0648 \u06cc\u06c1 \u067e\u06cc\u0645\u0627\u0646\u06c1 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u06af\u0627\u06d4 \u0627\u06af\u0631 \u0622\u067e \u0627\u0633\u06d2 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631\u0646\u0627 \u0628\u06be\u0648\u0644 \u062c\u0627\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062a\u0648 \u06cc\u06c1 \u062e\u0631\u0627\u0628\u06cc \u06a9\u0627 \u0633\u0628\u0628 \u0628\u0646\u06d2 \u06af\u0627\u06d4<\/p>\n<p>cert-manager \u0627\u0633 \u0645\u0633\u0626\u0644\u06d2 \u06a9\u0648 \u062d\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0627\u06cc\u06a9 
\u06a9\u0646\u0679\u0631\u0648\u0644\u0631 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0686\u0644\u062a\u0627 \u06c1\u06d2\u06d4 <code>Certificate<\/code> \u0648\u0633\u0627\u0626\u0644 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u060c \u062a\u0631\u062a\u06cc\u0628 \u0634\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06af\u0627\u0646 \u0633\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0646\u06c1\u06cc\u06ba Kubernetes Secrets \u0645\u06cc\u06ba \u0627\u0633\u0679\u0648\u0631 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0627\u0646 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u0627\u0646 \u06a9\u06cc \u062c\u06af\u06c1 \u0644\u06d2 \u0644\u06cc\u06ba\u06d4 \u0622\u067e \u0627\u0639\u0644\u0627\u0646 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u0622\u067e \u06a9\u06cc\u0627 \u0686\u0627\u06c1\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0633\u0631\u0679\u06cc\u0641\u06cc\u06a9 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0627\u0633\u06d2 \u06c1\u0648\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0627\u0633\u06d2 \u0622\u067e \u06a9\u06d2 \u0644\u06cc\u06d2 \u0628\u0631\u0642\u0631\u0627\u0631 \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0633 \u0622\u0631\u0679\u06cc\u06a9\u0644 \u0645\u06cc\u06ba\u060c \u06c1\u0645 \u0627\u0633 \u0628\u0627\u062a \u067e\u0631 \u0627\u06cc\u06a9 \u0646\u0638\u0631 \u0688\u0627\u0644\u06cc\u06ba \u06af\u06d2 \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0627 \u0628\u0646\u06cc\u0627\u062f\u06cc \u0645\u0627\u0688\u0644 \u06a9\u0633 \u0637\u0631\u062d \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0644\u06cc\u0679\u0633 
\u0627\u0646\u06a9\u0631\u067e\u0679 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u067e\u0628\u0644\u06a9 Ingress TLS \u06a9\u0648 \u062e\u0648\u062f\u06a9\u0627\u0631 \u0628\u0646\u0627\u0626\u06cc\u06ba\u060c \u06a9\u0631\u0627\u0633 \u0633\u0631\u0648\u0633 \u0627\u0646\u06a9\u0631\u067e\u0634\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0627\u062a\u06be\u0627\u0631\u0679\u06cc \u0642\u0627\u0626\u0645 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u06cc\u06c1 \u0633\u0645\u062c\u06be\u06cc\u06ba \u06af\u06d2 \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u06af\u0631\u062f\u0634 \u06a9\u06cc\u0633\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2 \u062a\u0627\u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u06a9\u06cc \u0648\u062c\u06c1 \u0633\u06d2 \u0628\u0646\u062f\u0634 \u0645\u0627\u0636\u06cc \u06a9\u06cc \u0628\u0627\u062a \u06c1\u0648\u06d4<\/p>\n<h2 id=\"heading-prerequisites\">\u0634\u0631\u0637\u06cc\u06ba<\/h2>\n<ul wp_automatic_readability=\"1\">\n<li wp_automatic_readability=\"-1\">\n<p>\u0627\u06cc\u06a9 kind \u06a9\u0644\u0633\u0679\u0631 \u062c\u0633 \u0645\u06cc\u06ba nginx Ingress \u06a9\u0646\u0679\u0631\u0648\u0644\u0631 \u0646\u0635\u0628 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p>Helm 3 \u0627\u0646\u0633\u0679\u0627\u0644 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>\u0627\u06cc\u06a9 \u0688\u0648\u0645\u06cc\u0646 \u0646\u0627\u0645 \u062c\u0633 \u06a9\u0627 DNS \u0622\u067e \u06a9\u06d2 \u06a9\u0646\u0679\u0631\u0648\u0644 \u0645\u06cc\u06ba \u06c1\u0648 \u2014 Let&#8217;s Encrypt \u0688\u06cc\u0645\u0648 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062f\u0631\u06a9\u0627\u0631 
\u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"1\">\n<p>TLS \u06a9\u06cc \u0628\u0646\u06cc\u0627\u062f\u06cc \u062a\u0641\u06c1\u06cc\u0645: \u0622\u067e \u062c\u0627\u0646\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633\u060c \u0646\u062c\u06cc \u06a9\u0644\u06cc\u062f\u06cc\u06ba\u060c \u0627\u0648\u0631 CA \u06a9\u06cc\u0627 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<\/ul>\n<p>\u062a\u0645\u0627\u0645 \u0688\u06cc\u0645\u0648 \u0641\u0627\u0626\u0644\u06cc\u06ba DevOps-Cloud-Projects GitHub \u0630\u062e\u06cc\u0631\u06c1 \u0645\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4<\/p>\n<h2 id=\"heading-table-of-contents\">\u0627\u0646\u0688\u06cc\u06a9\u0633<\/h2>\n<h2 id=\"heading-what-is-and-isnt-encrypted-in-kubernetes\">\u06a9\u0628\u0631\u0646\u06cc\u0679\u0633 \u0645\u06cc\u06ba \u06a9\u06cc\u0627 \u0627\u0646\u06a9\u0631\u067e\u0679\u0688 \u06c1\u06d2 \u0627\u0648\u0631 \u06a9\u06cc\u0627 \u0627\u0646\u06a9\u0631\u067e\u0679 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u061f<\/h2>\n<p>\u06a9\u0633\u06cc \u0628\u06be\u06cc \u0686\u06cc\u0632 \u06a9\u0648 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2\u060c \u06cc\u06c1 \u062c\u0627\u0646\u0646\u0627 \u0627\u0686\u06be\u0627 \u062e\u06cc\u0627\u0644 \u06c1\u06d2 \u06a9\u06c1 \u0622\u067e \u06a9\u0627 \u06a9\u0644\u0633\u0679\u0631 \u067e\u06c1\u0644\u06d2 \u0633\u06d2 \u06a9\u0633 \u0686\u06cc\u0632 \u06a9\u06cc \u062d\u0641\u0627\u0638\u062a \u06a9\u0631 \u0631\u06c1\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u06a9\u06cc\u0627 \u06a9\u06be\u0644\u0627 \u06c1\u06d2\u06d4<\/p>\n<table>\n<thead>\n<tr>\n<th>\u0646\u0642\u0644 \u0648 \u062d\u0645\u0644 \u06a9\u0627 \u0631\u0627\u0633\u062a\u06c1<\/th>\n<th>\u06a9\u06cc\u0627 \u06cc\u06c1 \u0628\u0637\u0648\u0631 \u0688\u06cc\u0641\u0627\u0644\u0679 \u062e\u0641\u06cc\u06c1 \u06a9\u0631\u062f\u06c1 
\u06c1\u06d2\u061f<\/th>\n<th>\u0646\u0648\u0679\u0633<\/th>\n<\/tr>\n<\/thead>\n<tbody wp_automatic_readability=\"6.5\">\n<tr>\n<td><code>kubectl<\/code>    \u2192 API \u0633\u0631\u0648\u0631<\/td>\n<td>\u06c1\u0627\u06ba<\/td>\n<td>\u06a9\u0644\u0633\u0679\u0631 CA \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 TLS<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"2\">\n<td>API \u0633\u0631\u0648\u0631 \u2192 etcd<\/td>\n<td>\u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631<\/td>\n<td>\u06a9\u0644\u0633\u0679\u0631 \u067e\u0631\u0648\u0648\u06cc\u0698\u0646\u0631 \u067e\u0631 \u0645\u0646\u062d\u0635\u0631 \u06c1\u06d2 &#8211; \u0633\u06cc\u0679\u0646\u06af\u0632 \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"3\">\n<td>API \u0633\u0631\u0648\u0631 \u2192 kubelet<\/td>\n<td>\u06c1\u0627\u06ba<\/td>\n<td>TLS\u060c \u0644\u06cc\u06a9\u0646 kubelet \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u067e\u0631 \u0645\u0646\u062d\u0635\u0631 \u06c1\u06d2\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"4\">\n<td>Pod \u2192 Pod (\u0627\u06cc\u06a9 \u06c1\u06cc \u06a9\u0644\u0633\u0679\u0631)<\/td>\n<td><strong>\u0646\u06c1\u06cc\u06ba<\/strong><\/td>\n<td>\u0633\u0627\u062f\u06c1 \u0645\u062a\u0646 \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u0622\u067e \u0633\u0631\u0648\u0633 \u0645\u06cc\u0634 \u06cc\u0627 mTLS \u0634\u0627\u0645\u0644 \u0646\u06c1 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"2\">\n<td>\u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u2192 Ingress<\/td>\n<td><strong>\u0646\u06c1\u06cc\u06ba<\/strong><\/td>\n<td>\u0622\u067e\u0679 \u0627\u0646 &#8211; \u0622\u067e \u06a9\u06d2 Ingress 
\u0648\u0633\u0627\u0626\u0644 \u06a9\u06d2 \u0644\u06cc\u06d2 TLS \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"2\">\n<td>Pod \u2192 Kubernetes API<\/td>\n<td>\u06c1\u0627\u06ba<\/td>\n<td>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u0679\u0648\u06a9\u0646 \u0627\u0648\u0631 \u06a9\u0644\u0633\u0679\u0631 CA \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u0639\u0645\u0644\u06cc \u0637\u0648\u0631 \u067e\u0631\u060c \u062f\u0648 \u0633\u0628 \u0633\u06d2 \u0627\u06c1\u0645 \u062e\u0644\u0627 \u0627\u0646\u0679\u0631 \u067e\u0648\u0688 \u0679\u0631\u06cc\u0641\u06a9 \u0627\u0648\u0631 Ingress TLS \u06c1\u06cc\u06ba\u06d4 \u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba Let&#8217;s Encrypt \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 Ingress TLS \u0627\u0648\u0631 \u067e\u0631\u0627\u0626\u06cc\u0648\u06cc\u0679 CAs \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u0633\u0631\u0648\u0633 \u0679\u0648 \u0633\u0631\u0648\u0633 \u0627\u0646\u06a9\u0631\u067e\u0634\u0646 \u062f\u0648\u0646\u0648\u06ba \u06a9\u0627 \u0627\u062d\u0627\u0637\u06c1 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-cert-manager-works\">\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u06cc\u0633\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/h2>\n<p>cert-manager Kubernetes \u0622\u067e\u0631\u06cc\u0679\u0631 \u06c1\u06d2\u06d4 Kubernetes API \u06a9\u0648 \u062d\u0633\u0628 \u0636\u0631\u0648\u0631\u062a \u0648\u0633\u0627\u0626\u0644 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0691\u06be\u0627\u0626\u06cc\u06ba \u062c\u0648 
\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u0648\u06ba \u0627\u0648\u0631 \u0627\u0646 \u06a9\u06cc \u062a\u0631\u062a\u06cc\u0628 \u06a9\u06cc \u0646\u0645\u0627\u0626\u0646\u062f\u06af\u06cc \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0622\u067e <code>Certificate<\/code> \u062c\u0628 \u0622\u067e \u06a9\u0648\u0626\u06cc \u0648\u0633\u06cc\u0644\u06c1 \u0645\u0646\u062a\u062e\u0628 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062a\u0648 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0627 \u06a9\u0646\u0679\u0631\u0648\u0644\u0631 \u0627\u0633\u06d2 \u0645\u0646\u062a\u062e\u0628 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u06a9\u0646\u0641\u06cc\u06af\u0631 \u0634\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0633\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0648\u0631 \u0646\u062a\u06cc\u062c\u06d2 \u0645\u06cc\u06ba \u0622\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0627\u0648\u0631 \u0646\u062c\u06cc \u06a9\u0644\u06cc\u062f \u06a9\u0648 \u06a9\u0628\u0631\u0646\u06cc\u0679\u0633 \u0633\u06cc\u06a9\u0631\u06cc\u0679 \u0645\u06cc\u06ba \u0645\u062d\u0641\u0648\u0638 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u062c\u0628 \u06a9\u0633\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u062c\u0627\u062a\u06cc \u06c1\u06d2\u060c \u062a\u0648 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u0627\u0633 \u06a9\u06cc \u062a\u062c\u062f\u06cc\u062f \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0633 \u0645\u0627\u0688\u0644 \u06a9\u0627 \u0645\u0637\u0644\u0628 \u06c1\u06d2 \u06a9\u06c1 
\u062f\u0631\u062e\u0648\u0627\u0633\u062a \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06d2 \u0627\u0646\u062a\u0638\u0627\u0645 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u0646\u06c1\u06cc\u06ba \u062c\u0627\u0646\u062a\u06cc \u06c1\u06d2 \u0627\u0648\u0631 \u0646\u06c1 \u06c1\u06cc \u0627\u0633 \u06a9\u06cc \u067e\u0631\u0648\u0627\u06c1 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4 \u0631\u0627\u0632 \u067e\u0691\u06be\u06cc\u06ba\u06d4 cert-manager \u0627\u067e\u0646\u06d2 \u0631\u0627\u0632 \u06a9\u0648 \u062a\u0627\u0632\u06c1 \u062a\u0631\u06cc\u0646 \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h3 id=\"heading-the-four-core-resources\">4 \u06a9\u0644\u06cc\u062f\u06cc \u0648\u0633\u0627\u0626\u0644<\/h3>\n<p>cert-manager \u0686\u0627\u0631 \u062d\u0633\u0628 \u0636\u0631\u0648\u0631\u062a \u0648\u0633\u0627\u0626\u0644 \u0645\u062a\u0639\u0627\u0631\u0641 \u06a9\u0631\u0627\u062a\u0627 \u06c1\u06d2 \u062c\u0646\u06c1\u06cc\u06ba \u0622\u067e \u0628\u0627\u0642\u0627\u0639\u062f\u06af\u06cc \u0633\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba \u06af\u06d2\u06d4<\/p>\n<table>\n<thead>\n<tr>\n<th>\u0645\u0631\u0636\u06cc<\/th>\n<th>\u06cc\u06c1 \u06a9\u06cc\u0627 \u0646\u0645\u0627\u0626\u0646\u062f\u06af\u06cc \u06a9\u0631\u062a\u0627 \u06c1\u06d2<\/th>\n<\/tr>\n<\/thead>\n<tbody wp_automatic_readability=\"5\">\n<tr wp_automatic_readability=\"2\">\n<td><code>Issuer<\/code><\/td>\n<td>\u0633\u0631\u0679\u06cc\u0641\u06cc\u06a9\u06cc\u0634\u0646 \u0627\u062a\u06be\u0627\u0631\u0679\u06cc \u06cc\u0627 ACME \u0627\u06a9\u0627\u0624\u0646\u0679 &#8211; \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u06a9\u0627 \u062f\u0627\u0626\u0631\u06c1<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"3\">\n<td><code>ClusterIssuer<\/code><\/td>\n<td>\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u06cc \u0637\u0631\u062d\u060c \u0644\u06cc\u06a9\u0646 \u06a9\u0644\u0633\u0679\u0631 
\u0648\u0633\u06cc\u0639 \u062f\u0633\u062a\u06cc\u0627\u0628 \u06c1\u06d2\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"2\">\n<td><code>Certificate<\/code><\/td>\n<td>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a &#8211; \u0628\u06cc\u0627\u0646 \u06a9\u0631\u06cc\u06ba \u06a9\u06c1 \u0622\u067e \u06a9\u06cc\u0627 \u0686\u0627\u06c1\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"3\">\n<td><code>CertificateRequest<\/code><\/td>\n<td>\u0627\u0646\u0641\u0631\u0627\u062f\u06cc \u062f\u0633\u062a\u062e\u0637 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u06cc\u06ba &#8211; \u0633\u0631\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06c1 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u062a\u06cc\u0627\u0631 \u06a9\u06cc \u062c\u0627\u062a\u06cc \u06c1\u06cc\u06ba \u0627\u0648\u0631 \u0634\u0627\u0630 \u0648 \u0646\u0627\u062f\u0631 \u06c1\u06cc \u0628\u0631\u0627\u06c1 \u0631\u0627\u0633\u062a \u0686\u06be\u0648\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u0639\u0645\u0644\u06cc \u0637\u0648\u0631 \u067e\u0631\u060c \u06cc\u06c1 \u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u0645\u0633\u0627\u0626\u0644 \u06a9\u0627 \u0627\u062d\u0627\u0637\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 <code>ClusterIssuer<\/code> \u0627\u0648\u0631 <code>Certificate<\/code>. 
