Setting up Astarte Default Ingress

Once your Cluster is up and running, to expose it to the outer world you need to set up an Ingress. Currently, the only managed and supported Ingress is based upon NGINX, and this guide will cover only this specific case.

Please, note that the previously supported Voyager based ingress is deprecated and should not be used (see the Voyager announcement and the related Astarte issue for further details).

If you want to migrate away from AstarteVoyagerIngress to the new AstarteDefaultIngress, please refer to the procedure outlined here.


Before proceeding with the deployment of the Astarte Default Ingress, the following requirements must be fulfilled:

  • TLS certificates must be deployed as a secret within the namespace in which Astarte resides (see the Handling Astarte Certificates section). To check if the TLS secret is correctly deployed, you can run:
    $ kubectl get secrets -n astarte
    and make sure your certificate is stored in a secret of type in that list;
  • Astarte must be configured such that TLS termination is handled at VerneMQ level: this can be done simply editing the Astarte resource and, in the vernemq section, setting the sslListener and sslListenerCertSecretName. Your Astarte CR will look something like:
    kind: Astarte
        sslListener: true
        sslListenerCertSecretName: <your-tls-secret-name>
  • ingress-nginx ingress controller must be deployed within your cluster. You can install it following the instructions reported here.

Creating an AstarteDefaultIngress

Most information needed for exposing your Ingress have already been given in your main Astarte resource. If your Kubernetes installation supports LoadBalancer ingresses (most managed ones do), you should be able to get away with the most standard CR:

kind: AstarteDefaultIngress
  name: adi
  namespace: astarte
  ### Astarte Default Ingress CRD
  astarte: astarte
  tlsSecret: <your-astarte-tls-cert>
    exposeHousekeeping: true
    deploy: true
    ssl: true
    host: <your-astarte-dashboard-host>
    deploy: true
    serviceType: LoadBalancer
    # loadBalancerIP is needed if your certificate is obtained with the solution of the HTTP
    # challenge, othewise it's optional. Please, be aware that the possibilities and modes for
    # assigning a loadBalancerIP to a service depend on your cloud provider.
    loadBalancerIP: <your-loadbalancerIP>

There's one very important thing to be noted: the astarte field must reference the name of an existing Astarte installation in the same namespace, and the Ingress will be configured and attached to that instance.

What happens after installing the AstarteDefaultIngress resource?

When the AstarteDefaultIngress resource is created, the Astarte Operator ensures that the following resources are created according to your configuration:

  • an NGINX ingress which is devoted to routing requests to the Astarte APIs and to the Astarte Dashboard,
  • a service of kind LoadBalancer which exposes the Astarte broker to the outer world.

The following commands will help you in the task of retrieving the external IPs assigned to both the ingress and the broker service. Assuming that your Astarte instance and AstarteDefaultIngress are respectively named astarte and adi, and that they are deployed within the astarte namespace, simply run:

$ # retrieve information about the ingress
$ kubectl get ingress -n astarte
NAME              CLASS   HOSTS          ADDRESS   PORTS     AGE
adi-api-ingress   nginx   <your-hosts>   X.Y.W.Z   80, 443   6s


$ # retrieve information about the broker service
$ kubectl get service -n astarte adi-broker-service
NAME                 TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
adi-broker-service   LoadBalancer   x.x.x.x        A.B.C.D       443:32149/TCP   17s

SSL and Certificates

Astarte heavily requires SSL in a number of interactions, even though this can be bypassed with ssl: false. If you do not have any SSL certificates for your domains, you can leverage cert-manager capabilities. Simply follow the instructions outlined here to learn how to handle your certificates.

How to support automatic certificate renewal for HTTP challenges?

When your certificate is issued after the solution of an HTTP challenge, to ensure the renewal of the certificate itself you must ensure that the NGINX ingress and the broker service are exposed on the same external IP.

Given that the ingress external IP is obtained after the deployment of the NGINX ingress controller, all you have to do is ensuring that the broker service is exposed on the ingress IP. Thus, set the loadBalancerIP field in your AstarteDefaultIngress resource:

kind: AstarteDefaultIngress
    deploy: true
    serviceType: LoadBalancer
    loadBalancerIP: <same-IP-of-your-ingress>

Please, be aware that the possibility of setting the loadBalancerIP is dependent on your cloud provider. For example, if your Astarte instance is hosted by Google, you will need to reserve the IP before assigning it to the broker service (see this page for further details). Discussing how other cloud providers handle this specific task is out of the scope of this guide and is left to the reader.

API Paths

AstarteDefaultIngress deploys a well-known tree of APIs to the host you specified in the main Astarte resource.

In particular, assuming your API host was

  • Housekeeping API base URL will be:
  • Realm Management API base URL will be:
  • Pairing API base URL will be:
  • AppEngine API base URL will be:

Further customization

AstarteDefaultIngress has a number of advanced options that can be used to accommodate needs of the most diverse deployments. Consult the CRD Documentation to learn more.