Using OpenZiti in distributed surveillance system

Hi @papiris, welcome to the community and to OpenZiti!

Thanks for the details in your question. That sounds like a neat project™ and a perfect use of OpenZiti, if you're building the camera software. If you do, then you can build an SDK into the camera software and you can accommodate requirements 3 and 4 easily. If you don't control that software, well then it's going to be hard to verify/guarantee #3/#4 using OpenZiti alone... I expect you won't be using OpenZiti for local traffic, relying on trusting that private network. It wasn't clear to me from your diagram exactly what you meant by 'No cross-talk between farms, no information leakage'. But I think that's what you meant?

Your overview of what you need sounds right, yes. I'd probably lean towards an edge router at each location so that the clients would be able to connect to the overlay using the LAN when they're on the LAN.

I'd start by:

  • get your overlay network working and just get familiar with the zero trust concepts (which are somewhat different than the classic, IP-based rules most people are familiar with), identities, services, configs, service-policy, edge router policy... Those are the ones you'll need to understand.
  • look at the helm/kubernetes stuff we have out there
  • you mentioned provisioning new clients -- you'll have to decide how you'll want to do that. I'd start by using the Ziti Desktop Edge/Ziti Mobile Edge clients and emailing people a JWT, then possibly transition to making your own (white-labeled) app someday. You'll also want to learn how to automate the setting up of the k3s cluster/identity
  • once you have identities provisioned, you'll then use services, service policies to see everything working
  • after you get familiar with that, I'd layer on BrowZer at the end.

Hope that helps (or at least starts a discussion).
