Running OpenZiti with Odessa Branch

[Alex-M5]

Hello everyone,
I have been trying to run the OpenZiti integration with the Odessa branch of EdgeX compose and I have run into numerous issues.
Just wanted to check if I am missing something?

Execution
Updated the openziti-init-entrypoint.sh to use edgex-secret-store instead of vault:

oidc_server="edgex-secret-store:8200"
ext_signer_name="openbao.clients"
auth_policy_name="${ext_signer_name}.auth.policy"
iss="/v1/identity/oidc"
jwks="http://edgex-secret-store:8200/v1/identity/oidc/.well-known/keys"
aud="edgex"
claim="name"

I ran make openziti first, waited for the initialization to finish and then ran make openziti-logs to check for errors.
I then ran make run zero-trust.

Issues

• app-rules-engine: Kept restarting with this error in the logs:

level=ERROR ts=2025-07-10T11:55:58.385076612-04:00 app=app-rules-engine source=version.go:128 msg="Core Services version is malformed: version="
level=ERROR ts=2025-07-10T11:55:58.385295706-04:00 app=app-<profile> source=factory.go:43 msg="App Service initialization failed: bootstrapping failed"

Which I was able to work around by adding --skipVersionCheck in the command section for this service in docker-compose-zero-trust.yml.

• edgex-kuiper: Trying to reach vault still. Added vault alias to secret-store in the docker compose file.

• device-rest & device-virtual: I initially thought it was crashing due to this error:

level=ERROR ts=2025-07-10T12:04:36.101984901-04:00 app=device-rest source=clients.go:77 msg="could not obtain an http client for use with zero trust provider: could not authenticate to OpenZiti: Get \"https:///.well-known/est/cacerts\": http: no Host in request URL"

I was able to resolve the error by adding these security options to the configuration.yaml under Service section and rebuild but the container was still restarting.

  SecurityOptions:
    Mode: ""
    OpenZitiController: "openziti:1280"

I later found that the SERVICE_HOST env variable for the devices were being used by the device-sdk-go library internally in the container as the bind address for the HTTP server.
I changed it to ZITI_SERVICE_HOST and that seems to have solved the problem with them restarting.

• support-scheduler: I was receiving this error until I added a line to create the identity for the support scheduler in the openziti-init-entrypoint.sh script.

edgex-openziti | [ 87.492] ERROR ziti/controller/model.getAuthPolicyByExternalId: {authenticatorId=[] externalId=[support-scheduler] authMethod=[ext-jwt]} identity not found by externalId

Currently I haven't found any glaring issues in the zitilogs.log, but I might be missing something.
Any help would be appreciated!

[Alex-M5]

After discussing with a colleague, we were able to pinpoint an issue with how the device services are not using the openziti controller environment variable from the docker compose file. I opened an issue in the device-sdk-go repo.