Merge pull request #336 from snyk/fix/ocp-home-override

ivanstanev · web-flow · commit 817908548418 · 2020-02-24T10:53:12.000+01:00
fix: hardcode HOME in the deployment of snyk-monitor
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -56,6 +56,8 @@ spec:
                 optional: true
           - name: SNYK_MONITOR_VERSION
             value: IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING
+          - name: HOME
+            value: /srv/app
         resources:
           requests:
             cpu: '250m'
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -46,6 +46,8 @@ spec:
             value: {{ .Values.clusterName }}
           - name: SNYK_MONITOR_VERSION
             value: {{ .Values.image.tag }}
+          - name: HOME
+            value: /srv/app
           resources:
             requests:
               cpu: '250m'
diff --git a/src/common/process.ts b/src/common/process.ts
@@ -16,6 +16,7 @@ export function exec(bin: string, ...processArgs: IProcessArgument[]):
   // For example, that process doesn't need to know secrets like our integrationId!
   const env = {
     PATH: process.env.PATH,
+    HOME: process.env.HOME,
   };
 
   const allArguments = processArgs.map((arg) => arg.body);
diff --git a/test/helpers/deployment.ts b/test/helpers/deployment.ts
@@ -1,6 +1,26 @@
 import * as tap from 'tap';
 import { V1Deployment } from '@kubernetes/client-node';
 
+export function validateEnvironmentVariables(test: tap, deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].env
+  ) {
+    test.fail('bad container spec or missing env');
+    return;
+  }
+
+  const env = deployment.spec.template.spec.containers[0].env;
+
+  const envHasHomeEntry = env.some(
+    (entry) => entry.name === 'HOME' && entry.value === '/srv/app',
+  );
+  test.ok(envHasHomeEntry, 'has HOME entry in env variables');
+}
+
 export function validateSecureConfiguration(test: tap, deployment: V1Deployment) {
   if (
     !deployment.spec ||
diff --git a/test/integration/kubernetes.test.ts b/test/integration/kubernetes.test.ts
@@ -8,7 +8,11 @@ import {
   validateUpstreamStoredMetadata,
   getUpstreamResponseBody,
 } from '../helpers/kubernetes-upstream';
-import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
+import {
+  validateSecureConfiguration,
+  validateVolumeMounts,
+  validateEnvironmentVariables,
+} from '../helpers/deployment';
 import * as kubectl from '../helpers/kubectl';
 
 let integrationId: string;
@@ -241,6 +245,7 @@ tap.test('snyk-monitor secure configuration is as expected', async (t) => {
 
   validateSecureConfiguration(t, deployment);
   validateVolumeMounts(t, deployment);
+  validateEnvironmentVariables(t, deployment);
 });
 
 /**
diff --git a/test/unit/deployment-files.test.ts b/test/unit/deployment-files.test.ts
@@ -3,7 +3,11 @@ import { parse } from 'yaml';
 import { readFileSync } from 'fs';
 import { V1Deployment } from '@kubernetes/client-node';
 import * as snykConfig from '../../src/common/config';
-import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
+import {
+  validateSecureConfiguration,
+  validateVolumeMounts,
+  validateEnvironmentVariables,
+} from '../helpers/deployment';
 
 /**
  * Note that these checks are also performed at runtime on the deployed snyk-monitor, see the integration tests.
@@ -20,5 +24,6 @@ tap.test('ensure the security properties of the deployment files are unchanged',
 
     validateSecureConfiguration(t, deployment);
     validateVolumeMounts(t, deployment);
+    validateEnvironmentVariables(t, deployment);
   }
 });
