### Example Burrito Helm Values Configuration Source: https://github.com/padok-team/burrito/blob/main/docs/installation/with-helm.md An example Helm values file for bootstrapping a Burrito installation. It demonstrates configuration for controller timers, datastore mock storage, and tenant setup with GKE Workload Identity. ```yaml config: burrito: controller: timers: driftDetection: 10m # run drift detection every 10 minutes onError: 10s # wait 10 seconds before retrying on error waitAction: 1m # wait 1 minute before retrying on locked layer failureGracePeriod: 30s # set a grace period of 30 seconds before retrying on failure (increases exponentially with the amount of failed retries) datastore: storage: mock: true # use a mock storage for the datastore (useful for testing, not recommended for production) tenants: - namespace: create: true name: "burrito-project" serviceAccounts: - name: burrito-runner annotations: iam.gke.io/gcp-service-account: burrito@company-project.iam.gserviceaccount.com # example: use GKE Workload Identity to have access to GCP infrastructure ``` -------------------------------- ### Burrito Pods Running Example Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Example output showing the expected status of Burrito pods after a successful deployment. All pods should be in a 'Running' state. ```text NAME READY STATUS RESTARTS AGE burrito-controllers-7657b7455-2ldtd 1/1 Running 0 5m32s burrito-datastore-5967f46497-tfzgg 1/1 Running 0 5m32s burrito-server-5b6fb78949-ngcnt 1/1 Running 0 5m32s ``` -------------------------------- ### Install Burrito Namespace and Manifests Source: https://github.com/padok-team/burrito/blob/main/docs/installation/with-static-manifests.md Creates the 'burrito' namespace and applies the main installation manifest. Ensure your kubeconfig is set up correctly. ```bash kubectl create namespace burrito kubectl apply -n burrito -f https://raw.githubusercontent.com/padok-team/burrito/main/manifests/install.yaml ``` -------------------------------- ### Encrypt Endpoint Usage Example with Curl Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/encrypt-endpoint.md This example demonstrates how to encrypt files using `curl` after setting up port-forwarding and obtaining a service account token. ```bash # enable port-forward to your datastore kubectl port-forward $(kubectl get pods -n burrito-system | awk '/burrito-datastore/{print $1}') -n burrito-system 8080:8080 # Get a token using the burrito-server service account (recommended) TOKEN=$(kubectl create token burrito-server -n burrito-system --audience=burrito) # Use it with curl curl -X POST http://localhost:8080/api/encrypt \ -H "Content-Type: application/json" \ -H "Authorization: $TOKEN" \ -d '{"encryptionKey": "your-encryption-key"}' ``` -------------------------------- ### Repository-level Sync Windows Example Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/sync-windows.md This example demonstrates how to define sync windows within a TerraformRepository configuration. It includes both 'allow' and 'deny' windows with specific schedules, durations, layers, and actions. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com/padok-team/burrito-examples.git terraform: enabled: true syncWindows: - kind: allow schedule: "0 8 * * *" duration: "12h" layers: - "layer1" - "layer2" actions: - "plan" - "apply" - kind: deny schedule: "30 1 * * *" duration: "30m" layers: - "layer*" actions: - "apply" ``` -------------------------------- ### Install cert-manager with Helm Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Installs cert-manager, a Kubernetes certificate management controller, using Helm. Ensure cert-manager is installed before proceeding with Burrito setup. ```bash helm install cert-manager oci://quay.io/jetstack/charts/cert-manager \ --version v1.20.2 \ --namespace cert-manager \ --create-namespace \ --set crds.enabled=true ``` -------------------------------- ### TerraformRepository Status Example Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/repository-controller.md Example status output for a TerraformRepository, showing branch information, last sync details, and overall state. ```yaml status: branches: - lastSyncDate: Fri Jun 13 13:48:48 UTC 2025 lastSyncStatus: success latestRev: 7a07490d90fdf6ffae19a6d00420871415a11ae5 name: main conditions: - status: "False" type: IsLastSyncTooOld # snip ... - status: "False" type: HasLastSyncFailed # snip ... state: Synced ``` -------------------------------- ### Install Burrito Core Components Source: https://github.com/padok-team/burrito/blob/main/docs/installation/with-helm.md Installs the Burrito core components into a dedicated namespace. Requires Helm v3.8.0 or above and access to an OCI-based registry. ```bash helm