continue testing controller chart
qrkourier committed Oct 21, 2024
1 parent 9aba205 commit aa233cf
Showing 5 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion charts/ziti-controller/Chart.yaml
Expand Up @@ -16,4 +16,4 @@ dependencies:
description: Host an OpenZiti controller in Kubernetes
name: ziti-controller
type: application
version: 1.0.19
version: 1.1.0
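Review bot: the bump from 1.0.19 to 1.1.0 is the right semver signal for a changed chart default (`ctrlPlane.service.enabled` flips to `true` in values.yaml in this same commit), but nothing in the commit records the upgrade impact; add a line to the chart's upgrade or changelog text stating that upgrading an existing release now creates a separate ctrl plane Service, and consider whether a commit titled "continue testing controller chart" should carry a release-facing version bump at all rather than landing it with the finished change.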
6 changes: 2 additions & 4 deletions charts/ziti-controller/README.md
Expand Up @@ -2,7 +2,7 @@

# ziti-controller

![Version: 1.0.19](https://img.shields.io/badge/Version-1.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)

Host an OpenZiti controller in Kubernetes

Expand Down Expand Up @@ -224,7 +224,6 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
| clientApi.ingress.tls | object | `{}` | deprecated: tls passthrough is required |
| clientApi.service.enabled | bool | `true` | create a cluster service for the deployment |
| clientApi.service.type | string | `"LoadBalancer"` | expose the service as a ClusterIP, NodePort, or LoadBalancer |
| ctrlPlane | object | `{"advertisedHost":"{{ .Values.clientApi.advertisedHost }}","advertisedPort":"{{ .Values.clientApi.advertisedPort }}","alternativeIssuer":{},"containerPort":"{{ .Values.clientApi.containerPort }}","dnsNames":[],"ingress":{"annotations":{},"enabled":false,"ingressClassName":"","labels":{},"tls":{}},"service":{"enabled":false,"type":"ClusterIP"}}` | by default, there's no need for a separate cluster service, ingress, or load balancer for the ctrl plane because it shares a TLS listener with the client API, advertising the same host and port but presenting the separate ctrl plane identity to TLS clients via ALPN; you may override these templates with literal host and port values and configure a separate service, ingress, load balancer, etc. for the ctrl plane |
| ctrlPlane.advertisedHost | string | `"{{ .Values.clientApi.advertisedHost }}"` | global DNS name by which routers can resolve a reachable IP for this service: default is cluster service DNS name which assumes all routers are inside the same cluster |
| ctrlPlane.advertisedPort | string | `"{{ .Values.clientApi.advertisedPort }}"` | cluster service, node port, load balancer, and ingress port |
| ctrlPlane.alternativeIssuer | object | `{}` | kind and name of alternative issuer for the controller's identity |
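Review bot: dropping the `ctrlPlane` summary row removes the only README text explaining that the ctrl plane shares the client API's TLS listener by default and presents its own identity to TLS clients via ALPN; if the row is going because the `# --` helm-docs marker was removed from values.yaml, move that explanation into prose (for example next to the ingress instructions) so operators still learn how routers reach the ctrl plane in a default install.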
Expand All @@ -235,7 +234,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
| ctrlPlane.ingress.ingressClassName | string | `""` | ingress class name, e.g., "nginx" |
| ctrlPlane.ingress.labels | object | `{}` | ingress labels |
| ctrlPlane.ingress.tls | object | `{}` | deprecated: tls passthrough is required |
| ctrlPlane.service.enabled | bool | `false` | create a separate cluster service for the ctrl plane; enabling this requires you to also set the host and port for a separate ctrl plane TLS listener |
| ctrlPlane.service.enabled | bool | `true` | create a separate cluster service for the ctrl plane; enabling this requires you to also set the host and port for a separate ctrl plane TLS listener |
| ctrlPlane.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer |
| ctrlPlaneCasBundle.namespaceSelector | object | `{}` | namespaces where trust-manager will create the Bundle resource containing Ziti's trusted CA certs (default: empty means all namespaces) |
| dbFile | string | `"ctrl.db"` | name of the BoltDB file |
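Review bot: the description on `ctrlPlane.service.enabled` still says enabling it "requires you to also set the host and port for a separate ctrl plane TLS listener", but the default is now `true` while `ctrlPlane.advertisedHost` and `ctrlPlane.advertisedPort` above still template from the client API values; either the description is wrong for the new default, or a default install now creates a Service whose advertised host and port still point at the client API listener. Clarify which is intended and update the row text (and, if needed, the advertisedHost/advertisedPort defaults) to match.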
Expand Down Expand Up @@ -343,7 +342,6 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
* replicas - Each controller replica needs to be it's own HA member. We have to wait until HA https://github.com/openziti/ziti/blob/release-next/doc/ha/overview.md is officially released.
* lower CA / Cert lifetime; how to refresh stuff when Certs are updated?
* Deploy Prometheus scraper configuration when `prometheus.enabled = true`
* cert-manager allows issuing only one cert per key, i.e., ClientCertKeyReuseIssue prevents us from issuing a user cert and server cert backed by same private key, hence the controller config.yaml re-uses server certs in place of user certs to allow startup and testing to continue

## Alternative Web Server Certificates

1 change: 0 additions & 1 deletion charts/ziti-controller/README.md.gotmpl
Expand Up @@ -202,7 +202,6 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
* replicas - Each controller replica needs to be it's own HA member. We have to wait until HA https://github.com/openziti/ziti/blob/release-next/doc/ha/overview.md is officially released.
* lower CA / Cert lifetime; how to refresh stuff when Certs are updated?
* Deploy Prometheus scraper configuration when `prometheus.enabled = true`
* cert-manager allows issuing only one cert per key, i.e., ClientCertKeyReuseIssue prevents us from issuing a user cert and server cert backed by same private key, hence the controller config.yaml re-uses server certs in place of user certs to allow startup and testing to continue

## Alternative Web Server Certificates

7 changes: 5 additions & 2 deletions charts/ziti-controller/values-ingress-nginx.yaml
@@ -1,4 +1,5 @@
ctrlPlane:

clientApi:
service:
enabled: true
type: ClusterIP
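Review bot: the file now starts with a blank line (the hunk grows from 4 to 5 lines, with the empty line added ahead of `clientApi:`); drop the leading blank line. Swapping the order of the top-level `clientApi` and `ctrlPlane` maps is a no-op for YAML semantics, so the hunk is otherwise fine.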
Expand All @@ -9,7 +10,9 @@ ctrlPlane:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"

clientApi:
# shares a TLS listener with the client API by default; these values override the defaults and configure a separate
# ingress for the ctrl plane for reverse compatibility with existing router deployments
ctrlPlane:
service:
enabled: true
type: ClusterIP
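Review bot: the new comment says the ctrl plane "shares a TLS listener with the client API by default" and that "these values override the defaults", but values.yaml in this same commit makes `ctrlPlane.service.enabled: true` the chart default, so `enabled: true` here no longer overrides anything and the "by default" claim is stale as of this commit. Either keep the chart default at `false` and let this values file be the override, or reword the comment to state what this file actually changes (the separate ingress with `ssl-passthrough` for existing router deployments).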
4 changes: 2 additions & 2 deletions charts/ziti-controller/values.yaml
Expand Up @@ -76,7 +76,7 @@ managementApi:
# -- additional DNS SANs
dnsNames: []

# -- by default, there's no need for a separate cluster service, ingress, or
# by default, there's no need for a separate cluster service, ingress, or
# load balancer for the ctrl plane because it shares a TLS listener with the
# client API, advertising the same host and port but presenting the separate
# ctrl plane identity to TLS clients via ALPN; you may override these templates
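Review bot: removing the `# --` marker hides this comment from helm-docs, which is why the `ctrlPlane` row disappears from README.md, but the comment's content is now contradicted by the same commit: it says there is no need for a separate cluster service by default, while `ctrlPlane.service.enabled` below becomes `true` by default. Rewrite the comment to describe the new default, or keep the old default and leave this as the documented rationale.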
Expand All @@ -95,7 +95,7 @@ ctrlPlane:
# -- create a separate cluster service for the ctrl plane; enabling this
# requires you to also set the host and port for a separate ctrl plane TLS
# listener
enabled: false
enabled: true
# -- expose the service as a ClusterIP, NodePort, or LoadBalancer
type: ClusterIP
ingress:
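Review bot: flipping the default to `true` is a behaviour change for every existing release (an upgrade creates a ctrl plane Service where none existed), and the `# --` comment directly above still says enabling it "requires you to also set the host and port for a separate ctrl plane TLS listener", which a default install does not do because `advertisedHost` and `advertisedPort` still template from the client API values. Either change those defaults together with this one, or keep `false` here and set `true` only in the ingress values files where the separate listener is actually configured.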