Install the OpenZiti Console in Kubernetes
ziti-console
Deploy the OpenZiti console as a Kubernetes service
Add the OpenZiti Charts Repo to Helm
```bash
helm repo add openziti https://docs.openziti.io/helm-charts/
```
Minimal Installation
This chart deploys a pod running ziti-console, the OpenZiti console.
After adding the charts repo to Helm, you may install the chart.
```bash
helm install \
    --namespace ziti-console --create-namespace --generate-name \
    openziti/ziti-console \
    --set service.type=LoadBalancer \
    --set service.advertisedPort=80
```
Although simple, using the LoadBalancer type may not be ideal for a variety of reasons. Here are some examples for creating an HTTP Ingress.
Ingress-Nginx Sample Values
You can merge these ingress-nginx values when you install or upgrade.
```yaml
ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s
settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true
```
Traefik Sample Values
This is a minimal values.yaml sample for a k3s environment using Traefik as the ingress load balancer:
```yaml
ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.zitik8s
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  labels:
    ingressMethod: traefik
settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      # or https://myziti-controller-mgmt.ziti-controller.svc:443 if mgmt API is separate
      default: true
```
TLS with Cert Manager
Cert Manager can provide a Let's Encrypt certificate for you, even a wildcard certificate with ACMEv2. As a prerequisite, you need a cert-manager Issuer for Let's Encrypt (reference). Here are example chart values showing annotations for cert-manager and ingress-nginx.
```yaml
ingress:
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: my-letsencrypt-issuer
  advertisedHost: myziti-console.example.com
  tlsSecret: myziti-console-tls-secret # secret managed by issuer
```
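The following values file is an added example, not part of the chart's own documentation. It combines the ingress, TLS and controller settings shown above into one file that keeps the service cluster-internal and tightens the container security context. The file name `values-hardened.yaml` is hypothetical, the host, issuer and secret names are the sample names used above, and the `securityContext` fields are standard Kubernetes container settings that this chart is assumed to pass through unchanged.

```yaml
# values-hardened.yaml (added example; file name is hypothetical)
# Every top-level key below is listed in this chart's Values Reference.

service:
  type: ClusterIP        # chart default: no LoadBalancer or NodePort exposure
  advertisedPort: 80     # cluster-internal port; TLS terminates at the ingress

ingress:
  enabled: true
  ingressClassName: nginx
  advertisedHost: myziti-console.example.com
  annotations:
    cert-manager.io/cluster-issuer: my-letsencrypt-issuer
  tlsSecret: myziti-console-tls-secret   # secret managed by issuer

settings:
  edgeControllers:
    - name: Ziti Edge Mgmt API
      # URL of controller's mgmt API cluster service
      url: https://myziti-controller-client.ziti-controller.svc:443
      default: true

# Chart defaults, stated explicitly so the non-root UID/GID is visible in review.
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

# Assumption: the chart copies this map verbatim into the container's
# securityContext and the image runs without any added Linux capabilities.
# The server binds the unprivileged port 1408 (service.containerPort).
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```

Pass the file with `--values values-hardened.yaml` on `helm install` or `helm upgrade`, then confirm the pod starts under the restricted security context before relying on it.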
Values Reference
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} | deployment pod node affinity |
fullnameOverride | string | "" | release fullname override |
image.args | list | [] | app run command args |
image.command | list | ["node","/usr/src/app/server.js"] | app run command |
image.pullPolicy | string | "Always" | deployment image pull policy |
image.pullSecrets | list | [] | app image registry credential |
image.repository | string | "openziti/zac" | app container image to deploy |
ingress.advertisedHost | string | nil | DNS name the ingress should use for the console service |
ingress.annotations | object | {} | ingress annotations for the ingress controller |
ingress.enabled | bool | false | create an ingress for the cluster service |
ingress.ingressClassName | string | "" | "nginx" if using ingress-nginx |
ingress.labels | object | {} | ingress labels |
ingress.tlsSecret | string | nil | enable TLS ingress by specifying the name of the secret with the tls.crt, tls.key, etc. for the server cert |
nameOverride | string | "" | release name override |
nodeSelector | object | {} | deployment pod node selector |
podAnnotations | object | {} | annotations to apply to all pods |
podSecurityContext.fsGroup | int | 1000 | volume mount filesystem group owner |
podSecurityContext.runAsGroup | int | 1000 | effective GID |
podSecurityContext.runAsUser | int | 1000 | effective UID |
replicas | int | 1 | deployment pod replicas |
resources | object | {} | deployment container resources |
securityContext | string | nil | deployment container security context |
service.advertisedPort | int | 80 | port for the cluster service, load balancer, nodeport, and ingress to advertise |
service.annotations | object | {} | cluster service annotations |
service.containerPort | int | 1408 | port for the server to bind and cluster service to target |
service.enabled | bool | true | create a cluster service for the deployment |
service.labels | object | {} | cluster service labels |
service.portName | string | "http" | symbolic name of the cluster service port |
service.type | string | "ClusterIP" | choose ClusterIP, NodePort, or LoadBalancer |
settings.edgeControllers | list | [] | Ziti Edge Mgmt APIs to pre-configure |
settings.fabricControllers | list | [] | Ziti Fabric Mgmt APIs to pre-configure |
tolerations | list | [] | deployment pod tolerations |