
sacloudns

kazeburo
April 02, 2021


#Sakura Micro Community (CLI/API users meetup) vol.1


Transcript

1. Who?
    • Masahiro Nagano (kazeburo)
    • Joined Sakura Internet on 2021/01/18
    • Works on Sakura Cloud DNS, the Enhanced Load Balancer, and Simple Monitoring
2. The beginning
    • Shortly after joining, I shortened the time it takes for a Sakura Cloud DNS record change to take effect (from more than 1 minute to about 20 seconds)
    • To try out the Enhanced LB I needed to obtain an SSL certificate
    • lego (https://github.com/go-acme/lego) is a bit awkward to use
    • I wanted to keep using dehydrated (https://dehydrated.io/), which I was used to, so I needed a command that modifies DNS records
3. Usage

    Usage:
      sacloudns [OPTIONS] <command>

    Help Options:
      -h, --help  Show this help message

    Available commands:
      fzone    find zone for the record
      list     list zones
      radd     add a record
      rdelete  delete a record
      rset     replace records or add a record
      version  display version
      zone     describe zone
4. Usage
    • Add a record
    • Delete a record
    • Find the zone for a name
    • Running it requires SAKURACLOUD_ACCESS_TOKEN and SAKURACLOUD_ACCESS_TOKEN_SECRET in the environment

    ./sacloudns radd --zone example.com --name www --type A --data 192.168.0.1 --ttl 30
    ./sacloudns rdelete --zone example.com --name test --type A --data 192.168.0.1
    ./sacloudns fzone foo.bar.example.com
5. wait propagation: no more "waiting for DNS propagation"
    • For TXT and CNAME records only, the --wait option waits until the record has actually taken effect
    • It looks up the zone's NS records and queries those DNS servers every 2 seconds until they return the record
6. wait propagation

    % ./sacloudns radd --wait --zone kazeburo.work --name test --type TXT --data test-test-test --ttl 30
    2021/02/05 16:44:22 Checking DNS record propagation.
    2021/02/05 16:44:22 Waiting for DNS record propagation.
    2021/02/05 16:44:24 Waiting for DNS record propagation.
    2021/02/05 16:44:26 Waiting for DNS record propagation.
    2021/02/05 16:44:28 Waiting for DNS record propagation.
    2021/02/05 16:44:30 Waiting for DNS record propagation.
    2021/02/05 16:44:33 Waiting for DNS record propagation.
    2021/02/05 16:44:35 Waiting for DNS record propagation.
    2021/02/05 16:44:37 Waiting for DNS record propagation.
    2021/02/05 16:44:39 Waiting for DNS record propagation.
    2021/02/05 16:44:41 Waiting for DNS record propagation.
    2021/02/05 16:44:43 Waiting for DNS record propagation.
    2021/02/05 16:44:45 Waiting for DNS record propagation.
    {"ID":113300144171,"Name":"kazeburo.work","Description":"","Tags":[],"Availability":"available","IconID":0,"CreatedAt":"2021-01-19T11:59:31+09:00","ModifiedAt":"2021-01-19T11:59:31+09:00","Records":[{"Name":"*","Type":"CNAME","RData":"site-1etp19k.proxylb1.sakura.ne.jp.","TTL":10},....
7. Certificate renewal workflow
    1. The workflow is started by a push to the GitHub repo, or periodically via schedule.
    2. Sync the current certificates and the Let's Encrypt account credentials from object storage.
    3. Run dehydrated.
    4. Use sacloudns for dns-01 validation and obtain the certificate (ZeroSSL also works).
    5. Write the certificates and account credentials back to object storage.
    6. If the certificate was renewed, upload it to the Enhanced Load Balancer.
8. Workflow definition

    name: release
    on:
      push:
        branches:
          - main
      schedule:
        - cron: '19 1 * * *'
    jobs:
      renew-cert:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout
            uses: actions/checkout@v2
            with:
              fetch-depth: 0
          - name: install sacloudns
            run: |
              curl -s -LO https://github.com/kazeburo/sacloudns/releases/download/v0.0.4/sacloudns_linux_amd64.zip
              sudo unzip -d /usr/bin sacloudns_linux_amd64.zip sacloudns
              rm sacloudns_linux_amd64.zip
          - name: git pull dehydrated
            run: |
              git clone https://github.com/lukas2511/dehydrated.git -b v0.7.0 /opt/dehydrated
              cp -a ${GITHUB_WORKSPACE}/config /opt/dehydrated/config
              cp -a ${GITHUB_WORKSPACE}/hook.sh /opt/dehydrated/hook.sh
              cp -a ${GITHUB_WORKSPACE}/domains.txt /opt/dehydrated/domains.txt
              cp -a ${GITHUB_WORKSPACE}/template.jq /opt/dehydrated/template.jq
          - name: Sync accounts/certs from object storage
            env:
              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
              AWS_REGION: eu-west-1
            run: |
              cd /opt/dehydrated
              mkdir -p accounts
              mkdir -p certs
              aws --version
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 ls s3://bucket/ > dir-list
              if grep accounts/ dir-list > /dev/null; then
                aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 sync --only-show-errors --delete s3://bucket/accounts/ accounts
              fi
              if grep certs/ dir-list > /dev/null; then
                aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 sync --only-show-errors --delete s3://bucket/certs/ certs
              fi
          - name: Renew and generate certs
            env:
              SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
              SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
            run: |
              cd /opt/dehydrated
              ./dehydrated --register --accept-terms
              ./dehydrated -c -f config |& tee -a log
          - name: check succeeded
            run: |
              cd /opt/dehydrated
              if ! grep "dehydrated completed" log > /dev/null; then
                exit 1
              fi
          - name: sync to object storage
            env:
              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
              AWS_REGION: eu-west-1
            run: |
              cd /opt/dehydrated
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 sync --only-show-errors --delete accounts/ s3://bucket/accounts/
              aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 sync --only-show-errors --delete certs/ s3://bucket/certs/
          - name: run if new/renew
            env:
              SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
              SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
            run: |
              cd /opt/dehydrated
              if grep "Creating fullchain" log > /dev/null; then
                ELB_ID=$(curl -s --user $SAKURACLOUD_ACCESS_TOKEN:$SAKURACLOUD_ACCESS_TOKEN_SECRET https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/commonserviceitem | jq -r '.CommonServiceItems[]|select(.Name=="MY-ELB" and .Provider.Class=="proxylb").ID' | head -1)
                jq -n -f template.jq --rawfile ServerCertificate certs/works/cert.pem --rawfile IntermediateCertificate certs/works/chain.pem --rawfile PrivateKey certs/works/privkey.pem | curl -d @- -X PUT -H "Content-Type: application/json" --user $SAKURACLOUD_ACCESS_TOKEN:$SAKURACLOUD_ACCESS_TOKEN_SECRET https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/commonserviceitem/$ELB_ID/proxylb/sslcertificate
              fi

    The slides will be published.
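The workflow above copies a hook.sh into /opt/dehydrated but the deck does not show it. The script below is an added example, not the hook from the talk or from the sacloudns project: a dehydrated dns-01 hook that creates the _acme-challenge TXT record with `sacloudns radd --wait` (the propagation check from slide 5) and removes it again with `sacloudns rdelete`, which is step 4 of the workflow on slide 7. It assumes sacloudns is on PATH with SAKURACLOUD_ACCESS_TOKEN and SAKURACLOUD_ACCESS_TOKEN_SECRET exported, and it introduces two variables of its own that are not part of sacloudns: SACLOUDNS_ZONE (the zone that contains every name in domains.txt) and CHALLENGE_TTL.

```shell
#!/bin/sh
# Added example: a dehydrated hook.sh for dns-01 validation that drives sacloudns.
# Not the hook.sh from the talk. Assumptions:
#   - sacloudns is on PATH and reads SAKURACLOUD_ACCESS_TOKEN /
#     SAKURACLOUD_ACCESS_TOKEN_SECRET from the environment (nothing goes on the command line)
#   - SACLOUDNS_ZONE (a variable invented for this example) is the Sakura Cloud DNS zone
#     that contains every name in domains.txt
#   - CHALLENGE_TTL (also invented here) is the TTL of the challenge record, default 30
set -eu

# Record name for _acme-challenge.<domain>, relative to the zone:
#   www.example.com in example.com -> _acme-challenge.www
#   example.com     in example.com -> _acme-challenge
challenge_name() {
    domain="${1#\*.}"   # a wildcard name validates on its base name
    zone="${SACLOUDNS_ZONE:?set SACLOUDNS_ZONE to the zone managed in Sakura Cloud DNS}"
    suffix=".$zone"
    case "$domain" in
        "$zone") echo "_acme-challenge" ;;
        *"$suffix") echo "_acme-challenge.${domain%"$suffix"}" ;;
        *) echo "hook.sh: $domain is not inside zone $zone" >&2; return 1 ;;
    esac
}

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
deploy_challenge() {
    while [ "$#" -ge 3 ]; do
        domain="$1"; token_value="$3"; shift 3
        name=$(challenge_name "$domain")
        # radd rather than rset: a wildcard and its base name share one _acme-challenge
        # name and both TXT values must exist at the same time. --wait returns only once
        # the zone's NS servers answer with the record, so no fixed sleep is needed.
        sacloudns radd --wait --zone "$SACLOUDNS_ZONE" --name "$name" --type TXT \
            --data "$token_value" --ttl "${CHALLENGE_TTL:-30}"
    done
}

# Same argument layout; removes exactly the TXT value that was added, nothing else.
clean_challenge() {
    while [ "$#" -ge 3 ]; do
        domain="$1"; token_value="$3"; shift 3
        name=$(challenge_name "$domain")
        sacloudns rdelete --zone "$SACLOUDNS_ZONE" --name "$name" --type TXT --data "$token_value"
    done
}

# Entry point: dehydrated invokes the hook as  hook.sh <handler> <args...>
hook_main() {
    handler="$1"; shift
    case "$handler" in
        deploy_challenge|clean_challenge) "$handler" "$@" ;;
        *) : ;;   # deploy_cert, unchanged_cert, exit_hook, ...: nothing to do for DNS
    esac
}

if [ "$#" -gt 0 ]; then
    hook_main "$@"
fi
```

Point dehydrated's config at it with `HOOK=/opt/dehydrated/hook.sh` and `CHALLENGETYPE="dns01"`. The hook never prints the token value or the API credentials, and clean_challenge deletes only the record with the matching data, so a failed run leaves at most a short-TTL TXT record behind and never touches the zone's other records.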