extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2024-11-22 08:03:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #505 from openziti/docker-minimal

Browse Source 
add self-hosted Docker zrok-instance
This commit is contained in:
Kenneth Bingham 2024-04-30 16:57:18 -04:00 committed by GitHub
commit 67b8dcb41c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with 828 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -2,6 +2,8 @@
## v0.4.28
FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
CHANGE: the Docker sharing guides were simplified and expanded

2
docker/compose/zrok-instance/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
/.env
/compose.yml

31
docker/compose/zrok-instance/Caddyfile Normal file
View File

@ -0,0 +1,31 @@
{
email {$CADDY_ACME_EMAIL}
acme_ca {$CADDY_ACME_API}
admin 0.0.0.0:2019
}
http:// {
redir https://{host}{uri} permanent
}
*.{$ZROK_DNS_ZONE} {
tls {
dns {$CADDY_DNS_PLUGIN} {$CADDY_DNS_PLUGIN_TOKEN}
}
log {
output stdout
format console
level DEBUG
}
@oauth host oauth.{$ZROK_DNS_ZONE}
reverse_proxy @oauth zrok-frontend:{$ZROK_OAUTH_PORT}
@ctrl host zrok.{$ZROK_DNS_ZONE}
reverse_proxy @ctrl zrok-controller:{$ZROK_CTRL_PORT}
reverse_proxy zrok-frontend:{$ZROK_FRONTEND_PORT} {
header_up Host {http.request.host}
}
}

