Merge pull request #1884 from openziti/docker-controller

add Docker controller example
openziti · Apr 2, 2024 · 2fe25cc · 2fe25cc
2 parents 60fe207 + 3ff331f
commit 2fe25cc
Show file tree

Hide file tree

Showing 7 changed files with 137 additions and 6 deletions.
diff --git a/dist/dist-packages/linux/nfpm-openziti-controller.yaml b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
@@ -6,6 +6,7 @@ name: openziti-controller
 arch: ${GOARCH}
 platform: linux
 version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
 maintainer: ${ZITI_MAINTAINER}
 description: >
   Provides a system service for running an OpenZiti Controller

diff --git a/dist/dist-packages/linux/nfpm-openziti-router.yaml b/dist/dist-packages/linux/nfpm-openziti-router.yaml
@@ -6,6 +6,7 @@ name: openziti-router
 arch: ${GOARCH}
 platform: linux
 version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
 maintainer: ${ZITI_MAINTAINER}
 description: >
   Provides a system service for running an OpenZiti Router

diff --git a/dist/dist-packages/linux/nfpm-openziti.yaml b/dist/dist-packages/linux/nfpm-openziti.yaml
@@ -6,6 +6,7 @@ name: openziti
 arch: ${GOARCH}
 platform: linux
 version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
 maintainer: ${ZITI_MAINTAINER}
 description: >
   The openziti package provides the ziti executable binary as a command line

diff --git a/dist/docker-images/ziti-controller/Dockerfile b/dist/docker-images/ziti-controller/Dockerfile
@@ -3,6 +3,9 @@ ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
 # this builds docker.io/openziti/ziti-controller
 FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}
 
+ARG CONTROLLER_PACKAGE=./dist/dist-packages/linux/openziti-controller
+ARG DOCKER_BUILD_DIR=.
+
 # This build stage grabs artifacts that are copied into the final image.
 # It uses the same base as the final image to maximize docker cache hits.
 
@@ -13,9 +16,40 @@ LABEL name="openziti/ziti-controller" \
       summary="Run the OpenZiti Controller" \
       description="Run the OpenZiti Controller"
 
+# set up image as root, then drop privs to ziggy
 USER root
-COPY ./entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+# selectively toggle bootstrapping steps
+ENV ZITI_BOOTSTRAP_PKI=true
+ENV ZITI_BOOTSTRAP_CONFIG=true
+ENV ZITI_BOOTSTRAP_DATABASE=true
+
+# defaults for bootstrapping PKI
+ENV ZITI_PKI_ROOT=pki
+ENV ZITI_CA_FILE=root
+ENV ZITI_INTERMEDIATE_FILE=intermediate
+ENV ZITI_SERVER_FILE=server
+ENV ZITI_CLIENT_FILE=client
+
+# defaults for bootstrapping config
+ENV ZITI_CTRL_ADVERTISED_PORT=1280
+
+# defaults for bootstrapping database
+ENV ZITI_CTRL_DATABASE_FILE=bbolt.db
+ENV ZITI_USER=admin
+
+# emit human-friendly text logs
+ENV PFXLOG_NO_JSON=true
+# used by entrypoint.bash to source the bootstrapping script in this image
+ENV ZITI_CTRL_BOOTSTRAP_BASH=/bootstrap.bash
+# used by "ziti create config controller" as filename for the controller's identity files
+ENV ZITI_NETWORK_NAME=ctrl
+# used by ziti to format timestamps in output
+ENV ZITI_TIME_FORMAT=utc
+
+COPY ${CONTROLLER_PACKAGE}/bootstrap.bash ${ZITI_CTRL_BOOTSTRAP_BASH}
+COPY ${CONTROLLER_PACKAGE}/entrypoint.bash /
+
+# run as ziggy (2171:2171) by default
 USER ziggy
-ENTRYPOINT [ "/entrypoint.sh" ]
-CMD [ "run" ]
+ENTRYPOINT [ "/entrypoint.bash" ]
diff --git a/dist/docker-images/ziti-controller/README.md b/dist/docker-images/ziti-controller/README.md
@@ -0,0 +1,41 @@
+
+# Run Ziti Controller in Docker
+
+You can use this container image to run a Ziti Controller in a Docker container.
+
+## Container Image
+
+The `openziti/ziti-controller` image is thin and is based on the `openziti/ziti-cli` image, which only provides the
+`ziti` CLI. The `ziti-controller` image uses the same bootstrapping defaults and option variables as the Linux package.
+
+## Docker Compose
+
+The included `compose.yml` demonstrates how to bootstrap a controller container.
+
+### Example
+
+At a minimum, you must set the address and password options in the parent env or set every recurrence in the compose file.
+
+```bash
+ZITI_PWD="mypass" \
+ZITI_CTRL_ADVERTISED_ADDRESS=ctrl.127.0.0.1.sslip.io \
+    docker compose up
+```
+
+After a few seconds, `docker compose ps` will show a "healthy" status for the controller.
+
+Then, you may log in to the controller using the `ziti` CLI.
+
+```bash
+ziti edge login ctrl.127.0.0.1.sslip.io:1280 -u admin -p mypass
+```
+
+It's not always necessary to publish ports on every one of the Docker host's interfaces. You can instead publish the
+controller port only on a particular interface address by setting `ZITI_INTERFACE`.
+
+```bash
+ZITI_PWD="mypass" \
+ZITI_INTERFACE=127.21.71.0 \
+ZITI_CTRL_ADVERTISED_ADDRESS=ctrl.127.21.71.0.sslip.io \
+    docker compose up
+```
diff --git a/dist/docker-images/ziti-controller/compose.yml b/dist/docker-images/ziti-controller/compose.yml
@@ -0,0 +1,50 @@
+
+volumes:
+  ziti-controller:
+    driver: local
+
+services:
+  chown-volume:
+    image: busybox
+    command: chown -R ${ZIGGY_UID:-2171} /mnt
+    volumes:
+      - ziti-controller:/mnt
+
+  ziti-controller:
+    image: ${ZITI_CONTROLLER_IMAGE:-openziti/ziti-controller}
+    depends_on:
+      chown-volume:
+        condition: service_completed_successfully
+    volumes:
+      - ziti-controller:/mnt
+    working_dir: /mnt
+    # these declared vars pass through to container and should be assigned in an .env file or exported from parent env
+    # to ensure consistency throughout the compose project
+    environment:
+      # *** these are the important vars to set ***
+      ZITI_CTRL_ADVERTISED_ADDRESS:                                   # domain name of this controller (required)
+      ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280}   # exposed port of this controller
+      ZITI_PWD: ${ZITI_PWD:-}                                         # password for the default admin user
+
+      # *** less relevant vars below ***
+      ZITI_BOOTSTRAP_PKI: true
+      ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"
+      ZITI_BOOTSTRAP_DATABASE: true    # make the default admin user if "true"
+      ZITI_AUTO_RENEW_CERTS: true      # renew certs automatically every startup
+    command: run config.yml
+    ports:
+      # ensure this port matches the value of ZITI_CTRL_PORT in the container
+      - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_ADVERTISED_PORT:-1280}:${ZITI_CTRL_ADVERTISED_PORT:-1280}
+    expose:
+      - ${ZITI_CTRL_ADVERTISED_PORT:-1280}
+    restart: unless-stopped
+    healthcheck:
+      test:
+        - CMD
+        - ziti
+        - agent
+        - stats
+      interval: 3s
+      timeout: 3s
+      retries: 5
+      start_period: 15s
diff --git a/dist/docker-images/ziti-router/Dockerfile b/dist/docker-images/ziti-router/Dockerfile
@@ -3,6 +3,9 @@ ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
 # this builds docker.io/openziti/ziti-router
 FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}
 
+ARG ROUTER_PACKAGE=./dist/dist-packages/linux/openziti-router
+ARG DOCKER_BUILD_DIR=.
+
 ### Required OpenShift Labels
 LABEL name="openziti/ziti-router" \
       maintainer="[email protected]" \
@@ -24,8 +27,8 @@ ENV ZITI_ROUTER_PORT=3022
 ENV ZITI_BOOTSTRAP_CONFIG=true
 ENV ZITI_BOOTSTRAP_ENROLLMENT=true
 ENV PFXLOG_NO_JSON=true
-COPY ./dist/dist-packages/linux/openziti-router/bootstrap.bash ${ZITI_ROUTER_BOOTSTRAP_BASH}
-COPY ./dist/dist-packages/linux/openziti-router/entrypoint.bash /
+COPY ${ROUTER_PACKAGE}/bootstrap.bash ${ZITI_ROUTER_BOOTSTRAP_BASH}
+COPY ${ROUTER_PACKAGE}/entrypoint.bash /
 
 WORKDIR /ziti-router
 RUN chown -R ziggy:ziggy /ziti-router