The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
APACHE-2.0 License
Bot releases are visible (Hide)
Published by github-actions[bot] about 2 months ago
openziti
/native
audiencesPublished by github-actions[bot] about 2 months ago
github.com/openziti/agent: v1.0.16 -> v1.0.17
github.com/openziti/channel/v2: v2.0.136 -> v2.0.143
github.com/openziti/edge-api: v0.26.23 -> v0.26.25
github.com/openziti/foundation/v2: v2.0.47 -> v2.0.48
github.com/openziti/identity: v1.0.81 -> v1.0.84
github.com/openziti/metrics: v1.2.56 -> v1.2.57
github.com/openziti/runzmd: v1.0.49 -> v1.0.50
github.com/openziti/sdk-golang: v0.23.39 -> v0.23.40
github.com/openziti/transport/v2: v2.0.138 -> v2.0.143
github.com/openziti/ziti: v1.1.8 -> v1.1.9
scope
and cliend_id
configuration to ext jwt signersPublished by github-actions[bot] 3 months ago
github.com/openziti/edge-api: v0.26.20 -> v0.26.23
github.com/openziti/sdk-golang: v0.23.38 -> v0.23.39
github.com/openziti/storage: v0.2.47 -> v0.3.0
github.com/openziti/ziti: v1.1.7 -> v1.1.8
/edge/v1/external-jwt-signers
needs to be openPublished by github-actions[bot] 3 months ago
Published by github-actions[bot] 3 months ago
OpenZiti controllers from this release forward will now require a trust domain
to be configured.
High Availability (HA) controllers already have this requirement. HA Controllers configure their trust domain via SPIFFE
ids that are embedded in x509 certificates.
For feature parity, non-HA controllers will now have this same requirement. However, as re-issuing certificates is not
always easily done. To help with the transition, non-HA controllers will have the ability to have their trust domain
sourced from the controller configuration file through the root configuration value trustDomain
. The configuration
field which takes a string that must be URI hostname compatible (see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md).
If this value is not defined, a trust domain will be generated from the root CA certificate of the controller.
For networks that will be deployed after this change, it is highly suggested that a SPIFFE id is added to certificates.
The ziti pki create ...
tooling supports the --spiffe-id
option to help handle this scenario.
The following log messages are examples of warnings produced when a controller is using a generated trust domain:
WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925],
it is recommended that a trust domain is specified in configuration via URI SANs or the 'trustDomain' field
WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925],
it is recommended that if network components have enrolled that the generated trust domain be added to the
configuration field 'additionalTrustDomains'
Non-HA controllers
trustDomain
in the controller configuration file if not foundHA Controllers
When moving between trust domains (i.e. from the default generated to a new named one), the controller supports having
other trust domains. The trust domains do not replace certificate chain validation, which is still checked and enforced.
Additional trust domains are configured in the controller configuration file under the root field
additionalTrustDomains
. This field is an array of hostname safe strings.
The most common use case for this is field is if a network has issued certificates using the generated trust domain and
now wants to transition to a explicitly defined one.
This release can be run in HA mode. The code is still beta, as we're still finding and fixing bugs. Several bugs
have been fixed since Beta 1 and c-based SDKs and tunnelers now work in HA mode. The smoketest can now be run
with HA controllers and clients.
For more information:
github.com/openziti/storage: v0.2.45 -> v0.2.46
github.com/openziti/ziti: v1.1.5 -> v1.1.6
Published by github-actions[bot] 4 months ago
github.com/openziti/channel/v2: v2.0.133 -> v2.0.136
github.com/openziti/identity: v1.0.80 -> v1.0.81
github.com/openziti/transport/v2: v2.0.136 -> v2.0.138
github.com/openziti/xweb/v2: v2.1.0 -> v2.1.1
github.com/openziti/ziti: v1.1.4 -> v1.1.5
Published by github-actions[bot] 4 months ago
This release can be run in HA mode. The code is still beta, as we're still finding and fixing bugs. Several bugs
have been fixed since Alpha 3 and c-based SDKs and tunnelers now work in HA mode. The smoketest can now be run
with HA controllers and clients.
