openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

ZITI_EDGE_ROUTER_IP_OVERRIDE does not override the edge router advertise hostname setting only adds it to the sans->ip. #868

Closed dariuszSki closed 2 years ago

dariuszSki commented 2 years ago

One needs to use these to overcome this limitation, or perhaps I am missing something.

export ZITI_EDGE_ROUTER_IP_OVERRIDE="10.40.101.194"
export ZITI_EDGE_ROUTER_RAWNAME="10.40.101.194"

But the certs end up looking like this:

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - 10.40.101.194
        - localhost
      ip:
        - "127.0.0.1"
        - "10.40.101.194"

Perhaps it was meant to do something like this in the template as well (not sure about the syntax though). I may be wrong here in my assumption.

link:
  dialers:
    - binding: transport
{{ if .Router.IsPrivate }}#{{ end }}  listeners:
{{ if .Router.IsPrivate }}#{{ end }}    - binding:          transport
{{ if .Router.IsPrivate }}#{{ end }}      bind:             tls:0.0.0.0:{{ .Router.Listener.BindPort }}
{{ if .Router.IsPrivate }}#{{ end }}      advertise:        tls:{{ if .Router.Edge.IPOverride }}{{ .Router.Edge.IPOverride }}{{ else }}{{ .Router.Edge.Hostname }}{{ end }}:{{ .Router.Listener.BindPort }}

Also, the description should probably say to "override the hostname" not "default edge router IP" if my assumptions are correct?

ZitiEdgeRouterIPOverrideVarDescription           = "Override the default edge router IP with a custom IP, this IP will also be added to the PKI"
dariuszSki commented 2 years ago

@gberl002 Let me know if this was your intention when you added this.

dovholuknf commented 2 years ago

That would be consistent with what I would expect at this time, but it sounds like it would be a challenge/problem in an "IP only" setting. Sounds like a feature to add to the script to support using "just an IP".

Is that the situation? You have "only an IP and no DNS"?

dariuszSki commented 2 years ago

yes

dariuszSki commented 2 years ago

If that is not the intention, then the env name is misleading. It is not an override but a SANs IP addition.

dariuszSki commented 2 years ago

Also curious why ZITI_EDGE_ROUTER_RAWNAME is used to overwrite the hostname and not something like ZITI_EDGE_ROUTER_FQDN. RAWNAME means not only an FQDN but any name?

dovholuknf commented 2 years ago

OK... Looking back at your original message and the output config: if you're getting a config that looks like that, it's a different bug. You shouldn't get the IP in the DNS section:

      dns:
        - 10.40.101.194

As for ZITI_EDGE_ROUTER_IP_OVERRIDE -- the description seems ok to me, but maybe a better name for it would be ZITI_EDGE_ROUTER_ADVERTISED_IP ? It probably should support 'n' IPs eventually too but it clearly doesn't yet.

> Also curious why ZITI_EDGE_ROUTER_RAWNAME is used to overwrite the hostname and not something like ZITI_EDGE_ROUTER_FQDN. RAWNAME means not only an FQDN but any name?

Probably no 'reason' other than that was just what was used.

So to reproduce this issue...

export ZITI_EDGE_ROUTER_IP_OVERRIDE="10.40.101.194"
export ZITI_EDGE_ROUTER_RAWNAME="10.40.101.194"

ziti create config router --routerName myRouter edge

That yields this config - what are the results you would expect?

v: 3

identity:
  cert:                 "/myRouter.cert"
  server_cert:          "/myRouter.server.chain.cert"
  key:                  "/myRouter.key"
  ca:                   "/myRouter.cas"

ctrl:
  endpoint:             tls:sg3:6262

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:10080
      advertise:        tls:10.40.101.194:10080
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: 10.40.101.194:3022
      connectTimeoutMs: 1000
      getSessionTimeout: 60s
  - binding: tunnel
    options:
      mode: host #tproxy|host

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - 10.40.101.194
        - localhost
      ip:
        - "127.0.0.1"
        - "10.40.101.194"

The DNS entry is a bug for sure. The advertised IP is set properly I think? What are you thinking should change there?
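The two points raised in this thread, the if/else in the `advertise` template line from the first comment and the IP address that ends up under `sans.dns` in the generated CSR section, can both be checked with a small stand-alone Go program. This is an added example, not OpenZiti code; the `Router` struct only mirrors the template fields quoted in the issue (`.Router.Edge.IPOverride`, `.Router.Edge.Hostname`, `.Router.Listener.BindPort`), and the hostname `sg3`, the port and the address list are assumed sample values taken from the config output above. It renders the advertise value with the `{{ end }}` closing the conditional before the port, so the port is appended in both branches, and it partitions candidate SAN names with `net.ParseIP` so that a bare IP is never emitted as a DNS SAN.

```go
// Added example (not OpenZiti code): render the link-listener "advertise"
// value with an IP override taking precedence over the hostname, and sort
// SAN candidates so that an IP never lands in the DNS list.
package main

import (
	"bytes"
	"fmt"
	"net"
	"text/template"
)

// Router holds only the fields referenced by the advertise template
// (assumed field layout, mirroring the names used in the issue).
type Router struct {
	Edge struct {
		Hostname   string
		IPOverride string
	}
	Listener struct {
		BindPort int
	}
}

// advertiseTmpl closes the if/else with {{ end }} before the port, so the
// port is appended whether or not an IP override is set.
const advertiseTmpl = `tls:{{ if .Router.Edge.IPOverride }}{{ .Router.Edge.IPOverride }}{{ else }}{{ .Router.Edge.Hostname }}{{ end }}:{{ .Router.Listener.BindPort }}`

// RenderAdvertise executes the template for one router and returns the
// advertise string, e.g. "tls:10.40.101.194:10080".
func RenderAdvertise(r Router) (string, error) {
	t, err := template.New("advertise").Parse(advertiseTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Router": r}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SplitSANs partitions candidate names into DNS SANs and IP SANs.
// Anything net.ParseIP accepts goes to the ip list only; everything else is
// treated as a DNS name. Duplicates are dropped, order is preserved.
func SplitSANs(names []string) (dns []string, ips []string) {
	seen := map[string]bool{}
	for _, n := range names {
		if seen[n] {
			continue
		}
		seen[n] = true
		if ip := net.ParseIP(n); ip != nil {
			ips = append(ips, ip.String())
		} else {
			dns = append(dns, n)
		}
	}
	return dns, ips
}

func main() {
	var r Router
	r.Edge.Hostname = "sg3" // assumed sample hostname
	r.Edge.IPOverride = "10.40.101.194"
	r.Listener.BindPort = 10080

	// With the override set, the IP wins and the port is still appended.
	adv, err := RenderAdvertise(r)
	fmt.Println(adv, err)

	// Without the override, the hostname is used.
	r.Edge.IPOverride = ""
	adv, err = RenderAdvertise(r)
	fmt.Println(adv, err)

	// The IP override must only ever appear under sans.ip, never sans.dns.
	dns, ips := SplitSANs([]string{"10.40.101.194", "localhost", "127.0.0.1", "10.40.101.194"})
	fmt.Println("dns:", dns, "ip:", ips)
}
```

Running it prints `tls:10.40.101.194:10080`, then `tls:sg3:10080`, then `dns: [localhost] ip: [10.40.101.194 127.0.0.1]`, which is the shape the thread says the generated `sans` block should have had.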

gberl002 commented 2 years ago

Attached PR after it was closed, closing manually.