Step 2: Install NetFoundry Self-Hosted
NetFoundry Self-Hosted provides a guided installation process via the quickstart.sh script to deploy your Ziti network
across various Kubernetes environments, supporting both interactive and automated configurations.
Before you begin
Ensure you've completed Step 1: Plan your deployment and verify the following:
- Ubuntu 22.x or Ubuntu 24.x host machine
- User account with sudo permissions
- For existing Kubernetes clusters: Kubernetes context loaded into your shell session
- Default storage class configured on the cluster
- DNS entries configured for controller and edge router addresses
The installer verifies cluster access by running kubectl cluster-info.
What the installer does
The quickstart script automates deployment by:
- Verifying prerequisites and cluster connectivity
- Installing NetFoundry Support stack to the
supportnamespace - Deploying OpenZiti ziti-controller to the
zitinamespace - Optionally installing a Ziti edge router with edge listener (requires an advertise address that is reachable by the Ziti network clients)
- Optionally configuring Ziti network resources for support tool access (Ziti services and policies for Grafana, Kibana, and RabbitMQ)
- Optionally installing Ziti edge tunnel as a host identity to access the support resources in the
supportnamespace
Run the installer
Interactive mode
Run the installer and follow the prompts:
./quickstart.sh
The installer will prompt you for:
- Controller advertise address
- Edge router advertise address (if installing the default router)
- Whether to install optional components (support tools, edge tunnel)
If you don't have an existing Kubernetes cluster, the installer can set up K3s for you when prompted.
Non-interactive mode
For automated deployments, set the controller address and accept all defaults:
export CTRL_ADDR=<controller-advertise-address>
./quickstart.sh -y
Example:
export CTRL_ADDR=ziti-clients.example.com
./quickstart.sh -y
Offline installation
For air-gapped environments, use the offline installation tarball. Currently the offline installer only supports single-node K3s installations.
Prerequisites
JFROG service account credentials from the NetFoundry Console at https://<orgname>.cloudziti.io
Download and extract
# Download the tarball
curl -fSL -u "$USERNAME:$PASS" -OJ https://netfoundry.jfrog.io/artifactory/nfpax-private-tgz-stable/deb/amd64/On-Prem-Offline-0.4.2.tar.gz
# Extract on the destination machine
mkdir -p netfoundry
tar -zxf ./On-Prem-Offline-0.4.2.tar.gz -C ./netfoundry
cd ./netfoundry
Run the installer
Interactive mode:
./quickstart-offline.sh
Non-interactive mode:
export CTRL_ADDR=<controller-advertise-address>
./quickstart-offline.sh -y
Offline installation currently supports single-node K3s installations only. zLAN features are not currently supported.
Enable optional features
NetFoundry zLAN
Enable zLAN features during initial installation or add them later:
./quickstart.sh -z
The installer will prompt for NetFoundry's private container registry credentials. For non-interactive mode, set environment variables:
export REGISTRY_USERNAME=<your-username>
export REGISTRY_PASSWORD=<your-password>
./quickstart.sh -z
Service account credentials can be obtained by downloading the QUAY service credentials from the NetFoundry
Console. Credentials are stored in Kubernetes as netfoundry-pull-secret.
Advanced deployment scenarios
Corporate proxy environments
Installing behind a corporate proxy requires additional setup. Review the proxy setup
documentation before running quickstart.sh.
EKS storage configuration
For installations on existing Amazon EKS clusters, initialize the ebs.csi.aws.com driver:
./installers/setup_eks_storage.sh
DNS configuration during installation
After the installer creates Kubernetes services, configure DNS mappings before proceeding:
-
Check the service endpoint:
kubectl get services -n ziti
NAME TYPE EXTERNAL-IP
ziti-controller-client LoadBalancer a6190904c366c4c69882d46069e44e28-12345678.us-east-1.elb.amazonaws.com -
Create DNS entry mapping your advertise address to the external endpoint:
ziti-clients.example.com → a6190904c366c4c69882d46069e44e28-12345678.us-east-1.elb.amazonaws.com -
Resume the installer once DNS is configured.
DNS changes can take several minutes to propagate. Use nslookup or dig to verify before proceeding.
Troubleshooting
Storage class not found
Configure a default storage class before running the installer. See Storage configuration.
DNS resolution fails
Verify DNS entries are correctly configured and propagated:
nslookup ziti-clients.example.com
Port conflicts on K3s
K3s quickstart requires ports above 1024. Use the default ports (1280 for controller, 3022 for router) or see the FAQ for configuration below port 1024.