bigbang-tracer · phase c sentinel

You hit test.orc.hemble.com.

If you're reading this with a green padlock in the address bar, the full TLS + DNS + ingress chain is up.

Host: test.orc.hemble.com

What had to work for this page to render

DNS resolution
Route53 test.orc.hemble.com ALIAS, written by external-dns, pointing at the Foundation-managed NLB.
NLB reachability
Internet-facing NLB (modules/ingress/aws_nlb) forwarding :443 → :30443 on the RKE2 nodes.
NodePort
Server-node SG opened on 30443 by modules/ingress/node_sg_rules.
L7 routing
ingress-nginx (DaemonSet, externalTrafficPolicy: Local) routing by Host header to the test-app Service.
TLS
Real Let's Encrypt cert issued by cert-manager via DNS-01 against Route53, stored in Secret test-app-tls.
GitOps reconciliation
Foundation pushed the gitops repo to the in-cluster gitea, flux pulled the tag, applied this Deployment + Ingress.

Served by nginx in test-app namespace · ingressClassName: nginx · cluster-issuer: letsencrypt-prod