#townhall (2018-10)

Town Hall Discussions

Archive: https://archive.sweetops.com/townhall/

2018-10-02

mallen
07:26:35 PM

@mallen has joined the channel

2018-10-03

Steven
11:52:08 AM

@Steven has joined the channel

tamsky

wanted to ask about how things were going with CP and Atlantis

Erik Osterman (Cloud Posse)

There are two hard blockers for using it:

Erik Osterman (Cloud Posse)

1) https://github.com/runatlantis/atlantis/issues/249 (no response) - to support multiple instances of atlantis in different accounts

Atlantis nodes in different accounts with one repository · Issue #249 · runatlantis/atlantis

We have a repository that contains our live terraform definitions for multiple accounts. We currently have 4 accounts and plan to have an Atlantis node in each account. We've tossed around the …

mrwacky

@Gabe - this one


Erik Osterman (Cloud Posse)

Adds support for specifying the atlantis.yaml filename on the server side by darrylb-github · Pull Request #310 · runatlantis/atlantis

This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging. Our use case is to have separate product…

Erik Osterman (Cloud Posse)

one left, and it’s ready for prime time: https://github.com/runatlantis/atlantis/issues/308

Restrict Plan or Apply to Github Teams or Github Users · Issue #308 · runatlantis/atlantis

what Allow operator to define a list of permitted users who can trigger atlantis commands why Currently, the only way to restrict access is by adding/revoking users from a repository altogether. We…

Erik Osterman (Cloud Posse)

2) no way to scope who can run plan or apply other than revoking access to repo

Erik Osterman (Cloud Posse)
07:02:49 PM

awesome name @tamsky

tamsky

for 2) you’d like to see github groups perform RBAC ?

Erik Osterman (Cloud Posse)

i would be satisfied with a hardcoded list of usernames in the server

Erik Osterman (Cloud Posse)

groups would be icing

tamsky

I’m really enjoying https://github.com/kislyuk/keymaker - and IAM groups <> UNIX groups

kislyuk/keymaker

Lightweight SSH key management on AWS EC2. Contribute to kislyuk/keymaker development by creating an account on GitHub.

tamsky

both of those blockers read to me as accurate and missing requirements. I could imagine bypassing 2) by having two Atlantis’s per stage, one RO other R+W.

Erik Osterman (Cloud Posse)

Perhaps, but how would you scope the access to the r/w and r/o pipelines?

tamsky

at the oauth proxy?

Erik Osterman (Cloud Posse)

oh, but all the interaction is via git comments

Erik Osterman (Cloud Posse)

so what we really need is the google/kubernetes repo bot commands like

Erik Osterman (Cloud Posse)

ok to test

tamsky

then I deserve a “whoops”

Erik Osterman (Cloud Posse)

so i think technically, not too hard to extend

Erik Osterman (Cloud Posse)

basically, validate git username is in some list

Erik Osterman (Cloud Posse)

otherwise comment back and say not authorized

Erik Osterman (Cloud Posse)

i’ve debated if we want to commit the resources to fix 1 & 2

Erik Osterman (Cloud Posse)

we may just end up using codefresh for v1

Erik Osterman (Cloud Posse)

prove the concept out

Erik Osterman (Cloud Posse)

for example, with Zapier, i can act on a comment and trigger a pipeline via webhook

Erik Osterman (Cloud Posse)

i go back and forth with atlantis b/c we still need to solve the same problem with kops and helm (not just terraform)

Erik Osterman (Cloud Posse)

so i want a strategy that works well for all 3

Erik Osterman (Cloud Posse)

@tamsky this was opened/closed today https://github.com/runatlantis/atlantis/pull/306/files

Support custom atlantis.yaml config filename on server side by darrylb-github · Pull Request #306 · runatlantis/atlantis

This allows repos to specify different atlantis configs that exist in the same repo, and supports running separate instances of atlantis for staging and production by pointing at different configs.

Erik Osterman (Cloud Posse)

Addresses (1)

ankur
02:52:08 AM

@ankur has joined the channel

2018-10-05

Gabe
09:09:03 PM

@Gabe has joined the channel

2018-10-10

Raghu
01:16:05 PM

@Raghu has joined the channel

2018-10-13

Gaurav
11:47:18 AM

@Gaurav has joined the channel