From c45469a17be028bebe3b741769cc8bcd896a226f Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Thu, 1 Sep 2022 14:02:12 -0400 Subject: [PATCH] organizational lint --- docs/network/ctrl.yml | 222 ------------------ {etc => docs/network}/prod/ziti-ctrl.yml | 0 {etc => docs/network}/prod/ziti-router0.yml | 0 {etc => docs/network}/prod/zrok-ctrl.yml | 0 docs/network/prod/zrok.io-network-skeleton.md | 95 ++++++++ docs/network/router0.yml | 69 ------ docs/zrok.io-network-skeleton.md | 99 -------- 7 files changed, 95 insertions(+), 390 deletions(-) delete mode 100644 docs/network/ctrl.yml rename {etc => docs/network}/prod/ziti-ctrl.yml (100%) rename {etc => docs/network}/prod/ziti-router0.yml (100%) rename {etc => docs/network}/prod/zrok-ctrl.yml (100%) create mode 100644 docs/network/prod/zrok.io-network-skeleton.md delete mode 100644 docs/network/router0.yml delete mode 100644 docs/zrok.io-network-skeleton.md diff --git a/docs/network/ctrl.yml b/docs/network/ctrl.yml deleted file mode 100644 index da8b4eaf..00000000 --- a/docs/network/ctrl.yml +++ /dev/null 
@@ -1,222 +0,0 @@ -v: 3 - -#trace: -# path: "controller.trace" - -#profile: -# memory: -# path: ctrl.memprof - -db: "/home/ubuntu/local/etc/zrok.io/db/ctrl.db" - -identity: - cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert" - server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem" - key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key" - ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.pem" - -# Network Configuration -# -# Configure how the controller will establish and manage the overlay network, and routing operations on top of -# the network. -# -#network: - - # routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed. - #routeTimeoutSeconds: 10 - - # createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it) - # for new circuits. - #createCircuitRetries: 2 - - # pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where - # there isn't an established link, but a link request has been sent - #pendingLinkTimeoutSeconds: 10 - - # Defines the period that the controller re-evaluates the performance of all of the circuits - # running on the network. - # - #cycleSeconds: 15 - - # Sets router minimum cost. Defaults to 10 - #minRouterCost: 10 - - # Sets how often a new control channel connection can take over for a router with an existing control channel connection - # Defaults to 1 minute - #routerConnectChurnLimit: 1m - - # Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually - # reported from the routers. Defaults to 65 seconds. - #initialLinkLatency: 65s - - #smart: - # - # Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. 
If - # smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`, - # then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to - # 2 (2% of 100). - # - #rerouteFraction: 0.02 - # - # Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart - # routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and - # `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this - # `cycleSeconds` period will be limited to 1. - # - #rerouteCap: 4 - -# the endpoint that routers will connect to the controller over. -ctrl: - #options: - # (optional) settings - # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1) - #maxQueuedConnects: 1 - # the maximum number of connects that have begun hello synchronization (1 to 1000, default 16) - #maxOutstandingConnects: 16 - # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms) - #connectTimeoutMs: 1000 - listener: tls:0.0.0.0:6262 - -# the endpoint that management tools connect to the controller over. 
-mgmt: - #options: - # (optional) settings - # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1) - #maxQueuedConnects: 1 - # the maximum number of connects that have begun hello synchronization (1 to 1000, default 16) - #maxOutstandingConnects: 16 - # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms) - #connectTimeoutMs: 1000 - listener: tls:0.0.0.0:10000 - -#metrics: -# influxdb: -# url: http://localhost:8086 -# database: ziti - -# xctrl_example -# -#example: -# enabled: false -# delay: 5s - -healthChecks: - boltCheck: - # How often to try entering a bolt read tx. Defaults to 30 seconds - interval: 30s - # When to time out the check. Defaults to 20 seconds - timeout: 20s - # How long to wait before starting the check. Defaults to 30 seconds - initialDelay: 30s - -# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this -# section, commenting out, or altering the name of the section will cause the edge to not run. -edge: - # This section represents the configuration of the Edge API that is served over HTTPS - api: - #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted - # activityUpdateInterval: 90s - #(optional, default 250) The number of API Sessions updated for last activity per transaction - # activityUpdateBatchSize: 250 - # sessionTimeout - optional, default 30m - # The number of minutes before an Edge API session will time out. Timeouts are reset by - # API requests and connections that are maintained to Edge Routers - sessionTimeout: 30m - # address - required - # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses - # defined in this Controller.WebListener.'s bindPoints. 
- address: 10.0.0.41:1280 - # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities. - enrollment: - # signingCert - required - # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define - # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert - # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller. - signingCert: - cert: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/certs/signing-intermediate.cert - key: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/keys/signing-intermediate.key - # edgeIdentity - optional - # A section for identity enrollment specific settings - edgeIdentity: - # duration - optional, default 180m - # The length of time that a Ziti Edge Identity enrollment should remain valid. After - # this duration, the enrollment will expire and no longer be usable. - duration: 180m - # edgeRouter - Optional - # A section for edge router enrollment specific settings. - edgeRouter: - # duration - optional, default 180m - # The length of time that a Ziti Edge Router enrollment should remain valid. After - # this duration, the enrollment will expire and no longer be usable. - duration: 180m - -# web -# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many -# backend points. -web: - # name - required - # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested. - - name: client-management - # bindPoints - required - # One or more backend points are required. A backend point specifies an interface (interface:port string) that defines - # where on the host machine the webListener will frontend and the address (host:port) that should be used to - # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). 
This public address may be used for - # incoming address resolution as well as used in responses in the API. - bindPoints: - #interface - required - # A host:port string on which network interface to frontend on. 0.0.0.0 will frontend on all interfaces - - interface: 0.0.0.0:1280 - # address - required - # The public address that external incoming requests will be able to resolve. Used in request processing and - # response content that requires full host:port/path addresses. - address: 10.0.0.41:1280 - # identity - optional - # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section. - identity: - ca: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/intermediate.cert" - key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key" - server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem" - cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert" - # options - optional - # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are - # used for all http servers started by the current webListener. - options: - # idleTimeoutMs - optional, default 5000ms - # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high - # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value - # will cause clients to reconnect on subsequent HTTPs requests. - idleTimeout: 5000ms #http timeouts, new - # readTimeoutMs - optional, default 5000ms - # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher - # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency - # or packet loss. A lower value can risk losing connections to high latency/packet loss clients. 
- readTimeout: 5000ms - # writeTimeoutMs - optional, default 100000ms - # The total maximum time in milliseconds that the http server will wait for a single requests to be received and - # responded too. A higher value can allow long-running requests to consume resources on the host. A lower value - # can risk ending requests before the server has a chance to respond. - writeTimeout: 100000ms - # minTLSVersion - optional, default TLS1.2 - # The minimum version of TSL to support - minTLSVersion: TLS1.2 - # maxTLSVersion - optional, default TLS1.3 - # The maximum version of TSL to support - maxTLSVersion: TLS1.3 - # apis - required - # Allows one or more APIs to be bound to this webListener - apis: - # binding - required - # Specifies an API to backend to this webListener. Built-in APIs are - # - edge-management - # - edge-client - # - fabric-management - - binding: edge-management - # options - arg optional/required - # This section is used to define values that are specified by the API they are associated with. - # These settings are per API. The example below is for the 'edge-api' and contains both optional values and - # required values. - options: { } - - binding: edge-client - options: { } - - binding: fabric - options: { } diff --git a/etc/prod/ziti-ctrl.yml b/docs/network/prod/ziti-ctrl.yml similarity index 100% rename from etc/prod/ziti-ctrl.yml rename to docs/network/prod/ziti-ctrl.yml diff --git a/etc/prod/ziti-router0.yml b/docs/network/prod/ziti-router0.yml similarity index 100% rename from etc/prod/ziti-router0.yml rename to docs/network/prod/ziti-router0.yml diff --git a/etc/prod/zrok-ctrl.yml b/docs/network/prod/zrok-ctrl.yml similarity index 100% rename from etc/prod/zrok-ctrl.yml rename to docs/network/prod/zrok-ctrl.yml diff --git a/docs/network/prod/zrok.io-network-skeleton.md b/docs/network/prod/zrok.io-network-skeleton.md new file mode 100644 index 00000000..62eef86e --- /dev/null +++ b/docs/network/prod/zrok.io-network-skeleton.md 
@@ -0,0 +1,95 @@
+* create root ca
+
+ `pki_create_ca`:
+
+ ```
+ $ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=root-ca --ca-name="zrok.io Root CA"
+ ```
+
+* signing root ca
+
+ `pki_create_ca`:
+
+ ```
+ $ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=signing-root-ca --ca-name="zrok.io Signing Root CA"
+ ```
+
+* intermediate
+
+ `pki_create_intermediate`:
+
+ ```
+ $ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=root-ca --intermediate-name="zrok.io Intermediate" --intermediate-file=intermediate --max-path-len=1
+ ```
+
+* signing intermediate
+
+ `pki_create_intermediate`:
+
+ ```
+ $ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --intermediate-name="zrok.io Signing Intermediate" --intermediate-file=signing-intermediate --max-path-len=1
+ ```
+
+* create controller client/server certs:
+
+ `pki_client_server`:
+
+ ```
+ $ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=ctrl-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io controller server"
+ $ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=ctrl-client --key-file=ctrl-server --client-name="zrok.io controller client"
+ ```
+
+* create edge router client/server certs:
+
+ `pki_client_server`:
+
+ ```
+ $ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=router0-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io router0 server"
+ $ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=router0-client --key-file=router0-server --client-name="zrok.io router0 client"
+ ```
+
+* `cas.pem`:
+
+ `createControllerConfig`:
+
+ ```
+ $ cat local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem > local/etc/zrok.io/pki/cas.pem
+ $ cat local/etc/zrok.io/pki/intermediate/certs/signing-intermediate.cert >> local/etc/zrok.io/pki/cas.pem
+ ```
+
+* `ziti-controller edge init`:
+
+ ```
+ $ ~/local/ziti/ziti-controller edge init local/etc/zrok.io/ziti-ctrl.yml
+ ```
+
+* start controller
+
+* create and enroll edge router:
+
+ ```
+ $ ziti edge create edge-router router0 -o router0.jwt -t -a "public"
+ New edge router router0 created with id: ZAbNbXUL6A
+ Enrollment expires at 2022-08-29T21:56:37.418Z
+
+ $ ziti-router enroll local/etc/zrok.io/ziti-router0.yml --jwt router0.jwt
+ [ 3.561] INFO edge/router/enroll.(*RestEnroller).Enroll: registration complete
+ ```
+
+* configure zrok frontend identity
+
+ ```
+ $ ziti edge create identity device -o ~/.zrok/proxy.jwt proxy
+ New identity proxy created with id: -zbBF8eVb-
+ Enrollment expires at 2022-08-10T18:46:16.641Z
+ ```
+
+ ```
+ $ ziti edge enroll -j ~/.zrok/proxy.jwt -o ~/.zrok/proxy.json
+ INFO generating 4096 bit RSA key
+ INFO enrolled successfully. identity file written to: proxy.json
+ ```
+
+ ```
+ $ ziti edge create erp --edge-router-roles "#all" --identity-roles @proxy
+ ```
diff --git a/docs/network/router0.yml b/docs/network/router0.yml
deleted file mode 100644
index 6854e6f0..00000000
--- a/docs/network/router0.yml
+++ /dev/null
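Review bot: Both `ziti pki create server` commands pass `--ip="0.0.0.0,10.0.0.41,127.0.01"`, where `127.0.01` is a typo for `127.0.0.1` (the router config elsewhere in this commit spells it correctly) — if the CLI accepts it at all, the resulting IP SAN never matches a loopback peer, so anything dialing the controller or router on localhost by IP will fail TLS verification; `0.0.0.0` is a bind address that no peer ever connects to and adds nothing as a SAN. Suggested flag for both commands: `--ip="10.0.0.41,127.0.0.1"`. The "signing root ca" step creates `signing-root-ca`, but the signing intermediate is then issued with `--ca-name=intermediate`, so that root is never used in this skeleton; either chain the signing intermediate under it or drop the step so the documented trust hierarchy matches what `cas.pem` is built from. Also, `cas.pem` is seeded from `ctrl-server.chain.pem`, which presumably carries the controller's leaf server certificate alongside the CA chain; a trust bundle should hold only CA certificates, so consider concatenating the intermediate CA certs directly — worth confirming against what `ziti pki` actually writes into the `.chain.pem`.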
@@ -1,69 +0,0 @@
-v: 3
-
-identity:
- cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-client.cert"
- server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-server.cert"
- key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/router0-server.key"
- ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.cert"
-
-ctrl:
- endpoint: tls:0.0.0.0:6262
-
-link:
- dialers:
- - binding: transport
- listeners:
- - binding: transport
- bind: tls:0.0.0.0:10080
- advertise: tls:api.zrok.io:10080
- options:
- outQueueSize: 4
-
-listeners:
-# bindings of edge and tunnel requires an "edge" section below
- - binding: edge
- address: tls:0.0.0.0:3022
- options:
- advertise: api.zrok.io:3022
- connectTimeoutMs: 1000
- getSessionTimeout: 60s
- - binding: tunnel
- options:
- mode: host #tproxy|host
-
-
-edge:
- csr:
- country: US
- province: NC
- locality: Charlotte
- organization: NetFoundry
- organizationalUnit: Ziti
- sans:
- dns:
- - api.zrok.io
- - localhost
- ip:
- - "10.0.0.41"
- - "127.0.0.1"
-
-#transport:
-# ws:
-# writeTimeout: 10
-# readTimeout: 5
-# idleTimeout: 5
-# pongTimeout: 60
-# pingInterval: 54
-# handshakeTimeout: 10
-# readBufferSize: 4096
-# writeBufferSize: 4096
-# enableCompression: true
-# server_cert: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.cert
-# key: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.key
-
-forwarder:
- latencyProbeInterval: 10
- xgressDialQueueLength: 1000
- xgressDialWorkerCount: 128
- linkDialQueueLength: 1000
- linkDialWorkerCount: 32
diff --git a/docs/zrok.io-network-skeleton.md b/docs/zrok.io-network-skeleton.md
deleted file mode 100644
index cbe19c67..00000000
--- a/docs/zrok.io-network-skeleton.md
+++ /dev/null
@@ -1,99 +0,0 @@
-`createPki`:
-
- * create root ca
-
- `pki_create_ca`:
-
- ```
- $ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=root-ca --ca-name="zrok.io Root CA"
- ```
-
- * signing root ca
-
- `pki_create_ca`:
-
- ```
- $ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=signing-root-ca --ca-name="zrok.io Signing Root CA"
- ```
-
- * intermediate
-
- `pki_create_intermediate`:
-
- ```
- $ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=root-ca --intermediate-name="zrok.io Intermediate" --intermediate-file=intermediate --max-path-len=1
- ```
-
- * signing intermediate
-
- `pki_create_intermediate`:
-
- ```
- $ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --intermediate-name="zrok.io Signing Intermediate" --intermediate-file=signing-intermediate --max-path-len=1
- ```
-
- * create controller client/server certs:
-
- `pki_client_server`:
-
- ```
- $ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=ctrl-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io controller server"
- $ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=ctrl-client --key-file=ctrl-server --client-name="zrok.io controller client"
- ```
-
- * create edge router client/server certs:
-
- `pki_client_server`:
-
- ```
- $ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=router0-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io router0 server"
- $ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=router0-client --key-file=router0-server --client-name="zrok.io router0 client"
- ```
-
- * `cas.pem`:
-
- `createControllerConfig`:
-
- ```
- $ cat local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem > local/etc/zrok.io/pki/cas.pem
- $ cat local/etc/zrok.io/pki/intermediate/certs/signing-intermediate.cert >> local/etc/zrok.io/pki/cas.pem
- ```
-
- * `ziti-controller edge init`:
-
- ```
- $ ~/local/ziti/ziti-controller edge init local/etc/zrok.io/ziti-ctrl.yml
- ```
-
- * start controller
-
- * create and enroll edge router:
-
- ```
- $ ziti edge create edge-router router0 -o router0.jwt -t -a "public"
- New edge router router0 created with id: ZAbNbXUL6A
- Enrollment expires at 2022-08-29T21:56:37.418Z
-
- $ ziti-router enroll local/etc/zrok.io/ziti-router0.yml --jwt router0.jwt
- [ 0.456] DEBUG ziti/ziti/cmd/ziti/util.LogReleaseVersionCheck: this build of ziti-router is the latest release v0.26.5
- [ 0.467] DEBUG edge/router/enroll.(*RestEnroller).Enroll: JWT parsed
- [ 3.561] INFO edge/router/enroll.(*RestEnroller).Enroll: registration complete
- ```
-
- * configure zrok frontend identity
-
- ```
- $ ziti edge create identity device -o ~/.zrok/proxy.jwt proxy
- New identity proxy created with id: -zbBF8eVb-
- Enrollment expires at 2022-08-10T18:46:16.641Z
- ```
-
- ```
- $ ziti edge enroll -j ~/.zrok/proxy.jwt -o ~/.zrok/proxy.json
- INFO generating 4096 bit RSA key
- INFO enrolled successfully. identity file written to: proxy.json
- ```
-
- ```
- $ ziti edge create erp --edge-router-roles "#all" --identity-roles @proxy
- ```