github octelium/octelium v0.27.0

8 hours ago

You can upgrade an already running Cluster via the command octops upgrade as shown here. You can read the full changelog here. NOTE: skip v0.25.0 and v0.26.0 due to errors in the Cluster image build workflows.

Features

  • Clientless authentication for workloads using OIDC-based assertions through OAuth2 client credentials authentication (i.e. RFC 7523). So far this federated workload identity was supported only in the client-based mode via octelium login --assertion. Now, with this clientless authentication mode, WORKLOAD Users can authenticate themselves using OIDC identity tokens issued by the identity provider hosting the workload (e.g. Azure, GitHub Actions, Kubernetes clusters, SPIFFE, etc.) and access the Cluster's HTTP-based resources. Here is an example in Go, but the same applies in any language:
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"os"

	"golang.org/x/oauth2/clientcredentials"
)

func main() {
	ctx := context.Background()

	domain := "example.com"

	// The OIDC identity token issued to this workload by its identity provider.
	// Read here from an environment variable; the variable name is illustrative.
	yourJWT := os.Getenv("WORKLOAD_ID_TOKEN")
	if yourJWT == "" {
		panic("WORKLOAD_ID_TOKEN is not set")
	}

	// 1. Configure the OAuth2 Client Credentials exchange (RFC 7523 jwt-bearer client assertion)
	config := clientcredentials.Config{
		TokenURL: fmt.Sprintf("https://%s/oauth2/token", domain),
		EndpointParams: map[string][]string{
			"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
			"client_assertion":      {yourJWT},
		},
	}

	// 2. Create an HTTP Client that fetches the access token and attaches it to every request
	httpClient := config.Client(ctx)

	// 3. Access the "demo-nginx" Service
	resp, err := httpClient.Get(fmt.Sprintf("https://demo-nginx.%s/", domain))
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	if resp.StatusCode != http.StatusOK {
		panic(fmt.Sprintf("unexpected status %d: %s", resp.StatusCode, body))
	}

	fmt.Printf("Response: %s\n", string(body))
}
  • Bootstrap config now supports using the passwords of primary and secondary storage stores (i.e. Postgres and Redis database passwords) by reference from Kubernetes secrets. Here is an example:
spec:
  primaryStorage:
    postgresql:
      username: octelium
      passwordFromSecret:
        name: octelium-pg
        namespace: default
        key: password
      host: octelium-pg-postgresql.default.svc
      database: octelium
      port: 5432
  secondaryStorage:
    redis:
      passwordFromSecret:
        name: octelium-redis
        namespace: default
        key: password
      host: octelium-redis-master.default.svc
      port: 6379
  • Exposing the per-request downstream IP address in ctx.request.ip. For now, this works only in the clientless mode for Clusters behind an external proxy (read more here).
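A stand-alone illustration of the RFC 7523 exchange behind the clientless workload authentication described in the first feature above, added here as an example and not code from the Octelium project: an in-process stand-in for the Cluster's /oauth2/token endpoint that trusts one constructed assertion, and a standard-library client that posts the assertion and reads back the access token. The endpoint path comes from the Go example above; the assertion and token values are constructed placeholders, and the fake endpoint performs no real JWT validation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const jwtBearerType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// newFakeTokenEndpoint is a constructed, in-process stand-in for the Cluster's /oauth2/token
// endpoint: it trusts exactly one assertion and answers anything else with invalid_client.
func newFakeTokenEndpoint(wantAssertion, accessToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// The three form fields an RFC 7523 client-credentials request must carry.
		if r.PostFormValue("grant_type") != "client_credentials" ||
			r.PostFormValue("client_assertion_type") != jwtBearerType ||
			r.PostFormValue("client_assertion") != wantAssertion {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"invalid_client"}`)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":3600}`, accessToken)
	}))
}

// exchangeAssertion is the client side with the standard library only: it POSTs the workload's
// OIDC identity token as a jwt-bearer client assertion and returns the issued access token.
func exchangeAssertion(tokenURL, assertion string) (string, error) {
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_assertion_type": {jwtBearerType},
		"client_assertion":      {assertion},
	}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tok struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("token exchange failed: status %d, error %q, decode %v", resp.StatusCode, tok.Error, err)
	}
	return tok.AccessToken, nil
}
```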

Improvements

  • Various improvements for the octelium CLI on Windows and macOS. Furthermore, octelium connect -d is now supported on macOS.
  • Devices are now automatically registered for clients used by HUMAN Users upon login.
  • arm64/aarch64 support for the Cluster components.
  • arm64/aarch64 support for the octelium, octeliumctl and octops container images.
  • .deb and .rpm packages for Linux, both for amd64 and arm64.
  • .pkg packages for macOS, both for amd64 and arm64.
  • .msi packages for Windows, both for amd64 and arm64.
