Archer is an OpenStack-style API service that privately connects services across OpenStack Networks. Consumers pick a service from a catalog and inject it into their own network — the service becomes reachable through a private IP, without exposing either network to the other.
Archer integrates with OpenStack Keystone for authentication and OpenStack Neutron for network and port management.
Archer exposes two resource types:
- Services — private or public services registered in Archer. They are reached by creating an endpoint.
- Endpoints — IP endpoints in a local network that transparently forward to a service living in another private network.
- Multi-tenant via OpenStack Identity
- OpenStack
policy.jsonaccess policies - Prometheus exporter
- Rate limiting and CORS
- CADF-compatible audit trail
- Sentry error reporting
- OpenStack-style CLI client (
archerctl)
- F5 BigIP — provisioned via the
archer-f5-agent - Network Injection — the
archer-ni-agent, using HAProxy inside Linux network namespaces; works alongsideopenvswitch-agentorlinuxbridge-agent
- PostgreSQL
- OpenStack Keystone
- OpenStack Neutron
| Binary | Description |
|---|---|
archer-server |
REST API server |
archer-f5-agent |
Backend agent for F5 BigIP |
archer-ni-agent |
Network Injection agent (HAProxy in netns) |
archer-migrate |
Database schema migration tool |
archerctl |
CLI client |
Build all of them with make build-all. Run make check to lint, test and build.
archerctl is an OpenStack-style CLI for the Archer API. It honours the standard OpenStack environment variables set by an OpenStack RC file.
# archerctl --help
Usage:
archerctl [OPTIONS] <command>
Application Options:
--debug Show verbose debug information
--os-endpoint= The endpoint that will always be used [$OS_ENDPOINT]
--os-auth-url= Authentication URL [$OS_AUTH_URL]
--os-token= Authentication token [$OS_TOKEN]
--os-password= User's password to use with [$OS_PASSWORD]
--os-username= User's username to use with [$OS_USERNAME]
--os-project-domain-name= Domain name containing project [$OS_PROJECT_DOMAIN_NAME]
--os-project-name= Project name to scope to [$OS_PROJECT_NAME]
--os-region-name= Authentication region name [$OS_REGION_NAME]
--os-user-domain-name= User's domain name [$OS_USER_DOMAIN_NAME]
--os-pw-cmd= Derive user's password from command [$OS_PW_CMD]
Output formatters:
-f, --format=[table|csv|markdown|html|value] The output format, defaults to table (default: table)
-c, --column= specify the column(s) to include, can be repeated to show multiple columns
--sort-column= specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
--long Show all columns in output
--no-color Disable colorized output for tables [$NO_COLOR]
Help Options:
-h, --help Show this help message
Available commands:
endpoint Endpoints
quota Quotas
rbac RBACs
service Services
version Version# archerctl service list
+--------------------------------------+------+------+---------+----------+-----------+-------------------+
| ID | NAME | PORT | ENABLED | PROVIDER | STATUS | AVAILABILITY_ZONE |
+--------------------------------------+------+------+---------+----------+-----------+-------------------+
| 3c8ab870-a409-46f2-b19a-f5672e793705 | test | 80 | true | tenant | AVAILABLE | |
+--------------------------------------+------+------+---------+----------+-----------+-------------------+Table output is colorized by default on interactive terminals to make states easier to scan:
| Color | Values |
|---|---|
| Green | true, enabled, active, available, success, accepted |
| Red | false, disabled, inactive, error, failed, rejected |
| Yellow | pending, processing, waiting |
| Cyan | Headers, status values, names |
| Gray | IDs, project IDs, null values |
Colors are automatically disabled when:
- Output is piped or redirected (e.g.
archerctl service list | less) NO_COLORis set in the environmentTERMisdumb- A non-table format is used (
--format=csv,--format=markdown, …)
To force-disable colors, use --no-color or NO_COLOR=1.
Archer exposes a RESTful HTTP API. The full spec is browsable via Swagger UI.
Requests and responses use JSON. POST requests must set Content-Type: application/json; responses always come back with Content-Type: application/json.
Archer uses OpenStack Keystone. Requests must include a Keystone token in the X-Auth-Token header. Because the project ID is derived from the token, project_id is not required on create requests.
List operations return a bounded number of items. Navigate the collection with URI parameters:
?limit=100&marker=1234&page_reverse=False
marker— the ID of the last item from the previous pagelimit— page size (clamped to the deployment maximum)page_reverse— reverse pagination direction
Responses include atom next and previous links. The final forward page has no next; the final reverse page has no previous. Deployments advertise pagination support through the pagination capability on the API detail endpoint.
Use sort with a comma-separated list of keys, in priority order. Prefix a key with - to sort descending:
?sort=key1,-key2,key3
Sort support is advertised through the sort capability on the API detail endpoint.
Most resources (services, endpoints, …) accept tags. Archer supports four tag filters on list operations:
tags— entities that have all the given tagstags-any— entities that have any of the given tagsnot-tags— entities that do not have all of the given tagsnot-tags-any— entities that do not have any of the given tags
Each tag is limited to 64 characters. Filters can be combined:
?tags=red,blue&tags-any=green,orange
| Code | Meaning |
|---|---|
| 400 | Validation error |
| 401 | Unauthorized |
| 403 | Policy denies the action, or the project is over quota |
| 404 | Resource not found |
| 409 | Conflict |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
This project is open to feature requests, suggestions, and bug reports via GitHub issues. Contributions and feedback are welcome — see our Contribution Guidelines for project structure and how to get involved.
If you find a bug that may be a security problem, please follow our security policy. Do not open GitHub issues for security-related concerns.
We pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by our Code of Conduct.
Copyright 2023-2025 SAP SE or an SAP affiliate company and Archer contributors. See LICENSE for copyright and license information. Detailed third-party component information is available via the REUSE tool.