Cert-manager with selfsigned cert

contexts/default/blueprint.yaml

@@ -1,7 +1,7 @@
 kind: Blueprint
 apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
-  name: local
+  name: default
   description: This blueprint outlines resources in the local context
 repository:
   url: http://git.test/git/core
@@ -17,8 +17,20 @@ terraform:
 - path: cluster/talos
 - path: gitops/flux
 kustomize:
+- name: pki-base
+  path: pki/base
+  components:
+  - cert-manager
+- name: pki-resources
+  path: pki/resources
+  dependsOn:
+  - pki-base
+  components:
+  - public-issuer/selfsigned
 - name: ingress-base
   path: ingress/base
+  dependsOn:
+  - pki-resources
   components:
   - nginx
   - nginx/nodeport-web

contexts/default/terraform/cluster/talos.tfvars

@@ -25,7 +25,7 @@ machine:
       forwardKubeDNSToHost: true
   kubelet:
     extraArgs:
-      rotate-server-certificates: true
+      rotate-server-certificates: "true"
   network:
     interfaces:
     - ignore: true
@@ -54,7 +54,7 @@ EOF
 
 // Machine config details for control planes
 controlplanes = [{
-  endpoint = "127.0.0.1:50001"
+  endpoint = "127.0.0.1:50000"
   hostname = "controlplane-1.test"
   node     = "127.0.0.1"
 }]

kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml

@@ -13,4 +13,3 @@ spec:
         nodePorts:
           http: 30080
           https: 30443
-

kustomize/pki/base/cert-manager/helm-release.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: system-pki
+spec:
+  interval: 5m
+  timeout: 5m
+  chart:
+    spec:
+      chart: cert-manager
+      # renovate: datasource=helm depName=cert-manager package=cert-manager helmRepo=https://charts.jetstack.io
+      version: 1.16.3
+      sourceRef: 
+        kind: HelmRepository
+        name: jetstack
+        namespace: system-gitops
+  values:
+    crds:
+      enabled: true

kustomize/pki/base/cert-manager/helm-repository.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: system-gitops
+spec:
+  interval: 10m
+  timeout: 3m
+  url: https://charts.jetstack.io

kustomize/pki/base/cert-manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - helm-repository.yaml
+  - helm-release.yaml

kustomize/pki/base/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - namespace.yaml

kustomize/pki/base/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-pki
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

kustomize/pki/resources/issuer.yaml

@@ -0,0 +1,5 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: public
+spec: {}

kustomize/pki/resources/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - issuer.yaml

kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/public-issuer.yaml

kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: public
+spec:
+  selfSigned: {}