Pass 8 — line-by-line read of platform/cnpg, platform/strimzi, platform/k8gb, platform/keycloak, platform/cert-manager, platform/cilium.

CNPG and Strimzi: read in full and confirmed clean — they correctly position themselves as Application Blueprints and don't drift from the canonical model. CNPG's `<org>-postgres-dr` cluster name (Application-tier database role) is acceptable per NAMING-CONVENTION §1.3 (which only forbids primary/dr in K8s host-cluster names, not in Application-internal CRD names).

Four READMEs updated:

k8gb:
- Header reframed: per-host-cluster infrastructure pointer to PLATFORM-TECH-STACK §3.1 and SRE §2.4 split-brain protection.
- Removed dead link to ../failover-controller/docs/ADR-FAILOVER-CONTROLLER.md (the failover-controller folder has no docs/); replaced with link to that component's README + SRE §2.4.

keycloak:
- Header reframed from "FAPI Authorization Server for Open Banking" (narrow) to "User identity for Catalyst Sovereigns" (broad). Keycloak handles ALL user identity in Catalyst, not just FAPI.
- Added per-Org / per-Sovereign topology callout matching SECURITY §6. Clarified that "Multi-tenant TPP" refers to PSD2 Third Party Providers, not Catalyst's Organization-level multi-tenancy.
- FAPI features kept since Keycloak still serves Fingate as the FAPI Authorization Server.

cert-manager:
- Header reframed as per-host-cluster infrastructure with pointer to PLATFORM-TECH-STACK §3.3.

cilium:
- Header reframed as per-host-cluster infrastructure with pointer to PLATFORM-TECH-STACK §3.1, including the install-first note (CNI must come before any other workload during Phase 0).

VALIDATION-LOG: Pass 8 entry added.

Refs #37
cert-manager
TLS certificate automation. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.3) — runs on every host cluster a Sovereign owns.
Status: Accepted | Updated: 2026-04-27
Overview
cert-manager provides automated TLS certificate management: Let's Encrypt (ACME) for publicly resolvable names and an internal CA issuer for in-cluster names, with automatic renewal and Kubernetes-native integration (a Certificate resource is reconciled into a TLS Secret that Gateways and Ingresses reference).
Architecture
```mermaid
flowchart TB
    subgraph CM["cert-manager"]
        Controller[Controller]
        Webhook[Webhook]
        CAInjector[CA Injector]
    end
    subgraph Issuers["Issuers"]
        LE[Let's Encrypt]
        CA[Internal CA]
    end
    subgraph Resources["K8s Resources"]
        Cert[Certificate]
        Secret[TLS Secret]
        Ingress[Gateway/Ingress]
    end
    Controller --> LE
    Controller --> CA
    Cert --> Controller
    Controller --> Secret
    Secret --> Ingress
```
Challenge Types
| Challenge | Use Case | DNS Provider |
|---|---|---|
| HTTP-01 | Public endpoints | Not required |
| DNS-01 | Wildcards, internal | Cloudflare, Route53, etc. |
Recommended: DNS-01. It is required for wildcard certificates (Let's Encrypt only issues wildcards via DNS-01; HTTP-01 cannot) and is the only option for names that are not reachable from the public internet.
Configuration
ClusterIssuer (Let's Encrypt)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@<domain>
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
```

Because this is a ClusterIssuer, `cloudflare-api-token` is looked up in cert-manager's own namespace (the cluster resource namespace, `cert-manager` by default), not in the namespace of the Certificate that uses the issuer. Scope the Cloudflare token to the zone with `Zone:DNS:Edit` and `Zone:Zone:Read` only: whoever holds it can answer DNS-01 challenges, and therefore obtain certificates, for every name in that zone.
Certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: cilium-gateway
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.<domain>"
    - "<domain>"
```
Gateway API Integration
cert-manager integrates with Cilium Gateway API:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
  namespace: cilium-gateway
spec:
  gatewayClassName: cilium
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls
```

The Gateway references the `wildcard-tls` Secret produced by the Certificate above, so both live in the `cilium-gateway` namespace; a Gateway cannot reference a Secret in another namespace without a ReferenceGrant. This path needs no extra cert-manager integration. The alternative, annotating the Gateway with `cert-manager.io/cluster-issuer` so that cert-manager creates the Certificate itself, requires Gateway API support to be enabled in the cert-manager installation.
Renewal
| Setting | Value |
|---|---|
| Renewal window | 30 days before expiry |
| Check interval | 24 hours |
| Retry interval | 1 hour on failure |
cert-manager renews a certificate once it enters the renewal window. By default that window opens two thirds of the way through the certificate's lifetime, which for a 90-day Let's Encrypt certificate is the 30 days before expiry shown above; a failed issuance is retried after the retry interval.
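As an added example (not from this README or the cert-manager project), the wildcard Certificate with the renewal settings pinned explicitly and private-key rotation turned on. cert-manager's default `rotationPolicy: Never` reuses the existing private key at every renewal, so a key that leaked during one 90-day period stays valid across renewals; `Always` generates a fresh key pair each time. The names, namespace and issuer are the ones used above.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: cilium-gateway
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.<domain>"
    - "<domain>"
  # Let's Encrypt issues 90-day certificates; the requested duration cannot exceed that.
  duration: 2160h    # 90 days
  renewBefore: 720h  # renew 30 days before expiry (same as the default 2/3-of-duration rule here)
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # new key pair on every renewal; the default Never reuses the old key
```

Applying this over the existing Certificate triggers a reissuance on the next reconcile only if a spec field that affects the certificate changed; the rotation policy itself takes effect at the next renewal.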
Monitoring
| Metric | Description |
|---|---|
| certmanager_certificate_expiration_timestamp_seconds | Certificate expiry time (Unix timestamp) |
| certmanager_certificate_ready_status | Certificate readiness (one series per `condition` value; the active one is 1) |
| certmanager_http_acme_client_request_count | ACME requests |
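An added example of consuming the first two metrics in the table (this is not code from the README or from the cert-manager project): it parses a Prometheus scrape of cert-manager's `/metrics` endpoint and flags every Certificate that is not Ready or that is already inside the 30-day renewal window, which is the check an alert rule on these metrics would perform. The metric names are cert-manager's real ones; the scrape text, timestamps, namespaces and certificate names are constructed for illustration, and the "current time" is fixed so the output is deterministic.

```python
# Added example, not part of the cert-manager README or project.
# Parses cert-manager Prometheus metrics and reports certificates that need attention.
import re

# Prometheus exposition format: metric_name{label="value",...} sample_value
SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)\{([^}]*)\}\s+(\S+)")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')

NOW = 1_700_000_000  # fixed "now" (Unix seconds) so the example is reproducible
RENEW_BEFORE_DAYS = 30  # the renewal window from the Renewal table above

# Constructed scrape (not real cert-manager output): four certificates in four states.
#   wildcard-cert  expires in 60 days, Ready        -> fine
#   keycloak-tls   expires in 10 days, Ready        -> inside the renewal window
#   api-tls        expires in 45 days, not Ready    -> issuance problem
#   pg-tls         expired 1 day ago, still "Ready" -> expired
SAMPLE_SCRAPE = """\
# constructed scrape, comments and blank lines are skipped by the parser
certmanager_certificate_expiration_timestamp_seconds{name="wildcard-cert",namespace="cilium-gateway"} 1705184000
certmanager_certificate_ready_status{condition="True",name="wildcard-cert",namespace="cilium-gateway"} 1
certmanager_certificate_ready_status{condition="False",name="wildcard-cert",namespace="cilium-gateway"} 0
certmanager_certificate_ready_status{condition="Unknown",name="wildcard-cert",namespace="cilium-gateway"} 0
certmanager_certificate_expiration_timestamp_seconds{name="keycloak-tls",namespace="keycloak"} 1700864000
certmanager_certificate_ready_status{condition="True",name="keycloak-tls",namespace="keycloak"} 1
certmanager_certificate_expiration_timestamp_seconds{name="api-tls",namespace="fingate"} 1703888000
certmanager_certificate_ready_status{condition="False",name="api-tls",namespace="fingate"} 1
certmanager_certificate_expiration_timestamp_seconds{name="pg-tls",namespace="cnpg-system"} 1699913600
certmanager_certificate_ready_status{condition="True",name="pg-tls",namespace="cnpg-system"} 1
"""


def parse_metrics(text):
    """Return a list of (metric_name, labels_dict, float_value) for every sample line."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_RE.match(line)
        if not match:
            continue  # metric without labels or malformed line; not needed here
        name, raw_labels, value = match.groups()
        samples.append((name, dict(LABEL_RE.findall(raw_labels)), float(value)))
    return samples


def assess(text, now=NOW, renew_before_days=RENEW_BEFORE_DAYS):
    """Group samples per (namespace, name) and return (certs, alerts).

    certs maps each certificate to its days-to-expiry and active Ready condition;
    alerts maps only the problematic ones to a list of human-readable reasons.
    """
    certs = {}
    for metric, labels, value in parse_metrics(text):
        key = (labels.get("namespace"), labels.get("name"))
        entry = certs.setdefault(key, {"expires_in_days": None, "ready": None})
        if metric == "certmanager_certificate_expiration_timestamp_seconds":
            entry["expires_in_days"] = (value - now) / 86_400
        elif metric == "certmanager_certificate_ready_status" and value == 1:
            # cert-manager emits one series per condition value; the active one is 1
            entry["ready"] = labels.get("condition")

    alerts = {}
    for key, entry in certs.items():
        problems = []
        if entry["ready"] != "True":
            problems.append(f"Ready condition is {entry['ready']}")
        days = entry["expires_in_days"]
        if days is None:
            problems.append("no expiry metric")
        elif days < 0:
            problems.append(f"expired {-days:.1f} days ago")
        elif days < renew_before_days:
            problems.append(f"expires in {days:.1f} days, inside the {renew_before_days}-day renewal window")
        if problems:
            alerts[key] = problems
    return certs, alerts


if __name__ == "__main__":
    _, found = assess(SAMPLE_SCRAPE)
    for (namespace, name), reasons in sorted(found.items()):
        print(f"{namespace}/{name}: " + "; ".join(reasons))
```

A certificate that sits inside its renewal window while cert-manager is healthy is the signal worth paging on: renewal should have already happened, so either the ACME challenge or the issuer credentials are failing. Feed the same scrape into a real alert by expressing the two conditions as PromQL over the metrics in the table.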
Part of OpenOva