livekit / livekit-helm

LiveKit Helm charts
https://docs.livekit.io
Apache License 2.0

storeKeysInSecret key files secret wrong permissions, livekit error "key file others permissions must be set to 0" #102

Closed paltaa closed 3 months ago

paltaa commented 3 months ago

Hey, I've set storeKeysInSecret to use a secret created with VaultSecretOperator. The secret is being created correctly but livekit is in CrashLoopBackOff with error: key file others permissions must be set to 0

Now after checking the deployment template I can see that defaultMode has permission 0600

        {{- if .Values.storeKeysInSecret.enabled }}
        - name: keys-volume
          secret:
            secretName: {{ (tpl .Values.storeKeysInSecret.existingSecret .) | default (include "livekit-server.fullname" .) }}
            defaultMode: 0600

But then after checking livekit code:

func createKeyProvider(conf *config.Config) (auth.KeyProvider, error) {
    // prefer keyfile if set
    if conf.KeyFile != "" {
        var otherFilter os.FileMode = 0007
        if st, err := os.Stat(conf.KeyFile); err != nil {
            return nil, err
        } else if st.Mode().Perm()&otherFilter != 0000 {
            return nil, fmt.Errorf("key file others permissions must be set to 0")
        }
        f, err := os.Open(conf.KeyFile)
        if err != nil {
            return nil, err
        }
        defer func() {
            _ = f.Close()
        }()
        decoder := yaml.NewDecoder(f)
        if err = decoder.Decode(conf.Keys); err != nil {
            return nil, err
        }
    }

    if len(conf.Keys) == 0 {
        return nil, errors.New("one of key-file or keys must be provided in order to support a secure installation")
    }

    return auth.NewFileBasedKeyProviderFromMap(conf.Keys), nil
}

The function is checking for permissions 0000

davidzhao commented 3 months ago

The logic is comparing the others bit to ensure that it's 0: st.Mode().Perm()&otherFilter != 0000

If this is failing, the most likely explanation is that something has gone wrong in setting the permission of the secret file.
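A stand-alone reproduction of that check, added here as an example (it is not code from livekit-server or from this chart): it applies the same 0007 mask to files created with several modes, so you can see that the chart's defaultMode 0600 passes while anything with an "others" bit set is rejected. File names and key contents are constructed placeholders.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// othersMask selects the rwx bits for "others" (0007), the same mask
// livekit-server applies before it reads the key file.
const othersMask os.FileMode = 0007

// CheckKeyFilePerms mirrors createKeyProvider's test: the file must exist and
// none of the "others" bits may be set. 0600, 0640 and 0660 pass; 0644 and 0604 fail.
func CheckKeyFilePerms(path string) error {
	st, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := st.Mode().Perm(); perm&othersMask != 0 {
		return fmt.Errorf("key file others permissions must be set to 0 (file mode is %04o)", perm)
	}
	return nil
}

// ProbeMode writes a constructed key file into dir, forces the given mode on
// it and reports whether CheckKeyFilePerms accepts it (true) or rejects it.
func ProbeMode(dir string, mode os.FileMode) (bool, error) {
	path := filepath.Join(dir, fmt.Sprintf("secret-keys-%04o.yaml", mode))
	// Constructed placeholder content in the "key: secret" layout livekit expects.
	if err := os.WriteFile(path, []byte("APIplaceholder: placeholder-secret\n"), 0600); err != nil {
		return false, err
	}
	// Chmod explicitly so the process umask cannot change the mode under test.
	if err := os.Chmod(path, mode); err != nil {
		return false, err
	}
	return CheckKeyFilePerms(path) == nil, nil
}

func main() {
	dir, err := os.MkdirTemp("", "lk-keys")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, m := range []os.FileMode{0600, 0640, 0644, 0604} {
		ok, err := ProbeMode(dir, m)
		fmt.Printf("mode %04o accepted=%v err=%v\n", m, ok, err)
	}
}
```

If a mounted secret fails this check, inspect the projected file with `ls -l` inside the pod rather than the Secret object; the error is about the file's mode, not the Secret's contents.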

paltaa commented 3 months ago

Hey! It was my bad: the secret was expected to have the name of the file, not to mount the entire secret as key-value pairs, so my secret looks like:

apiVersion: v1
data:
  secret-keys.yaml: |
    KEY VALUE PAIRS HERE
kind: Secret
metadata:
  name: livekit-api-keys
  namespace: livekit
type: Opaque

And now it's working correctly. Closing the issue but won't delete it in case someone else has this issue in the future.

Values for the values.yaml:

storeKeysInSecret:
  enabled: true
  existingSecret: "livekit-api-keys"
livekit:
  port: 7880
  log_level: debug
  keys: {}
  key_file: secret-keys.yaml

davidzhao commented 3 months ago

Thanks for providing the solution! This example will def help folks.