Become an inlets uplink provider
inlets uplink makes it easy for Service Providers and SaaS companies to deliver their product and services to customer networks.
To become a provider, you'll need a Kubernetes cluster, an inlets uplink subscription and to install the inlets-uplink-provider Helm chart.
Before you start
Before you start, you'll need the following:
- A Kubernetes cluster with LoadBalancer capabilities (i.e. public cloud).
- A domain name clients can use to connect to the tunnel control plane.
- An inlets uplink license (an inlets-pro license cannot be used)
- Optional: arkade - a tool for installing popular Kubernetes tools

  To install arkade run:

  ```bash
  curl -sSLf https://get.arkade.dev/ | sudo sh
  ```
Inlets uplink has its own independent subscription from inlets-pro.
Sign-up here: inlets uplink plans.
Create a Kubernetes cluster
We recommend creating a Kubernetes cluster with a minimum of three nodes. Each node should have a minimum of 2GB of RAM and 2 CPU cores.
Install cert-manager
Install cert-manager, which is used to manage TLS certificates for inlets-uplink.
You can use Helm, or arkade:
```bash
arkade install cert-manager
```
Create a namespace for the inlets-uplink-provider and install your license
Make sure to create the target namespace for your installation first.

```bash
kubectl create namespace inlets
```
Create the required secret with your inlets-uplink license.
Note
There is a known issue with LemonSqueezy where the UI will copy the license key in lower-case. It needs to be converted to upper-case before being used with Inlets Uplink.
Convert the license to upper-case, if it's in lower-case:

```bash
(
# Keep the original as .lower, write the upper-case copy, then remove the original.
mv "$HOME/.inlets/LICENSE_UPLINK"{,.lower}
tr '[:lower:]' '[:upper:]' < "$HOME/.inlets/LICENSE_UPLINK.lower" > "$HOME/.inlets/LICENSE_UPLINK"
rm "$HOME/.inlets/LICENSE_UPLINK.lower"
)
```

Create the secret for the license:

```bash
kubectl create secret generic \
  -n inlets inlets-uplink-license \
  --from-file license="$HOME/.inlets/LICENSE_UPLINK"
```
Set up ingress for customer tunnels
Tunnels on your customers' network will connect to your own inlets-uplink-provider.
There are two options for deploying the inlets-uplink-provider.
Use Option A if you're not sure. If your team already uses Istio or prefers Istio, use Option B.
A) Install with Kubernetes Ingress
We recommend ingress-nginx, and have finely tuned the configuration to work well for the underlying websocket for inlets. That said, you can change the IngressController if you wish.
Install ingress-nginx using arkade or Helm:
```bash
arkade install ingress-nginx
```

Create a values.yaml file for the inlets-uplink-provider chart:

```yaml
clientRouter:
  # Customer tunnels will connect with a URI of:
  # wss://uplink.example.com/namespace/tunnel
  domain: uplink.example.com

  tls:
    issuer:
      # Email address used for ACME registration
      email: "user@example.com"

    ingress:
      enabled: true
      class: "nginx"
```
Make sure to replace the domain and email with your actual domain name and email address.
B) Install with Istio
We have added support in the inlets-uplink chart for Istio to make it as simple as possible to configure with an HTTP01 challenge.
If you don't have Istio set up already, you can deploy it with arkade:

```bash
arkade install istio
```

Label the inlets namespace so that Istio can inject its sidecars:

```bash
kubectl label namespace inlets \
  istio-injection=enabled --overwrite
```

Create a values.yaml file for the inlets-uplink chart:

```yaml
clientRouter:
  # Customer tunnels will connect with a URI of:
  # wss://uplink.example.com/namespace/tunnel
  domain: uplink.example.com

  tls:
    issuer:
      # Email address used for ACME registration
      email: "user@example.com"

    istio:
      enabled: true
```
Make sure to replace the domain and email with your actual domain name and email address.
Deploy with Helm
The Helm chart is called inlets-uplink-provider. You can deploy it using the custom values.yaml file created above:

```bash
helm upgrade --install inlets-uplink \
  oci://ghcr.io/openfaasltd/inlets-uplink-provider \
  --namespace inlets \
  --values ./values.yaml
```

If you want to pin the version of the Helm chart, you can do so with the --version flag.
You can browse all versions of the Helm chart on GitHub.
Verify the installation
Once you've installed inlets-uplink, you can verify it is deployed correctly by checking the inlets namespace for running pods:

```
$ kubectl get pods --namespace inlets
NAME                               READY   STATUS    RESTARTS   AGE
client-router-b5857cf6f-7vrdh      1/1     Running   0          92s
prometheus-74d8d7db9b-2hptm        1/1     Running   0          16s
uplink-operator-7fccc9bdbc-twd2q   1/1     Running   0          92s
```

You should see the client-router and cloud-operator in a Running state.
If you installed inlets-uplink with Kubernetes ingress, you can verify that ingress for the client-router is set up and that a TLS certificate is issued for your domain using these two commands:

```
$ kubectl get -n inlets ingress/client-router
NAME            CLASS    HOSTS                ADDRESS           PORTS     AGE
client-router   <none>   uplink.example.com   188.166.194.102   80, 443   31m

$ kubectl get -n inlets cert/client-router-cert
NAME                 READY   SECRET               AGE
client-router-cert   True    client-router-cert   30m
```
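The manual checks above can be scripted as a post-install gate. This is an added example, not part of the inlets documentation: the function names are hypothetical, and the pod name prefixes and certificate name are taken from the sample output on this page.

```shell
#!/bin/sh
# Added example: post-install gate for the "inlets" namespace.
# Both functions read `kubectl get ... --no-headers` output on stdin,
# so they can be exercised offline and reused in CI.

# check_pods PREFIX...: succeed only if every PREFIX has at least one pod
# that is Running with all of its containers ready (READY n/n, n > 0).
check_pods() {
  awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    {
      split($2, ready, "/")
      for (i = 1; i <= n; i++)
        if (index($1, req[i] "-") == 1 && $3 == "Running" &&
            ready[1] == ready[2] && ready[2] + 0 > 0)
          ok[req[i]] = 1
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(req[i] in ok)) { print "not ready: " req[i] > "/dev/stderr"; bad = 1 }
      exit bad + 0
    }'
}

# check_cert NAME: succeed only if the cert-manager Certificate NAME
# reports READY=True.
check_cert() {
  awk -v name="$1" '$1 == name && $2 == "True" { found = 1 } END { exit !found }'
}

# Pod and certificate lines as they appear in the sample output on this page.
SAMPLE_PODS='client-router-b5857cf6f-7vrdh 1/1 Running 0 92s
prometheus-74d8d7db9b-2hptm 1/1 Running 0 16s
uplink-operator-7fccc9bdbc-twd2q 1/1 Running 0 92s'
SAMPLE_CERT='client-router-cert True client-router-cert 30m'

# Constructed failure case: the operator pod is crash-looping.
SAMPLE_BAD='client-router-b5857cf6f-7vrdh 1/1 Running 0 92s
uplink-operator-7fccc9bdbc-twd2q 0/1 CrashLoopBackOff 4 92s'

# Against a live cluster:
#   kubectl get pods -n inlets --no-headers | check_pods client-router uplink-operator
#   kubectl get -n inlets cert/client-router-cert --no-headers | check_cert client-router-cert
```

A non-zero exit status from either function means the deployment or the TLS certificate is not ready yet, so the customer tunnel setup should wait.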
Download the tunnel CLI
We provide a CLI to help you create and manage tunnels. It is available as a plugin for the inlets-pro CLI.
Download the inlets-pro binary:
- Download it from the GitHub releases
- Get it with arkade:

  ```bash
  arkade get inlets-pro
  ```

Get the tunnel plugin:

```bash
inlets-pro plugin get tunnel
```

Run inlets-pro tunnel --help to see all available commands.
Set up the first customer tunnel
Continue the setup here: Create a customer tunnel
Configuration reference
Overview of inlets-uplink parameters in values.yaml.
Parameter | Description | Default |
---|---|---|
pullPolicy | The imagePullPolicy applied to inlets-uplink components. | Always |
operator.image | Container image used for the uplink operator. | ghcr.io/openfaasltd/uplink-operator:0.1.5 |
clientRouter.image | Container image used for the client router. | ghcr.io/openfaasltd/uplink-client-router:0.1.5 |
clientRouter.domain | Domain name for inlets uplink. Customer tunnels will connect with a URI of: wss://uplink.example.com/namespace/tunnel. | "" |
clientRouter.tls.issuerName | Name of cert-manager Issuer for the clientRouter domain. | letsencrypt-prod |
clientRouter.tls.issuer.enabled | Create a cert-manager Issuer for the clientRouter domain. | true |
clientRouter.tls.issuer.email | Let's Encrypt email. Only used for certificate renewing notifications. | "" |
clientRouter.tls.ingress.enabled | Enable ingress for the client router. | enabled |
clientRouter.tls.ingress.class | Ingress class for client router ingress. | nginx |
clientRouter.tls.ingress.annotations | Annotations to be added to the client router ingress resource. | {} |
clientRouter.tls.istio.enabled | Use an Istio Gateway for incoming traffic to the client router. | false |
clientRouter.service.type | Client router service type. | ClusterIP |
clientRouter.service.nodePort | Client router service port for NodePort service type, assigned automatically when left empty. (only if clientRouter.service.type is set to "NodePort") | nil |
tunnelsNamespace | Deployments, Services and Secrets will be created in this namespace. Leave blank for a cluster-wide scope, with tunnels in multiple namespaces. | "" |
inletsVersion | Inlets Pro release version for tunnel server Pods. | 0.9.12 |
clientApi.enabled | Enable tunnel management REST API. | false |
clientApi.image | Container image used for the client API. | ghcr.io/openfaasltd/uplink-api:0.1.5 |
prometheus.create | Create the Prometheus monitoring component. | true |
prometheus.resources | Resource limits and requests for prometheus containers. | {} |
prometheus.image | Container image used for prometheus. | prom/prometheus:v2.40.1 |
prometheus.service.type | Prometheus service type. | ClusterIP |
prometheus.service.nodePort | Prometheus service port for NodePort service type, assigned automatically when left empty. (only if prometheus.service.type is set to "NodePort") | nil |
nodeSelector | Node labels for pod assignment. | {} |
affinity | Node affinity for pod assignments. | {} |
tolerations | Node tolerations for pod assignment. | [] |

Specify each parameter using the --set key=value[,key=value] argument to helm install.