Follow-up from "Add support for observability endpoint TLS" - Use defaultMode: 0400 for secrets
The following discussion from !29 (merged) should be addressed:
@Alexand started a discussion: non-blocking
I think this is probably a good practice for all secret volumes. But we don't need to tackle it now. Following the K8s secret docs, we could make the permissions more restrictive, for instance:
```yaml
secretName: {{ include "gitlab-agent.observabilitySecretName" . }}
defaultMode: 0400
```
I'll open a follow-up to propose adding it globally.
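One way to check rendered manifests for secret volumes that are still looser than `0400`, as an added example that is not part of the original discussion or of the chart. It assumes the manifest is available as JSON (where `0400` appears as decimal 256, since JSON has no octal literals); the volume and secret names in the sample are constructed.

```python
import json

DEFAULT_MODE = 0o644  # Kubernetes applies this when defaultMode is omitted

# Constructed sample: a Deployment in JSON form, e.g. as `kubectl get -o json` prints it.
SAMPLE = json.dumps({
    "kind": "Deployment",
    "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {"volumes": [
        {"name": "observability-tls",
         "secret": {"secretName": "obs-tls", "defaultMode": 256}},  # 256 == 0o400
        {"name": "token", "secret": {"secretName": "agent-token"}},
        {"name": "ca", "secret": {"secretName": "ca", "defaultMode": 0o440}},
        {"name": "config", "configMap": {"name": "cfg"}},
    ]}}},
})

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that has spec.template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit_secret_modes(manifest_json, allowed=0o400):
    """List (volume, octal mode, reason) for secret volumes granting bits beyond `allowed`."""
    findings = []
    for vol in pod_spec(json.loads(manifest_json)).get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue  # not a secret volume (configMap, emptyDir, ...)
        explicit = "defaultMode" in secret
        mode = secret.get("defaultMode", DEFAULT_MODE)
        # Any permission bit outside `allowed` (group/other read, write, ...) is a finding.
        if mode & ~allowed & 0o777:
            reason = "explicit" if explicit else "unset, default applies"
            findings.append((vol["name"], format(mode, "04o"), reason))
    return findings

if __name__ == "__main__":
    for name, mode, reason in audit_secret_modes(SAMPLE):
        print(f"{name}: defaultMode {mode} ({reason})")
```

The check covers only the volume-level `defaultMode`; per-key `items[].mode` overrides are not inspected.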