Publish services with kziti
Create a service
kziti service create net-corp-a gitlab gitlab.corp-a.internal 443 \
--alias gitlab.corp-a.zt
Arguments, in order:
- Network ID — the network this service belongs to (net-corp-a). The short form without the prefix (corp-a) also works.
- Service name — the short name (gitlab).
- Destination — the real DNS name or IP the private router will reach (gitlab.corp-a.internal).
- Ports — single port (443), comma-separated list (80,443), or range (8000-8100).
--alias is required and sets the intercept address — the hostname clients dial inside the Ziti tunnel. It must differ from the destination and does not need a real DNS entry; the Ziti tunnel resolves it locally.
Service sets
A service set groups related services. Grant access to the set once; add or remove services without touching user grants. Service sets are global — they can span multiple networks.
Create a service set
The set must exist before you can assign services to it:
kziti service-set create devops "DevOps Services"
The role attribute svcset-devops is created and registered. Pass --service-set when creating services. The flag is repeatable — a service can belong to multiple sets:
kziti service create net-corp-a gitlab gitlab.corp-a.internal 443 \
--alias gitlab.corp-a.zt --service-set devops
kziti service create net-corp-a jira jira.corp-a.internal 443 \
--alias jira.corp-a.zt --service-set devops
kziti service create net-corp-b wiki wiki.corp-b.internal 443 \
--alias wiki.corp-b.zt --service-set devops --service-set infra
The three services share the svcset-devops role attribute. A single access grant against svcset-devops gives an identity Dial access to all three, regardless of which network hosts them.
List service sets
kziti service-set list
Show a service set and its members
kziti service-set show devops
Lists the set's metadata and every service currently in the set, with network and destination details. The ID column shows the svc-<short_id> reference you pass to add and remove.
Add an existing service to a set
kziti service-set add devops svc-corp-a-gitlab
The argument is either the svc-<short_id> shown by service-set show and service list, or the full service UUID. The short ID is svc-<network>-<service-name> — for a service named gitlab in network corp-a it is svc-corp-a-gitlab.
Both the service's role attributes and its dial policy are updated atomically. A service can belong to any number of sets.
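The argument rules under "Create a service" (the three port forms, an alias that differs from the destination) and the short ID format described above can be checked locally before a create command is run. The pre-flight function below is an added example, not part of kziti: kziti_precheck and its helpers are hypothetical names, and it assumes that lists and ranges are not mixed in one port spec and that alias and destination are compared case-insensitively.

```shell
#!/bin/sh
# Added example: kziti_precheck is a hypothetical helper, not a kziti command.
# It validates `service create` arguments and prints the resulting short ID.

valid_port() {                      # one decimal port in 1-65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ports() {                     # documented forms: 443 | 80,443 | 8000-8100
  spec=$1
  case "$spec" in ''|*[!0-9,-]*) return 1 ;; esac
  case "$spec" in
    *,*-*|*-*,*) return 1 ;;        # assumption: lists and ranges are not mixed
    *-*)
      lo=${spec%%-*}; hi=${spec#*-}
      valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] ;;
    *)
      case "$spec" in ,*|*,|*,,*) return 1 ;; esac
      old_ifs=$IFS; IFS=,
      for p in $spec; do
        valid_port "$p" || { IFS=$old_ifs; return 1; }
      done
      IFS=$old_ifs ;;
  esac
}

kziti_precheck() {                  # args: NETWORK NAME DESTINATION PORTS ALIAS
  [ $# -eq 5 ] || { echo "usage: kziti_precheck NET NAME DEST PORTS ALIAS" >&2; return 2; }
  net=${1#net-}; name=$2; dest=$3; ports=$4; alias_host=$5
  for v in "$net" "$name" "$dest" "$alias_host"; do
    [ -n "$v" ] || { echo "empty argument" >&2; return 1; }
  done
  valid_ports "$ports" || { echo "bad port spec: $ports" >&2; return 1; }
  # The intercept address must differ from the destination. Comparing
  # case-insensitively is an assumption (DNS names are case-insensitive).
  a=$(printf '%s' "$alias_host" | tr 'A-Z' 'a-z')
  d=$(printf '%s' "$dest" | tr 'A-Z' 'a-z')
  [ "$a" != "$d" ] || { echo "alias must differ from destination" >&2; return 1; }
  # Short ID format from the page: svc-<network>-<service-name>
  echo "svc-${net}-${name}"
}

# Gate the real command on the check, e.g.:
# kziti_precheck net-corp-a gitlab gitlab.corp-a.internal 443 gitlab.corp-a.zt \
#   && kziti service create net-corp-a gitlab gitlab.corp-a.internal 443 \
#        --alias gitlab.corp-a.zt
```

On success the function prints the short ID that service-set add and service-set remove expect, so the same value can be reused when assigning the new service to a set.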
Remove a service from a set
kziti service-set remove devops svc-corp-a-gitlab
Strips svcset-devops from the service's role attributes and from its dial policy. Membership in other sets, the network role, and any individually granted access are not affected.
Delete a service set
kziti service-set delete devops
Deletion is blocked if any services still carry the set's role attribute. Remove them from the set first, or delete the services. Deleting the set does not affect the services themselves.
List services
# All services across all networks
kziti service list
# Just the services in one network
kziti service list --network corp-a
Search services
kziti service search 'name contains "gitlab"'
kziti service search 'name = "corp-a-web"'
Returns the same columns as service list (ID, name, network, destination, available-at). Use filter expressions supported by the OpenZiti filter syntax — contains, =, startswith, and boolean operators.
Show service details
kziti service show <service-id>
The output includes the intercept config, host config, and any service-set membership.
Rename a service
kziti service update <service-id> --name new-name
update only supports renaming. To change the destination, ports, or alias, delete and recreate the service. To change service-set membership, use service-set add and service-set remove.
Delete a service
kziti service delete <service-id>
Deletion removes the service and its intercept and host configs. Identities that had access via the service ID lose it; identities scoped via the network or service set retain access to the remaining services.