Update Rust crate thiserror to 1.0.57

Cargo.toml

@@ -6,17 +6,17 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-log = "0.4.20"
-env_logger = "0.10.0"
-anyhow = "1.0.75"
-serde = { version = "1.0.185", features = ["derive"] }
-serde_json = "1.0.105"
-schemars = "0.8.15"
-tokio = { version = "1.33.0", features = ["full"] }
-kube = { version = "0.85.0", features = ["runtime", "derive"] }
-k8s-openapi = { version = "0.19.0", features = ["v1_27"] }
-futures = "0.3.28"
-thiserror = "1.0.49"
+log = "0.4.21"
+env_logger = "0.10.1"
+anyhow = "1.0.79"
+serde = { version = "1.0.195", features = ["derive"] }
+serde_json = "1.0.111"
+schemars = "0.8.16"
+tokio = { version = "1.35.1", features = ["full"] }
+kube = { version = "0.87.2", features = ["runtime", "derive"] }
+k8s-openapi = { version = "0.20.0", features = ["v1_27"] }
+futures = "0.3.30"
+thiserror = "1.0.57"
 rand = "0.8.5"
 mktemp = "0.5.1"
-reqwest = "0.11.20"
+reqwest = "0.11.23"

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 
 COPY minio-operator /usr/local/bin/minio-operator
 COPY mc /usr/local/bin/mc

src/lib.rs

@@ -4,4 +4,5 @@ pub mod minio;
 #[cfg(test)]
 pub mod minio_test_server;
 pub mod secrets;
+pub mod temp;
 pub mod utils;

src/minio.rs

@@ -5,6 +5,7 @@ use serde::Deserialize;
 
 use crate::constants::{MC_EXE, SECRET_MINIO_BUCKET_ACCESS_LEN, SECRET_MINIO_BUCKET_SECRET_LEN};
 use crate::crd::{BucketRetention, MinioBucketSpec, RetentionType};
+use crate::temp;
 use crate::utils::rand_str;
 
 const MC_ALIAS_NAME: &str = "managedminioinst";
@@ -173,7 +174,7 @@ impl MinioService {
     {
         log::debug!("exec_mc_cmd with args {:?}", args);
 
-        let conf_dir = mktemp::Temp::new_dir()?;
+        let conf_dir = temp::create_temp_dir()?;
         let global_flags = ["--config-dir", conf_dir.to_str().unwrap(), "--json"];
 
         // First, set our alias to mc in a temporary directory
@@ -261,7 +262,7 @@ impl MinioService {
         }
 
         let res = self.exec_mc_cmd::<BasicMinioResult>(&args).await?;
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::MakeBucketFailed.into());
         }
 
@@ -292,7 +293,7 @@ impl MinioService {
             ])
             .await?;
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::SetQuotaFailed.into());
         }
         Ok(())
@@ -330,7 +331,7 @@ impl MinioService {
             ])
             .await?;
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::SetAnonymousAcccessFailed.into());
         }
 
@@ -367,7 +368,7 @@ impl MinioService {
                 .await?
         };
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::SetQuotaFailed.into());
         }
         Ok(())
@@ -415,7 +416,7 @@ impl MinioService {
             .await?
         };
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::SetRetentionFailed.into());
         }
 
@@ -458,7 +459,7 @@ impl MinioService {
 
     /// Apply a bucket policy
     pub async fn policy_apply(&self, name: &str, content: &str) -> anyhow::Result<()> {
-        let tmp_file = mktemp::Temp::new_file()?;
+        let tmp_file = temp::create_temp_file()?;
         std::fs::write(&tmp_file, content)?;
 
         let res = self
@@ -472,7 +473,7 @@ impl MinioService {
             ])
             .await?;
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::ApplyPolicyFailed.into());
         }
 
@@ -512,7 +513,7 @@ impl MinioService {
             ])
             .await?;
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::CreateUserFailed.into());
         }
 
@@ -552,7 +553,7 @@ impl MinioService {
             ])
             .await?;
 
-        if res.get(0).map(|r| r.success()) != Some(true) {
+        if res.first().map(|r| r.success()) != Some(true) {
             return Err(MinioError::CreateUserFailed.into());
         }
 
@@ -579,7 +580,7 @@ impl MinioService {
             .userMappings;
 
         if let Some(mapping) = res {
-            if let Some(e) = mapping.get(0) {
+            if let Some(e) = mapping.first() {
                 return Ok(e.policies.clone());
             }
         }

src/minio_test_server.rs

@@ -3,6 +3,7 @@
 //! Used for testing only
 
 use crate::minio::MinioService;
+use crate::temp;
 use crate::utils::rand_str;
 use rand::RngCore;
 use std::io::ErrorKind;
@@ -20,7 +21,7 @@ pub struct MinioTestServer {
 
 impl MinioTestServer {
     pub async fn start() -> anyhow::Result<Self> {
-        let storage_dir = mktemp::Temp::new_dir()?;
+        let storage_dir = temp::create_temp_dir()?;
 
         let root_user = rand_str(30);
         let root_password = rand_str(30);

src/temp.rs

@@ -0,0 +1,26 @@
+use std::path::{Path, PathBuf};
+
+/// Get the directory where temp files should be created
+fn temp_path() -> Option<PathBuf> {
+    std::env::var("TEMP_DIR")
+        .as_deref()
+        .ok()
+        .map(Path::new)
+        .map(|p| p.to_path_buf())
+}
+
+/// Create a temporary directory
+pub fn create_temp_dir() -> std::io::Result<mktemp::Temp> {
+    match temp_path() {
+        None => mktemp::Temp::new_dir(),
+        Some(p) => mktemp::Temp::new_dir_in(p),
+    }
+}
+
+/// Create a temporary file
+pub fn create_temp_file() -> std::io::Result<mktemp::Temp> {
+    match temp_path() {
+        None => mktemp::Temp::new_file(),
+        Some(p) => mktemp::Temp::new_file_in(p),
+    }
+}

yaml/deployment.yaml

@@ -13,12 +13,12 @@ metadata:
   name: minio-operator
   namespace: default
 rules:
-- apiGroups: ["communiquons.org"]
-  resources: ["minioinstances", "miniobuckets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "create"]
+  - apiGroups: ["communiquons.org"]
+    resources: ["minioinstances", "miniobuckets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -26,9 +26,9 @@ metadata:
   name: minio-operator
   namespace: default
 subjects:
-- kind: ServiceAccount
-  name: minio-operator
-  namespace: default
+  - kind: ServiceAccount
+    name: minio-operator
+    namespace: default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -63,8 +63,19 @@ spec:
             requests:
               memory: 150Mi
               cpu: "0.01"
+          volumeMounts:
+            - mountPath: /tmp
+              readOnly: false
+              name: tempdir
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1000
+            runAsGroup: 1000
             capabilities:
               drop:
-              - ALL
+                - ALL
+      volumes:
+        - name: tempdir
+          emptyDir:
+            sizeLimit: 500Mi