Upgrade Ziti from 1.1.5 -> 1.5.4

Hi there!

We've been running an overlay with two routers for almost 3 years now.
I have upgraded to 1.1.5 in the meantime and our overlay runs very smoothly.
I did try to upgrade our ziti-edge-tunnelers to a recent version (>1.4.0) in the past but got the same errors as here

For many systems, the ziti-edge-tunnel is the ONLY way to connect to the servers, so it's critical that I don't break the installation while upgrading :slight_smile:

When upgrading the controller and router, what's your advisory? Installing a fresh instance of v1.5.4, and then using those new config files and adjusting URLs and certificate paths?

Will the ziti-edge-tunnelers at v1.3.7 work with the recent versions of ziti?
Is there a support matrix between different versions? If not, I'd like to suggest this as an issue! :smiley:

Best regards
Dominik

1 Like

Hi @dmuensterer

Did you try the fix that worked for the issue you linked? Ziti identies are failing after upgrade of edge tunneler - #15 by qrkourier

As far as upgrading, most of the work in 1.2.0 -> 1.5.4 has been for HA and OIDC support. If you don't use either of those features, then I'd update to the latest 1.1.x release. Note that HA is still in beta, but should be functional unless you're using posture checks. Finishing the posture checks work for HA is the last blocker before releasing a release candidate for HA.

For tunneler/server compatibility, they should be compatible unless you're using HA. The HA support in the tunnelers has been evolving and there are cases where HA enabled tunnelers won't work well with certain versions of the routers/controllers.

There is some performance work coming in 1.6/1.7 that may be of interest, but will also require changes to the tunnelers. Something to keep an eye out for.

Paul

1 Like

Thank you Paul, that’s very helpful.
When upgrading to 1.1.6, the trust domain was introduced. Does that mean that I need to create new certificates for each controller/router but also need to exchange every identity with one that’s been created after the upgrade?

This answer says I would only need to define one in the config files; however, the docs say

  1. The controller client and server certificates must contain a SPIFFE ID.

Or does Ziti >1.1.6 only require a trust domain to be set, but not necessarily embedded into the certs?

Clustered controllers' identity certificates must contain a SPIFFE ID based on the trust domain of the cluster and following the convention of spiffe://{trust domain}/controller/{node name}.

Non-clustered controllers may operate without a SPIFFE ID, but a trust domain must be defined or derived. One way to define it is the configuration directive you referred to.

1 Like
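As an added example (not code from the OpenZiti project or from anyone in this thread), here is a Go check for the convention described in the answer above: it confirms that a controller certificate carries exactly one URI SAN of the form spiffe://{trust domain}/controller/{node name} for the cluster's trust domain and returns the node name. The trust domain `example.ziti` and node name `ctrl1` are constructed test values, and the self-signed certificate is generated inline so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ControllerNodeName returns the node name from the certificate's SPIFFE ID.
// It requires exactly one URI SAN matching spiffe://<trustDomain>/controller/<node name>;
// a SPIFFE ID for another trust domain, or for a non-controller path, is not accepted.
func ControllerNodeName(cert *x509.Certificate, trustDomain string) (string, error) {
	var found []string
	for _, u := range cert.URIs {
		if u.Scheme != "spiffe" || u.Host != trustDomain {
			continue
		}
		parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
		if len(parts) == 2 && parts[0] == "controller" && parts[1] != "" {
			found = append(found, parts[1])
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("want exactly one spiffe://%s/controller/<node> URI SAN, found %d", trustDomain, len(found))
	}
	return found[0], nil
}

// selfSignedWithURIs builds a throwaway self-signed certificate carrying the given
// URI SANs. It is constructed test input, standing in for a real controller cert.
func selfSignedWithURIs(uris ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, s := range uris {
		u, _ := url.Parse(s)
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

To check a real controller certificate, load it with x509.ParseCertificate from the PEM-decoded file and pass the cluster's trust domain instead of the constructed value.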