[e2e] Fix proxy cert permission denied on Linux CI runners
The proxy bind-mounts a temp dir of self-signed certs. MkdirTemp creates it 0700 and the key was 0600, which Docker Desktop on macOS ignores but a non-root proxy container on Linux runners cannot traverse/read, so the cert watcher failed with "open /certs/tls.crt: permission denied" and the container exited. Widen the cert dir to 0755 and write the throwaway key 0644 so the proxy uid can read the bind-mounted material.
@@ -57,7 +57,9 @@ func writeSelfSignedCert(dir string, dnsNames []string) error {
|
||||
return fmt.Errorf("marshal key: %w", err)
|
||||
}
|
||||
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
|
||||
if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
|
||||
// World-readable so the (non-root) proxy container can read the bind-mounted
|
||||
// key on Linux CI runners; this is a throwaway self-signed e2e key.
|
||||
if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o644); err != nil { //nolint:gosec // throwaway self-signed e2e key, must be readable by the proxy container uid
|
||||
return fmt.Errorf("write key: %w", err)
|
||||
}
|
||||
return nil
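Review bot: The mode passed to the new `os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o644)` line is still masked by the runner's umask, so a runner configured with umask 027 or 077 lands tls.key at 0640/0600 and the proxy container hits the same permission-denied failure this commit is fixing. The directory hunk in this same commit uses `os.Chmod`, which is umask-independent; the key should get the same treatment, e.g. hoist `keyPath := filepath.Join(dir, "tls.key")` and follow the write with `if err := os.Chmod(keyPath, 0o644); err != nil { return fmt.Errorf("chmod key: %w", err) }`. Because this is a private key deliberately made world-readable in a temp location, the helper's comment should also make the reuse boundary explicit, e.g. `// Throwaway e2e material only: the key is intentionally written 0644. Never reuse this helper for real keys.` writeSelfSignedCert begins above this hunk, so the tls.crt write and its mode are presumably in the part not shown here and were not reviewed.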
|
||||
|
||||
@@ -51,6 +51,11 @@ func StartProxy(ctx context.Context, c *Combined, proxyToken string) (*Proxy, er
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("create proxy work dir: %w", err)
|
||||
}
|
||||
// MkdirTemp creates the dir 0700; widen it so the non-root proxy container
|
||||
// can traverse the bind-mounted cert dir on Linux CI runners.
|
||||
if err := os.Chmod(workDir, 0o755); err != nil { //nolint:gosec // throwaway e2e cert dir, must be traversable by the proxy container uid
|
||||
return nil, fmt.Errorf("chmod proxy cert dir: %w", err)
|
||||
}
|
||||
if err := writeSelfSignedCert(workDir, []string{"*." + AgentNetworkCluster, AgentNetworkCluster}); err != nil {
|
||||
return nil, err
|
||||
}
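Review bot: Chmod'ing `workDir` to 0755 makes the temp dir traversable and listable by every local user on the runner, and since the key inside is written 0644 the entire bind-mounted material becomes readable by any local process; that is acceptable for a throwaway cert, but StartProxy also receives `proxyToken`, and if that token or any other secret is ever materialized as a file under workDir it inherits the same exposure. I'd record that constraint next to the chmod: `// workDir is world-readable from here on: only throwaway e2e cert material may be written into it (never proxyToken).` A more contained alternative is to keep the 0700 dir and run the proxy container as a matching uid (a `--user` of the host uid) or chown the dir to the proxy uid, which avoids exposing the key to other local users at all; whether the container wiring here allows that is outside the hunk. Note that the directory chmod happens before writeSelfSignedCert and does not influence the file modes, which come solely from the write calls. StartProxy continues past the end of this hunk and the MkdirTemp call it refers to is above it.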
|
||||
|
||||