shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff2174205a73c3ec5191e438cbc8991efee16169
homelab/pki/issuers/private.ts
Shahab Dogar 3c947c05ad feat: CertManager | update to latest version 
Also improve pki
2025-11-29 13:18:34 +05:00

117 lines
2.7 KiB
TypeScript
Raw Blame History

import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
type PrivateIssuerOptions = {
provider: KubernetesProvider;
namespace: string;
apiVersion: string;
commonName: string;
rootSecretName: string;
intermediateSecretName: string;
};
export class PrivateIssuer extends Construct {
constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
super(scope, id);
const {
provider,
namespace,
apiVersion,
commonName,
rootSecretName,
intermediateSecretName,
} = options;
//
// 1. Root CA (self-signed)
//
new Manifest(this, "root-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-selfsigned" },
spec: { selfSigned: {} },
},
});
new Manifest(this, "root-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "root-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Root CA`,
secretName: rootSecretName,
privateKey: {
algorithm: "RSA",
size: 4096,
},
issuerRef: {
name: "root-ca-selfsigned",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 2. Intermediate CA (signed by root CA)
//
new Manifest(this, "intermediate-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-signer" },
spec: {
ca: { secretName: rootSecretName },
},
},
});
new Manifest(this, "intermediate-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "intermediate-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Intermediate CA`,
secretName: intermediateSecretName,
privateKey: {
algorithm: "ECDSA",
size: 384,
},
issuerRef: {
name: "root-ca-signer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 3. Final public cluster issuer (used by your apps)
//
new Manifest(this, "cluster-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "cluster-issuer" },
spec: {
ca: { secretName: intermediateSecretName },
},
},
});
}
}
Reference in New Issue View Git Blame Copy Permalink