Networking
This guide covers network configuration for self-hosted agent.ceo deployments on Kubernetes.
DNS Configuration
Agent.ceo requires two DNS records pointing to your cluster's ingress:
| Record | Purpose | Example |
|---|---|---|
| agent.yourdomain.com | Dashboard and API | A/CNAME → ingress LB |
| api.agent.yourdomain.com | API gateway (optional) | A/CNAME → ingress LB |
TLS Certificates
All traffic must be encrypted with TLS. Options:
cert-manager (recommended)
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: agent-ceo-tls
  namespace: agents-gateway
spec:
  secretName: agent-ceo-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - agent.yourdomain.com
    - api.agent.yourdomain.com
```
Manual Certificates
Create a TLS secret from your certificate files:
```bash
kubectl create secret tls agent-ceo-tls \
  --cert=tls.crt \
  --key=tls.key \
  -n agents-gateway
```
Ingress Configuration
Agent.ceo requires WebSocket support for the terminal feature. Ensure your ingress controller supports WebSocket upgrades:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: agent-ceo
  annotations:
    # Timeouts are in seconds; long values keep idle WebSocket terminal sessions open
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/websocket-services: "api-gateway"
```
Network Policies
Restrict agent pod egress to only the services they need:
- Required — NATS, Neo4j, PostgreSQL, API gateway
- Optional — GitHub API, npm registry, PyPI, Docker registries
- Block — Other agent pods (agents communicate via NATS, not directly)
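One way to express the required allow-list as a Kubernetes NetworkPolicy. This is an added example, not a manifest shipped by agent.ceo: the `agents` namespace and every `app:` label are assumptions to replace with your deployment's values, and the ports come from the firewall table in this guide. It assumes a CNI plugin that enforces NetworkPolicy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-egress-allowlist
  namespace: agents                # assumed namespace of the agent pods
spec:
  podSelector:
    matchLabels:
      app: agent                   # assumed label on agent pods
  policyTypes:
    - Egress                       # anything not listed below is dropped
  egress:
    # DNS, so service names for the backends still resolve
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # NATS client connections
    - to:
        - namespaceSelector: {}
          podSelector: {matchLabels: {app: nats}}         # assumed label
      ports:
        - {protocol: TCP, port: 4222}
    # Neo4j HTTP and Bolt
    - to:
        - namespaceSelector: {}
          podSelector: {matchLabels: {app: neo4j}}        # assumed label
      ports:
        - {protocol: TCP, port: 7474}
        - {protocol: TCP, port: 7687}
    # PostgreSQL
    - to:
        - namespaceSelector: {}
          podSelector: {matchLabels: {app: postgresql}}   # assumed label
      ports:
        - {protocol: TCP, port: 5432}
    # API gateway pods in the agents-gateway namespace
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: agents-gateway}
          podSelector: {matchLabels: {app: api-gateway}}  # assumed label
```

No rule selects `app: agent`, so direct agent-to-agent traffic is dropped. The standard NetworkPolicy API matches on labels and IP blocks rather than DNS names, so the optional destinations (GitHub API, npm registry, PyPI, Docker registries) need an egress proxy or a CNI with hostname-based policies.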
Firewall Rules
Ensure the following ports are open:
| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | HTTPS ingress |
| 4222 | TCP | NATS client connections (internal) |
| 7474 | TCP | Neo4j HTTP (internal) |
| 7687 | TCP | Neo4j Bolt (internal) |
| 5432 | TCP | PostgreSQL (internal) |
Next Steps
- Install on Kubernetes — Full installation guide
- Secrets management — Secure credential storage
- Upgrades — Updating your deployment