-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdocker-entrypoint.sh
360 lines (294 loc) · 11.9 KB
/
docker-entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
#!/usr/bin/env bash
#
# Copyright 2022 NetFoundry Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This version supports ziti 0.27.1 or above. we are using single binary for
# all ziti functionality now
# 7/19/2023
# Support ziti version 0.29.0 tarball
# move executable to /opt/openziti/bin (for execution)
# direct ziti output to the container. user can now retrieve log with
# docker logs -f <container>
# monitor ziti process, if process goes away, restart it
# 10/26/2023
# add health check config
# add proxy support, with environmental varibale "HTTPS_PROXY"
# 01/19/2024
# user ziti_auto_enroll.py to generate router config
# 04/25/2024
# fix issue with 1.0.0 release.
# 05/30/2024
# harden the detection of registrion by adding the old cert file
# 09/17/2024
# Version: 1.0. Support V8 network and lower environment for registration.
# Also use ziti_auto_enroll to download binary also.
VERSION="1.0"
set -e -o pipefail
LOGFILE="ziti-router.log"
# register router
# this will be edge only with tunnerl in host mode
register_router()
{
mkdir -p /etc/netfoundry/certs
# For 0.30.0 and above, the ctrl port is 443
ziti_main_version=$(echo $zitiVersion| awk -F "." '{print $1}')
ziti_dot_version=$(echo $zitiVersion| awk -F "." '{print $2}')
if [ "$ziti_main_version" -lt "1" ] && [ "$ziti_dot_version" -lt "30" ]; then
ZITI_CTRL_ADVERTISED_PORT="80"
else
ZITI_CTRL_ADVERTISED_PORT="443"
fi
# create proxy setting if exist
if [[ -n "${HTTPS_PROXY:-}" ]]; then
PROXY_TYPE=$(echo $HTTPS_PROXY |awk -F ':' '{print $1}')
PROXY_ADDRESS=$(echo $HTTPS_PROXY |awk -F ':' '{print $2}')
PROXY_ADDRESS=$(echo $PROXY_ADDRESS |awk -F '/' '{print $3}')
PROXY_PORT=$(echo $HTTPS_PROXY |awk -F ':' '{print $3}')
#echo TYPE: $PROXY_TYPE
#echo ADDRESS: $PROXY_ADDRESS
#echo PORT: $PROXY_PORT
/ziti_router_auto_enroll -n -j docker.jwt --tunnelListener 'host' --installDir /etc/netfoundry \
--controllerFabricPort $ZITI_CTRL_ADVERTISED_PORT \
--proxyType $PROXY_TYPE --proxyAddress $PROXY_ADDRESS --proxyPort $PROXY_PORT \
--downloadUrl $upgradelink --skipSystemd
else
/ziti_router_auto_enroll -n -j docker.jwt --tunnelListener 'host' --installDir /etc/netfoundry \
--controllerFabricPort $ZITI_CTRL_ADVERTISED_PORT \
--downloadUrl $upgradelink --skipSystemd
fi
}
get_controller_version()
{
echo "Check ziti controller verion"
CONTROLLER_ADDRESS=$(cat config.yml | grep "endpoint" |awk -F ':' '{print $3}')
echo -e "controller_address: ${CONTROLLER_ADDRESS}"
if [ -z $CONTROLLER_ADDRESS ]
then
echo "No controller address found, no upgrade"
else
#CONTROLLER_REP=$(curl -s -k -H -X "https://${CONTROLLER_ADDRESS}:443/edge/v1/version")
# for ha, we will need to use different endpoint.
CONTROLLER_REP=$(curl -s -k -H -X "https://${CONTROLLER_ADDRESS}:443/edge/client/v1/version")
if jq -e . >/dev/null 2>&1 <<<"$CONTROLLER_REP"; then
CONTROLLER_VERSION=$(echo ${CONTROLLER_REP} | jq -r .data.version)
else
echo "!!!!!!!!!!Retrieve controller verion Failed."
fi
fi
echo -e "controller_version: ${CONTROLLER_VERSION}"
}
# download ziti binary from the link saved in "upgradelink"
download_ziti_binary()
{
echo -e "version link: ${upgradelink}"
rm -f ziti-linux.tar.gz
curl -L -s -o ziti-linux.tar.gz ${upgradelink}
## maybe check if the file is downloaded?
rm -f ziti
#base on the verion, we extract the right ziti out of the tarball
controller_main_version=$(echo $CONTROLLER_VERSION| awk -F "." '{print $1}')
# strip off v
controller_main_version=$(echo "${controller_main_version//v}")
controller_dot_version=$(echo $CONTROLLER_VERSION| awk -F "." '{print $2}')
# do not continue if the version is not supported.
if [ "$controller_main_version" -lt "1" ] && [ "$controller_dot_version" -lt "27" ]; then
echo "Your version is not supported"
exit 1
fi
if [ "$controller_main_version" -lt "1" ] && [ "$controller_dot_version" -lt "29" ]; then
tar xf ziti-linux.tar.gz ziti/ziti --strip-components 1
else
tar xf ziti-linux.tar.gz ziti
fi
# change it to be executable
chmod +x ziti
#cleanup the download
rm ziti-linux.tar.gz
ls -l
### copy to /opt
mkdir -p /opt/openziti/bin
cp ziti /opt/openziti/bin
ls -la /opt/openziti/bin
}
# figure out the link for ziti binary, then call download to get the correct binary.
upgrade_ziti()
{
upgrade_release="${CONTROLLER_VERSION:1}"
echo -e "Upgrading ziti version to ${upgrade_release}"
response=$(curl -k -d -H "Accept: application/json" -X GET https://gateway.production.netfoundry.io/core/v2/network-versions?zitiVersion=${upgrade_release})
#upgradelink="https://github.com/openziti/ziti/releases/download/v"${upgrade_release}"/ziti-linux-amd64-"${upgrade_release}".tar.gz"
aarch=$(uname -m)
echo ${response} > mopresponse.json
if jq -e . >/dev/null 2>&1 <<<"${response}"; then
if [[ $aarch == "aarch64" ]]; then
upgradelink=$(echo ${response} | jq -r '._embedded["network-versions"][0].jsonNode.zitiBinaryBundleLinuxARM64')
elif [[ $aarch == "armv7l" ]]; then
upgradelink=$(echo ${response} | jq -r '._embedded["network-versions"][0].jsonNode.zitiBinaryBundleLinuxARM')
else
upgradelink=$(echo ${response} | jq -r '._embedded["network-versions"][0].jsonNode.zitiBinaryBundleLinuxAMD64')
fi
download_ziti_binary
else
echo "!!!!!!!!!!Retrieve from console Failed."
fi
}
#
# main code starts here
#
# look to see if the ziti-router is already registered
echo Version: $VERSION
cd /etc/netfoundry/
aarch=$(uname -m)
echo $aarch
CERT_FILE="certs/cert.pem"
CERT_FILE_OLD="certs/client.cert"
if [[ -n "${REG_KEY:-}" ]]; then
# user supplied Registration KEY
if [[ -s "${CERT_FILE}" ]]; then
# there is certificate file already, so we ignore the reg key.
echo "INFO: Found cert file ${CERT_FILE}"
echo " REG key ignored."
elif [[ -s "${CERT_FILE_OLD}" ]]; then
# there is certificate file already, so we ignore the reg key.
echo "INFO: Found cert file ${CERT_FILE_OLD}"
echo " REG key ignored."
else
echo REGKEY: $REG_KEY
firsttwo="${REG_KEY:0:2}"
length=${#REG_KEY}
# check which network the key comes from
if [[ $length == "11" ]]; then
# V8 production network
reg_url="https://gateway.production.netfoundry.io/core/v3/edge-router-registrations/${REG_KEY}"
elif [[ $length == "10" ]]; then
# V7 production network
reg_url="https://gateway.production.netfoundry.io/core/v2/edge-routers/register/${REG_KEY}"
elif [[ $firsttwo == "SA" ]]; then
if [[ $length == "12" ]]; then
reg_url="https://gateway.sandbox.netfoundry.io/core/v2/edge-routers/register/${REG_KEY}"
elif [[ $length == "13" ]]; then
reg_url="https://gateway.sandox.netfoundry.io/core/v3/edge-router-registrations/${REG_KEY}"
else
echo Sandbox Registration code: $REGKEY is not correct, Length: $length
exit
fi
elif [[ $firsttwo == "ST" ]]; then
if [[ $length == "12" ]]; then
reg_url="https://gateway.staging.netfoundry.io/core/v2/edge-routers/register/${REG_KEY}"
elif [[ $length == "13" ]]; then
reg_url="https://gateway.staging.netfoundry.io/core/v3/edge-router-registrations/${REG_KEY}"
