announce community instances in cert subjects (#384)

qrkourier · web-flow · commit ba9249720bd9 · 2026-02-23T20:42:07.000-05:00
* announce community instances in cert subjects

* bump chart version

* use miniziti branch

* wait longer for zrok test job

* resume using main miniziti.bash

* set verbose on miniziti controller/router and optionally override ziti version to test

* always use latest stable ziti cli version for interacting with the tested deployments

* correct actions syntax

* move k8s test procedure to a script so it can be run locally too

* add retry handler for the verify traffic command

* pass namespace through to miniziti profile

* optionally override miniziti executable
diff --git a/.github/workflows/miniziti.yml b/.github/workflows/miniziti.yml
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,4 @@ __snapshot__
 
 # top-level directory with local test data
 /valuestest/
+/testvalues/
diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.7.2
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 3.1.0
+version: 3.1.1
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@
 
 # ziti-controller
 
-![Version: 3.1.0](https://img.shields.io/badge/Version-3.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
+![Version: 3.1.1](https://img.shields.io/badge/Version-3.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
 
 Host an OpenZiti controller in Kubernetes
 
diff --git a/charts/ziti-controller/templates/_helpers.tpl b/charts/ziti-controller/templates/_helpers.tpl
@@ -134,6 +134,18 @@ that are managed by cert-manager
 {{- dict "certManagerCerts" $filteredCerts | toJson -}}
 {{- end -}}
 
+{{/*
+Resolve the organization used in server certificate subjects.
+*/}}
+{{- define "ziti-controller.serverCertSubjectOrganization" -}}
+  {{- $edition := (get .Values "edition") | default dict -}}
+  {{- if (get $edition "enterprise" | default false) -}}
+Enterprise Edition
+  {{- else -}}
+OpenZiti Community
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Validate cluster mode.
 Returns one of: "standalone", "cluster-init", "cluster-join", "cluster-migrate".
diff --git a/charts/ziti-controller/templates/alt-certificate.yaml b/charts/ziti-controller/templates/alt-certificate.yaml
@@ -10,6 +10,9 @@ metadata:
   name: {{ printf "%s-alt-cert-%d" (include "ziti-controller.fullname" $) $index }}
   namespace: {{ $.Release.Namespace }}
 spec:
+  subject:
+    organizations:
+      - {{ include "ziti-controller.serverCertSubjectOrganization" $ | quote }}
   {{- if $cert.secretName }}
   secretName: {{ $cert.secretName | quote }}
   {{- else }}
diff --git a/charts/ziti-controller/templates/ca-ctrl-identity.yaml b/charts/ziti-controller/templates/ca-ctrl-identity.yaml
@@ -60,6 +60,9 @@ metadata:
     {{- include "ziti-controller.labels" . | nindent 4 }}
 spec:
   commonName: {{ default (printf "%s-ctrl-plane-identity" (include "ziti-controller.fullname" .)) .Values.cluster.nodeName }}
+  subject:
+    organizations:
+      - {{ include "ziti-controller.serverCertSubjectOrganization" . | quote }}
   secretName: {{ include "ziti-controller.fullname" . }}-ctrl-plane-identity-secret
   isCA: false
   duration: {{ .Values.cert.duration }}
diff --git a/charts/ziti-controller/templates/ca-web-identity.yaml b/charts/ziti-controller/templates/ca-web-identity.yaml
@@ -64,6 +64,9 @@ metadata:
     {{- include "ziti-controller.labels" . | nindent 4 }}
 spec:
   commonName: {{ include "ziti-controller.fullname" . }}-web-identity
+  subject:
+    organizations:
+      - {{ include "ziti-controller.serverCertSubjectOrganization" . | quote }}
   secretName: {{ include "ziti-controller.fullname" . }}-web-identity-secret
   isCA: false
   duration: {{ .Values.cert.duration }}
@@ -115,6 +118,9 @@ metadata:
     {{- include "ziti-controller.labels" . | nindent 4 }}
 spec:
   commonName: {{ include "ziti-controller.fullname" . }}-mgmt
+  subject:
+    organizations:
+      - {{ include "ziti-controller.serverCertSubjectOrganization" . | quote }}
   secretName: {{ include "ziti-controller.fullname" . }}-web-mgmt-api-secret
   isCA: false
   duration: {{ .Values.cert.duration }}
@@ -162,6 +168,9 @@ metadata:
     {{- include "ziti-controller.labels" . | nindent 4 }}
 spec:
   commonName: {{ include "ziti-controller.fullname" . }}-prometheus
+  subject:
+    organizations:
+      - {{ include "ziti-controller.serverCertSubjectOrganization" . | quote }}
   secretName: {{ include "ziti-controller.fullname" . }}-web-prometheus-metrics-secret
   isCA: false
   duration: {{ .Values.cert.duration }}
diff --git a/matrix-test.bash b/matrix-test.bash
diff --git a/run-miniziti.bash b/run-miniziti.bash

Original file line number	Diff line number	Diff line change
`@@ -30,3 +30,4 @@ __snapshot__`
`30`	`30`
`31`	`31`	`# top-level directory with local test data`
`32`	`32`	`/valuestest/`
	`33`	`+/testvalues/`