| 1.1 | Add DNS A records for all subdomains in Route53 | Create A records in AWS Route53 for app, api, admin, keycloak, grafana, gitlab, wazuh, and doc subdomains, all pointing to the cluster's external IP. | `dig +short <subdomain>.redactedworld.com` returns the cluster IP for every subdomain. |
| 1.2 | Install Traefik, remove NGINX ingress | Deploy Traefik via Helm chart with TLS termination (Let's Encrypt / cert-manager), then remove the NGINX ingress controller and its resources. | Traefik pods are Running; NGINX ingress pods are gone; existing sites remain reachable through Traefik. |
| 1.3 | Deploy Keycloak | Deploy Keycloak with a PostgreSQL-backed realm (redactedworld), admin console on keycloak.redactedworld.com, and initial client registrations for the API Gateway and Angular frontend. | Keycloak admin console is reachable; a test user can authenticate via the redactedworld realm. |
| 1.4 | Deploy SpiceDB | Deploy SpiceDB (Authzed) with a PostgreSQL datastore and load the initial permissions schema defining user, organization, domain, and scan object types. | `zed schema read` returns the loaded schema; `zed permission check` succeeds for a test tuple. |
| 1.5 | Deploy ClickHouse | Deploy a single-node ClickHouse instance with persistent storage, create the scans and events databases, and configure retention policies. | `clickhouse-client --query "SHOW DATABASES"` lists scans and events; inserts and queries succeed. |
| 1.6 | Deploy Elasticsearch | Deploy a single-node Elasticsearch 8 instance with persistent storage and create index templates for scan reports and forum posts. | `curl -s http://elasticsearch:9200/_cluster/health` returns `"status":"green"` or `"status":"yellow"`; index templates are listed. |
| 1.7 | Migrate ingress rules to Traefik IngressRoutes | Convert every existing NGINX Ingress resource to a Traefik IngressRoute CRD with TLS passthrough or termination as appropriate. | All previously routed services respond correctly through Traefik; no NGINX Ingress resources remain. |
| 1.8 | Provision additional worker nodes | Add worker nodes (or increase node pool size) to handle the expected workload from scan jobs and data stores. | `kubectl get nodes` shows the new nodes in Ready state; resource headroom is sufficient for Phase 2+. |
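
The acceptance check for task 1.1 can be scripted so that a missing record or a stale extra A record fails the run. This is an added example, not part of the original plan; `check_dns`, `resolve` and the `RESOLVER` override are names assumed for this sketch.

```shell
#!/bin/sh
# Added example: scripted acceptance check for task 1.1 (DNS A records).
DOMAIN="redactedworld.com"
SUBDOMAINS="app api admin keycloak grafana gitlab wazuh doc"

# resolve FQDN: prints one answer per line.
# RESOLVER is an assumed override for this example (a wrapper or a test stub);
# by default the check runs `dig +short`, as in the acceptance criterion.
resolve() {
    ${RESOLVER:-dig +short} "$1"
}

# check_dns EXPECTED_IP
# Prints one FAIL line per subdomain whose answer set is not exactly
# EXPECTED_IP, and returns the number of failing subdomains (0 = pass).
# The comparison is strict: an empty answer, a CNAME target, or a second
# (stale) A record next to the correct one all count as failures.
check_dns() {
    expected="$1"
    failures=0
    for sub in $SUBDOMAINS; do
        fqdn="$sub.$DOMAIN"
        answers=$(resolve "$fqdn" 2>/dev/null | sort -u)
        if [ -z "$answers" ]; then
            echo "FAIL $fqdn: no A record"
            failures=$((failures + 1))
        elif [ "$answers" != "$expected" ]; then
            echo "FAIL $fqdn: expected $expected, got $(echo $answers)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use: pass the cluster's external IP as the first argument.
if [ "$#" -gt 0 ]; then
    check_dns "$1"
fi
```
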