fix and dry docker share

Kenneth Bingham 2023-11-27 21:12:38 -05:00
parent ce249862e8
commit 980a03c760
No known key found for this signature in database
GPG Key ID: 31709281860130B6
6 changed files with 190 additions and 208 deletions


@ -7,28 +7,20 @@ services:
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt/.zrok
# enable zrok environment
zrok-enable: zrok-enable:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on: depends_on:
zrok-init: zrok-init:
condition: service_completed_successfully condition: service_completed_successfully
entrypoint: entrypoint: zrok-enable.bash
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private access}" ${ZROK_ENABLE_TOKEN}
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
environment: environment:
HOME: /mnt STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-access
zrok-access: zrok-access:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
@ -39,7 +31,7 @@ services:
ports: ports:
- 9191:9191 # expose the zrok private access proxy to the Docker host - 9191:9191 # expose the zrok private access proxy to the Docker host
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
environment: environment:
HOME: /mnt HOME: /mnt
PFXLOG_NO_JSON: "true" PFXLOG_NO_JSON: "true"
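Review bot: The enable token now reaches the container only through the pass-through `ZROK_ENABLE_TOKEN:` entry instead of the `command:` line, which keeps it out of the process list and `docker ps` output (it remains visible in `docker inspect`), but the redaction the removed inline entrypoint applied before echoing the command (`sed -E "s/${ZROK_ENABLE_TOKEN}/************/"`) no longer exists in this file. zrok-enable.bash, which replaces it, appears in this commit only through its argument-handling hunk, so it should be confirmed to mask the token in any `INFO: running:` line before this lands; the same applies to the zrok-enable services in the other three compose files. A short comment above the block, `# ZROK_ENABLE_TOKEN is read from the host environment; never hard-code it here`, would make the intended handling explicit.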


@ -7,42 +7,41 @@ services:
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt/.zrok
# enable zrok environment
zrok-enable: zrok-enable:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on: depends_on:
zrok-init: zrok-init:
condition: service_completed_successfully condition: service_completed_successfully
entrypoint: entrypoint: zrok-enable.bash
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private share}" ${ZROK_ENABLE_TOKEN}
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
environment: environment:
HOME: /mnt STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-share
zrok-share: zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/} entrypoint:
- bash
- -euxc
- |
echo "DEBUG: HOME=$${HOME}"
ls -lA /mnt/.zrok/
exec zrok $${@}
command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
depends_on: depends_on:
zrok-enable: zrok-enable:
condition: service_completed_successfully condition: service_completed_successfully
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
environment: environment:
HOME: /mnt HOME: /mnt
PFXLOG_NO_JSON: "true" PFXLOG_NO_JSON: "true"
# demo servers you can share with zrok # demo server you can share with zrok
zrok-test: zrok-test:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: test endpoint --address 0.0.0.0 # 9090 command: test endpoint --address 0.0.0.0 # 9090
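Review bot: The new zrok-share entrypoint in this section still carries debugging scaffolding: `-euxc` traces every expanded command into the container log, and the `echo "DEBUG: HOME=$${HOME}"` and `ls -lA /mnt/.zrok/` lines only dump the state directory. The unquoted `exec zrok $${@}` also drops the `"$${@}"` quoting the removed zrok-enable script used, so any argument containing whitespace would be word-split. Suggest `- -euc` and `exec zrok "$${@}"` with the two debug lines removed, or, if the wrapper is not needed, going back to a plain `command: share private ...` as zrok-test does.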


@ -1,46 +1,7 @@
services: services:
# create Caddyfile
zrok-caddyfile:
image: busybox
# create Caddyfile
entrypoint:
- sh
- -euc
- |
ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}"
ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
mkdir -p /mnt/.zrok
cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
{
# GET /config/ and POST /load on this API to reload Caddy config
admin 0.0.0.0:2019
}
http:// {
bind {{ .ZrokBindAddress }}
handle_path /zrok-test/* {
reverse_proxy http://zrok-test:9090 {
header_up Host zrok-test
}
}
handle_path /zrok-static/* {
root * /mnt/.zrok/html
file_server browse
}
reverse_proxy /* $${ZROK_UPSTREAM_URL} {
header_up Host $${ZROK_UPSTREAM_HOST}
}
}
CADDYFILE
user: root
volumes:
- zrok_env:/mnt
# set file ownership # set file ownership
zrok-init: zrok-init:
image: busybox image: busybox
depends_on:
zrok-caddyfile:
condition: service_completed_successfully
# matches uid:gid of "nobody" in zrok container image # matches uid:gid of "nobody" in zrok container image
command: chown -Rc 65534:65534 /mnt/ command: chown -Rc 65534:65534 /mnt/
user: root user: root
@ -60,27 +21,34 @@ services:
STATE_DIRECTORY: /mnt STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN: ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: ZROK_ENVIRONMENT_NAME: docker-public-reserved
# reserve zrok frontend subdomain and start sharing the target # reserve zrok frontend subdomain and start sharing the target
zrok-share: zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
entrypoint: zrok-share.bash entrypoint: bash -x zrok-share.bash
depends_on: depends_on:
zrok-enable: zrok-enable:
condition: service_completed_successfully condition: service_completed_successfully
volumes: volumes:
- zrok_env:/mnt - zrok_env:/mnt
ports: []
# - 127.0.0.1:2019:2019 # Caddy admin API
environment: environment:
STATE_DIRECTORY: /mnt # internal configuration
PFXLOG_NO_JSON: "true" STATE_DIRECTORY: /mnt # zrok homedir in container
ZROK_BACKEND_MODE:
ZROK_TARGET: # most relevant options
ZROK_OAUTH_PROVIDER: ZROK_BACKEND_MODE: proxy # web, caddy, drive, proxy
ZROK_OATH_EMAILS: ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
ZROK_BASIC_AUTH: ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github
ZROK_OATH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
# least relevant options
ZROK_VERBOSE: # "--verbose"
ZROK_SHARE_OPTS: # additional arguments to "zrok reserve public" command
ZROK_FRONTENDS: # "public"
PFXLOG_NO_JSON: "true" # suppress JSON logging format
# demo server # demo server
zrok-test: zrok-test:
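Review bot: `ZROK_OATH_EMAILS:` in the new environment block is misspelled: zrok-share.bash in this same commit reads `${ZROK_OAUTH_EMAILS:-}` (visible in its `--oauth-provider` hunk), so the allow-list is never passed into the container and an OAuth-gated share would admit any account the provider authenticates. Rename the key to `ZROK_OAUTH_EMAILS:`; the temporary public-share compose file in this commit carries the same misspelling. Separately, `entrypoint: bash -x zrok-share.bash` traces every expansion, which puts `--basic-auth username:password` and the reservation token into the container log; drop `-x` or make it conditional on `ZROK_VERBOSE`.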


@ -15,52 +15,46 @@ services:
depends_on: depends_on:
zrok-init: zrok-init:
condition: service_completed_successfully condition: service_completed_successfully
entrypoint: entrypoint: zrok-enable.bash
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker temp public share}" ${ZROK_ENABLE_TOKEN}
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
environment: environment:
HOME: /mnt STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-public-share
# start share on temporary public frontend url # provision a temporary zrok frontend subdomain and start sharing the backend target
zrok-share: zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
entrypoint: entrypoint: zrok-share.bash
- bash
- -euc
- |
set -o pipefail
ZROK_CMD="share public --headless"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
fi
ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}"
echo "INFO: running: zrok $${ZROK_CMD}"
exec zrok $${ZROK_CMD}
depends_on: depends_on:
zrok-enable: zrok-enable:
condition: service_completed_successfully condition: service_completed_successfully
volumes: volumes:
- zrok_env:/mnt/.zrok - zrok_env:/mnt
ports: []
# - 127.0.0.1:2019:2019 # Caddy admin API
environment: environment:
HOME: /mnt # internal configuration
PFXLOG_NO_JSON: "true" STATE_DIRECTORY: /mnt # zrok homedir in container
ZROK_FRONTEND_MODE: temp-public # tells zrok-share.bash to create a temporary subdomain and share until exit
# demo servers you can share with zrok # most relevant options
ZROK_BACKEND_MODE: proxy # web, caddy, drive, proxy
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github
ZROK_OATH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
# least relevant options
ZROK_VERBOSE: # "--verbose"
ZROK_SHARE_OPTS: # additional arguments to "zrok share public" command
ZROK_FRONTENDS: # "public"
PFXLOG_NO_JSON: "true" # suppress JSON logging format
# demo server you can share with zrok
zrok-test: zrok-test:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: test endpoint --address 0.0.0.0 # 9090 command: test endpoint --address 0.0.0.0 # 9090
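Review bot: In `temp-public` mode the `ZROK_INSECURE` entry documented here does not appear to reach zrok: in the zrok-share.bash hunks of this commit `${ZROK_INSECURE:-}` is appended only on the reserved paths (`ZITI_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"` and the matching `ZROK_CMD+=` line), while the `ZROK_FRONTEND_MODE == temp-public` branch builds `ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"` and execs it without it. Unless a part of the script outside the visible hunks adds it, either append `${ZROK_INSECURE:-}` in that branch or change the comment on `ZROK_INSECURE:` to say it applies to reserved mode only. Otherwise a proxy target with an unverifiable certificate fails in a way the comment here does not predict.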


@ -38,13 +38,14 @@ fi
if (( $# )); then if (( $# )); then
if [[ -s "$1" ]]; then if [[ -s "$1" ]]; then
echo "INFO: reading enable parameters from $1"
source "$1" source "$1"
else else
echo "ERROR: \$1="$1" is empty or not a readable file" >&2 echo "ERROR: \$1="$1" is empty or not a readable file" >&2
exit 1 exit 1
fi fi
else else
echo "WARNING: no env filename argument, trying to read configuration from environment variables" >&2 echo "INFO: reading enable parameters from environment variables"
fi fi
if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then


@ -7,17 +7,29 @@ set -o errexit
set -o nounset set -o nounset
set -o pipefail set -o pipefail
share_reserved(){
local token="$1"
local target="$2"
shift 2
local opts="${*:-}"
local zrok_cmd="share reserved ${token} --headless ${opts} --override-endpoint ${target}"
echo "INFO: running: zrok ${zrok_cmd}"
exec zrok ${zrok_cmd}
}
if ! command -v jq &>/dev/null; then if ! command -v jq &>/dev/null; then
echo "ERROR: jq is needed but not installed" >&2 echo "ERROR: jq is needed but not installed" >&2
exit 1 exit 1
fi fi
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share # set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
export HOME="${STATE_DIRECTORY%:*}" export HOME="${STATE_DIRECTORY%:*}"
if (( $# )); then if (( $# )); then
if [[ -s "$1" ]]; then if [[ -s "$1" ]]; then
echo "INFO: reading share configuration from $1"
source "$1" source "$1"
shift
else else
echo "ERROR: '$1' is empty or not readable" >&2 echo "ERROR: '$1' is empty or not readable" >&2
exit 1 exit 1
@ -30,27 +42,37 @@ else
# echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2 # echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2
# exit 1 # exit 1
# fi # fi
echo "WARNING: no environment filename argument, trying to read share configuration from env vars" >&2 echo "INFO: reading share configuration from environment variables"
fi fi
if [[ -s ~/.zrok/reserved.json ]]; then [[ -n "${ZROK_TARGET:-}" ]] || {
ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" echo "ERROR: ZROK_TARGET is not defined." >&2
exit 1
}
# default mode is reserved (public), override mode is temp-public, i.e., "share public" without a reserved subdomain
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
elif [[ -s ~/.zrok/reserved.json ]]; then
ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)"
if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2 echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2
exit 1 exit 1
else else
echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}" echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}"
ZITI_CMD="${ZROK_RESERVED_TOKEN} ${ZROK_TARGET}"
ZITI_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
share_reserved ${ZITI_CMD}
fi fi
else else
ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}" ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
[[ -n "${ZROK_TARGET:-}" ]] || { fi
echo "ERROR: ZROK_TARGET was not defined in /opt/openziti/etc/zrok/zrok-share.env." >&2
exit 1
}
[[ -n "${ZROK_BACKEND_MODE:-}" ]] || { [[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2 echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2
ZROK_BACKEND_MODE="proxy" ZROK_BACKEND_MODE="proxy"
} }
case "${ZROK_BACKEND_MODE}" in case "${ZROK_BACKEND_MODE}" in
proxy) proxy)
if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then
@ -87,10 +109,13 @@ else
" ZROK_TARGET value will not validated before running." >&2 " ZROK_TARGET value will not validated before running." >&2
;; ;;
esac esac
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}" ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}" ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi fi
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
@ -101,10 +126,16 @@ else
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}" ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}"
fi fi
echo "INFO: running: zrok ${ZROK_CMD}"
zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
fi
echo "INFO: running: zrok ${ZROK_CMD}"
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
# share until exit
exec zrok ${ZROK_CMD}
else
# reserve and continue
zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
# share the reserved backend target until exit
if ! [[ -s ~/.zrok/reserved.json ]]; then if ! [[ -s ~/.zrok/reserved.json ]]; then
echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2 echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2
exit 1 exit 1
@ -121,11 +152,8 @@ else
echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2 echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2
exit 1 exit 1
fi fi
ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_TARGET}" ZROK_CMD="${ZROK_RESERVED_TOKEN} ${ZROK_TARGET}"
ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}" ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then share_reserved ${ZROK_CMD}
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi fi
echo "INFO: running: zrok ${ZROK_CMD}"
exec zrok ${ZROK_CMD}
fi fi
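Review bot: The `echo "INFO: running: zrok ${ZROK_CMD}"` that now precedes both the temp-public `exec` and the reserve step prints the complete command, and when `ZROK_BASIC_AUTH` is set that command contains `--basic-auth username:password`, so the credential lands in the container or journal log. Log a copy of the command with the basic-auth value masked, guarded by `if [[ -n "${ZROK_BASIC_AUTH:-}" ]]`, rather than the raw string. In the already-reserved branch the accumulator is named `ZITI_CMD` while the identical construction after the reserve step uses `ZROK_CMD`; the odd name reads like a typo and should be unified. The outer `if`/`else` that these hunks modify starts and ends outside the visible hunks.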