diff --git a/core-services/cert-manager/index.ts b/core-services/cert-manager/index.ts
index cd88c5d..11bfa08 100644
--- a/core-services/cert-manager/index.ts
+++ b/core-services/cert-manager/index.ts
@@ -6,7 +6,6 @@ import { Construct } from "constructs";
 
 type CertManagerOptions = {
 provider: HelmProvider;
- version: string;
 name: string;
 namespace: string;
 };
@@ -15,13 +14,12 @@ export class CertManager extends Construct {
 constructor(scope: Construct, id: string, options: CertManagerOptions) {
 super(scope, id);
 
- const { namespace, name, version, provider } = options;
+ const { namespace, name, provider } = options;
 
 new Release(this, id, {
 provider,
 name,
 namespace,
- version,
 repository: "https://charts.jetstack.io",
 chart: "cert-manager",
 createNamespace: true,
diff --git a/core-services/cert-manager/values.yaml b/core-services/cert-manager/values.yaml
index bedeca1..7a600dc 100644
--- a/core-services/cert-manager/values.yaml
+++ b/core-services/cert-manager/values.yaml
@@ -1,6 +1,8 @@
 crds:
 enabled: true
+ keep: true
 prometheus:
 enabled: true
 webhook:
 timeoutSeconds: 4
+enableCertificateOwnerRef: true
diff --git a/core-services/index.ts b/core-services/index.ts
index b80e576..389144f 100644
--- a/core-services/index.ts
+++ b/core-services/index.ts
@@ -59,7 +59,6 @@ export class CoreServices extends TerraformStack {
 provider: helm,
 name: "cert-manager",
 namespace,
- version: "1.18.2",
 });
 }
 }
diff --git a/pki/index.ts b/pki/index.ts
index adb9299..07e47b3 100644
--- a/pki/index.ts
+++ b/pki/index.ts
@@ -52,12 +52,9 @@ export class PKI extends TerraformStack {
 provider: kubernetes,
 namespace,
 apiVersion: "cert-manager.io/v1",
- secretName: "root-secret",
+ rootSecretName: "root-secret",
+ intermediateSecretName: `${namespace}-ca-secret`,
 commonName: "Homelab Root CA",
- privateKey: {
- algorithm: "Ed25519",
- size: 256,
- },
 });
 
 new PublicIssuer(this, "public-issuer", {
diff --git a/pki/issuers/private.ts b/pki/issuers/private.ts
index 989d2e0..705e103 100644
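Review bot: Dropping `version` from the Helm `Release` here (together with the matching `version: "1.18.2"` removal in the `core-services/index.ts` hunk) leaves the cert-manager chart unpinned, so each apply resolves to whatever `https://charts.jetstack.io` currently serves and a major cert-manager upgrade, with its CRD and default-behaviour changes, can land without review. A pinned chart version is also what makes the deployment reproducible when an incident requires knowing exactly which cert-manager was running. If the aim is only to stop `CoreServices` hard-coding the number, keep the field as optional with an explicit default: `version?: string;` in `CertManagerOptions`, `const { namespace, name, provider, version = "1.18.2" } = options;`, and leave `version,` in the `Release` props, so a bump remains a one-line reviewable diff.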
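Review bot: `enableCertificateOwnerRef: true` makes cert-manager add an ownerReference from each issued Secret to its Certificate, so deleting a Certificate object now garbage-collects its Secret — and in this commit that includes the CA material, since `root-ca` and `intermediate-ca` in `pki/issuers/private.ts` own `root-secret` and the intermediate secret. A rename or accidental deletion of either Certificate (this very commit renames `selfsigned-ca` to `root-ca`) would then discard the CA key, and cert-manager would mint a fresh root into the same secret name, silently replacing the trust anchor that clients and the intermediate were built on. Either keep the flag off and clean up leaf Secrets deliberately, or record the constraint beside the value, e.g. `# Secrets are owned by their Certificate; deleting root-ca/intermediate-ca deletes the CA keys — back them up before touching those objects`. `crds.keep: true` is the right companion setting, since uninstalling the chart would otherwise remove the CRDs and with them every Certificate.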
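Review bot: `commonName: "Homelab Root CA"` is kept as the caller's value, but the new `PrivateIssuer` (see the `pki/issuers/private.ts` hunks) builds its subjects as `${commonName} Root CA` and `${commonName} Intermediate CA`, so the issued CAs will carry the CNs `Homelab Root CA Root CA` and `Homelab Root CA Intermediate CA`. Pass the bare name here, `commonName: "Homelab",` — or, if callers should own the full subject, drop the suffixing in `PrivateIssuer` instead of doing both. The two secret names also follow different schemes (`"root-secret"` is fixed while the intermediate is `${namespace}-ca-secret`); naming both the same way makes the CA secrets easier to locate and audit. The enclosing `PKI` constructor starts before this hunk and continues past it.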
--- a/pki/issuers/private.ts
+++ b/pki/issuers/private.ts
@@ -7,11 +7,8 @@ type PrivateIssuerOptions = {
 namespace: string;
 apiVersion: string;
 commonName: string;
- secretName: string;
- privateKey: {
- algorithm: "RSA" | "ECDSA" | "Ed25519";
- size: number;
- };
+ rootSecretName: string;
+ intermediateSecretName: string;
 };
 
 export class PrivateIssuer extends Construct {
@@ -21,44 +18,41 @@ export class PrivateIssuer extends Construct {
 const {
 provider,
 namespace,
- commonName,
- privateKey,
- secretName,
 apiVersion,
+ commonName,
+ rootSecretName,
+ intermediateSecretName,
 } = options;
 
- // Self-signed ClusterIssuer for initial CA
- new Manifest(this, "ca-issuer", {
+ //
+ // 1. Root CA (self-signed)
+ //
+ new Manifest(this, "root-ca-issuer", {
 provider,
 manifest: {
 apiVersion,
 kind: "ClusterIssuer",
- metadata: {
- name: "ca-issuer",
- },
- spec: {
- selfSigned: {},
- },
+ metadata: { name: "root-ca-selfsigned" },
+ spec: { selfSigned: {} },
 },
 });
 
- // Self-signed CA Certificate
- new Manifest(this, "selfsigned-ca", {
+ new Manifest(this, "root-ca", {
 provider,
 manifest: {
 apiVersion,
 kind: "Certificate",
- metadata: {
- name: "selfsigned-ca",
- namespace,
- },
+ metadata: { name: "root-ca", namespace },
 spec: {
 isCA: true,
- commonName,
- secretName,
- privateKey,
+ commonName: `${commonName} Root CA`,
+ secretName: rootSecretName,
+ privateKey: {
+ algorithm: "RSA",
+ size: 4096,
+ },
 issuerRef: {
- name: "ca-issuer",
+ name: "root-ca-selfsigned",
 kind: "ClusterIssuer",
 group: "cert-manager.io",
 },
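Review bot: The `root-ca` Certificate sets neither `duration` nor `renewBefore` (nor does `intermediate-ca` in the following hunk), so both CAs inherit cert-manager's defaults — a 90-day lifetime renewed on its default schedule — and the trust anchor that clients pin and the intermediate is chained to is regenerated roughly every two months. Give the CAs an explicit, long lifetime in `spec`, for example `duration: "87600h",` and `renewBefore: "8760h",` for the root, and state the intended key behaviour on renewal with `privateKey.rotationPolicy` rather than relying on the version-dependent default. The three-line `//` banner (`//`, `// 1. Root CA (self-signed)`, `//`) would read more conventionally as the single line `// 1. Root CA (self-signed)`. The enclosing `PrivateIssuer` constructor starts before this hunk and continues past it.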
@@ -66,19 +60,55 @@ export class PrivateIssuer extends Construct {
 },
 });
 
- // CA-based ClusterIssuer
+ //
+ // 2. Intermediate CA (signed by root CA)
+ //
+ new Manifest(this, "intermediate-ca-issuer", {
+ provider,
+ manifest: {
+ apiVersion,
+ kind: "ClusterIssuer",
+ metadata: { name: "root-ca-signer" },
+ spec: {
+ ca: { secretName: rootSecretName },
+ },
+ },
+ });
+
+ new Manifest(this, "intermediate-ca", {
+ provider,
+ manifest: {
+ apiVersion,
+ kind: "Certificate",
+ metadata: { name: "intermediate-ca", namespace },
+ spec: {
+ isCA: true,
+ commonName: `${commonName} Intermediate CA`,
+ secretName: intermediateSecretName,
+ privateKey: {
+ algorithm: "ECDSA",
+ size: 384,
+ },
+ issuerRef: {
+ name: "root-ca-signer",
+ kind: "ClusterIssuer",
+ group: "cert-manager.io",
+ },
+ },
+ },
+ });
+
+ //
+ // 3. Final public cluster issuer (used by your apps)
+ //
 new Manifest(this, "cluster-issuer", {
 provider,
 manifest: {
 apiVersion,
 kind: "ClusterIssuer",
- metadata: {
- name: "cluster-issuer",
- },
+ metadata: { name: "cluster-issuer" },
 spec: {
- ca: {
- secretName,
- },
+ ca: { secretName: intermediateSecretName },
 },
 },
 });
diff --git a/utils/cert-manager/internal.ts b/utils/cert-manager/internal.ts
index aa43714..034a520 100644
--- a/utils/cert-manager/internal.ts
+++ b/utils/cert-manager/internal.ts
@@ -32,9 +32,10 @@ export class PrivateCertificate extends Certificate {
 kind: "ClusterIssuer",
 },
 privateKey: {
- algorithm: "Ed25519",
+ algorithm: "ECDSA",
 size: 384,
 },
+ usages: ["digital signature", "key encipherment", "server auth"],
 });
 }
 }
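Review bot: `root-ca-signer` is created as a `ClusterIssuer` over `rootSecretName`, which turns the root key into a cluster-wide signing endpoint: any namespace can reference it from a Certificate, including one with `isCA: true`, and obtain a root-signed certificate that bypasses the intermediate this hunk introduces. Its only intended consumer is `intermediate-ca`, which lives in `namespace` next to the root secret, so a namespaced `Issuer` confines the root signing path: `kind: "Issuer",` and `metadata: { name: "root-ca-signer", namespace },` on the issuer, and `kind: "Issuer",` in `intermediate-ca`'s `issuerRef`. That also removes an implicit assumption, since a `ClusterIssuer` reads `ca.secretName` from cert-manager's cluster-resource namespace rather than from `namespace`. The heading `// 3. Final public cluster issuer (used by your apps)` is misleading for a private-CA issuer; `// 3. Cluster-wide issuer backed by the intermediate CA (used by workloads)` states what it is.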
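Review bot: The new `usages` entry pairs `"key encipherment"` with the `ECDSA` key chosen two lines above; RFC 5280 reserves keyEncipherment for keys that transport symmetric keys (RSA key transport), which an EC signing key cannot do, so the bit is meaningless here and strict verifiers or CA policies may reject or warn on it. `usages: ["digital signature", "server auth"],` is the accurate set for an ECDSA TLS server certificate; add `"client auth"` only if `PrivateCertificate` is also presented by clients in mutual TLS, which this hunk does not show. The `PrivateCertificate` constructor starts before this hunk.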