openziti · padibona · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023
@@ -0,0 +1,81 @@
+package actions
+
+import (
+	"github.com/openziti/fablab/kernel/lib/actions/host"
+	"github.com/openziti/fablab/kernel/lib/actions/semaphore"
+	"github.com/openziti/ziti/zititest/zitilab"
+	"time"
+
+	"github.com/openziti/fablab/kernel/lib/actions"
+	"github.com/openziti/fablab/kernel/lib/actions/component"
+	"github.com/openziti/fablab/kernel/model"
+	zitilib_actions "github.com/openziti/ziti/zititest/zitilab/actions"
+	"github.com/openziti/ziti/zititest/zitilab/actions/edge"
+	"github.com/openziti/ziti/zititest/zitilab/models"
+)
+
+type bootstrapAction struct{}
+
+func NewBootstrapAction() model.ActionBinder {
+	action := &bootstrapAction{}
+	return action.bind
+}
+
+func (a *bootstrapAction) bind(m *model.Model) model.Action {
+	workflow := actions.Workflow()
+
+	//Start Ziti Controller
+	workflow.AddAction(host.GroupExec("*", 1, "rm -f logs/*"))
+	workflow.AddAction(component.Stop("#ctrl"))
+	workflow.AddAction(component.Exec("#ctrl", zitilab.ControllerActionInitStandalone))
+	workflow.AddAction(component.Start("#ctrl"))
+	workflow.AddAction(edge.ControllerAvailable("#ctrl", 30*time.Second))
+
+	// Login to Ziti Controller
+	workflow.AddAction(edge.Login("#ctrl"))
+	workflow.AddAction(semaphore.Sleep(2 * time.Second))
+
+	// Setup Ziti Routers
+	workflow.AddAction(component.StopInParallel(models.EdgeRouterTag, 25))
+	workflow.AddAction(component.StartInParallel(models.EdgeRouterTag, 25))
+	workflow.AddAction(edge.InitEdgeRouters(models.EdgeRouterTag, 2))
+	workflow.AddAction(semaphore.Sleep(2 * time.Second))
+
+	// Create Configs
+	workflow.AddAction(zitilib_actions.Edge("create", "config", "iperf-server", "host.v1", `
+					{
+							"address" : "localhost",
+							"port" : 7001,
+							"protocol" : "tcp"
+					}`))
+	workflow.AddAction(semaphore.Sleep(2 * time.Second))
+	workflow.AddAction(zitilib_actions.Edge("create", "config", "iperf-client", "intercept.v1", `
+		{
+			"addresses": ["iperf.service"],
+			"portRanges" : [
+				{ "low": 7001, "high": 7001 }
+			 ],
+			"protocols": ["tcp"]
+		}`))
+
+	workflow.AddAction(zitilib_actions.Edge("create", "service", "iperf", "-c", "iperf-server,iperf-client"))
+
+	workflow.AddAction(zitilib_actions.Edge("create", "service-policy", "iperf-server", "Bind", "--service-roles",
+		"@iperf", "--identity-roles", "#iperf-server")) // The --identity-roles arg should match the identity attribute(tag) as seen in the model
+
+	workflow.AddAction(zitilib_actions.Edge("create", "service-policy", "iperf-client", "Dial", "--service-roles",
+		"@iperf", "--identity-roles", "#iperf-client")) // The --identity-roles arg should match the identity attribute(tag) as seen in the model
+
+	workflow.AddAction(zitilib_actions.Edge("create", "edge-router-policy", "iperf-client", "--edge-router-roles",
+		"#iperf-client", "--identity-roles", "#iperf-client"))
+
+	workflow.AddAction(zitilib_actions.Edge("create", "edge-router-policy", "iperf-server", "--edge-router-roles",
+		"#iperf-server", "--identity-roles", "#iperf-server"))
+
+	workflow.AddAction(zitilib_actions.Edge("create", "service-edge-router-policy", "iperf.service", "--semantic", "AnyOf",
+		"--service-roles", "@iperf", "--edge-router-roles", "#all"))
+
+	workflow.AddAction(host.GroupExec("ctrl", 25, "sudo service filebeat stop; sleep 5; sudo service filebeat start"))
+	workflow.AddAction(host.GroupExec("ctrl", 25, "sudo service metricbeat stop; sleep 5; sudo service metricbeat start"))
+	return workflow
+}
@@ -0,0 +1,41 @@
+/*
+	Copyright 2020 NetFoundry Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+	https://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+package actions
+
+import (
+	"github.com/openziti/fablab/kernel/lib/actions"
+	"github.com/openziti/fablab/kernel/lib/actions/component"
+	"github.com/openziti/fablab/kernel/lib/actions/semaphore"
+	"github.com/openziti/fablab/kernel/model"
+	"github.com/openziti/ziti/zititest/zitilab/models"
+	"time"
+)
+
+func NewStartAction() model.ActionBinder {
+	action := &startAction{}
+	return action.bind
+}
+
+func (a *startAction) bind(*model.Model) model.Action {
+	workflow := actions.Workflow()
+	workflow.AddAction(component.Start("#ctrl"))
+	workflow.AddAction(semaphore.Sleep(2 * time.Second))
+	workflow.AddAction(component.StartInParallel(models.EdgeRouterTag, 25))
+	return workflow
+}
+
+type startAction struct{}
@@ -0,0 +1,194 @@
+v: 3
+
+db: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/ctrl.db
+
+identity:
+  cert: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/pki/ctrl/certs/{{ .Component.Id }}-server.cert
+  key: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/pki/ctrl/keys/{{ .Component.Id }}-server.key
+  ca: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/pki/ctrl/certs/{{ .Component.Id }}-server.chain.pem
+
+# the endpoint that routers will connect to the controller over.
