Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DRY by using the enable and share scripts #464

Merged
merged 3 commits into from
Nov 28, 2023
Merged

DRY by using the enable and share scripts #464

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ce24986
DRY by using the Linux package's enable and share scripts in the Dock…
qrkourier Nov 27, 2023
980a03c
fix and dry docker share
qrkourier Nov 28, 2023
de68bcf
split docker shares between frontdoor (reserved) and temp
qrkourier Nov 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 8 additions & 16 deletions docker/compose/zrok-private-access/compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,28 +7,20 @@ services:
volumes:
- zrok_env:/mnt/.zrok

# enable zrok environment
zrok-enable:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private access}" ${ZROK_ENABLE_TOKEN}
entrypoint: zrok-enable.bash
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
environment:
HOME: /mnt
STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-access

zrok-access:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
Expand All @@ -39,7 +31,7 @@ services:
ports:
- 9191:9191 # expose the zrok private access proxy to the Docker host
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
environment:
HOME: /mnt
PFXLOG_NO_JSON: "true"
Expand Down
35 changes: 17 additions & 18 deletions docker/compose/zrok-private-share/compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,42 +7,41 @@ services:
volumes:
- zrok_env:/mnt/.zrok

# enable zrok environment
zrok-enable:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private share}" ${ZROK_ENABLE_TOKEN}
entrypoint: zrok-enable.bash
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
environment:
HOME: /mnt
STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-share

zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
entrypoint:
- bash
- -euxc
- |
echo "DEBUG: HOME=$${HOME}"
ls -lA /mnt/.zrok/
exec zrok $${@}
command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
depends_on:
zrok-enable:
condition: service_completed_successfully
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
environment:
HOME: /mnt
PFXLOG_NO_JSON: "true"

# demo servers you can share with zrok
# demo server you can share with zrok
zrok-test:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: test endpoint --address 0.0.0.0 # 9090
Expand Down
159 changes: 22 additions & 137 deletions docker/compose/zrok-public-reserved/compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,46 +1,7 @@
services:
# create Caddyfile
zrok-caddyfile:
image: busybox
# create Caddyfile
entrypoint:
- sh
- -euc
- |
ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}"
ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
mkdir -p /mnt/.zrok
cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
{
# GET /config/ and POST /load on this API to reload Caddy config
admin 0.0.0.0:2019
}
http:// {
bind {{ .ZrokBindAddress }}
handle_path /zrok-test/* {
reverse_proxy http://zrok-test:9090 {
header_up Host zrok-test
}
}
handle_path /zrok-static/* {
root * /mnt/.zrok/html
file_server browse
}
reverse_proxy /* $${ZROK_UPSTREAM_URL} {
header_up Host $${ZROK_UPSTREAM_HOST}
}
}
CADDYFILE
user: root
volumes:
- zrok_env:/mnt

# set file ownership
zrok-init:
image: busybox
depends_on:
zrok-caddyfile:
condition: service_completed_successfully
# matches uid:gid of "nobody" in zrok container image
command: chown -Rc 65534:65534 /mnt/
user: root
Expand All @@ -53,117 +14,41 @@ services:
depends_on:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -euc
- |
if [[ -s ~/.zrok/environment.json ]]; then
ZITI_ID="$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)"
if [[ -z "$${ZITI_ID}" || "$${ZITI_ID}" == null ]]; then
echo "ERROR: invalid environment; consider a reset with 'docker compose down --volumes'" >&2
exit 1
else
echo "INFO: zrok environment is already enabled"
exit 0
fi
else
if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then
echo "ERROR: ZROK_ENABLE_TOKEN is not defined" >&2
exit 1
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker reserved public share}" ${ZROK_ENABLE_TOKEN}
entrypoint: zrok-enable.bash
volumes:
- zrok_env:/mnt
environment:
HOME: /mnt
STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-public-reserved

# reserve zrok frontend url for the zrok backend config
zrok-reserve:
# reserve zrok frontend subdomain and start sharing the target
zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
entrypoint:
- bash
- -euc
- |
if [[ -s ~/.zrok/reserved.json ]]; then
ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2
exit 1
else
echo "INFO: zrok backend is already reserved: $${ZROK_RESERVED_TOKEN}"
exit 0
fi
else
set -o pipefail
ZROK_CMD="reserve public --json-output"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
fi
if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET:-http://zrok-test:9090}"
else
ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile"
fi
echo "INFO: running: zrok $${ZROK_CMD}"
zrok $${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
fi
entrypoint: bash -x zrok-share.bash
depends_on:
zrok-enable:
condition: service_completed_successfully
volumes:
- zrok_env:/mnt
environment:
HOME: /mnt
# internal configuration
STATE_DIRECTORY: /mnt # zrok homedir in container

