feat(runner): refactor runner + use tenv to install binaries

.gitignore

@@ -16,6 +16,9 @@ Dockerfile.cross
 
 .terraform/
 
+# Artifact generated by tests
+test.out/*
+
 # Test binary, build with `go test -c`
 *.test
 

cmd/runner/start.go

@@ -21,5 +21,6 @@ func buildRunnerStartCmd(app *burrito.App) *cobra.Command {
 
 	cmd.Flags().StringVar(&app.Config.Runner.SSHKnownHostsConfigMapName, "ssh-known-hosts-cm-name", "burrito-ssh-known-hosts", "configmap name to get known hosts file from")
 	cmd.Flags().StringVar(&app.Config.Runner.RunnerBinaryPath, "runner-binary-path", "/runner/bin", "binary path where the runner can expect to find terraform or terragrunt binaries")
+	cmd.Flags().StringVar(&app.Config.Runner.RepositoryPath, "repository-path", "/runner/repository", "path where the runner fetches the Git repository to work on")
 	return cmd
 }

docs/examples/terraform-layer.yaml

@@ -11,5 +11,3 @@ spec:
   repository:
     name: my-repository
     namespace: burrito-project
-  terraform:
-    version: 1.3.1

docs/getting-started.md

@@ -62,7 +62,7 @@ spec:
 ```
 
 !!! info
-You can also connect to a public repository by omitting `spec.repository.secretName` in your `TerraformRepository` definition.
+    You can also connect to a public repository by omitting `spec.repository.secretName` in your `TerraformRepository` definition.
 
 ## 3. Synchronize a terraform layer
 

docs/guides/iac-drift-detection.md

@@ -72,14 +72,14 @@ Here is the content of the `TerraformRepository` resource that you have created
 apiVersion: config.terraform.padok.cloud/v1alpha1
 kind: TerraformRepository
 metadata:
-  name: my-repo
+  name: my-repository
   namespace: burrito-project
 spec:
   repository:
-    url: git@github.com:padok-team/burrito-examples.git
+    url: https://github.com/padok-team/burrito-examples
 ```
 
-Create a `TerraformLayer` resource in the `burrito-system` namespace, referencing the `TerraformRepository` you just created. For now, the autoApply is set to false, so the layer will only plan the Terraform code and not apply it.
+Create a `TerraformLayer` resource in the `burrito-system` namespace, referencing the `TerraformRepository` you just created. For now, the `autoApply` is set to false, so the layer will only plan the Terraform code and not apply it.
 
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/padok-team/burrito/main/docs/examples/terraform-layer.yaml
@@ -99,8 +99,6 @@ spec:
   repository:
     name: my-repository
     namespace: burrito-project
-  terraform:
-    version: 1.3.1
 ```
 
 Check that your Terraform code is being planned by Burrito:
@@ -135,7 +133,7 @@ kubectl port-forward svc/burrito-server -n burrito-system 8080:80
 
 ![Burrito drift example](../assets/demo/drift-example.png)
 
-Activate the autoApply feature by updating the `TerraformLayer` resource:
+Activate the `autoApply` feature by updating the `TerraformLayer` resource:
 
 ```bash
 kubectl patch tfl my-layer -n burrito-project --type merge --patch '{"spec":{"remediationStrategy":{"autoApply":true}}}'

docs/guides/pr-mr-workflow.md

@@ -44,7 +44,7 @@ Configure a webhook in your GitHub repository to point to the exposed `burrito-s
 kind: Secret
 metadata:
   name: burrito-webhook-secret
-  namespace: burrito
+  namespace: burrito-system
 type: Opaque
 stringData:
   burrito-webhook-secret: <my-webhook-secret>
@@ -86,7 +86,7 @@ my-layer-pr-1-rxvrt   ApplyNeeded   my-repository   update-tf-code   terraform
 
 The Burrito server should have commented on the PR/MR with the plan output. You can check the comments on the PR/MR to see the plan output.
 
-![Pul request comment demo](../assets/demo/pr-demo.png)
+![Pull request comment demo](../assets/demo/pr-demo.png)
 
 Set the `autoApply` field to `true` in the TerraformLayer resource to automatically apply the Terraform code upon merging the PR/MR.
 

docs/operator-manual/architecture.md

@@ -86,9 +86,8 @@ The `TerraformRun` controller also creates and deletes the [Kubernetes leases](h
 
 ### The runners
 
-The runner image implementation heavily relies on Golang libraries provided by Hashicorp such as [`tfexec`](https://github.com/hashicorp/terraform-exec) and [`hc-install`](https://github.com/hashicorp/hc-install) which allows us to dynamically download and use any version of the Terraform binary.
-Thus, we support any existing version of Terraform.
+The runner implementation relies on [`tenv`](https://github.com/tofuutils/tenv), a tool from the community which allows us to dynamically download and use any version of Terraform, Terragrunt or OpenTofu (coming soon). Thus, we support any existing version of Terraform.
 
-The runners also support any existing version of [Terragrunt](https://terragrunt.gruntwork.io/).
+If no version constraint is set in the TerraformLayer resource or in the TerraformRepository resource, `tenv` will detect which version of Terraform/Terragrunt/OpenTofu to use by looking at the version constraints in your code.
 
-The runner is responsible to update the annotations of the layer it is associated with to store information about what commit was plan/apply and when.
+The runner is responsible to update the annotations of the layer it is associated to to store information about what commit was planned/applied and when.

docs/operator-manual/pr-mr-workflow.md

@@ -3,14 +3,14 @@
 <p align="center"><img src="../../assets/design/pr-mr-workflow.excalidraw.png" width="1000px" /></p>
 
 !!! info
-In this documentation all references to pull requests can be change to merge requests for GitLab. However, the resulting Kubernetes object will still be named `TerraformPullRequest`.
+    In this documentation all references to pull requests can be change to merge requests for GitLab. However, the resulting Kubernetes object will still be named `TerraformPullRequest`.
 
 ## Components
 
 ### The server
 
 !!! info
-For more information about the server, see the [architectural overview](./architecture.md) documentation.
+    For more information about the server, see the [architectural overview](./architecture.md) documentation.
 
 Upon receiving a Pull Request creation event, the server creates a `TerraformPullRequest` resource.
 
@@ -35,7 +35,7 @@ The status of a `TerraformPulLRequest` is defined using the [conditions standard
 - `IsCommentUpToDate`. This condition is used to check if the controller needs to send a comment to a pull request. This is checked by comparing the last discovered commit and the last commit for which a comment was already sent.
 
 !!! info
-We use annotations to store information.
+    We use annotations to store information.
 
 With those 3 conditions, we defined 3 states:
 

docs/user-guide/terraform-version.md

@@ -1,18 +1,20 @@
-# Choose a terraform/terragrunt version
+# Configure a Terraform/Terragrunt/OpenTofu version
 
-For now, Burrito doesn't auto-detect the terraform or terragrunt version used in your repository. You have to specify it in the `TerraformRepository` or `TerraformLayer` resource.
+By leveraging [`tenv`](https://github.com/tofuutils/tenv), Burrito auto-detects the Terraform, Terragrunt or OpenTofu version used in your repository, with version constraints set in your code (see [`tenv`'s README](https://github.com/tofuutils/tenv/blob/main/README.md)).
 
-## Choose terraform version
+Additionally, you can to specify version constraints in the `TerraformRepository` or `TerraformLayer` resource as described below.
 
-Both `TerraformRepository` and `TerraformLayer` expose a `spec.terrafrom.version` map field.
+## Choose Terraform version
+
+Both `TerraformRepository` and `TerraformLayer` expose a `spec.terraform.version` map field that support version constraints as described in the [Terraform documentation](https://www.terraform.io/docs/language/expressions/version-constraints.html).
 
 If the field is specified for a given `TerraformRepository` it will be applied by default to all `TerraformLayer` linked to it.
 
 If the field is specified for a given `TerraformLayer` it will take precedence over the `TerraformRepository` configuration.
 
 ## Enable Terragrunt
 
-You can specify usage of terragrunt as follow:
+You can specify usage of Terragrunt with the `spec.terraform.terragrunt` map as follow:
 
 ```yaml
 apiVersion: config.terraform.padok.cloud/v1alpha1
@@ -21,7 +23,7 @@ metadata:
   name: random-pets-terragrunt
 spec:
   terraform:
-    version: "1.3.1"
+    version: "~> 1.3.0"
     terragrunt:
       enabled: true
       version: "0.44.5"
@@ -36,3 +38,7 @@ spec:
 
 !!! info
     This configuration can be specified at the `TerraformRepository` level to be enabled by default in each of its layers.
+
+## Use OpenTofu instead of Terraform
+
+(coming soon)

go.mod

@@ -13,11 +13,13 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/gruntwork-io/go-commons v0.17.1
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/hcl/v2 v2.21.0
 	github.com/hashicorp/terraform-json v0.17.1
 	github.com/onsi/ginkgo/v2 v2.17.3
 	github.com/onsi/gomega v1.33.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
+	github.com/tofuutils/tenv/v3 v3.1.0
 	google.golang.org/api v0.178.0
 	k8s.io/apimachinery v0.30.2
 	k8s.io/client-go v0.30.2
@@ -34,8 +36,14 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
+	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/ProtonMail/gopenpgp/v2 v2.7.5 // indirect
+	github.com/PuerkitoBio/goquery v1.9.2 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.29.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
@@ -53,22 +61,21 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.29.0 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cloudflare/circl v1.3.9 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-github/v56 v56.0.0 // indirect
 	github.com/google/go-github/v62 v62.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
@@ -77,13 +84,15 @@ require (
 	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -93,23 +102,22 @@ require (
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/urfave/cli v1.22.4 // indirect
 	github.com/urfave/cli/v2 v2.10.3 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	github.com/zclconf/go-cty v1.14.0 // indirect
+	github.com/zclconf/go-cty v1.15.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/mod v0.20.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
 	google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240506185236-b8a5c65736ae // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
@@ -141,8 +149,7 @@ require (
 	github.com/google/go-github/v50 v50.2.0
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/hashicorp/go-version v1.7.0
-	github.com/hashicorp/hc-install v0.6.4
+	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.19.0
 	github.com/imdario/mergo v0.3.15 // indirect
@@ -166,19 +173,19 @@ require (
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.18.2
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/xanzy/go-gitlab v0.93.2
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
 	golang.org/x/oauth2 v0.20.0
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/term v0.23.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect