User Request
Agent workload pods fail to authenticate with the gateway via Ziti with error: managed identity not found. The gateway uses the wrong Ziti identity field to look up agent connections.
Specification
Problem
In internal/ziticonn/conn.go, SourceIdentityFromConn() calls conn.(SourceIdentifiable).SourceIdentifier() which returns the Ziti identity name (e.g., agent-550e8400-e29b-...-d716).
The gateway then passes this value to ziti-management.ResolveIdentity() as ZitiIdentityId. But the database stores the opaque Ziti controller ID (e.g., 7JcGDJQ39f) in the ziti_identity_id column, not the name. The lookup always returns zero rows → managed identity not found.
Root Cause
The OpenZiti SDK sets CallerId (returned by SourceIdentifier()) to the identity name, not the ID. The correct accessor is GetDialerIdentityId(), which returns the opaque controller ID that matches what is stored in the database. Keying the lookup on the opaque ID is also the safer choice: an identity name is a mutable, human-chosen label, while the controller ID is fixed for the life of the identity, so the ID is the value that should be bound to the authenticated connection.
Fix
Modify internal/ziticonn/conn.go to prefer GetDialerIdentityId() over SourceIdentifier():
    package ziticonn

    import (
        "net"
        "strings"
    )

    // SourceIdentifiable is the existing interface satisfied by the SDK's edge.Conn;
    // SourceIdentifier() returns the caller's Ziti identity name (the SDK's CallerId).
    type SourceIdentifiable interface {
        SourceIdentifier() string
    }

    // DialerIdentifiable is satisfied by edge.Conn when the listener was created with
    // DoNotSaveDialerIdentity = false (the default); GetDialerIdentityId() returns the
    // opaque controller ID, which is what the ziti_identity_id column stores.
    type DialerIdentifiable interface {
        GetDialerIdentityId() string
    }

    // SourceIdentityFromConn returns the identifier the gateway hands to ResolveIdentity().
    // It prefers the opaque controller ID and only falls back to the identity name when
    // no ID is available. A name will not match ziti_identity_id, so the fallback keeps
    // the original "managed identity not found" failure rather than masking it.
    func SourceIdentityFromConn(conn net.Conn) (string, bool) {
        if dialer, ok := conn.(DialerIdentifiable); ok {
            if id := strings.TrimSpace(dialer.GetDialerIdentityId()); id != "" {
                return id, true
            }
        }
        source, ok := conn.(SourceIdentifiable)
        if !ok {
            return "", false
        }
        identity := strings.TrimSpace(source.SourceIdentifier())
        if identity == "" {
            return "", false
        }
        return identity, true
    }
Key Details
- The gateway uses ziti.DefaultListenOptions() with DoNotSaveDialerIdentity = false (the default). This is correct and required: with the dialer identity saved, GetDialerIdentityId() returns the controller ID; if it were not saved, the ID would be empty and SourceIdentityFromConn() would fall back to the name, which reproduces the original failure.
- SDK v1.6.0 (currently in use) supports GetDialerIdentityId().
- The edge.Conn type returned by the Ziti SDK listener satisfies both SourceIdentifiable (returning the name) and DialerIdentifiable (GetDialerIdentityId(), returning the ID).
- Existing tests should be updated to reflect the new interface if needed.
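The following is an added, self-contained example (not code from the gateway project or the OpenZiti SDK) that shows why the name-based lookup fails and the ID-based lookup succeeds. fakeZitiConn is a constructed stand-in for edge.Conn, managedIdentities is constructed sample data standing in for the ziti_identity_id column, and ResolveIdentity/Authenticate are hypothetical stand-ins for ziti-management.ResolveIdentity() and the gateway's handshake path; the sample ID 7JcGDJQ39f is the one quoted above, the name agent-example is made up. It also covers the fallback case where no dialer ID was saved.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// fakeZitiConn is a constructed stand-in for the SDK's edge.Conn (not the real
// type): it carries the identity name and the opaque controller ID the listener
// attaches to an accepted connection. The embedded net.Conn is left nil because
// only the identity accessors are exercised here.
type fakeZitiConn struct {
	net.Conn
	name     string // what SourceIdentifier() returns (CallerId)
	dialerID string // what GetDialerIdentityId() returns; "" when not saved
}

func (c *fakeZitiConn) SourceIdentifier() string    { return c.name }
func (c *fakeZitiConn) GetDialerIdentityId() string { return c.dialerID }

type SourceIdentifiable interface{ SourceIdentifier() string }
type DialerIdentifiable interface{ GetDialerIdentityId() string }

// SourceIdentityFromConn is the fixed lookup: opaque ID first, name as fallback.
func SourceIdentityFromConn(conn net.Conn) (string, bool) {
	if d, ok := conn.(DialerIdentifiable); ok {
		if id := strings.TrimSpace(d.GetDialerIdentityId()); id != "" {
			return id, true
		}
	}
	return sourceIdentityByNameOnly(conn)
}

// sourceIdentityByNameOnly reproduces the pre-fix behaviour for comparison.
func sourceIdentityByNameOnly(conn net.Conn) (string, bool) {
	s, ok := conn.(SourceIdentifiable)
	if !ok {
		return "", false
	}
	name := strings.TrimSpace(s.SourceIdentifier())
	return name, name != ""
}

var ErrManagedIdentityNotFound = errors.New("managed identity not found")

// managedIdentities is constructed sample data standing in for the
// ziti_identity_id column: opaque controller ID -> managed identity record.
// The identity name never appears as a key, which is the root of the bug.
var managedIdentities = map[string]string{
	"7JcGDJQ39f": "managed-agent-1",
}

// ResolveIdentity mimics ziti-management.ResolveIdentity(): a lookup keyed on
// ZitiIdentityId (hypothetical signature assumed for this example).
func ResolveIdentity(zitiIdentityID string) (string, error) {
	rec, ok := managedIdentities[zitiIdentityID]
	if !ok {
		return "", fmt.Errorf("%w: ziti_identity_id=%q", ErrManagedIdentityNotFound, zitiIdentityID)
	}
	return rec, nil
}

// Authenticate runs the gateway's handshake path with a pluggable identity
// extractor so the old and new behaviour can be compared side by side.
func Authenticate(conn net.Conn, extract func(net.Conn) (string, bool)) (string, error) {
	id, ok := extract(conn)
	if !ok {
		return "", errors.New("connection carries no Ziti identity")
	}
	return ResolveIdentity(id)
}

func main() {
	conn := &fakeZitiConn{name: "agent-example", dialerID: "7JcGDJQ39f"}
	rec, err := Authenticate(conn, sourceIdentityByNameOnly)
	fmt.Printf("before (name): rec=%q err=%v\n", rec, err)
	rec, err = Authenticate(conn, SourceIdentityFromConn)
	fmt.Printf("after (id):    rec=%q err=%v\n", rec, err)

	// With DoNotSaveDialerIdentity = true the SDK leaves the ID empty; the fix
	// then falls back to the name, which still cannot match the column.
	noID := &fakeZitiConn{name: "agent-example"}
	_, err = Authenticate(noID, SourceIdentityFromConn)
	fmt.Println("no dialer id:  err =", err)
}
```

Running it prints a not-found error for the name-based path, the managed record for the ID-based path, and a not-found error again for the connection without a saved dialer ID, which is why the listener option in the first Key Detail matters as much as the code change.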
References