Deploy Atlantis (#7520)

* deploy atlantis

* add additional config

* enable authorization on atlantis urls

* allow anyone from sig-k8s-infra team to interact with atlantis

---------

Co-authored-by: upodroid <upodroid@users.noreply.github.com>

kubernetes/apps/atlantis.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: atlantis
+spec:
+  destination:
+    namespace: atlantis
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: kubernetes/gke-utility/atlantis
+    repoURL: https://github.com/kubernetes/k8s.io
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        istio-injection: enabled

kubernetes/apps/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   # - argocd.yaml This has been manually applied to fix sync issues
+  - atlantis.yaml
   - external-secrets.yaml
   - cert-manager.yaml
   - prow.yaml

kubernetes/gke-utility/atlantis/atlantis.yaml

@@ -0,0 +1,8 @@
+gh-user: k8s-infra-ci-robot
+gh-org: kubernetes
+repo-allowlist: github.com/kubernetes/k8s.io
+allow-fork-prs: true
+atlantis-url: https://atlantis.k8s.io
+gh-team-allowlist: "sig-k8s-infra:*"
+disable-global-apply-lock: true
+autodiscover-mode: auto

kubernetes/gke-utility/atlantis/extras.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: atlantis-vcs
+spec:
+  data:
+    - secretKey: webhook
+      remoteRef:
+        key: atlantis-webhook-k8s-io-repo
+    - secretKey: token
+      remoteRef:
+        key: k8s-infra-ci-robot-github-token
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: k8s-infra-prow

kubernetes/gke-utility/atlantis/httproute.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: atlantis
+spec:
+  parentRefs:
+  - name: istio-ingressgateway
+    namespace: istio-system
+    sectionName: https
+  hostnames:
+  - atlantis.k8s.io
+  rules:
+  - matches:
+    - path:
+        value: /
+    backendRefs:
+    - name: atlantis
+      port: 80

kubernetes/gke-utility/atlantis/kustomization.yaml

@@ -0,0 +1,49 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: atlantis
+
+resources:
+- github.com/runatlantis/atlantis//kustomize
+- extras.yaml
+- httproute.yaml
+
+images:
+ - name: ghcr.io/runatlantis/atlantis
+   newTag: v0.30.0
+
+configMapGenerator:
+- name: atlantis-config
+  files:
+    - atlantis.yaml
+
+patchesStrategicMerge:
+- |-
+  apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    name: atlantis
+  spec:
+    template:
+      spec:
+        containers:
+        - name: atlantis
+          env:
+            - name: ATLANTIS_CONFIG
+              value: /config/atlantis.yaml
+            - name: ATLANTIS_GH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: atlantis-vcs
+                  key: token
+            - name: ATLANTIS_GH_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: atlantis-vcs
+                  key: webhook
+          volumeMounts:
+          - name: config
+            mountPath: /config
+        volumes:
+        - name: config
+          configMap:
+            name: atlantis-config

kubernetes/gke-utility/istio-system/auth-policy.yaml

@@ -16,3 +16,9 @@ spec:
         hosts:
         - argo.k8s.io
         - monitoring.prow.k8s.io
+    # we want to force auth to atlantis.k8s.io/* except /events
+    - operation:
+        hosts:
+        - atlantis.k8s.io
+        notPaths:
+        - "/events"