Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Using Service Interconnect

Red Hat Service Interconnect 2.0

Creating an application network with the CLI and YAML

Abstract

Red Hat Service Interconnect is a Red Hat build of the open source Skupper project. This Skupper documentation is reproduced for reference.

Chapter 1. Skupper overview
Copy link

Hybrid clouds enable organizations to combine on-premises, private cloud, and public cloud resources. While such a solution provides many benefits, it also presents a unique challenge: enabling these resources to communicate with each other.

Skupper provides a solution to this challenge with an Application Network that simply and securely connects applications running in different network locations.

1.1. Application Networks
Copy link

Skupper solves multi-cluster communication challenges through something called a Virtual Application Network or just application network. To understand the value of Skupper, it is helpful to first understand what an application network is.

An application network connects the applications and services in your hybrid cloud into a virtual network so that they can communicate with each other as if they were all running in the same site. In this diagram, an application network connects three services, each of which is running in a different cloud:

overview-clouds
View larger image
overview-clouds

In essence, the application network connects the services in a distributed application with a microservice architecture.

overview-application
View larger image
overview-application

Application networks are able to provide connectivity across the hybrid cloud because they operate at Layer 7 (the application layer). They use Layer 7 application routers to route communication between Layer 7 application services.

1.2. Layer 7 application routers
Copy link

Layer 7 application routers form the backbone of an application network in the same way that conventional network routers form the backbone of a VPN. However, instead of routing IP packets between network endpoints, Layer 7 application routers route messages between application endpoints (called Layer 7 application services).

Layer 7 application services

A Layer 7 application service represents an endpoint, or destination in the application network. When an application sends a communication to an service, the Layer 7 application routers distribute the communication to any other application in the application network that has the same service.

For example, in this diagram, Service B sends a message with an application service to its local application router. Service A and Service C are subscribed to the same service, so the application router routes copies of the message through the application network until they arrive at each destination.

overview-routers
View larger image
overview-routers

Application networks provide multiple routing patterns, so communications can be distributed in anycast (balanced or closest) or multicast patterns.

1.3. Skupper
Copy link

Skupper is an open source tool for creating application networks in Kubernetes or Linux. By using Skupper, you can create a distributed application consisting of microservices running in different sites.

This diagram illustrates a Skupper network that connects three services running in three different sites:

overview-clusters
View larger image
overview-clusters

In a Skupper network, each namespace contains a Skupper instance. When these Skupper instances connect, they continually share information about the services that each instance exposes. This means that each Skupper instance is always aware of every service that has been exposed to the Skupper network, regardless of the namespace in which each service resides.

Once a Skupper network is formed across Kubernetes namespaces, any of the services in those namespaces can be exposed (through annotation) to the Skupper network. When a service is exposed, Skupper creates proxy endpoints to make that service available on each namespace in the Skupper network.

Chapter 2. Skupper security
Copy link

Skupper securely connects your services with TLS authentication and encryption. See how Skupper enables you to deploy your application securely across Kubernetes clusters.

Security challenges in the cloud

Moving an application to the cloud raises security risks. Either your services must be exposed to the public internet, or you must adopt complex layer 3 network controls like VPNs, firewall rules, and access policies.

Increasing the challenge, layer 3 network controls do not extend easily to multiple clusters. These network controls must be duplicated for each cluster.

Built-in network isolation

Skupper provides default, built-in security that scales across clusters and clouds. In a Skupper network, the connections between Skupper routers are secured with mutual TLS using a private, dedicated certificate authority (CA). Each router is uniquely identified by its own certificate.

This means that the Skupper network is isolated from external access, preventing security risks such as lateral attacks, malware infestations, and data exfiltration.

Chapter 3. Skupper connectivity
Copy link

Skupper represents a new approach to connecting services across multiple Kubernetes clusters. See how Skupper can give you the flexibility to deploy your services where you need them.

One cluster

Kubernetes services provide a virtual network address for each element of your distributed application. Service "A" can contact service "B", "B" can contact "C", and so on.

But if you want to deploy your application across multiple clusters, your options are limited. You have to either expose your services to the public internet or set up a VPN.

Skupper offers a third way. It connects clusters to a secure layer 7 network. It uses that network to forward local service traffic to remote clusters.

Secure hybrid cloud communication

Deploy your application across public and private clusters.

You can host your database on a private cluster and retain full connectivity with services running on the public cloud. All communication is secured by mutual TLS authentication and encryption.

Edge-to-edge connectivity

Distribute application services across geographic regions.

You can connect multiple retail sites to a central office. Once connected, each edge location can contact any other edge. You can add and remove sites on demand.

Scale up and out

Build large, robust networks of connected clusters.

Chapter 4. Skupper routing
Copy link

Skupper uses layer 7 addressing and routing to connect services. See how the power of application-layer addressing can bring new capabilities to your applications.

Multi-cluster services

Deploy a single logical service across multiple clusters.

Skupper can route requests to instances of a single service running on multiple clusters. If a provider or data center fails, the service instances running at unaffected sites can scale to meet the need and maintain availability.

Dynamic load balancing

Balance requests across clusters according to service capacity.

The Skupper network has cross-cluster visibility. It can see which services are already loaded and which have spare capacity, and it directs requests accordingly.

You can assign a cost to each inter-cluster connection. This enables you to configure a preference for one resource over another. If demand is normal, you can keep all traffic on your private cloud. If demand peaks, you can dynamically spill over to public cloud resources.

Reliable networks

Skupper uses redundant network paths and smart routing to provide highly available connectivity at scale.

Chapter 5. Overview of Skupper CLI on Kubernetes
Copy link

You can use the skupper CLI on Kubernetes after installing the Skupper controller to configure sites, links and services.

The Skupper CLI is designed to generate and consume standard resources, ensuring that a sites, links and services configured using the CLI are identical to those configured directly through YAML.

Using the skupper command-line interface (CLI) allows you to create and manage sites from the context of the current namespace.

A typical workflow is to create a site, link sites together, and expose services to the service network.

6.1. Checking the Skupper CLI
Copy link

Installing the skupper command-line interface (CLI) provides a simple method to get started with Skupper.

  1. Follow the instructions for Installing Skupper.

  2. Verify the installation. 

    $  skupper version
COMPONENT               VERSION
cli                     {skupper_cli_version}
    Copy to Clipboard Toggle word wrap

Prerequisites

  • The skupper CLI is installed.
  • The Skupper controller is running on the Kubernetes cluster you are running or you are running on a platform.

Procedure

  1. Check that the SKUPPER_PLATFORM environment is unset or set to kubernetes.

    • kubernetes - default
    • podman
    • docker
    • linux

  2. Create a site on Kubernetes: 

    $ skupper site create <site-name> --namespace <namespace>
    Copy to Clipboard Toggle word wrap

    Specifying the namespace is not required if the context is set to the namespace where you want to create the site. For example: 

    $ skupper site create my-site
Waiting for status...
Site "my-site" is ready.
    Copy to Clipboard Toggle word wrap

    There are many options to consider when creating sites using the CLI, see CLI Reference, including frequently used options.

For example

  • --enable-link-access

    If enabled, this option allows you create tokens and link to this site. By default, this option is disabled but you can change the setting later skupper site update --enable-link-access.

  • --timeout <time>

    You can add the timeout option to specify the maximum time for the CLI wait for the site status to report ready. 

    skupper site create my-site --timeout 2m
    Copy to Clipboard Toggle word wrap

    The timeout option does not stop the site from being created, but if the site is not ready, the following is output: 

    Site "my-site" is not yet ready: Pending
    Copy to Clipboard Toggle word wrap

    You can check the status of the site at any time using skupper site status.

6.3. Deleting a site using the CLI on Kubernetes
Copy link

Prerequisites

  • The skupper CLI is installed.

Procedure

  1. Change context to the namespace where the site was created, for example: 

    kubectl config set-context --current --namespace west
    Copy to Clipboard Toggle word wrap

  2. Enter the following command to delete a site: 

    skupper site delete
    Copy to Clipboard Toggle word wrap

Using the Skupper command-line interface (CLI) allows you to create links between sites. The link direction is not significant, and is typically determined by ease of connectivity. For example, if east is behind a firewall, linking from east to west is the easiest option.

Once sites are linked, services can be exposed and consumed across the application network without the need to open ports or manage inter-site connectivity.

7.1. Linking sites using a token
Copy link

A token provides a secure method to link sites. By default, a token can only be used once and must be used within 15 minutes to link sites. This procedure describes how to issue a token from one site and redeem that token on another site to create a link.

Prerequisites

  • Two sites
  • At least one site with enable-link-access enabled.

To link sites, you create a token on one site and redeem that token on the other site to create the link.

Procedure

  1. On the site where you want to issue the token, make sure link access is enabled: 

    skupper site update --enable-link-access
    Copy to Clipboard Toggle word wrap

  2. Create a token: 

    skupper token issue <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

    This file contains a key and the location of the site that created it.

