v0.9.0

Changelog

Breaking changes: Burrito internal logic with Git repositories + Git authentication rework

This release 0.9.0 of Burrito introduces one major change in Burrito's internal logic: how handles Git repositories and interact with Git providers.

Main changes:

• The TerraformRepositoryController is now synchronizing regularly the content of TerraformRepositories to:

  • annotate automatically TerraformLayers with the last commit available (webhook is not mandatory anymore for detecting push!)
  • create Git bundles of the last available commit for each branch referenced in layers and store the bundles in Burrito Datastore

• TerraformRuns run on specific commits: this opens the possibility to track which commits have been planned/applied in future releases of Burrito

• The Burrito runners do not need to interact with Git repositories anymore: they just fetch the Git bundle for the commit hash they're running on, from the datastore

• The Git provider credentials system of Burrito has been remade from the ground up:

  • Credentials are defined in secrets with type credentials.burrito.tf/repository or credentials.burrito.tf/shared
  • One credential secret can be used by multiple TerraformRepositories in multiple tenants

📖 Documentation:

• New Git Authentication system
  
• How to migrate to the new authentication system
• How the TerraformRepository Controller works

🛠️ Implementation: 75c98f0: feat(repository): use git bundles in runners + refactor credentials (#605) (@corrieriluca)

Other breaking changes

• e09ad76: chore(helm): allow metadata labels and annotations on all resources (#711) (@seboudry)
  • Some values have changed in the Helm chart regarding annotations:
    • config.annotations => metadata.config.annotations
    • tenants[].serviceAccounts[].annotations => tenants[].serviceAccounts[].metadata.annotations
    • hermitcrab.service.annotations => hermitcrab.service.metadata.annotations
    • server.ingress.annotations => server.ingress.metadata.annotations (important if you have ingress controller specific annotations)

Minor changes / dependency updates

• fix(chart): make tenant metadata optional by @LucasMrqes in #724
• fix(chart): annotations/labels on tenants service accounts by @corrieriluca in #726
• fix(repo-controller): handle forced push by deleting local repository by @corrieriluca in #745
• chore: remove goreleaser by @corrieriluca in #744
• fix(logging): do not log nil error in run controller (#781) by @corrieriluca

v0.9.0-rc.2

What's Changed

• fix(chart): make tenant metadata optional by @LucasMrqes in #724
• fix(chart): annotations/labels on tenants service accounts by @corrieriluca in #726
• fix(repo-controller): handle forced push by deleting local repository by @corrieriluca in #745
• chore: remove goreleaser by @corrieriluca in #744

Dependency upgrades

• chore(release): bump version to v0.9.0-rc.1 by @github-actions[bot] in #723
• fix(deps): update go github sdk (minor) by @renovate[bot] in #717
• chore(deps): update dependency vite to v7.1.11 [security] by @renovate[bot] in #725
• chore(deps): update dependency @vitejs/plugin-react-swc to v4 by @renovate[bot] in #683
• chore(deps): update actions/setup-node action to v6 by @renovate[bot] in #731
• chore(deps): update node.js to v22.21.0 by @renovate[bot] in #728
• chore(deps): update ui dependencies (minor) by @renovate[bot] in #648
• revert: update dependency @vitejs/plugin-react-swc to v4 by @corrieriluca in #734
• fix(deps): update module google.golang.org/api to v0.253.0 by @renovate[bot] in #730
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.13.0 by @renovate[bot] in #719
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.1 by @renovate[bot] in #722
• fix(deps): update module github.com/coreos/go-oidc/v3 to v3.16.0 by @renovate[bot] in #720
• chore(deps): update actions/download-artifact action to v6 by @renovate[bot] in #736
• chore(deps): update actions/upload-artifact action to v5 by @renovate[bot] in #737
• fix(deps): update module github.com/spf13/viper to v1.21.0 by @renovate[bot] in #729
• fix(deps): update module github.com/spf13/cobra to v1.10.1 by @renovate[bot] in #693
• fix(deps): update module google.golang.org/api to v0.254.0 by @renovate[bot] in #742
• fix(deps): update all patch dependencies (patch) by @renovate[bot] in #703
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.89.1 by @renovate[bot] in #741
• chore(deps): update localstack/localstack docker tag to v4.10.0 by @renovate[bot] in #743
• chore(deps): update dependency @vitejs/plugin-react-swc to v4 by @renovate[bot] in #738
• fix(deps): update module gitlab.com/gitlab-org/api/client-go to v0.157.1 by @renovate[bot] in #646
• chore(deps): update dependency eslint to v9.39.0 by @renovate[bot] in #735
• chore(deps): update dependency @tanstack/react-query to v5.90.6 by @renovate[bot] in #746
• fix(deps): update module gitlab.com/gitlab-org/api/client-go to v0.158.0 by @renovate[bot] in #747

