Version: 1.6


In Kubernetes you can configure external HTTPS access to your applications using Ingress resources. Ingress provides load balancing, SSL termination and name-based virtual hosting.

Wayfinder can automatically register domains and generate TLS certificates for Ingress objects. This lets developers easily expose their application services.

The following table lists some important terms to understand about how Wayfinder handles access to your applications.

| Term | Description |
| --- | --- |
| Ingress resource | A collection of routing rules that define which inbound connections can reach your application service. Wayfinder provides an easy way to generate an ingress.yaml to create this resource. See Expose your Application via Ingress. |
| Network policy | Lets you control traffic flow to your application at the port level. By default Wayfinder deploys a default-denial-ingress network policy into each namespace, which forbids Ingress traffic for any deployed applications. To enable network access to your application, you need a new network policy that allows traffic from the Ingress controllers that Wayfinder manages. Wayfinder can generate this network policy for you when you follow the steps in Generate an Ingress resource and network policy. You can also create a network policy manually; see Create Network Policies. |
| Ingress controller | Acts mainly as a router and load balancer in Kubernetes. For the Ingress resource to work, a Kubernetes cluster must have an Ingress controller running. Wayfinder automatically installs a public-facing Ingress controller with class external in each Kubernetes cluster, using the ingress-nginx Ingress controller. |
| DNS zones and domains | Wayfinder Administrators and Workspace Administrators can register DNS zones to be used for Ingress resources. Wayfinder installs and configures ExternalDNS in each managed Kubernetes cluster to automatically generate DNS records and managed DNS zones. For more information, see Manage Domains. |
| Certificates | Web applications should use HTTPS endpoints. For security, we strongly recommend using end-to-end encryption for internal communication between your applications and services. Wayfinder automatically installs and configures cert-manager in each managed Kubernetes cluster, which creates and manages X.509 certificates (used by TLS) for Kubernetes Ingress objects and other requirements. For more information, see Manage Certificates. |
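
The network policy entry above pairs a namespace-wide default deny with an allow rule for the Ingress controller. The manifests below are an added illustration of that pairing, not Wayfinder's generated output. The namespace `my-app`, the pod label `app: web`, port 8080, the policy name `allow-from-ingress-controller`, and the controller's namespace and pod labels are assumptions to replace with the values from your cluster.

```yaml
# Default posture described above: select every pod in the namespace and
# list no ingress rules, so all inbound traffic is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-denial-ingress
  namespace: my-app                     # assumed application namespace
spec:
  podSelector: {}                       # empty selector matches all pods
  policyTypes:
    - Ingress
---
# Allow rule: only the Ingress controller pods may reach the application,
# and only on the port the application serves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller   # assumed name
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: web                          # assumed application pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector sit in the SAME list item, so a
        # source must match both. Writing them as two separate items would
        # admit any pod in that namespace OR any matching pod in my-app.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx        # assumed controller pod label
      ports:
        - protocol: TCP
          port: 8080                    # assumed container port
```

Network policies are additive, so the allow rule widens access only for the selected pods and port while the default deny continues to cover everything else in the namespace.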