v1.3.3

Release 1.3.3

What's New

• Bug Fixes

Component Updates and Bug Fixes

• github.com/openziti/ziti: v1.3.2 -> v1.3.3
  • Issue #2694 - Router should use router data model if it has more than one controller configured, regardless of controller configuration

v1.3.2

Release 1.3.2

What's New

• Bug Fixes

Component Updates and Bug Fixes

• github.com/openziti/ziti: v1.3.1 -> v1.3.2
  • Issue #2692 - Routers get empty ctrl list on upgrade
  • Issue #2689 - OIDC authentication with form data requires "id" in form data, authReqeustID in query string is ignored

v1.3.1

Release 1.3.1

What's New

• Bug Fixes

Component Updates and Bug Fixes

• github.com/openziti/ziti: v1.3.0 -> v1.3.1
  • Issue #2682 - HA Controller panics when bootstrapping by setting the db variable in the configuration
  • Issue #2683 - Controller fails to save peer configuration on a fresh install
  • Issue #2684 - Controller emits duplicate cluster events on startup

v1.3.0

Release 1.3.0

What's New

• Router Data Model enabled by default
• Bug fixes
• Controller Health Check HA Update (from @nenkoru)

Router Data Model

As part of the controller HA work, a stripped down version of the data model can now be distributed to the routers,
allowing routers to make some authorization/authentication decisions. This code has existed for some time, but
after testing and validation, is now enabled by default.

It can still be disabled at the controller level using new configuration. Note that the router data model is required
for HA functionality, so if the controller is running in HA mode, it cannot be disabled.

routerDataModel:
  # Controls whether routers are told to enable functionality dependent on the router data model
  # Defaults to true
  enabled: true 

  # How many model changes to buffer so that routers can be updated iteratively. If a router requests
  # data that's no longer available, it will receive the full data model
  logSize: 10000

HA Changes

Routers no longer require the ha: enabled flag be set in the configuration. Routers should work correctly
whether connecting to HA or non-HA controllers.

NOTE: If the controller a router is connected changes modes, specifically if the controller goes from
supporting the router data model to not, or vice-versa, the router will shutdown so that it can
restart with the correct mode.

Controller Health Check HA Update

This feature was contributed by @nenkoru.

The controller health check can now optionally return information about raft and leadership when the /controller/raft path is provided.

$ curl -k https://localhost:1280/health-checks/controller/raft
{
    "data": {
        "checks": [
            {
                "healthy": true,
                "id": "bolt.read",
                "lastCheckDuration": "0s",
                "lastCheckTime": "2025-01-14T19:42:13Z"
            }
        ],
        "healthy": true
    },
    "meta": {},
    "raft": {
        "isLeader": true,
        "isRaftEnabled": true
    }
}

Note the raft section, which indicates if raft is enabled and if the queried controller is currently the leader. If the
controller/raft path isn't present in the request, the result should be unchanged from previous releases.

When querying the controller/raft health, if raft is enabled but the controller is not the leader, the check will
return an HTTP status of 429.