Full Changelog: v0.9.0-rc.1...v0.9.0-rc.2

v0.9.0-rc.1

Changelog

Pre-release major breaking change: Burrito internal logic with Git repositories

This first pre-release version of Burrito 0.9.0 introduce one major change in Burrito's internal logic: how handles Git repositories.

Main changes:

• The TerraformRepositoryController is now synchronizing regularly the content of TerraformRepositories to:

  • annotate automatically TerraformLayers with the last commit available (webhook is not mandatory anymore!)
  • create Git bundles of the last available commit for each branch referenced in layers and store the bundles in Burrito Datastore

• TerraformRuns run on specific commits: this opens the possibility to track which commits have been planned/applied in future releases of Burrito

• The Burrito runners do not need to interact with Git repositories anymore: they just fetch the Git bundle for the commit hash they're running on, from the datastore

• The Git provider credentials system of Burrito has been remade from the ground up:

  • Credentials are defined in secrets with type credentials.burrito.tf/repository or credentials.burrito.tf/shared
  • One credential secret can be used by multiple TerraformRepositories in multiple tenants

📖 Documentation:

• New Git Authentication system
  
• How to migrate to the new authentication system
• How the TerraformRepository Controller works

🛠️ Implementation: 75c98f0: feat(repository): use git bundles in runners + refactor credentials (#605) (@corrieriluca)

When 0.9.0 will be released

We plan to release a stable release of 0.9.0 around the end of October 2025, once we have tested this pre-release in production clusters.

✨ Please give us your feedbacks on the pre-release in the meantime if you can test it in your environment!

Other breaking changes

• e09ad76: chore(helm): allow metadata labels and annotations on all resources (#711) (@seboudry)
  • Some values have changed in the Helm chart regarding annotations:
    • config.annotations => metadata.config.annotations
    • tenants[].serviceAccounts[].annotations => tenants[].serviceAccounts[].metadata.annotations
    • hermitcrab.service.annotations => hermitcrab.service.metadata.annotations
    • server.ingress.annotations => server.ingress.metadata.annotations (important if you have ingress controller specific annotations)

Minor changes / dependency updates

• c2980df: fix(deps): update module cloud.google.com/go/storage to v1.57.0 (#716) (@renovate[bot])

• 5bab5f8: feat(go): update to 1.25 (#718) (@corrieriluca)

• a57ccc1: chore(deps): update docker/dockerfile docker tag to v1.19.0 (#714) (@renovate[bot])

• 10bb34c: chore(deps): update localstack/localstack docker tag to v4.9.2 (#708) (@renovate[bot])

• 0f12b4d: chore(deps): update node.js to v22.20.0 (#715) (@renovate[bot])

• 9e32f2e: chore(release): bump version to v0.8.1 (#710) (@corrieriluca)

• 7bafe5d: chore: fix setup-envtest version in Makefile (#721) (@corrieriluca)

v0.8.1

Changelog

Minor Features

• 376fee2: feat(git): add tag support for TerraformLayers and enhance provider fallback logic (#652) (@nerdeveloper)
• a674588: feat(helm): add NetworkPolicy template to allow traffic from tenant namespaces (#702) (@corrieriluca)
• 37f6bdd: feat(helm): add traffic distribution and topology spread constraints (#701) (@corrieriluca)
• 1d51524: feat(helm): allow control of CRDs installation (#688) (@michael-todorovic)

Bug fixes

• db6cbbb: fix(ui): layer page scrolling & tiling (#705) (@LucasMrqes)

Dependency updates

• 7bce7ff: fix(deps): update all patch dependencies (#659) (@renovate[bot])
• b4c3415: fix(deps): update all patch dependencies (#691) (@renovate[bot])
• b0c34e0: fix(deps): update aws-sdk-go-v2 monorepo (#704) (@renovate[bot])
• 5b3f598: fix(deps): update dependency axios to v1.12.0 [security] (#706) (@renovate[bot])
• c0d2022: fix(deps): update module github.com/hashicorp/terraform-json to v0.27.2 (#709) (@renovate[bot])
• 8df4a70: fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.0 (#667) (@renovate[bot])
• 4c708d2: chore(deps): update actions/setup-go action to v6 (#694) (@renovate[bot])
• 3088d0d: chore(deps): update actions/setup-node action to v5 (#695) (@renovate[bot])
• 0513a27: chore(deps): update actions/setup-python action to v6 (#696) (@renovate[bot])
• f813fa6: chore(deps): update dependency vite to v7 (#631) (@renovate[bot])
• 3a247b0: chore(deps): update dependency vite to v7.1.5 [security] (#700) (@renovate[bot])
• e392d4e: chore(deps): update docker/dockerfile docker tag to v1.18.0 (#692) (@renovate[bot])
• 02508d8: chore(deps): update mcr.microsoft.com/azure-storage/azurite docker tag to v3.35.0 (#674) (@renovate[bot])
• 369844e: chore(docker): pin digests docker pin digests (#697) (@renovate[bot])
• c2f440f: chore(helm): add metadata in Chart.yaml (#707) (@corrieriluca)
• a70647b: chore(release): bump version to v0.8.0 (@corrieriluca)

v0.8.0

Changelog

💥 Breaking change

• Burrito UI authentication: starting with 0.8.0 Burrito automatically adds authentication (defaults to HTTP Basic Auth) for its user interface. OIDC can also be configured.
  • To keep your Burrito instance public/un-authenticated you need to set config.burrito.server.basicAuth.enabled to false in your Helm values.

Features

• b4cd4d2: feat: add basic and OAuth authentication (#611) (@LucasMrqes)
  • See User Authentication in Burrito doc
• 0e57ae9: feat: add support for datastore encryption (#626) (@michael-todorovic)
  • See Datastore Encrytion documentation
• b3cf7b1: feat: add layers status bar (#660) (@michael-todorovic)

Bug fixes

• e43bb4b: fix(docker): chown burrito user home directory (#653) (@arnaud-dezandee)
• d8c64b1: fix(layer-controller): consider layer not running when runs are not found (#625) (@LucasMrqes)
• 96d5e53: fix(tools): remove terraform-exec (#628) (@arnaud-dezandee)
• a3da7fc: fix: handle terragrunt 0.73.0+ new flags (#662) (@michael-todorovic)
• 31158f8: fix(chart): known_hosts multiline formatting (#627) (@arnaud-dezandee)

Others

• 1ec7907: fix(deps): update all patch dependencies (#619) (@renovate[bot])

• 1ac663e: fix(deps): update all patch dependencies (#633) (@renovate[bot])

• 8e17022: fix(deps): update aws-sdk-go-v2 monorepo (#501) (@renovate[bot])

• 35e49a4: fix(deps): update aws-sdk-go-v2 monorepo (#665) (@renovate[bot])

• e2339c5: fix(deps): update go github sdk (#684) (@renovate[bot])

• ac2d04f: fix(deps): update module cloud.google.com/go/storage to v1.55.0 (#636) (@renovate[bot])

• 2e57fa9: fix(deps): update module cloud.google.com/go/storage to v1.56.1 (#657) (@renovate[bot])

• 40361cd: fix(deps): update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.83.0 (#645) (@renovate[bot])

• f21cec5: fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.10.1 (#618) (@renovate[bot])

• 6430f87: fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.11.0 (#677) (@renovate[bot])

• eb0019c: fix(deps): update module github.com/hashicorp/hcl/v2 to v2.24.0 (#678) (@renovate[bot])

• ed46be8: fix(deps): update module github.com/hashicorp/terraform-json to v0.25.0 (#621) (@renovate[bot])

• 5ddb173: fix(deps): update module github.com/hashicorp/terraform-json to v0.26.0 (#666) (@renovate[bot])

• 2935c2c: fix(deps): update module github.com/onsi/gomega to v1.37.0 (#639) (@renovate[bot])

• 529fca7: fix(deps): update module github.com/onsi/gomega to v1.38.2 (#680) (@renovate[bot])

• fba77bd: fix(deps): update module github.com/spf13/viper to v1.20.1 (#638) (@renovate[bot])

• ad49ae5: fix(deps): update module github.com/stretchr/testify to v1.11.1 (#681) (@renovate[bot])

• c309b37: fix(deps): update module github.com/tofuutils/tenv/v4 to v4.7.6 (#573) (@renovate[bot])

• 71edc52: fix(deps): update module google.golang.org/api to v0.248.0 (#682) (@renovate[bot])

