OpenZiti configuration files

Hello,

I’m working on OpenZiti Ansible community collection, I’ve already made a role to download OpenZiti components from github (Core binaries, Edge-tunnel & console)

Today, I’ve started working on the Ziti Components Install & configuration part and I’ve a few questions :

  1. As I’m not an Ansible expert, I was wondering If i should do this using custom modules or stick with roles and develop modules only for the CLI part (adding new identity, etc)
  2. On the github repository there are few configuration yaml files for both the controller and router, when should I use which config file ? I mean for the controller, we have ctrl.with.edge.yml, ctrl.yml, ctrl2.yml and ctrl3.yml. For router we have router.yaml, edge.router.yml and edge.router_wss.yml
    2.1 Should I use ctrl.with.edge.yml when I setup an edge router in the same host as the controller ?
    2.2 What’s the difference between ctrl.yml, ctrl2.yml and ctrl3.yml ?
    2.3 Is router.yaml used for Fabric routers ?
    2.4 edge.router_wss.yml that means that the edge router be WS-Security enabled ?

Regards,
A.B

I mean, doest it make any sense to have a controller running without edge enabled ? How clients will be authorized in this scenario ?

The various config files are there for reference. We don’t make any substantial recommendations in those files. The quickstart config that is generated is slightly more complex as it uses 3 different CAs for the three separate sections (controller, edge-controller, identity enrollment).

I’m not quite sure what you’re asking but in my opinion, you shouldn’t have a controller running “without edge”. I personally don’t consider the “non-edge” controller to be something that’s worth spending time on when learning OpenZiti.

1 Like

What I'm trying to do is to setup a Ziti Network manually, without using the quickstart.

My goal is to understand how the different OpenZiti components fit together and how to configure those separately.

Once I've done that I'll be able to document it for other Ziti users and also finish up my Ansbile role.

It really doesn't make any sense ? I was thinking that maybe it could be a good idea to setup a "Dark" controller without edge enabled and then setup a separate Edge enabled router which routes authorization traffic to the dark controller.

But now that I've written it, I realize that it's not such a good idea lol

Ok, now I see what you’re after. What didn’t make sense to me, is that “the edge”, is what provides the ‘darkness’ that you’re describing. So having a non-edge-enabled controller doesn’t make sense to me. :slight_smile: What does make sense to me is making the management API dark/private and providing access to that API through OpenZiti itself. That’s what I did in that Ziti TV episode where I “split” the client/management API. That makes sense for sure. That was the example I was talking about with the router co-located to the controller.

I think I see now that you’re trying to go one further step and yes, that could be done, that’s where I think you’re heading… Setup a “private” edge-router next to the controller, then setup a public edge router, and provide access to the controller’s management API that way. Sure, that makes sense too and would look like this:

2 Likes