The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
APACHE-2.0 License
Bot releases are visible (Hide)
The router now has a configuration setting to control how long it wait on startup to be able to
connect to a controller, before it gives up and exits.
ctrl:
endpoints:
- tls:localhost:1280
startupTimeout: 5m
github.com/openziti/channel/v2: v2.0.116 -> v2.0.117
github.com/openziti/edge-api: v0.26.8 -> v0.26.10
github.com/openziti/sdk-golang: v0.22.17 -> v0.22.21
github.com/openziti/ziti: v0.32.0 -> v0.32.1
Published by github-actions[bot] 9 months ago
This release includes new response types from the REST authentication APIS. They are now able to return
429
(server too busy) responses to auth requests. As this is an API change, the version number is
being bumped to 0.32.
If controller and router are both v0.32 or later, only the router which dialed a link will report it to the controller.
If the controller is older, newer routers will report links from both the dialing and listening side of the link.
In order to prevent clients from overwhelming the server with auth requests, an auth rate limiter has been introduced.
The rate limiter is adaptive, in that it will react to auth attempts timing out by shrinking the number of allowed
queued auth attempts. The number will slowly recover over time.
Example configuration:
edge:
# This section allows configurating the rate limiter for auth attempts
authRateLimiter:
# if disabled, no auth rate limiting with be enforced
enabled: true
# the smallest window size for auth attempts
minSize: 5
# the largest allowed window size for auth attempts
maxSize: 250
New metrics:
auth.limiter.queued_count
- current number of queued auth attemptsauth.limiter.window_size
- current size at which new auth attempts will be rejectedauth.limiter.work_timer
- tracks the rate at which api sessions are being created and how long it's taking to create themWith long lived link ids, there was potential for link control message to be ambiguous, as the link id wasn't enough to identify
a specific iteration of that link. An iteration field has been added to links so that messaging is unambiguous.
Links will also only be reported from the dialing router now to reduce ambiguouity and race condition in link control channel
messaging.
There is a new router config setting which allows setting the SSL handshake timeout for TLS connections, when using ALPN for listeners.
tls:
handshakeTimeout: 15s
github.com/openziti/channel/v2: v2.0.111 -> v2.0.116
github.com/openziti/edge-api: v0.26.6 -> v0.26.8
github.com/openziti/foundation/v2: v2.0.35 -> v2.0.36
github.com/openziti/identity: v1.0.68 -> v1.0.69
github.com/openziti/metrics: v1.2.41 -> v1.2.43
github.com/openziti/runzmd: v1.0.36 -> v1.0.37
github.com/openziti/sdk-golang: v0.22.0 -> v0.22.17
github.com/openziti/secretstream: v0.1.14 -> v0.1.16
github.com/openziti/storage: v0.2.27 -> v0.2.28
github.com/openziti/transport/v2: v2.0.119 -> v2.0.121
github.com/openziti/ziti: v0.31.4 -> v0.32.0
Published by github-actions[bot] 10 months ago
github.com/openziti/metrics: v1.2.40 -> v1.2.41
github.com/openziti/sdk-golang: v0.21.2 -> v0.22.0
github.com/openziti/storage: v0.2.26 -> v0.2.27
github.com/openziti/ziti: v0.31.3 -> v0.31.4
This release contains a posture check optimization to speed up service list queries. Unfortunately it also broke posture query support for networks with no posture checks.
The 0.31.4 release reverts the optimization. We'll revisit the optimization in a future release.
A max idle time can now be configured on services. The default value of 0 indicates that no maximum will
be enforced. A circuit is considered idle when no traffic is flowing across through the initiating or
terminating router.
ziti edge create service test-service --max-idle-time 5m
Note that the idle time calculation is done on the router, so if max idle time on a service is less
than the configured scan interval on the router, it make take longer than expected for idle circuits
to be removed.
The controller now allows some Raft cluster management operations to be performed via REST.
NOTE: If your cluster is not bootstrapped yet, the REST API won't be available. These will only work on a bootstrapped cluster!
The following operations are now supported:
ziti fabric raft add-member tls:localhost:6363
ziti fabric raft add-member tls:localhost:6464
ziti fabric raft transfer-leadership
ziti fabric raft transfer-leadership ctrl3
ziti fabric raft remove-member ctrl2
ziti fabric raft remove-member ctrl3
github.com/openziti/edge-api: v0.26.1 -> v0.26.6
github.com/openziti/sdk-golang: v0.20.139 -> v0.21.2
github.com/openziti/ziti: v0.31.2 -> v0.31.3
Published by github-actions[bot] 11 months ago
Published by github-actions[bot] 11 months ago
In previous versions of OpenZiti, if many SDK clients were attempting to establish hosting, the controller could get overwhelmed.
In this release, routers will use the rate limiter pool introduced in 0.27.6 when creating terminators on behalf of sdk clients
hosting applications. Additionally, routers now have the ability to verify terminator state with the sdk, if the sdk supports it.
In general, hosting large numbers of services using the sdk should now be less suceptible to thundering herd issues.
There is a new CLI command available to validate terminator state. This is primarily a developer tool to validate that terminator
setup logic is correct. However it may also be used to diagnose and resolve issues with production systems, should the need arise.
ziti fabric validate terminators
Previously listing circuit and links always showed the full list. This is because these types are in memory only and are not stored
in the bbolt datastore. There's now basic support for querying in-memory types and circuits and links can now be filtered/paged/sorted
the same as other entity types.
github.com/openziti/channel/v2: v2.0.105 -> v2.0.111
github.com/openziti/edge-api: v0.26.0 -> v0.26.1
github.com/openziti/foundation/v2: v2.0.33 -> v2.0.35
github.com/openziti/identity: v1.0.66 -> v1.0.68
github.com/openziti/metrics: v1.2.37 -> v1.2.40
github.com/openziti/runzmd: v1.0.33 -> v1.0.36
github.com/openziti/sdk-golang: v0.20.129 -> v0.20.139
github.com/openziti/secretstream: v0.1.13 -> v0.1.14
github.com/openziti/storage: v0.2.23 -> v0.2.26
github.com/openziti/transport/v2: v2.0.113 -> v2.0.119
github.com/openziti/ziti: v0.31.0 -> v0.31.1
Published by github-actions[bot] 12 months ago
To prevent the controller from being overwhelmed by a flood of changes, a rate limiter
can be enabled in the configuration file. A maximum number of queued changes can also
be configured. The rate limited is disabled by default for now. If not specified the
default number of queued changes is 100.
When the rate limit is hit, an error will be returned. If the request came in from
the REST API, the response will use HTTP status code 429 (too many requests).
The OpenAPI specs have been updated, so if you're using a generated client to make
REST calls, it's recommened that you regenerate your client.
commandRateLimiter:
enabled: true
maxQueued: 100
If the rate limiter is enabled, the following metrics will be produced:
command.limiter.queued_count
- guage of the current number of queued operationscommand.limiter.work_timer
- timer for operations. Includes the following:
github.com/openziti/agent: v1.0.15 -> v1.0.16
github.com/openziti/channel/v2: v2.0.101 -> v2.0.105
github.com/openziti/edge-api: v0.25.38 -> v0.26.0
github.com/openziti/identity: v1.0.64 -> v1.0.66
github.com/openziti/metrics: v1.2.36 -> v1.2.37
github.com/openziti/sdk-golang: v0.20.122 -> v0.20.129
github.com/openziti/secretstream: v0.1.12 -> v0.1.13
github.com/openziti/storage: v0.2.20 -> v0.2.23
github.com/openziti/transport/v2: v2.0.109 -> v2.0.113
github.com/openziti/ziti: v0.30.5 -> v0.31.0
getZiti
and performMigration
were only functional on Mac OS, now they are functional for Linux and Mac OSs.ZITI_PWD
. Special characters are now supported for ZITI_PWD
in quickstart functions.Published by github-actions[bot] about 1 year ago
host.v1
and host.v2
configurations may now specify a proxy to use.
Currently only HTTP Connect proxies which don't require authentication are supported.
Example using host.v1
{
"address": "192.168.2.50",
"port": 1234,
"protocol": "tcp",
"proxy": {
"address": "192.168.1.110:3128",
"type": "http"
}
}
github.com/openziti/channel/v2: v2.0.99 -> v2.0.101
github.com/openziti/edge-api: v0.25.37 -> v0.25.38
github.com/openziti/foundation/v2: v2.0.32 -> v2.0.33
github.com/openziti/identity: v1.0.63 -> v1.0.64
github.com/openziti/metrics: v1.2.35 -> v1.2.36
github.com/openziti/runzmd: v1.0.32 -> v1.0.33
github.com/openziti/sdk-golang: v0.20.116 -> v0.20.122
github.com/openziti/storage: v0.2.18 -> v0.2.20
github.com/openziti/transport/v2: v2.0.107 -> v2.0.109
github.com/openziti/ziti: v0.30.4 -> v0.30.5
ziti edge quickstart
didziti edge quickstart
ziti edge quickstart
ziti edge quickstart
](https://github.com/openziti/ziti/issues/1298). You can now download
the ziti
CLI and have a functioning network with just one command. The network it creates is
ephemeral and is intended to be torn down when the process exits. It is intended for quick
evaluation and testing of an overlay network. It supports the following flags:
--already-initialized Specifies the PKI does not need to be created and the db does not need to be initialized. Recommended to be combined with --home. If --home is not specified the environment will be destroyed on shutdown! default: false
--ctrl-address string Sets the advertised address for the control plane and API
--ctrl-port int16 Sets the port to use for the control plane and API
-h, --help help for quickstart
--home string Sets the directory the environment should be installed into. Defaults to a temporary directory. If specified, the environment will not be removed on exit.
-p, --password string Password to use for authenticating to the Ziti Edge Controller. default: admin
--router-address string Sets the advertised address for the integrated router
--router-port int16 Sets the port to use for the integrated router
-u, --username string Username to use when creating the Ziti Edge Controller. default: admin
Example Usage:
ziti edge quickstart \
--ctrl-address potato \
--ctrl-port 12345 \
--router-address avacado \
--router-port 23456 \
--home $HOME/.ziti/pet-ziti \
--already-initialized \
--username someOtherUsername \
--password someOtherPassword
There was a race condition in edge sdk terminator handling, where if sdk noticed a broken connection
before the router did, it would reconnect and rebind while the router still though it had the old
connection and old binding. Because we were using the session token to key terminator state in the
router, the new terminator information would overwrite the old terminator information in the router.
However, in the controller, the information wouldn't get overridden, since we use a UUID to key
things in the controller. When the router noticed the old connection was gone it would try to clean
things up, but since the state had been overwritten, it couldn't and the controller would be left
with an orphaned terminator.
The router now uses a UUID as well so there shouldn't be any more orphaned terminators.
The host.v2 config type was mostly a collection of host.v1 instances. However, there was a one small
difference. The host.v1 type had connectTimeoutSeconds
in listenOptions
, where host.v2
had connectTimeout
, defined as a duration.
To bring them into alignment, both attributes are now supported in both config types.
However, connectTimeout
will take precedence if both are present. connectTimeout
is not yet
supported by all tunnelers. The following still need to be updated:
Once it is supported, we will deprecate connectTimeoutSeconds
with a lengthy deprecation period.
At the end of the deprecation period we will migrate any remaining connectTimeoutSeconds
values
to connectTimeout
.
The code from the fabric and edge repositories has been merged into the ziti repository. Once issues have been migrated, those two projects will be archived.
github.com/openziti/channel/v2: v2.0.95 -> v2.0.99
github.com/openziti/edge: v0.24.404 -> v0.24.420
not before
github.com/openziti/edge-api: v0.25.33 -> v0.25.37
github.com/openziti/fabric: v0.24.23 -> v0.24.36
github.com/openziti/foundation/v2: v2.0.30 -> v2.0.32
github.com/openziti/identity: v1.0.61 -> v1.0.63
github.com/openziti/metrics: v1.2.33 -> v1.2.35
github.com/openziti/runzmd: v1.0.30 -> v1.0.32
github.com/openziti/sdk-golang: v0.20.101 -> v0.20.116
github.com/openziti/secretstream: v0.1.11 -> v0.1.12
github.com/openziti/storage: v0.2.14 -> v0.2.18
github.com/openziti/transport/v2: v2.0.103 -> v2.0.107
github.com/openziti/ziti: v0.30.3 -> v0.30.4
Published by github-actions[bot] about 1 year ago
github.com/openziti/edge: v0.24.401 -> v0.24.404
github.com/openziti/fabric: v0.24.20 -> v0.24.23
github.com/openziti/ziti: v0.30.2 -> v0.30.3
Published by github-actions[bot] about 1 year ago
Prior to this release there were four identity types:
Of these four types, only Router has any functional purpose. Given that, the other three have been merged into
a single Default
identity type. Since Router identities can only be created by the system, it's no longer
necesary to specify the identity type when creating identities.
