starlingx/config
Code Issues Proposed changes
config/controllerconfig/controllerconfig/upgrade-scripts/90-reset-k8s-key-file-permissions.sh
Joao Victor Portal 986fe07db0 Fix K8s *.key file permissions during upgrade end 
Old versions of StarlingX have wrong permissions set to files
"/etc/kubernetes/pki/ca.key" and
"/etc/kubernetes/pki/apiserver-etcd-client.key". The simplex upgrade
process carries the permissions of these files from the old StarlingX
version to the new one. This commit fixes this problem by resetting
these file permissions on controller-0 when activating the upgrade.

This file permission reset is not needed in controller-1 because the
duplex upgrade process resets the file permissions on both controllers.

Test Plan:

PASS: Successfully complete AIO-SX upgrade and check that the files
"ca.key" and "apiserver-etcd-client.key" in the folder
"/etc/kubernetes/pki/" have the permissions changed from 0644 to 0600.

Closes-Bug: 1996932
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I1f25724161bc1347187a4f276d8ddaf436fae3f3
2022-11-28 18:07:00 -03:00

43 lines
1.0 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This script resets permissions of some Kubernetes *.key files to 0600 on controller-0 only.
FROM_RELEASE=$1
TO_RELEASE=$2
ACTION=$3
# This will log to /var/log/platform.log
function log {
logger -p local1.info $1
}
reset-k8s-key-file-permissions()
{
APISERVER_KEY="/etc/kubernetes/pki/apiserver-etcd-client.key"
CA_KEY="/etc/kubernetes/pki/ca.key"
declare -a FILE_LIST=("$APISERVER_KEY" "$CA_KEY" )
for file in "${FILE_LIST[@]}"; do
if [ -f "$file" ]; then
log "Resetting permissions for file $file ..."
chmod 0600 $file
fi
done
log "Kubernetes key files permissions successfully reset."
}
log "Script $0 invoked with from_release = $FROM_RELEASE to_release = $TO_RELEASE action = $ACTION"
if [ "$TO_RELEASE" == "22.12" ] && [ "$ACTION" == "activate" ]; then
reset-k8s-key-file-permissions
else
log "Script $0 execution skipped"
fi
exit 0
View Git Blame Copy Permalink