Merge pull request #1944 from openziti/organize-container-image-vars

tidy container images

dist/docker-images/ziti-controller/.gitignore

@@ -1,2 +1,2 @@
 .env
-compose.override.yml
+compose.override.yml

dist/docker-images/ziti-controller/Dockerfile

@@ -6,10 +6,7 @@ FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}
 ARG CONTROLLER_PACKAGE=./dist/dist-packages/linux/openziti-controller
 ARG DOCKER_BUILD_DIR=.
 
-# This build stage grabs artifacts that are copied into the final image.
-# It uses the same base as the final image to maximize docker cache hits.
-
-### Required OpenShift Labels 
+### Required Labels for OpenShift 
 LABEL name="openziti/ziti-controller" \
       maintainer="[email protected]" \
       vendor="NetFoundry" \
@@ -19,6 +16,22 @@ LABEL name="openziti/ziti-controller" \
 # set up image as root, then drop privs to ziggy
 USER root
 
+# used by entrypoint.bash to source the bootstrapping script in this image
+ENV ZITI_CTRL_BOOTSTRAP_BASH=/bootstrap.bash
+
+COPY ${CONTROLLER_PACKAGE}/bootstrap.bash ${ZITI_CTRL_BOOTSTRAP_BASH}
+COPY ${CONTROLLER_PACKAGE}/entrypoint.bash /
+
+WORKDIR /ziti-controller
+RUN chown -R ziggy:ziggy /ziti-controller
+
+# configure logging
+ENV PFXLOG_NO_JSON=true
+ENV ZITI_TIME_FORMAT=utc
+
+# globally toggle bootstrapping; false preserves "thin" behavior for existing deployments like K8s
+ENV ZITI_BOOTSTRAP=false
+
 # selectively toggle bootstrapping steps
 ENV ZITI_BOOTSTRAP_PKI=true
 ENV ZITI_BOOTSTRAP_CONFIG=true
@@ -30,6 +43,8 @@ ENV ZITI_CA_FILE=root
 ENV ZITI_INTERMEDIATE_FILE=intermediate
 ENV ZITI_SERVER_FILE=server
 ENV ZITI_CLIENT_FILE=client
+ENV ZITI_NETWORK_NAME=ctrl
+ENV ZITI_AUTO_RENEW_CERTS=true
 
 # defaults for bootstrapping config
 ENV ZITI_CTRL_ADVERTISED_PORT=1280
@@ -38,18 +53,6 @@ ENV ZITI_CTRL_ADVERTISED_PORT=1280
 ENV ZITI_CTRL_DATABASE_FILE=bbolt.db
 ENV ZITI_USER=admin
 
-# emit human-friendly text logs
-ENV PFXLOG_NO_JSON=true
-# used by entrypoint.bash to source the bootstrapping script in this image
-ENV ZITI_CTRL_BOOTSTRAP_BASH=/bootstrap.bash
-# used by "ziti create config controller" as filename for the controller's identity files
-ENV ZITI_NETWORK_NAME=ctrl
-# used by ziti to format timestamps in output
-ENV ZITI_TIME_FORMAT=utc
-
-COPY ${CONTROLLER_PACKAGE}/bootstrap.bash ${ZITI_CTRL_BOOTSTRAP_BASH}
-COPY ${CONTROLLER_PACKAGE}/entrypoint.bash /
-
 # run as ziggy (2171:2171) by default
 USER ziggy
 ENTRYPOINT [ "/entrypoint.bash" ]

dist/docker-images/ziti-controller/compose.yml

@@ -6,18 +6,17 @@ volumes:
 services:
   chown-controller:
     image: busybox
-    command: chown -R ${ZIGGY_UID:-2171} /mnt
+    command: chown -R ${ZIGGY_UID:-2171} /ziti-controller
     volumes:
-      - ziti-controller:/mnt
+      - ziti-controller:/ziti-controller
 
   ziti-controller:
     image: ${ZITI_CONTROLLER_IMAGE:-openziti/ziti-controller}
     depends_on:
       chown-controller:
         condition: service_completed_successfully
     volumes:
-      - ziti-controller:/mnt
-    working_dir: /mnt
+      - ziti-controller:/ziti-controller
     # assign override vars in an .env file or export from parent env to ensure consistency throughout the compose
     # project
     environment:
@@ -32,9 +31,6 @@ services:
       ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"; requires ZITI_BOOTSTRAP=true
       ZITI_BOOTSTRAP_DATABASE: true    # make the default admin user if "true"; requires ZITI_BOOTSTRAP=true
       ZITI_AUTO_RENEW_CERTS: true      # renew certs automatically every startup; requires ZITI_BOOTSTRAP_PKI=true
-      ZITI_NETWORK_NAME: ctrl          # identity files basename
-      PFXLOG_NO_JSON: true             # disable JSON logging
-      ZITI_TIME_FORMAT: utc            # time format for logs
     command: run config.yml
     ports:
       # ensure this port matches the value of ZITI_CTRL_PORT in the container

