diff --git a/kubernetes/apps/atlantis.yaml b/kubernetes/apps/atlantis.yaml
new file mode 100644
index 00000000000..6c255d42992
--- /dev/null
+++ b/kubernetes/apps/atlantis.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: atlantis
+spec:
+ destination:
+ namespace: atlantis
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: kubernetes/gke-utility/atlantis
+ repoURL: https://github.com/kubernetes/k8s.io
+ targetRevision: main
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
index 104266f64d5..43ee4496fc4 100644
--- a/kubernetes/apps/kustomization.yaml
+++ b/kubernetes/apps/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 # - argocd.yaml This has been manually applied to fix sync issues
+ - atlantis.yaml
 - external-secrets.yaml
 - cert-manager.yaml
 - prow.yaml
diff --git a/kubernetes/gke-utility/atlantis/atlantis.yaml b/kubernetes/gke-utility/atlantis/atlantis.yaml
new file mode 100644
index 00000000000..c3d137f8a98
--- /dev/null
+++ b/kubernetes/gke-utility/atlantis/atlantis.yaml
@@ -0,0 +1,8 @@
+gh-user: k8s-infra-ci-robot
+gh-org: kubernetes
+repo-allowlist: github.com/kubernetes/k8s.io
+allow-fork-prs: true
+atlantis-url: https://atlantis.k8s.io
+gh-team-allowlist: "sig-k8s-infra:*"
+disable-global-apply-lock: true
+autodiscover-mode: auto
diff --git a/kubernetes/gke-utility/atlantis/extras.yaml b/kubernetes/gke-utility/atlantis/extras.yaml
new file mode 100644
index 00000000000..88e8db45a30
--- /dev/null
+++ b/kubernetes/gke-utility/atlantis/extras.yaml
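Review bot: `allow-fork-prs: true` on the fourth line of the atlantis.yaml hunk makes Atlantis act on pull requests opened from forks, so the control that decides who can trigger a terraform plan under the `k8s-infra-ci-robot` credentials becomes `gh-team-allowlist: "sig-k8s-infra:*"` (plus whatever the repo-side config permits), and that dependency deserves a comment next to the flag, e.g. `# fork PRs are accepted; who may run commands is gated by gh-team-allowlist below`. I would also confirm that an autoplan produced by `autodiscover-mode: auto` on a fork PR is subject to the team allowlist rather than running on PR open, since nothing in the hunk shows that. `disable-global-apply-lock: true` switches off an operational safety lock; a one-line comment stating why it is disabled for this deployment would help the next reader.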
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: atlantis-vcs
+spec:
+ data:
+ - secretKey: webhook
+ remoteRef:
+ key: atlantis-webhook-k8s-io-repo
+ - secretKey: token
+ remoteRef:
+ key: k8s-infra-ci-robot-github-token
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow
diff --git a/kubernetes/gke-utility/atlantis/httproute.yaml b/kubernetes/gke-utility/atlantis/httproute.yaml
new file mode 100644
index 00000000000..022376a8633
--- /dev/null
+++ b/kubernetes/gke-utility/atlantis/httproute.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: atlantis
+spec:
+ parentRefs:
+ - name: istio-ingressgateway
+ namespace: istio-system
+ sectionName: https
+ hostnames:
+ - atlantis.k8s.io
+ rules:
+ - matches:
+ - path:
+ value: /
+ backendRefs:
+ - name: atlantis
+ port: 80
diff --git a/kubernetes/gke-utility/atlantis/kustomization.yaml b/kubernetes/gke-utility/atlantis/kustomization.yaml
new file mode 100644
index 00000000000..e271d84222c
--- /dev/null
+++ b/kubernetes/gke-utility/atlantis/kustomization.yaml
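Review bot: The path match on the `- path:` / `value: /` lines of the httproute.yaml hunk omits `type`, so it relies on the Gateway API default (PathPrefix) to send every path of atlantis.k8s.io to the backend; writing `type: PathPrefix` above `value: /` makes the catch-all intent visible to a reader who would otherwise assume an exact match. This route fronts the whole Atlantis server, UI and webhook endpoint alike, and carries no access control of its own; the enforcement lives in kubernetes/gke-utility/istio-system/auth-policy.yaml changed in the same commit, so a short comment on the route, e.g. `# authentication is enforced by the istio-system auth policy, not by this route`, would keep the two files from drifting apart silently.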
@@ -0,0 +1,49 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: atlantis
+
+resources:
+- github.com/runatlantis/atlantis//kustomize
+- extras.yaml
+- httproute.yaml
+
+images:
+ - name: ghcr.io/runatlantis/atlantis
+ newTag: v0.30.0
+
+configMapGenerator:
+- name: atlantis-config
+ files:
+ - atlantis.yaml
+
+patchesStrategicMerge:
+- |-
+ apiVersion: apps/v1
+ kind: StatefulSet
+ metadata:
+ name: atlantis
+ spec:
+ template:
+ spec:
+ containers:
+ - name: atlantis
+ env:
+ - name: ATLANTIS_CONFIG
+ value: /config/atlantis.yaml
+ - name: ATLANTIS_GH_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: atlantis-vcs
+ key: token
+ - name: ATLANTIS_GH_WEBHOOK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: atlantis-vcs
+ key: webhook
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ volumes:
+ - name: config
+ configMap:
+ name: atlantis-config
diff --git a/kubernetes/gke-utility/istio-system/auth-policy.yaml b/kubernetes/gke-utility/istio-system/auth-policy.yaml
index c67875bd5bb..e351b0deafd 100644
--- a/kubernetes/gke-utility/istio-system/auth-policy.yaml
+++ b/kubernetes/gke-utility/istio-system/auth-policy.yaml
@@ -16,3 +16,9 @@ spec:
 hosts:
 - argo.k8s.io
 - monitoring.prow.k8s.io
+ # we want to force auth to atlantis.k8s.io/* except /events
+ - operation:
+ hosts:
+ - atlantis.k8s.io
+ notPaths:
+ - "/events"
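Review bot: The remote base `- github.com/runatlantis/atlantis//kustomize` in the kustomization.yaml hunk carries no `?ref=`, so kustomize fetches whatever the upstream default branch holds at build time while the `images:` entry pins the container to `v0.30.0`; the manifests and the image can drift apart, and any change on that branch flows into the cluster through the automated Argo sync without a review in this repo. Pin the base to the same release: `- github.com/runatlantis/atlantis//kustomize?ref=v0.30.0`. In the same hunk, `patchesStrategicMerge:` is deprecated in kustomize v5 in favour of `patches:`; the inline StatefulSet patch can move under `patches:` as a `- patch: |-` entry with its body unchanged.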
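Review bot: The new `notPaths:` / `- "/events"` entry in the auth-policy.yaml hunk exempts the GitHub webhook endpoint from the authentication this policy forces for `atlantis.k8s.io`, so on that path the only remaining check is Atlantis's webhook signature verification backed by `ATLANTIS_GH_WEBHOOK_SECRET` (wired from the `atlantis-vcs` secret in the kustomization.yaml patch of this commit); the comment should record that reliance rather than only restate the exception, e.g. `# /events is GitHub's webhook endpoint; it is exempted here and relies on Atlantis's webhook-secret signature check instead`. `notPaths` is an exact-match list, so `/events/` and other variants stay behind auth, which is the conservative direction. The enclosing rule and the policy's action begin before line 16, outside the hunk, so I could not confirm from the hunk alone what this operation list is attached to.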