Adding Containers to Helm Service

The developer guide does not work in OpenShift because the Helm charts have insecure security policies and will not launch the hello-toy instance. To get around this I would like to launch another container app to use the ziti-host proxy but I’m having issues mapping the additional containers to the ziti-host service.

I have OpenShift 4.12 setup with a Helm openziti/ziti-host chart installed. I can not figure out how to have other containers use the ziti-host service.

I am using the following install guide;

apiVersion: v1
  name: sof-01-service
  namespace: metalcoms
  uid: db29a881-acf9-456c-b8b4-b3e4e13fbc77
  resourceVersion: '2727235'
  creationTimestamp: '2023-05-02T00:16:05Z'
  labels: hello-netfoundry Helm hello-toy latest hello-toy-2.0.1
  annotations: hello-netfoundry metalcoms
    - manager: helm
      operation: Update
      apiVersion: v1
      time: '2023-05-02T00:16:05Z'
      fieldsType: FieldsV1
            .: {}
            '': {}
            '': {}
            .: {}
            '': {}
            '': {}
            '': {}
            '': {}
            '': {}
          'f:internalTrafficPolicy': {}
            .: {}
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector': {}
          'f:sessionAffinity': {}
          'f:type': {}
    - IPv4
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  internalTrafficPolicy: Cluster
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector: hello-netfoundry hello-toy
  loadBalancer: {}

Hi Brad,

Welcome to NetFoundry Community Support. Our Ad/Dev team will look into this and we’ll get back to you.


The ziti host chart installs ziti edge tunnel in host mode. You just need to configure a service with a destination name or ip address of the app you are trying to reach on the ziti controller.

Once the service is configured as described in the guide and other steps are completed, you should be able to reach your app inside the cluster from your ziti client.

If you have time today and want to discuss this over zoom , please let me know. I will send the invite.

Great, I’m available 9:30-10:00 and 12:30-3:00 EST today. Let me know if any or those times work

1:30 PM would work. If you message me your email, I will forward the invite.

I was able to get it to work. On the client side you have to use FQDN naming. I was using sof-01-service, the correct naming should have a “.” i.e. sof.service.

Also directly using the cluster IP of the container and port on the Kube side.

Glad it is working for you. Yes, you need at least one dot.

@Brad_Sollar Was the security policy issue preventing you from running the toy chart only? Would you be able to say what the issue was with that? I’m not up to speed yet on how OpenShift/MicroShift are handling the deprecation of pod security policies in Kubernetes upstream.

I’ll check again and get the exact error, but most of the time it when containers are run as root when you see those types of permissions issues. Best practice is to install software you need as root then change the user at the end to something like 1001

@Brad_Sollar I released a new version of that Helm chart “hello-toy” that uses an unprivileged webserver instead of running as root.

If you do a helm repo update openziti and set your chart version like >=2.1.0 then you’ll get this release in the next helm upgrade.

That got it to work in OpenShift 4.12. Thanks!

1 Like