Become an inlets uplink provider

inlets uplink makes it easy for Service Providers and SaaS companies to deliver their product and services to customer networks.

To become a provider, you'll need a Kubernetes cluster, an inlets uplink subscription and to install the inlets-uplink-provider Helm chart.

Before you start

Before you start, you'll need the following:

  • A Kubernetes cluster with LoadBalancer capabilities (i.e. public cloud).
  • A domain name clients can use to connect to the tunnel control plane.
  • An inlets uplink license (an inlets-pro license cannot be used)
  • Optional: arkade - a tool for installing popular Kubernetes tools

    To install arkade run:

    curl -sSLf | sudo sh

Inlets uplink has its own independent subscription from inlets-pro.

Sign-up here: inlets uplink plans.

Create a Kubernetes cluster

We recommend creating a Kubernetes cluster with a minimum of three nodes. Each node should have a minimum of 2GB of RAM and 2 CPU cores.

Install cert-manager

Install cert-manager, which is used to manage TLS certificates for inlets-uplink.

You can use Helm, or arkade:

arkade install cert-manager

Make sure to create the target namespace for your installation first.

kubectl create namespace inlets

Create the required secret with your inlets-uplink license.


There is a known issue with LemonSqueezy where the UI copies the license key in lower-case. It needs to be converted to upper-case before being used with inlets uplink.

Convert the license to upper-case, if it's in lower-case:

  mv $HOME/.inlets/LICENSE_UPLINK{,.lower}

  cat $HOME/.inlets/LICENSE_UPLINK.lower | tr '[:lower:]' '[:upper:]' > $HOME/.inlets/LICENSE_UPLINK
  rm $HOME/.inlets/LICENSE_UPLINK.lower

Create the secret for the license:

kubectl create secret generic \
  -n inlets inlets-uplink-license \
  --from-file license=$HOME/.inlets/LICENSE_UPLINK

Set up ingress for customer tunnels

Tunnels on your customers' network will connect to your own inlets-uplink-provider.

There are two options for deploying the inlets-uplink-provider.

Use Option A if you're not sure. If your team already uses Istio or prefers Istio, use Option B.

A) Install with Kubernetes Ingress

We recommend ingress-nginx, and have finely tuned the configuration to work well for the underlying websocket for inlets. That said, you can change the IngressController if you wish.

Install ingress-nginx using arkade or Helm:

arkade install ingress-nginx

Create a values.yaml file for the inlets-uplink-provider chart:

clientRouter:
  # Customer tunnels will connect with a URI of:
  # wss://
  domain: ""

  tls:
    issuer:
      # Email address used for ACME registration
      email: ""

    ingress:
      enabled: true
      class: "nginx"

Make sure to replace the domain and email with your actual domain name and email address.

B) Install with Istio

We have added support in the inlets-uplink chart for Istio to make it as simple as possible to configure with a HTTP01 challenge.

If you don't have Istio setup already you can deploy it with arkade.

arkade install istio

Label the inlets namespace so that Istio can inject its sidecars:

kubectl label namespace inlets \
  istio-injection=enabled --overwrite

Create a values.yaml file for the inlets-uplink chart:

clientRouter:
  # Customer tunnels will connect with a URI of:
  # wss://
  domain: ""

  tls:
    issuer:
      # Email address used for ACME registration
      email: ""

    istio:
      enabled: true

Make sure to replace the domain and email with your actual domain name and email address.

Deploy with Helm

The Helm chart is called inlets-uplink-provider. You can deploy it using the custom values.yaml file created above:

helm upgrade --install inlets-uplink \
  oci:// \
  --namespace inlets \
  --values ./values.yaml

If you want to pin the version of the Helm chart, you can do so with the --version flag.

You can browse all versions of the Helm chart on GitHub

Verify the installation

Once you've installed inlets-uplink, you can verify it is deployed correctly by checking the inlets namespace for running pods:

$ kubectl get pods --namespace inlets

NAME                               READY   STATUS    RESTARTS   AGE
client-router-b5857cf6f-7vrdh      1/1     Running   0          92s
prometheus-74d8d7db9b-2hptm        1/1     Running   0          16s
uplink-operator-7fccc9bdbc-twd2q   1/1     Running   0          92s

You should see the client-router and uplink-operator in a Running state.
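
The pod check above can be scripted as a post-deploy gate. This is an added example, not part of the inlets documentation: the function name check_uplink_pods is hypothetical, the required component names are taken from the sample output above, and both pod listings are constructed.

```sh
#!/bin/sh
# Added example: gate on the health of the uplink control-plane pods.
# check_uplink_pods (hypothetical name) reads `kubectl get pods` output on
# stdin, prints one line per problem and returns non-zero if any is found.
check_uplink_pods() {
  awk -v required="client-router uplink-operator" '
    BEGIN { n = split(required, req, " ") }
    $1 == "NAME" || NF < 3 { next }          # skip header and blank lines
    {
      split($2, ready, "/")                  # READY column, e.g. 1/1
      healthy = ($3 == "Running" && ready[1] == ready[2] && ready[2] > 0)
      for (i = 1; i <= n; i++) {
        if (index($1, req[i] "-") != 1) continue
        seen[req[i]] = 1
        if (!healthy) { printf "unhealthy: %s (%s, %s)\n", $1, $2, $3; bad = 1 }
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) { printf "missing: %s\n", req[i]; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample: every component is running and ready.
HEALTHY='NAME                               READY   STATUS    RESTARTS   AGE
client-router-b5857cf6f-7vrdh      1/1     Running   0          92s
prometheus-74d8d7db9b-2hptm        1/1     Running   0          16s
uplink-operator-7fccc9bdbc-twd2q   1/1     Running   0          92s'

# Constructed sample: client-router is crash-looping, the operator is absent.
BROKEN='NAME                               READY   STATUS             RESTARTS   AGE
client-router-b5857cf6f-7vrdh      0/1     CrashLoopBackOff   4          3m
prometheus-74d8d7db9b-2hptm        1/1     Running            0          3m'

# Live use: kubectl get pods --namespace inlets | check_uplink_pods
printf '%s\n' "$HEALTHY" | check_uplink_pods && echo "uplink components ready"
printf '%s\n' "$BROKEN" | check_uplink_pods || echo "uplink components NOT ready"
```
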

If you installed inlets-uplink with Kubernetes ingress, you can verify that ingress for the client-router is set up and that a TLS certificate is issued for your domain using these two commands:

$ kubectl get -n inlets ingress/client-router

NAME            CLASS    HOSTS                ADDRESS           PORTS     AGE
client-router   <none>   80, 443   31m

$ kubectl get -n inlets cert/client-router-cert

NAME                 READY   SECRET               AGE
client-router-cert   True    client-router-cert   30m

Download the tunnel CLI

We provide a CLI to help you create and manage tunnels. It is available as a plugin for the inlets-pro CLI.

Download the inlets-pro binary:

Get the tunnel plugin:

inlets-pro plugin get tunnel

Run inlets-pro tunnel --help to see all available commands.

Set up the first customer tunnel

Continue the setup here: Create a customer tunnel

Configuration reference

Overview of inlets-uplink parameters in values.yaml.

| Parameter | Description | Default |
|---|---|---|
| pullPolicy | The imagePullPolicy applied to inlets-uplink components. | Always |
| operator.image | Container image used for the uplink operator. | |
| clientRouter.image | Container image used for the client router. | |
| clientRouter.domain | Domain name for inlets uplink. Customer tunnels will connect with a URI of: wss:// | "" |
| clientRouter.tls.issuerName | Name of cert-manager Issuer for the clientRouter domain. | letsencrypt-prod |
| clientRouter.tls.issuer.enabled | Create a cert-manager Issuer for the clientRouter domain. | true |
| clientRouter.tls.issuer.email | Let's Encrypt email. Only used for certificate renewing notifications. | "" |
| clientRouter.tls.ingress.enabled | Enable ingress for the client router. | enabled |
| clientRouter.tls.ingress.class | Ingress class for client router ingress. | nginx |
| clientRouter.tls.ingress.annotations | Annotations to be added to the client router ingress resource. | {} |
| clientRouter.tls.istio.enabled | Use an Istio Gateway for incoming traffic to the client router. | false |
| clientRouter.service.type | Client router service type. | ClusterIP |
| clientRouter.service.nodePort | Client router service port for NodePort service type, assigned automatically when left empty (only if clientRouter.service.type is set to "NodePort"). | nil |
| tunnelsNamespace | Deployments, Services and Secrets will be created in this namespace. Leave blank for a cluster-wide scope, with tunnels in multiple namespaces. | "" |
| inletsVersion | Inlets Pro release version for tunnel server Pods. | 0.9.12 |
| clientApi.enabled | Enable tunnel management REST API. | false |
| clientApi.image | Container image used for the client API. | |
| prometheus.create | Create the Prometheus monitoring component. | true |
| prometheus.resources | Resource limits and requests for prometheus containers. | {} |
| prometheus.image | Container image used for prometheus. | prom/prometheus:v2.40.1 |
| prometheus.service.type | Prometheus service type. | ClusterIP |
| prometheus.service.nodePort | Prometheus service port for NodePort service type, assigned automatically when left empty (only if prometheus.service.type is set to "NodePort"). | nil |
| nodeSelector | Node labels for pod assignment. | {} |
| affinity | Node affinity for pod assignments. | {} |
| tolerations | Node tolerations for pod assignment. | [] |

Specify each parameter using the --set key=value[,key=value] argument to helm install.