Add a separate Atlantis deployment for config-mgmt
What
Add a separate Atlantis deployment for config-mgmt:
- Move the `atlantis-ops` deployment under the `/ops/` path in the ingress
- Add an `atlantis-ops-config-mgmt` deployment, reusing the ingress from the first deployment under the path `/ops-config-mgmt`
- Add a workload identity annotation to its service account, which we will use for access to the Terraform state buckets
- Use a different webhook secret for each deployment
- Move the repository config into a plain YAML file to make it easier to edit and validate
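To make the split concrete, here is an added set of Kubernetes manifests sketching the layout described above. These are illustrative and are not the MR's own manifests: the deployment names and ingress paths are the ones listed, but the namespace, host, image tag, GCP service account, Secret and ConfigMap names are assumptions. The two deployments run under different Kubernetes service accounts, so the Vault role and the workload identity binding attached to the config-mgmt service account are not available to the plain `atlantis-ops` pods, and each deployment reads its webhook secret from its own Secret.

```yaml
# Added illustration; names marked "assumed" are placeholders, not values from the MR.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: atlantis-ops
  namespace: atlantis            # assumed namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: atlantis-ops-config-mgmt
  namespace: atlantis
  annotations:
    # GKE Workload Identity binding (assumed GCP service account). Only pods
    # running as this Kubernetes SA can reach the Terraform state buckets.
    iam.gke.io/gcp-service-account: atlantis-config-mgmt@EXAMPLE_PROJECT.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: atlantis-ops-config-mgmt
  namespace: atlantis
spec:
  replicas: 1
  selector:
    matchLabels: {app: atlantis-ops-config-mgmt}
  template:
    metadata:
      labels: {app: atlantis-ops-config-mgmt}
    spec:
      # Distinct SA: its token is what Atlantis presents to Vault, so the
      # config-mgmt Vault permissions are bound to this deployment only.
      serviceAccountName: atlantis-ops-config-mgmt
      containers:
        - name: atlantis
          image: ghcr.io/runatlantis/atlantis:PINNED_TAG   # assumed tag placeholder
          args: ["server"]
          ports:
            - containerPort: 4141
          env:
            - name: ATLANTIS_ATLANTIS_URL
              value: https://atlantis.example.com/ops-config-mgmt   # assumed host
            - name: ATLANTIS_GITLAB_WEBHOOK_SECRET
              valueFrom:
                secretKeyRef:
                  name: atlantis-ops-config-mgmt-webhook   # separate Secret per deployment (assumed name)
                  key: secret
            - name: ATLANTIS_REPO_CONFIG
              value: /etc/atlantis/repos.yaml   # server-side repo config kept as plain YAML
          volumeMounts:
            - name: repo-config
              mountPath: /etc/atlantis
              readOnly: true
      volumes:
        - name: repo-config
          configMap:
            name: atlantis-ops-config-mgmt-repos   # assumed ConfigMap holding repos.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: atlantis-ops
  namespace: atlantis
spec:
  rules:
    - host: atlantis.example.com      # assumed host
      http:
        paths:
          - path: /ops/
            pathType: Prefix
            backend:
              service: {name: atlantis-ops, port: {number: 4141}}
          - path: /ops-config-mgmt
            pathType: Prefix
            backend:
              service: {name: atlantis-ops-config-mgmt, port: {number: 4141}}
```

The matching `atlantis-ops` Deployment, the two ClusterIP Services and the Secrets are omitted for brevity; the point to check in review is that neither `serviceAccountName` nor the webhook `secretKeyRef` is shared between the two Deployments, since sharing either would collapse the separation the change is meant to create.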
Why
For security reasons: because Atlantis authenticates to Vault using its Kubernetes service account token and is granted all the permissions necessary for config-mgmt deployments, which can be dangerous, we want a separate dedicated deployment for it. We might follow this pattern for other repositories as well.
Part of https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/24174