From 774d228637d7ae3aab8f553dd746db981dc4bf2e Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Fri, 18 Jun 2021 11:03:37 -0700
Subject: [PATCH] remove the path if it exists before writing pki data. if setfacl is called before chmod g+r at anypoint during the lifetime of the cluster then the default group does not have read permissions on the file. so we explicitly grant the default group read permissions. See https://gist.github.com/mmdriley/85ca34f711acbec4b1b94902add488e5 for a repro.
---
cluster/gce/gci/configure-helper.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 200ef36af39..aee4ff19fef 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -626,6 +626,8 @@ function append_or_replace_prefixed_line {
 function write-pki-data {
 local data="${1}"
 local path="${2}"
+ # remove the path if it exists
+ rm -f "${path}"
 if [[ -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
 (umask 027; echo "${data}" | base64 --decode > "${path}")
 chgrp "${KUBE_PKI_READERS_GROUP:-}" "${path}"
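Review bot: The added `rm -f "${path}"` together with the truncating redirect two lines below makes the replacement non-atomic: between the rm and the redirect the path is gone, until `base64 --decode` finishes and `chgrp` runs it exists empty or partial with the wrong group, and a decode failure now leaves no usable file at all instead of the previous one. Building the file next to its destination with `mktemp` and renaming it into place after the permission fix-ups keeps the commit's intent (a fresh inode with no stale ACL or mode, and no writing through a pre-existing symlink) while closing that window; `mktemp` creates the file 0600, so the group branch has to set the 0640 that `umask 027` used to yield on a freshly created file. The closing `mv -f -- "${tmp}" "${path}"` belongs after the `fi`, and the rest of write-pki-data, including its else branch, is outside the hunk, so that part of the change is not shown here. Whether a failed rm, decode or redirect aborts the script depends on a `set -e` that is not visible in this hunk.
```shell
  local path="${2}"
  # Build the file beside its destination and rename it into place: the path
  # never exists empty or with stale ACLs/modes, a failed decode leaves the old
  # file intact, and the rename replaces a pre-existing symlink rather than
  # writing through it.
  local tmp
  tmp="$(mktemp "${path}.XXXXXX")" || return 1
  if [[ -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
    echo "${data}" | base64 --decode > "${tmp}" || { rm -f "${tmp}"; return 1; }
    # mktemp creates the file 0600; restore the 0640 that umask 027 produced.
    chmod 0640 "${tmp}"
    chgrp "${KUBE_PKI_READERS_GROUP:-}" "${tmp}"
    # … unchanged: remaining permission handling, pointed at "${tmp}" …
```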