Helm chart for ziti-edge-tunnel run transparent proxy #129
Comments
Hello @mjtrangoni and thank you for the offer. Here's a guide for running a daemonset as a node proxy: https://openziti.io/docs/guides/kubernetes/workload-tunneling/kubernetes-daemonset

This approach has an unsolved problem that led me to use sidecars instead of daemonset. Maybe you can think of a solution. The problem with this approach is that CoreDNS answers Ziti DNS by forwarding the query to the tunneler pod on its own node. The response is the Ziti intercept IP address on the controller node where CoreDNS is running, not necessarily the node where the pod is running that sent the original DNS query. All nodes have the same Ziti Identity and so they obtain the same list of services from the Ziti controller and in most cases the mapping of Ziti addresses is identical, but there is no guarantee this is the case because Ziti intercept IP addresses are always picked on the node, not globally unique for the Ziti network. This means the daemonset works when there's only one K8s node or only one Ziti service, and the risk of an incorrect IP intercept increases from there.

This is a DNS-related problem, so it does not affect Ziti services that don't employ DNS. If it's possible, one solution would be to configure K8s so that every node runs CoreDNS and all pods only query DNS on their own node.
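The failure mode described in the comment above, modelled as an added example that is not part of the thread or of OpenZiti's code: each node hands out intercept IPs independently, and an answer from one node's tunneler can map to a different service on the node that asked. The sequential allocator, the `100.64.0.0/10` pool, the reserved first address, and all node and service names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def assign_intercepts(service_order, pool="100.64.0.0/10"):
    """Model one node's tunneler: give each service hostname the next free
    pool address, in the order this node learned about the service."""
    hosts = iter(ipaddress.ip_network(pool).hosts())
    next(hosts)  # assumption: first address is kept for the tunneler's DNS listener
    return {name: str(next(hosts)) for name in service_order}

def find_divergent(node_maps):
    """Return {hostname: {ip: [nodes]}} for hostnames that do not map to
    the same intercept IP on every node."""
    seen = defaultdict(lambda: defaultdict(list))
    for node, mapping in node_maps.items():
        for name, ip in mapping.items():
            seen[name][ip].append(node)
    return {name: {ip: sorted(nodes) for ip, nodes in ips.items()}
            for name, ips in seen.items() if len(ips) > 1}

def lands_on(query_node, dns_node, name, node_maps):
    """Service actually reached when a pod on query_node connects to the IP
    that the tunneler on dns_node answered for name (None if no intercept)."""
    answer = node_maps[dns_node][name]
    reverse = {ip: svc for svc, ip in node_maps[query_node].items()}
    return reverse.get(answer)

# Constructed sample: same identity and services, different arrival order per node.
NODE_MAPS = {
    "node-a": assign_intercepts(["db.ziti", "api.ziti", "cache.ziti"]),
    "node-b": assign_intercepts(["api.ziti", "db.ziti", "cache.ziti"]),
}

if __name__ == "__main__":
    for name, ips in sorted(find_divergent(NODE_MAPS).items()):
        print(f"MISMATCH {name}: {ips}")
    # CoreDNS runs on node-a, the querying pod runs on node-b.
    hit = lands_on("node-b", "node-a", "db.ziti", NODE_MAPS)
    print(f"pod on node-b asked for db.ziti and reaches: {hit}")
```

Run against real per-node mappings, `find_divergent` returning an empty dict is the condition under which the daemonset approach resolves correctly from any node.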
@qrkourier I think this could be closed now.
Hi,
I would like to ask if you are interested in having a new helm chart here for my use case. I need openziti/ziti-edge-tunnel running as DaemonSet, aka transparent proxy mode or ziti-edge-tunnel run.

Let me know your thoughts! If yes, I would be submitting a PR soon.
Thank you!