Mount the home volume in the completion container

If a build utilizing image signing is run on a stack with a different user than the completion image the container will not have access to the home directory. This allows the container to always have a writeable HOME directory which is the same as build-init.
buildpacks-community · Oct 25, 2021 · f0b68eb · f0b68eb
1 parent e379af6
commit f0b68eb
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/pkg/apis/build/v1alpha2/build_pod.go b/pkg/apis/build/v1alpha2/build_pod.go
@@ -227,6 +227,9 @@ func (b *Build) BuildPod(images BuildPodImages, buildContext BuildContext) (*cor
 					Name:    "completion",
 					Image:   images.completion(buildContext.os()),
 					Command: []string{"/cnb/process/web"},
+					Env: []corev1.EnvVar{
+						homeEnv,
+					},
 					Args: args(
 						b.notaryArgs(),
 						secretArgs,
@@ -240,10 +243,11 @@ func (b *Build) BuildPod(images BuildPodImages, buildContext BuildContext) (*cor
 						[]corev1.VolumeMount{
 							reportVolume,
 							notaryV1Volume,
+							homeVolume,
 						},
 					),
 					ImagePullPolicy: corev1.PullIfNotPresent,
-				}, ifWindows(buildContext.os(), addNetworkWaitLauncherVolume(), useNetworkWaitLauncher(dnsProbeHost))...)
+				}, ifWindows(buildContext.os(), addNetworkWaitLauncherVolume(), useNetworkWaitLauncher(dnsProbeHost), userprofileHomeEnv())...)
 			}),
 			SecurityContext: podSecurityContext(buildContext.BuildPodBuilderConfig),
 			InitContainers: steps(func(step func(corev1.Container, ...stepModifier)) {

diff --git a/pkg/apis/build/v1alpha2/build_pod_test.go b/pkg/apis/build/v1alpha2/build_pod_test.go
@@ -1719,6 +1719,12 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 						},
 					},
 				})
+				require.Contains(t, pod.Spec.Containers[0].Env, corev1.EnvVar{Name: "HOME", Value: "/builder/home"})
+				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+					Name:      "home-dir",
+					ReadOnly:  false,
+					MountPath: "/builder/home",
+				})
 			})
 		})
 
@@ -1792,6 +1798,13 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 					},
 				})
 
+				require.Contains(t, pod.Spec.Containers[0].Env, corev1.EnvVar{Name: "HOME", Value: "/builder/home"})
+				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+					Name:      "home-dir",
+					ReadOnly:  false,
+					MountPath: "/builder/home",
+				})
+
 				require.Equal(t,
 					[]string{
 						"-notary-v1-url=some-notary-url",
@@ -2115,6 +2128,12 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 				}, completionContainer.Args)
 
 				assert.Equal(t, "/networkWait/network-wait-launcher", completionContainer.Command[0])
+				assert.Subset(t, completionContainer.Env, []corev1.EnvVar{
+					{
+						Name:  "USERPROFILE",
+						Value: "/builder/home",
+					},
+				})
 				assert.Subset(t, pod.Spec.Volumes, []corev1.Volume{
 					{
 						Name: "network-wait-launcher-dir",
@@ -2150,6 +2169,13 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 					"-cosign-annotations=buildTimestamp=19440606.133000",
 					"-cosign-annotations=buildNumber=12",
 				}, completionContainer.Args)
+
+				assert.Subset(t, completionContainer.Env, []corev1.EnvVar{
+					{
+						Name:  "USERPROFILE",
+						Value: "/builder/home",
+					},
+				})
 			})
 
 			it("does not use cache on windows", func() {