\u06a9\u06c1 <code>ClusterIssuer<\/code> \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0627\u0635\u0644\u06cc\u062a \u06a9\u06cc \u0648\u0636\u0627\u062d\u062a \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u06a9\u06c1 <code>Certificate<\/code> \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0648\u0636\u0627\u062d\u062a \u06a9\u0631\u06cc\u06ba \u062c\u0648 \u0622\u067e \u0686\u0627\u06c1\u062a\u06d2 \u06c1\u06cc\u06ba \u0627\u0648\u0631 \u0627\u0633\u06d2 \u06a9\u06c1\u0627\u06ba \u0630\u062e\u06cc\u0631\u06c1 \u06a9\u0631\u0646\u0627 \u06c1\u06d2\u06d4<\/p>\n<h3 id=\"heading-issuers-and-clusterissuers\">\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0627\u0648\u0631 \u06a9\u0644\u0633\u0679\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1<\/h3>\n<p>\u0646\u06c1\u06cc\u06ba <code>Issuer<\/code> \u0622\u067e \u0635\u0631\u0641 \u0627\u067e\u0646\u06d2 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u0645\u06cc\u06ba \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u06a9\u0648\u0626\u06cc \u0631\u0627\u0633\u062a\u06c1 \u0646\u06c1\u06cc\u06ba <code>ClusterIssuer<\/code> \u0622\u067e \u06a9\u0633\u06cc \u0628\u06be\u06cc \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u0645\u06cc\u06ba \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 Let&#8217;s Encrypt \u062c\u06cc\u0633\u06d2 \u0645\u0634\u062a\u0631\u06a9\u06c1 \u0627\u0646\u0641\u0631\u0627\u0633\u0679\u0631\u06a9\u0686\u0631 \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u06cc\u06c1 \u062a\u0642\u0631\u06cc\u0628\u0627\u064b \u06c1\u0645\u06cc\u0634\u06c1 \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4 <code>ClusterIssuer<\/code>. 
\u06a9\u0633\u06cc \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u062e\u0635\u0648\u0635 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc CAs \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0627\u0633\u06cc \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646 \u06a9\u06d2 namespace (\u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1) \u062a\u06a9 \u0645\u062d\u062f\u0648\u062f <code>Issuer<\/code> \u0632\u06cc\u0627\u062f\u06c1 \u0645\u062d\u0641\u0648\u0638 \u0627\u0646\u062a\u062e\u0627\u0628 \u06c1\u06d2\u06d4<\/p>\n<p>cert-manager \u0645\u062a\u0639\u062f\u062f \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06af\u0627\u0646 \u06a9\u06cc \u0627\u0642\u0633\u0627\u0645 \u06a9\u0648 \u0633\u067e\u0648\u0631\u0679 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u062c\u0646 \u062a\u06cc\u0646\u0648\u06ba \u06a9\u0627 \u0622\u067e \u0627\u06a9\u062b\u0631 \u0633\u0627\u0645\u0646\u0627 \u06a9\u0631\u06cc\u06ba \u06af\u06d2 \u0648\u06c1 \u06c1\u06cc\u06ba:<\/p>\n<p><strong>ACME<\/strong> \u2014 Let&#8217;s Encrypt \u06cc\u0627 ACME-compliant CAs \u0633\u06d2 \u0639\u0648\u0627\u0645\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2\u06d4 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u06cc \u0645\u0644\u06a9\u06cc\u062a HTTP-01 \u06cc\u0627 DNS-01 \u0686\u06cc\u0644\u0646\u062c \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u062b\u0627\u0628\u062a \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<p><strong>CA<\/strong> &#8211; \u0627\u06cc\u06a9 CA \u06a9\u06d2 \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u062f\u0627\u062e\u0644\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062c\u0633 \u06a9\u06cc \u0646\u062c\u06cc \u06a9\u0644\u06cc\u062f Kubernetes Secret \u0645\u06cc\u06ba \u0645\u062d\u0641\u0648\u0638 \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 
\u0627\u0646\u062f\u0631 \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u062f\u0631\u0645\u06cc\u0627\u0646 TLS \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p><strong>\u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1<\/strong> &#8211; \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0628\u0646\u0627\u0626\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0627\u067e\u0646\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0628\u06c1\u062a \u06a9\u0645 \u06a9\u0627\u0645 \u06a9\u0627 \u06c1\u06d2\u060c \u0644\u06cc\u06a9\u0646 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc CA \u0628\u0646\u0627\u062a\u06d2 \u0648\u0642\u062a \u0628\u0648\u0679\u0633\u0679\u0631\u06cc\u067e\u0646\u06af \u0642\u062f\u0645 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0636\u0631\u0648\u0631\u06cc \u06c1\u06d2\u06d4<\/p>\n<h3 id=\"heading-the-certificate-lifecycle\">\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0644\u0627\u0626\u0641 \u0633\u0627\u0626\u06cc\u06a9\u0644<\/h3>\n<p>\u0622\u067e <code>Certificate<\/code> \u0648\u0633\u0627\u0626\u0644\u060c \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631\u060c \u0627\u0633 \u062d\u06a9\u0645 \u06a9\u06cc \u067e\u06cc\u0631\u0648\u06cc \u06a9\u0631\u062a\u0627 \u06c1\u06d2:<\/p>\n<ol wp_automatic_readability=\"4\">\n<li wp_automatic_readability=\"-1\">\n<p>\u0646\u0633\u0644 <code>CertificateRequest<\/code> \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u067e\u0631 \u062f\u0633\u062a\u062e\u0637 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a (CSR) \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>CSR \u06a9\u0648 \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06a9\u0631\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 
\u06a9\u0648 \u0628\u06be\u06cc\u062c\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>ACME \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2: <code>Challenge<\/code> \u0648\u0633\u0627\u0626\u0644 \u062d\u0627\u0635\u0644 \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u0627\u0646 \u067e\u0631 \u0639\u0645\u0644 \u062f\u0631\u0622\u0645\u062f \u06a9\u0631\u06cc\u06ba (\u0630\u06cc\u0644 \u0645\u06cc\u06ba \u062a\u0641\u0635\u06cc\u0644\u0627\u062a \u062f\u06cc\u06a9\u06be\u06cc\u06ba)\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0633\u06d2 \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062d\u0627\u0635\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0627\u0648\u0631 \u0646\u062c\u06cc \u06a9\u0644\u06cc\u062f \u06a9\u0648 \u06a9\u0648\u0628\u0631\u0646\u06cc\u0679\u0633 \u0633\u06cc\u06a9\u0631\u06cc\u0679 \u0645\u06cc\u06ba \u0645\u062d\u0641\u0648\u0638 \u06a9\u0631\u06cc\u06ba\u06d4 <code>spec.secretName<\/code><\/p>\n<\/li>\n<li wp_automatic_readability=\"1\">\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u06a9\u06cc \u0646\u06af\u0631\u0627\u0646\u06cc \u06a9\u0631\u06cc\u06ba\u06d4 \u067e\u06c1\u0644\u06d2 \u0633\u06d2 \u0637\u06d2 \u0634\u062f\u06c1 \u0637\u0648\u0631 \u067e\u0631\u060c \u0627\u0633 \u06a9\u06cc \u062a\u062c\u062f\u06cc\u062f \u0627\u0633 \u0648\u0642\u062a \u06c1\u0648\u062a\u06cc \u06c1\u06d2 \u062c\u0628 \u0645\u06cc\u0639\u0627\u062f \u06a9\u0627 2\/3 \u06af\u0632\u0631 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<\/ol>\n<p>\u0627\u06cc\u067e\u0644\u06cc \u06a9\u06cc\u0634\u0646 \u0631\u0627\u0632 \u06a9\u0648 
\u0645\u0627\u0624\u0646\u0679 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4 cert-manager \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u0627\u067e \u0688\u06cc\u0679 \u06c1\u0648\u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 \u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646\u0632 \u062c\u0648 \u0641\u0627\u0626\u0644 \u06a9\u06cc \u062a\u0628\u062f\u06cc\u0644\u06cc\u0648\u06ba \u06a9\u0648 \u062f\u06cc\u06a9\u06be\u062a\u06d2 \u06c1\u06cc\u06ba \u0648\u06c1 \u062f\u0648\u0628\u0627\u0631\u06c1 \u0634\u0631\u0648\u0639 \u06a9\u06cc\u06d2 \u0628\u063a\u06cc\u0631 \u0646\u06cc\u0627 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0627\u0679\u06be\u0627 \u0644\u06cc\u06ba \u06af\u06cc\u06d4<\/p>\n<h3 id=\"heading-acme-challenges-http-01-vs-dns-01\">ACME \u0686\u06cc\u0644\u0646\u062c: HTTP-01 \u0628\u0645\u0642\u0627\u0628\u0644\u06c1 DNS-01<\/h3>\n<p>\u0622\u0626\u06cc\u06d2 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633 \u0628\u0627\u062a \u06a9\u0627 \u062b\u0628\u0648\u062a \u062f\u0631\u06a9\u0627\u0631 \u06c1\u06d2 \u06a9\u06c1 \u0622\u067e \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u0648 \u06a9\u0646\u0679\u0631\u0648\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 ACME \u0627\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0686\u06cc\u0644\u0646\u062c \u06a9\u06cc \u062f\u0648 \u0627\u0642\u0633\u0627\u0645 \u06a9\u06cc \u0648\u0636\u0627\u062d\u062a \u06a9\u0631\u062a\u0627 \u06c1\u06d2:<\/p>\n<p><strong>HTTP-01<\/strong> \u06cc\u06c1 \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 \u0627\u06cc\u06a9 \u0639\u0627\u0631\u0636\u06cc HTTP \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679 \u0628\u0646\u0627 \u06a9\u0631 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 
<code>http:\/\/&lt;your-domain&gt;\/.well-known\/acme-challenge\/&lt;token&gt;<\/code>. Let&#8217;s Encrypt \u0627\u0633 URL \u06a9\u0648 \u0627\u06cc\u06a9 \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u0628\u06be\u06cc\u062c\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u06af\u0631 \u062c\u0648\u0627\u0628 \u0645\u062a\u0648\u0642\u0639 \u0679\u0648\u06a9\u0646 \u0633\u06d2 \u0645\u06cc\u0644 \u06a9\u06be\u0627\u062a\u0627 \u06c1\u06d2\u060c \u062a\u0648 \u0686\u06cc\u0644\u0646\u062c \u06af\u0632\u0631 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0636\u0631\u0648\u0631\u06cc \u06c1\u06d2 \u06a9\u06c1 \u0622\u067e \u06a9\u0627 \u06a9\u0644\u0633\u0679\u0631 \u067e\u0648\u0631\u0679 80 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u0633\u06d2 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u06c1\u0648\u06d4<\/p>\n<p><strong>DNS-01<\/strong> \u0645\u06cc\u06ba cert-manager <code>_acme-challenge.&lt;your-domain&gt;<\/code> \u067e\u0631 \u0627\u06cc\u06a9 \u0639\u0627\u0631\u0636\u06cc DNS TXT \u0631\u06cc\u06a9\u0627\u0631\u0688 \u0628\u0646\u0627\u062a\u0627 \u06c1\u06d2\u06d4 
Let&#8217;s Encrypt \u0627\u0633 \u0631\u06cc\u06a9\u0627\u0631\u0688 \u06a9\u0648 \u0686\u06cc\u06a9 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u067e\u0631\u0627\u0626\u06cc\u0648\u06cc\u0679 \u06a9\u0644\u0633\u0679\u0631\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u0627\u0686\u06be\u0627 \u0627\u0646\u062a\u062e\u0627\u0628 \u06c1\u06d2 \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u0627\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0646 \u0628\u0627\u0624\u0646\u0688 HTTP \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2 \u0627\u0648\u0631 \u06cc\u06c1 \u0648\u0627\u0626\u0644\u0688 \u06a9\u0627\u0631\u0688 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062d\u0627\u0635\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u0627 \u0648\u0627\u062d\u062f \u0637\u0631\u06cc\u0642\u06c1 \u06c1\u06d2 (<code>*.example.com<\/code>)\u06d4<\/p>\n<p>\u0645\u0648\u0627\u0632\u0646\u06c1: HTTP-01 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u0646\u0627 \u0622\u0633\u0627\u0646 \u06c1\u06d2\u060c \u0644\u06cc\u06a9\u0646 \u0635\u0631\u0641 \u0627\u06cc\u06a9 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0646\u06cc\u0627\u062f\u06cc \u0688\u06be\u0627\u0646\u0686\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4 DNS-01 \u06a9\u0648 \u0622\u067e \u06a9\u06d2 DNS \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u062a\u06a9 API \u0631\u0633\u0627\u0626\u06cc \u062f\u0631\u06a9\u0627\u0631 \u06c1\u06d2 (\u0627\u0633 API \u06a9\u0631\u06cc\u0688\u06cc\u0646\u0634\u0644 \u06a9\u0648 \u0635\u0631\u0641 \u0645\u062a\u0639\u0644\u0642\u06c1 DNS \u0632\u0648\u0646 \u062a\u06a9 \u0645\u062d\u062f\u0648\u062f \u0631\u06a9\u06be\u06cc\u06ba)\u060c \u0644\u06cc\u06a9\u0646 \u06cc\u06c1 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u06a9\u0644\u0633\u0679\u0631\u0632 \u0627\u0648\u0631 \u0648\u0627\u0626\u0644\u0688 \u06a9\u0627\u0631\u0688\u0632 
\u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-demo-1-install-cert-manager-and-issue-a-certificate-using-pebble-and-lets-encrypt\">\u0688\u06cc\u0645\u0648 1 &#8211; \u067e\u06cc\u0628\u0644 \u0627\u06cc\u0646\u0688 \u0644\u06cc\u0679\u0633 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u0646\u0627 \u0627\u0648\u0631 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u0627<\/h2>\n<p>\u067e\u06cc\u0628\u0644 \u0644\u06cc\u0679\u0633 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06a9\u0627 \u0645\u0642\u0627\u0645\u06cc ACME \u0679\u06cc\u0633\u0679 \u0633\u0631\u0648\u0631 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0627\u06cc\u06a9 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0686\u0644\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0633\u06cc ACME \u067e\u0631\u0648\u0679\u0648\u06a9\u0648\u0644 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u06cc\u0633\u0627 \u06a9\u06c1 Let&#8217;s Encrypt\u060c \u0627\u0648\u0631 \u0627\u0633\u06d2 \u0639\u0648\u0627\u0645\u06cc \u0688\u0648\u0645\u06cc\u0646 \u06cc\u0627 \u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u067e\u06cc\u0628\u0644 \u0622\u067e \u06a9\u0648 \u0627\u06cc\u06a9 \u0639\u0627\u0645 \u06a9\u0644\u0633\u0679\u0631 \u067e\u0631 \u067e\u0648\u0631\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u06d2 
\u0628\u06c1\u0627\u0624 (\u0686\u06cc\u0644\u0646\u062c\u060c \u0627\u062c\u0631\u0627\u0621\u060c \u062a\u062c\u062f\u06cc\u062f) \u06a9\u06cc \u062c\u0627\u0646\u0686 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u06cc\u06a9 \u0628\u0627\u0631 \u062c\u0628 \u0622\u067e \u0645\u0642\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0628\u06c1\u0627\u0624 \u06a9\u0648 \u0633\u0645\u062c\u06be \u0644\u06cc\u06ba\u060c \u062a\u0648 \u062d\u0642\u06cc\u0642\u06cc Let&#8217;s Encrypt \u067e\u0631 \u0633\u0648\u0626\u0686 \u06a9\u0631\u0646\u0627 \u0635\u0631\u0641 \u0627\u06cc\u06a9 \u0644\u0627\u0626\u0646 \u06a9\u06cc \u062a\u0628\u062f\u06cc\u0644\u06cc \u06c1\u06d2\u06d4 \u06cc\u0639\u0646\u06cc\u060c ClusterIssuer \u0633\u0631\u0648\u0631 URL \u06a9\u0648 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u0627\u0633\u06d2 \u0627\u067e\u0646\u06d2 \u0639\u0648\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba DNS \u0631\u06cc\u06a9\u0627\u0631\u0688 \u06a9\u06cc \u0637\u0631\u0641 \u0627\u0634\u0627\u0631\u06c1 \u06a9\u0631\u06cc\u06ba\u06d4 \u0628\u0627\u0642\u06cc \u062a\u0631\u062a\u06cc\u0628 \u0648\u06c1\u06cc \u06c1\u06d2\u06d4<\/p>\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0627\u0648\u0631 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4 <code>ClusterIssuer<\/code> Let&#8217;s Encrypt \u06a9\u06d2 \u0644\u06cc\u06d2\u060c Ingress \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0646\u0645\u0648\u0646\u06c1 \u0627\u06cc\u067e\u0644\u06cc \u06a9\u06cc\u0634\u0646 \u06a9\u0648 \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u062e\u0648\u062f \u0628\u062e\u0648\u062f 
