Enable TLS by default

Enable TLS by default.

Author: alex-hunt-materialize

README.md

@@ -62,7 +62,7 @@ No resources.
 | <a name="input_gke_config"></a> [gke\_config](#input\_gke\_config) | GKE cluster configuration. Make sure to use large enough machine types for your Materialize instances. | <pre>object({<br/>    node_count   = number<br/>    machine_type = string<br/>    disk_size_gb = number<br/>    min_nodes    = number<br/>    max_nodes    = number<br/>  })</pre> | <pre>{<br/>  "disk_size_gb": 50,<br/>  "machine_type": "e2-standard-4",<br/>  "max_nodes": 2,<br/>  "min_nodes": 1,<br/>  "node_count": 1<br/>}</pre> | no |
 | <a name="input_helm_chart"></a> [helm\_chart](#input\_helm\_chart) | Chart name from repository or local path to chart. For local charts, set the path to the chart directory. | `string` | `"materialize-operator"` | no |
 | <a name="input_helm_values"></a> [helm\_values](#input\_helm\_values) | Values to pass to the Helm chart | `any` | `{}` | no |
-| <a name="input_install_cert_manager"></a> [install\_cert\_manager](#input\_install\_cert\_manager) | Whether to install cert-manager. | `bool` | `false` | no |
+| <a name="input_install_cert_manager"></a> [install\_cert\_manager](#input\_install\_cert\_manager) | Whether to install cert-manager. | `bool` | `true` | no |
 | <a name="input_install_materialize_operator"></a> [install\_materialize\_operator](#input\_install\_materialize\_operator) | Whether to install the Materialize operator | `bool` | `true` | no |
 | <a name="input_install_metrics_server"></a> [install\_metrics\_server](#input\_install\_metrics\_server) | Whether to install the metrics-server for the Materialize Console. Defaults to false since GKE installs one by default in the kube-system namespace. Only set to true if the GKE cluster was deployed with [monitoring explicitly turned off](https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#:~:text=To%20disable%20system%20metric%20collection,for%20the%20%2D%2Dmonitoring%20flag). Refer to the [GKE docs](https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#:~:text=To%20disable%20system%20metric%20collection,for%20the%20%2D%2Dmonitoring%20flag) for more information, including impact to GKE customer support efforts. | `bool` | `false` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Labels to apply to all resources | `map(string)` | `{}` | no |
@@ -76,7 +76,7 @@ No resources.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project where resources will be created | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region where resources will be created | `string` | `"us-central1"` | no |
 | <a name="input_use_local_chart"></a> [use\_local\_chart](#input\_use\_local\_chart) | Whether to use a local chart instead of one from a repository | `bool` | `false` | no |
-| <a name="input_use_self_signed_cluster_issuer"></a> [use\_self\_signed\_cluster\_issuer](#input\_use\_self\_signed\_cluster\_issuer) | Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed. | `bool` | `false` | no |
+| <a name="input_use_self_signed_cluster_issuer"></a> [use\_self\_signed\_cluster\_issuer](#input\_use\_self\_signed\_cluster\_issuer) | Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined. | `bool` | `true` | no |
 
 ## Outputs
 
@@ -101,15 +101,23 @@ Access to the web console is through the console pods on port 8080.
 
 #### TLS support
 
-For example purposes, optional TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
+TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
 
 More advanced TLS support using user-provided CAs or per-Materialize `Issuer`s are out of scope for this Terraform module. Please refer to the [cert-manager documentation](https://cert-manager.io/docs/configuration/) for detailed guidance on more advanced usage.
 
