v1.0.0-rc7

WARNING: Do not attempt to use this build against the hosted zrok service at zrok.io, until the service has also been upgraded to v1.0.0! The 1.0.x series of release uses a different default API endpoint of https://api-v1.zrok.io. This endpoint will become functional once v1.0.0 has been released.

CHANGELOG

MAJOR RELEASE: zrok reaches version 1.0.0!

FEATURE: Completely redesigned web interface ("API Console"). New implementation provides a dual-mode interface supporting an improved visual network navigator and also a "tabular" view, which provides a more traditional "data" view. New stack built using vite, React, and TypeScript (#724)

FEATURE: New "zrok Agent", a background manager process for your zrok environments, which allows you to easily manage and work with multiple zrok share and zrok access processes. New --subordinate flag added to zrok share [public|private|reserved] and zrok access private to operate in a mode that allows an Agent to manage shares and accesses (#463)

FEATURE: New "zrok Agent UI" a web-based user interface for the zrok Agent, which allows creating and releasing shares and accesses through a web browser. This is just an initial chunk of the new Agent UI, and is considered a "minimum viable" version of this interface (#221)

FEATURE: zrok share [public|private|reserved] and zrok access private now auto-detect if the zrok Agent is running in an environment and will automatically service share and access requests through the Agent, rather than in-process if the Agent is running. If the Agent is not running, operation remains as it was in v0.4.x and the share or access is handled in-process. New --force-agent and --force-local flags exist to skip Agent detection and manually select an operating mode (#751)

FEATURE: zrok access private supports a new --auto mode, which can automatically find an available open address/port to bind the frontend listener on. Also includes --auto-address, --auto-start-port, and --auto-end-port features with sensible defaults. Supported by both the agent and local operating modes (#780)

FEATURE: zrok rebase commands (zrok rebase apiEndpoint and zrok rebase accountToken) allows "rebasing" an enabled environment onto a different API endpoint or a different account token. This is useful for migrating already-enabled environments between endpoints supporting different zrok versions, and is also useful when regenerating an account token (#869, #897)

FEATURE: zrok test canary CLI tree replaces the old zrok test loop tree; new zrok test canary public-proxy and zrok test canary private-proxy provide modernized, updated versions of what the zrok test loop commands used to do. This new approach will serve as the foundation for all future zrok testing infrastructure (#771)

FEATURE: New /api/v1/versions endpoint to return comprehensive, full stack version information about the deployed service instance. Currently only returns a single controllerVersion property (#881)

CHANGE: The default API URL for v1.0.x zrok clients is now https://api-v1.zrok.io (instead of the older https://api.zrok.io). The zrok.io deployment will now be maintaining version-specific DNS for versioned API endpoints.

CHANGE: Refactored API implementation. Cleanup, lint removal, additional data elements added, unused data removed (#834)

CHANGE: Deprecated the passwords configuration stanza. The zrok controller and API console now use a hard-coded set of (what we believe to be) reasonable assumptions about password quality (#834)

CHANGE: The protocol for determining valid client versions has been changed. Previously a zrok client would do a GET against the /api/v1/version endpoint and do a local version string comparison (as a normal precondition to any API call) to see if the controller version matched. The protocol has been amended so that any out-of-date client using the old protocol will receive a version string indicating that they need to uprade their client. New clients will do a POST against the /api/v1/clientVersionCheck endpoint, posting their client version, and the server will check for compatibility. Does not change the security posture in any significant way, but gives more flexibility on the server side for managing client compatibility. Provides a better, cleared out-of-date error message for old clients when accessing v1.0.0+ (#859)

CHANGE: The Python SDK is now generated by openapi-generator and requires a newer urllib3 version 2.1.0. The published Python module, zrok, inherits the dependencies of the generated packages (#894)

v1.0.0-rc6

WARNING: Do not attempt to use this build against the hosted zrok service at zrok.io, until the service has also been upgraded to v1.0.0! The 1.0.x series of release uses a different default API endpoint of https://api-v1.zrok.io. This endpoint will become functional once v1.0.0 has been released.

CHANGELOG

FEATURE: Completely redesigned web interface ("API Console"). New implementation provides a dual-mode interface supporting an improved visual network navigator and also a "tabular" view, which provides a more traditional "data" view. New stack built using vite, React, and TypeScript (#724)

FEATURE: New "zrok Agent", a background manager process for your zrok environments, which allows you to easily manage and work with multiple zrok share and zrok access processes. New --subordinate flag added to zrok share [public|private|reserved] and zrok access private to operate in a mode that allows an Agent to manage shares and accesses (#463)

FEATURE: New "zrok Agent UI" a web-based user interface for the zrok Agent, which allows creating and releasing shares and accesses through a web browser. This is just an initial chunk of the new Agent UI, and is considered a "minimum viable" version of this interface (#221)

FEATURE: zrok share [public|private|reserved] and zrok access private now auto-detect if the zrok Agent is running in an environment and will automatically service share and access requests through the Agent, rather than in-process if the Agent is running. If the Agent is not running, operation remains as it was in v0.4.x and the share or access is handled in-process. New --force-agent and --force-local flags exist to skip Agent detection and manually select an operating mode (#751)

FEATURE: zrok access private supports a new --auto mode, which can automatically find an available open address/port to bind the frontend listener on. Also includes --auto-address, --auto-start-port, and --auto-end-port features with sensible defaults. Supported by both the agent and local operating modes (#780)

FEATURE: zrok rebase commands (zrok rebase apiEndpoint and zrok rebase accountToken) allows "rebasing" an enabled environment onto a different API endpoint or a different account token. This is useful for migrating already-enabled environments between endpoints supporting different zrok versions, and is also useful when regenerating an account token (#869, #897)

FEATURE: zrok test canary CLI tree replaces the old zrok test loop tree; new zrok test canary public-proxy and zrok test canary private-proxy provide modernized, updated versions of what the zrok test loop commands used to do. This new approach will serve as the foundation for all future zrok testing infrastructure (#771)

FEATURE: New /api/v1/versions endpoint to return comprehensive, full stack version information about the deployed service instance. Currently only returns a single controllerVersion property (#881)

CHANGE: The default API URL for v1.0.x zrok clients is now https://api-v1.zrok.io (instead of the older https://api.zrok.io). The zrok.io deployment will now be maintaining version-specific DNS for versioned API endpoints.

CHANGE: Refactored API implementation. Cleanup, lint removal, additional data elements added, unused data removed (#834)

CHANGE: Deprecated the passwords configuration stanza. The zrok controller and API console now use a hard-coded set of (what we believe to be) reasonable assumptions about password quality (#834)

CHANGE: The protocol for determining valid client versions has been changed. Previously a zrok client would do a GET against the /api/v1/version endpoint and do a local version string comparison (as a normal precondition to any API call) to see if the controller version matched. The protocol has been amended so that any out-of-date client using the old protocol will receive a version string indicating that they need to uprade their client. New clients will do a POST against the /api/v1/clientVersionCheck endpoint, posting their client version, and the server will check for compatibility. Does not change the security posture in any significant way, but gives more flexibility on the server side for managing client compatibility. Provides a better, cleared out-of-date error message for old clients when accessing v1.0.0+ (#859)

v0.4.49

CHANGELOG

FIX: Release artifacts now include a reproducible source archive. The archive's download URL is now used by the Homebrew formula when building from source instead of the archive generated on-demand by GitHub (#858).

FIX: Pre-releases are no longer uploaded to the stable Linux package repo, and workflows that promote stable release artifacts to downstream distribution channels enforce semver stable release tags, i.e., not having a semver hyphenated prerelease suffix.

CHANGE: The release checksums.txt has been renamed checksums.sha256.txt to reflect the use of a collision-resistant algorithm instead of shasum's default algorithm, SHA-1.

CHANGE: The dependency graph is now published as a release artifact named sbom-{version}.spdx.json (#888).

CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Docker Hub for testing. RELEASING.md describes releaser steps and the events they trigger.

CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life.

CHANGE: Container images now include SLSA and SBOM attestations, and these are also published to the Docker Hub registry (#890).

CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (#889).

v0.4.48

CHANGELOG

FEATURE: The controller configuration now supports a disable_auto_migration boolean in the store stanza. When set to true, the controller will not attempt to auto-migrate (or otherwise validate the migration state) of the underlying database. Leaving disable_auto_migration out, or setting it to false will retain the default behavior of auto-migrating when starting the zrok controller. The zrok admin migrate command will still perform a migration regardless of how this setting is configured in the controller configuration (#866)

FIX: the Python SDK erroneously assumed the enabled zrok environment contained a config.json file, and was changed to only load it if the file was present (#853)

v1.0.0-rc3

CHANGELOG

WARNING: Do not attempt to use this build against the hosted zrok service at zrok.io, until the service has also been upgraded to v1.0.0! The URL https://api.zrok.io/api/v1/version will return the current version of the production zrok service.

FEATURE: Completely redesigned web interface ("API Console"). New implementation provides a dual-mode interface supporting an improved visual network navigator and also a "tabular" view, which provides a more traditional "data" view. New stack built using vite, React, and TypeScript (#724)

FEATURE: New "zrok Agent", a background manager process for your zrok environments, which allows you to easily manage and work with multiple zrok share and zrok access processes. New --subordinate flag added to zrok share [public|private|reserved] and zrok access private to operate in a mode that allows an Agent to manage shares and accesses (#463)

FEATURE: New "zrok Agent UI" a web-based user interface for the zrok Agent, which allows creating and releasing shares and accesses through a web browser. This is just an initial chunk of the new Agent UI, and is considered a "minimum viable" version of this interface (#221)

FEATURE: zrok share [public|private|reserved] and zrok access private now auto-detect if the zrok Agent is running in an environment and will automatically service share and access requests through the Agent, rather than in-process if the Agent is running. If the Agent is not running, operation remains as it was in v0.4.x and the share or access is handled in-process. New --force-agent and --force-local flags exist to skip Agent detection and manually select an operating mode (#751)

FEATURE zrok access private supports a new --auto mode, which can automatically find an available open address/port to bind the frontend listener on. Also includes --auto-address, --auto-start-port, and --auto-end-port features with sensible defaults. Supported by both the agent and local operating modes (#780)

CHANGE: Refactored API implementation. Cleanup, lint removal, additional data elements added, unused data removed (#834)

CHANGE: Deprecated the passwords configuration stanza. The zrok controller and API console now use a hard-coded set of (what we believe to be) reasonable assumptions about password quality (#834)

v0.4.47

CHANGELOG

CHANGE: the Docker instance will wait for the ziti container healthy status (contribution from Ben Wong @bwong365 - #790)

CHANGE: Document solving the DNS propagation timeout for Docker instances that are using Caddy to manage the wildcard certificate.

CHANGE: Add usage hint in zrok config get --help to clarify how to list all valid configName and their current values by running zrok status.

CHANGE: The Python SDK's Overview() function was refactored as a class method (#846).

FEATURE: The Python SDK now includes a ProxyShare class providing an HTTP proxy for public and private shares and a
Jupyter notebook example (#847).

FIX: PyPi publishing was failing due to a CI issue (#849)

v0.4.46

CHANGELOG

FEATURE: Linux service template for systemd user units (#818)

FIX: Docker share examples had incorrect default path for zrok environment mountpoint

FIX: Clarify how to use DNS providers like Route53 with the zrok Docker instance sample.

CHANGE: Use port 80 for the default Ziti API endpoint in the zrok Docker instance sample (#793).

CHANGE: Clarify OS requirements for zrok VPN

CHANGE: Set the Windows executable search path in the Windows install guide.

CHANGE: bump macOS runner for Python module from macos-12 to macos-13

v0.4.45

CHANGELOG

FEATURE: Minimal support for "organizations". Site admin API endpoints provided to create, list, and delete "organizations". Site admin API endpoints provided to add, list, and remove "organization members" (zrok accounts) with the ability to mark accounts as a "organization admin". API endpoints provided for organization admins to list the members of their organizations, and to also see the overview (environments, shares, and accesses) for any account in their organization. API endpoint for end users to see which organizations their account is a member of (#537)

CHANGE: briefly mention the backend modes that apply to public and private share concepts

FIX: Update indirect dependency github.com/golang-jwt/jwt/v4 to version v4.5.1 (#794)

FIX: Document unique names

FIX: reduce Docker image sizes (#783)

FIX: Docker reserved private share startup error (#801)

FIX: Correct the download URL for the armv7 Linux release (#782)

v0.4.44

CHANGELOG

CHANGE: Update github.com/openziti/sdk-golang to version v0.23.44. Remove old github.com/openziti/fabric dependency, instead pulling in the modern github.com/openziti/ziti dependency.

FIX: Bypass interstitial page for HTTP OPTIONS method (#777)

FIX: Fix for goreleaser build action to align with changed ARM64 build path.

v0.4.42

CHANGELOG

CHANGE: Switch all Dial operations made into the OpenZiti overlay to use DialWithOptions(..., &ziti.DialOptions{ConnectTimeout: 30 * time.Second}), switching to a 30 second timeout from a 5 second default (#772)

FIX: Removed the --basic-auth flag from zrok share private as this was ignored... even if zrok access private honored the ziti.proxy.v1 config to ask for basic auth, it would still be easy to write a custom SDK client that ignored the basic auth and accessed the share directly; better to remove the option than to allow confusing usage (#770)

FIX: always append common options like --headless and conditionally append --verbose --insecure if their respective env vars are set to when running in a service manager like systemd or Docker and wrapping the zrok command with the zrok-share.bash shell script (https://openziti.discourse.group/t/question-about-reserved-public-vs-temp-public-shares/3169)

FIX: Correct registration page CSS to ensure that the entire form is visible