\u062c\u0627\u0631\u06cc \u0627\u0648\u0631 \u0630\u062e\u06cc\u0631\u06c1 \u0634\u062f\u06c1 \u0627\u0635\u0644\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062f\u06cc\u06a9\u06be\u06cc\u06ba\u06d4<\/p>\n<h3 id=\"heading-step-1-install-cert-manager\">\u0645\u0631\u062d\u0644\u06c1 1: \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>cert-manager \u0627\u0628 OCI \u06c1\u06cc\u0644\u0645 \u0686\u0627\u0631\u0679 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u062a\u0642\u0633\u06cc\u0645 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 <code>quay.io\/jetstack<\/code>. \u06a9\u06c1 <code>--set crds.enabled=true<\/code> \u067e\u0631\u0686\u0645 \u0686\u0627\u0631\u0679 \u06a9\u06d2 \u062d\u0635\u06d2 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0627\u06cc\u06a9 \u062d\u0633\u0628 \u0636\u0631\u0648\u0631\u062a \u0648\u0633\u0627\u0626\u0644 \u06a9\u06cc \u062a\u0639\u0631\u06cc\u0641 \u06a9\u0648 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">helm upgrade cert-manager oci:\/\/quay.io\/jetstack\/charts\/cert-manager \\\n  --install \\\n  --create-namespace \\\n  --namespace cert-manager \\\n  --set crds.enabled=true \\\n  --version v1.17.0 \\\n  --wait\n<\/code><\/pre>\n<p>\u0622\u067e \u06a9\u0648 nginx Ingress \u06a9\u0646\u0679\u0631\u0648\u0644\u0631 \u06a9\u06cc \u0628\u06be\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u0648\u06af\u06cc\u06d4 cert-manager \u0627\u0633 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 HTTP-01 \u0686\u06cc\u0644\u0646\u062c\u0632 \u06a9\u0648 \u0631\u0648\u0679 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 <code>controller.service.type=ClusterIP<\/code> \u0627\u0648\u0648\u0631 \u0631\u0627\u0626\u06cc\u0688 \u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 kind \u06a9\u06d2 
\u0644\u06cc\u06d2 \u06c1\u06d2: kind \u067e\u0631 \u0688\u06cc\u0641\u0627\u0644\u0679 <code>LoadBalancer<\/code> \u0633\u0631\u0648\u0633 \u06a9\u0648 \u06a9\u0628\u06be\u06cc <code>EXTERNAL-IP<\/code> \u0646\u06c1\u06cc\u06ba \u0645\u0644\u062a\u0627 (\u06a9\u0648\u0626\u06cc \u06a9\u0644\u0627\u0624\u0688 \u0627\u06cc\u0644 \u0628\u06cc \u0646\u06c1\u06cc\u06ba)\u060c \u0627\u0633 \u0644\u06cc\u06d2 <code>--wait<\/code> \u06c1\u0645\u06cc\u0634\u06c1 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0679\u06a9\u0627 \u0631\u06c1\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u062d\u0642\u06cc\u0642\u06cc \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u06cc\u06c1 \u0627\u0648\u0648\u0631 \u0631\u0627\u0626\u06cc\u0688 \u06c1\u0679\u0627 \u062f\u06cc\u06ba \u0627\u0648\u0631 <code>LoadBalancer<\/code> \u0631\u06a9\u06be\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">helm repo add ingress-nginx https:\/\/kubernetes.github.io\/ingress-nginx\nhelm repo update\n\nhelm install ingress-nginx ingress-nginx\/ingress-nginx \\\n  --namespace ingress-nginx \\\n  --create-namespace \\\n  --set controller.service.type=ClusterIP \\\n  --wait\n<\/code><\/pre>\n<p>\u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u0686\u0627\u0631\u0648\u06ba \u0627\u062c\u0632\u0627\u0621 \u0686\u0644 \u0631\u06c1\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get pods -n cert-manager\nkubectl get pods -n ingress-nginx\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME                                       READY   STATUS    RESTARTS   AGE\ncert-manager-76f84784c8-r4fx4              1\/1     Running   0          6m45s\ncert-manager-cainjector-66fbf49587-gv25n   1\/1     Running   0          6m45s\ncert-manager-webhook-577fddf86-l5wj4       1\/1     Running   0          6m45s\n\nNAME                                        READY   STATUS    RESTARTS   AGE\ningress-nginx-controller-6c7cd85885-h7zgx   1\/1     Running 
  0          3m34s\n<\/code><\/pre>\n<blockquote wp_automatic_readability=\"9\">\n<p><strong>kind \u06a9\u0644\u0633\u0679\u0631 \u06a9\u0627 \u0645\u0633\u0626\u0644\u06c1 \u2014 nginx admission webhook \u06a9\u0648 \u0627\u0628\u06be\u06cc \u062d\u0630\u0641 \u06a9\u0631\u06cc\u06ba\u06d4<\/strong> kind \u067e\u0631 nginx admission webhook \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0622\u062a\u0627 \u06c1\u06d2 \u062c\u0633 \u06a9\u06cc Kubernetes API \u0633\u0631\u0648\u0631 \u062a\u0635\u062f\u06cc\u0642 \u0646\u06c1\u06cc\u06ba \u06a9\u0631 \u0633\u06a9\u062a\u0627\u06d4 \u062c\u0628 \u0622\u067e \u067e\u06c1\u0644\u06cc \u0628\u0627\u0631 <em>\u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc<\/em> Ingress \u0648\u0633\u06cc\u0644\u06c1 \u0628\u0646\u0627\u0646\u06d2 \u06a9\u06cc \u06a9\u0648\u0634\u0634 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u062a\u0648 \u06cc\u06c1 \u062e\u0631\u0627\u0628\u06cc \u0646\u0638\u0631 \u0622\u062a\u06cc \u06c1\u06d2: <code>failed calling webhook \"validate.nginx.ingress.kubernetes.io\": ... x509: certificate signed by unknown authority<\/code>. 
\u0628\u0627\u0642\u06cc \u0688\u06cc\u0645\u0648 \u0645\u06cc\u06ba \u0631\u06a9\u0627\u0648\u0679 \u0633\u06d2 \u0628\u0686\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0648\u06cc\u0628 \u06c1\u06a9 \u06a9\u0648 \u067e\u06c1\u0644\u06d2 \u06c1\u06cc \u062d\u0630\u0641 \u06a9\u0631 \u062f\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0642\u062f\u0645 \u0635\u0631\u0641 \u0627\u0633 \u0639\u0627\u0631\u0636\u06cc \u0688\u06cc\u0645\u0648 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06c1\u06d2\u06d4 \u062d\u0642\u06cc\u0642\u06cc \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u06cc\u06c1 validating webhook \u0628\u0631\u0642\u0631\u0627\u0631 \u0631\u06a9\u06be\u06cc\u06ba \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u06cc\u06c1 Ingress \u0648\u0633\u0627\u0626\u0644 \u06a9\u06cc \u062a\u0648\u062b\u06cc\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">kubectl delete validatingwebhookconfiguration ingress-nginx-admission\n<\/code><\/pre>\n<h3 id=\"heading-step-2-install-pebble\">\u0645\u0631\u062d\u0644\u06c1 2: \u067e\u06cc\u0628\u0644 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>\u067e\u06cc\u0628\u0644 \u0627\u06cc\u06a9 \u0645\u0642\u0627\u0645\u06cc ACME \u0679\u06cc\u0633\u0679 \u0633\u0631\u0648\u0631 \u06c1\u06d2 \u062c\u0633\u06d2 JupyterHub \u067e\u0631\u0648\u062c\u06cc\u06a9\u0679 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u062a\u0642\u0633\u06cc\u0645 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4 \u0633\u0627\u062a\u06be\u06cc CoreDNS \u062a\u0642\u0633\u06cc\u0645 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0622\u062a\u0627 \u06c1\u06d2 (<code>pebble-coredns<\/code>) \u0648\u06c1 \u06c1\u06d2 \u062c\u0633\u06d2 \u067e\u06cc\u0628\u0644 ACME \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06d2 \u062f\u0648\u0631\u0627\u0646 \u0646\u0627\u0645\u0648\u06ba \u06a9\u0648 \u062d\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">helm install pebble pebble \\\n  --repo https:\/\/jupyterhub.github.io\/helm-chart\/ \\\n  --namespace pebble \\\n  --create-namespace \\\n  --wait\n<\/code><\/pre>\n<p>\u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u062f\u0648\u0646\u0648\u06ba \u067e\u0648\u0688 \u0686\u0644 \u0631\u06c1\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get pods -n 
pebble\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME                              READY   STATUS    RESTARTS   AGE\npebble-8d8d49d64-lz8ck            1\/1     Running   0          36s\npebble-coredns-7fb5c7cbf4-4jw9h   1\/1     Running   0          36s\n<\/code><\/pre>\n<h3 id=\"heading-step-3-wire-up-dns-for-the-fake-hostname\">\u0645\u0631\u062d\u0644\u06c1 3: \u062c\u0639\u0644\u06cc \u0645\u06cc\u0632\u0628\u0627\u0646 \u0646\u0627\u0645 \u0633\u06d2 DNS \u06a9\u0646\u06cc\u06a9\u0679\u0648\u0679\u06cc<\/h3>\n<p>\u06c1\u0645 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u06a9\u0627 \u0627\u0631\u0627\u062f\u06c1 \u0631\u06a9\u06be\u062a\u06d2 \u06c1\u06cc\u06ba: <code>echo.pebble.local<\/code>. \u0648\u06c1 \u0645\u06cc\u0632\u0628\u0627\u0646 \u0646\u0627\u0645 \u062c\u0639\u0644\u06cc \u06c1\u06d2\u06d4 \u06cc\u06c1 \u062d\u0642\u06cc\u0642\u06cc DNS \u0645\u06cc\u06ba \u0645\u0648\u062c\u0648\u062f \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u060c \u0627\u0633 \u0644\u06cc\u06d2 \u0627\u0633\u06d2 \u0633\u06a9\u06be\u0627\u06cc\u0627 \u062c\u0627\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2\u06d4 <strong>\u062f\u0648<\/strong> \u0627\u06cc\u06a9 \u0622\u0632\u0627\u062f \u062d\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u0627 \u0627\u0634\u0627\u0639\u062a \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u0627\u0633 \u067e\u0631 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<table>\n<thead>\n<tr>\n<th>\u062d\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u0627<\/th>\n<th>\u06a9\u06c1\u0627\u06ba \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u0627 \u06c1\u06d2\u06d4<\/th>\n<th>\u06c1\u0645\u06cc\u06ba \u06a9\u06cc\u0627 \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2<\/th>\n<\/tr>\n<\/thead>\n<tbody wp_automatic_readability=\"6.5\">\n<tr wp_automatic_readability=\"7\">\n<td><code>pebble-coredns<\/code>    (\u0645\u06cc\u06ba <code>pebble<\/code> \u0646\u0627\u0645 
\u06a9\u06cc \u062c\u06af\u06c1)<\/td>\n<td>HTTP-01 \u06a9\u06cc \u062a\u0648\u062b\u06cc\u0642 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0631\u062a\u06d2 \u0648\u0642\u062a\u060c \u062e\u0648\u062f \u067e\u06cc\u0628\u0644<\/td>\n<td>\u062d\u0644 <code>echo.pebble.local<\/code> \u2192 Incoming-nginx ClusterIP<\/td>\n<\/tr>\n<tr wp_automatic_readability=\"6\">\n<td>\u06a9\u0644\u0633\u0679\u0631 \u06a9\u0648\u0631 \u0688\u06cc \u0627\u06cc\u0646 \u0627\u06cc\u0633 (<code>kube-system<\/code>)<\/td>\n<td>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0645\u06cc\u06ba HTTP-01 <strong>\u062e\u0648\u062f \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba<\/strong> \u0686\u06cc\u0644\u0646\u062c \u06a9\u06cc \u0627\u0637\u0644\u0627\u0639 \u062f\u06cc\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u062a\u06cc\u0627\u0631 \u0631\u06c1\u06cc\u06ba<\/td>\n<td>\u0627\u0628 \u0633\u06d2 <code>pebble.local<\/code> \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba <code>pebble-coredns<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u0627\u06af\u0631 \u0622\u067e \u06a9\u0633\u06cc \u0628\u06be\u06cc \u067e\u0631\u062a \u06a9\u0648 \u0686\u06be\u0648\u0691 \u062f\u06cc\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062a\u0648 \u0622\u067e \u06a9\u0627 \u0622\u0631\u0688\u0631 \u0627\u06af\u0644\u06cc \u067e\u0631 \u0686\u0644\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 <code>invalid<\/code> DNS \u062a\u0644\u0627\u0634 \u0646\u0627\u06a9\u0627\u0645 \u062d\u0627\u0644\u062a<\/p>\n<p>\u0633\u0628 \u0633\u06d2 \u067e\u06c1\u0644\u06d2\u060c \u062f\u0648 IPs \u062d\u0627\u0635\u0644 \u06a9\u0631\u06cc\u06ba \u062c\u0646 \u06a9\u06cc \u0622\u067e \u06a9\u0648 \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">NGINX_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller \\\n  -o jsonpath=\"{.spec.clusterIP}\")\nPEBBLE_DNS_IP=$(kubectl get svc pebble-coredns -n pebble \\\n  -o 
jsonpath=\"{.spec.clusterIP}\")\necho \"NGINX_IP=$NGINX_IP  PEBBLE_DNS_IP=$PEBBLE_DNS_IP\"\n<\/code><\/pre>\n<p><strong>\u062c\u06af\u06c1<\/strong> <code>pebble-coredns<\/code>    \u062c\u0648\u0627\u0628 <code>*.pebble.local<\/code> \u0633\u0646\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06a9\u0646\u0679\u0631\u0648\u0644\u0631 \u06a9\u06d2 IP \u067e\u0631\u06d4 \u06a9\u0648\u0631 \u0688\u06cc \u0627\u06cc\u0646 \u0627\u06cc\u0633 <code>template<\/code> \u067e\u0644\u06af \u0627\u0646 \u0627\u06cc\u06a9 \u062d\u0642\u06cc\u0642\u06cc \u0645\u0644\u0679\u06cc \u0644\u0627\u0626\u0646 \u06a9\u0646\u0641\u06cc\u06af \u0645\u06cc\u067e \u06a9\u0627 \u0627\u0637\u0644\u0627\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u062c\u0628 \u067e\u0648\u0631\u0627 \u0628\u0644\u0627\u06a9 \u0627\u06cc\u06a9 \u0644\u0627\u0626\u0646 \u0645\u06cc\u06ba \u0633\u0645\u0679 \u062c\u0627\u062a\u0627 \u06c1\u06d2 \u062a\u0648 \u06cc\u06c1 \u0627\u0633\u06d2 \u0646\u0627\u0642\u0627\u0628\u0644 \u0627\u0639\u062a\u0628\u0627\u0631 \u0637\u0648\u0631 \u067e\u0631 \u067e\u0627\u0631\u0633 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">cat <<eof kubectl=\"\" apply=\"\" apiversion:=\"\" v1=\"\" kind:=\"\" configmap=\"\" metadata:=\"\" name:=\"\" pebble-coredns=\"\" namespace:=\"\" pebble=\"\" data:=\"\" corefile:=\"\" .:8053=\"\" errors=\"\" health=\"\" ready=\"\" template=\"\" any=\"\" pebble.local=\"\" answer=\"\" .name=\"\" in=\"\" a=\"\" forward=\"\" .=\"\" cache=\"\" reload=\"\" eof=\"\" rollout=\"\" restart=\"\" deploy=\"\" status=\"\"\/><\/code><\/pre>\n<p>\u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u0622\u067e \u0635\u062d\u06cc\u062d \u062c\u0648\u0627\u0628 \u062f\u06cc\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl run dnstest --rm -it --restart=Never --image=busybox -- \\\n  nslookup echo.pebble.local 
