Domain and TLS configuration
Configure domain names and TLS certificates for your self-hosted platform
Overview
Purpose
- Secure platform access
- Service-to-service communication
- API endpoint security
- User authentication
Requirements
- Registered domain name
- DNS management access
- Ability to create DNS records
- TLS certificate provider
Domain configuration
1. Configure Main Domain
   - Create an A record pointing to your ingress controller IP
   - Example: platform.company.com → 203.0.113.1
2. Add Wildcard Subdomain
   - Create a CNAME record for all subdomains
   - Pattern: *.platform.company.com → platform.company.com
DNS Resolution Tests
# Check A record
dig +short platform.company.com
# Check CNAME record
dig +short test.platform.company.com
# Verify IP matches ingress
kubectl -n ingress-nginx get svc ingress-nginx-controller \
  -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
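The three checks above can be combined into one comparison. The following is an added example, not part of the platform's own documentation: it compares what DNS returns for the main domain and a wildcard probe name with the ingress controller's IP. The function names are assumptions; the hostnames and the kubectl query follow this page.

```bash
#!/usr/bin/env bash
# Added example. Function names are assumptions; the hostnames, the "test"
# probe label and the kubectl query are the ones used on this page.

# Keep only IPv4 addresses from `dig +short` output. For a name behind a
# CNAME, dig prints the target (e.g. "platform.company.com.") before the
# address, so non-address lines are dropped.
ips_from_dig() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Succeed only if every resolved address equals the expected ingress IP.
# An empty answer (record missing or not yet propagated) is a failure.
dns_matches() {
  local expected="$1" answer="$2" ips ip
  ips="$(printf '%s\n' "$answer" | ips_from_dig || true)"
  [ -n "$expected" ] && [ -n "$ips" ] || return 1
  for ip in $ips; do
    [ "$ip" = "$expected" ] || return 1
  done
}

# Check the main domain and one wildcard subdomain against the ingress IP.
check_platform_dns() {
  local domain="$1" ingress_ip host rc=0
  ingress_ip="$(kubectl -n ingress-nginx get svc ingress-nginx-controller \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"
  for host in "$domain" "test.$domain"; do
    if dns_matches "$ingress_ip" "$(dig +short "$host")"; then
      echo "OK    $host -> $ingress_ip"
    else
      echo "FAIL  $host does not resolve to ingress IP '$ingress_ip'"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: check_platform_dns platform.company.com
```

If the Cloudflare proxy is enabled for these records, DNS answers with Cloudflare edge addresses rather than the ingress IP, so this check reports a mismatch in that setup.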
TLS configuration
Quick Setup with Cloudflare
Add Domain to Cloudflare
- Transfer DNS management
- Update nameservers
Configure SSL/TLS
- Purchase Advanced Certificate Manager (ACM)
- Enable Total TLS
- Set SSL/TLS mode to Full (Strict)
Benefits
- Automatic certificate management
- DDoS protection included
- Easy wildcard certificate support
- Global CDN
Setup with cert-manager
Install cert-manager
helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
helm upgrade --install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
Configure DNS Provider
# Create API token secret
kubectl apply -n cert-manager -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>
EOF
Create ClusterIssuer
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
EOF
Important
- Use a valid email address for certificate notifications
- Ensure DNS provider API token has sufficient permissions
- Allow time for initial certificate issuance
Information collection
Required values for platform installation
- Domain name (e.g., platform.company.com)
- Ingress annotations (if using cert-manager: cert-manager.io/cluster-issuer: "letsencrypt")
- TLS secret name for the certificate
- SSL redirect setting (true or false)
ingress:
  enabled: true
  className: nginx
  host: "platform.company.com"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  tls:
    - secretName: "tls-secret"
      hosts:
        - "platform.company.com"
        - "*.platform.company.com"
deploymentEngine:
platform:
domain:
hostname: "platform.company.com"
clusterManager:
domain:
hostname: "platform.company.com"
targets:
- clusters:
- domains:
service:
tls: true
hostname: "platform.company.com"
ingress:
ingressClass: "nginx"
Troubleshooting
DNS Issues
Not Resolving
- Verify A record IP
- Check CNAME configuration
- Allow DNS propagation (48h max)
Wrong IP
- Confirm ingress controller IP
- Update DNS records
- Clear local DNS cache
Certificate Issues
cert-manager
- Check issuer status
- Verify DNS01 challenge
- Review cert-manager logs
Cloudflare
- Verify SSL/TLS mode
- Check certificate status
- Confirm proxy status
Need help? Contact [email protected] if you encounter any issues.