mirror of
https://github.com/openziti/zrok.git
synced 2025-08-06 23:15:38 +02:00
385 lines
13 KiB
Go
385 lines
13 KiB
Go
package controller
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/openziti/edge-api/rest_management_api_client"
|
|
restMgmtEdgeConfig "github.com/openziti/edge-api/rest_management_api_client/config"
|
|
"github.com/openziti/edge-api/rest_management_api_client/edge_router_policy"
|
|
"github.com/openziti/edge-api/rest_management_api_client/identity"
|
|
"github.com/openziti/edge-api/rest_management_api_client/service"
|
|
"github.com/openziti/edge-api/rest_management_api_client/service_policy"
|
|
"github.com/openziti/edge-api/rest_model"
|
|
restModelEdge "github.com/openziti/edge-api/rest_model"
|
|
"github.com/openziti/edge-api/rest_util"
|
|
"github.com/openziti/sdk-golang/ziti"
|
|
"github.com/openziti/zrok/controller/config"
|
|
"github.com/openziti/zrok/controller/store"
|
|
"github.com/openziti/zrok/controller/zrokEdgeSdk"
|
|
"github.com/openziti/zrok/environment"
|
|
"github.com/openziti/zrok/environment/env_core"
|
|
"github.com/openziti/zrok/sdk/golang/sdk"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type BootstrapConfig struct {
|
|
SkipFrontend bool
|
|
SkipSecretsListener bool
|
|
}
|
|
|
|
func Bootstrap(bootCfg *BootstrapConfig, ctrlCfg *config.Config) error {
|
|
if v, err := store.Open(ctrlCfg.Store); err == nil {
|
|
str = v
|
|
} else {
|
|
return errors.Wrap(err, "error opening store")
|
|
}
|
|
|
|
logrus.Info("connecting to the ziti edge management api")
|
|
edge, err := zrokEdgeSdk.Client(ctrlCfg.Ziti)
|
|
if err != nil {
|
|
return errors.Wrap(err, "error connecting to the ziti edge management api")
|
|
}
|
|
|
|
env, err := environment.LoadRoot()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := assertFrontendIdentity(bootCfg, env, edge); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := assertSecretsListener(bootCfg, ctrlCfg, env, edge); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := assertZrokProxyConfigType(edge); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func assertFrontendIdentity(cfg *BootstrapConfig, env env_core.Root, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
var frontendZId string
|
|
var err error
|
|
if !cfg.SkipFrontend {
|
|
logrus.Info("bootstrapping identity for public frontend access")
|
|
|
|
if frontendZId, err = getIdentityId(env.PublicIdentityName()); err == nil {
|
|
logrus.Infof("existing frontend identity: %v", frontendZId)
|
|
} else {
|
|
frontendZId, err = bootstrapIdentity(env.PublicIdentityName(), edge)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
logrus.Infof("created frontend identity (%v) '%v'", env.PublicIdentityName(), frontendZId)
|
|
}
|
|
if err := assertIdentity(frontendZId, edge); err != nil {
|
|
panic(err)
|
|
}
|
|
if err := assertErpForIdentity(env.PublicIdentityName(), frontendZId, edge); err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
trx, err := str.Begin()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
defer trx.Rollback()
|
|
publicFe, err := str.FindFrontendWithZId(frontendZId, trx)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
logrus.Warnf("missing public frontend for ziti id '%v'; please use 'zrok admin create frontend %v public https://{token}.your.dns.name' to create a frontend instance", frontendZId, frontendZId)
|
|
} else {
|
|
if publicFe.PublicName != nil && publicFe.UrlTemplate != nil {
|
|
logrus.Infof("found public frontend entry '%v' (%v) for ziti identity '%v'", *publicFe.PublicName, publicFe.Token, frontendZId)
