add Linux package openziti-controller
Showing
14 changed files
with
371 additions
and
9 deletions.
@@ -16,6 +16,7 @@ jobs: | |
matrix: | ||
package_name: | ||
- openziti | ||
- openziti-controller | ||
arch: | ||
- goreleaser: amd64 | ||
gox: amd64 | ||
@@ -0,0 +1,35 @@ | ||
# nfpm configuration file | ||
# | ||
# check https://nfpm.goreleaser.com/configuration for detailed usage | ||
# | ||
name: openziti-controller | ||
arch: ${GOARCH} | ||
platform: linux | ||
version: ${ZITI_VERSION} | ||
maintainer: ${ZITI_MAINTAINER} | ||
description: > | ||
Provides a system service for running an OpenZiti Controller | ||
vendor: ${ZITI_VENDOR} | ||
homepage: ${ZITI_HOMEPAGE} | ||
license: Apache-2.0 | ||
# Contents to add to the package. | ||
contents: | ||
- dst: /lib/systemd/system/ | ||
src: ./dist/dist-packages/linux/openziti-controller/ziti-controller.service | ||
|
||
- dst: /opt/openziti/etc/controller | ||
type: dir | ||
file_info: | ||
mode: 0755 | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/env | ||
type: config|noreplace | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/bootstrap.bash | ||
|
||
- dst: /opt/openziti/etc/controller/ | ||
src: ./dist/dist-packages/linux/openziti-controller/entrypoint.bash | ||
depends: | ||
- openziti # ziti CLI |
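Review bot: The `env` entry installed to `/opt/openziti/etc/controller/` carries a `ZITI_PWD=` assignment but no `file_info`, so it lands with nfpm's default mode and is readable by every local account if an operator does put a password in it; a `file_info: mode: 0640` (root-owned) on that entry closes the world-readable path while, as far as I know, still letting systemd read it for `EnvironmentFile=` before it drops privileges. `entrypoint.bash` is the unit's `ExecStart` while `bootstrap.bash` is only sourced, so only the former needs the execute bit; confirm that nfpm carries the source file mode through or set it explicitly rather than relying on the checkout's permissions. A short comment on the `depends:` entry could say that `bootstrap.bash` expects that package to provide `/opt/openziti/bin/ziti`, since nothing else in this config records that coupling.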
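--- a/dist/dist-packages/linux/openziti-controller/bootstrap.bash
+++ b/dist/dist-packages/linux/openziti-controller/bootstrap.bash
@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Controller with PKI, config file, and database
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# use the ziti executable that the 'openziti' package installed
+PATH=/opt/openziti/bin:$PATH
+
+#
+# defaults
+#
+
+# used by "ziti pki create server" as DNS SAN and "ziti create config controller" as advertised address
+: "${ZITI_CONTROLLER_ADVERTISED_ADDRESS:=$(hostname -f)}"
+
+function makePki() {
+#
+# create root and intermediate CA
+#
+
+if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then
+echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2
+exit 1
+fi
+
+ROOT_CA_DIR="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}"
+if ! [ -d "$ROOT_CA_DIR" ]; then
+ziti pki create ca \
+--pki-root "./${ZITI_PKI_ROOT}" \
+--ca-file "${ZITI_CA_FILE}"
+fi
+
+ZITI_PKI_SIGNER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_INTERMEDIATE_FILE}.cert"
+ZITI_PKI_SIGNER_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_INTERMEDIATE_FILE}.key"
+if [[ ! -s "$ZITI_PKI_SIGNER_CERT" && ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+ziti pki create intermediate \
+--pki-root "./${ZITI_PKI_ROOT}" \
+--ca-name "${ZITI_CA_FILE}" \
+--intermediate-file "${ZITI_INTERMEDIATE_FILE}"
+elif [[ ! -s "$ZITI_PKI_SIGNER_CERT" || ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+echo "ERROR: $ZITI_PKI_SIGNER_CERT and $ZITI_PKI_SIGNER_KEY must both exist or neither exist as non-empty files" >&2
+exit 1
+fi
+
+#
+# create server and client keys
+#
+
+if [ "$ZITI_SERVER_FILE" == "$ZITI_CLIENT_FILE" ]; then
+echo "ERROR: ZITI_SERVER_FILE and ZITI_CLIENT_FILE must be different" >&2
+exit 1
+fi
+
+ZITI_PKI_CTRL_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_SERVER_FILE}.key"
+if ! [ -s "$ZITI_PKI_CTRL_KEY" ]; then
+ziti pki create key \
+--pki-root "./${ZITI_PKI_ROOT}" \
+--ca-name "${ZITI_INTERMEDIATE_FILE}" \
+--key-file "${ZITI_SERVER_FILE}"
+fi
+
+# use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+# each
+# CLIENT_KEY_FILE="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_CLIENT_FILE}.key"
+# if ! [ -s "$CLIENT_KEY_FILE" ]; then
+# ziti pki create key \
+# --pki-root "./${ZITI_PKI_ROOT}" \
+# --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+# --key-file "${ZITI_CLIENT_FILE}"
+# fi
+
+#
+# create server and client certs
+#
+
+# server cert
+ZITI_PKI_CTRL_SERVER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem"
+if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then
+ziti pki create server \
+--pki-root "./${ZITI_PKI_ROOT}" \
+--ca-name "${ZITI_INTERMEDIATE_FILE}" \
+--key-file "${ZITI_SERVER_FILE}" \
+--server-file "${ZITI_SERVER_FILE}" \
+--dns "${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" \
+--allow-overwrite
+fi
+
+# client cert
+# use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+# each
+ZITI_PKI_CTRL_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_CLIENT_FILE}.cert"
+if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_CERT" ]]; then
+ziti pki create client \
+--pki-root "./${ZITI_PKI_ROOT}" \
+--ca-name "${ZITI_INTERMEDIATE_FILE}" \
+--key-file "${ZITI_SERVER_FILE}" \
+--client-file "${ZITI_CLIENT_FILE}" \
+--allow-overwrite
+fi
+
+}
+
+function makeConfig() {
+#
+# create config file
+#
+
+# set the path to the root CA cert
+export ZITI_PKI_CTRL_CA="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert"
+
+# set the interface address on which to listen for connections; e.g., 0.0.0.0
+export ZITI_CTRL_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}"
+export ZITI_CTRL_EDGE_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}"
+
+# set the URI of the router ctrl plane; e.g., ctrl.endpoint: ziti.example.com:443
+export ZITI_CTRL_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
+export ZITI_CTRL_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+
+# set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:443
+export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
+export ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+
+# export the vars that were assigned inside this script to set the path to the server and client certs and their common
+# private key, and the intermediate (signer) CA cert and key
+export ZITI_PKI_CTRL_SERVER_CERT \
+ZITI_PKI_CTRL_CERT \
+ZITI_PKI_CTRL_KEY \
+ZITI_PKI_SIGNER_CERT \
+ZITI_PKI_SIGNER_KEY
+
+if [[ ! -s "./${ZITI_CONTROLLER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+ziti create config controller \
+--output "./${ZITI_CONTROLLER_CONFIG_FILE}"
+fi
+
+}
+
+function makeDatabase() {
+
+#
+# create default admin in database
+#
+
+if [ -s "./${ZITI_CTRL_DATABASE_FILE}" ]; then
+return 0
+fi
+
+# if the database file is in a subdirectory, create the directory so that "ziti controller edge init" can load the
+# controller config.yml which contains a check to ensure the directory exists
+DB_DIR="$(dirname "${ZITI_CTRL_DATABASE_FILE}")"
+if ! [ "$DB_DIR" == "." ]; then
+mkdir -p "./$DB_DIR"
+fi
+
+if [[ $(wc -c <<< "${ZITI_PWD:-}") -gt 5 || -s /run/credentials/${UNIT_NAME:=ziti-controller.service}/ZITI_PWD ]]; then
+ziti controller edge init "./${ZITI_CONTROLLER_CONFIG_FILE}" \
+--username "${ZITI_USER}" \
+--password "${ZITI_PWD:-$(< "/run/credentials/${UNIT_NAME}/ZITI_PWD")}"
+else
+echo "ERROR: need admin password; use LoadCredential or SetCredential in"\
+" /lib/systemd/system/ziti-controller.service or set env var ZITI_PWD with at least 5 characters" >&2
+fi
+
+}
+
+# make PKI unless it exists if true
+if [ "${ZITI_BOOTSTRAP_PKI}" == true ]; then
+makePki
+fi
+
+# make config file unless it exists if true, set force to overwrite
+if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then
+makeConfig
+elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+makeConfig --force
+fi
+
+# make database unless it exists if true
+if [ "${ZITI_BOOTSTRAP_DATABASE}" == true ]; then
+makeDatabase
+fi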
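Review bot: The `else` branch of makeDatabase prints the missing-password error but never fails, so when this file is sourced under `set -o errexit` the caller proceeds to start the controller with no admin identity initialized; add `exit 1` after the `echo`, as the other error branches in this file do. The guard `if [[ $(wc -c <<< "${ZITI_PWD:-}") -gt 5 || -s /run/credentials/... ]]` also lets a too-short `ZITI_PWD` through whenever the credential file exists, because the second disjunct satisfies the test and `${ZITI_PWD:-...}` then prefers the env value; something like `pwd="${ZITI_PWD:-}"` followed by `(( ${#pwd} >= 5 ))` for the first disjunct avoids the byte-plus-newline count from `wc -c` and makes the precedence explicit. Passing the secret as `--password` exposes it in the process argument list for the lifetime of `ziti controller edge init`; if the CLI can read it from stdin or the environment, that path should be preferred (not verified here). makeConfig exports `ZITI_PKI_CTRL_SERVER_CERT`, `ZITI_PKI_CTRL_CERT`, `ZITI_PKI_CTRL_KEY` and the signer pair that are assigned only inside makePki, so with `ZITI_BOOTSTRAP_PKI` unset to `true` they are exported empty without tripping `nounset`; a comment stating that the config is then generated with the CLI's defaults would save the next reader a trace.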
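--- a/dist/dist-packages/linux/openziti-controller/entrypoint.bash
+++ b/dist/dist-packages/linux/openziti-controller/entrypoint.bash
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Controller uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck disable=SC1091
+source /opt/openziti/etc/controller/bootstrap.bash
+
+# shellcheck disable=SC2068 # because we must
+# shellcheck disable=SC2086 # word-split args
+exec /opt/openziti/bin/ziti controller run ${ZITI_CONTROLLER_CONFIG_FILE} ${ZITI_CONTROLLER_RUN_ARGS} $@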
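Review bot: The unquoted `$@` on the `exec` line re-splits every caller-supplied argument on IFS and expands globs, so an argument containing a space or `*` reaches `ziti controller run` as several words; the word-splitting that the SC2068/SC2086 disables justify is needed only for `${ZITI_CONTROLLER_RUN_ARGS}`. Quote the other two expansions and narrow the disable to that one variable: `exec /opt/openziti/bin/ziti controller run "${ZITI_CONTROLLER_CONFIG_FILE}" ${ZITI_CONTROLLER_RUN_ARGS} "$@"`. A space-separated `ZITI_CONTROLLER_RUN_ARGS` still cannot carry a single argument that itself contains whitespace, which is worth a sentence in the header comment. Because bootstrap.bash is sourced rather than executed, any `exit` inside it terminates this wrapper before the `exec`; stating that in the comment above the `source` line documents the intended failure mode.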
@@ -0,0 +1,62 @@ | ||
# | ||
# this is a systemd env file allowing simple assignments for ziti-controller.service environment | ||
# | ||
|
||
ZITI_CONTROLLER_RUN_ARGS="--log-formatter text" | ||
# ZITI_CONTROLLER_RUN_ARGS="--log-formatter text --verbose" | ||
|
||
# disable JSON logging during bootstrapping | ||
PFXLOG_NO_JSON=true | ||
|
||
# | ||
# for "ziti pki" and "ziti create config controller" commands in bootstrap.bash | ||
# | ||
|
||
# the advertised address of the controller is a domain name that can be resolved by all devices (default: hostname -f) | ||
ZITI_CONTROLLER_ADVERTISED_ADDRESS= | ||
# the advertised and listening port of the controller (default: 443) | ||
ZITI_CONTROLLER_ADVERTISED_PORT=443 | ||
# the interface address on which to listen (default: 0.0.0.0) | ||
ZITI_CONTROLLER_BIND_ADDRESS=0.0.0.0 | ||
|
||
# | ||
# for "ziti pki" commands in bootstrap.bash | ||
# | ||
|
||
# create a new PKI unless it exists | ||
ZITI_BOOTSTRAP_PKI=true | ||
# renew server and client certificates every startup | ||
ZITI_AUTO_RENEW_CERTS=true | ||
# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller/pki | ||
ZITI_PKI_ROOT=pki | ||
# relative to ZITI_PKI_ROOT; root CA dir; e.g., /var/lib/ziti-controller/pki/root | ||
ZITI_CA_FILE=root | ||
# relative to ZITI_PKI_ROOT; intermediate CA dir; e.g., /var/lib/ziti-controller/pki/intermediate | ||
ZITI_INTERMEDIATE_FILE=intermediate | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_SERVER_FILE=controller-server-identity | ||
# relative to intermediate CA "keys" and "certs" dirs | ||
ZITI_CLIENT_FILE=controller-client-identity | ||
|
||
# | ||
# for "ziti create config controller" command in bootstrap.bash | ||
# | ||
# create a config file unless it exists if "true", set "force" to overwrite (changing the advertised URI will break | ||
# existing enrollments who will be unable to connect to the controller) | ||
ZITI_BOOTSTRAP_CONFIG=true | ||
# create a new config file relative to working directory unless it exists | ||
ZITI_CONTROLLER_CONFIG_FILE=config.yml | ||
# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller | ||
ZITI_CTRL_DATABASE_FILE=ctrl.db | ||
|
||
# | ||
# for "ziti controller edge init" command in bootstrap.bash | ||
# | ||
# create a database unless it exists if "true" | ||
ZITI_BOOTSTRAP_DATABASE=true | ||
# must be 4 < 100 characters | ||
ZITI_USER=admin | ||
# for better security, leave this assignment empty and create a file readable only by root containing the | ||
# password and set "LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd" in | ||
# /lib/systemd/system/ziti-controller.service | ||
ZITI_PWD= |
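Review bot: The comment `# must be 4 < 100 characters` above `ZITI_USER=admin` is hard to parse and does not say whether the bounds are inclusive; state it as a range in words, e.g. `# length must be between LOWER and UPPER characters` with the real limits filled in (the actual constraint is not verifiable from this change). The `ZITI_CONTROLLER_RUN_ARGS` assignment is word-split by entrypoint.bash, so a comment such as `# space-separated; a single argument cannot contain whitespace` next to it would prevent a class of mis-configuration. Since `ZITI_AUTO_RENEW_CERTS=true` combined with the unit's `Restart=always` re-issues the server and client certificates with `--allow-overwrite` on every restart, a sentence saying this is deliberate would help readers who expect certificates to be stable.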
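--- a/dist/dist-packages/linux/openziti-controller/ziti-controller.service
+++ b/dist/dist-packages/linux/openziti-controller/ziti-controller.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=OpenZiti Controller
+After=network-online.target
+
+[Service]
+# "ziti controller run" is the main process managed by this service and replaces entrypoint.bash
+Type=simple
+
+# manage the user and permissions for the service automatically
+DynamicUser=yes
+
+# allow binding low ports, e.g., 443/tcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# load password from a file; set owner to root and chmod 0400 for security
+LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd
+# or set a password as literal string
+# SetCredential=ZITI_PWD:admin
+
+UMask=0007
+Restart=always
+RestartSec=3
+LimitNOFILE=65535
+
+# relative to /var/lib
+StateDirectory=ziti-controller
+
+# absolute path where service will be run
+WorkingDirectory=/var/lib/ziti-controller
+
+# used by bootstrap.bash to look up /run/credentials/$UNIT_NAME/$CREDENTIAL_NAME
+Environment="UNIT_NAME=ziti-controller.service"
+EnvironmentFile=/opt/openziti/etc/controller/env
+
+ExecStart=/opt/openziti/etc/controller/entrypoint.bash
+
+[Install]
+WantedBy=multi-user.target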
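Review bot: `After=network-online.target` orders the unit but does not pull the target in, so on boot the service can start before the network is up and the `hostname -f` default in bootstrap.bash may resolve to a short name that is then baked into the certificate SAN and the advertised address; add `Wants=network-online.target` beside it. `LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd` names a file the package in this commit does not ship, and if systemd treats a missing `LoadCredential=` source as a start failure, as I believe it does, a fresh install fails until the operator creates `.pwd` or edits the unit, which contradicts bootstrap.bash's treatment of the credential as optional; either ship a root-owned, empty `.pwd` placeholder from nfpm or state the required step in the comment above the directive. `UMask=0007` leaves the PKI private keys written into the state directory group-readable; with `DynamicUser=yes` the group is transient, but `UMask=0077` costs nothing here and removes the question.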