fix: Fix insecure file permissions (#47)

* fix: Fix insecure file permissions

* test: Fix a unit test assertion

* chore: Use new octal number format in YAML

Author: siegfriedweber

CHANGELOG.md

@@ -26,6 +26,7 @@ All notable changes to this project will be documented in this file.
 - Add Prometheus labels and annotations to role-group services ([#26]).
 - Helm: Allow Pod `priorityClassName` to be configured ([#34]).
 - Support log configuration and log aggregation ([#40]).
+- Ensure that the permissions of the configuration files are correct ([#47]).
 
 [#10]: https://github.com/stackabletech/opensearch-operator/pull/10
 [#17]: https://github.com/stackabletech/opensearch-operator/pull/17
@@ -34,3 +35,4 @@ All notable changes to this project will be documented in this file.
 [#34]: https://github.com/stackabletech/opensearch-operator/pull/34
 [#38]: https://github.com/stackabletech/opensearch-operator/pull/38
 [#40]: https://github.com/stackabletech/opensearch-operator/pull/40
+[#47]: https://github.com/stackabletech/opensearch-operator/pull/47

docs/modules/opensearch/examples/getting_started/opensearch.yaml

@@ -37,6 +37,7 @@ spec:
           - name: security-config
             secret:
               secretName: opensearch-security-config
+              defaultMode: 0o660
           - name: tls
             ephemeral:
               volumeClaimTemplate:

rust/operator-binary/src/controller/build/role_group_builder.rs

@@ -260,6 +260,7 @@ impl<'a> RoleGroupBuilder<'a> {
             Volume {
                 name: CONFIG_VOLUME_NAME.to_string(),
                 config_map: Some(ConfigMapVolumeSource {
+                    default_mode: Some(0o660),
                     name: self.resource_names.role_group_config_map().to_string(),
                     ..Default::default()
                 }),
@@ -268,6 +269,7 @@ impl<'a> RoleGroupBuilder<'a> {
             Volume {
                 name: LOG_CONFIG_VOLUME_NAME.to_string(),
                 config_map: Some(ConfigMapVolumeSource {
+                    default_mode: Some(0o660),
                     name: log_config_volume_config_map.to_string(),
                     ..Default::default()
                 }),
@@ -1125,12 +1127,14 @@ mod tests {
                             "volumes": [
                                 {
                                     "configMap": {
+                                        "defaultMode": 0o660,
                                         "name": "my-opensearch-cluster-nodes-default"
                                     },
                                     "name": "config"
                                 },
                                 {
                                     "configMap": {
+                                        "defaultMode": 0o660,
                                         "name": "my-opensearch-cluster-nodes-default"
                                     },
                                     "name": "log-config"

tests/templates/kuttl/external-access/opensearch.yaml.j2

@@ -106,6 +106,7 @@ spec:
           - name: security-config
             secret:
               secretName: opensearch-security-config
+              defaultMode: 0o660
           - name: tls
             ephemeral:
               volumeClaimTemplate:

tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2

@@ -63,6 +63,7 @@ spec:
           - name: security-config
             secret:
               secretName: opensearch-security-config
+              defaultMode: 0o660
           - name: tls
             ephemeral:
               volumeClaimTemplate:

tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2

@@ -63,6 +63,7 @@ spec:
           - name: security-config
             secret:
               secretName: opensearch-security-config
+              defaultMode: 0o660
           - name: tls
             ephemeral:
               volumeClaimTemplate:

tests/templates/kuttl/smoke/10-assert.yaml.j2

@@ -246,19 +246,19 @@ spec:
       terminationGracePeriodSeconds: 120
       volumes:
       - configMap:
-          defaultMode: 420
+          defaultMode: 0o660
           name: opensearch-nodes-cluster-manager
         name: config
       - configMap:
-          defaultMode: 420
+          defaultMode: 0o660
           name: opensearch-nodes-cluster-manager
         name: log-config
       - emptyDir:
           sizeLimit: 30Mi
         name: log
       - name: security-config
         secret:
-          defaultMode: 420
+          defaultMode: 0o660
           secretName: opensearch-security-config
       - ephemeral:
           volumeClaimTemplate:
@@ -558,19 +558,19 @@ spec:
       terminationGracePeriodSeconds: 120
       volumes:
       - configMap:
-          defaultMode: 420
+          defaultMode: 0o660
           name: opensearch-nodes-data
         name: config
       - configMap:
-          defaultMode: 420
+          defaultMode: 0o660
           name: opensearch-nodes-data
         name: log-config
       - emptyDir:
           sizeLimit: 30Mi
         name: log
       - name: security-config
         secret:
-          defaultMode: 420
+          defaultMode: 0o660
           secretName: opensearch-security-config
       - ephemeral:
           volumeClaimTemplate:

tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2

@@ -101,6 +101,7 @@ spec:
           - name: security-config
             secret:
               secretName: opensearch-security-config
+              defaultMode: 0o660
           - name: tls
             ephemeral:
               volumeClaimTemplate: