Merge pull request #510 from openziti/issue-509-docker-identity-env-var
Docker get Ziti ID from env var instead of mounted file
qrkourier committed Oct 10, 2022
2 parents fcde6ef + c11ef43 commit 97aad5e
Showing 2 changed files with 78 additions and 34 deletions.
68 changes: 37 additions & 31 deletions docker/docker-compose.yml
Expand Up @@ -3,14 +3,14 @@ version: "3.9"
x-base-service: &base-service
image: openziti/ziti-edge-tunnel
devices:
- /dev/net/tun:/dev/net/tun
- /dev/net/tun:/dev/net/tun
volumes:
- .:/ziti-edge-tunnel
- /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
- .:/ziti-edge-tunnel
- /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
environment:
- NF_REG_NAME # inherit when run like this: NF_REG_NAME=AcmeIdentity docker-compose up ziti-tun
- NF_REG_TOKEN # NF_REG_NAME=AcmeIdentity NF_REG_TOKEN={JWT} docker-compose up ziti-tun
- PFXLOG_NO_JSON=true # suppress JSON logging
- ZITI_IDENTITY_BASENAME # inherit when run like this: ZITI_IDENTITY_BASENAME=AcmeIdentity docker-compose up ziti-tun
- ZITI_ENROLL_TOKEN # ZITI_IDENTITY_BASENAME=AcmeIdentity ZITI_ENROLL_TOKEN={JWT} docker-compose up ziti-tun
- PFXLOG_NO_JSON=true # suppress JSON logging
network_mode: host # use the Docker host's network, not the Docker bridge
privileged: true

Expand All @@ -19,64 +19,70 @@ services:
ziti-tun: # tunneler for one Ziti identity
<<: *base-service
command:
- --verbose=4
- --dns-ip-range=100.64.64.0/18
- --verbose=4
- --dns-ip-range=100.64.64.0/18

ziti-tun-dir: # tunneler for all identities in /ziti-edge-tunnel
<<: *base-service
command:
- --verbose=4
- --dns-ip-range=100.64.64.0/18
environment: [] # ignore NF_REG_NAME and load all identities in same dir
- --verbose=4
- --dns-ip-range=100.64.64.0/18
environment: [] # ignore ZITI_IDENTITY_BASENAME and load all identities in same dir

ziti-test: # docker-compose exec ziti-test bash
<<: *base-service
entrypoint: ["sh", "-c", "while true; do sleep infinity; done"]

ziti-host: # tunneler for hosting services without providing DNS or IP routes

# enrolled identity JSON from env var is written to container filesystem /ziti-edge-tunnel/ziti_id.json
ziti-host:
image: openziti/ziti-edge-tunnel
environment:
- NF_REG_NAME
- NF_REG_TOKEN
volumes:
- .:/ziti-edge-tunnel
- ZITI_IDENTITY_JSON
networks:
- ziti-host
- ziti-host
privileged: false # no privileges necessary for run-host mode
command:
- run-host
- --verbose=4
- run-host
- --verbose=4

ziti-host-wait: # tunneler for hosting services that waits forever for the identity to become available
image: openziti/ziti-edge-tunnel
environment:
- NF_REG_NAME
- NF_REG_WAIT=-1 # optional seconds to wait for identity (or token) to become available, negative value is wait forever
- ZITI_IDENTITY_BASENAME
- ZITI_IDENTITY_WAIT=-1 # optional seconds to wait for identity (or token) to become available, negative value is wait forever
volumes:
- .:/ziti-edge-tunnel
- .:/ziti-edge-tunnel
networks:
- ziti-host
- ziti-host
privileged: false # no privileges necessary for run-host mode
command:
- run-host
- --verbose=4
- run-host
- --verbose=4

ziti-host-dir: # tunneler for hosting services without providing DNS or IP routes
image: openziti/ziti-edge-tunnel
environment: [] # ignore NF_REG_NAME and load all identities in same dir
environment: [] # ignore ZITI_IDENTITY_BASENAME and load all identities in same dir
volumes:
- .:/ziti-edge-tunnel
- .:/ziti-edge-tunnel
networks:
- ziti-host
- ziti-host
privileged: false # no privileges necessary for run-host mode
command:
- run-host
- --verbose=4
- run-host
- --verbose=4

hello: # http://hello:80 from bridge network "ziti-host"
image: netfoundry/hello-world-webpage
networks:
- ziti-host
- ziti-host

httpbin:
image: mccutchen/go-httpbin
networks:
- ziti-host
# ports:
# - "127.0.0.1:8080:8080/tcp"

networks:
ziti-host:
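Review bot: `ZITI_IDENTITY_JSON` on line 71 carries an enrolled identity, which includes the identity's private key, and anything listed under `environment:` is readable with `docker inspect` on the host and inherited by every process the container starts; the hunk gives the reader no hint of that trade-off. A comment on that line would make it explicit, e.g. `- ZITI_IDENTITY_JSON  # enrolled identity JSON incl. private key; readable via docker inspect and by all container processes`. Also, only `ziti-host` forwards the variable — the `x-base-service` environment list on lines 32-34 does not — so `ziti-tun` cannot take an identity from the env var even though the entrypoint handles it for every mode; if that is deliberate, say so in the `ziti-host` comment on line 63, otherwise add `- ZITI_IDENTITY_JSON` to the base list.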
44 changes: 41 additions & 3 deletions docker/docker-entrypoint.sh
Expand Up @@ -36,17 +36,53 @@ if ! [[ -d "${IDENTITIES_DIR}" ]]; then
fi

if ! mountpoint "${IDENTITIES_DIR}" &>/dev/null; then
echo "WARN: the identities directory only available inside this container because ${IDENTITIES_DIR} is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely." >&2
echo "WARN: the identities directory is only available inside this container because ${IDENTITIES_DIR} is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely." >&2
else
if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then
echo "WARNING: you supplied the Ziti identity as an env var and you mounted a volume on the identities dir. You may avoid this warning and future errors by not mounting a volume on ${IDENTITIES_DIR} when ZITI_IDENTITY_JSON is defined." >&2
fi
fi

#
## Map the preferred, Ziti var names to legacy NF names. This allows us to begin using the preferred vars right away
## while minimizing immediate differences to the main control structure. This eases code review. Later, the legacy
## names can be retired and replaced.
#
if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then
echo "INFO: setting NF_REG_NAME to \${ZITI_IDENTITY_BASENAME} (${ZITI_IDENTITY_BASENAME})"
NF_REG_NAME="${ZITI_IDENTITY_BASENAME}"
fi
if [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then
echo "INFO: setting NF_REG_TOKEN to \${ZITI_ENROLL_TOKEN} (${ZITI_ENROLL_TOKEN})"
NF_REG_TOKEN="${ZITI_ENROLL_TOKEN}"
fi
if [[ -n "${ZITI_IDENTITY_WAIT:-}" ]]; then
echo "INFO: setting NF_REG_WAIT to \${ZITI_IDENTITY_WAIT} (${ZITI_IDENTITY_WAIT})"
NF_REG_WAIT="${ZITI_IDENTITY_WAIT}"
fi

# IOTEDGE_DEVICEID is a standard var assigned by Azure IoT
# treat IOTEDGE_DEVICEID, a standard var assigned by Azure IoT, as an alias for NF_REG_NAME
if [[ -z "${NF_REG_NAME:-}" ]]; then
if [[ -n "${IOTEDGE_DEVICEID:-}" ]]; then
echo "INFO: setting NF_REG_NAME to \${IOTEDGE_DEVICEID} (${IOTEDGE_DEVICEID})"
NF_REG_NAME="${IOTEDGE_DEVICEID}"
fi
fi

# if identity JSON var is defined then write to a file
if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then
# if the basename is not defined then use a default basename to write JSON to a file
if [[ -z "${NF_REG_NAME:-}" ]]; then
NF_REG_NAME="ziti_id"
fi
if [[ -s "${IDENTITIES_DIR}/${NF_REG_NAME}.json" ]]; then
echo "ERROR: refusing to clobber non-empty Ziti identity file ${NF_REG_NAME}.json with contents of env var ZITI_IDENTITY_JSON!" >&2
exit 1
else
echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${NF_REG_NAME}.json"
fi
fi

typeset -a TUNNEL_OPTS
# if identity file, else multiple identities dir
if [[ -n "${NF_REG_NAME:-}" ]]; then
Expand All @@ -69,7 +105,9 @@ if [[ -n "${NF_REG_NAME:-}" ]]; then
# look for enrollment token
else
echo "INFO: identity file ${IDENTITY_FILE} does not exist"
for dir in "/var/run/secrets/netfoundry.io/enrollment-token" "${IDENTITIES_DIR}"; do
for dir in "/var/run/secrets/netfoundry.io/enrollment-token" \
"/enrollment-token" \
"${IDENTITIES_DIR}"; do
JWT_CANDIDATE="${dir}/${NF_REG_NAME}.jwt"
echo "INFO: looking for ${JWT_CANDIDATE}"
if [[ -s "${JWT_CANDIDATE}" ]]; then
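Review bot: The new mapping block logs the enrollment token in clear on line 158 — `echo "INFO: setting NF_REG_TOKEN to \${ZITI_ENROLL_TOKEN} (${ZITI_ENROLL_TOKEN})"` writes the JWT to stdout, which Docker captures and any log shipper forwards, whereas the same pattern for the basename on line 154 is harmless; drop the parenthesised value: `echo "INFO: setting NF_REG_TOKEN from \${ZITI_ENROLL_TOKEN}"`. Second, line 185 writes the identity JSON, private key included, under whatever umask the container inherited, so the file is typically created world-readable; `(umask 077; printf '%s\n' "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${NF_REG_NAME}.json")` restricts it to the owner without changing anything else. The `-s` guard on line 181 only protects non-empty files, which looks intentional; a comment such as `# an existing empty file is overwritten on purpose` would stop a later reader from "fixing" it. The script continues beyond this hunk.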
