Replies: 1 comment
I think I just realised that atlantis is not technically pull-based due to the requirement of configuring webhooks..
Hey guys,
Have been aware of atlantis for a little while now and I've always been interested in its real-world applicability in an enterprise setting. I'm a big fan of pull-based CD (for example Flux/ArgoCD for k8s resources) and have been pondering how best to carry out IaC deployments following a GitOps model.
Most examples I have seen for IaC GitOps deployments rely on a push-based model where a PR/MR merge to master/main triggers a pipeline which completes the deployment via a build agent. Being pull-based, atlantis seems to offer the ability to remove a pipeline and its associated config for deployment purposes as the atlantis agent handles this.
I notice from the atlantis docs that it is possible to deploy the atlantis agent via a number of methods like on a VM, as a "raw" container or within k8s. I began thinking about how you would deploy the atlantis agent itself in an automated fashion. I work in an enterprise setting which is all Kube based. I'm a big fan of grouping as much of a platform as possible into grouped code within a single repo for ease of use, so my initial take would be to deploy atlantis onto a Kube cluster as a deployment. I would likely deploy atlantis via something like Argo/Flux onto a cluster that I would look to create via... Terraform.
As I followed this line of thinking, it struck me that using atlantis to manage TF infrastructure that atlantis is itself deployed onto, you potentially get into a scenario whereby if you wanted or needed to drop the kube cluster (think a rollback following EKS/AKS/GKE upgrade gone wrong), you are inadvertently going to drop the atlantis agent too. Obviously I don't think this would work.
Resultantly I reach the conclusion that for atlantis to be deployed in a protected manner avoiding the above scenario, you would have to separate the deployment of atlantis from any IaC projects that you configure it to watch. I guess that's not a huge deal but just wanted to see if anyone else had any thoughts or battle-tested experience on this one 'cause, as I said above, I'm a huge fan of pull-based CD (single source of the truth, soft-immutability, less pipeline config required).
Thanks in advance!