Openziti on Talos cluster

brandi · March 2, 2025, 10:45pm

Hey,

I've a homelab Talos cluster with a bunch of SSFs. I wanna be able to access K8S API and my services remotely.

From this doc, I understand that I can deploy a Daemonset with an OpenZiti tunneler.

So this could solve the "access services remotely". But how can I access the API through Openziti If I cannot deploy a tunneler on the host directly ?

TheLumberjack · March 3, 2025, 12:01pm

Hi @brandi,

If I'm not mistaken, I believe the k8s API is available from within the cluster itself by default. You don't need to deploy a tunneler on the host via daemonset. You just need to deploy any OpenZiti tunneler in the kubernetes cluster. You could do that with a daemonset or just a regular pod.

Regardless of how you deploy OpenZiti though, are you confused as to how you'd create the service itself? As in, what the host config would look like? I am not sure I understand your question fully.

qrkourier · March 3, 2025, 4:50pm

Here's some specifics for the "just a regular pod" approach.

One way is to deploy a Ziti router: Install the Router in Kubernetes | OpenZiti. Then you can host Ziti services with that router's tunneler identity.

Another way is to deploy a Ziti tunneler in hosting mode as a reverse proxy: Deploy a Hosting Tunneler in Kubernetes | OpenZiti. The ziti-host chart runs ziti-edge-tunnel run-host, which is a run mode that only hosts Ziti services.

brandi · March 3, 2025, 5:35pm

Hi

Yeah basically that's my question, how can we configure an Openziti service to access the K8S API, how should the host.v1 be configured?

Also for apps hosted on K8S, if it's a pod running a private router or a tunneler with, should Openziti host.v1 config point directly to the K8S services ?

qrkourier · March 3, 2025, 5:48pm

Tunneled Ziti services need a "host config" to set the target address for the tunneler to send packets exiting the Ziti service.

host.v1 example:

{
  "address": "kubernetes.default.svc.cluster.local",
  "port": 443,
  "protocol": "tcp"
}

based on Tunneler Config Type host.v1 | OpenZiti

You could then use any of that Kubernetes API server's existing DNS SANs as the Ziti service intercept address in your intercept.v1.

{
    "protocols": [
        "tcp"
    ],
    "addresses": [
        "kubernetes.default.svc"
    ],
    "portRanges": [
        {
            "low": 443,
            "high": 443
        }
    ]
}

Depending on your K8S distribution, you may be able to add a DNS SAN and use that for your Ziti service intercept.

Topic		Replies	Views
OpenZiti meets Talos Linux!	10	131	September 21, 2024
AWS Self hosted K8s/DB scenarios General Questions	6	31	November 1, 2024
Dockerised ziti tunneller Tunneler Apps	2	318	June 20, 2022
TCP-Proxying services into Openziti without DNS Intercept? Ziti Overlay	14	1004	February 3, 2023
Zitify Homelab Kubernetes Cluster Ziti Overlay	8	670	May 31, 2023

Openziti on Talos cluster

Related topics