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.20 -> v1.0.23

• github.com/openziti/channel/v3: v3.0.16 -> v3.0.26

• github.com/openziti/edge-api: v0.26.35 -> v0.26.38

  • Issue #138 - management api deletes were generally not mapping 404 properly

• github.com/openziti/foundation/v2: v2.0.52 -> v2.0.56

• github.com/openziti/identity: v1.0.90 -> v1.0.94

• github.com/openziti/metrics: v1.2.61 -> v1.2.65

• github.com/openziti/runzmd: v1.0.55 -> v1.0.59

• github.com/openziti/secretstream: v0.1.26 -> v0.1.28

• github.com/openziti/storage: v0.3.8 -> v0.3.15

  • Issue #91 - Support dashes in identifier segments after the first dot

• github.com/openziti/transport/v2: v2.0.153 -> v2.0.159

• github.com/openziti/ziti: v1.2.2 -> v1.3.0

  • Issue #2674 - 404 not found on well-known OIDC configuration with default ports/localhost
  • Issue #2669 - Router api session tracker leaks memory.
  • Issue #2659 - OIDC Login Panics On Unsupported Media Type
  • Issue #2582 - An endpoint to determine whether a node is a raft leader
  • Issue #2619 - Add source id to all events
  • Issue #2644 - enhance mismapped external identity logging
  • Issue #2636 - Enable HA smoketest
  • Issue #2586 - Ziti Controller in HA mode doesn't update binding address in a bolt database after config changed
  • Issue #2639 - Change cluster events namespace from fabric.cluster to cluster
  • Issue #2184 - Add Event(s) For Controller Leader Connection State
  • Issue #2548 - Generate a log message if the cluster is without a leader for some configurable period of time
  • Issue #2624 - Remove uri/params from connect events
  • Issue #2596 - Add DisableRouterDataModel config flag to controller
  • Issue #2599 - Routers should only stream model data from one controller
  • Issue #2232 - Standardized REST API Error For Mutation on Non-Consensus Controller
  • Issue #2566 - Remove HA config flag from router
  • Issue #2550 - Router Data Model Chaos Test
  • Issue #2625 - edge sessions for an ERT may not be cleaned up when the ER/T is deleted
  • Issue #2591 - Split Edge APIs can cause ziti edge login to fail

v1.1.16

Release 1.1.16

What's New

Update golang.org/x dependencies, specifically golang.org/x/crypto, for latest security fixes

v1.2.2

Release 1.2.2

What's New

• Bug fixes and continuing progress on controller HA

Component Updates and Bug Fixes

• github.com/openziti/secretstream: v0.1.25 -> v0.1.26

• github.com/openziti/storage: v0.3.6 -> v0.3.8

  • Issue #87 - negative URL filter returns incorrect results

• github.com/openziti/ziti: v1.2.1 -> v1.2.2

  • Issue #2559 - expired JWTs are allowed to enroll
  • Issue #2543 - Support adding adding an uninitialized node to a cluster (rather than the reverse)

v1.2.1

Release 1.2.1

What's New

• Bug fixes and continuing progress on controller HA

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.19 -> v1.0.20
• github.com/openziti/channel/v3: v3.0.10 -> v3.0.16
• github.com/openziti/foundation/v2: v2.0.50 -> v2.0.52
• github.com/openziti/identity: v1.0.88 -> v1.0.90
• github.com/openziti/metrics: v1.2.59 -> v1.2.61
• github.com/openziti/runzmd: v1.0.53 -> v1.0.55
• github.com/openziti/storage: v0.3.2 -> v0.3.6
• github.com/openziti/transport/v2: v2.0.150 -> v2.0.153
• github.com/openziti/ziti: v1.2.0 -> v1.2.1
  • Issue #2543 - Support adding adding an uninitialized node to a cluster (rather than the reverse)
  • Issue #2541 - Add cluster id, to prevent merging disparate clusters
  • Issue #2532 - When adding an existing HA cluster member, remove/add if suffrage has changed
  • Issue #2217 - Controller list is empty until peers connect
  • Issue #2533 - Handle concurrent raft connections
  • Issue #2534 - Ziti ID with leading hyphen causes command-line parameter ambiguity
  • Issue #2528 - Updated router costs are not use when evaluating current path cost in the context of smart rerouting

v1.2.0

Release 1.2.0

What's New

• New Router Metrics
• Changes to identity connect status
• HA Bootstrap Changes
• Connect Events
• SDK Events
• Bug fixes and other HA work

New Router Metrics

The following new metrics are available for edge routers:

1. edge.connect.failures - meter tracking failed connect attempts from sdks
   This tracks failures to not having a valid token. Other failures which
   happen earlier in the connection process may not be tracked here.
2. edge.connect.successes - meter tracking successful connect attempts from sdks
3. edge.disconnects - meter tracking disconnects of previously successfully connected sdks
4. edge.connections - gauge tracking count of currently connected sdks

Identity Connect Status

Ziti tracks whether an identity is currently connected to an edge router.
This is the hasEdgeRouterConnection field on Identity.

Identity connection status used to be driven off of heartbeats from the edge router.
This feature doesn't work correctly when running with controller HA.

To address this, while also providing more operation insight, connect events were added
(see below for more details on the events themselves).

The controller can be configured to use status from heartbeats, connect events or both.
If both are used as source, then if either reports the identity as connected, then it
will show as connected. This is intended for when you have a mix of routers and they
don't all yet supported connect events.

