openziti · qrkourier · May 15, 2025 · Apr 29, 2025 · Apr 29, 2025 · Apr 29, 2025
diff --git a/charts/ziti-edge-tunnel/Chart.yaml b/charts/ziti-edge-tunnel/Chart.yaml
@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 1.3.9
+appVersion: 1.5.12
 description: Dial OpenZiti services with a tunneler daemonset
 kubeVersion: '>= 1.20.0-0'
 name: ziti-edge-tunnel
 type: application
-version: 1.1.1
+version: 1.2.0
 icon: https://openziti.io/img/ziti-logo-dark.svg
 home: https://openziti.io
 sources:

diff --git a/charts/ziti-edge-tunnel/README.md b/charts/ziti-edge-tunnel/README.md
@@ -1,7 +1,7 @@
 <!-- README.md generated by helm-docs from README.md.gotmpl -->
 # ziti-edge-tunnel
 
-![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.9](https://img.shields.io/badge/AppVersion-1.3.9-informational?style=flat-square)
+![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.12](https://img.shields.io/badge/AppVersion-1.5.12-informational?style=flat-square)
 
 Dial OpenZiti services with a tunneler daemonset
 
@@ -27,36 +27,44 @@ For multinode kubernetes installations, where your cluster DNS could run on a di
 
 This chart deploys a pod running `ziti-edge-tunnel`, [the OpenZiti Linux tunneler](https://docs.openziti.io/docs/reference/tunnelers/linux/), in transparent proxy mode with DNS nameserver. The chart uses container image `docker.io/openziti/ziti-edge-tunnel` which runs `ziti-edge-tunnel run`.
 
+The enrolled Ziti identity JSON is persisted in a volume, and the chart will migrate the identity from a secret to the volume if the legacy secret exists.
+
 ## Installation
 
 ```console
 helm repo add openziti https://docs.openziti.io/helm-charts/
 ```
 
-After adding the charts repo to Helm then you may enroll the identity and install the chart. You must supply a Ziti identity JSON file when you install the chart.
+After adding the charts repo to Helm then you may enroll the identity and install the chart. You may supply a Ziti identity JSON file when you install the chart. This approach enables you to use any option available to the `ziti-edge-tunnel enroll` command.
+
+```console
+ziti-edge-tunnel enroll --jwt /tmp/k8s-tunneler.jwt --identity /tmp/k8s-tunneler.json
+helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiIdentity=/tmp/k8s-tunneler.json
+```
+
+Alternatively, you may supply the JWT directly to the chart. In this case, a private key will be generated on first run and the identity will be enrolled.
 
 ```console
-ziti edge enroll --jwt /tmp/k8s-tunneler.jwt --out /tmp/k8s-tunneler.json
-helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiIdentity=/tmp/k8s-tunneler-03.json
+helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiEnrollToken=/tmp/k8s-tunneler.jwt
 ```
 
-### Installation using a existing / pre-created secret
+### Installation using a existing secret
 
-Alternatively when you want to use a existing / pre-created secret (i.e. you have sealed-secrets enabled in your setup), you could refer to an existing secret with the ziti identity to use.
+**Warning:** this approach does not allow the tunneler to autonomously renew its identity certificate, so you must renew the identity certificate out of band and supply it as an existing secret.
 
-This sample shows you how to create the secret:
+Create the secret:
 
 ```console
 kubectl create secret generic k8s-tunneler-identity --from-file=persisted-identity=k8s-tunneler.json
 ```
 
-When you deploy the helm chart refer to the existing secret:
+Deploy the Helm chart, referring to the existing secret:
 
 ```console
 helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set secret.existingSecretName=k8s-tunneler-identity
 ```
 
-When you don't want to use the default key name `persisted-identity` you can define your own name by adding `--set secret.keyName=myKeyName`.
+If desired, change the key name `persisted-identity` with `--set secret.keyName=myKeyName`.
 
