Merge pull request #1157 from pivotal/rebase-pod-fix

Generate docker config in temp dir during image signing
buildpacks-community · Feb 27, 2023 · 0a0c184 · 0a0c184
2 parents 1d3673d + 61baf85
commit 0a0c184
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 28 deletions.
diff --git a/cmd/completion/main.go b/cmd/completion/main.go
@@ -98,17 +98,6 @@ func main() {
 			log.Fatal(err)
 		}
 	}
-
-	homeDir, err := os.UserHomeDir()
-	if err != nil {
-		log.Fatal(errors.Wrapf(err, "error obtaining home directory"))
-	}
-
-	err = creds.Save(filepath.Join(homeDir, ".docker", "config.json"))
-	if err != nil {
-		log.Fatal(errors.Wrapf(err, "error writing docker creds"))
-	}
-
 	keychain := authn.NewMultiKeychain(k8sNodeKeychain, creds)
 
 	metadataRetriever := cnb.RemoteMetadataRetriever{
@@ -140,6 +129,21 @@ func main() {
 	}
 
 	if hasCosign() || notaryV1URL != "" {
+		tempDir, err := os.MkdirTemp("", "")
+		if err != nil {
+			log.Fatal(errors.Wrapf(err, "error creating temprary directory"))
+		}
+
+		err = creds.Save(filepath.Join(tempDir, ".docker", "config.json"))
+		if err != nil {
+			log.Fatal(errors.Wrapf(err, "error writing docker creds"))
+		}
+
+		err = os.Setenv("DOCKER_CONFIG", filepath.Join(tempDir, ".docker"))
+		if err != nil {
+			log.Fatal(errors.Wrapf(err, "error setting DOCKER_CONFIG env"))
+		}
+
 		if err := signImage(report, keychain); err != nil {
 			log.Fatal(err)
 		}

diff --git a/pkg/apis/build/v1alpha2/build_pod.go b/pkg/apis/build/v1alpha2/build_pod.go
@@ -61,8 +61,6 @@ const (
 	TerminationMessagePathEnvVar = "TERMINATION_MESSAGE_PATH"
 
 	PlatformEnvVarPrefix = "PLATFORM_ENV_"
-	cnbUid               = 1000
-	cnbGid               = 1000
 )
 
 type ServiceBinding interface {
@@ -669,10 +667,6 @@ func boolPointer(b bool) *bool {
 	return &b
 }
 
-func int64Pointer(i int64) *int64 {
-	return &i
-}
-
 func containerSecurityContext(config BuildPodBuilderConfig) *corev1.SecurityContext {
 	if config.OS == "windows" {
 		return nil
@@ -820,9 +814,6 @@ func (b *Build) rebasePod(buildContext BuildContext, images BuildPodImages) (*co
 			PriorityClassName:  b.PriorityClassName(),
 			SecurityContext: &corev1.PodSecurityContext{
 				RunAsNonRoot:   boolPointer(true),
-				RunAsGroup:     int64Pointer(cnbGid),
-				RunAsUser:      int64Pointer(cnbUid),
-				FSGroup:        int64Pointer(cnbGid),
 				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
 			},
 			Volumes: volumes(

diff --git a/pkg/apis/build/v1alpha2/build_pod_test.go b/pkg/apis/build/v1alpha2/build_pod_test.go
@@ -1414,7 +1414,6 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 			})
 
 			it("creates a pod just to rebase", func() {
-				id := int64(1000)
 				pod, err := build.BuildPod(config, buildContext)
 				require.NoError(t, err)
 
@@ -1436,13 +1435,7 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 						*kmeta.NewControllerRef(build),
 					},
 				})
-				require.Equal(t, &corev1.PodSecurityContext{
-					RunAsUser:      &id,
-					RunAsGroup:     &id,
-					RunAsNonRoot:   boolPointer(true),
-					FSGroup:        &id,
-					SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
-				}, pod.Spec.SecurityContext)
+
 				require.Equal(t, build.Spec.ServiceAccountName, pod.Spec.ServiceAccountName)
 				require.Equal(t, build.Spec.Tolerations, pod.Spec.Tolerations)
 				require.Equal(t, build.Spec.Affinity, pod.Spec.Affinity)