Work with nonroot invocation images #42
Merged
This updates the helm3 mixin for the upcoming change in Porter (v1) where bundles will run as the nonroot user instead of root. Starting in v1.0.0-alpha.12, porter injects files into the bundle differently, owned by a nonroot user and the root group. Previously the kubeconfig creds were injected to /root/.kube/config by most bundles. That location isn't accessible when running as a nonroot user. Any kubeconfig credentials should be updated to be placed in /home/nonroot/.kube/config or another location in /cnab/app that the nonroot user will have access to while exporting KUBECONFIG so it can be located by kubectl/helm.
I have updated helm3 to locate kubeconfig using the same logic as kubectl, using the KUBECONFIG environment variable, then $HOME/.kube/config.
It also switches the user that some commands run as during build. Installing helm should run as root, but initializing the helm repositories should run as the same user that the container runs as, nonroot, so that the .helm config directory is located in /home/nonroot where it can be read when the bundle is executed.
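Added example, not part of this pull request or the mixin's code: a Go sketch of the lookup order described above (KUBECONFIG, then $HOME/.kube/config) with a readability check run as the bundle's user. The function names are hypothetical, and returning the first readable file is a simplification made for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// kubeconfigCandidates lists the files to try: every entry of KUBECONFIG
// (a path list), or $HOME/.kube/config when KUBECONFIG is unset or empty.
func kubeconfigCandidates(kubeconfigEnv, home string) []string {
	var paths []string
	for _, p := range filepath.SplitList(kubeconfigEnv) {
		if p != "" {
			paths = append(paths, p)
		}
	}
	if len(paths) == 0 && home != "" {
		paths = append(paths, filepath.Join(home, ".kube", "config"))
	}
	return paths
}

// firstReadable opens each candidate as the current user and returns the first
// that succeeds. The wrapped error separates "file missing" from "permission
// denied", the failure a nonroot bundle gets for /root/.kube/config.
func firstReadable(paths []string) (string, error) {
	err := fmt.Errorf("KUBECONFIG and HOME are both empty")
	for _, p := range paths {
		f, openErr := os.Open(p)
		if openErr == nil {
			f.Close()
			return p, nil
		}
		err = openErr
	}
	return "", fmt.Errorf("no readable kubeconfig in %q: %w", paths, err)
}

func main() {
	paths := kubeconfigCandidates(os.Getenv("KUBECONFIG"), os.Getenv("HOME"))
	p, err := firstReadable(paths)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("kubeconfig:", p)
}
```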