
Tofu Controller

Tofu Controller lets Flux reconcile OpenTofu/Terraform configurations the same way it reconciles Kubernetes manifests. It’s the bridge that brings non-Kubernetes resources — Vault paths, Postgres databases, OIDC clients — into the GitOps loop.

| Field | Value |
|---|---|
| Flux path | flux-clusters/stefanzhelev/apps/tofu-controller |
| Base path | flux-apps/tofu-controller |
| Namespace | flux-system |
| Sync wave | 1 |
Depends on
  • HelmRelease for the tofu-controller chart
  • The controller itself, which watches Terraform CRs anywhere in the cluster
  • allowCrossNamespaceRefs: true. A Terraform CR in one namespace can reference Secrets, ConfigMaps, and Source CRs from any other. This is what lets, for example, the CNPG Terraform CR pull a Vault token from the vault namespace.
  • No state backend in-cluster. Each Terraform CR points at its own remote state target as part of its module configuration.

Tofu Controller reconciles the Terraform CRs that other apps ship in their Flux folders:

| Consumer | What Terraform manages |
|---|---|
| Vault | Initial KV mounts and policies |
| CloudNative-PG | Per-app databases and roles |
| Authentik | Secret key + admin password material |
| Forgejo | Admin user + DB credentials |
| Grafana | Admin password + DB credentials |
| Dremio | AWS access keys |
| ClickStack | ClickHouse credentials |
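An added example of what one of these consumer-shipped Terraform CRs looks like, combining the two settings above (a cross-namespace Source reference and a remote state backend outside the cluster). This is illustrative and not a manifest from this repository: the namespace, GitRepository, Secret, bucket and output names are hypothetical, and the field layout follows the tofu-controller Terraform CRD as I know it.

```yaml
# Added illustrative example, not a manifest from this repository.
# Names (app namespace, GitRepository, Secret, bucket, outputs) are hypothetical.
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  name: example-app-db          # hypothetical consumer CR
  namespace: example-app        # lives in the consumer's namespace, not flux-system
spec:
  interval: 10m
  approvePlan: auto             # apply without a manual plan approval step
  path: ./terraform/database    # module directory inside the source artifact
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system      # cross-namespace ref; needs allowCrossNamespaceRefs: true
  varsFrom:
    - kind: Secret
      name: vault-token         # hypothetical Secret in the CR's own namespace
      varsKeys:
        - vault_token           # exposed to the module as variable "vault_token"
  backendConfig:
    # State is kept outside the cluster, per CR; bucket and region are placeholders.
    customConfiguration: |
      backend "s3" {
        bucket = "PLACEHOLDER-state-bucket"
        key    = "example-app/database.tfstate"
        region = "PLACEHOLDER-region"
      }
  writeOutputsToSecret:
    name: example-app-db-credentials   # the consumer app mounts this Secret
    outputs:
      - db_username
      - db_password
```

Without `allowCrossNamespaceRefs: true` on the controller, the `sourceRef.namespace` above is rejected and the CR never reconciles, which is the first thing to check when `kubectl get terraform -A` shows a CR stuck not Ready.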
  • Flux: appears as just another HelmRelease, but enables Terraform CRs cluster-wide
  • Vault: the primary Terraform target for credential material
```bash
# Check the controller
kubectl get pods -n flux-system -l app.kubernetes.io/name=tofu-controller
# List Terraform CRs
kubectl get terraform -A
# Inspect a specific Terraform CR
kubectl describe terraform <name> -n <namespace>
# View controller logs
kubectl logs -n flux-system -l app.kubernetes.io/name=tofu-controller
```