checkpoint

qrkourier · qrkourier · commit 60ecaff4c2be · 2025-04-29T13:38:48.000-04:00
diff --git a/deployments.tar b/deployments.tar
diff --git a/docusaurus/docs/deployments/20-controller/20-linux.mdx b/docusaurus/docs/deployments/20-controller/20-linux.mdx
@@ -8,7 +8,7 @@ import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 import LinuxPackageRepo from '/docs/_linux-package-repo.mdx';
 
-This article is about deploying a controller as a Linux system service. [The controller introduction](/learn/introduction/03-components.mdx#controller) may be helpful to read first.
+This article is about deploying a controller as a Linux system service.
 
 We'll cover the following topics:
 
@@ -40,40 +40,48 @@ Finally, install the package: **openziti-controller**
 
 You must generate, migrate, or craft a configuration. Configuration consists of a PKI, a config YAML file, and a database.
 
-### Generate a Configuration
+### Generate a Configuration for the First Node in a New Cluster
 
-This is the recommended approach if you are installing a new controller.
+This is the simplest approach if you are installing a new controller as the first node in a new cluster and do not wish to craft a configuration from scratch.
 
 #### Answer Interactively
 
-Run `bootstrap.bash` to be prompted for the required values.
+Run `bootstrap.bash` and answer prompts.
 
 ```text
 sudo /opt/openziti/etc/controller/bootstrap.bash
 ```
 
+```buttonless title="Output"
+Create a new cluster (NO if joining a cluster) [Y/n]: 
+```
+
 #### Answer Non-interactively
 
-1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env**.
-    1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane permanent DNS name (required)
+1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env** or export as environment variables.
+    1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane address (required, ex: `ctrl1.ziti.example.com`)
     1. `ZITI_CTRL_ADVERTISED_PORT` - listener TCP port (default: 1280)
+    1. `ZITI_CLUSTER_TRUST_DOMAIN` - SPIFFEE trust domain (required, ex: `ziti.example.com`)
+    1. `ZITI_CLUSTER_NODE_NAME` - SPIFFEE node name (required, ex: `ctrl1`)
     1. `ZITI_USER` - username (default: admin)
     1. `ZITI_PWD` - password to initialize the database (required)
-1. Run `bootstrap.bash`
+1. Run `bootstrap.bash`.
 
     ```text
-    sudo /opt/openziti/etc/controller/bootstrap.bash
+    sudo -E /opt/openziti/etc/controller/bootstrap.bash < /dev/null
     ```
 
+### Generate a Configuration for a New Node in an Existing Cluster
+
+
+
 ### Migrate an Existing Configuration
 
 [This example](./70-migrate.mdx) illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.
 
 ### Craft a Configuration
 
-Craft a new configuration by running `ziti create config controller`.
-
-Review the environment variables, especially those named like `ZITI_CTRL_*`, that influence the controller configuration with `ziti create config environment`.
+Craft a new configuration from scratch or start with a sane set of default values by running `ziti create config controller --clustered`.
 
 Here's a link to [the controller configuration reference](/reference/30-configuration/controller.md).
 
diff --git a/docusaurus/docs/deployments/20-controller/70-migrate.mdx b/docusaurus/docs/deployments/20-controller/70-migrate.mdx
@@ -3,7 +3,7 @@ title: Migrate a Controller Installation
 sidebar_label: Migrate
 ---
 
-Here's an example of migrating an existing controller's configuration to the Linux service's working directory.
+Here's an example of migrating an existing controller's configuration to the Linux service's working directory. Similarly, you could migrate a configuration to a Docker volume.
 
 1. Remove the quickstart controller service if you followed the BASH quickstart to create **/etc/systemd/system/ziti-controller.service**.
 1. Follow [the Linux controller deployment guide](/deployments/20-controller/20-linux.mdx) to install the controller service.
diff --git a/docusaurus/docs/deployments/20-controller/index.mdx b/docusaurus/docs/deployments/20-controller/index.mdx
@@ -3,27 +3,31 @@ title: Controller Deployment Overview
 sidebar_label: Controller
 ---
 
+## Getting Started
+
+These requirements apply to all controller deployments. Check out the [Linux](/deployments/20-controller/20-linux.mdx), [Docker](/deployments/20-controller/40-docker.mdx), and [Kubernetes](/deployments/20-controller/60-kubernetes.mdx) articles for more details.
+
 ## Requirements
 
 1. a root CA for the cluster
-1. a signer CA certificate, identity certificate, and configuration YAML file for each node
+1. a signer CA certificate, identity certificates, and configuration YAML file for each node
 1. an initialized database on the first node, replicated to subsequent nodes
 
-## The Cluster Root CA Certificate
+### The Cluster Root CA Certificate
 
 Before provisioning your first node, you must [create a new public key infrastructure](/reference/ha/bootstrapping/certificates.md) (PKI) for the cluster. This includes a root CA certificate and private key.
 
 The cluster's root CA is never required on any node. For security, secure the root CA separately from the deployment environment, not on the first node. For convenience, the root CA may be co-located with the first node in the cluster.
 
-## The Edge Enrollment Signer CA Certificate
+### The Edge Enrollment Signer CA Certificate
 
 Each node must have an edge enrollment signer CA certificate issued by [the cluster's root CA](/reference/ha/bootstrapping/certificates.md). In the configuration YAML file, [the property `edge.enrollment.signingCert`](/reference/30-configuration/controller.md) configures the edge signer CA certificate and private key. The edge signer CA issues leaf certificates during identity and router enrollment.
 
-## The Controller's Identity Certificate
+### The Controller's Identity Certificates
 
-This is a leaf certificate from the edge enrollment signer CA. In the configuration YAML file, [the property `identity`](/reference/30-configuration/conventions.md) configures the controller's identity certificate and private key.
+These are leaf certificates from the edge enrollment signer CA. In the configuration YAML file, [the property `identity`](/reference/30-configuration/conventions.md) configures the controller's identity certificates and private keys.
 
-## The Configuration YAML File
+### The Configuration YAML File
 
 [The configuration YAML file](/reference/30-configuration/controller.md) is required for all nodes. It is used to configure the controller's signing cert, identity, database, listener addresses, and more.
 
