v0.29.0

Release 0.29.0

What's New

Deprecated Binary Removal

This release removes the following deprecated binaries from the release archives.

• ziti-controller - replaced by ziti controller
• ziti-router - replaced by ziti router
• ziti-tunnel - replaced by ziti tunnel

The release archives now only contain the ziti executable. This executable is now at the root of the archive instead of nested under a ziti directory.

Ziti CLI Demo Consolidation

The ziti CLI functions under ziti learn, namely ziti learn demo and ziti learn tutorial have been consolidated under ziti demo.

Continued Quickstart Changes

The quickstart continues to evolve. A breaking change has occurred as numerous environment variables used to customize the quickstart
have changed again. A summary of changes is below

• All ZITI_EDGE_ROUTER_ variables have been changed to just ZITI_ROUTER_.
  • ZITI_EDGE_ROUTER_NAME -> ZITI_ROUTER_NAME
  • ZITI_EDGE_ROUTER_PORT -> ZITI_ROUTER_PORT
  • ZITI_EDGE_ROUTER_ADVERTISED_HOST -> ZITI_ROUTER_ADVERTISED_HOST
  • ZITI_EDGE_ROUTER_IP_OVERRIDE -> ZITI_ROUTER_IP_OVERRIDE
  • ZITI_EDGE_ROUTER_ENROLLMENT_DURATION -> ZITI_ROUTER_ENROLLMENT_DURATION
  • ZITI_EDGE_ROUTER_ADVERTISED_HOST -> ZITI_ROUTER_ADVERTISED_HOST
  • ZITI_EDGE_ROUTER_LISTENER_BIND_PORT -> ZITI_ROUTER_LISTENER_BIND_PORT
• Additional variables have been added to support "alternative addresses" and "alternative PKI", for example
  to support using Let's Encrypt certificates easily in the quickstarts.
• New variables were introduced to allow automatic generation of the alt_server_certs section. Both variables
  must be supplied for the variables to impact the configurations.
  • ZITI_PKI_ALT_SERVER_CERT - "Alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_KEY"
  • ZITI_PKI_ALT_SERVER_KEY - "Key to use with the alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_CERT"
• New variables were introduced to allow one to override and customize the CSR section of routers which is used during enrollment.
  • ZITI_ROUTER_CSR_C - "The country (C) to use for router CSRs"
  • ZITI_ROUTER_CSR_ST - "The state/province (ST) to use for router CSRs"
  • ZITI_ROUTER_CSR_L - "The locality (L) to use for router CSRs"
  • ZITI_ROUTER_CSR_O - "The organization (O) to use for router CSRs"
  • ZITI_ROUTER_CSR_OU - "The organization unit to use for router CSRs"
  • ZITI_ROUTER_CSR_SANS_DNS - "The DNS name used in the CSR request"
• New variable ZITI_CTRL_EDGE_BIND_ADDRESS allows controlling the IP the edge API uses

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.81 -> v2.0.84

• github.com/openziti/edge: v0.24.348 -> v0.24.364

  • Issue #1543 - controller ca normalization can go into infinite loop on startup with bad certs

• github.com/openziti/edge-api: v0.25.29 -> v0.25.30

• github.com/openziti/fabric: v0.23.39 -> v0.23.45

• github.com/openziti/foundation/v2: v2.0.26 -> v2.0.28

• github.com/openziti/identity: v1.0.57 -> v1.0.59

• github.com/openziti/runzmd: v1.0.26 -> v1.0.28

• github.com/openziti/sdk-golang: v0.20.67 -> v0.20.78

• github.com/openziti/storage: v0.2.8 -> v0.2.11

• github.com/openziti/transport/v2: v2.0.91 -> v2.0.93

• github.com/openziti/metrics: v1.2.27 -> v1.2.30

• github.com/openziti/secretstream: v0.1.9 -> v0.1.10

• github.com/openziti/ziti: v0.28.4 -> v0.29.0

  • Issue #1180 - Add ability to debug failed smoketests
  • Issue #1169 - Consolidate demo and tutorial under demo
  • Issue #1168 - Remove ziti-controller, ziti-router and ziti-tunnel executables from build
  • Issue #1158 - Add iperf tests to ziti smoketest

