Overview
Use Gateway API routing while Kupe operates the public gateway, DNS entrypoint, and TLS lifecycle.
The model is intentionally simple:
- platform hostnames under your cluster’s dedicated subdomain
*.<cluster>.<tenant>.clusters.kupe.cloudwork with the shared gateway - custom domains use the same
HTTPRoutemodel - you manage routes and services
- Kupe manages the gateway, public entrypoint, and certificate flow
How networking works
Section titled “How networking works”- Create an
HTTPRoutein the same namespace as your workload. - Reference
external-gatewayinkube-system. - Point the route at a backend
Service. - Choose either a platform hostname (under your cluster’s dedicated subdomain) or a custom hostname.
- Let Kupe handle the shared ingress and TLS flow.
You do not create or operate a dedicated public gateway for each application.
Two common paths
Section titled “Two common paths”| Path | What you do | What Kupe does |
|---|---|---|
| Platform domains | Create an HTTPRoute with a hostname under *.<cluster>.<tenant>.clusters.kupe.cloud | Serves traffic through the shared gateway and your cluster’s wildcard certificate |
| Custom domains | Create the same route with your own hostname, then add the DNS records shown in the console | Issues the certificate, adds the HTTPS listener, and serves traffic on your domain |
Core components
Section titled “Core components”| Component | What it does |
|---|---|
| HTTPRoute | Defines hostname, path matching, and backend service targets |
| external-gateway | The shared public gateway serving tenant traffic over HTTPS |
| Platform DNS | Provides the stable public entrypoint behind Kupe-hosted traffic |
| TLS automation | Handles platform wildcard certs and per-domain certificate issuance |
What Kupe manages
Section titled “What Kupe manages”Kupe provides the shared networking layer:
- the public gateway infrastructure
- the stable public DNS entrypoint behind that gateway
- platform-managed TLS via a per-cluster wildcard certificate
(
*.<cluster>.<tenant>.clusters.kupe.cloud) - certificate issuance and renewal for custom domains
- the supporting automation behind gateway DNS and custom-domain lifecycle
What your team manages
Section titled “What your team manages”Your team still controls application traffic behavior:
HTTPRouteresources- route hostnames and path rules
- backend
Servicetargets - custom domain records in your DNS provider when you use your own domain