Docs/Reference/Custom Domains

Custom Domains

Point your own domain at a service running on Tawa. The CLI handles DNS, TLS certificates, and ingress configuration automatically.

Add a Domain

tawa domain add mydomain.com

# Auto-configure DNS via InsurEco Cloudflare
tawa domain add mydomain.com --cloudflare

# Manual DNS — you'll add a CNAME yourself
tawa domain add mydomain.com --external
OptionDescription
--cloudflareDomain is on InsurEco Cloudflare — DNS auto-configured
--externalExternal DNS provider — you add the CNAME yourself
--env <environment>Target environment: prod (default), sandbox, uat
--service <name>Target service (default: detected from directory)

Cloudflare-Managed DNS

If the domain is on InsurEco's Cloudflare, everything is automatic:

tawa domain add portal.example.com --cloudflare

# ✓ DNS record created: portal.example.com → my-svc.tawa.insureco.io
# ✓ Domain registered in platform
# ✓ Domain is live at portal.example.com

A CNAME record is created and Cloudflare's Total TLS provisions a certificate automatically. The domain is live within seconds.

External DNS Provider

If you manage DNS elsewhere (GoDaddy, Route 53, etc.):

tawa domain add portal.example.com --external

# ℹ Please add a CNAME record at your DNS provider:
#     portal.example.com  →  my-svc.tawa.insureco.io
#
# ℹ After adding the record, run:
#   tawa domain verify portal.example.com

Add the CNAME at your provider, wait for propagation, then verify:

tawa domain verify portal.example.com
tawa deploy --prod   # apply ingress changes

DNS propagation can take up to 48 hours, though most providers complete within minutes.

Manage Domains

# Check DNS propagation status
tawa domain verify portal.example.com

# View full configuration details
tawa domain status portal.example.com

# List all custom domains
tawa domain list
tawa domain list --service my-svc

# Remove a domain
tawa domain remove portal.example.com

How It Works

When you add a custom domain, the platform:

  1. Creates a CNAME record pointing to your service's platform hostname
  2. Registers the domain in the service registry
  3. Patches the Kubernetes ingress to accept traffic on the new hostname
  4. Provisions a TLS certificate automatically (Cloudflare Total TLS or cert-manager)

On subsequent deploys, verified custom domains are automatically included in the Helm values.

Troubleshooting

SymptomCauseFix
domain verify says "no CNAME record"DNS not propagated yetWait and retry
Domain resolves but shows TLS errorCertificate not yet provisionedWait a few minutes
Domain resolves to wrong serviceCNAME points to wrong hostnameCheck tawa domain status
Domain works but stops after redeployDomain was not verified before deployRun tawa domain verify then redeploy

Last updated: February 28, 2026