4 changes: 2 additions & 2 deletions charts/ziti-controller/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.1.15
appVersion: 1.1.16
dependencies:
- condition: cert-manager.enabled
name: cert-manager
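Review bot: the `appVersion` bump to 1.1.16 is not accompanied by any change in the visible `dependencies:` block, so confirm that the cert-manager and trust-manager sub-chart pins further down in this file still agree with the trust-manager CRD version the README hunks in this PR tell users to apply (v0.7.0); a controller image bump and a CRD pin that drift apart is the usual source of "unknown field" errors on Bundle resources.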
@@ -16,4 +16,4 @@ dependencies:
description: Host an OpenZiti controller in Kubernetes
name: ziti-controller
type: application
version: 1.1.5
version: 1.1.16
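Review bot: the chart `version` jumps from 1.1.5 to 1.1.16, skipping ten patch releases, apparently to line it up with `appVersion`. If aligning the two numbers is the intent, say so in the PR description or changelog, because users who pin `--version` will see an unexplained gap, and note that Helm still treats this as an ordinary patch-level upgrade with no special handling.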
22 changes: 11 additions & 11 deletions charts/ziti-controller/README.md
@@ -2,7 +2,7 @@

# ziti-controller

![Version: 1.1.5](https://img.shields.io/badge/Version-1.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
![Version: 1.1.16](https://img.shields.io/badge/Version-1.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)

Host an OpenZiti controller in Kubernetes

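Review bot: the badge values here (Version 1.1.16, AppVersion 1.1.16) match the Chart.yaml hunks, but this README appears to be rendered from README.md.gotmpl, which also changes in this PR; regenerate it from the template rather than editing the badge by hand so the two files cannot drift.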
@@ -20,7 +20,7 @@ This chart runs a Ziti controller in Kubernetes. It uses the custom resources pr

The client API must be published with a TLS passthrough Ingress, NodePort, or LoadBalancer. The ctrl plane and management API share the client API's TLS listener, so they're reached through the same address by default.

## Requirements
## Setup

### Add the OpenZiti Charts Repo to Helm

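Review bot: renaming `## Requirements` to `## Setup` changes the generated heading anchor from `#requirements` to `#setup`; grep the docs site and the chart's NOTES.txt for links to the old anchor before merging. The rename itself reads better, since the subsection `### Add the OpenZiti Charts Repo to Helm` is a setup step, not a requirement.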
@@ -34,7 +34,7 @@ This chart requires declaring the Certificate, Issuer, and Bundle custom resourc

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.crds.yaml
kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.9.0/deploy/crds/trust.cert-manager.io_bundles.yaml
kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.7.0/deploy/crds/trust.cert-manager.io_bundles.yaml
```

## Optional Sub-Charts
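Review bot: the Bundle CRD URL changes from trust-manager v0.9.0 to v0.7.0, which is a downgrade of the CRD users are told to apply. A CRD older than the trust-manager sub-chart actually installed can reject fields the newer controller writes, so confirm v0.7.0 matches the trust-manager dependency version pinned in Chart.yaml (not shown in this diff) and explain the step back in the PR. While here, the cert-manager line above it fetches CRDs from `releases/latest/download`, so the two instructions are inconsistent: one is pinned, the other applies whatever is current at install time; pinning both to the versions the chart was tested against is the safer default.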
@@ -49,9 +49,9 @@ Or, as YAML:

```yaml
cert-manager:
enabled: true
enabled: true
trust-manager:
enabled: true
enabled: true
```

## Minimal Installation
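Review bot: the change to the two `enabled: true` lines under `cert-manager:` and `trust-manager:` is whitespace-only, and the rendered diff does not show the indentation. Check that both keys remain nested as children of the sub-chart names: a flush-left `enabled: true` becomes a top-level value, passes YAML validation, and silently leaves both sub-charts disabled.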
@@ -166,12 +166,12 @@ ctrlPlane:

## Extra Security for the Management API

You can split the client and management APIs into separate cluster services by setting `managementApi.service.enabled=true`. With this configuration, you'll have an additional cluster service named `{release}-mgmt` that is the management API, and the client API will not have management features.
You can split the client and management APIs into separate cluster services by setting `managementApi.service.enabled=true`. With this configuration, you'll have an additional cluster service named `{release}-mgmt` that is the management API, and the client API will not have management features.

This Helm chart's values allow for both operational scenarios: combined and split. The default choice is to expose the combined client and management APIs as the cluster service named `{release}-client`, which is convenient because you can use the `ziti` CLI immediately. For additional security, you may shelter the management API by splitting these two sets of features, exposing them as separate API servers. After the split, you can access the management API in several ways:
This Helm chart's values allow for both operational scenarios: combined and split. The default choice is to expose the combined client and management APIs as the cluster service named `{release}-client`, which is convenient because you can use the `ziti` CLI immediately. For additional security, you may shelter the management API by splitting these two sets of features, exposing them as separate API servers. After the split, you can access the management API in several ways:

* deploy a tunneler to bind a Ziti service targeting {release}-mgmt.{namespace}.svc:{port}.
* `kubectl -n {namespace} port-forward deployments/{release}-mgmt 8443:{port}`
* deploy a tunneler to bind a Ziti service targeting {release}-mgmt.{namespace}.svc:{port}.
* `kubectl -n {namespace} port-forward deployments/{release}-mgmt 8443:{port}`

The web console (ZAC) is always bound to the same web listener as the management API, so you can access it at that `/zac/` path on the same URL.

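Review bot: both paragraphs and both bullets in this hunk are textually identical before and after, so the edit is presumably trailing-whitespace or list-marker normalisation; the PR description should say so. While touching the bullets, wrap `{release}-mgmt.{namespace}.svc:{port}` in backticks like the `kubectl -n {namespace} port-forward ...` bullet, so the placeholders are not mistaken for prose.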
@@ -221,7 +221,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
| cert-manager.installCRDs | bool | `false` | CRDs must be applied in advance of installing the parent chart |
| cert.duration | string | `"87840h"` | server certificate duration as Go time.Duration string format |
| cert.renewBefore | string | `"720h"` | rewnew server certificates before expiry as Go time.Duration string format |
| clientApi.advertisedHost | string | `nil` | global DNS name by which routers can resolve a reachable IP for this service |
| clientApi.advertisedHost | string | `""` | global DNS name by which routers can resolve a reachable IP for this service |
| clientApi.advertisedPort | int | `443` | cluster service, node port, load balancer, and ingress port |
| clientApi.altIngress.advertisedHost | string | `""` | alternative ingress host, e.g., ziti.example.com |
| clientApi.altIngress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx |
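Review bot: documenting the `clientApi.advertisedHost` default as `""` instead of `nil` matches the values.yaml hunk in this PR, and both values are falsy in Go templates, so any `{{ if .Values.clientApi.advertisedHost }}` guard behaves the same. Since the description says routers resolve the controller through this name, the table should mark it as effectively required, or the template that emits it should use `required` so an install without it fails at render time instead of producing a controller routers cannot reach.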
@@ -300,7 +300,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
| managementApi.containerPort | string | `"{{ .Values.clientApi.containerPort }}"` | cluster service target port on the container |
| managementApi.dnsNames | list | `[]` | additional DNS SANs |
| managementApi.ingress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx |
| managementApi.ingress.enabled | bool | `false` | create an ingress for the cluster service |
| managementApi.ingress.enabled | bool | `false` | create a TLS-passthrough ingress for the client API's ClusterIP service |
| managementApi.ingress.ingressClassName | string | `""` | ingress class name, e.g., "nginx" |
| managementApi.ingress.labels | object | `{}` | ingress labels |
| managementApi.ingress.tls | object | `{}` | deprecated: tls passthrough is required |
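Review bot: the new description for `managementApi.ingress.enabled` says it creates a TLS-passthrough ingress "for the client API's ClusterIP service", but the key lives under `managementApi`, so it should read "for the management API's ClusterIP service". As written, an operator could conclude that enabling it leaves the management API unpublished, which undercuts the "Extra Security for the Management API" section above; the same wording appears in the values.yaml comment and should be corrected there, with this table regenerated.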
8 changes: 4 additions & 4 deletions charts/ziti-controller/README.md.gotmpl
@@ -21,7 +21,7 @@ This chart runs a Ziti controller in Kubernetes. It uses the custom resources pr

The client API must be published with a TLS passthrough Ingress, NodePort, or LoadBalancer. The ctrl plane and management API share the client API's TLS listener, so they're reached through the same address by default.

## Requirements
## Setup

### Add the OpenZiti Charts Repo to Helm

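Review bot: this is the source template for the README.md heading rename in the same PR; since README.md is rendered from this file, the README hunk should be the output of regenerating after this edit, not a parallel hand edit, so the two cannot drift on the next regeneration.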
@@ -35,7 +35,7 @@ This chart requires declaring the Certificate, Issuer, and Bundle custom resourc

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.crds.yaml
kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.9.0/deploy/crds/trust.cert-manager.io_bundles.yaml
kubectl apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.7.0/deploy/crds/trust.cert-manager.io_bundles.yaml
```

## Optional Sub-Charts
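Review bot: same CRD pin change from v0.9.0 to v0.7.0 as in the rendered README, and this template is the source of truth for it; confirm the version matches the trust-manager sub-chart pinned in Chart.yaml, and consider pinning the cert-manager CRD URL on the line above as well instead of `releases/latest/download`, so both instructions reproduce the tested combination.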
@@ -50,9 +50,9 @@ Or, as YAML:

```yaml
cert-manager:
enabled: true
enabled: true
trust-manager:
enabled: true
enabled: true
```

## Minimal Installation
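Review bot: whitespace-only change to the `enabled: true` lines under `cert-manager:` and `trust-manager:`; verify the indentation still nests each `enabled` under its sub-chart key, since a flush-left key would silently disable both sub-charts.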
4 changes: 2 additions & 2 deletions charts/ziti-controller/values.yaml
@@ -9,7 +9,7 @@ clientApi:
# -- cluster service target port on the container
containerPort: 1280
# -- global DNS name by which routers can resolve a reachable IP for this service
advertisedHost:
advertisedHost: ""
# -- cluster service, node port, load balancer, and ingress port
advertisedPort: 443
service:
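Review bot: `advertisedHost: ""` is clearer than the bare `advertisedHost:` key, which YAML reads as null, and both are falsy for template `if` guards, so behaviour is unchanged. Because the comment says routers depend on this name to reach the controller, consider wrapping the value in `required "clientApi.advertisedHost must be set"` in the template that emits it, so a missing value fails at `helm install` rather than yielding a controller that routers cannot resolve.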
@@ -63,7 +63,7 @@ managementApi:
# -- expose the service as a ClusterIP, NodePort, or LoadBalancer
type: ClusterIP # this doesn't need to be exposed if you exclusively manage with ZAC also running in the same cluster
ingress:
# -- create an ingress for the cluster service
# -- create a TLS-passthrough ingress for the client API's ClusterIP service
enabled: false
# -- ingress class name, e.g., "nginx"
ingressClassName: ""
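Review bot: the new comment on `managementApi.ingress.enabled` refers to "the client API's ClusterIP service", but this `ingress:` block is under `managementApi`, so it should say the management API's service. The inline comment on `type: ClusterIP` just above already explains that the management API need not be exposed when ZAC runs in the same cluster; the ingress comment should be equally explicit that enabling it publishes the management API outside the cluster, so that the two comments together describe the safe default and the trade-off of changing it.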
6 changes: 3 additions & 3 deletions charts/ziti-edge-tunnel/README.md
@@ -5,11 +5,11 @@

Dial OpenZiti services with a tunneler daemonset

**Homepage:** <https://openziti.io>
**Homepage:** <https://openziti.io>

## Source Code

* &lt;https://github.com/openziti/ziti-tunnel-sdk-c>
* <https://github.com/openziti/ziti-tunnel-sdk-c>

## Requirements

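Review bot: replacing `&lt;` with `<` in the Source Code link fixes an HTML entity that leaked into this generated file, and the `**Homepage:**` line is unchanged apart from whitespace. Since the README is produced by a generator, find out which step introduced the escaping and fix it there; otherwise the entity comes back on the next regeneration.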
@@ -182,7 +182,7 @@ Once the image is present on every node, you can proceed to upgrade the tunneler
| imagePullSecrets | list | `[]` | |
| livenessProbe.exec.command[0] | string | `"/bin/bash"` | |
| livenessProbe.exec.command[1] | string | `"-c"` | |
| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | sed -E 's/(^received\\sresponse\\s&lt;|>$)//g' | jq '.Success'); then true; else false; fi"` | |
| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | sed -E 's/(^received\\sresponse\\s<|>$)//g' | jq '.Success'); then true; else false; fi"` | |
| livenessProbe.failureThreshold | int | `3` | |
| livenessProbe.initialDelaySeconds | int | `180` | |
| livenessProbe.periodSeconds | int | `60` | |
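Review bot: the entity fix makes the documented liveness command match a real shell command, but the command it documents has a logic problem worth fixing at its source in values.yaml: `if (... | jq '.Success'); then true; else false; fi` tests the pipeline's exit status, and `jq` exits 0 whenever it parses its input, whether `.Success` is `true`, `false` or `null`, so the probe only fails when `tunnel_status` yields no parseable JSON. Using `jq -e '.Success'` makes `jq` exit non-zero for `false` and `null`, so the probe would reflect the tunnel's actual status; the `then true; else false; fi` wrapper is then redundant and can be dropped. Regenerate this table after changing the value.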
2 changes: 1 addition & 1 deletion charts/ziti-router/README.md
@@ -320,7 +320,7 @@ identity:
| tunnel.lanIf | string | `"lo"` | interface device name for setting up INPUT firewall rules if fw enabled. It must be set but not needed in containers. Thus, it is set to lo by default |
| tunnel.mode | string | `"none"` | run mode for the router's built-in tunnel component: host, tproxy, proxy, or none |
| tunnel.proxyAdditionalK8sServices | list | `[]` | if tunnel mode is "proxy", create a separate cluster service for each Ziti service listed in "proxyServices" which k8sService == name |
| tunnel.proxyDefaultK8sService | object | `{"enabled":true,"type":"ClusterIP"}` | if tunnel mode is "proxy", create the a cluster service named &lbrace;&lbrace; release }}-proxy-default listening on each "advertisedPort" defined in "proxyServices" |
| tunnel.proxyDefaultK8sService | object | `{"enabled":true,"type":"ClusterIP"}` | if tunnel mode is "proxy", create the a cluster service named {{ release }}-proxy-default listening on each "advertisedPort" defined in "proxyServices" |
| tunnel.proxyServices | list | `[]` | list of Ziti services for which K8s services are to be created by this deployment, default is one cluster service port per Ziti service |
| tunnel.resolver | string | `nil` | Ziti nameserver listener where OS must be configured to send DNS queries (default: udp://127.0.0.1:53) |
| websocket.enableCompression | bool | `true` | enable compression on websocket |
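Review bot: un-escaping `&lbrace;&lbrace; release }}` to `{{ release }}` fixes the rendering, but the surrounding description still reads "create the a cluster service"; drop "the" in the values.yaml comment this row is generated from. Also confirm that the literal `{{ release }}` survives regeneration unchanged, since the earlier escaping suggests some step in the pipeline once treated the braces as a template action.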