Seamlessly Switching Certificates, Configuring Multi-Location Routing Strategies, and Path Tracking

Not sure what you mean. The router renews its certificates automatically so this shouldn't be a problem?

It's "possible" right now, but it'll be really cumbersome to implement. You can use a "service edge router policy" to inform services where they can be "onboarded" to the overlay, and where they can offload from the overlay. You can then stand up a bespoke router for bespoke links and control that path precisely, but boy that'll be "work"... :) but you could do it!

Bespoke pathing like this is one of those features we've talked about before, but there's not been a substantial demand for the feature to date.

Make an SSH connection via ziti and you'll get results. If you're doing HTTP requests, you basically need to do a tight loop to catch the path... I did exactly that to catch the HTTP request I used to reply on this topic: "Inspecting the Fabric and Mesh - #6 by TheLumberjack".

Here's a quick video showing you how to use traceroute and our complicated docker compose environment.

Commands from the video:

curl -so docker-compose.yaml https://get.openziti.io/dock/docker-compose.yml
curl -so .env https://get.openziti.io/dock/.env
docker compose --project-name traceroute up

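# YAML as it should read in ziti-fabric-router-br.yaml after the edit (link listener):
docker exec -it traceroute-ziti-controller-1 vi ziti-fabric-router-br.yaml
  listeners:
    - binding:          transport
      groups:
        - intermediary

# YAML as it should read in ziti-private-blue.yaml after the edit (link dialer):
docker exec -it traceroute-ziti-controller-1 vi ziti-private-blue.yaml
link:
  dialers:
    - binding: transport
      groups:
        - intermediary

# Restart both routers so they load the edited configs:
docker compose --project-name traceroute restart ziti-fabric-router-br ziti-private-blue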

docker exec -it traceroute-ziti-controller-1 bash -i -c "source ~/.bashrc && zitiLogin"
docker exec -it traceroute-ziti-controller-1 /var/openziti/ziti-bin/ziti fabric list links

docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create config http.intercept.v1 intercept.v1 \
	'{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create config http.host.v1 host.v1 \
	'{"protocol":"tcp", "address":"web.test.blue", "port":8000}'
docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create service http.svc \
	--configs http.intercept.v1,http.host.v1
docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create service-policy \
	http.policy.dial Dial \
	--service-roles "@http.svc" \
	--identity-roles '#http-clients'
docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create service-policy \
	http.policy.bind Bind \
	--service-roles '@http.svc' \
	--identity-roles '@ziti-private-blue'

docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge create identity traceroute-test \
	-o traceroute-test.jwt \
	-a 'http-clients'
docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge enroll traceroute-test.jwt

docker exec -it traceroute-ziti-controller-1 \
	/var/openziti/ziti-bin/ziti edge traceroute http.svc \
	--config-file traceroute-test.json