dist/docker-images/ziti-router/.gitignore

@@ -1,2 +1 @@
 .env
-compose.override.yml

dist/docker-images/ziti-router/Dockerfile

@@ -22,12 +22,7 @@ RUN INSTALL_PKGS="util-linux iptables libbpf iproute" && \
 
 # set a var for entrypoint.bash to find this script
 ENV ZITI_ROUTER_BOOTSTRAP_BASH=/bootstrap.bash
-ENV ZITI_ROUTER_TYPE=edge
-ENV ZITI_ROUTER_PORT=3022
-ENV ZITI_BOOTSTRAP=true
-ENV ZITI_BOOTSTRAP_CONFIG=true
-ENV ZITI_BOOTSTRAP_ENROLLMENT=true
-ENV PFXLOG_NO_JSON=true
+
 COPY ${ROUTER_PACKAGE}/bootstrap.bash ${ZITI_ROUTER_BOOTSTRAP_BASH}
 COPY ${ROUTER_PACKAGE}/entrypoint.bash /
 
@@ -37,4 +32,25 @@ RUN chown -R ziggy:ziggy /ziti-router
 # run as ziggy (2171:2171) by default, override run-as user with root when DOCKER_ROUTER_MODE=tproxy
 USER ziggy
 
+# configure logging
+ENV PFXLOG_NO_JSON=true
+ENV ZITI_TIME_FORMAT=utc
+
+# globally toggle bootstrapping; false preserves "thin" behavior for existing deployments like K8s
+ENV ZITI_BOOTSTRAP=false
+
+# selectively toggle bootstrapping steps
+ENV ZITI_BOOTSTRAP_CONFIG=true
+ENV ZITI_BOOTSTRAP_ENROLLMENT=true
+
+# defaults for bootstrapping
+ENV ZITI_ROUTER_NAME=router
+ENV ZITI_ROUTER_TYPE=edge
+ENV ZITI_ROUTER_PORT=3022
+ENV ZITI_ROUTER_MODE=none
+
+# renew router certs at startup with run --extend
+ENV ZITI_AUTO_RENEW_CERTS=true
+
+
 ENTRYPOINT [ "/entrypoint.bash" ]

