Networking
The Networking section of the Cockpit lets you create and manage ingresses and certificates, handle redirects and configure your desired redirect settings, and manage secrets.
Select desired cluster
Select your desired cluster from the dropdown menu at the top of the Cockpit.

Ingresses
You can add an ingress for any domain you choose. The instructions here focus on managing Ingresses from the Cockpit. You can also create an ingress manually in Kubernetes; these are viewable from the Cockpit and are marked as custom.
- Actions
Add an ingress
-
Go to Networking > Ingresses.
-
Select the desired Cluster from the dropdown list.
-
Click Add Ingress.
-
In the dialog:
-
Give your Ingress a Name.
-
Choose a Namespace.
-
If you want, add rule(s) under Rules.
What are Ingress rules? Ingress rules specify the direction of allowed access to and from different identities and resources.
-
Path type: Choose the path type.
-
ImplementationSpecific: Matching is up to the IngressClass.
-
Exact: Matches the URL path exactly, including being case-sensitive.
-
Prefix: Matches based on a URL path prefix split by /. This is case-sensitive.
-
Host: Choose the host from the dropdown menu. Only available hosts are listed.
-
Path: Specify the path itself, such as /icons or /docs.
-
Service: Choose the desired service from the dropdown. This is typically public or author.
-
Port: Choose the port. This can be the port number (such as 9090) or the port name if a name is given. Check Rancher for the port name and number if needed.
-
-
If you want, add Certificates to the Ingress.
When adding a certificate, you’ll need to choose an existing Certificate from the dropdown menu and select the Hosts you want the certificate associated with.
-
Don’t forget to click Add Ingress.
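How the Exact and Prefix path types decide which requests a rule covers, shown as an added example that is not Cockpit or Magnolia code. It follows the Kubernetes Ingress path-matching rules; `segments` and `pathMatches` are names made up for this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// segments splits a URL path on "/" and drops empty elements, so a
// trailing slash does not create an extra element.
func segments(p string) []string {
	var out []string
	for _, s := range strings.Split(p, "/") {
		if s != "" {
			out = append(out, s)
		}
	}
	return out
}

// pathMatches applies the Exact and Prefix rules to a request path.
// ImplementationSpecific is decided by the IngressClass, so it is not modelled.
func pathMatches(pathType, rulePath, reqPath string) bool {
	switch pathType {
	case "Exact":
		return rulePath == reqPath // case-sensitive, trailing slash matters
	case "Prefix":
		rule, req := segments(rulePath), segments(reqPath)
		if len(rule) > len(req) {
			return false
		}
		for i := range rule {
			if rule[i] != req[i] { // whole path elements, case-sensitive
				return false
			}
		}
		return true
	}
	return false
}

func main() {
	// Constructed request paths checked against a rule for /docs.
	for _, req := range []string{"/docs", "/docs/", "/docs/api", "/docsold", "/Docs"} {
		fmt.Printf("%-10s Exact=%-5v Prefix=%v\n", req,
			pathMatches("Exact", "/docs", req), pathMatches("Prefix", "/docs", req))
	}
}
```

A Prefix rule for /docs covers /docs/api but not /docsold, because matching is done per path element rather than per character.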
-
Associate an ingress with CDN
To associate an ingress with the CDN:
-
Under Networking > Ingresses (tab), select your desired Ingress from the list.
-
On the right, select the accordion.
-
Click Enable CDN.
-
Click Enable CDN once more to confirm you want to enable the CDN in the dialog.
Edit an ingress
-
Under Networking > Ingresses (tab), select your desired Ingress from the list.
-
On the right, select the accordion (you may need to scroll over).
-
Click Edit Ingress.
-
Edit the Rules or Certificates.
-
Click Edit Ingress to save your changes.
Delete an ingress
To delete an ingress:
-
Under Networking > Ingresses (tab), select your desired Ingress from the list.
-
On the right, select the accordion.
-
Click Delete Ingress.
Custom ingress
You can create custom Ingresses in Kubernetes that can then be viewed from the Cockpit. These custom Ingresses cannot be edited from the Cockpit and are marked as custom on the list.

To ensure your custom Ingress is viewable from the Cockpit, add the following as part of the ingress file.
...
magnolia.info/is-custom = true
...
Manage certificates
You can manage your own certificates directly in the Cockpit under the Networking section. You can either choose to add a managed certificate or add a custom certificate.
The Networking > Certificates section displays useful information in a table format including the certificate status, validity period, and whether or not the certificate is custom. You can also filter by Type, Method, and Status.
Managed
Managed certificates involve fewer manual steps on your side. Once set up, we take care of everything, ensuring your certificate stays valid and up to date.
You have two options: HTTP-01, which is the most straightforward option, and DNS-01, which involves just a few minor steps. See the tabs below to decide which option is best for your DX Cloud project.
HTTP-01
Triggers automatically if your ingress includes the cert-manager.io/cluster-issuer annotation (e.g., for LetsEncrypt).
ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod" (1)
(1) Specifies the issuer. Also, automatically triggers a managed certificate when applied.
In this case, no DNS changes are required as it verifies via a temporary HTTP endpoint.
Best for: Simple setups where the domain is publicly accessible from port 80.
DNS-01
You need to add the provided CNAME record to your domain’s DNS settings to prove ownership.
Best for:
-
ECDSA certificates (e.g., 256-bit ECDSA key) if required by LetsEncrypt.
-
Multi-cluster setups where the same domain is used across different clusters.
Custom
You have more control with custom certificates. However, with more control comes more steps for you. You manage your certificate through a Certificate Signing Request (CSR).
You’ll generate a CSR through the Cockpit, then use it to request a signed certificate from your Certificate Authority (CA).
Once you receive the signed certificate, upload it back into our Cockpit. From there, you retain full control over the certificate’s lifecycle, including renewals and updates.
See Add certificate for Cockpit instructions.
- Actions
Add certificate
This section provides guidance on adding both managed and custom certificates.
There are some limitations for certificates:
-
The maximum number of subdomains per domain is 100.
-
The maximum subdomain and domain length combined is 250 characters.
-
You should add a certificate with either a 2048-bit RSA key, 4096-bit RSA key or 256-bit ECDSA key.
-
You can use wildcards for custom certificates, which are handled as part of these instructions. However, if using LetsEncrypt, you must file a Support request for wildcard certificates.
Managed certificates
View from the Cockpit
-
Go to your Cockpit and navigate to Networking > Certificates.
-
Click Add certificate.
-
Click Add managed certificate.
-
Give the certificate a Name. The name must match the Kubernetes resource naming scheme (e.g., example-certificate).
Names must start with a letter and can contain letters, numbers, hyphens (-), and underscores (_) only.
-
Select the Key size for your certificate.
Key sizes explained
-
Enter your Domain (e.g., example.com).
-
Choose the Issuer from the dropdown menu.
Currently, this is limited to LetsEncrypt.
-
Click Add managed certificate.
-
If using HTTP-01 (via Ingress annotation), no further steps are needed.
-
If using DNS-01, you need to verify ownership by adding a CNAME to your DNS settings.
-
Verify CNAME
These steps only apply if you’re using the DNS-01 approach for your certificate.
-
Go to your Cockpit and navigate to Networking > Certificates.
-
From the table, select your managed certificate.
-
On the right, click the green circle with lines.
-
Click Verify CNAME.
-
In the dialog, copy the CNAME.
Example: _acme-challenge.example.com. IN CNAME 1234beq2-1234-112A-3w21-12380ab31t2t.auth.host.com.
-
Paste the CNAME into your DNS settings.
This allows Magnolia to verify you have control over the domain and delegate the resolution of ACME challenges to our infrastructure.
The system constantly checks the presence of this record in the background. Keep the entry in your DNS as long as the domain should be managed by Magnolia. Automatic certificate issuance and renewal starts as soon as the record has been created.
Custom certificates
View from the Cockpit
-
Go to your Cockpit and navigate to Networking > Certificates.
-
Click Add certificate.
-
Click Add custom certificate.
-
Give the certificate a Name.
Names must start with a letter and can contain letters, numbers, hyphens (-), and underscores (_) only.
-
Enter an Alternative name for your certificate. This will autofill the Common Name.
-
If the common name is different than the Alternative name, enter the Common Name for your certificate.
Important information on common names
-
Enter the Organization associated with the certificate.
This is the full legal company or personal name (such as Magnolia International or Frolicking Fairies).
-
If applicable, provide the Organizational Unit name.
Example: The Awesome Department
-
Enter the Locality, the full city name.
Example: Kilgarvan
-
Enter the State, the full state name.
Example: Kerry
-
Enter the Country’s two-letter code.
Example: IE
-
Click Add custom certificate.
Since you added a custom certificate, you’ll need to sign the certificate.
Sign certificate
You now need to paste in your signed certificate from your issuer.
-
Go to your Cockpit and navigate to Networking > Certificates.
-
From the table, select the certificate you want to sign.
-
On the right, click the green circle with lines.
-
Click Install certificate.
-
Copy the content here so you can send it to your issuer to sign the certificate.
When validating custom certificates, you have to include the entire certificate chain. Below is just an example to give you an idea on how that would look. Example request
-
Once you have your signed certificate from your issuer, paste it into the Paste signed certificate text area.
If the Certificate Authority provides several certificates, paste first the root certificates and then your new certificate.
-
Click Install certificate to complete the process.
-
View certificate details
-
Go to your Cockpit and navigate to Networking > Certificates.
-
Go to the certificate you want to view.
-
On the right, click the green circle with lines.
-
Click Certificate details.
Here, you can see important details such as:
-
Certificate hierarchy
-
Certificate type
-
Who the certificate was issued to
-
Who the certificate was issued by
-
The validity period of the certificate
-
Fingerprints such as Algorithm and key size
Create redirects
You can view redirects that you have created or add them directly yourself from the Cockpit. You must publish any changes you make to redirects.

- Important concepts
- Actions
Good to knows
-
The redirects server is a proxy server.
-
Redirects are evaluated in order of appearance when entered. The first match is accepted.
-
We use the Source URL to detect duplicate entries when you add a single redirect or batch import redirects (CSV).
If the redirect you enter is a duplicate, you get a 409 error code, showing the duplicate already exists. If there are any duplicates in a batch import of redirects, the entire batch is rejected. However, we notify you in the Cockpit of the specific duplicate entries so you can remove them from the batch.
-
Only 3xx status codes are acceptable. Different codes affect the browser in different ways. For more, see here.
-
If there is an issue with your .csv import when you import redirects, the dialog will inform you of what the issue is so you can remedy it.
-
Some applications (like Microsoft Excel) wrap quotations (") around CSV lines. You need to remove those quotations if importing or adding a redirect in the Cockpit.
-
You can use RE2 syntax.
RE2 Syntax examples
Regex example: https://www.example.com/[0-9]{2}(bar|baz) matches https://www.example.com/01bar or https://www.example.com/14baz
Wildcard example: https://www.example.com/(.*) → https://www.example.com/$1.html redirects https://www.example.com/test to https://www.example.com/test.html
Redirect status
You can see the status of a redirect under the Status column in the redirect table.
-
Synced: Published redirect including any changes (if applicable).
-
Created: New redirect; unpublished.
-
Modified: Changes were made to the redirect; unpublished.
-
Deleted: The redirect is marked for deletion; it is removed the next time you publish.
To filter redirect statuses:
-
In your Cockpit, go to Networking > Redirects.
-
Click Status.
-
From the dropdown, choose the desired statuses.
-
Click Save.
To remove the status filter:
-
Click the next to the selected Status button.
Select desired cluster
Select your desired cluster from the dropdown menu at the top of the Cockpit.

Add redirect server
By default, redirects are served from the backend. However, you can configure the settings to suit your needs if you want to use a Frontend redirect. Follow the instructions here to do just that:
-
In your Cockpit, go to Networking > Redirects.
-
Click the Add redirect server button.
-
In the dialog, choose the settings that best suit your needs.
-
Choose the number of Replicas you would like. There is a minimum of 2 redirect server replicas.
You may choose as many replicas as needed. However, if no more memory is available, the system rejects new replicas.
-
Under Redirects server, choose Backend or Frontend.
If choosing Frontend, you’ll need to pass the port number you want to use, such as 3000.
-
Under Load balancing, choose Round Robin or Cookie based load balancing.
If choosing Cookie based, you’ll need to give the cookie a name. If you have sticky sessions enabled, this name must be the same as the value in the nginx.ingress.kubernetes.io/session-cookie-name ingress annotation in your values.yml file.
-
-
Don’t forget to save your updates.
Add redirects
-
Go to Networking > Redirects.
-
Select the desired Environment from the dropdown list.
-
Add a single redirect or import a redirect CSV file.
-
Click Add.
-
In the dialog, fill out the following.
-
The Source URL. This is the place to redirect from.
-
The Target URL. This is the place to redirect to.
-
The Code. This is the HTTP status code passed with the redirect. Only 3xx HTTP codes are acceptable.
-
Check Url with regular expression if the URL provided uses RegEx.
(.*)
Why use RegEx?
-
Click Add to complete the action.
-
-
Click Upload/Modify.
-
Click Choose File to import a CSV file for redirects.
Format:
Id,Source,Target,Code,IsRegex (1)
(1) Only 3xx HTTP codes are acceptable.
Id is optional. If an Id is provided, the system tries to match it with an existing record and update it. If blank or no match is found, a new record is created.
Example:
Id,Source,Target,Code,IsRegex
1,https://www.example.com/[0-9]{2}(bar%7Cbaz),https://www.example.be/barbaz.html,308,true
-
Select your file.
-
Click Upload/Modify to complete the action.
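A pre-upload check for the import rules listed under Good to knows and the CSV format above, as an added example rather than Magnolia tooling. `lintRedirects` and the sample rows are constructed here; Go's regexp package is used because it implements RE2 syntax.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleCSV is constructed: row 4 repeats a Source and has a non-3xx code,
// row 5 uses a lookahead (not RE2), row 6 is wrapped in quotes.
const sampleCSV = `Id,Source,Target,Code,IsRegex
1,https://www.example.com/[0-9]{2}(bar|baz),https://www.example.be/barbaz.html,308,true
,https://www.example.com/old,https://www.example.com/new,301,false
,https://www.example.com/old,https://www.example.com/other,200,false
,https://www.example.com/a(?=b),https://www.example.com/b,301,true
",https://www.example.com/x,https://www.example.com/y,301,false"
`

// lintRedirects returns one message per broken import rule.
func lintRedirects(data string) (problems []string) {
	r := csv.NewReader(strings.NewReader(data))
	r.FieldsPerRecord = -1 // accept any width so bad rows are reported, not fatal
	rows, err := r.ReadAll()
	if err != nil {
		return []string{"unreadable CSV: " + err.Error()}
	}
	seen := map[string]int{} // Source URL -> last row it appeared on
	for i, row := range rows {
		switch {
		case i == 0 && len(row) == 5 && row[1] == "Source":
			continue // header row
		case len(row) != 5:
			problems = append(problems, fmt.Sprintf("row %d: %d field(s), want 5 (line wrapped in quotes?)", i+1, len(row)))
			continue
		}
		src, code, isRegex := row[1], row[3], row[4]
		if prev, dup := seen[src]; dup { // one duplicate rejects the whole batch
			problems = append(problems, fmt.Sprintf("row %d: duplicate Source (also on row %d)", i+1, prev))
		}
		seen[src] = i + 1
		if c, err := strconv.Atoi(code); err != nil || c < 300 || c > 399 {
			problems = append(problems, fmt.Sprintf("row %d: code %q is not 3xx", i+1, code))
		}
		if _, err := regexp.Compile(src); isRegex == "true" && err != nil { // RE2 only
			problems = append(problems, fmt.Sprintf("row %d: Source is not valid RE2: %v", i+1, err))
		}
	}
	return problems
}

func main() {
	fmt.Println(strings.Join(lintRedirects(sampleCSV), "\n"))
}
```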
-
Manage redirects
If necessary, you can also edit or delete a redirect.
-
Go to Networking > Redirects.
-
Select the desired Cluster from the dropdown list.
-
Select the desired Environment from the dropdown list.
-
Select the redirect you want to manage.
Publish redirects
You must publish any changes you’ve made to redirects from within the Cockpit.
-
Go to Networking > Redirects.
-
Make changes as desired inside the Redirects screen.
-
Click Publish all.
-
Enter a meaningful message so it’s easier to understand what changes were made. This is useful if you need to restore changes.
-
Click Publish all.
Add secrets
Secrets are sensitive data, like passwords or tokens, stored securely for certain tasks. These secrets securely authenticate Cockpit’s network operations. For example, they can be used with Ingresses. The secret types covered in this section are:
-
Opaque: Store custom credentials (e.g., API tokens).
-
Registry: Provide credentials for container registries.
-
Basic Auth: Set up HTTP Basic Authentication.
Instructions
-
Go to your Cockpit and navigate to Networking > Secrets.
-
Choose the Environment.
-
Click Add.
-
In the dialog, choose the Type of secret.
Opaque: Store custom credentials (e.g., API tokens).
-
Enter the Key.
-
Enter the Value.
You may need to click the icon.
Registry: Provide credentials for container registries.
-
Enter the Domain name. For example, registry.magnolia-platform.com.
-
Enter the User.
-
Enter the Password.
Basic Auth: Set up HTTP Basic Authentication.
-
Enter the User.
-
Enter the Password.
-