Open qrkourier opened 1 month ago
Hi,
Since this is something like the 'main' issue for Browzer support, I'd like to give a summary of the PRs I've provided and how to get Browzer to work in a Kubernetes setup.
Browzer interacts with three components: the Browzer bootstrapper, the Ziti-Controller and the Ziti-Router. All three components need to be accessible from the client browser, so we need to make them accessible through trusted certificates.
I've put the helm charts in a 'works for me' state on my GitHub pages, accessible via https://marvkis.github.io/charts . These are samples of how to use it. The URLs are:
- Controller: clients.browzer.my.domain
- Edge: wss.browzer.my.domain
- Browzer-App: test1.browzer.my.domain
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: ziti-controller-ingress-alt-client
  namespace: openziti
spec:
  ingressClassName: nginx
  rules:
    - host: clients.browzer.my.domain
      http:
        paths:
          - backend:
              service:
                name: ziti-controller-client
                port:
                  number: 443
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - clients.browzer.my.domain
      secretName: default-nginx-cert
```
Run the following to use the chart with websocket support:
```shell
helm upgrade --install --repo https://marvkis.github.io/charts --version 1.0.7 ziti-router ziti-router
```
```yaml
additionalVolumes:
  - mountPath: /etc/ziti/wss-cert/
    name: wss-cert
    secretName: nginx-default-cert
    volumeType: secret
edge:
  additionalListeners:
    - advertisedHost: wss.browzer.my.domain
      advertisedPort: 443
      containerPort: 3023
      ingress:
        annotations:
          kubernetes.io/ingress.allow-http: "false"
          nginx.ingress.kubernetes.io/secure-backends: "true"
          nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        enabled: true
        ingressClassName: public
      name: edge-wss
      protocol: wss
      service:
        enabled: true
        type: ClusterIP
identity:
  altServerCerts:
    - mode: localFile
      serverCert: /etc/ziti/wss-cert/tls.crt
      serverKey: /etc/ziti/wss-cert/tls.key
websocket:
  enabled: true
```
```shell
cat <<EOF | helm upgrade --install --repo https://marvkis.github.io/charts -n openziti ziti-browzer-1 ziti-browzer-bootstrapper --version 0.0.1 -f -
zitiBrowzer:
  bootstrapper:
    logLevel: debug
    host: browzer.my.domain
    targets:
      - vhost: test1.browzer.my.domain
        # Service name to connect to
        service: browzer-test1-service
        path: /
        scheme: http
        idp_issuer_base_url: https://auth.my.domain/application/o/browzer-test-1/
        idp_client_id: your-client_id
  runtime:
    logLevel: debug
    # see https://openziti.discourse.group/t/browzer-setup-error-1014-origintrial-subdomain-mismatch/2481
    originTrailToken: ...
  controller:
    host: clients.browzer.my.domain
    port: 443
  loadBalancer:
    host: my.domain
ingress:
  ingressClassName: nginx
extraVolumeMounts:
EOF
```
I hope this helps people like me to get Browzer working on Kubernetes. Have fun ;)
Bye, Chris
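The post's working setup rests on a few settings that are easy to drop when adapting it: the controller ingress must talk HTTPS to the backend and carry a TLS entry for every host, and the wss edge listener must be passed through to the router so the router presents the trusted alt server certificate itself. The following is an added example, not code from the issue or from the charts: a small checker over the Ingress and router values shown above, expressed as Python dicts that mirror the posted YAML (the charts' real values schema is an assumption here). It also builds a constructed "weakened" copy with `ssl-passthrough` removed to show what the check reports.

```python
import copy

# Constructed sample inputs, mirroring the Ingress and router values shown in the post.
CONTROLLER_INGRESS = {
    "metadata": {"annotations": {
        "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
        "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
        "nginx.ingress.kubernetes.io/ssl-redirect": "true",
    }},
    "spec": {
        "rules": [{"host": "clients.browzer.my.domain"}],
        "tls": [{"hosts": ["clients.browzer.my.domain"], "secretName": "default-nginx-cert"}],
    },
}

ROUTER_VALUES = {
    "additionalVolumes": [{"mountPath": "/etc/ziti/wss-cert/", "name": "wss-cert",
                           "secretName": "nginx-default-cert", "volumeType": "secret"}],
    "edge": {"additionalListeners": [{
        "advertisedHost": "wss.browzer.my.domain", "advertisedPort": 443, "containerPort": 3023,
        "ingress": {"annotations": {
            "kubernetes.io/ingress.allow-http": "false",
            "nginx.ingress.kubernetes.io/secure-backends": "true",
            "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
        }, "enabled": True, "ingressClassName": "public"},
        "name": "edge-wss", "protocol": "wss",
    }]},
    "identity": {"altServerCerts": [{"mode": "localFile",
                                     "serverCert": "/etc/ziti/wss-cert/tls.crt",
                                     "serverKey": "/etc/ziti/wss-cert/tls.key"}]},
    "websocket": {"enabled": True},
}

# Annotations the posted controller Ingress relies on (nginx ingress controller).
REQUIRED_CONTROLLER_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
}


def check_controller_ingress(ingress: dict) -> list[str]:
    """Return findings for the controller Ingress; an empty list means it matches the working setup."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    for key, want in REQUIRED_CONTROLLER_ANNOTATIONS.items():
        if ann.get(key) != want:
            findings.append(f"controller ingress: annotation {key} should be {want!r}")
    spec = ingress.get("spec", {})
    rule_hosts = {r.get("host") for r in spec.get("rules", [])}
    tls_hosts = set()
    for t in spec.get("tls", []):
        if not t.get("secretName"):
            findings.append("controller ingress: tls entry without secretName")
        tls_hosts.update(t.get("hosts", []))
    for host in sorted(rule_hosts - tls_hosts):  # every routed host must be served over TLS
        findings.append(f"controller ingress: host {host} has no tls entry")
    return findings


def check_router_values(values: dict) -> list[str]:
    """Return findings for the router chart values (dict layout assumed from the post)."""
    findings = []
    if not values.get("websocket", {}).get("enabled"):
        findings.append("router: websocket.enabled must be true")
    mounts = {v.get("mountPath") for v in values.get("additionalVolumes", []) if v.get("volumeType") == "secret"}
    alt = values.get("identity", {}).get("altServerCerts", [])
    if not alt:
        findings.append("router: no identity.altServerCerts; browsers would be offered the Ziti-issued router cert")
    for cert in alt:  # the alt cert/key must come from a mounted secret, not be baked into the image
        for key in ("serverCert", "serverKey"):
            path = cert.get(key, "")
            if not any(path.startswith(m) for m in mounts):
                findings.append(f"router: {key} {path} is not under a mounted secret volume")
    wss = [l for l in values.get("edge", {}).get("additionalListeners", []) if l.get("protocol") == "wss"]
    if not wss:
        findings.append("router: no edge listener with protocol wss")
    for listener in wss:
        ing = listener.get("ingress", {})
        ann = ing.get("annotations", {})
        if not ing.get("enabled"):
            findings.append(f"router: listener {listener.get('name')} has no ingress")
        if ann.get("nginx.ingress.kubernetes.io/ssl-passthrough") != "true":
            findings.append(f"router: listener {listener.get('name')} lacks ssl-passthrough; "
                            "the working setup passes TLS through so the router presents its altServerCert")
        if listener.get("advertisedPort") != 443:
            findings.append(f"router: listener {listener.get('name')} advertises port {listener.get('advertisedPort')}, browsers expect 443")
    return findings


def weakened_router_values() -> dict:
    """Constructed 'before' case: same values with ssl-passthrough dropped from the wss ingress."""
    bad = copy.deepcopy(ROUTER_VALUES)
    del bad["edge"]["additionalListeners"][0]["ingress"]["annotations"]["nginx.ingress.kubernetes.io/ssl-passthrough"]
    return bad


if __name__ == "__main__":
    for label, findings in (("controller", check_controller_ingress(CONTROLLER_INGRESS)),
                            ("router", check_router_values(ROUTER_VALUES)),
                            ("router (weakened)", check_router_values(weakened_router_values()))):
        print(label, "OK" if not findings else findings)
```

Feeding it the posted values yields no findings; the weakened copy reports only the missing `ssl-passthrough`. To run it over a live cluster, load `helm get values ziti-router -o json` and the rendered Ingress into the two dicts instead of the constructed samples.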
Add a Helm chart for deploying the bootstrapper on Kubernetes.
The browZer bootstrapper is a web server that facilitates OIDC and delivers the Ziti BrowZer (Javascript) Runtime (ZBR) which functions as an in-browser, agentless OpenZiti tunneling client.