Quickstart Docker-approach suggestions

Hello, I'm still figuring out the documentation. I managed to set up services and identities and confirmed that some resource sessions are active. I'm now in the process of setting up JWT on the web server.

I pulled openziti/hello-world, but it does not have a way to enroll the JWT token? The documentation says that I need to enroll the JWT on devices. Note that the hello-world image doesn't even have bash support, so I can't install the tunneler or other libraries.

Do you have a workaround? I could suggest building on the hello-world image with bash and having the option to enroll the JWT.

Are you running the docker or the docker compose quickstart? It looks like "pure docker"? The openziti/hello-world container is a simple HTTP server that runs "in docker". Generally, you would use it like this:

  • ☑ deploy an openziti quickstart in docker somehow
  • ☑ verify you can log into the controller
  • ☐ run openziti/hello-world in the same docker network as one of the routers
  • ☐ create an http service that offloads from a router inside the docker environment towards the http server

Conceptually, this is what that looks like:

Here you can see a ziti-edge-tunnel (I'm assuming you're using Linux?) that is authenticated to talk to the overlay network and is authorized to send traffic to the hello-world app.

To make that happen you need to do the following:

  • make sure the controller and router are addressable from outside of docker (add DNS entries, hosts file, etc.).
  • make two sets of config objects, one that configures the intercepting side (the client tunneler) and one that represents the offloading (server) side.
  • make a service, adding those two configs together, creating an OpenZiti service.
  • authorize the client (dialing) side by making a "Dial" service-policy.
  • authorize the server (binding) side by making a "Bind" service-policy.

You might be getting hung up on the fact that you need to start the hello-world on the same network as the router. Make sure you start the hello-world using something like this:

docker run --rm --name openziti-hello-world --network myFirstZitiNetwork openziti/hello-world

Here's the exact set of steps I ran to test/verify:

docker run --rm --name openziti-hello-world --network myFirstZitiNetwork openziti/hello-world

ziti edge create identity client -o client.jwt
ziti edge create config hello-world.intercept intercept.v1 '{"protocols":["tcp"],"addresses":["hello.world.ziti"], "portRanges":[{"low":8000, "high":8000}]}'
ziti edge create config hello-world.host host.v1 '{"protocol":"tcp", "address":"openziti-hello-world","port":8000 }'
ziti edge create service hello-world --configs "hello-world.intercept,hello-world.host"
ziti edge create service-policy hello-world.dial Dial --identity-roles "@client" --service-roles "@hello-world"
ziti edge create service-policy hello-world.bind Bind --identity-roles "@ziti-edge-router-1" --service-roles "@hello-world"

Hope that's enough info and helps get you moving!
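As an added example (not part of the original reply, and not OpenZiti project code), here is a small preflight script for the service created by the commands above. It assumes a POSIX sh with `getent` and `curl` on the machine where the client tunneler runs; the intercept address, intercept.v1 JSON and host.v1 JSON are the values from the commands above. It checks that the host port actually falls inside the intercept port range, that the intercept hostname resolves (which only happens once the tunneler is running with the enrolled client identity), and then probes the service through the intercept.

```shell
#!/bin/sh
# Added example: preflight checks for the hello-world service set up above.
# Assumes POSIX sh plus getent and curl on the client-tunneler host.

INTERCEPT_ADDR="hello.world.ziti"
# Same config JSON as the `ziti edge create config` commands above.
INTERCEPT_JSON='{"protocols":["tcp"],"addresses":["hello.world.ziti"], "portRanges":[{"low":8000, "high":8000}]}'
HOST_JSON='{"protocol":"tcp", "address":"openziti-hello-world","port":8000 }'

# Print the integer following a JSON key, e.g. json_int "$HOST_JSON" port -> 8000.
# $1 = JSON text, $2 = key name (first match only; enough for these flat configs).
json_int() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Return 0 when the host config's port lies inside the intercept portRanges,
# i.e. what the client intercepts can actually be offloaded to the server side.
# $1 = intercept.v1 JSON, $2 = host.v1 JSON. Returns 2 if a value is missing.
intercept_covers_host_port() {
  low=$(json_int "$1" low)
  high=$(json_int "$1" high)
  port=$(json_int "$2" port)
  [ -n "$low" ] && [ -n "$high" ] && [ -n "$port" ] || return 2
  [ "$low" -le "$port" ] && [ "$port" -le "$high" ]
}

# Does the intercept hostname resolve? The tunneler (ziti-edge-tunnel or
# Ziti Desktop Edge) answers this name once the client identity is enrolled
# and the Dial policy grants it the service. No resolution = no intercept yet.
check_intercept_dns() {
  getent hosts "$1" >/dev/null 2>&1
}

# Probe the service through the intercept with a 5 s timeout.
# Prints the HTTP status code, or "none" if nothing answered.
probe_http() {
  curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$1:$2/" 2>/dev/null || printf 'none'
}

main() {
  if intercept_covers_host_port "$INTERCEPT_JSON" "$HOST_JSON"; then
    echo "ok: intercept port range covers host port"
  else
    echo "FAIL: host port is outside the intercept portRanges"
  fi
  if check_intercept_dns "$INTERCEPT_ADDR"; then
    echo "ok: $INTERCEPT_ADDR resolves (tunneler intercept active)"
    echo "http status via intercept: $(probe_http "$INTERCEPT_ADDR" 8000)"
  else
    echo "FAIL: $INTERCEPT_ADDR does not resolve; is the tunneler running with the enrolled identity?"
  fi
}

main
```

Run it on the client machine, not inside the docker network: the browser must reach the service through the tunneler's intercept (hello.world.ziti:8000), since the container's docker IP is not routable from outside docker.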

Appreciate your response on this matter. I tried the sample but am not able to confirm if the intercept is able to respond (attached: openziti.mkv). I tried http://172.18.0.4:8000/ or hello.world.ziti:8000 in the browser but it failed. Note that I already enrolled the JWT for client access on Ziti Desktop Edge.