diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml
index b57d1104..fb3127f2 100644
--- a/charts/atlantis/Chart.yaml
+++ b/charts/atlantis/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: v0.28.3
 description: A Helm chart for Atlantis https://www.runatlantis.io
 name: atlantis
-version: 5.4.0
+version: 5.4.1
 keywords:
 - terraform
 home: https://www.runatlantis.io
diff --git a/charts/atlantis/README.md b/charts/atlantis/README.md
index 28ec57d7..f51b319f 100644
--- a/charts/atlantis/README.md
+++ b/charts/atlantis/README.md
@@ -110,6 +110,7 @@ extraManifests:
 | extraVolumes | list | `[]` | Optionally specify additional volumes for the pod. Check values.yaml for examples. |
 | fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. |
 | gitconfig | string | `""` | When referencing Terraform modules in private repositories, it may be helpful (necessary?) to use redirection in a .gitconfig. Check values.yaml for examples. |
+| gitconfigReadOnly | bool | `true` | When true gitconfig file is mounted as read only. When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process, instead of being mounted as a file. |
 | gitconfigSecretName | string | `""` | If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name |
 | github | object | `{}` | If using GitHub, please enter your values as follows. The chart will perform the base64 encoding for values that are stored in secrets. The 'hostname' key is exclusive to GitHub Enterprise installations. Check values.yaml for examples. |
 | githubApp | object | `{}` | If using a GitHub App, please enter your values as follows. The chart will perform the base64 encoding for you for values that are stored in secrets. installationId is necessary when there are multiple installs of the Github App. Check values.yaml for examples. |
@@ -404,4 +405,4 @@ make unit-test-run-atlantis
 ```
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.14.0](https://github.com/norwoodj/helm-docs/releases/v1.14.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/atlantis/templates/configmap-gitconfig-init.yaml b/charts/atlantis/templates/configmap-gitconfig-init.yaml
new file mode 100644
index 00000000..b4865d06
--- /dev/null
+++ b/charts/atlantis/templates/configmap-gitconfig-init.yaml
@@ -0,0 +1,18 @@
+{{- if not .Values.gitconfigReadOnly }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "atlantis.fullname" . }}-gitconfig-init
+  labels:
+    {{- include "atlantis.labels" . | nindent 4 }}
+  {{- with .Values.extraAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  gitconfig-init.sh: |
+    #!/bin/sh
+    set -ex
+    cp -v /etc/.gitconfig /home/atlantis/.gitconfig
+    chown -v atlantis /home/atlantis/.gitconfig
+{{- end }}
diff --git a/charts/atlantis/templates/statefulset.yaml b/charts/atlantis/templates/statefulset.yaml
index 0c941a71..f137eb19 100644
--- a/charts/atlantis/templates/statefulset.yaml
+++ b/charts/atlantis/templates/statefulset.yaml
@@ -105,14 +105,21 @@ spec:
       {{- if .Values.gitconfig }}
       - name: gitconfig-volume
         secret:
-          defaultMode: 0660
           secretName: {{ template "atlantis.fullname" . }}-gitconfig
       {{- else if .Values.gitconfigSecretName }}
       - name: gitconfig-volume
         secret:
-          defaultMode: 0660
           secretName: {{ .Values.gitconfigSecretName }}
       {{- end }}
+      {{- if not .Values.gitconfigReadOnly }}
+      - name: gitconfig-init
+        configMap:
+          name: {{ template "atlantis.fullname" . }}-gitconfig-init
+          items:
+            - key: gitconfig-init.sh
+              path: gitconfig-init.sh
+              mode: 0555
+      {{- end }}
       {{- if .Values.netrc }}
       - name: netrc-volume
         secret:
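Review bot: `chown -v atlantis /home/atlantis/.gitconfig` in the new `gitconfig-init.sh` only succeeds when the hook runs as root or the file already belongs to atlantis; with `set -e` a failed chown aborts the script, and whether the image's entrypoint then refuses to start is not visible from the chart, so the template should not depend on it. The file being copied is the credential-bearing gitconfig (the test fixtures use `https://YOUR_GH_TOKEN@github.com`), and `cp` without `-p` gives the copy the mounted file's mode masked by the umask, which after this commit is the kubelet's default 0644, so the copy in the writable home directory stays world-readable. Tightening the copy and making ownership conditional works in both the root and non-root cases: `chmod 0600 /home/atlantis/.gitconfig` after the `cp`, then `if [ "$(id -u)" -eq 0 ]; then chown -v atlantis /home/atlantis/.gitconfig; fi` in place of the bare chown. Confirm against the Atlantis image's entrypoint which user runs the `/docker-entrypoint.d` hooks, since that decides whether the chown is needed at all.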
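Review bot: Dropping `defaultMode: 0660` from both `gitconfig-volume` branches is a permission change for every user of the chart, including the default `gitconfigReadOnly: true` path, not only the new copy mode: without it the kubelet mounts the secret with its default mode 0644, so a gitconfig carrying a token becomes readable by any user inside the container. The hunk gives no reason for the removal; if 0660 was dropped because the subPath-mounted file was unreadable by the atlantis user, say so in a template comment next to `secret:`, otherwise keep an explicit mode such as `defaultMode: 0440` (assuming the pod's fsGroup covers the atlantis user, which is outside this hunk). The same removal is mirrored in statefulset_test.yaml (`defaultMode: 432` in the `gitconfig-read-only` and `gitconfigSecretName` cases), so whichever way this is resolved the tests move with it.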
@@ -216,10 +223,10 @@ spec:
         {{- end }}
         {{- if .Values.command }}
         command:
-        {{- range .Values.command }}
+          {{- range .Values.command }}
           - {{ . }}
           {{- end }}
-        {{- end }}
+          {{- end }}
         args:
           - server
         {{- if .Values.config }}
@@ -536,9 +543,18 @@ spec:
         {{- if or .Values.gitconfig .Values.gitconfigSecretName }}
         - name: gitconfig-volume
           readOnly: true
+          {{- if .Values.gitconfigReadOnly }}
           mountPath: /home/atlantis/.gitconfig
+          {{- else }}
+          mountPath: /etc/.gitconfig
+          {{- end }}
           subPath: gitconfig
         {{- end }}
+        {{- if not .Values.gitconfigReadOnly }}
+        - name: gitconfig-init
+          mountPath: /docker-entrypoint.d/gitconfig-init.sh
+          subPath: gitconfig-init.sh
+        {{- end }}
         {{- if or .Values.netrc .Values.netrcSecretName }}
         - name: netrc-volume
           readOnly: true
diff --git a/charts/atlantis/tests/configmap-gitconfig-init_test.yaml b/charts/atlantis/tests/configmap-gitconfig-init_test.yaml
new file mode 100644
index 00000000..4ebd54a6
--- /dev/null
+++ b/charts/atlantis/tests/configmap-gitconfig-init_test.yaml
@@ -0,0 +1,35 @@
+---
+suite: test configmap-gitconfig-init for gitconfig
+templates:
+  - configmap-gitconfig-init.yaml
+release:
+  name: my-release
+tests:
+  - it: default values
+    template: configmap-gitconfig-init.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: gitconfig-read-write
+    template: configmap-gitconfig-init.yaml
+    set:
+      gitconfigReadOnly: false
+      commonLabels:
+        team: "infra"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ConfigMap
+      - isAPIVersion:
+          of: v1
+      - equal:
+          path: metadata.name
+          value: my-release-atlantis-gitconfig-init
+      - equal:
+          path: data["gitconfig-init.sh"]
+          value: |
+            #!/bin/sh
+            set -ex
+            cp -v /etc/.gitconfig /home/atlantis/.gitconfig
+            chown -v atlantis /home/atlantis/.gitconfig
diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml
index ef60faa3..4096e8ce 100644
--- a/charts/atlantis/tests/statefulset_test.yaml
+++ b/charts/atlantis/tests/statefulset_test.yaml
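Review bot: The new `gitconfig-init` mount in the `@@ -536` hunk omits `readOnly: true` while the sibling `gitconfig-volume` and `netrc-volume` mounts in the same list set it; the kubelet mounts ConfigMap volumes read-only anyway, so this is a consistency point rather than a defect, but adding `readOnly: true` under `- name: gitconfig-init` keeps the three credential-related mounts declared the same way. Mounting the script at `/docker-entrypoint.d/gitconfig-init.sh` appears to rely on the container image's entrypoint executing hooks from that directory before atlantis starts; that dependency is not visible in the chart, so a template comment above the `{{- if not .Values.gitconfigReadOnly }}` guard naming it would help anyone running a custom image. The `{{- if .Values.gitconfigReadOnly }}` / `{{- else }}` split around `mountPath` also leaves the secret mounted under `/etc` in the copy mode, which is fine but worth a one-line comment since nothing else in the chart refers to `/etc/.gitconfig`.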
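Review bot: In the new configmap-gitconfig-init_test.yaml the `gitconfig-read-write` case sets `commonLabels:` / `team: "infra"` but no assertion reads the label back, so the value is dead fixture data; either add `- equal:`, `    path: metadata.labels.team`, `    value: infra` to the asserts (assuming `atlantis.labels` includes commonLabels, as the fixture suggests) or drop the `commonLabels` block. Neither case exercises the `{{- with .Values.extraAnnotations }}` branch of the template, so a third case setting an annotation and asserting on `metadata.annotations` would cover the rest of the new file.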
@@ -322,19 +322,19 @@ tests:
           mountPath: /var/secrets/gcp-staging
           name: gcp-staging
           readOnly: true
-  - it: gitconfig
+  - it: gitconfig-read-only
     template: statefulset.yaml
     set:
       gitconfig: |
         [url "https://YOUR_GH_TOKEN@github.com"]
           insteadOf = https://github.com
+      gitconfigReadOnly: true
     asserts:
       - equal:
           path: spec.template.spec.volumes[1]
           value:
             name: gitconfig-volume
             secret:
-              defaultMode: 432
               secretName: my-release-atlantis-gitconfig
       - equal:
           path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
@@ -344,6 +344,45 @@ tests:
           name: gitconfig-volume
           readOnly: true
           subPath: gitconfig
+  - it: gitconfig-read-write
+    template: statefulset.yaml
+    set:
+      gitconfig: |
+        [url "https://YOUR_GH_TOKEN@github.com"]
+          insteadOf = https://github.com
+      gitconfigReadOnly: false
+    asserts:
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "gitconfig-volume")]
+          value:
+            name: gitconfig-volume
+            secret:
+              secretName: my-release-atlantis-gitconfig
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "gitconfig-init")]
+          value:
+            name: gitconfig-init
+            configMap:
+              name: my-release-atlantis-gitconfig-init
+              items:
+                - key: gitconfig-init.sh
+                  path: gitconfig-init.sh
+                  mode: 0555
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
+            "gitconfig-volume")]
+          value:
+            mountPath: /etc/.gitconfig
+            name: gitconfig-volume
+            readOnly: true
+            subPath: gitconfig
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
+            "gitconfig-init")]
+          value:
+            mountPath: /docker-entrypoint.d/gitconfig-init.sh
+            name: gitconfig-init
+            subPath: gitconfig-init.sh
   - it: gitconfigSecretName
     template: statefulset.yaml
     set:
@@ -354,7 +393,6 @@ tests:
           value:
             name: gitconfig-volume
             secret:
-              defaultMode: 432
               secretName: atlantis-gitconfig
       - equal:
           path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json
index 1ab2d1ba..fc522503 100644
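Review bot: In the renamed `gitconfig-read-only` case the added `gitconfigReadOnly: true` pins the value explicitly, so after this change no case in the suite renders the statefulset with the key unset and the chart's default is no longer what that test checks; drop that line so the case keeps covering the default path, or add a separate case that sets nothing. The `gitconfig-read-write` case in the second hunk selects volumes with `[?(@.name == "gitconfig-volume")]` while the read-only case still uses the positional `spec.template.spec.volumes[1]`, which breaks on any reordering of the volume list; the filter form introduced here is the more robust one and could replace it in the same change. The `gitconfigSecretName` case in the third hunk only loses `defaultMode: 432` and gains no read-write counterpart, so an externally managed secret combined with `gitconfigReadOnly: false` is untested even though the template's `{{- else if .Values.gitconfigSecretName }}` branch feeds the same copy script.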
--- a/charts/atlantis/values.schema.json
+++ b/charts/atlantis/values.schema.json
@@ -190,6 +190,11 @@
       "type": "string",
       "description": "Contents of a file to be mounted to `~/.gitconfig`. Use to allow redirection for Terraform modules in private git repositories."
     },
+    "gitconfigReadOnly": {
+      "type": "boolean",
+      "default": "true",
+      "description": "When true gitconfig file is mounted as read only. When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process instead of being mounted as a file."
+    },
     "gitconfigSecretName": {
       "type": "string",
       "description": "Name of a pre-existing Kubernetes `Secret` containing a `gitconfig` key. Use this instead of `gitconfig` (optional)"
diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml
index 5dad037c..ef8d159e 100644
--- a/charts/atlantis/values.yaml
+++ b/charts/atlantis/values.yaml
@@ -111,6 +111,11 @@ gitconfig: ""   # insteadOf = ssh://git@gitlab.com   # Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token +# -- When true gitconfig file is mounted as read only. +# When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process, +# instead of being mounted as a file. +gitconfigReadOnly: true +  # -- If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name gitconfigSecretName: ""
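Review bot: `"default": "true"` in the new `gitconfigReadOnly` schema entry is a string default on a property typed `"boolean"`, which disagrees with `gitconfigReadOnly: true` in values.yaml; a strict schema validator or a doc generator that reads defaults will report the string `"true"` rather than the boolean. Change the line to `"default": true,`.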
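Review bot: The helm-docs comment on `gitconfigReadOnly` in values.yaml describes the copy but not what it depends on: the non-read-only mode mounts the secret at `/etc/.gitconfig` and a ConfigMap script into `/docker-entrypoint.d/`, so it appears to work only with an image whose entrypoint runs hooks from that directory, and the copy ends up in a writable location rather than a read-only mount. Add a sentence such as `# Requires an image whose entrypoint runs scripts from /docker-entrypoint.d; the secret is then mounted at /etc/.gitconfig and copied from there at startup.` so users overriding the image know why the copy silently does not happen.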