For more information:
github.com/openziti/channel/v2: v2.0.130 -> v2.0.133
github.com/openziti/edge-api: v0.26.19 -> v0.26.20
github.com/openziti/foundation/v2: v2.0.45 -> v2.0.47
github.com/openziti/identity: v1.0.77 -> v1.0.80
github.com/openziti/metrics: v1.2.54 -> v1.2.56
github.com/openziti/runzmd: v1.0.47 -> v1.0.49
github.com/openziti/sdk-golang: v0.23.37 -> v0.23.38
github.com/openziti/secretstream: v0.1.20 -> v0.1.21
github.com/openziti/storage: v0.2.41 -> v0.2.45
github.com/openziti/transport/v2: v2.0.133 -> v2.0.136
github.com/openziti/ziti: v1.1.3 -> v1.1.4
json
for non-interactive, text
for interactive.NOTE: This release is the first since 1.0.0 to be marked promoted from pre-release. Be sure to check the release notes
for the rest of the post-1.0.0 releases to get the full set of changes.
This release introduces a new terminator selection strategy sticky
. On every dial it will return a token to the
dialer, which represents the terminator used in the dial. This token maybe passed in on subsequent dials. If no token
is passed in, the strategy will work the same as the smartrouting
strategy. If a token is passed in, and the
terminator is still valid, the same terminator will be used for the dial. A terminator will be consideder valid if
it still exists and there are no terminators with a higher precedence.
This is currently only supported in the Go SDK.
ziti edge create service test --terminator-strategy sticky
conn := clientContext.Dial("test")
token := conn.Conn.GetStickinessToken()
_ = conn.Close()
dialOptions := &ziti.DialOptions{
ConnectTimeout: time.Second,
StickinessToken: token,
}
conn = clientContext.DialWithOptions("test", dialOptions))
nextToken := conn.Conn.GetStickinessToken()
_ = conn.Close()
github.com/openziti/channel/v2: v2.0.128 -> v2.0.130
github.com/openziti/edge-api: v0.26.18 -> v0.26.19
github.com/openziti/foundation/v2: v2.0.42 -> v2.0.45
github.com/openziti/identity: v1.0.75 -> v1.0.77
github.com/openziti/metrics: v1.2.51 -> v1.2.54
github.com/openziti/runzmd: v1.0.43 -> v1.0.47
github.com/openziti/sdk-golang: v0.23.35 -> v0.23.37
github.com/openziti/secretstream: v0.1.19 -> v0.1.20
github.com/openziti/storage: v0.2.37 -> v0.2.41
github.com/openziti/transport/v2: v2.0.131 -> v2.0.133
github.com/openziti/ziti: v1.1.2 -> v1.1.3
Published by github-actions[bot] 5 months ago
Published by github-actions[bot] 6 months ago
This is a re-release of v1.0.0 to address a bug in the autonomous docker image, which doesn't correct handle changes to the major version.
Published by github-actions[bot] 6 months ago
This release can be run in HA mode. The code is still alpha, as we're still finding and fixing bugs.
For more information:
Thanks to new contributors
github.com/openziti/edge-api: v0.26.17 -> v0.26.18
github.com/openziti/sdk-golang: v0.23.27 -> v0.23.32
github.com/openziti/storage: v0.2.36 -> v0.2.37
github.com/openziti/ziti: v1.1.0 -> v1.1.1
Published by github-actions[bot] 6 months ago
openziti
which provides the ziti
command line tool.
openziti-controller
provides ziti-controller.service
openziti-router
provides ziti-router.service
This release can be run in HA mode. The code is still alpha, so there are still some bugs and missing features,
however basic functionality work with the exceptions noted. See the HA Documementation
for instructions on setting up an HA cluster.
More information can be found on the HA Project Board
github.com/openziti/edge-api: v0.26.16 -> v0.26.17
github.com/openziti/sdk-golang: v0.23.19 -> v0.23.27
github.com/openziti/ziti: v1.0.0 -> v1.1.0
Published by github-actions[bot] 6 months ago
What does marking OpenZiti as 1.0 mean?
We've guaranteed API stability for SDK clients for years and worked hard to ensure that routers
and controllers would be backwards and forward compatible. However, we have had a variety of
management API changes and CLI changes. For post 1.0 releases we expect to make additions to the
APIs and CLI, but won't remove anything until it's been first marked as deprecated and then only
with a major version bump.
Recent releases have seen additional testing using chaos testing techniques. These tests involve
setting up relatively large scale environments, knocking out various components and then verifying
that the network is able to return to a stable state. These test are run for hours to try and
eliminate race conditions and distributed state machine problems.
OpenZiti is also being used as underlying infrastrcture for the zrok public service. Use of this
network has grown quickly and proven that it's possible to build ziti native apps that can scale
up.
Administrators no longer have access to dial/bind all services by default. See below for details.
Admin identities were able to Dial and Bind all services regardless of the effective service policies
prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin
identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with
any addresses in its intercept configuration.
Please create service policies to grant Bind or Dial permissions to Admin identities as needed.
