[{"data":1,"prerenderedAt":435},["ShallowReactive",2],{"navigation_docs":3,"-install-dns-and-tls":136,"-install-dns-and-tls-surround":430},[4,26,47,68,89,110,123],{"title":5,"path":6,"stem":7,"children":8,"page":25},"Getting Started","\u002Fgetting-started","1.getting-started",[9,13,17,21],{"title":10,"path":11,"stem":12},"What you are running","\u002Fgetting-started\u002Fwhat-you-are-running","1.getting-started\u002F1.what-you-are-running",{"title":14,"path":15,"stem":16},"Architecture","\u002Fgetting-started\u002Farchitecture","1.getting-started\u002F2.architecture",{"title":18,"path":19,"stem":20},"Prerequisites","\u002Fgetting-started\u002Fprerequisites","1.getting-started\u002F3.prerequisites",{"title":22,"path":23,"stem":24},"Quickstart","\u002Fgetting-started\u002Fquickstart","1.getting-started\u002F4.quickstart",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Install","\u002Finstall","2.install",[31,35,39,43],{"title":32,"path":33,"stem":34},"Install the chart","\u002Finstall\u002Finstall-the-chart","2.install\u002F1.install-the-chart",{"title":36,"path":37,"stem":38},"Activation","\u002Finstall\u002Factivation","2.install\u002F2.activation",{"title":40,"path":41,"stem":42},"DNS and TLS","\u002Finstall\u002Fdns-and-tls","2.install\u002F3.dns-and-tls",{"title":44,"path":45,"stem":46},"Verify your install","\u002Finstall\u002Fverify-your-install","2.install\u002F4.verify-your-install",{"title":48,"path":49,"stem":50,"children":51,"page":25},"Configure","\u002Fconfigure","3.configure",[52,56,60,64],{"title":53,"path":54,"stem":55},"Data services","\u002Fconfigure\u002Fdata-services","3.configure\u002F1.data-services",{"title":57,"path":58,"stem":59},"Secrets","\u002Fconfigure\u002Fsecrets","3.configure\u002F2.secrets",{"title":61,"path":62,"stem":63},"Registry and air-gapped installs","\u002Fconfigure\u002Fregistry-and-airgap","3.configure\u002F3.registry-and-airgap",{"title":65,"path":66,"stem":67},"Integrations","\u002Fconfigure\u002Fintegrations","3.configure\u002F4.integrations",{"title":69,"path":70,"stem":71,"children":72,"page":25},"Licensing","\u002Flicensing","4.licensing",[73,77,81,85],{"title":74,"path":75,"stem":76},"How licensing works","\u002Flicensing\u002Fhow-licensing-works","4.licensing\u002F1.how-licensing-works",{"title":78,"path":79,"stem":80},"Your key never leaves","\u002Flicensing\u002Fyour-key-never-leaves","4.licensing\u002F2.your-key-never-leaves",{"title":82,"path":83,"stem":84},"What phones home","\u002Flicensing\u002Fwhat-phones-home","4.licensing\u002F3.what-phones-home",{"title":86,"path":87,"stem":88},"Revoke and recover","\u002Flicensing\u002Frevoke-and-recover","4.licensing\u002F4.revoke-and-recover",{"title":90,"path":91,"stem":92,"children":93,"page":25},"Operate","\u002Foperate","5.operate",[94,98,102,106],{"title":95,"path":96,"stem":97},"Upgrade","\u002Foperate\u002Fupgrade","5.operate\u002F1.upgrade",{"title":99,"path":100,"stem":101},"Backup and restore","\u002Foperate\u002Fbackup-and-restore","5.operate\u002F2.backup-and-restore",{"title":103,"path":104,"stem":105},"Observability","\u002Foperate\u002Fobservability","5.operate\u002F3.observability",{"title":107,"path":108,"stem":109},"High availability","\u002Foperate\u002Fhigh-availability","5.operate\u002F4.high-availability",{"title":111,"path":112,"stem":113,"children":114,"page":25},"Troubleshooting","\u002Ftroubleshooting","6.troubleshooting",[115,119],{"title":116,"path":117,"stem":118},"Install failures","\u002Ftroubleshooting\u002Finstall-failures","6.troubleshooting\u002F1.install-failures",{"title":120,"path":121,"stem":122},"Licensing failures","\u002Ftroubleshooting\u002Flicensing-failures","6.troubleshooting\u002F2.licensing-failures",{"title":124,"path":125,"stem":126,"children":127,"page":25},"Reference","\u002Freference","9.reference",[128,132],{"title":129,"path":130,"stem":131},"Helm values","\u002Freference\u002Fhelm-values","9.reference\u002F1.helm-values",{"title":133,"path":134,"stem":135},"Environment