The controller now also aims to be more precise about identity state. There is a new
field on Identity: edgeRouterConnectionStatus. This field can have one of three
values:

• offline
• online
• unknown

If the identity is reported as connected to any ER, it will be marked as online.
If the identity has been reported as connected, but the reporting ER is now
offline, the identity may still be connected to the ER. While in this state
it will be marked as 'unknown'. After a configurable interval, it will be marked
as offline.

New controller config options:

identityStatusConfig:
  # valid values ['heartbeats', 'connect-events', 'hybrid']
  # defaults to 'hybrid' for now
  source: connect-events 

  # determines how often we scan for disconnected routers
  # defaults to 1 minute
  scanInterval: 1m

  # determines how long an identity will stay in unknown status before it's marked as offline
  # defaults to 5m
  unknownTimeout: 5m

HA Bootstrapping Changes

Previously bootstrapping the RAFT cluster and initializing the controller with a
default administrator were separate operations.
Now, the raft cluster will be bootstrapped whenever the controller is initialized.

The controller can be initialized as follows:

1. Using ziti agent controller init
2. Using ziti agent controller init-from-db
3. Specifying a db: entry in the config file. This is equivalent to using ziti agent controller init-from-db.

Additionally:

1. minClusterSize has been removed. The cluster will always be initialized with a size of 1.
2. bootstrapMembers has been renamed to initialMembers. If initialMembers are specified,
   the bootstrapping controller will attempt to add them after bootstrap has been complete. If
   they are invalid they will be ignored. If they can't be reached (because they're not running
   yet), the controller will continue to retry until they are reached, or it is restarted.

Connect Events

These are events generated when a successful connection is made to a controller, from any of:

1. Identity, using the REST API
2. Router
3. Controller (peer in an HA cluster)

They are also generated when an SDK connects to a router.

Controller Configuration

events:
  jsonLogger:
    subscriptions:
      - type: connect
    handler:
      type: file
      format: json
      path: /tmp/ziti-events.log

Router Configuration

connectEvents:
  # defaults to true. 
  # If set to false, minimal information about which identities are connected will still be 
  # sent to the controller, so the `edgeRouterConnectionStatus` field can be populated, 
  # but connect events will not be generated.
  enabled: true

  # The interval at which connect information will be batched up and sent to the controller. 
  # Shorter intervals will improve data resolution on the controller. Longer intervals could
  # more efficient.
  batchInterval: 3s

  # The router will also periodically sent the full state to the controller, to ensure that 
  # it's in sync. It will do this automatically if the router gets disconnected from the 
  # controller, or if the router is unable to send a connect events messages to the controller.
  # This controls how often the full state will be sent under ordinairy conditions
  fullSyncInterval: 5m

  # If enabled is set to true, the router will collect connect events and send them out
  # at the configured batch interval. If there are a huge number of connecting identities
  # or if the router is disconnected from the controller for a time, it may be unable to
  # send events. In order to prevent queued events from exhausting memory, a maximum 
  # queue size is configured. 
  # Default value 100,000
  maxQueuedEvents: 100000
  

Example Events

{
  "namespace": "connect",
  "src_type": "identity",
  "src_id": "ji2Rt8KJ4",
  "src_addr": "127.0.0.1:59336",
  "dst_id": "ctrl_client",
  "dst_addr": "localhost:1280/edge/management/v1/edge-routers/2L7NeVuGBU",
  "timestamp": "2024-10-02T12:17:39.501821249-04:00"
}
{
  "namespace": "connect",
  "src_type": "router",
  "src_id": "2L7NeVuGBU",
  "src_addr": "127.0.0.1:42702",
  "dst_id": "ctrl_client",
  "dst_addr": "127.0.0.1:6262",
  "timestamp": "2024-10-02T12:17:40.529865849-04:00"
}
{
  "namespace": "connect",
  "src_type": "peer",
  "src_id": "ctrl2",
  "src_addr": "127.0.0.1:40056",
  "dst_id": "ctrl1",
  "dst_addr": "127.0.0.1:6262",
  "timestamp": "2024-10-02T12:37:04.490859197-04:00"
}

SDK Events

Building off of the connect events, there are events generated when an identity/sdk comes online or goes offline.

events:
  jsonLogger:
    subscriptions:
      - type: sdk
    handler:
      type: file
      format: json
      path: /tmp/ziti-events.log

