add Linux package openziti-controller

.github/workflows/fablab-db-creation.yml

@@ -20,6 +20,7 @@ jobs:
   build:
     name: Build and Run
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'openziti'
     steps:
       - name: Checkout ziti
         uses: actions/checkout@v4

.github/workflows/publish-linux-packages.yml

@@ -16,6 +16,7 @@ jobs:
       matrix:
         package_name:
           - openziti
+          - openziti-controller
         arch:
           - goreleaser: amd64
             gox: amd64

dist/dist-packages/linux/nfpm-openziti-controller.yaml

@@ -0,0 +1,35 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-controller
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+  Provides a system service for running an OpenZiti Controller
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+# Contents to add to the package.
+contents:
+  - dst: /lib/systemd/system/
+    src: ./dist/dist-packages/linux/openziti-controller/ziti-controller.service
+
+  - dst: /opt/openziti/etc/controller
+    type: dir
+    file_info:
+      mode: 0755
+
+  - dst: /opt/openziti/etc/controller/
+    src: ./dist/dist-packages/linux/openziti-controller/env
+    type: config|noreplace
+
+  - dst: /opt/openziti/etc/controller/
+    src: ./dist/dist-packages/linux/openziti-controller/bootstrap.bash
+
+  - dst: /opt/openziti/etc/controller/
+    src: ./dist/dist-packages/linux/openziti-controller/entrypoint.bash
+depends:
+  - openziti  # ziti CLI

dist/dist-packages/linux/nfpm-openziti.yaml

@@ -23,10 +23,3 @@ contents:
     type: symlink
 replaces:
   - ziti-cli
-
-# packager-neutral scripts may be overridden by packager-specific scripts
-# scripts:
-  # preinstall: ./scripts/preinstall.sh
-  # postinstall: ./scripts/postinstall.sh
-  # preremove: ./scripts/preremove.sh
-  # postremove: ./scripts/postremove.sh

