Merge pull request #1785 from openziti/docker-router-example

add docker tproxy router example
openziti · Mar 8, 2024 · 7b4b84a · 7b4b84a
2 parents c1ee24b + a176355
commit 7b4b84a
Show file tree

Hide file tree

Showing 12 changed files with 38 additions and 20 deletions.
diff --git a/.github/workflows/fablab-db-creation.yml b/.github/workflows/fablab-db-creation.yml
@@ -20,6 +20,7 @@ jobs:
   build:
     name: Build and Run
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'openziti'
     steps:
       - name: Checkout ziti
         uses: actions/checkout@v3

diff --git a/dist/dist-packages/linux/openziti-router/entrypoint.bash b/dist/dist-packages/linux/openziti-router/entrypoint.bash
@@ -10,9 +10,9 @@ set -o pipefail
 # shellcheck disable=SC1090 # default path is set by the systemd service
 source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
 # if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml"
-if [[ $# -eq 0 || ${1} == run ]]; then
-    bootstrap "${2:-}"
+if [ "${1:-run}" == run ]; then
+    bootstrap "${2:-config.yml}"
 fi
 
 # shellcheck disable=SC2068
-exec ziti router ${@}
+exec ziti router ${@:-run config.yml}
diff --git a/dist/docker-images/ziti-router/Dockerfile b/dist/docker-images/ziti-router/Dockerfile
@@ -19,10 +19,17 @@ RUN INSTALL_PKGS="util-linux iptables" && \
 
 # set a var for entrypoint.bash to find this script
 ENV ZITI_ROUTER_BOOTSTRAP_BASH=/bootstrap.bash
+ENV ZITI_ROUTER_TYPE=edge
+ENV ZITI_ROUTER_ADVERTISED_PORT=3022
+ENV ZITI_BOOTSTRAP_CONFIG=true
+ENV ZITI_BOOTSTRAP_ENROLLMENT=true
+ENV PFXLOG_NO_JSON=true
 COPY ./dist/dist-packages/linux/openziti-router/bootstrap.bash ${ZITI_ROUTER_BOOTSTRAP_BASH}
-
 COPY ./dist/dist-packages/linux/openziti-router/entrypoint.bash /
 
+WORKDIR /ziti-router
+RUN chown -R ziggy:ziggy /ziti-router
+
 # run as ziggy (2171:2171) by default, override run-as user with root when DOCKER_ROUTER_MODE=tproxy
 USER ziggy
 

diff --git a/dist/docker-images/ziti-router/README.md b/dist/docker-images/ziti-router/README.md
@@ -39,17 +39,14 @@ services:
   # add a web client that waits for a healthy tproxy router
   tproxy-demo-client:
     image: busybox
-    network_mode: service:run-ziti-router
+    network_mode: service:ziti-router
     depends_on:
-      run-ziti-router:
+      ziti-router:
         condition: service_healthy
-    command: wget --output-document=- http://hello.internal:8000/
+    command: wget --output-document=- http://hello.internal/
 
   # link the router to the quickstart network so it can reach the Ziti controller
-  enroll-ziti-router:
-    networks:
-      - quickstart
-  run-ziti-router:
+  ziti-router:
     networks:
       - quickstart
 EOF
@@ -73,23 +70,23 @@ ziti edge update identity quickstart-router \
     --role-attributes=hello.servers
 
 # create a second Ziti router to use as a tproxy client
-ziti edge create edge-router "tproxyRouter" \
-   --jwt-output-file=/tmp/tproxyRouter.jwt \
+ziti edge create edge-router "tproxy-router" \
+   --jwt-output-file=./tproxy-router.jwt \
    --tunneler-enabled
 
 # grant the tproxy client permission to dial (consume) the hello service
-ziti edge update identity tproxyRouter \
+ziti edge update identity tproxy-router \
     --role-attributes=hello.clients
 