variables","\u002Freference\u002Fenvironment","9.reference\u002F2.environment",{"id":137,"title":40,"body":138,"description":423,"extension":424,"links":425,"meta":426,"navigation":427,"path":41,"seo":428,"stem":42,"__hash__":429},"docs\u002F2.install\u002F3.dns-and-tls.md",{"type":139,"value":140,"toc":416},"minimark",[141,145,154,159,168,177,181,184,218,238,249,259,263,277,280,317,331,342,346,349,374,377,381,391,406,412],[142,143,40],"h1",{"id":144},"dns-and-tls",[146,147,148,149,153],"p",{},"The chart renders an nginx Ingress and asks cert-manager for a certificate. Neither of those can invent a hostname, so ",[150,151,152],"code",{},"platform.host"," and your DNS records have to agree.",[155,156,158],"h2",{"id":157},"what-platformhost-has-to-match","What platform.host has to match",[146,160,161,163,164,167],{},[150,162,152],{}," is the public hostname of your API. The chart uses it in three places at once: the ",[150,165,166],{},"host"," on the Ingress rule, the name on the TLS certificate, and the base URL the platform hands to its own clients. There is no separate place to correct a mismatch, which is the point.",[146,169,170,171,173,174,176],{},"So the rule is simple. Whatever you set as ",[150,172,152],{}," must be the name that resolves to your cluster's ingress, and it must be the name your customers actually type. If you split the API and the web app onto separate hostnames, ",[150,175,152],{}," is the API one.",[155,178,180],{"id":179},"point-dns-at-the-ingress","Point DNS at the ingress",[146,182,183],{},"Find the external address of your ingress controller:",[185,186,191],"pre",{"className":187,"code":188,"language":189,"meta":190,"style":190},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","kubectl -n ingress-nginx get svc ingress-nginx-controller\n","bash","",[150,192,193],{"__ignoreMap":190},[194,195,198,202,206,209,212,215],"span",{"class":196,"line":197},"line",1,[194,199,201],{"class":200},"sBMFI","kubectl",[194,203,205],{"class":204},"sfazB"," -n",[194,207,208],{"class":204}," ingress-nginx",[194,210,211],{"class":204}," get",[194,213,214],{"class":204}," svc",[194,216,217],{"class":204}," ingress-nginx-controller\n",[146,219,220,221,224,225,228,229,231,232,228,234,237],{},"Take the ",[150,222,223],{},"EXTERNAL-IP"," from that output and create an ",[150,226,227],{},"A"," record for ",[150,230,152],{}," pointing at it. A wildcard ",[150,233,227],{},[150,235,236],{},"*.acme.com"," works too, and saves you a record per host if you plan to give the web app and the realtime stream their own names.",[146,239,240,241,244,245,248],{},"Do this before you install, or at least before you expect a certificate. cert-manager's default ",[150,242,243],{},"letsencrypt-prod"," issuer solves an HTTP-01 challenge, which means Let's Encrypt has to reach ",[150,246,247],{},"http:\u002F\u002F\u003Cplatform.host>\u002F.well-known\u002Facme-challenge\u002F..."," through your ingress. Until DNS resolves, the challenge cannot be served and the certificate stays pending. Nothing is broken at that point; the order is just waiting for a name that does not exist yet.",[146,250,251,254,255,258],{},[150,252,253],{},"ingress.externalDNS"," is ",[150,256,257],{},"false"," by default, which assumes you manage that record by hand. Turn it on if you run external-dns and want the chart to annotate the Ingress for it.",[155,260,262],{"id":261},"the-certificate","The certificate",[146,264,265,266,269,270,273,274,276],{},"cert-manager does the issuing. The chart annotates each Ingress with ",[150,267,268],{},"cert-manager.io\u002Fcluster-issuer",", taking the name from ",[150,271,272],{},"ingress.clusterIssuer"," (default ",[150,275,243],{},"), and names a TLS Secret for the certificate to land in. A ClusterIssuer by that exact name has to already exist in the cluster: the chart does not create one.",[146,278,279],{},"Watch it arrive:",[185,281,283],{"className":187,"code":282,"language":189,"meta":190,"style":190},"kubectl -n my-mvno