openziti / helm-charts

various helm charts for openziti-test-kitchen projects
https://openziti.io/helm-charts/
Apache License 2.0

Update controller chart options to use single port for deployment #192

Open dariuszSki opened 5 months ago

dariuszSki commented 5 months ago

To use a single port to utilize the ALPN protocol. Here is what I did to use the existing options to get it working:

```yaml
clientApi:
  advertisedHost: ctrl-hm.dariuszski.dev
  advertisedPort: 443
  containerPort: 8443
  service:
    type: ClusterIP
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
webBindingPki:
  enabled: false
managementApi:
  advertisedHost: ctrl-hm.dariuszski.dev
  service:
    enabled: false
  containerPort: 8443
ctrlPlane:
  advertisedHost: ctrl-hm.dariuszski.dev
  service:
    enabled: false
  containerPort: 8433
```

I get the following error, so I think the options can be optimized not to have to configure 3 different container ports.

```
$ helm install  --namespace ziti ctrl-hm     openziti/ziti-controller     --values ./controller-values.yaml --kube-context $CLUSTER3 --set image.tag=0.34.1
W0329 14:58:24.195672    9319 warnings.go:70] spec.template.spec.containers[0].ports[2]: duplicate port definition with spec.template.spec.containers[0].ports[0]
NAME: ctrl-hm
LAST DEPLOYED: Fri Mar 29 14:58:21 2024
NAMESPACE: ziti
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
This is the first install of release ctrl-hm.

You have chart version 0.8.3 and app version 0.32.2.

To learn more about the release, try:

  $ helm status ctrl-hm -n ziti
  $ helm get all ctrl-hm -n ziti

  This deployment provides an OpenZiti controller to manage an OpenZiti network.
```

qrkourier commented 3 months ago

Is this the right goal?

Make single port operation the default while remaining compatible with separate DNS names and ports (needs to keep working with Ingress, NodePort, and LoadBalancer).

mguthrie88 commented 2 months ago

I think this is highly desirable as default behavior

qrkourier commented 1 month ago

Thanks for affirming this is the correct goal. After some exploratory conversations about edge cases, here's the status and next steps.

We ruled out the risk of invalidating the existing PKI. Each respective cert will be presented based upon ALPN identifier, e.g., ctrl plane server if ALPN is ziti-ctrl, web server if ALPN is h2,http/1.1, etc.
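
The ALPN-based certificate selection described above, as an added illustration that is not code from the openziti project: a Go `tls.Config` callback that picks the ctrl plane cert when the ClientHello offers `ziti-ctrl` and the web server cert for `h2`/`http/1.1`, failing closed otherwise. Constant and type names are assumptions, and the example only works end to end when the ingress passes TLS through untouched, as the `ssl-passthrough` annotation in the values file does.

```go
package main

import (
	"crypto/tls"
	"errors"
)

// ALPN identifiers named in the thread; the Go constant names are assumed.
const (
	alpnCtrl = "ziti-ctrl"
	alpnH2   = "h2"
	alpnHTTP = "http/1.1"
)

// ALPNCertSelector holds one certificate per logical listener that shares the
// single advertised port: the ctrl plane and the web (client/management API) server.
type ALPNCertSelector struct {
	CtrlCert, WebCert *tls.Certificate
}

// GetCertificate is the tls.Config callback. It reads the ALPN list from the
// ClientHello and returns the certificate of the server that protocol belongs
// to, so each existing cert keeps being presented to the peers that expect it.
// A hello with no recognised protocol fails closed instead of using a default.
func (s *ALPNCertSelector) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for _, p := range hello.SupportedProtos {
		switch p {
		case alpnCtrl:
			return s.CtrlCert, nil
		case alpnH2, alpnHTTP:
			return s.WebCert, nil
		}
	}
	return nil, errors.New("no recognised ALPN protocol offered")
}

// NewSharedPortTLSConfig wires the selector into a server config. NextProtos
// lists every protocol the selector understands; without it the server would
// not confirm the protocol in the handshake. A terminating ingress would run
// its own ALPN negotiation and the controller would never see "ziti-ctrl".
func NewSharedPortTLSConfig(sel *ALPNCertSelector) *tls.Config {
	return &tls.Config{
		MinVersion:     tls.VersionTLS12,
		NextProtos:     []string{alpnCtrl, alpnH2, alpnHTTP},
		GetCertificate: sel.GetCertificate,
	}
}
```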

qrkourier commented 3 days ago

related: https://github.com/openziti/ziti/issues/1838