Merge branch 'flux-iac:main' into update-helm-docs

.dockerignore

@@ -2,3 +2,6 @@
 # Ignore build and test binaries.
 bin/
 testbin/
+!bin/tf-runner
+!bin/tofu-controller
+!bin/branch-planner

.github/workflows/e2e.yaml

@@ -58,16 +58,16 @@ jobs:
  echo 'run make test and commit changes'
  exit 1
  fi
- - name: Build the tf-controller container image
+ - name: Build the tofu-controller container image
  run: |
  VERSION="e2e-${GITHUB_SHA::8}"
  docker buildx use default
- make docker-buildx MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=$VERSION
+ make docker-buildx MANAGER_IMG=test/tofu-controller RUNNER_IMG=test/tf-runner TAG=$VERSION
  - name: Load test images into KIND
  run: |
  VERSION="e2e-${GITHUB_SHA::8}"
 
- kind load docker-image test/tf-controller:$VERSION
+ kind load docker-image test/tofu-controller:$VERSION
  kind load docker-image test/tf-runner:$VERSION
  - name: Install CRDs
  run: make install
@@ -79,17 +79,17 @@ jobs:
  yq -i e ".spec.template.spec.containers[0].env[1].value=\"test/tf-runner:$VERSION\"" config/manager/manager.yaml
 
  # Dev deploy - do it twice to make sure the CRDs get in first
- make dev-deploy MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=$VERSION || true
- make dev-deploy MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=$VERSION
+ make dev-deploy MANAGER_IMG=test/tofu-controller RUNNER_IMG=test/tf-runner TAG=$VERSION || true
+ make dev-deploy MANAGER_IMG=test/tofu-controller RUNNER_IMG=test/tf-runner TAG=$VERSION
 
  # All of these old cert would be cleaned up by GC at the start of the test
- kubectl -n tf-system apply -f config/testdata/gc-old-certs/test.yaml
+ kubectl -n tofu-system apply -f config/testdata/gc-old-certs/test.yaml
 
  # Increase the concurrency of the controller to speed up tests
  # --cert-rotation-check-frequency=6m0s, then GC will run every 1 minute
  kubectl patch deployment \
- tf-controller \
- --namespace tf-system \
+ tofu-controller \
+ --namespace tofu-system \
  --type='json' \
  -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [
  "--watch-all-namespaces",
@@ -100,71 +100,71 @@ jobs:
  "--cert-rotation-check-frequency=6m0s",
  ]}]'
 
- kubectl -n tf-system rollout status deploy/source-controller --timeout=1m
- kubectl -n tf-system rollout status deploy/tf-controller --timeout=1m
+ kubectl -n tofu-system rollout status deploy/source-controller --timeout=1m
+ kubectl -n tofu-system rollout status deploy/tofu-controller --timeout=1m
  - name: Get terraform version
  run: |
- # Terraform binary will be moved from the TF-controller image to TF-runner, so we check TF's version there
+ # Terraform binary will be moved from the ToFu-controller image to TF-runner, so we check TF's version there
  VERSION="e2e-${GITHUB_SHA::8}"
  docker run --rm --entrypoint=/usr/local/bin/terraform test/tf-runner:$VERSION version
  - name: Add git repository source
  run: |
- kubectl -n tf-system apply -f ./config/testdata/source
- kubectl -n tf-system wait gitrepository/helloworld --for=condition=ready --timeout=4m
- kubectl -n tf-system wait ocirepository/helloworld-oci --for=condition=ready --timeout=4m
+ kubectl -n tofu-system apply -f ./config/testdata/source
+ kubectl -n tofu-system wait gitrepository/helloworld --for=condition=ready --timeout=4m
+ kubectl -n tofu-system wait ocirepository/helloworld-oci --for=condition=ready --timeout=4m
  - name: Run approvePlan tests
  run: |
- kubectl -n tf-system apply -f ./config/testdata/approve-plan
- kubectl -n tf-system wait terraform/helloworld-auto-approve --for=condition=ready --timeout=4m
- kubectl -n tf-system wait terraform/helloworld-oci-auto-approve --for=condition=ready --timeout=4m
- kubectl -n tf-system wait terraform/helloworld-manual-approve --for=condition=plan=true --timeout=4m
+ kubectl -n tofu-system apply -f ./config/testdata/approve-plan
+ kubectl -n tofu-system wait terraform/helloworld-auto-approve --for=condition=ready --timeout=4m
+ kubectl -n tofu-system wait terraform/helloworld-oci-auto-approve --for=condition=ready --timeout=4m
+ kubectl -n tofu-system wait terraform/helloworld-manual-approve --for=condition=plan=true --timeout=4m
 
  # delete after tests
- kubectl -n tf-system delete -f ./config/testdata/approve-plan
+ kubectl -n tofu-system delete -f ./config/testdata/approve-plan
  - name: Run plan with pod cleanup tests
  run: |
- kubectl -n tf-system apply -f ./config/testdata/always-clean-pod
- kubectl -n tf-system wait terraform/helloworld-always-clean-pod-manual-approve --for=condition=plan=true --timeout=4m
+ kubectl -n tofu-system apply -f ./config/testdata/always-clean-pod
+ kubectl -n tofu-system wait terraform/helloworld-always-clean-pod-manual-approve --for=condition=plan=true --timeout=4m
 
  # negate pod not found to be true
- ! kubectl -n tf-system get terraform/helloworld-always-clean-pod-manual-approve-tf-runner
+ ! kubectl -n tofu-system get terraform/helloworld-always-clean-pod-manual-approve-tf-runner
 
  # delete after tests
- kubectl -n tf-system delete -f ./config/testdata/always-clean-pod
+ kubectl -n tofu-system delete -f ./config/testdata/always-clean-pod
  - name: Run drift detection tests
  run: |
- kubectl -n tf-system apply -f ./config/testdata/drift-detection
+ kubectl -n tofu-system apply -f ./config/testdata/drift-detection
 
  # apply should be true first
- kubectl -n tf-system wait terraform/helloworld-drift-detection --for=condition=apply=true --timeout=4m
+ kubectl -n tofu-system wait terraform/helloworld-drift-detection --for=condition=apply=true --timeout=4m
 
  # patch .spec.approvePlan to "disable"
- kubectl -n tf-system patch terraform/helloworld-drift-detection -p '{"spec":{"approvePlan":"disable"}}' --type=merge
- kubectl -n tf-system wait terraform/helloworld-drift-detection --for=condition=ready=true --timeout=4m
+ kubectl -n tofu-system patch terraform/helloworld-drift-detection -p '{"spec":{"approvePlan":"disable"}}' --type=merge
+ kubectl -n tofu-system wait terraform/helloworld-drift-detection --for=condition=ready=true --timeout=4m
 
  # disable drift detection
  # the object should work correctly
- kubectl -n tf-system wait terraform/helloworld-drift-detection-disable --for=condition=ready --timeout=4m
+ kubectl -n tofu-system wait terraform/helloworld-drift-detection-disable --for=condition=ready --timeout=4m
 
  # delete after tests
- kubectl -n tf-system delete -f ./config/testdata/drift-detection
+ kubectl -n tofu-system delete -f ./config/testdata/drift-detection
  - name: Run healthchecks tests
  run: |
- kubectl -n tf-system apply -f ./config/testdata/healthchecks
- kubectl -n tf-system wait terraform/helloworld-healthchecks --for=condition=ready --timeout=4m
+ kubectl -n tofu-system apply -f ./config/testdata/healthchecks
+ kubectl -n tofu-system wait terraform/helloworld-healthchecks --for=condition=ready --timeout=4m
 
  # delete after tests
- kubectl -n tf-system delete -f ./config/testdata/healthchecks
+ kubectl -n tofu-system delete -f ./config/testdata/healthchecks
  - name: Run vars tests
  run: |
- kubectl -n tf-system apply -f ./config/testdata/vars
- kubectl -n tf-system wait terraform/helloworld-vars --for=condition=ready --timeout=4m
+ kubectl -n tofu-system apply -f ./config/testdata/vars
+ kubectl -n tofu-system wait terraform/helloworld-vars --for=condition=ready --timeout=4m
 
  # delete after tests
- kubectl -n tf-system delete -f ./config/testdata/vars
+ kubectl -n tofu-system delete -f ./config/testdata/vars
  - name: Run multi-tenancy test
  run: |
- kubectl -n tf-system scale --replicas=3 deploy/tf-controller
+ kubectl -n tofu-system scale --replicas=3 deploy/tofu-controller
  kustomize build ./config/testdata/multi-tenancy/tenant01 | kubectl apply -f -
  kustomize build ./config/testdata/multi-tenancy/tenant02 | kubectl apply -f -
  kubectl -n tf-tenant01-dev wait terraform/helloworld-tenant01-dev --for=condition=ready --timeout=4m
@@ -190,7 +190,7 @@ jobs:
 
  - name: Set up chaos testing environment
  run: |
- kubectl -n tf-system scale --replicas=0 deploy/tf-controller
+ kubectl -n tofu-system scale --replicas=0 deploy/tofu-controller
  sleep 3
 
  kubectl -n chaos-testing apply -f ./config/testdata/chaos
@@ -199,7 +199,7 @@ jobs:
  # Set up namespace-scoped old certs for GC
  kubectl -n chaos-testing apply -f ./config/testdata/gc-old-certs/test.yaml
 
