enable authorization on atlantis urls

kubernetes · Nov 24, 2024 · 9981c13 · 9981c13
1 parent 87483bd
commit 9981c13
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 25 deletions.
diff --git a/kubernetes/apps/atlantis.yaml b/kubernetes/apps/atlantis.yaml
@@ -9,11 +9,11 @@ spec:
   project: default
   source:
     path: kubernetes/gke-utility/atlantis
-    repoURL: https://github.com/borg-land/k8s.io
-    targetRevision: deploy-atlantis
+    repoURL: https://github.com/kubernetes/k8s.io
+    targetRevision: main
   syncPolicy:
     automated:
-      prune: false
+      prune: true
       selfHeal: true
     syncOptions:
       - CreateNamespace=true

diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   # - argocd.yaml This has been manually applied to fix sync issues
+  - atlantis.yaml
   - external-secrets.yaml
   - cert-manager.yaml
   - prow.yaml

diff --git a/kubernetes/gke-utility/atlantis/httproute.yaml b/kubernetes/gke-utility/atlantis/httproute.yaml
@@ -4,7 +4,8 @@ metadata:
   name: atlantis
 spec:
   parentRefs:
-  - name: prow
+  - name: istio-ingressgateway
+    namespace: istio-system
     sectionName: https
   hostnames:
   - atlantis.k8s.io
@@ -15,23 +16,3 @@ spec:
     backendRefs:
     - name: atlantis
       port: 80
----
-apiVersion: security.istio.io/v1
-kind: AuthorizationPolicy
-metadata:
-  name: atlantis
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: atlantis
-  action: ALLOW
-  rules:
-    - from:
-      - source:
-          remoteIpBlocks: 
-            - "192.30.252.0/22"
-            - "185.199.108.0/22"
-            - "140.82.112.0/20"
-            - "143.55.64.0/20"
-            - "2a0a:a440::/29"
-            - "2606:50c0::/32"
diff --git a/kubernetes/gke-utility/atlantis/kustomization.yaml b/kubernetes/gke-utility/atlantis/kustomization.yaml
@@ -9,7 +9,7 @@ resources:
 
 images:
  - name: ghcr.io/runatlantis/atlantis
-   newTag: v0.30.0 
+   newTag: v0.30.0
 
 configMapGenerator:
 - name: atlantis-config

diff --git a/kubernetes/gke-utility/istio-system/auth-policy.yaml b/kubernetes/gke-utility/istio-system/auth-policy.yaml
@@ -16,3 +16,9 @@ spec:
         hosts:
         - argo.k8s.io
         - monitoring.prow.k8s.io
+    # we want to force auth to atlantis.k8s.io/* except /events
+    - operation:
+        hosts:
+        - atlantis.k8s.io
+        notPaths:
+        - "/events"