nginx · pdabelf5 · Nov 25, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -572,7 +572,7 @@ func processDefaultServerSecret(ctx context.Context, kubeClient *kubernetes.Clie
 		}
 
 		bytes := configs.GenerateCertAndKeyFileContent(secret)
-		nginxManager.CreateSecret(configs.DefaultServerSecretFileName, bytes, nginx.TLSSecretFileMode)
+		nginxManager.CreateSecret(configs.DefaultServerSecretFileName, bytes, nginx.ReadWriteOnlyFileMode)
 	} else {
 		_, err := os.Stat(configs.DefaultServerSecretPath)
 		if err != nil {
@@ -596,7 +596,7 @@ func processWildcardSecret(ctx context.Context, kubeClient *kubernetes.Clientset
 		}
 
 		bytes := configs.GenerateCertAndKeyFileContent(secret)
-		nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.TLSSecretFileMode)
+		nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.ReadWriteOnlyFileMode)
 	}
 	return *wildcardTLSSecret != ""
 }

@@ -823,8 +823,8 @@ func (cnf *Configurator) addOrUpdateCASecret(secret *api_v1.Secret) string {
 	crtData, crlData := GenerateCAFileContent(secret)
 	crtSecretName := fmt.Sprintf("%s-%s", name, CACrtKey)
 	crlSecretName := fmt.Sprintf("%s-%s", name, CACrlKey)
-	crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.TLSSecretFileMode)
-	crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.TLSSecretFileMode)
+	crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.ReadWriteOnlyFileMode)
+	crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.ReadWriteOnlyFileMode)
 	return fmt.Sprintf("%s %s", crtFileName, crlFileName)
 }
 
@@ -919,7 +919,7 @@ func (cnf *Configurator) AddOrUpdateResources(resources ExtendedResources, reloa
 func (cnf *Configurator) addOrUpdateTLSSecret(secret *api_v1.Secret) string {
 	name := objectMetaToFileName(&secret.ObjectMeta)
 	data := GenerateCertAndKeyFileContent(secret)
-	return cnf.nginxManager.CreateSecret(name, data, nginx.TLSSecretFileMode)
+	return cnf.nginxManager.CreateSecret(name, data, nginx.ReadWriteOnlyFileMode)
 }
 
 // AddOrUpdateSpecialTLSSecrets adds or updates a file with a TLS cert and a key from a Special TLS Secret (eg. DefaultServerSecret, WildcardTLSSecret).
@@ -929,7 +929,7 @@ func (cnf *Configurator) AddOrUpdateSpecialTLSSecrets(secret *api_v1.Secret, sec
 	data := GenerateCertAndKeyFileContent(secret)
 
 	for _, secretName := range secretNames {
-		cnf.nginxManager.CreateSecret(secretName, data, nginx.TLSSecretFileMode)
+		cnf.nginxManager.CreateSecret(secretName, data, nginx.ReadWriteOnlyFileMode)
 	}
 
 	if !cnf.DynamicSSLReloadEnabled() {

@@ -26,8 +26,8 @@ const (
 	ReloadForEndpointsUpdate = true
 	// ReloadForOtherUpdate means that a reload is caused by an update for a resource(s) other than endpoints.
 	ReloadForOtherUpdate = false
-	// TLSSecretFileMode defines the default filemode for files with TLS Secrets.
-	TLSSecretFileMode = 0o600
+	// ReadWriteOnlyFileMode defines the default filemode for files with Secrets.
+	ReadWriteOnlyFileMode = 0o600
 	// JWKSecretFileMode defines the default filemode for files with JWK Secrets.
 	JWKSecretFileMode = 0o644
 	// HtpasswdSecretFileMode defines the default filemode for HTTP basic auth user files.