fix: UtilityServices | use secure ingress routes

2025-11-22 23:19:44 +05:00
parent 4def414c16
commit 65ed6ea664
4 changed files with 30 additions and 159 deletions
--- a/utility-services/authentik/index.ts
+++ b/utility-services/authentik/index.ts
@@ -2,7 +2,7 @@ import * as fs from "fs";
 import * as path from "path";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";
-import { IngressRoute, OnePasswordSecret } from "../../utils";
+import { PublicIngressRoute, OnePasswordSecret } from "../../utils";
 import { Providers } from "../../types";

 type AuthentikServerOptions = {
@@ -44,14 +44,13 @@ export class AuthentikServer extends Construct {
      ],
    });

-    new IngressRoute(this, "ingress", {
+    new PublicIngressRoute(this, "ingress", {
      provider: kubernetes,
      name: options.name,
      namespace: options.namespace,
      host: "auth.dogar.dev",
      serviceName: `authentik-server`,
      servicePort: 80,
-      tlsSecretName: "authentik-tls",
    });
  }
 }
--- a/utility-services/gitea/server.ts
+++ b/utility-services/gitea/server.ts
@@ -3,7 +3,11 @@ import * as path from "path";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";

-import { OnePasswordSecret, IngressRoute, IngressRouteTcp } from "../../utils";
+import {
+  OnePasswordSecret,
+  PublicIngressRoute,
+  IngressRouteTcp,
+} from "../../utils";
 import type { Providers } from "../../types";

 type GiteaServerOptions = {
@@ -69,20 +73,20 @@ export class GiteaServer extends Construct {
    new IngressRouteTcp(this, "ssh-ingress", {
      provider: kubernetes,
      namespace: options.namespace,
+      name: options.name,
+      match: "HostSNI(`*`)",
      entryPoint: "ssh",
      serviceName: `${options.name}-ssh`,
      servicePort: 22,
    });

-    new IngressRoute(this, "http-ingress", {
+    new PublicIngressRoute(this, "http-ingress", {
      provider: kubernetes,
      namespace: options.namespace,
      name: options.name,
-      entryPoints: ["websecure"],
      host: "git.dogar.dev",
      serviceName: `${options.name}-http`,
      servicePort: 3000,
-      tlsSecretName: `${options.name}-tls`,
    });
  }
 }
--- a/utility-services/index.ts
+++ b/utility-services/index.ts
@@ -4,7 +4,6 @@ import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
 import { Construct } from "constructs";

-import { ValkeyCluster } from "./valkey";
 import { GiteaRunner, GiteaServer } from "./gitea";
 import { AuthentikServer } from "./authentik";
 import { PostgresCluster } from "./postgres";
@@ -26,7 +25,10 @@ export class UtilityServices extends TerraformStack {

    const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;

-    const homelabState = new DataTerraformRemoteStateS3(this, "homelab-state", {
+    const coreServicesState = new DataTerraformRemoteStateS3(
+      this,
+      "core-services-state",
+      {
        usePathStyle: true,
        skipRegionValidation: true,
        skipCredentialsValidation: true,
@@ -41,9 +43,10 @@ export class UtilityServices extends TerraformStack {
        region: "auto",
        accessKey: process.env.ACCESS_KEY,
        secretKey: process.env.SECRET_KEY,
-    });
+      },
+    );

-    const namespaceName = homelabState.getString("namespace-output");
+    const namespaceName = coreServicesState.getString("namespace-output");
    const namespaceResource = new DataKubernetesNamespaceV1(
      this,
      "homelab-namespace",
@@ -70,12 +73,6 @@ export class UtilityServices extends TerraformStack {
      ],
    });

-    const valkeyCluster = new ValkeyCluster(this, "valkey-cluster", {
-      namespace,
-      provider: kubernetes,
-      name: "valkey",
-    });
-
    const postgres = new PostgresCluster(this, "postgres-cluster", {
      certManagerApiVersion: "cert-manager.io/v1",
      name: "postgres-cluster",
@@ -96,7 +93,6 @@ export class UtilityServices extends TerraformStack {
      namespace,
    });

-    authentik.node.addDependency(valkeyCluster);
    authentik.node.addDependency(postgres);

    const gitea = new GiteaServer(this, "gitea-server", {
--- a/utility-services/valkey/index.ts
+++ b/utility-services/valkey/index.ts
@@ -1,128 +0,0 @@
-import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
-import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
-import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import { Construct } from "constructs";
-import { OnePasswordSecret } from "../../utils";
-
-type ValkeyClusterOptions = {
-  provider: KubernetesProvider;
-  name: string;
-  namespace: string;
-};
-
-export class ValkeyCluster extends Construct {
-  constructor(scope: Construct, id: string, options: ValkeyClusterOptions) {
-    super(scope, id);
-
-    // Labels used by both Deployment and Service
-    const labels = { app: "valkey" };
-    const { provider, name, namespace } = options;
-
-    new OnePasswordSecret(this, "valkey-secret", {
-      provider,
-      name: "valkey",
-      namespace,
-      itemPath: "vaults/Lab/items/valkey",
-    });
-
-    new DeploymentV1(this, "valkey-deployment", {
-      provider,
-      metadata: {
-        name,
-        namespace,
-        labels,
-      },
-      spec: {
-        replicas: "1",
-        strategy: {
-          type: "RollingUpdate",
-          rollingUpdate: {
-            maxSurge: "1",
-            maxUnavailable: "0",
-          },
-        },
-        selector: { matchLabels: labels },
-        template: {
-          metadata: { labels },
-          spec: {
-            container: [
-              {
-                name: "valkey",
-                image: "docker.io/valkey/valkey:8.1.3",
-                port: [{ name: "client", containerPort: 6379 }],
-                env: [
-                  {
-                    name: "PASSWORD",
-                    valueFrom: {
-                      secretKeyRef: {
-                        name: "valkey",
-                        key: "password",
-                      },
-                    },
-                  },
-                ],
-                command: ["/bin/sh", "-c"],
-                args: ['exec valkey-server --requirepass "$PASSWORD"'],
-                readinessProbe: {
-                  tcpSocket: [
-                    {
-                      port: "6379",
-                    },
-                  ],
-                  initialDelaySeconds: 5,
-                  periodSeconds: 5,
-                  timeoutSeconds: 3,
-                  failureThreshold: 5,
-                },
-                livenessProbe: {
-                  tcpSocket: [
-                    {
-                      port: "6379",
-                    },
-                  ],
-                  initialDelaySeconds: 20,
-                  periodSeconds: 10,
-                  timeoutSeconds: 5,
-                  failureThreshold: 5,
-                },
-                resources: {
-                  requests: {
-                    cpu: "100m",
-                    memory: "128Mi",
-                  },
-                  limits: {
-                    memory: "512Mi",
-                  },
-                },
-              },
-            ],
-          },
-        },
-      },
-    });
-
-    new ServiceV1(this, "valkey-service", {
-      provider,
-      metadata: {
-        name,
-        namespace,
-        labels,
-        annotations: {
-          "external-dns.alpha.kubernetes.io/hostname": "valkey.dogar.dev",
-          "metallb.io/ip-allocated-from-pool": "pool",
-        },
-      },
-      spec: {
-        type: "LoadBalancer",
-        selector: labels,
-        port: [
-          {
-            name: "client",
-            port: 6379,
-            targetPort: "client",
-          },
-        ],
-      },
-    });
-  }
-}