feat: CertManager | update to latest version

Also improve pki
2025-11-29 13:18:34 +05:00
parent a753fc0e1e
commit 3c947c05ad
6 changed files with 70 additions and 43 deletions
--- a/pki/issuers/private.ts
+++ b/pki/issuers/private.ts
@@ -7,11 +7,8 @@ type PrivateIssuerOptions = {
  namespace: string;
  apiVersion: string;
  commonName: string;
-  secretName: string;
-  privateKey: {
-    algorithm: "RSA" | "ECDSA" | "Ed25519";
-    size: number;
-  };
+  rootSecretName: string;
+  intermediateSecretName: string;
 };

 export class PrivateIssuer extends Construct {
@@ -21,44 +18,41 @@ export class PrivateIssuer extends Construct {
    const {
      provider,
      namespace,
-      commonName,
-      privateKey,
-      secretName,
      apiVersion,
+      commonName,
+      rootSecretName,
+      intermediateSecretName,
    } = options;

-    // Self-signed ClusterIssuer for initial CA
-    new Manifest(this, "ca-issuer", {
+    //
+    // 1. Root CA (self-signed)
+    //
+    new Manifest(this, "root-ca-issuer", {
      provider,
      manifest: {
        apiVersion,
        kind: "ClusterIssuer",
-        metadata: {
-          name: "ca-issuer",
-        },
-        spec: {
-          selfSigned: {},
-        },
+        metadata: { name: "root-ca-selfsigned" },
+        spec: { selfSigned: {} },
      },
    });

-    // Self-signed CA Certificate
-    new Manifest(this, "selfsigned-ca", {
+    new Manifest(this, "root-ca", {
      provider,
      manifest: {
        apiVersion,
        kind: "Certificate",
-        metadata: {
-          name: "selfsigned-ca",
-          namespace,
-        },
+        metadata: { name: "root-ca", namespace },
        spec: {
          isCA: true,
-          commonName,
-          secretName,
-          privateKey,
+          commonName: `${commonName} Root CA`,
+          secretName: rootSecretName,
+          privateKey: {
+            algorithm: "RSA",
+            size: 4096,
+          },
          issuerRef: {
-            name: "ca-issuer",
+            name: "root-ca-selfsigned",
            kind: "ClusterIssuer",
            group: "cert-manager.io",
          },
@@ -66,19 +60,55 @@ export class PrivateIssuer extends Construct {
      },
    });

-    // CA-based ClusterIssuer
+    //
+    // 2. Intermediate CA (signed by root CA)
+    //
+    new Manifest(this, "intermediate-ca-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: { name: "root-ca-signer" },
+        spec: {
+          ca: { secretName: rootSecretName },
+        },
+      },
+    });
+
+    new Manifest(this, "intermediate-ca", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "Certificate",
+        metadata: { name: "intermediate-ca", namespace },
+        spec: {
+          isCA: true,
+          commonName: `${commonName} Intermediate CA`,
+          secretName: intermediateSecretName,
+          privateKey: {
+            algorithm: "ECDSA",
+            size: 384,
+          },
+          issuerRef: {
+            name: "root-ca-signer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    });
+
+    //
+    // 3. Final public cluster issuer (used by your apps)
+    //
    new Manifest(this, "cluster-issuer", {
      provider,
      manifest: {
        apiVersion,
        kind: "ClusterIssuer",
-        metadata: {
-          name: "cluster-issuer",
-        },
+        metadata: { name: "cluster-issuer" },
        spec: {
-          ca: {
-            secretName,
-          },
+          ca: { secretName: intermediateSecretName },
        },
      },
    });