231
docker/compose/zrok-instance/README.md Normal file
View File

@ -0,0 +1,231 @@
## Docker Quickstart
### DNS Configuration
The quickstart makes these assumptions about your global DNS configuration.
1. A Caddy DNS plugin is available for your DNS provider (see [github.com/caddy-dns](https://github.com/orgs/caddy-dns/repositories?type=all&q=sort%3Aname-asc))
1. You have designated A DNS zone for zrok, e.g. `example.com` or `share.example.com` and created (and delegated, if necessary) the zone on your DNS provider's platform.
1. A wildcard record exists for the IP address where the zrok instance will run, e.g. if your DNS zone is `share.example.com`, then your wildcard record is `*.share.example.com`.
1. You have created an API token in your DNS provider's platform and the token has permission to create DNS records in the DNS zone.
### Create the Docker Compose Project
Create a working directory on your Docker host and save these Docker Compose project files. A OpenZiti network is provided by the "quickstart" container and is managed exclusively by zrok.
#### Shortcut option
1. Run this script to download the files.
```bash
curl https://get.openziti.io/zrok-docker/fetch.bash | bash
```
Optionally, customize the install path instead of using the current directory.
```bash
curl https://get.openziti.io/zrok-docker/fetch.bash | bash -s /path/to/install
```
#### Do it Yourself
1. Fetch the ziti quickstart Compose file.
```bash
wget https://get.openziti.io/dock/all-in-one/compose.yml
```
1. Get the zrok repo ZIP file.
```bash
wget https://github.com/openziti/zrok/archive/refs/heads/main.zip
```
1. Unzip the zrok-instance files into the project directory.
```bash
unzip -j -d . main.zip '*/docker/compose/zrok-instance/*'
```
### Configure the Docker Compose Project Environment
Create an `.env` file in the working directory.
```bash title=".env required"
ZROK_DNS_ZONE=share.example.com
CADDY_DNS_PLUGIN=cloudflare
CADDY_DNS_PLUGIN_TOKEN=abcd1234
CADDY_ACME_EMAIL=me@example.com
# this must == ziti.${ZROK_DNS_ZONE}
ZITI_CTRL_ADVERTISED_ADDRESS=ziti.share.example.com
ZITI_PWD=zitiadminpw
ZROK_ADMIN_TOKEN=zroktoken
ZROK_USER_PWD=zrokuserpw
```
```bash title=".env options"
ZITI_CTRL_ADVERTISED_PORT=1280
ZITI_ROUTER_PORT=3022
# configure oauth for public shares
ZROK_OAUTH_HASH_KEY=oauthhashkeysecret
ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234
ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234
ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234
ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234
# use the staging API until you're sure everything is working to avoid hitting the main CA's rate limit
CADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory
```
### Start the Docker Compose Project
1. Start the ziti network. This runs `ziti edge quickstart` ([link to readme](https://github.com/openziti/ziti/tree/main/quickstart/docker/all-in-one#readme)).
```bash
docker compose --profile ziti up --detach
```
1. Start the zrok instance.
The container images for zrok (including caddy) are built in this step. This provides a simple configuration to get started. You can modify the templates named like `*.envsubst` or mount a customized configuration file to mask the one that was built in.
```bash
docker compose --profile zrok up --build --detach
```
### Set up a User Account
This step creates a user account. You will log in to the zrok web console with the account password created in this step. The CADDY_ACME_EMAIL and ZROK_USER_PWD variables are set in the `.env` file. You can create more user accounts the same way by substituting a different email and password.
```bash
docker compose exec zrok-controller bash -xc 'zrok admin create account /etc/zrok-controller/config.yml ${CADDY_ACME_EMAIL} ${ZROK_USER_PWD}'
```
```buttonless title="Example output"
+ zrok admin create account /etc/zrok-controller/config.yml me@example.com zrokuserpw
[ 0.000] INFO zrok/controller/store.Open: database connected
[ 0.002] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations
heMqncCyxZcx
```
### Enable the User Environment
You must enable each device environment with the account token obtained when the account was created. This is separate from the account password that's used to log in to the web console.
Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment.
1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`.
```bash
zrok config set apiEndpoint https://zrok.share.example.com
```
1. Enable an environment on this device with the account token from the previous step.
```bash
zrok enable heMqncCyxZcx
```
### Firewall Configuration
The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface.
#### Required
1. `443/tcp` - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container `caddy`)
1. `1280/tcp` - ziti ctrl plane (published by container `quickstart`)
1. `3022/tcp` - ziti data plane (published by container `quickstart`)
#### Optional
1. `80/tcp` - reverse proxy redirects non-HTTPS requests to `443/tcp` (published by container `caddy`)
<!-- 1. 443/udp used by Caddy for HTTP/3 QUIC protocol (published by container `caddy`) -->
### Troubleshooting
1. Check the ziti and zrok logs.
You can substitute the service container name of each to check their logs individually: `quickstart` (ziti container), `zrok-controller`, `zrok-frontend`.
```bash
docker compose logs zrok-controller
```
1. Check the caddy logs.
It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the `.env` file, which must have permission to create DNS records in the zrok DNS zone.
```bash
docker compose logs caddy
```
1. `zrok enable` fails certificate verification: ensure you are not using the staging API for Let's Encrypt.
If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the `CADDY_ACME_API` variable.
```buttonless title="Example output"
there was a problem enabling your environment!
you are trying to use the zrok service at: https://zrok.share.example.com
you can change your zrok service endpoint using this command:
$ zrok config set apiEndpoint <newEndpoint>
(where newEndpoint is something like: https://some.zrok.io)
[ERROR]: error creating service client (error getting version from api endpoint 'https://zrok.share.example.com': Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority: Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority)
```
1. Validate the Caddyfile.
```bash
docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile
```
1. Verify the correct DNS provider module was built-in to Caddy.
```bash
docker compose exec caddy caddy list-modules | grep dns.providers
```
```buttonless title="Example output"
dns.providers.cloudflare
```
1. Verify certificates.
You can check the certificates that Caddy has obtained.
```bash
docker compose exec caddy caddy list-certificates
```
1. Use the Caddy admin API.
You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker Compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
```bash
docker compose exec caddy curl http://localhost:2019/config/ | jq
```
1. My provider, e.g., Route53 doesn't give me a single API token.
As long as your DNS provider is supported by Caddy then it will work. You can modify the Caddyfile to use a different set of properties than the example. Here's how the `tls` section should look for Route53.
```json
tls {
dns {$CADDY_DNS_PLUGIN} {
access_key_id {$AWS_ACCESS_KEY_ID}
secret_access_key {$AWS_SECRET_ACCESS_KEY}
}
}
```
```bash title=".env"
CADDY_DNS_PLUGIN=route53
AWS_ACCESS_KEY_ID=abcd1234
AWS_SECRET_ACCESS_KEY=abcd1234
```

23
docker/compose/zrok-instance/bootstrap-controller.bash Executable file
View File