A TLS handhshake rate limiter can be enabled. This is useful in cases where there's a flood of TLS requests and the
controller can't handle them all. It can get into a state where it can't respond to TLS handshakes quickly enough,
so the clients time out. They then retry, adding to the the load. The controller ends up wasting time doing work
that isn't use.
This uses the same rate limiting as the auth rate limiter.
Additionally the server side handshake timeout can now be configured.
Configuration:
tls:
handshakeTimeout: 15s
rateLimiter:
# if disabled, no tls handshake rate limiting with be enforced
enabled: true
# the smallest window size for tls handshakes
minSize: 5
# the largest allowed window size for tls handshakes
maxSize: 5000
# after how long to consider a handshake abandoned if neither success nor failure was reported
timeout: 30s
New metrics:
tls_handshake_limiter.in_process
- number of TLS handshakes in progresstls_handshake_limiter.window_size
- number of TLS handhshakes allowed concurrentlytls_handshake_limiter.work_timer
- timer tracking how long TLS handshakes are takinggithub.com/openziti/channel/v2: v2.0.122 -> v2.0.128
github.com/openziti/edge-api: v0.26.14 -> v0.26.16
github.com/openziti/foundation/v2: v2.0.40 -> v2.0.42
github.com/openziti/identity: v1.0.73 -> v1.0.75
github.com/openziti/metrics: v1.2.48 -> v1.2.51
github.com/openziti/runzmd: v1.0.41 -> v1.0.43
github.com/openziti/sdk-golang: v0.23.15 -> v0.23.19
github.com/openziti/secretstream: v0.1.18 -> v0.1.19
github.com/openziti/storage: v0.2.33 -> v0.2.36
github.com/openziti/transport/v2: v2.0.125 -> v2.0.131
github.com/openziti/ziti: v0.34.2 -> v1.0.0
Published by github-actions[bot] 7 months ago
github.com/openziti/edge-api: v0.26.13 -> v0.26.14
github.com/openziti/sdk-golang: v0.23.14 -> v0.23.15
github.com/openziti/secretstream: v0.1.17 -> v0.1.18
github.com/openziti/ziti: v0.34.1 -> v0.34.2
Published by github-actions[bot] 7 months ago
Published by github-actions[bot] 7 months ago
github.com/openziti/channel/v2: v2.0.119 -> v2.0.122
github.com/openziti/edge-api: v0.26.12 -> v0.26.14
github.com/openziti/foundation/v2: v2.0.37 -> v2.0.40
github.com/openziti/identity: v1.0.70 -> v1.0.73
github.com/openziti/metrics: v1.2.45 -> v1.2.48
github.com/openziti/runzmd: v1.0.38 -> v1.0.41
github.com/openziti/sdk-golang: v0.22.28 -> v0.23.14
github.com/openziti/secretstream: v0.1.16 -> v0.1.17
github.com/openziti/storage: v0.2.30 -> v0.2.33
github.com/openziti/transport/v2: v2.0.122 -> v2.0.125
github.com/openziti/ziti: v0.33.1 -> v0.34.0
Published by github-actions[bot] 7 months ago
Published by github-actions[bot] 7 months ago
This release was focused on creating a chaos test for SDK terminators, running it and fixing any issues found.
The test repeatedly and randomly restarts the controller, routers and tunnelers then verifies that terminators
end up in the correct state.
The following tools were also used/added to aid in diagnosing and fixing issues:
ziti fabric validate router-sdk-terminators
ziti fabric validate terminators
ziti fabric inspect sdk-terminators
ziti fabric inspect router-messaging
ziti edge validate service-hosting
Several changes were made to the terminator code to ensure that terminators are properly created and cleaned up.
The routers now use an adaptive rate limiter to control how fast they send terminator related requests to the
controller. For this to work properly, the rate limiting on the controller must be enabled, so it can report
back to the routers when it's got too much work.
Published by github-actions[bot] 8 months ago
github.com/openziti/channel/v2: v2.0.117 -> v2.0.119
github.com/openziti/foundation/v2: v2.0.36 -> v2.0.37
github.com/openziti/identity: v1.0.69 -> v1.0.70
github.com/openziti/metrics: v1.2.43 -> v1.2.45
github.com/openziti/runzmd: v1.0.37 -> v1.0.38
github.com/openziti/sdk-golang: v0.22.21 -> v0.22.28
github.com/openziti/storage: v0.2.28 -> v0.2.30
github.com/openziti/transport/v2: v2.0.121 -> v2.0.122
github.com/openziti/ziti: v0.32.1 -> v0.32.2