Be able to specify mode/permissions of files #167

Closed
ctryti opened this issue Jul 28, 2022 · 2 comments · Fixed by hashicorp/vault#16506
Comments

@ctryti
ctryti commented Jul 28, 2022

It would be great if we could specify the mode of files fetched from Vault. The specific use-case I have at the moment is fetching an ssh-key from Vault, which needs to be set to 0600 in order to be used by ssh.
According to kubernetes-sigs/secrets-store-csi-driver#722 this has to be implemented in each csi-driver.

Azure's driver has this capability, used like this:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    [...]
    objects:  |
      array:
        - |
          objectName: secret1
          objectAlias: SECRET_1      # [OPTIONAL available for version > 0.0.4] object alias
          objectType: secret         # object types: secret, key or cert. For Key Vault certificates, refer to https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/getting-certs-and-keys/ for the object type to use
          objectVersion: ""          # [OPTIONAL] object versions, default to latest if empty
          objectVersionHistory: 5    # [OPTIONAL] if greater than 1, the number of versions to sync starting at the specified version.
          filePermission: 0755       # [OPTIONAL] permission for secret file being mounted into the pod, default is 0644 if not specified.
    [...]
```

(https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/)

@tomhjp
Contributor

tomhjp commented Jul 29, 2022

Oops, this capability got added in #139, but I forgot to update the documentation. I've opened hashicorp/vault#16506 to add that. Note though that the owner of the files will still be the root user, so this isn't perfect yet: kubernetes-sigs/secrets-store-csi-driver#858

@ctryti
Author

ctryti commented Aug 1, 2022

Nice that permissions are already implemented, but that owner issue will cause us other problems. We'll just have to work around it for now.

Thanks!
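The two constraints raised in this thread (ssh wants the key at 0600, and a root-owned file is useless to a non-root pod user) can be checked on the mounted file itself. The following is an added example, not code from this issue or from the Vault CSI provider; it writes constructed stand-in key files into a temporary directory instead of a real CSI mount, and the path and file names are assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional


def check_private_key_file(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return the reasons a process running as `expected_uid` could not use
    `path` as an SSH private key: ssh refuses group/world-accessible keys,
    and a 0600 file owned by another uid (e.g. root) cannot be read at all."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access; ssh expects 0600")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, not uid {expected_uid}")
        if not mode & stat.S_IROTH:
            # Group membership is ignored here: with no other-read bit, a
            # non-owner outside the file's group cannot open the key.
            problems.append("unreadable to the expected uid (no other-read bit)")
    return problems


def write_mounted_secret(directory: str, name: str, data: bytes, mode: int) -> str:
    """Stand-in for a CSI provider writing a secret file with a given mode
    (constructed for this example; no provider is involved)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # apply the requested mode regardless of umask
    return path


def demo() -> Dict[str, List[str]]:
    """Write one key with the 0644 default quoted in the Azure snippet and one
    with 0600, then report which of them ssh would accept for the current user."""
    key = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder body\n"
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        default_path = write_mounted_secret(d, "id_default", key, 0o644)
        strict_path = write_mounted_secret(d, "id_strict", key, 0o600)
        return {
            "0644": check_private_key_file(default_path, me),
            "0600": check_private_key_file(strict_path, me),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Running the same check against a file owned by root inside a non-root container reports the owner mismatch that the second comment describes, even when the mode is already 0600.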
