Docker Labels

Define declarative tunnels using Docker container labels.


In Docker mode, rstream run --docker watches running containers and derives tunnel configuration from container labels. The model is intentionally similar to other label-driven ingress tools: the application containers declare the desired exposure, and a single agent reconciles tunnels.

Only labels with the rstream.tunnel. prefix are considered. Labels are grouped by tunnel name using the <name>.<key> pattern, and each tunnel group must define a forward label.

When a tunnel omits explicit values, the parser defaults to publish=true and protocol=http.

Compose example

The example below runs the reconciler alongside two services. Each service declares a tunnel through labels.

services:
  rstream:
    image: rstream/rstream:latest
    command: ["rstream","run","--docker"]
    environment:
      RSTREAM_ENGINE: "<engine>"
      RSTREAM_AUTHENTICATION_TOKEN: "<token>"
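    volumes:
      # The agent watches containers through the Docker socket. Access to this
      # socket is equivalent to control of the Docker daemon on the host.
      - /var/run/docker.sock:/var/run/docker.sock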
  api:
    image: my-api:latest
    labels:
      rstream.tunnel.api.forward: "8080"
      rstream.tunnel.api.publish: "true"
      rstream.tunnel.api.protocol: "http"
      rstream.tunnel.api.http.tokenAuth: "true"
  admin:
    image: my-admin:latest
    labels:
      rstream.tunnel.admin.forward: "9000"
      rstream.tunnel.admin.publish: "true"
      rstream.tunnel.admin.protocol: "http"
      rstream.tunnel.admin.auth.rstream: "true"

Label schema

The top-level keys under each tunnel name include forward, publish, protocol, type, host, trusted-ips, geoip, label.<key>, and nested keys under http.*, tls.*, and auth.*. Unknown keys are rejected.

The table below lists the most commonly used label keys.

| Label | Meaning |
| --- | --- |
| rstream.tunnel.<name>.forward | Upstream target as port or host:port. |
| rstream.tunnel.<name>.publish | Whether the tunnel is published. |
| rstream.tunnel.<name>.protocol | Tunnel protocol (http, tls, dtls, quic). |
| rstream.tunnel.<name>.label.<k> | User-defined label attached to the tunnel. |
| rstream.tunnel.<name>.http.version | Upstream HTTP version (http/1.1, h2c, h3). |
| rstream.tunnel.<name>.http.upstreamTLS | Enable TLS between engine and upstream. |
| rstream.tunnel.<name>.http.tokenAuth | Enable token authentication. |
| rstream.tunnel.<name>.auth.rstream | Enable rstream auth. |
| rstream.tunnel.<name>.auth.challenge | Enable challenge mode. |
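
The grouping, default and rejection rules described above can be checked before deployment with a small lint. This is an added example, not rstream's own parser; it also lists published tunnels that enable none of the auth labels from the table. The function names are hypothetical, and it assumes tunnel names contain no dots, that any sub-key under label, http, tls and auth is acceptable, and that "true" in any letter case means enabled.

```python
PREFIX = "rstream.tunnel."
# Top-level keys from the label schema; label/http/tls/auth take sub-keys.
FLAT_KEYS = {"forward", "publish", "protocol", "type", "host", "trusted-ips", "geoip"}
NESTED_KEYS = {"label", "http", "tls", "auth"}
AUTH_KEYS = ("http.tokenAuth", "auth.rstream", "auth.challenge")


def parse_tunnels(labels):
    """Return {tunnel_name: {key: value}} for one container's labels."""
    tunnels = {}
    for label, value in labels.items():
        if not label.startswith(PREFIX):
            continue  # only the rstream.tunnel. prefix is considered
        name, _, key = label[len(PREFIX):].partition(".")
        head, _, sub = key.partition(".")
        ok = (head in FLAT_KEYS and not sub) or (head in NESTED_KEYS and bool(sub))
        if not name or not ok:
            raise ValueError(f"unknown or malformed label: {label}")
        tunnels.setdefault(name, {})[key] = value
    for name, cfg in tunnels.items():
        if "forward" not in cfg:
            raise ValueError(f"tunnel {name!r} has no forward label")
        cfg.setdefault("publish", "true")   # documented default
        cfg.setdefault("protocol", "http")  # documented default
    return tunnels


def published_without_auth(tunnels):
    """Names of published tunnels where none of AUTH_KEYS is set to true."""
    # Assumption: a value of "true" (any letter case) means enabled.
    return sorted(
        name for name, cfg in tunnels.items()
        if cfg["publish"].lower() == "true"
        and not any(cfg.get(k, "").lower() == "true" for k in AUTH_KEYS)
    )


# Constructed sample: the labels of one container, as a plain dict.
SAMPLE = {
    "com.docker.compose.service": "api",
    "rstream.tunnel.api.forward": "8080",
    "rstream.tunnel.api.http.tokenAuth": "true",
    "rstream.tunnel.metrics.forward": "9100",  # relies on publish/protocol defaults
}

if __name__ == "__main__":
    parsed = parse_tunnels(SAMPLE)
    print(parsed, "review before deploy:", published_without_auth(parsed))
```

On the sample, the metrics tunnel is reported because its single forward label leaves it published over http with no auth label set.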