An inlets cloud provides a way for you to create and manage multiple tunnel servers with the ease of a SaaS.
Example usage with the inlets-cloud CLI:
# Create a tunnel for Subhash
./inlets-cloud create subhash
Additional 0 domains: []
Created tunnel subhash. OK.
# Print his connection info, so he can connect a tunnel to the new
# tunnel server Pod
./inlets-cloud connect --domain tun.example.com subhash
# Access your tunnel via: https://subhash.tun.example.com
inlets-pro http client \
--token=r9OFd5AkerDmBMbs1lt1A0CvJwshO4zzemQnK67QquqWVSQViAyoGrsE \
--url=wss://subhash-tunnel.tun.example.com \
--upstream=http://127.0.0.1:8000 \
--auto-tls=false
You'll need a Kubernetes cluster and a domain name with a wildcard entry.
- A Kubernetes cluster, ideally 3 nodes with 2 vCPU and 4GB of RAM. Lower may also work
- A sub-domain you can use, and a way to set up your DNS01 challenge from cert-manager.
- An inlets Pro subscription - any tier will work here, but pay attention to the limits of your subscription, don't go over these
The Kubernetes cluster should be created on the public Internet.
I suggest using DigitalOcean or Google Cloud.
arkade install ingress-nginx
arkade install cert-manager
Create an inlets namespace:
kubectl create ns inlets
You need to create a DNS Zone in your managed provider.
If your wildcard domain is i.e. *.tun.example.com
create the zone as tun.example.com
as a NS record.
Now create a DNS A record for *.tun.example.com
and use the IP of ingress-nginx from kubectl get svc
Follow this guide and call your ClusterIssuer letsencrypt-prod
Note since we are using a ClusterIssuer, create your secrets in the
cert-manager
namespace
Create an access token in the UI and download it as ~/do-access-token
Create a secret with the value:
kubectl create secret generic \
-n cert-manager digitalocean-dns \
--from-file access-token=$HOME/do-access-token
Edit the email
field and then apply this file:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: inlets
spec:
acme:
email: webmaster@tun.example.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
digitalocean:
tokenSecretRef:
name: digitalocean-dns
key: access-token
Create a Kubernetes secret for the inlets-cloud-operator to use:
kubectl create secret generic -n inlets \
inlets-license-key --from-file inlets-license-key=$HOME/.inlets/LICENSE.txt
There's a REST API aka client-api which can be used to integrate with inlets-cloud from your own applications.
Create a token for it:
export token=$(head -c 16 /dev/urandom | shasum | cut -d" " -f1)
echo -n $token > $HOME/.inlets/client-api-token.txt
kubectl create secret generic \
client-api-token \
-n inlets \
--from-file client-api-token=$HOME/.inlets/client-api-token.txt
The operator detects ExitTunnel
resources and creates a: secret, deployment to run inlets-pro http server
, service and compatible ingress entry.
Download inlets-cloud.yaml
and replace the example domain with your own, then apply it
sed s/tun.example.com/inlets.mydomain.dev/g inlets-cloud.yaml | \
kubectl apply -f-
Download the CLI from, make sure you have the latest version
https://github.com/alexellis/inlets-cloud-cli/releases/
# Create a new ExitTunnel
inlets-cloud-cli create NAME
# Create a new ExitTunnel with more than one domain
# mapped to it
#
# Do not add the domain suffix here
# So "gateway" instead of "gateway.tun.example.com"
#
# The command prints out how to connect and how to
# access the tunnel.
inlets-cloud-cli create NAME \
--upstream gateway \
--upstream prometheus
# Print inlets client connection string
inlets-cloud-cli connect NAME --domain tun.example.com
# List tunnels
inlets-cloud-cli list
# Rotate a secret for a tunnel
inlets-cloud-cli rotate NAME