fix(argo-cd): Make argocd-server /home/argocd/.aws writeable when using readOnlyRootFilesystem=false security context#1006

Merged
yann-soubeyrand merged 1 commit into argoproj:master from Cylix:fix-readonly-pod-security-context
Nov 6, 2021
Conversation

@Cylix Cylix (Contributor) commented Nov 6, 2021

Context

We are running argo with containerSecurityContext.readOnlyRootFilesystem set to true.

However, a bunch of things are not loading on the ArgoCD Dashboard (logs, events, manifests, ...) when doing so. When looking at the argocd server logs, we found the following error:

[Errno 30] Read-only file system: '/home/argocd/.aws'
{"error":"Get \"https://{REDACTED}.eks.amazonaws.com/api/v1?timeout=32s\": getting credentials: exec: executable aws failed with exit code 255","grpc.code":"Unknown","grpc.method":"DeleteResource","grpc.service":"application.ApplicationService","grpc.start_time":"2021-10-28T20:31:02Z","grpc.time_ms":495.752,"level":"error","msg":"finished unary call with code Unknown","span.kind":"server","system":"grpc","time":"2021-10-28T20:31:02Z"}

The reason is that the ArgoCD server is calling the AWS CLI, and the AWS CLI needs to store some credentials under ~/.aws/cache/*.json. Note that this ~/.aws/cache folder is not configurable with AWS (other than updating $HOME, which would impact ArgoCD), so we can't just use some environment variables like AWS_CONFIG_FILE to make the AWS CLI write stuff under /tmp.

Our current workaround is to set the following helm values:

      volumes = [
        {
          "name" = "aws-config",
          "emptyDir" = {}
        }
      ]

      volumeMounts = [
        {
          "name" = "aws-config",
          "mountPath" = "/home/argocd/.aws"
        }
      ]

We were thinking that it might be useful to directly set these when enabling server.readOnlyRootFilesystem since others might run into the same issue.

Testing

I followed the testing steps in the contributing guidelines, once with server.readOnlyRootFilesystem set to false, and another time with server.readOnlyRootFilesystem.

In both cases, I verified the configuration with kubectl describe pods and SSH'd into the server container to verify the volume configuration.

Checklist

  • I have bumped the chart version according to versioning
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have sensible default.
  • I have signed off all my commits as required by DCO.
  • My build is green (troubleshooting builds).

Changes are automatically published when merged to master. They are not published on branches.
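A check in the spirit of this fix, added here as an example and not part of the chart or of this PR: given a pod spec in the shape `kubectl get pod -o json` returns, flag containers that enable readOnlyRootFilesystem but have no writable volume mount covering a path the process must write to. The list of required paths and the two sample specs are constructed assumptions.

```python
import json
from pathlib import PurePosixPath

# Paths argocd-server writes at runtime; assumption: only the AWS CLI cache dir.
REQUIRED_WRITABLE = ["/home/argocd/.aws"]


def _writable_mount_covers(path, mounts):
    """True if a non-readOnly volumeMount sits at `path` or one of its parents."""
    target = PurePosixPath(path)
    for m in mounts:
        mount_path = PurePosixPath(m["mountPath"])
        if mount_path == target or mount_path in target.parents:
            if not m.get("readOnly", False):
                return True
    return False


def find_missing_mounts(pod_spec, required=REQUIRED_WRITABLE):
    """Map container name -> required paths that have no writable mount, for
    containers that set securityContext.readOnlyRootFilesystem: true."""
    problems = {}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if not sc.get("readOnlyRootFilesystem", False):
            continue  # root filesystem is writable; nothing to check here
        missing = [p for p in required
                   if not _writable_mount_covers(p, c.get("volumeMounts", []))]
        if missing:
            problems[c["name"]] = missing
    return problems


# Constructed pod spec: hardened server container with only a /tmp emptyDir.
BROKEN_SPEC = json.loads("""{
  "containers": [{"name": "server",
                  "securityContext": {"readOnlyRootFilesystem": true},
                  "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
  "volumes": [{"name": "tmp", "emptyDir": {}}]
}""")

# The PR's fix applied to the same spec: an emptyDir mounted at /home/argocd/.aws.
FIXED_SPEC = json.loads(json.dumps(BROKEN_SPEC))
FIXED_SPEC["containers"][0]["volumeMounts"].append(
    {"name": "aws-config", "mountPath": "/home/argocd/.aws"})
FIXED_SPEC["volumes"].append({"name": "aws-config", "emptyDir": {}})

if __name__ == "__main__":
    print(find_missing_mounts(BROKEN_SPEC))  # {'server': ['/home/argocd/.aws']}
    print(find_missing_mounts(FIXED_SPEC))   # {}
```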

…g readOnlyRootFilesystem=false security context

Signed-off-by: Simon Ninon <simon.ninon@gmail.com>
@github-actions github-actions bot added the size/S label Nov 6, 2021
@Cylix Cylix changed the title from "fix(argo-cd) Make argocd-server /home/argocd/.aws writeable when using readOnlyRootFilesystem=false security context" to "fix(argo-cd): Make argocd-server /home/argocd/.aws writeable when using readOnlyRootFilesystem=false security context" Nov 6, 2021
@yann-soubeyrand yann-soubeyrand merged commit b8c689e into argoproj:master Nov 6, 2021
nielstenboom pushed a commit to promaton/argo-helm that referenced this pull request Nov 15, 2021
…g readOnlyRootFilesystem=false security context (argoproj#1006)

Signed-off-by: Simon Ninon <simon.ninon@gmail.com>
Signed-off-by: Niels ten Boom <nielstenboom@gmail.com>
reinvantveer pushed a commit to reinvantveer/argo-helm that referenced this pull request Dec 2, 2021
…g readOnlyRootFilesystem=false security context (argoproj#1006)

Signed-off-by: Simon Ninon <simon.ninon@gmail.com>
terrych0u pushed a commit to terrych0u/argo-helm that referenced this pull request Dec 23, 2021
…g readOnlyRootFilesystem=false security context (argoproj#1006)

Signed-off-by: Simon Ninon <simon.ninon@gmail.com>