From 0fcb28dead8825095cc15e4acd9f27f535181334 Mon Sep 17 00:00:00 2001 From: mulmuri Date: Tue, 18 Feb 2025 21:45:25 +0900 Subject: [PATCH 1/2] feat: deploy atlantis in k8s --- .gitignore | 1 + atlantis.yaml | 22 +- modules/infra/atlantis/gateway.yaml | 16 + modules/infra/atlantis/main.tf | 27 + modules/infra/atlantis/values.yaml | 757 ++++++++++++++++++++++++++++ modules/infra/atlantis/variables.tf | 15 + projects/infra/main.tf | 13 + 7 files changed, 850 insertions(+), 1 deletion(-) create mode 100644 modules/infra/atlantis/gateway.yaml create mode 100644 modules/infra/atlantis/main.tf create mode 100644 modules/infra/atlantis/values.yaml create mode 100644 modules/infra/atlantis/variables.tf diff --git a/.gitignore b/.gitignore index 2dcc5d4..8c2a944 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .terraform.lock.hcl .terraform/ terraform.tfvars +*.tfplan diff --git a/atlantis.yaml b/atlantis.yaml index ba5c234..1be88af 100644 --- a/atlantis.yaml +++ b/atlantis.yaml 
@@ -1,8 +1,28 @@ version: 3 automerge: true projects: - - dir: projects/dev + - dir: projects/gcp workflow: default autoplan: when_modified: ["*.tf", "*.yaml", "*.json", "../../modules/**/*.tf", "../../modules/**/*.yaml", "../../modules/**/*.json"] enabled: true + - dir: projects/core + workflow: default + autoplan: + when_modified: ["*.tf", "*.yaml", "*.json", "../../modules/**/*.tf", "../../modules/**/*.yaml", "../../modules/**/*.json"] + enabled: true + - dir: projects/core/config + workflow: default + autoplan: + when_modified: ["*.tf", "*.yaml", "*.json", "../../../modules/**/*.tf", "../../../modules/**/*.yaml", "../../../modules/**/*.json"] + enabled: true + - dir: projects/domain + workflow: default + autoplan: + when_modified: ["*.tf", "*.yaml", "*.json", "../../../modules/**/*.tf", "../../../modules/**/*.yaml", "../../../modules/**/*.json"] + enabled: true + - dir: projects/infra + workflow: default + autoplan: + when_modified: ["*.tf", "*.yaml", "*.json", "../../../modules/**/*.tf", "../../../modules/**/*.yaml", "../../../modules/**/*.json"] + enabled: true diff --git a/modules/infra/atlantis/gateway.yaml b/modules/infra/atlantis/gateway.yaml new file mode 100644 index 0000000..9a2472d --- /dev/null +++ b/modules/infra/atlantis/gateway.yaml @@ -0,0 +1,16 @@ +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: atlantis-vs + namespace: atlantis +spec: + hosts: + - atlantis.goboolean.io + gateways: + - istio-system/istio-ingressgateway + http: + - route: + - destination: + host: atlantis.atlantis.svc.cluster.local + port: + number: 80 \ No newline at end of file diff --git a/modules/infra/atlantis/main.tf b/modules/infra/atlantis/main.tf new file mode 100644 index 0000000..9ee6b9f --- /dev/null +++ b/modules/infra/atlantis/main.tf 
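Review bot: The `when_modified` globs for the new `projects/domain` and `projects/infra` entries climb three levels (`../../../modules/**/*.tf`) although those directories sit only two levels below the repo root, so the pattern resolves outside the repository and edits under `modules/` will not autoplan those projects; they should use `../../modules/**/*.tf` (and the `.yaml`/`.json` siblings) exactly as `projects/gcp` and `projects/core` do, leaving three `..` only for `projects/core/config`. Separately, `automerge: true` is kept for every project including `projects/infra`, which now deploys Atlantis itself together with its GitHub token, so a PR is merged as soon as an apply succeeds unless the server-side `apply_requirements` gate it; worth pairing with `apply_requirements: [approved, mergeable]` on the server side.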
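Review bot: The VirtualService routes `atlantis.goboolean.io` to the service on port 80 with no TLS settings anywhere in this file, so both the basic-auth UI and the `/events` webhook endpoint rely entirely on the `istio-system/istio-ingressgateway` Gateway (not in this diff) terminating HTTPS; `atlantisUrl` is hard-coded to `https://`, so a Gateway that only listens on HTTP would also break the links Atlantis posts back to PRs. Please confirm that Gateway has an `https` server for this host with `tls.httpsRedirect: true` on its HTTP server, and consider adding a short comment above `hosts:` stating that assumption, e.g. `# TLS is terminated at istio-ingressgateway; the Gateway must serve this host over HTTPS`. The file also lacks a trailing newline.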
@@ -0,0 +1,27 @@ +locals { + values_yaml = templatefile("${path.module}/values.yaml", { + atlantis_url = "https://atlantis.goboolean.io" + project_id = var.project_id + github_token = var.github_token + github_username = var.github_username + webhook_secret = var.webhook_secret + username = "username" + password = "password" + }) +} + +resource "helm_release" "atlantis" { + name = "atlantis" + repository = "https://runatlantis.github.io/helm-charts" + chart = "atlantis" + version = "4.4.0" + namespace = "atlantis" + + values = [local.values_yaml] + + timeout = 120 +} + +resource "kubernetes_manifest" "atlantis_gateway" { + manifest = yamldecode(file("${path.module}/gateway.yaml")) +} diff --git a/modules/infra/atlantis/values.yaml b/modules/infra/atlantis/values.yaml new file mode 100644 index 0000000..d65a971 --- /dev/null +++ b/modules/infra/atlantis/values.yaml 
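Review bot: `username = "username"` and `password = "password"` in `locals.values_yaml` are rendered straight into the chart's `basicAuth`, so the only thing guarding the Atlantis dashboard (which allows discarding locks and triggering plans/applies) on a public hostname is a guessable default; they should be fed from Vault like the other secrets, e.g. `username = var.username` / `password = var.password`. In addition, `github_token` and `webhook_secret` flow through `templatefile` into `helm_release.atlantis.values`, and since neither variable is marked `sensitive`, the full rendered values file including the token appears in the Terraform plan output — which Atlantis itself posts as a PR comment — as well as in state; marking those variables `sensitive = true` propagates through the local and redacts `values` in the plan. Finally, `kubernetes_manifest.atlantis_gateway` and the release both target namespace `atlantis` with no visible dependency on whatever creates it, so the first apply on a fresh cluster may fail — presumably the namespace module handles ordering, but worth confirming.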
@@ -0,0 +1,757 @@ +## -------------------------- ## +# Values to override for your instance. +## -------------------------- ## + +# -- Provide a name to substitute for the full names of resources. +fullnameOverride: "" + +# -- Provide a name to substitute for the name of the chart. +nameOverride: "" + +# -- An option to override the atlantis url, +# if not using an ingress, set it to the external IP. +# Check values.yaml for examples. +atlantisUrl: "https://atlantis.goboolean.io" +# Example: http://10.0.0.0 + +# -- Replace this with your own repo allowlist. +orgAllowlist: "github.com/goboolean/*" + +# -- Deprecated in favor of orgAllowlist. +orgWhitelist: "" + +# -- Specify the log level for Atlantis. +# Accepts: debug, info, warn, or error. +logLevel: "" + +# -- If using GitHub, please enter your values as follows. +# The chart will perform the base64 encoding for values that are stored in secrets. +# The 'hostname' key is exclusive to GitHub Enterprise installations. +# Check values.yaml for examples. +github: + user: ${github_username} + token: ${github_token} + secret: ${webhook_secret} +# github: +# user: foo +# token: bar +# secret: baz +# hostname: github.your.org + +# -- If using a GitHub App, please enter your values as follows. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# installationId is necessary when there are multiple installs of the Github App. +# Check values.yaml for examples. +githubApp: {} +# githubApp: +# id: 123456 +# installationId: 1 +# slug: foo +# key: | +# -----BEGIN PRIVATE KEY----- +# ... +# -----END PRIVATE KEY----- +# secret: baz + +# -- If using Gitea, please enter your values as follows. +# The 'baseUrl' key is exclusive to self-hosted Gitea installations. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. 
+gitea: {} +# gitea: +# user: foo +# token: bar +# secret: baz +# baseUrl: gitea.your.org + +# -- If using GitLab, please enter your values as follows. +# The 'hostname' key is exclusive to GitLab Enterprise installations. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +gitlab: {} +# gitlab: +# user: foo +# token: bar +# secret: baz +# hostname: gitlab.your.org + +# -- If using Bitbucket, there are two approaches: +# Bitbucket Server, deployed in your own infrastructure +# and Cloud available at (https://Bitbucket.org). +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +bitbucket: {} + +# Bitbucket Server +# bitbucket: +# user: foo +# token: bar +# secret: baz +# baseURL: https://bitbucket.yourorganization.com + +# Bitbucket Cloud +# The recommendation is to genarate a service user on your cloud environment, but you can live on the edge using your own user :). +# Create an APP PASSWORD to the user for the token value. +# Base URL are not needed here, but keep in mind to provide an IP Whitelist as the Atlantis documentation. +# bitbucket: +# user: foo +# token: bar + +# -- If using Azure DevOps, please enter your values as follows. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +azuredevops: {} +# azuredevops: +# user: foo +# token: bar +# webhookUser: foo +# webhookPassword: baz + +# -- If managing secrets outside the chart for the webhook, use this variable to reference the secret name +vcsSecretName: "" + +# -- When referencing Terraform modules in private repositories, it may be helpful +# (necessary?) to use redirection in a .gitconfig. +# Check values.yaml for examples. 
+gitconfig: "" +# gitconfig: | +# [url "https://YOUR_GH_TOKEN@github.com"] +# insteadOf = https://github.com +# [url "https://YOUR_GH_TOKEN@github.com"] +# insteadOf = ssh://git@github.com +# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] +# insteadOf = https://gitlab.com +# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] +# insteadOf = ssh://git@gitlab.com +# Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token + +# -- When true gitconfig file is mounted as read only. +# When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process, +# instead of being mounted as a file. +gitconfigReadOnly: true + +# -- If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name +gitconfigSecretName: "" + +# -- When referencing Terraform modules in private repositories or registries (such as Artfactory) +# configuing a .netrc file for authentication may be required. +# Check values.yaml for examples. +netrc: "" +# netrc: | +# machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD +# machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + +# -- If managing secrets outside the chart for the netrc file, use this variable to reference the secret name +netrcSecretName: "" + +# -- To specify AWS credentials to be mapped to ~/.aws or to aws.directory. +# Check values.yaml for examples. +aws: {} +# aws: +# credentials: | +# [default] +# aws_access_key_id=YOUR_ACCESS_KEY_ID +# aws_secret_access_key=YOUR_SECRET_ACCESS_KEY +# region=us-east-1 +# config: | +# [profile a_role_to_assume] +# role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume +# source_profile = default +# directory: "/home/atlantis/.aws" + +# -- To reference an already existing Secret object with AWS credentials +awsSecretName: "" + +# -- To keep backwards compatibility only. +# Deprecated (see googleServiceAccountSecrets). 
+# To be used for mounting credential files (when using google provider). +# Check values.yaml for examples. +serviceAccountSecrets: {} +# serviceAccountSecrets: +# credentials: +# credentials-staging: + +## -------------------------- ## +# Default values for atlantis (override as needed). +## -------------------------- ## + +# -- (int) [optional] Define the port you would like atlantis to run on. When 0, the value of service.targetPort is used. +containerPort: 0 + +image: + repository: ghcr.io/runatlantis/atlantis + # -- If not set appVersion field from Chart.yaml is used + tag: "latest" + pullPolicy: Always + +# -- Optionally specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. +# Check values.yaml for examples. +imagePullSecrets: [] +# imagePullSecrets: +# - myRegistryKeySecretName + +# -- Override atlantis main configuration by config map, +# ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis. +# Check values.yaml for examples. +config: "" +# config: | +# --- +# webhooks: +# - event: apply +# workspace-regex: .* +# branch-regex: .* +# kind: slack +# channel: my-channel + +# -- Use Server Side Repo Config, +# ref: https://www.runatlantis.io/docs/server-side-repo-config.html. +# Check values.yaml for examples. +repoConfig: "" +# Example with default configuration: +# repoConfig: | +# --- +# repos: +# - id: /.*/ +# apply_requirements: [] +# workflow: default +# allowed_overrides: [] +# allow_custom_workflows: false +# workflows: +# default: +# plan: +# steps: [init, plan] +# apply: +# steps: [apply] +# metrics: +# prometheus: +# endpoint: /metrics + +# -- Enables atlantis to run on a fork Pull Requests. +allowForkPRs: false + +# -- Enables atlantis to run on a draft Pull Requests. +allowDraftPRs: false + +# -- Enables atlantis to hide previous plan comments. 
+hidePrevPlanComments: false + +# -- Enables atlantis to hide no-changes plan comments from the pull request. +hideUnchangedPlanComments: false + +# -- Sets the default terraform distribution to use. Can be set to terraform or opentofu. +defaultTFDistribution: terraform + +# -- Sets the default terraform version to be used in atlantis server. +# Check values.yaml for examples. +defaultTFVersion: "1.10.5" +# Example: "0.12.0". + +# -- Disables running `atlantis apply` regardless of which flags are sent with it. +disableApply: false + +# -- Disables running `atlantis apply` without any flags. +disableApplyAll: false + +# -- Stops atlantis locking projects and or workspaces when running terraform. +disableRepoLocking: false + +# -- Use Diff Markdown Format for color coding diffs. +enableDiffMarkdownFormat: false + +# -- Optionally specify an username and a password for basic authentication. +basicAuth: + username: ${username} + password: ${password} + +# -- If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name. +basicAuthSecretName: "" + +# -- Optionally specify an API secret to enable the API. +# Check values.yaml for examples. +api: {} +# api: +# secret: "s3cr3t" + +# -- If managing secrets outside the chart for the API secret, use this variable to reference the secret name. +apiSecretName: "" + +# -- Override the command field of the Atlantis container. +command: [] + +# -- Common Labels for all resources created by this chart. +commonLabels: {} + +livenessProbe: + enabled: true + # -- We only need to check every 60s since Atlantis is not a high-throughput service. 
+ periodSeconds: 60 + initialDelaySeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + scheme: HTTP + +readinessProbe: + enabled: true + periodSeconds: 60 + initialDelaySeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + scheme: HTTP + +service: + type: ClusterIP + annotations: {} + port: 80 + portName: atlantis + nodePort: null + # -- (int) [optional] Define the port you would like atlantis to run on. Defaults to 4141. + targetPort: 4141 + loadBalancerIP: null + loadBalancerSourceRanges: [] + externalTrafficPolicy: null + +podTemplate: + # -- Check values.yaml for examples. + annotations: {} + # annotations: + # iam.amazonaws.com/role: role-arn # kube2iam example. + labels: {} + +statefulSet: + annotations: {} + labels: {} + securityContext: + fsGroup: 1000 + # -- It is not recommended to run atlantis as root. + runAsUser: 100 + fsGroupChangePolicy: "OnRootMismatch" + priorityClassName: "" + updateStrategy: {} + # -- Option to share process namespace with atlantis container. + shareProcessNamespace: false + +# -- (int) Optionally customize the termination grace period in seconds. +# @default -- default depends on the kubernetes version. +terminationGracePeriodSeconds: + +ingress: + enabled: true + ingressClassName: + apiVersion: "" + labels: {} + # -- Check values.yaml for examples. + annotations: {} + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Use / for nginx. + path: /* + # -- Used when several paths under the same host, with different backend services, are required. + # Check values.yaml for examples. + paths: [] + # - path: "/path1" + # service: test1 + # port: + # - path: "/path2" + # service: test2 + # port: + pathType: ImplementationSpecific + host: "" + # -- Used when several hosts are required. + # Check values.yaml for examples. 
+ hosts: [] + # - host: chart-example.local + # paths: ["/"] + # service: chart-example1 + # - host: chart-example.local2 + # service: chart-example1 + # paths: ["/lala"] + # -- Check values.yaml for examples. + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +webhook_ingress: + # -- When true creates a secondary webhook. + enabled: false + ingressClassName: + apiVersion: "" + # -- Check values.yaml for examples. + annotations: {} + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Use / for nginx. + path: /* + # -- Used when several paths under the same host, with different backend services, are required. + # Check values.yaml for examples. + paths: [] + # - path: "/path1" + # service: test1 + # port: + # - path: "/path2" + # service: test2 + # port: + pathType: ImplementationSpecific + host: "" + # -- Used when several hosts are required. + # Check values.yaml for examples. + hosts: [] + # - host: chart-example.local + # paths: ["/"] + # service: chart-example1 + # - host: chart-example.local2 + # service: chart-example1 + # paths: ["/lala"] + # -- TLS configuration. + # Check values.yaml for examples. + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + labels: {} + +# -- Allows to override the /etc/ssl/certs/ca-certificates.cer with your custom one. +# You have to create a secret with the specified name. +customPem: "" + +# -- Resources for Atlantis. +# Check values.yaml for examples. +resources: {} +# resources: +# requests: +# memory: 1Gi +# cpu: 100m +# limits: +# memory: 1Gi +# cpu: 100m + +# -- Path to the data directory for the volumeMount. +atlantisDataDirectory: /atlantis-data + +volumeClaim: + enabled: true + # -- Disk space available to check out repositories. + dataStorage: 5Gi + # -- Storage class name (if possible, use a resizable one). 
+ storageClassName: "" + accessModes: ["ReadWriteOnce"] + +# -- DEPRECATED - Disk space available to check out repositories. +# Example: 5Gi. +dataStorage: "" +# -- DEPRECATED - Storage class name for Atlantis disk. +storageClassName: "" + +# -- Replica count for Atlantis pods. +replicaCount: 1 + +test: + # -- Enables test container. + enabled: true + image: bats/bats + imageTag: 1.9.0 + annotations: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, +# zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19). +# Check values.yaml for examples. +topologySpreadConstraints: [] +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: aws-example-cluster +# maxSkew: 1 +# topologyKey: topology.kubernetes.io/zone +# whenUnsatisfiable: DoNotSchedule + +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: true + # -- Set the `automountServiceAccountToken` field on the pod template spec. + # -- If false, no kubernetes service account token will be mounted to the pod. + mount: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: atlantis + # -- Annotations for the Service Account. + # Check values.yaml for examples. + annotations: + iam.gke.io/gcp-service-account: atlantis@${project_id}.iam.gserviceaccount.com + # annotations: + # annotation1: value + # annotation2: value + # IRSA example: + # annotations: + # eks.amazonaws.com/role-arn: role-arn + +# -- Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend. +enableKubernetesBackend: false + +# -- TLS Secret Name for Atlantis pod. +tlsSecretName: "" + +# -- Additional path (`:` separated) that will be appended to the system `PATH` environment variable. 
+extraPath: "" + +# -- Environment values to add to the Atlantis pod. +# Check values.yaml for examples. +environment: {} +# environment: +# ATLANTIS_DEFAULT_TF_VERSION: v1.2.9 + +# -- Optionally specify additional environment variables to be populated from Kubernetes secrets. +# Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets. +# Check values.yaml for examples. +environmentSecrets: [] +# environmentSecrets: +# - name: THE_ENV_VAR +# secretKeyRef: +# name: the_k8s_secret_name +# key: the_key_of_the_value_in_the_secret + +# -- Optionally specify additional environment variables in raw yaml format. +# Useful to specify variables refering to k8s objects. +# Check values.yaml for examples. +environmentRaw: [] +# environmentRaw: +# - name: POD_IP +# valueFrom: +# fieldRef: +# fieldPath: status.podIP + +# -- Optionally specify additional Kubernetes secrets to load environment variables from. +# All key-value pairs within these secrets will be set as environment variables. +# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. +# For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used. +# Check values.yaml for examples. +loadEnvFromSecrets: [] +# loadEnvFromSecrets: +# - secret_one +# - secret_two + +# -- Optionally specify additional Kubernetes ConfigMaps to load environment variables from. +# All key-value pairs within these ConfigMaps will be set as environment variables. +# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. +# For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used. +# Check values.yaml for examples. 
+loadEnvFromConfigMaps: [] +# loadEnvFromConfigMaps: +# - config_one +# - config_two + +# -- Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "$${file("/var/secrets/some-secret-name/key.json")}". +# Check values.yaml for examples. +googleServiceAccountSecrets: [] +# googleServiceAccountSecrets: +# - name: some-secret-name +# secretName: the_k8s_secret_name + +# -- Optionally specify additional volumes for the pod. +# Check values.yaml for examples. +extraVolumes: [] +# extraVolumes: +# - name: some-volume-name +# emptyDir: {} + +# -- Optionally specify additional volume mounts for the container. +# Check values.yaml for examples. +extraVolumeMounts: [] +# extraVolumeMounts: +# - name: some-volume-name +# mountPath: /path/in/container + +# -- Optionally specify additional manifests to be created. +# Check values.yaml for examples. +extraManifests: [] +# extraManifests: +# - apiVersion: cloud.google.com/v1beta1 +# kind: BackendConfig +# metadata: +# name: "{{ .Release.Name }}-test" +# spec: +# securityPolicy: +# name: "gcp-cloud-armor-policy-test" + +# -- Optionally specify init containers manifests to be added to the Atlantis pod. +# Check values.yaml for examples. +initContainers: [] +# initContainers: +# - name: example +# image: alpine:latest +# command: ['sh', '-c', 'echo The init container is running! && sleep 10'] + +initConfig: + # -- Install providers/plugins into a path shared with the Atlantis pod. + enabled: false + image: google/cloud-sdk:alpine + imagePullPolicy: IfNotPresent + # -- SharedDir is set as env var INIT_SHARED_DIR. + sharedDir: /plugins + sharedDirReadOnly: true + workDir: /tmp + # -- Size for the shared volume. + sizeLimit: 300Mi + # -- Security context for the container. + containerSecurityContext: {} + # -- Script to run on the init container. + # @default -- Check values.yaml. 
+ script: | + #!/bin/sh + set -eoux pipefail + + # example for terragrunt + TG_VERSION="v0.67.5" + TG_SHA256_SUM="4e5ae67854a774be6419f7215733990b481662375dc0bd5f2eda05211a692cf0" + TG_FILE="$${INIT_SHARED_DIR}/terragrunt" + wget https://github.com/gruntwork-io/terragrunt/releases/download/$${TG_VERSION}/terragrunt_linux_amd64 -O "$${TG_FILE}" + echo "$${TG_SHA256_SUM} $${TG_FILE}" | sha256sum -c + chmod 755 "$${TG_FILE}" + terragrunt -v + + # example for terragrunt-atlantis-config + TAC_VERSION="1.18.0" # without v + TAC_SHA256_SUM="59178dcd3e426abf4b5d8fcb1ac8dbdea548a04aa64eaf39be200484a5e6f2ca" + TAC_FILE="$${INIT_SHARED_DIR}/terragrunt-atlantis-config" + wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v$${TAC_VERSION}/terragrunt-atlantis-config_$${TAC_VERSION}_linux_amd64" + echo "$${TAC_SHA256_SUM} terragrunt-atlantis-config_$${TAC_VERSION}_linux_amd64" | sha256sum -c + cp -fv "terragrunt-atlantis-config_$${TAC_VERSION}_linux_amd64" "$${TAC_FILE}" + chmod 755 "$${TAC_FILE}" + terragrunt-atlantis-config version + +# -- Optionally specify hostAliases for the Atlantis pod. +# Check values.yaml for examples. +hostAliases: [] +# hostAliases: +# - hostnames: +# - aaa.com +# - test.ccc.com +# ip: 10.0.0.0 +# - hostnames: +# - bbb.com +# ip: 10.0.0.2 + +# -- Optionally specify dnsPolicy parameter to specify a DNS policy for a pod +# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "ClusterFirst" + +# -- Optionally specify dnsConfig for the Atlantis pod. +# Check values.yaml for examples. +dnsConfig: {} +# dnsConfig: +# nameservers: +# - 8.8.8.8 +# searches: +# - mydomain.com + +hostNetwork: false + +# - These annotations will be added to all the resources. +# Check values.yaml for examples. +extraAnnotations: {} +# extraAnnotations: +# team: example + +# -- Optionally specify extra arguments for the Atlantis pod. +# Check values.yaml for examples. 
+extraArgs: [] +# extraArgs: +# - --disable-autoplan +# - --disable-repo-locking + +# -- Optionally specify extra containers for the Atlantis pod. +# Check values.yaml for examples. +extraContainers: [] +# extraContainers: +# - name: +# args: +# - ... +# image: +# imagePullPolicy: IfNotPresent +# resources: +# limits: +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi +# volumeMounts: +# - ... + +# -- Check values.yaml for examples. +containerSecurityContext: {} +# containerSecurityContext: +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true + +servicemonitor: + # -- To enable a Prometheus servicemonitor, set enabled to true, + # and enable the metrics in this file's repoConfig + # by setting a value for metrics.prometheus.endpoint. + enabled: false + interval: "30s" + path: /metrics + # -- Prometheus ServiceMonitor labels. + additionalLabels: {} + auth: + # -- If auth is enabled on Atlantis, use one of the following mechanism. + basicAuth: + # -- Authentication from the secret generated with the basicAuth values + # this will reference the username and password keys + # from the atlantis-basic-auth secret. + enabled: false + externalSecret: + # -- Authentication based on an external secret + enabled: false + name: "" + # -- Check values.yaml for examples. + keys: {} + # keys: + # username: USERNAME + # password: ATLANTIS_WEB_PASSWORD + # -- Optional metric relabelings to drop or modify metrics. + metricRelabelings: [] + # metricRelabelings: + # - action: drop + # regex: "atlantis_project_apply_execution_.*" + # sourceLabels: [__name__] + +# -- Enable this if you're using Google Managed Prometheus. +podMonitor: + enabled: false + interval: "30s" + +# -- Set the desired Locking DB type +# Accepts boltdb or redis. +lockingDbType: "" + +# -- Configure Redis Locking DB. +# lockingDbType value must be redis for the config to take effect. +# Check values.yaml for examples. 
+redis: {} +# redis: +# host: redis.host.name +# password: myRedisPassword +# port: 6379 +# db: 0 +# tlsEnabled: false +# insecureSkipVerify: false + +# -- When managing secrets outside the chart for the Redis secret, use this variable to reference the secret name. +redisSecretName: "" + +# -- Key within the existing Redis secret that contains the password value. +redisSecretPasswordKey: password + +# -- Set lifecycle hooks. +# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/. +lifecycle: {} diff --git a/modules/infra/atlantis/variables.tf b/modules/infra/atlantis/variables.tf new file mode 100644 index 0000000..c2db351 --- /dev/null +++ b/modules/infra/atlantis/variables.tf @@ -0,0 +1,15 @@ +variable "project_id" { + type = string +} + +variable "github_username" { + type = string +} + +variable "github_token" { + type = string +} + +variable "webhook_secret" { + type = string +} diff --git a/projects/infra/main.tf b/projects/infra/main.tf index 1f207a5..e1fab3c 100644 --- a/projects/infra/main.tf +++ b/projects/infra/main.tf @@ -109,3 +109,16 @@ module "loki-stack" { module "dex" { source = "../../modules/infra/dex" } + +data "vault_kv_secret_v2" "github" { + mount = "kv" + name = "github" +} + +module "atlantis" { + source = "../../modules/infra/atlantis" + project_id = var.project_id + github_username = "goboolean-io" + github_token = data.vault_kv_secret_v2.github.data["admin_token"] + webhook_secret = data.vault_kv_secret_v2.github.data["atlantis_webhook_secret"] +} From 0021f30be21d62d9a55bb85c6ecad32be5c6b4f9 Mon Sep 17 00:00:00 2001 From: mulmuri Date: Tue, 18 Feb 2025 22:44:11 +0900 Subject: [PATCH 2/2] feat: wip --- modules/gcp/gke/namespace/main.tf | 24 +++++++++++++++ modules/infra/atlantis/values.yaml | 18 +++++++++--- modules/infra/atlantis/variables.tf | 8 +++++ projects/infra/main.tf | 45 +++++++++++++++++------------ 4 files changed, 72 insertions(+), 23 deletions(-) 
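Review bot: `image.tag: "latest"` with `pullPolicy: Always` means the pod that holds the GitHub token and the `atlantis@${project_id}` workload-identity binding is re-pulled as an unpinned, unreviewed image on every restart; pin it to the chart's appVersion or a digest, e.g. `tag: "v0.32.0"` (or leave `tag: ""` so the chart's appVersion is used) with `pullPolicy: IfNotPresent`. `ingress.enabled: true` is also left on with `host: ""` and no `ingressClassName` even though exposure is meant to go through the Istio VirtualService; on GKE the default class appears to provision an external GCE load balancer, which would give Atlantis a second, plaintext public endpoint matching all hosts — `enabled: false` seems intended. Lastly `containerSecurityContext: {}` leaves the container with default privileges; the chart's own example `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true` plus `capabilities: { drop: [ALL] }` is appropriate for a process that executes arbitrary Terraform providers.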
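Review bot: `github_token` and `webhook_secret` are declared without `sensitive = true`, so every value derived from them — including the rendered Helm values in `helm_release.atlantis` — is printed in plain text in plan output and in Atlantis' PR comments; add `sensitive = true` to both variable blocks so Terraform shows `(sensitive value)` instead. A one-line `description` on each variable (e.g. `description = "GitHub token Atlantis uses to clone repos and comment on PRs"`) would also document which scopes the token is expected to carry.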
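Review bot: `github_token = data.vault_kv_secret_v2.github.data["admin_token"]` hands a secret whose key name suggests org-admin scope to a service that runs `terraform init`/`plan` on every pull request — any provider or module pulled in by a PR then executes with that token available in the pod; Atlantis only needs repository read, pull-request and commit-status permissions. Consider a dedicated machine-user token limited to `repo` scope, or better the chart's `githubApp` block, which grants per-repository, short-lived credentials, and store it under its own Vault key rather than reusing `admin_token`. The actual scopes of `admin_token` are not visible here, so this is worth verifying rather than assuming.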
diff --git a/modules/gcp/gke/namespace/main.tf b/modules/gcp/gke/namespace/main.tf index ecee685..f63c18d 100644 --- a/modules/gcp/gke/namespace/main.tf +++ b/modules/gcp/gke/namespace/main.tf @@ -84,3 +84,27 @@ resource "kubernetes_namespace" "dex" { name = "dex" } } + +resource "kubernetes_namespace" "atlantis" { + metadata { + name = "atlantis" + } +} + +resource "kubernetes_namespace" "kiali" { + metadata { + name = "kiali" + } +} + +resource "kubernetes_namespace" "open-webui" { + metadata { + name = "open-webui" + } +} + +resource "kubernetes_namespace" "redis" { + metadata { + name = "redis" + } +} diff --git a/modules/infra/atlantis/values.yaml b/modules/infra/atlantis/values.yaml index d65a971..de63a1b 100644 --- a/modules/infra/atlantis/values.yaml +++ b/modules/infra/atlantis/values.yaml @@ -15,10 +15,10 @@ atlantisUrl: "https://atlantis.goboolean.io" # Example: http://10.0.0.0 # -- Replace this with your own repo allowlist. -orgAllowlist: "github.com/goboolean/*" +orgAllowlist: "github.com/goboolean/infrastructure" # -- Deprecated in favor of orgAllowlist. -orgWhitelist: "" +orgWhitelist: "github.com/goboolean/infrastructure" # -- Specify the log level for Atlantis. # Accepts: debug, info, warn, or error. @@ -208,7 +208,13 @@ config: "" # -- Use Server Side Repo Config, # ref: https://www.runatlantis.io/docs/server-side-repo-config.html. # Check values.yaml for examples. -repoConfig: "" +repoConfig: | + repos: + - id: "github.com/goboolean/infrastructure" + apply_requirements: [] + workflow: default + allowed_overrides: [workflow] + allow_custom_workflows: true # Example with default configuration: # repoConfig: | # --- @@ -422,7 +428,11 @@ customPem: "" # -- Resources for Atlantis. # Check values.yaml for examples. -resources: {} +resources: + limits: + memory: 1500Mi + cpu: 1Gi + # resources: # requests: # memory: 1Gi diff --git a/modules/infra/atlantis/variables.tf b/modules/infra/atlantis/variables.tf index c2db351..5c1ec01 100644 
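Review bot: The new `kubernetes_namespace` resources are created with bare metadata, so the `atlantis` namespace — where PR-triggered Terraform runs with a GKE service account — gets no Pod Security Admission labels and (if the cluster uses Istio sidecar injection, as the VirtualService suggests) no `istio-injection` label. Consider adding `labels = { "pod-security.kubernetes.io/enforce" = "baseline" }` to the `atlantis` namespace; `restricted` would be preferable but requires the chart's empty `containerSecurityContext` to be filled in first. The `kiali`, `open-webui` and `redis` namespaces are unrelated to the Atlantis subject of this commit and would be easier to review in their own change.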
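Review bot: The new `repoConfig` sets `allow_custom_workflows: true` with `allowed_overrides: [workflow]` and `apply_requirements: []`, which lets anyone able to open a PR against `goboolean/infrastructure` define a `run:` step in the repo's `atlantis.yaml` and have it executed inside the Atlantis pod with the GitHub token and the GKE service account, and with `automerge: true` a successful apply then merges the PR without any reviewer. The repo's own `atlantis.yaml` only references `workflow: default`, so custom workflows appear unneeded: set `allow_custom_workflows: false`, `allowed_overrides: []` and `apply_requirements: [approved, mergeable]` so an apply needs a reviewed, mergeable PR. `allowForkPRs: false` limits this to collaborators but does not remove the arbitrary-execution path.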
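Review bot: `cpu: 1Gi` under `resources.limits` is a memory-style quantity; as a CPU quantity it means 1073741824 cores, and because no `requests` block is given Kubernetes sets requests equal to limits, so the StatefulSet pod can never be scheduled. Use `cpu: "1"` (or `1000m`) and add explicit `requests` (e.g. `cpu: 200m`, `memory: 512Mi`) so the pod has a bounded but schedulable footprint. The `orgAllowlist` hunk above also sets the deprecated `orgWhitelist` to the same value; only `orgAllowlist` is needed.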
--- a/modules/infra/atlantis/variables.tf +++ b/modules/infra/atlantis/variables.tf @@ -13,3 +13,11 @@ variable "github_token" { variable "webhook_secret" { type = string } + +variable "username" { + type = string +} + +variable "password" { + type = string +} diff --git a/projects/infra/main.tf b/projects/infra/main.tf index e1fab3c..cf46a42 100644 --- a/projects/infra/main.tf +++ b/projects/infra/main.tf @@ -5,6 +5,25 @@ terraform { } } +data "vault_kv_secret_v2" "harbor" { + mount = "kv" + name = "infra/harbor" +} + +module "harbor" { + source = "../../modules/infra/harbor" + harbor_username = data.vault_kv_secret_v2.harbor.data["username"] + harbor_password = data.vault_kv_secret_v2.harbor.data["password"] +} + +module "harbor_policy" { + source = "../../modules/infra/harbor/policy" + providers = { + harbor = harbor + } +} + + module "argocd" { source = "../../modules/infra/argocd" } @@ -29,25 +48,6 @@ module "opentelemetry" { # } # } - -data "vault_kv_secret_v2" "harbor" { - mount = "kv" - name = "infra/harbor" -} - -module "harbor" { - source = "../../modules/infra/harbor" - harbor_username = data.vault_kv_secret_v2.harbor.data["username"] - harbor_password = data.vault_kv_secret_v2.harbor.data["password"] -} - -module "harbor_policy" { - source = "../../modules/infra/harbor/policy" - providers = { - harbor = harbor - } -} - data "vault_kv_secret_v2" "postgresql" { mount = "kv" name = "infra/postgresql" @@ -115,10 +115,17 @@ data "vault_kv_secret_v2" "github" { name = "github" } +data "vault_kv_secret_v2" "atlantis" { + mount = "kv" + name = "infra/atlantis" +} + module "atlantis" { source = "../../modules/infra/atlantis" project_id = var.project_id github_username = "goboolean-io" github_token = data.vault_kv_secret_v2.github.data["admin_token"] webhook_secret = data.vault_kv_secret_v2.github.data["atlantis_webhook_secret"] + username = data.vault_kv_secret_v2.atlantis.data["username"] + password = data.vault_kv_secret_v2.atlantis.data["password"] }
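Review bot: The new `username` and `password` variables carry the Atlantis basic-auth credentials yet are not marked `sensitive`, so their values show up in plan output (and therefore in the PR comments Atlantis posts) once they are used; add `sensitive = true` to both, and a `description` such as `description = "Basic-auth credentials for the Atlantis web UI"` so the purpose is clear to callers of the module.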
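Review bot: `module "atlantis"` now passes `username` and `password` from Vault, but judging by this series' diffstat `modules/infra/atlantis/main.tf` is untouched and its `locals` block still renders the literals `"username"` / `"password"` into `basicAuth`, so the Vault wiring has no effect and the UI keeps default credentials unless a change outside this series fixes it; the module needs `username = var.username` and `password = var.password` in that `locals` block. The harbor block move at the top of the file is a pure reorder and fine as is.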