Merge pull request #2192 from openziti/release-next

Merge release-next to main for release v1.1.5

.github/workflows/main.yml

@@ -37,7 +37,7 @@ jobs:
     name: Build Mac OS binaries
     # allow fors to opt-out of time-consuming macOS builds
     if: vars.ZITI_SKIP_MACOS_BUILD != 'true'
-    runs-on: macos-11
+    runs-on: macos-latest
     steps:
       - name: Git Checkout
         uses: actions/checkout@v4

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
     name: Build Mac OS binaries
     # allow fors to opt-out of time-consuming macOS builds
     if: vars.ZITI_SKIP_MACOS_BUILD != 'true'
-    runs-on: macos-11
+    runs-on: macos-latest
     steps:
       - name: Git Checkout
         uses: actions/checkout@v4

CHANGELOG.md

@@ -1,3 +1,25 @@
+# Release 1.1.5
+
+## What's New
+
+* Bug fixes
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/channel/v2: [v2.0.133 -> v2.0.136](https://github.com/openziti/channel/compare/v2.0.133...v2.0.136)
+    * [Issue #132](https://github.com/openziti/channel/issues/132) - reconnecting dialer doesn't take local binding into account when reconnecting
+
+* github.com/openziti/identity: [v1.0.80 -> v1.0.81](https://github.com/openziti/identity/compare/v1.0.80...v1.0.81)
+* github.com/openziti/transport/v2: [v2.0.136 -> v2.0.138](https://github.com/openziti/transport/compare/v2.0.136...v2.0.138)
+    * [Issue #83](https://github.com/openziti/transport/issues/83) - tls.Dial should use proxy configuration if provided
+
+* github.com/openziti/xweb/v2: [v2.1.0 -> v2.1.1](https://github.com/openziti/xweb/compare/v2.1.0...v2.1.1)
+* github.com/openziti/ziti: [v1.1.4 -> v1.1.5](https://github.com/openziti/ziti/compare/v1.1.4...v1.1.5)
+    * [Issue #2173](https://github.com/openziti/ziti/issues/2173) - panic on HA peer connect
+    * [Issue #2171](https://github.com/openziti/ziti/issues/2171) - Routers should consider control channels unresponsive if they are not connected
+    * [Issue #2086](https://github.com/openziti/ziti/issues/2086) - Enable File Watching for Router/Controller Identities
+    * [Issue #2087](https://github.com/openziti/ziti/issues/2087) - Ext JWT not setting provider value in auth query
+
 # Release 1.1.4
 
 ## What's New

controller/config.go

@@ -169,6 +169,10 @@ func LoadConfig(path string) (*Config, error) {
 		return nil, fmt.Errorf("unable to load identity (%s)", err)
 	} else {
 		controllerConfig.Id = identity.NewIdentity(id)
+
+		if err := controllerConfig.Id.WatchFiles(); err != nil {
+			pfxlog.Logger().Warn("could not enable file watching on identity: %w", err)
+		}
 	}
 
 	if value, found := cfgmap["network"]; found {

controller/config/config.go

@@ -351,6 +351,10 @@ func (c *Config) loadEnrollmentSection(edgeConfigMap map[interface{}]interface{}
 
 			if c.Enrollment.SigningCert, err = identity.LoadIdentity(c.Enrollment.SigningCertConfig); err != nil {
 				return fmt.Errorf("error loading [edge.enrollment.signingCert]: %s", err)
+			} else {
+				if err := c.Enrollment.SigningCert.WatchFiles(); err != nil {
+					pfxlog.Logger().Warn("could not enable file watching on enrollment signing cert: %w", err)
+				}
 			}
 
 		} else {

controller/env/appenv.go

@@ -577,9 +577,11 @@ func NewAuthQueryZitiMfa() *rest_model.AuthQueryDetail {
 }
 
 func NewAuthQueryExtJwt(url string) *rest_model.AuthQueryDetail {
+	provider := rest_model.MfaProvidersURL
 	return &rest_model.AuthQueryDetail{
-		HTTPURL: url,
-		TypeID:  "EXT-JWT",
+		HTTPURL:  url,
+		TypeID:   "EXT-JWT",
+		Provider: &provider,
 	}
 }
 

controller/model/controller_manager.go

@@ -231,12 +231,14 @@ func (self *ControllerManager) PeersConnected(peers []*event.ClusterPeer) {
 	selfAsPeer := self.getCurrentAsClusterPeer()
 	peerFingerprints := ""
 	for _, peer := range peers {
-		fingerprint := nfpem.FingerprintFromCertificate(peer.ServerCert[0])
+		if len(peer.ServerCert) > 0 {
+			fingerprint := nfpem.FingerprintFromCertificate(peer.ServerCert[0])
 
