From b3a37ab9bbb8f9be0fec475e2d5762e2e1337465 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy
Date: Tue, 28 Jan 2025 01:26:33 -0500
Subject: [PATCH] Add cert-manager
---
 contexts/default/blueprint.yaml | 14 ++++++++++++-
 .../default/terraform/cluster/talos.tfvars | 4 ++--
 .../nodeport-web/patches/helm-release.yaml | 1 -
 kustomize/kustomization.yaml | 1 -
 .../pki/base/cert-manager/helm-release.yaml | 21 +++++++++++++++++++
 .../base/cert-manager/helm-repository.yaml | 10 +++++++++
 .../pki/base/cert-manager/kustomization.yaml | 5 +++++
 kustomize/pki/base/kustomization.yaml | 2 ++
 kustomize/pki/base/namespace.yaml | 8 +++++++
 kustomize/pki/resources/issuer.yaml | 5 +++++
 kustomize/pki/resources/kustomization.yaml | 2 ++
 .../selfsigned/kustomization.yaml | 4 ++++
 .../selfsigned/patches/public-issuer.yaml | 6 ++++++
 13 files changed, 78 insertions(+), 5 deletions(-)
 delete mode 100644 kustomize/kustomization.yaml
 create mode 100644 kustomize/pki/base/cert-manager/helm-release.yaml
 create mode 100644 kustomize/pki/base/cert-manager/helm-repository.yaml
 create mode 100644 kustomize/pki/base/cert-manager/kustomization.yaml
 create mode 100644 kustomize/pki/base/kustomization.yaml
 create mode 100644 kustomize/pki/base/namespace.yaml
 create mode 100644 kustomize/pki/resources/issuer.yaml
 create mode 100644 kustomize/pki/resources/kustomization.yaml
 create mode 100644 kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
 create mode 100644 kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml
diff --git a/contexts/default/blueprint.yaml b/contexts/default/blueprint.yaml
index 211710eb..7ceb94c3 100644
--- a/contexts/default/blueprint.yaml
+++ b/contexts/default/blueprint.yaml
@@ -1,7 +1,7 @@
 kind: Blueprint
 apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
- name: local
+ name: default
 description: This blueprint outlines resources in the local context
 repository:
 url: http://git.test/git/core
@@ -17,8 +17,20 @@ terraform:
 - path: cluster/talos
 - path: gitops/flux
 kustomize:
+- name: pki-base
+ path: pki/base
+ components:
+ - cert-manager
+- name: pki-resources
+ path: pki/resources
+ dependsOn:
+ - pki-base
+ components:
+ - public-issuer/selfsigned
 - name: ingress-base
 path: ingress/base
+ dependsOn:
+ - pki-resources
 components:
 - nginx
 - nginx/nodeport-web
diff --git a/contexts/default/terraform/cluster/talos.tfvars b/contexts/default/terraform/cluster/talos.tfvars
index 267bb846..7269cc9d 100644
--- a/contexts/default/terraform/cluster/talos.tfvars
+++ b/contexts/default/terraform/cluster/talos.tfvars
@@ -25,7 +25,7 @@ machine:
 forwardKubeDNSToHost: true
 kubelet:
 extraArgs:
- rotate-server-certificates: true
+ rotate-server-certificates: "true"
 network:
 interfaces:
 - ignore: true
@@ -54,7 +54,7 @@ EOF
 // Machine config details for control planes
 controlplanes = [{
- endpoint = "127.0.0.1:50001"
+ endpoint = "127.0.0.1:50000"
 hostname = "controlplane-1.test"
 node = "127.0.0.1"
 }]
diff --git a/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml b/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml
index b5217eab..04d898dd 100644
--- a/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml
+++ b/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml
@@ -13,4 +13,3 @@ spec:
 nodePorts:
 http: 30080
 https: 30443
-
diff --git a/kustomize/kustomization.yaml b/kustomize/kustomization.yaml
deleted file mode 100644
index e584213c..00000000
--- a/kustomize/kustomization.yaml
+++ /dev/null
@@ -1 +0,0 @@
-resources: []
diff --git a/kustomize/pki/base/cert-manager/helm-release.yaml b/kustomize/pki/base/cert-manager/helm-release.yaml
new file mode 100644
index 00000000..d66c55c7
--- /dev/null
+++ b/kustomize/pki/base/cert-manager/helm-release.yaml
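Review bot: The new `pki-resources` entry applies a ClusterIssuer whose CRD and admission webhook are installed by the cert-manager HelmRelease in `pki-base`, so `dependsOn: [pki-base]` only prevents a race if the tooling waits for that HelmRelease to be Ready rather than merely applied; if the blueprint becomes Flux Kustomizations, the `pki-base` one needs `wait: true` or a `healthChecks` entry for the HelmRelease, otherwise the ClusterIssuer apply can fail until a later reconcile. I cannot see from this diff how the blueprint is translated, so please confirm. A short comment on the entry would make the intent explicit: `# pki-base must be Ready (cert-manager CRDs + webhook) before pki-resources applies a ClusterIssuer`. The same holds for the new `ingress-base` -> `pki-resources` edge, which orders the apply but does not by itself guarantee the issuer is Ready.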
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: system-pki
+spec:
+ interval: 5m
+ timeout: 5m
+ chart:
+ spec:
+ chart: cert-manager
+ # renovate: datasource=helm depName=cert-manager package=cert-manager helmRepo=https://charts.jetstack.io
+ version: 1.16.3
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: system-gitops
+ values:
+ crds:
+ enabled: true
diff --git a/kustomize/pki/base/cert-manager/helm-repository.yaml b/kustomize/pki/base/cert-manager/helm-repository.yaml
new file mode 100644
index 00000000..e137d630
--- /dev/null
+++ b/kustomize/pki/base/cert-manager/helm-repository.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: system-gitops
+spec:
+ interval: 10m
+ timeout: 3m
+ url: https://charts.jetstack.io
diff --git a/kustomize/pki/base/cert-manager/kustomization.yaml b/kustomize/pki/base/cert-manager/kustomization.yaml
new file mode 100644
index 00000000..e768af5d
--- /dev/null
+++ b/kustomize/pki/base/cert-manager/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - helm-repository.yaml
+ - helm-release.yaml
diff --git a/kustomize/pki/base/kustomization.yaml b/kustomize/pki/base/kustomization.yaml
new file mode 100644
index 00000000..736967b1
--- /dev/null
+++ b/kustomize/pki/base/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - namespace.yaml
diff --git a/kustomize/pki/base/namespace.yaml b/kustomize/pki/base/namespace.yaml
new file mode 100644
index 00000000..5a62fb0d
--- /dev/null
+++ b/kustomize/pki/base/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: system-pki
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/audit: baseline
+ pod-security.kubernetes.io/warn: baseline
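Review bot: The HelmRelease is created in `system-pki` but its `sourceRef` points at the `jetstack` HelmRepository in `system-gitops`, a cross-namespace reference that helm-controller refuses when it runs with `--no-cross-namespace-refs=true`, the usual multi-tenant lockdown. If that lockdown is in use or planned, either move the HelmRepository into `system-pki` (the `namespace: system-gitops` line in both files) or record the decision next to the sourceRef: `# cross-namespace sourceRef: requires helm-controller to permit cross-namespace refs`. Since this release also installs CRDs (`crds.enabled: true`), consider an `install`/`upgrade` `remediation` block with a retry count so a transient failure on first install is retried instead of leaving the release stalled.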
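Review bot: The `system-pki` namespace sets only the `baseline` Pod Security level on all three labels, yet it will hold the cluster's certificate-issuing workload and, for non-selfsigned issuers, its private keys, which is exactly where `restricted` pays off. cert-manager's chart is documented as running under `restricted` with its default security context, though I am going from upstream documentation rather than anything in this diff, so verify against the rendered pods. A safe first step is to leave `enforce: baseline` and change the other two to `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` so any violation surfaces in audit logs and kubectl warnings before enforcement is tightened.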
diff --git a/kustomize/pki/resources/issuer.yaml b/kustomize/pki/resources/issuer.yaml
new file mode 100644
index 00000000..95e8612d
--- /dev/null
+++ b/kustomize/pki/resources/issuer.yaml
@@ -0,0 +1,5 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: public
+spec: {}
diff --git a/kustomize/pki/resources/kustomization.yaml b/kustomize/pki/resources/kustomization.yaml
new file mode 100644
index 00000000..e78cf9a6
--- /dev/null
+++ b/kustomize/pki/resources/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - issuer.yaml
diff --git a/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
new file mode 100644
index 00000000..e1e62721
--- /dev/null
+++ b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - path: patches/public-issuer.yaml
diff --git a/kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml b/kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml
new file mode 100644
index 00000000..65d02d26
--- /dev/null
+++ b/kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: public
+spec:
+ selfSigned: {}
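Review bot: `kustomize/pki/resources/issuer.yaml` declares the `public` ClusterIssuer with `spec: {}`, which cert-manager's validating webhook rejects because an issuer must name exactly one issuer type, so the `pki/resources` base appears to be intentionally non-deployable until a `public-issuer/*` component such as `selfsigned` patches the spec in; nothing in the file says so. Add a comment above `spec: {}` along the lines of `# placeholder: a public-issuer/* component must patch in an issuer type; the base alone is rejected by the cert-manager webhook`. In the selfsigned patch it is also worth stating that certificates from a self-signed ClusterIssuer are not trusted by clients, so the `public` name should not be read as a production issuer until a real one (for example ACME) replaces this component.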