openshift · shaneboulden · Jul 4, 2025 · tjungblu · Jul 4, 2025 · shaneboulden
diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go
@@ -306,13 +306,13 @@ func (r *renderOpts) Run() error {
 	certDir := filepath.Join(memberDir, "etcd-all-certs")
 
 	// Creating the cert dir recursively will create the base path too
-	err = os.MkdirAll(certDir, 0755)
+	err = os.MkdirAll(certDir, 0700)
           mkdir -p /var/log/etcd  && chmod 0600 /var/log/etcd 
           mkdir -p /var/log/etcd  && chmod 0600 /var/log/etcd 
 	if err != nil {
 		return fmt.Errorf("failed to create directory %s: %w", memberDir, err)
 	}
 	// tlsDir contains the ca bundle and client cert pair for bootkube.sh and the bootstrap apiserver
 	tlsDir := filepath.Join(r.assetOutputDir, "tls")
-	err = os.MkdirAll(tlsDir, 0755)
+	err = os.MkdirAll(tlsDir, 0700)
 
 	// Write the etcd ca bundle required by the bootstrap etcd member
 	for _, bundle := range templateData.caBundles {

diff --git a/pkg/operator/etcd_assets/bindata.go b/pkg/operator/etcd_assets/bindata.go
diff --git a/pkg/tnf/assets/bindata.go b/pkg/tnf/assets/bindata.go