dist/dist-packages/linux/openziti-controller/bootstrap.bash

@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Controller with PKI, config file, and database
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# use the ziti executable that the 'openziti' package installed
+PATH=/opt/openziti/bin:$PATH
+
+#
+# defaults
+#
+
+function makePki() {
+  #
+  # create root and intermediate CA
+  #
+
+  # used by "ziti pki create server" as DNS SAN
+  if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+    echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\
+    "controller and verify the server certificate" >&2
+    return 1
+  fi
+
+  if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then
+    echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2
+    return 1
+  fi
+
+  ZITI_CA_CERT="${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert"
+  if [ ! -s "${ZITI_CA_CERT}" ]; then
+    ziti pki create ca \
+      --pki-root "${ZITI_PKI_ROOT}" \
+      --ca-file "${ZITI_CA_FILE}"
+  fi
+
+  ZITI_PKI_SIGNER_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_INTERMEDIATE_FILE}.cert"
+  ZITI_PKI_SIGNER_KEY="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_INTERMEDIATE_FILE}.key"
+  if [[ ! -s "$ZITI_PKI_SIGNER_CERT" && ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+    ziti pki create intermediate \
+      --pki-root "${ZITI_PKI_ROOT}" \
+      --ca-name "${ZITI_CA_FILE}" \
+      --intermediate-file "${ZITI_INTERMEDIATE_FILE}"
+  elif [[ ! -s "$ZITI_PKI_SIGNER_CERT" || ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+    echo "ERROR: $ZITI_PKI_SIGNER_CERT and $ZITI_PKI_SIGNER_KEY must both exist or neither exist as non-empty files" >&2
+    return 1
+  fi
+
+  #
+  # create server and client keys
+  #
+
+  if [ "$ZITI_SERVER_FILE" == "$ZITI_CLIENT_FILE" ]; then
+    echo "ERROR: ZITI_SERVER_FILE and ZITI_CLIENT_FILE must be different" >&2
+    return 1
+  fi
+
+  ZITI_PKI_CTRL_KEY="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_SERVER_FILE}.key"
+  if ! [ -s "$ZITI_PKI_CTRL_KEY" ]; then
+    ziti pki create key \
+      --pki-root "${ZITI_PKI_ROOT}" \
+      --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+      --key-file "${ZITI_SERVER_FILE}"
+  fi
+
+  # use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+  # each
+  # CLIENT_KEY_FILE="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_CLIENT_FILE}.key"
+  # if ! [ -s "$CLIENT_KEY_FILE" ]; then
+  #   ziti pki create key \
+  #     --pki-root "${ZITI_PKI_ROOT}" \
+  #     --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+  #     --key-file "${ZITI_CLIENT_FILE}"
+  # fi
+
+  #
+  # create server and client certs
+  #
+
+  # server cert
+  ZITI_PKI_CTRL_SERVER_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem"
+  if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then
+    ziti pki create server \
+      --pki-root "${ZITI_PKI_ROOT}" \
+      --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+      --key-file "${ZITI_SERVER_FILE}" \
+      --server-file "${ZITI_SERVER_FILE}" \
+      --dns "${ZITI_CTRL_ADVERTISED_ADDRESS}" \
+      --allow-overwrite
+  fi
+
+  # client cert
+  #   use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+  #   each
+  ZITI_PKI_CTRL_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_CLIENT_FILE}.cert"
+  if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_CERT" ]]; then
+    ziti pki create client \
+      --pki-root "${ZITI_PKI_ROOT}" \
+      --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+      --key-file "${ZITI_SERVER_FILE}" \
+      --client-file "${ZITI_CLIENT_FILE}" \
+      --allow-overwrite
+  fi
+
+}
+
+function makeConfig() {
+  #
+  # create config file
+  #
+
+  shopt -s nocasematch  # toggle off case-insensitive comparison to simplify regexp
+  if [[ -n "${1:-}" && "$1" =~ .*\.ya?ml$ ]]; then
+    local ZITI_CTRL_CONFIG_FILE="${1}"
+    shift
+  else
+    echo "ERROR: no config file path provided ending like *.yml" >&2
+    shopt -u nocasematch  # toggle on case-sensitive comparison
+    return 1
+  fi
+  shopt -u nocasematch  # toggle on case-sensitive comparison
+
+  # used by "ziti create config controller" as advertised address
+  if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+    echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\
+    " controller and verify the server certificate" >&2
+    return 1
+  fi
+
+  # set the path to the root CA cert
+  export ZITI_PKI_CTRL_CA="${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert"
+
+  # set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:1280
+  export  ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CTRL_ADVERTISED_ADDRESS}" \
+          ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CTRL_ADVERTISED_PORT}"
+
+  # export the vars that were assigned inside this script to set the path to the server and client certs and their common
+  # private key, and the intermediate (signer) CA cert and key
+  export  ZITI_PKI_CTRL_SERVER_CERT \
+          ZITI_PKI_CTRL_CERT \
+          ZITI_PKI_CTRL_KEY \
+          ZITI_PKI_SIGNER_CERT \
+          ZITI_PKI_SIGNER_KEY \
+          ZITI_CTRL_ADVERTISED_ADDRESS \
+          ZITI_CTRL_ADVERTISED_PORT \
+          ZITI_CTRL_BIND_ADDRESS \
+          ZITI_CTRL_EDGE_BIND_ADDRESS
+
+  if [[ ! -s "${ZITI_CTRL_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+    ziti create config controller \
+      --output "${ZITI_CTRL_CONFIG_FILE}"
+  fi
+
+}
+
+function makeDatabase() {
+
+  #
+  # create default admin in database
+  #
+
+  if [ -s "${ZITI_CTRL_DATABASE_FILE}" ]; then
+    return 0
+  fi
+
+  # if the database file is in a subdirectory, create the directory so that "ziti controller edge init" can load the
+  # controller config.yml which contains a check to ensure the directory exists
+  DB_DIR="$(dirname "${ZITI_CTRL_DATABASE_FILE}")"
+  if ! [ "$DB_DIR" == "." ]; then
+    mkdir -p "$DB_DIR"
+  fi
+
+  if [[ -n "${ZITI_PWD:-}" || -s /run/credentials/${UNIT_NAME:=ziti-controller.service}/ZITI_PWD ]]; then
+    ziti controller edge init "${ZITI_CTRL_CONFIG_FILE}" \
+      --username "${ZITI_USER}" \
+      --password "${ZITI_PWD:-$(< "/run/credentials/${UNIT_NAME}/ZITI_PWD")}"
+  else
+    echo  "ERROR: need admin password; use LoadCredential or SetCredential in"\
+          " /lib/systemd/system/ziti-controller.service or set env var ZITI_PWD with at least 5 characters" >&2
+    return 1
+  fi
+
+}
+
+function bootstrap() {
+
+  if [ -n "${1:-}" ]; then
+    local ZITI_CTRL_CONFIG_FILE="${1}"
+    echo "DEBUG: using config file path: $(realpath "${ZITI_CTRL_CONFIG_FILE}")" >&2
+  else
+    echo "ERROR: no config file path provided" >&2
+    return 1
+  fi
+
+  # make PKI unless it exists
+  if [ "${ZITI_BOOTSTRAP_PKI}"      == true ]; then
+    makePki
+  fi
+
+  # make config file unless it exists, set force to overwrite every startup
+  if [ "${ZITI_BOOTSTRAP_CONFIG}"   == true ]; then
+    makeConfig "${ZITI_CTRL_CONFIG_FILE}"
+  elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+    makeConfig "${ZITI_CTRL_CONFIG_FILE}" --force
+  fi
+
+  # make database unless it exists
+  if [ "${ZITI_BOOTSTRAP_DATABASE}" == true ]; then
+    makeDatabase
+  fi
+}

