
Domains and TLS

You can manage cluster-level domains from the Domains view. You can register single hostname or wildcard domains and bind them to public or private traffic classes.

  • Wildcard domains (recommended): *.example.com serves multiple deployment hostnames on the same traffic class.
  • Hostname domains: app.example.com serves a single public hostname with an HTTP-01 certificate. Only available for public Gateway API traffic classes.

Notes:

  • Wildcards are single level. *.example.com matches app.example.com, not app.dev.example.com.
  • Wildcard domains can target public Gateway API classes, private MetalLB-backed Gateway API classes, legacy ingress controllers, or Tailscale tailnet (BYOD) Gateway classes.
  • Single hostname domains require a public Gateway API controller.
  • Direct tailscale ingress endpoints do not use the Domains view. When you select the direct tailscale traffic class, Edka builds the hostname from your tailnet DNS name and Tailscale manages the certificate. See Tailscale Tailnet Traffic Exposure.
  • The Cloudflare connector does not replace the Domains view. It advertises the cluster private subnet so private MetalLB-backed domains can be reached by WARP users.

To add a domain:

  1. Open a cluster and go to Domains.
  2. Add either *.example.com or app.example.com.
  3. Select the traffic class.

Add Domain

The Domains view shows the recommended DNS records for the selected traffic class using its live endpoints.

Public Gateway API or legacy ingress controllers

  • Use the A or AAAA records shown in the UI.
  • For wildcard domains, point the wildcard record at the controller endpoint.
  • For hostname domains, point the exact hostname at the controller endpoint.

Private Gateway API classes

  • Use the private A record shown in the UI for the selected Gateway class.
  • Wildcard domains are supported on this path.
  • Clients must be able to route to the cluster private subnet, for example through Cloudflare Zero Trust private routing, a VPN, or another routed private network.
  • Single hostname HTTP-01 certificates are not available on this path because the selected Gateway class is private and cannot be reached for HTTP-01 validation.
  • Private tailnet-published Gateway classes use only the wildcard CNAME shown in the UI.

Verify DNS Records

Wildcard certificates (DNS-01)

Edka provisions and renews wildcard certificates with cert-manager, using the Edka DNS-01 webhook running inside your cluster.

Because wildcard issuance is DNS-01 based, the Gateway itself does not need to be reachable from the internet: it works for both public and private Gateway API traffic classes, including MetalLB private VIP classes.

Create the delegation record shown in the domain details:

  • Name: _acme-challenge.example.com
  • Type: CNAME
  • Target: <delegation-id>.acme.edka.net

The record must be DNS only, not proxied. A proxied record (for example behind the Cloudflare proxy) is answered with the proxy's own addresses, so the CNAME target is never visible to the ACME validator and the challenge cannot be delegated. After DNS propagates, Edka checks the delegation and tracks certificate status in the Domains view.
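The two checks a practitioner wants at this point, the single-level wildcard rule from the notes above and the _acme-challenge delegation (including the "DNS only, not proxied" failure mode), as an added Python example that is not Edka's code. The in-memory zone data, the delegation id d-0123 and the resolver callback shape are assumptions; dig_resolve shows how the same check runs against a live zone.

```python
"""Offline checks for the Domains flow: single-level wildcard matching and the
_acme-challenge CNAME delegation. Added example, not Edka's code: the in-memory
zone, the delegation id "d-0123" and the resolver interface are assumptions."""
import subprocess
from typing import Callable, Dict, List, Tuple

# A resolver answers (name, record type) with a list of answer strings.
Resolver = Callable[[str, str], List[str]]


def normalize(name: str) -> str:
    """Canonical DNS name: no surrounding space, no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def wildcard_covers(domain: str, hostname: str) -> bool:
    """Decide whether a registered domain covers a deployment hostname.

    Wildcards are single level: *.example.com matches app.example.com but not
    app.dev.example.com or example.com itself. A hostname domain matches only
    the exact name.
    """
    domain, hostname = normalize(domain), normalize(hostname)
    if not domain.startswith("*."):
        return domain == hostname
    suffix = domain[2:]
    if not hostname.endswith("." + suffix):
        return False
    leftmost = hostname[: -len(suffix) - 1]  # labels left of the suffix
    return bool(leftmost) and "." not in leftmost


def check_acme_delegation(resolve: Resolver, domain: str, delegation_target: str) -> str:
    """Verify the DNS-01 delegation for a wildcard domain.

    Looks up _acme-challenge.<zone> and returns one of:
      'ok'                    CNAME points at the expected delegation target
      'missing'               no record at all (not created or not propagated)
      'proxied-or-flattened'  A/AAAA answers but no CNAME: the record is proxied
                              (e.g. Cloudflare orange cloud) or CNAME-flattened,
                              so the ACME validator never sees the delegation
      'wrong-target'          CNAME exists but points somewhere else
    """
    zone = domain[2:] if domain.startswith("*.") else domain
    challenge = f"_acme-challenge.{normalize(zone)}"
    cnames = [normalize(c) for c in resolve(challenge, "CNAME")]
    if not cnames:
        addrs = resolve(challenge, "A") + resolve(challenge, "AAAA")
        return "proxied-or-flattened" if addrs else "missing"
    if normalize(delegation_target) not in cnames:
        return "wrong-target"
    return "ok"


# Constructed answers standing in for three zones (sample data, not real DNS).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.example.com", "CNAME"): ["d-0123.acme.edka.net."],  # correct
    ("_acme-challenge.proxied.test", "A"): ["203.0.113.10"],               # CNAME hidden by proxy
    ("_acme-challenge.wrong.test", "CNAME"): ["d-9999.acme.edka.net."],   # stale delegation id
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Resolver over the constructed zone, used for the offline run below."""
    return list(ZONE.get((normalize(name), rtype), []))


def dig_resolve(name: str, rtype: str) -> List[str]:
    """Live resolver for real zones: `dig +short` prints one answer per line."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line]


if __name__ == "__main__":
    for dom, host in [("*.example.com", "app.example.com"),
                      ("*.example.com", "app.dev.example.com"),
                      ("app.example.com", "app.example.com")]:
        print(f"{dom:18} covers {host:22} -> {wildcard_covers(dom, host)}")
    # Every zone is checked against the same (assumed) delegation id so the
    # wrong-target branch is exercised too.
    for dom in ["*.example.com", "*.proxied.test", "*.wrong.test", "*.nothing.test"]:
        print(f"{dom:18} delegation -> "
              f"{check_acme_delegation(fake_resolve, dom, 'd-0123.acme.edka.net')}")
```

Run it as-is for the offline walk-through, or pass dig_resolve instead of fake_resolve together with the delegation target from the domain details to check a real zone. The proxied case is deliberately detected from the shape of the answer rather than from provider settings: once a CNAME is proxied, public resolvers only ever see the proxy's A/AAAA addresses, which is exactly why the ACME challenge never reaches the delegation target.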

Required add-ons

  • cert-manager add-on
  • Edka DNS-01 webhook add-on
  • Reflector add-on, if you want to mirror the secret to multiple namespaces (only needed for legacy ingress controllers)

Certificate details

  • Certificate name: wildcard-<domain-id>
  • Secret name: wildcard-<domain-id>-tls
  • Default namespace: envoy-gateway-system. For legacy ingress controllers, the default namespace is edka-system.
  • Allowed namespaces control where the Reflector add-on mirrors the secret. This only applies to legacy ingress controllers and is not needed with Gateway API. If a deployment lives in a namespace other than the default, for example production, add that namespace to the allowed namespaces and Reflector copies the secret there.
Single hostname certificates (HTTP-01)

  • Edka provisions a single Let’s Encrypt certificate using HTTP-01 validation on the selected public Gateway.
  • The certificate is managed on the Gateway and attached automatically.
  • Because HTTP-01 needs public reachability, single hostname domains are not available on private Gateway classes or Tailscale tailnet (BYOD) Gateway classes.
Choosing a domain type

  • Wildcard domains are the most flexible option when you want to expose multiple deployments or applications under a single domain. Preview environments support only wildcard domains.
  • Use a single hostname domain when you want one cluster-managed FQDN on a public Gateway API traffic class.
  • Use a wildcard domain on a MetalLB private VIP Gateway class when you want private DNS names and private TLS termination through Envoy Gateway.
  • If you select the direct tailscale traffic class, skip the Domains flow and provide a tailnet subdomain in the deployment or app networking/access form instead.

Private network reachability

Domains attach hostnames and certificates to a traffic class, but they do not route private networks by themselves.

If you bind a domain to a MetalLB private VIP Gateway class, make sure clients can still reach the cluster private subnet. Edka’s recommended path is the Cloudflare connector, which advertises that subnet through Cloudflare Zero Trust, but any equivalent routed private network works.