Improper TLS secret volumes defaultMode

### What happened?

Today mTLS volumes are declared with a default mode of 0440
See : https://github.com/redpanda-data/redpanda-operator/blob/90bb5673c43d29a9ac60cc48c59f312aa219fbc3/charts/redpanda/helpers.go#L279C1-L280C1

It leads to secret being only available to `root.root`, while the container runs by default as `redpanda`

```shell
redpanda@redpanda-2:/etc/tls/certs/default/..data$ ls -la
total 16
drwxr-xr-x 2 root root  100 Jan 16 11:21 .
drwxrwxrwt 3 root root  140 Jan 16 11:21 ..
-r--r----- 1 root root 2691 Jan 16 11:21 ca.crt
-r--r----- 1 root root 5634 Jan 16 11:21 tls.crt
-r--r----- 1 root root 1679 Jan 16 11:21 tls.key
redpanda@redpanda-2:/etc/tls/certs/default/..data$ cat tls.crt
cat: tls.crt: Permission denied
redpanda@redpanda-2:/etc/tls/certs/default/..data$
redpanda@redpanda-2:/etc/tls/certs/default/..data$
redpanda@redpanda-2:/etc/tls/certs/default/..data$ whoami
redpanda
```

Since it's part of common volumes it affects all containers.

Sidecars are configured by name, sidecars names are changing, breaking my current workaround to force all containers to run as `root` (bad!) via setting securityContext.



### What did you expect to happen?

`defaultMode: 0o444` would be a simple way to address it


### How can we reproduce it (as minimally and precisely as possible)?. Please include values file.

<details>

```console
$ helm get values <redpanda-release-name> -n <redpanda-release-namespace> --all

...
tls:
  certs:
    default:
      caEnabled: true
      clientSecretRef:
        name: redpanda-admin-cert
      secretRef:
        name: redpanda-tls-cert
    external:
      caEnabled: true
  enabled: true

 sideCars:
    # oopsy, now it's called sidecar
    configWatcher:
      resources:
        limits:
          cpu: 100m
          memory: 64Mi
        requests:
          cpu: 100m
          memory: 64Mi
      securityContext:
        runAsUser: 0

listeners:
  admin:
    authenticationMethod: mtls_identity
    external:
      default:
        enabled: true
        port: 9644
        tls:
          cert: default
          enabled: true
          requireClientAuth: true
          trustStore:
            configMapKeyRef:
              key: ca.crt
              name: redpanda-company-cacrt
    port: 9643
    tls:
      cert: default
      enabled: true
      requireClientAuth: true
      trustStore:
        configMapKeyRef:
          key: ca.crt
          name: redpanda-company-cacrt

```

</details>


### Anything else we need to know?

_No response_

### Which are the affected charts?

Redpanda

### Chart Version(s)

Latest

### Cloud provider

<details>

</details>


JIRA Link: [K8S-564](https://redpandadata.atlassian.net/browse/K8S-564)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Improper TLS secret volumes defaultMode #1657

What happened?

What did you expect to happen?

How can we reproduce it (as minimally and precisely as possible)?. Please include values file.

Anything else we need to know?

Which are the affected charts?

Chart Version(s)

Cloud provider

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Improper TLS secret volumes defaultMode #1657

Description

What happened?

What did you expect to happen?

How can we reproduce it (as minimally and precisely as possible)?. Please include values file.

Anything else we need to know?

Which are the affected charts?

Chart Version(s)

Cloud provider

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions