hashicorp · tomhjp · Mar 1, 2022 · Feb 6, 2022 · Feb 11, 2022 · Feb 11, 2022
@@ -11,6 +11,7 @@ IMPROVEMENTS:
   * `-vault-tls-client-key`
   * `-vault-tls-skip-verify`
 * Add an optional SecretProviderClass parameter `audience` to customize the `aud` claim in the JWT [[GH-144](https://github.com/hashicorp/vault-csi-provider/pull/144)]
+* New SecretProviderClass field `filePermission` can be used per-secret to set the file permissions it is written with. [[GH-139](https://github.com/hashicorp/vault-csi-provider/pull/139)]
 
 ## 1.0.0 (January 25th, 2022)
 

@@ -1,6 +1,6 @@
 module github.com/hashicorp/vault-csi-provider
 
-go 1.12
+go 1.13
 
 require (
 	github.com/hashicorp/go-hclog v1.0.0

@@ -79,11 +79,12 @@ type PodInfo struct {
 }
 
 type Secret struct {
-	ObjectName string                 `yaml:"objectName,omitempty"`
-	SecretPath string                 `yaml:"secretPath,omitempty"`
-	SecretKey  string                 `yaml:"secretKey,omitempty"`
-	Method     string                 `yaml:"method,omitempty"`
-	SecretArgs map[string]interface{} `yaml:"secretArgs,omitempty"`
+	ObjectName     string                 `yaml:"objectName,omitempty"`
+	SecretPath     string                 `yaml:"secretPath,omitempty"`
+	SecretKey      string                 `yaml:"secretKey,omitempty"`
+	Method         string                 `yaml:"method,omitempty"`
+	SecretArgs     map[string]interface{} `yaml:"secretArgs,omitempty"`
+	FilePermission os.FileMode            `yaml:"filePermission,omitempty"`
 }
 
 func Parse(parametersStr, targetPath, permissionStr string) (Config, error) {

@@ -12,7 +12,7 @@ import (
 )
 
 const (
-	objects      = "-\n  secretPath: \"v1/secret/foo1\"\n  objectName: \"bar1\""
+	objects      = "-\n  secretPath: \"v1/secret/foo1\"\n  objectName: \"bar1\"\n  filePermission: 0600"
 	certsSPCYaml = `apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
@@ -92,8 +92,8 @@ func TestParseParameters(t *testing.T) {
 			Insecure: true,
 		},
 		Secrets: []Secret{
-			{"bar1", "v1/secret/foo1", "", "GET", nil},
-			{"bar2", "v1/secret/foo2", "", "", nil},
+			{"bar1", "v1/secret/foo1", "", "GET", nil, 0},
+			{"bar2", "v1/secret/foo2", "", "", nil, 0},
 		},
 		PodInfo: PodInfo{
 			Name:               "nginx-secrets-store-inline",
@@ -131,7 +131,7 @@ func TestParseConfig(t *testing.T) {
 					expected.VaultRoleName = roleName
 					expected.VaultTLSConfig.Insecure = true
 					expected.Secrets = []Secret{
-						{"bar1", "v1/secret/foo1", "", "", nil},
+						{"bar1", "v1/secret/foo1", "", "", nil, 0o600},
 					}
 					return expected
 				}(),
@@ -167,7 +167,7 @@ func TestParseConfig(t *testing.T) {
 					VaultNamespace:           "my-vault-namespace",
 					VaultKubernetesMountPath: "my-mount-path",
 					Secrets: []Secret{
-						{"bar1", "v1/secret/foo1", "", "", nil},
+						{"bar1", "v1/secret/foo1", "", "", nil, 0o600},
 					},
 					VaultTLSConfig: api.TLSConfig{
 						CACert:        "my-ca-cert-path",

@@ -257,7 +257,11 @@ func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, fl
 		}
 		versions[fmt.Sprintf("%s:%s:%s", secret.ObjectName, secret.SecretPath, secret.Method)] = "0"
 
-		files = append(files, &pb.File{Path: secret.ObjectName, Mode: int32(cfg.FilePermission), Contents: content})
+		filePermission := int32(cfg.FilePermission)
+		if secret.FilePermission != 0 {
+			filePermission = int32(secret.FilePermission)
+		}
+		files = append(files, &pb.File{Path: secret.ObjectName, Mode: filePermission, Contents: content})
 		p.logger.Info("secret added to mount response", "directory", cfg.TargetPath, "file", secret.ObjectName)
 	}
 

@@ -11,6 +11,7 @@ spec:
       - objectName: "secret-1"
         secretPath: "secret/data/kv1"
         secretKey: "bar1"
+        filePermission: 0600
       - objectName: "secret-2"
         secretPath: "secret/data/kv2"
         secretKey: "bar2"
@@ -150,8 +150,16 @@ teardown(){
     result=$(kubectl --namespace=test exec nginx-kv -- cat /mnt/secrets-store/secret-1)
     [[ "$result" == "hello1" ]]
 
+    # Check file permission is non-default
+    result=$(kubectl --namespace=test exec nginx-kv -- stat -c '%a' /mnt/secrets-store/..data/secret-1)
+    [[ "$result" == "600" ]]
+
     result=$(kubectl --namespace=test exec nginx-kv -- cat /mnt/secrets-store/secret-2)
     [[ "$result" == "hello2" ]]
+
+    # Check file permission is default
+    result=$(kubectl --namespace=test exec nginx-kv -- stat -c '%a' /mnt/secrets-store/..data/secret-2)
+    [[ "$result" == "644" ]]
 }
 
 @test "2 Sync with kubernetes secrets" {