-###### To enable installation of `cert-manager` and configuration of the self-signed `ClusterIssuer`
-1. Set `install_cert_manager` to `true`.
-1. Run `terraform apply`.
-1. Set `use_self_signed_cluster_issuer` to `true`.
-1. Run `terraform apply`.
+## Upgrade Notes
 
-Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We need to first install `cert-manager` in the first `terraform apply`, before defining any `ClusterIssuer` or `Certificate` resources which get created in the second `terraform apply`.
+#### v0.3.0
+
+We now install `cert-manager` and configure a self-signed `ClusterIssuer` by default.
+
+Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We have worked around this for new users by only generating the certificate resources when creating Materialize instances that use them, which also cannot be created on the first run.
+
+For existing users upgrading Materialize instances not previously configured for TLS:
+1. Leave `install_cert_manager` at its default of `true`.
+2. Set `use_self_signed_cluster_issuer` to `false`.
+3. Run `terraform apply`. This will install cert-manager and its CRDs.
+4. Set `use_self_signed_cluster_issuer` back to `true` (the default).
+5. Update the `request_rollout` field of the Materialize instance.
+6. Run `terraform apply`. This will generate the certificates and configure your Materialize instance to use them.
 <!-- END_TF_DOCS -->

docs/footer.md

@@ -8,14 +8,22 @@ Access to the web console is through the console pods on port 8080.
 
 #### TLS support
 
-For example purposes, optional TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
+TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
 
 More advanced TLS support using user-provided CAs or per-Materialize `Issuer`s are out of scope for this Terraform module. Please refer to the [cert-manager documentation](https://cert-manager.io/docs/configuration/) for detailed guidance on more advanced usage.
 
-###### To enable installation of `cert-manager` and configuration of the self-signed `ClusterIssuer`
-1. Set `install_cert_manager` to `true`.
-1. Run `terraform apply`.
-1. Set `use_self_signed_cluster_issuer` to `true`.
-1. Run `terraform apply`.
+## Upgrade Notes
 
-Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We need to first install `cert-manager` in the first `terraform apply`, before defining any `ClusterIssuer` or `Certificate` resources which get created in the second `terraform apply`.
+#### v0.3.0
+
+We now install `cert-manager` and configure a self-signed `ClusterIssuer` by default.
+
+Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We have worked around this for new users by only generating the certificate resources when creating Materialize instances that use them, which also cannot be created on the first run.
+
+For existing users upgrading Materialize instances not previously configured for TLS:
+1. Leave `install_cert_manager` at its default of `true`.
+2. Set `use_self_signed_cluster_issuer` to `false`.
+3. Run `terraform apply`. This will install cert-manager and its CRDs.
+4. Set `use_self_signed_cluster_issuer` back to `true` (the default).
+5. Update the `request_rollout` field of the Materialize instance.
+6. Run `terraform apply`. This will generate the certificates and configure your Materialize instance to use them.

examples/simple/main.tf

@@ -175,11 +175,11 @@ variable "materialize_instances" {
 variable "install_cert_manager" {
   description = "Whether to install cert-manager."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "use_self_signed_cluster_issuer" {
-  description = "Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed."
+  description = "Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined."
   type        = bool
-  default     = false
+  default     = true
 }

main.tf

@@ -77,7 +77,7 @@ module "certificates" {
   install_cert_manager           = var.install_cert_manager
   cert_manager_install_timeout   = var.cert_manager_install_timeout
   cert_manager_chart_version     = var.cert_manager_chart_version
-  use_self_signed_cluster_issuer = var.use_self_signed_cluster_issuer
+  use_self_signed_cluster_issuer = var.use_self_signed_cluster_issuer && length(var.materialize_instances) > 0
   cert_manager_namespace         = var.cert_manager_namespace
   name_prefix                    = var.prefix
 
@@ -156,7 +156,7 @@ locals {
         }
       }
     }
-    tls = var.use_self_signed_cluster_issuer ? {
+    tls = (var.use_self_signed_cluster_issuer && length(var.materialize_instances) > 0) ? {
       defaultCertificateSpecs = {
         balancerdExternal = {
           dnsNames = [

variables.tf

@@ -163,13 +163,13 @@ variable "install_metrics_server" {
 variable "install_cert_manager" {
   description = "Whether to install cert-manager."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "use_self_signed_cluster_issuer" {
-  description = "Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed."
+  description = "Whether to install and use a self-signed ClusterIssuer for TLS. To work around limitations in Terraform, this will be treated as `false` if no materialize instances are defined."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "cert_manager_namespace" {