Merge pull request 'Reconfigured semaphore secrets' (#39) from dev into main

Reviewed-on: #39

kubernetes-templates/semaphoreui.yml

@@ -57,8 +57,8 @@ data:
   db-password: c2VYbk42RGt1cFJaN0Y=
   admin-password: QmxhY2tzdGFyMkBob21l
   access-key-encryption: NHZKMm1LMnBMNW5COHhSMnpRN3dFM3RZNnVJMG9QOWE=
-  id_ed25519: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEbkRQMDZzbmM0Q2k3M0ZPSW1nTmszTWJsc25vNTNoajZYRDJTSzE1ZFpiQUFBQUpnZWwvMndIcGY5CnNBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRG5EUDA2c25jNENpNzNGT0ltZ05rM01ibHNubzUzaGo2WEQyU0sxNWRaYkEKQUFBRUJUaHFjcnNXZWVVWnpFeVdWWmJoRGlKZE9FQkZYSkg4NXNhMUNjK1dXQ0krY00vVHF5ZHpnS0x2Y1U0aWFBMlRjeAp1V3llam5lR1BwY1BaSXJYbDFsc0FBQUFEbXRvZDJWNmFVQkVRVkpMVTFWT0FRSURCQVVHQnc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0=
+  id_ed25519: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEbkRQMDZzbmM0Q2k3M0ZPSW1nTmszTWJsc25vNTNoajZYRDJTSzE1ZFpiQUFBQUpnZWwvMndIcGY5CnNBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRG5EUDA2c25jNENpNzNGT0ltZ05rM01ibHNubzUzaGo2WEQyU0sxNWRaYkEKQUFBRUJUaHFjcnNXZWVVWnpFeVdWWmJoRGlKZE9FQkZYSkg4NXNhMUNjK1dXQ0krY00vVHF5ZHpnS0x2Y1U0aWFBMlRjeAp1V3llam5lR1BwY1BaSXJYbDFsc0FBQUFEbXRvZDJWNmFVQkVRVkpMVTFWT0FRSURCQVVHQnc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
-  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4=
+  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4K
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -107,9 +107,10 @@ spec:
         fsGroupChangePolicy: "Always"
 
       initContainers:
-        - name: fix-ssh-path
+        - name: fix-ssh-permissions
           image: busybox:latest
-          # Ensure the directory exists AND is clean before the subPath mount attempts to anchor
+          # We ensure the directory exists and has 700. 
+          # We don't touch the files yet because they are mounted by the main container.
           command: ["sh", "-c", "mkdir -p /home/semaphore/.ssh && chmod 700 /home/semaphore/.ssh"]
           volumeMounts:
             - name: semaphore-persistent-storage
@@ -159,13 +160,14 @@ spec:
             - name: semaphore-persistent-storage
               mountPath: /tmp/semaphore
               subPath: tmp
-            # Using subPath here is essential to put the file into the existing folder
             - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519
               subPath: id_ed25519
+              readOnly: true
             - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519.pub
               subPath: id_ed25519.pub
+              readOnly: true
       volumes:
         - name: semaphore-persistent-storage
           persistentVolumeClaim:
@@ -173,7 +175,7 @@ spec:
         - name: ssh-keys-volume
           secret:
             secretName: semaphore-secrets
-            defaultMode: 384 # This is octal 0600
+            defaultMode: 384 # 0600
             items:
               - key: id_ed25519
                 path: id_ed25519