Networking Overview
Purpose
Lumie's networking stack spans OCI load balancers, K3s addons, certificate automation, and per-application ingress manifests. This page is an overview of how traffic enters the cluster, how service names resolve inside it, and which repo paths own each layer.
For cluster topology, see Cluster Overview. For the active ingress controller, see Traefik.
Source Paths
| Path | Role |
|---|---|
| `lumie-infra/provision/terraform/nlb_0214.tf` | Main public HTTPS ingress NLB |
| `lumie-infra/provision/terraform/nlb_teleport_0213.tf` | Separate Teleport HTTPS ingress NLB |
| `lumie-infra/platform/traefik-config/` | Patch for the k3s-bundled Traefik addon |
| `lumie-infra/platform/coredns-config/` | CoreDNS workload shape override |
| `lumie-infra/platform/cert-manager/` | cert-manager chart and Cloudflare token secret sync |
| `lumie-infra/applications/cluster-bootstrap/manifests/cluster-issuer.yaml` | Shared ACME issuers |
| `lumie-infra/applications/lumie/**/ingress*.yaml` | Product ingress rules and middleware attachments |
Boundary Map
| Layer | Active owner | Responsibility |
|---|---|---|
| Public DNS and proxy | Cloudflare plus OCI public IPs from Terraform | Domain resolution and public entry to Lumie |
| Layer-4 ingress | OCI NLBs in Terraform | Forward TCP 443 to worker nodes or Teleport NodePort |
| Layer-7 ingress | k3s-bundled Traefik plus repo patches | Host and path routing, TLS termination, Traefik middleware |
| Certificate automation | cert-manager plus ClusterIssuer resources | ACME issuance and TLS secret management |
| Cluster DNS | CoreDNS addon with repo-managed DaemonSet | Service discovery inside the cluster |
| Legacy edge artifacts | bootstrap/kong/ | Retained repo-only Kong configuration, not part of the active path |
Runtime Flow
Active Networking Model
The active runtime path is:
- Cloudflare resolves a public hostname to an OCI reserved public IP.
- The OCI NLB forwards TCP `443` to worker private IPs without terminating TLS.
- Traefik on the worker terminates TLS by SNI and evaluates `Ingress` objects with class `traefik`.
- Optional Traefik `Middleware` strips `/api` prefixes or performs redirects.
- The selected Kubernetes `Service` forwards traffic to pods.
For Teleport, the path is separate: Cloudflare points to a dedicated NLB that forwards TCP 443 to NodePort 30443, bypassing Traefik entirely. Because the NLB is layer 4 and Traefik is not in that path, Teleport terminates its own TLS for that hostname, so Traefik certificates and middleware never apply to it.
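The Ingress, Middleware and cert-manager annotation that the list above describes, written out as one manifest set. This is an added example, not a file from `lumie-infra`: the namespace `lumie`, the Service `lumie-api` on port 8080, the Secret name `lumie-api-tls` and the Middleware names are assumed; the hostname `dev.lumie-infra.com`, the ingress class `traefik`, the `/api` strip and the issuer name come from this page. The Middleware `apiVersion` depends on the Traefik release k3s bundles (`traefik.io/v1alpha1` for v3 and late v2, `traefik.containo.us/v1alpha1` for older v2 CRDs).

```yaml
# Added example, not repo code. Assumed: namespace "lumie", Service "lumie-api"
# on port 8080, Secret "lumie-api-tls", Middleware names below.
---
apiVersion: traefik.io/v1alpha1   # traefik.containo.us/v1alpha1 on older Traefik v2 CRDs
kind: Middleware
metadata:
  name: strip-api-prefix
  namespace: lumie
spec:
  # Backend receives /users for a public request to /api/users.
  stripPrefix:
    prefixes:
      - /api
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: lumie
spec:
  # Redirects only when the request scheme differs; a request that already
  # arrived over https passes through unchanged.
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lumie-api
  namespace: lumie
  annotations:
    # cert-manager creates the Certificate that fills spec.tls[].secretName.
    cert-manager.io/cluster-issuer: letsencrypt-staging
    # Traefik middleware references are <namespace>-<name>@kubernetescrd,
    # applied in the listed order.
    traefik.ingress.kubernetes.io/router.middlewares: lumie-redirect-https@kubernetescrd,lumie-strip-api-prefix@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - dev.lumie-infra.com
      secretName: lumie-api-tls
  rules:
    - host: dev.lumie-infra.com
      http:
        paths:
          # Only /api is routed. A request for bare / matches no rule, so
          # Traefik answers 404, which is the documented dev-cluster behaviour.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: lumie-api
                port:
                  number: 8080
```

Two checks worth doing after applying something like this: `kubectl get certificate -n lumie` should show `READY=True` for the TLS secret before Traefik will present a trusted certificate for the host, and a request to `/api/<path>` should reach the backend as `/<path>`; if the Middleware reference in the annotation is misspelled, Traefik drops the router rather than skipping the middleware, so the host silently stops routing instead of forwarding the wrong path.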
TLS And DNS Model
- Standard Lumie domains use `letsencrypt-prod` or `letsencrypt-staging`.
- White-label custom domains use `letsencrypt-customdomain` with Cloudflare DNS-01 so issuance works regardless of HTTP proxy state.
- CoreDNS resolves `*.svc.cluster.local` names inside the cluster and forwards everything else to the node resolver.
The live cluster inspected on June 14, 2026 had all three cluster issuers ready: letsencrypt-prod, letsencrypt-staging, and letsencrypt-customdomain.
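The difference between the standard issuers and the custom-domain issuer, shown as a pair of `ClusterIssuer` resources. This is an added example, not the repo's `cluster-issuer.yaml`: the ACME contact address, the account-key and token Secret names, and the token key are assumed, and the standard issuer is assumed to use HTTP-01 through Traefik, which the page implies (issuance for standard domains depends on the Cloudflare proxy state) but does not state. `ClusterIssuer` secret references resolve in cert-manager's cluster resource namespace, `cert-manager` by default, which is why the Cloudflare token Secret is synced there.

```yaml
# Added example, not repo code. Assumed: contact address, Secret names and
# key, and HTTP-01 for the standard issuer.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging CA: certificates are untrusted but rate limits are generous,
    # so use it while routing is still being debugged.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.invalid            # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01: cert-manager publishes a temporary Ingress on the same class,
      # so validation only succeeds if the public request for
      # /.well-known/acme-challenge/ actually reaches Traefik for that host.
      - http01:
          ingress:
            ingressClassName: traefik   # cert-manager >= 1.12; older releases use "class: traefik"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-customdomain
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.invalid            # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-customdomain-account-key
    solvers:
      # DNS-01: cert-manager writes the _acme-challenge TXT record through the
      # Cloudflare API, so issuance works whether or not the customer hostname
      # is proxied, and even before it routes to the cluster.
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token  # synced by platform/cert-manager/
              key: api-token
```

Two practitioner caveats. Let's Encrypt sends the HTTP-01 probe to port 80, and the NLB in this design forwards only TCP 443, so for the standard issuers the probe has to arrive through the Cloudflare proxy; that is exactly the dependency the DNS-01 issuer removes for customer domains. The Cloudflare token should be scoped to `Zone:DNS:Edit` on the zones cert-manager manages and nothing more, because anyone who can read the `cloudflare-api-token` Secret can otherwise rewrite public DNS for every zone the token covers.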
Operational Notes
- The development cluster ingress intentionally serves only API paths on `dev.lumie-infra.com`; the frontend itself runs locally, so bare `/` returns `404`.
- Traefik timeout values were deliberately extended cluster-wide to support large Zot uploads through the ingress path.
- CoreDNS is deployed as a DaemonSet rather than the k3s default Deployment so every node answers DNS locally.
Contract Drift
Networking has one major repo-versus-runtime drift:
`lumie-infra/README.md` still describes Kong as the ingress controller, but `lumie-infra/AGENTS.md`, product ingress manifests, Terraform comments, and the live cluster all show Traefik as the active ingress path. No live `kong` namespace or Argo CD `kong` application exists as of June 14, 2026.
Treat bootstrap/kong/ as legacy reference material, not the active edge.
Failure Modes
| Failure point | Impact |
|---|---|
| OCI NLB reserved IP detaches | Public HTTPS becomes unreachable before traffic reaches the cluster |
| TLS secret missing or wrong issuer | Traefik serves its default self-signed certificate for that hostname, so clients fail TLS validation until the Certificate is ready |
| CoreDNS DaemonSet or ConfigMap drift | In-cluster name resolution becomes slow or broken |
| Middleware misconfiguration | Backend services receive the wrong request path |
| Kong artifacts mistaken for active config | Operators debug the wrong ingress stack |
Verification
```sh
# Argo CD: the Traefik, CoreDNS and cert-manager applications should be Synced and Healthy, and no kong application should be listed
kubectl get applications -n argocd
# All three ACME issuers should report READY=True
kubectl get clusterissuers
# k3s addon pods: Traefik, and one CoreDNS pod per node for the DaemonSet
kubectl get pods -n kube-system
# Every ingress-related definition the repo declares, to compare against the live objects above
rg -n "traefik|ClusterIssuer|ingressClassName|cert-manager.io/cluster-issuer|Middleware" \
  lumie-infra/provision/terraform \
  lumie-infra/platform \
  lumie-infra/applications
```