From ee602b3175946bb84f6a3e519930e48648bfe66e Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 25 Nov 2024 08:54:18 +0000 Subject: [PATCH] rename TLSSecretFileMode to ReadWriteOnlyFileMode (#6854) --- cmd/nginx-ingress/main.go | 4 ++-- internal/configs/configurator.go | 8 ++++---- internal/nginx/manager.go | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index ae2fc567c3..df2f968942 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -572,7 +572,7 @@ func processDefaultServerSecret(ctx context.Context, kubeClient *kubernetes.Clie } bytes := configs.GenerateCertAndKeyFileContent(secret) - nginxManager.CreateSecret(configs.DefaultServerSecretFileName, bytes, nginx.TLSSecretFileMode) + nginxManager.CreateSecret(configs.DefaultServerSecretFileName, bytes, nginx.ReadWriteOnlyFileMode) } else { _, err := os.Stat(configs.DefaultServerSecretPath) if err != nil { @@ -596,7 +596,7 @@ func processWildcardSecret(ctx context.Context, kubeClient *kubernetes.Clientset } bytes := configs.GenerateCertAndKeyFileContent(secret) - nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.TLSSecretFileMode) + nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.ReadWriteOnlyFileMode) } return *wildcardTLSSecret != "" } diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index 8d286f0415..c1963108a2 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go @@ -823,8 +823,8 @@ func (cnf *Configurator) addOrUpdateCASecret(secret *api_v1.Secret) string { crtData, crlData := GenerateCAFileContent(secret) crtSecretName := fmt.Sprintf("%s-%s", name, CACrtKey) crlSecretName := fmt.Sprintf("%s-%s", name, CACrlKey) - crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.TLSSecretFileMode) - crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.TLSSecretFileMode) + crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.ReadWriteOnlyFileMode) + crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.ReadWriteOnlyFileMode) return fmt.Sprintf("%s %s", crtFileName, crlFileName) } @@ -919,7 +919,7 @@ func (cnf *Configurator) AddOrUpdateResources(resources ExtendedResources, reloa func (cnf *Configurator) addOrUpdateTLSSecret(secret *api_v1.Secret) string { name := objectMetaToFileName(&secret.ObjectMeta) data := GenerateCertAndKeyFileContent(secret) - return cnf.nginxManager.CreateSecret(name, data, nginx.TLSSecretFileMode) + return cnf.nginxManager.CreateSecret(name, data, nginx.ReadWriteOnlyFileMode) } // AddOrUpdateSpecialTLSSecrets adds or updates a file with a TLS cert and a key from a Special TLS Secret (eg. DefaultServerSecret, WildcardTLSSecret). @@ -929,7 +929,7 @@ func (cnf *Configurator) AddOrUpdateSpecialTLSSecrets(secret *api_v1.Secret, sec data := GenerateCertAndKeyFileContent(secret) for _, secretName := range secretNames { - cnf.nginxManager.CreateSecret(secretName, data, nginx.TLSSecretFileMode) + cnf.nginxManager.CreateSecret(secretName, data, nginx.ReadWriteOnlyFileMode) } if !cnf.DynamicSSLReloadEnabled() { diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go index d346cba6b0..c1b2cfa1a9 100644 --- a/internal/nginx/manager.go +++ b/internal/nginx/manager.go @@ -26,8 +26,8 @@ const ( ReloadForEndpointsUpdate = true // ReloadForOtherUpdate means that a reload is caused by an update for a resource(s) other than endpoints. ReloadForOtherUpdate = false - // TLSSecretFileMode defines the default filemode for files with TLS Secrets. - TLSSecretFileMode = 0o600 + // ReadWriteOnlyFileMode defines the default filemode for files with Secrets. + ReadWriteOnlyFileMode = 0o600 // JWKSecretFileMode defines the default filemode for files with JWK Secrets. JWKSecretFileMode = 0o644 // HtpasswdSecretFileMode defines the default filemode for HTTP basic auth user files.