openziti · qrkourier · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -1,51 +1 @@
 /about
-/archive
-/bootstrapping-trust-part-1-encryption-everywhere
-/bootstrapping-trust-part-2-a-primer-on-public-key-cryptography
-/bootstrapping-trust-part-3-certificates
-/bootstrapping-trust-part-4-certificate-authorities-chains-of-trust
-/bootstrapping-trust-part-5-bootstrapping-trust
-/browzer-gateway-fqdn-certs
-/browzer-gateway-wildcard-certs
-/extrovert-wednesday
-/free-secure-access-to-nas-from-anywhere
-/golang-aha-moments-channels
-/golang-aha-moments-generics
-/high-level-publicprivate-cryptography
-/integrating-ziti-is-easy
-/introducing-openziti-browzer
-/its-a-zitiful-life
-/kubernetes
-/members
-/mobile-point-of-sale-mpos-app-ziti-android-java-sdk-integration
-/my-intern-assignment-call-a-dark-webhook-from-aws-lambda
-/newsletter
-/nginx-zerotrust-api-security
-/openziti-authentication-api-integrations
-/openziti-browzer-gateway
-/openziti-browzer-gateway-1
-/openziti-is-participating-in-hacktoberfest-prost
-/openziti-python-sdk-introduction
-/quickstart
-/securing-nodejs-applications
-/securing-web-apis-with-openziti
-/series/browzer
-/series/golang-aha
-/series/openziti-sdks
-/series/ziti-network-berlhome
-/setting-up-oracle-cloud-to-host-openziti
-/set-up-a-secure-multiplayer-minecraft-server
-/tag/aws-lambda
-/tag/developer
-/tag/ebpf
-/tag/go
-/tag/golang
-/tag/opensource
-/tag/openziti
-/tunneling-voip-over-openziti
-/using-ebpf-tc-to-securely-mangle-packets-in-the-kernel-and-pass-them-to-my-secure-networking-application
-/zero-trust-monitoring-with-openziti
-/zero-trust-overlay-network-to-access-homeassistant
-/zitification
-/zitifying-scp
-/zitifying-ssh
@@ -1,133 +1,2 @@
 /docs/learn/introduction
-/docs/learn/quickstarts
-/docs/learn/introduction/components
-/docs/category/network
-/docs/learn/quickstarts/zac
-/docs/learn/core-concepts
-/docs/learn/quickstarts/network/hosted
-/docs/learn/introduction/key_concepts
-/docs/reference/deployments
-/docs/reference/tunnelers/linux
-/docs/learn/quickstarts/network/local-no-docker
-/docs/learn/quickstarts/browzer
-/docs/learn/quickstarts/network/local-docker-compose
-/docs/learn/introduction/features
-/docs/downloads
-/docs/learn/quickstarts/services
-/docs/reference/configuration/conventions
-/docs/learn/introduction/openziti-is-software
-/docs/learn/core-concepts/clients/choose
-/docs/reference/deployments/controller
-/docs/category/public-cloud-deployment
-/docs/learn/quickstarts/network/local-with-docker
-/docs/reference/tunnelers/windows
-/docs/category/local-gateway
-/docs/reference/deployments/router/deployment
-/docs/reference
-/docs/reference/config-types
-/docs/reference/developer
-/docs/learn/quickstarts/services/ztha
-/docs/learn/core-concepts/identities/overview
-/docs/guides
-/docs/category/kubernetes
-/docs/learn/core-concepts/zero-trust-models/overview
-/docs/learn/quickstarts/browzer/example
-/docs/guides/Public_Cloud_Deployment/Controller
-/docs/guides/Public_Cloud_Deployment/Router
-/docs/reference/tunnelers/linux/container
-/docs/category/process-sequences
-/docs/learn/core-concepts/services/overview
-/docs/learn/quickstarts/network/local-kubernetes
-/docs/guides/data-flow-explainer
-/docs/learn/core-concepts/clients/process-sequences/EndpointInitialization
-/docs/reference/deployments/router/router-configuration
-/docs/guides/local-gateway/router
-/docs/category/hosting-openziti
-/docs/reference/developer/sdk
-/docs/reference/developer/api
-/docs/learn/core-concepts/security/overview
-/docs/reference/configuration/controller
-/docs/reference/configuration/router
-/docs/learn/core-concepts/config-store/overview
-/docs/learn/core-concepts/identities/creating
-/docs/reference/glossary
-/docs/guides/Public_Cloud_Deployment
-/docs/learn/core-concepts/clients/process-sequences/EndpointRegistration
-/docs/guides/Public_Cloud_Deployment/Services
-/docs/category/securing-apis
-/docs/guides/kubernetes/hosting/kubernetes-controller
-/docs/learn/core-concepts/zero-trust-models/ztaa
-/docs/learn/core-concepts/identities/enrolling
-/docs/reference/tunnelers/macos
-/docs/reference/tunnelers/android
-/docs/learn/core-concepts/zero-trust-models/ztha
-/docs/learn/core-concepts/metrics/overview
-/docs/learn/core-concepts/zero-trust-models/ztna
-/docs/guides/kubernetes/workload-tunneling
-/docs/learn/core-concepts/clients/process-sequences/ServiceDial
-/docs/reference/deployments/router/cli-mgmt
-/docs/guides/database-backup
-/docs/reference/tunnelers/linux/linux-tunnel-options
-/docs/learn/core-concepts/security/authentication/auth
-/docs/guides/local-gateway/tunneler
-/docs/learn/quickstarts/network/help/change-admin-password
-/docs/category/help
-/docs/reference/tunnelers/iOS
-/docs/guides/Local_Gateway/EdgeRouter
-/docs/guides/kubernetes/hosting/kubernetes-router
-/docs/reference/developer/api/edge-management-reference
-/docs/learn/core-concepts/pki
-/docs/learn/quickstarts/network/help/quickstart-walkthrough
-/docs/reference/developer/api/edge-client-reference
-/docs/reference/tunnelers/linux/linux-tunnel-troubleshooting
-/docs/reference/config-types/host.v1
-/docs/category/troubleshooting
-/docs/learn/core-concepts/config-store/config-type-host-v1
-/docs/guides/securing-apis/aks-api-with-nginx-ziti-module
-/docs/learn/quickstarts/services/kubernetes-service
-/docs/learn/core-concepts/security/authorization/auth
-/docs/guides/Local_Gateway/EdgeTunnel
-/docs/learn/core-concepts/metrics/available-metrics
-/docs/learn/core-concepts/security/authorization/policies/overview
-/docs/learn/quickstarts/network/help/reset-quickstart
-/docs/guides/hsm/yubikey
-/docs/reference/config-types/host.v2
-/docs/guides/kubernetes/hosting/kubernetes-console
-/docs/learn/core-concepts/security/SessionsAndConnections
-/docs/guides/hsm/softhsm
-/docs/learn/core-concepts/security/authentication/third-party-cas
-/docs/learn/core-concepts/security/connection-security
-/docs/learn/core-concepts/security/authentication/password-management
-/docs/learn/core-concepts/security/authentication/external-jwt-signers
-/docs/learn/core-concepts/metrics/types
-/docs/learn/quickstarts/network/help/upgrade-quickstart-network
-/docs/learn/core-concepts/security/authentication/identities
-/docs/guides/kubernetes/workload-tunneling/kubernetes-sidecar
-/docs/learn/core-concepts/metrics/prometheus
-/docs/learn/core-concepts/metrics/grafana
-/docs/guides/kubernetes/workload-tunneling/kubernetes-host
-/docs/learn/core-concepts/config-store/managing
-/docs/learn/core-concepts/config-store/config-type-intercept-v1
-/docs/learn/core-concepts/metrics/sequence-diagram
-/docs/learn/core-concepts/security/authentication/totp
-/docs/learn/core-concepts/security/sessions
-/docs/guides/kubernetes/workload-tunneling/kubernetes-daemonset
-/docs/reference/tunnelers
-/docs/learn/core-concepts/security/enrollment
-/docs/learn/core-concepts/config-store/consuming
-/docs/learn/core-concepts/security/authorization/posture-checks
-/docs/learn/core-concepts/metrics/inspect
-/docs/learn/core-concepts/security/authentication/authentication-policies
-/docs/learn/core-concepts/metrics/file
-/docs/learn/core-concepts/security/authorization/policies/creating-edge-router-policies
-/docs/learn/core-concepts/security/authentication/api-session-certificates
-/docs/learn/core-concepts/security/authentication/certificate-management
-/docs/guides/troubleshooting/circuit-create-error-codes
-/docs/reference/developer/api/fabric-api
-/docs/learn/core-concepts/security/authorization/policies/creating-service-edge-router-policies
-/docs/reference/developer/api/shared-api-capabilities
-/docs/guides/troubleshooting/pki-troubleshooting
-/docs/learn/core-concepts/security/authorization/policies/creating-service-policies
-/blog/zitification/prometheus/part1
-/docs/reference/developer/sdk/android
-/docs/category/deployments
+
@@ -1,14 +1,14 @@
 ---
-title: Controller Deployment
-sidebar_label: Controller
+title: Linux Controller
+sidebar_label: Linux
 id: deploy
 ---
 