 # simulate policies to check for authorization problems
 ziti edge policy-advisor services -q
 
 # run the demo client which triggers the run of the tproxy router because it is a dependency
-ZITI_ROUTER_JWT="$(</tmp/tproxyRouter.jwt)" \
+ZITI_ROUTER_JWT="$(<./tproxyRouter.jwt)" \
 ZITI_ROUTER_MODE=tproxy \
 ZITI_CTRL_ADVERTISED_ADDRESS=quickstart \
 ZITI_CTRL_ADVERTISED_PORT=1280 \
 ZITI_ROUTER_PORT=3023 \
-ZITI_ROUTER_ADVERTISED_ADDRESS=run-ziti-router \
+ZITI_ROUTER_ADVERTISED_ADDRESS=ziti-router \
     docker compose up tproxy-demo-client
 ```
diff --git a/dist/docker-images/ziti-router/compose.yml b/dist/docker-images/ziti-router/compose.yml
@@ -30,6 +30,8 @@ services:
       ZITI_ROUTER_MODE: ${ZITI_ROUTER_MODE:-host}                     # host, tproxy, tproxy (tproxy requires additional config below)
       # *** less relevant vars below ***
       ZITI_ROUTER_TYPE: edge           # edge, fabric
+      ZITI_ROUTER_NAME: ziti-router    # ensure the computed filenames based on this var are consistent, not based on
+                                       #  ephemeral container id
       ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"
       ZITI_BOOTSTRAP_ENROLLMENT: true  # enroll with controller if "true," overwrite if "force"
       PFXLOG_NO_JSON: true

diff --git a/quickstart/docker/all-in-one/compose.yml b/quickstart/docker/all-in-one/compose.yml
@@ -23,7 +23,7 @@ services:
         ZITI_CMD+=" --ctrl-address ${EXTERNAL_DNS:-quickstart}"\
         " --ctrl-port ${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}"\
         " --router-address ${EXTERNAL_DNS:-quickstart}"\
-        " --router-port ${ZITI_ROUTER_PORT:-3022}"\
+        " --router-port ${ZITI_ROUTER_ADVERTISED_PORT:-3022}"\
         " --password ${ZITI_PWD:-admin}"
         echo "DEBUG: run command is: ziti $${@} $${ZITI_CMD}"
         exec ziti "$${@}" $${ZITI_CMD}
@@ -38,10 +38,10 @@ services:
       - ${ZITI_HOME:-ziti_home}:/home/ziggy
     ports:
       - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}:${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}
-      - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_PORT:-3022}:${ZITI_ROUTER_PORT:-3022}
+      - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_ADVERTISED_PORT:-3022}:${ZITI_ROUTER_ADVERTISED_PORT:-3022}
     expose:
       - ${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}
-      - ${ZITI_ROUTER_PORT:-3022}
+      - ${ZITI_ROUTER_ADVERTISED_PORT:-3022}
     depends_on:
       quickstart-init:
         condition: service_completed_successfully

diff --git a/ziti/cmd/create/config_templates/router.yml b/ziti/cmd/create/config_templates/router.yml
@@ -40,7 +40,7 @@ link:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#{{ end }}  - binding: tunnel
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#{{ end }}    options:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#      mode: host #tproxy|host{{ else }}      mode: {{ .Router.TunnelerMode }} #tproxy|host{{ end }}
-{{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") }}      resolver: udp://0.0.0.0:53{{ end }}
+{{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") }}      resolver: {{ .Router.Edge.Resolver }}{{ end }}
 {{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") (.Router.Edge.LanInterface) }}      lanIf: {{ .Router.Edge.LanInterface }}{{ end }}
 {{ if .Router.IsFabric -}}
 csr:

diff --git a/ziti/cmd/create/create_config.go b/ziti/cmd/create/create_config.go
@@ -166,6 +166,7 @@ type EdgeRouterTemplateValues struct {
 	IPOverride       string
 	AdvertisedHost   string
 	LanInterface     string
+	Resolver         string
 	ListenerBindPort string
 	CsrC             string
 	CsrST            string
@@ -280,6 +281,7 @@ func (data *ConfigTemplateValues) PopulateConfigValues() {
 	// ************* Router Values ************
 	data.Router.Edge.Port = cmdHelper.GetZitiEdgeRouterPort()
 	data.Router.Edge.ListenerBindPort = cmdHelper.GetZitiEdgeRouterListenerBindPort()
+	data.Router.Edge.Resolver = cmdHelper.GetZitiEdgeRouterResolver()
 	data.Router.Edge.CsrC = cmdHelper.GetZitiEdgeRouterC()
 	data.Router.Edge.CsrST = cmdHelper.GetZitiEdgeRouterST()
 	data.Router.Edge.CsrL = cmdHelper.GetZitiEdgeRouterL()

diff --git a/ziti/cmd/create/create_config_environment.go b/ziti/cmd/create/create_config_environment.go
@@ -125,6 +125,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 				{constants.ZitiRouterIdentityCAVarName, constants.ZitiRouterIdentityCAVarDescription, data.Router.IdentityCA},
 				{constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride},
 				{constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost},
+				{constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver},
 				{constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC},
 				{constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST},
 				{constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL},
@@ -203,6 +204,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiRouterIdentityCAVarName, constants.ZitiRouterIdentityCAVarDescription, data.Router.IdentityCA))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost))
+	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL))

diff --git a/ziti/cmd/create/create_config_router_edge.go b/ziti/cmd/create/create_config_router_edge.go
@@ -76,6 +76,7 @@ func NewCmdCreateConfigRouterEdge(routerOptions *CreateConfigRouterOptions, data
 			data.Router.IsPrivate = routerOptions.IsPrivate
 			data.Router.TunnelerMode = routerOptions.TunnelerMode
 			data.Router.Edge.LanInterface = routerOptions.LanInterface
+			data.Router.Edge.Resolver = cmdhelper.GetZitiEdgeRouterResolver()
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			routerOptions.Cmd = cmd

diff --git a/ziti/cmd/helpers/env_helpers.go b/ziti/cmd/helpers/env_helpers.go
@@ -17,6 +17,7 @@
 package helpers
 
 import (
+	"github.com/openziti/ziti/router/xgress_edge_tunnel"
 	edge "github.com/openziti/ziti/controller/config"
 	"github.com/openziti/ziti/ziti/constants"
 	"github.com/pkg/errors"
@@ -197,6 +198,9 @@ func NormalizePath(input string) string {
 func GetRouterAdvertisedAddress() string {
 	return getFromEnv(constants.ZitiEdgeRouterAdvertisedAddressVarName, HostnameOrNetworkName)
 }
+func GetZitiEdgeRouterResolver() string {
+	return getFromEnv(constants.ZitiEdgeRouterResolverVarName, defaultValue(xgress_edge_tunnel.DefaultDnsResolver))
+}
 func GetRouterSans() string {
 	return getFromEnv(constants.ZitiRouterCsrSansDnsVarName, GetRouterAdvertisedAddress)
 }
diff --git a/ziti/constants/constants.go b/ziti/constants/constants.go
@@ -124,6 +124,8 @@ const (
 	ZitiEdgeRouterAdvertisedAddressVarDescription    = "The advertised address of the router"
 	ZitiEdgeRouterListenerBindPortVarName            = "ZITI_ROUTER_LISTENER_BIND_PORT"
 	ZitiEdgeRouterListenerBindPortVarDescription     = "The port a public router will advertise on"
+	ZitiEdgeRouterResolverVarName                    = "ZITI_ROUTER_TPROXY_RESOLVER"
+	ZitiEdgeRouterResolverVarDescription             = "The bind URI to listen for DNS requests in tproxy mode"
 	ZitiEdgeRouterCsrCVarName                        = "ZITI_ROUTER_CSR_C"
 	ZitiEdgeRouterCsrCVarDescription                 = "The country (C) to use for router CSRs"
 	ZitiEdgeRouterCsrSTVarName                       = "ZITI_ROUTER_CSR_ST"