Add a New Hostname¶
Recipe for exposing a new hostname behind the shared Gateway.
Steps¶
1. Add a Gateway listener (platform/charts/gateway/templates/gateway.yaml)¶
Add a new entry under spec.listeners:
- name: my-new-hostname
protocol: HTTPS
port: 443
hostname: my-service.unipuka.app
tls:
mode: Terminate
certificateRefs:
- name: tls-unipuka-app # use zone-matching TLS Secret
allowedRoutes:
namespaces:
from: Same # if HTTPRoute is in gateway ns
# OR use Selector for tenant ns:
# from: Selector
# selector:
# matchLabels:
# gateway.unipuka.app/tenant: oep-stg
2. Add a Cloudflare DNS record (oep-infra/dns_platform.tf or tenants.tf)¶
resource "cloudflare_dns_record" "my_service" {
zone_id = local.cf_zones["unipuka.app"]
name = "my-service"
type = "CNAME"
content = data.digitalocean_loadbalancer.gateway.ip # or hostname
proxied = true # orange-cloud for CF Access gating
# proxied = false for direct DO LB (e.g. App Platform static sites)
}
3. Create an HTTPRoute (in the target namespace)¶
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: my-service
namespace: gateway # or tenant ns
spec:
parentRefs:
- name: shared
namespace: gateway
sectionName: my-new-hostname
hostnames:
- my-service.unipuka.app
rules:
- backendRefs:
- name: my-service-svc
port: 80
4. (Optional) CF Access app (oep-infra/cf_access_apps.tf)¶
For internal tools that need SSO gating:
resource "cloudflare_zero_trust_access_application" "my_service" {
account_id = local.cf_account_id
name = "my-service"
domain = "my-service.unipuka.app"
type = "self_hosted"
session_duration = "24h"
auto_redirect_to_identity = true
}
resource "cloudflare_zero_trust_access_policy" "my_service_unipuka" {
account_id = local.cf_account_id
application_id = cloudflare_zero_trust_access_application.my_service.id
name = "unipuka-email"
decision = "allow"
include {
email_domain = ["unipuka.com"]
}
}
5. Commit and push¶
Argo auto-syncs within ~3 min. Monitor: