call downstream workflows with version tag

.github/workflows/main.yml

@@ -463,21 +463,8 @@ jobs:
                 -path "./release/*/linux/ziti" \
             | xargs -0 chmod -c +x
 
-      - name: Publish GitHub Release
-        # forks need to run this step with their own GPG key because ziti-ci creates the GH release 
-        if: env.ziti_ci_gpg_key_id != null && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-v'))
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }}
-          ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }}
-        shell: bash
-        run: |
-          $(go env GOPATH)/bin/ziti-ci configure-git
-          $(go env GOPATH)/bin/ziti-ci tag -v -f version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
-          $(go env GOPATH)/bin/ziti-ci publish-to-github --prerelease --archive-base ""
-
       # only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches
-      - name: Compute the Ziti Version String used for Linux Packages and Container Image Tags
+      - name: Get next version for downstream release candidates
         id: get_version
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -495,59 +482,31 @@ jobs:
           echo "DEBUG: GITHUB_REPOSITORY=${GITHUB_REPOSITORY} GITHUB_REF=${GITHUB_REF} GITHUB_RUN_ID=${GITHUB_RUN_ID}"
           (set -x; git remote -v show;)
 
-          if [[ "${GITHUB_REF}" =~ ^refs/heads/(release-v|main$) ]]; then
-            # Set current tag as semver for release branches
-            ZITI_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-current-version)"
-
-            validateSemver "${ZITI_VERSION}"
+          # compute next patch level for non-release branches
+          ZITI_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-next-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})"
 
-            # drop the leading 'v', if any
-            ZITI_VERSION=${ZITI_VERSION#v}
-          else
-            # compute next patch level for non-release branches
-            ZITI_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-next-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})"
-
-            validateSemver "${ZITI_VERSION}"
+          validateSemver "${ZITI_VERSION}"
 
-            # drop the leading 'v', if any, and append run id
-            ZITI_VERSION=${ZITI_VERSION#v}-${GITHUB_RUN_ID}
-          fi
+          # drop the leading 'v', if any, and append run id
+          ZITI_VERSION=${ZITI_VERSION#v}-${GITHUB_RUN_ID}
 
           echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT
 
-  call-publish-prerelease-docker-images:
+  call-publish-docker-images:
     # - !cancelled() allows evaluating further conditional expressions even if
     #   needed jobs were skipped
     if: ${{
       !cancelled()
       && needs.publish.result == 'success'
       && github.ref == 'refs/heads/release-next'
       }}
-    name: Publish Pre-Release Docker Images
+    name: Publish Release Next Docker Images
     needs: publish
     uses: ./.github/workflows/publish-docker-images.yml
     secrets: inherit
     with:
       ziti-tag: release-next
 
-  call-publish-release-docker-images:
-    # - !cancelled() allows evaluating further conditional expressions even if
-    #   needed jobs were skipped
-    if: ${{
-      !cancelled()
-      && needs.publish.result == 'success'
-      && (
-      github.ref == 'refs/heads/main'
-      || startsWith(github.ref, 'refs/heads/release-v')
-      )
-      }}
-    name: Publish Release Docker Images
-    needs: publish
-    uses: ./.github/workflows/publish-docker-images.yml
-    secrets: inherit
-    with:
-      ziti-tag: ${{ needs.publish.outputs.ZITI_VERSION }}
-
   # call on release-next and release branches to publish linux packages to
   # "testing" and "release" package repos in Artifactory
   call-publish-linux-packages:
@@ -556,13 +515,9 @@ jobs:
     if: ${{
       !cancelled()
       && needs.publish.result == 'success'
-      && (
-      github.ref == 'refs/heads/main'
-      || startsWith(github.ref, 'refs/heads/release-v')
-      || github.ref == 'refs/heads/release-next'
-      )
+      && github.ref == 'refs/heads/release-next'
       }}
-    name: Publish Linux Packages
+    name: Publish Release Next Linux Packages
     needs: publish
     uses: ./.github/workflows/publish-linux-packages.yml
     secrets: inherit

