Step 3: Verify your installation
Once the installer completes, verify that the OpenZiti components and support services are running correctly before proceeding.
Set up your shell session
If you installed using K3s, run these commands to set up your current shell session:
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
source /etc/profile.d/nf_help_menu.sh
These commands only need to be run once after the initial install—new shell sessions pick up these settings automatically.
If you're using a bring-your-own Kubernetes cluster, your KUBECONFIG is already configured. You still need to source
the profile script to load the nf-* shortcut commands into your session:
source /etc/profile.d/nf_help_menu.sh
Verify deployment health
Run nf-status to check the status of all NetFoundry deployments across the ziti, support, and cert-manager
namespaces:
nf-status
All deployments should show the expected replica count in the READY column (e.g., 1/1). If any deployments show
0/1, investigate with kubectl describe on the corresponding pod.
For more detail, check individual namespaces with kubectl:
kubectl get pods -n ziti
kubectl get pods -n support
All pods should show a Running status with all containers ready. If any pods show CrashLoopBackOff, Error, or
Pending, see Troubleshooting for diagnostic steps.
On a support-enabled install, the controller pod shows a single restart (RESTARTS of 1). The installer re-applies
the controller once to enable metrics, which restarts the pod. This is expected and not a fault.
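The pod checks above can be scripted. This is an added example, not part of the NetFoundry tooling: check_pods is a hypothetical helper that reads kubectl get pods output on stdin and reports pods that are not Running, not fully ready, or restarted more often than allowed. The pod names in the sample are constructed, and applying the one-restart allowance to every pod is a simplifying assumption.

```sh
#!/bin/sh
# Added example (not NetFoundry code): flag unhealthy pods in the
# table printed by `kubectl get pods -n <namespace>`.

# check_pods [MAX_RESTARTS]
# Reads the table on stdin and prints one line per problem pod.
# MAX_RESTARTS defaults to 1, the single controller restart the
# page describes for support-enabled installs (assumption: the
# same allowance is used for every pod).
check_pods() {
    awk -v max_restarts="${1:-1}" '
    NR == 1 { next }                 # skip the header row
    {
        name = $1; ready = $2; status = $3; restarts = $4
        split(ready, r, "/")         # READY is "<ready>/<total>"
        if (status != "Running")
            printf "%s: status %s\n", name, status
        else if (r[1] != r[2])
            printf "%s: only %s containers ready\n", name, ready
        else if (restarts + 0 > max_restarts + 0)
            printf "%s: %d restarts\n", name, restarts
    }'
}

# Constructed sample output; the pod names are made up.
sample_pods() {
    cat <<'EOF'
NAME                               READY   STATUS             RESTARTS   AGE
ziti-controller-5d8f7c9b6d-abcde   1/1     Running            1          10m
ziti-router-1-7c6b5d4f8-fghij      0/1     CrashLoopBackOff   4          10m
example-sidecar-6f9d8c7b5-klmno    1/2     Running            0          10m
EOF
}

# Run against the sample. On a live cluster:
#   kubectl get pods -n ziti | check_pods
#   kubectl get pods -n support | check_pods
sample_pods | check_pods
```

An empty result means every pod in the namespace passed all three checks.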
Review installation notes
The installer generates an INSTALL-NOTES.txt file containing your console URL, admin credentials, support tool URLs,
and helm upgrade commands. View these notes at any time:
nf-install-notes
Access the OpenZiti API via CLI
The Ziti CLI is installed as part of the quickstart and can be used to manage your network directly from the command line. To authenticate with the controller, run:
nf-login
This retrieves the admin credentials from Kubernetes secrets and logs you into the controller automatically. Once logged
in, you can use ziti edge commands to list and manage identities, services, policies, routers, and other resources.
For example:
ziti edge list identities
ziti edge list services
Access the web console (Ziti Console Enterprise)
Ziti Console Enterprise is the default
web-based console for managing your OpenZiti network, including identities, services, and policies. It is installed
automatically with the support stack (the default install) and requires NetFoundry
container registry credentials (REGISTRY_USERNAME and REGISTRY_PASSWORD).
If you installed with the support stack disabled (-s) or without registry credentials, Ziti Console Enterprise is
not installed. Use the legacy Ziti Admin Console (ZAC) instead.
- Console URL: Ziti Console Enterprise is reached at its own URL (https://<your-console-address>/, or a base path such as /console if basePath was customized), not at the controller's /zac/ path. The installer prints the exact address in INSTALL-NOTES.txt (look for "Access the Ziti Console Enterprise at: ..."). Run nf-install-notes to view it.
- Exposure: The console is exposed via ingress (the default, recommended for K3s) or a LoadBalancer service. If a LoadBalancer is used, a DNS entry pointing at the ingress or load balancer address may be required; the install notes call this out. For the EKS LoadBalancer setup, see Ziti Console Enterprise on EKS.
- Initial credentials: The installer generates administrator credentials during setup. Run nf-install-notes to view them. To retrieve the admin password directly from Kubernetes secrets:
kubectl get secrets ziti-controller-admin-secret -n ziti \
  -o go-template='{{index .data "admin-password" | base64decode}}'
- Certificate warning: The console uses a self-signed TLS certificate issued by cert-manager, so your browser will display a security warning on first access. You can proceed past the warning or configure a public certificate.
Access the legacy Ziti Admin Console (ZAC)
The Ziti Admin Console (ZAC) still ships with the controller and deploys alongside it, served at
https://<your-controller-advertise-address>/zac/. The zac web binding is deprecated upstream, and ZAC is now only
the fallback console used when Ziti Console Enterprise is not installed (support stack disabled or no registry
credentials). Use the same admin credentials shown by nf-install-notes. As with the enterprise console, the
self-signed CA triggers a browser certificate warning on first access.
Verify support tool access
If you installed the OpenZiti network resources for support tools during setup, confirm they were created successfully.
In the web console, navigate to the services list to verify that services and policies have been created for Grafana, Kibana, and Elasticsearch.
If the OpenZiti edge tunnel was installed as a host identity, verify it's running:
kubectl get pods -n support -l app=ziti-edge-tunnel
The support tools are accessible over Ziti using the intercept addresses configured during installation (by default
grafana.ziti, kibana.ziti, and elasticsearch.ziti). To access them, enroll the support-user.jwt token
generated during installation with an OpenZiti client (Desktop Edge, mobile tunneler, or CLI tunneler).
For full details on intercept addresses, default credentials, and configuration options, see the support stack overview.
Troubleshoot common issues
| Symptom | Resolution |
|---|---|
| Pods stuck in Pending | Check node resources with kubectl describe node and verify sufficient CPU/memory |
| LoadBalancer has no external IP | Verify your cluster supports LoadBalancer services or check cloud provider config |
| Can't reach console in browser | Confirm DNS is resolving to the correct ingress or LoadBalancer address and the console URL from nf-install-notes is reachable |
| Certificate errors in browser | Expected with self-signed CA—proceed past the warning or import the root CA |
Check Kubernetes events
Kubernetes events often reveal the root cause of pod failures, scheduling issues, or volume problems. To view recent events across the relevant namespaces, run:
kubectl get events -n ziti --sort-by='.metadata.creationTimestamp'
kubectl get events -n support --sort-by='.metadata.creationTimestamp'
Installer log files
The installer creates log files in the logs/ directory that are useful for diagnosing issues:
- logs/quickstart_<timestamp>.log: Full output from the quickstart installer, including all commands and their results.
- logs/upgrade_<timestamp>.log: Full output from the upgrade script.
- logs/kubectl_events_<timestamp>.log: Kubernetes events captured automatically if the installer encounters an error.
Contact support
If you're unable to resolve an issue, run nf-support-bundle to collect diagnostics and logs into a zip file. Include
this bundle along with the log files in the logs/ directory when contacting NetFoundry support.
For more detailed troubleshooting, see the troubleshooting guide.