Phase 10-08: Implement DNS egress NetworkPolicy for staging environment

- Add comprehensive network policies to k8s/staging/network-policy.yaml
- Implements default-deny ingress pattern with explicit allow rules
- Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP)
- Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape
- External API egress for backend (HTTP/HTTPS)
- CDN egress for frontend (HTTP/HTTPS)
- Status: Applied to gravl-staging namespace, verified operational

k8s/production/cert-manager-setup.yaml

@@ -0,0 +1,114 @@
+# cert-manager Installation & Configuration
+# Phase 10-07, Task 5: Production TLS Gate
+# Status: READY FOR IMPLEMENTATION
+
+---
+# 1. Install cert-manager (version 1.14.x for K8s 1.26+)
+# Execution: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+
+# 2. Let's Encrypt ClusterIssuer (Production)
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: ops@gravl.app
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+    - dns01:
+        cloudflare:
+          email: ops@gravl.app
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token
+
+---
+# 3. Let's Encrypt ClusterIssuer (Staging - for testing)
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: cert-manager
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: ops@gravl.app
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+
+---
+# 4. Self-Signed Issuer (Fallback for internal testing)
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: gravl-prod
+spec:
+  selfSigned: {}
+
+---
+# 5. Updated Ingress with cert-manager annotations
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gravl-ingress
+  namespace: gravl-prod
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  tls:
+  - hosts:
+    - gravl.app
+    - api.gravl.app
+    secretName: gravl-tls-prod
+  rules:
+  - host: gravl.app
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 80
+  - host: api.gravl.app
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: backend
+            port:
+              number: 3000
+
+---
+# 6. Secret for Cloudflare API token (for DNS-01 challenges)
+# MANUAL STEP: Create this secret with your Cloudflare API token
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: "PLACEHOLDER_REPLACE_WITH_ACTUAL_TOKEN"