Add a separate Atlantis deployment for config-mgmt

Pierre Guinoiseau requested to merge pguinoiseau/atlantis-ops-config-mgmt into master

What

Add a separate Atlantis deployment for config-mgmt:

  • Move the atlantis-ops deployment under the /ops/ path in the ingress
  • Add an atlantis-ops-config-mgmt deployment, reusing the ingress from the first deployment under the path /ops-config-mgmt
  • Add a workload identity annotation to its service account which we will use for access to the Terraform state buckets
  • Use a different webhook secret for each deployment
  • Move the repository config under a plain YAML file to make it easier to edit and validate

Why

For security reasons: because Atlantis authenticates to Vault using its Kubernetes service account token and is granted all the permissions necessary for config-mgmt deployments, which can be dangerous, we want a separate dedicated deployment for it. We might follow this pattern for other repositories as well.

Part of https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/24174
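The layout the description above asks for, as an added illustration rather than the MR's own manifests: one Ingress fanning out to two Atlantis deployments by path prefix, a separate ServiceAccount per deployment with the GKE workload identity annotation only on the config-mgmt one, and a distinct webhook secret per deployment. The namespace, hostname, GCP service account, project id, image tag and secret values are placeholders; the Service objects the Ingress backends refer to are assumed to exist and are omitted here. The `ATLANTIS_*` variables are the environment form of the corresponding Atlantis server flags.

```yaml
# Added example, not the project's manifests. All names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: atlantis-ops
  namespace: atlantis
  # Deliberately no workload identity binding: this deployment must not
  # be able to reach the config-mgmt Terraform state buckets.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: atlantis-ops-config-mgmt
  namespace: atlantis
  annotations:
    # Pods using this SA act as the named GCP service account, which is
    # the only identity granted access to the state buckets.
    iam.gke.io/gcp-service-account: atlantis-config-mgmt@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: v1
kind: Secret
metadata:
  name: atlantis-ops-webhook
  namespace: atlantis
type: Opaque
stringData:
  webhook-secret: REPLACE_WITH_RANDOM_VALUE_A   # one secret per deployment
---
apiVersion: v1
kind: Secret
metadata:
  name: atlantis-ops-config-mgmt-webhook
  namespace: atlantis
type: Opaque
stringData:
  webhook-secret: REPLACE_WITH_RANDOM_VALUE_B   # never shared with atlantis-ops
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: atlantis-ops-config-mgmt
  namespace: atlantis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atlantis-ops-config-mgmt
  template:
    metadata:
      labels:
        app: atlantis-ops-config-mgmt
    spec:
      serviceAccountName: atlantis-ops-config-mgmt   # carries the WI annotation
      containers:
      - name: atlantis
        image: ghcr.io/runatlantis/atlantis:VERSION_PLACEHOLDER
        env:
        # External URL must include the ingress path prefix so links and
        # webhook callbacks resolve to this deployment, not the other one.
        - name: ATLANTIS_ATLANTIS_URL
          value: https://atlantis.example.internal/ops-config-mgmt
        - name: ATLANTIS_GITLAB_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              name: atlantis-ops-config-mgmt-webhook
              key: webhook-secret
        # Server-side repo config kept as a plain YAML file (mounted elsewhere).
        - name: ATLANTIS_REPO_CONFIG
          value: /etc/atlantis/repos.yaml
        ports:
        - containerPort: 4141
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: atlantis
  namespace: atlantis
spec:
  rules:
  - host: atlantis.example.internal
    http:
      paths:
      - path: /ops
        pathType: Prefix
        backend:
          service:
            name: atlantis-ops
            port:
              number: 4141
      - path: /ops-config-mgmt
        pathType: Prefix
        backend:
          service:
            name: atlantis-ops-config-mgmt
            port:
              number: 4141
```

The point of the split is visible in the ServiceAccount objects: the Vault role and the workload identity binding are keyed to the `atlantis-ops-config-mgmt` identity, so a compromise of the general-purpose deployment yields neither the config-mgmt Vault permissions nor the state-bucket access. Keeping the webhook secrets distinct means a leaked secret for one path cannot be used to trigger plans or applies on the other.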