Ziti Router: SSL: TLSV1_ALERT_INTERNAL_ERROR

I installed the ziti controller with ingress (via the ziti helm chart) and added the loadbalancer entry for both subdomains configured for ziti client and ziti ctrl.

Under the ziti ingress resources I added:

nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: "true" 

I was able to connect to the client domain via the ziti CLI and create router identities.

Then I used GitHub - netfoundry/ziti_router_auto_enroll for registering the router; I gave the controller as the ctrl subdomain URL and fabricPort as 443.

I get the following error:

ERROR:root:Unable to get controller version: Connection Error
ERROR:root:HTTPSConnectionPool(host='ztnctrl.domain', port=443): Max retries exceeded with url: /edge/client/v1/version (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1000)')))

The router is installed on an EC2 machine without any HTTPS advertising address.

It's because the ctrlPlane.ingress has annotation nginx.ingress.kubernetes.io/backend-protocol: HTTPS. This breaks mTLS between the router and controller.

Here's an example of ingress-nginx annotations for the ctrlPlane.ingress.

ctrlPlane:
    advertisedHost: ziti-controller-managed-ctrl.example.com
    advertisedPort: 443
    service:
        enabled: true
    ingress:
        enabled: true
        ingressClassName: nginx
        annotations:
            kubernetes.io/ingress.allow-http: "false"
            nginx.ingress.kubernetes.io/ssl-passthrough: "true"

From the controller deployment guide for Kubernetes.

You were able to log in to the controller with the CLI because you were using a password, not certificate auth. Certificate auth is used by identities to discover Ziti services and routers, so it's necessary to also set these annotations on clientApi.ingress when using ingress-nginx.
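A quick way to tell the two situations apart from the router host, before re-running any enrollment tool: open a TLS session to the ctrlPlane advertised host with the SNI name a router would use and look at what answers. If ingress-nginx terminated the session itself, it presents its built-in default certificate (CN "Kubernetes Ingress Controller Fake Certificate"); if the connection was passed through to the controller's ctrl plane, the peer asks for a client certificate (openssl prints "Acceptable client certificate CA names"), which is the mTLS a router needs. This is an added example script, not from the thread or from the OpenZiti project; it assumes openssl is installed where it runs and uses the ztnctrl.domain.co:443 host/port from this thread as the default.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenZiti project.
# Probe what is actually answering TLS on the ctrlPlane advertised host.
# A router needs an end-to-end TLS session to the controller (mTLS), so with
# ingress-nginx ssl-passthrough the expected verdict is "passthrough-mtls".
#
# Assumptions (mine, not from the page):
#  - openssl is installed where this runs (e.g. the router's EC2 host);
#  - host/port default to the ctrlPlane advertisedHost/advertisedPort used
#    in the thread (ztnctrl.domain.co:443).
set -u

# probe_tls HOST PORT -> raw `openssl s_client` output. SNI is set to HOST
# because ingress-nginx selects the passthrough backend by SNI name.
probe_tls() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>&1
}

# classify_probe OUTPUT -> one word describing who answered the handshake.
classify_probe() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'Kubernetes Ingress Controller Fake Certificate'; then
    # ingress-nginx terminated TLS with its built-in default certificate:
    # ssl-passthrough is not in effect for this SNI name (missing annotation,
    # or the ingress controller runs without --enable-ssl-passthrough).
    echo "terminated-at-ingress"
  elif printf '%s\n' "$out" | grep -q 'Acceptable client certificate CA names'; then
    # The peer sent a CertificateRequest: an mTLS listener answered, which is
    # what the router expects from the controller's ctrl plane.
    echo "passthrough-mtls"
  elif printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
    # TLS completed but nobody asked for a client certificate: some other
    # TLS server (or a terminating proxy with a custom certificate) answered.
    echo "tls-no-client-auth"
  elif printf '%s\n' "$out" | grep -qi 'alert internal error'; then
    # Same alert the Python enroll script reported; the handshake never completed.
    echo "handshake-alert"
  else
    echo "unknown"
  fi
}

# extract_issuer OUTPUT -> the issuer line printed by s_client, to confirm the
# leaf was issued by the controller's PKI rather than by a public CA or nginx.
extract_issuer() {
  printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# diagnose HOST PORT -> prints issuer and verdict; exits 0 only on passthrough-mtls.
diagnose() {
  out="$(probe_tls "$1" "${2:-443}")"
  verdict="$(classify_probe "$out")"
  echo "issuer:  $(extract_issuer "$out")"
  echo "verdict: ${verdict}"
  [ "$verdict" = "passthrough-mtls" ]
}

# Only touch the network when a host is given, e.g.:
#   ZITI_PROBE_HOST=ztnctrl.domain.co sh ./probe-ctrl-tls.sh
if [ -n "${ZITI_PROBE_HOST:-}" ]; then
  diagnose "$ZITI_PROBE_HOST" "${ZITI_PROBE_PORT:-443}"
fi
```

Run it once against the ctrlPlane host and once against the clientApi host; both should come back "passthrough-mtls" with an issuer from the controller's own PKI. A "terminated-at-ingress" verdict means the ssl-passthrough annotation is not being honoured for that name (check that the ingress-nginx controller was started with enable-ssl-passthrough), and no enrollment tool will succeed until that is fixed.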

Still the same error.

Also,

nginx.ingress.kubernetes.io/backend-protocol: HTTPS

was to access ZAC in the browser; anyway, I removed those fields on both the client and ctrl side.

My helm chart values look like:

clientApi:
  advertisedHost: ztnclient.domain.co
  advertisedPort: 443
  service:
    type: ClusterIP
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"

ctrlPlane:
  advertisedHost: ztnctrl.domain.co
  advertisedPort: 443
  service:
    enabled: true
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  
cert-manager:
  enabled: true
  enableCertificateOwnerRef: true
  installCRDs: false

trust-manager:
  enabled: true
  app:
    trust:
      namespace: ziti
  crds:
    enabled: false

ingress-nginx:
  enabled: true
  controller:
    extraArgs:
      enable-ssl-passthrough: "true"

I tried a fresh install with these exact values and got the same error.

Thank you for confirming the Ziti parts of your deployment have a correct configuration. This should allow any Ziti router to connect to the controller you are running in Kubernetes.

The error you reported was emitted by a router "auto enrollment" Python script which is a custom configuration tool for Ziti routers running on Linux. You can raise a GitHub issue in that repository to ask the maintainers for help, or you can try using the Linux router deployment alpha that uses the official Ziti router package and creates a Linux system service.

I am preparing to release a new version of the Linux router package with an improved installer. Will you help me test it out?

You'll need the ziti CLI and the router service packages for RPM or DEB.

Yes, definitely. Please let me know when it's ready.

Here is a documentation preview for the router.

You can install those experimental packages that I linked instead of following the documentation step to install.

Sure, I'll update on it.


Is there a bash file, @qrkourier? I was getting an issue regarding unpacking that.

Yes, you can install that same experimental version with this BASH script.

Debian/Ubuntu

curl -sS https://get.openziti.io/install.bash \
| sudo ZITIPAX_DEB=zitipax-openziti-deb-test \
bash -s "openziti=0.0.203~9830771426" "openziti-router=0.0.203~9830771426"

RedHat/Fedora

curl -sS https://get.openziti.io/install.bash \
| sudo ZITIPAX_RPM=zitipax-openziti-rpm-test \
bash -s "openziti-0.0.203~9830771426" "openziti-router-0.0.203~9830771426"

Thanks, I'll try it, but what's different?

The main difference is that you must run sudo /opt/openziti/etc/router/bootstrap.bash after you install the Linux router package.

The script generates a router configuration if there's not already a configuration in the router service's working directory.

Sure, thanks, will look at it.

Does not work for me; meanwhile I faced this issue:

/var/lib/dpkg/info/openziti-router.postinst: line 31: /opt/openziti/etc/controller/service.env: No such file or directory
dpkg: error processing package openziti-router (--configure):
 installed openziti-router package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 openziti-router
needrestart is being skipped since dpkg has failed
N: Ignoring file 'openziti-release.list.2024-07-09T14:51:02+00:00' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@ip-172-31-38-32:/home/ubuntu#  sudo /opt/openziti/et

Were you running install.bash when this error occurred?

You may need to purge the old package first.

sudo apt purge openziti-router

Then install the test package.

curl -sS https://get.openziti.io/install.bash | sudo ZITIPAX_DEB=zitipax-openziti-deb-test bash -s "openziti=0.0.203~9830771426" "openziti-router=0.0.203~9830771426"

Then generate a router configuration with the router enrollment token from the controller.

sudo /opt/openziti/etc/router/bootstrap.bash