shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: shahab:bff4762e30b21301a709716afc4a9b9c3d22f4fc
Branches Tags
shahab:main
...
compare: shahab:497331e585e4e6da5816bb83e0e2e2db72a38571
Branches Tags
shahab:main

3 Commits
bff4762e30 ... 497331e585

Author SHA1 Message Date
Shahab Dogar
497331e585 feat: Minecraft | add StarTechnology server 2025-11-24 09:28:15 +05:00
Shahab Dogar
91720e6860 feat: Gitea | activate internal tls 2025-11-24 09:28:00 +05:00
Shahab Dogar
c53fe7b2d1 feat: Network | enable internal TLS 2025-11-24 09:27:48 +05:00
20 changed files with 771 additions and 219 deletions
Expand all files Collapse all files

111
core-services/cert-manager/index.ts
View File

@@ -3,32 +3,25 @@ import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
type CertManagerOptions = { type CertManagerOptions = {
providers: { provider: HelmProvider;
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
version: string; version: string;
name: string; name: string;
namespace: string; namespace: string;
certManagerApiVersion: string;
}; };
export class CertManager extends Construct { export class CertManager extends Construct {
constructor(scope: Construct, id: string, options: CertManagerOptions) { constructor(scope: Construct, id: string, options: CertManagerOptions) {
super(scope, id); super(scope, id);
const { helm, kubernetes } = options.providers; const { namespace, name, version, provider } = options;
const { certManagerApiVersion } = options;
new Release(this, id, { new Release(this, id, {
provider: helm, provider,
name: options.name, name,
namespace: options.namespace, namespace,
version: options.version, version,
repository: "https://charts.jetstack.io", repository: "https://charts.jetstack.io",
chart: "cert-manager", chart: "cert-manager",
createNamespace: true, createNamespace: true,
@@ -38,97 +31,5 @@ export class CertManager extends Construct {
}), }),
], ],
}); });
// Self-signed ClusterIssuer for initial CA
new Manifest(this, "ca-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "ca-issuer",
},
spec: {
selfSigned: {},
},
},
});
// Self-signed CA Certificate
new Manifest(this, "selfsigned-ca", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "Certificate",
metadata: {
name: "selfsigned-ca",
namespace: options.namespace,
},
spec: {
isCA: true,
commonName: "Shahab Dogar",
secretName: "root-secret",
privateKey: {
algorithm: "ECDSA",
size: 256,
},
issuerRef: {
name: "ca-issuer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
// CA-based ClusterIssuer
new Manifest(this, "cluster-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cluster-issuer",
},
spec: {
ca: {
secretName: "root-secret",
},
},
},
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server: "https://acme-v02.api.letsencrypt.org/directory",
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
} }
} }

6
core-services/index.ts
View File

@@ -56,14 +56,10 @@ export class CoreServices extends TerraformStack {
}); });
new CertManager(this, "cert-manager", { new CertManager(this, "cert-manager", {
certManagerApiVersion: "cert-manager.io/v1", provider: helm,
name: "cert-manager", name: "cert-manager",
namespace, namespace,
version: "1.18.2", version: "1.18.2",
providers: {
kubernetes,
helm,
},
}); });
} }
} }

8
core-services/traefik/values.yaml
View File

@@ -26,6 +26,7 @@ additionalArguments:
- "--entryPoints.ssh.address=:22/tcp" - "--entryPoints.ssh.address=:22/tcp"
- "--entryPoints.minecraft-gtnh.address=:25566/tcp" - "--entryPoints.minecraft-gtnh.address=:25566/tcp"
- "--entryPoints.minecraft-tfg.address=:25567/tcp" - "--entryPoints.minecraft-tfg.address=:25567/tcp"
- "--entryPoints.minecraft-star-technology.address=:25568/tcp"
ports: ports:
ssh: ssh:
name: ssh name: ssh
@@ -48,3 +49,10 @@ ports:
expose: expose:
default: true default: true
protocol: TCP protocol: TCP
minecraft-star-technology:
name: minecraft-star-technology
port: 25568
exposedPort: 25568
expose:
default: true
protocol: TCP

