gocardless / theatre

GoCardless' collection of Kubernetes extensions
MIT License

[CI-2501]: Fix theatre-secrets `vault-file:` behaviour failing when running as non-root #332

Closed ijames-gc closed 5 months ago

ijames-gc commented 5 months ago

theatre-secrets is intended to be able to run as non-root users as commented here. However, when injecting secrets into named files with vault-file: it creates parent directories with the 0600 permissions mask which prevents it from listing the files in said directories later on if running as non-root when it attempts to create the secret files:

app ts=2024-02-02T16:06:24.809590985Z caller=theatre-secrets/main.go:63 msg="exiting with error" error="failed to ensure path structure is available: mkdir /tmp/secrets/app: permission denied" errorVerbose="mkdir /tmp/secrets/app: permission denied\nfailed to ensure path structure is available\nmain.mainError\n\t

This change ensures that all directories created by theatre-secrets to store secret files are created with rwx permissions (read/write/list-files).

Tested by deploying to lab using tanka (changes here). Verified that the new non-root Atlantis came up healthy in lab with the new version of theatre-secrets deployed.
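As an added illustration of the failure described above (example code, not from the theatre repository), this contrasts parent directories created with a 0600 mask against owner rwx (0700, assumed here to be what the fix applies). The `ensureDir` helper and the `app-secret` path are hypothetical stand-ins for theatre-secrets' own path-structure code.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Directory modes contrasted here: the owner read/write mask the PR says
// theatre-secrets applied to parent directories (assumed to be 0600) and owner
// rwx, which a directory needs before its owner can list it or create files in it.
const (
	brokenDirMode = os.FileMode(0o600)
	fixedDirMode  = os.FileMode(0o700)
)

// ensureDir creates the missing parents of secretFile with dirMode and returns
// the permission bits recorded on the leaf directory (hypothetical helper).
func ensureDir(secretFile string, dirMode os.FileMode) (os.FileMode, error) {
	dir := filepath.Dir(secretFile)
	if err := os.MkdirAll(dir, dirMode); err != nil {
		return 0, fmt.Errorf("failed to ensure path structure is available: %w", err)
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// ownerCanEnter reports whether the owner search (execute) bit is set; without it a
// non-root owner cannot mkdir or create files beneath the directory (root bypasses this).
func ownerCanEnter(mode os.FileMode) bool {
	return mode&0o100 != 0
}

func main() {
	base, _ := os.MkdirTemp("", "theatre-secrets-demo")
	defer os.RemoveAll(base)
	for name, mode := range map[string]os.FileMode{"broken": brokenDirMode, "fixed": fixedDirMode} {
		secret := filepath.Join(base, name, "app-secret")
		got, err := ensureDir(secret, mode)
		if err != nil {
			panic(err)
		}
		// Writing the secret file succeeds only when the parent is enterable (or we are root).
		werr := os.WriteFile(secret, []byte("constructed-sample-secret\n"), 0o600)
		fmt.Printf("%s: dir mode %04o enterable=%t write err=%v\n", name, got, ownerCanEnter(got), werr)
	}
}
```

Run as a non-root user, the `broken` case reproduces the `permission denied` in the log above; as root the write succeeds, which is why the bug only surfaces once the pod drops root.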