This is actually working, looks like my issue was unrelated. Sorry for the erroneous issue!
It seems to work when executed by the atlantis user; when exec-ing in as root it did not.
Using the config from the official helm chart and just adding a secret for it works fine:
```yaml
apiVersion: apps/v1
kind: StatefulSet
# ....
spec:
  containers:
  - env:
    - name: GIT_SSH_COMMAND
      # note: 'StrictHostKeyChecking no' turns off SSH host key verification
      value: ssh -i $ATLANTIS_SSH_KEY -o 'StrictHostKeyChecking no'
    - name: ATLANTIS_SSH_KEY
      value: /var/secrets/.ssh/atlantis.pem
    volumeMounts:
    - mountPath: /var/secrets/.ssh
      name: atlantis-ssh-key
  # .....
  volumes:
  - name: atlantis-ssh-key
    secret:
      # defaultMode still doesn't set correct permission because of fsgroup conflict but this still seems to work when executed by the atlantis user
      defaultMode: 256  # decimal 256 == octal 0400
      secretName: atlantis-ssh-key
```
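The difference reported above between the atlantis user and root is consistent with how the OpenSSH client tests key files: it raises "UNPROTECTED PRIVATE KEY FILE" only when the key is owned by the uid running ssh and has any group/other permission bit set. The script below is an added example, not part of the original thread or of Atlantis; the uid 100 and mode 0440 cases are constructed values, and `stat -c` assumes GNU coreutils or BusyBox in the container.

```shell
#!/bin/sh
# Added example: mirrors the OpenSSH client's private-key permission test.
# ssh rejects a key only if BOTH hold:
#   1. the file's owner uid equals the uid running ssh
#   2. any group/other bit is set (mode & 077 != 0)
# A key owned by a different uid is not mode-checked at all.

# key_perm_verdict OWNER_UID MODE_OCTAL RUN_UID -> prints "accepted" or "rejected"
key_perm_verdict() {
    owner_uid=$1
    mode=$2
    run_uid=$3
    # Leading 0 makes the shell read the mode as octal (440 -> 0440).
    if [ "$owner_uid" -eq "$run_uid" ] && [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo rejected
    else
        echo accepted
    fi
}

# check_key_file PATH [RUN_UID] -> same verdict for a real file.
# RUN_UID defaults to the current uid; pass another uid to ask
# "what would ssh decide if that user ran it?" (readability is a
# separate question: the user still needs read access to the file).
check_key_file() {
    key_path=$1
    as_uid=${2:-$(id -u)}
    info=$(stat -c '%u %a' "$key_path") || return 2
    set -- $info
    key_perm_verdict "$1" "$2" "$as_uid"
}

# Constructed cases: a root-owned key whose mode ended up 0440.
echo "run as uid 0   (owner):     $(key_perm_verdict 0 440 0)"
echo "run as uid 100 (not owner): $(key_perm_verdict 0 440 100)"
echo "owner, mode 0400:           $(key_perm_verdict 0 400 0)"
```

Inside the pod, `check_key_file "$ATLANTIS_SSH_KEY"` shows the verdict for the current user, so it can be run once via exec as root and once as the atlantis user to compare.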
I have my modules in source so I'm setting GIT_SSH_COMMAND as per: #176
I'm deploying atlantis to k8s though so now I have this infuriating problem: kubernetes/kubernetes#34982
If I don't change perms of the ssh key I get WARNING: UNPROTECTED PRIVATE KEY FILE!
So I tried to change them via
defaultMode: 0400
BUT Atlantis is deployed as a statefulset and is using fsgroup which is broken (overrides) defaultMode
This is not an atlantis issue but I was wondering if there are any suggested workarounds that would prevent me from having to modify the entrypoint or do some hacky scripty stuff to fix this.
Assuming I'm not the only one deploying atlantis to GKE and need to give it access to a repo for modules