How can I make this service more flexible?

Oh man… I am SOOOO CLOSE here to eliminating some redundant services with OpenZiti. This is pretty exciting.

So, I have this service (lovingly cultivated by this awesome community), which currently accommodates identities named *.jptech.ziti. The challenge here is that my identities are all named as a FQDN… which I don't need, visually. I will also add more tenants, so new devices like *.ase.ziti and *.afk.ziti.

So allow me these questions, three.

  1. What’s the shortest (least typing) FQDN I can put in here? Can I do *.jptech and *.afk? And if I were to unwittingly duplicate a known TLD, what will happen?
  2. Does the FQDN need to be host.domain or can it be domain.host for better visibility/sorting in the UI (and other interfaces that I can’t just grep)? I am not looking for technically possible but technically advisable.
  3. What modifications to my service do I need to make, other than changing `"addresses": ["*.jptech.ziti"]` to `"addresses": ["*.jptech.ziti", "*.afk.ziti"]`?

Here are my current service, policies, configs, and sample identities.

```bash
# Let every identity use every edge router, and every service be reachable via every edge router
ziti edge create edge-router-policy all --edge-router-roles '#all' --identity-roles '#all'
ziti edge create service-edge-router-policy all --service-roles '#all' --edge-router-roles '#all'

# Client side: intercept TCP/22 to any *.jptech.ziti name and dial the hosting identity
# whose name equals the destination hostname the client connected to
ziti edge create config jptech.ssh.cfg.intercept intercept.v1 '{
    "addresses": ["*.jptech.ziti"],
    "protocols": ["tcp"],
    "portRanges": [ {"low":22,"high":22} ],
    "dialOptions": { "identity": "$dst_hostname" }
}'

# Host side: forward to the local sshd, listening under the tunneler's own identity name
ziti edge create config jptech.ssh.cfg.host host.v1 '{
    "address": "127.0.0.1",
    "protocol": "tcp",
    "port": 22,
    "listenOptions": { "identity": "$tunneler_id.name" }
}'

# One service carrying both configs
ziti edge create service jptech.ssh \
    --configs jptech.ssh.cfg.intercept,jptech.ssh.cfg.host \
    --role-attributes jptech.admin,jptech.ssh

# #jptech.admin identities may dial the service; #jptech.ssh identities may bind (host) it
ziti edge create service-policy jptech.ssh.dial Dial --identity-roles "#jptech.admin" --service-roles "@jptech.ssh"
ziti edge create service-policy jptech.ssh.bind Bind --identity-roles "#jptech.ssh" --service-roles "@jptech.ssh"
```

```bash
ziti edge create identity device admin.jptech.ziti --role-attributes jptech.admin -o admin.jptech.ziti.jwt
ziti edge create identity device linux.jptech.ziti --role-attributes jptech.ssh -o linux.jptech.ziti.jwt
```

I'm pretty sure you can use *.j.p if you want. I routinely use ".ziti". I think you just need at least one valid character. Both *.jptech and *.afk should be just fine.

It doesn't matter to ziti. If one way or the other works better for you, use it. Or, to put it another way, at this time I know of no reason that it's NOT advisable. In practice, there might be something I'm not thinking of that would make me go... "oh, of course I shouldn't do that", but right now, nothing comes to my mind...

If you change the domain name order, that's the only thing you need to update. All the other things can remain the same if you like.

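The multi-tenant change from question 3, worked through as an added example (this is not code from the thread or from the OpenZiti project). It builds the intercept.v1 JSON with one wildcard address per tenant zone named in the post, and shows the check a practitioner wants before cutting over: because `dialOptions.identity` is `$dst_hostname` and the host side listens as `$tunneler_id.name`, every hostname a client connects to must have a hosting identity with exactly that name, or the dial has nowhere to go. Assumptions: the wildcard is modelled as "one or more labels, then `.zone`", and `ziti edge update config <name> --data '<json>'` is the CLI form I assume for applying the config; it is only invoked when the `ziti` binary is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread or the OpenZiti project.
# Builds the multi-tenant intercept.v1 config and checks which hosting
# identity an intercepted SSH destination will be dialed as.

TENANT_ZONES="jptech.ziti afk.ziti ase.ziti"   # zones from the post, one wildcard each

# Emit the "addresses" array body: "*.jptech.ziti", "*.afk.ziti", ...
intercept_addresses() {
    sep=""
    for zone in $TENANT_ZONES; do
        printf '%s"*.%s"' "$sep" "$zone"
        sep=", "
    done
}

# Emit the complete intercept.v1 config. dialOptions.identity stays
# $dst_hostname, so the dial is routed to the identity whose name equals
# the hostname the client connected to.
intercept_config() {
    printf '{"addresses": [%s], "protocols": ["tcp"], "portRanges": [{"low": 22, "high": 22}], "dialOptions": {"identity": "$dst_hostname"}}' \
        "$(intercept_addresses)"
}

# Print the tenant zone a destination hostname falls under, or return 1.
# Assumption: "*.zone" is treated as "one or more labels, then .zone"; the
# bare zone name and names under other domains are rejected.
zone_for_host() {
    host=$1
    for zone in $TENANT_ZONES; do
        case "$host" in
            *."$zone")
                label=${host%.$zone}
                [ -n "$label" ] || continue
                printf '%s' "$zone"
                return 0
                ;;
        esac
    done
    return 1
}

# The host side binds as "$tunneler_id.name", so the identity that must
# exist for an intercepted hostname is the hostname itself.
hosting_identity_for() {
    zone_for_host "$1" >/dev/null || return 1
    printf '%s' "$1"
}

# Apply the config only if the ziti CLI is actually available
# (assumed flag form: ziti edge update config <name> --data '<json>').
apply_intercept_config() {
    if command -v ziti >/dev/null 2>&1; then
        ziti edge update config jptech.ssh.cfg.intercept --data "$(intercept_config)"
    else
        printf 'ziti CLI not found; would run: ziti edge update config jptech.ssh.cfg.intercept --data %s\n' \
            "$(intercept_config)"
    fi
}

apply_intercept_config
# Constructed sample destinations: two tenant hosts, a bare zone, an outside name
for h in linux.jptech.ziti linux.afk.ziti afk.ziti linux.example.com; do
    if id=$(hosting_identity_for "$h"); then
        printf '%s -> dial identity %s (zone %s)\n' "$h" "$id" "$(zone_for_host "$h")"
    else
        printf '%s -> not intercepted by this service\n' "$h"
    fi
done
```

Adding a zone to `TENANT_ZONES` is the whole change on the intercept side; the identities for the new tenant still need names matching the hostnames clients will use, plus whatever role attributes the existing Bind and Dial policies require.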

Does anyone else have hidden gotcha for me?
