From 50aa5eb736c47ffb72960fc6b29a811951c0695b Mon Sep 17 00:00:00 2001
From: Matt McEuen
Date: Mon, 3 Dec 2018 23:23:59 -0600
Subject: [PATCH] Restrict etcd data directory permissions

Leverage the divingbell perm module to set the etcd data directories to 700. Prior to this change, they are 755 in Promenade-based deployments. However, this change is more of a best-practice technicality than a true value-add, since all the directories *inside* these data directories already have 700 permissions.

Change-Id: I92290c46441d008f05b40f0c219c1709627d2803
---
 .../charts/ucp/divingbell/divingbell.yaml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/global/software/charts/ucp/divingbell/divingbell.yaml b/global/software/charts/ucp/divingbell/divingbell.yaml
index b4fafc50c..c21993370 100644
--- a/global/software/charts/ucp/divingbell/divingbell.yaml
+++ b/global/software/charts/ucp/divingbell/divingbell.yaml
@@ -78,6 +78,29 @@ data:
 # were restarted. "Failed to add /run/systemd/ask-password to directory
 # watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
 fs.inotify.max_user_watches: '1048576'
+ overrides:
+ divingbell_perm:
+ labels:
+ - label:
+ key: kubernetes-etcd
+ values:
+ - enabled
+ conf:
+ perm:
+ - path: '/var/lib/etcd/*'
+ owner: 'root'
+ group: 'root'
+ permissions: '0700'
+ - label:
+ key: calico-etcd
+ values:
+ - enabled
+ conf:
+ perm:
+ - path: '/var/lib/etcd/*'
+ owner: 'root'
+ group: 'root'
+ permissions: '0700'
 dependencies:
 - ucp-divingbell-htk
---
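Review bot: The new `overrides.divingbell_perm` stanza carries no comment explaining why the mode is being forced, while the neighbouring `fs.inotify.max_user_watches` tuning in the same file documents its rationale; a line above `overrides:` such as `# Force the etcd data directories under /var/lib/etcd to root-only 0700 (Promenade creates them 0755); the directories inside them are already 0700.` would keep the intent next to the code instead of only in the commit message. Both label entries target the identical `'/var/lib/etcd/*'` glob, so on a node carrying both the kubernetes-etcd and calico-etcd labels the two rules overlap, and a glob also matches any non-directory entry that later lands under /var/lib/etcd; if the two data directories have distinct, known names, one explicit path per label would scope each rule to what it is meant to protect — the directory names cannot be confirmed from this hunk. The quoting of `'0700'` and of the `*` glob must be kept as written, since an unquoted `0700` is read by YAML 1.1 loaders as the integer 448 and an unquoted `*` starts an alias. Whether the perm module re-applies the mode after the kubelet recreates a hostPath directory is a property of divingbell not visible here and is worth confirming before relying on this as a control.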