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 import LinuxPackageRepo from '/docs/_linux-package-repo.mdx';
 
-This article is about deploying a controller as a Linux system service. [The controller introduction](/learn/introduction/03-components.mdx#controller) may be helpful to read first.
+This article is about deploying a controller as a Linux system service.
 
 We'll cover the following topics:
 
@@ -40,40 +40,48 @@ Finally, install the package: **openziti-controller**
 
 You must generate, migrate, or craft a configuration. Configuration consists of a PKI, a config YAML file, and a database.
 
-### Generate a Configuration
+### Generate a Configuration for the First Node in a New Cluster
 
-This is the recommended approach if you are installing a new controller.
+This is the simplest approach if you are installing a new controller as the first node in a new cluster and do not wish to craft a configuration from scratch.
 
 #### Answer Interactively
 
-Run `bootstrap.bash` to be prompted for the required values.
+Run `bootstrap.bash` and answer prompts.
 
 ```text
 sudo /opt/openziti/etc/controller/bootstrap.bash
 ```
 
+```buttonless title="Output"
+Create a new cluster (NO if joining a cluster) [Y/n]: 
+```
+
 #### Answer Non-interactively
 
-1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env**.
-    1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane permanent DNS name (required)
+1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env** or export as environment variables.
+    1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane address (required, ex: `ctrl1.ziti.example.com`)
     1. `ZITI_CTRL_ADVERTISED_PORT` - listener TCP port (default: 1280)
+    1. `ZITI_CLUSTER_TRUST_DOMAIN` - SPIFFEE trust domain (required, ex: `ziti.example.com`)
+    1. `ZITI_CLUSTER_NODE_NAME` - SPIFFEE node name (required, ex: `ctrl1`)
     1. `ZITI_USER` - username (default: admin)
     1. `ZITI_PWD` - password to initialize the database (required)
-1. Run `bootstrap.bash`
+1. Run `bootstrap.bash`.
 
     ```text
-    sudo /opt/openziti/etc/controller/bootstrap.bash
+    sudo -E /opt/openziti/etc/controller/bootstrap.bash < /dev/null
     ```
 
+### Generate a Configuration for a New Node in an Existing Cluster
+
+
+
 ### Migrate an Existing Configuration
 
-[This example](./15-migrate.mdx) illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.
+[This example](./70-migrate.mdx) illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.
 
 ### Craft a Configuration
 
-Craft a new configuration by running `ziti create config controller`.
-
-Review the environment variables, especially those named like `ZITI_CTRL_*`, that influence the controller configuration with `ziti create config environment`.
+Craft a new configuration from scratch or start with a sane set of default values by running `ziti create config controller --clustered`.
 
 Here's a link to [the controller configuration reference](/reference/30-configuration/controller.md).
 

@@ -0,0 +1,11 @@
+---
+title: Docker Controller
+sidebar_label: Docker
+---
+
+import DockerControllerReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-controller/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+<MarkdownWithoutH1>
+    <DockerControllerReadme />
+</MarkdownWithoutH1>
@@ -0,0 +1,11 @@
+---
+title: Kubernetes Controller
+sidebar_label: Kubernetes
+---
+
+import ControllerHelmChartReadme from '/docs/_remotes/helm-charts/charts/ziti-controller/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+<MarkdownWithoutH1>
+    <ControllerHelmChartReadme />
+</MarkdownWithoutH1>
@@ -3,10 +3,10 @@ title: Migrate a Controller Installation
 sidebar_label: Migrate
 ---
 
-Here's an example of migrating an existing controller's configuration to the Linux service's working directory.
+Here's an example of migrating an existing controller's configuration to the Linux service's working directory. Similarly, you could migrate a configuration to a Docker volume.
 
