Linking sites on Kubernetes using the Skupper CLI
Using the Skupper command-line interface (CLI) allows you to create links between sites. The link direction is not significant, and is typically determined by ease of connectivity. For example, if east is behind a firewall, linking from east to west is the easiest option.
Once sites are linked, services can be exposed and consumed across the application network without the need to open ports or manage inter-site connectivity.
Linking sites using a token
A token provides a secure method to link sites. By default, a token can only be used once and must be used within 15 minutes to link sites. This procedure describes how to issue a token from one site and redeem that token on another site to create a link.
Prerequisites
- Two sites
- At least one site with
enable-link-accessenabled.
To link sites, you create a token on one site and redeem that token on the other site to create the link.
Procedure
On the site where you want to issue the token, make sure link access is enabled:
skupper site update --enable-link-accessCreate a token:
skupper token issue <filename>where
<filename>is the name of a YAML file that is saved on your local filesystem.This file contains a key and the location of the site that created it.
📌 NOTE Access to this file provides access to the application network. Protect it appropriately. A token can be restricted by any combination of:
Time - prevents token reuse after a specified period.
For example, to allow a token to be used for 1 hour after it is issued:
skupper token issue build/west.yaml --expiration-window 60mUsage - prevents creating multiple links from a single token.
For example, to allow a token to be used 3 times:
skupper token issue output/west.yaml --redemptions-allowed 3
All inter-site traffic is protected by mutual TLS using a private, dedicated certificate authority (CA). A token is not a certificate, but is securely exchanged for a certificate during the linking process.
Redeem the token on a different site to create a link:
skupper token redeem <filename>where
<filename>is the name of a YAML file that is saved on your local filesystem.Check the status of the link:
skupper link statusYou might need to issue the command multiple times before the link is ready:
$ skupper link status NAME STATUS COST MESSAGE west-12f75bc8-5dda-4256-88f8-9df48150281a Pending 1 Not Operational $ skupper link status NAME STATUS COST MESSAGE west-12f75bc8-5dda-4256-88f8-9df48150281a Ready 1 OKYou can now expose services on the application network.
There are many options to consider when linking sites using the CLI, see [CLI Reference][cli-ref], including frequently used options.
Linking sites using a link resource
An alternative approach to linking sites using tokens is to create a link resource YAML file using the CLI, and to apply that resource to another site.
Prerequisites
- Two sites
- At least one site with
enable-link-accessenabled.
To link sites, you create a link resource YAML file on one site and apply that resource on the other site to create the link.
Procedure
On the site where you want to create a link , make sure link access is enabled:
skupper site update --enable-link-accessCreate a
linkresource YAML file:skupper link generate > <filename>where
<filename>is the name of a YAML file that is saved on your local filesystem.Apply the
linkresource YAML file on a different site to create a link:kubectl apply -f <filename>where
<filename>is the name of a YAML file that is saved on your local filesystem.Check the status of the link:
skupper link statusYou might need to issue the command multiple times before the link is ready:
$ skupper link status NAME STATUS COST MESSAGE west-12f75bc8-5dda-4256-88f8-9df48150281a Pending 1 Not Operational $ skupper link status NAME STATUS COST MESSAGE west-12f75bc8-5dda-4256-88f8-9df48150281a Ready 1 OKYou can now expose services on the application network.
There are many options to consider when linking sites using the CLI, see [CLI Reference][cli-ref], including frequently used options.