Domain and TLS Configuration
Overview
Purpose
- Secure platform access
- Service-to-service communication
- API endpoint security
- User authentication
Requirements
- Registered domain name
- DNS management access
- Ability to create DNS records
- TLS certificate provider
Domain Configuration
- Setup Steps
- Validation
1. Configure Main Domain
- Create an A record pointing to your ingress controller IP
- Example: platform.company.com → 203.0.113.1
2. Add Wildcard Subdomain
- Create a CNAME record for all subdomains
- Pattern: *.platform.company.com → platform.company.com
DNS Resolution Tests
# Check A record
dig +short platform.company.com
# Check CNAME record
dig +short test.platform.company.com
# Verify IP matches ingress
kubectl -n ingress-nginx get svc ingress-nginx-controller \
  -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
TLS Configuration
- Cloudflare (Recommended)
- cert-manager
Quick Setup with Cloudflare
- Add Domain to Cloudflare
  - Transfer DNS management
  - Update nameservers
- Configure SSL/TLS
  - Purchase Advanced Certificate Manager (ACM)
  - Enable Total TLS
  - Set SSL/TLS mode to Full (Strict)
Benefits
- Automatic certificate management
- DDoS protection included
- Easy wildcard certificate support
- Global CDN
Setup with cert-manager
- Install cert-manager
helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
helm upgrade --install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
- Configure DNS Provider
# Create API token secret
kubectl apply -n cert-manager -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>
EOF
- Create ClusterIssuer
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is cluster-scoped, so metadata.namespace does not apply
  name: letsencrypt
spec:
  acme:
    # Replace with a valid address for certificate notifications
    email: <your-email-address>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
EOF
Important
- Use a valid email address for certificate notifications
- Ensure DNS provider API token has sufficient permissions
- Allow time for initial certificate issuance
Information Collection
Required Values for Platform Installation
- Domain name (e.g., platform.company.com)
- Ingress annotations (if using cert-manager: cert-manager.io/cluster-issuer: "letsencrypt")
- TLS secret name for the certificate
- SSL redirect setting (true or false)
Example Configuration
ingress:
  enabled: true
  className: nginx
  host: "platform.company.com"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  tls:
    - secretName: "tls-secret"
      hosts:
        - "platform.company.com"
        - "*.platform.company.com"
deploymentEngine:
  platform:
    domain:
      hostname: "platform.company.com"
  clusterManager:
    domain:
      hostname: "platform.company.com"
  targets:
    - clusters:
        - domains:
            service:
              tls: true
              hostname: "platform.company.com"
          ingress:
            ingressClass: "nginx"
Troubleshooting
DNS Issues
- Not Resolving
  - Verify A record IP
  - Check CNAME configuration
  - Allow DNS propagation (48h max)
- Wrong IP
  - Confirm ingress controller IP
  - Update DNS records
  - Clear local DNS cache
Certificate Issues
- cert-manager
  - Check issuer status
  - Verify DNS01 challenge
  - Review cert-manager logs
- Cloudflare
  - Verify SSL/TLS mode
  - Check certificate status
  - Confirm proxy status
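The example configuration lists both platform.company.com and *.platform.company.com because a wildcard entry covers only one label below the domain, not the domain itself. The script below is an added example, not part of the original guide, for the "check certificate status" step: it reads the subject alternative names served on port 443 and reports any required hostname they do not cover. The function names, the script name and the test.<domain> probe host are assumptions of this example, and it needs an OpenSSL build whose x509 command supports -ext.

```shell
#!/bin/sh
# Added example (not from the guide): SAN coverage check for the platform hostnames.
# san_matches PATTERN HOST: succeeds if one SAN entry covers HOST. A wildcard
# stands for exactly one left-most label, so it never covers the bare domain.
san_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$pattern" = "$host" ]; then return 0; fi
  case "$pattern" in
    \*.*) suffix=${pattern#\*} ;;   # e.g. ".platform.company.com"
    *) return 1 ;;
  esac
  case "$host" in
    *"$suffix") label=${host%"$suffix"} ;;
    *) return 1 ;;
  esac
  case "$label" in
    ''|*.*) return 1 ;;             # nothing, or more than one label, in front
  esac
  return 0
}

# uncovered_hosts "SAN SAN ..." HOST...: prints every HOST that no SAN entry covers.
uncovered_hosts() {
  sans=$1; shift
  set -f                            # keep "*" in SAN entries from globbing
  for h in "$@"; do
    covered=no
    for s in $sans; do
      if san_matches "$s" "$h"; then covered=yes; break; fi
    done
    if [ "$covered" = no ]; then printf '%s\n' "$h"; fi
  done
  set +f
}

# live_sans HOST: DNS SAN entries of the certificate served for HOST on port 443.
live_sans() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# Run as: sh check-san.sh platform.company.com (script name is hypothetical)
if [ -n "${1:-}" ]; then
  missing=$(uncovered_hosts "$(live_sans "$1")" "$1" "test.$1")
  if [ -n "$missing" ]; then echo "certificate does not cover: $missing" >&2; exit 1; fi
  echo "certificate covers $1 and test.$1"
fi
```

A failed connection yields an empty SAN list, so both hostnames are reported as uncovered and the script exits non-zero.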
Next Steps
- ✅ Verify DNS resolution
- ✅ Confirm TLS certificate issuance
- ➡️ Proceed to OAuth Provider Setup
Need Help?
Contact [email protected] if you encounter any issues.