Set SSH private key file permissions to 0600

OpenSSH requires private keys to have mode 0600 when the file owner
matches the process UID. With restricted-v2 SCC (default), the process
runs as a random UID different from the file owner, so OpenSSH skips
the check. But when using NFS mounts for development (hostmount-anyuid
SCC), ansible-ee containers run as root which matches the key file
owner, triggering the strict permission check.

Set defaultMode to 384 (0600) for SSH key volumes to ensure OpenSSH
accepts the key.

Signed-off-by: rabi <ramishra@redhat.com>

Author: rabi

internal/dataplane/util/ansible_execution.go

@@ -30,6 +30,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
@@ -324,7 +325,7 @@ func SetAeeSSHMounts(
 		sshKeyMountSubPath = fmt.Sprintf("ssh_key_%s", sshKeyNodeName)
 		sshKeyMountPath = fmt.Sprintf("/runner/env/ssh_key/%s", sshKeyMountSubPath)
 
-		CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey")
+		CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey", ptr.To(int32(0600)))
 		CreateVolumeMount(ansibleEEMounts, sshKeyName, sshKeyMountPath, sshKeyMountSubPath)
 	}
 }
@@ -361,18 +362,20 @@ func SetAeeInvMounts(
 			inventoryMountPath = "/runner/inventory/hosts"
 		}
 
-		CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory")
+		CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory", nil)
 		CreateVolumeMount(ansibleEEMounts, inventoryName, inventoryMountPath, inventoryName)
 	}
 }
 
 // CreateVolume creates a volume configuration for Ansible Execution Environment mounts
-func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string) {
+// If defaultMode is nil, Kubernetes default (0644) is used
+func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string, defaultMode *int32) {
 	volume := storage.Volume{
 		Name: volumeName,
 		VolumeSource: storage.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: secretName,
+				SecretName:  secretName,
+				DefaultMode: defaultMode,
 				Items: []corev1.KeyToPath{
 					{
 						Key:  keyToPathKey,

test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml

@@ -162,7 +162,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -258,7 +258,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -362,7 +362,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -460,7 +460,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -558,7 +558,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -656,7 +656,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -808,7 +808,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -917,7 +917,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1056,7 +1056,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1165,7 +1165,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1274,7 +1274,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1383,7 +1383,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1492,7 +1492,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1631,7 +1631,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global

test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml

@@ -151,7 +151,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset
@@ -254,7 +254,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset

test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml

@@ -212,7 +212,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls
@@ -319,7 +319,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls

test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml

@@ -147,7 +147,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -252,7 +252,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -352,7 +352,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -452,7 +452,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -552,7 +552,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -700,7 +700,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -810,7 +810,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -950,7 +950,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1060,7 +1060,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1170,7 +1170,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1280,7 +1280,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1390,7 +1390,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1530,7 +1530,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml

@@ -90,7 +90,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml

@@ -165,7 +165,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml

@@ -157,7 +157,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset
@@ -258,7 +258,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset

test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml

@@ -85,7 +85,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml

@@ -249,7 +249,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls
@@ -361,7 +361,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls