-
Notifications
You must be signed in to change notification settings - Fork 154
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add Linux package openziti-controller
- Loading branch information
Showing
11 changed files
with
271 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
168 changes: 168 additions & 0 deletions
168
dist/dist-packages/linux/openziti-controller/bootstrap.bash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,168 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# bootstrap the OpenZiti Controller with PKI, config file, and database | ||
# | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
|
||
# use the ziti executable that the 'openziti' package installed | ||
PATH=/opt/openziti/bin:$PATH | ||
|
||
# | ||
# defaults | ||
# | ||
|
||
# used by "ziti pki create server" as DNS SAN and "ziti create config controller" as advertised address | ||
: "${ZITI_CONTROLLER_ADVERTISED_ADDRESS:=$(hostname -f)}" | ||
|
||
function makePki() { | ||
# | ||
# create root and intermediate CA | ||
# | ||
|
||
if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then | ||
echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2 | ||
exit 1 | ||
fi | ||
|
||
ROOT_CA_DIR="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}" | ||
if ! [ -d "$ROOT_CA_DIR" ]; then | ||
ziti pki create ca \ | ||
--pki-root "./${ZITI_PKI_ROOT}" \ | ||
--ca-file "${ZITI_CA_FILE}" | ||
fi | ||
|
||
ZITI_PKI_SIGNER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_INTERMEDIATE_FILE}.cert" | ||
ZITI_PKI_SIGNER_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_INTERMEDIATE_FILE}.key" | ||
if [[ ! -s "$ZITI_PKI_SIGNER_CERT" && ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then | ||
ziti pki create intermediate \ | ||
--pki-root "./${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_CA_FILE}" \ | ||
--intermediate-file "${ZITI_INTERMEDIATE_FILE}" | ||
elif [[ ! -s "$ZITI_PKI_SIGNER_CERT" || ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then | ||
echo "ERROR: $ZITI_PKI_SIGNER_CERT and $ZITI_PKI_SIGNER_KEY must both exist or neither exist as non-empty files" >&2 | ||
exit 1 | ||
fi | ||
|
||
# | ||
# create server and client keys | ||
# | ||
|
||
if [ "$ZITI_SERVER_FILE" == "$ZITI_CLIENT_FILE" ]; then | ||
echo "ERROR: ZITI_SERVER_FILE and ZITI_CLIENT_FILE must be different" >&2 | ||
exit 1 | ||
fi | ||
|
||
ZITI_PKI_CTRL_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_SERVER_FILE}.key" | ||
if ! [ -s "$ZITI_PKI_CTRL_KEY" ]; then | ||
ziti pki create key \ | ||
--pki-root "./${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" | ||
fi | ||
|
||
# use the server key for both client and server certs until "ziti create config controller" supports separate keys for | ||
# each | ||
# CLIENT_KEY_FILE="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_CLIENT_FILE}.key" | ||
# if ! [ -s "$CLIENT_KEY_FILE" ]; then | ||
# ziti pki create key \ | ||
# --pki-root "./${ZITI_PKI_ROOT}" \ | ||
# --ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
# --key-file "${ZITI_CLIENT_FILE}" | ||
# fi | ||
|
||
# | ||
# create server and client certs | ||
# | ||
|
||
# server cert | ||
ZITI_PKI_CTRL_SERVER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem" | ||
if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then | ||
ziti pki create server \ | ||
--pki-root "./${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" \ | ||
--server-file "${ZITI_SERVER_FILE}" \ | ||
--dns "${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" \ | ||
--allow-overwrite | ||
fi | ||
|
||
# client cert | ||
# use the server key for both client and server certs until "ziti create config controller" supports separate keys for | ||
# each | ||
ZITI_PKI_CTRL_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_CLIENT_FILE}.cert" | ||
if [[ "${ZITI_CERT_AUTO_RENEW}" == true || ! -s "$ZITI_PKI_CTRL_CERT" ]]; then | ||
ziti pki create client \ | ||
--pki-root "./${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" \ | ||
--client-file "${ZITI_CLIENT_FILE}" \ | ||
--allow-overwrite | ||
fi | ||
|
||
} | ||
|
||
function makeConfig() { | ||
# | ||
# create config file | ||
# | ||
|
||
# set the path to the root CA cert | ||
export ZITI_PKI_CTRL_CA="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert" | ||
|
||
# set the interface address on which to listen for connections; e.g., 0.0.0.0 | ||
export ZITI_CTRL_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}" | ||
export ZITI_CTRL_EDGE_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}" | ||
|
||
# set the URI of the router ctrl plane; e.g., ctrl.endpoint: ziti.example.com:443 | ||
export ZITI_CTRL_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" | ||
export ZITI_CTRL_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}" | ||
|
||