|
|
} else {
|
|
logrus.Warnf("found frontend entry for ziti identity '%v'; missing either public name or url template", frontendZId)
|
|
}
|
|
}
|
|
} else {
|
|
logrus.Warnf("skipping frontend identity bootstrap")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func assertSecretsListener(bCfg *BootstrapConfig, ctrlCfg *config.Config, env env_core.Root, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
if !bCfg.SkipSecretsListener || ctrlCfg == nil || ctrlCfg.Secrets == nil {
|
|
logrus.Info("bootstrapping secrets listener")
|
|
|
|
if ctrlCfg.Secrets.ServiceName == "" {
|
|
return errors.New("no secrets service name provided")
|
|
}
|
|
|
|
var secretsZId string
|
|
var err error
|
|
if ctrlCfg.Secrets.IdentityPath == "" || ctrlCfg.Secrets.ZId == "" {
|
|
logrus.Warnf("no secrets identity path or ziti id provided; allocating a new identity")
|
|
|
|
secretsZId, err = bootstrapIdentity("secretsListener", edge)
|
|
if err != nil {
|
|
return errors.Wrap(err, "error bootstrapping secrets identity")
|
|
}
|
|
logrus.Infof("created secrets identity '%v' (configure this into the 'secrets > z_id' field in the controller config)", secretsZId)
|
|
|
|
} else {
|
|
logrus.Infof("asserting existing secrets identity '%v'", ctrlCfg.Secrets.ZId)
|
|
|
|
if err := assertIdentity(ctrlCfg.Secrets.ZId, edge); err != nil {
|
|
return errors.Wrapf(err, "error asserting existing secrets identity '%v'", ctrlCfg.Secrets.ZId)
|
|
}
|
|
secretsZId = ctrlCfg.Secrets.ZId
|
|
logrus.Infof("asserted secrets identity '%v'", ctrlCfg.Secrets.ZId)
|
|
}
|
|
|
|
if err := assertErpForIdentity("secretsListener", secretsZId, edge); err != nil {
|
|
return errors.Wrapf(err, "error asserting erp for secrets identity (secrets) '%v'", secretsZId)
|
|
}
|
|
|
|
if err := assertSecretsService(ctrlCfg, edge); err != nil {
|
|
return errors.Wrapf(err, "error asserting secrets service '%v'", ctrlCfg.Secrets.ServiceName)
|
|
}
|
|
|
|
if err := assertBindPolicyForIdentityAndService(ctrlCfg.Secrets.ServiceName, secretsZId, edge); err != nil {
|
|
return errors.Wrapf(err, "error asserting bind policy for '@%v' -> '@%v'", ctrlCfg.Secrets.ServiceName, secretsZId)
|
|
}
|
|
|
|
} else {
|
|
logrus.Warnf("skipping secrets listener bootstrap")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func assertZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
filter := fmt.Sprintf("name=\"%v\"", sdk.ZrokProxyConfig)
|
|
limit := int64(100)
|
|
offset := int64(0)
|
|
listReq := &restMgmtEdgeConfig.ListConfigTypesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
Context: context.Background(),
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.Config.ListConfigTypes(listReq, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(listResp.Payload.Data) < 1 {
|
|
name := sdk.ZrokProxyConfig
|
|
ct := &restModelEdge.ConfigTypeCreate{Name: &name}
|
|
createReq := &restMgmtEdgeConfig.CreateConfigTypeParams{ConfigType: ct}
|
|
createReq.SetTimeout(30 * time.Second)
|
|
createResp, err := edge.Config.CreateConfigType(createReq, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logrus.Infof("created '%v' config type with id '%v'", sdk.ZrokProxyConfig, createResp.Payload.Data.ID)
|
|
} else if len(listResp.Payload.Data) > 1 {
|
|
return errors.Errorf("found %d '%v' config types; expected 0 or 1", len(listResp.Payload.Data), sdk.ZrokProxyConfig)
|
|
} else {
|
|
logrus.Infof("found '%v' config type with id '%v'", sdk.ZrokProxyConfig, *(listResp.Payload.Data[0].ID))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getIdentityId(identityName string) (string, error) {