install burrito oci://ghcr.io/padok-team/charts/burrito -n burrito-system --create-namespace ``` -------------------------------- ### Example Remediation Strategy Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/remediation-strategy.md Example of how to configure `spec.remediationStrategy` in a `TerraformLayer` manifest to enable auto-apply and set a maximum of 3 retries on error. ```APIDOC ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformLayer metadata: name: random-pets-terragrunt spec: remediationStrategy: autoApply: true onError: maxRetries: 3 # ... snipped ... ``` ``` -------------------------------- ### Install Burrito with Helm Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md Use Helm to install Burrito on your Kubernetes cluster. This command installs Burrito with a basic configuration, including drift detection timers and mock storage. ```bash helm upgrade --install burrito oci://ghcr.io/padok-team/charts/burrito -n burrito-system -f https://raw.githubusercontent.com/padok-team/burrito/main/docs/examples/values-simple.yaml ``` -------------------------------- ### Runner Pod Completion Example Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Example output showing a completed runner pod for a Terraform layer. The 'Completed' status indicates that the Terraform apply process for the layer has finished. ```text NAME READY STATUS RESTARTS AGE my-layer-apply-gxjhd 0/1 Completed 0 2m36s ``` -------------------------------- ### TerraformRepository Example Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-webhook.md Defines a TerraformRepository resource. This is a prerequisite for configuring repository-specific credentials. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com/owner/repo terraform: enabled: true ``` -------------------------------- ### Configure Init Containers for Runner Setup Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/override-runner.md Utilize `initContainers` within a TerraformLayer to perform setup tasks, such as generating kubeconfig files, before the main Terraform execution. Ensure `uid`/`gid` match the runner image for file access. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformLayer metadata: name: my-layer spec: overrideRunnerSpec: volumes: - name: kubeconfig-volume emptyDir: {} volumeMounts: - name: kubeconfig-volume mountPath: /home/burrito/.kube readOnly: true initContainers: - name: init-runner image: registry.domain.com/image:tag securityContext: runAsNonRoot: true runAsUser: 65532 # match USER from Dockerfile runAsGroup: 65532 # match USER from Dockerfile command: - 'sh' - '-c' - 'generate-kube-config --output=/.kube/config' envFrom: - secretRef: name: kube-secrets volumeMounts: - mountPath: /.kube name: kubeconfig-volume ``` -------------------------------- ### Install Burrito using Helm Source: https://github.com/padok-team/burrito/blob/main/docs/getting-started.md Install Burrito into your Kubernetes cluster using Helm. This command deploys Burrito services into the 'burrito-system' namespace and applies your custom configurations from values.yaml. ```bash helm install burrito oci://ghcr.io/padok-team/charts/burrito --create-namespace -n burrito-system -f ./values.yaml ``` -------------------------------- ### Build and Deploy Burrito to Kind Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Builds a local Docker image of Burrito, loads it into the Kind cluster, and installs Burrito using Helm with development values. This is a key step for local development. ```bash make upgrade-dev-kind ``` -------------------------------- ### Global Sync Windows in Burrito Configuration Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/sync-windows.md This example shows how to define default sync windows in the Burrito configuration, which apply to all Burrito reconciliation runs. It is useful for setting universal time restrictions. ```yaml config: burrito: controller: # -- Default sync windows for layer reconciliation defaultSyncWindows: - kind: allow schedule: "0 8 * * *" duration: "12h" layers: - "layer1" - "layer2" actions: - "plan" - "apply" - kind: deny schedule: "30 1 * * *" duration: "30m" layers: - "layer*" actions: - "apply" ``` -------------------------------- ### Describe TerraformRepository Resource Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/repository-controller.md Get detailed information about a specific TerraformRepository resource to aid in troubleshooting. ```bash kubectl describe terraformrepository -n ``` -------------------------------- ### Convert Basic Authentication Secret (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old Kubernetes Secret format for Basic Authentication. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: Opaque stringData: username: "my-username" password: "my-password" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Verify Burrito Pods Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md Check the status of Burrito pods in the `burrito-system` namespace to ensure the installation was successful and all components are running. ```bash kubectl get pods -n burrito-system ``` -------------------------------- ### Convert Basic Authentication Secret (New Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the new Kubernetes Secret format for Basic Authentication, specifying 'standard' as the provider. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: standard url: https://git.example.com/owner/repo # Add the actual repository URL here username: "my-username" password: "my-password" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Configure Basic Tenants Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/multi-tenant-architecture.md Define tenant configurations including namespace creation and service accounts in the Helm chart's values.yaml. This setup isolates tenant resources into separate Kubernetes namespaces. ```yaml tenants: - namespace: create: true name: tenant-namespace-1 serviceAccounts: - name: runner-project - namespace: create: true name: tenant-namespace-2 serviceAccounts: - name: runner-project - namespace: create: true name: tenant-namespace-3 serviceAccounts: - name: runner-project ``` -------------------------------- ### TerraformLayer Remediation Strategy Example Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/remediation-strategy.md Configure automatic apply and retry attempts for Terraform drift. Use `autoApply: true` with caution as this feature is experimental. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformLayer metadata: name: random-pets-terragrunt spec: remediationStrategy: autoApply: true onError: maxRetries: 3 # ... snipped ... ``` -------------------------------- ### Get Events for TerraformRepository Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/repository-controller.md List events related to a specific TerraformRepository resource to diagnose problems. ```bash kubectl get events -n --field-selector involvedObject.name= ``` -------------------------------- ### Convert SSH Authentication Secret (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old Kubernetes Secret format for SSH Authentication. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: Opaque stringData: sshPrivateKey: | -----BEGIN OPENSSH PRIVATE KEY----- my-private-key -----END OPENSSH PRIVATE KEY----- webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Convert GitHub Token Authentication Secret (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old Kubernetes Secret format for GitHub Token authentication. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: Opaque stringData: githubToken: "github_pat_xxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Convert GitLab Token Authentication Secret (New Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the new Kubernetes Secret format for GitLab Token authentication, specifying 'gitlab' as the provider. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: gitlab url: https://gitlab.com/owner/repo # Add the actual repository URL here gitlabToken: "glpat-xxxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Convert GitLab Token Authentication Secret (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old Kubernetes Secret format for GitLab Token authentication. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: Opaque stringData: gitlabToken: "glpat-xxxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Convert GitHub App Authentication Secret (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old Kubernetes Secret format for GitHub App authentication. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: Opaque stringData: githubAppId: "123456" githubAppInstallationId: "12345678" githubAppPrivateKey: | -----BEGIN RSA PRIVATE KEY----- my-private-key -----END RSA PRIVATE KEY----- webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Convert GitHub Token Authentication Secret (New Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the new Kubernetes Secret format for GitHub Token authentication, specifying 'github' as the provider. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: github url: https://github.com/owner/repo # Add the actual repository URL here githubToken: "github_pat_xxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Default values.yaml for Burrito Installation Source: https://github.com/padok-team/burrito/blob/main/docs/getting-started.md Configure Burrito's settings, including storage options and tenant details, by modifying this default values.yaml file. Set 'config.burrito.datastore.storage.mock' to true to test without remote storage. ```yaml config: burrito: datastore: storage: mock: true tenants: - namespace: create: true name: "burrito-project-1" serviceAccounts: - name: "runner-project-1" ``` -------------------------------- ### Convert SSH Authentication Secret (New Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the new Kubernetes Secret format for SSH Authentication, specifying 'standard' as the provider. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: standard url: git@git.example.com:owner/repo # Add the actual repository URL here sshPrivateKey: | -----BEGIN OPENSSH PRIVATE KEY----- my-private-key -----END OPENSSH PRIVATE KEY----- webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Retrieve Basic Authentication Password Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/user-authentication.md Get the base64-decoded password for the 'admin' user from the Kubernetes secret. This is used for Basic Authentication. ```bash kubectl -n get secret burrito-admin-credentials \ -o jsonpath="{.data.password}" | base64 --decode ``` -------------------------------- ### Convert GitHub App Authentication Secret (New Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the new Kubernetes Secret format for GitHub App authentication, including the 'credentials.burrito.tf/repository' type and updated field names. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: github url: https://github.com/owner/repo # Add the actual repository URL here githubAppID: "123456" # Note the change from githubAppId to githubAppID githubAppInstallationID: "12345678" # Note the change from githubAppInstallationId to githubAppInstallationID githubAppPrivateKey: | -----BEGIN RSA PRIVATE KEY----- my-private-key -----END RSA PRIVATE KEY----- webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Repository-specific credential for GitHub using GitHub App Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-authentication.md Configure repository-specific credentials for GitHub using a GitHub App. Requires App ID, Installation ID, and private key. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: github url: https://github.com/my-org/my-repo githubAppID: "123456" githubAppInstallationID: "12345678" githubAppPrivateKey: | -----BEGIN RSA PRIVATE KEY----- my-private-key -----END RSA PRIVATE KEY----- webhookSecret: "my-webhook-secret" ``` -------------------------------- ### TerraformRepository with Runner Overrides Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/override-runner.md Configure default runner pod specifications for all linked TerraformLayers at the repository level. This example sets image pull secrets, tolerations, node selector, and service account name. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: burrito namespace: burrito spec: repository: url: https://github.com/padok-team/burrito terraform: enabled: true overrideRunnerSpec: imagePullSecrets: - name: ghcr-creds tolerations: - effect: NoSchedule key: burrito.io/production operator: Exists nodeSelector: production: "true" serviceAccountName: "production" ``` -------------------------------- ### Configure OIDC Authentication Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/user-authentication.md Enable and configure OpenID Connect (OIDC) for user authentication in Burrito. This is the recommended production setup. Ensure the client secret is stored in a Kubernetes secret named 'burrito-oidc-client-secret'. ```yaml config: burrito: server: oidc: enabled: true # Enable OIDC issuerUrl: # e.g. https://accounts.example.com clientId: redirectUrl: "https:///auth/callback" scopes: - "openid" - "profile" - "email" ... server: deployment: envFrom: - secretRef: name: burrito-oidc-client-secret ``` -------------------------------- ### Build and Deploy Debug Image to Kind Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Build a new local debug image of Burrito, push it to your local Kind cluster, and update the Helm release with the new image tag. ```bash make upgrade-debug-kind ``` -------------------------------- ### Build Docker Production Image Source: https://github.com/padok-team/burrito/blob/main/ui/README.md Builds a Docker image for the Burrito UI. Set the TAG and BURRITO_API_BASE_URL environment variables before running. ```bash TAG=latest # or any other tag BURRITO_API_BASE_URL=https://burrito.example.cloud/api # or any other API base URL docker build -t burrito-ui:$TAG --build-arg API_BASE_URL=$BURRITO_API_BASE_URL . ``` -------------------------------- ### Update TerraformRepository Resource (Old Format) Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Example of the old TerraformRepository resource referencing a secretName. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com/owner/repo secretName: burrito-repo # This reference is no longer needed terraform: enabled: true ``` -------------------------------- ### PromQL: Get All Layers in Error State Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Retrieve all Terraform layers that are currently in an error state. ```promql # Get all layers in error state burrito_terraform_layer_status{status="error"} ``` -------------------------------- ### Check Repository Controller Logs Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/repository-controller.md Retrieve logs from the Burrito controller pod to troubleshoot issues with the Repository Controller. ```bash kubectl logs -n deployment/burrito-controller -c controller ``` -------------------------------- ### Get TerraformPullRequest Status Source: https://github.com/padok-team/burrito/blob/main/docs/guides/pr-mr-workflow.md This command retrieves the status of TerraformPullRequest resources within the specified namespace. ```bash kubectl get pr -n burrito-project ``` -------------------------------- ### Burrito Pods Running Status Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md This output confirms that the Burrito controller, datastore, and server pods are running in the `burrito-system` namespace, indicating a successful deployment. ```text NAME READY STATUS RESTARTS AGE burrito-controllers-6945797c5d-kjfl2 1/1 Running 0 2m00s burrito-datastore-94d999f54-kbg9z 1/1 Running 0 2m00s burrito-server-764f75766b-qw5nx 1/1 Running 0 2m00s ``` -------------------------------- ### Get TerraformRepository Status Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/repository-controller.md Use kubectl to retrieve the YAML status of a TerraformRepository resource in a specific namespace. ```bash kubectl get terraformrepository -n -o yaml ``` -------------------------------- ### PromQL: Get Specific Layer Status Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Retrieve the status of a specific Terraform layer identified by namespace and layer name. ```promql # Get specific layer status burrito_terraform_layer_status{namespace="production", layer_name="app-infrastructure"} ``` -------------------------------- ### PromQL: Get Layers Needing Attention Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Identify Terraform layers that require attention due to a warning or error status. ```promql # Get layers that need attention (warning or error) burrito_terraform_layer_status{status=~"warning|error"} ``` -------------------------------- ### Datastore Storage Configuration Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/datastore.md Configure the Datastore storage backend using YAML. Supports encryption, mock storage, S3, GCS, and Azure. ```yaml config: burrito: datastore: storage: encryption: enabled: # default: false mock: # default: false s3: bucket: usePathStyle: # default: false gcs: bucket: azure: storageAccount: container: ``` -------------------------------- ### PromQL: Run Creation Rate Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Calculate the rate of new Burrito runs being created per second over the last 5 minutes. ```promql # Run creation rate (runs per second over last 5 minutes) rate(burrito_runs_created_total[5m]) ``` -------------------------------- ### PromQL: Get Layers by State Needing Attention Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Identify Terraform layers that require attention due to a warning or error state. ```promql # Get layers that need attention (warning or error) burrito_terraform_layer_state{state=~"warning|error"} ``` -------------------------------- ### Enable Controller Ingress Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Enable the controller ingress in your Helm values to expose the metrics endpoint externally. This is the recommended approach for production environments. ```yaml controllers: ingress: enabled: true host: burrito-controllers.example.com ``` -------------------------------- ### Show Default Helm Chart Values Source: https://github.com/padok-team/burrito/blob/main/docs/installation/with-helm.md Retrieves and displays the default configuration values for the Burrito Helm chart. Useful for understanding available configuration options. ```bash helm show values oci://ghcr.io/padok-team/charts/burrito ``` -------------------------------- ### Get TerraformLayer Status Source: https://github.com/padok-team/burrito/blob/main/docs/guides/pr-mr-workflow.md This command retrieves the status of TerraformLayer resources, showing their state, associated repository, branch, path, and last result. ```bash kubectl get tfl -n burrito-project ``` -------------------------------- ### Shared credential for all repositories on gitlab.example.com Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-authentication.md