Changelog

1.0.0-rc1 - 2026-04-15

Breaking changes

Ziti Controller Helm Chart v2 → v3

This release upgrades the Ziti controller Helm chart from v2 to v3, which includes PKI consolidation and a new required cluster.mode value. The upgrade process is handled automatically by the installer, but operators should be aware of the following:

  • The controller must be upgraded before the routers. Routers running versions below 1.7 will fail to connect after the controller upgrade. The upgrade script will warn if incompatible routers are detected.
  • The PKI is consolidated from separate roots for control plane, web/client APIs, and edge enrollment into a single shared root of trust. This does not require re-enrolling routers or identities.
  • cluster.mode is now required on all installations. The upgrade hook automatically sets standalone for existing installs. New installs default to cluster-init to allow adding controllers later.
  • After the controller upgrade, the controller, router, and ziti-host are automatically restarted to pick up the new certificates.

For full details on the upstream breaking change, see PKI Consolidation and Clustered Mode.

Quay registry credentials required

Ziti Console Enterprise is now installed by default with the support stack. This requires NetFoundry private container registry (Quay) credentials. Existing installations upgrading to 1.0.0 will be prompted for these credentials during the upgrade if they are not already configured. Set REGISTRY_USERNAME and REGISTRY_PASSWORD environment variables for non-interactive upgrades.

New features

  • Ziti Console Enterprise — Web console for managing your Ziti network. Automatically installed with the support stack; added during upgrade for existing installs. Requires NetFoundry container registry credentials.
  • Ziti Metrics Processor (ZMP) — Real-time enrichment of Ziti network events with identity and service context before they reach Elasticsearch. ZMP uses a dedicated Ziti admin account, created automatically during install/upgrade.
  • zLAN Ziti resources managed by Helm — Config types (zfw.v1, license.v1, interfaces.v1), logstash configs, services, and service policies are now created and updated automatically by the zlan-console Helm chart on install and upgrade. Schema changes are applied automatically, and the ziti CLI is no longer required on the installer host.
  • Controller cluster support — New installs are configured with cluster-init mode and a configurable trust domain, allowing additional controllers to be added later.
  • Base path support — zLAN Console and Ziti Console Enterprise can now be served from a sub-path (e.g. /zlan, /console) via the basePath Helm value, allowing both to share the same hostname.
  • Structured logging — Installer and upgrade output is now written to timestamped log files in a logs/ directory. Kubernetes events are captured on error. nf-support-bundle collects these logs automatically.
  • Helper commands — Added nf-controller-logs and nf-router-logs for live-tailing logs. Helper commands are set up automatically during upgrades if missing.
  • HA cluster management (beta) — New nf-cluster command for managing HA controller clusters. Supports checking cluster status (nf-cluster status), adding controllers (nf-cluster add), removing controllers (nf-cluster remove), and migrating standalone installations to cluster mode (nf-cluster migrate). The command auto-detects the primary controller Helm release and handles cert-manager timing, support stack integration, and quorum warnings. See the HA cluster management guide for details.
  • Environment file for quickstart — nf-quickstart now accepts a -f flag to source environment variables from a file for non-interactive installs. A template file (env-quickstart.example) is included with all available variables.
  • Console disable flag — Set CONSOLE_DISABLED=true to skip ZAC and Ziti Console Enterprise installation.
  • Install summary — The quickstart now prints a summary of installed Helm chart versions and Ziti container images at the end of the install.

Upgrade support

  • Automated v2→v3 upgrade hook — Handles PKI consolidation, interfaces.v1 config-type rename, cluster.mode injection, certificate propagation wait, and component restarts.
  • Support stack v0→v1 upgrade hook — Deploys ZMP and Redis, replicates admin secrets, migrates Grafana datasources, and consolidates RabbitMQ queues. Installs Ziti Console Enterprise and snapshot jobs if missing.
  • Incompatible router detection — Upgrade warns if any routers are running versions below 1.7 before proceeding with a controller upgrade.
  • Controller upgraded before router — The upgrade order now upgrades the controller first, then the router, to ensure compatibility.
  • Component-selective upgrades — nf-upgrade accepts --controller, --router, --support, --console, --zlan, --ziti-host, and --k3s flags.
  • Console Enterprise install on upgrade — If Ziti Console Enterprise is not installed, the upgrade script now offers to install it.
  • HA controller snapshot restore — Snapshot restore scripts now detect clustered controllers and handle the restore process accordingly.

Monitoring and dashboards

  • Event namespace alignment — Updated for OpenZiti v1.4+ (e.g. fabric.circuits → circuit).
  • Grafana datasource overhaul — Human-readable datasource names, correct timestamp fields, and safe upgrade paths.
  • Dashboard consolidation — Removed multi-network dashboard variants; updated for ZMP-enriched data.
  • Logstash pipeline rewrite — Consolidated RabbitMQ queues (fabric/edge/metrics → ziti.events) with updated filters.
  • Elasticsearch keyword mappings — Index templates now include strings_as_keyword dynamic mapping to ensure .keyword sub-fields are available for dashboard aggregations.

Security

  • Security hardening enabled by default — Restricted file permissions, credential output suppression, and secure pull secret handling are now standard for all installations. The -H flag has been retired.
  • Credentials retrieved dynamically — nf-install-notes fetches credentials live from Kubernetes secrets instead of reading from a static file.
  • Dedicated ZMP admin account — ZMP now authenticates to the Ziti controller with its own dedicated admin account instead of using the shared default admin credentials.

