batteries-included demo for the ziti-controller Helm chart v2 release candidate: deploys a ziti controller with a Let's Encrypt console cert in k3s, on Ubuntu running on EC2
#!/usr/bin/env bash
# Demo: stand up k3s on an EC2 Ubuntu host and deploy the ziti-controller
# Helm chart with a Let's Encrypt console certificate via cert-manager.
# Abort on any unhandled error, on unset variables, and on a failure in
# any stage of a pipeline.
set -euo pipefail
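#######################################
# Coarse progress indicator: consumes stdin in 9-character chunks and
# prints one "." per chunk instead of echoing the noisy installer output.
# Arguments: none (reads stdin)
# Outputs:   a run of dots on stdout, no trailing newline
# Returns:   0
#######################################
progress_pipe() {
  local chunk
  # `read -n9` reports failure when it hits EOF with fewer than 9
  # characters and no newline; `|| [[ -n "$chunk" ]]` still counts that
  # final partial chunk, so the last bit of input also produces a dot.
  while IFS= read -r -n9 chunk || [[ -n "$chunk" ]]; do
    printf '.'
  done
}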
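#######################################
# Fetch an IMDSv2 session token from the EC2 instance metadata service and
# cache it in the global TOKEN; a request is only made when TOKEN is empty,
# so repeated calls reuse the first token.
# Globals:   TOKEN (read, written)
# Arguments: none
# Outputs:   the token on stdout; empty when the request failed
# Returns:   0 always; a failed request is reported on stderr, not fatal
#######################################
get_ec2_metadata_token() {
  if [[ -z "${TOKEN:-}" ]]; then
    # `|| TOKEN=""` makes a curl failure (not on EC2, IMDS unreachable or
    # IMDSv2 disabled) non-fatal regardless of how the function is called:
    # when invoked directly under errexit, the bare assignment would abort
    # the script before the WARN below could print. The bounded timeouts
    # stop a blackholed link-local address from hanging the run.
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
      --connect-timeout 2 --max-time 5 \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null) || TOKEN=""
    if [[ -z "${TOKEN}" ]]; then
      echo "WARN: Failed to retrieve EC2 metadata token" >&2
    fi
  fi
  echo "${TOKEN}"
}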
#######################################
# Query one path under the EC2 instance metadata service, authenticating
# with an IMDSv2 token (see get_ec2_metadata_token).
# Arguments: $1 - metadata path relative to /latest/meta-data/
#            $2 - IMDSv2 session token
# Outputs:   the raw response body on stdout; nothing on failure, since
#            curl runs silently and its stderr is discarded
# Returns:   curl's exit status
#######################################
get_ec2_metadata() {
  local -r meta_path=$1
  local -r imds_token=$2
  local -r imds_base="http://169.254.169.254/latest/meta-data"
  curl -s -H "X-aws-ec2-metadata-token: ${imds_token}" "${imds_base}/${meta_path}" 2>/dev/null
}
#######################################
# Orchestrates the whole demo: installs k3s and helm, deploys cert-manager,
# two Let's Encrypt ClusterIssuers and trust-manager, then installs the
# ziti-controller chart and prints the admin credentials.
# Globals:   CTRL_ADDR, CTRL_IP, TOKEN, KUBECONFIG_POSIX_GROUP,
#            CLUSTER_ISSUER (read; CTRL_ADDR/CTRL_IP/TOKEN written when unset),
#            PIPE_FILE, PROGRESS_PID (written), KUBECONFIG (exported)
# Arguments: none
# Outputs:   progress dots on the original stdout (fd 3) while the
#            installers run, then the decoded admin secret; diagnostics
#            go to stderr
# Returns:   exits 1 when no controller address is available or the user
#            is not in KUBECONFIG_POSIX_GROUP
#######################################
main() {
# Save stdout
# fd 3 keeps the real stdout so the final subshell can print the admin
# secret even while fd 1 is redirected to the progress pipe.
exec 3>&1
# `$-` holds the active option letters; `x` means xtrace (set -x) is on,
# in which case the command trace is left visible instead of dots.
if ! [[ $- =~ x ]]
then
# If xtrace is off, redirect stdout to progress_pipe
# Create a named pipe for redirection
# mktemp -u only returns a name; mkfifo creates the fifo and fails rather
# than clobber anything that appears at that path first.
PIPE_FILE=$(mktemp -u)
mkfifo "$PIPE_FILE"
# Start progress_pipe in background, reading from the pipe
progress_pipe < "$PIPE_FILE" &
PROGRESS_PID=$!
# Redirect stdout to the pipe
# Opening a fifo for writing blocks until a reader has it open, which is
# why progress_pipe is started before this exec.
exec 1>"$PIPE_FILE"
# Clean up the pipe when the script exits
trap 'rm -f "$PIPE_FILE"; kill $PROGRESS_PID 2>/dev/null || true' EXIT
fi
# The controller's advertised address defaults to the instance's public
# hostname from IMDS; without one the chart cannot be configured, so fatal.
if [[ -z "${CTRL_ADDR:-}" ]]
then
TOKEN=$(get_ec2_metadata_token)
CTRL_ADDR="$(get_ec2_metadata "public-hostname" "${TOKEN}")"
if [[ -z "${CTRL_ADDR}" ]]
then
echo "ERROR: CTRL_ADDR is not set" >&2
exit 1
fi
fi
# The public IPv4 only feeds the console.<ip>.sslip.io names below.
# NOTE(review): despite the WARN saying it "will not be used", an empty
# CTRL_IP is still interpolated into the values, yielding
# "console..sslip.io" as a hostname — confirm the chart tolerates that.
if [[ -z "${CTRL_IP:-}" ]]
then
TOKEN=$(get_ec2_metadata_token)
CTRL_IP="$(get_ec2_metadata "public-ipv4" "${TOKEN}")"
if [[ -z "${CTRL_IP}" ]]
then
echo "WARN: CTRL_IP is not set, will not be used" >&2
fi
fi
# `${VAR:=default}` assigns the default when unset or empty; `:` discards
# the expansion so this is purely an assignment.
: "${KUBECONFIG_POSIX_GROUP:=sudo}"
# The current user must belong to the group that k3s will make the
# kubeconfig readable to (see --write-kubeconfig-group below).
if ! groups | grep -qw "${KUBECONFIG_POSIX_GROUP}"
then
echo "ERROR: user is not in selected group ${KUBECONFIG_POSIX_GROUP}" >&2
exit 1
fi
# Install k3s as a single server node; the kubeconfig is written group-
# readable (0640) for KUBECONFIG_POSIX_GROUP so the non-root user can use it.
# NOTE(review): this and the helm installer below are fetched over HTTPS
# and piped straight into bash; nothing here verifies their contents.
curl -sSfL https://get.k3s.io \
| INSTALL_K3S_EXEC="server" bash -s - \
--write-kubeconfig-group="${KUBECONFIG_POSIX_GROUP}" \
--write-kubeconfig-mode=0640
# Install helm only when it is not already on PATH.
command -v helm &>/dev/null || {
curl -sSfL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
| bash
}
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
kubectl cluster-info
# Poll about once per second, at most ATTEMPTS times, until the traefik
# deployment that k3s bundles exists. `(( ATTEMPTS-- ))` evaluates false
# once the counter reaches 0, so `!` ends the loop (post-decrement leaves
# ATTEMPTS at -1 when exhausted). Running out is not an error here; the
# `kubectl wait` that follows fails instead.
ATTEMPTS=30 # avg 18 on t2.xlarge
until ! (( ATTEMPTS-- )) || kubectl get deployments -n kube-system traefik &>/dev/null
do
sleep 1
done
echo "DEBUG: traefik deployment exists with ${ATTEMPTS} attempts remaining"
kubectl wait deployments -n kube-system --for condition=Available traefik
# `helm repo update jetstack` only succeeds when the repo is already
# configured; otherwise add it.
helm repo update jetstack &>/dev/null \
|| helm repo add jetstack https://charts.jetstack.io
# cert-manager with its CRDs managed by the chart.
helm upgrade --install cert-manager jetstack/cert-manager \
--namespace cert-manager --create-namespace \
--set crds.enabled=true
kubectl wait deployments -n cert-manager --for condition=Available --timeout=30s --all
# Two ACME HTTP-01 ClusterIssuers solved through the traefik ingress
# class: one for the production and one for the staging Let's Encrypt
# endpoint. NOTE(review): the YAML indentation appears flattened in this
# copy of the listing; confirm nesting against the original before running.
kubectl apply -f - <<YAML
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: traefik-http-issuer-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: traefik-http-issuer-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- http01:
ingress:
class: traefik
YAML
# Ensure the target namespace exists before anything references it.
kubectl get namespace ziti &>/dev/null || kubectl create namespace ziti
# trust-manager lives alongside cert-manager; app.trust.namespace points
# its trust namespace at the ziti namespace created above.
helm upgrade --install trust-manager jetstack/trust-manager \
--namespace cert-manager \
--set crds.keep=false \
--set app.trust.namespace=ziti
kubectl wait deployments -n cert-manager --for condition=Available --timeout=30s trust-manager
# Chart values built as a YAML string so CTRL_ADDR, CTRL_IP and
# CLUSTER_ISSUER can be interpolated. The issuer defaults to the staging
# one (untrusted cert); export CLUSTER_ISSUER=traefik-http-issuer-prod for
# a publicly trusted console certificate. NOTE(review): indentation appears
# flattened in this copy of the listing; confirm against the original.
_controller_values_yaml="
clientApi:
advertisedHost: ${CTRL_ADDR}
advertisedPort: 443
altDnsNames:
- console.${CTRL_IP}.sslip.io
service:
type: ClusterIP
traefikTcpRoute:
enabled: true
webBindingPki:
altServerCerts:
- mode: certManager
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: ${CLUSTER_ISSUER:-traefik-http-issuer-staging}
secretName: ziti-controller-alt-server-cert
altDnsNames:
- console.${CTRL_IP}.sslip.io
mountPath: /etc/ziti/alt-server-cert
consoleAltIngress:
host: console.${CTRL_IP}.sslip.io
port: 443
"
# TODO: until v2.0.0 chart is available, continue testing the release candidate
#helm repo update openziti &>/dev/null || helm repo add openziti https://openziti.io/helm-charts
# Work in a scratch directory. NOTE(review): the substitution is unquoted;
# fine for mktemp's default path, quote it if TMPDIR can contain spaces.
cd $(mktemp -d)
# Extract only the ziti-controller chart from an (unpinned) snapshot of the
# release-candidate branch; --strip-components drops the archive's top dir.
wget -qO- https://github.com/openziti/helm-charts/archive/refs/heads/upgrade-cert-manager.tar.gz \
| tar -xzf - helm-charts-upgrade-cert-manager/charts/ziti-controller --strip-components=1
# Everything in this subshell is written to fd 3 (the real stdout), so it
# is visible even though fd 1 may be redirected to the progress pipe.
(
# Blank line to end the run of progress dots.
echo -e "\n"
# TODO: until v2.0.0 chart is available, continue testing the release candidate
# helm upgrade --install --version '~2' ziti-controller openziti/ziti-controller \
# The values string is handed to helm through process substitution.
helm upgrade --install ziti-controller ./charts/ziti-controller \
--namespace=ziti \
--values <(echo "${_controller_values_yaml}")
kubectl wait deployments -n ziti --for condition=Available --timeout=90s ziti-controller >/dev/null
# Print every key of the admin secret, base64-decoded. This deliberately
# exposes the controller admin credentials on the terminal for the demo.
kubectl get secret ziti-controller-admin-secret \
-n ziti \
-o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
) >&3
}
# Entry point; main ignores positional parameters but they are forwarded
# for conventional form.
main "$@"