v0.28.4

Release 0.28.4

Component Updates and Bug Fixes

• Restores Ziti Edge Client API as the default handler for /version and as the root handler to support previously enrolled GO SDK clients

v0.28.3

Release 0.28.3

What's New

Bug fix

Component Updates and Bug Fixes

• github.com/openziti/ziti: v0.28.2 -> v0.28.3

v0.28.2

Release 0.28.2

What's New

• IMPORTANT: If you update your OpenZiti binaries to this version or later (which can be done easily with the getZiti() function, you will need to migrate any existing network that has been developed using OpenZiti v0.27.5 or earlier binaries as the new binaries will expect the new environment variable names. A function performMigration() has been provided in the ziti-cli-script.sh for this purpose. Simply source the latest ziti-cli-script.sh, and your current network's .env file, then run performMigration() to update environment variable name references. If the migration process cannot find your existing environment file in the default location, you will need to provide the path to the migration function, ex: performMigration <path-to-environment-file>
• If you were using the ZITI_HOME environment variable to configure where your ziti CLI profiles were stored, you should now use ZITI_CONFIG_DIR instead.

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.80 -> v2.0.81

• github.com/openziti/edge: v0.24.326 -> v0.24.345

  • Issue #1528 - edge unbind returns incorect message if token is not suplied or invalid
  • Issue #1416 - Allow MFA token name to be configured

• github.com/openziti/edge-api: v0.25.25 -> v0.25.29

• github.com/openziti/fabric: v0.23.35 -> v0.23.39

  • Issue #751 - Use of Fprintf causing buffer pool corruption with amqp event output

• github.com/openziti/foundation/v2: v2.0.25 -> v2.0.26

• github.com/openziti/identity: v1.0.56 -> v1.0.57

• github.com/openziti/runzmd: v1.0.25 -> v1.0.26

• github.com/openziti/sdk-golang: v0.20.58 -> v0.20.67

• github.com/openziti/storage: v0.2.7 -> v0.2.8

• github.com/openziti/transport/v2: v2.0.90 -> v2.0.91

• github.com/openziti/metrics: v1.2.26 -> v1.2.27

• github.com/openziti/secretstream: v0.1.8 -> v0.1.9

• github.com/openziti/ziti: v0.28.1 -> v0.28.2

  • Issue #1144 - DB explore subcommand panic
  • Issue #986 - Updated default ports in .env file to match documentation.
  • Issue #920 - Fixed bug causing failure when re-running quickstart.
  • Issue #779 - Add ability to upgrade ziti binaries using a quickstart function.
  • Issue #761 - Remove Management Listener section from controller config.
  • Issue #650 - Removed/Updated references to ZITI_EDGE_CONTROLLER_API
  • Quickstart environment variable names have been cleaned up.
  • Issue #1030 - Provide an upgrade path for quickstart cleanup

v0.28.1

Release 0.28.1

What's New

• ziti CLI now trims jwt files specified for login preventing a confusing invalid header field value for "Authorization"
  error when trying to use -e flag

Router Health Check Changes

The link health check on routers now supports an initial delay configuration.

healthChecks:
  linkCheck:
    minLinks: 1
    interval: 30s
    initialDelay: 5s

The health check will also now start with an initial state of unhealthy, unless minLinks is set to zero.

Finally, link checks now include the addresses associated with the links:

    {
        "details": [
            {
                "linkId": "6a72EtnLib5nUvjhVLuHOb",
                "destRouterId": "5uUxuQ3u6Q",
                "latency": 2732886.5,
                "addresses": {
                    "ack": {
                        "localAddr": "tcp:127.0.0.1:4023",
                        "remoteAddr": "tcp:127.0.0.1:33520"
                    },
                    "payload": {
                        "localAddr": "tcp:127.0.0.1:4023",
                        "remoteAddr": "tcp:127.0.0.1:33504"
                    }
                }
            }
        ],
        "healthy": true,
        "id": "link.health",
        "lastCheckDuration": "53.213µs",
        "lastCheckTime": "2023-06-01T18:35:11Z"
    }

Event Changes

AMQP Event Writer Changes

A new field is available to the AMQP Event Writer. bufferSize denotes how many messages ziti will hold during AMQP connection outages. Any messages exceeding this limit will be logged and dropped.

Example configuration:

events:
  jsonLogger:
    subscriptions:
      - type: fabric.circuits
    handler:
      type: amqp
      format: json
      url: "amqp://localhost:5672" 
      queue: ziti
      durable: true      //default:true
      autoDelete: false  //default:false
      exclusive: false   //default:false
      noWait: false      //default:false
      bufferSize: 50     //default:50

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.13 -> v1.0.14

• github.com/openziti/channel/v2: v2.0.78 -> v2.0.80

• github.com/openziti/edge: v0.24.309 -> v0.24.326

  • Issue #1512 - Panic when removing edge terminator with expired session
  • Issue #1509 - SDK hosted terminators are being removed twice, causing spurious errors
  • Issue #1507 - edge-router with encryption disabled fails
  • Issue #1517 - allow wildcard domains in intercept.v1 addresses

• github.com/openziti/edge-api: v0.25.24 -> v0.25.25

• github.com/openziti/fabric: v0.23.29 -> v0.23.35

  • Issue #538 - Allow quiescing/dequiescing routers
  • Issue #738 - Timeout from routing is getting reported as conn refused instead of timeout
  • Issue #737 - Router link check should support initial delay configuration
  • Issue #735 - router link health check should only be passing initially if min links is zero
  • Issue #733 - Show link addresses in health check
  • Issue #732 - Added new bufferSize config option to amqp handler. Connection handling now happens in the background with exponential retries.

• github.com/openziti/foundation/v2: v2.0.24 -> v2.0.25

• github.com/openziti/identity: v1.0.54 -> v1.0.56

• github.com/openziti/runzmd: v1.0.24 -> v1.0.25

• github.com/openziti/sdk-golang: v0.20.51 -> v0.20.58

  • Issue #409 - sdk-golang v0.20.49 loops forever with older 'ws://' edge router

• github.com/openziti/storage: v0.2.6 -> v0.2.7

• github.com/openziti/transport/v2: v2.0.88 -> v2.0.90

• github.com/openziti/metrics: v1.2.25 -> v1.2.26

• github.com/openziti/ziti: v0.28.0 -> v0.28.1

  • Issue #1132 - Updated ws protocol to wss as ws is no longer supported.

v0.28.0

Release 0.28.0

What's New

• Event changes
  • Added AMQP event writter for events
  • Add entity change events for auditing or external integration
  • Add usage event filtering
  • Add annotations to circuit events
• CLI additions for ziti to login with certificates or external-jwt-signers
• NOTE: ziti edge login flag changes:
  • -c flag has been changed to map to --client-cert
  • --cert is now --ca and has no short flag representation
  • -e/--ext-jwt allows a user to supply a file containing a jwt used with ext-jwt-signers to login
  • -c/--client-cert allows a certificate to be supplied to login (used with -k/--client-key)
  • -k/--client-key allows a key to be supplied to login (used with -c/--client-cert)
• Config type changes
  • address fields in intercept.v1, host.v1, and host.v2 config types now permit hostnames with underscores.
• Edge Router/Tunneler now supports setting default UDP idle timeout/check interval

Event Changes

AMPQ Event Writer

Previously events could only be emitted to a file. They can now also be emitted to an AMQP endpoint.

Example configuration:

events:
  jsonLogger:
    subscriptions:
      - type: fabric.circuits
    handler:
      type: amqp
      format: json
      url: "amqp://localhost:5672" 
      queue: ziti
      durable: true      //default:true
      autoDelete: false  //default:false
      exclusive: false   //default:false
      noWait: false      //default:false

Entity Change Events

OpenZiti can now be configured to emit entity change events. These events describe the changes when entities stored in the
bbolt database are created, updated or deleted.

Note that events are emitted during the transaction. They are emitted at the end, so it's unlikely, but possible that an event will be emitted for a change which is rolled back. For this reason a following event will emitted when the change is committed. If a system crashes after commit, but before the committed event can be emitted, it will be emitted on the next startup.

Example configuration:

events:
  jsonLogger:
    subscriptions:
      - type: entityChange
        include:
          - services
          - identities
    handler:
      type: file
      format: json
      path: /tmp/ziti-events.log

See the related issue for discussion: openziti/fabric#562

Example output:

{
  "namespace": "entityChange",
  "eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
  "eventType": "created",
  "timestamp": "2023-05-11T21:41:47.128588927-04:00",
  "metadata": {
    "author": {
      "type": "identity",
      "id": "ji2Rt8KJ4",
      "name": "Default Admin"
    },
    "source": {
      "type": "rest",
      "auth": "edge",
      "localAddr": "localhost:1280",
      "remoteAddr": "127.0.0.1:37578",
      "method": "POST"
    },
    "version": "v0.0.0"
  },
  "entityType": "services",
  "isParentEvent": false,
  "initialState": null,
  "finalState": {
    "id": "6S0bCGWb6yrAutXwSQaLiv",
    "createdAt": "2023-05-12T01:41:47.128138887Z",
    "updatedAt": "2023-05-12T01:41:47.128138887Z",
    "tags": {},
    "isSystem": false,
    "name": "test",
    "terminatorStrategy": "smartrouting",
    "roleAttributes": [
      "goodbye",
      "hello"
    ],
    "configs": null,
    "encryptionRequired": true
  }
}

{
  "namespace": "entityChange",
  "eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
  "eventType": "committed",
  "timestamp": "2023-05-11T21:41:47.129235443-04:00"
}

Usage Event Filtering

Usage events, version 3, can now be filtered based on type.

The valid types include:

• ingress.rx
• ingress.tx
• egress.rx
• egress.tx
• fabric.rx
• fabric.tx

Example configuration:

events:
  jsonLogger:
    subscriptions:
      - type: fabric.usage
        version: 3
        include:
          - ingress.rx
          - egress.rx

Circuit Event Annotations

Circuit events initiated from the edge are now annotated with clientId, hostId and serviceId, to match usage events. The client and host ids are identity ids.

Example output:

 {
  "namespace": "fabric.circuits",
  "version": 2,
  "event_type": "created",
  "circuit_id": "0CEjWYiw6",
  "timestamp": "2023-05-05T11:44:03.242399585-04:00",
  "client_id": "clhaq7u7600o4ucgdpxy9i4t1",
  "service_id": "QARLLTKjqfLZytmSsIqba",
  "terminator_id": "7ddcd421-2b00-4b49-9ac0-8c78fe388c30",
  "instance_id": "",
  "creation_timespan": 1014280,
  "path": {
    "nodes": [
      "U7OwPtfjg",
      "a4rC9DrZ3"
    ],
    "links": [
      "7Ru3hoxsssZzUNOyvd8Jcb"
    ],
    "ingress_id": "K9lD",
    "egress_id": "rQLK",
    "initiator_local_addr": "100.64.0.1:1234",
    "initiator_remote_addr": "100.64.0.1:37640",
    "terminator_local_addr": "127.0.0.1:45566",
    "terminator_remote_addr": "127.0.0.1:1234"
  },
  "link_count": 1,
  "path_cost": 392151,
  "tags": {
    "clientId": "U7OwPtfjg",
    "hostId": "a4rC9DrZ3",
    "serviceId": "QARLLTKjqfLZytmSsIqba"
  }
}

ER/T UDP Settings

The edge router tunneler now allows configuring a timeout and check interval for tproxy UDP intercepts. By default intercepted UDP
connections will be closed after five minutes of no traffic, checking every thirty seconds. The configuration is done in the router
config file, in the options for the tunnel module. Note that these configuration options only apply to tproxy intercepts, not to
proxy or host side UDP connections.

