helm-charts

ziti-console

Version: 0.5.2 Type: application AppVersion: 3.1.0

Deploy OpenZiti console as kubernetes service

Add the OpenZiti Charts Repo to Helm

helm repo add openziti https://docs.openziti.io/helm-charts/

Minimal Installation

This chart deploys a pod running ziti-console, the OpenZiti console.

After adding the charts repo to Helm then you may install the chart.

helm install \
  --namespace ziti-console --create-namespace --generate-name \
  openziti/ziti-console \
    --set service.type=LoadBalancer \
    --set service.advertisedPort=80

Although simple, using the LoadBalancer type may not be ideal for a variety of reasons. Here are some examples for creating an HTTP Ingress.

Ingress-Nginx Sample Values

You can merge these ingress-nginx values when you install or upgrade.

ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s

settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true

Traefik Sample Values

This is a minimal values.yaml sample for an k3s-enviroment using traefik as ingress loadbalancer:

ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  labels:
    ingressMethod: traefik

settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true

TLS with Cert Manager

Cert Manager can provide a Let’s Encrypt certificate for you, even a wildcard certificate with ACMEv2. As a prerequisite, you need a cert-manager Issuer for Let’s Encrypt (reference). Here are example chart values showing annotations for cert-manager and ingress-nginx.

ingress:
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: my-letsencrypt-issuer
  advertisedHost: myziti-console.example.com
  tlsSecret: myziti-console-tls-secret  # secret managed by issuer

Values Reference

Key Type Default Description
affinity object {} deployment pod node affinity
fullnameOverride string "" release fullname override
image.args list [] app run command args
image.command list ["node","/usr/src/app/server.js"] app run command
image.pullPolicy string "Always" deployment image pull policy
image.pullSecrets list [] app image registry credential
image.repository string "openziti/zac" app container image to deploy
ingress.advertisedHost string nil DNS name the ingress should use for the console service
ingress.annotations object {} ingress annotations for the ingress controller
ingress.enabled bool false create an ingress for the cluster service
ingress.ingressClassName string "" “nginx” if using ingress-nginx
ingress.labels object {} ingress labels
ingress.tlsSecret string nil enable TLS ingress by specifying the name of the secret with the tls.crt, tls.key, etc. for the server cert
nameOverride string "" release name override
nodeSelector object {} deployment pod node selector
podAnnotations object {} annotations to apply to all pods
podSecurityContext.fsGroup int 1000 volume mount filesystem group owner
podSecurityContext.runAsGroup int 1000 effective GID
podSecurityContext.runAsUser int 1000 effective UID
replicas int 1 deployment pod replicas
resources object {} deployment container resources
securityContext string nil deployment container security context
service.advertisedPort int 80 port for the cluster service, load balancer, nodeport, and ingress to advertise
service.annotations object {} cluster service annotations
service.containerPort int 1408 port for the server to bind and cluster service to target
service.enabled bool true create a cluster service for the deployment
service.labels object {} cluster service labels
service.portName string "http" symbolic name of the cluster service port
service.type string "ClusterIP" choose ClusterIP, NodePort, or LoadBalancer
settings.edgeControllers list [] Ziti Edge Mgmt APIs to pre-configure
settings.fabricControllers list [] Ziti Fabric Mgmt APIs to pre-configure
tolerations list [] deployment pod tolerations