What happens if the IP address changes?

What happens if at some point I need to move my host and I need to change the IP address? Is it just a config file I need to adjust, or is there an IP buried in the PKI anywhere?

There’s only an IP baked into the controller or edge router PKI when you set the optional variables:

ZITI_CTRL_EDGE_IP_OVERRIDE="${IP}"
ZITI_ROUTER_IP_OVERRIDE="${IP}"

If you set those, that IP will make it into the PKI. This is why we strongly recommend you use a DNS entry instead of an IP when possible so that the DNS entry can just be updated.

It’s not “buried” per se, but the server certificates presented to clients will end up with an IP SANs field set.

Wait a minute... you can use a FQDN in that IP_ADDRESS variable? So, ziti.mydomain.com instead of 123.123.123.123?

To clarify, are you saying the following is acceptable/preferable? All DNS, no IPs.

# controller name, address/port information
ZITI_CTRL_NAME=ziti.mydomain.com
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=ziti.mydomain.com
ZITI_CTRL_ADVERTISED_ADDRESS=ziti.mydomain.com
ZITI_CTRL_EDGE_IP_OVERRIDE=ziti.mydomain.com
ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
ZITI_CTRL_ADVERTISED_PORT=8440

# The duration of the enrollment period (in minutes), default if not set. shown - 7days
ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
ZITI_ROUTER_ENROLLMENT_DURATION=10080

# router address/port information
ZITI_ROUTER_NAME=ziti.mydomain.com
ZITI_ROUTER_ADVERTISED_HOST=ziti.mydomain.com
ZITI_ROUTER_PORT=8442
ZITI_ROUTER_IP_OVERRIDE=ziti.mydomain.com
ZITI_ROUTER_LISTENER_BIND_PORT=8444
ZITI_ROUTER_ROLES=public

No. If you don't want to add an IP to the PKI, just leave those fields blank or absent entirely.

ahh… genius!

Thanks @TheLumberjack !!!
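The effect discussed in this thread, as an added example that is not part of the original posts and is not OpenZiti's own code: a server certificate carrying an IP SAN stops matching once the host moves to a new address, while the DNS SAN keeps matching. The certificate is constructed in memory with Go's standard library; `sampleServerCert` and `survivesMove` are hypothetical helper names, and the IPs are documentation addresses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sampleServerCert builds a constructed, self-signed stand-in for a server certificate.
func sampleServerCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:     dns, IPAddresses: ips, // the SANs a client checks the dialed address against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// survivesMove reports whether addr still matches the cert's SANs and lists its IP SANs.
func survivesMove(cert *x509.Certificate, addr string) (bool, []string) {
	var pinned []string
	for _, ip := range cert.IPAddresses {
		pinned = append(pinned, ip.String())
	}
	return cert.VerifyHostname(addr) == nil, pinned
}

func main() {
	cert, err := sampleServerCert([]string{"ziti.mydomain.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	for _, addr := range []string{"ziti.mydomain.com", "192.0.2.10", "203.0.113.20"} {
		ok, pinned := survivesMove(cert, addr)
		fmt.Printf("%-18s matches=%v ipSANs=%v\n", addr, ok, pinned)
	}
}
```

An empty `ipSANs` list on a real server certificate means no IP was pinned into it, so only the DNS record has to follow the host.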