Hearth is the infrastructure home for the letemcook ecosystem.

Ported from coherence-mcp/infra:
- Terraform modules (VPC, EKS, IAM, NLB, S3, storage)
- Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter)
- Deployment scripts (phased rollout)

Status: Not deployed. EKS cluster needs to be provisioned.

Next steps:
1. Bootstrap terraform backend
2. Deploy phase 1 (foundation)
3. Deploy phase 2 (core services including Forgejo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
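---
# Core Services Ingress
#
# RFC 0040: Self-Hosted Core Services
#
# Routes traffic to Vault, Keycloak, and Forgejo via AWS ALB.
#
# Review notes:
#   - scheme is internet-facing, so all three hosts — including the Vault
#     API/UI — are reachable from the public internet. The WAF annotation
#     below is still commented out and no
#     alb.ingress.kubernetes.io/inbound-cidrs restriction is set; decide
#     deliberately whether Vault belongs on this listener.
#   - The backends are ExternalName Services in this namespace (following
#     documents). An ExternalName Service has no Endpoints, so with
#     target-type: ip the controller has no pod IPs to register — TODO confirm
#     against the AWS Load Balancer Controller version in use. The usual
#     cross-namespace pattern is an IngressGroup
#     (alb.ingress.kubernetes.io/group.name) with one Ingress per namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: core-services
  namespace: ingress
  labels:
    app.kubernetes.io/name: core-services-ingress
    app.kubernetes.io/part-of: core-services
  annotations:
    # AWS ALB Ingress Controller.
    # kubernetes.io/ingress.class is the legacy form; spec.ingressClassName
    # below is the current one. Both are kept and agree on "alb".
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # HTTPS only: no HTTP listener is opened. As a consequence ssl-redirect
    # below has nothing to redirect from; it only takes effect if
    # {"HTTP":80} is added to listen-ports.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # Templated value — quoted so an empty or unusual expansion cannot be
    # re-typed (null, number) by the YAML parser.
    alb.ingress.kubernetes.io/certificate-arn: "${ACM_CERT_ARN}"
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # Health check settings. Ingress-level annotations apply to every target
    # group of this Ingress, so /health is probed on all three backends;
    # confirm each service answers 200 on that path, or override per backend
    # with the same annotations on the individual Service objects.
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthy-threshold-count: "2"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
    # WAF integration (optional, currently disabled)
    # alb.ingress.kubernetes.io/wafv2-acl-arn: "${WAF_ACL_ARN}"
    # Access logs. Written as one quoted line: the previous folded scalar
    # produced "key=v, key=v" with spaces after the commas, so the value
    # depended on the controller trimming whitespace around separators.
    alb.ingress.kubernetes.io/load-balancer-attributes: 'access_logs.s3.enabled=true,access_logs.s3.bucket=alignment-alb-logs,access_logs.s3.prefix=core-services'
spec:
  ingressClassName: alb
  rules:
    # Vault — assumes the Vault listener on 8200 speaks plain HTTP (the
    # controller talks HTTP to targets unless backend-protocol is set); if
    # TLS is enabled on that listener, add
    # alb.ingress.kubernetes.io/backend-protocol: HTTPS.
    - host: vault.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vault
                port:
                  number: 8200
    # Keycloak — TLS terminates at the ALB, so Keycloak presumably needs to
    # be configured to trust the X-Forwarded-* headers from the proxy;
    # verify in the Keycloak deployment.
    - host: auth.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
    # Forgejo
    - host: git.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: forgejo
                port:
                  number: 3000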
---
# Cross-namespace service references
#
# These ExternalName services allow the ingress namespace to route to other
# namespaces. This one aliases the Vault service living in the "vault"
# namespace.
#
# NOTE(review): an ExternalName Service carries no Endpoints; whether the ALB
# controller (target-type: ip) can register targets through it — TODO confirm.
kind: Service
apiVersion: v1
metadata:
  namespace: ingress
  name: vault
spec:
  type: ExternalName
  externalName: vault.vault.svc.cluster.local
  ports:
    # Vault API port; must match the backend port used by the Ingress rule.
    - port: 8200
---
# ExternalName alias for the Keycloak service in the "keycloak" namespace, so
# the core-services Ingress (namespace: ingress) can reference it by name.
#
# NOTE(review): an ExternalName Service carries no Endpoints; whether the ALB
# controller (target-type: ip) can register targets through it — TODO confirm.
kind: Service
apiVersion: v1
metadata:
  namespace: ingress
  name: keycloak
spec:
  type: ExternalName
  externalName: keycloak.keycloak.svc.cluster.local
  ports:
    # Keycloak HTTP port; must match the backend port used by the Ingress rule.
    - port: 8080
---
# ExternalName alias for the Forgejo service in the "forgejo" namespace, so
# the core-services Ingress (namespace: ingress) can reference it by name.
#
# NOTE(review): an ExternalName Service carries no Endpoints; whether the ALB
# controller (target-type: ip) can register targets through it — TODO confirm.
kind: Service
apiVersion: v1
metadata:
  namespace: ingress
  name: forgejo
spec:
  type: ExternalName
  externalName: forgejo.forgejo.svc.cluster.local
  ports:
    # Forgejo web port; must match the backend port used by the Ingress rule.
    - port: 3000