Run the zrok controller and zrok frontend components as a K8s deployment
```bash
helm repo add openziti https://docs.openziti.io/helm-charts/
```
This example does not configure TLS termination for the API or public shares, metrics, or limits. You must configure a wildcard DNS record (an A record for `*.${ZROK_ZONE}`) that resolves to the address of your ingress controller; every public share is published as a random label under that zone, and the controller API is `ctrl.${ZROK_ZONE}`.

For testing and tiny-scale deployments you can avoid setting up DNS by using an sslip.io wildcard zone such as `zrok.192.168.49.2.sslip.io`: sslip.io answers any name ending in `<ip>.sslip.io` with that IP, so this works with any IP address. Keep in mind that the zone name then publishes the address in clear and that name resolution depends on a third-party DNS service you do not control.
```bash
ZROK_ZONE=zrok.example.com
ZITI_NAMESPACE=miniziti
ZITI_MGMT_API_HOST=ziti-controller-client.${ZITI_NAMESPACE}.svc.cluster.local
ZITI_PWD=$(kubectl -n "${ZITI_NAMESPACE}" get secrets "ziti-controller-admin-secret" \
  --output go-template='')

helm upgrade \
  --install \
  --namespace zrok --create-namespace \
  --values https://openziti.io/helm-charts/charts/zrok/values-ingress-nginx.yaml \
  --set "ziti.advertisedHost=${ZITI_MGMT_API_HOST}" \
  --set "ziti.password=${ZITI_PWD}" \
  --set "dnsZone=${ZROK_ZONE}" \
  --set "controller.ingress.hosts[0]=ctrl.${ZROK_ZONE}" \
  zrok openziti/zrok
```
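The install above assumes the wildcard record is already in place and that the Ziti admin password was extracted correctly; if either is wrong, the failure only shows up later as unreachable shares or a bootstrap error. The following script is an added example, not code from the zrok project or its documentation: it derives an sslip.io zone from the ingress IP, checks that the controller host and a made-up share name both resolve to that IP before anything is installed, and then runs the same `helm upgrade --install`. It assumes the Ziti admin password is stored under the key `admin-password` in `ziti-controller-admin-secret` (the page's own command elides the template that reads it), and that the IP you pass is the one your ingress controller answers on (for minikube, `minikube ip`).

```shell
#!/bin/sh
# Added example; not part of the zrok chart or its documentation.
# Pre-flight checks for the wildcard zone, then the same install as above.
# ASSUMPTIONS: the Ziti admin password is under key "admin-password" of
# ziti-controller-admin-secret, and the IP given is the ingress controller's.
set -eu

# sslip.io resolves every "<label>.<ipv4>.sslip.io" name to <ipv4>, so a zone
# built from the ingress IP gives a working wildcard without touching DNS.
sslip_zone() {
  case "$1" in
    "" | *[!0-9.]*) echo "not an IPv4 address: '$1'" >&2; return 1 ;;
  esac
  printf 'zrok.%s.sslip.io\n' "$1"
}

# Names the chart advertises for a zone: the controller API and public shares.
# Shares get random labels, so a made-up label stands in for one here.
zrok_hostnames() {
  printf '%s\n' "ctrl.$1" "preflight-probe.$1"
}

# Fail unless every advertised name resolves to the ingress IP. A missing or
# wrong wildcard shows up here as NXDOMAIN rather than as a 404 after install.
check_wildcard() {
  zone=$1; want=$2; rc=0
  for host in $(zrok_hostnames "$zone"); do
    got=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ "$got" = "$want" ]; then
      echo "ok   $host -> $got"
    else
      echo "FAIL $host -> ${got:-NXDOMAIN} (want $want)" >&2; rc=1
    fi
  done
  return $rc
}

# Read the Ziti admin password (the key name is the assumption noted above).
ziti_admin_password() {
  kubectl -n "$1" get secret ziti-controller-admin-secret \
    -o jsonpath='{.data.admin-password}' | base64 -d
}

# The same release as the page installs, parameterised on zone and namespace.
install_zrok() {
  zone=$1; ziti_ns=$2
  helm upgrade --install zrok openziti/zrok \
    --namespace zrok --create-namespace \
    --values https://openziti.io/helm-charts/charts/zrok/values-ingress-nginx.yaml \
    --set "ziti.advertisedHost=ziti-controller-client.${ziti_ns}.svc.cluster.local" \
    --set "ziti.password=$(ziti_admin_password "$ziti_ns")" \
    --set "dnsZone=${zone}" \
    --set "controller.ingress.hosts[0]=ctrl.${zone}"
}

# Usage: sh zrok-install.sh install <ingress-ip> [zone] [ziti-namespace]
case "${1:-}" in
  install)
    ip=${2:?ingress IP required}
    zone=${3:-$(sslip_zone "$ip")}
    check_wildcard "$zone" "$ip"
    install_zrok "$zone" "${4:-miniziti}"
    ;;
esac
```

Two things to keep in mind when reusing this: `--set ziti.password=...` puts the Ziti admin password into the release's stored values, where `helm get values zrok` and anyone who can read Secrets in the `zrok` namespace can recover it, so scope RBAC on that namespace accordingly; and `check_wildcard` probes a label that no share will ever use, which is deliberate, since a correct wildcard must answer for every label, not only the ones you expect.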
One way to terminate TLS at the NGINX Ingress is cert-manager. In outline: annotate both of zrok's Ingresses with the name of an existing ClusterIssuer, and give each Ingress a `tls` entry (the `controller.ingress.tls` and `frontend.ingress.tls` values) that names its hosts and the Secret the certificate is stored in, because cert-manager's ingress-shim only requests a certificate for an Ingress that carries such an entry. The frontend host is a wildcard, `*.${ZROK_ZONE}`, which ACME issuers such as Let's Encrypt will only validate through a DNS-01 solver, so the issuer must be configured for that.

Annotations are a map, so address the annotation as a nested key with the dots in its name escaped; pass `--namespace` and `--reuse-values` so the upgrade lands on the release installed above and keeps its `dnsZone`, `ziti.*` and ingress settings instead of resetting them to chart defaults:

```bash
helm upgrade zrok openziti/zrok \
  --namespace zrok \
  --reuse-values \
  --set "frontend.ingress.annotations.cert-manager\.io/cluster-issuer=letsencrypt-prod" \
  --set "controller.ingress.annotations.cert-manager\.io/cluster-issuer=letsencrypt-prod"
```
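The annotation alone is not enough for a certificate to appear, and a wildcard host brings its own constraint. The script below is an added example, not code from the zrok project or its documentation: it generates the complete values fragment (issuer annotation plus the `tls` entries on both Ingresses), applies it with `--reuse-values`, and then waits for the two Certificate objects that ingress-shim creates, printing cert-manager's events if one does not become Ready. It assumes the release is named `zrok` in namespace `zrok` as installed above, that a ClusterIssuer of the given name exists, and that the issuer can solve DNS-01 challenges, since `*.${ZROK_ZONE}` cannot be validated over HTTP-01.

```shell
#!/bin/sh
# Added example; not part of the zrok chart or its documentation.
# Turns on TLS for both zrok Ingresses through cert-manager's ingress-shim.
# ASSUMPTIONS: release "zrok" in namespace "zrok" as installed above; the
# ClusterIssuer exists and has a DNS-01 solver for the wildcard frontend host.
set -eu

# Values fragment: the issuer annotation on each Ingress, plus the spec.tls
# entries ingress-shim requires before it requests any certificate.
cert_manager_values() {
  zone=$1; issuer=$2
  cat <<EOF
controller:
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: ${issuer}
    tls:
      - secretName: zrok-controller-tls
        hosts:
          - ctrl.${zone}
frontend:
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: ${issuer}
    tls:
      - secretName: zrok-frontend-tls
        hosts:
          - "*.${zone}"
EOF
}

# Upgrade in place; --reuse-values keeps dnsZone, ziti.* and the rest of the
# original install rather than resetting them to chart defaults. Helm reads a
# values file from stdin when the path is "-".
apply_tls() {
  cert_manager_values "$1" "$2" \
    | helm upgrade zrok openziti/zrok --namespace zrok --reuse-values --values -
}

# Issuance is asynchronous. ingress-shim names each Certificate after its
# secretName, so poll those and surface the events if one never gets Ready.
wait_for_certs() {
  for cert in zrok-controller-tls zrok-frontend-tls; do
    kubectl -n zrok wait certificate "$cert" --for=condition=Ready --timeout=300s \
      || kubectl -n zrok describe certificate "$cert" | sed -n '/^Events/,$p'
  done
}

# Usage: sh zrok-tls.sh apply <zone> <cluster-issuer>
case "${1:-}" in
  apply) apply_tls "${2:?zone required}" "${3:?cluster-issuer required}"; wait_for_certs ;;
esac
```

If the frontend Certificate stays Pending with an event about HTTP-01 on a wildcard name, the issuer is the problem, not the Ingress: switch it to a DNS-01 solver for your DNS provider, or test first with a non-wildcard host on the controller Ingress, which HTTP-01 can validate.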
The chart automatically creates a zrok account (`ziggy`) in the database and stores its credentials in two Secrets. Use the account token to enable a device environment with `zrok enable ${ZROK_ENABLE_TOKEN}`, and the username and password to log in to the zrok console. Both are live credentials for this zrok instance, so anyone who can read Secrets in the `zrok` namespace can enable environments and create shares as that account.
Get the zrok account token:

```bash
kubectl -n zrok \
  get secrets zrok-ziggy-account-token \
  -o go-template='\n\n'
```

```text title="Output"
qEP0MNtA74T3
```
Get the zrok console login credentials:

```bash
kubectl -n zrok \
  get secrets zrok-ziggy-account-password \
  -o go-template='\n\n'
```

```text title="Output"
password: p7XWVyjHbMWazLc6PZveF2b8SB2wzxDD
username: ziggy@zrok.192.168.49.2.sslip.io
```
The zrok console URL depends on how you configure ingress. If you used the NGINX Ingress example, you can query the host with:

```bash
kubectl -n zrok get ingress zrok
```

```text title="Output"
NAME   CLASS   HOSTS                             ADDRESS        PORTS   AGE
zrok   nginx   ctrl.zrok.192.168.49.2.sslip.io   192.168.49.2   80      8m41s
```

With no TLS configured the console is served on port 80, so the URL is `http://ctrl.zrok.192.168.49.2.sslip.io/`; once TLS is terminated at the Ingress, the PORTS column also lists 443 and the URL becomes `https://`.
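The two `kubectl get secrets` commands above rely on a Go template that the page does not reproduce, and the console URL has to be assembled by hand from the Ingress. The script below is an added example, not code from the zrok project or its documentation, that does both without a template: it pulls a key out of the Secret JSON and base64-decodes it, derives the controller URL from the Ingress host and whether it has a `tls` entry, and then enables a zrok environment on the current machine with the token. It assumes the Secret keys are named `token`, `username` and `password` (the names the sample output above prints), that the Ingress is named `zrok` as shown above, and that the zrok CLI honours `ZROK_API_ENDPOINT` for the controller address; the embedded Secret document is constructed for the example and carries base64 of the token shown above.

```shell
#!/bin/sh
# Added example; not part of the zrok chart or its documentation.
# Reads the bootstrap account's token and console login from the chart's
# Secrets, derives the controller URL from the Ingress, and enables a zrok
# environment on this machine.
# ASSUMPTIONS: Secret keys "token", "username", "password"; Ingress "zrok";
# a spec.tls entry is present exactly when the Ingress serves HTTPS; the
# zrok CLI reads ZROK_API_ENDPOINT.
set -eu

NS=${ZROK_NAMESPACE:-zrok}

# Constructed sample of what `kubectl get secret -o json` returns for the token
# Secret; the value is base64("qEP0MNtA74T3"), the token shown above.
SAMPLE_TOKEN_SECRET='{
  "apiVersion": "v1",
  "kind": "Secret",
  "data": {
    "token": "cUVQME1OdEE3NFQz"
  }
}'

# Extract one data key from a Secret JSON document and base64-decode it.
# Plain sed, so no jq is needed; "|" is used as the s-command delimiter
# because "/" is part of the base64 alphabet.
json_secret_field() {
  printf '%s\n' "$1" \
    | sed -n "s|.*\"$2\": *\"\\([A-Za-z0-9+/=]*\\)\".*|\\1|p" \
    | head -n 1 \
    | base64 -d
}

# Same extraction straight from the cluster: namespace, secret name, key.
secret_field() {
  json_secret_field "$(kubectl -n "$1" get secret "$2" -o json)" "$3"
}

# Scheme follows TLS: https as soon as the Ingress has any spec.tls entry.
console_url() {  # host, number of spec.tls entries
  if [ "${2:-0}" -gt 0 ]; then
    printf 'https://%s/\n' "$1"
  else
    printf 'http://%s/\n' "$1"
  fi
}

controller_url() {
  host=$(kubectl -n "$NS" get ingress zrok -o jsonpath='{.spec.rules[0].host}')
  tls_n=$(kubectl -n "$NS" get ingress zrok -o jsonpath='{.spec.tls[*].secretName}' \
    | wc -w | tr -d ' ')
  console_url "$host" "$tls_n"
}

# Print where the console is and who to log in as (the password stays in
# the Secret, so it never lands in shell history or CI logs), then enable
# this host against the controller with the account token.
bootstrap() {
  url=$(controller_url)
  token=$(secret_field "$NS" zrok-ziggy-account-token token)
  user=$(secret_field "$NS" zrok-ziggy-account-password username)
  echo "console: $url   login: $user (password in Secret zrok-ziggy-account-password)"
  ZROK_API_ENDPOINT=$url zrok enable "$token"
}

# Usage: sh zrok-bootstrap.sh run
case "${1:-}" in
  run) bootstrap ;;
esac
```

`json_secret_field` deliberately only accepts base64 characters in the captured value; a Secret with an unexpected or empty field yields nothing rather than a garbled token, and `zrok enable` then fails immediately instead of registering a broken environment.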
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | `{}` | |
| autoscaling.enabled | bool | `false` | |
| autoscaling.maxReplicas | int | `100` | |
| autoscaling.minReplicas | int | `1` | |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| controller.email | object | `{}` | send invitation acknowledgements and usage limit warnings from the specified email address |
| controller.extraConfig | object | `{}` | append additional controller config |
| controller.ingress.annotations | object | `{}` | The annotations to use for the zrok controller ingress resource |
| controller.ingress.className | string | `""` | The ingress class to use for the zrok controller |
| controller.ingress.enabled | bool | `false` | enable the ingress resource for the zrok controller |
| controller.ingress.hosts | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]` | The hosts to use for the zrok controller ingress resource |
| controller.ingress.scheme | string | `"https"` | URI scheme to advertise for the controller's ingress resource |
| controller.ingress.tls | list | `[]` | The TLS configuration for the zrok controller ingress resource |
| controller.invites.open | bool | `true` | enable the zrok controller to onboard new users when they run "zrok invite" |
| controller.invites.token_required | bool | `false` | require new users to submit an invitation token when they run "zrok invite"; tokens are generated with "zrok admin generate" |
| controller.metrics.agent.source.type | string | `"websocketSource"` | initiate a WebSocket connection to the Ziti Management API URL to receive fabric usage metrics |
| controller.metrics.enabled | bool | `false` | enable metrics collection and reporting for the zrok controller |
| controller.metrics.limits.bandwidth.per_account.limit.rx | int | `-1` | per-account limit threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_account.limit.total | int | `10485760` | per-account limit threshold for total bandwidth usage, in bytes per period (10 MiB); `-1` means no limit |
| controller.metrics.limits.bandwidth.per_account.limit.tx | int | `-1` | per-account limit threshold for transmit bandwidth usage |
| controller.metrics.limits.bandwidth.per_account.period | string | `"5m"` | per-account period for bandwidth usage |
| controller.metrics.limits.bandwidth.per_account.warning.rx | int | `-1` | per-account warning threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_account.warning.total | int | `7242880` | per-account warning threshold for total bandwidth usage |
| controller.metrics.limits.bandwidth.per_account.warning.tx | int | `-1` | per-account warning threshold for transmit bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.limit.rx | int | `-1` | per-environment limit threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.limit.total | int | `-1` | per-environment limit threshold for total bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.limit.tx | int | `-1` | per-environment limit threshold for transmit bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.period | string | `"5m"` | per-environment period for bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.warning.rx | int | `-1` | per-environment warning threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.warning.total | int | `-1` | per-environment warning threshold for total bandwidth usage |
| controller.metrics.limits.bandwidth.per_environment.warning.tx | int | `-1` | per-environment warning threshold for transmit bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.limit.rx | int | `-1` | per-share limit threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.limit.total | int | `-1` | per-share limit threshold for total bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.limit.tx | int | `-1` | per-share limit threshold for transmit bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.period | string | `"5m"` | per-share period for bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.warning.rx | int | `-1` | per-share warning threshold for receive bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.warning.total | int | `-1` | per-share warning threshold for total bandwidth usage |
| controller.metrics.limits.bandwidth.per_share.warning.tx | int | `-1` | per-share warning threshold for transmit bandwidth usage |
| controller.metrics.limits.cycle | string | `"5m"` | the period for checking usage limits |
| controller.metrics.limits.enforcing | bool | `false` | toggle enforcement of usage limits |
| controller.metrics.limits.environments | int | `-1` | the maximum number of environments |
| controller.metrics.limits.shares | int | `-1` | the maximum number of shares |
| controller.persistence.VolumeName | string | `nil` | PVC volume name |
| controller.persistence.accessMode | string | `"ReadWriteOnce"` | PVC access mode: ReadWriteOnce (concurrent mounts not allowed), ReadWriteMany (concurrent mounts allowed) |
| controller.persistence.annotations | object | `{}` | |
| controller.persistence.enabled | bool | `true` | storage claim for the zrok controller database if using sqlite3 |
| controller.persistence.existingClaim | string | `""` | If defined, the PVC must be created manually before the volume will be bound |
| controller.persistence.mount_dir | string | `"/var/lib/zrok"` | The mount path for the zrok controller database |
| controller.persistence.size | string | `"2Gi"` | PVC size of the zrok controller database |
| controller.persistence.storageClass | string | `""` | Storage class of the PV to bind. By default it looks for the default storage class. If the PV uses a different storage class, specify that here. |
| controller.service.advertisedPort | int | `80` | The port to advertise for the zrok controller service |
| controller.service.containerPort | int | `18080` | The port to expose on the zrok controller container |
| controller.service.type | string | `"ClusterIP"` | The service type to use for the zrok controller |
| controller.specVersion | int | `3` | |
| dnsZone | string | `"zrok.example.com"` | The DNS zone with a wildcard `*` A record to use for the zrok public frontend |
| frontend.deBootstrapScript | string | `"delete-identity.sh"` | |
| frontend.extraConfig | object | `{}` | append additional frontend config |
| frontend.homeDir | string | `"/var/lib/zrok"` | a read-only mountpoint for the frontend's Ziti identity; it is called "homeDir" because zrok always looks in `$HOME/.zrok/identities` |
| frontend.ingress.annotations | object | `{}` | The annotations to use for the frontend's ingress resource |
| frontend.ingress.className | string | `""` | The ingress class to use for the frontend's ingress resource |
| frontend.ingress.enabled | bool | `false` | enable the frontend's ingress resource |
| frontend.ingress.hosts | list | `[]` | `*.<dnsZone>` is always set when ingress is enabled; specify optional, additional wildcard hostnames to use for the frontend's ingress resource |
| frontend.ingress.scheme | string | `"https"` | URI scheme to advertise for the frontend's ingress resource |
| frontend.ingress.tls | list | `[]` | The TLS configuration for the frontend's ingress resource |
| frontend.service.advertisedPort | int | `80` | The port to advertise for the zrok frontend service |
| frontend.service.containerPort | int | `8080` | The port to expose on the zrok frontend container |
| frontend.service.type | string | `"ClusterIP"` | The service type to use for the zrok frontend |
| frontend.specVersion | int | `3` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"openziti/zrok"` | |
| image.tag | string | `""` | Overrides the image tag, whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | |
| influxdb2.adminUser.existingSecret | string | `""` | The name of an existing secret with admin-password and admin-token for the InfluxDB service |
| influxdb2.adminUser.password | string | `"admin"` | The admin password for the InfluxDB service; override it or use existingSecret rather than deploying the well-known default |
| influxdb2.adminUser.username | string | `"admin"` | The admin username for the InfluxDB service |
| influxdb2.enabled | bool | `false` | enable the influxdb2 subchart |
| influxdb2.service.port | int | `8086` | The port to advertise for the InfluxDB service |
| influxdb2.service.type | string | `"ClusterIP"` | The service type to use for the InfluxDB service |
| influxdb2.service.url | string | `""` | set the URL of the InfluxDB service if the subchart is disabled |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podSecurityContext | object | `{}` | |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| securityContext | object | `{}` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| test.backoffLimit | int | `3` | retry until first success unless backoffLimit is reached |
| test.enabled | bool | `false` | run "zrok test loopback public" in a one-off Job to verify the zrok public frontend is working |
| tolerations | list | `[]` | |
| ziti.advertisedHost | string | `"localhost"` | The Ziti Management API host to bootstrap zrok with and to collect fabric metrics from |
| ziti.advertisedPort | string | `"443"` | The Ziti Management API port |
| ziti.ca_cert_configmap | string | `"ziti-controller-ctrl-plane-cas"` | name of the configmap containing the Ziti CA certificate trust bundle that trust-manager syncs to namespaces with the label "openziti.io/namespace: enabled"; has the format `<ziti-controller release name>-ctrl-plane-cas` |
| ziti.ca_cert_dir | string | `"/etc/ziti"` | mountpoint of the Ziti CA certificate trust bundle |
| ziti.ca_cert_file | string | `"ctrl-plane-cas.crt"` | key name of the trust bundle in the configmap and filename to project into the mountpoint |
| ziti.password | string | `"admin"` | Ziti admin login password |
| ziti.username | string | `"admin"` | Ziti admin login name |