
Fix for: (#315) #316

Conversation

marvkis
Contributor

@marvkis marvkis commented Mar 9, 2025

Hi,
this is a fix for #315 😉

It separates the server certificates for the management api and the prometheus metrics.

I'm currently wondering:

  • Does the init container (ziti controller edge init) need to have access to the certificates?
  • Are the identity.[cert|key] options required / Is the client certificate required for the management api and prometheus metrics endpoints?

Bye,
Chris

@qrkourier
Member

I'm currently wondering:

  • Does the init container (ziti controller edge init) need to have access to the certificates?

Hi Chris, Thanks for another upstream contribution! No, init doesn't use the certs. However, with clustered mode there will be changes in this area of the chart since the controller must be running before initialization. For example, when bootstrapping a new cluster the first node will start without a default admin, then an IPC command will inject it during initialization.

  • Are the identity.[cert|key] options required / Is the client certificate required for the management api and prometheus metrics endpoints?

The conventional identity directive requires a client cert and key to be configured even if they are not currently used by the code path. It is not an error from Ziti's perspective to re-use the server cert and key in those properties, and my slight preference is to generate a client usage cert and separate key, mainly for consistency.

@qrkourier
Member

I'm a little apprehensive about complicating the web PKI with separate certs. I'll give it some thought. I've been working on two branches that both touch the PKI, and need to consider the implications there.

@qrkourier
Member

I didn't notice any barriers to adopting an approach like this, and will revisit this PR when I'm converging clustered controller changes in the v2 chart in the next couple of weeks: #314

@marvkis
Contributor Author

marvkis commented Mar 26, 2025

Hi @qrkourier, Thanks for the update.
I still have it in the back of my mind, and depending on how much free time I have, I may pick it up again. Or if you're faster, I'll be happy to test the new chart! The next two weeks will be very busy, so I don't think I'll find the time to work on it. Will take a look at 314 before picking it up again.

Successfully merging this pull request may close these issues.

controller chart 1.2.1 / ziti 1.4.3 not working when Prometheus is enabled