Controller router charts #16
… quickstart guide to the main README.md
… on the quickstart docu
…o allow customized / predefined PVC's
… with other helm versions
Controller router charts signed
Hi @qrkourier, thanks for the comprehensive review & rework - you made the nomenclature / wording more clear for me!
@marvkis Ziti is so flexible with how its PKI can be configured. I'm leaning toward a default configuration with one root of trust like this:
Even then, we can leave the additional CA resources in place in case they want discrete PKI (separate root of trust) for the edge signer or XWeb identity or both. I still plan to add template conditional for I removed the StatefulSet resource because it appears superfluous until we implement controller HA. Did you see a particular need for it in the meantime?
@qrkourier I reproduced the CA structure from the quickstart guide. I also had the idea to strip it down for a minimal deployment. I just was happy it was working ;) AFAIK I had one point: I tried to use ECDSA key types quite everywhere. But at one point I had to change it to RSA as the tunneler on OSX refused to enroll with ECDSA... Didn't dig into it - but there might be a comment at the certificate request. The idea for alt_server_certs is really cool. Currently when we deploy a controller and a router in a cluster, the router enrolls communicating via the external name. When there is a way to specify an alternate server name (i.e. during creation of the JWT) we could make the entire communication 'internal'. Same story for an edge-tunneler deployed within the cluster. The StatefulSet was just for future HA usage, drop it!
5e61ae1 to 358feab
358feab to 2a246dd
39d4364 to 77d047a
…harts into controller-router-charts
Adopt and adapt Helm charts for controller, router, console from controller-router-charts by @marvkis