-
Notifications
You must be signed in to change notification settings - Fork 154
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add Linux package openziti-controller
- Loading branch information
Showing
17 changed files
with
512 additions
and
58 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,6 +16,7 @@ jobs: | |
matrix: | ||
package_name: | ||
- openziti | ||
- openziti-controller | ||
arch: | ||
- goreleaser: amd64 | ||
gox: amd64 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# nfpm configuration file | ||
# | ||
# check https://nfpm.goreleaser.com/configuration for detailed usage | ||
# | ||
name: openziti-controller | ||
arch: ${GOARCH} | ||
platform: linux | ||
version: ${ZITI_VERSION} | ||
maintainer: ${ZITI_MAINTAINER} | ||
description: > | ||
Provides a system service for running an OpenZiti Controller | ||
vendor: ${ZITI_VENDOR} | ||
homepage: ${ZITI_HOMEPAGE} | ||
license: Apache-2.0 | ||
# Contents to add to the package. | ||
contents: | ||
- dst: /lib/systemd/system/ | ||
src: ./dist/dist-packages/linux/openziti-controller/ziti-controller.service | ||
|
||
- dst: /opt/openziti/etc/controller | ||
type: dir | ||
file_info: | ||
mode: 0755 | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/env | ||
type: config|noreplace | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/bootstrap.bash | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/entrypoint.bash | ||
depends: | ||
- openziti # ziti CLI |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
215 changes: 215 additions & 0 deletions
215
dist/dist-packages/linux/openziti-controller/bootstrap.bash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,215 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# bootstrap the OpenZiti Controller with PKI, config file, and database | ||
# | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
|
||
# use the ziti executable that the 'openziti' package installed | ||
PATH=/opt/openziti/bin:$PATH | ||
|
||
# | ||
# defaults | ||
# | ||
|
||
function makePki() { | ||
# | ||
# create root and intermediate CA | ||
# | ||
|
||
# used by "ziti pki create server" as DNS SAN | ||
if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then | ||
echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\ | ||
"controller and verify the server certificate" >&2 | ||
return 1 | ||
fi | ||
|
||
if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then | ||
echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2 | ||
return 1 | ||
fi | ||
|
||
ZITI_CA_CERT="${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert" | ||
if [ ! -s "${ZITI_CA_CERT}" ]; then | ||
ziti pki create ca \ | ||
--pki-root "${ZITI_PKI_ROOT}" \ | ||
--ca-file "${ZITI_CA_FILE}" | ||
fi | ||
|
||
ZITI_PKI_SIGNER_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_INTERMEDIATE_FILE}.cert" | ||
ZITI_PKI_SIGNER_KEY="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_INTERMEDIATE_FILE}.key" | ||
if [[ ! -s "$ZITI_PKI_SIGNER_CERT" && ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then | ||
ziti pki create intermediate \ | ||
--pki-root "${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_CA_FILE}" \ | ||
--intermediate-file "${ZITI_INTERMEDIATE_FILE}" | ||
elif [[ ! -s "$ZITI_PKI_SIGNER_CERT" || ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then | ||
echo "ERROR: $ZITI_PKI_SIGNER_CERT and $ZITI_PKI_SIGNER_KEY must both exist or neither exist as non-empty files" >&2 | ||
return 1 | ||
fi | ||
|
||
# | ||
# create server and client keys | ||
# | ||
|
||
if [ "$ZITI_SERVER_FILE" == "$ZITI_CLIENT_FILE" ]; then | ||
echo "ERROR: ZITI_SERVER_FILE and ZITI_CLIENT_FILE must be different" >&2 | ||
return 1 | ||
fi | ||
|
||
ZITI_PKI_CTRL_KEY="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_SERVER_FILE}.key" | ||
if ! [ -s "$ZITI_PKI_CTRL_KEY" ]; then | ||
ziti pki create key \ | ||
--pki-root "${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" | ||