    📌 NOTE Access to this file provides access to the application network. Protect it appropriately. A token can be restricted by any combination of:

    • Time - prevents token reuse after a specified period.

      For example, to allow a token to be used for 1 hour after it is issued: 

      skupper token issue build/west.yaml --expiration-window 60m
      Copy to Clipboard Toggle word wrap

    • Usage - prevents creating multiple links from a single token.

      For example, to allow a token to be used 3 times: 

      skupper token issue output/west.yaml --redemptions-allowed 3
      Copy to Clipboard Toggle word wrap

    All inter-site traffic is protected by mutual TLS using a private, dedicated certificate authority (CA). A token is not a certificate, but is securely exchanged for a certificate during the linking process.

  3. Redeem the token on a different site to create a link: 

    skupper token redeem <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  4. Check the status of the link: 

    skupper link status
    Copy to Clipboard Toggle word wrap

    You might need to issue the command multiple times before the link is ready: 

    $ skupper link status
NAME                                            STATUS  COST    MESSAGE
west-12f75bc8-5dda-4256-88f8-9df48150281a       Pending 1       Not Operational
$ skupper link status
NAME                                            STATUS  COST    MESSAGE
west-12f75bc8-5dda-4256-88f8-9df48150281a       Ready   1       OK
    Copy to Clipboard Toggle word wrap

    You can now expose services on the application network.

There are many options to consider when linking sites using the CLI, see CLI Reference, including frequently used options.

After creating an application network by linking sites, you can expose services from one site using connectors and consume those services on other sites using listeners. A routing key is a string that matches one or more connectors with one or more listeners. For example, if you create a connector with the routing key backend, you need to create a listener with the routing key backend to consume that service.

This section assumes you have created and linked at least two sites.

8.1. Creating a connector using the CLI
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched using routing keys.

For more information about connectors, see Connector concept.

Procedure

  1. Create a workload that you want to expose on the network, for example: 

    kubectl create deployment backend --image quay.io/skupper/hello-world-backend --replicas 3
    Copy to Clipboard Toggle word wrap

  2. Create a connector: 

    skupper connector create <name> <port> [--routing-key <name>]
    Copy to Clipboard Toggle word wrap

    For example: 

    skupper connector create backend 8080 --workload deployment/backend
    Copy to Clipboard Toggle word wrap

  3. Check the connector status: 

    skupper connector status
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper connector status
NAME    STATUS  ROUTING-KEY     SELECTOR        HOST    PORT    HAS MATCHING LISTENER    MESSAGE
backend Pending backend         app=backend             8080    false   No matching listeners
    Copy to Clipboard Toggle word wrap

    📌 NOTE By default, the routing key name is set to the name of the connector. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using the CLI, see CLI Reference, including frequently used options.

Additional information

If you need to expose a service from another namespace, you must use YAML as described in Creating a connector for a different namespace using YAML.

8.2. Creating a listener using the CLI
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched using routing keys.

For more information about listeners. see Listener concept.

Procedure

  1. Identify a connector that you want to use. Note the routing key of that connector.

  2. Create a listener: 

    skupper connector create <name> <port> [--routing-key <name>]
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper listener create backend 8080
Waiting for create to complete...
Listener "backend" is ready
    Copy to Clipboard Toggle word wrap

  3. Check the listener status: 

    skupper listener status
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper listener status
NAME    STATUS  ROUTING-KEY     HOST    PORT    MATCHING-CONNECTOR      MESSAGE
backend Ready   backend         backend 8080    true                    OK
    Copy to Clipboard Toggle word wrap

    📌 NOTE There must be a MATCHING-CONNECTOR for the service to operate. By default, the routing key name is the listener name. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using the CLI, see CLI Reference, including frequently used options.

You can use YAML on Kubernetes after installing the Skupper controller to

Using YAML allows you to create and manage sites from the context of the current namespace.

A typical workflow is to create a site, link sites together, and expose services to the service network.

You can use YAML to create and manage Skupper sites.

Prerequisites

  • The Skupper controller is running on the Kubernetes cluster you are running or you are running on a platform.

Procedure

  1. Create a site CR YAML file named my-site.yaml, for example: 

    apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: my-site
  namespace: west
    Copy to Clipboard Toggle word wrap

    This YAML creates a site named my-site in the west namespace. Specifying the namespace is not required if the context is set to the namespace where you want to create the site.

  2. Create the site: 

    kubectl apply -f my-site.yaml
    Copy to Clipboard Toggle word wrap

  3. Check the status of the site: 

    kubectl get site
    Copy to Clipboard Toggle word wrap

    You might need to issue the command multiple times before the site is ready: 

    $ kubectl get site
NAME   STATUS    SITES IN NETWORK   MESSAGE
west   Pending                      containers with unready status: [router kube-adaptor]
$ kubectl get site
NAME   STATUS   SITES IN NETWORK   MESSAGE
west   Ready    1                  OK
    Copy to Clipboard Toggle word wrap

    You can now link this site to another site to create an application network.

There are many options to consider when creating sites using YAML, see YAML Reference, including frequently used options.

After creating an application network by linking sites, you can expose services from one site using connectors and consume those services on other sites using listeners. A routing key is a string that matches one or more connectors with one or more listeners. For example, if you create a connector with the routing key backend, you need to create a listener with the routing key backend to consume that service.

This section assumes you have created and linked at least two sites.

11.1. Creating a connector using YAML
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched using routing keys.

There are many options to consider when creating connectors using YAML, see Connector resource.

Procedure

  1. Create a workload that you want to expose on the network, for example: 

    kubectl create deployment backend --image quay.io/skupper/hello-world-backend --replicas 3
    Copy to Clipboard Toggle word wrap

  2. Create a connector resource YAML file: 

    apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: backend
  namespace: east
spec:
  routingKey: backend
  selector: app=backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    This creates a connector in the east site and exposes the backend deployment on the network on port 8080. You can create a listener on a different site using the matching routing key backend to address this service.

    To create the connector resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  3. Check the connector status: 

    kubectl get connector
    Copy to Clipboard Toggle word wrap

    For example: 

    NAME    STATUS  ROUTING-KEY     SELECTOR        HOST    PORT    HAS MATCHING LISTENER    MESSAGE
backend Pending backend         app=backend             8080    false   No matching listeners
    Copy to Clipboard Toggle word wrap

    📌 NOTE By default, the routing key name is set to the name of the connector. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using YAML, see CLI Reference, including frequently used options.

11.2. Creating a listener using YAML
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched using routing keys.

For more information about listeners. see Listener concept.

Procedure

  1. Identify a connector that you want to use. Note the routing key of that connector.

  2. Create a listener resource YAML file: 

    apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: backend
  namespace: west
spec:
  routingKey: backend
  host: east-backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    This creates a listener in the west site and matches with the connector that uses the routing key backend. It also creates a service named east-backend exposed on port 8080 in the current namespace.

    To create the connector resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  3. Check the listener status: 

    kubectl get listener
    Copy to Clipboard Toggle word wrap

    For example: 

    NAME      ROUTING KEY   PORT   HOST           STATUS   HAS MATCHING CONNECTOR   MESSAGE
backend   backend       8080   east-backend   Ready    true                     OK
    Copy to Clipboard Toggle word wrap

    📌 NOTE There must be a MATCHING-CONNECTOR for the service to operate.

There are many options to consider when creating listeners using YAML, see Listener resource.

A connector binds a local workload to listeners in remote sites.

If you create a site in one namespace and need to expose a service in a different namespace, use this procedure to create an attached connector in the other namespace and an AttachedConnectorBinding in the site namespace.

  • An attached connector is a connector in a peer namespace, that is, not the site namespace.
  • The AttachedConnectorBinding is a binding to an attached connector in a peer namespace and is created in the site namespace.

Procedure

  1. Create a workload that you want to expose on the network in a non-site namespace, for example: 

    kubectl create deployment backend --image quay.io/skupper/hello-world-backend --replicas 3
    Copy to Clipboard Toggle word wrap

  2. Create an AttachedConnector resource YAML file in the same namespace: 

    apiVersion: skupper.io/v2alpha1
kind: AttachedConnector
metadata:
  name: backend
  namespace: attached
spec:
  siteNamespace: skupper
  selector: app=backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    To create the AttachedConnector resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  3. Create an AttachedConnectorBinding resource YAML file in the site namespace: 

    apiVersion: skupper.io/v2alpha1
kind: AttachedConnector
metadata:
  name: backend
  namespace: attached
spec:
  siteNamespace: skupper
  selector: app=backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    To create the AttachedConnectorBinding resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  4. Check the AttachedConnectorBinding status from the context of the site namespace: 

    kubectl get AttachedConnectorBinding
    Copy to Clipboard Toggle word wrap

    For example: 

    NAME      ROUTING KEY   CONNECTOR NAMESPACE   STATUS   HAS MATCHING LISTENER
backend   backend       attached              Ready    true
    Copy to Clipboard Toggle word wrap

    📌 NOTE By default, the routing key name is set to the name of the connector. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using YAML, see Connector resource.

