DNS Configuration

Introduction

DNS records must be configured to point to your Manifest deployment before users can access the platform. All subdomains should resolve to the IP address or load balancer of your Kubernetes cluster's ingress controller (i.e. the server's public IP address).

Wildcard DNS Recommendation

We recommend using wildcard DNS records where possible. This approach offers several advantages:

  • A wildcard record *.buckets.<your-domain> can cover all 15+ bucket subdomains
  • This simplifies management and future-proofs against new bucket additions
  • Two wildcard records (*.<your-domain> and *.buckets.<your-domain>) can cover all required DNS entries

Using wildcards reduces configuration complexity and ensures new services are automatically accessible without additional DNS changes.

Required DNS Records

The following DNS records are required for a complete Manifest deployment. All records should point to your cluster's ingress IP address or load balancer.

Core Application Services

Subdomain    Purpose
app          Main web application
api          API endpoint
auth         Authentication service

Object Storage (MinIO)

Subdomain        Purpose
console.minio    MinIO web console
buckets          Base bucket endpoint

Storage Buckets

These subdomains can be covered by a single wildcard record *.buckets.<your-domain>:

Subdomain                             Purpose
downloadable-files.buckets            Downloadable file storage
ingestion-epss.buckets                EPSS data ingestion
ingestion-kev.buckets                 KEV data ingestion
ingestion-nvd.buckets                 NVD data ingestion
ingestion-osv.buckets                 OSV data ingestion
sbom-converted.buckets                Converted SBOM storage
sbom-enriched.buckets                 Enriched SBOM storage
sbom-extracted-data.buckets           Extracted SBOM data
sbom-merged.buckets                   Merged SBOM storage
sbom-original.buckets                 Original SBOM storage
sbom-updated.buckets                  Updated SBOM storage
vex-original.buckets                  VEX document storage
mongodb-enterprise-backups.buckets    MongoDB backup storage
mongodb-enterprise-oplogs.buckets     MongoDB oplog storage
postgres-backups.buckets              PostgreSQL backup storage

Monitoring

Subdomain    Purpose
grafana      Grafana monitoring dashboard

Identity & Access Management (Optional)

The following records are necessary if deploying Keycloak as part of the Manifest Self-Hosted deployment.

Subdomain         Purpose
keycloak          Keycloak identity provider
keycloak-admin    Keycloak administration console

Configuration Examples

Wildcard Approach (Recommended)

Using wildcard DNS records minimizes configuration and maintenance:

# Two A records (or CNAME records) cover all subdomains
*.<your-domain>           A    <ingress-ip>
*.buckets.<your-domain>   A    <ingress-ip>

Example with a concrete domain:

*.manifest.example.com           A    192.168.1.100
*.buckets.manifest.example.com   A    192.168.1.100

Individual Records Approach

If wildcard records are not supported, create individual A or CNAME records for each subdomain:

# Core Application Services
app.<your-domain>                              A    <ingress-ip>
api.<your-domain>                              A    <ingress-ip>
auth.<your-domain>                             A    <ingress-ip>

# Identity & Access Management
keycloak.<your-domain>                         A    <ingress-ip>
keycloak-admin.<your-domain>                   A    <ingress-ip>

# Object Storage
console.minio.<your-domain>                    A    <ingress-ip>
buckets.<your-domain>                          A    <ingress-ip>

# Storage Buckets
downloadable-files.buckets.<your-domain>       A    <ingress-ip>
ingestion-epss.buckets.<your-domain>           A    <ingress-ip>
ingestion-kev.buckets.<your-domain>            A    <ingress-ip>
ingestion-nvd.buckets.<your-domain>            A    <ingress-ip>
ingestion-osv.buckets.<your-domain>            A    <ingress-ip>
sbom-converted.buckets.<your-domain>           A    <ingress-ip>
sbom-enriched.buckets.<your-domain>            A    <ingress-ip>
sbom-extracted-data.buckets.<your-domain>      A    <ingress-ip>
sbom-merged.buckets.<your-domain>              A    <ingress-ip>
sbom-original.buckets.<your-domain>            A    <ingress-ip>
sbom-updated.buckets.<your-domain>             A    <ingress-ip>
vex-original.buckets.<your-domain>             A    <ingress-ip>
mongodb-enterprise-backups.buckets.<your-domain>   A    <ingress-ip>
mongodb-enterprise-oplogs.buckets.<your-domain>    A    <ingress-ip>
postgres-backups.buckets.<your-domain>         A    <ingress-ip>

# Monitoring
grafana.<your-domain>                          A    <ingress-ip>

Verification

After configuring DNS records, verify propagation using dig or nslookup:

# Using dig
dig app.<your-domain>
dig +short app.<your-domain>

# Using nslookup
nslookup app.<your-domain>

Verify that the returned IP address matches your cluster's ingress IP. DNS propagation may take up to 48 hours depending on your DNS provider and TTL settings, though most changes propagate within minutes.

To verify wildcard records are working:

# Test a bucket subdomain
dig +short sbom-original.buckets.<your-domain>

# Test a core service
dig +short api.<your-domain>

Both queries should return the same ingress IP address.
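
The spot checks above, extended into a script that tests every hostname from the record tables instead of two samples (an added example, not part of the Manifest documentation). It queries each name on its own, including the bare buckets name and the two-label console.minio name, so a name the wildcards do not cover or a stale record pointing elsewhere shows up as MISSING or MISMATCH. It assumes a single expected IPv4 address; the script name check-dns.sh and the CHECK_KEYCLOAK switch are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Usage: ./check-dns.sh <your-domain> <ingress-ip>
# Assumption: every name must resolve to exactly one IPv4 address.

# Hostname prefixes taken from the record tables on this page.
MANIFEST_HOSTS="app api auth console.minio buckets grafana
downloadable-files.buckets ingestion-epss.buckets ingestion-kev.buckets
ingestion-nvd.buckets ingestion-osv.buckets sbom-converted.buckets
sbom-enriched.buckets sbom-extracted-data.buckets sbom-merged.buckets
sbom-original.buckets sbom-updated.buckets vex-original.buckets
mongodb-enterprise-backups.buckets mongodb-enterprise-oplogs.buckets
postgres-backups.buckets"
# Only required when Keycloak is deployed (set CHECK_KEYCLOAK=1 to include).
KEYCLOAK_HOSTS="keycloak keycloak-admin"

# resolve NAME: print the A-record addresses for NAME, one per line.
# dig +short also prints CNAME targets, so keep only IPv4-looking lines.
resolve() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# check_host FQDN EXPECTED_IP: print a status line, return 0 only on a match.
check_host() {
  local fqdn="$1" expected="$2" answers
  answers=$(resolve "$fqdn" | sort -u | tr '\n' ' ')
  answers=${answers% }
  if [ -z "$answers" ]; then
    echo "MISSING   $fqdn"; return 1
  elif [ "$answers" != "$expected" ]; then
    echo "MISMATCH  $fqdn -> $answers (expected $expected)"; return 1
  fi
  echo "OK        $fqdn"
}

# check_all DOMAIN EXPECTED_IP: check every name; exit status = failure count.
check_all() {
  local domain="$1" expected="$2" failures=0 host hosts="$MANIFEST_HOSTS"
  if [ "${CHECK_KEYCLOAK:-0}" = 1 ]; then hosts="$hosts $KEYCLOAK_HOSTS"; fi
  for host in $hosts; do
    check_host "$host.$domain" "$expected" || failures=$((failures + 1))
  done
  return "$failures"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then check_all "$1" "$2"; exit; fi
```

A non-zero exit status is the number of names that were missing or resolved to an unexpected address, which makes the script usable as a post-change gate in a deployment pipeline.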