Octelium enables you to seamlessly easily deploy, scale and secure access as well as public anonymous access to your Next.js/Vite.js/Astro web containerized/dockerized applications, effectively making Octelium operate as a PaaS-like deployment platform. Octelium simply provides the following:
- A scalable infrastructure to provide clientless deployment and access to all your containerized/dockerized applications that can be hosted by public container registries or even private registries that require authentication (read more about managed containers here).
- Secure clientless BeyondCorp access for human Users via Octelium's OpenID Connect and SAML 2.0 IdentityProviders (read more here) as well as for your workload Users via OAuth2 client credentials (read more here) and bearer access tokens (read more here).
- Anonymous public access to your websites, APIs and webhooks (read more here).
- Dynamic identity-based, context-aware, L7 aware, on a per-request basis, centralized access control via policy-as-code with CEL and OPA (read more about Policies and access control here).
- Dynamic L7-aware routing to upstreams and advanced request/response header and body manipulation.
- OpenTelemetry-native, identity-based, L7 aware visibility and auditing (read more here).
- Zero-config private client-based access from anywhere by humans as well as workloads via the
octeliumclients and containers (read more about connecting to Clusters here). - GitOps-friendly declarative, programmable management (read more here).
In this guide, we're going to assume that your web app is built as a Docker image that is served by a private container registry (e.g. ghcr.io). We first need to obtain the user and password/token needed to authenticate to the private container registry. For example, the GitHub container registry (i.e. ghcr.io), you can read more here.
Now we store the obtained token as a Secret as follows:
octeliumctl create secret reg-password
Now we create the Service for our web application as follows:
1kind: Service2metadata:3name: dashboard4spec:5mode: WEB6isPublic: true7config:8upstream:9container:10port: 300011image: ghcr.io/<ORG>/<IMAGE>:<TAG>12command:13- npm14args:15- run16- start17replicas: 318credentials:19usernamePassword:20username: <USERNAME>21password:22fromSecret: reg-password23resourceLimit:24cpu:25millicores: 200026memory:27megabytes: 400028env:29- name: KEY130value: VALUE131- name: KEY232value: VALUE233securityContext:34runAsUser: 1000
You can now apply the Service as follows (read more here):
octeliumctl apply /PATH/TO/SERVICE.YAML
Now you can access the Service publicly via the client-less/BeyondCorp using your browser at the address https://dashboard.<DOMAIN>. You can read more about publicly exposed BeyondCorp Services here.
And to provide public anonymous access, you only need to enable the isAnonymous field as follows:
1kind: Service2metadata:3name: dashboard4spec:5mode: WEB6isPublic: true7isAnonymous: true8config:9# The rest of your config
You can also dynamically route to multiple containers (e.g. multiple container image versions) based on identity or/and context (read more about dynamic configuration here). Here is an example:
1kind: Service2metadata:3name: my-web-app4spec:5mode: WEB6dynamicConfig:7configs:8- name: c19upstream:10container:11port: 8012image: ghcr.io/org/image:v113- name: c214upstream:15container:16port: 8017image: ghcr.io/org/image:v218rules:19- condition:20match: ctx.request.http.path.startsWith("/v1")21configName: c122- condition:23match: ctx.request.http.path.startsWith("/v2")24configName: c2
When it comes to access control, Octelium provides a rich layer-7 aware, identity-based, context-aware ABAC access control on a per-request basis where you can control access based on the HTTP request's path, method, and even serialized JSON body content using policy-as-code with CEL and Open Policy Agent (OPA) (You can read more in detail about Policies and access control here). Here is a generic example:
1kind: Service2metadata:3name: my-nginx4spec:5mode: HTTP6config:7upstream:8container:9image: nginx10port: 8011replicas: 312authorization:13inlinePolicies:14- spec:15rules:16- effect: ALLOW17condition:18all:19of:20- match: ctx.user.spec.groups.hasAll("dev", "ops")21- match: ctx.request.http.method in ["POST", "PUT"]22- match: ctx.request.http.path.startsWith("/users")23- match: ctx.request.http.headers["x-custom-header"] == "this-value"24# bodyMap contains the serialized JSON body content25- match: ctx.request.http.bodyMap.age > 18 && ctx.request.http.bodyMap.email.endsWith("@example.com")
Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for HTTP here). You can read more about visibility here.
This was a very short guide to show you how to use Octelium to deploy, scale, route and provide secure access as well as anonymous public access to any webapp containers. Here are a few more related features that you might be interested in:
- Routing not just by request paths, but also by header keys and values, request body content including JSON (read more here).
- Request/response header manipulation (read more here).
- Cross-Origin Resource Sharing (CORS) (read more here).
- gRPC mode (read more here).
- Secretless access to upstreams and injecting bearer, basic, or custom authentication header credentials (read more here).
- Application layer-aware ABAC access control via policy-as-code using CEL and Open Policy Agent (read more here).
- OpenTelemetry-ready, application-layer L7 aware auditing and visibility (read more here).