• 5119053: feat: update go 1.24 + k8s.io packages (#632) (@corrieriluca)

• ce980e1: chore(ci): fix documentation release with mike (#643) (@corrieriluca)

• 96a7613: chore(deps): remove aws-sdk v1 (#685) (@corrieriluca)

• 43d5ac2: chore(deps): update actions/checkout action to v5 (#668) (@renovate[bot])

• 819fb19: chore(deps): update actions/download-artifact action to v5 (#670) (@renovate[bot])

• 5f3b9f7: chore(deps): update davidanson/markdownlint-cli2-action action to v20 (#622) (@renovate[bot])

• 82d0dff: chore(deps): update docker.io/library/alpine docker tag to v3.22.1 (#617) (@renovate[bot])

• cd78aec: chore(deps): update docker.io/library/golang docker tag to v1.24.4 (#542) (@renovate[bot])

• f44c09c: chore(deps): update docker/dockerfile docker tag to v1.16.0 (#520) (@renovate[bot])

• 6801b61: chore(deps): update docker/dockerfile docker tag to v1.17.1 (#630) (@renovate[bot])

• c0739a6: chore(deps): update localstack/localstack docker tag to v4.5.0 (#634) (@renovate[bot])

• 1d2a1a3: chore(deps): update localstack/localstack docker tag to v4.6.0 (#644) (@renovate[bot])

• e4e5769: chore(deps): update localstack/localstack docker tag to v4.7.0 (#673) (@renovate[bot])

• e597311: chore(deps): update node.js to v22.17.0 (#635) (@renovate[bot])

• b405b2a: chore(deps): update node.js to v22.19.0 (#675) (@renovate[bot])

• 8cdeabd: chore(deps): update stefanzweifel/git-auto-commit-action action to v6 (#650) (@renovate[bot])

• dddca5c: chore(release): bump version to v0.7.0 (@corrieriluca)

• 06baa11: chore(renovate): group github go packages (#664) (@corrieriluca)

v0.7.0

Changelog

Features

• 94235b4: feat(chart): allow service annotation on hermitcrab service to enable Topology Aware Routing (#589) (@DjinnS)
• a4f1f80: feat(contributing): add support for debugging live pods (#585) (@michael-todorovic)
• 978aec8: feat(datastore): normalize backends output, add storage unit tests, fix GetLastAttempt (#614) (@michael-todorovic)
• 235a7e0: feat(runner): allow command+args override (#594) (@michael-todorovic)
• 3f6baf3: feat(ui): upgrade to tailwindcss v4 (#610) (@corrieriluca)
• 245b9a9: feat: allow ssh known hosts override (#578) (@michael-todorovic)

Bug fixes

• 765acea: fix(datastore): handle not found error for S3 HeadObject (#588) (@corrieriluca)
• d7f4665: fix(deps): update all patch dependencies (#584) (@renovate[bot])
• e9a63df: fix(deps): update module github.com/bradleyfalzon/ghinstallation/v2 to v2.15.0 (#570) (@renovate[bot])
• 3f224ad: fix(deps): update module github.com/go-git/go-git/v5 to v5.16.0 (#571) (@renovate[bot])
• 1eeeaad: fix(deps): update module github.com/google/go-github/v68 to v71 (#563) (@renovate[bot])
• 979746d: fix(deps): update module github.com/hashicorp/terraform-exec to v0.23.0 (#572) (@renovate[bot])
• 4d782ca: fix(deps): update module gitlab.com/gitlab-org/api/client-go to v0.128.0 (#514) (@renovate[bot])
• c0784c6: fix(deps): update ui dependencies (#574) (@renovate[bot])
• 5f1c2dc: fix(layer-controller): no error on last result when layer is new (#587) (@corrieriluca)
• 888a716: fix(runner): handle resource replacement (#583) (@michael-todorovic)
• 5ac921c: fix(s3): remove ChecksumAlgorithm (#603) (@michael-todorovic)
• 1a614f3: fix: return rc=2 for unsupported commands (#595) (@michael-todorovic)
• 6ebc0ea: fix: support gh enterprise api (#613) (@ampc)

