Set HOME="/tekton/home" for GCS PipelineResources

Dashboard noticed their nightly release pipeline no longer worked after a Pipelines upgrade in dogfooding. They tracked it to use of a GCS pipeline resource; adding a HOME="/tekton/home" env var to the Task's PodTemplate resolved the issue. Prior to this commit the GCS PipelineResource didn't get its HOME explicitly set to /tekton/home. After this commit the GCS PipelineResource always includes this env var in the pre- and post- containers it adds to Task pods.
jerop · Jul 8, 2021 · 0e9d9e6 · 0e9d9e6
1 parent ea36b8c
commit 0e9d9e6
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 27 deletions.
diff --git a/pkg/apis/resource/v1alpha1/storage/gcs.go b/pkg/apis/resource/v1alpha1/storage/gcs.go
@@ -119,6 +119,8 @@ func (s *GCSResource) GetOutputTaskModifier(ts *v1beta1.TaskSpec, path string) (
 
 	envVars, secretVolumeMount := getSecretEnvVarsAndVolumeMounts(s.Name, gcsSecretVolumeMountPath, s.Secrets)
 
+	envVars = append(envVars, corev1.EnvVar{Name: "HOME", Value: pipeline.HomeDir})
+
 	step := v1beta1.Step{Container: corev1.Container{
 		Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("upload-%s", s.Name)),
 		Image:        s.GsutilImage,
@@ -149,6 +151,7 @@ func (s *GCSResource) GetInputTaskModifier(ts *v1beta1.TaskSpec, path string) (v
 	}
 
 	envVars, secretVolumeMount := getSecretEnvVarsAndVolumeMounts(s.Name, gcsSecretVolumeMountPath, s.Secrets)
+	envVars = append(envVars, corev1.EnvVar{Name: "HOME", Value: pipeline.HomeDir})
 	steps := []v1beta1.Step{
 		CreateDirStep(s.ShellImage, s.Name, path),
 		{

diff --git a/pkg/apis/resource/v1alpha1/storage/gcs_test.go b/pkg/apis/resource/v1alpha1/storage/gcs_test.go
@@ -199,6 +199,9 @@ gsutil rsync -d -r gs://some-bucket /workspace
 				Env: []corev1.EnvVar{{
 					Name:  "GOOGLE_APPLICATION_CREDENTIALS",
 					Value: "/var/secret/secretName/key.json",
+				}, {
+					Name:  "HOME",
+					Value: "/tekton/home",
 				}},
 				VolumeMounts: []corev1.VolumeMount{{
 					Name:      "volume-gcs-valid-secretName",
@@ -241,6 +244,9 @@ gsutil cp gs://some-bucket /workspace
 				Env: []corev1.EnvVar{{
 					Name:  "GOOGLE_APPLICATION_CREDENTIALS",
 					Value: "/var/secret/secretName/key.json",
+				}, {
+					Name:  "HOME",
+					Value: "/tekton/home",
 				}},
 				VolumeMounts: []corev1.VolumeMount{{
 					Name:      "volume-gcs-valid-secretName",
@@ -288,7 +294,13 @@ func TestGetOutputTaskModifier(t *testing.T) {
 			Image:   "gcr.io/google.com/cloudsdktool/cloud-sdk",
 			Command: []string{"gsutil"},
 			Args:    []string{"rsync", "-d", "-r", "/workspace/", "gs://some-bucket"},
-			Env:     []corev1.EnvVar{{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/secretName/key.json"}},
+			Env: []corev1.EnvVar{{
+				Name:  "GOOGLE_APPLICATION_CREDENTIALS",
+				Value: "/var/secret/secretName/key.json",
+			}, {
+				Name:  "HOME",
+				Value: "/tekton/home",
+			}},
 			VolumeMounts: []corev1.VolumeMount{{
 				Name:      "volume-gcs-valid-secretName",
 				MountPath: "/var/secret/secretName",
@@ -315,9 +327,13 @@ func TestGetOutputTaskModifier(t *testing.T) {
 			Image:   "gcr.io/google.com/cloudsdktool/cloud-sdk",
 			Command: []string{"gsutil"},
 			Args:    []string{"cp", "/workspace/*", "gs://some-bucket"},
-			Env: []corev1.EnvVar{
-				{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/secretName/key.json"},
-			},
+			Env: []corev1.EnvVar{{
+				Name:  "GOOGLE_APPLICATION_CREDENTIALS",
+				Value: "/var/secret/secretName/key.json",
+			}, {
+				Name:  "HOME",
+				Value: "/tekton/home",
+			}},
 			VolumeMounts: []corev1.VolumeMount{{
 				Name:      "volume-gcs-valid-secretName",
 				MountPath: "/var/secret/secretName",
@@ -336,6 +352,10 @@ func TestGetOutputTaskModifier(t *testing.T) {
 			Image:   "gcr.io/google.com/cloudsdktool/cloud-sdk",
 			Command: []string{"gsutil"},
 			Args:    []string{"cp", "/workspace/*", "gs://some-bucket"},
+			Env: []corev1.EnvVar{{
+				Name:  "HOME",
+				Value: "/tekton/home",
+			}},
 		}}},
 	}} {
 		t.Run(tc.name, func(t *testing.T) {
@@ -345,7 +365,7 @@ func TestGetOutputTaskModifier(t *testing.T) {
 				t.Fatalf("Expected error to be %t but got %v:", tc.wantErr, err)
 			}
 
-			if d := cmp.Diff(got.GetStepsToAppend(), tc.wantSteps); d != "" {
+			if d := cmp.Diff(tc.wantSteps, got.GetStepsToAppend()); d != "" {
 				t.Errorf("Error mismatch between upload containers spec %s", diff.PrintWantGot(d))
 			}
 		})

diff --git a/pkg/reconciler/taskrun/resources/input_resource_test.go b/pkg/reconciler/taskrun/resources/input_resource_test.go
@@ -683,6 +683,10 @@ gsutil cp gs://fake-bucket/rules.zip /workspace/gcs-dir
 				Container: corev1.Container{
 					Name:  "fetch-storage1-mz4c7",
 					Image: "gcr.io/google.com/cloudsdktool/cloud-sdk",
+					Env: []corev1.EnvVar{{
+						Name:  "HOME",
+						Value: pipeline.HomeDir,
+					}},
 				},
 			}},
 			Resources: &v1beta1.TaskResources{
@@ -726,7 +730,10 @@ gsutil cp gs://fake-bucket/rules.zip /workspace/gcs-dir
 				Image:        "busybox",
 				Command:      []string{"cp", "-r", "prev-task-path/.", "/workspace/gcs-dir"},
 				VolumeMounts: []corev1.VolumeMount{{MountPath: "/pvc", Name: "pipelinerun-pvc"}},
-				Env:          []corev1.EnvVar{{Name: "TEKTON_RESOURCE_NAME", Value: "workspace"}},
+				Env: []corev1.EnvVar{{
+					Name:  "TEKTON_RESOURCE_NAME",
+					Value: "workspace",
+				}},
 			}}},
 			Volumes: []corev1.Volume{{
 				Name: "pipelinerun-pvc",
@@ -1081,6 +1088,7 @@ gsutil cp gs://fake-bucket/rules.zip /workspace/gcs-input-resource
 				Container: corev1.Container{
 					Name:  "fetch-gcs-input-resource-mz4c7",
 					Image: "gcr.io/google.com/cloudsdktool/cloud-sdk",
+					Env:   []corev1.EnvVar{{Name: "HOME", Value: pipeline.HomeDir}},
 				},
 			}},
 			Resources: &v1beta1.TaskResources{
@@ -1156,6 +1164,7 @@ gsutil rsync -d -r gs://fake-bucket/rules.zip /workspace/gcs-input-resource
 					},
 					Env: []corev1.EnvVar{
 						{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/secret-name/key.json"},
+						{Name: "HOME", Value: pipeline.HomeDir},
 					},
 				},
 			}},

diff --git a/pkg/reconciler/taskrun/resources/output_resource_test.go b/pkg/reconciler/taskrun/resources/output_resource_test.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/tektoncd/pipeline/pkg/apis/config"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"github.com/tektoncd/pipeline/pkg/apis/resource"
 	resourcev1alpha1 "github.com/tektoncd/pipeline/pkg/apis/resource/v1alpha1"
@@ -485,7 +486,9 @@ func TestValidOutputResources(t *testing.T) {
 				Image:        "busybox",
 				Command:      []string{"cp", "-r", "/workspace/output/source-workspace/.", "pipeline-task-path"},
 				VolumeMounts: []corev1.VolumeMount{{Name: "pipelinerun-parent-pvc", MountPath: "/pvc"}},
-				Env:          []corev1.EnvVar{{Name: "TEKTON_RESOURCE_NAME", Value: "source-gcs"}},
+				Env: []corev1.EnvVar{
+					{Name: "TEKTON_RESOURCE_NAME", Value: "source-gcs"},
+				},
 			}},
 			{Container: corev1.Container{
 				Name:  "upload-source-gcs-78c5n",
@@ -496,9 +499,10 @@ func TestValidOutputResources(t *testing.T) {
 				}},
 				Command: []string{"gsutil"},
 				Args:    []string{"rsync", "-d", "-r", "/workspace/output/source-workspace", "gs://some-bucket"},
-				Env: []corev1.EnvVar{{
-					Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json",
-				}},
+				Env: []corev1.EnvVar{
+					{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json"},
+					{Name: "HOME", Value: pipeline.HomeDir},
+				},
 			}},
 		},
 
