Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

let linux/docker controller/router address be IPv4/IPv6 #2438

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

qrkourier
Copy link
Member

@qrkourier qrkourier commented Sep 24, 2024

resolves #1993

@qrkourier qrkourier requested review from a team as code owners September 24, 2024 22:29
@qrkourier qrkourier changed the title let linux/docker controller address be an IPv4; resolves #1993 let linux/docker controller address be an IPv4 Sep 24, 2024
@@ -71,14 +73,22 @@ issueLeafCerts() {
ZITI_PKI_CTRL_SERVER_CERT="${ZITI_PKI_ROOT}/${ZITI_INTERMEDIATE_FILE}/certs/${ZITI_SERVER_FILE}.chain.pem"
if [[ "${ZITI_AUTO_RENEW_CERTS}" == true || ! -s "$ZITI_PKI_CTRL_SERVER_CERT" ]]; then
# server cert
if [[ "${ZITI_CTRL_ADVERTISED_ADDRESS}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's better to not try to make these sorts of determiniations and instead have the user not mix/match between IP and DNS. Also this won't work proplery with ipv6 either.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My initial goal was to fix the immediate problem reported in Discourse that prevents using an IP address as a router address. The symptom is that the IP is not set as a DNS SAN, breaking certificate verification for edge clients and link dialers.

The underlying problem is the ziti create config router edge command currently parses the generic ZITI_ROUTER_ADVERTISED_ADDRESS input, and ejects it from DNS SANs if it matches an IPv4 pattern. This results in a silent failure (no exit code and a warning is printed) and no IP SAN is set, because the confirmed IPv4 address is not set in IP SANs. Instead, the command requires that a separate input variable is set, ZITI_ROUTER_IP_OVERRIDE, which has precisely the same meaning as the generically-named address input variable, ZITI_ROUTER_ADVERTISED_ADDRESS, except that it sets an IP SAN instead.

	// If CSR SANs is an IP, ignore it by setting it blank
	result, _ := regexp.MatchString("^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", data.Router.Edge.CsrSans)
	if result {
		logrus.Warnf("DNS provided (%s) appears to be an IP, ignoring for DNS entry", data.Router.Edge.CsrSans)
		data.Router.Edge.CsrSans = ""
	}

from: https://github.com/openziti/ziti/blob/v1.1.11/ziti/cmd/create/create_config.go#L294

The proposed fix will wrap this behavior with a safety check to set the alternative, IP-specific input if the string is an IPv4.


I expanded the fix to support controller IP SANs, allowing router or controller addresses to be DNS a name or IPv4 addresses by parsing the string to match an IPv4.

That implementation proved too controversial, and these requirements were added:

  • The address inputs for DNS name and IP address must be separate. The implementation must not parse the string to determine if it's an IP address.
  • The separate IP address input must support both IPv4 and IPv6.

Notably, the controller does not currently support advertising an IPv6 ctrl plane endpoint, so the IPv6 requirement is "future proofing" for controller deployments.


This expanded scope is not a match for current priorities, so I'm leaving this note here for future self or others to pick up the work when it can be prioritized. For now, controllers and routers must be configured with a DNS name, not an IP address, when using the auto-config generator features of Ziti.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the current draft branch, I experimented with matching both IPv4 and IPv6 with an extended regexp. This pattern is not practical to audit or debug, and I don't find it an acceptable solution, for the record.

@qrkourier qrkourier marked this pull request as draft September 25, 2024 19:41
@qrkourier qrkourier changed the title let linux/docker controller address be an IPv4 let linux/docker controller/router address be IPv4/IPv6 Sep 25, 2024
@qrkourier qrkourier force-pushed the linux-controller-ip-san branch from ba3ca6f to 4570aee Compare September 25, 2024 19:42
Base automatically changed from linux-router-args to main September 25, 2024 21:07
@qrkourier qrkourier linked an issue Nov 3, 2024 that may be closed by this pull request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Ziti Controller Bootstrap Domain name
2 participants