Configure Certificate Authority Service for managed Cloud Service Mesh

This guide describes how to configure Certificate Authority Service for managed Cloud Service Mesh. For information about in-cluster Cloud Service Mesh, see Install default features and Certificate Authority (CA) Service.

In addition to the Cloud Service Mesh certificate authority, you can configure Cloud Service Mesh to use Certificate Authority Service. This guide shows how to integrate with CA Service, which is recommended for the following use cases:

  • You need different certificate authorities to sign workload certificates on different clusters.
  • You need to back your signing keys in Cloud HSM.
  • You are in a highly regulated industry and are subject to compliance requirements.
  • You want to chain your Cloud Service Mesh CA up to a custom enterprise root certificate to sign workload certificates.

The cost of the Cloud Service Mesh certificate authority is included in Cloud Service Mesh pricing. CA Service is not included in the base Cloud Service Mesh price and is charged separately. In addition, CA Service comes with an explicit SLA, but the Cloud Service Mesh certificate authority does not.

Prerequisites

This guide assumes that you already have the following:

Requirements

Enable the required API in the project where the CA pool will be configured.

 gcloud services enable privateca.googleapis.com \
      --project=CA_PROJECT_ID

Configure CA Service

  1. Make sure the CA pool is in the DevOps tier and in the same region as the cluster it serves, to avoid excessive latency issues or potential cross-region outages. For more information, see Workload-optimized tiers.
  2. Create the CA pool, and make sure that CA pool has at least one active certificate authority in the same project as the GKE cluster. Use subordinate CAs to sign Cloud Service Mesh workload certificates. Note the CA pool that corresponds to the subordinate CA.
  3. If the CA pool is meant to serve certificates only for Cloud Service Mesh workloads, set the following issuance policy on the CA pool.

    policy.yaml

    baselineValues:
      keyUsage:
        baseKeyUsage:
          digitalSignature: true
          keyEncipherment: true
        extendedKeyUsage:
          serverAuth: true
          clientAuth: true
      caOptions:
        isCa: false
    identityConstraints:
      allowSubjectPassthrough: false
      allowSubjectAltNamesPassthrough: true
      celExpression:
        expression: subject_alt_names.all(san, san.type == URI && san.value.startsWith("spiffe://PROJECT_ID.svc.id.goog/ns/") )
    
  4. To update the CA pool's issuance policy, use the following command.

    gcloud privateca pools update CA_POOL --location ca_region --issuance-policy policy.yaml
    

    For more information about setting a policy on pools, see Using a certificate issuance policy.

  5. If you are using a certificate template, configure it now. For more information, see the CA Service guide for workload identity certificates. Make sure the certificate template is created in the same region as the CA pool. If the CA pools span multiple regions, create a certificate template per region.
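To see which subject alternative names the `celExpression` in step 3 lets through, the following added example (not part of the original guide) reimplements its check in POSIX shell. The function name `san_allowed`, the `TYPE=value` input form, and the project ID `demo-fleet` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: mirrors the celExpression in policy.yaml for offline review.

# san_allowed PROJECT "TYPE=value" ...
# Status 0 only when every SAN is a URI under spiffe://PROJECT.svc.id.goog/ns/.
# An empty SAN list passes, matching the semantics of CEL's all() macro.
san_allowed() {
  project=$1
  shift
  prefix="spiffe://${project}.svc.id.goog/ns/"
  for san in "$@"; do
    san_type=${san%%=*}
    san_value=${san#*=}
    [ "$san_type" = "URI" ] || return 1
    case $san_value in
      "$prefix"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Constructed SANs for a constructed project ID "demo-fleet".
for san in \
  "URI=spiffe://demo-fleet.svc.id.goog/ns/payments/sa/api" \
  "DNS=api.payments.svc.cluster.local" \
  "URI=spiffe://demo-fleet.svc.id.goog.example/ns/payments/sa/api" \
  "URI=spiffe://other-fleet.svc.id.goog/ns/payments/sa/api"
do
  if san_allowed demo-fleet "$san"; then echo "allow $san"; else echo "deny  $san"; fi
done
```

Only the first sample is allowed: the policy's prefix ends in `/ns/`, so a look-alike trust domain or a different project does not match, and a single non-URI SAN rejects the whole request.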

Roles required to use CA Service

For this integration, all workloads in Cloud Service Mesh require the following IAM roles. You must explicitly apply the following role bindings for Cloud Service Mesh workloads.

    WORKLOAD_IDENTITY="FLEET_PROJECT_ID.svc.id.goog:/allAuthenticatedUsers/"

    gcloud privateca pools add-iam-policy-binding CA_POOL \
      --project FLEET_PROJECT_ID \
      --location ca_region \
      --member "group:${WORKLOAD_IDENTITY}" \
      --role "roles/privateca.workloadCertificateRequester"

    gcloud privateca pools add-iam-policy-binding CA_POOL \
      --project FLEET_PROJECT_ID \
      --location ca_region \
      --member "group:${WORKLOAD_IDENTITY}" \
      --role "roles/privateca.auditor"

If you are using certificate templates:

    gcloud privateca templates add-iam-policy-binding CERT_TEMPLATE_ID \
        --member "group:${WORKLOAD_IDENTITY}" \
        --role "roles/privateca.templateUser"

Limitations

  • Configure and choose your CA before you provision the Cloud Service Mesh control plane. Changing the CA is not supported.

Configure managed Cloud Service Mesh to use CA Service

  1. Check whether the istio-system namespace exists, and create it if it is missing.

      kubectl create ns istio-system
    
  2. Check whether the asm-options configmap exists in the istio-system namespace.

      kubectl get configmap/asm-options -n istio-system
    
  3. If the configmap does not exist, create it.

      kubectl create configmap -n istio-system asm-options
    
  4. Patch the configmap to add the CAS configuration.

      kubectl patch configmap/asm-options -n istio-system --type merge \
      -p '{"data":{"ASM_OPTS": "CA=PRIVATECA;CAAddr=projects/CA_PROJECT_ID/locations/ca_region/caPools/CA_POOL"}}'
    

    If a certificate template is required, append the template ID to the CA pool address, using : as the separator.

      kubectl patch configmap/asm-options -n istio-system --type merge \
      -p '{"data":{"ASM_OPTS": "CA=PRIVATECA;CAAddr=projects/CA_PROJECT_ID/locations/ca_region/caPools/CA_POOL:projects/PROJECT_ID/locations/ca_region/certificateTemplates/CERT_TEMPLATE_ID"}}'
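Because the CA cannot be changed after the control plane is provisioned, it is worth validating the `ASM_OPTS` value first. The following is an added example, not part of the original guide; the function names, the assumed ID character sets, and the sample project, pool and template names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: validate an ASM_OPTS value before the control plane is provisioned.
# Assumption: project and location segments use only lowercase letters, digits, hyphens.

id='[a-z][a-z0-9-]*'        # project / location segment
name='[A-Za-z0-9_-]+'       # pool / template ID segment

# region_of PATH -> prints the locations/<region> segment of a resource path
region_of() {
  r=${1#projects/*/locations/}
  printf '%s\n' "${r%%/*}"
}

# check_asm_opts VALUE -> prints "ok" (status 0) or the first problem (status 1)
check_asm_opts() {
  case $1 in
    "CA=PRIVATECA;CAAddr="*) addr=${1#"CA=PRIVATECA;CAAddr="} ;;
    *) echo "must start with CA=PRIVATECA;CAAddr="; return 1 ;;
  esac
  pool=${addr%%:*}          # text before the first ':'
  tmpl=
  case $addr in
    *:) echo "empty template after ':'"; return 1 ;;
    *:*) tmpl=${addr#*:} ;;
  esac
  printf '%s\n' "$pool" | grep -Eq "^projects/$id/locations/$id/caPools/$name\$" \
    || { echo "malformed CA pool path"; return 1; }
  if [ -n "$tmpl" ]; then
    printf '%s\n' "$tmpl" |
      grep -Eq "^projects/$id/locations/$id/certificateTemplates/$name\$" \
      || { echo "malformed certificate template path"; return 1; }
    # The guide requires the template to live in the CA pool's region.
    [ "$(region_of "$tmpl")" = "$(region_of "$pool")" ] \
      || { echo "template region differs from CA pool region"; return 1; }
  fi
  echo ok
}

# Constructed sample values, not taken from a real project.
check_asm_opts "CA=PRIVATECA;CAAddr=projects/demo-ca/locations/us-central1/caPools/mesh-sub-pool"
check_asm_opts "CA=PRIVATECA;CAAddr=projects/demo-ca/locations/us-central1/caPools/mesh-sub-pool:projects/demo-ca/locations/europe-west1/certificateTemplates/mesh-tmpl" || true
```

To check a live cluster, pass the output of `kubectl get configmap/asm-options -n istio-system -o jsonpath='{.data.ASM_OPTS}'` to `check_asm_opts`. A value that still contains the guide's `CA_PROJECT_ID` or `ca_region` placeholders is reported as a malformed CA pool path.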
    

After you complete the configuration steps, continue the managed Cloud Service Mesh installation by enabling automatic management.