organizational lint
parent
0f9360f924
commit
c45469a17b
@ -1,222 +0,0 @@
|
|||||||
v: 3
|
|
||||||
|
|
||||||
#trace:
|
|
||||||
# path: "controller.trace"
|
|
||||||
|
|
||||||
#profile:
|
|
||||||
# memory:
|
|
||||||
# path: ctrl.memprof
|
|
||||||
|
|
||||||
db: "/home/ubuntu/local/etc/zrok.io/db/ctrl.db"
|
|
||||||
|
|
||||||
identity:
|
|
||||||
cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert"
|
|
||||||
server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem"
|
|
||||||
key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key"
|
|
||||||
ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.pem"
|
|
||||||
|
|
||||||
# Network Configuration
|
|
||||||
#
|
|
||||||
# Configure how the controller will establish and manage the overlay network, and routing operations on top of
|
|
||||||
# the network.
|
|
||||||
#
|
|
||||||
#network:
|
|
||||||
|
|
||||||
# routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed.
|
|
||||||
#routeTimeoutSeconds: 10
|
|
||||||
|
|
||||||
# createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it)
|
|
||||||
# for new circuits.
|
|
||||||
#createCircuitRetries: 2
|
|
||||||
|
|
||||||
# pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where
|
|
||||||
# there isn't an established link, but a link request has been sent
|
|
||||||
#pendingLinkTimeoutSeconds: 10
|
|
||||||
|
|
||||||
# Defines the period that the controller re-evaluates the performance of all of the circuits
|
|
||||||
# running on the network.
|
|
||||||
#
|
|
||||||
#cycleSeconds: 15
|
|
||||||
|
|
||||||
# Sets router minimum cost. Defaults to 10
|
|
||||||
#minRouterCost: 10
|
|
||||||
|
|
||||||
# Sets how often a new control channel connection can take over for a router with an existing control channel connection
|
|
||||||
# Defaults to 1 minute
|
|
||||||
#routerConnectChurnLimit: 1m
|
|
||||||
|
|
||||||
# Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually
|
|
||||||
# reported from the routers. Defaults to 65 seconds.
|
|
||||||
#initialLinkLatency: 65s
|
|
||||||
|
|
||||||
#smart:
|
|
||||||
#
|
|
||||||
# Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. If
|
|
||||||
# smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`,
|
|
||||||
# then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to
|
|
||||||
# 2 (2% of 100).
|
|
||||||
#
|
|
||||||
#rerouteFraction: 0.02
|
|
||||||
#
|
|
||||||
# Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart
|
|
||||||
# routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and
|
|
||||||
# `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this
|
|
||||||
# `cycleSeconds` period will be limited to 1.
|
|
||||||
#
|
|
||||||
#rerouteCap: 4
|
|
||||||
|
|
||||||
# the endpoint that routers will connect to the controller over.
|
|
||||||
ctrl:
|
|
||||||
#options:
|
|
||||||
# (optional) settings
|
|
||||||
# set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
|
|
||||||
#maxQueuedConnects: 1
|
|
||||||
# the maximum number of connects that have begun hello synchronization (1 to 1000, default 16)
|
|
||||||
#maxOutstandingConnects: 16
|
|
||||||
# the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms)
|
|
||||||
#connectTimeoutMs: 1000
|
|
||||||
listener: tls:0.0.0.0:6262
|
|
||||||
|
|
||||||
# the endpoint that management tools connect to the controller over.
|
|
||||||
mgmt:
|
|
||||||
#options:
|
|
||||||
# (optional) settings
|
|
||||||
# set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
|
|
||||||
#maxQueuedConnects: 1
|
|
||||||
# the maximum number of connects that have begun hello synchronization (1 to 1000, default 16)
|
|
||||||
#maxOutstandingConnects: 16
|
|
||||||
# the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms)
|
|
||||||
#connectTimeoutMs: 1000
|
|
||||||
listener: tls:0.0.0.0:10000
|
|
||||||
|
|
||||||
#metrics:
|
|
||||||
# influxdb:
|
|
||||||
# url: http://localhost:8086
|
|
||||||
# database: ziti
|
|
||||||
|
|
||||||
# xctrl_example
|
|
||||||
#
|
|
||||||
#example:
|
|
||||||
# enabled: false
|
|
||||||
# delay: 5s
|
|
||||||
|
|
||||||
healthChecks:
|
|
||||||
boltCheck:
|
|
||||||
# How often to try entering a bolt read tx. Defaults to 30 seconds
|
|
||||||
interval: 30s
|
|
||||||
# When to time out the check. Defaults to 20 seconds
|
|
||||||
timeout: 20s
|
|
||||||
# How long to wait before starting the check. Defaults to 30 seconds
|
|
||||||
initialDelay: 30s
|
|
||||||
|
|
||||||
# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
|
|
||||||
# section, commenting out, or altering the name of the section will cause the edge to not run.
|
|
||||||
edge:
|
|
||||||
# This section represents the configuration of the Edge API that is served over HTTPS
|
|
||||||
api:
|
|
||||||
#(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
|
|
||||||
# activityUpdateInterval: 90s
|
|
||||||
#(optional, default 250) The number of API Sessions updated for last activity per transaction
|
|
||||||
# activityUpdateBatchSize: 250
|
|
||||||
# sessionTimeout - optional, default 30m
|
|
||||||
# The number of minutes before an Edge API session will time out. Timeouts are reset by
|
|
||||||
# API requests and connections that are maintained to Edge Routers
|
|
||||||
sessionTimeout: 30m
|
|
||||||
# address - required
|
|
||||||
# The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
|
|
||||||
# defined in this Controller.WebListener.'s bindPoints.
|
|
||||||
address: 10.0.0.41:1280
|
|
||||||
# This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities.
|
|
||||||
enrollment:
|
|
||||||
# signingCert - required
|
|
||||||
# A Ziti Identity configuration section that specifically makes use of the cert and key fields to define
|
|
||||||
# a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert
|
|
||||||
# will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.
|
|
||||||
signingCert:
|
|
||||||
cert: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/certs/signing-intermediate.cert
|
|
||||||
key: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/keys/signing-intermediate.key
|
|
||||||
# edgeIdentity - optional
|
|
||||||
# A section for identity enrollment specific settings
|
|
||||||
edgeIdentity:
|
|
||||||
# duration - optional, default 180m
|
|
||||||
# The length of time that a Ziti Edge Identity enrollment should remain valid. After
|
|
||||||
# this duration, the enrollment will expire and no longer be usable.
|
|
||||||
duration: 180m
|
|
||||||
# edgeRouter - Optional
|
|
||||||
# A section for edge router enrollment specific settings.
|
|
||||||
edgeRouter:
|
|
||||||
# duration - optional, default 180m
|
|
||||||
# The length of time that a Ziti Edge Router enrollment should remain valid. After
|
|
||||||
# this duration, the enrollment will expire and no longer be usable.
|
|
||||||
duration: 180m
|
|
||||||
|
|
||||||
# web
|
|
||||||
# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many
|
|
||||||
# backend points.
|
|
||||||
web:
|
|
||||||
# name - required
|
|
||||||
# Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
|
|
||||||
- name: client-management
|
|
||||||
# bindPoints - required
|
|
||||||
# One or more backend points are required. A backend point specifies an interface (interface:port string) that defines
|
|
||||||
# where on the host machine the webListener will frontend and the address (host:port) that should be used to
|
|
||||||
# publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
|
|
||||||
# incoming address resolution as well as used in responses in the API.
|
|
||||||
bindPoints:
|
|
||||||
#interface - required
|
|
||||||
# A host:port string on which network interface to frontend on. 0.0.0.0 will frontend on all interfaces
|
|
||||||
- interface: 0.0.0.0:1280
|
|
||||||
# address - required
|
|
||||||
# The public address that external incoming requests will be able to resolve. Used in request processing and
|
|
||||||
# response content that requires full host:port/path addresses.
|
|
||||||
address: 10.0.0.41:1280
|
|
||||||
# identity - optional
|
|
||||||
# Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
|
|
||||||
identity:
|
|
||||||
ca: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/intermediate.cert"
|
|
||||||
key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key"
|
|
||||||
server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem"
|
|
||||||
cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert"
|
|
||||||
# options - optional
|
|
||||||
# Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
|
|
||||||
# used for all http servers started by the current webListener.
|
|
||||||
options:
|
|
||||||
# idleTimeoutMs - optional, default 5000ms
|
|
||||||
# The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
|
|
||||||
# can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
|
|
||||||
# will cause clients to reconnect on subsequent HTTPs requests.
|
|
||||||
idleTimeout: 5000ms #http timeouts, new
|
|
||||||
# readTimeoutMs - optional, default 5000ms
|
|
||||||
# The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
|
|
||||||
# value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
|
|
||||||
# or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
|
|
||||||
readTimeout: 5000ms
|
|
||||||
# writeTimeoutMs - optional, default 100000ms
|
|
||||||
# The total maximum time in milliseconds that the http server will wait for a single requests to be received and
|
|
||||||
# responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
|
|
||||||
# can risk ending requests before the server has a chance to respond.
|
|
||||||
writeTimeout: 100000ms
|
|
||||||
# minTLSVersion - optional, default TLS1.2
|
|
||||||
# The minimum version of TSL to support
|
|
||||||
minTLSVersion: TLS1.2
|
|
||||||
# maxTLSVersion - optional, default TLS1.3
|
|
||||||
# The maximum version of TSL to support
|
|
||||||
maxTLSVersion: TLS1.3
|
|
||||||
# apis - required
|
|
||||||
# Allows one or more APIs to be bound to this webListener
|
|
||||||
apis:
|
|
||||||
# binding - required
|
|
||||||
# Specifies an API to backend to this webListener. Built-in APIs are
|
|
||||||
# - edge-management
|
|
||||||
# - edge-client
|
|
||||||
# - fabric-management
|
|
||||||
- binding: edge-management
|
|
||||||
# options - arg optional/required
|
|
||||||
# This section is used to define values that are specified by the API they are associated with.
|
|
||||||
# These settings are per API. The example below is for the 'edge-api' and contains both optional values and
|
|
||||||
# required values.
|
|
||||||
options: { }
|
|
||||||
- binding: edge-client
|
|
||||||
options: { }
|
|
||||||
- binding: fabric
|
|
||||||
options: { }
|
|
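--- a/docs/network/prod/zrok.io-network-skeleton.md
+++ b/docs/network/prod/zrok.io-network-skeleton.md
@@ -0,0 +1,95 @@
+* create root ca
+
+`pki_create_ca`:
+
+```
+$ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=root-ca --ca-name="zrok.io Root CA"
+```
+
+* signing root ca
+
+`pki_create_ca`:
+
+```
+$ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=signing-root-ca --ca-name="zrok.io Signing Root CA"
+```
+
+* intermediate
+
+`pki_create_intermediate`:
+
+```
+$ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=root-ca --intermediate-name="zrok.io Intermediate" --intermediate-file=intermediate --max-path-len=1
+```
+
+* signing intermediate
+
+`pki_create_intermediate`:
+
+```
+$ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --intermediate-name="zrok.io Signing Intermediate" --intermediate-file=signing-intermediate --max-path-len=1
+```
+
+* create controller client/server certs:
+
+`pki_client_server`:
+
+```
+$ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=ctrl-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io controller server"
+$ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=ctrl-client --key-file=ctrl-server --client-name="zrok.io controller client"
+```
+
+* create edge router client/server certs:
+
+`pki_client_server`:
+
+```
+$ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=router0-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io router0 server"
+$ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=router0-client --key-file=router0-server --client-name="zrok.io router0 client"
+```
+
+* `cas.pem`:
+
+`createControllerConfig`:
+
+```
+$ cat local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem > local/etc/zrok.io/pki/cas.pem
+$ cat local/etc/zrok.io/pki/intermediate/certs/signing-intermediate.cert >> local/etc/zrok.io/pki/cas.pem
+```
+
+* `ziti-controller edge init`:
+
+```
+$ ~/local/ziti/ziti-controller edge init local/etc/zrok.io/ziti-ctrl.yml
+```
+
+* start controller
+
+* create and enroll edge router:
+
+```
+$ ziti edge create edge-router router0 -o router0.jwt -t -a "public"
+New edge router router0 created with id: ZAbNbXUL6A
+Enrollment expires at 2022-08-29T21:56:37.418Z
+
+$ ziti-router enroll local/etc/zrok.io/ziti-router0.yml --jwt router0.jwt
+[ 3.561] INFO edge/router/enroll.(*RestEnroller).Enroll: registration complete
+```
+
+* configure zrok frontend identity
+
+```
+$ ziti edge create identity device -o ~/.zrok/proxy.jwt proxy
+New identity proxy created with id: -zbBF8eVb-
+Enrollment expires at 2022-08-10T18:46:16.641Z
+```
+
+```
+$ ziti edge enroll -j ~/.zrok/proxy.jwt -o ~/.zrok/proxy.json
+INFO generating 4096 bit RSA key
+INFO enrolled successfully. identity file written to: proxy.json
+```
+
+```
+$ ziti edge create erp --edge-router-roles "#all" --identity-roles @proxy
+```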
@ -1,69 +0,0 @@
|
|||||||
v: 3
|
|
||||||
|
|
||||||
identity:
|
|
||||||
cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-client.cert"
|
|
||||||
server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-server.cert"
|
|
||||||
key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/router0-server.key"
|
|
||||||
ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.cert"
|
|
||||||
|
|
||||||
ctrl:
|
|
||||||
endpoint: tls:0.0.0.0:6262
|
|
||||||
|
|
||||||
link:
|
|
||||||
dialers:
|
|
||||||
- binding: transport
|
|
||||||
listeners:
|
|
||||||
- binding: transport
|
|
||||||
bind: tls:0.0.0.0:10080
|
|
||||||
advertise: tls:api.zrok.io:10080
|
|
||||||
options:
|
|
||||||
outQueueSize: 4
|
|
||||||
|
|
||||||
listeners:
|
|
||||||
# bindings of edge and tunnel requires an "edge" section below
|
|
||||||
- binding: edge
|
|
||||||
address: tls:0.0.0.0:3022
|
|
||||||
options:
|
|
||||||
advertise: api.zrok.io:3022
|
|
||||||
connectTimeoutMs: 1000
|
|
||||||
getSessionTimeout: 60s
|
|
||||||
- binding: tunnel
|
|
||||||
options:
|
|
||||||
mode: host #tproxy|host
|
|
||||||
|
|
||||||
|
|
||||||
edge:
|
|
||||||
csr:
|
|
||||||
country: US
|
|
||||||
province: NC
|
|
||||||
locality: Charlotte
|
|
||||||
organization: NetFoundry
|
|
||||||
organizationalUnit: Ziti
|
|
||||||
sans:
|
|
||||||
dns:
|
|
||||||
- api.zrok.io
|
|
||||||
- localhost
|
|
||||||
ip:
|
|
||||||
- "10.0.0.41"
|
|
||||||
- "127.0.0.1"
|
|
||||||
|
|
||||||
#transport:
|
|
||||||
# ws:
|
|
||||||
# writeTimeout: 10
|
|
||||||
# readTimeout: 5
|
|
||||||
# idleTimeout: 5
|
|
||||||
# pongTimeout: 60
|
|
||||||
# pingInterval: 54
|
|
||||||
# handshakeTimeout: 10
|
|
||||||
# readBufferSize: 4096
|
|
||||||
# writeBufferSize: 4096
|
|
||||||
# enableCompression: true
|
|
||||||
# server_cert: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.cert
|
|
||||||
# key: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.key
|
|
||||||
|
|
||||||
forwarder:
|
|
||||||
latencyProbeInterval: 10
|
|
||||||
xgressDialQueueLength: 1000
|
|
||||||
xgressDialWorkerCount: 128
|
|
||||||
linkDialQueueLength: 1000
|
|
||||||
linkDialWorkerCount: 32
|
|
@ -1,99 +0,0 @@
|
|||||||
`createPki`:
|
|
||||||
|
|
||||||
* create root ca
|
|
||||||
|
|
||||||
`pki_create_ca`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=root-ca --ca-name="zrok.io Root CA"
|
|
||||||
```
|
|
||||||
|
|
||||||
* signing root ca
|
|
||||||
|
|
||||||
`pki_create_ca`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create ca --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-file=signing-root-ca --ca-name="zrok.io Signing Root CA"
|
|
||||||
```
|
|
||||||
|
|
||||||
* intermediate
|
|
||||||
|
|
||||||
`pki_create_intermediate`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=root-ca --intermediate-name="zrok.io Intermediate" --intermediate-file=intermediate --max-path-len=1
|
|
||||||
```
|
|
||||||
|
|
||||||
* signing intermediate
|
|
||||||
|
|
||||||
`pki_create_intermediate`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create intermediate --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --intermediate-name="zrok.io Signing Intermediate" --intermediate-file=signing-intermediate --max-path-len=1
|
|
||||||
```
|
|
||||||
|
|
||||||
* create controller client/server certs:
|
|
||||||
|
|
||||||
`pki_client_server`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=ctrl-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io controller server"
|
|
||||||
$ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=ctrl-client --key-file=ctrl-server --client-name="zrok.io controller client"
|
|
||||||
```
|
|
||||||
|
|
||||||
* create edge router client/server certs:
|
|
||||||
|
|
||||||
`pki_client_server`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti pki create server --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --server-file=router0-server --dns="ziti.zrok.io,localhost" --ip="0.0.0.0,10.0.0.41,127.0.01" --server-name="zrok.io router0 server"
|
|
||||||
$ ziti pki create client --pki-root=/home/ubuntu/local/etc/zrok.io/pki --ca-name=intermediate --client-file=router0-client --key-file=router0-server --client-name="zrok.io router0 client"
|
|
||||||
```
|
|
||||||
|
|
||||||
* `cas.pem`:
|
|
||||||
|
|
||||||
`createControllerConfig`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ cat local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem > local/etc/zrok.io/pki/cas.pem
|
|
||||||
$ cat local/etc/zrok.io/pki/intermediate/certs/signing-intermediate.cert >> local/etc/zrok.io/pki/cas.pem
|
|
||||||
```
|
|
||||||
|
|
||||||
* `ziti-controller edge init`:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ~/local/ziti/ziti-controller edge init local/etc/zrok.io/ziti-ctrl.yml
|
|
||||||
```
|
|
||||||
|
|
||||||
* start controller
|
|
||||||
|
|
||||||
* create and enroll edge router:
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti edge create edge-router router0 -o router0.jwt -t -a "public"
|
|
||||||
New edge router router0 created with id: ZAbNbXUL6A
|
|
||||||
Enrollment expires at 2022-08-29T21:56:37.418Z
|
|
||||||
|
|
||||||
$ ziti-router enroll local/etc/zrok.io/ziti-router0.yml --jwt router0.jwt
|
|
||||||
[ 0.456] DEBUG ziti/ziti/cmd/ziti/util.LogReleaseVersionCheck: this build of ziti-router is the latest release v0.26.5
|
|
||||||
[ 0.467] DEBUG edge/router/enroll.(*RestEnroller).Enroll: JWT parsed
|
|
||||||
[ 3.561] INFO edge/router/enroll.(*RestEnroller).Enroll: registration complete
|
|
||||||
```
|
|
||||||
|
|
||||||
* configure zrok frontend identity
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti edge create identity device -o ~/.zrok/proxy.jwt proxy
|
|
||||||
New identity proxy created with id: -zbBF8eVb-
|
|
||||||
Enrollment expires at 2022-08-10T18:46:16.641Z
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti edge enroll -j ~/.zrok/proxy.jwt -o ~/.zrok/proxy.json
|
|
||||||
INFO generating 4096 bit RSA key
|
|
||||||
INFO enrolled successfully. identity file written to: proxy.json
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
$ ziti edge create erp --edge-router-roles "#all" --identity-roles @proxy
|
|
||||||
```
|
|