Proto commits in flux-iac/tofu-controller

These 34 commits are when the Protocol Buffers files have changed:

2024-02-28

feat: Cache workspace blob on tofu-controller filesystem - block stream encryption + remove non-stream endpoint - Nothing uses the feature yet. ``` ❯ kubectl exec -it -n flux-system chart-tofu-controller-648fbc54f8-7sprc -- ls -la /blob-cache/ total 12 drwxrwsrwx 2 root 1337 4096 Dec 19 15:29 . drwxr-xr-x 1 root root 4096 Dec 19 15:29 .. -rw-r--r-- 1 controll 1337 800 Dec 20 09:41 terraform-helloworld-tf-priv.tar.gz ❯ kubectl exec -it -n flux-system chart-tofu-controller-648fbc54f8-7sprc -- hexdump -C /blob-cache/terraform-helloworld-tf-priv.tar.gz | head -n 3 00000000 1b 3f 00 8d 25 67 17 79 87 04 d7 b9 03 f2 6c ba |.?..%g.y......l.| 00000010 bc 0c 7e 75 29 de 25 1f bb 99 c4 49 2d 99 1b e0 |..~u).%....I-...| 00000020 b3 72 2f ca ab fb 5f 93 ee b4 ba bd a6 76 83 38 |.r/..._......v.8| ``` with a small go temp app, after decryption and untar (the repo itself has only one file: `main.tf`): ``` ❯ kubectl cp -n flux-system chart-tofu-controller-648fbc54f8-7sprc:/blob-cache/terraform-helloworld-tf-priv.tar.gz ./terraform-helloworld-tf-priv.tar.gz tar: removing leading '/' from member names ❯ go run . INFO[0000] /tmp/1417200660 ❯ tree /tmp/1417200660 /tmp/1417200660 ├── backend_override.tf ├── generated.auto.tfvars.json └── main.tf 1 directory, 3 files ``` Extra To Do items: - Add feature flag Signed-off-by: Balazs Nadasdi <balazs@weave.works> Signed-off-by: Victoria Nadasdi <victoria@efertone.me>

2024-01-24

chore(changes): add all changes from previous PR

The documentation is generated from this commit.

feat(tfvars): add tfvars feature, API

2023-12-07

feat: Implement BLOB encryption within the tf-runner As a starter, we need a ServiceAccountToken Secret. With older versions of Kubernetes, a default one was created automatically, but recent versions doesn't have this functionality. ``` apiVersion: v1 kind: Secret metadata: name: tf-runner-encryption namespace: terraform annotations: kubernetes.io/service-account.name: tf-runner type: kubernetes.io/service-account-token ``` When encrypting the BLOB content, we use the first 32 bytes of the generated token as AES256 key with a nonce using Galois Counter Mode. The full encryption is part of the `CreateWorkspaceBlob` function for now. It can be extracted, but until we need somewhere else it can live there. There is a chance we have to reconsider how it works when we approach the key rotation with #1161, because with this approach if the token is replaced, we have zero clue what was the previous one, therefore we can't decrypt existing content. It can be a design choice tho (discard all cache when key rotation happens). Closes #1121 References: - https://github.com/weaveworks/tf-controller/issues/1121 - https://github.com/weaveworks/tf-controller/issues/1161 Signed-off-by: Balazs Nadasdi <balazs@weave.works>

2023-12-04

feat: generate checksum for cache blobs Related to #1158 References: - https://github.com/weaveworks/tf-controller/issues/1158 Signed-off-by: Balazs Nadasdi <balazs@weave.works>

2023-12-01

Add CreateWorkspaceBlob RPC method to Runner service (#1152)

2023-11-01

[feat] This commit sets up the code based on PR #489 Enable the Terraform LockTimeout functionality in both API Versions and update the docs. Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie> Co-authored-by: Eugene Malihins <kp0ccobep@gmail.com>

2023-08-10

feat: backport break-the-glass to v0.14 ``` ❯ go run ./cmd/tfctl break-glass -n terraform helloworld-tf  Break the glass requested for terraform/helloworld-tf Waiting: Reconciliation in progress Waiting: Reconciliation in progress Waiting: Reconciliation in progress Waiting: No drift: main@sha1:3ac83e0ff205dcd2e21f08120312e3502f62a9e2 Waiting: Reconciliation in progress Waiting: Reconciliation in progress Waiting: Reconciliation in progress Waiting: Breaking the glass ... The glass is breaking! /tmp/terraform-helloworld-tf $ ls README.md backend_override.tf dev-cluster generated.auto.tfvars.json main.tf /tmp/terraform-helloworld-tf $ ``` Additional changes: * backport Tiltfile to make it easier the development if we have to do anything else with v0.14 in the future (security fix for example) Signed-off-by: Balazs Nadasdi <balazs@weave.works>

2023-06-02

implement break the glass and allow-break-the-glass flag Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

feat: Add new properties and create secret using said properties

2023-05-28

implement break the glass and allow-break-the-glass flag Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2023-05-12

feat: Add new properties and create secret using said properties

2023-04-21

fix the case when no resources to destroy, the object will be gracefully deleted Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com> (cherry picked from commit 0d9753d1a56c9eb6b239e6daf15e9d92108b532d) Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2023-03-13

fix the case when no resources to destroy, the object will be gracefully deleted Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2023-01-10

feat: enable parallelism option for TF apply stage

2022-10-18

Trace logging (#387) * Add trace level logging * Add more logs, fix an error with extra values * Remove duplicate call to create pod * Remove duplicate call and add a UUID to the logger for a loop id * Pass reconciliation loop id into runner which is then adopted as the runner instance id * Additional logs around logic * Fix var for loop id * Commit generated files * Fix check on the TfInstance * Fix reconciliation loop id * Pass the tfinstance id into the webhook funcs * Fix var declaration * Fix webhook test, missing tfInstance param * Fix tests * Fix import and pass expected param Signed-off-by: Luke Mallon (Nalum) <luke.mallon@weave.works>

2022-10-17

fix dependency finalization Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2022-10-03

implement helm-like template Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2022-09-13

Add optional workspace field This commit adds support for selecting given Terraform workspace. Signed-off-by: Dinar Valeev <dinar.valeev@absa.africa>

2022-09-06

support storing readable plan details in secret and configmap Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

Feature: configuration files mounting (#333) * feat: added fileMappings to RunnerSpec API + gRPC messages and generation * feat: added runner server + controller logic * feat: generated manifests and added logic * works * works * works * fixes for mr * review fixec * consts * fix conflixt problems * kubebuilder version fix + testcase Co-authored-by: itamar.marom <itamar.marom@appsflyer.com>

2022-08-29

Merge pull request #311 from akselleirv/targets feat: support for targets (#270)

2022-08-27

recording events to notification controller Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2022-08-23

feat: support for targets (#270)

2022-08-18

Setup space for the lock id in reply messages Signed-off-by: Luke Mallon (Nalum) <luke.mallon@weave.works>

Setup new function to force unlock a locked state Signed-off-by: Luke Mallon (Nalum) <luke.mallon@weave.works>

2022-08-14

add backendConfigsFrom secret and cm Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2022-08-12

Revert "add validation function and test. TODO: fix validation reconciliation" This reverts commit 5d3cbae810a758bb7f07ef8fd1a61f45f5edb54a.

add validation function and test. TODO: fix validation reconciliation

2022-06-21

implement inventory Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

2022-04-27

implement .spec.refreshBeforeApply to correct TF data behavior

2022-02-08

set up gh pages for helm repo Signed-off-by: Tom Huang <tom.huang@weave.works>

This commit does not contain any .proto files.

2022-01-31

port health check to gRPC

2022-01-30

implement local grpc for terraform runner