feat(repository): use git bundles in runners + refactor credentials

api/v1alpha1/terraformrepository_types.go

@@ -41,8 +41,7 @@ type TerraformRepositorySpec struct {
 	SyncWindows             []SyncWindow                  `json:"syncWindows,omitempty"`
 }
 type TerraformRepositoryRepository struct {
-	Url        string `json:"url,omitempty"`
-	SecretName string `json:"secretName,omitempty"`
+	Url string `json:"url,omitempty"`
 }
 
 // TerraformRepositoryStatus defines the observed state of TerraformRepository

api/v1alpha1/terraformrun_types.go

@@ -38,6 +38,7 @@ type Artifact struct {
 type TerraformRunLayer struct {
 	Name      string `json:"name,omitempty"`
 	Namespace string `json:"namespace,omitempty"`
+	Revision  string `json:"revision,omitempty"`
 }
 
 // TerraformRunStatus defines the observed state of TerraformRun

cmd/controllers/start.go

@@ -28,11 +28,13 @@ func buildControllersStartCmd(app *burrito.App) *cobra.Command {
 	defaultWaitActionTimer, _ := time.ParseDuration("5s")
 	defaultFailureGracePeriod, _ := time.ParseDuration("15s")
 	defaultRepositorySyncTimer, _ := time.ParseDuration("5m")
+	defaultCredentialsTTL, _ := time.ParseDuration("2m")
 
 	cmd.Flags().StringSliceVar(&app.Config.Controller.Namespaces, "namespaces", []string{"burrito-system"}, "list of namespaces to watch")
-	cmd.Flags().StringArrayVar(&app.Config.Controller.Types, "types", []string{"layer", "run", "pullrequest"}, "list of controllers to start")
+	cmd.Flags().StringArrayVar(&app.Config.Controller.Types, "types", []string{"layer", "repository", "run", "pullrequest"}, "list of controllers to start")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.DriftDetection, "drift-detection-period", defaultDriftDetectionTimer, "period between two plans. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.RepositorySync, "repository-sync-period", defaultRepositorySyncTimer, "period between two repository sync. Must end with s, m or h.")
+	cmd.Flags().DurationVar(&app.Config.Controller.Timers.CredentialsTTL, "credentials-ttl", defaultCredentialsTTL, "default TTL for git providers credentials in controller's memory. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.OnError, "on-error-period", defaultOnErrorTimer, "period between two runners launch when an error occurred in the controllers. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.WaitAction, "wait-action-period", defaultWaitActionTimer, "period between two runners when a layer is locked. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.FailureGracePeriod, "failure-grace-period", defaultFailureGracePeriod, "initial time before retry, goes exponential function of number failure. Must end with s, m or h.")

deploy/charts/burrito/templates/rbac-server.yaml

@@ -89,3 +89,11 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+  - get

deploy/charts/burrito/values.yaml

@@ -25,7 +25,7 @@ config:
         # -- Duration to wait before retrying on locked layer
         waitAction: 10s
         # -- Duration to wait before retrying on failure (increases exponentially with the amount of failed retries)
-        failureGracePeriod: 30
+        failureGracePeriod: 15s
       # -- Default sync windows for layer reconciliation
       defaultSyncWindows: []
       # -- Maximum number of concurrent reconciles for the controller, increse this value if you have a lot of resources to reconcile
@@ -34,9 +34,8 @@ config:
       maxConcurrentRunnerPods: 0
       # -- Maximum number of retries for Terraform operations (plan, apply...)
       terraformMaxRetries: 3
-      # TODO: enable repository controller by default
-      # -- Resource types to watch for reconciliation. Note: by default repository controller is disabled as it is not yet fully usable.
-      types: ["layer", "run", "pullrequest"]
+      # -- Resource types to watch for reconciliation.
+      types: ["layer", "repository", "run", "pullrequest"]
       leaderElection:
         # -- Enable/Disable leader election
         enabled: true
@@ -86,7 +85,7 @@ config:
         repository: ghcr.io/padok-team/burrito
         tag: "" # By default use Chart's appVersion
         pullPolicy: Always
-      
+
       # -- Command to run in the Burrito runner container
       command: ["burrito"]
       # -- Arguments to pass to the Burrito runner container

docs/getting-started.md

@@ -63,12 +63,15 @@ Create a Kubernetes `Secret` to reference the necessary credentials to clone you
 <!-- markdownlint-enable MD046 -->
 
 ```yaml
+apiVersion: v1
 kind: Secret
 metadata:
   name: burrito-repo
   namespace: <tenant-namespace>
-type: Opaque
+type: credentials.burrito.tf/repository
 stringData:
+  provider: standard
+  url: <https-or-ssh-repository-url>
   username: <my-username>
   password: <my-password | my-access-token>
   sshPrivateKey: |
@@ -88,13 +91,12 @@ metadata:
 spec:
   repository:
     url: <https-or-ssh-repository-url>
-    secretName: burrito-repo
   terraform:
     enabled: true
 ```
 
 !!! info
-    You can also connect to a public repository by omitting `spec.repository.secretName` in your `TerraformRepository` definition.
+    You can also connect to a public repository without creating any credentials.
 
 ## 3. Synchronize a Terraform layer
 

docs/guides/pr-mr-workflow.md

@@ -25,12 +25,11 @@ spec:
     enabled: true
 ```
 
-You will also need to setup a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) to allow Burrito to comment on your PRs/MRs. Follow the instructions in the [PR/MR workflow](../operator-manual/pr-mr-workflow.md#configuration) section of the operator manual to set up the GitHub app.
+You will also need to setup a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) to allow Burrito to comment on your PRs/MRs. Follow the instructions in the [GitHub App](../operator-manual/git-authentication/github-app.md) section of the operator manual to set up the GitHub app.
 Make sure that you created a secret associated to your repository that include the GitHub app ID, installation ID, and private key.
 
 !!! note
-    You can also use a personal access token instead of a GitHub app. Your GitHub account will be used to comment on the PRs/MRs.
-    The secret should include the personal access token in the `githubToken` key.
+    You can also use a [personal access token](../operator-manual/git-authentication/github-token.md) instead of a GitHub app. Your GitHub account will be used to comment on the PRs/MRs.
 
 Now let's configure the GitHub webhook. Expose the `burrito-server` kubernetes service to the internet using the method of your choice. (for testing purposes on a local cluster, you can use `kubectl port-forward` and [ngrok](https://ngrok.com/) to expose the service to the internet).
 
@@ -47,18 +46,21 @@ metadata:
 spec:
   repository:
     url: https://github.com/<your-github-handle>/burrito-examples
-    secretName: burrito-secret
   terraform:
     enabled: true
 ---
+apiVersion: v1
 kind: Secret
 metadata:
   name: burrito-webhook-secret
   namespace: burrito-project
-type: Opaque
+type: credentials.burrito.tf/repository
 stringData:
-  githubAppId: "123456"
-  githubAppInstallationId: "12345678"
+  provider: github
+  url: https://github.com/<your-github-handle>/burrito-examples
+  webhookSecret: "your-webhook-secret"
+  githubAppID: "123456"
+  githubAppInstallationID: "12345678"
   githubAppPrivateKey: |
     -----BEGIN RSA PRIVATE KEY-----
     my-private-key