Skip to content

POC: OpenZiti-based connectivity between platform-server and docker-runner (SDK + reconciliation) #1289

New issue
New issue
Open
#1290
Open
POC: OpenZiti-based connectivity between platform-server and docker-runner (SDK + reconciliation)#1289
#1290
@rowan-stein

Description

@rowan-stein
rowan-stein
opened on Feb 18, 2026

User request

Implement a development POC where:

  • OpenZiti (controller + router) runs via docker-compose in this repo for development.
  • platform-server reconciles required Ziti entities (identities, service, policies) via Ziti Management API.
  • platform-server connects to Ziti via the Node SDK.
  • docker-runner connects to Ziti via the Node SDK.
  • Communication between platform-server and docker-runner happens via Ziti (keep existing UI/UX unchanged).

Specification (research)

Minimal Ziti docker-compose topology

  • Services: ziti-controller, ziti-edge-router on a shared compose network.
  • Controller ports (dev):
    • 1280 (Edge Client API)
    • 1281 (Management API)
    • 6262 (fabric control plane for router)
  • Router ports (dev):
    • 3022 (edge listener)
  • Persist state under a gitignored .ziti/ directory.

Ziti object model (POC: single shared service)

Deterministic naming with prefix dev.agyn-platform:

  • Identities:
    • dev.agyn-platform.platform-server (attributes: app=agyn-platform, env=dev, component=platform-server)
    • dev.agyn-platform.docker-runner (attributes: app=agyn-platform, env=dev, component=docker-runner)
  • Service:
    • dev.agyn-platform.platform-api (attributes: app=agyn-platform, env=dev, service=platform-api)
  • Service policies:
    • Bind: dev.agyn-platform.platform-api.bind allows platform-server to bind service
    • Dial: dev.agyn-platform.platform-api.dial allows docker-runner to dial service
  • Edge-router policies:
    • dev.agyn-platform.identities.use-router allows both identities to use the router
    • dev.agyn-platform.platform-api.on-router places the service on the router

Reconciliation approach (idempotent)

platform-server implements reconciliation using the Ziti Management API:

  • Authenticate to management API (password or cert auth), acquire bearer token.
  • For each object type: GET by name → create if missing → patch/update if drift.
  • Generate enrollment tokens where needed; store identity artifacts in gitignored dev location.

Node SDK identity lifecycle

  • SDK loads an identity JSON file (enrolled identity) at runtime.
  • Enrollment is a one-time step from an enrollment JWT producing the identity JSON.
  • For POC dev, store artifacts under .ziti/identities/*.json (gitignored).

Dev bootstrap flow

  • docker compose up brings up Ziti.
  • Start platform-server, which reconciles Ziti objects.
  • platform-server and docker-runner load identity json and use Ziti for transport.

Acceptance criteria

  • Running dev docker compose starts Ziti controller+router.
  • platform-server reconciliation is idempotent and can be run repeatedly.
  • platform-server and docker-runner both establish Ziti connections using Node SDK.
  • Existing platform-server → docker-runner functionality works unchanged from the UI perspective (at least a smoke path).
  • Basic docs in repo on how to run the POC.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions