require admin to set ctrl address

dist/dist-packages/linux/openziti-controller/bootstrap.bash

@@ -14,14 +14,18 @@ PATH=/opt/openziti/bin:$PATH
 # defaults
 #
 
-# used by "ziti pki create server" as DNS SAN and "ziti create config controller" as advertised address
-: "${ZITI_CONTROLLER_ADVERTISED_ADDRESS:=$(hostname -f)}"
-
 function makePki() {
   #
   # create root and intermediate CA
   #
 
+  # used by "ziti pki create server" as DNS SAN
+  if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+    echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\
+    " controller and verify the server certificate" >&2
+    return 1
+  fi
+
   if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then
     echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2
     exit 1
@@ -85,7 +89,7 @@ function makePki() {
       --ca-name "${ZITI_INTERMEDIATE_FILE}" \
       --key-file "${ZITI_SERVER_FILE}" \
       --server-file "${ZITI_SERVER_FILE}" \
-      --dns "${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" \
+      --dns "${ZITI_CTRL_ADVERTISED_ADDRESS}" \
       --allow-overwrite
   fi
 
@@ -109,6 +113,13 @@ function makeConfig() {
   # create config file
   #
 
+  # used by "ziti create config controller" as advertised address
+  if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+    echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\
+    " controller and verify the server certificate" >&2
+    return 1
+  fi
+
   # set the path to the root CA cert
   export ZITI_PKI_CTRL_CA="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert"
 
@@ -117,12 +128,12 @@ function makeConfig() {
   export ZITI_CTRL_EDGE_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}"
 
   # set the URI of the router ctrl plane; e.g., ctrl.endpoint: ziti.example.com:1280
-  export ZITI_CTRL_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
-  export ZITI_CTRL_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+  export  ZITI_CTRL_ADVERTISED_ADDRESS \
+          ZITI_CTRL_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
 
   # set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:1280
-  export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
-  export ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+  export  ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CTRL_ADVERTISED_ADDRESS}" \
+          ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
 
   # export the vars that were assigned inside this script to set the path to the server and client certs and their common
   # private key, and the intermediate (signer) CA cert and key

dist/dist-packages/linux/openziti-controller/env

@@ -13,7 +13,7 @@ PFXLOG_NO_JSON=true
 #
 
 # the advertised address of the controller is a domain name that can be resolved by all devices (default: hostname -f)
-ZITI_CONTROLLER_ADVERTISED_ADDRESS=
+ZITI_CTRL_ADVERTISED_ADDRESS=
 # the advertised and listening port of the controller (default: 1280)
 ZITI_CONTROLLER_ADVERTISED_PORT=1280
 # the interface address on which to listen (default: 0.0.0.0)

dist/dist-packages/linux/openziti-controller/ziti-controller.service

@@ -12,7 +12,8 @@ DynamicUser=yes
 # allow binding low ports, e.g., 443/tcp
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 
-# load password from a file; set owner to root and chmod 0400 for security
+# the bootstrapping script will initialize the default admin username and password by loading the password from a file
+# or env var; for security, set permissions to allow read only by root only and remove the file after first run
 LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd
 # or set a password as literal string
 # SetCredential=ZITI_PWD:admin
@@ -32,6 +33,7 @@ WorkingDirectory=/var/lib/ziti-controller
 Environment="UNIT_NAME=ziti-controller.service"
 EnvironmentFile=/opt/openziti/etc/controller/env
 
+ExecStartPre=/bin/chown -Rc ziti-controller:ziti-controller /var/lib/ziti-controller/
 ExecStart=/opt/openziti/etc/controller/entrypoint.bash
 
 [Install]