.github/workflows/release.yml

@@ -147,8 +147,13 @@ jobs:
 
   publish:
     name: Publish Binaries
-    runs-on: ubuntu-20.04
+    if: ${{
+      !cancelled()
+      && (needs.mac-os-build.result == 'success' || needs.mac-os-build.result == 'skipped')
+      && (needs.windows-build.result == 'success' || needs.windows-build.result == 'skipped')
+      }}
     needs: [ tests, linux-build, mac-os-build, windows-build ]
+    runs-on: ubuntu-20.04
     outputs:
       ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }}
     steps:
@@ -217,3 +222,36 @@ jobs:
         run: |
           $(go env GOPATH)/bin/ziti-ci configure-git
           $(go env GOPATH)/bin/ziti-ci publish-to-github -t --prerelease --archive-base ""
+
+      # only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches
+      - name: Compute the Ziti Version String used for Linux Packages and Container Image Tags
+        id: get_version
+        shell: bash
+        run: |
+          # drop the leading 'v', if any
+          ZITI_VERSION=${GITHUB_REF_NAME#v}
+          echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT
+
+  call-publish-docker-images:
+    # - !cancelled() allows evaluating further conditional expressions even if
+    #   needed jobs were skipped
+    if: ${{ !cancelled() && needs.publish.result == 'success' }}
+    name: Publish Release Docker Images
+    needs: publish
+    uses: ./.github/workflows/publish-docker-images.yml
+    secrets: inherit
+    with:
+      ziti-tag: ${{ needs.publish.outputs.ZITI_VERSION }}
+
+  # call on release-next and release branches to publish linux packages to
+  # "testing" and "release" package repos in Artifactory
+  call-publish-linux-packages:
+    # - !cancelled() allows evaluating further conditional expressions even if
+    #   needed jobs were skipped
+    if: ${{ !cancelled() && needs.publish.result == 'success' }}
+    name: Publish Linux Packages
+    needs: publish
+    uses: ./.github/workflows/publish-linux-packages.yml
+    secrets: inherit
+    with:
+      ziti-version: ${{ needs.publish.outputs.ZITI_VERSION }}

CHANGELOG.md

@@ -1,3 +1,25 @@
+# Release 1.1.4
+
+## What's New
+
+* Bug fixes
+
+## Component Updates and Bug Fixes 
+
+* github.com/openziti/channel/v2: [v2.0.130 -> v2.0.131](https://github.com/openziti/channel/compare/v2.0.130...v2.0.131)
+* github.com/openziti/edge-api: [v0.26.19 -> v0.26.20](https://github.com/openziti/edge-api/compare/v0.26.19...v0.26.20)
+    * [Issue #113](https://github.com/openziti/edge-api/issues/113) - RecoveryCodesEnvelope is wrong
+
+* github.com/openziti/foundation/v2: [v2.0.45 -> v2.0.46](https://github.com/openziti/foundation/compare/v2.0.45...v2.0.46)
+    * [Issue #407](https://github.com/openziti/foundation/issues/407) - Remove Branch from build info
+
+* github.com/openziti/identity: [v1.0.77 -> v1.0.78](https://github.com/openziti/identity/compare/v1.0.77...v1.0.78)
+* github.com/openziti/metrics: [v1.2.54 -> v1.2.55](https://github.com/openziti/metrics/compare/v1.2.54...v1.2.55)
+* github.com/openziti/runzmd: [v1.0.47 -> v1.0.48](https://github.com/openziti/runzmd/compare/v1.0.47...v1.0.48)
+* github.com/openziti/transport/v2: [v2.0.133 -> v2.0.134](https://github.com/openziti/transport/compare/v2.0.133...v2.0.134)
+* github.com/openziti/ziti: [v1.1.3 -> v1.1.4](https://github.com/openziti/ziti/compare/v1.1.3...v1.1.4)
+    * [Issue #2124](https://github.com/openziti/ziti/issues/2124) - api session certs should be deleted when related api sessions are deleted
+
 # Release 1.1.3
 
 ## What's New

RELEASING.md

@@ -63,8 +63,10 @@ Perform these steps in PR branches based on release-next (trunk).
 