|
|
env, err := environment.LoadRoot()
|
|
if err != nil {
|
|
return "", errors.Wrap(err, "error opening environment root")
|
|
}
|
|
zif, err := env.ZitiIdentityNamed(identityName)
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error opening identity '%v' from environment", identityName)
|
|
}
|
|
zcfg, err := ziti.NewConfigFromFile(zif)
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error loading ziti config from file '%v'", zif)
|
|
}
|
|
zctx, err := ziti.NewContext(zcfg)
|
|
if err != nil {
|
|
return "", errors.Wrap(err, "error loading ziti context")
|
|
}
|
|
id, err := zctx.GetCurrentIdentity()
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error getting current identity from '%v'", zif)
|
|
}
|
|
if id.ID != nil {
|
|
return *id.ID, nil
|
|
}
|
|
return "", nil
|
|
}
|
|
|
|
func assertIdentity(zId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
filter := fmt.Sprintf("id=\"%v\"", zId)
|
|
limit := int64(0)
|
|
offset := int64(0)
|
|
listReq := &identity.ListIdentitiesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.Identity.ListIdentities(listReq, nil)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error listing identities for '%v'", zId)
|
|
}
|
|
if len(listResp.Payload.Data) != 1 {
|
|
return errors.Wrapf(err, "found %d identities for '%v'", len(listResp.Payload.Data), zId)
|
|
}
|
|
logrus.Infof("asserted identity '%v'", zId)
|
|
return nil
|
|
}
|
|
|
|
func bootstrapIdentity(name string, edge *rest_management_api_client.ZitiEdgeManagement) (string, error) {
|
|
env, err := environment.LoadRoot()
|
|
if err != nil {
|
|
return "", errors.Wrap(err, "error loading environment root")
|
|
}
|
|
|
|
idc, err := zrokEdgeSdk.CreateIdentity(name, restModelEdge.IdentityTypeDevice, nil, edge)
|
|
if err != nil {
|
|
return "", errors.Wrapf(rest_util.WrapErr(err), "error creating '%v' identity", name)
|
|
}
|
|
|
|
zId := idc.Payload.Data.ID
|
|
cfg, err := zrokEdgeSdk.EnrollIdentity(zId, edge)
|
|
if err != nil {
|
|
return "", errors.Wrapf(rest_util.WrapErr(err), "error enrolling '%v' identity", name)
|
|
}
|
|
|
|
var out bytes.Buffer
|
|
enc := json.NewEncoder(&out)
|
|
enc.SetEscapeHTML(false)
|
|
err = enc.Encode(&cfg)
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error encoding identity config '%v'", name)
|
|
}
|
|
if err := env.SaveZitiIdentityNamed(name, out.String()); err != nil {
|
|
return "", errors.Wrapf(err, "error saving identity config '%v'", name)
|
|
}
|
|
return zId, nil
|
|
}
|
|
|
|
func assertErpForIdentity(name, zId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
filter := fmt.Sprintf("name=\"%v\" and tags.zrok != null", name)
|
|
limit := int64(0)
|
|
offset := int64(0)
|
|
listReq := &edge_router_policy.ListEdgeRouterPoliciesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.EdgeRouterPolicy.ListEdgeRouterPolicies(listReq, nil)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error listing edge router policies for '%v' (%v)", name, zId)
|
|
}
|
|
if len(listResp.Payload.Data) != 1 {
|
|
logrus.Infof("creating erp for '%v' (%v)", name, zId)
|
|
if err := zrokEdgeSdk.CreateEdgeRouterPolicy(name, zId, edge); err != nil {
|
|
return errors.Wrapf(err, "error creating erp for '%v' (%v)", name, zId)
|
|
}
|
|
}
|
|
logrus.Infof("asserted erps for '%v' (%v)", name, zId)
|
|
return nil
|
|
}
|
|
|
|
func assertSecretsService(ctrlCfg *config.Config, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
filter := fmt.Sprintf("name=\"%v\"", ctrlCfg.Secrets.ServiceName)
|
|
limit := int64(0)
|
|