${PEBBLE_DNS_IP}\n<\/code><\/pre>\n<p>\u0622\u067e \u06a9\u0648 \u062f\u06cc\u06a9\u06be\u0646\u0627 \u0686\u0627\u06c1\u0626\u06d2 <code>Address: <nginx_ip\/><\/code> \u062c\u0648\u0627\u0628 \u0645\u06cc\u06ba\u06d4 \u0627\u06af\u0631 \u0622\u067e \u06a9\u0648 \u0645\u0644\u062a\u0627 \u06c1\u06d2 <code>SERVFAIL<\/code>\u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba <code>kubectl logs -n pebble deploy\/pebble-coredns<\/code> &#8211; \u062a\u062c\u0632\u06cc\u06c1 \u06a9\u0627\u0631 \u06a9\u06cc \u063a\u0644\u0637\u06cc\u0627\u06ba \u062c\u06cc\u0633\u06d2: <code>not a TTL: \"}\"<\/code> \u0627\u0633 \u06a9\u0627 \u0645\u0637\u0644\u0628 \u06c1\u06d2 \u06a9\u06c1 \u0679\u06cc\u0645\u067e\u0644\u06cc\u0679 \u0628\u0644\u0627\u06a9 \u06a9\u0648 \u062f\u0648\u0628\u0627\u0631\u06c1 \u0627\u06cc\u06a9 \u0644\u0627\u0626\u0646 \u062a\u06a9 \u06a9\u0645 \u06a9\u0631 \u062f\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4<\/p>\n<p><strong>\u06a9\u0644\u0633\u0679\u0631 CoreDNS \u067e\u06cc\u0686<\/strong> \u0644\u06c1\u0630\u0627\u060c \u0633\u0631\u0679\u06cc\u0641\u06a9 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0627 \u0627\u067e\u0646\u0627 \u0686\u06cc\u06a9 \u0627\u0633\u06cc \u0646\u0627\u0645 \u06a9\u0648 \u062d\u0644 \u06a9\u0631\u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4 \u0622\u06af\u06d2 \u0628\u0691\u06be\u0627\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u0679\u0628 \u0627\u06cc\u0631\u06cc\u0627 \u0634\u0627\u0645\u0644 \u06a9\u0631\u06cc\u06ba\u06d4 <code>pebble.local<\/code> \u06a9\u0648 <code>pebble-coredns<\/code>:<\/p>\n<pre><code class=\"language-bash\">cat <<eof kubectl=\"\" apply=\"\" apiversion:=\"\" v1=\"\" kind:=\"\" configmap=\"\" metadata:=\"\" name:=\"\" coredns=\"\" namespace:=\"\" kube-system=\"\" data:=\"\" corefile:=\"\" .:53=\"\" errors=\"\" health=\"\" lameduck=\"\" ready=\"\" kubernetes=\"\" cluster.local=\"\" in-addr.arpa=\"\" ip6.arpa=\"\" pods=\"\" insecure=\"\" fallthrough=\"\" ttl=\"\" forward=\"\" .=\"\" 
max_concurrent=\"\" cache=\"\" loop=\"\" reload=\"\" loadbalance=\"\" pebble.local:53=\"\" eof=\"\" rollout=\"\" restart=\"\" deploy=\"\" status=\"\"\/><\/code><\/pre>\n<p>\u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u06cc\u06ba \u06a9\u06c1 \u06a9\u0644\u0633\u0679\u0631 \u062d\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u0627 \u0627\u0628 \u062c\u0648\u0627\u0628 \u062f\u06cc\u062a\u0627 \u06c1\u06d2: <code>echo.pebble.local<\/code> (\u0633\u0631\u0648\u0631 \u06a9\u06cc \u0648\u0636\u0627\u062d\u062a \u0646\u06c1 \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u0688\u06cc\u0641\u0627\u0644\u0679 kube-dns \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba):<\/p>\n<pre><code class=\"language-bash\">kubectl run dnstest --rm -it --restart=Never --image=busybox -- \\\n  nslookup echo.pebble.local\n<\/code><\/pre>\n<p>\u062f\u0648\u0646\u0648\u06ba <code>Server: 10.96.0.10<\/code> \u0627\u0648\u0631 <code>Address: <nginx_ip\/><\/code> \u0622\u067e \u06a9\u0648 \u062f\u06a9\u06be\u0627\u0646\u0627 \u06c1\u0648\u06af\u0627\u06d4<\/p>\n<h3 id=\"heading-step-4-fetch-the-pebble-ca-and-create-the-clusterissuer\">\u0645\u0631\u062d\u0644\u06c1 4: \u067e\u06cc\u0628\u0644 CA \u062f\u0631\u0622\u0645\u062f \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u0627\u06cc\u06a9 \u06a9\u0644\u0633\u0679\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0628\u0646\u0627\u0626\u06cc\u06ba<\/h3>\n<p>\u067e\u06cc\u0628\u0644 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u067e\u0631 \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u062c\u0691 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u062f\u0633\u062a\u062e\u0637 \u06a9\u0631\u062a\u0627 \u06c1\u06d2: <code>pebble<\/code> ConfigMap \u06a9\u06d2 \u062a\u062d\u062a <code>root-cert.pem<\/code>. 
cert-manager \u06a9\u0648 \u067e\u06cc\u0628\u0644 \u06a9\u06cc ACME \u0688\u0627\u0626\u0631\u06a9\u0679\u0631\u06cc \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0627\u062a \u0686\u06cc\u062a \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633 CA \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u060c \u0644\u06c1\u0630\u0627 \u06c1\u0645 \u0627\u0633\u06d2 base64 \u0627\u0646\u06a9\u0648\u0688\u0646\u06af \u0645\u06cc\u06ba \u067e\u0627\u0633 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 <code>caBundle<\/code> \u06a9\u0644\u0633\u0679\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0645\u06cc\u06ba:<\/p>\n<pre><code class=\"language-bash\">kubectl get configmap pebble -n pebble \\\n  -o jsonpath=\"{.data.root-cert\\.pem}\" > pebble-ca.crt\n\nhead -1 pebble-ca.crt   # should print -----BEGIN CERTIFICATE-----\n\nCA_BUNDLE=$(base64 -i pebble-ca.crt | tr -d '\\n')\necho \"CA_BUNDLE length: ${#CA_BUNDLE}\"   # ~1600 chars, one continuous line\n<\/code><\/pre>\n<p>heredoc \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 ClusterIssuer \u0628\u0646\u0627\u0626\u06cc\u06ba\u06d4 <code>${CA_BUNDLE}<\/code> \u0634\u06cc\u0644 \u0645\u062a\u063a\u06cc\u0631\u0627\u062a \u06a9\u0648 YAML \u0633\u06d2 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631 \u062f\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2 \u0627\u0633 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06a9\u06c1 kubectl \u0627\u0646 \u06a9\u0648 \u067e\u0691\u06be\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl apply -f - <<eof apiversion:=\"\" cert-manager.io=\"\" kind:=\"\" clusterissuer=\"\" metadata:=\"\" name:=\"\" pebble=\"\" spec:=\"\" acme:=\"\" server:=\"\" https:=\"\" email:=\"\" test=\"\" privatekeysecretref:=\"\" pebble-account-key=\"\" cabundle:=\"\" solvers:=\"\" http01:=\"\" 
ingress:=\"\" ingressclassname:=\"\" nginx=\"\" eof=\"\"\/><\/code><\/pre>\n<p>\u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u0622\u067e \u06a9\u0627 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u062a\u06cc\u0627\u0631 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get clusterissuer pebble\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME     READY   AGE\npebble   True    5s\n<\/code><\/pre>\n<p>\u0627\u06af\u0631 <code>READY<\/code> \u06a9\u06cc \u0642\u062f\u0631 <code>False<\/code> \u0631\u06c1\u06d2 \u062a\u0648 \u062f\u0648 \u0633\u0628 \u0633\u06d2 \u0639\u0627\u0645 \u0648\u062c\u0648\u06c1\u0627\u062a \u06cc\u06c1 \u06c1\u06cc\u06ba: \u062e\u0631\u0627\u0628 <code>caBundle<\/code> (\u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u06cc\u06c1 \u0627\u06cc\u06a9 \u0648\u0627\u062d\u062f \u063a\u06cc\u0631 \u0679\u0648\u0679\u06cc \u06c1\u0648\u0626\u06cc \u0628\u06cc\u0633 64 \u0644\u0627\u0626\u0646 \u06c1\u06d2 \u062c\u0633 \u0645\u06cc\u06ba \u06a9\u0648\u0626\u06cc \u0646\u0626\u06cc \u0644\u0627\u0626\u0646 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2) \u06cc\u0627 <code>cert-manager<\/code> \u0646\u06cc\u0645 \u0627\u0633\u067e\u06cc\u0633 \u0633\u06d2 \u067e\u06cc\u0628\u0644 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u0646\u06c1 \u06c1\u0648\u0646\u0627\u06d4 \u06a9\u0646\u06cc\u06a9\u0679\u06cc\u0648\u06cc\u0679\u06cc \u0686\u06cc\u06a9 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06cc\u06c1 \u06a9\u0645\u0627\u0646\u0688 \u0686\u0644\u0627\u0626\u06cc\u06ba (<code>-k<\/code> \u0635\u0631\u0641 \u0627\u0633 \u0679\u06cc\u0633\u0679 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u0686\u06be\u0648\u0691 \u062f\u06cc\u062a\u0627 \u06c1\u06d2):<\/p>\n<pre><code class=\"language-bash\">kubectl run test-curl --rm -it --restart=Never \\\n  --image=curlimages\/curl:latest \\\n  --namespace cert-manager -- \\\n  curl -k https:\/\/pebble.pebble.svc.cluster.local\/dir\n<\/code><\/pre>\n<p>JSON \u0648\u0627\u067e\u0633 \u0622\u0646\u06d2 \u06a9\u06d2 \u0628\u0639\u062f\u060c \u0622\u067e \u067e\u06cc\u0628\u0644 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u062d\u0627\u0635\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 
\u06c1\u06cc\u06ba\u06d4<\/p>\n<h3 id=\"heading-step-5-deploy-a-sample-application\">\u0645\u0631\u062d\u0644\u06c1 5: \u0646\u0645\u0648\u0646\u06c1 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646 \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<pre><code class=\"language-yaml\"># echo-app.yaml\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: echo\n  namespace: default\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: echo\n  template:\n    metadata:\n      labels:\n        app: echo\n    spec:\n      containers:\n        - name: echo\n          image: ealen\/echo-server:latest\n          ports:\n            - containerPort: 80\n---\napiVersion: v1\nkind: Service\nmetadata:\n  name: echo\n  namespace: default\nspec:\n  selector:\n    app: echo\n  ports:\n    - port: 80\n      targetPort: 80\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f echo-app.yaml\n<\/code><\/pre>\n<p>\u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u06cc\u06ba \u06a9\u06c1 \u0648\u0633\u06cc\u0644\u06c1 \u0638\u0627\u06c1\u0631 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get deploy,pod,svc -n default\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME                   READY   UP-TO-DATE   AVAILABLE   AGE\ndeployment.apps\/echo   1\/1     1            1           32s\n\nNAME                        READY   STATUS    RESTARTS   AGE\npod\/echo-5665fbcfdd-mbgxj   1\/1     Running   0          36s\n\nNAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE\nservice\/echo         ClusterIP   10.96.103.114   <none>        80\/TCP    40s\nservice\/kubernetes   ClusterIP   10.96.0.1       <none>        443\/TCP   32m\n<\/none><\/none><\/code><\/pre>\n<h3 id=\"heading-step-6-create-an-ingress-with-tls\">\u0645\u0631\u062d\u0644\u06c1 6: TLS \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 
\u0633\u0646\u06cc\u06ba \u0628\u0646\u0627\u0626\u06cc\u06ba<\/h3>\n<p>\u06a9\u06c1 <code>cert-manager.io\/cluster-issuer: pebble<\/code> \u062a\u0634\u0631\u06cc\u062d \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0633\u06d2 \u06a9\u06c1\u062a\u06cc \u06c1\u06d2 \u06a9\u06c1 \u0648\u06c1 \u0627\u0633\u06d2 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u062a\u06cc\u0627\u0631 \u06a9\u0631\u06d2\u06d4 <code>Certificate<\/code> \u0627\u0628\u06be\u06cc \u0622\u067e \u0646\u06d2 \u062c\u0648 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0628\u0646\u0627\u06cc\u0627 \u06c1\u06d2 \u0627\u0633\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u0633 Ingress \u06a9\u06d2 \u0644\u06cc\u06d2 \u0648\u0633\u0627\u0626\u0644 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u06cc\u06ba\u06d4 \u0645\u06cc\u0632\u0628\u0627\u0646 \u0646\u0627\u0645 <code>echo.pebble.local<\/code> \u0628\u0627\u06c1\u0631 \u0633\u06d2 \u0686\u06cc\u06a9 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06c1\u0645 \u0646\u06d2 \u0622\u067e \u06a9\u0648 \u0645\u0631\u062d\u0644\u06c1 3 \u0645\u06cc\u06ba \u062f\u0648\u0646\u0648\u06ba DNS \u062d\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u0648\u06ba \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u0633\u06a9\u06be\u0627\u06cc\u0627\u06d4<\/p>\n<pre><code class=\"language-yaml\"># echo-ingress.yaml\napiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n  name: echo\n  namespace: default\n  annotations:\n    cert-manager.io\/cluster-issuer: pebble\nspec:\n  ingressClassName: nginx\n  tls:\n    - hosts:\n        - echo.pebble.local\n      secretName: echo-tls     # cert-manager will create this Secret\n  rules:\n    - host: echo.pebble.local\n      http:\n        paths:\n          - path: \/\n            pathType: Prefix\n            backend:\n              service:\n              
  name: echo\n                port:\n                  number: 80\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f echo-ingress.yaml\n<\/code><\/pre>\n<h3 id=\"heading-step-7-watch-the-certificate-being-issued\">\u0645\u0631\u062d\u0644\u06c1 7: \u062c\u0627\u0631\u06cc \u06c1\u0648\u0646\u06d2 \u0648\u0627\u0644\u0627 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062f\u06cc\u06a9\u06be\u06cc\u06ba<\/h3>\n<pre><code class=\"language-bash\"># Watch the Certificate resource (Ctrl-C once Ready=True)\nkubectl get certificate echo-tls -n default -w\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME       READY   SECRET     AGE\necho-tls   False   echo-tls   5s\necho-tls   True    echo-tls   28s\n<\/code><\/pre>\n<p>\u062c\u0628 <code>READY<\/code> \u0628\u0646 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 <code>True<\/code>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062f\u0631\u062c \u0630\u06cc\u0644 \u062c\u06af\u06c1 \u067e\u0631 \u062c\u0627\u0631\u06cc \u0627\u0648\u0631 \u0645\u062d\u0641\u0648\u0638 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2: <code>echo-tls<\/code> \u062e\u0641\u06cc\u06c1 \u0645\u06a9\u0645\u0644 \u0633\u0644\u0633\u0644\u06c1 (CertificateRequest \u2192 Order \u2192 Challenge \u2192 Solver Pod \u2192 Secret) \u0627\u06cc\u06a9 \u0635\u062d\u062a \u0645\u0646\u062f \u06a9\u0644\u0633\u0679\u0631 \u067e\u0631 1 \u0645\u0646\u0679 \u0633\u06d2 \u0628\u06be\u06cc \u06a9\u0645 \u0648\u0642\u062a \u0645\u06cc\u06ba \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get certificate,certificaterequest,order,challenge -n default\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME                                   READY   SECRET     AGE\ncertificate.cert-manager.io\/echo-tls   True    echo-tls   81s\n\nNAME                                            APPROVED   DENIED   READY   ISSUER   AGE\ncertificaterequest.cert-manager.io\/echo-tls-1   True           
