charts/atlantis/values.yaml

## -------------------------- ##
# Values to override for your instance.
## -------------------------- ##

# Provide a name to substitute for the full names of resources
fullnameOverride: ""

# Provide a name to substitute for the name of the chart
nameOverride: ""

## An option to override the atlantis url,
##   if not using an ingress, set it to the external IP.
# atlantisUrl: http://10.0.0.0

# Replace this with your own repo allowlist:
orgAllowlist: <replace-me>
# logLevel: "debug"

# Deprecated in favor of orgAllowlist
# orgWhitelist:  <replace-me>

# If using GitHub, specify like the following:
github: {}
# github:
#   user: foo
#   token: bar
#   secret: baz
# GitHub Enterprise only:
#   hostname: github.your.org
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If using a GitHub App, please enter your values as follows:
# githubApp:
#   id: 123456
#   slug: foo
#   key: |
#     -----BEGIN PRIVATE KEY-----
#     ...
#     -----END PRIVATE KEY-----
#   secret: baz
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If using GitLab, specify like the following:
# gitlab:
#   user: foo
#   token: bar
#   secret: baz
# GitLab Enterprise only:
#   hostname: gitlab.your.org
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If using Bitbucket, there are two approachs, Bitbucket Server, deployed in your own infrastructure and Cloud available at (https://Bitbucket.org)

# Bitbucket Server, specify like the following:
# bitbucket:
#   user: foo
#   token: bar
#   secret: baz
#   baseURL: https://bitbucket.yourorganization.com

# Bitbucket Cloud, specify like the following:
# bitbucket:
#   user: # The recommended here is genarate a service user on your cloud environment, but yes, you can live on the edge using your own user :)
#   token: # Create an APP PASSWORD to the user
# Base URL are not needed here, but keep in mind to provide an IP Whitelist as the Atlantis documentation
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If using Azure DevOps, specify like the following:
# azuredevops:
#   user: foo
#   token: bar
#   webhookUser: foo
#   webhookPassword: baz
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If managing secrets outside the chart for the webhook, use this variable to reference the secret name
# vcsSecretName: 'mysecret'

# When referencing Terraform modules in private repositories, it may be helpful
# (necessary?) to use redirection in a .gitconfig like so:
# gitconfig: |
  # [url "https://YOUR_GH_TOKEN@github.com"]
  #   insteadOf = https://github.com
  # [url "https://YOUR_GH_TOKEN@github.com"]
  #   insteadOf = ssh://git@github.com
  # [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"]
  #   insteadOf = https://gitlab.com
  # [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"]
  #   insteadOf = ssh://git@gitlab.com
# Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token

# If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name
 # gitconfigSecretName: 'mygitconfigsecret'

# When referencing Terraform modules in private repositories or registries (such as Artfactory)
# configuing a .netrc file for authentication may be required:
# netrc: |
  # machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD
  # machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD

# If managing secrets outside the chart for the netrc file, use this variable to reference the secret name
# netrcSecretName: 'mynetrcsecret'

# To specify AWS credentials to be mapped to ~/.aws or to aws.directory:
aws: {}
#   credentials: |
#     [default]
#     aws_access_key_id=YOUR_ACCESS_KEY_ID
#     aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
#     region=us-east-1
#   config: |
#     [profile a_role_to_assume]
#     role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume
#     source_profile = default
#   directory: "/home/atlantis/.aws"
# To reference an already existing Secret object with AWS credentials
# awsSecretName: 'mysecretwithawscreds'

## To keep backwards compatibility
## Deprecated (see googleServiceAccountSecrets)
## To be used for mounting credential files (when using google provider).
## serviceAccountSecrets:
    # credentials: <json file as base64 encoded string>
    # credentials-staging: <json file as base64 encoded string>


## -------------------------- ##
# Default values for atlantis (override as needed).
## -------------------------- ##

image:
  repository: ghcr.io/runatlantis/atlantis
  # if not set appVersion field from Chart.yaml is used
  tag: ""
  pullPolicy: Always

## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# imagePullSecrets:
# - myRegistryKeySecretName

## Override atlantis main configuration by config map,
## ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis
# config: |
#  ---
#  webhooks:
#    - event: apply
#      workspace-regex: .*
#      branch-regex: .*
#      kind: slack
#      channel: my-channel

## Use Server Side Repo Config,
## ref: https://www.runatlantis.io/docs/server-side-repo-config.html
## Example default configuration
# repoConfig: |
#  ---
#  repos:
#  - id: /.*/
#    apply_requirements: []
#    workflow: default
#    allowed_overrides: []
#    allow_custom_workflows: false
#  workflows:
#    default:
#      plan:
#        steps: [init, plan]
#      apply:
#        steps: [apply]
#  # metrics:
#  #   prometheus:
#  #     endpoint: /metrics

# allowForkPRs enables atlantis to run on a fork Pull Requests
allowForkPRs: false

# allowDraftPRs enables atlantis to run on a draft Pull Requests
allowDraftPRs: false

# hidePrevPlanComments enables atlantis to hide previous plan comments
hidePrevPlanComments: false

# hideUnchangedPlanComments enables atlantis to hide no-changes plan comments from the pull request
hideUnchangedPlanComments: false

## defaultTFVersion set the default terraform version to be used in atlantis server
# defaultTFVersion: 0.12.0

# disableApply disables running `atlantis apply` regardless of which flags are sent with it
disableApply: false

# disableApplyAll disables running `atlantis apply` without any flags
disableApplyAll: false

# disableRepoLocking stops atlantis locking projects and or workspaces when running terraform
disableRepoLocking: false

# Use Diff Markdown Format for color coding diffs
enableDiffMarkdownFormat: false

# Optionally specify an username and a password for basic authentication
# basicAuth:
#   username: "atlantis"
#   password: "atlantis"

# If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name
# basicAuthSecretName: "basicauthsecret"

# Optionally specify an API secret to enable the API
# api:
#   secret: "s3cr3t"

# If managing secrets outside the chart for the API secret, use this variable to reference the secret name
# apiSecretName: "myapisecret"

# Override the command field of the Atlantis container
# command: []

# Common Labels for all resources created by this chart.
commonLabels: {}

# We only need to check every 60s since Atlantis is not a high-throughput service.
livenessProbe:
  enabled: true
  periodSeconds: 60
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP
readinessProbe:
  enabled: true
  periodSeconds: 60
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP

service:
  type: NodePort
  annotations: {}
  port: 80
  nodePort: null
  targetPort: 4141
  loadBalancerIP: null
  loadBalancerSourceRanges: []

podTemplate:
  annotations: {}
    # kube2iam example:
    # iam.amazonaws.com/role: role-arn
  labels: {}

# It is not recommended to run atlantis as root
statefulSet:
  annotations: {}
  labels: {}
  securityContext:
    fsGroup: 1000
    runAsUser: 100
    fsGroupChangePolicy: "OnRootMismatch"
  priorityClassName: ""
  updateStrategy: {}
  # option to share process namespace with atlantis container
  shareProcessNamespace: false

## Optionally customize the terminationGracePeriodSeconds
# terminationGracePeriodSeconds: 60

ingress:
  enabled: true
  ingressClassName:
  apiVersion: ""
  labels: {}
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /*  # / for nginx
##  this is in case we want several paths under the same host, with different backend services
#  paths:
#    - path: "/path1"
#      service: test1
#      port:
#    - path: "/path2"
#      service: test2
#      port:
  pathType: ImplementationSpecific
  host:

## in case we need several hosts:
  hosts:
  #   - host: chart-example.local
  #     paths: ["/"]
  #     service: chart-example1
  #   - host: chart-example.local2
  #     service: chart-example1
  #     paths: ["/lala"]
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local


webhook_ingress:
  enabled: false  # true to create secondary webhook.
  ingressClassName:
  apiVersion: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /*  # / for nginx
## this is in case we want several paths under the same host, with different backend services
#  paths:
#    - path: "/path1"
#      service: test1
#      port:
#    - path: "/path2"
#      service: test2
#      port:
  pathType: ImplementationSpecific
  host:

## in case we need several hosts:
  hosts:
  #   - host: chart-example.local
  #     paths: ["/"]
  #     service: chart-example1
  #   - host: chart-example.local2
  #     service: chart-example1
  #     paths: ["/lala"]
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
  labels: {}

## Allow to override the /etc/ssl/certs/ca-certificates.cer with your custom one
# You have to create a secret `my-ca-certificates`
# customPem: my-ca-certificates

resources: {}
  # requests:
  #   memory: 1Gi
  #   cpu: 100m
  # limits:
  #   memory: 1Gi
  #   cpu: 100m

## Path to the data directory for the volumeMount
atlantisDataDirectory: /atlantis-data

## Embedded data volume & volumeMount (default working)
volumeClaim:
  enabled: true
  ## Disk space for to check out repositories
  dataStorage: 5Gi
  ## Storage class name (if possible, use a resizable one)
  # storageClassName: value

## To keep backwards compatibility
## DEPRECATED - Disk space for Atlantis to check out repositories
# dataStorage: 5Gi
## DEPRECATED - Storage class name for Atlantis disk
# storageClassName: value

replicaCount: 1

## test container details
test:
  enabled: true
  image: bats/bats
  imageTag: 1.9.0
  annotations: {}

nodeSelector: {}

tolerations: []

affinity: {}

# topologySpreadConstraints -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19).
topologySpreadConstraints: []
#  - labelSelector:
#      matchLabels:
#        app.kubernetes.io/name: aws-example-cluster
#    maxSkew: 1
#    topologyKey: topology.kubernetes.io/zone
#    whenUnsatisfiable: DoNotSchedule

serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # Set the `automountServiceAccountToken` field on the pod template spec
  # If false, no kubernetes service account token will be mounted to the pod
  mount: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  name: null
  # Annotations for the Service Account
  # Example:
  #
  # annotations:
  #   annotation1: value
  #   annotation2: value
  annotations: {}
  # IRSA example:
  # eks.amazonaws.com/role-arn: role-arn

# Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend
enableKubernetesBackend: false

# tlsSecretName: tls

environment: {}
# environment:
#   ATLANTIS_DEFAULT_TF_VERSION: v1.2.9

# Optionally specify additional environment variables to be populated from Kubernetes secrets.
# Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets.
environmentSecrets: []
# environmentSecrets:
#   - name: THE_ENV_VAR
#     secretKeyRef:
#       name: the_k8s_secret_name
#       key: the_key_of_the_value_in_the_secret

# Optionally specify additional environment variables in raw yaml format
# Useful to specify variables refering to k8s objects
# environmentRaw:
#   - name: POD_IP
#     valueFrom:
#       fieldRef:
#         fieldPath: status.podIP
environmentRaw: []

# Optionally specify additional Kubernetes secrets to load environment variables from.
# All key-value pairs within these secrets will be set as environment variables.
# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
# For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used.
loadEnvFromSecrets: []
# loadEnvFromSecrets:
#   - secret_one
#   - secret_two

# Optionally specify additional Kubernetes ConfigMaps to load environment variables from.
# All key-value pairs within these ConfigMaps will be set as environment variables.
# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
# For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used.
loadEnvFromConfigMaps: []
# loadEnvFromConfigMaps:
#   - config_one
#   - config_two

# Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}".
googleServiceAccountSecrets: []
# googleServiceAccountSecrets:
#   - name: some-secret-name
#     secretName: the_k8s_secret_name

# Optionally specify additional volumes for the pod.
extraVolumes: []
# extraVolumes:
#   - name: some-volume-name
#     emptyDir: {}

# Optionally specify additional volume mounts for the container.
extraVolumeMounts: []
# extraVolumeMounts:
#   - name: some-volume-name
#     mountPath: /path/in/container

extraManifests: []
# extraManifests:
#  - apiVersion: cloud.google.com/v1beta1
#    kind: BackendConfig
#    metadata:
#      name: "{{ .Release.Name }}-test"
#    spec:
#      securityPolicy:
#        name: "gcp-cloud-armor-policy-test"

initContainers: []
# initContainers:
# - name: example
#   image: alpine:latest
#   command: ['sh', '-c', 'echo The init container is running! && sleep 10']

# Install providers/plugins into a path shared with the Atlantis pod
initConfig:
  enabled: false
  image: alpine:latest
  imagePullPolicy: IfNotPresent
  # sharedDir is set as env var INIT_SHARED_DIR
  sharedDir: /plugins
  workDir: /tmp
  sizeLimit: 100Mi
  # example of how the script can be configured to install tools/providers required by the atlantis pod
  script: |
    #!/bin/sh
    set -eoux pipefail

    # example for terragrunt
    TG_VERSION="v0.47.0"
    TG_SHA256_SUM="98d45f6bfbfae84b51364c1ad6920f09ecb4d834908b0535e4e331a9fc6fc75b"
    TG_FILE="${INIT_SHARED_DIR}/terragrunt"
    wget https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
    echo "${TG_SHA256_SUM}  ${TG_FILE}" | sha256sum -c
    chmod 755 "${TG_FILE}"
    terragrunt -v

    # example for terragrunt-atlantis-config
    TAC_VERSION="1.16.0" # without v
    TAC_SHA256_SUM="fc3b069cf4ae51e9b7a7d01f09862d1974b260fffb3ec857d661d7b1756fe26f"
    TAC_FILE="${INIT_SHARED_DIR}/terragrunt-atlantis-config"
    wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TAC_VERSION}/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz"
    echo "${TAC_SHA256_SUM}  terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" | sha256sum -c
    tar xf "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz"
    cp -fv "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" "${TAC_FILE}"
    chmod 755 "${TG_FILE}"
    terragrunt-atlantis-config version


# hostAliases:
#   - hostnames:
#     - aaa.com
#     - test.ccc.com
#     ip: 10.0.0.0
#   - hostnames:
#     - bbb.com
#     ip: 10.0.0.2

hostNetwork: false

extraArgs: []
# extraArgs:
# - --disable-autoplan
# - --disable-repo-locking

extraContainers: []
# extraContainers:
#  - name: <container name>
#    args:
#      - ...
#    image: <docker images>
#    imagePullPolicy: IfNotPresent
#    resources:
#      limits:
#        memory: 128Mi
#      requests:
#        cpu: 100m
#        memory: 128Mi
#    volumeMounts:
#      - ...

containerSecurityContext: {}
# containerSecurityContext:
#   allowPrivilegeEscalation: false
#   readOnlyRootFilesystem: true

servicemonitor:
  # to enable a Prometheus servicemonitor, set enabled to true,
  #   and enable the metrics in this file's repoConfig
  #   by setting a value for metrics.prometheus.endpoint
  enabled: false
  interval: "30s"
  path: /metrics
  auth:
    # if auth is enabled on Atlantis, use one of the following mechanism
    basicAuth:
      # authentication from the secret generated with the basicAuth values
      #   this will reference the username and password keys
      #   from the atlantis-basic-auth secret
      enabled: false
    externalSecret:
      # authentication based on an external secret
      enabled: false
      # name: atlantis-env
      # keys:
      #   username: USERNAME
      #   password: ATLANTIS_WEB_PASSWORD

# Enable this if you're using Google Managed Prometheus
podMonitor:
  enabled: false
  interval: "30s"

# Set the desired Locking DB type
# lockingDbType: <boltdb|redis>

# Configure Redis Locking DB
# lockingDbType value must be redis for the config to take effect
redis: {}
#  host: redis.host.name
#  password: myRedisPassword
#  port: 6379
#  db: 0
#  tlsEnabled: false
#  insecureSkipVerify: false

# If managing secrets outside the chart for the Redis secret, use this variable to reference the secret name
# redisSecretName: "myRedisSecret"

# Set lifecycle hooks https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}