Atlantis has wide-spectrum access to our infrastructure. All secrets must be protected. As all the secrets are currently stored in k8s secrets, we should move them to Secret Manager.
The Atlantis service account key was persisted in Secret Manager when TFDD was updated. We just need to use an init container to fetch and persist the key before Atlantis starts.
The Atlantis Docker image doesn't support consuming Google secrets in environment variables directly. However, we can inject the berglas binary into a shared volume and then adjust the entry point of the Atlantis container to use `berglas exec --`, which gives it the ability to inject secrets directly into environment variables.
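
A pod template fragment showing both steps together, as an added example that is not this project's actual manifest. `PROJECT_ID`, the secret names, the image references and tags, the mount paths and the `docker-entrypoint.sh server` command line are assumptions or placeholders; it also assumes the init containers already run with an identity that can read the secrets.

```yaml
# Added example: pod template fragment, not the project's own manifest.
spec:
  volumes:
    - name: berglas-bin
      emptyDir: {medium: Memory}
    - name: gcp-key
      emptyDir: {medium: Memory}   # tmpfs, so the key never lands on node disk
  initContainers:
    # Step 1: copy the berglas binary into the shared volume.
    - name: copy-berglas-bin
      image: us-docker.pkg.dev/berglas/berglas/berglas:latest  # assumed image; pin by digest
      command: ["sh", "-c", "cp /bin/berglas /berglas/bin/"]
      volumeMounts:
        - {name: berglas-bin, mountPath: /berglas/bin}
    # Step 2: fetch the service account key from Secret Manager before Atlantis starts.
    - name: fetch-sa-key
      image: gcr.io/google.com/cloudsdktool/google-cloud-sdk:slim  # assumed image
      command:
        - sh
        - -c
        - >-
          gcloud secrets versions access latest
          --project=PROJECT_ID --secret=ATLANTIS_SA_KEY_SECRET
          > /var/secrets/google/key.json
      volumeMounts:
        - {name: gcp-key, mountPath: /var/secrets/google}
  containers:
    - name: atlantis
      image: ghcr.io/runatlantis/atlantis:TAG   # placeholder tag
      # Setting `command` replaces the image entry point, so the original
      # one (assumed here) is passed to berglas after `--`.
      command: ["/berglas/bin/berglas", "exec", "--", "docker-entrypoint.sh", "server"]
      env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        # berglas exec resolves sm:// references and replaces them with the
        # secret values in the child process environment only.
        - name: ATLANTIS_GH_TOKEN
          value: sm://PROJECT_ID/ATLANTIS_GH_TOKEN_SECRET
        - name: ATLANTIS_GH_WEBHOOK_SECRET
          value: sm://PROJECT_ID/ATLANTIS_GH_WEBHOOK_SECRET_NAME
      volumeMounts:
        - {name: berglas-bin, mountPath: /berglas/bin, readOnly: true}
        - {name: gcp-key, mountPath: /var/secrets/google, readOnly: true}
```

With this layout the pod spec and anything that can read it (`kubectl get pod -o yaml`, audit logs) only ever see the `sm://` references, not the secret values.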