else
echo Staging Registration code: $REGKEY is not correct, Length: $length
exit
fi
else
echo Registration code: $REGKEY is not correct, Length: $length
exit
fi
# contact console to get router information.
response=$(curl -k -d -H "Content-Type: application/json" -X POST ${reg_url})
echo $response >reg_response
jwt=$(echo $response |jq -r .edgeRouter.jwt)
networkControllerHost=$(echo $response |jq -r .networkControllerHost)
# get the link to the binary based on the architecture.
if [[ $aarch == "aarch64" ]]; then
upgradelink=$(echo $response |jq -r .productMetadata.zitiBinaryBundleLinuxARM64)
elif [[ $aarch == "armv7l" ]]; then
upgradelink=$(echo ${response} | jq -r .productMetadata.zitiBinaryBundleLinuxARM)
else
upgradelink=$(echo $response |jq -r .productMetadata.zitiBinaryBundleLinuxAMD64)
fi
#echo $jwt
#echo $networkControllerHost
#echo $upgradelink
# get the ziti version
zitiVersion=$(echo $response |jq -r .productMetadata.zitiVersion)
# need to figure out CONTROLLER verion
#CONTROLLER_REP=$(curl -s -k -H -X "https://${networkControllerHost}:443/edge/v1/version")
# for ha, we will need to use different endpoint.
CONTROLLER_REP=$(curl -s -k -H -X "https://${networkControllerHost}:443/edge/client/v1/version")
if jq -e . >/dev/null 2>&1 <<<"$CONTROLLER_REP"; then
CONTROLLER_VERSION=$(echo ${CONTROLLER_REP} | jq -r .data.version)
else
echo "!!!!!!!!!!Retrieve controller verion Failed."
fi
# save jwt retrieved from console, and register router
echo $jwt > docker.jwt
# create router config
register_router
fi
else
if [[ -s "${CERT_FILE}" || -s "${CERT_FILE_OLD}" ]]; then
echo "INFO: Found cert file"
else
echo "ERROR: Need to specify REG_KEY for registration"
exit 1
fi
fi
# now check if edge router version is same as controller
get_controller_version
# copy the ziti local copy (on the host) to /opt/openziti/bin .
if [[ ! -f "/opt/openziti/bin/ziti" ]] && [ -f "ziti" ]; then
echo "Copy saved ziti file to execute dir"
mkdir -p /opt/openziti/bin
cp ziti /opt/openziti/bin
fi
if [[ -f "/opt/openziti/bin/ziti" ]]; then
ZITI_VERSION=$(/opt/openziti/bin/ziti -v 2>/dev/null)
else
ZITI_VERSION="Not Found"
fi
echo Router version: $ZITI_VERSION
# check if the version is the same
if [ "$CONTROLLER_VERSION" == "$ZITI_VERSION" ]; then
echo "Ziti version match, no download necessary"
else
upgrade_ziti
fi
echo "INFO: running ziti-router"
# turn on the verbose mode if user defines it
if [ -z "$VERBOSE" ]; then
OPS=""
else
OPS="-v"
fi
# if we get here, we are running the autonomous router in normal mode
echo "Autonomous router mode"
ZITI_VERSION=$(/opt/openziti/bin/ziti -v 2>/dev/null)
/opt/openziti/bin/ziti router run config.yml $OPS &
set -x
while true; do
sleep 60
get_controller_version
if [ -z "$CONTROLLER_VERSION" ]; then
echo "Controller version not found, skip upgrade check"
else
if [ "$CONTROLLER_VERSION" != "$ZITI_VERSION" ]; then
pkill ziti
upgrade_ziti
ZITI_VERSION=$(/opt/openziti/bin/ziti -v 2>/dev/null)
echo "INFO: restarting ziti-router"
/opt/openziti/bin/ziti router run config.yml $OPS &
fi
fi
## check if ziti is running or not
if pgrep -x "/opt/openziti/bin/ziti" > /dev/null
then
echo ziti is running
else
# ziti not running, restart
/opt/openziti/bin/ziti router run config.yml $OPS &
fi
done