Uploaded image for project: 'Service Binding'
  1. Service Binding
  2. APPSVC-1127

Allow service bindings to alter file permissions in projected secrets

XMLWordPrintable

    • 3
    • False
    • None
    • False
    • Hide
      By default, the projected files get their permissions set to 0644. {servicebinding-title} cannot set specific permissions due to [a bug in Kubernetes](https://github.com/kubernetes/kubernetes/issues/57923) that causes issues if the service expects specific permissions such as, `0600`. As a workaround, you can modify the code of the program or the application that is running inside a workload resource to copy the file to the `/tmp` directory and set the appropriate permissions.
      Show
      By default, the projected files get their permissions set to 0644. {servicebinding-title} cannot set specific permissions due to [a bug in Kubernetes]( https://github.com/kubernetes/kubernetes/issues/57923 ) that causes issues if the service expects specific permissions such as, `0600`. As a workaround, you can modify the code of the program or the application that is running inside a workload resource to copy the file to the `/tmp` directory and set the appropriate permissions.
    • AppSvc Sprint 221, AppSvc Sprint 222

      Owner: Architect:

      <Architect is responsible for completing this section to define the details of the story>

      Story (Required)

      As an OpenShift user, I want to have projected binding information available with a file mode not the default of 0755.  This allows me to project binding data to applications such as OpenSSL, which requires TLS secrets with a mode of 0400.

      Background (Required)

      Issue #1157 pointed out a deficiency in both the specification and the CoreOS API: it's currently not possible to change the file modes of the data SBO projects solely through a ServiceBinding.  APPSVC-1128 captures the effort to resolve this in the spec API; this story captures the effort to reflect this functionality in the CoreOS API.

      Approach(Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Edge Case

      <Describe edge cases to consider when implementing the story and defining tests>

      Acceptance Criteria

      The default permissions for binding data is to be change for read only for current user.
      Acceptance test added for TLS certificate and key reference inspired by the customer scenario

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated

      Legend

      Unknown
      Verified
      Unsatisfied

        1. issue.yaml
          0.5 kB
        2. t1.diff
          4 kB

            bmuthuka Baiju Muthukadan
            ansadler@redhat.com Andy Sadler
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: