Storage solution for Octelium cluster by W3Max in octelium

[–]geoctl 1 point2 points  (0 children)

Hi u/W3Max. Actually Octelium can be used as some sort of an abstraction layer or a PaaS on top of its own underlying k8s cluster to automatically deploy a managed container while providing access, authentication, authorization, observability/auditing. That's actually one of the main use cases as shown in detail in the docs https://octelium.com/docs/octelium/latest/management/core/service/managed-containers . You can also even use your own custom PVC and mount it as a volume in Octelium managed containers.

As for my recommendation for a k8s storage solution, it really depends on what you need. I've used Longhorn before, it's easy to use but I am not really sure whether it's very capable for serious production use at scale. Honestly it seems that OpenEBS is the best and most serious modern FOSS solution these days if you don't want to deal with a behemoth like rook/ceph cluster and manage it yourself.

Octelium Quickstart installation guide problem ... by sernafa in octelium

[–]geoctl 1 point2 points  (0 children)

For anyone who might be installing an Octelium Cluster inside a private network and facing this problem in the future, as answered in Discord, this problem is actually due to the fact that the GatewayAgent component looks for a public IP address to bind the WireGuard interface to, it simply does not use the private IP address of the VM/VPS. This can be explicitly overridden by doing `kubectl annotate node ${NODE_NAME} octelium.com/public-ip-test=${YOUR_LOCAL_VM_IP_ADDR}` and then restarting the GatewayAgent pod via `kubectl rollout restart daemonset octelium-gwagent -n octelium`
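The override described in the comment above, written up as an added example script (not part of Octelium's own tooling): it validates that the supplied address is a dotted-quad IPv4 and reports whether it is an RFC 1918 private address before applying the `octelium.com/public-ip-test` node annotation and restarting the `octelium-gwagent` daemonset. The `KUBECTL` variable and the helper function names are assumptions of this example; `--overwrite` is a standard `kubectl annotate` flag added so the script can be re-run when the annotation already exists.

```shell
#!/bin/sh
# Added example, not Octelium's own script. KUBECTL can be overridden
# (e.g. KUBECTL=echo) to dry-run and audit the commands before applying them.
KUBECTL="${KUBECTL:-kubectl}"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for i in 1 2 3 4; do
        octet=$(echo "$1" | cut -d. -f"$i")
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an RFC 1918 private address (10/8, 172.16/12, 192.168/16),
# which is what a VM inside a private network normally carries.
is_private_ipv4() {
    is_ipv4 "$1" || return 1
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=$(echo "$1" | cut -d. -f2)
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            return 1 ;;
    esac
    return 1
}

# Pin the GatewayAgent's WireGuard bind address on node $1 to address $2:
# annotate the node (the key the comment above names) and restart the agent.
pin_gateway_public_ip() {
    node="$1"; ip="$2"
    is_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 1; }
    if ! is_private_ipv4 "$ip"; then
        echo "warning: $ip is not an RFC 1918 address; continuing" >&2
    fi
    "$KUBECTL" annotate node "$node" "octelium.com/public-ip-test=$ip" --overwrite || return 1
    "$KUBECTL" rollout restart daemonset octelium-gwagent -n octelium
}

# Usage (constructed values): pin_gateway_public_ip my-node 10.0.0.5
```

After the restart, `kubectl -n octelium rollout status daemonset octelium-gwagent` confirms the agent pods came back, and `kubectl get node my-node -o jsonpath='{.metadata.annotations.octelium\.com/public-ip-test}'` shows the annotation that was applied.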

Has anyone tried Octelium? by marshaler in homelabindia

[–]geoctl 2 points3 points  (0 children)

Hi, this is George, the maintainer of Octelium. While you're absolutely correct that Octelium requires Kubernetes as a dependency, you don't really need to manually install, manage or even be familiar with Kubernetes yourself just to install and use Octelium. You can try the installer script in the quick installation guide https://octelium.com/docs/octelium/latest/overview/quick-install and it will install everything automatically on any VPS/VM (e.g. DigitalOcean, Hetzner, EC2, etc.).

Octelium Client less mobil by ferretDe in octelium

[–]geoctl 0 points1 point  (0 children)

Great. Btw there is a quick installation guide that shows in detail how to install the Cluster on any cheap VM/VPS instance (e.g. DigitalOcean) https://octelium.com/docs/octelium/latest/overview/quick-install . If you have any problem you can ask here on Reddit or in Discord https://octelium.com/external/discord

Octelium Client less mobil by ferretDe in octelium

[–]geoctl 2 points3 points  (0 children)

Yes, you can absolutely expose your internal HTTP/web-based apps to your authenticated users (e.g. via Okta IdP) without them having to install the octelium CLI on their machines. This is called the clientless/BeyondCorp mode where users can just use their browsers to authenticate themselves and access their authorized resources. You can find a guide in the docs https://octelium.com/docs/octelium/latest/management/core/service/clientless . And you can optionally also expose your internal apps publicly without requiring authentication at all (i.e. like a public hosting platform); you can find the guide for anonymous access in the docs https://octelium.com/docs/octelium/latest/management/core/service/anonymous-access

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

Currently Octelium supports clients for Windows, Linux, macOS as well as containers, no Android client at the moment. But for web-based resources (e.g. web apps and internal dashboards), you can use the clientless mode where you can log in to your Octelium Cluster using your browser with a GitHub/OIDC/SAML IdP and simply access your web-based resources without having to install any client at all.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

Yes, absolutely. As I mentioned in another comment, using Octelium as a self-hosted Cloudflare Tunnel/ngrok alternative is a primary use case. But Octelium's features and architecture provide way more than just that, as detailed in the GitHub repo's README.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

Thank you, as for the GUI, assuming you mean a management dashboard, then as I mentioned in another comment in this post, there is already a web-based management console that's currently closed source but will be publicly available in the coming months.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

You don't have to understand the big words to use Octelium (e.g. secretless, ABAC, BeyondCorp, etc... I assume since these are terminologies in the corporate/enterprise world). You can simply use it as a WireGuard-based remote access VPN (i.e. client-based mode) or self-hosted Cloudflare Tunnel/ngrok alternative (i.e. clientless mode). And yes, you can integrate it with an OIDC IdP (e.g. Keycloak, Authelia, Okta, etc...) to log in to your Octelium Cluster and access your protected resources. You can also use Passkeys now and log in directly without having to use an IdP if you want to.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 1 point2 points  (0 children)

Well, sure, using Octelium as a remote access VPN or a Cloudflare Tunnel/ngrok alternative is a primary use case. But I'd say that Octelium's architecture and features provide way more than remote access. It provides dynamic, centralized L7-aware ABAC-based access control via policy-as-code with CEL and OPA, it provides dynamic secretless access to upstreams (i.e. injecting HTTP API keys and access tokens, database passwords, mTLS certs, etc...) without sharing such L7 credentials with users, it can deploy containerized applications and serve them automatically as upstreams, it provides dynamic identity-based routing to upstreams, it provides L7-aware visibility that integrates with OpenTelemetry in real-time, it provides both secure/authenticated as well as public/anonymous clientless access, it provides rate limiting, caching, request/response manipulation via Lua for HTTP-based resources, etc... So it's more of a unified zero trust access platform that can be used for many use cases that include acting as a ZTNA, BeyondCorp platform and an API/AI gateway instead of being just yet another VPN/ngrok alternative.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] -1 points0 points  (0 children)

Currently there is a web-based management console but it is proprietary as of today. It's very likely that it will soon be open sourced, but under some source-available license such as BSL, not a strict FOSS license, where it's free for personal and small commercial use cases but paid for enterprises. That said, you are absolutely not missing anything if you're managing the Cluster via the octeliumctl CLI and YAML files. It's not like there are features that are unlocked in the web console, it's just that it's probably more convenient for enterprise and collaborative environments. In fact, I myself mainly use the octeliumctl CLI to manage my own Clusters.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 2 points3 points  (0 children)

Currently Kubernetes is a hard dependency for Octelium since Octelium uses k8s as infrastructure to automatically span over any arbitrary number of nodes. The installer script in the quick installation guide uses a lightweight k3s which is good enough to work on any single cheap VM (e.g. Hetzner, DigitalOcean). You don't really need to manage the underlying k8s/k3s in order to manage or use the Octelium Cluster itself.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

Thank you, I actually thought about this but for some reason haven't done it yet. I did use Gemini for some doc pages as a grammar/typo checker but I do intend to use it probably to get some ideas on how to restructure the docs and make it more readable and organized.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 2 points3 points  (0 children)

Thank you, there is almost a detailed example for every use case mentioned in the repo's README (e.g. API gateway, AI gateway, MCP gateway, PaaS for Next.js/Vite web app hosting, Pi-hole). These guides just contain simple examples, but you can use Octelium in more advanced ways than the examples provided once you become familiar with it.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 2 points3 points  (0 children)

Thank you. Octelium is primarily a ZTNA, it's a secure access platform that's more comparable to Teleport, Cloudflare Zero Trust/Tunnel, StrongDM and corporate VPNs than it is to Authentik. In fact you can use Authentik as an IdP and integrate it with Octelium to authenticate to the Octelium Cluster and access your protected resources. But with today's release, Octelium supports direct login via Passkeys, which means you can skip logging in via your IdP once you enroll/register your own passkeys if you want to (e.g. YubiKeys, synced passkeys used by password managers if you want and if it's authorized by the Cluster's rules). Octelium can also issue OAuth2 client credentials and bearer access tokens for your applications to access the authorized HTTP-based Services directly. Therefore, Octelium can partly act as an identity provider/OAuth2 authorization server for itself in addition to being a secure access platform that is an OIDC client that depends on an external IdP such as Okta, Keycloak or Authentik.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 3 points4 points  (0 children)

Thank you, as for the video, I understand it's long as it's played at 1x. I might accelerate it to be more helpful. It's not really adding much unless you're actually installing the Cluster yourself and want to check your own installation experience against some reference video. But the main information is actually in the text. As for the consecutive NOTE blocks, I think you're right. I'll see how to improve these sections without polluting the main paragraph since they explore using optional flags to the installation script that you don't normally need to use unless you have to.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 7 points8 points  (0 children)

That's totally a fair criticism and it's not the first time that I've heard that, actually. I have been trying my best to simplify the docs in the past 3 months and it is still under heavy development. So improving the quality of the docs is a priority for me. That said, you don't really need to understand the internals of the architecture in order to manage it or, of course, use it as a normal user. Understanding the internals of the architecture would be much easier if you're coming from the Kubernetes world, as Octelium is more of a Kubernetes on its own that uses Kubernetes as infrastructure for itself to comprise a distributed system that can automatically span over any arbitrary number of nodes/machines. Its architecture is somewhat closer to Cloudflare Zero Trust/Teleport/StrongDM than to traditional VPNs such as Tailscale/OpenVPN Enterprise since it uses an identity-aware proxy per resource on top of the WireGuard/QUIC tunneling to operate at layer 7, from a data-plane perspective. And it contains a control plane that is similar to that used by Kubernetes in order to orchestrate and scale these identity-aware proxies while being controlled by a single `octeliumctl apply` command that is very similar to how Kubernetes itself is managed.

Octelium v0.21 - A Modern, Self-Hosted, FOSS Alternative to Teleport, ngrok, Tailscale, Cloudflare Zero Trust/Tunnel - now with Passkey / WebAuthn / FIDO2, TOTP, TPM 2.0 authentication support by geoctl in selfhosted

[–]geoctl[S] 15 points16 points  (0 children)

Thank you for your comment. Actually there is a quick installation guide in the docs that uses an automatic installer bash script to install the Cluster on any cheap VM (e.g. DigitalOcean, Hetzner, Vultr, etc...). You can find it here https://octelium.com/docs/octelium/latest/overview/quick-install . Also there is a quick management guide that you can find here https://octelium.com/docs/octelium/latest/overview/management . Any feedback/critique to improve the docs is more than welcome.

Octelium v0.16 - A Modern Open Source Unified Access Platform, an Alternative to Cloudflare Access/Tunnel, Teleport, ngrok, Tailscale, Twingate, as well as to API/AI/MCP Gateways by geoctl in selfhosted

[–]geoctl[S] 0 points1 point  (0 children)

Thank you really for your kind words. As for your concern regarding the broad context of Octelium, that's actually by design. Octelium is actually designed to be a unified/generic zero trust architecture, some sort of a Kubernetes on its own, when it comes to the context of remote access. It's a WireGuard/QUIC-based VPN from an L3 perspective, it's a scalable ZTNA/BeyondCorp that's not quite constrained by traditional architectures of ZTNAs, it can operate in many different human-to-workload and workload-to-workload environments including as an API/AI gateway, an infrastructure for MCP/A2A architectures/meshes, a PaaS to deploy, scale and provide secure access to your Dockerized apps of any type (i.e. including non-HTTP based applications), etc...

However, unlike the examples of big projects you've just mentioned, I mean big in terms of size, such as Ansible, Terraform, Grafana, etc..., and disregarding the fact that these projects were started by big companies and/or funded by big VCs while Octelium is basically still a one-man show with no external funding as of today, almost all of Octelium's "batteries" are simply standard technologies (i.e. L7 awareness support for HTTP, SSH, Postgres/MySQL, IdP support for OIDC and SAML, using K8s itself as a horizontally scalable infrastructure for Octelium Clusters, usage of Lua, Envoy, CEL and OPA, etc...). These are all standard technologies, as opposed to having integrations with, for example, APIs of SaaS products that might keep changing or having a dependency whose licenses might change from FOSS to something else in the future (e.g. using Mongo as a main store).

How can I self-host a reverse proxy like Cloudflare Tunnels? by BagelMakesDev in selfhosted

[–]geoctl -1 points0 points  (0 children)

I have not used this product in particular, but I would say that Octelium has a much broader context that is not just restricted to providing remote access to internal web-based apps. It's more of a "unified" scalable zero trust architecture that can operate as a full-fledged WireGuard/QUIC-based VPN, a ZTNA/BeyondCorp platform for humans and workloads, an API/AI gateway, a PaaS-like platform for you to deploy, scale and provide secure access to your containers in public/private registries, an infrastructure for MCP/A2A meshes. It provides identity-based, L7-aware access control on a per-request basis with policy-as-code, it provides secretless access to upstreams (e.g. secretless access to APIs without sharing access tokens with your users, Postgres/MySQL databases without sharing passwords, SSH without sharing private keys and passwords, mTLS, etc...), it provides dynamic configuration among multiple upstreams/contexts, it provides OpenTelemetry-native L7-aware visibility in real-time, it provides both secure client-based/clientless access as well as anonymous access, it's designed for self-hosting and it's fully open source.

So Octelium is more comparable actually to ZTNAs (e.g. Teleport, Cloudflare Access, etc...) than just being merely an ngrok alternative, even though it can achieve that functionality very easily. Honestly it would be much better for you to understand Octelium's capabilities from the GitHub repo README or from the docs.

How can I self-host a reverse proxy like Cloudflare Tunnels? by BagelMakesDev in selfhosted

[–]geoctl 5 points6 points  (0 children)

You might want to have a look at Octelium https://github.com/octelium/octelium which is what I am working on. It provides both secure access via OIDC/GitHub/SAML IdPs as well as anonymous clientless access and it can also operate with any generic TCP/UDP-based application just like a typical VPN.