fix(atlantis): allow .gitconfig write

charts/atlantis/Chart.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: v0.28.3
 description: A Helm chart for Atlantis https://www.runatlantis.io
 name: atlantis
-version: 5.4.0
+version: 5.4.1
 keywords:
   - terraform
 home: https://www.runatlantis.io

charts/atlantis/README.md

@@ -110,6 +110,7 @@ extraManifests:
 | extraVolumes | list | `[]` | Optionally specify additional volumes for the pod. Check values.yaml for examples. |
 | fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. |
 | gitconfig | string | `""` | When referencing Terraform modules in private repositories, it may be helpful (necessary?) to use redirection in a .gitconfig. Check values.yaml for examples. |
+| gitconfigReadOnly | bool | `true` | When true gitconfig file is mounted as read only. When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process, instead of being mounted as a file. |
 | gitconfigSecretName | string | `""` | If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name |
 | github | object | `{}` | If using GitHub, please enter your values as follows. The chart will perform the base64 encoding for values that are stored in secrets. The 'hostname' key is exclusive to GitHub Enterprise installations. Check values.yaml for examples. |
 | githubApp | object | `{}` | If using a GitHub App, please enter your values as follows. The chart will perform the base64 encoding for you for values that are stored in secrets. installationId is necessary when there are multiple installs of the Github App. Check values.yaml for examples. |
@@ -404,4 +405,4 @@ make unit-test-run-atlantis
 ```
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.14.0](https://github.com/norwoodj/helm-docs/releases/v1.14.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/atlantis/templates/configmap-gitconfig-init.yaml

@@ -0,0 +1,18 @@
+{{- if not .Values.gitconfigReadOnly }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "atlantis.fullname" . }}-gitconfig-init
+  labels:
+    {{- include "atlantis.labels" . | nindent 4 }}
+  {{- with .Values.extraAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  gitconfig-init.sh: |
+    #!/bin/sh
+    set -ex
+    cp -v /etc/.gitconfig /home/atlantis/.gitconfig
+    chown -v atlantis /home/atlantis/.gitconfig
+{{- end }}

charts/atlantis/templates/statefulset.yaml

@@ -105,14 +105,21 @@ spec:
       {{- if .Values.gitconfig }}
       - name: gitconfig-volume
         secret:
-          defaultMode: 0660
           secretName: {{ template "atlantis.fullname" . }}-gitconfig
       {{- else if .Values.gitconfigSecretName }}
       - name: gitconfig-volume
         secret:
-          defaultMode: 0660
           secretName: {{ .Values.gitconfigSecretName }}
       {{- end }}
+      {{- if not .Values.gitconfigReadOnly }}
+      - name: gitconfig-init
+        configMap:
+          name: {{ template "atlantis.fullname" . }}-gitconfig-init
+          items:
+            - key: gitconfig-init.sh
+              path: gitconfig-init.sh
+              mode: 0555
+      {{- end }}
       {{- if .Values.netrc }}
       - name: netrc-volume
         secret:
@@ -216,10 +223,10 @@ spec:
           {{- end }}
           {{- if .Values.command }}
           command:
-          {{- range .Values.command }}
+            {{- range .Values.command }}
             - {{ . }}
             {{- end }}
-            {{- end }}
+          {{- end }}
           args:
             - server
             {{- if .Values.config }}
@@ -536,9 +543,18 @@ spec:
           {{- if or .Values.gitconfig .Values.gitconfigSecretName }}
           - name: gitconfig-volume
             readOnly: true
+          {{- if .Values.gitconfigReadOnly }}
             mountPath: /home/atlantis/.gitconfig
+          {{- else }}
+            mountPath: /etc/.gitconfig
+          {{- end }}
             subPath: gitconfig
           {{- end }}
+          {{- if not .Values.gitconfigReadOnly }}
+          - name: gitconfig-init
+            mountPath: /docker-entrypoint.d/gitconfig-init.sh
+            subPath: gitconfig-init.sh
+          {{- end }}
           {{- if or .Values.netrc .Values.netrcSecretName }}
           - name: netrc-volume
             readOnly: true

charts/atlantis/tests/configmap-gitconfig-init_test.yaml

@@ -0,0 +1,35 @@
+---
+suite: test configmap-gitconfig-init for gitconfig
+templates:
+  - configmap-gitconfig-init.yaml
+release:
