Merge pull request #20194 from umohnani8/kube-mode

Add DefaultMode to kube play

Author: openshift-merge-robot

pkg/domain/infra/abi/play.go

@@ -628,6 +628,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 if err != nil || mountPoint == "" {
 return nil, nil, fmt.Errorf("unable to get mountpoint of volume %q: %w", vol.Name(), err)
 }
+defaultMode := v.DefaultMode
 // Create files and add data to the volume mountpoint based on the Items in the volume
 for k, v := range v.Items {
 dataPath := filepath.Join(mountPoint, k)
@@ -640,6 +641,10 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 if err != nil {
 return nil, nil, err
 }
+// Set file permissions
+if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
+return nil, nil, err
+}
 }
 }
 }

pkg/specgen/generate/kube/volume.go

@@ -51,6 +51,9 @@ type KubeVolume struct {
 // If the volume is optional, we can move on if it is not found
 // Only used when there are volumes in a yaml that refer to a configmap
 Optional bool
+// DefaultMode sets the permissions on files created for the volume
+// This is optional and defaults to 0644
+DefaultMode int32
 }
 
 // Create a KubeVolume from an HostPathVolumeSource
@@ -135,9 +138,18 @@ func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource, mountLabel string) (*
 // VolumeFromSecret creates a new kube volume from a kube secret.
 func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error) {
 kv := &KubeVolume{
-Type: KubeVolumeTypeSecret,
-Source: secretSource.SecretName,
-Items: map[string][]byte{},
+Type: KubeVolumeTypeSecret,
+Source: secretSource.SecretName,
+Items: map[string][]byte{},
+DefaultMode: v1.SecretVolumeSourceDefaultMode,
+}
+// Set the defaultMode if set in the kube yaml
+validMode, err := isValidDefaultMode(secretSource.DefaultMode)
+if err != nil {
+return nil, fmt.Errorf("invalid DefaultMode for secret %q: %w", secretSource.SecretName, err)
+}
+if validMode {
+kv.DefaultMode = *secretSource.DefaultMode
 }
 
 // returns a byte array of a kube secret data, meaning this needs to go into a string map
@@ -191,8 +203,9 @@ func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource
 func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error) {
 var configMap *v1.ConfigMap
 kv := &KubeVolume{
-Type: KubeVolumeTypeConfigMap,
-Items: map[string][]byte{},
+Type: KubeVolumeTypeConfigMap,
+Items: map[string][]byte{},
+DefaultMode: v1.ConfigMapVolumeSourceDefaultMode,
 }
 for _, cm := range configMaps {
 if cm.Name == configMapVolumeSource.Name {
@@ -203,6 +216,14 @@ func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, config
 break
 }
 }
+// Set the defaultMode if set in the kube yaml
+validMode, err := isValidDefaultMode(configMapVolumeSource.DefaultMode)
+if err != nil {
+return nil, fmt.Errorf("invalid DefaultMode for configMap %q: %w", configMapVolumeSource.Name, err)
+}
+if validMode {
+kv.DefaultMode = *configMapVolumeSource.DefaultMode
+}
 
 if configMap == nil {
 // If the volumeSource was optional, move on even if a matching configmap wasn't found
@@ -279,3 +300,14 @@ func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, secre
 
 return volumes, nil
 }
+
+// isValidDefaultMode returns true if mode is between 0 and 0777
+func isValidDefaultMode(mode *int32) (bool, error) {
+if mode == nil {
+return false, nil
+}
+if *mode >= 0 && *mode <= int32(os.ModePerm) {
+return true, nil
+}
+return false, errors.New("must be between 0000 and 0777")
+}