@qrkourier, not directly an OpenZiti question, but I'm sure you're aware of this scenario.
We have a platform that deploys private k8s clusters and then accesses their services via OpenZiti routers. It's Terraform that creates these clusters, but to deploy the routers in the first place, how would the platform access the clusters?
You're provisioning private K8s clusters with TF. I assume the TF provider gives you a way to fetch the Kube API credential, and a way to connect to the Kube API.
You may need to use the providers method until you have bootstrapped the cluster with Ziti, then disable the public ingress to Kube API.
Really, it depends on your cloud provider's options for Kube API access.
Thanks, @qrkourier. Everything was working fine, but now the tunnelers lost their API session to the controller.
Here is the image.
How is the tunneler installed? Is it installed with the Linux package?
I'm unable to read the log messages because they're truncated in the screenshot. Please use one of the following options to provide the log file. Thank you.
```
# this option will upload a debug bundle to my computer
sudo /opt/openziti/bin/debug.bash https://user:l4suSs-n2kBfYs@s5ggg9oyntdv.share.zrok.io
```
or
```
# this option will create a zet.log file you may attach to a private message in Discourse
sudo journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show -p InvocationID --value ziti-edge-tunnel.service) -l | tee ./zet.log
```
Done, thanks @qrkourier. After this situation, I tried to recreate the routers, attaching the same attributes as earlier, but the tunnel says it can't connect to those routers.
I tried
```
ziti edge list edge-routers
ziti edge list identities
```
and they were running and online.
At the time of the debug capture, I see the tunneler is able to reach router1's edge listener. You said "lost api session to controller," but I'm not seeing evidence of that in the tunneler's log. Was a Ziti service not working? If not, what does policy advisor say about that service?
```
ziti edge policy-advisor services -q "hello-service6"
```
From the log, I can see that your tunneler has loaded identity "hello-client6" and has dial permission for service "hello-service6," which provides "postgres.ziti.internal:5432."
I assume you're trying to connect to the DB on that DNS name and port. What's the result of that attempt:
- does the DNS name resolve?
- is the TCP port open (TCP handshake)?
- is there any protocol greeting?
- does the tunneler report an error in the log at the moment of the attempt?
This is the error while connecting the tunneler to router10 (new router bound to hello-service6):
```
ERROR ziti-sdk:channel.c:903 on_channel_connect_internal() ch[3] failed to connect to ER[router10]
```
- I'm able to resolve the DNS name.
- I can't make the PostgreSQL connection, which means the commands that open a PostgreSQL connection on port 5432 fail, which was not the case before.
Logs from the router side:
I'm even happy to do a Twitch live where I share my screen.
I'm unable to read the log messages from the screenshot. They're cut off on the side, and not wrapped.
Please create a text log file and attach it in a private message, or paste the log as text in ``` fences.
You can run this command for the router service to create the log file.
```
journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show -p InvocationID --value ziti-router.service) -l | tee ./router.log
```
The error message:
```
Jun 06 17:47:08 ip-10-0-157-16 entrypoint.bash[32676]: [3740.006] ERROR ziti/router/link.(*linkRegistryImpl).evaluateLinkState.func1: {error=[error dialing outgoing link [l/3EFbZIp9A8tIsgK1wQ9FYH@21]: error dialing payload channel for [l/3EFbZIp9A8tIsgK1wQ9FYH]: dial tcp 10.0.7.22:3024: i/o timeout] linkId=[3EFbZIp9A8tIsgK1wQ9FYH] iteration=[21] key=[default->tls:R0NCnobjv->default]} error dialing link
```
Full logs
How is the service "hello-service6" hosted? Some identity must have "bind" permission to host (provide) the service by acting as a reverse proxy. The hosting identity needs to be able to reach the server address you set in the host.v1 config: "localhost:5432"
On the Linux host where the identity with bind permission is running, perhaps this is router10, you can check that the address is reachable like this:
```
nc -zv localhost 5432
```
BTW, "localhost" does not always resolve to the same loopback address, i.e. IPv6 vs. IPv4. It may be necessary to verify that the PostgreSQL server is listening on a specific IP address and port, and let the host.v1 config reflect the correct address.
This will show the listening address(es) if PostgreSQL is listening on 5432/tcp:
```
sudo ss -lntp | grep 5432
```
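As an added example (not code from this thread or from the OpenZiti project), the checks suggested in the two diagnostic posts above, does the name resolve, does the TCP handshake complete, is there a protocol greeting, carried out against every address the target name resolves to, so the "localhost" IPv4/IPv6 pitfall shows up directly instead of being hidden by whichever address `nc` happened to pick. The greeting probe is PostgreSQL-specific: the client sends an SSLRequest (int32 length 8, int32 code 80877103) and a real server answers a single byte, 'S' or 'N'. The hostname, port and the IPv4-only stand-in server are assumptions so the script runs offline; point `probe_target()` at the real host.v1 address and port to use it on a router or tunneler host.

```python
"""Reachability probe for a Ziti host.v1 target: DNS, TCP handshake, PostgreSQL greeting.

Added example, not part of the original thread or of the OpenZiti project.
"""
import socket
import struct
import threading

# PostgreSQL SSLRequest: int32 length (8) followed by int32 code 1234<<16 | 5679.
# A real server replies with a single byte: b"S" (TLS offered) or b"N" (no TLS).
PG_SSLREQUEST = struct.pack("!ii", 8, 80877103)


def resolve(host, port):
    """Return the (family, sockaddr) pairs the name resolves to, in order, or [] on failure."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    seen, out = set(), []
    for family, _, _, _, sockaddr in infos:  # getaddrinfo may repeat entries per protocol
        if (family, sockaddr) not in seen:
            seen.add((family, sockaddr))
            out.append((family, sockaddr))
    return out


def probe_address(family, sockaddr, timeout=2.0):
    """TCP handshake plus PostgreSQL SSLRequest greeting against one resolved address."""
    result = {"addr": sockaddr[0], "tcp_ok": False, "greeting": None, "error": None}
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)          # the TCP handshake the thread asks about
            result["tcp_ok"] = True
            s.sendall(PG_SSLREQUEST)     # PostgreSQL never speaks first, so we prompt it
            reply = s.recv(1)
            result["greeting"] = reply.decode("ascii", "replace") if reply else None
    except OSError as e:                 # refused, unreachable family, timeout, reset
        result["error"] = type(e).__name__ + (": " + str(e) if str(e) else "")
    return result


def is_postgres_greeting(greeting):
    return greeting in ("S", "N")


def probe_target(host, port):
    """Run the whole checklist; one result per address the name resolves to."""
    addrs = resolve(host, port)
    if not addrs:
        return {"resolved": False, "results": []}
    return {"resolved": True, "results": [probe_address(f, sa) for f, sa in addrs]}


def result_for(report, addr):
    """Pick the per-address result for one literal address, or None."""
    return next((r for r in report["results"] if r["addr"] == addr), None)


# Constructed stand-in for a PostgreSQL server that listens on IPv4 loopback only.
# This reproduces the pitfall: "localhost" may resolve to ::1 first, where nothing listens.
def start_fake_pg_server():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port so the example runs anywhere
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(8) == PG_SSLREQUEST:
                    conn.sendall(b"N")   # "no TLS", which is still a valid greeting

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe 'localhost' against the stand-in server and return the full report."""
    port = start_fake_pg_server()
    report = probe_target("localhost", port)
    for r in report["results"]:
        status = "greeting %r" % r["greeting"] if r["tcp_ok"] else "FAILED (%s)" % r["error"]
        print("%-20s tcp=%s %s" % (r["addr"], r["tcp_ok"], status))
    return report


if __name__ == "__main__":
    demo()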
```
root@ip-10-0-157-16:/home/ubuntu# nc -zv localhost 5432
Connection to localhost (127.0.0.1) 5432 port [tcp/postgresql] succeeded!
root@ip-10-0-157-16:/home/ubuntu#
```
Yes, on the Postgres host's localhost we can connect. I was also able to connect to the old nginx service, which was the service I tested earlier. It's Postgres that is actually not connecting through the router.
The link errors you reported may not be a problem. All routers continually dial all link listeners, and so many failures are expected if any link listener is not reachable.
For example, if a router on a private address has a link listener configured, then all routers will continually fail to dial the unreachable listener.
If the ping works but the connection to itself does not work, what does it mean?
How is this service "hello-service6" hosted? Some identity must have bind permission.
Did you get a result from the policy advisor command I recommended?
Ziti does not transmit ping echo/reply packets at all, so you are only pinging the local interface.
@qrkourier, I recreated the service and policies, and then it works.
Do they expire, I wonder?
Since there is a lot of stuff we do around this, what's the way of not making mistakes and doing things in a better way?
They don't expire.
There's no great way to not make mistakes. I wish I could figure out how to do it! My recommendation is to just use the system for a while. You'll start to understand how it does what it does and why. Zero trust principles are new to a lot of people; it takes some time to get used to, but once you do it a few times, I think you'll find it natural.
Glad to see you're up and working! Have fun!
Thanks @TheLumberjack, do these JWTs have expiries?
Please tell me the cases where something would expire, or something could happen in the long run, that could stop the network from working normally.
jwt.io is a great resource for looking at JWTs. Check it out and you'll see they expire.
Thanks @TheLumberjack, what would be the command to deploy a router in a private network with this CLI? GitHub - netfoundry/ziti_router_auto_enroll
To wrap this up, please confirm whether I understood routers and controllers properly.
My conception of routers was:
- edge -> for SDK-embedded code to connect
- link listeners -> for inter-router communication to enable smart routing
- private router -> a router without link listeners, advertising a private IP (they register themselves with the controllers, so the controller knows how to route traffic to them and hence they are reachable)
- public router -> has link listeners and advertises a public IP
Controllers:
It would be great if I could get a bit of clarity on the difference between ctrl and mgmt.
I was also curious to understand how the controller registers private-network routers and communicates with them; sharing links or an explanation, anything is fine in this regard.
Thanks again.