runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

helm chart gitconfig option ignored #1257

Open pthornton opened 3 years ago

pthornton commented 3 years ago

Running terraform with modules imported from private GitLab fails using the /etc/secret-gitconfig/gitconfig mounted helm gitconfig option. If I copy this file to /home/atlantis/.gitconfig then terraform succeeds. Atlantis appears to be ignoring the mounted /etc/secret-gitconfig/gitconfig file?

Error: Failed to download module

Could not download module "eks_ingress" (main.tf:109) source code from
"git::https://git.mycompany.com/high-five/tf-modules/eks-ingress.git?ref=v2.0.0":
error downloading
'https://git.mycompany.com/high-five/tf-modules/eks-ingress.git?ref=v2.0.0':
/usr/bin/git exited with 128: Cloning into '.terraform/modules/eks_ingress'...
remote: Not Found
fatal: repository 'https://github.com/high-five/tf-modules/eks-ingress.git/'
not found

File contents: /etc/secret-gitconfig/gitconfig

[url "https://username:password@git.mycompany.com/"]
    insteadOf = https://git.mycompany.com/

Helm Chart:


gitconfig: |
   [url "https://username:password@git.mycompany.com/""]
     insteadOf = https://git.mycompany.com/

Atlantis version:

- name: atlantis
  repository: https://runatlantis.github.io/helm-charts
  version: "3.12.4"

  image:
    repository: runatlantis/atlantis
    tag: v0.15.1

Bencyril commented 3 years ago

Hey! Don't know if it's a typo, but the code from your helm chart has two double quotes at the end of the URL. Otherwise, can you helm template the whole stuff to see what's taken into account?

joshuasimon-taulia commented 2 years ago

there's a poststart hook in the statefulset that copies /etc/secret-gitconfig/gitconfig to /home/atlantis/.gitconfig. this works fine, but atlantis overwrites /home/atlantis/.gitconfig when a user files a PR and runs atlantis plan with the following:

[credential]
    helper = store
# [url "https://$GIT_TOKEN@github.com"]
#   insteadOf = https://github.com
# [url "https://$GIT_TOKEN@github.com"]
#   insteadOf = ssh://git@github.com
[url "https://x-access-token@github.com"]
    insteadOf = ssh://git@github.com

i believe this is the logic that writes the git-related files

Setting ATLANTIS_WRITE_GIT_CREDS=false results in a crashLoop because I am using a github app.

Mounting a custom /home/atlantis/.gitconfig results in

There was an error running git config --global credential.helper store: error: could not write config file /home/atlantis/.gitconfig: Resource busy
: exit status 4

updating the PR clone ref per https://github.com/runatlantis/atlantis/issues/1696 would solve my issue

ayushkr04 commented 1 year ago

@joshuasimon-taulia: I am running into a similar issue (#2526), but in my case this has started happening suddenly, after running atlantis successfully for over 2 years now. Can you pls help me with the change you made which resolved your issue?

romelBen commented 1 year ago

Hello all, I receive the same issue when adding my configurations in the values.yaml like so:

  gitconfig: |
    [credential]
        helper = store
    [url "https://x-access-token@github.com"]
        insteadOf = ssh://git@github.com
    [safe]
      directory = *

With the same error: There was an error running git config --global credential.helper store: error: could not write config file /home/atlantis/.gitconfig: Resource busy : exit status 4

I am also utilizing GitHub App. Would appreciate any help.

joshuasimon-taulia commented 1 year ago

> @joshuasimon-taulia: I am running into a similar issue (#2526), but in my case this has started happening suddenly, after running atlantis successfully for over 2 years now. Can you pls help me with the change you made which resolved your issue?

my issue was solved by using github app credentials directly https://github.com/runatlantis/atlantis/pull/2044 instead of gitconfig

values.yaml

githubApp:
  id: "123456"
  key: required
  secret: to-get-vcsSecretName-to-mount

environmentRaw:
  - name: ATLANTIS_GH_APP_SLUG
    value: "YOUR-APP-NAME"
  - name: GIT_USER
    value: "bot-atlantis"

vcsSecretName: "atlantis-github-app"

ggujabidze commented 12 months ago

Hello everyone!

I'm facing the same issue. My code is stored on Azure DevOps. I have the following variable enabled: ATLANTIS_WRITE_GIT_CREDS: "true" and everything worked perfectly till I used https protocol for downloading terraform modules from other private repositories. But my colleague asked me to configure custom .gitconfig as he wants to use ssh protocol in his module's address. So I added the following section into my helm value:

gitconfig: |
  [url "https://dev.azure.com"]
  insteadOf = "ssh://git@ssh.dev.azure.com"

But after trying to redeploy Helm chart, I'm getting the following error message:

{"level":"info","ts":"2023-07-10T10:16:24.653Z","caller":"vcs/git_cred_writer.go:29","msg":"wrote git credentials to /home/atlantis/.git-credentials","json":{}}
Error: initializing server: There was an error running git config --global credential.helper store: error: could not write config file /home/atlantis/.gitconfig: Resource busy : exit status 4

I'm providing git credentials for Azure DevOps via the same helm value file with the following section:

azuredevops:
  user: devops-user
  token: devops-user-token

I really appreciate any response to assist me with resolving that issue.

Jeinhaus commented 12 months ago

We solved this issue as described in https://github.com/runatlantis/helm-charts/issues/222:

So our setup basically looks like this:

...
    # Replicate the changes from
    # https://github.com/runatlantis/helm-charts/pull/223/files
    # to avoid https://github.com/runatlantis/helm-charts/issues/222.
    extraVolumes:
    - name: gitconfig
      secret:
        secretName: atlantis-gitconfig-secret
    extraVolumeMounts:
    - name: gitconfig
      mountPath: /etc/secret-gitconfig
      subPath: gitconfig
    lifecycle:
      postStart:
        exec:
          command: ["/bin/sh", "-c", "cp /etc/secret-gitconfig /home/atlantis/.gitconfig && chown atlantis /home/atlantis/.gitconfig"]
...

romelBen commented 12 months ago

I should have replied back. This is exactly what was implemented to fix our issues. Once GitHub App placed the necessary permissions in ~/.gitconfig, I set a command for this to work in the lifecycle section in the K8s manifest.

ggujabidze commented 12 months ago

Hi Guys!

First of all I want to thank @Jeinhaus for his great and detailed fix for that issue. I've done everything as you suggested and it worked smoothly. But it's not very convenient, as you have to manage a separate manifest for your custom kubernetes secret object.

So, if I understand correctly, the problems began after this particular change and I see that before it worked exactly the same way, as you suggested me to do manually. So, why not revert that particular change back? Of course I do not have deep vision of the entire project and there might be other factors depending on it, but I'm just curious if it is possible? Because I'm sure this feature (I mean adding a custom .gitconfig file) will be needed by most of atlantis' users, and it's a pity that the current Helm chart fails to provide such functionality out of the box ((

Jeinhaus commented 12 months ago

@ggujabidze If I remember correctly, there was an open issue or PR that wanted to revert some of these changes. But I can't find it at the moment. I think the revert conflicted with some other changes that happened in the meantime.

bdellegrazie commented 4 months ago

@Jeinhaus for reference the PR is https://github.com/runatlantis/helm-charts/pull/223

GMartinez-Sisti commented 2 months ago

Possible fix on https://github.com/runatlantis/helm-charts/pull/384. Please review.

dominik-dezordo-vc commented 2 months ago

Just used the latest version of the helm chart (v5.0.2) and I am still running into the same issue. Helm values file looks like:

githubApp:
  id: 111111
  slug: some-slug

vcsSecretName: atlantis-github-app-credentials

gitconfigSecretName: atlantis-gitconfig

Error:

No files found in /docker-entrypoint.d/, skipping
{"level":"info","ts":"2024-05-08T16:46:00.019Z","caller":"server/server.go:447","msg":"Utilizing BoltDB","json":{}}
{"level":"info","ts":"2024-05-08T16:46:00.020Z","caller":"vcs/git_cred_writer.go:29","msg":"wrote git credentials to /home/atlantis/.git-credentials","json":{}}
Error: initializing server: could not write credentials: Writing ~/.git-credentials file: There was an error running git config --global credential.helper store: error: could not write config file /home/atlantis/.gitconfig: Resource busy
: exit status 4

GMartinez-Sisti commented 2 months ago

Thanks @dominik-dezordo-vc for checking!

I double checked and you are right, this requires a more convoluted way since the file is mounted using a tmpfs disk that cannot be changed even if we remove the readOnly flag. Something like https://github.com/runatlantis/atlantis/issues/1257#issuecomment-1630184449 baked on the helm-chart logic would work.

Another option is to allow specifying another file where atlantis would write the git configuration to, and source that file on the default .gitconfig file, but that would take longer than adding the copy logic to the helm chart.
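
Added example, not part of the thread or of the Atlantis chart: a shell version of the copy logic mentioned above. It first checks whether the target is a file-level mount, the case where `git config --global` fails with `Resource busy` because git saves by renaming a lock file over the target and rename onto a mount point returns EBUSY, and then installs the gitconfig as a regular owner-only file. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from Atlantis.

# Constructed /proc/self/mountinfo lines: a Secret file mounted directly on
# ~/.gitconfig (tmpfs) and an ordinary data volume.
SAMPLE_MOUNTINFO='1520 1480 0:201 /gitconfig /home/atlantis/.gitconfig ro,relatime - tmpfs tmpfs rw
1521 1480 8:1 /data /atlantis-data rw,relatime - ext4 /dev/sda1 rw'

# is_file_mount PATH [MOUNTINFO_FILE]
# Succeeds when PATH is itself a mount point. git saves its config by writing
# PATH.lock and renaming it over PATH; rename(2) onto a mount point fails with
# EBUSY, which git reports as "Resource busy".
is_file_mount() {
    target=$1
    mountinfo=${2:-/proc/self/mountinfo}
    # Field 5 of every mountinfo line is the mount point.
    awk -v t="$target" '$5 == t { found = 1 } END { exit !found }' "$mountinfo"
}

# install_gitconfig SRC DEST [MOUNTINFO_FILE]
# Copies SRC to DEST as a regular file readable only by its owner, so git can
# rewrite it later and credentials embedded in URLs stay private.
install_gitconfig() {
    src=$1
    dest=$2
    if is_file_mount "$dest" "${3:-/proc/self/mountinfo}"; then
        echo "refusing: $dest is a mount point, git cannot replace it" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    # umask 077 creates the temp file as 0600, so there is no readable window.
    ( umask 077 && cat "$src" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}
```

Run it as the user that owns the home directory, so the copied file needs no separate chown.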

dominik-dezordo-vc commented 2 months ago

Hey, thanks for the fast answer! Yeah, so I actually just tried to fork your chart and set the volume to be writable, but it resulted in the same issue. I also tried the lifecycle hook and the extra volumes from your link, but I now get an error that the hook is not running successfully:

[Screenshot 2024-05-08 at 19 43 07]

So I think the fix is currently not working anymore with this chart. Any other idea how to use github apps with the latest version of your chart?