I am looking a little bit into the SDK part of OpenZiti and the enrollment part is not really clear to me.
In the various examples I have seen, it seems that we should enroll the JWT token externally to the application (i.e. with the ziti console) and then use the produced identity in the application.
My question is: Can we actually enroll from the application itself?
I looked into the Edge APIs, but I couldn't find anything regarding this.
Maybe I missed it? Or is this intended, to have a single point of enrollment in ziti-cli?
I can understand how you'd get that impression. I think it's an artifact of trying to keep the code examples to a minimum as opposed to doing everything in code, maybe?
There are a few examples that actually use the SDK itself to enroll the token, like the C# example @ghostidentity referenced. There's a C example (ziti-sdk-c/programs/sample_enroll/sample_enroll.c in openziti/ziti-sdk-c on GitHub) and a Java one (ziti-sdk-jvm/samples/ziti-enroller/src/main/kotlin/org/openziti/ZitiEnroller.kt in openziti/ziti-sdk-jvm on GitHub).
The appetizer demo is also a fully functional demo that shows you how to automate the creation of an identity and then enroll it (you can try it out at "OpenZiti - open source zero trust networking!" on openziti.io, or on GitHub at openziti-test-kitchen/appetizer: "The OpenZiti appetizer is a demo application designed to encourage people to want more ziti!").
You've inspired me though, I think I'm going to revisit enrollment in this Friday's Ziti TV.
Hope that helps
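To make concrete what "enrolling from the application itself" involves, here is an added Go example. It is not code from this thread or from any OpenZiti SDK; it shows the pre-flight checks an application can run on a one-time enrollment JWT and the local key and CSR generation that enrollment performs, which is the part the SDK enroll functions referenced above do for you (together with verifying the token's signature and the TLS exchange with the controller, neither of which this block does). The claim names (`iss`, `sub`, `em`, `exp`), the controller URL, the identity id and the unsigned test token are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// EnrollClaims holds the claims of a one-time enrollment JWT that matter before
// the token is spent. Claim names are an assumption ("em" = enrollment method).
type EnrollClaims struct {
	Issuer  string `json:"iss"` // controller URL the token is bound to
	Subject string `json:"sub"` // identity id this token enrolls
	Method  string `json:"em"`  // "ott" = one-time token
	Expiry  int64  `json:"exp"` // unix seconds
}

// parseEnrollmentToken decodes a JWT's claims. It does NOT verify the signature:
// the real SDKs fetch the controller's certificate and verify before enrolling.
func parseEnrollmentToken(token string) (*EnrollClaims, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("enrollment token is not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	var c EnrollClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// checkEnrollmentToken rejects tokens that would fail or mis-enroll before any key material exists.
func checkEnrollmentToken(c *EnrollClaims, now time.Time) error {
	if c.Method != "ott" {
		return fmt.Errorf("unsupported enrollment method %q", c.Method)
	}
	if !strings.HasPrefix(c.Issuer, "https://") {
		return fmt.Errorf("issuer %q is not an https controller URL", c.Issuer)
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return fmt.Errorf("enrollment token expired or has no expiry")
	}
	if c.Subject == "" {
		return fmt.Errorf("enrollment token names no identity")
	}
	return nil
}

// newIdentityCSR does the key half of enrollment the way the SDKs do: the private
// key is generated in-process and never leaves it; only the CSR goes to the controller.
func newIdentityCSR(identityID string) (keyPEM, csrPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: identityID}}, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a fresh P-256 key
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return keyPEM, csrPEM, nil
}

// unsignedToken builds a constructed test JWT with an empty signature so the
// example runs offline. Real tokens are signed by the controller.
func unsignedToken(c EnrollClaims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	now := time.Now()
	tok := unsignedToken(EnrollClaims{Issuer: "https://ctrl.example.com:1280",
		Subject: "id-42", Method: "ott", Expiry: now.Add(time.Hour).Unix()})
	claims, err := parseEnrollmentToken(tok)
	if err == nil {
		err = checkEnrollmentToken(claims, now)
	}
	if err != nil {
		fmt.Println("refusing to enroll:", err)
		return
	}
	// The SDK would now POST csrPEM to claims.Issuer and store the returned cert.
	keyPEM, csrPEM, err := newIdentityCSR(claims.Subject)
	fmt.Printf("CSR %d bytes, key %d bytes, err=%v\n", len(csrPEM), len(keyPEM), err)
}
```

The point worth taking from it: whether you enroll with the CLI or inside the application, the private key is created where the identity will be used and only the CSR leaves the process, so in-app enrollment moves no secret that CLI enrollment would not also keep local. What changes is that the one-time token now reaches the application, so it is the token (single-use, expiring) that needs protecting in transit and at rest until it is spent.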
Thank you both for the answers, they are exactly what I was looking for!
Indeed, the misconception came from the fact that in most examples I saw, there was an external enrollment, which seemed the way to go.