Merge pull request #111 from cdapio/configurable_mount_permissions

Make mount permissions of secrets configurable

controllers/constants.go

@@ -64,13 +64,15 @@ const (
 	confTwillSecurityWorkerSecretDiskName = "twill.security.worker.secret.disk.name"
 	confTwillSecurityWorkerSecretDiskPath = "twill.security.worker.secret.disk.path"
 	confJMXServerPort                     = "jmx.metrics.collector.server.port"
+	confSecretMountDefaultMode            = "secret.mount.default.mode"
 
 	// default values
-	defaultImage              = "gcr.io/cdapio/cdap:latest"
-	defaultRouterPort         = 11015
-	defaultUserInterfacePort  = 11011
-	defaultStorageSize        = "200Gi"
-	defaultSecuritySecretPath = "/etc/cdap/security"
+	defaultImage                  = "gcr.io/cdapio/cdap:latest"
+	defaultRouterPort             = 11015
+	defaultUserInterfacePort      = 11011
+	defaultStorageSize            = "200Gi"
+	defaultSecuritySecretPath     = "/etc/cdap/security"
+	defaultSecretMountDefaultMode = 420
 
 	// kubernetes labels
 	labelInstanceKey        = "cdap.instance"

controllers/deployment.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
+	"strconv"
 	"strings"
 
 	"cdap.io/cdap-operator/api/v1alpha1"
@@ -172,14 +173,20 @@ func buildStatefulSets(master *v1alpha1.CDAPMaster, name string, services Servic
 		return nil, err
 	}
 
+	defaultMode, err := getSecretMountDefaultMode(master)
+	if err != nil {
+		return nil, err
+	}
+
 	spec := newStatefulSpec(master, objName, labels, cconf, hconf, sysappconf).
 		setServiceAccountName(serviceAccount).
 		setNodeSelector(nodeSelector).
 		setRuntimeClassName(runtimeClass).
 		setPriorityClassName(priorityClass).
 		setSecurityContext(securityContext).
 		setReplicas(replicas).
-		setAffinity(affinity)
+		setAffinity(affinity).
+		setSecretMountDefaultMode(defaultMode)
 
 	// Add init container
 	spec = spec.withInitContainer(
@@ -317,14 +324,20 @@ func buildDeployment(master *v1alpha1.CDAPMaster, name string, services ServiceG
 		return nil, err
 	}
 
+	defaultMode, err := getSecretMountDefaultMode(master)
+	if err != nil {
+		return nil, err
+	}
+
 	spec := newDeploymentSpec(master, objName, labels, cconf, hconf, sysappconf).
 		setServiceAccountName(serviceAccount).
 		setNodeSelector(nodeSelector).
 		setRuntimeClassName(runtimeClass).
 		setPriorityClassName(priorityClass).
 		setReplicas(replicas).
 		setSecurityContext(securityContext).
-		setAffinity(affinity)
+		setAffinity(affinity).
+		setSecretMountDefaultMode(defaultMode)
 
 	// Add each service as a container
 	for _, s := range services {
@@ -703,6 +716,19 @@ func getAffinity(master *v1alpha1.CDAPMaster, services ServiceGroup) (*corev1.Af
 	return nil, fmt.Errorf("unable to cast value of type %T into Affinity", val)
 }
 
+// Return the default secret mount permissions.
+func getSecretMountDefaultMode(master *v1alpha1.CDAPMaster) (int32, error) {
+	val, ok := master.Spec.Config[confSecretMountDefaultMode]
+	if !ok {
+		return defaultSecretMountDefaultMode, nil
+	}
+	i, err := strconv.ParseInt(val, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return int32(i), nil
+}
+
 // getReplicas returns the Replicas if all supplied services have the same setting, otherwise return an error
 func getReplicas(master *v1alpha1.CDAPMaster, services ServiceGroup) (int32, error) {
 	replicas := int32(0)

controllers/spec.go

@@ -147,6 +147,7 @@ type BaseSpec struct {
 	AdditionalVolumeMounts []corev1.VolumeMount      `json:"additionalVolumeMounts,omitempty"`
 	SecurityContext        *v1alpha1.SecurityContext `json:"securityContext,omitempty"`
 	Affinity               *corev1.Affinity          `json:"affinity,omitemtpy"`
+	SecretMountDefaultMode int32                     `json:"secretMountDefaultSecret,omitemtpy"`
 }
 
 func newBaseSpec(master *v1alpha1.CDAPMaster, name string, labels map[string]string, cconf, hconf, sysappconf string) *BaseSpec {
@@ -180,6 +181,11 @@ func (s *BaseSpec) setAffinity(affinity *corev1.Affinity) *BaseSpec {
 	return s
 }
 
