Networking

CRAFT uses Gateway API for traffic routing, cert-manager for TLS certificate lifecycle, and external-dns for automatic DNS record management. This guide covers the networking stack across cloud and on-premises environments.

Gateway API

EM-Runtime uses the Kubernetes Gateway API (v1) for all external traffic routing. Gateway API replaces traditional Ingress with a more expressive, role-oriented model.

Ingress Flow

Gateway Resource

The Gateway resource defines the load balancer and listeners. It must exist before the em-runtime chart deploys HTTPRoutes.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: em-runtime-gateway
  namespace: gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: nginx    # or gke-l7-global-external-managed
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: platform-tls
    allowedRoutes:
      namespaces:
        from: All
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All

HTTPRoute Rules

The em-runtime Helm chart creates an HTTPRoute with these default rules:
| Path Prefix | Backend Service | Port | URL Rewrite |
| --- | --- | --- | --- |
| /keycloak | keycloak | 8080 | None (pass-through) |
| /api/governance | em-runtime-governance | 8000 | /governance |
| /api/assets | em-runtime-assets | 8000 | /assets |
| /api/utils | em-runtime-utils | 8000 | /utils |

Gateway Controllers by Platform

| Platform | Controller | GatewayClassName |
| --- | --- | --- |
| GKE | GKE Gateway Controller (built-in) | gke-l7-global-external-managed |
| EKS | AWS Load Balancer Controller | aws-application-load-balancer |
| AKS | Azure Application Gateway | azure-application-gateway |
| On-Prem | NGINX Gateway Fabric | nginx |
| On-Prem | Envoy Gateway | eg |

Configuration in Helm

# Chart values for Gateway reference
gatewayName: "em-runtime-gateway"
gatewayNamespace: "gateway"
hostname: "api.example.com"

httpRoute:
  enabled: true
  rules:
    - pathPrefix: "/keycloak"
      serviceName: keycloak
      servicePort: 8080
    - pathPrefix: "/api/governance"
      rewritePrefix: "/governance"
      serviceName: em-runtime-governance
      servicePort: 8000
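
The following is an added example, not code from the em-runtime chart or this page: it renders values-style rules like those above into Gateway API HTTPRoute rule objects (PathPrefix match, URLRewrite ReplacePrefixMatch filter, backendRef) and simulates the match and rewrite a request path receives. The RULES list is constructed here to mirror the rule table in this guide.

```python
"""Render httpRoute rules like the chart values above into Gateway API
HTTPRoute rule objects and simulate the match plus prefix rewrite a request
gets. Added example; RULES is constructed to mirror the page's rule table."""

RULES = [
    {"pathPrefix": "/keycloak", "serviceName": "keycloak", "servicePort": 8080},
    {"pathPrefix": "/api/governance", "rewritePrefix": "/governance",
     "serviceName": "em-runtime-governance", "servicePort": 8000},
    {"pathPrefix": "/api/assets", "rewritePrefix": "/assets",
     "serviceName": "em-runtime-assets", "servicePort": 8000},
    {"pathPrefix": "/api/utils", "rewritePrefix": "/utils",
     "serviceName": "em-runtime-utils", "servicePort": 8000},
]


def render_rule(rule):
    """One HTTPRoute rule: PathPrefix match, optional URLRewrite filter
    (ReplacePrefixMatch) and the backendRef to the Service."""
    out = {
        "matches": [{"path": {"type": "PathPrefix", "value": rule["pathPrefix"]}}],
        "backendRefs": [{"name": rule["serviceName"], "port": rule["servicePort"]}],
    }
    if "rewritePrefix" in rule:
        out["filters"] = [{"type": "URLRewrite", "urlRewrite": {"path": {
            "type": "ReplacePrefixMatch",
            "replacePrefixMatch": rule["rewritePrefix"]}}}]
    return out


def _prefix_matches(prefix, path):
    # Gateway API PathPrefix is segment-aware: "/api/assets" matches
    # "/api/assets" and "/api/assets/x" but not "/api/assetsx".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def route(path):
    """Apply RULES with Gateway API precedence (longest PathPrefix wins).
    Returns ("service:port", rewritten_path), or None when nothing matches
    (the Gateway then answers 404 itself and no backend is reached)."""
    best = None
    for rule in RULES:
        if _prefix_matches(rule["pathPrefix"], path):
            if best is None or len(rule["pathPrefix"]) > len(best["pathPrefix"]):
                best = rule
    if best is None:
        return None
    new_path = path
    if "rewritePrefix" in best:
        new_path = best["rewritePrefix"] + path[len(best["pathPrefix"]):]
    return f'{best["serviceName"]}:{best["servicePort"]}', new_path
```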

cert-manager

cert-manager automates TLS certificate provisioning and renewal. It supports ACME (Let’s Encrypt) and internal CA issuers.

Certificate Flow

Installation

Install cert-manager with Gateway API support:
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set config.enableGatewayAPI=true \
  --set crds.enabled=true

ClusterIssuer Configuration

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production ACME v2 directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - dns01:
        cloudDNS:                    # GCP
          project: your-project-id
        # route53:                   # AWS
        #   region: us-east-1
        # azureDNS:                  # Azure
        #   subscriptionID: ...

DNS-01 Solver by Provider

| Provider | Solver | IAM Requirement |
| --- | --- | --- |
| GCP Cloud DNS | dns01.cloudDNS | Workload Identity service account |
| AWS Route 53 | dns01.route53 | IRSA role with Route 53 permissions |
| Azure DNS | dns01.azureDNS | Workload Identity managed identity |
| On-Prem (BIND) | dns01.rfc2136 | TSIG key for dynamic DNS updates |

Gateway Annotation

Annotate the Gateway to trigger automatic certificate provisioning:

metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod

cert-manager watches for Gateway resources with this annotation and provisions a TLS certificate for each HTTPS listener, stored in the Secret named by that listener's certificateRefs.

external-dns

external-dns synchronizes Kubernetes resources (Gateway, Service, Ingress) with DNS providers, automatically creating A/CNAME records.

How It Works

  1. external-dns watches Gateway and Service resources for hostname annotations
  2. When a Gateway gets an external IP, external-dns creates a DNS A record
  3. Records are updated or removed as resources change

Configuration by Provider

# GCP (Cloud DNS) values; other providers swap the provider and credential keys
provider: google
google:
  project: your-project-id
domainFilters:
  - runtime.dev.emergence.ai
policy: sync          # sync also deletes records whose source is removed; upsert-only never deletes
sources:
  - gateway-httproute
  - service

Requires a Workload Identity service account with the dns.admin role.

TLS Requirements

| Boundary | Requirement |
| --- | --- |
| Client to load balancer | TLS 1.2+ (certificate required) |
| Load balancer to pods | HTTP (in-cluster; TLS optional) |
| Services to PostgreSQL | SSL recommended (private network) |
| Services to Redis | TLS supported (rediss:// scheme) |

Network Policies

For on-premises deployments, configure Kubernetes NetworkPolicies for defense in depth:
# Restrict data-insights egress to DNS plus HTTPS to public addresses
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: talk2data-egress
  namespace: em-runtime
spec:
  podSelector:
    matchLabels:
      app: data-insights
  policyTypes:
  - Egress
  egress:
  # DNS to kube-dns so LLM API hostnames still resolve (labels assume the standard kube-dns deployment)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # HTTPS to public addresses only; private, cluster and link-local ranges (metadata endpoint included) are excluded
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
    ports:
    - port: 443
      protocol: TCP

This restricts data-insights egress toward the allowlisted LLM API endpoints (OpenAI, Anthropic, Vertex AI) as an SSRF mitigation. The sample still permits HTTPS to any public address, so narrow the ipBlock to the providers' published address ranges where a strict allowlist is required.
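
As an added example (not code from this page or the project), the following evaluates NetworkPolicy egress rules of the shape shown above against sample destinations, contrasting a bare `0.0.0.0/0` on 443 with the same block carrying `except` entries for private and link-local ranges. Both policies and the probe IPs are constructed here; selector-based peers (such as a kube-dns rule) are deliberately not evaluated, so this is an IP-level view of the SSRF exposure.

```python
"""Evaluate NetworkPolicy egress rules (ipBlock cidr/except + ports) against
sample destinations. Added example; the policies below are constructed here."""
import ipaddress

WIDE_OPEN = [  # the page's original shape: any address on TCP/443
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]},
]
PUBLIC_ONLY = [  # hardened: same, but private/cluster/link-local ranges excluded
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                         "except": ["10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "169.254.0.0/16"]}}],
     "ports": [{"port": 443, "protocol": "TCP"}]},
]


def _ipblock_allows(block, ip):
    """ipBlock semantics: inside cidr and not inside any 'except' entry."""
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))


def _port_allows(ports, port, proto):
    if not ports:  # a rule without 'ports' allows every port and protocol
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto
               for p in ports)


def egress_allowed(rules, dst_ip, port, proto="TCP"):
    """True if some rule's peers and ports both admit the destination.
    Only ipBlock peers are evaluated; selector peers (e.g. kube-dns) are skipped."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        peers = rule.get("to", [])  # an empty/absent 'to' means any destination
        peer_ok = not peers or any(
            "ipBlock" in p and _ipblock_allows(p["ipBlock"], ip) for p in peers)
        if peer_ok and _port_allows(rule.get("ports"), port, proto):
            return True
    return False


def ssrf_surface(rules):
    """Probe the destinations a reviewer checks first (sample IPs constructed)."""
    probes = {"public-llm-api:443": ("203.0.113.10", 443),
              "metadata-endpoint:443": ("169.254.169.254", 443),
              "cluster-service:443": ("10.96.0.50", 443),
              "internal-postgres:5432": ("10.20.0.5", 5432)}
    return {k: egress_allowed(rules, ip, port) for k, (ip, port) in probes.items()}
```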

Firewall Rules

Ensure the following traffic is permitted:
| Direction | Port | Protocol | Purpose |
| --- | --- | --- | --- |
| Inbound | 443 | TCP | HTTPS from clients |
| Inbound | 80 | TCP | HTTP redirect to HTTPS |
| Cluster to DB | 5432 | TCP | PostgreSQL |
| Cluster to Cache | 6379 | TCP | Redis |
| Cluster to S3 | 443 | TCP | Object storage |
| Cluster to LLM | 443 | TCP | LLM API endpoints (data-insights) |

DNS Architecture

One DNS A record pointing the platform hostname to the load balancer IP/CNAME:

api.example.com  →  A  →  <load-balancer-ip>

For GKE deployments, external-dns creates this automatically when the Gateway receives an IP address. For on-prem, configure the DNS record manually or use external-dns with RFC2136.

Troubleshooting

# Check cert-manager logs
kubectl logs -n cert-manager -l app=cert-manager

# Check certificate and challenge status (cert-manager creates the
# Certificate in the Gateway's namespace, "gateway" in this guide)
kubectl describe certificate -n gateway
kubectl get challenges -n gateway

# Check Gateway status
kubectl describe gateway em-runtime-gateway -n gateway

# Verify the gateway controller is running (the namespace depends on
# the controller; gateway-system is shown here)
kubectl get pods -n gateway-system

# Check external-dns logs
kubectl logs -n external-dns -l app.kubernetes.io/name=external-dns

# Verify IAM / Workload Identity
kubectl describe sa external-dns -n external-dns

Next Steps

Prerequisites

Complete networking prerequisites and firewall rules.