Allow arbitrary user to run atlantis

docker-base/Dockerfile

@@ -4,13 +4,20 @@
 FROM alpine:3.8
 LABEL authors="Anubhav Mishra, Luke Kysow"
 
-# create atlantis user
+# We use gosu to step down from root and run as the atlantis user so we need
+# to create that user and group.
+# We add the atlantis user to the root group and make its home directory
+# owned by root so that OpenShift users can use /home/atlantis as their
+# data dir because OpenShift runs containers as a random uid that's part of
+# the root group.
 RUN addgroup atlantis && \
-    adduser -S -G atlantis atlantis
+    adduser -S -G atlantis atlantis && \
+    adduser atlantis root && \
+    chown atlantis:root /home/atlantis/ && \
+    chmod g=u /home/atlantis/ && \
+    chmod g=u /etc/passwd
 
-ENV ATLANTIS_HOME_DIR=/home/atlantis
-
-# install atlantis dependencies
+# Install dumb-init and gosu.
 ENV DUMB_INIT_VERSION=1.2.0
 ENV GOSU_VERSION=1.10
 RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap openssl && \
@@ -35,6 +42,6 @@ RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap
         apk del gnupg openssl && \
         rm -rf /root/.gnupg && rm -rf /var/cache/apk/*
 
-# set up nsswitch.conf for Go's "netgo" implementation
+# Set up nsswitch.conf for Go's "netgo" implementation
 # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf

docker-entrypoint.sh

@@ -9,15 +9,30 @@ if [ "${1:0:1}" = '-' ]; then
     set -- atlantis "$@"
 fi
 
-# Look for atlantis subcommands.
+# If the user is running an atlantis subcommand (ex. server) then we want to prepend
+# atlantis as the first arg to exec. To detect if they're running a subcommand
+# we take the potential subcommand and run it through atlantis help {subcommand}.
+# If the output contains "atlantis subcommand" then we know it's a subcommand
+# since the help output contains that string. For anything else (ex. sh)
+# it won't contain that string.
+# NOTE: We use grep instead of the exit code since help always returns 0.
 if atlantis --help "$1" 2>&1 | grep -q "atlantis $1"; then
     # We can't use the return code to check for the existence of a subcommand, so
     # we have to use grep to look for a pattern in the help output.
     set -- atlantis "$@"
 fi
 
-# If we are running atlantis, make sure it executes as the proper user.
-if [ "$1" = 'atlantis' ]; then
+# If the current uid running does not have a user create one in /etc/passwd
+if ! whoami &> /dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+# If we're running as root and we're trying to execute atlantis then we use
+# gosu to step down from root and run as the atlantis user.
+# In OpenShift, containers are run as a random users so we don't need to use gosu.
+if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
     # If requested, set the capability to bind to privileged ports before
     # we drop to the non-root user. Note that this doesn't work with all
     # storage drivers (it won't work with AUFS).

helm/atlantis/templates/statefulset.yaml

@@ -19,8 +19,7 @@ spec:
         app: {{ template "atlantis.name" . }}
         release: {{ .Release.Name }}
     spec:
-      securityContext:
-        fsGroup: 1000
+      securityContext: {}
       volumes:
       {{- range $name, $_ := .Values.serviceAccountSecrets }}
       - name: {{ $name }}-volume