offset := int64(0)
|
|
listReq := &service.ListServicesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.Service.ListServices(listReq, nil)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error listing services for '%v'", ctrlCfg.Secrets.ServiceName)
|
|
}
|
|
if len(listResp.Payload.Data) == 1 {
|
|
logrus.Infof("found service '%v' with zId '%v'", ctrlCfg.Secrets.ServiceName, listResp.Payload.Data[0].ID)
|
|
|
|
} else if len(listResp.Payload.Data) < 1 {
|
|
serviceZId, err := zrokEdgeSdk.CreateService(ctrlCfg.Secrets.ServiceName, nil, nil, edge)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error creating service '%v'", ctrlCfg.Secrets.ServiceName)
|
|
}
|
|
logrus.Infof("created service '%v' with zId '%v'", ctrlCfg.Secrets.ServiceName, serviceZId)
|
|
|
|
} else if len(listResp.Payload.Data) > 1 {
|
|
return errors.Errorf("found %d services for '%v'", len(listResp.Payload.Data), ctrlCfg.Secrets.ServiceName)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func assertBindPolicyForIdentityAndService(serviceName, zId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
|
serviceZId, err := getZIdForService(serviceName, edge)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error getting ziti id for service '%v'", serviceName)
|
|
}
|
|
spZId, err := getZIdForServicePolicy(serviceZId, zId, rest_model.DialBindBind, edge)
|
|
if err != nil {
|
|
logrus.Warnf("no existing bind policy for '@%v' -> '@%v'; creating one", zId, serviceName)
|
|
if err := zrokEdgeSdk.CreateServicePolicyBind(fmt.Sprintf("service-listener-bind-%v", zId), serviceZId, zId, nil, edge); err != nil {
|
|
return errors.Wrapf(err, "error creating bind policy for '%v' -> '%v'", zId, serviceName)
|
|
}
|
|
logrus.Infof("created bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
|
|
} else {
|
|
logrus.Infof("found existing bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getZIdForServicePolicy(serviceZId, zId string, dialBind rest_model.DialBind, edge *rest_management_api_client.ZitiEdgeManagement) (string, error) {
|
|
dialBindValue := 1
|
|
if dialBind == "Bind" {
|
|
dialBindValue = 2
|
|
}
|
|
filter := fmt.Sprintf("allOf(serviceRoles)=\"@%v\" and allOf(identityRoles)=\"@%v\" and type=%d", serviceZId, zId, dialBindValue)
|
|
limit := int64(0)
|
|
offset := int64(0)
|
|
listReq := &service_policy.ListServicePoliciesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.ServicePolicy.ListServicePolicies(listReq, nil)
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error listing service policies for '%v' (%v) and '%v'", serviceZId, zId, dialBind)
|
|
}
|
|
if len(listResp.Payload.Data) != 1 {
|
|
return "", errors.Errorf("found %d service policies for '%v' (%v) and '%v'", len(listResp.Payload.Data), serviceZId, zId, dialBind)
|
|
}
|
|
return *listResp.Payload.Data[0].ID, nil
|
|
}
|
|
|
|
func getZIdForService(serviceName string, edge *rest_management_api_client.ZitiEdgeManagement) (string, error) {
|
|
filter := fmt.Sprintf("name=\"%v\"", serviceName)
|
|
limit := int64(0)
|
|
offset := int64(0)
|
|
listReq := &service.ListServicesParams{
|
|
Filter: &filter,
|
|
Limit: &limit,
|
|
Offset: &offset,
|
|
}
|
|
listReq.SetTimeout(30 * time.Second)
|
|
listResp, err := edge.Service.ListServices(listReq, nil)
|
|
if err != nil {
|
|
return "", errors.Wrapf(err, "error listing services for '%v'", serviceName)
|
|
}
|
|
if len(listResp.Payload.Data) != 1 {
|
|
return "", errors.Errorf("found %d services for '%v'", len(listResp.Payload.Data), serviceName)
|
|
}
|
|
return *listResp.Payload.Data[0].ID, nil
|
|
}
|