What is considered 'Opinionated' in the quick-start and what are just 'Assumptions'?

Hello again,

So I have another question about the quickstart. I ask for your forbearance, the quickstart is what I have the most experience with and I am trying to reconcile what I do and don't need for a really simple, repeatable production instance.

If you search the forum for opinionated, two of the results essentially say the quickstart is very opinionated. I have also had a chance to see how the quickstart script walks through the creation of the PKI. What I am unsure about is what is truly opinionated and what is just a sane default?

For instance, when I think of something being opinionated, I think of the fork of neovim vs vim, the former makes architectural decisions that vary greatly from the latter. Another example would be zsh vs fish for shells, very opinionated when it comes to POSIX compatibility, for instance.

So, with that in mind, does the quickstart believe a certain way of approaching the process is inherently better and provides actions crafted around that approach? Or, does it instead make assumptions, and without providing information to override them, it simply proceeds with those assumptions?

For instance, below is the tree of the volume created by the quickstart in docker. What in this tree is Opinionated and what is simply an Assumption?

root@ziti-dev:/var/lib/docker/volumes# tree
.
├── backingFsBlockDev
├── metadata.db
└── ziti_ziti-fs
    └── _data
        ├── access-control.init
        ├── db
        │   └── ctrl.db
        ├── pki
        │   ├── cas.pem
        │   ├── signing.pem
        │   ├── ziti-dev.jptech.corp-intermediate
        │   │   ├── certs
        │   │   │   ├── ziti-dev.jptech.corp-client.cert
        │   │   │   ├── ziti-dev.jptech.corp-intermediate.cert
        │   │   │   ├── ziti-dev.jptech.corp-intermediate.chain.pem
        │   │   │   ├── ziti-dev.jptech.corp-server.cert
        │   │   │   └── ziti-dev.jptech.corp-server.chain.pem
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   ├── ziti-dev.jptech.corp-client.key
        │   │   │   ├── ziti-dev.jptech.corp-intermediate.key
        │   │   │   └── ziti-dev.jptech.corp-server.key
        │   │   └── serial
        │   ├── ziti-dev.jptech.corp-root-ca
        │   │   ├── certs
        │   │   │   ├── ziti-dev.jptech.corp-intermediate.cert
        │   │   │   └── ziti-dev.jptech.corp-root-ca.cert
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   ├── ziti-dev.jptech.corp-intermediate.key
        │   │   │   └── ziti-dev.jptech.corp-root-ca.key
        │   │   └── serial
        │   ├── ziti-edge-controller-intermediate
        │   │   ├── certs
        │   │   │   ├── ziti-dev.jptech.corp-client.cert
        │   │   │   ├── ziti-dev.jptech.corp-server.cert
        │   │   │   ├── ziti-dev.jptech.corp-server.chain.pem
        │   │   │   ├── ziti-edge-controller-intermediate.cert
        │   │   │   └── ziti-edge-controller-intermediate.chain.pem
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   ├── ziti-dev.jptech.corp-client.key
        │   │   │   ├── ziti-dev.jptech.corp-server.key
        │   │   │   └── ziti-edge-controller-intermediate.key
        │   │   └── serial
        │   ├── ziti-edge-controller-root-ca
        │   │   ├── certs
        │   │   │   ├── ziti-edge-controller-intermediate.cert
        │   │   │   └── ziti-edge-controller-root-ca.cert
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   ├── ziti-edge-controller-intermediate.key
        │   │   │   └── ziti-edge-controller-root-ca.key
        │   │   └── serial
        │   ├── ziti-signing-intermediate
        │   │   ├── certs
        │   │   │   ├── ziti-signing-intermediate.cert
        │   │   │   └── ziti-signing-intermediate.chain.pem
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   └── ziti-signing-intermediate.key
        │   │   └── serial
        │   ├── ziti-signing-intermediate_grandparent_intermediate
        │   │   ├── certs
        │   │   │   ├── ziti-signing-intermediate.cert
        │   │   │   ├── ziti-signing-intermediate_grandparent_intermediate.cert
        │   │   │   └── ziti-signing-intermediate_grandparent_intermediate.chain.pem
        │   │   ├── crlnumber
        │   │   ├── crls
        │   │   ├── index.txt
        │   │   ├── index.txt.attr
        │   │   ├── keys
        │   │   │   ├── ziti-signing-intermediate.key
        │   │   │   └── ziti-signing-intermediate_grandparent_intermediate.key
        │   │   └── serial
        │   └── ziti-signing-root-ca
        │       ├── certs
        │       │   ├── ziti-signing-intermediate_grandparent_intermediate.cert
        │       │   └── ziti-signing-root-ca.cert
        │       ├── crlnumber
        │       ├── crls
        │       ├── index.txt
        │       ├── index.txt.attr
        │       ├── keys
        │       │   ├── ziti-signing-intermediate_grandparent_intermediate.key
        │       │   └── ziti-signing-root-ca.key
        │       └── serial
        ├── scripts
        ├── ziti-dev-router.jptech.corp.cas
        ├── ziti-dev-router.jptech.corp.cert
        ├── ziti-dev-router.jptech.corp.jwt
        ├── ziti-dev-router.jptech.corp.key
        ├── ziti-dev-router.jptech.corp.log
        ├── ziti-dev-router.jptech.corp.server.chain.cert
        ├── ziti-dev-router.jptech.corp.yaml
        ├── ziti-dev.jptech.corp.yaml
        └── ziti.env

34 directories, 79 files

Pot-A-to, po-TAH-to??? :ziggy_laughs_closeup:

The biggest assumptions/sane defaults/opinions it has that come to mind are:

  • you get a "complex" pki, built with the intention of learning/customizing/teaching, but not 'simple'
  • you get a pki for each major section of the overlay: control plane, api, identities
  • you don't get to "use your own pki" with the quickstart, it'll just make it for you
  • you'll have ONE listener for edge connections and it'll be whatever IP you tell it to listen on
  • if you make a "private" edge router, you'll still have the "edge" enabled
  • it emits a .env file, the file will have your password in it, that's not 'great' but that's what happens, you should remove it eventually when you consider this thing stable
  • it doesn't split the client and management apis
  • ...
  • ...

Honestly, I could probably go on for quite a few more but I'm tired of typing :ziggy_laughs_closeup: You get the point. MOSTLY it's those sorts of things.

Yea, more like that. There are some things you just can't customize but might want to, but to be honest the number of those things has become smaller and smaller over time. For example, you never used to be able to override the CSR for a router. You really can't 'quickstart' your way to browzer yet, stuff like that...

I think it's a way of saying "look, you just can't quickstart ALL the things". It does its best to set you up for long-term success but it's not infinitely flexible.

:ziggy_cool_closeup:

Good explanation, thanks @TheLumberjack !