From a753fc0e1ea326935c10171ad853afce4a8ab043 Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Mon, 24 Nov 2025 22:08:49 +0500
Subject: [PATCH] fix: Utils | update public and internal cert algorithms
---
 utils/cert-manager/cloudflare.ts | 6 +-
 utils/cert-manager/internal.ts | 6 +-
 utils/traefik/ingress/ingress.ts | 10 +---
 utils/traefik/ingress/internalIngress.ts | 29 +++++++---
 utils/traefik/ingress/publicIngress.ts | 70 +++++++++---------
 5 files changed, 60 insertions(+), 61 deletions(-)
diff --git a/utils/cert-manager/cloudflare.ts b/utils/cert-manager/cloudflare.ts
index 2fa21e3..5ca48a7 100644
--- a/utils/cert-manager/cloudflare.ts
+++ b/utils/cert-manager/cloudflare.ts
@@ -19,7 +19,7 @@ export class CloudflareCertificate extends Certificate {
 constructor(
 scope: Construct,
 id: string,
- opts: Omit,
+ opts: Omit,
 ) {
 super(scope, id, {
 ...opts,
@@ -27,6 +27,10 @@ export class CloudflareCertificate extends Certificate {
 name: "cloudflare-issuer",
 kind: "ClusterIssuer",
 },
+ privateKey: {
+ algorithm: "RSA",
+ size: 4096,
+ },
 });
 }
 }
diff --git a/utils/cert-manager/internal.ts b/utils/cert-manager/internal.ts
index 0767283..aa43714 100644
--- a/utils/cert-manager/internal.ts
+++ b/utils/cert-manager/internal.ts
@@ -23,7 +23,7 @@ export class PrivateCertificate extends Certificate {
 constructor(
 scope: Construct,
 id: string,
- opts: Omit,
+ opts: Omit,
 ) {
 super(scope, id, {
 ...opts,
@@ -31,6 +31,10 @@ export class PrivateCertificate extends Certificate {
 name: "cluster-issuer", // internal CA
 kind: "ClusterIssuer",
 },
+ privateKey: {
+ algorithm: "Ed25519",
+ size: 384,
+ },
 });
 }
 }
diff --git a/utils/traefik/ingress/ingress.ts b/utils/traefik/ingress/ingress.ts
index d8d55fd..4e700ef 100644
--- a/utils/traefik/ingress/ingress.ts
+++ b/utils/traefik/ingress/ingress.ts
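Review bot: The added `privateKey` block in the second cloudflare.ts hunk (and the equivalent block in internal.ts) pins the algorithm and size but leaves `rotationPolicy` unset, so whether a renewal generates a fresh key depends on the cert-manager default, which in older releases is `Never`. Since this commit is explicitly about key policy, I would make it explicit with `rotationPolicy: "Always",` alongside `size: 4096`, so renewals never re-certify a long-lived key. If the `Certificate` base construct already sets a policy, a short comment on the block saying so would answer the question for the next reader. The enclosing constructor begins in the previous hunk.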
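Review bot: `size: 384` paired with `algorithm: "Ed25519"` in the second internal.ts hunk has no effect: in the cert-manager Certificate API the size field is only honoured for RSA and ECDSA and is ignored for Ed25519, so the value is misleading to anyone auditing the key policy. Either drop the size line, or if a 384-bit curve was the intent use `algorithm: "ECDSA", size: 384`. It is also worth confirming the clients of the internal ingress, since mainstream browser support for Ed25519 leaf certificates is still limited whereas ECDSA P-384 is universally negotiated; whichever is kept, a one-line comment such as `// Ed25519: cert-manager ignores size` would keep the two issuers' key policies self-explanatory.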
@@ -2,7 +2,7 @@ import { Construct } from "constructs";
 import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
-import { CloudflareCertificate, PrivateCertificate } from "../../cert-manager";
+import { PrivateCertificate } from "../../cert-manager";
 export type IngressRouteOptions = {
 provider: KubernetesProvider;
@@ -110,14 +110,6 @@ export class IngressRoute extends Construct {
 spec.tls = {
 secretName: opts.tlsSecretName,
 };
-
- new CloudflareCertificate(this, `${name}-cert`, {
- provider,
- namespace,
- name: opts.host,
- secretName: opts.tlsSecretName,
- dnsNames: [opts.host],
- });
 }
 this.manifest = new Manifest(this, name, {
diff --git a/utils/traefik/ingress/internalIngress.ts b/utils/traefik/ingress/internalIngress.ts
index 020f493..b5bdc9c 100644
--- a/utils/traefik/ingress/internalIngress.ts
+++ b/utils/traefik/ingress/internalIngress.ts
@@ -2,6 +2,7 @@ import { Construct } from "constructs";
 import { IngressRoute, IngressRouteOptions } from "./ingress";
 import { DataTerraformRemoteStateS3 } from "cdktf";
 import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
+import { PrivateCertificate } from "../../cert-manager";
 type InternalIngressRouteOptions = Omit<
 IngressRouteOptions,
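Review bot: With the `CloudflareCertificate` creation removed from this branch of ingress.ts, `spec.tls.secretName` now names a Secret that `IngressRoute` no longer guarantees exists, and nothing in `IngressRouteOptions` says so. Any caller other than the two wrappers updated in this commit would silently get a route whose TLS Secret is never created; I would document the new contract on the option, e.g. `/** Name of a TLS Secret in the route's namespace; the caller must create the Certificate that populates it. */` above `tlsSecretName`, and add a one-line comment at the `spec.tls` assignment saying certificate issuance is the caller's responsibility. The `PrivateCertificate` import kept by the first hunk may also be unused now if this was the only certificate created in the file; I cannot see the rest of ingress.ts to confirm. The enclosing constructor starts and ends outside this hunk.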
@@ -47,17 +48,31 @@ export class InternalIngressRoute extends Construct {
 );
 const namespace = namespaceResource.metadata.name;
+ const { provider, name, host, serviceName, servicePort, serviceProtocol } =
+ opts;
+
+ const tlsSecretName = `${name}-tls`;
+
+ new PrivateCertificate(this, `${name}-cert`, {
+ provider,
+ namespace,
+ name: host,
+ secretName: tlsSecretName,
+ dnsNames: [host],
+ });
+
 new IngressRoute(this, opts.name, {
- provider: opts.provider,
- namespace: opts.namespace,
- host: opts.host,
+ provider,
+ namespace,
+ host,
+ serviceName,
+ servicePort,
+ serviceProtocol,
+ tlsSecretName,
+ name,
 path: opts.path ?? "/",
- serviceName: opts.serviceName,
- servicePort: opts.servicePort,
 entryPoints: ["websecure"],
- tlsSecretName: `${opts.name}-tls`,
 middlewares: [`${namespace}/ip-allow-list`],
- name: opts.name,
 });
 }
 }
diff --git a/utils/traefik/ingress/publicIngress.ts b/utils/traefik/ingress/publicIngress.ts
index ad28769..244e2dd 100644
--- a/utils/traefik/ingress/publicIngress.ts
+++ b/utils/traefik/ingress/publicIngress.ts
@@ -1,7 +1,6 @@
 import { Construct } from "constructs";
 import { IngressRoute, IngressRouteOptions } from "./ingress";
-import { DataTerraformRemoteStateS3 } from "cdktf";
-import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
+import { CloudflareCertificate } from "../../cert-manager";
 type PublicIngressRouteOptions = Omit<
 IngressRouteOptions,
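Review bot: The `namespace` now passed to both `PrivateCertificate` and `IngressRoute` is `namespaceResource.metadata.name`, the core-services namespace read from remote state, whereas the removed line passed `opts.namespace`; the destructuring on the first added line deliberately omits `namespace`, so the Certificate, its TLS Secret and the route all move into the core-services namespace and the caller's `opts.namespace` is no longer read at all. Unless the target Service also lives there (or `serviceName` resolves cross-namespace), Traefik will look the backend up relative to the route's namespace and not find it, and nothing in the commit message explains the move. If the caller's namespace is still meant to own the route, rename the remote-state value (e.g. `const coreNamespace = namespaceResource.metadata.name;`), pass `namespace: opts.namespace` to the certificate and the route, and use `coreNamespace` only in the `ip-allow-list` middleware reference as before; if the move is intentional, a comment saying why the caller's namespace is ignored would stop the next reader treating it as a bug. publicIngress.ts in this same commit uses the caller's namespace for everything, so the two wrappers now disagree.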
@@ -12,53 +11,38 @@ export class PublicIngressRoute extends Construct {
 constructor(scope: Construct, id: string, opts: PublicIngressRouteOptions) {
 super(scope, id);
- const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
+ const {
+ provider,
+ name,
+ namespace,
+ host,
+ serviceName,
+ servicePort,
+ serviceProtocol,
+ } = opts;
- const coreServicesState = new DataTerraformRemoteStateS3(
- this,
- "core-services-state",
- {
- usePathStyle: true,
- skipRegionValidation: true,
- skipCredentialsValidation: true,
- skipRequestingAccountId: true,
- skipS3Checksum: true,
- encrypt: true,
- bucket: "terraform-state",
- key: "core-services/terraform.tfstate",
- endpoints: {
- s3: `https://${r2Endpoint}`,
- },
- region: "auto",
- accessKey: process.env.ACCESS_KEY,
- secretKey: process.env.SECRET_KEY,
- },
- );
- const namespaceName = coreServicesState.getString("namespace-output");
- const namespaceResource = new DataKubernetesNamespaceV1(
- this,
- "core-services-namespace",
- {
- provider: opts.provider,
- metadata: {
- name: namespaceName,
- },
- },
- );
- const namespace = namespaceResource.metadata.name;
+ const tlsSecretName = `${name}-tls`;
+
+ new CloudflareCertificate(this, `${name}-cert`, {
+ provider,
+ namespace,
+ name: host,
+ secretName: tlsSecretName,
+ dnsNames: [host],
+ });
 new IngressRoute(this, opts.name, {
- provider: opts.provider,
- namespace: opts.namespace,
- host: opts.host,
+ provider,
+ namespace,
+ host,
+ tlsSecretName,
+ serviceName,
+ servicePort,
+ serviceProtocol,
+ name,
 path: opts.path ?? "/",
- serviceName: opts.serviceName,
- servicePort: opts.servicePort,
- serviceProtocol: opts.serviceProtocol,
 entryPoints: ["websecure"],
- tlsSecretName: `${opts.name}-tls`,
 middlewares: [`${namespace}/rate-limit`],
- name: opts.name,
 });
 }
 }
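Review bot: The `middlewares: [`${namespace}/rate-limit`]` reference changes meaning in this hunk: `namespace` is now the caller-supplied `opts.namespace`, not the core-services namespace that the removed remote-state lookup resolved, so every consuming namespace is now expected to contain its own `rate-limit` Middleware. If that Middleware only exists in core-services, Traefik should fail to resolve the reference and refuse the router; and if someone later creates a same-named Middleware in an app namespace, a different (possibly laxer) limit silently takes effect for the public route. If one shared Middleware is intended, keep the core-services namespace for that single reference (a module constant or an option such as `middlewareNamespace`) while the Certificate and IngressRoute stay in `opts.namespace`; otherwise a comment above `new IngressRoute` stating that each namespace must provide its own `rate-limit` Middleware makes the contract explicit. internalIngress.ts in the same commit keeps the remote-state namespace for everything, so the two wrappers should at least agree on which namespace owns the shared middlewares.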