Configure a shared credential for all repositories hosted on a specific GitLab instance. This secret is shared across all tenants by default. ```yaml apiVersion: v1 kind: Secret metadata: name: gitlab-shared-credentials namespace: burrito-system # 👇 by default this secret is shared with all tenants type: credentials.burrito.tf/shared stringData: provider: gitlab url: https://gitlab.example.com gitlabToken: "glpat-xxxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Enable Datastore Encryption Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/datastore.md Enable encryption for data at rest in the Datastore. Requires setting `encryption.enabled` and providing an encryption key via environment variable. ```yaml config: burrito: datastore: storage: encryption: enabled: true datastore: deployment: envFrom: - secretRef: name: burrito-datastore-encryption-key ``` -------------------------------- ### Decrypt Datastore File with OpenSSL Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/datastore.md Decrypt an encrypted file from the Datastore using OpenSSL. Requires the Initialization Vector (IV) and the derived key hash. ```bash # Extract the first 16 bytes (IV) as hex IV_HEX=$(xxd -l 16 -p plan.json) # derivate your key with sha256 KEY_HASH=$(echo -n "your-encryption-key" | sha256sum | cut -d' ' -f1) # decrypt the file openssl enc -aes-256-cbc -d -in plan.json -K "${KEY_HASH}" -iv "${IV_HEX}" ``` -------------------------------- ### Check Burrito Controller Logs Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Inspect the logs of the Burrito controller to verify that credentials are being detected and processed correctly. This is a crucial step for diagnosing issues after migration. ```bash kubectl logs -n your-namespace deployment/burrito-controller -c controller ``` -------------------------------- ### Repository-Specific Git Credentials Secret Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-authentication.md Example of a Kubernetes Secret for repository-specific Git credentials. This secret is tied to a single repository URL in a specific namespace and uses the `credentials.burrito.tf/repository` type. ```yaml apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: default type: credentials.burrito.tf/repository stringData: provider: github url: https://github.com/padok-team/burrito-examples githubToken: "github_pat_xxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Configure Service Accounts with Additional Role Bindings and Cloud Annotations Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/multi-tenant-architecture.md Configure service accounts within tenant namespaces, including additional Kubernetes role bindings for custom permissions and cloud-specific annotations for IAM roles (GKE and EKS). ```yaml - namespace: create: true name: tenant-namespace-1 serviceAccounts: - name: runner-kubernetes additionalRoleBindings: - name: custom role: kind: ClusterRole name: custom-role - name: runner-google labels: app.kubernetes.io/part-of: project-1 annotations: iam.gke.io/gcp-service-account: burrito-project-1@company-project.iam.gserviceaccount.com - name: runner-aws annotations: eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-role ``` -------------------------------- ### Define TerraformLayer and TerraformRepository Resources Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Creates custom Kubernetes resources for Burrito to manage Terraform configurations. `TerraformLayer` defines the branch and path, while `TerraformRepository` specifies the Git repository URL. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformLayer metadata: name: my-layer namespace: burrito-project spec: branch: main path: terraform/ repository: name: my-repository namespace: burrito-project --- apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com/padok-team/burrito-examples remediationStrategy: autoApply: true terraform: enabled: true opentofu: enabled: false terragrunt: enabled: false ``` -------------------------------- ### Shared Git Credentials Secret with Namespace Restriction Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-authentication.md Example of a Kubernetes Secret for shared Git credentials that can be used across multiple repositories. It includes an annotation to restrict its use to specific namespaces (`burrito.tf/allowed-tenants`). ```yaml apiVersion: v1 kind: Secret metadata: name: github-shared-credentials namespace: burrito-system annotations: burrito.tf/allowed-tenants: "team-a,team-b" type: credentials.burrito.tf/shared stringData: provider: github url: github.com githubToken: "github_pat_xxx" webhookSecret: "my-webhook-secret" ``` -------------------------------- ### Add Custom Service Account to Datastore