add Linux package for router #1801
Changes from all commits
9625a6f
6b401c2
3f260af
60fe207
d4c063c
3ff331f
2fe25cc
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -38,3 +38,7 @@ | |
- get: /zdew/ | ||
raw: /openziti/desktop-edge-win/main/release-streams/ | ||
file: latest.json | ||
|
||
- get: /dist/ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. add a shortcut so we can provide examples in docs like |
||
raw: /openziti/ziti/{{GITHUB_SHA}}/dist/ | ||
file: /docker-images/ziti-router/compose.yml |
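Review bot: The new `file:` value carries a leading slash (`file: /docker-images/ziti-router/compose.yml`) while the existing entry in the same file uses a bare name (`file: latest.json`); if the consumer joins `raw` and `file` by concatenation, the `/dist/` suffix plus that leading slash would produce a doubled slash in the fetched path. Unless the leading slash is required by whatever reads these entries, `file: docker-images/ziti-router/compose.yml` keeps the two entries consistent. I cannot see how the entries are consumed, so this is a consistency point rather than a confirmed defect.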
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# nfpm configuration file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This file extends the pattern used by the CLI and controller Linux packages. |
||
# | ||
# check https://nfpm.goreleaser.com/configuration for detailed usage | ||
# | ||
name: openziti-router | ||
arch: ${GOARCH} | ||
platform: linux | ||
version: ${ZITI_VERSION} | ||
prerelease: ${ZITI_REV} | ||
maintainer: ${ZITI_MAINTAINER} | ||
description: > | ||
Provides a system service for running an OpenZiti Router | ||
vendor: ${ZITI_VENDOR} | ||
homepage: ${ZITI_HOMEPAGE} | ||
license: Apache-2.0 | ||
# Contents to add to the package. | ||
contents: | ||
- dst: /lib/systemd/system/ | ||
src: ./dist/dist-packages/linux/openziti-router/ziti-router.service | ||
|
||
- dst: /opt/openziti/etc/router | ||
type: dir | ||
file_info: | ||
mode: 0755 | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/env | ||
type: config|noreplace | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/bootstrap.bash | ||
|
||
- dst: /opt/openziti/etc/router/ | ||
src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash | ||
|
||
scripts: | ||
postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash | ||
preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash | ||
|
||
depends: | ||
- openziti # ziti CLI |
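Review bot: The `env` content entry (installed to `/opt/openziti/etc/router/` as `config|noreplace`) carries no `file_info`, yet that file is where `ZITI_ENROLL_TOKEN=` may be assigned in clear text, so whatever mode nfpm applies by default, a token-bearing config should not end up world-readable. Pin a restrictive mode on that entry the same way the directory entry above it does, e.g. add `file_info:` / `mode: 0600` under the `env` item; assuming the unit loads it via `EnvironmentFile=`, systemd reads it as root before dropping privileges, so the service is unaffected. The `bootstrap.bash` and `entrypoint.bash` entries likewise rely on the source files' permission bits; stating the intended mode explicitly makes the package reproducible regardless of the build checkout's umask.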
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
#!/usr/bin/env bash | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This router bootstrapping script defines the default run state for a router deployed as a Linux package or container (except K8s, which has its default state). |
||
# | ||
# bootstrap the OpenZiti Router with a config file and identity | ||
# | ||
|
||
function makeConfig() { | ||
# | ||
# create config file | ||
# | ||
|
||
if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then | ||
ziti create config router "${ZITI_ROUTER_TYPE}" \ | ||
--tunnelerMode "${ZITI_ROUTER_MODE}" \ | ||
--routerName "${ZITI_ROUTER_NAME}" \ | ||
--output "${ZITI_ROUTER_CONFIG_FILE}" | ||
fi | ||
|
||
} | ||
|
||
function enroll() { | ||
|
||
# shellcheck disable=SC1090 # find the identity file path | ||
source <(ziti create config environment | grep ZITI_ROUTER) | ||
|
||
if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then | ||
if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then | ||
# shellcheck disable=SC2188 | ||
ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \ | ||
--jwt <(echo "${ZITI_ENROLL_TOKEN}") | ||
elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then | ||
ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \ | ||
--jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN" | ||
else | ||
echo "ERROR: use SetCredential or LoadCredential in"\ | ||
" /lib/systemd/system/ziti-router.service or set env var ZITI_ENROLL_TOKEN" >&2 | ||
fi | ||
fi | ||
|
||
} | ||
|
||
function bootstrap() { | ||
|
||
if [ -n "${1:-}" ]; then | ||
ZITI_ROUTER_CONFIG_FILE="${1}" | ||
else | ||
echo "ERROR: no config file path provided" >&2 | ||
return 1 | ||
fi | ||
|
||
# make config file unless it exists if true, set force to overwrite | ||
if [ "${ZITI_BOOTSTRAP_CONFIG}" == true ]; then | ||
makeConfig | ||
elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then | ||
makeConfig --force | ||
fi | ||
|
||
# enroll unless certificate exists, set "force" to overwrite key and cert (requires new enrollment token) | ||
if [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == true ]; then | ||
enroll | ||
elif [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == force ]; then | ||
enroll --force | ||
fi | ||
} | ||
|
||
# | ||
# defaults | ||
# | ||
|
||
# used by "ziti create config router" and "ziti create config environment" | ||
: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}" | ||
: "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}" | ||
: "${ZITI_CTRL_ADVERTISED_PORT:=1280}" | ||
: "${ZITI_ROUTER_MODE:=none}" | ||
export ZITI_ROUTER_NAME \ | ||
ZITI_ROUTER_ADVERTISED_ADDRESS \ | ||
ZITI_CTRL_ADVERTISED_PORT \ | ||
ZITI_ROUTER_PORT \ | ||
ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}" |
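Review bot: In `enroll()` the `else` branch that reports a missing enrollment token prints the ERROR and then falls through, so the function returns 0 and `bootstrap()` treats an un-enrolled router as success; add `return 1` after the `echo ... >&2` so the failure propagates the way the missing-config-path case in `bootstrap()` already does. The token is also fed through `--jwt <(echo "${ZITI_ENROLL_TOKEN}")`; `printf '%s\n' "${ZITI_ENROLL_TOKEN}"` is the safer way to emit an opaque value, since `echo` interprets a leading `-` and, in some shells, backslash sequences. Separately, the defaults block at the end sets `ZITI_CTRL_ADVERTISED_PORT` and `ZITI_ROUTER_MODE` but not `ZITI_ROUTER_PORT`, although the companion env file documents 3022 as its default and this script exports `ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"`; presumably the `ziti` CLI supplies that default, but if it does not, `: "${ZITI_ROUTER_PORT:=3022}"` belongs alongside the other defaults.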
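--- /dev/null
+++ b/dist/dist-packages/linux/openziti-router/entrypoint.bash
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Router uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! (( $# )); then
+# if no args, run the router with the default config file
+set -- run config.yml
+elif [[ "${1}" == run && -z "${2:-}" ]]; then
+# if first arg is "run" and second arg is empty, run the router with the default config file
+set -- run config.yml
+fi
+
+# shellcheck disable=SC1090 # default path is assigned in env file
+source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
+
+# if first arg is "run", bootstrap the router with the config file
+if [ "${1}" == run ]; then
+bootstrap "${2}"
+fi
+
+# optionally renew certs at startup
+if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then
+# shellcheck disable=SC2068
+set -- ${@} --extend
+fi
+
+# shellcheck disable=SC2068
+exec ziti router ${@}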
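Review bot: Both `set -- ${@} --extend` and `exec ziti router ${@}` expand the positional parameters unquoted (with SC2068 silenced), so any argument containing whitespace or glob characters — a config path with a space, for instance — is re-split before it reaches `ziti router`; use `set -- "$@" --extend` and `exec ziti router "$@"` and drop the two `shellcheck disable=SC2068` lines. The default `set -- run config.yml` is a relative path, so it presumably relies on the unit's working directory being the router's config directory; a one-line comment stating that assumption would help, because `bootstrap` receives that bare filename as `ZITI_ROUTER_CONFIG_FILE` and `makeConfig` writes to it relative to wherever the process happens to run.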
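--- /dev/null
+++ b/dist/dist-packages/linux/openziti-router/env
@@ -0,0 +1,45 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment and serves as an answer
+# file for first run prompts and unattended installations; only variables that are consumed by the ziti binary are
+# expected here to preserve the separation between the service unit and the binary
+#
+
+#
+# for "ziti create config router edge" commands in bootstrap.bash
+#
+
+# address of the controller (required)
+ZITI_CTRL_ADVERTISED_ADDRESS=
+# tcp port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=
+
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=
+
+# the router's address must be resolvable by other routers and edge identities (default: qualified hostname)
+ZITI_ROUTER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the router, if <= 1024, then grant the NET_BIND_SERVICE ambient capability in
+# /lib/systemd/system/ziti-router.service (default: 3022)
+ZITI_ROUTER_PORT=
+
+# the mode of the router; the router must be administratively created with the --tunneler-enabled flag; if "tproxy" mode
+# then grant ambient capbility NET_ADMIN in /lib/systemd/system/ziti-router.service and set the host's DNS resolvers to
+# have this router's nameserver as the primary in additional to a secondary, recursive resolver (host, tproxy, proxy;
+# default: host)
+ZITI_ROUTER_MODE=
+# where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
+ZITI_ROUTER_TPROXY_RESOLVER=
+# CIDR range of IP addresses to assign to DNS clients in tproxy mode (default: 100.64.0.1/10)
+ZITI_ROUTER_DNS_IP_RANGE=
+
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_ROUTER_BIND_ADDRESS=
+
+# set identity filenames (default: unqualified hostname)
+# ZITI_ROUTER_NAME=
+
+# type of router (default: edge, options: edge, fabric)
+ZITI_ROUTER_TYPE=edge
+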
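Review bot: The header comment describes this as the env file for `ziti-controller.service`, but every assignment in it is a `ZITI_ROUTER_*` or enrollment setting for the router package, so the first comment line should read `# this is a systemd env file allowing simple assignments for ziti-router.service environment and serves as an answer`. Two smaller wording points in the same file: the `ZITI_ROUTER_PORT` comment says `if <= 1024`, but the privileged range is ports below 1024, so `< 1024` is the accurate threshold for needing `NET_BIND_SERVICE`; and the `ZITI_ROUTER_MODE` comment has `capbility` and `in additional to` (`capability`, `in addition to`). Since the `ZITI_ENROLL_TOKEN` comment already steers operators to `LoadCredential=` with a root-only file, it would be consistent to also say that this env file itself must be kept root-readable only if the token is ever placed here, as the package installs it without an explicit mode.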
elevate the build context to the root dir of the repo to enable sharing the entrypoint/bootstrap scripts that are also used by the Linux package