This is a Technology Preview feature.

Important

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Using the skupper command-line interface (CLI) allows you to create and manage Skupper sites from the context of the current user.

A typical workflow is to create a site, link sites together, and expose services to the service network.

A local system includes Docker, Podman or Linux system.

If you require more than one site, specify a unique namespace when using skupper, for example skupper --namespace second-site ....

13.1. Checking the Skupper CLI and environment
Copy link

Installing the skupper command-line interface (CLI) provides a simple method to get started with Skupper.

  1. Follow the instructions for Installing Skupper.

  2. Verify the installation. 

    $  skupper version
COMPONENT               VERSION
cli                     {skupper_cli_version}
    Copy to Clipboard Toggle word wrap

  3. For podman sites:

    Make sure the Podman socket is available. To enable it: 

    systemctl --user enable --now podman.socket
    Copy to Clipboard Toggle word wrap

    Enable lingering to ensure the site persists over logouts: 

    loginctl enable-linger <username>
    Copy to Clipboard Toggle word wrap

Prerequisites

  • The skupper CLI is installed.

Procedure

  1. Set the SKUPPER_PLATFORM for type of site you want to install:

    • podman
    • docker
    • linux

  2. Create a site: 

    $ skupper site create <site-name>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper site create my-site
Waiting for status...
Site "my-site" is ready.
    Copy to Clipboard Toggle word wrap

📌 NOTE: On non-Kubernetes sites, you can create multiple sites per-user by specifying a namespace.

Prerequisites

  • The skupper CLI is installed.

Procedure

  1. Enter the following command to delete a site: 

    skupper system teardown
    Copy to Clipboard Toggle word wrap

Using the Skupper command-line interface (CLI) allows you to create links between sites. The link direction is not significant, and is typically determined by ease of connectivity. For example, if east is behind a firewall, linking from east to west is the easiest option.

Once sites are linked, services can be exposed and consumed across the application network without the need to open ports or manage inter-site connectivity.

A local system includes Docker, Podman or Linux system.

In this release, the CLI does not support issuing or redeeming tokens. In this release, the CLI does not support generating link resource files.

To link a local system site to a Kubernetes site, see Linking sites on local systems using YAML

After creating an application network by linking sites, you can expose services from one site using connectors and consume those services on other sites using listeners. A routing key is a string that matches one or more connectors with one or more listeners. For example, if you create a connector with the routing key backend, you need to create a listener with the routing key backend to consume that service.

This section assumes you have created and linked at least two sites.

15.1. Creating a connector using the CLI
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched using routing keys.

For more information about connectors see Connector concept

Prerequisites

  • The skupper CLI is installed.
  • The SKUPPER_PLATFORM environment variable is set to one of * podman,docker or linux.

Procedure

  1. Create a server that you want to expose on the network. For example, run a HTTP server on port 8080.

  2. Create a connector: 

    skupper connector create <name> <port> [--routing-key <name>]
    Copy to Clipboard Toggle word wrap

    For example: 

    skupper connector create my-server 8080 --host localhost
    Copy to Clipboard Toggle word wrap

  3. Check the connector status: 

    skupper connector status
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper connector status
NAME		STATUS	ROUTING-KEY	HOST		PORT
my-server	Ok	my-server	localhost	8081
    Copy to Clipboard Toggle word wrap

    📌 NOTE By default, the routing key name is set to the name of the connector. If you want to use a custom routing key, set the --routing-key to your custom name.

    Apply the configuration using: 

    skupper system reload
    Copy to Clipboard Toggle word wrap

There are many options to consider when creating connectors using the CLI, see CLI Reference, including frequently used options.

15.2. Creating a listener using the CLI
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched using routing keys.

Prerequisites

  • The skupper CLI is installed.
  • The SKUPPER_PLATFORM environment variable is set to one of * podman,docker or linux.

Procedure

  1. Identify a connector that you want to use. Note the routing key of that connector.

  2. Create a listener: 

    skupper connector create <name> <port> [--routing-key <name>]
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper listener create my-server 8080
File written to /home/user/.local/share/skupper/namespaces/default/input/resources/Listener-backend.yaml
    Copy to Clipboard Toggle word wrap

    Apply the configuration using: 

    skupper system reload
    Copy to Clipboard Toggle word wrap

  3. Check the listener status: 

    skupper listener status
    Copy to Clipboard Toggle word wrap

    For example: 

    $ skupper listener status
NAME		STATUS	ROUTING-KEY	HOST		PORT
my-server	Ok	my-server	localhost	8081
    Copy to Clipboard Toggle word wrap

    📌 NOTE There must be a matching connector for the service to operate. By default, the routing key name is the listener name. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using the CLI, see CLI Reference, including frequently used options.

This is a Technology Preview feature.

Important

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Using YAML allows you to create and manage sites on Docker, Podman and Linux.

A typical workflow is to create a site, link sites together, and expose services to the service network.

If you require more than one site, specify a unique namespace when using skupper, for example skupper --namespace second-site ....

You can use YAML to create and manage Skupper sites.

Prerequisites

  • The skupper CLI is installed.

Procedure

  1. Create a site CR YAML file named my-site.yaml in an empty directory, for example, local: 

    apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: my-site
    Copy to Clipboard Toggle word wrap

    This YAML creates a site named my-site in the default namespace.

  2. Create the site: 

    skupper system setup --path ./local
    Copy to Clipboard Toggle word wrap

    Skupper attempts to process any files in the local directory. Typically, you create all resources you require for a site before running skupper system setup.

  3. Check the status of the site: 

    skupper site status
    Copy to Clipboard Toggle word wrap

    You might need to issue the command multiple times before the site is ready: 

    NAME    STATUS  MESSAGE
default Ready   OK
    Copy to Clipboard Toggle word wrap

    You can now link this site to another site to create an application network.

There are many options to consider when creating sites using YAML, see YAML Reference, including frequently used options.

Using a link resource YAML file allows you to create links between sites. The link direction is not significant, and is typically determined by ease of connectivity. For example, if east is behind a firewall, linking from east to west is the easiest option.

Once sites are linked, services can be exposed and consumed across the application network without the need to open ports or manage inter-site connectivity.

The procedures below describe linking an existing site. Typically, it is easier to configure a site, links and services in a set of files and then create a configured site by placing all the YAML files in a directory, for example local and then using the following command to

After creating an application network by linking sites, you can expose services from one site using connectors and consume those services on other sites using listeners. A routing key is a string that matches one or more connectors with one or more listeners. For example, if you create a connector with the routing key backend, you need to create a listener with the routing key backend to consume that service.

This section assumes you have created and linked at least two sites.

19.1. Creating a connector using YAML
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched using routing keys.

For more information about connectors see Connector concept

Procedure

  1. Create a workload that you want to expose on the network, for example: 

    kubectl create deployment backend --image quay.io/skupper/hello-world-backend --replicas 3
    Copy to Clipboard Toggle word wrap

  2. Create a connector resource YAML file: 

    apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: backend
  namespace: east
spec:
  routingKey: backend
  selector: app=backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    This creates a connector in the east site and exposes the backend deployment on the network on port 8080. You can create a listener on a different site using the matching routing key backend to address this service.

    To create the connector resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  3. Check the connector status: 

    kubectl get connector
    Copy to Clipboard Toggle word wrap

    For example: 

    NAME    STATUS  ROUTING-KEY     SELECTOR        HOST    PORT    HAS MATCHING LISTENER    MESSAGE
backend Pending backend         app=backend             8080    false   No matching listeners
    Copy to Clipboard Toggle word wrap

    📌 NOTE By default, the routing key name is set to the name of the connector. If you want to use a custom routing key, set the --routing-key to your custom name.

There are many options to consider when creating connectors using YAML, see CLI Reference, including frequently used options.

19.2. Creating a listener using YAML
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched using routing keys.

Procedure

  1. Identify a connector that you want to use. Note the routing key of that connector.

  2. Create a listener resource YAML file: 

    apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: backend
  namespace: west
spec:
  routingKey: backend
  host: east-backend
  port: 8080
    Copy to Clipboard Toggle word wrap

    This creates a listener in the west site and matches with the connector that uses the routing key backend. It also creates a service named east-backend exposed on port 8080 in the current namespace.

    To create the connector resource: 

    kubectl apply -f <filename>
    Copy to Clipboard Toggle word wrap

    where <filename> is the name of a YAML file that is saved on your local filesystem.

