marvkis
commented
4 weeks ago Hi,
Since this is something like the 'main' issue for Browzer support, I'd like to give a summary of the PRs I've provided and how to get Browzer to work in a kubernetes setup.
Browzer interacts with three components: The Browzer bootstrapper, the Ziti-Controller and Ziti-Router. All three components need to be accessible from the client browser - so we need to make them accessible through trusted certificates.
- The Browzer bootstrapper is a web application, that can be installed via its own helm chart - see PR #230.
- The Ziti-Controller needs to be accessible by both the Browzer bootstrapper and also by the browser. So I added (manually) an additional ingress rule to make it accessible by an additional name. I do not currently have a PR for this.
- The Ziti-Router needs to expose an additional websocket 'WSS' endpoint. Since this also requires configuration changes in the router config, there is PR #234 for this. As there is no need for mTLS on the WSS endpoint, I initially tried to do this via SSL termination on the Ingress controller, but this didn't work - see https://github.com/openziti/ziti/issues/2202.
I've put the helm charts in a 'works for me' state on my github pages, accessible via https://marvkis.github.io/charts . This are samples how to use it. The urls are:
Controller: clients.browzer.my.domain
Edge: wss.browzer.my.domain
Browzer-App: test1.browzer.my.domain
- The ingress rule for the controller (currently manual)
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" name: ziti-controller-ingress-alt-client namespace: openziti spec: ingressClassName: nginx rules: - host: clients.browzer.my.domain http: paths: - backend: service: name: ziti-controller-client port: number: 443 path: / pathType: Prefix tls: - hosts: - clients.browzer.my.domain secretName: default-nginx-cert - The router configuration for the router needs to be extended with these values. Use
helm upgrade --install --repo https://marvkis.github.io/charts --version 1.0.7 ziti-router ziti-routerto use the chart with websocket support.additionalVolumes: - mountPath: /etc/ziti/wss-cert/ name: wss-cert secretName: nginx-default-cert volumeType: secret edge: additionalListeners: - advertisedHost: wss.browzer.my.domain advertisedPort: 443 containerPort: 3023 ingress: annotations: kubernetes.io/ingress.allow-http: "false" nginx.ingress.kubernetes.io/secure-backends: "true" nginx.ingress.kubernetes.io/ssl-passthrough: "true" enabled: true ingressClassName: public name: edge-wss protocol: wss service: enabled: true type: ClusterIP identity: altServerCerts: - mode: localFile serverCert: /etc/ziti/wss-cert/tls.crt serverKey: /etc/ziti/wss-cert/tls.key websocket: enabled: true - Browzer itself can be installed with by using the helm by following this example:
cat <<EOF | helm upgrade --install --repo https://marvkis.github.io/charts -n openziti ziti-browzer-1 ziti-browzer-bootstrapper --version 0.0.1 -f - zitiBrowzer: bootstrapper: logLevel: debug host: browzer.my.domain targets: - vhost: test1.browzer.my.domain # Service name to connect to service: browzer-test1-service path: / scheme: http idp_issuer_base_url: https://auth.my.domain/application/o/browzer-test-1/ idp_client_id: your-client_id runtime: logLevel: debug # see https://openziti.discourse.group/t/browzer-setup-error-1014-origintrial-subdomain-mismatch/2481] originTrailToken: ... controller: host: clients.browzer.my.domain port: 443 loadBalancer: host: my.domain
ingress: ingressClassName: nginx
This is a workaround for https://github.com/openziti/ziti-browzer-bootstrapper/issues/279
extraVolumeMounts:
- name: tmp subPath: log mountPath: /home/node/ziti-browzer-bootstrapper/log extraVolumes:
- name: tmp
emptyDir: {}
EOF
I hope this helps people like me to get browzer working on kubernetes. Have fun ;)
Bye, Chris
Add a Helm chart for deploying the bootstrapper on Kubernetes.
The browZer bootstrapper is a web server that facilitates OIDC and delivers the Ziti BrowZer (Javascript) Runtime (ZBR) which functions as an in-browser, agentless OpenZiti tunneling client.