Make argo-cd docker images openshift friendly (#2362)

In openshift clusters, the user id of your container can be arbitrary,
so you need to make the running images compatible with this behavior.

The problematic application for argo-cd was the repo server. When trying
to clone the repos it was getting the error "No user exists for uid
100083000" (100083000 was the random user id being injected by
openshift in my case). This was because the user 100083000 wasn't in the
/etc/passwd file.

The changes in this commit add a uid_entrypoint.sh script that, when the
container starts, modifies the /etc/passwd file to add an entry with the
current UID _only_ if the current UID isn't there.

References:
* Problematic behavior of ssh when user id isn't in the /etc/passwd file:
  https://unix.stackexchange.com/questions/524268/running-git-or-ssh-client-in-docker-as-user-no-user-exists-for-uid
* OpenShift guidelines on how to make your docker image runnable by
  arbitrary user ids:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/creating_images/creating-images-guidelines#use-uid

Dockerfile

@@ -77,7 +77,9 @@ RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/s
 RUN groupadd -g 999 argocd && \
     useradd -r -u 999 -g argocd argocd && \
     mkdir -p /home/argocd && \
-    chown argocd:argocd /home/argocd && \
+    chown argocd:0 /home/argocd && \
+    chmod g=u /home/argocd && \
+    chmod g=u /etc/passwd && \
     apt-get update && \
     apt-get install -y git git-lfs && \
     apt-get clean && \
@@ -89,6 +91,9 @@ COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
 COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
+# script to add current (possibly arbitrary) user to /etc/passwd at runtime
+# (if it's not already there, to be openshift friendly)
+COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \

VERSION

@@ -1 +1 @@
-1.2.2
+1.2.3

controller/appcontroller.go

@@ -672,7 +672,13 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	defer func() {
 		reconcileDuration := time.Since(startTime)
 		ctrl.metricsServer.IncReconcile(origApp, reconcileDuration)
-		logCtx := log.WithFields(log.Fields{"application": origApp.Name, "time_ms": reconcileDuration.Seconds() * 1e3, "level": comparisonLevel})
+		logCtx := log.WithFields(log.Fields{
+			"application":    origApp.Name,
+			"time_ms":        reconcileDuration.Seconds() * 1e3,
+			"level":          comparisonLevel,
+			"dest-server":    origApp.Spec.Destination.Server,
+			"dest-namespace": origApp.Spec.Destination.Namespace,
+		})
 		logCtx.Info("Reconciliation completed")
 	}()
 

manifests/base/kustomization.yaml

@@ -12,7 +12,7 @@ bases:
 images:
 - name: argoproj/argocd
   newName: argoproj/argocd
-  newTag: v1.2.2
+  newTag: v1.2.3
 - name: argoproj/argocd-ui
   newName: argoproj/argocd-ui
-  newTag: v1.2.2
+  newTag: v1.2.3

manifests/base/repo-server/argocd-repo-server-deployment.yaml

@@ -21,6 +21,7 @@ spec:
         image: argoproj/argocd:latest
         imagePullPolicy: Always
         command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379

manifests/ha/base/kustomization.yaml

@@ -18,7 +18,7 @@ bases:
 images:
 - name: argoproj/argocd
   newName: argoproj/argocd
-  newTag: v1.2.2
+  newTag: v1.2.3
 - name: argoproj/argocd-ui
   newName: argoproj/argocd-ui
-  newTag: v1.2.2
+  newTag: v1.2.3

manifests/ha/base/overlays/argocd-repo-server-deployment.yaml

@@ -23,6 +23,7 @@ spec:
       containers:
       - name: argocd-repo-server
         command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --sentinel
         - argocd-redis-ha-announce-0:26379

manifests/ha/install.yaml

@@ -2901,7 +2901,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2955,7 +2955,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3001,6 +3001,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --sentinel
         - argocd-redis-ha-announce-0:26379
@@ -3010,7 +3011,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -3084,7 +3085,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/ha/namespace-install.yaml

@@ -2816,7 +2816,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2870,7 +2870,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2916,6 +2916,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --sentinel
         - argocd-redis-ha-announce-0:26379
@@ -2925,7 +2926,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -2999,7 +3000,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/install.yaml

@@ -2665,7 +2665,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2719,7 +2719,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2779,10 +2779,11 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -2833,7 +2834,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/namespace-install.yaml

@@ -2580,7 +2580,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2634,7 +2634,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2694,10 +2694,11 @@ spec:
       automountServiceAccountToken: false
       containers:
       - command:
+        - uid_entrypoint.sh
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -2748,7 +2749,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:v1.2.2
+        image: argoproj/argocd:v1.2.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

server/server.go

@@ -419,6 +419,7 @@ func (a *ArgoCDServer) newGRPCServer() *grpc.Server {
 		"/account.AccountService/UpdatePassword":        true,
 		"/repository.RepositoryService/Create":          true,
 		"/repository.RepositoryService/Update":          true,
+		"/repository.RepositoryService/ValidateAccess":  true,
 		"/application.ApplicationService/PatchResource": true,
 	}
 	// NOTE: notice we do not configure the gRPC server here with TLS (e.g. grpc.Creds(creds))

uid_entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Make sure that if we are using an arbitrary UID that it appears in /etc/passwd,
+# otherwise this will cause issues with things like cloning with git+ssh
+# reference: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/creating_images/creating-images-guidelines#use-uid
+if ! whoami &> /dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/argocd:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec "$@"