  3. Check the listener status: 

    kubectl get listener
    Copy to Clipboard Toggle word wrap

    For example: 

    NAME      ROUTING KEY   PORT   HOST           STATUS   HAS MATCHING CONNECTOR   MESSAGE
backend   backend       8080   east-backend   Ready    true                     OK
    Copy to Clipboard Toggle word wrap

    📌 NOTE There must be a MATCHING-CONNECTOR for the service to operate.

There are many options to consider when creating connectors using YAML, see CLI Reference, including frequently used options.

Chapter 20. Service Interconnect reference
Copy link

20.1. Reference
Copy link

20.1.1. Skupper concepts
Copy link

20.1.1.1. Site concept
Copy link

A site is a place on the network where application workloads are running. Sites are joined by links.

A site is associated with one platform and one network. Each site has zero or more workloads and zero or more links.

Sites operate on multiple platforms. One site corresponds to one namespace in a platform instance. Sites can be added to a network and removed from a network dynamically.

Each site has a Skupper router which is responsible for communicating with the local workloads and forwarding traffic to routers in remote sites.

20.1.1.2. Workload concept
Copy link

A workload is a set of processes running on a platform. A process is a pod, container, or system process. Workloads in a site are exposed as services on the network using connectors.

A platform has zero or more workloads. A site also has zero or more workloads. Each workload has zero or more processes and zero or more connectors.

A workload implements one part of an application by providing a network interface (for example, an API) that other parts of the application use. A workload can be both a client and a server.

On Kubernetes, a workload is a Deployment, StatefulSet, or DaemonSet. On Docker or Podman, a workload is a set of containers. On Linux, a workload is a set of system processes.

20.1.1.3. Platform concept
Copy link

A platform is a system for running application workloads. A platform hosts sites. Skupper supports Kubernetes, Docker, Podman, and Linux. Each site in a network can run on any supported platform.

Platforms provide namespaces for related workloads and resources. Skupper uses namespaces to host multiple independent sites on one instance of a platform. Each site on a platform can belong to a distinct application network.

A platform has zero or more namespaces. Each namespace is associated with zero or more workloads. A namespace may be associated with a site.

20.1.1.4. Network concept
Copy link

A network is a set of sites joined by links. A Skupper network is also known as an application network or virtual application network (VAN).

A network has one or more sites. Each site belongs to only one network.

Each site in the network can expose services to other sites in the network. In turn, each site in the network can access those exposed services. Each network is meant for one distributed application. This provides isolation from other applications and networks.

20.1.1.6. Access token concept
Copy link

An access token is a short-lived credential used to create a link. An access token contains the URL and secret code of a corresponding access grant.

Access tokens are issued from access grants. A grant issues zero or more tokens. Tokens are redeemed for links.

Access tokens have limited redemptions and limited lifespans. By default, they can be redeemed only once, and they expire 15 minutes after being issued. You can set custom limits by configuring the access grant.

  • A site wishing to accept a link (site 1) creates an access grant.
  • It uses the access grant to issue a corresponding access token and transfers it to a remote site (site 2).
  • Site 2 submits the access token to site 1 for redemption.
  • If the token is valid, site 1 sends site 2 the TLS host, port, and credentials required to create a link to site 1.
20.1.1.7. Listener concept
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched using routing keys.

A site has zero or more listeners. Each listener has an associated connection endpoint and routing key. The connection endpoint exposes a host and port for accepting connections from local clients. The routing key is a string identifier that binds the listener to connectors in remote sites.

On Kubernetes, a listener is implemented as a Service. On Docker, Podman, and Linux, it is a listening socket bound to a local network interface.

Skupper routers forward client connections across the network from listeners to connectors with matching routing keys. The connectors then forward the client connections to the workload servers.

20.1.1.8. Connector concept
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched using routing keys.

A site has zero or more connectors. Each connector has an associated workload and routing key. The workload can be specified as a Kubernetes pod selector or as the host and port of a local network service. The routing key is a string identifier that binds the connector to listeners in remote sites.

On Kubernetes, the workload is usually specified using a pod selector. On Docker, Podman, and Linux, it is specified using a host and port.

Skupper routers forward client connections across the network from listeners to connectors with matching routing keys. The connectors then forward the client connections to the workload servers.

20.1.1.9. Routing key concept
Copy link

A routing key is a string identifier for matching listeners and connectors.

A routing key has zero or more listeners and zero or more connectors. A service is exposed on the application network when it has at least one listener and one connector, matched by routing key.

20.1.1.10. Application concept
Copy link

An application is a set of components that work together. A Skupper network is dedicated to one application.

An application has one or more components.

20.1.1.11. Component concept
Copy link

A component is a logical part of an application. Each component has a set of responsibilities in achieving the goals of the application. Components provide and require interfaces such as REST APIs or database listeners. A component is implemented by workloads.

An application has one or more components. Each component provides and requires zero or more interfaces. Each component is implemented by zero or more workloads.

20.1.2. Skupper resources
Copy link

20.1.2.1. Site resource
Copy link

A site is a place on the network where application workloads are running. Sites are joined by links.

The Site resource is the basis for site configuration. It is the parent of all Skupper resources in its namespace. There can be only one active Site resource per namespace.

Examples

A minimal site: 

apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: east
  namespace: hello-world-east
Copy to Clipboard Toggle word wrap

A site configured to accept links: 

apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: west
  namespace: hello-world-west
spec:
  linkAccess: default
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

linkAccess Type: string

Configure external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

Default
none
Choices:: none
No linking to this site is permitted.
default
Use the default link access for the current platform. On OpenShift, the default is route. For other Kubernetes flavors, the default is loadbalancer.
route
Use an OpenShift route. OpenShift only.
loadbalancer
Use a Kubernetes load balancer.
Updatable
True See also: Link concept, Site linking

ha Type: boolean

Configure the site for high availability (HA). HA sites have two active routers.

Note that Skupper routers are stateless, and they restart after failure. This already provides a high level of availability. Enabling HA goes further and reduces the window of downtime caused by restarts.

Default
False Updatable:: True See also: High availability

defaultIssuer Type: string

The name of a Kubernetes secret containing the signing CA used to generate a certificate from a token. A secret is generated if none is specified.

This issuer is used by AccessGrant and RouterAccess if a specific issuer is not set.

Default
skupper-site-ca
Updatable
True See also: Router TLS, Kubernetes TLS secrets

edge Type: boolean

Configure the site to operate in edge mode. Edge sites cannot accept links from remote sites.

Edge mode can help you scale your network to large numbers of sites. However, for networks with 16 or fewer sites, there is little benefit.

Currently, edge sites cannot also have HA enabled.

Default
False See also: Large networks

serviceAccount Type: string

The name of the Kubernetes service account under which to run the Skupper router. A service account is generated if none is specified.

Default
Generated

See also: Kubernetes service accounts

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

  • routerDataConnections: Set the number of data connections the router uses when linking to other routers. + Default: Computed based on the number of router worker threads. Minimum 2.
  • routerLogging: Set the router logging level. + Default: info. Choices: info, warning, error.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The output resources for this resource have been created.
  • Running: There is at least one router pod running.
  • Resolved: The hostname or IP address for link access is available.
  • Ready: The site is ready for use. All other conditions are true.

See also: Resource status, Kubernetes conditions

defaultIssuer Type: string

The name of the Kubernetes secret containing the active default signing CA.

See also: Router TLS, Kubernetes TLS secrets

endpoints Type: array

An array of connection endpoints. Each item has a name, host, port, and group.

These include connection endpoints for link access.

See also: Link concept, Site linking

20.1.2.3. Listener resource
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched by routing key.

A Listener resource specifies a host and port for accepting connections from local clients. To expose a multi-port service, create multiple listeners with the same host value.

Examples

A listener in site West for the Hello World backend service in site East: 

apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: backend
  namespace: hello-world-west
spec:
  routingKey: backend
  host: backend
  port: 8080
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

routingKey Type: string

The identifier used to route traffic from listeners to connectors. To enable connecting to a service at a remote site, the local listener and the remote connector must have matching routing keys.

Updatable
True See also: Routing key concept

host Type: string

The hostname or IP address of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

port Type: integer

The port of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

exposePodsByName Type: boolean

If true, expose each pod as an individual service.

Default
False See also: Individual pod services

tlsCredentials Type: string

The name of a bundle of TLS certificates used for secure client-to-router communication. The bundle contains the server certificate and key. It optionally includes the trusted client certificate (usually a CA) for mutual TLS.

On Kubernetes, the value is the name of a Secret in the current namespace. On Docker, Podman, and Linux, the value is the name of a directory under input/certs/ in the current namespace.

See also: Application TLS, Kubernetes TLS secrets, System TLS credentials

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

  • observer: Set the protocol observer used to generate traffic metrics. + Default: auto. Choices: auto, none, http1, http2.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

hasMatchingConnector Type: boolean

True if there is at least one connector with a matching routing key (usually in a remote site).

Default
False See also: Routing key concept

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The listener configuration has been applied to the router.
  • Matched: There is at least one connector corresponding to this listener.
  • Ready: The listener is ready to use. All other conditions are true.

See also: Resource status, Kubernetes conditions

20.1.2.4. Connector resource
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched by routing key.

On Kubernetes, a Connector resource has a selector and port for specifying workload pods.

On Docker, Podman, and Linux, a Connector resource has a host and port for specifying a local server. Optionally, Kubernetes can also use a host and port.

Examples

A connector in site East for the Hello World backend service: 

apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: backend
  namespace: hello-world-east
spec:
  routingKey: backend
  selector: app=backend
  port: 8080
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

routingKey Type: string

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Updatable
True See also: Routing key concept

port Type: integer

The port on the target server to connect to.

Updatable
True

selector Type: string

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

On Kubernetes, either selector or host is required.

Updatable
True See also: Kubernetes label selectors

host Type: string

The hostname or IP address of the server. This is an alternative to selector for specifying the target server.

On Kubernetes, either selector or host is required.

On Docker, Podman, or Linux, host is required.

Updatable
True

includeNotReadyPods Type: boolean

If true, include server pods in the NotReady state.

Default
False

exposePodsByName Type: boolean

If true, expose each pod as an individual service.

Default
False See also: Individual pod services

tlsCredentials Type: string

The name of a bundle of TLS certificates used for secure router-to-server communication. The bundle contains the trusted server certificate (usually a CA). It optionally includes a client certificate and key for mutual TLS.

On Kubernetes, the value is the name of a Secret in the current namespace. On Docker, Podman, and Linux, the value is the name of a directory under input/certs/ in the current namespace.

See also: Application TLS, Kubernetes TLS secrets, System TLS credentials

useClientCert Type: boolean

Send the client certificate when connecting in order to enable mutual TLS.

Default
False See also: Application TLS

verifyHostname Type: boolean

If true, require that the hostname of the server connected to matches the hostname in the server’s certificate.

Default
False See also: Application TLS

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

hasMatchingListener Type: boolean

True if there is at least one listener with a matching routing key (usually in a remote site).

Default
False See also: Routing key concept

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The connector configuration has been applied to the router.
  • Matched: There is at least one listener corresponding to this connector.
  • Ready: The connector is ready to use. All other conditions are true.
20.1.2.5. Site resource
Copy link

selectedPods Type: array

A site is a place on the network where application workloads are running. Sites are joined by links.

The Site resource is the basis for site configuration. It is the parent of all Skupper resources in its namespace. There can be only one active Site resource per namespace.

Examples

A minimal site: 

apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: east
  namespace: hello-world-east
Copy to Clipboard Toggle word wrap

A site configured to accept links: 

apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: west
  namespace: hello-world-west
spec:
  linkAccess: default
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

linkAccess Type: string

Configure external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

Default
none
Choices:: none
No linking to this site is permitted.
default
Use the default link access for the current platform. On OpenShift, the default is route. For other Kubernetes flavors, the default is loadbalancer.
route
Use an OpenShift route. OpenShift only.
loadbalancer
Use a Kubernetes load balancer.
Updatable
True See also: Link concept, Site linking

ha Type: boolean

Configure the site for high availability (HA). HA sites have two active routers.

Note that Skupper routers are stateless, and they restart after failure. This already provides a high level of availability. Enabling HA goes further and reduces the window of downtime caused by restarts.

Default
False Updatable:: True See also: High availability

defaultIssuer Type: string

The name of a Kubernetes secret containing the signing CA used to generate a certificate from a token. A secret is generated if none is specified.

This issuer is used by AccessGrant and RouterAccess if a specific issuer is not set.

Default
skupper-site-ca
Updatable
True See also: Router TLS, Kubernetes TLS secrets

edge Type: boolean

Configure the site to operate in edge mode. Edge sites cannot accept links from remote sites.

Edge mode can help you scale your network to large numbers of sites. However, for networks with 16 or fewer sites, there is little benefit.

Currently, edge sites cannot also have HA enabled.

Default
False See also: Large networks

serviceAccount Type: string

The name of the Kubernetes service account under which to run the Skupper router. A service account is generated if none is specified.

Default
Generated

See also: Kubernetes service accounts

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

  • routerDataConnections: Set the number of data connections the router uses when linking to other routers. + Default: Computed based on the number of router worker threads. Minimum 2.
  • routerLogging: Set the router logging level. + Default: info. Choices: info, warning, error.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The output resources for this resource have been created.
  • Running: There is at least one router pod running.
  • Resolved: The hostname or IP address for link access is available.
  • Ready: The site is ready for use. All other conditions are true.

See also: Resource status, Kubernetes conditions

defaultIssuer Type: string

The name of the Kubernetes secret containing the active default signing CA.

See also: Router TLS, Kubernetes TLS secrets

endpoints Type: array

An array of connection endpoints. Each item has a name, host, port, and group.

These include connection endpoints for link access.

See also: Link concept, Site linking

20.1.2.7. AccessGrant resource
Copy link

Permission to redeem access tokens for links to the local site. A remote site can use a token containing the grant URL and secret code to obtain a certificate signed by the grant’s certificate authority (CA), within a certain expiration window and for a limited number of redemptions.

The code, url, and ca properties of the resource status are used to generate access tokens from the grant.

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

redemptionsAllowed Type: integer

The number of times an access token for this grant can be redeemed.

Default
1

expirationWindow Type: string (duration)

The period of time in which an access token for this grant can be redeemed.

Default
15m

code Type: string

The secret code to use to authenticate access tokens submitted for redemption.

If not set, a value is generated and placed in the code status property.

issuer Type: string

The name of a Kubernetes secret used to generate a certificate when redeeming a token for this grant.

If not set, defaultIssuer on the Site rsource is used.

See also: Router TLS, Kubernetes TLS secrets

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

redemptions Type: integer

The number of times a token for this grant has been redeemed.

expirationTime Type: string (date-time)

The point in time when the grant expires.

url Type: string

The URL of the token-redemption service for this grant.

ca Type: string

The trusted server certificate of the token-redemption service for this grant.

code Type: string

The secret code used to authenticate access tokens submitted for redemption.

Default
Generated

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Processed: The controller has accepted the grant.
  • Resolved: The grant service is available to process tokens for this grant.
  • Ready: The grant is ready to use. All other conditions are true.

See also: Resource status, Kubernetes conditions

20.1.2.8. AccessToken resource
Copy link

A short-lived credential used to create a link. An access token contains the URL and secret code of a corresponding access grant.

Note

Access tokens are often issued and redeemed using the Skupper CLI.

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

url Type: string

The URL of the grant service at the remote site.

code Type: string

The secret code used to authenticate the token when submitted for redemption.

ca Type: string

The trusted server certificate of the grant service at the remote site.

linkCost Type: integer

The link cost to use when creating the link.

Default
1 See also: Load balancing

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

redeemed Type: boolean

True if the token has been redeemed. Once a token is redeemed, it cannot be used again.

Default
False

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Redeemed: The token has been exchanged for a link.

See also: Resource status, Kubernetes conditions

20.1.2.9. Listener resource
Copy link

A listener binds a local connection endpoint to connectors in remote sites. Listeners and connectors are matched by routing key.

A Listener resource specifies a host and port for accepting connections from local clients. To expose a multi-port service, create multiple listeners with the same host value.

Examples

A listener in site West for the Hello World backend service in site East: 

apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: backend
  namespace: hello-world-west
spec:
  routingKey: backend
  host: backend
  port: 8080
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

routingKey Type: string

The identifier used to route traffic from listeners to connectors. To enable connecting to a service at a remote site, the local listener and the remote connector must have matching routing keys.

Updatable
True See also: Routing key concept

host Type: string

The hostname or IP address of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

port Type: integer

The port of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

exposePodsByName Type: boolean

If true, expose each pod as an individual service.

Default
False See also: Individual pod services

tlsCredentials Type: string

The name of a bundle of TLS certificates used for secure client-to-router communication. The bundle contains the server certificate and key. It optionally includes the trusted client certificate (usually a CA) for mutual TLS.

On Kubernetes, the value is the name of a Secret in the current namespace. On Docker, Podman, and Linux, the value is the name of a directory under input/certs/ in the current namespace.

See also: Application TLS, Kubernetes TLS secrets, System TLS credentials

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

  • observer: Set the protocol observer used to generate traffic metrics. + Default: auto. Choices: auto, none, http1, http2.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

hasMatchingConnector Type: boolean

True if there is at least one connector with a matching routing key (usually in a remote site).

Default
False See also: Routing key concept

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The listener configuration has been applied to the router.
  • Matched: There is at least one connector corresponding to this listener.
  • Ready: The listener is ready to use. All other conditions are true.