Others

• 762dabb: chore(deps): update dependency vite to v6.2.7 [security] (#586) (@renovate[bot])
• 8a615ec: chore(deps): update node.js to v22.15.1 (#592) (@renovate[bot])
• fc749f7: chore(deps): update node.js to v22.16.0 (#609) (@renovate[bot])
• d62f5c6: chore(release): bump version to v0.6.5 (@corrieriluca)

v0.6.5

Changelog

Bug fix 💥

• d6aafd7: fix(run-controller): client side filter for running pods list (#577) (@LucasMrqes)
  • The maxConcurrentRunnerPods feature was not functional since 0.6.4, this fix the bugs by doing pod filtering on Burrito side

Others

• 6963bad: chore(release): bump version to v0.6.4 (@padok-runner)

v0.6.4

Changelog

Features

• 7d022cf: feat: add support for initContainers in overrideRunnerSpec (#576) (@michael-todorovic)

Bug fixes

• 7a94cae: fix: change casing 'maxConcurrentRunnerPods' key in burrito values' (#567) (@Pockylolo)
• 83d4ee7: fix: count pending pods when listing running pods (#564) (@LucasMrqes)

Dependency upgrades

• 85f4086: fix(deps): update module sigs.k8s.io/controller-runtime to v0.20.4 (#507) (@renovate[bot])
• 55667e5: chore(ci): remove digests in actions versions (#568) (@corrieriluca)
• 6ad0beb: chore(deps): update actions/cache digest to 5a3ec84 (#557) (@renovate[bot])
• 28607f2: chore(deps): update actions/setup-go digest to 0aaccfd (#558) (@renovate[bot])
• f513495: chore(deps): update actions/setup-python digest to 8d9ed9a (#565) (@renovate[bot])
• ed6fa34: chore(deps): update dependency vite to v6.2.6 [security] (#561) (@renovate[bot])
• d4651e3: chore(deps): update node.js to v22.14.0 (#543) (@renovate[bot])
• 4c0ebb6: chore(release): bump version to v0.6.3 (@LucasMrqes)

v0.6.3

New features

• SyncWindows allows you to define precise windows during which a layer will or will not be planned / applied by Burrito. Strongly inspired by Argo CD's SyncWindows. Documentation is available here.
• MaxConcurrentRunnerPod setting can be set on the controller or repository level to limit the number of Burrito runner pods that run in parallel. More information in the associated documentation

These two features aim to empower Burrito users with tools to fine-tune the scheduling of operations, which can be especially useful for FinOps or safety-related considerations.

What's Changed

• chore(deps): update actions/setup-python digest to 4237552 by @renovate in #534
• chore(deps): update goreleaser/goreleaser-action digest to 90a3faa by @renovate in #536
• chore(docker): pin digests docker pin digests by @renovate in #537
• fix(deps): update all patch dependencies (patch) by @renovate in #541
• docs: fix getting-started helm values by @rssnyder in #546
• fix: [opentofu] no color by @rssnyder in #548
• fix: [deploy] service type use service group value by @rssnyder in #547
• chore: add new blog post by @corrieriluca in #554
• chore: add opentofu guide by @rssnyder in #555
• feat: add sync windows by @LucasMrqes in #531
• chore(deps): update dependency vite to v6.0.13 [security] by @renovate in #552
• fix(deps): update dependency axios to v1.8.2 [security] by @renovate in #556
• feat: add setting to limit the number of concurrent runner pods by @LucasMrqes in #545

New Contributors

• @rssnyder made their first contribution in #546

Full Changelog: v0.6.2...v0.6.3

v0.6.2

What's Changed

• chore(deps): update dependency vite to v6.0.9 [security] by @renovate in #517
• chore(deps): update ui dependencies (minor) by @renovate in #493
• chore(deps): update dependency eslint-config-prettier to v10 by @renovate in #494
• fix(deps): update all patch dependencies (patch) by @renovate in #497
• docs: update domain name to docs.burrito.tf by @corrieriluca in #524
• feat(crd): support affinity in overriderunnerspec by @smeelock in #532
• chore(deps): update codecov/codecov-action digest to 0565863 by @renovate in #519
• chore(deps): update golangci/golangci-lint-action digest to 2226d7c by @renovate in #508
• chore(deps): update actions/setup-go digest to f111f33 by @renovate in #518
• chore(deps): update actions/cache digest to d4323d4 by @renovate in #533
• chore(deps): update actions/setup-node digest to 1d0ff46 by @renovate in #526
• docs: add affinity in available overrides by @corrieriluca in #538
• fix(pullrequests): inherit all properties from original layer in pr layer by @LucasMrqes in #539

New Contributors

• @smeelock made their first contribution in #532

Full Changelog: v0.6.1...v0.6.2