Have you (or anybody) been considering putting the controller on a blockchain?

I have been familiarizing myself with the project for a few days now. It seems that pretty much everything in it can be distributed, apart from the controller. So the natural question comes: how complicated is it to implement a controller on something like the Cosmos ecosystem, such that every private setup could rely on entirely distributed infrastructure, with backups natively solved and no single point of failure?

I have no experience with this, but I know that controller HA is something that's already available and being tested right now.

Correct: controller HA is real and will solve some centralization concerns, but using blockchain "wallets" as Ziti identities could solve another problem: onboarding.

The "onboarding problem" aka "bottom turtle problem" is that identity-driven systems need everyone to have an identity, which usually means creating a trust chain from some existing identity or transmitting a security token out-of-band.

Using a blockchain or similar identity-based system offers yet another way to create a trust chain. It's been experimented with before, and Ziti has some new features that are applicable, like "external ID."

Essentially, a Ziti external ID is metadata on a Ziti identity that can be used to map an external identifying document to a set of authorizations in Ziti.

The owner of the external identifier, like an email address that can be attested with OIDC, an SVID from SPIRE, or, potentially, a wallet address, can bootstrap a Ziti API session by proving they own the external identity, then fetch a client cert for mTLS with the Ziti edge (the on-ramp to the transport fabric).

2 Likes
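The external-ID bootstrap described in the post above, as an added toy example that is not OpenZiti code: a bearer token from a hypothetical signer is verified (signature, issuer, audience, expiry), and only then is its claim used to look up an identity record by external ID. The signer secret, issuer, audience and identity table are all constructed for the demo.

```python
# Added illustration of the "external ID" mapping idea. Not OpenZiti code:
# a toy verifier for an HS256 JWT (minted here so it runs offline) that maps
# a verified claim to a hypothetical identity record via an external ID.
import base64, hashlib, hmac, json, time

# Constructed sample data: a shared secret standing in for the signer's key,
# and a table of hypothetical Ziti-style identities keyed by external ID.
SIGNER_SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "ziti-demo"
IDENTITIES = {
    "alice@example.test": {"name": "alice", "roleAttributes": ["sales"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes = SIGNER_SECRET) -> str:
    """Build an HS256 JWT; only here so the example can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def resolve_identity(token: str, claim: str = "email", now=None):
    """Verify the token, then map its `claim` value to an identity by external ID.
    Returns the identity record, or None if any check fails (no partial trust)."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                  # refuse unexpected algorithms (e.g. "none")
        expected = hmac.new(SIGNER_SECRET, f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                  # forged or tampered token
        claims = json.loads(_b64url_decode(body))
    except ValueError:                   # malformed base64 / JSON / structure
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        return None                      # token meant for a different relying party
    if claims.get("exp", 0) <= now:
        return None                      # expired
    return IDENTITIES.get(claims.get(claim))   # external ID -> identity, else None
```

Everything that can fail (signature, algorithm, issuer, audience, expiry, unknown external ID) returns None, so the caller never issues a session for a partially verified identity.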

Can you please elaborate on what HA is and where I should look for a reference?

I will take a punt, as many are on holiday today for the 4th of July.

HA is built into pretty much all parts of OpenZiti. This is a good place to start - Ziti Services | OpenZiti. It mostly explains the HA from the perspective of services and across the data plane. The fabric for OpenZiti is a smart routing mesh, thus HA by design. The NetFoundry documentation also explains this - https://support.netfoundry.io/hc/en-us/articles/4410429194125-NetFoundry-Smart-Routing. HA is also being built into the controllers - ziti/doc/ha/overview.md at v0.30.1 · openziti/ziti · GitHub - to ensure no single point of failure. HA controllers are currently in beta pre-release, Release v1.1.4 · openziti/ziti · GitHub (probably start with 1.1.5, or later if available in future, though, as it includes bug fixes); we would love to have you test it if you fancy and give any feedback. You can also see the development work here - Controller HA · GitHub

2 Likes