KBkilterKB
userdev

Production Routing & the Gateway

When kilter deploy finishes, your app is live at a real URL:

https://<app>.<cluster-domain>

This page explains where that URL comes from and what "public" means on a kilter-platform cluster.

The Gateway API, not Ingress

Kilter-platform clusters route external traffic with the Gateway API — the modern successor to the legacy Ingress resource. The split of responsibilities is the point:

  • The Gateway is cluster infrastructure: platform operators run it once, with listeners, TLS, and the wildcard DNS for *.<cluster-domain> already handled.
  • Each app attaches a route to that Gateway, claiming its hostname (<app>.<cluster-domain>) and pointing at the app's Service.

You author neither. When the kilter operator processes your KilterApp resource, the kilter-app Helm chart renders the route alongside the Deployment and Service, and Flux applies it (see Helm for the full pipeline). Deploying an app is publishing it.

Per-env hostnames

Every deployment env (--env prod, dev, alpha, pr-247) gets its own namespace, its own scoped database, and its own hostname on the same Gateway. A PR preview env is reachable at its own URL the moment its pods are Ready — no routing work per env.

What "public / routed" means

An app is public (the default) when it has a route on the cluster Gateway — reachable from the internet at its hostname. For internal tools, opt out in kilter.yaml:

public: false

The app then gets no external route. Only its in-cluster Service remains (http://<app>.<namespace>.svc:<port>, reported as the deploy URL), and its NetworkPolicy closes the port to other namespaces. Reach it via kubectl port-forward or from workloads in the same namespace. Flipping back to public re-publishes on the next deploy and tears down nothing else.

Components (supporting services you declare alongside the app) are internal-only by default and only join the Gateway if they declare a route: of their own.

Public by default

Unlike dev — where everything hides behind localhost ports — a production deploy is on the internet unless you say otherwise. For admin panels, workers with debug endpoints, or anything pre-auth, set public: false before the first deploy, not after.

The kilter portal lists each project's deployed apps, and the launch link next to an app is exactly this Gateway hostname — https://<app>.<cluster-domain> for the env you're looking at. Portal link, deploy output URL, and Gateway route are three views of one thing; if the launch link 404s, debug the deploy (did pods go Ready? did Flux apply?), not DNS.