 Perform these steps in the release-next (trunk) branch which is based on main to release Ziti.
 
-1. Create a PR to merge release-next to main. Release happens by merging from the release-next branch to main.
-2. Ensure PR checks succeed.
+1. Create a PR to merge release-next to main.
+1. Ensure PR checks succeed.
+1. PreRelease happens by pushing a tag like v* on the HEAD of main.
+1. After burn-in, mark the release as "latest" in GitHub to promote downstreams.
 
 ## Downstreams
 

controller/config/config.go

@@ -23,6 +23,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
+	nfpem "github.com/openziti/foundation/v2/pem"
 	"github.com/openziti/identity"
 	"github.com/openziti/ziti/controller/command"
 	"github.com/pkg/errors"
@@ -101,6 +102,7 @@ type Config struct {
 	caPemsOnce      sync.Once
 	Totp            Totp
 	AuthRateLimiter command.AdaptiveRateLimiterConfig
+	caCerts         []*x509.Certificate
 }
 
 type HttpTimeouts struct {
@@ -133,22 +135,31 @@ func (c *Config) SessionTimeoutDuration() time.Duration {
 
 func (c *Config) CaPems() []byte {
 	c.caPemsOnce.Do(func() {
-		c.RefreshCaPems()
+		c.RefreshCas()
 	})
 
 	return c.caPems.Bytes()
 }
 
+func (c *Config) CaCerts() []*x509.Certificate {
+	c.caPemsOnce.Do(func() {
+		c.RefreshCas()
+	})
+
+	return c.caCerts
+}
+
 // AddCaPems adds a byte array of certificates to the current buffered list of CAs. The certificates
-// should be in PEM format separated by new lines. RefreshCaPems should be called after all
+// should be in PEM format separated by new lines. RefreshCas should be called after all
 // calls to AddCaPems are completed.
 func (c *Config) AddCaPems(caPems []byte) {
 	c.caPems.WriteString("\n")
 	c.caPems.Write(caPems)
 }
 
-func (c *Config) RefreshCaPems() {
+func (c *Config) RefreshCas() {
 	c.caPems = CalculateCaPems(c.caPems)
+	c.caCerts = nfpem.PemBytesToCertificates(c.caPems.Bytes())
 }
 
 func (c *Config) loadTotpSection(edgeConfigMap map[any]any) error {

controller/db/api_session_certificate_store.go

@@ -68,11 +68,11 @@ func (store *ApiSessionCertificateStoreImpl) initializeLocal() {
 	store.AddSymbol(FieldApiSessionCertificateApiSession, ast.NodeTypeString)
 	store.AddSymbol(FieldApiSessionCertificateSubject, ast.NodeTypeString)
 	store.AddSymbol(FieldApiSessionCertificateFingerprint, ast.NodeTypeString)
-	store.symbolApiSession = store.AddFkSymbol(FieldApiSessionCertificateApiSession, store.stores.apiSession)
+	store.symbolApiSession = store.AddSymbol(FieldApiSessionCertificateApiSession, ast.NodeTypeString)
 }
 
 func (store *ApiSessionCertificateStoreImpl) initializeLinked() {
-	store.AddFkIndex(store.symbolApiSession, store.stores.apiSession.apiSessionCertsSymbol)
+	store.AddFkIndexCascadeDelete(store.symbolApiSession, store.stores.apiSession.apiSessionCertsSymbol)
 }
 
 func (store *ApiSessionCertificateStoreImpl) NewEntity() *ApiSessionCertificate {

controller/model/enrollment_manager.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
 	"github.com/openziti/foundation/v2/errorz"
+	"github.com/openziti/identity"
 	"github.com/openziti/storage/boltz"
 	"github.com/openziti/ziti/common/cert"
 	"github.com/openziti/ziti/common/eid"
@@ -218,23 +219,26 @@ func (self *EnrollmentManager) ReplaceWithAuthenticator(enrollmentId string, aut
 // GetCertChainPem parses a given certificate in raw DER and attempt to provide string in PEM format of the
 // original certificate followed by each signing intermediate up to but not including the root CA.
 func (self *EnrollmentManager) GetCertChainPem(certRaw []byte) (string, error) {
-	clientCert, err := x509.ParseCertificate(certRaw)
+	targetCert, err := x509.ParseCertificate(certRaw)
 	if err != nil {
 		pfxlog.Logger().WithError(err).Error("error parsing cert raw during enrollment, attempting to assemble chain")
 		return "", err
 	}
 
