v3.1.3

Remove Rich from CODEOWNERS

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # Main repo owners:
-*       @dfunckt @richbayliss
+*       @dfunckt

.versionbot/CHANGELOG.yml

@@ -1,3 +1,76 @@
+- commits:
+    - subject: Remove Rich from CODEOWNERS
+      hash: a0ef371621dbf6db325715f7cddcc17d33a4df45
+      body: ''
+      footer:
+        Change-type: patch
+        change-type: patch
+      author: Akis Kesoglou
+      nested: []
+  version: 3.1.3
+  date: 2021-01-26T11:35:15.017Z
+- commits:
+    - subject: 'tunnel: Expose tunnel service via TLS'
+      hash: b3d184c13c4a550c44f2ed3125d5240475b6508d
+      body: |
+        In order to support the new CLI and balenaCloud deployment
+        schemes for the tunnel service, the service is now exposed via
+        the TLS port 443 on the `tunnel.{domain}` server name.
+      footer:
+        Change-type: patch
+        change-type: patch
+        Signed-off-by: Rich Bayliss <rich@balena.io>
+        signed-off-by: Rich Bayliss <rich@balena.io>
+      author: Rich Bayliss
+      nested: []
+  version: 3.1.2
+  date: 2021-01-22T11:57:55.393Z
+- commits:
+    - subject: Update open-balena-api
+      hash: bfce474ff018496b72d008ec99ec1a6a813f457e
+      body: >
+        Fixes a bug with a migration that would keep obsolete DB columns around
+        and prevent creation of applications and devices.
+
+
+        See https://github.com/balena-io/open-balena-api/pull/507
+
+
+        Fixes #94 #95
+      footer:
+        Change-type: patch
+        change-type: patch
+      author: Akis Kesoglou
+      nested: []
+  version: 3.1.1
+  date: 2020-11-10T15:56:36.600Z
+- commits:
+    - subject: Change S3 OS images folder from resinos to images
+      hash: 7790290d0e967838d79d5de344f6a18f17882036
+      body: ''
+      footer:
+        Change-type: minor
+        change-type: minor
+        Signed-off-by: Stevche Radevski <stevche@balena.io>
+        signed-off-by: Stevche Radevski <stevche@balena.io>
+      author: Stevche Radevski
+      nested: []
+  version: 3.1.0
+  date: 2020-11-03T16:19:49.675Z
+- commits:
+    - subject: Update the API fixing an issue with migrations
+      hash: eec16b843d5e18d21658173b51d004b3600aced9
+      body: >
+        When updating from previous versions, the API will fail to execute the
+        database migrations. This updates the API version to include a fix for
+        this.
+      footer:
+        Change-type: patch
+        change-type: patch
+      author: Akis Kesoglou
+      nested: []
+  version: 3.0.1
+  date: 2020-10-29T11:38:33.463Z
 - commits:
     - subject: Update versions of services
       hash: 1f7ed769c094030b6c5ee60114498ebdb1e4ccf5

CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+# v3.1.3
+## (2021-01-26)
+
+* Remove Rich from CODEOWNERS [Akis Kesoglou]
+
+# v3.1.2
+## (2021-01-22)
+
+* tunnel: Expose tunnel service via TLS [Rich Bayliss]
+
+# v3.1.1
+## (2020-11-10)
+
+* Update open-balena-api [Akis Kesoglou]
+
+# v3.1.0
+## (2020-11-03)
+
+* Change S3 OS images folder from resinos to images [Stevche Radevski]
+
+# v3.0.1
+## (2020-10-29)
+
+* Update the API fixing an issue with migrations [Akis Kesoglou]
+
 # v3.0.0
 ## (2020-10-28)
 

README.md

@@ -37,7 +37,7 @@ application to your device(s).
 The current release of openBalena has the following minimum version requirements:
 
 - balenaOS v2.58.3
-- balena CLI v12.23.4
+- balena CLI v12.38.5
 
 If you are updating from previous openBalena versions, ensure you update the balena
 CLI and reprovision any devices to at least the minimum required versions in order

VERSION

@@ -1 +1 @@
-3.0.0
+3.1.3

compose/mdns.yml

@@ -22,7 +22,7 @@ services:
         # the resin backend (eg. that for BALENA_ROOT_CA if present).
         MDNS_TLD: ${OPENBALENA_HOST_NAME}
         # List of subdomains to advertise. This must include all required hosts.
-        MDNS_SUBDOMAINS: '["api", "db", "registry", "s3", "vpn"]'
+        MDNS_SUBDOMAINS: '["api", "db", "registry", "s3", "tunnel", "vpn"]'
         # The expectation is the DBus socket to use is always at the following location.
         DBUS_SESSION_BUS_ADDRESS: "unix:path=/host/run/dbus/system_bus_socket"
         # Selects the interface used for incoming connections from the wider subnet.

compose/services.yml

@@ -32,7 +32,7 @@ services:
       HOST: api.${OPENBALENA_HOST_NAME}
       IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
       IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
-      IMAGE_STORAGE_PREFIX: resinos
+      IMAGE_STORAGE_PREFIX: images
       IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
       JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
       JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
@@ -168,6 +168,7 @@ services:
           - db.${OPENBALENA_HOST_NAME}
           - s3.${OPENBALENA_HOST_NAME}
           - redis.${OPENBALENA_HOST_NAME}
+          - tunnel.${OPENBALENA_HOST_NAME}
     environment:
       BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
       BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
@@ -183,5 +184,5 @@ services:
       - cert-provider:/usr/src/app/certs
     environment:
       ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
-      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME}"
+      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME},tunnel.${OPENBALENA_HOST_NAME}"
       OUTPUT_PEM: /certs/open-balena.pem

compose/versions

@@ -1,4 +1,4 @@
-export OPENBALENA_API_VERSION_TAG=v0.105.0
+export OPENBALENA_API_VERSION_TAG=v0.109.2
 export OPENBALENA_DB_VERSION_TAG=v4.1.0
 export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.7.9
 export OPENBALENA_REGISTRY_VERSION_TAG=v2.13.11

scripts/compose

@@ -11,6 +11,10 @@ echo_bold() {
   printf "\\033[1m%s\\033[0m\\n" "$@"
 }
 
+echo_bold_stderr() {
+  printf "\\033[1m%s\\033[0m\\n" "$@" 1>&2
+}
+
 VERSIONS_FILE="${BASE_DIR}/compose/versions"
 if [ ! -f "$VERSIONS_FILE" ]; then
   echo_bold "No service versions defined in ${VERSIONS_FILE}"
@@ -31,6 +35,9 @@ if [ ${OPENBALENA_HOST_NAME: -6} == ".local" ]; then
   INCLUDE_MDNS="-f ${BASE_DIR}/compose/mdns.yml"
 fi
 
+# show a warning to update your balena CLI tool...
+echo_bold_stderr "IMPORTANT: Please update your Balena CLI installation to version v12.38.5"
+
 # shellcheck source=/dev/null
 source "${VERSIONS_FILE}"; docker-compose \
   --project-name 'openbalena' \

src/haproxy/haproxy.cfg

@@ -34,6 +34,10 @@ frontend ssl-in
   tcp-request content accept if { req.ssl_hello_type 1 }
 
   acl is_ssl req.ssl_ver 2:3.4
+
+  acl host_tunnel req_ssl_sni -i "tunnel.${HAPROXY_HOSTNAME}"
+  use_backend redirect-to-tunnel-in if host_tunnel
+
   use_backend redirect-to-https-in if is_ssl
   use_backend vpn-devices if !is_ssl
 
@@ -42,6 +46,11 @@ backend redirect-to-https-in
   balance roundrobin
   server localhost 127.0.0.1:444 send-proxy-v2
 
+backend redirect-to-tunnel-in
+  mode tcp
+  balance roundrobin
+  server localhost 127.0.0.1:3129
+
 frontend https-in
   mode http
   option forwardfor
@@ -118,3 +127,8 @@ listen vpn-tunnel
   mode tcp
   bind *:3128
   server balena_vpn vpn:3128 check port 3128
+
+listen vpn-tunnel-tls
+  mode tcp
+  bind *:3129 ssl crt /etc/ssl/private/open-balena.pem
+  server balena_vpn vpn:3128 check port 3128