feat: CertManager | update to latest version

Also improve pki
2025-11-29 13:18:34 +05:00
parent a753fc0e1e
commit 3c947c05ad
6 changed files with 70 additions and 43 deletions
--- a/core-services/cert-manager/index.ts
+++ b/core-services/cert-manager/index.ts
@@ -6,7 +6,6 @@ import { Construct } from "constructs";

 type CertManagerOptions = {
  provider: HelmProvider;
-  version: string;
  name: string;
  namespace: string;
 };
@@ -15,13 +14,12 @@ export class CertManager extends Construct {
  constructor(scope: Construct, id: string, options: CertManagerOptions) {
    super(scope, id);

-    const { namespace, name, version, provider } = options;
+    const { namespace, name, provider } = options;

    new Release(this, id, {
      provider,
      name,
      namespace,
-      version,
      repository: "https://charts.jetstack.io",
      chart: "cert-manager",
      createNamespace: true,
--- a/core-services/cert-manager/values.yaml
+++ b/core-services/cert-manager/values.yaml
@@ -1,6 +1,8 @@
 crds:
  enabled: true
+  keep: true
 prometheus:
  enabled: true
 webhook:
  timeoutSeconds: 4
+enableCertificateOwnerRef: true
--- a/core-services/index.ts
+++ b/core-services/index.ts
@@ -59,7 +59,6 @@ export class CoreServices extends TerraformStack {
      provider: helm,
      name: "cert-manager",
      namespace,
-      version: "1.18.2",
    });
  }
 }
--- a/pki/index.ts
+++ b/pki/index.ts
@@ -52,12 +52,9 @@ export class PKI extends TerraformStack {
      provider: kubernetes,
      namespace,
      apiVersion: "cert-manager.io/v1",
-      secretName: "root-secret",
+      rootSecretName: "root-secret",
+      intermediateSecretName: `${namespace}-ca-secret`,
      commonName: "Homelab Root CA",
-      privateKey: {
-        algorithm: "Ed25519",
-        size: 256,
-      },
    });

    new PublicIssuer(this, "public-issuer", {
--- a/pki/issuers/private.ts
+++ b/pki/issuers/private.ts
@@ -7,11 +7,8 @@ type PrivateIssuerOptions = {
  namespace: string;
  apiVersion: string;
  commonName: string;
-  secretName: string;
-  privateKey: {
-    algorithm: "RSA" | "ECDSA" | "Ed25519";
-    size: number;
-  };
+  rootSecretName: string;
+  intermediateSecretName: string;
 };

 export class PrivateIssuer extends Construct {
@@ -21,44 +18,41 @@ export class PrivateIssuer extends Construct {
    const {
      provider,
      namespace,
-      commonName,
-      privateKey,
-      secretName,
      apiVersion,
+      commonName,
+      rootSecretName,
+      intermediateSecretName,
    } = options;

-    // Self-signed ClusterIssuer for initial CA
-    new Manifest(this, "ca-issuer", {
+    //
+    // 1. Root CA (self-signed)
+    //
+    new Manifest(this, "root-ca-issuer", {
      provider,
      manifest: {
        apiVersion,
        kind: "ClusterIssuer",
-        metadata: {
-          name: "ca-issuer",
-        },
-        spec: {
-          selfSigned: {},
-        },
+        metadata: { name: "root-ca-selfsigned" },
+        spec: { selfSigned: {} },
      },
    });

-    // Self-signed CA Certificate
-    new Manifest(this, "selfsigned-ca", {
+    new Manifest(this, "root-ca", {
      provider,
      manifest: {
        apiVersion,
        kind: "Certificate",
-        metadata: {
-          name: "selfsigned-ca",
-          namespace,
-        },
+        metadata: { name: "root-ca", namespace },
        spec: {
          isCA: true,
-          commonName,
-          secretName,
-          privateKey,
+          commonName: `${commonName} Root CA`,
+          secretName: rootSecretName,
+          privateKey: {
+            algorithm: "RSA",
+            size: 4096,
+          },
          issuerRef: {
-            name: "ca-issuer",
+            name: "root-ca-selfsigned",
            kind: "ClusterIssuer",
            group: "cert-manager.io",
          },
@@ -66,19 +60,55 @@ export class PrivateIssuer extends Construct {
      },
    });

-    // CA-based ClusterIssuer
+    //
+    // 2. Intermediate CA (signed by root CA)
+    //
+    new Manifest(this, "intermediate-ca-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: { name: "root-ca-signer" },
+        spec: {
+          ca: { secretName: rootSecretName },
+        },
+      },
+    });
+
+    new Manifest(this, "intermediate-ca", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "Certificate",
+        metadata: { name: "intermediate-ca", namespace },
+        spec: {
+          isCA: true,
+          commonName: `${commonName} Intermediate CA`,
+          secretName: intermediateSecretName,
+          privateKey: {
+            algorithm: "ECDSA",
+            size: 384,
+          },
+          issuerRef: {
+            name: "root-ca-signer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    });
+
+    //
+    // 3. Final public cluster issuer (used by your apps)
+    //
    new Manifest(this, "cluster-issuer", {
      provider,
      manifest: {
        apiVersion,
        kind: "ClusterIssuer",
-        metadata: {
-          name: "cluster-issuer",
-        },
+        metadata: { name: "cluster-issuer" },
        spec: {
-          ca: {
-            secretName,
-          },
+          ca: { secretName: intermediateSecretName },
        },
      },
    });
--- a/utils/cert-manager/internal.ts
+++ b/utils/cert-manager/internal.ts
@@ -32,9 +32,10 @@ export class PrivateCertificate extends Certificate {
        kind: "ClusterIssuer",
      },
      privateKey: {
-        algorithm: "Ed25519",
+        algorithm: "ECDSA",
        size: 384,
      },
+      usages: ["digital signature", "key encipherment", "server auth"],
    });
  }
 }