47 lines
1.4 KiB
Markdown
47 lines
1.4 KiB
Markdown
# sol public edge
|
|
|
|
Public ingress and TLS edge for the reconstructed `R001` trade surface on `sol`.
|
|
|
|
## Purpose
|
|
|
|
- install an ingress controller on `sol`
|
|
- install `cert-manager`
|
|
- define `ClusterIssuer/letsencrypt-prod`
|
|
- publish `trade-r001-canary/trade-frontend` on `trade.mpabi.pl`
|
|
|
|
## Design
|
|
|
|
- ingress controller: `Traefik`
|
|
- controller exposure model: `hostPort` on `80` and `443`
|
|
- TLS automation: `cert-manager` with `Let's Encrypt` `HTTP-01`
|
|
- public host in this phase: `trade.mpabi.pl`
|
|
- application auth remains in `trade-frontend`; ingress only terminates traffic
|
|
|
|
## Operator Flow
|
|
|
|
1. Prepare the host firewall from `trade-next/trade-host-iac`:
|
|
|
|
```bash
|
|
./sol/public-edge/scripts/prepare-sol-public-edge.sh
|
|
```
|
|
|
|
2. Push this repository to `main` and let `deploy-sol-public-edge` apply the cluster-side resources.
|
|
|
|
The workflow bootstraps `cert-manager` and `Traefik` first, then applies `ClusterIssuer/letsencrypt-prod` only after the cert-manager CRDs are ready.
|
|
|
|
3. Update the authoritative DNS record:
|
|
|
|
- `trade.mpabi.pl A 149.50.96.162`
|
|
|
|
4. Re-run the smoke checks:
|
|
|
|
```bash
|
|
./environments/sol/public-edge/scripts/check-sol-public-edge.sh
|
|
./environments/sol/trade-r001-canary/scripts/check-sol-canary-smoke.sh
|
|
```
|
|
|
|
## Notes
|
|
|
|
- Before DNS cutover, the HTTP ingress can still be verified using `curl --resolve`.
|
|
- `cert-manager` will not be able to complete the `HTTP-01` challenge until the public `A` record points at `149.50.96.162`.
|