Allow setting chmod-like permissions on file-based variables


Release notes

Problem to solve

File-based variables are by default created with the permission 644. Certain tools will complain about this (their secret being world readable). Users are not always in a position to change the permission (they may, for example, not have control over their .gitlab-ci.yml) and need to suffer safe-to-ignore warnings.

In particular, the GitLab integrations for Kubernetes inject a file-based KUBECONFIG, and Helm, a popular package manager for Kubernetes, warns when the kubeconfig file is world-readable.

Proposal

Make it possible to specify the file permission on the file together with the variable, and immediately start using it for injected KUBECONFIG variables.

In the first iteration, the implementation can be backend-only; a frontend can be added separately. For example, it would suffice to be able to write:

variables.append(key: 'KUBECONFIG', value: 'true', chmod: '0400')

where variables is a Gitlab::Ci::Variables::Collection.

Intended users

Feature Usage Metrics


Edited by 🤖 GitLab Bot 🤖
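
A job-level workaround for the world-readable warning described in the issue, as an added example that is not part of the original issue or of GitLab's code: it checks the file that a file-based variable such as KUBECONFIG points to and removes group and other access. The function names are hypothetical, and it assumes the job script can be edited and the job user owns the file.

```shell
# Added example; function names are hypothetical, not part of GitLab or its runner.

# Print the permission bits of a file in octal (e.g. 644).
file_mode() {
    # GNU/busybox stat first, BSD/macOS stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Remove group/other access from the file a file-based variable points to.
# $1: path (e.g. "$KUBECONFIG"); $2: target mode, default 0400 as in the proposal.
# Returns 0 when the file ends up owner-only, 1 otherwise.
restrict_file_variable() {
    target=$1
    mode=${2:-0400}

    # Only touch plain files: reject empty paths, symlinks and directories.
    if [ -z "$target" ] || [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "restrict_file_variable: not a regular file: $target" >&2
        return 1
    fi

    current=$(file_mode "$target") || return 1

    # 077 masks the group and other bits; 644 & 077 = 044, so 644 is too open.
    if [ $(( 0$current & 077 )) -ne 0 ]; then
        chmod "$mode" "$target" || return 1
        current=$(file_mode "$target") || return 1
    fi

    # Confirm the result instead of trusting chmod (or a bad $2) blindly.
    [ $(( 0$current & 077 )) -eq 0 ]
}

# Usage in a job script, before the tool that warns is invoked:
#   restrict_file_variable "$KUBECONFIG" && helm list
```

A file that is already owner-only is left untouched, so a stricter mode set elsewhere is not loosened.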