ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti

APACHE-2.0 License


ziti - https://github.com/openziti/ziti/releases/tag/v0.27.8

Published by github-actions[bot] over 1 year ago

Release 0.27.8

What's New

  • CLI additions for auth policies and external JWT signers
  • Performance improvements for listing services

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.7

Published by github-actions[bot] over 1 year ago

Release 0.27.7

What's New

  • This release updates the build to use Go 1.20
ziti - https://github.com/openziti/ziti/releases/tag/v0.27.6

Published by github-actions[bot] over 1 year ago

Release 0.27.6

What's New

  • Makes inspect CLI more discoverable by adding subcommands for inspectable values
  • Adds new inspection allowing configs to be retrieved: ziti fabric inspect config
  • Many improvements to edge-router/tunneler hosting performance with large numbers of hosted services
    • Routers should no longer overwhelm controller while setting up or reestablishing hosting
  • Adds ability to disable router
  • Adds CLI command to compact offline bbolt database: ziti ops db compact <src> <dst>
  • Adds CLI command to re-enroll edge routers: ziti edge re-enroll edge-router
  • Routers can now be disabled. Connections to the controller from disabled routers will be rejected.
    • Disable with: ziti fabric update router <router-id> --disabled
    • Enable with: ziti fabric update router <router-id> --disabled=false

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.5

Published by github-actions[bot] over 1 year ago

Release 0.27.5

What's New

  • Fixes an issue with ziti CLI when using a globally trusted CA
  • Fixes bug where ziti agent stack was calling ziti agent stats
  • ziti controller/router no longer compare the running version with
    the latest from github by default. Set ZITI_CHECK_VERSION=true to
    enable this behavior

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.4

Published by github-actions[bot] over 1 year ago

Release 0.27.4

What's New

This release contains a fix for a controller deadlock

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.3

Published by github-actions[bot] over 1 year ago

Release 0.27.3

What's New

  • Docker images for ziti CLI

  • New Raft interaction commands

    • raft-leave allows removal of controllers from the raft cluster
    • raft-list lists all connected controllers and their version/connected status
    • fabric raft list-members: same info as the agent command, but over REST

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.2

Published by github-actions[bot] almost 2 years ago

Release 0.27.2

What's New

  • Bug fixes

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.27.1

Published by github-actions[bot] almost 2 years ago

Release 0.27.1

What's New

  • Event streaming over websocket
    • ziti fabric stream events
    • Events use same JSON formatting as the file based streaming
    • Plain Text formatting removed
    • Individual streaming of metrics/circuits removed in favor of unified events streaming
  • Improvements to router/tunneler terminator creation
    • Create terminator requests are now idempotent, so repeated requests will not result in multiple terminators
    • Create terminator requests are now asynchronous, so responses will no longer get timed out
    • There is a new timer metric from routers, timing how long terminator creates take: xgress_edge_tunnel.terminator.create_timer

Component Updates and Bug Fixes

  • github.com/openziti/edge: v0.24.75 -> v0.24.86

    • Issue #1272 - Mark xgress_edge and xgress_edge_tunnel created terminators as system entity
    • Issue #1270 - Make xgress_edge_tunnel service hosting more scalable
    • Issue #1268 - session deletion can get stalled by restarts
  • github.com/openziti/fabric: v0.21.36 -> v0.22.1

    • Issue #563 - Allow streaming events over websocket, replacing stream circuits and stream metrics
    • Issue #552 - Add minimum cost delta for smart routing
    • Issue #558 - Allow terminators to be marked as system entities
  • github.com/openziti/ziti: v0.27.0 -> v0.27.1

    • Issue #928 - ziti fabric update terminator should not require setting router
    • Issue #929 - ziti fabric list terminators isn't showing cost or dynamic cost
ziti - https://github.com/openziti/ziti/releases/tag/v0.27.0

Published by github-actions[bot] almost 2 years ago

Release 0.27.0

What's New

  • Ziti CLI
    • The CLI has been cleaned up and unused, unusable and underused components have been removed or hidden
    • Add create/delete transit-router CLI commands
    • Issue-706 - Add port check to quickstart

Ziti CLI

  • The update command has been removed. It was non-functional, so this should not affect anyone
  • The adhoc, ping and playbook commands have been removed. These were ansible and vagrant commands that were not widely used.
  • Make the art command hidden, doesn't need to be removed, leave it as an easter egg
  • Move ziti ps command under ziti agent. Remove all ziti ps subcommands, as they already exist as ziti agent subcommands
  • Add ziti controller and ziti router commands
    • They should work exactly the same as ziti-controller and ziti-router
    • The standalone binaries for ziti-controller and ziti-router are deprecated and will be removed in a future release
  • Add hidden ziti tunnel command
    • Should work exactly the same as ziti-tunnel
    • Is hidden as ziti-edge-tunnel is the preferred tunnelling application
    • The standalone binary ziti-tunnel is deprecated and will be removed in a future release
  • The db, log-format and unwrap commands have been moved under a new ops command
  • ziti executable download management has been deprecated
    • The init and uninstall commands have been removed
    • The install, upgrade, use and version commands have been hidden and will be removed once tests using them are updated or replaced
  • The demo and tutorial commands have been moved under the new learn subcommand
  • ziti edge enroll now has a verbose option for additional debugging
  • The ziti edge CLI now supports create/delete transit-router. This allows transit/fabric routers to be provisioned using an enrollment process, rather than requiring certs to be created externally. Note that this requires that the fabric router config file has a csr section.

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.11

Published by github-actions[bot] almost 2 years ago

Release 0.26.11

What's New

This is mainly a bugfix release.

  • Ziti CLI
    • Bug Fixes (See Component Updates and Bug Fixes below)
    • Added CLI flags for setting router tunneler capability

Ziti CLI

Added CLI flags for setting router tunneler capability

Ziti CLI ziti create config router edge now has two new flags: --tunnelerMode and --lanInterface

--tunnelerMode

The --tunnelerMode flag enables tunneling and sets the tunneler mode. Currently, there are none, host and tproxy
modes. The default tunneler mode is host mode, choosing none will disable tunnel capabilities for the router.

Examples:

ziti create config router edge --routerName myRouter --tunnelerMode tproxy

ziti create config router edge --routerName myRouter --tunnelerMode none

--lanInterface

If using the tproxy tunneler mode, there is an optional lanIf section in the config to identify an interface to use.

Example:

ziti create config router edge --routerName myRouter --tunnelerMode tproxy --lanInterface tun0

Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.10

Published by github-actions[bot] about 2 years ago

Release 0.26.10

What's New

This release has a single fix for a panic in edge routers with embedded tunnelers hosting services.
The only other changes are build updates.

Ziti Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.9

Published by github-actions[bot] about 2 years ago

Release 0.26.9

What's New

  • Edge
    • Bug Fixes
  • Fabric
    • Bug Fixes
  • Ziti CLI
    • Allow dynamic modification of enrollment durations
    • Bug Fixes
  • SDK Golang
    • Bug Fixes
  • Identity

Ziti CLI

Allow dynamic modification of enrollment durations

Identity Enrollment Duration

Setting the environment variable ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION to some value in minutes will override the default identity enrollment duration configuration
when creating new controller configurations. If left unset, the default value is used. Using this method applies to controller config generation through the CLI as
well as quickstart deployments.

Example:

# Set identity enrollment to 60 minutes, controller configs created afterward will use this value
export ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=60

An additional argument --identityEnrollmentDuration has been added to the CLI controller config generation. If the argument is provided, the value of the argument will take
precedence, followed by the value of the environment variable (noted above), and if neither are used, the default value is used. Note that the argument takes a time unit
(m for minutes, h for hour, etc.)

Example:

# Create a controller config with an identity enrollment duration of 60 minutes
ziti create config controller --identityEnrollmentDuration 60m
# OR
ziti create config controller --identityEnrollmentDuration 1h

Router Enrollment Duration

Setting the environment variable ZITI_EDGE_ROUTER_ENROLLMENT_DURATION to some value in minutes will override the default router enrollment duration configuration
when creating new controller configurations. If left unset, the default value is used. Using this method applies to controller config generation through the CLI as
well as quickstart deployments.

Example:

# Set router enrollment to 60 minutes, controller configs created afterward will use this value
export ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=60

An additional argument --routerEnrollmentDuration has been added to the CLI controller config generation. If the argument is provided, the value of the argument will take
precedence, followed by the value of the environment variable (noted above), and if neither are used, the default value is used. Note that the argument takes a time unit
(m for minutes, h for hour, etc.)

Example:

# Create a controller config with a router enrollment duration of 60 minutes
ziti create config controller --routerEnrollmentDuration 60m
# OR
ziti create config controller --routerEnrollmentDuration 1h

Ziti Component Updates and Bug Fixes

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.8

Published by github-actions[bot] about 2 years ago

Release 0.26.8

What's New

  • General
    • Allow filtering model entities by tag
  • Fabric
    • Usage v3 metrics
  • Edge
    • Bug Fixes
  • Ziti CLI
    • ziti edge create|update ca now supports externalIdClaim
    • Improved List CAs
  • Identity
    • Automatic File Reloads

General

Model entities can now be filtered by tags. This works via the fabric and edge REST APIs and can be
used from the ziti CLI.

Example:

$ ziti edge update service demo --tags location=PA 
$ ziti edge update service echo --tags location=NY 
$ ziti edge ls services 'limit 4'
╭────────────────────────┬──────────────┬────────────┬─────────────────────┬────────────╮
│ ID                     │ NAME         │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                        │              │  REQUIRED  │                     │            │
├────────────────────────┼──────────────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY             │ demo         │ true       │ smartrouting        │            │
│ 68kYZOS54kAbU4hEhKHgHT │ echo         │ true       │ smartrouting        │ echo       │
│ EjaiJkYuMY             │ project.mgmt │ true       │ smartrouting        │            │
│ F0JVJkY40Y             │ mattermost   │ true       │ smartrouting        │            │
╰────────────────────────┴──────────────┴────────────┴─────────────────────┴────────────╯
results: 1-4 of 13

$ ziti edge ls services 'tags.location != null'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID                     │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                        │      │  REQUIRED  │                     │            │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY             │ demo │ true       │ smartrouting        │            │
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true       │ smartrouting        │ echo       │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-2 of 2

$ ziti edge ls services 'tags.location = "NY"'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID                     │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                        │      │  REQUIRED  │                     │            │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true       │ smartrouting        │ echo       │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1

Fabric

Usage v3

This is a new version of usage events. The existing v2 events can still be used. The version
is selected in the events configuration.

Here is a config showing how to get both sets of events:

events:
  jsonLogger:
    subscriptions:
      - type: fabric.usage
        version: 2
      - type: fabric.usage
        version: 3

If no version is provided for usage, then v2 events will still be output by default.

Event Consolidation

V3 events consolidate multiple usage metrics together to minimize the number of events.

Example:

{
  "namespace": "fabric.usage",
  "version": 3,
  "source_id": "cjc.1kYu0",
  "circuit_id": "CwbENl.lW",
  "usage": {
    "egress.rx": 47,
    "egress.tx": 47
  },
  "interval_start_utc": 1663342500,
  "interval_length": 60,
  "tags": {
    "clientId": "XtYOStBYgd",
    "hostId": "f3ltEI8Iok",
    "serviceId": "fclVFecdgakAoHyBvtIGy"
  }
}

Ingress and egress usage for a given circuit will be consolidated into a single event per router. Fabric usage
will also be consolidated into a single, separate event.

Event tagging

Usage events for ingress and egress usage will be annotated with edge information for both v2 and v3.

In the example above the event has tags for clientId, hostId and serviceId.

  • clientId - The id of the edge identity using the service
  • hostId - The id of the edge identity hosting the service (will be blank if not applicable, such as for router hosted)
  • serviceId - The id of the service being used
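
As an added example (not code from the ziti project), here is how a consumer of the jsonLogger file output might attribute v3 usage to services and identities using the tags above. The event lines, router ids and identity ids are constructed, and the blank hostId of a router-hosted circuit is the edge case the code handles.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// UsageEvent is the subset of a fabric.usage v3 event this example reads;
// field names follow the JSON example above.
type UsageEvent struct {
	Namespace string            `json:"namespace"`
	Version   int               `json:"version"`
	SourceID  string            `json:"source_id"`
	CircuitID string            `json:"circuit_id"`
	Usage     map[string]int64  `json:"usage"`
	Tags      map[string]string `json:"tags"`
}

// Counters accumulates bytes per usage metric name (e.g. "egress.rx") for one key.
type Counters map[string]int64

// Attribution is what a metering or anomaly-detection job keeps per interval.
type Attribution struct {
	ByService map[string]Counters
	ByClient  map[string]Counters
	ByHost    map[string]Counters // router-hosted circuits carry no hostId and are not counted here
	Skipped   int                 // events that were not fabric.usage v3
}

// add folds one event's usage counters into the entry for key, ignoring blank keys.
func add(m map[string]Counters, key string, usage map[string]int64) {
	if key == "" {
		return
	}
	c, ok := m[key]
	if !ok {
		c = Counters{}
		m[key] = c
	}
	for metric, n := range usage {
		c[metric] += n
	}
}

// Attribute folds JSON-lines usage events (the jsonLogger file format) into
// per-service, per-client and per-host counters. v2 events and other namespaces
// are counted in Skipped so a misconfigured subscription is noticed, not silently lost.
func Attribute(lines string) (*Attribution, error) {
	a := &Attribution{
		ByService: map[string]Counters{},
		ByClient:  map[string]Counters{},
		ByHost:    map[string]Counters{},
	}
	sc := bufio.NewScanner(strings.NewReader(lines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev UsageEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event line %q: %w", line, err)
		}
		if ev.Namespace != "fabric.usage" || ev.Version != 3 {
			a.Skipped++
			continue
		}
		add(a.ByService, ev.Tags["serviceId"], ev.Usage)
		add(a.ByClient, ev.Tags["clientId"], ev.Usage)
		add(a.ByHost, ev.Tags["hostId"], ev.Usage)
	}
	return a, sc.Err()
}

// SampleEvents is a constructed stream: the ingress router (r1) and egress
// router (r2) each report one consolidated event for circuit C1; circuit C2 is
// router hosted, so its hostId is blank; the last line is a v2 event to be skipped.
const SampleEvents = `
{"namespace":"fabric.usage","version":3,"source_id":"r1","circuit_id":"C1","usage":{"ingress.rx":1000,"ingress.tx":200},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"idA","hostId":"idH","serviceId":"svc1"}}
{"namespace":"fabric.usage","version":3,"source_id":"r2","circuit_id":"C1","usage":{"egress.rx":200,"egress.tx":1000},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"idA","hostId":"idH","serviceId":"svc1"}}
{"namespace":"fabric.usage","version":3,"source_id":"r1","circuit_id":"C2","usage":{"ingress.rx":10,"ingress.tx":20,"egress.rx":20,"egress.tx":10},"interval_start_utc":1663342500,"interval_length":60,"tags":{"clientId":"idA","hostId":"","serviceId":"svc2"}}
{"namespace":"fabric.usage","version":2,"source_id":"r1","circuit_id":"C1","usage":{"ingress.rx":1},"tags":{"clientId":"idA","serviceId":"svc1"}}
`

func main() {
	a, err := Attribute(SampleEvents)
	if err != nil {
		panic(err)
	}
	for svc, c := range a.ByService {
		fmt.Printf("service %s: %v\n", svc, c)
	}
	fmt.Println("skipped events:", a.Skipped)
}
```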

Edge

Bug Fixes

  • Issue 1176: Patching CA externalIdClaim Does Not Work

Ziti CLI

ziti edge create|update ca now supports externalIdClaim

Identities now have a field named externalId that can be used with 3rd Party CAs in addition to the existing
External JWT Signer support. 3rd Party CAs now support the following optional fields:

  • externalIdClaim.index - if multiple externalId claims are located, the index will be used to select one, default 0
  • externalIdClaim.location - extracts values from one of the following locations on a x509 certificate: SAN_URI, SAN_EMAIL, COMMON_NAME
  • externalIdClaim.matcher - matches values in one of the following ways PREFIX, SUFFIX, SCHEME in conjunction with matcherCriteria or select all values via ALL
  • externalIdClaim.matcherCriteria - matcher values of PREFIX, SUFFIX, and SCHEME will use matcherCriteria as a matching value
  • externalIdClaim.parser - supports parsing values from all matched externalIds via SPLIT or NONE
  • externalIdClaim.parserCriteria - for a parser value of SPLIT, parserCriteria will be used to split values

When defined, the externalIdClaim configuration will be used to locate any externalIds present in the client
supplied x509 certificate. If an externalId is located, it will be used to associate the authentication request
with an identity: if a matching identity is found, authentication is considered successful; if not, the
authentication request fails. If the client certificate does not contain an externalId then identities will be
searched for that have a certificate authenticator that matches the supplied client certificate. Should that fail,
the authentication request fails.

This functionality can be used to support SPIFFE provisioned identities. For any specific SPIFFE ID, assign it to an
identity's externalId and then use the following externalIdClaim configurations.

CA Create/Update REST API

{
  ...
  "externalIdClaim": {
    "location": "SAN_URI",
    "index": 0,
    "matcher": "SCHEME",
    "matcherCriteria": "spiffe",
    "parser": "NONE",
    "parserCriteria": ""
  }
}

Ziti CLI

ziti edge create ca myCa ca.pem -l SAN_URI -m SCHEME -x spiffe -p "NONE"
ziti edge update ca myCa -l SAN_URI -m SCHEME -x spiffe -p "NONE"

Improved List CAs Output

The output for listing CAs in non-JSON format has been improved.

Example:

╭────────────────────────┬─────────┬────────┬────────────┬─────────────┬─────────────────────────────────────────────────────────────────╮
│ ID                     │ NAME    │ FLAGS  │ TOKEN      │ FINGERPRINT │ CONFIGURATION                                                   │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┬──────────────────────┬────────────────────────┤
│ 1tu6CbXT18Dd9rybjCW5eX │ 2       │ [AOE]  │ KaPxRiKbk  │ -           │ AutoCA          │ Identity Name Format │ [caName]-[commonName]  │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Identity Roles       │ a,b,c                  │
│                        │         │        │            │             ├─────────────────┼──────────────────────┼────────────────────────┤
│                        │         │        │            │             │ ExternalIdClaim │ Index                │ 2                      │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Location             │ SAN_URI                │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Matcher              │ ALL                    │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Matcher Criteria     │                        │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Parser               │ NONE                   │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Parser Criteria      │                        │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┼──────────────────────┼────────────────────────┤
│ 7AGp9vUttJHKA1JWujNtpR │ test-ca │ [VAOE] │ -          │ 315e...ba   │ AutoCA          │ Identity Name Format │ [caName]-[commonName]  │
│                        │         │        │            │             │                 ├──────────────────────┼────────────────────────┤
│                        │         │        │            │             │                 │ Identity Roles       │  three, two,one        │
╰────────────────────────┴─────────┴────────┴────────────┴─────────────┴─────────────────┴──────────────────────┴────────────────────────╯

Ziti Library Updates

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.7

Published by github-actions[bot] about 2 years ago

Release 0.26.7

What's New

The only change in this release is updating from Golang 1.18 to 1.19

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.6

Published by github-actions[bot] about 2 years ago

Release 0.26.6

What's New

  • Edge
    • N/A
  • Fabric
    • Don't allow slow or blocked links to impede other links
    • Add destination address to circuit events
  • Ziti CLI
    • Bug Fixes
  • SDK Golang
    • N/A
  • Identity

Fabric

Address slow/blocked links

Previously if a router had multiple links and one of them was slow or blocked, it could prevent other traffic from moving. Now, if a link is unable to keep up with incoming traffic, payloads will be dropped. The end-to-end flow control and retransmission logic will handle re-sending the packet.

Links have a 64 message queue for incoming messages. Up to 64 messages are taken off the queue, sorted in priority order and then sent. Once the sorted list of messages has been sent, the next set of messages is dequeued, sorted and sent. If the queue fills while the current set of sorted messages is being sent, messages will now be dropped instead of waiting for queue space to open up.

There is now a new per-link link.dropped_msgs metric to track how often links are dropping messages.

Destination Address added to Circuit Events

When available, the remote address of the terminating side of a circuit is now available in the circuit event.

Example:

{
  "namespace": "fabric.circuits",
  "version": 2,
  "event_type": "created",
  "circuit_id": "kh7myU.bX",
  "timestamp": "2022-09-12T19:08:20.461576428-04:00",
  "client_id": "cl7zdm0d0000fbygdlzh268uq",
  "service_id": "6SIomYCjH5Jio52szEtX7W",
  "terminator_id": "7IIb1nU5yTfJVbaD8Tjuf3",
  "instance_id": "",
  "creation_timespan": 949916,
  "path": {
    "nodes": [
      "B3V.1kN40Y"
    ],
    "links": null,
    "ingress_id": "26D7",
    "egress_id": "wjo7",
    "terminator_local_addr": "127.0.0.1:44822",
    "terminator_remote_addr": "127.0.0.1:1234"
  },
  "link_count": 0,
  "path_cost": 262140
}

Ziti CLI

Bug Fixes

  • Issue 823: Fixed quickstart bug with architecture detection not supporting aarch64

Identity

Identity is a low-level library within Ziti and affects all Ziti components.

Bug Fixes

  • Fixed an issue where alt_server_certs were not always loaded and used for presenting TLS configurations

Ziti Library Updates

7f698a9 (Update deps and changelog)

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.5

Published by github-actions[bot] about 2 years ago

Release 0.26.5

What's New

This build has no functional changes, but does have changes to the build workflow,
because github is deprecating certain action runners. See
https://github.blog/changelog/2022-08-09-github-actions-the-ubuntu-18-04-actions-runner-image-is-being-deprecated-and-will-be-removed-by-12-1-22/
and
https://github.blog/changelog/2022-07-20-github-actions-the-macos-10-15-actions-runner-image-is-being-deprecated-and-will-be-removed-by-8-30-22/
for details

  • MacOS builds are now done on the macos-11 github builder
  • Linux builds are now done on the ubuntu-20.04 builder

This changes the oldest supported operating system versions for ziti-controller and ziti-router to those
listed above, due to dependencies on system shared libraries that may not be available on older operating
system versions.

If this change negatively impacts you, please let us know on Discourse.

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.4

Published by github-actions[bot] about 2 years ago

Release 0.26.4

What's New

  • Edge
    • N/A
  • Fabric
    • Bug Fixes
  • Ziti CLI
    • ziti fabric inspect can now emit results to individual files using the -f flag
  • SDK Golang
    • N/A

Fabric

Bug Fixes

  • Issue 463: fix for panic when dialing a service with instanceId and the service has terminators but none for the requested instanceId
ziti - https://github.com/openziti/ziti/releases/tag/v0.26.3

Published by github-actions[bot] over 2 years ago

Release 0.26.3

What's New

  • Edge
    • N/A
  • Fabric
    • Link Events
    • Circuit Event Path Changes
    • Allow attributing usage to hosting identities
    • Capture IP/Port of edge routers creating api sessions
    • Report high link latency when heartbeats time out
    • Bug Fixes
  • Ziti CLI
    • N/A
  • SDK Golang
    • N/A
  • Transport
    • WS/WSS no longer require client certificate

Fabric

Link Events

Link events can now be configured in the controller events configuration.

events:
  jsonLogger:
    subscriptions:
      - type: fabric.links
    handler:
      type: file
      format: json
      path: /var/log/ziti-events.log

Link Event Types

  • dialed : Generated when the controller sends a link dial message to a router
  • connected : Generated when a router sends a link connected message to the controller
  • fault : Generated when a router sends a link fault to the controller
  • routerLinkNew : Generated when a router sends a router link message to the controller and the link is new to the controller
  • routerLinkKnown : Generated when a router sends a router link message to the controller and the link is known
  • routerLinkDisconnectedDest : Generated when a router sends a router link message to the controller and the router on the other side of the link is not currently connected.

Link Dialed Event Example

{
  "namespace": "fabric.links",
  "event_type": "dialed",
  "timestamp": "2022-07-15T18:10:19.752766075-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1
}

Link Connected Example

{
  "namespace": "fabric.links",
  "event_type": "connected",
  "timestamp": "2022-07-15T18:10:19.973626185-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1,
  "connections": [
    {
      "id": "ack",
      "local_addr": "tcp:127.0.0.1:49138",
      "remote_addr": "tcp:127.0.0.1:4024"
    },
    {
      "id": "payload",
      "local_addr": "tcp:127.0.0.1:49136",
      "remote_addr": "tcp:127.0.0.1:4024"
    }
  ]
}

Link Fault Example

{
  "namespace": "fabric.links",
  "event_type": "fault",
  "timestamp": "2022-07-15T18:10:19.973867809-04:00",
  "link_id": "6slUYCqOB85YTfdiD8I5pl",
  "src_router_id": "YPpTEd8JP",
  "dst_router_id": "niY.XmLArx",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4023",
  "cost": 1
}

Router Link Known Example

{
  "namespace": "fabric.links",
  "event_type": "routerLinkKnown",
  "timestamp": "2022-07-15T18:10:19.974177638-04:00",
  "link_id": "47kGIApCXI29VQoCA1xXWI",
  "src_router_id": "niY.XmLArx",
  "dst_router_id": "YPpTEd8JP",
  "protocol": "tls",
  "dial_address": "tls:127.0.0.1:4024",
  "cost": 1
}

Circuit Event Path Changes

  • Circuit event paths are now structured, rather than being a string
  • The path structure contains a string list of routers in the path, ordered from initiator to terminator
  • The path structure contains a string list of links in the path, ordered from initiator to terminator
  • The path structure also contains the initiator and terminator xgress instance ids
  • terminator_local_addr has been moved inside the nested path structure
  • There is also a new version field, which is set to 2.

Old circuit event:

{
  "namespace": "fabric.circuits",
  "event_type": "created",
  "circuit_id": "Y4aVR-QfM",
  "timestamp": "2022-07-19T12:39:21.500700972-04:00",
  "client_id": "cl5sehx8k000d0agdrqyh9aa4",
  "service_id": "bnNbAbsiYM",
  "instance_id": "",
  "creation_timespan": 812887,
  "path": "[r/niY.XmLArx]",
  "terminator_local_address": "",
  "link_count": 0,
  "path_cost": 262140,
  "failure_cause": null
}

New circuit event:

{
  "namespace": "fabric.circuits",
  "version": 2,
  "event_type": "created",
  "circuit_id": "Llm58Bn-J",
  "timestamp": "2022-07-19T12:41:31.043070164-04:00",
  "client_id": "cl5sekp6z000dk0gdej54ipgx",
  "service_id": "bnNbAbsiYM",
  "terminator_id": "6CNJIXdRQ6mctdzHXEx8nW",
  "instance_id": "",
  "creation_timespan": 781618,
  "path": {
    "nodes": [
      "niY.XmLArx"
    ],
    "links": null,
    "ingress_id": "v9yv",
    "egress_id": "2mOq",
    "terminator_local_addr": ""
  },
  "link_count": 0,
  "path_cost": 262140
}

Allow attributing usage to hosting endpoints

Terminator now has a Host ID, similar to the session Client ID. This can be used by higher levels to associate an id
with the terminator. The edge sets this field to the hosting session id.
Circuits now also track which terminator they are using, with a new terminatorId field.
These two changes together allow usage to be attributed to hosting entities as well as dialing entities.

Capture IP/Port of edge routers creating api sessions

When an edge router creates an API session, the ip:port of the edge router control channel will be captured.

Report high link latency when heartbeats time out

Previously, when latency probes/heartbeats timed out, we wouldn't update the link latency.
Now, link latency will be set to 88888888888ns (or ~88 seconds). This will help keep
these links from being used. The use of this marker value will also let timeouts be
identified.

Bug Fixes

  • Circuits on single router which is deleted are orphaned - https://github.com/openziti/fabric/issues/452
  • API Session Certs not updated on ERs - https://github.com/openziti/edge/issues/1096

ziti - https://github.com/openziti/ziti/releases/tag/v0.26.2

Published by github-actions[bot] over 2 years ago

Release 0.26.2

What's New

  • Transport
    • WS/WSS Identity Support
  • Identity
    • Alternate Server Certificate Support
  • Edge
    • N/A
  • Fabric
    • N/A
  • Ziti CLI
    • Improvements to ziti edge list posture-check output
  • SDK Golang
    • N/A

Transport

WS/WSS Identity Support

The binding ws and wss in the transport library now use identity for server certificates. Prior to this release
ws and wss would load the server_cert and key field from files only. Both now support an optional field named
identity. If not specified, the root identity field will be used. If specified it will be used for the specified
ws or wss binding. Since this field is processed by the identity library
it supports all the private key and certificate sources that the identity framework supports (file, pem, hsm, etc.).
Additionally it also enables SNI support for ws and wss listeners.

transport:
  ws:
    writeTimeout:      10
    readTimeout:       5
    idleTimeout:       5
    pongTimeout:       60
    pingInterval:      54
    handshakeTimeout:  10
    readBufferSize:    4096
    writeBufferSize:   4096
    enableCompression: false
    identity:
      server_cert:          ./certs/er1.server.cert.pem
      server_key:                  ./certs/key.pem

Example: Relying on the root server_cert and alt_server_certs fields

v: 3

identity:
  cert:                 ./certs/er1.client.cert.pem
  server_cert:          ./certs/er1.server.cert.pem
  key:                  ./certs/er1.key.pem
  ca:                   ./certs/er1.ca-chain.cert.pem
  alt_server_certs:
    - server_cert: ./certs/er1.alt.server.cert.pem
      server_key:  ./certs/er1.alt.server.key.pem
...

transport:
  ws:
    writeTimeout:      10
    readTimeout:       5
    idleTimeout:       5
    pongTimeout:       60
    pingInterval:      54
    handshakeTimeout:  10
    readBufferSize:    4096
    writeBufferSize:   4096
    enableCompression: false

Identity

Alternate Server Certificate Support

The identity library has been updated to support a new field: alt_server_certs. This field is an array of objects
with server_cert and server_key fields. alt_server_certs is not touched by the higher-level Ziti automations that
renew certificates and is intended for manual or externally automated use. It allows additional server certificates,
with separate private keys, to be used for the controller and routers. It is useful in scenarios where routers or
controllers are exposed using certificates signed by public CAs (e.g. Let's Encrypt).

server_cert and server_key work the same as the root identity properties of the same name. For any single
server_cert source that provides a chain, it is assumed that all leaf certificates are based on the private key in
server_key. If server_key is not defined, the root server_key will be used. The identity library uses the
certificate chain and private key pairs specified in alt_server_certs when generating a TLS configuration via
ServerTLSConfig(). All identity sources are viable: pem, file, etc.

Go Identity Config Struct Definition:

type Config struct {
	Key            string       `json:"key" yaml:"key" mapstructure:"key"`
	Cert           string       `json:"cert" yaml:"cert" mapstructure:"cert"`
	ServerCert     string       `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"`
	ServerKey      string       `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"`
	AltServerCerts []ServerPair `json:"alt_server_certs,omitempty" yaml:"alt_server_certs,omitempty" mapstructure:"alt_server_certs,omitempty"`
	CA             string       `json:"ca,omitempty" yaml:"ca,omitempty" mapstructure:"ca"`
}

JSON Example:

{
  "cert": "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem",
  "key": "./ziti/etc/ca/intermediate/private/ctrl.key.pem",
  "server_cert": "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem",
  "server_key": "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem",
  "ca": "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem",
  "alt_server_certs": [
    {
      "server_cert": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem",
      "server_key": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem"
    },
    {
      "server_cert": "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT...",
      "server_key": "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..."
    }
  ]
}

YAML Example:

cert: "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem"
key: "./ziti/etc/ca/intermediate/private/ctrl.key.pem"
server_cert: "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem"
server_key: "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem"
ca: "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem"
alt_server_certs:
 - server_cert: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem"
   server_key: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem"
 - server_cert: "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT..."
   server_key: "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..."
ziti -

Published by github-actions[bot] over 2 years ago

Release 0.26.1

There was a missed dependency update for xweb in 0.26.0 that kept SNI from working in HTTP API components. This would
affect SNI support for all REST APIs.

What's New

  • Edge
    • Fixes missing identity update in xweb
  • Fabric
    • Fixes missing identity update in xweb
    • Bug Fixes
  • Ziti CLI
    • N/A
  • SDK Golang
    • N/A

Edge

Bug Fixes

Fabric

Bug Fixes