Ok, now I see what you’re after. What didn’t make sense to me is that “the edge” is what provides the ‘darkness’ you’re describing, so having a non-edge-enabled controller doesn’t make sense to me. What does make sense to me is making the management API dark/private and providing access to that API through OpenZiti itself. That’s what I did in that Ziti TV episode where I “split” the client/management API. That makes sense for sure. That was the example I was talking about, with the router co-located with the controller.
I think I see now that you’re trying to go one step further, and yes, that could be done; that’s where I think you’re heading… Set up a “private” edge router next to the controller, then set up a public edge router, and provide access to the controller’s management API that way. Sure, that makes sense too, and would look like this: