Skip to main content
Ingresses provide HTTP(S) routing to your services. They allow you to use custom domains, enable HTTPS with automatic certificate management, and route traffic based on paths.

What is an Ingress?

An ingress is a Kubernetes resource that:
  • Maps custom domains to your services
  • Terminates TLS/HTTPS traffic
  • Routes requests based on URL paths
  • Provides a single entry point for HTTP traffic

When to Use Ingresses

Use Ingresses For

  • Custom domains (api.example.com)
  • HTTPS with auto-certificates
  • Path-based routing (/api, /admin)
  • Multiple services behind one domain

Use External Services For

  • Direct IP access without domain
  • Non-HTTP protocols (databases, gRPC)
  • Quick testing without DNS setup

Creating an Ingress

1

Navigate to your deployment

Open the deployment you want to expose.
2

Go to Networking tab

Click on the Networking tab.
3

Click 'Add Ingress'

Click Add Ingress to create a new ingress.
4

Configure the ingress

FieldDescriptionExample
HostYour custom domainapi.example.com
PathURL path to match/ or /api
ServiceTarget service nameapi-server
PortTarget service port8080
TLSEnable HTTPStrue
5

Create

Click Create to set up the ingress.

DNS Configuration

Before your ingress works, you need to point your domain to the cluster:
1

Get the cluster IP

The cluster IP is provided in your ingress details after creation.
2

Create a DNS record

Add an A record in your DNS provider:
TypeNameValue
Aapi<cluster-ip>
Or for the root domain:
TypeNameValue
A@<cluster-ip>
3

Wait for propagation

DNS changes can take up to 48 hours to propagate, though most update within minutes.

DNS Validation

Orchard can validate that your DNS is configured correctly:
1

Open ingress settings

Go to your ingress configuration.
2

Click 'Validate DNS'

Click the validate button to check DNS configuration.
3

Review results

Orchard will check if your domain points to the correct IP.

TLS/HTTPS Configuration

Automatic Certificates

Orchard integrates with cert-manager to automatically provision and renew TLS certificates:
1

Enable TLS

Toggle the TLS option when creating your ingress.
2

Select cluster issuer

Choose the certificate issuer (e.g., letsencrypt-prod).
3

Certificate provisioning

A certificate will be automatically requested and installed.
Automatic certificates require your DNS to be correctly configured before the certificate can be issued. The domain must resolve to the cluster IP.

Certificate Status

After enabling TLS, the certificate goes through these stages:
  1. Pending: Certificate request submitted
  2. Issuing: Certificate authority is validating
  3. Ready: Certificate installed and active
This process typically takes 1-2 minutes.

Path-Based Routing

You can route different paths to different services: 
example.com

    ├── /api/*     → api-service:8080
    ├── /admin/*   → admin-service:3000
    └── /*         → frontend-service:80

Path Types

TypeDescriptionExample Match
PrefixMatches path and all subpaths/api matches /api, /api/users, /api/v1/users
ExactMatches exact path only/api matches only /api

Creating Multiple Paths

For each path, create a separate ingress rule or configure multiple paths in one ingress: 
Host: example.com

Rule 1:
  Path: /api
  Service: api-server
  Port: 8080

Rule 2:
  Path: /
  Service: frontend
  Port: 80

Multiple Domains

To serve the same application on multiple domains:
Create multiple ingresses pointing to the same service:
  • example.com → api-server:8080
  • www.example.com → api-server:8080
  • api.example.com → api-server:8080

Ingress Annotations

For advanced configuration, you can add Kubernetes annotations:
AnnotationPurpose
cert-manager.io/cluster-issuerSpecify certificate issuer
nginx.ingress.kubernetes.io/rewrite-targetRewrite URL paths
nginx.ingress.kubernetes.io/ssl-redirectForce HTTPS redirect
Available annotations depend on your ingress controller. Contact your administrator for supported annotations.

Updating Ingresses

To modify an existing ingress:
1

Open Networking tab

Go to your deployment’s Networking tab.
2

Select the ingress

Click on the ingress you want to update.
3

Make changes

Modify the host, path, or TLS settings.
4

Save

Click Save to apply changes.

Deleting Ingresses

1

Open Networking tab

Go to your deployment’s Networking tab.
2

Find the ingress

Locate the ingress you want to delete.
3

Delete

Click the delete button and confirm.
Deleting an ingress immediately removes the routing rule. Your domain will no longer route to your service.

Best Practices

Enable TLS for all production ingresses. HTTP traffic can be intercepted and modified.
Redirect www to non-www (or vice versa) for consistency. Configure one as the canonical URL.
Configure DNS first to avoid certificate issuance delays.
While certificates auto-renew, monitor for renewal failures to avoid unexpected expiry.

Troubleshooting

If your domain doesn’t reach your service:
  1. Verify DNS is pointing to the cluster IP
  2. Check the ingress status in Orchard
  3. Ensure the target service exists and has healthy pods
  4. Wait for DNS propagation (up to 48 hours)
If TLS certificate stays pending:
  1. Verify DNS is correctly configured
  2. Check that port 80 is accessible for HTTP-01 challenge
  3. Review certificate status for error messages
  4. Try deleting and recreating the ingress
If HTTP doesn’t redirect to HTTPS:
  1. Verify TLS is enabled on the ingress
  2. Check for ssl-redirect annotation
  3. Clear browser cache and try again
If requests go to the wrong service:
  1. Check path priority (more specific paths should be first)
  2. Verify path type (Prefix vs Exact)
  3. Review all ingress rules for the same host

Next Steps

Services

Learn about service types and configuration

Volumes

Add persistent storage to your deployments