# sol public edge Public ingress and TLS edge for the reconstructed `R001` trade surface on `sol`. ## Purpose - install an ingress controller on `sol` - install `cert-manager` - define `ClusterIssuer/letsencrypt-prod` - publish `trade-r001-canary/trade-frontend` on `trade.mpabi.pl` ## Design - ingress controller: `Traefik` - controller exposure model: `hostPort` on `80` and `443` - TLS automation: `cert-manager` with `Let's Encrypt` `HTTP-01` - public host in this phase: `trade.mpabi.pl` - application auth remains in `trade-frontend`; ingress only terminates traffic ## Operator Flow 1. Prepare the host firewall from `trade-next/trade-host-iac`: ```bash ./sol/public-edge/scripts/prepare-sol-public-edge.sh ``` 2. Push this repository to `main` and let `deploy-sol-public-edge` apply the cluster-side resources. The workflow bootstraps `cert-manager` and `Traefik` first, then applies `ClusterIssuer/letsencrypt-prod` only after the cert-manager CRDs are ready. 3. Update the authoritative DNS record: - `trade.mpabi.pl A 149.50.96.162` 4. Re-run the smoke checks: ```bash ./environments/sol/public-edge/scripts/check-sol-public-edge.sh ./environments/sol/trade-r001-canary/scripts/check-sol-canary-smoke.sh ``` ## Notes - Before DNS cutover, the HTTP ingress can still be verified using `curl --resolve`. - `cert-manager` will not be able to complete the `HTTP-01` challenge until the public `A` record points at `149.50.96.162`.