-		if peerFingerprints == "" {
-			peerFingerprints = fingerprint
-		} else {
-			peerFingerprints = peerFingerprints + ", " + fingerprint
+			if peerFingerprints == "" {
+				peerFingerprints = fingerprint
+			} else {
+				peerFingerprints = peerFingerprints + ", " + fingerprint
+			}
 		}
 	}
 

controller/oidc_auth/storage.go

@@ -437,10 +437,12 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com
 		claims.CustomClaims.RemoteAddress = req.RemoteAddress
 		claims.AuthTime = oidc.Time(req.AuthTime.Unix())
 		claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR()
+		claims.ClientID = req.ClientID
 	case *RefreshTokenRequest:
 		claims.CustomClaims = req.CustomClaims
 		claims.AuthTime = req.AuthTime
 		claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR()
+		claims.ClientID = req.ClientID
 	case op.TokenExchangeRequest:
 		mapClaims := req.GetExchangeSubjectTokenClaims()
 		subjectClaims := &common.AccessClaims{}
@@ -470,6 +472,7 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com
 		}
 		claims.CustomClaims = subjectClaims.CustomClaims
 		claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR()
+		claims.ClientID = req.GetClientID()
 	}
 
 	claims.AccessTokenClaims.Scopes = request.GetScopes()

dist/dist-packages/linux/install.bash

@@ -99,27 +99,37 @@ installDebian(){
     chmod a+r /usr/share/keyrings/openziti.gpg
 
     local REPOSRC="deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/${ZITIPAX_DEB:-zitipax-openziti-deb-stable} debian main"
-
-    local REPOFILE="/etc/apt/sources.list.d/openziti-release.list"
-    if [ -s $REPOFILE ]; then
-        local EXISTINGSUM
-        local REPOSUM
-        EXISTINGSUM=$(checkSum < $REPOFILE)
-        REPOSUM=$(checkSum <<< "$REPOSRC")
-        if [ "$EXISTINGSUM" != "$REPOSUM" ]; then
-            mv -v $REPOFILE{,".$(date -Iseconds)"}
-            echo "$REPOSRC" > $REPOFILE
+    local ESCAPED_REPOSRC="${REPOSRC//\[/\\\[}"
+    ESCAPED_REPOSRC="${ESCAPED_REPOSRC//\]/\\\]}"
+
+    local REPODIR="/etc/apt/sources.list.d"
+    # add the repo source if it doesn't already exist
+    if ! grep -qEr "^${ESCAPED_REPOSRC}\$" $REPODIR; then
+        local REPOFILE="${REPODIR}/openziti-release.list"
+        if [ -s $REPOFILE ]; then
+            local EXISTINGSUM
+            local REPOSUM
+            EXISTINGSUM=$(checkSum < $REPOFILE)
+            REPOSUM=$(checkSum <<< "$REPOSRC")
+            if [ "$EXISTINGSUM" != "$REPOSUM" ]; then
+                mv -v $REPOFILE{,".$(date -Iseconds)"}
+                echo "$REPOSRC" > $REPOFILE
+
+            fi
+        else
+            echo "$REPOSRC" >| $REPOFILE
 
         fi
-    else
-        echo "$REPOSRC" >| $REPOFILE
-
     fi
 
     apt-get update
-    apt-get install --yes "$@"
+    # allow downgrades if any versions are pinned with '='
+    if [[ "${*}" =~ = ]]; then
+        ALLOW_DOWNGRADES='--allow-downgrades'
+    fi
+    apt-get install --yes "${ALLOW_DOWNGRADES:-}" "$@"
     for PKG in "$@"; do
-        apt-cache show "$PKG=$(dpkg-query -W -f='${Version}' $PKG)"
+        apt-cache show "${PKG%=*}=$(dpkg-query -W -f='${Version}' "${PKG%=*}")"
     done
 }
 

