feat: add option to override image entrypoint and command

[d-costa]

what

• Give users the option to override container image entrypoint and command.

why

• Sometimes there is a need to modify the container's startup behavior, without directly modifying the image.
• More specifically, this feature can be used to inject a script before the Atlantis entrypoint to perform an initial setup, for example, to install gcloud, fetch secrets from Secret Manager (or other locations), and export environment variables.
• This allows users to export environment variables that do not appear in the Console (e.g. ATLANTIS_GH_WEBHOOK_SECRET)

Our use case

In the instance startup script, we create a custom entrypoint script, and place it in atlantis' home folder through the existing mountpoint. This custom entrypoint performs an initial setup (as described above), and calls the original atlantis entrypoint.

references

• gcloud docs: https://cloud.google.com/compute/docs/containers/configuring-options-to-run-containers#overriding_the_default_command_to_execute_on_container_startup
• example usage of the vm container module: https://github.com/terraform-google-modules/terraform-google-container-vm?tab=readme-ov-file#container-options

notes

May be relevant to add this info to the readme?

If CMD is defined from the base image, setting ENTRYPOINT will reset CMD to an empty value.
https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact

[bschaatsbergen]

This is awesome @d-costa, could you please add your suggestion to the readme and perhaps add an example in the secure env vars directory?

[d-costa]

Hey @bschaatsbergen, I added an example, let me know what you think!

PS: I had to throw in a chown 100 /mnt/disks/gce-containers-mounts/gce-persistent-disks/atlantis-disk-0/ in the script, because the folder's owner was never being changed from root when using this startup script. Do you have any idea of why that might happen?

[bschaatsbergen]

Awesome, I'm reviewing this tonight :)

[bschaatsbergen]

Hey @bschaatsbergen, I added an example, let me know what you think!

PS: I had to throw in a chown 100 /mnt/disks/gce-containers-mounts/gce-persistent-disks/atlantis-disk-0/ in the script, because the folder's owner was never being changed from root when using this startup script. Do you have any idea of why that might happen?

We do the same actually in the cloud init! It might be that it's done double now and that the startup script is excuted before the cloudinit

[bschaatsbergen]

The changes seem good to me, though I think we should have the example under the "secure-env-vars" directory, as this is primarily used to secure the environment variables and not have them leak in the Google Cloud UI. Is this something you could do please? 🙏🏼 @d-costa

Then I would like to merge this PR.

[bschaatsbergen]

Note for self: needs to be released under a major as this is a breaking change.

[bschaatsbergen]

You're doing some really awesome work @d-costa - excuse me for my slow review cycle.

[bschaatsbergen]

Please rebase @d-costa

[bschaatsbergen]

Got 1 question around possibly improving the script. I'm very happy with this PR 👍🏼

[bschaatsbergen]

Can you rebase this branch one more time @d-costa ?

[dgteixeira]

hey @bschaatsbergen , how are you?
Any idea on when you might be able to review this and #139

We are currently using a local version of this but we would love to point all the way to your upstream :)

[bschaatsbergen]

hey @bschaatsbergen , how are you? Any idea on when you might be able to review this and #139

We are currently using a local version of this but we would love to point all the way to your upstream :)

Hi @dgteixeira, thanks for getting in touch. Now that the repository has been transferred to the runatlantis organization, and you, @d-costa, @DanielRieske, and @cblkwell are maintainers of this repository, I encourage you to collaborate on addressing these PRs together :)

[cblkwell]

This also looks fine -- since this and the other PR are fairly sizable changes, it is probably best to get them both merged in and then cut the new major version. We should resolve conflicts before we move forward though.

[d-costa]

This is a breaking change:

module.atlantis.google_compute_instance_template.default must be replaced

Due to the changes in the gce-container-declaration metadata field:

    +     "args": null
    +     "command": null