+ctrl:
+  listener: tls:0.0.0.0:6262
+  options:
+    advertiseAddress: tls:{{.Host.PublicIp}}:6262
+    # (optional) settings
+    # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1000)
+    #maxQueuedConnects:      50
+
+    # the maximum number of connects that have  begun hello synchronization (1 to 1000, default 16)
+    #maxOutstandingConnects: 100
+
+    # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 1000ms)
+    #connectTimeoutMs:       3000
+
+    # Sets the control channel write timeout. A write timeout will close the control channel, so the router will reconnect
+    #writeTimeout: 15s
+
+    # A listener address which will be sent to connecting routers in order to change their configured controller
+    # address. If defined, routers will update address configuration to immediately use the new address for future
+    # connections. The value of newListener must be resolvable both via DNS and validate via certificates
+    #newListener: tls:localhost:6262
+
+#events:
+#  jsonLogger:
+#    subscriptions:
+#      - type: fabric.routers
+#      - type: fabric.terminators
+#      - type: metrics
+#        sourceFilter: .*
+#        metricFilter: .*egress.*m1_rate*
+#      - type: fabric.circuits
+#        include:
+#          - created
+#      - type: edge.sessions
+#        include:
+#          - created
+#      - type: edge.apiSessions
+#      - type: fabric.usage
+#      - type: services
+#      - type: fabric.usage
+#      - type: edge.entityCounts
+#        interval: 5s
+#    handler:
+#      type: file
+#      format: json
+#      path: /tmp/ziti-events.log
+
+healthChecks:
+  boltCheck:
+    # How often to try entering a bolt read tx. Defaults to 30 seconds
+    interval: 30s
+    # When to timeout the check. Defaults to 15 seconds
+    timeout: 15s
+    # How long to wait before starting the check. Defaults to 15 seconds
+    initialDelay: 15s
+
+# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
+# section, commenting out, or altering the name of the section will cause the edge to not run.
+edge:
+  # This section represents the configuration of the Edge API that is served over HTTPS
+  api:
+    #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
+    # activityUpdateInterval: 90s
+    #(optional, default 250) The number of API Sessions updated for last activity per transaction
+    # activityUpdateBatchSize: 250
+    # sessionTimeout - optional, default 10m
+    # The number of minutes before an Edge API session will timeout. Timeouts are reset by
+    # API requests and connections that are maintained to Edge Routers
+    sessionTimeout: 30m
+    # address - required
+    # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
+    # defined in a bind point's address field for the `edge-client` API in the web section.
+    address: {{.Host.PublicIp}}:1280
+  # enrollment - required
+  # A section containing settings pertaining to enrollment.
+  enrollment:
+    # signingCert - required
+    # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define
+    # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert
+    # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.
+    signingCert:
+      cert: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/pki/ctrl/certs/ctrl.cert
+      key: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/fablab/pki/ctrl/keys/ctrl.key
+
+    # edgeIdentity - optional
+    # A section for identity enrollment specific settings
+    edgeIdentity:
+      # duration - optional, default 5m
+      # The length of time that a Ziti Edge Identity enrollment should remain valid. After
+      # this duration, the enrollment will expire and not longer be usable.
+      duration: 5m
+    # edgeRouter - Optional
+    # A section for edge router enrollment specific settings.
+    edgeRouter:
+      # duration - optional, default 5m
+      # The length of time that a Ziti Edge Router enrollment should remain valid. After
+      # this duration, the enrollment will expire and not longer be usable.
+      duration: 5m
+
+
+# web - optional
+# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many
+# bind points.
+web:
+  # name - required
+  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
+  - name: all-apis-localhost
+    # bindPoints - required
+    # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
+    # where on the host machine the webListener will listen and the address (host:port) that should be used to
+    # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
+    # incoming address resolution as well as used in responses in the API.
+    bindPoints:
+      #interface - required
+      # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
+      - interface: 0.0.0.0:1280
+
+        # address - required
+        # The public address that external incoming requests will be able to resolve. Used in request processing and
+        # response content that requires full host:port/path addresses.
