From acb38db94c93b8995d0f8945fd0edbbd150761dc Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Tue, 5 Mar 2024 11:24:27 -0500
Subject: [PATCH] add Linux package openziti-controller

---
.github/workflows/fablab-db-creation.yml | 1 +
.github/workflows/publish-linux-packages.yml | 1 +
.../linux/nfpm-openziti-controller.yaml | 35 ++
dist/dist-packages/linux/nfpm-openziti.yaml | 7 -
.../linux/openziti-controller/bootstrap.bash | 185 ++++++++++++++++++
.../linux/openziti-controller/entrypoint.bash | 15 ++
.../linux/openziti-controller/env | 62 ++++++
.../ziti-controller.service | 38 ++++
.../create/config_templates/controller.yml | 2 +-
ziti/cmd/create/create_config.go | 5 +
ziti/cmd/create/create_config_controller.go | 19 +-
ziti/cmd/helpers/env_helpers.go | 4 +
ziti/cmd/pki/pki_create_client.go | 2 +
ziti/constants/constants.go | 4 +
14 files changed, 371 insertions(+), 9 deletions(-)
create mode 100644 dist/dist-packages/linux/nfpm-openziti-controller.yaml
create mode 100755 dist/dist-packages/linux/openziti-controller/bootstrap.bash
create mode 100755 dist/dist-packages/linux/openziti-controller/entrypoint.bash
create mode 100644 dist/dist-packages/linux/openziti-controller/env
create mode 100644 dist/dist-packages/linux/openziti-controller/ziti-controller.service

diff --git a/.github/workflows/fablab-db-creation.yml b/.github/workflows/fablab-db-creation.yml
index 8f8ffd4f0..731e9df1a 100644
--- a/.github/workflows/fablab-db-creation.yml
+++ b/.github/workflows/fablab-db-creation.yml
@@ -20,6 +20,7 @@ jobs:
 build:
 name: Build and Run
 runs-on: ubuntu-latest
+ if: github.repository_owner == 'openziti'
 steps:
 - name: Checkout ziti
 uses: actions/checkout@v3
diff --git a/.github/workflows/publish-linux-packages.yml b/.github/workflows/publish-linux-packages.yml
index f1392040b..3185a6456 100644
--- a/.github/workflows/publish-linux-packages.yml
+++ b/.github/workflows/publish-linux-packages.yml
@@ -16,6 +16,7 @@ jobs:
 matrix:
 package_name:
 - openziti
+ - openziti-controller
 arch:
 - goreleaser: amd64
 gox: amd64
diff --git a/dist/dist-packages/linux/nfpm-openziti-controller.yaml b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
new file mode 100644
index 000000000..4e887a3fd
--- /dev/null
+++ b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
@@ -0,0 +1,35 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-controller
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+ Provides a system service for running an OpenZiti Controller
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+# Contents to add to the package.
+contents:
+ - dst: /lib/systemd/system/
+ src: ./dist/dist-packages/linux/openziti-controller/ziti-controller.service
+
+ - dst: /opt/openziti/etc/controller
+ type: dir
+ file_info:
+ mode: 0755
+
+ - dst: /opt/openziti/etc/controller/
+ src: ./dist/dist-packages/linux/openziti-controller/env
+ type: config|noreplace
+
+ - dst: /opt/openziti/etc/controller/
+ src: ./dist/dist-packages/linux/openziti-controller/bootstrap.bash
+
+ - dst: /opt/openziti/etc/controller/
+ src: ./dist/dist-packages/linux/openziti-controller/entrypoint.bash
+depends:
+ - openziti # ziti CLI
diff --git a/dist/dist-packages/linux/nfpm-openziti.yaml b/dist/dist-packages/linux/nfpm-openziti.yaml
index f7dd43be0..20be50d4b 100644
--- a/dist/dist-packages/linux/nfpm-openziti.yaml
+++ b/dist/dist-packages/linux/nfpm-openziti.yaml
@@ -23,10 +23,3 @@ contents:
 type: symlink
 replaces:
 - ziti-cli
-
-# packager-neutral scripts may be overridden by packager-specific scripts
-# scripts:
- # preinstall: ./scripts/preinstall.sh
- # postinstall: ./scripts/postinstall.sh
- # preremove: ./scripts/preremove.sh
- # postremove: ./scripts/postremove.sh
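Review bot: The `env` entry under `contents:` carries no `file_info`, so it is installed with the mode it has in the checkout, and its file header in this same patch shows `new file mode 100644`, i.e. world-readable; that file is the one the template invites an operator to fill in with `ZITI_PWD=`, so any local account could read the admin password. systemd reads `EnvironmentFile=` as root before switching to the dynamic user, so a restrictive mode costs nothing: add `file_info:` / `mode: 0640` to that entry. The two `.bash` entries similarly inherit their source mode; an explicit `mode: 0755` there makes the packaged permissions independent of how the repository was checked out.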
diff --git a/dist/dist-packages/linux/openziti-controller/bootstrap.bash b/dist/dist-packages/linux/openziti-controller/bootstrap.bash
new file mode 100755
index 000000000..e5272c0d5
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/bootstrap.bash
@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Controller with PKI, config file, and database
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# use the ziti executable that the 'openziti' package installed
+PATH=/opt/openziti/bin:$PATH
+
+#
+# defaults
+#
+
+# used by "ziti pki create server" as DNS SAN and "ziti create config controller" as advertised address
+: "${ZITI_CONTROLLER_ADVERTISED_ADDRESS:=$(hostname -f)}"
+
+function makePki() {
+ #
+ # create root and intermediate CA
+ #
+
+ if [ "$ZITI_CA_FILE" == "$ZITI_INTERMEDIATE_FILE" ]; then
+ echo "ERROR: ZITI_CA_FILE and ZITI_INTERMEDIATE_FILE must be different" >&2
+ exit 1
+ fi
+
+ ROOT_CA_DIR="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}"
+ if ! [ -d "$ROOT_CA_DIR" ]; then
+ ziti pki create ca \
+ --pki-root "./${ZITI_PKI_ROOT}" \
+ --ca-file "${ZITI_CA_FILE}"
+ fi
+
+ ZITI_PKI_SIGNER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_INTERMEDIATE_FILE}.cert"
+ ZITI_PKI_SIGNER_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_INTERMEDIATE_FILE}.key"
+ if [[ ! -s "$ZITI_PKI_SIGNER_CERT" && ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+ ziti pki create intermediate \
+ --pki-root "./${ZITI_PKI_ROOT}" \
+ --ca-name "${ZITI_CA_FILE}" \
+ --intermediate-file "${ZITI_INTERMEDIATE_FILE}"
+ elif [[ ! -s "$ZITI_PKI_SIGNER_CERT" || ! -s "$ZITI_PKI_SIGNER_KEY" ]]; then
+ echo "ERROR: $ZITI_PKI_SIGNER_CERT and $ZITI_PKI_SIGNER_KEY must both exist or neither exist as non-empty files" >&2
+ exit 1
+ fi
+
+ #
+ # create server and client keys
+ #
+
+ if [ "$ZITI_SERVER_FILE" == "$ZITI_CLIENT_FILE" ]; then
+ echo "ERROR: ZITI_SERVER_FILE and ZITI_CLIENT_FILE must be different" >&2
+ exit 1
+ fi
+
+ ZITI_PKI_CTRL_KEY="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_SERVER_FILE}.key"
+ if ! 
[ -s "$ZITI_PKI_CTRL_KEY" ]; then
+ ziti pki create key \
+ --pki-root "./${ZITI_PKI_ROOT}" \
+ --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+ --key-file "${ZITI_SERVER_FILE}"
+ fi
+
+ # use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+ # each
+ # CLIENT_KEY_FILE="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/keys/${ZITI_CLIENT_FILE}.key"
+ # if ! [ -s "$CLIENT_KEY_FILE" ]; then
+ # ziti pki create key \
+ # --pki-root "./${ZITI_PKI_ROOT}" \
+ # --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+ # --key-file "${ZITI_CLIENT_FILE}"
+ # fi
+
+ #
+ # create server and client certs
+ #
+
+ # server cert
+ ZITI_PKI_CTRL_SERVER_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem"
+ if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then
+ ziti pki create server \
+ --pki-root "./${ZITI_PKI_ROOT}" \
+ --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+ --key-file "${ZITI_SERVER_FILE}" \
+ --server-file "${ZITI_SERVER_FILE}" \
+ --dns "${ZITI_CONTROLLER_ADVERTISED_ADDRESS}" \
+ --allow-overwrite
+ fi
+
+ # client cert
+ # use the server key for both client and server certs until "ziti create config controller" supports separate keys for
+ # each
+ ZITI_PKI_CTRL_CERT="./${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_CLIENT_FILE}.cert"
+ if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! 
-s "$ZITI_PKI_CTRL_CERT" ]]; then
+ ziti pki create client \
+ --pki-root "./${ZITI_PKI_ROOT}" \
+ --ca-name "${ZITI_INTERMEDIATE_FILE}" \
+ --key-file "${ZITI_SERVER_FILE}" \
+ --client-file "${ZITI_CLIENT_FILE}" \
+ --allow-overwrite
+ fi
+
+}
+
+function makeConfig() {
+ #
+ # create config file
+ #
+
+ # set the path to the root CA cert
+ export ZITI_PKI_CTRL_CA="./${ZITI_PKI_ROOT}/${ZITI_CA_FILE}/certs/${ZITI_CA_FILE}.cert"
+
+ # set the interface address on which to listen for connections; e.g., 0.0.0.0
+ export ZITI_CTRL_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}"
+ export ZITI_CTRL_EDGE_BIND_ADDRESS="${ZITI_CONTROLLER_BIND_ADDRESS}"
+
+ # set the URI of the router ctrl plane; e.g., ctrl.endpoint: ziti.example.com:443
+ export ZITI_CTRL_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
+ export ZITI_CTRL_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+
+ # set the URI of the edge-client API (uses same TCP port); e.g., ztAPI: ziti.example.com:443
+ export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CONTROLLER_ADVERTISED_ADDRESS}"
+ export ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CONTROLLER_ADVERTISED_PORT}"
+
+ # export the vars that were assigned inside this script to set the path to the server and client certs and their common
+ # private key, and the intermediate (signer) CA cert and key
+ export ZITI_PKI_CTRL_SERVER_CERT \
+ ZITI_PKI_CTRL_CERT \
+ ZITI_PKI_CTRL_KEY \
+ ZITI_PKI_SIGNER_CERT \
+ ZITI_PKI_SIGNER_KEY
+
+ if [[ ! 
-s "./${ZITI_CONTROLLER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+ ziti create config controller \
+ --output "./${ZITI_CONTROLLER_CONFIG_FILE}"
+ fi
+
+}
+
+function makeDatabase() {
+
+ #
+ # create default admin in database
+ #
+
+ if [ -s "./${ZITI_CTRL_DATABASE_FILE}" ]; then
+ return 0
+ fi
+
+ # if the database file is in a subdirectory, create the directory so that "ziti controller edge init" can load the
+ # controller config.yml which contains a check to ensure the directory exists
+ DB_DIR="$(dirname "${ZITI_CTRL_DATABASE_FILE}")"
+ if ! [ "$DB_DIR" == "." ]; then
+ mkdir -p "./$DB_DIR"
+ fi
+
+ if [[ $(wc -c <<< "${ZITI_PWD:-}") -gt 5 || -s /run/credentials/${UNIT_NAME:=ziti-controller.service}/ZITI_PWD ]]; then
+ ziti controller edge init "./${ZITI_CONTROLLER_CONFIG_FILE}" \
+ --username "${ZITI_USER}" \
+ --password "${ZITI_PWD:-$(< "/run/credentials/${UNIT_NAME}/ZITI_PWD")}"
+ else
+ echo "ERROR: need admin password; use LoadCredential or SetCredential in"\
+ " /lib/systemd/system/ziti-controller.service or set env var ZITI_PWD with at least 5 characters" >&2
+ fi
+
+}
+
+# make PKI unless it exists if true
+if [ "${ZITI_BOOTSTRAP_PKI}" == true ]; then
+ makePki
+fi
+
+# make config file unless it exists if true, set force to overwrite
+if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then
+ makeConfig
+elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+ makeConfig --force
+fi
+
+# make database unless it exists if true
+if [ "${ZITI_BOOTSTRAP_DATABASE}" == true ]; then
+ makeDatabase
+fi
diff --git a/dist/dist-packages/linux/openziti-controller/entrypoint.bash b/dist/dist-packages/linux/openziti-controller/entrypoint.bash
new file mode 100755
index 000000000..e36934fe5
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/entrypoint.bash
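Review bot: In makeDatabase the `else` branch only echoes the "need admin password" error and then returns 0, so `set -o errexit` is never tripped and the sourcing entrypoint goes on to `exec` the controller with no initialized database and no admin; add `exit 1` after the echo, matching the other ERROR branches in makePki. In the same block the admin password is handed to `ziti controller edge init` as an argv `--password` value, which is readable by other local users through the process list for the lifetime of that command; if the CLI accepts it from the environment or stdin that path is preferable, though I cannot tell from this diff whether it does. Separately, makeConfig exports ZITI_PKI_CTRL_SERVER_CERT, ZITI_PKI_CTRL_CERT, ZITI_PKI_CTRL_KEY and the signer pair, which are only assigned inside makePki, so with ZITI_BOOTSTRAP_PKI unset to true the config is rendered with empty identity paths; either guard for that or state in the header comment that PKI bootstrapping is a prerequisite for config bootstrapping.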
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Controller uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck disable=SC1091
+source /opt/openziti/etc/controller/bootstrap.bash
+
+# shellcheck disable=SC2068 # because we must
+# shellcheck disable=SC2086 # word-split args
+exec /opt/openziti/bin/ziti controller run ${ZITI_CONTROLLER_CONFIG_FILE} ${ZITI_CONTROLLER_RUN_ARGS} $@
diff --git a/dist/dist-packages/linux/openziti-controller/env b/dist/dist-packages/linux/openziti-controller/env
new file mode 100644
index 000000000..34e6602e7
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/env
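Review bot: The final `exec` passes `$@` unquoted, which re-splits and glob-expands any argument handed to the wrapper, and the `# because we must` suppression for SC2068 is not justified: only `${ZITI_CONTROLLER_RUN_ARGS}` needs word splitting, so the line can keep that expansion bare and end with `"$@"`, dropping the SC2068 directive. Because bootstrap.bash is `source`d rather than executed, each of its `exit 1` paths terminates this wrapper before the `exec`, which is the behaviour you want but is easy to miss; a line such as `# bootstrap.bash is sourced, so an exit 1 inside it aborts startup before the exec below` next to the source line would make it explicit.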
@@ -0,0 +1,62 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment
+#
+
+ZITI_CONTROLLER_RUN_ARGS="--log-formatter text"
+# ZITI_CONTROLLER_RUN_ARGS="--log-formatter text --verbose"
+
+# disable JSON logging during bootstrapping
+PFXLOG_NO_JSON=true
+
+#
+# for "ziti pki" and "ziti create config controller" commands in bootstrap.bash
+#
+
+# the advertised address of the controller is a domain name that can be resolved by all devices (default: hostname -f)
+ZITI_CONTROLLER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the controller (default: 443)
+ZITI_CONTROLLER_ADVERTISED_PORT=443
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_CONTROLLER_BIND_ADDRESS=0.0.0.0
+
+#
+# for "ziti pki" commands in bootstrap.bash
+#
+
+# create a new PKI unless it exists
+ZITI_BOOTSTRAP_PKI=true
+# renew server and client certificates every startup
+ZITI_AUTO_RENEW_CERTS=true
+# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller/pki
+ZITI_PKI_ROOT=pki
+# relative to ZITI_PKI_ROOT; root CA dir; e.g., /var/lib/ziti-controller/pki/root
+ZITI_CA_FILE=root
+# relative to ZITI_PKI_ROOT; intermediate CA dir; e.g., /var/lib/ziti-controller/pki/intermediate
+ZITI_INTERMEDIATE_FILE=intermediate
+# relative to intermediate CA "keys" and "certs" dirs
+ZITI_SERVER_FILE=controller-server-identity
+# relative to intermediate CA "keys" and "certs" dirs
+ZITI_CLIENT_FILE=controller-client-identity
+
+#
+# for "ziti create config controller" command in bootstrap.bash
+#
+# create a config file unless it exists if "true", set "force" to overwrite (changing the advertised URI will break
+# existing enrollments who will be unable to connect to the controller)
+ZITI_BOOTSTRAP_CONFIG=true
+# create a new config file relative to working directory unless it exists
+ZITI_CONTROLLER_CONFIG_FILE=config.yml
+# relative to systemd service WorkingDirectory; e.g., /var/lib/ziti-controller
+ZITI_CTRL_DATABASE_FILE=ctrl.db
+
+#
+# for "ziti controller edge init" command in bootstrap.bash
+#
+# create a database unless it exists if "true"
+ZITI_BOOTSTRAP_DATABASE=true
+# must be 4 < 100 characters
+ZITI_USER=admin
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# password and set "LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd" in
+# /lib/systemd/system/ziti-controller.service
+ZITI_PWD=
diff --git a/dist/dist-packages/linux/openziti-controller/ziti-controller.service b/dist/dist-packages/linux/openziti-controller/ziti-controller.service
new file mode 100644
index 000000000..96ab5fcaf
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/ziti-controller.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=OpenZiti Controller
+After=network-online.target
+
+[Service]
+# "ziti controller run" is the main process managed by this service and replaces entrypoint.bash
+Type=simple
+
+# manage the user and permissions for the service automatically
+DynamicUser=yes
+
+# allow binding low ports, e.g., 443/tcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# load password from a file; set owner to root and chmod 0400 for security
+LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd
+# or set a password as literal string
+# SetCredential=ZITI_PWD:admin
+
+UMask=0007
+Restart=always
+RestartSec=3
+LimitNOFILE=65535
+
+# relative to /var/lib
+StateDirectory=ziti-controller
+
+# absolute path where service will be run
+WorkingDirectory=/var/lib/ziti-controller
+
+# used by bootstrap.bash to look up /run/credentials/$UNIT_NAME/$CREDENTIAL_NAME
+Environment="UNIT_NAME=ziti-controller.service"
+EnvironmentFile=/opt/openziti/etc/controller/env
+
+ExecStart=/opt/openziti/etc/controller/entrypoint.bash
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ziti/cmd/create/config_templates/controller.yml b/ziti/cmd/create/config_templates/controller.yml
index d476983e9..cc566073f 100644
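Review bot: `After=network-online.target` on its own does not pull that target into the transaction, so on a boot where nothing else requests it the ordering has no effect; add `Wants=network-online.target` beside it in `[Unit]`. `LoadCredential=ZITI_PWD:/opt/openziti/etc/controller/.pwd` names a file this package does not ship (the nfpm `contents:` list has no `.pwd` entry), and as far as I recall systemd fails to start a unit whose LoadCredential source cannot be read, so a fresh install would not come up until the operator creates that file or overrides the unit — worth confirming and, if so, saying so in the comment above it or moving the line into a documented drop-in. Since `DynamicUser=yes` already implies `NoNewPrivileges` and `ProtectSystem=strict`, the remaining cheap hardening is `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` next to the `AmbientCapabilities` line so the bounding set matches the single capability the service needs.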
--- a/ziti/cmd/create/config_templates/controller.yml
+++ b/ziti/cmd/create/config_templates/controller.yml
@@ -7,7 +7,7 @@ v: 3
 # memory:
 # path: ctrl.memprof
 
-db: "{{ .ZitiHome }}/db/ctrl.db"
+db: "{{ .ZitiHome }}/{{ .Controller.Database.DatabaseFile }}"
 
 identity:
 cert: "{{ .Controller.Identity.Cert }}"
diff --git a/ziti/cmd/create/create_config.go b/ziti/cmd/create/create_config.go
index 76b6d3924..1c26a5ba1 100644
--- a/ziti/cmd/create/create_config.go
+++ b/ziti/cmd/create/create_config.go
@@ -120,6 +120,10 @@ type IdentityValues struct {
 AltCertsEnabled bool
 }
 
+type DatabaseValues struct {
+ DatabaseFile string
+}
+
 type WebOptionsValues struct {
 IdleTimeout time.Duration
 ReadTimeout time.Duration
@@ -130,6 +134,7 @@ type WebOptionsValues struct {
 
 type ControllerTemplateValues struct {
 Identity IdentityValues
+ Database DatabaseValues
 Ctrl CtrlValues
 HealthChecks HealthChecksValues
 EdgeApi EdgeApiValues
diff --git a/ziti/cmd/create/create_config_controller.go b/ziti/cmd/create/create_config_controller.go
index bd21f570f..3adf165e4 100644
--- a/ziti/cmd/create/create_config_controller.go
+++ b/ziti/cmd/create/create_config_controller.go
@@ -121,6 +121,10 @@ func NewCmdCreateConfigController() *CreateControllerConfigCmd {
 data.Controller.EdgeEnrollment.EdgeRouterDuration = controllerOptions.EdgeRouterEnrollmentDuration
 }
 
+ if controllerOptions.DatabaseFile != "" && controllerOptions.DatabaseFile != constants.DefaultCtrlDatabaseFile {
+ data.Controller.Database.DatabaseFile = controllerOptions.DatabaseFile
+ }
+
 // process identity information
 SetControllerIdentity(&data.Controller)
 SetEdgeConfig(&data.Controller)
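Review bot: `DatabaseValues` is a new exported type with no doc comment, and its one field is the value the controller.yml template in this same commit joins onto `{{ .ZitiHome }}`; add `// DatabaseValues holds the database settings rendered into the controller config template.` above the type and `// DatabaseFile is the database path; controller.yml renders it relative to ZitiHome.` on the field so that expectation is visible to the next caller.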
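Review bot: The new condition in NewCmdCreateConfigController treats a `--database-file` value equal to `constants.DefaultCtrlDatabaseFile` as though the flag had not been given, leaving `data.Controller.Database.DatabaseFile` empty so that an environment variable can still take over downstream; an operator who passes the default explicitly to pin it is therefore silently overridden by `ZITI_CTRL_DATABASE_FILE`. If env-over-explicit-default is the intended precedence, say so in a comment on the `if`; otherwise detect an explicit flag with `Changed(optionDatabaseFile)` on the flag set, which I cannot confirm is reachable at this point of the function from the hunk alone. NewCmdCreateConfigController starts and ends outside the hunk.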
@@ -147,7 +151,7 @@ func NewCmdCreateConfigController() *CreateControllerConfigCmd {
 func (options *CreateConfigControllerOptions) addFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&options.CtrlPort, optionCtrlPort, constants.DefaultCtrlAdvertisedPort, "port used for the router to controller communication")
- cmd.Flags().StringVar(&options.DatabaseFile, optionDatabaseFile, "ctrl.db", "location of the database file")
+ cmd.Flags().StringVar(&options.DatabaseFile, optionDatabaseFile, constants.DefaultCtrlDatabaseFile, "location of the database file")
 cmd.Flags().DurationVar(&options.EdgeIdentityEnrollmentDuration, optionEdgeIdentityEnrollmentDuration, edge.DefaultEdgeEnrollmentDuration, "the edge identity enrollment duration, use 0h0m0s format")
 cmd.Flags().DurationVar(&options.EdgeRouterEnrollmentDuration, optionEdgeRouterEnrollmentDuration, edge.DefaultEdgeEnrollmentDuration, "the edge router enrollment duration, use 0h0m0s format")
 }
@@ -194,6 +198,7 @@ func SetControllerIdentity(data *ControllerTemplateValues) {
 SetControllerIdentityServerCert(data)
 SetControllerIdentityKey(data)
 SetControllerIdentityCA(data)
+ setDatabaseFile(data)
 }
 func SetControllerIdentityCert(c *ControllerTemplateValues) {
 val := os.Getenv(constants.PkiCtrlCertVarName)
@@ -224,6 +229,18 @@ func SetControllerIdentityCA(c *ControllerTemplateValues) {
 c.Identity.Ca = helpers.NormalizePath(val)
 }
 
+func setDatabaseFile(c *ControllerTemplateValues) {
+ if c.Database.DatabaseFile != "" {
+ c.Database.DatabaseFile = helpers.NormalizePath(c.Database.DatabaseFile)
+ } else {
+ val := os.Getenv(constants.CtrlDatabaseFileVarName)
+ if val == "" {
+ val = constants.DefaultCtrlDatabaseFile // default
+ }
+ c.Database.DatabaseFile = helpers.NormalizePath(val)
+ }
+}
+
 func SetEdgeConfig(data *ControllerTemplateValues) {
 SetEdgeSigningCert(data)
 SetEdgeSigningKey(data)
diff --git a/ziti/cmd/helpers/env_helpers.go b/ziti/cmd/helpers/env_helpers.go
index 78c90105d..321acaaf6 100644
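Review bot: `setDatabaseFile` normalizes whatever path it is given, but the controller.yml hunk in this commit renders the result as `{{ .ZitiHome }}/{{ .Controller.Database.DatabaseFile }}`, so an absolute value — which the flag's help text "location of the database file" and the env var description "Path to the Ziti Controller Database File" both invite — produces a doubled path such as `<ZitiHome>//var/lib/...` unless `helpers.NormalizePath` strips a leading slash, which is not visible here. Either document on the flag and the env var that the value is taken relative to ZitiHome, or have the template (or this function) emit an absolute value unchanged; a short doc comment on the function, e.g. `// setDatabaseFile resolves the database path from the explicit value, then ZITI_CTRL_DATABASE_FILE, then the default, and normalizes it.`, would also help. As a smaller point, the call is added inside `SetControllerIdentity` (previous hunk), which groups it with the identity/PKI setters although it has nothing to do with identity; invoking it from the caller next to `SetEdgeConfig(&data.Controller)` would read more honestly.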
--- a/ziti/cmd/helpers/env_helpers.go
+++ b/ziti/cmd/helpers/env_helpers.go
@@ -120,6 +120,10 @@ func GetCtrlEdgeAdvertisedPort() string {
 return getFromEnv(constants.CtrlEdgeAdvertisedPortVarName, defaultValue(constants.DefaultCtrlEdgeAdvertisedPort))
 }
 
+func GetCtrlDatabaseFile() string {
+ return getFromEnv(constants.CtrlDatabaseFileVarName, defaultValue(constants.DefaultCtrlDatabaseFile))
+}
+
 func GetZitiEdgeRouterPort() string {
 return getFromEnv(constants.ZitiEdgeRouterPortVarName, defaultValue(constants.DefaultZitiEdgeRouterPort))
 }
diff --git a/ziti/cmd/pki/pki_create_client.go b/ziti/cmd/pki/pki_create_client.go
index 2e19c25d8..3d62b0124 100644
--- a/ziti/cmd/pki/pki_create_client.go
+++ b/ziti/cmd/pki/pki_create_client.go
@@ -79,6 +79,7 @@ func (o *PKICreateClientOptions) addPKICreateClientFlags(cmd *cobra.Command) {
 cmd.Flags().IntVarP(&o.Flags.CAPrivateKeySize, "private-key-size", "", 4096, "Size of the RSA private key, ignored if -curve is set")
 cmd.Flags().StringVarP(&o.Flags.EcCurve, "curve", "", "", "If set an EC private key is generated and -private-key-size is ignored, options: P224, P256, P384, P521")
 cmd.Flags().StringVar(&o.Flags.SpiffeID, "spiffe-id", "", "Optionally provide the path portion of a SPIFFE id. The trust domain will be taken from the signing certificate.")
+ cmd.Flags().BoolVar(&o.Flags.AllowOverwrite, "allow-overwrite", false, "Allow overwrite existing certs")
 }
 
 // Run implements this command
@@ -158,6 +159,7 @@ func (o *PKICreateClientOptions) Run() error {
 Template: template,
 IsClientCertificate: true,
 PrivateKeyOptions: privateKeyOptions,
+ AllowOverwrite: o.Flags.AllowOverwrite,
 }
 
 if err := o.Flags.PKI.Sign(signer, req); err != nil {
diff --git a/ziti/constants/constants.go b/ziti/constants/constants.go
index 8017c662d..d74aa80aa 100644
--- a/ziti/constants/constants.go
+++ b/ziti/constants/constants.go
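Review bot: `GetCtrlDatabaseFile` is added here but nothing else in this commit calls it; `setDatabaseFile` in create_config_controller.go performs the same env-then-default lookup by hand with `os.Getenv`, so the two definitions of "the database file default" can drift apart. Either have that function's else branch call `helpers.GetCtrlDatabaseFile()` or hold the helper back until it has a caller; I only see this diff, so a caller elsewhere in the tree is possible, and the hand-rolled form does match how the neighbouring identity setters read their variables. The exported function also needs a doc comment, e.g. `// GetCtrlDatabaseFile returns ZITI_CTRL_DATABASE_FILE from the environment, or the default database path when it is unset.`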
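Review bot: The help text for the new flag, `"Allow overwrite existing certs"`, is ungrammatical and vaguer than it needs to be; since this command produces one client certificate, `"Allow overwriting an existing client certificate file"` says what the flag actually permits. The value is threaded through to `Sign` in the Run hunk below, and bootstrap.bash in this same commit now passes `--allow-overwrite` on every start when ZITI_AUTO_RENEW_CERTS=true, so operators will read this text when deciding whether that is safe; what `Sign` does when the flag is false and the file already exists is not visible in this diff.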
@@ -45,6 +45,8 @@ const (
 DefaultCtrlBindAddress = "0.0.0.0"
 DefaultCtrlAdvertisedPort = "6262"
 
+ DefaultCtrlDatabaseFile = "db/ctrl.db"
+
 DefaultCtrlEdgeBindAddress = "0.0.0.0"
 DefaultCtrlEdgeAdvertisedPort = "1280"
@@ -82,6 +84,8 @@ const (
 CtrlEdgeAltAdvertisedAddressVarDescription = "The publicly addressable, alternative controller address value. Overrides ZITI_CTRL_EDGE_ADVERTISED_ADDRESS"
 CtrlEdgeAdvertisedPortVarName = "ZITI_CTRL_EDGE_ADVERTISED_PORT"
 CtrlEdgeAdvertisedPortVarDescription = "The publicly addressable controller port value"
+ CtrlDatabaseFileVarName = "ZITI_CTRL_DATABASE_FILE"
+ CtrlDatabaseFileVarDescription = "Path to the Ziti Controller Database File"
 PkiSignerCertVarName = "ZITI_PKI_SIGNER_CERT"
 PkiSignerCertVarDescription = "Path to the Ziti Signing Cert"
 PkiSignerKeyVarName = "ZITI_PKI_SIGNER_KEY"