Ingress & TLS
Expose BoltMCP publicly. Reference setup with NGINX Ingress Controller and automatic HTTPS certificates.
The BoltMCP chart doesn't manage cluster ingress. It expects you to provision your own ingress / gateway / load balancer that terminates TLS and routes the BoltMCP hostnames to the in-cluster services.
If your platform team handles ingress, hand them the hostnames table below and skip the rest of this page. The walkthrough that follows is a reference setup using NGINX Ingress Controller, cert-manager, and Let's Encrypt - adapt it for your environment, or replace it entirely with whatever ingress your cluster already runs.
What BoltMCP needs from your ingress
For every value of global.domain you set in values-prod.yaml, the chart configures the workloads to expect these public hostnames, terminating TLS, routed to these in-cluster Services:
| Public hostname | Service | Port |
|---|---|---|
web.<domain> | boltmcp-web | 3000 |
auth.<domain> | boltmcp-keycloak | 8080 |
server.<domain> | boltmcp-mcp-server | 3001 |
inspector.<domain> | boltmcp-mcp-inspector | 6274 |
If you've overridden any of web.baseUrl, mcpServer.baseUrl, mcpInspector.baseUrl, or keycloak.hostname in your values, mirror those changes in your ingress.
One NGINX-specific annotation is commonly needed:
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"- required for Keycloak's large authentication headers.
The equivalent setting exists on most ingress implementations; check your platform's docs.
Reference setup
The rest of this page walks through one common setup: NGINX Ingress Controller, cert-manager for automatic TLS, and DNS-based routing. Skip if your cluster already has these.
Install NGINX Ingress Controller
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo updatehelm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.service.externalTrafficPolicy=LocalOn EKS - and especially EKS Auto Mode - the integrated AWS Load Balancer Controller provisions a LoadBalancer Service as internal by default, which leaves the ingress unreachable from the public internet (and from Let's Encrypt's HTTP-01 validation). Set the aws-load-balancer-scheme annotation so the NLB is internet-facing from the start:
helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.service.externalTrafficPolicy=Local \
--set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-scheme"=internet-facingThe load balancer scheme is immutable. If you install without this annotation and add it later, the controller deletes the internal NLB and creates a fresh internet-facing one with a different hostname - so any DNS records you've already pointed at the old hostname must be updated, and you'll wait out their TTL while resolution converges. Setting it up front avoids that churn.
helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.service.externalTrafficPolicy=LocalWait for the external IP:
kubectl get svc ingress-nginx-controller -n ingress-nginx -wExpected output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer xx.x.xxx.xx x.xxx.xxx.xxx 80:32695/TCP,443:30691/TCP 2m8sNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer xx.xxx.x.xx xx-xx.eu-west-2.elb.amazonaws.com 80:30454/TCP,443:31623/TCP 2m8sNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer xx.x.xxx.xx x.xxx.xxx.xxx 80:32695/TCP,443:30691/TCP 2m8sReserve a Stable Address
Give the load balancer a stable address so your DNS records stay valid across restarts. Whether you need to do anything here depends on your cloud:
REGION=$(gcloud container clusters describe <cluster-name> \
--format="get(location)" | sed 's/-[a-z]$//')
CURRENT_IP=$(kubectl get svc ingress-nginx-controller \
-n ingress-nginx \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}')
gcloud compute addresses create boltmcp-ingress-ip \
--addresses $CURRENT_IP \
--region $REGIONThe default ingress-nginx install provisions a Classic ELB, and its DNS hostname is already stable for the life of the Service - it survives pod, node, and controller restarts. There is nothing to reserve: note the hostname and point DNS at it with a CNAME in the next step.
You only need a literal static IP on EKS if something external must allowlist a fixed address, or you've overridden a BoltMCP service hostname to a zone apex (where CNAMEs aren't permitted - see the DNS step). In that case, provision a Network Load Balancer (NLB) with Elastic IPs instead of the default Classic ELB: install the AWS Load Balancer Controller, then recreate the controller Service as an NLB with the annotations service.beta.kubernetes.io/aws-load-balancer-type: external and service.beta.kubernetes.io/aws-load-balancer-eip-allocations set to one pre-allocated Elastic IP per public subnet (AZ). The EIP allocations must be set when the NLB is first created - they cannot be attached to an existing Classic ELB by annotation.
# Create a static public IP in the node resource group
NODE_RG=$(az aks show \
--resource-group boltmcp-rg \
--name boltmcp-cluster \
--query nodeResourceGroup -o tsv)
az network public-ip create \
--resource-group $NODE_RG \
--name boltmcp-ingress-ip \
--sku Standard \
--allocation-method Static \
--zone 1 2 3 \
--location westeuropeThe --location should match the region of your AKS node resource group. The create command's JSON response includes the assigned ipAddress - note it down. If you lose it, look it up again with az network public-ip show -g $NODE_RG -n boltmcp-ingress-ip --query ipAddress -o tsv.
Set the IP on the ingress controller:
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--reuse-values \
--set controller.service.loadBalancerIP=<static-ip>On AKS - unlike GKE and EKS - the load balancer's external IP changes when you run this upgrade: Azure swaps the ephemeral IP for your reserved one. Update any in-progress DNS work to use the new IP.
Configure DNS
Point each BoltMCP subdomain at the load balancer. The record type depends on what the previous steps gave you, and the hostname values depend on whether your global.domain matches the DNS hosted zone.
- If your load balancer is an IP address (GKE, AKS, or an EKS NLB+EIP), create A records.
- If it's a DNS hostname (the default EKS Classic ELB), create CNAME records - a raw hostname can't go in an A record.
In the tables below, <lb-endpoint> is the EXTERNAL-IP you noted earlier (an IP or a hostname) and <record-type> is A for an IP or CNAME for a hostname.
BoltMCP's hostnames are always web., auth., server., and inspector. prefixed, so they're never a zone apex - a wildcard or per-service CNAME is always valid for the EKS hostname case. The apex restriction only matters if you've overridden a service URL to a bare apex domain; there, use your provider's ALIAS/ANAME record (or a Route 53 Alias) instead of a CNAME, or switch to an IP and an A record.
You are updating DNS records in a hosted zone which sits above global.domain. For example:
- DNS hosted zone: example.com
- BoltMCP global domain: boltmcp.example.com
If your DNS provider supports wildcard records and a wildcard at this label won't clash with other records in the zone, add a single record:
| Hostname | Type | Value |
|---|---|---|
*.boltmcp | <record-type> | <lb-endpoint> |
Otherwise, create four explicit records:
| Hostname | Type | Value |
|---|---|---|
web.boltmcp | <record-type> | <lb-endpoint> |
auth.boltmcp | <record-type> | <lb-endpoint> |
server.boltmcp | <record-type> | <lb-endpoint> |
inspector.boltmcp | <record-type> | <lb-endpoint> |
If your subdomain is different, replace "boltmcp" in the Hostnames accordingly.
You are updating DNS records in a hosted zone which matches global.domain. For example:
- DNS hosted zone: example.com
- BoltMCP global domain: example.com
If your DNS provider supports wildcard records and a wildcard at the zone root won't clash with other records in the zone, add a single record:
| Hostname | Type | Value |
|---|---|---|
* | <record-type> | <lb-endpoint> |
Otherwise, create four explicit records:
| Hostname | Type | Value |
|---|---|---|
web | <record-type> | <lb-endpoint> |
auth | <record-type> | <lb-endpoint> |
server | <record-type> | <lb-endpoint> |
inspector | <record-type> | <lb-endpoint> |
Verify propagation across all four subdomains:
for h in web auth server inspector; do
printf "%s -> " "$h.<domain>"
dig +short "$h.<domain>" @8.8.8.8 || echo "(none)"
doneEach line should resolve to your load balancer - directly to the IP for A records, or to the load balancer hostname (and, below it, the IPs it points to) for CNAME records. Replace <domain> with your global.domain value.
Install cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=trueWait for all cert-manager pods to be running:
kubectl get pods -n cert-managerCreate a ClusterIssuer
Start with a staging issuer for testing (avoids Let's Encrypt rate limits):
kubectl apply -f ./config/cluster-issuer-staging.yamlapiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: your-email@example.com
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- http01:
ingress:
class: nginxReplace your-email@example.com with a mailbox you actually monitor. Let's Encrypt uses this address to warn you when a certificate is approaching expiry without having auto-renewed - it's your only signal that renewal is broken before the cert goes down.
Verify:
kubectl get clusterissuer
# READY should be TrueCreate the Ingress Resource
kubectl apply -f ./config/boltmcp-ingress.yamlapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: boltmcp-ingress
namespace: boltmcp
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
spec:
ingressClassName: nginx
tls:
- hosts:
- web.boltmcp.example.com
- auth.boltmcp.example.com
- server.boltmcp.example.com
- inspector.boltmcp.example.com
secretName: boltmcp-tls
rules:
- host: web.boltmcp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: boltmcp-web
port:
number: 3000
- host: auth.boltmcp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: boltmcp-keycloak
port:
number: 8080
- host: server.boltmcp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: boltmcp-mcp-server
port:
number: 3001
- host: inspector.boltmcp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: boltmcp-mcp-inspector
port:
number: 6274The proxy-buffer-size annotation is required for Keycloak's large authentication headers.
Watch certificate provisioning:
kubectl get certificates -n boltmcp -w
# Wait for READY to become TrueSwitch to Production Certificates
Once everything works with staging certificates, create a production issuer:
kubectl apply -f ./config/cluster-issuer-production.yamlapiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: your-email@example.com
privateKeySecretRef:
name: letsencrypt-production-account-key
solvers:
- http01:
ingress:
class: nginxAgain, replace your-email@example.com with a monitored mailbox so you receive Let's Encrypt's renewal-failure warnings.
Update the ingress annotation in boltmcp-ingress.yaml (edit the file on disk, not the live resource):
annotations:
cert-manager.io/cluster-issuer: letsencrypt-productionDelete the staging certificate to trigger re-issuance:
kubectl delete secret boltmcp-tls -n boltmcp
kubectl apply -f ./config/boltmcp-ingress.yamlVerify the new certificate:
kubectl get certificates -n boltmcp -w
# Wait for READY = TrueYour browser should now show a trusted certificate without security warnings.
Congratulations
You've successfully exposed BoltMCP to the public internet with TLS-secured ingress. Your cluster is now reachable at your configured hostnames with valid, auto-renewing certificates.