From 69e17d0470df9f72bca00a8f6ebb1d1d9e2df2d5 Mon Sep 17 00:00:00 2001
From: mlsmaycon
Date: Tue, 30 Jun 2026 09:30:25 +0200
Subject: [PATCH] [e2e] Fix proxy cert permission denied on Linux CI runners

The proxy bind-mounts a temp dir of self-signed certs. MkdirTemp creates it 0700 and the key was 0600, which Docker Desktop on macOS ignores but a non-root proxy container on Linux runners cannot traverse/read, so the cert watcher failed with "open /certs/tls.crt: permission denied" and the container exited. Widen the cert dir to 0755 and write the throwaway key 0644 so the proxy uid can read the bind-mounted material.
---
 e2e/harness/cert.go | 4 +++-
 e2e/harness/proxy.go | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/e2e/harness/cert.go b/e2e/harness/cert.go
index de898e7e0..c8a28e470 100644
--- a/e2e/harness/cert.go
+++ b/e2e/harness/cert.go
@@ -57,7 +57,9 @@ func writeSelfSignedCert(dir string, dnsNames []string) error {
 return fmt.Errorf("marshal key: %w", err)
 }
 keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
- if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
+ // World-readable so the (non-root) proxy container can read the bind-mounted
+ // key on Linux CI runners; this is a throwaway self-signed e2e key.
+ if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o644); err != nil { //nolint:gosec // throwaway self-signed e2e key, must be readable by the proxy container uid
 return fmt.Errorf("write key: %w", err)
 }
 return nil
diff --git a/e2e/harness/proxy.go b/e2e/harness/proxy.go
index 085ad6958..a4341f7b2 100644
--- a/e2e/harness/proxy.go
+++ b/e2e/harness/proxy.go
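Review bot: The 0o644 passed to os.WriteFile on the added tls.key line is only a creation mode and is still reduced by the process umask, so under a restrictive umask (for example 077) the key silently lands 0600 again and the permission-denied failure this commit fixes comes back; the directory fix in proxy.go uses os.Chmod, which is not umask-dependent, so the two hunks behave differently. Either chmod the key after writing it, `if err := os.Chmod(filepath.Join(dir, "tls.key"), 0o644); err != nil { return fmt.Errorf("chmod key: %w", err) }`, or record the umask assumption in the comment. The comment should also state plainly that this makes the private key readable by every local account on the runner for the lifetime of the temp dir, since that is the trade-off the nolint directive accepts. writeSelfSignedCert starts before this hunk, so how keyDER is generated and whether the dir is cleaned up on error is not visible here.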
@@ -51,6 +51,11 @@ func StartProxy(ctx context.Context, c *Combined, proxyToken string) (*Proxy, er
 if err != nil {
 return nil, fmt.Errorf("create proxy work dir: %w", err)
 }
+ // MkdirTemp creates the dir 0700; widen it so the non-root proxy container
+ // can traverse the bind-mounted cert dir on Linux CI runners.
+ if err := os.Chmod(workDir, 0o755); err != nil { //nolint:gosec // throwaway e2e cert dir, must be traversable by the proxy container uid
+ return nil, fmt.Errorf("chmod proxy cert dir: %w", err)
+ }
 if err := writeSelfSignedCert(workDir, []string{"*." + AgentNetworkCluster, AgentNetworkCluster}); err != nil {
 return nil, err
 }
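Review bot: Widening workDir to 0o755 here, combined with the 0o644 key from cert.go, makes the self-signed private key readable by any local account on the runner for as long as the temp dir exists, so the added comment should say this is accepted only because the key is throwaway, and if StartProxy does not already remove workDir on the error returns that follow, a deferred cleanup on failure would bound that window. If the proxy image runs as a fixed uid/gid and the runner allows it, a narrower alternative is to `os.Chown` the dir and key to that group and use `0o750`/`0o640` instead of world access — this is hedged, since the container user is not visible in the diff. StartProxy starts before this hunk and continues after it, so where workDir is cleaned up cannot be confirmed from what is shown.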