Merge branch 'release-next' into refactor-linux-router-install

openziti · Jul 12, 2024 · 0aa38c0 · 0aa38c0
2 parents f22101b + d849fb9
commit 0aa38c0
Show file tree

Hide file tree

Showing 194 changed files with 3,753 additions and 3,651 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -120,8 +120,6 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get -yq install gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf gcc-aarch64-linux-gnu
-          $(go env GOPATH)/bin/ziti-ci configure-git
-          $(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
           go install github.com/mitchellh/gox@latest
           $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
           CC=arm-linux-gnueabihf-gcc $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
@@ -60,7 +60,7 @@ jobs:
       # arch that was downloaded in ./release/, hence the need to specify the
       # Dockerfile and DOCKER_BUILD_DIR
       - name: Build & Push Multi-Platform CLI Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -87,7 +87,7 @@ jobs:
       # ZITI_CLI_TAG env var so it can build from the versioned image that
       # we pushed in the prior step.
       - name: Build & Push Multi-Platform Controller Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -112,7 +112,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Router Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -142,7 +142,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Go Tunneler Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/dist/docker-images/ziti-tunnel/

diff --git a/.github/workflows/release-quickstart.yml b/.github/workflows/release-quickstart.yml
@@ -120,7 +120,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Quickstart Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/quickstart/docker/image

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,86 @@
-# Release 1.1.4
+# Release 1.1.6
+
+## What's New
+
+* Trust Domain Configuration
+
+## Trust Domain Configuration
+
+OpenZiti controllers from this release forward will now require a `trust domain` to be configured. 
+High Availability (HA) controllers already have this requirement. HA Controllers configure their trust domain via SPIFFE 
+ids that are embedded in x509 certificates.
+
+For feature parity, non-HA controllers will now have this same requirement. However, as re-issuing certificates is not
+always easily done. To help with the transition, non-HA controllers will have the ability to have their trust domain
+sourced from the controller configuration file through the root configuration value `trustDomain`. The configuration
+field which takes a string that must be URI hostname compatible (see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md).
+If this value is not defined, a trust domain will be generated from the root CA certificate of the controller. 
+
+For networks that will be deployed after this change, it is highly suggested that a SPIFFE id is added to certificates.
+The `ziti pki create ...` tooling supports the `--spiffe-id` option to help handle this scenario.
+
+### Generated Trust Domain Log Messages
+
+The following log messages are examples of warnings produced when a controller is using a generated trust domain:
+
+```
+WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925], 
+  it is recommended that a trust domain is specified in configuration via URI SANs or the 'trustDomain' field
+
+WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925], 
+  it is recommended that if network components have enrolled that the generated trust domain be added to the 
+  configuration field 'additionalTrustDomains'
+```
+
+### Trust domain resolution:
+
+- Non-HA controllers
+  - Prefers SPIFFE ids in x509 certificate URI SANs, looking at the leaf up the signing chain
+  - Regresses to `trustDomain` in the controller configuration file if not found
+  - Regress to generating a trust domain from the server certificates root CA, if the above do not resolve
+
+- HA Controllers
+  - Requires x509 SPIFFE ids in x509 certificate URI SANs
+
+### Additional Trust Domains
+
+When moving between trust domains (i.e. from the default generated to a new named one), the controller supports having
+other trust domains. The trust domains do not replace certificate chain validation, which is still checked and enforced.
+
+Additional trust domains are configured in the controller configuration file under the root field 
+`additionalTrustDomains`. This field is an array of hostname safe strings.
+
+The most common use case for this is field is if a network has issued certificates using the generated trust domain and 
+now wants to transition to a explicitly defined one.
+
+# Release 1.1.5
 
 ## What's New
 
 * Bug fixes
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/channel/v2: [v2.0.133 -> v2.0.136](https://github.com/openziti/channel/compare/v2.0.133...v2.0.136)
+    * [Issue #132](https://github.com/openziti/channel/issues/132) - reconnecting dialer doesn't take local binding into account when reconnecting
+
+* github.com/openziti/identity: [v1.0.80 -> v1.0.81](https://github.com/openziti/identity/compare/v1.0.80...v1.0.81)
+* github.com/openziti/transport/v2: [v2.0.136 -> v2.0.138](https://github.com/openziti/transport/compare/v2.0.136...v2.0.138)
+    * [Issue #83](https://github.com/openziti/transport/issues/83) - tls.Dial should use proxy configuration if provided
+
+* github.com/openziti/xweb/v2: [v2.1.0 -> v2.1.1](https://github.com/openziti/xweb/compare/v2.1.0...v2.1.1)
+* github.com/openziti/ziti: [v1.1.4 -> v1.1.5](https://github.com/openziti/ziti/compare/v1.1.4...v1.1.5)
+    * [Issue #2173](https://github.com/openziti/ziti/issues/2173) - panic on HA peer connect
+    * [Issue #2171](https://github.com/openziti/ziti/issues/2171) - Routers should consider control channels unresponsive if they are not connected
+    * [Issue #2086](https://github.com/openziti/ziti/issues/2086) - Enable File Watching for Router/Controller Identities
+    * [Issue #2087](https://github.com/openziti/ziti/issues/2087) - Ext JWT not setting provider value in auth query
+
+# Release 1.1.4
+
+## What's New
+
 * Controller HA Beta 1
+* Bug fixes
 
 ## Controller HA Beta 1
 

diff --git a/controller/network/cmap_iterator.go → common/datastructures/cmap_iterator.go b/controller/network/cmap_iterator.go → common/datastructures/cmap_iterator.go
@@ -14,7 +14,7 @@
 	limitations under the License.
 */
 
-package network
+package datastructures
 
 import (
 	"github.com/openziti/storage/objectz"

diff --git a/controller/api_impl/circuit_api_model.go b/controller/api_impl/circuit_api_model.go
@@ -18,6 +18,7 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 
 	"github.com/openziti/ziti/controller/rest_model"
@@ -44,7 +45,7 @@ func (factory *CircuitLinkFactoryIml) Links(entity LinkEntity) rest_model.Links
 	return links
 }
 
-func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *network.Circuit) (*rest_model.CircuitDetail, error) {
+func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *model.Circuit) (*rest_model.CircuitDetail, error) {
 	path := &rest_model.Path{}
 	for _, node := range circuit.Path.Nodes {
 		path.Nodes = append(path.Nodes, ToEntityRef(node.Name, node, RouterLinkFactory))
@@ -54,7 +55,7 @@ func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *ne
 	}
 
 	var svcEntityRef *rest_model.EntityRef
-	if svc, _ := n.Services.Read(circuit.ServiceId); svc != nil {
+	if svc, _ := n.Service.Read(circuit.ServiceId); svc != nil {
 		svcEntityRef = ToEntityRef(svc.Name, svc, ServiceLinkFactory)
 	} else {
 		svcEntityRef = ToEntityRef("<deleted>", deletedEntity(circuit.ServiceId), ServiceLinkFactory)

diff --git a/controller/api_impl/inspections_router.go b/controller/api_impl/inspections_router.go
@@ -18,12 +18,12 @@ package api_impl
 
 import (
 	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/foundation/v2/stringz"
 	"github.com/openziti/ziti/controller/api"
 	"github.com/openziti/ziti/controller/network"
 	"github.com/openziti/ziti/controller/rest_model"
 	"github.com/openziti/ziti/controller/rest_server/operations"
 	"github.com/openziti/ziti/controller/rest_server/operations/inspect"
-	"github.com/openziti/foundation/v2/stringz"
 	"net/http"
 )
 
