Skip to main content

Networking

CRAFT uses Gateway API for traffic routing, cert-manager for TLS certificate lifecycle, and external-dns for automatic DNS record management. This guide covers the networking stack across cloud and on-premises environments.

Gateway API

EM-Runtime uses the Kubernetes Gateway API (v1) for all external traffic routing. Gateway API replaces traditional Ingress with a more expressive, role-oriented model.

Ingress Flow

Gateway Resource

The Gateway resource defines the load balancer and listeners. It must exist before the em-runtime chart deploys HTTPRoutes.

HTTPRoute Rules

The em-runtime Helm chart creates an HTTPRoute with these default rules:
Path PrefixBackend ServicePortURL Rewrite
/keycloakkeycloak8080None (pass-through)
/api/governanceem-runtime-governance8000/governance
/api/assetsem-runtime-assets8000/assets
/api/utilsem-runtime-utils8000/utils

Gateway Controllers by Platform

PlatformControllerGatewayClassName
GKEGKE Gateway Controller (built-in)gke-l7-global-external-managed
EKSAWS Load Balancer Controlleraws-application-load-balancer
AKSAzure Application Gatewayazure-application-gateway
On-PremNGINX Gateway Fabricnginx
On-PremEnvoy Gatewayeg

Configuration in Helm

cert-manager

cert-manager automates TLS certificate provisioning and renewal. It supports ACME (Let’s Encrypt) and internal CA issuers.

Certificate Flow

Installation

Install cert-manager with Gateway API support:

ClusterIssuer Configuration

DNS-01 Solver by Provider

ProviderSolverIAM Requirement
GCP Cloud DNSdns01.cloudDNSWorkload Identity service account
AWS Route 53dns01.route53IRSA role with Route 53 permissions
Azure DNSdns01.azureDNSWorkload Identity managed identity
On-Prem (BIND)dns01.rfc2136TSIG key for dynamic DNS updates

Gateway Annotation

Annotate the Gateway to trigger automatic certificate provisioning:
cert-manager watches for Gateway resources with this annotation and provisions TLS certificates for each HTTPS listener.

external-dns

external-dns synchronizes Kubernetes resources (Gateway, Service, Ingress) with DNS providers, automatically creating A/CNAME records.

How It Works

  1. external-dns watches Gateway and Service resources for hostname annotations
  2. When a Gateway gets an external IP, external-dns creates a DNS A record
  3. Records are updated or removed as resources change

Configuration by Provider

Requires a Workload Identity service account with dns.admin role.

TLS Requirements

BoundaryRequirement
Client to load balancerTLS 1.2+ (certificate required)
Load balancer to podsHTTP (in-cluster; TLS optional)
Services to PostgreSQLSSL recommended (private network)
Services to RedisTLS supported (rediss:// scheme)

Network Policies

For on-premises deployments, configure Kubernetes NetworkPolicies for defense in depth:
Restrict data-insights egress to allowlisted LLM API endpoints (OpenAI, Anthropic, Vertex AI) for SSRF mitigation.

Firewall Rules

Ensure the following traffic is permitted:
DirectionPortProtocolPurpose
Inbound443TCPHTTPS from clients
Inbound80TCPHTTP redirect to HTTPS
Cluster to DB5432TCPPostgreSQL
Cluster to Cache6379TCPRedis
Cluster to S3443TCPObject storage
Cluster to LLM443TCPLLM API endpoints (data-insights)

DNS Architecture

One DNS A record pointing the platform hostname to the load balancer IP/CNAME:
For GKE deployments, external-dns creates this automatically when the Gateway receives an IP address. For on-prem, configure the DNS record manually or use external-dns with RFC2136.

Troubleshooting

Next Steps

Prerequisites

Complete networking prerequisites and firewall rules.