Atlantis

⚠️ DEPRECATED Further development was moved to https://github.com/runatlantis/helm-charts

Atlantis is a tool for safe collaboration on Terraform repositories.

Introduction

This chart creates a single pod in a StatefulSet running Atlantis. Atlantis persists Terraform plan files and lock files to disk for the duration of a Pull/Merge Request. These files are stored in a PersistentVolumeClaim to survive Pod failures.

Prerequisites

Kubernetes 1.9+
PersistentVolume support

Required Configuration

In order for Atlantis to start and run successfully:

At least one of the following sets of credentials must be defined:
- github
- gitlab
- bitbucket
Refer to values.yaml for detailed examples. They can also be provided directly through a Kubernetes Secret, use the variable vcsSecretName to reference it.
Supply a value for orgWhitelist, e.g. github.org/myorg/*.

Additional manifests

It is possible to add additional manifests into a deployment, to extend the chart. One of the reason is to deploy a manifest specific to a cloud provider ( BackendConfig on GKE for example ).

yaml

extraManifests:
  - apiVersion: cloud.google.com/v1beta1
    kind: BackendConfig
    metadata:
      name: "{{ .Release.Name }}-test"
    spec:
      securityPolicy:
        name: "gcp-cloud-armor-policy-test"

Customization

The following options are supported. See values.yaml for more detailed documentation and examples:

Parameter	Description	Default
`dataStorage`	Amount of storage available for Atlantis' data directory (mostly used to check out git repositories).	`5Gi`
`aws.config`	Contents of a file to be mounted to `~/.aws/config`.	n/a
`aws.credentials`	Contents of a file to be mounted to `~/.aws/credentials`.	n/a
`awsSecretName`	Secret name containing AWS credentials - will override aws.credentials and aws.config. Will be used a volume mount on `$HOME/.aws`, so it needs a `credentials` key. The key `config` is optional. See the file `templates/secret-aws.yml` for more info on the Secret contents.	n/a
`bitbucket.user`	Name of the Atlantis Bitbucket user.	n/a
`bitbucket.token`	Personal access token for the Atlantis Bitbucket user.	n/a
`bitbucket.secret`	Webhook secret for Bitbucket repositories (Bitbucket Server only).	n/a
`bitbucket.baseURL`	Base URL of Bitbucket Server installation.	n/a
`environment`	Map of environment variables for the container.	`{}`
`environmentSecrets`	Array of Kubernetes secrets that can be used to set environment variables. See `values.yaml` for example.	`{}`
`loadEnvFromSecrets`	Array of Kubernetes secrets to set all key-value pairs as environment variables. See `values.yaml` for example.	`[]`
`extraVolumes`	List of additional volumes available to the pod.	`[]`
`extraVolumeMounts`	List of additional volumes mounted to the container.	`[]`
`imagePullSecrets`	List of secrets for pulling images from private registries.	`[]`
`gitconfig`	Contents of a file to be mounted to `~/.gitconfig`. Use to allow redirection for Terraform modules in private git repositories.	n/a
`gitconfigSecretName`	Name of a pre-existing Kubernetes `Secret` containing a `gitconfig` key. Use this instead of `gitconfig` (optional)	n/a
`command`	Optionally override the `command` field of the Atlantis Docker container. If not set, the default Atlantis `ENTRYPOINT` is used. Must be an array.	n/a
`github.user`	Name of the Atlantis GitHub user.	n/a
`github.token`	Personal access token for the Atlantis GitHub user.	n/a
`github.secret`	Repository or organization-wide webhook secret for the Atlantis GitHub integration. All repositories in GitHub that are to be integrated with Atlantis must share the same value.	n/a
`github.hostname`	Hostname of your GitHub Enterprise installation.	n/a
`gitlab.user`	Repository or organization-wide secret for the Atlantis GitLab,integration. All repositories in GitLab that are to be integrated with Atlantis must share the same value.	n/a
`gitlab.token`	Personal access token for the Atlantis GitLab user.	n/a
`gitlab.secret`	Webhook secret for the Atlantis GitLab integration. All repositories in GitLab that are to be integrated with Atlantis must share the same value.	n/a
`gitlab.hostname`	Hostname of your GitLab Enterprise installation.	n/a
`vcsSecretName`	Name of a pre-existing Kubernetes `Secret` containing `token` and `secret` keys set to your VCS provider's API token and webhook secret, respectively. Use this instead of `github.token`/`github.secret`, etc. (optional)	n/a
`podTemplate.annotations`	Additional annotations to use for the StatefulSet.	n/a
`podTemplate.annotations`	Additional annotations to use for pods.	`{}`
`podTemplate.labels`	Additional labels to use for pods.	`{}`
`statefulSet.annotations`	Additional annotations to use for StatefulSet.	`{}`
`statefulSet.labels`	Additional labels to use for StatefulSet.	`{}`
`logLevel`	Level to use for logging. Either debug, info, warn, or error.	n/a
`orgWhitelist`	Whitelist of repositories from which Atlantis will accept webhooks. This value must be set for Atlantis to function correctly. Accepts wildcard characters (`*`). Multiple values may be comma-separated.	none
`config`	Override atlantis main configuration by config map. It's allow some additional functionality like slack notifications.	n/a
`repoConfig`	Server Side Repo Configuration as a raw YAML string. Configuration is stored in ConfigMap.	n/a
`defaultTFVersion`	Default Terraform version to be used by atlantis server	n/a
`allowForkPRs`	Allow atlantis to run on fork Pull Requests	`false`
`disableApplyAll`	Disables running `atlantis apply` without any flags	`false`
`serviceAccount.create`	Whether to create a Kubernetes ServiceAccount if no account matching `serviceAccount.name` exists.	`true`
`serviceAccount.name`	Name of the Kubernetes ServiceAccount under which Atlantis should run. If no value is specified and `serviceAccount.create` is `true`, Atlantis will be run under a ServiceAccount whose name is the FullName of the Helm chart's instance, else Atlantis will be run under the `default` ServiceAccount.	n/a
`serviceAccount.annotations`	Additional Service Account annotations	n/a
`serviceAccountSecrets.credentials`	Deprecated (see googleServiceAccountSecrets) JSON string representing secrets for a Google Cloud Platform production service account. Only applicable if hosting Atlantis on GKE.	n/a
`serviceAccountSecrets.credentials-staging`	Deprecated (see googleServiceAccountSecrets) JSON string representing secrets for a Google Cloud Platform staging service account. Only applicable if hosting Atlantis on GKE.	n/a
`googleServiceAccountSecrets`	An array of Kubernetes secrets containing Google Service Account credentials. See `values.yaml` for examples and additional documentation.	n/a
`service.port`	Port of the `Service`.	`80`
`service.loadBalancerSourceRanges`	Array of whitelisted IP addresses for the Atlantis Service. If no value is specified, the Service will allow incoming traffic from all IP addresses (0.0.0.0/0).	n/a
`storageClassName`	Storage class of the volume mounted for the Atlantis data directory.	n/a
`tlsSecretName`	Name of a Secret for Atlantis' HTTPS certificate containing the following data items `tls.crt` with the public certificate and `tls.key` with the private key.	n/a
`ingress.enabled`	Whether to create a Kubernetes Ingress.	`true`
`ingress.annotations`	Additional annotations to use for the Ingress.	`{}`
`ingress.labels`	Additional labels to use for the Ingress.	`{}`
`ingress.path`	Path to use in the `Ingress`. Should be set to `/*` if using gce-ingress in Google Cloud.	`/`
`ingress.host`	Domain name Kubernetes Ingress rule looks for. Set it to the domain Atlantis will be hosted on.	`chart-example.local`
`ingress.tls`	Kubernetes tls block. See Kubernetes docs for details.	`[]`
`test.enabled`	Whether to enable the test.	`true`
`extraManifests`	add additional manifests to deploy	`[]`

NOTE: All the Server Configurations are passed as Environment Variables.

Upgrading

From 2.* to 3.*

The following value names have been removed. They are replaced by Server Side Repo Configuration
- requireApproval
- requireMergeable
- allowRepoConfig

To replicate your previous configuration, run Atlantis locally with your previous flags and Atlantis will print out the equivalent repo-config, for example:

$ atlantis server --allow-repo-config --require-approval --require-mergeable --gh-user=foo --gh-token=bar --repo-whitelist='*'
WARNING: Flags --require-approval, --require-mergeable and --allow-repo-config have been deprecated.
Create a --repo-config file with the following config instead:

---
repos:
- id: /.*/
  apply_requirements: [approved, mergeable]
  allowed_overrides: [apply_requirements, workflow]
  allow_custom_workflows: true

or use --repo-config-json='{"repos":[{"id":"/.*/", "apply_requirements":["approved", "mergeable"], "allowed_overrides":["apply_requirements","workflow"], "allow_custom_workflows":true}]}'

Then use this YAML in the new repoConfig value:

repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, mergeable]
    allowed_overrides: [apply_requirements, workflow]
    allow_custom_workflows: true

From 1.* to 2.*

The following value names have changed:
- allow_repo_config => allowRepoConfig
- atlantis_data_storage => dataStorage NOTE: more than just a snake_case change
- atlantis_data_storageClass => storageClassName NOTE: more than just a snake_case change
- bitbucket.base_url => bitbucket.baseURL

Testing the Deployment

To perform a smoke test of the deployment (i.e. ensure that the Atlantis UI is up and running):

Install the chart. Supply your own values file or use test-values.yaml, which has a minimal set of values required in order for Atlantis to start.
bash
```
helm install -f test-values.yaml --name my-atlantis stable/atlantis --debug
```
Run the tests:
bash
```
helm test my-atlantis
```