# set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:443 | ||
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" | ||
export ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}" | ||
|
||
# export the vars that were assigned inside this script to set the path to the server and client certs and their common | ||
# private key, and the intermediate (signer) CA cert and key | ||
export ZITI_PKI_CTRL_SERVER_CERT \ | ||
ZITI_PKI_CTRL_CERT \ | ||
ZITI_PKI_CTRL_KEY \ | ||
ZITI_PKI_SIGNER_CERT \ | ||
ZITI_PKI_SIGNER_KEY | ||
|
||
if [ ! -s "./${ZITI_CONTROLLER_CONFIG_FILE}" ]; then | ||
ziti create config controller \ | ||
--output "./${ZITI_CONTROLLER_CONFIG_FILE}" | ||
fi | ||
|
||
} | ||
|
||
function makeDatabase() { | ||
|
||
# | ||
# create default admin in database | ||
# | ||
|
||
# if the database file is in a subdirectory, create the directory so that "ziti controller edge init" can load the | ||
# controller config.yml which contains a check to ensure the directory exists | ||
DB_DIR="$(dirname "${ZITI_CTRL_DATABASE_FILE}")" | ||
if ! [ "$DB_DIR" == "." ]; then | ||
mkdir -p "./$DB_DIR" | ||
fi | ||
|
||
if [[ $(wc -c <<< "${ZITI_PWD:-}") -gt 5 || -s /run/credentials/ZITI_PWD ]]; then | ||
ziti controller edge init "./${ZITI_CONTROLLER_CONFIG_FILE}" \ | ||
--username "${ZITI_USER}" \ | ||
--password "${ZITI_PWD:-$(< /run/credentials/ZITI_PWD)}" | ||
else | ||
echo "ERROR: use SetCredential or LoadCredential in"\ | ||
" ziti-controller.service or set env var ZITI_PWD of at least 5 characters" >&2 | ||
fi | ||
|
||
} | ||
|
||
if [ "${ZITI_BOOTSTRAP_PKI}" == true ]; then makePki; fi | ||
if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then makeConfig; fi | ||
if [ "${ZITI_BOOTSTRAP_DATABASE}" == true ]; then makeDatabase; fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,12 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# this thin wrapper script for the OpenZiti Controller enables | ||
# - evaluating arguments from the env file | ||
# - future: bootstrapping a default run environment with PKI and initialized database | ||
# this thin wrapper script for the OpenZiti Controller evaluates arguments from the env file | ||
# | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
|
||
# shellcheck disable=SC2068 # because we want to word-split args | ||
exec /opt/openziti/bin/ziti controller run $@ | ||
# shellcheck disable=SC2068 # because we must | ||
# shellcheck disable=SC2086 # word-split args | ||
exec /opt/openziti/bin/ziti controller run ${ZITI_CONTROLLER_CONFIG_FILE} ${ZITI_CONTROLLER_RUN_ARGS} $@ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,54 @@ | ||
ZITI_CONTROLLER_RUN_ARGS="config.yml --log-formatter text --verbose" | ||
#PFXLOG_NO_JSON=true | ||
# | ||
# this is a systemd env file allowing simple assignments for ziti-controller.service environment | ||
# | ||
|
||
ZITI_CONTROLLER_RUN_ARGS="--log-formatter text" | ||
# ZITI_CONTROLLER_RUN_ARGS="--log-formatter text --verbose" | ||
# PFXLOG_NO_JSON=true | ||
|
||
# | ||
# for "ziti pki" and "ziti create config" commands in bootstrap.bash | ||
# | ||
|
||
# the advertised address of the controller is a domain name that can be resolved by all devices (default: hostname -f) | ||
ZITI_CONTROLLER_ADVERTISED_ADDRESS= | ||
# the advertised and listening port of the controller (default: 443) | ||
ZITI_CONTROLLER_ADVERTISED_PORT=443 | ||
# the interface address to bind the controller to (default: 0.0.0.0) | ||
ZITI_CONTROLLER_BIND_ADDRESS=0.0.0.0 | ||
|
||
# | ||
# for "ziti pki" commands in bootstrap.bash | ||
# | ||
|
||
# create a new PKI unless it exists | ||
ZITI_BOOTSTRAP_PKI=true | ||
# renew server and client certificates every startup (invalidates unused enrollment tokens) | ||
ZITI_AUTO_RENEW_CERTS=true | ||
# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller/pki | ||
ZITI_PKI_ROOT=pki | ||
# relative to ZITI_PKI_ROOT; root CA dir; e.g., /var/lib/ziti-controller/pki/root | ||
ZITI_CA_FILE=root | ||
# relative to ZITI_PKI_ROOT; intermediate CA dir; e.g., /var/lib/ziti-controller/pki/intermediate | ||
ZITI_INTERMEDIATE_FILE=intermediate | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_SERVER_FILE=controller-server-identity | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_CLIENT_FILE=controller-client-identity | ||
|
||
# | ||
# for "ziti create config" command in bootstrap.bash | ||
# | ||
# create a config file unless it exists | ||
ZITI_BOOTSTRAP_CONFIG=true | ||
# create a new config file relative to working directory unless it exists | ||
ZITI_CONTROLLER_CONFIG_FILE=config.yml | ||
ZITI_CTRL_DATABASE_FILE=ctrl.db | ||
|
||
# | ||
# for "ziti controller edge init" command in bootstrap.bash | ||
# | ||
# create a database unless it exists | ||
ZITI_BOOTSTRAP_DATABASE=true | ||
# must be 4 < 100 characters | ||
ZITI_USER=admin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters