decommission the common .Values.advertisedHost; start adapting to add…

…itional edge listeners to enable adding a wss edge binding
openziti · Jan 4, 2024 · ddc0387 · ddc0387
1 parent 399b21a
commit ddc0387
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 13 deletions.
diff --git a/charts/ziti-router/templates/configmap.yaml b/charts/ziti-router/templates/configmap.yaml
@@ -133,7 +133,7 @@ data:
       listeners:
         - binding:          transport
           bind:             tls:0.0.0.0:{{ .Values.linkListeners.transport.containerPort }}
-          advertise:        tls:{{ coalesce .Values.linkListeners.transport.advertisedHost .Values.advertisedHost (printf "%s-transport.%s.svc" (include "ziti-router.fullname" . ) .Release.Namespace) }}:{{ .Values.linkListeners.transport.advertisedPort }}
+          advertise:        tls:{{ coalesce .Values.linkListeners.transport.advertisedHost (printf "%s-transport.%s.svc" (include "ziti-router.fullname" . ) .Release.Namespace) }}:{{ .Values.linkListeners.transport.advertisedPort }}
           options:
             outQueueSize:   4
       {{- end }}
@@ -142,11 +142,22 @@ data:
     # bindings of edge and tunnel requires an "edge" section below
     {{- if (eq .Values.edge.enabled true) }}
       - binding: edge
-        address: tls:0.0.0.0:{{ .Values.edge.containerPort }}
+        address: {{ .Values.edge.protocol }}:0.0.0.0:{{ .Values.edge.containerPort }}
         options:
-            advertise: {{ required "You must set either .Values.advertisedHost or .Values.edge.advertisedHost to the <host/ip> to advertise for this router. Try adding --set edge.advertisedHost=router.zitinetwork.example.org to your Helm command" (coalesce .Values.edge.advertisedHost .Values.advertisedHost) }}:{{ .Values.edge.advertisedPort }}
-            connectTimeoutMs: 1000
-            getSessionTimeout: 60
+          advertise: {{ required "You must set .Values.edge.advertisedHost to the domain name to advertise for this router's edge listener. Try adding --set edge.advertisedHost=router11.ziti.example.org to your Helm command" .Values.edge.advertisedHost }}:{{ .Values.edge.advertisedPort }}
+          {{- if .Values.edge.options }}
+            {{- toYaml .Values.edge.options | nindent 10 }}
+          {{- end }
+    {{- end }}
+    {{- if .Values.edge.additionalListeners }}
+      {{- range .Values.edge.additionalListeners }}
+      - binding: edge
+        address: {{ $element.protocol }}:0.0.0.0:{{ $element.containerPort }}
+        options:
+          advertise: {{ required (printf "You must set .Values.edge.additionalListeners[%d].advertisedHost to the domain name to advertise for this router's additional edge listener. Try adding --set edge.additionalListeners[%d].advertisedHost=router11-wss.ziti.example.org to your Helm command" $index $index) $element.advertisedHost }}:{{ $element.advertisedPort }}
+          {{- if $element.options }}
+            {{- toYaml $element.options | nindent 10 }}
+          {{- end }}
     {{- end }}
     {{- if and .Values.tunnel.mode (ne .Values.tunnel.mode "none" ) }}
       - binding: tunnel

diff --git a/charts/ziti-router/templates/ingress.yaml b/charts/ziti-router/templates/ingress.yaml
@@ -24,7 +24,7 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    - host: {{ (coalesce .Values.edge.advertisedHost .Values.advertisedHost) }}
+    - host: {{ .Values.edge.advertisedHost }}
       http:
         paths:
           # This rule gives internal access to the pingaccess admin services.
@@ -63,7 +63,7 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    - host: {{ (coalesce .Values.linkListeners.transport.advertisedHost .Values.advertisedHost) }}
+    - host: {{ .Values.linkListeners.transport.advertisedHost }}
       http:
         paths:
           # This rule gives internal access to the pingaccess admin services.

diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml
@@ -1,11 +1,10 @@
 
 ctrl:
   # -- required control plane endpoint
-  endpoint: # ctrl.example.com:6262
+  endpoint: # ctrl.ziti.example.com:443
 
-# -- common advertise-host for transport and edge listeners can also be
-# specified separately via `edge.advertisedHost` and
-# `linkListeners.transport.advertisedHost`
+# -- decommissioned value must be specified separately as edge.advertisedHost,
+# edge.additionalListeners[].advertisedHost, and linkListeners.transport.advertisedHost
 advertisedHost:
 
 
@@ -62,12 +61,16 @@ linkListeners:
 edge:
   # -- enable the edge listener in the router config
   enabled: true
+  # -- edge listener protocol: tls, wss
+  protocol: tls
   # -- cluster service target port on the container
   containerPort: 3022
-  # -- DNS name that edge clients will use to reach this router's edge listener
+  # -- Domain name that edge clients will use to reach this router's edge listener
   advertisedHost: #router11-edge.ziti.example.com
   # -- cluster service, node port, load balancer, and ingress port
   advertisedPort: 443
+  # -- additional common xgress options
+  options:
   service:
     # -- create a cluster service for the edge listener
     enabled: true
@@ -82,6 +85,25 @@ edge:
     enabled: false
     # -- ingress annotations, e.g., to configure ingress-nginx
     annotations:
+  # -- additional edge listeners have the same shape as the default edge listener, except there is no "enabled" (they're
+  # enabled if defined), and you must specify a unique name for each additional edge listener. The name distinguishes
+  # their respective cluster services.
+  additionalListeners:
+    #- name: router11-edge-wss
+    #  protocol: wss
+    #  containerPort: 3023
+    #  advertisedHost: # router11-edge-wss.ziti.example.com
+    #  advertisedPort: 443
+    #  # -- additional edge listeners can have their own cluster services
+    #  service:
+    #    enabled: true
+    #    type: ClusterIP
+    #    labels:
+    #    annotations:
+    #  # -- additional edge listeners can have their own ingresses
+    #  ingress:
+    #    enabled: false
+    #    annotations:
 
 tunnel:
   # -- run mode for the router's built-in tunnel component: host, tproxy, proxy, or none
@@ -155,7 +177,7 @@ podAnnotations: {}
 podSecurityContext:
   # -- this is the GID of "ziggy" run-as user in the container that has access
   # to any files created by the router process in the emptyDir volume used to
-  # persist the endpoints state file
+  # persist the list of ctrl endpoints
   fsGroup: 2171
 
 # -- deployment container security context