diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ea96ce97..7225fe03 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -106,7 +106,6 @@ jobs:
 run: |
 docker run --rm \
 -v `pwd`:/infra \
- -u `id -u`:`id -g` \
 test-image:${{ github.sha }} \
 terraform init
@@ -115,7 +114,6 @@ jobs:
 run: |
 docker run --rm \
 -v `pwd`:/infra \
- -u `id -u`:`id -g` \
 test-image:${{ github.sha }} \
 terraform workspace new ops
@@ -124,7 +122,6 @@ jobs:
 run: |
 docker run --rm \
 -v `pwd`:/infra \
- -u `id -u`:`id -g` \
 test-image:${{ github.sha }} \
 terraform validate
diff --git a/oci/Dockerfile b/oci/Dockerfile
index 2bc6e7d0..624925be 100644
--- a/oci/Dockerfile
+++ b/oci/Dockerfile
@@ -50,7 +50,7 @@ RUN echo "TERRAFORM_PROVIDER_KUSTOMIZE_VERSION: ${TERRAFORM_PROVIDER_KUSTOMIZE_V
 && mv terraform-provider-kustomization-${TERRAFORM_PROVIDER_KUSTOMIZE_VERSION}-linux-amd64 /opt/bin/terraform-provider-kustomization \
 && chmod +x /opt/bin/terraform-provider-kustomization
-COPY entrypoint /opt/bin/entrypoint
+COPY entrypoint entrypoint_user /opt/bin/
 #
@@ -144,7 +144,6 @@ RUN apt-get update && apt-get install -y \
 wget \
 openssh-client \
 dnsutils \
- libnss-wrapper \
 unzip \
 && rm -rf /var/lib/apt/lists/*
diff --git a/oci/entrypoint b/oci/entrypoint
index d4658bf6..54f6ef03 100755
--- a/oci/entrypoint
+++ b/oci/entrypoint
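Review bot: The rewritten entrypoint depends on `runuser` and `stat` existing in the runtime image and on the image still starting as root, and nothing in either Dockerfile hunk records that; the apt list in the second hunk adds neither tool, so on a Debian/Ubuntu base they presumably come from the essential util-linux and coreutils packages, but that is an inference worth pinning down with a comment next to the `COPY`, e.g. `# entrypoint must start as root and needs runuser(1) to drop to the owner of /infra; do not add USER in this stage`. Now that `COPY entrypoint entrypoint_user /opt/bin/` carries two scripts, their executable bit depends only on the mode recorded in git (100755 for the new file in this diff); `COPY --chmod=755 entrypoint entrypoint_user /opt/bin/` makes that explicit and survives a checkout that loses mode bits. Removing `libnss-wrapper` is consistent with the entrypoint no longer setting `LD_PRELOAD`; the `RUN apt-get` instruction in that hunk begins before the hunk starts. The workflow hunks on this same line drop `-u` for the same reason, so the container now relies entirely on the entrypoint's privilege drop.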
@@ -1,70 +1,23 @@ #!/bin/sh set -e +uid=$(stat -c '%u' /infra) +gid=$(stat -c '%g' /infra) + # home may be modified from multiple sources # try to normalize before using it in paths below REALHOME=$(realpath $HOME) mkdir -p $REALHOME +chown $uid:$gid $REALHOME -echo "kbst:x:$(id -u):$(id -g):Kubestack User:${REALHOME}:/bin/sh" > /tmp/passwd - -export LD_PRELOAD=libnss_wrapper.so -export NSS_WRAPPER_PASSWD=/tmp/passwd -export NSS_WRAPPER_GROUP=/etc/group - -# -# -# AWS auth -AWS_CONFIG_PATH=$REALHOME/.aws -mkdir -p $AWS_CONFIG_PATH - -# handle base64 encoded AWS crendentials -if [ ! -z "$KBST_AUTH_AWS" ]; then - echo "$KBST_AUTH_AWS" | base64 --decode > $AWS_CONFIG_PATH/credentials - aws sts get-caller-identity -fi - - -# -# -# Azure auth -AZ_CONFIG_PATH=$REALHOME/.azure -mkdir -p $AZ_CONFIG_PATH -touch $AZ_CONFIG_PATH/KBST_AUTH_AZ +echo "kbst:x:${uid}:${gid}:Kubestack User:${REALHOME}:/bin/sh" >> /etc/passwd +echo "kbst:x:${gid}:" >> /etc/group -# handle base64 encoded AZ crendentials -if [ ! -z "$KBST_AUTH_AZ" ]; then - echo "$KBST_AUTH_AZ" | base64 --decode > $AZ_CONFIG_PATH/KBST_AUTH_AZ - . $AZ_CONFIG_PATH/KBST_AUTH_AZ - az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID +# if docker.sock is mounted, add our user to the socket's group +if test -S "/var/run/docker.sock"; then + echo "docker:x:$(stat -c '%g' /var/run/docker.sock):kbst" >> /etc/group fi -# always source and export the ARM_ env variables -# required by the azurerm Terraform provider -. $AZ_CONFIG_PATH/KBST_AUTH_AZ -export ARM_ACCESS_KEY -export ARM_CLIENT_ID -export ARM_CLIENT_SECRET -export ARM_SUBSCRIPTION_ID -export ARM_TENANT_ID - - -# -# -# Gcloud auth -GCLOUD_CONFIG_PATH=$REALHOME/.config/gcloud -mkdir -p $GCLOUD_CONFIG_PATH - -# handle base64 encoded GCLOUD crendentials -if [ ! 
-z "$KBST_AUTH_GCLOUD" ]; then - echo "$KBST_AUTH_GCLOUD" | base64 --decode > $GCLOUD_CONFIG_PATH/application_default_credentials.json - gcloud auth activate-service-account --key-file $GCLOUD_CONFIG_PATH/application_default_credentials.json -fi - -# do not have KBST_AUTH_* env vars set in runtime env -unset KBST_AUTH_AWS -unset KBST_AUTH_AZ -unset KBST_AUTH_GCLOUD - -exec "$@" +# stop running as root to preserve volume mount file ownership +exec runuser -u kbst -- entrypoint_user "$@" diff --git a/oci/entrypoint_user b/oci/entrypoint_user new file mode 100755 index 00000000..6e3ab871 --- /dev/null +++ b/oci/entrypoint_user 
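Review bot: `uid=$(stat -c '%u' /infra)` and `gid=$(stat -c '%g' /infra)` are used unchecked, so if /infra is owned by root (a bind mount from a root-owned checkout, or a directory baked into the image with nothing mounted over it) the script appends `kbst:x:0:0:…` to /etc/passwd and `runuser -u kbst` keeps running as uid 0, contradicting the `# stop running as root` comment above the exec. Rejecting that case is one line after the two stat calls: `[ "$uid" -ne 0 ] && [ "$gid" -ne 0 ] || { echo "/infra is owned by uid/gid 0; refusing to run as root" >&2; exit 1; }`, and a gid of 0 deserves the same treatment because it becomes kbst's primary group. Appending to `/etc/passwd` and `/etc/group` at start-up also means the image cannot run with a read-only root filesystem, which is worth a comment near those two `echo` lines. Adding kbst to the group of `/var/run/docker.sock` is effectively root on the host; the comment above `if test -S` could say so (`# note: docker.sock access is host-root equivalent; only mount it when needed`) so the trade-off is visible to whoever mounts the socket.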
@@ -0,0 +1,65 @@
+#!/bin/sh
+set -e
+
+#
+#
+# AWS auth
+# only if aws cli is installed
+if [ -x "$(command -v aws)" ]; then
+ AWS_CONFIG_PATH=~/.aws
+ mkdir -p $AWS_CONFIG_PATH
+
+ # handle base64 encoded AWS crendentials
+ if [ ! -z "$KBST_AUTH_AWS" ]; then
+ echo "$KBST_AUTH_AWS" | base64 --decode > $AWS_CONFIG_PATH/credentials
+ aws sts get-caller-identity
+ fi
+fi
+
+#
+#
+# Azure auth
+# only if az cli is installed
+if [ -x "$(command -v az)" ]; then
+ AZ_CONFIG_PATH=~/.azure
+ mkdir -p $AZ_CONFIG_PATH
+ touch $AZ_CONFIG_PATH/KBST_AUTH_AZ
+
+ # handle base64 encoded AZ crendentials
+ if [ ! -z "$KBST_AUTH_AZ" ]; then
+ echo "$KBST_AUTH_AZ" | base64 --decode > $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ . $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+ fi
+
+ # always source and export the ARM_ env variables
+ # required by the azurerm Terraform provider
+ . $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ export ARM_ACCESS_KEY
+ export ARM_CLIENT_ID
+ export ARM_CLIENT_SECRET
+ export ARM_SUBSCRIPTION_ID
+ export ARM_TENANT_ID
+fi
+
+#
+#
+# Gcloud auth
+# only if az cli is installed
+if [ -x "$(command -v gcloud)" ]; then
+ GCLOUD_CONFIG_PATH=~/.config/gcloud
+ mkdir -p $GCLOUD_CONFIG_PATH
+
+ # handle base64 encoded GCLOUD crendentials
+ if [ ! -z "$KBST_AUTH_GCLOUD" ]; then
+ echo "$KBST_AUTH_GCLOUD" | base64 --decode > $GCLOUD_CONFIG_PATH/application_default_credentials.json
+ gcloud auth activate-service-account --key-file $GCLOUD_CONFIG_PATH/application_default_credentials.json
+ fi
+fi
+
+# do not have KBST_AUTH_* env vars set in runtime env
+unset KBST_AUTH_AWS
+unset KBST_AUTH_AZ
+unset KBST_AUTH_GCLOUD
+
+exec "$@"
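Review bot: The credential files written here (`$AWS_CONFIG_PATH/credentials`, `$AZ_CONFIG_PATH/KBST_AUTH_AZ` and `application_default_credentials.json`) are created under the inherited umask, which is normally 022 and leaves them world-readable inside the container; adding `umask 077` directly after `set -e` keeps them private to the kbst user at no cost. The Gcloud block's header comment is a copy-paste leftover: `# only if az cli is installed` should read `# only if gcloud cli is installed`, and "crendentials" is misspelled in all three blocks. The three `[ ! -z "$VAR" ]` tests read more naturally as `[ -n "$VAR" ]`. Note that `az login … --password $ARM_CLIENT_SECRET` exposes the secret on the command line to any other process in the container; this is carried over from the old entrypoint rather than introduced here, but it is worth a comment so the trade-off is not lost.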