OADP-6019: Add emptyDir volume for tmp files created by CCO flow for AWS STS. (#1731)

kaovilai · web-flow · commit 76e1b87b47d5 · 2025-04-25T19:30:57.000Z
Add a new emptyDir volume named tmp-dir to the controller pod specification
Add a volume mount to the container that mounts this volume to /tmp
Keep readOnlyRootFilesystem: true for security

Replaced the deprecated ioutil.TempFile() function with the recommended os.CreateTemp() function
Removed the unnecessary io/ioutil import since it's no longer needed

Signed-off-by: Tiger Kaovilai &lt;tkaovila@redhat.com&gt;
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -1164,6 +1164,8 @@ spec:
                 - mountPath: /var/run/secrets/openshift/serviceaccount
                   name: bound-sa-token
                   readOnly: true
+                - mountPath: /tmp
+                  name: tmp-dir
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: openshift-adp-controller-manager
@@ -1176,6 +1178,8 @@ spec:
                       audience: openshift
                       expirationSeconds: 3600
                       path: token
+              - emptyDir: {}
+                name: tmp-dir
       permissions:
       - rules:
         - apiGroups:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -51,6 +51,8 @@ spec:
             - mountPath: /var/run/secrets/openshift/serviceaccount
               name: bound-sa-token
               readOnly: true
+            - mountPath: /tmp
+              name: tmp-dir
           env:
             - name: WATCH_NAMESPACE
               valueFrom:
@@ -126,4 +128,6 @@ spec:
                   path: token
                   expirationSeconds: 3600
                   audience: openshift
+        - name: tmp-dir
+          emptyDir: {}
       terminationGracePeriodSeconds: 10
diff --git a/pkg/bucket/client.go b/pkg/bucket/client.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 
@@ -91,7 +90,7 @@ func SharedCredentialsFileFromSecret(secret *corev1.Secret) (string, error) {
 		return "", errors.New("invalid secret for aws credentials")
 	}
 
-	f, err := ioutil.TempFile("", "aws-shared-credentials")
+	f, err := os.CreateTemp("", "aws-shared-credentials")
 	if err != nil {
 		return "", err
 	}

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"errors"`
`6`	`6`	`"fmt"`
`7`		`- "io/ioutil"`
`8`	`7`	`"os"`
`9`	`8`	`"path/filepath"`
`10`	`9`
`@@ -91,7 +90,7 @@ func SharedCredentialsFileFromSecret(secret *corev1.Secret) (string, error) {`
`91`	`90`	`return "", errors.New("invalid secret for aws credentials")`
`92`	`91`	`}`
`93`	`92`
`94`		`- f, err := ioutil.TempFile("", "aws-shared-credentials")`
	`93`	`+ f, err := os.CreateTemp("", "aws-shared-credentials")`
`95`	`94`	`if err != nil {`
`96`	`95`	`return "", err`
`97`	`96`	`}`