@ -0,0 +1,23 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
for arg in "${@}"; do
if [[ ! "${arg}" =~ ^- && -s "${arg}" ]]; then
CONFIG="${arg}"
break
fi
done
if [[ -z "${CONFIG}" ]]; then
echo "ERROR: args '${*}' do not contain a non-empty config file" >&2
exit 1
fi
# config.yml is first param
zrok admin bootstrap --skip-frontend "${CONFIG}"
exec "$@"

116
docker/compose/zrok-instance/bootstrap-frontend.bash Executable file
View File

@ -0,0 +1,116 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace
getZitiPublicFrontend(){
local RETURNED
local -A FIELDS
FIELDS[all]=0
FIELDS[zid]=1
FIELDS[name]=2
FIELDS[type]=3
FIELDS[attributes]=4
FIELDS[policy]=5
if (( $# )); then
RETURNED="$1"
shift
else
RETURNED="all"
fi
if (( $# )); then
echo "WARN: ignoring unexpected parameters: $*" >&2
fi
if [[ -z "${FIELDS[$RETURNED]}" ]]; then
echo "ERROR: invalid return field $RETURNED" >&2
return 1
fi
ziti edge list identities 'name="public"' --csv \
| awk -F, '$'${FIELDS[name]}'=="public" {print $'${FIELDS[$RETURNED]}';}'
}
getZrokPublicFrontend(){
local RETURNED
local -A FIELDS
FIELDS[all]=0
FIELDS[token]=1
FIELDS[zid]=2
FIELDS[name]=3
FIELDS[template]=4
FIELDS[created]=5
FIELDS[updated]=6
if (( $# )); then
RETURNED="$1"
shift
else
RETURNED="all"
fi
if (( $# )); then
echo "WARN: ignoring unexpected parameters: $*" >&2
fi
if [[ -z "${FIELDS[$RETURNED]}" ]]; then
echo "ERROR: invalid return field $RETURNED" >&2
return 1
fi
# strip ANSI sequences and return the first position from the line with a name exactly matching "public"
zrok admin list frontends | sed 's/\x1b\[[0-9;]*m//g' \
| awk '$'${FIELDS[name]}'=="public" {print $'${FIELDS[$RETURNED]}'}'
}
ziti edge login "https://ziti.${ZROK_DNS_ZONE}:${ZITI_CTRL_ADVERTISED_PORT}" \
--username admin \
--password "${ZITI_PWD}" \
--yes
if ! [[ -s ~/.zrok/identities/public.json ]]; then
mkdir -p ~/.zrok/identities
ziti edge create identity "public" --jwt-output-file /tmp/public.jwt
ziti edge enroll --jwt /tmp/public.jwt --out ~/.zrok/identities/public.json
fi
# find Ziti ID of default "public" frontend
ZITI_PUBLIC_ID="$(getZitiPublicFrontend zid)"
until [[ -n "${ZITI_PUBLIC_ID}" ]]; do
echo "DEBUG: waiting for default frontend "public" Ziti identity to be created"
sleep 3
ZITI_PUBLIC_ID="$(getZitiPublicFrontend zid)"
done
echo "DEBUG: 'public' ZITI_PUBLIC_ID=$ZITI_PUBLIC_ID"
until curl -sSf "${ZROK_API_ENDPOINT}/api/v1/version"; do
echo "DEBUG: waiting for zrok controller API version endpoint to respond"
sleep 3
done
# if default "public" frontend already exists
ZROK_PUBLIC_TOKEN=$(getZrokPublicFrontend token)
if [[ -n "${ZROK_PUBLIC_TOKEN}" ]]; then
# ensure the Ziti ID of the public frontend's identity is the same in Ziti and zrok
ZROK_PUBLIC_ZID=$(getZrokPublicFrontend zid)
if [[ "${ZITI_PUBLIC_ID}" != "${ZROK_PUBLIC_ZID}" ]]; then
echo "ERROR: existing Ziti Identity named 'public' with id '$ZITI_PUBLIC_ID' is from a previous zrok"\
"instance life cycle. Delete it then re-run zrok." >&2
exit 1
fi
echo "INFO: updating frontend"
zrok admin update frontend "${ZROK_PUBLIC_TOKEN}" \
--url-template "https://{token}.${ZROK_DNS_ZONE}"
else
echo "INFO: creating frontend"
zrok admin create frontend "${ZITI_PUBLIC_ID}" public \
"https://{token}.${ZROK_DNS_ZONE}"
fi
exec "${@}"