dist/dist-packages/linux/openziti-router/bootstrap.bash

@@ -12,10 +12,26 @@ function makeConfig() {
       echo "ERROR: ZITI_CTRL_ADVERTISED_ADDRESS is not set" >&2
       return 1
     fi
-    ziti create config router "${ZITI_ROUTER_TYPE}" \
-      --tunnelerMode "${ZITI_ROUTER_MODE}" \
-      --routerName "${ZITI_ROUTER_NAME}" \
-      --output "${ZITI_ROUTER_CONFIG_FILE}"
+
+    # build config command
+    command=("ziti create config router ${ZITI_ROUTER_TYPE}" \
+              "--routerName ${ZITI_ROUTER_NAME}" \
+              "--output ${ZITI_ROUTER_CONFIG_FILE}")
+
+    # mode flag not present in fabric command
+    if [[ "${ZITI_ROUTER_TYPE}" == edge ]]; then
+      command+=("--tunnelerMode ${ZITI_ROUTER_MODE}")
+    fi
+
+    # check if ZITI_ROUTER_LAN_INTERFACE is specified and add --lanInterface flag accordingly
+    if [[ -n "${ZITI_ROUTER_LAN_INTERFACE:-}" ]]; then
+      command+=("--lanInterface ${ZITI_ROUTER_LAN_INTERFACE}")
+    fi
+
+    # execute config command
+    # shellcheck disable=SC2068
+    ${command[@]}
+
   fi
 
 }

dist/docker-images/ziti-controller/Dockerfile

@@ -5,7 +5,7 @@ ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
 
 # dependabot bumps this version based on release to Hub
 # only amd64 is available because only static assets are copied, not executables
-FROM --platform=linux/amd64 openziti/ziti-console-assets:3.1.0 as ziti-console
+FROM --platform=linux/amd64 openziti/ziti-console-assets:3.2.2 AS ziti-console
 
 FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}
 

dist/docker-images/ziti-router/compose.yml

@@ -33,7 +33,7 @@ services:
       ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"; requires ZITI_BOOTSTRAP=true
       ZITI_BOOTSTRAP_ENROLLMENT: true  # enroll with controller if "true," overwrite if "force"; requires ZITI_BOOTSTRAP=true
       ZITI_AUTO_RENEW_CERTS: true      # renew certs every startup
-      ZITI_ROUTER_TYPE: edge           # edge, fabric
+      ZITI_ROUTER_TYPE: ${ZITI_ROUTER_TYPE:-edge}  # edge or fabric
     command: run config.yml
     ports:
       # ensure this port matches the value of ZITI_ROUTER_PORT in the container

