feat: Network | enable internal TLS

pki/index.ts

@@ -0,0 +1,70 @@
+import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
+import { Construct } from "constructs";
+import { PrivateIssuer, PublicIssuer } from "./issuers";
+
+export class PKI extends TerraformStack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const kubernetes = new KubernetesProvider(this, "kubernetes", {
+      configPath: "~/.kube/config",
+    });
+
+    const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
+
+    const coreServicesState = new DataTerraformRemoteStateS3(
+      this,
+      "core-services-state",
+      {
+        usePathStyle: true,
+        skipRegionValidation: true,
+        skipCredentialsValidation: true,
+        skipRequestingAccountId: true,
+        skipS3Checksum: true,
+        encrypt: true,
+        bucket: "terraform-state",
+        key: "core-services/terraform.tfstate",
+        endpoints: {
+          s3: `https://${r2Endpoint}`,
+        },
+        region: "auto",
+        accessKey: process.env.ACCESS_KEY,
+        secretKey: process.env.SECRET_KEY,
+      },
+    );
+
+    const namespaceName = coreServicesState.getString("namespace-output");
+    const namespaceResource = new DataKubernetesNamespaceV1(
+      this,
+      "homelab-namespace",
+      {
+        provider: kubernetes,
+        metadata: {
+          name: namespaceName,
+        },
+      },
+    );
+    const namespace = namespaceResource.metadata.name;
+
+    new PrivateIssuer(this, "private-issuer", {
+      provider: kubernetes,
+      namespace,
+      apiVersion: "cert-manager.io/v1",
+      secretName: "root-secret",
+      commonName: "Homelab Root CA",
+      privateKey: {
+        algorithm: "Ed25519",
+        size: 256,
+      },
+    });
+
+    new PublicIssuer(this, "public-issuer", {
+      provider: kubernetes,
+      namespace,
+      apiVersion: "cert-manager.io/v1",
+      server: "https://acme-v02.api.letsencrypt.org/directory",
+    });
+  }
+}

pki/issuers/index.ts

@@ -0,0 +1,2 @@
+export { PrivateIssuer } from "./private";
+export { PublicIssuer } from "./public";

pki/issuers/private.ts

@@ -0,0 +1,86 @@
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { Construct } from "constructs";
+
+type PrivateIssuerOptions = {
+  provider: KubernetesProvider;
+  namespace: string;
+  apiVersion: string;
+  commonName: string;
+  secretName: string;
+  privateKey: {
+    algorithm: "RSA" | "ECDSA" | "Ed25519";
+    size: number;
+  };
+};
+
+export class PrivateIssuer extends Construct {
+  constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
+    super(scope, id);
+
+    const {
+      provider,
+      namespace,
+      commonName,
+      privateKey,
+      secretName,
+      apiVersion,
+    } = options;
+
+    // Self-signed ClusterIssuer for initial CA
+    new Manifest(this, "ca-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "ca-issuer",
+        },
+        spec: {
+          selfSigned: {},
+        },
+      },
+    });
+
+    // Self-signed CA Certificate
+    new Manifest(this, "selfsigned-ca", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "Certificate",
+        metadata: {
+          name: "selfsigned-ca",
+          namespace,
+        },
+        spec: {
+          isCA: true,
+          commonName,
+          secretName,
+          privateKey,
+          issuerRef: {
+            name: "ca-issuer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    });
+
+    // CA-based ClusterIssuer
+    new Manifest(this, "cluster-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cluster-issuer",
+        },
+        spec: {
+          ca: {
+            secretName,
+          },
+        },
+      },
+    });
+  }
+}

pki/issuers/public.ts

@@ -0,0 +1,59 @@
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { Construct } from "constructs";
+import { OnePasswordSecret } from "../../utils";
+
+type PublicIssuerOptions = {
+  provider: KubernetesProvider;
+  apiVersion: string;
+  namespace: string;
+  server: string;
+};
+
+export class PublicIssuer extends Construct {
+  constructor(scope: Construct, id: string, options: PublicIssuerOptions) {
+    super(scope, id);
+
+    const { apiVersion, provider, namespace, server } = options;
+
+    new OnePasswordSecret(this, "cloudflare-token", {
+      provider,
+      namespace,
+      name: "public-issuer-cloudflare-token",
+      itemPath: "vaults/Lab/items/cloudflare",
+    });
+
+    // Cloudflare ACME ClusterIssuer
+    new Manifest(this, "cloudflare-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cloudflare-issuer",
+        },
+        spec: {
+          acme: {
+            email: "shahab@dogar.dev",
+            server,
+            privateKeySecretRef: {
+              name: "cloudflare-cluster-issuer-account-key",
+            },
+            solvers: [
+              {
+                dns01: {
+                  cloudflare: {
+                    apiTokenSecretRef: {
+                      name: "public-issuer-cloudflare-token",
+                      key: "token",
+                    },
+                  },
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+  }
+}