19
docker/compose/zrok-instance/caddy.Dockerfile Normal file
View File

@ -0,0 +1,19 @@
# Use the official Caddy image as a parent image
FROM caddy:2-builder AS builder
# e.g., "github.com/caddy-dns/digitalocean"
ARG CADDY_DNS_PLUGIN
# Build Caddy with the specified DNS provider plugin
RUN xcaddy build \
--with github.com/caddy-dns/${CADDY_DNS_PLUGIN}
# Use the official Caddy image to create the final image
FROM caddy:2
# install curl to support using the Caddy API
RUN apk add --no-cache curl
# Copy the custom Caddy build into the final image
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./Caddyfile /etc/caddy/Caddyfile

137
docker/compose/zrok-instance/compose.override.yml Normal file
View File

@ -0,0 +1,137 @@
# this compose file is designed to merge with the ziti all-in-one quickstart compose file by renaming
# https://get.openziti.io/dock/all-in-one/compose.yml to compose.override.yml
services:
zrok-permissions:
image: busybox
command:
- /bin/sh
- -euxc
- |
chown -Rc ${ZIGGY_UID:-2171} /var/lib/zrok-*;
chmod -Rc ug=rwX,o-rwx /var/lib/zrok-*;
volumes:
- zrok_ctrl:/var/lib/zrok-controller
- zrok_frontend:/var/lib/zrok-frontend
zrok-controller:
profiles:
- zrok
depends_on:
zrok-permissions:
condition: service_completed_successfully
build:
context: .
dockerfile: ./zrok-controller.Dockerfile
args:
ZROK_CLI_IMAGE: ${ZROK_CLI_IMAGE:-openziti/zrok}
ZROK_CLI_TAG: ${ZROK_CLI_TAG:-latest}
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280}
ZROK_ADMIN_TOKEN: ${ZROK_ADMIN_TOKEN} # zrok controller admin password
ZROK_CTRL_PORT: ${ZROK_CTRL_PORT:-18080}
ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
user: ${ZIGGY_UID:-2171}
command: zrok controller /etc/zrok-controller/config.yml --verbose
volumes:
- zrok_ctrl:/var/lib/zrok-controller
networks:
quickstart:
aliases:
- zrok.${ZROK_DNS_ZONE}
restart: unless-stopped
expose:
- ${ZROK_CTRL_PORT:-18080} # (not published)
# Caddy's published ports provide a TLS reverse proxy for the zrok controller
# ports:
# - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
environment:
ZROK_USER_PWD: ${ZROK_USER_PWD} # admin account password (initial user account)
CADDY_ACME_EMAIL: ${CADDY_ACME_EMAIL} # login email address (initial user account)
zrok-frontend:
profiles:
- zrok
depends_on:
zrok-permissions:
condition: service_completed_successfully
build:
context: .
dockerfile: zrok-frontend.Dockerfile
args:
ZROK_CLI_IMAGE: ${ZROK_CLI_IMAGE:-openziti/zrok}
ZROK_CLI_TAG: ${ZROK_CLI_TAG:-latest}
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY-noop}
ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop}
ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop}
ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop}
ZROK_OAUTH_GITHUB_CLIENT_SECRET: ${ZROK_OAUTH_GITHUB_CLIENT_SECRET:-noop}
user: ${ZIGGY_UID:-2171}
command: zrok access public /etc/zrok-frontend/config.yml --verbose
volumes:
- zrok_frontend:/var/lib/zrok-frontend
networks:
quickstart:
restart: unless-stopped
expose:
- ${ZROK_FRONTEND_PORT:-8080} # (not published)
- ${ZROK_OAUTH_PORT:-8081} # (not published)
# ports:
# - 127.0.0.1:${ZROK_FRONTEND_PORT:-8080}:${ZROK_FRONTEND_PORT:-8080}
# - 127.0.0.1:${ZROK_OAUTH_PORT:-8081}:${ZROK_OAUTH_PORT:-8081}
environment:
HOME: /var/lib/zrok-frontend
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZROK_ADMIN_TOKEN: ${ZROK_ADMIN_TOKEN} # zrok controller admin password
ZROK_API_ENDPOINT: http://zrok-controller:${ZROK_CTRL_PORT:-18080} # bridge address of the zrok controller
ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280}
ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
caddy:
profiles:
- zrok
build:
context: .
dockerfile: ./caddy.Dockerfile
args:
CADDY_DNS_PLUGIN: ${CADDY_DNS_PLUGIN} # e.g., "digitalocean" (see github.com/caddy-dns)
restart: unless-stopped
environment:
CADDY_DNS_PLUGIN: ${CADDY_DNS_PLUGIN} # e.g., "digitalocean" (see github.com/caddy-dns)
CADDY_DNS_PLUGIN_TOKEN: ${CADDY_DNS_PLUGIN_TOKEN} # API token from DNS provider used by plugin to solve the ACME challenge
CADDY_ACME_EMAIL: ${CADDY_ACME_EMAIL} # email address sent to CA for ACME account and renewal notifications
CADDY_ACME_API: ${CADDY_ACME_API:-https://acme-v02.api.letsencrypt.org/directory} # ACME API endpoint
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZROK_CTRL_PORT: ${ZROK_CTRL_PORT:-18080}
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
expose:
- 80/tcp
- 443/tcp
- 443/udp # Caddy's HTTP/3 (QUIC) (not published)
- 2019/tcp # Caddy's admin API (not published)
ports:
- ${CADDY_INTERFACE:-0.0.0.0}:80:80
- ${CADDY_INTERFACE:-0.0.0.0}:443:443
# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
volumes:
- caddy_data:/data
- caddy_config:/config
networks:
quickstart:
quickstart:
profiles:
- ziti
quickstart-check:
profiles:
- ziti
volumes:
caddy_data:
caddy_config:
zrok_ctrl:
zrok_frontend:

