diff --git a/etc/router0.yml b/etc/router0.yml new file mode 100644 index 00000000..6854e6f0 --- /dev/null +++ b/etc/router0.yml @@ -0,0 +1,69 @@ +v: 3 + +identity: + cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-client.cert" + server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/router0-server.cert" + key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/router0-server.key" + ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.cert" + +ctrl: + endpoint: tls:0.0.0.0:6262 + +link: + dialers: + - binding: transport + listeners: + - binding: transport + bind: tls:0.0.0.0:10080 + advertise: tls:api.zrok.io:10080 + options: + outQueueSize: 4 + +listeners: +# bindings of edge and tunnel requires an "edge" section below + - binding: edge + address: tls:0.0.0.0:3022 + options: + advertise: api.zrok.io:3022 + connectTimeoutMs: 1000 + getSessionTimeout: 60s + - binding: tunnel + options: + mode: host #tproxy|host + + +edge: + csr: + country: US + province: NC + locality: Charlotte + organization: NetFoundry + organizationalUnit: Ziti + sans: + dns: + - api.zrok.io + - localhost + ip: + - "10.0.0.41" + - "127.0.0.1" + +#transport: +# ws: +# writeTimeout: 10 +# readTimeout: 5 +# idleTimeout: 5 +# pongTimeout: 60 +# pingInterval: 54 +# handshakeTimeout: 10 +# readBufferSize: 4096 +# writeBufferSize: 4096 +# enableCompression: true +# server_cert: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.cert +# key: /home/ubuntu/.ziti/quickstart/zrok-ctrl-01/pki/routers/zrok-ctrl-01-edge-router/server.key + +forwarder: + latencyProbeInterval: 10 + xgressDialQueueLength: 1000 + xgressDialWorkerCount: 128 + linkDialQueueLength: 1000 + linkDialWorkerCount: 32 diff --git a/etc/ziti-ctrl.yml b/etc/ziti-ctrl.yml new file mode 100644 index 00000000..e8bf7c9b --- /dev/null +++ b/etc/ziti-ctrl.yml 
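Review bot: `endpoint: tls:0.0.0.0:6262` under `ctrl:` is the address this router dials to reach the controller, and 0.0.0.0 is a bind-any address rather than a host to dial (what it connects to is platform-dependent); unless the router is meant to run on the controller host itself, this should name the controller that the rest of this commit reaches at 10.0.0.41, e.g. `endpoint: tls:<controller-host>:6262`. The comment inside `listeners:` sits at column 0 while the list items are indented, and `mode: host #tproxy|host` has no spacing around `#`; `mode: host  # tproxy|host` matches the file's other comments. The edge (3022) and link (10080) listeners and the ctrl endpoint all use 0.0.0.0, so they are reachable on every interface of the host — worth a short comment stating that this is intended rather than a copy of a local-dev sample.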
@@ -0,0 +1,222 @@ +v: 3 + +#trace: +# path: "controller.trace" + +#profile: +# memory: +# path: ctrl.memprof + +db: "/home/ubuntu/local/etc/zrok.io/db/ctrl.db" + +identity: + cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert" + server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem" + key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key" + ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.pem" + +# Network Configuration +# +# Configure how the controller will establish and manage the overlay network, and routing operations on top of +# the network. +# +#network: + + # routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed. + #routeTimeoutSeconds: 10 + + # createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it) + # for new circuits. + #createCircuitRetries: 2 + + # pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where + # there isn't an established link, but a link request has been sent + #pendingLinkTimeoutSeconds: 10 + + # Defines the period that the controller re-evaluates the performance of all of the circuits + # running on the network. + # + #cycleSeconds: 15 + + # Sets router minimum cost. Defaults to 10 + #minRouterCost: 10 + + # Sets how often a new control channel connection can take over for a router with an existing control channel connection + # Defaults to 1 minute + #routerConnectChurnLimit: 1m + + # Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually + # reported from the routers. Defaults to 65 seconds. + #initialLinkLatency: 65s + + #smart: + # + # Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. 
If + # smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`, + # then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to + # 2 (2% of 100). + # + #rerouteFraction: 0.02 + # + # Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart + # routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and + # `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this + # `cycleSeconds` period will be limited to 1. + # + #rerouteCap: 4 + +# the endpoint that routers will connect to the controller over. +ctrl: + #options: + # (optional) settings + # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1) + #maxQueuedConnects: 1 + # the maximum number of connects that have begun hello synchronization (1 to 1000, default 16) + #maxOutstandingConnects: 16 + # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms) + #connectTimeoutMs: 1000 + listener: tls:0.0.0.0:6262 + +# the endpoint that management tools connect to the controller over. 
+mgmt: + #options: + # (optional) settings + # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1) + #maxQueuedConnects: 1 + # the maximum number of connects that have begun hello synchronization (1 to 1000, default 16) + #maxOutstandingConnects: 16 + # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms) + #connectTimeoutMs: 1000 + listener: tls:0.0.0.0:10000 + +#metrics: +# influxdb: +# url: http://localhost:8086 +# database: ziti + +# xctrl_example +# +#example: +# enabled: false +# delay: 5s + +healthChecks: + boltCheck: + # How often to try entering a bolt read tx. Defaults to 30 seconds + interval: 30s + # When to time out the check. Defaults to 20 seconds + timeout: 20s + # How long to wait before starting the check. Defaults to 30 seconds + initialDelay: 30s + +# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this +# section, commenting out, or altering the name of the section will cause the edge to not run. +edge: + # This section represents the configuration of the Edge API that is served over HTTPS + api: + #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted + # activityUpdateInterval: 90s + #(optional, default 250) The number of API Sessions updated for last activity per transaction + # activityUpdateBatchSize: 250 + # sessionTimeout - optional, default 30m + # The number of minutes before an Edge API session will time out. Timeouts are reset by + # API requests and connections that are maintained to Edge Routers + sessionTimeout: 30m + # address - required + # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses + # defined in this Controller.WebListener.'s bindPoints. 
+ address: api.zrok.io:1280 + # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities. + enrollment: + # signingCert - required + # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define + # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert + # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller. + signingCert: + cert: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/certs/signing-intermediate.cert + key: /home/ubuntu/local/etc/zrok.io/pki/signing-intermediate/keys/signing-intermediate.key + # edgeIdentity - optional + # A section for identity enrollment specific settings + edgeIdentity: + # duration - optional, default 180m + # The length of time that a Ziti Edge Identity enrollment should remain valid. After + # this duration, the enrollment will expire and no longer be usable. + duration: 180m + # edgeRouter - Optional + # A section for edge router enrollment specific settings. + edgeRouter: + # duration - optional, default 180m + # The length of time that a Ziti Edge Router enrollment should remain valid. After + # this duration, the enrollment will expire and no longer be usable. + duration: 180m + +# web +# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many +# bind points. +web: + # name - required + # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested. + - name: client-management + # bindPoints - required + # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines + # where on the host machine the webListener will listen and the address (host:port) that should be used to + # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). 
This public address may be used for + # incoming address resolution as well as used in responses in the API. + bindPoints: + #interface - required + # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces + - interface: 0.0.0.0:1280 + # address - required + # The public address that external incoming requests will be able to resolve. Used in request processing and + # response content that requires full host:port/path addresses. + address: api.zrok.io:1280 + # identity - optional + # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section. + identity: + ca: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/intermediate.cert" + key: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/keys/ctrl-server.key" + server_cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-server.chain.pem" + cert: "/home/ubuntu/local/etc/zrok.io/pki/intermediate/certs/ctrl-client.cert" + # options - optional + # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are + # used for all http servers started by the current webListener. + options: + # idleTimeoutMs - optional, default 5000ms + # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high + # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value + # will cause clients to reconnect on subsequent HTTPs requests. + idleTimeout: 5000ms #http timeouts, new + # readTimeoutMs - optional, default 5000ms + # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher + # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency + # or packet loss. A lower value can risk losing connections to high latency/packet loss clients. 
+ readTimeout: 5000ms + # writeTimeoutMs - optional, default 100000ms + # The total maximum time in milliseconds that the http server will wait for a single requests to be received and + # responded too. A higher value can allow long-running requests to consume resources on the host. A lower value + # can risk ending requests before the server has a chance to respond. + writeTimeout: 100000ms + # minTLSVersion - optional, default TLS1.2 + # The minimum version of TSL to support + minTLSVersion: TLS1.2 + # maxTLSVersion - optional, default TLS1.3 + # The maximum version of TSL to support + maxTLSVersion: TLS1.3 + # apis - required + # Allows one or more APIs to be bound to this webListener + apis: + # binding - required + # Specifies an API to bind to this webListener. Built-in APIs are + # - edge-management + # - edge-client + # - fabric-management + - binding: edge-management + # options - arg optional/required + # This section is used to define values that are specified by the API they are associated with. + # These settings are per API. The example below is for the 'edge-api' and contains both optional values and + # required values. + options: { } + - binding: edge-client + options: { } + - binding: fabric + options: { } diff --git a/etc/ctrl.yml b/etc/zrok-ctrl.yml similarity index 50% rename from etc/ctrl.yml rename to etc/zrok-ctrl.yml index db81f5b9..4036c608 100644 --- a/etc/ctrl.yml +++ b/etc/zrok-ctrl.yml @@ -6,18 +6,17 @@ endpoint: host: 0.0.0.0 - port: 10888 + port: 8080 proxy: - url_template: "http://{svcName}.zrok.quigley.com:10111/" + url_template: "http://{svcName}.in.zrok.io:8080/" identities: - # this is the identity(ies) used by your 'zrok proxy' instance(s) - - "-zbBF8eVb-" + - "yvnhjvzEd" store: - path: zrok.db + path: /home/ubuntu/local/etc/zrok.io/db/zrok.db ziti: - api_endpoint: "https://127.0.0.1:1280" + api_endpoint: "https://10.0.0.41:1280" username: admin password: admin
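Review bot: The `web` listener's `identity.ca` is `.../pki/intermediate/certs/intermediate.cert` while the root `identity.ca` at the top of the file is `.../pki/cas.pem`, so if that field is the trust bundle used to validate client certificates, the HTTPS API on 1280 trusts a different CA set than the control channel; unless that is deliberate, `ca: "/home/ubuntu/local/etc/zrok.io/pki/cas.pem"` keeps the two aligned. The comment headings above `idleTimeout`, `readTimeout` and `writeTimeout` name the keys as `idleTimeoutMs`, `readTimeoutMs` and `writeTimeoutMs`, which are not the keys actually used below them; rename the headings to the real keys so a reader does not copy the wrong one. `idleTimeout: 5000ms #http timeouts, new` carries an unspaced, dated inline note that should be dropped or written as `  # HTTP timeouts`. `options: { }` appears three times under `apis`; `options: {}` is the canonical empty flow mapping, and the `signingCert` `cert`/`key` paths are the only unquoted paths in the file and should be quoted like the rest.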
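Review bot: With `api_endpoint` now pointing at a concrete controller (`https://10.0.0.41:1280`) and the store path moved under `/home/ubuntu/local/etc/zrok.io/`, this file looks like a deployment config rather than a sample, yet the unchanged `username: admin` / `password: admin` lines below the new endpoint remain committed default administrative credentials; the password at least should be read from the environment or a secret store, or the file should be an explicitly templated example with a placeholder such as `password: "<set-from-secret>"`. The removed line `# this is the identity(ies) used by your 'zrok proxy' instance(s)` was the only explanation of what `identities` holds, and the new entry `"yvnhjvzEd"` is an opaque id; keep a one-line comment such as `# identities used by the 'zrok proxy' instance(s)` above the list. `url_template` is an `http://` template for `in.zrok.io:8080`; confirm that plain HTTP for the public proxy URLs is intended. The hunk starts at file line 6, so the enclosing `endpoint:` section begins outside it.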