Ctrl vs client endpoints

Context

source: Edge APIs | OpenZiti

Edge Management API

  • edge management API provides the ability to create new identities, policies, and other entities used to manage a network

Edge Client API

  • edge client API is used by clients that wish to dial (connect) or bind (host) services

source 2: Install the Controller in Kubernetes | OpenZiti

Controller values.yaml

clientApi:
    advertisedHost: ziti-controller-managed.example.com
ctrlPlane:
    advertisedHost: ziti-controller-managed-ctrl.example.com

Router Config

ctrl:
  # router control plane API (:6262)
  endpoint:    tls:zitictrl.mydomain.com:443
link:
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:10080
      advertise:        tls:link.mydomain.com:443
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
        advertise: edge.mydomain.com:443

K8s Ingress

$ kubectl -n ziti get ingress
NAME                     CLASS   HOSTS                        ADDRESS         PORTS   AGE
ziti-controller-client   nginx   ziticlient.mydomain.com   20.255.214.10   80      53d
ziti-controller-ctrl     nginx   zitictrl.mydomain.com     20.255.214.10   80      53d
ziti-router-edge         nginx   edge.mydomain.com         20.255.214.10   80      53d
ziti-router-transport    nginx   link.mydomain.com         20.255.214.10   80      53d

Questions

  • Would it be fair to say the ziti CLI uses the edge management endpoint to create resources, and edge routers/tunnels use the edge client endpoint to dial/bind services?
  • The router config references ctrl, client, and transport/link URLs. How does the router know about the edge client API needed for binding services?
  • Does it ever make sense for the ctrl and client APIs to share the same hostname, or would that not work?

Hi @yemaney,

It'd be much more than 'fair', that is exactly how it does it :wink:

Only kinda. You mention edge routers. Edge routers will operate over the control plane and will not use the client nor the management API directly afaik. I'm pretty sure this is true but if not, I'll correct myself. OTHER tunnelers are all SDK-based clients of their own. They are purpose-built software that use our SDKs to 'do something' (be a tunneler). These will ALL use the client endpoint - yes.

It doesn't (answered above). It uses the control plane (the ctrl endpoint specified in the config) to communicate with the controller.

Sharing a hostname is quite common. I don't know what you mean by "client apis" though, so I'm not entirely sure I know what you mean. Using the same host has the "benefit" of allowing you to reuse the same certificate if you want and is generally useful for single-machine deployments. In general though, I tend to use different hostnames. This would allow you to always use the same port (port 443 for example).


Edge routers will operate over the control plane

Okay, this is why the router config will reference the control plane endpoint via ctrl.endpoint.

I don't know what you mean by "client apis" though

Sorry for the lack of clarity. The controller is deployed with clientApi.advertisedHost and ctrlPlane.advertisedHost in its config, and I was wondering if they could be the same URL. But I think you answered the question: it's possible, but different ports would have to be used, which would make sense.

Oh - I see now. Yes, generally they ARE the same URL and I'd recommend keeping them the same in this case. You have the option to not have them be the same if you don't want them to be, but it's much more complicated/complex to deploy that way and I definitely would not change the domain name until you are very well-versed with OpenZiti (or maybe just never :slight_smile: ).

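An added consistency check (not from the thread or the OpenZiti project) that encodes the two points settled above: the router's ctrl.endpoint must name the controller's advertised ctrl-plane host:port, and the ctrl-plane and client API may share a hostname but not the same host:port, since one ingress IP tells them apart only by SNI. It assumes the controller chart takes an advertisedPort next to each advertisedHost, and feeds the router/controller settings in as plain dicts mirroring the YAML in the first post.

```python
from __future__ import annotations
from itertools import combinations


def parse_endpoint(ep: str) -> tuple[str, int]:
    """Split an OpenZiti address such as 'tls:zitictrl.mydomain.com:443' or
    'edge.mydomain.com:443' into (host, port); the 'tls:' scheme is optional."""
    parts = ep.split(":")
    if len(parts) == 3 and parts[0] == "tls":
        parts = parts[1:]
    if len(parts) != 2:
        raise ValueError(f"unrecognised endpoint {ep!r}")
    return parts[0], int(parts[1])


def check_endpoints(controller: dict, router: dict) -> list[str]:
    """Return findings about the router/controller endpoint wiring (empty == consistent)."""
    advertised = {
        "controller ctrlPlane": (controller["ctrlPlane"]["advertisedHost"],
                                 int(controller["ctrlPlane"]["advertisedPort"])),
        "controller clientApi": (controller["clientApi"]["advertisedHost"],
                                 int(controller["clientApi"]["advertisedPort"])),
        "router link advertise": parse_endpoint(router["link"]["listeners"][0]["advertise"]),
        "router edge advertise": parse_endpoint(router["listeners"][0]["options"]["advertise"]),
    }
    findings = []
    # The router reaches the controller over the ctrl plane only (not the client API),
    # so its ctrl.endpoint must be exactly the controller's advertised ctrl-plane host:port.
    router_ctrl = parse_endpoint(router["ctrl"]["endpoint"])
    if router_ctrl != advertised["controller ctrlPlane"]:
        findings.append(f"router ctrl.endpoint {router_ctrl} != controller ctrlPlane "
                        f"{advertised['controller ctrlPlane']}")
    # Sharing a hostname is fine (one cert, one ingress IP), but two services advertised
    # on the identical host:port cannot be distinguished by SNI-based ingress routing.
    for (a, ep_a), (b, ep_b) in combinations(advertised.items(), 2):
        if ep_a == ep_b:
            findings.append(f"{a} and {b} both advertise {ep_a[0]}:{ep_a[1]}")
    return findings


# Constructed sample mirroring the thread: every service behind one ingress IP on 443,
# told apart by hostname (the advertisedPort keys are an assumption about the chart).
CONTROLLER_VALUES = {
    "clientApi": {"advertisedHost": "ziticlient.mydomain.com", "advertisedPort": 443},
    "ctrlPlane": {"advertisedHost": "zitictrl.mydomain.com", "advertisedPort": 443},
}
ROUTER_CONFIG = {
    "ctrl": {"endpoint": "tls:zitictrl.mydomain.com:443"},
    "link": {"listeners": [{"binding": "transport", "bind": "tls:0.0.0.0:10080",
                            "advertise": "tls:link.mydomain.com:443"}]},
    "listeners": [{"binding": "edge", "address": "tls:0.0.0.0:3022",
                   "options": {"advertise": "edge.mydomain.com:443"}}],
}
```

Running `check_endpoints(CONTROLLER_VALUES, ROUTER_CONFIG)` on the sample returns no findings; giving clientApi and ctrlPlane the same host on the same port produces one.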