The operator runs as PID 1, which is expected to reap zombie processes; since it doesn't, they get left around to take up room. This PR installs tini and uses it as PID 1, instead.
I've removed the build/bin/{entrypoint,user_setup} scripts, which aren't necessary. The entry point can be given in the Dockerfile, and useradd already does the necessary setup. It is still necessary to create $HOME/.ssh, since git uses SSH and SSH expects that directory to exist.
This also removes the extra ceremony around using ssh-agent. Very little explanation is given in https://github.com/pulumi/pulumi-kubernetes-operator/pull/92 where it was added, so I did some investigation. It turns out that go-git will use SSH agent if not given any other auth. The automation API will supply auth to go-git as long as it's given something, but will otherwise let go-git fall back to using the ssh-agent.
The problem with falling back to ssh-agent is that it won't work inside the operator container -- even if you run ssh-agent, that will avoid go-git complaining about not finding its socket (which seems to have been the impetus for #92), but will then fail to authenticate because ssh-agent doesn't have any keys to offer. A better alternative is to explicitly require a secret key in .spec.gitAuth.
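Added here as an illustration of the container setup the PR describes (tini as PID 1, useradd in place of a user_setup script, a pre-created $HOME/.ssh); it is not the PR's own Dockerfile. The base image, the tini version and checksum placeholders, the user name and the operator binary path are assumptions.

```dockerfile
# Illustrative Dockerfile (not from the PR). Assumed: Debian base image,
# a tini release pinned by placeholder version/checksum, and the operator
# binary at /usr/local/bin/pulumi-kubernetes-operator.
FROM debian:bookworm-slim

# Placeholders: replace with a real tini release and its published SHA-256.
ARG TINI_VERSION=vX.Y.Z
ARG TINI_SHA256=TINI_SHA256_PLACEHOLDER
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
# Verify the download against the pinned checksum before trusting it as PID 1.
RUN echo "${TINI_SHA256}  /tini" | sha256sum -c - && chmod 0755 /tini

# useradd creates the home directory and the passwd/group entries, so no
# separate user_setup script is needed; a fixed non-root UID means the
# operator never runs as root inside the container.
RUN useradd --create-home --uid 1000 --shell /usr/sbin/nologin pulumi

# git shells out to ssh, and ssh expects ~/.ssh to exist (known_hosts etc.),
# so create it up front with owner-only permissions.
RUN mkdir -p /home/pulumi/.ssh \
    && chmod 0700 /home/pulumi/.ssh \
    && chown pulumi:pulumi /home/pulumi/.ssh

COPY pulumi-kubernetes-operator /usr/local/bin/pulumi-kubernetes-operator

USER pulumi
ENV HOME=/home/pulumi
# tini as PID 1 forwards signals to the operator and reaps orphaned children,
# so exited pulumi/git subprocesses do not accumulate as zombies.
ENTRYPOINT ["/tini", "--", "/usr/local/bin/pulumi-kubernetes-operator"]
```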