[e2e] Fix proxy cert permission denied on Linux CI runners

The proxy bind-mounts a temp dir of self-signed certs. MkdirTemp creates
it 0700 and the key was 0600, which Docker Desktop on macOS ignores but a
non-root proxy container on Linux runners cannot traverse/read, so the
cert watcher failed with "open /certs/tls.crt: permission denied" and the
container exited. Widen the cert dir to 0755 and write the throwaway key
0644 so the proxy uid can read the bind-mounted material.
mlsmaycon
2026-06-30 09:30:25 +02:00
parent a4e4f1f620
commit 69e17d0470
2 changed files with 8 additions and 1 deletions


@@ -57,7 +57,9 @@ func writeSelfSignedCert(dir string, dnsNames []string) error {
return fmt.Errorf("marshal key: %w", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
// World-readable so the (non-root) proxy container can read the bind-mounted
// key on Linux CI runners; this is a throwaway self-signed e2e key.
if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o644); err != nil { //nolint:gosec // throwaway self-signed e2e key, must be readable by the proxy container uid
return fmt.Errorf("write key: %w", err)
}
return nil
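Review bot: Writing the private key with `0o644` inside writeSelfSignedCert makes world-readable the default for every caller of this helper, not just the e2e proxy, and os.WriteFile's mode argument is still filtered through the process umask, so on a runner with umask 077 the key would still come out 0600 and this fix would silently not apply. I would keep `0o600` on this line and do the widening once at the e2e call site, next to the directory chmod in StartProxy: `if err := os.Chmod(filepath.Join(workDir, "tls.key"), 0o644); err != nil { return nil, fmt.Errorf("chmod proxy key: %w", err) }`, moving the `//nolint:gosec` justification with it — os.Chmod is not subject to umask, which also closes that gap. The start of writeSelfSignedCert, including how tls.crt is written, is outside this hunk, so I can't confirm the cert file's mode is consistent with the key's.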


@@ -51,6 +51,11 @@ func StartProxy(ctx context.Context, c *Combined, proxyToken string) (*Proxy, er
if err != nil {
return nil, fmt.Errorf("create proxy work dir: %w", err)
}
// MkdirTemp creates the dir 0700; widen it so the non-root proxy container
// can traverse the bind-mounted cert dir on Linux CI runners.
if err := os.Chmod(workDir, 0o755); err != nil { //nolint:gosec // throwaway e2e cert dir, must be traversable by the proxy container uid
return nil, fmt.Errorf("chmod proxy cert dir: %w", err)
}
if err := writeSelfSignedCert(workDir, []string{"*." + AgentNetworkCluster, AgentNetworkCluster}); err != nil {
return nil, err
}
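Review bot: The `os.Chmod(workDir, 0o755)` makes a temp directory that (per the comment, an os.MkdirTemp, normally under the shared system temp dir) traversable by every local account on the runner, and with the key file also widened, any other user on a shared CI host can read the proxy's private key for as long as the directory exists. That is tolerable for a throwaway self-signed e2e key, but the comment should state that exposure explicitly, and the caller must guarantee the directory is removed when the proxy stops; I can't see from this hunk whether StartProxy or the Proxy's shutdown path does an `os.RemoveAll(workDir)`. If the proxy container's user is configurable (not visible here), starting it as the host uid/gid, e.g. `fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid())`, would avoid widening the directory at all. Minor: the two error wrappers name the same path "create proxy work dir" and "chmod proxy cert dir"; picking one term makes failures easier to grep.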