Skip to content

Getting started

Pre-requisites

  • A kubernetes cluster
  • [Optional for testing, necessary for production use] A storage bucket in a cloud provider (AWS, GCP, Azure)
  • [Optional, recommended for production use] cert-manager installed in your cluster (for internal encryption of plans and logs & provider cache)

Requirements

  • helm CLI
  • Have a kubeconfig file (default location is ~/.kube/config) to access your Kubernetes cluster

1. Install burrito

Copy and modify the default values to match your requirements.

Make sure to configure a tenant by updating the tenant field in the values.yaml file. The associated namespace will be created automatically and used to deploy Burrito resources on step 3.

For example, here is a default values.yaml file: 

config:
  datastore:
    storage:
      mock: true

tenants:
  - namespace:
      create: true
      name: "burrito-project-1"
    serviceAccounts:
      - name: "runner-project-1"

Info

To try Burrito without setting up a remote storage, set the config.burrito.datastore.storage.mock field to true in the values.yaml file. To persist data such as terraform logs, you must configure a storage bucket field. Make sure to specify a service account that has the necessary permissions to read/write to your remote bucket.

Then, install Burrito using the following command:

helm install burrito oci://ghcr.io/padok-team/charts/burrito --create-namespace -n burrito-system -f ./values.yaml

This will create a new namespace, burrito-system, where burrito services will be deployed.

2. Create a connection to a private repository

Create a Kubernetes Secret to reference the necessary credentials to clone your IaC repository (github or gitlab)

kind: Secret
metadata:
  name: burrito-repo
  namespace: <tenant-namespace>
type: Opaque
stringData:
  username: <my-username>
  password: <my-password | my-access-token>
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----

Then, create a TerraformRepository Kubernetes resource. The spec.terraform.enabled set the repository as a terraform repository (as opposed to an opentofu repository). This setting will propagate to all layers linked to this repository by default, but can be overridden at the layer level.

apiVersion: config.terraform.padok.cloud/v1alpha1
kind: TerraformRepository
metadata:
  name: burrito
  namespace: <tenant-namespace>
spec:
  repository:
    url: <https-or-ssh-repository-url>
    secretName: burrito-repo
  terraform:
    enabled: true

Info

You can also connect to a public repository by omitting spec.repository.secretName in your TerraformRepository definition.

3. Synchronize a terraform layer

After creating a TerraformRepository you can create a TerraformLayer ressource which looks like:

apiVersion: config.terraform.padok.cloud/v1alpha1
kind: TerraformLayer
metadata:
  name: random-pets
  namespace: burrito
spec:
  terraform:
    version: "1.3.1"
  path: "internal/e2e/testdata/terraform/random-pets"
  branch: "main"
  repository:
    name: burrito
    namespace: burrito

The controller will create a runner pod in your tenant namespace to synchronize the repository and apply the terraform code.

Guides

  • For detailed guides on how to use Burrito, see the Guides section.
  • To learn more about advanced configuration and features, see the Operator Manual section.