CICD, Identity and Enrollment

Hi, I would like to use a Ziti Network in my CI/CD pipeline. So I create a container with the Ziti tunneler. But what about the identity? I tried some ways:

  1. I copy the identity file from /opt/openziti/etc/identities, but in the config the controller URL is not loaded and loaded=false.
  2. I add the admin credentials and create an identity while the pipeline is running, but then I have a lot of identities.
  3. I saved the container with the identity inside, but then I have a container accessible with the identity.

Perhaps you have an idea, or what's the best solution for that?
How can I use the Ziti Network in the pipeline without storing admin credentials?
Thanks for sharing ideas!
Robin

@Robin welcome to the OpenZiti discourse!

We do this internally in our CI jobs (GitHub) to run webhooks over the Ziti Network. We enroll an identity and create a secret with the content of the identity JSON file.

To build on @ekoby's reply, once you have the identity stored as a secret in the CI engine, echo it to a file and then run ziti-edge-tunnel run -i /path/to/the/file.json, but it will depend on your CI stack and whether or not you can run sudo and make a tun. Hopefully that is allowed; it's mandatory if you want to intercept traffic.

Here's a GitHub action that you can look at. I have a ziti service that lets me contact my controller as a test example at mgmt.ziti.

name: Dial via ZET

on:
  workflow_dispatch:

jobs:
  dial-ziti-service:
    runs-on: ubuntu-latest
    env:
      ZITI_IDENTITY_JSON: ${{ secrets.ZITI_IDENTITY_JSON }}
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update && \
          sudo apt-get install -y unzip curl jq

      - name: Download Ziti Edge Tunnel
        run: |
          curl -sL https://github.com/openziti/ziti-tunnel-sdk-c/releases/latest/download/ziti-edge-tunnel-Linux_x86_64.zip \
            -o zet.zip && \
          unzip zet.zip && chmod +x ziti-edge-tunnel

      - name: Write identity file
        run: |
          echo "$ZITI_IDENTITY_JSON" > id.json

      - name: Run ZET and dial
        run: |
          sudo ./ziti-edge-tunnel run -i id.json &
          sleep 5
          timeout 10s curl -sk https://mgmt.ziti:8441 || true

Thanks a lot for your answer. I tried to run the edge tunnel in "run" mode, but it is not allowed to use /dev/net/tun in our GitLab runners. So I tried "run-host", but then I cannot resolve the intercepted names, because the tunneler doesn't provide the proxy with a DNS nameserver. run-host isn't the right way, I think. Any idea what I can do?

Sounds like you'll probably have to rely on using the ziti-prox-c binary. This is a small example app the ziti-sdk-c project provides with releases. Releases · openziti/ziti-sdk-c · GitHub

This will operate by starting a locally bound socket on whatever port you choose, acting like a local forward proxy. Have a try with that.

What are you trying to do over Ziti Network?

Depending on your needs, a Python SDK app might be easier to set up.

Thanks a lot. The Python SDK is the solution! Locally it works fine. We had to install the certificates to solve the TLS issues. We do the same in the pipeline. Before we do:
print("Start")
ztx = openziti.load('./ziti_id.json')
print("Identity loaded")
we check if the controller is available with a simple curl execution, and it is available.
But "Identity loaded" is never printed. No error occurred, but it keeps running for a long time. Locally it's fine. Is there a way to get an error or another way to debug openziti.load? Perhaps the proxy is ignored? The Python SDK is using the C library. Can we configure the C library to use the proxy?

Is the Ziti controller available only via the proxy? That could be the issue.
Sounds like the proxy setting is not propagated to the underlying transport. (Added an issue.)

Do you set an environment variable (http_proxy)?

You can also set the ZITI_LOG envvar to get ziti library logs -- 1 - ERROR, 2 - WARN, 3 - INFO, and so forth.
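The two problems raised above (openziti.load blocking forever with no error, and not knowing whether the identity secret written to disk is even usable) can both be caught before the job silently stalls. The following is an added example, not code from the thread or from the OpenZiti project: it checks the identity JSON the secret produced (assuming the enrolled-identity shape with a ztAPI URL and an id section holding key, cert and ca), sets ZITI_LOG as suggested, and runs the blocking loader under a timeout so the pipeline fails with a reason. The sample identity is constructed; pass the real openziti.load as the loader in a job.

```python
import json
import os
import threading
from typing import Any, Callable, Dict, List, Optional, Tuple

SAMPLE_IDENTITY = json.dumps({  # constructed sample of an enrolled identity; PEM blobs are placeholders
    "ztAPI": "https://ctrl.example.invalid:1280",
    "id": {"key": "pem:PLACEHOLDER", "cert": "pem:PLACEHOLDER", "ca": "pem:PLACEHOLDER"},
})

def inspect_identity(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (controller URL, problems) for the identity JSON written from the CI secret."""
    try:
        ident = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. secret mangled by shell quoting on write
        return None, [f"identity is not valid JSON: {exc}"]
    if not isinstance(ident, dict):
        return None, ["identity JSON is not an object"]
    problems: List[str] = []
    api = ident.get("ztAPI")
    if not isinstance(api, str) or not api.startswith("https://"):
        problems.append("no usable ztAPI controller URL (unenrolled or partial identity?)")
        api = None
    missing = [k for k in ("key", "cert", "ca") if k not in ident.get("id", {})]
    if missing:
        problems.append(f"id section is missing {missing}; not an enrolled identity")
    return api, problems

def load_with_timeout(loader: Callable[[str], Any], path: str, timeout: float) -> Any:
    """Run a blocking loader (openziti.load) in a daemon thread; turn a silent hang into an error."""
    os.environ.setdefault("ZITI_LOG", "3")  # assumption: 3 = INFO, as the thread describes
    outcome: Dict[str, Any] = {}

    def run() -> None:
        try:
            outcome["ctx"] = loader(path)
        except Exception as exc:  # surface whatever the SDK raised instead of swallowing it
            outcome["err"] = exc

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(timeout)
    if worker.is_alive():  # daemon thread is abandoned; the job exits non-zero with a clear reason
        raise TimeoutError(f"identity load still blocked after {timeout}s: controller unreachable?")
    if "err" in outcome:
        raise outcome["err"]
    return outcome["ctx"]

def never_returns(path: str) -> None:  # stand-in loader that blocks forever, for an offline self-test
    threading.Event().wait()
```

In a job this would be inspect_identity(open("./ziti_id.json").read()) followed by load_with_timeout(openziti.load, "./ziti_id.json", 30), with any non-empty problem list failing the step before the load is attempted.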

Thanks a lot for creating the issue. This was really the issue, I am very sure: CONTROLLER_UNAVAILABLE(connection timed out)

We set http_proxy, https_proxy and also the same in uppercase.