Example configuration:

listeners:
  - binding: tunnel
    options:
      mode: tproxy
      udpIdleTimeout: 10s
      udpCheckInterval: 5s

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.10 -> v1.0.13

• github.com/openziti/channel/v2: v2.0.58 -> v2.0.78

  • Issue #98 - Set default connect timeout to 5 seconds

• github.com/openziti/edge: v0.24.239 -> v0.24.309

  • Issue #1503 - Support configurable UDP idle timeout and check interval for tproxy in edge router tunneler
  • Issue #1471 - UDP intercept connections report incorrect local/remote addresses, making confusing events
  • Issue #629 - emit entity change events
  • Issue #1295 - Ensure DB migrations work properly in a clustered setup (edge)
  • Issue #1418 - Checks for session edge router availablility are inefficient

• github.com/openziti/edge-api: v0.25.11 -> v0.25.24

• github.com/openziti/fabric: v0.22.87 -> v0.23.29

  • Issue #724 - Controller should be notified of forwarding faults on links
  • Issue #725 - If reroute fails, circuit should be torn down
  • Issue #706 - Fix panic in link close
  • Issue #700 - Additional Health Checks exposed on Edge Router
  • Issue #595 - Add include filtering for V3 usage metrics
  • Issue #684 - Add tag annotations to circuit events, similar to usage events
  • Issue #562 - Add entity change events
  • Issue #677 - Rework raft startup
  • Issue #582 - Ensure DB migrations work properly in a clustered setup (fabric)
  • Issue #668 - Add network.Run watchdog, to warn if processing is delayed

• github.com/openziti/foundation/v2: v2.0.21 -> v2.0.24

• github.com/openziti/identity: v1.0.45 -> v1.0.54

• github.com/openziti/runzmd: v1.0.20 -> v1.0.24

• github.com/openziti/sdk-golang: v0.18.76 -> v0.20.51

  • Issue #407 - Allowing filtering which edge router urls the sdk uses
  • Issue #394 - SDK does not recover from API session expiration (during app/computer suspend)

• github.com/openziti/storage: v0.1.49 -> v0.2.6

• github.com/openziti/transport/v2: v2.0.72 -> v2.0.88

• github.com/openziti/metrics: v1.2.19 -> v1.2.25

• github.com/openziti/secretstream: v0.1.8 (new)

• github.com/openziti/ziti: v0.27.9 -> v0.28.0

  • Issue #1112 - ziti pki create creates CA's and intermediates w/ the same DN
  • Issue #1087 - re-enable CI in forks
  • Issue #1013 - docker env password is renewed at each docker-compose up
  • Issue #1077 - Show auth-policy name on identity list instead of id
  • Issue #1119 - intercept.v1 config should permit underscores in the ...

v0.27.9

Release 0.27.9

What's New

• Refactored the websocket transport to fix a concurrency issue
• v0.27.6 changed delete behaviors to error if the entity was not found. This release reverts that behavior.

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.53 -> v2.0.58

• github.com/openziti/edge: v0.24.228 -> v0.24.239

  • Issue #1391 - AuthPolicies for identities is missing a reference link

• github.com/openziti/edge-api: v0.25.9 -> v0.25.11

• github.com/openziti/fabric: v0.22.77 -> v0.22.87

• github.com/openziti/foundation/v2: v2.0.18 -> v2.0.21

• github.com/openziti/identity: v1.0.42 -> v1.0.45

• github.com/openziti/runzmd: v1.0.18 -> v1.0.20

• github.com/openziti/storage: v0.1.46 -> v0.1.49

• github.com/openziti/transport/v2: v2.0.68 -> v2.0.72

• github.com/openziti/metrics: v1.2.16 -> v1.2.19

• github.com/openziti/ziti: v0.27.8 -> v0.27.9

v0.27.8

Release 0.27.8

What's New

• CLI additions for auth policies and external JWT signers
• Performance improvements for listing services

Component Updates and Bug Fixes

• github.com/openziti/edge: v0.24.224 -> v0.24.228

  • Issue #1388 - Make better use of identity service indexes for service list
  • Issue #1386 - PUT on identities results in an error and internal PANIC

• github.com/openziti/fabric: v0.22.76 -> v0.22.77

• github.com/openziti/storage: v0.1.45 -> v0.1.46

• github.com/openziti/ziti: v0.27.7 -> v0.27.8

  • Issue #1064 - Support auth-policy assignments on identities via the CLI
  • Issue #1058 - Allow Auth Policy Create/Update/Delete via CLI
  • Issue #1059 - Expose Delete for Ext JWT Signers in CLI

v0.27.7

Release 0.27.7

What's New

• This release updates the build to use Go 1.20

v0.27.6

Release 0.27.6

What's New

• Makes inspect CLI more discoverable by adding subcommands for inspectable values
• Adds new inspection allowing configs to be retrieved: ziti fabric inspect config
• Many improvements to edge-router/tunneler hosting performance with large numbers of hosted services
  • Routers should no longer overwhelm controller while setting up or reestablishing hosting
• Adds ability to disable router
• Adds CLI command to compact offline bbolt database: ziti ops db compact <src> <dst>
• Adds CLI command to re-enroll edge routers: ziti edge re-enroll edge-router
• Routers can now be disabled. Connections to the controller from disabled routers will be rejected.
  • Disable with: ziti fabric update router <router-id> --disabled
  • Enable with: ziti fabric update router <router-id> --disabled=false

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.8 -> v1.0.10

• github.com/openziti/channel/v2: v2.0.27 -> v2.0.53

  • Issue #83 - Improve protocol mismatch error(s)
  • Issue #93 - Fix atomic 64-bit alignment error on arm devices

• github.com/openziti/edge: v0.24.125 -> v0.24.224

  • Issue #1373 - Add support for disabled flag to edge and transit routers
  • Issue #1374 - Multiple MFA enrollments cannot be cleaned up by administrators
  • Issue #1336 - xgress_edge_tunnel shouldn't stop/start host on control channel reconnect
  • Issue #1369 - Add missing entity type id for TransitRouter
  • Issue #1366 - Error message incorrectly state 'invalid api session' when it's an invalid session
  • Issue #1364 - Cache api-sessions for tunneler router so we don't need to unnecessarily create new sessions
  • Issue #1362 - Rate limit terminator creates for router/tunneler
  • Issue #1359 - Sessions creates should be idempotent
  • Issue #1355 - Handle duplicate create terminator requests if create terminator fails
  • Issue #1350 - Router event processing can deadlock
  • Issue #1329 - UDP connections can drop data if datagrams are > 10k in size
  • Issue #1310 - Creating a cert backed ext-jwt-signer causes nil dereference

• github.com/openziti/edge-api: v0.25.6 -> v0.25.9

• github.com/openziti/fabric: v0.22.24 -> v0.22.76

  • Issue #651 - Add router enable/disable mechanism
  • Issue #648 - Add rate limiter pool to router for operations with potential to flood the controller
  • Issue #610 - Fix router disconnect when endpoint removed from cluster
  • Issue #622 - fatal error: concurrent map iteration and map write in logContext.WireEntry
  • Issue #507 - Add configuration for control channel heartbeat
  • Issue #584 - Add cluster events
  • Issue #599 - Add release and transfer leadership commands
  • Issue #606 - Ensure consistent use of peer address
  • Issue #598 - Add support to fabric inspect to propagate inspect to other controllers
  • Issue #597 - Make raft settings configurable
  • Issue #604 - Don't create link dropped msg metric until channel bind time
  • Issue #638 - Fix atomic 64-bit alignment error on arm devices

• github.com/openziti/foundation/v2: v2.0.10 -> v2.0.18

• github.com/openziti/identity: v1.0.30 -> v1.0.42

• github.com/openziti/runzmd: v1.0.9 -> v1.0.18

• github.com/openziti/sdk-golang: v0.18.28 -> v0.18.76

  • Issue #356 - sdk connections should respect net.Conn deadline related API specifications

• github.com/openziti/storage: v0.1.34 -> v0.1.45

• github.com/openziti/transport/v2: v2.0.51 -> v2.0.68

• github.com/openziti/jwks: v1.0.2 -> v1.0.3

• github.com/openziti/metrics: v1.2.3 -> v1.2.16

• github.com/openziti/ziti: v0.27.5 -> v0.27.6

  • Issue #1041 - Add ziti compact command to CLI
  • Issue #1032 - ziti edge create service fails silently if config names don't exist
  • Issue #1031 - Fixed quickstart bug with arm and arm64 ambiguity when running quickstart on arm architecture