add chart for browZer bootstrapper #229

Open
qrkourier opened this issue Jun 24, 2024 · 1 comment · May be fixed by #230

@qrkourier
Member

Add a Helm chart for deploying the bootstrapper on Kubernetes.

The browZer bootstrapper is a web server that facilitates OIDC and delivers the Ziti BrowZer (JavaScript) Runtime (ZBR), which functions as an in-browser, agentless OpenZiti tunneling client.

@marvkis
Contributor

marvkis commented Jul 7, 2024

Hi,

Since this is something like the 'main' issue for Browzer support, I'd like to give a summary of the PRs I've provided and how to get Browzer to work in a Kubernetes setup.

Browzer interacts with three components: The Browzer bootstrapper, the Ziti-Controller and Ziti-Router.
All three components need to be accessible from the client browser - so we need to make them accessible through trusted certificates.

I've put the Helm charts in a 'works for me' state on my GitHub Pages, accessible via https://marvkis.github.io/charts. These are samples of how to use them. The URLs are:
Controller: clients.browzer.my.domain
Edge: wss.browzer.my.domain
Browzer-App: test1.browzer.my.domain

  • The ingress rule for the controller (currently manual)

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: ziti-controller-ingress-alt-client
  namespace: openziti
spec:
  ingressClassName: nginx
  rules:
  - host: clients.browzer.my.domain
    http:
      paths:
      - backend:
          service:
            name: ziti-controller-client
            port:
              number: 443
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - clients.browzer.my.domain
    secretName: default-nginx-cert
```

  • The router configuration for the router needs to be extended with these values. Use `helm upgrade --install --repo https://marvkis.github.io/charts --version 1.0.7 ziti-router ziti-router` to use the chart with websocket support.

```yaml
additionalVolumes:
  - mountPath: /etc/ziti/wss-cert/
    name: wss-cert
    secretName: nginx-default-cert
    volumeType: secret
edge:
  additionalListeners:
    - advertisedHost: wss.browzer.my.domain
      advertisedPort: 443
      containerPort: 3023
      ingress:
        annotations:
          kubernetes.io/ingress.allow-http: "false"
          nginx.ingress.kubernetes.io/secure-backends: "true"
          nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        enabled: true
        ingressClassName: public
      name: edge-wss
      protocol: wss
      service:
        enabled: true
        type: ClusterIP
identity:
  altServerCerts:
    - mode: localFile
      serverCert: /etc/ziti/wss-cert/tls.crt
      serverKey: /etc/ziti/wss-cert/tls.key
websocket:
  enabled: true
```

  • Browzer itself can be installed using Helm by following this example:

```bash
cat <<EOF | helm upgrade --install --repo https://marvkis.github.io/charts -n openziti ziti-browzer-1 ziti-browzer-bootstrapper  --version 0.0.1 -f -
zitiBrowzer:
  bootstrapper:
    logLevel: debug
    host: browzer.my.domain
    targets:
      - vhost: test1.browzer.my.domain
        # Service name to connect to
        service: browzer-test1-service
        path: /
        scheme: http
        idp_issuer_base_url: https://auth.my.domain/application/o/browzer-test-1/
        idp_client_id: your-client_id
  runtime:
    logLevel: debug
    # see https://openziti.discourse.group/t/browzer-setup-error-1014-origintrial-subdomain-mismatch/2481
    originTrailToken: ...
  controller:
    host: clients.browzer.my.domain
    port: 443
  loadBalancer:
    host: my.domain

ingress:
  ingressClassName: nginx

# This is a workaround for https://github.com/openziti/ziti-browzer-bootstrapper/issues/279
extraVolumeMounts:
- name: tmp
  subPath: log
  mountPath: /home/node/ziti-browzer-bootstrapper/log
extraVolumes:
- name: tmp
  emptyDir: {}
EOF
```

I hope this helps people like me to get Browzer working on Kubernetes. Have fun ;)

Bye,
Chris
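
A pre-deploy consistency check for the router values in the comment above, as an added example that is not part of the original comment or of the chart. It assumes the values layout exactly as posted; `lint_router_values`, `PASSTHROUGH` and the `ROUTER_VALUES` dict are names constructed here for illustration.

```python
from pathlib import PurePosixPath

PASSTHROUGH = "nginx.ingress.kubernetes.io/ssl-passthrough"

# Constructed sample: the router values from the comment, as a Python dict.
ROUTER_VALUES = {
    "additionalVolumes": [{
        "mountPath": "/etc/ziti/wss-cert/", "name": "wss-cert",
        "secretName": "nginx-default-cert", "volumeType": "secret"}],
    "edge": {"additionalListeners": [{
        "name": "edge-wss", "protocol": "wss",
        "advertisedHost": "wss.browzer.my.domain", "advertisedPort": 443,
        "ingress": {"enabled": True, "annotations": {PASSTHROUGH: "true"}}}]},
    "identity": {"altServerCerts": [{
        "mode": "localFile",
        "serverCert": "/etc/ziti/wss-cert/tls.crt",
        "serverKey": "/etc/ziti/wss-cert/tls.key"}]},
    "websocket": {"enabled": True},
}


def lint_router_values(values):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Secret volumes are the only place the alternate cert and key can come from.
    mounts = [PurePosixPath(v["mountPath"])
              for v in values.get("additionalVolumes", [])
              if v.get("volumeType") == "secret"]
    certs = values.get("identity", {}).get("altServerCerts", [])
    for cert in certs:
        for key in ("serverCert", "serverKey"):
            path = PurePosixPath(cert.get(key, ""))
            if not any(m in path.parents for m in mounts):
                findings.append(f"{key} {path} is not under a mounted secret volume")
    listeners = values.get("edge", {}).get("additionalListeners", [])
    wss = [l for l in listeners if l.get("protocol") == "wss"]
    if wss and not values.get("websocket", {}).get("enabled"):
        findings.append("wss listener defined but websocket.enabled is not true")
    if wss and not certs:
        # With TLS passthrough the router, not the ingress, presents the cert.
        findings.append("wss listener defined but identity.altServerCerts is empty")
    for l in wss:
        annotations = l.get("ingress", {}).get("annotations", {})
        if annotations.get(PASSTHROUGH) != "true":
            findings.append(f"listener {l.get('name')}: TLS is not passed through")
    return findings


if __name__ == "__main__":
    print(lint_router_values(ROUTER_VALUES) or "router values are consistent")
```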
