Support certificate authentication and Ziti identity JSON config format in provider

[qrkourier]

Feature Request

Please add support for authenticating to the Ziti management API using client certificate authentication (mTLS), in addition to the current username/password options.

Requirements

• Allow users to provide client certificate, key, and CA bundle values in the provider configuration, either as file paths, raw PEM strings, and ideally as a standard Ziti identity config JSON (raw string or b64 encoding)
• Support loading the standard Ziti identity JSON config file format (which includes client cert, key, and CA bundle) for authentication. This is the format generated by Ziti controllers and used by most Ziti SDKs and CLI tools.
• Ensure the provider's HTTP client is configured for mTLS using these values for management API calls.

Benefits

• Enables secure, passwordless, certificate-based authentication for Terraform automation.
• Aligns with standard Ziti practices and simplifies integration with existing identity JSON files.

References

• Example Ziti identity JSON: { "id": {"cert": "...", "key": "...", "ca": "..." }}

Labels: enhancement, authentication, cert

Thanks for considering this feature!

[qrkourier]

Here's a link to the line in another Go program that extracts the cert/key from a standard identity file, and verifies the mgmt API's server certificate with the identity's CAs, then instantiates a mgmt client with the Ziti Go SDK: https://github.com/netfoundry/ziti-k8s-agent/blob/add-helm-and-config-loader/ziti-agent/pkg/ziti-edge/client.go#L91

For NF Platform networks, It's important to require the Ziti internal API URL, not the "public" alternative API URL with a -p suffix, because that alternative server certificate will not be verifiable by the certificate authorities in the enrolled identity config.

[qrkourier]

Here's how the CLI handles this same scenario. It uses a bespoke file auth method.

https://github.com/openziti/ziti/blob/v1.7.1/ziti/cmd/edge/login.go#L204