- Bug fixes and minor enhancements
- github.com/openziti/sdk-golang: v0.23.32 -> v0.23.35
- github.com/openziti/ziti: v1.1.1 -> v1.1.2
- Issue #2032 - Auto CA Enrollment Fails w/ 400 Bad Request
- Issue #2026 - Root Version Endpoint Handling 404s
- Issue #2002 - JWKS endpoints may not refresh on new KID
- Issue #2007 - Identities for edge routers with tunneling enabled sometimes show hasEdgeRouterConnection=false even though everything is OK
- Issue #1983 - delete of non-existent entity causes panic when run on follower controller
- HA Alpha-3
- Bug fixes and minor enhancements
- The all-in-one quickstart compose project now uses the same environment variable to configure the controller's address as the ziti command line tool
This release can be run in HA mode. The code is still alpha, as we're still finding and fixing bugs.
For more information:
- HA overview/getting started/migration: HA Documementation
- Open Issues: HA Project Board
Thanks to new contributors
- @Vrashabh-Sontakke
-
github.com/openziti/edge-api: v0.26.17 -> v0.26.18
-
github.com/openziti/sdk-golang: v0.23.27 -> v0.23.32
- Issue #554 - Passing in config types on service list breaks on older controller
-
github.com/openziti/storage: v0.2.36 -> v0.2.37
- Issue #64 - Add support for transaction complete listeners
-
github.com/openziti/ziti: v1.1.0 -> v1.1.1
- Issue #1973 - Raft should not initialize if db is misconfigured
- Issue #1971 - BUG: OIDC authentication does not convert config type names to ids
- Issue #1966 - Handle multi-entity updates in router data model
- Issue #1772 - provide a better error when the user is not logged in
- Issue #1964 - Add API Session Token Update Messaging
- Issue #1960 - JWT Session exchange isn't working
- Issue #1962 - permissions enum doesn't contain "Invalid"
- HA Alpha2
- Deployments Alpha
- Linux packages provide systemd services for controller and router. Both depend on existing package
openziti
which provides theziti
command line tool.openziti-controller
providesziti-controller.service
openziti-router
providesziti-router.service
- Container images for controller and router now share the bootstrapping logic with the packages, so they support the same configuration options.
- Linux packages provide systemd services for controller and router. Both depend on existing package
This release can be run in HA mode. The code is still alpha, so there are still some bugs and missing features, however basic functionality work with the exceptions noted. See the HA Documementation for instructions on setting up an HA cluster.
- JWT Session exchange isn't working with Go SDK clients
- This means Go clients will need to be restarted once their sessions expire
- Service/service policy changes might not be reflected in routers
- Changes to policy may not yet properly sync to the routers, causing unexpected behavior with ER/Ts running in HA mode
More information can be found on the HA Project Board
-
github.com/openziti/edge-api: v0.26.16 -> v0.26.17
- Issue #107 - Add configTypes param to service list
-
github.com/openziti/sdk-golang: v0.23.19 -> v0.23.27
- Issue #545 - Set config types on query when listing services
- Issue #541 - Token exchange in Go SDK not working
- Issue #540 - Switch to EdgeRouter.SupportedProtocols from deprecated URLs map
-
github.com/openziti/ziti: v1.0.0 -> v1.1.0
- Issue #1952 - Remove support for fabric only identities in CLI
- Issue #1950 - Add policy type to service policy router events
- Issue #1951 - Add more attributes to route data model Identity
- Issue #1942 - Rework ER/T intercept code to be sessionless or use JWT sessions
- Issue #1936 - SDK Hosted HA sessions are getting removed when they shouldn't be
- Issue #1934 - Don't publish binary builds to artifactory
- Issue #1931 - "invalid kid: " randomly occurs in HA mode
What does marking OpenZiti as 1.0 mean?
We've guaranteed API stability for SDK clients for years and worked hard to ensure that routers and controllers would be backwards and forward compatible. However, we have had a variety of management API changes and CLI changes. For post 1.0 releases we expect to make additions to the APIs and CLI, but won't remove anything until it's been first marked as deprecated and then only with a major version bump.
Recent releases have seen additional testing using chaos testing techniques. These tests involve setting up relatively large scale environments, knocking out various components and then verifying that the network is able to return to a stable state. These test are run for hours to try and eliminate race conditions and distributed state machine problems.
OpenZiti is also being used as underlying infrastrcture for the zrok public service. Use of this network has grown quickly and proven that it's possible to build ziti native apps that can scale up.
Administrators no longer have access to dial/bind all services by default. See below for details.
- Administrators no longer have access to dial/bind all services by default.
- TLS Handshakes can now be rate limited in the controller
- TLS Handshake timeouts can now be set on the controller when using ALPN
- Bugfixes
Admin identities were able to Dial and Bind all services regardless of the effective service policies prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with any addresses in its intercept configuration.
Please create service policies to grant Bind or Dial permissions to Admin identities as needed.
A TLS handhshake rate limiter can be enabled. This is useful in cases where there's a flood of TLS requests and the controller can't handle them all. It can get into a state where it can't respond to TLS handshakes quickly enough, so the clients time out. They then retry, adding to the the load. The controller ends up wasting time doing work that isn't use.
This uses the same rate limiting as the auth rate limiter.
Additionally the server side handshake timeout can now be configured.
Configuration:
tls:
handshakeTimeout: 15s
rateLimiter:
# if disabled, no tls handshake rate limiting with be enforced
enabled: true
# the smallest window size for tls handshakes
minSize: 5
# the largest allowed window size for tls handshakes
maxSize: 5000
# after how long to consider a handshake abandoned if neither success nor failure was reported
timeout: 30s
New metrics:
tls_handshake_limiter.in_process
- number of TLS handshakes in progresstls_handshake_limiter.window_size
- number of TLS handhshakes allowed concurrentlytls_handshake_limiter.work_timer
- timer tracking how long TLS handshakes are taking
-
github.com/openziti/channel/v2: v2.0.122 -> v2.0.128
-
github.com/openziti/edge-api: v0.26.14 -> v0.26.16
-
github.com/openziti/foundation/v2: v2.0.40 -> v2.0.42
-
github.com/openziti/identity: v1.0.73 -> v1.0.75
-
github.com/openziti/metrics: v1.2.48 -> v1.2.51
-
github.com/openziti/runzmd: v1.0.41 -> v1.0.43
-
github.com/openziti/sdk-golang: v0.23.15 -> v0.23.19
-
github.com/openziti/secretstream: v0.1.18 -> v0.1.19
-
github.com/openziti/storage: v0.2.33 -> v0.2.36
-
github.com/openziti/transport/v2: v2.0.125 -> v2.0.131
- Issue #79 - Add adaptive rate limiting to shared tls listener
-
github.com/openziti/ziti: v0.34.2 -> v1.0.0
- Issue #1923 - Add release validation test suite
- Issue #1904 - Add TLS handshake rate limiter
- Issue #1921 - Tidy CLI
- Issue #1916 - SDK dials fails with 'token is malformed' error
- Issue #1911 - Fix panic on first HA controller startup
- Issue #1914 - Fix panic in PeerConnected
- Issue #1781 - Admin identities have bind and dial permissions to services