Merge pull request #56 from MaterializeInc/certs_by_default

alex-hunt-materialize · web-flow · commit 31fb765d5eec · 2025-04-01T10:44:58.000+01:00
Enable TLS by default
diff --git a/README.md b/README.md
@@ -168,12 +168,12 @@ disk_support_config = {
 | <a name="input_helm_chart"></a> [helm\_chart](#input\_helm\_chart) | Chart name from repository or local path to chart. For local charts, set the path to the chart directory. | `string` | `"materialize-operator"` | no |
 | <a name="input_helm_values"></a> [helm\_values](#input\_helm\_values) | Additional Helm values to merge with defaults | `any` | `{}` | no |
 | <a name="input_install_aws_load_balancer_controller"></a> [install\_aws\_load\_balancer\_controller](#input\_install\_aws\_load\_balancer\_controller) | Whether to install the AWS Load Balancer Controller | `bool` | `true` | no |
-| <a name="input_install_cert_manager"></a> [install\_cert\_manager](#input\_install\_cert\_manager) | Whether to install cert-manager. | `bool` | `false` | no |
+| <a name="input_install_cert_manager"></a> [install\_cert\_manager](#input\_install\_cert\_manager) | Whether to install cert-manager. | `bool` | `true` | no |
 | <a name="input_install_materialize_operator"></a> [install\_materialize\_operator](#input\_install\_materialize\_operator) | Whether to install the Materialize operator | `bool` | `true` | no |
 | <a name="input_install_metrics_server"></a> [install\_metrics\_server](#input\_install\_metrics\_server) | Whether to install the metrics-server for the Materialize Console | `bool` | `true` | no |
 | <a name="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace) | The Kubernetes namespace for the Materialize resources | `string` | `"materialize-environment"` | no |
 | <a name="input_log_group_name_prefix"></a> [log\_group\_name\_prefix](#input\_log\_group\_name\_prefix) | Prefix for the CloudWatch log group name (will be combined with environment name) | `string` | `"materialize"` | no |
-| <a name="input_materialize_instances"></a> [materialize\_instances](#input\_materialize\_instances) | Configuration for Materialize instances. Due to limitations in Terraform, `materialize_instances` cannot be defined on the first `terraform apply`. | <pre>list(object({<br/>    name                             = string<br/>    namespace                        = optional(string)<br/>    database_name                    = string<br/>    environmentd_version             = optional(string, "v0.130.4")<br/>    cpu_request                      = optional(string, "1")<br/>    memory_request                   = optional(string, "1Gi")<br/>    memory_limit                     = optional(string, "1Gi")<br/>    create_database                  = optional(bool, true)<br/>    create_nlb                       = optional(bool, true)<br/>    internal_nlb                     = optional(bool, true)<br/>    enable_cross_zone_load_balancing = optional(bool, true)<br/>    in_place_rollout                 = optional(bool, false)<br/>    request_rollout                  = optional(string)<br/>    force_rollout                    = optional(string)<br/>    balancer_memory_request          = optional(string, "256Mi")<br/>    balancer_memory_limit            = optional(string, "256Mi")<br/>    balancer_cpu_request             = optional(string, "100m")<br/>  }))</pre> | `[]` | no |
+| <a name="input_materialize_instances"></a> [materialize\_instances](#input\_materialize\_instances) | Configuration for Materialize instances. Due to limitations in Terraform, `materialize_instances` cannot be defined on the first `terraform apply`. | <pre>list(object({<br/>    name                             = string<br/>    namespace                        = optional(string)<br/>    database_name                    = string<br/>    environmentd_version             = optional(string)<br/>    cpu_request                      = optional(string, "1")<br/>    memory_request                   = optional(string, "1Gi")<br/>    memory_limit                     = optional(string, "1Gi")<br/>    create_database                  = optional(bool, true)<br/>    create_nlb                       = optional(bool, true)<br/>    internal_nlb                     = optional(bool, true)<br/>    enable_cross_zone_load_balancing = optional(bool, true)<br/>    in_place_rollout                 = optional(bool, false)<br/>    request_rollout                  = optional(string)<br/>    force_rollout                    = optional(string)<br/>    balancer_memory_request          = optional(string, "256Mi")<br/>    balancer_memory_limit            = optional(string, "256Mi")<br/>    balancer_cpu_request             = optional(string, "100m")<br/>  }))</pre> | `[]` | no |
 | <a name="input_metrics_retention_days"></a> [metrics\_retention\_days](#input\_metrics\_retention\_days) | Number of days to retain CloudWatch metrics | `number` | `7` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace for all resources, usually the organization or project name | `string` | n/a | yes |
 | <a name="input_network_id"></a> [network\_id](#input\_network\_id) | The ID of the VPC in which resources will be deployed. Only used if create\_vpc is false. | `string` | `""` | no |
@@ -195,7 +195,7 @@ disk_support_config = {
 | <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Use a single NAT Gateway for all private subnets | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Default tags to apply to all resources | `map(string)` | <pre>{<br/>  "Environment": "dev",<br/>  "Project": "materialize",<br/>  "Terraform": "true"<br/>}</pre> | no |
 | <a name="input_use_local_chart"></a> [use\_local\_chart](#input\_use\_local\_chart) | Whether to use a local chart instead of one from a repository | `bool` | `false` | no |
-| <a name="input_use_self_signed_cluster_issuer"></a> [use\_self\_signed\_cluster\_issuer](#input\_use\_self\_signed\_cluster\_issuer) | Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed. | `bool` | `false` | no |
+| <a name="input_use_self_signed_cluster_issuer"></a> [use\_self\_signed\_cluster\_issuer](#input\_use\_self\_signed\_cluster\_issuer) | Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined. | `bool` | `true` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for VPC | `string` | `"10.0.0.0/16"` | no |
 
 ## Outputs
@@ -239,19 +239,24 @@ The DNS name and ARN for the NLBs will be in the `terraform output` as `nlb_deta
 
 #### TLS support
 
-For example purposes, optional TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
+TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
 
 More advanced TLS support using user-provided CAs or per-Materialize `Issuer`s are out of scope for this Terraform module. Please refer to the [cert-manager documentation](https://cert-manager.io/docs/configuration/) for detailed guidance on more advanced usage.
 
-###### To enable installation of `cert-manager` and configuration of the self-signed `ClusterIssuer`
-1. Set `install_cert_manager` to `true`.
-1. Run `terraform apply`.
-1. Set `use_self_signed_cluster_issuer` to `true`.
-1. Run `terraform apply`.
+## Upgrade Notes
 
-Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We need to first install `cert-manager` in the first `terraform apply`, before defining any `ClusterIssuer` or `Certificate` resources which get created in the second `terraform apply`.
+#### v0.4.0
+We now install `cert-manager` and configure a self-signed `ClusterIssuer` by default.
 
-## Upgrade Notes
+Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We have worked around this for new users by only generating the certificate resources when creating Materialize instances that use them, which also cannot be created on the first run.
+
+For existing users upgrading Materialize instances not previously configured for TLS:
+1. Leave `install_cert_manager` at its default of `true`.
+2. Set `use_self_signed_cluster_issuer` to `false`.
+3. Run `terraform apply`. This will install cert-manager and its CRDs.
+4. Set `use_self_signed_cluster_issuer` back to `true` (the default).
+5. Update the `request_rollout` field of the Materialize instance.
+6. Run `terraform apply`. This will generate the certificates and configure your Materialize instance to use them.
 
 #### v0.3.0
 We now install the AWS Load Balancer Controller and create Network Load Balancers for each Materialize instance.
diff --git a/docs/footer.md b/docs/footer.md
@@ -19,19 +19,24 @@ The DNS name and ARN for the NLBs will be in the `terraform output` as `nlb_deta
 
 #### TLS support
 
-For example purposes, optional TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
+TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
 
 More advanced TLS support using user-provided CAs or per-Materialize `Issuer`s are out of scope for this Terraform module. Please refer to the [cert-manager documentation](https://cert-manager.io/docs/configuration/) for detailed guidance on more advanced usage.
 
-###### To enable installation of `cert-manager` and configuration of the self-signed `ClusterIssuer`
-1. Set `install_cert_manager` to `true`.
-1. Run `terraform apply`.
-1. Set `use_self_signed_cluster_issuer` to `true`.
-1. Run `terraform apply`.
+## Upgrade Notes
 
-Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We need to first install `cert-manager` in the first `terraform apply`, before defining any `ClusterIssuer` or `Certificate` resources which get created in the second `terraform apply`.
+#### v0.4.0
+We now install `cert-manager` and configure a self-signed `ClusterIssuer` by default.
 
-## Upgrade Notes
+Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We have worked around this for new users by only generating the certificate resources when creating Materialize instances that use them, which also cannot be created on the first run.
+
+For existing users upgrading Materialize instances not previously configured for TLS:
+1. Leave `install_cert_manager` at its default of `true`.
+2. Set `use_self_signed_cluster_issuer` to `false`.
+3. Run `terraform apply`. This will install cert-manager and its CRDs.
+4. Set `use_self_signed_cluster_issuer` back to `true` (the default).
+5. Update the `request_rollout` field of the Materialize instance.
+6. Run `terraform apply`. This will generate the certificates and configure your Materialize instance to use them.
 
 #### v0.3.0
 We now install the AWS Load Balancer Controller and create Network Load Balancers for each Materialize instance.
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -162,13 +162,13 @@ variable "helm_values" {
 variable "install_cert_manager" {
   description = "Whether to install cert-manager."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "use_self_signed_cluster_issuer" {
-  description = "Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed."
+  description = "Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined."
   type        = bool
-  default     = false
+  default     = true
 }
 
 # Outputs
diff --git a/main.tf b/main.tf
@@ -113,7 +113,7 @@ module "certificates" {
   install_cert_manager           = var.install_cert_manager
   cert_manager_install_timeout   = var.cert_manager_install_timeout
   cert_manager_chart_version     = var.cert_manager_chart_version
-  use_self_signed_cluster_issuer = var.use_self_signed_cluster_issuer
+  use_self_signed_cluster_issuer = var.use_self_signed_cluster_issuer && length(var.materialize_instances) > 0
   cert_manager_namespace         = var.cert_manager_namespace
   name_prefix                    = local.name_prefix
 
@@ -224,7 +224,7 @@ locals {
         parameters  = local.disk_config.storage_class_parameters
       }
     } : {}
-    tls = var.use_self_signed_cluster_issuer ? {
+    tls = (var.use_self_signed_cluster_issuer && length(var.materialize_instances) > 0) ? {
       defaultCertificateSpecs = {
         balancerdExternal = {
           dnsNames = [
diff --git a/variables.tf b/variables.tf
@@ -276,13 +276,13 @@ variable "install_aws_load_balancer_controller" {
 variable "install_cert_manager" {
   description = "Whether to install cert-manager."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "use_self_signed_cluster_issuer" {
-  description = "Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed."
+  description = "Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "cert_manager_namespace" {
