TLS and Certificates

TLS on Kupe Cloud is usually part of the normal routing flow rather than a separate manual setup task.

Public traffic terminates at the platform gateway, and Kupe manages the certificate lifecycle around that gateway for the standard supported paths.

| Path | What you do | What Kupe does |
| --- | --- | --- |
| Platform domains | Create an HTTPRoute with a *.kupe.cloud hostname | Serves the route with the platform-managed wildcard certificate |
| Custom domains | Create the route and add the two DNS CNAME records shown in the console | Issues a per-host certificate, attaches it to the gateway, and renews it automatically |

For most teams:

  • you do not create Certificate resources for normal app routing
  • you do not patch gateway listeners manually
  • you do not renew certificates by hand

The usual workflow is:

  1. create the HTTPRoute
  2. choose a platform or custom hostname
  3. complete the custom-domain DNS step if you are using your own domain
  4. let Kupe handle the rest

Hostnames under *.kupe.cloud are the simplest path.

They use the shared public gateway and the platform-managed wildcard certificate, so no extra DNS or certificate setup is needed from your side.

Custom domains use the same route model, but certificate issuance is tied to DNS verification.

When the required CNAME records are in place, Kupe:

  • verifies the traffic CNAME
  • verifies the ACME challenge CNAME
  • creates the certificate
  • adds the HTTPS listener for that hostname

See Custom Domains for the exact flow.

For platform or custom hostnames, validate the end result with:

  • a browser check against the public URL
  • curl -I https://<hostname>
  • the Custom Domains console page when you are using your own domain

For custom domains, wait until the route shows Active before treating the setup as complete.
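
An added example, not part of the Kupe documentation: a Python check that goes one step past `curl -I` by reporting which certificate is served for a hostname (platform wildcard or per-host) and how many days remain before it expires. The sample certificate data and `app.example.com` are constructed, and the function names are illustrative.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
# app.example.com is a hypothetical custom domain.
SAMPLE_WILDCARD = {"subjectAltName": (("DNS", "*.kupe.cloud"),),
                   "notAfter": "Jun  1 00:00:00 2030 GMT"}
SAMPLE_PER_HOST = {"subjectAltName": (("DNS", "app.example.com"),),
                   "notAfter": "Jun  1 00:00:00 2030 GMT"}

def fetch_cert(hostname, port=443, timeout=5.0):
    """Live check: verified handshake (chain + hostname), returns the cert dict.
    Raises ssl.SSLCertVerificationError if the served certificate is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_matches(pattern, hostname):
    """Exact match, or a leftmost '*.' wildcard that covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def describe_cert(cert, hostname, now=None):
    """Classify the certificate for this hostname and report days until expiry."""
    now = now or datetime.now(timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    covering = [s for s in sans if san_matches(s, hostname)]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not covering:
        kind = "mismatch"
    elif any(not s.startswith("*.") for s in covering):
        kind = "per-host"
    else:
        kind = "wildcard"
    return {"kind": kind, "covered_by": covering, "days_left": (expires - now).days}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_WILDCARD
    print(describe_cert(cert, host or "myapp.kupe.cloud"))
```

Per the table above, a `*.kupe.cloud` hostname should report `wildcard` and a custom domain should report `per-host`.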

This page covers public HTTPS for the standard Kupe Cloud routing model. It is not a general cert-manager guide or a guide to running your own certificate controllers inside the cluster.