Changelog

1.0.0 - 2026-05-27

Fixes

  • Fixed non-interactive install aborting when registry credentials are absent.
  • Fixed helm upgrade support failing on helm 3 due to a stray --force-conflicts flag.
  • Fixed ZMP running with 0 replicas after offline installs.
  • Fixed missing jq dependency in offline installs.
  • Bumped Ziti Console Enterprise to 0.1.2 — fixes 404 when serving the console at a non-root URL path (e.g. /console).

Other changes

  • Bumped ziti-controller chart to 3.2.0, ziti-router chart to 3.0.0, ziti-host chart to ^1.4.0 (OpenZiti 2.0.0 stable).

Validation

  • Added preflight checks to the quickstart installer covering CPU, RAM, disk, host firewall, DNS, and external reachability.

1.0.0-rc3 - 2026-04-30

Validation

  • Rejected IP literals for CTRL_ADDR at input time — non-interactive runs exit with a clear error; interactive runs re-prompt.

Support stack reliability

  • Changed post-install hook jobs and the logstash deployment to block on Elasticsearch and Kibana cluster-health probes instead of DNS, eliminating Job backoff retries during bootstrap.
  • Raised the support-stack helm upgrade --install timeout to 15 minutes.
  • Switched ECK CRD installation to kubectl apply --server-side --force-conflicts so re-running after a partial failure succeeds cleanly.

Image pinning

  • Pinned Ziti Console Enterprise to 0.1.1 with imagePullPolicy: IfNotPresent so pre-loaded images are reused instead of re-pulled from Quay.

1.0.0-rc2 - 2026-04-22

  • No notable user-facing changes; internal build only.

1.0.0-rc1 - 2026-04-15

Breaking changes

:::warning Ziti Controller Helm Chart v2 → v3
This release upgrades the Ziti controller Helm chart from v2 to v3, which introduces PKI consolidation and a new required cluster.mode value. The installer handles the upgrade automatically; operators should note:

  • The controller must be upgraded before the routers. Routers below 1.7 will fail to connect after the controller upgrade; the upgrade script warns when incompatible routers are detected.
  • PKI roots for control plane, web/client APIs, and edge enrollment are consolidated into a single root of trust. Routers and identities do not need to be re-enrolled.
  • cluster.mode is now required. The upgrade hook sets standalone for existing installs; new installs default to cluster-init.
  • Controller, router, and ziti-host are restarted automatically after the upgrade to pick up new certificates.

See PKI Consolidation and Clustered Mode for upstream details.
:::

:::note Quay registry credentials required
Ziti Console Enterprise is now installed by default with the support stack and requires NetFoundry Quay credentials. Existing installs are prompted during upgrade if credentials are not already configured. Set REGISTRY_USERNAME and REGISTRY_PASSWORD for non-interactive upgrades.
:::

New features

  • Added Ziti Console Enterprise as the default web console (installed with the support stack; added on upgrade for existing installs).
  • Added Ziti Metrics Processor (ZMP) for real-time enrichment of Ziti events with identity and service context before they reach Elasticsearch.
  • Migrated zLAN Ziti resources (config types, logstash configs, services, service policies) to be managed by the zlan-console Helm chart; the ziti CLI is no longer required on the installer host.
  • Added controller cluster support — new installs use cluster-init mode with a configurable trust domain.
  • Added base-path support so zLAN Console and Ziti Console Enterprise can share a hostname via the basePath Helm value.
  • Added structured logging — installer and upgrade output is captured in timestamped log files in logs/ and collected by nf-support-bundle.
  • Added nf-controller-logs and nf-router-logs helper commands.
  • Added nf-cluster command (beta) for HA controller cluster management: status, add, remove, and migrate. See the HA cluster management guide.
  • Added -f flag to nf-quickstart for sourcing variables from a file; env-quickstart.example ships as a template.
  • Added CONSOLE_DISABLED=true to skip ZAC and Ziti Console Enterprise installation.
  • Added an install summary printing Helm chart versions and Ziti container images at the end of the install.

Upgrade support

  • Added automated v2→v3 controller upgrade hook (PKI consolidation, interfaces.v1 rename, cluster.mode injection, cert propagation wait, component restarts).
  • Added support-stack v0→v1 upgrade hook (deploys ZMP and Redis, replicates admin secrets, migrates Grafana datasources, consolidates RabbitMQ queues, installs Ziti Console Enterprise and snapshot jobs if missing).
  • Added incompatible-router detection before controller upgrades.
  • Changed upgrade order to controller-first, then routers.
  • Added component-selective upgrade flags to nf-upgrade: --controller, --router, --support, --console, --zlan, --ziti-host, --k3s.
  • Added a prompt to install Ziti Console Enterprise on upgrade if missing.
  • Added HA-aware snapshot restore.

Monitoring and dashboards

  • Updated event namespaces for OpenZiti v1.4+ (e.g. fabric.circuits → circuit).
  • Overhauled Grafana datasources with human-readable names, correct timestamp fields, and safe upgrade paths.
  • Consolidated dashboards and updated them for ZMP-enriched data.
  • Rewrote the logstash pipeline and consolidated RabbitMQ queues (fabric/edge/metrics → ziti.events).
  • Added strings_as_keyword dynamic mapping to Elasticsearch index templates so .keyword sub-fields are available for dashboard aggregations.

Security

  • Enabled security hardening by default (restricted file permissions, credential output suppression, secure pull-secret handling); the -H flag has been retired.
  • Changed nf-install-notes to fetch credentials live from Kubernetes secrets instead of a static file.
  • Gave ZMP its own dedicated Ziti admin account instead of reusing the default admin.

Container versions

  • Elasticsearch, Kibana, Logstash, Filebeat, Metricbeat: 8.19.12
  • Grafana: 12.3.5
  • RabbitMQ: 3.13
  • Redis: 7.4
  • ZMP: 0.0.5-ba92eb4

Other changes

  • Added trust-domain configuration for new installs (interactive prompt or TRUST_DOMAIN env var).
  • Added build/offline-config.sh for generating offline installation bundles.
  • Added ICMP protocol support to the zfw.v1 schema.
  • Removed installers/k3d-install.sh.

0.5.0 - 2026-03-05

Security hardening

  • Added -H flag to quickstart.sh for STIG-hardened installations
  • In hardened mode, NetworkPolicies are applied to the support and ziti namespaces (BYO clusters)
  • Enabled TLS certificate verification for Logstash and Grafana connections to Elasticsearch
  • Added configurable elasticsearch.tlsCaSecret Helm value for BYO Elasticsearch deployments
  • Added SHA256 integrity verification for downloaded ECK operator manifests
  • Registry pull secret output is suppressed and file permissions restricted

Upgrade script improvements

  • Added component-specific upgrade flags: --router, --controller, --ziti-host, --support, --k3s
  • Added --skip-snapshot / -S flag to skip pre-upgrade database snapshot
  • Auto-detect offline mode from pre-downloaded Helm charts

Fixes

  • Fixed snapshot creation and restore jobs for offline environments
  • Removed unused Docker socket mount from Metricbeat
  • Fixed .env parsing to use export instead of eval
  • Updated ziti-host Helm chart version constraint to ^1.2.0
  • Bumped support Helm chart to 0.1.5

0.4.4 - 2026-02-24

  • Improved alignment with offline installer
  • Fixes for snapshot creation and restore jobs
  • Fixed missing zip dependency for Debian and offline install packages
  • Documentation updates
  • Improved user guidance post-install and upgrade for Debian package
  • Fixed OpenZiti upgrade order based on latest OpenZiti best practices (routers, then controller)

0.4.3 - 2026-02-11

  • Fixes for nf-helpers.sh to be re-run safe
  • Updates for package installer for deb amd64 and arm64 packages
  • Added nf-restore-snapshot command for restoring controller snapshots

0.4.2 - 2025-11-14

  • Updated installer docs with offline install and zlan options
  • Fixed script directory path in nf-helpers.sh
  • Fixed Helm chart apiVersion

0.4.1 - 2025-11-10

  • Multiple fixes for zLAN installation
  • Added an OpenZiti database snapshot as a pre-upgrade step to upgrade.sh
  • Fixed default router policy to better account for private routers
  • Added nf-help commands

0.4.0 - 2025-10-30

  • Updated support stack container images to use wolfi/oss image variants
  • Added migration script for ziti-host container at ./utilities/migrate_ZET_to_helmchart.sh for legacy installs
  • Pinned Helm chart versions for OpenZiti components in .env file to ensure alignment on OpenZiti versions
  • Fix for zLAN installs: added missing interfaces.v1 config type

0.3.4 - 2025-10-28

  • ziti-host container in the support namespace is now managed by Helm for easier maintenance and upgrades
  • NetFoundry support stack is now installed by default; the -s option can be passed to disable it
  • Added support for zLAN installation using the -z flag. Requires NetFoundry container registry secret
  • Updated charts so that all container images and pull policies are configurable

0.3.3 - 2025-09-24

  • Improved handling of KUBECONTEXT for K3S installs
  • Fixed default imagePullPolicy for support stack resources
  • Enabled OpenZiti database snapshots by default
  • Migrated documentation to public docs site at: https://netfoundry.io/docs/onprem/intro

0.3.2

  • Added doc for FIPS installation
  • Reworked quickinstall.sh for better K8s and EKS integration
  • Added guided upgrade script at ./upgrade.sh
  • Fixes for missing KUBECONTEXT and making quickstart more re-run safe
  • Added OEM documentation at ./docs/oem.md for advanced installation use cases
  • Added support and documentation for automated backups, restore, and migration

0.3.1

  • Updates to support ziti-controller Helm chart v2.0+
  • cert-manager and trust-manager are now installed as separate Helm charts and managed independently from the ziti-controller chart
  • Added charts for local PVC backup or S3 backup for OpenZiti boltdb database
  • Enabled local PVC backup of boltdb by default
  • Added improved support for custom helm value files
  • Added restore processes for local PVC backup and S3 backup (./utilities/restore.sh, ./utilities/s3_restore.sh)

0.3.0

  • Moved to k3s as the default Kubernetes engine
  • Updated proxy documentation for k3s

0.2.8

  • Cleanup of quickinstall feedback and INSTALL-NOTES.txt
  • Fix for older versions of helm that failed upon re-add of a repo
  • Documentation cleanup

0.2.7

  • Added additional logging and diagnostic collection to installer scripts
  • Added documentation for single-node RKE2 installs
  • Added support for additional logstash outputs via helm values

0.2.6

  • Added documentation for outbound whitelisting for installations behind a corporate proxy
  • Changed default elasticsearch nodes to 1 for a much smaller resource footprint by default
  • Updated default configuration to use ALPN support for OpenZiti, reducing the number of ports and load balancers needed
  • Added support for ARM architecture
  • Added support and documentation for minimal installs on MicroK8s and Raspberry Pi4+

0.2.5

  • Added support for non-interactive quickstarts; use the -y flag and set the CTRL_ADDR environment variable
  • Added an uninstall.sh script that removes OpenZiti, support, and all checkpoints
  • Added a production installer - k8s-install.sh
  • Fixed time scale for Grafana OpenZiti controller dashboard showing in milliseconds when it should have shown nanoseconds