 ### Configure CoreDNS
 
@@ -175,22 +183,23 @@ Once the image is present on every node, you can proceed to upgrade the tunneler
 | fullnameOverride | string | `""` |  |
 | hostNetwork | bool | `true` |  |
 | image.args | list | `[]` |  |
+| image.command | list | `[]` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"docker.io"` |  |
 | image.repository | string | `"openziti/ziti-edge-tunnel"` |  |
 | image.tag | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
 | livenessProbe.exec.command[0] | string | `"/bin/bash"` |  |
 | livenessProbe.exec.command[1] | string | `"-c"` |  |
-| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | sed -E 's/(^received\\sresponse\\s<|>$)//g' | jq '.Success'); then true; else false; fi"` |  |
+| livenessProbe.exec.command[2] | string | `"if (ziti-edge-tunnel tunnel_status | jq '.Success'); then true; else false; fi"` |  |
 | livenessProbe.failureThreshold | int | `3` |  |
 | livenessProbe.initialDelaySeconds | int | `180` |  |
 | livenessProbe.periodSeconds | int | `60` |  |
 | livenessProbe.successThreshold | int | `1` |  |
 | livenessProbe.timeoutSeconds | int | `10` |  |
-| log.timeFormat | string | `"utc"` |  |
-| log.tlsUVLevel | int | `3` |  |
-| log.zitiLevel | int | `3` |  |
+| log.timeFormat | string | `"utc"` | Set log time format, if set to "utc", then in UTC format, otherwise in milliseconds since the program has started. |
+| log.tlsUVLevel | int | `3` | TLSUV log level, from 0 to 6 (see README.md Reference) |
+| log.zitiLevel | int | `3` | Ziti log level, from 0 to 6 (see README.md Reference) |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` | constrain worker nodes where the ziti-edge-tunnel pod can be scheduled |
 | podAnnotations | object | `{}` |  |
@@ -199,14 +208,16 @@ Once the image is present on every node, you can proceed to upgrade the tunneler
 | resources | object | `{}` |  |
 | secret | object | `{}` |  |
 | securityContext.privileged | bool | `true` |  |
-| serviceAccount.annotations | object | `{}` |  |
-| serviceAccount.create | bool | `true` |  |
-| serviceAccount.name | string | `""` |  |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | spireAgent.enabled | bool | `false` | if you are running a container with the spire-agent binary installed then this will allow you to add the hostpath necessary for connecting to the spire socket |
 | spireAgent.spireSocketMnt | string | `"/run/spire/sockets"` | file path of the spire socket mount |
 | systemDBus.enabled | bool | `true` | enable D-Bus socket connection |
 | systemDBus.systemDBusSocketMnt | string | `"/var/run/dbus/system_bus_socket"` | file path of the System D-Bus socket mount |
 | tolerations | list | `[]` |  |
+| zitiEnrollToken | string | `""` | JWT to enroll a new identity and write in the PVC |
+| zitiIdentity | string | `""` | JSON of an enrolled identity to write in the PVC |
 
 ```console
 helm upgrade {release} {source dir}

diff --git a/charts/ziti-edge-tunnel/README.md.gotmpl b/charts/ziti-edge-tunnel/README.md.gotmpl
@@ -26,36 +26,44 @@ For multinode kubernetes installations, where your cluster DNS could run on a di
 
 This chart deploys a pod running `ziti-edge-tunnel`, [the OpenZiti Linux tunneler](https://docs.openziti.io/docs/reference/tunnelers/linux/), in transparent proxy mode with DNS nameserver. The chart uses container image `docker.io/openziti/ziti-edge-tunnel` which runs `ziti-edge-tunnel run`.
 
+The enrolled Ziti identity JSON is persisted in a volume, and the chart will migrate the identity from a secret to the volume if the legacy secret exists.
+
 ## Installation
 
 ```console
 helm repo add openziti https://docs.openziti.io/helm-charts/
 ```
 
-After adding the charts repo to Helm then you may enroll the identity and install the chart. You must supply a Ziti identity JSON file when you install the chart.
+After adding the charts repo to Helm then you may enroll the identity and install the chart. You may supply a Ziti identity JSON file when you install the chart. This approach enables you to use any option available to the `ziti-edge-tunnel enroll` command.
+
+```console
+ziti-edge-tunnel enroll --jwt /tmp/k8s-tunneler.jwt --identity /tmp/k8s-tunneler.json
+helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiIdentity=/tmp/k8s-tunneler.json
+```
+
+Alternatively, you may supply the JWT directly to the chart. In this case, a private key will be generated on first run and the identity will be enrolled.
 
