Change default permissions for volumes created from secret (#201)

Author: Nikolas De Giorgis

pkg/controller/mongodb/mongodb_tls_test.go

@@ -46,11 +46,13 @@ func TestStatefulSet_IsCorrectlyConfiguredWithTLS(t *testing.T) {
 			},
 		},
 	})
+	permission := int32(416)
 	assert.Contains(t, sts.Spec.Template.Spec.Volumes, corev1.Volume{
 		Name: "tls-secret",
 		VolumeSource: corev1.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: mdb.TLSOperatorSecretNamespacedName().Name,
+				SecretName:  mdb.TLSOperatorSecretNamespacedName().Name,
+				DefaultMode: &permission,
 			},
 		},
 	})

pkg/kube/statefulset/statefulset.go

@@ -100,11 +100,13 @@ func CreateVolumeFromConfigMap(name, sourceName string) corev1.Volume {
 }
 
 func CreateVolumeFromSecret(name, sourceName string, options ...func(v *corev1.Volume)) corev1.Volume {
+	permission := int32(416)
 	volumeMount := &corev1.Volume{
 		Name: name,
 		VolumeSource: corev1.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: sourceName,
+				SecretName:  sourceName,
+				DefaultMode: &permission,
 			},
 		},
 	}

pkg/kube/statefulset/statefulset_test.go

@@ -98,7 +98,8 @@ func TestAddVolumeAndMount(t *testing.T) {
 	assert.Equal(t, sts.Spec.Template.Spec.Containers[1].VolumeMounts[0].MountPath, "mount-path-secret")
 
 	assert.Len(t, sts.Spec.Template.Spec.Volumes, 2)
-	assert.Equal(t, sts.Spec.Template.Spec.Volumes[1].Name, "mount-name-secret")
+	assert.Equal(t, "mount-name-secret", sts.Spec.Template.Spec.Volumes[1].Name)
+	assert.Equal(t, int32(416), *sts.Spec.Template.Spec.Volumes[1].Secret.DefaultMode)
 	assert.Nil(t, sts.Spec.Template.Spec.Volumes[1].VolumeSource.ConfigMap, "volume should not have been configured from a config map source")
 	assert.NotNil(t, sts.Spec.Template.Spec.Volumes[1].VolumeSource.Secret, "volume should have been configured from a secret source")