The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
APACHE-2.0 License
Published by github-actions[bot] over 1 year ago
github.com/openziti/edge: v0.24.224 -> v0.24.228
github.com/openziti/fabric: v0.22.76 -> v0.22.77
github.com/openziti/storage: v0.1.45 -> v0.1.46
github.com/openziti/ziti: v0.27.7 -> v0.27.8
Published by github-actions[bot] over 1 year ago
Published by github-actions[bot] over 1 year ago
ziti fabric inspect config
ziti ops db compact <src> <dst>
ziti edge re-enroll edge-router
ziti fabric update router <router-id> --disabled
ziti fabric update router <router-id> --disabled=false
github.com/openziti/agent: v1.0.8 -> v1.0.10
github.com/openziti/channel/v2: v2.0.27 -> v2.0.53
github.com/openziti/edge: v0.24.125 -> v0.24.224
github.com/openziti/edge-api: v0.25.6 -> v0.25.9
github.com/openziti/fabric: v0.22.24 -> v0.22.76
github.com/openziti/foundation/v2: v2.0.10 -> v2.0.18
github.com/openziti/identity: v1.0.30 -> v1.0.42
github.com/openziti/runzmd: v1.0.9 -> v1.0.18
github.com/openziti/sdk-golang: v0.18.28 -> v0.18.76
github.com/openziti/storage: v0.1.34 -> v0.1.45
github.com/openziti/transport/v2: v2.0.51 -> v2.0.68
github.com/openziti/jwks: v1.0.2 -> v1.0.3
github.com/openziti/metrics: v1.2.3 -> v1.2.16
github.com/openziti/ziti: v0.27.5 -> v0.27.6
Published by github-actions[bot] over 1 year ago
* `ziti` CLI fix for use with a globally trusted CA
* `ziti agent stack` was calling `ziti agent stats`
github.com/openziti/edge: v0.24.121 -> v0.24.125
github.com/openziti/fabric: v0.22.20 -> v0.22.24
github.com/openziti/sdk-golang: v0.18.27 -> v0.18.28
github.com/openziti/storage: v0.1.33 -> v0.1.34
github.com/openziti/ziti: v0.27.4 -> v0.27.5
Published by github-actions[bot] over 1 year ago
This release contains a fix for a controller deadlock
github.com/openziti/channel/v2: v2.0.26 -> v2.0.27
github.com/openziti/edge: v0.24.115 -> v0.24.121
github.com/openziti/fabric: v0.22.19 -> v0.22.20
github.com/openziti/sdk-golang: v0.18.26 -> v0.18.27
github.com/openziti/transport/v2: v2.0.50 -> v2.0.51
github.com/openziti/ziti: v0.27.3 -> v0.27.4
Published by github-actions[bot] over 1 year ago
Docker images for ziti CLI
New Raft interaction commands:
* raft-leave: allows removal of controllers from the raft cluster
* raft-list: lists all connected controllers and their version/connected status
* fabric raft list-members: same info as the agent command, but over REST
github.com/openziti/agent: v1.0.7 -> v1.0.8
github.com/openziti/channel/v2: v2.0.25 -> v2.0.26
github.com/openziti/edge: v0.24.95 -> v0.24.115
github.com/openziti/edge-api: v0.25.6 (new)
github.com/openziti/fabric: v0.22.7 -> v0.22.19
github.com/openziti/identity: v1.0.29 -> v1.0.30
github.com/openziti/runzmd: v1.0.7 -> v1.0.9
github.com/openziti/sdk-golang: v0.18.21 -> v0.18.26
github.com/openziti/storage: v0.1.31 -> v0.1.33
github.com/openziti/transport/v2: v2.0.49 -> v2.0.50
github.com/openziti/ziti: v0.27.2 -> v0.27.3
Published by github-actions[bot] almost 2 years ago
github.com/openziti/channel/v2: v2.0.24 -> v2.0.25
github.com/openziti/edge: v0.24.86 -> v0.24.95
github.com/openziti/fabric: v0.22.1 -> v0.22.7
github.com/openziti/foundation/v2: v2.0.9 -> v2.0.10
github.com/openziti/identity: v1.0.28 -> v1.0.29
github.com/openziti/sdk-golang: v0.18.19 -> v0.18.21
github.com/openziti/storage: v0.1.30 -> v0.1.31
github.com/openziti/transport/v2: v2.0.48 -> v2.0.49
github.com/openziti/metrics: v1.2.2 -> v1.2.3
github.com/openziti/ziti: v0.27.1 -> v0.27.2
Published by github-actions[bot] almost 2 years ago
ziti fabric stream events
xgress_edge_tunnel.terminator.create_timer
github.com/openziti/edge: v0.24.75 -> v0.24.86
github.com/openziti/fabric: v0.21.36 -> v0.22.1
github.com/openziti/ziti: v0.27.0 -> v0.27.1
Published by github-actions[bot] almost 2 years ago
* `ziti controller` and `ziti router` commands (replacing `ziti-controller` and `ziti-router`, which are deprecated and will be removed in a future release)
* `ziti tunnel` command: `ziti-tunnel` is deprecated and will be removed in a future release; `ziti-edge-tunnel` is the preferred tunnelling application
* `ziti edge enroll` now has a verbose option for additional debugging
* `ziti edge` CLI now supports create/delete transit-router. This allows transit/fabric routers to be provisioned using an enrollment process, rather than requiring certs to be created externally. Note that this requires that the fabric router config file has a `csr` section.
github.com/openziti/agent: v1.0.5 -> v1.0.7
github.com/openziti/channel/v2: v2.0.12 -> v2.0.24
github.com/openziti/edge: v0.24.36 -> v0.24.75
github.com/openziti/fabric: v0.21.17 -> v0.21.36
github.com/openziti/foundation/v2: v2.0.7 -> v2.0.9
github.com/openziti/identity: v1.0.20 -> v1.0.28
github.com/openziti/runzmd: v1.0.3 -> v1.0.7
github.com/openziti/sdk-golang: v0.16.146 -> v0.18.19
github.com/openziti/storage: v0.1.26 -> v0.1.30
github.com/openziti/transport/v2: v2.0.38 -> v2.0.48
github.com/openziti/metrics: v1.1.5 -> v1.2.2
github.com/openziti/ziti: v0.26.11 -> v0.26.12
Published by github-actions[bot] almost 2 years ago
This is mainly a bugfix release.
Ziti CLI `ziti create config router edge` now has two new flags: `--tunnelerMode` and `--lanInterface`.
The `--tunnelerMode` flag enables tunneling and sets the tunneler mode. Currently, there are `none`, `host` and `tproxy` modes. The default tunneler mode is `host` mode; choosing `none` will disable tunnel capabilities for the router.
Examples:
ziti create config router edge --routerName myRouter --tunnelerMode tproxy
ziti create config router edge --routerName myRouter --tunnelerMode none
If using the `tproxy` tunneler mode, there is an optional `lanIf` section in the config to identify an interface to use.
Example:
ziti create config router edge --routerName myRouter --tunnelerMode tproxy --lanInterface tun0
github.com/openziti/agent: v1.0.4 -> v1.0.5
github.com/openziti/channel/v2: v2.0.9 -> v2.0.12
github.com/openziti/edge: v0.24.12 -> v0.24.36
github.com/openziti/fabric: v0.21.9 -> v0.21.17
github.com/openziti/foundation/v2: v2.0.6 -> v2.0.7
github.com/openziti/identity: v1.0.18 -> v1.0.20
github.com/openziti/runzmd: v1.0.3 (new)
github.com/openziti/sdk-golang: v0.16.135 -> v0.16.146
github.com/openziti/storage: v0.1.25 -> v0.1.26
github.com/openziti/transport/v2: v2.0.36 -> v2.0.38
github.com/openziti/metrics: v1.1.4 -> v1.1.5
github.com/openziti/ziti: v0.26.10 -> v0.26.11
Published by github-actions[bot] about 2 years ago
This release has a single fix for a panic in edge routers with embedded tunnelers hosting services.
The only other changes are build updates.
github.com/openziti/agent: v1.0.3 -> v1.0.4
github.com/openziti/channel/v2: v2.0.5 -> v2.0.9
github.com/openziti/edge: v0.24.7 -> v0.24.12
github.com/openziti/fabric: v0.21.3 -> v0.21.9
github.com/openziti/foundation/v2: v2.0.5 -> v2.0.6
github.com/openziti/identity: v1.0.16 -> v1.0.18
github.com/openziti/sdk-golang: v0.16.129 -> v0.16.135
github.com/openziti/storage: v0.1.23 -> v0.1.25
github.com/openziti/transport/v2: v2.0.33 -> v2.0.36
github.com/openziti/metrics: v1.1.2 -> v1.1.4
github.com/openziti/ziti: v0.26.9 -> v0.26.10
Published by github-actions[bot] about 2 years ago
Setting the environment variable ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION
to some value in minutes will override the default identity enrollment duration configuration
when creating new controller configurations. If left unset, the default value is used. Using this method applies to controller config generation through the CLI as
well as quickstart deployments.
Example:
# Set identity enrollment to 60 minutes, controller configs created afterward will use this value
export ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=60
An additional argument --identityEnrollmentDuration
has been added to the CLI controller config generation. If the argument is provided, the value of the argument will take
precedence, followed by the value of the environment variable (noted above), and if neither are used, the default value is used. Note that the argument takes a time unit
(m for minutes, h for hour, etc.)
Example:
# Create a controller config with an identity enrollment duration of 60 minutes
ziti create config controller --identityEnrollmentDuration 60m
# OR
ziti create config controller --identityEnrollmentDuration 1h
Setting the environment variable ZITI_EDGE_ROUTER_ENROLLMENT_DURATION
to some value in minutes will override the default router enrollment duration configuration
when creating new controller configurations. If left unset, the default value is used. Using this method applies to controller config generation through the CLI as
well as quickstart deployments.
Example:
# Set router enrollment to 60 minutes, controller configs created afterward will use this value
export ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=60
An additional argument --routerEnrollmentDuration
has been added to the CLI controller config generation. If the argument is provided, the value of the argument will take
precedence, followed by the value of the environment variable (noted above), and if neither are used, the default value is used. Note that the argument takes a time unit
(m for minutes, h for hour, etc.)
Example:
# Create a controller config with a router enrollment duration of 60 minutes
ziti create config controller --routerEnrollmentDuration 60m
# OR
ziti create config controller --routerEnrollmentDuration 1h
github.com/openziti/channel/v2: v1.0.3 -> v2.0.4
github.com/openziti/edge: v0.23.0 -> v0.24.3
github.com/openziti/fabric: v0.20.0 -> v0.21.2
github.com/openziti/foundation/v2: v2.0.4 -> v2.0.5
github.com/openziti/identity: v1.0.12 -> v1.0.16
github.com/openziti/sdk-golang: v0.16.121 -> v0.16.128
github.com/openziti/storage: v0.1.21 -> v0.1.23
github.com/openziti/transport/v2: v2.0.29 -> v2.0.33
github.com/openziti/jwks: v1.0.1 -> v1.0.2
github.com/openziti/metrics: v1.1.0 -> v1.1.2
github.com/openziti/x509-claims: v1.0.2 -> v1.0.3
github.com/openziti/ziti: 0.26.8 -> 0.26.9
Published by github-actions[bot] about 2 years ago
`ziti edge create|update ca` now supports `externalIdClaim`
Model entities can now be filtered by tags. This works via the fabric and edge REST APIs and can be used from the `ziti` CLI.
Example:
$ ziti edge update service demo --tags location=PA
$ ziti edge update service echo --tags location=NY
$ ziti edge ls services 'limit 4'
╭────────────────────────┬──────────────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────────────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY │ demo │ true │ smartrouting │ │
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
│ EjaiJkYuMY │ project.mgmt │ true │ smartrouting │ │
│ F0JVJkY40Y │ mattermost │ true │ smartrouting │ │
╰────────────────────────┴──────────────┴────────────┴─────────────────────┴────────────╯
results: 1-4 of 13
$ ziti edge ls services 'tags.location != null'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY │ demo │ true │ smartrouting │ │
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-2 of 2
$ ziti edge ls services 'tags.location = "NY"'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
There is a new version of usage events available. The existing v2 events can still be used. The version is selected in the events configuration.
Here is a config showing how to get both sets of events:
```yaml
events:
  jsonLogger:
    subscriptions:
      - type: fabric.usage
        version: 2
      - type: fabric.usage
        version: 3
```
If no version is provided for usage, v2 events will still be output by default.
V3 events consolidate multiple usage metrics together to minimize the number of events.
Example:
```json
{
  "namespace": "fabric.usage",
  "version": 3,
  "source_id": "cjc.1kYu0",
  "circuit_id": "CwbENl.lW",
  "usage": {
    "egress.rx": 47,
    "egress.tx": 47
  },
  "interval_start_utc": 1663342500,
  "interval_length": 60,
  "tags": {
    "clientId": "XtYOStBYgd",
    "hostId": "f3ltEI8Iok",
    "serviceId": "fclVFecdgakAoHyBvtIGy"
  }
}
```
Ingress and egress usage for a given circuit will be consolidated into a single event per router. Fabric usage will also be consolidated into a single, separate event.
Usage events for ingress and egress usage will be annotated with edge information for both v2 and v3. In the example above the event has tags for `clientId`, `hostId` and `serviceId`.
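As an added example that is not part of these release notes or the OpenZiti code base, the following Go program consumes newline-delimited v3 usage events of the shape shown above and attributes rx/tx bytes to the `serviceId`, `clientId` and `hostId` tags, counting and skipping v2 and non-usage events rather than silently mixing them in. The event lines and all router, circuit and entity ids in it are constructed test data.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// UsageV3 is the subset of a fabric.usage version 3 event used here;
// field names follow the event shown in the release notes.
type UsageV3 struct {
	Namespace     string            `json:"namespace"`
	Version       int               `json:"version"`
	SourceID      string            `json:"source_id"`
	CircuitID     string            `json:"circuit_id"`
	Usage         map[string]int64  `json:"usage"`
	IntervalStart int64             `json:"interval_start_utc"`
	IntervalLen   int64             `json:"interval_length"`
	Tags          map[string]string `json:"tags"`
}

// Key identifies the entities a usage event is attributed to.
type Key struct {
	ServiceID, ClientID, HostID string
}

// Totals holds bytes attributed to one (service, client, host) triple.
type Totals struct {
	Rx, Tx int64
}

// Attribute reads newline-delimited JSON events, keeps only fabric.usage v3,
// and sums the *.rx and *.tx counters per (service, client, host).
// Everything else (v2 events, other namespaces, malformed lines) is counted
// in skipped so that a mixed log does not distort the totals unnoticed.
func Attribute(log string) (map[Key]Totals, int) {
	totals := map[Key]Totals{}
	skipped := 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev UsageV3
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.Namespace != "fabric.usage" || ev.Version != 3 {
			skipped++
			continue
		}
		k := Key{ServiceID: ev.Tags["serviceId"], ClientID: ev.Tags["clientId"], HostID: ev.Tags["hostId"]}
		t := totals[k]
		for name, n := range ev.Usage {
			// counters are named <side>.<direction>, e.g. egress.rx or ingress.tx
			switch {
			case strings.HasSuffix(name, ".rx"):
				t.Rx += n
			case strings.HasSuffix(name, ".tx"):
				t.Tx += n
			}
		}
		totals[k] = t
	}
	return totals, skipped
}

// SampleLog is constructed test data in the v3 shape; every id is made up.
// The last two lines are a v2 usage event and a circuit event, which must be skipped.
const SampleLog = `
{"namespace":"fabric.usage","version":3,"source_id":"rtr-a","circuit_id":"c1","usage":{"egress.rx":47,"egress.tx":47},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"cli1","hostId":"host1","serviceId":"svc1"}}
{"namespace":"fabric.usage","version":3,"source_id":"rtr-b","circuit_id":"c1","usage":{"ingress.rx":100,"ingress.tx":20},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"cli1","hostId":"host1","serviceId":"svc1"}}
{"namespace":"fabric.usage","version":3,"source_id":"rtr-a","circuit_id":"c2","usage":{"egress.rx":5,"egress.tx":9},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"cli2","hostId":"","serviceId":"svc1"}}
{"namespace":"fabric.usage","version":2,"source_id":"rtr-a","circuit_id":"c3","usage":{"egress.rx":999}}
{"namespace":"fabric.circuits","version":2,"event_type":"created","circuit_id":"c4"}
`

func main() {
	totals, skipped := Attribute(SampleLog)
	for k, t := range totals {
		fmt.Printf("service=%s client=%s host=%q rx=%d tx=%d\n", k.ServiceID, k.ClientID, k.HostID, t.Rx, t.Tx)
	}
	fmt.Println("skipped events:", skipped)
}
```

Because v3 emits one event per router per circuit, the same circuit shows up once from the ingress router and once from the egress router; summing by the tag triple rather than by `circuit_id` or `source_id` is what gives a per-identity view.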
* `clientId` - the id of the edge identity using the service
* `hostId` - the id of the edge identity hosting the service (will be blank if not applicable, such as for router hosted services)
* `serviceId` - the id of the service being used
Fixed: externalIdClaim Does Not Work
`ziti edge create|update ca` now supports `externalIdClaim`. Identities now have a field named `externalId`
that can be used with 3rd Party CAs in addition to the existing
External JWT Signer support. 3rd Party CAs now support the following optional fields:
* `externalIdClaim.index` - if multiple externalId claims are located, the index will be used to select one, default 0
* `externalIdClaim.location` - extracts values from one of the following locations on an x509 certificate: `SAN_URI`, `SAN_EMAIL`, `COMMON_NAME`
* `externalIdClaim.matcher` - matches values in one of the following ways: `PREFIX`, `SUFFIX`, `SCHEME` in conjunction with `matcherCriteria`, or select all values via `ALL`
* `externalIdClaim.matcherCriteria` - `matcher` values of `PREFIX`, `SUFFIX`, and `SCHEME` will use `matcherCriteria` as the matching value
* `externalIdClaim.parser` - supports parsing values from all matched externalIds via `SPLIT` or `NONE`
* `externalIdClaim.parserCriteria` - for a `parser` value of `SPLIT`, `parserCriteria` will be used to split values
When defined, the `externalIdClaim` configuration will be used to locate any externalIds present in the client-supplied x509 certificate. If an externalId is located, it will be used to associate the authentication request with an identity. If a matching identity is found, authentication is considered successful; if not, the authentication request fails. If the client certificate does not contain an externalId, then identities will be searched for that have a certificate authenticator matching the supplied client certificate. Should that fail, the authentication request fails.
This functionality can be used to support SPIFFE provisioned identities. For any specific SPIFFE ID, assign it to an identity's `externalId` and then use the following `externalIdClaim` configuration.
```json
{
  ...
  "externalIdClaim": {
    "location": "SAN_URI",
    "index": 0,
    "matcher": "SCHEME",
    "matcherCriteria": "spiffe",
    "parser": "NONE",
    "parserCriteria": ""
  }
}
```
ziti edge create ca myCa ca.pem -l SAN_URI -m SCHEME -x spiffe -p "NONE"
ziti edge update ca myCa -l SAN_URI -m SCHEME -x spiffe -p "NONE"
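The selection rules above, as an added illustrative re-implementation in Go (example code, not the controller's own): it applies location, matcher, parser and index to a client certificate and returns the externalId to look up, or reports that none was found so the certificate-authenticator fallback described above would apply. The self-signed certificate, the SPIFFE ID, the e-mail SAN and the colon-separated common-name format are all constructed for the example; nothing here validates the certificate chain, which the controller must do against the third-party CA before trusting any value extracted from it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ExternalIdClaim mirrors the optional CA fields listed above.
type ExternalIdClaim struct {
	Location        string // SAN_URI, SAN_EMAIL or COMMON_NAME
	Index           int    // which of the resulting values to use, default 0
	Matcher         string // PREFIX, SUFFIX, SCHEME or ALL
	MatcherCriteria string // value used by PREFIX, SUFFIX and SCHEME
	Parser          string // NONE or SPLIT
	ParserCriteria  string // separator used by SPLIT
}

// candidates pulls the raw values out of the configured certificate location.
func candidates(cert *x509.Certificate, location string) []string {
	switch location {
	case "SAN_URI":
		out := make([]string, 0, len(cert.URIs))
		for _, u := range cert.URIs {
			out = append(out, u.String())
		}
		return out
	case "SAN_EMAIL":
		return cert.EmailAddresses
	case "COMMON_NAME":
		return []string{cert.Subject.CommonName}
	}
	return nil
}

// matches applies the matcher; SCHEME compares the URI scheme, not a prefix,
// so "spiffe" does not match "spiffex://...".
func matches(value string, c ExternalIdClaim) bool {
	switch c.Matcher {
	case "ALL":
		return true
	case "PREFIX":
		return strings.HasPrefix(value, c.MatcherCriteria)
	case "SUFFIX":
		return strings.HasSuffix(value, c.MatcherCriteria)
	case "SCHEME":
		u, err := url.Parse(value)
		return err == nil && u.Scheme == c.MatcherCriteria
	}
	return false
}

// ExtractExternalId applies location -> matcher -> parser -> index. ok is false
// when the certificate yields no value at that index, i.e. the case where the
// controller falls back to certificate authenticators.
func ExtractExternalId(cert *x509.Certificate, c ExternalIdClaim) (string, bool) {
	var values []string
	for _, v := range candidates(cert, c.Location) {
		if !matches(v, c) {
			continue
		}
		if c.Parser == "SPLIT" && c.ParserCriteria != "" {
			values = append(values, strings.Split(v, c.ParserCriteria)...)
		} else {
			values = append(values, v)
		}
	}
	if c.Index < 0 || c.Index >= len(values) {
		return "", false
	}
	return values[c.Index], true
}

// NewTestCert builds a self-signed certificate carrying the given SANs.
// Constructed test data only; a real client presents a CA-issued certificate.
func NewTestCert(cn string, uris, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var parsed []*url.URL
	for _, s := range uris {
		u, perr := url.Parse(s)
		if perr != nil {
			return nil, perr
		}
		parsed = append(parsed, u)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(time.Hour),
		URIs:           parsed,
		EmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Hypothetical SPIFFE ID; the https URI shows SCHEME filtering ignoring other SAN URIs.
	cert, err := NewTestCert("workload-1", []string{"https://example.invalid/x", "spiffe://example.org/ns/prod/sa/api"}, nil)
	if err != nil {
		panic(err)
	}
	claim := ExternalIdClaim{Location: "SAN_URI", Index: 0, Matcher: "SCHEME", MatcherCriteria: "spiffe", Parser: "NONE"}
	fmt.Println(ExtractExternalId(cert, claim))
}
```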
The output for listing CAs in non-JSON format has been improved.
Example:
╭────────────────────────┬─────────┬────────┬────────────┬─────────────┬─────────────────────────────────────────────────────────────────╮
│ ID │ NAME │ FLAGS │ TOKEN │ FINGERPRINT │ CONFIGURATION │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┬──────────────────────┬────────────────────────┤
│ 1tu6CbXT18Dd9rybjCW5eX │ 2 │ [AOE] │ KaPxRiKbk │ - │ AutoCA │ Identity Name Format │ [caName]-[commonName] │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Identity Roles │ a,b,c │
│ │ │ │ │ ├─────────────────┼──────────────────────┼────────────────────────┤
│ │ │ │ │ │ ExternalIdClaim │ Index │ 2 │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Location │ SAN_URI │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Matcher │ ALL │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Matcher Criteria │ │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Parser │ NONE │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Parser Criteria │ │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┼──────────────────────┼────────────────────────┤
│ 7AGp9vUttJHKA1JWujNtpR │ test-ca │ [VAOE] │ - │ 315e...ba │ AutoCA │ Identity Name Format │ [caName]-[commonName] │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Identity Roles │ three, two,one │
╰────────────────────────┴─────────┴────────┴────────────┴─────────────┴─────────────────┴──────────────────────┴────────────────────────╯
github.com/openziti/channel: v1.0.2 -> v1.0.3
github.com/openziti/edge: v0.22.91 -> v0.23.0
github.com/openziti/fabric: v0.19.67 -> v0.20.0
github.com/openziti/identity: v1.0.11 -> v1.0.12
github.com/openziti/metrics: v1.0.7 -> v1.1.0
github.com/openziti/sdk-golang: v0.16.119 -> v0.16.121
github.com/openziti/storage: v0.1.20 -> v0.1.21
github.com/openziti/transport/v2: v2.0.28 -> v2.0.29
github.com/openziti/ziti: 0.26.7 -> 0.26.8
Published by github-actions[bot] about 2 years ago
The only change in this release is updating from Golang 1.18 to 1.19
Published by github-actions[bot] about 2 years ago
Previously, if a router had multiple links and one of them was slow or blocked, it could prevent other traffic from moving. Now, if a link is unable to keep up with incoming traffic, payloads will be dropped. The end-to-end flow control and retransmission logic will handle re-sending the dropped payloads.
Links have a 64-message queue for incoming messages. Up to 64 messages are taken off the queue, sorted in priority order and then sent. Once the sorted list of messages has been sent, the next set of messages is dequeued, sorted and sent. If the queue fills while the current set of sorted messages is being sent, messages will now be dropped instead of waiting for queue space to open up.
There is now a new per-link `link.dropped_msgs` metric to track how often links are dropping messages.
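An added model of the queueing behaviour described above (example code, not the fabric's link implementation): a 64-slot queue whose producer never blocks, a batch drain that sorts by priority before sending, and a dropped counter standing in for `link.dropped_msgs`. Message ids and priorities are constructed; the fabric's real priority scheme is not reproduced here.

```go
package main

import (
	"fmt"
	"sort"
	"sync/atomic"
)

// Message is a queued payload with a scheduling priority; higher sends first.
type Message struct {
	ID       int
	Priority int
}

// LinkQueueSize is the per-link inbound capacity described above.
const LinkQueueSize = 64

// LinkQueue models a fixed-capacity inbound queue with drop-on-full semantics.
type LinkQueue struct {
	queue   chan Message
	dropped int64 // what the link.dropped_msgs metric would report
}

func NewLinkQueue() *LinkQueue {
	return &LinkQueue{queue: make(chan Message, LinkQueueSize)}
}

// Enqueue never blocks the producer. When the queue is full the message is
// dropped and counted; end-to-end retransmission is expected to resend it,
// so one slow link no longer stalls traffic destined for other links.
func (q *LinkQueue) Enqueue(m Message) bool {
	select {
	case q.queue <- m:
		return true
	default:
		atomic.AddInt64(&q.dropped, 1)
		return false
	}
}

// Dropped returns the number of messages discarded so far.
func (q *LinkQueue) Dropped() int64 { return atomic.LoadInt64(&q.dropped) }

// DrainBatch takes whatever is queued, up to LinkQueueSize messages, without
// waiting, and returns them highest priority first (FIFO within a priority).
func (q *LinkQueue) DrainBatch() []Message {
	batch := make([]Message, 0, LinkQueueSize)
fill:
	for len(batch) < LinkQueueSize {
		select {
		case m := <-q.queue:
			batch = append(batch, m)
		default:
			break fill // queue empty: send what we have
		}
	}
	sort.SliceStable(batch, func(i, j int) bool { return batch[i].Priority > batch[j].Priority })
	return batch
}

func main() {
	q := NewLinkQueue()
	// A burst larger than the queue: the last six are dropped rather than stalling the sender.
	for i := 0; i < 70; i++ {
		q.Enqueue(Message{ID: i, Priority: i % 3})
	}
	batch := q.DrainBatch()
	fmt.Printf("sent %d, dropped %d, first sent id=%d priority=%d\n",
		len(batch), q.Dropped(), batch[0].ID, batch[0].Priority)
}
```

The operational consequence is that `link.dropped_msgs` climbing on one link is a capacity or peer-health signal for that link only; the retransmissions it causes show up as end-to-end latency on the circuits riding it, not as blocked traffic elsewhere on the router.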
When available, the remote address of the terminating side of a circuit is now available in the circuit event.
Example:
{
"namespace": "fabric.circuits",
"version": 2,
"event_type": "created",
"circuit_id": "kh7myU.bX",
"timestamp": "2022-09-12T19:08:20.461576428-04:00",
"client_id": "cl7zdm0d0000fbygdlzh268uq",
"service_id": "6SIomYCjH5Jio52szEtX7W",
"terminator_id": "7IIb1nU5yTfJVbaD8Tjuf3",
"instance_id": "",
"creation_timespan": 949916,
"path": {
"nodes": [
"B3V.1kN40Y"
],
"links": null,
"ingress_id": "26D7",
"egress_id": "wjo7",
"terminator_local_addr": "127.0.0.1:44822",
"terminator_remote_addr": "127.0.0.1:1234"
},
"link_count": 0,
"path_cost": 262140
}
* aarch64
* Identity is a low-level library within Ziti and affects all Ziti components. `alt_server_certs` were not always loaded and used for presenting TLS configurations
github.com/openziti/agent: v1.0.1 -> v1.0.3
github.com/openziti/channel: v0.18.58 -> v1.0.2
github.com/openziti/edge: v0.22.54 -> v0.22.91
github.com/openziti/fabric: v0.19.34 -> v0.19.67
github.com/openziti/foundation/v2: v2.0.2 -> v2.0.4
github.com/openziti/identity: v1.0.5 -> v1.0.11
github.com/openziti/metrics: v1.0.3 -> v1.0.7
github.com/openziti/sdk-golang: v0.16.104 -> v0.16.119
github.com/openziti/storage: v0.1.16 -> v0.1.20
github.com/openziti/transport/v2: v2.0.20 -> v2.0.28
github.com/openziti/ziti: 0.26.5 -> 0.26.6
7f698a9 (Update deps and changelog)
Published by github-actions[bot] about 2 years ago
This build has no functional changes, but does have changes to the build workflow, because GitHub is deprecating certain action runners. See
https://github.blog/changelog/2022-08-09-github-actions-the-ubuntu-18-04-actions-runner-image-is-being-deprecated-and-will-be-removed-by-12-1-22/
and
https://github.blog/changelog/2022-07-20-github-actions-the-macos-10-15-actions-runner-image-is-being-deprecated-and-will-be-removed-by-8-30-22/
for details.
This changes the oldest supported operating system versions for ziti-controller and ziti-router to those listed above, due to dependencies on system shared libraries that may not be available on older operating system versions.
If this change negatively impacts you, please let us know on Discourse.
Published by github-actions[bot] about 2 years ago
`ziti fabric inspect` can now emit results to individual files using the `-f` flag
Published by github-actions[bot] over 2 years ago
Link events can now be configured in the controller events configuration.
```yaml
events:
  jsonLogger:
    subscriptions:
      - type: fabric.links
    handler:
      type: file
      format: json
      path: /var/log/ziti-events.log
```
The following link event types are emitted:
* dialed: generated when the controller sends a link dial message to a router
* connected: generated when a router sends a link connected message to the controller
* fault: generated when a router sends a link fault to the controller
* routerLinkNew: generated when a router sends a router link message to the controller and the link is new to the controller
* routerLinkKnown: generated when a router sends a router link message to the controller and the link is known
* routerLinkDisconnectedDest: generated when a router sends a router link message to the controller and the router on the other side of the link is not currently connected
```json
{
  "namespace": "fabric.links",
  "event_type": "dialed",
  "timestamp": "2022-07-15T18:10:19.752766075-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1
}
```
```json
{
  "namespace": "fabric.links",
  "event_type": "connected",
  "timestamp": "2022-07-15T18:10:19.973626185-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1,
  "connections": [
    {
      "id": "ack",
      "local_addr": "tcp:127.0.0.1:49138",
      "remote_addr": "tcp:127.0.0.1:4024"
    },
    {
      "id": "payload",
      "local_addr": "tcp:127.0.0.1:49136",
      "remote_addr": "tcp:127.0.0.1:4024"
    }
  ]
}
```
```json
{
  "namespace": "fabric.links",
  "event_type": "fault",
  "timestamp": "2022-07-15T18:10:19.973867809-04:00",
  "link_id": "6slUYCqOB85YTfdiD8I5pl",
  "src_router_id": "YPpTEd8JP",
  "dst_router_id": "niY.XmLArx",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4023",
  "cost": 1
}
```
#### Router Link Known Example
```json
{
  "namespace": "fabric.links",
  "event_type": "routerLinkKnown",
  "timestamp": "2022-07-15T18:10:19.974177638-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1
}
```
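As an added example that is not part of the release notes or the OpenZiti project, a Go detector that reads `fabric.links` events of the shape shown above from a JSON-lines log and flags a router pair whose link keeps faulting inside a time window. The event lines are constructed from the examples above; the extra link ids, the later timestamps and the reverse-direction fault are made up.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// LinkEvent is the subset of a fabric.links event the detector needs.
type LinkEvent struct {
	Namespace   string    `json:"namespace"`
	EventType   string    `json:"event_type"`
	Timestamp   time.Time `json:"timestamp"`
	LinkID      string    `json:"link_id"`
	SrcRouterID string    `json:"src_router_id"`
	DstRouterID string    `json:"dst_router_id"`
}

// Flap is a router pair whose link faulted at least threshold times within window.
type Flap struct {
	Src, Dst string
	Faults   int
}

// DetectFlaps scans newline-delimited fabric.links events and reports each
// src->dst router pair with threshold or more fault events inside any
// window-long span. It keys on the router pair rather than link_id because a
// re-dialed link gets a fresh id, which would otherwise hide the flapping.
func DetectFlaps(log string, window time.Duration, threshold int) []Flap {
	faults := map[[2]string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev LinkEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line: skip it rather than abort the scan
		}
		if ev.Namespace != "fabric.links" || ev.EventType != "fault" {
			continue
		}
		k := [2]string{ev.SrcRouterID, ev.DstRouterID}
		faults[k] = append(faults[k], ev.Timestamp)
	}
	var out []Flap
	for k, ts := range faults {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, start := 0, 0
		for end := range ts { // sliding window over the sorted fault times
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			out = append(out, Flap{Src: k[0], Dst: k[1], Faults: best})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src+"/"+out[i].Dst < out[j].Src+"/"+out[j].Dst })
	return out
}

// SampleLinkLog is constructed test data shaped like the events above:
// four faults for one pair (three within five minutes), one for the reverse pair,
// plus non-fault and non-link events that must be ignored.
const SampleLinkLog = `
{"namespace":"fabric.links","event_type":"dialed","timestamp":"2022-07-15T18:10:19-04:00","link_id":"l1","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"connected","timestamp":"2022-07-15T18:10:20-04:00","link_id":"l1","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"fault","timestamp":"2022-07-15T18:10:25-04:00","link_id":"l1","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"fault","timestamp":"2022-07-15T18:11:05-04:00","link_id":"l2","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"fault","timestamp":"2022-07-15T18:12:40-04:00","link_id":"l3","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"fault","timestamp":"2022-07-15T19:30:00-04:00","link_id":"l4","src_router_id":"niY.XmLArx","dst_router_id":"YPpTEd8JP","protocol":"tls","dial_address":"tls:127.0.0.1:4024","cost":1}
{"namespace":"fabric.links","event_type":"fault","timestamp":"2022-07-15T18:10:19-04:00","link_id":"l9","src_router_id":"YPpTEd8JP","dst_router_id":"niY.XmLArx","protocol":"tls","dial_address":"tls:127.0.0.1:4023","cost":1}
{"namespace":"fabric.circuits","version":2,"event_type":"created","circuit_id":"c1"}
`

func main() {
	for _, f := range DetectFlaps(SampleLinkLog, 5*time.Minute, 3) {
		fmt.Printf("link flapping %s -> %s: %d faults\n", f.Src, f.Dst, f.Faults)
	}
}
```

Repeated faults between the same two routers are worth alerting on even when each individual fault looks benign: besides pointing at an unstable path, they are what an attacker interposing on a link would produce while forcing re-dials, and the `dial_address` in the events tells you which side to inspect.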
### Circuit Event Path Changes
* Circuit event paths are now structured, rather than being a string
* The path structure contains a string list of routers in the path, ordered from initiator to terminator
* The path structure contains a string list of links in the path, ordered from initiator to terminator
* The path structure also contains the initiator and terminator xgress instance ids
* `terminator_local_addr` has been moved inside the nested path structure
* There is also a new version field, which is set to 2.
Old circuit event:
```json
{
  "namespace": "fabric.circuits",
  "event_type": "created",
  "circuit_id": "Y4aVR-QfM",
  "timestamp": "2022-07-19T12:39:21.500700972-04:00",
  "client_id": "cl5sehx8k000d0agdrqyh9aa4",
  "service_id": "bnNbAbsiYM",
  "instance_id": "",
  "creation_timespan": 812887,
  "path": "[r/niY.XmLArx]",
  "terminator_local_address": "",
  "link_count": 0,
  "path_cost": 262140,
  "failure_cause": null
}
```
New circuit event:
```json
{
  "namespace": "fabric.circuits",
  "version": 2,
  "event_type": "created",
  "circuit_id": "Llm58Bn-J",
  "timestamp": "2022-07-19T12:41:31.043070164-04:00",
  "client_id": "cl5sekp6z000dk0gdej54ipgx",
  "service_id": "bnNbAbsiYM",
  "terminator_id": "6CNJIXdRQ6mctdzHXEx8nW",
  "instance_id": "",
  "creation_timespan": 781618,
  "path": {
    "nodes": [
      "niY.XmLArx"
    ],
    "links": null,
    "ingress_id": "v9yv",
    "egress_id": "2mOq",
    "terminator_local_addr": ""
  },
  "link_count": 0,
  "path_cost": 262140
}
```
### Allow attributing usage to hosting endpoints
Terminator now has a Host ID, similar to the session Client ID. This can be used by higher levels to associate an id
with the terminator. The edge sets this field to the hosting session id.
Circuits now also track which terminator they are using, with a new terminatorId field.
These two changes together allow usage to be attributed to hosting entities as well
as dialing entities.
### Capture IP/Port of edge routers creating api sessions
When an edge router creates an API session, the ip:port of the edge router control channel will be captured.
### Report high link latency when heartbeats time out
Previously, when latency probes/heartbeats timed out, we wouldn't update the link latency. Now, link latency will be set to 88888888888ns (or ~88 seconds). This will help keep these links from being used. The use of this marker value will also let timeouts be identified.
### Bug Fixes
* [Circuits on single router which is deleted are orphaned](https://github.com/openziti/fabric/issues/452)
* [API Session Certs not updated on ERs](https://github.com/openziti/edge/issues/1096)
Published by github-actions[bot] over 2 years ago
* `ziti edge list posture-check` output
The bindings `ws` and `wss` in the transport library now use identity for server certificates. Prior to this release `ws` and `wss` would load the `server_cert` and `key` fields from files only. Both now support an optional field named `identity`. If not specified, the root `identity` field will be used. If specified, it will be used for that `ws` or `wss` binding. Since this field is processed by the identity library it supports all the private key and certificate sources that the identity framework supports (file, pem, hsm, etc.). Additionally, it also enables SNI support for `ws` and `wss` listeners.
```yaml
transport:
  ws:
    writeTimeout: 10
    readTimeout: 5
    idleTimeout: 5
    pongTimeout: 60
    pingInterval: 54
    handshakeTimeout: 10
    readBufferSize: 4096
    writeBufferSize: 4096
    enableCompression: false
    identity:
      server_cert: ./certs/er1.server.cert.pem
      server_key: ./certs/key.pem
```
Example: relying on the root `server_cert` and `alt_server_certs` fields (no `identity` under `ws`, so the root identity, including its alternate server certificates, is presented)
```yaml
v: 3
identity:
  cert: ./certs/er1.client.cert.pem
  server_cert: ./certs/er1.server.cert.pem
  key: ./certs/er1.key.pem
  ca: ./certs/er1.ca-chain.cert.pem
  alt_server_certs:
    - server_cert: ./certs/er1.alt.server.cert.pem
      server_key: ./certs/er1.alt.server.key.pem   # private key matching the alt server cert, not the cert file itself
...
transport:
  ws:
    writeTimeout: 10
    readTimeout: 5
    idleTimeout: 5
    pongTimeout: 60
    pingInterval: 54
    handshakeTimeout: 10
    readBufferSize: 4096
    writeBufferSize: 4096
    enableCompression: false
```
The identity library has been updated to support a new field: `alt_server_certs`. This field is an array of objects with `server_cert` and `server_key` fields. `alt_server_certs` is not touched by higher level Ziti automations that renew certificates and is intended for manual or externally automated use. It allows additional server certificates, with separate private keys, to be used for the controller and routers. It is useful in scenarios where routers or controllers are exposed using certificates signed by public CAs (e.g. Let's Encrypt).
The `server_cert` and `server_key` fields work the same as the root identity properties of the same name. In any single `server_cert` source that provides a chain, it is assumed that all leaf certificates are based on the private key in `server_key`. If `server_key` is not defined, the root `server_key` will be used. The identity library will use the certificate chains and private key pairs specified in `alt_server_certs` when generating a TLS configuration via `ServerTLSConfig()`. All identity sources are viable: `pem`, `file`, etc.
Go Identity Config Struct Definition:
```go
type Config struct {
	Key            string       `json:"key" yaml:"key" mapstructure:"key"`
	Cert           string       `json:"cert" yaml:"cert" mapstructure:"cert"`
	ServerCert     string       `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"`
	ServerKey      string       `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"`
	AltServerCerts []ServerPair `json:"alt_server_certs,omitempty" yaml:"alt_server_certs,omitempty" mapstructure:"alt_server_certs,omitempty"`
	CA             string       `json:"ca,omitempty" yaml:"ca,omitempty" mapstructure:"ca"`
}
```
JSON Example (the inline `pem:` form of `server_key` carries a private key block, not a certificate):
```json
{
  "cert": "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem",
  "key": "./ziti/etc/ca/intermediate/private/ctrl.key.pem",
  "server_cert": "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem",
  "server_key": "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem",
  "ca": "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem",
  "alt_server_certs": [
    {
      "server_cert": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem",
      "server_key": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem"
    },
    {
      "server_cert": "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT...",
      "server_key": "pem:-----BEGIN PRIVATE KEY-----\n..."
    }
  ]
}
```
YAML Example:
```yaml
cert: "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem"
key: "./ziti/etc/ca/intermediate/private/ctrl.key.pem"
server_cert: "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem"
server_key: "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem"
ca: "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem"
alt_server_certs:
  - server_cert: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem"
    server_key: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem"
  - server_cert: "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT..."
    server_key: "pem:-----BEGIN PRIVATE KEY-----\n..."   # inline private key, not a second certificate
```
There was a missed dependency update for xweb in 0.26.0 that kept SNI from working in HTTP API components. This would
affect SNI support for all REST APIs.