fix: Traefik | abstract TLSOptions class

2025-11-29 13:20:07 +05:00
parent ca8d140baf
commit 33a8dcdaf2
3 changed files with 59 additions and 1 deletions
--- a/network-security/index.ts
+++ b/network-security/index.ts
@@ -7,9 +7,10 @@ import {
  RateLimitMiddleware,
  IpAllowListMiddleware,
  IpAllowListMiddlewareTCP,
+  TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
-import { InternalIngressRoute } from "../utils";
+import { InternalIngressRoute, PrivateCertificate } from "../utils";

 export class NetworkSecurity extends TerraformStack {
  constructor(scope: Construct, id: string) {
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
      name: "rate-limit",
    });

+    new TLSOptions(this, "tls-options", {
+      provider: kubernetes,
+      namespace,
+    });
+
    new IpAllowListMiddleware(this, "internal-ip-allow-list", {
      provider: kubernetes,
      namespace,
@@ -81,6 +87,15 @@ export class NetworkSecurity extends TerraformStack {
      sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
    });

+    new PrivateCertificate(this, "longhorn-cert", {
+      provider: kubernetes,
+      namespace: "longhorn-system",
+      name: "longhorn-ui",
+      dnsNames: ["longhorn.dogar.dev"],
+      commonName: "longhorn.dogar.dev",
+      secretName: "longhorn-tls",
+    });
+
    new InternalIngressRoute(this, "longhorn-ui", {
      provider: kubernetes,
      namespace: "longhorn-system",
@@ -88,6 +103,16 @@ export class NetworkSecurity extends TerraformStack {
      host: "longhorn.dogar.dev",
      serviceName: "longhorn-frontend",
      servicePort: 80,
+      tlsSecretName: "longhorn-tls",
+    });
+
+    new PrivateCertificate(this, "grafana-cert", {
+      provider: kubernetes,
+      namespace: "monitoring",
+      name: "grafana-ui",
+      dnsNames: ["grafana.dogar.dev"],
+      commonName: "grafana.dogar.dev",
+      secretName: "grafana-tls",
    });

    new InternalIngressRoute(this, "grafana-ui", {
@@ -97,6 +122,7 @@ export class NetworkSecurity extends TerraformStack {
      host: "grafana.dogar.dev",
      serviceName: "prometheus-operator-grafana",
      servicePort: 80,
+      tlsSecretName: "grafana-tls",
    });
  }
 }
--- a/network-security/traefik/index.ts
+++ b/network-security/traefik/index.ts
@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";
--- a/network-security/traefik/tlsOpts.ts
+++ b/network-security/traefik/tlsOpts.ts
@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: { provider: KubernetesProvider; namespace: string },
+  ) {
+    super(scope, id);
+
+    const { provider, namespace } = opts;
+
+    new Manifest(this, "traefik-tls-options", {
+      provider,
+      manifest: {
+        apiVersion: "traefik.io/v1alpha1",
+        kind: "TLSOption",
+        metadata: {
+          namespace,
+          name: "tls-options",
+        },
+        spec: {
+          minVersion: "VersionTLS13",
+          sniStrict: true,
+        },
+      },
+    });
+  }
+}