inlets-connect is a proxy that supports the HTTP CONNECT method to initiate a TCP connection over HTTP. It can be deployed as a stand-alone binary, a container, or as a side-car.

It's designed to allow access to a single, predefined address using TCP pass-through, without any decryption or MITM.

The reason inlets-connect was made was to make it easier to proxy the Kubernetes API server through inlets Pro TCP tunnels, where the TLS SAN name of the API server is fixed to kubernetes.default.svc for instance. This tool means that the API server can be accessed remotely from kubectl, ArgoCD and other tooling without resorting to TLS Insecure Verify, which is an anti-pattern.

For usage on Kubernetes, see: artifacts

go build && ./inlets-connect --upstream 192.168.0.15:443 --port 3128
curl https://192.168.0.15 -x https://127.0.0.1:3128

Assuming that you want to proxy to https://192.168.0.15, you can start a HTTPS proxy and then use curl to access it.

This example allows the proxy running on 127.0.0.1:3128 to accept a CONNECT request and forward traffic to the --upstream i.e. 192.168.0.15:443.

From within Kubernetes, the --upstream is likely to be kubernetes.default.svc and the proxy is likely to be run in a Pod.

Set the server as the upstream and the proxy-url as the endpoint for kubectl to talk to inlets-connect itself.

- cluster:
    certificate-authority-data: ...
    server: https://kubernetes.svc.default:443
    proxy-url: https://127.0.0.1:3128
  name: openshift-regulated-customer

Then use kubectl / helm / arkade as per usual.

Run the proxy with an allowed upstream of kubernetes:443

$ docker run -p 3128:3128 \
    -ti ghcr.io/alexellis/inlets-connect:latest -port 3128 -upstream ghost:443
2021/04/15 10:48:49 Version: 0.0.2      Commit: 3ec88704b162263511b46f33ee23f1c72f773d56
2021/04/15 10:48:49 Listening on 3128, allowed upstream: ghost:443

Then access an endpoint local to the proxy i.e. https://ghost via the proxy using curl -x https://proxy:port

curl https://ghost -x https://127.0.0.1:3128