{
  "namespace": "sdk",
  "event_type" : "sdk-online",
  "identity_id": "ji2Rt8KJ4",
  "timestamp": "2024-10-02T12:17:39.501821249-04:00"
}

{
  "namespace": "sdk",
  "event_type" : "sdk-status-unknown",
  "identity_id": "ji2Rt8KJ4",
  "timestamp": "2024-10-02T12:17:40.501821249-04:00"
}

{
  "namespace": "sdk",
  "event_type" : "sdk-offline",
  "identity_id": "ji2Rt8KJ4",
  "timestamp": "2024-10-02T12:17:41.501821249-04:00"
}

Component Updates and Bug Fixes

• github.com/openziti/agent: v1.0.18 -> v1.0.19

• github.com/openziti/channel/v3: v3.0.5 -> v3.0.10

• github.com/openziti/edge-api: v0.26.32 -> v0.26.35

• github.com/openziti/foundation/v2: v2.0.49 -> v2.0.50

• github.com/openziti/identity: v1.0.85 -> v1.0.88

• github.com/openziti/metrics: v1.2.58 -> v1.2.59

• github.com/openziti/runzmd: v1.0.51 -> v1.0.53

• github.com/openziti/sdk-golang: v0.23.43 -> v0.23.44

• github.com/openziti/transport/v2: v2.0.146 -> v2.0.150

• github.com/openziti/ziti: v1.1.15 -> v1.2.0

  • Issue #2212 - Rework distributed control bootstrap mechanism
  • Issue #1835 - Add access log for rest and router connections
  • Issue #2234 - Emit an event when hasEdgeRouterConnection state changes for an Identity
  • Issue #2506 - Identity service config overrides referential integrity issues
  • Issue #2491 - fix router CSR loading
  • Issue #2478 - JWT signer secondary auth: not enough information to continue
  • Issue #2482 - router run command - improperly binds 127.0.0.1:53/udp when tunnel mode is not tproxy
  • Issue #2474 - Enable Ext JWT Enrollment/Generic Trust Bootstrapping
  • Issue #2471 - Service Access for Legacy SDKs in HA does not work
  • Issue #2468 - enrollment signing cert is not properly identified

v1.1.15

Release 1.1.15

What's New

• Bug fixes, enhancements and continuing progress on controller HA

Component Updates and Bug Fixes

• github.com/openziti/channel/v3: v3.0.3 -> v3.0.5

  • Issue #146 - Transport options aren't being set in dialer
  • Issue #144 - Add ReadAdapter utility

• github.com/openziti/edge-api: v0.26.31 -> v0.26.32

• github.com/openziti/sdk-golang: v0.23.42 -> v0.23.43

  • Issue #629 - JWT session refresh interprets expiration date incorrectly

• github.com/openziti/secretstream: v0.1.24 -> v0.1.25

• github.com/openziti/ziti: v1.1.14 -> v1.1.15

  • Issue #2460 - Panic on JWT token refresh

v1.1.14

Release 1.1.14

NOTE: Will not be promoted, as it contains a bug in the ALPN code, fixed in 1.1.15

What's New

• Bug fixes, enhancements and continuing progress on controller HA

Component Updates and Bug Fixes

• github.com/openziti/edge-api: v0.26.30 -> v0.26.31

• github.com/openziti/jwks: v1.0.5 -> v1.0.6

• github.com/openziti/ziti: v1.1.13 -> v1.1.14

  • Issue #2119 - Add authentication events
  • Issue #2424 - Enabling any health check causes WARNING to be logged
  • Issue #2454 - Fix release archive
  • Issue #1479 - ziti edge list ... show paginated output but no suggestions on how to go to next page
  • Issue #1420 - ziti-cli comma+space causes unhelpful error
  • Issue #2207 - ziti edge login --token -- gets "username and password fields are required"
  • Issue #2444 - Change default semantic for policies created from the CLI from AllOf to AnyOf

• github.com/openziti/xweb/v2: v2.1.2 -> v2.1.3

  • Issue #2454 - Fix release archive
  • Issue #2429 - Controller configurations without default Edge API binding panics

• github.com/openziti/ziti: v1.1.12 -> v1.1.13

  • Issue #2427 - Add low overhead xgress protocol for DTLS links
  • Issue #2422 - Busy first hop links should backpressure to xgress senders
  • support using "*" in host.v1/host.v2 allowedAddresses