- Event changes
- Added AMQP event writter for events
- Add entity change events for auditing or external integration
- Add usage event filtering
- Add annotations to circuit events
- CLI additions for
ziti
to login with certificates or external-jwt-signers - NOTE: ziti edge login flag changes:
-c
flag has been changed to map to--client-cert
--cert
is now--ca
and has no short flag representation-e/--ext-jwt
allows a user to supply a file containing a jwt used with ext-jwt-signers to login-c/--client-cert
allows a certificate to be supplied to login (used with-k/--client-key
)-k/--client-key
allows a key to be supplied to login (used with-c/--client-cert
)
- Config type changes
- address fields in
intercept.v1
,host.v1
, andhost.v2
config types now permit hostnames with underscores.
- address fields in
- Edge Router/Tunneler now supports setting default UDP idle timeout/check interval
Previously events could only be emitted to a file. They can now also be emitted to an AMQP endpoint.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.circuits
handler:
type: amqp
format: json
url: "amqp://localhost:5672"
queue: ziti
durable: true //default:true
autoDelete: false //default:false
exclusive: false //default:false
noWait: false //default:false
OpenZiti can now be configured to emit entity change events. These events describe the changes when entities stored in the bbolt database are created, updated or deleted.
Note that events are emitted during the transaction. They are emitted at the end, so it's unlikely, but possible that an event will be emitted for a change which is rolled back. For this reason a following event will emitted when the change is committed. If a system crashes after commit, but before the committed event can be emitted, it will be emitted on the next startup.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: entityChange
include:
- services
- identities
handler:
type: file
format: json
path: /tmp/ziti-events.log
See the related issue for discussion: openziti/fabric#562
Example output:
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "created",
"timestamp": "2023-05-11T21:41:47.128588927-04:00",
"metadata": {
"author": {
"type": "identity",
"id": "ji2Rt8KJ4",
"name": "Default Admin"
},
"source": {
"type": "rest",
"auth": "edge",
"localAddr": "localhost:1280",
"remoteAddr": "127.0.0.1:37578",
"method": "POST"
},
"version": "v0.0.0"
},
"entityType": "services",
"isParentEvent": false,
"initialState": null,
"finalState": {
"id": "6S0bCGWb6yrAutXwSQaLiv",
"createdAt": "2023-05-12T01:41:47.128138887Z",
"updatedAt": "2023-05-12T01:41:47.128138887Z",
"tags": {},
"isSystem": false,
"name": "test",
"terminatorStrategy": "smartrouting",
"roleAttributes": [
"goodbye",
"hello"
],
"configs": null,
"encryptionRequired": true
}
}
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "committed",
"timestamp": "2023-05-11T21:41:47.129235443-04:00"
}
Usage events, version 3, can now be filtered based on type.
The valid types include:
- ingress.rx
- ingress.tx
- egress.rx
- egress.tx
- fabric.rx
- fabric.tx
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.usage
version: 3
include:
- ingress.rx
- egress.rx
Circuit events initiated from the edge are now annotated with clientId, hostId and serviceId, to match usage events. The client and host ids are identity ids.
Example output:
{
"namespace": "fabric.circuits",
"version": 2,
"event_type": "created",
"circuit_id": "0CEjWYiw6",
"timestamp": "2023-05-05T11:44:03.242399585-04:00",
"client_id": "clhaq7u7600o4ucgdpxy9i4t1",
"service_id": "QARLLTKjqfLZytmSsIqba",
"terminator_id": "7ddcd421-2b00-4b49-9ac0-8c78fe388c30",
"instance_id": "",
"creation_timespan": 1014280,
"path": {
"nodes": [
"U7OwPtfjg",
"a4rC9DrZ3"
],
"links": [
"7Ru3hoxsssZzUNOyvd8Jcb"
],
"ingress_id": "K9lD",
"egress_id": "rQLK",
"initiator_local_addr": "100.64.0.1:1234",
"initiator_remote_addr": "100.64.0.1:37640",
"terminator_local_addr": "127.0.0.1:45566",
"terminator_remote_addr": "127.0.0.1:1234"
},
"link_count": 1,
"path_cost": 392151,
"tags": {
"clientId": "U7OwPtfjg",
"hostId": "a4rC9DrZ3",
"serviceId": "QARLLTKjqfLZytmSsIqba"
}
}
The edge router tunneler now allows configuring a timeout and check interval for tproxy UDP intercepts. By default intercepted UDP connections will be closed after five minutes of no traffic, checking every thirty seconds. The configuration is done in the router config file, in the options for the tunnel module. Note that these configuration options only apply to tproxy intercepts, not to proxy or host side UDP connections.
Example configuration:
listeners:
- binding: tunnel
options:
mode: tproxy
udpIdleTimeout: 10s
udpCheckInterval: 5s
-
github.com/openziti/agent: v1.0.10 -> v1.0.13
-
github.com/openziti/channel/v2: v2.0.58 -> v2.0.78
- Issue #98 - Set default connect timeout to 5 seconds
-
github.com/openziti/edge: v0.24.239 -> v0.24.309
- Issue #1503 - Support configurable UDP idle timeout and check interval for tproxy in edge router tunneler
- Issue #1471 - UDP intercept connections report incorrect local/remote addresses, making confusing events
- Issue #629 - emit entity change events
- Issue #1295 - Ensure DB migrations work properly in a clustered setup (edge)
- Issue #1418 - Checks for session edge router availablility are inefficient
-
github.com/openziti/edge-api: v0.25.11 -> v0.25.24
-
github.com/openziti/fabric: v0.22.87 -> v0.23.29
- Issue #724 - Controller should be notified of forwarding faults on links
- Issue #725 - If reroute fails, circuit should be torn down
- Issue #706 - Fix panic in link close
- Issue #700 - Additional Health Checks exposed on Edge Router
- Issue #595 - Add include filtering for V3 usage metrics
- Issue #684 - Add tag annotations to circuit events, similar to usage events
- Issue #562 - Add entity change events
- Issue #677 - Rework raft startup
- Issue #582 - Ensure DB migrations work properly in a clustered setup (fabric)
- Issue #668 - Add network.Run watchdog, to warn if processing is delayed
-
github.com/openziti/foundation/v2: v2.0.21 -> v2.0.24
-
github.com/openziti/identity: v1.0.45 -> v1.0.54
-
github.com/openziti/runzmd: v1.0.20 -> v1.0.24
-
github.com/openziti/sdk-golang: v0.18.76 -> v0.20.51
- Issue #407 - Allowing filtering which edge router urls the sdk uses
- Issue #394 - SDK does not recover from API session expiration (during app/computer suspend)
-
github.com/openziti/storage: v0.1.49 -> v0.2.6
-
github.com/openziti/transport/v2: v2.0.72 -> v2.0.88
-
github.com/openziti/metrics: v1.2.19 -> v1.2.25
-
github.com/openziti/secretstream: v0.1.8 (new)
-
github.com/openziti/ziti: v0.27.9 -> v0.28.0
- Issue #1112 -
ziti pki create
creates CA's and intermediates w/ the same DN - Issue #1087 - re-enable CI in forks
- Issue #1013 - docker env password is renewed at each
docker-compose up
- Issue #1077 - Show auth-policy name on identity list instead of id
- Issue #1119 - intercept.v1 config should permit underscores in the address
- Issue #1123 - cannot update config types with ziti cli
- Issue #1112 -