feat: CertManager | update to latest version

Also improve pki

core-services/cert-manager/index.ts

@@ -6,7 +6,6 @@ import { Construct } from "constructs";
 
 type CertManagerOptions = {
   provider: HelmProvider;
-  version: string;
   name: string;
   namespace: string;
 };
@@ -15,13 +14,12 @@ export class CertManager extends Construct {
   constructor(scope: Construct, id: string, options: CertManagerOptions) {
     super(scope, id);
 
-    const { namespace, name, version, provider } = options;
+    const { namespace, name, provider } = options;
 
     new Release(this, id, {
       provider,
       name,
       namespace,
-      version,
       repository: "https://charts.jetstack.io",
       chart: "cert-manager",
       createNamespace: true,

core-services/cert-manager/values.yaml

@@ -1,6 +1,8 @@
 crds:
   enabled: true
+  keep: true
 prometheus:
   enabled: true
 webhook:
   timeoutSeconds: 4
+enableCertificateOwnerRef: true

core-services/index.ts

@@ -59,7 +59,6 @@ export class CoreServices extends TerraformStack {
       provider: helm,
       name: "cert-manager",
       namespace,
-      version: "1.18.2",
     });
   }
 }

pki/index.ts

@@ -52,12 +52,9 @@ export class PKI extends TerraformStack {
       provider: kubernetes,
       namespace,
       apiVersion: "cert-manager.io/v1",
-      secretName: "root-secret",
+      rootSecretName: "root-secret",
+      intermediateSecretName: `${namespace}-ca-secret`,
       commonName: "Homelab Root CA",
-      privateKey: {
-        algorithm: "Ed25519",
-        size: 256,
-      },
     });
 
     new PublicIssuer(this, "public-issuer", {

pki/issuers/private.ts

@@ -7,11 +7,8 @@ type PrivateIssuerOptions = {
   namespace: string;
   apiVersion: string;
   commonName: string;
-  secretName: string;
+  rootSecretName: string;
-  privateKey: {
+  intermediateSecretName: string;
-    algorithm: "RSA" | "ECDSA" | "Ed25519";
-    size: number;
-  };
 };
 
 export class PrivateIssuer extends Construct {
@@ -21,44 +18,41 @@ export class PrivateIssuer extends Construct {
     const {
       provider,
       namespace,
-      commonName,
-      privateKey,
-      secretName,
       apiVersion,
+      commonName,
+      rootSecretName,
+      intermediateSecretName,
     } = options;
 
-    // Self-signed ClusterIssuer for initial CA
+    //
-    new Manifest(this, "ca-issuer", {
+    // 1. Root CA (self-signed)
+    //
+    new Manifest(this, "root-ca-issuer", {
       provider,
       manifest: {
         apiVersion,
         kind: "ClusterIssuer",
-        metadata: {
+        metadata: { name: "root-ca-selfsigned" },
-          name: "ca-issuer",
+        spec: { selfSigned: {} },
-        },
-        spec: {
-          selfSigned: {},
-        },
       },
     });
 
-    // Self-signed CA Certificate
+    new Manifest(this, "root-ca", {
-    new Manifest(this, "selfsigned-ca", {
       provider,
       manifest: {
         apiVersion,
         kind: "Certificate",
-        metadata: {
+        metadata: { name: "root-ca", namespace },
-          name: "selfsigned-ca",
-          namespace,
-        },
         spec: {
           isCA: true,
-          commonName,
+          commonName: `${commonName} Root CA`,
-          secretName,
+          secretName: rootSecretName,
-          privateKey,
+          privateKey: {
+            algorithm: "RSA",
+            size: 4096,
+          },
           issuerRef: {
-            name: "ca-issuer",
+            name: "root-ca-selfsigned",
             kind: "ClusterIssuer",
             group: "cert-manager.io",
           },
@@ -66,19 +60,55 @@ export class PrivateIssuer extends Construct {
       },
     });
 
-    // CA-based ClusterIssuer
+    //
+    // 2. Intermediate CA (signed by root CA)
+    //
+    new Manifest(this, "intermediate-ca-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: { name: "root-ca-signer" },
+        spec: {
+          ca: { secretName: rootSecretName },
+        },
+      },
+    });
+
+    new Manifest(this, "intermediate-ca", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "Certificate",
+        metadata: { name: "intermediate-ca", namespace },
+        spec: {
+          isCA: true,
+          commonName: `${commonName} Intermediate CA`,
+          secretName: intermediateSecretName,
+          privateKey: {
+            algorithm: "ECDSA",
+            size: 384,
+          },
+          issuerRef: {
+            name: "root-ca-signer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    });
+
+    //
+    // 3. Final public cluster issuer (used by your apps)
+    //
     new Manifest(this, "cluster-issuer", {
       provider,
       manifest: {
         apiVersion,
         kind: "ClusterIssuer",
-        metadata: {
+        metadata: { name: "cluster-issuer" },
-          name: "cluster-issuer",
-        },
         spec: {
-          ca: {
+          ca: { secretName: intermediateSecretName },
-            secretName,
-          },
         },
       },
     });

utils/cert-manager/internal.ts

@@ -32,9 +32,10 @@ export class PrivateCertificate extends Certificate {
         kind: "ClusterIssuer",
       },
       privateKey: {
-        algorithm: "Ed25519",
+        algorithm: "ECDSA",
         size: 384,
       },
+      usages: ["digital signature", "key encipherment", "server auth"],
     });
   }
 }