diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index 19081793..bdf56182 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -39,10 +39,24 @@ jobs:
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- - name: install helm unittests
+
+ - name: Check if docs are updated
+ if: steps.list-changed.outputs.changed == 'true'
+ run: |
+ make docs
+ if [[ -n "$(git status --porcelain --untracked-files=no)" ]]; then
+ echo "Documentation not up to date." >&2
+ echo "Please run 'make docs' from the repository root and commit changes!" >&2
+ exit 1
+ else
+ echo "Documentation is up to date." >&2
+ fi
+
+ - name: Install helm unittests
if: steps.list-changed.outputs.changed == 'true'
run: |
helm plugin install --version v0.3.6 https://github.com/helm-unittest/helm-unittest
+
- name: Run chart-testing (lint)
if: steps.list-changed.outputs.changed == 'true'
run: |
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..b9b8eb91
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,9 @@
+.DEFAULT_GOAL := help
+
+.PHONY: help
+help: ## List targets & descriptions
+ @cat Makefile* | grep -E '^[a-zA-Z\/_-]+:.*?## .*$$' | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: docs
+docs: ## Build helm chart documentation
+ @docker run --rm --volume "$$(pwd):/helm-docs" -u $$(id -u) jnorwood/helm-docs:latest
diff --git a/README.md b/README.md
index 4c590145..75d6246e 100644
--- a/README.md
+++ b/README.md
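Review bot: The staleness test in the new `Check if docs are updated` step misses READMEs that helm-docs creates rather than modifies, because `git status --porcelain --untracked-files=no` deliberately excludes untracked paths; a chart with no committed README would pass even though `make docs` just generated one (this very commit adds `charts/atlantis/README.md` as a new file). Dropping `--untracked-files=no`, or adding a second check such as `git ls-files --others --exclude-standard charts/`, closes that gap. The step also implicitly requires Docker on the runner since `make docs` shells out to `docker run`; a short comment on the step, e.g. `# requires docker on the runner (make docs runs helm-docs in a container)`, would make that dependency explicit for anyone changing the runner image.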
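Review bot: The `docs` target pulls `jnorwood/helm-docs:latest`, a mutable tag, so both the CI docs check and every contributor's local output depend on whatever that tag resolves to at pull time; a helm-docs release that changes its default README template would break unrelated PRs, and a re-pointed tag would execute unreviewed code with the repository mounted read-write into the container. Pin the image to a release tag and digest, `jnorwood/helm-docs:<version>@sha256:<digest>`, and bump it deliberately in its own PR. A comment above the recipe, `# helm-docs writes the generated README.md files back into the mounted repo, so the volume must be writable`, would also explain why the mount is not `:ro`.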
@@ -7,263 +7,19 @@ [Atlantis](https://www.runatlantis.io/) is a tool for safe collaboration on [Terraform](https://www.terraform.io/) repositories. -- [Introduction](#introduction) -- [Prerequisites](#prerequisites) -- [Required Configuration](#required-configuration) -- [Additional manifests](#additional-manifests) -- [Customization](#customization) -- [Upgrading](#upgrading) - - [From `2.*` to `3.*`](#from-2-to-3) - - [From `1.*` to `2.*`](#from-1-to-2) -- [Testing the Deployment](#testing-the-deployment) +## Usage -## Introduction +[Helm](https://helm.sh) must be installed to use the charts. +Please refer to Helm's [documentation](https://helm.sh/docs/) to get started. -This chart creates a single pod in a StatefulSet running Atlantis. Atlantis persists Terraform [plan files](https://www.terraform.io/docs/commands/plan.html) and [lockfiles](https://www.terraform.io/docs/state/locking.html) to disk for the duration of a Pull/Merge Request. These files are stored in a PersistentVolumeClaim to survive Pod failures. +Once Helm is set up properly, add the repository as follows: -## Prerequisites - -- Kubernetes 1.9+ -- PersistentVolume support - -## Required Configuration - -In order for Atlantis to start and run successfully: - -1. At least one of the following sets of credentials must be defined: - - `github` - - `gitlab` - - `bitbucket` - - `azuredevops` - - Refer to [values.yaml](/charts/atlantis/values.yaml) for detailed examples. - They can also be provided directly through a Kubernetes `Secret`, use the variable `vcsSecretName` to reference it. - -1. Supply a value for `orgAllowlist`, e.g. `github.com/myorg/*`. - -## Additional manifests - -It is possible to add additional manifests into a deployment, to extend the chart. One of the reason is to deploy a manifest specific to a cloud provider ( BackendConfig on GKE for example ). 
- -```yaml -extraManifests: - - apiVersion: cloud.google.com/v1beta1 - kind: BackendConfig - metadata: - name: "{{ .Release.Name }}-test" - spec: - securityPolicy: - name: "gcp-cloud-armor-policy-test" -``` - -## Customization - -The following options are supported. See [values.yaml](/charts/atlantis/values.yaml) for more detailed documentation and examples: - -| Parameter | Description | Default | -|-----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------| -| `allowDraftPRs` | Allow atlantis to run on draft Pull Requests | `false` | -| `allowForkPRs` | Allow atlantis to run on fork Pull Requests | `false` | -| `api.secret` | API secret to enable API endpoints | n/a | -| `apiSecretName` | Name of a pre-existing Kubernetes `Secret` containing a `apisecret` key. Use this instead of `api.secret` | n/a | -| `atlantisDataDirectory` | Path to the data directory for the volumeMount | `/atlantis-data` | -| `atlantisUrl` | Base URL of atlantis server. This URL also reflects in pull-requests CI hooks where terraform changes are displayed. | n/a | -| `aws.config` | Contents of a file to be mounted to `~/.aws/config` or `aws.directory/config`. | n/a | -| `aws.credentials` | Contents of a file to be mounted to `~/.aws/credentials` `aws.directory/credentials`. 
| n/a | -| `aws.directory` | If set, will mount AWS credentials to the specified path and set `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` variables. If not set, default path `/home/atlantis/.aws` will be used. | n/a | -| `awsSecretName` | Secret name containing AWS credentials - will override aws.credentials and aws.config. Will be used a volume mount on `$HOME/.aws` or `aws.directory`, so it needs a `credentials` key. The key `config` is optional. See the file `templates/secret-aws.yml` for more info on the Secret contents. | n/a | -| `azuredevops.token` | Personal access token for the Atlantis Azure DevOps user. | n/a | -| `azuredevops.user` | Name of the Atlantis Azure DevOps user. | n/a | -| `azuredevops.webhookPassword` | Webhook password for the Atlantis Azure DevOps integration. All repositories in Azure DevOps that are to be integrated with Atlantis must share the same value. | n/a | -| `azuredevops.webhookUser` | Webhook user for the Atlantis Azure DevOps integration. | n/a | -| `basicAuth.password` | Password for basic authentication | n/a | -| `basicAuth.username` | Username for basic authentication | n/a | -| `basicAuthSecretName` | Name of a pre-existing Kubernetes `Secret` containing `username` and `password` keys for basic auth credentials. Use this instead of `basicAuth.username`/`basicAuth.password` | n/a | -| `bitbucket.baseURL` | Base URL of Bitbucket Server installation. | n/a | -| `bitbucket.secret` | Webhook secret for Bitbucket repositories (Bitbucket Server only). | n/a | -| `bitbucket.token` | Personal access token for the Atlantis Bitbucket user. | n/a | -| `bitbucket.user` | Name of the Atlantis Bitbucket user. | n/a | -| `command` | Optionally override the [`command` field](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#container-v1-core) of the Atlantis Docker container. If not set, the default Atlantis `ENTRYPOINT` is used. Must be an array. 
| n/a | -| `commonLabels` | Add Common Labels to all resources | `{}` | -| `config` | Override atlantis main configuration by config map. It's allow some additional functionality like slack notifications. | n/a | -| `containerSecurityContext.allowPrivilegeEscalation` | Whether to enable privilege escalation | n/a | -| `containerSecurityContext.readOnlyRootFilesystem` | Whether the root file system should be read-only | n/a | -| `customPem` | SecretName of the custom `ca-certificates.cert` to override the `/etc/ssl/certs/ca-certificates.crt` with your custom one (self-signed certificates)
Secret has to be created manually and shall contain `ca-certificates.crt: PEM` | n/a | -| `dataStorage` | DEPRECATED - Amount of storage available for Atlantis' data directory (mostly used to check out git repositories). | `5Gi` | -| `defaultTFVersion` | Default Terraform version to be used by atlantis server | n/a | -| `disableApplyAll` | Disables running `atlantis apply` without any flags | `false` | -| `disableApply` | Disables running `atlantis apply` regardless of what options are specified | `false` | -| `disableRepoLocking` | Stops atlantis locking projects and or workspaces when running terraform | `false` | -| `enableDiffMarkdownFormat` | Enable Atlantis to format Terraform plan output into a markdown-diff friendly format for color-coding purposes. | `false` | -| `enableKubernetesBackend` | Deploy rbac to allow for the serviceAccount to manage terraform state via a kubernetes backend | false | -| `environmentRaw` | Array environment variables in plain Kubernetes yaml format. See `values.yaml` for example. | `[]` | -| `environmentSecrets` | Array of Kubernetes secrets that can be used to set environment variables. See `values.yaml` for example. | `{}` | -| `environment` | Map of environment variables for the container. | `{}` | -| `extraAnnotations` | These annotations will be added to all the resources | `{}` | -| `extraArgs` | Add additional arguments to the atlantis server | `[]` | -| `extraContainers` | Additional containers to use and depends of use cases. | `[]` | -| `extraManifests` | Add additional manifests to deploy | `[]` | -| `extraVolumeMounts` | List of additional volumes mounted to the container. | `[]` | -| `extraVolumes` | List of additional volumes available to the pod. | `[]` | -| `gitconfigSecretName` | Name of a pre-existing Kubernetes `Secret` containing a `gitconfig` key. Use this instead of `gitconfig` (optional) | n/a | -| `gitconfig` | Contents of a file to be mounted to `~/.gitconfig`. 
Use to allow redirection for Terraform modules in private git repositories. | n/a | -| `github.hostname` | Hostname of your GitHub Enterprise installation. | n/a | -| `github.secret` | Repository or organization-wide webhook secret for the Atlantis GitHub integration. All repositories in GitHub that are to be integrated with Atlantis must share the same value. | n/a | -| `github.token` | Personal access token for the Atlantis GitHub user. | n/a | -| `github.user` | Name of the Atlantis GitHub user. | n/a | -| `githubApp.id` | GitHub app ID. If set, GitHub authentication will be performed as an [installation](https://developer.github.com/v3/apps/installations/). | n/a | -| `githubApp.key` | A GitHub App PEM encoded private key file. If set, GitHub authentication will be performed as an [installation](<(https://developer.github.com/v3/apps/installations/)>). | n/a | -| `githubApp.secret` | Secret used to validate GitHub webhooks (see [Securing your webhooks](https://developer.github.com/webhooks/securing/)). | n/a | -| `githubApp.slug` | A slugged version of GitHub app name shown in pull requests comments, etc (not Atlantis App but something like atlantis-app). Atlantis uses the value of this parameter to identify the comments it has left on GitHub pull requests. This is used for functions such as `hidePrevPlanComments`. | n/a | -| `gitlab.hostname` | Hostname of your GitLab Enterprise installation. | n/a | -| `gitlab.secret` | Webhook secret for the Atlantis GitLab integration. All repositories in GitLab that are to be integrated with Atlantis must share the same value. | n/a | -| `gitlab.token` | Personal access token for the Atlantis GitLab user. | n/a | -| `gitlab.user` | Name of the Atlantis GitLab user. | n/a | -| `googleServiceAccountSecrets` | An array of Kubernetes secrets containing Google Service Account credentials. See `values.yaml` for examples and additional documentation. 
| n/a | -| `hidePrevPlanComments` | Allow atlantis to hide previous plan comments | `false` | -| `hideUnchangedPlanComments` | Allow atlantis to hide no-changes plan comments | `false` | -| `hostAliases[].hostnames` | Hostnames for host alias entry | n/a | -| `hostAliases[].ip` | IP for host alias entry | n/a | -| `hostNetwork` | Use the host's network namespace. | `false` | -| `imagePullSecrets` | List of secrets for pulling images from private registries. | `[]` | -| `ingress.annotations` | Additional annotations to use for the Ingress. | `{}` | -| `ingress.apiVersion` | The Kubernetes API version used for configuring ingress. If not specified, Helm tries to automatically determine a compatible version based on the cluster's capabilities. The default value is "" and is only accepted if it is one of the supported versions: `networking.k8s.io/v1`, `networking.k8s.io/v1beta1`, or `extensions/v1beta1`. In cases where Helm can't determine the cluster's capabilities automatically, this value can be used to override the API version. Setting an unsupported value will result in an error during the Helm chart installation. | "" | -| `ingress.enabled` | Whether to create a Kubernetes Ingress. | `true` | -| `ingress.host` | Domain name Kubernetes Ingress rule looks for. Set it to the domain Atlantis will be hosted on. | | | `/` | -| `ingress.hosts[0].host` | List of domain names Kubernetes Ingress rule looks for. Set it to the domains in which Atlantis will be hosted on. | `chart-example.local` | -| `ingress.hosts[0].paths` | List of paths to use in Kubernetes Ingress rules. Should be set to `/*` if using gce-ingress in Google | `[/]` | -| `ingress.ingressClassName` | Name of the ingress class to use for the Ingress. | n/a | | `/` | -| `ingress.labels` | Additional labels to use for the Ingress. | `{}` | -| `ingress.pathType` | pathType to use in the `Ingress`. specify how Ingress paths should be matched. 
See [Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for details. | `ImplementationSpecific` | -| `ingress.path` | Path to use in the `Ingress`. Should be set to `/*` if using gce-ingress in Google Cloud. | `/` | -| `ingress.tls` | Kubernetes tls block. See [Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) for details. | `[]` | -| `initContainers` | Containers used to initialize context for Atlantis pods | `[]` | -| `initConfig` | Init container used to install plugins/providers shared with Atlantis pods | n/a | -| `lifecycle` | Configure pod container lifecycle hooks. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/) for details. | `{}` | -| `loadEnvFromConfigMaps` | Array of Kubernetes `ConfigMap`s to set all key-value pairs as environment variables. See `values.yaml` for example. | `[]` | -| `loadEnvFromSecrets` | Array of Kubernetes secrets to set all key-value pairs as environment variables. See `values.yaml` for example. | `[]` | -| `lockingDbType` | Locking DB type for storing plan and apply locks. Allowed values are `boltdb` and `redis`. | n/a | -| `logLevel` | Level to use for logging. Either debug, info, warn, or error. | n/a | -| `netrcSecretName` | Name of a pre-existing Kubernetes `Secret` containing a `netrc` key. Use this instead of `netrc` (optional) | n/a | -| `netrc` | Contents of a file to be mounted to `~/.netrc`. Use to authenticate with private registries hosting terraform modules. | n/a | -| `orgAllowlist` | Allowlist of repositories from which Atlantis will accept webhooks. **This value must be set for Atlantis to function correctly.** Accepts wildcard characters (`*`). Multiple values may be comma-separated. | none | -| `orgWhitelist` | Deprecated (see orgAllowlist) List of repositories from which Atlantis will accept webhooks. Accepts wildcard characters (`*`). 
Multiple values may be comma-separated. | none | -| `podTemplate.annotations` | Additional annotations to use for pods. | `{}` | -| `podTemplate.labels` | Additional labels to use for pods. | `{}` | -| `redis.db` | Redis database number for Locking DB of type `redis`. | n/a | -| `redis.host` | Redis hostname for Locking DB of type `redis`. | n/a | -| `redis.insecureSkipVerify` | Whether Redis client should skip verification of Redis server's certificate chain and hostname. Setting to `true` may introduce a security vulnerability. | n/a | -| `redis.password` | Redis password for Locking DB of type `redis`. | n/a | -| `redis.port` | Redis port for Locking DB of type `redis`. | n/a | -| `redis.tlsEnabled` | Whether to enable TLS connection to Redis. | n/a | -| `redisSecretName` | Name of a pre-existing Kubernetes `Secret` containing a `password` key. Use this instead of `redis.password`. | n/a | -| `replicaCount` | Number of replicas to run for the Atlantis server. | `1` | -| `repoConfig` | [Server-side Repository Configuration](https://www.runatlantis.io/docs/server-side-repo-config.html) as a raw YAML string. Configuration is stored in ConfigMap. | n/a | -| `service.annotations` | Additional annotations to use for the service. | n/a | -| `service.loadBalancerIP` | Expose this service on the given ip if service.type = `LoadBalancerIP` | n/a | -| `service.loadBalancerSourceRanges` | Array of allowlisted IP addresses for the Atlantis Service. If no value is specified, the Service will allow incoming traffic from all IP addresses (0.0.0.0/0). | n/a | -| `service.nodePort` | The NodePort port to expose for the Atlantis Service. If no value is specified, it will not be used. | n/a | -| `service.port` | Port of the `Service`. | `80` | -| `service.targetPort` | Target Port of the `Service`. 
| `4141` | -| `serviceAccount.annotations` | Additional Service Account annotations | n/a | -| `serviceAccount.create` | Whether to create a Kubernetes ServiceAccount if no account matching `serviceAccount.name` exists. | `true` | -| `serviceAccount.mount` | Whether to mount the Kubernetes ServiceAccount into the pod | `true` | -| `serviceAccount.name` | Name of the Kubernetes ServiceAccount under which Atlantis should run. If no value is specified and `serviceAccount.create` is `true`, Atlantis will be run under a ServiceAccount whose name is the FullName of the Helm chart's instance, else Atlantis will be run under the `default` ServiceAccount. | n/a | -| `serviceAccountSecrets.credentials-staging` | Deprecated (see googleServiceAccountSecrets) JSON string representing secrets for a Google Cloud Platform staging service account. Only applicable if hosting Atlantis on GKE. | n/a | -| `serviceAccountSecrets.credentials` | Deprecated (see googleServiceAccountSecrets) JSON string representing secrets for a Google Cloud Platform production service account. Only applicable if hosting Atlantis on GKE. | n/a | -| `servicemonitor.auth` | If authentication is required on Atlantis, the servicemonitor should reference a secret with the credentials. The default values.yaml file provides two options for that, basicAuth, using the atlantis-basic-auth secret created by this chart, or externalSecret if the credentials are set there | n/a | -| `servicemonitor.enabled` | Enable Prometheus service monitor. This requires metrics.prometheus.endpoint to be defined (/metrics is a good default) in the repoConfig value | `false` | -| `servicemonitor.interval` | Interval at which metrics should be scraped | `30s` | -| `servicemonitor.path` | HTTP path to scrape for metrics | `/metrics` | -| `servicemonitor.additionalLabels` | Prometheus ServiceMonitor labels | `{}` | -| `statefulSet.annotations` | Additional annotations to use for StatefulSet. 
| `{}` | -| `statefulSet.labels` | Additional labels to use for StatefulSet. | `{}` | -| `statefulSet.priorityClassName` | Leverage a PriorityClass to ensure your pods survive resource shortages. | `{}` | -| `statefulSet.securityContext` | Allow customizing securityContext. | `{}` | -| `statefulSet.shareProcessNamespace` | Share the process namespace between all containers in a pod. | `false` | -| `statefulSet.updateStrategy` | Configure [updateStrategy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) of the StatefulSet. | `{}` | -| `storageClassName` | DEPRECATED - Storage class of the volume mounted for the Atlantis data directory. | n/a | -| `terminationGracePeriodSeconds` | Set terminationGracePeriodSeconds for the StatefulSet. | `{}` | -| `test.enabled` | Whether to enable the test. | `true` | -| `tlsSecretName` | Name of a Secret for Atlantis' HTTPS certificate containing the following data items `tls.crt` with the public certificate and `tls.key` with the private key. | n/a | -| `topologySpreadConstraints` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19). | `[]` | -| `vcsSecretName` | Name of a pre-existing Kubernetes `Secret` containing `token` and `secret` keys set to your VCS provider's API token and webhook secret, respectively. Use this instead of `github.token`/`github.secret`, etc. (optional) | n/a | -| `volumeClaim.dataStorage` | Amount of storage available for embedded Atlantis' data directory | `5Gi` | -| `volumeClaim.enabled` | Activate embedded volume claim for Atlantis' data directory (mostly used to check out git repositories). | `true` | -| `volumeClaim.storageClassName` | Storage class of the embedded volume mounted for the Atlantis data directory. 
| n/a | - -**NOTE**: All the [Server Configurations](https://www.runatlantis.io/docs/server-configuration.html) are passed as [Environment Variables](https://www.runatlantis.io/docs/server-configuration.html#environment-variables). - -## Upgrading - -### From `4.0.*` to `4.1.*` - -- The following value are deprecated: - - `dataStorage` - - `storageClassName` - -- In favor of the new working way: - - `volumeClaim.enabled` - - `volumeClaim.dataStorage` - - `volumeClaim.storageClassName` - -### From `2.*` to `3.*` - -- The following value names have been removed. They are replaced by [Server-side Repository Configuration](https://www.runatlantis.io/docs/server-side-repo-config.html) - - `requireApproval` - - `requireMergeable` - - `allowRepoConfig` - -To replicate your previous configuration, run Atlantis locally with your previous flags and Atlantis will print out the equivalent repo-config, for example: - -```bash -$ atlantis server --allow-repo-config --require-approval --require-mergeable --gh-user=foo --gh-token=bar --repo-allowlist='*' -WARNING: Flags --require-approval, --require-mergeable and --allow-repo-config have been deprecated. 
-Create a --repo-config file with the following config instead: - ---- -repos: -- id: /.*/ - apply_requirements: [approved, mergeable] - allowed_overrides: [apply_requirements, workflow] - allow_custom_workflows: true - -or use --repo-config-json='{"repos":[{"id":"/.*/", "apply_requirements":["approved", "mergeable"], "allowed_overrides":["apply_requirements","workflow"], "allow_custom_workflows":true}]}' +```console +helm repo add runatlantis https://runatlantis.github.io/helm-charts ``` -Then use this YAML in the new repoConfig value: - -```yaml -repoConfig: | - --- - repos: - - id: /.*/ - apply_requirements: [approved, mergeable] - allowed_overrides: [apply_requirements, workflow] - allow_custom_workflows: true -``` - -### From `1.*` to `2.*` - -- The following value names have changed: - - `allow_repo_config` => `allowRepoConfig` - - `atlantis_data_storage` => `dataStorage` **NOTE: more than just a snake_case change** - - `atlantis_data_storageClass` => `storageClassName` **NOTE: more than just a snake_case change** - - `bitbucket.base_url` => `bitbucket.baseURL` - -## Testing the Deployment - -To perform a smoke test of the deployment (i.e. ensure that the Atlantis UI is up and running): - -1. Install the chart. Supply your own values file or use `test-values.yaml`, which has a minimal set of values required in order for Atlantis to start. - - ```bash - helm repo add runatlantis https://runatlantis.github.io/helm-charts - helm install -f test-values.yaml my-atlantis runatlantis/atlantis --debug - ``` +You can then run `helm search repo runatlantis` to see the charts. -1. Run the tests: +## License - ```bash - helm test my-atlantis - ``` +[Apache 2.0 License](../LICENSE). diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml index ea94f54c..407353b1 100644 --- a/charts/atlantis/Chart.yaml +++ b/charts/atlantis/Chart.yaml 
@@ -3,7 +3,7 @@ apiVersion: v1
appVersion: v0.27.2
description: A Helm chart for Atlantis https://www.runatlantis.io
name: atlantis
-version: 4.23.6
+version: 4.24.0
keywords:
- terraform
home: https://www.runatlantis.io
diff --git a/charts/atlantis/README.md b/charts/atlantis/README.md
new file mode 100644
index 00000000..42547b0a
--- /dev/null
+++ b/charts/atlantis/README.md
@@ -0,0 +1,312 @@ +# Atlantis + +[Atlantis](https://www.runatlantis.io/) is a tool for safe collaboration on [Terraform](https://www.terraform.io/) repositories. + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| lkysow | | | +| jamengual | | | +| chenrui333 | | | +| nitrocode | | | +| genpage | | | +| gmartinez-sisti | | | + +## Links + +- [Introduction](#introduction) +- [Prerequisites](#prerequisites) +- [Required Configuration](#required-configuration) +- [Additional manifests](#additional-manifests) +- [Values](#values) +- [Upgrading](#upgrading) + - [From `2.*` to `3.*`](#from-2-to-3) + - [From `1.*` to `2.*`](#from-1-to-2) +- [Testing the Deployment](#testing-the-deployment) +- [Update documentation](#update-documentation) + +## Introduction + +This chart creates a single pod in a StatefulSet running Atlantis. Atlantis persists Terraform [plan files](https://www.terraform.io/docs/commands/plan.html) and [lockfiles](https://www.terraform.io/docs/state/locking.html) to disk for the duration of a Pull/Merge Request. These files are stored in a PersistentVolumeClaim to survive Pod failures. + +## Prerequisites + +- Kubernetes 1.9+ +- PersistentVolume support + +## Required Configuration + +In order for Atlantis to start and run successfully: + +1. At least one of the following sets of credentials must be defined: + - `github` + - `gitlab` + - `bitbucket` + - `azuredevops` + + Refer to [values.yaml](/charts/atlantis/values.yaml) for detailed examples. + They can also be provided directly through a Kubernetes `Secret`, use the variable `vcsSecretName` to reference it. + +1. Supply a value for `orgAllowlist`, e.g. `github.com/myorg/*`. + +## Additional manifests + +It is possible to add additional manifests into a deployment, to extend the chart. One of the reason is to deploy a manifest specific to a cloud provider ( BackendConfig on GKE for example ). 
+ +```yaml +extraManifests: + - apiVersion: cloud.google.com/v1beta1 + kind: BackendConfig + metadata: + name: ".Release.Name-test" + spec: + securityPolicy: + name: "gcp-cloud-armor-policy-test" +``` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| allowDraftPRs | bool | `false` | Enables atlantis to run on a draft Pull Requests. | +| allowForkPRs | bool | `false` | Enables atlantis to run on a fork Pull Requests. | +| api | object | `{}` | Optionally specify an API secret to enable the API. Check values.yaml for examples. | +| apiSecretName | string | `""` | If managing secrets outside the chart for the API secret, use this variable to reference the secret name. | +| atlantisDataDirectory | string | `"/atlantis-data"` | Path to the data directory for the volumeMount. | +| atlantisUrl | string | `""` | An option to override the atlantis url, if not using an ingress, set it to the external IP. Check values.yaml for examples. | +| aws | object | `{}` | To specify AWS credentials to be mapped to ~/.aws or to aws.directory. Check values.yaml for examples. | +| awsSecretName | string | `""` | To reference an already existing Secret object with AWS credentials | +| azuredevops | object | `{}` | If using Azure DevOps, please enter your values as follows. The chart will perform the base64 encoding for you for values that are stored in secrets. Check values.yaml for examples. | +| basicAuth | string | `""` | Optionally specify an username and a password for basic authentication. Check values.yaml for examples. | +| basicAuthSecretName | string | `""` | If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name. | +| bitbucket | object | `{}` | If using Bitbucket, there are two approaches: Bitbucket Server, deployed in your own infrastructure and Cloud available at (https://Bitbucket.org). 
The chart will perform the base64 encoding for you for values that are stored in secrets. Check values.yaml for examples. | +| command | list | `[]` | Override the command field of the Atlantis container. | +| commonLabels | object | `{}` | Common Labels for all resources created by this chart. | +| config | string | `""` | Override atlantis main configuration by config map, ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis. Check values.yaml for examples. | +| containerSecurityContext | object | `{}` | Check values.yaml for examples. | +| customPem | string | `""` | Allows to override the /etc/ssl/certs/ca-certificates.cer with your custom one. You have to create a secret with the specified name. | +| dataStorage | string | `""` | DEPRECATED - Disk space available to check out repositories. Example: 5Gi. | +| defaultTFVersion | string | `""` | Sets the default terraform version to be used in atlantis server. Check values.yaml for examples. | +| disableApply | bool | `false` | Disables running `atlantis apply` regardless of which flags are sent with it. | +| disableApplyAll | bool | `false` | Disables running `atlantis apply` without any flags. | +| disableRepoLocking | bool | `false` | Stops atlantis locking projects and or workspaces when running terraform. | +| enableDiffMarkdownFormat | bool | `false` | Use Diff Markdown Format for color coding diffs. | +| enableKubernetesBackend | bool | `false` | Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend. | +| environment | object | `{}` | Environtment values to add to the Atlantis pod. Check values.yaml for examples. | +| environmentRaw | list | `[]` | Optionally specify additional environment variables in raw yaml format. Useful to specify variables refering to k8s objects. Check values.yaml for examples. 
| +| environmentSecrets | list | `[]` | Optionally specify additional environment variables to be populated from Kubernetes secrets. Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets. Check values.yaml for examples. | +| extraAnnotations | object | `{}` | | +| extraArgs | list | `[]` | Optionally specify extra arguments for the Atlantis pod. Check values.yaml for examples. | +| extraContainers | list | `[]` | Optionally specify extra containers for the Atlantis pod. Check values.yaml for examples. | +| extraManifests | list | `[]` | Optionally specify additional manifests to be created. Check values.yaml for examples. | +| extraVolumeMounts | list | `[]` | Optionally specify additional volume mounts for the container. Check values.yaml for examples. | +| extraVolumes | list | `[]` | Optionally specify additional volumes for the pod. Check values.yaml for examples. | +| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources | +| gitconfig | string | `""` | When referencing Terraform modules in private repositories, it may be helpful (necessary?) to use redirection in a .gitconfig. Check values.yaml for examples. | +| gitconfigSecretName | string | `""` | If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name | +| github | object | `{}` | If using GitHub, please enter your values as follows. The chart will perform the base64 encoding for values that are stored in secrets. The 'hostname' key is exclusive to GitHub Enterprise installations. Check values.yaml for examples. | +| githubApp | object | `{}` | If using a GitHub App, please enter your values as follows. The chart will perform the base64 encoding for you for values that are stored in secrets. Check values.yaml for examples. | +| gitlab | object | `{}` | If using GitLab, please enter your values as follows. The 'hostname' key is exclusive to GitLab Enterprise installations. 
The chart will perform the base64 encoding for you for values that are stored in secrets. Check values.yaml for examples. |
+| googleServiceAccountSecrets | list | `[]` | Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}". Check values.yaml for examples. |
+| hidePrevPlanComments | bool | `false` | Enables atlantis to hide previous plan comments. |
+| hideUnchangedPlanComments | bool | `false` | Enables atlantis to hide no-changes plan comments from the pull request. |
+| hostAliases | list | `[]` | Optionally specify hostAliases for the Atlantis pod. Check values.yaml for examples. |
+| hostNetwork | bool | `false` | |
+| image.pullPolicy | string | `"Always"` | |
+| image.repository | string | `"ghcr.io/runatlantis/atlantis"` | |
+| image.tag | string | `""` | If not set appVersion field from Chart.yaml is used |
+| imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. Check values.yaml for examples. |
+| ingress.annotations | object | `{}` | Check values.yaml for examples. |
+| ingress.apiVersion | string | `""` | |
+| ingress.enabled | bool | `true` | |
+| ingress.host | string | `""` | |
+| ingress.hosts | list | `[]` | Used when several hosts are required. Check values.yaml for examples. |
+| ingress.ingressClassName | string | `nil` | |
+| ingress.labels | object | `{}` | |
+| ingress.path | string | `"/*"` | Use / for nginx. |
+| ingress.pathType | string | `"ImplementationSpecific"` | |
+| ingress.paths | list | `[]` | Used when several paths under the same host, with different backend services, are required. Check values.yaml for examples. |
+| ingress.tls | list | `[]` | Check values.yaml for examples.
|
+| initConfig.enabled | bool | `false` | Install providers/plugins into a path shared with the Atlantis pod. |
+| initConfig.image | string | `"alpine:latest"` | |
+| initConfig.imagePullPolicy | string | `"IfNotPresent"` | |
+| initConfig.script | string | `""` | Check values.yaml for examples. |
+| initConfig.sharedDir | string | `"/plugins"` | SharedDir is set as env var INIT_SHARED_DIR. |
+| initConfig.sizeLimit | string | `"100Mi"` | Size for the shared volume. |
+| initConfig.workDir | string | `"/tmp"` | |
+| initContainers | list | `[]` | Optionally specify init containers manifests to be added to the Atlantis pod. Check values.yaml for examples. |
+| lifecycle | object | `{}` | Set lifecycle hooks. https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/. |
+| livenessProbe.enabled | bool | `true` | |
+| livenessProbe.failureThreshold | int | `5` | |
+| livenessProbe.initialDelaySeconds | int | `5` | |
+| livenessProbe.periodSeconds | int | `60` | We only need to check every 60s since Atlantis is not a high-throughput service. |
+| livenessProbe.scheme | string | `"HTTP"` | |
+| livenessProbe.successThreshold | int | `1` | |
+| livenessProbe.timeoutSeconds | int | `5` | |
+| loadEnvFromConfigMaps | list | `[]` | Optionally specify additional Kubernetes ConfigMaps to load environment variables from. All key-value pairs within these ConfigMaps will be set as environment variables. Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used. Check values.yaml for examples. |
+| loadEnvFromSecrets | list | `[]` | Optionally specify additional Kubernetes secrets to load environment variables from. All key-value pairs within these secrets will be set as environment variables.
Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used. Check values.yaml for examples. |
+| lockingDbType | string | `""` | Set the desired Locking DB type Accepts boltdb or redis. |
+| logLevel | string | `""` | Specify the log level for Atlantis. Accepts: debug, info, warn, or error. |
+| nameOverride | string | `""` | Provide a name to substitute for the name of the chart |
+| netrc | string | `""` | When referencing Terraform modules in private repositories or registries (such as Artfactory) configuing a .netrc file for authentication may be required. Check values.yaml for examples. |
+| netrcSecretName | string | `""` | If managing secrets outside the chart for the netrc file, use this variable to reference the secret name |
+| nodeSelector | object | `{}` | |
+| orgAllowlist | string | No default. Needs to specified. | Replace this with your own repo allowlist. |
+| orgWhitelist | string | `""` | Deprecated in favor of orgAllowlist. |
+| podMonitor | object | `{"enabled":false,"interval":"30s"}` | Enable this if you're using Google Managed Prometheus. |
+| podTemplate.annotations | object | `{}` | Check values.yaml for examples. |
+| podTemplate.labels | object | `{}` | |
+| readinessProbe.enabled | bool | `true` | |
+| readinessProbe.failureThreshold | int | `5` | |
+| readinessProbe.initialDelaySeconds | int | `5` | |
+| readinessProbe.periodSeconds | int | `60` | |
+| readinessProbe.scheme | string | `"HTTP"` | |
+| readinessProbe.successThreshold | int | `1` | |
+| readinessProbe.timeoutSeconds | int | `5` | |
+| redis | object | `{}` | Configure Redis Locking DB. lockingDbType value must be redis for the config to take effect. Check values.yaml for examples.
|
+| redisSecretName | string | `""` | When managing secrets outside the chart for the Redis secret, use this variable to reference the secret name. |
+| replicaCount | int | `1` | Replica count for Atlantis pods. |
+| repoConfig | string | `""` | Use Server Side Repo Config, ref: https://www.runatlantis.io/docs/server-side-repo-config.html. Check values.yaml for examples. |
+| resources | object | `{}` | Resources for Atlantis. Check values.yaml for examples. |
+| service.annotations | object | `{}` | |
+| service.loadBalancerIP | string | `nil` | |
+| service.loadBalancerSourceRanges | list | `[]` | |
+| service.nodePort | string | `nil` | |
+| service.port | int | `80` | |
+| service.targetPort | int | `4141` | |
+| service.type | string | `"NodePort"` | |
+| serviceAccount.annotations | object | `{}` | Annotations for the Service Account. Check values.yaml for examples. |
+| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created. |
+| serviceAccount.mount | bool | `true` | If false, no kubernetes service account token will be mounted to the pod. |
+| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
+| serviceAccountSecrets | object | `{}` | To keep backwards compatibility only. Deprecated (see googleServiceAccountSecrets). To be used for mounting credential files (when using google provider). Check values.yaml for examples. |
+| servicemonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels. |
+| servicemonitor.auth.basicAuth | object | `{"enabled":false}` | If auth is enabled on Atlantis, use one of the following mechanism. |
+| servicemonitor.auth.basicAuth.enabled | bool | `false` | Authentication from the secret generated with the basicAuth values this will reference the username and password keys from the atlantis-basic-auth secret.
|
+| servicemonitor.auth.externalSecret.enabled | bool | `false` | Authentication based on an external secret |
+| servicemonitor.auth.externalSecret.keys | object | `{}` | Check values.yaml for examples. |
+| servicemonitor.auth.externalSecret.name | string | `""` | |
+| servicemonitor.enabled | bool | `false` | To enable a Prometheus servicemonitor, set enabled to true, and enable the metrics in this file's repoConfig by setting a value for metrics.prometheus.endpoint. |
+| servicemonitor.interval | string | `"30s"` | |
+| servicemonitor.path | string | `"/metrics"` | |
+| statefulSet.annotations | object | `{}` | |
+| statefulSet.labels | object | `{}` | |
+| statefulSet.priorityClassName | string | `""` | |
+| statefulSet.securityContext.fsGroup | int | `1000` | |
+| statefulSet.securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
+| statefulSet.securityContext.runAsUser | int | `100` | It is not recommended to run atlantis as root. |
+| statefulSet.shareProcessNamespace | bool | `false` | Option to share process namespace with atlantis container. |
+| statefulSet.updateStrategy | object | `{}` | |
+| storageClassName | string | `""` | DEPRECATED - Storage class name for Atlantis disk. |
+| terminationGracePeriodSeconds | int | default depends on the kubernetes version. | Optionally customize the termination grace period in seconds. |
+| test.annotations | object | `{}` | |
+| test.enabled | bool | `true` | Enables test container. |
+| test.image | string | `"bats/bats"` | |
+| test.imageTag | string | `"1.9.0"` | |
+| tlsSecretName | string | `""` | TLS Secret Name for Atlantis pod. |
+| tolerations | list | `[]` | |
+| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19). Check values.yaml for examples.
|
+| vcsSecretName | string | `""` | If managing secrets outside the chart for the webhook, use this variable to reference the secret name |
+| volumeClaim.accessModes[0] | string | `"ReadWriteOnce"` | |
+| volumeClaim.dataStorage | string | `"5Gi"` | Disk space available to check out repositories. |
+| volumeClaim.enabled | bool | `true` | |
+| volumeClaim.storageClassName | string | `""` | Storage class name (if possible, use a resizable one). |
+| webhook_ingress.annotations | object | `{}` | Check values.yaml for examples. |
+| webhook_ingress.apiVersion | string | `""` | |
+| webhook_ingress.enabled | bool | `false` | When true creates a secondary webhook. |
+| webhook_ingress.host | string | `""` | |
+| webhook_ingress.hosts | list | `[]` | Used when several hosts are required. Check values.yaml for examples. |
+| webhook_ingress.ingressClassName | string | `nil` | |
+| webhook_ingress.labels | object | `{}` | |
+| webhook_ingress.path | string | `"/*"` | Use / for nginx. |
+| webhook_ingress.pathType | string | `"ImplementationSpecific"` | |
+| webhook_ingress.paths | list | `[]` | Used when several paths under the same host, with different backend services, are required. Check values.yaml for examples. |
+| webhook_ingress.tls | list | `[]` | TLS configuration. Check values.yaml for examples. |
+ +## Upgrading + +### From `4.0.*` to `4.1.*` + +- The following value are deprecated: + - `dataStorage` + - `storageClassName` + +- In favor of the new working way: + - `volumeClaim.enabled` + - `volumeClaim.dataStorage` + - `volumeClaim.storageClassName` + +### From `2.*` to `3.*` + +- The following value names have been removed.
They are replaced by [Server-side Repository Configuration](https://www.runatlantis.io/docs/server-side-repo-config.html) + - `requireApproval` + - `requireMergeable` + - `allowRepoConfig` + +To replicate your previous configuration, run Atlantis locally with your previous flags and Atlantis will print out the equivalent repo-config, for example: + +```bash +$ atlantis server --allow-repo-config --require-approval --require-mergeable --gh-user=foo --gh-token=bar --repo-allowlist='*' +WARNING: Flags --require-approval, --require-mergeable and --allow-repo-config have been deprecated. +Create a --repo-config file with the following config instead: + +--- +repos: +- id: /.*/ + apply_requirements: [approved, mergeable] + allowed_overrides: [apply_requirements, workflow] + allow_custom_workflows: true + +or use --repo-config-json='{"repos":[{"id":"/.*/", "apply_requirements":["approved", "mergeable"], "allowed_overrides":["apply_requirements","workflow"], "allow_custom_workflows":true}]}' +``` + +Then use this YAML in the new repoConfig value: + +```yaml +repoConfig: | + --- + repos: + - id: /.*/ + apply_requirements: [approved, mergeable] + allowed_overrides: [apply_requirements, workflow] + allow_custom_workflows: true +``` + +### From `1.*` to `2.*` + +- The following value names have changed: + - `allow_repo_config` => `allowRepoConfig` + - `atlantis_data_storage` => `dataStorage` **NOTE: more than just a snake_case change** + - `atlantis_data_storageClass` => `storageClassName` **NOTE: more than just a snake_case change** + - `bitbucket.base_url` => `bitbucket.baseURL` + +## Testing the Deployment + +To perform a smoke test of the deployment (i.e. ensure that the Atlantis UI is up and running): + +1. Install the chart. Supply your own values file or use `test-values.yaml`, which has a minimal set of values required in order for Atlantis to start. 
+ + ```bash + helm repo add runatlantis https://runatlantis.github.io/helm-charts + helm install -f test-values.yaml my-atlantis runatlantis/atlantis --debug + ``` + +1. Run the tests: + + ```bash + helm test my-atlantis + ``` + +## Update documentation + +Documentations is auto-generated using [helm-docs](https://github.com/norwoodj/helm-docs). + +To update run the follwogin (from the root path of the repository): + +1. If required, update `charts/atlantis/README.md.gotmpl` +2. Run `make docs` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) diff --git a/charts/atlantis/README.md.gotmpl b/charts/atlantis/README.md.gotmpl new file mode 100644 index 00000000..1ac82673 --- /dev/null +++ b/charts/atlantis/README.md.gotmpl 
@@ -0,0 +1,146 @@ +# Atlantis + +[Atlantis](https://www.runatlantis.io/) is a tool for safe collaboration on [Terraform](https://www.terraform.io/) repositories. + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.requirementsSection" . }} + +## Links + +- [Introduction](#introduction) +- [Prerequisites](#prerequisites) +- [Required Configuration](#required-configuration) +- [Additional manifests](#additional-manifests) +- [Values](#values) +- [Upgrading](#upgrading) + - [From `2.*` to `3.*`](#from-2-to-3) + - [From `1.*` to `2.*`](#from-1-to-2) +- [Testing the Deployment](#testing-the-deployment) +- [Update documentation](#update-documentation) + +## Introduction + +This chart creates a single pod in a StatefulSet running Atlantis. Atlantis persists Terraform [plan files](https://www.terraform.io/docs/commands/plan.html) and [lockfiles](https://www.terraform.io/docs/state/locking.html) to disk for the duration of a Pull/Merge Request. These files are stored in a PersistentVolumeClaim to survive Pod failures. + +## Prerequisites + +- Kubernetes 1.9+ +- PersistentVolume support + +## Required Configuration + +In order for Atlantis to start and run successfully: + +1. At least one of the following sets of credentials must be defined: + - `github` + - `gitlab` + - `bitbucket` + - `azuredevops` + + Refer to [values.yaml](/charts/atlantis/values.yaml) for detailed examples. + They can also be provided directly through a Kubernetes `Secret`, use the variable `vcsSecretName` to reference it. + +1. Supply a value for `orgAllowlist`, e.g. `github.com/myorg/*`. + +## Additional manifests + +It is possible to add additional manifests into a deployment, to extend the chart. One of the reason is to deploy a manifest specific to a cloud provider ( BackendConfig on GKE for example ). 
+ +```yaml +extraManifests: + - apiVersion: cloud.google.com/v1beta1 + kind: BackendConfig + metadata: + name: "{{ `.Release.Name` }}-test" + spec: + securityPolicy: + name: "gcp-cloud-armor-policy-test" +``` + +{{ template "chart.valuesSection" . }} + +## Upgrading + +### From `4.0.*` to `4.1.*` + +- The following value are deprecated: + - `dataStorage` + - `storageClassName` + +- In favor of the new working way: + - `volumeClaim.enabled` + - `volumeClaim.dataStorage` + - `volumeClaim.storageClassName` + +### From `2.*` to `3.*` + +- The following value names have been removed. They are replaced by [Server-side Repository Configuration](https://www.runatlantis.io/docs/server-side-repo-config.html) + - `requireApproval` + - `requireMergeable` + - `allowRepoConfig` + +To replicate your previous configuration, run Atlantis locally with your previous flags and Atlantis will print out the equivalent repo-config, for example: + +```bash +$ atlantis server --allow-repo-config --require-approval --require-mergeable --gh-user=foo --gh-token=bar --repo-allowlist='*' +WARNING: Flags --require-approval, --require-mergeable and --allow-repo-config have been deprecated. 
+Create a --repo-config file with the following config instead: + +--- +repos: +- id: /.*/ + apply_requirements: [approved, mergeable] + allowed_overrides: [apply_requirements, workflow] + allow_custom_workflows: true + +or use --repo-config-json='{"repos":[{"id":"/.*/", "apply_requirements":["approved", "mergeable"], "allowed_overrides":["apply_requirements","workflow"], "allow_custom_workflows":true}]}' +``` + +Then use this YAML in the new repoConfig value: + +```yaml +repoConfig: | + --- + repos: + - id: /.*/ + apply_requirements: [approved, mergeable] + allowed_overrides: [apply_requirements, workflow] + allow_custom_workflows: true +``` + +### From `1.*` to `2.*` + +- The following value names have changed: + - `allow_repo_config` => `allowRepoConfig` + - `atlantis_data_storage` => `dataStorage` **NOTE: more than just a snake_case change** + - `atlantis_data_storageClass` => `storageClassName` **NOTE: more than just a snake_case change** + - `bitbucket.base_url` => `bitbucket.baseURL` + +## Testing the Deployment + +To perform a smoke test of the deployment (i.e. ensure that the Atlantis UI is up and running): + +1. Install the chart. Supply your own values file or use `test-values.yaml`, which has a minimal set of values required in order for Atlantis to start. + + ```bash + helm repo add runatlantis https://runatlantis.github.io/helm-charts + helm install -f test-values.yaml my-atlantis runatlantis/atlantis --debug + ``` + +1. Run the tests: + + ```bash + helm test my-atlantis + ``` + +## Update documentation + +Documentations is auto-generated using [helm-docs](https://github.com/norwoodj/helm-docs). + +To update run the follwogin (from the root path of the repository): + +1. If required, update `charts/atlantis/README.md.gotmpl` +2. Run `make docs` + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml index 0536d370..0b1c1440 100644 --- a/charts/atlantis/values.yaml 
+++ b/charts/atlantis/values.yaml @@ -2,34 +2,44 @@ # Values to override for your instance. ## -------------------------- ## -# Provide a name to substitute for the full names of resources +# -- Provide a name to substitute for the full names of resources fullnameOverride: "" -# Provide a name to substitute for the name of the chart +# -- Provide a name to substitute for the name of the chart nameOverride: "" -## An option to override the atlantis url, -## if not using an ingress, set it to the external IP. -# atlantisUrl: http://10.0.0.0 +# -- An option to override the atlantis url, +# if not using an ingress, set it to the external IP. +# Check values.yaml for examples. +atlantisUrl: "" +# Example: http://10.0.0.0 -# Replace this with your own repo allowlist: -orgAllowlist: -# logLevel: "debug" +# -- Replace this with your own repo allowlist. +# @default -- No default. Needs to specified. +orgAllowlist: "" -# Deprecated in favor of orgAllowlist -# orgWhitelist: +# -- Deprecated in favor of orgAllowlist. +orgWhitelist: "" -# If using GitHub, specify like the following: +# -- Specify the log level for Atlantis. +# Accepts: debug, info, warn, or error. +logLevel: "" + +# -- If using GitHub, please enter your values as follows. +# The chart will perform the base64 encoding for values that are stored in secrets. +# The 'hostname' key is exclusive to GitHub Enterprise installations. +# Check values.yaml for examples. github: {} # github: # user: foo # token: bar # secret: baz -# GitHub Enterprise only: # hostname: github.your.org -# (The chart will perform the base64 encoding for you for values that are stored in secrets.) -# If using a GitHub App, please enter your values as follows: +# -- If using a GitHub App, please enter your values as follows. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +githubApp: {} # githubApp: # id: 123456 # slug: foo 
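Review bot: The `@default` annotation on `orgAllowlist` reads `No default. Needs to specified.`, and because helm-docs copies that string verbatim into the README table (it already appears that way in the regenerated README in this diff), the grammar slip is user-facing; change it to `# @default -- No default. Needs to be specified.`. The value itself moves from a bare `orgAllowlist:` (null) to `""`; presumably the templates gate on truthiness, where both are falsy, but it is worth confirming that nothing renders an empty `--repo-allowlist` argument, since Atlantis treats the allowlist as required and an empty string would turn a clear "flag missing" failure into a less obvious rejected-value one. The same null-to-`""` switch applies to `atlantisUrl` and `logLevel` in this hunk.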
@@ -38,71 +48,86 @@ github: {} # ... # -----END PRIVATE KEY----- # secret: baz -# (The chart will perform the base64 encoding for you for values that are stored in secrets.) -# If using GitLab, specify like the following: +# -- If using GitLab, please enter your values as follows. +# The 'hostname' key is exclusive to GitLab Enterprise installations. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +gitlab: {} # gitlab: # user: foo # token: bar # secret: baz -# GitLab Enterprise only: # hostname: gitlab.your.org -# (The chart will perform the base64 encoding for you for values that are stored in secrets.) -# If using Bitbucket, there are two approachs, Bitbucket Server, deployed in your own infrastructure and Cloud available at (https://Bitbucket.org) +# -- If using Bitbucket, there are two approaches: +# Bitbucket Server, deployed in your own infrastructure +# and Cloud available at (https://Bitbucket.org). +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +bitbucket: {} -# Bitbucket Server, specify like the following: +# Bitbucket Server # bitbucket: # user: foo # token: bar # secret: baz # baseURL: https://bitbucket.yourorganization.com -# Bitbucket Cloud, specify like the following: +# Bitbucket Cloud +# The recommendation is to genarate a service user on your cloud environment, but you can live on the edge using your own user :). +# Create an APP PASSWORD to the user for the token value. +# Base URL are not needed here, but keep in mind to provide an IP Whitelist as the Atlantis documentation. 
# bitbucket: -# user: # The recommended here is genarate a service user on your cloud environment, but yes, you can live on the edge using your own user :) -# token: # Create an APP PASSWORD to the user -# Base URL are not needed here, but keep in mind to provide an IP Whitelist as the Atlantis documentation -# (The chart will perform the base64 encoding for you for values that are stored in secrets.) +# user: foo +# token: bar -# If using Azure DevOps, specify like the following: +# -- If using Azure DevOps, please enter your values as follows. +# The chart will perform the base64 encoding for you for values that are stored in secrets. +# Check values.yaml for examples. +azuredevops: {} # azuredevops: # user: foo # token: bar # webhookUser: foo # webhookPassword: baz -# (The chart will perform the base64 encoding for you for values that are stored in secrets.) -# If managing secrets outside the chart for the webhook, use this variable to reference the secret name -# vcsSecretName: 'mysecret' +# -- If managing secrets outside the chart for the webhook, use this variable to reference the secret name +vcsSecretName: "" -# When referencing Terraform modules in private repositories, it may be helpful -# (necessary?) to use redirection in a .gitconfig like so: +# -- When referencing Terraform modules in private repositories, it may be helpful +# (necessary?) to use redirection in a .gitconfig. +# Check values.yaml for examples. 
+gitconfig: "" # gitconfig: | - # [url "https://YOUR_GH_TOKEN@github.com"] - # insteadOf = https://github.com - # [url "https://YOUR_GH_TOKEN@github.com"] - # insteadOf = ssh://git@github.com - # [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] - # insteadOf = https://gitlab.com - # [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] - # insteadOf = ssh://git@gitlab.com +# [url "https://YOUR_GH_TOKEN@github.com"] +# insteadOf = https://github.com +# [url "https://YOUR_GH_TOKEN@github.com"] +# insteadOf = ssh://git@github.com +# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] +# insteadOf = https://gitlab.com +# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"] +# insteadOf = ssh://git@gitlab.com # Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token -# If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name -# gitconfigSecretName: 'mygitconfigsecret' +# -- If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name +gitconfigSecretName: "" -# When referencing Terraform modules in private repositories or registries (such as Artfactory) -# configuing a .netrc file for authentication may be required: +# -- When referencing Terraform modules in private repositories or registries (such as Artfactory) +# configuing a .netrc file for authentication may be required. +# Check values.yaml for examples. 
+netrc: "" # netrc: | - # machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD - # machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD +# machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD +# machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD -# If managing secrets outside the chart for the netrc file, use this variable to reference the secret name -# netrcSecretName: 'mynetrcsecret' +# -- If managing secrets outside the chart for the netrc file, use this variable to reference the secret name +netrcSecretName: "" -# To specify AWS credentials to be mapped to ~/.aws or to aws.directory: +# -- To specify AWS credentials to be mapped to ~/.aws or to aws.directory. +# Check values.yaml for examples. aws: {} +# aws: # credentials: | # [default] # aws_access_key_id=YOUR_ACCESS_KEY_ID @@ -113,16 +138,18 @@ aws: {} # role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume # source_profile = default # directory: "/home/atlantis/.aws" -# To reference an already existing Secret object with AWS credentials -# awsSecretName: 'mysecretwithawscreds' -## To keep backwards compatibility -## Deprecated (see googleServiceAccountSecrets) -## To be used for mounting credential files (when using google provider). -## serviceAccountSecrets: - # credentials: - # credentials-staging: +# -- To reference an already existing Secret object with AWS credentials +awsSecretName: "" +# -- To keep backwards compatibility only. +# Deprecated (see googleServiceAccountSecrets). +# To be used for mounting credential files (when using google provider). +# Check values.yaml for examples. +serviceAccountSecrets: {} +# serviceAccountSecrets: +# credentials: +# credentials-staging: ## -------------------------- ## # Default values for atlantis (override as needed). 
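Review bot: The commented `gitconfig` and `netrc` examples embed credentials inline (`YOUR_GH_TOKEN`, `YOUR_PASSWORD`), and nothing next to the keys says where such values end up; the `gitconfigSecretName` / `netrcSecretName` wording implies the chart otherwise writes them into a Secret it manages, and Helm additionally keeps user-supplied values in its stored release history, so real tokens belong on the external-secret path. I would add above `gitconfig: ""` a comment along the lines of `# Values set here are stored by the chart (and in the Helm release values); for real credentials prefer gitconfigSecretName.`, with the same sentence above `netrc: ""` pointing at `netrcSecretName`. Separately, the example lines appear to have been dedented from `  # [url ...` to `# [url ...`; if that is real rather than an artifact of this rendering, uncommenting `gitconfig: |` no longer yields an indented block scalar and the example will not parse as written, and the `# netrc: |` example has the same shape.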
@@ -130,106 +157,118 @@ aws: {} image: repository: ghcr.io/runatlantis/atlantis - # if not set appVersion field from Chart.yaml is used + # -- If not set appVersion field from Chart.yaml is used tag: "" pullPolicy: Always -## Optionally specify an array of imagePullSecrets. -## Secrets must be manually created in the namespace. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -## +# -- Optionally specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. +# Check values.yaml for examples. +imagePullSecrets: [] # imagePullSecrets: -# - myRegistryKeySecretName +# - myRegistryKeySecretName -## Override atlantis main configuration by config map, -## ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis +# -- Override atlantis main configuration by config map, +# ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis. +# Check values.yaml for examples. +config: "" # config: | -# --- -# webhooks: -# - event: apply -# workspace-regex: .* -# branch-regex: .* -# kind: slack -# channel: my-channel - -## Use Server Side Repo Config, -## ref: https://www.runatlantis.io/docs/server-side-repo-config.html -## Example default configuration +# --- +# webhooks: +# - event: apply +# workspace-regex: .* +# branch-regex: .* +# kind: slack +# channel: my-channel + +# -- Use Server Side Repo Config, +# ref: https://www.runatlantis.io/docs/server-side-repo-config.html. +# Check values.yaml for examples. 
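Review bot: The `serviceAccountSecrets` example lists `credentials:` and `credentials-staging:` with no values, so a reader cannot tell whether each key takes the name of an existing Secret or the credential file contents; a short trailing comment on each example key stating what its value is would make the deprecated path usable until it is removed, and the `# -- To be used for mounting credential files` sentence could say which of the two it means. Style: `awsSecretName: ""` runs straight into the next `# --` stanza with no blank line, unlike every other top-level value in this file.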
+repoConfig: "" +# Example with default configuration: # repoConfig: | -# --- -# repos: -# - id: /.*/ -# apply_requirements: [] -# workflow: default -# allowed_overrides: [] -# allow_custom_workflows: false -# workflows: -# default: -# plan: -# steps: [init, plan] -# apply: -# steps: [apply] -# # metrics: -# # prometheus: -# # endpoint: /metrics - -# allowForkPRs enables atlantis to run on a fork Pull Requests +# --- +# repos: +# - id: /.*/ +# apply_requirements: [] +# workflow: default +# allowed_overrides: [] +# allow_custom_workflows: false +# workflows: +# default: +# plan: +# steps: [init, plan] +# apply: +# steps: [apply] +# metrics: +# prometheus: +# endpoint: /metrics + +# -- Enables atlantis to run on a fork Pull Requests. allowForkPRs: false -# allowDraftPRs enables atlantis to run on a draft Pull Requests +# -- Enables atlantis to run on a draft Pull Requests. allowDraftPRs: false -# hidePrevPlanComments enables atlantis to hide previous plan comments +# -- Enables atlantis to hide previous plan comments. hidePrevPlanComments: false -# hideUnchangedPlanComments enables atlantis to hide no-changes plan comments from the pull request +# -- Enables atlantis to hide no-changes plan comments from the pull request. hideUnchangedPlanComments: false -## defaultTFVersion set the default terraform version to be used in atlantis server -# defaultTFVersion: 0.12.0 +# -- Sets the default terraform version to be used in atlantis server. +# Check values.yaml for examples. +defaultTFVersion: "" +# Example: "0.12.0". -# disableApply disables running `atlantis apply` regardless of which flags are sent with it +# -- Disables running `atlantis apply` regardless of which flags are sent with it. disableApply: false -# disableApplyAll disables running `atlantis apply` without any flags +# -- Disables running `atlantis apply` without any flags. 
disableApplyAll: false -# disableRepoLocking stops atlantis locking projects and or workspaces when running terraform +# -- Stops atlantis locking projects and or workspaces when running terraform. disableRepoLocking: false -# Use Diff Markdown Format for color coding diffs +# -- Use Diff Markdown Format for color coding diffs. enableDiffMarkdownFormat: false -# Optionally specify an username and a password for basic authentication +# -- Optionally specify an username and a password for basic authentication. +# Check values.yaml for examples. +basicAuth: "" # basicAuth: -# username: "atlantis" -# password: "atlantis" +# username: "atlantis" +# password: "atlantis" -# If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name -# basicAuthSecretName: "basicauthsecret" +# -- If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name. +basicAuthSecretName: "" -# Optionally specify an API secret to enable the API +# -- Optionally specify an API secret to enable the API. +# Check values.yaml for examples. +api: {} # api: # secret: "s3cr3t" -# If managing secrets outside the chart for the API secret, use this variable to reference the secret name -# apiSecretName: "myapisecret" +# -- If managing secrets outside the chart for the API secret, use this variable to reference the secret name. +apiSecretName: "" -# Override the command field of the Atlantis container -# command: [] +# -- Override the command field of the Atlantis container. +command: [] -# Common Labels for all resources created by this chart. +# -- Common Labels for all resources created by this chart. commonLabels: {} -# We only need to check every 60s since Atlantis is not a high-throughput service. livenessProbe: enabled: true + # -- We only need to check every 60s since Atlantis is not a high-throughput service. 
periodSeconds: 60 initialDelaySeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 scheme: HTTP + readinessProbe: enabled: true periodSeconds: 60 
@@ -249,128 +288,144 @@ service: loadBalancerSourceRanges: [] podTemplate: + # -- Check values.yaml for examples. annotations: {} - # kube2iam example: - # iam.amazonaws.com/role: role-arn + # annotations: + # iam.amazonaws.com/role: role-arn # kube2iam example. labels: {} -# It is not recommended to run atlantis as root statefulSet: annotations: {} labels: {} securityContext: fsGroup: 1000 + # -- It is not recommended to run atlantis as root. runAsUser: 100 fsGroupChangePolicy: "OnRootMismatch" priorityClassName: "" updateStrategy: {} - # option to share process namespace with atlantis container + # -- Option to share process namespace with atlantis container. shareProcessNamespace: false -## Optionally customize the terminationGracePeriodSeconds -# terminationGracePeriodSeconds: 60 +# -- (int) Optionally customize the termination grace period in seconds. +# @default -- default depends on the kubernetes version. +terminationGracePeriodSeconds: ingress: enabled: true ingressClassName: apiVersion: "" labels: {} + # -- Check values.yaml for examples. annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: /* # / for nginx -## this is in case we want several paths under the same host, with different backend services -# paths: -# - path: "/path1" -# service: test1 -# port: -# - path: "/path2" -# service: test2 -# port: + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Use / for nginx. + path: /* + # -- Used when several paths under the same host, with different backend services, are required. + # Check values.yaml for examples. + paths: [] + # - path: "/path1" + # service: test1 + # port: + # - path: "/path2" + # service: test2 + # port: pathType: ImplementationSpecific - host: - -## in case we need several hosts: - hosts: + host: "" + # -- Used when several hosts are required. + # Check values.yaml for examples. 
+ hosts: [] # - host: chart-example.local # paths: ["/"] # service: chart-example1 # - host: chart-example.local2 # service: chart-example1 # paths: ["/lala"] + # -- Check values.yaml for examples. tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local - webhook_ingress: - enabled: false # true to create secondary webhook. + # -- When true creates a secondary webhook. + enabled: false ingressClassName: apiVersion: "" + # -- Check values.yaml for examples. annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: /* # / for nginx -## this is in case we want several paths under the same host, with different backend services -# paths: -# - path: "/path1" -# service: test1 -# port: -# - path: "/path2" -# service: test2 -# port: + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # -- Use / for nginx. + path: /* + # -- Used when several paths under the same host, with different backend services, are required. + # Check values.yaml for examples. + paths: [] + # - path: "/path1" + # service: test1 + # port: + # - path: "/path2" + # service: test2 + # port: pathType: ImplementationSpecific - host: - -## in case we need several hosts: - hosts: + host: "" + # -- Used when several hosts are required. + # Check values.yaml for examples. + hosts: [] # - host: chart-example.local # paths: ["/"] # service: chart-example1 # - host: chart-example.local2 # service: chart-example1 # paths: ["/lala"] + # -- TLS configuration. + # Check values.yaml for examples. tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local labels: {} -## Allow to override the /etc/ssl/certs/ca-certificates.cer with your custom one -# You have to create a secret `my-ca-certificates` -# customPem: my-ca-certificates +# -- Allows to override the /etc/ssl/certs/ca-certificates.cer with your custom one. +# You have to create a secret with the specified name. 
+customPem: "" +# -- Resources for Atlantis. +# Check values.yaml for examples. resources: {} - # requests: - # memory: 1Gi - # cpu: 100m - # limits: - # memory: 1Gi - # cpu: 100m - -## Path to the data directory for the volumeMount +# resources: +# requests: +# memory: 1Gi +# cpu: 100m +# limits: +# memory: 1Gi +# cpu: 100m + +# -- Path to the data directory for the volumeMount. atlantisDataDirectory: /atlantis-data -## Embedded data volume & volumeMount (default working) volumeClaim: enabled: true - ## Disk space for to check out repositories + # -- Disk space available to check out repositories. dataStorage: 5Gi - ## Storage class name (if possible, use a resizable one) - # storageClassName: value + # -- Storage class name (if possible, use a resizable one). + storageClassName: "" accessModes: ["ReadWriteOnce"] -## To keep backwards compatibility -## DEPRECATED - Disk space for Atlantis to check out repositories -# dataStorage: 5Gi -## DEPRECATED - Storage class name for Atlantis disk -# storageClassName: value +# -- DEPRECATED - Disk space available to check out repositories. +# Example: 5Gi. +dataStorage: "" +# -- DEPRECATED - Storage class name for Atlantis disk. +storageClassName: "" +# -- Replica count for Atlantis pods. replicaCount: 1 -## test container details test: + # -- Enables test container. enabled: true image: bats/bats imageTag: 1.9.0 @@ -382,7 +437,9 @@ tolerations: [] affinity: {} -# topologySpreadConstraints -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19). +# -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, +# zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19). +# Check values.yaml for examples. topologySpreadConstraints: [] # - labelSelector: # matchLabels: 
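Review bot: `storageClassName: ""` under `volumeClaim` is not equivalent to the commented-out key it replaces: on a PersistentVolumeClaim an explicit empty `storageClassName` disables dynamic provisioning and binds only to pre-existing class-less PVs, whereas an absent field selects the cluster's default StorageClass. Whether the empty string reaches the rendered PVC depends on the statefulset template, which is not in this diff; if it is rendered unconditionally, default installs would no longer get a dynamically provisioned volume, so the template should guard it with `{{- with .Values.volumeClaim.storageClassName }}` (empty string is falsy) or the value should stay unset. The same consideration applies, more mildly, to the new top-level deprecated `storageClassName: ""`. Separately, `terminationGracePeriodSeconds:` is left as a bare key, which parses as null; writing `terminationGracePeriodSeconds: null` makes the intent explicit and survives reformatting tools.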
@@ -392,35 +449,39 @@ topologySpreadConstraints: [] # whenUnsatisfiable: DoNotSchedule serviceAccount: - # Specifies whether a ServiceAccount should be created + # -- Specifies whether a ServiceAccount should be created. create: true - # Set the `automountServiceAccountToken` field on the pod template spec - # If false, no kubernetes service account token will be mounted to the pod + # -- Set the `automountServiceAccountToken` field on the pod template spec. + # -- If false, no kubernetes service account token will be mounted to the pod. mount: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template + # -- The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. name: null - # Annotations for the Service Account - # Example: - # + # -- Annotations for the Service Account. + # Check values.yaml for examples. + annotations: {} # annotations: # annotation1: value # annotation2: value - annotations: {} # IRSA example: - # eks.amazonaws.com/role-arn: role-arn + # annotations: + # eks.amazonaws.com/role-arn: role-arn -# Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend +# -- Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend. enableKubernetesBackend: false -# tlsSecretName: tls +# -- TLS Secret Name for Atlantis pod. +tlsSecretName: "" +# -- Environtment values to add to the Atlantis pod. +# Check values.yaml for examples. environment: {} # environment: # ATLANTIS_DEFAULT_TF_VERSION: v1.2.9 -# Optionally specify additional environment variables to be populated from Kubernetes secrets. +# -- Optionally specify additional environment variables to be populated from Kubernetes secrets. # Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets. +# Check values.yaml for examples. 
environmentSecrets: [] # environmentSecrets: # - name: THE_ENV_VAR 
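Review bot: The second description line for `serviceAccount.mount` repeats the description marker (`# -- If false, no kubernetes service account token will be mounted to the pod.`), while every other multi-line description in this file uses a plain `# ` for continuation lines; it should read `# If false, no kubernetes service account token will be mounted to the pod.` so the two sentences form one description rather than two. Further down the hunk, `# -- Environtment values to add to the Atlantis pod.` has a typo and should be `Environment`. These comments are presumably what `make docs` turns into the generated README, so wording errors here become user-facing documentation.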
@@ -428,51 +489,59 @@ environmentSecrets: [] # name: the_k8s_secret_name # key: the_key_of_the_value_in_the_secret -# Optionally specify additional environment variables in raw yaml format -# Useful to specify variables refering to k8s objects +# -- Optionally specify additional environment variables in raw yaml format. +# Useful to specify variables refering to k8s objects. +# Check values.yaml for examples. +environmentRaw: [] # environmentRaw: # - name: POD_IP # valueFrom: # fieldRef: # fieldPath: status.podIP -environmentRaw: [] -# Optionally specify additional Kubernetes secrets to load environment variables from. +# -- Optionally specify additional Kubernetes secrets to load environment variables from. # All key-value pairs within these secrets will be set as environment variables. # Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. # For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used. +# Check values.yaml for examples. loadEnvFromSecrets: [] # loadEnvFromSecrets: # - secret_one # - secret_two -# Optionally specify additional Kubernetes ConfigMaps to load environment variables from. +# -- Optionally specify additional Kubernetes ConfigMaps to load environment variables from. # All key-value pairs within these ConfigMaps will be set as environment variables. # Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset. # For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used. +# Check values.yaml for examples. loadEnvFromConfigMaps: [] # loadEnvFromConfigMaps: # - config_one # - config_two -# Optionally specify google service account credentials as Kubernetes secrets. 
If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}". +# -- Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}". +# Check values.yaml for examples. googleServiceAccountSecrets: [] # googleServiceAccountSecrets: # - name: some-secret-name # secretName: the_k8s_secret_name -# Optionally specify additional volumes for the pod. +# -- Optionally specify additional volumes for the pod. +# Check values.yaml for examples. extraVolumes: [] # extraVolumes: # - name: some-volume-name # emptyDir: {} -# Optionally specify additional volume mounts for the container. +# -- Optionally specify additional volume mounts for the container. +# Check values.yaml for examples. extraVolumeMounts: [] # extraVolumeMounts: # - name: some-volume-name # mountPath: /path/in/container +# -- Optionally specify additional manifests to be created. +# Check values.yaml for examples. extraManifests: [] # extraManifests: # - apiVersion: cloud.google.com/v1beta1 
@@ -483,47 +552,53 @@ extraManifests: [] # securityPolicy: # name: "gcp-cloud-armor-policy-test" +# -- Optionally specify init containers manifests to be added to the Atlantis pod. +# Check values.yaml for examples. initContainers: [] # initContainers: # - name: example # image: alpine:latest # command: ['sh', '-c', 'echo The init container is running! && sleep 10'] -# Install providers/plugins into a path shared with the Atlantis pod initConfig: + # -- Install providers/plugins into a path shared with the Atlantis pod. enabled: false image: alpine:latest imagePullPolicy: IfNotPresent - # sharedDir is set as env var INIT_SHARED_DIR + # -- SharedDir is set as env var INIT_SHARED_DIR. sharedDir: /plugins workDir: /tmp + # -- Size for the shared volume. sizeLimit: 100Mi - # example of how the script can be configured to install tools/providers required by the atlantis pod - script: | - #!/bin/sh - set -eoux pipefail - - # example for terragrunt - TG_VERSION="v0.47.0" - TG_SHA256_SUM="98d45f6bfbfae84b51364c1ad6920f09ecb4d834908b0535e4e331a9fc6fc75b" - TG_FILE="${INIT_SHARED_DIR}/terragrunt" - wget https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}" - echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c - chmod 755 "${TG_FILE}" - terragrunt -v - - # example for terragrunt-atlantis-config - TAC_VERSION="1.16.0" # without v - TAC_SHA256_SUM="fc3b069cf4ae51e9b7a7d01f09862d1974b260fffb3ec857d661d7b1756fe26f" - TAC_FILE="${INIT_SHARED_DIR}/terragrunt-atlantis-config" - wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TAC_VERSION}/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" - echo "${TAC_SHA256_SUM} terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" | sha256sum -c - tar xf "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" - cp -fv "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" 
"${TAC_FILE}" - chmod 755 "${TG_FILE}" - terragrunt-atlantis-config version - - + # -- Check values.yaml for examples. + script: "" + # script: | + # #!/bin/sh + # set -eoux pipefail + + # # example for terragrunt + # TG_VERSION="v0.47.0" + # TG_SHA256_SUM="98d45f6bfbfae84b51364c1ad6920f09ecb4d834908b0535e4e331a9fc6fc75b" + # TG_FILE="${INIT_SHARED_DIR}/terragrunt" + # wget https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}" + # echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c + # chmod 755 "${TG_FILE}" + # terragrunt -v + + # # example for terragrunt-atlantis-config + # TAC_VERSION="1.16.0" # without v + # TAC_SHA256_SUM="fc3b069cf4ae51e9b7a7d01f09862d1974b260fffb3ec857d661d7b1756fe26f" + # TAC_FILE="${INIT_SHARED_DIR}/terragrunt-atlantis-config" + # wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TAC_VERSION}/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" + # echo "${TAC_SHA256_SUM} terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" | sha256sum -c + # tar xf "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" + # cp -fv "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" "${TAC_FILE}" + # chmod 755 "${TG_FILE}" + # terragrunt-atlantis-config version + +# -- Optionally specify hostAliases for the Atlantis pod. +# Check values.yaml for examples. +hostAliases: [] # hostAliases: # - hostnames: # - aaa.com 
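Review bot: The commented example script still ends the terragrunt-atlantis-config section with `# chmod 755 "${TG_FILE}"`, which re-chmods the terragrunt binary instead of the file it just copied; it should be `# chmod 755 "${TAC_FILE}"`. The mistake predates this change, but since the script is now carried purely as a copy-paste example this is the moment to correct it (it may happen to work today only if `cp -fv` preserves an executable mode from the extracted tarball). Note also that `script` moves from a working default to `""`; with `initConfig.enabled` defaulting to false that is harmless out of the box, but anyone who set `enabled: true` and relied on the built-in example now gets an empty init script, which deserves a changelog line. Keeping the `sha256sum -c` checksum pinning in the example is the right pattern for binaries fetched at pod start and should stay.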
@@ -535,80 +610,93 @@ initConfig: hostNetwork: false -# these annotations will be added to all the resources +# - These annotations will be added to all the resources. +# Check values.yaml for examples. extraAnnotations: {} -# team: example +# extraAnnotations: +# team: example +# -- Optionally specify extra arguments for the Atlantis pod. +# Check values.yaml for examples. extraArgs: [] # extraArgs: -# - --disable-autoplan -# - --disable-repo-locking +# - --disable-autoplan +# - --disable-repo-locking +# -- Optionally specify extra containers for the Atlantis pod. +# Check values.yaml for examples. extraContainers: [] # extraContainers: -# - name: -# args: -# - ... -# image: -# imagePullPolicy: IfNotPresent -# resources: -# limits: -# memory: 128Mi -# requests: -# cpu: 100m -# memory: 128Mi -# volumeMounts: -# - ... - +# - name: +# args: +# - ... +# image: +# imagePullPolicy: IfNotPresent +# resources: +# limits: +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi +# volumeMounts: +# - ... + +# -- Check values.yaml for examples. containerSecurityContext: {} # containerSecurityContext: # allowPrivilegeEscalation: false # readOnlyRootFilesystem: true servicemonitor: - # to enable a Prometheus servicemonitor, set enabled to true, + # -- To enable a Prometheus servicemonitor, set enabled to true, # and enable the metrics in this file's repoConfig - # by setting a value for metrics.prometheus.endpoint + # by setting a value for metrics.prometheus.endpoint. enabled: false interval: "30s" path: /metrics - # Prometheus ServiceMonitor labels + # -- Prometheus ServiceMonitor labels. additionalLabels: {} auth: - # if auth is enabled on Atlantis, use one of the following mechanism + # -- If auth is enabled on Atlantis, use one of the following mechanism. 
basicAuth: - # authentication from the secret generated with the basicAuth values + # -- Authentication from the secret generated with the basicAuth values # this will reference the username and password keys - # from the atlantis-basic-auth secret + # from the atlantis-basic-auth secret. enabled: false externalSecret: - # authentication based on an external secret + # -- Authentication based on an external secret enabled: false - # name: atlantis-env + name: "" + # -- Check values.yaml for examples. + keys: {} # keys: # username: USERNAME # password: ATLANTIS_WEB_PASSWORD -# Enable this if you're using Google Managed Prometheus +# -- Enable this if you're using Google Managed Prometheus. podMonitor: enabled: false interval: "30s" -# Set the desired Locking DB type -# lockingDbType: +# -- Set the desired Locking DB type +# Accepts boltdb or redis. +lockingDbType: "" -# Configure Redis Locking DB -# lockingDbType value must be redis for the config to take effect +# -- Configure Redis Locking DB. +# lockingDbType value must be redis for the config to take effect. +# Check values.yaml for examples. redis: {} -# host: redis.host.name -# password: myRedisPassword -# port: 6379 -# db: 0 -# tlsEnabled: false -# insecureSkipVerify: false - -# If managing secrets outside the chart for the Redis secret, use this variable to reference the secret name -# redisSecretName: "myRedisSecret" - -# Set lifecycle hooks https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ +# redis: +# host: redis.host.name +# password: myRedisPassword +# port: 6379 +# db: 0 +# tlsEnabled: false +# insecureSkipVerify: false + +# -- When managing secrets outside the chart for the Redis secret, use this variable to reference the secret name. +redisSecretName: "" + +# -- Set lifecycle hooks. +# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/. lifecycle: {}
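Review bot: `# - These annotations will be added to all the resources.` above `extraAnnotations` uses a single dash while every other description in the file uses the `# --` marker, so this parameter would presumably be rendered without a description; it should be `# -- These annotations will be added to all the resources.` The `redis` example keeps `# password: myRedisPassword` as an inline value right next to the new `redisSecretName: ""`, which invites users to commit the password into values; a one-line pointer such as `# password: myRedisPassword  # prefer redisSecretName for real deployments` would steer them toward the secret reference. The enclosing `@@ -535,80 +610,93 @@` hunk may extend past the end of this view.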