Production Routing & the Gateway
When kilter deploy finishes, your app is live at a real URL:
https://<app>.<cluster-domain>
This page explains where that URL comes from and what "public" means on a kilter-platform cluster.
The Gateway API, not Ingress
Kilter-platform clusters route external traffic with the Gateway API — the modern successor to the legacy Ingress resource. The split of responsibilities is the point:
- The Gateway is cluster infrastructure: platform operators run it once, with listeners, TLS, and the wildcard DNS for
*.<cluster-domain>already handled. - Each app attaches a route to that Gateway, claiming its hostname (
<app>.<cluster-domain>) and pointing at the app's Service.
You author neither. When the kilter operator processes your KilterApp resource, the kilter-app Helm chart renders the route alongside the Deployment and Service, and Flux applies it (see Helm for the full pipeline). Deploying an app is publishing it.
Per-env hostnames
Every deployment env (--env prod, dev, alpha, pr-247) gets its own namespace, its own scoped database, and its own hostname on the same Gateway. A PR preview env is reachable at its own URL the moment its pods are Ready — no routing work per env.
What "public / routed" means
An app is public (the default) when it has a route on the cluster Gateway — reachable from the internet at its hostname. For internal tools, opt out in kilter.yaml:
public: falseThe app then gets no external route. Only its in-cluster Service remains (http://<app>.<namespace>.svc:<port>, reported as the deploy URL), and its NetworkPolicy closes the port to other namespaces. Reach it via kubectl port-forward or from workloads in the same namespace. Flipping back to public re-publishes on the next deploy and tears down nothing else.
Components (supporting services you declare alongside the app) are internal-only by default and only join the Gateway if they declare a route: of their own.
Unlike dev — where everything hides behind localhost ports — a production deploy is on the internet unless you say otherwise. For admin panels, workers with debug endpoints, or anything pre-auth, set public: false before the first deploy, not after.
The portal launch link
The kilter portal lists each project's deployed apps, and the launch link next to an app is exactly this Gateway hostname — https://<app>.<cluster-domain> for the env you're looking at. Portal link, deploy output URL, and Gateway route are three views of one thing; if the launch link 404s, debug the deploy (did pods go Ready? did Flux apply?), not DNS.