Fix: Set SP key Secret volume defaultMode to 0444 for nonroot init container

bbobrov · bbobrov · commit 8463aa1b738a · 2026-03-30T22:49:56.000+02:00
The distroless init container runs as nonroot (UID 65534). With
defaultMode 0440, files are owned by root:root and not readable by
the nonroot user. Changing to 0444 makes the Secret mount readable.

The init container still writes 0440 permissions on the tmpfs
destination (enforced by os.Chmod in the Go binary), so the final
files are restricted to the nonroot user only.
diff --git a/openstack/keystone/templates/deployment-api.yaml b/openstack/keystone/templates/deployment-api.yaml
@@ -300,7 +300,7 @@ spec:
         - name: keystone-saml-sp-keys
           secret:
             secretName: {{ .Values.federation.saml.idp.spKeySecretName | default "keystone-saml-sp" }}
-            defaultMode: 0440
+            defaultMode: 0444
         - name: saml-sp-tmpfs
           emptyDir:
             medium: Memory
