Provision External Services
Before building your bundle, provision the external services UDS Core requires: DNS, TLS certificates, object storage, and a database for Keycloak. Work through each section and note the values you’ll need when configuring overrides in the next step.
DNS
UDS Core uses two domains to route traffic:
- Tenant domain — application traffic (e.g., yourdomain.com)
- Admin domain — platform UIs: Keycloak Admin Console, Grafana (e.g., admin.yourdomain.com)
Create wildcard DNS records for both domains. You will point these to your load balancer IP or hostname after deployment — see Deploy to Production for details on retrieving the gateway IPs.
The domain can be set in uds-config.yaml via the shared section:
```yaml
# uds-config.yaml
shared:
  domain: "yourdomain.com"
```
or via the UDS_DOMAIN environment variable. For more detailed guidance, see Configure Ingress Gateways.
TLS Certificates
UDS Core requires TLS certificates for two Istio ingress gateways: admin and tenant. Certificates must be provided in PEM format, base64-encoded, and must include the full certificate chain (server certificate → intermediates → root CA).
| Gateway | Purpose |
| --- | --- |
| Admin | Internal platform UIs (Keycloak Admin, Grafana) |
| Tenant | Application traffic |
To base64-encode a full-chain PEM file:
```bash
base64 -w0 < fullchain.pem            # Linux
base64 -i fullchain.pem | tr -d '\n'  # macOS
```
The resulting values map to these variables in uds-config.yaml:
```yaml
# uds-config.yaml
variables:
  core:
    admin_tls_cert: "LS0t..."   # base64-encoded full cert chain for admin gateway
    admin_tls_key: "LS0t..."    # base64-encoded private key for admin gateway
    tenant_tls_cert: "LS0t..."  # base64-encoded full cert chain for tenant gateway
    tenant_tls_key: "LS0t..."   # base64-encoded private key for tenant gateway
```
For detailed guidance, see Configure Ingress Gateways.
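As an added pre-flight check (not part of the UDS Core docs or project), the Python script below validates the four base64-encoded TLS values before they go into uds-config.yaml: it flags line-wrapped base64 (the output of base64 without -w0), a leaf-only certificate where the full chain is required, a key or certificate placed in the wrong variable, and a passphrase-protected key. The function names, the PEM placeholder bodies and the SAMPLE_CORE values are constructed for this example, not real certificates or keys.

```python
import base64
import re

# Variable names UDS Core reads from variables.core in uds-config.yaml (as listed on this page).
TLS_VARS = {"admin_tls_cert": "cert", "admin_tls_key": "key",
            "tenant_tls_cert": "cert", "tenant_tls_key": "key"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def check_tls_value(value, kind):
    """Return the problems found in one base64-encoded PEM value; kind is 'cert' or 'key'."""
    problems = []
    if re.search(r"\s", value):
        problems.append("base64 contains whitespace/newlines (encode with base64 -w0 or tr -d '\\n')")
    try:  # strip whitespace first so a wrapped value still gets its content checked below
        pem = base64.b64decode(re.sub(r"\s", "", value), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return problems + ["value is not valid base64"]
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem)]
    if not labels:
        return problems + ["decoded value contains no PEM block (DER file or wrong file encoded?)"]
    if kind == "cert":
        if any(label != "CERTIFICATE" for label in labels):
            problems.append("cert value contains non-certificate blocks: %s" % sorted(set(labels)))
        if labels.count("CERTIFICATE") < 2:
            problems.append("single certificate only; full chain (server -> intermediates -> root) is required")
    else:
        if not labels[0].endswith("PRIVATE KEY"):
            problems.append("key value does not start with a PRIVATE KEY block (got %s)" % labels[0])
        if "ENCRYPTED" in pem:
            problems.append("private key is passphrase-protected; the gateway secret needs an unencrypted key")
    return problems

def check_core_tls(core_vars):
    """Check all four gateway TLS variables; returns {variable: [problems]} (empty list = pass)."""
    return {name: (check_tls_value(core_vars[name], kind) if name in core_vars else ["variable missing"])
            for name, kind in TLS_VARS.items()}

# Constructed sample values: the PEM bodies are placeholders, not real certificates or keys.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
SAMPLE_CORE = {
    "admin_tls_cert": base64.b64encode((CERT * 3).encode()).decode(),  # leaf + intermediate + root
    "admin_tls_key": base64.b64encode(KEY.encode()).decode(),
    "tenant_tls_cert": base64.b64encode(CERT.encode()).decode(),       # mistake: leaf only
    "tenant_tls_key": base64.encodebytes(KEY.encode()).decode(),       # mistake: line-wrapped base64
}

if __name__ == "__main__":
    for name, problems in check_core_tls(SAMPLE_CORE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```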
Object Storage
Loki (log storage) and Velero (backup storage) require object storage. Both support native cloud provider backends (S3, GCS, Azure Blob) as well as S3-compatible options like MinIO. Create the following buckets before deploying:
| Component | Buckets needed |
| --- | --- |
| Loki | chunks, admin |
| Velero | velero-backups (or your preferred name) |
Provider options
| Provider | Service | Notes |
| --- | --- | --- |
| AWS | S3 | Use IAM role for service account or access keys |
| Azure | Azure Blob Storage | Use Managed Identity or storage account credentials |
| GCP | Google Cloud Storage | Use Workload Identity or service account key |
| On-premises | MinIO | MinIO Operator UDS Package available |
Note the following for each bucket: endpoint URL, region, and bucket name. For authentication, you can use static credentials (access key ID and secret access key) or cloud-native identity mechanisms such as AWS IRSA, Azure Workload Identity, or GCP Workload Identity. You will use these when configuring bundle overrides.
For provider-specific Loki setup, see the Loki cloud deployment guides (AWS, Azure, GCP). For Velero, see the Velero supported providers documentation.
Keycloak Database
The local demo uses an embedded dev-mode database, which is not suitable for production. Production deployments require an external PostgreSQL database.
You will need a dedicated database and a dedicated user.
Provider options (PostgreSQL)
| Provider | Service |
| --- | --- |
| AWS | RDS for PostgreSQL |
| Azure | Azure Database for PostgreSQL |
| GCP | Cloud SQL for PostgreSQL |
| On-premises / In-cluster | UDS Postgres Operator Package (Zalando operator) |
Note the following: database host, database name, username, and password. You will use these when configuring bundle overrides.
Checklist
Before moving on, confirm:
- Wildcard DNS records created for tenant domain (*.yourdomain.com)
- Wildcard DNS records created for admin domain (*.admin.yourdomain.com)
- TLS certificates obtained and base64-encoded for both admin and tenant gateways
- Loki object storage buckets created (chunks, admin) and credentials available
- Velero object storage bucket created and credentials available
- Keycloak external database provisioned with dedicated user and credentials available