Fix issue with read only configuration

src/lib.rs

@@ -4,4 +4,5 @@ pub mod minio;
 #[cfg(test)]
 pub mod minio_test_server;
 pub mod secrets;
+pub mod temp;
 pub mod utils;

src/minio.rs

@@ -5,6 +5,7 @@ use serde::Deserialize;
 
 use crate::constants::{MC_EXE, SECRET_MINIO_BUCKET_ACCESS_LEN, SECRET_MINIO_BUCKET_SECRET_LEN};
 use crate::crd::{BucketRetention, MinioBucketSpec, RetentionType};
+use crate::temp;
 use crate::utils::rand_str;
 
 const MC_ALIAS_NAME: &str = "managedminioinst";
@@ -173,7 +174,7 @@ impl MinioService {
     {
         log::debug!("exec_mc_cmd with args {:?}", args);
 
-        let conf_dir = mktemp::Temp::new_dir()?;
+        let conf_dir = temp::create_temp_dir()?;
         let global_flags = ["--config-dir", conf_dir.to_str().unwrap(), "--json"];
 
         // First, set our alias to mc in a temporary directory
@@ -458,7 +459,7 @@ impl MinioService {
 
     /// Apply a bucket policy
     pub async fn policy_apply(&self, name: &str, content: &str) -> anyhow::Result<()> {
-        let tmp_file = mktemp::Temp::new_file()?;
+        let tmp_file = temp::create_temp_file()?;
         std::fs::write(&tmp_file, content)?;
 
         let res = self

src/minio_test_server.rs

@@ -3,6 +3,7 @@
 //! Used for testing only
 
 use crate::minio::MinioService;
+use crate::temp;
 use crate::utils::rand_str;
 use rand::RngCore;
 use std::io::ErrorKind;
@@ -20,7 +21,7 @@ pub struct MinioTestServer {
 
 impl MinioTestServer {
     pub async fn start() -> anyhow::Result<Self> {
-        let storage_dir = mktemp::Temp::new_dir()?;
+        let storage_dir = temp::create_temp_dir()?;
 
         let root_user = rand_str(30);
         let root_password = rand_str(30);

src/temp.rs

@@ -0,0 +1,26 @@
+use std::path::{Path, PathBuf};
+
+/// Get the directory where temp files should be created
+fn temp_path() -> Option<PathBuf> {
+    std::env::var("TEMP_DIR")
+        .as_deref()
+        .ok()
+        .map(Path::new)
+        .map(|p| p.to_path_buf())
+}
+
+/// Create a temporary directory
+pub fn create_temp_dir() -> std::io::Result<mktemp::Temp> {
+    match temp_path() {
+        None => mktemp::Temp::new_dir(),
+        Some(p) => mktemp::Temp::new_dir_in(p),
+    }
+}
+
+/// Create a temporary file
+pub fn create_temp_file() -> std::io::Result<mktemp::Temp> {
+    match temp_path() {
+        None => mktemp::Temp::new_file(),
+        Some(p) => mktemp::Temp::new_file_in(p),
+    }
+}

yaml/deployment.yaml

@@ -13,12 +13,12 @@ metadata:
   name: minio-operator
   namespace: default
 rules:
-- apiGroups: ["communiquons.org"]
+  - apiGroups: ["communiquons.org"]
-  resources: ["minioinstances", "miniobuckets"]
+    resources: ["minioinstances", "miniobuckets"]
-  verbs: ["get", "list", "watch"]
+    verbs: ["get", "list", "watch"]
-- apiGroups: [""]
+  - apiGroups: [""]
-  resources: ["secrets"]
+    resources: ["secrets"]
-  verbs: ["get", "create"]
+    verbs: ["get", "create"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -26,9 +26,9 @@ metadata:
   name: minio-operator
   namespace: default
 subjects:
-- kind: ServiceAccount
+  - kind: ServiceAccount
-  name: minio-operator
+    name: minio-operator
-  namespace: default
+    namespace: default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -63,6 +63,10 @@ spec:
             requests:
               memory: 150Mi
               cpu: "0.01"
+          volumeMounts:
+            - mountPath: /tmp
+              readOnly: false
+              name: tempdir
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
@@ -70,4 +74,8 @@ spec:
             runAsGroup: 1000
             capabilities:
               drop:
-              - ALL
+                - ALL
+      volumes:
+        - name: tempdir
+          emptyDir:
+            sizeLimit: 500Mi