
Install the OpenZiti Console in Kubernetes

ziti-console

Version: 0.2.4 Type: application AppVersion: latest

Deploy the OpenZiti console as a Kubernetes service

Add the OpenZiti Charts Repo to Helm

helm repo add openziti https://docs.openziti.io/helm-charts/

Minimal Installation

This chart deploys a pod running ziti-console, the OpenZiti console.

After adding the charts repo to Helm, you may install the chart.

helm install \
    --namespace ziti-console --create-namespace --generate-name \
    openziti/ziti-console \
    --set service.type=LoadBalancer \
    --set service.advertisedPort=80

Although simple, using the LoadBalancer type may not be ideal for a variety of reasons. Here are some examples for creating an HTTP Ingress.

Ingress-Nginx Sample Values

You can merge these ingress-nginx values when you install or upgrade.

ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s

settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true

Traefik Sample Values

This is a minimal values.yaml sample for a k3s environment using Traefik as the ingress load balancer:

ingress:
  enabled: true
  # must name the IngressClass that your ingress controller serves
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  labels:
    ingressMethod: traefik

settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true

TLS with Cert Manager

Cert Manager can provide a Let's Encrypt certificate for you, even a wildcard certificate with ACMEv2. As a prerequisite, you need a cert-manager Issuer for Let's Encrypt (reference). Here are example chart values showing annotations for cert-manager and ingress-nginx.

ingress:
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: my-letsencrypt-issuer
  advertisedHost: myziti-console.example.com
  tlsSecret: myziti-console-tls-secret # secret managed by issuer
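
To see what a given set of values publishes before installing, the following added example (not part of the chart or the OpenZiti docs) reads rendered manifests on stdin and flags a LoadBalancer Service or an Ingress with no spec.tls. The function names, the release name zac, the sample manifest and the 2-space indentation are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ziti-console chart.
# Usage (release name "zac" and values.yaml are placeholders):
#   helm template zac openziti/ziti-console -f values.yaml | check_console_exposure
# Assumes the rendered YAML uses 2-space indentation under spec/metadata.
check_console_exposure() {
  awk '
    function report() {
      if (kind == "Service" && stype == "LoadBalancer") {
        print "WARN service/" name ": type LoadBalancer publishes the console directly"; n++ }
      if (kind == "Ingress" && !tls) {
        print "WARN ingress/" name ": no spec.tls, no server certificate set on the Ingress"; n++ }
      kind = ""; name = ""; stype = ""; tls = 0; inmeta = 0
    }
    { gsub(/"/, "") }                       # tolerate quoted scalars
    /^---/       { report(); next }          # document separator: judge the finished object
    /^metadata:/ { inmeta = 1; next }
    /^[a-z]/     { inmeta = 0 }              # any other top-level key ends metadata
    /^kind:/     { kind = $2 }
    inmeta && /^  name:/ { name = $2 }       # metadata.name only, not port names
    /^  type:/   { stype = $2 }              # spec.type of a Service
    /^  tls:/    { tls = 1 }                 # spec.tls of an Ingress
    END { report(); exit (n > 0) }           # non-zero exit status when anything was flagged
  '
}

# Constructed sample manifest: $1 = Service type, $2 = optional extra Ingress spec line.
sample() {
  cat <<EOF
---
apiVersion: v1
kind: Service
metadata:
  name: zac
spec:
  type: $1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: zac
spec:
  ingressClassName: nginx
${2:-}
EOF
}
# Demo: the minimal LoadBalancer install plus an Ingress without a tlsSecret.
sample LoadBalancer | check_console_exposure || echo "exposure findings listed above"
```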

Values Reference

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | {} | deployment pod node affinity |
| fullnameOverride | string | "" | release fullname override |
| image.args | list | [] | app run command args |
| image.command | list | ["node","/usr/src/app/server.js"] | app run command |
| image.pullPolicy | string | "Always" | deployment image pull policy |
| image.pullSecrets | list | [] | app image registry credential |
| image.repository | string | "openziti/zac" | app container image to deploy |
| ingress.advertisedHost | string | nil | DNS name the ingress should use for the console service |
| ingress.annotations | object | {} | ingress annotations for the ingress controller |
| ingress.enabled | bool | false | create an ingress for the cluster service |
| ingress.ingressClassName | string | "" | "nginx" if using ingress-nginx |
| ingress.labels | object | {} | ingress labels |
| ingress.tlsSecret | string | nil | enable TLS ingress by specifying the name of the secret with the tls.crt, tls.key, etc. for the server cert |
| nameOverride | string | "" | release name override |
| nodeSelector | object | {} | deployment pod node selector |
| podAnnotations | object | {} | annotations to apply to all pods |
| podSecurityContext.fsGroup | int | 1000 | volume mount filesystem group owner |
| podSecurityContext.runAsGroup | int | 1000 | effective GID |
| podSecurityContext.runAsUser | int | 1000 | effective UID |
| replicas | int | 1 | deployment pod replicas |
| resources | object | {} | deployment container resources |
| securityContext | string | nil | deployment container security context |
| service.advertisedPort | int | 80 | port for the cluster service, load balancer, nodeport, and ingress to advertise |
| service.annotations | object | {} | cluster service annotations |
| service.containerPort | int | 1408 | port for the server to bind and cluster service to target |
| service.enabled | bool | true | create a cluster service for the deployment |
| service.labels | object | {} | cluster service labels |
| service.portName | string | "http" | symbolic name of the cluster service port |
| service.type | string | "ClusterIP" | choose ClusterIP, NodePort, or LoadBalancer |
| settings.edgeControllers | list | [] | Ziti Edge Mgmt APIs to pre-configure |
| settings.fabricControllers | list | [] | Ziti Fabric Mgmt APIs to pre-configure |
| tolerations | list | [] | deployment pod tolerations |