Fix K8s *.key file permissions during upgrade end

Old versions of StarlingX have wrong permissions set to files "/etc/kubernetes/pki/ca.key" and "/etc/kubernetes/pki/apiserver-etcd-client.key". The simplex upgrade process carries the permissions of these files from the old StarlingX version to the new one. This commit fixes this problem by resetting these file permissions on controller-0 when activating the upgrade. This file permission reset is not needed in controller-1 because the duplex upgrade process resets the file permissions on both controllers. Test Plan: PASS: Successfully complete AIO-SX upgrade and check that the files "ca.key" and "apiserver-etcd-client.key" in the folder "/etc/kubernetes/pki/" have the permissions changed from 0644 to 0600. Closes-Bug: 1996932 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> Change-Id: I1f25724161bc1347187a4f276d8ddaf436fae3f3
2022-11-22 18:11:32 -03:00 · 2022-11-22 18:11:32 -03:00 · 986fe07db0
parent 9e05801e80
commit 986fe07db0
1 changed files with 42 additions and 0 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/90-reset-k8s-key-file-permissions.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/90-reset-k8s-key-file-permissions.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script resets permissions of some Kubernetes *.key files to 0600 on controller-0 only.
+
+FROM_RELEASE=$1
+TO_RELEASE=$2
+ACTION=$3
+
+# This will log to /var/log/platform.log
+function log {
+    logger -p local1.info $1
+}
+
+reset-k8s-key-file-permissions()
+{
+    APISERVER_KEY="/etc/kubernetes/pki/apiserver-etcd-client.key"
+    CA_KEY="/etc/kubernetes/pki/ca.key"
+    declare -a FILE_LIST=("$APISERVER_KEY" "$CA_KEY" )
+
+    for file in "${FILE_LIST[@]}"; do
+        if [ -f "$file" ]; then
+            log "Resetting permissions for file $file ..."
+            chmod 0600 $file
+        fi
+    done
+
+    log "Kubernetes key files permissions successfully reset."
+}
+
+log "Script $0 invoked with from_release = $FROM_RELEASE to_release = $TO_RELEASE action = $ACTION"
+
+if [ "$TO_RELEASE" == "22.12" ] && [ "$ACTION" == "activate" ]; then
+    reset-k8s-key-file-permissions
+else
+    log "Script $0 execution skipped"
+fi
+
+exit 0