See also: Resource status, Kubernetes conditions

20.1.2.10. Connector resource
Copy link

A connector binds a local workload to listeners in remote sites. Listeners and connectors are matched by routing key.

On Kubernetes, a Connector resource has a selector and port for specifying workload pods.

On Docker, Podman, and Linux, a Connector resource has a host and port for specifying a local server. Optionally, Kubernetes can also use a host and port.

Examples

A connector in site East for the Hello World backend service: 

apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: backend
  namespace: hello-world-east
spec:
  routingKey: backend
  selector: app=backend
  port: 8080
Copy to Clipboard Toggle word wrap

name Type: string

The name of the resource.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

routingKey Type: string

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Updatable
True See also: Routing key concept

port Type: integer

The port on the target server to connect to.

Updatable
True

selector Type: string

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

On Kubernetes, either selector or host is required.

Updatable
True See also: Kubernetes label selectors

host Type: string

The hostname or IP address of the server. This is an alternative to selector for specifying the target server.

On Kubernetes, either selector or host is required.

On Docker, Podman, or Linux, host is required.

Updatable
True

includeNotReadyPods Type: boolean

If true, include server pods in the NotReady state.

Default
False

exposePodsByName Type: boolean

If true, expose each pod as an individual service.

Default
False See also: Individual pod services

tlsCredentials Type: string

The name of a bundle of TLS certificates used for secure router-to-server communication. The bundle contains the trusted server certificate (usually a CA). It optionally includes a client certificate and key for mutual TLS.

On Kubernetes, the value is the name of a Secret in the current namespace. On Docker, Podman, and Linux, the value is the name of a directory under input/certs/ in the current namespace.

See also: Application TLS, Kubernetes TLS secrets, System TLS credentials

useClientCert Type: boolean

Send the client certificate when connecting in order to enable mutual TLS.

Default
False See also: Application TLS

verifyHostname Type: boolean

If true, require that the hostname of the server connected to matches the hostname in the server’s certificate.

Default
False See also: Application TLS

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

message Type: string

A human-readable status message. Error messages are reported here.

See also: Resource status

hasMatchingListener Type: boolean

True if there is at least one listener with a matching routing key (usually in a remote site).

Default
False See also: Routing key concept

conditions Type: array

A set of named conditions describing the current state of the resource.

  • Configured: The connector configuration has been applied to the router.
  • Matched: There is at least one listener corresponding to this connector.
  • Ready: The connector is ready to use. All other conditions are true.
20.1.2.11. AttachedConnector resource
Copy link

selectedPods Type: array

A connector in a peer namespace.

name Type: string

The name of the resource.

The name must be the same as that of the associated AttachedConnectorBinding resource in the site namespace.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

siteNamespace Type: string

The name of the namespace in which the site this connector should be attached to is defined.

port Type: integer

The port on the target server to connect to.

Updatable
True

selector Type: string

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

On Kubernetes, either selector or host is required.

Updatable
True See also: Kubernetes label selectors

includeNotReadyPods Type: boolean

If true, include server pods in the NotReady state.

Default
False

tlsCredentials Type: string

The name of a bundle of TLS certificates used for secure router-to-server communication. The bundle contains the trusted server certificate (usually a CA). It optionally includes a client certificate and key for mutual TLS.

On Kubernetes, the value is the name of a Secret in the current namespace. On Docker, Podman, and Linux, the value is the name of a directory under input/certs/ in the current namespace.

See also: Application TLS, Kubernetes TLS secrets, System TLS credentials

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

conditions Type: array

A set of named conditions describing the current state of the resource.

See also: Resource status, Kubernetes conditions

20.1.2.12. AttachedConnectorBinding resource
Copy link

selectedPods Type: array

A binding to an attached connector in a peer namespace.

name Type: string

The name of the resource.

The name must be the same as that of the associated AttachedConnector resource in the connector namespace.

See also: Kubernetes object names

namespace Type: string

The namespace of the resource.

See also: Platform concept, Kubernetes namespaces, System namespaces

connectorNamespace Type: string

The name of the namespace where the associated AttachedConnector is located.

routingKey Type: string

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Updatable
True See also: Routing key concept

exposePodsByName Type: boolean

If true, expose each pod as an individual service.

Default
False See also: Individual pod services

settings Type: object

A map containing additional settings. Each map entry has a string name and a string value.

Note

In general, we recommend not changing settings from their default values.

See also: Resource settings

status Type: string

The current state of the resource.

  • Pending: The resource is being processed.
  • Error: There was an error processing the resource. See message for more information.
  • Ready: The resource is ready to use.

See also: Resource status

hasMatchingListener Type: boolean

True if there is at least one listener with a matching routing key (usually in a remote site).

Default
False See also: Routing key concept

conditions Type: array

A set of named conditions describing the current state of the resource.

See also: Resource status, Kubernetes conditions

20.1.3. Skupper commands
Copy link

20.1.4. CLI Group: Site operations
Copy link

20.1.4.1. Using Site
Copy link
20.1.4.1.1. Site command
Copy link
skupper site [subcommand] [options]
Copy to Clipboard Toggle word wrap
Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Expand
Table 20.1. Subcommands
CommandDescription

Site create

Create a site

Site update

Change site settings

Site delete

Delete a site

Site status

Display the status of a site

Site generate

Generate a Site resource

20.1.4.1.2. Site create command
Copy link
skupper site create <name> [options]
Copy to Clipboard Toggle word wrap

Create a site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Ready

Examples

# Create a site
$ skupper site create west
Waiting for status...
Site "west" is ready.

# Create a site that can accept links from remote sites
$ skupper site create west --enable-link-access
Copy to Clipboard Toggle word wrap

Primary options

<name> required

A name of your choice for the Skupper site. This name is displayed in the console and CLI output.

See also: Kubernetes object names

--enable-link-access frequently used

Allow external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

See also: Link concept, Site linking

--link-access-type

Configure external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

Default
default
Choices:: default
Use the default link access. On OpenShift, the default is route. For other Kubernetes flavors, the default is loadbalancer.
route
Use an OpenShift route. OpenShift only.
loadbalancer
Use a Kubernetes load balancer. Kubernetes only.
Platforms:: Kubernetes Updatable
True See also: Site linking

--enable-ha

Configure the site for high availability (HA). HA sites have two active routers.

Note that Skupper routers are stateless, and they restart after failure. This already provides a high level of availability. Enabling HA goes further and reduces the window of downtime caused by restarts.

Default
False Platforms:: Kubernetes Updatable:: True See also: High availability

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait.
configured
Wait until the configuration is applied.
ready
Wait until the resource is ready to use.
Platforms
Kubernetes See also: Resource status

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

Errors

  • A site resource already exists

    There is already a site resource defined for the namespace.

20.1.4.1.3. Site update command
Copy link
skupper site update [name] [options]
Copy to Clipboard Toggle word wrap

Change site settings.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Ready

Examples

# Update the current site to accept links
$ skupper site update --enable-link-access
Waiting for status...
Site "west" is ready.

# Update multiple settings
$ skupper site update --enable-link-access --enable-ha
Copy to Clipboard Toggle word wrap

Primary options

[name] optional

The name of the site resource.

If not specified, the name is that of the site associated with the current namespace.

See also: Kubernetes object names

--enable-link-access frequently used

Allow external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

See also: Link concept, Site linking

--link-access-type

Configure external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

Default
default
Choices:: default
Use the default link access. On OpenShift, the default is route. For other Kubernetes flavors, the default is loadbalancer.
route
Use an OpenShift route. OpenShift only.
loadbalancer
Use a Kubernetes load balancer. Kubernetes only.
Platforms:: Kubernetes Updatable
True See also: Site linking

--enable-ha

Configure the site for high availability (HA). HA sites have two active routers.

Note that Skupper routers are stateless, and they restart after failure. This already provides a high level of availability. Enabling HA goes further and reduces the window of downtime caused by restarts.

Default
False Platforms:: Kubernetes Updatable:: True See also: High availability

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait
configured
Configured
ready
Ready
Platforms
Kubernetes See also: Resource status

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

Errors

  • No site resource exists

    There is no existing Skupper site resource to update.

20.1.4.1.4. Site delete command
Copy link
skupper site delete [name] [options]
Copy to Clipboard Toggle word wrap

Delete a site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Deletion

Examples

# Delete the current site
$ skupper site delete
Waiting for deletion...
Site "west" is deleted.

# Delete the current site and all of its associated Skupper resources
$ skupper site delete --all
Copy to Clipboard Toggle word wrap

Primary options

[name] optional

The name of the site resource.

If not specified, the name is that of the site associated with the current namespace.

See also: Kubernetes object names

--all frequently used

In addition the site resource, delete all of the Skupper resources associated with the site in the current namespace.

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

--wait

Wait for deletion to complete before exiting.

Default
true Platforms:: Kubernetes

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

Errors

  • No site resource exists

    There is no existing Skupper site resource to delete.

