Resources on Kubeztl and setting up Ziti within a kubernetes cluster

Hi all,

Are there any docs or resources on setting up Ziti inside a Kubernetes cluster in order to zitify kubectl? I was looking at the Zitifying Kubectl article, but that assumes one already has a Ziti network up and running.

Also, is it possible to make the ziti controller highly available?


Have you seen this article?: Kubernetes

Also, they are working on making the controller HA, and from the last comments it was not too far away. I am sure they will answer regarding that.

I checked that article out and that appears to be the same article as the one I linked, just in a different place.

Not yet. It’s a WIP and expected to be released in the coming weeks/months. It’s getting closer by the day. But, when OpenZiti supports HA, it will not ship with helm charts and HA support in kubernetes. It’s for “generic deployments” of OpenZiti, not kubernetes-specific.

We don’t have a “how to deploy a ziti network in kubernetes” yet. Some community members have started making helm charts. I don’t recall the status of those off the top of my head yet. @qrkourier probably remembers better than I. I had personally just taken it for granted that you’d operate the network from a controller outside of kubernetes but I don’t know if that’s a good or bad assumption.

@qrkourier, you have any more thoughts on this topic? Or anyone else in the community?

Regarding controller HA, as gooseleggs pointed out, it’s in progress. The last big chunks are currently being worked on by @andrew.martinez. If you want to track progress, there’s a board here: Controller HA · GitHub
All the work that’s been done so far has been released as part of regular OpenZiti releases. You can take a look at the HA Overview to get a feel for how things are shaping up. Generally speaking, the fabric portions are complete; there are some edge pieces that Andrew is working on, and there’s likely quite a bit of polishing and testing to be done.
Once we’re in the polishing and testing phase, we’ll likely post here so people can try it out and provide feedback.


@andrewzah I may be wrong but it sounds like you are trying to zitify kubectl. If so, not sure if you have seen this work. You can do it on your own, or perhaps contribute to this kubeztl/main.go at main · openziti-test-kitchen/kubeztl · GitHub. I am sure it can be improved.

Several topics here:

  • Running a Ziti control plane on K8s, potentially facilitated by Helm, Kustomize, or GitOps
  • Exposing/publishing K8s workloads with Ziti, e.g., apiserver, pods, and services.
  • Embedding the Ziti edge in kubectl (Zitification) to obviate the Ziti tunneler on the client side (thanks for sharing that resource, @dariuszSki !)
  • Ziti Control Plane High Availability (HA) (@TheLumberjack, @plorenz covered this one)

I suspect you’re mainly asking about running a Ziti control plane on K8s. A community member did start working on this over the holidays and sent in a link to their work in progress. Unfortunately, I haven’t had a chance to digest it yet. Generally, it’s a wonderful idea and I’m excited about running the control plane on K8s. I haven’t decided which approach I prefer yet, but GitOps is very attractive for the kind of audience that I imagine is interested in self-hosting production-grade Ziti on K8s. Kustomize inheritance is fancy, but I’m not sure if we’ll need many layers yet. Helm is tidy and convenient, but not nearly as flexible for updates as the former two. Do you have a preference?

Exposing workloads with Ziti is easy once you know how to do it. The basic idea is to deploy a ziti-host pod in a cluster namespace that has access to the workload you want to publish to your Ziti network (README)