Skip to main content

Bring your own DNS domain



By default, k8saas uses the subdomain or For instance: for Grafana

It is possible to use your own Azure DNS zone !

Grafana URL would be:


Use case

  • Expose several applications to end-users under the same subdomain
  • Migrate from PCF to k8saas keeping the previous subdomain

What to do ?

Step 1: Ask for an DNS App Registration

Ask for a k8saas app registration to allow the k8saas service to add entries in your DNS. The request need to be sent on the TrustNest K8SaaS Service catalog with the following information:

The k8saas support will provide you a clientID and/or a name of the app registration following this nomenclature: "dns-yourdomain-sp"

Step 2: DNS Zone Contributor role assignment

Once the app registration is received, you have to grant it the "DNS Zone Contributor" Role.

Using the Azure portal:






Once DONE, provide to the k8saas support the following information:

  • the ID of the subscription where the DNS zone is
  • the name of the resource group where the DNS zone is

Step 3: Change performed

Once the k8saas support term has performed the changed, you will receive a confirmation email. After that, you should be able to use to custom subdomain in ingress configuration.


Use 2 different domains with k8saas ?

This feature is not yet supported


Investigate why the TLS certificate is not valid ?

All the information are in events of the namespace; so during the deployment of your ingress, I recommend using the following command:

$ kubectl get events -n <your_namespace> -w

The following lines are important:

  • "Challenge scheduled for processing" - meaning the TLS certificate mechanism is ready
  • "Presented challenge using DNS-01 challenge mechanism" - meaning the TLS certificate mechanism uses DNS-01 challenge method. To understand better what it is: doc
  • "Created Challenge resource "grafana-tls-secret-XXXXX" for domain """ - meaning a secret will be created in your namespace to store the content of the TLS certificate.
  • "Issuing certificate as Secret does not exist" - meaning there is no certificate in the secret yet. It's normal
  • "Created new CertificateRequest resource "grafana-tls-secret-7g2mn"" - meaning, new certificate is requested
  • "Domain "" verified with "DNS-01" validation" - please check if the domain correspond to what you want
  • "The certificate has been successfully issued" - The TLS certificate is ready

Once done, you can also check the status of the certificate using:

$ kubectl get certificate -n yournamespace
app-tls-secret True app-tls-secret 44m