diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml index 0dda75695..253c8ac68 100644 --- a/charts/ziti-controller/Chart.yaml +++ b/charts/ziti-controller/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.15 +appVersion: 1.1.16 dependencies: - condition: cert-manager.enabled name: cert-manager @@ -16,4 +16,4 @@ dependencies: description: Host an OpenZiti controller in Kubernetes name: ziti-controller type: application -version: 1.1.5 +version: 1.1.16 diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md index 6d2bd9f9a..ce2654518 100644 --- a/charts/ziti-controller/README.md +++ b/charts/ziti-controller/README.md @@ -2,7 +2,7 @@ # ziti-controller -![Version: 1.1.5](https://img.shields.io/badge/Version-1.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square) +![Version: 1.1.16](https://img.shields.io/badge/Version-1.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square) Host an OpenZiti controller in Kubernetes @@ -20,7 +20,7 @@ This chart runs a Ziti controller in Kubernetes. It uses the custom resources pr The client API must be published with a TLS passthrough Ingress, NodePort, or LoadBalancer. The ctrl plane and management API share the client API's TLS listener, so they're reached through the same address by default. -## Requirements +## Setup ### Add the OpenZiti Charts Repo to Helm 
@@ -34,7 +34,7 @@ This chart requires declaring the Certificate, Issuer, and Bundle custom resourc ```bash kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.crds.yaml -kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.9.0/deploy/crds/trust.cert-manager.io_bundles.yaml +kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.7.0/deploy/crds/trust.cert-manager.io_bundles.yaml ``` ## Optional Sub-Charts @@ -49,9 +49,9 @@ Or, as YAML: ```yaml cert-manager: - enabled: true + enabled: true trust-manager: - enabled: true + enabled: true ``` ## Minimal Installation 
@@ -166,12 +166,12 @@ ctrlPlane: ## Extra Security for the Management API -You can split the client and management APIs into separate cluster services by setting `managementApi.service.enabled=true`. With this configuration, you'll have an additional cluster service named `{release}-mgmt` that is the management API, and the client API will not have management features. +You can split the client and management APIs into separate cluster services by setting `managementApi.service.enabled=true`. With this configuration, you'll have an additional cluster service named `{release}-mgmt` that is the management API, and the client API will not have management features. -This Helm chart's values allow for both operational scenarios: combined and split. The default choice is to expose the combined client and management APIs as the cluster service named `{release}-client`, which is convenient because you can use the `ziti` CLI immediately. For additional security, you may shelter the management API by splitting these two sets of features, exposing them as separate API servers. After the split, you can access the management API in several ways: +This Helm chart's values allow for both operational scenarios: combined and split. The default choice is to expose the combined client and management APIs as the cluster service named `{release}-client`, which is convenient because you can use the `ziti` CLI immediately. For additional security, you may shelter the management API by splitting these two sets of features, exposing them as separate API servers. After the split, you can access the management API in several ways: -* deploy a tunneler to bind a Ziti service targeting {release}-mgmt.{namespace}.svc:{port}. -* `kubectl -n {namespace} port-forward deployments/{release}-mgmt 8443:{port}` +* deploy a tunneler to bind a Ziti service targeting {release}-mgmt.{namespace}.svc:{port}. 
+* `kubectl -n {namespace} port-forward deployments/{release}-mgmt 8443:{port}` The web console (ZAC) is always bound to the same web listener as the management API, so you can access it at that `/zac/` path on the same URL. @@ -221,7 +221,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co | cert-manager.installCRDs | bool | `false` | CRDs must be applied in advance of installing the parent chart | | cert.duration | string | `"87840h"` | server certificate duration as Go time.Duration string format | | cert.renewBefore | string | `"720h"` | rewnew server certificates before expiry as Go time.Duration string format | -| clientApi.advertisedHost | string | `nil` | global DNS name by which routers can resolve a reachable IP for this service | +| clientApi.advertisedHost | string | `""` | global DNS name by which routers can resolve a reachable IP for this service | | clientApi.advertisedPort | int | `443` | cluster service, node port, load balancer, and ingress port | | clientApi.altIngress.advertisedHost | string | `""` | alternative ingress host, e.g., ziti.example.com | | clientApi.altIngress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx | 
@@ -300,7 +300,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co | managementApi.containerPort | string | `"{{ .Values.clientApi.containerPort }}"` | cluster service target port on the container | | managementApi.dnsNames | list | `[]` | additional DNS SANs | | managementApi.ingress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx | -| managementApi.ingress.enabled | bool | `false` | create an ingress for the cluster service | +| managementApi.ingress.enabled | bool | `false` | create a TLS-passthrough ingress for the client API's ClusterIP service | | managementApi.ingress.ingressClassName | string | `""` | ingress class name, e.g., "nginx" | | managementApi.ingress.labels | object | `{}` | ingress labels | | managementApi.ingress.tls | object | `{}` | deprecated: tls passthrough is required | diff --git a/charts/ziti-controller/README.md.gotmpl b/charts/ziti-controller/README.md.gotmpl index 67ca55d50..7c85b9d33 100644 --- a/charts/ziti-controller/README.md.gotmpl +++ b/charts/ziti-controller/README.md.gotmpl @@ -21,7 +21,7 @@ This chart runs a Ziti controller in Kubernetes. It uses the custom resources pr The client API must be published with a TLS passthrough Ingress, NodePort, or LoadBalancer. The ctrl plane and management API share the client API's TLS listener, so they're reached through the same address by default. -## Requirements +## Setup ### Add the OpenZiti Charts Repo to Helm @@ -35,7 +35,7 @@ This chart requires declaring the Certificate, Issuer, and Bundle custom resourc ```bash kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.crds.yaml -kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.9.0/deploy/crds/trust.cert-manager.io_bundles.yaml +kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.7.0/deploy/crds/trust.cert-manager.io_bundles.yaml ``` ## Optional Sub-Charts 
@@ -50,9 +50,9 @@ Or, as YAML: ```yaml cert-manager: - enabled: true + enabled: true trust-manager: - enabled: true + enabled: true ``` ## Minimal Installation diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml index 78541e37b..552dffa69 100644 --- a/charts/ziti-controller/values.yaml +++ b/charts/ziti-controller/values.yaml @@ -9,7 +9,7 @@ clientApi: # -- cluster service target port on the container containerPort: 1280 # -- global DNS name by which routers can resolve a reachable IP for this service - advertisedHost: + advertisedHost: "" # -- cluster service, node port, load balancer, and ingress port advertisedPort: 443 service: @@ -63,7 +63,7 @@ managementApi: # -- expose the service as a ClusterIP, NodePort, or LoadBalancer type: ClusterIP # this doesn't need to be exposed if you exclusively manage with ZAC also running in the same cluster ingress: - # -- create an ingress for the cluster service + # -- create a TLS-passthrough ingress for the client API's ClusterIP service enabled: false # -- ingress class name, e.g., "nginx" ingressClassName: "" diff --git a/charts/ziti-edge-tunnel/README.md b/charts/ziti-edge-tunnel/README.md index e39337bae..d33ada04a 100644 --- a/charts/ziti-edge-tunnel/README.md +++ b/charts/ziti-edge-tunnel/README.md @@ -5,11 +5,11 @@ Dial OpenZiti services with a tunneler daemonset -**Homepage:** <https://openziti.io> +**Homepage:** ## Source Code -* <https://github.com/openziti/ziti-tunnel-sdk-c> +* ## Requirements 
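Review bot: The rewritten comment on `managementApi.ingress.enabled` says the ingress fronts "the client API's ClusterIP service", yet it sits under `managementApi` directly after `type: ClusterIP # this doesn't need to be exposed if you exclusively manage with ZAC ...`, so it reads like a copy-paste from `clientApi` and leaves an operator unsure which service the ingress would publish. The README in this same change describes splitting the management API precisely to shelter it, and states ZAC is bound to the same listener, so an ingress that exposes the management API outside the cluster is the opposite of that intent and deserves an explicit caution rather than an ambiguous label. I would write `# -- create a TLS-passthrough ingress for the management API's ClusterIP service; enabling this publishes the management API (and ZAC) beyond the cluster, undoing the sheltering described in the README` — or, if it genuinely targets the client service, say so and explain why it lives under managementApi. The `clientApi` and `managementApi` mappings both start and end outside these hunks.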
@@ -182,7 +182,7 @@ Once the image is present on every node, you can proceed to upgrade the tunneler | imagePullSecrets | list | `[]` | | | livenessProbe.exec.command[0] | string | `"/bin/bash"` | | | livenessProbe.exec.command[1] | string | `"-c"` | | -| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | sed -E 's/(^received\\sresponse\\s<|>$)//g' | jq '.Success'); then true; else false; fi"` | | +| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | sed -E 's/(^received\\sresponse\\s<|>$)//g' | jq '.Success'); then true; else false; fi"` | | | livenessProbe.failureThreshold | int | `3` | | | livenessProbe.initialDelaySeconds | int | `180` | | | livenessProbe.periodSeconds | int | `60` | | diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md index 22be46c08..0063e1dc3 100644 --- a/charts/ziti-router/README.md +++ b/charts/ziti-router/README.md 
@@ -320,7 +320,7 @@ identity: | tunnel.lanIf | string | `"lo"` | interface device name for setting up INPUT firewall rules if fw enabled. It must be set but not needed in containers. Thus, it is set to lo by default | | tunnel.mode | string | `"none"` | run mode for the router's built-in tunnel component: host, tproxy, proxy, or none | | tunnel.proxyAdditionalK8sServices | list | `[]` | if tunnel mode is "proxy", create a separate cluster service for each Ziti service listed in "proxyServices" which k8sService == name | -| tunnel.proxyDefaultK8sService | object | `{"enabled":true,"type":"ClusterIP"}` | if tunnel mode is "proxy", create the a cluster service named {{ release }}-proxy-default listening on each "advertisedPort" defined in "proxyServices" | +| tunnel.proxyDefaultK8sService | object | `{"enabled":true,"type":"ClusterIP"}` | if tunnel mode is "proxy", create the a cluster service named {{ release }}-proxy-default listening on each "advertisedPort" defined in "proxyServices" | | tunnel.proxyServices | list | `[]` | list of Ziti services for which K8s services are to be created by this deployment, default is one cluster service port per Ziti service | | tunnel.resolver | string | `nil` | Ziti nameserver listener where OS must be configured to send DNS queries (default: udp://127.0.0.1:53) | | websocket.enableCompression | bool | `true` | enable compression on websocket |