dist/dist-packages/linux/openziti-controller/entrypoint.bash

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Controller uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+# set -o xtrace  # debug startup
+
+# shellcheck disable=SC1090 # default path is set by the systemd service
+source "${ZITI_CTRL_BOOTSTRAP_BASH:-/opt/openziti/etc/controller/bootstrap.bash}"
+# if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml"
+if [ "${1:-run}" == run ]; then
+    bootstrap "${2:-config.yml}"
+fi
+
+# shellcheck disable=SC2068
+exec ziti controller ${@:-run config.yml}

dist/dist-packages/linux/openziti-controller/env

@@ -0,0 +1,42 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment
+#
+
+#
+# for "ziti pki" and "ziti create config controller" commands in bootstrap.bash
+#
+
+# the advertised address of the controller is a fully-qualified domain name; if defined this overrides any value set in
+# /lib/systemd/system/ziti-controller.service
+#ZITI_CTRL_ADVERTISED_ADDRESS=
+# the advertised and listening port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=1280
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_CTRL_BIND_ADDRESS=0.0.0.0
+
+#
+# for "ziti pki" commands in bootstrap.bash
+#
+
+# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller/pki
+ZITI_PKI_ROOT=pki
+# relative to ZITI_PKI_ROOT; root CA dir; e.g., /var/lib/ziti-controller/pki/root
+ZITI_CA_FILE=root
+# relative to ZITI_PKI_ROOT; intermediate CA dir; e.g., /var/lib/ziti-controller/pki/intermediate
+ZITI_INTERMEDIATE_FILE=intermediate
+# relative to intermediate CA "keys" and "certs" dirs
+ZITI_SERVER_FILE=server
+# relative to intermediate CA "keys" and "certs" dirs
+ZITI_CLIENT_FILE=client
+
+#
+# for "ziti controller edge init" command in bootstrap.bash
+#
+# path to BoltDB relative to working directory /var/lib/ziti-controller
+ZITI_CTRL_DATABASE_FILE=bbolt.db
+# must be 4 < 100 characters
+ZITI_USER=admin
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# password and set "LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd" in
+# /lib/systemd/system/ziti-controller.service
+ZITI_PWD=