From dd1bdcfa090e864ddd890aa65797c14dbe101e57 Mon Sep 17 00:00:00 2001
From: sshaikh1 <sirin.shaikh@windriver.com>
Date: Tue, 18 Feb 2025 04:02:13 -0500
Subject: [PATCH] Set permissions to 600 for certificates

This commit adds code that sets permissions to 600
for all .crt files in the /etc/kubernetes/pki directory.
It takes effect during deployment of peer nodes
using the PXE server.

TEST CASES:
PASSED: Run full build, system install, bootstrap and unlock (SX)
PASSED: System install, bootstrap, unlock and swact (DX)
PASSED: Checked permission using below command
        "ls -al /etc/kubernetes/pki/*.crt"
PASSED: Checked whether certificates are accessible and readable
        Example:
        openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
PASSED: Checked status of kubernetes cluster and pods.
PASSED: No alarms when ran "fm alarm-list"

Story: 2011334
Task: 51677
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/940238

Change-Id: I9f05b0e9e35910d5a1a113d2be02635d48bc1063
Signed-off-by: sshaikh1 <sirin.shaikh@windriver.com>
---
 .../src/modules/platform/manifests/kubernetes.pp       | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
index a5b39934d..776004298 100644
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -413,6 +413,14 @@ class platform::kubernetes::kubeadm {
   }
 }
 
+class platform::kubernetes::set_crt_permissions {
+  exec { 'set_permissions_on_crt_files':
+    command => 'find /etc/kubernetes/pki -type f -name "*.crt" -exec chmod 600 {} +',
+    onlyif  => 'find /etc/kubernetes/pki -type f -name "*.crt" ! -perm 600 | grep .',
+    path    => ['/bin', '/usr/bin'],
+  }
+}
+
 class platform::kubernetes::master::init
   inherits ::platform::kubernetes::params {
 
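Review bot: The `onlyif` guard on line 43 uses `! -perm 600`, which is an exact-mode match, so a certificate that is already stricter than 0600 (for example 0400) still triggers the exec and is widened to 0600, and the guard and the command disagree about what "correct" means. A mask test keeps the resource idempotent for anything at least as strict: `command => 'find /etc/kubernetes/pki -type f -name "*.crt" -exec chmod go-rwx {} +',` paired with `onlyif  => 'find /etc/kubernetes/pki -type f -name "*.crt" -perm /077 | grep .',`. The pipe in `onlyif` appears to work under Puppet's default posix provider only because a command string containing shell metacharacters ends up in /bin/sh, so `provider => shell` would make that dependency explicit. Note also that `-name "*.crt"` leaves any `.key` files in the same tree untouched; if those are tightened elsewhere, a one-line comment on the exec saying so would save the next reader from checking.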
@@ -605,6 +613,8 @@ class platform::kubernetes::master::init
     hour        => '*/24',
     user        => 'root',
   }
+
+  -> class { 'platform::kubernetes::set_crt_permissions': }
 }
 
 class platform::kubernetes::master
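Review bot: The chaining arrow on line 56 orders the permission fix after the resource ending on line 54, which from its `hour`/`user` attributes looks like a cron entry rather than whatever writes the certificates, so the ordering says nothing about the .crt files existing when the exec runs. If the resource that produces the files is declared earlier in this class, chaining from that one would make the intent visible; the body of `platform::kubernetes::master::init` starts outside the hunk, so I cannot confirm where it is. A comment above the arrow such as `# Tighten mode on the kubeadm certificates once they have been written` would also help, since the class name alone does not say why it must run last.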