2
gaming-services/minecraft/index.ts
View File

@@ -5,6 +5,7 @@ import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { OnePasswordSecret } from "../../utils"; import { OnePasswordSecret } from "../../utils";
import { TerraFirmaGreg } from "./tfg"; import { TerraFirmaGreg } from "./tfg";
import { GTNH } from "./gtnh"; import { GTNH } from "./gtnh";
import { StarTechnology } from "./star-technology";
export class GamingServices extends TerraformStack { export class GamingServices extends TerraformStack {
constructor(scope: Construct, id: string) { constructor(scope: Construct, id: string) {
@@ -31,5 +32,6 @@ export class GamingServices extends TerraformStack {
new TerraFirmaGreg(this, "tfg", provider, namespace); new TerraFirmaGreg(this, "tfg", provider, namespace);
new GTNH(this, "gtnh", provider, namespace); new GTNH(this, "gtnh", provider, namespace);
new StarTechnology(this, "star-technology", provider, namespace);
} }
} }

74
gaming-services/minecraft/star-technology.ts Normal file
View File

@@ -0,0 +1,74 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class StarTechnology extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "star-technology", {
provider,
namespace,
image: "itzg/minecraft-server:java21",
name: "star-technology",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "MODPACK_PLATFORM",
value: "AUTO_CURSEFORGE",
},
{
name: "CF_API_KEY",
valueFrom: {
secretKeyRef: {
name: "curseforge",
key: "credential",
},
},
},
{
name: "CF_PAGE_URL",
value:
"https://www.curseforge.com/minecraft/modpacks/star-technology",
},
{
name: "VERSION",
value: "1.20.1",
},
{
name: "INIT_MEMORY",
value: "2G",
},
{
name: "MAX_MEMORY",
value: "12G",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
{
name: "USE_MEOWICE_FLAGS",
value: "TRUE",
},
],
});
}
}

13
main.ts
View File

@@ -7,6 +7,7 @@ import { K8SOperators } from "./k8s-operators";
import { CoreServices } from "./core-services"; import { CoreServices } from "./core-services";
import { NetworkSecurity } from "./network-security"; import { NetworkSecurity } from "./network-security";
import { GamingServices } from "./gaming-services/minecraft"; import { GamingServices } from "./gaming-services/minecraft";
import { PKI } from "./pki";
dotenv.config(); dotenv.config();
@@ -26,18 +27,21 @@ const coreServices = new CoreServices(app, "core-services");
const k8sOperators = new K8SOperators(app, "k8s-operators"); const k8sOperators = new K8SOperators(app, "k8s-operators");
k8sOperators.node.addDependency(coreServices); k8sOperators.node.addDependency(coreServices);
const pki = new PKI(app, "pki");
pki.node.addDependency(k8sOperators);
const networkSecurity = new NetworkSecurity(app, "network-security"); const networkSecurity = new NetworkSecurity(app, "network-security");
networkSecurity.node.addDependency(k8sOperators); networkSecurity.node.addDependency(pki);
const utilityServices = new UtilityServices(app, "utility-services"); const utilityServices = new UtilityServices(app, "utility-services");
utilityServices.node.addDependency(networkSecurity); utilityServices.node.addDependency(networkSecurity);
const caches = new CacheInfrastructure(app, "cache-infrastructure");
caches.node.addDependency(utilityServices);
const gamingServices = new GamingServices(app, "gaming-services"); const gamingServices = new GamingServices(app, "gaming-services");
gamingServices.node.addDependency(networkSecurity); gamingServices.node.addDependency(networkSecurity);
const caches = new CacheInfrastructure(app, "cache-infrastructure");
caches.node.addDependency(utilityServices);
const deploy: (stack: TerraformStack, key: string) => S3Backend = ( const deploy: (stack: TerraformStack, key: string) => S3Backend = (
stack, stack,
key, key,
@@ -61,6 +65,7 @@ const deploy: (stack: TerraformStack, key: string) => S3Backend = (
deploy(coreServices, "core-services"); deploy(coreServices, "core-services");
deploy(k8sOperators, "k8s-operators"); deploy(k8sOperators, "k8s-operators");
deploy(pki, "pki");
deploy(networkSecurity, "network-security"); deploy(networkSecurity, "network-security");
deploy(utilityServices, "utility-services"); deploy(utilityServices, "utility-services");
deploy(caches, "cache-infrastructure"); deploy(caches, "cache-infrastructure");