     True    pebble   81s\n\nNAME                                               STATE   AGE\norder.acme.cert-manager.io\/echo-tls-1-1824732543   valid   81s\n<\/code><\/pre>\n<p>(\u0622\u0631\u0688\u0631 \u0645\u06a9\u0645\u0644 \u06c1\u0648\u0646\u06d2 \u06a9\u06d2 \u0628\u0639\u062f \u0686\u06cc\u0644\u0646\u062c \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u062d\u0630\u0641 \u06c1\u0648\u062c\u0627\u062a\u0627 \u06c1\u06d2\u060c \u0644\u06c1\u0630\u0627 <code>kubectl get challenge -n default<\/code> \u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0633 \u0645\u0642\u0627\u0645 \u067e\u0631 \u06a9\u0686\u06be \u0628\u06be\u06cc \u0638\u0627\u06c1\u0631 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0646\u0627\u06a9\u0627\u0645\u06cc \u0646\u06c1\u06cc\u06ba \u0628\u0644\u06a9\u06c1 \u06a9\u0627\u0645\u06cc\u0627\u0628\u06cc \u06c1\u06d2\u06d4)<\/p>\n<p>\u0627\u06af\u0631 <code>READY<\/code> \u0642\u06cc\u0627\u0645 <code>False<\/code> \u0628\u0631\u0627\u06c1 \u06a9\u0631\u0645 \u0627\u0633 \u0633\u06cc\u06a9\u0634\u0646 \u06a9\u06d2 \u0622\u062e\u0631 \u0645\u06cc\u06ba \u0679\u0631\u0628\u0644 \u0634\u0648\u0679\u0646\u06af \u06a9\u06cc \u062a\u062c\u0627\u0648\u06cc\u0632 \u062f\u06cc\u06a9\u06be\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0645 \u0627\u0632 \u06a9\u0645 \u0627\u06cc\u06a9 \u0645\u0646\u0679 \u0646\u06a9\u0627\u0644\u06cc\u06ba\u06d4<\/p>\n<p>\u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u0648 \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba \u06a9\u06c1 \u0627\u0633 \u067e\u0631 \u067e\u06cc\u0628\u0644 \u06a9\u06d2 \u062f\u0633\u062a\u062e\u0637 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get secret echo-tls -n default -o jsonpath=\"{.data.tls\\.crt}\" | \\\n  base64 -d | openssl x509 -noout -issuer -subject -dates\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">issuer=CN=Pebble Intermediate CA 
05478c\nsubject=\nnotBefore=May 17 19:09:22 2026 GMT\nnotAfter=Aug 15 19:09:21 2026 GMT\n<\/code><\/pre>\n<p>\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u067e\u06cc\u0628\u0644 \u06a9\u0627 \u0627\u0646\u0679\u0631\u0645\u06cc\u0688\u06cc\u0679 CA \u06c1\u06d2\u06d4 \u0627\u0633 \u0633\u06d2 \u062b\u0627\u0628\u062a \u06c1\u0648\u062a\u0627 \u06c1\u06d2 \u06a9\u06c1 ACME \u06a9\u06d2 \u067e\u0648\u0631\u06d2 \u0628\u06c1\u0627\u0624 \u0646\u06d2 \u0634\u0631\u0648\u0639 \u0633\u06d2 \u0622\u062e\u0631 \u062a\u06a9 \u06a9\u0627\u0645 \u06a9\u06cc\u0627\u06d4 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 90 \u062f\u0646\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2 \u062f\u0631\u0633\u062a \u06c1\u06cc\u06ba \u0627\u0648\u0631 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u062e\u0648\u062f \u0628\u062e\u0648\u062f 60 \u062f\u0646\u0648\u06ba \u0645\u06cc\u06ba \u0627\u0646 \u06a9\u06cc \u062a\u062c\u062f\u06cc\u062f \u06a9\u0631 \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631\u060c \u06cc\u06c1 \u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 HTTPS \u067e\u0631 \u0633\u0646\u0646\u06d2 \u06a9\u06cc \u06a9\u0648\u0634\u0634 \u06a9\u0631\u06cc\u06ba \u06a9\u06c1 \u06c1\u0631 \u0686\u06cc\u0632 \u0627\u06cc\u06a9 \u0633\u0627\u062a\u06be \u062c\u0691\u06cc \u06c1\u0648\u0626\u06cc \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl run curltest --rm -it --restart=Never --image=curlimages\/curl -- \\\n  curl -sk https:\/\/echo.pebble.local\/\n<\/code><\/pre>\n<p>\u0627\u06cc\u06a9\u0648 \u0633\u0631\u0648\u0631 \u06a9\u0648 JSON \u0628\u0644\u0627\u0628 \u0648\u0627\u067e\u0633 \u06a9\u0631\u0646\u0627 \u0686\u0627\u06c1\u0626\u06d2\u06d4 <code>\"x-forwarded-proto\":\"https\"<\/code> \u06cc\u06c1 \u0641\u06cc\u0644\u0688 \u062b\u0627\u0628\u062a \u06a9\u0631\u062a\u06cc 
\u06c1\u06d2 \u06a9\u06c1 \u062f\u0631\u062e\u0648\u0627\u0633\u062a TLS \u067e\u0631 nginx \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u06a9\u06cc \u06af\u0626\u06cc \u062a\u06be\u06cc\u06d4 \u06cc\u0627\u062f \u0631\u06a9\u06be\u06cc\u06ba \u06a9\u06c1 <code>-k<\/code> curl \u0645\u06cc\u06ba \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u0628\u0646\u062f \u06a9\u0631 \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0633 \u0644\u06cc\u06d2 \u06cc\u06c1 \u062c\u0627\u0646\u0686 \u0635\u0631\u0641 \u06cc\u06c1 \u062f\u06a9\u06be\u0627\u062a\u06cc \u06c1\u06d2 \u06a9\u06c1 \u06a9\u0646\u06a9\u0634\u0646 TLS \u067e\u0631 \u06c1\u0648\u0627\u060c \u06cc\u06c1 \u0646\u06c1\u06cc\u06ba \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0642\u0627\u0628\u0644 \u0627\u0639\u062a\u0645\u0627\u062f \u06c1\u06d2\u06d4<\/p>\n<p><strong>\u0627\u06af\u0631 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062a\u06cc\u0627\u0631 \u062d\u0627\u0644\u062a \u0645\u06cc\u06ba \u062f\u0627\u062e\u0644 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u062a\u0627 \u06c1\u06d2 \u062a\u0648 \u0645\u0633\u0626\u0644\u06c1 \u062d\u0644 \u06a9\u0631\u06cc\u06ba:<\/strong><\/p>\n<ul wp_automatic_readability=\"3.5\">\n<li wp_automatic_readability=\"-1\">\n<p><code>kubectl describe order -n default<\/code>    &#8211; \u0627\u06cc\u0648\u0646\u0679 \u0645\u06cc\u06ba &quot;DNS \u0627\u06cc\u0634\u0648\u0632&#8221; \u06cc\u0627 &quot;\u06a9\u0646\u06a9\u0634\u0646 \u0633\u06d2 \u0627\u0646\u06a9\u0627\u0631&#8221; \u062a\u0644\u0627\u0634 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"0\">\n<p><code>kubectl logs -n pebble deploy\/pebble --tail=50<\/code>    &#8211; \u067e\u06cc\u0628\u0644 \u0628\u0627\u0644\u06a9\u0644 \u0648\u06c1\u06cc \u06cc\u0648 \u0622\u0631 \u0627\u06cc\u0644 \u0644\u0627\u06af \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u0633\u06d2 \u0627\u0633 \u0646\u06d2 \u0628\u0627\u0632\u06cc\u0627\u0641\u062a \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u06a9\u0648\u0634\u0634 \u06a9\u06cc \u062a\u06be\u06cc \u0627\u0648\u0631 \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06d2 \u062f\u0648\u0631\u0627\u0646 \u06c1\u0648\u0646\u06d2 \u0648\u0627\u0644\u06cc \u06a9\u0648\u0626\u06cc \u063a\u0644\u0637\u06cc\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"-1\">\n<p>\u0627\u06af\u0631 \u06a9\u0648\u0626\u06cc \u0622\u0631\u0688\u0631 \u0627\u06cc\u0648\u0646\u0679 \u06a9\u06d2 \u0628\u063a\u06cc\u0631 \u0632\u06cc\u0631 \u0627\u0644\u062a\u0648\u0627 \u06c1\u06d2: \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0633\u06d2 \u0627\u0628\u06be\u06cc \u062a\u06a9 
\u0635\u0644\u062d \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u0626\u06cc \u06c1\u06d2\u06d4 \u0628\u0633 30 \u0633\u06cc\u06a9\u0646\u0688 \u0627\u0646\u062a\u0638\u0627\u0631 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li wp_automatic_readability=\"0\">\n<p>\u0627\u06af\u0631 \u0622\u067e \u06a9\u0627 \u0622\u0631\u0688\u0631 \u06c1\u06d2: <code>invalid<\/code>: \u062f\u0648 DNS \u062a\u06c1\u0648\u06ba \u0645\u06cc\u06ba \u0633\u06d2 \u0627\u06cc\u06a9 (\u0633\u0637\u062d 3) \u063a\u0644\u0637 \u0637\u0631\u06cc\u0642\u06d2 \u0633\u06d2 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc \u06af\u0626\u06cc \u06c1\u06d2\u06d4 \u062f\u0648\u0646\u0648\u06ba \u06a9\u0648 \u062f\u0648\u0628\u0627\u0631\u06c1 \u0686\u0644\u0627\u0626\u06cc\u06ba <code>nslookup<\/code> \u0686\u06cc\u06a9\u0631<\/p>\n<\/li>\n<li wp_automatic_readability=\"0\">\n<p>\u0627\u06af\u0631 Ingress \u06a9\u0627 apply \u062e\u0648\u062f x509 \u0648\u06cc\u0628 \u06c1\u06a9 \u06a9\u06cc \u062e\u0631\u0627\u0628\u06cc \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648 \u062c\u0627\u062a\u0627 \u06c1\u06d2: \u0645\u0631\u062d\u0644\u06c1 1 \u067e\u0631 \u0648\u0627\u067e\u0633 \u062c\u0627 \u06a9\u0631 <code>kubectl delete validatingwebhookconfiguration ingress-nginx-admission<\/code> \u062f\u0648\u0628\u0627\u0631\u06c1 \u0686\u0644\u0627\u0626\u06cc\u06ba\u06d4 \u06cc\u06c1 \u06a9\u0645\u0627\u0646\u0688 ingress-nginx \u06a9\u0627 admission \u0648\u06cc\u0628 \u06c1\u06a9 \u06c1\u0679\u0627 \u062f\u06cc\u062a\u06cc \u06c1\u06d2 \u062c\u0648 Ingress \u0622\u0628\u062c\u06cc\u06a9\u0679\u0633 \u06a9\u06cc \u062a\u0648\u062b\u06cc\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0633 \u0644\u06cc\u06d2 \u0627\u0633\u06d2 \u0635\u0631\u0641 \u0627\u0633 \u0645\u0642\u0627\u0645\u06cc \u0688\u06cc\u0645\u0648 \u06a9\u0644\u0633\u0679\u0631 \u067e\u0631 \u0686\u0644\u0627\u0626\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<\/ul>\n<h3 id=\"heading-step-8-switch-to-lets-encrypt-staging-real-public-domain\">\u0645\u0631\u062d\u0644\u06c1 8: \u0686\u0644\u0648 \u0627\u0646\u06a9\u0631\u067e\u0679 \u0633\u0679\u06cc\u062c\u0646\u06af \u067e\u0631 \u0633\u0648\u0626\u0686 \u06a9\u0631\u06cc\u06ba (\u0627\u0635\u0644 \u0639\u0648\u0627\u0645\u06cc \u0688\u0648\u0645\u06cc\u0646)<\/h3>\n<p>\u067e\u06cc\u0628\u0644 \u0646\u06d2 \u062b\u0627\u0628\u062a \u06a9\u06cc\u0627 \u06a9\u06c1 \u0628\u06c1\u0627\u0624 \u0645\u0642\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0627\u0628 \u0627\u067e\u0646\u06d2 
\u0639\u0648\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u0688\u0648\u0645\u06cc\u0646 \u067e\u0631 \u062c\u0627\u0626\u06cc\u06ba\u060c \u062c\u0648 \u0622\u067e \u06a9\u06d2 \u0639\u0648\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06cc \u0637\u0631\u0641 \u0627\u0634\u0627\u0631\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u062a\u06cc\u0646 \u0633\u0637\u062d\u06cc DNS \u0627\u0633\u06a9\u06cc\u0645 \u062e\u062a\u0645 \u06c1\u0648 \u06af\u0626\u06cc \u06c1\u06d2\u06d4 \u0686\u0648\u0646\u06a9\u06c1 \u0688\u0648\u0645\u06cc\u0646 \u0627\u06cc\u06a9 \u062d\u0642\u06cc\u0642\u06cc \u0688\u0648\u0645\u06cc\u0646 \u06c1\u06d2\u060c \u062f\u0648\u0646\u0648\u06ba \u062d\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0628\u063a\u06cc\u0631 \u06a9\u0633\u06cc \u0645\u062f\u0627\u062e\u0644\u062a \u06a9\u06d2 \u0688\u0648\u0645\u06cc\u0646 \u062a\u0644\u0627\u0634 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u067e\u06c1\u0644\u06d2 Let&#8217;s Encrypt \u06a9\u0627 <strong>staging<\/strong> \u0645\u0627\u062d\u0648\u0644 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0648\u06c1\u06cc ACME \u067e\u0631\u0648\u0679\u0648\u06a9\u0648\u0644 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u0648 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0644\u06cc\u06a9\u0646 \u0627\u0633 \u06a9\u06cc \u0634\u0631\u062d \u06a9\u06cc \u062d\u062f\u06cc\u06ba \u06a9\u06c1\u06cc\u06ba \u0632\u06cc\u0627\u062f\u06c1 \u0646\u0631\u0645 \u06c1\u06cc\u06ba\u060c \u0644\u06c1\u0630\u0627 \u062c\u0627\u0646\u0686 \u06a9\u06d2 \u062f\u0648\u0631\u0627\u0646 \u0646\u0627\u06a9\u0627\u0645 \u06a9\u0648\u0634\u0634\u06cc\u06ba \u0622\u067e \u06a9\u0648 \u0645\u0633\u062f\u0648\u062f 
\u0646\u06c1\u06cc\u06ba \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\"># clusterissuer-staging.yaml\napiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https:\/\/acme-staging-v02.api.letsencrypt.org\/directory\n    email: your-email@example.com\n    privateKeySecretRef:\n      name: letsencrypt-staging-account-key\n    solvers:\n      - http01:\n          ingress:\n            ingressClassName: nginx\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f clusterissuer-staging.yaml\n\n# Point the Ingress at staging and the real hostname, then force re-issuance\nkubectl annotate ingress echo \\\n  cert-manager.io\/cluster-issuer=letsencrypt-staging --overwrite -n default\nkubectl delete secret echo-tls -n default\n<\/code><\/pre>\n<p>\u0646\u0626\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06c1\u06cc\u06ba: <code>(STAGING) Let's Encrypt<\/code>.<\/p>\n<h3 id=\"heading-step-9-switch-to-lets-encrypt-production\">\u0645\u0631\u062d\u0644\u06c1 9: \u0622\u0626\u06cc\u06d2 \u0627\u0646\u06a9\u0631\u067e\u0679 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u0645\u06cc\u06ba \u0645\u0646\u062a\u0642\u0644\u06cc\u06d4<\/h3>\n<p>\u0627\u06cc\u06a9 \u0628\u0627\u0631 \u062c\u0628 \u0627\u0633\u0679\u06cc\u062c\u0646\u06af \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u060c \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u06a9\u0644\u0633\u0679\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062f\u06c1\u0631\u0627\u0626\u06cc\u06ba\u06d4 \u0641\u0631\u0642 \u0635\u0631\u0641 \u0627\u062a\u0646\u0627 \u06c1\u06d2 <code>server<\/code> URL:<\/p>\n<pre><code class=\"language-yaml\"># clusterissuer-prod.yaml\napiVersion: 
cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-prod\nspec:\n  acme:\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    email: your-email@example.com\n    privateKeySecretRef:\n      name: letsencrypt-prod-account-key\n    solvers:\n      - http01:\n          ingress:\n            ingressClassName: nginx\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f clusterissuer-prod.yaml\nkubectl annotate ingress echo \\\n  cert-manager.io\/cluster-issuer=letsencrypt-prod --overwrite -n default\nkubectl delete secret echo-tls -n default\n<\/code><\/pre>\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06af\u0645\u0634\u062f\u06c1 \u0631\u0627\u0632\u0648\u06ba \u06a9\u0627 \u067e\u062a\u06c1 \u0644\u06af\u0627\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0641\u0648\u0631\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0644\u06cc\u0679\u0633 \u0627\u0646\u06a9\u0631\u067e\u0679 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u0633\u06d2 \u0628\u0631\u0627\u0624\u0632\u0631 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06c1 \u0642\u0627\u0628\u0644 \u0627\u0639\u062a\u0645\u0627\u062f \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>cert-manager \u06af\u0645\u0634\u062f\u06c1 \u0631\u0627\u0632 \u06a9\u0627 \u067e\u062a\u06c1 \u0644\u06af\u0627\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0641\u0648\u0631\u06cc \u0637\u0648\u0631 \u067e\u0631 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 \u0646\u0626\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0648 \u0645\u062a\u062d\u0631\u06a9 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 
id=\"heading-how-to-get-a-wildcard-certificate-with-dns-01\">DNS-01 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0648\u0627\u0626\u0644\u0688 \u06a9\u0627\u0631\u0688 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc\u0633\u06d2 \u062d\u0627\u0635\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h2>\n<p>HTTP-01 \u0686\u06cc\u0644\u0646\u062c\u0632 \u0639\u0648\u0627\u0645\u06cc Ingress \u0648\u0627\u0644\u06d2 \u0648\u0627\u062d\u062f \u0688\u0648\u0645\u06cc\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u0648\u0632\u0648\u06ba \u06c1\u06cc\u06ba\u06d4 \u062a\u0627\u06c1\u0645\u060c \u062f\u0648 \u0635\u0648\u0631\u062a\u06cc\u06ba \u06c1\u06cc\u06ba \u062c\u06c1\u0627\u06ba \u0627\u0633 \u06a9\u06d2 \u0628\u062c\u0627\u0626\u06d2 DNS-01 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2: \u062c\u0628 \u0622\u067e \u06a9\u0627 \u06a9\u0644\u0633\u0679\u0631 \u0639\u0648\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2 (\u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u06a9\u0644\u0633\u0679\u0631\u060c \u0627\u06cc\u0626\u0631 \u06af\u06cc\u067e\u0688 \u0645\u0627\u062d\u0648\u0644\u060c VPN \u06a9\u06d2 \u067e\u06cc\u0686\u06be\u06d2 \u0633\u0679\u06cc\u062c\u0646\u06af \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1)\u060c \u06cc\u0627 \u062c\u0628 \u0622\u067e \u06a9\u0648 \u0627\u06cc\u06a9 \u0648\u0627\u0626\u0644\u0688 \u06a9\u0627\u0631\u0688 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2 \u062c\u0648 \u0622\u067e \u06a9\u06d2 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u06d2 \u062a\u0645\u0627\u0645 \u0630\u06cc\u0644\u06cc \u0688\u0648\u0645\u06cc\u0646\u0632 \u06a9\u0627 \u0627\u062d\u0627\u0637\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u0648\u06d4<\/p>\n<p>DNS-01 \u06a9\u0648 
cert-manager \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u060c \u062c\u0633\u06d2 \u0622\u067e \u06a9\u06d2 DNS \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u0645\u06cc\u06ba TXT \u0631\u06cc\u06a9\u0627\u0631\u0688 \u0628\u0646\u0627\u0646\u06d2 \u0627\u0648\u0631 \u062d\u0630\u0641 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u06c1\u0648\u06d4 \u06cc\u06c1 \u0627\u062c\u0627\u0632\u062a \u0635\u0631\u0641 \u0645\u062a\u0639\u0644\u0642\u06c1 DNS \u0632\u0648\u0646 \u062a\u06a9 \u0645\u062d\u062f\u0648\u062f \u0631\u06a9\u06be\u06cc\u06ba\u060c \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u062c\u0648 \u0628\u06be\u06cc \u06cc\u06c1 \u0631\u06cc\u06a9\u0627\u0631\u0688 \u0644\u06a9\u06be \u0633\u06a9\u062a\u0627 \u06c1\u06d2 \u0648\u06c1 \u0627\u0633 \u0632\u0648\u0646 \u06a9\u06d2 \u06a9\u0633\u06cc \u0628\u06be\u06cc \u0646\u0627\u0645 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062d\u0627\u0635\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4 cert-manager \u06a9\u06d2 \u067e\u0627\u0633 Route53\u060c Cloud DNS\u060c Cloudflare\u060c Azure DNS\u060c \u0627\u0648\u0631 \u0628\u06c1\u062a \u0633\u06d2 \u062f\u0648\u0633\u0631\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0628\u0644\u0679 \u0627\u0646 \u0633\u067e\u0648\u0631\u0679 \u06c1\u06d2\u06d4<\/p>\n<p>\u06cc\u06c1\u0627\u06ba <code>ClusterIssuer<\/code> AWS Route53 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 DNS-01 \u06a9\u06d2 \u0644\u06cc\u06d2:<\/p>\n<pre><code class=\"language-yaml\"># clusterissuer-dns01.yaml\napiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-dns01\nspec:\n  acme:\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    email: your-email@example.com\n    privateKeySecretRef:\n      name: letsencrypt-dns01-account-key\n    solvers:\n      - dns01:\n          route53:\n            region: us-east-1\n            # Use IRSA (IAM Roles for Service Accounts) in production\n            # rather than static credentials\n            hostedZoneID: YOUR_HOSTED_ZONE_ID\n<\/code><\/pre>\n<p>\u0648\u0627\u0626\u0644\u0688 \u06a9\u0627\u0631\u0688 <code>Certificate<\/code> \u0627\u0633 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2:<\/p>\n<pre><code class=\"language-yaml\"># wildcard-cert.yaml\napiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: wildcard-example-com\n  namespace: 
default\nspec:\n  secretName: wildcard-example-com-tls\n  issuerRef:\n    name: letsencrypt-dns01\n    kind: ClusterIssuer\n  commonName: \"*.example.com\"\n  dnsNames:\n    - \"*.example.com\"\n    - \"example.com\"        # Also cover the apex domain\n  duration: 2160h           # 90 days\n  renewBefore: 720h         # Renew 30 days before expiry\n<\/code><\/pre>\n<p>\u0646\u062a\u06cc\u062c\u06c1 \u0631\u0627\u0632 <code>wildcard-example-com-tls<\/code> \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc \u062f\u0627\u062e\u0644\u06c1 \u0627\u0633 \u06a9\u0627 \u062d\u0648\u0627\u0644\u06c1 \u062f\u06d2 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4 <code>default<\/code> \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u06d4 \u062a\u0645\u0627\u0645 \u0630\u06cc\u0644\u06cc \u0688\u0648\u0645\u06cc\u0646\u0632 &#8211; <code>api.example.com<\/code>\u060c <code>dashboard.example.com<\/code>\u060c <code>staging.example.com<\/code> &#8211; \u0627\u06cc\u06a9 \u0648\u0627\u062d\u062f\u060c \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u06af\u06be\u0648\u0645\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0645\u062d\u0641\u0648\u0638\u06d4<\/p>\n<p>Route53 \u06a9\u06d2 \u0628\u062c\u0627\u0626\u06d2 Cloudflare \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0633\u0648\u0644\u0648\u0631 \u0633\u06cc\u06a9\u0634\u0646 \u0627\u0633 \u0637\u0631\u062d \u0644\u06af\u062a\u0627 \u06c1\u06d2:<\/p>\n<pre><code class=\"language-yaml\">    solvers:\n      - dns01:\n          cloudflare:\n            email: your-email@example.com\n            apiTokenSecretRef:\n              name: cloudflare-api-token\n              key: api-token\n<\/code><\/pre>\n<h2 id=\"heading-demo-2-set-up-an-internal-ca-for-service-to-service-tls\">\u0688\u06cc\u0645\u0648 2 &#8211; \u0633\u0631\u0648\u0633 \u0679\u0648 \u0633\u0631\u0648\u0633 TLS \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 
\u0627\u0646\u062f\u0631\u0648\u0646\u06cc CA \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u0646\u0627<\/h2>\n<p>\u0622\u0626\u06cc\u06d2 \u0627\u0646\u06a9\u0631\u067e\u0679 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0639\u0648\u0627\u0645\u06cc \u062e\u062f\u0645\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u0648\u0632\u0648\u06ba \u06c1\u06cc\u06ba\u06d4 \u062a\u0627\u06c1\u0645\u060c \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 (gRPC \u0645\u0627\u0626\u06cc\u06a9\u0631\u0648 \u0633\u0631\u0648\u0633\u0632 \u062c\u0648 \u062f\u0648\u0633\u0631\u06cc \u0633\u0631\u0648\u0633\u0632 \u06a9\u0648 \u06a9\u0627\u0644 \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba\u060c \u0648\u06cc\u0628 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646\u0632 \u062c\u0648 \u0688\u06cc\u0679\u0627 \u0628\u06cc\u0633 \u0633\u06d2 \u0628\u0627\u062a \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba)\u060c \u0639\u0648\u0627\u0645\u06cc \u0627\u0639\u062a\u0645\u0627\u062f \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u0622\u067e \u06a9\u0648 \u0627\u06cc\u06a9 CA \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2 \u062c\u0633 \u067e\u0631 \u0622\u067e \u06a9\u0627 \u06a9\u0644\u0633\u0679\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0648\u0631 \u0622\u067e \u06a9\u0648 \u062e\u062f\u0645\u062a \u06a9\u06d2 \u0646\u0627\u0645\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 CA \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2 \u062c\u0648 \u0639\u0648\u0627\u0645\u06cc DNS \u0631\u06cc\u06a9\u0627\u0631\u0688\u0632 \u0645\u06cc\u06ba \u0645\u0648\u062c\u0648\u062f \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 
\u0645\u06cc\u06ba CA \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0627\u0633\u06d2 \u0633\u0646\u0628\u06be\u0627\u0644\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u0631\u0648\u0679 CA \u0628\u0646\u0627\u0626\u06cc\u06ba\u060c \u0627\u0633\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 \u0645\u0637\u0644\u0639 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0627\u0633 CA \u06a9\u0648 \u062f\u0627\u062e\u0644\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4 \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc \u0633\u0631\u0648\u0633 \u062c\u0648 \u0631\u0648\u0679 CA \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u062a\u06cc \u06c1\u06d2 \u0627\u0633 \u06a9\u06d2 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 \u06a9\u0633\u06cc \u0628\u06be\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u06d2 \u06af\u06cc\u06d4<\/p>\n<h3 id=\"heading-step-1-create-a-self-signed-clusterissuer\">\u0645\u0631\u062d\u0644\u06c1 1: \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u06a9\u0644\u0633\u0679\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0628\u0646\u0627\u0626\u06cc\u06ba<\/h3>\n<p>\u0627\u06cc\u06a9 \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u0627\u06cc\u06a9 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0628\u0646\u0627\u062a\u0627 \u06c1\u06d2 \u062c\u0633 \u067e\u0631 \u062e\u0648\u062f \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06d2 \u062f\u0633\u062a\u062e\u0637 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0627\u0633 \u06a9\u0627 
\u0627\u067e\u0646\u0627 CA \u06c1\u06d2\u06d4 \u06c1\u0645 \u0627\u0633\u06d2 \u0631\u0648\u0679 CA \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0628\u0646\u0627\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0628\u0648\u0679\u0633\u0679\u0631\u06cc\u067e \u0642\u062f\u0645 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\"># selfsigned-issuer.yaml\napiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: selfsigned\nspec:\n  selfSigned: {}\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f selfsigned-issuer.yaml\n<\/code><\/pre>\n<h3 id=\"heading-step-2-create-the-root-ca-certificate\">\u0645\u0631\u062d\u0644\u06c1 2: \u0631\u0648\u0679 CA \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0628\u0646\u0627\u0626\u06cc\u06ba<\/h3>\n<p>\u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 CA \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0628\u0646\u0627\u0626\u06cc\u06ba\u06d4 \u06a9\u06c1 <code>isCA: true<\/code> \u0641\u06cc\u0644\u0688 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 \u0628\u062a\u0627\u062a\u06cc \u06c1\u06d2 \u06a9\u06c1 \u06cc\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062f\u0648\u0633\u0631\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u067e\u0631 \u062f\u0633\u062a\u062e\u0637 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-yaml\"># internal-ca.yaml\napiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: internal-ca\n  namespace: cert-manager    # Store in cert-manager namespace\nspec:\n  isCA: true\n  commonName: internal-ca\n  secretName: 
internal-ca-secret\n  duration: 87600h           # 10 years \u2014 this is a root CA\n  renewBefore: 720h\n  privateKey:\n    algorithm: ECDSA\n    size: 256\n  issuerRef:\n    name: selfsigned\n    kind: ClusterIssuer\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f internal-ca.yaml\nkubectl get certificate internal-ca -n cert-manager\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME          READY   SECRET               AGE\ninternal-ca   True    internal-ca-secret   8s\n<\/code><\/pre>\n<h3 id=\"heading-step-3-create-a-ca-clusterissuer-backed-by-the-root-ca\">\u0645\u0631\u062d\u0644\u06c1 3: \u0627\u06cc\u06a9 CA ClusterIssuer \u0628\u0646\u0627\u0626\u06cc\u06ba \u062c\u0633\u06d2 \u0631\u0648\u0679 CA \u06a9\u06cc \u062d\u0645\u0627\u06cc\u062a \u062d\u0627\u0635\u0644 \u06c1\u0648\u06d4<\/h3>\n<p>\u0627\u0628 <code>ClusterIssuer<\/code> \u0631\u0648\u0679 CA \u0631\u0627\u0632 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba \u062c\u0648 \u0622\u067e \u0646\u06d2 \u0627\u0628\u06be\u06cc \u0628\u0646\u0627\u06cc\u0627 \u06c1\u06d2\u06d4 \u062f\u0627\u062e\u0644\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u067e\u0631 \u062f\u0633\u062a\u062e\u0637 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06af\u0627\u0646 \u0645\u06cc\u06ba \u0634\u0627\u0645\u0644 \u06c1\u06cc\u06ba:<\/p>\n<pre><code class=\"language-yaml\"># internal-ca-issuer.yaml\napiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: internal-ca\nspec:\n  ca:\n    secretName: internal-ca-secret   # References the Secret in cert-manager namespace\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f internal-ca-issuer.yaml\nkubectl get clusterissuer internal-ca\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME          READY   AGE\ninternal-ca   True    
5s\n<\/code><\/pre>\n<h3 id=\"heading-step-4-issue-a-certificate-for-an-internal-service\">\u0645\u0631\u062d\u0644\u06c1 4: \u062f\u0627\u062e\u0644\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>\u0627\u0628 \u06c1\u0645 \u0627\u067e\u0646\u06cc \u062f\u0627\u062e\u0644\u06cc \u062c\u06cc \u0622\u0631 \u067e\u06cc \u0633\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u0631\u06cc\u06ba \u06af\u06d2\u06d4 \u06a9\u06c1 <code>dnsNames<\/code> Kubernetes \u0627\u0646\u062f\u0631\u0648\u0646\u06cc DNS \u0646\u0627\u0645 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba &#8211; <code><service>.<namespace>.svc.cluster.local<\/namespace><\/service><\/code>:<\/p>\n<pre><code class=\"language-yaml\"># payments-cert.yaml\napiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: payments-tls\n  namespace: production\nspec:\n  secretName: payments-tls-secret\n  issuerRef:\n    name: internal-ca\n    kind: ClusterIssuer\n  commonName: payments.production.svc.cluster.local\n  dnsNames:\n    - payments.production.svc.cluster.local\n    - payments.production.svc\n    - payments\n  duration: 2160h     # 90 days\n  renewBefore: 360h   # Renew 15 days before expiry\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl create namespace production\nkubectl apply -f payments-cert.yaml\nkubectl get certificate payments-tls -n production\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">NAME           READY   SECRET                AGE\npayments-tls   True    payments-tls-secret   6s\n<\/code><\/pre>\n<p>\u062e\u0641\u06cc\u06c1 <code>payments-tls-secret<\/code> \u0627\u0628 \u0634\u0627\u0645\u0644 \u06c1\u06d2\u06d4 <code>tls.crt<\/code>\u060c <code>tls.key<\/code>\u0627\u0648\u0631 <code>ca.crt<\/code>. 
