
sacloudns

kazeburo
April 02, 2021


#さくらのマイクロコミュニティ (Sakura Micro Community: CLI/API users meetup) vol.1


Transcript

  1. sacloudns
    Masahiro Nagano (kazeburo)
    2021/04/02 さくらのマイクロコミュニティ vol.1 (Sakura Micro Community vol.1)

  2. Who ?
    • Masahiro Nagano (kazeburo)
    • Joined Sakura Internet on 2021/01/18
    • I look after Sakura Cloud's DNS, Enhanced LB and Simple Monitoring

  3. the beginning
    • Soon after joining, I cut the time it takes for a Sakura Cloud DNS record change to take effect, from over a minute to about 20 seconds
    • To try out Enhanced LB, I needed to obtain an SSL certificate
    • lego (https://github.com/go-acme/lego) is a bit awkward to use
    • I wanted to keep using dehydrated (https://dehydrated.io/), which I was used to, so I needed a command that changes DNS records

  4. sacloudns


  5. sacloudns
    • A command-line tool for manipulating DNS, in the style of cli53 (Cli for Amazon Route53: https://github.com/barnybug/cli53)
    • Written in Go
    • Uses github.com/sacloud/libsacloud/v2 🙇
    • Doesn't show up in Google search results

  6. Usage
    Usage:
      sacloudns [OPTIONS]

    Help Options:
      -h, --help  Show this help message

    Available commands:
      fzone    find zone for the record
      list     list zones
      radd     add a record
      rdelete  delete a record
      rset     replace records or add a record
      version  display version
      zone     describe zone

  7. Usage
    • Add a record
    • Delete a record
    • Find the zone that holds a name
    • To run it, SAKURACLOUD_ACCESS_TOKEN and SAKURACLOUD_ACCESS_TOKEN_SECRET (the Sakura Cloud API credentials) must be set in the environment
    ./sacloudns radd --zone example.com --name www --type A --data 192.168.0.1 --ttl 30
    ./sacloudns rdelete --zone example.com --name test --type A --data 192.168.0.1
    ./sacloudns fzone foo.bar.example.com

  8. wait propagation
    Nobody gets to say "we're waiting for it to propagate" any more
    • For TXT and CNAME records only, a --wait option waits until the record is actually being served
    • It looks up the zone's NS records and queries each of those authoritative servers directly every 2 seconds until the record is confirmed on all of them (recursive-resolver caches never come into it)

  9. wait propagation
    % ./sacloudns radd --wait --zone kazeburo.work --name test --type TXT --data test-test-test --ttl 30
    2021/02/05 16:44:22 Checking DNS record propagation.
    2021/02/05 16:44:22 Waiting for DNS record propagation.
    2021/02/05 16:44:24 Waiting for DNS record propagation.
    2021/02/05 16:44:26 Waiting for DNS record propagation.
    2021/02/05 16:44:28 Waiting for DNS record propagation.
    2021/02/05 16:44:30 Waiting for DNS record propagation.
    2021/02/05 16:44:33 Waiting for DNS record propagation.
    2021/02/05 16:44:35 Waiting for DNS record propagation.
    2021/02/05 16:44:37 Waiting for DNS record propagation.
    2021/02/05 16:44:39 Waiting for DNS record propagation.
    2021/02/05 16:44:41 Waiting for DNS record propagation.
    2021/02/05 16:44:43 Waiting for DNS record propagation.
    2021/02/05 16:44:45 Waiting for DNS record propagation.
    {"ID":113300144171,"Name":"kazeburo.work","Description":"","Tags":[],"Availability":"available","IconID":0,"CreatedAt":"2021-01-19T11:59:31+09:00","ModifiedAt":"2021-01-19T11:59:31+09:00","Records":[{"Name":"*","Type":"CNAME","RData":"site-1etp19k.proxylb1.sakura.ne.jp.","TTL":10},....
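
The check behind --wait, as an added shell example (this is not code from sacloudns): it resolves the zone's NS records and polls every authoritative server every 2 seconds until all of them serve the record, and it adds a deadline that the log above does not show. It goes slightly beyond the tool in accepting any record type. It assumes dig is installed; the zone and record in the usage comment are the deck's demo values.

```shell
#!/bin/sh
# Added example (not from sacloudns itself): the check --wait performs, redone
# with dig so it can be run against any zone. Assumes dig is on PATH.

# Authoritative name servers for ZONE, one per line, trailing dot removed.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//' | sort -u
}

# Answers server $1 currently holds for name $2 / type $3, normalised the way a
# user would type them: TXT quotes stripped, CNAME trailing dot removed.
# +norecurse asks the server for what it serves, not for what it could look up.
query_record() {
    dig +short +norecurse "@$1" "$2" "$3" | tr -d '"' | sed 's/\.$//'
}

# wait_for_record ZONE NAME TYPE DATA [INTERVAL] [MAX_WAIT]
# Returns 0 once every authoritative server for ZONE answers NAME/TYPE with
# DATA, 1 if MAX_WAIT seconds pass first, 2 if the zone has no NS records.
# Querying the authoritative servers directly sidesteps recursive-resolver
# caches, which is why "propagation" never enters into it.
wait_for_record() {
    zone=$1; name=$2; type=$3; data=$4
    interval=${5:-2}; max_wait=${6:-120}
    servers=$(authoritative_ns "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    deadline=$(( $(date +%s) + max_wait ))
    while :; do
        pending=""
        for ns in $servers; do
            # a server may hold several answers at the name; any exact match counts
            if ! query_record "$ns" "$name" "$type" | grep -Fxq -- "$data"; then
                pending="$pending $ns"
            fi
        done
        if [ -z "$pending" ]; then
            echo "$(date '+%Y/%m/%d %H:%M:%S') $type $name confirmed on every authoritative server" >&2
            return 0
        fi
        echo "$(date '+%Y/%m/%d %H:%M:%S') Waiting for DNS record propagation (missing on:$pending)" >&2
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1
        fi
        sleep "$interval"
    done
}

# Usage, mirroring the deck's demo record (substitute your own zone):
#   sacloudns radd --zone kazeburo.work --name test --type TXT --data test-test-test --ttl 30
#   wait_for_record kazeburo.work test.kazeburo.work TXT test-test-test
```

The exit codes let a caller distinguish "not there yet" from "zone misconfigured", which matters in an unattended renewal job: the first is worth retrying, the second is not.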

  10. 100% convenient
    (in-house comparison)

  11. Automating Enhanced LB certificate renewal
    with GitHub Actions,
    sacloudns and
    Sakura Object Storage

  12. Continued

  13. 1. The workflow is started by a push to the GitHub repo, or periodically on a schedule.
    2. The current certificates and the Let's Encrypt account credentials are synced from object storage.
    3. dehydrated is run.
    4. Using sacloudns for dns-01 validation, it obtains the certificate (ZeroSSL works too).
    5. The certificates and account credentials are written back to object storage.
    6. If a certificate was renewed, it is uploaded to the Enhanced Load Balancer.
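
The hook.sh that step 4 relies on is not shown in the deck. What follows is an added example of one (my code, not the author's): a dehydrated dns-01 hook that drives sacloudns. It assumes that `sacloudns fzone NAME` prints the enclosing zone name on stdout (verify this against your version), that dehydrated calls the hook once per domain (its default, HOOK_CHAIN unset), and that dehydrated passes a wildcard name without the leading `*.`; the hook strips it anyway. `--wait` on radd is what keeps the ACME server's validation lookup from racing the record update.

```shell
#!/bin/sh
# hook.sh: dehydrated dns-01 hook driving sacloudns (added example, not the
# deck author's hook.sh). Assumes `sacloudns fzone NAME` prints the zone that
# holds NAME on stdout; adjust zone_for() if your version prints something else.
set -eu

SACLOUDNS=${SACLOUDNS:-sacloudns}   # path to the binary; overridable for testing
CHALLENGE_TTL=${CHALLENGE_TTL:-30}  # short TTL so stale challenge answers expire fast

# Print the zone holding FQDN, or fail if sacloudns does not know it.
zone_for() {
    zone=$("$SACLOUDNS" fzone "$1")
    [ -n "$zone" ] || { echo "hook.sh: no zone found for $1" >&2; return 1; }
    printf '%s\n' "$zone"
}

# Strip the zone suffix, since radd/rdelete take --name relative to --zone:
# _acme-challenge.www.example.com in example.com -> _acme-challenge.www
relative_name() {
    case "$1" in
        *".$2") printf '%s\n' "${1%.$2}" ;;
        *) echo "hook.sh: $1 is not under zone $2" >&2; return 1 ;;
    esac
}

# Name the ACME server will look up. The record for *.example.com lives at
# _acme-challenge.example.com, so a leading "*." is dropped.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# --wait blocks until every authoritative server for the zone serves the TXT
# record, so the ACME validation that follows cannot race the update.
deploy_challenge() {
    fqdn=$(challenge_name "$1")
    zone=$(zone_for "$fqdn")
    "$SACLOUDNS" radd --wait --zone "$zone" --name "$(relative_name "$fqdn" "$zone")" \
        --type TXT --data "$3" --ttl "$CHALLENGE_TTL"
}

# clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE: remove exactly the record added above,
# leaving any other TXT records at the same name alone.
clean_challenge() {
    fqdn=$(challenge_name "$1")
    zone=$(zone_for "$fqdn")
    "$SACLOUDNS" rdelete --zone "$zone" --name "$(relative_name "$fqdn" "$zone")" \
        --type TXT --data "$3"
}

# dehydrated invokes: hook.sh <handler> <args...>. The other handlers
# (deploy_cert, unchanged_cert, exit_hook, ...) are intentionally no-ops here;
# in the deck's workflow the upload to the Enhanced LB happens in a later step.
case "${1:-}" in
    deploy_challenge|clean_challenge) "$@" ;;
    *) : ;;
esac
```

Install it as /opt/dehydrated/hook.sh (executable) with `CHALLENGETYPE="dns-01"` and `HOOK="${BASEDIR}/hook.sh"` in the dehydrated config; the API token and secret reach sacloudns through the environment exactly as in the workflow's env: block, so the hook never has to handle them.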

  14.
    name: release
    on:
      push:
        branches:
          - main
      schedule:
        - cron: '19 1 * * *'
    jobs:
      renew-cert:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout
            uses: actions/checkout@v2
            with:
              fetch-depth: 0
          - name: install sacloudns
            run: |
              curl -s -LO https://github.com/kazeburo/sacloudns/releases/download/v0.0.4/sacloudns_linux_amd64.zip
              sudo unzip -d /usr/bin sacloudns_linux_amd64.zip sacloudns
              rm sacloudns_linux_amd64.zip
          - name: git pull dehydrated
            run: |
              git clone https://github.com/lukas2511/dehydrated.git -b v0.7.0 /opt/dehydrated
              # config, hook.sh (dns-01 via sacloudns), domains.txt and template.jq live in this repo
              cp -a ${GITHUB_WORKSPACE}/config /opt/dehydrated/config
              cp -a ${GITHUB_WORKSPACE}/hook.sh /opt/dehydrated/hook.sh
              cp -a ${GITHUB_WORKSPACE}/domains.txt /opt/dehydrated/domains.txt
              cp -a ${GITHUB_WORKSPACE}/template.jq /opt/dehydrated/template.jq
          - name: Sync accounts/certs from object storage
            # Sakura Object Storage speaks the S3 API, so the stock aws CLI is pointed at its endpoint
            env:
              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
              AWS_REGION: eu-west-1
            run: |
              cd /opt/dehydrated
              mkdir -p accounts
              mkdir -p certs
              aws --version
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 ls s3://bucket/ > dir-list
              if grep accounts/ dir-list > /dev/null; then
                aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync s3://bucket/accounts/ accounts
              fi
              if grep certs/ dir-list > /dev/null; then
                aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync s3://bucket/certs/ certs
              fi
          - name: Renew and generate certs
            env:
              SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
              SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
            run: |
              cd /opt/dehydrated
              ./dehydrated --register --accept-terms
              # |& is bash syntax; with the default `bash -e` shell (no pipefail) the tee
              # pipeline masks dehydrated's exit status, hence the grep in the next step
              ./dehydrated -c -f config |& tee -a log
          - name: check succeeded
            run: |
              cd /opt/dehydrated
              if ! grep "dehydrated completed" log > /dev/null; then
                exit 1
              fi
          - name: sync to object storage
            env:
              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
              AWS_REGION: eu-west-1
            run: |
              cd /opt/dehydrated
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync accounts/ s3://bucket/accounts/
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync certs/ s3://bucket/certs/
          - name: run if new/renew
            env:
              SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
              SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
            run: |
              cd /opt/dehydrated
              # dehydrated prints "Creating fullchain" only when it issued a new certificate
              if grep "Creating fullchain" log > /dev/null; then
                # find the Enhanced LB (proxylb) named MY-ELB in the is1a zone
                ELB_ID=$(curl -s --user $SAKURACLOUD_ACCESS_TOKEN:$SAKURACLOUD_ACCESS_TOKEN_SECRET https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/commonserviceitem | jq -r '.CommonServiceItems[]|select(.Name=="MY-ELB" and .Provider.Class=="proxylb").ID'|head -1)
                # template.jq wraps the three PEM files into the request body for the certificate endpoint
                jq -n -f template.jq --rawfile ServerCertificate certs/works/cert.pem --rawfile IntermediateCertificate certs/works/chain.pem --rawfile PrivateKey certs/works/privkey.pem | curl -d @- -X PUT -H "Content-Type: application/json" --user $SAKURACLOUD_ACCESS_TOKEN:$SAKURACLOUD_ACCESS_TOKEN_SECRET https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/commonserviceitem/$ELB_ID/proxylb/sslcertificate
              fi
    The materials will be published.
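
The install step above fetches the release archive by tag and unpacks whatever comes back, and the job then hands that binary the Sakura Cloud API token. This added example (not from the deck) is the same step with a pinned SHA-256: the digest variable is a placeholder to be recorded once from a trusted machine and committed next to the workflow; nothing else is assumed beyond curl, sha256sum, unzip and sudo on the runner.

```shell
#!/bin/sh
# Added example (not the deck's workflow step): install a pinned sacloudns
# release only after its SHA-256 matches a digest recorded in the repo.
# The digest is a placeholder (assumption): capture the real one once on a
# trusted machine with `sha256sum sacloudns_linux_amd64.zip` and commit it.
set -eu

SACLOUDNS_VERSION=${SACLOUDNS_VERSION:-v0.0.4}
SACLOUDNS_ARCHIVE=sacloudns_linux_amd64.zip
SACLOUDNS_SHA256=${SACLOUDNS_SHA256:-REPLACE_WITH_RECORDED_DIGEST}

# verify_sha256 FILE EXPECTED: 0 if FILE hashes to EXPECTED (hex, either case), else 1.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, want $expected" >&2
    return 1
}

# Download the archive to a scratch directory, verify it, and only then unpack
# the binary. A mismatch leaves nothing installed and, under set -e, fails the job.
install_sacloudns() {
    tmp=$(mktemp -d)
    curl -fsSL -o "$tmp/$SACLOUDNS_ARCHIVE" \
        "https://github.com/kazeburo/sacloudns/releases/download/$SACLOUDNS_VERSION/$SACLOUDNS_ARCHIVE"
    verify_sha256 "$tmp/$SACLOUDNS_ARCHIVE" "$SACLOUDNS_SHA256"
    # the deck unpacks into /usr/bin; /usr/local/bin is the conventional spot for hand-installed tools
    sudo unzip -q -d /usr/local/bin "$tmp/$SACLOUDNS_ARCHIVE" sacloudns
    rm -rf "$tmp"
}

# Invoked from the workflow's run: step as `sh install-sacloudns.sh install`.
if [ "${1:-}" = install ]; then
    install_sacloudns
fi
```

Bumping SACLOUDNS_VERSION then requires updating the recorded digest in the same commit, which is the point: a changed archive behind an unchanged tag can no longer reach the step that holds the API credentials.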

  15. Summary
    • Enhanced LB can hold up to 20 certificates, but its Let's Encrypt certificate is limited to one, and wildcards cannot be used
    • Obtaining certificates via DNS-01 and driving the API gives you much more flexible SSL and load-balancer operations
    • It depends on your certificate-management policy, but renewing with GitHub Actions is easy

  16. Summary 2
    • sacloudns is handy
    • libsacloud is handy!!

  17. That's all