Unkey

Ingress

Run the Unkey Ingress server (multi-tenant ingress)

Command Syntax

unkey run ingress [flags]

Flags marked (required) must be set for the command to run.

Flags

--http-port

HTTP port for the Ingress server to listen on. Default: 7070

  • Type: integer
  • Default: 7070
  • Environment: UNKEY_HTTP_PORT

--https-port

HTTPS port for the Ingress server to listen on. Default: 7443

  • Type: integer
  • Default: 7443
  • Environment: UNKEY_HTTPS_PORT

--tls-enabled

Enable TLS termination for the ingress. Default: true

  • Type: boolean
  • Default: true
  • Environment: UNKEY_TLS_ENABLED

--platform

Cloud platform identifier for this node. Used for logging and metrics.

  • Type: string
  • Environment: UNKEY_PLATFORM

--image

Container image identifier. Used for logging and metrics.

  • Type: string
  • Environment: UNKEY_IMAGE

--region

Geographic region identifier. Used for logging and routing. Default: unknown

  • Type: string
  • Default: "unknown"
  • Environment: UNKEY_REGION, AWS_REGION

--ingress-id

Unique identifier for this instance. Auto-generated if not provided.

  • Type: string
  • Default: "ingress_AbC1"
  • Environment: UNKEY_GATE_ID

--default-cert-domain

Domain to use for the fallback TLS certificate when a domain has no certificate configured.

  • Type: string
  • Environment: UNKEY_DEFAULT_CERT_DOMAIN

--base-domain

Base domain for region routing. Cross-region requests are forwarded to region.base-domain. Example: unkey.cloud

  • Type: string
  • Default: "unkey.cloud"
  • Environment: UNKEY_BASE_DOMAIN

--database-primary (required)

MySQL connection string for partitioned primary database (ingress operations). Required. Example: user:pass@host:3306/partition_001?parseTime=true

  • Type: string
  • Environment: UNKEY_DATABASE_PRIMARY

--database-replica

MySQL connection string for partitioned read-replica (ingress operations). Format same as database-primary.

  • Type: string
  • Environment: UNKEY_DATABASE_REPLICA

--spire-enabled

Enable SPIRE-based mTLS for gateway communication. Default: false

  • Type: boolean
  • Default: false
  • Environment: UNKEY_SPIRE_ENABLED

--spire-socket-path

Path to SPIRE agent socket. Default: /run/spire/sockets/agent.sock

  • Type: string
  • Default: "/run/spire/sockets/agent.sock"
  • Environment: UNKEY_SPIRE_SOCKET_PATH

--otel

Enable OpenTelemetry tracing and metrics

  • Type: boolean
  • Default: false
  • Environment: UNKEY_OTEL

--otel-trace-sampling-rate

Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25

  • Type: float
  • Default: 0.25
  • Environment: UNKEY_OTEL_TRACE_SAMPLING_RATE

--prometheus-port

Enable Prometheus /metrics endpoint on specified port. Set to 0 to disable.

  • Type: integer
  • Default: 0
  • Environment: UNKEY_PROMETHEUS_PORT

--vault-master-keys

Vault master keys for encryption

  • Type: string[]
  • Environment: UNKEY_VAULT_MASTER_KEYS

--vault-s3-url

S3 Compatible Endpoint URL

  • Type: string
  • Environment: UNKEY_VAULT_S3_URL

--vault-s3-bucket

S3 bucket name

  • Type: string
  • Environment: UNKEY_VAULT_S3_BUCKET

--vault-s3-access-key-id

S3 access key ID

  • Type: string
  • Environment: UNKEY_VAULT_S3_ACCESS_KEY_ID

--vault-s3-access-key-secret

S3 secret access key

  • Type: string
  • Environment: UNKEY_VAULT_S3_ACCESS_KEY_SECRET

--require-local-cert

Generate and use a self-signed certificate for *.unkey.local if one doesn't exist.

  • Type: boolean
  • Default: false
  • Environment: UNKEY_REQUIRE_LOCAL_CERT

Example Usage

Production Deployment

unkey run ingress \
  --region=us-east-1 \
  --base-domain=unkey.cloud \
  --database-primary="user:pass@db.us-east-1:3306/partition_001?parseTime=true" \
  --spire-enabled=true \
  --otel=true \
  --prometheus-port=9090

Local Development

unkey run ingress \
  --region=local \
  --database-primary="root@localhost:3306/partition_001?parseTime=true" \
  --require-local-cert=true \
  --tls-enabled=true
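
Preflight Check (added example)

The script below is an added example, not part of the Unkey documentation or code base: it validates the environment variables listed in the flag reference before `unkey run ingress` is started, and reports secret-bearing flags that were passed on the command line instead. The function names, the error and warning policy, and booleans spelled "true"/"false" are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the environment read by `unkey run ingress`.
# Variable names and defaults come from the flag reference above; what counts
# as an error or warning, and booleans spelled "true"/"false", are assumptions.

# is_port VALUE: succeeds if VALUE is an integer in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_rate VALUE: succeeds if VALUE is a decimal in the documented 0.0-1.0 range.
is_rate() {
  awk -v r="$1" 'BEGIN { exit !(r ~ /^[0-9]*\.?[0-9]+$/ && r + 0 <= 1) }'
}

# secret_flags ARGS...: prints every secret-bearing flag found on the command
# line, where its value would be visible in the process list.
secret_flags() {
  for arg in "$@"; do
    case "$arg" in
      --database-primary*|--database-replica*|--vault-master-keys*|--vault-s3-access-key-secret*)
        printf '%s\n' "${arg%%=*}" ;;
    esac
  done
}

# preflight: prints one finding per line; returns 1 if any ERROR was found.
preflight() {
  rc=0
  [ -n "${UNKEY_DATABASE_PRIMARY:-}" ] ||
    { echo "ERROR: UNKEY_DATABASE_PRIMARY is required"; rc=1; }
  for v in "${UNKEY_HTTP_PORT:-7070}" "${UNKEY_HTTPS_PORT:-7443}"; do
    is_port "$v" || { echo "ERROR: invalid listen port '$v'"; rc=1; }
  done
  p="${UNKEY_PROMETHEUS_PORT:-0}"   # 0 disables the /metrics endpoint
  [ "$p" = 0 ] || is_port "$p" || { echo "ERROR: invalid Prometheus port '$p'"; rc=1; }
  is_rate "${UNKEY_OTEL_TRACE_SAMPLING_RATE:-0.25}" ||
    { echo "ERROR: trace sampling rate must be within 0.0-1.0"; rc=1; }
  [ "${UNKEY_TLS_ENABLED:-true}" = true ] ||
    echo "WARN: TLS termination is disabled"
  if [ "${UNKEY_SPIRE_ENABLED:-false}" = true ]; then
    s="${UNKEY_SPIRE_SOCKET_PATH:-/run/spire/sockets/agent.sock}"
    [ -S "$s" ] || { echo "ERROR: SPIRE agent socket not found at $s"; rc=1; }
  fi
  return "$rc"
}
```

Exporting the connection strings and vault keys as environment variables keeps them out of the argument list that process listings can show to other local users; `secret_flags "$@"` in a wrapper script flags the cases where that was missed.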