- kubectl -n tf-system scale --replicas=1 deploy/tf-controller
+ kubectl -n tofu-system scale --replicas=1 deploy/tofu-controller
 
  sleep 10
  - name: Randomly delete runner pods
@@ -232,32 +232,32 @@ jobs:
  (kubectl get secret terraform-runner.tls-8 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
  (kubectl get secret terraform-runner.tls-9 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
 
- (kubectl get secret terraform-runner.tls-0 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-1 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-2 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-3 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-4 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-5 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-6 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-7 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-8 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
- (kubectl get secret terraform-runner.tls-9 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-0 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-1 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-2 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-3 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-4 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-5 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-6 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-7 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-8 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
+ (kubectl get secret terraform-runner.tls-9 -n tofu-system >/dev/null 2>&1 && exit 1 || exit 0)
 
  echo "All tests are true, all of the old secrets were GCed."
  - name: Logs
  run: |
- kubectl -n tf-system logs deploy/source-controller
- kubectl -n tf-system logs deploy/tf-controller
+ kubectl -n tofu-system logs deploy/source-controller
+ kubectl -n tofu-system logs deploy/tofu-controller
  - name: Debug failure
  if: failure()
  run: |
  which kubectl
  kubectl version
  kustomize version
- kubectl -n tf-system logs deploy/source-controller
- kubectl -n tf-system logs deploy/tf-controller
+ kubectl -n tofu-system logs deploy/source-controller
+ kubectl -n tofu-system logs deploy/tofu-controller
 
- ns=(tf-system tf-tenant01-dev tf-tenant01-prd tf-tenant02-dev tf-tenant02-prd chaos-testing)
+ ns=(tofu-system tf-tenant01-dev tf-tenant01-prd tf-tenant02-dev tf-tenant02-prd chaos-testing)
  for n in "${ns[@]}"
  do
  kubectl -n $n get gitrepositories -oyaml 

.github/workflows/release.yaml

@@ -194,7 +194,7 @@ jobs:
  kustomize build ./config/rbac > ./config/release/${{ env.CONTROLLER }}.rbac.yaml
  kustomize build ./config/manager | yq e '.spec.template.spec.containers[0].env[1].value="ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}"' - > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
  kustomize build ./config/package > ./config/release/${{ env.CONTROLLER }}.packages.yaml
- echo '[CHANGELOG](https://github.com/weaveworks/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
+ echo '[CHANGELOG](https://github.com/flux-iac/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
  - name: Setup Go
  uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
  with:

.github/workflows/scan.yaml

@@ -46,13 +46,13 @@ jobs:
  steps:
  - name: Checkout code
  uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- - name: Build tf-controller image
+ - name: Build tofu-controller image
  run: |
  make docker-buildx
  - name: Run Trivy vulnerability scanner on controller image
  uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
  with:
- image-ref: 'ghcr.io/flux-iac/tf-controller:latest'
+ image-ref: 'ghcr.io/flux-iac/tofu-controller:latest'
  format: 'table'
  exit-code: '1'
  ignore-unfixed: true

.goreleaser.yml

@@ -15,8 +15,11 @@ builds:
  binary: tfctl
  env:
  - CGO_ENABLED=0
+ flags:
+ - -trimpath
  ldflags:
- - -X main.BuildSHA={{.ShortCommit}} -X main.BuildVersion={{.Tag}}
+ - -s -w
+ - -X main.BuildSHA={{.ShortCommit}} -X main.BuildVersion={{.Tag}}
  goos:
  - darwin
  - linux
@@ -67,13 +70,13 @@ brews:
  ids:
  - tfctl
  tap:
- owner: weaveworks
+ owner: flux-iac
  name: homebrew-tap
  token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
  commit_author:
- name: weaveworksbot
- email: team+gitbot@weave.works
+ name: flux-iac
+ email: noreply@github.com
  folder: Formula
- homepage: https://weaveworks.github.io/tf-controller
+ homepage: https://flux-iac.github.io/tofu-controller
  install: |
  bin.install "tfctl"

CHANGELOG.md

@@ -2,6 +2,44 @@
 
 All notable changes of this project are documented in this file.
 
+# v0.16.0-rc.4
+
+**Release date:** 2024-03-14
+
+This is the first release of the project after rebooting under its new name and organization: Tofu Controller, now part of the Flux-IaC organization. Fully driven by our community, Tofu Controller and Flux-IaC aim to help innovate the development of Infrastructure as Code (IaC) controllers for Flux.
+
+Thank you so much to our vibrant community, which propelled us to reach 1,000 stars on GitHub recently.
+
+With the renaming of the controller, our community has identified several breaking changes, although some may have been missed. The transition from Weave TF-Controller to Flux-IaC Tofu-Controller could be challenging. We advise:
+
+ * Backing up your Terraform states (tfstates)
+ * Setting `spec.destroyResourcesOnDeletion=false` to avoid unintentional resource deletion
+ * Pausing all Terraform CRs
+
+before doing the upgrade.
+
+**BREAKING CHANGES**
+
+ * The renaming of the controller.
+ * Reorganization of CRDs in the Helm Chart, which may lead to their uninstallation and reinstallation.
+
+New Features and Bug Fixing:
+
+ * Pass missing build arg TARGETARCH to docker-build.
+ * Implement BLOB encryption within the tf-runner.
+ * Add `tfvars` feature and API.
+ * Generate checksum for cache blobs.
+ * Implement remediation retry.
+ * Add unique hash to cloned source to avoid conflict.
+ * Speed up compiling of binaries.
+ * Added config for building tf-runner image and using it in helloworld example.
+ * Bump version in manifest used in user guide to reflect latest RC.
+ * Document a fix to "terraform objects stuck on deletion" issue.
+ * Fix docker build breaking due to LIBCRYPTO_VERSION.
+ * Fix issues surfaced around the polling server.
+ * Add documentation about IPv6 support.
+ * Update branch planner default configuration.
+
 # v0.16.0-rc.3
 
 **Release date:** 2023-09-19

DEVELOPMENT.md

@@ -150,7 +150,7 @@ Running the above will also deploy `source-controller` and its CRDs to the clust
 
 For realtime communications we use Slack: To join the conversation, simply join the [Weave Users](https://weave-community.slack.com/) Slack workspace and use the [#tf-controller](https://weave-community.slack.com/messages/tf-controller/) channel.
 
-To discuss ideas and specifications we use [Github Discussions](https://github.com/weaveworks/tf-controller/discussions).
+To discuss ideas and specifications we use [Github Discussions](https://github.com/flux-iac/tofu-controller/discussions).
 
 ## Acceptance policy
 

Dockerfile

@@ -32,11 +32,11 @@ COPY utils/ utils/
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
  go build -gcflags=all="-N -l" \
  -ldflags "-X main.BuildSHA='${BUILD_SHA}' -X main.BuildVersion='${BUILD_VERSION}'" \
- -a -o tf-controller ./cmd/manager
+ -a -o tofu-controller ./cmd/manager
 
-FROM alpine:3.18
+FROM alpine:3.19
 
-LABEL org.opencontainers.image.source="https://github.com/weaveworks/tf-controller"
+LABEL org.opencontainers.image.source="https://github.com/flux-iac/tofu-controller"
 
 ARG LIBCRYPTO_VERSION
 
@@ -48,12 +48,12 @@ RUN apk update && \
  libretls \
  busybox
 
-COPY --from=builder /workspace/tf-controller /usr/local/bin/
+COPY --from=builder /workspace/tofu-controller /usr/local/bin/
 
 RUN addgroup --gid 65532 -S controller && adduser --uid 65532 -S controller -G controller
 
 USER 65532:65532
 
 ENV GNUPGHOME=/tmp
 
-ENTRYPOINT [ "/sbin/tini", "--", "tf-controller" ]
+ENTRYPOINT [ "/sbin/tini", "--", "tofu-controller" ]

Dockerfile.dev

@@ -0,0 +1,23 @@
+FROM alpine:3.19
+
+LABEL org.opencontainers.image.source="https://github.com/flux-iac/tofu-controller"
+
+ARG LIBCRYPTO_VERSION
+
+RUN apk update && \
+ apk add --no-cache \
+ libcrypto3=${LIBCRYPTO_VERSION} \
+ libssl3=${LIBCRYPTO_VERSION} \
+ ca-certificates tini git openssh-client gnupg \
+ libretls \
+ busybox
+
+COPY bin/tofu-controller /usr/local/bin/
+
+RUN addgroup --gid 65532 -S controller && adduser --uid 65532 -S controller -G controller
+
+USER 65532:65532
+
+ENV GNUPGHOME=/tmp
+
+ENTRYPOINT [ "/sbin/tini", "--", "tofu-controller" ]

MAINTAINERS

@@ -1,5 +1,6 @@
-Chanwit Kaewkasi, Weaveworks <chanwit@weave.works> (github: @chanwit)
+Chanwit Kaewkasi <chanwit@gmail.com> (github: @chanwit)
 Balazs Nadasdi <efertone@pm.me> (github: @yitsushi)
+Tonni Follmann (github: @ilithanos)
 
 ### Emeritus Maintainers