sol public edge
Public ingress and TLS edge for the reconstructed R001
trade surface on sol.
Purpose
- install an ingress controller on sol
- install cert-manager
- define ClusterIssuer/letsencrypt-prod
- publish trade-r001-canary/trade-frontend on trade.mpabi.pl
Design
- ingress controller: Traefik
- controller exposure model: hostPort on 80 and 443
- TLS automation: cert-manager with Let's Encrypt HTTP-01
- public host in this phase: trade.mpabi.pl
- application auth remains in trade-frontend; ingress only terminates traffic
Operator Flow
- Prepare the host firewall from trade-next/trade-host-iac:
./sol/public-edge/scripts/prepare-sol-public-edge.sh
- Push this repository to main and let deploy-sol-public-edge prepare the host firewall and apply the cluster-side resources. The workflow bootstraps cert-manager and Traefik first, then applies ClusterIssuer/letsencrypt-prod only after the cert-manager CRDs are ready.
- Update the authoritative DNS record:
trade.mpabi.pl A 149.50.96.162
- Re-run the smoke checks:
./environments/sol/public-edge/scripts/check-sol-public-edge.sh
./environments/sol/trade-r001-canary/scripts/check-sol-canary-smoke.sh
Notes
- Before DNS cutover, the HTTP ingress can still be verified using curl --resolve. cert-manager will not be able to complete the HTTP-01 challenge until the public A record points at 149.50.96.162.
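
The pre-cutover check described in the note above, as an added example that is not one of this repository's scripts: it probes the ingress with curl --resolve and classifies the A records returned by public resolvers, so an operator can tell whether HTTP-01 can complete yet. The function names, the state names, the two resolver addresses and the --run flag are assumptions of this example; the host and IP come from this README.

```shell
#!/bin/sh
# Added example (not part of the repository): DNS gate for the HTTP-01 challenge.
HOST="trade.mpabi.pl"      # public host, from the README
EDGE_IP="149.50.96.162"    # edge address, from the README

# Classify a set of A-record answers against the expected edge IP.
# Prints one of (state names are this example's own):
#   ready   - every answer is the edge IP
#   pending - no answer is the edge IP (DNS not cut over yet)
#   split   - mixed answers; validation may reach a host that is not the edge
#   empty   - the resolver returned no A record
classify_a_records() {
    expected="$1"; shift
    match=0; other=0
    for ip in "$@"; do
        if [ "$ip" = "$expected" ]; then match=$((match + 1)); else other=$((other + 1)); fi
    done
    if [ $((match + other)) -eq 0 ]; then echo empty
    elif [ "$other" -eq 0 ]; then echo ready
    elif [ "$match" -eq 0 ]; then echo pending
    else echo split
    fi
}

# Build the curl --resolve argument that pins host:port to an address.
resolve_arg() { printf '%s:%s:%s\n' "$1" "$2" "$3"; }

# Probe the ingress directly, bypassing DNS; prints the HTTP status code.
probe_ingress() {
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$(resolve_arg "$HOST" 80 "$EDGE_IP")" "http://$HOST/"
}

# Ask one resolver for the A records of HOST (requires dig).
lookup_a() { dig +short A "$HOST" "@$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true; }

main() {
    rc=0
    echo "ingress via --resolve: HTTP $(probe_ingress)"
    for resolver in 1.1.1.1 8.8.8.8; do   # public resolvers, chosen for illustration
        state=$(classify_a_records "$EDGE_IP" $(lookup_a "$resolver"))
        echo "A via $resolver: $state"
        [ "$state" = ready ] || rc=1
    done
    return "$rc"
}

# Touch the network only when explicitly asked to.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run with --run after updating the DNS record; a non-zero exit means at least one resolver does not yet return only 149.50.96.162, so a pending certificate is expected rather than a fault in the ingress.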