From 3991ebcd79c0c2ff669886837515ad8306886657 Mon Sep 17 00:00:00 2001
From: Mark Giles <mark.giles@oracle.com>
Date: Wed, 9 May 2018 14:39:05 -0400
Subject: [PATCH] Make generated private key files not world readable

The kolla-ansible certificates command creates a self-signed
certificate and corresponding private key.  This change sets the
file mode on the files that contain the private key so that they
are not world readable.

Change-Id: I7bfba5975af8d230e5d00c2ce801a914fbbf2d4e
---
 ansible/roles/certificates/tasks/generate.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index d981e5a6d1..3ca4809d3f 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -22,6 +22,13 @@
   with_items:
     - "{{ node_config_directory }}/certificates/private/haproxy.key"
 
+- name: Setting permissions on key
+  become: true
+  file:
+    path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+    mode: 0600
+    state: file
+
 - name: Creating Server Certificate
   become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
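Review bot: The new "Setting permissions on key" task tightens `haproxy.key` only after the preceding task has already written it, so between the two tasks the key carries whatever mode the process umask gave it. The generating task and the task that creates `certificates/private` start outside this hunk, so this is inferred. If the directory is not already restricted, creating it with `mode: "0700"` would close that window without depending on task order. Separately, the mode is better written quoted, `mode: "0600"`, here and in the `assemble` hunk below. The bare `0600` is only read correctly because of its leading zero, and the quoted string is the form Ansible documents as safe. No `owner`/`group` is set, so the file keeps whatever ownership the generating task left; add a comment or explicit values if that is deliberate.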
@@ -45,3 +52,4 @@
   assemble:
     src: "{{ node_config_directory }}/certificates/private"
     dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+    mode: 0600
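Review bot: Nothing on this task says why `haproxy.pem` needs a restrictive mode, and its location outside `private/` makes it look like a public certificate bundle. Because it is assembled from the `certificates/private` directory, it embeds the private key; a comment above the task such as `# haproxy.pem includes the private key, keep it as restricted as haproxy.key` would stop a later cleanup from loosening it. Whether the consumer of `haproxy.pem` runs as the same user that `become` writes it as is not visible from this hunk; confirm it can still read the file at 0600.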