This Python script automates downloading, configuring and enrolling an OpenZiti router. It generates the router configuration file from a template with custom options, downloads the release binaries from GitHub, handles the enrollment process, and sets up local DNS settings if needed.
```
pip install -r requirements.txt
```

Enroll with the JWT pasted directly on the command line:

```
./ziti_router_auto_enroll {paste JWT here}
```

OR read the JWT from a file:

```
./ziti_router_auto_enroll --jwt enrollment.txt
```

The enrollment JWT is a credential. The file form keeps it out of shell history and process listings, so prefer it on shared hosts and keep the file readable only by the user running the enrollment.

```
./ziti_router_auto_enroll --jwt enrollment.txt --assumePublic
./ziti_router_auto_enroll --jwt enrollment.txt --autoTunnelListener
```
Positional argument:

- `enrollment_jwt` (optional): the enrollment JWT as a string

Options:

- `-j JWT`, `--jwt JWT`: Path to a file containing the JWT
- `-p`, `--printConfig`: Print the generated configuration and exit
- `-t`, `--printTemplate`: Print the Jinja template used to create the config and exit
- `-n`, `--noHostname`: Don't use hostnames, only IP addresses, in the auto-generated config
- `-f`, `--force`: Forcefully proceed with re-enrollment
- `-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}`, `--logLevel {DEBUG,INFO,WARNING,ERROR,CRITICAL}`: Set the logging level (Default: INFO)
- `-v`, `--version`: Show the program's version number and exit
- `--logFile`: Specify the log file (Default: `{cwd}/{program_name}.log`)
- `--parametersFile`: File containing all parameters, in JSON or YAML format (.json or .yaml/.yml)
- `--installDir`: Installation directory for OpenZiti (Default: `/opt/openziti/ziti-router`)
- `--installVersion`: Install a specific version (Default: match the controller's version)
- `--downloadUrl`: Bundle download URL (Default: https://github.com/openziti/ziti/releases/latest/)
- `--identityCert`: Path to certificate (Default: `{installDir}/certs/cert.pem`)
- `--identityServerCert`: Path to server chain (Default: `{installDir}/certs/server_cert.pem`)
- `--identityKey`: Path to key file (Default: `{installDir}/certs/key.pem`)
- `--identityCa`: Path to CA chain (Default: `{installDir}/certs/ca.pem`)
- `--controller`: Hostname or IP of the OpenZiti controller
- `--controllerMgmtPort`: Controller Edge Port
- `--controllerFabricPort`: Controller Fabric Port
- `--proxyType`: Proxy type; currently only "http" is supported (Default: http)
- `--proxyAddress`: The address of the proxy (Default: None)
- `--proxyPort`: The port of the proxy (Default: 3128)
- `--disableHealthChecks`: Disable the HealthChecks portion of the router config
- `--ctrlPingCheckInterval`: How often to ping the controller (Default: 30)
- `--ctrlPingCheckTimeout`: Timeout for the ping (Default: 15)
- `--ctrlPingCheckInitialDelay`: How long to wait before pinging the controller (Default: 15)
- `--linkCheckMinLinks`: Number of links required for the health check to pass (Default: 1)
- `--linkCheckInterval`: How often to check the link count (Default: 5)
- `--linkCheckInitialDelay`: How long to wait before running the first check (Default: 5)
- `--reportInterval`: Reporting interval (Default: 15)
- `--messageQueueSize`: Message queue size (Default: 10)
- `--disableEdge`: Disable the Edge portion of the router config
- `--heartbeatIntervalSeconds`: Edge heartbeatInterval in seconds (Default: 60)
- `--csrCountry`: Country in the certificate (Default: US)
- `--csrProvince`: Province in the certificate (Default: NC)
- `--csrLocality`: Locality in the certificate (Default: Charlotte)
- `--csrOrganization`: Organization in the certificate (Default: NetFoundry)
- `--csrOrganizationalUnit`: OrganizationalUnit in the certificate (Default: Ziti)
- `--csrSansEmail`: SAN email address
- `--csrSansDns`: List of SAN DNS names
- `--csrSansIp`: List of SAN IP addresses
- `--csrSansUri`: List of SAN URIs
- `--apiProxyListener`: The interface and port that the Edge API should be served on
- `--apiProxyUpstream`: The hostname and port of the controller-hosted Edge API
- `--linkDialers`: Link dialers (Default: 'transport')
- `--linkListeners`: Link listeners (Default: None)
- `--disableListeners`: Disable the Listeners portion of the router config
- `--assumePublic`: Attempt an external lookup to assign the default edge listener instead of `{default_gw_adapter}`. This option also auto-configures an external linkListener with the external IP
- `--edgeListeners`: Edge binding listeners (Default: 'tls:0.0.0.0:443' '{default_gw_adapter}:443')
- `--proxyListeners`: Proxy binding listeners (Default: None)
- `--tunnelListener`: Tunnel binding listener (Default: None)
- `--autoTunnelListener`: Automatically add a local tproxy tunneler with `{default_gw_adapter}` as the local resolver and LANIf
- `--webs`: Web options (Default: 'health-check' '0.0.0.0:8081' '0.0.0.0:8081' 'health-checks')
- `--ha`: Set the ha flag to True (Default: False)

Create a new router on the controller before enrollment:

- `--adminUser`: OpenZiti admin username
- `--adminPassword`: OpenZiti admin password
- `--routerName`: Name of the router to create on the controller

A password given on the command line is visible in the process list and shell history; on shared hosts prefer a parameters file with restrictive permissions.

Besides passing every argument as `--argumentName`, you can also use:
:heavy_exclamation_mark: When using environment variables, run the command with `sudo -E` so the variables survive the switch to root.

You can pass any argument via OS environment variables. Variable names are the argument names in all UPPER case.

:warning: Passing in links, listeners, tunnelers or webs this way is not supported: a list of lists is messy to express in an environment variable. Use the JSON or YAML parameters file instead.

Example: `export CONTROLLERFABRICPORT=6262`

Example: `export CSRSANSDNS="name1,name2,name3"`

You can pass any argument via a parameters file. JSON and YAML formats are supported; the file extension needs to be .json or .yaml/.yml.
Example JSON:

```json
{
  "controllerFabricPort": 6262,
  "csrSansIp": ["1.1.1.1", "2.2.2.2"],
  "proxyListeners": [["0.0.0.0:123", "my_ntp_service"], ["0.0.0.0:5631", "mydbconn_service"]]
}
```
Example YAML:

```yaml
controllerFabricPort: 6262
csrSansIp:
  - 1.1.1.1
  - 2.2.2.2
proxyListeners:
  - ["0.0.0.0:123", "myntp"]
  - ["0.0.0.0:5631", "mydb"]
```
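The following is an added example, not the project's own code, showing how the three parameter sources described above (environment variables, JSON/YAML parameters file, command-line flags) can be loaded and merged under the documented rules: the file format is chosen by extension, environment variable names are the option names in upper case, a comma-separated environment value becomes a list, and the list-of-list options (links, listeners, tunnelers, webs) are refused from the environment. The option-name sets are taken from the flag list above; the precedence (CLI flag > parameters file > environment) and the `parse_parameters_file`, `parameters_from_environment` and `merge_parameters` names are assumptions for illustration. YAML is parsed with PyYAML's `safe_load`, so a parameters file cannot instantiate arbitrary Python objects.

```python
"""Illustrative parameter loading in the style of ziti_router_auto_enroll.

Added example; not the project's own code. Precedence (CLI flag > parameters
file > environment) is an assumption made here for illustration.
"""
import json
from typing import Any, Callable, Dict, Mapping

# List-of-list options: this README says these are not supported via the environment.
LIST_OF_LIST_OPTIONS = {
    "linkDialers", "linkListeners", "edgeListeners",
    "proxyListeners", "tunnelListener", "webs",
}
# Simple list options: comma-separated when given in the environment.
LIST_OPTIONS = {"csrSansDns", "csrSansIp", "csrSansUri"}
# Integer options.
INT_OPTIONS = {
    "controllerMgmtPort", "controllerFabricPort", "proxyPort",
    "ctrlPingCheckInterval", "ctrlPingCheckTimeout", "ctrlPingCheckInitialDelay",
    "linkCheckMinLinks", "linkCheckInterval", "linkCheckInitialDelay",
    "reportInterval", "messageQueueSize", "heartbeatIntervalSeconds",
}
# Remaining string options from the flag list.
STRING_OPTIONS = {
    "jwt", "controller", "installDir", "installVersion", "downloadUrl",
    "proxyType", "proxyAddress", "logLevel", "logFile", "csrCountry",
    "csrProvince", "csrLocality", "csrOrganization", "csrOrganizationalUnit",
    "csrSansEmail", "adminUser", "adminPassword", "routerName",
}
KNOWN_OPTIONS = LIST_OF_LIST_OPTIONS | LIST_OPTIONS | INT_OPTIONS | STRING_OPTIONS


def parse_parameters_file(filename: str, text: str) -> Dict[str, Any]:
    """Parse a parameters file's contents, choosing the format by extension."""
    name = filename.lower()
    if name.endswith(".json"):
        data = json.loads(text)
    elif name.endswith((".yaml", ".yml")):
        import yaml  # PyYAML (assumed installed). safe_load refuses Python object tags.
        data = yaml.safe_load(text)
    else:
        raise ValueError(f"{filename}: extension must be .json, .yaml or .yml")
    if not isinstance(data, dict):
        raise ValueError(f"{filename}: top level must be a mapping of option names")
    unknown = sorted(set(data) - KNOWN_OPTIONS)
    if unknown:
        raise ValueError(f"{filename}: unknown option(s): {', '.join(unknown)}")
    return data


def parameters_from_environment(environ: Mapping[str, str]) -> Dict[str, Any]:
    """Collect options from UPPER-CASE environment variables (e.g. CONTROLLERFABRICPORT)."""
    found: Dict[str, Any] = {}
    for option in sorted(KNOWN_OPTIONS):
        raw = environ.get(option.upper())
        if raw is None:
            continue
        if option in LIST_OF_LIST_OPTIONS:
            raise ValueError(f"{option.upper()}: list-of-list options are not supported "
                             "via the environment; use a .json or .yaml parameters file")
        if option in LIST_OPTIONS:
            found[option] = [item.strip() for item in raw.split(",") if item.strip()]
        elif option in INT_OPTIONS:
            found[option] = int(raw)
        else:
            found[option] = raw
    return found


def merge_parameters(cli: Mapping[str, Any], file_params: Mapping[str, Any],
                     env_params: Mapping[str, Any]) -> Dict[str, Any]:
    """Assumed precedence: explicit CLI flags (non-None) > parameters file > environment."""
    merged: Dict[str, Any] = dict(env_params)
    merged.update(file_params)
    merged.update({key: value for key, value in cli.items() if value is not None})
    return merged


def rejects(func: Callable[..., Any], *args: Any) -> bool:
    """True if func(*args) raises ValueError; demonstrates the refusals above."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs mirroring this README's JSON and environment examples.
    sample_json = ('{"controllerFabricPort": 6262, "csrSansIp": ["1.1.1.1", "2.2.2.2"], '
                   '"proxyListeners": [["0.0.0.0:123", "my_ntp_service"]]}')
    sample_env = {"CONTROLLERFABRICPORT": "6262", "CSRSANSDNS": "name1,name2,name3"}
    print(merge_parameters({"controller": "ctrl.example.com"},
                           parse_parameters_file("params.json", sample_json),
                           parameters_from_environment(sample_env)))
    print(rejects(parameters_from_environment, {"WEBS": "health-check"}))  # True
```

Pass `os.environ` to `parameters_from_environment` in real use; the constructed dictionary in the main block keeps the example deterministic. The unknown-option check in `parse_parameters_file` catches a misspelled key before a router is configured with a silently ignored setting.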