
Ben Parafina (grimaldi)

04/27/2023, 5:17 PM
# environmentSecrets: each entry becomes an env var populated from a key
# of an already existing Kubernetes Secret (here "atlantis-github-config"),
# so no credential values live in the chart values file
environmentSecrets:
  - name: ATLANTIS_GH_APP_KEY
    secretKeyRef:
      name: atlantis-github-config
      key: ATLANTIS_GH_APP_KEY
  - name: ATLANTIS_GH_TOKEN
    secretKeyRef:
      name: atlantis-github-config
      key: ATLANTIS_GH_TOKEN
  - name: ATLANTIS_GH_WEBHOOK_SECRET
    secretKeyRef:
      name: atlantis-github-config
      key: ATLANTIS_GH_WEBHOOK_SECRET
from the Atlantis Helm chart

Seth Floyd

04/27/2023, 5:40 PM
What do I do about this section then? Do I comment this out?
# placeholder values, not real credentials
github:
  user: my-user
  token: ghp_123123123123
  secret: 1234567890987654321234567890987654321
I already have everything working... I just need to do something with my secrets so they aren't committed to our repo

Ben Parafina (grimaldi)

04/27/2023, 5:43 PM
I use environment_raw to pass that in
and all that is commented out
environmentRaw:
the user however is
"fake"
if it’s an app
but basically any non-privileged info goes into environmentRaw

Seth Floyd

04/27/2023, 5:56 PM
So what is this for? To me that sounds like what I need, since I already have my secrets set up in AWS and the role that's assumed by Atlantis has permissions to access them.
# To reference an already existing Secret object with AWS credentials
# awsSecretName: 'mysecretwithawscreds'

Ben Parafina (grimaldi)

04/27/2023, 5:59 PM
It's so you don't check in secrets.
Instead of reading the secrets in the config, you point the chart at a Secret object you create separately.
The operator just abstracts the need for your service role to access anything or do a get on Secrets Manager.
And the reason you don't have what you need is because in order for the Atlantis pod to start you need a "valid" set of configs. So unless you ship them in with a sidecar or something, you have to provide the config at runtime to the service.

Seth Floyd

04/27/2023, 6:03 PM
What's wrong with just having EKS look at the secret in Secrets Manager? It's using a role that has the access it needs... same account, same region. I'm just not following why the 10K ways of doing this.

Ben Parafina (grimaldi)

04/27/2023, 6:04 PM
Because the pod, the container, doesn't have the mechanism to satisfy that at startup.
If the rule is that a container should only do one thing, and you satisfy the rest of the conditions, why would you have the first thing it does not be launching the process it's running?
And instead fetch a secret to then init the PID of Atlantis?
Then your problem is that your process is no longer at the root of your container.
And what I'm telling you is that in the example I gave you, EKS is looking into Secrets Manager with a tool specifically built to do so.
The external-secrets operator is a k8s operator that just takes external-secrets YAML objects and generates Secrets for you to use.

Seth Floyd

04/27/2023, 6:05 PM
OK... starting to make more sense.
So this...
ghe_webhook_secret
(whatever you call that). I notice one of the ones in your example is
ghe_app_key
Is that just something you made up a name for, or is that from some official list of whatever those are called? I need to make one for the UI password also. Can I use that app_key, or is there something more specific to use for the UI password?
# Optionally specify an username and a password for basic authentication
#basicAuth:
#  username: ""
#  password: ""

Ben Parafina (grimaldi)

04/27/2023, 6:35 PM
We use an app,
but you could use the user/pass shit if you need.
full list of valid things