Merge pull request #418 from openziti/docker-reserved-public-share
Docker reserved public share
qrkourier authored Oct 30, 2023
2 parents 2af4f8e + 54794fa commit 0c8ba2a
Showing 13 changed files with 635 additions and 360 deletions.
75 changes: 41 additions & 34 deletions CHANGELOG.md
@@ -1,26 +1,32 @@
# v0.4.13
# Changelog

## v0.4.14

FEATURE: Docker Compose project for a reserved public share in docker/compose/zrok-public-share-reserved/compose.yml is described in the [public share guide](https://docs.zrok.io/docs/guides/docker-share/docker_public_share_guide/).

## v0.4.13

FIX: Update to Homebrew automation to properly integrate with the latest version of the Homebrew release process.

# v0.4.12
## v0.4.12

FIX: The `zrok reserve` command was not properly recording the reserved share status of the shares that it created, preventing the `zrok release` command from properly releasing them (https://github.com/openziti/zrok/issues/427) If a user encounters reserved shares that cannot be released with the `zrok release` command, they can be deleted through the web console.
FIX: The `zrok reserve` command was not properly recording the reserved share status of the shares that it created, preventing the `zrok release` command from properly releasing them (https://github.com/openziti/zrok/issues/427) If a user encounters reserved shares that cannot be released with the `zrok release` command, they can be deleted through the web console.

# v0.4.11
## v0.4.11

FEATURE: The `zrok reserve` command now incorporates the `--json-output|-j` flag, which outputs the reservation details as JSON, rather than as human-consumable log messages. Other commands will produce similar output in the future (https://github.com/openziti/zrok/issues/422)

FIX: Include `--oauth-provider` and associated flags for the `zrok reserve` command, allowing reserved shares to specify OAuth authentication (https://github.com/openziti/zrok/issues/421)

# v0.4.10
## v0.4.10

CHANGE: The public frontend configuration has been bumped from `v: 2` to `v: 3`. The `redirect_host`, `redirect_port` and `redirect_http_only` parameters have been removed. These three configuration options have been replaced with `bind_address`, `redirect_url` and `cookie_domain`. See the OAuth configuration guide at `docs/guides/self-hosting/oauth/configuring-oauth.md` for more details (https://github.com/openziti/zrok/issues/411)

# v0.4.9
## v0.4.9

FIX: Remove extraneous share token prepended to OAuth frontend redirect.

# v0.4.8
## v0.4.8

FEATURE: The `sdk` package now includes a `sdk.Overview` function, which returns a complete description of the account attached to the enabled environment. Useful for inventorying the deployed shares and environments (https://github.com/openziti/zrok/issues/407)
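
Review bot: the new v0.4.14 entry gives the path docker/compose/zrok-public-share-reserved/compose.yml as bare text and carries no issue or pull request link, while the other entries put paths in backticks (for example `docs/guides/self-hosting/oauth/configuring-oauth.md`) and end with a link. Wrap the path in backticks and append the reference so the entry matches the rest of the file.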

Expand All @@ -34,13 +40,13 @@ CHANGE: Improvements to email invitation sent in response to `zrok invite` to co

CHANGE: Added warning message after `zrok invite` submit directing the user to check their "spam" folder if they do not receive the invite message.

# v0.4.7
## v0.4.7

FEATURE: OAuth authentication with the ability to restrict authenticated users to specified domains for `zrok share public`. Supports both Google and GitHub authentication in this version. More authentication providers, and extensibility to come in future `zrok` releases. See the OAuth configuration guide at `docs/guides/self-hosting/oauth/configuring-oauth.md` for details (https://github.com/openziti/zrok/issues/45, https://github.com/openziti/zrok/issues/404)

CHANGE: `--basic-auth` realm now presented as the share token rather than as `zrok` in `publicProxy` frontend implementation

# v0.4.6
## v0.4.6

FEATURE: New `--backend-mode caddy`, which pre-processes a `Caddyfile` allowing a `bind` statement to work like this: `bind {{ .ZrokBindAddress }}`. Allows development of complicated API gateways and multi-backend shares, while maintaining the simple, ephemeral sharing model provided by `zrok` (https://github.com/openziti/zrok/issues/391)

Expand All @@ -52,35 +58,35 @@ CHANGE: Added `FrontendEndponts` to `sdk.Share`, returning selected frontend URL

CHANGE: Added a short alias `-b` for `--backend-mode` to improve CLI ergonomics (https://github.com/openziti/zrok/issues/397)

# v0.4.5
## v0.4.5

FEATURE: New health check endpoint (`/health`), which verifies that the underlying SQL store and metrics repository (InfluxDB, if configured) are operating correctly (https://github.com/openziti/zrok/issues/372)

CHANGE: Updated to golang v1.21.0 and node v18.x

FIX: `zrok admin bootstrap` and `zrok enable` both broken with latest OpenZiti releases (tested with `v0.30.0`); updated to latest OpenZiti golang SDK (https://github.com/openziti/zrok/issues/389)

# v0.4.4
## v0.4.4

FIX: `zrok status`, `zrok enable`, `zrok config`, etc. were all causing a panic when used on systems that had no previous `~/.zrok` directory (https://github.com/openziti/zrok/issues/383)

# v0.4.3
## v0.4.3

FEATURE: New `zrok overview` command, which returns all of the account details as a single JSON structure. See the OpenAPI spec at `specs/zrok.yml` for more details of the `/api/v1/overview` endpoint (https://github.com/openziti/zrok/issues/374)

FEATURE: New `zrok` SDK (https://github.com/openziti/zrok/issues/34). `pastebin` example illustrates basic SDK usage (see `sdk/examples/pastebin/README.md` for details) ((https://github.com/openziti/zrok/issues/379)

# v0.4.2
## v0.4.2

Some days are just like this. `v0.4.2` is a re-do of `v0.4.1`. Trying to get Homebrew working and had a bad release. Hopefully this is the one.

# v0.4.1
## v0.4.1

FEATURE: New `zrok console` command to open the currently configured web console in the local web browser (https://github.com/openziti/zrok/issues/170)

CHANGE: Further tweaks to the release process to automatically get the latest release into Homebrew (https://github.com/openziti/zrok/issues/264)

# v0.4.0
## v0.4.0

FEATURE: New `tcpTunnel` backend mode allowing for private sharing of local TCP sockets with other `zrok` users (https://github.com/openziti/zrok/issues/170)

Expand All @@ -104,55 +110,56 @@ CHANGE: Updated to latest `github.com/openziti/sdk-golang` (https://github.com/o

FIX: `zrok share reserved --override-endpoint` now works correctly; `--override-endpoint` was being incorrectly ignore previously (https://github.com/openziti/zrok/pull/348)

# v0.3.7
## v0.3.7

FIX: Improved TUI word-wrapping (https://github.com/openziti/zrok/issues/180)

# v0.3.6
## v0.3.6

CHANGE: Additional change to support branch builds (for CI purposes) and additional containerization efforts around k8s.

# v0.3.5
## v0.3.5

CHANGE: `zrok config set apiEndpoint` now validates that the new API endpoint correctly starts with `http://` or `https://` (https://github.com/openziti/zrok/issues/258)

CHANGE: Additional linting to support homebrew (https://github.com/openziti/zrok/issues/264)

# v0.3.4
## v0.3.4

CHANGE: `zrok test endpoint` incorporates `--ziti` mode (and related flags) to allow direct endpoint listening on a Ziti service

CHANGE: `zrok test websocket` command to test websockets, whether over TCP or over Ziti

FIX: Websocket support now functional

# v0.3.3
## v0.3.3

CHANGE: `zrok test loop` has been moved to `zrok test loop public`, making way for additional types of loopback testing tools. The `zrok test endpoint` server now includes an `/echo` endpoint, which provides a simple echo websocket (https://github.com/openziti/zrok/issues/237)

# v0.3.2
## v0.3.2

FEATURE: New docker infrastructure, including `docker-compose.yml` examples (and documentation) illustrating how to deploy `zrok` in `docker`-based environments
FEATURE: New docker infrastructure, including `compose.yml` examples (and documentation) illustrating how to deploy `zrok` in `docker`-based environments

CHANGE: Include missing `--headless` flag for `zrok enable` and `zrok access private` (https://github.com/openziti/zrok/issues/246)

CHANGE: Fix for `zrok enable` error path handling (https://github.com/openziti/zrok/issues/244)

FEATURE: `zrok controller validate` and `zrok access public validate` will both perform a quick syntax validation on controller and public frontend configuration documents (https://github.com/openziti/zrok/issues/238)

$ zrok controller validate etc/dev.yml
$ zrok controller validate etc/dev.yml

[ERROR]: controller config validation failed (error loading controller config 'etc/dev.yml': field 'maintenance': field 'registration': field 'expiration_timeout': got [bool], expected [time.Duration])

CHANGE: `zrok status` no longer shows secrets (secret token, ziti identity) unless the `--secrets` flag is passed (https://github.com/openziti/zrok/issues/243)

# v0.3.1
## v0.3.1

CHANGE: Incorporate initial docker image build (https://github.com/openziti/zrok/issues/217)

CHANGE: Improve target URL parsing for `zrok share` when using `--backend-mode` proxy (https://github.com/openziti/zrok/issues/211)

New and improved URL handling for proxy backends:

9090 -> http://127.0.0.1:9090
localhost:9090 -> http://127.0.0.1:9090
https://localhost:9090 -> https://localhost:9090
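
Review bot: in the v0.3.2 entry the file name is changed from `docker-compose.yml` to `compose.yml`, which rewrites the description of an already released version. If the examples shipped under the old name in v0.3.2, keep the historical wording there and record the rename under the current release instead.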
Expand All @@ -161,11 +168,11 @@ CHANGE: Improve usability of `zrok invite` TUI in low-color environments (https:

CHANGE: Better error responses when `zrok invite` fails due to missing token (https://github.com/openziti/zrok/issues/207)

# v0.3.0
## v0.3.0

CHANGE: Removed some minor web console lint and warnings (https://github.com/openziti/zrok/issues/205)

# v0.3.0-rc6
## v0.3.0-rc6

CHANGE: Better error message when `zrok admin create frontend` runs into a duplicate name collision (https://github.com/openziti/zrok/issues/168)

Expand All @@ -179,19 +186,19 @@ CHANGE: Prevent multiple `zrok enable` commands from succeeding (https://github.

CHANGE: New `--insecure` flag for `share <public|private|reserved>` commands (https://github.com/openziti/zrok/issues/195)

# v0.3.0-rc5
## v0.3.0-rc5

CHANGE: Improvements to controller log messages to assist in operations (https://github.com/openziti/zrok/issues/186)

CHANGE: `armv7` builds for Linux are now shipped with releases; these builds were tested against a Raspberry Pi 4 (https://github.com/openziti/zrok/issues/93)

CHANGE: `zrok config set` now includes a warning when the `apiEndpoint` config is changed and an environment is already enabled; the user will not see the change until `zrok disable` is run. The CLI now includes a `zrok config unset` command (https://github.com/openziti/zrok/issues/188)

# v0.3.0-rc4
## v0.3.0-rc4

CHANGE: Enable notarization for macos binaries (https://github.com/openziti/zrok/issues/92)

# v0.3.0-rc3
## v0.3.0-rc3

> This release increments the configuration version from `1` to `2`. See the note below.
Expand All @@ -207,7 +214,7 @@ FIX: Fixed log message in `resetPasswordRequest.go` (https://github.com/openziti

FIX: Fixed `-v` (verbose mode) on in TUI-based `zrok share` and `zrok access` (https://github.com/openziti/zrok/issues/174)

# v0.3.0-rc2
## v0.3.0-rc2

FEATURE: Allow users to reset their password (https://github.com/openziti/zrok/issues/65)

Expand All @@ -221,16 +228,16 @@ FIX: Fixed PostgreSQL migration issue where sequences got reset and resulted in

FIX: Remove `frontend` instances when `zrok disable`-ing an environment containing them (https://github.com/openziti/zrok/issues/171)

# v0.3.x Series
## v0.3.x Series

The `v0.2` series was a _proof-of-concept_ implementation for the overall `zrok` architecture and the concept.

`v0.3` is a massive elaboration of the concept, pivoting it from being a simple ephemeral reverse proxy solution, to being the beginnings of a comprehensive sharing platform, complete with public and private sharing (built on top of OpenZiti).
`v0.3` is a massive elaboration of the concept, pivoting it from being a simple ephemeral reverse proxy solution, to being the beginnings of a comprehensive sharing platform, complete with public and private sharing (built on top of OpenZiti).

`v0.3.0` includes the minimal functionality required to produce an early, preview version of the elaborated `zrok` concept, suitable for both production use at `zrok.io`, and also suitable for private self-hosting.

From `v0.3.0` forward, we will begin tracking notable changes in this document.

# v0.2.18
## v0.2.18

* DEFECT: Token generation has been improved to use an alphabet consisting of `[a-zA-Z0-9]`. Service token generation continues to use a case-insensitive alphabet consisting of `[a-z0-9]` to be DNS-safe.
3 changes: 2 additions & 1 deletion docker/compose/.gitignore
@@ -1 +1,2 @@
.env
.env
compose.override.yml
@@ -1,37 +1,37 @@
version: '3'
services:
zrok-enable-init:
zrok-init:
image: busybox
# matches uid:gid of "nobody" in zrok container image
command: chown -Rc 65534:65534 /mnt/.zrok
user: root
volumes:
- zrok_env:/mnt/.zrok

zrok-enable:
image: docker.io/openziti/zrok
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on:
zrok-enable-init:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -c
- -euc
- |
if [[ -s /mnt/.zrok/environment.json ]]; then
echo "INFO: noop: zrok environment is already enabled"
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok $${@}
exec zrok "$${@}"
fi
command: -- enable --headless ${ZROK_ENABLE_TOKEN}
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private access}" ${ZROK_ENABLE_TOKEN}
volumes:
- zrok_env:/mnt/.zrok
environment:
HOME: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ${ZROK_API_ENDPOINT:-https://api.zrok.io/}
zrok-private-access:
image: docker.io/openziti/zrok

zrok-access:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: access private --headless --bind 0.0.0.0:9191 ${ZROK_ACCESS_TOKEN}
depends_on:
zrok-enable:
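
Review bot: the new already-enabled test in the `zrok-enable` entrypoint, `[[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]`, is true for any parseable JSON file, because `jq` prints `null` when the key is absent and `-n` only checks for non-empty output. An environment file without an identity is then reported as already enabled and `zrok enable` is skipped, while `2>/dev/null` also hides a missing `jq` binary. Test the exit status instead, e.g. `jq -e '.ziti_identity' ~/.zrok/environment.json >/dev/null`, which fails on `null`.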
Expand All @@ -43,20 +43,19 @@ services:
environment:
HOME: /mnt
PFXLOG_NO_JSON: "true"
ZROK_ACCESS_TOKEN:

# alternatively, access the zrok private access proxy from another container
demo-client:
depends_on:
- zrok-private-access
- zrok-access
image: busybox
entrypoint:
- sh
- -c
- |
while true; do
echo 'INFO: trying wget';
wget -q -O - http://zrok-private-access:9191/ip;
wget -q -O - http://zrok-access:9191/ip;
sleep 3;
done
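
Review bot: the service renames (`zrok-private-access` to `zrok-access` here, `zrok-enable-init` to `zrok-init` earlier in the file) are not mentioned in the v0.4.14 CHANGELOG entry, which only announces the reserved public share project. Anyone with a running project or a `compose.override.yml` keyed on the old names will be left with orphaned containers and overrides that no longer match; add a CHANGE line listing the old and new service names.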
@@ -1,38 +1,38 @@
version: '3'
services:
zrok-enable-init:
zrok-init:
image: busybox
# matches uid:gid of "nobody" in zrok container image
command: chown -Rc 65534:65534 /mnt/.zrok
user: root
volumes:
- zrok_env:/mnt/.zrok

zrok-enable:
image: docker.io/openziti/zrok
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
depends_on:
zrok-enable-init:
zrok-init:
condition: service_completed_successfully
entrypoint:
- bash
- -c
- -euc
- |
if [[ -s /mnt/.zrok/environment.json ]]; then
echo "INFO: noop: zrok environment is already enabled"
if [[ -n "$(jq '.ziti_identity' ~/.zrok/environment.json 2>/dev/null)" ]]; then
echo "INFO: zrok environment is already enabled"
exit 0
else
zrok config set apiEndpoint ${ZROK_API_ENDPOINT:-https://api.zrok.io}
echo "INFO: running: zrok $$(sed -E "s/${ZROK_ENABLE_TOKEN}/************/" <<< $${@})"
exec zrok $${@}
exec zrok "$${@}"
fi
command: -- enable --headless ${ZROK_ENABLE_TOKEN}
command: -- enable --headless --description "${ZROK_ENVIRONMENT_NAME:-docker private share}" ${ZROK_ENABLE_TOKEN}
volumes:
- zrok_env:/mnt/.zrok
environment:
HOME: /mnt
ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ${ZROK_API_ENDPOINT:-https://api.zrok.io/}
zrok-private-share:
image: docker.io/openziti/zrok
command: share private --headless http://zrok-test:9090

zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: share private --headless --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/}
depends_on:
zrok-enable:
condition: service_completed_successfully
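
Review bot: the `-u` added with `-euc` does not catch a missing enable token, because `${ZROK_ENABLE_TOKEN}` in both the script and `command:` is interpolated by Compose (single `$`) before bash runs, unlike the escaped `$${@}`. With the variable unset, the `sed` pattern is empty and `zrok enable` is invoked without a token, so the failure only surfaces as a CLI error inside the container. Use Compose's required-variable form in `command:`, e.g. `${ZROK_ENABLE_TOKEN:?set ZROK_ENABLE_TOKEN in .env}`, or, if restarts of an already enabled environment must work without the token, check for it inside the `else` branch.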
Expand All @@ -44,10 +44,8 @@ services:

# demo servers you can share with zrok
zrok-test:
image: docker.io/openziti/zrok
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: test endpoint --address 0.0.0.0 # 9090
httpbin-test:
image: mccutchen/go-httpbin # 8080/tcp

volumes:
zrok_env:

1 comment on commit 0c8ba2a

@vercel vercel bot commented on 0c8ba2a Oct 30, 2023

Successfully deployed to the following URLs:

zrok – ./

zrok-git-main-openziti.vercel.app
zrok.vercel.app
zrok-openziti.vercel.app
