- Provision a cluster on DigitalOcean Kubernetes or AKS
- Prepare your krustlet and get its certificates
- Create a Kubernetes secret for inlets
    export TOKEN=$(head -c 16 /dev/urandom | shasum | cut -d- -f1)
    echo $TOKEN > token.txt
    kubectl create secret generic inlets-token --from-literal token=${TOKEN}
- Create a Kubernetes secret for krustlet's TLS
    kubectl create secret generic ghosttunnel-tls \
      --from-file tls.crt=krustlet.crt \
      --from-file tls.key=krustlet.key
- Apply the inlets server Deployment and Service
    apiVersion: v1
    kind: Service
    metadata:
      name: inlets
      labels:
        app: inlets
    spec:
      type: ClusterIP
      ports:
        # inlets control port (the client connects here)
        - port: 8000
          protocol: TCP
          targetPort: 8000
          name: control
        # inlets data port (plain TCP, reached via the sidecar)
        - port: 3001
          protocol: TCP
          targetPort: 3001
          name: data
        # TLS listener served by the ghosttunnel sidecar
        - port: 3000
          protocol: TCP
          targetPort: 3000
          name: ghost
      selector:
        app: inlets
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: inlets
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: inlets
      template:
        metadata:
          labels:
            app: inlets
        spec:
          volumes:
            - name: ghosttunnel-tls-volume
              secret:
                secretName: ghosttunnel-tls
            - name: inlets-token-volume
              secret:
                secretName: inlets-token
          containers:
            - name: inlets
              image: inlets/inlets:2.6.3
              imagePullPolicy: Always
              command: ["inlets"]
              args:
                - "server"
                # token is read from the mounted inlets-token secret
                - "--token-from=/var/inlets/token"
                - "--control-port=8000"
                - "--port=3001"
              volumeMounts:
                - name: inlets-token-volume
                  mountPath: /var/inlets/
            - name: ghosttunnel
              image: squareup/ghostunnel:v1.5.2
              imagePullPolicy: Always
              args:
                - "server"
                - "--target=127.0.0.1:3001"
                - "--listen=0.0.0.0:3000"
                # serves krustlet's certificate and key from the ghosttunnel-tls secret
                - "--cert=/etc/tls/tls.crt"
                - "--key=/etc/tls/tls.key"
                # no client-certificate check is done at this listener
                - "--disable-authentication"
              volumeMounts:
                - name: ghosttunnel-tls-volume
                  mountPath: /etc/tls
- Port-forward or expose the inlets server
    kubectl port-forward svc/inlets 8000:8000 &
You can also expose inlets via Ingress, using cert-manager to give its control port a TLS certificate.
- Run the inlets client on your computer
    inlets client \
      --upstream https://127.0.0.1:3000 \
      --remote ws://127.0.0.1:8000 --token $(cat token.txt)
- Get the inlets server's service IP
    export NODE_IP=$(kubectl get service inlets -o jsonpath="{.spec.clusterIP}")
- Run the krustlet now
    krustlet-wasi --pfx-password $(cat pass) --node-ip $NODE_IP
- Deploy a manifest to Kubernetes
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: hello-world-wasi-rust
    data:
      myval: "cool stuff"
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-world-wasi-rust
    spec:
      containers:
        - name: hello-world-wasi-rust
          image: webassembly.azurecr.io/hello-world-wasi-rust:v0.1.0
          env:
            - name: FOO
              value: bar
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: CONFIG_MAP_VAL
              valueFrom:
                configMapKeyRef:
                  key: myval
                  name: hello-world-wasi-rust
      tolerations:
        - key: "krustlet/arch"
          operator: "Equal"
          value: "wasm32-wasi"
          effect: "NoExecute"
- Grab the logs
    kubectl logs pod/hello-world-wasi-rust
    hello from stdout!
    hello from stderr!
    FOO=bar
    CONFIG_MAP_VAL=cool stuff
    POD_NAME=hello-world-wasi-rust
    Args are: []
Rejoice!
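
A variant of the "Create a Kubernetes secret for inlets" step, added here as an example and not part of the original guide: it writes token.txt with owner-only permissions and loads it with --from-file, so the token does not appear in the kubectl process arguments. The function names, the `apply` argument and the use of od in place of shasum are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): create the inlets token
# without exposing it in argv or in a group/world-readable file.

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
gen_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a fresh token to the path in $1.
# - umask 077 gives the new file mode 0600
# - rm -f first, so a pre-existing file with looser permissions is not reused
# - printf '%s' writes no trailing newline, so the Secret value and the
#   value read back by $(cat token.txt) on the client are identical
write_token_file() {
    ( umask 077 && rm -f "$1" && printf '%s' "$(gen_token)" > "$1" )
}

# Load the file into the Secret under the key "token", the file name the
# Deployment expects at /var/inlets/token.
create_inlets_secret() {
    kubectl create secret generic inlets-token --from-file token="$1"
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_token_file token.txt && create_inlets_secret token.txt
fi
```

The inlets client command from the guide works unchanged, since it reads the same token.txt.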
- Remove the port-forward
This tutorial uses a port-forward to keep things simple. For permanent use, you will want to expose the inlets server and its control port directly. The OSS version can be configured with TLS, but this is not built-in.
You can set up an Ingress rule for the control port of the inlets server (port 8000) and obtain a TLS certificate from Let's Encrypt.
- Use inlets PRO instead
With inlets PRO you can expose the control port (8123) directly to the Internet as a NodePort or LoadBalancer, or, if you wish, via an Ingress definition. The control port already has TLS configured, so it won't need additional link-layer encryption.
Pure L4 TCP proxy with built-in TLS for the control-plane
Inlets OSS as used in the guide with ghostunnel: