zrok/docs/guides/v0.3_self_hosting_guide.md

207 lines
8.9 KiB
Markdown
Raw Normal View History

2023-01-29 21:54:27 +01:00
# Self-Hosting Guide
2022-12-07 19:58:05 +01:00
## OpenZiti Quickstart
2022-12-07 19:58:05 +01:00
https://openziti.github.io/docs/quickstarts/network/
I specifically used the "no docker" variant:
```bash
2023-01-19 04:44:01 +01:00
$ source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; expressInstall
2022-12-07 19:58:05 +01:00
$ startController
$ startRouter
```
Keep track of the generated admin password when running the `expressInstall` script. The script will prompt you like this:
```
Do you want to keep the generated admin password 'XO0xHp75uuyeireO2xmmVlK91T7B9fpD'? (Y/n)
```
You'll need that generated password (`XO0xHp75uuyeireO2xmmVlK91T7B9fpD`) when building your `zrok` controller configuration.
2023-01-19 15:53:28 +01:00
## Configure the Controller
Create a controller configuration file in `etc/ctrl.yml`. The controller does not provide server TLS, but you may front the server with a reverse proxy. This example will expose the non-TLS listener for the controller.
2022-12-07 19:58:05 +01:00
```yaml
# _____ __ ___ | | __
# |_ / '__/ _ \| |/ /
# / /| | | (_) | <
# /___|_| \___/|_|\_\
# controller configuration
v: 1
admin:
secrets:
- f60b55fa-4dec-4c4a-9244-e3b7d6b9bb13
endpoint:
host: 0.0.0.0
port: 18080
store:
path: zrok.db
type: sqlite3
ziti:
api_endpoint: "https://127.0.0.1:1280"
username: admin
password: "XO0xHp75uuyeireO2xmmVlK91T7B9fpD"
```
2023-01-19 15:53:28 +01:00
The `admin` section defines privileged administrative credentials and must be set in the `ZROK_ADMIN_TOKEN` environment variable in shells where you want to run `zrok admin`.
2022-12-07 19:58:05 +01:00
The `endpoint` section defines where your `zrok` controller will listen.
The `store` section defines the local `sqlite3` database used by the controller.
The `ziti` section defines how the `zrok` controller should communicate with your OpenZiti installation. When using the OpenZiti quickstart, an administrative password will be generated; the `password` in the `ziti` stanza should reflect this password.
2022-12-07 19:58:05 +01:00
## Environment Variables
The `zrok` binaries are configured to work with the global `zrok.io` service, and default to using `api.zrok.io` as the endpoint for communicating with the service.
2023-01-19 15:53:28 +01:00
To work with a local `zrok` deployment, you'll need to set the `ZROK_API_ENDPOINT` environment variable to point to the address where your `zrok` controller will be listening, according to `endpoint` in the configuration file above.
2022-12-07 19:58:05 +01:00
In my case, I've set:
2023-01-19 15:53:28 +01:00
```bash
2022-12-07 19:58:05 +01:00
$ export ZROK_API_ENDPOINT=http://localhost:18080
```
## Bootstrap OpenZiti for zrok
2022-12-07 19:58:05 +01:00
With your OpenZiti network running and your configuration saved to a local file (I refer to mine as `etc/ctrl.yml` in these examples), you're ready to bootstrap the Ziti network.
2022-12-07 19:58:05 +01:00
Use the `zrok admin bootstrap` command to bootstrap like this:
2023-01-19 15:53:28 +01:00
```bash
$ zrok admin bootstrap etc/ctrl.yml
2022-12-07 19:58:05 +01:00
[ 0.002] INFO main.(*adminBootstrap).run: {
...
}
[ 0.002] INFO zrok/controller/store.Open: database connected
[ 0.006] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations
[ 0.006] INFO zrok/controller.Bootstrap: connecting to the ziti edge management api
[ 0.039] INFO zrok/controller.Bootstrap: creating identity for controller ziti access
[ 0.071] INFO zrok/controller.Bootstrap: controller identity: jKd8AINSz
[ 0.082] INFO zrok/controller.assertIdentity: asserted identity 'jKd8AINSz'
[ 0.085] INFO zrok/controller.assertErpForIdentity: asserted erps for 'ctrl' (jKd8AINSz)
[ 0.085] INFO zrok/controller.Bootstrap: creating identity for frontend ziti access
[ 0.118] INFO zrok/controller.Bootstrap: frontend identity: sqJRAINSiB
[ 0.119] INFO zrok/controller.assertIdentity: asserted identity 'sqJRAINSiB'
[ 0.120] INFO zrok/controller.assertErpForIdentity: asserted erps for 'frontend' (sqJRAINSiB)
[ 0.120] WARNING zrok/controller.Bootstrap: missing public frontend for ziti id 'sqJRAINSiB'; please use 'zrok admin create frontend sqJRAINSiB public https://{token}.your.dns.name' to create a frontend instance
2022-12-07 19:58:05 +01:00
[ 0.123] INFO zrok/controller.assertZrokProxyConfigType: found 'zrok.proxy.v1' config type with id '33CyjNbIepkXHN5VzGDA8L'
[ 0.124] INFO zrok/controller.assertMetricsService: creating 'metrics' service
[ 0.126] INFO zrok/controller.assertMetricsService: asserted 'metrics' service (5RpPZZ7T8bZf1ENjwGiPc3)
[ 0.128] INFO zrok/controller.assertMetricsSerp: creating 'metrics' serp
[ 0.130] INFO zrok/controller.assertMetricsSerp: asserted 'metrics' serp
[ 0.134] INFO zrok/controller.assertCtrlMetricsBind: creating 'ctrl-metrics-bind' service policy
[ 0.135] INFO zrok/controller.assertCtrlMetricsBind: asserted 'ctrl-metrics-bind' service policy
[ 0.138] INFO zrok/controller.assertFrontendMetricsDial: creating 'frontend-metrics-dial' service policy
[ 0.140] INFO zrok/controller.assertFrontendMetricsDial: asserted 'frontend-metrics-dial' service policy
[ 0.140] INFO main.(*adminBootstrap).run: bootstrap complete!
```
The `zrok admin bootstrap` command configures the `zrok` database, the necessary OpenZiti identities, and all of the OpenZiti policies required to run a `zrok` service.
2022-12-07 19:58:05 +01:00
Notice this warning:
```
[ 0.120] WARNING zrok/controller.Bootstrap: missing public frontend for ziti id 'sqJRAINSiB'; please use 'zrok admin create frontend sqJRAINSiB public https://{token}.your.dns.name' to create a frontend instance
2022-12-07 19:58:05 +01:00
```
The `zrok` bootstrap process wants us to create a "public frontend" for our service. `zrok` uses public frontends to allow users to specify where they would like public traffic to ingress from.
The `zrok admin create frontend` command requires a running `zrok` controller, so let's start that up first:
2023-01-19 15:53:28 +01:00
```bash
$ zrok controller etc/ctrl.yml
2022-12-07 19:58:05 +01:00
[ 0.003] INFO main.(*controllerCommand).run: {
...
}
[ 0.016] INFO zrok/controller.inspectZiti: inspecting ziti controller configuration
[ 0.048] INFO zrok/controller.findZrokProxyConfigType: found 'zrok.proxy.v1' config type with id '33CyjNbIepkXHN5VzGDA8L'
[ 0.048] INFO zrok/controller/store.Open: database connected
[ 0.048] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations
[ 0.049] INFO zrok/controller.(*metricsAgent).run: starting
[ 0.064] INFO zrok/rest_server_zrok.setupGlobalMiddleware: configuring
[ 0.064] INFO zrok/ui.StaticBuilder: building
[ 0.065] INFO zrok/rest_server_zrok.(*Server).Logf: Serving zrok at http://[::]:18080
[ 0.085] INFO zrok/controller.(*metricsAgent).listen: started
```
2023-01-19 15:53:28 +01:00
With our `ZROK_ADMIN_TOKEN` and `ZROK_API_ENDPOINT` environment variables set, we can create our public frontend like this:
2022-12-07 19:58:05 +01:00
2023-01-19 15:53:28 +01:00
```bash
$ zrok admin create frontend sqJRAINSiB public http://{token}.zrok.quigley.com:8080
2022-12-07 19:58:05 +01:00
[ 0.037] INFO main.(*adminCreateFrontendCommand).run: created global public frontend 'WEirJNHVlcW9'
```
Now our `zrok` controller is fully configured.
2023-01-19 15:53:28 +01:00
## Configure the Public Frontend
Create `etc/http-frontend.yml`. You must reiterate the pattern you expressed in the public frontend URL template as a `host_match` pattern, and you may change the default address where the frontend will listen for public access requests. The frontend does not provide server TLS, but you may front the server with a reverse proxy. It is essential the reverse proxy forwards the `Host` header supplied by the viewer. This example will expose the non-TLS listener for the frontend.
2023-01-19 15:53:28 +01:00
```yaml
host_match: zrok.quigley.com
address: 0.0.0.0:8080
```
2022-12-07 19:58:05 +01:00
## Start Public Frontend
In another terminal window, run:
2023-01-19 15:53:28 +01:00
```bash
$ zrok access public etc/http-frontend.yml
2022-12-07 19:58:05 +01:00
[ 0.002] INFO main.(*accessPublicCommand).run: {
...
}
[ 0.002] INFO zrok/endpoints/public_frontend.newMetricsAgent: loaded 'frontend' identity
```
This process uses the `frontend` identity created during the bootstrap process to provide public access for the `zrok` deployment. It is expected that the configured listener for this `frontend` corresponds to the DNS template specified when creating the public frontend record above.
## Invite Yourself
2023-01-19 15:53:28 +01:00
```bash
2022-12-07 19:58:05 +01:00
$ zrok invite
New Email: user@domain.com
Confirm Email: user@domain.com
invitation sent to 'user@domain.com'!
2022-12-07 19:58:05 +01:00
```
If you look at the console output from your `zrok` controller, you'll see a message like this:
```
[ 238.168] INFO zrok/controller.(*inviteHandler).Handle: account request for 'user@domain.com' has registration token 'U2Ewt1UCn3ql'
2022-12-07 19:58:05 +01:00
```
You can access your `zrok` controller's registration UI by pointing a web browser at:
```
http://localhost:18080/register/U2Ewt1UCn3ql
```
The UI will ask you to set a password for your new account. Go ahead and do that.
After doing that, I see the following output in my controller console:
```
[ 516.778] INFO zrok/controller.(*registerHandler).Handle: created account 'user@domain.com' with token 'SuGzRPjVDIcF'
2022-12-07 19:58:05 +01:00
```
Keep track of the token listed above (`SuGzRPjVDIcF`). We'll use this to enable our shell for this `zrok` deployment.
## Enable Your Shell
```bash
$ zrok enable SuGzRPjVDIcF
zrok environment '2AS1WZ3Sz' enabled for 'SuGzRPjVDIcF'
```
2023-01-19 04:44:01 +01:00
Congratulations. You have a working `zrok` environment!