Add new service on a separate "green" network in docker compose quickstart

4

:man_facepalming:
I didn't see that I had already made this diagram! I looked for it in that thread and missed it! I made this whole second image for nothing. :slight_smile:

I'm going to make some decisions on your behalf to just simplify things on my side (wrt docker).

So here is what I would do based on our limited interactions so far (I just need to assume some things and we can refine).

Prerequisites

I'll also assume you found the section on that page about docker and the hosts file and have that complexity all sorted. Local - Docker Compose | OpenZiti... So I'll assume you have the basics sorted (perhaps a bad decision but I'm starting there):

  • I'll also assume you have a tunneler installed on your local OS
  • you have made an identity for that tunneler
  • you have passed traffic before using an OpenZiti overlay

Join the Green Network to the Complex Docker Compose

To join the green network, you'll need to do a couple of things:

  • make a docker network named "zitigreen"
  • add zitigreen to the ziti-controller container and the ziti-edge-router (this gives the green network, the ability to reach the controller and router which is mandatory)
  • deploy a ziti-router into the green network
  • deploy your server into the green network
  • create an openziti serivce allowing the green router to offload data back to the underlay network towards the green server
  • authorize your green network router to 'bind' the green service
  • authorize your identity to dial (connect) to the service

I'm glossing over all the details here - I'm not sure if you need them or not yet but figured it's easier to reply and get more details and we can move along together. It's my end of day today so I'll be offline until tomorrow but I'll look for your reply. Maybe that will give you enough information, but if not we can keep moving forward.

Blue Server Dialing Green Server

This is more complex. This requires you to assign the blue router to the blue server as the network of the blue server, effectively melding the two containers networks togethter. You'll also need to enable tproxy on the blue router. This is what I was starting to talk about in this comment. This relies on a feature of docker compose named: network_mode. You assign one container as the network of another. you can see examples of that here:

A very reduced example is:

services:
  ziti-router:
   [stuff redacted for brevity]
    networks:
      - zitigreen
  other-service:
    image: busybox
    network_mode: service:ziti-router # HERE'S THE GOODS

Hopefully that helps. If you're still stuck, this would make another good ziti tv... Maybe I'll do a livestream tomorrow about this topic and you can join if you can (and if you want). :slight_smile: