1## -------------------------- ##
2# Values to override for your instance.
3## -------------------------- ##
5# -- Provide a name to substitute for the full names of resources.
7# -- Provide a name to substitute for the name of the chart.
9# -- An option to override the atlantis url,
10# if not using an ingress, set it to the external IP.
11# Check values.yaml for examples.
13# Example: http://10.0.0.0
15# -- Replace this with your own repo allowlist.
16orgAllowlist: "<replace-me>"
17# -- Deprecated in favor of orgAllowlist.
18orgWhitelist: "<deprecated>"
19# -- Specify the log level for Atlantis.
20# Accepts: debug, info, warn, or error.
22# -- If using GitHub, please enter your values as follows.
23# The chart will perform the base64 encoding for values that are stored in secrets.
24# The 'hostname' key is exclusive to GitHub Enterprise installations.
25# The 'org' key is used to restrict which GitHub org Atlantis will respond to.
26# Check values.yaml for examples.
32# hostname: github.your.org
35# -- If using a GitHub App, please enter your values as follows.
36# The chart will perform the base64 encoding for you for values that are stored in secrets.
37# installationId is necessary when there are multiple installs of the Github App.
38# Check values.yaml for examples.
45# -----BEGIN PRIVATE KEY-----
47# -----END PRIVATE KEY-----
50# -- If using Gitea, please enter your values as follows.
51# The 'baseUrl' key is exclusive to self-hosted Gitea installations.
52# The chart will perform the base64 encoding for you for values that are stored in secrets.
53# Check values.yaml for examples.
59# baseUrl: gitea.your.org
61# -- If using GitLab, please enter your values as follows.
62# The 'hostname' key is exclusive to GitLab Enterprise installations.
63# The chart will perform the base64 encoding for you for values that are stored in secrets.
64# Check values.yaml for examples.
70# hostname: gitlab.your.org
72# -- If using Bitbucket, there are two approaches:
73# Bitbucket Server, deployed in your own infrastructure
74# and Cloud available at (https://Bitbucket.org).
75# The chart will perform the base64 encoding for you for values that are stored in secrets.
76# Check values.yaml for examples.
83# baseURL: https://bitbucket.yourorganization.com
86# The recommendation is to genarate a service user on your cloud environment, but you can live on the edge using your own user :).
87# Create an APP PASSWORD to the user for the token value.
88# Base URL are not needed here, but keep in mind to provide an IP Whitelist as the Atlantis documentation.
89# For API token authentication (recommended over app passwords), specify apiUser which may differ from the user field.
93# apiUser: foo@example.com # Optional: specify if using API tokens and the API user differs from user
95# -- If using Azure DevOps, please enter your values as follows.
96# The chart will perform the base64 encoding for you for values that are stored in secrets.
97# Check values.yaml for examples.
103# webhookPassword: baz
105# -- If managing secrets outside the chart for the webhook, use this variable to reference the secret name
107# -- When referencing Terraform modules in private repositories, it may be helpful
108# (necessary?) to use redirection in a .gitconfig.
109# Check values.yaml for examples.
112# [url "https://YOUR_GH_TOKEN@github.com"]
113# insteadOf = https://github.com
114# [url "https://YOUR_GH_TOKEN@github.com"]
115# insteadOf = ssh://git@github.com
116# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"]
117# insteadOf = https://gitlab.com
118# [url "https://oauth2:YOUR_GITLAB_TOKEN@gitlab.com"]
119# insteadOf = ssh://git@gitlab.com
120# Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token
122# -- When true gitconfig file is mounted as read only.
123# When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process,
124# instead of being mounted as a file.
125gitconfigReadOnly: true
126# -- If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name
127gitconfigSecretName: ""
128# -- When referencing Terraform modules in private repositories or registries (such as Artfactory)
129# configuing a .netrc file for authentication may be required.
130# Check values.yaml for examples.
133# machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD
134# machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD
136# -- If managing secrets outside the chart for the netrc file, use this variable to reference the secret name
138# -- To specify AWS credentials to be mapped to ~/.aws or to aws.directory.
139# Check values.yaml for examples.
144# aws_access_key_id=YOUR_ACCESS_KEY_ID
145# aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
148# [profile a_role_to_assume]
149# role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume
150# source_profile = default
151# directory: "/home/atlantis/.aws"
153# -- To reference an already existing Secret object with AWS credentials
155# -- To keep backwards compatibility only.
156# Deprecated (see googleServiceAccountSecrets).
157# To be used for mounting credential files (when using google provider).
158# Check values.yaml for examples.
159serviceAccountSecrets: {}
160# serviceAccountSecrets:
161# credentials: <json file as base64 encoded string>
162# credentials-staging: <json file as base64 encoded string>
164## -------------------------- ##
165# Default values for atlantis (override as needed).
166## -------------------------- ##
168# -- (int) [optional] Define the port you would like atlantis to run on. When 0, the value of service.targetPort is used.
171 repository: cgr.dev/scratch-images/test-tmp/atlantis
172 # -- If not set appVersion field from Chart.yaml is used
173 tag: 0.46.0-r1@sha256:d3d60966b87d6f5cddfb9d9d94c1e9cd269bd5dafdc7efa91fe7eea57ee34df1
175# -- Optionally specify an array of imagePullSecrets.
176# Secrets must be manually created in the namespace.
177# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/.
178# Check values.yaml for examples.
181# - myRegistryKeySecretName
183# -- Override atlantis main configuration by config map,
184# ref: https://www.runatlantis.io/docs/using-slack-hooks.html#configuring-atlantis.
185# Check values.yaml for examples.
196# -- Use Server Side Repo Config,
197# ref: https://www.runatlantis.io/docs/server-side-repo-config.html.
198# Check values.yaml for examples.
200# Example with default configuration:
205# apply_requirements: []
207# allowed_overrides: []
208# allow_custom_workflows: false
219# -- Enables atlantis to run on a fork Pull Requests.
221# -- Enables atlantis to run on a draft Pull Requests.
223# -- Enables atlantis to hide previous plan comments.
224hidePrevPlanComments: false
225# -- Enables atlantis to hide no-changes plan comments from the pull request.
226hideUnchangedPlanComments: false
227# -- Sets the default terraform distribution to use. Can be set to terraform or opentofu.
228defaultTFDistribution: terraform
229# -- Sets the default terraform version to be used in atlantis server.
230# Check values.yaml for examples.
234# -- Disables running `atlantis apply` regardless of which flags are sent with it.
236# -- Disables running `atlantis apply` without any flags.
237disableApplyAll: false
238# -- Stops atlantis locking projects and or workspaces when running terraform.
239disableRepoLocking: false
240# -- Use Diff Markdown Format for color coding diffs.
241enableDiffMarkdownFormat: false
242# -- Optionally specify an username and a password for basic authentication.
246# -- If managing secrets outside the chart for the Basic Auth secret, use this variable to reference the secret name.
247basicAuthSecretName: ""
248# -- Optionally specify an API secret to enable the API.
249# Check values.yaml for examples.
254# -- If managing secrets outside the chart for the API secret, use this variable to reference the secret name. The key containing the secret must be called 'apisecret'.
256# -- Override the command field of the Atlantis container.
258# -- Common Labels for all resources created by this chart.
262 # -- We only need to check every 60s since Atlantis is not a high-throughput service.
264 initialDelaySeconds: 5
272 initialDelaySeconds: 5
283 # -- (int) [optional] Define the port you would like atlantis to run on. Defaults to 4141.
285 # -- (list) [optional] Additional ports to expose on the service, e.g. for an auth proxy sidecar. Each entry is a standard Service port object.
288 loadBalancerSourceRanges: []
289 externalTrafficPolicy: null
290 # -- (string) [optional] Internal traffic policy for the Service. One of: Cluster, Local.
291 internalTrafficPolicy: null
292 # -- (string) [optional] Kubernetes Service sessionAffinity setting. One of: ClientIP, None.
293 sessionAffinity: null
294 # -- (object) [optional] Kubernetes Service sessionAffinityConfig. Only applicable when sessionAffinity=ClientIP.
295 sessionAffinityConfig: null
297 # -- Check values.yaml for examples.
300 # iam.amazonaws.com/role: role-arn # kube2iam example.
307 # -- It is not recommended to run atlantis as root.
309 fsGroupChangePolicy: "OnRootMismatch"
310 priorityClassName: ""
312 # -- Option to share process namespace with atlantis container.
313 shareProcessNamespace: false
318 # -- Check values.yaml for examples.
321 # kubernetes.io/ingress.class: nginx
322 # kubernetes.io/tls-acme: "true"
323 # -- Use / for nginx.
325 # -- Used when several paths under the same host, with different backend services, are required.
326 # Check values.yaml for examples.
334 pathType: ImplementationSpecific
336 # -- Used when several hosts are required.
337 # Check values.yaml for examples.
339 # - host: chart-example.local
341 # service: chart-example1
342 # - host: chart-example.local2
343 # service: chart-example1
345 # -- Check values.yaml for examples.
347 # - secretName: chart-example-tls
349 # - chart-example.local
351 # -- When true creates a secondary webhook.
354 # -- Check values.yaml for examples.
357 # kubernetes.io/ingress.class: nginx
358 # kubernetes.io/tls-acme: "true"
359 # -- Use / for nginx.
361 # -- Used when several paths under the same host, with different backend services, are required.
362 # Check values.yaml for examples.
370 pathType: ImplementationSpecific
372 # -- Used when several hosts are required.
373 # Check values.yaml for examples.
375 # - host: chart-example.local
377 # service: chart-example1
378 # - host: chart-example.local2
379 # service: chart-example1
381 # -- TLS configuration.
382 # Check values.yaml for examples.
384 # - secretName: chart-example-tls
386 # - chart-example.local
390 # -- Enables or disables the route
392 # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
393 apiVersion: gateway.networking.k8s.io/v1
394 # -- Set the route kind
399 # - atlantis.example.com
407 ## Filters define the filters that are applied to requests that match this rule.
409 ## Additional custom rules that can be added to the route
411 ## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
413# -- Allows to override the /etc/ssl/certs/ca-certificates.cer with your custom one.
414# You have to create a secret with the specified name.
416# -- Resources for Atlantis.
417# Check values.yaml for examples.
427# -- Path to the data directory for the volumeMount.
428atlantisDataDirectory: /atlantis-data
431 # -- Disk space available to check out repositories.
433 # -- Storage class name (if possible, use a resizable one).
435 # -- Volume attributes class name.
436 volumeAttributesClassName: ""
437 accessModes: ["ReadWriteOnce"]
438# -- DEPRECATED - Disk space available to check out repositories.
441# -- DEPRECATED - Storage class name for Atlantis disk.
443# -- Replica count for Atlantis pods.
446 # -- Enables test container.
454# -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions,
455# zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19).
456# Check values.yaml for examples.
457topologySpreadConstraints: []
460# app.kubernetes.io/name: aws-example-cluster
462# topologyKey: topology.kubernetes.io/zone
463# whenUnsatisfiable: DoNotSchedule
466 # -- Specifies whether a ServiceAccount should be created.
468 # -- Set the `automountServiceAccountToken` field on the pod template spec.
469 # -- If false, no kubernetes service account token will be mounted to the pod.
471 # -- The name of the ServiceAccount to use.
472 # If not set and create is true, a name is generated using the fullname template.
474 # -- Annotations for the Service Account.
475 # Check values.yaml for examples.
482 # eks.amazonaws.com/role-arn: role-arn
483# -- Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend.
484enableKubernetesBackend: false
485# -- TLS Secret Name for Atlantis pod.
487# -- Additional path (`:` separated) that will be appended to the system `PATH` environment variable.
489# -- Environment values to add to the Atlantis pod.
490# Check values.yaml for examples.
493# ATLANTIS_DEFAULT_TF_VERSION: v1.2.9
495# -- Optionally specify additional environment variables to be populated from Kubernetes secrets.
496# Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets.
497# Check values.yaml for examples.
498environmentSecrets: []
502# name: the_k8s_secret_name
503# key: the_key_of_the_value_in_the_secret
505# -- Optionally specify additional environment variables in raw yaml format.
506# Useful to specify variables refering to k8s objects.
507# Check values.yaml for examples.
513# fieldPath: status.podIP
515# -- Optionally specify additional Kubernetes secrets to load environment variables from.
516# All key-value pairs within these secrets will be set as environment variables.
517# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
518# For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used.
519# Check values.yaml for examples.
520loadEnvFromSecrets: []
525# -- Optionally specify additional Kubernetes ConfigMaps to load environment variables from.
526# All key-value pairs within these ConfigMaps will be set as environment variables.
527# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
528# For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used.
529# Check values.yaml for examples.
530loadEnvFromConfigMaps: []
531# loadEnvFromConfigMaps:
535# -- Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}".
536# Check values.yaml for examples.
537googleServiceAccountSecrets: []
538# googleServiceAccountSecrets:
539# - name: some-secret-name
540# secretName: the_k8s_secret_name
542# -- Optionally specify additional volumes for the pod.
543# Check values.yaml for examples.
546# - name: some-volume-name
549# -- Optionally specify additional volume mounts for the container.
550# Check values.yaml for examples.
553# - name: some-volume-name
554# mountPath: /path/in/container
556# -- Optionally specify additional manifests to be created.
557# Check values.yaml for examples.
560# - apiVersion: cloud.google.com/v1beta1
563# name: "{{ .Release.Name }}-test"
566# name: "gcp-cloud-armor-policy-test"
568# -- Optionally specify init containers manifests to be added to the Atlantis pod.
569# Check values.yaml for examples.
573# image: alpine:latest
574# command: ['sh', '-c', 'echo The init container is running! && sleep 10']
577 # -- Install providers/plugins into a path shared with the Atlantis pod.
579 image: cgr.dev/scratch-images/test-tmp/busybox:latest@sha256:272cf135b92c85c19481205b6c352084522360ec305842d9c83b1bc5183e3b33
580 imagePullPolicy: IfNotPresent
581 # -- SharedDir is set as env var INIT_SHARED_DIR.
583 sharedDirReadOnly: true
585 # -- Size for the shared volume.
587 # -- Security context for the container.
588 containerSecurityContext: {}
589 # -- Script to run on the init container.
590 # @default -- Check values.yaml.
595 # example for terragrunt
597 TG_SHA256_SUM="4e5ae67854a774be6419f7215733990b481662375dc0bd5f2eda05211a692cf0"
598 TG_FILE="${INIT_SHARED_DIR}/terragrunt"
599 wget https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
600 echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c
601 chmod 755 "${TG_FILE}"
604 # example for terragrunt-atlantis-config
605 TAC_VERSION="1.18.0" # without v
606 TAC_SHA256_SUM="59178dcd3e426abf4b5d8fcb1ac8dbdea548a04aa64eaf39be200484a5e6f2ca"
607 TAC_FILE="${INIT_SHARED_DIR}/terragrunt-atlantis-config"
608 wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TAC_VERSION}/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64"
609 echo "${TAC_SHA256_SUM} terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" | sha256sum -c
610 cp -fv "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" "${TAC_FILE}"
611 chmod 755 "${TAC_FILE}"
612 terragrunt-atlantis-config version
613# -- Optionally specify hostAliases for the Atlantis pod.
614# Check values.yaml for examples.
625# -- Optionally specify dnsPolicy parameter to specify a DNS policy for a pod
626# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
627dnsPolicy: "ClusterFirst"
628# -- Optionally specify dnsConfig for the Atlantis pod.
629# Check values.yaml for examples.
642 # -- Annotations for the Secrets.
643 # Check values.yaml for examples.
648# -- These annotations will be added to all the resources.
649# Check values.yaml for examples.
654# -- Optionally specify extra arguments for the Atlantis pod.
655# Check values.yaml for examples.
658# - --disable-autoplan
659# - --disable-repo-locking
661# -- Optionally specify extra containers for the Atlantis pod.
662# Check values.yaml for examples.
665# - name: <container name>
668# image: <docker images>
669# imagePullPolicy: IfNotPresent
679# -- Check values.yaml for examples.
680containerSecurityContext: {}
681# containerSecurityContext:
682# allowPrivilegeEscalation: false
683# readOnlyRootFilesystem: true
686 # -- To enable a Prometheus servicemonitor, set enabled to true,
687 # and enable the metrics in this file's repoConfig
688 # by setting a value for metrics.prometheus.endpoint.
692 # -- Prometheus ServiceMonitor labels.
695 # -- If auth is enabled on Atlantis, use one of the following mechanism.
697 # -- Authentication from the secret generated with the basicAuth values
698 # this will reference the username and password keys
699 # from the atlantis-basic-auth secret.
702 # -- Authentication based on an external secret
705 # -- Check values.yaml for examples.
709 # password: ATLANTIS_WEB_PASSWORD
710 # -- Optional metric relabelings to drop or modify metrics.
711 metricRelabelings: []
714 # regex: "atlantis_project_apply_execution_.*"
715 # sourceLabels: [__name__]
716# -- Enable this if you're using Google Managed Prometheus.
721# -- Set the desired Locking DB type
722# Accepts boltdb or redis.
724# -- Configure Redis Locking DB.
725# lockingDbType value must be redis for the config to take effect.
726# Check values.yaml for examples.
729# host: redis.host.name
730# password: myRedisPassword
734# insecureSkipVerify: false
736# -- When managing secrets outside the chart for the Redis secret, use this variable to reference the secret name.
738# -- Key within the existing Redis secret that contains the password value.
739redisSecretPasswordKey: password
740# -- (int) Optionally customize the termination grace period in seconds.
741# @default -- default depends on the kubernetes version.
742terminationGracePeriodSeconds:
743# terminationGracePeriodSeconds: 300
745# -- Set lifecycle hooks.
746# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/.
754# - while pgrep -x "terraform|tofu|terragrunt" > /dev/null; do sleep 1; done