Merge pull request #47 from MaterializeInc/add-auth-support

jubrad · web-flow · commit 547714878c43 · 2025-06-24T00:12:51.000-05:00
Add password auth support
diff --git a/README.md b/README.md
@@ -34,6 +34,36 @@ The module supports several rollout strategies for Materialize instances through
 
 To use these options, set the appropriate values in the `instances` input variable and when you want to rollout a new version of the instance, set the `request_rollout` or `force_rollout` value to a new UUID.
 
+## Authentication Options
+
+The module supports two authentication modes for Materialize instances:
+
+### `authenticator_kind` (string)
+- Determines how users authenticate with the Materialize instance.
+- Valid values are:
+  - `"None"` (default): No password authentication is enabled.
+  - `"Password"`: Enables password authentication for the `mz_system` user. When set to `"Password"`, you **must** provide a value for `external_login_password_mz_system`.
+
+### `external_login_password_mz_system` (string)
+- The password to set for the `mz_system` user when `authenticator_kind` is `"Password"`.
+- This value is stored securely in a Kubernetes Secret and used by the Materialize operator to configure authentication.
+- **Required** if `authenticator_kind` is set to `"Password"`.
+
+**Example:**
+```hcl
+instances = [
+  {
+    name                              = "mz-instance"
+    namespace                         = "mz-ns"
+    authenticator_kind                = "Password"
+    external_login_password_mz_system = "your-secure-password"
+    # other instance configurations
+  }
+]
+```
+
+If `authenticator_kind` is not set or set to `"None"`, password authentication is disabled and `external_login_password_mz_system` is ignored.
+
 ## Requirements
 
 | Name | Version |
@@ -77,7 +107,7 @@ No modules.
 | <a name="input_helm_repository"></a> [helm\_repository](#input\_helm\_repository) | Repository URL for the Materialize operator Helm chart. Leave empty if using local chart. | `string` | `"https://materializeinc.github.io/materialize/"` | no |
 | <a name="input_helm_values"></a> [helm\_values](#input\_helm\_values) | Values to pass to the Helm chart | `any` | n/a | yes |
 | <a name="input_install_metrics_server"></a> [install\_metrics\_server](#input\_install\_metrics\_server) | Whether to install the metrics-server | `bool` | `true` | no |
-| <a name="input_instances"></a> [instances](#input\_instances) | Configuration for Materialize instances | <pre>list(object({<br/>    name                 = string<br/>    namespace            = optional(string)<br/>    create_database      = optional(bool, true)<br/>    database_name        = string<br/>    metadata_backend_url = string<br/>    persist_backend_url  = string<br/>    license_key          = optional(string)<br/>    environmentd_version = optional(string, "v0.130.13") # META: mz version<br/>    environmentd_extra_env = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    environmentd_extra_args = optional(list(string), [])<br/>    cpu_request             = optional(string, "1")<br/>    memory_request          = optional(string, "1Gi")<br/>    memory_limit            = optional(string, "1Gi")<br/>    in_place_rollout        = optional(bool, true)<br/>    request_rollout         = optional(string, "00000000-0000-0000-0000-000000000001")<br/>    force_rollout           = optional(string, "00000000-0000-0000-0000-000000000001")<br/>    balancer_memory_request = optional(string, "256Mi")<br/>    balancer_memory_limit   = optional(string, "256Mi")<br/>    balancer_cpu_request    = optional(string, "100m")<br/>  }))</pre> | `[]` | no |
+| <a name="input_instances"></a> [instances](#input\_instances) | Configuration for Materialize instances | <pre>list(object({<br/>    name                              = string<br/>    namespace                         = optional(string)<br/>    create_database                   = optional(bool, true)<br/>    database_name                     = string<br/>    metadata_backend_url              = string<br/>    persist_backend_url               = string<br/>    license_key                       = optional(string)<br/>    external_login_password_mz_system = optional(string)<br/>    authenticator_kind                = optional(string, "None")<br/>    environmentd_version              = optional(string, "v0.130.13") # META: mz version<br/>    environmentd_extra_env = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    environmentd_extra_args = optional(list(string), [])<br/>    cpu_request             = optional(string, "1")<br/>    memory_request          = optional(string, "1Gi")<br/>    memory_limit            = optional(string, "1Gi")<br/>    in_place_rollout        = optional(bool, true)<br/>    request_rollout         = optional(string, "00000000-0000-0000-0000-000000000001")<br/>    force_rollout           = optional(string, "00000000-0000-0000-0000-000000000001")<br/>    balancer_memory_request = optional(string, "256Mi")<br/>    balancer_memory_limit   = optional(string, "256Mi")<br/>    balancer_cpu_request    = optional(string, "100m")<br/>  }))</pre> | `[]` | no |
 | <a name="input_metrics_server_version"></a> [metrics\_server\_version](#input\_metrics\_server\_version) | Version of metrics-server to install | `string` | `"3.12.2"` | no |
 | <a name="input_monitoring_namespace"></a> [monitoring\_namespace](#input\_monitoring\_namespace) | Namespace for monitoring resources | `string` | `"monitoring"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace prefix for all resources | `string` | n/a | yes |
diff --git a/docs/header.md b/docs/header.md
@@ -29,3 +29,33 @@ The module supports several rollout strategies for Materialize instances through
 - Must be changed to a new UUID value for each rollout
 
 To use these options, set the appropriate values in the `instances` input variable and when you want to rollout a new version of the instance, set the `request_rollout` or `force_rollout` value to a new UUID.
+
+## Authentication Options
+
+The module supports two authentication modes for Materialize instances:
+
+### `authenticator_kind` (string)
+- Determines how users authenticate with the Materialize instance.
+- Valid values are:
+  - `"None"` (default): No password authentication is enabled.
+  - `"Password"`: Enables password authentication for the `mz_system` user. When set to `"Password"`, you **must** provide a value for `external_login_password_mz_system`.
+
+### `external_login_password_mz_system` (string)
+- The password to set for the `mz_system` user when `authenticator_kind` is `"Password"`.
+- This value is stored securely in a Kubernetes Secret and used by the Materialize operator to configure authentication.
+- **Required** if `authenticator_kind` is set to `"Password"`.
+
+**Example:**
+```hcl
+instances = [
+  {
+    name                              = "materialize-instance"
+    namespace                         = "materialize"
+    authenticator_kind                = "Password"
+    external_login_password_mz_system = "your-secure-password"
+    # other instance configurations
+  }
+]
+```
+
+If `authenticator_kind` is not set or set to `"None"`, password authentication is disabled and `external_login_password_mz_system` is ignored.
diff --git a/main.tf b/main.tf
@@ -66,11 +66,16 @@ resource "kubernetes_secret" "materialize_backends" {
     namespace = coalesce(each.value.namespace, var.operator_namespace)
   }
 
-  data = {
-    metadata_backend_url = each.value.metadata_backend_url
-    persist_backend_url  = each.value.persist_backend_url
-    license_key          = each.value.license_key == null ? "" : each.value.license_key
-  }
+  data = merge(
+    {
+      metadata_backend_url = each.value.metadata_backend_url
+      persist_backend_url  = each.value.persist_backend_url
+      license_key          = each.value.license_key == null ? "" : each.value.license_key
+    },
+    each.value.authenticator_kind == "Password" && each.value.external_login_password_mz_system != null ? {
+      external_login_password_mz_system = each.value.external_login_password_mz_system
+    } : {}
+  )
 
   depends_on = [
     kubernetes_namespace.instance_namespaces,
@@ -102,6 +107,7 @@ resource "kubernetes_manifest" "materialize_instances" {
     spec = {
       environmentdImageRef = "materialize/environmentd:${each.value.environmentd_version}"
       backendSecretName    = "${each.key}-materialize-backend"
+      authenticatorKind    = each.value.authenticator_kind
       inPlaceRollout       = each.value.in_place_rollout
       requestRollout       = lookup(each.value, "request_rollout", null)
       forceRollout         = lookup(each.value, "force_rollout", null)
diff --git a/variables.tf b/variables.tf
@@ -65,14 +65,16 @@ variable "install_metrics_server" {
 variable "instances" {
   description = "Configuration for Materialize instances"
   type = list(object({
-    name                 = string
-    namespace            = optional(string)
-    create_database      = optional(bool, true)
-    database_name        = string
-    metadata_backend_url = string
-    persist_backend_url  = string
-    license_key          = optional(string)
-    environmentd_version = optional(string, "v0.130.13") # META: mz version
+    name                              = string
+    namespace                         = optional(string)
+    create_database                   = optional(bool, true)
+    database_name                     = string
+    metadata_backend_url              = string
+    persist_backend_url               = string
+    license_key                       = optional(string)
+    external_login_password_mz_system = optional(string)
+    authenticator_kind                = optional(string, "None")
+    environmentd_version              = optional(string, "v0.130.13") # META: mz version
     environmentd_extra_env = optional(list(object({
       name  = string
       value = string
@@ -107,6 +109,23 @@ variable "instances" {
     ])
     error_message = "Force rollout must be a valid UUID in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   }
+
+  validation {
+    condition = alltrue([
+      for instance in var.instances :
+      contains(["Password", "None"], instance.authenticator_kind)
+    ])
+    error_message = "Authenticator kind must be either 'Password' or 'None'"
+  }
+
+  validation {
+    condition = alltrue([
+      for instance in var.instances :
+      (instance.authenticator_kind == "Password" && instance.external_login_password_mz_system != null)
+      || (instance.authenticator_kind == "None" && instance.external_login_password_mz_system == null)
+    ])
+    error_message = "When authenticator_kind is 'Password', external_login_password_mz_system must be provided"
+  }
 }
 
 variable "postgres_version" {
