What's New
* Event changes
* Added AMQP event writter for events
* Add entity change events for auditing or external integration
* Add usage event filtering
* Add annotations to circuit events
* CLI additions for `ziti` to login with certificates or external-jwt-signers
* NOTE: ziti edge login flag changes:
* `-c` flag has been changed to map to `--client-cert`
* `--cert` is now `--ca` and has no short flag representation
* `-e/--ext-jwt` allows a user to supply a file containing a jwt used with ext-jwt-signers to login
* `-c/--client-cert` allows a certificate to be supplied to login (used with `-k/--client-key`)
* `-k/--client-key` allows a key to be supplied to login (used with `-c/--client-cert`)
* Config type changes
* address fields in `intercept.v1`, `host.v1`, and `host.v2` config types now permit hostnames with underscores.
* Edge Router/Tunneler now supports setting default UDP idle timeout/check interval
Event Changes
AMQP Event Writer
Previously events could only be emitted to a file. They can now also be emitted to an AMQP endpoint.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.circuits
handler:
type: amqp
format: json
url: "amqp://localhost:5672"
queue: ziti
durable: true //default:true
autoDelete: false //default:false
exclusive: false //default:false
noWait: false //default:false
Entity Change Events
OpenZiti can now be configured to emit entity change events. These events describe the changes when entities stored in the
bbolt database are created, updated or deleted.
Note that events are emitted during the transaction. They are emitted at the end, so it's unlikely, but possible that an event will be emitted for a change which is rolled back. For this reason a following event will emitted when the change is committed. If a system crashes after commit, but before the committed event can be emitted, it will be emitted on the next startup.
Example configuration:
events:
jsonLogger:
subscriptions:
- type: entityChange
include:
- services
- identities
handler:
type: file
format: json
path: /tmp/ziti-events.log
See the related issue for discussion: https://github.com/openziti/fabric/issues/562
Example output:
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "created",
"timestamp": "2023-05-11T21:41:47.128588927-04:00",
"metadata": {
"author": {
"type": "identity",
"id": "ji2Rt8KJ4",
"name": "Default Admin"
},
"source": {
"type": "rest",
"auth": "edge",
"localAddr": "localhost:1280",
"remoteAddr": "127.0.0.1:37578",
"method": "POST"
},
"version": "v0.0.0"
},
"entityType": "services",
"isParentEvent": false,
"initialState": null,
"finalState": {
"id": "6S0bCGWb6yrAutXwSQaLiv",
"createdAt": "2023-05-12T01:41:47.128138887Z",
"updatedAt": "2023-05-12T01:41:47.128138887Z",
"tags": {},
"isSystem": false,
"name": "test",
"terminatorStrategy": "smartrouting",
"roleAttributes": [
"goodbye",
"hello"
],
"configs": null,
"encryptionRequired": true
}
}
{
"namespace": "entityChange",
"eventId": "326faf6c-8123-42ae-9ed8-6fd9560eb567",
"eventType": "committed",
"timestamp": "2023-05-11T21:41:47.129235443-04:00"
}
Usage Event Filtering
Usage events, version 3, can now be filtered based on type.
The valid types include:
* ingress.rx
* ingress.tx
* egress.rx
* egress.tx
* fabric.rx
* fabric.tx
Example configuration:
events:
jsonLogger:
subscriptions:
- type: fabric.usage
version: 3
include:
- ingress.rx
- egress.rx
Circuit Event Annotations
Circuit events initiated from the edge are now annotated with clientId, hostId and serviceId, to match usage events. The client and host ids are identity ids.
Example output:
{
"namespace": "fabric.circuits",
"version": 2,
"event_type": "created",
"circuit_id": "0CEjWYiw6",
"timestamp": "2023-05-05T11:44:03.242399585-04:00",
"client_id": "clhaq7u7600o4ucgdpxy9i4t1",
"service_id": "QARLLTKjqfLZytmSsIqba",
"terminator_id": "7ddcd421-2b00-4b49-9ac0-8c78fe388c30",
"instance_id": "",
"creation_timespan": 1014280,
"path": {
"nodes": [
"U7OwPtfjg",
"a4rC9DrZ3"
],
"links": [
"7Ru3hoxsssZzUNOyvd8Jcb"
],
"ingress_id": "K9lD",
"egress_id": "rQLK",
"initiator_local_addr": "100.64.0.1:1234",
"initiator_remote_addr": "100.64.0.1:37640",
"terminator_local_addr": "127.0.0.1:45566",
"terminator_remote_addr": "127.0.0.1:1234"
},
"link_count": 1,
"path_cost": 392151,
"tags": {
"clientId": "U7OwPtfjg",
"hostId": "a4rC9DrZ3",
"serviceId": "QARLLTKjqfLZytmSsIqba"
}
}
ER/T UDP Settings
The edge router tunneler now allows configuring a timeout and check interval for tproxy UDP intercepts. By default intercepted UDP
connections will be closed after five minutes of no traffic, checking every thirty seconds. The configuration is done in the router
config file, in the options for the tunnel module. Note that these configuration options only apply to tproxy intercepts, not to
proxy or host side UDP connections.