dist/docker-images/ziti-router/README.md

@@ -42,13 +42,20 @@ healthy before running.
 ```bash
 # fetch the compose file for the ziti-router image
 wget -O ./compose.router.yml https://get.openziti.io/dist/docker-images/ziti-router/compose.yml
-
-# run the quickstart network in the background to provide the ctrl.endpoint at quickstart:1280
+# fetch the router tproxy compose overrides files
+wget -O ./compose.tproxy.yml https://get.openziti.io/dist/docker-images/ziti-router/compose.override.yml
+# fetch the all-in-one quickstart compose file
 wget -O ./compose.quickstart.yml https://get.openziti.io/dock/all-in-one/compose.yml
+```
+
+Patch the Compose project to use the quickstart network and provide a web server to test the hello service.
+
+```bash
+cat <<EOF >>./compose.tproxy.yml
+    # link the router to the quickstart network so it can reach the Ziti controller
+    networks:
+      - quickstart
 
-# patch the Compose project to use the quickstart network and provide a web server to test the hello service
-cat <<EOF >./compose.tproxy.yml
-services:
   # add a hello web server to use for a Ziti service target
   hello:
     image: openziti/hello-world
@@ -65,30 +72,72 @@ services:
       ziti-router:
         condition: service_healthy
     command: wget --output-document=- http://hello.internal/
+EOF
+```
 
-  # link the router to the quickstart network so it can reach the Ziti controller
+Your `compose.tproxy.yml` should look like this.
+
+```yaml
+services:
   ziti-router:
+    dns:
+      - 127.0.0.1
+      - 1.1.1.1
+    user: root
+    cap_add:
+      - NET_ADMIN
     networks:
       - quickstart
-EOF
-export COMPOSE_FILE=compose.router.yml:compose.quickstart.yml:compose.tproxy.yml
 
-# run the Ziti controller in the background with the all-in-one quickstart container
+  hello:
+    image: openziti/hello-world
+    expose:
+      - 8000
+    networks:
+      - quickstart
+
+  tproxy-demo-client:
+    image: busybox
+    network_mode: service:ziti-router
+    depends_on:
+      ziti-router:
+        condition: service_healthy
+    command: wget --output-document=- http://hello.internal/
+```
+
+Define the Compose project files.
+
+```bash
+export COMPOSE_FILE=compose.router.yml:compose.tproxy.yml:compose.quickstart.yml
+```
+
+Run the Ziti controller in the background with the all-in-one quickstart container.
+
+```bash
 docker compose up quickstart-check
+```
 
-# start the hello web server listening on 8000
+Start the hello web server listening on 8000.
+
+```bash
 docker compose up hello --detach
+```
+
+Log in to the Ziti controller
 
-# log in to the Ziti controller
+```bash
 ziti edge login 127.0.0.1:1280 -y -u admin -p admin
+```
 
-# create a Ziti service for the hello web server
+Create a Ziti service for the hello web server.
+
+```bash
 ziti edge create config "hello-intercept-config" intercept.v1 \
   '{"portRanges":[{"high":80,"low":80}],"addresses":["hello.internal"],"protocols":["tcp"]}'
 ziti edge create config "hello-host-config" host.v1 \
   '{"address":"hello","port":8000,"forwardProtocol":true,"allowedProtocols":["tcp"]}'
 ziti edge create service "hello" \
-  --configs 'intercept.v1,host.v1' \
+  --configs "hello-intercept-config,hello-host-config" \
   --role-attributes 'hello.services'
 ziti edge create service-policy "hello-dial-policy" Dial \
   --semantic AnyOf \
@@ -98,25 +147,40 @@ ziti edge create service-policy "hello-bind-policy" Bind \
   --semantic AnyOf \
   --service-roles '#hello.services' \
   --identity-roles '#hello.servers'
+```
 
-# grant the quickstart router permission to bind (provide) the hello service
+Grant the quickstart router permission to bind (provide) the hello service.
+
+```bash
 ziti edge update identity quickstart-router \
     --role-attributes=hello.servers
+```
+
+Create a second Ziti router to use as a tproxy client.
 
-# create a second Ziti router to use as a tproxy client
+```bash
 ziti edge create edge-router "tproxy-router" \
    --jwt-output-file=./tproxy-router.jwt \
    --tunneler-enabled
+```
+
+Grant the tproxy client permission to dial (consume) the hello service
 
-# grant the tproxy client permission to dial (consume) the hello service
+```bash
 ziti edge update identity tproxy-router \
     --role-attributes=hello.clients
+```
 
-# simulate policies to check for authorization problems
+Simulate policies to check for authorization problems
+
+```bash
 ziti edge policy-advisor services -q
+```
+
+Run the demo client which triggers the run of the tproxy router because it is a dependency.
 
-# run the demo client which triggers the run of the tproxy router because it is a dependency
-ZITI_ENROLL_TOKEN="$(<./tproxyRouter.jwt)" \
+```bash
+ZITI_ENROLL_TOKEN="$(<./tproxy-router.jwt)" \
 ZITI_ROUTER_MODE=tproxy \
 ZITI_CTRL_ADVERTISED_ADDRESS=quickstart \
 ZITI_CTRL_ADVERTISED_PORT=1280 \

dist/docker-images/ziti-router/compose.override.yml

@@ -0,0 +1,14 @@
+# include this Compose file in your project to grant elevated permissions to the ziti-router container that are
+# necessary when ZITI_ROUTER_MODE=tproxy
+services:
+  ziti-router:
+    # Additional config for other containers using this router as a transparent intercepting proxy sidecar and default
+    # nameserver - dns, user, cap_add are required when ZITI_ROUTER_MODE=tproxy (see adjacent README.md for TPROXY
+    # example)
+    #
+    dns:
+      - 127.0.0.1  # this router's Ziti resolver
+      - 1.1.1.1    # any recursive resolver
+    user: root     # required to create TPROXY routes in a container?
+    cap_add:
+      - NET_ADMIN  # required to create TPROXY rules

dist/docker-images/ziti-router/compose.yml

@@ -6,18 +6,17 @@ volumes:
 services:
   chown-router:
     image: busybox
-    command: chown -R ${ZIGGY_UID:-2171} /mnt
+    command: chown -R ${ZIGGY_UID:-2171} /ziti-router
     volumes:
-      - ziti-router:/mnt
+      - ziti-router:/ziti-router
 
   ziti-router:
     image: ${ZITI_ROUTER_IMAGE:-openziti/ziti-router}
     depends_on:
       chown-router:
         condition: service_completed_successfully
     volumes:
-      - ziti-router:/mnt
-    working_dir: /mnt
+      - ziti-router:/ziti-router
     # these declared vars pass through to container and should be assigned in an .env file or exported from parent env
     # to ensure consistency throughout the compose project
     environment:
@@ -33,10 +32,8 @@ services:
       ZITI_BOOTSTRAP: true             # bootstrap the router if "true"
       ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"; requires ZITI_BOOTSTRAP=true
       ZITI_BOOTSTRAP_ENROLLMENT: true  # enroll with controller if "true," overwrite if "force"; requires ZITI_BOOTSTRAP=true
+      ZITI_AUTO_RENEW_CERTS: true      # renew certs every startup
       ZITI_ROUTER_TYPE: edge           # edge, fabric
-      ZITI_ROUTER_NAME: router         # identity files basename
-      PFXLOG_NO_JSON: true             # disable JSON logging
-      ZITI_TIME_FORMAT: utc            # time format for logs
     command: run config.yml
     ports:
       # ensure this port matches the value of ZITI_ROUTER_PORT in the container