+        address: {{.Host.PublicIp}}:1280
+
+        # newAddress - optional
+        # A host:port string which will be sent out as an HTTP header "ziti-new-address" if specified. If the header
+        # is present, clients should update location configuration to immediately use the new address for future
+        # connections. The value of newAddress must be resolvable both via DNS and validate via certificates
+        #newAddress: localhost:1280
+    # identity - optional
+    # Allows the webListener to have a specific identity instead of defaulting to the root `identity` section.
+    #    identity:
+    #      cert:                 ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem
+    #      server_cert:          ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem
+    #      key:                  ${ZITI_SOURCE}/ziti/etc/ca/intermediate/private/ctrl.key.pem
+    #      ca:                   ${ZITI_SOURCE}/ziti/etc/ca/intermediate/certs/ca-chain.cert.pem
+    # options - optional
+    # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
+    # used for all http servers started by the current webListener.
+    options:
+      # idleTimeout - optional, default 5000ms
+      # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
+      # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
+      # will cause clients to reconnect on subsequent HTTPs requests.
+      idleTimeout: 5000ms  #http timeouts, new
+
+      # readTimeout - optional, default 5000ms
+      # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
+      # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
+      # or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
+
+      readTimeout: 5000ms
+      # writeTimeout - optional, default 10000ms
+      # The total maximum time in milliseconds that the http server will wait for a single requests to be received and
+      # responded too. A higher value can allow long running requests to consume resources on the host. A lower value
+      # can risk ending requests before the server has a chance to respond.
+
+      writeTimeout: 100000ms
+      # minTLSVersion - optional, default TSL1.2
+      # The minimum version of TSL to support
+
+      minTLSVersion: TLS1.2
+      # maxTLSVersion - optional, default TSL1.3
+      # The maximum version of TSL to support
+
+      maxTLSVersion: TLS1.3
+    # apis - required
+    # Allows one or more APIs to be bound to this webListener
+    apis:
+      # binding - required
+      # Specifies an API to bind to this webListener. Built-in APIs are
+      #   - health-checks
+      #   - edge-management
+      #   - edge-client
+      #   - fabric-management
+      - binding: health-checks
+        options: {}
+      - binding: fabric
+      - binding: edge-management
+        # options - variable optional/required
+        # This section is used to define values that are specified by the API they are associated with.
+        # These settings are per API. The example below is for the `edge-api` and contains both optional values and
+        # required values.
+        options: {}
+      - binding: edge-client
+        options: {}
@@ -0,0 +1,70 @@
+{{$ssh_username := .Model.MustVariable "credentials.ssh.username"}}
+{{$identity := .Component.Id}}
+{{$ctrl_ip := publicIp "component#ctrl"}}
+{{$router_ip := .Host.PublicIp}}
+
+v: 3
+
+enableDebugOps: true
+
+identity:
+  cert:                 /home/{{$ssh_username}}/fablab/cfg/{{$identity}}-client.cert
+  server_cert:          /home/{{$ssh_username}}/fablab/cfg/{{$identity}}-server.cert
+  key:                  /home/{{$ssh_username}}/fablab/cfg/{{$identity}}.key
+  ca:                   /home/{{$ssh_username}}/fablab/cfg/{{$identity}}-server.chain.pem
+
+ctrl:
+  endpoint:             tls:{{$ctrl_ip}}:6262
+
+healthChecks:
+  ctrlPingCheck:
+    # How often to ping the controller over the control channel. Defaults to 30 seconds
+    interval: 30s
+    # When to timeout the ping. Defaults to 15 seconds
+    timeout: 15s
+    # How long to wait before pinging the controller. Defaults to 15 seconds
+    initialDelay: 15s
+
+metrics:
+  reportInterval: 15s
+  messageQueueSize: 10
+
+link:
+  listeners:
+    - binding:          transport
+      bind:             tls:0.0.0.0:6000
+      advertise:        tls:{{$router_ip}}:6000
+  dialers:
+    - binding:          transport
+
+listeners:
+{{if .Component.HasTag "tunneler"}}
+  - binding: tunnel
+    options:
+      mode: tproxy
+{{end}}
+  - binding: edge
+    address: tls:0.0.0.0:6262
+    options:
+      # (required) The public hostname and port combination that Ziti SDKs should connect on. Previously this was in the chanIngress section.
+      advertise: {{ .Host.PublicIp }}:6262
+
+# By having an 'edge' section defined, the ziti-router will attempt to parse the edge configuration. Removing this
+# section, commenting out, or altering the name of the section will cause the router to no longer operate as an Edge
+# Router.
+edge:
+  # (required) Information used to generate the initial registration CSR. For documentation on these fields please
+  # refer to the openssl documentation. These values MUST be supplied and have no defaults.
+  csr:
+    country: US
+    province: NC
+    locality: Charlotte
+    organization: NetFoundry
+    organizationalUnit: Ziti
+
+    # (required) SANs that this Gateways certs should contain. At least one IP or DNS SAN should be defined that matches
+    # the edge listeners "advertise" value from the "listeners" section.
+    sans:
+      ip:
+        - {{ .Host.PublicIp }}
+