I installed a public router so I can connect to other private routers.
But it works only when I install the public router in a k3d cluster, not in EKS.
Following is the config of the router:
linkListeners:
  transport: # https://docs.openziti.io/docs/reference/configuration/router/#transport
    containerPort: 10080
    advertisedHost: routerlistener.domain.co
    advertisedPort: 443
    service:
      enabled: true
      type: ClusterIP
      labels:
      annotations:
    ingress:
      enabled: true
      ingressClassName: nginx
      annotations:
        kubernetes.io/ingress.allow-http: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# listen for edge clients
edge:
  enabled: true
  containerPort: 3022
  advertisedHost: routeredge.domain.co
  advertisedPort: 443
  service:
    enabled: true
    # -- expose the service as a ClusterIP, NodePort, or LoadBalancer
    type: ClusterIP
    # -- service labels
    labels:
    # -- service annotations
    annotations:
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
tunnel:
  mode: host
helm upgrade "ziti-router" openziti/ziti-router \
--namespace "ziti" \
--values=ziti-router-helm.yaml \
--set-file enrollmentJwt=./router1.jwt \
--set ctrl.endpoint="ctrlhost:6262"
The load balancer URL I see on both ingresses was added as a CNAME for the respective domains.
In the logs of the router I get:
{"_context":"ch{edge}-\u003eu{classic}-\u003ei{1Vr1}","chSeq":2,"connId":15,"edgeSeq":0,"error":"can't route from OSkP5ZEL2O -\u003e N0FndZEL2O","file":"github.com/openziti/ziti/router/xgress_edge/listener.go:199","func":"github.com/openziti/ziti/router/xgress_edge.(*edgeClientConn).processConnect","level":"warning","msg":"failed to dial fabric","time":"2024-07-19T17:20:02.181Z","token":"68e0b72b-ed86-48c7-a792-633a7eefd7ea","type":"EdgeConnectType"}
If it works when you install a public router, it sounds to me like there's some kind of issue with the underlay (IP) and it sounds like not all the routers are linked up.
"can't route from OSkP5ZEL2O -\u003e N0FndZEL2O"
That also sounds like the controller can't find a path to route the traffic to me.
@plorenz might have more to add
I have a controller in cluster1 (k3d) and a private router in cluster1 (k3d). I wanted to tunnel and reach a service connected to the private router.
So for that I had to deploy at least one public router with a reachable edge and link listener,
so I deployed one public router in some other cluster2 (k3d). I was able to reach the app, whereas if I remove that and deploy it in an EKS cluster, configuring the ingress as given in the docs, I can't reach it.
Sure. What you're describing will work, but it all comes down to how you're doing what you're doing.
At the end of the day, whether it's deployed in one cluster or another cluster won't matter whatsoever. What does matter is whether the private router forms a link to the public router. I expect that is what's failing.
If the private router has successfully formed a link to the public router, the next question is: "is the user authorized to use the public router".
If the user is authorized, the next question is: "is the service authorized to use the public router and the private router".
Can you confirm the link exists from private router to public router and can you confirm (using policy advisor) that the identity accessing the private service has authorization to the public router and that the service has access to both routers?
@TheLumberjack, I'm not linking the public router to any service specifically (meaning I'm not assigning attributes). I was just told that if I want to work with private routers, having one public router is a must. So I just simply deployed one public router with reachable edge and link listeners.
Yes, "link listeners" are what will allow the private router to "link" to the public router. If you have a public router and a private router you should see 1 link when you run:
ziti fabric list links
Do you have the link?
The private router is deployed like this:
helm upgrade --install "private-router2" openziti/ziti-router \
--namespace ziti \
--set-file enrollmentJwt=./router2.jwt \
--set edge.advertisedHost=private-router2-edge.ziti.svc.cluster.local \
--set linkListeners.transport.service.enabled=false \
--set tunnel.mode=host \
--set ctrl.endpoint="${NODE_IP}:6262"
A follow up from Not able to install router via helm chart to connect to ziti controller at port 443 but able to connect via router script - #17 by qrkourier
Ya,
router2 (dialer), router1 (acceptor) in connected state.
router2 is the private one and router1 is the public one.
Now, following the steps outlined prior, run ziti edge policy-advisor identities ${the.identity.here}
and let's see if it shows OKAY.
example:
ziti edge policy-advisor identities edgex.core-metadata -q
OKAY : edgex.core-metadata (1) -> edgex.core-data (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : edgex.core-metadata (1) -> edgex.ui (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : edgex.core-metadata (1) -> edgex.core-command (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : edgex.core-metadata (1) -> edgex.core-metadata (2) Common Routers: (1/1) Dial: Y Bind: Y
that identity has access to 3 services, and has 1 common router so it gets OKAY as a result
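Reading advisor output by eye works for a handful of lines, but the checks described above (does every pair share at least one router, does each service have someone who may Bind as well as someone who may Dial) are easy to script. The following is an added example, not part of this thread or of the OpenZiti project: a small Python parser for the quiet (-q) output format shown above that groups rows per service and flags any service that has dialers but no binder, since without a binding identity no router will ever create a terminator for it. The OKAY/ERROR line layout is assumed from the lines in this thread; the sample input is constructed from those lines plus one invented `orphan-service` row that exists only to exercise the check.

```python
"""Parse `ziti edge policy-advisor identities -q` / `services -q` output and
summarize dial/bind coverage per service. Added example; assumes the line
layout seen in this thread and is not part of the OpenZiti project."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One OKAY line of the quiet advisor output, e.g.
# "OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N"
OKAY_RE = re.compile(
    r"^OKAY\s*:\s*(?P<identity>.+?) \((?P<identity_routers>\d+)\) -> "
    r"(?P<service>.+?) \((?P<service_routers>\d+)\) "
    r"Common Routers: \((?P<common>\d+)/(?P<total>\d+)\) "
    r"Dial: (?P<dial>[YN]) Bind: (?P<bind>[YN])\s*$"
)
# "ERROR: <identity>" followed by one or more "- <reason>" lines
ERROR_RE = re.compile(r"^ERROR\s*:\s*(?P<identity>.+?)\s*$")
REASON_RE = re.compile(r"^-\s+(?P<reason>.+?)\s*$")


@dataclass(frozen=True)
class AdvisorRow:
    identity: str
    service: str
    common_routers: int
    total_routers: int
    dial: bool
    bind: bool


@dataclass
class ParsedAdvisor:
    rows: list = field(default_factory=list)      # OKAY lines
    errors: dict = field(default_factory=dict)    # identity -> [reasons]
    unparsed: list = field(default_factory=list)  # anything else, kept for inspection


def parse_advisor(text: str) -> ParsedAdvisor:
    """Parse the quiet advisor output into rows and ERROR blocks."""
    out = ParsedAdvisor()
    current_error = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OKAY_RE.match(line)
        if m:
            current_error = None
            out.rows.append(AdvisorRow(
                identity=m["identity"], service=m["service"],
                common_routers=int(m["common"]), total_routers=int(m["total"]),
                dial=m["dial"] == "Y", bind=m["bind"] == "Y"))
            continue
        m = ERROR_RE.match(line)
        if m:
            current_error = m["identity"]
            out.errors.setdefault(current_error, [])
            continue
        m = REASON_RE.match(line)
        if m and current_error is not None:
            out.errors[current_error].append(m["reason"])
            continue
        out.unparsed.append(line)  # unknown format: keep rather than silently drop
    return out


def service_coverage(rows):
    """Per service: who may dial, who may bind, and which pairs share no router."""
    cov = defaultdict(lambda: {"dialers": [], "binders": [], "no_common_router": []})
    for r in rows:
        entry = cov[r.service]
        if r.common_routers == 0:
            # Policy allows it, but no router is shared, so no path can be built.
            entry["no_common_router"].append(r.identity)
            continue
        if r.dial:
            entry["dialers"].append(r.identity)
        if r.bind:
            entry["binders"].append(r.identity)
    return dict(cov)


def services_without_binder(rows):
    """Services someone may dial but nobody may bind: no terminator can ever appear."""
    return sorted(s for s, c in service_coverage(rows).items()
                  if c["dialers"] and not c["binders"])


# Constructed sample: the advisor lines from this thread plus an invented
# "orphan-service" row (not from the thread) to show the no-binder check firing.
SAMPLE = """\
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> router2-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : router2 (2) -> hello-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : hello-client (2) -> orphan-service (1) Common Routers: (1/2) Dial: Y Bind: N
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
ERROR: router1
- Identity does not have access to any services. Adjust service policies.
"""

if __name__ == "__main__":
    parsed = parse_advisor(SAMPLE)
    for svc, c in sorted(service_coverage(parsed.rows).items()):
        print(f"{svc}: dialers={c['dialers']} binders={c['binders']} "
              f"no_common_router={c['no_common_router']}")
    print("services without a binder:", services_without_binder(parsed.rows))
    print("identities with no service access:", sorted(parsed.errors))
```

Feed it the real output with `ziti edge policy-advisor identities -q | python3 advisor_check.py` after replacing `SAMPLE` with `sys.stdin.read()`; a service listed under "services without a binder" will never show up in `ziti edge list terminators`, which is the next check in this thread.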
Here is the response
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
And can you do the same thing for your router identity now and confirm it has Bind access to one or both services?
After that, if yes, run the policy advisor again with services
as the param:
ziti edge policy-advisor services hello-service -q
ziti edge policy-advisor services router2-service -q
ya,
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> hello-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> router2-service (2) Common Routers: (2/2) Dial: N Bind: Y
can you include the command you run when you show me the output please? that appears to be
ziti edge policy-advisor identities
?
Now show the policy-advisor for the services
sure,
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> router2-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : router2 (2) -> hello-service (2) Common Routers: (2/2) Dial: N Bind: Y
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
ERROR: router1
- Identity does not have access to any services. Adjust service policies.
Please include the command and output. That again appears to be
ziti edge policy-advisor identities -q
I have asked for
ziti edge policy-advisor services -q
without seeing the command you ran, it's hard for me to know if it's an identity or a service is all. thx
sure,
root@ip-172-31-21-248:/home/ubuntu# ziti edge policy-advisor identities -q
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> router2-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : router2 (2) -> hello-service (2) Common Routers: (2/2) Dial: N Bind: Y
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
ERROR: router1
- Identity does not have access to any services. Adjust service policies.
root@ip-172-31-21-248:/home/ubuntu# ziti edge policy-advisor services -q
OKAY : hello-client (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> router2-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> router2-service (2) Common Routers: (2/2) Dial: N Bind: Y
OKAY : hello-client (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : hello-client2 (2) -> hello-service (2) Common Routers: (2/2) Dial: Y Bind: N
OKAY : router2 (2) -> hello-service (2) Common Routers: (2/2) Dial: N Bind: Y
Thank you
and now let's make sure the binding router has created a terminator properly:
ziti edge list terminators
I would expect to see two
right
root@ip-172-31-21-248:/home/ubuntu# ziti edge list terminators
╭────────────────────────┬─────────────────┬─────────┬─────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────────────┼─────────┼─────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 22dI0xaavp0LtBp5IZ0V3X │ hello-service │ router2 │ tunnel │ 22dI0xaavp0LtBp5IZ0V3X │ │ 0 │ default │ 0 │
│ wGrHurfGxg7oJ1eUwE2Rx │ router2-service │ router2 │ tunnel │ wGrHurfGxg7oJ1eUwE2Rx │ │ 0 │ default │ 0 │
╰────────────────────────┴─────────────────┴─────────┴─────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-2 of 2
And right now, this is using the "k3d cluster" (working) or is this using eks (not working)? Let's clarify that too
right now, router1 is in the EKS cluster, which is not working