# atlantis-community
s
What do I do about this section then? Do I comment this out?
```yaml
github:
  user: my-user
  token: ghp_123123123123
  secret: 1234567890987654321234567890987654321
```
I already have everything working... I just need to do something with my secrets so they aren't committed to our repo
b
I use environment_raw to pass that in
and all that is commented out
environmentRaw:
the user however is
"fake"
if it’s an app
but basically any non-privileged info goes into environmentRaw
s
So what is this for? To me that sounds like what I need, since I already have my secrets set up in AWS and the role that's assumed by Atlantis has permissions to access them.
```yaml
# To reference an already existing Secret object with AWS credentials
# awsSecretName: 'mysecretwithawscreds'
```
b
it's so you don't check in secrets
instead of reading the secrets in the config you point the chart at a secret object you create separately
the operator just abstracts the need for your service role to access anything or do a get on secrets manager
and the reason you don’t have what you need is because in order for the atlantis pod to start you need a “valid” set of configs. So unless you ship them in with a sidecar or something you have to provide the config at runtime to the service
s
What's wrong with just having EKS look at the secret in Secrets Manager? It's using a role that has the access it needs... same account, same region. I'm just not following why the 10K ways of doing this
b
because the pod - the container doesn’t have the mechanism to satisfy that at startup
if the rule is that a container should only do 1 thing and you satisfy the rest of the conditions why would you have the first thing it does not be launch the process it’s running?
and instead fetch a secret to then init the pid of atlantis?
then your problem is that your process is no longer at the root of your container
and what I’m telling you is that in the example I gave you EKS is looking into secrets manager with a tool specifically built to do so
the external-secrets operator is a k8s operator that just takes external-secrets yaml objects and generates secrets for you to use
s
ok... starting to make more sense
so this…
ghe_webhook_secret
(whatever you call that) I notice one of the ones in your example is
ghe_app_key
Is that just something you made up a name for or is that like from some official list of whatever those are called? I need to make one for the UI password also. Can I use that app_key or is there something more specific to use for the UI password?
```yaml
# Optionally specify a username and a password for basic authentication
#basicAuth:
#  username: ""
#  password: ""
```
b
we use an app
but you could use the user/pass shit if you need
full list of valid things