DNS & TLS Reference¶
Before You Read¶
For networking architecture context see Networking. For certificate emergencies see Certificate Rotation Runbook.
DNS Architecture¶
All DNS is managed in the orofi-cloud GCP project using Cloud DNS. This is a shared project separate from the environment-specific projects.
DNS records are created and managed by Terraform via infrastructure-management/modules/dns/. Zones exist for each environment:
| Zone Name | Domain | Records |
|---|---|---|
dev-orofi-xyz |
dev.orofi.xyz |
All *.dev.orofi.xyz records |
stage-orofi-xyz |
stage.orofi.xyz |
All *.stage.orofi.xyz records |
| [NEEDS TEAM INPUT: prod zone name] | orofi.xyz |
Production records |
DNS Records (Staging)¶
Defined in infrastructure-management/projects/orofi-staging/dns.tf.
| Record | Type | Value | TTL | Purpose |
|---|---|---|---|---|
*.stage.orofi.xyz |
A | Ingress static IP | 300 | Wildcard — all HTTPS apps |
mongodb-ext.stage.orofi.xyz |
A | Ingress static IP | 300 | MongoDB via Istio port 32017 |
redis.stage.orofi.xyz |
A | Redis private IP | 300 | Redis cache |
db.stage.orofi.xyz |
A | Cloud SQL private IP | 300 | Shared DB endpoint |
db-int.stage.orofi.xyz |
A | 10.128.0.11 |
300 | Internal direct DB access |
microservice-communication-db.stage.orofi.xyz |
A | Cloud SQL private IP | 300 | Per-service DB |
microservice-identity-db.stage.orofi.xyz |
A | Cloud SQL private IP | 300 | Per-service DB |
microservice-monolith-db.stage.orofi.xyz |
A | Cloud SQL private IP | 300 | Per-service DB |
microservice-analytics-db.stage.orofi.xyz |
A | Cloud SQL private IP | 300 | Per-service DB |
DNS Records (Dev)¶
| Record | Type | Value | Purpose |
|---|---|---|---|
*.dev.orofi.xyz |
A | Ingress static IP | Wildcard |
mongodb-ext.dev.orofi.xyz |
A | Ingress static IP | MongoDB external |
redis.dev.orofi.xyz |
A | Redis private IP | Redis |
db.dev.orofi.xyz |
A | Cloud SQL private IP | DB |
db-int.dev.orofi.xyz |
A | 10.128.0.12 |
Internal direct |
microservice-{name}-db.dev.orofi.xyz |
A | Cloud SQL private IP | Per-service DB |
Modifying DNS Records¶
DNS records are managed by Terraform. To add or change a record:
- Edit
infrastructure-management/projects/orofi-{env}/dns.tf - Add or modify the record using the
modules/dnsmodule pattern - Run
terraform planto verify the change - Run
terraform apply
DNS changes propagate within the configured TTL (300 seconds = 5 minutes).
Do not modify DNS manually
Manual changes in the GCP console will be overwritten by the next terraform apply. Always use Terraform.
TLS Architecture¶
Certificate Issuer Chain¶
Let's Encrypt (CA)
↓
ClusterIssuer: letsencrypt-prod (cert-manager)
↓
Certificate: istio-tls-cert (istio-system)
↓
Secret: istio-tls-cert (istio-system)
↓
Istio IngressGateway (oro-gateway)
↓
TLS termination for *.{env}.orofi.xyz
Issuers Available¶
Defined in infrastructure-management/modules/helm/ as part of the cert-manager Helm deployment:
| Issuer Name | Type | Used For |
|---|---|---|
letsencrypt-prod |
ClusterIssuer |
Production-trusted certificates |
letsencrypt-staging |
ClusterIssuer |
Testing (untrusted, but no rate limits) |
letsencrypt-dev |
ClusterIssuer |
Development certificates |
Certificate Resource¶
# Created in istio-system namespace by cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istio-tls-cert
namespace: istio-system
spec:
secretName: istio-tls-cert
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- "*.{env}.orofi.xyz"
DNS-01 Challenge¶
cert-manager uses DNS-01 (not HTTP-01) for certificate validation. This means:
- cert-manager creates a _acme-challenge.{env}.orofi.xyz TXT record in Cloud DNS
- Let's Encrypt verifies the TXT record exists
- cert-manager removes the TXT record after validation
- No publicly accessible server is required for validation
The cert-manager ServiceAccount in the cert-manager namespace uses Workload Identity to impersonate a GCP service account in orofi-cloud with roles/dns.admin.
Certificate Renewal¶
cert-manager automatically renews certificates 30 days before expiry (default). The renewal is triggered by cert-manager's internal schedule — no manual action is required.
To check certificate health:
# Certificate status
kubectl get certificate -n istio-system
# Detailed status and renewal time
kubectl describe certificate istio-tls-cert -n istio-system
# Expiry date
kubectl get secret istio-tls-cert -n istio-system \
-o jsonpath='{.data.tls\.crt}' | base64 -d | \
openssl x509 -noout -dates
Adding a New Hostname¶
If you need a new subdomain (e.g., myapp.stage.orofi.xyz):
- The wildcard certificate
*.stage.orofi.xyzalready covers it — no cert change needed - Add a DNS record in Terraform if needed (usually the wildcard A record handles it)
- Create an Istio VirtualService routing
myapp.stage.orofi.xyzto your service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: myapp
namespace: my-namespace
spec:
hosts:
- "myapp.stage.orofi.xyz"
gateways:
- istio-system/oro-gateway
http:
- route:
- destination:
host: myapp
port:
number: 80
ArgoCD TLS¶
ArgoCD has its own TLS configuration (separate from the wildcard cert). It uses letsencrypt-prod-secret as defined in infrastructure-management/modules/helm/AppsIngress/app-ingress.yaml:
# ArgoCD ingress gateway uses credential: letsencrypt-prod-secret
tls:
mode: SIMPLE
credentialName: letsencrypt-prod-secret
[NEEDS TEAM INPUT: confirm whether ArgoCD uses a separate certificate or the same istio-tls-cert. The app-ingress.yaml references letsencrypt-prod-secret which suggests a separate cert is issued for ArgoCD specifically.]