feat: Network | enable internal TLS

utils/cert-manager/base.ts

@@ -0,0 +1,281 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+/**
+ * Options passed to the Certificate construct for generating
+ * cert-manager.io/v1 Certificate resources.
+ *
+ * This type supports both public certificates (Cloudflare/ACME)
+ * and private internal certificates (internal CA), making it usable
+ * across all cluster security contexts (Ingress TLS, internal mTLS, etc.).
+ */
+export type CertificateOptions = {
+  /**
+   * Kubernetes provider instance used by the underlying Manifest resource.
+   *
+   * This should typically be the cluster's primary Kubernetes provider.
+   *
+   * Required.
+   */
+  provider: KubernetesProvider;
+
+  /**
+   * Kubernetes namespace where the Certificate resource and the
+   * corresponding Secret will be created.
+   *
+   * Required.
+   */
+  namespace: string;
+
+  /**
+   * Name of the Certificate resource (metadata.name).
+   *
+   * This should be unique within the namespace.
+   *
+   * Required.
+   */
+  name: string;
+
+  /**
+   * Name of the Kubernetes Secret that cert-manager will populate with
+   * `tls.crt`, `tls.key`, and optionally `ca.crt`.
+   *
+   * This secret is automatically created and updated by cert-manager.
+   *
+   * Required.
+   */
+  secretName: string;
+
+  /**
+   * List of DNS Subject Alternative Names that the certificate must cover.
+   *
+   * cert-manager requires at least one entry.
+   *
+   * For internal certificates: service FQDNs (svc.cluster.local).
+   * For public certificates: external domain names.
+   *
+   * Required.
+   */
+  dnsNames: string[];
+
+  /**
+   * Reference to the cert-manager Issuer or ClusterIssuer used to sign the certificate.
+   *
+   * - For public certs: Cloudflare ACME ClusterIssuer
+   * - For private certs: Internal CA ClusterIssuer
+   *
+   * This field is usually injected automatically by subclasses
+   * (e.g., PublicCertificate / PrivateCertificate).
+   *
+   * Required internally — not intended to be set by user code directly.
+   */
+  issuerRef?: {
+    /**
+     * Name of the Issuer or ClusterIssuer.
+     */
+    name: string;
+
+    /**
+     * Type of issuer ("Issuer" or "ClusterIssuer").
+     *
+     * Defaults to "ClusterIssuer" when omitted.
+     */
+    kind?: string;
+  };
+
+  /**
+   * The certificate's validity duration (e.g. "2160h" for 90 days).
+   *
+   * If omitted, cert-manager applies its own default (90 days for ACME).
+   *
+   * Optional.
+   */
+  duration?: string;
+
+  /**
+   * How long before expiry cert-manager should attempt early renewal.
+   *
+   * Example: "360h" (15 days before expiration).
+   *
+   * Optional.
+   */
+  renewBefore?: string;
+
+  /**
+   * Optional Common Name for the certificate's subject.
+   *
+   * SAN-only certificates are recommended, but CN is still required for
+   * compatibility with some older libraries (Java, ClickHouse, OpenSSL tooling).
+   *
+   * Optional.
+   */
+  commonName?: string;
+
+  /**
+   * Key Usage extension — determines what the certificate may be used for.
+   *
+   * Common values:
+   *
+   * - "digital signature"
+   * - "key encipherment"
+   * - "server auth"
+   * - "client auth"
+   *
+   * Example for mTLS server certificates:
+   * usages: ["digital signature", "key encipherment", "server auth"]
+   *
+   * Example for mTLS client certificates:
+   * usages: ["digital signature", "client auth"]
+   *
+   * Optional — cert-manager applies sensible defaults when omitted.
+   */
+  usages?: string[];
+
+  /**
+   * Options controlling the generated private key.
+   *
+   * Useful for:
+   * - Choosing RSA vs ECDSA vs Ed25519
+   * - Increasing RSA key strength (2048 → 4096)
+   * - Optimizing performance for internal services (ECDSA P-256)
+   *
+   * Optional.
+   */
+  privateKey?: {
+    /**
+     * Private key algorithm.
+     *
+     * - "RSA"     (default)
+     * - "ECDSA"   (great for internal TLS)
+     * - "Ed25519" (fast and modern, but not universally supported)
+     *
+     * Optional.
+     */
+    algorithm?: "RSA" | "ECDSA" | "Ed25519";
+
+    /**
+     * Key size in bits.
+     *
+     * Only applies to algorithms that support length:
+     * - RSA: 2048, 3072, 4096
+     * - ECDSA: 256, 384
+     *
+     * Optional.
+     */
+    size?: number;
+  };
+
+  /**
+   * IP address SAN entries (rarely needed, but sometimes required
+   * for services bound directly to cluster node IPs or StatefulSet pod IPs).
+   *
+   * Using IP SANs is generally discouraged unless explicitly required.
+   *
+   * Optional.
+   */
+  ipAddresses?: string[];
+
+  /**
+   * Subject information for the certificate (Organization, OrgUnit, etc.)
+   *
+   * Example:
+   *
+   * subject: {
+   *   organizations: ["Internal Systems"],
+   *   organizationalUnits: ["Platform"]
+   * }
+   *
+   * Optional.
+   */
+  subject?: {
+    organizations?: string[];
+    organizationalUnits?: string[];
+    countries?: string[];
+    provinces?: string[];
+    localities?: string[];
+    streetAddresses?: string[];
+    postalCodes?: string[];
+  };
+};
+
+export class Certificate extends Construct {
+  /** The underlying Kubernetes manifest */
+  public readonly manifest: Manifest;
+
+  constructor(scope: Construct, id: string, opts: CertificateOptions) {
+    super(scope, id);
+
+    // --- Validation ---------------------------------------------------------
+    if (!opts.issuerRef) {
+      throw new Error(
+        `Certificate '${opts.name}' must specify issuerRef (usually provided by a subclass).`,
+      );
+    }
+    if (!opts.dnsNames || opts.dnsNames.length === 0) {
+      throw new Error(
+        `Certificate '${opts.name}' must include at least one DNS name in dnsNames[].`,
+      );
+    }
+
+    // --- Base manifest ------------------------------------------------------
+    const manifest: any = {
+      apiVersion: "cert-manager.io/v1",
+      kind: "Certificate",
+      metadata: {
+        name: opts.name,
+        namespace: opts.namespace,
+      },
+      spec: {
+        secretName: opts.secretName,
+        dnsNames: opts.dnsNames,
+        issuerRef: {
+          name: opts.issuerRef.name,
+          kind: opts.issuerRef.kind ?? "ClusterIssuer",
+        },
+      },
+    };
+
+    // --- Optional: duration & renewBefore ---------------------------------
+    if (opts.duration) {
+      manifest.spec.duration = opts.duration;
+    }
+
+    if (opts.renewBefore) {
+      manifest.spec.renewBefore = opts.renewBefore;
+    }
+
+    // --- Optional: commonName ----------------------------------------------
+    if (opts.commonName) {
+      manifest.spec.commonName = opts.commonName;
+    }
+
+    // --- Optional: key usages ----------------------------------------------
+    if (opts.usages?.length) {
+      manifest.spec.usages = opts.usages;
+    }
+
+    // --- Optional: private key settings ------------------------------------
+    if (opts.privateKey) {
+      manifest.spec.privateKey = {
+        ...opts.privateKey,
+      };
+    }
+
+    // --- Optional: IP SAN entries ------------------------------------------
+    if (opts.ipAddresses?.length) {
+      manifest.spec.ipAddresses = opts.ipAddresses;
+    }
+
+    // --- Optional: subject fields ------------------------------------------
+    if (opts.subject) {
+      manifest.spec.subject = opts.subject;
+    }
+
+    // --- Create manifest resource ------------------------------------------
+    this.manifest = new Manifest(this, id, {
+      provider: opts.provider,
+      manifest,
+    });
+  }
+}

utils/cert-manager/cloudflare.ts

@@ -0,0 +1,32 @@
+import { Construct } from "constructs";
+import { Certificate, CertificateOptions } from "./base";
+
+/**
+ * Public certificate issued via the Cloudflare ACME ClusterIssuer.
+ *
+ * This subclass automatically injects:
+ *
+ *   issuerRef:
+ *     name: "cloudflare-issuer"
+ *     kind: "ClusterIssuer"
+ *
+ * It is intended for generating publicly trusted HTTPS certificates
+ * (e.g., *.dogar.dev) using Cloudflare DNS-01 validation.
+ *
+ * Users of this class should *not* specify issuerRef manually.
+ */
+export class CloudflareCertificate extends Certificate {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: Omit<CertificateOptions, "issuerRef">,
+  ) {
+    super(scope, id, {
+      ...opts,
+      issuerRef: {
+        name: "cloudflare-issuer",
+        kind: "ClusterIssuer",
+      },
+    });
+  }
+}

utils/cert-manager/index.ts

@@ -1,85 +1,2 @@
-import { Construct } from "constructs";
-import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
-import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
-
-type CertificateOptions = {
-  provider: KubernetesProvider;
-
-  /** Namespace to create the Certificate in */
-  namespace: string;
-
-  /** Required name of the certificate (and CRD name) */
-  name: string;
-
-  /** Secret name for storing the issued TLS cert */
-  secretName: string;
-
-  /** One or more DNS names the certificate should cover */
-  dnsNames: string[];
-
-  /** Reference to the cert-manager issuer */
-  issuerRef: {
-    name: string;
-    kind?: string; // ClusterIssuer or Issuer
-  };
-
-  /** Optional duration (default: cert-manager default) */
-  duration?: string;
-
-  /** Optional renewBefore (default: cert-manager default) */
-  renewBefore?: string;
-};
-
-class Certificate extends Construct {
-  public readonly manifest: Manifest;
-
-  constructor(scope: Construct, id: string, opts: CertificateOptions) {
-    super(scope, id);
-
-    const manifest: any = {
-      apiVersion: "cert-manager.io/v1",
-      kind: "Certificate",
-      metadata: {
-        name: opts.name,
-        namespace: opts.namespace,
-      },
-      spec: {
-        secretName: opts.secretName,
-        dnsNames: opts.dnsNames,
-        issuerRef: {
-          name: opts.issuerRef.name,
-          kind: opts.issuerRef.kind ?? "ClusterIssuer",
-        },
-      },
-    };
-
-    if (opts.duration) {
-      manifest.spec.duration = opts.duration;
-    }
-
-    if (opts.renewBefore) {
-      manifest.spec.renewBefore = opts.renewBefore;
-    }
-
-    this.manifest = new Manifest(this, id, {
-      provider: opts.provider,
-      manifest,
-    });
-  }
-}
-
-export class CloudflareCertificate extends Certificate {
-  constructor(
-    scope: Construct,
-    id: string,
-    opts: Omit<CertificateOptions, "issuerRef">,
-  ) {
-    super(scope, id, {
-      ...opts,
-      issuerRef: {
-        name: "cloudflare-issuer",
-        kind: "ClusterIssuer",
-      },
-    });
-  }
-}
+export { CloudflareCertificate } from "./cloudflare";
+export { PrivateCertificate } from "./internal";

utils/cert-manager/internal.ts

@@ -0,0 +1,36 @@
+import { Construct } from "constructs";
+import { Certificate, CertificateOptions } from "./base";
+
+/**
+ * Private TLS certificate issued by the internal cluster CA.
+ *
+ * This subclass automatically injects:
+ *
+ *   issuerRef:
+ *     name: "cluster-issuer"
+ *     kind: "ClusterIssuer"
+ *
+ * Use this for:
+ * - Internal service-to-service TLS (HTTP, gRPC, Webhooks)
+ * - mTLS server certificates
+ * - mTLS client certificates
+ * - Internal wildcard certificates
+ * - Databases, queues, operators, controllers, etc.
+ *
+ * Users of this class should NOT specify issuerRef manually.
+ */
+export class PrivateCertificate extends Certificate {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: Omit<CertificateOptions, "issuerRef">,
+  ) {
+    super(scope, id, {
+      ...opts,
+      issuerRef: {
+        name: "cluster-issuer", // internal CA
+        kind: "ClusterIssuer",
+      },
+    });
+  }
+}

utils/index.ts

@@ -1,4 +1,4 @@
-export { CloudflareCertificate } from "./cert-manager";
+export { CloudflareCertificate, PrivateCertificate } from "./cert-manager";
 export { OnePasswordSecret } from "./1password-secret";
 export {
   PublicIngressRoute,

utils/traefik/ingress/ingress.ts

@@ -18,6 +18,7 @@ export type IngressRouteOptions = {
   /** Backend K8s Service */
   serviceName: string;
   servicePort: number;
+  serviceProtocol?: "http" | "https";
 
   /** EntryPoints (default: ["websecure"]) */
   entryPoints?: string[];
@@ -39,6 +40,31 @@ export class IngressRoute extends Construct {
     const path = opts.path ?? "/";
     const entryPoints = opts.entryPoints ?? ["websecure"];
 
+    const { provider, namespace } = opts;
+
+    if (opts.serviceProtocol === "https") {
+      new Manifest(this, `${name}-https-transport`, {
+        provider,
+        manifest: {
+          apiVersion: "traefik.io/v1alpha1",
+          kind: "ServersTransport",
+          metadata: {
+            name: `${name}-https-transport`,
+            namespace,
+          },
+          spec: {
+            serverName: `${opts.name}.${opts.namespace}.svc.cluster.local`,
+            rootCAs: [
+              {
+                secret: "root-secret",
+              },
+            ],
+            insecureSkipVerify: false,
+          },
+        },
+      });
+    }
+
     const route: any = {
       match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`,
       kind: "Rule",
@@ -46,6 +72,11 @@ export class IngressRoute extends Construct {
         {
           name: opts.serviceName,
           port: opts.servicePort,
+          scheme: opts.serviceProtocol ?? "http",
+          serversTransport:
+            opts.serviceProtocol === "https"
+              ? `${name}-https-transport`
+              : undefined,
         },
       ],
     };
@@ -68,8 +99,8 @@ export class IngressRoute extends Construct {
       };
 
       new CloudflareCertificate(this, `${name}-cert`, {
-        provider: opts.provider,
-        namespace: opts.namespace,
+        provider,
+        namespace,
         name: opts.host,
         secretName: opts.tlsSecretName,
         dnsNames: [opts.host],
@@ -77,13 +108,13 @@ export class IngressRoute extends Construct {
     }
 
     this.manifest = new Manifest(this, name, {
-      provider: opts.provider,
+      provider,
       manifest: {
         apiVersion: "traefik.io/v1alpha1",
         kind: "IngressRoute",
         metadata: {
           name,
-          namespace: opts.namespace,
+          namespace,
         },
         spec,
       },

utils/traefik/ingress/publicIngress.ts

@@ -54,6 +54,7 @@ export class PublicIngressRoute extends Construct {
       path: opts.path ?? "/",
       serviceName: opts.serviceName,
       servicePort: opts.servicePort,
+      serviceProtocol: opts.serviceProtocol,
       entryPoints: ["websecure"],
       tlsSecretName: `${opts.name}-tls`,
       middlewares: [`${namespace}/rate-limit`],