Ok. I was chatting with another fella about this and I think this is a confusing timing issue. I think when using intercept-based dialing like this, we need to wait for the SDK to receive the services from the controller, so let's make a small change... let's have the SDK verify it has access to the service. Due to the implementation in the SDK, I am pretty sure this will block until the SDK is set up and ready for the intercept.
In createZitifiedHttpClient, before the NewSdkCollection function, add a call to RefreshServices. So it would look like this:
```go
_ = ctx.RefreshServices()
zitiContexts := ziti.NewSdkCollection()
```
Let's see if that fixes the issue.
Updated the code, here's the logs:
```
DEBU[0000] attempting to authenticate
DEBU[0000] setting active controller key="https://ziti-edge-controller:443/edge/client/v1"
DEBU[0000] no additional controllers reported, continuing with 1 default configured controller
DEBU[0000] checking if service updates available
DEBU[0000] refreshing services
DEBU[0000] processing service updates with 1 services
DEBU[0000] no service config of type intercept.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
DEBU[0000] no service config of type ziti-tunneler-client.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
DEBU[0000] checking if service updates available
DEBU[0000] refreshing services
DEBU[0000] processing service updates with 1 services
DEBU[0000] no service config of type intercept.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
DEBU[0000] no service config of type ziti-tunneler-client.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
Get "https://dmz.r1.bct.tech:443/": dial tcp: lookup dmz.r1.bct.tech on 127.0.0.53:53: server misbehaving
panic: runtime error: invalid memory address or nil pointer dereference
```
Here's the intercept config, from ZAC:
```json
{
  "name": "dmz.r1.bct.tech.int.config",
  "configTypeId": "g7cIWbcGg",
  "data": {
    "portRanges": [
      {
        "high": 443,
        "low": 443
      }
    ],
    "addresses": [
      "dmz.r1.bct.tech"
    ],
    "protocols": [
      "tcp"
    ]
  }
}
```
Well, that was why we weren't seeing logs, it seems. So that's progress!
Is there any chance you deleted the intercept config and then added it back by the same name? Can you show the JSON for the service and make sure it's listed in the configs? My guess is you deleted it and added it back and it's no longer linked to the service.
I am positive that I did not delete it and re-add it. I have an install script; before I sent any outputs to this thread I wiped everything and re-created.
Here's the dmz part of the script:
```bash
# Create dmz service
zitiEx edge create config ${ZITI_SERVICE_DMZ}.host.config host.v1 '{"protocol":"tcp", "address":"'"dmz-server"'", "port":'${DMZ_PORT}'}'
zitiEx edge create config ${ZITI_SERVICE_DMZ}.int.config intercept.v1 '{
"protocols":["tcp"],
"addresses":["'${ZITI_SERVICE_DMZ}'"],
"portRanges":[{"low":'${DMZ_PORT}', "high":'${DMZ_PORT}'}]
}'
zitiEx edge create service ${ZITI_SERVICE_DMZ} --configs ${ZITI_SERVICE_DMZ}".host.config",${ZITI_SERVICE_DMZ}".int.config"
zitiEx edge create service-policy ${ZITI_SERVICE_DMZ}".bind" Bind --service-roles "@"${ZITI_SERVICE_DMZ} --identity-roles "#"${ZITI_SERVICE_DMZ}".bind"
zitiEx edge create service-policy ${ZITI_SERVICE_DMZ}".dial" Dial --service-roles "@"${ZITI_SERVICE_DMZ} --identity-roles "#"${ZITI_SERVICE_DMZ}".dial"
```
The script appears ok to me, could you list the service with json using the ziti CLI or ZAC to confirm things are linked properly?
```bash
# Double quotes so the shell expands the variable inside the filter
ziti edge list services "name = \"${ZITI_SERVICE_DMZ}\"" -j
```
I'm looking to confirm the service id (serviceId=4mkl06AmzCw3jx2hflY9u5) as well as confirm there are two configs showing in the json body.
I've never seen this particular problem where the service had policies and configs properly linked. I just want to confirm they are properly linked by inspecting the json... Thanks
```
ziti@d69c91070d58:/persistent$ ziti edge list services 'name = "dmz.r1.bct.tech"' -j
{
  "data": [
    {
      "_links": {
        "configs": {
          "href": "./services/4mkl06AmzCw3jx2hflY9u5/configs"
        },
        "self": {
          "href": "./services/4mkl06AmzCw3jx2hflY9u5"
        },
        "service-edge-router-policies": {
          "href": "./services/4mkl06AmzCw3jx2hflY9u5/service-edge-router-policies"
        },
        "service-policies": {
          "href": "./services/4mkl06AmzCw3jx2hflY9u5/service-policies"
        },
        "terminators": {
          "href": "./services/4mkl06AmzCw3jx2hflY9u5/terminators"
        }
      },
      "createdAt": "2024-09-10T11:04:57.571Z",
      "id": "4mkl06AmzCw3jx2hflY9u5",
      "tags": {},
      "updatedAt": "2024-09-10T11:04:57.571Z",
      "config": {},
      "configs": [
        "6q5eXNtQ9KNaHwGDDSGdGQ",
        "7khziPNowEF1N2saNZtQ81"
      ],
      "encryptionRequired": true,
      "maxIdleTimeMillis": 0,
      "name": "dmz.r1.bct.tech",
      "permissions": [
        "Invalid"
      ],
      "postureQueries": [
        {
          "isPassing": true,
          "policyId": "dummy invalid policy: no posture checks defined",
          "policyType": "Invalid",
          "postureQueries": []
        }
      ],
      "roleAttributes": null,
      "terminatorStrategy": "smartrouting"
    }
  ],
  "meta": {
    "filterableFields": [
      "name",
      "terminatorStrategy",
      "id",
      "updatedAt",
      "isSystem",
      "tags",
      "configs",
      "createdAt",
      "roleAttributes"
    ],
    "pagination": {
      "limit": 10,
      "offset": 0,
      "totalCount": 1
    }
  }
}
```
Thanks. This part catches my eye. I dunno what might cause it but I'll try to ask around the team and see if it might be relevant.
```json
"permissions": [
  "Invalid"
],
```
Any updates on this situation?
Ugh, this is my fault. I must have used a different bit of code before when I had tested it. I just looked at this issue again today with fresh eyes and it dawned on me that I forgot to tell you that you need to specify the config types you want to return....
In createZitifiedHttpClient you want to add one line:
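```go
cfg, err := ziti.NewConfigFromFile(idFile)
if err != nil {
	panic(err)
}
// Ask the controller to return every config type with the service list...
cfg.ConfigTypes = append(cfg.ConfigTypes, "all")
// ...or, more specifically, just the intercept config
cfg.ConfigTypes = append(cfg.ConfigTypes, "intercept.v1")
```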
If you don't specify to return the intercept config, it won't be returned when creating a session.
That should solve the issue.
Note: You need both:
```go
_ = ctx.RefreshServices()
zitiContexts := ziti.NewSdkCollection()
```
and
```go
cfg.ConfigTypes = append(cfg.ConfigTypes, "all")
```
for this to work.
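A small triage helper for the symptom in this thread, added here as an example (it is not code from the posters or from the OpenZiti project): it scans SDK debug output for services reported without an `intercept.v1` config and flags those whose hostname then went to the ordinary DNS resolver. `Triage` and `Finding` are hypothetical names, and the sample lines are constructed from the log posted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, taken from the debug output posted earlier in this thread.
const sampleLog = `DEBU[0000] processing service updates with 1 services
DEBU[0000] no service config of type intercept.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
DEBU[0000] no service config of type ziti-tunneler-client.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
DEBU[0000] no service config of type intercept.v1 defined for service serviceId=4mkl06AmzCw3jx2hflY9u5 serviceName=dmz.r1.bct.tech
Get "https://dmz.r1.bct.tech:443/": dial tcp: lookup dmz.r1.bct.tech on 127.0.0.53:53: server misbehaving`

var (
	missingRe = regexp.MustCompile(`no service config of type (\S+) defined for service serviceId=(\S+) serviceName=(\S+)`)
	lookupRe  = regexp.MustCompile(`dial tcp: lookup (\S+) on `)
)

// Finding is one service for which the SDK reported no intercept.v1 config.
type Finding struct {
	ServiceID, ServiceName string
	FellBackToDNS          bool // the same name was later resolved via ordinary DNS
}

// Triage returns the services missing intercept.v1, in first-seen order,
// and marks those whose hostname then went to the system resolver.
func Triage(log string) []Finding {
	var found []Finding
	seen := map[string]bool{}
	lookups := map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		if m := missingRe.FindStringSubmatch(line); m != nil && m[1] == "intercept.v1" && !seen[m[2]] {
			seen[m[2]] = true
			found = append(found, Finding{ServiceID: m[2], ServiceName: m[3]})
		}
		if m := lookupRe.FindStringSubmatch(line); m != nil {
			lookups[m[1]] = true
		}
	}
	for i := range found {
		found[i].FellBackToDNS = lookups[found[i].ServiceName]
	}
	return found
}

func main() {
	for _, f := range Triage(sampleLog) {
		fmt.Printf("%s (%s): intercept.v1 not returned; DNS fallback=%v\n", f.ServiceName, f.ServiceID, f.FellBackToDNS)
		fmt.Println(`  check that cfg.ConfigTypes includes "intercept.v1" or "all"`)
	}
}
```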