42
docker/compose/zrok-instance/envsubst.bash Executable file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
# Read the shell-format template from stdin
TEMPLATE=$(cat)
# consume args as default values from a file or a list of shell commands
while (( $# )); do
if [ -s "$1" ]; then
# Read the default values from the file
# shellcheck disable=SC1090
source "$1"
else
# Use the argument as a shell command
eval "$1"
fi
shift
done
if [ -z "$TEMPLATE" ]; then
echo "Error: no template provided on stdin" >&2
exit 1
fi
# obtain the list of required variables
read -ra VARIABLES <<< "$(envsubst "$TEMPLATE" --variables)"
# Check that all required variables are set
for var in "${VARIABLES[@]}"; do
if [ -z "${!var:-}" ]; then
echo "Error: $var is null" >&2
exit 1
else
export "${var?}"
fi
done
# Render the template to stdout
envsubst <<< "$TEMPLATE"

86
docker/compose/zrok-instance/fetch.bash Executable file
View File

@ -0,0 +1,86 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
requireBashVersion() {
if (( "${BASH_VERSION%%.*}" < 4 )); then
echo "This script requires Bash major version 4 or greater."
echo "Detected version: $BASH_VERSION"
exit 1;
fi
}
fetchFile() {
local url="${1}"
local path="${2}"
if [[ -s "$path" ]]; then
echo "ERROR: file already exists: $path" >&2
return 1
fi
if { command -v curl > /dev/null; } 2>&1; then
curl -fLsS --output "${path}" "${url}"
elif { command -v wget > /dev/null; } 2>&1; then
wget --output-document "${path}" "${url}"
else
echo "ERROR: need one of curl or wget to fetch the artifact." >&2
return 1
fi
}
requireCommand() {
if ! command -v "$1" &>/dev/null; then
logError "this script requires command '$1'. Please install on the search PATH and try again."
$1
fi
}
setWorkingDir() {
workdir="${1}"
cd "${workdir}"
# Count non-hidden files
non_hidden_files=$(find . -maxdepth 1 -not -name '.*' | wc -l)
# Count hidden files
if ls -ld .[^.]* 2> /dev/null; then
hidden_files=0
for file in .[^.]*; do
if [[ -f "$file" ]]; then
hidden_files=$((hidden_files + 1))
fi
done
else
hidden_files=0
fi
# Calculate total number of files
total_files=$((non_hidden_files + hidden_files))
if (( total_files > 0 )); then
echo "WARN: working directory is not empty: ${workdir}" >&2
return 1
fi
}
main() {
requireBashVersion
declare -a BINS=(unzip find)
for BIN in "${BINS[@]}"; do
requireCommand "$BIN"
done
setWorkingDir "${1:-$PWD}" || {
echo "WARN: installing anyway in a few seconds...press Ctrl-C to abort" >&2
sleep 9
}
fetchFile "${ZITI_QUICK_COMPOSE:-"https://get.openziti.io/dock/all-in-one/compose.yml"}" "compose.yml"
fetchFile "${ZROK_REPO_ZIP:-"https://github.com/openziti/zrok/archive/refs/heads/main.zip"}" "zrok.zip"
unzip -j -d . zrok.zip '*/docker/compose/zrok-instance/*'
rm zrok.zip .gitignore fetch.bash
}
main "${@}"