The identity type may still be provided, but a deprecation warning will be emitted.
Backwards Compatibility
Existing non-Router identities will be migrated to the Default
identity type. If an identity type other
than Default
is provided when creating an identity, it will be coerced to the Default
type. Existing
code may have issues with the new identity type being returned.
Routers may now specify a proxy configuation which will be used when establishing connections to controllers
and data links to other routers. At this point only HTTP Connect Proxies with no authentication required are
supported.
Example router config:
proxy:
type: http
address: localhost:3128
github.com/openziti/channel/v2: v2.0.91 -> v2.0.95
github.com/openziti/edge: v0.24.381 -> v0.24.401
github.com/openziti/edge-api: v0.25.31 -> v0.25.33
github.com/openziti/fabric: v0.24.2 -> v0.24.20
github.com/openziti/foundation/v2: v2.0.29 -> v2.0.30
github.com/openziti/identity: v1.0.60 -> v1.0.61
github.com/openziti/runzmd: v1.0.29 -> v1.0.30
github.com/openziti/sdk-golang: v0.20.90 -> v0.20.101
github.com/openziti/storage: v0.2.12 -> v0.2.14
github.com/openziti/transport/v2: v2.0.99 -> v2.0.103
github.com/openziti/metrics: v1.2.31 -> v1.2.33
github.com/openziti/secretstream: v0.1.10 -> v0.1.11
github.com/openziti/ziti: v0.30.1 -> v0.30.2
lsof
to the list of prerequisites to be checked during quickstartPublished by github-actions[bot] about 1 year ago
Previously, the controller would do its best to determine where links needed to be established.
It would send messages to the routers, telling them which addresses to dial on other routes.
The routers would in turn let the controller know if link establishment was successful or
if the router already had a link to the given endpoint.
With this release, the controller will only let routers know which routers exist, whether they
are currently connected to the controller, and what link listeners they are advertising. The
routers will now decide which links to make and let the controllers know as links are created
and broken.
Both dialers and listeners can now specify a set of groups. If no groups are specified, the
dialer or listener will be placed in the default
group. Dialers will only attempt to dial
listeners who have at least one group in common with them.
Previously when a link failed, the controller would show it in the link list as failed for a time
before removing it. Now failed links are removed immediately. There are existing link events for
link creation and link failure which can be used for forensics.
There is a new link status Duplicate
used when a router receives a link request and determines
that it's a duplicate of an existing link. This happens when two routers both have listeners
and dialers. They will often dial each other at the same time, resulting in a duplicate link.
If you use a 0.30+ controller with older routers, the controller will still do link calculation
and send dial messages, as long as the enableLegacyLinkMgmt
setting is set to true.
If you use a pre 0.30.0 controller with newer routers, the new routers will still accept the
dial messages.
The controller has three new options:
network:
routerMessaging:
queueSize: 100
maxWorkers: 100
enableLegacyLinkMgmt: true
When a router connects or disconnects from the controller, we send two sets of updates.
These messages are sent using a worker pool. The size of the queue feeding the worker pool is controlled with
routerMessaging.queueSize
. The max size of the worker pool is controlled used the routerMessaging.maxWorkers
option.
If you have routers older than 0.30.0, the controller will calculate which links to dial. This can be disabled
by setting enableLegacyLinkMgmt
to false. This setting currently defaults to true, but will default to false
in a future release. In a subsequent release this functionality will be removed all together.
The router has new configuration options for link dialing.
link:
dialers:
- binding: transport
groups:
- public
- vpc1234
healthyDialBackoff:
retryBackoffFactor: 1.5
minRetryInterval: 5s
maxRetryInterval: 5m
unhealthyDialBackoff:
retryBackoffFactor: 10
minRetryInterval: 1m
maxRetryInterval: 1h
listeners:
- binding: transport
groups: vpc1234
Groups
See above for a description of link groups work.
Default value: default
Dial Back-off
Dialers can be configured with custom back-off behavior. Each dialer has a back-off policy for dialing
healthy routers (those that are connected to a controller) and a separate policy for unhealthy routers.
The back-off policies have the following attributes:
Ziti Controller and Routers can operate with a single open port. In order to implement this feature we use
ALPN (Application Layer Protocol Negotiation)
TLS extension. It allows TLS client to request and TLS server to select appropriate application protocol handler during
TLS handshake.
The following protocol identifiers are defined:
id | purpose |
---|---|
ziti-ctrl | Control plane connections |
ziti-link | Fabric link connections |
ziti-edge | Client SDK connection to Edge Routers |
Standard HTTP protocol identifiers (h2
, http/1.1
) are used for Controller REST API and Websocket listeners.
This feature is designed to be backward compatible with SDK clients: older client will still be able to connect without
requesting ziti-edge
protocol.
Breaking
Older routers won't be able to establish control channel or fabric links with updated network.
However, newer Edge Routers should be able to join older network in some circumstances -- only outbound links from new Routers would work.
github.com/openziti/agent: v1.0.14 -> v1.0.15
github.com/openziti/channel/v2: v2.0.84 -> v2.0.91
github.com/openziti/edge: v0.24.364 -> v0.24.381
github.com/openziti/edge-api: v0.25.30 -> v0.25.31
github.com/openziti/fabric: v0.23.45 -> v0.24.2
github.com/openziti/foundation/v2: v2.0.28 -> v2.0.29
github.com/openziti/identity: v1.0.59 -> v1.0.60
github.com/openziti/runzmd: v1.0.28 -> v1.0.29
github.com/openziti/sdk-golang: v0.20.78 -> v0.20.90
github.com/openziti/storage: v0.2.11 -> v0.2.12
github.com/openziti/transport/v2: v2.0.93 -> v2.0.99
github.com/openziti/xweb/v2: v2.0.2 -> v2.1.0
github.com/openziti/ziti-db-explorer: v1.1.1 -> v1.1.3
github.com/openziti/metrics: v1.2.30 -> v1.2.31
github.com/openziti/ziti: v0.29.0 -> v0.30.0
Published by github-actions[bot] over 1 year ago
This release removes the following deprecated binaries from the release archives.
ziti-controller
- replaced by ziti controller
ziti-router
- replaced by ziti router
ziti-tunnel
- replaced by ziti tunnel
The release archives now only contain the ziti
executable. This executable is now at the root of the archive instead of nested under a ziti
directory.
The ziti CLI functions under ziti learn
, namely ziti learn demo
and ziti learn tutorial
have been consolidated under ziti demo
.
The quickstart continues to evolve. A breaking change has occurred as numerous environment variables used to customize the quickstart
have changed again. A summary of changes is below
ZITI_EDGE_ROUTER_
variables have been changed to just ZITI_ROUTER_
.