 1. Remove the quickstart controller service if you followed the BASH quickstart to create **/etc/systemd/system/ziti-controller.service**.
-1. Follow [the Linux controller deployment guide](/guides/deployments/10-linux/10-controller/10-deploy.mdx) to install the controller service.
+1. Follow [the Linux controller deployment guide](/deployments/20-controller/20-linux.mdx) to install the controller service.
 1. Ensure the controller service is disabled and the state is clean.
 
     ```text

@@ -0,0 +1,34 @@
+---
+title: Controller Deployment Overview
+sidebar_label: Controller
+---
+
+## Getting Started
+
+These requirements apply to all controller deployments. Check out the [Linux](/deployments/20-controller/20-linux.mdx), [Docker](/deployments/20-controller/40-docker.mdx), and [Kubernetes](/deployments/20-controller/60-kubernetes.mdx) articles for more details.
+
+## Requirements
+
+1. a root CA for the cluster
+1. a signer CA certificate, identity certificates, and configuration YAML file for each node
+1. an initialized database on the first node, replicated to subsequent nodes
+
+### The Cluster Root CA Certificate
+
+Before provisioning your first node, you must [create a new public key infrastructure](/reference/ha/bootstrapping/certificates.md) (PKI) for the cluster. This includes a root CA certificate and private key.
+
+The cluster's root CA is never required on any node. For security, secure the root CA separately from the deployment environment, not on the first node. For convenience, the root CA may be co-located with the first node in the cluster.
+
+### The Edge Enrollment Signer CA Certificate
+
+Each node must have an edge enrollment signer CA certificate issued by [the cluster's root CA](/reference/ha/bootstrapping/certificates.md). In the configuration YAML file, [the property `edge.enrollment.signingCert`](/reference/30-configuration/controller.md) configures the edge signer CA certificate and private key. The edge signer CA issues leaf certificates during identity and router enrollment.
+
+### The Controller's Identity Certificates
+
+These are leaf certificates from the edge enrollment signer CA. In the configuration YAML file, [the property `identity`](/reference/30-configuration/conventions.md) configures the controller's identity certificates and private keys.
+
+### The Configuration YAML File
+
+[The configuration YAML file](/reference/30-configuration/controller.md) is required for all nodes. It is used to configure the controller's signing cert, identity, database, listener addresses, and more.
+
+A utility or template is provided for each type of deployment to assist with generating a valid configuration YAML file.
@@ -1,5 +1,6 @@
 ---
-title: Router Deployment
+title: Linux Router
+sidebar_label: Linux
 ---
 
 import Tabs from '@theme/Tabs';
@@ -17,9 +18,9 @@ We'll cover the following topics:
 
 ## Router Creation
 
-You must create the router in the controller first with [the web console](/guides/deployments/10-linux/30-console.mdx) or [the CLI](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx).
+You must create the router in the controller first with [the web console](/deployments/60-console/20-linux.mdx) or [the CLI](/deployments/40-router/75-cli-mgmt.mdx).
 
-After [creating the router](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx#create-a-router), save the enrollment token (JWT) and provide the file path to the router during the configuration step below.
+After [creating the router](/deployments/40-router/75-cli-mgmt.mdx#create-a-router), save the enrollment token (JWT) and provide the file path to the router during the configuration step below.
 
 ## Install the Router Package
 
@@ -71,10 +72,6 @@ sudo /opt/openziti/etc/router/bootstrap.bash
     sudo /opt/openziti/etc/router/bootstrap.bash
     ```
 
-### Migrate an Existing Configuration
-
-[This example](./50-migrate.mdx) illustrates copying the configuration and identity files from a previous installation to the router service's working directory.
-
 ### Craft a Configuration
 
 Craft a new configuration by running `ziti create config router edge --routerName=router`.
@@ -100,7 +97,7 @@ sudo systemctl restart ziti-router.service
 ```
 Here's a link to [the configuration reference](/reference/30-configuration/router.md).
 
-Learn more about [managing routers with the CLI](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx).
+Learn more about [managing routers with the CLI](/deployments/40-router/75-cli-mgmt.mdx).
 
 ## Firewall
 

@@ -0,0 +1,11 @@
+---
+title: Docker Router
+sidebar_label: Docker
+---
+
+import DockerRouterReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-router/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+<MarkdownWithoutH1>
+    <DockerRouterReadme />
+</MarkdownWithoutH1>