\u0627\u0633\u06d2 \u0627\u067e\u0646\u06d2 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646 \u067e\u0648\u0688 \u067e\u0631 \u0644\u06af\u0627\u0626\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\"># In your Deployment spec\nvolumes:\n  - name: tls\n    secret:\n      secretName: payments-tls-secret\ncontainers:\n  - name: payments\n    volumeMounts:\n      - name: tls\n        mountPath: \/etc\/tls\n        readOnly: true\n<\/code><\/pre>\n<p>\u0622\u067e \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u0627\u0633 \u0637\u0631\u062d \u0646\u0638\u0631 \u0622\u062a\u06cc \u06c1\u06d2: <code>\/etc\/tls\/tls.crt<\/code> \u0627\u0648\u0631 <code>\/etc\/tls\/tls.key<\/code> TLS \u06a9\u0648 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba\u06d4 \u062f\u0648\u0633\u0631\u06cc \u062e\u062f\u0645\u0627\u062a \u067e\u0691\u06be\u06cc\u06ba \u062c\u0646 \u067e\u0631 \u0622\u067e \u06a9\u0648 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4 <code>\/etc\/tls\/ca.crt<\/code>.<\/p>\n<h3 id=\"heading-step-5-distribute-the-ca-bundle-with-trust-manager\">\u0645\u0631\u062d\u0644\u06c1 5: \u0679\u0631\u0633\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 CA \u0628\u0646\u0688\u0644 \u06a9\u0648 \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>\u06a9\u0633\u0679\u0645 CA \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0645\u0633\u0626\u0644\u06c1 \u06cc\u06c1 \u06c1\u06d2 \u06a9\u06c1 \u06c1\u0631 \u0633\u0631\u0648\u0633 \u06a9\u0648 \u0627\u0633 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u062c\u0627\u0646\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4 Trust-manager\u060c cert-manager \u06a9\u0627 \u0627\u06cc\u06a9 \u0633\u0627\u062a\u06be\u06cc \u0679\u0648\u0644\u060c CA \u0628\u0646\u0688\u0644 \u06a9\u0648 
\u0627\u0633 \u0637\u0631\u062d \u062a\u0642\u0633\u06cc\u0645 \u06a9\u0631 \u06a9\u06d2 \u0627\u0633 \u06a9\u0648 \u0633\u0646\u0628\u06be\u0627\u0644\u062a\u0627 \u06c1\u06d2: <code>ConfigMap<\/code> \u062a\u0645\u0627\u0645 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u0648\u06ba \u0645\u06cc\u06ba:<\/p>\n<pre><code class=\"language-bash\">helm upgrade trust-manager oci:\/\/quay.io\/jetstack\/charts\/trust-manager \\\n  --install \\\n  --namespace cert-manager \\\n  --wait\n<\/code><\/pre>\n<p>\u0628\u0646\u0627\u0646\u0627 <code>Bundle<\/code> CA \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062d\u0627\u0635\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0648\u0633\u0627\u0626\u0644 <code>internal-ca-secret<\/code> \u067e\u0648\u0631\u06d2 \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\"># ca-bundle.yaml\napiVersion: trust.cert-manager.io\/v1alpha1\nkind: Bundle\nmetadata:\n  name: internal-ca-bundle\nspec:\n  sources:\n    - secret:\n        name: internal-ca-secret\n        key: ca.crt\n  target:\n    configMap:\n      key: ca-bundle.crt\n    namespaceSelector:\n      matchLabels:\n        # Distribute to all namespaces with this label\n        kubernetes.io\/metadata.name: production\n<\/code><\/pre>\n<pre><code class=\"language-bash\">kubectl apply -f ca-bundle.yaml\n<\/code><\/pre>\n<p>\u0686\u0646\u062f \u0633\u06cc\u06a9\u0646\u0688 \u06a9\u06d2 \u0628\u0639\u062f\u060c \u0622\u067e \u06a9\u06d2 \u067e\u0627\u0633 \u062a\u0645\u0627\u0645 \u0645\u0645\u0627\u062b\u0644 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 ConfigMap \u06a9\u0627 \u0646\u0627\u0645 \u06c1\u0648\u06af\u0627\u06d4 <code>internal-ca-bundle<\/code> CA \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0634\u0627\u0645\u0644 \u06c1\u06d2\u06d4 \u0627\u06cc\u067e\u0644\u06cc 
\u06a9\u06cc\u0634\u0646\u0632 \u0627\u0633 ConfigMap \u06a9\u0648 \u0628\u063a\u06cc\u0631 \u06a9\u0633\u06cc \u0633\u0631\u0648\u0633 \u06a9\u06d2 \u0645\u062e\u0635\u0648\u0635 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u06d2 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u0637\u0648\u0631 \u067e\u0631 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u0627\u0624\u0646\u0679 \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba\u06d4<\/p>\n<h3 id=\"heading-step-6-verify-the-certificate-chain\">\u0645\u0631\u062d\u0644\u06c1 6: \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0686\u06cc\u0646 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<pre><code class=\"language-bash\"># Extract the CA cert and service cert\nkubectl get secret payments-tls-secret -n production \\\n  -o jsonpath=\"{.data.ca\\.crt}\" | base64 -d > ca.crt\n\nkubectl get secret payments-tls-secret -n production \\\n  -o jsonpath=\"{.data.tls\\.crt}\" | base64 -d > payments.crt\n\n# Verify the cert was signed by the CA\nopenssl verify -CAfile ca.crt payments.crt\n<\/code><\/pre>\n<pre><code class=\"language-plaintext\">payments.crt: OK\n<\/code><\/pre>\n<h2 id=\"heading-how-certificate-rotation-works\">\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u06af\u0631\u062f\u0634 \u06a9\u06cc\u0633\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4<\/h2>\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u06af\u0631\u062f\u0634 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u062c\u0645\u0646\u0679 \u06a9\u0627 \u0648\u06c1 \u062d\u0635\u06c1 \u06c1\u06d2 \u062c\u0648 \u0627\u06a9\u062b\u0631 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u06a9\u0644\u0633\u0679\u0631\u0632 \u06a9\u06d2 \u0646\u0627\u06a9\u0627\u0645 
\u06c1\u0648\u0646\u06d2 \u06a9\u0627 \u0633\u0628\u0628 \u0628\u0646\u062a\u0627 \u06c1\u06d2\u06d4 cert-manager \u0627\u0633\u06d2 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u06c1\u06cc\u0646\u0688\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0644\u06cc\u06a9\u0646 \u0637\u0631\u06cc\u0642\u06c1 \u06a9\u0627\u0631 \u06a9\u0648 \u0633\u0645\u062c\u06be\u0646\u06d2 \u0633\u06d2 \u0622\u067e \u06a9\u0648 \u0645\u0633\u0627\u0626\u0644 \u067e\u06cc\u062f\u0627 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc \u0679\u06cc\u0648\u0646 \u0627\u0648\u0631 \u0688\u06cc\u0628\u06af \u06a9\u0631\u0646\u06d2 \u0645\u06cc\u06ba \u0645\u062f\u062f \u0645\u0644\u06d2 \u06af\u06cc\u06d4<\/p>\n<p>cert-manager \u0631\u0648\u0632\u0627\u0646\u06c1 \u0645\u0627\u0646\u06cc\u0679\u0631 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 <code>Certificate<\/code> \u0631\u0627\u0632\u0648\u06ba \u06a9\u06cc \u0688\u06cc\u0641\u0627\u0644\u0679 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u06a9\u06d2 \u0627\u0646\u062a\u0638\u0627\u0645 \u0627\u0648\u0631 \u062c\u0627\u0646\u0686 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u0648\u0633\u06cc\u0644\u06c1\u06d4 \u0627\u06af\u0631 \u0628\u0627\u0642\u06cc \u0645\u0627\u0646\u062f\u06c1 \u0645\u062f\u062a \u062f\u0631\u0633\u062a\u06af\u06cc \u06a9\u06cc \u0645\u062f\u062a \u0633\u06d2 \u06a9\u0645 \u06c1\u06d2\u060c <code>renewBefore<\/code> \u062c\u0628 \u062d\u062f \u062a\u06a9 \u067e\u06c1\u0646\u0686 \u062c\u0627\u062a\u06cc \u06c1\u06d2\u060c \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0627\u06cc\u06a9 \u062a\u062c\u062f\u06cc\u062f \u06a9\u0648 \u0645\u062a\u062d\u0631\u06a9 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u067e\u06c1\u0644\u06d2 \u0633\u06d2 \u0637\u06d2 \u0634\u062f\u06c1 <code>renewBefore<\/code> \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u06a9\u0644 \u0645\u06cc\u0639\u0627\u062f 
\u06a9\u06cc \u0645\u062f\u062a \u06a9\u0627 1\/3 \u06c1\u06d2\u06d4 \u0644\u06c1\u0630\u0627\u060c 90 \u062f\u0646 \u06a9\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062a\u062c\u062f\u06cc\u062f 60 \u062f\u0646 \u0633\u06d2 \u0634\u0631\u0648\u0639 \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<p>\u062c\u0628 \u0622\u067e \u062a\u062c\u062f\u06cc\u062f \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u062a\u0648 \u06a9\u0686\u06be \u0646\u06cc\u0627 \u067e\u06cc\u062f\u0627 \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4 <code>CertificateRequest<\/code>\u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u067e\u0648\u0631\u06d2 \u0628\u06c1\u0627\u0624 \u0633\u06d2 \u06af\u0632\u0631\u06cc\u06ba \u0627\u0648\u0631 \u0627\u067e\u0646\u06d2 \u0645\u0648\u062c\u0648\u062f\u06c1 \u0645\u0642\u0627\u0645 \u0633\u06d2 \u0631\u0627\u0632 \u06a9\u0648 \u0627\u067e \u0688\u06cc\u0679 \u06a9\u0631\u06cc\u06ba\u06d4 \u0646\u06cc\u0627 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0648\u06c1\u0631\u06cc \u0637\u0648\u0631 \u067e\u0631 \u067e\u0631\u0627\u0646\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062c\u06af\u06c1 \u0644\u06d2 \u0644\u06cc\u062a\u0627 \u06c1\u06d2\u06d4 \u0648\u06c1 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646\u0632 \u062c\u0648 \u0641\u0627\u0626\u0644 \u0645\u0627\u0624\u0646\u0679\u0633 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba \u0627\u0648\u0631 \u062a\u0628\u062f\u06cc\u0644\u06cc\u0648\u06ba \u067e\u0631 \u0646\u0638\u0631 \u0631\u06a9\u06be\u062a\u06cc \u06c1\u06cc\u06ba (\u062c\u0648 \u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u062c\u062f\u06cc\u062f \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631\u0632 \u0627\u0648\u0631 \u062c\u06cc \u0622\u0631 \u067e\u06cc \u0633\u06cc \u0641\u0631\u06cc\u0645 \u0648\u0631\u06a9 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba) \u062f\u0648\u0628\u0627\u0631\u06c1 
\u0634\u0631\u0648\u0639 \u06a9\u06cc\u06d2 \u0628\u063a\u06cc\u0631 \u0646\u06cc\u0627 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0627\u0679\u06be\u0627 \u0644\u06cc\u06ba \u06af\u06cc\u06d4<\/p>\n<pre><code class=\"language-bash\"># See the current rotation status\nkubectl describe certificate echo-tls -n default\n<\/code><\/pre>\n<p>\u0622\u0624\u0679 \u067e\u0679 \u0645\u06cc\u06ba \u062f\u0631\u062c \u0630\u06cc\u0644 \u0641\u06cc\u0644\u0688\u0632 \u062a\u0644\u0627\u0634 \u06a9\u0631\u06cc\u06ba:<\/p>\n<pre><code class=\"language-plaintext\">Status:\n  Not After:   2024-06-18T10:00:00Z\n  Not Before:  2024-03-20T10:00:00Z\n  Renewal Time: 2024-05-18T10:00:00Z   # When cert-manager will start renewing\n  Conditions:\n    Type:    Ready\n    Status:  True\n    Message: Certificate is up to date and has not expired\n<\/code><\/pre>\n<p>\u0627\u06af\u0631 \u062a\u062c\u062f\u06cc\u062f \u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648 \u062c\u0627\u062a\u06cc \u06c1\u06d2\u060c \u0645\u062b\u0627\u0644 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u06a9\u06cc\u0648\u0646\u06a9\u06c1 HTTP-01 \u0686\u06cc\u0644\u0646\u062c \u0645\u06a9\u0645\u0644 \u0646\u06c1\u06cc\u06ba \u06c1\u0648 \u0633\u06a9\u062a\u0627\u060c \u062a\u0648 \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0627\u06cc\u06a9\u0633\u067e\u0648\u0646\u06cc\u0634\u0646\u0644 \u0628\u06cc\u06a9 \u0622\u0641 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062f\u0648\u0628\u0627\u0631\u06c1 \u06a9\u0648\u0634\u0634 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u0645\u0648\u062c\u0648\u062f\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u0627\u0633 \u0648\u0642\u062a \u062a\u06a9 \u067e\u06cc\u0634 \u06a9\u06cc\u06d2 \u062c\u0627\u062a\u06d2 \u0631\u06c1\u06cc\u06ba \u06af\u06d2 \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u0627\u0646 \u06a9\u06cc \u0627\u0635\u0644 \u0645\u06cc\u0639\u0627\u062f 