# start share on reserved public frontend url
zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
restart: unless-stopped
entrypoint:
- bash
- -euc
- |
if ! [[ -s ~/.zrok/reserved.json ]]; then
echo "ERROR: empty or missing reserved.json" >&2
exit 1
else
ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null)
if [[ -z "$${ZROK_PUBLIC_URLS}" || "$${ZROK_PUBLIC_URLS}" == null ]]; then
echo "ERROR: frontend endpoints not defined" >&2
exit 1
else
echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}"
fi
ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: zrok reservation token not defined" >&2
exit 1
else
echo "INFO: zrok reservation token: $${ZROK_RESERVED_TOKEN}"
fi
# most relevant options
ZROK_BACKEND_MODE: proxy # web, caddy, drive, proxy
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github
ZROK_OATH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER

echo "INFO: running: zrok $${@} $${ZROK_RESERVED_TOKEN}"
exec zrok "$${@}" $${ZROK_RESERVED_TOKEN}
fi
command: -- share reserved --headless
depends_on:
zrok-reserve:
condition: service_completed_successfully
volumes:
- zrok_env:/mnt
ports:
- 127.0.0.1:2019:2019
environment:
HOME: /mnt
PFXLOG_NO_JSON: "true"
# least relevant options
ZROK_VERBOSE: # "--verbose"
ZROK_SHARE_OPTS: # additional arguments to "zrok reserve public" command
ZROK_FRONTENDS: # "public"
PFXLOG_NO_JSON: "true" # suppress JSON logging format

# demo server
zrok-test:
Expand Down
64 changes: 29 additions & 35 deletions docker/compose/zrok-public-share/compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,52 +15,46 @@ services:
depends_on:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -euc
- |
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok "$${@}"
fi
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker temp public share}" ${ZROK_ENABLE_TOKEN}
entrypoint: zrok-enable.bash
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
environment:
HOME: /mnt
STATE_DIRECTORY: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-public-share

# start share on temporary public frontend url
# provision a temporary zrok frontend subdomain and start sharing the backend target
zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
entrypoint:
- bash
- -euc
- |
set -o pipefail
ZROK_CMD="share public --headless"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
fi
ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}"
echo "INFO: running: zrok $${ZROK_CMD}"
exec zrok $${ZROK_CMD}
entrypoint: zrok-share.bash
depends_on:
zrok-enable:
condition: service_completed_successfully
volumes:
- zrok_env:/mnt/.zrok
- zrok_env:/mnt
ports: []
# - 127.0.0.1:2019:2019 # Caddy admin API
environment:
HOME: /mnt
PFXLOG_NO_JSON: "true"
# internal configuration
STATE_DIRECTORY: /mnt # zrok homedir in container
ZROK_FRONTEND_MODE: temp-public # tells zrok-share.bash to create a temporary subdomain and share until exit

# most relevant options
ZROK_BACKEND_MODE: proxy # web, caddy, drive, proxy
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github
ZROK_OATH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER

# least relevant options
ZROK_VERBOSE: # "--verbose"
ZROK_SHARE_OPTS: # additional arguments to "zrok share public" command
ZROK_FRONTENDS: # "public"
PFXLOG_NO_JSON: "true" # suppress JSON logging format

# demo servers you can share with zrok
# demo server you can share with zrok
zrok-test:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: test endpoint --address 0.0.0.0 # 9090
Expand Down
12 changes: 9 additions & 3 deletions docker/images/zrok/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# this builds docker.io/openziti/zrok
ARG ZITI_CLI_TAG="0.30.5"
ARG ZITI_CLI_TAG="0.31.0"
ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
# this builds docker.io/openziti/ziti-controller
FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}
Expand Down Expand Up @@ -30,8 +30,14 @@ RUN mkdir -p -m0755 /licenses
COPY ./LICENSE /licenses/apache.txt

RUN mkdir -p /usr/local/bin
COPY ${ARTIFACTS_DIR}/${TARGETARCH}/${TARGETOS}/zrok /usr/local/bin/
RUN chmod 0755 /usr/local/bin/zrok
COPY ${ARTIFACTS_DIR}/${TARGETARCH}/${TARGETOS}/zrok \
./nfpm/zrok-enable.bash \
./nfpm/zrok-share.bash \
/usr/local/bin/
RUN chmod 0755 \
/usr/local/bin/zrok \
/usr/local/bin/zrok-enable.bash \
/usr/local/bin/zrok-share.bash

USER nobody
ENTRYPOINT [ "zrok" ]
Loading