Example configuration:
yaml
listeners:
- binding: tunnel
options:
mode: tproxy
udpIdleTimeout: 10s
udpCheckInterval: 5s
Component Updates and Bug Fixes
* github.com/openziti/agent: [v1.0.10 -> v1.0.13](https://github.com/openziti/agent/compare/v1.0.10...v1.0.13)
* github.com/openziti/channel/v2: [v2.0.58 -> v2.0.78](https://github.com/openziti/channel/compare/v2.0.58...v2.0.78)
* [Issue 98](https://github.com/openziti/channel/issues/98) - Set default connect timeout to 5 seconds
* github.com/openziti/edge: [v0.24.239 -> v0.24.309](https://github.com/openziti/edge/compare/v0.24.239...v0.24.309)
* [Issue 1503](https://github.com/openziti/edge/issues/1503) - Support configurable UDP idle timeout and check interval for tproxy in edge router tunneler
* [Issue 1471](https://github.com/openziti/edge/issues/1471) - UDP intercept connections report incorrect local/remote addresses, making confusing events
* [Issue 629](https://github.com/openziti/edge/issues/629) - emit entity change events
* [Issue 1295](https://github.com/openziti/edge/issues/1295) - Ensure DB migrations work properly in a clustered setup (edge)
* [Issue 1418](https://github.com/openziti/edge/issues/1418) - Checks for session edge router availablility are inefficient
* github.com/openziti/edge-api: [v0.25.11 -> v0.25.24](https://github.com/openziti/edge-api/compare/v0.25.11...v0.25.24)
* github.com/openziti/fabric: [v0.22.87 -> v0.23.29](https://github.com/openziti/fabric/compare/v0.22.87...v0.23.29)
* [Issue 724](https://github.com/openziti/fabric/issues/724) - Controller should be notified of forwarding faults on links
* [Issue 725](https://github.com/openziti/fabric/issues/725) - If reroute fails, circuit should be torn down
* [Issue 706](https://github.com/openziti/fabric/issues/706) - Fix panic in link close
* [Issue 700](https://github.com/openziti/fabric/issues/700) - Additional Health Checks exposed on Edge Router
* [Issue 595](https://github.com/openziti/fabric/issues/595) - Add include filtering for V3 usage metrics
* [Issue 684](https://github.com/openziti/fabric/issues/684) - Add tag annotations to circuit events, similar to usage events
* [Issue 562](https://github.com/openziti/fabric/issues/562) - Add entity change events
* [Issue 677](https://github.com/openziti/fabric/issues/677) - Rework raft startup
* [Issue 582](https://github.com/openziti/fabric/issues/582) - Ensure DB migrations work properly in a clustered setup (fabric)
* [Issue 668](https://github.com/openziti/fabric/issues/668) - Add network.Run watchdog, to warn if processing is delayed
* github.com/openziti/foundation/v2: [v2.0.21 -> v2.0.24](https://github.com/openziti/foundation/compare/v2.0.21...v2.0.24)
* github.com/openziti/identity: [v1.0.45 -> v1.0.54](https://github.com/openziti/identity/compare/v1.0.45...v1.0.54)
* github.com/openziti/runzmd: [v1.0.20 -> v1.0.24](https://github.com/openziti/runzmd/compare/v1.0.20...v1.0.24)
* github.com/openziti/sdk-golang: [v0.18.76 -> v0.20.51](https://github.com/openziti/sdk-golang/compare/v0.18.76...v0.20.51)
* [Issue 407](https://github.com/openziti/sdk-golang/issues/407) - Allowing filtering which edge router urls the sdk uses
* [Issue 394](https://github.com/openziti/sdk-golang/issues/394) - SDK does not recover from API session expiration (during app/computer suspend)
* github.com/openziti/storage: [v0.1.49 -> v0.2.6](https://github.com/openziti/storage/compare/v0.1.49...v0.2.6)
* github.com/openziti/transport/v2: [v2.0.72 -> v2.0.88](https://github.com/openziti/transport/compare/v2.0.72...v2.0.88)
* github.com/openziti/metrics: [v1.2.19 -> v1.2.25](https://github.com/openziti/metrics/compare/v1.2.19...v1.2.25)
* github.com/openziti/secretstream: v0.1.8 (new)
* github.com/openziti/ziti: [v0.27.9 -> v0.28.0](https://github.com/openziti/ziti/compare/v0.27.9...v0.28.0)
* [Issue 1112](https://github.com/openziti/ziti/issues/1112) - `ziti pki create` creates CA's and intermediates w/ the same DN
* [Issue 1087](https://github.com/openziti/ziti/issues/1087) - re-enable CI in forks
* [Issue 1013](https://github.com/openziti/ziti/issues/1013) - docker env password is renewed at each `docker-compose up`
* [Issue 1077](https://github.com/openziti/ziti/issues/1077) - Show auth-policy name on identity list instead of id
* [Issue 1119](https://github.com/openziti/ziti/issues/1119) - intercept.v1 config should permit underscores in the address
* [Issue 1123](https://github.com/openziti/ziti/issues/1123) - cannot update config types with ziti cli
Archived Changelogs
Archives are in the [changelogs](./changelogs/) folder.