[linstor-gui] Fix secret mount mode so nginx can read mTLS client certs

The linstor-client-tls secret was mounted with defaultMode 0400 and
owned by root, so the nginx process (UID 101) got EACCES on tls.crt
and crash-looped with:

  [emerg] cannot load certificate "/etc/linstor/client/tls.crt":
  BIO_new_file() failed ... Permission denied

Set defaultMode to 0444. The secret volume is pod-local and
readOnlyRootFilesystem is on, so making it world-readable inside the
pod is not a broader disclosure.

Verified on dev10: pod Ready, /healthz 200, /v1/nodes proxied through
mTLS to linstor-controller:3371 returns real node data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
This commit is contained in:
Myasnikov Daniil 2026-04-13 12:41:58 +05:00
parent ba9f9e9f2c
commit 4b76a93dc1
No known key found for this signature in database
GPG key ID: FA953A439C637F04

View file

@ -93,7 +93,9 @@ spec:
- name: linstor-client-tls
secret:
secretName: {{ .Values.linstor.clientSecret }}
defaultMode: 0400
# 0444 so nginx (UID 101) can read the mTLS client keypair;
# the secret volume is pod-local, not a broader disclosure.
defaultMode: 0444
- name: tmp
emptyDir: {}
- name: nginx-cache