sol public edge

Public ingress and TLS edge for the reconstructed R001 trade surface on sol.

Purpose

  • install an ingress controller on sol
  • install cert-manager
  • define ClusterIssuer/letsencrypt-prod
  • publish trade-r001-canary/trade-frontend on trade.mpabi.pl

Design

  • ingress controller: Traefik
  • controller exposure model: hostPort on 80 and 443
  • TLS automation: cert-manager with Let's Encrypt HTTP-01
  • public host in this phase: trade.mpabi.pl
  • application auth remains in trade-frontend; ingress only terminates traffic

Operator Flow

  1. Prepare the host firewall from trade-next/trade-host-iac:
     ./sol/public-edge/scripts/prepare-sol-public-edge.sh
  2. Push this repository to main and let deploy-sol-public-edge prepare the host firewall and apply the cluster-side resources.

The workflow bootstraps cert-manager and Traefik first, then applies ClusterIssuer/letsencrypt-prod only after the cert-manager CRDs are ready.

  3. Update the authoritative DNS record:
     • trade.mpabi.pl A 149.50.96.162
  4. Re-run the smoke checks:
     ./environments/sol/public-edge/scripts/check-sol-public-edge.sh
     ./environments/sol/trade-r001-canary/scripts/check-sol-canary-smoke.sh

Notes

  • Before DNS cutover, the HTTP ingress can still be verified using curl --resolve.
  • cert-manager will not be able to complete the HTTP-01 challenge until the public A record points at 149.50.96.162.
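
A pre-cutover check built on the two notes above, as an added example and not this repository's check-sol-public-edge.sh: it probes the ingress with curl --resolve and reports whether the public A record still blocks HTTP-01. The function names and the status classification are assumptions, and curl and dig are assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-cutover checks for the sol public edge (not the repo's own script).
# HOST and EDGE_IP are the values from this README; function names are hypothetical.
HOST="trade.mpabi.pl"
EDGE_IP="149.50.96.162"

# True only when the A answers (one per line) collapse to exactly the edge IP.
# An empty, stale, or additional address means HTTP-01 validation can land elsewhere.
a_record_ready() {
  [ -n "$1" ] && [ "$(printf '%s\n' "$1" | sort -u)" = "$2" ]
}

# Map the HTTP status seen through the ingress to what it says about routing.
classify_status() {
  case "$1" in
    000)             echo unreachable ;;    # curl could not connect (firewall, hostPort)
    404)             echo no-route ;;       # usually Traefik's default: no router matched the Host
    5??)             echo backend-error ;;  # router matched, trade-frontend not serving
    2??|3??|401|403) echo routed ;;         # request reached the app; auth is the app's job
    *)               echo unexpected ;;
  esac
}

# Send the request to EDGE_IP while keeping the real Host header, bypassing DNS.
probe_http() {
  curl --silent --output /dev/null --max-time 10 \
       --resolve "${HOST}:80:${EDGE_IP}" \
       --write-out '%{http_code}' "http://${HOST}/" || true
}

main() {
  status="$(probe_http)"
  echo "ingress via --resolve: ${status} ($(classify_status "$status"))"
  # Uses the local resolver; query the authoritative server directly to skip caches.
  answers="$(dig +short A "$HOST" 2>/dev/null || true)"
  if a_record_ready "$answers" "$EDGE_IP"; then
    echo "DNS: ${HOST} -> ${EDGE_IP}, DNS no longer blocks HTTP-01"
  else
    echo "DNS: ${HOST} -> '${answers:-no answer}', HTTP-01 will not complete yet"
    return 1
  fi
}

# Network checks run only on request, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run before and after the DNS change; a non-zero exit means the A record does not yet point solely at the edge IP.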