More OpenZiti Questions

I was speaking to an OpenZiti community member in private DMs recently. After the conversation, they said we could share the conversation, anonymised, which should be valuable for others too.

User:

Hi Philip,

Thank you for your welcome! I’m fine answering your questions.

Currently we have a varied bunch of ‘solutions’ - bastion hosts, site-to-site VPNs, Terminal Server stuff and even customer VPN clients installed on our employee client machines… My intention is to standardize this and present a smart solution, also with regard to GDPR and all the related stuff here in Europe.

My research started with https://goteleport.com/, which didn’t fit our needs, and so we finally landed at Guacamole (yeah, I’ve seen your BrowZer showcase) for the CLI and Windows desktop stuff, but there was no solution for HTTP or even port tunneling. And after a long research and testing I found OpenZiti, which looks very promising.

What has been your experience so far?

There are things that look very fresh (documentation, tutorials, …) and are still changing (integrating the router etc. into one binary, some conceptual changes when reading older docs, …), but on the other end it seems that there are also components looking very mature (desktop / mobile clients, API, UI, …). OpenZiti is very flexible, but this also brings a bit of complexity that has to be learned.

What use case are you focused on yourself?

I think I’ve explained my overall use case answering the 1st question. The Java connector would be for an application allowing the technicians to ‘open up connections’ on demand when working on tickets.

Another idea we have is to interconnect some internal services between separate Kubernetes clusters, but this is currently only a rough idea.

What do you think we could do to improve the project?

Grow, get a bigger and greater community!

Maybe also have an eye on all the ‘cloud native’ (Kubernetes) things and folks. Having it easily deployed and configured within a Kubernetes infrastructure might be a goal. And also a (Kubernetes) operator interacting with Kubernetes would be a nice option:

  • Automatically registering routers / ‘hosts’ (endpoints) when they get deployed
  • When assigning intercept roles to a Kubernetes-deployed endpoint, the operator could create service objects to announce the service and redirect things to the endpoint
  • Also it could look for services having special annotations and automatically create the appropriate service configuration within the Ziti controller

Quite a lot of ideas, but this would be the next step.

Philip:

First off, wow, super appreciate the in-depth feedback. Some people do not respond to my queries; you have gone in the other direction, and it’s invaluable!

Cool use case. I reckon you will appreciate these blogs too: ‘Transparent Bastions’ (NetFoundry) and ‘Breakneck speed without breaking our necks’ (NetFoundry).

100%. Ziti has a lot of power, which means there are complex things to learn, but once you do, you go ‘wow, this is transformational’. I spend a lot of time trying to simplify it and compare…, particularly when talking to people in places like Reddit. We are working on our documentation A LOT atm; if there are any specific articles or pieces you think could be improved/created, please share. For example, I am currently working on ‘OpenZiti vs [insert a bunch of other tech]’ and I have someone on my team working on K8S documentation, as it’s very scattered atm. Along those lines, you may find this useful too: IBM Developer.

I would love to have an operator and K8S is an area we are focused on - as mentioned. We are actively working on a Kubernetes deployment for the Ziti controller and I believe the Edge Router was recently dockerised.

What do you mean by ‘automatically registering routers’? Due to the architecture of Ziti, everything needs to go through the process of bootstrapping trust. We have enabled Ziti to work with external JWT providers for the identity (e.g., SPIFFE/SPIRE or AthenZ)… would this cover part of the need? More can be read in ‘External JWT Signers’ (OpenZiti docs) or ‘Integrate OpenZiti with JWTs, PKIs for seamless service’. Ziti has the ability to intercept less granular traffic (e.g., CIDRs), and with CloudZiti we have built the functionality to report on this. The next step would be automated/suggested policies for granular access control.

User:

In short: I’ll discuss some topics with our cloud-native team. I sold them OpenZiti yesterday evening in a 4h session after working hours, and they are excited by the ideas and concept. Currently, they are designing a new concept with a lot of edge (Kubernetes computing) nodes, where every node is at a different customer and site. They have evaluated quite a lot of service mesh concepts, and lots of them are not designed for remote locations or are coupled too tightly, so they do not match our ideas of separating the nodes/customers the way we want.

Philip:

Thanks for the insights. Interesting comments about service mesh; I will include a comparison I wrote vs Istio (and SM in general) below… would be great to hear if you agree/have any comments. Which K8S/K3S are you working with, by the way?

Also, why do you want to run the Ziti servers in Kubernetes?

User:

Currently we use SUSE’s RKE2 for central / bigger installations and their K3S implementation for edge setups. Our cloud-native team also likes SUSE’s Rancher stuff for managing it; I’m more the CLI guy. But we also have customers running on (RH’s) OpenStack, and also some guys have workloads running on Google’s GKE.

We try to reduce the number of VMs we have to maintain. And the Ziti components seem to be ideal candidates for running in (Kubernetes) pods - they are small, self-contained binaries. Kubernetes also gives us plenty of additional ‘environmental’ stuff like monitoring and collecting metrics (okay, I have to finalize this in the Helm charts). An additional layer of security (i.e. by putting things like cilium.io or tigera.io on top of it) could also easily be added. Doing all of this to every VM is quite complicated. I’ll also ask my CN guys on this topic. We can also continue the discussion on this topic in the forum so my CN guys and others can jump in :wink:

I also have an eye on the HA stuff here (ziti/overview.md at main · openziti/ziti · GitHub) - I think this would be ideal for scaling / load balancing / HA through Kubernetes :wink:
