
Commit 5258795

Merge pull request #1769 from rabi/private_key
Set SSH private key file permissions to 0600
2 parents cf82a75 + 5b079b3 commit 5258795

15 files changed

Lines changed: 51 additions & 48 deletions


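--- a/internal/dataplane/util/ansible_execution.go
+++ b/internal/dataplane/util/ansible_execution.go
@@ -30,6 +30,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation"
+"k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
 networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
@@ -324,7 +325,7 @@ func SetAeeSSHMounts(
 sshKeyMountSubPath = fmt.Sprintf("ssh_key_%s", sshKeyNodeName)
 sshKeyMountPath = fmt.Sprintf("/runner/env/ssh_key/%s", sshKeyMountSubPath)
 
-CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey")
+CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey", ptr.To(int32(0600)))
 CreateVolumeMount(ansibleEEMounts, sshKeyName, sshKeyMountPath, sshKeyMountSubPath)
 }
 }
@@ -361,18 +362,20 @@ func SetAeeInvMounts(
 inventoryMountPath = "/runner/inventory/hosts"
 }
 
-CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory")
+CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory", nil)
 CreateVolumeMount(ansibleEEMounts, inventoryName, inventoryMountPath, inventoryName)
 }
 }
 
 // CreateVolume creates a volume configuration for Ansible Execution Environment mounts
-func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string) {
+// If defaultMode is nil, Kubernetes default (0644) is used
+func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string, defaultMode *int32) {
 volume := storage.Volume{
 Name: volumeName,
 VolumeSource: storage.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
-SecretName: secretName,
+SecretName: secretName,
+DefaultMode: defaultMode,
 Items: []corev1.KeyToPath{
 {
 Key: keyToPathKey,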
test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml

Lines changed: 14 additions & 14 deletions
@@ -162,7 +162,7 @@ spec:
162162
secretName: combined-ca-bundle
163163
- name: ssh-key-edpm-compute-global
164164
secret:
165-
defaultMode: 420
165+
defaultMode: 384
166166
items:
167167
- key: ssh-privatekey
168168
path: ssh_key_edpm-compute-global
@@ -258,7 +258,7 @@ spec:
258258
volumes:
259259
- name: ssh-key-edpm-compute-global
260260
secret:
261-
defaultMode: 420
261+
defaultMode: 384
262262
items:
263263
- key: ssh-privatekey
264264
path: ssh_key_edpm-compute-global
@@ -362,7 +362,7 @@ spec:
362362
secretName: combined-ca-bundle
363363
- name: ssh-key-edpm-compute-global
364364
secret:
365-
defaultMode: 420
365+
defaultMode: 384
366366
items:
367367
- key: ssh-privatekey
368368
path: ssh_key_edpm-compute-global
@@ -460,7 +460,7 @@ spec:
460460
volumes:
461461
- name: ssh-key-edpm-compute-global
462462
secret:
463-
defaultMode: 420
463+
defaultMode: 384
464464
items:
465465
- key: ssh-privatekey
466466
path: ssh_key_edpm-compute-global
@@ -558,7 +558,7 @@ spec:
558558
volumes:
559559
- name: ssh-key-edpm-compute-global
560560
secret:
561-
defaultMode: 420
561+
defaultMode: 384
562562
items:
563563
- key: ssh-privatekey
564564
path: ssh_key_edpm-compute-global
@@ -656,7 +656,7 @@ spec:
656656
volumes:
657657
- name: ssh-key-edpm-compute-global
658658
secret:
659-
defaultMode: 420
659+
defaultMode: 384
660660
items:
661661
- key: ssh-privatekey
662662
path: ssh_key_edpm-compute-global
@@ -808,7 +808,7 @@ spec:
808808
secretName: combined-ca-bundle
809809
- name: ssh-key-edpm-compute-global
810810
secret:
811-
defaultMode: 420
811+
defaultMode: 384
812812
items:
813813
- key: ssh-privatekey
814814
path: ssh_key_edpm-compute-global
@@ -917,7 +917,7 @@ spec:
917917
secretName: combined-ca-bundle
918918
- name: ssh-key-edpm-compute-global
919919
secret:
920-
defaultMode: 420
920+
defaultMode: 384
921921
items:
922922
- key: ssh-privatekey
923923
path: ssh_key_edpm-compute-global
@@ -1056,7 +1056,7 @@ spec:
10561056
secretName: combined-ca-bundle
10571057
- name: ssh-key-edpm-compute-global
10581058
secret:
1059-
defaultMode: 420
1059+
defaultMode: 384
10601060
items:
10611061
- key: ssh-privatekey
10621062
path: ssh_key_edpm-compute-global
@@ -1165,7 +1165,7 @@ spec:
11651165
secretName: combined-ca-bundle
11661166
- name: ssh-key-edpm-compute-global
11671167
secret:
1168-
defaultMode: 420
1168+
defaultMode: 384
11691169
items:
11701170
- key: ssh-privatekey
11711171
path: ssh_key_edpm-compute-global
@@ -1274,7 +1274,7 @@ spec:
12741274
secretName: combined-ca-bundle
12751275
- name: ssh-key-edpm-compute-global
12761276
secret:
1277-
defaultMode: 420
1277+
defaultMode: 384
12781278
items:
12791279
- key: ssh-privatekey
12801280
path: ssh_key_edpm-compute-global
@@ -1383,7 +1383,7 @@ spec:
13831383
secretName: combined-ca-bundle
13841384
- name: ssh-key-edpm-compute-global
13851385
secret:
1386-
defaultMode: 420
1386+
defaultMode: 384
13871387
items:
13881388
- key: ssh-privatekey
13891389
path: ssh_key_edpm-compute-global
@@ -1492,7 +1492,7 @@ spec:
14921492
secretName: combined-ca-bundle
14931493
- name: ssh-key-edpm-compute-global
14941494
secret:
1495-
defaultMode: 420
1495+
defaultMode: 384
14961496
items:
14971497
- key: ssh-privatekey
14981498
path: ssh_key_edpm-compute-global
@@ -1631,7 +1631,7 @@ spec:
16311631
secretName: combined-ca-bundle
16321632
- name: ssh-key-edpm-compute-global
16331633
secret:
1634-
defaultMode: 420
1634+
defaultMode: 384
16351635
items:
16361636
- key: ssh-privatekey
16371637
path: ssh_key_edpm-compute-global

test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml

Lines changed: 2 additions & 2 deletions
@@ -151,7 +151,7 @@ spec:
151151
volumes:
152152
- name: ssh-key-edpm-compute-beta-nodeset
153153
secret:
154-
defaultMode: 420
154+
defaultMode: 384
155155
items:
156156
- key: ssh-privatekey
157157
path: ssh_key_edpm-compute-beta-nodeset
@@ -254,7 +254,7 @@ spec:
254254
secretName: combined-ca-bundle
255255
- name: ssh-key-edpm-compute-beta-nodeset
256256
secret:
257-
defaultMode: 420
257+
defaultMode: 384
258258
items:
259259
- key: ssh-privatekey
260260
path: ssh_key_edpm-compute-beta-nodeset

test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml

Lines changed: 2 additions & 2 deletions
@@ -212,7 +212,7 @@ spec:
212212
secretName: combined-ca-bundle
213213
- name: ssh-key-openstack-edpm-tls
214214
secret:
215-
defaultMode: 420
215+
defaultMode: 384
216216
items:
217217
- key: ssh-privatekey
218218
path: ssh_key_openstack-edpm-tls
@@ -319,7 +319,7 @@ spec:
319319
secretName: combined-ca-bundle
320320
- name: ssh-key-openstack-edpm-tls
321321
secret:
322-
defaultMode: 420
322+
defaultMode: 384
323323
items:
324324
- key: ssh-privatekey
325325
path: ssh_key_openstack-edpm-tls

test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml

Lines changed: 13 additions & 13 deletions
@@ -147,7 +147,7 @@ spec:
147147
volumes:
148148
- name: ssh-key-edpm-compute-no-nodes
149149
secret:
150-
defaultMode: 420
150+
defaultMode: 384
151151
items:
152152
- key: ssh-privatekey
153153
path: ssh_key_edpm-compute-no-nodes
@@ -252,7 +252,7 @@ spec:
252252
secretName: combined-ca-bundle
253253
- name: ssh-key-edpm-compute-no-nodes
254254
secret:
255-
defaultMode: 420
255+
defaultMode: 384
256256
items:
257257
- key: ssh-privatekey
258258
path: ssh_key_edpm-compute-no-nodes
@@ -352,7 +352,7 @@ spec:
352352
volumes:
353353
- name: ssh-key-edpm-compute-no-nodes
354354
secret:
355-
defaultMode: 420
355+
defaultMode: 384
356356
items:
357357
- key: ssh-privatekey
358358
path: ssh_key_edpm-compute-no-nodes
@@ -452,7 +452,7 @@ spec:
452452
volumes:
453453
- name: ssh-key-edpm-compute-no-nodes
454454
secret:
455-
defaultMode: 420
455+
defaultMode: 384
456456
items:
457457
- key: ssh-privatekey
458458
path: ssh_key_edpm-compute-no-nodes
@@ -552,7 +552,7 @@ spec:
552552
volumes:
553553
- name: ssh-key-edpm-compute-no-nodes
554554
secret:
555-
defaultMode: 420
555+
defaultMode: 384
556556
items:
557557
- key: ssh-privatekey
558558
path: ssh_key_edpm-compute-no-nodes
@@ -700,7 +700,7 @@ spec:
700700
secretName: combined-ca-bundle
701701
- name: ssh-key-edpm-compute-no-nodes
702702
secret:
703-
defaultMode: 420
703+
defaultMode: 384
704704
items:
705705
- key: ssh-privatekey
706706
path: ssh_key_edpm-compute-no-nodes
@@ -810,7 +810,7 @@ spec:
810810
secretName: combined-ca-bundle
811811
- name: ssh-key-edpm-compute-no-nodes
812812
secret:
813-
defaultMode: 420
813+
defaultMode: 384
814814
items:
815815
- key: ssh-privatekey
816816
path: ssh_key_edpm-compute-no-nodes
@@ -950,7 +950,7 @@ spec:
950950
secretName: combined-ca-bundle
951951
- name: ssh-key-edpm-compute-no-nodes
952952
secret:
953-
defaultMode: 420
953+
defaultMode: 384
954954
items:
955955
- key: ssh-privatekey
956956
path: ssh_key_edpm-compute-no-nodes
@@ -1060,7 +1060,7 @@ spec:
10601060
secretName: combined-ca-bundle
10611061
- name: ssh-key-edpm-compute-no-nodes
10621062
secret:
1063-
defaultMode: 420
1063+
defaultMode: 384
10641064
items:
10651065
- key: ssh-privatekey
10661066
path: ssh_key_edpm-compute-no-nodes
@@ -1170,7 +1170,7 @@ spec:
11701170
secretName: combined-ca-bundle
11711171
- name: ssh-key-edpm-compute-no-nodes
11721172
secret:
1173-
defaultMode: 420
1173+
defaultMode: 384
11741174
items:
11751175
- key: ssh-privatekey
11761176
path: ssh_key_edpm-compute-no-nodes
@@ -1280,7 +1280,7 @@ spec:
12801280
secretName: combined-ca-bundle
12811281
- name: ssh-key-edpm-compute-no-nodes
12821282
secret:
1283-
defaultMode: 420
1283+
defaultMode: 384
12841284
items:
12851285
- key: ssh-privatekey
12861286
path: ssh_key_edpm-compute-no-nodes
@@ -1390,7 +1390,7 @@ spec:
13901390
secretName: combined-ca-bundle
13911391
- name: ssh-key-edpm-compute-no-nodes
13921392
secret:
1393-
defaultMode: 420
1393+
defaultMode: 384
13941394
items:
13951395
- key: ssh-privatekey
13961396
path: ssh_key_edpm-compute-no-nodes
@@ -1530,7 +1530,7 @@ spec:
15301530
secretName: combined-ca-bundle
15311531
- name: ssh-key-edpm-compute-no-nodes
15321532
secret:
1533-
defaultMode: 420
1533+
defaultMode: 384
15341534
items:
15351535
- key: ssh-privatekey
15361536
path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml

Lines changed: 1 addition & 1 deletion
@@ -90,7 +90,7 @@ spec:
9090
volumes:
9191
- name: ssh-key-edpm-compute-no-nodes
9292
secret:
93-
defaultMode: 420
93+
defaultMode: 384
9494
items:
9595
- key: ssh-privatekey
9696
path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml

Lines changed: 1 addition & 1 deletion
@@ -165,7 +165,7 @@ spec:
165165
secretName: combined-ca-bundle
166166
- name: ssh-key-edpm-compute-no-nodes
167167
secret:
168-
defaultMode: 420
168+
defaultMode: 384
169169
items:
170170
- key: ssh-privatekey
171171
path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml

Lines changed: 2 additions & 2 deletions
@@ -157,7 +157,7 @@ spec:
157157
secretName: combined-ca-bundle
158158
- name: ssh-key-edpm-compute-beta-nodeset
159159
secret:
160-
defaultMode: 420
160+
defaultMode: 384
161161
items:
162162
- key: ssh-privatekey
163163
path: ssh_key_edpm-compute-beta-nodeset
@@ -258,7 +258,7 @@ spec:
258258
volumes:
259259
- name: ssh-key-edpm-compute-beta-nodeset
260260
secret:
261-
defaultMode: 420
261+
defaultMode: 384
262262
items:
263263
- key: ssh-privatekey
264264
path: ssh_key_edpm-compute-beta-nodeset

test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ spec:
8585
volumes:
8686
- name: ssh-key-edpm-compute-no-nodes
8787
secret:
88-
defaultMode: 420
88+
defaultMode: 384
8989
items:
9090
- key: ssh-privatekey
9191
path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml

Lines changed: 2 additions & 2 deletions
@@ -249,7 +249,7 @@ spec:
249249
secretName: combined-ca-bundle
250250
- name: ssh-key-openstack-edpm-tls
251251
secret:
252-
defaultMode: 420
252+
defaultMode: 384
253253
items:
254254
- key: ssh-privatekey
255255
path: ssh_key_openstack-edpm-tls
@@ -361,7 +361,7 @@ spec:
361361
secretName: combined-ca-bundle
362362
- name: ssh-key-openstack-edpm-tls
363363
secret:
364-
defaultMode: 420
364+
defaultMode: 384
365365
items:
366366
- key: ssh-privatekey
367367
path: ssh_key_openstack-edpm-tls