70
pki/index.ts Normal file
View File

@@ -0,0 +1,70 @@
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { PrivateIssuer, PublicIssuer } from "./issuers";
export class PKI extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"homelab-namespace",
{
provider: kubernetes,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new PrivateIssuer(this, "private-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
secretName: "root-secret",
commonName: "Homelab Root CA",
privateKey: {
algorithm: "Ed25519",
size: 256,
},
});
new PublicIssuer(this, "public-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
server: "https://acme-v02.api.letsencrypt.org/directory",
});
}
}

2
pki/issuers/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { PrivateIssuer } from "./private";
export { PublicIssuer } from "./public";

86
pki/issuers/private.ts Normal file
View File

@@ -0,0 +1,86 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
type PrivateIssuerOptions = {
provider: KubernetesProvider;
namespace: string;
apiVersion: string;
commonName: string;
secretName: string;
privateKey: {
algorithm: "RSA" | "ECDSA" | "Ed25519";
size: number;
};
};
export class PrivateIssuer extends Construct {
constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
super(scope, id);
const {
provider,
namespace,
commonName,
privateKey,
secretName,
apiVersion,
} = options;
// Self-signed ClusterIssuer for initial CA
new Manifest(this, "ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: {
name: "ca-issuer",
},
spec: {
selfSigned: {},
},
},
});
// Self-signed CA Certificate
new Manifest(this, "selfsigned-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: {
name: "selfsigned-ca",
namespace,
},
spec: {
isCA: true,
commonName,
secretName,
privateKey,
issuerRef: {
name: "ca-issuer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
// CA-based ClusterIssuer
new Manifest(this, "cluster-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cluster-issuer",
},
spec: {
ca: {
secretName,
},
},
},
});
}
}

59
pki/issuers/public.ts Normal file
View File

@@ -0,0 +1,59 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils";
type PublicIssuerOptions = {
provider: KubernetesProvider;
apiVersion: string;
namespace: string;
server: string;
};
export class PublicIssuer extends Construct {
constructor(scope: Construct, id: string, options: PublicIssuerOptions) {
super(scope, id);
const { apiVersion, provider, namespace, server } = options;
new OnePasswordSecret(this, "cloudflare-token", {
provider,
namespace,
name: "public-issuer-cloudflare-token",
itemPath: "vaults/Lab/items/cloudflare",
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server,
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "public-issuer-cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
}
}

4
utility-services/gitea/runner.ts → utility-services/gitea/runner/index.ts
View File

@@ -1,10 +1,10 @@
import { Construct } from "constructs"; import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { OnePasswordSecret, LonghornPvc } from "../../utils";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1"; import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1"; import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
import { OnePasswordSecret, LonghornPvc } from "../../../utils";
type GiteaRunnerOptions = { type GiteaRunnerOptions = {
provider: KubernetesProvider; provider: KubernetesProvider;
name: string; name: string;

44
utility-services/gitea/server.ts → utility-services/gitea/server/index.ts
View File

@@ -7,8 +7,9 @@ import {
OnePasswordSecret, OnePasswordSecret,
PublicIngressRoute, PublicIngressRoute,
IngressRouteTcp, IngressRouteTcp,
} from "../../utils"; PrivateCertificate,
import type { Providers } from "../../types"; } from "../../../utils";
import type { Providers } from "../../../types";
type GiteaServerOptions = { type GiteaServerOptions = {
providers: Providers; providers: Providers;
@@ -22,45 +23,61 @@ export class GiteaServer extends Construct {
super(scope, id); super(scope, id);
const { kubernetes, helm } = options.providers; const { kubernetes, helm } = options.providers;
const { name, namespace, r2Endpoint } = options;
new OnePasswordSecret(this, "admin", { new OnePasswordSecret(this, "admin", {
provider: kubernetes, provider: kubernetes,
name: "gitea-admin", name: "gitea-admin",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/gitea-admin", itemPath: "vaults/Lab/items/gitea-admin",
}); });
new OnePasswordSecret(this, "oauth", { new OnePasswordSecret(this, "oauth", {
provider: kubernetes, provider: kubernetes,
name: "gitea-oauth", name: "gitea-oauth",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/gitea-oauth", itemPath: "vaults/Lab/items/gitea-oauth",
}); });
new OnePasswordSecret(this, "smtp", { new OnePasswordSecret(this, "smtp", {
provider: kubernetes, provider: kubernetes,
name: "gitea-smtp-token", name: "gitea-smtp-token",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/smtp-token", itemPath: "vaults/Lab/items/smtp-token",
}); });
new OnePasswordSecret(this, "r2", { new OnePasswordSecret(this, "r2", {
provider: kubernetes, provider: kubernetes,
name: "gitea-cloudflare-token", name: "gitea-cloudflare-token",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/cloudflare", itemPath: "vaults/Lab/items/cloudflare",
}); });
new PrivateCertificate(this, "internal-cert", {
provider: kubernetes,
namespace,
name: "gitea-tls-internal",
secretName: "gitea-tls-internal",
dnsNames: [
"git.dogar.dev",
"gitea",
"gitea.homelab.svc",
"gitea.homelab.svc.cluster.local",
],
usages: ["digital signature", "key encipherment", "server auth"],
});
new Release(this, id, { new Release(this, id, {
...options, ...options,
provider: helm, provider: helm,
repository: "https://dl.gitea.com/charts", repository: "https://dl.gitea.com/charts",
chart: "gitea", chart: "gitea",
namespace,
createNamespace: true, createNamespace: true,
set: [ set: [
{ {
name: "gitea.config.storage.MINIO_ENDPOINT", name: "gitea.config.storage.MINIO_ENDPOINT",
value: options.r2Endpoint, value: r2Endpoint,
}, },
], ],
values: [ values: [
@@ -72,21 +89,22 @@ export class GiteaServer extends Construct {
new IngressRouteTcp(this, "ssh-ingress", { new IngressRouteTcp(this, "ssh-ingress", {
provider: kubernetes, provider: kubernetes,
namespace: options.namespace, namespace,
name: options.name, name,
match: "HostSNI(`*`)", match: "HostSNI(`*`)",
entryPoint: "ssh", entryPoint: "ssh",
serviceName: `${options.name}-ssh`, serviceName: `${name}-ssh`,
servicePort: 22, servicePort: 22,
}); });
new PublicIngressRoute(this, "http-ingress", { new PublicIngressRoute(this, "http-ingress", {
provider: kubernetes, provider: kubernetes,
namespace: options.namespace, namespace,
name: options.name, name,
host: "git.dogar.dev", host: "git.dogar.dev",
serviceName: `${options.name}-http`, serviceName: `${name}-http`,
servicePort: 3000, servicePort: 3000,
serviceProtocol: "https",
}); });
} }
} }

33
utility-services/gitea/values.yaml → utility-services/gitea/server/values.yaml
View File

@@ -24,11 +24,18 @@ gitea:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
scheme: "https"
tlsConfig:
insecureSkipVerify: false
caFile: /internal-ca/ca.crt
config: config:
server: server:
ENABLE_PPROF: true ENABLE_PPROF: true
ENABLE_GZIP: true ENABLE_GZIP: true
LFS_START_SERVER: true LFS_START_SERVER: true
PROTOCOL: https
CERT_FILE: /certs/tls.crt
KEY_FILE: /certs/tls.key
ROOT_URL: https://git.dogar.dev/ ROOT_URL: https://git.dogar.dev/
SSH_DOMAIN: git.dogar.dev SSH_DOMAIN: git.dogar.dev
DISABLE_SSH: false DISABLE_SSH: false
@@ -93,6 +100,27 @@ gitea:
secretKeyRef: secretKeyRef:
name: gitea-cloudflare-token name: gitea-cloudflare-token
key: secret_access_key key: secret_access_key
livenessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
startupProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
persistence: persistence:
labels: labels:
recurring-job.longhorn.io/source: "enabled" recurring-job.longhorn.io/source: "enabled"
@@ -149,6 +177,9 @@ extraVolumes:
items: items:
- key: ca.crt - key: ca.crt
path: root.crt path: root.crt
- name: gitea-tls-internal
secret:
secretName: gitea-tls-internal
- name: gitea-temp - name: gitea-temp
emptyDir: {} emptyDir: {}
extraInitVolumeMounts: extraInitVolumeMounts:
@@ -159,6 +190,8 @@ extraContainerVolumeMounts:
- name: ssl-bundle - name: ssl-bundle
mountPath: /opt/gitea/.postgresql mountPath: /opt/gitea/.postgresql
readOnly: true readOnly: true
- name: gitea-tls-internal
mountPath: /certs
readOnly: true readOnly: true
- name: gitea-temp - name: gitea-temp
mountPath: /tmp/gitea-uploads mountPath: /tmp/gitea-uploads