Configuration Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/encrypt-endpoint.md Configure additional service accounts for datastore access by updating Helm values. ```yaml config: burrito: datastore: serviceAccounts: - burrito-project/burrito-runner - burrito-system/burrito-controllers - burrito-system/burrito-server - burrito-system/your-custom-service-account # Add custom accounts here ``` -------------------------------- ### Configure GitHub Token for TENV Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Appends a configuration to `TerraformRepository` resources to set the `TENV_GITHUB_TOKEN` environment variable. This is recommended to bypass GitHub API rate limiting during development. ```yaml overrideRunnerSpec: env: - name: TENV_GITHUB_TOKEN value: ghp_xxxxx ``` -------------------------------- ### Repository-Specific GitHub App Credentials Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/git-authentication/github-app.md Configure Burrito to use a GitHub App for a specific repository by creating a Kubernetes Secret. This secret should contain the provider, repository URL, webhook secret, GitHub App ID, Installation ID, and the private key. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com/owner/repo terraform: enabled: true --- apiVersion: v1 kind: Secret metadata: name: burrito-repo namespace: burrito-project type: credentials.burrito.tf/repository stringData: provider: github url: https://github.com/owner/repo webhookSecret: "my-webhook-secret" githubAppID: "123456" githubAppInstallationID: "12345678" githubAppPrivateKey: | -----BEGIN RSA PRIVATE KEY----- my-private-key -----END RSA PRIVATE KEY----- ``` -------------------------------- ### Identify Existing Secret References Source: https://github.com/padok-team/burrito/blob/main/docs/migration-guides/new-credential-system.md Use this command to list all TerraformRepository resources across all namespaces and display their associated secret names. ```bash kubectl get terraformrepositories --all-namespaces -o custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,SECRET:.spec.repository.secretName ``` -------------------------------- ### Configure TerraformRepository Source: https://github.com/padok-team/burrito/blob/main/docs/guides/pr-mr-workflow.md This YAML defines the TerraformRepository resource, pointing to your forked GitHub repository for Burrito to manage. ```yaml apiVersion: config.terraform.padok.cloud/v1alpha1 kind: TerraformRepository metadata: name: my-repository namespace: burrito-project spec: repository: url: https://github.com//burrito-examples terraform: enabled: true ``` -------------------------------- ### Generate Encryption Key Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/datastore.md Generate a 32-byte random hexadecimal encryption key using OpenSSL. ```bash openssl rand -hex 32 ``` -------------------------------- ### Apply TerraformRepository Resource Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md Apply a TerraformRepository resource to connect Burrito to your Terraform code on GitHub. This resource specifies the repository URL and enables Terraform processing. ```bash kubectl apply -f https://raw.githubusercontent.com/padok-team/burrito/main/docs/examples/terraform-repository.yaml ``` -------------------------------- ### PromQL: Count Layers by Repository Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Aggregate and count Terraform layers based on their associated repository name. ```promql # Get layers by repository sum by (repository_name) (burrito_terraform_layer_status) ``` -------------------------------- ### Customize Tenant Namespace Labels and Annotations Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/multi-tenant-architecture.md Customize Kubernetes namespaces for tenants by adding labels and annotations in the Helm chart's values.yaml. This allows for finer-grained resource management and policy enforcement. ```yaml tenants: - namespace: create: true name: tenant-namespace-1 labels: app.kubernetes.io/part-of: project-1 annotations: helm.sh/resource-policy: keep ``` -------------------------------- ### Kubernetes ConfigMap for Git Configuration Source: https://github.com/padok-team/burrito/blob/main/docs/user-guide/private-modules.md Create a Kubernetes ConfigMap to configure the Git credential helper. This ensures that Git uses the stored credentials when accessing private repositories. ```yaml apiVersion: v1 kind: ConfigMap metadata: name: gitconfig data: .gitconfig: | [credential] helper = store ``` -------------------------------- ### Burrito Helm Chart Values Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md This YAML configuration sets up Burrito with specific timers for drift detection, error handling, and layer