Docker get Ziti ID from env var instead of mounted file #510
Conversation
…t using Ziti env var names mapped to existing NF names
| @@ -69,7 +105,9 @@ if [[ -n "${NF_REG_NAME:-}" ]]; then | |||
| # look for enrollment token | |||
| else | |||
| echo "INFO: identity file ${IDENTITY_FILE} does not exist" | |||
| for dir in "/var/run/secrets/netfoundry.io/enrollment-token" "${IDENTITIES_DIR}"; do | |||
| for dir in "/var/run/secrets/netfoundry.io/enrollment-token" \ | |||
| "/enrollment-token" \ | |||
There was a problem hiding this comment.
This addition of /enrollment-token is for the sake of parity with the ziti-tunnel container where it was added to enable a use case where the admin wishes to supply the OTT on a separate mount point from the persisted identity. For example, this is necessary in Kubernetes where secrets and volumes may not be bound to the same mount point.
| - NF_REG_NAME # inherit when run like this: NF_REG_NAME=AcmeIdentity docker-compose up ziti-tun | ||
| - NF_REG_TOKEN # NF_REG_NAME=AcmeIdentity NF_REG_TOKEN={JWT} docker-compose up ziti-tun | ||
| - PFXLOG_NO_JSON=true # suppress JSON logging | ||
| - ZITI_IDENTITY_BASENAME # inherit when run like this: ZITI_IDENTITY_BASENAME=AcmeIdentity docker-compose up ziti-tun |
There was a problem hiding this comment.
I'm not sure how the _BASENAME suffix helps... Why not _NAME?
There was a problem hiding this comment.
@scareything I chose _BASENAME because I have found that it is often confusing for the operator who mistakenly assumes that the correct value here is like ziti_id.json instead of the correct value ziti_id. I meant to clarify that only the basename of the file, not the full filename, is expected.
There was a problem hiding this comment.
I agree, some differentiation is nice here. When I hear _NAME, I think "filename"
Also, start using Ziti env var names mapped to existing NF names e.g.
ZITI_ENROLL_TOKENinstead ofNF_REG_TOKENwhile preserving backwards compat.