281
utils/cert-manager/base.ts Normal file
View File

@@ -0,0 +1,281 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
/**
* Options passed to the Certificate construct for generating
* cert-manager.io/v1 Certificate resources.
*
* This type supports both public certificates (Cloudflare/ACME)
* and private internal certificates (internal CA), making it usable
* across all cluster security contexts (Ingress TLS, internal mTLS, etc.).
*/
export type CertificateOptions = {
/**
* Kubernetes provider instance used by the underlying Manifest resource.
*
* This should typically be the cluster's primary Kubernetes provider.
*
* Required.
*/
provider: KubernetesProvider;
/**
* Kubernetes namespace where the Certificate resource and the
* corresponding Secret will be created.
*
* Required.
*/
namespace: string;
/**
* Name of the Certificate resource (metadata.name).
*
* This should be unique within the namespace.
*
* Required.
*/
name: string;
/**
* Name of the Kubernetes Secret that cert-manager will populate with
* `tls.crt`, `tls.key`, and optionally `ca.crt`.
*
* This secret is automatically created and updated by cert-manager.
*
* Required.
*/
secretName: string;
/**
* List of DNS Subject Alternative Names that the certificate must cover.
*
* cert-manager requires at least one entry.
*
* For internal certificates: service FQDNs (svc.cluster.local).
* For public certificates: external domain names.
*
* Required.
*/
dnsNames: string[];
/**
* Reference to the cert-manager Issuer or ClusterIssuer used to sign the certificate.
*
* - For public certs: Cloudflare ACME ClusterIssuer
* - For private certs: Internal CA ClusterIssuer
*
* This field is usually injected automatically by subclasses
* (e.g., PublicCertificate / PrivateCertificate).
*
* Required internally — not intended to be set by user code directly.
*/
issuerRef?: {
/**
* Name of the Issuer or ClusterIssuer.
*/
name: string;
/**
* Type of issuer ("Issuer" or "ClusterIssuer").
*
* Defaults to "ClusterIssuer" when omitted.
*/
kind?: string;
};
/**
* The certificate's validity duration (e.g. "2160h" for 90 days).
*
* If omitted, cert-manager applies its own default (90 days for ACME).
*
* Optional.
*/
duration?: string;
/**
* How long before expiry cert-manager should attempt early renewal.
*
* Example: "360h" (15 days before expiration).
*
* Optional.
*/
renewBefore?: string;
/**
* Optional Common Name for the certificate's subject.
*
* SAN-only certificates are recommended, but CN is still required for
* compatibility with some older libraries (Java, ClickHouse, OpenSSL tooling).
*
* Optional.
*/
commonName?: string;
/**
* Key Usage extension — determines what the certificate may be used for.
*
* Common values:
*
* - "digital signature"
* - "key encipherment"
* - "server auth"
* - "client auth"
*
* Example for mTLS server certificates:
* usages: ["digital signature", "key encipherment", "server auth"]
*
* Example for mTLS client certificates:
* usages: ["digital signature", "client auth"]
*
* Optional — cert-manager applies sensible defaults when omitted.
*/
usages?: string[];
/**
* Options controlling the generated private key.
*
* Useful for:
* - Choosing RSA vs ECDSA vs Ed25519
* - Increasing RSA key strength (2048 → 4096)
* - Optimizing performance for internal services (ECDSA P-256)
*
* Optional.
*/
privateKey?: {
/**
* Private key algorithm.
*
* - "RSA" (default)
* - "ECDSA" (great for internal TLS)
* - "Ed25519" (fast and modern, but not universally supported)
*
* Optional.
*/
algorithm?: "RSA" | "ECDSA" | "Ed25519";
/**
* Key size in bits.
*
* Only applies to algorithms that support length:
* - RSA: 2048, 3072, 4096
* - ECDSA: 256, 384
*
* Optional.
*/
size?: number;
};
/**
* IP address SAN entries (rarely needed, but sometimes required
* for services bound directly to cluster node IPs or StatefulSet pod IPs).
*
* Using IP SANs is generally discouraged unless explicitly required.
*
* Optional.
*/
ipAddresses?: string[];
/**
* Subject information for the certificate (Organization, OrgUnit, etc.)
*
* Example:
*
* subject: {
* organizations: ["Internal Systems"],
* organizationalUnits: ["Platform"]
* }
*
* Optional.
*/
subject?: {
organizations?: string[];
organizationalUnits?: string[];
countries?: string[];
provinces?: string[];
localities?: string[];
streetAddresses?: string[];
postalCodes?: string[];
};
};
export class Certificate extends Construct {
/** The underlying Kubernetes manifest */
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: CertificateOptions) {
super(scope, id);
// --- Validation ---------------------------------------------------------
if (!opts.issuerRef) {
throw new Error(
`Certificate '${opts.name}' must specify issuerRef (usually provided by a subclass).`,
);
}
if (!opts.dnsNames || opts.dnsNames.length === 0) {
throw new Error(
`Certificate '${opts.name}' must include at least one DNS name in dnsNames[].`,
);
}
// --- Base manifest ------------------------------------------------------
const manifest: any = {
apiVersion: "cert-manager.io/v1",
kind: "Certificate",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
secretName: opts.secretName,
dnsNames: opts.dnsNames,
issuerRef: {
name: opts.issuerRef.name,
kind: opts.issuerRef.kind ?? "ClusterIssuer",
},
},
};
// --- Optional: duration & renewBefore ---------------------------------
if (opts.duration) {
manifest.spec.duration = opts.duration;
}
if (opts.renewBefore) {
manifest.spec.renewBefore = opts.renewBefore;
}
// --- Optional: commonName ----------------------------------------------
if (opts.commonName) {
manifest.spec.commonName = opts.commonName;
}
// --- Optional: key usages ----------------------------------------------
if (opts.usages?.length) {
manifest.spec.usages = opts.usages;
}
// --- Optional: private key settings ------------------------------------
if (opts.privateKey) {
manifest.spec.privateKey = {
...opts.privateKey,
};
}
// --- Optional: IP SAN entries ------------------------------------------
if (opts.ipAddresses?.length) {
manifest.spec.ipAddresses = opts.ipAddresses;
}
// --- Optional: subject fields ------------------------------------------
if (opts.subject) {
manifest.spec.subject = opts.subject;
}
// --- Create manifest resource ------------------------------------------
this.manifest = new Manifest(this, id, {
provider: opts.provider,
manifest,
});
}
}

