diff --git a/dist/dist-packages/linux/nfpm-openziti-router.yaml b/dist/dist-packages/linux/nfpm-openziti-router.yaml index 36eec1710..bce61b2db 100644 --- a/dist/dist-packages/linux/nfpm-openziti-router.yaml +++ b/dist/dist-packages/linux/nfpm-openziti-router.yaml @@ -31,5 +31,10 @@ contents: - dst: /opt/openziti/etc/router/ src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash + +scripts: + postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash + preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash + depends: - openziti # ziti CLI diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.bash b/dist/dist-packages/linux/openziti-router/bootstrap.bash index ff098a47b..2aa51bed9 100755 --- a/dist/dist-packages/linux/openziti-router/bootstrap.bash +++ b/dist/dist-packages/linux/openziti-router/bootstrap.bash @@ -8,11 +8,11 @@ function makeConfig() { # create config file # - if [[ ! -s "./${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then + if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then ziti create config router "${ZITI_ROUTER_TYPE}" \ --tunnelerMode "${ZITI_ROUTER_MODE}" \ --routerName "${ZITI_ROUTER_NAME}" \ - --output "./${ZITI_ROUTER_CONFIG_FILE}" + --output "${ZITI_ROUTER_CONFIG_FILE}" fi } @@ -25,10 +25,10 @@ function enroll() { if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then # shellcheck disable=SC2188 - ziti router enroll "./${ZITI_ROUTER_CONFIG_FILE}" \ + ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \ --jwt <(echo "${ZITI_ENROLL_TOKEN}") elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then - ziti router enroll "./${ZITI_ROUTER_CONFIG_FILE}" \ + ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \ --jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN" else echo "ERROR: use SetCredential or LoadCredential in"\ 
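Review bot: The enrollment token remains in the environment of the long-running router after `ziti router enroll` has consumed it, because entrypoint.bash later `exec`s `ziti router` with the same environment and nothing in the `ZITI_ENROLL_TOKEN` branch clears the variable. Add `unset ZITI_ENROLL_TOKEN` after the `ziti router enroll ... --jwt <(echo "${ZITI_ENROLL_TOKEN}")` call so a one-time secret is not left readable in the service's process environment for its whole lifetime; the `/run/credentials` branch does not have this issue since systemd manages that file. The `enroll` function begins above this hunk, so only part of its conditional structure is visible here.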
@@ -69,9 +69,9 @@ function bootstrap() { # used by "ziti create config router" and "ziti create config environment" : "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}" : "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}" -: "${ZITI_CTRL_ADVERTISED_PORT:=443}" +: "${ZITI_CTRL_ADVERTISED_PORT:=1280}" export ZITI_ROUTER_NAME \ ZITI_ROUTER_ADVERTISED_ADDRESS \ ZITI_CTRL_ADVERTISED_PORT \ - ZITI_ROUTER_PORT="${ZITI_ROUTER_ADVERTISED_PORT}" \ - ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_ADVERTISED_PORT}" + ZITI_ROUTER_PORT \ + ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}" diff --git a/dist/dist-packages/linux/openziti-router/entrypoint.bash b/dist/dist-packages/linux/openziti-router/entrypoint.bash index 06e408deb..0ae6275cc 100755 --- a/dist/dist-packages/linux/openziti-router/entrypoint.bash +++ b/dist/dist-packages/linux/openziti-router/entrypoint.bash @@ -7,12 +7,27 @@ set -o errexit set -o nounset set -o pipefail -# shellcheck disable=SC1090 # default path is set by the systemd service +if ! (( $# )); then + # if no args, run the router with the default config file + set -- run config.yml +elif [[ ${1} == run && -z ${2:-} ]]; then + # if first arg is "run" and second arg is empty, run the router with the default config file + set -- run config.yml +fi + +# shellcheck disable=SC1090 # default path is assigned in env file source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}" -# if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml" -if [ "${1:-run}" == run ]; then - bootstrap "${2:-config.yml}" + +# if first arg is "run", bootstrap the router with the config file +if [ "${1}" == run ]; then + bootstrap "${2}" +fi + +# optionally renew certs at startup +if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then + # shellcheck disable=SC2068 + set -- ${@} --extend fi # shellcheck disable=SC2068 -exec ziti router ${@:-run config.yml} +exec ziti router ${@} 
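Review bot: `ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"` has no fallback, while `ZITI_CTRL_ADVERTISED_PORT` still gets a default two lines above. This script is sourced by entrypoint.bash under `set -o nounset`, so unless a default is assigned earlier in `bootstrap` (outside this hunk), an unset `ZITI_ROUTER_PORT` aborts startup with an unbound-variable error instead of falling back to the 3022 that the env file and compose file document. Add `: "${ZITI_ROUTER_PORT:=3022}"` beside the controller-port default so the documented default holds when no env file is present.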
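Review bot: The `--extend` flag is appended to whatever subcommand was passed, not only to `run`: the unit file sets `ZITI_AUTO_RENEW_CERTS=true`, and with that in place invoking the entrypoint with another subcommand (e.g. `enroll`) also receives `--extend`, which presumably those subcommands do not accept. Gate it on the subcommand, `if [[ ${1} == run && ${ZITI_AUTO_RENEW_CERTS:-} == true ]]; then set -- "$@" --extend; fi`, and drop the SC2068 suppressions by quoting, `exec ziti router "$@"`; the unquoted `${@}` word-splits any argument containing spaces, so a config path with a space would be broken into two arguments.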
diff --git a/dist/dist-packages/linux/openziti-router/env b/dist/dist-packages/linux/openziti-router/env index f5d676fa7..8016c6fcc 100644 --- a/dist/dist-packages/linux/openziti-router/env +++ b/dist/dist-packages/linux/openziti-router/env 
@@ -2,40 +2,36 @@ # this is a systemd env file allowing simple assignments for ziti-controller.service environment # -# disable JSON logging -PFXLOG_NO_JSON=true - # # for "ziti create config router edge" commands in bootstrap.bash # -# address and port of the controller (required) +# address of the controller (required) ZITI_CTRL_ADVERTISED_ADDRESS= -ZITI_CTRL_ADVERTISED_PORT= +# tcp port of the controller (default: 1280) +ZITI_CTRL_ADVERTISED_PORT=1280 + +# for better security, leave this assignment empty and create a file readable only by root containing the +# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in +# /lib/systemd/system/ziti-router.service +ZITI_ENROLL_TOKEN= +# the router's address must be resolvable by other routers and edge identities (default: fully qualified hostname) -# set identity filenames (default: hostname -s) -ZITI_ROUTER_NAME= -# the advertised address of the router is a domain name that can be resolved by all devices (default: hostname -f) ZITI_ROUTER_ADVERTISED_ADDRESS= -# the advertised and listening port of the router (default: 80) -ZITI_ROUTER_ADVERTISED_PORT= +# the advertised and listening port of the router (default: 3022) +ZITI_ROUTER_PORT=3022 + # the interface address on which to listen (default: 0.0.0.0) -ZITI_ROUTER_BIND_ADDRESS= +ZITI_ROUTER_BIND_ADDRESS="0.0.0.0" + # where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53) -ZITI_ROUTER_TPROXY_RESOLVER= +ZITI_ROUTER_TPROXY_RESOLVER="udp://127.0.0.1:53" + +# set identity filenames (default: unqualified hostname) +# ZITI_ROUTER_NAME= + # type of router (default: edge, options: edge, fabric) ZITI_ROUTER_TYPE=edge - # the mode of the router (default: host) requires that the router is administratively created with flag # --tunneler-enabled ZITI_ROUTER_MODE=host - -# create a config file unless it exists if "true", set "force" to overwrite -ZITI_BOOTSTRAP_CONFIG=true - -# enroll unless already enrolled if "true", set "force" 
to overwrite key and cert (requires new enrollment token) -ZITI_BOOTSTRAP_ENROLLMENT=true -# for better security, leave this assignment empty and create a file readable only by root containing the -# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in -# /lib/systemd/system/ziti-router.service -ZITI_ENROLL_TOKEN= \ No newline at end of file diff --git a/dist/dist-packages/linux/openziti-router/postinstall.bash b/dist/dist-packages/linux/openziti-router/postinstall.bash new file mode 100755 index 000000000..068dcca61 --- /dev/null +++ b/dist/dist-packages/linux/openziti-router/postinstall.bash 
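Review bot: The comment above `ZITI_ENROLL_TOKEN=` should also warn that this file is not only loaded by systemd but sourced by the package's postinstall.bash, which runs as root under `set -o xtrace`; a token placed here is therefore echoed into the package manager's output and any install log, in addition to staying in the router's environment. Suggest appending `# note: this file is also sourced by the package's postinstall script with tracing enabled, so a token set here is printed during install/upgrade`. The retained header comment above this hunk still says the file is for `ziti-controller.service`; it should read `ziti-router.service`.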
@@ -0,0 +1,218 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail +set -o xtrace + +install() { + checkSystemdVersion $MINIMUM_SYSTEMD_VERSION + commonActions + +} + +upgrade() { + # Step 2(upgrade), do what you need + commonActions + +} + +commonActions() { + makeTokenFile + loadEnv + promptCtrlAdvertisedAddress + promptRouterAdvertisedAddress + promptEnrollToken + promptRouterMode + promptRouterPort +} + +checkSystemdVersion() { + # Step 2 (clean install), enable the service in the proper way for this platform + if ! command -V systemctl &>/dev/null; then + echo "ERROR: required command 'systemctl' is missing" >&2 + return 1 + else + systemd_version=$(systemctl --version | awk '/^systemd/ {print $2}') + fi + + if [ "${systemd_version}" -lt "$1" ]; then + printf "\033[31m systemd version %s is less then 232, aborting \033[0m\n" "${systemd_version}" + return 1 + fi +} + +makeTokenFile() { + # unless it exists, create an empty enrollment token file with restrictive permissions so the service can start with + # LoadCredential enabled + ZITI_ENROLL_TOKEN_FILE=/opt/openziti/etc/router/.token + if ! 
[ -s "${ZITI_ENROLL_TOKEN_FILE}" ]; then + umask 0177 + touch "${ZITI_ENROLL_TOKEN_FILE}" + fi +} + +prompt() { + # return true if interactive and response is not empty + if [[ "${DEBIAN_FRONTEND:-}" != "noninteractive" && -t 0 ]]; then + read -r -p "$1" response + if [ -n "${response:-}" ]; then + echo "${response}" + else + return 1 + fi + else + echo "ERROR: non-interactive, unable prompt '$1'" >&2 + return 1 + fi +} + +loadEnv() { + # shellcheck disable=SC1091 + source /opt/openziti/etc/router/env +} + +promptCtrlAdvertisedAddress() { + if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then + if ZITI_CTRL_ADVERTISED_ADDRESS="$(prompt 'Enter the advertised address for the controller: ')"; then + if [ -n "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then + sed -Ei "s/^(ZITI_CTRL_ADVERTISED_ADDRESS)=.*/\1=${ZITI_CTRL_ADVERTISED_ADDRESS}/" /opt/openziti/etc/router/env + fi + else + echo "WARN: missing ZITI_CTRL_ADVERTISED_ADDRESS in /opt/openziti/etc/router/env" >&2 + fi + fi +} + +promptRouterAdvertisedAddress() { + if [ -z "${ZITI_ROUTER_ADVERTISED_ADDRESS:-}" ]; then + if ZITI_ROUTER_ADVERTISED_ADDRESS="$(prompt 'Enter the advertised address for this router: ')"; then + if [ -n "${ZITI_ROUTER_ADVERTISED_ADDRESS:-}" ]; then + sed -Ei "s/^(ZITI_ROUTER_ADVERTISED_ADDRESS)=.*/\1=${ZITI_ROUTER_ADVERTISED_ADDRESS}/" /opt/openziti/etc/router/env + fi + else + echo "WARN: missing ZITI_ROUTER_ADVERTISED_ADDRESS in /opt/openziti/etc/router/env" >&2 + fi + fi +} + +promptEnrollToken() { + # make ziti vars available in "ziti create config environment" + exportZitiVars + # shellcheck disable=SC1090 # compute the path to the identity file + source <(ZITI_HOME=/var/lib/ziti-router ziti create config environment) + # do nothing if identity file has stuff in it + if [ -s "${ZITI_ROUTER_IDENTITY_CERT}" ]; then + echo "INFO: enrolled identity exists in ${ZITI_ROUTER_IDENTITY_CERT}" + # prompt for enrollment token if interactive, unless already answered + else + 
ZITI_BOOTSTRAP_ENROLLMENT=$(awk -F= '/^Environment=ZITI_BOOTSTRAP_ENROLLMENT=/ {print $3}' /lib/systemd/system/ziti-router.service) + if ! [[ "${ZITI_BOOTSTRAP_ENROLLMENT:-}" == true ]]; then + echo "INFO: ZITI_BOOTSTRAP_ENROLLMENT is not true in /lib/systemd/system/ziti-router.service" >&2 + # do nothing if enrollment token is already defined in env file + elif [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then + echo "INFO: ZITI_ENROLL_TOKEN is defined in /opt/openziti/etc/router/env and will be used to enroll during"\ + "next startup" + elif grep -qE "^LoadCredential=ZITI_ENROLL_TOKEN=${ZITI_ENROLL_TOKEN_FILE}" \ + /lib/systemd/system/ziti-router.service \ + && [[ -s "${ZITI_ENROLL_TOKEN_FILE}" ]]; then + echo "INFO: ZITI_ENROLL_TOKEN is defined in ${ZITI_ENROLL_TOKEN_FILE} and will be used to"\ + "enroll during next startup " + elif grep -qE '^SetCredential=ZITI_ENROLL_TOKEN:.+' /lib/systemd/system/ziti-router.service; then + echo "INFO: ZITI_ENROLL_TOKEN is defined in /lib/systemd/system/ziti-router.service and will be used to"\ + "enroll during next startup" + else + if ZITI_ENROLL_TOKEN=$(prompt "Enter the enrollment token: "); then + if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then + echo "$ZITI_ENROLL_TOKEN" >| /opt/openziti/etc/router/.token + fi + else + echo "WARN: missing ZITI_ENROLL_TOKEN; use LoadCredential or SetCredential in"\ + "/lib/systemd/system/ziti-router.service or set in /opt/openziti/etc/router/env" >&2 + fi + fi + fi +} + +promptRouterMode() { + # if undefined or default value in env file, prompt for router mode, preserving default if no answer + if [[ -z "${ZITI_ROUTER_MODE:-}" || "${ZITI_ROUTER_MODE}" == host ]]; then + if ZITI_ROUTER_MODE="$(prompt 'Enter the router mode (eg. 
host, tproxy, proxy) [host]: ' || echo 'host')"; then + sed -Ei "s/^(ZITI_ROUTER_MODE)=.*/\1=${ZITI_ROUTER_MODE}/" /opt/openziti/etc/router/env + fi + fi + if [[ "${ZITI_ROUTER_MODE}" == tproxy ]]; then + grantNetAdmin + fi +} + +grantNetAdmin() { + # grant ambient capabilities to the router process if not already granted + if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' /lib/systemd/system/ziti-router.service; then + # uncomment the line + sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /lib/systemd/system/ziti-router.service + fi + systemctl daemon-reload +} + +promptRouterPort() { + # if undefined or default value in env file, prompt for router port, preserving default if no answer + if [[ -z "${ZITI_ROUTER_PORT:-}" || "${ZITI_ROUTER_PORT}" == 3022 ]]; then + if ZITI_ROUTER_PORT="$(prompt 'Enter the router port [3022]: ' || echo '3022')"; then + sed -Ei "s/^(ZITI_ROUTER_PORT)=.*/\1=${ZITI_ROUTER_PORT}/" /opt/openziti/etc/router/env + fi + fi + if [[ "${ZITI_ROUTER_PORT}" -le 1024 ]]; then + grantNetBindService + fi +} + +grantNetBindService() { + # grant binding privileged low ports unless already granted + if ! 
grep -qE '^AmbientCapabilities=CAP_NET_BIND_SERVICE' /lib/systemd/system/ziti-router.service; then + # uncomment the line + sed -Ei 's/.*AmbientCapabilities=CAP_NET_BIND_SERVICE/AmbientCapabilities=CAP_NET_BIND_SERVICE/' /lib/systemd/system/ziti-router.service + fi + systemctl daemon-reload +} + +exportZitiVars() { + # make ziti vars available in forks like "ziti create config environment" + for line in $(set | grep -e "^ZITI_" | sort); do + # shellcheck disable=SC2013 + for var in $(awk -F= '{print $1}' <<< "$line"); do + # shellcheck disable=SC2163 + export "$var" + done + done +} + +MINIMUM_SYSTEMD_VERSION=232 + +# Step 1, check if this is a clean install or an upgrade +if (( $# )); then + if [[ $1 == 1 || ($1 == configure && -z ${2:-}) ]]; then + # deb passes $1=configure, rpm passes $1=1 + action=install + elif [[ $1 == 2 || ($1 == configure && -n ${2:-}) ]]; then + # deb passes $1=configure $2=, rpm passes $1=2 + action=upgrade + else + echo "ERROR: unexpected action '$1'" >&2 + exit 1 + fi +else + echo "ERROR: missing action" >&2 + exit 1 +fi + +case "$action" in + "install") + printf "\033[32m Post Install of an clean install\033[0m\n" + install + ;; + "upgrade") + printf "\033[32m Post Install of an upgrade\033[0m\n" + upgrade + ;; +esac diff --git a/dist/dist-packages/linux/openziti-router/preremove.bash b/dist/dist-packages/linux/openziti-router/preremove.bash new file mode 100755 index 000000000..5ddede9ff --- /dev/null +++ b/dist/dist-packages/linux/openziti-router/preremove.bash @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail +set -o xtrace + +# if it exists and is still empty, clean up the enrollment token file that was created by postinstall.bash, allowing the +# package manager to remove the empty directory +ZITI_ENROLL_TOKEN_FILE=/opt/openziti/etc/router/.token +if [ -e "${ZITI_ENROLL_TOKEN_FILE}" ]; then + if ! [ -s "${ZITI_ENROLL_TOKEN_FILE}" ]; then + rm -f "${ZITI_ENROLL_TOKEN_FILE}" + fi +fi 
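Review bot: The `LoadCredential` check in `promptEnrollToken` can never match: it greps for `^LoadCredential=ZITI_ENROLL_TOKEN=${ZITI_ENROLL_TOKEN_FILE}` with `=` between the credential name and its path, while the unit file in this same change (and systemd's syntax) uses `:` as in `LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token`. A populated .token file is consequently ignored and the script falls through to prompting, or to the WARN on non-interactive installs; fix it with `grep -qE "^LoadCredential=ZITI_ENROLL_TOKEN:${ZITI_ENROLL_TOKEN_FILE}"`. Separately, `set -o xtrace` at the top means `ZITI_ENROLL_TOKEN=$(prompt ...)` and `echo "$ZITI_ENROLL_TOKEN" >| ...` print the token into the install output (and `loadEnv` traces every value in the env file), so bracket that branch with `set +o xtrace` / `set -o xtrace`. `[[ "${ZITI_ROUTER_PORT}" -le 1024 ]]` grants CAP_NET_BIND_SERVICE one port too far, since privileged ports are below 1024, and errors on non-numeric input, so validate digits and use `-lt 1024`; the prompted values are also interpolated into `sed` programs unescaped, so an address containing `/`, `&` or `\` corrupts the substitution.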
diff --git a/dist/dist-packages/linux/openziti-router/ziti-router.service b/dist/dist-packages/linux/openziti-router/ziti-router.service index 96623ee24..df9d943b4 100644 --- a/dist/dist-packages/linux/openziti-router/ziti-router.service +++ b/dist/dist-packages/linux/openziti-router/ziti-router.service 
@@ -3,38 +3,64 @@ Description=OpenZiti Router After=network-online.target [Service] -# "ziti router run" is the main process managed by this service and replaces entrypoint.bash -Type=simple -# manage the user and permissions for the service automatically -DynamicUser=yes +# +## Required Configuration +# -# allow binding low ports, e.g., 443/tcp -AmbientCapabilities=CAP_NET_BIND_SERVICE -# required when ZITI_ROUTER_MODE=tproxy -AmbientCapabilities=CAP_NET_ADMIN - - -# load enrollment token from a file readable only by root for better security +# you must provide an enrollment token to enroll the router at first startup in the .token file or by temporarily setting env var +# ZITI_ENROLL_TOKEN +# load enrollment token from a file readable only by root for better security; null the file after bootstrapping LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token -# or set one-time enrollment token as literal string + +# or, temporarily set one-time enrollment token as literal string # SetCredential=ZITI_ENROLL_TOKEN: -UMask=0007 -Restart=always -RestartSec=3 -LimitNOFILE=65535 -# relative to /var/lib -StateDirectory=ziti-router +# +## extra permissions +# -# absolute path where service will be run -WorkingDirectory=/var/lib/ziti-router +# allow binding low ports, e.g., 443/tcp +# AmbientCapabilities=CAP_NET_BIND_SERVICE +# allow adding IP routes and iptables rules; required when ZITI_ROUTER_MODE=tproxy +# AmbientCapabilities=CAP_NET_ADMIN +# +## options +# + +# additional environment variables used by ziti commands in bootstrap.bash +EnvironmentFile=/opt/openziti/etc/router/env # used by bootstrap.bash to look up /run/credentials/$UNIT_NAME/$CREDENTIAL_NAME Environment=UNIT_NAME=ziti-router.service -EnvironmentFile=/opt/openziti/etc/router/env +# disable JSON logging +Environment=PFXLOG_NO_JSON=true +# create a config file unless it exists if "true", set "force" to overwrite +Environment=ZITI_BOOTSTRAP_CONFIG=true +# enroll unless already enrolled if "true", 
set "force" to overwrite key and cert (requires new enrollment token) +Environment=ZITI_BOOTSTRAP_ENROLLMENT=true +# set the bootstrap function definitions for entrypoint.bash to source +Environment=ZITI_ROUTER_BOOTSTRAP_BASH=/opt/openziti/etc/router/bootstrap.bash +# renew server and client certificates every startup +Environment=ZITI_AUTO_RENEW_CERTS=true + +# +## misc +# +# manage the user and permissions for the service automatically +DynamicUser=yes +# relative to /var/lib +StateDirectory=ziti-router +# absolute path where service will be run +WorkingDirectory=/var/lib/ziti-router +# "ziti router run" is the main process managed by this service and replaces entrypoint.bash +Type=simple +UMask=0007 +Restart=always +RestartSec=3 +LimitNOFILE=65535 ExecStart=/opt/openziti/etc/router/entrypoint.bash run config.yml [Install] diff --git a/dist/docker-images/ziti-router/compose.yml b/dist/docker-images/ziti-router/compose.yml index a11e220b8..af6ec096c 100644 --- a/dist/docker-images/ziti-router/compose.yml +++ b/dist/docker-images/ziti-router/compose.yml @@ -23,10 +23,10 @@ services: environment: # *** these are the important vars to set *** ZITI_CTRL_ADVERTISED_ADDRESS: # domain name of the controller (required) - ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-443} # exposed port of the controller + ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280} # exposed port of the controller ZITI_ENROLL_TOKEN: # enrollment token for this router (required) ZITI_ROUTER_ADVERTISED_ADDRESS: # domain name for this router (default: the container ID [hostname -f]) - ZITI_ROUTER_ADVERTISED_PORT: ${ZITI_ROUTER_ADVERTISED_PORT-80} # exposed port for this router + ZITI_ROUTER_PORT: ${ZITI_ROUTER_PORT-3022} # exposed port for this router ZITI_ROUTER_MODE: ${ZITI_ROUTER_MODE:-host} # host, tproxy, tproxy (tproxy requires additional config below) # *** less relevant vars below *** ZITI_ROUTER_TYPE: edge # edge, fabric 
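Review bot: The comment `null the file after bootstrapping` is the only mechanism that clears a consumed token: the service runs with `DynamicUser=yes`, so bootstrap.bash cannot truncate the root-owned 0600 `.token` created by postinstall, and nothing in this change does it automatically. Say so explicitly, e.g. `# the service user cannot modify this file; after the first successful start, truncate it manually (: > /opt/openziti/etc/router/.token)`, so admins do not assume the scripts handle it. Note also that postinstall.bash rewrites this packaged unit in place to uncomment the `AmbientCapabilities=` lines; although `upgrade()` re-applies them, a drop-in under `/etc/systemd/system/ziti-router.service.d/` would avoid mutating a package-owned file, since `AmbientCapabilities=` entries from multiple files are merged.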
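Review bot: `ZITI_ROUTER_PORT: ${ZITI_ROUTER_PORT-3022}` uses the `-` form while the sibling `ZITI_CTRL_ADVERTISED_PORT` line uses `:-` and the `ports:` mapping in the next hunk uses `${ZITI_ROUTER_PORT:-3022}`. With `-`, an empty `ZITI_ROUTER_PORT=` in `.env` leaves the container variable empty while the host still publishes 3022, so the router's listener port and the published port diverge (or the entrypoint fails under nounset). Use `${ZITI_ROUTER_PORT:-3022}` here to keep the two consistent.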
@@ -38,10 +38,10 @@ services: ZITI_TIME_FORMAT: utc command: run config.yml ports: - # ensure this port matches the value of ZITI_ROUTER_ADVERTISED_PORT in the container - - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_ADVERTISED_PORT:-80}:${ZITI_ROUTER_ADVERTISED_PORT:-80} + # ensure this port matches the value of ZITI_ROUTER_PORT in the container + - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_PORT:-3022}:${ZITI_ROUTER_PORT:-3022} expose: - - ${ZITI_ROUTER_ADVERTISED_PORT:-80} + - ${ZITI_ROUTER_PORT:-3022} restart: unless-stopped healthcheck: test: @@ -61,6 +61,6 @@ services: # dns: # - 127.0.0.1 # this router's Ziti resolver # - 1.1.1.1 # any recursive resolver - # user: root # required to create TPROXY routes + # user: root # required to create TPROXY routes in a container? # cap_add: - # - NET_ADMIN # required to create TPROXY rules + # - NET_ADMIN # required to create TPROXY rules diff --git a/ziti/cmd/create/config_templates/router.yml b/ziti/cmd/create/config_templates/router.yml index 42e105f14..1bcf7944a 100644 --- a/ziti/cmd/create/config_templates/router.yml +++ b/ziti/cmd/create/config_templates/router.yml @@ -53,7 +53,7 @@ csr: dns: - localhost {{ if .Router.Edge.CsrSans }} - {{ .Router.Edge.CsrSans }}{{ end }} -{{ if ne .Router.Edge.CsrSans .Hostname }} - {{ .Hostname }}{{ end }} +{{ if ne .Router.Edge.CsrSans .HostnameOrNetworkName }} - {{ .HostnameOrNetworkName }}{{ end }} ip: - "127.0.0.1" {{ if .Router.Edge.IPOverride }} - "{{ .Router.Edge.IPOverride }}"{{ end }} @@ -69,7 +69,7 @@ edge: dns: - localhost {{ if .Router.Edge.CsrSans }} - {{ .Router.Edge.CsrSans }}{{ end }} -{{ if ne .Router.Edge.CsrSans .Hostname }} - {{ .Hostname }}{{ end }} +{{ if ne .Router.Edge.CsrSans .HostnameOrNetworkName }} - {{ .HostnameOrNetworkName }}{{ end }} ip: - "127.0.0.1" {{ if .Router.Edge.IPOverride }} - "{{ .Router.Edge.IPOverride }}"{{ end }} diff --git a/ziti/cmd/create/create_config.go b/ziti/cmd/create/create_config.go index e14471f05..7b93d0d1d 100644 
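Review bot: The comment `user: root # required to create TPROXY routes in a container?` now ends in a question mark, which tells a reader the authors are unsure whether root is needed on top of `NET_ADMIN`; a commented-out setting with security impact should not ship with an open question. Either verify and state the requirement, or mark it `# TODO(verify): whether root is needed in addition to NET_ADMIN for TPROXY routes` so it is not copied into production compose files as fact.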
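Review bot: `.HostnameOrNetworkName` is now emitted into the certificate's `dns:` SAN list, so when `ZITI_NETWORK_NAME` is set, that value — described elsewhere in this change as a "base filename used to construct paths", so presumably a short label rather than a resolvable name — lands in the CSR as a DNS SAN. An extra non-hostname SAN is likely harmless to clients that validate against the advertised address, but it is misleading in the issued certificate; if the intent is only to keep the hostname SAN when no network name is set, add a comment above these lines such as `# DNS SAN falls back to the hostname unless ZITI_NETWORK_NAME overrides it`, or emit the hostname separately. The same substitution is made in the `edge:` block's hunk below.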
--- a/ziti/cmd/create/create_config.go +++ b/ziti/cmd/create/create_config.go @@ -52,7 +52,7 @@ type CreateConfigOptions struct { type ConfigTemplateValues struct { ZitiHome string - Hostname string + HostnameOrNetworkName string Controller ControllerTemplateValues Router RouterTemplateValues @@ -231,7 +231,7 @@ func (options *CreateConfigOptions) addCreateFlags(cmd *cobra.Command) { func (data *ConfigTemplateValues) PopulateConfigValues() { // Get and add hostname to the params - data.Hostname = cmdHelper.HostnameOrNetworkName() + data.HostnameOrNetworkName = cmdHelper.HostnameOrNetworkName() // Get and add ziti home to the params zitiHome := cmdHelper.GetZitiHome() diff --git a/ziti/cmd/create/create_config_environment.go b/ziti/cmd/create/create_config_environment.go index ad261dfb5..99e84d5ee 100644 --- a/ziti/cmd/create/create_config_environment.go +++ b/ziti/cmd/create/create_config_environment.go @@ -93,6 +93,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command { environmentOptions.EnvVars = []EnvVar{ {constants.ZitiHomeVarName, constants.ZitiHomeVarDescription, data.ZitiHome}, + {constants.ZitiNetworkNameVarName, constants.ZitiNetworkNameVarDescription, data.HostnameOrNetworkName}, {constants.PkiCtrlCertVarName, constants.PkiCtrlCertVarDescription, data.Controller.Identity.Cert}, {constants.PkiCtrlServerCertVarName, constants.PkiCtrlServerCertVarDescription, data.Controller.Identity.ServerCert}, {constants.PkiCtrlKeyVarName, constants.PkiCtrlKeyVarDescription, data.Controller.Identity.Key}, 
@@ -175,6 +176,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command { "the config output.\n\nThe following environment variables can be set to override config values " + "(current value is displayed):\n") sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiHomeVarName, constants.ZitiHomeVarDescription, data.ZitiHome)) + sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiNetworkNameVarName, constants.ZitiNetworkNameVarDescription, data.HostnameOrNetworkName)) sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.PkiCtrlCertVarName, constants.PkiCtrlCertVarDescription, data.Controller.Identity.Cert)) sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.PkiCtrlServerCertVarName, constants.PkiCtrlServerCertVarDescription, data.Controller.Identity.ServerCert)) sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.PkiCtrlKeyVarName, constants.PkiCtrlKeyVarDescription, data.Controller.Identity.Key)) diff --git a/ziti/cmd/create/create_config_router_edge_test.go b/ziti/cmd/create/create_config_router_edge_test.go index ae642101c..68c5f05f1 100644 --- a/ziti/cmd/create/create_config_router_edge_test.go +++ b/ziti/cmd/create/create_config_router_edge_test.go 
@@ -238,7 +238,7 @@ func TestExecuteCreateConfigRouterEdgeHasNonBlankTemplateValues(t *testing.T) { _, data := createRouterConfig([]string{"edge", "--routerName", routerName}, routerOptions, nil) expectedNonEmptyStringFields := []string{".Router.Edge.ListenerBindPort", ".ZitiHome", ".Hostname", ".Router.Name", ".Router.IdentityCert", ".Router.IdentityServerCert", ".Router.IdentityKey", ".Router.IdentityCA", ".Router.Edge.Port"} - expectedNonEmptyStringValues := []*string{&data.Router.Edge.ListenerBindPort, &data.ZitiHome, &data.Hostname, &data.Router.Name, &data.Router.IdentityCert, &data.Router.IdentityServerCert, &data.Router.IdentityKey, &data.Router.IdentityCA, &data.Router.Edge.Port} + expectedNonEmptyStringValues := []*string{&data.Router.Edge.ListenerBindPort, &data.ZitiHome, &data.HostnameOrNetworkName, &data.Router.Name, &data.Router.IdentityCert, &data.Router.IdentityServerCert, &data.Router.IdentityKey, &data.Router.IdentityCA, &data.Router.Edge.Port} expectedNonEmptyIntFields := []string{".Router.Listener.OutQueueSize", ".Router.Wss.ReadBufferSize", ".Router.Wss.WriteBufferSize", ".Router.Forwarder.XgressDialQueueLength", ".Router.Forwarder.XgressDialWorkerCount", ".Router.Forwarder.LinkDialQueueLength", ".Router.Forwarder.LinkDialWorkerCount"} expectedNonEmptyIntValues := []*int{&data.Router.Listener.OutQueueSize, &data.Router.Wss.ReadBufferSize, &data.Router.Wss.WriteBufferSize, &data.Router.Forwarder.XgressDialQueueLength, &data.Router.Forwarder.XgressDialWorkerCount, &data.Router.Forwarder.LinkDialQueueLength, &data.Router.Forwarder.LinkDialWorkerCount} expectedNonEmptyTimeFields := []string{".Router.Listener.ConnectTimeout", "Router.Listener.GetSessionTimeout", ".Router.Wss.WriteTimeout", ".Router.Wss.ReadTimeout", ".Router.Wss.IdleTimeout", ".Router.Wss.PongTimeout", ".Router.Wss.PingInterval", ".Router.Wss.HandshakeTimeout"} 
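Review bot: `expectedNonEmptyStringFields` on the line above still lists `".Hostname"` while the matching pointer now refers to `data.HostnameOrNetworkName`, so a failure on that field would be reported under the old name; update the string to `".HostnameOrNetworkName"` to keep the two slices aligned. The rest of the test function lies outside this hunk.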
diff --git a/ziti/cmd/create/create_config_router_fabric_test.go b/ziti/cmd/create/create_config_router_fabric_test.go index 3269d58b1..eaeddbff1 100644 --- a/ziti/cmd/create/create_config_router_fabric_test.go +++ b/ziti/cmd/create/create_config_router_fabric_test.go 
@@ -20,7 +20,7 @@ func TestExecuteCreateConfigRouterFabricHasNonBlankTemplateValues(t *testing.T) _, data := createRouterConfig([]string{"fabric", "--routerName", routerName}, routerOptions, nil) expectedNonEmptyStringFields := []string{".Router.Listener.BindPort", ".ZitiHome", ".Hostname", ".Router.Name", ".Router.IdentityCert", ".Router.IdentityServerCert", ".Router.IdentityKey", ".Router.IdentityCA", ".Router.Edge.Port"} - expectedNonEmptyStringValues := []*string{&data.Router.Edge.ListenerBindPort, &data.ZitiHome, &data.Hostname, &data.Router.Name, &data.Router.IdentityCert, &data.Router.IdentityServerCert, &data.Router.IdentityKey, &data.Router.IdentityCA, &data.Router.Edge.Port} + expectedNonEmptyStringValues := []*string{&data.Router.Edge.ListenerBindPort, &data.ZitiHome, &data.HostnameOrNetworkName, &data.Router.Name, &data.Router.IdentityCert, &data.Router.IdentityServerCert, &data.Router.IdentityKey, &data.Router.IdentityCA, &data.Router.Edge.Port} expectedNonEmptyIntFields := []string{".Router.Listener.OutQueueSize", ".Router.Wss.ReadBufferSize", ".Router.Wss.WriteBufferSize", ".Router.Forwarder.XgressDialQueueLength", ".Router.Forwarder.XgressDialWorkerCount", ".Router.Forwarder.LinkDialQueueLength", ".Router.Forwarder.LinkDialWorkerCount"} expectedNonEmptyIntValues := []*int{&data.Router.Listener.OutQueueSize, &data.Router.Wss.ReadBufferSize, &data.Router.Wss.WriteBufferSize, &data.Router.Forwarder.XgressDialQueueLength, &data.Router.Forwarder.XgressDialWorkerCount, &data.Router.Forwarder.LinkDialQueueLength, &data.Router.Forwarder.LinkDialWorkerCount} expectedNonEmptyTimeFields := []string{".Router.Listener.ConnectTimeout", "Router.Listener.GetSessionTimeout", ".Router.Wss.WriteTimeout", ".Router.Wss.ReadTimeout", ".Router.Wss.IdleTimeout", ".Router.Wss.PongTimeout", ".Router.Wss.PingInterval", ".Router.Wss.HandshakeTimeout"} diff --git a/ziti/cmd/create/create_config_test.go b/ziti/cmd/create/create_config_test.go index 37e3284f2..f02c25dc0 100644 
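Review bot: As in the edge test, `expectedNonEmptyStringFields` still names `".Hostname"` while the value slice now points at `data.HostnameOrNetworkName`; change the string to `".HostnameOrNetworkName"` so a failure message identifies the right field. The remainder of the test function is outside this hunk.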
--- a/ziti/cmd/create/create_config_test.go +++ b/ziti/cmd/create/create_config_test.go @@ -43,6 +43,7 @@ func getZitiEnvironmentVariables() []string { "ZITI_CTRL_EDGE_BIND_ADDRESS", "ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION", "ZITI_HOME", + "ZITI_NETWORK_NAME", "ZITI_ROUTER_ENROLLMENT_DURATION", "ZITI_ROUTER_ADVERTISED_ADDRESS", "ZITI_ROUTER_LISTENER_BIND_PORT", diff --git a/ziti/constants/constants.go b/ziti/constants/constants.go index a8b21c09e..8fc63ccaf 100644 --- a/ziti/constants/constants.go +++ b/ziti/constants/constants.go @@ -59,8 +59,11 @@ const ( // Env Var Constants const ( - ZitiHomeVarName = "ZITI_HOME" - ZitiHomeVarDescription = "Root home directory for Ziti-related files" + ZitiHomeVarName = "ZITI_HOME" + ZitiHomeVarDescription = "base dirname used to construct paths" + + ZitiNetworkNameVarName = "ZITI_NETWORK_NAME" + ZitiNetworkNameVarDescription = "base filename used to construct paths" PkiCtrlCertVarName = "ZITI_PKI_CTRL_CERT" PkiCtrlCertVarDescription = "Path to controller's default identity client cert"
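Review bot: The new descriptions `base dirname used to construct paths` and `base filename used to construct paths` are terse enough that the `ziti create config environment` listing no longer explains what either variable means, and the previous `Root home directory for Ziti-related files` was clearer for ZITI_HOME. Suggest `ZitiHomeVarDescription = "Root directory for Ziti-related files (base of all generated paths)"` and `ZitiNetworkNameVarDescription = "Network name used as the base filename for generated identity and config paths"`, adding the fallback to the hostname only once confirmed from `HostnameOrNetworkName`.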