From 3817a34ce16d3710c9d59d1490dec5e16f3c0e66 Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Fri, 17 Oct 2025 18:47:14 +0200
Subject: [PATCH 1/3] fix: Fix insecure file permissions

---
CHANGELOG.md | 2 ++
.../examples/getting_started/opensearch.yaml | 1 +
.../src/controller/build/role_group_builder.rs | 2 ++
.../kuttl/external-access/opensearch.yaml.j2 | 1 +
.../kuttl/ldap/21-install-opensearch.yaml.j2 | 1 +
.../kuttl/metrics/20-install-opensearch.yaml.j2 | 1 +
tests/templates/kuttl/smoke/10-assert.yaml.j2 | 12 ++++++------
.../kuttl/smoke/10-install-opensearch.yaml.j2 | 1 +
8 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a2fce9..64d4280 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ All notable changes to this project will be documented in this file.
 - Add Prometheus labels and annotations to role-group services ([#26]).
 - Helm: Allow Pod `priorityClassName` to be configured ([#34]).
 - Support log configuration and log aggregation ([#40]).
+- Ensure that the permissions of the configuration files are correct ([#47]).
 
 [#10]: https://github.com/stackabletech/opensearch-operator/pull/10
 [#17]: https://github.com/stackabletech/opensearch-operator/pull/17
@@ -34,3 +35,4 @@ All notable changes to this project will be documented in this file.
 [#34]: https://github.com/stackabletech/opensearch-operator/pull/34
 [#38]: https://github.com/stackabletech/opensearch-operator/pull/38
 [#40]: https://github.com/stackabletech/opensearch-operator/pull/40
+[#47]: https://github.com/stackabletech/opensearch-operator/pull/47
diff --git a/docs/modules/opensearch/examples/getting_started/opensearch.yaml b/docs/modules/opensearch/examples/getting_started/opensearch.yaml
index d56f87b..ee74aa4 100644
--- a/docs/modules/opensearch/examples/getting_started/opensearch.yaml
+++ b/docs/modules/opensearch/examples/getting_started/opensearch.yaml
@@ -37,6 +37,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
+ defaultMode: 0660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/rust/operator-binary/src/controller/build/role_group_builder.rs b/rust/operator-binary/src/controller/build/role_group_builder.rs
index 4b42052..1ecb924 100644
--- a/rust/operator-binary/src/controller/build/role_group_builder.rs
+++ b/rust/operator-binary/src/controller/build/role_group_builder.rs
@@ -260,6 +260,7 @@ impl<'a> RoleGroupBuilder<'a> {
 Volume {
 name: CONFIG_VOLUME_NAME.to_string(),
 config_map: Some(ConfigMapVolumeSource {
+ default_mode: Some(0o660),
 name: self.resource_names.role_group_config_map().to_string(),
 ..Default::default()
 }),
@@ -268,6 +269,7 @@ impl<'a> RoleGroupBuilder<'a> {
 Volume {
 name: LOG_CONFIG_VOLUME_NAME.to_string(),
 config_map: Some(ConfigMapVolumeSource {
+ default_mode: Some(0o660),
 name: log_config_volume_config_map.to_string(),
 ..Default::default()
 }),
diff --git a/tests/templates/kuttl/external-access/opensearch.yaml.j2 b/tests/templates/kuttl/external-access/opensearch.yaml.j2
index 484627d..2a4fecd 100644
--- a/tests/templates/kuttl/external-access/opensearch.yaml.j2
+++ b/tests/templates/kuttl/external-access/opensearch.yaml.j2
@@ -106,6 +106,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
+ defaultMode: 0660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2 b/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
index 5f0b615..17403d2 100644
--- a/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
@@ -63,6 +63,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
+ defaultMode: 0660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
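Review bot: The mode `0o660` is a bare literal at both ConfigMapVolumeSource sites in role_group_builder.rs (the `CONFIG_VOLUME_NAME` hunk at 260 and the `LOG_CONFIG_VOLUME_NAME` hunk at 268), and the same value is pinned again in the unit test and the kuttl assertions, so it belongs in a named constant next to the volume-name constants, e.g. `/// Mode bits for operator-managed configuration files: readable by owner and group only, never by "other".` followed by `const CONFIG_FILE_MODE: i32 = 0o660;`, used as `default_mode: Some(CONFIG_FILE_MODE),` at both sites. Two things the hunk does not show are worth confirming: with the "other" bits cleared, a non-root OpenSearch process can only read these files if the pod's securityContext sets an `fsGroup` it belongs to, so a test on the rendered pod spec should cover that together with the mode. And since the kubelet mounts ConfigMap volumes read-only, the group write bit in 0660 can never be exercised, so `0o640` would state the intended least privilege more precisely unless the value is deliberately kept in step with the Secret volume in the examples. The enclosing method starts and ends outside the hunk.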
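Review bot: The `defaultMode: 0660` on the `security-config` Secret volume lives in the user-authored part of the OpenSearch manifest, whereas the operator hunks in this series only set a mode on the ConfigMap volumes it builds itself, so the Secret's permissions depend on every user copying this line; the same applies to the ldap, metrics and smoke install templates. Unless the operator normalises user-supplied volumes (not visible in this diff), a resource that omits the field gets the Kubernetes default mode for Secret volumes, and the security plugin configuration, which typically carries password hashes in `internal_users.yml`, is mounted readable by every account inside the container. It would be worth either documenting the expected `defaultMode` next to the field in the getting-started example or having the operator default or override the mode on that volume, with a kuttl assertion that covers the omitted-field case rather than only the templates that set it.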
diff --git a/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2 b/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
index d6e2d91..3d622db 100644
--- a/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
@@ -63,6 +63,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
+ defaultMode: 0660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2
index c128217..3de57a1 100644
--- a/tests/templates/kuttl/smoke/10-assert.yaml.j2
+++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2
@@ -246,11 +246,11 @@ spec:
 terminationGracePeriodSeconds: 120
 volumes:
 - configMap:
- defaultMode: 420
+ defaultMode: 0660
 name: opensearch-nodes-cluster-manager
 name: config
 - configMap:
- defaultMode: 420
+ defaultMode: 0660
 name: opensearch-nodes-cluster-manager
 name: log-config
 - emptyDir:
@@ -258,7 +258,7 @@ spec:
 name: log
 - name: security-config
 secret:
- defaultMode: 420
+ defaultMode: 0660
 secretName: opensearch-security-config
 - ephemeral:
 volumeClaimTemplate:
@@ -558,11 +558,11 @@ spec:
 terminationGracePeriodSeconds: 120
 volumes:
 - configMap:
- defaultMode: 420
+ defaultMode: 0660
 name: opensearch-nodes-data
 name: config
 - configMap:
- defaultMode: 420
+ defaultMode: 0660
 name: opensearch-nodes-data
 name: log-config
 - emptyDir:
@@ -570,7 +570,7 @@ spec:
 name: log
 - name: security-config
 secret:
- defaultMode: 420
+ defaultMode: 0660
 secretName: opensearch-security-config
 - ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2 b/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
index 56553df..32b00cf 100644
--- a/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
@@ -101,6 +101,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
+ defaultMode: 0660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
From f0d44aa0073d853c5cdb967ce4c2fec9be8d98b1 Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Mon, 20 Oct 2025 09:10:19 +0200
Subject: [PATCH 2/3] test: Fix a unit test assertion

---
rust/operator-binary/src/controller/build/role_group_builder.rs | 2 ++
1 file changed, 2 insertions(+)

diff --git a/rust/operator-binary/src/controller/build/role_group_builder.rs b/rust/operator-binary/src/controller/build/role_group_builder.rs
index 1ecb924..431690f 100644
--- a/rust/operator-binary/src/controller/build/role_group_builder.rs
+++ b/rust/operator-binary/src/controller/build/role_group_builder.rs
@@ -1127,12 +1127,14 @@ mod tests {
 "volumes": [
 {
 "configMap": {
+ "defaultMode": 0o660,
 "name": "my-opensearch-cluster-nodes-default"
 },
 "name": "config"
 },
 {
 "configMap": {
+ "defaultMode": 0o660,
 "name": "my-opensearch-cluster-nodes-default"
 },
 "name": "log-config"
From 244bd3d97680d846be6b0d8d98f1469be239b498 Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Mon, 20 Oct 2025 13:07:34 +0200
Subject: [PATCH 3/3] chore: Use new octal number format in YAML

---
.../examples/getting_started/opensearch.yaml | 2 +-
.../kuttl/external-access/opensearch.yaml.j2 | 2 +-
.../kuttl/ldap/21-install-opensearch.yaml.j2 | 2 +-
.../kuttl/metrics/20-install-opensearch.yaml.j2 | 2 +-
tests/templates/kuttl/smoke/10-assert.yaml.j2 | 12 ++++++------
.../kuttl/smoke/10-install-opensearch.yaml.j2 | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/modules/opensearch/examples/getting_started/opensearch.yaml b/docs/modules/opensearch/examples/getting_started/opensearch.yaml
index ee74aa4..e98b45a 100644
--- a/docs/modules/opensearch/examples/getting_started/opensearch.yaml
+++ b/docs/modules/opensearch/examples/getting_started/opensearch.yaml
@@ -37,7 +37,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
- defaultMode: 0660
+ defaultMode: 0o660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/external-access/opensearch.yaml.j2 b/tests/templates/kuttl/external-access/opensearch.yaml.j2
index 2a4fecd..2b7da52 100644
--- a/tests/templates/kuttl/external-access/opensearch.yaml.j2
+++ b/tests/templates/kuttl/external-access/opensearch.yaml.j2
@@ -106,7 +106,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
- defaultMode: 0660
+ defaultMode: 0o660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2 b/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
index 17403d2..fb42f4e 100644
--- a/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/ldap/21-install-opensearch.yaml.j2
@@ -63,7 +63,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
- defaultMode: 0660
+ defaultMode: 0o660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2 b/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
index 3d622db..cf5f195 100644
--- a/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/metrics/20-install-opensearch.yaml.j2
@@ -63,7 +63,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
- defaultMode: 0660
+ defaultMode: 0o660
 - name: tls
 ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2
index 3de57a1..60c58ed 100644
--- a/tests/templates/kuttl/smoke/10-assert.yaml.j2
+++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2
@@ -246,11 +246,11 @@ spec:
 terminationGracePeriodSeconds: 120
 volumes:
 - configMap:
- defaultMode: 0660
+ defaultMode: 0o660
 name: opensearch-nodes-cluster-manager
 name: config
 - configMap:
- defaultMode: 0660
+ defaultMode: 0o660
 name: opensearch-nodes-cluster-manager
 name: log-config
 - emptyDir:
@@ -258,7 +258,7 @@ spec:
 name: log
 - name: security-config
 secret:
- defaultMode: 0660
+ defaultMode: 0o660
 secretName: opensearch-security-config
 - ephemeral:
 volumeClaimTemplate:
@@ -558,11 +558,11 @@ spec:
 terminationGracePeriodSeconds: 120
 volumes:
 - configMap:
- defaultMode: 0660
+ defaultMode: 0o660
 name: opensearch-nodes-data
 name: config
 - configMap:
- defaultMode: 0660
+ defaultMode: 0o660
 name: opensearch-nodes-data
 name: log-config
 - emptyDir:
@@ -570,7 +570,7 @@ spec:
 name: log
 - name: security-config
 secret:
- defaultMode: 0660
+ defaultMode: 0o660
 secretName: opensearch-security-config
 - ephemeral:
 volumeClaimTemplate:
diff --git a/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2 b/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
index 32b00cf..ee70e27 100644
--- a/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
+++ b/tests/templates/kuttl/smoke/10-install-opensearch.yaml.j2
@@ -101,7 +101,7 @@ spec:
 - name: security-config
 secret:
 secretName: opensearch-security-config
- defaultMode: 0660
+ defaultMode: 0o660
 - name: tls
 ephemeral:
 volumeClaimTemplate: