Networking
These pages often point at shared systems. Confirm the cluster, namespace, and ownership boundary before running mutating commands.
This page explains how a public request reaches the backend.
In plain language, traffic starts at Cloudflare, enters the cluster through the public gateway, and is then routed to the correct internal service.
Crawbl runs on DigitalOcean Kubernetes (DOKS) in fra1.
Request Flow
Components
| Component | Namespace | Role |
|---|---|---|
| Envoy Gateway | envoy-gateway-system | Gateway API implementation, TLS termination |
| cert-manager | cert-manager | Let's Encrypt certs via Cloudflare DNS-01 |
| external-dns | external-dns | Auto-creates Cloudflare A records from Gateway hostnames |
Our gateway creates the public DigitalOcean LoadBalancer automatically, so we do not hand-configure a separate cluster entry point.
The orchestrator chart includes an HTTPRoute, which is the routing rule that says "requests for this hostname and path should go to this service and port."
That route matches dev.api.crawbl.com/v1/* to port 7171.
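As an added illustration of the two objects described above (not the orchestrator chart's actual manifests), the following shows a Gateway that terminates TLS for dev.api.crawbl.com and an HTTPRoute that sends /v1/* to port 7171. The Gateway name `public-gateway`, the GatewayClass `eg`, the route namespace `orchestrator`, the backend Service name `orchestrator`, and the TLS Secret name `dev-api-crawbl-com-tls` are assumptions; the hostname, port, path, issuer name, and namespaces come from this page.

```yaml
# Added example, not the project's own chart. Names marked "assumed" are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gateway                    # assumed name
  namespace: envoy-gateway-system         # namespace from the Components table
  annotations:
    # Lets cert-manager issue a certificate for each HTTPS listener hostname
    # (requires cert-manager's Gateway API support to be enabled).
    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
spec:
  gatewayClassName: eg                    # assumed GatewayClass installed by Envoy Gateway
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: dev.api.crawbl.com
    tls:
      mode: Terminate                     # TLS ends at the gateway; backends see plain HTTP
      certificateRefs:
      - kind: Secret
        name: dev-api-crawbl-com-tls      # assumed; created and renewed by cert-manager
    allowedRoutes:
      namespaces:
        from: All                         # assumed; a Selector is tighter if only some namespaces may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orchestrator                      # assumed name
  namespace: orchestrator                 # assumed namespace of the orchestrator chart
spec:
  parentRefs:
  - name: public-gateway                  # attaches to the Gateway above
    namespace: envoy-gateway-system
  hostnames:
  - dev.api.crawbl.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1                        # matches /v1 and anything under it
    backendRefs:
    - name: orchestrator                  # assumed Service name in the same namespace
      port: 7171
```

Because the HTTPRoute lives in a different namespace than the Gateway, the listener's allowedRoutes must permit that namespace or the route will show an `Accepted: False` condition in its status. The hostname on the listener and route is also what external-dns reads to create the matching Cloudflare record, so a typo there produces both a missing certificate and a missing DNS entry.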
TLS Configuration
cert-manager uses a ClusterIssuer named letsencrypt-cloudflare.
If those terms are unfamiliar:
- ClusterIssuer is the cluster-wide object that knows how to request certificates
- DNS-01 is the validation method that proves domain ownership by creating DNS records
Current TLS settings:
| Setting | Value |
|---|---|
| Issuer | letsencrypt-cloudflare (ClusterIssuer) |
| ACME server | Let's Encrypt production |
| Challenge type | DNS-01 via Cloudflare |
| API token source | AWS Secrets Manager -> ESO -> cloudflare-api-token K8s Secret in cert-manager |
| Auto-renewal | 30 days before expiry |
The Cloudflare API token is stored in AWS Secrets Manager and synced to a Kubernetes Secret by ESO (External Secrets Operator).
Certificates auto-renew 30 days before expiry.
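The two resources that implement the token path and the issuer in the table above, written out as an added example (these are not the cluster's actual manifests). The ClusterSecretStore name `aws-secrets-manager`, the AWS secret name `crawbl/cloudflare-api-token`, the Secret key `api-token`, the ACME contact address, and the account-key Secret name are assumptions; the issuer name, Secret name, namespace, ACME server, and challenge type come from this page.

```yaml
# Added example, not the project's own manifests. Values marked "assumed" are placeholders.
# 1. ESO pulls the Cloudflare token from AWS Secrets Manager into a K8s Secret
#    in the cert-manager namespace, which is where a ClusterIssuer looks up secrets.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
spec:
  refreshInterval: 1h                     # re-sync so a rotated token in AWS reaches the cluster
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager             # assumed store backed by AWS Secrets Manager
  target:
    name: cloudflare-api-token            # K8s Secret name from the TLS settings table
    creationPolicy: Owner
  data:
  - secretKey: api-token                  # assumed key inside the K8s Secret
    remoteRef:
      key: crawbl/cloudflare-api-token    # assumed secret name in AWS Secrets Manager
---
# 2. The ClusterIssuer that solves DNS-01 challenges through Cloudflare with that token.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cloudflare
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory   # Let's Encrypt production
    email: ops@example.com                # assumed contact address for expiry notices
    privateKeySecretRef:
      name: letsencrypt-cloudflare-account-key   # assumed; ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token    # Secret synced by the ExternalSecret above
            key: api-token                # assumed key, must match secretKey above
```

The Cloudflare token only needs Zone:DNS:Edit on the zones cert-manager issues for; a broader token in this Secret widens the blast radius if the cert-manager namespace is compromised. To confirm the chain is healthy, check that the ExternalSecret reports `SecretSynced`, that the ClusterIssuer reports `Ready: True`, and that any Certificate resource is `Ready` with a `Renewal Time` roughly 30 days before `Not After`.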
DNS
external-dns watches gateway resources and creates the matching Cloudflare DNS records automatically.
That matters because new public services do not require manual DNS edits after the initial setup.
🔗 Terms On This Page
If a term below is unfamiliar, open its glossary entry. For the full list, go to Internal Glossary.
- DOKS: DigitalOcean Kubernetes, the managed Kubernetes service used for the Crawbl cluster.
- Envoy Gateway: The public gateway that receives incoming traffic and routes it to internal services.
- HTTPRoute: The routing rule that tells the gateway which hostname and path should reach which service.
- ClusterIssuer: The cluster-wide cert-manager object that knows how to obtain certificates.
- DNS-01: A certificate-validation method that proves domain control by creating DNS records.
- cert-manager: The controller that requests, renews, and stores TLS certificates inside Kubernetes.
- external-dns: The controller that creates and updates DNS records from Kubernetes or gateway resources.