Declarative Tunnels

Declarative tunnels allow tunnel configuration to be described as desired state. Instead of running rstream forward for each tunnel, a single long-running agent reconciles the desired configuration and keeps tunnels in sync with it.

The declarative entrypoint is rstream run. It supports two sources: a YAML file for explicit tunnel definitions, and Docker container labels for service discovery in containerized environments.

This mode is the right fit when tunnels are part of an application deployment rather than an operator's interactive shell. It keeps tunnel configuration close to the application, supports reconnect and reconciliation, and marks managed tunnels with labels so they can be distinguished from manually created tunnels.

Apply mode and Docker mode

In apply mode, rstream run --apply <path> reads a YAML configuration file, validates it strictly, and reconciles tunnels to match it. This is useful for servers, CI deployments, and environments where tunnel definitions are stored next to application configuration.

In Docker mode, rstream run --docker listens to Docker events and reads labels on running containers to derive tunnels. This is useful when containers already declare their own exposure model and a single rstream agent should publish them.

Both modes support a watch loop. In watch mode, changes to the YAML file or Docker container labels trigger a reconciliation.

Related pages

YAML documents the configuration file format. Docker Labels documents the label schema and provides compose examples. CLI Workflow covers the context and environment resolution model used by rstream run.