 ```console
-ziti edge enroll --jwt /tmp/k8s-tunneler.jwt --out /tmp/k8s-tunneler.json
-helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiIdentity=/tmp/k8s-tunneler-03.json
+helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set-file zitiEnrollToken=/tmp/k8s-tunneler.jwt
 ```
 
-### Installation using a existing / pre-created secret
+### Installation using a existing secret
 
-Alternatively when you want to use a existing / pre-created secret (i.e. you have sealed-secrets enabled in your setup), you could refer to an existing secret with the ziti identity to use.
+**Warning:** this approach does not allow the tunneler to autonomously renew its identity certificate, so you must renew the identity certificate out of band and supply it as an existing secret.
 
-This sample shows you how to create the secret:
+Create the secret:
 
 ```console
 kubectl create secret generic k8s-tunneler-identity --from-file=persisted-identity=k8s-tunneler.json
 ```
 
-When you deploy the helm chart refer to the existing secret:
+Deploy the Helm chart, referring to the existing secret:
 
 ```console
 helm install ziti-edge-tunnel openziti/ziti-edge-tunnel --set secret.existingSecretName=k8s-tunneler-identity
 ```
 
-When you don't want to use the default key name `persisted-identity` you can define your own name by adding `--set secret.keyName=myKeyName`.
+If desired, change the key name `persisted-identity` with `--set secret.keyName=myKeyName`.
 
 ### Configure CoreDNS
 

diff --git a/charts/ziti-edge-tunnel/templates/_helpers.tpl b/charts/ziti-edge-tunnel/templates/_helpers.tpl
@@ -51,6 +51,13 @@ app.kubernetes.io/name: {{ include "ziti-edge-tunnel.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Define the mount path for the identity PVC.
+*/}}
+{{- define "ziti-edge-tunnel.identityMountPath" -}}
+/ziti-edge-tunnel
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

diff --git a/charts/ziti-edge-tunnel/templates/daemonset.yaml b/charts/ziti-edge-tunnel/templates/daemonset.yaml
@@ -44,6 +44,14 @@ spec:
           env:
             - name: ZITI_IDENTITY_BASENAME
               value: {{ include "ziti-edge-tunnel.fullname" . }}-identity
+            {{- if .Values.zitiIdentity }}
+            - name: ZITI_IDENTITY_JSON
+              value: {{ .Values.zitiIdentity | quote }}
+            {{- end }}
+            {{- if .Values.zitiEnrollToken }}
+            - name: ZITI_ENROLL_TOKEN
+              value: {{ .Values.zitiEnrollToken }}
+            {{- end }}
             - name: ZITI_LOG
               value: {{ .Values.log.zitiLevel | default 3 | quote }}
             - name: TLSUV_DEBUG
@@ -55,9 +63,11 @@ spec:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - mountPath: /ziti-edge-tunnel
+            - mountPath: {{ include "ziti-edge-tunnel.identityMountPath" . }}
               name: persisted-identity
+              {{- if .Values.secret.existingSecretName }}
               readOnly: true
+              {{- end }}
             {{- if .Values.systemDBus.enabled }}
             - mountPath: {{ .Values.systemDBus.systemDBusSocketMnt }}
               name: system-bus-socket
@@ -85,21 +95,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+        {{- if .Values.secret.existingSecretName }}
         - name: persisted-identity
           secret:
-          {{- if .Values.secret.existingSecretName }}
             secretName: {{ .Values.secret.existingSecretName }}
             defaultMode: 0444
             items:
             - key: {{ .Values.secret.keyName | default "persisted-identity" | quote }}
               path: {{ include "ziti-edge-tunnel.fullname" . }}-identity.json
-          {{- else }}
-            secretName: {{ include "ziti-edge-tunnel.fullname" . }}-identity
-            defaultMode: 0444
-            items:
-            - key: persisted-identity
-              path: {{ include "ziti-edge-tunnel.fullname" . }}-identity.json
-          {{- end }}
+        {{- else }}
+        - name: persisted-identity
+          persistentVolumeClaim:
+            claimName: {{ include "ziti-edge-tunnel.fullname" . }}-identity-pvc
+        {{- end }}
         {{- if .Values.systemDBus.enabled }}
         - name: system-bus-socket
           hostPath:
@@ -124,4 +132,3 @@ spec:
           emptyDir: {}
           {{- end }}
         {{- end }}
-
diff --git a/charts/ziti-edge-tunnel/templates/identity-migrate-job.yaml b/charts/ziti-edge-tunnel/templates/identity-migrate-job.yaml
@@ -0,0 +1,29 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: default
+      containers:
+        - name: migrate-identity
+          image: bitnami/kubectl:latest
+          command: ["/bin/bash", "/scripts/migrate.sh"]
+          volumeMounts:
+            - name: identity-pvc
+              mountPath: {{ include "ziti-edge-tunnel.identityMountPath" . }}
+            - name: migrate-script
+              mountPath: /scripts
+      volumes:
+        - name: identity-pvc
+          persistentVolumeClaim:
+            claimName: {{ include "ziti-edge-tunnel.fullname" . }}-identity-pvc
+        - name: migrate-script
+          configMap:
+            name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+            defaultMode: 0755
diff --git a/charts/ziti-edge-tunnel/templates/identity-migrate-role.yaml b/charts/ziti-edge-tunnel/templates/identity-migrate-role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "delete"]
diff --git a/charts/ziti-edge-tunnel/templates/identity-migrate-rolebinding.yaml b/charts/ziti-edge-tunnel/templates/identity-migrate-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/ziti-edge-tunnel/templates/identity-migrate-script-cm.yaml b/charts/ziti-edge-tunnel/templates/identity-migrate-script-cm.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-migrate
+  labels:
+    app.kubernetes.io/name: {{ include "ziti-edge-tunnel.name" . }}
+    helm.sh/chart: {{ include "ziti-edge-tunnel.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  migrate.sh: |
+    #!/bin/bash
+    set -e
+    SECRET_NAME="{{ include "ziti-edge-tunnel.fullname" . }}-identity"
+    NAMESPACE="{{ .Release.Namespace }}"
+    PVC_MOUNT="{{ include "ziti-edge-tunnel.identityMountPath" . }}"
+    IDENTITY_FILE="${PVC_MOUNT}/{{ include "ziti-edge-tunnel.fullname" . }}-identity.json"
+    if [ -f "$IDENTITY_FILE" ]; then
+      echo "Identity file already exists in PVC, skipping migration."
+      exit 0
+    fi
+    if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" &>/dev/null; then
+      IDENTITY=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o jsonpath='{.data.persisted-identity}' | base64 -d)
+      echo "$IDENTITY" > "$IDENTITY_FILE"
+      kubectl delete secret "$SECRET_NAME" -n "$NAMESPACE"
+      echo "Identity migrated to PVC and secret deleted."
+    else
+      echo "Secret $SECRET_NAME not found, nothing to migrate."
+    fi
diff --git a/charts/ziti-edge-tunnel/templates/identity-pvc.yaml b/charts/ziti-edge-tunnel/templates/identity-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "ziti-edge-tunnel.fullname" . }}-identity-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
diff --git a/charts/ziti-edge-tunnel/templates/secrets.yaml b/charts/ziti-edge-tunnel/templates/secrets.yaml
@@ -1,10 +1,10 @@
 ---
-{{ if not .Values.secret.existingSecretName }}
+{{ if and (.Values.zitiIdentity) (not .Values.secret.existingSecretName) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "ziti-edge-tunnel.fullname" . }}-identity
 type: Opaque
 data:
-  persisted-identity: {{ required "You must set .Values.zitiIdentity to the JSON of a Ziti identity. Try adding --set-file zitiIdentity=/tmp/ziti_id.json to your Helm command" .Values.zitiIdentity | b64enc }}
+  persisted-identity: {{ .Values.zitiIdentity | b64enc }}
 {{ end }}