fix: Running on Openshift 4.x with readOnlyRootFilesystem (#6998)

Signed-off-by: Philipp Dallig <philipp.dallig@gmail.com>
argoproj · Aug 18, 2021 · 4ae1d87 · 4ae1d87
1 parent efc8ec1
commit 4ae1d87
Show file tree

Hide file tree

Showing 10 changed files with 17 additions and 29 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -47,7 +47,6 @@ RUN groupadd -g 999 argocd && \
     mkdir -p /home/argocd && \
     chown argocd:0 /home/argocd && \
     chmod g=u /home/argocd && \
-    chmod g=u /etc/passwd && \
     apt-get update && \
     apt-get dist-upgrade -y && \
     apt-get install -y git git-lfs python3-pip tini gpg tzdata && \
@@ -62,9 +61,7 @@ COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
 COPY --from=builder /usr/local/bin/helm2 /usr/local/bin/helm2
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-# script to add current (possibly arbitrary) user to /etc/passwd at runtime
-# (if it's not already there, to be openshift friendly)
-COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 
 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# If we're started as PID 1, we should wrap command execution through tini to
+# prevent leakage of orphaned processes ("zombies").
+if test "$$" = "1"; then
+	exec tini -- $@
+else
+	exec "$@"
+fi
diff --git a/manifests/base/repo-server/argocd-repo-server-deployment.yaml b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
@@ -21,7 +21,7 @@ spec:
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - $(ARGOCD_REDIS_SERVICE):6379

diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
@@ -2905,7 +2905,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379

diff --git a/manifests/ha/base/overlays/argocd-repo-server-deployment.yaml b/manifests/ha/base/overlays/argocd-repo-server-deployment.yaml
@@ -23,7 +23,7 @@ spec:
       containers:
       - name: argocd-repo-server
         command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - "argocd-redis-ha-haproxy:6379"
diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml
@@ -3818,7 +3818,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379

diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml
@@ -1205,7 +1205,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379

diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -3147,7 +3147,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379

diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
@@ -534,7 +534,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
-        - uid_entrypoint.sh
+        - entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379

diff --git a/uid_entrypoint.sh b/uid_entrypoint.sh