[linstor-gui] Fix secret mount mode so nginx can read mTLS client certs
The linstor-client-tls secret was mounted with defaultMode 0400 and owned by root, so the nginx process (UID 101) got EACCES on tls.crt and crash-looped with: [emerg] cannot load certificate "/etc/linstor/client/tls.crt": BIO_new_file() failed ... Permission denied Set defaultMode to 0444. The secret volume is pod-local and readOnlyRootFilesystem is on, so making it world-readable inside the pod is not a broader disclosure. Verified on dev10: pod Ready, /healthz 200, /v1/nodes proxied through mTLS to linstor-controller:3371 returns real node data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
This commit is contained in:
parent
ba9f9e9f2c
commit
4b76a93dc1
1 changed files with 3 additions and 1 deletions
|
|
@ -93,7 +93,9 @@ spec:
|
|||
- name: linstor-client-tls
|
||||
secret:
|
||||
secretName: {{ .Values.linstor.clientSecret }}
|
||||
defaultMode: 0400
|
||||
# 0444 so nginx (UID 101) can read the mTLS client keypair;
|
||||
# the secret volume is pod-local, not a broader disclosure.
|
||||
defaultMode: 0444
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
- name: nginx-cache
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue