momo's Blog.

Using Atlantis

2023/02/21

Preface

Manage Terraform through Git.

Installation

Create a GitLab Token

Role: maintainer

Scope: api

Create a Webhook Token

Generate any random string of characters.

Install

Complete YAML

  • deployment.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: atlantis
      labels:
        app: atlantis
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: atlantis
      template:
        metadata:
          annotations:
            checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
          labels:
            app: atlantis
        spec:
          containers:
          - name: atlantis
            image: ghcr.io/runatlantis/atlantis:{{.Values.version}} # 1. Replace <VERSION> with the most recent release.
            env:
            - name: ATLANTIS_REPO_ALLOWLIST
              value: {{ .Values.ATLANTIS_REPO_ALLOWLIST }} # 2. Replace this with your own repo allowlist.
            - name: ATLANTIS_GITLAB_USER
              value: git
            - name: ATLANTIS_GITLAB_HOSTNAME
              value: {{ .Values.ATLANTIS_GITLAB_HOSTNAME }}
            - name: TF_HTTP_USERNAME
              value: {{ .Values.TF_HTTP_USERNAME }}
            - name: TF_HTTP_PASSWORD
              value: {{ .Values.TF_HTTP_PASSWORD }}
            - name: ALICLOUD_ACCESS_KEY
              value: {{ .Values.ALICLOUD_ACCESS_KEY }}
            - name: ALICLOUD_SECRET_KEY
              value: {{ .Values.ALICLOUD_SECRET_KEY }}
            - name: ATLANTIS_AUTOMERGE
              value: "true"
            - name: ATLANTIS_REPO_CONFIG
              value: /work/config/repos.yaml
            - name: ATLANTIS_GITLAB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: atlantis-vcs
                  key: token
            - name: ATLANTIS_GITLAB_WEBHOOK_SECRET
              valueFrom:
                secretKeyRef:
                  name: atlantis-vcs
                  key: webhook-secret

            - name: ATLANTIS_PORT
              value: "4141" # Kubernetes sets an ATLANTIS_PORT variable so we need to override.
            ports:
            - name: atlantis
              containerPort: 4141
            volumeMounts:
            - mountPath: /work/config
              name: config
            resources:
              requests:
                memory: 256Mi
                cpu: 100m
              limits:
                memory: 256Mi
                cpu: 100m
            livenessProbe:
              # We only need to check every 60s since Atlantis is not a
              # high-throughput service.
              periodSeconds: 60
              httpGet:
                path: /healthz
                port: 4141
                # If using https, change this to HTTPS
                scheme: HTTP
            readinessProbe:
              periodSeconds: 60
              httpGet:
                path: /healthz
                port: 4141
                # If using https, change this to HTTPS
                scheme: HTTP
          volumes:
          - name: config
            projected:
              sources:
              - configMap:
                  name: repos.yml
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: atlantis
    spec:
      type: NodePort
      ports:
      - name: atlantis
        port: 80
        targetPort: 4141
        nodePort: 31001
      selector:
        app: atlantis
  • configmap.yaml

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: repos.yml
    data:
      # Property-like keys; each key maps to a simple value
      repos.yaml: |
        ---
        repos:
        - id: /.*/
          branch: /.*/
          apply_requirements: [approved, mergeable]
          import_requirements: [approved, mergeable]
          delete_source_branch_on_merge: true
  • token.yaml

    apiVersion: v1
    data:
      token: {{ .Values.gitToken | b64enc }}
      webhook-secret: {{ .Values.webhookToken | b64enc }}
    kind: Secret
    metadata:
      name: atlantis-vcs
    type: Opaque
  • values.yaml

    version: "v0.22.3"
    ATLANTIS_REPO_ALLOWLIST: xxxxxxxxx/*
    gitToken: "xxxxxxxxx"
    webhookToken: "xxxxxxxxx"
    ATLANTIS_GITLAB_HOSTNAME: "xxxxxxxxx"

    TF_HTTP_USERNAME: "xxxxxxxxx"
    TF_HTTP_PASSWORD: "xxxxxxxxx"
    ALICLOUD_ACCESS_KEY: "xxxxxxxxx"
    ALICLOUD_SECRET_KEY: "xxxxxxxxx"

Configure the Webhook

GitLab

API URL: http://$URL/events

  • Push events
  • Comments
  • Merge Request events

Provider Configuration

Provider configuration only requires mapping the environment variables into the container.
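
An added example, not part of the original post: the provider credentials can be mapped into the container from a Secret with secretKeyRef, the same way the deployment above already handles ATLANTIS_GITLAB_TOKEN, so they do not appear in the Deployment spec. The Secret name atlantis-provider and its key names are assumptions; the values.yaml keys are the ones used above.

```yaml
# Added example. The Secret name "atlantis-provider" and its key names
# are assumptions, not names from the original post.
# Secret template, rendered from the same values.yaml keys as before.
apiVersion: v1
kind: Secret
metadata:
  name: atlantis-provider
type: Opaque
data:
  tf-http-username: {{ .Values.TF_HTTP_USERNAME | b64enc }}
  tf-http-password: {{ .Values.TF_HTTP_PASSWORD | b64enc }}
  alicloud-access-key: {{ .Values.ALICLOUD_ACCESS_KEY | b64enc }}
  alicloud-secret-key: {{ .Values.ALICLOUD_SECRET_KEY | b64enc }}
---
# Fragment for deployment.yaml: these entries replace the four inline
# `value:` entries under spec.template.spec.containers[0].env.
env:
- name: TF_HTTP_USERNAME
  valueFrom:
    secretKeyRef:
      name: atlantis-provider
      key: tf-http-username
- name: TF_HTTP_PASSWORD
  valueFrom:
    secretKeyRef:
      name: atlantis-provider
      key: tf-http-password
- name: ALICLOUD_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: atlantis-provider
      key: alicloud-access-key
- name: ALICLOUD_SECRET_KEY
  valueFrom:
    secretKeyRef:
      name: atlantis-provider
      key: alicloud-secret-key
```

Environment variables backed by a Secret are read only when the container starts, so restart the Deployment after rotating a credential.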

Complete YAML
