Managed by Kubernetes
If you have ExternalDNS installed and configured, you can create an Ingress object to fully automate the process of reserving a domain in ngrok, updating DNS records with your DNS provider to the ngrok-provided CNAME record, and receiving a TLS certificate. If you aren’t using ExternalDNS or a similar tool, you must manually create records for each Ingress or Gateway you provision.Ingress
If you create an ingress object (k8s ingress) or route object (Gateway API) with a hostname that isn’t a standard ngrok domain, the Operator will attempt to create a custom white-label domain for you. This domain will be reserved and registered with ngrok but you must configure its DNS records before you can use it. This will be registered in the ngrok API and also show up as a domain CRD. For example, if you create an ingress object like the one shown below, the Operator will attempt to reserve and register the domainfoo.bar.com with ngrok:
status.loadBalancer.ingress field.
kubectl get ingress -o yaml example-ingress
Gateway
Using a custom domain with the Gateway API is similar to the Ingress example above. If you create the following Gateway, the ngrok-operator will reserve the domain for you:status.addresses field:
Wait for the TLS certificate to provision
Once you’ve reserved a custom domain and pointed your CNAME at the value above, ngrok provisions a TLS certificate from an ACME provider such as Let’s Encrypt. This typically completes within a few minutes after your CNAME is resolvable, but DNS propagation or a slow DNS challenge can push it longer. While the certificate is still being provisioned, ngrok terminates HTTPS with a default ngrok wildcard certificate that does not match your custom hostname. If you send traffic to your endpoint over HTTPS during this window, clients will see a certificate name-mismatch warning (for example,NET::ERR_CERT_COMMON_NAME_INVALID in Chrome).
This is expected during provisioning and clears as soon as the certificate is issued.
The Domain CRD surfaces provisioning state through its status conditions.
Check CertificateReady, DNSConfigured, and Progressing to see whether the certificate is still being issued or blocked on a DNS configuration error:
CertificateReady stays False with reason ProvisioningError, recheck the CNAME records you configured against the status.cnameTarget value on the domain.
For wildcard custom domains, both CNAME records described in TLS certificate provisioning must exist before the certificate can be issued.