@@ -49,7 +49,7 @@ func (r *InspectRouter) Register(fabricApi *operations.ZitiFabricAPI, wrapper Re
 }
 
 func (r *InspectRouter) Inspect(n *network.Network, rc api.RequestContext, request *rest_model.InspectRequest) {
-	result := n.Managers.Inspections.Inspect(stringz.OrEmpty(request.AppRegex), request.RequestedValues)
+	result := n.Inspections.Inspect(stringz.OrEmpty(request.AppRegex), request.RequestedValues)
 	resp := MapInspectResultToRestModel(n, result)
 	rc.Respond(resp, http.StatusOK)
 }
diff --git a/controller/api_impl/link_api_model.go b/controller/api_impl/link_api_model.go
@@ -18,6 +18,7 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 	"github.com/openziti/ziti/controller/rest_model"
 )
@@ -41,7 +42,7 @@ func (factory *LinkLinkFactoryIml) Links(entity LinkEntity) rest_model.Links {
 	return links
 }
 
-func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *network.Link) (*rest_model.LinkDetail, error) {
+func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *model.Link) (*rest_model.LinkDetail, error) {
 	iteration := int64(link.Iteration)
 	staticCost := int64(link.StaticCost)
 	linkStateStr := link.CurrentState().Mode.String()
@@ -51,7 +52,7 @@ func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *network.
 	destRouter := link.GetDest()
 	if destRouter == nil {
 		var err error
-		destRouter, err = n.Routers.Read(link.DstId)
+		destRouter, err = n.Router.Read(link.DstId)
 		if err != nil {
 			return nil, err
 		}

diff --git a/controller/api_impl/raft_router.go b/controller/api_impl/raft_router.go
@@ -89,6 +89,7 @@ func (r *RaftRouter) listMembers(n *network.Network, rc api.RequestContext) {
 		if err != nil {
 			rc.Respond(rest_model.RaftMemberListResponse{}, http.StatusInternalServerError)
 		}
+		readOnly := raftController.Mesh.IsReadOnly()
 		for _, member := range members {
 			vals = append(vals, &rest_model.RaftMemberListValue{
 				Address:   &member.Addr,
@@ -97,11 +98,12 @@ func (r *RaftRouter) listMembers(n *network.Network, rc api.RequestContext) {
 				Leader:    &member.Leader,
 				Version:   &member.Version,
 				Voter:     &member.Voter,
+				ReadOnly:  &readOnly,
 			})
 		}
 
 		rc.Respond(rest_model.RaftMemberListResponse{
-			Values: vals,
+			Data: vals,
 		}, http.StatusOK)
 
 	} else {

diff --git a/controller/api_impl/router_api_model.go b/controller/api_impl/router_api_model.go
@@ -18,12 +18,13 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 
 	"github.com/openziti/ziti/controller/rest_model"
 
-	"github.com/openziti/ziti/controller/models"
 	"github.com/openziti/foundation/v2/stringz"
+	"github.com/openziti/ziti/controller/models"
 )
 
 const EntityNameRouter = "routers"
@@ -46,8 +47,8 @@ func (factory *RouterLinkFactoryIml) Links(entity LinkEntity) rest_model.Links {
 	return links
 }
 
-func MapCreateRouterToModel(router *rest_model.RouterCreate) *network.Router {
-	ret := &network.Router{
+func MapCreateRouterToModel(router *rest_model.RouterCreate) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Id:   stringz.OrEmpty(router.ID),
 			Tags: TagsOrDefault(router.Tags),
@@ -62,8 +63,8 @@ func MapCreateRouterToModel(router *rest_model.RouterCreate) *network.Router {
 	return ret
 }
 
-func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *network.Router {
-	ret := &network.Router{
+func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Tags: TagsOrDefault(router.Tags),
 			Id:   id,
@@ -78,8 +79,8 @@ func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *network
 	return ret
 }
 
