inletsctl automates the task of creating an exit-node on cloud infrastructure. Once provisioned, you'll receive a command to connect with. You can use this tool whether you want to use inlets or inlets-pro for L4 TCP.
It needs to exist as a separate binary and CLI, so that the core inlets tool does not become bloated. The EC2 and AWS SDKs for Golang are very heavy-weight and result in a binary of over 30MB vs the small and nimble inlets and inlets-pro binaries.
Conceptual diagram
Case-study with receiving webhooks from https://blog.alexellis.io/webhooks-are-great-when-you-can-get-them/
Use-cases:
- Setup L7 HTTP and L4 TCP tunnels for your local services using inlets with
inletsctl create - Port-forward services your local Kubernetes cluster using
inletsctl kfwd
In the demo we:
- Create a cloud host on DigitalOcean with a single command
- Run a local Python HTTP server
- Connect our
inlets client - Access the Python HTTP server via the DigitalOcean Public IP
- Use the CLI to delete the host
inletsctl is the quickest and easiest way to automate both inlets and inlets-pro, whilst retaining complete control.
Completed:
- Provisioner: DigitalOcean
- Provisioner: Scaleway
- Provisioner: Civo.com support
- Provisioner: Google Cloud
- Provisioner: Packet.com
- Provisioner: AWS EC2
- Provisioner: Azure
-
inletsctl deletecommand - Add poll interval
--poll 5sfor use with Civo that applies rate-limiting - Install
inlets/inlets-proviainletsctl download#12
Pending:
- Enable
inletsctl deletevia--ipvs. instance ID #2 - Enable
inlets-proand TCP withinletsctl kfwd#13 - Generate systemd unit files for tunnels
Inlets is a Cloud Native Tunnel and is listed on the Cloud Native Landscape under Service Proxies.
- inlets - Cloud Native Tunnel for L7 / HTTP traffic written in Go
- inlets-pro - Cloud Native Tunnel for L4 TCP
- inlets-operator - Public IPs for your private Kubernetes Services and CRD
- inletsctl - Automate the cloud for fast HTTP (L7) and TCP (L4) tunnels
The inletsctl create command will provision a cloud host with the provider and region of your choice and then start running inlets server. The host is configured with the standard VM image for Ubuntu or Debian Linux and inlets is installed via userdata/cloud-init.
The provision package contains defaults for OS images to use and for cloud host plans and sizing. You'll find all available options on inletsctl create --help
The cost for cloud hosts varies depending on a number of factors such as the region, bandwidth used, and so forth. A rough estimation is that it could cost around 5 USD / month to host a VM on for DigitalOcean, Civo, or Scaleway. The VM is required to provide your public IP. Some hosting providers supply credits and a free-tier such as GCE and AWS.
See the pricing grid on the inlets-operator for a detailed breakdown.
inletsctl does not automatically delete your exit nodes (read cloud hosts), so you'll need to do that in your dashboard or via inletsctl delete when you are done.
# Install to local directory
curl -sLSf https://raw.githubusercontent.com/inlets/inletsctl/master/get.sh | sh
# Install to /usr/local/bin/
curl -sLSf https://raw.githubusercontent.com/inlets/inletsctl/master/get.sh | sudo shOr
# Install to local directory
curl -sLSf https://inletsctl.inlets.dev | sh
# Install to /usr/local/bin/
curl -sLSf https://inletsctl.inlets.dev | sudo shWindows users are encouraged to use git bash to install the inletsctl binary.
Examples on how to run inletsctl to create an exit node.
Pre-reqs:
- You will need inlets on your client
Workflow:
-
After running
inletsctl create, the IP address of your exit-node will be returned along with a sampleinlets clientcommand, for instance:Inlets OSS exit-node summary: IP: 209.97.131.180 Auth-token: qFyFzKYQvFSgtl7TM76p5SwWpmHaQGMT405HajiMzIYmwYVgJt1lvAMXfV4S3KlS Command: export UPSTREAM=http://127.0.0.1:8000 inlets client --remote "ws://209.97.131.180:8080" \ --token "qFyFzKYQvFSgtl7TM76p5SwWpmHaQGMT405HajiMzIYmwYVgJt1lvAMXfV4S3KlS" \ --upstream $UPSTREAM
-
You can delete your exit node using the
idgiven by your cloud providerinletsctl delete --access-token-file ~/Downloads/do-access-token --id 164857028
- One time setup required for a service account key
It is assumed that you have gcloud installed and configured on your machine. If not, then follow the instructions here
# Get current projectID
export PROJECTID=$(gcloud config get-value core/project 2>/dev/null)
# Create a service account
gcloud iam service-accounts create inlets \
--description "inlets-operator service account" \
--display-name "inlets"
# Get service account email
export SERVICEACCOUNT=$(gcloud iam service-accounts list | grep inlets | awk '{print $2}')
# Assign appropriate roles to inlets service account
gcloud projects add-iam-policy-binding $PROJECTID \
--member serviceAccount:$SERVICEACCOUNT \
--role roles/compute.admin
gcloud projects add-iam-policy-binding $PROJECTID \
--member serviceAccount:$SERVICEACCOUNT \
--role roles/iam.serviceAccountUser
# Create inlets service account key file
gcloud iam service-accounts keys create key.json \
--iam-account $SERVICEACCOUNT- Run inlets OSS or inlets-pro
# Create a tunnel with inlets OSS
inletsctl create -p gce --project-id=$PROJECTID -f=key.json
## Create a TCP tunnel with inlets-pro
inletsctl create -p gce -p $PROJECTID --remote-tcp=127.0.0.1 -f=key.json
# Or specify any valid Google Cloud Zone optional zone, by default it get provisioned in us-central1-a
inletsctl create -p gce --project-id=$PROJECTID -f key.json --zone=us-central1-ainletsctl create --access-token-file $HOME/Downloads/do-access-token \
--region="nyc1"Let's say we want to forward TCP connections to the IP 192.168.0.26 within our client's network, using inlets-pro, we'd run this using the --remote-tcp flag.
inletsctl create digitalocean --access-token-file ~/Downloads/do-access-token \
--remote-tcp 192.168.0.26# Obtain from your Scaleway dashboard:
export TOKEN=""
export SECRET_KEY=""
export ORG_ID=""
inletsctl create --provider scaleway \
--access-token $TOKEN
--secret-key $SECRET_KEY --organisation-id $ORG_IDThe region is hard-coded to France / Paris 1.
The inletsctl kfwd command can port-forward services from within your local Kubernetes cluster to your local network or computer.
Example usage:
inletsctl kfwd --if 192.168.0.14 --from openfaas-figlet:8080Then access the service via http://127.0.0.1:8080.
Prerequisites:
- You will need
az. See Install the Azure CLI
Generate Azure auth file
az ad sp create-for-rbac --sdk-auth > ~/Downloads/client_credentials.jsonCreate
inletsctl create --provider=azure --subscription-id=4d68ee0c-7079-48d2-b15c-f294f9b11a9e \
--region=eastus --access-token-file=~/Downloads/client_credentials.json Delete
inletsctl delete --provider=azure --id inlets-clever-volhard8 \
--subscription-id=4d68ee0c-7079-48d2-b15c-f294f9b11a9e \
--region=eastus --access-token-file=~/Downloads/client_credentials.jsonThe inletsctl download command can be used to download the inlets or inltets-pro binaries from github
Example usage:
# Download the latest inlets binary
inletsctl download
#Download the latest inlets-pro binary
inletsctl download --pro
# Download a specific version of inlets/inlets-pro
inletsctl download --version 2.6.2You may want to set an environment variable that points at your access-token-file or secret-key-file
Inlets will look for the following:
# For providers that use --access-token-file
INLETS_ACCESS_TOKEN
# For providers that use --secret-key-file
INLETS_SECRET_KEY
With the correct one of these set you wont need to add the flag on every command execution.
You can set the following syntax in your bashrc (or equivalent for your shell)
export INLETS_ACCESS_TOKEN=$(cat my-token.txt)
# or set the INLETS_SECRET_KEY for those providors that use this
export INLETS_SECRET_KEY=$(cat my-token.txt)Add a provisioner by sending a PR to the inlets-operator's provision package, once released, you can vendor the package here and add any flags that are required.
Note: only providers and platforms which support cloud-init's user-data scripts are supported.
MIT