General Architecture Questions

Thanks for replying!

I mean this fabric/docs/concepts.md at p14_c2 · openziti/fabric · GitHub
For me it was a definitive concept overview, especially the control plane specifics for OpenZiti. And I see that videos and some parts of the documentation refer to the 'Control Plane' but do not define it.

So, like, I could create my own PKI using good old openssl and hold the keys for the CAs? Isn't it obligatory to provide a whole PKI for the controller's usage, so that it creates and signs identities, for instance?

Well, the first one, with Sessions and Connections, does explain the sequence it takes to perform the connection. But the thing is, I haven't found a general top-level overview, in the form of a diagram, of how communication is done, which ports are accessed by whom, and which ports are exposed. There are pieces of it here and there; for instance, the Host It Yourself guide and the docker-compose one do have some overview of the ports being opened for communication. But it's unclear to me who does what with those ports.

Sorry, perhaps I was a little bit unclear with this. What I meant is that this whole 'without exposing a port' narrative feels too magical. It is barely documented how exactly this is being achieved. And by skimming the code and some parts of the documents I found out that, at least for the Python SDK, yes, it opens an outbound connection, does all the heavy lifting without needing to utilize a local tunneler, and just creates a local Unix socket for the application that utilizes the SDK to listen on for the ingress traffic. And that was the turning point for me in grasping the magic of this whole 'not exposing a port' thing. Hence the root question.

I hope my questions don't come across as mean as they might look. I don't mean to diss the documentation; I'm just a little bit too straight with my questions.