7 changes: 7 additions & 0 deletions Dockerfile
@@ -39,6 +39,13 @@ RUN curl -fsSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release
# Install Helm
RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
coderabbitai[bot] marked this conversation as resolved.

# Set up Helm environment for plugin installation
RUN mkdir -p /tmp/helm-home && chmod 755 /tmp/helm-home
ENV HELM_CACHE_HOME=/tmp/helm-home/.cache/helm \
HELM_CONFIG_HOME=/tmp/helm-home/.config/helm \
HELM_DATA_HOME=/tmp/helm-home/.local/share/helm \
HELM_PLUGINS=/usr/local/share/helm/plugins
Comment on lines +43 to +47
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

/tmp/helm-home is not writable for prow’s non-root UID (CWE-732), so Helm state can still fail at runtime.

RUN mkdir -p /tmp/helm-home && chmod 755 /tmp/helm-home creates a root-owned directory that arbitrary non-root users cannot write to. That conflicts with the PR’s goal of making Helm usable when tests run non-root.

Suggested fix
-RUN mkdir -p /tmp/helm-home && chmod 755 /tmp/helm-home
+RUN mkdir -p /tmp/helm-home && \
+    chgrp -R 0 /tmp/helm-home && \
+    chmod -R g=u /tmp/helm-home

As per coding guidelines, “Do not run as root — use USER with a non-root UID” and container permissions must avoid insecure/broken access patterns.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 43 - 47, the /tmp/helm-home directory is created
root-owned with chmod 755 so a non-root prow UID can't write to Helm state;
update the Dockerfile so that after creating /tmp/helm-home (the RUN mkdir -p
... && chmod 755 ... block) you chown it to the intended non-root user/UID (or
create a dedicated helm user and chown), and ensure you switch to that non-root
USER before runtime; keep the HELM_* env vars (HELM_CACHE_HOME,
HELM_CONFIG_HOME, HELM_DATA_HOME, HELM_PLUGINS) but make sure /tmp/helm-home and
its .cache/.config/.local/share subdirs are owned by the non-root UID (or are
group-writable to that UID) so Helm can write state at runtime.

Source: Coding guidelines


# Install Helm plugins - helm-git and helm-diff
ARG HELM_GIT_VERSION=v1.5.2
ARG HELM_DIFF_VERSION=3.15.7
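Review bot: the added `RUN mkdir -p /tmp/helm-home && chmod 755 /tmp/helm-home` leaves the Helm state root owned by root with mode 0755, so a non-root runtime UID still cannot create HELM_CACHE_HOME, HELM_CONFIG_HOME or HELM_DATA_HOME underneath it, which defeats the point of redirecting those variables to /tmp/helm-home. Either chown the tree to the UID the image later switches to with USER, or, if the runtime UID is arbitrary, make it group-0 writable (`chgrp -R 0 /tmp/helm-home && chmod -R g=u /tmp/helm-home`), bearing in mind that the group-0 route only works when the runtime process actually carries GID 0 or a supplementary group 0. A build-time probe that creates `$HELM_CACHE_HOME` as the runtime user (for example `su -s /bin/sh <user> -c 'mkdir -p "$HELM_CACHE_HOME"'`) would fail the build instead of the first test job. Keeping HELM_PLUGINS at /usr/local/share/helm/plugins, outside the writable state tree, is the right split since plugins are executable code; a one-line comment saying the plugin directory is intentionally root-owned and read-only at runtime would document that choice for the next reader.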
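As an added example (not the PR's Dockerfile and not the bot's suggestion), the same Helm environment laid out so that the mutable state tree is writable by a fixed non-root UID while the plugin directory stays root-owned; the base image, the `helm` user and UID 65532 are assumptions, and the build-time probe fails the build if the state directory is not writable.

```dockerfile
# Added example, not the PR's Dockerfile. Assumed: Debian base image, UID 65532.
FROM debian:bookworm-slim
ARG HELM_UID=65532

# Weak pattern (from the hunk): root-owned, mode 0755, unwritable by a
# non-root runtime UID, so Helm cannot create its cache/config/data dirs.
# RUN mkdir -p /tmp/helm-home && chmod 755 /tmp/helm-home

# Mutable Helm state: owned by the runtime UID and private to it.
RUN groupadd -r -g "${HELM_UID}" helm \
 && useradd -r -u "${HELM_UID}" -g helm -d /tmp/helm-home -s /usr/sbin/nologin helm \
 && mkdir -p /tmp/helm-home/.cache/helm \
             /tmp/helm-home/.config/helm \
             /tmp/helm-home/.local/share/helm \
 && chown -R "${HELM_UID}:${HELM_UID}" /tmp/helm-home \
 && chmod 700 /tmp/helm-home

ENV HELM_CACHE_HOME=/tmp/helm-home/.cache/helm \
    HELM_CONFIG_HOME=/tmp/helm-home/.config/helm \
    HELM_DATA_HOME=/tmp/helm-home/.local/share/helm \
    HELM_PLUGINS=/usr/local/share/helm/plugins

# Plugins are executable code installed at build time (as root); keep the
# directory root-owned and read-only for the runtime UID.
RUN mkdir -p /usr/local/share/helm/plugins \
 && chmod -R 755 /usr/local/share/helm

# Build-time probe: the build fails here if the runtime UID cannot write state.
# su without '-' keeps the ENV values above in the environment.
RUN su -s /bin/sh helm -c 'touch "$HELM_CACHE_HOME/.probe" && rm "$HELM_CACHE_HOME/.probe"'

USER ${HELM_UID}
```

If the runtime UID is arbitrary rather than fixed, replace the chown/chmod 700 pair with group-0 ownership and `chmod -R g=u`, and run the probe with a user that has GID 0.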