docs: Kura self-host / on-prem operator guide (single-host, cert-manager, ingress-nginx, upgrade migration)

Background

The single-host gRPC change (#11356) reshapes how the Kura controller exposes gRPC, but there is no Kura self-host / on-prem documentation today — server/priv/docs/en/guides/server/self-host/ only has server.md and telemetry.md, neither mentions Kura. Raised in review of #11356.

Goal

Write a Kura self-host / on-prem operator guide (or section) covering what an operator needs to deploy and upgrade Kura safely after single-host.

Content to cover

• Single-host model: the HTTP cache and Bazel REAPI gRPC are served from one host (https://<host> / grpcs://<host>), path-split at the ingress — there is no separate grpc.<host>.
• cert-manager requirement: the controller touches the cert-manager Certificate kind on every reconcile; without the CRD installed it fails with NoMatchError (see #11388). Document cert-manager as a prerequisite (pending the decision in #11388).
• ingress-nginx requirement: the path-split relies on nginx.ingress.kubernetes.io/* annotations (use-regex, per-location backend-protocol); a non-nginx controller (Traefik/Contour/HAProxy/Cilium) silently routes gRPC to the HTTP backend.
• Upgrade / migration (blast radius): bumping @manifest_revision re-reconciles every KuraInstance on the first server start after upgrade, rewriting the gRPC Ingress in place from grpc.<host> to <host> with no staged-rollout flag. Operators who run their own DNS for grpc.<host> and have Bazel WORKSPACE files pinned to grpcs://grpc.<host>:443 must retire the grpc.<host> DNS record and update WORKSPACE configs — once the Ingress no longer claims that host, ingress-nginx returns 404.

References

• #11356 (single-host change)
• #11388 (cert-manager requirement decision)
• Review threads: pullrequestreview-4530759072 (r3440813028 migration, r3440813052 blast radius)

No GitHub comments yet.