remove the path if it exists before writing pki data.

If setfacl is called before chmod g+r at any point during the lifetime of
the cluster, then the default group does not have read permissions on the
file, so we explicitly grant the default group read permissions. See
https://gist.github.com/mmdriley/85ca34f711acbec4b1b94902add488e5 for a
repro.
Vinayak Goyal 2021-06-18 11:03:37 -07:00
parent ab7d8b5b5b
commit 774d228637


@ -626,6 +626,8 @@ function append_or_replace_prefixed_line {
function write-pki-data {
local data="${1}"
local path="${2}"
# remove the path if it exists
rm -f "${path}"
if [[ -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
(umask 027; echo "${data}" | base64 --decode > "${path}")
chgrp "${KUBE_PKI_READERS_GROUP:-}" "${path}"