-func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *network.Router {
-	ret := &network.Router{
+func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Tags: TagsOrDefault(router.Tags),
 			Id:   id,
@@ -96,7 +97,7 @@ func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *network.R
 
 type RouterModelMapper struct{}
 
-func (RouterModelMapper) ToApi(n *network.Network, _ api.RequestContext, router *network.Router) (interface{}, error) {
+func (RouterModelMapper) ToApi(n *network.Network, _ api.RequestContext, router *model.Router) (interface{}, error) {
 	connected := n.GetConnectedRouter(router.Id)
 	var restVersionInfo *rest_model.VersionInfo
 	if connected != nil && connected.VersionInfo != nil {

diff --git a/controller/api_impl/router_router.go b/controller/api_impl/router_router.go
@@ -20,6 +20,7 @@ import (
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/openziti/ziti/controller/api"
 	"github.com/openziti/ziti/controller/fields"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 	"github.com/openziti/ziti/controller/rest_server/operations"
 	"github.com/openziti/ziti/controller/rest_server/operations/router"
@@ -71,17 +72,17 @@ func (r *RouterRouter) Register(fabricApi *operations.ZitiFabricAPI, wrapper Req
 }
 
 func (r *RouterRouter) ListRouters(n *network.Network, rc api.RequestContext) {
-	ListWithHandler[*network.Router](n, rc, n.Managers.Routers, RouterModelMapper{})
+	ListWithHandler[*model.Router](n, rc, n.Managers.Router, RouterModelMapper{})
 }
 
 func (r *RouterRouter) Detail(n *network.Network, rc api.RequestContext) {
-	DetailWithHandler[*network.Router](n, rc, n.Managers.Routers, RouterModelMapper{})
+	DetailWithHandler[*model.Router](n, rc, n.Managers.Router, RouterModelMapper{})
 }
 
 func (r *RouterRouter) Create(n *network.Network, rc api.RequestContext, params router.CreateRouterParams) {
 	Create(rc, RouterLinkFactory, func() (string, error) {
 		router := MapCreateRouterToModel(params.Router)
-		err := n.Routers.Create(router, rc.NewChangeContext())
+		err := n.Router.Create(router, rc.NewChangeContext())
 		if err != nil {
 			return "", err
 		}
@@ -90,21 +91,21 @@ func (r *RouterRouter) Create(n *network.Network, rc api.RequestContext, params
 }
 
 func (r *RouterRouter) Delete(network *network.Network, rc api.RequestContext) {
-	DeleteWithHandler(rc, network.Managers.Routers)
+	DeleteWithHandler(rc, network.Managers.Router)
 }
 
 func (r *RouterRouter) Update(n *network.Network, rc api.RequestContext, params router.UpdateRouterParams) {
 	Update(rc, func(id string) error {
-		return n.Managers.Routers.Update(MapUpdateRouterToModel(params.ID, params.Router), nil, rc.NewChangeContext())
+		return n.Managers.Router.Update(MapUpdateRouterToModel(params.ID, params.Router), nil, rc.NewChangeContext())
 	})
 }
 
 func (r *RouterRouter) Patch(n *network.Network, rc api.RequestContext, params router.PatchRouterParams) {
 	Patch(rc, func(id string, fields fields.UpdatedFields) error {
-		return n.Managers.Routers.Update(MapPatchRouterToModel(params.ID, params.Router), fields.FilterMaps("tags"), rc.NewChangeContext())
+		return n.Managers.Router.Update(MapPatchRouterToModel(params.ID, params.Router), fields.FilterMaps("tags"), rc.NewChangeContext())
 	})
 }
 
 func (r *RouterRouter) listManagementTerminators(n *network.Network, rc api.RequestContext) {
-	ListAssociationWithHandler[*network.Router, *network.Terminator](n, rc, n.Managers.Routers, n.Managers.Terminators, TerminatorModelMapper{})
+	ListAssociationWithHandler[*model.Router, *model.Terminator](n, rc, n.Managers.Router, n.Managers.Terminator, TerminatorModelMapper{})
 }