25
docker/compose/zrok-instance/zrok-controller-config.yml.envsubst Normal file
View File

@ -0,0 +1,25 @@
# _____ __ ___ | | __
# |_ / '__/ _ \| |/ /
# / /| | | (_) | <
# /___|_| \___/|_|\_\
# controller configuration
v: 3
admin:
# generate these admin tokens from a source of randomness, e.g.
# LC_ALL=C tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c32
secrets:
- ${ZROK_ADMIN_TOKEN}
endpoint:
host: 0.0.0.0
port: ${ZROK_CTRL_PORT}
invites:
invites_open: true
token_strategy: store
store:
path: /var/lib/zrok-controller/sqlite3.db
type: sqlite3
ziti:
api_endpoint: https://ziti.${ZROK_DNS_ZONE}:${ZITI_CTRL_ADVERTISED_PORT}/edge/management/v1
username: admin
password: ${ZITI_PWD}

37
docker/compose/zrok-instance/zrok-controller.Dockerfile Normal file
View File

@ -0,0 +1,37 @@
ARG ZROK_CLI_TAG=latest
ARG ZROK_CLI_IMAGE=openziti/zrok
FROM ${ZROK_CLI_IMAGE}:${ZROK_CLI_TAG}
# set up image as root
USER root
# install envsubst
RUN INSTALL_PKGS="gettext" && \
microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \
microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS}
ARG ZROK_DNS_ZONE
ARG ZROK_ADMIN_TOKEN
ARG ZROK_CTRL_PORT
ARG ZITI_CTRL_ADVERTISED_PORT
ARG ZITI_PWD
# render zrok controller config.yml
COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-controller.bash
COPY ./zrok-controller-config.yml.envsubst /tmp/
RUN mkdir -p /etc/zrok-controller/
RUN envsubst.bash \
ZROK_DNS_ZONE=${ZROK_DNS_ZONE} \
ZROK_ADMIN_TOKEN=${ZROK_ADMIN_TOKEN} \
ZROK_CTRL_PORT=${ZROK_CTRL_PORT} \
ZITI_CTRL_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT} \
ZITI_PWD=${ZITI_PWD} \
< /tmp/zrok-controller-config.yml.envsubst > /etc/zrok-controller/config.yml
# run as ziggy (or ZIGGY_UID if set in compose project)
USER ziggy
ENV HOME=/var/lib/zrok-controller
WORKDIR /var/lib/zrok-controller
ENTRYPOINT ["bootstrap-controller.bash"]

18
docker/compose/zrok-instance/zrok-frontend-config.yml.envsubst Normal file
View File

@ -0,0 +1,18 @@
v: 3
host_match: ${ZROK_DNS_ZONE}
address: 0.0.0.0:${ZROK_FRONTEND_PORT}
# delete if not using oauth for public shares
oauth:
bind_address: 0.0.0.0:${ZROK_OAUTH_PORT}
redirect_url: https://oauth.${ZROK_DNS_ZONE}
cookie_domain: ${ZROK_DNS_ZONE}
hash_key: ${ZROK_OAUTH_HASH_KEY}
providers:
- name: github
client_id: ${ZROK_OAUTH_GITHUB_CLIENT_ID}
client_secret: ${ZROK_OAUTH_GITHUB_CLIENT_SECRET}
- name: google
client_id: ${ZROK_OAUTH_GOOGLE_CLIENT_ID}
client_secret: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET}

