Questions about controller HA

I have the some questions about controller HA as described in the following document:

• https://github.com/openziti/ziti/blob/main/doc/ha/overview.md

Questions around PKI:

• Does the trustdomain that is used to create the root CA have any relationship with the DNS domain of the controllers hosting the network?
• If not, are there any constraints on the trustdomain? For example, can it be a single-part name like myzitinetwork? Or does it have to look like a domainname myzitinetwork.com?
• What are the constraints on the controller name in the spiffe id? Do they have to match the any part of the DNS names assigned to the controller?

Questions around new authentication API (edge-oidc):

• Is this new API going to be used for both edge-clients and edge-management auth?
• If we bind the edge-client and edge-management-api to different addresses, can we include edge-oidc in both the bindings?

No. Easy to think they do because there is a protocol and hostname, but they are unrelated. Trust domains are used to verify that a SPIFFE ID in a verifiable document (cert, jwt) is "trusted"/"related"/"applicable" to the receiving application.

Any and all restraints come from the SPIFFE spec: spiffe/standards/SPIFFE.md at main · spiffe/spiffe · GitHub

In OpenZiti, we use the trust domain as an opaque string. Since it is a URI, it must conform to URI hostname standards. Top-level domains (.com, .net etc.) are not required. Trust domains are never resolved through DNS for any reason.

Controller SPIFFE IDs on server and client certificates should be in the format of spiffe://<trust domain>/controller/<id>

Yes.

Yes.

Thank you @andrew.martinez .

Just so that I understand correctly, the <id> in the spiffe controller ID is also an opaque string correct? Not related to any ID in the openziti DB.

Is this ID also used in the ziti commands to add/remove the controller from cluster?

# Adding Members
ziti agent cluster add <other controller raft address>

# Removing Members
ziti agent cluster remove <controller id>

# Transfer Leadership
ziti agent cluster transfer-leadership [new leader id]

Just so that I understand correctly, the <id> in the spiffe controller ID is also an opaque string correct? Not related to any ID in the openziti DB.

It is stored in the DB in one table, which is a list of controllers. They aren't referenced anywhere.

Is this ID also used in the ziti commands to add/remove the controller from cluster?

You are correct, the id is used in the cluster remove and cluster transfer-leadership commands.

The id is an optional parameter to the add command. If not provided it will be looked up from the target server.

Cheers,
Paul

Thank you @plorenz .