@@ -576,17 +580,20 @@ func TestValidOutputResources(t *testing.T) {
 				Image:        "busybox",
 				Command:      []string{"cp", "-r", "/workspace/output/source-workspace/.", "pipeline-task-path"},
 				VolumeMounts: []corev1.VolumeMount{{Name: "pipelinerun-pvc", MountPath: "/pvc"}},
-				Env:          []corev1.EnvVar{{Name: "TEKTON_RESOURCE_NAME", Value: "source-gcs"}},
+				Env: []corev1.EnvVar{
+					{Name: "TEKTON_RESOURCE_NAME", Value: "source-gcs"},
+				},
 			}},
 			{Container: corev1.Container{
 				Name:  "upload-source-gcs-78c5n",
 				Image: "gcr.io/google.com/cloudsdktool/cloud-sdk",
 				VolumeMounts: []corev1.VolumeMount{{
 					Name: "volume-source-gcs-sname", MountPath: "/var/secret/sname",
 				}},
-				Env: []corev1.EnvVar{{
-					Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json",
-				}},
+				Env: []corev1.EnvVar{
+					{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json"},
+					{Name: "HOME", Value: pipeline.HomeDir},
+				},
 				Command: []string{"gsutil"},
 				Args:    []string{"rsync", "-d", "-r", "/workspace/output/source-workspace", "gs://some-bucket"},
 			}},
@@ -655,9 +662,10 @@ func TestValidOutputResources(t *testing.T) {
 				VolumeMounts: []corev1.VolumeMount{{
 					Name: "volume-source-gcs-sname", MountPath: "/var/secret/sname",
 				}},
-				Env: []corev1.EnvVar{{
-					Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json",
-				}},
+				Env: []corev1.EnvVar{
+					{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json"},
+					{Name: "HOME", Value: pipeline.HomeDir},
+				},
 				Command: []string{"gsutil"},
 				Args:    []string{"rsync", "-d", "-r", "/workspace/output/source-workspace", "gs://some-bucket"},
 			}},
@@ -716,9 +724,10 @@ func TestValidOutputResources(t *testing.T) {
 				VolumeMounts: []corev1.VolumeMount{{
 					Name: "volume-source-gcs-sname", MountPath: "/var/secret/sname",
 				}},
-				Env: []corev1.EnvVar{{
-					Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json",
-				}},
+				Env: []corev1.EnvVar{
+					{Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/var/secret/sname/key.json"},
+					{Name: "HOME", Value: pipeline.HomeDir},
+				},
 				Command: []string{"gsutil"},
 				Args:    []string{"rsync", "-d", "-r", "/workspace/output/source-workspace", "gs://some-bucket"},
 			}},
@@ -1461,12 +1470,10 @@ func TestInputOutputBucketResources(t *testing.T) {
 					"gs://fake-bucket/pipeline-task-path/*",
 					"/workspace/faraway-disk",
 				},
-				Env: []corev1.EnvVar{
-					{
-						Name:  "GOOGLE_APPLICATION_CREDENTIALS",
-						Value: "/var/bucketsecret/sname/key.json",
-					},
-				},
+				Env: []corev1.EnvVar{{
+					Name:  "GOOGLE_APPLICATION_CREDENTIALS",
+					Value: "/var/bucketsecret/sname/key.json",
+				}},
 				VolumeMounts: []corev1.VolumeMount{{Name: "volume-bucket-sname", MountPath: "/var/bucketsecret/sname"}},
 			}},
 			{Container: corev1.Container{
@@ -1475,6 +1482,10 @@ func TestInputOutputBucketResources(t *testing.T) {
 				VolumeMounts: nil,
 				Command:      []string{"gsutil"},
 				Args:         []string{"rsync", "-d", "-r", "/workspace/output/source-workspace", "gs://some-bucket"},
+				Env: []corev1.EnvVar{{
+					Name:  "HOME",
+					Value: pipeline.HomeDir,
+				}},
 			}},
 		},
 		wantVolumes: []corev1.Volume{{
@@ -1606,6 +1617,10 @@ func TestInputOutputBucketResources(t *testing.T) {
 				Image:   "gcr.io/google.com/cloudsdktool/cloud-sdk",
 				Command: []string{"gsutil"},
 				Args:    []string{"rsync", "-d", "-r", "/workspace/output/source-workspace-3", "gs://some-bucket-3"},
+				Env: []corev1.EnvVar{{
+					Name:  "HOME",
+					Value: pipeline.HomeDir,
+				}},
 			}},
 		},
 		wantVolumes: []corev1.Volume{{
@@ -1689,14 +1704,21 @@ func TestInputOutputBucketResources(t *testing.T) {
 					"/workspace/output/source-workspace",
 					"gs://some-bucket",
 				},
+				Env: []corev1.EnvVar{{
+					Name:  "HOME",
+					Value: pipeline.HomeDir,
+				}},
 			}},
 			{Container: corev1.Container{
 				Name:         "upload-source-gcs-bucket-2-78c5n",
 				Image:        "gcr.io/google.com/cloudsdktool/cloud-sdk",
 				VolumeMounts: nil,
 				Command:      []string{"gsutil"},
 				Args:         []string{"rsync", "-d", "-r", "/workspace/output/source-workspace-2", "gs://some-bucket-2"},
-				Env:          nil,
+				Env: []corev1.EnvVar{{
+					Name:  "HOME",
+					Value: pipeline.HomeDir,
+				}},
 			}},
 		},
 		wantVolumes: []corev1.Volume{{