From bdd96043c9426f2ab923b310691cd5a6e1909d58 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Mon, 23 Sep 2024 14:45:15 -0400 Subject: [PATCH 01/37] updates xweb to not error on no default API handlers --- go.mod | 2 +- go.sum | 4 ++-- zititest/go.mod | 2 +- zititest/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 1cfbeef89..c2fa54e57 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/openziti/storage v0.3.2 github.com/openziti/transport/v2 v2.0.146 github.com/openziti/x509-claims v1.0.3 - github.com/openziti/xweb/v2 v2.1.2 + github.com/openziti/xweb/v2 v2.1.3 github.com/openziti/ziti-db-explorer v1.1.3 github.com/orcaman/concurrent-map/v2 v2.0.1 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index 2755f6ef6..e6c0f5c37 100644 --- a/go.sum +++ b/go.sum @@ -598,8 +598,8 @@ github.com/openziti/transport/v2 v2.0.146 h1:Wdr4udri/fFpdj9GR9DR7/FKqt/2cMTgBdt github.com/openziti/transport/v2 v2.0.146/go.mod h1:ULrJdwxs0sKmjAhen9Vk9E+Do4qpdDdx1YJeVVu3bZ4= github.com/openziti/x509-claims v1.0.3 h1:HNdQ8Nf1agB3lBs1gahcO6zfkeS4S5xoQ2/PkY4HRX0= github.com/openziti/x509-claims v1.0.3/go.mod h1:Z0WIpBm6c4ecrpRKrou6Gk2wrLWxJO/+tuUwKh8VewE= -github.com/openziti/xweb/v2 v2.1.2 h1:435lpiXOkXwos71Dp4UCOjaFdnp32aQyvOjQ6uB+4X4= -github.com/openziti/xweb/v2 v2.1.2/go.mod h1:d9+vBsVCONyb3GCrJPHb2+GfTJ4MMIu0i6S71uE3WHc= +github.com/openziti/xweb/v2 v2.1.3 h1:smHMs6BCdSF3LB3KMHvR8YcNYKESJjM9LBfHi958/2E= +github.com/openziti/xweb/v2 v2.1.3/go.mod h1:d9+vBsVCONyb3GCrJPHb2+GfTJ4MMIu0i6S71uE3WHc= github.com/openziti/ziti-db-explorer v1.1.3 h1:9JER16MJzagtYPdGEhgDcw2p/BXNCVbf9IgA/sMB52w= github.com/openziti/ziti-db-explorer v1.1.3/go.mod h1:pMIMNJoTRSTbkO2e7cZWiBokA3jMdeiGAILP3QhU+v8= github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c= diff --git a/zititest/go.mod b/zititest/go.mod index ac3b9f812..fe3538432 100644 --- a/zititest/go.mod +++ b/zititest/go.mod 
@@ -146,7 +146,7 @@ require ( github.com/openziti/runzmd v1.0.51 // indirect github.com/openziti/secretstream v0.1.24 // indirect github.com/openziti/x509-claims v1.0.3 // indirect - github.com/openziti/xweb/v2 v2.1.2 // indirect + github.com/openziti/xweb/v2 v2.1.3 // indirect github.com/openziti/ziti-db-explorer v1.1.3 // indirect github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect diff --git a/zititest/go.sum b/zititest/go.sum index 701fed9c4..d1e6ca1e3 100644 --- a/zititest/go.sum +++ b/zititest/go.sum @@ -622,8 +622,8 @@ github.com/openziti/transport/v2 v2.0.146 h1:Wdr4udri/fFpdj9GR9DR7/FKqt/2cMTgBdt github.com/openziti/transport/v2 v2.0.146/go.mod h1:ULrJdwxs0sKmjAhen9Vk9E+Do4qpdDdx1YJeVVu3bZ4= github.com/openziti/x509-claims v1.0.3 h1:HNdQ8Nf1agB3lBs1gahcO6zfkeS4S5xoQ2/PkY4HRX0= github.com/openziti/x509-claims v1.0.3/go.mod h1:Z0WIpBm6c4ecrpRKrou6Gk2wrLWxJO/+tuUwKh8VewE= -github.com/openziti/xweb/v2 v2.1.2 h1:435lpiXOkXwos71Dp4UCOjaFdnp32aQyvOjQ6uB+4X4= -github.com/openziti/xweb/v2 v2.1.2/go.mod h1:d9+vBsVCONyb3GCrJPHb2+GfTJ4MMIu0i6S71uE3WHc= +github.com/openziti/xweb/v2 v2.1.3 h1:smHMs6BCdSF3LB3KMHvR8YcNYKESJjM9LBfHi958/2E= +github.com/openziti/xweb/v2 v2.1.3/go.mod h1:d9+vBsVCONyb3GCrJPHb2+GfTJ4MMIu0i6S71uE3WHc= github.com/openziti/ziti-db-explorer v1.1.3 h1:9JER16MJzagtYPdGEhgDcw2p/BXNCVbf9IgA/sMB52w= github.com/openziti/ziti-db-explorer v1.1.3/go.mod h1:pMIMNJoTRSTbkO2e7cZWiBokA3jMdeiGAILP3QhU+v8= github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c= From 1affdfff5294b3600b39e16edd836fb03eb5b716 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 23 Sep 2024 15:38:56 -0400 Subject: [PATCH 02/37] tidy Dockerfiles --- dist/docker-images/ziti-cli/Dockerfile | 2 +- quickstart/docker/image/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/dist/docker-images/ziti-cli/Dockerfile b/dist/docker-images/ziti-cli/Dockerfile index 3b13582ac..a060c2ae0 100644 --- a/dist/docker-images/ziti-cli/Dockerfile +++ b/dist/docker-images/ziti-cli/Dockerfile @@ -5,7 +5,7 @@ FROM bitnami/kubectl AS bitnami-kubectl # FIXME: This repo requires terms acceptance and is only available on registry.redhat.io. -# FROM registry.access.redhat.com/openshift4/ose-cli as openshift-cli +# FROM registry.access.redhat.com/openshift4/ose-cli AS openshift-cli FROM registry.access.redhat.com/ubi9/ubi-minimal # This build stage grabs artifacts that are copied into the final image. diff --git a/quickstart/docker/image/Dockerfile b/quickstart/docker/image/Dockerfile index c4780346d..5b1b63e8a 100644 --- a/quickstart/docker/image/Dockerfile +++ b/quickstart/docker/image/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:rolling as fetch-ziti-bins +FROM ubuntu:rolling AS fetch-ziti-bins # optional arg to specify which version to fetch when local "ziti-bin" directory is not present ARG ZITI_VERSION_OVERRIDE From 519a9a02f9198f6c2542bc6127b5a604883a8528 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 23 Sep 2024 13:22:43 -0400 Subject: [PATCH 03/37] fix quickstart ziti version --- .github/workflows/release-quickstart.yml | 47 ++++++++++--------- .../linux/openziti-router/bootstrap.env | 2 +- quickstart/docker/createLocalImage.sh | 4 +- quickstart/docker/image/ziti-cli-functions.sh | 11 +++-- quickstart/docker/pushLatestDocker.sh | 17 ++++--- quickstart/test/compose-test.zsh | 2 +- 6 files changed, 48 insertions(+), 35 deletions(-) diff --git a/.github/workflows/release-quickstart.yml b/.github/workflows/release-quickstart.yml index 223c9a43a..3d3a53970 100644 --- a/.github/workflows/release-quickstart.yml +++ b/.github/workflows/release-quickstart.yml 
@@ -12,14 +12,18 @@ on: jobs: release-quickstart: name: Release Quickstart Job - # this is only run on the official upstream repo when a PR is merged to the default branch "main" or a release tag - # is pushed; merges to main trigger a quickstart release with a commit SHA suffix featuring the previous ziti binary - # release version, whereas release tag pushes trigger a quickstart release with the same tag name and the same ziti - # binary release version - if: github.repository_owner == 'openziti' - && ( - startsWith(github.ref_name, 'v') - || (github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'quickstartrelease')) + # this is only run on the official upstream repo when a PR is merged to the + # default branch "main" or a release tag is pushed or for the same + # conditions in a repo fork that overrides the container image repo to push + # to; merges to main trigger a quickstart release with a commit SHA suffix + # featuring the previous ziti binary release version, whereas release tag + # pushes trigger a quickstart release with the same tag name and the same + # ziti binary release version + if: (github.repository_owner == 'openziti' || vars.ZITI_QUICKSTART_IMAGE != '') && ( + startsWith(github.ref_name, 'v') || ( + github.event.pull_request.merged == true + && contains(github.event.pull_request.labels.*.name, 'quickstartrelease') + ) ) runs-on: ubuntu-latest env: @@ -27,7 +31,7 @@ jobs: # use github.ref, not github.head_ref, because this workflow should only run on merged PRs in the target/base # branch context, not the PR source branch GITHUB_REF: ${{ github.ref }} - # user github.sha, not github.pull_request.head.sha, because this workflow should only run on merged PRs in the + # use github.sha, not github.pull_request.head.sha, because this workflow should only run on merged PRs in the # target/base branch, not the PR source branch GITHUB_SHA: ${{ github.sha }} steps: 
@@ -89,32 +93,32 @@ jobs: if [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then # Set output parameters for release tags - echo QUICKSTART_VERSION="${GITHUB_REF_NAME}" | tee -a $GITHUB_OUTPUT + QUICKSTART_VERSION="${GITHUB_REF_NAME}" elif [[ "${GITHUB_REF_NAME}" =~ ^main$ ]]; then # compute the latest release version to install in the quickstart image QUICKSTART_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-current-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})" - - # drop the leading 'v', if any - QUICKSTART_VERSION=${QUICKSTART_VERSION#v} - validateSemver "${QUICKSTART_VERSION}" # Append short SHA to identify quickstart docker images shipped on merge to main QUICKSTART_VERSION="${QUICKSTART_VERSION}-$(git rev-parse --short ${GITHUB_SHA})" - echo QUICKSTART_VERSION="${QUICKSTART_VERSION}" | tee -a $GITHUB_OUTPUT - else echo "ERROR: Unexpected GITHUB_REF_NAME=${GITHUB_REF_NAME}" >&2 exit 1 fi - # configure the env var used by the quickstart's Dockerfile to download the correct version of ziti for the - # target architecture of each image build by trimming the hyphenated short sha suffix so that the preceding - # release version of the ziti executable is installed in the quickstart container image - ZITI_OVERRIDE_VERSION=${QUICKSTART_VERSION%-*} - echo ZITI_OVERRIDE_VERSION="${ZITI_OVERRIDE_VERSION}" | tee -a $GITHUB_OUTPUT + # configure the env var used by the quickstart's Dockerfile to + # download the correct version of ziti for the target architecture of + # each image build by trimming the hyphenated short sha suffix so that + # the preceding release version of the ziti executable is installed in + # the quickstart container image; ensure the QUICKSTART_VERSION + # (container image tag) does not have a leading 'v' and the + # ZITI_VERSION_OVERRIDE (GitHub tag ref) does have a leading 'v' + + QUICKSTART_VERSION="${QUICKSTART_VERSION#v}" + echo QUICKSTART_VERSION="${QUICKSTART_VERSION}" | tee -a $GITHUB_OUTPUT + echo 
ZITI_VERSION_OVERRIDE=v${QUICKSTART_VERSION%-*} | tee -a $GITHUB_OUTPUT # container image tag :latest is published on merge to default branch "main" and on release tags - name: Configure Quickstart Container @@ -146,6 +150,7 @@ jobs: python --version - name: Deploy the CloudFront Function for get.openziti.io + if: github.repository_owner == 'openziti' shell: bash run: python ./dist/cloudfront/get.openziti.io/deploy-cloudfront-function.py env: diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.env b/dist/dist-packages/linux/openziti-router/bootstrap.env index f7cc61e89..9193b3373 100644 --- a/dist/dist-packages/linux/openziti-router/bootstrap.env +++ b/dist/dist-packages/linux/openziti-router/bootstrap.env @@ -1,5 +1,5 @@ # -# this is the ziti-controller.service bootstrapping inputs file where answers are recorded for generating a +# this is the ziti-router.service bootstrapping inputs file where answers are recorded for generating a # configuration # diff --git a/quickstart/docker/createLocalImage.sh b/quickstart/docker/createLocalImage.sh index 101e8db3c..468764290 100755 --- a/quickstart/docker/createLocalImage.sh +++ b/quickstart/docker/createLocalImage.sh 
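Review bot: In the `@@ -89,32 +93,32 @@` hunk of release-quickstart.yml, `validateSemver "${QUICKSTART_VERSION}"` now runs before the leading `v` is stripped, because `QUICKSTART_VERSION="${QUICKSTART_VERSION#v}"` moved to the end of the step. `validateSemver` is defined outside the hunk, so confirm that its pattern accepts a `v`-prefixed value; if it does not, every merge-to-main run will stop at that call. Validating a normalised copy keeps the check meaningful either way, for example `validateSemver "${QUICKSTART_VERSION#v}"`. The two `tee -a $GITHUB_OUTPUT` lines should also quote both the value and the file path, as in `echo "ZITI_VERSION_OVERRIDE=v${QUICKSTART_VERSION%-*}" | tee -a "$GITHUB_OUTPUT"`, so that only one `name=value` line can ever be written.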
@@ -32,10 +32,10 @@ fi # optionally, configure ZITI_VERSION for pushLatestDocker.sh if [[ -n "${ZITI_VERSION_OVERRIDE:-}" && -n "${ZITI_VERSION:-}" ]]; then - echo "WARN: both ZITI_VERSION and ZITI_VERSION_OVERRIDE are set, overriding $ZITI_VERSION with $ZITI_OVERRIDE_VERSION" >&2 + echo "WARN: both ZITI_VERSION and ZITI_VERSION_OVERRIDE are set, overriding $ZITI_VERSION with $ZITI_VERSION_OVERRIDE" >&2 export ZITI_VERSION="${ZITI_VERSION_OVERRIDE#v}" elif [[ -n "${ZITI_VERSION_OVERRIDE:-}" ]]; then - echo "INFO: ZITI_VERSION_OVERRIDE is set, setting ZITI_VERSION=${ZITI_OVERRIDE_VERSION#v}" + echo "INFO: ZITI_VERSION_OVERRIDE is set, setting ZITI_VERSION=${ZITI_VERSION_OVERRIDE#v}" export ZITI_VERSION="${ZITI_VERSION_OVERRIDE#v}" elif [[ -n "${ZITI_VERSION:-}" ]]; then echo "INFO: ZITI_VERSION is set, using ZITI_VERSION=${ZITI_VERSION#v}" diff --git a/quickstart/docker/image/ziti-cli-functions.sh b/quickstart/docker/image/ziti-cli-functions.sh index 8aecaac08..193deb1c2 100644 --- a/quickstart/docker/image/ziti-cli-functions.sh +++ b/quickstart/docker/image/ziti-cli-functions.sh @@ -12,6 +12,9 @@ ASCI_BLUE='\033[00;34m' ASCI_PURPLE='\033[00;35m' ZITIx_EXPRESS_COMPLETE="" +: "${GITHUB_OWNER:=openziti}" +: "${GITHUB_REPO:=ziti}" + function WHITE { echo "${ASCI_WHITE}${1-}${ASCI_RESTORE}" } @@ -245,7 +248,7 @@ function _check_env_variable() { _error=true fi else - echo -e " * $(RED "Unsupported shell, supply a PR or log an issue on https://github.com/openziti/ziti") " + echo -e " * $(RED "Unsupported shell, supply a PR or log an issue on https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}") " return 1 fi done 
@@ -737,7 +740,7 @@ function getZiti { fi # Get the download link - zitidl="https://github.com/openziti/ziti/releases/download/${ZITI_BINARIES_VERSION-}/${ZITI_BINARIES_FILE}" + zitidl="https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}/releases/download/${ZITI_BINARIES_VERSION-}/${ZITI_BINARIES_FILE}" echo -e 'Downloading '"$(BLUE "${zitidl}")"' to '"$(BLUE "${ziti_binaries_file_abspath}")" curl -Ls "${zitidl}" -o "${ziti_binaries_file_abspath}" @@ -1137,7 +1140,7 @@ function getLatestZitiVersion { _detect_architecture - ziti_latest=$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/openziti/ziti/releases/latest) + ziti_latest=$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/latest) ZITI_BINARIES_FILE=$(printf "%s" "${ziti_latest}" | tr '\r\n' ' ' | jq -r '.assets[] | select(.name | startswith("'"ziti-${ZITI_OSTYPE}-${ZITI_ARCH}-"'")) | .name') ZITI_BINARIES_VERSION=$(printf "%s" "${ziti_latest}" | tr '\r\n' ' ' | jq -r '.tag_name') } @@ -1494,7 +1497,7 @@ function _verify_ziti_version_exists { _detect_architecture - ziticurl="$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/openziti/ziti/releases/tags/"${ZITI_VERSION_OVERRIDE}")" + ziticurl="$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/tags/"${ZITI_VERSION_OVERRIDE}")" ZITI_BINARIES_FILE=$(echo "${ziticurl}" | tr '\r\n' ' ' | jq -r '.assets[] | select(.name | startswith("'"ziti-${ZITI_OSTYPE}-${ZITI_ARCH}-"'")) | .name') ZITI_BINARIES_VERSION=$(echo "${ziticurl}" | tr '\r\n' ' ' | jq -r '.tag_name') diff --git a/quickstart/docker/pushLatestDocker.sh b/quickstart/docker/pushLatestDocker.sh index 557fc26a5..1d60c40fd 100755 --- a/quickstart/docker/pushLatestDocker.sh +++ b/quickstart/docker/pushLatestDocker.sh 
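Review bot: The archive at `${zitidl}` is downloaded with `curl -Ls` and installed with no integrity check, and the `@@ -737,7 +740,7 @@` hunk now makes the owner and repository in that URL environment-controlled. Because `--fail` is missing, a 404 for a mistyped `GITHUB_OWNER` or `GITHUB_REPO` is saved as if it were the archive and only surfaces later at `tar`. Use `curl -fLsS "${zitidl}" -o "${ziti_binaries_file_abspath}"` and compare the file's SHA-256 with a pinned or separately published value before unpacking. The same download path is touched again by the `@@ -742,7 +742,12 @@` hunk in PATCH 05 and by the variable rename in PATCH 06. getZiti starts and ends outside this hunk.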
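Review bot: In `getLatestZitiVersion` (`@@ -1137,7 +1140,7 @@`) the `curl` URL is an unquoted word that carries `${GITHUB_TOKEN}` in its userinfo part, and this change adds two more environment-supplied values to that word. An unquoted word is subject to word splitting and globbing, and a credential embedded in a URL leaks whenever the URL is echoed or logged. Quote the URL and send the token as a header, for example `curl -s ${GITHUB_TOKEN:+-H "Authorization: Bearer ${GITHUB_TOKEN}"} "https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/latest"`. The same pattern appears in `_verify_ziti_version_exists` (`@@ -1494,7 +1497,7 @@`) and is carried unchanged through the rename in PATCH 06.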
@@ -1,16 +1,21 @@ #!/usr/bin/env bash -set -eo pipefail + +set -o errexit +set -o nounset +set -o pipefail +# set -o xtrace SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" +: "${ZITI_QUICKSTART_IMAGE:=openziti/quickstart}" -if [ -z "${ZITI_VERSION}" ]; then +if [ -z "${ZITI_VERSION:-}" ]; then DOCKER_IMAGE_ROOT="$(realpath ${SCRIPT_DIR}/image)" v=$(source "${DOCKER_IMAGE_ROOT}/ziti-cli-functions.sh"; getLatestZitiVersion > /dev/null 2>&1; echo ${ZITI_BINARIES_VERSION}) ZITI_VERSION=$(echo "${v}" | sed -e 's/^v//') echo "ZITI_VERSION=${ZITI_VERSION}" fi -if [ -z "${ZITI_VERSION}" ]; then +if [ -z "${ZITI_VERSION:-}" ]; then echo "ZITI_VERSION was not set and auto-detection failed." exit 1 fi @@ -21,7 +26,7 @@ if [ -z "${IMAGE_TAG}" ]; then echo "image tag name was not provided, using default '${IMAGE_TAG}'" fi -if [ "local" == "${1}" ]; then +if [ "local" == "${1-}" ]; then echo "LOADING LOCALLY instead of pushing to dockerhub" _BUILDX_PLATFORM="" _BUILDX_ACTION="--load" @@ -36,6 +41,6 @@ docker buildx create \ eval docker buildx build "${_BUILDX_PLATFORM}" "${SCRIPT_DIR}/image" \ --build-arg ZITI_VERSION_OVERRIDE="v${ZITI_VERSION}" \ - --tag "openziti/quickstart:${ZITI_VERSION}" \ - --tag "openziti/quickstart:${IMAGE_TAG}" \ + --tag "${ZITI_QUICKSTART_IMAGE}:${ZITI_VERSION}" \ + --tag "${ZITI_QUICKSTART_IMAGE}:${IMAGE_TAG}" \ "${_BUILDX_ACTION}" diff --git a/quickstart/test/compose-test.zsh b/quickstart/test/compose-test.zsh index fdb98043d..39cc945f0 100755 --- a/quickstart/test/compose-test.zsh +++ b/quickstart/test/compose-test.zsh @@ -72,7 +72,7 @@ if [[ -n "${ZITI_QUICK_DIR:-}" ]]; then if [[ -x "${ZITI_QUICK_DIR:-}/docker/createLocalImage.sh" ]]; then ( cd "${ZITI_QUICK_DIR}/docker" - unset ZITI_VERSION ZITI_OVERRIDE_VERSION # always build the local source + unset ZITI_VERSION ZITI_VERSION_OVERRIDE # always build the local source ./createLocalImage.sh --build "${ZITI_QUICK_TAG}" ) else 
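Review bot: In the `@@ -36,6 +41,6 @@` hunk of pushLatestDocker.sh the new `${ZITI_QUICKSTART_IMAGE}` value is expanded inside an `eval docker buildx build …` command line, so its contents are parsed by the shell a second time. A value containing `;`, backticks or `$( )` would be executed rather than passed as a tag, and this variable now comes from the environment (the workflow hunk reads `vars.ZITI_QUICKSTART_IMAGE`). Either drop the `eval` and pass the platform option as an array, or reject unexpected characters before use, for example `[[ "${ZITI_QUICKSTART_IMAGE}" =~ ^[A-Za-z0-9._/:-]+$ ]] || { echo "invalid ZITI_QUICKSTART_IMAGE" >&2; exit 1; }`. The same reasoning applies to `${ZITI_VERSION}` and `${IMAGE_TAG}` on the adjacent `--tag` and `--build-arg` lines.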
From 7d86540ce6312103e3516134d75498dd79e08519 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 23 Sep 2024 16:34:22 -0400 Subject: [PATCH 04/37] debug quickstart scripts --- .github/workflows/release-quickstart.yml | 2 ++ quickstart/docker/image/Dockerfile | 4 ++++ quickstart/docker/image/fetch-ziti-bins.sh | 10 +++++++--- quickstart/docker/image/ziti-cli-functions.sh | 11 ++++------- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release-quickstart.yml b/.github/workflows/release-quickstart.yml index 3d3a53970..9e30f659f 100644 --- a/.github/workflows/release-quickstart.yml +++ b/.github/workflows/release-quickstart.yml @@ -141,6 +141,8 @@ jobs: tags: ${{ steps.tagprep_qs.outputs.DOCKER_TAGS }} build-args: | ZITI_VERSION_OVERRIDE=${{ steps.get_version.outputs.ZITI_VERSION_OVERRIDE }} + GITHUB_OWNER=${GITHUB_OWNER} + GITHUB_REPO=${GITHUB_REPO} push: true - name: Configure Python diff --git a/quickstart/docker/image/Dockerfile b/quickstart/docker/image/Dockerfile index 5b1b63e8a..750d9ac76 100644 --- a/quickstart/docker/image/Dockerfile +++ b/quickstart/docker/image/Dockerfile @@ -3,6 +3,10 @@ FROM ubuntu:rolling AS fetch-ziti-bins # optional arg to specify which version to fetch when local "ziti-bin" directory is not present ARG ZITI_VERSION_OVERRIDE ARG DEBIAN_FRONTEND=noninteractive +ARG GITHUB_OWNER=openziti +ARG GITHUB_REPO=ziti +ENV GITHUB_OWNER=${GITHUB_OWNER} +ENV GITHUB_REPO=${GITHUB_REPO} RUN apt-get update \ && apt-get --yes install \ diff --git a/quickstart/docker/image/fetch-ziti-bins.sh b/quickstart/docker/image/fetch-ziti-bins.sh index 0b20e3eec..5628354aa 100644 --- a/quickstart/docker/image/fetch-ziti-bins.sh +++ b/quickstart/docker/image/fetch-ziti-bins.sh 
@@ -1,13 +1,17 @@ #!/bin/bash +set -o errexit +set -o nounset +set -o pipefail +# set -o xtrace + # this script is executed during the docker build, after the build context has been copied to /docker.build.context -dest="${1}" +ZITI_BIN_DIR="${1}" if [ -d /docker.build.context/ziti-bin ]; then - mv /docker.build.context/ziti-bin/ "${dest}" + mv /docker.build.context/ziti-bin/ "${ZITI_BIN_DIR}" else source /docker.build.context/ziti-cli-functions.sh getZiti - mv "${ZITI_BIN_DIR}" "${dest}" fi diff --git a/quickstart/docker/image/ziti-cli-functions.sh b/quickstart/docker/image/ziti-cli-functions.sh index 193deb1c2..80d473744 100644 --- a/quickstart/docker/image/ziti-cli-functions.sh +++ b/quickstart/docker/image/ziti-cli-functions.sh @@ -650,7 +650,7 @@ function getZiti { getLatestZitiVersion # sets ZITI_BINARIES_FILE & ZITI_BINARIES_VERSION default_path="${ZITI_HOME}/ziti-bin/ziti-${ZITI_BINARIES_VERSION}" echo -en "The path for ziti binaries has not been set, use the default (${default_path})? (Y/n) " - read -r reply + read -r reply || true if [[ -z "${reply}" || ${reply} =~ [yY] ]]; then echo "INFO: using the default path ${default_path}" ZITI_BIN_DIR="${default_path}" @@ -670,17 +670,14 @@ function getZiti { return 1 fi else - _check_env_variable ZITI_BINARIES_FILE ZITI_BINARIES_VERSION - retVal=$? - if [[ "${retVal}" != 0 ]]; then - return 1 - fi - # Check if an error occurred while trying to pull desired version (happens with incorrect version or formatting issue) if ! _verify_ziti_version_exists; then echo -e " * $(RED "ERROR: The version of ziti requested (${ZITI_VERSION_OVERRIDE}) could not be found for OS (${ZITI_OSTYPE}) and architecture (${ZITI_ARCH}). Please check these details and try again. The version should follow the format \"vx.x.x\".") " return 1 fi + if ! _check_env_variable ZITI_BINARIES_FILE ZITI_BINARIES_VERSION; then + return 1 + fi fi # Where to store the ziti binaries zip 
From f26e00235b90b561dc23b72f99a6baedc759cb9a Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 23 Sep 2024 18:00:55 -0400 Subject: [PATCH 05/37] fix path to ziti binary in getZiti() function --- quickstart/docker/image/ziti-cli-functions.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/quickstart/docker/image/ziti-cli-functions.sh b/quickstart/docker/image/ziti-cli-functions.sh index 80d473744..0fa6738cd 100644 --- a/quickstart/docker/image/ziti-cli-functions.sh +++ b/quickstart/docker/image/ziti-cli-functions.sh @@ -686,7 +686,7 @@ function getZiti { if ! test -f "${ZITI_BIN_DIR}/ziti"; then # Make the directory echo -e "No existing binary found, creating the ZITI_BIN_DIR directory ($(BLUE "${ZITI_BIN_DIR}"))" - mkdir -p "${ZITI_BIN_DIR}" + mkdir -p "${ZITI_BIN_DIR}/ziti-extract" retVal=$? if [[ "${retVal}" != 0 ]]; then echo -e " * $(RED "ERROR: An error occurred generating the path (${ZITI_BIN_DIR})")" @@ -706,7 +706,7 @@ function getZiti { unset ZITI_BIN_DIR _set_ziti_bin_dir # Make the directory - mkdir -p "${ZITI_BIN_DIR}" + mkdir -p "${ZITI_BIN_DIR}/ziti-extract" retVal=$? if [[ "${retVal}" != 0 ]]; then echo -e " * $(RED "ERROR: An error occurred generating the path (${ZITI_BIN_DIR}")" @@ -742,7 +742,12 @@ function getZiti { curl -Ls "${zitidl}" -o "${ziti_binaries_file_abspath}" # Unzip the files - tar -xf "${ziti_binaries_file_abspath}" --directory "${ZITI_BIN_DIR}" + tar -xf "${ziti_binaries_file_abspath}" --directory "${ZITI_BIN_DIR}/ziti-extract" + if [ -d "${ZITI_BIN_DIR}/ziti-extract/ziti" ]; then + mv "${ZITI_BIN_DIR}/ziti-extract/ziti/ziti" "${ZITI_BIN_DIR}/ziti" + else + mv "${ZITI_BIN_DIR}/ziti-extract/ziti" "${ZITI_BIN_DIR}/ziti" + fi # Cleanup rm "${ziti_binaries_file_abspath}" # Remove zip From 25f9120db5de8212008d216464a1eb095e368697 Mon Sep 17 00:00:00 2001 
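Review bot: In the `@@ -742,7 +742,12 @@` hunk the archive is unpacked into `${ZITI_BIN_DIR}/ziti-extract`, but the visible cleanup removes only the archive, so the rest of the extracted tree stays inside the binaries directory. Adding `rm -rf "${ZITI_BIN_DIR}/ziti-extract"` after the `mv` leaves only the file that was deliberately installed. The `else` branch also runs `mv "${ZITI_BIN_DIR}/ziti-extract/ziti" …` whenever the directory test fails, including when `tar` extracted nothing; checking `tar`'s exit status first, as the `mkdir -p` calls in the earlier hunks do with `retVal`, would report the real cause. getZiti continues past the end of the hunk, so confirm that no later cleanup already handles this.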
From: Kenneth Bingham Date: Mon, 23 Sep 2024 18:36:12 -0400 Subject: [PATCH 06/37] fix github owner/name assignments --- .github/workflows/release-quickstart.yml | 4 ++-- quickstart/docker/image/Dockerfile | 8 ++++---- quickstart/docker/image/ziti-cli-functions.sh | 12 ++++++------ 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release-quickstart.yml b/.github/workflows/release-quickstart.yml index 9e30f659f..2bfdc6ef0 100644 --- a/.github/workflows/release-quickstart.yml +++ b/.github/workflows/release-quickstart.yml @@ -141,8 +141,8 @@ jobs: tags: ${{ steps.tagprep_qs.outputs.DOCKER_TAGS }} build-args: | ZITI_VERSION_OVERRIDE=${{ steps.get_version.outputs.ZITI_VERSION_OVERRIDE }} - GITHUB_OWNER=${GITHUB_OWNER} - GITHUB_REPO=${GITHUB_REPO} + GITHUB_REPO_OWNER=${{ github.repository_owner }} + GITHUB_REPO_NAME=${{ github.event.repository.name }} push: true - name: Configure Python diff --git a/quickstart/docker/image/Dockerfile b/quickstart/docker/image/Dockerfile index 750d9ac76..c6658a448 100644 --- a/quickstart/docker/image/Dockerfile +++ b/quickstart/docker/image/Dockerfile @@ -3,10 +3,10 @@ FROM ubuntu:rolling AS fetch-ziti-bins # optional arg to specify which version to fetch when local "ziti-bin" directory is not present ARG ZITI_VERSION_OVERRIDE ARG DEBIAN_FRONTEND=noninteractive -ARG GITHUB_OWNER=openziti -ARG GITHUB_REPO=ziti -ENV GITHUB_OWNER=${GITHUB_OWNER} -ENV GITHUB_REPO=${GITHUB_REPO} +ARG GITHUB_REPO_OWNER=openziti +ARG GITHUB_REPO_NAME=ziti +ENV GITHUB_REPO_OWNER=${GITHUB_REPO_OWNER} +ENV GITHUB_REPO_NAME=${GITHUB_REPO_NAME} RUN apt-get update \ && apt-get --yes install \ diff --git a/quickstart/docker/image/ziti-cli-functions.sh b/quickstart/docker/image/ziti-cli-functions.sh index 0fa6738cd..357b300f4 100644 --- a/quickstart/docker/image/ziti-cli-functions.sh +++ b/quickstart/docker/image/ziti-cli-functions.sh 
@@ -12,8 +12,8 @@ ASCI_BLUE='\033[00;34m' ASCI_PURPLE='\033[00;35m' ZITIx_EXPRESS_COMPLETE="" -: "${GITHUB_OWNER:=openziti}" -: "${GITHUB_REPO:=ziti}" +: "${GITHUB_REPO_OWNER:=openziti}" +: "${GITHUB_REPO_NAME:=ziti}" function WHITE { echo "${ASCI_WHITE}${1-}${ASCI_RESTORE}" @@ -248,7 +248,7 @@ function _check_env_variable() { _error=true fi else - echo -e " * $(RED "Unsupported shell, supply a PR or log an issue on https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}") " + echo -e " * $(RED "Unsupported shell, supply a PR or log an issue on https://github.com/${GITHUB_REPO_OWNER}/${GITHUB_REPO_NAME}") " return 1 fi done @@ -737,7 +737,7 @@ function getZiti { fi # Get the download link - zitidl="https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}/releases/download/${ZITI_BINARIES_VERSION-}/${ZITI_BINARIES_FILE}" + zitidl="https://github.com/${GITHUB_REPO_OWNER}/${GITHUB_REPO_NAME}/releases/download/${ZITI_BINARIES_VERSION-}/${ZITI_BINARIES_FILE}" echo -e 'Downloading '"$(BLUE "${zitidl}")"' to '"$(BLUE "${ziti_binaries_file_abspath}")" curl -Ls "${zitidl}" -o "${ziti_binaries_file_abspath}" @@ -1142,7 +1142,7 @@ function getLatestZitiVersion { _detect_architecture - ziti_latest=$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/latest) + ziti_latest=$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_REPO_OWNER}/${GITHUB_REPO_NAME}/releases/latest) ZITI_BINARIES_FILE=$(printf "%s" "${ziti_latest}" | tr '\r\n' ' ' | jq -r '.assets[] | select(.name | startswith("'"ziti-${ZITI_OSTYPE}-${ZITI_ARCH}-"'")) | .name') ZITI_BINARIES_VERSION=$(printf "%s" "${ziti_latest}" | tr '\r\n' ' ' | jq -r '.tag_name') } 
@@ -1499,7 +1499,7 @@ function _verify_ziti_version_exists { _detect_architecture - ziticurl="$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/tags/"${ZITI_VERSION_OVERRIDE}")" + ziticurl="$(curl -s https://${GITHUB_TOKEN:+${GITHUB_TOKEN}@}api.github.com/repos/${GITHUB_REPO_OWNER}/${GITHUB_REPO_NAME}/releases/tags/"${ZITI_VERSION_OVERRIDE}")" ZITI_BINARIES_FILE=$(echo "${ziticurl}" | tr '\r\n' ' ' | jq -r '.assets[] | select(.name | startswith("'"ziti-${ZITI_OSTYPE}-${ZITI_ARCH}-"'")) | .name') ZITI_BINARIES_VERSION=$(echo "${ziticurl}" | tr '\r\n' ' ' | jq -r '.tag_name') From 552653a1e35db855e52dd8a92b8ebe2e706d0abb Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 21 Aug 2024 09:45:27 -0400 Subject: [PATCH 07/37] source platform-specific console image to silence BuildKit warning --- dist/docker-images/ziti-controller/Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dist/docker-images/ziti-controller/Dockerfile b/dist/docker-images/ziti-controller/Dockerfile index 8d2bad707..c5d08dd1a 100644 --- a/dist/docker-images/ziti-controller/Dockerfile +++ b/dist/docker-images/ziti-controller/Dockerfile @@ -3,9 +3,11 @@ ARG ZITI_CLI_TAG="latest" ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli" +# provide a default value for the platform-neutral static console files +ARG TARGETPLATFORM="linux/amd64" + # dependabot bumps this version based on release to Hub -# only amd64 is available because only static assets are copied, not executables -FROM --platform=linux/amd64 openziti/ziti-console-assets:3.4.7 AS ziti-console +FROM --platform=${TARGETPLATFORM} openziti/ziti-console-assets:3.5.0 AS ziti-console FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG} From d437ccd5bddf38f5e5671437a3c5168012950b20 Mon Sep 17 00:00:00 2001 
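Review bot: In the ziti-controller Dockerfile hunk, `FROM --platform=${TARGETPLATFORM} openziti/ziti-console-assets:3.5.0` resolves the console image for whatever platform is being built, whereas the removed comment said only amd64 was published. If 3.5.0 is not a multi-platform image, non-amd64 controller builds will fail at this stage, so confirm that it is and record the assumption in the new comment. The global `ARG TARGETPLATFORM="linux/amd64"` default also deserves a note on when it applies, for example `# default used only when the builder does not supply TARGETPLATFORM`. Since this stage copies third-party assets into a release image, consider pinning by digest as well as tag, as in `openziti/ziti-console-assets:3.5.0@sha256:<DIGEST_PLACEHOLDER>`.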
From: Kenneth Bingham Date: Tue, 24 Sep 2024 17:59:01 -0400 Subject: [PATCH 08/37] fix router auto-renewal; fix router address IP SAN; --- dist/dist-packages/linux/openziti-router/bootstrap.bash | 7 ++++++- dist/dist-packages/linux/openziti-router/service.env | 5 +---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.bash b/dist/dist-packages/linux/openziti-router/bootstrap.bash index e14546ba6..ab0f6db01 100755 --- a/dist/dist-packages/linux/openziti-router/bootstrap.bash +++ b/dist/dist-packages/linux/openziti-router/bootstrap.bash @@ -31,6 +31,12 @@ makeConfig() { ZITI_ROUTER_PORT \ ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}" + if [[ "${ZITI_ROUTER_ADVERTISED_ADDRESS}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "DEBUG: ZITI_ROUTER_ADVERTISED_ADDRESS is an IPv4 address, setting ZITI_ROUTER_IP_OVERRIDE" >&3 + export ZITI_ROUTER_IP_OVERRIDE="${ZITI_ROUTER_ADVERTISED_ADDRESS}" + unset ZITI_ROUTER_ADVERTISED_ADDRESS + fi + if [[ ! -s "${_config_file}" || "${1:-}" == --force ]]; then # build config command local -a _command=("ziti create config router ${ZITI_ROUTER_TYPE}" \ @@ -57,7 +63,6 @@ makeConfig() { mv --no-clobber "${_config_file}"{,".${ZITI_BOOTSTRAP_NOW}.old"} fi - exportZitiVars # export all ZITI_ vars to be used in bootstrap # shellcheck disable=SC2068 ${_command[@]} diff --git a/dist/dist-packages/linux/openziti-router/service.env b/dist/dist-packages/linux/openziti-router/service.env index 2ab58cb62..891d3e563 100644 --- a/dist/dist-packages/linux/openziti-router/service.env +++ b/dist/dist-packages/linux/openziti-router/service.env 
@@ -13,8 +13,5 @@ ZITI_BOOTSTRAP_ENROLLMENT='true' # BASH script that defines function bootstrap() ZITI_ROUTER_BOOTSTRAP_BASH='/opt/openziti/etc/router/bootstrap.bash' -# renew server and client certificates every startup -ZITI_AUTO_RENEW_CERTS='true' - # additional arguments to the ExecStart command must be a non-empty string -ZITI_ARGS='--' +ZITI_ARGS='--extend' From 8a91533c8b1385eb5b57126076e3507d5f67c7cb Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 25 Sep 2024 11:48:02 -0400 Subject: [PATCH 09/37] revert IP SAN fix for router --- dist/dist-packages/linux/openziti-router/bootstrap.bash | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.bash b/dist/dist-packages/linux/openziti-router/bootstrap.bash index ab0f6db01..e14546ba6 100755 --- a/dist/dist-packages/linux/openziti-router/bootstrap.bash +++ b/dist/dist-packages/linux/openziti-router/bootstrap.bash @@ -31,12 +31,6 @@ makeConfig() { ZITI_ROUTER_PORT \ ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}" - if [[ "${ZITI_ROUTER_ADVERTISED_ADDRESS}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "DEBUG: ZITI_ROUTER_ADVERTISED_ADDRESS is an IPv4 address, setting ZITI_ROUTER_IP_OVERRIDE" >&3 - export ZITI_ROUTER_IP_OVERRIDE="${ZITI_ROUTER_ADVERTISED_ADDRESS}" - unset ZITI_ROUTER_ADVERTISED_ADDRESS - fi - if [[ ! -s "${_config_file}" || "${1:-}" == --force ]]; then # build config command local -a _command=("ziti create config router ${ZITI_ROUTER_TYPE}" \ @@ -63,6 +57,7 @@ makeConfig() { mv --no-clobber "${_config_file}"{,".${ZITI_BOOTSTRAP_NOW}.old"} fi + exportZitiVars # export all ZITI_ vars to be used in bootstrap # shellcheck disable=SC2068 ${_command[@]} From f11404b373b7729a695aded5321400bdd45a1102 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 26 Sep 2024 10:26:03 -0400 Subject: [PATCH 10/37] updates change log --- CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b13df464..40a11ae96 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,20 @@ +* # Release 1.1.12 + +## What's New + +* Bug fixes, enhancements and continuing progress on controller HA + +## Component Updates and Bug Fixes + +* github.com/openziti/xweb/v2: [v2.1.2 -> v2.1.3](https://github.com/openziti/xweb/compare/v2.1.2...v2.1.3) + * [Issue #2429](https://github.com/openziti/ziti/issues/2429) - Controller configurations without default Edge API binding panics +* github.com/openziti/ziti: [v1.1.12 -> v1.1.13](https://github.com/openziti/ziti/compare/v1.1.12...v1.1.13) + * [Issue #2427](https://github.com/openziti/ziti/issues/2427) - Add low overhead xgress protocol for DTLS links + * [Issue #2422](https://github.com/openziti/ziti/issues/2422) - Busy first hop links should backpressure to xgress senders + * [Issue #2413](https://github.com/openziti/ziti/issues/2413) - Add db anonymization utility + * [Issue #2415](https://github.com/openziti/ziti/issues/2415) - Fix policy denormalization when service policy type is changed + + # Release 1.1.12 ## What's New From 47823e1ac8ab020380ec3d537a77652a0d9250b2 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 26 Sep 2024 10:26:37 -0400 Subject: [PATCH 11/37] update version --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40a11ae96..f07d3f859 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -* # Release 1.1.12 +* # Release 1.1.13 ## What's New From 9de90ccef4dcfa790b452b31acd491ba648e3037 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 26 Sep 2024 10:29:24 -0400 Subject: [PATCH 12/37] remove leading bullet --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f07d3f859..cbaeb533d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -* # Release 1.1.13 +# Release 1.1.13 ## What's New 
From 8e83a3833ecefa5859b6aa80b67436503b2e8e00 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 26 Sep 2024 10:49:44 -0400 Subject: [PATCH 13/37] remove items from previous release --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cbaeb533d..51753b458 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,8 +11,6 @@ * github.com/openziti/ziti: [v1.1.12 -> v1.1.13](https://github.com/openziti/ziti/compare/v1.1.12...v1.1.13) * [Issue #2427](https://github.com/openziti/ziti/issues/2427) - Add low overhead xgress protocol for DTLS links * [Issue #2422](https://github.com/openziti/ziti/issues/2422) - Busy first hop links should backpressure to xgress senders - * [Issue #2413](https://github.com/openziti/ziti/issues/2413) - Add db anonymization utility - * [Issue #2415](https://github.com/openziti/ziti/issues/2415) - Fix policy denormalization when service policy type is changed # Release 1.1.12 From 3ee5f5a21bfd200bb157c84b2acfda85c4fc7a2d Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 25 Sep 2024 14:21:32 -0400 Subject: [PATCH 14/37] support using "*" in host.v1/host.v2 `allowedAddresses` to indicate acceptance of any hostname --- tunnel/entities/service.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tunnel/entities/service.go b/tunnel/entities/service.go index 333712641..9fc62ae0f 100644 --- a/tunnel/entities/service.go +++ b/tunnel/entities/service.go 
@@ -153,12 +153,12 @@ type domainAddress struct { func (self *domainAddress) Allows(addr interface{}) bool { host, ok := addr.(string) host = strings.ToLower(host) - return ok && (strings.HasSuffix(host, self.domain[1:]) || host == self.domain[2:]) + return ok && (self.domain == "*" || (strings.HasSuffix(host, self.domain[1:]) || host == self.domain[2:])) } func makeAllowedAddress(addr string) (allowedAddress, error) { if addr[0] == '*' { - if len(addr) < 3 || addr[1] != '.' { + if len(addr) != 1 && (len(addr) < 3 || addr[1] != '.') { return nil, errors.Errorf("invalid domain[%s]", addr) } return &domainAddress{domain: strings.ToLower(addr)}, nil From 2ac5b647347122eb9bfe8d98c61413f4d43c1338 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 26 Sep 2024 16:08:53 -0400 Subject: [PATCH 15/37] hint how to open the quickstart console --- quickstart/docker/all-in-one/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/quickstart/docker/all-in-one/README.md b/quickstart/docker/all-in-one/README.md index 1b3d3211d..e1fd0be63 100644 --- a/quickstart/docker/all-in-one/README.md +++ b/quickstart/docker/all-in-one/README.md @@ -42,7 +42,9 @@ This is the primary use case for this project: running the `ziti edge quickstart docker compose logs --follow ``` -5. Run the CLI inside the quickstart environment. +5. Open the console in a browser: [localhost:1280/zac/](https://localhost:1280/zac/) + +6. Run the CLI inside the quickstart environment. ```bash docker compose exec quickstart ziti edge list identities From 77e34954f65d4d9692e5e20065837f05737af443 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 26 Sep 2024 16:18:02 -0400 Subject: [PATCH 16/37] clarify controller url if overriden --- quickstart/docker/all-in-one/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/docker/all-in-one/README.md b/quickstart/docker/all-in-one/README.md index e1fd0be63..dee5183b7 100644 
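Review bot: In `domainAddress.Allows`, a bare `*` entry now accepts every string, including the empty one, because the `self.domain == "*"` branch is taken before anything is checked about `host`. This turns `allowedAddresses` into an allow-all for hostnames, so the hosting side will presumably forward to whatever name the dialing client supplies; the type's comment should say so, and the guard could be `return ok && host != "" && (self.domain == "*" || strings.HasSuffix(host, self.domain[1:]) || host == self.domain[2:])`. The `self.domain[2:]` slice is only safe for `*` because `||` short-circuits first, so a comment such as `// "*" must be tested first: domain[2:] would panic on a one-character domain` would protect against a later reorder. In `makeAllowedAddress`, `addr[0]` is still read without a length check, so an empty entry would panic instead of returning the `invalid domain` error; the rest of that function lies outside the hunk.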
--- a/quickstart/docker/all-in-one/README.md +++ b/quickstart/docker/all-in-one/README.md @@ -42,7 +42,7 @@ This is the primary use case for this project: running the `ziti edge quickstart docker compose logs --follow ``` -5. Open the console in a browser: [localhost:1280/zac/](https://localhost:1280/zac/) +5. Open the console in a browser: [localhost:1280/zac/](https://localhost:1280/zac/). If you override the default controller address then substitute the correct address in the URL like `https://${ZITI_CTRL_ADVERTISED_ADDRESS}:${ZITI_CTRL_ADVERTISED_PORT}/zac/`. 6. Run the CLI inside the quickstart environment. From 8c6879328a5e1be5e9edcc4ec5344bc1004d7fd3 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Thu, 26 Sep 2024 17:29:56 -0400 Subject: [PATCH 17/37] Change default policy semantic from AllOf to AnyOf. Fixes #2444 --- ziti/cmd/edge/create_edge_router_policy.go | 2 +- ziti/cmd/edge/create_service_edge_router_policy.go | 2 +- ziti/cmd/edge/create_service_policy.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ziti/cmd/edge/create_edge_router_policy.go b/ziti/cmd/edge/create_edge_router_policy.go index a36f66b98..b23b4a149 100644 --- a/ziti/cmd/edge/create_edge_router_policy.go +++ b/ziti/cmd/edge/create_edge_router_policy.go 
@@ -57,7 +57,7 @@ func NewCreateEdgeRouterPolicyCmd(out io.Writer, errOut io.Writer) *cobra.Comman cmd.Flags().SetInterspersed(true) cmd.Flags().StringSliceVar(&options.edgeRouterRoles, "edge-router-roles", nil, "Edge router roles of the new edge router policy") cmd.Flags().StringSliceVar(&options.identityRoles, "identity-roles", nil, "Identity roles of the new edge router policy") - cmd.Flags().StringVar(&options.semantic, "semantic", "AllOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") + cmd.Flags().StringVar(&options.semantic, "semantic", "AnyOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") options.AddCommonFlags(cmd) return cmd diff --git a/ziti/cmd/edge/create_service_edge_router_policy.go b/ziti/cmd/edge/create_service_edge_router_policy.go index 555ebd3e5..e9cfb90c9 100644 --- a/ziti/cmd/edge/create_service_edge_router_policy.go +++ b/ziti/cmd/edge/create_service_edge_router_policy.go @@ -57,7 +57,7 @@ func NewCreateServiceEdgeRouterPolicyCmd(out io.Writer, errOut io.Writer) *cobra cmd.Flags().SetInterspersed(true) cmd.Flags().StringSliceVar(&options.edgeRouterRoles, "edge-router-roles", nil, "Edge router roles of the new service edge router policy") cmd.Flags().StringSliceVar(&options.serviceRoles, "service-roles", nil, "Identity roles of the new service edge router policy") - cmd.Flags().StringVar(&options.semantic, "semantic", "AllOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") + cmd.Flags().StringVar(&options.semantic, "semantic", "AnyOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") options.AddCommonFlags(cmd) return cmd diff --git a/ziti/cmd/edge/create_service_policy.go b/ziti/cmd/edge/create_service_policy.go index ccf0f516b..0b6f7a0b0 100644 --- a/ziti/cmd/edge/create_service_policy.go +++ b/ziti/cmd/edge/create_service_policy.go 
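Review bot: Flipping the `--semantic` default from `AllOf` to `AnyOf` widens what a policy matches when several role attributes are listed, and any script that relied on the old default will now create broader policies without any visible change on its command line. The same one-line change is made in `create_service_edge_router_policy.go` and `create_service_policy.go`. I would call this out as a behaviour change in the release notes and add a comment above each flag, e.g. `// default changed from AllOf to AnyOf (#2444): callers that need intersection must pass --semantic AllOf`. Nothing in these hunks shows the value being checked against the two listed options, so that is worth confirming where `options.semantic` is consumed; all three constructors start above their hunks. Separately, the `--service-roles` help in the service edge router policy command reads "Identity roles of the new service edge router policy" and should say "Service roles".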
@@ -61,7 +61,7 @@ func newCreateServicePolicyCmd(out io.Writer, errOut io.Writer) *cobra.Command { cmd.Flags().SetInterspersed(true) cmd.Flags().StringSliceVar(&options.serviceRoles, "service-roles", nil, "Service roles of the new service policy") cmd.Flags().StringSliceVar(&options.identityRoles, "identity-roles", nil, "Identity roles of the new service policy") - cmd.Flags().StringVar(&options.semantic, "semantic", "AllOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") + cmd.Flags().StringVar(&options.semantic, "semantic", "AnyOf", "Semantic dictating how multiple attributes should be interpreted. Valid values: AnyOf, AllOf") cmd.Flags().StringSliceVarP(&options.postureCheckRoles, "posture-check-roles", "p", nil, "Posture check roles of the new service policy") options.AddCommonFlags(cmd) From 860000cae3202204fdd4ce3ce3be50102d015909 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Thu, 26 Sep 2024 17:30:25 -0400 Subject: [PATCH 18/37] Fix ziti edge login --token so it doesn't try to login. Fixes #2207 --- ziti/cmd/edge/login.go | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index 0912c3031..47451047e 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go 
@@ -203,25 +203,27 @@ func (o *LoginOptions) Run() error { body = container.String() } - jsonParsed, err := login(o, host, body) + if o.Token == "" { + jsonParsed, err := login(o, host, body) - if err != nil { - return err - } + if err != nil { + return err + } - if !jsonParsed.ExistsP("data.token") { - return fmt.Errorf("no session token returned from login request to %v. Received: %v", host, jsonParsed.String()) - } + if !jsonParsed.ExistsP("data.token") { + return fmt.Errorf("no session token returned from login request to %v. Received: %v", host, jsonParsed.String()) + } - var ok bool - o.Token, ok = jsonParsed.Path("data.token").Data().(string) + var ok bool + o.Token, ok = jsonParsed.Path("data.token").Data().(string) - if !ok { - return fmt.Errorf("session token returned from login request to %v is not in the expected format. Received: %v", host, jsonParsed.String()) - } + if !ok { + return fmt.Errorf("session token returned from login request to %v is not in the expected format. Received: %v", host, jsonParsed.String()) + } - if !o.OutputJSONResponse { - o.Printf("Token: %v\n", o.Token) + if !o.OutputJSONResponse { + o.Printf("Token: %v\n", o.Token) + } } loginIdentity := &util.RestClientEdgeIdentity{ From 1205803ca2a23e5d8b8047140476a8a2293ff535 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Thu, 26 Sep 2024 17:38:52 -0400 Subject: [PATCH 19/37] Set create service expected args to 1, for better errors msgs. Fixes #1420 --- ziti/cmd/edge/create_service.go | 2 +- ziti/cmd/edge/create_terminator.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ziti/cmd/edge/create_service.go b/ziti/cmd/edge/create_service.go index 92c942d61..3da20171f 100644 --- a/ziti/cmd/edge/create_service.go +++ b/ziti/cmd/edge/create_service.go 
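Review bot: With the new `if o.Token == ""` guard, a token passed on the command line is taken as-is, so an expired or mistyped token is only discovered by the next command that uses the saved login, assuming the code after the hunk stores it in the cached identity. At minimum the branch deserves a comment such as `// --token supplied: authentication is skipped and the token is not validated here`, and one authenticated request to the controller before saving would keep an unusable session out of the cache. Inside the guarded branch, `o.Printf("Token: %v\n", o.Token)` still writes the session token to the command output, where it can end up in CI logs and terminal scrollback; printing it only on explicit request would be safer. `Run` starts above the hunk and continues past it.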
@@ -44,7 +44,7 @@ func newCreateServiceCmd(out io.Writer, errOut io.Writer) *cobra.Command { Use: "service ", Short: "creates a service managed by the Ziti Edge Controller", Long: "creates a service managed by the Ziti Edge Controller", - Args: cobra.MinimumNArgs(1), + Args: cobra.ExactArgs(1), Run: func(cmd *cobra.Command, args []string) { options.Cmd = cmd options.Args = args diff --git a/ziti/cmd/edge/create_terminator.go b/ziti/cmd/edge/create_terminator.go index 2932dd4a4..5c8494880 100644 --- a/ziti/cmd/edge/create_terminator.go +++ b/ziti/cmd/edge/create_terminator.go @@ -19,8 +19,8 @@ package edge import ( "fmt" "github.com/Jeffail/gabs" - "github.com/openziti/ziti/router/xgress_edge_transport" "github.com/openziti/foundation/v2/stringz" + "github.com/openziti/ziti/router/xgress_edge_transport" "github.com/openziti/ziti/ziti/cmd/api" cmdhelper "github.com/openziti/ziti/ziti/cmd/helpers" "github.com/spf13/cobra" From bc505b044c3103999a815ab1c52897982bcf360f Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Thu, 26 Sep 2024 19:05:55 -0400 Subject: [PATCH 20/37] Add some filter examples to list command. Fixes #1479 --- ziti/cmd/edge/list.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/ziti/cmd/edge/list.go b/ziti/cmd/edge/list.go index a3bb60560..fc5a6282e 100644 --- a/ziti/cmd/edge/list.go +++ b/ziti/cmd/edge/list.go 
@@ -42,6 +42,19 @@ import ( "github.com/spf13/cobra" ) +const filterExamplesTemplate = " # use skip and limit for paging\n" + + " ziti edge list %s 'skip 10 limit 10'\n\n" + + " # fields can be filtered using =, !=, <, >, <=, >=, in, between, contains and icontains (for case insensitive searches) \n" + + " ziti edge list configs 'name = \"test\"'\n\n" + + " # filters can be combined using and, or and parenthesis\n" + + " ziti edge list service-policies 'name in [\"echo-dial\", \"echo-bind\"] and semantic=\"AllOf\"'\n\n" + + " # roleAttributes is a list and requires a set function like anyOf, allOf, count and isEmpty\n" + + " ziti edge list identities 'anyOf(roleAttributes) contains \"echo\" skip 5 limit 20'\n\n" + + " # datetimes are specified using the RFC3339 format\n" + + " ziti edge list services 'name contains \"test\" or createdAt > datetime(2000-01-02T03:04:05Z)'\n\n" + + " # entities can be searched by tag, using tag. with some filter\n" + + " ziti edge list edge-routers 'tags.foo = \"bar\"'" + // newListCmd creates a command object for the "controller list" command func newListCmd(out io.Writer, errOut io.Writer) *cobra.Command { cmd := &cobra.Command{ @@ -52,6 +65,7 @@ func newListCmd(out io.Writer, errOut io.Writer) *cobra.Command { err := cmd.Help() cmdhelper.CheckErr(err) }, + Example: fmt.Sprintf(filterExamplesTemplate, "services"), } newOptions := func() *api.Options { @@ -187,6 +201,7 @@ func newListCmdForEntityType(entityType string, command listCommandRunner, optio cmdhelper.CheckErr(err) }, SuggestFor: []string{}, + Example: fmt.Sprintf(filterExamplesTemplate, entityType), } // allow interspersing positional args and flags @@ -215,6 +230,7 @@ func newListServicesCmd(options *api.Options) *cobra.Command { err := runListServices(asIdentity, configTypes, roleFilters, roleSemantic, options) cmdhelper.CheckErr(err) }, + Example: fmt.Sprintf(filterExamplesTemplate, "services"), SuggestFor: []string{}, } 
@@ -247,6 +263,7 @@ func newListEdgeRoutersCmd(options *api.Options) *cobra.Command { err := runListEdgeRouters(roleFilters, roleSemantic, options) cmdhelper.CheckErr(err) }, + Example: fmt.Sprintf(filterExamplesTemplate, "edge-routers"), SuggestFor: []string{}, } @@ -276,6 +293,7 @@ func newListIdentitiesCmd(options *api.Options) *cobra.Command { err := runListIdentities(roleFilters, roleSemantic, options) cmdhelper.CheckErr(err) }, + Example: fmt.Sprintf(filterExamplesTemplate, "identities"), SuggestFor: []string{}, } @@ -303,6 +321,7 @@ func newSubListCmdForEntityType(entityType string, subType string, outputF outpu err := runListChildren(entityType, subType, options, outputF) cmdhelper.CheckErr(err) }, + Example: fmt.Sprintf(filterExamplesTemplate, "service configs"), SuggestFor: []string{}, } From 344d770a84aa7d6c2acb75cd2ffe4a4d56c4f80e Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Fri, 27 Sep 2024 07:28:48 -0400 Subject: [PATCH 21/37] quiet the mkdir from complaining the directory already exists --- quickstart/docker/image/getZiti.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/docker/image/getZiti.ps1 b/quickstart/docker/image/getZiti.ps1 index 5927da8cd..1170d54ec 100644 --- a/quickstart/docker/image/getZiti.ps1 +++ b/quickstart/docker/image/getZiti.ps1 @@ -55,9 +55,9 @@ if($toDir.Trim() -eq "") { $zipFile="${toDir}${dirSeparator}${name}" if($(Test-Path -Path $zipFile -PathType Leaf)) { - Write-Output "The file has already been downloading. No need to download again" + Write-Output "The distribution has already been downloaded to $zipFile. Not downloading again" } else { - mkdir -p "${toDir}" + New-Item -Force -ItemType Directory -Path "${toDir}" Write-Output "Downloading file " Write-Output " from: ${downloadUrl} " Write-Output " to: ${zipFile}" From 8ba72d1b0b9141ffe38308c8e9abbb854ff7b17b Mon Sep 17 00:00:00 2001 
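Review bot: In `newSubListCmdForEntityType` the example is built from the literal `"service configs"`, so every sub-list command will show `ziti edge list service configs ...` whatever `entityType` and `subType` are. Building it from the arguments, for instance `Example: fmt.Sprintf(filterExamplesTemplate, entityType+" "+subType),`, keeps the help text in step with the command being documented; the exact argument order should follow that command's `Use` string, which is outside the hunk. Only the first example in `filterExamplesTemplate` takes the `%s`, so the remaining lines will name other entity types on every command; a short comment on the constant saying that this is intentional would avoid confusion.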
From: Kenneth Bingham Date: Fri, 27 Sep 2024 12:53:09 -0400 Subject: [PATCH 22/37] assume ziti edge login command uses mgmt API unless --admin=false --- ziti/cmd/edge/login.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index 0912c3031..1117c5b0b 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go @@ -52,6 +52,7 @@ type LoginOptions struct { ClientKey string ExtJwt string File string + Admin bool FileCertCreds *edge_apis.IdentityCredentials } @@ -92,6 +93,7 @@ func NewLoginCmd(out io.Writer, errOut io.Writer) *cobra.Command { cmd.Flags().StringVarP(&options.ClientKey, "client-key", "k", "", "The key to use with certificate authentication") cmd.Flags().StringVarP(&options.ExtJwt, "ext-jwt", "e", "", "A file containing a JWT from an external provider to be used for authentication") cmd.Flags().StringVarP(&options.File, "file", "f", "", "An identity file to use for authentication") + cmd.Flags().BoolVar(&options.Admin, "admin", true, "If set false, login to client API instead of management API") options.AddCommonFlags(cmd) @@ -121,6 +123,10 @@ func (o *LoginOptions) Run() error { if len(cfg.ZtAPIs) > 0 { host = cfg.ZtAPIs[0] } + + if o.Admin { + host = strings.Replace(host, "/edge/client/v1", "/edge/management/v1", 1) + } } id := config.GetIdentity() From 7c2532632bbdcdc3a6d9e7d4d22118ff6c39bf54 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 27 Sep 2024 12:55:17 -0400 Subject: [PATCH 23/37] assume ziti edge login command uses client API if --admin=false --- ziti/cmd/edge/login.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index 1117c5b0b..03daf14b4 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go 
@@ -126,6 +126,8 @@ func (o *LoginOptions) Run() error { if o.Admin { host = strings.Replace(host, "/edge/client/v1", "/edge/management/v1", 1) + } else { + host = strings.Replace(host, "/edge/management/v1", "/edge/client/v1", 1) } } From 209f099c07262fc06eb5ce31f1a2a773371062cd Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 27 Sep 2024 13:11:31 -0400 Subject: [PATCH 24/37] revert admin bool and simply truncate path part of ztAPI if login with --file so existing logic will append correct mgmt base path if appropriate --- ziti/cmd/edge/login.go | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index 03daf14b4..22e42b99f 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go @@ -52,7 +52,6 @@ type LoginOptions struct { ClientKey string ExtJwt string File string - Admin bool FileCertCreds *edge_apis.IdentityCredentials } @@ -93,7 +92,6 @@ func NewLoginCmd(out io.Writer, errOut io.Writer) *cobra.Command { cmd.Flags().StringVarP(&options.ClientKey, "client-key", "k", "", "The key to use with certificate authentication") cmd.Flags().StringVarP(&options.ExtJwt, "ext-jwt", "e", "", "A file containing a JWT from an external provider to be used for authentication") cmd.Flags().StringVarP(&options.File, "file", "f", "", "An identity file to use for authentication") - cmd.Flags().BoolVar(&options.Admin, "admin", true, "If set false, login to client API instead of management API") options.AddCommonFlags(cmd) @@ -124,11 +122,8 @@ func (o *LoginOptions) Run() error { host = cfg.ZtAPIs[0] } - if o.Admin { - host = strings.Replace(host, "/edge/client/v1", "/edge/management/v1", 1) - } else { - host = strings.Replace(host, "/edge/management/v1", "/edge/client/v1", 1) - } + host = strings.TrimSuffix(host, "/edge/client/v1") + } id := config.GetIdentity() From 327b45f33fc4f252d919038c5b60f875584a5c4c Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Fri, 27 Sep 2024 13:48:41 -0400 Subject: [PATCH 25/37] use the parsed HTTP origin instead of truncating the path part --- ziti/cmd/edge/login.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index 22e42b99f..c6e2c47ed 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go @@ -116,14 +116,19 @@ func (o *LoginOptions) Run() error { idCredentials := edge_apis.NewIdentityCredentialsFromConfig(cfg.ID) o.FileCertCreds = idCredentials - host = cfg.ZtAPI + ztAPI := cfg.ZtAPI + // override with the first HA client API URL if defined if len(cfg.ZtAPIs) > 0 { - host = cfg.ZtAPIs[0] + ztAPI = cfg.ZtAPIs[0] } - host = strings.TrimSuffix(host, "/edge/client/v1") + parsedZtAPI, err := url.Parse(ztAPI) + if err != nil { + return errors.Wrap(err, "invalid client API URL in ztAPI property of identity file") + } + host = parsedZtAPI.Scheme + "://" + parsedZtAPI.Host } id := config.GetIdentity() From 7d539e5cb8a970e38664912bb5f132304ac78dea Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 27 Sep 2024 13:54:28 -0400 Subject: [PATCH 26/37] only assign the host to host --- ziti/cmd/edge/login.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ziti/cmd/edge/login.go b/ziti/cmd/edge/login.go index c6e2c47ed..bed5c45a6 100644 --- a/ziti/cmd/edge/login.go +++ b/ziti/cmd/edge/login.go @@ -125,10 +125,10 @@ func (o *LoginOptions) Run() error { parsedZtAPI, err := url.Parse(ztAPI) if err != nil { - return errors.Wrap(err, "invalid client API URL in ztAPI property of identity file") + return fmt.Errorf("could not parse ztAPI '%s' as a URL", ztAPI) } - host = parsedZtAPI.Scheme + "://" + parsedZtAPI.Host + host = parsedZtAPI.Host } id := config.GetIdentity() From d06da0f2c6e6f25cf2b981cfa10432dc6ec6115e Mon Sep 17 00:00:00 2001 
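Review bot: In the last `login.go` hunk, `url.Parse` accepts a scheme-less value such as `ctrl.example.com/edge/client/v1` (constructed example) without error and leaves `Host` empty, so `host = parsedZtAPI.Host` can silently become `""`. A guard after the error check, `if parsedZtAPI.Host == "" { return fmt.Errorf("ztAPI '%s' has no host", ztAPI) }`, would reject such identity files up front. The rewritten message also drops the parse error itself; `return fmt.Errorf("could not parse ztAPI '%s' as a URL: %w", ztAPI, err)` keeps it for the caller. Since the scheme is no longer carried into `host`, it is worth confirming that the code after this hunk always supplies `https://`. `Run` starts above the hunk and continues below it.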
From: Andrew Martinez Date: Mon, 30 Sep 2024 10:03:35 -0400 Subject: [PATCH 27/37] fixes #2455 uses std base64 decoding for x5c property per RFC --- controller/model/authenticator_mod_ext_jwt.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/controller/model/authenticator_mod_ext_jwt.go b/controller/model/authenticator_mod_ext_jwt.go index 66636df42..6d99beeac 100644 --- a/controller/model/authenticator_mod_ext_jwt.go +++ b/controller/model/authenticator_mod_ext_jwt.go @@ -185,7 +185,9 @@ func (r *signerRecord) Resolve(force bool) error { for _, key := range jwksResponse.Keys { //if we have an x509chain the first must be the signing key if len(key.X509Chain) != 0 { - x509Der, err := base64.RawURLEncoding.DecodeString(key.X509Chain[0]) + // x5c is the only attribute with padding according to + // RFC 7517 Section-4.7 "x5c" (X.509 Certificate Chain) Parameter + x509Der, err := base64.StdEncoding.DecodeString(key.X509Chain[0]) if err != nil { return fmt.Errorf("could not parse JWKS keys: %v", err) From e2aa2d206b2c73da81f9fdc4ea30c29dc7f3ad49 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Fri, 27 Sep 2024 17:56:30 -0400 Subject: [PATCH 28/37] Don't build shaper test binary. Fixes #2454 --- .github/workflows/release.yml | 16 ++++++++++------ CHANGELOG.md | 9 ++++++++- tests/shaper/main.go | 2 ++ 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 09b65179f..985dd7e96 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
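Review bot: The decode failure for `key.X509Chain[0]` is reported as `could not parse JWKS keys: %v`, which neither says that base64 decoding of `x5c` failed nor identifies the key, and the `return` inside the loop makes one bad entry fail the whole `Resolve` for that signer. After the switch to `base64.StdEncoding`, a JWKS that was previously accepted with unpadded URL-safe encoding will now hit this path, so a message like `return fmt.Errorf("could not base64-decode x5c[0] of JWKS key: %w", err)` would make the resulting authentication failures quicker to diagnose. RFC 7517 section 4.7 also requires the key in the first certificate to match the key described by the JWK's other members; the hunk does not show that comparison, so it is worth confirming further down in `Resolve`, which continues outside the hunk.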
@@ -38,8 +38,8 @@ jobs: shell: bash run: | go install github.com/mitchellh/gox@latest - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./... - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./... + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./ziti/ + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./ziti/ - name: Upload artifacts uses: actions/upload-artifact@v4 @@ -71,7 +71,7 @@ jobs: shell: bash run: | go install github.com/mitchellh/gox@latest - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./... + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./ziti/ - name: Upload artifacts uses: actions/upload-artifact@v4 
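Review bot: The release jobs still run `go install github.com/mitchellh/gox@latest`, so the tool that compiles the published binaries is whatever version resolves at build time; this line appears in the `@@ -38,8` hunk and again in the `@@ -71,7` and `@@ -105,11` hunks. Pinning it, e.g. `go install github.com/mitchellh/gox@<pinned-version>` with the version recorded in the repository, makes release builds repeatable and keeps an upstream change from flowing straight into the archives. A comment next to the build target, `# build only ./ziti/ so test mains such as tests/shaper are never packaged`, would record why `./...` must not come back. The steps continue outside these hunks.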
@@ -105,11 +105,11 @@ jobs: $(go env GOPATH)/bin/ziti-ci configure-git go install github.com/mitchellh/gox@latest $(go env GOPATH)/bin/ziti-ci -t go-build-flags - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./... + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./ziti/ CC=arm-linux-gnueabihf-gcc \ - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./... + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./ziti/ CC=aarch64-linux-gnu-gcc \ - $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./... + $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./ziti/ - name: Upload artifacts uses: actions/upload-artifact@v4 @@ -228,6 +228,10 @@ jobs: shell: bash run: | $(go env GOPATH)/bin/ziti-ci configure-git + $(go env GOPATH)/bin/ziti-ci publish-to-github -t --prerelease --archive-base "" --dry-run + mkdir tmp + tar xfzv ./release/ziti-linux-amd64-* -C ./tmp + $(go env GOPATH)/bin/ziti-ci verify-current-version -t $(./tmp/ziti version) $(go env GOPATH)/bin/ziti-ci publish-to-github -t --prerelease --archive-base "" # only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches diff --git a/CHANGELOG.md b/CHANGELOG.md index 51753b458..23de00267 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -# Release 1.1.13 +# Release 1.1.14 ## What's New 
@@ -7,10 +7,17 @@ ## Component Updates and Bug Fixes * github.com/openziti/xweb/v2: [v2.1.2 -> v2.1.3](https://github.com/openziti/xweb/compare/v2.1.2...v2.1.3) + * [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive * [Issue #2429](https://github.com/openziti/ziti/issues/2429) - Controller configurations without default Edge API binding panics * github.com/openziti/ziti: [v1.1.12 -> v1.1.13](https://github.com/openziti/ziti/compare/v1.1.12...v1.1.13) * [Issue #2427](https://github.com/openziti/ziti/issues/2427) - Add low overhead xgress protocol for DTLS links * [Issue #2422](https://github.com/openziti/ziti/issues/2422) - Busy first hop links should backpressure to xgress senders + * support using "\*" in host.v1/host.v2 allowedAddresses + + +# Release 1.1.13 + +This release will not be promoted, as a test binary was unintentionally released in the release archives. # Release 1.1.12 diff --git a/tests/shaper/main.go b/tests/shaper/main.go index 378747b41..85198d49b 100644 --- a/tests/shaper/main.go +++ b/tests/shaper/main.go @@ -1,3 +1,5 @@ +//go:build all + package main import ( From 3120aeb51c5374f75fa0fd0b9317ac0b807c301d Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Mon, 30 Sep 2024 11:10:49 -0400 Subject: [PATCH 29/37] update deps --- go.mod | 2 +- go.sum | 4 ++-- zititest/go.mod | 2 +- zititest/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index c2fa54e57..4a8e78cd8 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( github.com/openziti/edge-api v0.26.30 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 - github.com/openziti/jwks v1.0.5 + github.com/openziti/jwks v1.0.6 github.com/openziti/metrics v1.2.58 github.com/openziti/runzmd v1.0.51 github.com/openziti/sdk-golang v0.23.42 diff --git a/go.sum b/go.sum index e6c0f5c37..52d48e973 100644 --- a/go.sum +++ b/go.sum 
@@ -582,8 +582,8 @@ github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/ github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= github.com/openziti/identity v1.0.85/go.mod h1:beIXWNDImEjZn93XPOorJzyuQCQUYOvKFQ0fWhLN2qM= -github.com/openziti/jwks v1.0.5 h1:JVoOeccqLEtKBc9GcyJODVZYVk50YwEaDTocm+KgKbI= -github.com/openziti/jwks v1.0.5/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= +github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE= +github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1tM= github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs= github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc= diff --git a/zititest/go.mod b/zititest/go.mod index fe3538432..c5c99526a 100644 --- a/zititest/go.mod +++ b/zititest/go.mod @@ -141,7 +141,7 @@ require ( github.com/openziti-incubator/cf v0.0.3 // indirect github.com/openziti/cobra-to-md v1.0.1 // indirect github.com/openziti/dilithium v0.3.5 // indirect - github.com/openziti/jwks v1.0.5 // indirect + github.com/openziti/jwks v1.0.6 // indirect github.com/openziti/metrics v1.2.58 // indirect github.com/openziti/runzmd v1.0.51 // indirect github.com/openziti/secretstream v0.1.24 // indirect diff --git a/zititest/go.sum b/zititest/go.sum index d1e6ca1e3..8149d2aad 100644 --- a/zititest/go.sum +++ b/zititest/go.sum 
@@ -606,8 +606,8 @@ github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/ github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= github.com/openziti/identity v1.0.85/go.mod h1:beIXWNDImEjZn93XPOorJzyuQCQUYOvKFQ0fWhLN2qM= -github.com/openziti/jwks v1.0.5 h1:JVoOeccqLEtKBc9GcyJODVZYVk50YwEaDTocm+KgKbI= -github.com/openziti/jwks v1.0.5/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= +github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE= +github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1tM= github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs= github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc= From 4dfecdc767ef4850e29b6de070db9e01be6c1add Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:11:22 +0000 Subject: [PATCH 30/37] Bump github.com/go-resty/resty/v2 Bumps the third-party group with 1 update in the / directory: [github.com/go-resty/resty/v2](https://github.com/go-resty/resty). Updates `github.com/go-resty/resty/v2` from 2.15.0 to 2.15.3 - [Release notes](https://github.com/go-resty/resty/releases) - [Commits](https://github.com/go-resty/resty/compare/v2.15.0...v2.15.3) --- updated-dependencies: - dependency-name: github.com/go-resty/resty/v2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: third-party ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c2fa54e57..ffd3b218b 100644 --- a/go.mod +++ b/go.mod 
@@ -27,7 +27,7 @@ require ( github.com/go-openapi/strfmt v0.23.0 github.com/go-openapi/swag v0.23.0 github.com/go-openapi/validate v0.24.0 - github.com/go-resty/resty/v2 v2.15.0 + github.com/go-resty/resty/v2 v2.15.3 github.com/golang-jwt/jwt/v5 v5.2.1 github.com/google/go-cmp v0.6.0 github.com/google/gopacket v1.1.19 diff --git a/go.sum b/go.sum index e6c0f5c37..43a68812a 100644 --- a/go.sum +++ b/go.sum @@ -240,8 +240,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= -github.com/go-resty/resty/v2 v2.15.0 h1:clPQLZ2x9h4yGY81IzpMPnty+xoGyFaDg0XMkCsHf90= -github.com/go-resty/resty/v2 v2.15.0/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU= +github.com/go-resty/resty/v2 v2.15.3 h1:bqff+hcqAflpiF591hhJzNdkRsFhlB96CYfBwSFvql8= +github.com/go-resty/resty/v2 v2.15.3/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= From 12938c99dae427e0cfd98f09ad7ea00b927f3dda Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:11:26 +0000 Subject: [PATCH 31/37] Bump the openziti group across 1 directory with 2 updates Bumps the openziti group with 2 updates in the / directory: [github.com/openziti/edge-api](https://github.com/openziti/edge-api) and [github.com/openziti/jwks](https://github.com/openziti/jwks). Updates `github.com/openziti/edge-api` from 0.26.30 to 0.26.31 - [Release notes](https://github.com/openziti/edge-api/releases) - [Commits](https://github.com/openziti/edge-api/compare/v0.26.30...v0.26.31) Updates `github.com/openziti/jwks` from 1.0.5 to 1.0.6 - [Release notes](https://github.com/openziti/jwks/releases) - [Commits](https://github.com/openziti/jwks/compare/v1.0.5...v1.0.6) --- updated-dependencies: - dependency-name: github.com/openziti/edge-api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: openziti - dependency-name: github.com/openziti/jwks dependency-type: direct:production update-type: version-update:semver-patch dependency-group: openziti ... Signed-off-by: dependabot[bot] --- go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index c2fa54e57..37402ade4 100644 --- a/go.mod +++ b/go.mod @@ -52,10 +52,10 @@ require ( github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.3 github.com/openziti/cobra-to-md v1.0.1 - github.com/openziti/edge-api v0.26.30 + github.com/openziti/edge-api v0.26.31 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 - github.com/openziti/jwks v1.0.5 + github.com/openziti/jwks v1.0.6 github.com/openziti/metrics v1.2.58 github.com/openziti/runzmd v1.0.51 github.com/openziti/sdk-golang v0.23.42 
@@ -185,11 +185,11 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect - go.mongodb.org/mongo-driver v1.16.1 // indirect + go.mongodb.org/mongo-driver v1.17.0 // indirect go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect - go.opentelemetry.io/otel v1.29.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect diff --git a/go.sum b/go.sum index e6c0f5c37..5866321a1 100644 --- a/go.sum +++ b/go.sum 
@@ -576,14 +576,14 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.30 h1:Zeit+UJbMhL8aJkcHKsq7XyRX2b7p/hBWL3nzo60gS8= -github.com/openziti/edge-api v0.26.30/go.mod h1:Ya4b6u+SmkqSU2HsWxahwhZ3g+aBqW8mzfm/OOSdCNM= +github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= +github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= github.com/openziti/identity v1.0.85/go.mod h1:beIXWNDImEjZn93XPOorJzyuQCQUYOvKFQ0fWhLN2qM= -github.com/openziti/jwks v1.0.5 h1:JVoOeccqLEtKBc9GcyJODVZYVk50YwEaDTocm+KgKbI= -github.com/openziti/jwks v1.0.5/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= +github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE= +github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ= github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1tM= github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs= github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc= 
@@ -817,8 +817,8 @@ go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= -go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= +go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= 
@@ -829,14 +829,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= From 4cc501eda33de85e815a12f76600642333037fd1 Mon Sep 17 00:00:00 2001 
From: Andrew Martinez Date: Mon, 30 Sep 2024 13:20:30 -0400 Subject: [PATCH 32/37] fix encoding in test jwks server --- tests/auth_external_jwt_signer_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/auth_external_jwt_signer_test.go b/tests/auth_external_jwt_signer_test.go index dcc3c0d7e..a37cb257a 100644 --- a/tests/auth_external_jwt_signer_test.go +++ b/tests/auth_external_jwt_signer_test.go @@ -125,7 +125,7 @@ func (js *jwksServer) handleJWKS(w http.ResponseWriter, _ *http.Request) { var keys []jsonWebKey for _, cert := range js.certificates { - certBase64 := base64.RawURLEncoding.EncodeToString(cert.Raw) + certBase64 := base64.StdEncoding.EncodeToString(cert.Raw) key := jsonWebKey{ Kid: cert.Subject.CommonName, X5C: []string{certBase64}, From 2cb0f4492835e6dcb55d1b9fa68f3c7a26619a14 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 25 Sep 2024 16:14:18 -0400 Subject: [PATCH 33/37] Fix incorrect health checks warning. Fixes #2424 --- router/config.go | 1 + 1 file changed, 1 insertion(+) diff --git a/router/config.go b/router/config.go index 2d16cb95d..0b2009ee8 100644 --- a/router/config.go +++ b/router/config.go @@ -757,6 +757,7 @@ func LoadConfig(path string) (*Config, error) { pfxlog.Logger().Warn("invalid [healthChecks.linkCheck] stanza") } } + } else { pfxlog.Logger().Warn("invalid [healthChecks] stanza") } } From 694b9dc18d78a827620f46ba9ddd8de99615ed0f Mon Sep 17 00:00:00 2001 
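Review bot: The switch to `base64.StdEncoding` in `handleJWKS` deserves a one-line comment, because nothing in the loop says why the certificate must not be base64url-encoded. RFC 7517 section 4.7 defines each `x5c` entry as standard base64 of the DER certificate, so a comment such as `// x5c entries are standard base64 DER, not base64url (RFC 7517 section 4.7)` above the `certBase64` line would keep the encoding from being flipped back. The body of `handleJWKS` continues outside the hunk.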
From: Paul Lorenz Date: Wed, 25 Sep 2024 16:13:04 -0400 Subject: [PATCH 34/37] Add events for JWT session for create/refresh/exchange. Fixes #2119 --- CHANGELOG.md | 11 ++++++++ controller/env/appenv.go | 4 +++ controller/event/api_session.go | 6 +++++ controller/event/dispatcher.go | 1 + controller/event/dispatcher_mock.go | 2 ++ controller/events/dispatcher_api_session.go | 20 +++++++++------ controller/model/env.go | 1 + controller/model/testing.go | 4 +++ controller/oidc_auth/storage.go | 28 ++++++++++++++++++--- zititest/go.mod | 12 ++++----- zititest/go.sum | 24 +++++++++--------- zititest/models/smoke/configs/ctrl.yml.tmpl | 16 ++++++------ 12 files changed, 92 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 23de00267..9833a0fd5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,17 @@ ## Component Updates and Bug Fixes +* github.com/openziti/edge-api: [v0.26.30 -> v0.26.31](https://github.com/openziti/edge-api/compare/v0.26.30...v0.26.31) +* github.com/openziti/jwks: [v1.0.5 -> v1.0.6](https://github.com/openziti/jwks/compare/v1.0.5...v1.0.6) +* github.com/openziti/ziti: [v1.1.13 -> v1.1.14](https://github.com/openziti/ziti/compare/v1.1.13...v1.1.14) + * [Issue #2119](https://github.com/openziti/ziti/issues/2119) - Add authentication events + * [Issue #2424](https://github.com/openziti/ziti/issues/2424) - Enabling any health check causes WARNING to be logged + * [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive + * [Issue #1479](https://github.com/openziti/ziti/issues/1479) - ziti edge list ... show paginated output but no suggestions on how to go to next page + * [Issue #1420](https://github.com/openziti/ziti/issues/1420) - ziti-cli comma+space causes unhelpful error + * [Issue #2207](https://github.com/openziti/ziti/issues/2207) - ziti edge login --token -- gets "username and password fields are required" + * [Issue #2444](https://github.com/openziti/ziti/issues/2444) - Change default semantic for policies created from the CLI from AllOf to AnyOf + * github.com/openziti/xweb/v2: [v2.1.2 -> v2.1.3](https://github.com/openziti/xweb/compare/v2.1.2...v2.1.3) * [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive * [Issue #2429](https://github.com/openziti/ziti/issues/2429) - Controller configurations without default Edge API binding panics diff --git a/controller/env/appenv.go b/controller/env/appenv.go index ec94af460..04beb51ed 100644 --- a/controller/env/appenv.go +++ b/controller/env/appenv.go 
@@ -258,6 +258,10 @@ func (ae *AppEnv) GetManagers() *model.Managers { return ae.Managers } +func (ae *AppEnv) GetEventDispatcher() event.Dispatcher { + return ae.HostController.GetEventDispatcher() +} + func (ae *AppEnv) GetConfig() *config.Config { return ae.HostController.GetConfig() } diff --git a/controller/event/api_session.go b/controller/event/api_session.go index 48c116433..dc957a6d1 100644 --- a/controller/event/api_session.go +++ b/controller/event/api_session.go @@ -23,12 +23,18 @@ import ( const ApiSessionEventTypeCreated = "created" const ApiSessionEventTypeDeleted = "deleted" +const ApiSessionEventTypeRefreshed = "refreshed" +const ApiSessionEventTypeExchanged = "exchanged" const ApiSessionEventNS = "edge.apiSessions" +const ApiSessionTypeLegacy = "legacy" +const ApiSessionTypeJwt = "jwt" + type ApiSessionEvent struct { Namespace string `json:"namespace"` EventType string `json:"event_type"` Id string `json:"id"` + Type string `json:"type"` Timestamp time.Time `json:"timestamp"` Token string `json:"token"` IdentityId string `json:"identity_id"` diff --git a/controller/event/dispatcher.go b/controller/event/dispatcher.go index 0055ac4a4..d89241f80 100644 --- a/controller/event/dispatcher.go +++ b/controller/event/dispatcher.go @@ -124,6 +124,7 @@ type Dispatcher interface { AddEntityCountEventHandler(handler EntityCountEventHandler, interval time.Duration, onlyLeaderEvents bool) RemoveEntityCountEventHandler(handler EntityCountEventHandler) + ApiSessionEventHandler CircuitEventHandler EntityChangeEventHandler LinkEventHandler diff --git a/controller/event/dispatcher_mock.go b/controller/event/dispatcher_mock.go index e2fe0c1c0..a3334f00c 100644 --- a/controller/event/dispatcher_mock.go +++ b/controller/event/dispatcher_mock.go 
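Review bot: The new `Type` field and the `ApiSessionTypeLegacy`/`ApiSessionTypeJwt` constants in controller/event/api_session.go have no doc comments, and the struct does not say which fields are populated for which type. The JWT events built in controller/oidc_auth/storage.go in this same patch set `Id`, `IdentityId` and `IpAddress` but leave `Token` empty, while the legacy events in dispatcher_api_session.go fill it from `apiSession.Token`. A comment on the struct such as `// Token is only set when Type is "legacy"; JWT session events never carry the token.` would tell event consumers not to key on it. The struct definition continues past the end of the hunk.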
@@ -27,6 +27,8 @@ var _ Dispatcher = DispatcherMock{} type DispatcherMock struct{} +func (d DispatcherMock) AcceptApiSessionEvent(event *ApiSessionEvent) {} + func (d DispatcherMock) AddApiSessionEventHandler(handler ApiSessionEventHandler) {} func (d DispatcherMock) RemoveApiSessionEventHandler(handler ApiSessionEventHandler) {} diff --git a/controller/events/dispatcher_api_session.go b/controller/events/dispatcher_api_session.go index ca5d6a067..2e40c624a 100644 --- a/controller/events/dispatcher_api_session.go +++ b/controller/events/dispatcher_api_session.go 
@@ -48,36 +48,40 @@ func (self *Dispatcher) initApiSessionEvents(stores *db.Stores) { stores.ApiSession.AddEntityEventListenerF(self.apiSessionDeleted, boltz.EntityDeleted) } +func (self *Dispatcher) AcceptApiSessionEvent(evt *event.ApiSessionEvent) { + for _, handler := range self.apiSessionEventHandlers.Value() { + go handler.AcceptApiSessionEvent(evt) + } +} + func (self *Dispatcher) apiSessionCreated(apiSession *db.ApiSession) { - event := &event.ApiSessionEvent{ + evt := &event.ApiSessionEvent{ Namespace: event.ApiSessionEventNS, EventType: event.ApiSessionEventTypeCreated, Id: apiSession.Id, + Type: event.ApiSessionTypeLegacy, Timestamp: time.Now(), Token: apiSession.Token, IdentityId: apiSession.IdentityId, IpAddress: apiSession.IPAddress, } - for _, handler := range self.apiSessionEventHandlers.Value() { - go handler.AcceptApiSessionEvent(event) - } + self.AcceptApiSessionEvent(evt) } func (self *Dispatcher) apiSessionDeleted(apiSession *db.ApiSession) { - event := &event.ApiSessionEvent{ + evt := &event.ApiSessionEvent{ Namespace: event.ApiSessionEventNS, EventType: event.ApiSessionEventTypeDeleted, Id: apiSession.Id, + Type: event.ApiSessionTypeLegacy, Timestamp: time.Now(), Token: apiSession.Token, IdentityId: apiSession.IdentityId, IpAddress: apiSession.IPAddress, } - for _, handler := range self.apiSessionEventHandlers.Value() { - go handler.AcceptApiSessionEvent(event) - } + self.AcceptApiSessionEvent(evt) } func (self *Dispatcher) registerApiSessionEventHandler(val interface{}, config map[string]interface{}) error { diff --git a/controller/model/env.go b/controller/model/env.go index c77ad9148..2786b340e 100644 --- a/controller/model/env.go +++ b/controller/model/env.go @@ -34,6 +34,7 @@ import ( type Env interface { GetCommandDispatcher() command.Dispatcher GetManagers() *Managers + GetEventDispatcher() event.Dispatcher GetConfig() *config.Config GetDb() boltz.Db GetStores() *db.Stores 
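Review bot: `AcceptApiSessionEvent` starts one goroutine per handler for every event and hands each of them the same `*event.ApiSessionEvent`, so delivery order is not preserved and a handler that modifies the event would race with the others. Until now it was only reached from the store listeners registered in `initApiSessionEvents`, but this patch also calls it from `createAccessToken` in controller/oidc_auth/storage.go, so it runs on every JWT create, refresh and exchange. If subscribers use these events as an authentication audit trail, document on the method that ordering is best-effort and that handlers must treat the event as read-only, or deliver through a per-handler queue instead.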
diff --git a/controller/model/testing.go b/controller/model/testing.go index 2d184ef87..5adce694e 100644 --- a/controller/model/testing.go +++ b/controller/model/testing.go @@ -51,6 +51,10 @@ type TestContext struct { dispatcher command.Dispatcher } +func (ctx *TestContext) GetEventDispatcher() event.Dispatcher { + panic("implement me") +} + func (self *TestContext) GetCloseNotifyChannel() <-chan struct{} { return self.closeNotify } diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go index 69993a500..fc6ce23f4 100644 --- a/controller/oidc_auth/storage.go +++ b/controller/oidc_auth/storage.go @@ -8,6 +8,7 @@ import ( "errors" "fmt" "github.com/openziti/foundation/v2/errorz" + "github.com/openziti/ziti/controller/event" "gopkg.in/go-jose/go-jose.v2" "net/http" "strings" @@ -393,7 +394,7 @@ func (s *HybridStorage) DeleteAuthRequest(_ context.Context, id string) error { // CreateAccessToken implements the op.Storage interface func (s *HybridStorage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error) { - accessTokenId, accessClaims, err := s.createAccessToken(request) + accessTokenId, accessClaims, err := s.createAccessToken(ctx, request) if err != nil { return "", time.Time{}, err @@ -411,7 +412,7 @@ func (s *HybridStorage) CreateAccessToken(ctx context.Context, request op.TokenR } // createAccessToken converts an op.TokenRequest into an access token -func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *common.AccessClaims, error) { +func (s *HybridStorage) createAccessToken(ctx context.Context, request op.TokenRequest) (string, *common.AccessClaims, error) { now := time.Now() claims := &common.AccessClaims{ 
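Review bot: `TestContext.GetEventDispatcher` panics with "implement me", and this same patch makes `createAccessToken` call `s.env.GetEventDispatcher().AcceptApiSessionEvent(evt)`, so a test that reaches token creation with a `TestContext` as its environment would crash instead of failing cleanly. controller/event/dispatcher_mock.go already provides a no-op implementation (`var _ Dispatcher = DispatcherMock{}`), so the body could be `return event.DispatcherMock{}`. The receiver is also named `ctx` where the neighbouring method uses `self`.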
@@ -430,8 +431,11 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com CustomClaims: common.CustomClaims{}, } + var eventType = "unhandled" + switch req := request.(type) { case *AuthRequest: + eventType = event.ApiSessionEventTypeCreated claims.CustomClaims.ApiSessionId = req.ApiSessionId claims.CustomClaims.ApplicationId = req.ClientID claims.CustomClaims.ConfigTypes = req.ConfigTypes @@ -445,11 +449,13 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR() claims.ClientID = req.ClientID case *RefreshTokenRequest: + eventType = event.ApiSessionEventTypeRefreshed claims.CustomClaims = req.CustomClaims claims.AuthTime = req.AuthTime claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR() claims.ClientID = req.ClientID case op.TokenExchangeRequest: + eventType = event.ApiSessionEventTypeExchanged mapClaims := req.GetExchangeSubjectTokenClaims() subjectClaims := &common.AccessClaims{} if mapClaims != nil { 
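Review bot: `eventType` starts as the bare string `"unhandled"`, which is not one of the `ApiSessionEventType*` constants, and only the three visible cases overwrite it. If the switch has no default branch that returns early (the rest of it is outside these hunks), a request of any other type would later be published as an `edge.apiSessions` event with an event type that subscribers cannot match on. Either declare the value next to the other constants in controller/event/api_session.go or skip publishing when no case matched.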
@@ -501,12 +507,28 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com claims.CustomClaims.IsAdmin = identity.IsAdmin claims.CustomClaims.ExternalId = stringz.OrEmpty(identity.ExternalId) + ipAddr := "" + if httpRequest, _ := HttpRequestFromContext(ctx); httpRequest != nil { + ipAddr = httpRequest.RemoteAddr + } + + evt := &event.ApiSessionEvent{ + Namespace: event.ApiSessionEventNS, + EventType: eventType, + Id: claims.ApiSessionId, + Type: event.ApiSessionTypeJwt, + Timestamp: time.Now(), + IdentityId: identity.Id, + IpAddress: ipAddr, + } + s.env.GetEventDispatcher().AcceptApiSessionEvent(evt) + return claims.JWTID, claims, nil } // CreateAccessAndRefreshTokens implements the op.Storage interface func (s *HybridStorage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error) { - accessTokenId, accessClaims, err := s.createAccessToken(request) + accessTokenId, accessClaims, err := s.createAccessToken(ctx, request) if err != nil { return "", "", time.Time{}, err diff --git a/zititest/go.mod b/zititest/go.mod index c5c99526a..5417fefd3 100644 --- a/zititest/go.mod +++ b/zititest/go.mod @@ -12,7 +12,7 @@ require ( github.com/michaelquigley/pfxlog v0.6.10 github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.3 - github.com/openziti/edge-api v0.26.30 + github.com/openziti/edge-api v0.26.31 github.com/openziti/fablab v0.5.60 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 
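Review bot: `ipAddr = httpRequest.RemoteAddr` stores a `host:port` string in a field named `IpAddress`, while the legacy events fill the same field from `apiSession.IPAddress`, so the two session types may report the client in different formats and be harder to correlate in an audit log (whether the legacy value carries a port is not visible here). Splitting the port off keeps the field consistent: `if host, _, splitErr := net.SplitHostPort(httpRequest.RemoteAddr); splitErr == nil { ipAddr = host }`, with `net` imported if it is not already. The event is also published inside `createAccessToken`, before the visible callers `CreateAccessToken` and `CreateAccessAndRefreshTokens` have finished issuing the token, so a later failure there would still leave a created or refreshed event behind; publishing once the token has been produced avoids that. The discarded error from `HttpRequestFromContext` is acceptable for a best-effort field but should carry a short comment saying so.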
@@ -80,7 +80,7 @@ require ( github.com/go-openapi/strfmt v0.23.0 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect - github.com/go-resty/resty/v2 v2.15.0 // indirect + github.com/go-resty/resty/v2 v2.15.3 // indirect github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect @@ -182,11 +182,11 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect github.com/zitadel/oidc/v2 v2.12.2 // indirect - go.mongodb.org/mongo-driver v1.16.1 // indirect + go.mongodb.org/mongo-driver v1.17.0 // indirect go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect - go.opentelemetry.io/otel v1.29.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect go4.org v0.0.0-20180809161055-417644f6feb5 // indirect diff --git a/zititest/go.sum b/zititest/go.sum index 8149d2aad..50013284b 100644 --- a/zititest/go.sum +++ b/zititest/go.sum 
@@ -245,8 +245,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= -github.com/go-resty/resty/v2 v2.15.0 h1:clPQLZ2x9h4yGY81IzpMPnty+xoGyFaDg0XMkCsHf90= -github.com/go-resty/resty/v2 v2.15.0/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU= +github.com/go-resty/resty/v2 v2.15.3 h1:bqff+hcqAflpiF591hhJzNdkRsFhlB96CYfBwSFvql8= +github.com/go-resty/resty/v2 v2.15.3/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -598,8 +598,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.30 h1:Zeit+UJbMhL8aJkcHKsq7XyRX2b7p/hBWL3nzo60gS8= -github.com/openziti/edge-api v0.26.30/go.mod h1:Ya4b6u+SmkqSU2HsWxahwhZ3g+aBqW8mzfm/OOSdCNM= +github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= +github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y= github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= 
@@ -838,8 +838,8 @@ go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= -go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= +go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= 
@@ -850,14 +850,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= diff --git a/zititest/models/smoke/configs/ctrl.yml.tmpl b/zititest/models/smoke/configs/ctrl.yml.tmpl index e05a18c64..5ccfb98d0 100644 
--- a/zititest/models/smoke/configs/ctrl.yml.tmpl +++ b/zititest/models/smoke/configs/ctrl.yml.tmpl @@ -38,9 +38,9 @@ ctrl: # connections. The value of newListener must be resolvable both via DNS and validate via certificates #newListener: tls:localhost:6262 -#events: -# jsonLogger: -# subscriptions: +events: + jsonLogger: + subscriptions: # - type: fabric.routers # - type: fabric.terminators # - type: metrics @@ -52,16 +52,16 @@ ctrl: # - type: edge.sessions # include: # - created -# - type: edge.apiSessions + - type: edge.apiSessions # - type: fabric.usage # - type: services # - type: fabric.usage # - type: edge.entityCounts # interval: 5s -# handler: -# type: file -# format: json -# path: /tmp/ziti-events.log + handler: + type: file + format: json + path: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/logs/events.json healthChecks: boltCheck: From b8294a98b1560dde113b8c06ff857d3c87613c11 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Tue, 1 Oct 2024 09:41:52 -0400 Subject: [PATCH 35/37] Fix JWT refresh panic. Fixes #2460 --- CHANGELOG.md | 11 +++++++++++ controller/oidc_auth/storage.go | 3 +++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9833a0fd5..0e801f41a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# Release 1.1.15 + +## What's New + +* Panic fix related to controller HA + +## Component Updates and Bug Fixes + +* github.com/openziti/ziti: [v1.1.14 -> v1.1.15](https://github.com/openziti/ziti/compare/v1.1.14...v1.1.15) + * [Issue #2460](https://github.com/openziti/ziti/issues/2460) - Panic on JWT token refresh + # Release 1.1.14 ## What's New diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go index fc6ce23f4..b902a9ce6 100644 --- a/controller/oidc_auth/storage.go +++ b/controller/oidc_auth/storage.go 
@@ -601,6 +601,9 @@ func (s *HybridStorage) parseAccessToken(tokenStr string) (*jwt.Token, *common.A // TokenRequestByRefreshToken implements the op.Storage interface func (s *HybridStorage) TokenRequestByRefreshToken(_ context.Context, refreshToken string) (op.RefreshTokenRequest, error) { _, token, err := s.parseRefreshToken(refreshToken) + if err != nil { + return nil, err + } return &RefreshTokenRequest{*token}, err } From 1b47d525bb9007d94acbabc14b3d3f768d284b22 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Tue, 1 Oct 2024 22:59:18 -0400 Subject: [PATCH 36/37] Update deps and changelog --- CHANGELOG.md | 11 ++++++++++- controller/raft/mesh/mesh.go | 16 ++++++++++------ go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- zititest/go.mod | 10 +++++----- zititest/go.sum | 20 ++++++++++---------- 6 files changed, 50 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e801f41a..194ede250 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
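Review bot: With the new guard in `TokenRequestByRefreshToken`, `err` is always nil at the final return, so the last line should say so explicitly: `return &RefreshTokenRequest{*token}, nil`. The dereference `*token` still relies on `parseRefreshToken` never returning a nil token together with a nil error; that function is outside the hunk, so if it can, add a separate `if token == nil` check that returns an error, since the refresh token is caller-supplied input. A regression test that passes a malformed refresh token and expects an error rather than a panic would pin the fix for issue #2460.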
@@ -2,10 +2,19 @@ ## What's New -* Panic fix related to controller HA +* Bug fixes, enhancements and continuing progress on controller HA ## Component Updates and Bug Fixes +* github.com/openziti/channel/v3: [v3.0.3 -> v3.0.5](https://github.com/openziti/channel/compare/v3.0.3...v3.0.5) + * [Issue #146](https://github.com/openziti/channel/issues/146) - Transport options aren't being set in dialer + * [Issue #144](https://github.com/openziti/channel/issues/144) - Add ReadAdapter utility + +* github.com/openziti/edge-api: [v0.26.31 -> v0.26.32](https://github.com/openziti/edge-api/compare/v0.26.31...v0.26.32) +* github.com/openziti/sdk-golang: [v0.23.42 -> v0.23.43](https://github.com/openziti/sdk-golang/compare/v0.23.42...v0.23.43) + * [Issue #629](https://github.com/openziti/sdk-golang/issues/629) - JWT session refresh interprets expiration date incorrectly + +* github.com/openziti/secretstream: [v0.1.24 -> v0.1.25](https://github.com/openziti/secretstream/compare/v0.1.24...v0.1.25) * github.com/openziti/ziti: [v1.1.14 -> v1.1.15](https://github.com/openziti/ziti/compare/v1.1.14...v1.1.15) * [Issue #2460](https://github.com/openziti/ziti/issues/2460) - Panic on JWT token refresh diff --git a/controller/raft/mesh/mesh.go b/controller/raft/mesh/mesh.go index 7431bf09a..9ab950523 100644 --- a/controller/raft/mesh/mesh.go +++ b/controller/raft/mesh/mesh.go @@ -247,7 +247,7 @@ type impl struct { closeNotify chan struct{} closed atomic.Bool raftAccepts chan net.Conn - bindHandler channel.BindHandler + bindHandler concurrenz.AtomicValue[channel.BindHandler] version versions.VersionProvider versionEncoded []byte readonly atomic.Bool @@ -261,8 +261,8 @@ func (self *impl) RegisterClusterStateHandler(f func(state ClusterState)) { } func (self *impl) Init(bindHandler channel.BindHandler) { - if self.bindHandler == nil { - self.bindHandler = bindHandler + if self.bindHandler.Load() == nil { + self.bindHandler.Store(bindHandler) } } 
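Review bot: In `Init`, `self.bindHandler.Load() == nil` followed by `self.bindHandler.Store(bindHandler)` is still a check-then-act sequence, so moving the field to `concurrenz.AtomicValue` makes each access atomic but does not make "first caller wins" atomic; two concurrent `Init` calls can both see nil and both store. If `Init` can be called from more than one goroutine, guard the assignment with a `sync.Once` or a compare-and-swap. If it is only ever called once during startup, a comment on `Init` stating that would be enough.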
@@ -354,10 +354,10 @@ func (self *impl) GetOrConnectPeer(address string, timeout time.Duration) (*Peer } bindHandler := channel.BindHandlerF(func(binding channel.Binding) error { - if self.bindHandler == nil { + if self.bindHandler.Load() == nil { return errors.New("bindHandler not initialized, cannot initialize new channels") } - if err := self.bindHandler.BindChannel(binding); err != nil { + if err = self.bindHandler.Load().BindChannel(binding); err != nil { return err } @@ -594,7 +594,11 @@ func (self *impl) AcceptUnderlay(underlay channel.Underlay) error { return errors.Errorf("connection didn't provide id '%v' or address '%v', closing connection", id, addr) } - if err := binding.Bind(self.bindHandler); err != nil { + bh := self.bindHandler.Load() + if bh == nil { + return errors.New("bindHandler not initialized, can't accept controller connection") + } + if err = binding.Bind(bh); err != nil { _ = ch.Close() return errors.Wrapf(err, "error while binding channel from id '%v' or address '%v', closing connection", id, addr) } diff --git a/go.mod b/go.mod index 3ac947c6b..6c2aaf822 100644 --- a/go.mod +++ b/go.mod @@ -50,16 +50,16 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/natefinch/lumberjack v2.0.0+incompatible github.com/openziti/agent v1.0.18 - github.com/openziti/channel/v3 v3.0.3 + github.com/openziti/channel/v3 v3.0.5 github.com/openziti/cobra-to-md v1.0.1 - github.com/openziti/edge-api v0.26.31 + github.com/openziti/edge-api v0.26.32 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 github.com/openziti/jwks v1.0.6 github.com/openziti/metrics v1.2.58 github.com/openziti/runzmd v1.0.51 - github.com/openziti/sdk-golang v0.23.42 - github.com/openziti/secretstream v0.1.24 + github.com/openziti/sdk-golang v0.23.43 + github.com/openziti/secretstream v0.1.25 github.com/openziti/storage v0.3.2 github.com/openziti/transport/v2 v2.0.146 github.com/openziti/x509-claims v1.0.3 
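Review bot: The bind closure in `GetOrConnectPeer` calls `self.bindHandler.Load()` twice, once for the nil check and once for `BindChannel`, while `AcceptUnderlay` in the next hunk loads once into `bh` and uses that; the closure should follow the same pattern with `bh := self.bindHandler.Load()`, then `if bh == nil { ... }` and `bh.BindChannel(binding)`. Both hunks also change `err :=` to `err =`, so the result is now written to an `err` declared outside the `if`; in the closure that is presumably a variable captured from `GetOrConnectPeer`, which would then be written whenever the handler runs. Unless that is intended, keep the scoped `if err := ...` form. Both functions start and end outside the hunks.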
@@ -186,7 +186,7 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.mongodb.org/mongo-driver v1.17.0 // indirect - go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect + go.mozilla.org/pkcs7 v0.9.0 // indirect go.opentelemetry.io/otel v1.30.0 // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect go.opentelemetry.io/otel/trace v1.30.0 // indirect diff --git a/go.sum b/go.sum index b08ed4e71..ed429d83e 100644 --- a/go.sum +++ b/go.sum 
@@ -570,14 +570,14 @@ github.com/openziti-incubator/cf v0.0.3 h1:JKs55DbaIxl87nI/Ra/3DHMiz5iaPpu8JjsuN github.com/openziti-incubator/cf v0.0.3/go.mod h1:6abCY06bCjKmK2I9kohij+cp9uXIPFiFwSCNZPdMk8E= github.com/openziti/agent v1.0.18 h1:+MP1AXGresJPcbhbsFdElpTWqrQW+VZOLya0V+/mGbE= github.com/openziti/agent v1.0.18/go.mod h1:HET46hghk8ahnVt/3mfVjmnL4NLNVZGnqvrQC3PbIn8= -github.com/openziti/channel/v3 v3.0.3 h1:rmC/YtDgHQkcoLQOPygdg7QKuou6BrMubR/bsoH73js= -github.com/openziti/channel/v3 v3.0.3/go.mod h1:MiVIlcPpcErv8E/TLDpxWNV1fGh8lb0g7qMlQGFYTec= +github.com/openziti/channel/v3 v3.0.5 h1:Dfjjknaej5XZ6IqwJzmL6jpB8Y3P9ejBSuOvPI5J05U= +github.com/openziti/channel/v3 v3.0.5/go.mod h1:MiVIlcPpcErv8E/TLDpxWNV1fGh8lb0g7qMlQGFYTec= github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQfVXxE= github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= -github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= +github.com/openziti/edge-api v0.26.32 h1:32oJI97cuM/kRJPEOwH2pe9dqwj56IYdQgTjTJaaHaU= +github.com/openziti/edge-api v0.26.32/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= 
@@ -588,10 +588,10 @@ github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1 github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs= github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc= github.com/openziti/runzmd v1.0.51/go.mod h1:TB2FZtxC6+jkZoJS21GY399j7Bo/05tGaULIyHO81s8= -github.com/openziti/sdk-golang v0.23.42 h1:27tkEQ58RrAjfVgUfUmC2HAbJdyO9WjnLfhOoQWj5Zk= -github.com/openziti/sdk-golang v0.23.42/go.mod h1:Nb9QU3zXtx4NoxZO/W7YhL+n46RY3p8sr5BR87kfcgo= -github.com/openziti/secretstream v0.1.24 h1:4MgfpoQ/jxdRMUrvi0MbXB4xw9Uu5A6e1TPrf9UaTWk= -github.com/openziti/secretstream v0.1.24/go.mod h1:7CZxW/G7AQ27G0K4v/hvzDN2pBHQmCvhao3Y70Q6Zy4= +github.com/openziti/sdk-golang v0.23.43 h1:n/Xaif9canea+T+VgNmfNhF2nNveXe4gdS35uUQgUIY= +github.com/openziti/sdk-golang v0.23.43/go.mod h1:6QsDMxGxX3Qsgpp4zVVHgBfr5XkXjIwRONS7onnaGvU= +github.com/openziti/secretstream v0.1.25 h1:40gHKcAcoXqKs0J7Tz1jTAmPoMXmMn4HP3Mg6scgJ5c= +github.com/openziti/secretstream v0.1.25/go.mod h1:zgBcyN7h/zLBIWeqSrWwlOGOMQW51oQGYYlkiArR6Ec= github.com/openziti/storage v0.3.2 h1:etRAT2asJvV1gKgj/eRu3st7AO0TKgDagsEpDdIj/l0= github.com/openziti/storage v0.3.2/go.mod h1:yTv6Rqs8Rk6nMPUD+96VXI5eWhOARTNLV0OPmgiK8I4= github.com/openziti/transport/v2 v2.0.146 h1:Wdr4udri/fFpdj9GR9DR7/FKqt/2cMTgBdt3gfrqFaQ= 
@@ -819,8 +819,8 @@ go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= +go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI= +go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= diff --git a/zititest/go.mod b/zititest/go.mod index 5417fefd3..121ea16d3 100644 --- a/zititest/go.mod +++ b/zititest/go.mod @@ -11,12 +11,12 @@ require ( github.com/google/uuid v1.6.0 github.com/michaelquigley/pfxlog v0.6.10 github.com/openziti/agent v1.0.18 - github.com/openziti/channel/v3 v3.0.3 - github.com/openziti/edge-api v0.26.31 + github.com/openziti/channel/v3 v3.0.5 + github.com/openziti/edge-api v0.26.32 github.com/openziti/fablab v0.5.60 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 - github.com/openziti/sdk-golang v0.23.42 + github.com/openziti/sdk-golang v0.23.43 github.com/openziti/storage v0.3.2 github.com/openziti/transport/v2 v2.0.146 github.com/openziti/ziti v0.28.3 
@@ -144,7 +144,7 @@ require ( github.com/openziti/jwks v1.0.6 // indirect github.com/openziti/metrics v1.2.58 // indirect github.com/openziti/runzmd v1.0.51 // indirect - github.com/openziti/secretstream v0.1.24 // indirect + github.com/openziti/secretstream v0.1.25 // indirect github.com/openziti/x509-claims v1.0.3 // indirect github.com/openziti/xweb/v2 v2.1.3 // indirect github.com/openziti/ziti-db-explorer v1.1.3 // indirect @@ -183,7 +183,7 @@ require ( github.com/yusufpapurcu/wmi v1.2.4 // indirect github.com/zitadel/oidc/v2 v2.12.2 // indirect go.mongodb.org/mongo-driver v1.17.0 // indirect - go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect + go.mozilla.org/pkcs7 v0.9.0 // indirect go.opentelemetry.io/otel v1.30.0 // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect go.opentelemetry.io/otel/trace v1.30.0 // indirect diff --git a/zititest/go.sum b/zititest/go.sum index 50013284b..70d705772 100644 --- a/zititest/go.sum +++ b/zititest/go.sum 
@@ -592,14 +592,14 @@ github.com/openziti-incubator/cf v0.0.3 h1:JKs55DbaIxl87nI/Ra/3DHMiz5iaPpu8JjsuN github.com/openziti-incubator/cf v0.0.3/go.mod h1:6abCY06bCjKmK2I9kohij+cp9uXIPFiFwSCNZPdMk8E= github.com/openziti/agent v1.0.18 h1:+MP1AXGresJPcbhbsFdElpTWqrQW+VZOLya0V+/mGbE= github.com/openziti/agent v1.0.18/go.mod h1:HET46hghk8ahnVt/3mfVjmnL4NLNVZGnqvrQC3PbIn8= -github.com/openziti/channel/v3 v3.0.3 h1:rmC/YtDgHQkcoLQOPygdg7QKuou6BrMubR/bsoH73js= -github.com/openziti/channel/v3 v3.0.3/go.mod h1:MiVIlcPpcErv8E/TLDpxWNV1fGh8lb0g7qMlQGFYTec= +github.com/openziti/channel/v3 v3.0.5 h1:Dfjjknaej5XZ6IqwJzmL6jpB8Y3P9ejBSuOvPI5J05U= +github.com/openziti/channel/v3 v3.0.5/go.mod h1:MiVIlcPpcErv8E/TLDpxWNV1fGh8lb0g7qMlQGFYTec= github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQfVXxE= github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= -github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= +github.com/openziti/edge-api v0.26.32 h1:32oJI97cuM/kRJPEOwH2pe9dqwj56IYdQgTjTJaaHaU= +github.com/openziti/edge-api v0.26.32/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y= github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= 
@@ -612,10 +612,10 @@ github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1 github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs= github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc= github.com/openziti/runzmd v1.0.51/go.mod h1:TB2FZtxC6+jkZoJS21GY399j7Bo/05tGaULIyHO81s8= -github.com/openziti/sdk-golang v0.23.42 h1:27tkEQ58RrAjfVgUfUmC2HAbJdyO9WjnLfhOoQWj5Zk= -github.com/openziti/sdk-golang v0.23.42/go.mod h1:Nb9QU3zXtx4NoxZO/W7YhL+n46RY3p8sr5BR87kfcgo= -github.com/openziti/secretstream v0.1.24 h1:4MgfpoQ/jxdRMUrvi0MbXB4xw9Uu5A6e1TPrf9UaTWk= -github.com/openziti/secretstream v0.1.24/go.mod h1:7CZxW/G7AQ27G0K4v/hvzDN2pBHQmCvhao3Y70Q6Zy4= +github.com/openziti/sdk-golang v0.23.43 h1:n/Xaif9canea+T+VgNmfNhF2nNveXe4gdS35uUQgUIY= +github.com/openziti/sdk-golang v0.23.43/go.mod h1:6QsDMxGxX3Qsgpp4zVVHgBfr5XkXjIwRONS7onnaGvU= +github.com/openziti/secretstream v0.1.25 h1:40gHKcAcoXqKs0J7Tz1jTAmPoMXmMn4HP3Mg6scgJ5c= +github.com/openziti/secretstream v0.1.25/go.mod h1:zgBcyN7h/zLBIWeqSrWwlOGOMQW51oQGYYlkiArR6Ec= github.com/openziti/storage v0.3.2 h1:etRAT2asJvV1gKgj/eRu3st7AO0TKgDagsEpDdIj/l0= github.com/openziti/storage v0.3.2/go.mod h1:yTv6Rqs8Rk6nMPUD+96VXI5eWhOARTNLV0OPmgiK8I4= github.com/openziti/transport/v2 v2.0.146 h1:Wdr4udri/fFpdj9GR9DR7/FKqt/2cMTgBdt3gfrqFaQ= 
@@ -840,8 +840,8 @@ go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= +go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI= +go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= From 924680d1545c7aa977c13f3eb393a6aed7c5b17b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 2 Oct 2024 11:41:56 -0400 Subject: [PATCH 37/37] use explicit policy semantic and all/all SERP in k8s demo --- quickstart/kubernetes/miniziti.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/quickstart/kubernetes/miniziti.bash b/quickstart/kubernetes/miniziti.bash index 5d0bd8aa1..084eec0a5 100755 --- a/quickstart/kubernetes/miniziti.bash +++ b/quickstart/kubernetes/miniziti.bash @@ -1066,7 +1066,7 @@ EOF if ! zitiWrapper edge list service-policies 'name="httpbin-bind-policy"' --csv \ | grep -q "httpbin-bind-policy"; then logDebug "creating service-policy httpbin-bind-policy" - zitiWrapper edge create service-policy "httpbin-bind-policy" Bind \ + zitiWrapper edge create service-policy "httpbin-bind-policy" Bind --semantic "AnyOf" \ --service-roles '@httpbin-service' --identity-roles '#httpbin-hosts' >&3 else logDebug "ignoring service-policy httpbin-bind-policy" 
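Review bot: The added `--semantic "AnyOf"` only reaches a fresh install, because the create call sits behind the `grep -q "httpbin-bind-policy"` guard and the else branch only logs "ignoring service-policy httpbin-bind-policy". A cluster where the policy already exists keeps the semantic it was created with, so re-running the script does not converge on the new definition. The same holds for the httpbin-dial-policy hunk and the public-routers hunk that follow. I would either update the existing policy in the else branch or state the limitation above the guard, e.g. `# existing policies are left untouched; delete the policy to pick up changed roles or semantic`. The enclosing function starts and ends outside the hunk.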
@@ -1075,7 +1075,7 @@ EOF if ! zitiWrapper edge list service-policies 'name="httpbin-dial-policy"' --csv \ | grep -q "httpbin-dial-policy"; then logDebug "creating service-policy httpbin-dial-policy" - zitiWrapper edge create service-policy "httpbin-dial-policy" Dial \ + zitiWrapper edge create service-policy "httpbin-dial-policy" Dial --semantic "AnyOf" \ --service-roles '@httpbin-service' --identity-roles '#httpbin-clients' >&3 else logDebug "ignoring service-policy httpbin-dial-policy" @@ -1094,7 +1094,7 @@ EOF | grep -q "public-routers"; then logDebug "creating service-edge-router-policy public-routers" zitiWrapper edge create service-edge-router-policy "public-routers" \ - --edge-router-roles '#public-routers' --service-roles '#all' >&3 + --edge-router-roles '#all' --service-roles '#all' >&3 else logDebug "ignoring service-edge-router-policy public-routers" fi
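Review bot: The policy in the last hunk is still named `public-routers`, but with `--edge-router-roles '#all'` next to `--service-roles '#all'` it now lets every edge router carry every service, so the name no longer describes its scope. That is a reasonable simplification for a demo, but someone copying this block into a longer-lived deployment gets a broader grant than the name suggests. A comment above the create call would make the intent explicit, e.g. `# demo only: all routers may serve all services; scope this to a router role attribute outside the quickstart`. If the policy is renamed to match, the `grep -q "public-routers"` guard and both logDebug messages need the same change. The enclosing block continues outside the hunk.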