Fix permissions on sensitive config files

Signed-off-by: Lander Van den Bulcke <[email protected]>

Author: KrisBuytaert

manifests/config.pp

@@ -43,13 +43,17 @@
 
   if $manage_storage_config {
     thanos::config::storage { $storage_config_file:
-      * => $storage_config,
+      user  => $thanos::user,
+      group => $thanos::group,
+      *     => $storage_config,
     }
   }
 
   if $manage_tracing_config {
     thanos::config::tracing { $tracing_config_file:
-      * => $tracing_config,
+      user  => $thanos::user,
+      group => $thanos::group,
+      *     => $tracing_config,
     }
   }
 

manifests/config/storage.pp

@@ -9,7 +9,7 @@
 #    One of ['S3', 'GCS', 'AZURE', 'SWIFT', 'COS', 'ALIYUNOSS', 'FILESYSTEM']
 # @param config
 #  Configuration to typed storage.
-# @param prefix 
+# @param prefix
 #  Set the prefix for to be used on the storage
 # @example
 #   thanos::config::storage { '/etc/thanos/storage.yaml':
@@ -23,6 +23,8 @@
   Enum['present', 'absent'] $ensure,
   Thanos::Storage_type      $type,
   Hash[String, Data]        $config,
+  String                    $user,
+  String                    $group,
   String                    $prefix = '',
 ) {
   $_ensure = $ensure ? {
@@ -39,5 +41,8 @@
   file { $title:
     ensure  => $_ensure,
     content => $configs.to_yaml(),
+    owner   => $user,
+    group   => $group,
+    mode    => '0600',
   }
 }

manifests/config/tracing.pp

@@ -19,6 +19,8 @@
   Enum['present', 'absent'] $ensure,
   Thanos::Tracing_type      $type,
   Hash[String, Data]        $config,
+  String                    $user,
+  String                    $group,
 ) {
   $_ensure = $ensure ? {
     'present' => 'file',
@@ -33,5 +35,8 @@
   file { $title:
     ensure  => $_ensure,
     content => $configs.to_yaml(),
+    owner   => $user,
+    group   => $group,
+    mode    => '0600',
   }
 }