Merge pull request #2231 from openziti/release-next

Merge code for 1.1.6 to main

.github/workflows/main.yml

@@ -120,8 +120,6 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get -yq install gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf gcc-aarch64-linux-gnu
-          $(go env GOPATH)/bin/ziti-ci configure-git
-          $(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
           go install github.com/mitchellh/gox@latest
           $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
           CC=arm-linux-gnueabihf-gcc $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...

.github/workflows/publish-docker-images.yml

@@ -60,7 +60,7 @@ jobs:
       # arch that was downloaded in ./release/, hence the need to specify the
       # Dockerfile and DOCKER_BUILD_DIR
       - name: Build & Push Multi-Platform CLI Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -87,7 +87,7 @@ jobs:
       # ZITI_CLI_TAG env var so it can build from the versioned image that
       # we pushed in the prior step.
       - name: Build & Push Multi-Platform Controller Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -112,7 +112,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Router Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/
@@ -142,7 +142,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Go Tunneler Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/dist/docker-images/ziti-tunnel/

.github/workflows/release-quickstart.yml

@@ -120,7 +120,7 @@ jobs:
           echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Quickstart Container Image to Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ${{ github.workspace }}/quickstart/docker/image

CHANGELOG.md

@@ -1,3 +1,88 @@
+# Release 1.1.6
+
+## What's New
+
+* Trust Domain Configuration
+* Controller HA Beta 2
+
+## Trust Domain Configuration
+
+OpenZiti controllers from this release forward will now require a `trust domain` to be configured. 
+High Availability (HA) controllers already have this requirement. HA Controllers configure their trust domain via SPIFFE 
+ids that are embedded in x509 certificates.
+
+For feature parity, non-HA controllers will now have this same requirement. However, as re-issuing certificates is not
+always easily done. To help with the transition, non-HA controllers will have the ability to have their trust domain
+sourced from the controller configuration file through the root configuration value `trustDomain`. The configuration
+field which takes a string that must be URI hostname compatible (see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md).
+If this value is not defined, a trust domain will be generated from the root CA certificate of the controller. 
+
+For networks that will be deployed after this change, it is highly suggested that a SPIFFE id is added to certificates.
+The `ziti pki create ...` tooling supports the `--spiffe-id` option to help handle this scenario.
+
+### Generated Trust Domain Log Messages
+
+The following log messages are examples of warnings produced when a controller is using a generated trust domain:
+
+```
+WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925], 
+  it is recommended that a trust domain is specified in configuration via URI SANs or the 'trustDomain' field
+
+WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925], 
+  it is recommended that if network components have enrolled that the generated trust domain be added to the 
+  configuration field 'additionalTrustDomains'
+```
+
+### Trust domain resolution:
+
+- Non-HA controllers
+  - Prefers SPIFFE ids in x509 certificate URI SANs, looking at the leaf up the signing chain
+  - Regresses to `trustDomain` in the controller configuration file if not found
+  - Regress to generating a trust domain from the server certificates root CA, if the above do not resolve
+
+- HA Controllers
+  - Requires x509 SPIFFE ids in x509 certificate URI SANs
+
+### Additional Trust Domains
+
+When moving between trust domains (i.e. from the default generated to a new named one), the controller supports having
+other trust domains. The trust domains do not replace certificate chain validation, which is still checked and enforced.
+
+Additional trust domains are configured in the controller configuration file under the root field 
+`additionalTrustDomains`. This field is an array of hostname safe strings.
+
+The most common use case for this is field is if a network has issued certificates using the generated trust domain and 
+now wants to transition to a explicitly defined one.
+
+## Controller HA Beta 2
+
+This release can be run in HA mode. The code is still beta, as we're still finding and fixing bugs. Several bugs
+have been fixed since Beta 1 and c-based SDKs and tunnelers now work in HA mode. The smoketest can now be run
+with HA controllers and clients.
+
+* Latest ZET release supporting HA control: https://github.com/openziti/ziti-tunnel-sdk-c/releases/tag/v2.0.0-alpha9
+* Windows, Mac and Mobile clients are in the process of being updated
+
+For more information:
+
+* HA overview/getting started/migration: [HA Documentation](https://github.com/openziti/ziti/tree/release-next/doc/ha)
+* Open Issues: [HA Project Board](https://github.com/orgs/openziti/projects/9/views/1)
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/storage: [v0.2.45 -> v0.2.46](https://github.com/openziti/storage/compare/v0.2.45...v0.2.46)
+    * [Issue #76](https://github.com/openziti/storage/issues/76) - Add support for non-boltz symbols to the the boltz stores
+
+* github.com/openziti/ziti: [v1.1.5 -> v1.1.6](https://github.com/openziti/ziti/compare/v1.1.5...v1.1.6)
+    * [Issue #2171](https://github.com/openziti/ziti/issues/2171) - Routers should consider control channels unresponsive if they are not connected
+    * [Issue #2219](https://github.com/openziti/ziti/issues/2219) - Add inspection for router connections
+    * [Issue #2195](https://github.com/openziti/ziti/issues/2195) - cached data model file set to
+    * [Issue #2222](https://github.com/openziti/ziti/issues/2222) - Add way to get read-only status from cluster nodes
+    * [Issue #2191](https://github.com/openziti/ziti/issues/2191) - Change raft list cluster members element name from values to data to match rest of REST api
+    * [Issue #785](https://github.com/openziti/ziti/issues/785) - ziti edge update service-policy to empty/no posture checks fails
+    * [Issue #2205](https://github.com/openziti/ziti/issues/2205) - Merge fabric and edge model code
+    * [Issue #2165](https://github.com/openziti/ziti/issues/2165) - Add network id
+
 # Release 1.1.5
 
 ## What's New
@@ -24,8 +109,8 @@
 
 ## What's New
 
-* Bug fixes
 * Controller HA Beta 1
+* Bug fixes
 
 ## Controller HA Beta 1
 
@@ -38,7 +123,7 @@ with HA controllers and clients.
 
 For more information:
 
-* HA overview/getting started/migration: [HA Documementation](https://github.com/openziti/ziti/tree/release-next/doc/ha)
+* HA overview/getting started/migration: [HA Documentation](https://github.com/openziti/ziti/tree/release-next/doc/ha)
 * Open Issues: [HA Project Board](https://github.com/orgs/openziti/projects/9/views/1)
 
 ## Component Updates and Bug Fixes 

controller/network/cmap_iterator.go → common/datastructures/cmap_iterator.go

@@ -14,7 +14,7 @@
 	limitations under the License.
 */
 
-package network
+package datastructures
 
 import (
 	"github.com/openziti/storage/objectz"

common/inspect/controller_inspections.go

@@ -0,0 +1,31 @@
+/*
+	Copyright NetFoundry Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+	https://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+package inspect
+
+type ControllerInspectDetails struct {
+	Controllers map[string]*ControllerInspectDetail `json:"controllers"`
+}
+
+type ControllerInspectDetail struct {
+	ControllerId         string `json:"controllerId"`
+	IsConnected          bool   `json:"connected"`
+	IsResponsive         bool   `json:"responsive"`
+	Address              string `json:"address"`
+	Latency              string `json:"latency"`
+	Version              string `json:"version"`
+	TimeSinceLastContact string `json:"timeSinceLastContact"`
+}

controller/api_impl/circuit_api_model.go

@@ -18,6 +18,7 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 
 	"github.com/openziti/ziti/controller/rest_model"
@@ -44,7 +45,7 @@ func (factory *CircuitLinkFactoryIml) Links(entity LinkEntity) rest_model.Links
 	return links
 }
 
-func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *network.Circuit) (*rest_model.CircuitDetail, error) {
+func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *model.Circuit) (*rest_model.CircuitDetail, error) {
 	path := &rest_model.Path{}
 	for _, node := range circuit.Path.Nodes {
 		path.Nodes = append(path.Nodes, ToEntityRef(node.Name, node, RouterLinkFactory))
@@ -54,7 +55,7 @@ func MapCircuitToRestModel(n *network.Network, _ api.RequestContext, circuit *ne
 	}
 
 	var svcEntityRef *rest_model.EntityRef
-	if svc, _ := n.Services.Read(circuit.ServiceId); svc != nil {
+	if svc, _ := n.Service.Read(circuit.ServiceId); svc != nil {
 		svcEntityRef = ToEntityRef(svc.Name, svc, ServiceLinkFactory)
 	} else {
 		svcEntityRef = ToEntityRef("<deleted>", deletedEntity(circuit.ServiceId), ServiceLinkFactory)

controller/api_impl/inspections_router.go

@@ -18,12 +18,12 @@ package api_impl
 
 import (
 	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/foundation/v2/stringz"
 	"github.com/openziti/ziti/controller/api"
 	"github.com/openziti/ziti/controller/network"
 	"github.com/openziti/ziti/controller/rest_model"
 	"github.com/openziti/ziti/controller/rest_server/operations"
 	"github.com/openziti/ziti/controller/rest_server/operations/inspect"
-	"github.com/openziti/foundation/v2/stringz"
 	"net/http"
 )
 
@@ -49,7 +49,7 @@ func (r *InspectRouter) Register(fabricApi *operations.ZitiFabricAPI, wrapper Re
 }
 
 func (r *InspectRouter) Inspect(n *network.Network, rc api.RequestContext, request *rest_model.InspectRequest) {
-	result := n.Managers.Inspections.Inspect(stringz.OrEmpty(request.AppRegex), request.RequestedValues)
+	result := n.Inspections.Inspect(stringz.OrEmpty(request.AppRegex), request.RequestedValues)
 	resp := MapInspectResultToRestModel(n, result)
 	rc.Respond(resp, http.StatusOK)
 }

controller/api_impl/link_api_model.go

@@ -18,6 +18,7 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 	"github.com/openziti/ziti/controller/rest_model"
 )
@@ -41,7 +42,7 @@ func (factory *LinkLinkFactoryIml) Links(entity LinkEntity) rest_model.Links {
 	return links
 }
 
-func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *network.Link) (*rest_model.LinkDetail, error) {
+func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *model.Link) (*rest_model.LinkDetail, error) {
 	iteration := int64(link.Iteration)
 	staticCost := int64(link.StaticCost)
 	linkStateStr := link.CurrentState().Mode.String()
@@ -51,7 +52,7 @@ func MapLinkToRestModel(n *network.Network, _ api.RequestContext, link *network.
 	destRouter := link.GetDest()
 	if destRouter == nil {
 		var err error
-		destRouter, err = n.Routers.Read(link.DstId)
+		destRouter, err = n.Router.Read(link.DstId)
 		if err != nil {
 			return nil, err
 		}

controller/api_impl/raft_router.go

@@ -89,6 +89,7 @@ func (r *RaftRouter) listMembers(n *network.Network, rc api.RequestContext) {
 		if err != nil {
 			rc.Respond(rest_model.RaftMemberListResponse{}, http.StatusInternalServerError)
 		}
+		readOnly := raftController.Mesh.IsReadOnly()
 		for _, member := range members {
 			vals = append(vals, &rest_model.RaftMemberListValue{
 				Address:   &member.Addr,
@@ -97,11 +98,12 @@ func (r *RaftRouter) listMembers(n *network.Network, rc api.RequestContext) {
 				Leader:    &member.Leader,
 				Version:   &member.Version,
 				Voter:     &member.Voter,
+				ReadOnly:  &readOnly,
 			})
 		}
 
 		rc.Respond(rest_model.RaftMemberListResponse{
-			Values: vals,
+			Data: vals,
 		}, http.StatusOK)
 
 	} else {

controller/api_impl/router_api_model.go

@@ -18,12 +18,13 @@ package api_impl
 
 import (
 	"github.com/openziti/ziti/controller/api"
+	"github.com/openziti/ziti/controller/model"
 	"github.com/openziti/ziti/controller/network"
 
 	"github.com/openziti/ziti/controller/rest_model"
 
-	"github.com/openziti/ziti/controller/models"
 	"github.com/openziti/foundation/v2/stringz"
+	"github.com/openziti/ziti/controller/models"
 )
 
 const EntityNameRouter = "routers"
@@ -46,8 +47,8 @@ func (factory *RouterLinkFactoryIml) Links(entity LinkEntity) rest_model.Links {
 	return links
 }
 
-func MapCreateRouterToModel(router *rest_model.RouterCreate) *network.Router {
-	ret := &network.Router{
+func MapCreateRouterToModel(router *rest_model.RouterCreate) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Id:   stringz.OrEmpty(router.ID),
 			Tags: TagsOrDefault(router.Tags),
@@ -62,8 +63,8 @@ func MapCreateRouterToModel(router *rest_model.RouterCreate) *network.Router {
 	return ret
 }
 
-func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *network.Router {
-	ret := &network.Router{
+func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Tags: TagsOrDefault(router.Tags),
 			Id:   id,
@@ -78,8 +79,8 @@ func MapUpdateRouterToModel(id string, router *rest_model.RouterUpdate) *network
 	return ret
 }
 
-func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *network.Router {
-	ret := &network.Router{
+func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *model.Router {
+	ret := &model.Router{
 		BaseEntity: models.BaseEntity{
 			Tags: TagsOrDefault(router.Tags),
 			Id:   id,
@@ -96,7 +97,7 @@ func MapPatchRouterToModel(id string, router *rest_model.RouterPatch) *network.R
 
 type RouterModelMapper struct{}
 
-func (RouterModelMapper) ToApi(n *network.Network, _ api.RequestContext, router *network.Router) (interface{}, error) {
+func (RouterModelMapper) ToApi(n *network.Network, _ api.RequestContext, router *model.Router) (interface{}, error) {
 	connected := n.GetConnectedRouter(router.Id)
 	var restVersionInfo *rest_model.VersionInfo
 	if connected != nil && connected.VersionInfo != nil {