20.1.4.1.5. Site status command
Copy link
skupper site status [name] [options]
Copy to Clipboard Toggle word wrap

Display the status of a site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Show the status of the current site
$ skupper site status
Name:      west
Status:    Ready
Message:   -
Copy to Clipboard Toggle word wrap

Primary options

[name] optional

The name of the site resource.

If not specified, the name is that of the site associated with the current namespace.

See also: Kubernetes object names

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

--output

Print status to the console in a structured output format.

Choices
json:: Produce JSON output
yaml
Produce YAML output

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.4.1.6. Site generate command
Copy link
skupper site generate <name> [options]
Copy to Clipboard Toggle word wrap

Generate a Site resource.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Generate a Site resource and print it to the console
$ skupper site generate west --enable-link-access
apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: west
spec:
  linkAccess: default

# Generate a Site resource and direct the output to a file
$ skupper site generate east > east.yaml
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be generated.

See also: Kubernetes object names

--enable-link-access frequently used

Allow external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

See also: Link concept, Site linking

--output

Select the output format.

Default
yaml
Choices:: json
Produce JSON output
yaml
Produce YAML output

--link-access-type

Configure external access for links from remote sites.

Sites and links are the basis for creating application networks. In a simple two-site network, at least one of the sites must have link access enabled.

Default
default
Choices:: default
Use the default link access. On OpenShift, the default is route. For other Kubernetes flavors, the default is loadbalancer.
route
Use an OpenShift route. OpenShift only.
loadbalancer
Use a Kubernetes load balancer. Kubernetes only.
Platforms:: Kubernetes Updatable
True See also: Site linking

--enable-ha

Configure the site for high availability (HA). HA sites have two active routers.

Note that Skupper routers are stateless, and they restart after failure. This already provides a high level of availability. Enabling HA goes further and reduces the window of downtime caused by restarts.

Default
False Platforms:: Kubernetes Updatable:: True See also: High availability

Global options

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.5. CLI Group: Site linking
Copy link

20.1.5.1. Using Token
Copy link
20.1.5.1.1. Token command
Copy link
skupper token [subcommand] [options]
Copy to Clipboard Toggle word wrap
Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Expand
Table 20.2. Subcommands
CommandDescription

Token issue

Issue a token file redeemable for a link to the current site

Token redeem

Redeem a token file in order to create a link to a remote site

20.1.5.1.2. Token issue command
Copy link
skupper token issue <file> [options]
Copy to Clipboard Toggle word wrap

Issue a token file redeemable for a link to the current site.

This command first creates an access grant in order to issue the token.

Issuing a token requires a site with link access enabled. The command waits for the site to enter the ready state before producing the token.

Expand
FieldValue

Platforms

Kubernetes

Waits for

Ready

Examples

# Issue an access token
$ skupper token issue ~/token.yaml
Waiting for status...
Access grant "west-6bfn6" is ready.
Token file /home/fritz/token.yaml created.

Transfer this file to a remote site. At the remote site,
create a link to this site using the 'skupper token
redeem' command:

    $ skupper token redeem <file>

The token expires after 1 use or after 15 minutes.

# Issue an access token with non-default limits
$ skupper token issue ~/token.yaml --expiration-window 24h --redemptions-allowed 3

# Issue a token using an existing access grant
$ skupper token issue ~/token.yaml --grant west-1
Copy to Clipboard Toggle word wrap

Primary options

<file> required

The name of the token file to create.

Platforms
Kubernetes, Docker, Podman, Linux

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes, Docker, Podman, Linux

--expiration-window

The period of time in which an access token for this grant can be redeemed.

Default
15m
Platforms
Kubernetes, Docker, Podman, Linux

--redemptions-allowed

The number of times an access token for this grant can be redeemed.

Default
1 Platforms:: Kubernetes, Docker, Podman, Linux

--grant advanced

Use the named access grant instead of creating a new one.

Platforms
Kubernetes, Docker, Podman, Linux

Global options

--context global

Set the kubeconfig context.

See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

Platforms
Kubernetes, Docker, Podman, Linux See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux
Platforms
Kubernetes, Docker, Podman, Linux See also: Platform concept

--help global

Display help and exit.

Platforms
Kubernetes, Docker, Podman, Linux

Errors

  • Link access is not enabled

    Link access at this site is not currently enabled. You can use "skupper site update --enable-link-access" to enable it.

20.1.5.1.3. Token redeem command
Copy link
skupper token redeem <file> [options]
Copy to Clipboard Toggle word wrap

Redeem a token file in order to create a link to a remote site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Redeem an access token
$ skupper token redeem ~/token.yaml
Waiting for status...
Link "west-6bfn6" is active.
You can now safely delete /home/fritz/token.yaml.
Copy to Clipboard Toggle word wrap

Primary options

<file> required

The name of the token file to use.

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s

--link-cost

The link cost to use when creating the link.

Default
1 See also: Load balancing

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6. CLI Group: Service exposure
Copy link

20.1.6.1. Using Listener
Copy link
20.1.6.1.1. Listener command
Copy link
skupper listener [subcommand] [options]
Copy to Clipboard Toggle word wrap
Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Expand
Table 20.4. Subcommands
CommandDescription

Listener create

Create a listener

Listener update

Update a listener

Listener delete

Delete a listener

Listener status

Display the status of listeners in the current site

Listener generate

Generate a Listener resource

20.1.6.1.2. Listener create command
Copy link
skupper listener create <name> <port> [options]
Copy to Clipboard Toggle word wrap

Create a listener.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Configured

Examples

# Create a listener for a database
$ skupper listener create database 5432
Waiting for status...
Listener "database" is configured.

# Set the routing key and host explicitly
$ skupper listener create backend 8080 --routing-key be1 --host apiserver
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be created.

The name is the default routing key and host if the --routing-key and --host options are not specified.

See also: Kubernetes object names

<port> required

The port of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To enable connecting to a service at a remote site, the local listener and the remote connector must have matching routing keys.

Default
Value of name
Updatable
True

--host frequently used

The hostname or IP address of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Default
Value of name
Updatable
True

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait.
configured
Wait until the configuration is applied.
ready
Wait until the resource is ready to use.
Platforms
Kubernetes See also: Resource status

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.1.3. Listener update command
Copy link
skupper listener update <name> [options]
Copy to Clipboard Toggle word wrap

Update a listener.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Configured

Examples

# Change the host and port
$ skupper listener update database --host mysql --port 3306
Waiting for status...
Listener "database" is configured.

# Change the routing key
$ skupper listener update backend --routing-key be2
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be updated.

See also: Kubernetes object names

--host frequently used

The hostname or IP address of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Default
Value of name
Updatable
True

--port frequently used

The port of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To enable connecting to a service at a remote site, the local listener and the remote connector must have matching routing keys.

Default
Value of name
Updatable
True

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait
configured
Configured
ready
Ready
Platforms
Kubernetes See also: Resource status

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.1.4. Listener delete command
Copy link
skupper listener delete <name> [options]
Copy to Clipboard Toggle word wrap

Delete a listener.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Deletion

Examples

# Delete a listener
$ skupper listener delete database
Waiting for deletion...
Listener "database" is deleted.
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be deleted.

See also: Kubernetes object names

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

--wait

Wait for deletion to complete before exiting.

Default
true Platforms:: Kubernetes

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.1.5. Listener status command
Copy link
skupper listener status [name] [options]
Copy to Clipboard Toggle word wrap

Display the status of listeners in the current site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Show the status of all listeners in the current site
$ skupper listener status
NAME       STATUS   ROUTING-KEY   HOST       PORT   CONNECTORS
backend    Ready    backend       backend    8080   true
database   Ready    database      database   5432   true

# Show the status of one listener
$ skupper listener status backend
Name:                      backend
Status:                    Ready
Message:                   <none>
Routing key:               backend
Host:                      backend
Port:                      8080
Has matching connectors:   true
Copy to Clipboard Toggle word wrap

Primary options

[name] optional

An optional resource name. If set, the status command reports status for the named resource only.

See also: Kubernetes object names

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

--output

Print status to the console in a structured output format.

Choices
json:: Produce JSON output
yaml
Produce YAML output

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.1.6. Listener generate command
Copy link
skupper listener generate <name> <port> [options]
Copy to Clipboard Toggle word wrap

Generate a Listener resource.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Generate a Listener resource and print it to the console
$ skupper listener generate backend 8080
apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: backend
spec:
  routingKey: backend
  port: 8080
  host: backend

# Generate a Listener resource and direct the output to a file
$ skupper listener generate backend 8080 > backend.yaml
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be generated.

See also: Kubernetes object names

<port> required

The port of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To enable connecting to a service at a remote site, the local listener and the remote connector must have matching routing keys.

Default
Value of name
Updatable
True

--host frequently used

The hostname or IP address of the local listener. Clients at this site use the listener host and port to establish connections to the remote service.

Default
Value of name
Updatable
True

--wait

Wait for the given status before exiting.

Default
configured
Choices:: none
Do not wait
configured
Configured
ready
Ready

--output

Select the output format.

Default
yaml
Choices:: json
Produce JSON output
yaml
Produce YAML output

Global options

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.2. Using Connector
Copy link
20.1.6.2.1. Connector command
Copy link
skupper connector [subcommand] [options]
Copy to Clipboard Toggle word wrap
Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Expand
Table 20.5. Subcommands
CommandDescription

Connector create

Create a connector

Connector update

Update a connector

Connector delete

Delete a connector

Connector status

Display the status of connectors in the current site

Connector generate

Generate a Connector resource

20.1.6.2.2. Connector create command
Copy link
skupper connector create <name> <port> [options]
Copy to Clipboard Toggle word wrap

Create a connector.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Configured

Examples

# Create a connector for a database
$ skupper connector create database 5432
Waiting for status...
Connector "database" is configured.

# Set the routing key and selector explicitly
$ skupper connector create backend 8080 --routing-key be1 --selector app=be1

# Use the workload option to select pods
$ skupper connector create backend 8080 --workload deployment/backend
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be created.

The name is the default routing key if the --routing-key option is not specified. On Kubernetes, the name defines the default pod selector if the --selector and --workload options are not specified.

See also: Kubernetes object names

<port> required

The port on the target server to connect to.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Default
Value of name
Updatable
True

--workload frequently used

A Kubernetes resource name that identifies a workload. It uses <resource-type>/<resource-name> syntax and resolves to an equivalent pod selector.

This is an alternative to setting the --selector or --host options.

Platforms
Kubernetes See also: Kubernetes workloads

--selector

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

This is an alternative to setting the --workload or --host options.

Default
app=[value-of-name]
Platforms:: Kubernetes Updatable
True See also: Kubernetes label selectors

--host

The hostname or IP address of the server. This is an alternative to selector for specifying the target server.

This is an alternative to setting the --selector or --workload options.

Default
On Kubernetes: Value of name + On Docker, Podman, and Linux: localhost
Updatable
True

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait.
configured
Wait until the configuration is applied.
ready
Wait until the resource is ready to use.
Platforms
Kubernetes See also: Resource status

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.2.3. Connector update command
Copy link
skupper connector update <name> <port> [options]
Copy to Clipboard Toggle word wrap

Update a connector.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Configured

Examples

# Change the workload and port
$ skupper connector update database --workload deployment/mysql --port 3306
Waiting for status...
Connector "database" is configured.

# Change the routing key
$ skupper connector update backend --routing-key be2
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be updated.

See also: Kubernetes object names

<port> required

The port on the target server to connect to.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Default
Value of name
Updatable
True

--workload frequently used

A Kubernetes resource name that identifies a workload. It uses <resource-type>/<resource-name> syntax and resolves to an equivalent pod selector.

This is an alternative to setting the --selector or --host options.

Platforms
Kubernetes See also: Kubernetes workloads

--selector

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

This is an alternative to setting the --workload or --host options.

Default
app=[value-of-name]
Platforms:: Kubernetes Updatable
True See also: Kubernetes label selectors

--host

The hostname or IP address of the server. This is an alternative to selector for specifying the target server.

This is an alternative to setting the --selector or --workload options.

Default
On Kubernetes: Value of name + On Docker, Podman, and Linux: localhost
Updatable
True

--wait

Wait for the given status before exiting.

Default
ready
Choices:: none
Do not wait
configured
Configured
ready
Ready
Platforms
Kubernetes See also: Resource status

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.2.4. Connector delete command
Copy link
skupper connector delete <name> [options]
Copy to Clipboard Toggle word wrap

Delete a connector.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Waits for

Deletion

Examples

# Delete a connector
$ skupper connector delete database
Waiting for deletion...
Connector "database" is deleted.
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be deleted.

See also: Kubernetes object names

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes

--wait

Wait for deletion to complete before exiting.

Default
true Platforms:: Kubernetes

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.2.5. Connector status command
Copy link
skupper connector status [name] [options]
Copy to Clipboard Toggle word wrap

Display the status of connectors in the current site.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Show the status of all connectors in the current site
$ skupper connector status
NAME       STATUS   ROUTING-KEY   SELECTOR         HOST     PORT   LISTENERS
backend    Ready    backend       app=backend      <none>   8080   true
database   Ready    database      app=postgresql   <none>   5432   true

# Show the status of one connector
$ skupper connector status backend
Name:                     backend
Status:                   Ready
Message:                  <none>
Routing key:              backend
Selector:                 app=backend
Host:                     <none>
Port:                     8080
Has matching listeners:   1
Copy to Clipboard Toggle word wrap

Primary options

[name] optional

An optional resource name. If set, the status command reports status for the named resource only.

See also: Kubernetes object names

--timeout

Raise an error if the operation does not complete in the given period of time.

Default
60s
Platforms
Kubernetes See also: Duration format

--output

Print status to the console in a structured output format.

Choices
json:: Produce JSON output
yaml
Produce YAML output

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.6.2.6. Connector generate command
Copy link
skupper connector generate <name> <port> [options]
Copy to Clipboard Toggle word wrap

Generate a Connector resource.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Generate a Connector resource and print it to the console
$ skupper connector generate backend 8080
apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: backend
spec:
  routingKey: backend
  port: 8080
  selector: app=backend

# Generate a Connector resource and direct the output to a file
$ skupper connector generate backend 8080 > backend.yaml
Copy to Clipboard Toggle word wrap

Primary options

<name> required

The name of the resource to be generated.

See also: Kubernetes object names

<port> required

The port on the target server to connect to.

Updatable
True

--routing-key frequently used

The identifier used to route traffic from listeners to connectors. To expose a local workload to a remote site, the remote listener and the local connector must have matching routing keys.

Default
Value of name
Updatable
True

--workload frequently used

A Kubernetes resource name that identifies a workload. It uses <resource-type>/<resource-name> syntax and resolves to an equivalent pod selector.

This is an alternative to setting the --selector or --host options.

Platforms
Kubernetes See also: Kubernetes workloads

--selector

A Kubernetes label selector for specifying target server pods. It uses <label-name>=<label-value> syntax.

This is an alternative to setting the --workload or --host options.

Default
app=[value-of-name]
Platforms:: Kubernetes Updatable
True See also: Kubernetes label selectors

--host

The hostname or IP address of the server. This is an alternative to selector for specifying the target server.

This is an alternative to setting the --selector or --workload options.

Default
On Kubernetes: Value of name + On Docker, Podman, and Linux: localhost
Updatable
True

--wait

Wait for the given status before exiting.

Default
configured
Choices:: none
Do not wait
configured
Configured
ready
Ready

--output

Select the output format.

Default
yaml
Choices:: json
Produce JSON output
yaml
Produce YAML output

Global options

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

20.1.7. CLI Group: Other operations
Copy link

20.1.7.1. Using Version
Copy link
20.1.7.1.1. Version command
Copy link
skupper version [options]
Copy to Clipboard Toggle word wrap

Display versions of Skupper components.

Expand
FieldValue

Platforms

Kubernetes, Docker, Podman, Linux

Examples

# Show component versions
$ skupper version
COMPONENT          VERSION
cli                2.0.0
controller         2.0.0
router             3.0.0

# Show version details in YAML format
$ skupper version --output yaml
components:
  cli:
    version: 2.0.0
  controller:
    version: 2.0.0
    images:
      controller:
        name: quay.io/skupper/controller:2.0.0
        digest: sha256:663d97f86ff3fcce27a3842cd2b3a8e32af791598a46d815c07b0aec07505f55
  router:
    version: 3.0.0
    images:
      router:
        name: quay.io/skupper/router:3.0.0
        digest: sha256:dc5e27385a1e110dd2db1903ba7ec3e0d50b57f742aa02d7dd0a7b1b68c34394
      kube-adaptor:
        name: quay.io/skupper/kube-adaptor:2.0.0
        digest: sha256:4dc24bb3d605ed3fcec2f8ef7d45ca883d9d87b278bfedd5fcca74281d617a5e
Copy to Clipboard Toggle word wrap

Primary options

--output

Produce verbose structured output.

Choices
json:: Produce JSON output
yaml
Produce YAML output

Global options

--context global

Set the kubeconfig context.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--kubeconfig global

Set the path to the kubeconfig file.

Platforms
Kubernetes See also: Kubernetes kubeconfigs

--namespace global

Set the current namespace.

See also: Kubernetes namespaces, System namespaces

--platform global

Set the Skupper platform.

Default
kubernetes
Choices:: kubernetes
Kubernetes
docker
Docker
podman
Podman
linux
Linux

See also: Platform concept

--help global

Display help and exit.

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat