Octelium Clusters need public DNS for 2 main purposes:
- Setting the public DNS for the Cluster domain upon the Cluster installation, so that the Cluster can receive requests from Users publicly over the internet, since the API Server and the web Auth Server are addressed by the Cluster domain. That means you must set your public DNS by the end of the Cluster installation in order to actually start using the Cluster.
- Setting the public DNS for publicly exposed (i.e. BeyondCorp mode) Services.
Cluster Domain
You can get the Cluster domain public IP address by the end of the Cluster installation. That IP address belongs to a LoadBalancer Kubernetes Service used by a component called Ingress, which is automatically installed during the Cluster installation. Managed Kubernetes deployments (e.g. AWS EKS, Linode LKE, etc.) automatically initialize a managed load balancer with a public IP address within seconds after the creation of LoadBalancer Services.
During the installation via the octops init command, you can obtain that IP address with the kubectl get svc -n octelium octelium-ingress-dataplane command as follows:

```bash
# We obtain the public IP address used by the ingress service `octelium-ingress-dataplane`
# in the `octelium` namespace
kubectl get svc -n octelium octelium-ingress-dataplane
# The IP address is located in the `EXTERNAL-IP` field
NAME                         TYPE           CLUSTER-IP   EXTERNAL-IP         PORT(S)         AGE
octelium-ingress-dataplane   LoadBalancer   1.2.3.4      <IP_ADDRESS_HERE>   443:32180/TCP   8h
```
Once you obtain that IP address value, use it in your DNS provider (e.g. Cloudflare, GoDaddy, Namecheap, etc.) to create a public DNS entry, typically an A record, so that the Cluster domain resolves to that IP address.
Publicly Exposed/BeyondCorp Services
BeyondCorp mode Services are exposed publicly to Users via the internet-facing Ingress. For each publicly exposed Service domain (i.e. <SERVICE>.<NAMESPACE>.<DOMAIN>, or simply <SERVICE>.<DOMAIN> for Services in the default Namespace), you can add a CNAME entry that points to the Cluster domain.
QUIC Mode
Octelium uses WireGuard by default for tunneling the traffic between the Cluster and clients. This is the default and strongly recommended way. Octelium additionally supports a very experimental QUIC-based tunneling mode. Unlike WireGuard, where clients address the Cluster's Gateways directly by their IP addresses, QUIC uses TLS via the Cluster domain TLS certificate. Therefore, the octelium client addresses a Gateway's QUIC server by the public hostname of that Gateway, which is assigned automatically by the Cluster. In other words, you need to create a public A or AAAA DNS record for every Gateway so that it can be addressed publicly by the octelium clients. You can find the hostname used by a specific Gateway in the status.hostname field, and the public IP addresses of that Gateway in the status.publicIPs[] array, as follows:
```bash
octeliumctl get gw <GATEWAY_NAME> -o yaml
```

The hostname then appears in the output of the above command as follows:

```yaml
apiVersion: core/v1
kind: Gateway
# ....
status:
  hostname: _gw-wa5us38r.example.com
  # ....
  publicIPs:
    - 1.2.3.4
```
You can also list such information about all Gateways as follows:
```bash
octeliumctl get gw -o yaml
```
Once you obtain the hostname and public IP addresses of a certain Gateway, use them to create A or AAAA DNS records in your public DNS provider.
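As an added example (not Octelium's own tooling), the following Python turns the `octeliumctl get gw -o yaml` output described above into the A/AAAA record set each Gateway needs and diffs it against what a resolver actually returns, so a missing AAAA record or a stale record still pointing a Gateway hostname at an old IP is caught. The sample YAML, the second Gateway's hostname and the resolver answers are constructed, and it assumes multiple Gateways are printed as `---`-separated YAML documents.

```python
import ipaddress
# Constructed sample of `octeliumctl get gw -o yaml` output for two Gateways.
# Assumption: multiple Gateways are printed as `---`-separated YAML documents.
SAMPLE_GATEWAYS_YAML = """\
apiVersion: core/v1
kind: Gateway
status:
  hostname: _gw-wa5us38r.example.com
  publicIPs:
    - 1.2.3.4
    - 2001:db8::10
---
apiVersion: core/v1
kind: Gateway
status:
  hostname: _gw-k2m9xq7p.example.com
  publicIPs:
    - 5.6.7.8
"""

def parse_gateways(text):
    """Extract status.hostname and status.publicIPs[] per Gateway without PyYAML."""
    result, hostname, ips, in_ips = {}, None, [], False
    for line in text.splitlines() + ["---"]:  # sentinel flushes the last document
        s = line.strip()
        if s == "---":
            if hostname:
                result[hostname] = ips
            hostname, ips, in_ips = None, [], False
        elif s.startswith("hostname:"):
            hostname = s.split(":", 1)[1].strip()
        elif s.startswith("publicIPs:"):
            in_ips = True
        elif in_ips and s.startswith("- "):
            ips.append(s[2:].strip())
        else:
            in_ips = False  # any other key ends the publicIPs list
    return result

def dns_records(gateways):
    """One (name, type, value) record per public IP: A for IPv4, AAAA for IPv6."""
    return [(host, "AAAA" if ipaddress.ip_address(ip).version == 6 else "A", ip)
            for host, ips in gateways.items() for ip in ips]

def find_drift(expected, resolved):
    """Diff expected records against a resolver's {hostname: [ip, ...]} answer."""
    want = {(h, ip) for h, _, ip in expected}
    have = {(h, ip) for h, ips in resolved.items() for ip in ips}
    return sorted(want - have), sorted(have - want)  # (missing, stale)
```

In practice `resolved` would be built from `socket.getaddrinfo` or a DNS library against your public resolver; the diff tells you which records still have to be created and which point at an IP the Gateway no longer has.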