I’ve been trying to follow the guide Using Grafana | NetFoundry Documentation for accessing the status of the identities of my OpenZiti network, but I’m a bit confused. In the Create a Dashboard section, when adding the variable, a username and password for the admin identity are used to later create the zt-session header in the query.
However, what happens if I want to use an admin identity that was created by the ziti CLI? If I’m not mistaken, no password is set for that identity, since you log in later using the .json file.
Is the Default admin identity (the one created when you first install the controller) mandatory for this use case? Or do I need to change something in the way the query is created or how the Grafana data source is configured?
Sorry if this is a basic question, I’m new to OpenZiti and observability in general, as I’m using Ziti for my bachelor’s thesis. I’m setting up a Zero Trust infrastructure for a fictional company, and it’s been a really fun and great learning experience so far.
Hi @martoAs, welcome to the community and to OpenZiti!
Well, looking at that page, it sure looks like I authored it but it would astonish me if I did! I don't remember it at all. I'm not sure this page should stick around to be totally honest with you. But if you find it interesting and valuable do let us know.
I read the page, and I think I understand it mostly. Let me try to answer your questions now...
The page doesn't spell it out, but that is actually what's happening here. I can tell by the usage of ziti ops unwrap mention. That operates on an identity that you have generated using the ziti CLI (or ZAC) and subsequently enrolled. Such as:
ziti edge create identity test --admin -o test.jwt
ziti edge enroll --jwt test.jwt
ziti ops unwrap test.json
$ ls -tral test.*
-rw-r--r-- 1 clint clint 11742 Feb 13 16:05 test.json
-rw------- 1 clint clint 3243 Feb 13 16:05 test.key
-rw-r--r-- 1 clint clint 4025 Feb 13 16:05 test.cert
-rw-r--r-- 1 clint clint 4151 Feb 13 16:05 test.c
So you are expected to do that, based on the doc.
Correct, you then use the cert and key to authenticate to the controller in the Infinity data source.
Answered above but "no". You don't use that identity at all (but I expect you could use that with the Infinity plugin if you wanted - I didn't try).
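The flow from the answer above as an added example (not from the original posts or OpenZiti's own code): it splits an enrolled identity file into cert, key and CA files with the key locked to its owner, then builds the certificate-authenticated request whose response carries the `zt-session` token. Assumptions: the identity file stores its PEMs under `id.cert`, `id.key` and `id.ca` with a `pem:` prefix, the management API path is `/edge/management/v1/authenticate?method=cert`, and the controller hostname and sample identity are constructed.

```python
import json, os, ssl, stat, urllib.request

# Constructed sample of an enrolled identity file (placeholder PEM bodies, not real keys).
SAMPLE_IDENTITY = {
    "ztAPI": "https://ctrl.example.internal:1280/edge/client/v1",
    "id": {
        "cert": "pem:-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "key": "pem:-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n",
    },
}

def unwrap(identity_path):
    """Split the embedded PEM fields into <name>.cert, <name>.key and <name>.ca."""
    with open(identity_path) as f:
        ident = json.load(f)["id"]
    base, paths = os.path.splitext(identity_path)[0], {}
    for field in ("cert", "key", "ca"):
        if not ident[field].startswith("pem:"):
            raise ValueError(f"id.{field} is not embedded PEM")
        paths[field] = f"{base}.{field}"
        mode = 0o600 if field == "key" else 0o644  # only the owner may read the key
        fd = os.open(paths[field], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as out:
            out.write(ident[field][len("pem:"):])
        os.chmod(paths[field], mode)  # enforce the mode even if the file already existed
    os.chmod(identity_path, 0o600)  # the .json still embeds the private key
    return paths

def mode_of(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def cert_auth_request(controller):
    """POST that exchanges the client certificate for an API session."""
    url = controller.rstrip("/") + "/edge/management/v1/authenticate?method=cert"
    return urllib.request.Request(url, data=b"{}", method="POST",
                                  headers={"Content-Type": "application/json"})

def session_token(controller, paths):
    """Return the value for the zt-session header (needs a reachable controller)."""
    # Assumption: the identity's CA bundle also validates the controller's server cert.
    ctx = ssl.create_default_context(cafile=paths["ca"])
    ctx.load_cert_chain(paths["cert"], paths["key"])
    with urllib.request.urlopen(cert_auth_request(controller), context=ctx) as resp:
        return json.load(resp)["data"]["token"]
```

Calling `session_token()` against a real controller is a quick way to confirm the identity authenticates before pointing the Infinity data source at the same cert and key.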
After looking more deeply into how to authenticate with the Infinity data source, I realized that what you explained was indeed the solution. Thank you for confirming it.
Regarding your first paragraph, I found that specific page in the documentation while searching for information on how to export Ziti metrics to set up an observability/monitoring server. The Prometheus endpoint provided useful information, but I was also wondering whether it was possible to display identity-related data in a Grafana dashboard. That page gave me exactly what I needed.
I think it’s valuable to keep it in the documentation. Well, at least I certainly found it useful.