diff --git a/cmd/flux/bootstrap.go b/cmd/flux/bootstrap.go
index b4b319efb9b23e20edcda606ee84bd90175f5ae4..9e390a898bd9b6a053b34a773a57fbd9c91ca02d 100644
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -19,13 +19,13 @@ package main
import (
"crypto/elliptic"
"fmt"
- "os"
"strings"
"github.com/spf13/cobra"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
)
@@ -154,7 +154,7 @@ func buildEmbeddedManifestBase() (string, error) {
if !isEmbeddedVersion(bootstrapArgs.version) {
return "", nil
}
- tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
+ tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
if err != nil {
return "", err
}
diff --git a/cmd/flux/bootstrap_bitbucket_server.go b/cmd/flux/bootstrap_bitbucket_server.go
index 4898e1fee9482d65cf39f2857f5926c7db746321..b620fa61bb00fc04b4067cc4814c58f2bb718b2e 100644
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -30,6 +30,7 @@ import (
"github.com/fluxcd/flux2/internal/bootstrap/provider"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/install"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -165,7 +166,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
}
// Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
if err != nil {
return fmt.Errorf("failed to create temporary working dir: %w", err)
}
diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go
index 7e2193eb9e5c03678f983e0c97a769ca4d9fb54d..f3005107a38deea85defcbb689f34273cdfd6e95 100644
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -35,6 +35,7 @@ import (
"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/install"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -137,7 +138,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
defer os.RemoveAll(manifestsBase)
// Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
if err != nil {
return fmt.Errorf("failed to create temporary working dir: %w", err)
}
diff --git a/cmd/flux/bootstrap_github.go b/cmd/flux/bootstrap_github.go
index 3f2ff3427d4e13a9017d94f2c9c718f1d9a8bb1f..142618202698db2dba9a9131fbc82ee5e4d1d8a1 100644
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -30,6 +30,7 @@ import (
"github.com/fluxcd/flux2/internal/bootstrap/provider"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/install"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -161,7 +162,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
}
// Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
if err != nil {
return fmt.Errorf("failed to create temporary working dir: %w", err)
}
diff --git a/cmd/flux/bootstrap_gitlab.go b/cmd/flux/bootstrap_gitlab.go
index afebfa914f8d725cb8e75a59632b4a8f0b915c90..56768042736e4d6c544063b84d195730a2858088 100644
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -32,6 +32,7 @@ import (
"github.com/fluxcd/flux2/internal/bootstrap/provider"
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/install"
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -172,7 +173,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
}
// Lazy go-git repository
- tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+ tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
if err != nil {
return fmt.Errorf("failed to create temporary working dir: %w", err)
}
diff --git a/cmd/flux/install.go b/cmd/flux/install.go
index 616e3c952817ec245caf2209ac1e6c398a1885f5..0af11cee46fdfbe5bf670b7cfb75fac1913483f7 100644
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -27,6 +27,7 @@ import (
"github.com/fluxcd/flux2/internal/flags"
"github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen"
"github.com/fluxcd/flux2/pkg/manifestgen/install"
"github.com/fluxcd/flux2/pkg/status"
)
@@ -134,7 +135,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
logger.Generatef("generating manifests")
}
- tmpDir, err := os.MkdirTemp("", *kubeconfigArgs.Namespace)
+ tmpDir, err := manifestgen.MkdirTempAbs("", *kubeconfigArgs.Namespace)
if err != nil {
return err
}
diff --git a/pkg/manifestgen/install/install.go b/pkg/manifestgen/install/install.go
index ce6d1e1902f48cb2b0c58b31155b0a10022b629d..8062178247f4df1b171360e5d36d5ecdf7e19b56 100644
--- a/pkg/manifestgen/install/install.go
+++ b/pkg/manifestgen/install/install.go
@@ -54,7 +54,7 @@ func Generate(options Options, manifestsBase string) (*manifestgen.Manifest, err
} else {
// download the manifests base from GitHub
if manifestsBase == "" {
- manifestsBase, err = os.MkdirTemp("", options.Namespace)
+ manifestsBase, err = manifestgen.MkdirTempAbs("", options.Namespace)
if err != nil {
return nil, fmt.Errorf("temp dir error: %w", err)
}
diff --git a/pkg/manifestgen/install/manifests.go b/pkg/manifestgen/install/manifests.go
index 6ab91eaefd2655dfad2361e935bc60355aaf7acb..17fc33f101a70276263b8ca439b307ecd765abb4 100644
--- a/pkg/manifestgen/install/manifests.go
+++ b/pkg/manifestgen/install/manifests.go
@@ -26,6 +26,7 @@ import (
"path/filepath"
"strings"
+ "github.com/fluxcd/pkg/kustomize/filesys"
"github.com/fluxcd/pkg/untar"
"github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
@@ -125,7 +126,12 @@ func build(base, output string) error {
return err
}
- if err = os.WriteFile(output, resources, 0o640); err != nil {
+ outputBase := filepath.Dir(strings.TrimSuffix(output, string(filepath.Separator)))
+ fs, err := filesys.MakeFsOnDiskSecure(outputBase)
+ if err != nil {
+ return err
+ }
+ if err = fs.WriteFile(output, resources); err != nil {
return err
}
diff --git a/pkg/manifestgen/tmpdir.go b/pkg/manifestgen/tmpdir.go
new file mode 100644
index 0000000000000000000000000000000000000000..db4daf133a9f73bb02d679dac7f680ee4a28a0e7
--- /dev/null
+++ b/pkg/manifestgen/tmpdir.go
@@ -0,0 +1,38 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestgen
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+)
+
+// MkdirTempAbs creates a tmp dir and returns the absolute path to the dir.
+// This is required since certain OSes like MacOS create temporary files in
+// e.g. `/private/var`, to which `/var` is a symlink.
+func MkdirTempAbs(dir, pattern string) (string, error) {
+ tmpDir, err := os.MkdirTemp(dir, pattern)
+ if err != nil {
+ return "", err
+ }
+ tmpDir, err = filepath.EvalSymlinks(tmpDir)
+ if err != nil {
+ return "", fmt.Errorf("error evaluating symlink: %w", err)
+ }
+ return tmpDir, nil
+}