diff --git a/cmd/flux/bootstrap.go b/cmd/flux/bootstrap.go
index b4b319ef..9e390a89 100644
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -19,13 +19,13 @@ package main
 import (
 "crypto/elliptic"
 "fmt"
- "os"
 "strings"
 "github.com/spf13/cobra"
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
@@ -154,7 +154,7 @@ func buildEmbeddedManifestBase() (string, error) {
 if !isEmbeddedVersion(bootstrapArgs.version) {
 return "", nil
 }
- tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
+ tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
 if err != nil {
 return "", err
 }
diff --git a/cmd/flux/bootstrap_bitbucket_server.go b/cmd/flux/bootstrap_bitbucket_server.go
index 4898e1fe..b620fa61 100644
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -30,6 +30,7 @@ import (
 "github.com/fluxcd/flux2/internal/bootstrap/provider"
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/install"
 "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 "github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -165,7 +166,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 }
 // Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 if err != nil {
 return fmt.Errorf("failed to create temporary working dir: %w", err)
 }
diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go
index 7e2193eb..f3005107 100644
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -35,6 +35,7 @@ import (
 "github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/install"
 "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 "github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -137,7 +138,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 defer os.RemoveAll(manifestsBase)
 // Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 if err != nil {
 return fmt.Errorf("failed to create temporary working dir: %w", err)
 }
diff --git a/cmd/flux/bootstrap_github.go b/cmd/flux/bootstrap_github.go
index 3f2ff342..14261820 100644
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -30,6 +30,7 @@ import (
 "github.com/fluxcd/flux2/internal/bootstrap/provider"
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/install"
 "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 "github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -161,7 +162,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 }
 // Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 if err != nil {
 return fmt.Errorf("failed to create temporary working dir: %w", err)
 }
diff --git a/cmd/flux/bootstrap_gitlab.go b/cmd/flux/bootstrap_gitlab.go
index afebfa91..56768042 100644
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -32,6 +32,7 @@ import (
 "github.com/fluxcd/flux2/internal/bootstrap/provider"
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/install"
 "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 "github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -172,7 +173,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 }
 // Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 if err != nil {
 return fmt.Errorf("failed to create temporary working dir: %w", err)
 }
diff --git a/cmd/flux/install.go b/cmd/flux/install.go
index 616e3c95..0af11cee 100644
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -27,6 +27,7 @@ import (
 "github.com/fluxcd/flux2/internal/flags"
 "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
 "github.com/fluxcd/flux2/pkg/manifestgen/install"
 "github.com/fluxcd/flux2/pkg/status"
 )
@@ -134,7 +135,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 logger.Generatef("generating manifests")
 }
- tmpDir, err := os.MkdirTemp("", *kubeconfigArgs.Namespace)
+ tmpDir, err := manifestgen.MkdirTempAbs("", *kubeconfigArgs.Namespace)
 if err != nil {
 return err
 }
diff --git a/pkg/manifestgen/install/install.go b/pkg/manifestgen/install/install.go
index ce6d1e19..80621782 100644
--- a/pkg/manifestgen/install/install.go
+++ b/pkg/manifestgen/install/install.go
@@ -54,7 +54,7 @@ func Generate(options Options, manifestsBase string) (*manifestgen.Manifest, err
 } else {
 // download the manifests base from GitHub
 if manifestsBase == "" {
- manifestsBase, err = os.MkdirTemp("", options.Namespace)
+ manifestsBase, err = manifestgen.MkdirTempAbs("", options.Namespace)
 if err != nil {
 return nil, fmt.Errorf("temp dir error: %w", err)
 }
diff --git a/pkg/manifestgen/install/manifests.go b/pkg/manifestgen/install/manifests.go
index 6ab91eae..17fc33f1 100644
--- a/pkg/manifestgen/install/manifests.go
+++ b/pkg/manifestgen/install/manifests.go
@@ -26,6 +26,7 @@ import (
 "path/filepath"
 "strings"
+ "github.com/fluxcd/pkg/kustomize/filesys"
 "github.com/fluxcd/pkg/untar"
 "github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
@@ -125,7 +126,12 @@ func build(base, output string) error {
 return err
 }
- if err = os.WriteFile(output, resources, 0o640); err != nil {
+ outputBase := filepath.Dir(strings.TrimSuffix(output, string(filepath.Separator)))
+ fs, err := filesys.MakeFsOnDiskSecure(outputBase)
+ if err != nil {
+ return err
+ }
+ if err = fs.WriteFile(output, resources); err != nil {
 return err
 }
diff --git a/pkg/manifestgen/tmpdir.go b/pkg/manifestgen/tmpdir.go
new file mode 100644
index 00000000..db4daf13
--- /dev/null
+++ b/pkg/manifestgen/tmpdir.go
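Review bot: The last added line of the `build` hunk drops the explicit `0o640` mode that the removed `os.WriteFile` call set — `fs.WriteFile(output, resources)` takes no mode argument, so the permissions of the generated manifest file are now whatever the `filesys` implementation chooses (presumably a wider default subject to umask); if the previous narrowing was deliberate, re-apply it with `if err := os.Chmod(output, 0o640); err != nil { return err }` after the write, or document the relaxation. The `MakeFsOnDiskSecure` error is returned bare, so a failure here is indistinguishable from the kustomize build error a few lines up; wrapping it with the directory it was confining to, e.g. `return fmt.Errorf("confining writes to %s: %w", outputBase, err)`, would help (assuming `fmt` is in scope in this file). A short comment above the `outputBase` line stating why the write is routed through a root-confined filesystem — `// Confine the write to output's parent so a symlinked or traversing output path cannot escape it` — would make the intent visible, since nothing in the hunk explains the change. `build` starts before and ends after this hunk.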
@@ -0,0 +1,38 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestgen
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+)
+
+// MkdirTempAbs creates a tmp dir and returns the absolute path to the dir.
+// This is required since certain OSes like MacOS create temporary files in
+// e.g. `/private/var`, to which `/var` is a symlink.
+func MkdirTempAbs(dir, pattern string) (string, error) {
+ tmpDir, err := os.MkdirTemp(dir, pattern)
+ if err != nil {
+ return "", err
+ }
+ tmpDir, err = filepath.EvalSymlinks(tmpDir)
+ if err != nil {
+ return "", fmt.Errorf("error evaluating symlink: %w", err)
+ }
+ return tmpDir, nil
+}
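Review bot: In `MkdirTempAbs`, when `filepath.EvalSymlinks` fails the directory just created by `os.MkdirTemp` is never removed, and because the call reassigns `tmpDir` the original path is overwritten with `""` on that branch, so the caller cannot clean it up either — every failure leaks a temp directory. Keep the created path in its own variable and `os.RemoveAll` it before returning the error. The doc comment also promises an absolute path, but `EvalSymlinks` keeps a relative `dir` relative; either wrap the result in `filepath.Abs` or narrow the comment to the `dir == ""` case the callers in this diff actually use.
```go
func MkdirTempAbs(dir, pattern string) (string, error) {
	// … unchanged: os.MkdirTemp call and its error check …
	// Resolve symlinks (e.g. /var -> /private/var on macOS) so the path matches
	// what a symlink-aware, root-confined filesystem will see.
	resolved, err := filepath.EvalSymlinks(tmpDir)
	if err != nil {
		_ = os.RemoveAll(tmpDir) // do not leak the directory on failure
		return "", fmt.Errorf("error evaluating symlink: %w", err)
	}
	return resolved, nil
}
```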