Cluster Configuration

Cluster configuration, or simply ClusterConfig, acts as the sole source of truth for all global configurations and settings of the Cluster. ClusterConfig is created automatically upon Cluster installation and can be updated declaratively via the octeliumctl apply command (read more here). You can read the entire Cluster configuration in the reference here.

You can get the ClusterConfig as follows:

octeliumctl get cc
# OR
octeliumctl get clusterconfig -o json

Session

Users can interact with a Cluster and access its Services as long as their Sessions are valid (read more about Session management here). A Session has a duration after which it expires and is automatically deleted by the Cluster. It's recommended to keep the Session's duration as short as possible without becoming too annoying, especially for HUMAN Users. The current fallback value for access token duration is 4 hours, but it might change in the future.

You can set your own Session duration configuration as follows:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  session:
    human:
      clientDuration:
        days: 1
      clientlessDuration:
        hours: 10
      maxPerUser: 32
      accessTokenDuration:
        hours: 4
      refreshTokenDuration:
        hours: 18
    workload:
      clientDuration:
        months: 6
      clientlessDuration:
        weeks: 1
      maxPerUser: 100
      accessTokenDuration:
        hours: 4
      refreshTokenDuration:
        weeks: 2

These Cluster-wide Session duration values can be overridden on a per-User basis. You can read more here.

Device

Octelium enables you to control Device-related configurations (read more about Devices here). For example, you can explicitly define the default state of a newly registered Device. By default, a Device's default state is set to ACTIVE; however, you can override that choice to PENDING or REJECTED. You can also set a per-User limit as follows:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  device:
    human:
      maxPerUser: 32
      defaultState: PENDING
    workload:
      maxPerUser: 100
      defaultState: ACTIVE

Gateway

Octelium enables you to control the rotation duration of the Gateways' WireGuard keys as follows:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  gateway:
    wireguardKeyRotationDuration:
      hours: 6

Ingress

You can set the useForwardedForHeader field to have the Cluster use the X-Forwarded-For header to obtain the downstream's public IP address. The downstream's IP address is mainly stored in the Session and can be used in your Policies to control access to Services.

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  ingress:
    useForwardedForHeader: true
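
Because the address taken from X-Forwarded-For ends up in the Session and in Policy decisions, the header is only meaningful when a proxy you operate sets it. The following added example (not Octelium's code; this page does not describe how the Cluster parses the header) shows a generic right-to-left resolution that ignores client-supplied entries. The function names, the trusted-proxy network and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the proxies/load balancers you operate in front of
# the ingress. Constructed sample value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address to record as the downstream's public IP.

    peer_ip is the TCP source address; xff_header is the raw header or None.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Untrusted peer: the header is whatever the client chose to send.
    if not xff_header or not is_trusted(peer, trusted):
        return str(peer)
    # Each proxy appends the address it received the request from, so only
    # the rightmost entries were written by infrastructure we operate.
    # Walk right to left and stop at the first hop that is not ours.
    candidate = peer
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: nothing further left is usable
        candidate = hop
        if not is_trusted(hop, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For value)
    samples = [
        ("203.0.113.7", "198.51.100.1"),            # direct client, forged header
        ("10.0.0.5", "203.0.113.7"),                # one trusted proxy
        ("10.0.0.5", "198.51.100.1, 203.0.113.7"),  # client-supplied entry on the left
        ("10.0.0.5", "203.0.113.7, 10.0.0.9"),      # two trusted hops
        ("10.0.0.5", "not-an-ip"),                  # malformed header
    ]
    for peer, xff in samples:
        print(f"{peer:<12} {xff!r:<32} -> {resolve_client_ip(peer, xff)}")
```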

DNS

The Cluster automatically serves private DNS, deployed as a typical Service that can be accessed by all, to resolve the domain names of the Cluster's Services to their IP addresses. Moreover, that private DNS Service can also resolve domain names outside the Cluster domain by proxying the requests to a server that is chosen randomly from a list of fallback DNS servers. Both UDP and DNS-over-TLS servers are supported. Here is an example:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  dns:
    fallbackZone:
      servers:
        - dns://8.8.8.8
        - udp://1.1.1.1
        - tls://8.8.8.8
        - tls://1.1.1.1
        - dns://custom-dns-server:8053

The private DNS Service can also cache the results of the fallback servers. Here is an example:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  dns:
    fallbackZone:
      servers:
        - tls://8.8.8.8
        - tls://1.1.1.1
      cacheDuration:
        seconds: 30

Authorization

You can define global Policies (read more here) that are always triggered across all the Cluster's requests as follows:

kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  authorization:
    policies: ["pol-1", "pol-2"]
    inlinePolicies:
      - spec:
          rules:
            - effect: DENY
              condition:
                match: '"junior" in ctx.user.spec.groups && ctx.namespace.metadata.name == "production"'