+  name: my-release
+tests:
+  - it: default values
+    template: configmap-gitconfig-init.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: gitconfig-read-write
+    template: configmap-gitconfig-init.yaml
+    set:
+      gitconfigReadOnly: false
+      commonLabels:
+        team: "infra"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ConfigMap
+      - isAPIVersion:
+          of: v1
+      - equal:
+          path: metadata.name
+          value: my-release-atlantis-gitconfig-init
+      - equal:
+          path: data["gitconfig-init.sh"]
+          value: |
+            #!/bin/sh
+            set -ex
+            cp -v /etc/.gitconfig /home/atlantis/.gitconfig
+            chown -v atlantis /home/atlantis/.gitconfig

charts/atlantis/tests/statefulset_test.yaml

@@ -322,19 +322,19 @@ tests:
             mountPath: /var/secrets/gcp-staging
             name: gcp-staging
             readOnly: true
-  - it: gitconfig
+  - it: gitconfig-read-only
     template: statefulset.yaml
     set:
       gitconfig: |
         [url "https://[email protected]"]
         insteadOf = https://github.com
+      gitconfigReadOnly: true
     asserts:
       - equal:
           path: spec.template.spec.volumes[1]
           value:
             name: gitconfig-volume
             secret:
-              defaultMode: 432
               secretName: my-release-atlantis-gitconfig
       - equal:
           path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
@@ -344,6 +344,45 @@ tests:
             name: gitconfig-volume
             readOnly: true
             subPath: gitconfig
+  - it: gitconfig-read-write
+    template: statefulset.yaml
+    set:
+      gitconfig: |
+        [url "https://[email protected]"]
+        insteadOf = https://github.com
+      gitconfigReadOnly: false
+    asserts:
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "gitconfig-volume")]
+          value:
+            name: gitconfig-volume
+            secret:
+              secretName: my-release-atlantis-gitconfig
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "gitconfig-init")]
+          value:
+            name: gitconfig-init
+            configMap:
+              name: my-release-atlantis-gitconfig-init
+              items:
+                - key: gitconfig-init.sh
+                  path: gitconfig-init.sh
+                  mode: 0555
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
+            "gitconfig-volume")]
+          value:
+            mountPath: /etc/.gitconfig
+            name: gitconfig-volume
+            readOnly: true
+            subPath: gitconfig
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name ==
+            "gitconfig-init")]
+          value:
+            mountPath: /docker-entrypoint.d/gitconfig-init.sh
+            name: gitconfig-init
+            subPath: gitconfig-init.sh
   - it: gitconfigSecretName
     template: statefulset.yaml
     set:
@@ -354,7 +393,6 @@ tests:
           value:
             name: gitconfig-volume
             secret:
-              defaultMode: 432
               secretName: atlantis-gitconfig
       - equal:
           path: spec.template.spec.containers[0].volumeMounts[?(@.name ==

charts/atlantis/values.schema.json

@@ -190,6 +190,11 @@
       "type": "string",
       "description": "Contents of a file to be mounted to `~/.gitconfig`.  Use to allow redirection for Terraform modules in private git repositories."
     },
+    "gitconfigReadOnly": {
+      "type": "boolean",
+      "default": "true",
+      "description": "When true gitconfig file is mounted as read only. When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process instead of being mounted as a file."
+    },
     "gitconfigSecretName": {
       "type": "string",
       "description": "Name of a pre-existing Kubernetes `Secret` containing a `gitconfig` key. Use this instead of `gitconfig` (optional)"

charts/atlantis/values.yaml

@@ -111,6 +111,11 @@ gitconfig: ""
 #   insteadOf = ssh://[email protected]
 # Source: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token
 
+# -- When true gitconfig file is mounted as read only.
+# When false, the gitconfig value will be copied to '/home/atlantis/.gitconfig' before starting the atlantis process,
+# instead of being mounted as a file.
+gitconfigReadOnly: true
+
 # -- If managing secrets outside the chart for the gitconfig, use this variable to reference the secret name
 gitconfigSecretName: ""