go.mod

@@ -48,19 +48,19 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/natefinch/lumberjack v2.0.0+incompatible
 	github.com/openziti/agent v1.0.16
-	github.com/openziti/channel/v2 v2.0.133
+	github.com/openziti/channel/v2 v2.0.136
 	github.com/openziti/edge-api v0.26.20
 	github.com/openziti/foundation/v2 v2.0.47
-	github.com/openziti/identity v1.0.80
+	github.com/openziti/identity v1.0.81
 	github.com/openziti/jwks v1.0.3
 	github.com/openziti/metrics v1.2.56
 	github.com/openziti/runzmd v1.0.49
 	github.com/openziti/sdk-golang v0.23.38
 	github.com/openziti/secretstream v0.1.21
 	github.com/openziti/storage v0.2.45
-	github.com/openziti/transport/v2 v2.0.136
+	github.com/openziti/transport/v2 v2.0.138
 	github.com/openziti/x509-claims v1.0.3
-	github.com/openziti/xweb/v2 v2.1.0
+	github.com/openziti/xweb/v2 v2.1.1
 	github.com/openziti/ziti-db-explorer v1.1.3
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/pkg/errors v0.9.1
@@ -81,6 +81,7 @@ require (
 	go4.org v0.0.0-20180809161055-417644f6feb5
 	golang.org/x/crypto v0.24.0
 	golang.org/x/net v0.26.0
+	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.7.0
 	golang.org/x/sys v0.21.0
 	golang.org/x/text v0.16.0
@@ -97,7 +98,7 @@ require (
 	github.com/MichaelMure/go-term-markdown v0.1.4 // indirect
 	github.com/MichaelMure/go-term-text v0.3.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
-	github.com/andybalholm/brotli v1.0.6 // indirect
+	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -184,7 +185,6 @@ require (
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/image v0.13.0 // indirect
 	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/term v0.21.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -77,8 +77,8 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
-github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
+github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
@@ -566,16 +566,16 @@ github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mo
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/openziti/agent v1.0.16 h1:9Saji+8hFE1NpzP2XzDhsVJbCrDlhixoLHfOpFt5Z+U=
 github.com/openziti/agent v1.0.16/go.mod h1:zfm53+PVWoGFzjGGgQdKby5749G6VRYHe+eQJmoVKy4=
-github.com/openziti/channel/v2 v2.0.133 h1:/YuJnnmX6A1f+tdf33pi2c2GdzWYn7Sb4GP8S2zqXpI=
-github.com/openziti/channel/v2 v2.0.133/go.mod h1:D8MLoG3UHKtIGSwqk5GJi/y6IirNk5XaK8RW78nbOKc=
+github.com/openziti/channel/v2 v2.0.136 h1:XWjcNrPhto2XiD5HLhsh7GhmqfHEweQIJ/eUjtVKUJs=
+github.com/openziti/channel/v2 v2.0.136/go.mod h1:7jhk6JtJPP1O8aWYx+w2IuwCunFJ88Ot4AQcrKiX5og=
 github.com/openziti/dilithium v0.3.3 h1:PLgQ6PMNLSTzCFbX/h98cmudgz/cU6TmjdSv5NAPD8k=
 github.com/openziti/dilithium v0.3.3/go.mod h1:vsCjI2AU/hon9e+dLhUFbCNGesJDj2ASgkySOcpmvjo=
 github.com/openziti/edge-api v0.26.20 h1:r/61qDzU475mTXjZV/t3oGNN5szndzAR4OyhKjXb2jk=
 github.com/openziti/edge-api v0.26.20/go.mod h1:BQryKiWKvoVn4sZEjVToSW/2tL+M1ylSWsNzRKUfl9Q=
 github.com/openziti/foundation/v2 v2.0.47 h1:f2LM6FQOhHXJ9QMTpr4GAKq8qXspNG3EGczMjjyz7uc=
 github.com/openziti/foundation/v2 v2.0.47/go.mod h1:pj5nPmVtAdF1QX+aRtALw69hxcsAzrWDpBUe+Zrc73Q=
-github.com/openziti/identity v1.0.80 h1:3yzSLw4bSettFmi74nAywuZxPsb9siDQjhmsql/qzNU=
-github.com/openziti/identity v1.0.80/go.mod h1:/UKDen2MOw2Kjs0WuKiBloIT2bPrV0jxLAo8eyVy0ic=
+github.com/openziti/identity v1.0.81 h1:zeS+sCxsfIbNAvlLHqM+74BcCPitW4Vpmarlrcun6hw=
+github.com/openziti/identity v1.0.81/go.mod h1:/UKDen2MOw2Kjs0WuKiBloIT2bPrV0jxLAo8eyVy0ic=
 github.com/openziti/jwks v1.0.3 h1:hf8wkb+Cg4nH/HM0KROFd7u+C3DkRVcFZJ7tDV+4icc=
 github.com/openziti/jwks v1.0.3/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
 github.com/openziti/metrics v1.2.56 h1:sOX5SCdK2Kx2vci+2PWIXDedbyRDUWylM3xJmmISiUs=
@@ -588,12 +588,12 @@ github.com/openziti/secretstream v0.1.21 h1:r4xN8/CzSEvxZFFYGSztrlhMtIvk3B+SQcq2
 github.com/openziti/secretstream v0.1.21/go.mod h1:1lfAnS8gBHsKZiPbRRK1sularbAsqizN6tWUEuZSfo0=
 github.com/openziti/storage v0.2.45 h1:rCvQzWmGSmx6Ir2zUFO8H48klONGwZQfwFrfrEJuq9k=
 github.com/openziti/storage v0.2.45/go.mod h1:v6KddQOjkQmKHnC7hIgFtcm4tdA8l8DbxYHQOIbRWa8=
-github.com/openziti/transport/v2 v2.0.136 h1:FkF9DZx/kU9PPHKpz6mpxEqru0JOyCr8JfRReqDHfmk=
-github.com/openziti/transport/v2 v2.0.136/go.mod h1:hnu2HvfQ3t7XvA3F9EfdHMGupFQrP38BtbRO7RHr8tA=
+github.com/openziti/transport/v2 v2.0.138 h1:F7TUv34BZ6x2BetYLtYbxSU/G15B+vkGRU4uPKwvRvU=
+github.com/openziti/transport/v2 v2.0.138/go.mod h1:v0PN1dhFP48HeUUeBq9n/Ql2u5ln8EOtPBA3KkzD2GI=
 github.com/openziti/x509-claims v1.0.3 h1:HNdQ8Nf1agB3lBs1gahcO6zfkeS4S5xoQ2/PkY4HRX0=
 github.com/openziti/x509-claims v1.0.3/go.mod h1:Z0WIpBm6c4ecrpRKrou6Gk2wrLWxJO/+tuUwKh8VewE=
-github.com/openziti/xweb/v2 v2.1.0 h1:Xhh3C2pZkq/Prr65V+SfFSibLDYteoc4f62KQCcTZF4=
-github.com/openziti/xweb/v2 v2.1.0/go.mod h1:wPkjm5y45RYCV8AafjcAXP/ZM4DBOofXhRwSGgjF8w8=
+github.com/openziti/xweb/v2 v2.1.1 h1:T6vbmG2189WWwq16wryM7RQEbT5wNARrVHNQs23jEPE=
+github.com/openziti/xweb/v2 v2.1.1/go.mod h1:d9+vBsVCONyb3GCrJPHb2+GfTJ4MMIu0i6S71uE3WHc=
 github.com/openziti/ziti-db-explorer v1.1.3 h1:9JER16MJzagtYPdGEhgDcw2p/BXNCVbf9IgA/sMB52w=
 github.com/openziti/ziti-db-explorer v1.1.3/go.mod h1:pMIMNJoTRSTbkO2e7cZWiBokA3jMdeiGAILP3QhU+v8=
 github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c=

