[BranchPlanner] Is it possible to generate a Plan in Json format in the BranchPlanner flow? #1228
Comments
Hi @joaoarthurv Nice to see you're using the controller + a Jenkins pipeline. We have a feature to externally validate the tfplan via a Web hook, which could be in your Jenkins system for example. But I haven't tested this Web hook feature in the Branch Planner environment yet. @yitsushi might have some opinions
I think we wipe out the webhook part in Branch Planner. If we don't, that can cause issues, as I don't think we updated that part at all for Branch Planner, and I don't know if we send enough information for the recipient to distinguish calls from stable and branch planner calls. If the request contains the resource name and branch name, they may be able to distinguish the two kinds of requests and should be fine, but it still sounds like a hacky solution. For the json output, right now the branch planner has the human readable flag enabled hard-coded and there is no way to change that at the moment. If Jenkins can read secrets from kubernetes, it is possible to read data from the secret, but I think that stores only the machine format and the human format.
First of all, thank you for the response, @chanwit and @yitsushi . Understood. I cloned the tofu-controller project and I'm studying the workflows here. Indeed, so far, in the Branchplanner flow, as @yitsushi mentioned, Branchplanner stores only the I'm studying the flow more and considering the possibility of including this feature: ( In the project I'm working on, we already have a series of Policies configured in an internal API separated from the TFController solution. We integrated them into our old workflow. The idea would be to leverage this internal API for now, which already has all the configured policies. The only hurdle I'm facing is that this API expects the Plan in Json as a contract. If TFController already had this functionality, it would fit without any hurdles.
Code we're referring to is here: tofu-controller/internal/server/polling/terraform.go Lines 99 to 135 in 366f7bc
I didn't see any code that resets the webhook setting. Maybe it still would work, if you wanted to try.
Hello @chanwit ! I'm testing the Webhook configuration over here, I made this setup: I spun up the local Jenkins, exposed the webhook at a public endpoint. However, I received this error on TFController: (code that broke)
My assumption is that I need to create a volumeMount in the TFController pod, I'm heading in that direction. But if you have another suggestion, it will be welcome.
Hi @joaoarthurv Yep, you would also skip TLS verification for testing purposes or bind your cert and key files to the controller pod at the location suggested by the error message. tofu-controller/controllers/tf_controller_webhooks.go Lines 115 to 161 in 366f7bc
Hey @chanwit , Thank you for your tip. I followed by adding the environment variable The behavior was that the tool sends the body containing a tfplan in JSON, as expected, and that's amazing. However, there is an inconvenience: the tool continues to send an event to the webhook with each reconcile. In the project I'm working on, Jenkins should only scan the project when a PR is opened. In the case of the existing webhook tool in the tf-controller, Jenkins is triggered with each reconcile made in the configured repository. It was close that the tool didn't meet what I need. Do you think it would be too challenging to implement a temporary Plan JSON file as output in BranchPlanner?
Kind of... not challenging, but can't call it "temporary".
tl;dr
Without changing the CRD, the Polling service, and the Informer, we can't get that behaviour without disturbing existing functionality.
Explanation
The code on the runner has an explicit "you can have only one of them": tofu-controller/runner/server_save_tfplan.go Lines 49 to 75 in 366f7bc
That means, we would need an extra field on the resource that tells the system to use json, but in that case the json content would be sent to the PR as comment as the Informer only reads the plan from the resource where we saved and sends it to github as it is (with a little bit of sugar coating). I think the ideal solution would be to save both human readable and json plan and set a field to the "requested" format. So if a TF resource indicates it wants a "human" plan:
And that's not a temporary quick-fix. I can't think of any solutions right now that wouldn't require changing the CRD.
Suggestion: I would like to move that issue to a discussion under "Ideas". That would make the discussion a bit easier with more ideas in the future. This issue is a very good discussion about a feature, but it's not actionable in this form. As a result we may file multiple issues, but the way we can add this functionality can't be determined now. We may have to think of other solutions. Most likely we can add an extra field to the CRD here: tofu-controller/api/v1alpha2/terraform_types.go Lines 275 to 281 in 366f7bc
// and GitHub Issues are very hard to follow if we have more than one thread, I hope one day we can have something similar to code comments/discussions but for simple comments under an issue.
Good afternoon everyone, I hope you're all doing well.
I'm working on a project to set up a GitOps workflow, and after some research, I've chosen the following tools (Flux + TFController (BranchPlanner) + Jenkins).
The idea is that when a PR is opened, the BranchPlanner is executed, and it should be possible to capture the plan in Json format. This Json-formatted plan will be captured by Jenkins, where I'll perform some validations.
While studying the tool and following the documentation, I noticed that when I open a PR, temporary PLANs are generated in ConfigMap, along with a secret related to the PLAN and another related to the TFState. So far, from what I could tell, neither of these is in Json format.
Currently, is it possible to capture the plan in Json format in the BranchPlanner flow?
I've noticed that if I merge the PR and the Terraform has the storeReadablePlan: json attribute enabled, a plan is created in the secret in .json format. However, since I expect this Json before the Merge, this feature doesn't fit well with what I need.
If anyone has any suggestions, they are very welcome.
I appreciate the support in advance.