Openziti on Talos cluster

Hey,

I've a homelab Talos cluster with a bunch of SSFs. I wanna be able to access K8S API and my services remotely.

From this doc, I understand that I can deploy a Daemonset with an OpenZiti tunneler.

So this could solve the "access services remotely" part. But how can I access the API through OpenZiti if I cannot deploy a tunneler on the host directly?

Hi @brandi,

If I'm not mistaken, I believe the k8s API is available from within the cluster itself by default. You don't need to deploy a tunneler on the host via a daemonset. You just need to deploy any OpenZiti tunneler in the Kubernetes cluster. You could do that with a daemonset or just a regular pod.

Regardless of how you deploy OpenZiti though, are you confused as to how you'd create the service itself? As in, what the host config would look like? I am not sure I understand your question fully.


Here's some specifics for the "just a regular pod" approach.

One way is to deploy a Ziti router: Install the Router in Kubernetes | OpenZiti. Then you can host Ziti services with that router's tunneler identity.

Another way is to deploy a Ziti tunneler in hosting mode as a reverse proxy: Deploy a Hosting Tunneler in Kubernetes | OpenZiti. The ziti-host chart runs ziti-edge-tunnel run-host, which is a run mode that only hosts Ziti services.


Hi

Yeah, basically that's my question: how can we configure an OpenZiti service to access the K8S API, and how should the host.v1 be configured?

Also, for apps hosted on K8S, if it's a pod running a private router or a tunneler, should the OpenZiti host.v1 config point directly to the K8S services?

Tunneled Ziti services need a "host config" to set the target address for the tunneler to send packets exiting the Ziti service.

host.v1 example:

{
  "address": "kubernetes.default.svc.cluster.local",
  "port": 443,
  "protocol": "tcp"
}

Based on Tunneler Config Type host.v1 | OpenZiti.

You could then use any of that Kubernetes API server's existing DNS SANs as the Ziti service intercept address in your intercept.v1.

{
    "protocols": [
        "tcp"
    ],
    "addresses": [
        "kubernetes.default.svc"
    ],
    "portRanges": [
        {
            "low": 443,
            "high": 443
        }
    ]
}

Depending on your K8S distribution, you may be able to add a DNS SAN and use that for your Ziti service intercept.
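To tie the two configs above together, here is an added example (my own code, not from the OpenZiti project or the posters) that builds the host.v1 and intercept.v1 documents for the in-cluster API server and sanity-checks them before you create them: the port ranges and protocols have to be consistent between the two, and every intercept address should be a DNS SAN on the API server's certificate, otherwise kubectl's TLS verification rejects the connection even though the tunnel itself works. The SAN list embedded here is a constructed sample of the names a kube-apiserver certificate typically carries; your cluster's certificate may differ, so pull the real list from the cert before trusting the check.

```python
"""Build and sanity-check OpenZiti host.v1 / intercept.v1 configs that expose the
in-cluster Kubernetes API server (added example; not OpenZiti project code)."""
import ipaddress
import json
import re

# Constructed sample: DNS SANs commonly present on a kube-apiserver certificate.
# Assumption: your cluster's cert may differ. Check it with
#   openssl s_client -connect <apiserver>:6443 </dev/null | openssl x509 -noout -ext subjectAltName
KUBE_API_SANS = [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def _is_address(value):
    """True for an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and bool(_HOSTNAME_RE.match(value))


def make_host_v1(address, port, protocol="tcp"):
    """host.v1: where the hosting tunneler forwards traffic leaving the Ziti service."""
    return {"address": address, "port": port, "protocol": protocol}


def make_intercept_v1(addresses, low, high, protocols=("tcp",)):
    """intercept.v1: the client-side names/ports a dialing tunneler captures."""
    return {
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": [{"low": low, "high": high}],
    }


def validate_host_v1(cfg):
    """Return a list of problems with a host.v1 document (empty means OK)."""
    problems = []
    if cfg.get("protocol") not in ("tcp", "udp"):
        problems.append("host.v1 protocol must be tcp or udp")
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("host.v1 port must be an integer in 1..65535")
    addr = cfg.get("address")
    if not isinstance(addr, str) or not _is_address(addr):
        problems.append("host.v1 address must be a hostname or IP literal")
    return problems


def validate_intercept_v1(cfg):
    """Return a list of problems with an intercept.v1 document (empty means OK)."""
    problems = []
    protos = cfg.get("protocols") or []
    if not protos or any(p not in ("tcp", "udp") for p in protos):
        problems.append("intercept.v1 protocols must be a non-empty subset of tcp/udp")
    if not cfg.get("addresses"):
        problems.append("intercept.v1 needs at least one address")
    ranges = cfg.get("portRanges") or []
    if not ranges:
        problems.append("intercept.v1 needs at least one portRange")
    for r in ranges:
        if not 1 <= r["low"] <= r["high"] <= 65535:
            problems.append(f"bad portRange {r}")
    return problems


def names_outside_sans(intercept, sans):
    """Intercept addresses that are not in the server certificate's SAN list.
    A client verifying TLS against such a name fails even though the tunnel works."""
    return [a for a in intercept["addresses"] if a not in sans]


def build_k8s_api_service(intercept_names=("kubernetes.default.svc",), sans=KUBE_API_SANS):
    """Return (host_cfg, intercept_cfg, problems) for the in-cluster API server."""
    host = make_host_v1("kubernetes.default.svc.cluster.local", 443, "tcp")
    intercept = make_intercept_v1(intercept_names, 443, 443)
    problems = validate_host_v1(host) + validate_intercept_v1(intercept)
    if host["protocol"] not in intercept["protocols"]:
        problems.append("intercept does not capture the protocol the host config forwards")
    if not any(r["low"] <= host["port"] <= r["high"] for r in intercept["portRanges"]):
        problems.append("intercept port ranges do not cover the host config port")
    for name in names_outside_sans(intercept, sans):
        problems.append(f"{name} is not a DNS SAN of the API server cert; TLS verification will fail")
    return host, intercept, problems


if __name__ == "__main__":
    host_cfg, intercept_cfg, issues = build_k8s_api_service()
    print(json.dumps(host_cfg, indent=2))
    print(json.dumps(intercept_cfg, indent=2))
    print(issues or "configs look consistent")
```

The two JSON documents the script prints are what you would pass to `ziti edge create config <name> host.v1 '<json>'` and `ziti edge create config <name> intercept.v1 '<json>'` before attaching both configs to the service. Note that the hosting tunneler only forwards packets to the API server; it holds no Kubernetes credentials, so clients still authenticate to the API with their own kubeconfig, and the Ziti service and dial policies decide which identities can reach the listener at all.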