get certificate\nkubectl -n my-mvno describe certificate my-mvno-platform-tls\n",[150,284,285,299],{"__ignoreMap":190},[194,286,287,289,291,294,296],{"class":196,"line":197},[194,288,201],{"class":200},[194,290,205],{"class":204},[194,292,293],{"class":204}," my-mvno",[194,295,211],{"class":204},[194,297,298],{"class":204}," certificate\n",[194,300,302,304,306,308,311,314],{"class":196,"line":301},2,[194,303,201],{"class":200},[194,305,205],{"class":204},[194,307,293],{"class":204},[194,309,310],{"class":204}," describe",[194,312,313],{"class":204}," certificate",[194,315,316],{"class":204}," my-mvno-platform-tls\n",[146,318,319,322,323,326,327,330],{},[150,320,321],{},"READY: True"," means you are done. A certificate stuck on ",[150,324,325],{},"False"," for more than a few minutes is almost always DNS: ",[150,328,329],{},"describe"," the Order and Challenge objects underneath it and the message will say so.",[146,332,333,334,337,338,341],{},"The ingress class comes from ",[150,335,336],{},"ingress.className",", default ",[150,339,340],{},"nginx",". The chart's Ingress objects are nginx plus cert-manager and nothing else, so a cluster running a different ingress controller needs that value changed, and a cluster running a Gateway API implementation instead is not a topology this chart renders.",[155,343,345],{"id":344},"app-and-realtime-hosts","App and realtime hosts",[146,347,348],{},"The web app and the realtime stream can have hostnames of their own:",[185,350,352],{"className":187,"code":351,"language":189,"meta":190,"style":190},"--set ingress.hosts.app=app.acme.com \\\n--set ingress.hosts.realtime=rt.acme.com\n",[150,353,354,366],{"__ignoreMap":190},[194,355,356,359,362],{"class":196,"line":197},[194,357,358],{"class":200},"--set",[194,360,361],{"class":204}," ingress.hosts.app=app.acme.com",[194,363,365],{"class":364},"sTEyZ"," \\\n",[194,367,368,371],{"class":196,"line":301},[194,369,370],{"class":364},"--set ",[194,372,373],{"class":204},"ingress.hosts.realtime=rt.acme.com\n",[146,375,376],{},"If you enable either workload but leave its host empty, the chart renders no Ingress for it. That is deliberate rather than a bug: two Ingresses claiming the same host and the same path would collide, so a workload without its own hostname stays reachable inside the cluster only, on its Service name. Give it a host when you want it public, and add the DNS record to match.",[155,378,380],{"id":379},"platformscheme","platform.scheme",[146,382,383,384,386,387,390],{},"Leave ",[150,385,380],{}," at ",[150,388,389],{},"https",".",[146,392,393,394,397,398,401,402,405],{},"Setting it to ",[150,395,396],{},"http"," is a local development escape hatch, and it does exactly what it sounds like: the chart drops the cert-manager annotation and the whole ",[150,399,400],{},"tls"," block from every Ingress, so nothing is encrypted and no certificate is issued. It also turns passkey sign-in off, because WebAuthn will not run over plain http on anything but localhost. Both of those are correct for a ",[150,403,404],{},"kind"," cluster on your laptop and wrong for anything a customer will ever reach.",[146,407,408,409,390],{},"Next: ",[410,411,44],"a",{"href":45},[413,414,415],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}",{"title":190,"searchDepth":197,"depth":301,"links":417},[418,419,420,421,422],{"id":157,"depth":301,"text":158},{"id":179,"depth":301,"text":180},{"id":261,"depth":301,"text":262},{"id":344,"depth":301,"text":345},{"id":379,"depth":301,"text":380},"Point a hostname at the ingress and let cert-manager issue the certificate.","md",null,{},true,{"title":40,"description":423},"mvX_uRSG-kgvAWX8YdW2qioLnBIptv9ptumVOUVOAYA",[431,433],{"title":36,"path":37,"stem":38,"description":432,"children":-1},"Where the activation code comes from and what the license agent does with it.",{"title":44,"path":45,"stem":46,"description":434,"children":-1},"Four checks that tell you the release came up licensed and serving.",1783967741116]