32
utils/cert-manager/cloudflare.ts Normal file
View File

@@ -0,0 +1,32 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Public certificate issued via the Cloudflare ACME ClusterIssuer.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cloudflare-issuer"
* kind: "ClusterIssuer"
*
* It is intended for generating publicly trusted HTTPS certificates
* (e.g., *.dogar.dev) using Cloudflare DNS-01 validation.
*
* Users of this class should *not* specify issuerRef manually.
*/
export class CloudflareCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cloudflare-issuer",
kind: "ClusterIssuer",
},
});
}
}

87
utils/cert-manager/index.ts
View File

@@ -1,85 +1,2 @@
import { Construct } from "constructs"; export { CloudflareCertificate } from "./cloudflare";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest"; export { PrivateCertificate } from "./internal";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type CertificateOptions = {
provider: KubernetesProvider;
/** Namespace to create the Certificate in */
namespace: string;
/** Required name of the certificate (and CRD name) */
name: string;
/** Secret name for storing the issued TLS cert */
secretName: string;
/** One or more DNS names the certificate should cover */
dnsNames: string[];
/** Reference to the cert-manager issuer */
issuerRef: {
name: string;
kind?: string; // ClusterIssuer or Issuer
};
/** Optional duration (default: cert-manager default) */
duration?: string;
/** Optional renewBefore (default: cert-manager default) */
renewBefore?: string;
};
class Certificate extends Construct {
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: CertificateOptions) {
super(scope, id);
const manifest: any = {
apiVersion: "cert-manager.io/v1",
kind: "Certificate",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
secretName: opts.secretName,
dnsNames: opts.dnsNames,
issuerRef: {
name: opts.issuerRef.name,
kind: opts.issuerRef.kind ?? "ClusterIssuer",
},
},
};
if (opts.duration) {
manifest.spec.duration = opts.duration;
}
if (opts.renewBefore) {
manifest.spec.renewBefore = opts.renewBefore;
}
this.manifest = new Manifest(this, id, {
provider: opts.provider,
manifest,
});
}
}
export class CloudflareCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cloudflare-issuer",
kind: "ClusterIssuer",
},
});
}
}

