Documentation versions (currently viewing Vaadin 25 (prerelease))

Automatic DNS and Certificate Management

Learn how to configure Control Center to automatically create DNS records and certificates for your applications.

Control Center supports automatic DNS record creation and TLS certificate issuance for deployed applications. This enables immediate and secure access to each application by its hostname, with valid HTTPS certificates issued by Let’s Encrypt.

Overview

When DNS automation is enabled, Control Center deploys and configures the ExternalDNS operator. This operator manages DNS records for applications using supported DNS providers. Certificate management is handled via cert-manager and an ACME issuer preconfigured for Let’s Encrypt.

Supported DNS Providers

Any provider supported by ExternalDNS can be used. Common options include:

The full list of supported services is maintained in the ExternalDNS documentation.

DigitalOcean Example Setup

This example demonstrates how to configure automatic DNS and certificate management using DigitalOcean DNS.

Note

For other DNS providers, refer to the ExternalDNS tutorials.

Adding a Domain in DigitalOcean

Before DNS records can be created automatically, the domain must be managed by DigitalOcean. This involves configuring the domain’s authoritative name servers to point to DigitalOcean and adding the domain in the control panel.

To add a domain:

  1. Log in to the DigitalOcean control panel.

  2. Navigate to Networking > Domains.

  3. Click Add Domain and enter the domain name (for example, example.com).

  4. Update the domain’s name servers at the domain registrar to the following DigitalOcean name servers:

    • ns1.digitalocean.com

    • ns2.digitalocean.com

    • ns3.digitalocean.com

Once DNS propagation is complete, DigitalOcean becomes the authoritative DNS provider for the domain.

For full instructions, refer to the official guide: How to Add Domains.

Important

Automatic DNS record creation only works if the domain is correctly added to DigitalOcean and its name servers are in use.

Create a DigitalOcean API Token

Create a Personal Access Token in the DigitalOcean control panel with access to manage domains. The token needs full-access permissions to the domain scope.

Store the Token in a Kubernetes Secret

Save the token as a secret in the namespace where Control Center is installed:

Terminal
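# Create the namespace, then store the token under the key "token" in the digitalocean-dns Secret.
# A token typed as a literal argument is recorded in shell history and visible in the process list.
kubectl create namespace vaadin
kubectl create secret -n vaadin generic digitalocean-dns --from-literal=token=YOUR_DIGITALOCEAN_TOKEN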

Configure Control Center

Create a my-values.yaml file with the following configuration:

my-values.yaml
user:
  email: me@example.com
app:
  host: control.example.com
dns:
  enabled: true
  provider:
    name: digitalocean
  txtOwnerId: control-center
  domainFilters:
    - example.com
  env:
    - name: DO_TOKEN
      valueFrom:
        secretKeyRef:
          name: digitalocean-dns
          key: token

This configuration enables DNS automation and instructs ExternalDNS to manage records under example.com using the specified token.

Install or Upgrade Control Center

Apply the configuration using Helm:

Terminal
helm upgrade -i control-center oci://docker.io/vaadin/control-center \
  --namespace vaadin \
  -f my-values.yaml

Once installed, Control Center automatically:

  • Creates the DNS record for control.example.com

  • Issues a valid TLS certificate from Let’s Encrypt

  • Keeps both DNS and certificates updated
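Pre-flight checks for the procedure above, added here as an example and not taken from Vaadin's documentation or Control Center. They confirm the domain is delegated to the three DigitalOcean name servers, confirm that app.host falls under dns.domainFilters, and create the Secret without putting the token on the command line. The function names are hypothetical, and dig is assumed to be installed for the live delegation check.

```shell
#!/bin/sh
# Added example: pre-flight checks for the DigitalOcean setup described above.
# Function names are hypothetical; nothing here is part of Control Center.

# Succeeds only if every NS name on stdin (one per line) is one of the three
# DigitalOcean name servers listed on this page, and at least one was seen.
# Live use: dig +short NS example.com | delegated_to_digitalocean
delegated_to_digitalocean() {
  seen=0
  while IFS= read -r ns || [ -n "$ns" ]; do
    ns=$(printf '%s' "$ns" | tr 'A-Z' 'a-z')
    ns=${ns%.}                       # dig prints names with a trailing dot
    [ -z "$ns" ] && continue
    case "$ns" in
      ns1.digitalocean.com|ns2.digitalocean.com|ns3.digitalocean.com) seen=1 ;;
      *) return 1 ;;                 # still delegated (partly) elsewhere
    esac
  done
  [ "$seen" -eq 1 ]
}

# Succeeds if app.host equals one of dns.domainFilters or is a subdomain of it.
# Matching on a label boundary keeps notexample.com out of example.com.
# Usage: host_in_filters control.example.com example.com
host_in_filters() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  for f in "$@"; do
    f=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
    [ "$host" = "$f" ] && return 0
    case "$host" in *".$f") return 0 ;; esac
  done
  return 1
}

# Creates the same Secret as the page's kubectl command, but reads the token
# from a no-echo prompt so it never lands in shell history or the process list.
create_token_secret() {
  printf 'DigitalOcean token: ' >&2
  stty -echo; IFS= read -r token; stty echo; printf '\n' >&2
  printf '%s' "$token" |
    kubectl create secret -n vaadin generic digitalocean-dns \
      --from-file=token=/dev/stdin
  unset token
}
```

Run the two checks before helm upgrade; a failing delegation check means ExternalDNS would write records into a zone that resolvers never query.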

Use Cases and Benefits

  • Zero manual DNS setup: Application hostnames are automatically registered.

  • Secure by default: Valid TLS certificates are issued and renewed automatically.

  • Minimal configuration effort: DNS and certificate management are provisioned by enabling a single feature in Helm values.