| <aname="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones)| List of availability zones |`list(string)`| <pre>[<br/> "us-east-1a",<br/> "us-east-1b",<br/> "us-east-1c"<br/>]</pre> | no |
139
140
| <aname="input_bucket_force_destroy"></a> [bucket\_force\_destroy](#input\_bucket\_force\_destroy)| Enable force destroy for the S3 bucket |`bool`|`true`| no |
140
141
| <aname="input_bucket_lifecycle_rules"></a> [bucket\_lifecycle\_rules](#input\_bucket\_lifecycle\_rules)| List of lifecycle rules for the S3 bucket | <pre>list(object({<br/> id = string<br/> enabled = bool<br/> prefix = string<br/> transition_days = number<br/> transition_storage_class = string<br/> noncurrent_version_expiration_days = number<br/> }))</pre> | <pre>[<br/> {<br/> "enabled": true,<br/> "id": "cleanup",<br/> "noncurrent_version_expiration_days": 90,<br/> "prefix": "",<br/> "transition_days": 90,<br/> "transition_storage_class": "STANDARD_IA"<br/> }<br/>]</pre> | no |
142
+
| <aname="input_cert_manager_namespace"></a> [cert\_manager\_namespace](#input\_cert\_manager\_namespace)| The name of the namespace in which cert-manager is or will be installed. |`string`|`"cert-manager"`| no |
141
143
| <aname="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types)| List of desired control plane logging to enable |`list(string)`| <pre>[<br/> "api",<br/> "audit",<br/> "authenticator",<br/> "controllerManager",<br/> "scheduler"<br/>]</pre> | no |
142
144
| <aname="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version)| Kubernetes version for the EKS cluster |`string`|`"1.32"`| no |
143
145
| <aname="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc)| Controls if VPC should be created (it affects almost all resources) |`bool`|`true`| no |
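Review bot: the new `cert_manager_namespace` row says the namespace is where cert-manager "is or will be installed" but does not say what the module does with it when `install_cert_manager` is `false` (the default): whether the namespace must already exist with cert-manager in it, or whether the value is simply unused until `install_cert_manager` or `use_self_signed_cluster_issuer` is enabled. Suggest one extra clause in the description, e.g. "Only used when `install_cert_manager` or `use_self_signed_cluster_issuer` is true", so readers of the generated table know when the value matters.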
@@ -158,6 +160,7 @@ disk_support_config = {
158
160
| <aname="input_helm_chart"></a> [helm\_chart](#input\_helm\_chart)| Chart name from repository or local path to chart. For local charts, set the path to the chart directory. |`string`|`"materialize-operator"`| no |
159
161
| <aname="input_helm_values"></a> [helm\_values](#input\_helm\_values)| Additional Helm values to merge with defaults |`any`|`{}`| no |
160
162
| <aname="input_install_aws_load_balancer_controller"></a> [install\_aws\_load\_balancer\_controller](#input\_install\_aws\_load\_balancer\_controller)| Whether to install the AWS Load Balancer Controller |`bool`|`true`| no |
163
+
| <aname="input_install_cert_manager"></a> [install\_cert\_manager](#input\_install\_cert\_manager)| Whether to install cert-manager. |`bool`|`false`| no |
161
164
| <aname="input_install_materialize_operator"></a> [install\_materialize\_operator](#input\_install\_materialize\_operator)| Whether to install the Materialize operator |`bool`|`true`| no |
162
165
| <aname="input_install_metrics_server"></a> [install\_metrics\_server](#input\_install\_metrics\_server)| Whether to install the metrics-server for the Materialize Console |`bool`|`true`| no |
163
166
| <aname="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace)| The Kubernetes namespace for the Materialize resources |`string`|`"materialize-environment"`| no |
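Review bot: the description "Whether to install cert-manager." ends with a period, unlike the neighbouring rows ("Whether to install the AWS Load Balancer Controller", "Whether to install the Materialize operator"); drop the trailing period so the terraform-docs table stays consistent. It would also help to mention here that this flag must be applied in a separate `terraform apply` before `use_self_signed_cluster_issuer` can be turned on, since a reader scanning the inputs table will not see the two-step procedure that is documented further down.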
@@ -176,14 +179,15 @@ disk_support_config = {
176
179
| <aname="input_node_group_min_size"></a> [node\_group\_min\_size](#input\_node\_group\_min\_size)| Minimum number of worker nodes |`number`|`1`| no |
177
180
| <aname="input_operator_namespace"></a> [operator\_namespace](#input\_operator\_namespace)| Namespace for the Materialize operator |`string`|`"materialize"`| no |
178
181
| <aname="input_operator_version"></a> [operator\_version](#input\_operator\_version)| Version of the Materialize operator to install |`string`|`null`| no |
179
-
| <aname="input_orchestratord_version"></a> [orchestratord\_version](#input\_orchestratord\_version)| Version of the Materialize orchestrator to install |`string`|`"v0.130.4"`| no |
182
+
| <aname="input_orchestratord_version"></a> [orchestratord\_version](#input\_orchestratord\_version)| Version of the Materialize orchestrator to install |`string`|`null`| no |
180
183
| <aname="input_postgres_version"></a> [postgres\_version](#input\_postgres\_version)| Version of PostgreSQL to use |`string`|`"15"`| no |
181
184
| <aname="input_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs)| CIDR blocks for private subnets |`list(string)`| <pre>[<br/> "10.0.1.0/24",<br/> "10.0.2.0/24",<br/> "10.0.3.0/24"<br/>]</pre> | no |
182
185
| <aname="input_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs)| CIDR blocks for public subnets |`list(string)`| <pre>[<br/> "10.0.101.0/24",<br/> "10.0.102.0/24",<br/> "10.0.103.0/24"<br/>]</pre> | no |
183
186
| <aname="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name)| Name of the service account |`string`|`"12345678-1234-1234-1234-123456789012"`| no |
184
187
| <aname="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway)| Use a single NAT Gateway for all private subnets |`bool`|`false`| no |
185
188
| <aname="input_tags"></a> [tags](#input\_tags)| Default tags to apply to all resources |`map(string)`| <pre>{<br/> "Environment": "dev",<br/> "Project": "materialize",<br/> "Terraform": "true"<br/>}</pre> | no |
186
189
| <aname="input_use_local_chart"></a> [use\_local\_chart](#input\_use\_local\_chart)| Whether to use a local chart instead of one from a repository |`bool`|`false`| no |
190
+
| <aname="input_use_self_signed_cluster_issuer"></a> [use\_self\_signed\_cluster\_issuer](#input\_use\_self\_signed\_cluster\_issuer)| Whether to install and use a self-signed ClusterIssuer for TLS. Due to limitations in Terraform, this may not be enabled before the cert-manager CRDs are installed. |`bool`|`false`| no |
187
191
| <aname="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr)| CIDR block for VPC |`string`|`"10.0.0.0/16"`| no |
188
192
189
193
## Outputs
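Review bot: the `orchestratord_version` default changes from the pinned `"v0.130.4"` to `null`, which is unrelated to the cert-manager and TLS additions in the rest of this change and is not explained anywhere in the README. A default of `null` presumably falls back to whatever the chart or `operator_version` resolves to; say so in the description (e.g. "Defaults to the chart's bundled version when null") and call the behaviour change out in the commit message, because anyone relying on the pinned default will silently start tracking a moving version. The `use_self_signed_cluster_issuer` row is fine as written; its "may not be enabled before the cert-manager CRDs are installed" caveat is the right thing to surface in the inputs table.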
@@ -225,6 +229,20 @@ By default, Network Load Balancers are created for each Materialize instance, wi
225
229
226
230
The DNS name and ARN for the NLBs will be in the `terraform output` as `nlb_details`.
227
231
232
+
#### TLS support
233
+
234
+
For example purposes, optional TLS support is provided by using `cert-manager` and a self-signed `ClusterIssuer`.
235
+
236
+
More advanced TLS support using user-provided CAs or per-Materialize `Issuer`s are out of scope for this Terraform module. Please refer to the [cert-manager documentation](https://cert-manager.io/docs/configuration/) for detailed guidance on more advanced usage.
237
+
238
+
###### To enable installation of `cert-manager` and configuration of the self-signed `ClusterIssuer`
239
+
1. Set `install_cert_manager` to `true`.
240
+
1. Run `terraform apply`.
241
+
1. Set `use_self_signed_cluster_issuer` to `true`.
242
+
1. Run `terraform apply`.
243
+
244
+
Due to limitations in Terraform, it cannot plan Kubernetes resources using CRDs that do not exist yet. We need to first install `cert-manager` in the first `terraform apply`, before defining any `ClusterIssuer` or `Certificate` resources which get created in the second `terraform apply`.
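Review bot: the heading for the procedure jumps from `####` to `######`, skipping a level, and reads as a sentence fragment ("To enable installation of ..."); use `#####` and a noun-phrase title such as "Enabling cert-manager and the self-signed ClusterIssuer". The section should also state the security consequence of the self-signed `ClusterIssuer` explicitly rather than only "for example purposes": certificates it issues chain to a CA that no client trusts by default, so any client connecting to Materialize over TLS will fail verification unless it is given the generated CA certificate (or has verification disabled), and the setup is therefore not suitable for production. A short sentence pointing readers at the `Certificate`/`Issuer` resources the module creates, so they know where to retrieve that CA, would make the two-apply procedure usable end to end. Finally, the closing paragraph repeats the CRD explanation already given in the `use_self_signed_cluster_issuer` input description; consider trimming one of the two or linking the table row to this section.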