36
utils/cert-manager/internal.ts Normal file
View File

@@ -0,0 +1,36 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Private TLS certificate issued by the internal cluster CA.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cluster-issuer"
* kind: "ClusterIssuer"
*
* Use this for:
* - Internal service-to-service TLS (HTTP, gRPC, Webhooks)
* - mTLS server certificates
* - mTLS client certificates
* - Internal wildcard certificates
* - Databases, queues, operators, controllers, etc.
*
* Users of this class should NOT specify issuerRef manually.
*/
export class PrivateCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cluster-issuer", // internal CA
kind: "ClusterIssuer",
},
});
}
}

2
utils/index.ts
View File

@@ -1,4 +1,4 @@
export { CloudflareCertificate } from "./cert-manager"; export { CloudflareCertificate, PrivateCertificate } from "./cert-manager";
export { OnePasswordSecret } from "./1password-secret"; export { OnePasswordSecret } from "./1password-secret";
export { export {
PublicIngressRoute, PublicIngressRoute,

39
utils/traefik/ingress/ingress.ts
View File

@@ -18,6 +18,7 @@ export type IngressRouteOptions = {
/** Backend K8s Service */ /** Backend K8s Service */
serviceName: string; serviceName: string;
servicePort: number; servicePort: number;
serviceProtocol?: "http" | "https";
/** EntryPoints (default: ["websecure"]) */ /** EntryPoints (default: ["websecure"]) */
entryPoints?: string[]; entryPoints?: string[];
@@ -39,6 +40,31 @@ export class IngressRoute extends Construct {
const path = opts.path ?? "/"; const path = opts.path ?? "/";
const entryPoints = opts.entryPoints ?? ["websecure"]; const entryPoints = opts.entryPoints ?? ["websecure"];
const { provider, namespace } = opts;
if (opts.serviceProtocol === "https") {
new Manifest(this, `${name}-https-transport`, {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "ServersTransport",
metadata: {
name: `${name}-https-transport`,
namespace,
},
spec: {
serverName: `${opts.name}.${opts.namespace}.svc.cluster.local`,
rootCAs: [
{
secret: "root-secret",
},
],
insecureSkipVerify: false,
},
},
});
}
const route: any = { const route: any = {
match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`, match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`,
kind: "Rule", kind: "Rule",
@@ -46,6 +72,11 @@ export class IngressRoute extends Construct {
{ {
name: opts.serviceName, name: opts.serviceName,
port: opts.servicePort, port: opts.servicePort,
scheme: opts.serviceProtocol ?? "http",
serversTransport:
opts.serviceProtocol === "https"
? `${name}-https-transport`
: undefined,
}, },
], ],
}; };
@@ -68,8 +99,8 @@ export class IngressRoute extends Construct {
}; };
new CloudflareCertificate(this, `${name}-cert`, { new CloudflareCertificate(this, `${name}-cert`, {
provider: opts.provider, provider,
namespace: opts.namespace, namespace,
name: opts.host, name: opts.host,
secretName: opts.tlsSecretName, secretName: opts.tlsSecretName,
dnsNames: [opts.host], dnsNames: [opts.host],
@@ -77,13 +108,13 @@ export class IngressRoute extends Construct {
} }
this.manifest = new Manifest(this, name, { this.manifest = new Manifest(this, name, {
provider: opts.provider, provider,
manifest: { manifest: {
apiVersion: "traefik.io/v1alpha1", apiVersion: "traefik.io/v1alpha1",
kind: "IngressRoute", kind: "IngressRoute",
metadata: { metadata: {
name, name,
namespace: opts.namespace, namespace,
}, },
spec, spec,
}, },

1
utils/traefik/ingress/publicIngress.ts
View File

@@ -54,6 +54,7 @@ export class PublicIngressRoute extends Construct {
path: opts.path ?? "/", path: opts.path ?? "/",
serviceName: opts.serviceName, serviceName: opts.serviceName,
servicePort: opts.servicePort, servicePort: opts.servicePort,
serviceProtocol: opts.serviceProtocol,
entryPoints: ["websecure"], entryPoints: ["websecure"],
tlsSecretName: `${opts.name}-tls`, tlsSecretName: `${opts.name}-tls`,
middlewares: [`${namespace}/rate-limit`], middlewares: [`${namespace}/rate-limit`],