theatre-secrets is intended to be able to run as non-root users as commented here. However, when injecting secrets into named files with vault-file: it creates parent directories with the 0600 permissions mask which prevents it from listing the files in said directories later on if running as non-root when it attempts to create the secret files:
app ts=2024-02-02T16:06:24.809590985Z caller=theatre-secrets/main.go:63 msg="exiting with error" error="failed to ensure path structure is available: mkdir /tmp/secrets/app: permission denied" errorVerbose="mkdir /tmp/secrets/app: permission denied\nfailed to ensure path structure is available\nmain.mainError\n\t
This change ensures that all directories created by theatre-secrets to store secret files are created with rwx permissions (read/write/list-files).
Tested by deploying to lab using tanka (changes here). Verified that the new non-root Atlantis came up healthy in lab with the new version of theatre-secrets deployed.
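As an added illustration (not theatre-secrets' own code) of the failure mode described above: a directory created with mode 0600 lacks the owner execute (search) bit, so a non-root process cannot create files under it, while 0700 keeps the directory private and still usable. The function names and the temp-dir layout are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Directory modes as used before and after the fix described in the PR.
const (
	brokenDirMode = 0o600 // rw- for owner: no execute bit, so even the owner cannot traverse it
	fixedDirMode  = 0o700 // rwx for owner: traversal and file creation work for a non-root user
)

// ownerCanTraverse reports whether a mode grants the owner the execute
// (search) bit, which a non-root process needs to create files in a directory.
func ownerCanTraverse(mode os.FileMode) bool {
	return mode.Perm()&0o100 != 0
}

// ensureSecretDir creates dir (and parents) with the given mode and then
// checks the resulting directory is traversable by its owner, so the problem
// surfaces here rather than as a later "permission denied" on mkdir/create.
func ensureSecretDir(dir string, mode os.FileMode) error {
	if err := os.MkdirAll(dir, mode); err != nil {
		return fmt.Errorf("failed to ensure path structure is available: %w", err)
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !ownerCanTraverse(info.Mode()) {
		return fmt.Errorf("directory %s has mode %#o: owner cannot traverse it", dir, info.Mode().Perm())
	}
	return nil
}

func main() {
	// Constructed demo: one directory per mode under a fresh temp dir.
	base, err := os.MkdirTemp("", "secrets-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, mode := range []os.FileMode{brokenDirMode, fixedDirMode} {
		dir := filepath.Join(base, fmt.Sprintf("app-%#o", mode))
		fmt.Printf("mode %#o: %v\n", mode, ensureSecretDir(dir, mode))
	}
}
```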