This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/grafana] Mounting k8s configmaps (SSL certs) to Grafana and set the right permissions (0600 or less). Private key file has group or world access. #23385

Closed
markofferman opened this issue Jul 29, 2020 · 3 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments


markofferman commented Jul 29, 2020

Describe the bug
When deploying the Grafana Helm chart, I want to attach SSL certs for our Google CloudSQL Postgres 12 instance. Mounting succeeds; however, the file permissions of these .pem files are not as they should be. This then results in this error when adding the postgres datasource in grafana:

[screenshot: grafana_postgres_error]

Version of Helm and Kubernetes:
[helm]

version.BuildInfo{Version:"v3.1.1", GitCommit:"afe70585407b420d0097d07b21c47dc511525ac8", GitTreeState:"clean", GoVersion:"go1.13.8"}

[kubernetes]

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T23:41:55Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.12-gke.3", GitCommit:"5233378b7ab59d2cd7aea247b207805de586b9ed", GitTreeState:"clean", BuildDate:"2020-07-06T23:18:30Z", GoVersion:"go1.13.9b4", Compiler:"gc", Platform:"linux/amd64"}

Which chart:
bitnami/grafana

NAME     	NAMESPACE	REVISION	UPDATED                              	STATUS  	CHART        	APP VERSION
dashboard	staging  	1       	2020-07-29 14:22:48.966751 +0200 CEST	deployed	grafana-3.2.1	7.1.1

What happened:
When I deploy the chart, kubernetes mounts the configmap in the right place but sets the standard file permissions (I think this is 0644).

If we then run kubectl get all -n staging in the namespace, I see that it runs successfully:

NAME                                     READY   STATUS    RESTARTS   AGE
pod/dashboard-grafana-68ffc58ff9-8bmj6   1/1     Running   0          12m

NAME                        TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
service/dashboard-grafana   ClusterIP   10.0.1.26    <none>        3000/TCP   12m

NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dashboard-grafana   1/1     1            1           12m

NAME                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/dashboard-grafana-68ffc58ff9   1         1         1       12m

If we then kubectl exec -it dashboard-grafana-68ffc58ff9-8bmj6 -n staging into the container and go to the mounted directory, I see the symlinks:

I have no name!@dashboard-grafana-68ffc58ff9-8bmj6:/opt/bitnami/grafana/conf/provisioning/datasources$ ls -lah
total 12K
drwxrwsrwx 3 root 1001 4.0K Jul 29 12:23 .
drwxr-xr-x 6 1001 1001 4.0K Jul 24 15:34 ..
drwxr-sr-x 2 root 1001 4.0K Jul 29 12:23 ..2020_07_29_12_23_08.713712648
lrwxrwxrwx 1 root root   31 Jul 29 12:23 ..data -> ..2020_07_29_12_23_08.713712648
lrwxrwxrwx 1 root root   22 Jul 29 12:23 client-cert.pem -> ..data/client-cert.pem
lrwxrwxrwx 1 root root   21 Jul 29 12:23 client-key.pem -> ..data/client-key.pem
lrwxrwxrwx 1 root root   21 Jul 29 12:23 client-key.pk8 -> ..data/client-key.pk8
lrwxrwxrwx 1 root root   20 Jul 29 12:23 server-ca.pem -> ..data/server-ca.pem

and in the ..data folder:

I have no name!@dashboard-grafana-68ffc58ff9-8bmj6:/opt/bitnami/grafana/conf/provisioning/datasources/..data$ ls -lah
total 24K
drwxr-sr-x 2 root 1001 4.0K Jul 29 12:23 .
drwxrwsrwx 3 root 1001 4.0K Jul 29 12:23 ..
-rw-r--r-- 1 root 1001 1.3K Jul 29 12:23 client-cert.pem
-rw-r--r-- 1 root 1001 1.7K Jul 29 12:23 client-key.pem
-rw-r--r-- 1 root 1001 1.2K Jul 29 12:23 client-key.pk8
-rw-r--r-- 1 root 1001 1.3K Jul 29 12:23 server-ca.pem

What you expected to happen:
I expected that it would set the contents of the configmaps (the SSL certs) to read-only for the user (400) and thus not give them group or world access, because we pass it defaultMode 400.

Maybe something like this:

I have no name!@dashboard-grafana-68ffc58ff9-8bmj6:/opt/bitnami/grafana/conf/provisioning/datasources/..data$ ls -lah
total 24K
drwxr-sr-x 2 root 1001 4.0K Jul 29 12:23 .
drwxrwsrwx 3 root 1001 4.0K Jul 29 12:23 ..
-rw------- 1 1001 1001 1.3K Jul 29 12:23 client-cert.pem
-rw------- 1 1001 1001 1.7K Jul 29 12:23 client-key.pem
-rw------- 1 1001 1001 1.2K Jul 29 12:23 client-key.pk8
-rw------- 1 1001 1001 1.3K Jul 29 12:23 server-ca.pem

How to reproduce it (as minimally and precisely as possible):
In the values.yaml I've added:

extraConfigmaps:
  - name: pg-ssl-cm-gmmb6mt9fc
    mountPath: /opt/bitnami/grafana/conf/provisioning/datasources/
    defaultMode: 0400

datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: PostgresSQL
        type: postgres
        access: proxy
        isDefault: true
        database: <db_name>
        url: <ip>:<port>
        secureJsonData:
          user: <user>
          password: <password>
          postgresVersion: 12
          sslmode: verify-full
          sslRootCertFile: '/opt/bitnami/grafana/conf/provisioning/datasources/server-ca.pem'
          sslCertFile: '/opt/bitnami/grafana/conf/provisioning/datasources/client-cert.pem'
          sslKeyFile: '/opt/bitnami/grafana/conf/provisioning/datasources/client-key.pk8'

Anything else we need to know:
Someone please help me out, I am slowly becoming crazy.
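The two listings above pin down why defaultMode on its own cannot fix this: the key must be readable by the uid Grafana runs as (1001 here), and the driver behind the error in the title rejects any key file with group or world bits set. The following is an added example, not code from the issue or from either chart, that evaluates both rules against stat data constructed from the observed (root:1001, 0644) and expected (1001:1001, 0600) listings; the 0400 and 0440 root-owned rows are assumed variants added to show the trap.

```go
package main

import (
	"fmt"
	"os"
)

// keyFile is the stat(2) data the two checks need: owner, group and permission bits.
type keyFile struct {
	uid, gid uint32
	mode     os.FileMode
}

// tooPermissive mirrors the driver check behind the issue title: any group or world bit is rejected.
func tooPermissive(f keyFile) bool { return f.mode&0077 != 0 }

// readableBy applies the kernel's owner/group/other precedence (uid 0 bypasses; supplementary groups ignored).
func readableBy(f keyFile, uid, gid uint32) bool {
	switch {
	case uid == 0:
		return true
	case uid == f.uid:
		return f.mode&0400 != 0
	case gid == f.gid:
		return f.mode&0040 != 0
	default:
		return f.mode&0004 != 0
	}
}

// verdict combines both rules: usable only if readable by uid/gid AND free of group/world bits,
// which together force the file to be owned by that uid with mode 0400 or 0600.
func verdict(f keyFile, uid, gid uint32) string {
	if !readableBy(f, uid, gid) {
		return "unreadable by this uid"
	}
	if tooPermissive(f) {
		return "rejected: group or world access"
	}
	return "ok"
}

func main() {
	// Constructed rows: observed listing (root:1001, 0644), two assumed root-owned variants
	// (0400, 0440) and the expected listing (1001:1001, 0600); Grafana is assumed to run as 1001:1001.
	rows := []keyFile{{0, 1001, 0644}, {0, 1001, 0400}, {0, 1001, 0440}, {1001, 1001, 0600}}
	for _, f := range rows {
		fmt.Printf("uid=%d gid=%d mode=%04o -> %s\n", f.uid, f.gid, f.mode, verdict(f, 1001, 1001))
	}
}
```

Only the last row is both readable and accepted: tightening the mode on a root-owned file either locks uid 1001 out (0400) or keeps a group bit the driver refuses (0440).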

@markofferman markofferman changed the title [grafana stable/chart] Mounting k8s SSL certificates to Grafana and set the right permissions (0600 or less) [stable/grafana] Mounting k8s SSL certificates to Grafana and set the right permissions (0600 or less) Jul 29, 2020
@markofferman markofferman changed the title [stable/grafana] Mounting k8s SSL certificates to Grafana and set the right permissions (0600 or less) [stable/grafana] Mounting k8s configmaps (SSL certs) to Grafana and set the right permissions (0600 or less). Private key file has group or world access. Jul 29, 2020
@tjappo

tjappo commented Aug 12, 2020

I am also experiencing the same problem and haven't found a solution.

@stale

stale bot commented Sep 11, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 11, 2020
@scottrigby
Member

📢 This chart is deprecated: #23662
If still applicable, please re-open issues at: https://github.com/grafana/helm-charts
