Move to HA setup from non-HA

Hi @Fabio72, welcome to the community and to OpenZiti!

😊 that's great!

Nice!

From the quickstart -- no, this won't be sufficient. I have been getting ready to comment about HOW one might actually accomplish this.


MAKE SURE YOU BACK UP FIRST

Here are my notes. Given what you've already accomplished, I expect you'll hit no issues here and realize you need all the variables set properly...

MAKE SURE YOU BACK UP FIRST


Did you back up??? 🙂 You can just cp -r the entire quickstart folder. That's the easiest thing to do, imo.

#!/usr/bin/env bash
# Mint controller certs that carry a SPIFFE ID: one server/client pair under each of the
# two quickstart intermediates (control plane and edge). Run this from the quickstart shell
# so the usual variables are exported; it refuses to run if any of them is unset.
set -euo pipefail
for v in EXTERNAL_DNS EXTERNAL_IP ZITI_PKI ZITI_PKI_CTRL_INTERMEDIATE_NAME ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME; do
	: "${!v:?$v must be set}"
done

SPIFFE_ID="spiffe://${EXTERNAL_DNS}/controller/migrated"

# make_certs <ca-name>: server and client certs under that intermediate, both carrying the
# same SPIFFE ID and reusing the existing "<EXTERNAL_DNS>-server" key.
make_certs() {
	local ca="$1"
	ziti pki create server \
		--spiffe-id "$SPIFFE_ID" \
		--dns "${EXTERNAL_DNS},$(hostname),localhost" \
		--ip "${EXTERNAL_IP},127.0.0.1" \
		--pki-root "$ZITI_PKI" \
		--ca-name "$ca" \
		--key-file "${EXTERNAL_DNS}-server" \
		--server-file controller.2025.server \
		--server-name migrated
	ziti pki create client \
		--spiffe-id "$SPIFFE_ID" \
		--pki-root "$ZITI_PKI" \
		--ca-name "$ca" \
		--key-file "${EXTERNAL_DNS}-server" \
		--client-file controller.2025.client \
		--client-name migrated
}

# find_chain <ca-name> <server|client>: absolute path of the chain file just written.
# Search from $ZITI_PKI rather than the current directory, match the CA name as a whole
# path component so one CA name being a prefix of the other cannot confuse it, and fail
# loudly if nothing matched.
find_chain() {
	local ca="$1" kind="$2" found
	found=$(find "$ZITI_PKI" -name "*2025*${kind}*chain*" | grep -F -- "/${ca}/" | head -n 1 || true)
	[ -n "$found" ] || { echo "no ${kind} chain for CA ${ca} under ${ZITI_PKI}" >&2; exit 1; }
	realpath "$found"
}

make_certs "$ZITI_PKI_CTRL_INTERMEDIATE_NAME"
NEW_CTRL_SERVER_CERT=$(find_chain "$ZITI_PKI_CTRL_INTERMEDIATE_NAME" server)
NEW_CTRL_CLIENT_CERT=$(find_chain "$ZITI_PKI_CTRL_INTERMEDIATE_NAME" client)

make_certs "$ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME"
NEW_EDGE_SERVER_CERT=$(find_chain "$ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME" server)
NEW_EDGE_CLIENT_CERT=$(find_chain "$ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME" client)

cat <<EOF
Update your controller config file.
Assuming you ran a quickstart, you should have a separate PKI for CTRL/EDGE.

Modify the control plane identity block with:
server_cert: "${NEW_CTRL_SERVER_CERT}"
cert:        "${NEW_CTRL_CLIENT_CERT}"

Modify the edge api identity block with:
server_cert: "${NEW_EDGE_SERVER_CERT}"
cert:        "${NEW_EDGE_CLIENT_CERT}"
EOF

Yes.

We are working on finalizing this doc still. So you're catching us right in the middle of getting that doc out. Paul merged some docs JUST TODAY that you can find at Operating a Controller Cluster | OpenZiti.

Let's start there and move on once you have a look at my reply.
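Before pointing the controller config at the new chain files, it is worth confirming that each leaf really chains to its intermediate and root and carries the SPIFFE URI SAN and the DNS SANs the ziti pki create commands above were given; a wrong --spiffe-id or a mismatched --ca-name is much easier to catch here than after restarting the controller. The Go program below is an added example and is not code from the original post or from the OpenZiti project. It checks a PEM chain (leaf first, intermediates after) against a root CA PEM, and so that it runs offline it constructs its own root -> intermediate -> leaf hierarchy in memory with the assumed hostname ctrl.example.com and SPIFFE ID spiffe://ctrl.example.com/controller/migrated instead of reading files produced by ziti pki.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// checkSpiffeChain validates a chain file the way the controller will load it: the first
// cert is the leaf, any that follow are intermediates. The leaf must verify against rootPEM,
// carry exactly one URI SAN equal to wantSpiffe and list wantDNS as a DNS SAN.
func checkSpiffeChain(chainPEM, rootPEM []byte, wantSpiffe, wantDNS string) error {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(chainPEM); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip keys or other PEM blocks that may share the file
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return fmt.Errorf("chain: %w", err)
		}
		chain = append(chain, c)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if len(chain) == 0 || !roots.AppendCertsFromPEM(rootPEM) {
		return fmt.Errorf("chain or root bundle contains no parseable certificate")
	}
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	leaf := chain[0]
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("leaf does not chain to root: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != wantSpiffe {
		return fmt.Errorf("want exactly one URI SAN %q, got %v", wantSpiffe, leaf.URIs)
	}
	for _, d := range leaf.DNSNames {
		if d == wantDNS {
			return nil
		}
	}
	return fmt.Errorf("DNS SAN %q not in %v", wantDNS, leaf.DNSNames)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a fresh P-256 key and signs tmpl with parent (self-signed when parent is nil).
// Demo scaffolding only: it panics via must instead of returning errors.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeDemoPKI builds a constructed root -> intermediate -> leaf hierarchy in memory so the
// check runs offline, returning (leaf+intermediate chain PEM, root CA PEM).
func makeDemoPKI(spiffeID string, dnsNames []string) ([]byte, []byte) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey := issue(ca("demo-root-ca", 1), nil, nil)
	inter, interKey := issue(ca("demo-intermediate", 2), root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "migrated"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames: dnsNames, URIs: []*url.URL{must(url.Parse(spiffeID))}}, inter, interKey)
	toPEM := func(cs ...*x509.Certificate) (out []byte) {
		for _, c := range cs {
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
		}
		return out
	}
	return toPEM(leaf, inter), toPEM(root)
}

func main() {
	const id = "spiffe://ctrl.example.com/controller/migrated"
	chain, root := makeDemoPKI(id, []string{"ctrl.example.com", "localhost"})
	fmt.Println("matching id:", checkSpiffeChain(chain, root, id, "ctrl.example.com"))
	fmt.Println("wrong id:   ", checkSpiffeChain(chain, root, "spiffe://ctrl.example.com/router/r1", "ctrl.example.com"))
}
```

To check real output, read the chain file the script located (NEW_CTRL_SERVER_CERT and friends) and the matching CA certificate with os.ReadFile and pass them to checkSpiffeChain with your EXTERNAL_DNS in place of ctrl.example.com; run the client chain through the same check. The function insists on exactly one URI SAN, which is what a single --spiffe-id produces, so a leaf minted under the wrong intermediate or with a typo in the ID is rejected before it ever reaches the controller config.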