+func (s *BaseSpec) setSecretMountDefaultMode(mode int32) *BaseSpec {
+	s.SecretMountDefaultMode = mode
+	return s
+}
+
 func (s *BaseSpec) setReplicas(replicas int32) *BaseSpec {
 	s.Replicas = replicas
 	return s
@@ -369,6 +375,11 @@ func (s *DeploymentSpec) setAffinity(affinity *corev1.Affinity) *DeploymentSpec
 	return s
 }
 
+func (s *DeploymentSpec) setSecretMountDefaultMode(mode int32) *DeploymentSpec {
+	s.Base.setSecretMountDefaultMode(mode)
+	return s
+}
+
 // For VolumnClaimTemplate in Statefulset
 type StorageSpec struct {
 	StorageClassName string `json:"storageClassName,omitempty"`
@@ -411,6 +422,11 @@ func (s *StatefulSpec) setAffinity(affinity *corev1.Affinity) *StatefulSpec {
 	return s
 }
 
+func (s *StatefulSpec) setSecretMountDefaultMode(mode int32) *StatefulSpec {
+	s.Base.setSecretMountDefaultMode(mode)
+	return s
+}
+
 func (s *StatefulSpec) setReplicas(replicas int32) *StatefulSpec {
 	s.Base.setReplicas(replicas)
 	return s

controllers/testdata/appfabric.json

@@ -407,4 +407,4 @@
     "replicas": 0,
     "updatedReplicas": 1
   }
-}
+}

controllers/testdata/artifactcache.json

@@ -102,6 +102,7 @@
           {
             "name":"cdap-security",
             "secret":{
+              "defaultMode": 420,
               "secretName":"cdap-secret"
             }
           },
@@ -120,6 +121,7 @@
           {
             "name":"cdap-se-vol-my-secret-1",
             "secret":{
+              "defaultMode": 420,
               "secretName":"my-secret-1"
             }
           },

controllers/testdata/authentication.json

@@ -240,6 +240,7 @@
           {
             "name": "cdap-se-vol-secret-key",
             "secret": {
+              "defaultMode": 420,
               "secretName": "secret-key"
             }
           },

controllers/testdata/router.json

@@ -260,6 +260,7 @@
           {
             "name": "cdap-se-vol-secret-key",
             "secret": {
+              "defaultMode": 420,
               "secretName": "secret-key"
             }
           },
@@ -319,4 +320,4 @@
     "replicas": 2,
     "updatedReplicas": 2
   }
-}
+}

controllers/testdata/supportbundle.json

@@ -102,6 +102,7 @@
           {
             "name":"cdap-security",
             "secret":{
+              "defaultMode": 420,
               "secretName":"cdap-secret"
             }
           },
@@ -120,6 +121,7 @@
           {
             "name":"cdap-se-vol-my-secret-1",
             "secret":{
+              "defaultMode": 420,
               "secretName":"my-secret-1"
             }
           },

controllers/testdata/tetheringagent.json

@@ -102,6 +102,7 @@
           {
             "name":"cdap-security",
             "secret":{
+              "defaultMode": 420,
               "secretName":"cdap-secret"
             }
           },
@@ -120,6 +121,7 @@
           {
             "name":"cdap-se-vol-my-secret-1",
             "secret":{
+              "defaultMode": 420,
               "secretName":"my-secret-1"
             }
           },

templates/cdap-deployment.yaml

@@ -164,6 +164,7 @@ spec:
         {{if .Base.SecuritySecret}}
         - name: cdap-security
           secret:
+            defaultMode: {{$.Base.SecretMountDefaultMode}}
             secretName: {{.Base.SecuritySecret}}
         {{end}}
         {{range $k,$v := $.Base.ConfigMapVolumes}}
@@ -174,5 +175,6 @@ spec:
         {{range $k,$v := $.Base.SecretVolumes}}
         - name: cdap-se-vol-{{$k}}
           secret:
+            defaultMode: {{$.Base.SecretMountDefaultMode}}
             secretName: {{$k}}
         {{end}}

templates/cdap-sts.yaml

@@ -204,6 +204,7 @@ spec:
         {{if $.Base.SecuritySecret}}
         - name: cdap-security
           secret:
+            defaultMode: {{$.Base.SecretMountDefaultMode}}
             secretName: {{$.Base.SecuritySecret}}
         {{end}}
         {{range $k,$v := $.Base.ConfigMapVolumes}}
@@ -214,6 +215,7 @@ spec:
         {{range $k,$v := $.Base.SecretVolumes}}
         - name: cdap-se-vol-{{$k}}
           secret:
+            defaultMode: {{$.Base.SecretMountDefaultMode}}
             secretName: {{$k}}
         {{end}}
   volumeClaimTemplates: