From 6b903badb3a69ecc41384b29fed33ba2dddd2356 Mon Sep 17 00:00:00 2001
From: Ashvin Sharma
Date: Mon, 5 May 2025 21:48:06 +0530
Subject: [PATCH] Grant executable permission on file contents of mountable secret

Specifically for `gl-workspace-variables` secret, since it contains shell scripts that are necessary to run during the container initiailization. Earlier only the owner and the users belonging to the same group as the owner were allowed to execute it. This MR grants `other` users to execute these files.
---
 .../reconcile/reconcile_constants.rb | 2 +-
 .../workspace_operations_constants.rb | 2 +-
 .../desired_config_generator_golden_master_spec.rb | 10 +++++-----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ee/lib/remote_development/workspace_operations/reconcile/reconcile_constants.rb b/ee/lib/remote_development/workspace_operations/reconcile/reconcile_constants.rb
index bd31907166842b..7e8c9925b137ee 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/reconcile_constants.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/reconcile_constants.rb
@@ -15,7 +15,7 @@ module ReconcileConstants
 # Please keep alphabetized
 RUN_AS_USER = 5001
 RUN_POSTSTART_COMMANDS_SCRIPT_NAME = "gl-run-poststart-commands.sh"
- WORKSPACE_SCRIPTS_VOLUME_DEFAULT_MODE = 0o774
+ WORKSPACE_SCRIPTS_VOLUME_DEFAULT_MODE = 0o555
 WORKSPACE_SCRIPTS_VOLUME_NAME = "gl-workspace-scripts"
 WORKSPACE_SCRIPTS_VOLUME_PATH = "/workspace-scripts"
 end
diff --git a/ee/lib/remote_development/workspace_operations/workspace_operations_constants.rb b/ee/lib/remote_development/workspace_operations/workspace_operations_constants.rb
index e7ffb5eea5a5f7..be22c66396f33e 100644
--- a/ee/lib/remote_development/workspace_operations/workspace_operations_constants.rb
+++ b/ee/lib/remote_development/workspace_operations/workspace_operations_constants.rb
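Review bot: `WORKSPACE_SCRIPTS_VOLUME_DEFAULT_MODE = 0o555` in reconcile_constants.rb does more than the commit message says: it adds execute for `other` but also drops the owner and group write bits, and the message only mentions the `gl-workspace-variables` secret, not this scripts volume. Dropping write is probably harmless, since Kubernetes mounts projected volumes read-only, but a bare octal literal leaves the next reader guessing which bits are deliberate. I would add a comment above the constant, for example `# r-xr-xr-x: scripts must be runnable by any UID in the container; the projected volume is read-only, so write bits are omitted`. `VARIABLES_VOLUME_DEFAULT_MODE` in workspace_operations_constants.rb needs the same comment, and the enclosing module starts above this hunk.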
@@ -17,7 +17,7 @@ module WorkspaceOperations
 # See documentation at ../README.md#constant-declarations for more information.
 module WorkspaceOperationsConstants
 # Please keep alphabetized
- VARIABLES_VOLUME_DEFAULT_MODE = 0o774
+ VARIABLES_VOLUME_DEFAULT_MODE = 0o555
 VARIABLES_VOLUME_NAME = "gl-workspace-variables"
 VARIABLES_VOLUME_PATH = "/.workspace-data/variables/file"
 WORKSPACE_DATA_VOLUME_PATH = "/projects"
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb
index 880ea53cf7e3ae..056e1778a026a1 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb
@@ -583,7 +583,7 @@ def golden_master_desired_config_with_include_all_resources_true
 {
 name: "gl-workspace-variables",
 projected: {
- defaultMode: 0o774,
+ defaultMode: 0o555,
 sources: [
 {
 secret: {
@@ -596,7 +596,7 @@ def golden_master_desired_config_with_include_all_resources_true
 {
 name: "gl-workspace-scripts",
 projected: {
- defaultMode: 0o774,
+ defaultMode: 0o555,
 sources: [
 {
 configMap: {
@@ -1157,7 +1157,7 @@ def golden_master_desired_config_with_include_all_resources_false
 {
 name: "gl-workspace-variables",
 projected: {
- defaultMode: 0o774,
+ defaultMode: 0o555,
 sources: [
 {
 secret: {
@@ -1170,7 +1170,7 @@ def golden_master_desired_config_with_include_all_resources_false
 {
 name: "gl-workspace-scripts",
 projected: {
- defaultMode: 0o774,
+ defaultMode: 0o555,
 sources: [
 {
 configMap: {
@@ -1617,7 +1617,7 @@ def golden_master_desired_config_from_legacy_devfile_with_no_poststart_and_with_
 {
 name: "gl-workspace-variables",
 projected: {
- defaultMode: 0o774,
+ defaultMode: 0o555,
 sources: [
 {
 secret: {
-- 
GitLab
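Review bot: `VARIABLES_VOLUME_DEFAULT_MODE = 0o555` in workspace_operations_constants.rb is the default for every file projected from the `gl-workspace-variables` secret (the golden-master spec in this patch shows a `secret:` source under that volume), so all secret-backed files become executable and stay readable for any UID in the container, although the commit message says only the shell scripts need it. `other` already had read under 0o774, so nothing is newly disclosed, but the least-privilege shape would be a tighter volume default with the execute bit set per script through the source's `items` entries (`mode: 0o555` on the script keys only; note that once `items` is listed, only the listed keys are projected). If the workspace process is expected to run under a UID outside the owner and group, which I can only infer from the message, record that reason in a comment on the constant. The module body continues past the hunk.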