@@ -0,0 +1,40 @@ | ||
# nfpm configuration file | ||
# | ||
# check https://nfpm.goreleaser.com/configuration for detailed usage | ||
# | ||
name: openziti-router | ||
arch: ${GOARCH} | ||
platform: linux | ||
version: ${ZITI_VERSION} | ||
maintainer: ${ZITI_MAINTAINER} | ||
description: > | ||
Provides a system service for running an OpenZiti Router | ||
vendor: ${ZITI_VENDOR} | ||
homepage: ${ZITI_HOMEPAGE} | ||
license: Apache-2.0 | ||
# Contents to add to the package. | ||
contents: | ||
- dst: /lib/systemd/system/ | ||
src: ./dist/dist-packages/linux/openziti-router/ziti-router.service | ||
|
||
- dst: /opt/openziti/etc/router | ||
type: dir | ||
file_info: | ||
mode: 0755 | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/env | ||
type: config|noreplace | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/bootstrap.bash | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash | ||
|
||
scripts: | ||
postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash | ||
preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash | ||
|
||
depends: | ||
- openziti # ziti CLI |
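Review bot: The `env` entry in `contents` (the `config|noreplace` item) carries no `file_info`, so it is installed with nfpm's default mode, yet the env file it ships documents `ZITI_ENROLL_TOKEN=` as a valid assignment; a world-readable file is a poor place for an enrollment token to end up. Give it an explicit restrictive mode by adding, under `type: config|noreplace`, the lines `file_info:` / `  mode: 0640`, with `owner`/`group` set to whatever account the postinstall script (not in this diff) runs the service as. The two `.bash` entries also get no `file_info`; `entrypoint.bash` is presumably exec'd by the unit and so needs the execute bit, which is worth stating explicitly rather than relying on the source file's bits being carried through the package build.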
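--- a/dist/dist-packages/linux/openziti-router/bootstrap.bash
+++ b/dist/dist-packages/linux/openziti-router/bootstrap.bash
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Router with a config file and identity
+#
+
+function makeConfig() {
+#
+# create config file
+#
+
+if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+ziti create config router "${ZITI_ROUTER_TYPE}" \
+--tunnelerMode "${ZITI_ROUTER_MODE}" \
+--routerName "${ZITI_ROUTER_NAME}" \
+--output "${ZITI_ROUTER_CONFIG_FILE}"
+fi
+
+}
+
+function enroll() {
+
+# shellcheck disable=SC1090 # find the identity file path
+source <(ziti create config environment | grep ZITI_ROUTER)
+
+if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then
+if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then
+# shellcheck disable=SC2188
+ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+--jwt <(echo "${ZITI_ENROLL_TOKEN}")
+elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then
+ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+--jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN"
+else
+echo "ERROR: use SetCredential or LoadCredential in"\
+" /lib/systemd/system/ziti-router.service or set env var ZITI_ENROLL_TOKEN" >&2
+fi
+fi
+
+}
+
+function bootstrap() {
+
+if [ -n "${1:-}" ]; then
+ZITI_ROUTER_CONFIG_FILE="${1}"
+else
+echo "ERROR: no config file path provided" >&2
+return 1
+fi
+
+# make config file unless it exists if true, set force to overwrite
+if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then
+makeConfig
+elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+makeConfig --force
+fi
+
+# enroll unless certificate exists, set "force" to overwrite key and cert (requires new enrollment token)
+if [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == true ]; then
+enroll
+elif [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == force ]; then
+enroll --force
+fi
+}
+
+#
+# defaults
+#
+
+# used by "ziti create config router" and "ziti create config environment"
+: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}"
+: "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}"
+: "${ZITI_CTRL_ADVERTISED_PORT:=1280}"
+export ZITI_ROUTER_NAME \
+ZITI_ROUTER_ADVERTISED_ADDRESS \
+ZITI_CTRL_ADVERTISED_PORT \
+ZITI_ROUTER_PORT \
+ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"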
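Review bot: The `else` branch of `enroll()` reports that no enrollment token is available but never returns a non-zero status, so the function's status is that of the `echo`, `bootstrap` succeeds, and the caller proceeds to start a router that has no identity; add `return 1` immediately after the `echo ... >&2` in that branch so the failure is surfaced (the sourcing `entrypoint.bash` runs under `errexit`, so that is enough). The two `ziti router enroll` invocations are likewise unchecked, so when this file is sourced by a shell without `errexit` a failed enrollment continues just as silently. `bootstrap()` also reads `ZITI_BOOTSTRAP_CONFIG` and `ZITI_BOOTSTRAP_ENROLLMENT` without a default; neither is declared in the shipped env file, so under the caller's `nounset` they must be supplied by the unit file, which this diff does not show — an explicit `: "${ZITI_BOOTSTRAP_CONFIG:?set in ziti-router.service}"` (and the same for enrollment) would make that contract visible and give a useful error instead of an unbound-variable abort.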
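--- a/dist/dist-packages/linux/openziti-router/entrypoint.bash
+++ b/dist/dist-packages/linux/openziti-router/entrypoint.bash
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Router uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! (( $# )); then
+# if no args, run the router with the default config file
+set -- run config.yml
+elif [[ "${1}" == run && -z "${2:-}" ]]; then
+# if first arg is "run" and second arg is empty, run the router with the default config file
+set -- run config.yml
+fi
+
+# shellcheck disable=SC1090 # default path is assigned in env file
+source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
+
+# if first arg is "run", bootstrap the router with the config file
+if [ "${1}" == run ]; then
+bootstrap "${2}"
+fi
+
+# optionally renew certs at startup
+if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then
+# shellcheck disable=SC2068
+set -- ${@} --extend
+fi
+
+# shellcheck disable=SC2068
+exec ziti router ${@}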
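Review bot: `set -- ${@} --extend` and `exec ziti router ${@}` leave the positional parameters unquoted (the `SC2068` disables suppress the warning rather than address it), so any argument containing whitespace or glob characters — a config path with a space in it, for example — is split or expanded before it reaches `ziti`; use `set -- "$@" --extend` and `exec ziti router "$@"`, which pass each argument through intact and need no shellcheck exemption. A smaller point: the default `config.yml` is a relative path, so where it resolves depends on the unit's `WorkingDirectory=`, which is not in this diff; a one-line comment stating that expectation above the first `set -- run config.yml` would save the next reader a trip to the unit file.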
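--- a/dist/dist-packages/linux/openziti-router/env
+++ b/dist/dist-packages/linux/openziti-router/env
@@ -0,0 +1,39 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment and serves as an answer
+# file for first run prompts and unattended installations; only variables that are consumed by the ziti binary are
+# expected here to preserve the separation between the service unit and the binary
+#
+
+#
+# for "ziti create config router edge" commands in bootstrap.bash
+#
+
+# address of the controller (required)
+ZITI_CTRL_ADVERTISED_ADDRESS=
+# tcp port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=1280
+
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=
+
+# the router's address must be resolvable by other routers and edge identities (default: qualified hostname)
+ZITI_ROUTER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the router (default: 3022)
+ZITI_ROUTER_PORT=3022
+
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_ROUTER_BIND_ADDRESS="0.0.0.0"
+
+# where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
+ZITI_ROUTER_TPROXY_RESOLVER="udp://127.0.0.1:53"
+
+# set identity filenames (default: unqualified hostname)
+# ZITI_ROUTER_NAME=
+
+# type of router (default: edge, options: edge, fabric)
+ZITI_ROUTER_TYPE=edge
+# the mode of the router (default: host) requires that the router is administratively created with flag
+# --tunneler-enabled
+ZITI_ROUTER_MODE=host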
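Review bot: The header comment describes this as the env file for `ziti-controller.service`, but every variable in it is consumed by the router and the unit named elsewhere in this change is `ziti-router.service`; the comment should read `ziti-router.service` so nobody copies router settings into the controller's file. The `ZITI_ENROLL_TOKEN` guidance is the right default, but it would help to say why: a value placed here lands in the service's environment and in every copy or backup of this file, whereas the `LoadCredential` route keeps it in a root-only file that systemd exposes to the service alone. It is also worth noting in the comment that a token left behind here after a successful enrollment serves no further purpose and should be cleared, since `bootstrap.bash` only reads it when no identity certificate exists yet.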