43
docker/compose/zrok-instance/zrok-frontend.Dockerfile Normal file
View File

@ -0,0 +1,43 @@
ARG ZROK_CLI_TAG=latest
ARG ZROK_CLI_IMAGE=openziti/zrok
FROM ${ZROK_CLI_IMAGE}:${ZROK_CLI_TAG}
# set up image as root
USER root
# install envsubst
RUN INSTALL_PKGS="gettext" && \
microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \
microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS}
ARG ZROK_DNS_ZONE
ARG ZROK_FRONTEND_PORT
ARG ZROK_OAUTH_PORT
ARG ZROK_OAUTH_HASH_KEY
ARG ZROK_OAUTH_GOOGLE_CLIENT_ID
ARG ZROK_OAUTH_GOOGLE_CLIENT_SECRET
ARG ZROK_OAUTH_GITHUB_CLIENT_ID
ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET
# render zrok frontend config.yml
COPY ./envsubst.bash ./bootstrap-frontend.bash /usr/local/bin/
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-frontend.bash
COPY ./zrok-frontend-config.yml.envsubst /tmp/
RUN mkdir -p /etc/zrok-frontend/
RUN envsubst.bash \
ZROK_DNS_ZONE=${ZROK_DNS_ZONE} \
ZROK_FRONTEND_PORT=${ZROK_FRONTEND_PORT} \
ZROK_OAUTH_PORT=${ZROK_OAUTH_PORT} \
ZROK_OAUTH_HASH_KEY=${ZROK_OAUTH_HASH_KEY} \
ZROK_OAUTH_GOOGLE_CLIENT_ID=${ZROK_OAUTH_GOOGLE_CLIENT_ID} \
ZROK_OAUTH_GOOGLE_CLIENT_SECRET=${ZROK_OAUTH_GOOGLE_CLIENT_SECRET} \
ZROK_OAUTH_GITHUB_CLIENT_ID=${ZROK_OAUTH_GITHUB_CLIENT_ID} \
ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \
< /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml
# run as ziggy (or ZIGGY_UID if set in compose project)
USER ziggy
ENV HOME=/var/lib/zrok-frontend
WORKDIR /var/lib/zrok-frontend
ENTRYPOINT ["bootstrap-frontend.bash"]

8
docker/images/zrok/Dockerfile
View File

@ -20,16 +20,12 @@ LABEL name="openziti/zrok" \
USER root
### install packages: findutils provides xargs which is used by the zrok Helm chart's controller bootstrapping script to
#create the default account enable token
RUN INSTALL_PKGS="findutils" && \
microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \
microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS}
### add licenses to this directory
RUN mkdir -p -m0755 /licenses
COPY ./LICENSE /licenses/apache.txt
ENV PFXLOG_NO_JSON=true
RUN mkdir -p /usr/local/bin
COPY ${ARTIFACTS_DIR}/${TARGETARCH}/${TARGETOS}/zrok \
./nfpm/zrok-enable.bash \

9
docs/guides/self-hosting/docker.mdx Normal file
View File

@ -0,0 +1,9 @@
---
title: Self-hosting guide for Docker
sidebar_label: Docker
sidebar_position: 45
---
import DockerInstance from '/../docker/compose/zrok-instance/README.md'
<DockerInstance />

7
docs/guides/self-hosting/linux.mdx
View File

@ -181,10 +181,9 @@ $ zrok admin create frontend sqJRAINSiB public http://{token}.zrok.quigley.com:8
The id of the frontend was emitted earlier in by the zrok controller when we ran the bootstrap command. If you don't have that log message the you can find the id again with the `ziti` CLI like this:
```bash
# initialize the Ziti quickstart env
source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env
# login as admin
zitiLogin
# log in as admin (example)
ziti edge login localhost:1280 -u admin -p XO0xHp75uuyeireO2xmmVlK91T7B9fpD
# list Ziti identities created by the quickstart and bootstrap
ziti edge list identities
```

2
website/vercel.json
View File

@ -6,5 +6,5 @@
},
"cleanUrls": false,
"public": true,
"ignoreCommand": "grep -qE '^(gh-pages)$' <<< ${VERCEL_GIT_COMMIT_REF} || git diff --quiet HEAD^ HEAD -- ../website/ ../docs/"
"ignoreCommand": "grep -qE '^(gh-pages)$' <<< ${VERCEL_GIT_COMMIT_REF} || git diff --quiet HEAD^ HEAD -- ../website/ ../docs/ ../**/*.md"
}