Container versions

  • Elasticsearch, Kibana, Logstash, Filebeat, Metricbeat: 8.19.12
  • Grafana: 12.3.5
  • RabbitMQ: 3.13
  • Redis: 7.4
  • ZMP: 0.0.5-ba92eb4

Other changes

  • Trust domain configuration — New installs prompt for a trust domain used in SPIFFE IDs. Configurable via TRUST_DOMAIN environment variable for non-interactive mode.
  • Offline installer configuration — Added build/offline-config.sh for generating offline installation bundles.
  • Customize Helm values guide — New documentation for modifying Helm values after installation.
  • zfw.v1 schema updated — Added ICMP protocol support.
  • k3d installer removed — installers/k3d-install.sh has been removed.

0.5.0 - 2026-03-05

Security hardening

  • Added -H flag to quickstart.sh for STIG-hardened installations
  • In hardened mode, NetworkPolicies are applied to the support and ziti namespaces (BYO clusters)
  • Enabled TLS certificate verification for Logstash and Grafana connections to Elasticsearch
  • Added configurable elasticsearch.tlsCaSecret Helm value for BYO Elasticsearch deployments
  • Added SHA256 integrity verification for downloaded ECK operator manifests
  • Registry pull secret output is suppressed and file permissions restricted

Upgrade script improvements

  • Added component-specific upgrade flags: --router, --controller, --ziti-host, --support, --k3s
  • Added --skip-snapshot / -S flag to skip pre-upgrade database snapshot
  • Auto-detect offline mode from pre-downloaded Helm charts

Fixes

  • Fixed snapshot creation and restore jobs for offline environments
  • Removed unused Docker socket mount from Metricbeat
  • Fixed .env parsing to use export instead of eval
  • Updated ziti-host Helm chart version constraint to ^1.2.0
  • Bumped support Helm chart to 0.1.5

0.4.4 - 2026-02-24

  • Improved alignment with offline installer
  • Fixes for snapshot creation and restore jobs
  • Fixed missing zip dependency for debian and offline install packages
  • Documentation updates
  • Improved user guidance post-install and upgrade for debian package
  • Fixed OpenZiti upgrade order based on latest OpenZiti best practices (routers, then controller)

0.4.3 - 2026-02-11

  • Fixes for nf-helpers.sh to be re-run safe
  • Updates for package installer for deb amd64 and arm64 packages
  • Added nf-restore-snapshot command for restoring controller snapshots

0.4.2 - 2025-11-14

  • Updated installer docs with offline install and zlan options
  • Fix script directory path in nf-helpers.sh
  • Fix Helm chart apiVersion

0.4.1 - 2025-11-10

  • Multiple fixes for zLAN installation
  • Added an OpenZiti database snapshot as a pre-upgrade step to upgrade.sh
  • Fix default router policy to better account for private routers
  • Added nf-help commands

0.4.0 - 2025-10-30

  • Updated support stack container images to use wolfi/oss image variants
  • Added migration script for ziti-host container at ./utilities/migrate_ZET_to_helmchart.sh for legacy installs
  • Pinned Helm chart versions for OpenZiti components in .env file to ensure alignment on OpenZiti versions
  • Fix for zLAN installs - added missing interfaces.v1 config type

0.3.4 - 2025-10-28

  • ziti-host container in the support namespace is now managed by Helm for easier maintenance and upgrades
  • NetFoundry support stack is now installed by default; the -s option can be passed to disable it
  • Added support for zLAN installation using the -z flag. Requires NetFoundry container registry secret
  • Updated charts so that all container images and pull policies are configurable

0.3.3 - 2025-09-24

  • Improve handling of KUBECONTEXT for K3S installs
  • Fix default imagePullPolicy for support stack resources
  • Enabled OpenZiti database snapshots by default
  • Migrated documentation to public docs site at: https://netfoundry.io/docs/onprem/intro

0.3.2

  • Added doc for FIPS installation
  • Reworked quickinstall.sh for better K8s and EKS integration
  • Added guided upgrade script at ./upgrade.sh
  • Fixes for missing KUBECONTEXT and making quickstart more re-run safe
  • Added OEM documentation at ./docs/oem.md for advanced installation use cases
  • Added support and documentation for automated backups, restore, and migration

0.3.1

  • Updates to support ziti-controller Helm chart v2.0+
  • cert-manager and trust-manager are now installed as separate Helm charts and managed independently from the ziti-controller chart
  • Added charts for local PVC backup or S3 backup for OpenZiti boltdb database
  • Enabled local PVC backup of boltdb by default
  • Added improved support for custom helm value files
  • Added restore processes for local PVC backup and S3 backup (./utilities/restore.sh, ./utilities/s3_restore.sh)

0.3.0

  • Moved to k3s as the default Kubernetes engine
  • Updated proxy documentation for k3s

0.2.8

  • Cleanup of quickinstall feedback and INSTALL-NOTES.txt
  • Fix for older versions of helm that failed upon re-add of a repo
  • Documentation cleanup

0.2.7

  • Added additional logging and diagnostic collection to installer scripts
  • Added documentation for single-node RKE2 installs
  • Added support for additional logstash outputs via helm values

0.2.6

  • Added documentation for outbound whitelisting for installations behind a corporate proxy
  • Changed default elasticsearch nodes to 1 for a much smaller resource footprint by default
  • Updated default configuration to use ALPN support for OpenZiti, reducing the number of ports and load balancers needed
  • Added support for ARM architecture
  • Added support and documentation for minimal installs on MicroK8s and Raspberry Pi4+

0.2.5

  • Added support for non-interactive quickstarts: use the -y flag and set the CTRL_ADDR environment variable
  • Added an uninstall.sh script that removes OpenZiti, support, and all checkpoints
  • Added a production installer - k8s-install.sh
  • Fixed time scale for Grafana OpenZiti controller dashboard showing in milliseconds when it should have shown nanoseconds