feat: CoreServices | move into separate stack

core-services/cert-manager/index.ts

@@ -0,0 +1,144 @@
+import * as fs from "fs";
+import * as path from "path";
+import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+
+type CertManagerOptions = {
+  providers: {
+    kubernetes: KubernetesProvider;
+    helm: HelmProvider;
+  };
+  version: string;
+  name: string;
+  namespace: string;
+  certManagerApiVersion: string;
+};
+
+export class CertManager extends Construct {
+  constructor(scope: Construct, id: string, options: CertManagerOptions) {
+    super(scope, id);
+
+    const { helm, kubernetes } = options.providers;
+    const { certManagerApiVersion } = options;
+
+    new Release(this, id, {
+      provider: helm,
+      name: options.name,
+      namespace: options.namespace,
+      version: options.version,
+      repository: "https://charts.jetstack.io",
+      chart: "cert-manager",
+      createNamespace: true,
+      values: [
+        fs.readFileSync(path.join(__dirname, "values.yaml"), {
+          encoding: "utf8",
+        }),
+      ],
+    });
+
+    // "apiVersion=v1,kind=Secret,namespace=default,name=sample"
+
+    // Self-signed ClusterIssuer for initial CA
+    new Manifest(this, "ca-issuer", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: certManagerApiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "ca-issuer",
+        },
+        spec: {
+          selfSigned: {},
+        },
+      },
+    }).importFrom(
+      `apiVersion=${certManagerApiVersion},kind=ClusterIssuer,name=ca-issuer`,
+    );
+
+    // Self-signed CA Certificate
+    new Manifest(this, "selfsigned-ca", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: certManagerApiVersion,
+        kind: "Certificate",
+        metadata: {
+          name: "selfsigned-ca",
+          namespace: options.namespace,
+        },
+        spec: {
+          isCA: true,
+          commonName: "Shahab Dogar",
+          secretName: "root-secret",
+          privateKey: {
+            algorithm: "ECDSA",
+            size: 256,
+          },
+          issuerRef: {
+            name: "ca-issuer",
+            kind: "ClusterIssuer",
+            group: "cert-manager.io",
+          },
+        },
+      },
+    }).importFrom(
+      `apiVersion=${certManagerApiVersion},kind=Certificate,name=selfsigned-ca,namespace=${options.namespace}`,
+    );
+
+    // CA-based ClusterIssuer
+    new Manifest(this, "cluster-issuer", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: certManagerApiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cluster-issuer",
+        },
+        spec: {
+          ca: {
+            secretName: "root-secret",
+          },
+        },
+      },
+    }).importFrom(
+      `apiVersion=${certManagerApiVersion},kind=ClusterIssuer,name=cluster-issuer`,
+    );
+
+    // Cloudflare ACME ClusterIssuer
+    new Manifest(this, "cloudflare-issuer", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: certManagerApiVersion,
+        kind: "ClusterIssuer",
+        metadata: {
+          name: "cloudflare-issuer",
+        },
+        spec: {
+          acme: {
+            email: "shahab@dogar.dev",
+            server: "https://acme-v02.api.letsencrypt.org/directory",
+            privateKeySecretRef: {
+              name: "cloudflare-cluster-issuer-account-key",
+            },
+            solvers: [
+              {
+                dns01: {
+                  cloudflare: {
+                    apiTokenSecretRef: {
+                      name: "cloudflare-token",
+                      key: "token",
+                    },
+                  },
+                },
+              },
+            ],
+          },
+        },
+      },
+    }).importFrom(
+      `apiVersion=${certManagerApiVersion},kind=ClusterIssuer,name=cloudflare-issuer`,
+    );
+  }
+}

core-services/cert-manager/values.yaml

@@ -0,0 +1,6 @@
+crds:
+  enabled: true
+prometheus:
+  enabled: true
+webhook:
+  timeoutSeconds: 4

core-services/index.ts

@@ -0,0 +1,69 @@
+import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { TerraformOutput, TerraformStack } from "cdktf";
+import { Construct } from "constructs";
+import { Longhorn } from "./longhorn";
+import { MetalLB } from "./metallb";
+import { Traefik } from "./traefik";
+import { CertManager } from "./cert-manager";
+
+export class CoreServices extends TerraformStack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const kubernetes = new KubernetesProvider(this, "kubernetes", {
+      configPath: "~/.kube/config",
+    });
+
+    const helm = new HelmProvider(this, "helm", {
+      kubernetes: {
+        configPath: "~/.kube/config",
+      },
+    });
+
+    const namespace = "homelab";
+
+    new NamespaceV1(this, "namespace", {
+      provider: kubernetes,
+      metadata: {
+        name: namespace,
+      },
+    }).importFrom("homelab");
+
+    new TerraformOutput(this, "namespace-output", {
+      value: namespace,
+    });
+
+    new Longhorn(this, "longhorn", {
+      name: "longhorn",
+      providers: {
+        kubernetes,
+        helm,
+      },
+    });
+
+    new MetalLB(this, "metallb", {
+      provider: helm,
+      name: "metallb",
+      namespace: "metallb-system",
+    });
+
+    new Traefik(this, "traefik", {
+      provider: helm,
+      namespace,
+      name: "traefik",
+    });
+
+    new CertManager(this, "cert-manager", {
+      certManagerApiVersion: "cert-manager.io/v1",
+      name: "cert-manager",
+      namespace,
+      version: "1.18.2",
+      providers: {
+        kubernetes,
+        helm,
+      },
+    });
+  }
+}

core-services/longhorn/index.ts

@@ -0,0 +1,68 @@
+import * as fs from "fs";
+import * as path from "path";
+import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { IngressRoute } from "../../utils";
+
+type LonghornOptions = {
+  providers: {
+    kubernetes: KubernetesProvider;
+    helm: HelmProvider;
+  };
+  name: string;
+};
+
+export class Longhorn extends Construct {
+  constructor(scope: Construct, id: string, options: LonghornOptions) {
+    super(scope, id);
+
+    const { helm, kubernetes } = options.providers;
+    const namespace = "longhorn-system";
+
+    new Release(this, id, {
+      name: options.name,
+      namespace,
+      provider: helm,
+      repository: "https://charts.longhorn.io",
+      chart: "longhorn",
+      createNamespace: true,
+      values: [
+        fs.readFileSync(path.join(__dirname, "values.yaml"), {
+          encoding: "utf8",
+        }),
+      ],
+    });
+
+    new Manifest(this, "recurring-backup-job", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: "longhorn.io/v1beta2",
+        kind: "RecurringJob",
+        metadata: {
+          name: "daily-backup",
+          namespace,
+        },
+        spec: {
+          cron: "0 0 * * *",
+          task: "backup",
+          retain: 7,
+          concurrency: 3,
+        },
+      },
+    });
+
+    new IngressRoute(this, "ingress", {
+      provider: kubernetes,
+      name: "longhorn",
+      namespace,
+      serviceName: "longhorn-frontend",
+      servicePort: 80,
+      host: "longhorn.dogar.dev",
+      tlsSecretName: "longhorn-tls",
+      entryPoints: ["websecure"],
+    });
+  }
+}

core-services/longhorn/values.yaml

@@ -0,0 +1,19 @@
+global:
+  nodeSelector:
+    nodepool: worker
+defaultSettings:
+  defaultReplicaCount: "3"
+  storageOverProvisioningPercentage: "100"
+  backupCompressionMethod: "gzip"
+  replicaSoftAntiAffinity: "true"
+  concurrentReplicaRebuildPerNodeLimit: "1"
+  replicaReplenishmentWaitInterval: "600"
+  disableSchdedulingOnCordonedNode: "true"
+defaultBackupStore:
+  backupTarget: "s3://longhorn-backups@auto/"
+  backupTargetCredentialSecret: cloudflare-token
+metrics:
+  serviceMonitor:
+    enabled: true
+ingress:
+  enabled: false

core-services/metallb/index.ts

@@ -0,0 +1,22 @@
+import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+
+type MetalLBOptions = {
+  provider: HelmProvider;
+  name: string;
+  namespace: string;
+};
+
+export class MetalLB extends Construct {
+  constructor(scope: Construct, id: string, options: MetalLBOptions) {
+    super(scope, id);
+
+    new Release(this, id, {
+      ...options,
+      repository: "https://metallb.github.io/metallb",
+      chart: "metallb",
+      createNamespace: true,
+    });
+  }
+}

core-services/traefik/index.ts

@@ -0,0 +1,29 @@
+import * as fs from "fs";
+import * as path from "path";
+import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+
+type TraefikOptions = {
+  provider: HelmProvider;
+  name: string;
+  namespace: string;
+};
+
+export class Traefik extends Construct {
+  constructor(scope: Construct, id: string, options: TraefikOptions) {
+    super(scope, id);
+
+    new Release(this, id, {
+      ...options,
+      repository: "https://traefik.github.io/charts",
+      chart: "traefik",
+      createNamespace: true,
+      values: [
+        fs.readFileSync(path.join(__dirname, "values.yaml"), {
+          encoding: "utf8",
+        }),
+      ],
+    });
+  }
+}

core-services/traefik/values.yaml

@@ -0,0 +1,28 @@
+ingress:
+  ingressClass:
+    enabled: true
+    isDefaultClass: false
+    name: traefik
+deployment:
+  replicas: 3
+  podLabels:
+    app: traefik
+nodeSelector:
+  nodepool: worker
+topologySpreadConstraints:
+  - maxSkew: 1
+    topologyKey: "kubernetes.io/hostname"
+    whenUnsatisfiable: "ScheduleAnyway"
+    labelSelector:
+      matchLabels:
+        app: traefik
+additionalArguments:
+  - "--entryPoints.ssh.address=:22/tcp"
+ports:
+  ssh:
+    name: ssh
+    port: 22
+    exposedPort: 22
+    expose:
+      default: true
+    protocol: TCP