fi | ||
|
||
# use the server key for both client and server certs until "ziti create config controller" supports separate keys for | ||
# each | ||
# CLIENT_KEY_FILE="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_CLIENT_FILE}.key" | ||
# if ! [ -s "$CLIENT_KEY_FILE" ]; then | ||
# ziti pki create key \ | ||
# --pki-root "${ZITI_PKI_ROOT}" \ | ||
# --ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
# --key-file "${ZITI_CLIENT_FILE}" | ||
# fi | ||
|
||
# | ||
# create server and client certs | ||
# | ||
|
||
# server cert | ||
ZITI_PKI_CTRL_SERVER_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem" | ||
if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then | ||
ziti pki create server \ | ||
--pki-root "${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" \ | ||
--server-file "${ZITI_SERVER_FILE}" \ | ||
--dns "${ZITI_CTRL_ADVERTISED_ADDRESS}" \ | ||
--allow-overwrite | ||
fi | ||
|
||
# client cert | ||
# use the server key for both client and server certs until "ziti create config controller" supports separate keys for | ||
# each | ||
ZITI_PKI_CTRL_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_CLIENT_FILE}.cert" | ||
if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_CERT" ]]; then | ||
ziti pki create client \ | ||
--pki-root "${ZITI_PKI_ROOT}" \ | ||
--ca-name "${ZITI_INTERMEDIATE_FILE}" \ | ||
--key-file "${ZITI_SERVER_FILE}" \ | ||
--client-file "${ZITI_CLIENT_FILE}" \ | ||
--allow-overwrite | ||
fi | ||
|
||
} | ||
|
||
function makeConfig() { | ||
# | ||
# create config file | ||
# | ||
|
||
shopt -s nocasematch # toggle off case-insensitive comparison to simplify regexp | ||
if [[ -n "${1:-}" && "$1" =~ .*\.ya?ml$ ]]; then | ||
local ZITI_CTRL_CONFIG_FILE="${1}" | ||
shift | ||
else | ||
echo "ERROR: no config file path provided ending like *.yml" >&2 | ||
shopt -u nocasematch # toggle on case-sensitive comparison | ||
return 1 | ||
fi | ||
shopt -u nocasematch # toggle on case-sensitive comparison | ||
|
||
# used by "ziti create config controller" as advertised address | ||
if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then | ||
echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS must be set, i.e., the FQDN by which all devices will reach the"\ | ||
" controller and verify the server certificate" >&2 | ||
return 1 | ||
fi | ||
|
||
# set the path to the root CA cert | ||
export ZITI_PKI_CTRL_CA="${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert" | ||
|
||
# set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:1280 | ||
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CTRL_ADVERTISED_ADDRESS}" \ | ||
ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CTRL_ADVERTISED_PORT}" | ||
|
||
# export the vars that were assigned inside this script to set the path to the server and client certs and their common | ||
# private key, and the intermediate (signer) CA cert and key | ||
export ZITI_PKI_CTRL_SERVER_CERT \ | ||
ZITI_PKI_CTRL_CERT \ | ||
ZITI_PKI_CTRL_KEY \ | ||
ZITI_PKI_SIGNER_CERT \ | ||
ZITI_PKI_SIGNER_KEY \ | ||
ZITI_CTRL_ADVERTISED_ADDRESS \ | ||
ZITI_CTRL_ADVERTISED_PORT \ | ||
ZITI_CTRL_BIND_ADDRESS \ | ||
ZITI_CTRL_EDGE_BIND_ADDRESS | ||
|
||
if [[ ! -s "${ZITI_CTRL_CONFIG_FILE}" || "${1:-}" == --force ]]; then | ||
ziti create config controller \ | ||
--output "${ZITI_CTRL_CONFIG_FILE}" | ||
fi | ||
|
||
} | ||
|
||
function makeDatabase() { | ||
|
||
# | ||
# create default admin in database | ||
# | ||
|
||
if [ -s "${ZITI_CTRL_DATABASE_FILE}" ]; then | ||
return 0 | ||
fi | ||
|
||
# if the database file is in a subdirectory, create the directory so that "ziti controller edge init" can load the | ||
# controller config.yml which contains a check to ensure the directory exists | ||
DB_DIR="$(dirname "${ZITI_CTRL_DATABASE_FILE}")" | ||
if ! [ "$DB_DIR" == "." ]; then | ||
mkdir -p "$DB_DIR" | ||
fi | ||
|
||
