Networking, Ingress & Domains
Eloquent supports two networking models: platform-managed ingress with automatic TLS, or customer-managed routing where your own reverse proxy handles traffic.
Ingress Models
Platform-Managed Ingress
The Helm chart deploys ingress-nginx resources with cert-manager for automatic Let's Encrypt TLS:
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
This mode creates Kubernetes Ingress resources for all enabled frontend apps and backend services.
Customer-Managed Ingress
For deployments where your organization manages its own reverse proxy (nginx, F5, Azure Application Gateway, etc.):
ingress:
enabled: false
When disabled, your reverse proxy routes external traffic to Kubernetes services via internal DNS:
your-proxy → api-gateway-service.eloquent.svc.cluster.local:80
your-proxy → eloquent-app.eloquent.svc.cluster.local:3000
your-proxy → admin-app.eloquent.svc.cluster.local:3000
You are responsible for TLS termination and certificate management.
Domain Configuration
Required Domains
| Setting | Purpose | Example |
|---|---|---|
customerDeployment.domain | Base domain (used for CORS) | customer.example.com |
customerDeployment.apiGatewayPublicUrl | Public API endpoint | https://api.customer.example.com |
customerDeployment.chatPublicUrl | Chat SSE/WebSocket endpoint | https://chat.customer.example.com/v1/chat |
customerDeployment.sandboxSubdomain | Sandbox service subdomain | sandbox |
appBaseUrl | App URL (used in invite emails) | https://app.customer.example.com |
Per-App Hosts
frontend:
eloquentApp:
host: app.customer.example.com
adminApp:
host: admin.customer.example.com
Chat Service Networking
The chat service requires special ingress configuration for SSE streaming and WebSocket support:
| Setting | Value | Purpose |
|---|---|---|
websocket-services | chat-service | Enable WebSocket upgrade |
proxy-buffering | off | Required for SSE streaming |
affinity | cookie | Sticky sessions for WebSocket |
proxy-read-timeout | 3600 | Long-lived connections (1 hour) |
These are automatically configured in the Helm chart's chat ingress template. If using customer-managed ingress, apply equivalent settings to your reverse proxy.
Cross-Namespace Communication
In customer deployments, the platform typically runs in its own namespace (e.g., eloquent) while customer applications run in a separate namespace:
customer-namespace/
└── customer-nginx → eloquent-namespace/api-gateway-service
Services are accessed via Kubernetes internal DNS:
<service-name>.<namespace>.svc.cluster.local
CORS Configuration
CORS is configured through the customerDeployment.domain setting. The API Gateway allows requests from:
- The configured domain and its subdomains
- Any domains specified in the domain allowlist
Ensure all frontend application domains are covered by the CORS configuration.
Proxy Settings
| Setting | Default | Description |
|---|---|---|
| Body size limit | 100MB | Maximum upload size |
| Read timeout | 60s (3600s for chat) | Maximum response wait time |
| WebSocket support | Enabled for chat | Full-duplex for legacy transport |
| Proxy buffering | Off for chat | Required for SSE streaming |