Edge standalone / container

In one sentence

Run the edge directly with systemd, or as a container / Kubernetes sidecar — the setup where it's easiest to make the edge the connection-terminating hop.

Running the edge close to where browser traffic lands keeps the connection-level timing signal strongest, because there are fewer hops between the browser and the edge.

systemd

Keep secrets in an environment file (mode 600), not in the unit:

/etc/octet/edge.env

    PORT=8080
    OCTET_URL=https://<your-octet-api-url>
    LICENSE=<your-license-key>
    # Mutual TLS is planned hardening — optional and inert until Octet provisions certs:
    # OCTET_CA_FILE=/etc/octet/octet-ca.pem
    # EDGE_CLIENT_CERT_FILE=/etc/octet/edge.crt
    # EDGE_CLIENT_KEY_FILE=/etc/octet/edge.key

/etc/systemd/system/octet-edge.service

    [Unit]
    Description=Octet edge (harvester + connector)
    After=network.target

    [Service]
    ExecStart=/usr/local/bin/octet-edge-linux-amd64
    EnvironmentFile=/etc/octet/edge.env
    Restart=on-failure
    User=octet
    DynamicUser=no

    [Install]
    WantedBy=multi-user.target

Enable the service and check its health endpoint:

    sudo systemctl enable --now octet-edge
    curl -s localhost:8080/health # {"ok":true,...}
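
One way to check the secret-handling advice above before enabling the service, as an added example that is not part of Octet's documentation or tooling. The function name `audit_edge_secrets` is hypothetical, and its default paths are the ones used on this page.

```bash
# Added example, not Octet tooling. audit_edge_secrets is a hypothetical helper;
# its default paths are the ones used on this page.
# Prints one finding per line and returns 0 only when there are none.
audit_edge_secrets() {
    local env_file="${1:-/etc/octet/edge.env}"
    local unit_file="${2:-/etc/systemd/system/octet-edge.service}"
    local findings=0 mode

    if [ ! -f "$env_file" ]; then
        echo "missing: $env_file"; findings=$((findings + 1))
    else
        # GNU stat first, BSD stat as a fallback.
        mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
        if [ "$mode" != "600" ]; then
            echo "mode: $env_file is $mode, expected 600"
            findings=$((findings + 1))
        fi
        # Flags a missing, empty or still-placeholder (<...>) LICENSE value.
        if ! grep -Eq '^LICENSE=[^<[:space:]]' "$env_file"; then
            echo "license: LICENSE in $env_file is unset or a placeholder"
            findings=$((findings + 1))
        fi
    fi

    if [ ! -f "$unit_file" ]; then
        echo "missing: $unit_file"; findings=$((findings + 1))
    else
        # Unit files are normally world-readable, so no secret may sit inline.
        if grep -Eq '^[[:space:]]*Environment=.*LICENSE=' "$unit_file"; then
            echo "unit: $unit_file sets LICENSE inline via Environment="
            findings=$((findings + 1))
        fi
        # Exact-line match: the unit must load the audited env file.
        if ! grep -Fxq "EnvironmentFile=$env_file" "$unit_file"; then
            echo "unit: $unit_file does not load $env_file"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_edge_secrets` with no arguments to check the paths used on this page, or pass an env file and a unit file to check other locations.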

Docker

The binary is static, so a minimal base image is enough:

    FROM gcr.io/distroless/static-debian12
    COPY octet-edge-linux-amd64 /octet-edge
    ENTRYPOINT ["/octet-edge"]

Run the image:

    docker run -d --name octet-edge -p 8080:8080 \
      -e OCTET_URL=https://<your-octet-api-url> \
      -e LICENSE=<your-license-key> \
      octet-edge:latest
    # Mutual TLS is planned hardening. When Octet provisions certs, add:
    # -e OCTET_CA_FILE=/etc/octet/octet-ca.pem \
    # -e EDGE_CLIENT_CERT_FILE=/etc/octet/edge.crt \
    # -e EDGE_CLIENT_KEY_FILE=/etc/octet/edge.key \
    # -v /etc/octet:/etc/octet:ro

Kubernetes sidecar

Run the edge as a sidecar container in the pod that fronts browser traffic, mounting the credentials from a Secret:

    containers:
      - name: octet-edge
        image: your-registry/octet-edge:latest
        ports:
          - containerPort: 8080
        env:
          - name: OCTET_URL
            value: https://<your-octet-api-url>
        envFrom:
          - secretRef:
              name: octet-edge-secrets # LICENSE (and the planned mutual-TLS cert paths, when enabled)
        # Mount the mutual-TLS certs only once Octet provisions them (planned hardening):
        volumeMounts:
          - name: octet-certs
            mountPath: /etc/octet
            readOnly: true

Route the Octet path prefix (or a dedicated hostname) to the sidecar's port 8080, and make sure the client's source IP reaches it.

Where to go next