How to re-enroll zrok's public?

I have created public on the first HA controller. All routers have been created and enrolled on the second controller.
The first HA controller is now off, so I have manually changed ztAPI in .zrok/identities/public.json. Unfortunately the routers do not accept the frontend's certificate issued by the first controller.
This is strange, however. In the reference example the ziti controllers have different intermediate certificates. I see that the public's certificate does not have URI:spiffe://domain.name. So public cannot migrate to another controller. On the other hand, public is a unique identity in zrok.

Apparently the command zrok admin create frontend does not generate the identity file .zrok/identities/public.json.

Anyway, the certificate issued to public is a 1-year certificate. So there should be a way to re-enroll public, if I understand correctly.

Is it safe to delete the identity using ZAC? I have two propositions:

  1. The first option is to run zrok admin bootstrap etc/ctrl.yml? Will bootstrap keep the zrok database?
  2. The second option is to run bootstrap-frontend.bash

bootstrap-frontend.bash has done the work. Thank you.

But the script does not edit the edge router policy. So we need to change the policy manually using ZAC.

[  68.330] WARNING sdk-golang/ziti.(*ContextImpl).createSession: {error=[error for request KneOg6w6u: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection] errorType=[*rest_util.APIFormattedError]} failure creating Dial session to service htosd0wff4x7

It's safe to re-run zrok admin bootstrap. It's non-destructive and will create missing entities in Ziti.

Yes, the script assumes it is setting up a single public frontend with the default name "public" for a dedicated Ziti network with a standalone (not clustered) Ziti controller. I expect a future Linux service package for zrok that incorporates the ideas from that Docker self-hosting script I shared, and I'm glad you were able to reference that to see how to complete the Linux self-hosting setup!

We're working on shipping lots of changes for Ziti clustered mode right now, so the zrok enhancements for Linux are surely a few months out, at least.

Zrok is a very nice application. It was a good idea to create it, certainly. What does its name stand for?

Just to add a few details.

I have renamed the identity, public->public_010525.
ZAC has modified the edge router policy public.

At this point there is no identity public. But there is the edge router policy public with public_010525.

Then I ran bootstrap-frontend.bash. The script creates public and enrolls it, but keeps the edge router policy public as it was. So we need to edit the policy manually:

  "identityRoles": [
    "@ks78qgkgo"
  ],
  "identityRolesDisplay": [
    {
      "name": "@public",
      "role": "@ks78qgkgo"
    }
  ]

Having a single public identity is enough, since the frontends are stateless. It works pretty well, indeed.
The only problem is the public's certificate. From my perspective the certificate could contain URI:spiffe://domain.name/controller/frontend in order to be accepted by another HA controller/routers.
Otherwise, if the original controller where we created and enrolled public is stopped, public cannot connect. So we should remove the identity and create and enroll public again on the second controller.
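An added check, written here in Go and not code from the zrok or OpenZiti projects, that reads an identity file such as .zrok/identities/public.json and reports whether the frontend's certificate carries a spiffe:// URI SAN and when it expires, the two properties the thread identifies as deciding whether the identity can follow a controller failover. The identity file layout (id.cert holding "pem:<PEM>") and the self-signed test identity builder are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// spiffeIDs reads a Ziti identity file (assumed layout: id.cert holds "pem:<PEM>") and returns the
// spiffe:// URI SANs of its leaf certificate and its expiry; no SPIFFE ID means it is bound to the issuer.
func spiffeIDs(raw []byte) (ids []string, notAfter time.Time, err error) {
	var f struct{ ID struct{ Cert string `json:"cert"` } `json:"id"` }
	if err = json.Unmarshal(raw, &f); err != nil {
		return nil, notAfter, err
	}
	block, _ := pem.Decode([]byte(strings.TrimPrefix(f.ID.Cert, "pem:")))
	if block == nil {
		return nil, notAfter, errors.New("id.cert holds no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, notAfter, err
	}
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	return ids, cert.NotAfter, nil
}

// constructedIdentity builds a self-signed test identity (not a real enrollment) with the given
// URI SANs and a one-year lifetime, so that spiffeIDs can be exercised offline.
func constructedIdentity(uris ...*url.URL) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "public"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), URIs: uris}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	out, _ := json.Marshal(map[string]interface{}{"ztAPI": "https://ctrl1.example.invalid:1280", // constructed
		"id": map[string]string{"cert": "pem:" + string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))}})
	return out
}
```

Run spiffeIDs over the real public.json after enrollment: an empty result plus a NotAfter about a year out matches the situation described in this thread.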