locking. It also configures mock storage for the datastore, which is useful for testing. ```yaml config: burrito: controller: timers: driftDetection: 10m # run drift detection every 10 minutes onError: 10s # wait 10 seconds before retrying on error waitAction: 1m # wait 1 minute before retrying on locked layer failureGracePeriod: 30s # set a grace period of 30 seconds before retrying on failure (increases exponentially with the amount of failed retries) datastore: storage: mock: true # use a mock storage for the datastore (useful for testing, not recommended for production) tenants: - namespace: create: true name: "burrito-project" ``` -------------------------------- ### POST /api/encrypt Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/encrypt-endpoint.md Encrypts all files in the datastore. This is useful for migrating from unencrypted to encrypted storage. ```APIDOC ## POST /api/encrypt ### Description Encrypts all files in the datastore, migrating from unencrypted to encrypted storage. The process skips files that are already encrypted. ### Method POST ### Endpoint /api/encrypt ### Parameters #### Request Body - **encryptionKey** (string) - Required - The encryption key that must match the server's configured encryption key. ### Request Example ```json { "encryptionKey": "your-encryption-key" } ``` ### Response #### Success Response (200 OK) - **message** (string) - Indicates the encryption process is complete. - **filesEncrypted** (integer) - The number of files successfully encrypted. - **errors** (array) - An empty array if no errors occurred. #### Partial Success Response (206 Partial Content) - **message** (string) - Indicates the encryption process is complete with some errors. - **filesEncrypted** (integer) - The number of files successfully encrypted. - **errors** (array) - A list of errors encountered during the encryption of specific files. #### Error Responses - **400 Bad Request**: Missing encryption key in request body or encryption not enabled in configuration. - **401 Unauthorized**: Invalid encryption key (does not match server configuration). - **500 Internal Server Error**: No encryption key configured on the server. ``` -------------------------------- ### Prometheus Scrape Configuration (Ingress) Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Configure Prometheus to scrape metrics via an ingress endpoint when using the ingress approach. ```yaml scrape_configs: - job_name: 'burrito-controllers' static_configs: - targets: ['burrito-controllers-metrics.example.com'] scheme: https metrics_path: '/metrics' scrape_interval: 30s ``` -------------------------------- ### VS Code Debug Configurations Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md This JSON configuration file is used by VS Code to attach to Go applications running remotely. It defines multiple configurations for attaching to different services (Controller, Runner, Datastore, Server) on specific ports. ```json { "version": "0.2.0", "configurations": [ { "name": "Attach to Controller", "type": "go", "request": "attach", "mode": "remote", "port": 2345, "host": "127.0.0.1", "apiVersion": 2 }, { "name": "Attach to Runner", "type": "go", "request": "attach", "mode": "remote", "port": 2346, "host": "127.0.0.1", "apiVersion": 2 }, { "name": "Attach to Datastore", "type": "go", "request": "attach", "mode": "remote", "port": 2347, "host": "127.0.0.1", "apiVersion": 2 }, { "name": "Attach to Server", "type": "go", "request": "attach", "mode": "remote", "port": 2348, "host": "127.0.0.1", "apiVersion": 2 } ] } ``` -------------------------------- ### Port-Forward Datastore Debug Session Source: https://github.com/padok-team/burrito/blob/main/docs/contributing.md Forward the datastore's debugging port (2347) from the pod to your local machine to enable debugging. ```bash kubectl port-forward $(kubectl get pods -n burrito-system | awk '/burrito-datastore.*Running/{print $1}') -n burrito-system 2347:2347 ``` -------------------------------- ### Port Forward to Burrito Server Source: https://github.com/padok-team/burrito/blob/main/docs/guides/iac-drift-detection.md Establish a port-forward connection to the Burrito service in the burrito-system namespace. This allows access to the Burrito UI or API for monitoring. ```bash kubectl port-forward svc/burrito-server -n burrito-system 8080:80 ``` -------------------------------- ### Prometheus Scrape Configuration (Direct) Source: https://github.com/padok-team/burrito/blob/main/docs/operator-manual/metrics.md Configure Prometheus to scrape metrics directly from the burrito-controllers service. ```yaml scrape_configs: - job_name: 'burrito-controllers' static_configs: - targets: ['burrito-controllers:8080'] metrics_path: '/metrics' scrape_interval: 30s ```