feat: Network | enable internal TLS

pki/issuers/index.ts

@@ -0,0 +1,2 @@
+export { PrivateIssuer } from "./private";
+export { PublicIssuer } from "./public";

pki/issuers/private.ts

@@ -0,0 +1,86 @@
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { Construct } from "constructs";
+
+type PrivateIssuerOptions = {
+  provider: KubernetesProvider;
+  namespace: string;
+  apiVersion: string;
+  commonName: string;
+  secretName: string;
+  privateKey: {
+    algorithm: "RSA" | "ECDSA" | "Ed25519";
+    size: number;
+  };
+};
+
+export class PrivateIssuer extends Construct {
+  constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
+    super(scope, id);
+
+    const {
+      provider,
+      namespace,
+      commonName,
+      privateKey,
+      secretName,
+      apiVersion,
+    } = options;
+
+    // Self-signed ClusterIssuer for initial CA
+    new Manifest(this, "ca-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "ca-issuer",
+        },
+        spec: {
+          selfSigned: {},
+        },
+      },
+    });
+
+    // Self-signed CA Certificate
+    new Manifest(this, "selfsigned-ca", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "Certificate",
+        metadata: {
+          name: "selfsigned-ca",
+          namespace,
+        },
+        spec: {
+          isCA: true,
+          commonName,
+          secretName,
+          privateKey,
+          issuerRef: {
+            name: "ca-issuer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    });
+
+    // CA-based ClusterIssuer
+    new Manifest(this, "cluster-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cluster-issuer",
+        },
+        spec: {
+          ca: {
+            secretName,
+          },
+        },
+      },
+    });
+  }
+}

pki/issuers/public.ts

@@ -0,0 +1,59 @@
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { Construct } from "constructs";
+import { OnePasswordSecret } from "../../utils";
+
+type PublicIssuerOptions = {
+  provider: KubernetesProvider;
+  apiVersion: string;
+  namespace: string;
+  server: string;
+};
+
+export class PublicIssuer extends Construct {
+  constructor(scope: Construct, id: string, options: PublicIssuerOptions) {
+    super(scope, id);
+
+    const { apiVersion, provider, namespace, server } = options;
+
+    new OnePasswordSecret(this, "cloudflare-token", {
+      provider,
+      namespace,
+      name: "public-issuer-cloudflare-token",
+      itemPath: "vaults/Lab/items/cloudflare",
+    });
+
+    // Cloudflare ACME ClusterIssuer
+    new Manifest(this, "cloudflare-issuer", {
+      provider,
+      manifest: {
+        apiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cloudflare-issuer",
+        },
+        spec: {
+          acme: {
+            email: "shahab@dogar.dev",
+            server,
+            privateKeySecretRef: {
+              name: "cloudflare-cluster-issuer-account-key",
+            },
+            solvers: [
+              {
+                dns01: {
+                  cloudflare: {
+                    apiTokenSecretRef: {
+                      name: "public-issuer-cloudflare-token",
+                      key: "token",
+                    },
+                  },
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+  }
+}