-	var clientChainPem []byte
-	clientChain := self.env.GetHostController().Identity().CaPool().GetChainMinusRoot(clientCert)
-	for _, c := range clientChain {
+	var targetChainPem []byte
+
+	pool := identity.NewCaPool(self.env.GetConfig().CaCerts())
+	targetChain := pool.GetChainMinusRoot(targetCert)
+
+	for _, c := range targetChain {
 		pemData, err := cert.RawToPem(c.Raw)
 		if err != nil {
 			return "", err
 		}
-		clientChainPem = append(clientChainPem, pemData...)
+		targetChainPem = append(targetChainPem, pemData...)
 	}
 
-	return string(clientChainPem), nil
+	return string(targetChainPem), nil
 }
 
 func (self *EnrollmentManager) ApplyReplaceEncoderWithAuthenticatorCommand(cmd *ReplaceEnrollmentWithAuthenticatorCmd, ctx boltz.MutateContext) error {

controller/server/client-api.go

@@ -68,7 +68,7 @@ func (factory ClientApiFactory) Validate(config *xweb.InstanceConfig) error {
 		}
 	}
 
-	factory.appEnv.Config.RefreshCaPems()
+	factory.appEnv.Config.RefreshCas()
 
 	if !clientApiFound {
 		return errors.Errorf("could not find [edge.api.address] value [%s] as a bind point any instance of ApiConfig [%s]", factory.appEnv.Config.Api.Address, controller.ClientApiBinding)

go.mod

@@ -49,15 +49,15 @@ require (
 	github.com/natefinch/lumberjack v2.0.0+incompatible
 	github.com/openziti/agent v1.0.16
 	github.com/openziti/channel/v2 v2.0.131
-	github.com/openziti/edge-api v0.26.19
+	github.com/openziti/edge-api v0.26.20
 	github.com/openziti/foundation/v2 v2.0.46
 	github.com/openziti/identity v1.0.78
 	github.com/openziti/jwks v1.0.3
 	github.com/openziti/metrics v1.2.55
 	github.com/openziti/runzmd v1.0.48
 	github.com/openziti/sdk-golang v0.23.37
 	github.com/openziti/secretstream v0.1.20
-	github.com/openziti/storage v0.2.41
+	github.com/openziti/storage v0.2.42
 	github.com/openziti/transport/v2 v2.0.134
 	github.com/openziti/x509-claims v1.0.3
 	github.com/openziti/xweb/v2 v2.1.0
@@ -79,11 +79,11 @@ require (
 	github.com/zitadel/oidc/v2 v2.12.0
 	go.etcd.io/bbolt v1.3.10
 	go4.org v0.0.0-20180809161055-417644f6feb5
-	golang.org/x/crypto v0.23.0
-	golang.org/x/net v0.25.0
+	golang.org/x/crypto v0.24.0
+	golang.org/x/net v0.26.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.20.0
-	golang.org/x/text v0.15.0
+	golang.org/x/sys v0.21.0
+	golang.org/x/text v0.16.0
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/AlecAivazis/survey.v1 v1.8.8
 	gopkg.in/resty.v1 v1.12.0
@@ -113,7 +113,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -176,17 +176,17 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.15.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
-	go.opentelemetry.io/otel v1.26.0 // indirect
-	go.opentelemetry.io/otel/metric v1.26.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/trace v1.27.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/image v0.13.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/oauth2 v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	nhooyr.io/websocket v1.8.11 // indirect