Fix unwritable .aws directory

gurchik · gurchik · commit bef2a3af9b19 · 2025-08-15T17:25:27.000-04:00
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: v0.35.1
 description: A Helm chart for Atlantis https://www.runatlantis.io
 name: atlantis
-version: 5.18.1
+version: 5.18.2
 keywords:
   - terraform
 home: https://www.runatlantis.io
diff --git a/charts/atlantis/templates/statefulset.yaml b/charts/atlantis/templates/statefulset.yaml
@@ -130,6 +130,10 @@ spec:
         secret:
           secretName: {{ .Values.netrcSecretName }}
       {{- end }}
+      {{- if or .Values.aws.credentials .Values.aws.config }}
+      - name: aws-dir
+        emptyDir: {}
+      {{- end }}
       {{- if or .Values.aws.credentials .Values.aws.config .Values.awsSecretName }}
       - name: aws-volume
         secret:
@@ -584,10 +588,23 @@ spec:
             mountPath: /home/atlantis/.netrc
             subPath: netrc
           {{- end }}
-          {{- if or .Values.aws.credentials .Values.aws.config .Values.awsSecretName }}
+          {{- if .Values.awsSecretName }}
           - name: aws-volume
             readOnly: true
             mountPath: {{ .Values.aws.directory | default "/home/atlantis/.aws" }}
+          {{- else if or .Values.aws.credentials .Values.aws.config }}
+          - name: aws-dir
+            mountPath: {{ .Values.aws.directory | default "/home/atlantis/.aws" }}
+          {{- end }}
+          {{- if .Values.aws.credentials }}
+          - name: aws-volume
+            mountPath: {{ .Values.aws.directory | default "/home/atlantis/.aws" }}/credentials
+            subPath: credentials
+          {{- end }}
+          {{- if .Values.aws.config }}
+          - name: aws-volume
+            mountPath: {{ .Values.aws.directory | default "/home/atlantis/.aws" }}/config
+            subPath: config
           {{- end }}
           {{- if .Values.tlsSecretName }}
           - name: tls
diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml
@@ -508,16 +508,27 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.volumes[1]
+          value:
+            name: aws-dir
+            emptyDir: {}
+      - equal:
+          path: spec.template.spec.volumes[2]
           value:
             name: aws-volume
             secret:
               secretName: my-release-atlantis-aws
       - equal:
-          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")]
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume" && @.subPath == "credentials")]
           value:
-            mountPath: /home/atlantis/.aws
+            mountPath: /home/atlantis/.aws/credentials
             name: aws-volume
-            readOnly: true
+            subPath: credentials
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume" && @.subPath == "config")]
+          value:
+            mountPath: /home/atlantis/.aws/config
+            name: aws-volume
+            subPath: config
   - it: aws directory
     template: statefulset.yaml
     set:
