diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..5c7e77a --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,17 @@ + + +## Ticket + + + +## Problem + + + +## Solution + + + +## Testing + + \ No newline at end of file diff --git a/ATLANTIS_SETUP.md b/ATLANTIS_SETUP.md new file mode 100644 index 0000000..4b676b6 --- /dev/null +++ b/ATLANTIS_SETUP.md 
@@ -0,0 +1,183 @@ +# Atlantis Setup Guide + +This guide will help you set up Atlantis for your GitOps repository to enable Terraform and Helm automation via GitHub comments. + +## Prerequisites + +1. **GitHub Personal Access Token** or **GitHub App** +2. **Domain name** for Atlantis (or use port-forwarding for testing) +3. **Kubernetes cluster** with ArgoCD running + +## Setup Steps + +### 1. Create GitHub Personal Access Token + +1. Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic) +2. Click "Generate new token (classic)" +3. Give it a name like "Atlantis GitOps" +4. Select scopes: + - `repo` (Full control of private repositories) + - `write:discussion` (Write team discussions) + - `admin:org` (if using organization webhooks) +5. Copy the token (you won't see it again!) + +### 2. Create GitHub App (Alternative to Personal Access Token) + +If you prefer using a GitHub App: + +1. Go to GitHub Settings → Developer settings → GitHub Apps +2. Click "New GitHub App" +3. Fill in: + - **GitHub App name**: `atlantis-gitops` + - **Homepage URL**: `https://atlantis.yourdomain.com` + - **Webhook URL**: `https://atlantis.yourdomain.com/events` + - **Webhook secret**: Generate a random string +4. Select permissions: + - **Repository permissions**: + - Contents: Read + - Issues: Write + - Pull requests: Write + - Metadata: Read + - **Subscribe to events**: + - Pull request + - Issue comment + - Pull request review +5. Download the private key + +### 3. Update Atlantis Configuration + +Edit `helm/atlantis/values.yaml`: + +```yaml +atlantis: + env: + # Update these values + ATLANTIS_REPO_ALLOWLIST: "github.com/nwthomas/gitops" # Your repo + ATLANTIS_ATLANTIS_URL: "https://atlantis.yourdomain.com" # Your domain + GITHUB_USER: "nwthomas" # Your GitHub username + + # If using GitHub App, uncomment and set: + # GITHUB_APP_ID: "123456" # Your GitHub App ID +``` + +### 4. 
Create Kubernetes Secret + +Create the secret with your GitHub token: + +```bash +# For Personal Access Token +kubectl create secret generic atlantis-secrets \ + --from-literal=github-token="YOUR_GITHUB_TOKEN" \ + -n atlantis + +# For GitHub App (also include the private key) +kubectl create secret generic atlantis-secrets \ + --from-literal=github-token="YOUR_GITHUB_TOKEN" \ + --from-file=github-app-key=path/to/your/private-key.pem \ + -n atlantis +``` + +### 5. Set Up GitHub Webhook + +1. Go to your repository settings → Webhooks +2. Click "Add webhook" +3. Fill in: + - **Payload URL**: `https://atlantis.yourdomain.com/events` + - **Content type**: `application/json` + - **Secret**: (if using GitHub App, use the webhook secret) + - **Events**: Select "Let me select individual events" + - Pull requests + - Issue comments + - Pull request reviews +4. Click "Add webhook" + +### 6. Deploy Atlantis + +1. Commit and push your changes to the repository +2. ArgoCD will automatically deploy Atlantis +3. Check the deployment: + +```bash +kubectl get pods -n atlantis +kubectl get svc -n atlantis +kubectl get ingress -n atlantis +``` + +### 7. Test the Setup + +1. Create a test pull request that modifies files in the `/helm` directory +2. Comment on the PR: `atlantis plan` +3. Atlantis should respond with a plan +4. If the plan looks good, comment: `atlantis apply` +5. 
Atlantis will apply the changes + +## Usage + +### Available Commands + +- `atlantis plan` - Run terraform plan +- `atlantis apply` - Apply terraform changes +- `atlantis plan -p ` - Plan specific project +- `atlantis apply -p ` - Apply specific project +- `atlantis unlock` - Unlock a locked workspace +- `atlantis help` - Show help + +### Project Structure + +Atlantis monitors these directories: +- `/helm/*` - Helm charts +- `/terraform` - Terraform configurations +- `/argocd/apps/*` - ArgoCD applications + +### Security Features + +- **User Restriction**: Only `nwthomas` can run Atlantis commands +- **Approval Required**: All changes require PR approval +- **Mergeable Required**: PR must be mergeable before applying +- **Repository Allowlist**: Only your specific repository is allowed + +## Troubleshooting + +### Check Atlantis Logs + +```bash +kubectl logs -f deployment/atlantis -n atlantis +``` + +### Verify Webhook Delivery + +1. Go to your repository → Settings → Webhooks +2. Click on your webhook +3. Check "Recent Deliveries" for any failed deliveries + +### Common Issues + +1. **Webhook not working**: Check the webhook URL and secret +2. **Permission denied**: Verify GitHub token has correct permissions +3. **Atlantis not responding**: Check logs and ensure the service is running +4. **Terraform errors**: Check the terraform configuration and state + +### Port Forwarding for Testing + +If you don't have a domain set up yet: + +```bash +kubectl port-forward svc/atlantis 4141:4141 -n atlantis +``` + +Then use `http://localhost:4141` as your webhook URL temporarily. + +## Security Considerations + +1. **GitHub Token**: Store securely and rotate regularly +2. **Webhook Secret**: Use a strong, random secret +3. **RBAC**: Atlantis has minimal required permissions +4. **Network**: Use HTTPS for webhook URLs +5. **Monitoring**: Monitor Atlantis logs for suspicious activity + +## Next Steps + +1. Set up monitoring for Atlantis +2. 
Configure backup for Atlantis data +3. Set up alerting for failed plans/applies +4. Consider setting up Atlantis for multiple repositories diff --git a/argocd/apps/atlantis/atlantis-app.yaml b/argocd/apps/atlantis/atlantis-app.yaml new file mode 100644 index 0000000..b429449 --- /dev/null +++ b/argocd/apps/atlantis/atlantis-app.yaml @@ -0,0 +1,26 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: atlantis-app + namespace: argocd + finalizers: + - resources-finalizer.argocd.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/nwthomas/gitops.git + targetRevision: main + path: helm/atlantis + helm: + valueFiles: + - values.yaml + destination: + server: https://kubernetes.default.svc + namespace: atlantis + syncPolicy: + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argocd/namespaces/atlantis-namespace-app.yaml b/argocd/namespaces/atlantis-namespace-app.yaml new file mode 100644 index 0000000..26b7ad9 --- /dev/null +++ b/argocd/namespaces/atlantis-namespace-app.yaml @@ -0,0 +1,21 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: atlantis-namespace-app + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/nwthomas/gitops.git + targetRevision: main + path: argocd/apps/atlantis + helm: + valueFiles: + - values.yaml + destination: + server: https://kubernetes.default.svc + namespace: atlantis + syncPolicy: + syncOptions: + - CreateNamespace=true + - Prune=true diff --git a/atlantis.yaml b/atlantis.yaml new file mode 100644 index 0000000..6756853 --- /dev/null +++ b/atlantis.yaml 
@@ -0,0 +1,94 @@ +version: 3 +projects: +# Monitor the helm directory for changes +- name: helm-argocd + dir: helm/argocd + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-cert-manager + dir: helm/cert-manager + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-grafana + dir: helm/grafana + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-longhorn + dir: helm/longhorn + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-prometheus + dir: helm/prometheus + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-prometheus-operator + dir: helm/prometheus-operator + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-prometheus-service-monitors + dir: helm/prometheus-service-monitors + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +- name: helm-atlantis + dir: helm/atlantis + workflow: default + autoplan: + when_modified: ["**/*.yaml", "**/*.yml", "**/*.tpl"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +# Monitor the terraform directory 
for changes +- name: terraform-namespaces + dir: terraform + workflow: default + autoplan: + when_modified: ["**/*.tf", "**/*.tfvars"] + enabled: true + apply_requirements: ["approved", "mergeable"] + allowed_users: ["nwthomas"] + +workflows: + default: + plan: + steps: + - init + - plan + apply: + steps: + - apply diff --git a/helm/atlantis/Chart.yaml b/helm/atlantis/Chart.yaml new file mode 100644 index 0000000..bad1b0a --- /dev/null +++ b/helm/atlantis/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: atlantis +description: Atlantis is a tool for Terraform pull request automation +type: application +version: 0.1.0 +appVersion: "0.27.0" +keywords: + - atlantis + - terraform + - gitops + - automation +home: https://www.runatlantis.io/ +sources: + - https://github.com/runatlantis/atlantis +maintainers: + - name: Atlantis Team + email: atlantis@runatlantis.io diff --git a/helm/atlantis/templates/_helpers.tpl b/helm/atlantis/templates/_helpers.tpl new file mode 100644 index 0000000..9870e4b --- /dev/null +++ b/helm/atlantis/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "atlantis.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "atlantis.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "atlantis.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "atlantis.labels" -}} +helm.sh/chart: {{ include "atlantis.chart" . }} +{{ include "atlantis.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "atlantis.selectorLabels" -}} +app.kubernetes.io/name: {{ include "atlantis.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "atlantis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "atlantis.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/helm/atlantis/templates/deployment.yaml b/helm/atlantis/templates/deployment.yaml new file mode 100644 index 0000000..1428e1a --- /dev/null +++ b/helm/atlantis/templates/deployment.yaml 
@@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "atlantis.fullname" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "atlantis.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "atlantis.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "atlantis.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: atlantis + image: "{{ .Values.atlantis.image.repository }}:{{ .Values.atlantis.image.tag }}" + imagePullPolicy: {{ .Values.atlantis.image.pullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + ports: + - name: http + containerPort: {{ .Values.atlantis.service.targetPort }} + protocol: TCP + env: + - name: ATLANTIS_REPO_ALLOWLIST + value: {{ .Values.atlantis.env.ATLANTIS_REPO_ALLOWLIST | quote }} + - name: ATLANTIS_DATA_DIR + value: {{ .Values.atlantis.env.ATLANTIS_DATA_DIR | quote }} + - name: ATLANTIS_ATLANTIS_URL + value: {{ .Values.atlantis.env.ATLANTIS_ATLANTIS_URL | quote }} + - name: GITHUB_USER + value: {{ .Values.atlantis.env.GITHUB_USER | quote }} + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: {{ include "atlantis.fullname" . 
}}-secrets + key: github-token + - name: ATLANTIS_REPO_CONFIG_JSON + value: {{ .Values.atlantis.env.ATLANTIS_REPO_CONFIG_JSON | quote }} + {{- if .Values.atlantis.env.GITHUB_APP_ID }} + - name: GITHUB_APP_ID + value: {{ .Values.atlantis.env.GITHUB_APP_ID | quote }} + - name: GITHUB_APP_KEY_FILE + value: {{ .Values.atlantis.env.GITHUB_APP_KEY_FILE | quote }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.atlantis.resources | nindent 10 }} + volumeMounts: + - name: atlantis-data + mountPath: {{ .Values.atlantis.env.ATLANTIS_DATA_DIR }} + {{- if .Values.atlantis.env.GITHUB_APP_ID }} + - name: github-app-key + mountPath: /atlantis-data + readOnly: true + {{- end }} + volumes: + - name: atlantis-data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "atlantis.fullname" . }}-pvc + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.atlantis.env.GITHUB_APP_ID }} + - name: github-app-key + secret: + secretName: {{ include "atlantis.fullname" . }}-secrets + items: + - key: github-app-key + path: github-app-key.pem + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/helm/atlantis/templates/ingress.yaml b/helm/atlantis/templates/ingress.yaml new file mode 100644 index 0000000..36f2112 --- /dev/null +++ b/helm/atlantis/templates/ingress.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.atlantis.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "atlantis.fullname" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} + {{- with .Values.atlantis.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.atlantis.ingress.className }} + ingressClassName: {{ .Values.atlantis.ingress.className }} + {{- end }} + {{- if .Values.atlantis.ingress.tls }} + tls: + {{- range .Values.atlantis.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.atlantis.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "atlantis.fullname" $ }} + port: + number: {{ $.Values.atlantis.service.port }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm/atlantis/templates/pvc.yaml b/helm/atlantis/templates/pvc.yaml new file mode 100644 index 0000000..488650d --- /dev/null +++ b/helm/atlantis/templates/pvc.yaml @@ -0,0 +1,17 @@ +{{- if .Values.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "atlantis.fullname" . }}-pvc + labels: + {{- include "atlantis.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass }} + {{- end }} +{{- end }} diff --git a/helm/atlantis/templates/rbac.yaml b/helm/atlantis/templates/rbac.yaml new file mode 100644 index 0000000..9fd5354 --- /dev/null +++ b/helm/atlantis/templates/rbac.yaml 
@@ -0,0 +1,97 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "atlantis.fullname" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + - podmonitors + - prometheusrules + - probes + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - argoproj.io + resources: + - applications + - applicationsets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "atlantis.fullname" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "atlantis.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "atlantis.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/helm/atlantis/templates/secret.yaml b/helm/atlantis/templates/secret.yaml new file mode 100644 index 0000000..435b47e --- /dev/null +++ b/helm/atlantis/templates/secret.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "atlantis.fullname" . }}-secrets + labels: + {{- include "atlantis.labels" . | nindent 4 }} +type: Opaque +data: + # GitHub token (base64 encoded) + # You need to create this secret manually with your GitHub token + github-token: "" # base64 encoded GitHub token + {{- if .Values.atlantis.env.GITHUB_APP_ID }} + # GitHub App private key (base64 encoded) + # You need to create this secret manually with your GitHub App private key + github-app-key: "" # base64 encoded GitHub App private key + {{- end }} diff --git a/helm/atlantis/templates/service.yaml b/helm/atlantis/templates/service.yaml new file mode 100644 index 0000000..68f9654 --- /dev/null +++ b/helm/atlantis/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "atlantis.fullname" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} +spec: + type: {{ .Values.atlantis.service.type }} + ports: + - port: {{ .Values.atlantis.service.port }} + targetPort: {{ .Values.atlantis.service.targetPort }} + protocol: TCP + name: http + selector: + {{- include "atlantis.selectorLabels" . | nindent 4 }} diff --git a/helm/atlantis/templates/serviceaccount.yaml b/helm/atlantis/templates/serviceaccount.yaml new file mode 100644 index 0000000..b66589d --- /dev/null +++ b/helm/atlantis/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "atlantis.serviceAccountName" . }} + labels: + {{- include "atlantis.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/atlantis/values.yaml b/helm/atlantis/values.yaml new file mode 100644 index 0000000..8e8c48b --- /dev/null +++ b/helm/atlantis/values.yaml 
@@ -0,0 +1,114 @@ +# Default values for atlantis +# This chart deploys Atlantis for Terraform pull request automation + +# Global settings +global: + imageRegistry: "" + imagePullSecrets: [] + +# Atlantis configuration +atlantis: + # Image configuration + image: + repository: runatlantis/atlantis + tag: "v0.27.0" + pullPolicy: IfNotPresent + + # Service configuration + service: + type: ClusterIP + port: 4141 + targetPort: 4141 + + # Ingress configuration + ingress: + enabled: true + className: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + hosts: + - host: atlantis.yourdomain.com # Change this to your domain + paths: + - path: / + pathType: Prefix + tls: + - secretName: atlantis-tls + hosts: + - atlantis.yourdomain.com # Change this to your domain + + # Resource configuration + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" + + # Environment variables + env: + # GitHub configuration + ATLANTIS_REPO_ALLOWLIST: "github.com/nwthomas/gitops" # Your GitHub repo + ATLANTIS_DATA_DIR: "/atlantis-data" + ATLANTIS_ATLANTIS_URL: "https://atlantis.yourdomain.com" # Change this to your domain + + # GitHub App or Personal Access Token (set via secret) + GITHUB_TOKEN: "" # Will be set via secret + GITHUB_USER: "nwthomas" # Your GitHub username + GITHUB_APP_ID: "" # If using GitHub App + GITHUB_APP_KEY_FILE: "/atlantis-data/github-app-key.pem" # If using GitHub App + + # Webhook configuration + ATLANTIS_REPO_CONFIG_JSON: | + { + "repos": [ + { + "id": "/.*/", + "allowed_users": ["nwthomas"], # Only allow your GitHub username + "allowed_merge_methods": ["merge", "squash"], + "apply_requirements": ["approved", "mergeable"], + "workflow": "default" + } + ] + } + +# Security context +securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +# Pod security context +podSecurityContext: + runAsNonRoot: true + 
runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +# Service account +serviceAccount: + create: true + name: atlantis + annotations: {} + +# RBAC +rbac: + create: true + +# Persistence +persistence: + enabled: true + storageClass: "longhorn" + accessMode: ReadWriteOnce + size: 10Gi + +# Node selector +nodeSelector: {} + +# Tolerations +tolerations: [] + +# Affinity +affinity: {}
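Review bot: In ATLANTIS_SETUP.md step 1 the token scopes are over-broad and step 5 makes the webhook secret optional, while nothing in the chart ever passes a webhook secret to Atlantis. `repo` is the only classic-PAT scope Atlantis needs for a GitHub repository; `write:discussion` and `admin:org` grant nothing Atlantis uses and only widen the blast radius if the token leaks. The webhook secret is what lets Atlantis verify that a POST to `/events` really came from GitHub; without it, anyone who can reach the ingress can forge an `issue_comment` payload carrying `atlantis apply` under an allowed user's login. Always set a secret on the GitHub webhook (not only in the GitHub App case), store it next to `github-token` in the Secret, and expose it to the container as `ATLANTIS_GH_WEBHOOK_SECRET`; the doc should list that as a required step.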
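Review bot: Step 4 of ATLANTIS_SETUP.md creates `atlantis-secrets`, and the troubleshooting section references `deployment/atlantis` and `svc/atlantis`, but none of those names match what the chart renders. Every resource name comes from `atlantis.fullname`, which resolves to the Argo CD Application name `atlantis-app` because the release name already contains the chart name, so the Deployment reads `GITHUB_TOKEN` from `atlantis-app-secrets`, not from the manually created `atlantis-secrets`, and the `kubectl logs` / `port-forward` commands fail with not-found. Either pin the release name in the Application (`spec.source.helm.releaseName: atlantis`) or update the doc to the rendered names. Separately, the port-forwarding section says to use `http://localhost:4141` as the webhook URL; GitHub cannot deliver webhooks to a loopback address, so that step cannot work as written and should point at a tunnel or be removed.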
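Review bot: In argocd/apps/atlantis/atlantis-app.yaml the finalizer is misspelled: `resources-finalizer.argocd.argocd.argoproj.io` repeats `argocd.`. The value Argo CD recognises is `resources-finalizer.argocd.argoproj.io`; with the typo, deleting the Application will not cascade-delete the Atlantis resources, which is the only reason the finalizer is there. Also note that `automated.selfHeal: true` together with the chart's templated Secret in helm/atlantis/templates/secret.yaml means Argo CD will keep resetting the token to the template's empty value.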
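Review bot: argocd/namespaces/atlantis-namespace-app.yaml points `source.path` at `argocd/apps/atlantis` with `helm.valueFiles: [values.yaml]`, but that directory holds only `atlantis-app.yaml` (a plain Application manifest) and no chart or values.yaml, so the sync will fail. If the intent is an app-of-apps that creates the `atlantis` namespace and the child Application, drop the `helm:` block so Argo CD treats the directory as raw manifests. `syncOptions: - Prune=true` is also not a sync option I know of; pruning is enabled with `syncPolicy.automated.prune: true`, as the sibling Application already does.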
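Review bot: atlantis.yaml will not pass Atlantis's repo-config validation as written, and the Helm projects run the wrong tool. Repo-level `apply_requirements` and `workflow` keys are only accepted when the server-side config lists them under `allowed_overrides`, and the `ATLANTIS_REPO_CONFIG_JSON` in values.yaml sets no `allowed_overrides`, so Atlantis rejects this file. `allowed_users` is not a repo-level project key as far as I know, so the restriction the setup doc promises ("Only `nwthomas` can run Atlantis commands") is not enforced by anything in this patch; the server-side `--gh-team-allowlist` (`ATLANTIS_GH_TEAM_ALLOWLIST`) is the mechanism Atlantis provides for that. The eight `helm-*` projects all use the `default` workflow whose steps are `init` and `plan`, i.e. `terraform init` and `terraform plan` inside a Helm chart directory with no `.tf` files; they will plan nothing, and those charts are already reconciled by Argo CD, so either give them a custom workflow with `run: helm ...` steps or drop them. Finally the doc says Atlantis monitors `/argocd/apps/*`, but no such project exists here.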
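Review bot: helm/atlantis/Chart.yaml lists `Atlantis Team` / `atlantis@runatlantis.io` as maintainer, but this chart is written in this repo, not the upstream one under github.com/runatlantis. Put the repo owner as maintainer so `helm show chart` does not send people to the wrong place, and consider whether depending on the upstream chart, which already wires the `ATLANTIS_GH_*` variables and the webhook secret, would be simpler than maintaining a hand-rolled copy.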
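Review bot: helm/atlantis/templates/deployment.yaml wires credentials to environment variables the Atlantis server does not read. Atlantis takes its settings from `ATLANTIS_`-prefixed variables derived from its flags (`ATLANTIS_GH_USER`, `ATLANTIS_GH_TOKEN`, `ATLANTIS_GH_APP_ID`, `ATLANTIS_GH_APP_KEY_FILE`), while this template sets `GITHUB_USER`, `GITHUB_TOKEN`, `GITHUB_APP_ID` and `GITHUB_APP_KEY_FILE`; only `ATLANTIS_REPO_ALLOWLIST`, `ATLANTIS_DATA_DIR`, `ATLANTIS_ATLANTIS_URL` and `ATLANTIS_REPO_CONFIG_JSON` use the right names, so the server starts without VCS credentials. In the GitHub App branch the key volume is mounted at `mountPath: /atlantis-data`, the same path as the `atlantis-data` volume; Kubernetes requires mountPaths to be unique within a container, so that Pod spec is rejected. Mount the key somewhere separate such as `/etc/atlantis/github-app-key.pem` (via `subPath` or a dedicated directory) and point the key-file variable there. The container `securityContext` is rendered from `.Values.securityContext`, which includes `fsGroup`, a pod-level-only field that strict validation under `ServerSideApply=true` will reject; move `fsGroup` to `podSecurityContext` and add `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }` at the container level.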
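Review bot: helm/atlantis/templates/ingress.yaml publishes the whole Atlantis server at `path: /`, which includes the web UI (lock list, plan output, discard-lock actions) and not just the `/events` webhook endpoint, and the TLS block references `atlantis-tls` with no cert-manager annotation even though cert-manager is managed in this repo, so no certificate will be issued for that secret. Add the issuer annotation (or create the secret out of band) and protect the UI: Atlantis supports `ATLANTIS_WEB_BASIC_AUTH` with `ATLANTIS_WEB_USERNAME` / `ATLANTIS_WEB_PASSWORD`, or restrict the route to GitHub's webhook source ranges plus your own addresses with a Traefik middleware.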
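Review bot: helm/atlantis/templates/rbac.yaml grants a cluster-wide ClusterRole with create/update/delete on `secrets`, `configmaps`, `pods`, all `apps` workloads, Ingresses and Argo CD `applications`, bound to the Atlantis ServiceAccount, which contradicts the setup doc's claim that "Atlantis has minimal required permissions". The Atlantis server itself needs no Kubernetes API access; only Terraform run through it would, and `terraform plan` (which `autoplan` triggers for every PR) already executes provider and `external` data-source code, so with this binding a plan from any PR branch can read every Secret in the cluster. Meanwhile the one project that plausibly needs the API, `terraform-namespaces`, would need `namespaces` permissions, which this role does not grant. Either scope the role to what the Terraform actually manages, or set `automountServiceAccountToken: false` on the ServiceAccount in serviceaccount.yaml and give Terraform a dedicated, narrowly scoped credential.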
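Review bot: helm/atlantis/templates/secret.yaml renders a Secret whose `github-token` (and `github-app-key`) value is the empty string, with a comment telling the operator to create the same Secret manually. The two cannot coexist: the Deployment reads `github-token` from this templated object, and Argo CD with `selfHeal: true` rewrites a manually populated Secret back to empty on the next sync, so the token silently disappears. Drop this template and reference an externally managed Secret name from values (for example an `existingSecret` value consumed by the `secretKeyRef`), or manage it with SealedSecrets / External Secrets so the credential never has a templated empty placeholder in git.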
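Review bot: In helm/atlantis/values.yaml the `ATLANTIS_REPO_CONFIG_JSON` block is not valid JSON: the YAML `|` block scalar keeps the line `"allowed_users": ["nwthomas"], # Only allow your GitHub username` verbatim, and `#` comments are not part of JSON, so Atlantis fails to parse its server-side repo config at startup. Move the comment out of the string. `allowed_users` is also not a server-side `repos` key as far as I know, and without `"allowed_overrides": ["apply_requirements", "workflow"]` here the repo-level atlantis.yaml in this same patch is rejected. The `GITHUB_TOKEN: ""` entry is misleading because the Deployment never reads it from values, and `securityContext` duplicates `podSecurityContext` including `fsGroup`, which is not a container-level field.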