fix and dry docker share

2024-12-22 14:50:55 +01:00 · 2023-11-27 21:12:38 -05:00 · 2023-11-27 21:12:38 -05:00 · 980a03c760
commit 980a03c760
parent ce249862e8
6 changed files with 190 additions and 208 deletions
--- a/docker/compose/zrok-private-access/compose.yml
+++ b/docker/compose/zrok-private-access/compose.yml
@ -7,28 +7,20 @@ services:
    volumes:
      - zrok_env:/mnt/.zrok

+  # enable zrok environment
  zrok-enable:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
    depends_on:
      zrok-init:
        condition: service_completed_successfully
-    entrypoint:
-      - bash
-      - -euc
-      - |
-        if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
-          echo "INFO: zrok environment is already enabled"
-          exit 0
-        else
-          zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
-          echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
-          exec zrok "$${@}"
-        fi
-    command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private access}" ${ZROK_ENABLE_TOKEN}
+    entrypoint: zrok-enable.bash
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
    environment:
-      HOME: /mnt
+      STATE_DIRECTORY: /mnt
+      ZROK_ENABLE_TOKEN:
+      ZROK_API_ENDPOINT:
+      ZROK_ENVIRONMENT_NAME: docker-private-access

  zrok-access:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
@ -39,7 +31,7 @@ services:
    ports:
      - 9191:9191  # expose the zrok private access proxy to the Docker host
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
    environment:
      HOME: /mnt
      PFXLOG_NO_JSON: "true"
--- a/docker/compose/zrok-private-share/compose.yml
+++ b/docker/compose/zrok-private-share/compose.yml
@ -7,42 +7,41 @@ services:
    volumes:
      - zrok_env:/mnt/.zrok

+  # enable zrok environment
  zrok-enable:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
    depends_on:
      zrok-init:
        condition: service_completed_successfully
-    entrypoint:
-      - bash
-      - -euc
-      - |
-        if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
-          echo "INFO: zrok environment is already enabled"
-          exit 0
-        else
-          zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
-          echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
-          exec zrok "$${@}"
-        fi
-    command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private share}" ${ZROK_ENABLE_TOKEN}
+    entrypoint: zrok-enable.bash
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
    environment:
-      HOME: /mnt
+      STATE_DIRECTORY: /mnt
+      ZROK_ENABLE_TOKEN:
+      ZROK_API_ENDPOINT:
+      ZROK_ENVIRONMENT_NAME: docker-private-share

  zrok-share:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
-    command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/} 
+    entrypoint:
+    - bash
+    - -euxc
+    - |
+      echo "DEBUG: HOME=$${HOME}"
+      ls -lA /mnt/.zrok/
+      exec zrok $${@}
+    command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/} 
    depends_on:
      zrok-enable:
        condition: service_completed_successfully
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
    environment:
      HOME: /mnt
      PFXLOG_NO_JSON: "true"

-  # demo servers you can share with zrok
+  # demo server you can share with zrok
  zrok-test:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
    command: test endpoint --address 0.0.0.0  # 9090
--- a/docker/compose/zrok-public-reserved/compose.yml
+++ b/docker/compose/zrok-public-reserved/compose.yml
@ -1,46 +1,7 @@
 services:
-  # create Caddyfile
-  zrok-caddyfile:
-    image: busybox
-    # create Caddyfile
-    entrypoint:
-      - sh
-      - -euc
-      - |
-        ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}"
-        ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
-        mkdir -p /mnt/.zrok
-        cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
-        {
-          # GET /config/ and POST /load on this API to reload Caddy config
-          admin 0.0.0.0:2019
-        }
-        http:// {
-          bind {{ .ZrokBindAddress }}
-          handle_path /zrok-test/* {
-              reverse_proxy http://zrok-test:9090 {
-                  header_up Host zrok-test
-              }
-          }
-          handle_path /zrok-static/* {
-            root * /mnt/.zrok/html
-            file_server browse
-          }
-          reverse_proxy /* $${ZROK_UPSTREAM_URL} {
-              header_up Host $${ZROK_UPSTREAM_HOST}
-          }
-        }
-        CADDYFILE
-    user: root
-    volumes:
-      - zrok_env:/mnt
-
  # set file ownership
  zrok-init:
    image: busybox
-    depends_on:
-      zrok-caddyfile:
-        condition: service_completed_successfully
    # matches uid:gid of "nobody" in zrok container image
    command: chown -Rc 65534:65534 /mnt/
    user: root
@ -60,27 +21,34 @@ services:
      STATE_DIRECTORY: /mnt
      ZROK_ENABLE_TOKEN:
      ZROK_API_ENDPOINT:
-      ZROK_ENVIRONMENT_NAME:
+      ZROK_ENVIRONMENT_NAME: docker-public-reserved

  # reserve zrok frontend subdomain and start sharing the target
  zrok-share:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
-    entrypoint: zrok-share.bash
+    entrypoint: bash -x zrok-share.bash
    depends_on:
      zrok-enable:
        condition: service_completed_successfully
    volumes:
      - zrok_env:/mnt
-    ports: []
-      # - 127.0.0.1:2019:2019  # Caddy admin API
    environment:
-      STATE_DIRECTORY: /mnt
-      PFXLOG_NO_JSON: "true"
-      ZROK_BACKEND_MODE:
-      ZROK_TARGET:
-      ZROK_OAUTH_PROVIDER:
-      ZROK_OATH_EMAILS:
-      ZROK_BASIC_AUTH:
+      # internal configuration
+      STATE_DIRECTORY: /mnt  # zrok homedir in container
+
+      # most relevant options
+      ZROK_BACKEND_MODE: proxy  # web, caddy, drive, proxy
+      ZROK_TARGET: http://zrok-test:9090  # backend target, is a path in container filesystem unless proxy mode
+      ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
+      ZROK_OAUTH_PROVIDER:  # google, github
+      ZROK_OATH_EMAILS:     # allow space-separated list of OAuth email addresses or @domain.tld
+      ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
+
+      # least relevant options
+      ZROK_VERBOSE:           # "--verbose"
+      ZROK_SHARE_OPTS:        # additional arguments to "zrok reserve public" command
+      ZROK_FRONTENDS:         # "public"
+      PFXLOG_NO_JSON: "true"  # suppress JSON logging format

  # demo server
  zrok-test:
--- a/docker/compose/zrok-public-share/compose.yml
+++ b/docker/compose/zrok-public-share/compose.yml
@ -15,52 +15,46 @@ services:
    depends_on:
      zrok-init:
        condition: service_completed_successfully
-    entrypoint:
-      - bash
-      - -euc
-      - |
-        if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
-          echo "INFO: zrok environment is already enabled"
-          exit 0
-        else
-          zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
-          echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
-          exec zrok "$${@}"
-        fi
-    command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker temp public share}" ${ZROK_ENABLE_TOKEN}
+    entrypoint: zrok-enable.bash
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
    environment:
-      HOME: /mnt
+      STATE_DIRECTORY: /mnt
+      ZROK_ENABLE_TOKEN:
+      ZROK_API_ENDPOINT:
+      ZROK_ENVIRONMENT_NAME: docker-public-share

-  # start share on temporary public frontend url
+  # provision a temporary zrok frontend subdomain and start sharing the backend target
  zrok-share:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
-    entrypoint:
-      - bash
-      - -euc
-      - |
-        set -o pipefail
-        ZROK_CMD="share public --headless"
-        if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
-          ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
-        fi
-        if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
-          ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
-        fi
-        ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}"
-        echo "INFO: running: zrok $${ZROK_CMD}"
-        exec zrok $${ZROK_CMD}
+    entrypoint: zrok-share.bash
    depends_on:
      zrok-enable:
        condition: service_completed_successfully
    volumes:
-      - zrok_env:/mnt/.zrok
+      - zrok_env:/mnt
+    ports: []
+      # - 127.0.0.1:2019:2019  # Caddy admin API
    environment:
-      HOME: /mnt
-      PFXLOG_NO_JSON: "true"
+      # internal configuration
+      STATE_DIRECTORY: /mnt  # zrok homedir in container
+      ZROK_FRONTEND_MODE: temp-public  # tells zrok-share.bash to create a temporary subdomain and share until exit

-  # demo servers you can share with zrok
+      # most relevant options
+      ZROK_BACKEND_MODE: proxy  # web, caddy, drive, proxy
+      ZROK_TARGET: http://zrok-test:9090  # backend target, is a path in container filesystem unless proxy mode
+      ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
+      ZROK_OAUTH_PROVIDER:  # google, github
+      ZROK_OATH_EMAILS:     # space-separated list of OAuth email addresses or @domain.tld to allow
+      ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
+
+      # least relevant options
+      ZROK_VERBOSE:           # "--verbose"
+      ZROK_SHARE_OPTS:        # additional arguments to "zrok share public" command
+      ZROK_FRONTENDS:         # "public"
+      PFXLOG_NO_JSON: "true"  # suppress JSON logging format
+
+  # demo server you can share with zrok
  zrok-test:
    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
    command: test endpoint --address 0.0.0.0  # 9090
--- a/nfpm/zrok-enable.bash
+++ b/nfpm/zrok-enable.bash
@ -38,13 +38,14 @@ fi

 if (( $# )); then
  if [[ -s "$1" ]]; then
+    echo "INFO: reading enable parameters from $1"
    source "$1"
  else
    echo "ERROR: \$1="$1" is empty or not a readable file" >&2
    exit 1
  fi
 else
-  echo "WARNING: no env filename argument, trying to read configuration from environment variables" >&2
+  echo "INFO: reading enable parameters from environment variables"
 fi

 if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then
--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@ -7,17 +7,29 @@ set -o errexit
 set -o nounset
 set -o pipefail

+share_reserved(){
+    local token="$1"
+    local target="$2"
+    shift 2
+    local opts="${*:-}"
+    local zrok_cmd="share reserved ${token} --headless ${opts} --override-endpoint ${target}"
+    echo "INFO: running: zrok ${zrok_cmd}"
+    exec zrok ${zrok_cmd}
+}
+
 if ! command -v jq &>/dev/null; then
  echo "ERROR: jq is needed but not installed" >&2
  exit 1
 fi

-# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share
-export HOME="${STATE_DIRECTORY%:*}" 
+# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
+export HOME="${STATE_DIRECTORY%:*}"

 if (( $# )); then
  if [[ -s "$1" ]]; then
+    echo "INFO: reading share configuration from $1"
    source "$1"
+    shift
  else
    echo "ERROR: '$1' is empty or not readable" >&2
    exit 1
@ -30,102 +42,118 @@ else
  #   echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2
  #   exit 1
  # fi
-  echo "WARNING: no environment filename argument, trying to read share configuration from env vars" >&2
+  echo "INFO: reading share configuration from environment variables"
 fi

-if [[ -s ~/.zrok/reserved.json ]]; then
-  ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
+[[ -n "${ZROK_TARGET:-}" ]] || {
+  echo "ERROR: ZROK_TARGET is not defined." >&2
+  exit 1
+}
+
+# default mode is reserved (public), override mode is temp-public, i.e., "share public" without a reserved subdomain
+if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
+  ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
+elif [[ -s ~/.zrok/reserved.json ]]; then
+  ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)"
  if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
    echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2
    exit 1
  else
    echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}"
+    ZITI_CMD="${ZROK_RESERVED_TOKEN} ${ZROK_TARGET}"
+    ZITI_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
+    share_reserved ${ZITI_CMD}
  fi
 else
  ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
-  [[ -n "${ZROK_TARGET:-}" ]] || {
-    echo "ERROR: ZROK_TARGET was not defined in /opt/openziti/etc/zrok/zrok-share.env." >&2
-    exit 1
-  }
-  [[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
-    echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2
-    ZROK_BACKEND_MODE="proxy"
-  }
-  case "${ZROK_BACKEND_MODE}" in
-    proxy)
-      if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then
-        echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
-        exit 1
-      else
-        echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
-      fi
-      ;;
-    caddy)
-      if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
-        echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
-        exit 1
-      elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
-        echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
-        exit 1
-      else
-        echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
-      fi
-      ;;
-    web|drive)
-      if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
-        echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
-        exit 1
-      elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
-        echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
-        exit 1
-      else
-        echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
-      fi
-      ;;
-    *)
-      echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
-            " ZROK_TARGET value will not validated before running." >&2
-      ;;
-  esac
-  ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
-  if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
-    ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
-  fi
-  if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
-    ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
-    if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
-      for EMAIL in ${ZROK_OAUTH_EMAILS}; do
-        ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
-      done
-    fi
-  elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
-    ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}"
-  fi
-  echo "INFO: running: zrok ${ZROK_CMD}"
-  zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
 fi

-if ! [[ -s ~/.zrok/reserved.json ]]; then
-  echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2
-  exit 1
-else
-  ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null)
-  if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then
-    echo "ERROR: frontend endpoints not defined in $(realpath ~/.zrok)/reserved.json" >&2
-    exit 1
-  else 
-    echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}"
-  fi
-  ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
-  if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
-    echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2
-    exit 1
-  fi
-  ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_TARGET}"
-  ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
-  if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
-    ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
-  fi
-  echo "INFO: running: zrok ${ZROK_CMD}"
-  exec zrok ${ZROK_CMD}
+[[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
+  echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2
+  ZROK_BACKEND_MODE="proxy"
+}
+
+case "${ZROK_BACKEND_MODE}" in
+  proxy)
+    if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
+      exit 1
+    else
+      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+    fi
+    ;;
+  caddy)
+    if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+      exit 1
+    elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
+      exit 1
+    else
+      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+    fi
+    ;;
+  web|drive)
+    if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+      exit 1
+    elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
+      exit 1
+    else
+      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+    fi
+    ;;
+  *)
+    echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
+          " ZROK_TARGET value will not validated before running." >&2
+    ;;
+esac
+
+ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
+
+if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
+  ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
+fi
+
+if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
+  ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
+  if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
+    for EMAIL in ${ZROK_OAUTH_EMAILS}; do
+      ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
+    done
+  fi
+elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
+  ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}"
+fi
+
+echo "INFO: running: zrok ${ZROK_CMD}"
+
+if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
+  # share until exit
+  exec zrok ${ZROK_CMD}
+else
+  # reserve and continue
+  zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
+  # share the reserved backend target until exit
+  if ! [[ -s ~/.zrok/reserved.json ]]; then
+    echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2
+    exit 1
+  else
+    ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null)
+    if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then
+      echo "ERROR: frontend endpoints not defined in $(realpath ~/.zrok)/reserved.json" >&2
+      exit 1
+    else
+      echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}"
+    fi
+    ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
+    if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
+      echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2
+      exit 1
+    fi
+    ZROK_CMD="${ZROK_RESERVED_TOKEN} ${ZROK_TARGET}"
+    ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
+    share_reserved ${ZROK_CMD}
+  fi
 fi