quickstart/kubernetes/miniziti.bash

@@ -223,7 +223,6 @@ installHosts() {
     hosts=(
         "miniziti-controller.$MINIZITI_INGRESS_ZONE"
         "miniziti-router.$MINIZITI_INGRESS_ZONE"
-        "miniziti-console.$MINIZITI_INGRESS_ZONE"
     )
 
     hosts_line="$MINIKUBE_NODE_EXTERNAL ${hosts[*]}"
@@ -288,7 +287,7 @@ minizitiLogin() {
 
 minizitiConsole() {
     ingress_zone="$(getIngressZone)"
-    console_url="https://miniziti-console.$ingress_zone"
+    console_url="https://miniziti-controller.${ingress_zone}/zac/"
     case "$DETECTED_OS" in
         "Windows")
             checkCommand wslview
@@ -370,7 +369,7 @@ getPodStatus() {
 }
 
 showStatus() {
-    COMPONENTS=("ziti-controller" "ziti-router" "ziti-console")
+    COMPONENTS=("ziti-controller" "ziti-router")
     for component in "${COMPONENTS[@]}"; do
         status="$(getPodStatus "$component")"
         if [[ -z "$status" ]]; then
@@ -982,27 +981,6 @@ EOF
         exit 1
     fi
 
-    #
-    ## Ensure OpenZiti Console is Configured and Ready
-    #
-
-    logDebug "installing console chart as 'ziti-console'"
-    (( ZITI_CHARTS_ALT )) && {
-        logDebug "building ${ZITI_CHARTS_REF}/ziti-console Helm Chart dependencies"
-        helmWrapper dependency build "${ZITI_CHARTS_REF}/ziti-console" >&3
-    }
-    helmWrapper upgrade --install "ziti-console" "${ZITI_CHARTS_REF}/ziti-console" \
-        --namespace "${ZITI_NAMESPACE}" \
-        --set ingress.advertisedHost="miniziti-console.${MINIZITI_INGRESS_ZONE}" \
-        --set "settings.edgeControllers[0].url=https://ziti-controller-client.${ZITI_NAMESPACE}.svc:443" \
-        --values "${ZITI_CHARTS_URL}/ziti-console/values-ingress-nginx.yaml" >&3
-
-    logInfo "waiting for ziti-console to be ready"
-    kubectlWrapper wait deployments "ziti-console" \
-        --namespace "${ZITI_NAMESPACE}" \
-        --for condition=Available=True \
-        --timeout "${MINIZITI_TIMEOUT_SECS}s" >&3
-
     logDebug "setting default namespace to '${ZITI_NAMESPACE}' in kubeconfig context '${MINIKUBE_PROFILE}'"
         kubectlWrapper config set-context "${MINIKUBE_PROFILE}" \
             --namespace "${ZITI_NAMESPACE}" >&3
@@ -1118,7 +1096,7 @@ EOF
     fi
 
     echo -e "\n\n"
-    logInfo "Your OpenZiti Console is here: https://miniziti-console.${MINIZITI_INGRESS_ZONE}"
+    logInfo "Your OpenZiti Console is here: https://miniziti-controller.${MINIZITI_INGRESS_ZONE}/zac/"
     showAdminCreds
     echo -e "\n\n"
 

router/config.go

@@ -410,6 +410,10 @@ func LoadConfig(path string) (*Config, error) {
 		return nil, fmt.Errorf("unable to load identity (%w)", err)
 	} else {
 		cfg.Id = identity.NewIdentity(id)
+
+		if err := cfg.Id.WatchFiles(); err != nil {
+			pfxlog.Logger().Warn("could not enable file watching on identity: %w", err)
+		}
 	}
 
 	if value, found := cfgmap[PathMapKey]; found {