I am taking my first steps with OpenZiti and I believe I have understood most of the basics. Actually, I have one use case I would like to share my thoughts on with you and discuss what you think about it.
I want to use OpenZiti (among other things) for multi-cluster (inter-cluster) Kubernetes communication. I have checked the different modes the ziti-tunneler is able to run in and found out that there is (apart from using the SDKs) no way to get into OpenZiti other than using the ziti-tunneler in “run” mode, which means pretty high privileges are needed (tun devices, DNS intercept), which I am not too happy about.
I would like to use OpenZiti in the following way: an ingress controller (basically, a reverse proxy) on one cluster together with the services hosted behind this ingress controller and one ziti-tunneler in “host” mode, and an OpenZiti client on another cluster which participates in the overlay network but exposes two TCP ports (e.g. 8443 and 8000), where everything that arrives at these ports is sent to a (configured) service inside OpenZiti. This way, this client would be able to run without high privileges and would have to do less fancy network stuff. In order to make the services hosted on the internal ingress controller available from the outside cluster, CoreDNS would be extended with a custom DNS zone such as *.central.myfancynetwork.com, pointing everything in this domain to the cluster-internal address of the tunneler-proxy client.
As far as I understand, this kind of setup would be possible employing HAProxy or similar with a ziti-tunneler as a sidecar, but this sidecar would then still work based on DNS intercept to figure out which service to push data into, and would therefore need the rather high privileges. Another approach I came up with would be a relatively simple Go or Python application employing the SDK to achieve exactly this simple use case.
Is a setup like the one I described something you have ever received a request for? Is there a way to employ ziti-edge-tunnel in that way which I haven’t seen yet?
Looking forward to your opinions.
Christian
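The port-to-service client sketched in the post above, as an added example (not code from the original post or from the OpenZiti project): each configured TCP port maps to exactly one Ziti service, so the process only binds ordinary sockets and needs neither a tun device nor DNS interception. The Ziti dial is injected as a function standing in for the sdk-golang context's Dial(serviceName) (assumed API name), which also lets the code run offline against any TCP stand-in.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// Dialer opens a connection to a named OpenZiti service. In the real client this is the
// SDK context's Dial(serviceName) from github.com/openziti/sdk-golang (assumed API name).
type Dialer func(service string) (net.Conn, error)

// PortMap is the client's static configuration: local TCP port -> Ziti service name.
// The listening port alone selects the service, so no tun device or DNS intercept is needed.
type PortMap map[int]string

// ListenAll binds every configured port on bind ("0.0.0.0" in a pod, "127.0.0.1" in a
// test; port 0 picks a free one) and relays accepted connections into the mapped service.
// Listeners bound so far are always returned so the caller can close them.
func ListenAll(bind string, ports PortMap, dial Dialer) ([]net.Listener, error) {
	var ls []net.Listener
	for port, service := range ports {
		ln, err := net.Listen("tcp", fmt.Sprintf("%s:%d", bind, port))
		if err != nil {
			return ls, fmt.Errorf("port %d (%s): %w", port, service, err)
		}
		ls = append(ls, ln)
		go accept(ln, service, dial)
	}
	return ls, nil
}

// accept serves one listener: each inbound TCP connection gets its own Ziti dial and a
// bidirectional relay. A failed dial closes only that client connection.
func accept(ln net.Listener, service string, dial Dialer) {
	for {
		client, err := ln.Accept()
		if err != nil {
			return // listener closed by the caller
		}
		go func() {
			defer client.Close()
			svc, err := dial(service)
			if err != nil {
				return
			}
			defer svc.Close()
			go io.Copy(svc, client) // client -> service
			io.Copy(client, svc)    // service -> client; ends when either side closes
		}()
	}
}
```

In the cluster described above, CoreDNS would resolve *.central.myfancynetwork.com to this pod, and ports 8443 and 8000 would each carry one entry in the PortMap.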