ZITI_EDGE_ROUTER_NAME
-> ZITI_ROUTER_NAME
ZITI_EDGE_ROUTER_PORT
-> ZITI_ROUTER_PORT
ZITI_EDGE_ROUTER_ADVERTISED_HOST
-> ZITI_ROUTER_ADVERTISED_HOST
ZITI_EDGE_ROUTER_IP_OVERRIDE
-> ZITI_ROUTER_IP_OVERRIDE
ZITI_EDGE_ROUTER_ENROLLMENT_DURATION
-> ZITI_ROUTER_ENROLLMENT_DURATION
ZITI_EDGE_ROUTER_ADVERTISED_HOST
-> ZITI_ROUTER_ADVERTISED_HOST
ZITI_EDGE_ROUTER_LISTENER_BIND_PORT
-> ZITI_ROUTER_LISTENER_BIND_PORT
alt_server_certs
section. Both variablesZITI_PKI_ALT_SERVER_CERT
- "Alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_KEY"ZITI_PKI_ALT_SERVER_KEY
- "Key to use with the alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_CERT"ZITI_ROUTER_CSR_C
- "The country (C) to use for router CSRs"ZITI_ROUTER_CSR_ST
- "The state/province (ST) to use for router CSRs"ZITI_ROUTER_CSR_L
- "The locality (L) to use for router CSRs"ZITI_ROUTER_CSR_O
- "The organization (O) to use for router CSRs"ZITI_ROUTER_CSR_OU
- "The organization unit to use for router CSRs"ZITI_ROUTER_CSR_SANS_DNS
- "The DNS name used in the CSR request"ZITI_CTRL_EDGE_BIND_ADDRESS
allows controlling the IP the edge API usesgithub.com/openziti/channel/v2: v2.0.81 -> v2.0.84
github.com/openziti/edge: v0.24.348 -> v0.24.364
github.com/openziti/edge-api: v0.25.29 -> v0.25.30
github.com/openziti/fabric: v0.23.39 -> v0.23.45
github.com/openziti/foundation/v2: v2.0.26 -> v2.0.28
github.com/openziti/identity: v1.0.57 -> v1.0.59
github.com/openziti/runzmd: v1.0.26 -> v1.0.28
github.com/openziti/sdk-golang: v0.20.67 -> v0.20.78
github.com/openziti/storage: v0.2.8 -> v0.2.11
github.com/openziti/transport/v2: v2.0.91 -> v2.0.93
github.com/openziti/metrics: v1.2.27 -> v1.2.30
github.com/openziti/secretstream: v0.1.9 -> v0.1.10
github.com/openziti/ziti: v0.28.4 -> v0.29.0
Published by github-actions[bot] over 1 year ago
/version
and as the root handler to support previously enrolled GO SDK clientsPublished by github-actions[bot] over 1 year ago
Bug fix
Published by github-actions[bot] over 1 year ago
getZiti()
function, you will need to migrate any existing network that has been developed using OpenZiti v0.27.5 or earlier binaries as the new binaries will expect the new environment variable names. A function performMigration()
has been provided in the ziti-cli-script.sh
for this purpose. Simply source the latest ziti-cli-script.sh
, and your current network's .env file, then run performMigration()
to update environment variable name references. If the migration process cannot find your existing environment file in the default location, you will need to provide the path to the migration function, ex: performMigration <path-to-environment-file>
ZITI_HOME
environment variable to configure where your ziti CLI profiles were stored, you should now use ZITI_CONFIG_DIR
instead.github.com/openziti/channel/v2: v2.0.80 -> v2.0.81
github.com/openziti/edge: v0.24.326 -> v0.24.345
github.com/openziti/edge-api: v0.25.25 -> v0.25.29
github.com/openziti/fabric: v0.23.35 -> v0.23.39
github.com/openziti/foundation/v2: v2.0.25 -> v2.0.26
github.com/openziti/identity: v1.0.56 -> v1.0.57
github.com/openziti/runzmd: v1.0.25 -> v1.0.26
github.com/openziti/sdk-golang: v0.20.58 -> v0.20.67
github.com/openziti/storage: v0.2.7 -> v0.2.8
github.com/openziti/transport/v2: v2.0.90 -> v2.0.91
github.com/openziti/metrics: v1.2.26 -> v1.2.27
github.com/openziti/secretstream: v0.1.8 -> v0.1.9
github.com/openziti/ziti: v0.28.1 -> v0.28.2
.env
file to match documentation.ZITI_EDGE_CONTROLLER_API
Published by github-actions[bot] over 1 year ago
ziti
CLI now trims jwt files specified for login preventing a confusing invalid header field value for "Authorization"-e
flagThe link health check on routers now supports an initial delay configuration.
healthChecks:
linkCheck:
minLinks: 1
interval: 30s
initialDelay: 5s
The health check will also now start with an initial state of unhealthy, unless minLinks
is set to zero.
Finally, link checks now include the addresses associated with the links:
{
"details": [
{
"linkId": "6a72EtnLib5nUvjhVLuHOb",
"destRouterId": "5uUxuQ3u6Q",
"latency": 2732886.5,
"addresses": {
"ack": {
"localAddr": "tcp:127.0.0.1:4023",
"remoteAddr": "tcp:127.0.0.1:33520"
},
"payload": {
"localAddr": "tcp:127.0.0.1:4023",
"remoteAddr": "tcp:127.0.0.1:33504"
}
}
}
],
"healthy": true,
"id": "link.health",
"lastCheckDuration": "53.213µs",
"lastCheckTime": "2023-06-01T18:35:11Z"
}
A new field is available to the AMQP Event Writer. bufferSize
denotes how many messages ziti will hold during AMQP connection outages. Any messages exceeding this limit will be logged and dropped.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.circuits
handler:
type: amqp
format: json
url: "amqp://localhost:5672"
queue: ziti
durable: true //default:true
autoDelete: false //default:false
exclusive: false //default:false
noWait: false //default:false
bufferSize: 50 //default:50
github.com/openziti/agent: v1.0.13 -> v1.0.14
github.com/openziti/channel/v2: v2.0.78 -> v2.0.80
github.com/openziti/edge: v0.24.309 -> v0.24.326
github.com/openziti/edge-api: v0.25.24 -> v0.25.25
github.com/openziti/fabric: v0.23.29 -> v0.23.35
bufferSize
config option to amqp handler. Connection handling now happens in the background with exponential retries.github.com/openziti/foundation/v2: v2.0.24 -> v2.0.25
github.com/openziti/identity: v1.0.54 -> v1.0.56
github.com/openziti/runzmd: v1.0.24 -> v1.0.25
github.com/openziti/sdk-golang: v0.20.51 -> v0.20.58
github.com/openziti/storage: v0.2.6 -> v0.2.7
github.com/openziti/transport/v2: v2.0.88 -> v2.0.90
github.com/openziti/metrics: v1.2.25 -> v1.2.26
github.com/openziti/ziti: v0.28.0 -> v0.28.1
ws
protocol to wss
as ws
is no longer supported.Published by github-actions[bot] over 1 year ago
ziti
to login with certificates or external-jwt-signers-c
flag has been changed to map to --client-cert
--cert
is now --ca
and has no short flag representation-e/--ext-jwt
allows a user to supply a file containing a jwt used with ext-jwt-signers to login-c/--client-cert
allows a certificate to be supplied to login (used with -k/--client-key
)-k/--client-key
allows a key to be supplied to login (used with -c/--client-cert
)intercept.v1
, host.v1
, and host.v2
config types now permit hostnames with underscores.Previously events could only be emitted to a file. They can now also be emitted to an AMQP endpoint.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.circuits
handler:
type: amqp
format: json
url: "amqp://localhost:5672"
queue: ziti
durable: true //default:true
autoDelete: false //default:false
exclusive: false //default:false
noWait: false //default:false
OpenZiti can now be configured to emit entity change events. These events describe the changes when entities stored in the
bbolt database are created, updated or deleted.
Note that events are emitted during the transaction. They are emitted at the end, so it's unlikely, but possible that an event will be emitted for a change which is rolled back. For this reason a following event will emitted when the change is committed. If a system crashes after commit, but before the committed event can be emitted, it will be emitted on the next startup.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: entityChange
include:
- services
- identities
handler:
type: file
format: json
path: /tmp/ziti-events.log
See the related issue for discussion: https://github.com/openziti/fabric/issues/562
Example output:
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "created",
"timestamp": "2023-05-11T21:41:47.128588927-04:00",
"metadata": {
"author": {
"type": "identity",
"id": "ji2Rt8KJ4",
"name": "Default Admin"
},
"source": {
"type": "rest",
"auth": "edge",
"localAddr": "localhost:1280",
"remoteAddr": "127.0.0.1:37578",
"method": "POST"
},
"version": "v0.0.0"
},
"entityType": "services",
"isParentEvent": false,
"initialState": null,
"finalState": {
"id": "6S0bCGWb6yrAutXwSQaLiv",
"createdAt": "2023-05-12T01:41:47.128138887Z",
"updatedAt": "2023-05-12T01:41:47.128138887Z",
"tags": {},
"isSystem": false,
"name": "test",
"terminatorStrategy": "smartrouting",
"roleAttributes": [
"goodbye",
"hello"
],
"configs": null,
"encryptionRequired": true
}
}
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "committed",
"timestamp": "2023-05-11T21:41:47.129235443-04:00"
}
Usage events, version 3, can now be filtered based on type.
The valid types include:
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.usage
version: 3
include:
- ingress.rx
- egress.rx
Circuit events initiated from the edge are now annotated with clientId, hostId and serviceId, to match usage events. The client and host ids are identity ids.
Example output:
{
"namespace": "fabric.circuits",
"version": 2,
"event_type": "created",
"circuit_id": "0CEjWYiw6",
"timestamp": "2023-05-05T11:44:03.242399585-04:00",
"client_id": "clhaq7u7600o4ucgdpxy9i4t1",
"service_id": "QARLLTKjqfLZytmSsIqba",
"terminator_id": "7ddcd421-2b00-4b49-9ac0-8c78fe388c30",
"instance_id": "",
"creation_timespan": 1014280,
"path": {
"nodes": [
"U7OwPtfjg",
"a4rC9DrZ3"
],
"links": [
"7Ru3hoxsssZzUNOyvd8Jcb"
],
"ingress_id": "K9lD",
"egress_id": "rQLK",
"initiator_local_addr": "100.64.0.1:1234",
"initiator_remote_addr": "100.64.0.1:37640",
"terminator_local_addr": "127.0.0.1:45566",
"terminator_remote_addr": "127.0.0.1:1234"
},
"link_count": 1,
"path_cost": 392151,
"tags": {
"clientId": "U7OwPtfjg",
"hostId": "a4rC9DrZ3",
"serviceId": "QARLLTKjqfLZytmSsIqba"
}
}
The edge router tunneler now allows configuring a timeout and check interval for tproxy UDP intercepts. By default intercepted UDP
connections will be closed after five minutes of no traffic, checking every thirty seconds. The configuration is done in the router
config file, in the options for the tunnel module. Note that these configuration options only apply to tproxy intercepts, not to
proxy or host side UDP connections.
Example configuration:
listeners:
- binding: tunnel
options:
mode: tproxy
udpIdleTimeout: 10s
udpCheckInterval: 5s
github.com/openziti/agent: v1.0.10 -> v1.0.13
github.com/openziti/channel/v2: v2.0.58 -> v2.0.78
github.com/openziti/edge: v0.24.239 -> v0.24.309
github.com/openziti/edge-api: v0.25.11 -> v0.25.24
github.com/openziti/fabric: v0.22.87 -> v0.23.29
github.com/openziti/foundation/v2: v2.0.21 -> v2.0.24
github.com/openziti/identity: v1.0.45 -> v1.0.54
github.com/openziti/runzmd: v1.0.20 -> v1.0.24
github.com/openziti/sdk-golang: v0.18.76 -> v0.20.51
github.com/openziti/storage: v0.1.49 -> v0.2.6
github.com/openziti/transport/v2: v2.0.72 -> v2.0.88
github.com/openziti/metrics: v1.2.19 -> v1.2.25
github.com/openziti/secretstream: v0.1.8 (new)
github.com/openziti/ziti: v0.27.9 -> v0.28.0
ziti pki create
creates CA's and intermediates w/ the same DNdocker-compose up
Published by github-actions[bot] over 1 year ago
github.com/openziti/channel/v2: v2.0.53 -> v2.0.58
github.com/openziti/edge: v0.24.228 -> v0.24.239
github.com/openziti/edge-api: v0.25.9 -> v0.25.11
github.com/openziti/fabric: v0.22.77 -> v0.22.87
github.com/openziti/foundation/v2: v2.0.18 -> v2.0.21
github.com/openziti/identity: v1.0.42 -> v1.0.45
github.com/openziti/runzmd: v1.0.18 -> v1.0.20
github.com/openziti/storage: v0.1.46 -> v0.1.49
github.com/openziti/transport/v2: v2.0.68 -> v2.0.72
github.com/openziti/metrics: v1.2.16 -> v1.2.19
github.com/openziti/ziti: v0.27.8 -> v0.27.9