if [[ -n "${ZITI_PWD:-}" || -s /run/credentials/${UNIT_NAME:=ziti-controller.service}/ZITI_PWD ]]; then | ||
ziti controller edge init "${ZITI_CTRL_CONFIG_FILE}" \ | ||
--username "${ZITI_USER}" \ | ||
--password "${ZITI_PWD:-$(< "/run/credentials/${UNIT_NAME}/ZITI_PWD")}" | ||
else | ||
echo "ERROR: need admin password; use LoadCredential or SetCredential in"\ | ||
" /lib/systemd/system/ziti-controller.service or set env var ZITI_PWD with at least 5 characters" >&2 | ||
return 1 | ||
fi | ||
|
||
} | ||
|
||
function bootstrap() { | ||
|
||
if [ -n "${1:-}" ]; then | ||
local ZITI_CTRL_CONFIG_FILE="${1}" | ||
echo "DEBUG: using config file path: $(realpath "${ZITI_CTRL_CONFIG_FILE}")" >&2 | ||
else | ||
echo "ERROR: no config file path provided" >&2 | ||
return 1 | ||
fi | ||
|
||
# make PKI unless it exists | ||
if [ "${ZITI_BOOTSTRAP_PKI}" == true ]; then | ||
makePki | ||
fi | ||
|
||
# make config file unless it exists, set force to overwrite every startup | ||
if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then | ||
makeConfig "${ZITI_CTRL_CONFIG_FILE}" | ||
elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then | ||
makeConfig "${ZITI_CTRL_CONFIG_FILE}" --force | ||
fi | ||
|
||
# make database unless it exists | ||
if [ "${ZITI_BOOTSTRAP_DATABASE}" == true ]; then | ||
makeDatabase | ||
fi | ||
} |
19 changes: 19 additions & 0 deletions
19
dist/dist-packages/linux/openziti-controller/entrypoint.bash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# this thin wrapper script for the OpenZiti Controller uses variable assignments from the systemd env file | ||
# | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
# set -o xtrace # debug startup | ||
|
||
# shellcheck disable=SC1090 # default path is set by the systemd service | ||
source "${ZITI_CTRL_BOOTSTRAP_BASH:-/opt/openziti/etc/controller/bootstrap.bash}" | ||
# if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml" | ||
if [ "${1:-run}" == run ]; then | ||
bootstrap "${2:-config.yml}" | ||
fi | ||
|
||
# shellcheck disable=SC2068 | ||
exec ziti controller ${@:-run config.yml} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# | ||
# this is a systemd env file allowing simple assignments for ziti-controller.service environment | ||
# | ||
|
||
# | ||
# for "ziti pki" and "ziti create config controller" commands in bootstrap.bash | ||
# | ||
|
||
# the advertised address of the controller is a fully-qualified domain name; if defined this overrides any value set in | ||
# /lib/systemd/system/ziti-controller.service | ||
#ZITI_CTRL_ADVERTISED_ADDRESS= | ||
# the advertised and listening port of the controller (default: 1280) | ||
ZITI_CTRL_ADVERTISED_PORT=1280 | ||
# the interface address on which to listen (default: 0.0.0.0) | ||
ZITI_CTRL_BIND_ADDRESS=0.0.0.0 | ||
|
||
# | ||
# for "ziti pki" commands in bootstrap.bash | ||
# | ||
|
||
# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller/pki | ||
ZITI_PKI_ROOT=pki | ||
# relative to ZITI_PKI_ROOT; root CA dir; e.g., /var/lib/ziti-controller/pki/root | ||
ZITI_CA_FILE=root | ||
# relative to ZITI_PKI_ROOT; intermediate CA dir; e.g., /var/lib/ziti-controller/pki/intermediate | ||
ZITI_INTERMEDIATE_FILE=intermediate | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_SERVER_FILE=server | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_CLIENT_FILE=client | ||
|
||
# | ||
# for "ziti controller edge init" command in bootstrap.bash | ||
# | ||
# path to BoltDB relative to working directory /var/lib/ziti-controller | ||
ZITI_CTRL_DATABASE_FILE=bbolt.db | ||
# must be 4 < 100 characters | ||
ZITI_USER=admin | ||
# for better security, leave this assignment empty and create a file readable only by root containing the | ||
# password and set "LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd" in | ||
# /lib/systemd/system/ziti-controller.service | ||
ZITI_PWD= |
Oops, something went wrong.