openziti · qrkourier · Apr 2, 2024 · Mar 22, 2024 · Mar 22, 2024 · Mar 22, 2024
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
@@ -116,19 +116,20 @@ jobs:
           if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
             DOCKER_TAGS+=",${IMAGE_REPO}:latest"
           fi
-          echo "DEBUG: DOCKER_TAGS=${DOCKER_TAGS}"
-          echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
+          echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Router Container Image to Hub
         uses: docker/build-push-action@v3
         with:
           builder: ${{ steps.buildx.outputs.name }}
-          context: ${{ github.workspace }}/dist/docker-images/ziti-router/
+          context: ${{ github.workspace }}/
+          file: ${{ github.workspace }}/dist/docker-images/ziti-router/Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.tagprep_router.outputs.DOCKER_TAGS }}
           build-args: |
             ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }}
             ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }}
+            DOCKER_BUILD_DIR=./dist/docker-images/ziti-router
           push: true
 
       - name: Set Up Container Image Tags for Go Tunneler Container

diff --git a/dist/cloudfront/get.openziti.io/routes.yml b/dist/cloudfront/get.openziti.io/routes.yml
@@ -38,3 +38,7 @@
 - get: /zdew/
   raw: /openziti/desktop-edge-win/main/release-streams/
   file: latest.json
+
+- get: /dist/
+  raw: /openziti/ziti/{{GITHUB_SHA}}/dist/
+  file: /docker-images/ziti-router/compose.yml
diff --git a/dist/dist-packages/linux/nfpm-openziti-controller.yaml b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
@@ -6,6 +6,7 @@ name: openziti-controller
 arch: ${GOARCH}
 platform: linux
 version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
 maintainer: ${ZITI_MAINTAINER}
 description: >
   Provides a system service for running an OpenZiti Controller

diff --git a/dist/dist-packages/linux/nfpm-openziti-router.yaml b/dist/dist-packages/linux/nfpm-openziti-router.yaml
@@ -0,0 +1,41 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-router
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+  Provides a system service for running an OpenZiti Router
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+# Contents to add to the package.
+contents:
+  - dst: /lib/systemd/system/
+    src: ./dist/dist-packages/linux/openziti-router/ziti-router.service
+
+  - dst: /opt/openziti/etc/router
+    type: dir
+    file_info:
+      mode: 0755
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/env
+    type: config|noreplace
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/bootstrap.bash
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash
+
+scripts:
+  postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash
+  preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash
+
+depends:
+  - openziti  # ziti CLI
diff --git a/dist/dist-packages/linux/nfpm-openziti.yaml b/dist/dist-packages/linux/nfpm-openziti.yaml
@@ -6,6 +6,7 @@ name: openziti
 arch: ${GOARCH}
 platform: linux
 version: ${ZITI_VERSION}
+prerelease: ${ZITI_REV}
 maintainer: ${ZITI_MAINTAINER}
 description: >
   The openziti package provides the ziti executable binary as a command line

diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.bash b/dist/dist-packages/linux/openziti-router/bootstrap.bash
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Router with a config file and identity
+#
+
+function makeConfig() {
+  #
+  # create config file
+  #
+
+  if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+    ziti create config router "${ZITI_ROUTER_TYPE}" \
+      --tunnelerMode "${ZITI_ROUTER_MODE}" \
+      --routerName "${ZITI_ROUTER_NAME}" \
+      --output "${ZITI_ROUTER_CONFIG_FILE}"
+  fi
+
+}
+
+function enroll() {
+
+  # shellcheck disable=SC1090 # find the identity file path
+  source <(ziti create config environment | grep ZITI_ROUTER)
+
+  if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then
+    if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then
+      # shellcheck disable=SC2188
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+        --jwt <(echo "${ZITI_ENROLL_TOKEN}")
+    elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+        --jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN"
+    else
+      echo  "ERROR: use SetCredential or LoadCredential in"\
+            " /lib/systemd/system/ziti-router.service or set env var ZITI_ENROLL_TOKEN" >&2
+    fi
+  fi
+
+}
+
+function bootstrap() {
+
+  if [ -n "${1:-}" ]; then
+    ZITI_ROUTER_CONFIG_FILE="${1}"
+  else
+    echo "ERROR: no config file path provided" >&2
+    return 1
+  fi
+
+  # make config file unless it exists if true, set force to overwrite
+  if [ "${ZITI_BOOTSTRAP_CONFIG}"   == true ]; then
+    makeConfig
+  elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+    makeConfig --force
+  fi
+
+  # enroll unless certificate exists, set "force" to overwrite key and cert (requires new enrollment token)
+  if [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == true ]; then
+    enroll
+  elif [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == force ]; then
+    enroll --force
+  fi
+}
+
+#
+# defaults
+#
+
+# used by "ziti create config router" and "ziti create config environment" 
+: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}"
+: "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}"
+: "${ZITI_CTRL_ADVERTISED_PORT:=1280}"
+: "${ZITI_ROUTER_MODE:=none}"
+export  ZITI_ROUTER_NAME \
+        ZITI_ROUTER_ADVERTISED_ADDRESS \
+        ZITI_CTRL_ADVERTISED_PORT \
+        ZITI_ROUTER_PORT \
+        ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"
diff --git a/dist/dist-packages/linux/openziti-router/entrypoint.bash b/dist/dist-packages/linux/openziti-router/entrypoint.bash
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Router uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! (( $# )); then
+    # if no args, run the router with the default config file
+    set -- run config.yml
+elif [[ "${1}" == run && -z "${2:-}" ]]; then
+    # if first arg is "run" and second arg is empty, run the router with the default config file
+    set -- run config.yml
+fi
+
+# shellcheck disable=SC1090 # default path is assigned in env file
+source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
+
+# if first arg is "run", bootstrap the router with the config file
+if [ "${1}" == run ]; then
+    bootstrap "${2}"
+fi
+
+# optionally renew certs at startup
+if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then
+    # shellcheck disable=SC2068
+    set -- ${@} --extend
+fi
+
+# shellcheck disable=SC2068
+exec ziti router ${@}
diff --git a/dist/dist-packages/linux/openziti-router/env b/dist/dist-packages/linux/openziti-router/env
@@ -0,0 +1,45 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment and serves as an answer
+# file for first run prompts and unattended installations; only variables that are consumed by the ziti binary are
+# expected here to preserve the separation between the service unit and the binary
+#
+
+#
+# for "ziti create config router edge" commands in bootstrap.bash
+#
+
+# address of the controller (required)
+ZITI_CTRL_ADVERTISED_ADDRESS=
+# tcp port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=
+
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=
+
+# the router's address must be resolvable by other routers and edge identities (default: qualified hostname)
+ZITI_ROUTER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the router, if <= 1024, then grant the NET_BIND_SERVICE ambient capability in
+# /lib/systemd/system/ziti-router.service (default: 3022)
+ZITI_ROUTER_PORT=
+
+# the mode of the router; the router must be administratively created with the --tunneler-enabled flag; if "tproxy" mode
+# then grant ambient capbility NET_ADMIN in /lib/systemd/system/ziti-router.service and set the host's DNS resolvers to
+# have this router's nameserver as the primary in additional to a secondary, recursive resolver (host, tproxy, proxy;
+# default: host)
+ZITI_ROUTER_MODE=
+# where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
+ZITI_ROUTER_TPROXY_RESOLVER=
+# CIDR range of IP addresses to assign to DNS clients in tproxy mode (default: 100.64.0.1/10)
+ZITI_ROUTER_DNS_IP_RANGE=
+
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_ROUTER_BIND_ADDRESS=
+
+# set identity filenames (default: unqualified hostname)
+# ZITI_ROUTER_NAME=
+
+# type of router (default: edge, options: edge, fabric)
+ZITI_ROUTER_TYPE=edge
+