\u062e\u062a\u0645 \u0646\u06c1 \u06c1\u0648 \u062c\u0627\u0626\u06d2\u060c \u0645\u0633\u0626\u0644\u06c1 \u06a9\u0648 \u0688\u06cc\u0628\u06af \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u0648\u0646\u0688\u0648 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u062a\u062c\u062f\u06cc\u062f \u06a9\u06d2 \u0648\u0627\u0642\u0639\u0627\u062a \u06a9\u0648 \u062d\u0642\u06cc\u0642\u06cc \u0648\u0642\u062a \u0645\u06cc\u06ba \u062f\u06cc\u06a9\u06be\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0627\u0646 \u0645\u0631\u0627\u062d\u0644 \u067e\u0631 \u0639\u0645\u0644 \u06a9\u0631\u06cc\u06ba:<\/p>\n<pre><code class=\"language-bash\">kubectl get events -n default --field-selector reason=Issued\nkubectl get events -n default --field-selector reason=Failed\n<\/code><\/pre>\n<p><strong><code>renewBefore<\/code> \u06a9\u0648 \u0635\u062d\u06cc\u062d \u0637\u0631\u06cc\u0642\u06d2 \u0633\u06d2 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba:<\/strong> \u0639\u0648\u0627\u0645\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2\u060c 90 \u062f\u0646 \u06a9\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u067e\u0631 \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u0633\u06d2 30 \u062f\u0646 \u067e\u06c1\u0644\u06d2 \u0627\u06cc\u06a9 \u0645\u0639\u0642\u0648\u0644 \u0628\u0641\u0631 \u06c1\u06d2\u06d4 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u0642\u0644\u06cc\u0644 \u0645\u062f\u062a\u06cc \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 (24 \u06af\u06be\u0646\u0679\u06d2 \u062f\u0631\u0633\u062a)\u060c \u062f\u0631\u062c \u0630\u06cc\u0644 \u06a9\u0648 \u0633\u06cc\u0679 \u06a9\u0631\u06cc\u06ba: <code>renewBefore<\/code> \u0632\u06cc\u0627\u062f\u06c1 \u0633\u06d2 \u0632\u06cc\u0627\u062f\u06c1 8 \u06af\u06be\u0646\u0679\u06d2 \u06c1\u06cc\u06ba\u060c \u0627\u0633 \u0644\u06cc\u06d2 \u0627\u06af\u0631 \u067e\u06c1\u0644\u06cc \u06a9\u0648\u0634\u0634 
\u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648 \u062c\u0627\u0626\u06d2 \u062a\u0648 \u0628\u06be\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06c1\u06cc \u0645\u062a\u0628\u0627\u062f\u0644 \u06c1\u0648 \u062c\u0627\u0626\u06d2 \u06af\u0627\u06d4 <code>renewBefore<\/code> \u06a9\u0648 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062f\u0631\u0633\u062a\u06af\u06cc \u06a9\u06cc \u0645\u062f\u062a \u06a9\u06d2 \u0622\u062f\u06be\u06d2 \u0633\u06d2 \u0632\u06cc\u0627\u062f\u06c1 \u067e\u0631 \u0633\u06cc\u0679 \u0646\u06c1 \u06a9\u0631\u06cc\u06ba \u2014 \u0648\u0631\u0646\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0641\u0648\u0631\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0627\u0633 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u062a\u062c\u062f\u06cc\u062f \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u06a9\u0648\u0634\u0634 \u06a9\u0631\u06d2 \u06af\u0627 \u062c\u0633\u06d2 \u0627\u0633 \u0646\u06d2 \u0627\u0628\u06be\u06cc \u062c\u0627\u0631\u06cc \u06a9\u06cc\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-cleanup\">\u0635\u0641\u0627\u0626\u06cc<\/h2>\n<pre><code class=\"language-bash\"># Remove demo resources\nkubectl delete ingress echo -n default\nkubectl delete service echo -n default\nkubectl delete deployment echo -n default\nkubectl delete secret echo-tls -n default\nkubectl delete certificate payments-tls -n production\nkubectl delete namespace production\n\n# Uninstall cert-manager and trust-manager\nhelm uninstall trust-manager -n cert-manager\nhelm uninstall cert-manager -n cert-manager\nkubectl delete namespace cert-manager\n\n# Remove ClusterIssuers\nkubectl delete clusterissuer letsencrypt-staging letsencrypt-prod \\\n  internal-ca selfsigned 2>\/dev\/null\n<\/code><\/pre>\n<h2 id=\"heading-conclusion\">\u0646\u062a\u06cc\u062c\u06c1<\/h2>\n<p>Kubernetes TLS \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u0648 \u0645\u06a9\u0645\u0644 
\u0637\u0648\u0631 \u067e\u0631 \u0622\u067e \u067e\u0631 \u0686\u06be\u0648\u0691 \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba \u0622\u067e \u0646\u06d2 \u0627\u0633 \u0630\u0645\u06c1 \u062f\u0627\u0631\u06cc \u06a9\u06d2 \u0639\u0648\u0627\u0645\u06cc \u0627\u0648\u0631 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u062f\u0648\u0646\u0648\u06ba \u067e\u06c1\u0644\u0648\u0624\u06ba \u067e\u0631 \u062a\u0648\u062c\u06c1 \u062f\u06cc \u06c1\u06d2\u06d4<\/p>\n<p>\u0639\u0648\u0627\u0645\u06cc \u0633\u0637\u062d \u067e\u0631\u060c \u0645\u06cc\u06ba \u0641\u06cc \u0627\u0644\u062d\u0627\u0644 OCI \u06c1\u06cc\u0644\u0645 \u0686\u0627\u0631\u0679 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u0633\u0631\u0679\u06cc\u0641\u06cc\u06a9 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 \u0627\u0646\u0633\u0679\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0631\u062a\u0627 \u06c1\u0648\u06ba\u06d4 <code>ClusterIssuer<\/code> Let&#8217;s Encrypt \u06a9\u06d2 \u062a\u0639\u0627\u0648\u0646 \u0633\u06d2\u060c \u06c1\u0645 \u0646\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0648 ACME HTTP-01 \u0686\u06cc\u0644\u0646\u062c \u0641\u0644\u0648 \u0633\u06d2 \u06af\u0632\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062f\u06cc\u06a9\u06be\u0627\u060c \u0627\u06cc\u06a9 \u0639\u0627\u0631\u0636\u06cc \u0633\u0648\u0644\u0648\u0631 \u067e\u0648\u0688 \u0628\u0646\u0627\u0646\u06d2 \u0633\u06d2 \u0644\u06d2 \u06a9\u0631 \u0627\u06cc\u06a9 \u062f\u0631\u0633\u062a \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u0648 \u06a9\u0648\u0628\u0631\u0646\u06cc\u0679\u0633 \u0633\u06cc\u06a9\u0631\u06cc\u0679 \u0645\u06cc\u06ba \u0627\u0633\u0679\u0648\u0631 \u06a9\u0631\u0646\u06d2 \u062a\u06a9\u06d4 \u06c1\u0645 \u0646\u06d2 \u062f\u06cc\u06a9\u06be\u0627 \u06c1\u06d2 \u06a9\u06c1 \u06a9\u0633 \u0637\u0631\u062d 
\u0633\u0679\u06cc\u062c\u0646\u06af \u0633\u06d2 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u0645\u06cc\u06ba \u062a\u0628\u062f\u06cc\u0644 \u06c1\u0648\u0646\u0627 \u0627\u06cc\u06a9 \u0633\u0637\u0631\u06cc \u062a\u0628\u0635\u0631\u06d2 \u06a9\u06cc \u062a\u0628\u062f\u06cc\u0644\u06cc \u06c1\u06d2\u060c \u0627\u0648\u0631 \u06a9\u0633 \u0637\u0631\u062d \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u062a\u062c\u062f\u06cc\u062f \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0646\u062f\u0631\u0648\u0646\u06cc \u0637\u0631\u0641\u060c \u0622\u067e \u0633\u0631\u0679\u06cc\u0641 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u06d2 \u062e\u0648\u062f \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 \u0646\u062c\u06cc CA \u0628\u0648\u0679\u0633\u0679\u0631\u06cc\u067e \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u0627\u0648\u0631 <code>ClusterIssuer<\/code> \u0627\u0633 CA \u06a9\u06d2 \u062a\u0639\u0627\u0648\u0646 \u0633\u06d2\u060c \u06c1\u0645 \u0646\u06d2 \u062f\u0627\u062e\u0644\u06cc \u062e\u062f\u0645\u062a \u06a9\u06d2 \u0646\u0627\u0645\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u062c\u0627\u0631\u06cc \u06a9\u06cc\u06d2 \u062c\u0648 \u0635\u0631\u0641 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0645\u0648\u062c\u0648\u062f \u06c1\u06cc\u06ba\u06d4 CA \u0628\u0646\u0688\u0644 \u06a9\u0648 \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u062a\u0642\u0633\u06cc\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 
\u0644\u06cc\u06d2\u060c \u06c1\u0645 \u0646\u06d2 \u0679\u0631\u0633\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u06cc\u0627 \u062a\u0627\u06a9\u06c1 \u0633\u0631\u0648\u0633\u0632 \u06a9\u0648 \u0628\u063a\u06cc\u0631 \u06a9\u0633\u06cc \u0633\u0631\u0648\u0633 \u06a9\u06d2 \u0645\u062e\u0635\u0648\u0635 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u06d2 \u0627\u06cc\u06a9 \u062f\u0648\u0633\u0631\u06d2 \u06a9\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc \u062c\u0627\u0626\u06d2\u06d4 \u06c1\u0645 \u0646\u06d2 \u06cc\u06c1 \u0628\u06be\u06cc \u062f\u06cc\u06a9\u06be\u0627 \u06a9\u06c1 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u0686\u06cc\u0646 \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u0686\u06cc\u06a9 \u06a9\u06cc\u0627 \u062c\u0627\u0626\u06d2\u06d4 <code>openssl<\/code> \u0622\u067e \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u06cc\u06c1 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646 \u0645\u06cc\u06ba \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679 \u06a9\u06cc \u06af\u0631\u062f\u0634 \u06a9\u0648 \u0633\u0645\u062c\u06be\u0646\u0627 \u0648\u06c1\u06cc \u06c1\u06d2 \u062c\u0648 \u0627\u06cc\u06a9 \u0679\u06cc\u0645 \u062c\u0648 \u0627\u0639\u062a\u0645\u0627\u062f \u06a9\u06d2 \u0633\u0627\u062a\u06be TLS \u06a9\u0627 \u0627\u0646\u062a\u0638\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2 \u0627\u0648\u0631 \u0627\u06cc\u06a9 \u0679\u06cc\u0645 \u06a9\u06d2 \u062f\u0631\u0645\u06cc\u0627\u0646 \u0641\u0631\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u0648 \u0645\u06cc\u0639\u0627\u062f 
\u062e\u062a\u0645 \u06c1\u0648\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0633\u0631\u0679\u06cc\u0641\u06a9\u06cc\u0679\u0633 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0635\u0628\u062d 3 \u0628\u062c\u06d2 \u0627\u0679\u06be\u062a\u06cc \u06c1\u06d2\u06d4 cert-manager \u062a\u062c\u062f\u06cc\u062f \u06a9\u0648 \u062e\u0648\u062f\u06a9\u0627\u0631 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u060c \u0644\u06cc\u06a9\u0646 <code>renewBefore<\/code> \u0641\u06cc\u0644\u0688 \u0633\u06cc\u0641\u0679\u06cc \u0645\u0627\u0631\u062c\u0646 \u06c1\u06d2\u06d4 \u0627\u0633\u06d2 \u062f\u0631\u0633\u062a \u0637\u0631\u06cc\u0642\u06d2 \u0633\u06d2 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u0646\u06d2 \u06a9\u0627 \u0637\u0631\u06cc\u0642\u06c1 \u062c\u0627\u0646\u06cc\u06ba \u0627\u0648\u0631 \u0627\u067e\u0646\u06cc \u062a\u062c\u062f\u06cc\u062f \u06a9\u06cc \u062d\u06cc\u062b\u06cc\u062a \u06a9\u0648 \u067e\u0691\u06be\u06cc\u06ba\u06d4<\/p>\n<p>\u0627\u0633 \u062f\u0633\u062a\u0627\u0648\u06cc\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062a\u0645\u0627\u0645 YAML \u0645\u06cc\u0646\u06cc \u0641\u06cc\u0633\u0679\u0633 \u0627\u0648\u0631 \u06c1\u06cc\u0644\u0645 \u0648\u06cc\u0644\u06cc\u0648\u0632 DevOps-Cloud-Projects GitHub \u0631\u06cc\u067e\u0648\u0632\u0679\u0631\u06cc \u0645\u06cc\u06ba \u062f\u0633\u062a\u06cc\u0627\u0628 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u0627\u0646\u062c\u06cc\u0646\u0626\u0631\u0632 \u0641\u0631\u0636 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u0627\u0646 \u06a9\u0627 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u062a\u0645\u0627\u0645 \u0679\u0631\u06cc\u0641\u06a9 \u06a9\u0648 \u062e\u0641\u06cc\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0633\u0686 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u0627 \u062d\u06a9\u0645 kubectl \u06cc\u06c1 
\u0627\u0646\u06a9\u0631\u067e\u0679\u0688 \u06c1\u06d2\u06d4 \u06a9\u0644\u0627\u0626\u0646\u0679 \u0627\u0648\u0631 API \u0633\u0631\u0648\u0631 TLS \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 API \u0633\u0631\u0648\u0631\u0632 \u062c\u0648 etcd \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0627\u062a \u0686\u06cc\u062a \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u0648\u06c1 \u0628\u06be\u06cc \u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0646\u06a9\u0631\u067e\u0679 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u060c [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24228","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/posts\/24228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/comments?post=24228"}],"version-history":[{"count":0,"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/posts\/24228\/revisions"}],"wp:attachment":[{"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/media?parent=24228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/categories?post=24228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/umang.pk\/ur\/wp-json\/wp\/v2\/tags?post=24228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}